From e5aebfe382e356dc9172fc7d380dc25a3b6c7617 Mon Sep 17 00:00:00 2001 From: janskiba Date: Mon, 17 Mar 2025 09:29:52 +0000 Subject: [PATCH 1/6] chore!: update transfair config --- modules/transfair-compose.yml | 7 +++++-- modules/transfair-setup.sh | 11 ++++++++++- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/modules/transfair-compose.yml b/modules/transfair-compose.yml index 4ee2ff9..adf0fb4 100644 --- a/modules/transfair-compose.yml +++ b/modules/transfair-compose.yml @@ -5,8 +5,11 @@ services: container_name: bridgehead-transfair environment: # NOTE: Those 3 variables need only to be passed if their set, otherwise transfair will complain about empty url values - - INSTITUTE_TTP_URL - - INSTITUTE_TTP_API_KEY + - TTP_URL + - TTP_ML_API_KEY + - TTP_GW_SOURCE + - TTP_TYPE + - TTP_AUTH - PROJECT_ID_SYSTEM - FHIR_REQUEST_URL=${FHIR_REQUEST_URL} - FHIR_INPUT_URL=${FHIR_INPUT_URL} diff --git a/modules/transfair-setup.sh b/modules/transfair-setup.sh index 58f7331..1d202a3 100755 --- a/modules/transfair-setup.sh +++ b/modules/transfair-setup.sh @@ -1,7 +1,7 @@ #!/bin/bash -e function transfairSetup() { - if [[ -n "$INSTITUTE_TTP_URL" || -n "$EXCHANGE_ID_SYSTEM" ]]; then + if [[ -n "$TTP_URL" || -n "$EXCHANGE_ID_SYSTEM" ]]; then echo "Starting transfair." OVERRIDE+=" -f ./modules/transfair-compose.yml" if [ -n "$FHIR_INPUT_URL" ]; then @@ -18,5 +18,14 @@ function transfairSetup() { FHIR_REQUEST_URL="http://transfair-requests-blaze:8080" OVERRIDE+=" --profile transfair-request-blaze" fi + if [ -n "$TTP_GW_SOURCE" ]; then + log INFO "TransFAIR configured with greifswald as ttp" + TTP_TYPE="greifswald" + elif [ -n "$TTP_ML_API_KEY" ]; then + log INFO "TransFAIR configured with mainzelliste as ttp" + TTP_TYPE="mainzelliste" + else + log INFO "TransFAIR configured without ttp" + fi fi } From 68804dc71bc80446a5744b9541b81ef4f4322029 Mon Sep 17 00:00:00 2001 
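Review bot: The context comment `# NOTE: Those 3 variables need only to be passed if their set` now sits above five pass-through entries (TTP_URL, TTP_ML_API_KEY, TTP_GW_SOURCE, TTP_TYPE, TTP_AUTH), so the rename leaves it stale, and it misspells "they're". Rewording it without a count, `# NOTE: pass these TTP_* variables only when they are set; transfair rejects empty url values`, avoids the same drift when patch 5 of this series appends TTP_GW_DOMAIN to the list. The bare `- VAR` form for TTP_ML_API_KEY and TTP_AUTH is the right choice for credentials, since nothing is written into the compose file itself.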
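Review bot: The enable check now reads only `TTP_URL`, so a site whose config still sets `INSTITUTE_TTP_URL` silently stops starting TransFAIR and nothing in the script says why; the `chore!` marker announces the break but does not surface it at runtime. A one-line notice ahead of the check makes the migration visible: `if [ -n "$INSTITUTE_TTP_URL" ]; then log WARN "INSTITUTE_TTP_URL is deprecated, rename it to TTP_URL"; fi`. transfairSetup continues past the end of the hunk.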
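Review bot: The new if/elif derives `TTP_TYPE` from whichever credential is present, which overwrites a `TTP_TYPE` the site set explicitly (the compose file in this same commit passes `TTP_TYPE` through from the environment, so an explicit value is evidently expected) and, when both `TTP_GW_SOURCE` and `TTP_ML_API_KEY` are set, picks greifswald without saying so. Honoring an explicit value first keeps the operator in control: `if [ -n "$TTP_TYPE" ]; then log INFO "TransFAIR configured with $TTP_TYPE as ttp"; elif [ -n "$TTP_GW_SOURCE" ]; then …`. Note also that `TTP_TYPE="greifswald"` is a plain shell assignment inside the function; it only reaches the container through the `- TTP_TYPE` pass-through if the caller exports variables wholesale, which the sibling `FHIR_REQUEST_URL=` assignment above seems to rely on — worth confirming against the script that sources this module.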
From: janskiba Date: Wed, 19 Mar 2025 08:13:08 +0000 Subject: [PATCH 2/6] feat: add transfair setup to ccp --- ccp/vars | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/ccp/vars b/ccp/vars index 0900914..cdc6877 100644 --- a/ccp/vars +++ b/ccp/vars @@ -29,4 +29,12 @@ done idManagementSetup mtbaSetup obds2fhirRestSetup -blazeSecondarySetup \ No newline at end of file +blazeSecondarySetup + +for module in modules/*.sh +do + log DEBUG "sourcing $module" + source $module +done + +transfairSetup \ No newline at end of file From 3144ee5214c237e21f1de04c0c715b95ca517e86 Mon Sep 17 00:00:00 2001 From: Tim Schumacher Date: Tue, 18 Mar 2025 11:42:53 +0100 Subject: [PATCH 3/6] Fix GitLab token syncing for BBMRI --- lib/functions.sh | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/lib/functions.sh b/lib/functions.sh index 44b000c..a11920b 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -334,6 +334,19 @@ function secret_sync_gitlab_token() { ;; esac + if [ "$PROJECT" == "bbmri" ]; then + # If the project is BBMRI, use the BBMRI-ERIC broker and not the GBN broker + proxy_id=$ERIC_PROXY_ID + broker_url=$ERIC_BROKER_URL + broker_id=$ERIC_BROKER_ID + root_crt_file="/srv/docker/bridgehead/bbmri/modules/${ERIC_ROOT_CERT}.root.crt.pem" + else + proxy_id=$PROXY_ID + broker_url=$BROKER_URL + broker_id=$BROKER_ID + root_crt_file="/srv/docker/bridgehead/$PROJECT/root.crt.pem" + fi + # Use Secret Sync to validate the GitLab token in /var/cache/bridgehead/secrets/gitlab_token. # If it is missing or expired, Secret Sync will create a new token and write it to the file. # The git credential helper reads the token from the file during git pull. 
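Review bot: The added loop sources every file matching `modules/*.sh` relative to the current directory and executes their top-level statements at source time, and `source $module` is unquoted. Whether this overlaps with the loop whose `done` appears as the hunk's context line cannot be told from here; if that one covers `$PROJECT/modules/*.sh`, this loop is the only place the top-level `modules/` directory gets loaded, which patch 6 of this series (ssh-tunnel-setup.sh) depends on. Suggest `source "$module"` plus a guard so an unmatched glob does not try to source the literal pattern: `[ -e "$module" ] || continue`. The file still ends without a trailing newline.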
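Review bot: `proxy_id`, `broker_url`, `broker_id` and `root_crt_file` are assigned without `local` inside secret_sync_gitlab_token (whose opening line is outside the hunk), so they persist as globals after the call. The BBMRI branch also builds `root_crt_file` from `${ERIC_ROOT_CERT}` with no check that it is set; an empty value yields `/srv/docker/bridgehead/bbmri/modules/.root.crt.pem`. Suggest declaring them up front, `local proxy_id broker_url broker_id root_crt_file`, and guarding the input with `[ -n "$ERIC_ROOT_CERT" ] || { log ERROR "ERIC_ROOT_CERT must be set for bbmri"; return 1; }` before the assignment, so the failure is named rather than discovered at mount time.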
@@ -344,14 +357,14 @@ function secret_sync_gitlab_token() { docker run --rm \ -v /var/cache/bridgehead/secrets/gitlab_token:/usr/local/cache \ -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \ - -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \ + -v $root_crt_file:/run/secrets/root.crt.pem:ro \ -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \ -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \ -e NO_PROXY=localhost,127.0.0.1 \ -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \ - -e PROXY_ID=$PROXY_ID \ - -e BROKER_URL=$BROKER_URL \ - -e GITLAB_PROJECT_ACCESS_TOKEN_PROVIDER=secret-sync-central.central-secret-sync.$BROKER_ID \ + -e PROXY_ID=$proxy_id \ + -e BROKER_URL=$broker_url \ + -e GITLAB_PROJECT_ACCESS_TOKEN_PROVIDER=secret-sync-central.central-secret-sync.$broker_id \ -e SECRET_DEFINITIONS=GitLabProjectAccessToken:BRIDGEHEAD_CONFIG_REPO_TOKEN:$gitlab \ docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest if [ $? -eq 0 ]; then From 6b649c923374d8952f576ac07c5baf4cb5e56b74 Mon Sep 17 00:00:00 2001 From: Jan <59206115+Threated@users.noreply.github.com> Date: Wed, 9 Apr 2025 13:19:52 +0200 Subject: [PATCH 4/6] feat: expose transfair via traefik (#290) Note: Requires a bridgehead install to generate the basic auth user --- lib/install-bridgehead.sh | 8 ++++++++ modules/transfair-compose.yml | 25 +++++++++++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/lib/install-bridgehead.sh b/lib/install-bridgehead.sh index 38c3874..915e380 100755 --- a/lib/install-bridgehead.sh +++ b/lib/install-bridgehead.sh 
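Review bot: The new `-v $root_crt_file:/run/secrets/root.crt.pem:ro` mounts the host path without checking that it exists; when the file is missing, Docker creates an empty directory at that host path and the secret-sync container fails later with a far less obvious error. A check ahead of `docker run`, `[ -f "$root_crt_file" ] || { log ERROR "Root certificate $root_crt_file not found"; return 1; }`, fails closed with a clear message. Quoting the new expansions (`-v "$root_crt_file:/run/secrets/root.crt.pem:ro"`, `-e PROXY_ID="$proxy_id"`) would be the safer form even though the present values carry no whitespace; the function continues past the `if [ $? -eq 0 ]` line that ends the hunk.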
@@ -41,6 +41,14 @@ if [ ! -z "$NNGM_CTS_APIKEY" ] && [ -z "$NNGM_AUTH" ]; then add_basic_auth_user "nngm" $generated_passwd "NNGM_AUTH" $PROJECT fi +if [ -z "$TRANSFAIR_AUTH" ]; then + if [[ -n "$TTP_URL" || -n "$EXCHANGE_ID_SYSTEM" ]]; then + log "INFO" "Now generating basic auth user for transfair API (see adduser in bridgehead for more information). " + generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)" + add_basic_auth_user "transfair" $generated_passwd "TRANSFAIR_AUTH" $PROJECT + fi +fi + log "INFO" "Registering system units for bridgehead and bridgehead-update" cp -v \ lib/systemd/bridgehead\@.service \ diff --git a/modules/transfair-compose.yml b/modules/transfair-compose.yml index adf0fb4..9dd0c64 100644 --- a/modules/transfair-compose.yml +++ b/modules/transfair-compose.yml @@ -24,6 +24,17 @@ services: volumes: - /var/cache/bridgehead/${PROJECT}/transfair:/transfair - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro + labels: + - "traefik.enable=true" + - "traefik.http.middlewares.transfair-strip.stripprefix.prefixes=/transfair" + - "traefik.http.routers.transfair.middlewares=transfair-strip,transfair-auth" + - "traefik.http.routers.transfair.rule=PathPrefix(`/transfair`)" + - "traefik.http.services.transfair.loadbalancer.server.port=8080" + - "traefik.http.routers.transfair.tls=true" + + traefik: + labels: + - "traefik.http.middlewares.transfair-auth.basicauth.users=${TRANSFAIR_AUTH}" transfair-input-blaze: image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG} 
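Review bot: The enable condition `[[ -n "$TTP_URL" || -n "$EXCHANGE_ID_SYSTEM" ]]` is a copy of the one in modules/transfair-setup.sh; if either is edited alone, installs stop generating `TRANSFAIR_AUTH` while TransFAIR still starts, and the compose file then references an empty credential. A comment tying them together, `# keep in sync with the enable check in modules/transfair-setup.sh`, or a shared helper makes that dependency visible. The password derivation mirrors the NNGM block above it; `"$generated_passwd"` quoted is the idiom both blocks should converge on, even though the hex value is safe unquoted today.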
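Review bot: The `transfair-auth` basicauth middleware is defined with `users=${TRANSFAIR_AUTH}`, and nothing in this commit fails when that variable is empty — which is the state of any site that enables TransFAIR after its last install run, as the commit message itself notes. With an empty value the label becomes `basicauth.users=`; rather than relying on how Traefik treats an empty users list, the setup path should refuse to start, e.g. `[ -n "$TRANSFAIR_AUTH" ] || { log ERROR "TRANSFAIR_AUTH is empty, re-run the bridgehead install"; return 1; }` in transfairSetup, so the router is never created without credentials. The routers in the two following hunks (`transfair-input-blaze`, `transfair-request-blaze`) chain the same middleware and inherit the same dependency.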
@@ -37,6 +48,13 @@ services: volumes: - "transfair-input-blaze-data:/app/data" profiles: ["transfair-input-blaze"] + labels: + - "traefik.enable=true" + - "traefik.http.routers.transfair-input-blaze.rule=PathPrefix(`/data-delivery`)" + - "traefik.http.middlewares.transfair-input-strip.stripprefix.prefixes=/data-delivery" + - "traefik.http.services.transfair-input-blaze.loadbalancer.server.port=8080" + - "traefik.http.routers.transfair-input-blaze.middlewares=transfair-input-strip,transfair-auth" + - "traefik.http.routers.transfair-input-blaze.tls=true" transfair-request-blaze: image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG} @@ -50,6 +68,13 @@ services: volumes: - "transfair-request-blaze-data:/app/data" profiles: ["transfair-request-blaze"] + labels: + - "traefik.enable=true" + - "traefik.http.routers.transfair-request-blaze.rule=PathPrefix(`/data-requests`)" + - "traefik.http.middlewares.transfair-request-strip.stripprefix.prefixes=/data-requests" + - "traefik.http.services.transfair-request-blaze.loadbalancer.server.port=8080" + - "traefik.http.routers.transfair-request-blaze.middlewares=transfair-request-strip,transfair-auth" + - "traefik.http.routers.transfair-request-blaze.tls=true" volumes: transfair-input-blaze-data: From 973547c322bb02beb8784d879e0cbaf58d1d393a Mon Sep 17 00:00:00 2001 From: Jan <59206115+Threated@users.noreply.github.com> Date: Fri, 11 Apr 2025 08:37:31 +0200 Subject: [PATCH 5/6] chore(transfair): add new gw option (#291) --- modules/transfair-compose.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/transfair-compose.yml b/modules/transfair-compose.yml index 9dd0c64..81ef952 100644 --- a/modules/transfair-compose.yml +++ b/modules/transfair-compose.yml @@ -8,6 +8,7 @@ services: - TTP_URL - TTP_ML_API_KEY - TTP_GW_SOURCE + - TTP_GW_DOMAIN - TTP_TYPE - TTP_AUTH - PROJECT_ID_SYSTEM From 2ddd5357945b31f557c22fb0e572e97243c24226 Mon Sep 17 00:00:00 2001 
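Review bot: Both Blaze stores become reachable from outside through Traefik (`/data-delivery` here, `/data-requests` in the next hunk) and, as far as the diff shows, the only thing in front of them is the shared `transfair-auth` basicauth — the same credential that reaches the TransFAIR API grants unrestricted FHIR read and write on both stores. If the external consumers of the two stores are not the same party as the API caller, separate middlewares (for example `transfair-input-auth` and `transfair-request-auth` with their own users) keep the scopes apart; at minimum a comment above the labels should state that `transfair-auth` is intentionally shared. The `stripprefix` and `tls=true` labels themselves are consistent with the transfair router.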
From: Jan <59206115+Threated@users.noreply.github.com> Date: Mon, 14 Apr 2025 10:45:15 +0200 Subject: [PATCH 6/6] feat: ssh tunnel (#292) * Added ccp module for a ssh tunnel Usage details under https://github.com/samply/ssh-tunnel * chore: update ssh-tunnel image to harbor * feat: ssh tunnel support diffrent port * chore: fix indentation * chore: move to top level modules * docs: add ssh-tunnel docs --------- Co-authored-by: Tobias Kussel --- modules/ssh-tunnel-compose.yml | 17 +++++++++++++++++ modules/ssh-tunnel-setup.sh | 6 ++++++ modules/ssh-tunnel.md | 19 +++++++++++++++++++ 3 files changed, 42 insertions(+) create mode 100644 modules/ssh-tunnel-compose.yml create mode 100644 modules/ssh-tunnel-setup.sh create mode 100644 modules/ssh-tunnel.md diff --git a/modules/ssh-tunnel-compose.yml b/modules/ssh-tunnel-compose.yml new file mode 100644 index 0000000..5ca9989 --- /dev/null +++ b/modules/ssh-tunnel-compose.yml @@ -0,0 +1,17 @@ +version: "3.7" + +services: + ssh-tunnel: + image: docker.verbis.dkfz.de/cache/samply/ssh-tunnel + container_name: bridgehead-ccp-ssh-tunnel + environment: + SSH_TUNNEL_USERNAME: "${SSH_TUNNEL_USERNAME}" + SSH_TUNNEL_HOST: "${SSH_TUNNEL_HOST}" + SSH_TUNNEL_PORT: "${SSH_TUNNEL_PORT:-22}" + volumes: + - "/etc/bridgehead/ssh-tunnel.conf:/ssh-tunnel.conf:ro" + secrets: + - privkey +secrets: + privkey: + file: /etc/bridgehead/pki/ssh-tunnel.priv.pem diff --git a/modules/ssh-tunnel-setup.sh b/modules/ssh-tunnel-setup.sh new file mode 100644 index 0000000..eb49f1c --- /dev/null +++ b/modules/ssh-tunnel-setup.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +if [ -n "$ENABLE_SSH_TUNNEL" ]; then + log INFO "SSH Tunnel setup detected -- will start SSH Tunnel." + OVERRIDE+=" -f ./$PROJECT/modules/ssh-tunnel-compose.yml" +fi diff --git a/modules/ssh-tunnel.md b/modules/ssh-tunnel.md new file mode 100644 index 0000000..4240b19 --- /dev/null +++ b/modules/ssh-tunnel.md 
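Review bot: `image: docker.verbis.dkfz.de/cache/samply/ssh-tunnel` carries no tag, so each start pulls whatever the registry's default tag currently is for a container that holds an SSH private key and an outbound tunnel endpoint; the other module images on this page are pinned (`blaze:${BLAZE_TAG}`). Pinning to a tag or digest, `image: docker.verbis.dkfz.de/cache/samply/ssh-tunnel:<TAG_PLACEHOLDER>`, keeps updates deliberate. Mounting the key through `secrets:` rather than an environment variable is the right choice; `container_name: bridgehead-ccp-ssh-tunnel` still says `ccp` although the commit moved the module to the top-level `modules/` directory, so either the name should drop the project or use `${PROJECT}` the way the transfair volume path does.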
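Review bot: `OVERRIDE+=" -f ./$PROJECT/modules/ssh-tunnel-compose.yml"` points under the project directory, but this same commit creates the compose file at `modules/ssh-tunnel-compose.yml` (top level, per the diff header and the "move to top level modules" entry in the message), and the sibling transfair module references its file as `./modules/transfair-compose.yml`; unless there is a copy or symlink I cannot see, the override path will not exist and compose will fail to start. Suggest `OVERRIDE+=" -f ./modules/ssh-tunnel-compose.yml"`. The file also runs its statements at top level when sourced rather than defining a setup function like `transfairSetup`, so its effect depends on when the module loop sources it; a one-line comment stating that it is intended to run at source time would help the next reader.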
@@ -0,0 +1,19 @@ +# SSH Tunnel Module + +This module enables SSH tunneling capabilities for the Bridgehead installation. +The primary use case for this is to connect bridgehead components that are hosted externally due to security concerns. +To connect the new components to the locally running bridgehead infra one is supposed to write a docker-compose.override.yml changing the urls to point to the corresponding forwarded port of the ssh-tunnel container. + +## Configuration Variables + +- `ENABLE_SSH_TUNNEL`: Required to enable the module +- `SSH_TUNNEL_USERNAME`: Username for SSH connection +- `SSH_TUNNEL_HOST`: Target host for SSH tunnel +- `SSH_TUNNEL_PORT`: SSH port (defaults to 22) + +## Configuration Files + +The module requires the following files to be present: + +- `/etc/bridgehead/ssh-tunnel.conf`: SSH tunnel configuration file. Detailed information can be found [here](https://github.com/samply/ssh-tunnel?tab=readme-ov-file#configuration). +- `/etc/bridgehead/pki/ssh-tunnel.priv.pem`: The SSH private key used to connect to the `SSH_TUNNEL_HOST`. **Passphrases for the key are not supported!** \ No newline at end of file