samply/bridgehead
1
0
Fork 0
mirror of https://github.com/samply/bridgehead.git synced 2025-10-31 18:10:18 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #289 from samply/develop

Browse Source 
Merge develop into main
This commit is contained in:
Jan
2025-04-15 10:17:11 +02:00
committed by GitHub
parent 4ef585bfc5 2ddd535794
commit cd38957dd7
8 changed files with 117 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
ccp/vars
View File

@@ -29,4 +29,12 @@ done
idManagementSetup
mtbaSetup
obds2fhirRestSetup
blazeSecondarySetup
blazeSecondarySetup
for module in modules/*.sh
do
log DEBUG "sourcing $module"
source $module
done
transfairSetup

21
lib/functions.sh
View File

@@ -334,6 +334,19 @@ function secret_sync_gitlab_token() {
;;
esac
if [ "$PROJECT" == "bbmri" ]; then
# If the project is BBMRI, use the BBMRI-ERIC broker and not the GBN broker
proxy_id=$ERIC_PROXY_ID
broker_url=$ERIC_BROKER_URL
broker_id=$ERIC_BROKER_ID
root_crt_file="/srv/docker/bridgehead/bbmri/modules/${ERIC_ROOT_CERT}.root.crt.pem"
else
proxy_id=$PROXY_ID
broker_url=$BROKER_URL
broker_id=$BROKER_ID
root_crt_file="/srv/docker/bridgehead/$PROJECT/root.crt.pem"
fi
# Use Secret Sync to validate the GitLab token in /var/cache/bridgehead/secrets/gitlab_token.
# If it is missing or expired, Secret Sync will create a new token and write it to the file.
# The git credential helper reads the token from the file during git pull.
@@ -344,14 +357,14 @@ function secret_sync_gitlab_token() {
docker run --rm \
-v /var/cache/bridgehead/secrets/gitlab_token:/usr/local/cache \
-v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
-v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
-v $root_crt_file:/run/secrets/root.crt.pem:ro \
-v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
-e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
-e NO_PROXY=localhost,127.0.0.1 \
-e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
-e PROXY_ID=$PROXY_ID \
-e BROKER_URL=$BROKER_URL \
-e GITLAB_PROJECT_ACCESS_TOKEN_PROVIDER=secret-sync-central.central-secret-sync.$BROKER_ID \
-e PROXY_ID=$proxy_id \
-e BROKER_URL=$broker_url \
-e GITLAB_PROJECT_ACCESS_TOKEN_PROVIDER=secret-sync-central.central-secret-sync.$broker_id \
-e SECRET_DEFINITIONS=GitLabProjectAccessToken:BRIDGEHEAD_CONFIG_REPO_TOKEN:$gitlab \
docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
if [ $? -eq 0 ]; then

8
lib/install-bridgehead.sh
View File

@@ -41,6 +41,14 @@ if [ ! -z "$NNGM_CTS_APIKEY" ] && [ -z "$NNGM_AUTH" ]; then
add_basic_auth_user "nngm" $generated_passwd "NNGM_AUTH" $PROJECT
fi
if [ -z "$TRANSFAIR_AUTH" ]; then
if [[ -n "$TTP_URL" || -n "$EXCHANGE_ID_SYSTEM" ]]; then
log "INFO" "Now generating basic auth user for transfair API (see adduser in bridgehead for more information). "
generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)"
add_basic_auth_user "transfair" $generated_passwd "TRANSFAIR_AUTH" $PROJECT
fi
fi
log "INFO" "Registering system units for bridgehead and bridgehead-update"
cp -v \
lib/systemd/bridgehead\@.service \

17
modules/ssh-tunnel-compose.yml Normal file
View File

@@ -0,0 +1,17 @@
version: "3.7"
services:
ssh-tunnel:
image: docker.verbis.dkfz.de/cache/samply/ssh-tunnel
container_name: bridgehead-ccp-ssh-tunnel
environment:
SSH_TUNNEL_USERNAME: "${SSH_TUNNEL_USERNAME}"
SSH_TUNNEL_HOST: "${SSH_TUNNEL_HOST}"
SSH_TUNNEL_PORT: "${SSH_TUNNEL_PORT:-22}"
volumes:
- "/etc/bridgehead/ssh-tunnel.conf:/ssh-tunnel.conf:ro"
secrets:
- privkey
secrets:
privkey:
file: /etc/bridgehead/pki/ssh-tunnel.priv.pem

6
modules/ssh-tunnel-setup.sh Normal file
View File

@@ -0,0 +1,6 @@
#!/bin/bash
if [ -n "$ENABLE_SSH_TUNNEL" ]; then
log INFO "SSH Tunnel setup detected -- will start SSH Tunnel."
OVERRIDE+=" -f ./$PROJECT/modules/ssh-tunnel-compose.yml"
fi

19
modules/ssh-tunnel.md Normal file
View File

@@ -0,0 +1,19 @@
# SSH Tunnel Module
This module enables SSH tunneling capabilities for the Bridgehead installation.
The primary use case for this is to connect bridgehead components that are hosted externally due to security concerns.
To connect the new components to the locally running bridgehead infra one is supposed to write a docker-compose.override.yml changing the urls to point to the corresponding forwarded port of the ssh-tunnel container.
## Configuration Variables
- `ENABLE_SSH_TUNNEL`: Required to enable the module
- `SSH_TUNNEL_USERNAME`: Username for SSH connection
- `SSH_TUNNEL_HOST`: Target host for SSH tunnel
- `SSH_TUNNEL_PORT`: SSH port (defaults to 22)
## Configuration Files
The module requires the following files to be present:
- `/etc/bridgehead/ssh-tunnel.conf`: SSH tunnel configuration file. Detailed information can be found [here](https://github.com/samply/ssh-tunnel?tab=readme-ov-file#configuration).
- `/etc/bridgehead/pki/ssh-tunnel.priv.pem`: The SSH private key used to connect to the `SSH_TUNNEL_HOST`. **Passphrases for the key are not supported!**

33
modules/transfair-compose.yml
View File

@@ -5,8 +5,12 @@ services:
container_name: bridgehead-transfair
environment:
# NOTE: Those 3 variables need only to be passed if their set, otherwise transfair will complain about empty url values
- INSTITUTE_TTP_URL
- INSTITUTE_TTP_API_KEY
- TTP_URL
- TTP_ML_API_KEY
- TTP_GW_SOURCE
- TTP_GW_DOMAIN
- TTP_TYPE
- TTP_AUTH
- PROJECT_ID_SYSTEM
- FHIR_REQUEST_URL=${FHIR_REQUEST_URL}
- FHIR_INPUT_URL=${FHIR_INPUT_URL}
@@ -21,6 +25,17 @@ services:
volumes:
- /var/cache/bridgehead/${PROJECT}/transfair:/transfair
- /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
labels:
- "traefik.enable=true"
- "traefik.http.middlewares.transfair-strip.stripprefix.prefixes=/transfair"
- "traefik.http.routers.transfair.middlewares=transfair-strip,transfair-auth"
- "traefik.http.routers.transfair.rule=PathPrefix(`/transfair`)"
- "traefik.http.services.transfair.loadbalancer.server.port=8080"
- "traefik.http.routers.transfair.tls=true"
traefik:
labels:
- "traefik.http.middlewares.transfair-auth.basicauth.users=${TRANSFAIR_AUTH}"
transfair-input-blaze:
image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
@@ -34,6 +49,13 @@ services:
volumes:
- "transfair-input-blaze-data:/app/data"
profiles: ["transfair-input-blaze"]
labels:
- "traefik.enable=true"
- "traefik.http.routers.transfair-input-blaze.rule=PathPrefix(`/data-delivery`)"
- "traefik.http.middlewares.transfair-input-strip.stripprefix.prefixes=/data-delivery"
- "traefik.http.services.transfair-input-blaze.loadbalancer.server.port=8080"
- "traefik.http.routers.transfair-input-blaze.middlewares=transfair-input-strip,transfair-auth"
- "traefik.http.routers.transfair-input-blaze.tls=true"
transfair-request-blaze:
image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
@@ -47,6 +69,13 @@ services:
volumes:
- "transfair-request-blaze-data:/app/data"
profiles: ["transfair-request-blaze"]
labels:
- "traefik.enable=true"
- "traefik.http.routers.transfair-request-blaze.rule=PathPrefix(`/data-requests`)"
- "traefik.http.middlewares.transfair-request-strip.stripprefix.prefixes=/data-requests"
- "traefik.http.services.transfair-request-blaze.loadbalancer.server.port=8080"
- "traefik.http.routers.transfair-request-blaze.middlewares=transfair-request-strip,transfair-auth"
- "traefik.http.routers.transfair-request-blaze.tls=true"
volumes:
transfair-input-blaze-data:

11
modules/transfair-setup.sh
View File

@@ -1,7 +1,7 @@
#!/bin/bash -e
function transfairSetup() {
if [[ -n "$INSTITUTE_TTP_URL" || -n "$EXCHANGE_ID_SYSTEM" ]]; then
if [[ -n "$TTP_URL" || -n "$EXCHANGE_ID_SYSTEM" ]]; then
echo "Starting transfair."
OVERRIDE+=" -f ./modules/transfair-compose.yml"
if [ -n "$FHIR_INPUT_URL" ]; then
@@ -18,5 +18,14 @@ function transfairSetup() {
FHIR_REQUEST_URL="http://transfair-requests-blaze:8080"
OVERRIDE+=" --profile transfair-request-blaze"
fi
if [ -n "$TTP_GW_SOURCE" ]; then
log INFO "TransFAIR configured with greifswald as ttp"
TTP_TYPE="greifswald"
elif [ -n "$TTP_ML_API_KEY" ]; then
log INFO "TransFAIR configured with mainzelliste as ttp"
TTP_TYPE="mainzelliste"
else
log INFO "TransFAIR configured without ttp"
fi
fi
}