Merge branch 'develop' into ovis

2026-03-25 14:20:15 +01:00 · 2026-03-17 15:38:01 +01:00
parent 4c8f7cb119 c1de9b8314
commit d386766e13
90 changed files with 2347 additions and 446 deletions
--- a/ccp/modules/blaze-secondary-compose.yml
+++ b/ccp/modules/blaze-secondary-compose.yml
@@ -2,7 +2,7 @@ version: "3.7"

 services:
  blaze-secondary:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:0.31
+    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
    container_name: bridgehead-ccp-blaze-secondary
    environment:
      BASE_URL: "http://bridgehead-ccp-blaze-secondary:8080"
--- a/ccp/modules/datashield-compose.yml
+++ b/ccp/modules/datashield-compose.yml
@@ -1,25 +1,6 @@
 version: "3.7"

 services:
-  rstudio:
-    container_name: bridgehead-rstudio
-    image: docker.verbis.dkfz.de/ccp/dktk-rstudio:latest
-    environment:
-      #DEFAULT_USER: "rstudio" # This line is kept for informational purposes
-      PASSWORD: "${RSTUDIO_ADMIN_PASSWORD}" # It is required, even if the authentication is disabled
-      DISABLE_AUTH: "true" # https://rocker-project.org/images/versioned/rstudio.html#how-to-use
-      HTTP_RELATIVE_PATH: "/rstudio"
-      ALL_PROXY: "http://forward_proxy:3128" # https://rocker-project.org/use/networking.html
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.rstudio_ccp.rule=PathPrefix(`/rstudio`)"
-      - "traefik.http.services.rstudio_ccp.loadbalancer.server.port=8787"
-      - "traefik.http.middlewares.rstudio_ccp_strip.stripprefix.prefixes=/rstudio"
-      - "traefik.http.routers.rstudio_ccp.tls=true"
-      - "traefik.http.routers.rstudio_ccp.middlewares=oidcAuth,rstudio_ccp_strip"
-    networks:
-      - rstudio
-
  opal:
    container_name: bridgehead-opal
    image: docker.verbis.dkfz.de/ccp/dktk-opal:latest
@@ -44,8 +25,7 @@ services:
      APP_CONTEXT_PATH: "/opal"
      OPAL_PRIVATE_KEY: "/run/secrets/opal-key.pem"
      OPAL_CERTIFICATE: "/run/secrets/opal-cert.pem"
-      OIDC_URL: "${OIDC_URL}"
-      OIDC_REALM: "${OIDC_REALM}"
+      OIDC_URL: "${OIDC_PRIVATE_URL}"
      OIDC_CLIENT_ID: "${OIDC_PRIVATE_CLIENT_ID}"
      OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
      OIDC_ADMIN_GROUP: "${OIDC_ADMIN_GROUP}"
@@ -93,79 +73,14 @@ services:
      - beam-proxy
    volumes:
      - /tmp/bridgehead/opal-map/:/map/:ro
-    networks:
-      - default
-      - rstudio
-
-  traefik:
-    labels:
-      - "traefik.http.middlewares.oidcAuth.forwardAuth.address=http://oauth2-proxy:4180/"
-      - "traefik.http.middlewares.oidcAuth.forwardAuth.trustForwardHeader=true"
-      - "traefik.http.middlewares.oidcAuth.forwardAuth.authResponseHeaders=X-Auth-Request-Access-Token,Authorization"
-    networks:
-      - default
-      - rstudio
-  forward_proxy:
-    networks:
-      - default
-      - rstudio

  beam-proxy:
    environment:
      APP_datashield-connect_KEY: ${DATASHIELD_CONNECT_SECRET}
      APP_token-manager_KEY: ${TOKEN_MANAGER_SECRET}

-  # TODO: Allow users of group /DataSHIELD and OIDC_USER_GROUP at the same time:
-  # Maybe a solution would be (https://oauth2-proxy.github.io/oauth2-proxy/configuration/oauth_provider):
-  # --allowed-groups=/DataSHIELD,OIDC_USER_GROUP
-  oauth2-proxy:
-    image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest
-    container_name: bridgehead-oauth2proxy
-    command: >-
-      --allowed-group=DataSHIELD
-      --oidc-groups-claim=${OIDC_GROUP_CLAIM}
-      --auth-logging=true
-      --whitelist-domain=${HOST}
-      --http-address="0.0.0.0:4180"
-      --reverse-proxy=true
-      --upstream="static://202"
-      --email-domain="*"
-      --cookie-name="_BRIDGEHEAD_oauth2"
-      --cookie-secret="${OAUTH2_PROXY_SECRET}"
-      --cookie-expire="12h"
-      --cookie-secure="true"
-      --cookie-httponly="true"
-      #OIDC settings
-      --provider="keycloak-oidc"
-      --provider-display-name="VerbIS Login"
-      --client-id="${OIDC_PRIVATE_CLIENT_ID}"
-      --client-secret="${OIDC_CLIENT_SECRET}"
-      --redirect-url="https://${HOST}${OAUTH2_CALLBACK}"
-      --oidc-issuer-url="${OIDC_ISSUER_URL}"
-      --scope="openid email profile"
-      --code-challenge-method="S256"
-      --skip-provider-button=true
-      #X-Forwarded-Header settings - true/false depending on your needs
-      --pass-basic-auth=true
-      --pass-user-headers=false
-      --pass-access-token=false
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.oauth2_proxy.rule=PathPrefix(`/oauth2`)"
-      - "traefik.http.services.oauth2_proxy.loadbalancer.server.port=4180"
-      - "traefik.http.routers.oauth2_proxy.tls=true"
-    environment:
-      http_proxy: "http://forward_proxy:3128"
-      https_proxy: "http://forward_proxy:3128"
-    depends_on:
-      forward_proxy:
-        condition: service_healthy
-
 secrets:
  opal-cert.pem:
    file: /tmp/bridgehead/opal-cert.pem
  opal-key.pem:
    file: /tmp/bridgehead/opal-key.pem
-
-networks:
-  rstudio:
--- a/ccp/modules/datashield-setup.sh
+++ b/ccp/modules/datashield-setup.sh
@@ -5,17 +5,12 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
  if [ -z "${ENABLE_EXPORTER}" ] || [ "${ENABLE_EXPORTER}" != "true" ]; then
    log WARN "The ENABLE_EXPORTER variable is either not set or not set to 'true'."
  fi
-  OAUTH2_CALLBACK=/oauth2/callback
-  OAUTH2_PROXY_SECRET="$(echo \"This is a salt string to generate one consistent encryption key for the oauth2_proxy. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 32)"
-  add_private_oidc_redirect_url "${OAUTH2_CALLBACK}"
-
  log INFO "DataSHIELD setup detected -- will start DataSHIELD services."
  OVERRIDE+=" -f ./$PROJECT/modules/datashield-compose.yml"
  EXPORTER_OPAL_PASSWORD="$(generate_password \"exporter in Opal\")"
  TOKEN_MANAGER_OPAL_PASSWORD="$(generate_password \"Token Manager in Opal\")"
  OPAL_DB_PASSWORD="$(echo \"Opal DB\" | generate_simple_password)"
  OPAL_ADMIN_PASSWORD="$(generate_password \"admin password for Opal\")"
-  RSTUDIO_ADMIN_PASSWORD="$(generate_password \"admin password for R-Studio\")"
  DATASHIELD_CONNECT_SECRET="$(echo \"DataShield Connect\" | generate_simple_password)"
  TOKEN_MANAGER_SECRET="$(echo \"Token Manager\" | generate_simple_password)"
  if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then
@@ -23,18 +18,13 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
    openssl req -x509 -newkey rsa:4096 -nodes -keyout /tmp/bridgehead/opal-key.pem -out /tmp/bridgehead/opal-cert.pem -days 3650 -subj "/CN=opal/C=DE"
  fi
  mkdir -p /tmp/bridgehead/opal-map
-  sites="$(cat ./$PROJECT/modules/datashield-sites.json)"
-  echo "$sites" | docker_jq -n --args '{"sites": input | map({
-    "name": .,
-    "id": .,
-    "virtualhost": "\(.):443",
-    "beamconnect": "datashield-connect.\(.).'"$BROKER_ID"'"
-  })}' $sites >/tmp/bridgehead/opal-map/central.json
-  echo "$sites" | docker_jq -n --args '[{
-    "external": "'"$SITE_ID"':443",
+  echo '{"sites": []}' >/tmp/bridgehead/opal-map/central.json
+  # Only allow connections from the central beam proxy that is used by all coder workspaces
+  echo '[{
+    "external": "'$SITE_ID':443",
    "internal": "opal:8443",
-    "allowed": input | map("\(.).'"$BROKER_ID"'")
-  }]' >/tmp/bridgehead/opal-map/local.json
+    "allowed": ["central-ds-orchestrator.'$BROKER_ID'"]
+  }]' > /tmp/bridgehead/opal-map/local.json
  if [ "$USER" == "root" ]; then
    chown -R bridgehead:docker /tmp/bridgehead
    chmod g+wr /tmp/bridgehead/opal-map/*
--- a/ccp/modules/datashield-sites.json
+++ b/ccp/modules/datashield-sites.json
@@ -1,15 +0,0 @@
-[
-    "berlin",
-    "muenchen-lmu",
-    "dresden",
-    "freiburg",
-    "muenchen-tum",
-    "tuebingen",
-    "mainz",
-    "frankfurt",
-    "essen",
-    "dktk-datashield-test",
-    "dktk-test",
-    "mannheim",
-    "central-ds-orchestrator"
-]
--- a/ccp/modules/dnpm-node-compose.yml
+++ b/ccp/modules/dnpm-node-compose.yml
@@ -43,7 +43,7 @@ services:
      - "traefik.http.routers.dnpm-auth.tls=true"

  dnpm-portal:
-    image: ghcr.io/dnpm-dip/portal:latest
+    image: ghcr.io/dnpm-dip/portal:${DNPM_IMAGE_TAG:-latest}
    container_name: bridgehead-dnpm-portal
    environment:
      - NUXT_API_URL=http://dnpm-backend:9000/
@@ -58,7 +58,7 @@ services:

  dnpm-backend:
    container_name: bridgehead-dnpm-backend
-    image: ghcr.io/dnpm-dip/backend:latest
+    image: ghcr.io/dnpm-dip/api-gateway:latest
    environment:
      - LOCAL_SITE=${ZPM_SITE}:${SITE_NAME}   # Format: {Site-ID}:{Site-name}, e.g. UKT:Tübingen
      - RD_RANDOM_DATA=${DNPM_SYNTH_NUM:--1}
@@ -66,6 +66,7 @@ services:
      - HATEOAS_HOST=https://${HOST}
      - CONNECTOR_TYPE=broker
      - AUTHUP_URL=robot://system:${DNPM_AUTHUP_SECRET}@http://dnpm-authup:3000
+      - TZ=Europe/Berlin
    volumes:
      - /etc/bridgehead/dnpm/config:/dnpm_config
      - /var/cache/bridgehead/dnpm/backend-data:/dnpm_data
--- a/ccp/modules/exporter.md
+++ b/ccp/modules/exporter.md
@@ -1,15 +0,0 @@
-# Exporter and Reporter
-
-
-## Exporter
-The exporter is a REST API that exports the data of the different databases of the bridgehead in a set of tables.
-It can accept different output formats as CSV, Excel, JSON or XML. It can also export data into Opal.
-
-## Exporter-DB
-It is a database to save queries for its execution in the exporter. 
-The exporter manages also the different executions of the same query in through the database.
-
-## Reporter
-This component is a plugin of the exporter that allows to create more complex Excel reports described in templates.
-It is compatible with different template engines as Groovy, Thymeleaf,...
-It is perfect to generate a document as our traditional CCP quality report.
--- a/ccp/modules/id-management-compose.yml
+++ b/ccp/modules/id-management-compose.yml
@@ -14,6 +14,7 @@ services:
      MAGICPL_CONNECTOR_APIKEY: ${IDMANAGER_READ_APIKEY}
      MAGICPL_CENTRAL_PATIENTLIST_APIKEY: ${IDMANAGER_CENTRAL_PATIENTLIST_APIKEY}
      MAGICPL_CONTROLNUMBERGENERATOR_APIKEY: ${IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY}
+      MAGICPL_OIDC_PROVIDER: ${OIDC_PRIVATE_URL}
    depends_on:
      - patientlist
      - traefik-forward-auth
@@ -71,12 +72,14 @@ services:
      - https_proxy=http://forward_proxy:3128
      - OAUTH2_PROXY_PROVIDER=oidc
      - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
-      - OAUTH2_PROXY_OIDC_ISSUER_URL=https://login.verbis.dkfz.de/realms/master
-      - OAUTH2_PROXY_CLIENT_ID=bridgehead-${SITE_ID}
-      - OAUTH2_PROXY_CLIENT_SECRET=${IDMANAGER_AUTH_CLIENT_SECRET}
+      - OAUTH2_PROXY_OIDC_ISSUER_URL=${OIDC_PRIVATE_URL}
+      - OAUTH2_PROXY_CLIENT_ID=${OIDC_PRIVATE_CLIENT_ID}
+      - OAUTH2_PROXY_CLIENT_SECRET=${OIDC_CLIENT_SECRET}
      - OAUTH2_PROXY_COOKIE_SECRET=${IDMANAGER_AUTH_COOKIE_SECRET}
      - OAUTH2_PROXY_COOKIE_NAME=_BRIDGEHEAD_oauth2_idm
      - OAUTH2_PROXY_COOKIE_DOMAINS=.${HOST}
+      - OAUTH2_PROXY_COOKIE_REFRESH=4m
+      - OAUTH2_PROXY_COOKIE_EXPIRE=24h
      - OAUTH2_PROXY_HTTP_ADDRESS=:4180
      - OAUTH2_PROXY_REVERSE_PROXY=true
      - OAUTH2_PROXY_WHITELIST_DOMAINS=.${HOST}
@@ -87,8 +90,8 @@ services:
      - OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
      - OAUTH2_PROXY_SET_XAUTHREQUEST=true
      # Keycloak has an expiration time of 60s therefore oauth2-proxy needs to refresh after that
-      - OAUTH2_PROXY_COOKIE_REFRESH=60s
-      - OAUTH2_PROXY_ALLOWED_GROUPS=DKTK-CCP-PPSN
+      - OAUTH2_PROXY_ALLOWED_GROUPS=${OIDC_PSP_GROUP}
+      - OAUTH2_PROXY_OIDC_GROUPS_CLAIM=${OIDC_GROUP_CLAIM}
      - OAUTH2_PROXY_PROXY_PREFIX=/oauth2-idm
    labels:
      - "traefik.enable=true"
--- a/ccp/modules/id-management-setup.sh
+++ b/ccp/modules/id-management-setup.sh
@@ -14,6 +14,8 @@ function idManagementSetup() {

 		# Ensure old ids are working !!!
 		export IDMANAGEMENT_FRIENDLY_ID=$(legacyIdMapping "$SITE_ID")
+
+		add_private_oidc_redirect_url "/oauth2-idm/callback"
 	fi
 }

--- a/ccp/modules/mtba-compose.yml
+++ b/ccp/modules/mtba-compose.yml
@@ -2,7 +2,7 @@ version: "3.7"

 services:
  mtba:
-    image: docker.verbis.dkfz.de/cache/samply/mtba:develop
+    image: docker.verbis.dkfz.de/cache/samply/mtba:${MTBA_TAG}
    container_name: bridgehead-mtba
    environment:
      BLAZE_STORE_URL: http://blaze:8080
@@ -22,9 +22,14 @@ services:
      HTTP_RELATIVE_PATH: "/mtba"
      OIDC_ADMIN_GROUP: "${OIDC_ADMIN_GROUP}"
      OIDC_CLIENT_ID: "${OIDC_PRIVATE_CLIENT_ID}"
-      OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
-      OIDC_REALM: "${OIDC_REALM}"
-      OIDC_URL: "${OIDC_URL}"
+      # TODO: Add following variables after moving to Authentik:
+      #OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
+      #OIDC_URL: "${OIDC_URL}"
+      # TODO: Remove following variables after moving to Authentik:
+      # Please add KECLOAK_CLIENT_SECRET in ccp.conf
+      OIDC_CLIENT_SECRET: "${KEYCLOAK_CLIENT_SECRET}"
+      OIDC_URL: "https://login.verbis.dkfz.de/realms/test-realm-01"
+      OIDC_ADMIN_URL: "https://login.verbis.dkfz.de/admin/realms/test-realm-01"

    labels:
      - "traefik.enable=true"
--- a/ccp/modules/obds2fhir-rest-compose.yml
+++ b/ccp/modules/obds2fhir-rest-compose.yml
@@ -3,7 +3,7 @@ version: "3.7"
 services:
  obds2fhir-rest:
    container_name: bridgehead-obds2fhir-rest
-    image: docker.verbis.dkfz.de/ccp/obds2fhir-rest:main
+    image: docker.verbis.dkfz.de/samply/obds2fhir-rest:main
    environment:
      IDTYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID
      MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
--- a/ccp/modules/teiler-compose.yml
+++ b/ccp/modules/teiler-compose.yml
@@ -13,13 +13,13 @@ services:
      - "traefik.http.middlewares.teiler_orchestrator_ccp_strip.stripprefix.prefixes=/ccp-teiler"
      - "traefik.http.routers.teiler_orchestrator_ccp.middlewares=teiler_orchestrator_ccp_strip"
    environment:
-      TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
-      TEILER_DASHBOARD_URL: "https://${HOST}/ccp-teiler-dashboard"
+      TEILER_BACKEND_URL: "/ccp-teiler-backend"
+      TEILER_DASHBOARD_URL: "/ccp-teiler-dashboard"
      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE_LOWER_CASE}"
      HTTP_RELATIVE_PATH: "/ccp-teiler"

  teiler-dashboard:
-    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:develop
+    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:${TEILER_DASHBOARD_TAG}
    container_name: bridgehead-teiler-dashboard
    labels:
      - "traefik.enable=true"
@@ -30,9 +30,9 @@ services:
      - "traefik.http.routers.teiler_dashboard_ccp.middlewares=teiler_dashboard_ccp_strip"
    environment:
      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
-      TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
+      TEILER_BACKEND_URL: "/ccp-teiler-backend"
+      TEILER_DASHBOARD_URL: "/ccp-teiler-dashboard"
      OIDC_URL: "${OIDC_URL}"
-      OIDC_REALM: "${OIDC_REALM}"
      OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}"
      OIDC_TOKEN_GROUP: "${OIDC_GROUP_CLAIM}"
      TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
@@ -40,8 +40,7 @@ services:
      TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
      TEILER_PROJECT: "${PROJECT}"
      EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
-      TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
-      TEILER_DASHBOARD_HTTP_RELATIVE_PATH: "/ccp-teiler-dashboard"
+      TEILER_ORCHESTRATOR_URL: "/ccp-teiler"
      TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
      TEILER_USER: "${OIDC_USER_GROUP}"
      TEILER_ADMIN: "${OIDC_ADMIN_GROUP}"
@@ -62,20 +61,12 @@ services:
    environment:
      LOG_LEVEL: "INFO"
      APPLICATION_PORT: "8085"
-      APPLICATION_ADDRESS: "${HOST}"
      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
-      CONFIG_ENV_VAR_PATH: "/run/secrets/ccp.conf"
      TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
-      TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
-      TEILER_DASHBOARD_DE_URL: "https://${HOST}/ccp-teiler-dashboard/de"
-      TEILER_DASHBOARD_EN_URL: "https://${HOST}/ccp-teiler-dashboard/en"
-      CENTRAX_URL: "${CENTRAXX_URL}"
+      TEILER_ORCHESTRATOR_URL: "/ccp-teiler"
+      TEILER_DASHBOARD_DE_URL: "/ccp-teiler-dashboard/de"
+      TEILER_DASHBOARD_EN_URL: "/ccp-teiler-dashboard/en"
      HTTP_PROXY: "http://forward_proxy:3128"
      ENABLE_MTBA: "${ENABLE_MTBA}"
      ENABLE_DATASHIELD: "${ENABLE_DATASHIELD}"
-    secrets:
-      - ccp.conf
-
-secrets:
-  ccp.conf:
-    file: /etc/bridgehead/ccp.conf
+      IDMANAGER_UPLOAD_APIKEY: "${IDMANAGER_UPLOAD_APIKEY}" # Only used to check if the ID Manager is active
--- a/ccp/modules/teiler.md
+++ b/ccp/modules/teiler.md
@@ -1,19 +0,0 @@
-# Teiler
-This module orchestrates the different microfrontends of the bridgehead as a single page application.  
-
-## Teiler Orchestrator
-Single SPA component that consists on the root HTML site of the single page application and a javascript code that
-gets the information about the microfrontend calling the teiler backend and is responsible for registering them. With the
-resulting mapping, it can initialize, mount and unmount the required microfrontends on the fly. 
-
-The microfrontends run independently in different containers and can be based on different frameworks (Angular, Vue, React,...)
-This microfrontends can run as single alone but need an extension with Single-SPA (https://single-spa.js.org/docs/ecosystem).
-There are also available three templates (Angular, Vue, React) to be directly extended to be used directly in the teiler.
-
-## Teiler Dashboard
-It consists on the main dashboard and a set of embedded services.
-### Login
-user and password in ccp.local.conf
-
-## Teiler Backend
-In this component, the microfrontends are configured.