mirror of https://github.com/samply/bridgehead.git
Integrate central Keycloak in Teiler
This commit is contained in:
juarez
parent
93a91326a2
commit
dc3d5496e1
|
|
@ -6,7 +6,8 @@ services:
|
|||
image: docker.verbis.dkfz.de/ccp/dktk-rstudio:latest
|
||||
environment:
|
||||
#DEFAULT_USER: "rstudio" # This line is kept for informational purposes
|
||||
PASSWORD: "${LDM_AUTH}"
|
||||
#PASSWORD: "${LDM_AUTH}"
|
||||
DISABLE_AUTH: "true" # TODO: Connect R-Studio with central Keycloak. Currently using Traefik authentication.
|
||||
HTTP_RELATIVE_PATH: "/rstudio"
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
|
|
@ -14,7 +15,7 @@ services:
|
|||
- "traefik.http.services.rstudio_ccp.loadbalancer.server.port=8787"
|
||||
- "traefik.http.routers.rstudio_ccp.tls=true"
|
||||
- "traefik.http.middlewares.rstudio_ccp_strip.stripprefix.prefixes=/rstudio"
|
||||
- "traefik.http.routers.rstudio_ccp.middlewares=rstudio_ccp_strip"
|
||||
- "traefik.http.routers.rstudio_ccp.middlewares=rstudio_ccp_strip,auth"
|
||||
|
||||
opal:
|
||||
container_name: bridgehead-opal
|
||||
|
|
@ -30,7 +31,7 @@ services:
|
|||
environment:
|
||||
JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC -Dhttps.proxyHost=forward_proxy -Dhttps.proxyPort=3128"
|
||||
# OPAL_ADMINISTRATOR_USER: "administrator" # This line is kept for informational purposes
|
||||
OPAL_ADMINISTRATOR_PASSWORD: "${LDM_AUTH}"
|
||||
OPAL_ADMINISTRATOR_PASSWORD: "${OPAL_ADMIN_PASSWORD}"
|
||||
POSTGRESDATA_HOST: "opal-db"
|
||||
POSTGRESDATA_DATABASE: "opal"
|
||||
POSTGRESDATA_USER: "opal"
|
||||
|
|
@ -40,6 +41,13 @@ services:
|
|||
APP_CONTEXT_PATH: "/opal"
|
||||
OPAL_PRIVATE_KEY: "/run/secrets/opal-key.pem"
|
||||
OPAL_CERTIFICATE: "/run/secrets/opal-cert.pem"
|
||||
KEYCLOAK_URL: "https://login.verbis.dkfz.de"
|
||||
KEYCLOAK_REALM: "test-realm-01"
|
||||
KEYCLOAK_CLIENT_ID: "${SITE_ID}-private"
|
||||
KEYCLOAK_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
|
||||
KEYCLOAK_ADMIN_GROUP: "${KEYCLOAK_ADMIN_GROUP}"
|
||||
TOKEN_MANAGER_PASSWORD: "${TOKEN_MANAGER_OPAL_PASSWORD}"
|
||||
EXPORTER_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
|
||||
secrets:
|
||||
- opal-cert.pem
|
||||
- opal-key.pem
|
||||
|
|
|
|||
|
|
@ -3,7 +3,10 @@
|
|||
if [ "$ENABLE_DATASHIELD" == true ]; then
|
||||
log INFO "DataSHIELD setup detected -- will start DataSHIELD services."
|
||||
OVERRIDE+=" -f ./$PROJECT/modules/datashield-compose.yml"
|
||||
OPAL_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
|
||||
EXPORTER_OPAL_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Opal DB. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
|
||||
TOKEN_MANAGER_OPAL_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Token Manager in Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
|
||||
OPAL_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Opal DB. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
|
||||
OPAL_ADMIN_PASSWORD="$(echo \"This is a salt string to generate one consistent admin password for Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
|
||||
DATASHIELD_CONNECT_SECRET="$(echo \"This is a salt string to generate one consistent password as the DataShield Connect secret. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
|
||||
if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then
|
||||
mkdir -p /tmp/bridgehead/
|
||||
|
|
@ -20,4 +23,5 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
|
|||
}]' > /tmp/bridgehead/opal-map/local.json
|
||||
cp -f ./$PROJECT/modules/datashield-mappings.json /tmp/bridgehead/opal-map/central.json
|
||||
chown -R bridgehead:docker /tmp/bridgehead/
|
||||
generate_private_oidc_client "OIDC_CLIENT_SECRET" "https://${HOST}/opal/*"
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@ services:
|
|||
HTTP_RELATIVE_PATH: "/ccp-exporter"
|
||||
SITE: "${SITE_ID}"
|
||||
HTTP_SERVLET_REQUEST_SCHEME: "https"
|
||||
OPAL_ADMINISTRATOR_PASSWORD: "${LDM_AUTH}"
|
||||
OPAL_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.http.routers.exporter_ccp.rule=PathPrefix(`/ccp-exporter`)"
|
||||
|
|
|
|||
|
|
@ -31,9 +31,10 @@ services:
|
|||
environment:
|
||||
DEFAULT_LANGUAGE: "${DEFAULT_LANGUAGE}"
|
||||
TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
|
||||
KEYCLOAK_URL: "https://${HOST}/login"
|
||||
KEYCLOAK_REALM: "teiler"
|
||||
KEYCLOAK_CLIENT_ID: "teiler"
|
||||
KEYCLOAK_URL: "https://login.verbis.dkfz.de"
|
||||
KEYCLOAK_REALM: "test-realm-01"
|
||||
KEYCLOAK_CLIENT_ID: "${SITE_ID}-public"
|
||||
KEYCLOAK_TOKEN_GROUP: "groups"
|
||||
TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
|
||||
TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
|
||||
TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
|
||||
|
|
@ -42,8 +43,8 @@ services:
|
|||
TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
|
||||
TEILER_DASHBOARD_HTTP_RELATIVE_PATH: "/ccp-teiler-dashboard"
|
||||
TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
|
||||
TEILER_USER: "TEILER_USER"
|
||||
TEILER_ADMIN: "TEILER_ADMIN"
|
||||
TEILER_USER: "${KEYCLOAK_USER_GROUP}"
|
||||
TEILER_ADMIN: "${KEYCLOAK_ADMIN_GROUP}"
|
||||
|
||||
teiler-backend:
|
||||
image: docker.verbis.dkfz.de/ccp/dktk-teiler-backend:latest
|
||||
|
|
|
|||
|
|
@ -3,4 +3,5 @@
|
|||
if [ "$ENABLE_TEILER" == true ];then
|
||||
log INFO "Teiler setup detected -- will start Teiler services."
|
||||
OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml"
|
||||
generate_public_oidc_client "OIDC_PUBLIC" "https://${HOST}/ccp-teiler/*"
|
||||
fi
|
||||
|
|
|
|||
3
ccp/vars
3
ccp/vars
|
|
@ -10,10 +10,11 @@ BROKER_URL_FOR_PREREQ=$BROKER_URL
|
|||
DEFAULT_LANGUAGE=DE
|
||||
DEFAULT_LANGUAGE_LOWER_CASE=${DEFAULT_LANGUAGE,,}
|
||||
ENABLE_EXPORTER=true
|
||||
ENABLE_LOGIN=true
|
||||
ENABLE_TEILER=true
|
||||
#ENABLE_DATASHIELD=true
|
||||
|
||||
KEYCLOAK_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})"
|
||||
KEYCLOAK_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter"
|
||||
POSTGRES_TAG=15.6-alpine
|
||||
|
||||
for module in $PROJECT/modules/*.sh
|
||||
|
|
|
|||
|
|
@ -275,14 +275,20 @@ function sync_secrets() {
|
|||
docker run --rm \
|
||||
-v /var/cache/bridgehead/secrets/oidc:/usr/local/cache \
|
||||
-v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
|
||||
-v ./$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
|
||||
-v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
|
||||
-v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
|
||||
-e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
|
||||
-e HTTPS_PROXY=$HTTPS_PROXY_FULL_URL \
|
||||
-e PROXY_ID=$PROXY_ID \
|
||||
-e BROKER_URL=$BROKER_URL \
|
||||
-e OIDC_PROVIDER=secret-sync-central.oidc.$BROKER_ID \
|
||||
-e OIDC_PROVIDER=secret-sync-central.dev-jan.$BROKER_ID \
|
||||
-e SECRET_DEFINITIONS=$SECRET_SYNC_ARGS \
|
||||
docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
|
||||
source /var/cache/bridgehead/secrets/*
|
||||
}
|
||||
|
||||
capitalize_first_letter() {
|
||||
input="$1"
|
||||
capitalized="$(tr '[:lower:]' '[:upper:]' <<< ${input:0:1})${input:1}"
|
||||
echo "$capitalized"
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue