Merge pull request #300 from samply/develop

Merge develop into main
2025-05-09 09:31:47 +02:00 · 2025-05-09 09:31:47 +02:00 · e22ac4b066
parent cd38957dd7 9782bf66b6
commit e22ac4b066
8 changed files with 41 additions and 7 deletions
--- a/bbmri/modules/eric-setup.sh
+++ b/bbmri/modules/eric-setup.sh
@ -10,6 +10,10 @@ if [ "${ENABLE_ERIC}" == "true" ]; then
 			export ERIC_BROKER_ID=broker.bbmri.samply.de
 			export ERIC_ROOT_CERT=eric
 			;;
+		"acceptance")
+			export ERIC_BROKER_ID=broker-acc.bbmri-acc.samply.de
+			export ERIC_ROOT_CERT=eric.acc
+			;;
 		"test")
 			export ERIC_BROKER_ID=broker-test.bbmri-test.samply.de
 			export ERIC_ROOT_CERT=eric.test
--- a/bbmri/modules/eric.acc.root.crt.pem
+++ b/bbmri/modules/eric.acc.root.crt.pem
@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUE/wu6FmI+KSMOalI65b+lI3HI4cwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjQwOTE2MTUyMzU0WhcNMzQw
+OTE0MTUyNDI0WjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAOt1I1FQt2bI4Nnjtg8JBYid29cBIkDT4MMb45Jr
+ays24y4R3WO7VJK9UjNduSq/A1jlA0W0A/szDf8Ojq6bBtg+uL92PTDjYH1QXwX0
+c7eMo2tvvyyrs/cb2/ovDBQ1lpibcxVmVAv042ASmil3SdqKKXpv3ATnF9I7V4cv
+fwB56FChaGIov5EK+9JOMjTx6oMlBEgUFR6qq/lSqM9my0HYwUFbX2W+nT9EKEIP
+9UP1eyfRZR3E/+oticnm/cS20BGCbjoYrNgLthXKyaASuhGoElKs8EZ3h9MiI+u0
+DpR0KpePhAkMLugBrgYWqkMwwD1684LfC4YVQrsLwzo5OW8CAwEAAaN7MHkwDgYD
+VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFPbXs3g3lMjH
+1JMe0a5aVbN7lB92MB8GA1UdIwQYMBaAFPbXs3g3lMjH1JMe0a5aVbN7lB92MBYG
+A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQBM5RsXb2HN
+FpC1mYfocXAn20Zu4d603qmc/IqkiOWbp36pWo+jk1AxejyRS9hEpQalgSnvcRPQ
+1hPEhGU+wvI0WWVi/01iNjVbXmJNPQEouXQWAT17dyp9vqQkPw8LNzpSV/qdPgbT
+Z9o3sZrjUsSLsK7A7Q5ky4ePkiJBaMsHeAD+wqGwpiJ4D2Xhp8e1v36TWM0qt2EA
+gySx9isx/jeGGPBmDqYB9BCal5lrihPN56jd+5pCkyXeZqKWiiXFJKXwcwxctYZc
+ADHIiTLLPXE8LHTUJAO51it1NAZ1S24aMzax4eWDXcWO7/ybbx5pkYkMd6EqlKHd
+8riQJIhY4huX
+-----END CERTIFICATE-----
--- a/5
+++ b/5
@ -69,7 +69,7 @@ loadVars() {
 		if [ "$(git rev-parse --abbrev-ref HEAD)" == "main" ]; then
 			ENVIRONMENT="production"
 		else
-			ENVIRONMENT="test"
+			ENVIRONMENT="test" # we have acceptance environment in BBMRI ERIC and it would be more appropriate to default to that one in case the data they have in BH is real, but I'm gonna leave it as is for backward compatibility
 		fi
 	fi
 	# Source the versions of the images components 
@ -80,6 +80,9 @@ loadVars() {
 		"test")
 			source ./versions/test
 			;;
+		"acceptance")
+			source ./versions/acceptance
+			;;
 		*)
 			report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
 			source ./versions/prod
--- a/lib/functions.sh
+++ b/lib/functions.sh
@ -347,18 +347,21 @@ function secret_sync_gitlab_token() {
        root_crt_file="/srv/docker/bridgehead/$PROJECT/root.crt.pem"
    fi

-    # Use Secret Sync to validate the GitLab token in /var/cache/bridgehead/secrets/gitlab_token.
+    # Create a temporary directory for Secret Sync that is valid per boot
+    secret_sync_tempdir="/tmp/bridgehead/secret-sync.boot-$(cat /proc/sys/kernel/random/boot_id)"
+    mkdir -p $secret_sync_tempdir
+
+    # Use Secret Sync to validate the GitLab token in $secret_sync_tempdir/cache.
    # If it is missing or expired, Secret Sync will create a new token and write it to the file.
    # The git credential helper reads the token from the file during git pull.
-    mkdir -p /var/cache/bridgehead/secrets
-    touch /var/cache/bridgehead/secrets/gitlab_token # the file has to exist to be mounted correctly in the Docker container
    log "INFO" "Running Secret Sync for the GitLab token (gitlab=$gitlab)"
    docker pull docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest # make sure we have the latest image
    docker run --rm \
-        -v /var/cache/bridgehead/secrets/gitlab_token:/usr/local/cache \
        -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
        -v $root_crt_file:/run/secrets/root.crt.pem:ro \
        -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
+        -v $secret_sync_tempdir:/secret-sync/ \
+        -e CACHE_PATH=/secret-sync/gitlab-token \
        -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
        -e NO_PROXY=localhost,127.0.0.1 \
        -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
--- a/lib/gitlab-token-helper.sh
+++ b/lib/gitlab-token-helper.sh
@ -2,7 +2,7 @@

 [ "$1" = "get" ] || exit

-source /var/cache/bridgehead/secrets/gitlab_token
+source "/tmp/bridgehead/secret-sync.boot-$(cat /proc/sys/kernel/random/boot_id)/gitlab-token"

 # Any non-empty username works, only the token matters
 cat << EOF
--- a/modules/ssh-tunnel-setup.sh
+++ b/modules/ssh-tunnel-setup.sh
@ -2,5 +2,5 @@

 if [ -n "$ENABLE_SSH_TUNNEL" ]; then
 	log INFO "SSH Tunnel setup detected -- will start SSH Tunnel."
-	OVERRIDE+=" -f ./$PROJECT/modules/ssh-tunnel-compose.yml"
+	OVERRIDE+=" -f ./modules/ssh-tunnel-compose.yml"
 fi
--- a/modules/transfair-compose.yml
+++ b/modules/transfair-compose.yml
@ -22,6 +22,7 @@ services:
      - DATABASE_URL=sqlite://transfair/data_requests.sql?mode=rwc
      - RUST_LOG=${RUST_LOG:-info}
      - TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs
+      - TLS_DISABLE=${TRANSFAIR_TLS_DISABLE:-false}
    volumes:
      - /var/cache/bridgehead/${PROJECT}/transfair:/transfair
      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
--- a/versions/acceptance
+++ b/versions/acceptance
@ -0,0 +1,3 @@
+FOCUS_TAG=develop
+BEAM_TAG=develop
+BLAZE_TAG=main