From 72ecaadba84d25ae1aa57446a3db8dc09375739f Mon Sep 17 00:00:00 2001 From: Jan <59206115+Threated@users.noreply.github.com> Date: Tue, 15 Apr 2025 11:36:20 +0200 Subject: [PATCH 1/5] fix: ssh-tunnel-setup.sh (#293) --- modules/ssh-tunnel-setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ssh-tunnel-setup.sh b/modules/ssh-tunnel-setup.sh index eb49f1c..4ecf5a3 100644 --- a/modules/ssh-tunnel-setup.sh +++ b/modules/ssh-tunnel-setup.sh @@ -2,5 +2,5 @@ if [ -n "$ENABLE_SSH_TUNNEL" ]; then log INFO "SSH Tunnel setup detected -- will start SSH Tunnel." - OVERRIDE+=" -f ./$PROJECT/modules/ssh-tunnel-compose.yml" + OVERRIDE+=" -f ./modules/ssh-tunnel-compose.yml" fi From c5d08c50a46f46641e00a2971b6ed8671ffdd957 Mon Sep 17 00:00:00 2001 From: Enola Knezevic <115070135+enola-dkfz@users.noreply.github.com> Date: Wed, 16 Apr 2025 15:37:55 +0200 Subject: [PATCH 2/5] chore: add BBMRI ERIC acceptance env (#294) --- bbmri/modules/eric-setup.sh | 4 ++++ bbmri/modules/eric.acc.root.crt.pem | 20 ++++++++++++++++++++ bridgehead | 5 ++++- versions/acceptance | 3 +++ 4 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 bbmri/modules/eric.acc.root.crt.pem create mode 100644 versions/acceptance diff --git a/bbmri/modules/eric-setup.sh b/bbmri/modules/eric-setup.sh index d2f36bb..fd44e73 100644 --- a/bbmri/modules/eric-setup.sh +++ b/bbmri/modules/eric-setup.sh @@ -10,6 +10,10 @@ if [ "${ENABLE_ERIC}" == "true" ]; then export ERIC_BROKER_ID=broker.bbmri.samply.de export ERIC_ROOT_CERT=eric ;; + "acceptance") + export ERIC_BROKER_ID=broker-acc.bbmri-acc.samply.de + export ERIC_ROOT_CERT=eric.acc + ;; "test") export ERIC_BROKER_ID=broker-test.bbmri-test.samply.de export ERIC_ROOT_CERT=eric.test diff --git a/bbmri/modules/eric.acc.root.crt.pem b/bbmri/modules/eric.acc.root.crt.pem new file mode 100644 index 0000000..d11033c --- /dev/null +++ b/bbmri/modules/eric.acc.root.crt.pem 
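Review bot: The enabling check `if [ -n "$ENABLE_SSH_TUNNEL" ]` turns the tunnel on for any non-empty value, including `ENABLE_SSH_TUNNEL=false`, whereas `bbmri/modules/eric-setup.sh` in this same series gates on `[ "${ENABLE_ERIC}" == "true" ]`. Consider `if [ "${ENABLE_SSH_TUNNEL}" == "true" ]; then` for consistency, noting that an existing config that enables the tunnel with a value other than `true` would then need updating. The corrected override path is relative to the working directory, so it only holds when the script is run from the repository root, which appears to be the convention here but is not visible in the hunk.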
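Review bot: `ERIC_ROOT_CERT=eric.acc` only works because a file named `eric.acc.root.crt.pem` is added alongside it in the same commit, yet nothing in the case statement records that naming contract. A one-line comment above the case, e.g. `# ERIC_ROOT_CERT is the basename of modules/<name>.root.crt.pem for the selected environment`, would make the link explicit — please confirm the consumer really derives the path that way, since the code that reads ERIC_ROOT_CERT is not in the hunk. The enclosing `case` starts and ends outside the hunk.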
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUE/wu6FmI+KSMOalI65b+lI3HI4cwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjQwOTE2MTUyMzU0WhcNMzQw
+OTE0MTUyNDI0WjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAOt1I1FQt2bI4Nnjtg8JBYid29cBIkDT4MMb45Jr
+ays24y4R3WO7VJK9UjNduSq/A1jlA0W0A/szDf8Ojq6bBtg+uL92PTDjYH1QXwX0
+c7eMo2tvvyyrs/cb2/ovDBQ1lpibcxVmVAv042ASmil3SdqKKXpv3ATnF9I7V4cv
+fwB56FChaGIov5EK+9JOMjTx6oMlBEgUFR6qq/lSqM9my0HYwUFbX2W+nT9EKEIP
+9UP1eyfRZR3E/+oticnm/cS20BGCbjoYrNgLthXKyaASuhGoElKs8EZ3h9MiI+u0
+DpR0KpePhAkMLugBrgYWqkMwwD1684LfC4YVQrsLwzo5OW8CAwEAAaN7MHkwDgYD
+VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFPbXs3g3lMjH
+1JMe0a5aVbN7lB92MB8GA1UdIwQYMBaAFPbXs3g3lMjH1JMe0a5aVbN7lB92MBYG
+A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQBM5RsXb2HN
+FpC1mYfocXAn20Zu4d603qmc/IqkiOWbp36pWo+jk1AxejyRS9hEpQalgSnvcRPQ
+1hPEhGU+wvI0WWVi/01iNjVbXmJNPQEouXQWAT17dyp9vqQkPw8LNzpSV/qdPgbT
+Z9o3sZrjUsSLsK7A7Q5ky4ePkiJBaMsHeAD+wqGwpiJ4D2Xhp8e1v36TWM0qt2EA
+gySx9isx/jeGGPBmDqYB9BCal5lrihPN56jd+5pCkyXeZqKWiiXFJKXwcwxctYZc
+ADHIiTLLPXE8LHTUJAO51it1NAZ1S24aMzax4eWDXcWO7/ybbx5pkYkMd6EqlKHd
+8riQJIhY4huX
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/bridgehead b/bridgehead
index cbe7527..395504a 100755
--- a/bridgehead
+++ b/bridgehead
@@ -69,7 +69,7 @@ loadVars() {
 if [ "$(git rev-parse --abbrev-ref HEAD)" == "main" ]; then
 ENVIRONMENT="production"
 else
- ENVIRONMENT="test"
+ ENVIRONMENT="test" # we have acceptance environment in BBMRI ERIC and it would be more appropriate to default to that one in case the data they have in BH is real, but I'm gonna leave it as is for backward compatibility
 fi
 fi
 # Source the versions of the images components
@@ -80,6 +80,9 @@ loadVars() {
 "test")
 source ./versions/test
 ;;
+ "acceptance")
+ source ./versions/acceptance
+ ;;
 *)
 report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
 source ./versions/prod
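Review bot: The pinned acceptance root certificate is added without any human-readable record of what it is; decoding the DER suggests a self-signed CA with CN `Broker-Root` and a validity of roughly 2024-09-16 to 2034-09-14, none of which the commit message states. Please add the SHA-256 fingerprint and the notAfter date to the commit message or to a comment in `eric-setup.sh`, so operators can verify the pin out-of-band and schedule rotation before expiry. The file also ends without a trailing newline (`\ No newline at end of file`); PEM parsers should tolerate that, but adding the newline keeps future diffs clean.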
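Review bot: The roughly 200-character comment appended to `ENVIRONMENT="test"` makes the line hard to read and mixes a design note into executable code; a short comment above the assignment carries the same information. For example: `# TODO: BBMRI ERIC also has an "acceptance" environment, which would be a better` / `# default when the Bridgehead holds real data; kept as "test" for backward compatibility.` / `ENVIRONMENT="test"`. The surrounding `loadVars()` function starts before and ends after the hunk.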
diff --git a/versions/acceptance b/versions/acceptance
new file mode 100644
index 0000000..7d66e03
--- /dev/null
+++ b/versions/acceptance
@@ -0,0 +1,3 @@
+FOCUS_TAG=develop
+BEAM_TAG=develop
+BLAZE_TAG=main
\ No newline at end of file
From 7365be3e7bf4d6ab7a9dcc4d5de40c8a13e5a8dc Mon Sep 17 00:00:00 2001
From: Jan <59206115+Threated@users.noreply.github.com>
Date: Thu, 17 Apr 2025 12:01:45 +0200
Subject: [PATCH 3/5] chore(transfair): add option to disable tls verification (#295)

---
 modules/transfair-compose.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/transfair-compose.yml b/modules/transfair-compose.yml
index 81ef952..e7e0eea 100644
--- a/modules/transfair-compose.yml
+++ b/modules/transfair-compose.yml
@@ -22,6 +22,7 @@ services:
 - DATABASE_URL=sqlite://transfair/data_requests.sql?mode=rwc
 - RUST_LOG=${RUST_LOG:-info}
 - TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs
+ - TLS_DISABLE=${TRANSFAIR_TLS_DISABLE:-false}
 volumes:
 - /var/cache/bridgehead/${PROJECT}/transfair:/transfair
 - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
From 87f0e8ad7f6ca07f6b9c3e0ea1a96c44229d0293 Mon Sep 17 00:00:00 2001
From: Tim Schumacher
Date: Wed, 7 May 2025 14:15:25 +0200
Subject: [PATCH 4/5] Use temp directory for secret sync cache

---
 lib/functions.sh | 11 +++++++----
 lib/gitlab-token-helper.sh | 2 +-
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/lib/functions.sh b/lib/functions.sh
index a11920b..d30cf58 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
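Review bot: All three tags in the new acceptance profile are floating branch tags (`develop`, `develop`, `main`), so an acceptance Bridgehead re-pulls whatever was last pushed and two deployments can run different builds; the comment added to `bridgehead` in this same commit notes that acceptance may hold real data, which makes reproducibility matter. If floating tags are intended (for instance to mirror `versions/test`, which is not visible here), a comment at the top of the file saying so would help; otherwise pin immutable tags or image digests. The file also lacks a trailing newline.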
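Review bot: `TLS_DISABLE=${TRANSFAIR_TLS_DISABLE:-false}` defaults safely, but nothing documents the variable or surfaces when it is set, so a value left over in the `/etc/bridgehead` config would silently keep the TransFAIR container from verifying TLS (per the commit title; the exact semantics of `TLS_DISABLE` inside the image are not visible here). Suggest a YAML comment on the new line, e.g. `# TRANSFAIR_TLS_DISABLE=true turns off TLS verification; debugging only`, plus a warning-level `log` line in the module's setup script when the variable is `true`, so the condition shows up in the startup log. That setup script is not part of this hunk.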
@@ -347,18 +347,21 @@ function secret_sync_gitlab_token() { root_crt_file="/srv/docker/bridgehead/$PROJECT/root.crt.pem" fi - # Use Secret Sync to validate the GitLab token in /var/cache/bridgehead/secrets/gitlab_token. + # Create a temporary directory for Secret Sync that is valid per boot + secret_sync_tempdir="/tmp/secret-sync.boot-$(cat /proc/sys/kernel/random/boot_id)" + mkdir -p $secret_sync_tempdir + + # Use Secret Sync to validate the GitLab token in $secret_sync_tempdir/cache. # If it is missing or expired, Secret Sync will create a new token and write it to the file. # The git credential helper reads the token from the file during git pull. - mkdir -p /var/cache/bridgehead/secrets - touch /var/cache/bridgehead/secrets/gitlab_token # the file has to exist to be mounted correctly in the Docker container log "INFO" "Running Secret Sync for the GitLab token (gitlab=$gitlab)" docker pull docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest # make sure we have the latest image docker run --rm \ - -v /var/cache/bridgehead/secrets/gitlab_token:/usr/local/cache \ -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \ -v $root_crt_file:/run/secrets/root.crt.pem:ro \ -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \ + -v $secret_sync_tempdir:/secret-sync/ \ + -e CACHE_PATH=/secret-sync/gitlab-token \ -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \ -e NO_PROXY=localhost,127.0.0.1 \ -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \ diff --git a/lib/gitlab-token-helper.sh b/lib/gitlab-token-helper.sh index e618029..56d65c6 100755 --- a/lib/gitlab-token-helper.sh +++ b/lib/gitlab-token-helper.sh @@ -2,7 +2,7 @@ [ "$1" = "get" ] || exit -source /var/cache/bridgehead/secrets/gitlab_token +source "/tmp/secret-sync.boot-$(cat /proc/sys/kernel/random/boot_id)/gitlab-token" # Any non-empty username works, only the token matters cat << EOF From 9782bf66b6c407582334af62a163962c79325bca Mon Sep 17 00:00:00 2001 
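Review bot: The new cache directory lives in the shared, world-writable `/tmp` under a name every local account can compute (`/proc/sys/kernel/random/boot_id` is world-readable), and `mkdir -p $secret_sync_tempdir` adopts a pre-existing directory without checking who owns it, so the GitLab token that Secret Sync writes to `$secret_sync_tempdir/gitlab-token` can end up in a directory controlled by another local user; patch 5 keeps the same property under `/tmp/bridgehead/`. The previous `/var/cache/bridgehead/secrets` location did not have this problem because it is not a shared directory (presumably root-owned; confirm). Suggest either moving the per-boot cache to a root-owned tmpfs such as `/run/bridgehead` (cleared per boot anyway, which makes the boot_id suffix unnecessary) or, if `/tmp` must stay, creating the final directory with mode 0700 and refusing it when it is a symlink or not owned by the current user, quoting the expansions as well (the fence uses `log`/`return`; adapt to the file's error path). The comment `# Use Secret Sync to validate the GitLab token in $secret_sync_tempdir/cache` also disagrees with the mounted `CACHE_PATH=/secret-sync/gitlab-token`, which maps to `$secret_sync_tempdir/gitlab-token`. `secret_sync_gitlab_token()` starts before the hunk and the `docker run` command continues past its end.
```shell
    # Per-boot cache for Secret Sync. /tmp is shared, so create the final directory
    # with mode 0700 and refuse one we did not create ourselves (symlink or foreign owner).
    secret_sync_tempdir="/tmp/secret-sync.boot-$(cat /proc/sys/kernel/random/boot_id)"
    mkdir -p -m 0700 "$secret_sync_tempdir"
    if [ -L "$secret_sync_tempdir" ] || [ ! -O "$secret_sync_tempdir" ]; then
        log "ERROR" "Refusing to use $secret_sync_tempdir: not a directory owned by this user"
        return 1
    fi

    # Use Secret Sync to validate the GitLab token in $secret_sync_tempdir/gitlab-token.
    # … unchanged: remaining comments, log, docker pull, docker run (now with "$secret_sync_tempdir" quoted in the -v mount) …
```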
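Review bot: `source` executes whatever is in the token file as shell code inside this credential helper, so the file under the shared `/tmp` path (the same path in patch 5) needs at least the ownership check proposed for `lib/functions.sh`, and ideally the token should be parsed rather than sourced so file contents can never become commands. If the file is a single `KEY=value` line (its format is not visible here), something like `IFS='=' read -r _ token < "$token_file"` would do; the remainder after the first `=` lands in `token`. The path is also spelled out independently in both files, so deriving it in one place would keep them from drifting apart. The here-document that prints the credential continues past the end of the hunk.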
From: Martin Lablans <6804500+lablans@users.noreply.github.com> Date: Wed, 7 May 2025 16:13:16 +0200 Subject: [PATCH 5/5] Code review: Move to /tmp/bridgehead/... --- lib/functions.sh | 2 +- lib/gitlab-token-helper.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/functions.sh b/lib/functions.sh index d30cf58..680032c 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -348,7 +348,7 @@ function secret_sync_gitlab_token() { fi # Create a temporary directory for Secret Sync that is valid per boot - secret_sync_tempdir="/tmp/secret-sync.boot-$(cat /proc/sys/kernel/random/boot_id)" + secret_sync_tempdir="/tmp/bridgehead/secret-sync.boot-$(cat /proc/sys/kernel/random/boot_id)" mkdir -p $secret_sync_tempdir # Use Secret Sync to validate the GitLab token in $secret_sync_tempdir/cache. diff --git a/lib/gitlab-token-helper.sh b/lib/gitlab-token-helper.sh index 56d65c6..1aa7a62 100755 --- a/lib/gitlab-token-helper.sh +++ b/lib/gitlab-token-helper.sh @@ -2,7 +2,7 @@ [ "$1" = "get" ] || exit -source "/tmp/secret-sync.boot-$(cat /proc/sys/kernel/random/boot_id)/gitlab-token" +source "/tmp/bridgehead/secret-sync.boot-$(cat /proc/sys/kernel/random/boot_id)/gitlab-token" # Any non-empty username works, only the token matters cat << EOF