Merge pull request #300 from samply/develop

Merge develop into main
2025-05-09 09:31:47 +02:00 · 2025-05-09 09:31:47 +02:00 · e22ac4b066
parent cd38957dd7 9782bf66b6
commit e22ac4b066
8 changed files with 41 additions and 7 deletions
--- a/bbmri/modules/eric-setup.sh
+++ b/bbmri/modules/eric-setup.sh
@ -10,6 +10,10 @@ if [ "${ENABLE_ERIC}" == "true" ]; then
 			export ERIC_BROKER_ID=broker.bbmri.samply.de
 			export ERIC_ROOT_CERT=eric
 			;;
 		"acceptance")
 			export ERIC_BROKER_ID=broker-acc.bbmri-acc.samply.de
 			export ERIC_ROOT_CERT=eric.acc
 			;;
 		"test")
 			export ERIC_BROKER_ID=broker-test.bbmri-test.samply.de
 			export ERIC_ROOT_CERT=eric.test
--- a/bbmri/modules/eric.acc.root.crt.pem
+++ b/bbmri/modules/eric.acc.root.crt.pem
@ -0,0 +1,20 @@
 -----BEGIN CERTIFICATE-----
 MIIDNTCCAh2gAwIBAgIUE/wu6FmI+KSMOalI65b+lI3HI4cwDQYJKoZIhvcNAQEL
 BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjQwOTE2MTUyMzU0WhcNMzQw
 OTE0MTUyNDI0WjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
 AQEBBQADggEPADCCAQoCggEBAOt1I1FQt2bI4Nnjtg8JBYid29cBIkDT4MMb45Jr
 ays24y4R3WO7VJK9UjNduSq/A1jlA0W0A/szDf8Ojq6bBtg+uL92PTDjYH1QXwX0
 c7eMo2tvvyyrs/cb2/ovDBQ1lpibcxVmVAv042ASmil3SdqKKXpv3ATnF9I7V4cv
 fwB56FChaGIov5EK+9JOMjTx6oMlBEgUFR6qq/lSqM9my0HYwUFbX2W+nT9EKEIP
 9UP1eyfRZR3E/+oticnm/cS20BGCbjoYrNgLthXKyaASuhGoElKs8EZ3h9MiI+u0
 DpR0KpePhAkMLugBrgYWqkMwwD1684LfC4YVQrsLwzo5OW8CAwEAAaN7MHkwDgYD
 VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFPbXs3g3lMjH
 1JMe0a5aVbN7lB92MB8GA1UdIwQYMBaAFPbXs3g3lMjH1JMe0a5aVbN7lB92MBYG
 A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQBM5RsXb2HN
 FpC1mYfocXAn20Zu4d603qmc/IqkiOWbp36pWo+jk1AxejyRS9hEpQalgSnvcRPQ
 1hPEhGU+wvI0WWVi/01iNjVbXmJNPQEouXQWAT17dyp9vqQkPw8LNzpSV/qdPgbT
 Z9o3sZrjUsSLsK7A7Q5ky4ePkiJBaMsHeAD+wqGwpiJ4D2Xhp8e1v36TWM0qt2EA
 gySx9isx/jeGGPBmDqYB9BCal5lrihPN56jd+5pCkyXeZqKWiiXFJKXwcwxctYZc
 ADHIiTLLPXE8LHTUJAO51it1NAZ1S24aMzax4eWDXcWO7/ybbx5pkYkMd6EqlKHd
 8riQJIhY4huX
 -----END CERTIFICATE-----
--- a/5
+++ b/5
@ -69,7 +69,7 @@ loadVars() {
 		if [ "$(git rev-parse --abbrev-ref HEAD)" == "main" ]; then
 			ENVIRONMENT="production"
 		else
-			ENVIRONMENT="test"
+			ENVIRONMENT="test" # we have acceptance environment in BBMRI ERIC and it would be more appropriate to default to that one in case the data they have in BH is real, but I'm gonna leave it as is for backward compatibility
 		fi
 	fi
 	# Source the versions of the images components 
@ -80,6 +80,9 @@ loadVars() {
 		"test")
 			source ./versions/test
 			;;
 		"acceptance")
 			source ./versions/acceptance
 			;;
 		*)
 			report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
 			source ./versions/prod
--- a/lib/functions.sh
+++ b/lib/functions.sh
@ -347,18 +347,21 @@ function secret_sync_gitlab_token() {
        root_crt_file="/srv/docker/bridgehead/$PROJECT/root.crt.pem"
    fi
-    # Use Secret Sync to validate the GitLab token in /var/cache/bridgehead/secrets/gitlab_token.
+    # Create a temporary directory for Secret Sync that is valid per boot
    secret_sync_tempdir="/tmp/bridgehead/secret-sync.boot-$(cat /proc/sys/kernel/random/boot_id)"
    mkdir -p $secret_sync_tempdir
    # Use Secret Sync to validate the GitLab token in $secret_sync_tempdir/cache.
    # If it is missing or expired, Secret Sync will create a new token and write it to the file.
    # The git credential helper reads the token from the file during git pull.
    mkdir -p /var/cache/bridgehead/secrets
    touch /var/cache/bridgehead/secrets/gitlab_token # the file has to exist to be mounted correctly in the Docker container
    log "INFO" "Running Secret Sync for the GitLab token (gitlab=$gitlab)"
    docker pull docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest # make sure we have the latest image
    docker run --rm \
        -v /var/cache/bridgehead/secrets/gitlab_token:/usr/local/cache \
        -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
        -v $root_crt_file:/run/secrets/root.crt.pem:ro \
        -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
        -v $secret_sync_tempdir:/secret-sync/ \
        -e CACHE_PATH=/secret-sync/gitlab-token \
        -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
        -e NO_PROXY=localhost,127.0.0.1 \
        -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
--- a/lib/gitlab-token-helper.sh
+++ b/lib/gitlab-token-helper.sh
@ -2,7 +2,7 @@
 [ "$1" = "get" ] || exit
-source /var/cache/bridgehead/secrets/gitlab_token
+source "/tmp/bridgehead/secret-sync.boot-$(cat /proc/sys/kernel/random/boot_id)/gitlab-token"
 # Any non-empty username works, only the token matters
 cat << EOF
--- a/modules/ssh-tunnel-setup.sh
+++ b/modules/ssh-tunnel-setup.sh
@ -2,5 +2,5 @@
 if [ -n "$ENABLE_SSH_TUNNEL" ]; then
 	log INFO "SSH Tunnel setup detected -- will start SSH Tunnel."
-	OVERRIDE+=" -f ./$PROJECT/modules/ssh-tunnel-compose.yml"
+	OVERRIDE+=" -f ./modules/ssh-tunnel-compose.yml"
 fi
--- a/modules/transfair-compose.yml
+++ b/modules/transfair-compose.yml
@ -22,6 +22,7 @@ services:
      - DATABASE_URL=sqlite://transfair/data_requests.sql?mode=rwc
      - RUST_LOG=${RUST_LOG:-info}
      - TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs
      - TLS_DISABLE=${TRANSFAIR_TLS_DISABLE:-false}
    volumes:
      - /var/cache/bridgehead/${PROJECT}/transfair:/transfair
      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
--- a/versions/acceptance
+++ b/versions/acceptance
@ -0,0 +1,3 @@
 FOCUS_TAG=develop
 BEAM_TAG=develop
 BLAZE_TAG=main