From 8fddb809a76078ecba0eac288983ddd13f281b46 Mon Sep 17 00:00:00 2001 From: Croft Date: Thu, 25 Jan 2024 13:49:46 +0100 Subject: [PATCH 01/82] Recommendation for standalone Bridgehead Requested by Zdenka --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index d892b19..36c702e 100644 --- a/README.md +++ b/README.md @@ -34,6 +34,10 @@ This repository is the starting point for any information and tools you will nee ## Requirements +We recommend a dedicated VM for the Bridgehead, with nothing else running on it. + +It may to be possible to run other apps on the same server, if they don't share common ports with the Bridgehead, and if they do not take up resources that the Bridgehead needs, like RAM. The Bridgehead may also have problems if other applications need older versions of git, Docker or curl. + The data protection group at your site will probably want to know exactly what our software does with patient data, and you may need to get their approval before you are allowed to install a Bridgehead. To help you with this, we have provided some data protection concepts: - [Germany](https://www.bbmri.de/biobanking/it/infrastruktur/datenschutzkonzept/) From e4bc34cce97aa731d379f46e421cb7a27e26ffc7 Mon Sep 17 00:00:00 2001 From: Croft Date: Wed, 21 Feb 2024 10:08:54 +0100 Subject: [PATCH 02/82] Amended following Tobias' comments --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 36c702e..7017a5b 100644 --- a/README.md +++ b/README.md 
@@ -34,9 +34,9 @@ This repository is the starting point for any information and tools you will nee ## Requirements -We recommend a dedicated VM for the Bridgehead, with nothing else running on it. +To guarantee a smooth operation of the Bridgehead, we recommend a dedicated VM for the Bridgehead, with no other applications running on it. -It may to be possible to run other apps on the same server, if they don't share common ports with the Bridgehead, and if they do not take up resources that the Bridgehead needs, like RAM. The Bridgehead may also have problems if other applications need older versions of git, Docker or curl. +It may to be possible to run other apps on the same server, if they don't share common ports with the Bridgehead, and if they do not take up resources that the Bridgehead needs, like RAM. The Bridgehead may also run into issues if other applications need incompatible versions of git, Docker, curl, or other dependencies. The data protection group at your site will probably want to know exactly what our software does with patient data, and you may need to get their approval before you are allowed to install a Bridgehead. To help you with this, we have provided some data protection concepts: From 8104711075101b84d35dad9bb800a4a0d520097e Mon Sep 17 00:00:00 2001 From: Croft Date: Wed, 6 Mar 2024 11:26:07 +0100 Subject: [PATCH 03/82] Allow user to push star model facts to Directory This takes advantage of new functionality added to Directory sync. Defaults to false. --- bbmri/modules/directory-sync-compose.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/bbmri/modules/directory-sync-compose.yml b/bbmri/modules/directory-sync-compose.yml index 9776ecb..99cb467 100644 --- a/bbmri/modules/directory-sync-compose.yml +++ b/bbmri/modules/directory-sync-compose.yml 
@@ -6,3 +6,4 @@ services: DS_DIRECTORY_USER_NAME: ${DS_DIRECTORY_USER_NAME} DS_DIRECTORY_PASS_CODE: ${DS_DIRECTORY_PASS_CODE} DS_TIMER_CRON: ${DS_TIMER_CRON} + DS_DIRECTORY_ALLOW_STAR_MODEL: ${DS_DIRECTORY_ALLOW_STAR_MODEL} From 1a928e670187ae3c29a75d576df4406cbfa02c70 Mon Sep 17 00:00:00 2001 From: Croft Date: Wed, 6 Mar 2024 11:35:17 +0100 Subject: [PATCH 04/82] Included the new functionality into the README --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 05038ae..4f03fd5 100644 --- a/README.md +++ b/README.md @@ -298,6 +298,8 @@ Once you have added your biobank to the Directory you got persistent identifier The Bridgehead's **Directory Sync** is an optional feature that keeps the Directory up to date with your local data, e.g. number of samples. Conversely, it also updates the local FHIR store with the latest contact details etc. from the Directory. You must explicitly set your country specific directory URL, username and password to enable this feature. +You should talk with your local data protection group regarding the information that is published by Directory sync. + Full details can be found in [directory_sync_service](https://github.com/samply/directory_sync_service). To enable it, you will need to set these variables to the ```bbmri.conf``` file of your GitLab repository. Here is an example config: @@ -306,6 +308,7 @@ To enable it, you will need to set these variables to the ```bbmri.conf``` file DS_DIRECTORY_URL=https://directory.bbmri-eric.eu DS_DIRECTORY_USER_NAME=your_directory_username DS_DIRECTORY_USER_PASS=qwdnqwswdvqHBVGFR9887 +DS_DIRECTORY_ALLOW_STAR_MODEL=true DS_TIMER_CRON="0 22 * * *" ``` You must contact the Directory team for your national node to find the URL, and to register as a user. From 033da484d123c03bc9f4e69c0c571dca7711c1bd Mon Sep 17 00:00:00 2001 
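Review bot: `DS_DIRECTORY_ALLOW_STAR_MODEL: ${DS_DIRECTORY_ALLOW_STAR_MODEL}` hands an empty string to the container when the variable is absent from a site's `bbmri.conf`, so the "defaults to false" in the commit message relies on the directory-sync image's own fallback rather than being enforced here. The neighbouring settings also carry no default, but they are required values, whereas this one is an opt-in that controls what gets published to the Directory; writing the default into the compose file, `DS_DIRECTORY_ALLOW_STAR_MODEL: ${DS_DIRECTORY_ALLOW_STAR_MODEL:-false}`, makes the opt-in explicit and independent of the image version.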
From: Patrick Skowronek Date: Tue, 21 May 2024 16:16:40 +0200 Subject: [PATCH 05/82] switch focus of ccp to tag --- ccp/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml index c4a3b0f..331ce0d 100644 --- a/ccp/docker-compose.yml +++ b/ccp/docker-compose.yml @@ -21,7 +21,7 @@ services: - "traefik.http.routers.blaze_ccp.tls=true" focus: - image: docker.verbis.dkfz.de/cache/samply/focus:0.4.4 + image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG} container_name: bridgehead-focus environment: API_KEY: ${FOCUS_BEAM_SECRET_SHORT} From a018104e0bdde6312277472d19bd2c68971a5e8c Mon Sep 17 00:00:00 2001 From: janskiba Date: Wed, 5 Jun 2024 12:35:44 +0000 Subject: [PATCH 06/82] feat: Add logs command for journalctl and rename old one to docker-logs --- README.md | 7 ++++--- bridgehead | 5 +++++ lib/functions.sh | 2 +- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 05038ae..d95a3b0 100644 --- a/README.md +++ b/README.md @@ -200,7 +200,7 @@ sudo systemctl [enable|disable] bridgehead@.service After starting the Bridgehead, you can watch the initialization process with the following command: ```shell -journalctl -u bridgehead@bbmri -f +./bridghead logs -f ``` if this exits with something similar to the following: @@ -220,8 +220,9 @@ docker ps There should be 6 - 10 Docker proceses. If there are fewer, then you know that something has gone wrong. To see what is going on, run: ```shell -journalctl -u bridgehead@bbmri -f +./bridghead logs -f ``` +This translates to a journalctl command so all the regular journalctl flags can be used. Once the Bridgehead has passed these checks, take a look at the landing page: 
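Review bot: The new `image:` line interpolates `${FOCUS_TAG}` with neither a default nor a guard, so if the variable is not exported by one of the vars files (none is in view here) Compose renders `focus:` — an invalid image reference — and the resulting error does not name the missing setting. Since the old line pinned `0.4.4`, either keep a fallback or make the requirement explicit, e.g. `image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG:?FOCUS_TAG is not set}`. The `focus` service block continues outside the hunk.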
@@ -235,7 +236,7 @@ You can either do this in a browser or with curl. If you visit the URL in the br curl -k https://localhost ``` -If you get errors when you do this, you need to use ```docker logs``` to examine your landing page container in order to determine what is going wrong. +If you get errors when you do this, you can inspect the logs of your landing page container in order to determine what is going wrong. To do this you can use `./bridgehead docker-logs landing -f` to follow the logs of the container. This transaltes to a docker compose logs command meaning all the ususal docker logs flags work. If you have chosen to take part in our monitoring program (by setting the ```MONITOR_APIKEY``` variable in the configuration), you will be informed by email when problems are detected in your Bridgehead. diff --git a/bridgehead b/bridgehead index bde1e16..85593b0 100755 --- a/bridgehead +++ b/bridgehead @@ -107,6 +107,11 @@ case "$ACTION" in exit $? ;; logs) + loadVars + shift 2 + exec journalctl -u bridgehead@$PROJECT -u bridgehead-update@$PROJECT -a $@ + ;; + docker-logs) loadVars shift 2 exec $COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE logs -f $@ diff --git a/lib/functions.sh b/lib/functions.sh index b519369..5e69a04 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -53,7 +53,7 @@ checkOwner(){ } printUsage() { - echo "Usage: bridgehead start|stop|logs|is-running|update|install|uninstall|adduser|enroll PROJECTNAME" + echo "Usage: bridgehead start|stop|logs|docker-logs|is-running|update|install|uninstall|adduser|enroll PROJECTNAME" echo "PROJECTNAME should be one of ccp|bbmri" } From ec9df1feec212bd00e806083124cb2f4b6208955 Mon Sep 17 00:00:00 2001 
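Review bot: In the new `logs)` case, `$@` and `$PROJECT` are unquoted in `exec journalctl -u bridgehead@$PROJECT -u bridgehead-update@$PROJECT -a $@`, so any argument containing whitespace (a `--since "1 hour ago"` filter, for instance) is word-split before it reaches journalctl. Quote them: `exec journalctl -u "bridgehead@$PROJECT" -u "bridgehead-update@$PROJECT" -a "$@"`. The existing `docker-logs` line below has the same unquoted `$@`; it predates this commit but would take the same fix. The enclosing `case "$ACTION"` statement starts and ends outside the hunk.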
From: Jan <59206115+Threated@users.noreply.github.com> Date: Wed, 5 Jun 2024 14:57:42 +0200 Subject: [PATCH 07/82] Update README.md Co-authored-by: patrickskowronekdkfz <86347677+patrickskowronekdkfz@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d95a3b0..bb332e4 100644 --- a/README.md +++ b/README.md @@ -236,7 +236,7 @@ You can either do this in a browser or with curl. If you visit the URL in the br curl -k https://localhost ``` -If you get errors when you do this, you can inspect the logs of your landing page container in order to determine what is going wrong. To do this you can use `./bridgehead docker-logs landing -f` to follow the logs of the container. This transaltes to a docker compose logs command meaning all the ususal docker logs flags work. +Should the landing page not show anything, you can inspect the logs of the containers to determine what is going wrong. To do this you can use `./bridgehead docker-logs -f` to follow the logs of the container. This transaltes to a docker compose logs command meaning all the ususal docker logs flags work. If you have chosen to take part in our monitoring program (by setting the ```MONITOR_APIKEY``` variable in the configuration), you will be informed by email when problems are detected in your Bridgehead. From 4fc53c00bf96fc3dd159f30c5347d34bf15dd385 Mon Sep 17 00:00:00 2001 From: Martin Lablans Date: Tue, 11 Jun 2024 08:41:35 +0200 Subject: [PATCH 08/82] Fix typo --- README.md | 4 ++-- ccp/modules/datashield.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index bb332e4..c7a864b 100644 --- a/README.md +++ b/README.md 
@@ -200,7 +200,7 @@ sudo systemctl [enable|disable] bridgehead@.service After starting the Bridgehead, you can watch the initialization process with the following command: ```shell -./bridghead logs -f +/srv/docker/bridgehead/bridgehead logs -f ``` if this exits with something similar to the following: @@ -220,7 +220,7 @@ docker ps There should be 6 - 10 Docker proceses. If there are fewer, then you know that something has gone wrong. To see what is going on, run: ```shell -./bridghead logs -f +/srv/docker/bridgehead/bridgehead logs -f ``` This translates to a journalctl command so all the regular journalctl flags can be used. diff --git a/ccp/modules/datashield.md b/ccp/modules/datashield.md index aa2c4cb..4de5168 100644 --- a/ccp/modules/datashield.md +++ b/ccp/modules/datashield.md @@ -1,5 +1,5 @@ # DataSHIELD -This module constitutes the infrastructure to run DataSHIELD within the bridghead. +This module constitutes the infrastructure to run DataSHIELD within the bridgehead. For more information about DataSHIELD, please visit https://www.datashield.org/ ## R-Studio From e72c9969529b74a1399695f2d65fdf0e23e451b3 Mon Sep 17 00:00:00 2001 From: janskiba Date: Thu, 13 Jun 2024 07:29:54 +0000 Subject: [PATCH 09/82] feat: allow setting focus retry count and increase default --- bbmri/vars | 2 +- ccp/vars | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/bbmri/vars b/bbmri/vars index d1362fb..248fbee 100644 --- a/bbmri/vars +++ b/bbmri/vars @@ -4,7 +4,7 @@ # Makes only sense for German Biobanks : ${ENABLE_GBN:=false} -FOCUS_RETRY_COUNT=32 +FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64} PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem for module in $PROJECT/modules/*.sh diff --git a/ccp/vars b/ccp/vars index fa3f5a2..027a093 100644 --- a/ccp/vars +++ b/ccp/vars 
@@ -2,7 +2,7 @@ BROKER_ID=broker.ccp-it.dktk.dkfz.de BROKER_URL=https://${BROKER_ID} PROXY_ID=${SITE_ID}.${BROKER_ID} FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)" -FOCUS_RETRY_COUNT=32 +FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64} SUPPORT_EMAIL=support-ccp@dkfz-heidelberg.de PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem From 0db7df1440775552b119ba78f8a2ad897c0a4523 Mon Sep 17 00:00:00 2001 From: Torben Brenner <76154651+torbrenner@users.noreply.github.com> Date: Fri, 28 Jun 2024 13:57:30 +0200 Subject: [PATCH 10/82] Update docker-compose.yml --- ccp/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml index 331ce0d..24999c9 100644 --- a/ccp/docker-compose.yml +++ b/ccp/docker-compose.yml @@ -2,7 +2,7 @@ version: "3.7" services: blaze: - image: docker.verbis.dkfz.de/cache/samply/blaze:latest + image: docker.verbis.dkfz.de/cache/samply/blaze:0.27 container_name: bridgehead-ccp-blaze environment: BASE_URL: "http://bridgehead-ccp-blaze:8080" From f7751b9d92eecfa37b8261ee0e130d3d7b8a412f Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Fri, 28 Jun 2024 14:29:56 +0200 Subject: [PATCH 11/82] fix: set blaze to version 0.28 The 0.28 release is not downgradeable, therefore switching again to 0.28 --- bbmri/docker-compose.yml | 2 +- ccp/docker-compose.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml index e48bd77..ac8df45 100644 --- a/bbmri/docker-compose.yml +++ b/bbmri/docker-compose.yml @@ -4,7 +4,7 @@ version: "3.7" services: blaze: - image: docker.verbis.dkfz.de/cache/samply/blaze:latest + image: docker.verbis.dkfz.de/cache/samply/blaze:0.28 container_name: bridgehead-bbmri-blaze environment: BASE_URL: "http://bridgehead-bbmri-blaze:8080" diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml index 24999c9..52e7eb5 100644 --- a/ccp/docker-compose.yml 
+++ b/ccp/docker-compose.yml @@ -2,7 +2,7 @@ version: "3.7" services: blaze: - image: docker.verbis.dkfz.de/cache/samply/blaze:0.27 + image: docker.verbis.dkfz.de/cache/samply/blaze:0.28 container_name: bridgehead-ccp-blaze environment: BASE_URL: "http://bridgehead-ccp-blaze:8080" From 91ff51304b25a8d0d8bc272ea3faca87ed9a8c3b Mon Sep 17 00:00:00 2001 From: Martin Lablans Date: Mon, 1 Jul 2024 14:54:04 +0200 Subject: [PATCH 12/82] Add new dashboard backend --- ccp/modules/dashboard-compose.yml | 28 ++++++++++++++++++++++++++++ ccp/modules/dashboard-setup.sh | 7 +++++++ ccp/modules/dashboard.md | 1 + 3 files changed, 36 insertions(+) create mode 100644 ccp/modules/dashboard-compose.yml create mode 100644 ccp/modules/dashboard-setup.sh create mode 100644 ccp/modules/dashboard.md diff --git a/ccp/modules/dashboard-compose.yml b/ccp/modules/dashboard-compose.yml new file mode 100644 index 0000000..43b109d --- /dev/null +++ b/ccp/modules/dashboard-compose.yml @@ -0,0 +1,28 @@ +version: "3.7" + +services: + fhir2sql: + depends_on: + - "dashboard-db" + image: docker.verbis.dkfz.de/cache/samply/fhir2sql:latest + container_name: bridgehead-ccp-dashboard-fhir2sql + environment: + BLAZE_BASE_URL: "http://blaze:8080/fhir/" + PG_HOST: "dashboard-db" + PG_PORT: 5432 + PG_USERNAME: "dashboard" + PG_PASSWORD: "${DASHBOARD_DB_PASSWORD}" # Set in exporter-setup.sh + PG_DBNAME: "dashboard" + # TODO: Remove the following, replace with defaults in app + BLAZE_PAGE_RESOURCE_COUNT: 10000 + PG_BATCH_SIZE: 10000 + + dashboard-db: + image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG} + container_name: bridgehead-ccp-dashboard-db + environment: + POSTGRES_USER: "dashboard" + POSTGRES_PASSWORD: "${DASHBOARD_DB_PASSWORD}" # Set in exporter-setup.sh + POSTGRES_DB: "dashboard" + volumes: + - "/var/cache/bridgehead/ccp/dashboard-db:/var/lib/postgresql/data" diff --git a/ccp/modules/dashboard-setup.sh b/ccp/modules/dashboard-setup.sh new file mode 100644 index 0000000..aee79fa --- /dev/null 
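Review bot: Both `PG_PASSWORD` and `POSTGRES_PASSWORD` carry the comment `# Set in exporter-setup.sh`, but the variable is set in `ccp/modules/dashboard-setup.sh`, added in this same commit; the comment on both lines should read `# Set in dashboard-setup.sh`. Separately, `fhir2sql:latest` is a floating tag while the database uses `${POSTGRES_TAG}` and the other services in this series are pinned (`blaze:0.28`), so a registry push changes what a site runs with no commit in this repository; a pinned tag, or a `${...}` variable like the one used for postgres, keeps that under version control.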
+++ b/ccp/modules/dashboard-setup.sh @@ -0,0 +1,7 @@ +#!/bin/bash -e + +if [ "$ENABLE_DASHBOARD" == true ]; then + log INFO "Dashboard setup detected -- will start Dashboard backend and FHIR2SQL service." + OVERRIDE+=" -f ./$PROJECT/modules/dashboard-compose.yml" + DASHBOARD_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the Dashboard database. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" +fi diff --git a/ccp/modules/dashboard.md b/ccp/modules/dashboard.md new file mode 100644 index 0000000..ed00305 --- /dev/null +++ b/ccp/modules/dashboard.md @@ -0,0 +1 @@ +# TODO David Scholz From f28e3c2cd2bd311271c6eff7e47b48eb4418e23c Mon Sep 17 00:00:00 2001 From: Martin Lablans Date: Mon, 1 Jul 2024 15:19:44 +0200 Subject: [PATCH 13/82] Remove unnecessary default values --- ccp/modules/dashboard-compose.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/ccp/modules/dashboard-compose.yml b/ccp/modules/dashboard-compose.yml index 43b109d..037f88f 100644 --- a/ccp/modules/dashboard-compose.yml +++ b/ccp/modules/dashboard-compose.yml @@ -9,13 +9,9 @@ services: environment: BLAZE_BASE_URL: "http://blaze:8080/fhir/" PG_HOST: "dashboard-db" - PG_PORT: 5432 PG_USERNAME: "dashboard" PG_PASSWORD: "${DASHBOARD_DB_PASSWORD}" # Set in exporter-setup.sh PG_DBNAME: "dashboard" - # TODO: Remove the following, replace with defaults in app - BLAZE_PAGE_RESOURCE_COUNT: 10000 - PG_BATCH_SIZE: 10000 dashboard-db: image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG} From 2ee8e0185a09de0109690ff1906c042bc4c900e9 Mon Sep 17 00:00:00 2001 
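Review bot: The `DASHBOARD_DB_PASSWORD=...` command substitution has no failure check: if `openssl pkeyutl` cannot read `/etc/bridgehead/pki/${SITE_ID}.priv.pem`, the pipeline's status is that of `head`, so neither `-e` (which is ineffective anyway if this file is sourced like the other modules, as the use of `OVERRIDE+=` suggests) nor the assignment notices, and an empty password is handed to both containers. Add a guard after the assignment: `if [ -z "$DASHBOARD_DB_PASSWORD" ]; then log ERROR "Could not derive the Dashboard database password from the site key"; exit 1; fi`. A one-line comment stating that the password is intentionally derived deterministically from the site private key (presumably so it is stable across restarts; confirm) would also help the next reader.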
From: Pierre Delpy Date: Mon, 1 Jul 2024 12:46:33 +0200 Subject: [PATCH 14/82] feature: upgrade to oBDS2FHIR --- ccp/modules/adt2fhir-rest-compose.yml | 18 ----------------- ccp/modules/mtba-setup.sh | 1 - ccp/modules/obds2fhir-rest-compose.yml | 20 +++++++++++++++++++ ...-rest-setup.sh => obds2fhir-rest-setup.sh} | 10 +++++----- ccp/vars | 2 +- 5 files changed, 26 insertions(+), 25 deletions(-) delete mode 100644 ccp/modules/adt2fhir-rest-compose.yml create mode 100644 ccp/modules/obds2fhir-rest-compose.yml rename ccp/modules/{adt2fhir-rest-setup.sh => obds2fhir-rest-setup.sh} (55%) diff --git a/ccp/modules/adt2fhir-rest-compose.yml b/ccp/modules/adt2fhir-rest-compose.yml deleted file mode 100644 index bba8163..0000000 --- a/ccp/modules/adt2fhir-rest-compose.yml +++ /dev/null @@ -1,18 +0,0 @@ -version: "3.7" - -services: - adt2fhir-rest: - container_name: bridgehead-adt2fhir-rest - image: docker.verbis.dkfz.de/ccp/adt2fhir-rest:main - environment: - IDTYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID - MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY} - SALT: ${LOCAL_SALT} - restart: always - labels: - - "traefik.enable=true" - - "traefik.http.routers.adt2fhir-rest.rule=PathPrefix(`/adt2fhir-rest`)" - - "traefik.http.middlewares.adt2fhir-rest_strip.stripprefix.prefixes=/adt2fhir-rest" - - "traefik.http.services.adt2fhir-rest.loadbalancer.server.port=8080" - - "traefik.http.routers.adt2fhir-rest.tls=true" - - "traefik.http.routers.adt2fhir-rest.middlewares=adt2fhir-rest_strip,auth" \ No newline at end of file diff --git a/ccp/modules/mtba-setup.sh b/ccp/modules/mtba-setup.sh index cdf0f31..d2acbe2 100644 --- a/ccp/modules/mtba-setup.sh +++ b/ccp/modules/mtba-setup.sh 
@@ -5,7 +5,6 @@ function mtbaSetup() { log INFO "MTBA setup detected -- will start MTBA Service and CBioPortal." if [ ! -n "$IDMANAGER_UPLOAD_APIKEY" ]; then log ERROR "Missing ID-Management Module! Fix this by setting up ID Management:" - exit 1; fi OVERRIDE+=" -f ./$PROJECT/modules/mtba-compose.yml" add_private_oidc_redirect_url "/mtba/*" diff --git a/ccp/modules/obds2fhir-rest-compose.yml b/ccp/modules/obds2fhir-rest-compose.yml new file mode 100644 index 0000000..3f1b0e9 --- /dev/null +++ b/ccp/modules/obds2fhir-rest-compose.yml @@ -0,0 +1,20 @@ +version: "3.7" + +services: + obds2fhir-rest: + container_name: bridgehead-obds2fhir-rest + image: docker.verbis.dkfz.de/ccp/obds2fhir-rest:main + environment: + IDTYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID + MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY} + SALT: ${LOCAL_SALT} + KEEP_INTERNAL_ID: ${KEEP_INTERNAL_ID:-false} + MAINZELLISTE_URL: ${PATIENTLIST_URL:-"http://patientlist:8080/patientlist"} + restart: always + labels: + - "traefik.enable=true" + - "traefik.http.routers.obds2fhir-rest.rule=PathPrefix(`/obds2fhir-rest`) || PathPrefix(`/adt2fhir-rest`)" + - "traefik.http.middlewares.obds2fhir-rest_strip.stripprefix.prefixes=/obds2fhir-rest,/adt2fhir-rest" + - "traefik.http.services.obds2fhir-rest.loadbalancer.server.port=8080" + - "traefik.http.routers.obds2fhir-rest.tls=true" + - "traefik.http.routers.obds2fhir-rest.middlewares=obds2fhir-rest_strip,auth" \ No newline at end of file diff --git a/ccp/modules/adt2fhir-rest-setup.sh b/ccp/modules/obds2fhir-rest-setup.sh similarity index 55% rename from ccp/modules/adt2fhir-rest-setup.sh rename to ccp/modules/obds2fhir-rest-setup.sh index 707d9c5..504bc86 100644 --- a/ccp/modules/adt2fhir-rest-setup.sh +++ b/ccp/modules/obds2fhir-rest-setup.sh 
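Review bot: Removing `exit 1;` leaves a `log ERROR` that tells the operator to "fix this" and then proceeds to start MTBA without `IDMANAGER_UPLOAD_APIKEY`, so the message no longer matches the behaviour. If running without ID management is now supported, lower the message to a warning that states the consequence, e.g. `log WARN "ID-Management Module not configured -- MTBA will start without it."`; if it is not supported, the abort should stay. The `mtbaSetup` function starts and ends outside this hunk.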
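Review bot: In `MAINZELLISTE_URL: ${PATIENTLIST_URL:-"http://patientlist:8080/patientlist"}` the double quotes are part of the default value, so Compose substitutes the URL including the quote characters whenever `PATIENTLIST_URL` is unset; the default should be unquoted, `MAINZELLISTE_URL: ${PATIENTLIST_URL:-http://patientlist:8080/patientlist}` (patch 17 of this series makes exactly that correction). The image tag `obds2fhir-rest:main` is a moving branch tag, as it was for adt2fhir-rest; a comment stating that the module intentionally tracks the branch would make that a documented choice rather than an oversight.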
@@ -1,13 +1,13 @@ #!/bin/bash -function adt2fhirRestSetup() { - if [ -n "$ENABLE_ADT2FHIR_REST" ]; then - log INFO "ADT2FHIR-REST setup detected -- will start adt2fhir-rest API." +function obds2fhirRestSetup() { + if [ -n "$ENABLE_OBDS2FHIR_REST" ]; then + log INFO "oBDS2FHIR-REST setup detected -- will start obds2fhir-rest module." if [ ! -n "$IDMANAGER_LOCAL_PATIENTLIST_APIKEY" ]; then log ERROR "Missing ID-Management Module! Fix this by setting up ID Management:" - exit 1; + PATIENTLIST_URL=" " fi - OVERRIDE+=" -f ./$PROJECT/modules/adt2fhir-rest-compose.yml" + OVERRIDE+=" -f ./$PROJECT/modules/obds2fhir-rest-compose.yml" LOCAL_SALT="$(echo \"local-random-salt\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" fi } diff --git a/ccp/vars b/ccp/vars index 027a093..080b134 100644 --- a/ccp/vars +++ b/ccp/vars @@ -28,4 +28,4 @@ done idManagementSetup mtbaSetup -adt2fhirRestSetup +obds2fhirRestSetup From 9e4bc214cec349f92b679cad137d53c3d4255b09 Mon Sep 17 00:00:00 2001 From: janskiba Date: Wed, 3 Jul 2024 13:01:02 +0000 Subject: [PATCH 15/82] fix: Fix traefik label for oauth2 redirect --- ccp/modules/datashield-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index 6426145..5e92db3 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml @@ -151,7 +151,7 @@ services: --pass-access-token=false labels: - "traefik.enable=true" - - "traefik.http.routers.oauth2_proxy.rule=Host(`${HOST}`) && PathPrefix(`/oauth2`, `/oauth2/callback`)" + - "traefik.http.routers.oauth2_proxy.rule=Host(`${HOST}`) && PathPrefix(`/oauth2`)" - "traefik.http.services.oauth2_proxy.loadbalancer.server.port=4180" - "traefik.http.routers.oauth2_proxy.tls=true" environment: From 91dc31d0398d9a97a213c40260bb1a99e63dd7b8 Mon Sep 17 00:00:00 2001 
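Review bot: When `IDMANAGER_LOCAL_PATIENTLIST_APIKEY` is empty, the new code logs at ERROR level with "Fix this by setting up ID Management:" and then continues with `PATIENTLIST_URL=" "`, so the message contradicts what happens and the single-space sentinel is unexplained. Replace the message with a warning that names the consequence, `log WARN "No ID-Management Module configured -- obds2fhir-rest will run without the patient list."`, and comment the sentinel, `# blank URL: run obds2fhir-rest without ID management`, assuming that is how the service treats a blank URL (confirm against the obds2fhir-rest image).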
From: Pierre Delpy Date: Mon, 8 Jul 2024 13:54:42 +0200 Subject: [PATCH 16/82] fix: use correct ID management flag for oBDS2FHIR --- ccp/modules/obds2fhir-rest-setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ccp/modules/obds2fhir-rest-setup.sh b/ccp/modules/obds2fhir-rest-setup.sh index 504bc86..677ea63 100644 --- a/ccp/modules/obds2fhir-rest-setup.sh +++ b/ccp/modules/obds2fhir-rest-setup.sh @@ -3,7 +3,7 @@ function obds2fhirRestSetup() { if [ -n "$ENABLE_OBDS2FHIR_REST" ]; then log INFO "oBDS2FHIR-REST setup detected -- will start obds2fhir-rest module." - if [ ! -n "$IDMANAGER_LOCAL_PATIENTLIST_APIKEY" ]; then + if [ ! -n "$IDMANAGER_UPLOAD_APIKEY" ]; then log ERROR "Missing ID-Management Module! Fix this by setting up ID Management:" PATIENTLIST_URL=" " fi From b36c9ae03e2c8ce982c52e38182ef4c0fcbd3daa Mon Sep 17 00:00:00 2001 From: Pierre Delpy <75260699+PierreDelpy@users.noreply.github.com> Date: Tue, 16 Jul 2024 10:49:23 +0200 Subject: [PATCH 17/82] Fix patientlisturl in obds2fhir-rest-compose.yml --- ccp/modules/obds2fhir-rest-compose.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ccp/modules/obds2fhir-rest-compose.yml b/ccp/modules/obds2fhir-rest-compose.yml index 3f1b0e9..f201e23 100644 --- a/ccp/modules/obds2fhir-rest-compose.yml +++ b/ccp/modules/obds2fhir-rest-compose.yml @@ -9,7 +9,7 @@ services: MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY} SALT: ${LOCAL_SALT} KEEP_INTERNAL_ID: ${KEEP_INTERNAL_ID:-false} - MAINZELLISTE_URL: ${PATIENTLIST_URL:-"http://patientlist:8080/patientlist"} + MAINZELLISTE_URL: ${PATIENTLIST_URL:-http://patientlist:8080/patientlist} restart: always labels: - "traefik.enable=true" 
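Review bot: The guard now tests `IDMANAGER_UPLOAD_APIKEY`, but the value the compose file hands to the container is still `MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}` (see the obds2fhir-rest-compose.yml hunk in patch 14), so the check no longer covers the variable that is actually consumed. If `idManagementSetup` sets both together this is harmless, but that dependency is invisible here; a comment on the `if` line such as `# IDMANAGER_UPLOAD_APIKEY is only set when the ID-Management module is enabled` would record why the upload key is the indicator. The enclosing `obds2fhirRestSetup` function continues outside the hunk.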
@@ -17,4 +17,4 @@ services: - "traefik.http.middlewares.obds2fhir-rest_strip.stripprefix.prefixes=/obds2fhir-rest,/adt2fhir-rest" - "traefik.http.services.obds2fhir-rest.loadbalancer.server.port=8080" - "traefik.http.routers.obds2fhir-rest.tls=true" - - "traefik.http.routers.obds2fhir-rest.middlewares=obds2fhir-rest_strip,auth" \ No newline at end of file + - "traefik.http.routers.obds2fhir-rest.middlewares=obds2fhir-rest_strip,auth" From 6b4480c54bae41ebcf92b5584c58f263c6377c9e Mon Sep 17 00:00:00 2001 From: "p.delpy@dkfz-heidelberg.de" Date: Wed, 17 Jul 2024 09:53:08 +0200 Subject: [PATCH 18/82] workaround: add second blaze --- ccp/modules/blaze-secondary-compose.yml | 27 +++++++++++++++++++++++++ ccp/modules/blaze-secondary-setup.sh | 11 ++++++++++ ccp/vars | 1 + 3 files changed, 39 insertions(+) create mode 100644 ccp/modules/blaze-secondary-compose.yml create mode 100644 ccp/modules/blaze-secondary-setup.sh diff --git a/ccp/modules/blaze-secondary-compose.yml b/ccp/modules/blaze-secondary-compose.yml new file mode 100644 index 0000000..f3f4752 --- /dev/null +++ b/ccp/modules/blaze-secondary-compose.yml 
@@ -0,0 +1,27 @@ +version: "3.7" + +services: + blaze-secondary: + image: docker.verbis.dkfz.de/cache/samply/blaze:0.28 + container_name: bridgehead-ccp-blaze-secondary + environment: + BASE_URL: "http://bridgehead-ccp-blaze-secondary:8080" + JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m" + DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000} + DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP + ENFORCE_REFERENTIAL_INTEGRITY: "false" + volumes: + - "blaze-secondary-data:/app/data" + labels: + - "traefik.enable=true" + - "traefik.http.routers.blaze-secondary_ccp.rule=PathPrefix(`/ccp-localdatamanagement-secondary`)" + - "traefik.http.middlewares.ccp_b-secondary_strip.stripprefix.prefixes=/ccp-localdatamanagement-secondary" + - "traefik.http.services.blaze-secondary_ccp.loadbalancer.server.port=8080" + - "traefik.http.routers.blaze-secondary_ccp.middlewares=ccp_b-secondary_strip,auth" + - "traefik.http.routers.blaze-secondary_ccp.tls=true" + obds2fhir-rest: + environment: + STORE_PATH: ${STORE_PATH:-http://blaze:8080/fhir} + +volumes: + blaze-secondary-data: \ No newline at end of file diff --git a/ccp/modules/blaze-secondary-setup.sh b/ccp/modules/blaze-secondary-setup.sh new file mode 100644 index 0000000..307da01 --- /dev/null +++ b/ccp/modules/blaze-secondary-setup.sh @@ -0,0 +1,11 @@ +#!/bin/bash + +function blazeSecondarySetup() { + if [ -n "$ENABLE_SECONDARY_BLAZE" ]; then + log INFO "Secondary Blaze setup detected -- will start second blaze." + OVERRIDE+=" -f ./$PROJECT/modules/blaze-secondary-compose.yml" + #make oBDS2FHIR ignore ID-Management and replace target Blaze + PATIENTLIST_URL=" " + STORE_PATH="http://blaze-secondary:8080/fhir" + fi +} diff --git a/ccp/vars b/ccp/vars index 080b134..0900914 100644 --- a/ccp/vars +++ b/ccp/vars @@ -29,3 +29,4 @@ done idManagementSetup mtbaSetup obds2fhirRestSetup +blazeSecondarySetup \ No newline at end of file From 293810f2541bf104b6ba7ef26ea6d1aaf9949162 Mon Sep 17 00:00:00 2001 
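Review bot: `DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP` has no default, whereas `JAVA_TOOL_OPTIONS` two lines above falls back to `4096` when `BLAZE_MEMORY_CAP` is unset, so a site without that variable gets a sized heap but an empty block-cache setting; `DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP:-4096}` keeps the two in step. The same pair appears in the new `cce/docker-compose.yml` in patch 21, and presumably in the primary `ccp/docker-compose.yml` blaze service this file was copied from, which is not in view.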
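Review bot: `if [ -n "$ENABLE_SECONDARY_BLAZE" ]` enables the module for any non-empty value, so `ENABLE_SECONDARY_BLAZE=false` in a site's config would start a second FHIR store and, through `PATIENTLIST_URL=" "`, silently switch oBDS2FHIR away from ID management. That matches `obds2fhir-rest-setup.sh` but not `dashboard-setup.sh`, which compares `== true`; given the side effect here, the stricter form `if [ "$ENABLE_SECONDARY_BLAZE" == true ]; then` seems the safer choice. The existing `#make oBDS2FHIR ignore ID-Management` comment would also benefit from saying why the secondary store must bypass it.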
From: djuarezgf Date: Thu, 18 Jul 2024 09:54:16 +0200 Subject: [PATCH 19/82] Added: exporter with blaze-secondary --- ccp/modules/blaze-secondary-compose.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ccp/modules/blaze-secondary-compose.yml b/ccp/modules/blaze-secondary-compose.yml index f3f4752..b57bfbe 100644 --- a/ccp/modules/blaze-secondary-compose.yml +++ b/ccp/modules/blaze-secondary-compose.yml @@ -19,9 +19,14 @@ services: - "traefik.http.services.blaze-secondary_ccp.loadbalancer.server.port=8080" - "traefik.http.routers.blaze-secondary_ccp.middlewares=ccp_b-secondary_strip,auth" - "traefik.http.routers.blaze-secondary_ccp.tls=true" + obds2fhir-rest: environment: STORE_PATH: ${STORE_PATH:-http://blaze:8080/fhir} + exporter: + environment: + BLAZE_HOST: "blaze-secondary" + volumes: - blaze-secondary-data: \ No newline at end of file + blaze-secondary-data: From d316f1c798f7b92629e887ffe5a3784457bdc66b Mon Sep 17 00:00:00 2001 From: Pierre Delpy Date: Tue, 23 Jul 2024 13:01:07 +0200 Subject: [PATCH 20/82] add caching in focus --- ccp/docker-compose.yml | 3 +++ ccp/queries_to_cache.conf | 2 ++ 2 files changed, 5 insertions(+) create mode 100644 ccp/queries_to_cache.conf diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml index 52e7eb5..2395d8c 100644 --- a/ccp/docker-compose.yml +++ b/ccp/docker-compose.yml @@ -31,6 +31,9 @@ services: BEAM_PROXY_URL: http://beam-proxy:8081 RETRY_COUNT: ${FOCUS_RETRY_COUNT} EPSILON: 0.28 + QUERIES_TO_CACHE: '/queries_to_cache.conf' + volumes: + - /srv/docker/bridgehead/ccp/queries_to_cache.conf:/queries_to_cache.conf depends_on: - "beam-proxy" - "blaze" diff --git a/ccp/queries_to_cache.conf b/ccp/queries_to_cache.conf new file mode 100644 index 0000000..b950312 --- /dev/null +++ b/ccp/queries_to_cache.conf @@ -0,0 +1,2 @@ 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 \ No newline at end of file From cfa85067f00d946398e9ef93b97f5374197d6fb0 Mon Sep 17 00:00:00 2001 
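Review bot: The added `exporter:` entry, like the `obds2fhir-rest:` entry above it, defines only `environment:` for a service whose `image:` lives in another module's compose file; if that module is not enabled, the merged project contains a service with neither image nor build context, which Compose rejects, so enabling the secondary Blaze on its own would likely break startup (hedged: the primary `ccp/docker-compose.yml` is not in view, so the exporter may be defined there). Either gate these fragments on the respective module flags in `blaze-secondary-setup.sh`, or pass the values as variables with defaults in the module compose files, as that file already does with `${PATIENTLIST_URL:-...}`.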
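Review bot: The new bind mount `/srv/docker/bridgehead/ccp/queries_to_cache.conf:/queries_to_cache.conf` is writable from inside the focus container, unlike the other host-file mounts in this repository (`root.crt.pem` and `trusted-ca-certs` are mounted `:ro` in patch 21), so the query list in the checkout can be altered by the container rather than only by a commit. Append `:ro`: `- /srv/docker/bridgehead/ccp/queries_to_cache.conf:/queries_to_cache.conf:ro`. The `focus` service block starts and ends outside the hunk.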
From: "p.delpy@dkfz-heidelberg.de" Date: Thu, 25 Jul 2024 11:55:51 +0200 Subject: [PATCH 21/82] initialize develop; add itcc and cce --- bridgehead | 6 ++++ cce/docker-compose.yml | 63 +++++++++++++++++++++++++++++++++++ cce/modules/lens-compose.yml | 28 ++++++++++++++++ cce/modules/lens-setup.sh | 6 ++++ cce/root.crt.pem | 20 +++++++++++ cce/vars | 14 ++++++++ itcc/docker-compose.yml | 63 +++++++++++++++++++++++++++++++++++ itcc/modules/lens-compose.yml | 28 ++++++++++++++++ itcc/modules/lens-setup.sh | 5 +++ itcc/root.crt.pem | 20 +++++++++++ itcc/vars | 14 ++++++++ lib/functions.sh | 2 +- lib/prepare-system.sh | 6 ++++ 13 files changed, 274 insertions(+), 1 deletion(-) create mode 100644 cce/docker-compose.yml create mode 100644 cce/modules/lens-compose.yml create mode 100644 cce/modules/lens-setup.sh create mode 100644 cce/root.crt.pem create mode 100644 cce/vars create mode 100644 itcc/docker-compose.yml create mode 100644 itcc/modules/lens-compose.yml create mode 100644 itcc/modules/lens-setup.sh create mode 100644 itcc/root.crt.pem create mode 100644 itcc/vars diff --git a/bridgehead b/bridgehead index 85593b0..702a351 100755 --- a/bridgehead +++ b/bridgehead @@ -32,6 +32,12 @@ case "$PROJECT" in bbmri) #nothing extra to do ;; + cce) + #nothing extra to do + ;; + itcc) + #nothing extra to do + ;; minimal) #nothing extra to do ;; diff --git a/cce/docker-compose.yml b/cce/docker-compose.yml new file mode 100644 index 0000000..13c5f38 --- /dev/null +++ b/cce/docker-compose.yml 
@@ -0,0 +1,63 @@ +version: "3.7" + +services: + blaze: + image: docker.verbis.dkfz.de/cache/samply/blaze:0.28 + container_name: bridgehead-cce-blaze + environment: + BASE_URL: "http://bridgehead-cce-blaze:8080" + JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m" + DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000} + DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP + ENFORCE_REFERENTIAL_INTEGRITY: "false" + volumes: + - "blaze-data:/app/data" + labels: + - "traefik.enable=true" + - "traefik.http.routers.blaze_cce.rule=PathPrefix(`/cce-localdatamanagement`)" + - "traefik.http.middlewares.cce_b_strip.stripprefix.prefixes=/cce-localdatamanagement" + - "traefik.http.services.blaze_cce.loadbalancer.server.port=8080" + - "traefik.http.routers.blaze_cce.middlewares=cce_b_strip,auth" + - "traefik.http.routers.blaze_cce.tls=true" + + focus: + image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG} + container_name: bridgehead-focus + environment: + API_KEY: ${FOCUS_BEAM_SECRET_SHORT} + BEAM_APP_ID_LONG: focus.${PROXY_ID} + PROXY_ID: ${PROXY_ID} + BLAZE_URL: "http://bridgehead-cce-blaze:8080/fhir/" + BEAM_PROXY_URL: http://beam-proxy:8081 + RETRY_COUNT: ${FOCUS_RETRY_COUNT} + EPSILON: 0.28 + depends_on: + - "beam-proxy" + - "blaze" + + beam-proxy: + image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop + container_name: bridgehead-beam-proxy + environment: + BROKER_URL: ${BROKER_URL} + PROXY_ID: ${PROXY_ID} + APP_focus_KEY: ${FOCUS_BEAM_SECRET_SHORT} + PRIVKEY_FILE: /run/secrets/proxy.pem + ALL_PROXY: http://forward_proxy:3128 + TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs + ROOTCERT_FILE: /conf/root.crt.pem + secrets: + - proxy.pem + depends_on: + - "forward_proxy" + volumes: + - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro + - /srv/docker/bridgehead/cce/root.crt.pem:/conf/root.crt.pem:ro + + +volumes: + blaze-data: + +secrets: + proxy.pem: + file: /etc/bridgehead/pki/${SITE_ID}.priv.pem 
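Review bot: `DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP` has no fallback, while `JAVA_TOOL_OPTIONS` two lines above uses `${BLAZE_MEMORY_CAP:-4096}`, so when `BLAZE_MEMORY_CAP` is unset Blaze receives an empty block-cache size. If the variable is in the same unit as the heap cap, `DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP:-4096}` keeps the two consistent; the identical pattern is in the new `itcc/docker-compose.yml` in this patch. The `focus` and `beam-proxy` container names (`bridgehead-focus`, `bridgehead-beam-proxy`) are also not project-prefixed like `bridgehead-cce-blaze`, which looks like a carry-over from the ccp file and would collide if two projects were ever started on one host; a comment stating that only one project per host is supported would settle it either way.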
diff --git a/cce/modules/lens-compose.yml b/cce/modules/lens-compose.yml new file mode 100644 index 0000000..6575578 --- /dev/null +++ b/cce/modules/lens-compose.yml @@ -0,0 +1,28 @@ +version: "3.7" +services: + landing: + container_name: lens_federated-search + image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID} + + spot: + image: docker.verbis.dkfz.de/ccp-private/central-spot + environment: + BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}" + BEAM_URL: http://beam-proxy:8081 + BEAM_PROXY_ID: ${SITE_ID} + BEAM_BROKER_ID: ${BROKER_ID} + BEAM_APP_ID: "focus" + PROJECT_METADATA: "cce_supervisors" + depends_on: + - "beam-proxy" + labels: + - "traefik.enable=true" + - "traefik.http.services.spot.loadbalancer.server.port=8080" + - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowmethods=GET,OPTIONS,POST" + - "traefik.http.middlewares.corsheaders2.headers.accesscontrolalloworiginlist=https://${HOST}" + - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowcredentials=true" + - "traefik.http.middlewares.corsheaders2.headers.accesscontrolmaxage=-1" + - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/backend`)" + - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/backend" + - "traefik.http.routers.spot.tls=true" + - "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot" diff --git a/cce/modules/lens-setup.sh b/cce/modules/lens-setup.sh new file mode 100644 index 0000000..eb511b5 --- /dev/null +++ b/cce/modules/lens-setup.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +if [ -n "$ENABLE_LENS" ];then + OVERRIDE+=" -f ./$PROJECT/modules/lens-compose.yml" +fi +} \ No newline at end of file diff --git a/cce/root.crt.pem b/cce/root.crt.pem new file mode 100644 index 0000000..1f1265a --- /dev/null +++ b/cce/root.crt.pem 
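Review bot: The new `cce/modules/lens-setup.sh` ends with a stray `}` after `fi` that has no matching opening brace, so the file is not valid bash and will fail as soon as `cce/vars` sources every `modules/*.sh`; the `itcc/modules/lens-setup.sh` in the same patch correctly ends at `fi`. Delete the `}` line. A short header comment would also help, e.g. `# Adds the Lens compose override when ENABLE_LENS is set; sourced from cce/vars`.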
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNTCCAh2gAwIBAgIUW34NEb7bl0+Ywx+I1VKtY5vpAOowDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjQwMTIyMTMzNzEzWhcNMzQw +MTE5MTMzNzQzWjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAL5UegLXTlq3XRRj8LyFs3aF0tpRPVoW9RXp5kFI +TnBvyO6qjNbMDT/xK+4iDtEX4QQUvsxAKxfXbe9i1jpdwjgH7JHaSGm2IjAiKLqO +OXQQtguWwfNmmp96Ql13ArLj458YH08xMO/w2NFWGwB/hfARa4z/T0afFuc/tKJf +XbGCG9xzJ9tmcG45QN8NChGhVvaTweNdVxGWlpHxmi0Mn8OM9CEuB7nPtTTiBuiu +pRC2zVVmNjVp4ktkAqL7IHOz+/F5nhiz6tOika9oD3376Xj055lPznLcTQn2+4d7 +K7ZrBopCFxIQPjkgmYRLfPejbpdUjK1UVJw7hbWkqWqH7JMCAwEAAaN7MHkwDgYD +VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGjvRcaIP4HM +poIguUAK9YL2n7fbMB8GA1UdIwQYMBaAFGjvRcaIP4HMpoIguUAK9YL2n7fbMBYG +A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQCbzycJSaDm +AXXNJqQ88djrKs5MDXS8RIjS/cu2ayuLaYDe+BzVmUXNA0Vt9nZGdaz63SLLcjpU +fNSxBfKbwmf7s30AK8Cnfj9q4W/BlBeVizUHQsg1+RQpDIdMrRQrwkXv8mfLw+w5 +3oaXNW6W/8KpBp/H8TBZ6myl6jCbeR3T8EMXBwipMGop/1zkbF01i98Xpqmhx2+l +n+80ofPsSspOo5XmgCZym8CD/m/oFHmjcvOfpOCvDh4PZ+i37pmbSlCYoMpla3u/ +7MJMP5lugfLBYNDN2p+V4KbHP/cApCDT5UWLOeAWjgiZQtHH5ilDeYqEc1oPjyJt +Rtup0MTxSJtN +-----END CERTIFICATE----- \ No newline at end of file diff --git a/cce/vars b/cce/vars new file mode 100644 index 0000000..b03403b --- /dev/null +++ b/cce/vars @@ -0,0 +1,14 @@ +BROKER_ID=test-no-real-data.broker.samply.de +BROKER_URL=https://${BROKER_ID} +PROXY_ID=${SITE_ID}.${BROKER_ID} +FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)" +FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64} +SUPPORT_EMAIL=arturo.macias@dkfz-heidelberg.de +PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem +BROKER_URL_FOR_PREREQ=$BROKER_URL + +for module in $PROJECT/modules/*.sh +do + log DEBUG "sourcing $module" + source $module +done diff --git a/itcc/docker-compose.yml b/itcc/docker-compose.yml new file mode 100644 index 0000000..197f4c5 --- /dev/null 
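Review bot: `BROKER_ID=test-no-real-data.broker.samply.de` hard-codes the test broker for the new cce project with no `ENVIRONMENT`-dependent alternative, unlike the `FOCUS_TAG` handling in `bridgehead`. The `cce/root.crt.pem` bundled in the same patch is mounted as the beam-proxy's `ROOTCERT_FILE`, so presumably it belongs to that broker setup and the two have to be replaced together when the project moves to a real broker; a comment such as `# test broker only; replace together with root.crt.pem before production use` would prevent the test endpoint being left in place by accident. The same applies to `itcc/vars`. `source $module` in the module loop is also unquoted; `source "$module"` is the safer form.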
+++ b/itcc/docker-compose.yml @@ -0,0 +1,63 @@ +version: "3.7" + +services: + blaze: + image: docker.verbis.dkfz.de/cache/samply/blaze:0.28 + container_name: bridgehead-itcc-blaze + environment: + BASE_URL: "http://bridgehead-itcc-blaze:8080" + JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m" + DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000} + DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP + ENFORCE_REFERENTIAL_INTEGRITY: "false" + volumes: + - "blaze-data:/app/data" + labels: + - "traefik.enable=true" + - "traefik.http.routers.blaze_itcc.rule=PathPrefix(`/itcc-localdatamanagement`)" + - "traefik.http.middlewares.itcc_b_strip.stripprefix.prefixes=/itcc-localdatamanagement" + - "traefik.http.services.blaze_itcc.loadbalancer.server.port=8080" + - "traefik.http.routers.blaze_itcc.middlewares=itcc_b_strip,auth" + - "traefik.http.routers.blaze_itcc.tls=true" + + focus: + image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG} + container_name: bridgehead-focus + environment: + API_KEY: ${FOCUS_BEAM_SECRET_SHORT} + BEAM_APP_ID_LONG: focus.${PROXY_ID} + PROXY_ID: ${PROXY_ID} + BLAZE_URL: "http://bridgehead-itcc-blaze:8080/fhir/" + BEAM_PROXY_URL: http://beam-proxy:8081 + RETRY_COUNT: ${FOCUS_RETRY_COUNT} + EPSILON: 0.28 + depends_on: + - "beam-proxy" + - "blaze" + + beam-proxy: + image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop + container_name: bridgehead-beam-proxy + environment: + BROKER_URL: ${BROKER_URL} + PROXY_ID: ${PROXY_ID} + APP_focus_KEY: ${FOCUS_BEAM_SECRET_SHORT} + PRIVKEY_FILE: /run/secrets/proxy.pem + ALL_PROXY: http://forward_proxy:3128 + TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs + ROOTCERT_FILE: /conf/root.crt.pem + secrets: + - proxy.pem + depends_on: + - "forward_proxy" + volumes: + - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro + - /srv/docker/bridgehead/itcc/root.crt.pem:/conf/root.crt.pem:ro + + +volumes: + blaze-data: + +secrets: + proxy.pem: + file: /etc/bridgehead/pki/${SITE_ID}.priv.pem 
diff --git a/itcc/modules/lens-compose.yml b/itcc/modules/lens-compose.yml new file mode 100644 index 0000000..8593106 --- /dev/null +++ b/itcc/modules/lens-compose.yml @@ -0,0 +1,28 @@ +version: "3.7" +services: + landing: + container_name: lens_federated-search + image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID} + + spot: + image: docker.verbis.dkfz.de/ccp-private/central-spot + environment: + BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}" + BEAM_URL: http://beam-proxy:8081 + BEAM_PROXY_ID: ${SITE_ID} + BEAM_BROKER_ID: ${BROKER_ID} + BEAM_APP_ID: "focus" + PROJECT_METADATA: "dktk_supervisors" + depends_on: + - "beam-proxy" + labels: + - "traefik.enable=true" + - "traefik.http.services.spot.loadbalancer.server.port=8080" + - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowmethods=GET,OPTIONS,POST" + - "traefik.http.middlewares.corsheaders2.headers.accesscontrolalloworiginlist=https://${HOST}" + - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowcredentials=true" + - "traefik.http.middlewares.corsheaders2.headers.accesscontrolmaxage=-1" + - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/backend`)" + - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/backend" + - "traefik.http.routers.spot.tls=true" + - "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot" diff --git a/itcc/modules/lens-setup.sh b/itcc/modules/lens-setup.sh new file mode 100644 index 0000000..c19dc4b --- /dev/null +++ b/itcc/modules/lens-setup.sh @@ -0,0 +1,5 @@ +#!/bin/bash + +if [ -n "$ENABLE_LENS" ];then + OVERRIDE+=" -f ./$PROJECT/modules/lens-compose.yml" +fi \ No newline at end of file diff --git a/itcc/root.crt.pem b/itcc/root.crt.pem new file mode 100644 index 0000000..1f1265a --- /dev/null +++ b/itcc/root.crt.pem 
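Review bot: `PROJECT_METADATA: "dktk_supervisors"` in the new itcc `spot` service differs from the `cce_supervisors` value in the otherwise identical `cce/modules/lens-compose.yml` of this patch, which looks like a copy-and-paste leftover from the ccp variant; confirm whether itcc should carry its own project metadata key. `accesscontrolallowcredentials=true` together with the single origin `https://${HOST}` is the right shape for credentialed CORS, but it only works if `HOST` is the exact public hostname; a comment on that label, e.g. `# HOST must match the public hostname exactly, otherwise browsers reject credentialed requests`, would record the requirement.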
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNTCCAh2gAwIBAgIUW34NEb7bl0+Ywx+I1VKtY5vpAOowDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjQwMTIyMTMzNzEzWhcNMzQw +MTE5MTMzNzQzWjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAL5UegLXTlq3XRRj8LyFs3aF0tpRPVoW9RXp5kFI +TnBvyO6qjNbMDT/xK+4iDtEX4QQUvsxAKxfXbe9i1jpdwjgH7JHaSGm2IjAiKLqO +OXQQtguWwfNmmp96Ql13ArLj458YH08xMO/w2NFWGwB/hfARa4z/T0afFuc/tKJf +XbGCG9xzJ9tmcG45QN8NChGhVvaTweNdVxGWlpHxmi0Mn8OM9CEuB7nPtTTiBuiu +pRC2zVVmNjVp4ktkAqL7IHOz+/F5nhiz6tOika9oD3376Xj055lPznLcTQn2+4d7 +K7ZrBopCFxIQPjkgmYRLfPejbpdUjK1UVJw7hbWkqWqH7JMCAwEAAaN7MHkwDgYD +VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGjvRcaIP4HM +poIguUAK9YL2n7fbMB8GA1UdIwQYMBaAFGjvRcaIP4HMpoIguUAK9YL2n7fbMBYG +A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQCbzycJSaDm +AXXNJqQ88djrKs5MDXS8RIjS/cu2ayuLaYDe+BzVmUXNA0Vt9nZGdaz63SLLcjpU +fNSxBfKbwmf7s30AK8Cnfj9q4W/BlBeVizUHQsg1+RQpDIdMrRQrwkXv8mfLw+w5 +3oaXNW6W/8KpBp/H8TBZ6myl6jCbeR3T8EMXBwipMGop/1zkbF01i98Xpqmhx2+l +n+80ofPsSspOo5XmgCZym8CD/m/oFHmjcvOfpOCvDh4PZ+i37pmbSlCYoMpla3u/ +7MJMP5lugfLBYNDN2p+V4KbHP/cApCDT5UWLOeAWjgiZQtHH5ilDeYqEc1oPjyJt +Rtup0MTxSJtN +-----END CERTIFICATE----- \ No newline at end of file diff --git a/itcc/vars b/itcc/vars new file mode 100644 index 0000000..7d0c1a3 --- /dev/null +++ b/itcc/vars @@ -0,0 +1,14 @@ +BROKER_ID=test-no-real-data.broker.samply.de +BROKER_URL=https://${BROKER_ID} +PROXY_ID=${SITE_ID}.${BROKER_ID} +FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)" +FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64} +SUPPORT_EMAIL=manoj.waikar@dkfz-heidelberg.de +PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem +BROKER_URL_FOR_PREREQ=$BROKER_URL + +for module in $PROJECT/modules/*.sh +do + log DEBUG "sourcing $module" + source $module +done diff --git a/lib/functions.sh b/lib/functions.sh index 5e69a04..dc5ec25 100644 --- a/lib/functions.sh +++ b/lib/functions.sh 
@@ -54,7 +54,7 @@ checkOwner(){ printUsage() { echo "Usage: bridgehead start|stop|logs|docker-logs|is-running|update|install|uninstall|adduser|enroll PROJECTNAME" - echo "PROJECTNAME should be one of ccp|bbmri" + echo "PROJECTNAME should be one of ccp|bbmri|cce|itcc" } checkRequirements() { diff --git a/lib/prepare-system.sh b/lib/prepare-system.sh index 156f7c8..f93b6f0 100755 --- a/lib/prepare-system.sh +++ b/lib/prepare-system.sh @@ -52,6 +52,12 @@ case "$PROJECT" in bbmri) site_configuration_repository_middle="git.verbis.dkfz.de/bbmri-bridgehead-configs/" ;; + cce) + site_configuration_repository_middle="git.verbis.dkfz.de/cce-sites/" + ;; + itcc) + site_configuration_repository_middle="git.verbis.dkfz.de/itcc-sites/" + ;; minimal) site_configuration_repository_middle="git.verbis.dkfz.de/minimal-bridgehead-configs/" ;; From 8942b923b38efd16ae49bb03f6712e944dc1cd28 Mon Sep 17 00:00:00 2001 From: DavidCroftDKFZ <46788708+DavidCroftDKFZ@users.noreply.github.com> Date: Fri, 26 Jul 2024 09:57:40 +0200 Subject: [PATCH 22/82] Added comment for consistency with Directory Sync README --- bbmri/modules/directory-sync-compose.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/bbmri/modules/directory-sync-compose.yml b/bbmri/modules/directory-sync-compose.yml index da329f8..60998f3 100644 --- a/bbmri/modules/directory-sync-compose.yml +++ b/bbmri/modules/directory-sync-compose.yml @@ -8,4 +8,5 @@ services: DS_DIRECTORY_USER_NAME: ${DS_DIRECTORY_USER_NAME} DS_DIRECTORY_PASS_CODE: ${DS_DIRECTORY_PASS_CODE} DS_TIMER_CRON: ${DS_TIMER_CRON} + # It is recommended to check the enabling of this flag with your local data protection group DS_DIRECTORY_ALLOW_STAR_MODEL: ${DS_DIRECTORY_ALLOW_STAR_MODEL} From df08d678398a1b719af426a16d4655c2a42364e4 Mon Sep 17 00:00:00 2001 
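Review bot: The updated usage line lists `ccp|bbmri|cce|itcc`, but the case statements in `bridgehead` and `lib/prepare-system.sh` touched by this same patch also accept `minimal`, so the help text is still incomplete. If `minimal` is meant to be user-selectable, `echo "PROJECTNAME should be one of ccp|bbmri|cce|itcc|minimal"` would match the code; otherwise a comment noting that it is internal would explain the omission.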
From: davidmscholz Date: Mon, 29 Jul 2024 10:45:00 +0200 Subject: [PATCH 23/82] add optional dashboard module --- ccp/modules/dashboard-compose.yml | 4 ++-- ccp/modules/dashboard.md | 37 ++++++++++++++++++++++++++++++- 2 files changed, 38 insertions(+), 3 deletions(-) diff --git a/ccp/modules/dashboard-compose.yml b/ccp/modules/dashboard-compose.yml index 037f88f..e2756d4 100644 --- a/ccp/modules/dashboard-compose.yml +++ b/ccp/modules/dashboard-compose.yml @@ -10,7 +10,7 @@ services: BLAZE_BASE_URL: "http://blaze:8080/fhir/" PG_HOST: "dashboard-db" PG_USERNAME: "dashboard" - PG_PASSWORD: "${DASHBOARD_DB_PASSWORD}" # Set in exporter-setup.sh + PG_PASSWORD: "${DASHBOARD_DB_PASSWORD}" # Set in dashboard-setup.sh PG_DBNAME: "dashboard" dashboard-db: @@ -18,7 +18,7 @@ services: container_name: bridgehead-ccp-dashboard-db environment: POSTGRES_USER: "dashboard" - POSTGRES_PASSWORD: "${DASHBOARD_DB_PASSWORD}" # Set in exporter-setup.sh + POSTGRES_PASSWORD: "${DASHBOARD_DB_PASSWORD}" # Set in dashboard-setup.sh POSTGRES_DB: "dashboard" volumes: - "/var/cache/bridgehead/ccp/dashboard-db:/var/lib/postgresql/data" diff --git a/ccp/modules/dashboard.md b/ccp/modules/dashboard.md index ed00305..defdf39 100644 --- a/ccp/modules/dashboard.md +++ b/ccp/modules/dashboard.md 
@@ -1 +1,36 @@ -# TODO David Scholz +# fhir2sql +fhir2sql connects to Blaze, retrieves data, and syncs it with a PostgreSQL database. The application is designed to run continuously, syncing data at regular intervals. +The Dashboard module is a optional component of the Bridgehead CCP setup. When enabled, it starts two Docker services: **fhir2sql** and **dashboard-db**. Data held in PostgreSQL is only stored temporarily and Blaze is considered to be the 'leading system' or 'source of truth'. + +## Services +### fhir2sql +* Image: docker.verbis.dkfz.de/cache/samply/fhir2sql:latest +* Container name: bridgehead-ccp-dashboard-fhir2sql +* Depends on: dashboard-db +* Environment variables: + - BLAZE_BASE_URL: The base URL of the Blaze FHIR server (set to http://blaze:8080/fhir/) + - PG_HOST: The hostname of the PostgreSQL database (set to dashboard-db) + - PG_USERNAME: The username for the PostgreSQL database (set to dashboard) + - PG_PASSWORD: The password for the PostgreSQL database (set to the value of DASHBOARD_DB_PASSWORD) + - PG_DBNAME: The name of the PostgreSQL database (set to dashboard) + +### dashboard-db + +* Image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG} +* Container name: bridgehead-ccp-dashboard-db +* Environment variables: + - POSTGRES_USER: The username for the PostgreSQL database (set to dashboard) + - POSTGRES_PASSWORD: The password for the PostgreSQL database (set to the value of DASHBOARD_DB_PASSWORD) + - POSTGRES_DB: The name of the PostgreSQL database (set to dashboard) +* Volumes: + - /var/cache/bridgehead/ccp/dashboard-db:/var/lib/postgresql/data + +The volume used by dashboard-db can be removed safely and should be restored to a working order by re-importing data from Blaze. + +### Environment Variables +* DASHBOARD_DB_PASSWORD: A generated password for the PostgreSQL database, created using a salt string and the SHA1 hash function. 
+* POSTGRES_TAG: The tag of the PostgreSQL image to use (not set in this module, but required by the dashboard-db service). + + +### Setup +To enable the Dashboard module, set the ENABLE_DASHBOARD environment variable to true. The dashboard-setup.sh script will then start the fhir2sql and dashboard-db services, using the environment variables and volumes defined above. \ No newline at end of file From 4ab10ff71dab58d641cf59e3f0da041fe3e1a282 Mon Sep 17 00:00:00 2001 From: Martin Lablans Date: Mon, 29 Jul 2024 13:50:30 +0200 Subject: [PATCH 24/82] In ENVIRONMENT=production, use main tag for Samply.Beam. --- bbmri/modules/eric-compose.yml | 2 +- bbmri/modules/gbn-compose.yml | 2 +- bridgehead | 3 +++ cce/docker-compose.yml | 2 +- ccp/docker-compose.yml | 2 +- itcc/docker-compose.yml | 2 +- minimal/modules/dnpm-compose.yml | 2 +- 7 files changed, 9 insertions(+), 6 deletions(-) diff --git a/bbmri/modules/eric-compose.yml b/bbmri/modules/eric-compose.yml index b7a1cd4..72baa6c 100644 --- a/bbmri/modules/eric-compose.yml +++ b/bbmri/modules/eric-compose.yml @@ -16,7 +16,7 @@ services: - "blaze" beam-proxy-eric: - image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop + image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG} container_name: bridgehead-beam-proxy-eric environment: BROKER_URL: ${ERIC_BROKER_URL} diff --git a/bbmri/modules/gbn-compose.yml b/bbmri/modules/gbn-compose.yml index f1c624f..94631ba 100644 --- a/bbmri/modules/gbn-compose.yml +++ b/bbmri/modules/gbn-compose.yml @@ -16,7 +16,7 @@ services: - "blaze" beam-proxy-gbn: - image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop + image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG} container_name: bridgehead-beam-proxy-gbn environment: BROKER_URL: ${GBN_BROKER_URL} diff --git a/bridgehead b/bridgehead index 702a351..81b19b3 100755 --- a/bridgehead +++ b/bridgehead 
@@ -80,13 +80,16 @@ loadVars() { case "$ENVIRONMENT" in "production") export FOCUS_TAG=main + export BEAM_TAG=main ;; "test") export FOCUS_TAG=develop + export BEAM_TAG=develop ;; *) report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!" export FOCUS_TAG=main + export BEAM_TAG=main ;; esac } diff --git a/cce/docker-compose.yml b/cce/docker-compose.yml index 13c5f38..87b6b1c 100644 --- a/cce/docker-compose.yml +++ b/cce/docker-compose.yml @@ -36,7 +36,7 @@ services: - "blaze" beam-proxy: - image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop + image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG} container_name: bridgehead-beam-proxy environment: BROKER_URL: ${BROKER_URL} diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml index 52e7eb5..95ff9c3 100644 --- a/ccp/docker-compose.yml +++ b/ccp/docker-compose.yml @@ -36,7 +36,7 @@ services: - "blaze" beam-proxy: - image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop + image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG} container_name: bridgehead-beam-proxy environment: BROKER_URL: ${BROKER_URL} diff --git a/itcc/docker-compose.yml b/itcc/docker-compose.yml index 197f4c5..7aab26d 100644 --- a/itcc/docker-compose.yml +++ b/itcc/docker-compose.yml @@ -36,7 +36,7 @@ services: - "blaze" beam-proxy: - image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop + image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG} container_name: bridgehead-beam-proxy environment: BROKER_URL: ${BROKER_URL} diff --git a/minimal/modules/dnpm-compose.yml b/minimal/modules/dnpm-compose.yml index 238c72c..646a457 100644 --- a/minimal/modules/dnpm-compose.yml +++ b/minimal/modules/dnpm-compose.yml 
@@ -2,7 +2,7 @@ version: "3.7" services: dnpm-beam-proxy: - image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop + image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG} container_name: bridgehead-dnpm-beam-proxy environment: BROKER_URL: ${DNPM_BROKER_URL} From 5ed07423f3a04132c08f59294909534d4f1e8038 Mon Sep 17 00:00:00 2001 From: davidmscholz Date: Tue, 30 Jul 2024 09:24:07 +0200 Subject: [PATCH 25/82] fix dashboard-compose --- ccp/modules/dashboard-compose.yml | 3 ++- ccp/modules/dashboard-setup.sh | 2 +- ccp/modules/dashboard.md | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ccp/modules/dashboard-compose.yml b/ccp/modules/dashboard-compose.yml index e2756d4..a84ff24 100644 --- a/ccp/modules/dashboard-compose.yml +++ b/ccp/modules/dashboard-compose.yml @@ -4,10 +4,11 @@ services: fhir2sql: depends_on: - "dashboard-db" + - [ blaze ] image: docker.verbis.dkfz.de/cache/samply/fhir2sql:latest container_name: bridgehead-ccp-dashboard-fhir2sql environment: - BLAZE_BASE_URL: "http://blaze:8080/fhir/" + BLAZE_BASE_URL: "http://bridgehead-ccp-blaze:8080" PG_HOST: "dashboard-db" PG_USERNAME: "dashboard" PG_PASSWORD: "${DASHBOARD_DB_PASSWORD}" # Set in dashboard-setup.sh diff --git a/ccp/modules/dashboard-setup.sh b/ccp/modules/dashboard-setup.sh index aee79fa..e1a33af 100644 --- a/ccp/modules/dashboard-setup.sh +++ b/ccp/modules/dashboard-setup.sh @@ -1,6 +1,6 @@ #!/bin/bash -e -if [ "$ENABLE_DASHBOARD" == true ]; then +if [ "$ENABLE_FHIR2SQL" == true ]; then log INFO "Dashboard setup detected -- will start Dashboard backend and FHIR2SQL service." OVERRIDE+=" -f ./$PROJECT/modules/dashboard-compose.yml" DASHBOARD_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the Dashboard database. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" 
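Review bot: `BLAZE_BASE_URL` now becomes `http://bridgehead-ccp-blaze:8080` without the `/fhir/` suffix, but the `ccp/modules/dashboard.md` hunk in this patch only renames the enabling variable and leaves the earlier description "BLAZE_BASE_URL ... (set to http://blaze:8080/fhir/)" unchanged, so the documentation and the compose file now disagree. Either update that line in dashboard.md or, if fhir2sql appends the FHIR path itself, say so on the variable, e.g. `# base URL without /fhir; fhir2sql appends the path`. In `dashboard-setup.sh` the log line still says "Dashboard setup detected" after the switch to `ENABLE_FHIR2SQL`, which is harmless but will confuse anyone grepping logs for the new flag name.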
diff --git a/ccp/modules/dashboard.md b/ccp/modules/dashboard.md index defdf39..deea710 100644 --- a/ccp/modules/dashboard.md +++ b/ccp/modules/dashboard.md @@ -33,4 +33,4 @@ The volume used by dashboard-db can be removed safely and should be restored to ### Setup -To enable the Dashboard module, set the ENABLE_DASHBOARD environment variable to true. The dashboard-setup.sh script will then start the fhir2sql and dashboard-db services, using the environment variables and volumes defined above. \ No newline at end of file +To enable the Dashboard module, set the ENABLE_FHIR2SQL environment variable to true. The dashboard-setup.sh script will then start the fhir2sql and dashboard-db services, using the environment variables and volumes defined above. \ No newline at end of file From af44b6b4462e9ba874db9917a8d070a9df05aca4 Mon Sep 17 00:00:00 2001 From: Tobias Kussel Date: Tue, 30 Jul 2024 07:40:49 +0000 Subject: [PATCH 26/82] Fix depends_on syntax --- ccp/modules/dashboard-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ccp/modules/dashboard-compose.yml b/ccp/modules/dashboard-compose.yml index a84ff24..7733787 100644 --- a/ccp/modules/dashboard-compose.yml +++ b/ccp/modules/dashboard-compose.yml @@ -4,7 +4,7 @@ services: fhir2sql: depends_on: - "dashboard-db" - - [ blaze ] + - "blaze" image: docker.verbis.dkfz.de/cache/samply/fhir2sql:latest container_name: bridgehead-ccp-dashboard-fhir2sql environment: From 2e5aeabca8cc252c431dfb05ce964740fd0755e3 Mon Sep 17 00:00:00 2001 
From: Tobias Kussel Date: Tue, 30 Jul 2024 07:44:47 +0000 Subject: [PATCH 27/82] Rename fhir2sql module files --- ccp/modules/{dashboard-compose.yml => fhir2sql-compose.yml} | 0 ccp/modules/{dashboard-setup.sh => fhir2sql-setup.sh} | 2 +- ccp/modules/{dashboard.md => fhir2sql.md} | 0 3 files changed, 1 insertion(+), 1 deletion(-) rename ccp/modules/{dashboard-compose.yml => fhir2sql-compose.yml} (100%) rename ccp/modules/{dashboard-setup.sh => fhir2sql-setup.sh} (87%) rename ccp/modules/{dashboard.md => fhir2sql.md} (100%) diff --git a/ccp/modules/dashboard-compose.yml b/ccp/modules/fhir2sql-compose.yml similarity index 100% rename from ccp/modules/dashboard-compose.yml rename to ccp/modules/fhir2sql-compose.yml diff --git a/ccp/modules/dashboard-setup.sh b/ccp/modules/fhir2sql-setup.sh similarity index 87% rename from ccp/modules/dashboard-setup.sh rename to ccp/modules/fhir2sql-setup.sh index e1a33af..6b27571 100644 --- a/ccp/modules/dashboard-setup.sh +++ b/ccp/modules/fhir2sql-setup.sh @@ -2,6 +2,6 @@ if [ "$ENABLE_FHIR2SQL" == true ]; then log INFO "Dashboard setup detected -- will start Dashboard backend and FHIR2SQL service." - OVERRIDE+=" -f ./$PROJECT/modules/dashboard-compose.yml" + OVERRIDE+=" -f ./$PROJECT/modules/fhir2sql-compose.yml" DASHBOARD_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the Dashboard database. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" fi diff --git a/ccp/modules/dashboard.md b/ccp/modules/fhir2sql.md similarity index 100% rename from ccp/modules/dashboard.md rename to ccp/modules/fhir2sql.md From 83b653e0c31dd1f63eac30297478b1273d440895 Mon Sep 17 00:00:00 2001 
From: janskiba Date: Tue, 30 Jul 2024 14:17:22 +0000 Subject: [PATCH 28/82] feat: Configure beam-connect to trust ds-orchestrator beam proxy --- ccp/modules/datashield-setup.sh | 2 +- ccp/modules/datashield-sites.json | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ccp/modules/datashield-setup.sh b/ccp/modules/datashield-setup.sh index 7a22050..9692fb9 100644 --- a/ccp/modules/datashield-setup.sh +++ b/ccp/modules/datashield-setup.sh @@ -33,7 +33,7 @@ if [ "$ENABLE_DATASHIELD" == true ]; then echo "$sites" | docker_jq -n --args '[{ "external": "'"$SITE_ID"':443", "internal": "opal:8443", - "allowed": input | map("datashield-connect.\(.).'"$BROKER_ID"'") + "allowed": input | map("\(.).'"$BROKER_ID"'") }]' >/tmp/bridgehead/opal-map/local.json if [ "$USER" == "root" ]; then chown -R bridgehead:docker /tmp/bridgehead diff --git a/ccp/modules/datashield-sites.json b/ccp/modules/datashield-sites.json index 07e2966..600534d 100644 --- a/ccp/modules/datashield-sites.json +++ b/ccp/modules/datashield-sites.json @@ -10,5 +10,6 @@ "essen", "dktk-datashield-test", "dktk-test", - "mannheim" + "mannheim", + "central-ds-orchestrator" ] From 33a2505517fe4d59e9b61d151083910f1369002f Mon Sep 17 00:00:00 2001 From: Martin Lablans Date: Thu, 1 Aug 2024 09:51:49 +0200 Subject: [PATCH 29/82] Move down, rephrase --- README.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 7017a5b..467bbe9 100644 --- a/README.md +++ b/README.md 
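Review bot: Dropping the `datashield-connect.` prefix changes the `allowed` entries from per-app identities (`datashield-connect.<site>.<broker>`) to bare proxy identities (`<site>.<broker>`); if beam-connect matches on the proxy part or by prefix, this broadens who may reach `opal:8443` from one named app per site to any app registered at those proxies. If the aim is only to admit the orchestrator, consider keeping the app-qualified entries for the sites and adding a single explicit entry for `central-ds-orchestrator`, with a comment recording why it is trusted, e.g. `# central-ds-orchestrator may open DataSHIELD sessions on this site's Opal`. The enclosing `if [ "$ENABLE_DATASHIELD" == true ]` block starts and ends outside the hunk.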
@@ -34,10 +34,6 @@ This repository is the starting point for any information and tools you will nee ## Requirements -To guarantee a smooth operation of the Bridgehead, we recommend a dedicated VM for the Bridgehead, with no other applications running on it. - -It may to be possible to run other apps on the same server, if they don't share common ports with the Bridgehead, and if they do not take up resources that the Bridgehead needs, like RAM. The Bridgehead may also run into issues if other applications need incompatible versions of git, Docker, curl, or other dependencies. - The data protection group at your site will probably want to know exactly what our software does with patient data, and you may need to get their approval before you are allowed to install a Bridgehead. To help you with this, we have provided some data protection concepts: - [Germany](https://www.bbmri.de/biobanking/it/infrastruktur/datenschutzkonzept/) @@ -50,6 +46,8 @@ Hardware requirements strongly depend on the specific use-cases of your network - 32 GB RAM - 160GB Hard Drive, SSD recommended +We recommend using a dedicated VM for the Bridgehead, with no other applications running on it. While the Bridgehead can, in principle, run on a shared VM, you might run into surprising problems such as resource conflicts (e.g., two apps using tcp port 443). + ### Software You are strongly recommended to install the Bridgehead under a Linux operating system (but see the section [Non-Linux OS](#non-linux-os)). You will need root (administrator) priveleges on this machine in order to perform the deployment. We recommend the newest Ubuntu LTS server release. From 62edaf99e035fbd8d507a904878f261346ee8cbd Mon Sep 17 00:00:00 2001 From: Tobias Kussel Date: Thu, 1 Aug 2024 11:23:56 +0200 Subject: [PATCH 30/82] Reduce bridgehead update interval to once a day at 6am --- lib/systemd/bridgehead-update@.timer | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/lib/systemd/bridgehead-update@.timer b/lib/systemd/bridgehead-update@.timer index 4c8fada..21415c8 100644 --- a/lib/systemd/bridgehead-update@.timer +++ b/lib/systemd/bridgehead-update@.timer @@ -2,7 +2,7 @@ Description=Hourly Updates of Bridgehead (%i) [Timer] -OnCalendar=*-*-* *:00:00 +OnCalendar=*-*-* 6:00:00 [Install] WantedBy=basic.target From 5227dc57a78087b9d67143a2a2c03db6143d6515 Mon Sep 17 00:00:00 2001 From: Tobias Kussel Date: Thu, 1 Aug 2024 11:32:15 +0200 Subject: [PATCH 31/82] Fix systemd timer description Co-authored-by: Jan <59206115+Threated@users.noreply.github.com> --- lib/systemd/bridgehead-update@.timer | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/systemd/bridgehead-update@.timer b/lib/systemd/bridgehead-update@.timer index 21415c8..0790baf 100644 --- a/lib/systemd/bridgehead-update@.timer +++ b/lib/systemd/bridgehead-update@.timer @@ -1,5 +1,5 @@ [Unit] -Description=Hourly Updates of Bridgehead (%i) +Description=Daily Updates at 6am of Bridgehead (%i) [Timer] OnCalendar=*-*-* 6:00:00 From ecd92690220540726004b8c65847dcb87997edef Mon Sep 17 00:00:00 2001 From: Tobias Kussel Date: Thu, 1 Aug 2024 11:38:25 +0200 Subject: [PATCH 32/82] Add bridgehead update timer persistance Co-authored-by: Martin Lablans <6804500+lablans@users.noreply.github.com> --- lib/systemd/bridgehead-update@.timer | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/systemd/bridgehead-update@.timer b/lib/systemd/bridgehead-update@.timer index 0790baf..c2ce82e 100644 --- a/lib/systemd/bridgehead-update@.timer +++ b/lib/systemd/bridgehead-update@.timer @@ -3,6 +3,7 @@ Description=Daily Updates at 6am of Bridgehead (%i) [Timer] OnCalendar=*-*-* 6:00:00 +Persistent=true [Install] WantedBy=basic.target From 35d6a1777871b9f0c606c2b74d492d33a37a5585 Mon Sep 17 00:00:00 2001 
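Review bot: Moving `OnCalendar` from hourly to one fixed time means every Bridgehead installation now pulls its update at the same minute, which concentrates load on the configuration Git server and the image registry. systemd's `RandomizedDelaySec=` (for example `RandomizedDelaySec=1h` under `[Timer]`) would spread the runs while keeping the daily cadence.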
From: Tobias Kussel Date: Thu, 1 Aug 2024 11:39:03 +0200 Subject: [PATCH 33/82] Fix bridgehead update timer time convention Co-authored-by: Martin Lablans <6804500+lablans@users.noreply.github.com> --- lib/systemd/bridgehead-update@.timer | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/systemd/bridgehead-update@.timer b/lib/systemd/bridgehead-update@.timer index c2ce82e..d9abdf4 100644 --- a/lib/systemd/bridgehead-update@.timer +++ b/lib/systemd/bridgehead-update@.timer @@ -2,7 +2,7 @@ Description=Daily Updates at 6am of Bridgehead (%i) [Timer] -OnCalendar=*-*-* 6:00:00 +OnCalendar=*-*-* 06:00:00 Persistent=true [Install] From 7c560a2e9313f6a6c87bd7e3d26f0e44a2280fe5 Mon Sep 17 00:00:00 2001 From: Patrick Skowronek Date: Thu, 15 Aug 2024 09:10:37 +0200 Subject: [PATCH 34/82] Added env to landing-page --- minimal/docker-compose.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/minimal/docker-compose.yml b/minimal/docker-compose.yml index e9f53d6..6e8818f 100644 --- a/minimal/docker-compose.yml +++ b/minimal/docker-compose.yml @@ -58,3 +58,4 @@ services: HOST: ${HOST} PROJECT: ${PROJECT} SITE_NAME: ${SITE_NAME} + ENVIRONMENT: ${ENVIRONMENT} From b8b81b1242f97ad8b7206224953f478eefd3514e Mon Sep 17 00:00:00 2001 From: DavidCroftDKFZ <46788708+DavidCroftDKFZ@users.noreply.github.com> Date: Thu, 15 Aug 2024 09:17:34 +0200 Subject: [PATCH 35/82] Fixed environment variable passing for Directory sync There were problems with the passing of environment variables from bbmri.conf to the Directory synce container: * The Directory password variable was misspellt. * Some useful variables were missing. Additionally, a delay was added before launching Directory sync, to give Blaze time to start up. --- bbmri/modules/directory-sync-compose.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/bbmri/modules/directory-sync-compose.yml b/bbmri/modules/directory-sync-compose.yml index 60998f3..0a58cd1 100644 
--- a/bbmri/modules/directory-sync-compose.yml +++ b/bbmri/modules/directory-sync-compose.yml @@ -6,7 +6,11 @@ services: environment: DS_DIRECTORY_URL: ${DS_DIRECTORY_URL} DS_DIRECTORY_USER_NAME: ${DS_DIRECTORY_USER_NAME} - DS_DIRECTORY_PASS_CODE: ${DS_DIRECTORY_PASS_CODE} + DS_DIRECTORY_USER_PASS: ${DS_DIRECTORY_USER_PASS} DS_TIMER_CRON: ${DS_TIMER_CRON} # It is recommended to check the enabling of this flag with your local data protection group DS_DIRECTORY_ALLOW_STAR_MODEL: ${DS_DIRECTORY_ALLOW_STAR_MODEL} + DS_DIRECTORY_MOCK: ${DS_DIRECTORY_MOCK} + DS_DIRECTORY_DEFAULT_COLLECTION_ID: ${DS_DIRECTORY_DEFAULT_COLLECTION_ID} + DS_DIRECTORY_COUNTRY: ${DS_DIRECTORY_COUNTRY} + command: sh -c "sleep 90 && java -jar directory_sync_service.jar" # Wait for Blaze before start From 95574f38befffe81c796178098d4c98704d6dad0 Mon Sep 17 00:00:00 2001 From: DavidCroftDKFZ <46788708+DavidCroftDKFZ@users.noreply.github.com> Date: Thu, 15 Aug 2024 10:33:28 +0200 Subject: [PATCH 36/82] Included Blaze dependency --- bbmri/modules/directory-sync-compose.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bbmri/modules/directory-sync-compose.yml b/bbmri/modules/directory-sync-compose.yml index 0a58cd1..17929cc 100644 --- a/bbmri/modules/directory-sync-compose.yml +++ b/bbmri/modules/directory-sync-compose.yml @@ -14,3 +14,5 @@ services: DS_DIRECTORY_DEFAULT_COLLECTION_ID: ${DS_DIRECTORY_DEFAULT_COLLECTION_ID} DS_DIRECTORY_COUNTRY: ${DS_DIRECTORY_COUNTRY} command: sh -c "sleep 90 && java -jar directory_sync_service.jar" # Wait for Blaze before start + depends_on: + - "blaze" From 3496fa7a0f0669f891aee1af0914a8e248398440 Mon Sep 17 00:00:00 2001 
From: DavidCroftDKFZ <46788708+DavidCroftDKFZ@users.noreply.github.com> Date: Thu, 15 Aug 2024 13:36:57 +0200 Subject: [PATCH 37/82] Let Directory sync handle connection with Blaze Remove the delayed start, because Directory sync will automatically keep trying to connect to Blaze if not initially present. --- bbmri/modules/directory-sync-compose.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/bbmri/modules/directory-sync-compose.yml b/bbmri/modules/directory-sync-compose.yml index 17929cc..1afc46a 100644 --- a/bbmri/modules/directory-sync-compose.yml +++ b/bbmri/modules/directory-sync-compose.yml @@ -13,6 +13,5 @@ services: DS_DIRECTORY_MOCK: ${DS_DIRECTORY_MOCK} DS_DIRECTORY_DEFAULT_COLLECTION_ID: ${DS_DIRECTORY_DEFAULT_COLLECTION_ID} DS_DIRECTORY_COUNTRY: ${DS_DIRECTORY_COUNTRY} - command: sh -c "sleep 90 && java -jar directory_sync_service.jar" # Wait for Blaze before start depends_on: - "blaze" From de847f309c52ba5604d6f8768bb237440b47db90 Mon Sep 17 00:00:00 2001 From: lablans Date: Thu, 15 Aug 2024 11:40:02 +0000 Subject: [PATCH 38/82] Provide defaults --- README.md | 9 +++------ bbmri/modules/directory-sync-compose.yml | 6 +++--- 2 files changed, 6 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 6c0e480..12984d1 100644 --- a/README.md +++ b/README.md 
@@ -306,15 +306,12 @@ Full details can be found in [directory_sync_service](https://github.com/samply/ To enable it, you will need to set these variables to the ```bbmri.conf``` file of your GitLab repository. Here is an example config: ``` -DS_DIRECTORY_URL=https://directory.bbmri-eric.eu DS_DIRECTORY_USER_NAME=your_directory_username -DS_DIRECTORY_USER_PASS=qwdnqwswdvqHBVGFR9887 -DS_DIRECTORY_ALLOW_STAR_MODEL=true -DS_TIMER_CRON="0 22 * * *" +DS_DIRECTORY_USER_PASS=your_directory_password ``` -You must contact the Directory team for your national node to find the URL, and to register as a user. +Please contact your National Node to obtain this information. -Additionally, you should choose when you want Directory sync to run. In the example above, this is set to happen at 10 pm every evening. You can modify this to suit your requirements. The timer specification should follow the [cron](https://crontab.guru) convention. +Optionally, you **may** change when you want Directory sync to run by specifying a [cron](https://crontab.guru) expression, e.g. `DS_TIMER_CRON="0 22 * * *"` for 10 pm every evening. Once you edited the gitlab config, the bridgehead will autoupdate the config with the values and will sync the data. diff --git a/bbmri/modules/directory-sync-compose.yml b/bbmri/modules/directory-sync-compose.yml index 1afc46a..215acd4 100644 --- a/bbmri/modules/directory-sync-compose.yml +++ b/bbmri/modules/directory-sync-compose.yml 
@@ -4,12 +4,12 @@ services:
 directory_sync_service:
 image: "docker.verbis.dkfz.de/cache/samply/directory_sync_service"
 environment:
- DS_DIRECTORY_URL: ${DS_DIRECTORY_URL}
+ DS_DIRECTORY_URL: ${DS_DIRECTORY_URL:-https://directory.bbmri-eric.eu}
 DS_DIRECTORY_USER_NAME: ${DS_DIRECTORY_USER_NAME}
 DS_DIRECTORY_USER_PASS: ${DS_DIRECTORY_USER_PASS}
- DS_TIMER_CRON: ${DS_TIMER_CRON}
+ DS_TIMER_CRON: ${DS_TIMER_CRON:-0 22 * * *}
 # It is recommended to check the enabling of this flag with your local data protection group
- DS_DIRECTORY_ALLOW_STAR_MODEL: ${DS_DIRECTORY_ALLOW_STAR_MODEL}
+ DS_DIRECTORY_ALLOW_STAR_MODEL: ${DS_DIRECTORY_ALLOW_STAR_MODEL:-true}
 DS_DIRECTORY_MOCK: ${DS_DIRECTORY_MOCK}
 DS_DIRECTORY_DEFAULT_COLLECTION_ID: ${DS_DIRECTORY_DEFAULT_COLLECTION_ID}
 DS_DIRECTORY_COUNTRY: ${DS_DIRECTORY_COUNTRY}
From 18c9e1bb308f62c1a74cb11eadf3fba0953494aa Mon Sep 17 00:00:00 2001
From: lablans
Date: Thu, 15 Aug 2024 11:43:14 +0000
Subject: [PATCH 39/82] Remove DP statement already present in readme.
---
 bbmri/modules/directory-sync-compose.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/bbmri/modules/directory-sync-compose.yml b/bbmri/modules/directory-sync-compose.yml
index 215acd4..33a7d31 100644
--- a/bbmri/modules/directory-sync-compose.yml
+++ b/bbmri/modules/directory-sync-compose.yml
@@ -8,7 +8,6 @@ services:
 DS_DIRECTORY_USER_NAME: ${DS_DIRECTORY_USER_NAME}
 DS_DIRECTORY_USER_PASS: ${DS_DIRECTORY_USER_PASS}
 DS_TIMER_CRON: ${DS_TIMER_CRON:-0 22 * * *}
- # It is recommended to check the enabling of this flag with your local data protection group
 DS_DIRECTORY_ALLOW_STAR_MODEL: ${DS_DIRECTORY_ALLOW_STAR_MODEL:-true}
 DS_DIRECTORY_MOCK: ${DS_DIRECTORY_MOCK}
 DS_DIRECTORY_DEFAULT_COLLECTION_ID: ${DS_DIRECTORY_DEFAULT_COLLECTION_ID}
From ae95f1403013dc43c96457b830200e285217988b Mon Sep 17 00:00:00 2001
From: Patrick Skowronek
Date: Mon, 19 Aug 2024 08:27:20 +0200
Subject: [PATCH 40/82] export ENVIRONMENT
---
 bridgehead | 5 +++++
 1 file changed, 5 insertions(+)
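Review bot: The new default `${DS_DIRECTORY_ALLOW_STAR_MODEL:-true}` switches the star-model upload on for every site that has not set the variable, while the comment directly above it still says enabling this flag should be checked with the local data protection group. For a flag that controls what leaves the site, opt-in is the safer default: `DS_DIRECTORY_ALLOW_STAR_MODEL: ${DS_DIRECTORY_ALLOW_STAR_MODEL:-false}`; if `true` is intentional, the README section edited in this same commit should state explicitly that the feature is now on by default and how to opt out. The `DS_DIRECTORY_URL` and `DS_TIMER_CRON` defaults are fine. `directory_sync_service:` is the first line of the hunk, so the whole service definition is visible.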
diff --git a/bridgehead b/bridgehead
index 85593b0..7a66262 100755
--- a/bridgehead
+++ b/bridgehead
@@ -74,13 +74,18 @@ loadVars() {
 case "$ENVIRONMENT" in
 "production")
 export FOCUS_TAG=main
+ export ENVIRONMENT="production"
 ;;
 "test")
 export FOCUS_TAG=develop
+ export ENVIRONMENT="test"
+ ;;
 *)
 report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
 export FOCUS_TAG=main
+ export ENVIRONMENT="production"
+ ;;
 esac
 }
From 60acac619de3876db753a5da54fb2ae571825022 Mon Sep 17 00:00:00 2001
From: Martin Lablans
Date: Mon, 19 Aug 2024 08:38:34 +0200
Subject: [PATCH 41/82] Don't repeat definition of ENVIRONMENT var
---
 bridgehead | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/bridgehead b/bridgehead
index 7a66262..db1a469 100755
--- a/bridgehead
+++ b/bridgehead
@@ -70,22 +70,18 @@ loadVars() {
 # Set some project-independent default values
 : ${ENVIRONMENT:=production}
+ export ENVIRONMENT
 case "$ENVIRONMENT" in
 "production")
 export FOCUS_TAG=main
- export ENVIRONMENT="production"
 ;;
 "test")
 export FOCUS_TAG=develop
- export ENVIRONMENT="test"
- ;;
 *)
 report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
 export FOCUS_TAG=main
- export ENVIRONMENT="production"
- ;;
 esac
 }
From 33843fe961458730bc70b99f314311487c67aa6a Mon Sep 17 00:00:00 2001
From: Torben Brenner
Date: Thu, 25 Jul 2024 15:56:47 +0200
Subject: [PATCH 42/82] fix: switch id-management to keycloak
---
 ccp/modules/id-management-compose.yml | 40 +++++++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)
diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml
index 61a4733..7eef387 100644
--- a/ccp/modules/id-management-compose.yml
+++ b/ccp/modules/id-management-compose.yml
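Review bot: In the `*)` branch of the second hunk the unknown value stays in `ENVIRONMENT` and is exported, even though the message says production is assumed and `FOCUS_TAG` is set to `main`; anything downstream that reads `ENVIRONMENT` sees the unknown string. Adding `ENVIRONMENT=production` next to `export FOCUS_TAG=main` in that branch makes the variable match the message (the `export ENVIRONMENT` added above the `case` already covers the export). The diffstat's five deletions also include both `;;` lines the previous commit added, which leaves the `"test")` clause without a terminator before `*)`; bash rejects that as a syntax error, so unless this rendering has lost a line the `;;` after `export FOCUS_TAG=develop` must be restored. `loadVars()` begins before the hunk.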
@@ -14,15 +14,15 @@ services:
 MAGICPL_CONNECTOR_APIKEY: ${IDMANAGER_READ_APIKEY}
 MAGICPL_CENTRAL_PATIENTLIST_APIKEY: ${IDMANAGER_CENTRAL_PATIENTLIST_APIKEY}
 MAGICPL_CONTROLNUMBERGENERATOR_APIKEY: ${IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY}
- MAGICPL_OIDC_CLIENT_ID: ${IDMANAGER_AUTH_CLIENT_ID}
- MAGICPL_OIDC_CLIENT_SECRET: ${IDMANAGER_AUTH_CLIENT_SECRET}
 depends_on:
 - patientlist
+ - traefik-forward-auth
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.id-manager.rule=PathPrefix(`/id-manager`)"
 - "traefik.http.services.id-manager.loadbalancer.server.port=8080"
 - "traefik.http.routers.id-manager.tls=true"
+ - "traefik.http.routers.id-manager.middlewares=traefik-forward-auth-idm"
 patientlist:
 image: docker.verbis.dkfz.de/bridgehead/mainzelliste
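Review bot: With `MAGICPL_OIDC_CLIENT_ID` and `MAGICPL_OIDC_CLIENT_SECRET` removed, id-manager presumably no longer validates tokens itself and relies on the `Authorization` header that the `traefik-forward-auth-idm` middleware forwards. That middleware sits only on the traefik router, so requests that reach `id-manager:8080` without passing through traefik carry no such guarantee; the backend should still verify the bearer token (issuer and audience) rather than treat the header's presence as authentication, which is worth confirming against the magicpl configuration outside this diff. A comment on the new label would make the trust boundary explicit: `# auth is enforced at the edge by traefik-forward-auth-idm; the forwarded Authorization header is only meaningful for requests routed through traefik`. The `id-manager:` service header lies above the hunk.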
@@ -56,5 +56,41 @@ services:
 # NOTE: Add backups here. This is only imported if /var/lib/bridgehead/data/patientlist/ is empty!!!
 - "/tmp/bridgehead/patientlist/:/docker-entrypoint-initdb.d/"
+ traefik-forward-auth:
+ image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:v7.6.0
+ environment:
+ - http_proxy=http://forward_proxy:3128
+ - https_proxy=http://forward_proxy:3128
+ - OAUTH2_PROXY_PROVIDER=oidc
+ - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
+ - OAUTH2_PROXY_OIDC_ISSUER_URL=https://login.verbis.dkfz.de/realms/master
+ - OAUTH2_PROXY_CLIENT_ID=bridgehead-${SITE_ID}
+ - OAUTH2_PROXY_CLIENT_SECRET=${IDMANAGER_AUTH_CLIENT_SECRET}
+ - OAUTH2_PROXY_COOKIE_SECRET=${IDMANAGER_AUTH_COOKIE_SECRET}
+ - OAUTH2_PROXY_COOKIE_DOMAINS=.${HOST}
+ - OAUTH2_PROXY_HTTP_ADDRESS=:4180
+ - OAUTH2_PROXY_REVERSE_PROXY=true
+ - OAUTH2_PROXY_WHITELIST_DOMAINS=.${HOST}
+ - OAUTH2_PROXY_UPSTREAMS=static://202
+ - OAUTH2_PROXY_EMAIL_DOMAINS=*
+ - OAUTH2_PROXY_SCOPE=openid profile email
+ # Pass Authorization Header and some user information to backend services
+ - OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
+ - OAUTH2_PROXY_SET_XAUTHREQUEST=true
+ # Keycloak has an expiration time of 60s therefore oauth2-proxy needs to refresh after that
+ - OAUTH2_PROXY_COOKIE_REFRESH=60s
+ - OAUTH2_PROXY_ALLOWED_GROUPS=DKTK-CCP-PPSN
+ - OAUTH2_PROXY_PROXY_PREFIX=/oauth2-idm
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4180"
+ - "traefik.http.routers.oauth2.rule=PathPrefix(`/oauth2-idm/`)"
+ - "traefik.http.routers.oauth2.tls=true"
+ - "traefik.http.middlewares.traefik-forward-auth-idm.forwardauth.address=http://traefik-forward-auth:4180"
+ - "traefik.http.middlewares.traefik-forward-auth-idm.forwardauth.authResponseHeaders=Authorization"
+ depends_on:
+ forward_proxy:
+ condition: service_healthy
+
 volumes:
 patientlist-db-data:
From 6228cb376202d6b35e623b2d44e91e4ef6044acf Mon Sep 17 00:00:00 2001
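Review bot: `OAUTH2_PROXY_COOKIE_DOMAINS=.${HOST}` and `OAUTH2_PROXY_WHITELIST_DOMAINS=.${HOST}` use the leading-dot form, which scopes the session cookie and the post-login redirect allowlist to every subdomain of the bridgehead host rather than the host itself; since id-manager is only served on `${HOST}`, the narrower `OAUTH2_PROXY_COOKIE_DOMAINS=${HOST}` and `OAUTH2_PROXY_WHITELIST_DOMAINS=${HOST}` suffice. `OAUTH2_PROXY_EMAIL_DOMAINS=*` makes membership in `DKTK-CCP-PPSN` the sole access control, which deserves a comment on the `OAUTH2_PROXY_ALLOWED_GROUPS` line so nobody loosens it thinking the email filter still applies. oauth2-proxy refuses to start unless the cookie secret is 16, 24 or 32 bytes, and `IDMANAGER_AUTH_COOKIE_SECRET` is generated outside this diff, so a comment such as `# must be 16, 24 or 32 bytes; see where IDMANAGER_AUTH_COOKIE_SECRET is generated` would save the next reader a lookup. Pinning the image to `v7.6.0` rather than a floating tag is good.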
From: Torben Brenner Date: Mon, 19 Aug 2024 17:09:10 +0200 Subject: [PATCH 43/82] fix: specify host for id-management login Otherwise traefik will match the route with the one specified in datashield-compose.yml --- ccp/modules/id-management-compose.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml index 7eef387..f9156cf 100644 --- a/ccp/modules/id-management-compose.yml +++ b/ccp/modules/id-management-compose.yml @@ -84,8 +84,8 @@ services: labels: - "traefik.enable=true" - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4180" - - "traefik.http.routers.oauth2.rule=PathPrefix(`/oauth2-idm/`)" - - "traefik.http.routers.oauth2.tls=true" + - "traefik.http.routers.traefik-forward-auth.rule=Host(`${HOST}`) && PathPrefix(`/oauth2-idm`)" + - "traefik.http.routers.traefik-forward-auth.tls=true" - "traefik.http.middlewares.traefik-forward-auth-idm.forwardauth.address=http://traefik-forward-auth:4180" - "traefik.http.middlewares.traefik-forward-auth-idm.forwardauth.authResponseHeaders=Authorization" depends_on: From 3fe781255bb2bb004c6425bcdbc9c6c4a829f23a Mon Sep 17 00:00:00 2001 From: Jan <59206115+Threated@users.noreply.github.com> Date: Thu, 29 Aug 2024 09:07:50 +0200 Subject: [PATCH 44/82] feat: Configure beam-connect to trust ds-orchestrator beam proxy (#220) --- ccp/modules/datashield-setup.sh | 2 +- ccp/modules/datashield-sites.json | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ccp/modules/datashield-setup.sh b/ccp/modules/datashield-setup.sh index 7a22050..9692fb9 100644 --- a/ccp/modules/datashield-setup.sh +++ b/ccp/modules/datashield-setup.sh 
@@ -33,7 +33,7 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
 echo "$sites" | docker_jq -n --args '[{
 "external": "'"$SITE_ID"':443",
 "internal": "opal:8443",
- "allowed": input | map("datashield-connect.\(.).'"$BROKER_ID"'")
+ "allowed": input | map("\(.).'"$BROKER_ID"'")
 }]' >/tmp/bridgehead/opal-map/local.json
 if [ "$USER" == "root" ]; then
 chown -R bridgehead:docker /tmp/bridgehead
diff --git a/ccp/modules/datashield-sites.json b/ccp/modules/datashield-sites.json
index 07e2966..600534d 100644
--- a/ccp/modules/datashield-sites.json
+++ b/ccp/modules/datashield-sites.json
@@ -10,5 +10,6 @@
 "essen",
 "dktk-datashield-test",
 "dktk-test",
- "mannheim"
+ "mannheim",
+ "central-ds-orchestrator"
 ]
From ed8dacaa59f0f1f9e31c2f93a7fc36ce18ad93d3 Mon Sep 17 00:00:00 2001
From: davidmscholz <130749829+davidmscholz@users.noreply.github.com>
Date: Thu, 29 Aug 2024 09:15:22 +0200
Subject: [PATCH 45/82] Fix fhir2sql db pw generation (#219)
fix postgresql password generation so that the password does not contain problematic characters that mess with the connection string
---
 ccp/modules/fhir2sql-setup.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ccp/modules/fhir2sql-setup.sh b/ccp/modules/fhir2sql-setup.sh
index 6b27571..64fa7c0 100644
--- a/ccp/modules/fhir2sql-setup.sh
+++ b/ccp/modules/fhir2sql-setup.sh
@@ -3,5 +3,5 @@ if [ "$ENABLE_FHIR2SQL" == true ]; then
 log INFO "Dashboard setup detected -- will start Dashboard backend and FHIR2SQL service."
 OVERRIDE+=" -f ./$PROJECT/modules/fhir2sql-compose.yml"
- DASHBOARD_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the Dashboard database. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+ DASHBOARD_DB_PASSWORD="$(generate_simple_password 'fhir2sql')"
 fi
From 4568e32ffa6bf29310482eab862e3a9673d2022b Mon Sep 17 00:00:00 2001
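Review bot: Dropping the `datashield-connect.` component turns each `allowed` entry from one beam app id (`datashield-connect.<site>.<broker>`) into a bare proxy id (`<site>.<broker>`); if beam-connect matches senders against these entries, every app registered on those proxies, not only datashield-connect, may now reach `opal:8443`, and the widening applies to all existing sites, not just the new orchestrator. If that is intended, say so above the `map` line: `# allowed entries are proxy ids: any app behind these proxies may reach opal`; otherwise keep the app-qualified form for sites and add the orchestrator as a separate, explicitly named entry. The enclosing `if [ "$ENABLE_DATASHIELD" == true ]` block starts before and ends after the hunk.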
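Review bot: The fix covers only `DASHBOARD_DB_PASSWORD`; the same `openssl pkeyutl ... | base64 | head -c` pipeline, whose base64 output can contain `/` and `+`, still produces `PATIENTLIST_POSTGRES_PASSWORD` in `ccp/modules/id-management-setup.sh` and `EXPORTER_DB_PASSWORD` in the new `kr/modules/exporter-setup.sh` later in this series, both of which are database passwords that end up in connection strings. Switching those to `generate_simple_password` as well closes the same bug there. `generate_simple_password` itself is outside this diff, so its output alphabet and length should be documented where it is defined. The `if [ "$ENABLE_FHIR2SQL" == true ]` block's opening line is the hunk header, not part of the hunk.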
From: Martin Lablans Date: Wed, 4 Sep 2024 09:26:37 +0200 Subject: [PATCH 46/82] readme: Data protection group --> officer --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6958db6..2534ee7 100644 --- a/README.md +++ b/README.md @@ -34,7 +34,7 @@ This repository is the starting point for any information and tools you will nee ## Requirements -The data protection group at your site will probably want to know exactly what our software does with patient data, and you may need to get their approval before you are allowed to install a Bridgehead. To help you with this, we have provided some data protection concepts: +The data protection officer at your site will probably want to know exactly what our software does with patient data, and you may need to get their approval before you are allowed to install a Bridgehead. To help you with this, we have provided some data protection concepts: - [Germany](https://www.bbmri.de/biobanking/it/infrastruktur/datenschutzkonzept/) From 6465dcb0ad4d456688febe9ba160afbf47f57eff Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Fri, 16 Aug 2024 12:18:22 +0200 Subject: [PATCH 47/82] feat: added dhki project --- bridgehead | 3 ++ dhki/docker-compose.yml | 66 ++++++++++++++++++++++++++++++++++++++ dhki/queries_to_cache.conf | 2 ++ dhki/root.crt.pem | 20 ++++++++++++ dhki/vars | 11 +++++++ lib/prepare-system.sh | 3 ++ 6 files changed, 105 insertions(+) create mode 100644 dhki/docker-compose.yml create mode 100644 dhki/queries_to_cache.conf create mode 100644 dhki/root.crt.pem create mode 100644 dhki/vars diff --git a/bridgehead b/bridgehead index 37b3047..eae0648 100755 --- a/bridgehead +++ b/bridgehead @@ -38,6 +38,9 @@ case "$PROJECT" in itcc) #nothing extra to do ;; + dhki) + #nothing extra to do + ;; minimal) #nothing extra to do ;; diff --git a/dhki/docker-compose.yml b/dhki/docker-compose.yml new file mode 100644 index 0000000..ee8cd17 --- /dev/null 
+++ b/dhki/docker-compose.yml 
@@ -0,0 +1,66 @@
+version: "3.7"
+
+services:
+ blaze:
+ image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
+ container_name: bridgehead-dhki-blaze
+ environment:
+ BASE_URL: "http://bridgehead-dhki-blaze:8080"
+ JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
+ DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
+ DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP
+ ENFORCE_REFERENTIAL_INTEGRITY: "false"
+ volumes:
+ - "blaze-data:/app/data"
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.blaze_dhki.rule=PathPrefix(`/dhki-localdatamanagement`)"
+ - "traefik.http.middlewares.dhki_b_strip.stripprefix.prefixes=/dhki-localdatamanagement"
+ - "traefik.http.services.blaze_dhki.loadbalancer.server.port=8080"
+ - "traefik.http.routers.blaze_dhki.middlewares=dhki_b_strip,auth"
+ - "traefik.http.routers.blaze_dhki.tls=true"
+
+ focus:
+ image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
+ container_name: bridgehead-focus
+ environment:
+ API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
+ BEAM_APP_ID_LONG: focus.${PROXY_ID}
+ PROXY_ID: ${PROXY_ID}
+ BLAZE_URL: "http://bridgehead-dhki-blaze:8080/fhir/"
+ BEAM_PROXY_URL: http://beam-proxy:8081
+ RETRY_COUNT: ${FOCUS_RETRY_COUNT}
+ EPSILON: 0.28
+ QUERIES_TO_CACHE: '/queries_to_cache.conf'
+ volumes:
+ - /srv/docker/bridgehead/dhki/queries_to_cache.conf:/queries_to_cache.conf
+ depends_on:
+ - "beam-proxy"
+ - "blaze"
+
+ beam-proxy:
+ image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
+ container_name: bridgehead-beam-proxy
+ environment:
+ BROKER_URL: ${BROKER_URL}
+ PROXY_ID: ${PROXY_ID}
+ APP_focus_KEY: ${FOCUS_BEAM_SECRET_SHORT}
+ PRIVKEY_FILE: /run/secrets/proxy.pem
+ ALL_PROXY: http://forward_proxy:3128
+ TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
+ ROOTCERT_FILE: /conf/root.crt.pem
+ secrets:
+ - proxy.pem
+ depends_on:
+ - "forward_proxy"
+ volumes:
+ - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
+ - /srv/docker/bridgehead/dhki/root.crt.pem:/conf/root.crt.pem:ro
+
+
+volumes:
+ blaze-data: + +secrets: + proxy.pem: + file: /etc/bridgehead/pki/${SITE_ID}.priv.pem diff --git a/dhki/queries_to_cache.conf b/dhki/queries_to_cache.conf new file mode 100644 index 0000000..b950312 --- /dev/null +++ b/dhki/queries_to_cache.conf @@ -0,0 +1,2 @@ +bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwoKY29kZXN5c3RlbSBsb2luYzogJ2h0dHA6Ly9sb2luYy5vcmcnCgpjb250ZXh0IFBhdGllbnQKCgpES1RLX1NUUkFUX0dFTkRFUl9TVFJBVElGSUVSCgpES1RLX1NUUkFUX1BSSU1BUllfRElBR05PU0lTX05PX1NPUlRfU1RSQVRJRklFUgpES1RLX1NUUkFUX0FHRV9DTEFTU19TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RFQ0VBU0VEX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfRElBR05PU0lTX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfU1BFQ0lNRU5fU1RSQVRJRklFUgoKREtUS19TVFJBVF9QUk9DRURVUkVfU1RSQVRJRklFUgoKREtUS19TVFJBVF9NRURJQ0FUSU9OX1NUUkFUSUZJRVIKCiAgREtUS19TVFJBVF9ISVNUT0xPR1lfU1RSQVRJRklFUgpES1RLX1NUUkFUX0RFRl9JTl9JTklUSUFMX1BPUFVMQVRJT04KdHJ1ZQ== 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 \ No newline at end of file diff --git a/dhki/root.crt.pem b/dhki/root.crt.pem new file mode 100644 index 0000000..8d58dae --- /dev/null +++ b/dhki/root.crt.pem 
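Review bot: `DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP` has no default while the `JAVA_TOOL_OPTIONS` line two lines above falls back to `4096`, so a site that leaves `BLAZE_MEMORY_CAP` unset hands Blaze an empty `DB_BLOCK_CACHE_SIZE` (compose substitutes an empty string), which Blaze may reject or misinterpret. Use the same fallback: `DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP:-4096}`. The identical line appears in `kr/docker-compose.yml` later in this series. The `beam-proxy` image uses the floating `develop` tag while `blaze` is pinned to `0.28`; since the proxy is the component holding the site's private key (`proxy.pem`), a production profile should pin it too.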
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNTCCAh2gAwIBAgIUSWUPebUMNfJvPKMjdgX+WiH+OXgwDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjQwMTA1MDg1NTM4WhcNMzQw +MTAyMDg1NjA4WjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAL/nvo9Bn1/6Z/K4BKoLM6/mVziM4cmXTVx4npVz +pnptwPPFU4rz47akRZ6ZMD5MO0bsyvaxG1nwVrW3aAGC42JIGTdZHKwMKrd35sxw +k3YlGJagGUs+bKHUCL55OcSmyDWlh/UhA8+eeJWjOt9u0nYXv+vi+N4JSHA0oC9D +bTF1v+7blrTQagf7PTPSF3pe22iXOjJYdOkZMWoMoNAjn6F958fkLNLY3csOZwvP +/3eyNNawyAEPWeIm33Zk630NS8YHggz6WCqwXvuaKb6910mRP8jgauaYsqgsOyDt +pbWuvk//aZWdGeN9RNsAA8eGppygiwm/m9eRC6I0shDwv6ECAwEAAaN7MHkwDgYD +VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFn/dbW1J3ry +7TBzbKo3H4vJr2MiMB8GA1UdIwQYMBaAFFn/dbW1J3ry7TBzbKo3H4vJr2MiMBYG +A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQCa2V8B8aad +XNDS1EUIi9oMdvGvkolcdFwx9fI++qu9xSIaZs5GETHck3oYKZF0CFP5ESnKDn5w +enWgm5M0y+hVZppzB163WmET1efBXwrdyn8j4336NjX352h63JGWCaI2CfZ1qG1p +kf5W9CVXllSFaJe5r994ovgyHvK2ucWwe8l8iMJbQhH79oKi/9uJMCD6aUXnpg1K +nPHW1lsVx6foqYWijdBdtFU2i7LSH2OYo0nb1PgRnY/SABV63JHfJnqW9dZy4f7G +rpsvvrmFrKmEnCZH0n6qveY3Z5bMD94Yx0ebkCTYEqAw3pV65gwxrzBTpEg6dgF0 +eG0eKFUS0REJ +-----END CERTIFICATE----- diff --git a/dhki/vars b/dhki/vars new file mode 100644 index 0000000..52f8961 --- /dev/null +++ b/dhki/vars @@ -0,0 +1,11 @@ +BROKER_ID=broker.hector.dkfz.de +BROKER_URL=https://${BROKER_ID} +PROXY_ID=${SITE_ID}.${BROKER_ID} +FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)" +FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64} +SUPPORT_EMAIL=support-ccp@dkfz-heidelberg.de +PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem + +BROKER_URL_FOR_PREREQ=$BROKER_URL + +POSTGRES_TAG=15.6-alpine diff --git a/lib/prepare-system.sh b/lib/prepare-system.sh index f93b6f0..ecd29a5 100755 --- a/lib/prepare-system.sh +++ b/lib/prepare-system.sh 
@@ -57,6 +57,9 @@ case "$PROJECT" in ;; itcc) site_configuration_repository_middle="git.verbis.dkfz.de/itcc-sites/" + ;; + dhki) + site_configuration_repository_middle="git.verbis.dkfz.de/dhki/" ;; minimal) site_configuration_repository_middle="git.verbis.dkfz.de/minimal-bridgehead-configs/" From 735e064b030a7a7a35cdc14e467545fb80598627 Mon Sep 17 00:00:00 2001 From: Pierre Delpy <75260699+PierreDelpy@users.noreply.github.com> Date: Thu, 12 Sep 2024 09:19:21 +0200 Subject: [PATCH 48/82] Update queries_to_cache.conf --- dhki/queries_to_cache.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dhki/queries_to_cache.conf b/dhki/queries_to_cache.conf index b950312..53597fe 100644 --- a/dhki/queries_to_cache.conf +++ b/dhki/queries_to_cache.conf @@ -1,2 +1,2 @@ -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 -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 \ No newline at end of file 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 From f0bdb5c1463541c0d070aef5324e955d06d9dc51 Mon Sep 17 00:00:00 2001 From: "p.delpy@dkfz-heidelberg.de" Date: Thu, 12 Sep 2024 09:24:48 +0200 Subject: [PATCH 49/82] fix: re-add modules --- ccp/modules/id-management-setup.sh | 2 +- ccp/modules/obds2fhir-rest-setup.sh | 2 +- dhki/vars | 9 +++++++++ lib/update-bridgehead.sh | 1 + 4 files changed, 12 insertions(+), 2 deletions(-) diff --git a/ccp/modules/id-management-setup.sh b/ccp/modules/id-management-setup.sh index 3165956..333b512 100644 --- a/ccp/modules/id-management-setup.sh +++ b/ccp/modules/id-management-setup.sh 
@@ -3,7 +3,7 @@ function idManagementSetup() { if [ -n "$IDMANAGER_UPLOAD_APIKEY" ]; then log INFO "id-management setup detected -- will start id-management (mainzelliste & magicpl)." - OVERRIDE+=" -f ./$PROJECT/modules/id-management-compose.yml" + OVERRIDE+=" -f ./ccp/modules/id-management-compose.yml" # Auto Generate local Passwords PATIENTLIST_POSTGRES_PASSWORD="$(echo \"id-management-module-db-password-salt\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" diff --git a/ccp/modules/obds2fhir-rest-setup.sh b/ccp/modules/obds2fhir-rest-setup.sh index 677ea63..6120f31 100644 --- a/ccp/modules/obds2fhir-rest-setup.sh +++ b/ccp/modules/obds2fhir-rest-setup.sh @@ -7,7 +7,7 @@ function obds2fhirRestSetup() { log ERROR "Missing ID-Management Module! Fix this by setting up ID Management:" PATIENTLIST_URL=" " fi - OVERRIDE+=" -f ./$PROJECT/modules/obds2fhir-rest-compose.yml" + OVERRIDE+=" -f ./ccp/modules/obds2fhir-rest-compose.yml" LOCAL_SALT="$(echo \"local-random-salt\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" fi } diff --git a/dhki/vars b/dhki/vars index 52f8961..df3dd55 100644 --- a/dhki/vars +++ b/dhki/vars @@ -9,3 +9,12 @@ PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem BROKER_URL_FOR_PREREQ=$BROKER_URL POSTGRES_TAG=15.6-alpine + +for module in $PROJECT/modules/*.sh +do + log DEBUG "sourcing $module" + source $module +done + +idManagementSetup +obds2fhirRestSetup \ No newline at end of file diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh index 44655b1..16638b6 100755 --- a/lib/update-bridgehead.sh +++ b/lib/update-bridgehead.sh @@ -10,6 +10,7 @@ if [ "$AUTO_HOUSEKEEPING" == "true" ]; then docker system prune -a -f else A="$A Not cleaning docker images since BK is not running." + docker system prune -f fi hc_send log "$A" log INFO "$A" From 77c870ab22a991feed54707396010c98a5cad694 Mon Sep 17 00:00:00 2001 
From: "p.delpy@dkfz-heidelberg.de" Date: Thu, 12 Sep 2024 09:29:30 +0200 Subject: [PATCH 50/82] fix: fix bash path --- dhki/vars | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dhki/vars b/dhki/vars index df3dd55..b728925 100644 --- a/dhki/vars +++ b/dhki/vars @@ -10,7 +10,7 @@ BROKER_URL_FOR_PREREQ=$BROKER_URL POSTGRES_TAG=15.6-alpine -for module in $PROJECT/modules/*.sh +for module in ccp/modules/*.sh do log DEBUG "sourcing $module" source $module From 969f1e724293922402c32f322fce9d5b95434da7 Mon Sep 17 00:00:00 2001 From: "p.delpy@dkfz-heidelberg.de" Date: Thu, 12 Sep 2024 09:41:19 +0200 Subject: [PATCH 51/82] fix: remove accidental commit --- lib/update-bridgehead.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh index 16638b6..44655b1 100755 --- a/lib/update-bridgehead.sh +++ b/lib/update-bridgehead.sh @@ -10,7 +10,6 @@ if [ "$AUTO_HOUSEKEEPING" == "true" ]; then docker system prune -a -f else A="$A Not cleaning docker images since BK is not running." - docker system prune -f fi hc_send log "$A" log INFO "$A" From 65359c2ee692f9c7b7acdf85dbb8178cb0e85ca8 Mon Sep 17 00:00:00 2001 
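Review bot: `for module in ccp/modules/*.sh; do source $module; done` sources every ccp module script, not only the two whose functions are called afterwards. Some of those scripts are not wrapped in functions — `ccp/modules/datashield-setup.sh` and `ccp/modules/fhir2sql-setup.sh` earlier in this series are top-level `if [ "$ENABLE_..." == true ]` blocks — so they run at source time and can append ccp compose files to `OVERRIDE` for a dhki site that happens to have those flags set. Sourcing only what is needed avoids that: `source ccp/modules/id-management-setup.sh` and `source ccp/modules/obds2fhir-rest-setup.sh`. The glob is also relative to the working directory, which is fine only as long as vars is sourced from the repository root, as the `./ccp/modules/...` overrides in the setup scripts already assume.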
From: Pierre Delpy <75260699+PierreDelpy@users.noreply.github.com> Date: Thu, 12 Sep 2024 10:04:53 +0200 Subject: [PATCH 52/82] Feature/pilot projects backup (#227) add pilot projects --- bridgehead | 3 + cce/modules/lens-compose.yml | 5 ++ cce/modules/lens-setup.sh | 3 +- cce/vars | 2 +- itcc/modules/lens-compose.yml | 5 ++ itcc/vars | 2 +- kr/docker-compose.yml | 63 +++++++++++++++++++ kr/modules/export-and-qb.curl-templates | 6 ++ kr/modules/exporter-compose.yml | 67 ++++++++++++++++++++ kr/modules/exporter-setup.sh | 8 +++ kr/modules/exporter.md | 15 +++++ kr/modules/lens-compose.yml | 33 ++++++++++ kr/modules/lens-setup.sh | 5 ++ kr/modules/obds2fhir-rest-compose.yml | 20 ++++++ kr/modules/obds2fhir-rest-setup.sh | 13 ++++ kr/modules/teiler-compose.yml | 81 +++++++++++++++++++++++++ kr/modules/teiler-setup.sh | 9 +++ kr/modules/teiler.md | 19 ++++++ kr/root.crt.pem | 20 ++++++ kr/vars | 16 +++++ lib/functions.sh | 2 +- lib/prepare-system.sh | 6 ++ 22 files changed, 398 insertions(+), 5 deletions(-) create mode 100644 kr/docker-compose.yml create mode 100644 kr/modules/export-and-qb.curl-templates create mode 100644 kr/modules/exporter-compose.yml create mode 100644 kr/modules/exporter-setup.sh create mode 100644 kr/modules/exporter.md create mode 100644 kr/modules/lens-compose.yml create mode 100644 kr/modules/lens-setup.sh create mode 100644 kr/modules/obds2fhir-rest-compose.yml create mode 100644 kr/modules/obds2fhir-rest-setup.sh create mode 100644 kr/modules/teiler-compose.yml create mode 100644 kr/modules/teiler-setup.sh create mode 100644 kr/modules/teiler.md create mode 100644 kr/root.crt.pem create mode 100644 kr/vars diff --git a/bridgehead b/bridgehead index eae0648..d5d3a20 100755 --- a/bridgehead +++ b/bridgehead @@ -38,6 +38,9 @@ case "$PROJECT" in itcc) #nothing extra to do ;; + kr) + #nothing extra to do + ;; dhki) #nothing extra to do ;; diff --git a/cce/modules/lens-compose.yml b/cce/modules/lens-compose.yml index 6575578..12b95ce 100644 
--- a/cce/modules/lens-compose.yml +++ b/cce/modules/lens-compose.yml @@ -3,6 +3,11 @@ services: landing: container_name: lens_federated-search image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID} + labels: + - "traefik.enable=true" + - "traefik.http.routers.landing.rule=PathPrefix(`/`)" + - "traefik.http.services.landing.loadbalancer.server.port=80" + - "traefik.http.routers.landing.tls=true" spot: image: docker.verbis.dkfz.de/ccp-private/central-spot diff --git a/cce/modules/lens-setup.sh b/cce/modules/lens-setup.sh index eb511b5..c19dc4b 100644 --- a/cce/modules/lens-setup.sh +++ b/cce/modules/lens-setup.sh @@ -2,5 +2,4 @@ if [ -n "$ENABLE_LENS" ];then OVERRIDE+=" -f ./$PROJECT/modules/lens-compose.yml" -fi -} \ No newline at end of file +fi \ No newline at end of file diff --git a/cce/vars b/cce/vars index b03403b..7d0c1a3 100644 --- a/cce/vars +++ b/cce/vars @@ -3,7 +3,7 @@ BROKER_URL=https://${BROKER_ID} PROXY_ID=${SITE_ID}.${BROKER_ID} FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)" FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64} -SUPPORT_EMAIL=arturo.macias@dkfz-heidelberg.de +SUPPORT_EMAIL=manoj.waikar@dkfz-heidelberg.de PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem BROKER_URL_FOR_PREREQ=$BROKER_URL diff --git a/itcc/modules/lens-compose.yml b/itcc/modules/lens-compose.yml index 8593106..2bbddbe 100644 --- a/itcc/modules/lens-compose.yml +++ b/itcc/modules/lens-compose.yml @@ -3,6 +3,11 @@ services: landing: container_name: lens_federated-search image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID} + labels: + - "traefik.enable=true" + - "traefik.http.routers.landing.rule=PathPrefix(`/`)" + - "traefik.http.services.landing.loadbalancer.server.port=80" + - "traefik.http.routers.landing.tls=true" spot: image: docker.verbis.dkfz.de/ccp-private/central-spot diff --git a/itcc/vars b/itcc/vars index 7d0c1a3..b03403b 100644 --- a/itcc/vars +++ b/itcc/vars 
@@ -3,7 +3,7 @@ BROKER_URL=https://${BROKER_ID} PROXY_ID=${SITE_ID}.${BROKER_ID} FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)" FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64} -SUPPORT_EMAIL=manoj.waikar@dkfz-heidelberg.de +SUPPORT_EMAIL=arturo.macias@dkfz-heidelberg.de PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem BROKER_URL_FOR_PREREQ=$BROKER_URL diff --git a/kr/docker-compose.yml b/kr/docker-compose.yml new file mode 100644 index 0000000..d875a24 --- /dev/null +++ b/kr/docker-compose.yml 
@@ -0,0 +1,63 @@
+version: "3.7"
+
+services:
+ blaze:
+ image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
+ container_name: bridgehead-kr-blaze
+ environment:
+ BASE_URL: "http://bridgehead-kr-blaze:8080"
+ JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
+ DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
+ DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP
+ ENFORCE_REFERENTIAL_INTEGRITY: "false"
+ volumes:
+ - "blaze-data:/app/data"
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.blaze_kr.rule=PathPrefix(`/kr-localdatamanagement`)"
+ - "traefik.http.middlewares.kr_b_strip.stripprefix.prefixes=/kr-localdatamanagement"
+ - "traefik.http.services.blaze_kr.loadbalancer.server.port=8080"
+ - "traefik.http.routers.blaze_kr.middlewares=kr_b_strip,auth"
+ - "traefik.http.routers.blaze_kr.tls=true"
+
+ focus:
+ image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
+ container_name: bridgehead-focus
+ environment:
+ API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
+ BEAM_APP_ID_LONG: focus.${PROXY_ID}
+ PROXY_ID: ${PROXY_ID}
+ BLAZE_URL: "http://bridgehead-kr-blaze:8080/fhir/"
+ BEAM_PROXY_URL: http://beam-proxy:8081
+ RETRY_COUNT: ${FOCUS_RETRY_COUNT}
+ EPSILON: 0.28
+ depends_on:
+ - "beam-proxy"
+ - "blaze"
+
+ beam-proxy:
+ image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
+ container_name: bridgehead-beam-proxy
+ environment:
+ BROKER_URL: ${BROKER_URL}
+ PROXY_ID: ${PROXY_ID}
+ APP_focus_KEY: ${FOCUS_BEAM_SECRET_SHORT}
+ PRIVKEY_FILE: /run/secrets/proxy.pem
+ ALL_PROXY: http://forward_proxy:3128
+ TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
+ ROOTCERT_FILE: /conf/root.crt.pem
+ secrets:
+ - proxy.pem
+ depends_on:
+ - "forward_proxy"
+ volumes:
+ - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
+ - /srv/docker/bridgehead/kr/root.crt.pem:/conf/root.crt.pem:ro
+
+
+volumes:
+ blaze-data:
+
+secrets:
+ proxy.pem:
+ file: /etc/bridgehead/pki/${SITE_ID}.priv.pem
diff --git a/kr/modules/export-and-qb.curl-templates b/kr/modules/export-and-qb.curl-templates new file mode 100644 index 0000000..739c5af --- /dev/null +++ b/kr/modules/export-and-qb.curl-templates @@ -0,0 +1,6 @@ +# Full Excel Export +curl --location --request POST 'https://${HOST}/ccp-exporter/request?query=Patient&query-format=FHIR_PATH&template-id=ccp&output-format=EXCEL' \ +--header 'x-api-key: ${EXPORT_API_KEY}' + +# QB +curl --location --request POST 'https://${HOST}/ccp-reporter/generate?template-id=ccp' diff --git a/kr/modules/exporter-compose.yml b/kr/modules/exporter-compose.yml new file mode 100644 index 0000000..d5eb227 --- /dev/null +++ b/kr/modules/exporter-compose.yml 
@@ -0,0 +1,67 @@ +version: "3.7" + +services: + exporter: + image: docker.verbis.dkfz.de/ccp/dktk-exporter:latest + container_name: bridgehead-ccp-exporter + environment: + JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC" + LOG_LEVEL: "INFO" + EXPORTER_API_KEY: "${EXPORTER_API_KEY}" # Set in exporter-setup.sh + CROSS_ORIGINS: "https://${HOST}" + EXPORTER_DB_USER: "exporter" + EXPORTER_DB_PASSWORD: "${EXPORTER_DB_PASSWORD}" # Set in exporter-setup.sh + EXPORTER_DB_URL: "jdbc:postgresql://exporter-db:5432/exporter" + HTTP_RELATIVE_PATH: "/ccp-exporter" + SITE: "${SITE_ID}" + HTTP_SERVLET_REQUEST_SCHEME: "https" + OPAL_PASSWORD: "${EXPORTER_OPAL_PASSWORD}" + labels: + - "traefik.enable=true" + - "traefik.http.routers.exporter_ccp.rule=PathPrefix(`/ccp-exporter`)" + - "traefik.http.services.exporter_ccp.loadbalancer.server.port=8092" + - "traefik.http.routers.exporter_ccp.tls=true" + - "traefik.http.middlewares.exporter_ccp_strip.stripprefix.prefixes=/ccp-exporter" + - "traefik.http.routers.exporter_ccp.middlewares=exporter_ccp_strip" + volumes: + - "/var/cache/bridgehead/ccp/exporter-files:/app/exporter-files/output" + + exporter-db: + image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG} + container_name: bridgehead-ccp-exporter-db + environment: + POSTGRES_USER: "exporter" + POSTGRES_PASSWORD: "${EXPORTER_DB_PASSWORD}" # Set in exporter-setup.sh + POSTGRES_DB: "exporter" + volumes: + # Consider removing this volume once we find a solution to save Lens-queries to be executed in the explorer. 
+ - "/var/cache/bridgehead/ccp/exporter-db:/var/lib/postgresql/data" + + reporter: + image: docker.verbis.dkfz.de/ccp/dktk-reporter:latest + container_name: bridgehead-ccp-reporter + environment: + JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC" + LOG_LEVEL: "INFO" + CROSS_ORIGINS: "https://${HOST}" + HTTP_RELATIVE_PATH: "/ccp-reporter" + SITE: "${SITE_ID}" + EXPORTER_API_KEY: "${EXPORTER_API_KEY}" # Set in exporter-setup.sh + EXPORTER_URL: "http://exporter:8092" + LOG_FHIR_VALIDATION: "false" + HTTP_SERVLET_REQUEST_SCHEME: "https" + + # In this initial development state of the bridgehead, we are trying to have so many volumes as possible. + # However, in the first executions in the CCP sites, this volume seems to be very important. A report is + # a process that can take several hours, because it depends on the exporter. + # There is a risk that the bridgehead restarts, losing the already created export. + + volumes: + - "/var/cache/bridgehead/ccp/reporter-files:/app/reports" + labels: + - "traefik.enable=true" + - "traefik.http.routers.reporter_ccp.rule=PathPrefix(`/ccp-reporter`)" + - "traefik.http.services.reporter_ccp.loadbalancer.server.port=8095" + - "traefik.http.routers.reporter_ccp.tls=true" + - "traefik.http.middlewares.reporter_ccp_strip.stripprefix.prefixes=/ccp-reporter" + - "traefik.http.routers.reporter_ccp.middlewares=reporter_ccp_strip" diff --git a/kr/modules/exporter-setup.sh b/kr/modules/exporter-setup.sh new file mode 100644 index 0000000..9b947a6 --- /dev/null +++ b/kr/modules/exporter-setup.sh 
@@ -0,0 +1,8 @@
+#!/bin/bash -e
+
+if [ "$ENABLE_EXPORTER" == true ]; then
+ log INFO "Exporter setup detected -- will start Exporter service."
+ OVERRIDE+=" -f ./$PROJECT/modules/exporter-compose.yml"
+ EXPORTER_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+ EXPORTER_API_KEY="$(echo \"This is a salt string to generate one consistent API KEY for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)"
+fi
diff --git a/kr/modules/exporter.md b/kr/modules/exporter.md
new file mode 100644
index 0000000..24e81b0
--- /dev/null
+++ b/kr/modules/exporter.md
@@ -0,0 +1,15 @@
+# Exporter and Reporter
+
+
+## Exporter
+The exporter is a REST API that exports the data of the different databases of the bridgehead in a set of tables.
+It can accept different output formats as CSV, Excel, JSON or XML. It can also export data into Opal.
+
+## Exporter-DB
+It is a database to save queries for its execution in the exporter.
+The exporter manages also the different executions of the same query in through the database.
+
+## Reporter
+This component is a plugin of the exporter that allows to create more complex Excel reports described in templates.
+It is compatible with different template engines as Groovy, Thymeleaf,...
+It is perfect to generate a document as our traditional CCP quality report.
diff --git a/kr/modules/lens-compose.yml b/kr/modules/lens-compose.yml
new file mode 100644
index 0000000..180dd67
--- /dev/null
+++ b/kr/modules/lens-compose.yml
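Review bot: Both secrets are derived by signing a fixed string with the site's Beam private key (`openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem`), which reuses an identity key as a key-derivation secret and ties `EXPORTER_DB_PASSWORD` to that key's lifetime: re-enrolling with a new key silently changes the password and locks the exporter out of the existing `exporter-db` volume. The scheme is only stable because RSA PKCS#1 v1.5 signatures are deterministic; with an EC site key `pkeyutl -sign` is randomised and the password would differ on every start, so at minimum add `# Deterministic only for RSA site keys; changing the key type or re-enrolling changes these secrets and orphans exporter-db` above the two lines. A cleaner approach is to generate the values once with `openssl rand -base64` and persist them mode 600 under /etc/bridgehead, where the config repo already holds secrets. Note that the `#!/bin/bash -e` shebang has no effect here because `kr/vars` sources this file rather than executing it.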
@@ -0,0 +1,33 @@ +version: "3.7" +services: + landing: + container_name: lens_federated-search + image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID} + labels: + - "traefik.enable=true" + - "traefik.http.routers.landing.rule=PathPrefix(`/`)" + - "traefik.http.services.landing.loadbalancer.server.port=80" + - "traefik.http.routers.landing.tls=true" + + spot: + image: docker.verbis.dkfz.de/ccp-private/central-spot + environment: + BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}" + BEAM_URL: http://beam-proxy:8081 + BEAM_PROXY_ID: ${SITE_ID} + BEAM_BROKER_ID: ${BROKER_ID} + BEAM_APP_ID: "focus" + PROJECT_METADATA: "kr_supervisors" + depends_on: + - "beam-proxy" + labels: + - "traefik.enable=true" + - "traefik.http.services.spot.loadbalancer.server.port=8080" + - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowmethods=GET,OPTIONS,POST" + - "traefik.http.middlewares.corsheaders2.headers.accesscontrolalloworiginlist=https://${HOST}" + - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowcredentials=true" + - "traefik.http.middlewares.corsheaders2.headers.accesscontrolmaxage=-1" + - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/backend`)" + - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/backend" + - "traefik.http.routers.spot.tls=true" + - "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot" diff --git a/kr/modules/lens-setup.sh b/kr/modules/lens-setup.sh new file mode 100644 index 0000000..c19dc4b --- /dev/null +++ b/kr/modules/lens-setup.sh @@ -0,0 +1,5 @@ +#!/bin/bash + +if [ -n "$ENABLE_LENS" ];then + OVERRIDE+=" -f ./$PROJECT/modules/lens-compose.yml" +fi \ No newline at end of file diff --git a/kr/modules/obds2fhir-rest-compose.yml b/kr/modules/obds2fhir-rest-compose.yml new file mode 100644 index 0000000..f201e23 --- /dev/null +++ b/kr/modules/obds2fhir-rest-compose.yml 
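Review bot: `docker.verbis.dkfz.de/ccp-private/central-spot` carries no tag at all and `lens:${SITE_ID}` is a per-site tag that is presumably rebuilt in place, so neither image is reproducible and a site cannot tell which build it is running; pin both to a version tag or digest. The `spot` service is also the only one in this series without a `container_name`, so its container name depends on the compose project name — add `container_name: bridgehead-spot` (or similar) for consistency with the other modules. The CORS middleware permits credentials only for the exact `https://${HOST}` origin, which is the right shape; a short comment saying why credentials are needed there would help the next reviewer.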
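Review bot: `[ -n "$ENABLE_LENS" ]` enables the module for any non-empty value, so a site that writes `ENABLE_LENS=false` in its config gets Lens (and the catch-all `landing` router on `/`) started anyway; exporter-setup.sh and teiler-setup.sh in this same series test `== true`, and this file should match: `if [ "$ENABLE_LENS" == true ]; then`. The same pattern appears in obds2fhir-rest-setup.sh.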
@@ -0,0 +1,20 @@ +version: "3.7" + +services: + obds2fhir-rest: + container_name: bridgehead-obds2fhir-rest + image: docker.verbis.dkfz.de/ccp/obds2fhir-rest:main + environment: + IDTYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID + MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY} + SALT: ${LOCAL_SALT} + KEEP_INTERNAL_ID: ${KEEP_INTERNAL_ID:-false} + MAINZELLISTE_URL: ${PATIENTLIST_URL:-http://patientlist:8080/patientlist} + restart: always + labels: + - "traefik.enable=true" + - "traefik.http.routers.obds2fhir-rest.rule=PathPrefix(`/obds2fhir-rest`) || PathPrefix(`/adt2fhir-rest`)" + - "traefik.http.middlewares.obds2fhir-rest_strip.stripprefix.prefixes=/obds2fhir-rest,/adt2fhir-rest" + - "traefik.http.services.obds2fhir-rest.loadbalancer.server.port=8080" + - "traefik.http.routers.obds2fhir-rest.tls=true" + - "traefik.http.routers.obds2fhir-rest.middlewares=obds2fhir-rest_strip,auth" diff --git a/kr/modules/obds2fhir-rest-setup.sh b/kr/modules/obds2fhir-rest-setup.sh new file mode 100644 index 0000000..677ea63 --- /dev/null +++ b/kr/modules/obds2fhir-rest-setup.sh @@ -0,0 +1,13 @@ +#!/bin/bash + +function obds2fhirRestSetup() { + if [ -n "$ENABLE_OBDS2FHIR_REST" ]; then + log INFO "oBDS2FHIR-REST setup detected -- will start obds2fhir-rest module." + if [ ! -n "$IDMANAGER_UPLOAD_APIKEY" ]; then + log ERROR "Missing ID-Management Module! Fix this by setting up ID Management:" + PATIENTLIST_URL=" " + fi + OVERRIDE+=" -f ./$PROJECT/modules/obds2fhir-rest-compose.yml" + LOCAL_SALT="$(echo \"local-random-salt\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" + fi +} diff --git a/kr/modules/teiler-compose.yml b/kr/modules/teiler-compose.yml new file mode 100644 index 0000000..f415ee9 --- /dev/null +++ b/kr/modules/teiler-compose.yml 
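Review bot: When ID management is missing, `obds2fhirRestSetup` logs an ERROR whose text ends in a dangling colon and then still appends the compose override, so the container starts with `MAINZELLISTE_URL=" "` and an empty API key instead of the module being held back; finish the message and leave the function before the override is added, e.g. `log ERROR "Missing ID-Management Module! Fix this by setting up ID Management before enabling obds2fhir-rest."; return 1`. The guard also tests `IDMANAGER_UPLOAD_APIKEY` while the compose file consumes `IDMANAGER_LOCAL_PATIENTLIST_APIKEY`; if those can be set independently the check does not protect the value actually used. As in lens-setup.sh, `[ -n "$ENABLE_OBDS2FHIR_REST" ]` treats `false` as enabled — use `== true` like the other modules. The `\"local-random-salt\"` literal passes the quote characters to `echo` as part of the salt, which is harmless but worth knowing before anyone "cleans" it up and changes `LOCAL_SALT` for existing sites.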
@@ -0,0 +1,81 @@ +version: "3.7" + +services: + + teiler-orchestrator: + image: docker.verbis.dkfz.de/cache/samply/teiler-orchestrator:latest + container_name: bridgehead-teiler-orchestrator + labels: + - "traefik.enable=true" + - "traefik.http.routers.teiler_orchestrator_ccp.rule=PathPrefix(`/ccp-teiler`)" + - "traefik.http.services.teiler_orchestrator_ccp.loadbalancer.server.port=9000" + - "traefik.http.routers.teiler_orchestrator_ccp.tls=true" + - "traefik.http.middlewares.teiler_orchestrator_ccp_strip.stripprefix.prefixes=/ccp-teiler" + - "traefik.http.routers.teiler_orchestrator_ccp.middlewares=teiler_orchestrator_ccp_strip" + environment: + TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend" + TEILER_DASHBOARD_URL: "https://${HOST}/ccp-teiler-dashboard" + DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE_LOWER_CASE}" + HTTP_RELATIVE_PATH: "/ccp-teiler" + + teiler-dashboard: + image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:develop + container_name: bridgehead-teiler-dashboard + labels: + - "traefik.enable=true" + - "traefik.http.routers.teiler_dashboard_ccp.rule=PathPrefix(`/ccp-teiler-dashboard`)" + - "traefik.http.services.teiler_dashboard_ccp.loadbalancer.server.port=80" + - "traefik.http.routers.teiler_dashboard_ccp.tls=true" + - "traefik.http.middlewares.teiler_dashboard_ccp_strip.stripprefix.prefixes=/ccp-teiler-dashboard" + - "traefik.http.routers.teiler_dashboard_ccp.middlewares=teiler_dashboard_ccp_strip" + environment: + DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}" + TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend" + OIDC_URL: "${OIDC_URL}" + OIDC_REALM: "${OIDC_REALM}" + OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}" + OIDC_TOKEN_GROUP: "${OIDC_GROUP_CLAIM}" + TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}" + TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}" + TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}" + TEILER_PROJECT: "${PROJECT}" + EXPORTER_API_KEY: "${EXPORTER_API_KEY}" + TEILER_ORCHESTRATOR_URL: 
"https://${HOST}/ccp-teiler" + TEILER_DASHBOARD_HTTP_RELATIVE_PATH: "/ccp-teiler-dashboard" + TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler" + TEILER_USER: "${OIDC_USER_GROUP}" + TEILER_ADMIN: "${OIDC_ADMIN_GROUP}" + REPORTER_DEFAULT_TEMPLATE_ID: "ccp-qb" + EXPORTER_DEFAULT_TEMPLATE_ID: "ccp" + + + teiler-backend: + image: docker.verbis.dkfz.de/ccp/dktk-teiler-backend:latest + container_name: bridgehead-teiler-backend + labels: + - "traefik.enable=true" + - "traefik.http.routers.teiler_backend_ccp.rule=PathPrefix(`/ccp-teiler-backend`)" + - "traefik.http.services.teiler_backend_ccp.loadbalancer.server.port=8085" + - "traefik.http.routers.teiler_backend_ccp.tls=true" + - "traefik.http.middlewares.teiler_backend_ccp_strip.stripprefix.prefixes=/ccp-teiler-backend" + - "traefik.http.routers.teiler_backend_ccp.middlewares=teiler_backend_ccp_strip" + environment: + LOG_LEVEL: "INFO" + APPLICATION_PORT: "8085" + APPLICATION_ADDRESS: "${HOST}" + DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}" + CONFIG_ENV_VAR_PATH: "/run/secrets/ccp.conf" + TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler" + TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler" + TEILER_DASHBOARD_DE_URL: "https://${HOST}/ccp-teiler-dashboard/de" + TEILER_DASHBOARD_EN_URL: "https://${HOST}/ccp-teiler-dashboard/en" + CENTRAX_URL: "${CENTRAXX_URL}" + HTTP_PROXY: "http://forward_proxy:3128" + ENABLE_MTBA: "${ENABLE_MTBA}" + ENABLE_DATASHIELD: "${ENABLE_DATASHIELD}" + secrets: + - ccp.conf + +secrets: + ccp.conf: + file: /etc/bridgehead/ccp.conf diff --git a/kr/modules/teiler-setup.sh b/kr/modules/teiler-setup.sh new file mode 100644 index 0000000..eed3f81 --- /dev/null +++ b/kr/modules/teiler-setup.sh 
@@ -0,0 +1,9 @@ +#!/bin/bash -e + +if [ "$ENABLE_TEILER" == true ];then + log INFO "Teiler setup detected -- will start Teiler services." + OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml" + TEILER_DEFAULT_LANGUAGE=DE + TEILER_DEFAULT_LANGUAGE_LOWER_CASE=${TEILER_DEFAULT_LANGUAGE,,} + add_public_oidc_redirect_url "/ccp-teiler/*" +fi diff --git a/kr/modules/teiler.md b/kr/modules/teiler.md new file mode 100644 index 0000000..51e94e4 --- /dev/null +++ b/kr/modules/teiler.md @@ -0,0 +1,19 @@ +# Teiler +This module orchestrates the different microfrontends of the bridgehead as a single page application. + +## Teiler Orchestrator +Single SPA component that consists on the root HTML site of the single page application and a javascript code that +gets the information about the microfrontend calling the teiler backend and is responsible for registering them. With the +resulting mapping, it can initialize, mount and unmount the required microfrontends on the fly. + +The microfrontends run independently in different containers and can be based on different frameworks (Angular, Vue, React,...) +This microfrontends can run as single alone but need an extension with Single-SPA (https://single-spa.js.org/docs/ecosystem). +There are also available three templates (Angular, Vue, React) to be directly extended to be used directly in the teiler. + +## Teiler Dashboard +It consists on the main dashboard and a set of embedded services. +### Login +user and password in ccp.local.conf + +## Teiler Backend +In this component, the microfrontends are configured. diff --git a/kr/root.crt.pem b/kr/root.crt.pem new file mode 100644 index 0000000..1f1265a --- /dev/null +++ b/kr/root.crt.pem 
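Review bot: `add_public_oidc_redirect_url "/ccp-teiler/*"` registers a wildcard redirect URI for the public OIDC client; if the helper (defined outside this hunk) passes the pattern to the IdP unchanged, any path under `/ccp-teiler` becomes an acceptable `redirect_uri`, which turns any open redirect in a microfrontend into a token-leak. Prefer the exact callback path the dashboard uses, and keep the wildcard only if the IdP's matching is known to be anchored to this host and prefix. `TEILER_DEFAULT_LANGUAGE=DE` is hard-coded even though teiler-compose.yml reads `${TEILER_DEFAULT_LANGUAGE}`; `TEILER_DEFAULT_LANGUAGE="${TEILER_DEFAULT_LANGUAGE:-DE}"` would let sites override it without editing the repo.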
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUW34NEb7bl0+Ywx+I1VKtY5vpAOowDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjQwMTIyMTMzNzEzWhcNMzQw
+MTE5MTMzNzQzWjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAL5UegLXTlq3XRRj8LyFs3aF0tpRPVoW9RXp5kFI
+TnBvyO6qjNbMDT/xK+4iDtEX4QQUvsxAKxfXbe9i1jpdwjgH7JHaSGm2IjAiKLqO
+OXQQtguWwfNmmp96Ql13ArLj458YH08xMO/w2NFWGwB/hfARa4z/T0afFuc/tKJf
+XbGCG9xzJ9tmcG45QN8NChGhVvaTweNdVxGWlpHxmi0Mn8OM9CEuB7nPtTTiBuiu
+pRC2zVVmNjVp4ktkAqL7IHOz+/F5nhiz6tOika9oD3376Xj055lPznLcTQn2+4d7
+K7ZrBopCFxIQPjkgmYRLfPejbpdUjK1UVJw7hbWkqWqH7JMCAwEAAaN7MHkwDgYD
+VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGjvRcaIP4HM
+poIguUAK9YL2n7fbMB8GA1UdIwQYMBaAFGjvRcaIP4HMpoIguUAK9YL2n7fbMBYG
+A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQCbzycJSaDm
+AXXNJqQ88djrKs5MDXS8RIjS/cu2ayuLaYDe+BzVmUXNA0Vt9nZGdaz63SLLcjpU
+fNSxBfKbwmf7s30AK8Cnfj9q4W/BlBeVizUHQsg1+RQpDIdMrRQrwkXv8mfLw+w5
+3oaXNW6W/8KpBp/H8TBZ6myl6jCbeR3T8EMXBwipMGop/1zkbF01i98Xpqmhx2+l
+n+80ofPsSspOo5XmgCZym8CD/m/oFHmjcvOfpOCvDh4PZ+i37pmbSlCYoMpla3u/
+7MJMP5lugfLBYNDN2p+V4KbHP/cApCDT5UWLOeAWjgiZQtHH5ilDeYqEc1oPjyJt
+Rtup0MTxSJtN
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/kr/vars b/kr/vars
new file mode 100644
index 0000000..d4e5a27
--- /dev/null
+++ b/kr/vars
@@ -0,0 +1,16 @@
+BROKER_ID=test-no-real-data.broker.samply.de
+BROKER_URL=https://${BROKER_ID}
+PROXY_ID=${SITE_ID}.${BROKER_ID}
+FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
+SUPPORT_EMAIL=arturo.macias@dkfz-heidelberg.de
+PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
+BROKER_URL_FOR_PREREQ=$BROKER_URL
+
+for module in $PROJECT/modules/*.sh
+do
+ log DEBUG "sourcing $module"
+ source $module
+done
+
+obds2fhirRestSetup
\ No newline at end of file
diff --git a/lib/functions.sh b/lib/functions.sh
index dc5ec25..68be4c9 100644
--- a/lib/functions.sh
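Review bot: `BROKER_ID=test-no-real-data.broker.samply.de` hard-codes a test broker for the whole `kr` project, and `kr/root.crt.pem` added in the same commit is presumably the root that pins that broker, so every KR site will federate with test infrastructure until both are changed together; say so next to the line, e.g. `# Test broker (no real data). Switch BROKER_ID and kr/root.crt.pem together before productive use.`. `SUPPORT_EMAIL` is a personal address rather than a role mailbox, which will go stale. The module loop sources every `*.sh` under `$PROJECT/modules` with an unquoted `$module`; `source "$module"` is the safe form, and the loop also runs `lens-setup.sh` and friends at source time while `obds2fhirRestSetup` is called explicitly afterwards — a comment on why the two styles coexist would help.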
+++ b/lib/functions.sh @@ -54,7 +54,7 @@ checkOwner(){ printUsage() { echo "Usage: bridgehead start|stop|logs|docker-logs|is-running|update|install|uninstall|adduser|enroll PROJECTNAME" - echo "PROJECTNAME should be one of ccp|bbmri|cce|itcc" + echo "PROJECTNAME should be one of ccp|bbmri|cce|itcc|kr|dhki" } checkRequirements() { diff --git a/lib/prepare-system.sh b/lib/prepare-system.sh index ecd29a5..b6aba52 100755 --- a/lib/prepare-system.sh +++ b/lib/prepare-system.sh @@ -61,6 +61,12 @@ case "$PROJECT" in dhki) site_configuration_repository_middle="git.verbis.dkfz.de/dhki/" ;; + kr) + site_configuration_repository_middle="git.verbis.dkfz.de/krebsregister-sites/" + ;; + dhki) + site_configuration_repository_middle="git.verbis.dkfz.de/dhki/" + ;; minimal) site_configuration_repository_middle="git.verbis.dkfz.de/minimal-bridgehead-configs/" ;; From 24da24d05ed062e3fdda8e69aa5701b9cfdf9433 Mon Sep 17 00:00:00 2001 From: Martin Lablans <6804500+lablans@users.noreply.github.com> Date: Tue, 1 Oct 2024 10:40:24 +0200 Subject: [PATCH 53/82] Traefik dashboard Deactivate traefik dashboard by default. Add trailing slash to PathPrefix to clarify the URL the dashboard is available at. --- minimal/docker-compose.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/minimal/docker-compose.yml b/minimal/docker-compose.yml index 6e8818f..dc76331 100644 --- a/minimal/docker-compose.yml +++ b/minimal/docker-compose.yml 
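Review bot: The prepare-system.sh hunk adds a second `dhki)` arm directly below the existing one (visible as the context line at the top of the hunk), and bash takes the first matching arm of a `case`, so the added `dhki)` block is dead code; drop the duplicate and keep only the three `kr)` lines. The usage string in lib/functions.sh already lists `kr|dhki`, so nothing else needs to change. The `case` statement begins and ends outside this hunk.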
@@ -10,13 +10,13 @@ services: - --providers.docker=true - --providers.docker.exposedbydefault=false - --providers.file.directory=/configuration/ - - --api.dashboard=true + - --api.dashboard=false - --accesslog=true - --entrypoints.web.http.redirections.entrypoint.to=websecure - --entrypoints.web.http.redirections.entrypoint.scheme=https labels: - "traefik.enable=true" - - "traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)" + - "traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard/`)" - "traefik.http.routers.dashboard.entrypoints=websecure" - "traefik.http.routers.dashboard.service=api@internal" - "traefik.http.routers.dashboard.tls=true" From eb2955872f6541def1bcff8c07385ad3ad58fe29 Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Tue, 1 Oct 2024 13:30:23 +0200 Subject: [PATCH 54/82] fix: allow usage of centraxx interface without login Before this change CentraXX was redirected to the central login servers then interacting with the id-management --- ccp/modules/datashield-compose.yml | 2 +- ccp/modules/id-management-compose.yml | 13 +++++++++++-- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index 5e92db3..404cda9 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml @@ -151,7 +151,7 @@ services: --pass-access-token=false labels: - "traefik.enable=true" - - "traefik.http.routers.oauth2_proxy.rule=Host(`${HOST}`) && PathPrefix(`/oauth2`)" + - "traefik.http.routers.oauth2_proxy.rule=PathPrefix(`/oauth2`)" - "traefik.http.services.oauth2_proxy.loadbalancer.server.port=4180" - "traefik.http.routers.oauth2_proxy.tls=true" environment: diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml index f9156cf..ce0a58a 100644 --- a/ccp/modules/id-management-compose.yml +++ b/ccp/modules/id-management-compose.yml 
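Review bot: `--api.dashboard=false` switches off only the HTML dashboard; as I understand Traefik's static configuration, giving any `api.*` option keeps the API section enabled, and the router below still publishes `api@internal` on `PathPrefix(`/api`)` over `websecure` with no auth middleware, so `/api/rawdata`, `/api/http/routers` and the like — which reveal every router, service and middleware definition — remain reachable anonymously despite the commit's intent to deactivate it. Either drop the `--api.dashboard` flag and the whole `dashboard` router block, or keep them behind an auth middleware, e.g. `- "traefik.http.routers.dashboard.middlewares=auth"` if that basic-auth middleware is defined for this project. The trailing-slash change to `/dashboard/` is fine.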
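Review bot: Dropping `Host(`${HOST}`)` from the `oauth2_proxy` router means the `/oauth2` callback now answers for any Host header; if oauth2-proxy computes its redirect URL from the request host (no `--redirect-url` is visible in this hunk), a forged Host header could steer the post-login redirect. Confirm an explicit `--redirect-url=https://${HOST}/oauth2/callback` is configured further up in this service, or keep the Host match. The service definition starts outside this hunk.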
@@ -19,10 +19,18 @@ services: - traefik-forward-auth labels: - "traefik.enable=true" + # Router with Authentication - "traefik.http.routers.id-manager.rule=PathPrefix(`/id-manager`)" - - "traefik.http.services.id-manager.loadbalancer.server.port=8080" - "traefik.http.routers.id-manager.tls=true" - "traefik.http.routers.id-manager.middlewares=traefik-forward-auth-idm" + - "traefik.http.routers.id-manager.service=id-manager-service" + # Router without Authentication + - "traefik.http.routers.id-manager-compatibility.rule=PathPrefix(`/id-manager/paths/translator/getIds`)" + - "traefik.http.routers.id-manager-compatibility.tls=true" + - "traefik.http.routers.id-manager-compatibility.service=id-manager-service" + # Definition of Service + - "traefik.http.services.id-manager-service.loadbalancer.server.port=8080" + - "traefik.http.services.id-manager-service.loadbalancer.server.scheme=http" patientlist: image: docker.verbis.dkfz.de/bridgehead/mainzelliste @@ -57,7 +65,7 @@ services: - "/tmp/bridgehead/patientlist/:/docker-entrypoint-initdb.d/" traefik-forward-auth: - image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:v7.6.0 + image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest environment: - http_proxy=http://forward_proxy:3128 - https_proxy=http://forward_proxy:3128 @@ -67,6 +75,7 @@ services: - OAUTH2_PROXY_CLIENT_ID=bridgehead-${SITE_ID} - OAUTH2_PROXY_CLIENT_SECRET=${IDMANAGER_AUTH_CLIENT_SECRET} - OAUTH2_PROXY_COOKIE_SECRET=${IDMANAGER_AUTH_COOKIE_SECRET} + - OAUTH2_PROXY_COOKIE_NAME=_BRIDGEHEAD_oauth2_idm - OAUTH2_PROXY_COOKIE_DOMAINS=.${HOST} - OAUTH2_PROXY_HTTP_ADDRESS=:4180 - OAUTH2_PROXY_REVERSE_PROXY=true From 599bcfcec4723ae4ec5f56b2d553d27dbf750ea2 Mon Sep 17 00:00:00 2001 
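Review bot: The new `id-manager-compatibility` router intentionally bypasses `traefik-forward-auth-idm`, but `PathPrefix(`/id-manager/paths/translator/getIds`)` matches anything beginning with that string (e.g. `/id-manager/paths/translator/getIds/anything` or `.../getIdsOther`), so the unauthenticated surface is wider than the single endpoint the commit message names; use an exact match, `- "traefik.http.routers.id-manager-compatibility.rule=Path(`/id-manager/paths/translator/getIds`)"`. Since the consumer is CentraXX on a known address, also attach a source-IP allowlist middleware (`ipwhitelist` on Traefik v2) so the endpoint does not rely solely on the ID manager's own API-key check, which I cannot see from here. Add a comment above the router stating who calls it and why it is unauthenticated.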
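Review bot: Moving `traefik-forward-auth` from the pinned `oauth2-proxy:v7.6.0` to `:latest` is a supply-chain regression on the component that gates every authenticated ID-manager request: a future upstream release can change flag semantics or behaviour and will be pulled unreviewed on the next `bridgehead update`, and a rollback is no longer reproducible. Pin a specific release tag (or digest) and bump it deliberately when a fix is needed; if the bump was needed for the new `OAUTH2_PROXY_COOKIE_NAME` option, say which version introduced it in a comment.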
From: Pierre Delpy <75260699+PierreDelpy@users.noreply.github.com> Date: Wed, 2 Oct 2024 07:53:20 +0200 Subject: [PATCH 55/82] Feature/send branch to healthchecks (#232) feature: log git branches to healthchecks and code refactoring --- lib/prerequisites.sh | 31 +++++++++++++++++++------------ 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh index 235826a..2c1e186 100755 --- a/lib/prerequisites.sh +++ b/lib/prerequisites.sh @@ -3,14 +3,16 @@ source lib/functions.sh detectCompose +CONFIG_DIR="/etc/bridgehead/" +COMPONENT_DIR="/srv/docker/bridgehead/" if ! id "bridgehead" &>/dev/null; then log ERROR "User bridgehead does not exist. Please run bridgehead install $PROJECT" exit 1 fi -checkOwner /srv/docker/bridgehead bridgehead || exit 1 -checkOwner /etc/bridgehead bridgehead || exit 1 +checkOwner "${CONFIG_DIR}" bridgehead || exit 1 +checkOwner "${COMPONENT_DIR}" bridgehead || exit 1 ## Check if user is a su log INFO "Checking if all prerequisites are met ..." 
@@ -32,31 +34,31 @@ fi log INFO "Checking configuration ..." ## Download submodule -if [ ! -d "/etc/bridgehead/" ]; then - fail_and_report 1 "Please set up the config folder at /etc/bridgehead. Instruction are in the readme." +if [ ! -d "${CONFIG_DIR}" ]; then + fail_and_report 1 "Please set up the config folder at ${CONFIG_DIR}. Instruction are in the readme." fi # TODO: Check all required variables here in a generic loop #check if project env is present -if [ -d "/etc/bridgehead/${PROJECT}.conf" ]; then - fail_and_report 1 "Project config not found. Please copy the template from ${PROJECT} and put it under /etc/bridgehead-config/${PROJECT}.conf." +if [ -d "${CONFIG_DIR}${PROJECT}.conf" ]; then + fail_and_report 1 "Project config not found. Please copy the template from ${PROJECT} and put it under ${CONFIG_DIR}${PROJECT}.conf." fi # TODO: Make sure you're in the right directory, or, even better, be independent from the working directory. log INFO "Checking ssl cert for accessing bridgehead via https" -if [ ! -d "/etc/bridgehead/traefik-tls" ]; then +if [ ! -d "${CONFIG_DIR}traefik-tls" ]; then log WARN "TLS certs for accessing bridgehead via https missing, we'll now create a self-signed one. Please consider getting an officially signed one (e.g. via Let's Encrypt ...) and put into /etc/bridgehead/traefik-tls" mkdir -p /etc/bridgehead/traefik-tls fi -if [ ! -e "/etc/bridgehead/traefik-tls/fullchain.pem" ]; then +if [ ! -e "${CONFIG_DIR}traefik-tls/fullchain.pem" ]; then openssl req -x509 -newkey rsa:4096 -nodes -keyout /etc/bridgehead/traefik-tls/privkey.pem -out /etc/bridgehead/traefik-tls/fullchain.pem -days 3650 -subj "/CN=$HOST" fi -if [ -e /etc/bridgehead/vault.conf ]; then +if [ -e "${CONFIG_DIR}"vault.conf ]; then if [ "$(stat -c "%a %U" /etc/bridgehead/vault.conf)" != "600 bridgehead" ]; then fail_and_report 1 "/etc/bridgehead/vault.conf has wrong owner/permissions. 
To correct this issue, run chmod 600 /etc/bridgehead/vault.conf && chown bridgehead /etc/bridgehead/vault.conf." fi @@ -64,7 +66,7 @@ fi log INFO "Checking network access ($BROKER_URL_FOR_PREREQ) ..." -source /etc/bridgehead/${PROJECT}.conf +source "${CONFIG_DIR}${PROJECT}".conf source ${PROJECT}/vars if [ "${PROJECT}" != "minimal" ]; then @@ -92,10 +94,10 @@ if [ "${PROJECT}" != "minimal" ]; then fi fi checkPrivKey() { - if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then + if [ -e "${CONFIG_DIR}pki/${SITE_ID}.priv.pem" ]; then log INFO "Success - private key found." else - log ERROR "Unable to find private key at /etc/bridgehead/pki/${SITE_ID}.priv.pem. To fix, please run\n bridgehead enroll ${PROJECT}\nand follow the instructions." + log ERROR "Unable to find private key at ${CONFIG_DIR}pki/${SITE_ID}.priv.pem. To fix, please run\n bridgehead enroll ${PROJECT}\nand follow the instructions." return 1 fi return 0 @@ -107,6 +109,11 @@ else checkPrivKey || exit 1 fi +for dir in "${CONFIG_DIR}" "${COMPONENT_DIR}"; do + log INFO "Checking branch: $(cd $dir && echo "$dir $(git branch --show-current)")" + hc_send log "Checking branch: $(cd $dir && echo "$dir $(git branch --show-current)")" +done + log INFO "Success - all prerequisites are met!" hc_send log "Success - all prerequisites are met!" From 072ee348fcc9a1172271cb4f1393d85bdfe2685c Mon Sep 17 00:00:00 2001 From: Pierre Delpy <75260699+PierreDelpy@users.noreply.github.com> Date: Wed, 9 Oct 2024 09:24:27 +0200 Subject: [PATCH 56/82] fix: deactivate landingpage for KR project (#234) fix: deactivate landingpage for KR project --- kr/docker-compose.yml | 4 ++++ kr/modules/lens-compose.yml | 2 ++ 2 files changed, 6 insertions(+) diff --git a/kr/docker-compose.yml b/kr/docker-compose.yml index d875a24..47a9db6 100644 --- a/kr/docker-compose.yml +++ b/kr/docker-compose.yml 
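Review bot: `if [ -d "${CONFIG_DIR}${PROJECT}.conf" ]` still tests for a *directory*, so a missing project config goes undetected and the script only fails later at `source` with a less helpful error, while a stray directory of that name would trigger the "not found" message; since the line is rewritten anyway, make it `if [ ! -f "${CONFIG_DIR}${PROJECT}.conf" ]; then`. The refactor is also incomplete: `mkdir -p /etc/bridgehead/traefik-tls`, the `openssl req` output paths, the `stat` call and the vault.conf messages still hard-code `/etc/bridgehead`, so changing `CONFIG_DIR` would create files in one place and check them in another. Defining `CONFIG_DIR` without the trailing slash and joining with an explicit `/` would avoid the silent double-slash/no-slash fragility of `"${CONFIG_DIR}${PROJECT}".conf`.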
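Review bot: The new branch-reporting loop runs `cd $dir && git branch --show-current` twice per directory with `$dir` unquoted, and if git fails (not a checkout, or git's ownership check refuses) the error goes to stderr while an empty branch name is still sent to healthchecks; compute the value once, quote the path, and make the failure visible. Sending the branch name of `/etc/bridgehead` to the external healthchecks service is new information leaving the site — probably benign, but if site-config branch names can carry anything sensitive it should be mentioned in the data-protection concept.
```bash
for dir in "${CONFIG_DIR}" "${COMPONENT_DIR}"; do
  branch="$(cd "$dir" && git branch --show-current 2>/dev/null)"
  msg="Checking branch: $dir ${branch:-<not a git checkout>}"
  log INFO "$msg"
  hc_send log "$msg"
done
```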
@@ -1,6 +1,10 @@ version: "3.7" services: + landing: + deploy: + replicas: 0 #deactivate landing page + blaze: image: docker.verbis.dkfz.de/cache/samply/blaze:0.28 container_name: bridgehead-kr-blaze diff --git a/kr/modules/lens-compose.yml b/kr/modules/lens-compose.yml index 180dd67..b0b4573 100644 --- a/kr/modules/lens-compose.yml +++ b/kr/modules/lens-compose.yml @@ -1,6 +1,8 @@ version: "3.7" services: landing: + deploy: + replicas: 1 #reactivate if lens is in use container_name: lens_federated-search image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID} labels: From 760d599b7cd40f657ecbbe73aa43000ceef6d81c Mon Sep 17 00:00:00 2001 From: Patrick Skowronek Date: Thu, 10 Oct 2024 12:56:36 +0200 Subject: [PATCH 57/82] Add CCP-PPI --- ccp/docker-compose.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml index fcabc9b..01b5aad 100644 --- a/ccp/docker-compose.yml +++ b/ccp/docker-compose.yml @@ -57,6 +57,11 @@ services: - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro - /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro + ccp-patient-project-identificator: + image: samply/ccp-patient-project-identificator + environment: + MAINZELLISTE_APIKEY: ${MAINZELLISTE_APIKEY} + SITE_NAME: ${SITE_NAME} volumes: blaze-data: From 8e7fe6851eefa3407d045d9d77cc666a651204ca Mon Sep 17 00:00:00 2001 From: Patrick Skowronek Date: Thu, 10 Oct 2024 13:11:43 +0200 Subject: [PATCH 58/82] fix: use correct mainzelliste api key --- ccp/docker-compose.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml index 01b5aad..7318942 100644 --- a/ccp/docker-compose.yml +++ b/ccp/docker-compose.yml 
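Review bot: The base file now declares a `landing` service that has only `deploy.replicas: 0` — no `image` or `build` — so whenever the Lens module is not enabled nothing merges an image into it and, unless the Compose version in use is more lenient than I expect, the project is rejected with "service landing has neither an image nor a build context", which takes the whole KR stack down rather than just the landing page. A safer way to keep the page off by default is to leave the service out of the base file entirely and let lens-setup.sh add it, or to put `profiles: [lens]` on the service in lens-compose.yml. If an image-less service is known to be tolerated, add a comment next to `replicas: 0` saying that this is relied upon.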
@@ -59,8 +59,9 @@ services: ccp-patient-project-identificator: image: samply/ccp-patient-project-identificator + container_name: bridgehead-ccp-patient-project-identificator environment: - MAINZELLISTE_APIKEY: ${MAINZELLISTE_APIKEY} + MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY} SITE_NAME: ${SITE_NAME} volumes: From 23981062bb44c6f2b84d90809e88f4b50e382c1e Mon Sep 17 00:00:00 2001 From: Patrick Skowronek Date: Thu, 10 Oct 2024 13:27:24 +0200 Subject: [PATCH 59/82] Move ppi to id-management --- ccp/docker-compose.yml | 7 ------- ccp/modules/id-management-compose.yml | 7 +++++++ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml index 7318942..f46615d 100644 --- a/ccp/docker-compose.yml +++ b/ccp/docker-compose.yml @@ -57,13 +57,6 @@ services: - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro - /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro - ccp-patient-project-identificator: - image: samply/ccp-patient-project-identificator - container_name: bridgehead-ccp-patient-project-identificator - environment: - MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY} - SITE_NAME: ${SITE_NAME} - volumes: blaze-data: diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml index ce0a58a..704646d 100644 --- a/ccp/modules/id-management-compose.yml +++ b/ccp/modules/id-management-compose.yml @@ -101,5 +101,12 @@ services: forward_proxy: condition: service_healthy + ccp-patient-project-identificator: + image: samply/ccp-patient-project-identificator + container_name: bridgehead-ccp-patient-project-identificator + environment: + MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY} + SITE_NAME: ${SITE_NAME} + volumes: patientlist-db-data: From 3312ca8a646bee1bb07677e145df56531450fe4c Mon Sep 17 00:00:00 2001 
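Review bot: `image: samply/ccp-patient-project-identificator` has no tag and is pulled straight from Docker Hub, whereas every other image in this file goes through `docker.verbis.dkfz.de/...` with an explicit tag; that bypasses the registry mirror (and whatever scanning or allow-listing it provides) and yields a floating `latest`. Pin it and route it through the mirror the way `focus` and `beam-proxy` are, e.g. `image: docker.verbis.dkfz.de/cache/samply/ccp-patient-project-identificator:<release>`, if the mirror caches that repository. The service also receives `IDMANAGER_LOCAL_PATIENTLIST_APIKEY`, i.e. full patient-list access; a one-line comment on what it does with that key would help the data-protection review.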
From: patrickskowronekdkfz <86347677+patrickskowronekdkfz@users.noreply.github.com> Date: Thu, 10 Oct 2024 14:34:28 +0200 Subject: [PATCH 60/82] feat: added blaze cql cache (#236) --- bbmri/docker-compose.yml | 3 ++- ccp/docker-compose.yml | 3 ++- lib/functions.sh | 2 ++ 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml index ac8df45..000df01 100644 --- a/bbmri/docker-compose.yml +++ b/bbmri/docker-compose.yml @@ -10,7 +10,8 @@ services: BASE_URL: "http://bridgehead-bbmri-blaze:8080" JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m" DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000} - DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP + DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP} + CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32} ENFORCE_REFERENTIAL_INTEGRITY: "false" volumes: - "blaze-data:/app/data" diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml index fcabc9b..fa1dc41 100644 --- a/ccp/docker-compose.yml +++ b/ccp/docker-compose.yml @@ -8,7 +8,8 @@ services: BASE_URL: "http://bridgehead-ccp-blaze:8080" JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m" DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000} - DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP + DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP} + CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32} ENFORCE_REFERENTIAL_INTEGRITY: "false" volumes: - "blaze-data:/app/data" diff --git a/lib/functions.sh b/lib/functions.sh index 68be4c9..3fcae38 100644 --- a/lib/functions.sh +++ b/lib/functions.sh 
@@ -171,8 +171,10 @@ optimizeBlazeMemoryUsage() { if [ $available_system_memory_chunks -eq 0 ]; then log WARN "Only ${BLAZE_MEMORY_CAP} system memory available for Blaze. If your Blaze stores more than 128000 fhir ressources it will run significally slower." export BLAZE_RESOURCE_CACHE_CAP=128000; + export BLAZE_CQL_CACHE_CAP=32; else export BLAZE_RESOURCE_CACHE_CAP=$((available_system_memory_chunks * 312500)) + export BLAZE_CQL_CACHE_CAP=$((($system_memory_in_mb/4)/16)); fi fi } From 7aaee5e7d53d5eb1e148d43776200ef760c79308 Mon Sep 17 00:00:00 2001 From: Pierre Delpy <75260699+PierreDelpy@users.noreply.github.com> Date: Tue, 15 Oct 2024 13:03:42 +0200 Subject: [PATCH 61/82] feat: add auto archiving action (#238) * feat: add auto archiving action --------- Co-authored-by: p.delpy@dkfz-heidelberg.de Co-authored-by: Martin Lablans <6804500+lablans@users.noreply.github.com> --- .github/scripts/rename_inactive_branches.py | 39 +++++++++++++++++++ .../workflows/rename-inactive-branches.yml | 27 +++++++++++++ 2 files changed, 66 insertions(+) create mode 100644 .github/scripts/rename_inactive_branches.py create mode 100644 .github/workflows/rename-inactive-branches.yml diff --git a/.github/scripts/rename_inactive_branches.py b/.github/scripts/rename_inactive_branches.py new file mode 100644 index 0000000..b9bd359 --- /dev/null +++ b/.github/scripts/rename_inactive_branches.py 
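Review bot: `export BLAZE_CQL_CACHE_CAP=$((($system_memory_in_mb/4)/16));` introduces two undocumented magic numbers and a stray `;`; add a comment stating the intent, e.g. `# CQL expression cache: one sixteenth of the quarter of RAM reserved for Blaze (same unit as CQL_EXPR_CACHE_SIZE in the compose files)`, adjusting the wording to whatever unit Blaze expects. `system_memory_in_mb` is set earlier in `optimizeBlazeMemoryUsage`, outside this hunk, so I have not verified its unit; the `32` used in the low-memory branch and as the compose default should agree with it. The function starts and ends outside this hunk.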
@@ -0,0 +1,39 @@ +import os +import requests +from datetime import datetime, timedelta + +# Configuration +GITHUB_TOKEN = os.getenv('GITHUB_TOKEN') +REPO = 'samply/bridgehead' +HEADERS = {'Authorization': f'token {GITHUB_TOKEN}', 'Accept': 'application/vnd.github.v3+json'} +API_URL = f'https://api.github.com/repos/{REPO}/branches' +INACTIVE_DAYS = 365 +CUTOFF_DATE = datetime.now() - timedelta(days=INACTIVE_DAYS) + +# Fetch all branches +def get_branches(): + response = requests.get(API_URL, headers=HEADERS) + response.raise_for_status() + return response.json() if response.status_code == 200 else [] + +# Rename inactive branches +def rename_branch(old_name, new_name): + rename_url = f'https://api.github.com/repos/{REPO}/branches/{old_name}/rename' + response = requests.post(rename_url, json={'new_name': new_name}, headers=HEADERS) + response.raise_for_status() + print(f"Renamed branch {old_name} to {new_name}" if response.status_code == 201 else f"Failed to rename {old_name}: {response.status_code}") + +# Check if the branch is inactive +def is_inactive(commit_url): + last_commit_date = requests.get(commit_url, headers=HEADERS).json()['commit']['committer']['date'] + return datetime.strptime(last_commit_date, '%Y-%m-%dT%H:%M:%SZ') < CUTOFF_DATE + +# Rename inactive branches +def main(): + for branch in get_branches(): + if is_inactive(branch['commit']['url']): + #rename_branch(branch['name'], f"archived/{branch['name']}") + print(f"[LOG] Branch '{branch['name']}' is inactive and would be renamed to 'archived/{branch['name']}'") + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/.github/workflows/rename-inactive-branches.yml b/.github/workflows/rename-inactive-branches.yml new file mode 100644 index 0000000..9bcca79 --- /dev/null +++ b/.github/workflows/rename-inactive-branches.yml 
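Review bot: `get_branches` calls `/branches` once without pagination, so only the first page (30 branches by GitHub's default) is ever examined and every branch beyond it is silently never archived; iterate with `per_page=100` until an empty page comes back. `is_inactive` compares a naive `datetime.now()` (runner-local time) with a UTC timestamp and calls `.json()` without `raise_for_status()`, so a rate-limit or 404 response surfaces as a `KeyError`; parse the `Z` suffix with `%z`, build `CUTOFF_DATE` from `datetime.now(timezone.utc)` (import `timezone` from `datetime`) and check the response first. The rename itself is commented out, so the workflow is a dry run; when it is enabled, note that `response.status_code == 201` after `raise_for_status()` can only be false for another 2xx, so the "Failed" branch is effectively dead.
```python
def get_branches():
    branches, page = [], 1
    while True:
        response = requests.get(API_URL, headers=HEADERS,
                                params={'per_page': 100, 'page': page})
        response.raise_for_status()
        chunk = response.json()
        if not chunk:
            return branches
        branches.extend(chunk)
        page += 1

# … unchanged: rename_branch …

def is_inactive(commit_url):
    response = requests.get(commit_url, headers=HEADERS)
    response.raise_for_status()
    last_commit_date = response.json()['commit']['committer']['date']
    return datetime.strptime(last_commit_date, '%Y-%m-%dT%H:%M:%S%z') < CUTOFF_DATE
```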
@@ -0,0 +1,27 @@ +name: Cleanup - Rename Inactive Branches + +on: + schedule: + - cron: '0 0 * * 0' # Runs every Sunday at midnight + +jobs: + archive-stale-branches: + runs-on: ubuntu-latest + + steps: + - name: Checkout Repository + uses: actions/checkout@v2 + + - name: Set up Python + uses: actions/setup-python@v2 + with: + python-version: '3.x' + + - name: Install Libraries + run: pip install requests + + - name: Run Script to Rename Inactive Branches + run: | + python .github/scripts/rename_inactive_branches.py + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file From cf5230963ca2d1b242457ca7e8b104591fd37a50 Mon Sep 17 00:00:00 2001 From: Pierre Delpy <75260699+PierreDelpy@users.noreply.github.com> Date: Mon, 21 Oct 2024 11:00:01 +0200 Subject: [PATCH 62/82] feat: add focus tags in ccp and bbmri (#240) Co-authored-by: p.delpy@dkfz-heidelberg.de --- bbmri/modules/eric-compose.yml | 2 +- bbmri/modules/gbn-compose.yml | 2 +- ccp/docker-compose.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/bbmri/modules/eric-compose.yml b/bbmri/modules/eric-compose.yml index 72baa6c..364e1cb 100644 --- a/bbmri/modules/eric-compose.yml +++ b/bbmri/modules/eric-compose.yml @@ -16,7 +16,7 @@ services: - "blaze" beam-proxy-eric: - image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG} + image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG}-bbmri container_name: bridgehead-beam-proxy-eric environment: BROKER_URL: ${ERIC_BROKER_URL} diff --git a/bbmri/modules/gbn-compose.yml b/bbmri/modules/gbn-compose.yml index 94631ba..0fa7585 100644 --- a/bbmri/modules/gbn-compose.yml +++ b/bbmri/modules/gbn-compose.yml @@ -2,7 +2,7 @@ version: "3.7" services: focus-gbn: - image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG} + image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}-bbmri container_name: bridgehead-focus-gbn environment: API_KEY: ${GBN_FOCUS_BEAM_SECRET_SHORT} 
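Review bot: The job never declares `permissions:`, so `secrets.GITHUB_TOKEN` receives whatever the repository's default workflow permission is — more than needed if that default is write-all, and not enough to rename branches once the `rename_branch` call in the script is uncommented if it is read-only. Declare the minimum explicitly on the job, `permissions: { contents: write }` (or `contents: read` while the script only logs), so the token's scope is visible in the workflow itself. `actions/checkout@v2` and `actions/setup-python@v2` run on a deprecated Node runtime; move to the current major versions or pin to a commit SHA, which is the usual supply-chain hardening for third-party actions. A `workflow_dispatch:` trigger alongside the cron would let the dry run be exercised without waiting for Sunday.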
diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml index fa1dc41..2e4e139 100644 --- a/ccp/docker-compose.yml +++ b/ccp/docker-compose.yml @@ -22,7 +22,7 @@ services: - "traefik.http.routers.blaze_ccp.tls=true" focus: - image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG} + image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}-dktk container_name: bridgehead-focus environment: API_KEY: ${FOCUS_BEAM_SECRET_SHORT} From eea17c3478992545892518c95f3ca07d7030e571 Mon Sep 17 00:00:00 2001 From: Enola Knezevic <115070135+enola-dkfz@users.noreply.github.com> Date: Tue, 22 Oct 2024 16:48:48 +0200 Subject: [PATCH 63/82] fix: remove invalid beam-proxy tag and add it to focus instead (#242) --- bbmri/modules/eric-compose.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bbmri/modules/eric-compose.yml b/bbmri/modules/eric-compose.yml index 364e1cb..7fc0ef6 100644 --- a/bbmri/modules/eric-compose.yml +++ b/bbmri/modules/eric-compose.yml @@ -2,7 +2,7 @@ version: "3.7" services: focus-eric: - image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG} + image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}-bbmri container_name: bridgehead-focus-eric environment: API_KEY: ${ERIC_FOCUS_BEAM_SECRET_SHORT} @@ -16,7 +16,7 @@ services: - "blaze" beam-proxy-eric: - image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG}-bbmri + image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG} container_name: bridgehead-beam-proxy-eric environment: BROKER_URL: ${ERIC_BROKER_URL} From 26712d3567225e8c5071456f7120ca94b326d7d0 Mon Sep 17 00:00:00 2001 
From: davidmscholz <130749829+davidmscholz@users.noreply.github.com> Date: Wed, 30 Oct 2024 15:21:15 +0100 Subject: [PATCH 64/82] feat: add and set FOCUS_ENDPOINT_TYPE to support fhir2sql (#244) * add and set FOCUS_ENDPOINT_TYPE Co-authored-by: Jan <59206115+Threated@users.noreply.github.com> --------- Co-authored-by: davidmscholz Co-authored-by: Jan <59206115+Threated@users.noreply.github.com> --- ccp/docker-compose.yml | 1 + ccp/modules/fhir2sql-setup.sh | 1 + 2 files changed, 2 insertions(+) diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml index 2e4e139..e63f5a5 100644 --- a/ccp/docker-compose.yml +++ b/ccp/docker-compose.yml @@ -33,6 +33,7 @@ services: RETRY_COUNT: ${FOCUS_RETRY_COUNT} EPSILON: 0.28 QUERIES_TO_CACHE: '/queries_to_cache.conf' + ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze} volumes: - /srv/docker/bridgehead/ccp/queries_to_cache.conf:/queries_to_cache.conf depends_on: diff --git a/ccp/modules/fhir2sql-setup.sh b/ccp/modules/fhir2sql-setup.sh index 64fa7c0..8c9a72b 100644 --- a/ccp/modules/fhir2sql-setup.sh +++ b/ccp/modules/fhir2sql-setup.sh @@ -4,4 +4,5 @@ if [ "$ENABLE_FHIR2SQL" == true ]; then log INFO "Dashboard setup detected -- will start Dashboard backend and FHIR2SQL service." OVERRIDE+=" -f ./$PROJECT/modules/fhir2sql-compose.yml" DASHBOARD_DB_PASSWORD="$(generate_simple_password 'fhir2sql')" + FOCUS_ENDPOINT_TYPE="blaze-and-sql" fi From 52c24ee6faa9d02c36aa838fb636c2dca2f6b1e9 Mon Sep 17 00:00:00 2001 From: Jan <59206115+Threated@users.noreply.github.com> Date: Tue, 5 Nov 2024 13:34:36 +0100 Subject: [PATCH 65/82] fix(fhir2sql): add the postgres connection string to focus (#245) --- ccp/modules/fhir2sql-compose.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ccp/modules/fhir2sql-compose.yml b/ccp/modules/fhir2sql-compose.yml index 7733787..1230e89 100644 --- a/ccp/modules/fhir2sql-compose.yml +++ b/ccp/modules/fhir2sql-compose.yml 
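Review bot: `FOCUS_ENDPOINT_TYPE="blaze-and-sql"` is a plain shell assignment, but `ccp/docker-compose.yml` reads it as `${FOCUS_ENDPOINT_TYPE:-blaze}` from the environment, so the value only reaches compose if this script is sourced while the caller has `set -a` active (which `loadVars` in `bridgehead` does around the project `vars`); outside that window focus silently falls back to `blaze` and the SQL endpoint is never used. Writing `export FOCUS_ENDPOINT_TYPE="blaze-and-sql"` removes the dependency on the caller's state. `DASHBOARD_DB_PASSWORD` on the line above follows the same implicit pattern, so either both should be exported or the reliance on `set -a` deserves a comment at the top of the file, e.g. `# sourced under set -a by loadVars: every assignment here is exported to compose`. The `if` this block sits in opens before the hunk.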
@@ -23,3 +23,7 @@ services: POSTGRES_DB: "dashboard" volumes: - "/var/cache/bridgehead/ccp/dashboard-db:/var/lib/postgresql/data" + + focus: + environment: + POSTGRES_CONNECTION_STRING: "postgresql://dashboard:${DASHBOARD_DB_PASSWORD}@dashboard-db/dashboard" \ No newline at end of file From 967e45624e79d2649882c91b09874efb40dcc726 Mon Sep 17 00:00:00 2001 From: djuarezgf <46350150+djuarezgf@users.noreply.github.com> Date: Tue, 5 Nov 2024 15:46:00 +0100 Subject: [PATCH 66/82] Add exporter configuration to focus (#249) --- ccp/modules/exporter-compose.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ccp/modules/exporter-compose.yml b/ccp/modules/exporter-compose.yml index d5eb227..af4c67b 100644 --- a/ccp/modules/exporter-compose.yml +++ b/ccp/modules/exporter-compose.yml @@ -65,3 +65,8 @@ services: - "traefik.http.routers.reporter_ccp.tls=true" - "traefik.http.middlewares.reporter_ccp_strip.stripprefix.prefixes=/ccp-reporter" - "traefik.http.routers.reporter_ccp.middlewares=reporter_ccp_strip" + + focus: + environment: + EXPORTER_URL: "http://exporter:8092" + AUTH_HEADER: "${EXPORTER_API_KEY}" From 122ff16bb18084954d20780244032b7a7370dd18 Mon Sep 17 00:00:00 2001 From: patrickskowronekdkfz <86347677+patrickskowronekdkfz@users.noreply.github.com> Date: Tue, 12 Nov 2024 09:58:17 +0100 Subject: [PATCH 67/82] fix: use verbis cache image instead of docker-hub (#250) --- ccp/modules/id-management-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml index 704646d..b7c3f61 100644 --- a/ccp/modules/id-management-compose.yml +++ b/ccp/modules/id-management-compose.yml 
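Review bot: `POSTGRES_CONNECTION_STRING` interpolates `${DASHBOARD_DB_PASSWORD}` straight into a URL, where `@`, `:`, `/`, `?`, `#` and `%` are delimiters; this is only safe if `generate_simple_password` is restricted to URL-safe characters, which this hunk cannot confirm. Either document the constraint next to the variable, `# password must be URL-safe: it is embedded unescaped in POSTGRES_CONNECTION_STRING`, or percent-encode the value before composing the URL. The database credential now also lives in the environment of the `focus` container, visible to anyone who can `docker inspect` it — fine if that is the accepted model for this stack, worth a comment if not. The file is also left without a trailing newline.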
@@ -102,7 +102,7 @@ services: condition: service_healthy ccp-patient-project-identificator: - image: samply/ccp-patient-project-identificator + image: docker.verbis.dkfz.de/cache/samply/ccp-patient-project-identificator container_name: bridgehead-ccp-patient-project-identificator environment: MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY} From 45aefd24e52003a40aa50d9c29aae3d97ec98fce Mon Sep 17 00:00:00 2001 From: Enola Knezevic <115070135+enola-dkfz@users.noreply.github.com> Date: Fri, 6 Dec 2024 11:27:38 +0100 Subject: [PATCH 68/82] renamed exporter API key to EXPORTER_API_KEY (#252) --- ccp/modules/exporter-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ccp/modules/exporter-compose.yml b/ccp/modules/exporter-compose.yml index af4c67b..10ae89f 100644 --- a/ccp/modules/exporter-compose.yml +++ b/ccp/modules/exporter-compose.yml @@ -69,4 +69,4 @@ services: focus: environment: EXPORTER_URL: "http://exporter:8092" - AUTH_HEADER: "${EXPORTER_API_KEY}" + EXPORTER_API_KEY: "${EXPORTER_API_KEY}" From e3510363ad2a2eb22ad686c4fb2e7cb346e8d2e4 Mon Sep 17 00:00:00 2001 From: patrickskowronekdkfz <86347677+patrickskowronekdkfz@users.noreply.github.com> Date: Tue, 10 Dec 2024 17:18:07 +0100 Subject: [PATCH 69/82] fix: remove credentials from git remote, if update fails (#253) Signed-off-by: Patrick Skowronek --- lib/update-bridgehead.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh index 44655b1..56afb17 100755 --- a/lib/update-bridgehead.sh +++ b/lib/update-bridgehead.sh 
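Review bot: The new `image:` reference carries no tag, so it resolves to `latest` on the verbis cache exactly as it did on Docker Hub — a mutable reference that can change under a running Bridgehead on every pull, unlike the pinned `blaze:0.31` or the `${FOCUS_TAG}`-driven images elsewhere in this repository. Pin it to a release tag or an `@sha256:` digest, e.g. `image: docker.verbis.dkfz.de/cache/samply/ccp-patient-project-identificator:<version>`, so updates to this component are deliberate and reproducible.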
@@ -58,7 +58,8 @@ for DIR in /etc/bridgehead $(pwd); do OUT=$(retry 5 git -c http.proxy=$HTTPS_PROXY_FULL_URL -c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR fetch 2>&1 && retry 5 git -c http.proxy=$HTTPS_PROXY_FULL_URL -c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR pull 2>&1) fi if [ $? -ne 0 ]; then - report_error log "Unable to update git $DIR: $OUT" + OUT_SAN=$(echo $OUT | sed -E 's|://[^:]+:[^@]+@|://credentials@|g') + report_error log "Unable to update git $DIR: $OUT_SAN" fi new_git_hash="$(git -C $DIR rev-parse --verify HEAD)" From 5c28e704d2b04d2404d2d71cd9abbb6aae35c32a Mon Sep 17 00:00:00 2001 From: Jan <59206115+Threated@users.noreply.github.com> Date: Tue, 21 Jan 2025 09:27:27 +0100 Subject: [PATCH 70/82] fix: remove `restart: always` in compose files (#261) --- ccp/modules/nngm-compose.yml | 1 - ccp/modules/obds2fhir-rest-compose.yml | 1 - kr/modules/obds2fhir-rest-compose.yml | 1 - minimal/modules/nngm-compose.yml | 1 - 4 files changed, 4 deletions(-) diff --git a/ccp/modules/nngm-compose.yml b/ccp/modules/nngm-compose.yml index 7ffa190..36e9f27 100644 --- a/ccp/modules/nngm-compose.yml +++ b/ccp/modules/nngm-compose.yml @@ -12,7 +12,6 @@ services: CTS_API_KEY: ${NNGM_CTS_APIKEY} CRYPT_KEY: ${NNGM_CRYPTKEY} #CTS_MAGICPL_SITE: ${SITE_ID}TODO - restart: always labels: - "traefik.enable=true" - "traefik.http.routers.connector.rule=PathPrefix(`/nngm-connector`)" diff --git a/ccp/modules/obds2fhir-rest-compose.yml b/ccp/modules/obds2fhir-rest-compose.yml index f201e23..833580d 100644 --- a/ccp/modules/obds2fhir-rest-compose.yml +++ b/ccp/modules/obds2fhir-rest-compose.yml @@ -10,7 +10,6 @@ services: SALT: ${LOCAL_SALT} KEEP_INTERNAL_ID: ${KEEP_INTERNAL_ID:-false} MAINZELLISTE_URL: ${PATIENTLIST_URL:-http://patientlist:8080/patientlist} - restart: always labels: - "traefik.enable=true" - "traefik.http.routers.obds2fhir-rest.rule=PathPrefix(`/obds2fhir-rest`) || PathPrefix(`/adt2fhir-rest`)" 
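Review bot: `echo $OUT` is unquoted, so the captured git output is word-split and glob-expanded before `sed` sees it — newlines collapse into spaces, a `*` or `?` in a message can expand against the current directory, and a leading `-n`/`-e` word would be consumed by `echo`; `printf '%s\n' "$OUT"` avoids all three. The pattern `://[^:]+:[^@]+@` only redacts `user:secret@` userinfo; a token supplied without a username (`https://<token>@host/...`) or a userinfo containing a second colon passes through unredacted, so the broader `s|://[^/@[:space:]]+@|://credentials@|g` is safer — the remote-URL form documented in `docs/update-access-token.md` still embeds the token this way. Combined: `OUT_SAN=$(printf '%s\n' "$OUT" | sed -E 's|://[^/@[:space:]]+@|://credentials@|g')`. The `for DIR` loop this sits in opens before the hunk.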
diff --git a/kr/modules/obds2fhir-rest-compose.yml b/kr/modules/obds2fhir-rest-compose.yml index f201e23..833580d 100644 --- a/kr/modules/obds2fhir-rest-compose.yml +++ b/kr/modules/obds2fhir-rest-compose.yml @@ -10,7 +10,6 @@ services: SALT: ${LOCAL_SALT} KEEP_INTERNAL_ID: ${KEEP_INTERNAL_ID:-false} MAINZELLISTE_URL: ${PATIENTLIST_URL:-http://patientlist:8080/patientlist} - restart: always labels: - "traefik.enable=true" - "traefik.http.routers.obds2fhir-rest.rule=PathPrefix(`/obds2fhir-rest`) || PathPrefix(`/adt2fhir-rest`)" diff --git a/minimal/modules/nngm-compose.yml b/minimal/modules/nngm-compose.yml index e61532d..8e42e71 100644 --- a/minimal/modules/nngm-compose.yml +++ b/minimal/modules/nngm-compose.yml @@ -11,7 +11,6 @@ services: CTS_API_KEY: ${NNGM_CTS_APIKEY} CRYPT_KEY: ${NNGM_CRYPTKEY} #CTS_MAGICPL_SITE: ${SITE_ID}TODO - restart: always labels: - "traefik.enable=true" - "traefik.http.routers.connector.rule=PathPrefix(`/nngm-connector`)" From 3d1105b97ca64aa42b03f2f928d530303a25bb45 Mon Sep 17 00:00:00 2001 From: patrickskowronekdkfz <86347677+patrickskowronekdkfz@users.noreply.github.com> Date: Tue, 21 Jan 2025 09:28:47 +0100 Subject: [PATCH 71/82] Update: Blaze to version 0.31 (#260) --- bbmri/docker-compose.yml | 2 +- cce/docker-compose.yml | 2 +- ccp/docker-compose.yml | 2 +- ccp/modules/blaze-secondary-compose.yml | 2 +- dhki/docker-compose.yml | 2 +- itcc/docker-compose.yml | 2 +- kr/docker-compose.yml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml index 000df01..1903c62 100644 --- a/bbmri/docker-compose.yml +++ b/bbmri/docker-compose.yml @@ -4,7 +4,7 @@ version: "3.7" services: blaze: - image: docker.verbis.dkfz.de/cache/samply/blaze:0.28 + image: docker.verbis.dkfz.de/cache/samply/blaze:0.31 container_name: bridgehead-bbmri-blaze environment: BASE_URL: "http://bridgehead-bbmri-blaze:8080" 
diff --git a/cce/docker-compose.yml b/cce/docker-compose.yml index 87b6b1c..0641af7 100644 --- a/cce/docker-compose.yml +++ b/cce/docker-compose.yml @@ -2,7 +2,7 @@ version: "3.7" services: blaze: - image: docker.verbis.dkfz.de/cache/samply/blaze:0.28 + image: docker.verbis.dkfz.de/cache/samply/blaze:0.31 container_name: bridgehead-cce-blaze environment: BASE_URL: "http://bridgehead-cce-blaze:8080" diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml index b7a71b2..871eec2 100644 --- a/ccp/docker-compose.yml +++ b/ccp/docker-compose.yml @@ -2,7 +2,7 @@ version: "3.7" services: blaze: - image: docker.verbis.dkfz.de/cache/samply/blaze:0.28 + image: docker.verbis.dkfz.de/cache/samply/blaze:0.31 container_name: bridgehead-ccp-blaze environment: BASE_URL: "http://bridgehead-ccp-blaze:8080" diff --git a/ccp/modules/blaze-secondary-compose.yml b/ccp/modules/blaze-secondary-compose.yml index b57bfbe..ad748a6 100644 --- a/ccp/modules/blaze-secondary-compose.yml +++ b/ccp/modules/blaze-secondary-compose.yml @@ -2,7 +2,7 @@ version: "3.7" services: blaze-secondary: - image: docker.verbis.dkfz.de/cache/samply/blaze:0.28 + image: docker.verbis.dkfz.de/cache/samply/blaze:0.31 container_name: bridgehead-ccp-blaze-secondary environment: BASE_URL: "http://bridgehead-ccp-blaze-secondary:8080" diff --git a/dhki/docker-compose.yml b/dhki/docker-compose.yml index ee8cd17..d37f1a2 100644 --- a/dhki/docker-compose.yml +++ b/dhki/docker-compose.yml @@ -2,7 +2,7 @@ version: "3.7" services: blaze: - image: docker.verbis.dkfz.de/cache/samply/blaze:0.28 + image: docker.verbis.dkfz.de/cache/samply/blaze:0.31 container_name: bridgehead-dhki-blaze environment: BASE_URL: "http://bridgehead-dhki-blaze:8080" diff --git a/itcc/docker-compose.yml b/itcc/docker-compose.yml index 7aab26d..c9bce0c 100644 --- a/itcc/docker-compose.yml +++ b/itcc/docker-compose.yml 
@@ -2,7 +2,7 @@ version: "3.7" services: blaze: - image: docker.verbis.dkfz.de/cache/samply/blaze:0.28 + image: docker.verbis.dkfz.de/cache/samply/blaze:0.31 container_name: bridgehead-itcc-blaze environment: BASE_URL: "http://bridgehead-itcc-blaze:8080" diff --git a/kr/docker-compose.yml b/kr/docker-compose.yml index 47a9db6..17b36b7 100644 --- a/kr/docker-compose.yml +++ b/kr/docker-compose.yml @@ -6,7 +6,7 @@ services: replicas: 0 #deactivate landing page blaze: - image: docker.verbis.dkfz.de/cache/samply/blaze:0.28 + image: docker.verbis.dkfz.de/cache/samply/blaze:0.31 container_name: bridgehead-kr-blaze environment: BASE_URL: "http://bridgehead-kr-blaze:8080" From 1003cd73cf6c8a089366f0a72fdeccf0d720b90f Mon Sep 17 00:00:00 2001 From: patrickskowronekdkfz <86347677+patrickskowronekdkfz@users.noreply.github.com> Date: Tue, 21 Jan 2025 09:30:20 +0100 Subject: [PATCH 72/82] fix: changed ccp_ppi to use IDMANAGEMENT_FRIENDLY_ID instead of SITE_NAME (#259) --- ccp/modules/id-management-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml index b7c3f61..4e3e90a 100644 --- a/ccp/modules/id-management-compose.yml +++ b/ccp/modules/id-management-compose.yml @@ -106,7 +106,7 @@ services: container_name: bridgehead-ccp-patient-project-identificator environment: MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY} - SITE_NAME: ${SITE_NAME} + SITE_NAME: ${IDMANAGEMENT_FRIENDLY_ID} volumes: patientlist-db-data: From 910289079b7defbef187666700ea7d9c6f0e9df6 Mon Sep 17 00:00:00 2001 
From: patrickskowronekdkfz <86347677+patrickskowronekdkfz@users.noreply.github.com> Date: Tue, 21 Jan 2025 09:35:25 +0100 Subject: [PATCH 73/82] docs: documentation for changing your configuration repository access token (#256) --- README.md | 2 ++ docs/update-access-token.md | 42 +++++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+) create mode 100644 docs/update-access-token.md diff --git a/README.md b/README.md index 3c36053..b7e60ad 100644 --- a/README.md +++ b/README.md @@ -254,6 +254,8 @@ sh bridgehead uninstall ## Site-specific configuration +[How to Change Config Access Token](docs/update-access-token.md) + ### HTTPS Access Even within your internal network, the Bridgehead enforces HTTPS for all services. During the installation, a self-signed, long-lived certificate was created for you. To increase security, you can simply replace the files under `/etc/bridgehead/traefik-tls` with ones from established certification authorities such as [Let's Encrypt](https://letsencrypt.org) or [DFN-AAI](https://www.aai.dfn.de). diff --git a/docs/update-access-token.md b/docs/update-access-token.md new file mode 100644 index 0000000..d608d45 --- /dev/null +++ b/docs/update-access-token.md 
@@ -0,0 +1,42 @@ +## How to Change Config Access Token + +### 1. Generate a New Access Token + +1. Go to your Git configuration repository provider, it might be either [git.verbis.dkfz.de](https://git.verbis.dkfz.de) or [gitlab.bbmri-eric.eu](https://gitlab.bbmri-eric.eu). +2. Navigate to the configuration repository for your site. +3. Go to **Settings → Access Tokens** to check if your Access Token is valid or expired. + - **If expired**, create a new Access Token. +4. Configure the new Access Token with the following settings: + - **Expiration date**: One year from today, minus one day. + - **Role**: Developer. + - **Scope**: Only `read_repository`. +5. Save the newly generated Access Token in a secure location. + +--- + +### 2. Replace the Old Access Token + +1. Navigate to `/etc/bridgehead` in your system. +2. Run the following command to retrieve the current Git remote URL: + ```bash + git remote get-url origin + ``` + Example output: + ``` + https://name40dkfz-heidelberg.de:@git.verbis.dkfz.de/bbmri-bridgehead-configs/test.git + ``` +3. Replace `` with your new Access Token in the URL. +4. Set the updated URL using the following command: + ```bash + git remote set-url origin https://name40dkfz-heidelberg.de:@git.verbis.dkfz.de/bbmri-bridgehead-configs/test.git + + ``` + +5. Start the Bridgehead update service by running: + ```bash + systemctl start bridgehead-update@ + ``` +6. View the output to ensure the update process is successful: + ```bash + journalctl -u bridgehead-update@ -f + ``` \ No newline at end of file From 655d0d24c7be28262f555ea0786153f9a4259721 Mon Sep 17 00:00:00 2001 From: Jan <59206115+Threated@users.noreply.github.com> Date: Tue, 21 Jan 2025 09:27:27 +0100 Subject: [PATCH 74/82] fix: remove `restart: always` in compose files (#261) --- ccp/modules/nngm-compose.yml | 1 - ccp/modules/obds2fhir-rest-compose.yml | 1 - kr/modules/obds2fhir-rest-compose.yml | 1 - minimal/modules/nngm-compose.yml | 1 - 4 files changed, 4 deletions(-) 
diff --git a/ccp/modules/nngm-compose.yml b/ccp/modules/nngm-compose.yml index 7ffa190..36e9f27 100644 --- a/ccp/modules/nngm-compose.yml +++ b/ccp/modules/nngm-compose.yml @@ -12,7 +12,6 @@ services: CTS_API_KEY: ${NNGM_CTS_APIKEY} CRYPT_KEY: ${NNGM_CRYPTKEY} #CTS_MAGICPL_SITE: ${SITE_ID}TODO - restart: always labels: - "traefik.enable=true" - "traefik.http.routers.connector.rule=PathPrefix(`/nngm-connector`)" diff --git a/ccp/modules/obds2fhir-rest-compose.yml b/ccp/modules/obds2fhir-rest-compose.yml index f201e23..833580d 100644 --- a/ccp/modules/obds2fhir-rest-compose.yml +++ b/ccp/modules/obds2fhir-rest-compose.yml @@ -10,7 +10,6 @@ services: SALT: ${LOCAL_SALT} KEEP_INTERNAL_ID: ${KEEP_INTERNAL_ID:-false} MAINZELLISTE_URL: ${PATIENTLIST_URL:-http://patientlist:8080/patientlist} - restart: always labels: - "traefik.enable=true" - "traefik.http.routers.obds2fhir-rest.rule=PathPrefix(`/obds2fhir-rest`) || PathPrefix(`/adt2fhir-rest`)" diff --git a/kr/modules/obds2fhir-rest-compose.yml b/kr/modules/obds2fhir-rest-compose.yml index f201e23..833580d 100644 --- a/kr/modules/obds2fhir-rest-compose.yml +++ b/kr/modules/obds2fhir-rest-compose.yml @@ -10,7 +10,6 @@ services: SALT: ${LOCAL_SALT} KEEP_INTERNAL_ID: ${KEEP_INTERNAL_ID:-false} MAINZELLISTE_URL: ${PATIENTLIST_URL:-http://patientlist:8080/patientlist} - restart: always labels: - "traefik.enable=true" - "traefik.http.routers.obds2fhir-rest.rule=PathPrefix(`/obds2fhir-rest`) || PathPrefix(`/adt2fhir-rest`)" diff --git a/minimal/modules/nngm-compose.yml b/minimal/modules/nngm-compose.yml index e61532d..8e42e71 100644 --- a/minimal/modules/nngm-compose.yml +++ b/minimal/modules/nngm-compose.yml @@ -11,7 +11,6 @@ services: CTS_API_KEY: ${NNGM_CTS_APIKEY} CRYPT_KEY: ${NNGM_CRYPTKEY} #CTS_MAGICPL_SITE: ${SITE_ID}TODO - restart: always labels: - "traefik.enable=true" - "traefik.http.routers.connector.rule=PathPrefix(`/nngm-connector`)" From 39a87bcf61ae3688c3ac9587c9cff0496046c782 Mon Sep 17 00:00:00 2001 
From: patrickskowronekdkfz <86347677+patrickskowronekdkfz@users.noreply.github.com> Date: Tue, 21 Jan 2025 09:28:47 +0100 Subject: [PATCH 75/82] Update: Blaze to version 0.31 (#260) --- bbmri/docker-compose.yml | 2 +- cce/docker-compose.yml | 2 +- ccp/docker-compose.yml | 2 +- ccp/modules/blaze-secondary-compose.yml | 2 +- dhki/docker-compose.yml | 2 +- itcc/docker-compose.yml | 2 +- kr/docker-compose.yml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/bbmri/docker-compose.yml b/bbmri/docker-compose.yml index 000df01..1903c62 100644 --- a/bbmri/docker-compose.yml +++ b/bbmri/docker-compose.yml @@ -4,7 +4,7 @@ version: "3.7" services: blaze: - image: docker.verbis.dkfz.de/cache/samply/blaze:0.28 + image: docker.verbis.dkfz.de/cache/samply/blaze:0.31 container_name: bridgehead-bbmri-blaze environment: BASE_URL: "http://bridgehead-bbmri-blaze:8080" diff --git a/cce/docker-compose.yml b/cce/docker-compose.yml index 87b6b1c..0641af7 100644 --- a/cce/docker-compose.yml +++ b/cce/docker-compose.yml @@ -2,7 +2,7 @@ version: "3.7" services: blaze: - image: docker.verbis.dkfz.de/cache/samply/blaze:0.28 + image: docker.verbis.dkfz.de/cache/samply/blaze:0.31 container_name: bridgehead-cce-blaze environment: BASE_URL: "http://bridgehead-cce-blaze:8080" diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml index b7a71b2..871eec2 100644 --- a/ccp/docker-compose.yml +++ b/ccp/docker-compose.yml @@ -2,7 +2,7 @@ version: "3.7" services: blaze: - image: docker.verbis.dkfz.de/cache/samply/blaze:0.28 + image: docker.verbis.dkfz.de/cache/samply/blaze:0.31 container_name: bridgehead-ccp-blaze environment: BASE_URL: "http://bridgehead-ccp-blaze:8080" diff --git a/ccp/modules/blaze-secondary-compose.yml b/ccp/modules/blaze-secondary-compose.yml index b57bfbe..ad748a6 100644 --- a/ccp/modules/blaze-secondary-compose.yml +++ b/ccp/modules/blaze-secondary-compose.yml 
@@ -2,7 +2,7 @@ version: "3.7" services: blaze-secondary: - image: docker.verbis.dkfz.de/cache/samply/blaze:0.28 + image: docker.verbis.dkfz.de/cache/samply/blaze:0.31 container_name: bridgehead-ccp-blaze-secondary environment: BASE_URL: "http://bridgehead-ccp-blaze-secondary:8080" diff --git a/dhki/docker-compose.yml b/dhki/docker-compose.yml index ee8cd17..d37f1a2 100644 --- a/dhki/docker-compose.yml +++ b/dhki/docker-compose.yml @@ -2,7 +2,7 @@ version: "3.7" services: blaze: - image: docker.verbis.dkfz.de/cache/samply/blaze:0.28 + image: docker.verbis.dkfz.de/cache/samply/blaze:0.31 container_name: bridgehead-dhki-blaze environment: BASE_URL: "http://bridgehead-dhki-blaze:8080" diff --git a/itcc/docker-compose.yml b/itcc/docker-compose.yml index 7aab26d..c9bce0c 100644 --- a/itcc/docker-compose.yml +++ b/itcc/docker-compose.yml @@ -2,7 +2,7 @@ version: "3.7" services: blaze: - image: docker.verbis.dkfz.de/cache/samply/blaze:0.28 + image: docker.verbis.dkfz.de/cache/samply/blaze:0.31 container_name: bridgehead-itcc-blaze environment: BASE_URL: "http://bridgehead-itcc-blaze:8080" diff --git a/kr/docker-compose.yml b/kr/docker-compose.yml index 47a9db6..17b36b7 100644 --- a/kr/docker-compose.yml +++ b/kr/docker-compose.yml @@ -6,7 +6,7 @@ services: replicas: 0 #deactivate landing page blaze: - image: docker.verbis.dkfz.de/cache/samply/blaze:0.28 + image: docker.verbis.dkfz.de/cache/samply/blaze:0.31 container_name: bridgehead-kr-blaze environment: BASE_URL: "http://bridgehead-kr-blaze:8080" From 138a1fa5f116567cf1ee11da42ffd4b662ee43d5 Mon Sep 17 00:00:00 2001 From: patrickskowronekdkfz <86347677+patrickskowronekdkfz@users.noreply.github.com> Date: Tue, 21 Jan 2025 09:30:20 +0100 Subject: [PATCH 76/82] fix: changed ccp_ppi to use IDMANAGEMENT_FRIENDLY_ID instead of SITE_NAME (#259) --- ccp/modules/id-management-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/ccp/modules/id-management-compose.yml b/ccp/modules/id-management-compose.yml index b7c3f61..4e3e90a 100644 --- a/ccp/modules/id-management-compose.yml +++ b/ccp/modules/id-management-compose.yml @@ -106,7 +106,7 @@ services: container_name: bridgehead-ccp-patient-project-identificator environment: MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY} - SITE_NAME: ${SITE_NAME} + SITE_NAME: ${IDMANAGEMENT_FRIENDLY_ID} volumes: patientlist-db-data: From 6a71da3dd1868132d6c802d4eac8a192aa621de3 Mon Sep 17 00:00:00 2001 From: patrickskowronekdkfz <86347677+patrickskowronekdkfz@users.noreply.github.com> Date: Tue, 21 Jan 2025 09:35:25 +0100 Subject: [PATCH 77/82] docs: documentation for changing your configuration repository access token (#256) --- README.md | 2 ++ docs/update-access-token.md | 42 +++++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+) create mode 100644 docs/update-access-token.md diff --git a/README.md b/README.md index 3c36053..b7e60ad 100644 --- a/README.md +++ b/README.md @@ -254,6 +254,8 @@ sh bridgehead uninstall ## Site-specific configuration +[How to Change Config Access Token](docs/update-access-token.md) + ### HTTPS Access Even within your internal network, the Bridgehead enforces HTTPS for all services. During the installation, a self-signed, long-lived certificate was created for you. To increase security, you can simply replace the files under `/etc/bridgehead/traefik-tls` with ones from established certification authorities such as [Let's Encrypt](https://letsencrypt.org) or [DFN-AAI](https://www.aai.dfn.de). diff --git a/docs/update-access-token.md b/docs/update-access-token.md new file mode 100644 index 0000000..d608d45 --- /dev/null +++ b/docs/update-access-token.md 
@@ -0,0 +1,42 @@ +## How to Change Config Access Token + +### 1. Generate a New Access Token + +1. Go to your Git configuration repository provider, it might be either [git.verbis.dkfz.de](https://git.verbis.dkfz.de) or [gitlab.bbmri-eric.eu](https://gitlab.bbmri-eric.eu). +2. Navigate to the configuration repository for your site. +3. Go to **Settings → Access Tokens** to check if your Access Token is valid or expired. + - **If expired**, create a new Access Token. +4. Configure the new Access Token with the following settings: + - **Expiration date**: One year from today, minus one day. + - **Role**: Developer. + - **Scope**: Only `read_repository`. +5. Save the newly generated Access Token in a secure location. + +--- + +### 2. Replace the Old Access Token + +1. Navigate to `/etc/bridgehead` in your system. +2. Run the following command to retrieve the current Git remote URL: + ```bash + git remote get-url origin + ``` + Example output: + ``` + https://name40dkfz-heidelberg.de:@git.verbis.dkfz.de/bbmri-bridgehead-configs/test.git + ``` +3. Replace `` with your new Access Token in the URL. +4. Set the updated URL using the following command: + ```bash + git remote set-url origin https://name40dkfz-heidelberg.de:@git.verbis.dkfz.de/bbmri-bridgehead-configs/test.git + + ``` + +5. Start the Bridgehead update service by running: + ```bash + systemctl start bridgehead-update@ + ``` +6. View the output to ensure the update process is successful: + ```bash + journalctl -u bridgehead-update@ -f + ``` \ No newline at end of file From db950d6d870246141c2b11c6d34755143dec42b8 Mon Sep 17 00:00:00 2001 From: Tobias Kussel Date: Tue, 28 Jan 2025 08:59:57 +0000 Subject: [PATCH 78/82] Fixed Docker Hub URL list link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b7e60ad..86bd1d9 100644 --- a/README.md +++ b/README.md 
@@ -76,7 +76,7 @@ The following URLs need to be accessible (prefix with `https://`): * git.verbis.dkfz.de * To fetch docker images * docker.verbis.dkfz.de - * Official Docker, Inc. URLs (subject to change, see [official list](https://docs.docker.com/desktop/all)) + * Official Docker, Inc. URLs (subject to change, see [official list](https://docs.docker.com/desktop/setup/allow-list/)) * hub.docker.com * registry-1.docker.io * production.cloudflare.docker.com From 615990b92a5c7066f51c9e4563fcda2deff351d0 Mon Sep 17 00:00:00 2001 From: Martin Lablans <6804500+lablans@users.noreply.github.com> Date: Tue, 28 Jan 2025 14:53:49 +0100 Subject: [PATCH 79/82] Use secret-sync for gitpassword (#257) --------- Co-authored-by: Tim Schumacher Co-authored-by: Jan <59206115+Threated@users.noreply.github.com> Co-authored-by: Tim Schumacher --- lib/functions.sh | 2 +- lib/gitlab-token-helper.sh | 11 ++++++++++ lib/gitpassword.sh | 41 ----------------------------------- lib/update-bridgehead.sh | 44 ++++++++++++++++++++++++++++++++------ 4 files changed, 50 insertions(+), 48 deletions(-) create mode 100755 lib/gitlab-token-helper.sh delete mode 100755 lib/gitpassword.sh diff --git a/lib/functions.sh b/lib/functions.sh index 3fcae38..ed57293 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -116,7 +116,7 @@ assertVarsNotEmpty() { MISSING_VARS="" for VAR in $@; do - if [ -z "${!VAR}" ]; then + if [ -z "${!VAR}" ]; then MISSING_VARS+="$VAR " fi done diff --git a/lib/gitlab-token-helper.sh b/lib/gitlab-token-helper.sh new file mode 100755 index 0000000..e618029 --- /dev/null +++ b/lib/gitlab-token-helper.sh @@ -0,0 +1,11 @@ +#!/bin/bash + +[ "$1" = "get" ] || exit + +source /var/cache/bridgehead/secrets/gitlab_token + +# Any non-empty username works, only the token matters +cat << EOF +username=bk +password=$BRIDGEHEAD_CONFIG_REPO_TOKEN +EOF \ No newline at end of file diff --git a/lib/gitpassword.sh b/lib/gitpassword.sh deleted file mode 100755 index 17756d6..0000000 
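Review bot: The helper answers every `get` request with the token without looking at what git is asking for — it never reads the `protocol=`/`host=` description git writes to stdin (the removed `gitpassword.sh` at least drained it with `PARAMS="$(cat)"`), so if it is ever registered as a global `credential.helper` rather than scoped to the configuration remote, any https fetch git performs on that machine is handed the GitLab token. Either scope the registration (`git config credential.https://<gitlab-host>.helper ...`) or read stdin and emit nothing unless `host=` is the configured GitLab host. It also fails open: if `/var/cache/bridgehead/secrets/gitlab_token` is missing or sets nothing, `source` prints an error and the script still emits `password=` with an empty value; `source /var/cache/bridgehead/secrets/gitlab_token || exit 1` followed by `[ -n "$BRIDGEHEAD_CONFIG_REPO_TOKEN" ] || exit 1` makes the failure visible instead of producing a silent empty credential. How the helper is wired into git lives in the `update-bridgehead.sh` part of this patch, which is not legible in this view.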
--- a/lib/gitpassword.sh +++ /dev/null @@ -1,41 +0,0 @@ -#!/bin/bash - -if [ "$1" != "get" ]; then - echo "Usage: $0 get" - exit 1 -fi - -baseDir() { - # see https://stackoverflow.com/questions/59895 - SOURCE=${BASH_SOURCE[0]} - while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink - DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd ) - SOURCE=$(readlink "$SOURCE") - [[ $SOURCE != /* ]] && SOURCE=$DIR/$SOURCE # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located - done - DIR=$( cd -P "$( dirname "$SOURCE" )/.." >/dev/null 2>&1 && pwd ) - echo $DIR -} - -BASE=$(baseDir) -cd $BASE - -source lib/functions.sh - -assertVarsNotEmpty SITE_ID || fail_and_report 1 "gitpassword.sh failed: SITE_ID is empty." - -PARAMS="$(cat)" -GITHOST=$(echo "$PARAMS" | grep "^host=" | sed 's/host=\(.*\)/\1/g') - -fetchVarsFromVault GIT_PASSWORD - -if [ -z "${GIT_PASSWORD}" ]; then - fail_and_report 1 "gitpassword.sh failed: Git password not found." -fi - -cat < Date: Wed, 29 Jan 2025 10:59:27 +0100 Subject: [PATCH 80/82] fix: properly load oidc secrets (#267) --- lib/functions.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/functions.sh b/lib/functions.sh index ed57293..ffdc234 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -318,7 +318,7 @@ function sync_secrets() { docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest set -a # Export variables as environment variables - source /var/cache/bridgehead/secrets/* + source /var/cache/bridgehead/secrets/oidc set +a # Export variables in the regular way } From e3553370b6e4518122a9d14000fb1b87e6f73d8e Mon Sep 17 00:00:00 2001 
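Review bot: `source /var/cache/bridgehead/secrets/oidc` is unconditional, so on a site where secret-sync wrote no `oidc` file (OIDC not configured, or the sync container failed) bash prints "No such file or directory", the function carries on to `set +a`, and whatever depends on those variables fails later with a less obvious error. Guard it with `[ -r /var/cache/bridgehead/secrets/oidc ] && source /var/cache/bridgehead/secrets/oidc` if OIDC is optional, or `|| fail_and_report 1 "OIDC secrets missing"` if it is required. The `secret-sync-local:latest` image referenced on the line above is a mutable tag, pre-existing but worth pinning like the other images in this repository. `sync_secrets` opens before this hunk.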
From: Jan <59206115+Threated@users.noreply.github.com> Date: Wed, 29 Jan 2025 13:17:59 +0100 Subject: [PATCH 81/82] feat: unify version handeling (#265) --- bridgehead | 49 ++++++++++++++++++++++++++++--------------------- versions/prod | 2 ++ versions/test | 2 ++ 3 files changed, 32 insertions(+), 21 deletions(-) create mode 100644 versions/prod create mode 100644 versions/test diff --git a/bridgehead b/bridgehead index d5d3a20..cbe7527 100755 --- a/bridgehead +++ b/bridgehead 
@@ -53,17 +53,44 @@ case "$PROJECT" in
 ;;
 esac
+# Loads config variables and runs the projects setup script
 loadVars() {
- # Load variables from /etc/bridgehead and /srv/docker/bridgehead
 set -a
+ # Source the project specific config file
 source /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "/etc/bridgehead/$PROJECT.conf not found"
+ # Source the project specific local config file if present
+ # This file is ignored by git as oposed to the regular config file as it contains private site information like etl auth data
 if [ -e /etc/bridgehead/$PROJECT.local.conf ]; then
 log INFO "Applying /etc/bridgehead/$PROJECT.local.conf"
 source /etc/bridgehead/$PROJECT.local.conf || fail_and_report 1 "Found /etc/bridgehead/$PROJECT.local.conf but failed to import"
 fi
+ # Set execution environment on main default to prod else test
+ if [[ -z "${ENVIRONMENT+x}" ]]; then
+ if [ "$(git rev-parse --abbrev-ref HEAD)" == "main" ]; then
+ ENVIRONMENT="production"
+ else
+ ENVIRONMENT="test"
+ fi
+ fi
+ # Source the versions of the images components
+ case "$ENVIRONMENT" in
+ "production")
+ source ./versions/prod
+ ;;
+ "test")
+ source ./versions/test
+ ;;
+ *)
+ report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
+ source ./versions/prod
+ ;;
+ esac
 fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Unable to fetchVarsFromVaultByFile"
 setHostname
 optimizeBlazeMemoryUsage
+ # Run project specific setup if it exists
+ # This will ususally modiy the `OVERRIDE` to include all the compose files that the project depends on
+ # This is also where projects specify which modules to load
 [ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
 set +a
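Review bot: The `ENVIRONMENT` auto-detection on the new `if [ "$(git rev-parse --abbrev-ref HEAD)" == "main" ]` line treats every non-`main` answer as `test`, including a detached HEAD (which prints `HEAD`) and a failed `git` invocation (empty output), so a production site whose checkout is in an unexpected state silently sources `versions/test` and deploys the `develop` tags. Capture and check the result instead, e.g. `branch="$(git rev-parse --abbrev-ref HEAD 2>/dev/null)" || fail_and_report 1 "Cannot determine git branch to derive ENVIRONMENT"`, and log the chosen environment so the selection is visible in the install output. The `source ./versions/prod` lines are relative to the working directory; that holds only if loadVars is always reached after the `cd` into the checkout, which is outside this hunk. Minor: the added comments carry typos (`oposed`, `ususally modiy`). loadVars continues past the hunk.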
@@ -79,26 +106,6 @@ loadVars() {
 fi
 detectCompose
 setupProxy
-
- # Set some project-independent default values
- : ${ENVIRONMENT:=production}
- export ENVIRONMENT
-
- case "$ENVIRONMENT" in
- "production")
- export FOCUS_TAG=main
- export BEAM_TAG=main
- ;;
- "test")
- export FOCUS_TAG=develop
- export BEAM_TAG=develop
- ;;
- *)
- report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
- export FOCUS_TAG=main
- export BEAM_TAG=main
- ;;
- esac
 }
 case "$ACTION" in
diff --git a/versions/prod b/versions/prod
new file mode 100644
index 0000000..1dd754f
--- /dev/null
+++ b/versions/prod
@@ -0,0 +1,2 @@
+FOCUS_TAG=main
+BEAM_TAG=main
\ No newline at end of file
diff --git a/versions/test b/versions/test
new file mode 100644
index 0000000..10ae062
--- /dev/null
+++ b/versions/test
@@ -0,0 +1,2 @@
+FOCUS_TAG=develop
+BEAM_TAG=develop
\ No newline at end of file
From 721627a78fed32dfb8472dcec9321f4e4999c108 Mon Sep 17 00:00:00 2001
From: Jan <59206115+Threated@users.noreply.github.com>
Date: Wed, 5 Feb 2025 13:24:28 +0100
Subject: [PATCH 82/82] feat: migrate to new dnpm:dip node (#251)
* feat: migrate to new dnpm:dip node
* hardcode dnpm connector type to broker
* use `SITE_NAME` for dnpm `LOCAL_SITE`
* host central targets in git
* dnpm: add goettingen to central targets
* dnpm: add uksh to central targets
* dnpm: replace named volumes with fs volumes
* chore: change dnpm images
* chore: pin mysql
* dnpm: Secure endpoints for ETL and p2p communications (#254)
* fix authup redirect (#262)
When a OIDC provider is configured, you'll get redirected to authup by Keycloak which redirects you to the DNPM:DIP. Currently the url looks like this: https://myserver/authup//someurl and produces an error. Manually removing the additional / fixes the issue.
* Whitespace formatting
--------
Co-authored-by: Niklas
Co-authored-by: Niklas Reimer
Co-authored-by: Martin Lablans <6804500+lablans@users.noreply.github.com>
---
 ccp/modules/dnpm-compose.yml | 4 +-
 ccp/modules/dnpm-node-compose.yml | 115 ++++++++++++++----
 ccp/modules/dnpm-node-setup.sh | 22 +---
 minimal/docker-compose.yml | 2 +-
 minimal/modules/dnpm-central-targets.json | 142 ++++++++++++++++++++++
 minimal/modules/dnpm-compose.yml | 4 +-
 minimal/modules/dnpm-node-compose.yml | 115 ++++++++++++++----
 minimal/modules/dnpm-node-setup.sh | 22 +---
 8 files changed, 337 insertions(+), 89 deletions(-)
 create mode 100644 minimal/modules/dnpm-central-targets.json
diff --git a/ccp/modules/dnpm-compose.yml b/ccp/modules/dnpm-compose.yml
index c32426f..0ce7f74 100644
--- a/ccp/modules/dnpm-compose.yml
+++ b/ccp/modules/dnpm-compose.yml
@@ -13,7 +13,7 @@ services:
 PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
 APP_ID: dnpm-connect.${PROXY_ID}
 DISCOVERY_URL: "./conf/central_targets.json"
- LOCAL_TARGETS_FILE: "./conf/connect_targets.json"
+ LOCAL_TARGETS_FILE: "/conf/connect_targets.json"
 HTTP_PROXY: "http://forward_proxy:3128"
 HTTPS_PROXY: "http://forward_proxy:3128"
 NO_PROXY: beam-proxy,dnpm-backend,host.docker.internal${DNPM_ADDITIONAL_NO_PROXY}
@@ -25,7 +25,7 @@ services:
 volumes:
 - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
 - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
- - /etc/bridgehead/dnpm/central_targets.json:/conf/central_targets.json:ro
+ - /srv/docker/bridgehead/minimal/modules/dnpm-central-targets.json:/conf/central_targets.json:ro
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"
diff --git a/ccp/modules/dnpm-node-compose.yml b/ccp/modules/dnpm-node-compose.yml
index ee84d89..c1f7dde 100644
--- a/ccp/modules/dnpm-node-compose.yml
+++ b/ccp/modules/dnpm-node-compose.yml
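Review bot: `LOCAL_TARGETS_FILE` becomes the absolute `/conf/connect_targets.json`, but the `DISCOVERY_URL: "./conf/central_targets.json"` context line just above keeps the relative form; if the relative path was what broke, the discovery file needs the same treatment, `DISCOVERY_URL: "/conf/central_targets.json"`, otherwise a comment should say why the two differ. The new bind mount `/srv/docker/bridgehead/minimal/modules/dnpm-central-targets.json` hardcodes the checkout location and, in this ccp module, reaches into the `minimal` project directory; as far as I know Docker creates an empty directory when a bind-mount source does not exist, so a checkout living elsewhere would hand the connector a directory in place of the targets file without any compose error. A path relative to the compose file, or a variable for the checkout root, would make that failure explicit. The same two hunks recur for minimal/modules/dnpm-compose.yml further down.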
@@ -1,34 +1,99 @@ version: "3.7" services: - dnpm-backend: - image: ghcr.io/kohlbacherlab/bwhc-backend:1.0-snapshot-broker-connector - container_name: bridgehead-dnpm-backend + dnpm-mysql: + image: mysql:9 + healthcheck: + test: [ "CMD", "mysqladmin" ,"ping", "-h", "localhost" ] + interval: 3s + timeout: 5s + retries: 5 environment: - - ZPM_SITE=${ZPM_SITE} - - N_RANDOM_FILES=${DNPM_SYNTH_NUM} + MYSQL_ROOT_HOST: "%" + MYSQL_ROOT_PASSWORD: ${DNPM_MYSQL_ROOT_PASSWORD} volumes: - - /etc/bridgehead/dnpm:/bwhc_config:ro - - ${DNPM_DATA_DIR}:/bwhc_data - labels: - - "traefik.enable=true" - - "traefik.http.routers.bwhc-backend.rule=PathPrefix(`/bwhc`)" - - "traefik.http.services.bwhc-backend.loadbalancer.server.port=9000" - - "traefik.http.routers.bwhc-backend.tls=true" + - /var/cache/bridgehead/dnpm/mysql:/var/lib/mysql - dnpm-frontend: - image: ghcr.io/kohlbacherlab/bwhc-frontend:2209 - container_name: bridgehead-dnpm-frontend - links: - - dnpm-backend + dnpm-authup: + image: authup/authup:latest + container_name: bridgehead-dnpm-authup + volumes: + - /var/cache/bridgehead/dnpm/authup:/usr/src/app/writable + depends_on: + dnpm-mysql: + condition: service_healthy + command: server/core start environment: - - NUXT_HOST=0.0.0.0 - - NUXT_PORT=8080 - - BACKEND_PROTOCOL=https - - BACKEND_HOSTNAME=$HOST - - BACKEND_PORT=443 + - PUBLIC_URL=https://${HOST}/auth/ + - AUTHORIZE_REDIRECT_URL=https://${HOST} + - ROBOT_ADMIN_ENABLED=true + - ROBOT_ADMIN_SECRET=${DNPM_AUTHUP_SECRET} + - ROBOT_ADMIN_SECRET_RESET=true + - DB_TYPE=mysql + - DB_HOST=dnpm-mysql + - DB_USERNAME=root + - DB_PASSWORD=${DNPM_MYSQL_ROOT_PASSWORD} + - DB_DATABASE=auth labels: - "traefik.enable=true" - - "traefik.http.routers.bwhc-frontend.rule=PathPrefix(`/`)" - - "traefik.http.services.bwhc-frontend.loadbalancer.server.port=8080" - - "traefik.http.routers.bwhc-frontend.tls=true" + - "traefik.http.middlewares.authup-strip.stripprefix.prefixes=/auth" + - "traefik.http.routers.dnpm-auth.middlewares=authup-strip" + 
- "traefik.http.routers.dnpm-auth.rule=PathPrefix(`/auth`)" + - "traefik.http.services.dnpm-auth.loadbalancer.server.port=3000" + - "traefik.http.routers.dnpm-auth.tls=true" + + dnpm-portal: + image: ghcr.io/dnpm-dip/portal:latest + container_name: bridgehead-dnpm-portal + environment: + - NUXT_API_URL=http://dnpm-backend:9000/ + - NUXT_PUBLIC_API_URL=https://${HOST}/api/ + - NUXT_AUTHUP_URL=http://dnpm-authup:3000/ + - NUXT_PUBLIC_AUTHUP_URL=https://${HOST}/auth/ + labels: + - "traefik.enable=true" + - "traefik.http.routers.dnpm-frontend.rule=PathPrefix(`/`)" + - "traefik.http.services.dnpm-frontend.loadbalancer.server.port=3000" + - "traefik.http.routers.dnpm-frontend.tls=true" + + dnpm-backend: + container_name: bridgehead-dnpm-backend + image: ghcr.io/dnpm-dip/backend:latest + environment: + - LOCAL_SITE=${ZPM_SITE}:${SITE_NAME} # Format: {Site-ID}:{Site-name}, e.g. UKT:Tübingen + - RD_RANDOM_DATA=${DNPM_SYNTH_NUM:--1} + - MTB_RANDOM_DATA=${DNPM_SYNTH_NUM:--1} + - HATEOAS_HOST=https://${HOST} + - CONNECTOR_TYPE=broker + - AUTHUP_URL=robot://system:${DNPM_AUTHUP_SECRET}@http://dnpm-authup:3000 + volumes: + - /etc/bridgehead/dnpm/config:/dnpm_config + - /var/cache/bridgehead/dnpm/backend-data:/dnpm_data + depends_on: + dnpm-authup: + condition: service_healthy + labels: + - "traefik.enable=true" + - "traefik.http.services.dnpm-backend.loadbalancer.server.port=9000" + # expose everything + - "traefik.http.routers.dnpm-backend.rule=PathPrefix(`/api`)" + - "traefik.http.routers.dnpm-backend.tls=true" + - "traefik.http.routers.dnpm-backend.service=dnpm-backend" + # except ETL + - "traefik.http.routers.dnpm-backend-etl.rule=PathRegexp(`^/api(/.*)?etl(/.*)?$`)" + - "traefik.http.routers.dnpm-backend-etl.tls=true" + - "traefik.http.routers.dnpm-backend-etl.service=dnpm-backend" + # this needs an ETL processor with support for basic auth + - "traefik.http.routers.dnpm-backend-etl.middlewares=auth" + # except peer-to-peer + - 
"traefik.http.routers.dnpm-backend-peer.rule=PathRegexp(`^/api(/.*)?/peer2peer(/.*)?$`)" + - "traefik.http.routers.dnpm-backend-peer.tls=true" + - "traefik.http.routers.dnpm-backend-peer.service=dnpm-backend" + - "traefik.http.routers.dnpm-backend-peer.middlewares=dnpm-backend-peer" + # this effectively denies all requests + # this is okay, because requests from peers don't go through Traefik + - "traefik.http.middlewares.dnpm-backend-peer.ipWhiteList.sourceRange=0.0.0.0/32" + + landing: + labels: + - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)" diff --git a/ccp/modules/dnpm-node-setup.sh b/ccp/modules/dnpm-node-setup.sh index bf8fd26..f3681b5 100644 --- a/ccp/modules/dnpm-node-setup.sh +++ b/ccp/modules/dnpm-node-setup.sh 
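Review bot: `traefik.http.middlewares.authup-strip.stripprefix.prefixes=/auth` here differs from the minimal copy of this file later in the patch, which uses `prefixes=/auth/`; the commit message describes fixing a doubled slash in the authup redirect, so one of the two copies is stale and the ccp and minimal nodes will behave differently behind `PUBLIC_URL=https://${HOST}/auth/`. All four new images float on mutable tags (`mysql:9`, `authup/authup:latest`, `ghcr.io/dnpm-dip/portal:latest`, `ghcr.io/dnpm-dip/backend:latest`), so two sites installing on different days run different code and a rollback is not reproducible; the `versions/prod` / `versions/test` files this series just introduced for FOCUS_TAG/BEAM_TAG are the natural place to pin them (e.g. `image: ghcr.io/dnpm-dip/backend:${DNPM_BACKEND_TAG}`, constructed name). authup connects as `DB_USERNAME=root` while `MYSQL_ROOT_HOST: "%"` accepts root from any container on the network; a dedicated user scoped to the `auth` database would limit what a compromised authup container can do to the MySQL instance. The `# expose everything` comment on the `/api` router is accurate: apart from the ETL and peer sub-paths the whole backend API is reachable through Traefik, which is acceptable only if the backend enforces authup authorization on every route, and the comment should state that assumption.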
@@ -1,28 +1,16 @@
 #!/bin/bash
 if [ -n "${ENABLE_DNPM_NODE}" ]; then
- log INFO "DNPM setup detected (BwHC Node) -- will start BwHC node."
+ log INFO "DNPM setup detected -- will start DNPM:DIP node."
 OVERRIDE+=" -f ./$PROJECT/modules/dnpm-node-compose.yml"
 # Set variables required for BwHC Node. ZPM_SITE is assumed to be set in /etc/bridgehead/.conf
- DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password for DNPM. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 if [ -z "${ZPM_SITE+x}" ]; then
 log ERROR "Mandatory variable ZPM_SITE not defined!"
 exit 1
 fi
- if [ -z "${DNPM_DATA_DIR+x}" ]; then
- log ERROR "Mandatory variable DNPM_DATA_DIR not defined!"
- exit 1
- fi
- DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:-0}
- if grep -q 'traefik.http.routers.landing.rule=PathPrefix(`/landing`)' /srv/docker/bridgehead/minimal/docker-compose.override.yml 2>/dev/null; then
- echo "Override of landing page url already in place"
- else
- echo "Adding override of landing page url"
- if [ -f /srv/docker/bridgehead/minimal/docker-compose.override.yml ]; then
- echo -e ' landing:\n labels:\n - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
- else
- echo -e 'version: "3.7"\nservices:\n landing:\n labels:\n - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
- fi
- fi
+ mkdir -p /var/cache/bridgehead/dnpm/ || fail_and_report 1 "Failed to create '/var/cache/bridgehead/dnpm/'. Please run sudo './bridgehead install $PROJECT' again to fix the permissions."
+ DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:--1}
+ DNPM_MYSQL_ROOT_PASSWORD="$(generate_simple_password 'dnpm mysql')"
+ DNPM_AUTHUP_SECRET="$(generate_simple_password 'dnpm authup')"
 fi
diff --git a/minimal/docker-compose.yml b/minimal/docker-compose.yml
index dc76331..159276a 100644
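Review bot: The new compose file builds `LOCAL_SITE=${ZPM_SITE}:${SITE_NAME}`, but this setup script still validates only `ZPM_SITE`; unless `SITE_NAME` is guaranteed by the project config loaded earlier, an unset value yields a `LOCAL_SITE` with an empty name part and the node starts with a malformed site identity. Add the same guard next to the existing one: `if [ -z "${SITE_NAME+x}" ]; then log ERROR "Mandatory variable SITE_NAME not defined!"; exit 1; fi`. The context comment `# Set variables required for BwHC Node.` now names a component this patch removes and should read `# Set variables required for the DNPM:DIP node.`; the `DNPM_SYNTH_NUM` default also moves from 0 to -1 without a comment saying what -1 means to the backend. The minimal copy of this script at the end of the patch has the same gaps.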
--- a/minimal/docker-compose.yml
+++ b/minimal/docker-compose.yml
@@ -16,7 +16,7 @@ services:
 - --entrypoints.web.http.redirections.entrypoint.scheme=https
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard/`)"
+ - "traefik.http.routers.dashboard.rule=PathPrefix(`/dashboard/`)"
 - "traefik.http.routers.dashboard.entrypoints=websecure"
 - "traefik.http.routers.dashboard.service=api@internal"
 - "traefik.http.routers.dashboard.tls=true"
diff --git a/minimal/modules/dnpm-central-targets.json b/minimal/modules/dnpm-central-targets.json
new file mode 100644
index 0000000..5469da0
--- /dev/null
+++ b/minimal/modules/dnpm-central-targets.json
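Review bot: Dropping `PathPrefix(`/api`)` from the dashboard router is understandable now that `/api` belongs to the DNPM backend, but the Traefik dashboard UI fetches its data from `/api/...` on the same origin, so with only `/dashboard/` routed to `api@internal` the page will load and its data requests will either fail or, when the DNPM module is enabled, land on dnpm-backend; please confirm against the Traefik version in use. If the dashboard is still wanted, give it a `Host()`-qualified rule or a separate entrypoint where `/api` is free; if it is not, remove the `dashboard` router labels rather than leaving a half-working one.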
@@ -0,0 +1,142 @@ +{ + "sites": [ + { + "id": "UKFR", + "name": "Freiburg", + "virtualhost": "ukfr.dnpm.de", + "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de" + }, + { + "id": "UKHD", + "name": "Heidelberg", + "virtualhost": "ukhd.dnpm.de", + "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de" + }, + { + "id": "UKT", + "name": "Tübingen", + "virtualhost": "ukt.dnpm.de", + "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de" + }, + { + "id": "UKU", + "name": "Ulm", + "virtualhost": "uku.dnpm.de", + "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de" + }, + { + "id": "UM", + "name": "Mainz", + "virtualhost": "um.dnpm.de", + "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de" + }, + { + "id": "UKMR", + "name": "Marburg", + "virtualhost": "ukmr.dnpm.de", + "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de" + }, + { + "id": "UKE", + "name": "Hamburg", + "virtualhost": "uke.dnpm.de", + "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de" + }, + { + "id": "UKA", + "name": "Aachen", + "virtualhost": "uka.dnpm.de", + "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de" + }, + { + "id": "Charite", + "name": "Berlin", + "virtualhost": "charite.dnpm.de", + "beamconnect": "dnpm-connect.berlin-test.broker.ccp-it.dktk.dkfz.de" + }, + { + "id": "MRI", + "name": "Muenchen-tum", + "virtualhost": "mri.dnpm.de", + "beamconnect": "dnpm-connect.muenchen-tum.broker.ccp-it.dktk.dkfz.de" + }, + { + "id": "KUM", + "name": "Muenchen-lmu", + "virtualhost": "kum.dnpm.de", + "beamconnect": "dnpm-connect.muenchen-lmu.broker.ccp-it.dktk.dkfz.de" + }, + { + "id": "MHH", + "name": "Hannover", + "virtualhost": "mhh.dnpm.de", + "beamconnect": "dnpm-connect.hannover.broker.ccp-it.dktk.dkfz.de" + }, + { + "id": "UKDD", + "name": "dresden-dnpm", + "virtualhost": "ukdd.dnpm.de", + "beamconnect": "dnpm-connect.dresden-dnpm.broker.ccp-it.dktk.dkfz.de" + }, + { + "id": 
"UKB", + "name": "Bonn", + "virtualhost": "ukb.dnpm.de", + "beamconnect": "dnpm-connect.bonn-dnpm.broker.ccp-it.dktk.dkfz.de" + }, + { + "id": "UKD", + "name": "Duesseldorf", + "virtualhost": "ukd.dnpm.de", + "beamconnect": "dnpm-connect.duesseldorf-dnpm.broker.ccp-it.dktk.dkfz.de" + }, + { + "id": "UKK", + "name": "Koeln", + "virtualhost": "ukk.dnpm.de", + "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de" + }, + { + "id": "UME", + "name": "Essen", + "virtualhost": "ume.dnpm.de", + "beamconnect": "dnpm-connect.essen.broker.ccp-it.dktk.dkfz.de" + }, + { + "id": "UKM", + "name": "Muenster", + "virtualhost": "ukm.dnpm.de", + "beamconnect": "dnpm-connect.muenster-dnpm.broker.ccp-it.dktk.dkfz.de" + }, + { + "id": "UKF", + "name": "Frankfurt", + "virtualhost": "ukf.dnpm.de", + "beamconnect": "dnpm-connect.frankfurt.broker.ccp-it.dktk.dkfz.de" + }, + { + "id": "UMG", + "name": "Goettingen", + "virtualhost": "umg.dnpm.de", + "beamconnect": "dnpm-connect.goettingen.broker.ccp-it.dktk.dkfz.de" + }, + { + "id": "UKW", + "name": "Würzburg", + "virtualhost": "ukw.dnpm.de", + "beamconnect": "dnpm-connect.wuerzburg-dnpm.broker.ccp-it.dktk.dkfz.de" + }, + { + "id": "UKSH", + "name": "Schleswig-Holstein", + "virtualhost": "uksh.dnpm.de", + "beamconnect": "dnpm-connect.uksh-dnpm.broker.ccp-it.dktk.dkfz.de" + }, + { + "id": "TKT", + "name": "Test", + "virtualhost": "tkt.dnpm.de", + "beamconnect": "dnpm-connect.tobias-develop.broker.ccp-it.dktk.dkfz.de" + } + ] +} diff --git a/minimal/modules/dnpm-compose.yml b/minimal/modules/dnpm-compose.yml index 646a457..1c9a36a 100644 --- a/minimal/modules/dnpm-compose.yml +++ b/minimal/modules/dnpm-compose.yml 
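Review bot: The committed central target list includes a test site (`"id": "TKT"`, `"name": "Test"`, broker `dnpm-connect.tobias-develop.broker.ccp-it.dktk.dkfz.de`) and a Charite entry pointing at `dnpm-connect.berlin-test.broker.ccp-it.dktk.dkfz.de`, and the file is bind-mounted read-only into every site's connector regardless of `ENVIRONMENT`. Production nodes will presumably treat those developer and test brokers as discoverable peers; since this series just introduced `versions/prod` and `versions/test`, the same switch could select a production-only targets file, or the test entries could live outside the committed list. JSON allows no header comment, so the compose file or README should state how this list is maintained and who may add entries.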
@@ -29,7 +29,7 @@ services:
 PROXY_APIKEY: ${DNPM_BEAM_SECRET_SHORT}
 APP_ID: dnpm-connect.${DNPM_PROXY_ID}
 DISCOVERY_URL: "./conf/central_targets.json"
- LOCAL_TARGETS_FILE: "./conf/connect_targets.json"
+ LOCAL_TARGETS_FILE: "/conf/connect_targets.json"
 HTTP_PROXY: http://forward_proxy:3128
 HTTPS_PROXY: http://forward_proxy:3128
 NO_PROXY: dnpm-beam-proxy,dnpm-backend, host.docker.internal${DNPM_ADDITIONAL_NO_PROXY}
@@ -41,7 +41,7 @@ services:
 volumes:
 - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
 - /etc/bridgehead/dnpm/local_targets.json:/conf/connect_targets.json:ro
- - /etc/bridgehead/dnpm/central_targets.json:/conf/central_targets.json:ro
+ - /srv/docker/bridgehead/minimal/modules/dnpm-central-targets.json:/conf/central_targets.json:ro
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.dnpm-connect.rule=PathPrefix(`/dnpm-connect`)"
diff --git a/minimal/modules/dnpm-node-compose.yml b/minimal/modules/dnpm-node-compose.yml
index ee84d89..8c2b146 100644
--- a/minimal/modules/dnpm-node-compose.yml
+++ b/minimal/modules/dnpm-node-compose.yml
@@ -1,34 +1,99 @@ version: "3.7" services: - dnpm-backend: - image: ghcr.io/kohlbacherlab/bwhc-backend:1.0-snapshot-broker-connector - container_name: bridgehead-dnpm-backend + dnpm-mysql: + image: mysql:9 + healthcheck: + test: [ "CMD", "mysqladmin" ,"ping", "-h", "localhost" ] + interval: 3s + timeout: 5s + retries: 5 environment: - - ZPM_SITE=${ZPM_SITE} - - N_RANDOM_FILES=${DNPM_SYNTH_NUM} + MYSQL_ROOT_HOST: "%" + MYSQL_ROOT_PASSWORD: ${DNPM_MYSQL_ROOT_PASSWORD} volumes: - - /etc/bridgehead/dnpm:/bwhc_config:ro - - ${DNPM_DATA_DIR}:/bwhc_data - labels: - - "traefik.enable=true" - - "traefik.http.routers.bwhc-backend.rule=PathPrefix(`/bwhc`)" - - "traefik.http.services.bwhc-backend.loadbalancer.server.port=9000" - - "traefik.http.routers.bwhc-backend.tls=true" + - /var/cache/bridgehead/dnpm/mysql:/var/lib/mysql - dnpm-frontend: - image: ghcr.io/kohlbacherlab/bwhc-frontend:2209 - container_name: bridgehead-dnpm-frontend - links: - - dnpm-backend + dnpm-authup: + image: authup/authup:latest + container_name: bridgehead-dnpm-authup + volumes: + - /var/cache/bridgehead/dnpm/authup:/usr/src/app/writable + depends_on: + dnpm-mysql: + condition: service_healthy + command: server/core start environment: - - NUXT_HOST=0.0.0.0 - - NUXT_PORT=8080 - - BACKEND_PROTOCOL=https - - BACKEND_HOSTNAME=$HOST - - BACKEND_PORT=443 + - PUBLIC_URL=https://${HOST}/auth/ + - AUTHORIZE_REDIRECT_URL=https://${HOST} + - ROBOT_ADMIN_ENABLED=true + - ROBOT_ADMIN_SECRET=${DNPM_AUTHUP_SECRET} + - ROBOT_ADMIN_SECRET_RESET=true + - DB_TYPE=mysql + - DB_HOST=dnpm-mysql + - DB_USERNAME=root + - DB_PASSWORD=${DNPM_MYSQL_ROOT_PASSWORD} + - DB_DATABASE=auth labels: - "traefik.enable=true" - - "traefik.http.routers.bwhc-frontend.rule=PathPrefix(`/`)" - - "traefik.http.services.bwhc-frontend.loadbalancer.server.port=8080" - - "traefik.http.routers.bwhc-frontend.tls=true" + - "traefik.http.middlewares.authup-strip.stripprefix.prefixes=/auth/" + - "traefik.http.routers.dnpm-auth.middlewares=authup-strip" 
+ - "traefik.http.routers.dnpm-auth.rule=PathPrefix(`/auth`)" + - "traefik.http.services.dnpm-auth.loadbalancer.server.port=3000" + - "traefik.http.routers.dnpm-auth.tls=true" + + dnpm-portal: + image: ghcr.io/dnpm-dip/portal:latest + container_name: bridgehead-dnpm-portal + environment: + - NUXT_API_URL=http://dnpm-backend:9000/ + - NUXT_PUBLIC_API_URL=https://${HOST}/api/ + - NUXT_AUTHUP_URL=http://dnpm-authup:3000/ + - NUXT_PUBLIC_AUTHUP_URL=https://${HOST}/auth/ + labels: + - "traefik.enable=true" + - "traefik.http.routers.dnpm-frontend.rule=PathPrefix(`/`)" + - "traefik.http.services.dnpm-frontend.loadbalancer.server.port=3000" + - "traefik.http.routers.dnpm-frontend.tls=true" + + dnpm-backend: + container_name: bridgehead-dnpm-backend + image: ghcr.io/dnpm-dip/backend:latest + environment: + - LOCAL_SITE=${ZPM_SITE}:${SITE_NAME} # Format: {Site-ID}:{Site-name}, e.g. UKT:Tübingen + - RD_RANDOM_DATA=${DNPM_SYNTH_NUM:--1} + - MTB_RANDOM_DATA=${DNPM_SYNTH_NUM:--1} + - HATEOAS_HOST=https://${HOST} + - CONNECTOR_TYPE=broker + - AUTHUP_URL=robot://system:${DNPM_AUTHUP_SECRET}@http://dnpm-authup:3000 + volumes: + - /etc/bridgehead/dnpm/config:/dnpm_config + - /var/cache/bridgehead/dnpm/backend-data:/dnpm_data + depends_on: + dnpm-authup: + condition: service_healthy + labels: + - "traefik.enable=true" + - "traefik.http.services.dnpm-backend.loadbalancer.server.port=9000" + # expose everything + - "traefik.http.routers.dnpm-backend.rule=PathPrefix(`/api`)" + - "traefik.http.routers.dnpm-backend.tls=true" + - "traefik.http.routers.dnpm-backend.service=dnpm-backend" + # except ETL + - "traefik.http.routers.dnpm-backend-etl.rule=PathRegexp(`^/api(/.*)?etl(/.*)?$`)" + - "traefik.http.routers.dnpm-backend-etl.tls=true" + - "traefik.http.routers.dnpm-backend-etl.service=dnpm-backend" + # this needs an ETL processor with support for basic auth + - "traefik.http.routers.dnpm-backend-etl.middlewares=auth" + # except peer-to-peer + - 
"traefik.http.routers.dnpm-backend-peer.rule=PathRegexp(`^/api(/.*)?/peer2peer(/.*)?$`)" + - "traefik.http.routers.dnpm-backend-peer.tls=true" + - "traefik.http.routers.dnpm-backend-peer.service=dnpm-backend" + - "traefik.http.routers.dnpm-backend-peer.middlewares=dnpm-backend-peer" + # this effectively denies all requests + # this is okay, because requests from peers don't go through Traefik + - "traefik.http.middlewares.dnpm-backend-peer.ipWhiteList.sourceRange=0.0.0.0/32" + + landing: + labels: + - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)" diff --git a/minimal/modules/dnpm-node-setup.sh b/minimal/modules/dnpm-node-setup.sh index bf8fd26..f3681b5 100644 --- a/minimal/modules/dnpm-node-setup.sh +++ b/minimal/modules/dnpm-node-setup.sh 
@@ -1,28 +1,16 @@
 #!/bin/bash
 if [ -n "${ENABLE_DNPM_NODE}" ]; then
- log INFO "DNPM setup detected (BwHC Node) -- will start BwHC node."
+ log INFO "DNPM setup detected -- will start DNPM:DIP node."
 OVERRIDE+=" -f ./$PROJECT/modules/dnpm-node-compose.yml"
 # Set variables required for BwHC Node. ZPM_SITE is assumed to be set in /etc/bridgehead/.conf
- DNPM_APPLICATION_SECRET="$(echo \"This is a salt string to generate one consistent password for DNPM. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 if [ -z "${ZPM_SITE+x}" ]; then
 log ERROR "Mandatory variable ZPM_SITE not defined!"
 exit 1
 fi
- if [ -z "${DNPM_DATA_DIR+x}" ]; then
- log ERROR "Mandatory variable DNPM_DATA_DIR not defined!"
- exit 1
- fi
- DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:-0}
- if grep -q 'traefik.http.routers.landing.rule=PathPrefix(`/landing`)' /srv/docker/bridgehead/minimal/docker-compose.override.yml 2>/dev/null; then
- echo "Override of landing page url already in place"
- else
- echo "Adding override of landing page url"
- if [ -f /srv/docker/bridgehead/minimal/docker-compose.override.yml ]; then
- echo -e ' landing:\n labels:\n - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
- else
- echo -e 'version: "3.7"\nservices:\n landing:\n labels:\n - "traefik.http.routers.landing.rule=PathPrefix(`/landing`)"' >> /srv/docker/bridgehead/minimal/docker-compose.override.yml
- fi
- fi
+ mkdir -p /var/cache/bridgehead/dnpm/ || fail_and_report 1 "Failed to create '/var/cache/bridgehead/dnpm/'. Please run sudo './bridgehead install $PROJECT' again to fix the permissions."
+ DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:--1}
+ DNPM_MYSQL_ROOT_PASSWORD="$(generate_simple_password 'dnpm mysql')"
+ DNPM_AUTHUP_SECRET="$(generate_simple_password 'dnpm authup')"
 fi