Changed: replace keycloak with oidc

ccp/modules/datashield-compose.yml

@@ -15,7 +15,6 @@ services:
       - "traefik.enable=true"
       - "traefik.http.routers.rstudio_ccp.rule=PathPrefix(`/rstudio`)"
       - "traefik.http.services.rstudio_ccp.loadbalancer.server.port=8787"
-      - "traefik.http.routers.rstudio_ccp.tls=true"
       - "traefik.http.middlewares.rstudio_ccp_strip.stripprefix.prefixes=/rstudio"
       - "traefik.http.routers.rstudio_ccp.tls=true"
       - "traefik.http.routers.rstudio_ccp.middlewares=oidcAuth,rstudio_ccp_strip"
@@ -46,11 +45,11 @@ services:
       APP_CONTEXT_PATH: "/opal"
       OPAL_PRIVATE_KEY: "/run/secrets/opal-key.pem"
       OPAL_CERTIFICATE: "/run/secrets/opal-cert.pem"
-      KEYCLOAK_URL: "${KEYCLOAK_URL}"
+      OIDC_URL: "${OIDC_URL}"
-      KEYCLOAK_REALM: "${KEYCLOAK_REALM}"
+      OIDC_REALM: "${OIDC_REALM}"
-      KEYCLOAK_CLIENT_ID: "${KEYCLOAK_PRIVATE_CLIENT_ID}"
+      OIDC_CLIENT_ID: "${OIDC_PRIVATE_CLIENT_ID}"
-      KEYCLOAK_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
+      OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
-      KEYCLOAK_ADMIN_GROUP: "${KEYCLOAK_ADMIN_GROUP}"
+      OIDC_ADMIN_GROUP: "${OIDC_ADMIN_GROUP}"
       TOKEN_MANAGER_PASSWORD: "${TOKEN_MANAGER_OPAL_PASSWORD}"
       EXPORTER_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
       BEAM_APP_ID: token-manager.${PROXY_ID}
@@ -113,15 +112,15 @@ services:
       APP_datashield-connect_KEY: ${DATASHIELD_CONNECT_SECRET}
       APP_token-manager_KEY: ${TOKEN_MANAGER_SECRET}
 
-  # TODO: Allow users of group /DataSHIELD and KEYCLOAK_USER_GROUP at the same time:
+  # TODO: Allow users of group /DataSHIELD and OIDC_USER_GROUP at the same time:
   # Maybe a solution would be (https://oauth2-proxy.github.io/oauth2-proxy/configuration/oauth_provider):
-  # --allowed-groups=/DataSHIELD,KEYCLOAK_USER_GROUP
+  # --allowed-groups=/DataSHIELD,OIDC_USER_GROUP
   oauth2_proxy:
     image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest
     container_name: bridgehead_oauth2_proxy
     command: >-
       --allowed-group=DataSHIELD
-      --oidc-groups-claim=${KEYCLOAK_GROUP_CLAIM}
+      --oidc-groups-claim=${OIDC_GROUP_CLAIM}
       --auth-logging=true
       --whitelist-domain=${HOST}
       --http-address="0.0.0.0:4180"
@@ -136,10 +135,10 @@ services:
       #OIDC settings
       --provider="keycloak-oidc"
       --provider-display-name="VerbIS Login"
-      --client-id="${KEYCLOAK_PRIVATE_CLIENT_ID}"
+      --client-id="${OIDC_PRIVATE_CLIENT_ID}"
       --client-secret="${OIDC_CLIENT_SECRET}"
       --redirect-url="https://${HOST}${OAUTH2_CALLBACK}"
-      --oidc-issuer-url="${KEYCLOAK_ISSUER_URL}"
+      --oidc-issuer-url="${OIDC_ISSUER_URL}"
       --scope="openid email profile"
       --code-challenge-method="S256"
       --skip-provider-button=true
@@ -147,6 +146,7 @@ services:
       --pass-basic-auth=true
       --pass-user-headers=false
       --pass-access-token=false
+
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.oauth2_proxy.rule=Host(`${HOST}`) && PathPrefix(`/oauth2`, `/oauth2/callback`)"

ccp/modules/mtba-compose.yml

@@ -2,9 +2,7 @@ version: "3.7"
 
 services:
   mtba:
-    #image: docker.verbis.dkfz.de/cache/samply/mtba:latest
+    image: docker.verbis.dkfz.de/cache/samply/mtba:develop
-    #image: docker.verbis.dkfz.de/cache/samply/mtba:develop
-    image: samply/mtba:develop
     container_name: bridgehead-mtba
     environment:
       BLAZE_STORE_URL: http://blaze:8080
@@ -22,6 +20,12 @@ services:
       FILE_END_OF_LINE: ${MTBA_FILE_END_OF_LINE:-LF}
       CSV_DELIMITER: ${MTBA_CSV_DELIMITER:-TAB}
       HTTP_RELATIVE_PATH: "/mtba"
+      OIDC_ADMIN_GROUP: "${OIDC_ADMIN_GROUP}"
+      OIDC_CLIENT_ID: "${OIDC_PRIVATE_CLIENT_ID}"
+      OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
+      OIDC_REALM: "${OIDC_REALM}"
+      OIDC_URL: "${OIDC_URL}"
+
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.mtba_ccp.rule=PathPrefix(`/mtba`)"

ccp/modules/teiler-compose.yml

@@ -19,7 +19,7 @@ services:
       HTTP_RELATIVE_PATH: "/ccp-teiler"
 
   teiler-dashboard:
-    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:latest
+    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:develop
     container_name: bridgehead-teiler-dashboard
     labels:
       - "traefik.enable=true"
@@ -31,10 +31,10 @@ services:
     environment:
       DEFAULT_LANGUAGE: "${DEFAULT_LANGUAGE}"
       TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
-      KEYCLOAK_URL: "${KEYCLOAK_URL}"
+      OIDC_URL: "${OIDC_URL}"
-      KEYCLOAK_REALM: "${KEYCLOAK_REALM}"
+      OIDC_REALM: "${OIDC_REALM}"
-      KEYCLOAK_CLIENT_ID: "${KEYCLOAK_PUBLIC_CLIENT_ID}"
+      OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}"
-      KEYCLOAK_TOKEN_GROUP: "${KEYCLOAK_GROUP_CLAIM}"
+      OIDC_TOKEN_GROUP: "${OIDC_GROUP_CLAIM}"
       TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
       TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
       TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
@@ -43,8 +43,8 @@ services:
       TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
       TEILER_DASHBOARD_HTTP_RELATIVE_PATH: "/ccp-teiler-dashboard"
       TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
-      TEILER_USER: "${KEYCLOAK_USER_GROUP}"
+      TEILER_USER: "${OIDC_USER_GROUP}"
-      TEILER_ADMIN: "${KEYCLOAK_ADMIN_GROUP}"
+      TEILER_ADMIN: "${OIDC_ADMIN_GROUP}"
       REPORTER_DEFAULT_TEMPLATE_ID: "ccp-qb"
       EXPORTER_DEFAULT_TEMPLATE_ID: "ccp"
 

ccp/vars

@@ -10,19 +10,18 @@ BROKER_URL_FOR_PREREQ=$BROKER_URL
 DEFAULT_LANGUAGE=DE
 DEFAULT_LANGUAGE_LOWER_CASE=${DEFAULT_LANGUAGE,,}
 ENABLE_EXPORTER=true
-ENABLE_LOGIN=true
 ENABLE_TEILER=true
 #ENABLE_DATASHIELD=true
 
-KEYCLOAK_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})"
+OIDC_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})"
-KEYCLOAK_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter"
+OIDC_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter"
-KEYCLOAK_PRIVATE_CLIENT_ID=${SITE_ID}-private
+OIDC_PRIVATE_CLIENT_ID=${SITE_ID}-private
-KEYCLOAK_PUBLIC_CLIENT_ID=${SITE_ID}-public
+OIDC_PUBLIC_CLIENT_ID=${SITE_ID}-public
 # Use "test-realm-01" for testing
-KEYCLOAK_REALM="${KEYCLOAK_REALM:-master}"
+OIDC_REALM="${OIDC_REALM:-master}"
-KEYCLOAK_URL="https://login.verbis.dkfz.de"
+OIDC_URL="https://login.verbis.dkfz.de"
-KEYCLOAK_ISSUER_URL="${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}"
+OIDC_ISSUER_URL="${OIDC_URL}/realms/${OIDC_REALM}"
-KEYCLOAK_GROUP_CLAIM="groups"
+OIDC_GROUP_CLAIM="groups"
 OAUTH2_CALLBACK=/oauth2/callback
 OAUTH2_PROXY_SECRET="$(echo \"This is a salt string to generate one consistent encryption key for the oauth2_proxy. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 32)"
 

lib/functions.sh

@@ -282,7 +282,7 @@ function sync_secrets() {
     docker run --rm \
         -v /var/cache/bridgehead/secrets/oidc:/usr/local/cache \
         -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
-        -v ./$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
+        -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
         -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
         -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
         -e NO_PROXY=localhost,127.0.0.1 \

minimal/docker-compose.yml

@@ -57,5 +57,3 @@ services:
       HOST: ${HOST}
       PROJECT: ${PROJECT}
       SITE_NAME: ${SITE_NAME}
-
-