Changed: replace keycloak with oidc

This commit is contained in:
juarez 2024-02-13 18:54:26 +01:00
parent 19d0fefe94
commit f72e7c7799
6 changed files with 34 additions and 33 deletions

View File

@ -15,7 +15,6 @@ services:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.http.routers.rstudio_ccp.rule=PathPrefix(`/rstudio`)" - "traefik.http.routers.rstudio_ccp.rule=PathPrefix(`/rstudio`)"
- "traefik.http.services.rstudio_ccp.loadbalancer.server.port=8787" - "traefik.http.services.rstudio_ccp.loadbalancer.server.port=8787"
- "traefik.http.routers.rstudio_ccp.tls=true"
- "traefik.http.middlewares.rstudio_ccp_strip.stripprefix.prefixes=/rstudio" - "traefik.http.middlewares.rstudio_ccp_strip.stripprefix.prefixes=/rstudio"
- "traefik.http.routers.rstudio_ccp.tls=true" - "traefik.http.routers.rstudio_ccp.tls=true"
- "traefik.http.routers.rstudio_ccp.middlewares=oidcAuth,rstudio_ccp_strip" - "traefik.http.routers.rstudio_ccp.middlewares=oidcAuth,rstudio_ccp_strip"
@ -46,11 +45,11 @@ services:
APP_CONTEXT_PATH: "/opal" APP_CONTEXT_PATH: "/opal"
OPAL_PRIVATE_KEY: "/run/secrets/opal-key.pem" OPAL_PRIVATE_KEY: "/run/secrets/opal-key.pem"
OPAL_CERTIFICATE: "/run/secrets/opal-cert.pem" OPAL_CERTIFICATE: "/run/secrets/opal-cert.pem"
KEYCLOAK_URL: "${KEYCLOAK_URL}" OIDC_URL: "${OIDC_URL}"
KEYCLOAK_REALM: "${KEYCLOAK_REALM}" OIDC_REALM: "${OIDC_REALM}"
KEYCLOAK_CLIENT_ID: "${KEYCLOAK_PRIVATE_CLIENT_ID}" OIDC_CLIENT_ID: "${OIDC_PRIVATE_CLIENT_ID}"
KEYCLOAK_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}" OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
KEYCLOAK_ADMIN_GROUP: "${KEYCLOAK_ADMIN_GROUP}" OIDC_ADMIN_GROUP: "${OIDC_ADMIN_GROUP}"
TOKEN_MANAGER_PASSWORD: "${TOKEN_MANAGER_OPAL_PASSWORD}" TOKEN_MANAGER_PASSWORD: "${TOKEN_MANAGER_OPAL_PASSWORD}"
EXPORTER_PASSWORD: "${EXPORTER_OPAL_PASSWORD}" EXPORTER_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
BEAM_APP_ID: token-manager.${PROXY_ID} BEAM_APP_ID: token-manager.${PROXY_ID}
@ -113,15 +112,15 @@ services:
APP_datashield-connect_KEY: ${DATASHIELD_CONNECT_SECRET} APP_datashield-connect_KEY: ${DATASHIELD_CONNECT_SECRET}
APP_token-manager_KEY: ${TOKEN_MANAGER_SECRET} APP_token-manager_KEY: ${TOKEN_MANAGER_SECRET}
# TODO: Allow users of group /DataSHIELD and KEYCLOAK_USER_GROUP at the same time: # TODO: Allow users of group /DataSHIELD and OIDC_USER_GROUP at the same time:
# Maybe a solution would be (https://oauth2-proxy.github.io/oauth2-proxy/configuration/oauth_provider): # Maybe a solution would be (https://oauth2-proxy.github.io/oauth2-proxy/configuration/oauth_provider):
# --allowed-groups=/DataSHIELD,KEYCLOAK_USER_GROUP # --allowed-groups=/DataSHIELD,OIDC_USER_GROUP
oauth2_proxy: oauth2_proxy:
image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest
container_name: bridgehead_oauth2_proxy container_name: bridgehead_oauth2_proxy
command: >- command: >-
--allowed-group=DataSHIELD --allowed-group=DataSHIELD
--oidc-groups-claim=${KEYCLOAK_GROUP_CLAIM} --oidc-groups-claim=${OIDC_GROUP_CLAIM}
--auth-logging=true --auth-logging=true
--whitelist-domain=${HOST} --whitelist-domain=${HOST}
--http-address="0.0.0.0:4180" --http-address="0.0.0.0:4180"
@ -136,10 +135,10 @@ services:
#OIDC settings #OIDC settings
--provider="keycloak-oidc" --provider="keycloak-oidc"
--provider-display-name="VerbIS Login" --provider-display-name="VerbIS Login"
--client-id="${KEYCLOAK_PRIVATE_CLIENT_ID}" --client-id="${OIDC_PRIVATE_CLIENT_ID}"
--client-secret="${OIDC_CLIENT_SECRET}" --client-secret="${OIDC_CLIENT_SECRET}"
--redirect-url="https://${HOST}${OAUTH2_CALLBACK}" --redirect-url="https://${HOST}${OAUTH2_CALLBACK}"
--oidc-issuer-url="${KEYCLOAK_ISSUER_URL}" --oidc-issuer-url="${OIDC_ISSUER_URL}"
--scope="openid email profile" --scope="openid email profile"
--code-challenge-method="S256" --code-challenge-method="S256"
--skip-provider-button=true --skip-provider-button=true
@ -147,6 +146,7 @@ services:
--pass-basic-auth=true --pass-basic-auth=true
--pass-user-headers=false --pass-user-headers=false
--pass-access-token=false --pass-access-token=false
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.http.routers.oauth2_proxy.rule=Host(`${HOST}`) && PathPrefix(`/oauth2`, `/oauth2/callback`)" - "traefik.http.routers.oauth2_proxy.rule=Host(`${HOST}`) && PathPrefix(`/oauth2`, `/oauth2/callback`)"

View File

@ -2,9 +2,7 @@ version: "3.7"
services: services:
mtba: mtba:
#image: docker.verbis.dkfz.de/cache/samply/mtba:latest image: docker.verbis.dkfz.de/cache/samply/mtba:develop
#image: docker.verbis.dkfz.de/cache/samply/mtba:develop
image: samply/mtba:develop
container_name: bridgehead-mtba container_name: bridgehead-mtba
environment: environment:
BLAZE_STORE_URL: http://blaze:8080 BLAZE_STORE_URL: http://blaze:8080
@ -22,6 +20,12 @@ services:
FILE_END_OF_LINE: ${MTBA_FILE_END_OF_LINE:-LF} FILE_END_OF_LINE: ${MTBA_FILE_END_OF_LINE:-LF}
CSV_DELIMITER: ${MTBA_CSV_DELIMITER:-TAB} CSV_DELIMITER: ${MTBA_CSV_DELIMITER:-TAB}
HTTP_RELATIVE_PATH: "/mtba" HTTP_RELATIVE_PATH: "/mtba"
OIDC_ADMIN_GROUP: "${OIDC_ADMIN_GROUP}"
OIDC_CLIENT_ID: "${OIDC_PRIVATE_CLIENT_ID}"
OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
OIDC_REALM: "${OIDC_REALM}"
OIDC_URL: "${OIDC_URL}"
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.http.routers.mtba_ccp.rule=PathPrefix(`/mtba`)" - "traefik.http.routers.mtba_ccp.rule=PathPrefix(`/mtba`)"

View File

@ -19,7 +19,7 @@ services:
HTTP_RELATIVE_PATH: "/ccp-teiler" HTTP_RELATIVE_PATH: "/ccp-teiler"
teiler-dashboard: teiler-dashboard:
image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:latest image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:develop
container_name: bridgehead-teiler-dashboard container_name: bridgehead-teiler-dashboard
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
@ -31,10 +31,10 @@ services:
environment: environment:
DEFAULT_LANGUAGE: "${DEFAULT_LANGUAGE}" DEFAULT_LANGUAGE: "${DEFAULT_LANGUAGE}"
TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend" TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
KEYCLOAK_URL: "${KEYCLOAK_URL}" OIDC_URL: "${OIDC_URL}"
KEYCLOAK_REALM: "${KEYCLOAK_REALM}" OIDC_REALM: "${OIDC_REALM}"
KEYCLOAK_CLIENT_ID: "${KEYCLOAK_PUBLIC_CLIENT_ID}" OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}"
KEYCLOAK_TOKEN_GROUP: "${KEYCLOAK_GROUP_CLAIM}" OIDC_TOKEN_GROUP: "${OIDC_GROUP_CLAIM}"
TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}" TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}" TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}" TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
@ -43,8 +43,8 @@ services:
TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler" TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
TEILER_DASHBOARD_HTTP_RELATIVE_PATH: "/ccp-teiler-dashboard" TEILER_DASHBOARD_HTTP_RELATIVE_PATH: "/ccp-teiler-dashboard"
TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler" TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
TEILER_USER: "${KEYCLOAK_USER_GROUP}" TEILER_USER: "${OIDC_USER_GROUP}"
TEILER_ADMIN: "${KEYCLOAK_ADMIN_GROUP}" TEILER_ADMIN: "${OIDC_ADMIN_GROUP}"
REPORTER_DEFAULT_TEMPLATE_ID: "ccp-qb" REPORTER_DEFAULT_TEMPLATE_ID: "ccp-qb"
EXPORTER_DEFAULT_TEMPLATE_ID: "ccp" EXPORTER_DEFAULT_TEMPLATE_ID: "ccp"

View File

@ -10,19 +10,18 @@ BROKER_URL_FOR_PREREQ=$BROKER_URL
DEFAULT_LANGUAGE=DE DEFAULT_LANGUAGE=DE
DEFAULT_LANGUAGE_LOWER_CASE=${DEFAULT_LANGUAGE,,} DEFAULT_LANGUAGE_LOWER_CASE=${DEFAULT_LANGUAGE,,}
ENABLE_EXPORTER=true ENABLE_EXPORTER=true
ENABLE_LOGIN=true
ENABLE_TEILER=true ENABLE_TEILER=true
#ENABLE_DATASHIELD=true #ENABLE_DATASHIELD=true
KEYCLOAK_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})" OIDC_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})"
KEYCLOAK_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter" OIDC_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter"
KEYCLOAK_PRIVATE_CLIENT_ID=${SITE_ID}-private OIDC_PRIVATE_CLIENT_ID=${SITE_ID}-private
KEYCLOAK_PUBLIC_CLIENT_ID=${SITE_ID}-public OIDC_PUBLIC_CLIENT_ID=${SITE_ID}-public
# Use "test-realm-01" for testing # Use "test-realm-01" for testing
KEYCLOAK_REALM="${KEYCLOAK_REALM:-master}" OIDC_REALM="${OIDC_REALM:-master}"
KEYCLOAK_URL="https://login.verbis.dkfz.de" OIDC_URL="https://login.verbis.dkfz.de"
KEYCLOAK_ISSUER_URL="${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}" OIDC_ISSUER_URL="${OIDC_URL}/realms/${OIDC_REALM}"
KEYCLOAK_GROUP_CLAIM="groups" OIDC_GROUP_CLAIM="groups"
OAUTH2_CALLBACK=/oauth2/callback OAUTH2_CALLBACK=/oauth2/callback
OAUTH2_PROXY_SECRET="$(echo \"This is a salt string to generate one consistent encryption key for the oauth2_proxy. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 32)" OAUTH2_PROXY_SECRET="$(echo \"This is a salt string to generate one consistent encryption key for the oauth2_proxy. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 32)"

View File

@ -282,7 +282,7 @@ function sync_secrets() {
docker run --rm \ docker run --rm \
-v /var/cache/bridgehead/secrets/oidc:/usr/local/cache \ -v /var/cache/bridgehead/secrets/oidc:/usr/local/cache \
-v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \ -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
-v ./$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \ -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
-v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \ -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
-e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \ -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
-e NO_PROXY=localhost,127.0.0.1 \ -e NO_PROXY=localhost,127.0.0.1 \

View File

@ -57,5 +57,3 @@ services:
HOST: ${HOST} HOST: ${HOST}
PROJECT: ${PROJECT} PROJECT: ${PROJECT}
SITE_NAME: ${SITE_NAME} SITE_NAME: ${SITE_NAME}