Removed outdated labels for the ovis-backend service and updated the middleware configuration for the ovis-frontend-ccp service to ensure proper routing and authentication. This streamlines the service setup and enhances clarity in the configuration.
Eliminated the environment variables and volume mounts related to trusted CA certificates in both the ovis-compose.yml and ovis-setup.sh files. This streamlines the configuration by relying solely on the system trust store for OIDC provider communication, simplifying the initialization process for the OVIS module.
Updated the ovis-setup.sh script to support both .crt and .pem certificate files for OIDC providers. Enhanced validation of CA candidates with improved logging to indicate skipped non-certificate files and clarified messages regarding the presence of valid CA files. This ensures better feedback during the OVIS module initialization process.
Enhanced the ovis-setup.sh script to include a comprehensive log message when the OVIS module is enabled. This update provides clear visual feedback during the initialization process, indicating that OVIS services will start with local oauth2-proxy middleware.
Updated the ovis-setup.sh script to improve handling of the trusted CA directory, ensuring that the oauth2-proxy uses the system trust store if the directory is missing. Adjusted logging messages for clarity regarding the detection of custom OIDC CA files, specifically focusing on .crt files. Additionally, added a new environment variable for TLS_CA_CERTIFICATES_DIR in the ovis-compose.yml file to support trusted CA certificates.
Enhanced the OVIS setup by introducing support for custom OIDC CA files in the oauth2-proxy configuration. Updated the ovis-compose.yml to include new environment variables and volume mounts for trusted CA certificates. Modified the ovis-setup.sh script to detect and log the presence of custom CA files, ensuring secure communication with OIDC providers.
Changed the image reference for the ovis-frontend service to use the updated `ovis-frontend` tag, ensuring consistency with the latest deployment standards.
Changed the service name for the OVIS frontend load balancer from `ovis-frontend` to `ovis-frontend-ccp`, ensuring consistency with the updated routing setup.
Replaced the existing middleware for path prefix stripping with a new middleware, ensuring proper handling of the `/ccp-ovis` path. This change enhances the routing setup by integrating both the slash-redirect and prefix-strip middlewares for improved service accessibility.
Configured new environment variables for the ovis-frontend service, including OVIS_PUBLIC_BASE_PATH, PUBLIC_GRAPHQL_URL, PUBLIC_LOGIN_ENABLED, and PUBLIC_OVIS_IMPORT, to enhance service configuration and accessibility.
Introduced a new service, `ovis-traefik-forward-auth`, to handle authentication via oauth2-proxy. Updated Traefik routing for existing services to integrate the new middleware, ensuring secure access control. Adjusted logging in ovis-setup.sh to reflect the addition of the oauth2-proxy middleware in the OVIS setup process.
Changed the image for the ovis-frontend service to use the new `ovis-frontend-ccp` tag, reflecting the latest version. Removed unnecessary environment variables to streamline the configuration.
Collapse the `/ccp-ovis` slash-redirect and prefix-strip flow into one `ovis-frontend-ccp` router by attaching both middlewares in order (redirect, then strip). This removes redundant router labels while preserving canonical `/ccp-ovis -> /ccp-ovis/` behavior and mounted-path forwarding to the frontend service.
Apply the PR #375 review feedback by removing Bridgehead-specific compose/setup overrides
that duplicated upstream OVIS behavior and by switching to the upstream-built Mongo image
that already contains init logic.
- rename CCP OVIS services to consistent upstream-style names (`ovis-*`) and update internal dependencies
- switch Mongo service image from direct `mongo:latest` + host-mounted init script to `docker.verbis.dkfz.de/ovis/ovis-backend-mongodb:latest`
- remove obsolete Mongo init bind mount (`/docker-entrypoint-initdb.d/init.js`) from compose
- drop redundant runtime overrides from compose (`restart`, `command`, `user`, `working_dir`)
- remove duplicated app-default/preprocessor env overrides (`OVIS_PREPROC_*`, misc backend defaults) and keep deployment wiring only
- fix Mongo connection env usage to `ADDRESS` and point services to `ovis-backend-database-mongodb`
- remove temporary root-compat Traefik redirect shim and keep mounted `/ccp-ovis` routing labels
- remove setup-time generation of Mongo init.js and related cache directory prep from `ccp/modules/ovis-setup.sh`
Right now, Directory sync will only be activated if a username has been
specified. It also needs to run if a login token has been specified,
hence the change in this commit.
The Directory team have requested that we allow token login to the
Directory, where a user uses LSAAI credentials to obtain a token from
the Directory, and then uses this to authenticate Directory sync. This
has been implemented via an environment variable, in an analogous way to
the already existing username/password method.
The default start time for the Directory sync has been shifted to 22:30,
to prevent conflicts with the Bridgehead auto-update.
Relevant changes have been made to the documentation.
Co-authored-by: Torben Brenner <76154651+torbrenner@users.noreply.github.com>
Co-authored-by: Jan <59206115+Threated@users.noreply.github.com>
Co-authored-by: Martin Lablans <6804500+lablans@users.noreply.github.com>
