refactor: explicitly set logging - to squash

README.md

@@ -76,7 +76,7 @@ The following URLs need to be accessible (prefix with `https://`):
   * git.verbis.dkfz.de
 * To fetch docker images
   * docker.verbis.dkfz.de
-  * Official Docker, Inc. URLs (subject to change, see [official list](https://docs.docker.com/desktop/setup/allow-list/))
+  * Official Docker, Inc. URLs (subject to change, see [official list](https://docs.docker.com/desktop/all))
     * hub.docker.com
     * registry-1.docker.io
     * production.cloudflare.docker.com
@@ -254,8 +254,6 @@ sh bridgehead uninstall
 
 ## Site-specific configuration
 
-[How to Change Config Access Token](docs/update-access-token.md)
-
 ### HTTPS Access
 
 Even within your internal network, the Bridgehead enforces HTTPS for all services. During the installation, a self-signed, long-lived certificate was created for you. To increase security, you can simply replace the files under `/etc/bridgehead/traefik-tls` with ones from established certification authorities such as [Let's Encrypt](https://letsencrypt.org) or [DFN-AAI](https://www.aai.dfn.de).

bbmri/docker-compose.yml

@@ -4,7 +4,7 @@ version: "3.7"
 
 services:
   blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:0.31
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
     container_name: bridgehead-bbmri-blaze
     environment:
       BASE_URL: "http://bridgehead-bbmri-blaze:8080"

bridgehead

@@ -53,44 +53,17 @@ case "$PROJECT" in
 		;;
 esac
 
-# Loads config variables and runs the projects setup script
 loadVars() {
+	# Load variables from /etc/bridgehead and /srv/docker/bridgehead
 	set -a
-	# Source the project specific config file
 	source /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "/etc/bridgehead/$PROJECT.conf not found"
-	# Source the project specific local config file if present
-	# This file is ignored by git as oposed to the regular config file as it contains private site information like etl auth data
 	if [ -e /etc/bridgehead/$PROJECT.local.conf ]; then
 		log INFO "Applying /etc/bridgehead/$PROJECT.local.conf"
 		source /etc/bridgehead/$PROJECT.local.conf || fail_and_report 1 "Found /etc/bridgehead/$PROJECT.local.conf but failed to import"
 	fi
-	# Set execution environment on main default to prod else test
-	if [[ -z "${ENVIRONMENT+x}" ]]; then
-		if [ "$(git rev-parse --abbrev-ref HEAD)" == "main" ]; then
-			ENVIRONMENT="production"
-		else
-			ENVIRONMENT="test"
-		fi
-	fi
-	# Source the versions of the images components 
-	case "$ENVIRONMENT" in
-		"production")
-			source ./versions/prod
-			;;
-		"test")
-			source ./versions/test
-			;;
-		*)
-			report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
-			source ./versions/prod
-			;;
-	esac
 	fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Unable to fetchVarsFromVaultByFile"
 	setHostname
 	optimizeBlazeMemoryUsage
-	# Run project specific setup if it exists
-	# This will ususally modiy the `OVERRIDE` to include all the compose files that the project depends on
-	# This is also where projects specify which modules to load
 	[ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
 	set +a
 
@@ -106,6 +79,26 @@ loadVars() {
 	fi
 	detectCompose
 	setupProxy
+
+	# Set some project-independent default values
+	: ${ENVIRONMENT:=production}
+	export ENVIRONMENT
+
+	case "$ENVIRONMENT" in
+		"production")
+			export FOCUS_TAG=main
+			export BEAM_TAG=main
+			;;
+		"test")
+			export FOCUS_TAG=develop
+			export BEAM_TAG=develop
+			;;
+		*)
+			report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
+			export FOCUS_TAG=main
+			export BEAM_TAG=main
+			;;
+	esac
 }
 
 case "$ACTION" in

cce/docker-compose.yml

@@ -2,7 +2,7 @@ version: "3.7"
 
 services:
   blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:0.31
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
     container_name: bridgehead-cce-blaze
     environment:
       BASE_URL: "http://bridgehead-cce-blaze:8080"

ccp/docker-compose.yml

@@ -11,6 +11,7 @@ services:
       DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
       CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
       ENFORCE_REFERENTIAL_INTEGRITY: "false"
+      LOG_LEVEL: ${LOG_LEVEL_BLAZE:-WARN}
     volumes:
       - "blaze-data:/app/data"
     labels:
@@ -34,6 +35,7 @@ services:
       EPSILON: 0.28
       QUERIES_TO_CACHE: '/queries_to_cache.conf'
       ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
+      RUST_LOG: ${LOG_LEVEL_FOCUS:-WARN}
     volumes:
       - /srv/docker/bridgehead/ccp/queries_to_cache.conf:/queries_to_cache.conf
     depends_on:
@@ -51,6 +53,7 @@ services:
       ALL_PROXY: http://forward_proxy:3128
       TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
       ROOTCERT_FILE: /conf/root.crt.pem
+      RUST_LOG: ${LOG_LEVEL_FOCUS:-WARN}
     secrets:
       - proxy.pem
     depends_on:

ccp/modules/blaze-secondary-compose.yml

@@ -2,7 +2,7 @@ version: "3.7"
 
 services:
   blaze-secondary:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:0.31
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
     container_name: bridgehead-ccp-blaze-secondary
     environment:
       BASE_URL: "http://bridgehead-ccp-blaze-secondary:8080"
@@ -10,6 +10,7 @@ services:
       DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
       DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP
       ENFORCE_REFERENTIAL_INTEGRITY: "false"
+      LOG_LEVEL: ${LOG_LEVEL_BLAZE:-WARN}
     volumes:
       - "blaze-secondary-data:/app/data"
     labels:

ccp/modules/datashield-compose.yml

@@ -10,6 +10,7 @@ services:
       DISABLE_AUTH: "true" # https://rocker-project.org/images/versioned/rstudio.html#how-to-use
       HTTP_RELATIVE_PATH: "/rstudio"
       ALL_PROXY: "http://forward_proxy:3128" # https://rocker-project.org/use/networking.html
+      LOG_LEVEL: ${LOG_LEVEL_RSTUDIO:-WARN}
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.rstudio_ccp.rule=PathPrefix(`/rstudio`)"
@@ -54,6 +55,7 @@ services:
       BEAM_APP_ID: token-manager.${PROXY_ID}
       BEAM_SECRET: ${TOKEN_MANAGER_SECRET}
       BEAM_DATASHIELD_PROXY: request-manager
+      LOG_LEVEL: ${LOG_LEVEL_OPAL:-WARN}
     volumes:
       - "/var/cache/bridgehead/ccp/opal-metadata-db:/srv" # Opal metadata
     secrets:
@@ -75,6 +77,8 @@ services:
     image: docker.verbis.dkfz.de/ccp/dktk-rserver # datashield/rock-base + dsCCPhos
     tmpfs:
       - /srv
+    environment:
+      LOG_LEVEL: ${LOG_LEVEL_OPAL:-WARN}
 
   beam-connect:
     image: docker.verbis.dkfz.de/cache/samply/beam-connect:develop
@@ -87,6 +91,7 @@ services:
       DISCOVERY_URL: "./map/central.json"
       LOCAL_TARGETS_FILE: "./map/local.json"
       NO_AUTH: "true"
+      RUST_LOG: ${LOG_LEVEL_BEAMCONNECT:-WARN}
     secrets:
       - opal-cert.pem
     depends_on:

ccp/modules/dnpm-compose.yml

@@ -17,7 +17,7 @@ services:
       HTTP_PROXY: "http://forward_proxy:3128"
       HTTPS_PROXY: "http://forward_proxy:3128"
       NO_PROXY: beam-proxy,dnpm-backend,host.docker.internal${DNPM_ADDITIONAL_NO_PROXY}
-      RUST_LOG: ${RUST_LOG:-info}
+      RUST_LOG: ${LOG_LEVEL_BEAMCONNECTDNPM:-WARN}
       NO_AUTH: "true"
       TLS_CA_CERTIFICATES_DIR: ./conf/trusted-ca-certs
     extra_hosts:

ccp/modules/exporter-compose.yml

@@ -6,7 +6,6 @@ services:
     container_name: bridgehead-ccp-exporter
     environment:
       JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC"
-      LOG_LEVEL: "INFO"
       EXPORTER_API_KEY: "${EXPORTER_API_KEY}" # Set in exporter-setup.sh
       CROSS_ORIGINS: "https://${HOST}"
       EXPORTER_DB_USER: "exporter"
@@ -16,6 +15,7 @@ services:
       SITE: "${SITE_ID}"
       HTTP_SERVLET_REQUEST_SCHEME: "https"
       OPAL_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
+      LOG_LEVEL: ${LOG_LEVEL_EXPORTER:-WARN}
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.exporter_ccp.rule=PathPrefix(`/ccp-exporter`)"
@@ -42,7 +42,6 @@ services:
     container_name: bridgehead-ccp-reporter
     environment:
       JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC"
-      LOG_LEVEL: "INFO"
       CROSS_ORIGINS: "https://${HOST}"
       HTTP_RELATIVE_PATH: "/ccp-reporter"
       SITE: "${SITE_ID}"
@@ -50,6 +49,7 @@ services:
       EXPORTER_URL: "http://exporter:8092"
       LOG_FHIR_VALIDATION: "false"
       HTTP_SERVLET_REQUEST_SCHEME: "https"
+      LOG_LEVEL: ${LOG_LEVEL_REPORTER:-WARN}
 
     # In this initial development state of the bridgehead, we are trying to have so many volumes as possible.
     # However, in the first executions in the CCP sites, this volume seems to be very important. A report is
@@ -69,4 +69,4 @@ services:
   focus:
     environment:
       EXPORTER_URL: "http://exporter:8092"
-      EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
+      AUTH_HEADER: "${EXPORTER_API_KEY}"

ccp/modules/id-management-compose.yml

@@ -14,6 +14,7 @@ services:
       MAGICPL_CONNECTOR_APIKEY: ${IDMANAGER_READ_APIKEY}
       MAGICPL_CENTRAL_PATIENTLIST_APIKEY: ${IDMANAGER_CENTRAL_PATIENTLIST_APIKEY}
       MAGICPL_CONTROLNUMBERGENERATOR_APIKEY: ${IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY}
+      ML_LOG_LEVEL: ${LOG_LEVEL_IDMANAGER:-WARN}
     depends_on:
       - patientlist
       - traefik-forward-auth
@@ -44,6 +45,8 @@ services:
       - ML_UPLOAD_API_KEY=${IDMANAGER_UPLOAD_APIKEY}
       # Add Variables from /etc/patientlist-id-generators.env
       - PATIENTLIST_SEEDS_TRANSFORMED
+      - ML_LOG_LEVEL=${LOG_LEVEL_PATIENTLIST:-WARN}
+      #TODO confirm LOG_LEVEL
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.patientlist.rule=PathPrefix(`/patientlist`)"
@@ -102,11 +105,11 @@ services:
         condition: service_healthy
 
   ccp-patient-project-identificator:
-    image: docker.verbis.dkfz.de/cache/samply/ccp-patient-project-identificator
+    image: samply/ccp-patient-project-identificator
     container_name: bridgehead-ccp-patient-project-identificator
     environment:
       MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
-      SITE_NAME: ${IDMANAGEMENT_FRIENDLY_ID}
+      SITE_NAME: ${SITE_NAME}
 
 volumes:
   patientlist-db-data:

ccp/modules/mtba-compose.yml

@@ -25,6 +25,7 @@ services:
       OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
       OIDC_REALM: "${OIDC_REALM}"
       OIDC_URL: "${OIDC_URL}"
+      LOG_LEVEL: ${LOG_LEVEL_MTBA:-WARN}
 
     labels:
       - "traefik.enable=true"

ccp/modules/nngm-compose.yml

@@ -12,6 +12,8 @@ services:
       CTS_API_KEY: ${NNGM_CTS_APIKEY}
       CRYPT_KEY: ${NNGM_CRYPTKEY}
       #CTS_MAGICPL_SITE: ${SITE_ID}TODO
+      LOG_LEVEL: ${LOG_LEVEL_NNGM:-WARN}
+    restart: always
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.connector.rule=PathPrefix(`/nngm-connector`)"

ccp/modules/obds2fhir-rest-compose.yml

@@ -10,6 +10,8 @@ services:
       SALT: ${LOCAL_SALT}
       KEEP_INTERNAL_ID: ${KEEP_INTERNAL_ID:-false}
       MAINZELLISTE_URL: ${PATIENTLIST_URL:-http://patientlist:8080/patientlist}
+      LOG_LEVEL: ${LOG_LEVEL_REPORTER:-WARN}
+    restart: always
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.obds2fhir-rest.rule=PathPrefix(`/obds2fhir-rest`) || PathPrefix(`/adt2fhir-rest`)"

ccp/modules/teiler-compose.yml

@@ -17,6 +17,7 @@ services:
       TEILER_DASHBOARD_URL: "https://${HOST}/ccp-teiler-dashboard"
       DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE_LOWER_CASE}"
       HTTP_RELATIVE_PATH: "/ccp-teiler"
+      LOG_LEVEL: ${LOG_LEVEL_TEILER:-WARN}
 
   teiler-dashboard:
     image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:develop
@@ -47,6 +48,7 @@ services:
       TEILER_ADMIN: "${OIDC_ADMIN_GROUP}"
       REPORTER_DEFAULT_TEMPLATE_ID: "ccp-qb"
       EXPORTER_DEFAULT_TEMPLATE_ID: "ccp"
+      LOG_LEVEL: ${LOG_LEVEL_TEILER:-WARN}
 
 
   teiler-backend:
@@ -60,7 +62,6 @@ services:
       - "traefik.http.middlewares.teiler_backend_ccp_strip.stripprefix.prefixes=/ccp-teiler-backend"
       - "traefik.http.routers.teiler_backend_ccp.middlewares=teiler_backend_ccp_strip"
     environment:
-      LOG_LEVEL: "INFO"
       APPLICATION_PORT: "8085"
       APPLICATION_ADDRESS: "${HOST}"
       DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
@@ -73,6 +74,7 @@ services:
       HTTP_PROXY: "http://forward_proxy:3128"
       ENABLE_MTBA: "${ENABLE_MTBA}"
       ENABLE_DATASHIELD: "${ENABLE_DATASHIELD}"
+      LOG_LEVEL: ${LOG_LEVEL_TEILER:-WARN}
     secrets:
       - ccp.conf
 

dhki/docker-compose.yml

@@ -2,7 +2,7 @@ version: "3.7"
 
 services:
   blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:0.31
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
     container_name: bridgehead-dhki-blaze
     environment:
       BASE_URL: "http://bridgehead-dhki-blaze:8080"

docs/update-access-token.md

@@ -1,42 +0,0 @@
-## How to Change Config Access Token
-
-### 1. Generate a New Access Token
-
-1. Go to your Git configuration repository provider, it might be either [git.verbis.dkfz.de](https://git.verbis.dkfz.de) or [gitlab.bbmri-eric.eu](https://gitlab.bbmri-eric.eu).  
-2. Navigate to the configuration repository for your site.  
-3. Go to **Settings → Access Tokens** to check if your Access Token is valid or expired.  
-   - **If expired**, create a new Access Token.  
-4. Configure the new Access Token with the following settings:  
-   - **Expiration date**: One year from today, minus one day.  
-   - **Role**: Developer.  
-   - **Scope**: Only `read_repository`.  
-5. Save the newly generated Access Token in a secure location.  
-
----
-
-### 2. Replace the Old Access Token
-
-1. Navigate to `/etc/bridgehead` in your system.  
-2. Run the following command to retrieve the current Git remote URL:  
-   ```bash
-   git remote get-url origin
-   ```
-   Example output:  
-   ```
-   https://name40dkfz-heidelberg.de:<old_access_token>@git.verbis.dkfz.de/bbmri-bridgehead-configs/test.git
-   ```
-3. Replace `<old_access_token>` with your new Access Token in the URL.  
-4. Set the updated URL using the following command:  
-   ```bash
-   git remote set-url origin https://name40dkfz-heidelberg.de:<new_access_token>@git.verbis.dkfz.de/bbmri-bridgehead-configs/test.git
-   
-   ```
-
-5. Start the Bridgehead update service by running:  
-   ```bash
-   systemctl start bridgehead-update@<project>
-   ```
-6. View the output to ensure the update process is successful:  
-   ```bash
-   journalctl -u bridgehead-update@<project> -f
-   ```

itcc/docker-compose.yml

@@ -2,7 +2,7 @@ version: "3.7"
 
 services:
   blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:0.31
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
     container_name: bridgehead-itcc-blaze
     environment:
       BASE_URL: "http://bridgehead-itcc-blaze:8080"

kr/docker-compose.yml

@@ -6,7 +6,7 @@ services:
       replicas: 0 #deactivate landing page
 
   blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:0.31
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
     container_name: bridgehead-kr-blaze
     environment:
       BASE_URL: "http://bridgehead-kr-blaze:8080"

kr/modules/obds2fhir-rest-compose.yml

@@ -10,6 +10,7 @@ services:
       SALT: ${LOCAL_SALT}
       KEEP_INTERNAL_ID: ${KEEP_INTERNAL_ID:-false}
       MAINZELLISTE_URL: ${PATIENTLIST_URL:-http://patientlist:8080/patientlist}
+    restart: always
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.obds2fhir-rest.rule=PathPrefix(`/obds2fhir-rest`) || PathPrefix(`/adt2fhir-rest`)"

lib/functions.sh

@@ -318,7 +318,7 @@ function sync_secrets() {
         docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
 
     set -a # Export variables as environment variables
-    source /var/cache/bridgehead/secrets/oidc
+    source /var/cache/bridgehead/secrets/*
     set +a # Export variables in the regular way
 }
 

lib/gitlab-token-helper.sh

@@ -1,11 +0,0 @@
-#!/bin/bash
-
-[ "$1" = "get" ] || exit
-
-source /var/cache/bridgehead/secrets/gitlab_token
-
-# Any non-empty username works, only the token matters
-cat << EOF
-username=bk
-password=$BRIDGEHEAD_CONFIG_REPO_TOKEN
-EOF

lib/gitpassword.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+
+if [ "$1" != "get" ]; then
+	echo "Usage: $0 get"
+	exit 1
+fi
+
+baseDir() {
+	# see https://stackoverflow.com/questions/59895
+	SOURCE=${BASH_SOURCE[0]}
+	while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
+		DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
+		SOURCE=$(readlink "$SOURCE")
+		[[ $SOURCE != /* ]] && SOURCE=$DIR/$SOURCE # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
+        done
+        DIR=$( cd -P "$( dirname "$SOURCE" )/.." >/dev/null 2>&1 && pwd )
+        echo $DIR
+}
+
+BASE=$(baseDir)
+cd $BASE
+
+source lib/functions.sh
+
+assertVarsNotEmpty SITE_ID || fail_and_report 1 "gitpassword.sh failed: SITE_ID is empty."
+
+PARAMS="$(cat)"
+GITHOST=$(echo "$PARAMS" | grep "^host=" | sed 's/host=\(.*\)/\1/g')
+
+fetchVarsFromVault GIT_PASSWORD
+
+if [ -z "${GIT_PASSWORD}" ]; then
+	fail_and_report 1 "gitpassword.sh failed: Git password not found."
+fi
+
+cat <<EOF
+protocol=https
+host=$GITHOST
+username=bk-${SITE_ID}
+password=${GIT_PASSWORD}
+EOF

lib/update-bridgehead.sh

@@ -19,7 +19,7 @@ fi
 
 hc_send log "Checking for bridgehead updates ..."
 
-CONFFILE=/etc/bridgehead/$PROJECT.conf
+CONFFILE=/etc/bridgehead/$1.conf
 
 if [ ! -e $CONFFILE ]; then
   fail_and_report 1 "Configuration file $CONFFILE not found."
@@ -33,43 +33,7 @@ export SITE_ID
 checkOwner /srv/docker/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /srv/docker/bridgehead"
 checkOwner /etc/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /etc/bridgehead"
 
-# Use Secret Sync to validate the GitLab token in /var/cache/bridgehead/secrets/gitlab_token.
-# If it is missing or expired, Secret Sync will create a new token and write it to the file.
-# The git credential helper reads the token from the file during git pull.
-mkdir -p /var/cache/bridgehead/secrets
-touch /var/cache/bridgehead/secrets/gitlab_token # the file has to exist to be mounted correctly in the Docker container
-log "INFO" "Running Secret Sync for the GitLab token"
-docker pull docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest # make sure we have the latest image
-docker run --rm \
-  -v /var/cache/bridgehead/secrets/gitlab_token:/usr/local/cache \
-  -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
-  -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
-  -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
-  -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
-  -e NO_PROXY=localhost,127.0.0.1 \
-  -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
-  -e PROXY_ID=$PROXY_ID \
-  -e BROKER_URL=$BROKER_URL \
-  -e GITLAB_PROJECT_ACCESS_TOKEN_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \
-  -e SECRET_DEFINITIONS=GitLabProjectAccessToken:BRIDGEHEAD_CONFIG_REPO_TOKEN: \
-  docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
-if [ $? -eq 0 ]; then
-  log "INFO" "Secret Sync was successful"
-  # In the past we used to hardcode tokens into the repository URL. We have to remove those now for the git credential helper to become effective.
-  CLEAN_REPO="$(git -C /etc/bridgehead remote get-url origin | sed -E 's|https://[^@]+@|https://|')"
-  git -C /etc/bridgehead remote set-url origin "$CLEAN_REPO"
-  # Set the git credential helper
-  git -C /etc/bridgehead config credential.helper /srv/docker/bridgehead/lib/gitlab-token-helper.sh
-else
-  log "WARN" "Secret Sync failed"
-  # Remove the git credential helper
-  git -C /etc/bridgehead config --unset credential.helper
-fi
-
-# In the past the git credential helper was also set for /srv/docker/bridgehead but never used.
-# Let's remove it to avoid confusion. This line can be removed at some point the future when we
-# believe that it was removed on all/most production servers.
-git -C /srv/docker/bridgehead config --unset credential.helper
+CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
 
 CHANGES=""
 
@@ -81,6 +45,10 @@ for DIR in /etc/bridgehead $(pwd); do
   if [ -n "$OUT" ]; then
     report_error log "The working directory $DIR is modified. Changed files: $OUT"
   fi
+  if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then
+    log "INFO" "Configuring repo to use bridgehead git credential helper."
+    git -C $DIR config credential.helper "$CREDHELPER"
+  fi
   old_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
   if [ -z "$HTTPS_PROXY_FULL_URL" ]; then
     log "INFO" "Git is using no proxy!"
@@ -90,8 +58,7 @@ for DIR in /etc/bridgehead $(pwd); do
     OUT=$(retry 5 git -c http.proxy=$HTTPS_PROXY_FULL_URL -c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR fetch 2>&1 && retry 5 git -c http.proxy=$HTTPS_PROXY_FULL_URL -c https.proxy=$HTTPS_PROXY_FULL_URL -C $DIR pull 2>&1)
   fi
   if [ $? -ne 0 ]; then
-    OUT_SAN=$(echo $OUT | sed -E 's|://[^:]+:[^@]+@|://credentials@|g')
-    report_error log "Unable to update git $DIR: $OUT_SAN"
+    report_error log "Unable to update git $DIR: $OUT"
   fi
 
   new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"

minimal/modules/nngm-compose.yml

@@ -11,6 +11,7 @@ services:
       CTS_API_KEY: ${NNGM_CTS_APIKEY}
       CRYPT_KEY: ${NNGM_CRYPTKEY}
       #CTS_MAGICPL_SITE: ${SITE_ID}TODO
+    restart: always
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.connector.rule=PathPrefix(`/nngm-connector`)"

versions/prod

@@ -1,2 +0,0 @@
-FOCUS_TAG=main
-BEAM_TAG=main

versions/test

@@ -1,2 +0,0 @@
-FOCUS_TAG=develop
-BEAM_TAG=develop