Test blaze 0.28

feat: unify version handeling (#265 )
fix: properly load oidc secrets (#267 )
2025-06-16 23:00:15 +02:00 · 2025-01-29 19:32:31 +01:00 · 2025-01-29 13:17:59 +01:00 · 2025-01-29 10:59:27 +01:00 · 2025-01-29 09:52:26 +01:00 · 2025-01-28 14:53:49 +01:00
9 changed files with 85 additions and 72 deletions
--- a/README.md
+++ b/README.md
@ -76,7 +76,7 @@ The following URLs need to be accessible (prefix with `https://`):
  * git.verbis.dkfz.de
 * To fetch docker images
  * docker.verbis.dkfz.de
-  * Official Docker, Inc. URLs (subject to change, see [official list](https://docs.docker.com/desktop/all))
+  * Official Docker, Inc. URLs (subject to change, see [official list](https://docs.docker.com/desktop/setup/allow-list/))
    * hub.docker.com
    * registry-1.docker.io
    * production.cloudflare.docker.com
--- a/49
+++ b/49
@ -53,17 +53,44 @@ case "$PROJECT" in
 		;;
 esac
 # Loads config variables and runs the projects setup script
 loadVars() {
 	# Load variables from /etc/bridgehead and /srv/docker/bridgehead
 	set -a
 	# Source the project specific config file
 	source /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "/etc/bridgehead/$PROJECT.conf not found"
 	# Source the project specific local config file if present
 	# This file is ignored by git as oposed to the regular config file as it contains private site information like etl auth data
 	if [ -e /etc/bridgehead/$PROJECT.local.conf ]; then
 		log INFO "Applying /etc/bridgehead/$PROJECT.local.conf"
 		source /etc/bridgehead/$PROJECT.local.conf || fail_and_report 1 "Found /etc/bridgehead/$PROJECT.local.conf but failed to import"
 	fi
 	# Set execution environment on main default to prod else test
 	if [[ -z "${ENVIRONMENT+x}" ]]; then
 		if [ "$(git rev-parse --abbrev-ref HEAD)" == "main" ]; then
 			ENVIRONMENT="production"
 		else
 			ENVIRONMENT="test"
 		fi
 	fi
 	# Source the versions of the images components 
 	case "$ENVIRONMENT" in
 		"production")
 			source ./versions/prod
 			;;
 		"test")
 			source ./versions/test
 			;;
 		*)
 			report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
 			source ./versions/prod
 			;;
 	esac
 	fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Unable to fetchVarsFromVaultByFile"
 	setHostname
 	optimizeBlazeMemoryUsage
 	# Run project specific setup if it exists
 	# This will ususally modiy the `OVERRIDE` to include all the compose files that the project depends on
 	# This is also where projects specify which modules to load
 	[ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
 	set +a
@ -79,26 +106,6 @@ loadVars() {
 	fi
 	detectCompose
 	setupProxy
 	# Set some project-independent default values
 	: ${ENVIRONMENT:=production}
 	export ENVIRONMENT
 	case "$ENVIRONMENT" in
 		"production")
 			export FOCUS_TAG=main
 			export BEAM_TAG=main
 			;;
 		"test")
 			export FOCUS_TAG=develop
 			export BEAM_TAG=develop
 			;;
 		*)
 			report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
 			export FOCUS_TAG=main
 			export BEAM_TAG=main
 			;;
 	esac
 }
 case "$ACTION" in
--- a/ccp/docker-compose.yml
+++ b/ccp/docker-compose.yml
@ -2,7 +2,7 @@ version: "3.7"
 services:
  blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:0.31
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
    container_name: bridgehead-ccp-blaze
    environment:
      BASE_URL: "http://bridgehead-ccp-blaze:8080"
--- a/lib/functions.sh
+++ b/lib/functions.sh
@ -318,7 +318,7 @@ function sync_secrets() {
        docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
    set -a # Export variables as environment variables
-    source /var/cache/bridgehead/secrets/*
+    source /var/cache/bridgehead/secrets/oidc
    set +a # Export variables in the regular way
 }
--- a/lib/gitlab-token-helper.sh
+++ b/lib/gitlab-token-helper.sh
@ -0,0 +1,11 @@
 #!/bin/bash
 [ "$1" = "get" ] || exit
 source /var/cache/bridgehead/secrets/gitlab_token
 # Any non-empty username works, only the token matters
 cat << EOF
 username=bk
 password=$BRIDGEHEAD_CONFIG_REPO_TOKEN
 EOF
--- a/lib/gitpassword.sh
+++ b/lib/gitpassword.sh
@ -1,41 +0,0 @@
 #!/bin/bash
 if [ "$1" != "get" ]; then
 	echo "Usage: $0 get"
 	exit 1
 fi
 baseDir() {
 	# see https://stackoverflow.com/questions/59895
 	SOURCE=${BASH_SOURCE[0]}
 	while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
 		DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
 		SOURCE=$(readlink "$SOURCE")
 		[[ $SOURCE != /* ]] && SOURCE=$DIR/$SOURCE # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
        done
        DIR=$( cd -P "$( dirname "$SOURCE" )/.." >/dev/null 2>&1 && pwd )
        echo $DIR
 }
 BASE=$(baseDir)
 cd $BASE
 source lib/functions.sh
 assertVarsNotEmpty SITE_ID || fail_and_report 1 "gitpassword.sh failed: SITE_ID is empty."
 PARAMS="$(cat)"
 GITHOST=$(echo "$PARAMS" | grep "^host=" | sed 's/host=\(.*\)/\1/g')
 fetchVarsFromVault GIT_PASSWORD
 if [ -z "${GIT_PASSWORD}" ]; then
 	fail_and_report 1 "gitpassword.sh failed: Git password not found."
 fi
 cat <<EOF
 protocol=https
 host=$GITHOST
 username=bk-${SITE_ID}
 password=${GIT_PASSWORD}
 EOF
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
@ -19,7 +19,7 @@ fi
 hc_send log "Checking for bridgehead updates ..."
-CONFFILE=/etc/bridgehead/$1.conf
+CONFFILE=/etc/bridgehead/$PROJECT.conf
 if [ ! -e $CONFFILE ]; then
  fail_and_report 1 "Configuration file $CONFFILE not found."
@ -33,7 +33,43 @@ export SITE_ID
 checkOwner /srv/docker/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /srv/docker/bridgehead"
 checkOwner /etc/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /etc/bridgehead"
-CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
+# Use Secret Sync to validate the GitLab token in /var/cache/bridgehead/secrets/gitlab_token.
 # If it is missing or expired, Secret Sync will create a new token and write it to the file.
 # The git credential helper reads the token from the file during git pull.
 mkdir -p /var/cache/bridgehead/secrets
 touch /var/cache/bridgehead/secrets/gitlab_token # the file has to exist to be mounted correctly in the Docker container
 log "INFO" "Running Secret Sync for the GitLab token"
 docker pull docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest # make sure we have the latest image
 docker run --rm \
  -v /var/cache/bridgehead/secrets/gitlab_token:/usr/local/cache \
  -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
  -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
  -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
  -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
  -e NO_PROXY=localhost,127.0.0.1 \
  -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
  -e PROXY_ID=$PROXY_ID \
  -e BROKER_URL=$BROKER_URL \
  -e GITLAB_PROJECT_ACCESS_TOKEN_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \
  -e SECRET_DEFINITIONS=GitLabProjectAccessToken:BRIDGEHEAD_CONFIG_REPO_TOKEN: \
  docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
 if [ $? -eq 0 ]; then
  log "INFO" "Secret Sync was successful"
  # In the past we used to hardcode tokens into the repository URL. We have to remove those now for the git credential helper to become effective.
  CLEAN_REPO="$(git -C /etc/bridgehead remote get-url origin | sed -E 's|https://[^@]+@|https://|')"
  git -C /etc/bridgehead remote set-url origin "$CLEAN_REPO"
  # Set the git credential helper
  git -C /etc/bridgehead config credential.helper /srv/docker/bridgehead/lib/gitlab-token-helper.sh
 else
  log "WARN" "Secret Sync failed"
  # Remove the git credential helper
  git -C /etc/bridgehead config --unset credential.helper
 fi
 # In the past the git credential helper was also set for /srv/docker/bridgehead but never used.
 # Let's remove it to avoid confusion. This line can be removed at some point the future when we
 # believe that it was removed on all/most production servers.
 git -C /srv/docker/bridgehead config --unset credential.helper
 CHANGES=""
@ -45,10 +81,6 @@ for DIR in /etc/bridgehead $(pwd); do
  if [ -n "$OUT" ]; then
    report_error log "The working directory $DIR is modified. Changed files: $OUT"
  fi
  if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then
    log "INFO" "Configuring repo to use bridgehead git credential helper."
    git -C $DIR config credential.helper "$CREDHELPER"
  fi
  old_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
  if [ -z "$HTTPS_PROXY_FULL_URL" ]; then
    log "INFO" "Git is using no proxy!"
--- a/versions/prod
+++ b/versions/prod
@ -0,0 +1,2 @@
 FOCUS_TAG=main
 BEAM_TAG=main
--- a/versions/test
+++ b/versions/test
@ -0,0 +1,2 @@
 FOCUS_TAG=develop
 BEAM_TAG=develop
Author	SHA1	Message	Date
djuarezgf	da069b7473	Test blaze 0.28	2025-01-29 19:32:31 +01:00
Jan	e3553370b6	feat: unify version handeling (#265 )	2025-01-29 13:17:59 +01:00
Jan	1ad73d8f82	fix: properly load oidc secrets (#267 )	2025-01-29 10:59:27 +01:00
Tobias Kussel	0b6fa439ba	Merge pull request #266 from samply/fix/docker-hub-link Fixed Docker Hub URL list link	2025-01-29 09:52:26 +01:00
Martin Lablans	615990b92a	Use secret-sync for gitpassword (#257 ) --------- Co-authored-by: Tim Schumacher <tim@tschumacher.net> Co-authored-by: Jan <59206115+Threated@users.noreply.github.com> Co-authored-by: Tim Schumacher <tim.schumacher@dkfz-heidelberg.de>	2025-01-28 14:53:49 +01:00
Tobias Kussel	db950d6d87	Fixed Docker Hub URL list link	2025-01-28 08:59:57 +00:00