Merge pull request #338 from samply/develop

Develop Main

README.md

@@ -85,6 +85,8 @@ The following URLs need to be accessible (prefix with `https://`):
     * hub.docker.com
     * registry-1.docker.io
     * production.cloudflare.docker.com
+  * GitHub Container Registry - (for use of DNPM:DIP)
+    * ghcr.io
 * To report bridgeheads operational status
   * healthchecks.verbis.dkfz.de
 * only for DKTK/CCP
@@ -95,7 +97,7 @@ The following URLs need to be accessible (prefix with `https://`):
 * only for German Biobank Node
   * broker.bbmri.de
 
-> 📝 This URL list is subject to change. Instead of the individual names, we highly recommend whitelisting wildcard domains: *.dkfz.de, github.com, *.docker.com, *.docker.io, *.samply.de, *.bbmri.de.
+> 📝 This URL list is subject to change. Instead of the individual names, we highly recommend whitelisting wildcard domains: *.dkfz.de, github.com, *.docker.com, *.docker.io, *.ghcr.io, *.samply.de, *.bbmri.de.
 
 > 📝 Ubuntu's pre-installed uncomplicated firewall (ufw) is known to conflict with Docker, more info [here](https://github.com/chaifeng/ufw-docker).
 

bbmri/modules/teiler-compose.yml

@@ -19,7 +19,7 @@ services:
       HTTP_RELATIVE_PATH: "/bbmri-teiler"
 
   teiler-dashboard:
-    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:develop
+    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:${TEILER_DASHBOARD_TAG}
     container_name: bridgehead-teiler-dashboard
     labels:
       - "traefik.enable=true"
@@ -32,9 +32,6 @@ services:
       DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
       TEILER_BACKEND_URL: "/bbmri-teiler-backend"
       TEILER_DASHBOARD_URL: "/bbmri-teiler-dashboard"
-      OIDC_URL: "${OIDC_URL}"
-      OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}"
-      OIDC_TOKEN_GROUP: "${OIDC_GROUP_CLAIM}"
       TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
       TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
       TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
@@ -42,8 +39,6 @@ services:
       EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
       TEILER_ORCHESTRATOR_URL: "/bbmri-teiler"
       TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/bbmri-teiler"
-      TEILER_USER: "${OIDC_USER_GROUP}"
-      TEILER_ADMIN: "${OIDC_ADMIN_GROUP}"
       REPORTER_DEFAULT_TEMPLATE_ID: "bbmri-qb"
       EXPORTER_DEFAULT_TEMPLATE_ID: "bbmri"
 

cce/modules/teiler-compose.yml

@@ -19,7 +19,7 @@ services:
       HTTP_RELATIVE_PATH: "/cce-teiler"
 
   teiler-dashboard:
-    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:develop
+    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:${TEILER_DASHBOARD_TAG}
     container_name: bridgehead-teiler-dashboard
     labels:
       - "traefik.enable=true"
@@ -32,9 +32,6 @@ services:
       DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
       TEILER_BACKEND_URL: "/cce-teiler-backend"
       TEILER_DASHBOARD_URL: "/cce-teiler-dashboard"
-      OIDC_URL: "${OIDC_URL}"
-      OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}"
-      OIDC_TOKEN_GROUP: "${OIDC_GROUP_CLAIM}"
       TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
       TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
       TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
@@ -42,8 +39,6 @@ services:
       EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
       TEILER_ORCHESTRATOR_URL: "/cce-teiler"
       TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/cce-teiler"
-      TEILER_USER: "${OIDC_USER_GROUP}"
-      TEILER_ADMIN: "${OIDC_ADMIN_GROUP}"
       REPORTER_DEFAULT_TEMPLATE_ID: "cce-qb"
       EXPORTER_DEFAULT_TEMPLATE_ID: "cce"
 

ccp/modules/datashield-compose.yml

@@ -25,7 +25,7 @@ services:
       APP_CONTEXT_PATH: "/opal"
       OPAL_PRIVATE_KEY: "/run/secrets/opal-key.pem"
       OPAL_CERTIFICATE: "/run/secrets/opal-cert.pem"
-      OIDC_URL: "${OIDC_URL}"
+      OIDC_URL: "${OIDC_PRIVATE_URL}"
       OIDC_CLIENT_ID: "${OIDC_PRIVATE_CLIENT_ID}"
       OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
       OIDC_ADMIN_GROUP: "${OIDC_ADMIN_GROUP}"

ccp/modules/dnpm-node-compose.yml

@@ -43,7 +43,7 @@ services:
       - "traefik.http.routers.dnpm-auth.tls=true"
 
   dnpm-portal:
-    image: ghcr.io/dnpm-dip/portal:latest
+    image: ghcr.io/dnpm-dip/portal:${DNPM_IMAGE_TAG:-latest}
     container_name: bridgehead-dnpm-portal
     environment:
       - NUXT_API_URL=http://dnpm-backend:9000/
@@ -58,7 +58,7 @@ services:
 
   dnpm-backend:
     container_name: bridgehead-dnpm-backend
-    image: ghcr.io/dnpm-dip/backend:latest
+    image: ghcr.io/dnpm-dip/api-gateway:latest
     environment:
       - LOCAL_SITE=${ZPM_SITE}:${SITE_NAME}   # Format: {Site-ID}:{Site-name}, e.g. UKT:Tübingen
       - RD_RANDOM_DATA=${DNPM_SYNTH_NUM:--1}

ccp/modules/id-management-compose.yml

@@ -14,6 +14,7 @@ services:
       MAGICPL_CONNECTOR_APIKEY: ${IDMANAGER_READ_APIKEY}
       MAGICPL_CENTRAL_PATIENTLIST_APIKEY: ${IDMANAGER_CENTRAL_PATIENTLIST_APIKEY}
       MAGICPL_CONTROLNUMBERGENERATOR_APIKEY: ${IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY}
+      MAGICPL_OIDC_PROVIDER: ${OIDC_PRIVATE_URL}
     depends_on:
       - patientlist
       - traefik-forward-auth
@@ -71,12 +72,14 @@ services:
       - https_proxy=http://forward_proxy:3128
       - OAUTH2_PROXY_PROVIDER=oidc
       - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
-      - OAUTH2_PROXY_OIDC_ISSUER_URL=https://login.verbis.dkfz.de/realms/master
-      - OAUTH2_PROXY_CLIENT_ID=bridgehead-${SITE_ID}
-      - OAUTH2_PROXY_CLIENT_SECRET=${IDMANAGER_AUTH_CLIENT_SECRET}
+      - OAUTH2_PROXY_OIDC_ISSUER_URL=${OIDC_PRIVATE_URL}
+      - OAUTH2_PROXY_CLIENT_ID=${OIDC_PRIVATE_CLIENT_ID}
+      - OAUTH2_PROXY_CLIENT_SECRET=${OIDC_CLIENT_SECRET}
       - OAUTH2_PROXY_COOKIE_SECRET=${IDMANAGER_AUTH_COOKIE_SECRET}
       - OAUTH2_PROXY_COOKIE_NAME=_BRIDGEHEAD_oauth2_idm
       - OAUTH2_PROXY_COOKIE_DOMAINS=.${HOST}
+      - OAUTH2_PROXY_COOKIE_REFRESH=4m
+      - OAUTH2_PROXY_COOKIE_EXPIRE=24h
       - OAUTH2_PROXY_HTTP_ADDRESS=:4180
       - OAUTH2_PROXY_REVERSE_PROXY=true
       - OAUTH2_PROXY_WHITELIST_DOMAINS=.${HOST}
@@ -87,8 +90,8 @@ services:
       - OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
       - OAUTH2_PROXY_SET_XAUTHREQUEST=true
       # Keycloak has an expiration time of 60s therefore oauth2-proxy needs to refresh after that
-      - OAUTH2_PROXY_COOKIE_REFRESH=60s
-      - OAUTH2_PROXY_ALLOWED_GROUPS=DKTK-CCP-PPSN
+      - OAUTH2_PROXY_ALLOWED_GROUPS=${OIDC_PSP_GROUP}
+      - OAUTH2_PROXY_OIDC_GROUPS_CLAIM=${OIDC_GROUP_CLAIM}
       - OAUTH2_PROXY_PROXY_PREFIX=/oauth2-idm
     labels:
       - "traefik.enable=true"

ccp/modules/id-management-setup.sh

@@ -14,6 +14,8 @@ function idManagementSetup() {
 
 		# Ensure old ids are working !!!
 		export IDMANAGEMENT_FRIENDLY_ID=$(legacyIdMapping "$SITE_ID")
+
+		add_private_oidc_redirect_url "/oauth2-idm/callback"
 	fi
 }
 

ccp/modules/mtba-compose.yml

@@ -2,7 +2,7 @@ version: "3.7"
 
 services:
   mtba:
-    image: docker.verbis.dkfz.de/cache/samply/mtba:develop
+    image: docker.verbis.dkfz.de/cache/samply/mtba:${MTBA_TAG}
     container_name: bridgehead-mtba
     environment:
       BLAZE_STORE_URL: http://blaze:8080
@@ -22,8 +22,14 @@ services:
       HTTP_RELATIVE_PATH: "/mtba"
       OIDC_ADMIN_GROUP: "${OIDC_ADMIN_GROUP}"
       OIDC_CLIENT_ID: "${OIDC_PRIVATE_CLIENT_ID}"
-      OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
-      OIDC_URL: "${OIDC_URL}"
+      # TODO: Add following variables after moving to Authentik:
+      #OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
+      #OIDC_URL: "${OIDC_URL}"
+      # TODO: Remove following variables after moving to Authentik:
+      # Please add KECLOAK_CLIENT_SECRET in ccp.conf
+      OIDC_CLIENT_SECRET: "${KEYCLOAK_CLIENT_SECRET}"
+      OIDC_URL: "https://login.verbis.dkfz.de/realms/test-realm-01"
+      OIDC_ADMIN_URL: "https://login.verbis.dkfz.de/admin/realms/test-realm-01"
 
     labels:
       - "traefik.enable=true"

ccp/modules/teiler-compose.yml

@@ -19,7 +19,7 @@ services:
       HTTP_RELATIVE_PATH: "/ccp-teiler"
 
   teiler-dashboard:
-    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:develop
+    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:${TEILER_DASHBOARD_TAG}
     container_name: bridgehead-teiler-dashboard
     labels:
       - "traefik.enable=true"

ccp/vars

@@ -10,9 +10,11 @@ BROKER_URL_FOR_PREREQ=$BROKER_URL
 
 OIDC_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})"
 OIDC_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter"
+OIDC_PSP_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_PSP"
 OIDC_PRIVATE_CLIENT_ID=${SITE_ID}-private
 OIDC_PUBLIC_CLIENT_ID=${SITE_ID}-public
-OIDC_URL="https://login.verbis.dkfz.de/realms/test-realm-01"
+OIDC_URL="https://sso.verbis.dkfz.de/application/o/${OIDC_PUBLIC_CLIENT_ID}/"
+OIDC_PRIVATE_URL="https://sso.verbis.dkfz.de/application/o/${OIDC_PRIVATE_CLIENT_ID}/"
 OIDC_GROUP_CLAIM="groups"
 
 for module in $PROJECT/modules/*.sh

dhki/docker-compose.yml

@@ -39,7 +39,7 @@ services:
       - "blaze"
 
   beam-proxy:
-    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
+    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG}
     container_name: bridgehead-beam-proxy
     environment:
       BROKER_URL: ${BROKER_URL}

kr/docker-compose.yml

@@ -40,7 +40,7 @@ services:
       - "blaze"
 
   beam-proxy:
-    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
+    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG}
     container_name: bridgehead-beam-proxy
     environment:
       BROKER_URL: ${BROKER_URL}

kr/modules/exporter-compose.yml

@@ -1,9 +1,10 @@
 version: "3.7"
 
 services:
+
   exporter:
     image: docker.verbis.dkfz.de/ccp/dktk-exporter:latest
-    container_name: bridgehead-ccp-exporter
+    container_name: bridgehead-kr-exporter
     environment:
       JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC"
       LOG_LEVEL: "INFO"
@@ -12,39 +13,51 @@ services:
       EXPORTER_DB_USER: "exporter"
       EXPORTER_DB_PASSWORD: "${EXPORTER_DB_PASSWORD}" # Set in exporter-setup.sh
       EXPORTER_DB_URL: "jdbc:postgresql://exporter-db:5432/exporter"
-      HTTP_RELATIVE_PATH: "/ccp-exporter"
+      HTTP_RELATIVE_PATH: "/kr-exporter"
       SITE: "${SITE_ID}"
       HTTP_SERVLET_REQUEST_SCHEME: "https"
       OPAL_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.exporter_ccp.rule=PathPrefix(`/ccp-exporter`)"
-      - "traefik.http.services.exporter_ccp.loadbalancer.server.port=8092"
-      - "traefik.http.routers.exporter_ccp.tls=true"
-      - "traefik.http.middlewares.exporter_ccp_strip.stripprefix.prefixes=/ccp-exporter"
-      - "traefik.http.routers.exporter_ccp.middlewares=exporter_ccp_strip"
+      - "traefik.http.routers.exporter_kr.rule=PathPrefix(`/kr-exporter`)"
+      - "traefik.http.services.exporter_kr.loadbalancer.server.port=8092"
+      - "traefik.http.routers.exporter_kr.tls=true"
+      - "traefik.http.middlewares.exporter_kr_strip.stripprefix.prefixes=/kr-exporter"
+      - "traefik.http.routers.exporter_kr.middlewares=exporter_kr_strip"
+      # Main router
+      - "traefik.http.routers.exporter_kr.priority=20"
+
+      # API router
+      - "traefik.http.routers.exporter_kr_api.middlewares=exporter_kr_strip,exporter_auth"
+      - "traefik.http.routers.exporter_kr_api.rule=PathRegexp(`/kr-exporter/.+`)"
+      - "traefik.http.routers.exporter_kr_api.tls=true"
+      - "traefik.http.routers.exporter_kr_api.priority=25"
+
+      # Shared middlewares
+      - "traefik.http.middlewares.exporter_auth.basicauth.users=${EXPORTER_USER}"
+
     volumes:
-      - "/var/cache/bridgehead/ccp/exporter-files:/app/exporter-files/output"
+      - "/var/cache/bridgehead/kr/exporter-files:/app/exporter-files/output"
 
   exporter-db:
     image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
-    container_name: bridgehead-ccp-exporter-db
+    container_name: bridgehead-kr-exporter-db
     environment:
       POSTGRES_USER: "exporter"
       POSTGRES_PASSWORD: "${EXPORTER_DB_PASSWORD}" # Set in exporter-setup.sh
       POSTGRES_DB: "exporter"
     volumes:
       # Consider removing this volume once we find a solution to save Lens-queries to be executed in the explorer.
-      - "/var/cache/bridgehead/ccp/exporter-db:/var/lib/postgresql/data"
+      - "/var/cache/bridgehead/kr/exporter-db:/var/lib/postgresql/data"
 
   reporter:
     image: docker.verbis.dkfz.de/ccp/dktk-reporter:latest
-    container_name: bridgehead-ccp-reporter
+    container_name: bridgehead-kr-reporter
     environment:
       JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC"
       LOG_LEVEL: "INFO"
       CROSS_ORIGINS: "https://${HOST}"
-      HTTP_RELATIVE_PATH: "/ccp-reporter"
+      HTTP_RELATIVE_PATH: "/kr-reporter"
       SITE: "${SITE_ID}"
       EXPORTER_API_KEY: "${EXPORTER_API_KEY}" # Set in exporter-setup.sh
       EXPORTER_URL: "http://exporter:8092"
@@ -52,16 +65,23 @@ services:
       HTTP_SERVLET_REQUEST_SCHEME: "https"
 
     # In this initial development state of the bridgehead, we are trying to have so many volumes as possible.
-    # However, in the first executions in the CCP sites, this volume seems to be very important. A report is
+    # However, in the first executions in the kr sites, this volume seems to be very important. A report is
     # a process that can take several hours, because it depends on the exporter.
     # There is a risk that the bridgehead restarts, losing the already created export.
 
     volumes:
-      - "/var/cache/bridgehead/ccp/reporter-files:/app/reports"
+      - "/var/cache/bridgehead/kr/reporter-files:/app/reports"
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.reporter_ccp.rule=PathPrefix(`/ccp-reporter`)"
-      - "traefik.http.services.reporter_ccp.loadbalancer.server.port=8095"
-      - "traefik.http.routers.reporter_ccp.tls=true"
-      - "traefik.http.middlewares.reporter_ccp_strip.stripprefix.prefixes=/ccp-reporter"
-      - "traefik.http.routers.reporter_ccp.middlewares=reporter_ccp_strip"
+      - "traefik.http.routers.reporter_kr.rule=PathPrefix(`/kr-reporter`)"
+      - "traefik.http.services.reporter_kr.loadbalancer.server.port=8095"
+      - "traefik.http.routers.reporter_kr.tls=true"
+      - "traefik.http.middlewares.reporter_kr_strip.stripprefix.prefixes=/kr-reporter"
+      - "traefik.http.routers.reporter_kr.middlewares=reporter_kr_strip"
+      - "traefik.http.routers.reporter_kr.priority=20"
+
+      - "traefik.http.routers.reporter_kr_api.middlewares=reporter_kr_strip,exporter_auth"
+      - "traefik.http.routers.reporter_kr_api.rule=PathRegexp(`/kr-reporter/.+`)"
+      - "traefik.http.routers.reporter_kr_api.tls=true"
+      - "traefik.http.routers.reporter_kr_api.priority=25"
+

kr/modules/exporter.md

@@ -1,15 +0,0 @@
-# Exporter and Reporter
-
-
-## Exporter
-The exporter is a REST API that exports the data of the different databases of the bridgehead in a set of tables.
-It can accept different output formats as CSV, Excel, JSON or XML. It can also export data into Opal.
-
-## Exporter-DB
-It is a database to save queries for its execution in the exporter. 
-The exporter manages also the different executions of the same query in through the database.
-
-## Reporter
-This component is a plugin of the exporter that allows to create more complex Excel reports described in templates.
-It is compatible with different template engines as Groovy, Thymeleaf,...
-It is perfect to generate a document as our traditional CCP quality report.

kr/modules/teiler-compose.yml

@@ -7,73 +7,58 @@ services:
     container_name: bridgehead-teiler-orchestrator
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.teiler_orchestrator_ccp.rule=PathPrefix(`/ccp-teiler`)"
-      - "traefik.http.services.teiler_orchestrator_ccp.loadbalancer.server.port=9000"
-      - "traefik.http.routers.teiler_orchestrator_ccp.tls=true"
-      - "traefik.http.middlewares.teiler_orchestrator_ccp_strip.stripprefix.prefixes=/ccp-teiler"
-      - "traefik.http.routers.teiler_orchestrator_ccp.middlewares=teiler_orchestrator_ccp_strip"
+      - "traefik.http.routers.teiler_orchestrator_kr.rule=PathPrefix(`/kr-teiler`)"
+      - "traefik.http.services.teiler_orchestrator_kr.loadbalancer.server.port=9000"
+      - "traefik.http.routers.teiler_orchestrator_kr.tls=true"
+      - "traefik.http.middlewares.teiler_orchestrator_kr_strip.stripprefix.prefixes=/kr-teiler"
+      - "traefik.http.routers.teiler_orchestrator_kr.middlewares=teiler_orchestrator_kr_strip"
     environment:
-      TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
-      TEILER_DASHBOARD_URL: "https://${HOST}/ccp-teiler-dashboard"
+      TEILER_BACKEND_URL: "/kr-teiler-backend"
+      TEILER_DASHBOARD_URL: "/kr-teiler-dashboard"
       DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE_LOWER_CASE}"
-      HTTP_RELATIVE_PATH: "/ccp-teiler"
+      HTTP_RELATIVE_PATH: "/kr-teiler"
 
   teiler-dashboard:
-    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:develop
+    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:${TEILER_DASHBOARD_TAG}
     container_name: bridgehead-teiler-dashboard
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.teiler_dashboard_ccp.rule=PathPrefix(`/ccp-teiler-dashboard`)"
-      - "traefik.http.services.teiler_dashboard_ccp.loadbalancer.server.port=80"
-      - "traefik.http.routers.teiler_dashboard_ccp.tls=true"
-      - "traefik.http.middlewares.teiler_dashboard_ccp_strip.stripprefix.prefixes=/ccp-teiler-dashboard"
-      - "traefik.http.routers.teiler_dashboard_ccp.middlewares=teiler_dashboard_ccp_strip"
+      - "traefik.http.routers.teiler_dashboard_kr.rule=PathPrefix(`/kr-teiler-dashboard`)"
+      - "traefik.http.services.teiler_dashboard_kr.loadbalancer.server.port=80"
+      - "traefik.http.routers.teiler_dashboard_kr.tls=true"
+      - "traefik.http.middlewares.teiler_dashboard_kr_strip.stripprefix.prefixes=/kr-teiler-dashboard"
+      - "traefik.http.routers.teiler_dashboard_kr.middlewares=teiler_dashboard_kr_strip"
     environment:
       DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
-      TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
-      TEILER_DASHBOARD_URL: "https://${HOST}/ccp-teiler-dashboard"
-      OIDC_URL: "${OIDC_URL}"
-      OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}"
-      OIDC_TOKEN_GROUP: "${OIDC_GROUP_CLAIM}"
+      TEILER_BACKEND_URL: "/kr-teiler-backend"
+      TEILER_DASHBOARD_URL: "/kr-teiler-dashboard"
       TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
       TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
       TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
       TEILER_PROJECT: "${PROJECT}"
       EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
-      TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
-      TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
-      TEILER_USER: "${OIDC_USER_GROUP}"
-      TEILER_ADMIN: "${OIDC_ADMIN_GROUP}"
+      TEILER_ORCHESTRATOR_URL: "/kr-teiler"
+      TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/kr-teiler"
       REPORTER_DEFAULT_TEMPLATE_ID: "ccp-qb"
       EXPORTER_DEFAULT_TEMPLATE_ID: "ccp"
 
 
   teiler-backend:
-    image: docker.verbis.dkfz.de/ccp/dktk-teiler-backend:latest
+    image: docker.verbis.dkfz.de/ccp/kr-teiler-backend:latest
     container_name: bridgehead-teiler-backend
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.teiler_backend_ccp.rule=PathPrefix(`/ccp-teiler-backend`)"
-      - "traefik.http.services.teiler_backend_ccp.loadbalancer.server.port=8085"
-      - "traefik.http.routers.teiler_backend_ccp.tls=true"
-      - "traefik.http.middlewares.teiler_backend_ccp_strip.stripprefix.prefixes=/ccp-teiler-backend"
-      - "traefik.http.routers.teiler_backend_ccp.middlewares=teiler_backend_ccp_strip"
+      - "traefik.http.routers.teiler_backend_kr.rule=PathPrefix(`/kr-teiler-backend`)"
+      - "traefik.http.services.teiler_backend_kr.loadbalancer.server.port=8085"
+      - "traefik.http.routers.teiler_backend_kr.tls=true"
+      - "traefik.http.middlewares.teiler_backend_kr_strip.stripprefix.prefixes=/kr-teiler-backend"
+      - "traefik.http.routers.teiler_backend_kr.middlewares=teiler_backend_kr_strip"
     environment:
       LOG_LEVEL: "INFO"
       APPLICATION_PORT: "8085"
-      APPLICATION_ADDRESS: "${HOST}"
       DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
-      CONFIG_ENV_VAR_PATH: "/run/secrets/ccp.conf"
-      TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
-      TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
-      TEILER_DASHBOARD_DE_URL: "https://${HOST}/ccp-teiler-dashboard/de"
-      TEILER_DASHBOARD_EN_URL: "https://${HOST}/ccp-teiler-dashboard/en"
+      TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/kr-teiler"
+      TEILER_ORCHESTRATOR_URL: "/kr-teiler"
+      TEILER_DASHBOARD_DE_URL: "/kr-teiler-dashboard/de"
+      TEILER_DASHBOARD_EN_URL: "/kr-teiler-dashboard/en"
       HTTP_PROXY: "http://forward_proxy:3128"
-      ENABLE_MTBA: "${ENABLE_MTBA}"
-      ENABLE_DATASHIELD: "${ENABLE_DATASHIELD}"
-    secrets:
-      - ccp.conf
-
-secrets:
-  ccp.conf:
-    file: /etc/bridgehead/ccp.conf

kr/modules/teiler-setup.sh

@@ -3,7 +3,6 @@
 if [ "$ENABLE_TEILER" == true ];then
   log INFO "Teiler setup detected -- will start Teiler services."
   OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml"
-  TEILER_DEFAULT_LANGUAGE=DE
+  TEILER_DEFAULT_LANGUAGE=EN
   TEILER_DEFAULT_LANGUAGE_LOWER_CASE=${TEILER_DEFAULT_LANGUAGE,,}
-  add_public_oidc_redirect_url "/ccp-teiler/*"
 fi

kr/modules/teiler.md

@@ -1,19 +0,0 @@
-# Teiler
-This module orchestrates the different microfrontends of the bridgehead as a single page application.  
-
-## Teiler Orchestrator
-Single SPA component that consists on the root HTML site of the single page application and a javascript code that
-gets the information about the microfrontend calling the teiler backend and is responsible for registering them. With the
-resulting mapping, it can initialize, mount and unmount the required microfrontends on the fly. 
-
-The microfrontends run independently in different containers and can be based on different frameworks (Angular, Vue, React,...)
-This microfrontends can run as single alone but need an extension with Single-SPA (https://single-spa.js.org/docs/ecosystem).
-There are also available three templates (Angular, Vue, React) to be directly extended to be used directly in the teiler.
-
-## Teiler Dashboard
-It consists on the main dashboard and a set of embedded services.
-### Login
-user and password in ccp.local.conf
-
-## Teiler Backend
-In this component, the microfrontends are configured.

lib/functions.sh

@@ -301,19 +301,33 @@ function sync_secrets() {
     if [[ $secret_sync_args == "" ]]; then
         return
     fi
+
+    if [ "$PROJECT" == "bbmri" ]; then
+        # If the project is BBMRI, use the BBMRI-ERIC broker and not the GBN broker
+        proxy_id=$ERIC_PROXY_ID
+        broker_url=$ERIC_BROKER_URL
+        broker_id=$ERIC_BROKER_ID
+        root_crt_file="/srv/docker/bridgehead/bbmri/modules/${ERIC_ROOT_CERT}.root.crt.pem"
+    else
+        proxy_id=$PROXY_ID
+        broker_url=$BROKER_URL
+        broker_id=$BROKER_ID
+        root_crt_file="/srv/docker/bridgehead/$PROJECT/root.crt.pem"
+    fi
+
     mkdir -p /var/cache/bridgehead/secrets/ || fail_and_report 1 "Failed to create '/var/cache/bridgehead/secrets/'. Please run sudo './bridgehead install $PROJECT' again."
     touch /var/cache/bridgehead/secrets/oidc
     docker run --rm \
         -v /var/cache/bridgehead/secrets/oidc:/usr/local/cache \
         -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
-        -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
+        -v $root_crt_file:/run/secrets/root.crt.pem:ro \
         -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
         -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
         -e NO_PROXY=localhost,127.0.0.1 \
         -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
-        -e PROXY_ID=$PROXY_ID \
-        -e BROKER_URL=$BROKER_URL \
-        -e OIDC_PROVIDER=secret-sync-central.central-secret-sync.$BROKER_ID \
+        -e PROXY_ID=$proxy_id \
+        -e BROKER_URL=$broker_url \
+        -e OIDC_PROVIDER=secret-sync-central.test-secret-sync.$broker_id \
         -e SECRET_DEFINITIONS=$secret_sync_args \
         docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
 

minimal/modules/dnpm-node-compose.yml

@@ -43,7 +43,7 @@ services:
       - "traefik.http.routers.dnpm-auth.tls=true"
 
   dnpm-portal:
-    image: ghcr.io/dnpm-dip/portal:latest
+    image: ghcr.io/dnpm-dip/portal:${DNPM_IMAGE_TAG:-latest}
     container_name: bridgehead-dnpm-portal
     environment:
       - NUXT_API_URL=http://dnpm-backend:9000/
@@ -58,7 +58,7 @@ services:
 
   dnpm-backend:
     container_name: bridgehead-dnpm-backend
-    image: ghcr.io/dnpm-dip/backend:latest
+    image: ghcr.io/dnpm-dip/api-gateway:latest
     environment:
       - LOCAL_SITE=${ZPM_SITE}:${SITE_NAME}   # Format: {Site-ID}:{Site-name}, e.g. UKT:Tübingen
       - RD_RANDOM_DATA=${DNPM_SYNTH_NUM:--1}

modules/transfair-compose.yml

@@ -10,7 +10,7 @@ services:
       - TTP_GW_SOURCE
       - TTP_GW_EPIX_DOMAIN
       - TTP_GW_GPAS_DOMAIN
-      - TTP_TYPE
+      - TTP_GW_GPAS_URL
       - TTP_AUTH
       - PROJECT_ID_SYSTEM
       - FHIR_REQUEST_URL=${FHIR_REQUEST_URL}
@@ -26,6 +26,7 @@ services:
       - TLS_DISABLE=${TRANSFAIR_TLS_DISABLE:-false}
       - NO_PROXY=${TRANSFAIR_NO_PROXIES}
       - ALL_PROXY=http://forward_proxy:3128
+    command: dic ${TTP_TYPE}
     volumes:
       - /var/cache/bridgehead/${PROJECT}/transfair:/transfair
       - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro

versions/acceptance

@@ -1,4 +1,6 @@
 FOCUS_TAG=develop
 BEAM_TAG=develop
 BLAZE_TAG=main
-POSTGRES_TAG=15.13-alpine
+POSTGRES_TAG=15.13-alpine
+TEILER_DASHBOARD_TAG=develop
+MTBA_TAG=develop

versions/prod

@@ -1,4 +1,6 @@
 FOCUS_TAG=main
 BEAM_TAG=main
 BLAZE_TAG=0.32
-POSTGRES_TAG=15.13-alpine
+POSTGRES_TAG=15.13-alpine
+TEILER_DASHBOARD_TAG=main
+MTBA_TAG=main

versions/test

@@ -1,4 +1,6 @@
 FOCUS_TAG=develop
 BEAM_TAG=develop
 BLAZE_TAG=main
-POSTGRES_TAG=15.13-alpine
+POSTGRES_TAG=15.13-alpine
+TEILER_DASHBOARD_TAG=develop
+MTBA_TAG=develop