Merge pull request #287 from tm16-medma/patch-1

Update ovis-compose.yml

.github/CODEOWNERS

@@ -1 +0,0 @@
-*  @samply/bridgehead-developers

README.md

@@ -22,13 +22,11 @@ This repository is the starting point for any information and tools you will nee
     - [TLS terminating proxies](#tls-terminating-proxies)
     - [File structure](#file-structure)
     - [BBMRI-ERIC Directory entry needed](#bbmri-eric-directory-entry-needed)
-    - [Directory sync tool](#directory-sync-tool)
     - [Loading data](#loading-data)
 4. [Things you should know](#things-you-should-know)
     - [Auto-Updates](#auto-updates)
     - [Auto-Backups](#auto-backups)
     - [Non-Linux OS](#non-linux-os)
-    - [FAQ](#faq)
 5. [Troubleshooting](#troubleshooting)
     - [Docker Daemon Proxy Configuration](#docker-daemon-proxy-configuration)
     - [Monitoring](#monitoring)
@@ -303,38 +301,26 @@ Once you have added your biobank to the Directory you got persistent identifier
 
 ### Directory sync tool
 
-The Bridgehead's **Directory Sync** is an optional feature that keeps the BBMRI-ERIC Directory up to date with your local data, e.g. number of samples. Conversely, it can also update the local FHIR store with the latest contact details etc. from the  BBMRI-ERIC Directory.
+The Bridgehead's **Directory Sync** is an optional feature that keeps the Directory up to date with your local data, e.g. number of samples. Conversely, it also updates the local FHIR store with the latest contact details etc. from the Directory. You must explicitly set your country specific directory URL, username and password to enable this feature.
 
 You should talk with your local data protection group regarding the information that is published by Directory sync.
 
-To enable it, you will need to explicitly set the username and password variables for BBMRI-ERIC Directory login in the configuration file of your GitLab repository (e.g. ```bbmri.conf```). Here is an example minimal config:
+Full details can be found in [directory_sync_service](https://github.com/samply/directory_sync_service).
+
+To enable it, you will need to set these variables to the ```bbmri.conf``` file of your GitLab repository. Here is an example config:
 
 ```
 DS_DIRECTORY_USER_NAME=your_directory_username
 DS_DIRECTORY_USER_PASS=your_directory_password
 ```
-Please contact your National Node or Directory support (directory-dev@helpdesk.bbmri-eric.eu) to obtain these credentials.
+Please contact your National Node to obtain this information.
 
-The following environment variables can be used from within your config file to control the behavior of Directory sync:
+Optionally, you **may** change when you want Directory sync to run by specifying a [cron](https://crontab.guru) expression, e.g. `DS_TIMER_CRON="0 22 * * *"` for 10 pm every evening.
 
-| Variable                           | Purpose                                                                                                                                                              | Default if not specified               |
-|:-----------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------|
-| DS_DIRECTORY_URL                   | Base URL of the Directory                                                                                                                                            | https://directory-backend.molgenis.net |
-| DS_DIRECTORY_USER_NAME             | User name for logging in to Directory **Mandatory**                                                                                                                  |                                        |
-| DS_DIRECTORY_USER_PASS             | Password for logging in to Directory **Mandatory**                                                                                                                   |                                        |
-| DS_DIRECTORY_DEFAULT_COLLECTION_ID | ID of collection to be used if not in samples                                                                                                                        |                                        |
-| DS_DIRECTORY_ALLOW_STAR_MODEL      | Set to 'True' to send star model info to Directory                                                                                                                   | True                                  |
-| DS_FHIR_STORE_URL                  | URL for FHIR store                                                                                                                                                   | http://bridgehead-bbmri-blaze:8080     |
-| DS_TIMER_CRON                      | Execution interval for Directory sync, [cron](https://crontab.guru) format                                                                                           | 0 22 * * *                             |
-| DS_IMPORT_BIOBANKS                 | Set to 'True' to import biobank metadata from Directory                                                                                                              | True                                  |
-| DS_IMPORT_COLLECTIONS              | Set to 'True' to import collection metadata from Directory                                                                                                           | True                                  |
-
-Once you have finished editing the config, the Bridgehead will autoupdate the config with the values and will sync data at regular intervals, using the time specified in DS_TIMER_CRON.
+Once you edited the gitlab config, the bridgehead will autoupdate the config with the values and will sync the data.
 
 There will be a delay before the effects of Directory sync become visible. First, you will need to wait until the time you have specified in ```TIMER_CRON```. Second, the information will then be synchronized from your national node with the central European Directory. This can take up to 24 hours.
 
-More details of Directory sync can be found in [directory_sync_service](https://github.com/samply/directory_sync_service).
-
 ### Loading data
 
 The data accessed by the federated search is held in the Bridgehead in a FHIR store (we use Blaze).
@@ -354,24 +340,6 @@ The storage space on your hard drive will depend on the number of FHIR resources
 
 For more information on Blaze performance, please refer to [import performance](https://github.com/samply/blaze/blob/master/docs/performance/import.md).
 
-### Clearing data
-
-The Bridgehead's FHIR store, Blaze, saves its data in a Docker volume. This means that the data will persist even if you stop the Bridgehead. You can clear existing data from the FHIR store by deleting the relevant Docker volume.
-
-First, stop the Bridgehead:
-```shell
-sudo systemctl stop bridgehead@<PROJECT>.service
-```
-Now remove the volume:
-```shell
-docker volume rm <PROJECT>_blaze-data
-```
-Finally, restart the Bridgehead:
-```shell
-sudo systemctl start bridgehead@<PROJECT>.service
-```
-You will need to do this for example if you are using a VM as a test environment and you subsequently want to use the same VM for production.
-
 #### ETL for BBMRI and GBA
 
 Normally, you will need to build your own ETL to feed the Bridgehead. However, there is one case where a short cut might be available:
@@ -418,54 +386,6 @@ We have tested the installation procedure with an Ubuntu 22.04 guest system runn
 
 Installation under WSL ought to work, but we have not tested this.
 
-### FAQ
-
-**Q: How is the security of GitHub pulls, volumes/containers, and image signing ensured?**
-
-A: Changes to Git branches that could be delivered to sites (main and develop) must be accepted via a pull request with at least two positive reviews.
-Containers/images are not built manually, but rather automatically through a CI/CD pipeline, so that an image can be rolled back to a defined code version at any time without changes.
-**Note:** If firewall access for (outgoing) connections to GitHub and/or Docker Hub is problematic at the site, mirrors for both services are available, operated by the DKFZ.
-
-**Q: How is authentication between users and components regulated?**
-
-A: When setting up a Bridgehead, a private key and a so-called Certificate Sign Request (CSR) are generated locally. This CSR is manually signed by the broker operator, which allows the Bridgehead access to the network infrastructure.
-All communication runs via Samply.Beam and is therefore end-to-end encrypted, but also signed. This allows the integrity and authenticity of the sender to be technically verified (which happens automatically both in the broker and at the recipients).
-The connection to the broker is additionally secured using traditional TLS (transport encryption over https).
-
-**Q: Are there any statistics on incoming traffic from the Bridgehead (what goes in and what goes out)?**
-
-A: Incoming and outgoing traffic can only enter/leave the Bridgehead via a forward or reverse proxy, respectively. These components log all connections.
-Statistical analysis is not currently being conducted, but is on the roadmap for some projects. We are also working on a dashboard for all tasks/responses delivered via Samply.Beam.
-
-**Q: How is container access controlled, and what permission level is used?**
-
-A: Currently, it is not possible to run the Bridgehead "out-of-the-box" as a rootless Docker Compose stack. The main reason is the operation of the reverse proxy (Traefik), which binds to the privileged ports 80 (HTTP) and 443 (HTTPS).
-Otherwise, there are no known technical obstacles, although we don't have concrete experience implementing this.
-At the file system level, a "bridgehead" user is created during installation, which manages the configuration and Bridgehead folders.
-
-**Q: Is a cloud installation (not a company-owned one, but an external service provider) possible?**
-
-A: Technically, yes. This is primarily a data protection issue between the participant and their cloud provider.
-The Bridgehead contains a data storage system that, during use, contains sensitive patient and sample data.
-There are cloud providers with whom appropriately worded contracts can be concluded to make this possible.
-Of course, the details must be discussed with the responsible data protection officer.
-
-**Q: What needs to be considered regarding the Docker distribution/registry, and how is it used here?**
-
-A: The Bridgehead images are located both in Docker Hub and mirrored in a registry operated by the DKFZ.
-The latter is used by default, avoiding potential issues with Docker Hub URL activation or rate limits.
-When using automatic updates (highly recommended), an daily check is performed for:
-- site configuration updates
-- Bridgehead software updates
-- container image updates
-
-If updates are found, they are downloaded and applied.
-See the first question for the control mechanism.
-
-**Q: Is data only transferred one-way (Bridgehead/FHIR Store → Central/Locator), or is two-way access necessary?**
-
-A: By using Samply.Beam, only one outgoing connection to the broker is required at the network level (i.e., Bridgehead → Broker).
-
 ## Troubleshooting
 
 ### Docker Daemon Proxy Configuration

bbmri/docker-compose.yml

@@ -4,7 +4,7 @@ version: "3.7"
 
 services:
   blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.31
     container_name: bridgehead-bbmri-blaze
     environment:
       BASE_URL: "http://bridgehead-bbmri-blaze:8080"

bbmri/modules/directory-sync-compose.yml

@@ -12,7 +12,5 @@ services:
       DS_DIRECTORY_MOCK: ${DS_DIRECTORY_MOCK}
       DS_DIRECTORY_DEFAULT_COLLECTION_ID: ${DS_DIRECTORY_DEFAULT_COLLECTION_ID}
       DS_DIRECTORY_COUNTRY: ${DS_DIRECTORY_COUNTRY}
-      DS_IMPORT_BIOBANKS: ${DS_IMPORT_BIOBANKS:-true}
-      DS_IMPORT_COLLECTIONS: ${DS_IMPORT_COLLECTIONS:-true}
     depends_on:
       - "blaze"

bbmri/modules/eric-setup.sh

@@ -10,10 +10,6 @@ if [ "${ENABLE_ERIC}" == "true" ]; then
 			export ERIC_BROKER_ID=broker.bbmri.samply.de
 			export ERIC_ROOT_CERT=eric
 			;;
-		"acceptance")
-			export ERIC_BROKER_ID=broker-acc.bbmri-acc.samply.de
-			export ERIC_ROOT_CERT=eric.acc
-			;;
 		"test")
 			export ERIC_BROKER_ID=broker-test.bbmri-test.samply.de
 			export ERIC_ROOT_CERT=eric.test

bbmri/modules/eric.acc.root.crt.pem

@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDNTCCAh2gAwIBAgIUE/wu6FmI+KSMOalI65b+lI3HI4cwDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjQwOTE2MTUyMzU0WhcNMzQw
-OTE0MTUyNDI0WjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAOt1I1FQt2bI4Nnjtg8JBYid29cBIkDT4MMb45Jr
-ays24y4R3WO7VJK9UjNduSq/A1jlA0W0A/szDf8Ojq6bBtg+uL92PTDjYH1QXwX0
-c7eMo2tvvyyrs/cb2/ovDBQ1lpibcxVmVAv042ASmil3SdqKKXpv3ATnF9I7V4cv
-fwB56FChaGIov5EK+9JOMjTx6oMlBEgUFR6qq/lSqM9my0HYwUFbX2W+nT9EKEIP
-9UP1eyfRZR3E/+oticnm/cS20BGCbjoYrNgLthXKyaASuhGoElKs8EZ3h9MiI+u0
-DpR0KpePhAkMLugBrgYWqkMwwD1684LfC4YVQrsLwzo5OW8CAwEAAaN7MHkwDgYD
-VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFPbXs3g3lMjH
-1JMe0a5aVbN7lB92MB8GA1UdIwQYMBaAFPbXs3g3lMjH1JMe0a5aVbN7lB92MBYG
-A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQBM5RsXb2HN
-FpC1mYfocXAn20Zu4d603qmc/IqkiOWbp36pWo+jk1AxejyRS9hEpQalgSnvcRPQ
-1hPEhGU+wvI0WWVi/01iNjVbXmJNPQEouXQWAT17dyp9vqQkPw8LNzpSV/qdPgbT
-Z9o3sZrjUsSLsK7A7Q5ky4ePkiJBaMsHeAD+wqGwpiJ4D2Xhp8e1v36TWM0qt2EA
-gySx9isx/jeGGPBmDqYB9BCal5lrihPN56jd+5pCkyXeZqKWiiXFJKXwcwxctYZc
-ADHIiTLLPXE8LHTUJAO51it1NAZ1S24aMzax4eWDXcWO7/ybbx5pkYkMd6EqlKHd
-8riQJIhY4huX
------END CERTIFICATE-----

bridgehead

@@ -35,9 +35,6 @@ case "$PROJECT" in
 	cce)
 		#nothing extra to do
 		;;
-	pscc)
-		#nothing extra to do
-		;;
 	itcc)
 		#nothing extra to do
 		;;
@@ -72,7 +69,7 @@ loadVars() {
 		if [ "$(git rev-parse --abbrev-ref HEAD)" == "main" ]; then
 			ENVIRONMENT="production"
 		else
-			ENVIRONMENT="test" # we have acceptance environment in BBMRI ERIC and it would be more appropriate to default to that one in case the data they have in BH is real, but I'm gonna leave it as is for backward compatibility
+			ENVIRONMENT="test"
 		fi
 	fi
 	# Source the versions of the images components 
@@ -83,9 +80,6 @@ loadVars() {
 		"test")
 			source ./versions/test
 			;;
-		"acceptance")
-			source ./versions/acceptance
-			;;
 		*)
 			report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
 			source ./versions/prod

cce/docker-compose.yml

@@ -2,14 +2,13 @@ version: "3.7"
 
 services:
   blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.31
     container_name: bridgehead-cce-blaze
     environment:
       BASE_URL: "http://bridgehead-cce-blaze:8080"
       JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
       DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
-      DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
-      CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
+      DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP
       ENFORCE_REFERENTIAL_INTEGRITY: "false"
     volumes:
       - "blaze-data:/app/data"
@@ -32,10 +31,6 @@ services:
       BEAM_PROXY_URL: http://beam-proxy:8081
       RETRY_COUNT: ${FOCUS_RETRY_COUNT}
       EPSILON: 0.28
-      QUERIES_TO_CACHE: '/queries_to_cache.conf'
-      ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
-    volumes:
-      - /srv/docker/bridgehead/cce/queries_to_cache.conf:/queries_to_cache.conf:ro
     depends_on:
       - "beam-proxy"
       - "blaze"

cce/modules/pscc-compose.yml

@@ -1,65 +0,0 @@
-version: "3.7"
-
-services:
-  blaze-pscc:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
-    container_name: bridgehead-pscc-blaze
-    environment:
-      BASE_URL: "http://bridgehead-pscc-blaze:8080"
-      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
-      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
-      DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
-      CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
-      ENFORCE_REFERENTIAL_INTEGRITY: "false"
-    volumes:
-      - "blaze-data-pscc:/app/data"
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.blaze_pscc.rule=PathPrefix(`/pscc-localdatamanagement`)"
-      - "traefik.http.middlewares.pscc_b_strip.stripprefix.prefixes=/pscc-localdatamanagement"
-      - "traefik.http.services.blaze_pscc.loadbalancer.server.port=8080"
-      - "traefik.http.routers.blaze_pscc.middlewares=pscc_b_strip"
-      - "traefik.http.routers.blaze_pscc.tls=true"
-
-  focus-pscc:
-    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
-    container_name: bridgehead-pscc-focus
-    environment:
-      API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
-      BEAM_APP_ID_LONG: focus.${PROXY_ID_PSCC}
-      PROXY_ID: ${PROXY_ID_PSCC}
-      BLAZE_URL: "http://bridgehead-pscc-blaze:8080/fhir/"
-      BEAM_PROXY_URL: http://beam-proxy-pscc:8081
-      RETRY_COUNT: ${FOCUS_RETRY_COUNT}
-      EPSILON: 0.28
-      ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
-    depends_on:
-      - "beam-proxy"
-      - "blaze"
-
-  beam-proxy-pscc:
-    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG}
-    container_name: bridgehead-pscc-beam-proxy
-    environment:
-      BROKER_URL: ${BROKER_URL_PSCC}
-      PROXY_ID: ${PROXY_ID_PSCC}
-      APP_focus_KEY: ${FOCUS_BEAM_SECRET_SHORT}
-      PRIVKEY_FILE: /run/secrets/proxy.pem
-      ALL_PROXY: http://forward_proxy:3128
-      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
-      ROOTCERT_FILE: /conf/root.crt.pem
-    secrets:
-      - proxy.pem
-    depends_on:
-      - "forward_proxy"
-    volumes:
-      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
-      - /srv/docker/bridgehead/pscc/root.crt.pem:/conf/root.crt.pem:ro
-
-
-volumes:
-  blaze-data-pscc:
-
-secrets:
-  proxy.pem:
-    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem

cce/modules/pscc-setup.sh

@@ -1,5 +0,0 @@
-#!/bin/bash
-
-if [ -n "$ENABLE_PSCC" ];then
-  OVERRIDE+=" -f ./$PROJECT/modules/pscc-compose.yml"
-fi

cce/queries_to_cache.conf

@@ -1,2 +0,0 @@
-bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwpjb2Rlc3lzdGVtIFNhbXBsZU1hdGVyaWFsVHlwZTogJ2h0dHBzOi8vZmhpci5iYm1yaS5kZS9Db2RlU3lzdGVtL1NhbXBsZU1hdGVyaWFsVHlwZScKCmNvZGVzeXN0ZW0gbG9pbmM6ICdodHRwOi8vbG9pbmMub3JnJwoKY29udGV4dCBQYXRpZW50CgpES1RLX1NUUkFUX0dFTkRFUl9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0FHRV9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RFQ0VBU0VEX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfRElBR05PU0lTX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfU1BFQ0lNRU5fU1RSQVRJRklFUgoKREtUS19TVFJBVF9QUk9DRURVUkVfU1RSQVRJRklFUgoKREtUS19TVFJBVF9NRURJQ0FUSU9OX1NUUkFUSUZJRVIKREtUS19TVFJBVF9ERUZfSU5fSU5JVElBTF9QT1BVTEFUSU9OCnRydWU=
-bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwpjb2Rlc3lzdGVtIFNhbXBsZU1hdGVyaWFsVHlwZTogJ2h0dHBzOi8vZmhpci5iYm1yaS5kZS9Db2RlU3lzdGVtL1NhbXBsZU1hdGVyaWFsVHlwZScKCmNvZGVzeXN0ZW0gbG9pbmM6ICdodHRwOi8vbG9pbmMub3JnJwpjb2Rlc3lzdGVtIGljZDEwOiAnaHR0cDovL2ZoaXIuZGUvQ29kZVN5c3RlbS9iZmFybS9pY2QtMTAtZ20nCmNvZGVzeXN0ZW0gbW9ycGg6ICd1cm46b2lkOjIuMTYuODQwLjEuMTEzODgzLjYuNDMuMScKCmNvbnRleHQgUGF0aWVudAoKREtUS19TVFJBVF9HRU5ERVJfU1RSQVRJRklFUgoKREtUS19TVFJBVF9BR0VfU1RSQVRJRklFUgoKREtUS19TVFJBVF9ERUNFQVNFRF9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RJQUdOT1NJU19TVFJBVElGSUVSCgpES1RLX1NUUkFUX1NQRUNJTUVOX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfUFJPQ0VEVVJFX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfTUVESUNBVElPTl9TVFJBVElGSUVSCkRLVEtfU1RSQVRfREVGX0lOX0lOSVRJQUxfUE9QVUxBVElPTgooKGV4aXN0cyBbQ29uZGl0aW9uOiBDb2RlICdDNjEnIGZyb20gaWNkMTBdKSBhbmQKKChleGlzdHMgZnJvbSBbT2JzZXJ2YXRpb246IENvZGUgJzU5ODQ3LTQnIGZyb20gbG9pbmNdIE8Kd2hlcmUgTy52YWx1ZS5jb2RpbmcuY29kZSBjb250YWlucyAnODE0MC8zJykgb3IKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4MTQ3LzMnKSBvcgooZXhpc3RzIGZyb20gW09ic2VydmF0aW9uOiBDb2RlICc1OTg0Ny00JyBmcm9tIGxvaW5jXSBPCndoZXJlIE8udmFsdWUuY29kaW5nLmNvZGUgY29udGFpbnMgJzg0ODAvMycpIG9yCihleGlzdHMgZnJvbSBbT2JzZXJ2YXRpb246IENvZGUgJzU5ODQ3LTQnIGZyb20gbG9pbmNdIE8Kd2hlcmUgTy52YWx1ZS5jb2RpbmcuY29kZSBjb250YWlucyAnODUwMC8zJykpKQ==

cce/vars

@@ -1,9 +1,6 @@
 BROKER_ID=test-no-real-data.broker.samply.de
-BROKER_ID_PSCC=test-no-real-data.broker.samply.de
 BROKER_URL=https://${BROKER_ID}
-BROKER_URL_PSCC=https://${BROKER_ID}
 PROXY_ID=${SITE_ID}.${BROKER_ID}
-PROXY_ID_PSCC=${SITE_ID}.${BROKER_ID_PSCC}
 FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
 SUPPORT_EMAIL=manoj.waikar@dkfz-heidelberg.de

ccp/docker-compose.yml

@@ -2,7 +2,7 @@ version: "3.7"
 
 services:
   blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.31
     container_name: bridgehead-ccp-blaze
     environment:
       BASE_URL: "http://bridgehead-ccp-blaze:8080"
@@ -35,7 +35,7 @@ services:
       QUERIES_TO_CACHE: '/queries_to_cache.conf'
       ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
     volumes:
-      - /srv/docker/bridgehead/ccp/queries_to_cache.conf:/queries_to_cache.conf:ro
+      - /srv/docker/bridgehead/ccp/queries_to_cache.conf:/queries_to_cache.conf
     depends_on:
       - "beam-proxy"
       - "blaze"

ccp/modules/blaze-secondary-compose.yml

@@ -2,7 +2,7 @@ version: "3.7"
 
 services:
   blaze-secondary:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.31
     container_name: bridgehead-ccp-blaze-secondary
     environment:
       BASE_URL: "http://bridgehead-ccp-blaze-secondary:8080"

ccp/modules/obds2fhir-rest-compose.yml

@@ -3,7 +3,7 @@ version: "3.7"
 services:
   obds2fhir-rest:
     container_name: bridgehead-obds2fhir-rest
-    image: docker.verbis.dkfz.de/samply/obds2fhir-rest:main
+    image: docker.verbis.dkfz.de/ccp/obds2fhir-rest:main
     environment:
       IDTYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID
       MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}

ccp/modules/ovis-compose.yml

@@ -0,0 +1,112 @@
+version: '3.7'
+
+services:
+
+  ovis-traefik-forward-auth:
+      image: quay.io/oauth2-proxy/oauth2-proxy:latest
+      environment:
+        - http_proxy=${http_proxy:-http://forward_proxy:3128}
+        - https_proxy=${https_proxy:-http://forward_proxy:3128}
+        - OAUTH2_PROXY_PROVIDER=oidc
+        - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
+        - OAUTH2_PROXY_OIDC_ISSUER_URL=${OAUTH_ISSUER_URL}
+        - OAUTH2_PROXY_CLIENT_ID=${OAUTH_CLIENT_ID}
+        - OAUTH2_PROXY_CLIENT_SECRET=${OAUTH_CLIENT_SECRET}
+        - OAUTH2_PROXY_COOKIE_SECRET=${AUTHENTICATION_SECRET}
+        - OAUTH2_PROXY_COOKIE_DOMAINS=.${HOST:-localhost}
+        - OAUTH2_PROXY_COOKIE_REFRESH=4m
+        - OAUTH2_PROXY_COOKIE_EXPIRE=24h
+        - OAUTH2_PROXY_HTTP_ADDRESS=:4180
+        - OAUTH2_PROXY_REVERSE_PROXY=true
+        - OAUTH2_PROXY_WHITELIST_DOMAINS=.${HOST:-localhost}
+        - OAUTH2_PROXY_UPSTREAMS=static://202
+        - OAUTH2_PROXY_EMAIL_DOMAINS=*
+        #- OAUTH2_PROXY_ALLOWED_GROUPS=app-ovis
+        #- OAUTH2_PROXY_ERRORS_TO_INFO_LOG=true
+        - OAUTH2_PROXY_CODE_CHALLENGE_METHOD=S256
+        # For some reason, login.verbis.dkfz.de does not have a "groups" scope but this comes automatically through a
+        # scope called microprofile-jwt. Remove the following line once we have a "groups" scope.
+        - OAUTH2_PROXY_SCOPE=openid profile email
+        # Pass Authorization Header and some user information to spot
+        - OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
+        - OAUTH2_PROXY_SET_XAUTHREQUEST=true
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.middlewares.ovis-traefik-forward-auth.forwardauth.address=http://ovis-traefik-forward-auth:4180"
+        - "traefik.http.middlewares.ovis-traefik-forward-auth.forwardauth.authResponseHeaders=Authorization, X-Forwarded-User, X-Auth-Request-User, X-Auth-Request-Email"
+        - "traefik.http.services.ovis-traefik-forward-auth.loadbalancer.server.port=4180"
+        - "traefik.http.routers.oauth2.rule=Host(`${HOST:-localhost}`) && PathPrefix(`/oauth2-ovis/`)"
+        - "traefik.http.routers.oauth2.tls=true"
+
+  fhir-transformer:
+    image: docker.verbis.dkfz.de/ovis/adt-mon-gql-fhir-transformer:latest
+    restart: on-failure
+    environment:
+      - FHIR_SERVER_URL=${FHIR_SERVER_URL:-http://bridgehead-ccp-blaze:8080/fhir}
+      - FHIR_USERNAME=${FHIR_USERNAME}
+      - FHIR_PASSWORD=${FHIR_PASSWORD}
+    volumes:
+      - /var/cache/bridgehead/ccp/ovis/shared_data:/app/output
+
+  mongo:
+    image: mongo:${MONGO_VER:-latest}
+    restart: always
+    command: mongod
+      - /var/cache/bridgehead/ccp/ovis/mongo/init/init.js:/docker-entrypoint-initdb.d/init.js
+
+  backend:
+    image: docker.verbis.dkfz.de/ovis/adt-mon-gql-backend:latest
+    restart: always
+    user: root
+    working_dir: /app
+    environment:
+      - APOLLO_PORT=${APOLLO_PORT:-4001}
+      - CREDOS_PORT=${CREDOS_PORT:-4000}
+      - MONGO_VER=latest
+      - CORS_ORIGIN=*
+      - DB=${DB:-onc_test}
+      - ADRESS=${ADRESS:-mongodb://mongo:27017}
+    depends_on:
+      - mongo
+      - fhir-transformer
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:${APOLLO_PORT:-4001}/health"]
+      interval: 5s
+      timeout: 3s
+      retries: 5
+      start_period: 10s
+    entrypoint: >
+      sh -c "
+        # First run the initialization process
+        while [ ! -f /shared/omock.json ]; do
+          echo 'Waiting for omock.json...'
+          sleep 5
+        done;
+        mkdir -p ./prep &&
+        cp /shared/omock.json ./prep/omock.json &&
+        node ./mgDB/prep/preprocessor.mjs &&
+        echo 'Processing complete' &&
+        exec node --watch index.js"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.ovis-backend.rule=Host(`${HOST:-localhost}`) && PathPrefix(`/graphql`)"
+      - "traefik.http.routers.ovis-backend.tls=true"
+      - "traefik.http.services.ovis-backend.loadbalancer.server.port=${APOLLO_PORT:-4001}"
+    volumes:
+      - /var/cache/bridgehead/ccp/ovis/shared_data:/shared
+
+  frontend:
+    image: docker.verbis.dkfz.de/ovis/adt-mon-gql-frontend:latest
+    restart: always
+    environment:
+      - PUBLIC_GRAPHQL_URL=https://${HOST:-localhost}/graphql
+    depends_on:
+      backend:
+        condition: service_healthy
+    working_dir: /app
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.ovis-frontend.tls=true"
+      - "traefik.http.routers.ovis-frontend.rule=Host(`${HOST:-localhost}`)"
+      - "traefik.http.routers.ovis-frontend.middlewares=traefik-forward-auth"
+      - "traefik.http.services.ovis-frontend.loadbalancer.server.port=5173"

ccp/modules/ovis-setup.sh

@@ -0,0 +1,108 @@
+#!/bin/bash -e
+
+if [ -n "$ENABLE_OVIS" ];then
+    # Setup MongoDB initialization directory if it doesn't exist
+    mkdir -p "/var/cache/bridgehead/ccp/ovis/mongo/init"
+    
+    # Generate MongoDB initialization script directly
+    cat > "/var/cache/bridgehead/ccp/ovis/mongo/init/init.js" << 'EOF'
+db = db.getSiblingDB("test_credos");
+db.createCollection("user");
+db.user.insertMany([{
+    "_id": "OVIS-Root",
+    "createdAt": new Date(),
+    "createdBy": "system",
+    "role": "super-admin",
+    "status": "active",
+    "pseudonymization": false,
+    "darkMode": false,
+    "colorTheme": "CCCMunich",
+    "language":  "de",
+}]);
+
+db = db.getSiblingDB("onc_test");
+db.createCollection("user");
+db.user.insertMany([{
+    "_id": "OVIS-Root",
+    "createdAt": new Date(),
+    "createdBy": "system",
+    "role": "super-admin",
+    "status": "active",
+    "pseudonymization": false,
+    "darkMode": false,
+    "colorTheme": "CCCMunich",
+    "language":  "de",
+}]);
+
+db.ops.insertMany([
+    {"OPSC_4":"1-40","OPS_Gruppen_Text":"Biopsie ohne Inzision an Nervensystem und endokrinen Organen "},
+    {"OPSC_4":"1-44","OPS_Gruppen_Text":"Biopsie ohne Inzision an den Verdauungsorganen"},
+    {"OPSC_4":"1-40","OPS_Gruppen_Text":"Biopsie ohne Inzision an anderen Organen und Geweben"},
+    {"OPSC_4":"1-50","OPS_Gruppen_Text":"Biopsie an Haut, Mamma, Knochen und Muskeln durch Inzision"},
+    {"OPSC_4":"1-51","OPS_Gruppen_Text":"Biopsie an Nervengewebe, Hypophyse, Corpus pineale durch Inzision und Trepanation von Schädelknochen "},
+    {"OPSC_4":"1-55","OPS_Gruppen_Text":"Biopsie an anderen Verdauungsorganen, Zwerchfell und (Retro-)Peritoneum durch Inzision "},
+    {"OPSC_4":"1-56","OPS_Gruppen_Text":"Biopsie an Harnwegen und männlichen Geschlechtsorgannen durch Inzision"},
+    {"OPSC_4":"1-58","OPS_Gruppen_Text":"Biopsie an anderen Organen durch Inzision "},
+    {"OPSC_4":"1-63","OPS_Gruppen_Text":"Diagnostische Endoskopie des oberen Verdauungstraktes"},
+    {"OPSC_4":"1-65","OPS_Gruppen_Text":"Diagnostische Endoskopie des unteren Verdauungstraktes"},
+    {"OPSC_4":"1-69","OPS_Gruppen_Text":"Diagnostische Endoskopie durch Inzision und intraoperativ "},
+    {"OPSC_4":"5-01","OPS_Gruppen_Text":"Inzision (Trepanation) und Exzision an Schädel, Gehirn und Hirnhäuten"},
+    {"OPSC_4":"5-02","OPS_Gruppen_Text":"Andere Operationen  an Schädel, Gehirn und Hirnhäuten"},
+    {"OPSC_4":"5-03","OPS_Gruppen_Text":"Operationen an Rückenmark, Rückenmarkhäuten und Spinalkanal"},
+    {"OPSC_4":"5-05","OPS_Gruppen_Text":"Andere Operationen an Nerven und Nervenganglien "},
+    {"OPSC_4":"5-06","OPS_Gruppen_Text":"Operationen an Schilddrüse und Nebenschilddrüse "},
+    {"OPSC_4":"5-07","OPS_Gruppen_Text":"Operationen an anderen endokrinen Drüsen "},
+    {"OPSC_4":"5-20","OPS_Gruppen_Text":"Andere Operationen an Mittel- und Innenohr "},
+    {"OPSC_4":"5-25","OPS_Gruppen_Text":"Operationen an der Zunge "},
+    {"OPSC_4":"5-31","OPS_Gruppen_Text":"Andere Larynxoperationen und Operationen an der Trachea "},
+    {"OPSC_4":"5-32","OPS_Gruppen_Text":"Exzision und Resektion an Lunge und Bronchus "},
+    {"OPSC_4":"5-33","OPS_Gruppen_Text":"Andere Operationen an Lunge und Bronchus"},
+    {"OPSC_4":"5-34","OPS_Gruppen_Text":"Operationen an Brustwand, Pleura, Mediastinum und Zwerchfell "},
+    {"OPSC_4":"5-37","OPS_Gruppen_Text":"Rhythmuschirurgie und andere Operationen an Herz und Perikard"},
+    {"OPSC_4":"5-38","OPS_Gruppen_Text":"Inzision, Exzision und Verschluß von Blutgefäßen "},
+    {"OPSC_4":"5-39","OPS_Gruppen_Text":"Andere Operationen an Blutgefäßen "},
+    {"OPSC_4":"5-40","OPS_Gruppen_Text":"Operationen am Lymphgewebe "},
+    {"OPSC_4":"5-41","OPS_Gruppen_Text":"Operationen an Milz und Knochenmark "},
+    {"OPSC_4":"5-42","OPS_Gruppen_Text":"Operationen am Ösophagus "},
+    {"OPSC_4":"5-43","OPS_Gruppen_Text":"Inzision, Exzision und Resektion am Magen "},
+    {"OPSC_4":"5-44","OPS_Gruppen_Text":"Erweiterte Magenresektion und andere Operationen am Magen "},
+    {"OPSC_4":"5-45","OPS_Gruppen_Text":"Inzision, Exzision, Resektion und Anastomose an Dünn- und Dickdarm "},
+    {"OPSC_4":"5-46","OPS_Gruppen_Text":"Andere Operationen an Dünn- und Dickdarm "},
+    {"OPSC_4":"5-47","OPS_Gruppen_Text":"Operationen an der Appendix "},
+    {"OPSC_4":"5-48","OPS_Gruppen_Text":"Operationen am Rektum "},
+    {"OPSC_4":"5-49","OPS_Gruppen_Text":"Operationen am Anus "},
+    {"OPSC_4":"5-50","OPS_Gruppen_Text":"Operationen an der Leber "},
+    {"OPSC_4":"5-51","OPS_Gruppen_Text":"Operationen an Gallenblase und Gallenwegen "},
+    {"OPSC_4":"5-52","OPS_Gruppen_Text":"Operationen am Pankreas "},
+    {"OPSC_4":"5-53","OPS_Gruppen_Text":"Verschluß abdominaler Hernien "},
+    {"OPSC_4":"5-54","OPS_Gruppen_Text":"Andere Operationen in der Bauchregion "},
+    {"OPSC_4":"5-55","OPS_Gruppen_Text":"Operationen an der Niere "},
+    {"OPSC_4":"5-56","OPS_Gruppen_Text":"Operationen am Ureter "},
+    {"OPSC_4":"5-57","OPS_Gruppen_Text":"Operationen an der Harnblase "},
+    {"OPSC_4":"5-59","OPS_Gruppen_Text":"Andere Operationen an den Harnorganen "},
+    {"OPSC_4":"5-60","OPS_Gruppen_Text":"Operationen an Prostata und Vesiculae seminales "},
+    {"OPSC_4":"5-61","OPS_Gruppen_Text":"Operationen an Skrotum und Tunica vaginalis testis"},
+    {"OPSC_4":"5-62","OPS_Gruppen_Text":"Operationen am Hoden "},
+    {"OPSC_4":"5-65","OPS_Gruppen_Text":"Operationen am Ovar "},
+    {"OPSC_4":"5-68","OPS_Gruppen_Text":"Inzision, Exzision und Exstirpation des Uterus "},
+    {"OPSC_4":"5-70","OPS_Gruppen_Text":"Operationen an Vagina und Douglasraum "},
+    {"OPSC_4":"5-71","OPS_Gruppen_Text":"Operationen an der Vulva "},
+    {"OPSC_4":"5-85","OPS_Gruppen_Text":"Operationen an Muskeln, Sehnen, Faszien und Schleimbeuteln"},
+    {"OPSC_4":"5-87","OPS_Gruppen_Text":"Exzision und Resektion der Mamma "},
+    {"OPSC_4":"5-89","OPS_Gruppen_Text":"Operationen an Haut und Unterhaut "},
+    {"OPSC_4":"5-90","OPS_Gruppen_Text":"Operative Wiederherstellung und Rekonstruktion von Haut und Unterhaut"},
+    {"OPSC_4":"5-91","OPS_Gruppen_Text":"Andere Operationen an Haut und Unterhaut "},
+    {"OPSC_4":"5-93","OPS_Gruppen_Text":"Angaben zum Transplantat und zu verwendeten Materialien"},
+    {"OPSC_4":"5-98","OPS_Gruppen_Text":"Spezielle Operationstechniken und Operationen bei speziellen Versorgungssituationen "},
+    {"OPSC_4":"8-13","OPS_Gruppen_Text":"Manipulation am Harntrakt"},
+    {"OPSC_4":"8-14","OPS_Gruppen_Text":"Therapeutische Kathedirisierung, Aspiration, Punktion und Spülung "},
+    {"OPSC_4":"8-15","OPS_Gruppen_Text":"Therapeutische Aspiration und Entleerung durch Punktion "},
+    {"OPSC_4":"8-17","OPS_Gruppen_Text":"Spülung (Lavage) "},
+    {"OPSC_4":"8-19","OPS_Gruppen_Text":"Verbände "},
+    {"OPSC_4":"8-77","OPS_Gruppen_Text":"Maßnahmen im Rahmen der Reanimation "},
+    {"OPSC_4":"8-92","OPS_Gruppen_Text":"Neurologisches Monitoring "},
+])
+EOF
+    
+    OVERRIDE+=" -f ./$PROJECT/modules/ovis-compose.yml"
+fi

ccp/modules/teiler-compose.yml

@@ -31,7 +31,6 @@ services:
     environment:
       DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
       TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
-      TEILER_DASHBOARD_URL: "https://${HOST}/ccp-teiler-dashboard"
       OIDC_URL: "${OIDC_URL}"
       OIDC_REALM: "${OIDC_REALM}"
       OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}"
@@ -42,6 +41,7 @@ services:
       TEILER_PROJECT: "${PROJECT}"
       EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
       TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
+      TEILER_DASHBOARD_HTTP_RELATIVE_PATH: "/ccp-teiler-dashboard"
       TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
       TEILER_USER: "${OIDC_USER_GROUP}"
       TEILER_ADMIN: "${OIDC_ADMIN_GROUP}"
@@ -69,10 +69,10 @@ services:
       TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
       TEILER_DASHBOARD_DE_URL: "https://${HOST}/ccp-teiler-dashboard/de"
       TEILER_DASHBOARD_EN_URL: "https://${HOST}/ccp-teiler-dashboard/en"
+      CENTRAX_URL: "${CENTRAXX_URL}"
       HTTP_PROXY: "http://forward_proxy:3128"
       ENABLE_MTBA: "${ENABLE_MTBA}"
       ENABLE_DATASHIELD: "${ENABLE_DATASHIELD}"
-      IDMANAGER_UPLOAD_APIKEY: "${IDMANAGER_UPLOAD_APIKEY}" # Only used to check if the ID Manager is active
     secrets:
       - ccp.conf
 

ccp/queries_to_cache.conf

@@ -1,3 +1,2 @@
-bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwoKY29kZXN5c3RlbSBsb2luYzogJ2h0dHA6Ly9sb2luYy5vcmcnCgpjb250ZXh0IFBhdGllbnQKCgpES1RLX1NUUkFUX0dFTkRFUl9TVFJBVElGSUVSCgpES1RLX1NUUkFUX1BSSU1BUllfRElBR05PU0lTX05PX1NPUlRfU1RSQVRJRklFUgpES1RLX1NUUkFUX0FHRV9DTEFTU19TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RFQ0VBU0VEX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfRElBR05PU0lTX1NUUkFUSUZJRVIKCkRLVEtfUkVQTEFDRV9TUEVDSU1FTl9TVFJBVElGSUVSaWYgSW5Jbml0aWFsUG9wdWxhdGlvbiB0aGVuIFtTcGVjaW1lbl0gZWxzZSB7fSBhcyBMaXN0PFNwZWNpbWVuPgpES1RLX1NUUkFUX1BST0NFRFVSRV9TVFJBVElGSUVSCgpES1RLX1NUUkFUX01FRElDQVRJT05fU1RSQVRJRklFUgoKICBES1RLX1JFUExBQ0VfSElTVE9MT0dZX1NUUkFUSUZJRVIKIGlmIGhpc3RvLmNvZGUuY29kaW5nLndoZXJlKGNvZGUgPSAnNTk4NDctNCcpLmNvZGUuZmlyc3QoKSBpcyBudWxsIHRoZW4gMCBlbHNlIDEKREtUS19TVFJBVF9ERUZfSU5fSU5JVElBTF9QT1BVTEFUSU9OCnRydWU=
-bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwoKY29kZXN5c3RlbSBsb2luYzogJ2h0dHA6Ly9sb2luYy5vcmcnCmNvZGVzeXN0ZW0gaWNkMTA6ICdodHRwOi8vZmhpci5kZS9Db2RlU3lzdGVtL2JmYXJtL2ljZC0xMC1nbScKY29kZXN5c3RlbSBtb3JwaDogJ3VybjpvaWQ6Mi4xNi44NDAuMS4xMTM4ODMuNi40My4xJwoKY29udGV4dCBQYXRpZW50CgoKREtUS19TVFJBVF9HRU5ERVJfU1RSQVRJRklFUgoKREtUS19TVFJBVF9QUklNQVJZX0RJQUdOT1NJU19OT19TT1JUX1NUUkFUSUZJRVIKREtUS19TVFJBVF9BR0VfQ0xBU1NfU1RSQVRJRklFUgoKREtUS19TVFJBVF9ERUNFQVNFRF9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RJQUdOT1NJU19TVFJBVElGSUVSCgpES1RLX1JFUExBQ0VfU1BFQ0lNRU5fU1RSQVRJRklFUmlmIEluSW5pdGlhbFBvcHVsYXRpb24gdGhlbiBbU3BlY2ltZW5dIGVsc2Uge30gYXMgTGlzdDxTcGVjaW1lbj4KREtUS19TVFJBVF9QUk9DRURVUkVfU1RSQVRJRklFUgoKREtUS19TVFJBVF9NRURJQ0FUSU9OX1NUUkFUSUZJRVIKCiAgREtUS19SRVBMQUNFX0hJU1RPTE9HWV9TVFJBVElGSUVSCiBpZiBoaXN0by5jb2RlLmNvZGluZy53aGVyZShjb2RlID0gJzU5ODQ3LTQnKS5jb2RlLmZpcnN0KCkgaXMgbnVsbCB0aGVuIDAgZWxzZSAxCkRLVEtfU1RSQVRfREVGX0lOX0lOSVRJQUxfUE9QVUxBVElPTihleGlzdHMgW0NvbmRpdGlvbjogQ29kZSAnQzYxJyBmcm9tIGljZDEwXSkgYW5kIAooKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4MTQwLzMnKSBvciAKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4MTQ3LzMnKSBvciAKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4NDgwLzMnKSBvciAKKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNTk4NDctNCcgZnJvbSBsb2luY10gTwp3aGVyZSBPLnZhbHVlLmNvZGluZy5jb2RlIGNvbnRhaW5zICc4NTAwLzMnKSk=
-ORGANOID_DASHBOARD_PUBLIC
+bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwoKY29kZXN5c3RlbSBsb2luYzogJ2h0dHA6Ly9sb2luYy5vcmcnCgpjb250ZXh0IFBhdGllbnQKCgpES1RLX1NUUkFUX0dFTkRFUl9TVFJBVElGSUVSCgpES1RLX1NUUkFUX1BSSU1BUllfRElBR05PU0lTX05PX1NPUlRfU1RSQVRJRklFUgpES1RLX1NUUkFUX0FHRV9DTEFTU19TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RFQ0VBU0VEX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfRElBR05PU0lTX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfU1BFQ0lNRU5fU1RSQVRJRklFUgoKREtUS19TVFJBVF9QUk9DRURVUkVfU1RSQVRJRklFUgoKREtUS19TVFJBVF9NRURJQ0FUSU9OX1NUUkFUSUZJRVIKCiAgREtUS19TVFJBVF9ISVNUT0xPR1lfU1RSQVRJRklFUgpES1RLX1NUUkFUX0RFRl9JTl9JTklUSUFMX1BPUFVMQVRJT04KdHJ1ZQ==
+bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwoKY29kZXN5c3RlbSBsb2luYzogJ2h0dHA6Ly9sb2luYy5vcmcnCmNvZGVzeXN0ZW0gaWNkMTA6ICdodHRwOi8vZmhpci5kZS9Db2RlU3lzdGVtL2JmYXJtL2ljZC0xMC1nbScKY29kZXN5c3RlbSBtb3JwaDogJ3VybjpvaWQ6Mi4xNi44NDAuMS4xMTM4ODMuNi40My4xJwoKY29udGV4dCBQYXRpZW50CgoKREtUS19TVFJBVF9HRU5ERVJfU1RSQVRJRklFUgoKREtUS19TVFJBVF9QUklNQVJZX0RJQUdOT1NJU19OT19TT1JUX1NUUkFUSUZJRVIKREtUS19TVFJBVF9BR0VfQ0xBU1NfU1RSQVRJRklFUgoKREtUS19TVFJBVF9ERUNFQVNFRF9TVFJBVElGSUVSCgpES1RLX1NUUkFUX0RJQUdOT1NJU19TVFJBVElGSUVSCgpES1RLX1NUUkFUX1NQRUNJTUVOX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfUFJPQ0VEVVJFX1NUUkFUSUZJRVIKCkRLVEtfU1RSQVRfTUVESUNBVElPTl9TVFJBVElGSUVSCgogIERLVEtfU1RSQVRfSElTVE9MT0dZX1NUUkFUSUZJRVIKREtUS19TVFJBVF9ERUZfSU5fSU5JVElBTF9QT1BVTEFUSU9OKGV4aXN0cyBbQ29uZGl0aW9uOiBDb2RlICdDNjEnIGZyb20gaWNkMTBdKSBhbmQgCigoZXhpc3RzIGZyb20gW09ic2VydmF0aW9uOiBDb2RlICc1OTg0Ny00JyBmcm9tIGxvaW5jXSBPCndoZXJlIE8udmFsdWUuY29kaW5nLmNvZGUgY29udGFpbnMgJzgxNDAvMycpIG9yIAooZXhpc3RzIGZyb20gW09ic2VydmF0aW9uOiBDb2RlICc1OTg0Ny00JyBmcm9tIGxvaW5jXSBPCndoZXJlIE8udmFsdWUuY29kaW5nLmNvZGUgY29udGFpbnMgJzgxNDcvMycpIG9yIAooZXhpc3RzIGZyb20gW09ic2VydmF0aW9uOiBDb2RlICc1OTg0Ny00JyBmcm9tIGxvaW5jXSBPCndoZXJlIE8udmFsdWUuY29kaW5nLmNvZGUgY29udGFpbnMgJzg0ODAvMycpIG9yIAooZXhpc3RzIGZyb20gW09ic2VydmF0aW9uOiBDb2RlICc1OTg0Ny00JyBmcm9tIGxvaW5jXSBPCndoZXJlIE8udmFsdWUuY29kaW5nLmNvZGUgY29udGFpbnMgJzg1MDAvMycpKQ==

ccp/vars

@@ -29,12 +29,4 @@ done
 idManagementSetup
 mtbaSetup
 obds2fhirRestSetup
-blazeSecondarySetup
-
-for module in modules/*.sh
-do
-    log DEBUG "sourcing $module"
-    source $module
-done
-
-transfairSetup
+blazeSecondarySetup

dhki/docker-compose.yml

@@ -2,7 +2,7 @@ version: "3.7"
 
 services:
   blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.31
     container_name: bridgehead-dhki-blaze
     environment:
       BASE_URL: "http://bridgehead-dhki-blaze:8080"
@@ -33,7 +33,7 @@ services:
       EPSILON: 0.28
       QUERIES_TO_CACHE: '/queries_to_cache.conf'
     volumes:
-      - /srv/docker/bridgehead/dhki/queries_to_cache.conf:/queries_to_cache.conf:ro
+      - /srv/docker/bridgehead/dhki/queries_to_cache.conf:/queries_to_cache.conf
     depends_on:
       - "beam-proxy"
       - "blaze"

itcc/docker-compose.yml

@@ -2,14 +2,13 @@ version: "3.7"
 
 services:
   blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.31
     container_name: bridgehead-itcc-blaze
     environment:
       BASE_URL: "http://bridgehead-itcc-blaze:8080"
       JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
       DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
-      DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
-      CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
+      DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP
       ENFORCE_REFERENTIAL_INTEGRITY: "false"
     volumes:
       - "blaze-data:/app/data"
@@ -32,10 +31,6 @@ services:
       BEAM_PROXY_URL: http://beam-proxy:8081
       RETRY_COUNT: ${FOCUS_RETRY_COUNT}
       EPSILON: 0.28
-      QUERIES_TO_CACHE: '/queries_to_cache.conf'
-      ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
-    volumes:
-      - /srv/docker/bridgehead/itcc/queries_to_cache.conf:/queries_to_cache.conf:ro
     depends_on:
       - "beam-proxy"
       - "blaze"

itcc/queries_to_cache.conf

@@ -1,2 +0,0 @@
-bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwpjb2Rlc3lzdGVtIFNhbXBsZU1hdGVyaWFsVHlwZTogJ2h0dHBzOi8vZmhpci5iYm1yaS5kZS9Db2RlU3lzdGVtL1NhbXBsZU1hdGVyaWFsVHlwZScKCmNvZGVzeXN0ZW0gbG9pbmM6ICdodHRwOi8vbG9pbmMub3JnJwoKY29udGV4dCBQYXRpZW50CkRLVEtfU1RSQVRfR0VOREVSX1NUUkFUSUZJRVIKICBES1RLX1NUUkFUX0RJQUdOT1NJU19TVFJBVElGSUVSCiAgSVRDQ19TVFJBVF9BR0VfQ0xBU1NfU1RSQVRJRklFUgogIERLVEtfU1RSQVRfREVGX0lOX0lOSVRJQUxfUE9QVUxBVElPTgp0cnVl
-bGlicmFyeSBSZXRyaWV2ZQp1c2luZyBGSElSIHZlcnNpb24gJzQuMC4wJwppbmNsdWRlIEZISVJIZWxwZXJzIHZlcnNpb24gJzQuMC4wJwpjb2Rlc3lzdGVtIFNhbXBsZU1hdGVyaWFsVHlwZTogJ2h0dHBzOi8vZmhpci5iYm1yaS5kZS9Db2RlU3lzdGVtL1NhbXBsZU1hdGVyaWFsVHlwZScKCmNvZGVzeXN0ZW0gbG9pbmM6ICdodHRwOi8vbG9pbmMub3JnJwpjb2Rlc3lzdGVtIG1vbGVjdWxhck1hcmtlcjogJ2h0dHA6Ly93d3cuZ2VuZW5hbWVzLm9yZycKCmNvbnRleHQgUGF0aWVudApES1RLX1NUUkFUX0dFTkRFUl9TVFJBVElGSUVSCiAgREtUS19TVFJBVF9ESUFHTk9TSVNfU1RSQVRJRklFUgogIElUQ0NfU1RSQVRfQUdFX0NMQVNTX1NUUkFUSUZJRVIKICBES1RLX1NUUkFUX0RFRl9JTl9JTklUSUFMX1BPUFVMQVRJT04KKGV4aXN0cyBmcm9tIFtPYnNlcnZhdGlvbjogQ29kZSAnNjk1NDgtNicgZnJvbSBsb2luY10gTwp3aGVyZSBPLmNvbXBvbmVudC53aGVyZShjb2RlLmNvZGluZyBjb250YWlucyBDb2RlICc0ODAxOC02JyBmcm9tIGxvaW5jKS52YWx1ZS5jb2RpbmcgY29udGFpbnMgQ29kZSAnQlJBRicgZnJvbSBtb2xlY3VsYXJNYXJrZXIp

kr/docker-compose.yml

@@ -6,7 +6,7 @@ services:
       replicas: 0 #deactivate landing page
 
   blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.31
     container_name: bridgehead-kr-blaze
     environment:
       BASE_URL: "http://bridgehead-kr-blaze:8080"

kr/modules/teiler-compose.yml

@@ -31,7 +31,6 @@ services:
     environment:
       DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
       TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
-      TEILER_DASHBOARD_URL: "https://${HOST}/ccp-teiler-dashboard"
       OIDC_URL: "${OIDC_URL}"
       OIDC_REALM: "${OIDC_REALM}"
       OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}"
@@ -42,6 +41,7 @@ services:
       TEILER_PROJECT: "${PROJECT}"
       EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
       TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
+      TEILER_DASHBOARD_HTTP_RELATIVE_PATH: "/ccp-teiler-dashboard"
       TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
       TEILER_USER: "${OIDC_USER_GROUP}"
       TEILER_ADMIN: "${OIDC_ADMIN_GROUP}"
@@ -69,6 +69,7 @@ services:
       TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
       TEILER_DASHBOARD_DE_URL: "https://${HOST}/ccp-teiler-dashboard/de"
       TEILER_DASHBOARD_EN_URL: "https://${HOST}/ccp-teiler-dashboard/en"
+      CENTRAX_URL: "${CENTRAXX_URL}"
       HTTP_PROXY: "http://forward_proxy:3128"
       ENABLE_MTBA: "${ENABLE_MTBA}"
       ENABLE_DATASHIELD: "${ENABLE_DATASHIELD}"

lib/functions.sh

@@ -313,7 +313,7 @@ function sync_secrets() {
         -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
         -e PROXY_ID=$PROXY_ID \
         -e BROKER_URL=$BROKER_URL \
-        -e OIDC_PROVIDER=secret-sync-central.central-secret-sync.$BROKER_ID \
+        -e OIDC_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \
         -e SECRET_DEFINITIONS=$secret_sync_args \
         docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
 
@@ -322,73 +322,6 @@ function sync_secrets() {
     set +a # Export variables in the regular way
 }
 
-function secret_sync_gitlab_token() {
-    # Map the origin of the git repository /etc/bridgehead to the prefix recognized by Secret Sync
-    local gitlab
-    case "$(git -C /etc/bridgehead remote get-url origin)" in
-        *git.verbis.dkfz.de*) gitlab=verbis;;
-        *gitlab.bbmri-eric.eu*) gitlab=bbmri;;
-        *)
-            log "WARN" "Not running Secret Sync because the git repository /etc/bridgehead has unknown origin"
-            return
-            ;;
-    esac
-
-    if [ "$PROJECT" == "bbmri" ]; then
-        # If the project is BBMRI, use the BBMRI-ERIC broker and not the GBN broker
-        proxy_id=$ERIC_PROXY_ID
-        broker_url=$ERIC_BROKER_URL
-        broker_id=$ERIC_BROKER_ID
-        root_crt_file="/srv/docker/bridgehead/bbmri/modules/${ERIC_ROOT_CERT}.root.crt.pem"
-    else
-        proxy_id=$PROXY_ID
-        broker_url=$BROKER_URL
-        broker_id=$BROKER_ID
-        root_crt_file="/srv/docker/bridgehead/$PROJECT/root.crt.pem"
-    fi
-
-    # Create a temporary directory for Secret Sync that is valid per boot
-    secret_sync_tempdir="/tmp/bridgehead/secret-sync.boot-$(cat /proc/sys/kernel/random/boot_id)"
-    mkdir -p $secret_sync_tempdir
-
-    # Use Secret Sync to validate the GitLab token in $secret_sync_tempdir/cache.
-    # If it is missing or expired, Secret Sync will create a new token and write it to the file.
-    # The git credential helper reads the token from the file during git pull.
-    log "INFO" "Running Secret Sync for the GitLab token (gitlab=$gitlab)"
-    docker pull docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest # make sure we have the latest image
-    docker run --rm \
-        -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
-        -v $root_crt_file:/run/secrets/root.crt.pem:ro \
-        -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
-        -v $secret_sync_tempdir:/secret-sync/ \
-        -e CACHE_PATH=/secret-sync/gitlab-token \
-        -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
-        -e NO_PROXY=localhost,127.0.0.1 \
-        -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
-        -e PROXY_ID=$proxy_id \
-        -e BROKER_URL=$broker_url \
-        -e GITLAB_PROJECT_ACCESS_TOKEN_PROVIDER=secret-sync-central.central-secret-sync.$broker_id \
-        -e SECRET_DEFINITIONS=GitLabProjectAccessToken:BRIDGEHEAD_CONFIG_REPO_TOKEN:$gitlab \
-        docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
-    if [ $? -eq 0 ]; then
-        log "INFO" "Secret Sync was successful"
-        # In the past we used to hardcode tokens into the repository URL. We have to remove those now for the git credential helper to become effective.
-        CLEAN_REPO="$(git -C /etc/bridgehead remote get-url origin | sed -E 's|https://[^@]+@|https://|')"
-        git -C /etc/bridgehead remote set-url origin "$CLEAN_REPO"
-        # Set the git credential helper
-        git -C /etc/bridgehead config credential.helper /srv/docker/bridgehead/lib/gitlab-token-helper.sh
-    else
-        log "WARN" "Secret Sync failed"
-        # Remove the git credential helper
-        git -C /etc/bridgehead config --unset credential.helper
-    fi
-
-    # In the past the git credential helper was also set for /srv/docker/bridgehead but never used.
-    # Let's remove it to avoid confusion. This line can be removed at some point the future when we
-    # believe that it was removed on all/most production servers.
-    git -C /srv/docker/bridgehead config --unset credential.helper
-}
-
 capitalize_first_letter() {
     input="$1"
     capitalized="$(tr '[:lower:]' '[:upper:]' <<< ${input:0:1})${input:1}"

lib/gitlab-token-helper.sh

@@ -2,7 +2,7 @@
 
 [ "$1" = "get" ] || exit
 
-source "/tmp/bridgehead/secret-sync.boot-$(cat /proc/sys/kernel/random/boot_id)/gitlab-token"
+source /var/cache/bridgehead/secrets/gitlab_token
 
 # Any non-empty username works, only the token matters
 cat << EOF

lib/install-bridgehead.sh

@@ -41,14 +41,6 @@ if [ ! -z "$NNGM_CTS_APIKEY" ] && [ -z "$NNGM_AUTH" ]; then
   add_basic_auth_user "nngm" $generated_passwd "NNGM_AUTH" $PROJECT
 fi
 
-if [ -z "$TRANSFAIR_AUTH" ]; then
-  if [[ -n "$TTP_URL" || -n "$EXCHANGE_ID_SYSTEM" ]]; then
-    log "INFO" "Now generating basic auth user for transfair API (see adduser in bridgehead for more information). "
-    generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)"
-    add_basic_auth_user "transfair" $generated_passwd "TRANSFAIR_AUTH" $PROJECT
-  fi
-fi
-
 log "INFO" "Registering system units for bridgehead and bridgehead-update"
 cp -v \
     lib/systemd/bridgehead\@.service \

lib/prepare-system.sh

@@ -55,9 +55,6 @@ case "$PROJECT" in
 	cce)
 		site_configuration_repository_middle="git.verbis.dkfz.de/cce-sites/"
 		;;
-	pscc)
-		site_configuration_repository_middle="git.verbis.dkfz.de/pscc-sites/"
-		;;
 	itcc)
 		site_configuration_repository_middle="git.verbis.dkfz.de/itcc-sites/"
         ;;

lib/update-bridgehead.sh

@@ -33,7 +33,43 @@ export SITE_ID
 checkOwner /srv/docker/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /srv/docker/bridgehead"
 checkOwner /etc/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /etc/bridgehead"
 
-secret_sync_gitlab_token
+# Use Secret Sync to validate the GitLab token in /var/cache/bridgehead/secrets/gitlab_token.
+# If it is missing or expired, Secret Sync will create a new token and write it to the file.
+# The git credential helper reads the token from the file during git pull.
+mkdir -p /var/cache/bridgehead/secrets
+touch /var/cache/bridgehead/secrets/gitlab_token # the file has to exist to be mounted correctly in the Docker container
+log "INFO" "Running Secret Sync for the GitLab token"
+docker pull docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest # make sure we have the latest image
+docker run --rm \
+  -v /var/cache/bridgehead/secrets/gitlab_token:/usr/local/cache \
+  -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
+  -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
+  -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
+  -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
+  -e NO_PROXY=localhost,127.0.0.1 \
+  -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
+  -e PROXY_ID=$PROXY_ID \
+  -e BROKER_URL=$BROKER_URL \
+  -e GITLAB_PROJECT_ACCESS_TOKEN_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \
+  -e SECRET_DEFINITIONS=GitLabProjectAccessToken:BRIDGEHEAD_CONFIG_REPO_TOKEN: \
+  docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
+if [ $? -eq 0 ]; then
+  log "INFO" "Secret Sync was successful"
+  # In the past we used to hardcode tokens into the repository URL. We have to remove those now for the git credential helper to become effective.
+  CLEAN_REPO="$(git -C /etc/bridgehead remote get-url origin | sed -E 's|https://[^@]+@|https://|')"
+  git -C /etc/bridgehead remote set-url origin "$CLEAN_REPO"
+  # Set the git credential helper
+  git -C /etc/bridgehead config credential.helper /srv/docker/bridgehead/lib/gitlab-token-helper.sh
+else
+  log "WARN" "Secret Sync failed"
+  # Remove the git credential helper
+  git -C /etc/bridgehead config --unset credential.helper
+fi
+
+# In the past the git credential helper was also set for /srv/docker/bridgehead but never used.
+# Let's remove it to avoid confusion. This line can be removed at some point the future when we
+# believe that it was removed on all/most production servers.
+git -C /srv/docker/bridgehead config --unset credential.helper
 
 CHANGES=""
 

modules/ssh-tunnel-compose.yml

@@ -1,17 +0,0 @@
-version: "3.7"
-
-services:
-  ssh-tunnel:
-    image: docker.verbis.dkfz.de/cache/samply/ssh-tunnel
-    container_name: bridgehead-ccp-ssh-tunnel
-    environment:
-      SSH_TUNNEL_USERNAME: "${SSH_TUNNEL_USERNAME}"
-      SSH_TUNNEL_HOST: "${SSH_TUNNEL_HOST}"
-      SSH_TUNNEL_PORT: "${SSH_TUNNEL_PORT:-22}"
-    volumes:
-      - "/etc/bridgehead/ssh-tunnel.conf:/ssh-tunnel.conf:ro"
-    secrets:
-      - privkey
-secrets:
-  privkey:
-    file: /etc/bridgehead/pki/ssh-tunnel.priv.pem

modules/ssh-tunnel-setup.sh

@@ -1,6 +0,0 @@
-#!/bin/bash
-
-if [ -n "$ENABLE_SSH_TUNNEL" ]; then
-	log INFO "SSH Tunnel setup detected -- will start SSH Tunnel."
-	OVERRIDE+=" -f ./modules/ssh-tunnel-compose.yml"
-fi

modules/ssh-tunnel.md

@@ -1,19 +0,0 @@
-# SSH Tunnel Module
-
-This module enables SSH tunneling capabilities for the Bridgehead installation.
-The primary use case for this is to connect bridgehead components that are hosted externally due to security concerns.
-To connect the new components to the locally running bridgehead infra one is supposed to write a docker-compose.override.yml changing the urls to point to the corresponding forwarded port of the ssh-tunnel container.
-
-## Configuration Variables
-
-- `ENABLE_SSH_TUNNEL`: Required to enable the module
-- `SSH_TUNNEL_USERNAME`: Username for SSH connection
-- `SSH_TUNNEL_HOST`: Target host for SSH tunnel
-- `SSH_TUNNEL_PORT`: SSH port (defaults to 22)
-
-## Configuration Files
-
-The module requires the following files to be present:
-
-- `/etc/bridgehead/ssh-tunnel.conf`: SSH tunnel configuration file. Detailed information can be found [here](https://github.com/samply/ssh-tunnel?tab=readme-ov-file#configuration).
-- `/etc/bridgehead/pki/ssh-tunnel.priv.pem`: The SSH private key used to connect to the `SSH_TUNNEL_HOST`. **Passphrases for the key are not supported!**

modules/transfair-compose.yml

@@ -5,13 +5,8 @@ services:
     container_name: bridgehead-transfair
     environment:
       # NOTE: Those 3 variables need only to be passed if their set, otherwise transfair will complain about empty url values
-      - TTP_URL
-      - TTP_ML_API_KEY
-      - TTP_GW_SOURCE
-      - TTP_GW_EPIX_DOMAIN
-      - TTP_GW_GPAS_DOMAIN
-      - TTP_TYPE
-      - TTP_AUTH
+      - INSTITUTE_TTP_URL
+      - INSTITUTE_TTP_API_KEY
       - PROJECT_ID_SYSTEM
       - FHIR_REQUEST_URL=${FHIR_REQUEST_URL}
       - FHIR_INPUT_URL=${FHIR_INPUT_URL}
@@ -22,27 +17,11 @@ services:
       - EXCHANGE_ID_SYSTEM=${EXCHANGE_ID_SYSTEM:-SESSION_ID}
       - DATABASE_URL=sqlite://transfair/data_requests.sql?mode=rwc
       - RUST_LOG=${RUST_LOG:-info}
-      - TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs
-      - TLS_DISABLE=${TRANSFAIR_TLS_DISABLE:-false}
-      - NO_PROXY=${TRANSFAIR_NO_PROXIES}
-      - ALL_PROXY=http://forward_proxy:3128
     volumes:
       - /var/cache/bridgehead/${PROJECT}/transfair:/transfair
-      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.middlewares.transfair-strip.stripprefix.prefixes=/transfair"
-      - "traefik.http.routers.transfair.middlewares=transfair-strip,transfair-auth"
-      - "traefik.http.routers.transfair.rule=PathPrefix(`/transfair`)"
-      - "traefik.http.services.transfair.loadbalancer.server.port=8080"
-      - "traefik.http.routers.transfair.tls=true"
-  
-  traefik:
-    labels:
-      - "traefik.http.middlewares.transfair-auth.basicauth.users=${TRANSFAIR_AUTH}"
 
   transfair-input-blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
     container_name: bridgehead-transfair-input-blaze
     environment:
       BASE_URL: "http://bridgehead-transfair-input-blaze:8080"
@@ -53,19 +32,12 @@ services:
     volumes:
       - "transfair-input-blaze-data:/app/data"
     profiles: ["transfair-input-blaze"]
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.transfair-input-blaze.rule=PathPrefix(`/data-delivery`)"
-      - "traefik.http.middlewares.transfair-input-strip.stripprefix.prefixes=/data-delivery"
-      - "traefik.http.services.transfair-input-blaze.loadbalancer.server.port=8080"
-      - "traefik.http.routers.transfair-input-blaze.middlewares=transfair-input-strip,transfair-auth"
-      - "traefik.http.routers.transfair-input-blaze.tls=true"
 
   transfair-request-blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
-    container_name: bridgehead-transfair-request-blaze
+    image: docker.verbis.dkfz.de/cache/samply/blaze:0.28
+    container_name: bridgehead-transfair-requests-blaze
     environment:
-      BASE_URL: "http://bridgehead-transfair-request-blaze:8080"
+      BASE_URL: "http://bridgehead-transfair-requests-blaze:8080"
       JAVA_TOOL_OPTIONS: "-Xmx1024m"
       DB_BLOCK_CACHE_SIZE: 1024
       CQL_EXPR_CACHE_SIZE: 8
@@ -73,13 +45,6 @@ services:
     volumes:
       - "transfair-request-blaze-data:/app/data"
     profiles: ["transfair-request-blaze"]
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.transfair-request-blaze.rule=PathPrefix(`/data-requests`)"
-      - "traefik.http.middlewares.transfair-request-strip.stripprefix.prefixes=/data-requests"
-      - "traefik.http.services.transfair-request-blaze.loadbalancer.server.port=8080"
-      - "traefik.http.routers.transfair-request-blaze.middlewares=transfair-request-strip,transfair-auth"
-      - "traefik.http.routers.transfair-request-blaze.tls=true"
 
 volumes:
   transfair-input-blaze-data:

modules/transfair-setup.sh

@@ -1,7 +1,7 @@
 #!/bin/bash -e
 
 function transfairSetup() {
-    if [[ -n "$TTP_URL" || -n "$EXCHANGE_ID_SYSTEM" ]]; then
+    if [[ -n "$INSTITUTE_TTP_URL" || -n "$EXCHANGE_ID_SYSTEM" ]]; then
         echo "Starting transfair."
 	    OVERRIDE+=" -f ./modules/transfair-compose.yml"
 	    if [ -n "$FHIR_INPUT_URL" ]; then
@@ -15,21 +15,8 @@ function transfairSetup() {
 		    log INFO "TransFAIR request fhir store set to external $FHIR_REQUEST_URL"
 	    else
 		    log INFO "TransFAIR request fhir store not set writing to internal blaze"
-		    FHIR_REQUEST_URL="http://transfair-request-blaze:8080"
+		    FHIR_REQUEST_URL="http://transfair-requests-blaze:8080"
 		    OVERRIDE+=" --profile transfair-request-blaze"
 	    fi
-	    if [ -n "$TTP_GW_SOURCE" ]; then
-		    log INFO "TransFAIR configured with greifswald as ttp"
-		    TTP_TYPE="greifswald"
-	    elif [ -n "$TTP_ML_API_KEY" ]; then
-		    log INFO "TransFAIR configured with mainzelliste as ttp"
-		    TTP_TYPE="mainzelliste"
-        else
-		    log INFO "TransFAIR configured without ttp"
-	    fi
-        TRANSFAIR_NO_PROXIES="transfair-input-blaze,blaze,transfair-requests-blaze"
-        if [ -n "${TRANSFAIR_NO_PROXY}" ]; then
-            TRANSFAIR_NO_PROXIES+=",${TRANSFAIR_NO_PROXY}"
-        fi
     fi
 }

pscc/docker-compose.yml

@@ -1,65 +0,0 @@
-version: "3.7"
-
-services:
-  blaze:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
-    container_name: bridgehead-pscc-blaze
-    environment:
-      BASE_URL: "http://bridgehead-pscc-blaze:8080"
-      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
-      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
-      DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
-      CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
-      ENFORCE_REFERENTIAL_INTEGRITY: "false"
-    volumes:
-      - "blaze-data:/app/data"
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.blaze_pscc.rule=PathPrefix(`/pscc-localdatamanagement`)"
-      - "traefik.http.middlewares.pscc_b_strip.stripprefix.prefixes=/pscc-localdatamanagement"
-      - "traefik.http.services.blaze_pscc.loadbalancer.server.port=8080"
-      - "traefik.http.routers.blaze_pscc.middlewares=pscc_b_strip"
-      - "traefik.http.routers.blaze_pscc.tls=true"
-
-  focus:
-    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
-    container_name: bridgehead-focus
-    environment:
-      API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
-      BEAM_APP_ID_LONG: focus.${PROXY_ID}
-      PROXY_ID: ${PROXY_ID}
-      BLAZE_URL: "http://bridgehead-pscc-blaze:8080/fhir/"
-      BEAM_PROXY_URL: http://beam-proxy:8081
-      RETRY_COUNT: ${FOCUS_RETRY_COUNT}
-      EPSILON: 0.28
-      ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
-    depends_on:
-      - "beam-proxy"
-      - "blaze"
-
-  beam-proxy:
-    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG}
-    container_name: bridgehead-beam-proxy
-    environment:
-      BROKER_URL: ${BROKER_URL}
-      PROXY_ID: ${PROXY_ID}
-      APP_focus_KEY: ${FOCUS_BEAM_SECRET_SHORT}
-      PRIVKEY_FILE: /run/secrets/proxy.pem
-      ALL_PROXY: http://forward_proxy:3128
-      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
-      ROOTCERT_FILE: /conf/root.crt.pem
-    secrets:
-      - proxy.pem
-    depends_on:
-      - "forward_proxy"
-    volumes:
-      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
-      - /srv/docker/bridgehead/pscc/root.crt.pem:/conf/root.crt.pem:ro
-
-
-volumes:
-  blaze-data:
-
-secrets:
-  proxy.pem:
-    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem

pscc/modules/lens-compose.yml

@@ -1,34 +0,0 @@
-version: "3.7"
-services:
-  landing:
-    container_name: lens_federated-search
-    image: docker.verbis.dkfz.de/dashboard/pscc-explorer
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
-      - "traefik.http.services.landing.loadbalancer.server.port=5173"
-      - "traefik.http.routers.landing.middlewares=auth"
-      - "traefik.http.routers.landing.tls=true"
-
-#  spot:
-#    image: docker.verbis.dkfz.de/ccp-private/central-spot
-#    environment:
-#      BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}"
-#      BEAM_URL: http://beam-proxy:8081
-#      BEAM_PROXY_ID: ${SITE_ID}
-#      BEAM_BROKER_ID: ${BROKER_ID}
-#      BEAM_APP_ID: "focus"
-#      PROJECT_METADATA: "cce_supervisors"
-#    depends_on:
-#      - "beam-proxy"
-#    labels:
-#      - "traefik.enable=true"
-#      - "traefik.http.services.spot.loadbalancer.server.port=8080"
-#      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowmethods=GET,OPTIONS,POST"
-#      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolalloworiginlist=https://${HOST}"
-#      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowcredentials=true"
-#      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolmaxage=-1"
-#      - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/backend`)"
-#      - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/backend"
-#      - "traefik.http.routers.spot.tls=true"
-#      - "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot"

pscc/modules/lens-setup.sh

@@ -1,5 +0,0 @@
-#!/bin/bash
-
-if [ -n "$ENABLE_LENS" ];then
-  OVERRIDE+=" -f ./$PROJECT/modules/lens-compose.yml"
-fi

pscc/root.crt.pem

@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDNTCCAh2gAwIBAgIUW34NEb7bl0+Ywx+I1VKtY5vpAOowDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjQwMTIyMTMzNzEzWhcNMzQw
-MTE5MTMzNzQzWjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAL5UegLXTlq3XRRj8LyFs3aF0tpRPVoW9RXp5kFI
-TnBvyO6qjNbMDT/xK+4iDtEX4QQUvsxAKxfXbe9i1jpdwjgH7JHaSGm2IjAiKLqO
-OXQQtguWwfNmmp96Ql13ArLj458YH08xMO/w2NFWGwB/hfARa4z/T0afFuc/tKJf
-XbGCG9xzJ9tmcG45QN8NChGhVvaTweNdVxGWlpHxmi0Mn8OM9CEuB7nPtTTiBuiu
-pRC2zVVmNjVp4ktkAqL7IHOz+/F5nhiz6tOika9oD3376Xj055lPznLcTQn2+4d7
-K7ZrBopCFxIQPjkgmYRLfPejbpdUjK1UVJw7hbWkqWqH7JMCAwEAAaN7MHkwDgYD
-VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGjvRcaIP4HM
-poIguUAK9YL2n7fbMB8GA1UdIwQYMBaAFGjvRcaIP4HMpoIguUAK9YL2n7fbMBYG
-A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQCbzycJSaDm
-AXXNJqQ88djrKs5MDXS8RIjS/cu2ayuLaYDe+BzVmUXNA0Vt9nZGdaz63SLLcjpU
-fNSxBfKbwmf7s30AK8Cnfj9q4W/BlBeVizUHQsg1+RQpDIdMrRQrwkXv8mfLw+w5
-3oaXNW6W/8KpBp/H8TBZ6myl6jCbeR3T8EMXBwipMGop/1zkbF01i98Xpqmhx2+l
-n+80ofPsSspOo5XmgCZym8CD/m/oFHmjcvOfpOCvDh4PZ+i37pmbSlCYoMpla3u/
-7MJMP5lugfLBYNDN2p+V4KbHP/cApCDT5UWLOeAWjgiZQtHH5ilDeYqEc1oPjyJt
-Rtup0MTxSJtN
------END CERTIFICATE-----

pscc/vars

@@ -1,14 +0,0 @@
-BROKER_ID=test-no-real-data.broker.samply.de
-BROKER_URL=https://${BROKER_ID}
-PROXY_ID=${SITE_ID}.${BROKER_ID}
-FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
-FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
-SUPPORT_EMAIL=denis.koether@dkfz-heidelberg.de
-PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
-BROKER_URL_FOR_PREREQ=$BROKER_URL
-
-for module in $PROJECT/modules/*.sh
-do
-    log DEBUG "sourcing $module"
-    source $module
-done

versions/acceptance

@@ -1,3 +0,0 @@
-FOCUS_TAG=develop
-BEAM_TAG=develop
-BLAZE_TAG=main

versions/prod

@@ -1,3 +1,2 @@
 FOCUS_TAG=main
-BEAM_TAG=main
-BLAZE_TAG=0.32
+BEAM_TAG=main

versions/test

@@ -1,3 +1,2 @@
 FOCUS_TAG=develop
-BEAM_TAG=develop
-BLAZE_TAG=main
+BEAM_TAG=develop