samply/bridgehead
1
0
Fork 0
mirror of https://github.com/samply/bridgehead.git synced 2025-06-16 23:00:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: samply:feature/feedback-agent
Branches Tags
samply:main samply:transfair-cli samply:develop samply:feature/exporter-docu samply:test/teiler-dashboard samply:feature/add-pscc samply:feature/authentik samply:feature/teiler-for-ccp-and-bbmri samply:qr-bbmri-v2 samply:prototype/beamFile samply:test/exporter-no-python samply:cherry-pick-tmp-pr samply:test/obds2fhir-batch-import samply:ovis samply:test/airgapped-blaze samply:pr-secret-sync-gitlab-bbmri samply:feature/add-qb-to-cce samply:Threated-patch-1 samply:torbrenner-patch-1 samply:feat/routine-connector-minor-fixes samply:metadata_fb samply:feat/dnpm-dip samply:bugfix/test-old-blaze samply:dnpm-etl-rewrite samply:feature/qr-basic-auth samply:refactor/logging samply:feature/opal-client-for-new-token-manager samply:test/onkofdz samply:feature/addExporterAndTeilerToEric samply:set_env_variables_needed_for_fhir2sql samply:feature/externalize-versions samply:fix/kr-deactivate-landingpage samply:refactor/datashield-auth-config samply:refactor/independent-modules samply:feature/dnpm-extra-broker samply:revert-223-feat/add-dkfz-hector-ki-project samply:ehds2_develop samply:ehds2 samply:feature/auto-pr samply:qr_bbmri samply:feature/cBioPortal samply:feat/blaze-frontend samply:feat/central-rstudio samply:pro/lemedart samply:feature/feedback-agent samply:feature/component-moniotring samply:feature/cbioportal-datashield samply:documentation/blaze_resources samply:feat/cBioPortal samply:test-switch-branch samply:feature/nngm-rest samply:feature/opal samply:feature/snap samply:feature/accessTokenFromConfiguration
..
compare: samply:feat/central-rstudio
Branches Tags
samply:transfair-cli samply:develop samply:feature/exporter-docu samply:main samply:test/teiler-dashboard samply:feature/add-pscc samply:feature/authentik samply:feature/teiler-for-ccp-and-bbmri samply:qr-bbmri-v2 samply:prototype/beamFile samply:test/exporter-no-python samply:cherry-pick-tmp-pr samply:test/obds2fhir-batch-import samply:ovis samply:test/airgapped-blaze samply:pr-secret-sync-gitlab-bbmri samply:feature/add-qb-to-cce samply:Threated-patch-1 samply:torbrenner-patch-1 samply:feat/routine-connector-minor-fixes samply:metadata_fb samply:feat/dnpm-dip samply:bugfix/test-old-blaze samply:dnpm-etl-rewrite samply:feature/qr-basic-auth samply:refactor/logging samply:feature/opal-client-for-new-token-manager samply:test/onkofdz samply:feature/addExporterAndTeilerToEric samply:set_env_variables_needed_for_fhir2sql samply:feature/externalize-versions samply:fix/kr-deactivate-landingpage samply:refactor/datashield-auth-config samply:refactor/independent-modules samply:feature/dnpm-extra-broker samply:revert-223-feat/add-dkfz-hector-ki-project samply:ehds2_develop samply:ehds2 samply:feature/auto-pr samply:qr_bbmri samply:feature/cBioPortal samply:feat/blaze-frontend samply:feat/central-rstudio samply:pro/lemedart samply:feature/feedback-agent samply:feature/component-moniotring samply:feature/cbioportal-datashield samply:documentation/blaze_resources samply:feat/cBioPortal samply:test-switch-branch samply:feature/nngm-rest samply:feature/opal samply:feature/snap samply:feature/accessTokenFromConfiguration

3 Commits
feature/fe ... feat/centr

Author SHA1 Message Date
janskiba
96c1b8ede5 chore: update datashield beam-connect mappings 2024-05-23 09:55:22 +02:00
janskiba
eac9374815 feat: Add file-dispatcher to exporter compose 2024-05-23 09:38:37 +02:00
janskiba
8b33912fee feat: Move to central rstudio 2024-04-17 14:25:59 +02:00
18 changed files with 20 additions and 343 deletions
Expand all files Collapse all files

2
bbmri/docker-compose.yml
View File

@ -1,6 +1,6 @@
version: "3.7" version: "3.7"
# This includes only the shared persistence for BBMRI-ERIC and GBN. Federation components are included as modules, see ccp vars. # This includes only the shared persistence for BBMRI-ERIC and GBN. Federation components are included as modules, see vars.
services: services:
blaze: blaze:

67
bbmri/modules/exporter-compose.yml
View File

@ -1,67 +0,0 @@
version: "3.7"
services:
exporter:
image: docker.verbis.dkfz.de/ccp/dktk-exporter:latest
container_name: bridgehead-ccp-exporter
environment:
JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC"
LOG_LEVEL: "INFO"
EXPORTER_API_KEY: "${EXPORTER_API_KEY}" # Set in exporter-setup.sh
CROSS_ORIGINS: "https://${HOST}"
EXPORTER_DB_USER: "exporter"
EXPORTER_DB_PASSWORD: "${EXPORTER_DB_PASSWORD}" # Set in exporter-setup.sh
EXPORTER_DB_URL: "jdbc:postgresql://exporter-db:5432/exporter"
HTTP_RELATIVE_PATH: "/ccp-exporter"
SITE: "${SITE_ID}"
HTTP_SERVLET_REQUEST_SCHEME: "https"
OPAL_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
labels:
- "traefik.enable=true"
- "traefik.http.routers.exporter_ccp.rule=PathPrefix(`/ccp-exporter`)"
- "traefik.http.services.exporter_ccp.loadbalancer.server.port=8092"
- "traefik.http.routers.exporter_ccp.tls=true"
- "traefik.http.middlewares.exporter_ccp_strip.stripprefix.prefixes=/ccp-exporter"
- "traefik.http.routers.exporter_ccp.middlewares=exporter_ccp_strip"
volumes:
- "/var/cache/bridgehead/ccp/exporter-files:/app/exporter-files/output"
exporter-db:
image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
container_name: bridgehead-ccp-exporter-db
environment:
POSTGRES_USER: "exporter"
POSTGRES_PASSWORD: "${EXPORTER_DB_PASSWORD}" # Set in exporter-setup.sh
POSTGRES_DB: "exporter"
volumes:
# Consider removing this volume once we find a solution to save Lens-queries to be executed in the explorer.
- "/var/cache/bridgehead/ccp/exporter-db:/var/lib/postgresql/data"
reporter:
image: docker.verbis.dkfz.de/ccp/dktk-reporter:latest
container_name: bridgehead-ccp-reporter
environment:
JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC"
LOG_LEVEL: "INFO"
CROSS_ORIGINS: "https://${HOST}"
HTTP_RELATIVE_PATH: "/ccp-reporter"
SITE: "${SITE_ID}"
EXPORTER_API_KEY: "${EXPORTER_API_KEY}" # Set in exporter-setup.sh
EXPORTER_URL: "http://exporter:8092"
LOG_FHIR_VALIDATION: "false"
HTTP_SERVLET_REQUEST_SCHEME: "https"
# In this initial development state of the bridgehead, we are trying to have so many volumes as possible.
# However, in the first executions in the CCP sites, this volume seems to be very important. A report is
# a process that can take several hours, because it depends on the exporter.
# There is a risk that the bridgehead restarts, losing the already created export.
volumes:
- "/var/cache/bridgehead/ccp/reporter-files:/app/reports"
labels:
- "traefik.enable=true"
- "traefik.http.routers.reporter_ccp.rule=PathPrefix(`/ccp-reporter`)"
- "traefik.http.services.reporter_ccp.loadbalancer.server.port=8095"
- "traefik.http.routers.reporter_ccp.tls=true"
- "traefik.http.middlewares.reporter_ccp_strip.stripprefix.prefixes=/ccp-reporter"
- "traefik.http.routers.reporter_ccp.middlewares=reporter_ccp_strip"

8
bbmri/modules/exporter-setup.sh
View File

@ -1,8 +0,0 @@
#!/bin/bash -e
if [ "$ENABLE_EXPORTER" == true ]; then
log INFO "Exporter setup detected -- will start Exporter service."
OVERRIDE+=" -f ./$PROJECT/modules/exporter-compose.yml"
EXPORTER_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
EXPORTER_API_KEY="$(echo \"This is a salt string to generate one consistent API KEY for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)"
fi

15
bbmri/modules/exporter.md
View File

@ -1,15 +0,0 @@
# Exporter and Reporter
## Exporter
The exporter is a REST API that exports the data of the different databases of the bridgehead in a set of tables.
It can accept different output formats as CSV, Excel, JSON or XML. It can also export data into Opal.
## Exporter-DB
It is a database to save queries for its execution in the exporter.
The exporter manages also the different executions of the same query in through the database.
## Reporter
This component is a plugin of the exporter that allows to create more complex Excel reports described in templates.
It is compatible with different template engines as Groovy, Thymeleaf,...
It is perfect to generate a document as our traditional CCP quality report.

81
bbmri/modules/teiler-compose.yml
View File

@ -1,81 +0,0 @@
version: "3.7"
services:
teiler-orchestrator:
image: docker.verbis.dkfz.de/cache/samply/teiler-orchestrator:latest
container_name: bridgehead-teiler-orchestrator
labels:
- "traefik.enable=true"
- "traefik.http.routers.teiler_orchestrator_ccp.rule=PathPrefix(`/ccp-teiler`)"
- "traefik.http.services.teiler_orchestrator_ccp.loadbalancer.server.port=9000"
- "traefik.http.routers.teiler_orchestrator_ccp.tls=true"
- "traefik.http.middlewares.teiler_orchestrator_ccp_strip.stripprefix.prefixes=/ccp-teiler"
- "traefik.http.routers.teiler_orchestrator_ccp.middlewares=teiler_orchestrator_ccp_strip"
environment:
TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
TEILER_DASHBOARD_URL: "https://${HOST}/ccp-teiler-dashboard"
DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE_LOWER_CASE}"
HTTP_RELATIVE_PATH: "/ccp-teiler"
teiler-dashboard:
image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:develop
container_name: bridgehead-teiler-dashboard
labels:
- "traefik.enable=true"
- "traefik.http.routers.teiler_dashboard_ccp.rule=PathPrefix(`/ccp-teiler-dashboard`)"
- "traefik.http.services.teiler_dashboard_ccp.loadbalancer.server.port=80"
- "traefik.http.routers.teiler_dashboard_ccp.tls=true"
- "traefik.http.middlewares.teiler_dashboard_ccp_strip.stripprefix.prefixes=/ccp-teiler-dashboard"
- "traefik.http.routers.teiler_dashboard_ccp.middlewares=teiler_dashboard_ccp_strip"
environment:
DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
OIDC_URL: "${OIDC_URL}"
OIDC_REALM: "${OIDC_REALM}"
OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}"
OIDC_TOKEN_GROUP: "${OIDC_GROUP_CLAIM}"
TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
TEILER_PROJECT: "${PROJECT}"
EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
TEILER_DASHBOARD_HTTP_RELATIVE_PATH: "/ccp-teiler-dashboard"
TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
TEILER_USER: "${OIDC_USER_GROUP}"
TEILER_ADMIN: "${OIDC_ADMIN_GROUP}"
REPORTER_DEFAULT_TEMPLATE_ID: "bbmri-qb"
EXPORTER_DEFAULT_TEMPLATE_ID: "bbmri"
teiler-backend:
image: docker.verbis.dkfz.de/ccp/dktk-teiler-backend:latest
container_name: bridgehead-teiler-backend
labels:
- "traefik.enable=true"
- "traefik.http.routers.teiler_backend_ccp.rule=PathPrefix(`/ccp-teiler-backend`)"
- "traefik.http.services.teiler_backend_ccp.loadbalancer.server.port=8085"
- "traefik.http.routers.teiler_backend_ccp.tls=true"
- "traefik.http.middlewares.teiler_backend_ccp_strip.stripprefix.prefixes=/ccp-teiler-backend"
- "traefik.http.routers.teiler_backend_ccp.middlewares=teiler_backend_ccp_strip"
environment:
LOG_LEVEL: "INFO"
APPLICATION_PORT: "8085"
APPLICATION_ADDRESS: "${HOST}"
DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
CONFIG_ENV_VAR_PATH: "/run/secrets/ccp.conf"
TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
TEILER_DASHBOARD_DE_URL: "https://${HOST}/ccp-teiler-dashboard/de"
TEILER_DASHBOARD_EN_URL: "https://${HOST}/ccp-teiler-dashboard/en"
CENTRAX_URL: "${CENTRAXX_URL}"
HTTP_PROXY: "http://forward_proxy:3128"
ENABLE_MTBA: "${ENABLE_MTBA}"
ENABLE_DATASHIELD: "${ENABLE_DATASHIELD}"
secrets:
- ccp.conf
secrets:
ccp.conf:
file: /etc/bridgehead/ccp.conf

9
bbmri/modules/teiler-setup.sh
View File

@ -1,9 +0,0 @@
#!/bin/bash -e
if [ "$ENABLE_TEILER" == true ];then
log INFO "Teiler setup detected -- will start Teiler services."
OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml"
TEILER_DEFAULT_LANGUAGE=DE
TEILER_DEFAULT_LANGUAGE_LOWER_CASE=${TEILER_DEFAULT_LANGUAGE,,}
add_public_oidc_redirect_url "/ccp-teiler/*"
fi

19
bbmri/modules/teiler.md
View File

@ -1,19 +0,0 @@
# Teiler
This module orchestrates the different microfrontends of the bridgehead as a single page application.
## Teiler Orchestrator
Single SPA component that consists on the root HTML site of the single page application and a javascript code that
gets the information about the microfrontend calling the teiler backend and is responsible for registering them. With the
resulting mapping, it can initialize, mount and unmount the required microfrontends on the fly.
The microfrontends run independently in different containers and can be based on different frameworks (Angular, Vue, React,...)
This microfrontends can run as single alone but need an extension with Single-SPA (https://single-spa.js.org/docs/ecosystem).
There are also available three templates (Angular, Vue, React) to be directly extended to be used directly in the teiler.
## Teiler Dashboard
It consists on the main dashboard and a set of embedded services.
### Login
user and password in ccp.local.conf
## Teiler Backend
In this component, the microfrontends are configured.

12
bbmri/vars
View File

@ -7,18 +7,6 @@
FOCUS_RETRY_COUNT=32 FOCUS_RETRY_COUNT=32
PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
OIDC_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})"
OIDC_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter"
OIDC_PRIVATE_CLIENT_ID=${SITE_ID}-private
OIDC_PUBLIC_CLIENT_ID=${SITE_ID}-public
# Use "test-realm-01" for testing
OIDC_REALM="${OIDC_REALM:-master}"
OIDC_URL="https://login.verbis.dkfz.de"
OIDC_ISSUER_URL="${OIDC_URL}/realms/${OIDC_REALM}"
OIDC_GROUP_CLAIM="groups"
POSTGRES_TAG=15.6-alpine
for module in $PROJECT/modules/*.sh for module in $PROJECT/modules/*.sh
do do
log DEBUG "sourcing $module" log DEBUG "sourcing $module"

84
ccp/modules/datashield-compose.yml
View File

@ -1,25 +1,6 @@
version: "3.7" version: "3.7"
services: services:
rstudio:
container_name: bridgehead-rstudio
image: docker.verbis.dkfz.de/ccp/dktk-rstudio:latest
environment:
#DEFAULT_USER: "rstudio" # This line is kept for informational purposes
PASSWORD: "${RSTUDIO_ADMIN_PASSWORD}" # It is required, even if the authentication is disabled
DISABLE_AUTH: "true" # https://rocker-project.org/images/versioned/rstudio.html#how-to-use
HTTP_RELATIVE_PATH: "/rstudio"
ALL_PROXY: "http://forward_proxy:3128" # https://rocker-project.org/use/networking.html
labels:
- "traefik.enable=true"
- "traefik.http.routers.rstudio_ccp.rule=PathPrefix(`/rstudio`)"
- "traefik.http.services.rstudio_ccp.loadbalancer.server.port=8787"
- "traefik.http.middlewares.rstudio_ccp_strip.stripprefix.prefixes=/rstudio"
- "traefik.http.routers.rstudio_ccp.tls=true"
- "traefik.http.routers.rstudio_ccp.middlewares=oidcAuth,rstudio_ccp_strip"
networks:
- rstudio
opal: opal:
container_name: bridgehead-opal container_name: bridgehead-opal
image: docker.verbis.dkfz.de/ccp/dktk-opal:latest image: docker.verbis.dkfz.de/ccp/dktk-opal:latest
@ -93,79 +74,14 @@ services:
- beam-proxy - beam-proxy
volumes: volumes:
- /tmp/bridgehead/opal-map/:/map/:ro - /tmp/bridgehead/opal-map/:/map/:ro
networks:
- default
- rstudio
traefik:
labels:
- "traefik.http.middlewares.oidcAuth.forwardAuth.address=http://oauth2-proxy:4180/"
- "traefik.http.middlewares.oidcAuth.forwardAuth.trustForwardHeader=true"
- "traefik.http.middlewares.oidcAuth.forwardAuth.authResponseHeaders=X-Auth-Request-Access-Token,Authorization"
networks:
- default
- rstudio
forward_proxy:
networks:
- default
- rstudio
beam-proxy: beam-proxy:
environment: environment:
APP_datashield-connect_KEY: ${DATASHIELD_CONNECT_SECRET} APP_datashield-connect_KEY: ${DATASHIELD_CONNECT_SECRET}
APP_token-manager_KEY: ${TOKEN_MANAGER_SECRET} APP_token-manager_KEY: ${TOKEN_MANAGER_SECRET}
# TODO: Allow users of group /DataSHIELD and OIDC_USER_GROUP at the same time:
# Maybe a solution would be (https://oauth2-proxy.github.io/oauth2-proxy/configuration/oauth_provider):
# --allowed-groups=/DataSHIELD,OIDC_USER_GROUP
oauth2-proxy:
image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest
container_name: bridgehead-oauth2proxy
command: >-
--allowed-group=DataSHIELD
--oidc-groups-claim=${OIDC_GROUP_CLAIM}
--auth-logging=true
--whitelist-domain=${HOST}
--http-address="0.0.0.0:4180"
--reverse-proxy=true
--upstream="static://202"
--email-domain="*"
--cookie-name="_BRIDGEHEAD_oauth2"
--cookie-secret="${OAUTH2_PROXY_SECRET}"
--cookie-expire="12h"
--cookie-secure="true"
--cookie-httponly="true"
#OIDC settings
--provider="keycloak-oidc"
--provider-display-name="VerbIS Login"
--client-id="${OIDC_PRIVATE_CLIENT_ID}"
--client-secret="${OIDC_CLIENT_SECRET}"
--redirect-url="https://${HOST}${OAUTH2_CALLBACK}"
--oidc-issuer-url="${OIDC_ISSUER_URL}"
--scope="openid email profile"
--code-challenge-method="S256"
--skip-provider-button=true
#X-Forwarded-Header settings - true/false depending on your needs
--pass-basic-auth=true
--pass-user-headers=false
--pass-access-token=false
labels:
- "traefik.enable=true"
- "traefik.http.routers.oauth2_proxy.rule=Host(`${HOST}`) && PathPrefix(`/oauth2`, `/oauth2/callback`)"
- "traefik.http.services.oauth2_proxy.loadbalancer.server.port=4180"
- "traefik.http.routers.oauth2_proxy.tls=true"
environment:
http_proxy: "http://forward_proxy:3128"
https_proxy: "http://forward_proxy:3128"
depends_on:
forward_proxy:
condition: service_healthy
secrets: secrets:
opal-cert.pem: opal-cert.pem:
file: /tmp/bridgehead/opal-cert.pem file: /tmp/bridgehead/opal-cert.pem
opal-key.pem: opal-key.pem:
file: /tmp/bridgehead/opal-key.pem file: /tmp/bridgehead/opal-key.pem
networks:
rstudio:

19
ccp/modules/datashield-setup.sh
View File

@ -5,17 +5,12 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
if [ -z "${ENABLE_EXPORTER}" ] || [ "${ENABLE_EXPORTER}" != "true" ]; then if [ -z "${ENABLE_EXPORTER}" ] || [ "${ENABLE_EXPORTER}" != "true" ]; then
log WARN "The ENABLE_EXPORTER variable is either not set or not set to 'true'." log WARN "The ENABLE_EXPORTER variable is either not set or not set to 'true'."
fi fi
OAUTH2_CALLBACK=/oauth2/callback
OAUTH2_PROXY_SECRET="$(echo \"This is a salt string to generate one consistent encryption key for the oauth2_proxy. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 32)"
add_private_oidc_redirect_url "${OAUTH2_CALLBACK}"
log INFO "DataSHIELD setup detected -- will start DataSHIELD services." log INFO "DataSHIELD setup detected -- will start DataSHIELD services."
OVERRIDE+=" -f ./$PROJECT/modules/datashield-compose.yml" OVERRIDE+=" -f ./$PROJECT/modules/datashield-compose.yml"
EXPORTER_OPAL_PASSWORD="$(generate_password \"exporter in Opal\")" EXPORTER_OPAL_PASSWORD="$(generate_password \"exporter in Opal\")"
TOKEN_MANAGER_OPAL_PASSWORD="$(generate_password \"Token Manager in Opal\")" TOKEN_MANAGER_OPAL_PASSWORD="$(generate_password \"Token Manager in Opal\")"
OPAL_DB_PASSWORD="$(echo \"Opal DB\" | generate_simple_password)" OPAL_DB_PASSWORD="$(echo \"Opal DB\" | generate_simple_password)"
OPAL_ADMIN_PASSWORD="$(generate_password \"admin password for Opal\")" OPAL_ADMIN_PASSWORD="$(generate_password \"admin password for Opal\")"
RSTUDIO_ADMIN_PASSWORD="$(generate_password \"admin password for R-Studio\")"
DATASHIELD_CONNECT_SECRET="$(echo \"DataShield Connect\" | generate_simple_password)" DATASHIELD_CONNECT_SECRET="$(echo \"DataShield Connect\" | generate_simple_password)"
TOKEN_MANAGER_SECRET="$(echo \"Token Manager\" | generate_simple_password)" TOKEN_MANAGER_SECRET="$(echo \"Token Manager\" | generate_simple_password)"
if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then
@ -23,17 +18,11 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
openssl req -x509 -newkey rsa:4096 -nodes -keyout /tmp/bridgehead/opal-key.pem -out /tmp/bridgehead/opal-cert.pem -days 3650 -subj "/CN=opal/C=DE" openssl req -x509 -newkey rsa:4096 -nodes -keyout /tmp/bridgehead/opal-key.pem -out /tmp/bridgehead/opal-cert.pem -days 3650 -subj "/CN=opal/C=DE"
fi fi
mkdir -p /tmp/bridgehead/opal-map mkdir -p /tmp/bridgehead/opal-map
sites="$(cat ./$PROJECT/modules/datashield-sites.json)" echo '{"sites": []}' >/tmp/bridgehead/opal-map/central.json
echo "$sites" | docker_jq -n --args '{"sites": input | map({ echo '[{
"name": ., "external": "'$SITE_ID':443",
"id": .,
"virtualhost": "\(.):443",
"beamconnect": "datashield-connect.\(.).'"$BROKER_ID"'"
})}' $sites >/tmp/bridgehead/opal-map/central.json
echo "$sites" | docker_jq -n --args '[{
"external": "'"$SITE_ID"':443",
"internal": "opal:8443", "internal": "opal:8443",
"allowed": input | map("datashield-connect.\(.).'"$BROKER_ID"'") "allowed": ["central-ds-orchestrator.'$BROKER_ID'"]
}]' > /tmp/bridgehead/opal-map/local.json }]' > /tmp/bridgehead/opal-map/local.json
if [ "$USER" == "root" ]; then if [ "$USER" == "root" ]; then
chown -R bridgehead:docker /tmp/bridgehead chown -R bridgehead:docker /tmp/bridgehead

14
ccp/modules/datashield-sites.json
View File

@ -1,14 +0,0 @@
[
"berlin",
"muenchen-lmu",
"dresden",
"freiburg",
"muenchen-tum",
"tuebingen",
"mainz",
"frankfurt",
"essen",
"dktk-datashield-test",
"dktk-test",
"mannheim"
]

13
ccp/modules/exporter-compose.yml
View File

@ -65,3 +65,16 @@ services:
- "traefik.http.routers.reporter_ccp.tls=true" - "traefik.http.routers.reporter_ccp.tls=true"
- "traefik.http.middlewares.reporter_ccp_strip.stripprefix.prefixes=/ccp-reporter" - "traefik.http.middlewares.reporter_ccp_strip.stripprefix.prefixes=/ccp-reporter"
- "traefik.http.routers.reporter_ccp.middlewares=reporter_ccp_strip" - "traefik.http.routers.reporter_ccp.middlewares=reporter_ccp_strip"
file-dispatcher:
image: docker.verbis.dkfz.de/cache/samply/file-dispatcher:latest
environment:
- BEAM_ID=file-dispatcher.${PROXY_ID}
- PROJECT_MANAGER_ID=project-manager.request-manager.${BROKER_ID}
- BEAM_SECRET=${FILE_DISPATCHER_BEAM_SECRET} # Generated in exporter-setup.sh
- BEAM_URL=http://beam-proxy:8081
- EXPORTER_URL=http://exporter:8092
beam-proxy:
environment:
- APP_file-dispatcher_KEY=${FILE_DISPATCHER_BEAM_SECRET}

1
ccp/modules/exporter-setup.sh
View File

@ -5,4 +5,5 @@ if [ "$ENABLE_EXPORTER" == true ]; then
OVERRIDE+=" -f ./$PROJECT/modules/exporter-compose.yml" OVERRIDE+=" -f ./$PROJECT/modules/exporter-compose.yml"
EXPORTER_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" EXPORTER_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
EXPORTER_API_KEY="$(echo \"This is a salt string to generate one consistent API KEY for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)" EXPORTER_API_KEY="$(echo \"This is a salt string to generate one consistent API KEY for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)"
FILE_DISPATCHER_BEAM_SECRET="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
fi fi

1
ccp/modules/id-management-compose.yml
View File

@ -29,7 +29,6 @@ services:
container_name: bridgehead-patientlist container_name: bridgehead-patientlist
environment: environment:
- TOMCAT_REVERSEPROXY_FQDN=${HOST} - TOMCAT_REVERSEPROXY_FQDN=${HOST}
- TOMCAT_REVERSEPROXY_SSL=true
- ML_SITE=${IDMANAGEMENT_FRIENDLY_ID} - ML_SITE=${IDMANAGEMENT_FRIENDLY_ID}
- ML_DB_PASS=${PATIENTLIST_POSTGRES_PASSWORD} - ML_DB_PASS=${PATIENTLIST_POSTGRES_PASSWORD}
- ML_API_KEY=${IDMANAGER_LOCAL_PATIENTLIST_APIKEY} - ML_API_KEY=${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}

4
lib/functions.sh
View File

@ -367,7 +367,3 @@ generate_simple_password(){
local combined_text="This is a salt string to generate one consistent password for ${seed_text}. It is not required to be secret." local combined_text="This is a salt string to generate one consistent password for ${seed_text}. It is not required to be secret."
echo "${combined_text}" | sha1sum | openssl pkeyutl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26 | sed 's/[+\/]/A/g' echo "${combined_text}" | sha1sum | openssl pkeyutl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26 | sed 's/[+\/]/A/g'
} }
docker_jq() {
docker run --rm -i docker.verbis.dkfz.de/cache/jqlang/jq:latest "$@"
}

3
minimal/docker-compose.yml
View File

@ -42,9 +42,6 @@ services:
- /var/spool/squid - /var/spool/squid
volumes: volumes:
- /etc/bridgehead/trusted-ca-certs:/docker/custom-certs/:ro - /etc/bridgehead/trusted-ca-certs:/docker/custom-certs/:ro
healthcheck:
# Wait 1s before marking this service healthy. Required for the oauth2-proxy to talk to the OIDC provider on startup which will fail if the forward proxy is not started yet.
test: ["CMD", "sleep", "1"]
landing: landing:
container_name: bridgehead-landingpage container_name: bridgehead-landingpage

2
minimal/modules/bbmri vars
View File

@ -1,2 +0,0 @@
OIDC_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})"
OIDC_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter"

7
minimal/modules/ccp vars
View File

@ -1,7 +0,0 @@
OIDC_PRIVATE_CLIENT_ID=${SITE_ID}-private
OIDC_PUBLIC_CLIENT_ID=${SITE_ID}-public
# Use "test-realm-01" for testing
OIDC_REALM="${OIDC_REALM:-master}"
OIDC_URL="https://login.verbis.dkfz.de"
OIDC_ISSUER_URL="${OIDC_URL}/realms/${OIDC_REALM}"
OIDC_GROUP_CLAIM="groups"