samply/bridgehead
1
0
Fork 0
mirror of https://github.com/samply/bridgehead.git synced 2026-04-18 00:20:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

merge into: samply:fix/alternative-proxy-handling
Branches Tags
samply:main samply:develop samply:ovis samply:feature/ml-itcc samply:fix/traefik-dashboard-route samply:feature/cce-enable-osiris2fhir samply:fix/alternative-proxy-handling samply:test/airgapped-blaze samply:test/airgapped-blaze-staging samply:mainzelliste-itcc samply:feat/proxy-escape-chars-readme samply:hotfix/secretsync samply:test/ast samply:feature/pscc-lens samply:feature/cce samply:feat/nngm samply:test/pscc-spot samply:hotfix/itcc samply:prototype/beamFile samply:timakro-patch-1 samply:feature/teiler-roles samply:test/opal5 samply:test/keycloak samply:feat/selinux samply:feature/remove-rstudio samply:test/teiler-dashboard samply:feature/teiler-for-ccp-and-bbmri samply:qr-bbmri-v2 samply:test/exporter-no-python samply:cherry-pick-tmp-pr samply:test/obds2fhir-batch-import samply:pr-secret-sync-gitlab-bbmri samply:feature/add-qb-to-cce samply:torbrenner-patch-1 samply:feat/routine-connector-minor-fixes samply:metadata_fb samply:feat/dnpm-dip samply:bugfix/test-old-blaze samply:dnpm-etl-rewrite samply:feature/qr-basic-auth samply:refactor/logging samply:feature/opal-client-for-new-token-manager samply:test/onkofdz samply:feature/addExporterAndTeilerToEric samply:set_env_variables_needed_for_fhir2sql samply:feature/externalize-versions samply:fix/kr-deactivate-landingpage samply:refactor/datashield-auth-config samply:refactor/independent-modules samply:feature/dnpm-extra-broker samply:revert-223-feat/add-dkfz-hector-ki-project samply:ehds2_develop samply:ehds2 samply:feature/auto-pr samply:qr_bbmri samply:feature/cBioPortal samply:feat/blaze-frontend samply:pro/lemedart samply:feature/feedback-agent samply:feature/component-moniotring samply:feature/cbioportal-datashield samply:documentation/blaze_resources samply:feat/cBioPortal samply:test-switch-branch samply:feature/nngm-rest samply:feature/opal samply:feature/snap samply:feature/accessTokenFromConfiguration
...
pull from: samply:ovis
Branches Tags
samply:main samply:develop samply:ovis samply:feature/ml-itcc samply:fix/traefik-dashboard-route samply:feature/cce-enable-osiris2fhir samply:fix/alternative-proxy-handling samply:test/airgapped-blaze samply:test/airgapped-blaze-staging samply:mainzelliste-itcc samply:feat/proxy-escape-chars-readme samply:hotfix/secretsync samply:test/ast samply:feature/pscc-lens samply:feature/cce samply:feat/nngm samply:test/pscc-spot samply:hotfix/itcc samply:prototype/beamFile samply:timakro-patch-1 samply:feature/teiler-roles samply:test/opal5 samply:test/keycloak samply:feat/selinux samply:feature/remove-rstudio samply:test/teiler-dashboard samply:feature/teiler-for-ccp-and-bbmri samply:qr-bbmri-v2 samply:test/exporter-no-python samply:cherry-pick-tmp-pr samply:test/obds2fhir-batch-import samply:pr-secret-sync-gitlab-bbmri samply:feature/add-qb-to-cce samply:torbrenner-patch-1 samply:feat/routine-connector-minor-fixes samply:metadata_fb samply:feat/dnpm-dip samply:bugfix/test-old-blaze samply:dnpm-etl-rewrite samply:feature/qr-basic-auth samply:refactor/logging samply:feature/opal-client-for-new-token-manager samply:test/onkofdz samply:feature/addExporterAndTeilerToEric samply:set_env_variables_needed_for_fhir2sql samply:feature/externalize-versions samply:fix/kr-deactivate-landingpage samply:refactor/datashield-auth-config samply:refactor/independent-modules samply:feature/dnpm-extra-broker samply:revert-223-feat/add-dkfz-hector-ki-project samply:ehds2_develop samply:ehds2 samply:feature/auto-pr samply:qr_bbmri samply:feature/cBioPortal samply:feat/blaze-frontend samply:pro/lemedart samply:feature/feedback-agent samply:feature/component-moniotring samply:feature/cbioportal-datashield samply:documentation/blaze_resources samply:feat/cBioPortal samply:test-switch-branch samply:feature/nngm-rest samply:feature/opal samply:feature/snap samply:feature/accessTokenFromConfiguration

47 Commits
fix/altern ... ovis

Author SHA1 Message Date
Skiba Jan
87bc6fada3 allow /ccp-ovis* urls 2026-03-30 16:34:48 +02:00
tm16-medma
c504cddff0 Update OVIS frontend configuration in ovis-compose.yml 
Replaced the APP_DOMAIN variable with ORIGIN for improved clarity in the OVIS frontend service configuration. Additionally, removed the stripprefix middleware from the Traefik router setup to streamline routing and enhance service management.
 2026-03-30 16:05:44 +02:00
tm16-medma
04757fbc76 Add APP_DOMAIN environment variable to OVIS services in ovis-compose.yml 
Introduced the APP_DOMAIN variable to the OVIS service configuration, allowing for dynamic domain assignment based on the HOST environment variable. This enhancement improves flexibility in service deployment.
 2026-03-30 13:40:30 +02:00
tm16-medma
5099fdbaf4 Refactor Traefik middleware configuration for OVIS services in ovis-compose.yml 
Removed outdated labels for the ovis-backend service and updated the middleware configuration for the ovis-frontend-ccp service to ensure proper routing and authentication. This streamlines the service setup and enhances clarity in the configuration.
 2026-03-30 13:29:17 +02:00
Skiba Jan
9ca6d0f178 auto generate ovis cookie secret 2026-03-27 10:50:57 +01:00
tm16-medma
c8bb9259db Remove unused CA certificate handling from OVIS setup script and compose file 
Eliminated the environment variables and volume mounts related to trusted CA certificates in both the ovis-compose.yml and ovis-setup.sh files. This streamlines the configuration by relying solely on the system trust store for OIDC provider communication, simplifying the initialization process for the OVIS module.
 2026-03-26 17:03:53 +01:00
tm16-medma
d010ad8bcb Refine OVIS CA file handling and logging in setup script 
Updated the ovis-setup.sh script to support both .crt and .pem certificate files for OIDC providers. Enhanced validation of CA candidates with improved logging to indicate skipped non-certificate files and clarified messages regarding the presence of valid CA files. This ensures better feedback during the OVIS module initialization process.
 2026-03-26 16:28:09 +01:00
tm16-medma
875ce8d71a Add detailed logging for OVIS module initialization in setup script 
Enhanced the ovis-setup.sh script to include a comprehensive log message when the OVIS module is enabled. This update provides clear visual feedback during the initialization process, indicating that OVIS services will start with local oauth2-proxy middleware.
 2026-03-26 16:18:50 +01:00
tm16-medma
3cb1d70416 Enhance OVIS setup script to handle missing CA directory and refine logging 
Updated the ovis-setup.sh script to improve handling of the trusted CA directory, ensuring that the oauth2-proxy uses the system trust store if the directory is missing. Adjusted logging messages for clarity regarding the detection of custom OIDC CA files, specifically focusing on .crt files. Additionally, added a new environment variable for TLS_CA_CERTIFICATES_DIR in the ovis-compose.yml file to support trusted CA certificates.
 2026-03-26 16:16:21 +01:00
tm16-medma
fd2cf2dead Add custom CA file support for OVIS oauth2-proxy in setup script and compose file 
Enhanced the OVIS setup by introducing support for custom OIDC CA files in the oauth2-proxy configuration. Updated the ovis-compose.yml to include new environment variables and volume mounts for trusted CA certificates. Modified the ovis-setup.sh script to detect and log the presence of custom CA files, ensuring secure communication with OIDC providers.
 2026-03-26 15:41:03 +01:00
Tobias Kussel
1e1d0e99d0 Add ovis oidc redirect path 2026-03-26 13:25:47 +01:00
tm16-medma
8e52874b5f Update OVIS frontend image reference in ovis-compose.yml 
Changed the image reference for the ovis-frontend service to use the updated `ovis-frontend` tag, ensuring consistency with the latest deployment standards.
 2026-03-26 12:07:47 +01:00
tm16-medma
e2103666ce Update Traefik service configuration for OVIS frontend in ovis-compose.yml 
Changed the service name for the OVIS frontend load balancer from `ovis-frontend` to `ovis-frontend-ccp`, ensuring consistency with the updated routing setup.
 2026-03-26 10:06:49 +01:00
tm16-medma
f6ba693b25 Comment out middleware configuration for OVIS frontend in ovis-compose.yml. This change temporarily disables the integration of the slash-redirect and prefix-strip middlewares for the ovis-frontend-ccp router, allowing for further testing and adjustments. 2026-03-26 10:05:32 +01:00
tm16-medma
d4a2f72f91 Update Traefik middleware configuration for OVIS frontend in ovis-compose.yml 
Replaced the existing middleware for path prefix stripping with a new middleware, ensuring proper handling of the `/ccp-ovis` path. This change enhances the routing setup by integrating both the slash-redirect and prefix-strip middlewares for improved service accessibility.
 2026-03-26 09:28:39 +01:00
tm16-medma
91dcc3f18e Add environment variables for OVIS frontend in ovis-compose.yml 
Configured new environment variables for the ovis-frontend service, including OVIS_PUBLIC_BASE_PATH, PUBLIC_GRAPHQL_URL, PUBLIC_LOGIN_ENABLED, and PUBLIC_OVIS_IMPORT, to enhance service configuration and accessibility.
 2026-03-26 09:24:24 +01:00
tm16-medma
55d629c343 Add oauth2-proxy middleware for OVIS services in ovis-compose.yml 
Introduced a new service, `ovis-traefik-forward-auth`, to handle authentication via oauth2-proxy. Updated Traefik routing for existing services to integrate the new middleware, ensuring secure access control. Adjusted logging in ovis-setup.sh to reflect the addition of the oauth2-proxy middleware in the OVIS setup process.
 2026-03-26 09:04:42 +01:00
tm16-medma
d955627da7 Update OVIS frontend image reference in ovis-compose.yml 
Changed the image for the ovis-frontend service to use the new `ovis-frontend-ccp` tag, reflecting the latest version. Removed unnecessary environment variables to streamline the configuration.
 2026-03-23 13:26:06 +01:00
tm16-medma
e292a67ded refactor: simplify OVIS frontend Traefik routing to single CCP router 
Collapse the `/ccp-ovis` slash-redirect and prefix-strip flow into one `ovis-frontend-ccp` router by attaching both middlewares in order (redirect, then strip). This removes redundant router labels while preserving canonical `/ccp-ovis -> /ccp-ovis/` behavior and mounted-path forwarding to the frontend service.
 2026-03-23 13:11:27 +01:00
tm16-medma
014933ab61 Cleanup FHIR configuration in ovis-compose.yml 
Removed unused FHIR configuration variables from ovis-compose.yml.
 2026-03-23 12:33:40 +01:00
tm16-medma
6ef1fb7b87 Clean up proxy settings in ovis-compose.yml 
Removed proxy configuration from ovis-compose.yml.
 2026-03-23 12:32:16 +01:00
tm16-medma
191f5f24da refactor: align Bridgehead OVIS CCP overlay with upstream runtime contracts 
Apply the PR #375 review feedback by removing Bridgehead-specific compose/setup overrides
that duplicated upstream OVIS behavior and by switching to the upstream-built Mongo image
that already contains init logic.
- rename CCP OVIS services to consistent upstream-style names (`ovis-*`) and update internal dependencies
- switch Mongo service image from direct `mongo:latest` + host-mounted init script to `docker.verbis.dkfz.de/ovis/ovis-backend-mongodb:latest`
- remove obsolete Mongo init bind mount (`/docker-entrypoint-initdb.d/init.js`) from compose
- drop redundant runtime overrides from compose (`restart`, `command`, `user`, `working_dir`)
- remove duplicated app-default/preprocessor env overrides (`OVIS_PREPROC_*`, misc backend defaults) and keep deployment wiring only
- fix Mongo connection env usage to `ADDRESS` and point services to `ovis-backend-database-mongodb`
- remove temporary root-compat Traefik redirect shim and keep mounted `/ccp-ovis` routing labels
- remove setup-time generation of Mongo init.js and related cache directory prep from `ccp/modules/ovis-setup.sh`
 2026-03-23 11:34:55 +01:00
tm16-medma
921bac11d2 Update Traefik rules in ovis-compose.yml 2026-03-23 11:34:55 +01:00
tm16-medma
b7f787890e Remove blaze service dependency from ovis-compose.yml 
Removed dependency condition on the blaze service.
 2026-03-23 11:34:55 +01:00
tm16-medma
1755298c07 Add dependency condition for blaze service 2026-03-23 11:34:55 +01:00
tm16-medma
1981a08a30 Clear FHIR_USERNAME and FHIR_PASSWORD 
Updated FHIR credentials to empty strings in ovis-compose.yml
 2026-03-23 11:34:55 +01:00
tm16-medma
72021fefc4 Update ovis-compose.yml for backend image and import settings 2026-03-23 11:34:55 +01:00
tm16-medma
3d4f2a4fea Add Traefik labels for ovis-frontend routing 2026-03-23 11:34:55 +01:00
tm16-medma
47b5bb0d80 Clean up Traefik router settings in ovis-compose.yml 
Removed unnecessary Traefik router configurations for compatibility.
 2026-03-23 11:34:55 +01:00
tm16-medma
87e8c786ae Add Traefik labels for ovis-frontend routing 2026-03-23 11:34:55 +01:00
tm16-medma
1a0d12f1a4 Add Traefik labels for ovis-backend services 2026-03-23 11:34:55 +01:00
tm16-medma
57308d0c2c Add Traefik labels for ovis-frontend-ccp routes 2026-03-23 11:34:55 +01:00
tm16-medma
fb027b79e5 Add OVIS_PUBLIC_BASE_PATH environment variable 2026-03-23 11:34:55 +01:00
Skiba Jan
d1624c1068 fix treafik routers 2026-03-23 11:34:55 +01:00
tm16-medma
f3009f347e Refactor ovis-compose.yml to add new services 2026-03-17 15:59:15 +01:00
Skiba, Jan
d386766e13 Merge branch 'develop' into ovis 2026-03-17 15:38:01 +01:00
tm16-medma
4c8f7cb119 Refactor OVIS setup script for MongoDB initialization 2026-03-02 09:14:39 +01:00
tm16-medma
28a93b191c Refactor ovis-compose.yml for latest OVis version 2026-03-02 09:14:05 +01:00
Torben Brenner
324c2b336d Merge pull request #287 from tm16-medma/patch-1 
Update ovis-compose.yml
 2025-04-14 08:19:20 +02:00
tm16-medma
e8cb85eade adjusted traefik parameters 2025-04-09 14:00:39 +00:00
tm16-medma
c59c425ad4 Merge branch 'patch-1' of https://github.com/tm16-medma/bridgehead into patch-1 2025-04-09 13:45:01 +00:00
tm16-medma
e3f7f5d32b Refactor Docker Compose 
- Replaced GUI_HOST with HOST
- Removed NODE_ENV
- Combine init_onco and backend service
- removed node_modules and .svelte-kit volumes
- removed mongodb volumes
- adjusted http_proxy and https_proxy
- adjusted path prefix from oaut2 to oauth2-ovis
- removed network-mode "host" in fhir-transformer service
 2025-04-09 13:43:53 +00:00
tm16-medma
1b01bd81ff Updated the fhir-transformer image and init_onco container to sleep after finishing 2025-04-03 15:04:01 +02:00
tm16-medma
86a2b78d8f corrected a syntax error 2025-04-01 10:57:02 +00:00
tm16-medma
cf1ba43d39 refactor: restructure ovis-compose.yml and added MongoDB initialization to sh 
- Removed the traefik service and renamed traefik-forward-auth to ovis- with ovis-traefik-forward-auth the labels, however would need help there as i got no knowledge of how OAuth2 works (Torben initialized that container)
- Updated MongoDB service configuration to include a direct initialization script for user and operation collections in the sh instead of in the compose directly
- Adjusted volume paths to only use the /var/cache/bridgehead/ccp directory
- Adjusted frontend and backend service labels for Traefik routing to not use ports
- Cleaned up unnecessary network definitions and volumes.
- Renamed FHIR Server URL to bridgehead-ccp-blaze:8080/fhir
- Removed redundant entrypoint (python main.py) of fhir transformer
 2025-04-01 10:46:48 +00:00
tm16-medma
3b49faaeb4 Update ovis-compose.yml 
Please ignore the command in mongo :) It will be replaced soon with proper user authentication
 2025-03-26 11:21:58 +01:00
janskiba
5ba9efe8d3 ovis wip 2025-02-12 10:45:48 +00:00
2 changed files with 113 additions and 0 deletions
Expand all files Collapse all files

104
ccp/modules/ovis-compose.yml Normal file
View File

@@ -0,0 +1,104 @@
version: "3.7"
services:
ovis-traefik-forward-auth:
image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest
environment:
- http_proxy=http://forward_proxy:3128
- https_proxy=http://forward_proxy:3128
- OAUTH2_PROXY_PROVIDER=oidc
- OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
- OAUTH2_PROXY_OIDC_ISSUER_URL=${OIDC_PRIVATE_URL}
- OAUTH2_PROXY_CLIENT_ID=${OIDC_PRIVATE_CLIENT_ID}
- OAUTH2_PROXY_CLIENT_SECRET=${OIDC_CLIENT_SECRET}
- OAUTH2_PROXY_COOKIE_SECRET=${OVIS_AUTH_COOKIE_SECRET}
- OAUTH2_PROXY_COOKIE_NAME=_BRIDGEHEAD_oauth2_ovis
- OAUTH2_PROXY_COOKIE_DOMAINS=.${HOST}
- OAUTH2_PROXY_COOKIE_REFRESH=4m
- OAUTH2_PROXY_COOKIE_EXPIRE=24h
- OAUTH2_PROXY_HTTP_ADDRESS=:4180
- OAUTH2_PROXY_REVERSE_PROXY=true
- OAUTH2_PROXY_WHITELIST_DOMAINS=.${HOST}
- OAUTH2_PROXY_UPSTREAMS=static://202
- OAUTH2_PROXY_EMAIL_DOMAINS=*
- OAUTH2_PROXY_SCOPE=openid profile email
- OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
- OAUTH2_PROXY_SET_XAUTHREQUEST=true
- OAUTH2_PROXY_ALLOWED_GROUPS=${OIDC_USER_GROUP}
- OAUTH2_PROXY_OIDC_GROUPS_CLAIM=${OIDC_GROUP_CLAIM}
- OAUTH2_PROXY_PROXY_PREFIX=/oauth2-ovis
labels:
- "traefik.enable=true"
- "traefik.http.services.ovis-traefik-forward-auth.loadbalancer.server.port=4180"
- "traefik.http.routers.ovis-traefik-forward-auth.rule=Host(`${HOST}`) && PathPrefix(`/oauth2-ovis`)"
- "traefik.http.routers.ovis-traefik-forward-auth.tls=true"
- "traefik.http.middlewares.traefik-forward-auth-ovis.forwardauth.address=http://ovis-traefik-forward-auth:4180"
- "traefik.http.middlewares.traefik-forward-auth-ovis.forwardauth.authResponseHeaders=Authorization"
depends_on:
forward_proxy:
condition: service_healthy
ovis-backend-database-mongodb:
image: docker.verbis.dkfz.de/ovis/ovis-backend-mongodb:latest
container_name: bridgehead-ccp-ovis-mongo
ovis-backend-mongodb-data-preprocessing:
image: docker.verbis.dkfz.de/ovis/ovis-backend-preprocessor:latest
container_name: bridgehead-ccp-ovis-preprocessing
environment:
ADDRESS: mongodb://ovis-backend-database-mongodb:27017
depends_on:
- ovis-backend-database-mongodb
healthcheck:
test: ["CMD-SHELL", "node -e \"require('http').get('http://localhost:9000/health', res => process.exit(res.statusCode===200?0:1)).on('error', () => process.exit(1));\""]
interval: 10s
timeout: 5s
retries: 6
start_period: 5s
ovis-backend-data-import:
image: docker.verbis.dkfz.de/ovis/ovis-backend-data-import-ccp:latest
container_name: bridgehead-ccp-ovis-import
depends_on:
ovis-backend-mongodb-data-preprocessing:
condition: service_healthy
environment:
FHIR_SERVER_URL: http://bridgehead-ccp-blaze:8080/fhir
ovis-backend-apollo:
image: docker.verbis.dkfz.de/ovis/ovis-backend-apollo:latest
container_name: bridgehead-ccp-ovis-backend
environment:
ADDRESS: mongodb://ovis-backend-database-mongodb:27017
depends_on:
- ovis-backend-database-mongodb
- ovis-backend-mongodb-data-preprocessing
- ovis-backend-data-import
healthcheck:
test: ["CMD-SHELL", "test -d /app/node_modules/mongodb"]
interval: 10s
timeout: 5s
retries: 5
# Internal only - no direct Traefik exposure. GraphQL is accessed via frontend internal proxy.
ovis-frontend:
image: docker.verbis.dkfz.de/ovis/ovis-frontend:latest
container_name: bridgehead-ccp-ovis-frontend
environment:
OVIS_PUBLIC_BASE_PATH: /ccp-ovis
PUBLIC_LOGIN_ENABLED: "false"
PUBLIC_OVIS_IMPORT: ccp
ORIGIN: https://${HOST}
depends_on:
ovis-backend-apollo:
condition: service_healthy
labels:
- "traefik.enable=true"
- "traefik.http.middlewares.ovis-frontend-ccp-slash-redirect.redirectregex.regex=^https?://([^/]+)/ccp-ovis$"
- "traefik.http.middlewares.ovis-frontend-ccp-slash-redirect.redirectregex.replacement=https://$${1}/ccp-ovis/"
- "traefik.http.middlewares.ovis-frontend-ccp-slash-redirect.redirectregex.permanent=true"
- "traefik.http.routers.ovis-frontend-ccp.tls=true"
- "traefik.http.routers.ovis-frontend-ccp.rule=PathPrefix(`/ccp-ovis`)"
- "traefik.http.routers.ovis-frontend-ccp.middlewares=traefik-forward-auth-ovis,ovis-frontend-ccp-slash-redirect"
- "traefik.http.services.ovis-frontend-ccp.loadbalancer.server.port=5173"

9
ccp/modules/ovis-setup.sh Normal file
View File

@@ -0,0 +1,9 @@
#!/bin/bash -e
if [ -n "$ENABLE_OVIS" ]; then
log INFO "OVIS setup detected -- will start OVIS services with local oauth2-proxy middleware."
OVERRIDE+=" -f ./$PROJECT/modules/ovis-compose.yml"
add_private_oidc_redirect_url "/oauth2-ovis/callback"
add_private_oidc_redirect_url "/ccp-ovis*"
OVIS_AUTH_COOKIE_SECRET="$(generate_simple_password 'ovisCookieSecret' | head -c 16)"
fi