Changes to make deployed CCE explorer work properly. (#368 )

* Changes to make deployed CCE explorer work properly. In the lens environment section in services: - add PUBLIC_SPOT_URL value
update beam proxy server used for oauth enrollment (#366 )
2026-04-17 17:20:15 +02:00 · 2026-01-28 13:40:51 +01:00 · 2026-01-28 13:40:51 +01:00 · 2026-01-28 13:40:51 +01:00 · 2026-01-28 13:40:51 +01:00 · 2026-01-28 13:40:51 +01:00
20 changed files with 73 additions and 237 deletions
--- a/bbmri/modules/directory-sync.sh
+++ b/bbmri/modules/directory-sync.sh
@@ -1,6 +1,6 @@
 #!/bin/bash

-if [ -n "${DS_DIRECTORY_USER_NAME}" ] || [ -n "${DS_DIRECTORY_USER_TOKEN}" ]; then
+if [ -n "${DS_DIRECTORY_USER_NAME}" ]; then
 	log INFO "Directory sync setup detected -- will start directory sync service."
 	OVERRIDE+=" -f ./$PROJECT/modules/directory-sync-compose.yml"
 fi
--- a/cce/modules/airgapped-blaze-compose.yml
+++ b/cce/modules/airgapped-blaze-compose.yml
@@ -0,0 +1,25 @@
+version: "3.7"
+
+services:
+  blaze-airgapped:
+    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
+    container_name: bridgehead-cce-blaze-airgapped
+    environment:
+      BASE_URL: "http://bridgehead-cce-blaze-airgapped:8080"
+      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
+      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
+      DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
+      CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
+      ENFORCE_REFERENTIAL_INTEGRITY: "false"
+    volumes:
+      - "blaze-airgapped-data:/app/data"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.blaze-airgapped_cce.rule=PathPrefix(`/cce-localdatamanagement-airgapped`)"
+      - "traefik.http.middlewares.cce_b-a_strip.stripprefix.prefixes=/cce-localdatamanagement-airgapped"
+      - "traefik.http.services.blaze-airgapped_cce.loadbalancer.server.port=8080"
+      - "traefik.http.routers.blaze-airgapped_cce.middlewares=cce_b-a_strip,auth"
+      - "traefik.http.routers.blaze-airgapped_cce.tls=true"
+
+volumes:
+  blaze-airgapped-data:
--- a/cce/modules/airgapped-blaze-setup.sh
+++ b/cce/modules/airgapped-blaze-setup.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+OVERRIDE+=" -f ./$PROJECT/modules/airgapped-blaze-compose.yml"
--- a/itcc/docker-compose.yml
+++ b/itcc/docker-compose.yml
@@ -15,7 +15,7 @@ services:
      - "blaze-data:/app/data"
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.blaze_itcc.rule=Host(`${HOST}`) && PathPrefix(`/itcc-localdatamanagement`)"
+      - "traefik.http.routers.blaze_itcc.rule=PathPrefix(`/itcc-localdatamanagement`)"
      - "traefik.http.middlewares.itcc_b_strip.stripprefix.prefixes=/itcc-localdatamanagement"
      - "traefik.http.services.blaze_itcc.loadbalancer.server.port=8080"
      - "traefik.http.routers.blaze_itcc.middlewares=itcc_b_strip,auth"
@@ -34,6 +34,7 @@ services:
      EPSILON: 0.28
      QUERIES_TO_CACHE: '/queries_to_cache.conf'
      ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
+      CQL_PROJECTS_ENABLED: "itcc"
    volumes:
      - /srv/docker/bridgehead/itcc/queries_to_cache.conf:/queries_to_cache.conf:ro
    depends_on:
--- a/itcc/modules/itcc-omics-ingest.sh
+++ b/itcc/modules/itcc-omics-ingest.sh
@@ -1,6 +0,0 @@
-#!/bin/bash
-
-if [ -n "$ENABLE_OMICS" ];then
-  OVERRIDE+=" -f ./$PROJECT/modules/itcc-omics-ingest.yaml"
-  GENERATE_API_KEY="$(generate_simple_password 'omics')"
-fi
--- a/itcc/modules/itcc-omics-ingest.yaml
+++ b/itcc/modules/itcc-omics-ingest.yaml
@@ -1,14 +0,0 @@
-services:
-  omics-endpoint:
-    image: ghcr.io/samply/itcc-omics-ingest:main
-    environment:
-      - API_KEY=${GENERATE_API_KEY}
-    volumes:
-      - /var/cache/bridgehead/omics/data:/data/uploads
-    labels:
-      - "traefik.http.routers.omics.rule=Host(`${HOST}`) && PathPrefix(`/api/omics`)"
-      - "traefik.enable=true"
-      - "traefik.http.services.omics.loadbalancer.server.port=6080"
-      - "traefik.http.routers.omics.tls=true"
-      - "traefik.http.middlewares.omics-stripprefix.stripprefix.prefixes=/api"
-      - "traefik.http.routers.omics.middlewares=omics-stripprefix"
--- a/itcc/modules/lens-compose.yml
+++ b/itcc/modules/lens-compose.yml
@@ -1,47 +1,33 @@
 version: "3.7"
 services:
-  itcc-explorer:
-    container_name: lens_itcc_explorer
-    image: samply/itcc-explorer:main
-    environment:
-      HOST: "0.0.0.0"
-      BIND_ADDR: "0.0.0.0:3000"
-      PUBLIC_ENVIRONMENT: ${PUBLIC_ENVIRONMENT}
+  landing:
+    container_name: lens_federated-search
+    image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID}
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.itcc.rule=Host(`${HOST}`) && PathPrefix(`/`)"
-      - "traefik.http.routers.itcc.entrypoints=websecure"
-      - "traefik.http.services.itcc.loadbalancer.server.port=3000"
-      - "traefik.http.routers.itcc.tls=true"
+      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
+      - "traefik.http.services.landing.loadbalancer.server.port=80"
+      - "traefik.http.routers.landing.tls=true"

  spot:
-    image: samply/rustyspot:latest
+    image: docker.verbis.dkfz.de/ccp-private/central-spot
    environment:
      BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}"
-      BEAM_PROXY_URL: http://beam-proxy:8081
+      BEAM_URL: http://beam-proxy:8081
      BEAM_PROXY_ID: ${SITE_ID}
      BEAM_BROKER_ID: ${BROKER_ID}
-      BEAM_APP_ID: "spot.${SITE_ID}.${BROKER_ID}"
-      CORS_ORIGIN: "https://${HOST}"
-      SITES: ${SITES}
-      TRANSFORM: LENS
-      PROJECT: "itcc"
-      BIND_ADDR: 0.0.0.0:8055
+      BEAM_APP_ID: "focus"
+      PROJECT_METADATA: "itcc"
    depends_on:
      - "beam-proxy"
    labels:
      - "traefik.enable=true"
-      - "traefik.http.services.spot.loadbalancer.server.port=8055"
+      - "traefik.http.services.spot.loadbalancer.server.port=8080"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowmethods=GET,OPTIONS,POST"
-      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowheaders=content-type"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolalloworiginlist=https://${HOST}"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowcredentials=true"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolmaxage=-1"
-      - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/prod`)"
-      - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/prod"
+      - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/backend`)"
+      - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/backend"
      - "traefik.http.routers.spot.tls=true"
      - "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot,auth"
-
-  beam-proxy:
-    environment:
-      APP_spot_KEY: ${FOCUS_BEAM_SECRET_SHORT}
--- a/itcc/vars
+++ b/itcc/vars
@@ -6,7 +6,6 @@ FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
 SUPPORT_EMAIL=arturo.macias@dkfz-heidelberg.de
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 BROKER_URL_FOR_PREREQ=$BROKER_URL
-PUBLIC_ENVIRONMENT=prod

 for module in $PROJECT/modules/*.sh
 do
--- a/kr/docker-compose.yml
+++ b/kr/docker-compose.yml
@@ -12,8 +12,7 @@ services:
      BASE_URL: "http://bridgehead-kr-blaze:8080"
      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
-      DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
-      CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
+      DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP
      ENFORCE_REFERENTIAL_INTEGRITY: "false"
    volumes:
      - "blaze-data:/app/data"
--- a/kr/modules/export-and-qb.curl-templates
+++ b/kr/modules/export-and-qb.curl-templates
@@ -0,0 +1,6 @@
+# Full Excel Export
+curl --location --request POST 'https://${HOST}/ccp-exporter/request?query=Patient&query-format=FHIR_PATH&template-id=ccp&output-format=EXCEL' \
+--header 'x-api-key: ${EXPORT_API_KEY}'
+
+# QB
+curl --location --request POST 'https://${HOST}/ccp-reporter/generate?template-id=ccp'
--- a/kr/modules/lens-compose.yml
+++ b/kr/modules/lens-compose.yml
@@ -4,41 +4,32 @@ services:
    deploy:
      replicas: 1 #reactivate if lens is in use
    container_name: lens_federated-search
-    image: docker.verbis.dkfz.de/ccp/kr-explorer:main
-    environment:
-      PUBLIC_SPOT_URL: https://${HOST}/prod
+    image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID}
    labels:
-      - "traefik.http.services.lens.loadbalancer.server.port=3000"
      - "traefik.enable=true"
-      - "traefik.http.routers.lens.rule=Host(`${HOST}`)"
-      - "traefik.http.routers.lens.tls=true"
+      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
+      - "traefik.http.services.landing.loadbalancer.server.port=80"
+      - "traefik.http.routers.landing.tls=true"

  spot:
-    image: samply/rustyspot:latest
+    image: docker.verbis.dkfz.de/ccp-private/central-spot
    environment:
      BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}"
-      BEAM_PROXY_URL: http://beam-proxy:8081
-      BEAM_APP_ID: "spot.${SITE_ID}.${BROKER_ID}"
-      CORS_ORIGIN: "https://${HOST}"
-      SITES: ${SITES}
-      TRANSFORM: LENS
-      PROJECT: kr
-      BIND_ADDR: 0.0.0.0:8055
+      BEAM_URL: http://beam-proxy:8081
+      BEAM_PROXY_ID: ${SITE_ID}
+      BEAM_BROKER_ID: ${BROKER_ID}
+      BEAM_APP_ID: "focus"
+      PROJECT_METADATA: "kr_supervisors"
    depends_on:
      - "beam-proxy"
    labels:
      - "traefik.enable=true"
-      - "traefik.http.services.spot.loadbalancer.server.port=8055"
+      - "traefik.http.services.spot.loadbalancer.server.port=8080"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowmethods=GET,OPTIONS,POST"
-      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowheaders=content-type"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolalloworiginlist=https://${HOST}"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowcredentials=true"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolmaxage=-1"
-      - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/prod`)"
-      - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/prod"
+      - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/backend`)"
+      - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/backend"
      - "traefik.http.routers.spot.tls=true"
-      - "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot,auth"
-
-  beam-proxy:
-    environment:
-      APP_spot_KEY: ${FOCUS_BEAM_SECRET_SHORT}
+      - "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot"
--- a/kr/modules/obds2fhir-rest-compose.yml
+++ b/kr/modules/obds2fhir-rest-compose.yml
@@ -3,7 +3,7 @@ version: "3.7"
 services:
  obds2fhir-rest:
    container_name: bridgehead-obds2fhir-rest
-    image: docker.verbis.dkfz.de/samply/obds2fhir-rest:main
+    image: docker.verbis.dkfz.de/ccp/obds2fhir-rest:main
    environment:
      IDTYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID
      MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
--- a/kr/vars
+++ b/kr/vars
@@ -3,7 +3,7 @@ BROKER_URL=https://${BROKER_ID}
 PROXY_ID=${SITE_ID}.${BROKER_ID}
 FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
-SUPPORT_EMAIL=p.delpy@dkfz-heidelberg.de
+SUPPORT_EMAIL=arturo.macias@dkfz-heidelberg.de
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 BROKER_URL_FOR_PREREQ=$BROKER_URL

--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -9,15 +9,6 @@ detectCompose() {
 	fi
 }

-# Encodes all characters not in unrestricted character set of RFC3986 Section 2.3
-urlencode() {
-  for ((i=0;i<${#1};i++)); do
-    local c=${1:i:1}
-    [[ "$c" =~ [a-zA-Z0-9._~-] ]] && printf '%s' "$c" || printf '%%%02X' "'$c"
-  done
-  echo
-}
-
 setupProxy() {
 	### Note: As the current data protection concepts do not allow communication via HTTP,
 	### we are not setting a proxy for HTTP requests.
@@ -31,12 +22,9 @@ setupProxy() {
 		HTTPS_PROXY_HOST="$(echo $hostport | sed -e 's,:.*,,g')"
 		HTTPS_PROXY_PORT="$(echo $hostport | sed -e 's,^.*:,:,g' -e 's,.*:\([0-9]*\).*,\1,g' -e 's,[^0-9],,g')"
 		if [[ ! -z "$HTTPS_PROXY_USERNAME" && ! -z "$HTTPS_PROXY_PASSWORD" ]]; then
-			local ESCAPED_PASSWORD="$(echo $HTTPS_PROXY_PASSWORD | od -An -v -t x1 | sed -e 's/[[:space:]]//g' -e 's/\([0-9a-f][0-9a-f]\)/%\1/g' | tr -d '\n')"
-			local CURL_ESCAPED_PW="$(urlencode $HTTPS_PROXY_PASSWORD)"
 			local proto="$(echo $HTTPS_PROXY_URL | grep :// | sed -e 's,^\(.*://\).*,\1,g')"
 			local fqdn="$(echo ${HTTPS_PROXY_URL/$proto/})"
-			HTTPS_PROXY_FULL_URL="$(echo $proto$HTTPS_PROXY_USERNAME:$ESCAPED_PASSWORD@$fqdn)"
-			CURL_HTTPS_PROXY_FULL_URL="$(echo $proto$HTTPS_PROXY_USERNAME:$CURL_ESCAPED_PW@$fqdn)"
+			HTTPS_PROXY_FULL_URL="$(echo $proto$HTTPS_PROXY_USERNAME:$HTTPS_PROXY_PASSWORD@$fqdn)"
 			https="authenticated"
 		else
 			HTTPS_PROXY_FULL_URL=$HTTPS_PROXY_URL
@@ -45,7 +33,7 @@ setupProxy() {
 	fi

 	log INFO "Configuring proxy servers: $http http proxy (we're not supporting unencrypted comms), $https https proxy"
-	export HTTPS_PROXY_HOST HTTPS_PROXY_PORT HTTPS_PROXY_FULL_URL CURL_HTTPS_PROXY_FULL_URL
+	export HTTPS_PROXY_HOST HTTPS_PROXY_PORT HTTPS_PROXY_FULL_URL
 }

 exitIfNotRoot() {
--- a/lib/monitoring.sh
+++ b/lib/monitoring.sh
@@ -47,8 +47,8 @@ function hc_send(){

    if [ -n "$2" ]; then
        MSG="$2\n\nDocker stats:\n$UPTIME"
-        echo -e "$MSG" | https_proxy=$CURL_HTTPS_PROXY_FULL_URL curl --max-time 5 -A "$USER_AGENT" -s -o /dev/null -X POST --data-binary @- "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1"
+        echo -e "$MSG" | https_proxy=$HTTPS_PROXY_FULL_URL curl --max-time 5 -A "$USER_AGENT" -s -o /dev/null -X POST --data-binary @- "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1"
    else
-        https_proxy=$CURL_HTTPS_PROXY_FULL_URL curl --max-time 5 -A "$USER_AGENT" -s -o /dev/null "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1"
+        https_proxy=$HTTPS_PROXY_FULL_URL curl --max-time 5 -A "$USER_AGENT" -s -o /dev/null "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1"
    fi
 }
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -71,7 +71,7 @@ source ${PROJECT}/vars

 if [ "${PROJECT}" != "minimal" ]; then
  set +e
-  SERVERTIME="$(https_proxy=$CURL_HTTPS_PROXY_FULL_URL curl -m 5 -s -I $BROKER_URL_FOR_PREREQ 2>&1 | grep -i -e '^Date: ' | sed -e 's/^Date: //i')"
+  SERVERTIME="$(https_proxy=$HTTPS_PROXY_FULL_URL curl -m 5 -s -I $BROKER_URL_FOR_PREREQ 2>&1 | grep -i -e '^Date: ' | sed -e 's/^Date: //i')"
  RET=$?
  set -e
  if [ $RET -ne 0 ]; then
--- a/lib/tests/test_proxyparsing.sh
+++ b/lib/tests/test_proxyparsing.sh
@@ -1,123 +0,0 @@
-source ../functions.sh
-
-test_setupProxy() {
-  # simple logger for tests
-  log() { :; }
-
-  local failures=0
-  local total=0
-
-  assert_eq() {
-    local label="$1" got="$2" expected="$3"
-    total=$((total + 1))
-    if [[ "$got" != "$expected" ]]; then
-      failures=$((failures + 1))
-      printf 'FAIL: %s\n  got:      %q\n  expected: %q\n\n' "$label" "$got" "$expected"
-    else
-      printf 'ok: %s\n' "$label"
-    fi
-  }
-
-  run_case() {
-    local name="$1"
-    local url="$2"
-    local u="$3"
-    local p="$4"
-    local exp_host="$5"
-    local exp_port="$6"
-    local exp_full="$7"
-
-    HTTPS_PROXY_URL="$url"
-    HTTPS_PROXY_USERNAME="$u"
-    HTTPS_PROXY_PASSWORD="$p"
-
-    setupProxy >/dev/null 2>&1
-
-    assert_eq "$name host" "$HTTPS_PROXY_HOST" "$exp_host"
-    assert_eq "$name port" "$HTTPS_PROXY_PORT" "$exp_port"
-    assert_eq "$name full" "$HTTPS_PROXY_FULL_URL" "$exp_full"
-  }
-
-  echo "Running setupProxy tests..."
-  echo
-
-  # 1) Basic https host:port
-  run_case "basic https" \
-    "https://proxy.example.org:8443" "" "" \
-    "proxy.example.org" "8443" \
-    "https://proxy.example.org:8443"
-
-  # 2) https without port -> default 443
-  run_case "https no port" \
-    "https://proxy.example.org" "" "" \
-    "proxy.example.org" "443" \
-    "https://proxy.example.org"
-
-  # 3) no scheme, host:port -> defaults scheme=https
-  run_case "no scheme hostport" \
-    "proxy.example.org:3128" "" "" \
-    "proxy.example.org" "3128" \
-    "https://proxy.example.org:3128"
-
-  # 4) URL with path/query/fragment
-  run_case "ignores path" \
-    "https://proxy.example.org:8443/some/path?x=1#y" "" "" \
-    "proxy.example.org" "8443" \
-    "https://proxy.example.org:8443"
-
-  # 5) explicit env creds inserted
-  run_case "env creds override" \
-    "https://proxy.example.org:8443" "alice" "secret" \
-    "proxy.example.org" "8443" \
-    "https://alice:secret@proxy.example.org:8443"
-
-  # 6) embedded creds used if env creds absent
-  run_case "embedded creds" \
-    "https://bob:pw@proxy.example.org:8443" "" "" \
-    "proxy.example.org" "8443" \
-    "https://bob:pw@proxy.example.org:8443"
-
-  # 7) env creds override embedded creds
-  run_case "env overrides embedded" \
-    "https://bob:pw@proxy.example.org:8443" "alice" "secret" \
-    "proxy.example.org" "8443" \
-    "https://alice:secret@proxy.example.org:8443"
-
-  # 8) IPv6 literal with port
-  run_case "ipv6 with port" \
-    "https://[2001:db8::1]:8080" "" "" \
-    "2001:db8::1" "8080" \
-    "https://[2001:db8::1]:8080"
-
-  # 9) IPv6 literal without port -> default 443
-  run_case "ipv6 no port" \
-    "https://[2001:db8::1]" "" "" \
-    "2001:db8::1" "443" \
-    "https://[2001:db8::1]"
-
-  # 10) http scheme rejected -> outputs empty
-  HTTPS_PROXY_URL="http://proxy.example.org:8080"
-  HTTPS_PROXY_USERNAME=""
-  HTTPS_PROXY_PASSWORD=""
-  setupProxy >/dev/null 2>&1
-  assert_eq "http rejected host" "${HTTPS_PROXY_HOST:-}" ""
-  assert_eq "http rejected port" "${HTTPS_PROXY_PORT:-}" ""
-  assert_eq "http rejected full" "${HTTPS_PROXY_FULL_URL:-}" ""
-
-  # 11) empty URL -> outputs empty but no failure
-  HTTPS_PROXY_URL=""
-  setupProxy >/dev/null 2>&1
-  assert_eq "empty url host" "${HTTPS_PROXY_HOST:-}" ""
-  assert_eq "empty url port" "${HTTPS_PROXY_PORT:-}" ""
-  assert_eq "empty url full" "${HTTPS_PROXY_FULL_URL:-}" ""
-
-  echo
-  echo "Tests complete: $((total - failures))/$total passed."
-  if (( failures > 0 )); then
-    echo "Some tests failed."
-    return 1
-  fi
-  return 0
-}
-
-test_setupProxy
--- a/minimal/docker-compose.yml
+++ b/minimal/docker-compose.yml
@@ -32,7 +32,7 @@ services:

  forward_proxy:
    container_name: bridgehead-forward-proxy
-    image: samply/bridgehead-forward-proxy:pr-16
+    image: docker.verbis.dkfz.de/cache/samply/bridgehead-forward-proxy:latest
    environment:
      HTTPS_PROXY: ${HTTPS_PROXY_URL}
      HTTPS_PROXY_USERNAME: ${HTTPS_PROXY_USERNAME}
--- a/pscc/modules/osiris2fhir-compose.yml
+++ b/pscc/modules/osiris2fhir-compose.yml
@@ -1,13 +0,0 @@
-services:
-  osiris2fhir:
-    container_name: bridgehead-osiris2fhir
-    image: docker.verbis.dkfz.de/ccp/osiris2fhir:${SITE_ID}
-    environment:
-      SALT: ${LOCAL_SALT}
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.osiris2fhir.rule=PathPrefix(`/osiris2fhir`)"
-      - "traefik.http.middlewares.osiris2fhir_strip.stripprefix.prefixes=/osiris2fhir"
-      - "traefik.http.services.osiris2fhir.loadbalancer.server.port=8080"
-      - "traefik.http.routers.osiris2fhir.tls=true"
-      - "traefik.http.routers.osiris2fhir.middlewares=osiris2fhir_strip,auth"
--- a/pscc/modules/osiris2fhir-setup.sh
+++ b/pscc/modules/osiris2fhir-setup.sh
@@ -1,6 +0,0 @@
-#!/bin/bash
-if [ -n "$ENABLE_OSIRIS2FHIR" ]; then
-  log INFO "oBDS2FHIR-REST setup detected -- will start osiris2fhir module."
-  OVERRIDE+=" -f ./pscc/modules/osiris2fhir-compose.yml"
-  LOCAL_SALT="$(echo \"local-random-salt\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
-fi
Author	SHA1	Message	Date
Manoj Waikar	d18e56f381	Changes to make deployed CCE explorer work properly. (#368 ) * Changes to make deployed CCE explorer work properly. In the lens environment section in services: - add PUBLIC_SPOT_URL value	2026-01-28 13:40:51 +01:00
Jan	dba80052a2	update beam proxy server used for oauth enrollment (#366 )	2026-01-28 13:40:51 +01:00
Enola Knezevic	03673ff1ac	test version blaze (#364 ) This is the one we need urgently	2026-01-28 13:40:51 +01:00
Enola Knezevic	663709b569	obfuscate BBMRI ERIC way, test blaze version (#363 )	2026-01-28 13:40:51 +01:00
Manoj Waikar	6f6be2d30e	Use the cce-explorer:main image from docker hub (instead of ghcr). (#362 )	2026-01-28 13:40:51 +01:00
Pierre Delpy	11d5b0efdd	feat: migrate pscc to orange cloud broker (#361 )	2026-01-28 13:40:51 +01:00
Manoj Waikar	5b5f7b7ffc	Use the main image name for cce explorer. (#360 ) - instead of pr1 name	2026-01-28 13:40:51 +01:00
Manoj Waikar	59d64c39a4	Add APP_spot_KEY env var under the beam-proxy section. (#358 )	2026-01-28 13:40:51 +01:00
Niklas Reimer	2e78f5a033	feat(dnpm): set timezone to Europe/Berlin (#359 )	2026-01-28 13:40:51 +01:00
DavidCroftDKFZ	06b44382f8	Directory sync: token login and cron change (#351 ) The Directory team have requested that we allow token login to the Directory, where a user uses LSAAI credentials to obtain a token from the Directory, and then uses this to authenticate Directory sync. This has been implemented via an environment variable, in an analogous way to the already existing username/password method. The default start time for the Directory sync has been shifted to 22:30, to prevent conflicts with the Bridgehead auto-update. Relevant changes have been made to the documentation. Co-authored-by: Torben Brenner <76154651+torbrenner@users.noreply.github.com> Co-authored-by: Jan <59206115+Threated@users.noreply.github.com> Co-authored-by: Martin Lablans <6804500+lablans@users.noreply.github.com>	2026-01-28 13:40:51 +01:00
djuarezgf	713a7f951a	feat: add nNGM project (#340 )	2026-01-28 13:40:50 +01:00
Pierre Delpy	d5fe238460	feat: add PSCC * add pscc and prepare lens2 deployment --------- Co-authored-by: p.delpy@dkfz-heidelberg.de <p.delpy@dkfz-heidelberg.de> Co-authored-by: Jan <59206115+Threated@users.noreply.github.com>	2026-01-28 13:40:50 +01:00
DavidCroftDKFZ	863aa52f1d	Directory sync: inherit host timezone (#354 ) Directory sync needs to be able to launch at specific times of day, and in order to do this in a predictable way, the timezone used inside the Docker container should be the same as the host. To do this, two files need to be mounted from the host. One file contains information about the time zone, the other file contains the file zone name.	2026-01-28 13:40:50 +01:00
djuarezgf	7924dfab87	docs: add initial documentation for Samply.Exporter and Samply.Teiler (#350 )	2026-01-28 13:40:50 +01:00
Tim Schumacher	4e134e7e95	Update focus tags: no project specific images anymore	2026-01-28 13:40:50 +01:00
Jan	2afbb99de6	fix: don't run secret sync for minimal (#349 )	2026-01-28 13:40:50 +01:00
Jan	099ccac238	feat: add bridgehead check command (#342 )	2026-01-28 13:40:50 +01:00
Jan	35d6b3d155	fix: only pass CQL_PROJECTS_ENABLED to focus if set (#344 )	2026-01-28 13:40:50 +01:00
Jan	b7a47475a0	feat: allow cql queries for exliquid (#343 )	2026-01-28 13:40:50 +01:00
Tim Schumacher	2029ca30ca	feat: add scout module (#339 )	2026-01-28 13:40:50 +01:00
Jan	4d3ee91acc	feat(dnpm): change to new `api-gateway` image (#337 )	2026-01-28 13:40:50 +01:00
Jan	f0095cf629	chore: add more options to transfair (#325 )	2026-01-28 13:40:50 +01:00
Jan	f151c19f5e	fix: adapt to transfair cli changes (#319 )	2026-01-28 13:40:50 +01:00
djuarezgf	528c8c85ea	Replace hardcoded image: ...:develop references with version variables (#335 ) * added: Teiler Dashboard Version * added: MTBA Version * added: beam proxy tag version	2026-01-28 13:40:50 +01:00
Paul-Christian Volkmer	f43ab20e75	docs: Add ghcr.io to URL list (#321 )	2026-01-28 13:40:50 +01:00
Jan	4c33c2d58e	fix(dnpm): fix env subsitution (#333 )	2026-01-28 13:40:50 +01:00
djuarezgf	001df6d384	mtba: fallback to keycloak test server pending migration	2026-01-28 13:40:50 +01:00
djuarezgf	ced6791f26	feat: migrate PSP to Authentik (#329 )	2026-01-28 13:40:50 +01:00
Jan	6694c0a28e	feat(dnpm): allow setting custom dnpm image tag (#326 )	2026-01-28 13:40:50 +01:00
djuarezgf	b4d13bff62	Fixed: Authentik URL for Opal (#328 ) * Fixed: Authentik URL for Opal * Removed: Unnecessary OIDC config in CCE and BBMRI * KR with basic auth instead of OIDC	2026-01-28 13:40:50 +01:00
djuarezgf	3d33fd6778	feat: migrate OIDC Configuration from Keycloak to Authentik (#327 ) * Change: Authentik instead of Keycloak in CCP Co-authored-by: Jan <59206115+Threated@users.noreply.github.com> --------- Co-authored-by: Jan <59206115+Threated@users.noreply.github.com>	2026-01-28 13:40:50 +01:00
Jan	281a1b2cb6	feat: remove local rstudio (#322 )	2026-01-28 13:40:50 +01:00
djuarezgf	4ddc906fcd	CCE Teiler and Export (#323 ) * Added Exporter to CCE * Add Teiler to CCE * Add EXPORTER_USER to adduser function	2026-01-28 13:40:50 +01:00
Pierre Delpy	fa36558d2e	fix: add obfuscation and basic auth to spot in cce and itcc (#324 ) Co-authored-by: p.delpy@dkfz-heidelberg.de <p.delpy@dkfz-heidelberg.de>	2026-01-28 13:40:50 +01:00
djuarezgf	af8ad48e2c	Use relative paths in teiler (#320 )	2026-01-28 13:40:50 +01:00
Tobias Kussel	ecd8d60e99	docs: close Exporter code block in readme (#318 )	2026-01-28 13:40:50 +01:00
djuarezgf	0a5da028db	fix: Create Exporter User only if Exporter is enabled (#317 )	2026-01-28 13:40:50 +01:00
Enola Knezevic	c45c6eb0ea	chore: update eric.acc.root.crt.pem (#316 )	2026-01-28 13:40:50 +01:00
djuarezgf	01173c9857	docs: add Teiler and Exporter to the main README.md (#315 ) Co-authored-by: Tobias Kussel <TKussel@users.noreply.github.com>	2026-01-28 13:40:50 +01:00
djuarezgf	ac0c37cba3	feat: add Teiler and Exporter in BBMRI (#312 ) Co-authored-by: Jan <59206115+Threated@users.noreply.github.com>	2026-01-28 13:40:50 +01:00
Martin Lablans	31b6c3bee3	chore: externalize POSTGRES_TAG and bump postgres to 15.13 (#313 )	2026-01-28 13:40:50 +01:00
Tim Schumacher	8ddcfc123f	Cache public organoid dashboard SQL query (#309 )	2026-01-28 13:40:50 +01:00
DavidCroftDKFZ	9e23059ef2	docs: add faq (#288 )	2026-01-28 13:40:50 +01:00
DavidCroftDKFZ	87e4ad595f	docs: Control import from Directory, improve README (#297 )	2026-01-28 13:40:50 +01:00
DavidCroftDKFZ	4d7ba813e0	Added section relating to clearing data from Blaze (#303 )	2026-01-28 13:40:50 +01:00
djuarezgf	84f73fc1fb	chore: change some teiler variables (#307 )	2026-01-28 13:40:50 +01:00
djuarezgf	7d177a0b03	fix: add own url to teiler dashboard to make it offline compatible (#305 )	2026-01-28 13:40:50 +01:00
Torben Brenner	5caaad26f2	fix: Ensure transfair can properly communicate with the fhir server for requests (#304 )	2026-01-28 13:40:50 +01:00
Jan	b778da3f56	feat: allow transfair to talk to services behind the proxy (#296 )	2026-01-28 13:40:50 +01:00
Jan	f9586f27b1	chore(transfair): update transfair config (#298 )	2026-01-28 13:40:50 +01:00
Martin Lablans	8846efde85	Code review: Move to /tmp/bridgehead/...	2026-01-28 13:40:50 +01:00
Tim Schumacher	46ff2e9882	Use temp directory for secret sync cache	2026-01-28 13:40:50 +01:00
Jan	50263c767d	chore(transfair): add option to disable tls verification (#295 )	2026-01-28 13:40:50 +01:00
Enola Knezevic	7b3327ec24	chore: add BBMRI ERIC acceptance env (#294 )	2026-01-28 13:40:50 +01:00
Jan	2c9a50149b	fix: ssh-tunnel-setup.sh (#293 )	2026-01-28 13:40:50 +01:00
Jan	e0c21625cc	feat: ssh tunnel (#292 ) * Added ccp module for a ssh tunnel Usage details under https://github.com/samply/ssh-tunnel * chore: update ssh-tunnel image to harbor * feat: ssh tunnel support diffrent port * chore: fix indentation * chore: move to top level modules * docs: add ssh-tunnel docs --------- Co-authored-by: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>	2026-01-28 13:40:50 +01:00
Jan	5ac8042742	chore(transfair): add new gw option (#291 )	2026-01-28 13:40:50 +01:00
Jan	3267dd088c	feat: expose transfair via traefik (#290 ) Note: Requires a bridgehead install to generate the basic auth user	2026-01-28 13:40:50 +01:00
Tim Schumacher	9cd5042ebc	Fix GitLab token syncing for BBMRI	2026-01-28 13:40:50 +01:00
janskiba	265c7bee33	feat: add transfair setup to ccp	2026-01-28 13:40:50 +01:00
janskiba	d79e74ca90	chore!: update transfair config	2026-01-28 13:40:50 +01:00
Manoj Waikar	82841a6f04	Fix airgapped-blaze-compose.yml file. - BASE_URL & traefik settings	2025-03-25 15:23:16 +01:00
Manoj Waikar	ba6f2c3b11	Modify container name (as it was a duplicate).	2025-03-24 09:50:06 +01:00
Manoj Waikar	39a4231c1f	Add airgapped-blaze-{compose,setup} files in cce modules. - for testing out airgapped-blaze at VHIO	2025-03-21 15:15:03 +01:00