samply/bridgehead
1
0
Fork 0
mirror of https://github.com/samply/bridgehead.git synced 2026-04-17 20:50:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: samply:hotfix/itcc
Branches Tags
samply:main samply:develop samply:ovis samply:feature/ml-itcc samply:fix/traefik-dashboard-route samply:feature/cce-enable-osiris2fhir samply:fix/alternative-proxy-handling samply:test/airgapped-blaze samply:test/airgapped-blaze-staging samply:mainzelliste-itcc samply:feat/proxy-escape-chars-readme samply:hotfix/secretsync samply:test/ast samply:feature/pscc-lens samply:feature/cce samply:feat/nngm samply:test/pscc-spot samply:hotfix/itcc samply:prototype/beamFile samply:timakro-patch-1 samply:feature/teiler-roles samply:test/opal5 samply:test/keycloak samply:feat/selinux samply:feature/remove-rstudio samply:test/teiler-dashboard samply:feature/teiler-for-ccp-and-bbmri samply:qr-bbmri-v2 samply:test/exporter-no-python samply:cherry-pick-tmp-pr samply:test/obds2fhir-batch-import samply:pr-secret-sync-gitlab-bbmri samply:feature/add-qb-to-cce samply:torbrenner-patch-1 samply:feat/routine-connector-minor-fixes samply:metadata_fb samply:feat/dnpm-dip samply:bugfix/test-old-blaze samply:dnpm-etl-rewrite samply:feature/qr-basic-auth samply:refactor/logging samply:feature/opal-client-for-new-token-manager samply:test/onkofdz samply:feature/addExporterAndTeilerToEric samply:set_env_variables_needed_for_fhir2sql samply:feature/externalize-versions samply:fix/kr-deactivate-landingpage samply:refactor/datashield-auth-config samply:refactor/independent-modules samply:feature/dnpm-extra-broker samply:revert-223-feat/add-dkfz-hector-ki-project samply:ehds2_develop samply:ehds2 samply:feature/auto-pr samply:qr_bbmri samply:feature/cBioPortal samply:feat/blaze-frontend samply:pro/lemedart samply:feature/feedback-agent samply:feature/component-moniotring samply:feature/cbioportal-datashield samply:documentation/blaze_resources samply:feat/cBioPortal samply:test-switch-branch samply:feature/nngm-rest samply:feature/opal samply:feature/snap samply:feature/accessTokenFromConfiguration
..
compare: samply:fix/alternative-proxy-handling
Branches Tags
samply:main samply:develop samply:ovis samply:feature/ml-itcc samply:fix/traefik-dashboard-route samply:feature/cce-enable-osiris2fhir samply:fix/alternative-proxy-handling samply:test/airgapped-blaze samply:test/airgapped-blaze-staging samply:mainzelliste-itcc samply:feat/proxy-escape-chars-readme samply:hotfix/secretsync samply:test/ast samply:feature/pscc-lens samply:feature/cce samply:feat/nngm samply:test/pscc-spot samply:hotfix/itcc samply:prototype/beamFile samply:timakro-patch-1 samply:feature/teiler-roles samply:test/opal5 samply:test/keycloak samply:feat/selinux samply:feature/remove-rstudio samply:test/teiler-dashboard samply:feature/teiler-for-ccp-and-bbmri samply:qr-bbmri-v2 samply:test/exporter-no-python samply:cherry-pick-tmp-pr samply:test/obds2fhir-batch-import samply:pr-secret-sync-gitlab-bbmri samply:feature/add-qb-to-cce samply:torbrenner-patch-1 samply:feat/routine-connector-minor-fixes samply:metadata_fb samply:feat/dnpm-dip samply:bugfix/test-old-blaze samply:dnpm-etl-rewrite samply:feature/qr-basic-auth samply:refactor/logging samply:feature/opal-client-for-new-token-manager samply:test/onkofdz samply:feature/addExporterAndTeilerToEric samply:set_env_variables_needed_for_fhir2sql samply:feature/externalize-versions samply:fix/kr-deactivate-landingpage samply:refactor/datashield-auth-config samply:refactor/independent-modules samply:feature/dnpm-extra-broker samply:revert-223-feat/add-dkfz-hector-ki-project samply:ehds2_develop samply:ehds2 samply:feature/auto-pr samply:qr_bbmri samply:feature/cBioPortal samply:feat/blaze-frontend samply:pro/lemedart samply:feature/feedback-agent samply:feature/component-moniotring samply:feature/cbioportal-datashield samply:documentation/blaze_resources samply:feat/cBioPortal samply:test-switch-branch samply:feature/nngm-rest samply:feature/opal samply:feature/snap samply:feature/accessTokenFromConfiguration

21 Commits
hotfix/itc ... fix/altern

Author SHA1 Message Date
Tobias Kussel
a14da73ccc add additional credential encoding for curl 
Curl seems not to like full percent-encoding of all characters which might be related to https://github.com/curl/curl/issues/5448#event-3371269895. The version in this PR escapes a lot and strictly follows RFC3986 section 2.3 for unescaped characters
 2026-03-05 14:31:05 +01:00
Tobias Kussel
467613ad31 fix proxy credential escaping 2026-03-05 14:21:37 +01:00
Tobias Kussel
82ee757e17 Use new proxy escaping and forward-proxy test image 2026-03-04 09:26:22 +01:00
Pierre Delpy
c1de9b8314 WIP: enable osiris2fhir in PSCC for GR (#372) 
enable osiris2fhir in PSCC for GR
 2026-02-24 12:09:39 +01:00
DavidCroftDKFZ
9d3ec957a2 Activate Directory token login (#371) 
Right now, Directory sync will only be activated if a username has been
specified. It also needs to run if a login token has been specified,
hence the change in this commit.
 2026-02-20 09:27:47 +01:00
Martin Jurk
7a9f80537b sites moved to etc itcc.comf (#369) 2026-02-10 16:04:33 +01:00
Pierre Delpy
bff06a6bb0 fix kr deployment (#370) 2026-02-10 11:21:36 +01:00
Martin Jurk
6923ead6ce feat: itcc lens2 (#365) 2026-01-28 14:28:09 +01:00
Manoj Waikar
7dc9e2e663 Changes to make deployed CCE explorer work properly. (#368) 
* Changes to make deployed CCE explorer work properly.

In the lens environment section in services:
- add PUBLIC_SPOT_URL value
 2026-01-13 10:42:10 +01:00
Jan
85cfc2514d update beam proxy server used for oauth enrollment (#366) 2025-12-11 11:33:29 +01:00
Enola Knezevic
dd3387c2f1 test version blaze (#364) 
This is the one we need urgently
 2025-12-01 12:54:57 +01:00
Enola Knezevic
a5120ba75b obfuscate BBMRI ERIC way, test blaze version (#363) 2025-12-01 12:50:07 +01:00
Manoj Waikar
d0c87b40a6 Use the cce-explorer:main image from docker hub (instead of ghcr). (#362) 2025-11-21 14:52:42 +01:00
Pierre Delpy
57f49ab5fc feat: migrate pscc to orange cloud broker (#361) 2025-11-21 10:42:21 +01:00
Manoj Waikar
e2569f4737 Use the main image name for cce explorer. (#360) 
- instead of pr1 name
 2025-11-20 14:34:33 +01:00
Manoj Waikar
56a8aac326 Add APP_spot_KEY env var under the beam-proxy section. (#358) 2025-11-19 09:33:18 +01:00
Niklas Reimer
ab6e05826f feat(dnpm): set timezone to Europe/Berlin (#359) 2025-11-12 10:25:20 +01:00
DavidCroftDKFZ
394dcc2567 Directory sync: token login and cron change (#351) 
The Directory team have requested that we allow token login to the
Directory, where a user uses LSAAI credentials to obtain a token from
the Directory, and then uses this to authenticate Directory sync. This
has been implemented via an environment variable, in an analogous way to
the already existing username/password method.

The default start time for the Directory sync has been shifted to 22:30,
to prevent conflicts with the Bridgehead auto-update.

Relevant changes have been made to the documentation.

Co-authored-by: Torben Brenner <76154651+torbrenner@users.noreply.github.com>
Co-authored-by: Jan <59206115+Threated@users.noreply.github.com>
Co-authored-by: Martin Lablans <6804500+lablans@users.noreply.github.com>
 2025-11-11 09:43:08 +01:00
djuarezgf
58d3e6487c feat: add nNGM project (#340) 2025-11-06 16:47:50 +01:00
Pierre Delpy
230ff1debb feat: add PSCC 
* add pscc and prepare lens2 deployment
---------

Co-authored-by: p.delpy@dkfz-heidelberg.de <p.delpy@dkfz-heidelberg.de>
Co-authored-by: Jan <59206115+Threated@users.noreply.github.com>
 2025-11-05 15:18:00 +01:00
DavidCroftDKFZ
6dea7c8fef Directory sync: inherit host timezone (#354) 
Directory sync needs to be able to launch at specific times of day, and in order to do this in a predictable way, the timezone used inside the Docker container should be the same as the host. To do this, two files need to be mounted from the host. One file contains information about the time zone, the other file contains the file zone name.
 2025-11-05 11:02:26 +01:00
42 changed files with 728 additions and 73 deletions
Expand all files Collapse all files

13
README.md
View File

@@ -318,6 +318,12 @@ To enable it, you will need to explicitly set the username and password variable
DS_DIRECTORY_USER_NAME=your_directory_username DS_DIRECTORY_USER_NAME=your_directory_username
DS_DIRECTORY_USER_PASS=your_directory_password DS_DIRECTORY_USER_PASS=your_directory_password
``` ```
Alternatively, if you have obtained a token from the Directory, you can insert the following into the configuration file:
```
DS_DIRECTORY_USER_TOKEN=your_directory_token
```
If you don't supply any authentification information (either login credentials or a token), Directory sync will not start.
Please contact your National Node or Directory support (directory-dev@helpdesk.bbmri-eric.eu) to obtain these credentials. Please contact your National Node or Directory support (directory-dev@helpdesk.bbmri-eric.eu) to obtain these credentials.
The following environment variables can be used from within your config file to control the behavior of Directory sync: The following environment variables can be used from within your config file to control the behavior of Directory sync:
@@ -325,12 +331,13 @@ The following environment variables can be used from within your config file to
| Variable | Purpose | Default if not specified | | Variable | Purpose | Default if not specified |
|:-----------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------| |:-----------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------|
| DS_DIRECTORY_URL | Base URL of the Directory | https://directory-backend.molgenis.net | | DS_DIRECTORY_URL | Base URL of the Directory | https://directory-backend.molgenis.net |
| DS_DIRECTORY_USER_NAME | User name for logging in to Directory **Mandatory** | | | DS_DIRECTORY_USER_NAME | User name for logging in to Directory | |
| DS_DIRECTORY_USER_PASS | Password for logging in to Directory **Mandatory** | | | DS_DIRECTORY_USER_PASS | Password for logging in to Directory | |
| DS_DIRECTORY_USER_TOKEN | Token for logging in to Directory | |
| DS_DIRECTORY_DEFAULT_COLLECTION_ID | ID of collection to be used if not in samples | | | DS_DIRECTORY_DEFAULT_COLLECTION_ID | ID of collection to be used if not in samples | |
| DS_DIRECTORY_ALLOW_STAR_MODEL | Set to 'True' to send star model info to Directory | True | | DS_DIRECTORY_ALLOW_STAR_MODEL | Set to 'True' to send star model info to Directory | True |
| DS_FHIR_STORE_URL | URL for FHIR store | http://bridgehead-bbmri-blaze:8080 | | DS_FHIR_STORE_URL | URL for FHIR store | http://bridgehead-bbmri-blaze:8080 |
| DS_TIMER_CRON | Execution interval for Directory sync, [cron](https://crontab.guru) format | 0 22 * * * | | DS_TIMER_CRON | Execution interval for Directory sync, [cron](https://crontab.guru) format | 30 22 * * * |
| DS_IMPORT_BIOBANKS | Set to 'True' to import biobank metadata from Directory | True | | DS_IMPORT_BIOBANKS | Set to 'True' to import biobank metadata from Directory | True |
| DS_IMPORT_COLLECTIONS | Set to 'True' to import collection metadata from Directory | True | | DS_IMPORT_COLLECTIONS | Set to 'True' to import collection metadata from Directory | True |

6
bbmri/modules/directory-sync-compose.yml
View File

@@ -7,7 +7,8 @@ services:
DS_DIRECTORY_URL: ${DS_DIRECTORY_URL:-https://directory.bbmri-eric.eu} DS_DIRECTORY_URL: ${DS_DIRECTORY_URL:-https://directory.bbmri-eric.eu}
DS_DIRECTORY_USER_NAME: ${DS_DIRECTORY_USER_NAME} DS_DIRECTORY_USER_NAME: ${DS_DIRECTORY_USER_NAME}
DS_DIRECTORY_USER_PASS: ${DS_DIRECTORY_USER_PASS} DS_DIRECTORY_USER_PASS: ${DS_DIRECTORY_USER_PASS}
DS_TIMER_CRON: ${DS_TIMER_CRON:-0 22 * * *} DS_DIRECTORY_USER_TOKEN: ${DS_DIRECTORY_USER_TOKEN}
DS_TIMER_CRON: ${DS_TIMER_CRON:-30 22 * * *}
DS_DIRECTORY_ALLOW_STAR_MODEL: ${DS_DIRECTORY_ALLOW_STAR_MODEL:-true} DS_DIRECTORY_ALLOW_STAR_MODEL: ${DS_DIRECTORY_ALLOW_STAR_MODEL:-true}
DS_DIRECTORY_MOCK: ${DS_DIRECTORY_MOCK} DS_DIRECTORY_MOCK: ${DS_DIRECTORY_MOCK}
DS_DIRECTORY_DEFAULT_COLLECTION_ID: ${DS_DIRECTORY_DEFAULT_COLLECTION_ID} DS_DIRECTORY_DEFAULT_COLLECTION_ID: ${DS_DIRECTORY_DEFAULT_COLLECTION_ID}
@@ -16,3 +17,6 @@ services:
DS_IMPORT_COLLECTIONS: ${DS_IMPORT_COLLECTIONS:-true} DS_IMPORT_COLLECTIONS: ${DS_IMPORT_COLLECTIONS:-true}
depends_on: depends_on:
- "blaze" - "blaze"
volumes:
- /etc/localtime:/etc/localtime:ro # inherit host timezone
- /etc/timezone:/etc/timezone:ro # inherit host timezone name

2
bbmri/modules/directory-sync.sh
View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
if [ -n "${DS_DIRECTORY_USER_NAME}" ]; then if [ -n "${DS_DIRECTORY_USER_NAME}" ] || [ -n "${DS_DIRECTORY_USER_TOKEN}" ]; then
log INFO "Directory sync setup detected -- will start directory sync service." log INFO "Directory sync setup detected -- will start directory sync service."
OVERRIDE+=" -f ./$PROJECT/modules/directory-sync-compose.yml" OVERRIDE+=" -f ./$PROJECT/modules/directory-sync-compose.yml"
fi fi

1
bbmri/modules/eric-compose.yml
View File

@@ -11,6 +11,7 @@ services:
BLAZE_URL: "http://blaze:8080/fhir/" BLAZE_URL: "http://blaze:8080/fhir/"
BEAM_PROXY_URL: http://beam-proxy-eric:8081 BEAM_PROXY_URL: http://beam-proxy-eric:8081
RETRY_COUNT: ${FOCUS_RETRY_COUNT} RETRY_COUNT: ${FOCUS_RETRY_COUNT}
OBFUSCATE_BBMRI_ERIC_WAY: "true"
depends_on: depends_on:
- "beam-proxy-eric" - "beam-proxy-eric"
- "blaze" - "blaze"

6
bridgehead
View File

@@ -35,6 +35,9 @@ case "$PROJECT" in
cce) cce)
#nothing extra to do #nothing extra to do
;; ;;
pscc)
#nothing extra to do
;;
itcc) itcc)
#nothing extra to do #nothing extra to do
;; ;;
@@ -44,6 +47,9 @@ case "$PROJECT" in
dhki) dhki)
#nothing extra to do #nothing extra to do
;; ;;
nngm)
#nothing extra to do
;;
minimal) minimal)
#nothing extra to do #nothing extra to do
;; ;;

3
cce/docker-compose.yml
View File

@@ -22,7 +22,7 @@ services:
- "traefik.http.routers.blaze_cce.tls=true" - "traefik.http.routers.blaze_cce.tls=true"
focus: focus:
image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}-dktk image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
container_name: bridgehead-focus container_name: bridgehead-focus
environment: environment:
API_KEY: ${FOCUS_BEAM_SECRET_SHORT} API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
@@ -34,7 +34,6 @@ services:
EPSILON: 0.28 EPSILON: 0.28
QUERIES_TO_CACHE: '/queries_to_cache.conf' QUERIES_TO_CACHE: '/queries_to_cache.conf'
ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze} ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
CQL_PROJECTS_ENABLED: "cce"
volumes: volumes:
- /srv/docker/bridgehead/cce/queries_to_cache.conf:/queries_to_cache.conf:ro - /srv/docker/bridgehead/cce/queries_to_cache.conf:/queries_to_cache.conf:ro
depends_on: depends_on:

41
cce/modules/lens-compose.yml
View File

@@ -1,33 +1,46 @@
version: "3.7" version: "3.7"
services: services:
landing: lens:
container_name: lens_federated-search container_name: lens_federated-search
image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID} image: samply/cce-explorer:main
environment:
PUBLIC_SPOT_URL: https://${HOST}/prod
labels: labels:
- "traefik.http.services.lens.loadbalancer.server.port=3000"
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.http.routers.landing.rule=PathPrefix(`/`)" - "traefik.http.routers.lens.rule=Host(`${HOST}`)"
- "traefik.http.services.landing.loadbalancer.server.port=80" - "traefik.http.routers.lens.tls=true"
- "traefik.http.routers.landing.tls=true"
spot: spot:
image: docker.verbis.dkfz.de/ccp-private/central-spot image: samply/rustyspot:latest
environment: environment:
HTTP_PROXY: ${HTTP_PROXY_URL}
HTTPS_PROXY: ${HTTPS_PROXY_URL}
NO_PROXY: beam-proxy
BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}" BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}"
BEAM_URL: http://beam-proxy:8081 BEAM_PROXY_URL: http://beam-proxy:8081
BEAM_PROXY_ID: ${SITE_ID} BEAM_APP_ID: "spot.${SITE_ID}.${BROKER_ID}"
BEAM_BROKER_ID: ${BROKER_ID} CORS_ORIGIN: "https://${HOST}"
BEAM_APP_ID: "focus" SITES: ${SITES}
PROJECT_METADATA: "cce" TRANSFORM: LENS
PROJECT: cce
BIND_ADDR: 0.0.0.0:8055
depends_on: depends_on:
- "beam-proxy" - "beam-proxy"
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.http.services.spot.loadbalancer.server.port=8080" - "traefik.http.services.spot.loadbalancer.server.port=8055"
- "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowmethods=GET,OPTIONS,POST" - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowmethods=GET,OPTIONS,POST"
- "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowheaders=content-type"
- "traefik.http.middlewares.corsheaders2.headers.accesscontrolalloworiginlist=https://${HOST}" - "traefik.http.middlewares.corsheaders2.headers.accesscontrolalloworiginlist=https://${HOST}"
- "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowcredentials=true" - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowcredentials=true"
- "traefik.http.middlewares.corsheaders2.headers.accesscontrolmaxage=-1" - "traefik.http.middlewares.corsheaders2.headers.accesscontrolmaxage=-1"
- "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/backend`)" - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/prod`)"
- "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/backend" - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/prod"
- "traefik.http.routers.spot.tls=true" - "traefik.http.routers.spot.tls=true"
- "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot,auth" - "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot,auth"
beam-proxy:
environment:
APP_spot_KEY: ${FOCUS_BEAM_SECRET_SHORT}

1
ccp/modules/dnpm-node-compose.yml
View File

@@ -66,6 +66,7 @@ services:
- HATEOAS_HOST=https://${HOST} - HATEOAS_HOST=https://${HOST}
- CONNECTOR_TYPE=broker - CONNECTOR_TYPE=broker
- AUTHUP_URL=robot://system:${DNPM_AUTHUP_SECRET}@http://dnpm-authup:3000 - AUTHUP_URL=robot://system:${DNPM_AUTHUP_SECRET}@http://dnpm-authup:3000
- TZ=Europe/Berlin
volumes: volumes:
- /etc/bridgehead/dnpm/config:/dnpm_config - /etc/bridgehead/dnpm/config:/dnpm_config
- /var/cache/bridgehead/dnpm/backend-data:/dnpm_data - /var/cache/bridgehead/dnpm/backend-data:/dnpm_data

5
itcc/docker-compose.yml
View File

@@ -15,14 +15,14 @@ services:
- "blaze-data:/app/data" - "blaze-data:/app/data"
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.http.routers.blaze_itcc.rule=PathPrefix(`/itcc-localdatamanagement`)" - "traefik.http.routers.blaze_itcc.rule=Host(`${HOST}`) && PathPrefix(`/itcc-localdatamanagement`)"
- "traefik.http.middlewares.itcc_b_strip.stripprefix.prefixes=/itcc-localdatamanagement" - "traefik.http.middlewares.itcc_b_strip.stripprefix.prefixes=/itcc-localdatamanagement"
- "traefik.http.services.blaze_itcc.loadbalancer.server.port=8080" - "traefik.http.services.blaze_itcc.loadbalancer.server.port=8080"
- "traefik.http.routers.blaze_itcc.middlewares=itcc_b_strip,auth" - "traefik.http.routers.blaze_itcc.middlewares=itcc_b_strip,auth"
- "traefik.http.routers.blaze_itcc.tls=true" - "traefik.http.routers.blaze_itcc.tls=true"
focus: focus:
image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}-dktk image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
container_name: bridgehead-focus container_name: bridgehead-focus
environment: environment:
API_KEY: ${FOCUS_BEAM_SECRET_SHORT} API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
@@ -34,7 +34,6 @@ services:
EPSILON: 0.28 EPSILON: 0.28
QUERIES_TO_CACHE: '/queries_to_cache.conf' QUERIES_TO_CACHE: '/queries_to_cache.conf'
ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze} ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
CQL_PROJECTS_ENABLED: "itcc"
volumes: volumes:
- /srv/docker/bridgehead/itcc/queries_to_cache.conf:/queries_to_cache.conf:ro - /srv/docker/bridgehead/itcc/queries_to_cache.conf:/queries_to_cache.conf:ro
depends_on: depends_on:

6
itcc/modules/itcc-omics-ingest.sh Normal file
View File

@@ -0,0 +1,6 @@
#!/bin/bash
if [ -n "$ENABLE_OMICS" ];then
OVERRIDE+=" -f ./$PROJECT/modules/itcc-omics-ingest.yaml"
GENERATE_API_KEY="$(generate_simple_password 'omics')"
fi

14
itcc/modules/itcc-omics-ingest.yaml Normal file
View File

@@ -0,0 +1,14 @@
services:
omics-endpoint:
image: ghcr.io/samply/itcc-omics-ingest:main
environment:
- API_KEY=${GENERATE_API_KEY}
volumes:
- /var/cache/bridgehead/omics/data:/data/uploads
labels:
- "traefik.http.routers.omics.rule=Host(`${HOST}`) && PathPrefix(`/api/omics`)"
- "traefik.enable=true"
- "traefik.http.services.omics.loadbalancer.server.port=6080"
- "traefik.http.routers.omics.tls=true"
- "traefik.http.middlewares.omics-stripprefix.stripprefix.prefixes=/api"
- "traefik.http.routers.omics.middlewares=omics-stripprefix"

40
itcc/modules/lens-compose.yml
View File

@@ -1,33 +1,47 @@
version: "3.7" version: "3.7"
services: services:
landing: itcc-explorer:
container_name: lens_federated-search container_name: lens_itcc_explorer
image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID} image: samply/itcc-explorer:main
environment:
HOST: "0.0.0.0"
BIND_ADDR: "0.0.0.0:3000"
PUBLIC_ENVIRONMENT: ${PUBLIC_ENVIRONMENT}
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.http.routers.landing.rule=PathPrefix(`/`)" - "traefik.http.routers.itcc.rule=Host(`${HOST}`) && PathPrefix(`/`)"
- "traefik.http.services.landing.loadbalancer.server.port=80" - "traefik.http.routers.itcc.entrypoints=websecure"
- "traefik.http.routers.landing.tls=true" - "traefik.http.services.itcc.loadbalancer.server.port=3000"
- "traefik.http.routers.itcc.tls=true"
spot: spot:
image: docker.verbis.dkfz.de/ccp-private/central-spot image: samply/rustyspot:latest
environment: environment:
BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}" BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}"
BEAM_URL: http://beam-proxy:8081 BEAM_PROXY_URL: http://beam-proxy:8081
BEAM_PROXY_ID: ${SITE_ID} BEAM_PROXY_ID: ${SITE_ID}
BEAM_BROKER_ID: ${BROKER_ID} BEAM_BROKER_ID: ${BROKER_ID}
BEAM_APP_ID: "focus" BEAM_APP_ID: "spot.${SITE_ID}.${BROKER_ID}"
PROJECT_METADATA: "itcc" CORS_ORIGIN: "https://${HOST}"
SITES: ${SITES}
TRANSFORM: LENS
PROJECT: "itcc"
BIND_ADDR: 0.0.0.0:8055
depends_on: depends_on:
- "beam-proxy" - "beam-proxy"
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.http.services.spot.loadbalancer.server.port=8080" - "traefik.http.services.spot.loadbalancer.server.port=8055"
- "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowmethods=GET,OPTIONS,POST" - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowmethods=GET,OPTIONS,POST"
- "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowheaders=content-type"
- "traefik.http.middlewares.corsheaders2.headers.accesscontrolalloworiginlist=https://${HOST}" - "traefik.http.middlewares.corsheaders2.headers.accesscontrolalloworiginlist=https://${HOST}"
- "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowcredentials=true" - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowcredentials=true"
- "traefik.http.middlewares.corsheaders2.headers.accesscontrolmaxage=-1" - "traefik.http.middlewares.corsheaders2.headers.accesscontrolmaxage=-1"
- "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/backend`)" - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/prod`)"
- "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/backend" - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/prod"
- "traefik.http.routers.spot.tls=true" - "traefik.http.routers.spot.tls=true"
- "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot,auth" - "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot,auth"
beam-proxy:
environment:
APP_spot_KEY: ${FOCUS_BEAM_SECRET_SHORT}

1
itcc/vars
View File

@@ -6,6 +6,7 @@ FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
SUPPORT_EMAIL=arturo.macias@dkfz-heidelberg.de SUPPORT_EMAIL=arturo.macias@dkfz-heidelberg.de
PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
BROKER_URL_FOR_PREREQ=$BROKER_URL BROKER_URL_FOR_PREREQ=$BROKER_URL
PUBLIC_ENVIRONMENT=prod
for module in $PROJECT/modules/*.sh for module in $PROJECT/modules/*.sh
do do

3
kr/docker-compose.yml
View File

@@ -12,7 +12,8 @@ services:
BASE_URL: "http://bridgehead-kr-blaze:8080" BASE_URL: "http://bridgehead-kr-blaze:8080"
JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m" JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000} DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
ENFORCE_REFERENTIAL_INTEGRITY: "false" ENFORCE_REFERENTIAL_INTEGRITY: "false"
volumes: volumes:
- "blaze-data:/app/data" - "blaze-data:/app/data"

6
kr/modules/export-and-qb.curl-templates
View File

@@ -1,6 +0,0 @@
# Full Excel Export
curl --location --request POST 'https://${HOST}/ccp-exporter/request?query=Patient&query-format=FHIR_PATH&template-id=ccp&output-format=EXCEL' \
--header 'x-api-key: ${EXPORT_API_KEY}'
# QB
curl --location --request POST 'https://${HOST}/ccp-reporter/generate?template-id=ccp'

37
kr/modules/lens-compose.yml
View File

@@ -4,32 +4,41 @@ services:
deploy: deploy:
replicas: 1 #reactivate if lens is in use replicas: 1 #reactivate if lens is in use
container_name: lens_federated-search container_name: lens_federated-search
image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID} image: docker.verbis.dkfz.de/ccp/kr-explorer:main
environment:
PUBLIC_SPOT_URL: https://${HOST}/prod
labels: labels:
- "traefik.http.services.lens.loadbalancer.server.port=3000"
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.http.routers.landing.rule=PathPrefix(`/`)" - "traefik.http.routers.lens.rule=Host(`${HOST}`)"
- "traefik.http.services.landing.loadbalancer.server.port=80" - "traefik.http.routers.lens.tls=true"
- "traefik.http.routers.landing.tls=true"
spot: spot:
image: docker.verbis.dkfz.de/ccp-private/central-spot image: samply/rustyspot:latest
environment: environment:
BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}" BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}"
BEAM_URL: http://beam-proxy:8081 BEAM_PROXY_URL: http://beam-proxy:8081
BEAM_PROXY_ID: ${SITE_ID} BEAM_APP_ID: "spot.${SITE_ID}.${BROKER_ID}"
BEAM_BROKER_ID: ${BROKER_ID} CORS_ORIGIN: "https://${HOST}"
BEAM_APP_ID: "focus" SITES: ${SITES}
PROJECT_METADATA: "kr_supervisors" TRANSFORM: LENS
PROJECT: kr
BIND_ADDR: 0.0.0.0:8055
depends_on: depends_on:
- "beam-proxy" - "beam-proxy"
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.http.services.spot.loadbalancer.server.port=8080" - "traefik.http.services.spot.loadbalancer.server.port=8055"
- "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowmethods=GET,OPTIONS,POST" - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowmethods=GET,OPTIONS,POST"
- "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowheaders=content-type"
- "traefik.http.middlewares.corsheaders2.headers.accesscontrolalloworiginlist=https://${HOST}" - "traefik.http.middlewares.corsheaders2.headers.accesscontrolalloworiginlist=https://${HOST}"
- "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowcredentials=true" - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowcredentials=true"
- "traefik.http.middlewares.corsheaders2.headers.accesscontrolmaxage=-1" - "traefik.http.middlewares.corsheaders2.headers.accesscontrolmaxage=-1"
- "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/backend`)" - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/prod`)"
- "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/backend" - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/prod"
- "traefik.http.routers.spot.tls=true" - "traefik.http.routers.spot.tls=true"
- "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot" - "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot,auth"
beam-proxy:
environment:
APP_spot_KEY: ${FOCUS_BEAM_SECRET_SHORT}

2
kr/modules/obds2fhir-rest-compose.yml
View File

@@ -3,7 +3,7 @@ version: "3.7"
services: services:
obds2fhir-rest: obds2fhir-rest:
container_name: bridgehead-obds2fhir-rest container_name: bridgehead-obds2fhir-rest
image: docker.verbis.dkfz.de/ccp/obds2fhir-rest:main image: docker.verbis.dkfz.de/samply/obds2fhir-rest:main
environment: environment:
IDTYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID IDTYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID
MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY} MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}

2
kr/vars
View File

@@ -3,7 +3,7 @@ BROKER_URL=https://${BROKER_ID}
PROXY_ID=${SITE_ID}.${BROKER_ID} PROXY_ID=${SITE_ID}.${BROKER_ID}
FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)" FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64} FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
SUPPORT_EMAIL=arturo.macias@dkfz-heidelberg.de SUPPORT_EMAIL=p.delpy@dkfz-heidelberg.de
PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
BROKER_URL_FOR_PREREQ=$BROKER_URL BROKER_URL_FOR_PREREQ=$BROKER_URL

23
lib/functions.sh
View File

@@ -9,6 +9,15 @@ detectCompose() {
fi fi
} }
# Encodes all characters not in unrestricted character set of RFC3986 Section 2.3
urlencode() {
for ((i=0;i<${#1};i++)); do
local c=${1:i:1}
[[ "$c" =~ [a-zA-Z0-9._~-] ]] && printf '%s' "$c" || printf '%%%02X' "'$c"
done
echo
}
setupProxy() { setupProxy() {
### Note: As the current data protection concepts do not allow communication via HTTP, ### Note: As the current data protection concepts do not allow communication via HTTP,
### we are not setting a proxy for HTTP requests. ### we are not setting a proxy for HTTP requests.
@@ -22,9 +31,12 @@ setupProxy() {
HTTPS_PROXY_HOST="$(echo $hostport | sed -e 's,:.*,,g')" HTTPS_PROXY_HOST="$(echo $hostport | sed -e 's,:.*,,g')"
HTTPS_PROXY_PORT="$(echo $hostport | sed -e 's,^.*:,:,g' -e 's,.*:\([0-9]*\).*,\1,g' -e 's,[^0-9],,g')" HTTPS_PROXY_PORT="$(echo $hostport | sed -e 's,^.*:,:,g' -e 's,.*:\([0-9]*\).*,\1,g' -e 's,[^0-9],,g')"
if [[ ! -z "$HTTPS_PROXY_USERNAME" && ! -z "$HTTPS_PROXY_PASSWORD" ]]; then if [[ ! -z "$HTTPS_PROXY_USERNAME" && ! -z "$HTTPS_PROXY_PASSWORD" ]]; then
local ESCAPED_PASSWORD="$(echo $HTTPS_PROXY_PASSWORD | od -An -v -t x1 | sed -e 's/[[:space:]]//g' -e 's/\([0-9a-f][0-9a-f]\)/%\1/g' | tr -d '\n')"
local CURL_ESCAPED_PW="$(urlencode $HTTPS_PROXY_PASSWORD)"
local proto="$(echo $HTTPS_PROXY_URL | grep :// | sed -e 's,^\(.*://\).*,\1,g')" local proto="$(echo $HTTPS_PROXY_URL | grep :// | sed -e 's,^\(.*://\).*,\1,g')"
local fqdn="$(echo ${HTTPS_PROXY_URL/$proto/})" local fqdn="$(echo ${HTTPS_PROXY_URL/$proto/})"
HTTPS_PROXY_FULL_URL="$(echo $proto$HTTPS_PROXY_USERNAME:$HTTPS_PROXY_PASSWORD@$fqdn)" HTTPS_PROXY_FULL_URL="$(echo $proto$HTTPS_PROXY_USERNAME:$ESCAPED_PASSWORD@$fqdn)"
CURL_HTTPS_PROXY_FULL_URL="$(echo $proto$HTTPS_PROXY_USERNAME:$CURL_ESCAPED_PW@$fqdn)"
https="authenticated" https="authenticated"
else else
HTTPS_PROXY_FULL_URL=$HTTPS_PROXY_URL HTTPS_PROXY_FULL_URL=$HTTPS_PROXY_URL
@@ -33,7 +45,7 @@ setupProxy() {
fi fi
log INFO "Configuring proxy servers: $http http proxy (we're not supporting unencrypted comms), $https https proxy" log INFO "Configuring proxy servers: $http http proxy (we're not supporting unencrypted comms), $https https proxy"
export HTTPS_PROXY_HOST HTTPS_PROXY_PORT HTTPS_PROXY_FULL_URL export HTTPS_PROXY_HOST HTTPS_PROXY_PORT HTTPS_PROXY_FULL_URL CURL_HTTPS_PROXY_FULL_URL
} }
exitIfNotRoot() { exitIfNotRoot() {
@@ -54,7 +66,7 @@ checkOwner(){
printUsage() { printUsage() {
echo "Usage: bridgehead start|stop|logs|docker-logs|is-running|update|check|install|uninstall|adduser|enroll PROJECTNAME" echo "Usage: bridgehead start|stop|logs|docker-logs|is-running|update|check|install|uninstall|adduser|enroll PROJECTNAME"
echo "PROJECTNAME should be one of ccp|bbmri|cce|itcc|kr|dhki" echo "PROJECTNAME should be one of ccp|bbmri|cce|itcc|kr|dhki|nngm"
} }
checkRequirements() { checkRequirements() {
@@ -327,7 +339,7 @@ function sync_secrets() {
-e ALL_PROXY=$HTTPS_PROXY_FULL_URL \ -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
-e PROXY_ID=$proxy_id \ -e PROXY_ID=$proxy_id \
-e BROKER_URL=$broker_url \ -e BROKER_URL=$broker_url \
-e OIDC_PROVIDER=secret-sync-central.test-secret-sync.$broker_id \ -e OIDC_PROVIDER=secret-sync-central.central-secret-sync.$broker_id \
-e SECRET_DEFINITIONS=$secret_sync_args \ -e SECRET_DEFINITIONS=$secret_sync_args \
docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
@@ -338,6 +350,7 @@ function sync_secrets() {
function secret_sync_gitlab_token() { function secret_sync_gitlab_token() {
if [[ "$PROJECT" != "dktk" && "$PROJECT" != "bbmri" ]]; then if [[ "$PROJECT" != "dktk" && "$PROJECT" != "bbmri" ]]; then
log "INFO" "Not running Secret Sync for project minimal"
return return
fi fi
# Map the origin of the git repository /etc/bridgehead to the prefix recognized by Secret Sync # Map the origin of the git repository /etc/bridgehead to the prefix recognized by Secret Sync
@@ -397,7 +410,7 @@ function secret_sync_gitlab_token() {
else else
log "WARN" "Secret Sync failed" log "WARN" "Secret Sync failed"
# Remove the git credential helper # Remove the git credential helper
git -C /etc/bridgehead config --unset credential.helpera git -C /etc/bridgehead config --unset credential.helper
fi fi
# In the past the git credential helper was also set for /srv/docker/bridgehead but never used. # In the past the git credential helper was also set for /srv/docker/bridgehead but never used.

4
lib/monitoring.sh
View File

@@ -47,8 +47,8 @@ function hc_send(){
if [ -n "$2" ]; then if [ -n "$2" ]; then
MSG="$2\n\nDocker stats:\n$UPTIME" MSG="$2\n\nDocker stats:\n$UPTIME"
echo -e "$MSG" | https_proxy=$HTTPS_PROXY_FULL_URL curl --max-time 5 -A "$USER_AGENT" -s -o /dev/null -X POST --data-binary @- "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1" echo -e "$MSG" | https_proxy=$CURL_HTTPS_PROXY_FULL_URL curl --max-time 5 -A "$USER_AGENT" -s -o /dev/null -X POST --data-binary @- "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1"
else else
https_proxy=$HTTPS_PROXY_FULL_URL curl --max-time 5 -A "$USER_AGENT" -s -o /dev/null "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1" https_proxy=$CURL_HTTPS_PROXY_FULL_URL curl --max-time 5 -A "$USER_AGENT" -s -o /dev/null "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1"
fi fi
} }

6
lib/prepare-system.sh
View File

@@ -55,6 +55,9 @@ case "$PROJECT" in
cce) cce)
site_configuration_repository_middle="git.verbis.dkfz.de/cce-sites/" site_configuration_repository_middle="git.verbis.dkfz.de/cce-sites/"
;; ;;
pscc)
site_configuration_repository_middle="git.verbis.dkfz.de/pscc-sites/"
;;
itcc) itcc)
site_configuration_repository_middle="git.verbis.dkfz.de/itcc-sites/" site_configuration_repository_middle="git.verbis.dkfz.de/itcc-sites/"
;; ;;
@@ -67,6 +70,9 @@ case "$PROJECT" in
dhki) dhki)
site_configuration_repository_middle="git.verbis.dkfz.de/dhki/" site_configuration_repository_middle="git.verbis.dkfz.de/dhki/"
;; ;;
nngm)
site_configuration_repository_middle="git.verbis.dkfz.de/nngm/"
;;
minimal) minimal)
site_configuration_repository_middle="git.verbis.dkfz.de/minimal-bridgehead-configs/" site_configuration_repository_middle="git.verbis.dkfz.de/minimal-bridgehead-configs/"
;; ;;

2
lib/prerequisites.sh
View File

@@ -71,7 +71,7 @@ source ${PROJECT}/vars
if [ "${PROJECT}" != "minimal" ]; then if [ "${PROJECT}" != "minimal" ]; then
set +e set +e
SERVERTIME="$(https_proxy=$HTTPS_PROXY_FULL_URL curl -m 5 -s -I $BROKER_URL_FOR_PREREQ 2>&1 | grep -i -e '^Date: ' | sed -e 's/^Date: //i')" SERVERTIME="$(https_proxy=$CURL_HTTPS_PROXY_FULL_URL curl -m 5 -s -I $BROKER_URL_FOR_PREREQ 2>&1 | grep -i -e '^Date: ' | sed -e 's/^Date: //i')"
RET=$? RET=$?
set -e set -e
if [ $RET -ne 0 ]; then if [ $RET -ne 0 ]; then

123
lib/tests/test_proxyparsing.sh Executable file
View File

@@ -0,0 +1,123 @@
source ../functions.sh
test_setupProxy() {
# simple logger for tests
log() { :; }
local failures=0
local total=0
assert_eq() {
local label="$1" got="$2" expected="$3"
total=$((total + 1))
if [[ "$got" != "$expected" ]]; then
failures=$((failures + 1))
printf 'FAIL: %s\n got: %q\n expected: %q\n\n' "$label" "$got" "$expected"
else
printf 'ok: %s\n' "$label"
fi
}
run_case() {
local name="$1"
local url="$2"
local u="$3"
local p="$4"
local exp_host="$5"
local exp_port="$6"
local exp_full="$7"
HTTPS_PROXY_URL="$url"
HTTPS_PROXY_USERNAME="$u"
HTTPS_PROXY_PASSWORD="$p"
setupProxy >/dev/null 2>&1
assert_eq "$name host" "$HTTPS_PROXY_HOST" "$exp_host"
assert_eq "$name port" "$HTTPS_PROXY_PORT" "$exp_port"
assert_eq "$name full" "$HTTPS_PROXY_FULL_URL" "$exp_full"
}
echo "Running setupProxy tests..."
echo
# 1) Basic https host:port
run_case "basic https" \
"https://proxy.example.org:8443" "" "" \
"proxy.example.org" "8443" \
"https://proxy.example.org:8443"
# 2) https without port -> default 443
run_case "https no port" \
"https://proxy.example.org" "" "" \
"proxy.example.org" "443" \
"https://proxy.example.org"
# 3) no scheme, host:port -> defaults scheme=https
run_case "no scheme hostport" \
"proxy.example.org:3128" "" "" \
"proxy.example.org" "3128" \
"https://proxy.example.org:3128"
# 4) URL with path/query/fragment
run_case "ignores path" \
"https://proxy.example.org:8443/some/path?x=1#y" "" "" \
"proxy.example.org" "8443" \
"https://proxy.example.org:8443"
# 5) explicit env creds inserted
run_case "env creds override" \
"https://proxy.example.org:8443" "alice" "secret" \
"proxy.example.org" "8443" \
"https://alice:secret@proxy.example.org:8443"
# 6) embedded creds used if env creds absent
run_case "embedded creds" \
"https://bob:pw@proxy.example.org:8443" "" "" \
"proxy.example.org" "8443" \
"https://bob:pw@proxy.example.org:8443"
# 7) env creds override embedded creds
run_case "env overrides embedded" \
"https://bob:pw@proxy.example.org:8443" "alice" "secret" \
"proxy.example.org" "8443" \
"https://alice:secret@proxy.example.org:8443"
# 8) IPv6 literal with port
run_case "ipv6 with port" \
"https://[2001:db8::1]:8080" "" "" \
"2001:db8::1" "8080" \
"https://[2001:db8::1]:8080"
# 9) IPv6 literal without port -> default 443
run_case "ipv6 no port" \
"https://[2001:db8::1]" "" "" \
"2001:db8::1" "443" \
"https://[2001:db8::1]"
# 10) http scheme rejected -> outputs empty
HTTPS_PROXY_URL="http://proxy.example.org:8080"
HTTPS_PROXY_USERNAME=""
HTTPS_PROXY_PASSWORD=""
setupProxy >/dev/null 2>&1
assert_eq "http rejected host" "${HTTPS_PROXY_HOST:-}" ""
assert_eq "http rejected port" "${HTTPS_PROXY_PORT:-}" ""
assert_eq "http rejected full" "${HTTPS_PROXY_FULL_URL:-}" ""
# 11) empty URL -> outputs empty but no failure
HTTPS_PROXY_URL=""
setupProxy >/dev/null 2>&1
assert_eq "empty url host" "${HTTPS_PROXY_HOST:-}" ""
assert_eq "empty url port" "${HTTPS_PROXY_PORT:-}" ""
assert_eq "empty url full" "${HTTPS_PROXY_FULL_URL:-}" ""
echo
echo "Tests complete: $((total - failures))/$total passed."
if (( failures > 0 )); then
echo "Some tests failed."
return 1
fi
return 0
}
test_setupProxy

2
minimal/docker-compose.yml
View File

@@ -32,7 +32,7 @@ services:
forward_proxy: forward_proxy:
container_name: bridgehead-forward-proxy container_name: bridgehead-forward-proxy
image: docker.verbis.dkfz.de/cache/samply/bridgehead-forward-proxy:latest image: samply/bridgehead-forward-proxy:pr-16
environment: environment:
HTTPS_PROXY: ${HTTPS_PROXY_URL} HTTPS_PROXY: ${HTTPS_PROXY_URL}
HTTPS_PROXY_USERNAME: ${HTTPS_PROXY_USERNAME} HTTPS_PROXY_USERNAME: ${HTTPS_PROXY_USERNAME}

1
minimal/modules/dnpm-node-compose.yml
View File

@@ -66,6 +66,7 @@ services:
- HATEOAS_HOST=https://${HOST} - HATEOAS_HOST=https://${HOST}
- CONNECTOR_TYPE=broker - CONNECTOR_TYPE=broker
- AUTHUP_URL=robot://system:${DNPM_AUTHUP_SECRET}@http://dnpm-authup:3000 - AUTHUP_URL=robot://system:${DNPM_AUTHUP_SECRET}@http://dnpm-authup:3000
- TZ=Europe/Berlin
volumes: volumes:
- /etc/bridgehead/dnpm/config:/dnpm_config - /etc/bridgehead/dnpm/config:/dnpm_config
- /var/cache/bridgehead/dnpm/backend-data:/dnpm_data - /var/cache/bridgehead/dnpm/backend-data:/dnpm_data

65
nngm/docker-compose.yml Normal file
View File

@@ -0,0 +1,65 @@
version: "3.7"
services:
blaze:
image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
container_name: bridgehead-nngm-blaze
environment:
BASE_URL: "http://bridgehead-nngm-blaze:8080"
JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
ENFORCE_REFERENTIAL_INTEGRITY: "false"
volumes:
- "blaze-data:/app/data"
labels:
- "traefik.enable=true"
- "traefik.http.routers.blaze_nngm.rule=PathPrefix(`/nngm-localdatamanagement`)"
- "traefik.http.middlewares.nngm_b_strip.stripprefix.prefixes=/nngm-localdatamanagement"
- "traefik.http.services.blaze_nngm.loadbalancer.server.port=8080"
- "traefik.http.routers.blaze_nngm.middlewares=nngm_b_strip,auth"
- "traefik.http.routers.blaze_nngm.tls=true"
focus:
image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
container_name: bridgehead-focus
environment:
- API_KEY=${FOCUS_BEAM_SECRET_SHORT}
- BEAM_APP_ID_LONG=focus.${PROXY_ID}
- PROXY_ID=${PROXY_ID}
- BLAZE_URL=http://bridgehead-nngm-blaze:8080/fhir/
- BEAM_PROXY_URL=http://beam-proxy:8081
- RETRY_COUNT=${FOCUS_RETRY_COUNT}
- EPSILON=0.28
- ENDPOINT_TYPE=${FOCUS_ENDPOINT_TYPE:-blaze}
- CQL_PROJECTS_ENABLED
depends_on:
- "beam-proxy"
- "blaze"
beam-proxy:
image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG}
container_name: bridgehead-beam-proxy
environment:
BROKER_URL: ${BROKER_URL}
PROXY_ID: ${PROXY_ID}
APP_focus_KEY: ${FOCUS_BEAM_SECRET_SHORT}
PRIVKEY_FILE: /run/secrets/proxy.pem
ALL_PROXY: http://forward_proxy:3128
TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
ROOTCERT_FILE: /conf/root.crt.pem
secrets:
- proxy.pem
depends_on:
- "forward_proxy"
volumes:
- /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
- /srv/docker/bridgehead/nngm/root.crt.pem:/conf/root.crt.pem:ro
volumes:
blaze-data:
secrets:
proxy.pem:
file: /etc/bridgehead/pki/${SITE_ID}.priv.pem

72
nngm/modules/exporter-compose.yml Normal file
View File

@@ -0,0 +1,72 @@
version: "3.7"
services:
exporter:
image: docker.verbis.dkfz.de/ccp/dktk-exporter:latest
container_name: bridgehead-nngm-exporter
environment:
JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC"
LOG_LEVEL: "INFO"
EXPORTER_API_KEY: "${EXPORTER_API_KEY}" # Set in exporter-setup.sh
CROSS_ORIGINS: "https://${HOST}"
EXPORTER_DB_USER: "exporter"
EXPORTER_DB_PASSWORD: "${EXPORTER_DB_PASSWORD}" # Set in exporter-setup.sh
EXPORTER_DB_URL: "jdbc:postgresql://exporter-db:5432/exporter"
HTTP_RELATIVE_PATH: "/nngm-exporter"
SITE: "${SITE_ID}"
HTTP_SERVLET_REQUEST_SCHEME: "https"
OPAL_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
labels:
- "traefik.enable=true"
- "traefik.http.routers.exporter_nngm.rule=PathPrefix(`/nngm-exporter`)"
- "traefik.http.services.exporter_nngm.loadbalancer.server.port=8092"
- "traefik.http.routers.exporter_nngm.tls=true"
- "traefik.http.middlewares.exporter_nngm_strip.stripprefix.prefixes=/nngm-exporter"
- "traefik.http.routers.exporter_nngm.middlewares=exporter_nngm_strip"
volumes:
- "/var/cache/bridgehead/nngm/exporter-files:/app/exporter-files/output"
exporter-db:
image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
container_name: bridgehead-nngm-exporter-db
environment:
POSTGRES_USER: "exporter"
POSTGRES_PASSWORD: "${EXPORTER_DB_PASSWORD}" # Set in exporter-setup.sh
POSTGRES_DB: "exporter"
volumes:
# Consider removing this volume once we find a solution to save Lens-queries to be executed in the explorer.
- "/var/cache/bridgehead/nngm/exporter-db:/var/lib/postgresql/data"
reporter:
image: docker.verbis.dkfz.de/ccp/dktk-reporter:latest
container_name: bridgehead-nngm-reporter
environment:
JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC"
LOG_LEVEL: "INFO"
CROSS_ORIGINS: "https://${HOST}"
HTTP_RELATIVE_PATH: "/nngm-reporter"
SITE: "${SITE_ID}"
EXPORTER_API_KEY: "${EXPORTER_API_KEY}" # Set in exporter-setup.sh
EXPORTER_URL: "http://exporter:8092"
LOG_FHIR_VALIDATION: "false"
HTTP_SERVLET_REQUEST_SCHEME: "https"
# In this initial development state of the bridgehead, we are trying to have so many volumes as possible.
# However, in the first executions in the CCP sites, this volume seems to be very important. A report is
# a process that can take several hours, because it depends on the exporter.
# There is a risk that the bridgehead restarts, losing the already created export.
volumes:
- "/var/cache/bridgehead/nngm/reporter-files:/app/reports"
labels:
- "traefik.enable=true"
- "traefik.http.routers.reporter_nngm.rule=PathPrefix(`/nngm-reporter`)"
- "traefik.http.services.reporter_nngm.loadbalancer.server.port=8095"
- "traefik.http.routers.reporter_nngm.tls=true"
- "traefik.http.middlewares.reporter_nngm_strip.stripprefix.prefixes=/nngm-reporter"
- "traefik.http.routers.reporter_nngm.middlewares=reporter_nngm_strip"
focus:
environment:
EXPORTER_URL: "http://exporter:8092"
EXPORTER_API_KEY: "${EXPORTER_API_KEY}"

8
nngm/modules/exporter-setup.sh Normal file
View File

@@ -0,0 +1,8 @@
#!/bin/bash -e
if [ "$ENABLE_EXPORTER" == true ]; then
log INFO "Exporter setup detected -- will start Exporter service."
OVERRIDE+=" -f ./$PROJECT/modules/exporter-compose.yml"
EXPORTER_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
EXPORTER_API_KEY="$(echo \"This is a salt string to generate one consistent API KEY for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)"
fi

73
nngm/modules/teiler-compose.yml Normal file
View File

@@ -0,0 +1,73 @@
version: "3.7"
services:
teiler-orchestrator:
image: docker.verbis.dkfz.de/cache/samply/teiler-orchestrator:latest
container_name: bridgehead-teiler-orchestrator
labels:
- "traefik.enable=true"
- "traefik.http.routers.teiler_orchestrator_nngm.rule=PathPrefix(`/nngm-teiler`)"
- "traefik.http.services.teiler_orchestrator_nngm.loadbalancer.server.port=9000"
- "traefik.http.routers.teiler_orchestrator_nngm.tls=true"
- "traefik.http.middlewares.teiler_orchestrator_nngm_strip.stripprefix.prefixes=/nngm-teiler"
- "traefik.http.routers.teiler_orchestrator_nngm.middlewares=teiler_orchestrator_nngm_strip"
environment:
TEILER_BACKEND_URL: "/nngm-teiler-backend"
TEILER_DASHBOARD_URL: "/nngm-teiler-dashboard"
DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE_LOWER_CASE}"
HTTP_RELATIVE_PATH: "/nngm-teiler"
teiler-dashboard:
image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:${TEILER_DASHBOARD_TAG}
container_name: bridgehead-teiler-dashboard
labels:
- "traefik.enable=true"
- "traefik.http.routers.teiler_dashboard_nngm.rule=PathPrefix(`/nngm-teiler-dashboard`)"
- "traefik.http.services.teiler_dashboard_nngm.loadbalancer.server.port=80"
- "traefik.http.routers.teiler_dashboard_nngm.tls=true"
- "traefik.http.middlewares.teiler_dashboard_nngm_strip.stripprefix.prefixes=/nngm-teiler-dashboard"
- "traefik.http.routers.teiler_dashboard_nngm.middlewares=teiler_dashboard_nngm_strip"
environment:
DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
TEILER_BACKEND_URL: "/nngm-teiler-backend"
TEILER_DASHBOARD_URL: "/nngm-teiler-dashboard"
OIDC_URL: "${OIDC_URL}"
OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}"
OIDC_TOKEN_GROUP: "${OIDC_GROUP_CLAIM}"
TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
TEILER_PROJECT: "${PROJECT}"
EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
TEILER_ORCHESTRATOR_URL: "/nngm-teiler"
TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/nngm-teiler"
TEILER_USER: "${OIDC_USER_GROUP}"
TEILER_ADMIN: "${OIDC_ADMIN_GROUP}"
REPORTER_DEFAULT_TEMPLATE_ID: "ccp-qb"
EXPORTER_DEFAULT_TEMPLATE_ID: "ccp"
# TODO: Replace dktk-teiler-backend with nngm-teiler-backend
teiler-backend:
image: docker.verbis.dkfz.de/ccp/dktk-teiler-backend:latest
container_name: bridgehead-teiler-backend
labels:
- "traefik.enable=true"
- "traefik.http.routers.teiler_backend_nngm.rule=PathPrefix(`/nngm-teiler-backend`)"
- "traefik.http.services.teiler_backend_nngm.loadbalancer.server.port=8085"
- "traefik.http.routers.teiler_backend_nngm.tls=true"
- "traefik.http.middlewares.teiler_backend_nngm_strip.stripprefix.prefixes=/nngm-teiler-backend"
- "traefik.http.routers.teiler_backend_nngm.middlewares=teiler_backend_nngm_strip"
environment:
LOG_LEVEL: "INFO"
APPLICATION_PORT: "8085"
DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/nngm-teiler"
TEILER_ORCHESTRATOR_URL: "/nngm-teiler"
TEILER_DASHBOARD_DE_URL: "/nngm-teiler-dashboard/de"
TEILER_DASHBOARD_EN_URL: "/nngm-teiler-dashboard/en"
HTTP_PROXY: "http://forward_proxy:3128"
ENABLE_MTBA: "${ENABLE_MTBA}"
ENABLE_DATASHIELD: "${ENABLE_DATASHIELD}"
IDMANAGER_UPLOAD_APIKEY: "${IDMANAGER_UPLOAD_APIKEY}" # Only used to check if the ID Manager is active

8
nngm/modules/teiler-setup.sh Normal file
View File

@@ -0,0 +1,8 @@
#!/bin/bash -e
if [ "$ENABLE_TEILER" == true ];then
log INFO "Teiler setup detected -- will start Teiler services."
OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml"
TEILER_DEFAULT_LANGUAGE=DE
TEILER_DEFAULT_LANGUAGE_LOWER_CASE=${TEILER_DEFAULT_LANGUAGE,,}
fi

20
nngm/root.crt.pem Normal file
View File

@@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----
MIIDNTCCAh2gAwIBAgIUWHMDQFPJR5y8RKZ5FC72iOOla4kwDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjUxMDI3MTQwMjU1WhcNMzUx
MDI1MTQwMzI1WjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAKoghRqAo6s9xjDao+ZC9HpZDBgzOgRMRHrl352k
Y0Gti1p3m8ldwVQV+nlBE6g/Dowo+iaOwUBiHMHOI2BK7vqkGNp0tZ63ZKR4cyOD
hCDOl71lWxjYD5XmF7l/SbrLFfET0EEorhLDDOMuWrNpxKFfKdvhld6K5BZ3oSfH
/5W5y5jWRFWEYRzddzil2GOiU2vzAygA0I1nr5oHCgZoteDDXztAYHJ5vnPA9RNQ
YFoe/5fVOiJo869zYyBwMuY/dV5ff7eIe/HRKzFLZ6iJEOJcBFWx/aWEvj5gSWxS
x4OzkwoHsZOkRN9wSTXvdO5kPFzmPq8Nq7Hmw4tLVzP1eRECAwEAAaN7MHkwDgYD
VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFP9BHa86rz94
nvMj2JhM5V3L3TWCMB8GA1UdIwQYMBaAFP9BHa86rz94nvMj2JhM5V3L3TWCMBYG
A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQCkWBXRUGx5
XFWEEAVbAMcEuXAr6+HtSs+NTORQ01LhNST8Z9HhOaAjfH/dJiLvOjHvOuiOK9y9
ZGkIIwqkkbhlv1ZcfQBWXh+xDNbq9Q2MaIWY3ZzPTKFgNkxFcEF43MMB+o5pK1Bf
jJIiSxuEfM0yHg9o+jc3V3XRhU9leXNPkfJezTGfVuWr/B/kTmnQ8zrOCapB+NnX
vuu1ayNyXflDkj8Gg0X4TarxGhSP6Dpxd9ViEQD9DFG8q42bH0mYveHcAIUN0FJX
4F2NChiL7dCSFFe6xKdRFDtNe12JrHRjU1rMAcxhYjBRbqt2o2HfDPajSJrhRheY
T35rRWxDupkP
-----END CERTIFICATE-----

32
nngm/vars Normal file
View File

@@ -0,0 +1,32 @@
BROKER_ID=broker.nngm.dkfz.de
BROKER_URL=https://${BROKER_ID}
PROXY_ID=${SITE_ID}.${BROKER_ID}
FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
# TODO: Add real nNGM-Support email
SUPPORT_EMAIL=support-nngm@dkfz-heidelberg.de
PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
BROKER_URL_FOR_PREREQ=$BROKER_URL
# TODO: Replace with nNGM OIDC Server
OIDC_USER_GROUP="NNGM_$(capitalize_first_letter ${SITE_ID})"
OIDC_ADMIN_GROUP="NNGM_$(capitalize_first_letter ${SITE_ID})_Verwalter"
OIDC_PSP_GROUP="NNGM_$(capitalize_first_letter ${SITE_ID})_PSP"
OIDC_PRIVATE_CLIENT_ID=${SITE_ID}-private
OIDC_PUBLIC_CLIENT_ID=${SITE_ID}-public
OIDC_URL="https://sso.verbis.dkfz.de/application/o/${OIDC_PUBLIC_CLIENT_ID}/"
OIDC_PRIVATE_URL="https://sso.verbis.dkfz.de/application/o/${OIDC_PRIVATE_CLIENT_ID}/"
OIDC_GROUP_CLAIM="groups"
for module in $PROJECT/modules/*.sh
do
log DEBUG "sourcing $module"
source $module
done
for module in modules/*.sh
do
log DEBUG "sourcing $module"
source $module
done

67
pscc/docker-compose.yml Normal file
View File

@@ -0,0 +1,67 @@
version: "3.7"
services:
blaze:
image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
container_name: bridgehead-pscc-blaze
environment:
BASE_URL: "http://bridgehead-pscc-blaze:8080"
JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
ENFORCE_REFERENTIAL_INTEGRITY: "false"
volumes:
- "blaze-data:/app/data"
labels:
- "traefik.enable=true"
- "traefik.http.routers.blaze_pscc.rule=PathPrefix(`/pscc-localdatamanagement`)"
- "traefik.http.middlewares.pscc_b_strip.stripprefix.prefixes=/pscc-localdatamanagement"
- "traefik.http.services.blaze_pscc.loadbalancer.server.port=8080"
- "traefik.http.routers.blaze_pscc.middlewares=pscc_b_strip,auth"
- "traefik.http.routers.blaze_pscc.tls=true"
focus:
image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
container_name: bridgehead-focus
environment:
API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
BEAM_APP_ID_LONG: focus.${PROXY_ID}
PROXY_ID: ${PROXY_ID}
BLAZE_URL: "http://bridgehead-pscc-blaze:8080/fhir/"
BEAM_PROXY_URL: http://beam-proxy:8081
RETRY_COUNT: ${FOCUS_RETRY_COUNT}
EPSILON: 0.28
ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
depends_on:
- "beam-proxy"
- "blaze"
beam-proxy:
image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG}
container_name: bridgehead-beam-proxy
environment:
BROKER_URL: ${BROKER_URL}
PROXY_ID: ${PROXY_ID}
APP_focus_KEY: ${FOCUS_BEAM_SECRET_SHORT}
PRIVKEY_FILE: /run/secrets/proxy.pem
ALL_PROXY: http://forward_proxy:3128
TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
ROOTCERT_FILE: /conf/root.crt.pem
secrets:
- proxy.pem
depends_on:
- "forward_proxy"
volumes:
- /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
- /srv/docker/bridgehead/pscc/root.crt.pem:/conf/root.crt.pem:ro
landing:
profiles: [deactivated]
volumes:
blaze-data:
secrets:
proxy.pem:
file: /etc/bridgehead/pki/${SITE_ID}.priv.pem

40
pscc/modules/lens-compose.yml Normal file
View File

@@ -0,0 +1,40 @@
version: "3.7"
services:
lens:
container_name: lens-federated-search
image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID}
labels:
- "traefik.http.services.lens.loadbalancer.server.port=3000"
- "traefik.enable=true"
- "traefik.http.routers.lens.rule=Host(`${HOST}`)"
- "traefik.http.routers.lens.tls=true"
spot:
image: samply/rustyspot:latest
platform: linux/amd64
environment:
HTTP_PROXY: ${HTTP_PROXY_URL}
HTTPS_PROXY: ${HTTPS_PROXY_URL}
NO_PROXY: beam-proxy
BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}"
BEAM_PROXY_URL: http://beam-proxy:8081
BEAM_APP_ID: "spot.${SITE_ID}.${BROKER_ID}"
CORS_ORIGIN: "https://${HOST}"
SITES: ${SITES}
TRANSFORM: LENS
PROJECT: pscc
BIND_ADDR: 0.0.0.0:8055
depends_on:
- "beam-proxy"
labels:
- "traefik.enable=true"
- "traefik.http.services.spot.loadbalancer.server.port=8055"
- "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowmethods=GET,OPTIONS,POST"
- "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowheaders=content-type"
- "traefik.http.middlewares.corsheaders2.headers.accesscontrolalloworiginlist=https://${HOST}"
- "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowcredentials=true"
- "traefik.http.middlewares.corsheaders2.headers.accesscontrolmaxage=-1"
- "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/prod`)"
- "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/prod"
- "traefik.http.routers.spot.tls=true"
- "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot,auth"

5
pscc/modules/lens-setup.sh Normal file
View File

@@ -0,0 +1,5 @@
#!/bin/bash
if [ -n "$ENABLE_LENS" ];then
OVERRIDE+=" -f ./$PROJECT/modules/lens-compose.yml"
fi

13
pscc/modules/osiris2fhir-compose.yml Normal file
View File

@@ -0,0 +1,13 @@
services:
osiris2fhir:
container_name: bridgehead-osiris2fhir
image: docker.verbis.dkfz.de/ccp/osiris2fhir:${SITE_ID}
environment:
SALT: ${LOCAL_SALT}
labels:
- "traefik.enable=true"
- "traefik.http.routers.osiris2fhir.rule=PathPrefix(`/osiris2fhir`)"
- "traefik.http.middlewares.osiris2fhir_strip.stripprefix.prefixes=/osiris2fhir"
- "traefik.http.services.osiris2fhir.loadbalancer.server.port=8080"
- "traefik.http.routers.osiris2fhir.tls=true"
- "traefik.http.routers.osiris2fhir.middlewares=osiris2fhir_strip,auth"

6
pscc/modules/osiris2fhir-setup.sh Normal file
View File

@@ -0,0 +1,6 @@
#!/bin/bash
if [ -n "$ENABLE_OSIRIS2FHIR" ]; then
log INFO "oBDS2FHIR-REST setup detected -- will start osiris2fhir module."
OVERRIDE+=" -f ./pscc/modules/osiris2fhir-compose.yml"
LOCAL_SALT="$(echo \"local-random-salt\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
fi

20
pscc/root.crt.pem Normal file
View File

@@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----
MIIDNTCCAh2gAwIBAgIUVC1Y1tx0q5PNR33gArAyyBm8PMQwDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjUxMTAzMTQxODQ5WhcNMzUx
MTAxMTQxOTE5WjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAMB1yd7zkh7Io/ReQYindBcAdA1b4ogdVnrdSLRN
N3zLSh6jN5KIXgs34BdRXx0so0m96q+9xlgacTXGRBn1Tu5SKMRyXdxnCLMzHAYU
rNKhqF5HeZCYkVyh/tsAyFfDwZDVzsdX64V+0r5+raev2X0gJnlgmF83DIKjkVUS
2+c+3BnXa9LOdXks0qygJjvaFyi+5MA3DinLnmMLCQ3yAvaZYWyP3xCnGIoVrZFq
a+YioMCmHrbByuXPoZsXcFY7Z85LQkCtSVt1dH4kkN2/JehXG099nqwMqO8FpLZZ
xG7/U3P/slX1MMLs97nqRCRoW7Cha2ci1NBYLll+34ekhxMCAwEAAaN7MHkwDgYD
VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJHTpnuyIGHw
yvC/mmh+S/JKYVrAMB8GA1UdIwQYMBaAFJHTpnuyIGHwyvC/mmh+S/JKYVrAMBYG
A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQAeDc/k28yb
I5MLC/LdaA+MKsW2FWF9HT+tsbtltTaQIRnnkwfU/40Ius3gzUU5z+kPqq5+kxhy
3T646Rbau85Zw24gdNmiVKAAG5ntKoQ7XnyR/06PYyXNGLqnb6aKvbcIPoWtU/+2
8f5hHdQ/4271aHws7dKcBNWu9V5WmxMZ3YTfnBR5lEda+DhVwHqtmun8EpSbwthD
aLLIOHJpetr+KWUVFHQdGbO23Qg1Else0Akcn5Gzf/sKkVCVxjHE6jeo4ZwHtstG
KMoff+ETC+DL5kMZ4CV5VaQ4HxVK7N0qiUxmijWe+EyRZseum1c0s2OEi2L52Q9K
P4N3yD4ed4p/
-----END CERTIFICATE-----

14
pscc/vars Normal file
View File

@@ -0,0 +1,14 @@
BROKER_ID=broker.pscc.org
BROKER_URL=https://${BROKER_ID}
PROXY_ID=${SITE_ID}.${BROKER_ID}
FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
SUPPORT_EMAIL=denis.koether@dkfz-heidelberg.de
PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
BROKER_URL_FOR_PREREQ=$BROKER_URL
for module in $PROJECT/modules/*.sh
do
log DEBUG "sourcing $module"
source $module
done

2
versions/acceptance
View File

@@ -1,6 +1,6 @@
FOCUS_TAG=develop FOCUS_TAG=develop
BEAM_TAG=develop BEAM_TAG=develop
BLAZE_TAG=main BLAZE_TAG=0.32
POSTGRES_TAG=15.13-alpine POSTGRES_TAG=15.13-alpine
TEILER_DASHBOARD_TAG=develop TEILER_DASHBOARD_TAG=develop
MTBA_TAG=develop MTBA_TAG=develop

2
versions/test
View File

@@ -1,6 +1,6 @@
FOCUS_TAG=develop FOCUS_TAG=develop
BEAM_TAG=develop BEAM_TAG=develop
BLAZE_TAG=main BLAZE_TAG=0.32
POSTGRES_TAG=15.13-alpine POSTGRES_TAG=15.13-alpine
TEILER_DASHBOARD_TAG=develop TEILER_DASHBOARD_TAG=develop
MTBA_TAG=develop MTBA_TAG=develop