

12 Commits

f90a0a33e3 fix(dnpm): rewrite old etl endpoint to new one 2025-01-27 15:41:08 +00:00
eb8cb669a6 fix authup redirect (#262)
When an OIDC provider is configured, you'll get redirected to authup by Keycloak, which redirects you to the DNPM:DIP.

Currently the URL looks like this: https://myserver/authup//someurl
and produces an error. Manually removing the additional `/` fixes the issue.
2025-01-27 10:34:50 +01:00
0eff362690 dnpm: Secure endpoints for ETL and p2p communications (#254) 2025-01-21 12:39:57 +00:00
4e8eb6218a chore: pin mysql 2025-01-21 12:39:57 +00:00
5807a3c260 chore: change dnpm images 2025-01-21 12:39:57 +00:00
7acf7b06c3 dnpm: replace named volumes with fs volumes 2025-01-21 12:39:57 +00:00
af88abfae2 dnpm: add uksh to central targets 2025-01-21 12:39:57 +00:00
2a11b6cab1 dnpm: add goettingen to central targets 2025-01-21 12:39:57 +00:00
6ed1cd402b host central targets in git 2025-01-21 12:39:57 +00:00
eed1fe79bf use SITE_NAME for dnpm LOCAL_SITE 2025-01-21 12:39:57 +00:00
839207702b hardcode dnpm connector type to broker 2025-01-21 12:39:57 +00:00
a4039672a5 feat: migrate to new dnpm:dip node 2025-01-21 12:39:57 +00:00
18 changed files with 77 additions and 273 deletions


@ -23,7 +23,6 @@ This repository is the starting point for any information and tools you will nee
- [File structure](#file-structure) - [File structure](#file-structure)
- [BBMRI-ERIC Directory entry needed](#bbmri-eric-directory-entry-needed) - [BBMRI-ERIC Directory entry needed](#bbmri-eric-directory-entry-needed)
- [Loading data](#loading-data) - [Loading data](#loading-data)
- [Metadata feedback](#metadata-feedback)
4. [Things you should know](#things-you-should-know) 4. [Things you should know](#things-you-should-know)
- [Auto-Updates](#auto-updates) - [Auto-Updates](#auto-updates)
- [Auto-Backups](#auto-backups) - [Auto-Backups](#auto-backups)
@ -77,7 +76,7 @@ The following URLs need to be accessible (prefix with `https://`):
* git.verbis.dkfz.de * git.verbis.dkfz.de
* To fetch docker images * To fetch docker images
* docker.verbis.dkfz.de * docker.verbis.dkfz.de
* Official Docker, Inc. URLs (subject to change, see [official list](https://docs.docker.com/desktop/setup/allow-list/)) * Official Docker, Inc. URLs (subject to change, see [official list](https://docs.docker.com/desktop/all))
* hub.docker.com * hub.docker.com
* registry-1.docker.io * registry-1.docker.io
* production.cloudflare.docker.com * production.cloudflare.docker.com
@ -156,7 +155,6 @@ Clone the bridgehead repository:
```shell ```shell
sudo mkdir -p /srv/docker/ sudo mkdir -p /srv/docker/
sudo git clone https://github.com/samply/bridgehead.git /srv/docker/bridgehead sudo git clone https://github.com/samply/bridgehead.git /srv/docker/bridgehead
sudo git checkout metadata_fb # Only needed if you want to use metadata feedback
``` ```
Then, run the installation script: Then, run the installation script:
@ -349,26 +347,6 @@ Normally, you will need to build your own ETL to feed the Bridgehead. However, t
You can find the profiles for generating FHIR in [Simplifier](https://simplifier.net/bbmri.de/~resources?category=Profile). You can find the profiles for generating FHIR in [Simplifier](https://simplifier.net/bbmri.de/~resources?category=Profile).
### Metadata feedback
The Bridgehead comes with a tool that allows you to associate metadata with samples. Multiple arbitrary text strings are allowed. A typical use case would be publications based on research using a sample. Here, one could lay down the DOI of the publication in the sample.
Full details of the system can be found [here](https://github.com/samply/feedback-deployment). To avail yourself of this feature, you need to
- Use the bbmri project.
- work with the ```metadata_fb``` branch of the Bridgehead repository.
- Build the feedback-agent Docker container (more details [here](https://github.com/samply/feedback-agent/)).
- Build the feedback-agent-ui Docker container (more details [here](https://github.com/samply/feedback-agent-ui/)).
The following extra environment variables need to be added to your ```/etc/bridgehead/bbmri.conf``` file:
``` code
ENABLE_EXPORTER=true
ENABLE_FEEDBACK_AGENT=true
FEEDBACK_HUB_URL=<URL for central feedback hub backend API>
FOCUS_RETRY_COUNT=256
```
## Things you should know ## Things you should know
### Auto-Updates ### Auto-Updates


@ -22,7 +22,6 @@ services:
BROKER_URL: ${ERIC_BROKER_URL} BROKER_URL: ${ERIC_BROKER_URL}
PROXY_ID: ${ERIC_PROXY_ID} PROXY_ID: ${ERIC_PROXY_ID}
APP_focus_KEY: ${ERIC_FOCUS_BEAM_SECRET_SHORT} APP_focus_KEY: ${ERIC_FOCUS_BEAM_SECRET_SHORT}
APP_feedback-agent_KEY: ${FEEDBACK_AGENT_BEAM_SECRET}
PRIVKEY_FILE: /run/secrets/proxy.pem PRIVKEY_FILE: /run/secrets/proxy.pem
ALL_PROXY: http://forward_proxy:3128 ALL_PROXY: http://forward_proxy:3128
TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs


@ -1,67 +0,0 @@
version: "3.7"
services:
exporter:
image: docker.verbis.dkfz.de/ccp/dktk-exporter:latest
container_name: bridgehead-ccp-exporter
environment:
JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC"
LOG_LEVEL: "INFO"
EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
CROSS_ORIGINS: "https://${HOST}"
EXPORTER_DB_USER: "exporter"
EXPORTER_DB_PASSWORD: "${EXPORTER_DB_PASSWORD}"
EXPORTER_DB_URL: "jdbc:postgresql://exporter-db:5432/exporter"
HTTP_RELATIVE_PATH: "/ccp-exporter"
SITE: "${SITE_ID}"
HTTP_SERVLET_REQUEST_SCHEME: "https"
OPAL_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
labels:
- "traefik.enable=true"
- "traefik.http.routers.exporter_ccp.rule=PathPrefix(`/ccp-exporter`)"
- "traefik.http.services.exporter_ccp.loadbalancer.server.port=8092"
- "traefik.http.routers.exporter_ccp.tls=true"
- "traefik.http.middlewares.exporter_ccp_strip.stripprefix.prefixes=/ccp-exporter"
- "traefik.http.routers.exporter_ccp.middlewares=exporter_ccp_strip"
volumes:
- "/var/cache/bridgehead/ccp/exporter-files:/app/exporter-files/output"
exporter-db:
image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
container_name: bridgehead-ccp-exporter-db
environment:
POSTGRES_USER: "exporter"
POSTGRES_PASSWORD: "${EXPORTER_DB_PASSWORD}"
POSTGRES_DB: "exporter"
volumes:
# Consider removing this volume once we find a solution to save Lens-queries to be executed in the explorer.
- "/var/cache/bridgehead/ccp/exporter-db:/var/lib/postgresql/data"
reporter:
image: docker.verbis.dkfz.de/ccp/dktk-reporter:latest
container_name: bridgehead-ccp-reporter
environment:
JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC"
LOG_LEVEL: "INFO"
CROSS_ORIGINS: "https://${HOST}"
HTTP_RELATIVE_PATH: "/ccp-reporter"
SITE: "${SITE_ID}"
EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
EXPORTER_URL: "http://exporter:8092"
LOG_FHIR_VALIDATION: "false"
HTTP_SERVLET_REQUEST_SCHEME: "https"
# In this initial development state of the bridgehead, we are trying to have so many volumes as possible.
# However, in the first executions in the CCP sites, this volume seems to be very important. A report is
# a process that can take several hours, because it depends on the exporter.
# There is a risk that the bridgehead restarts, losing the already created export.
volumes:
- "/var/cache/bridgehead/ccp/reporter-files:/app/reports"
labels:
- "traefik.enable=true"
- "traefik.http.routers.reporter_ccp.rule=PathPrefix(`/ccp-reporter`)"
- "traefik.http.services.reporter_ccp.loadbalancer.server.port=8095"
- "traefik.http.routers.reporter_ccp.tls=true"
- "traefik.http.middlewares.reporter_ccp_strip.stripprefix.prefixes=/ccp-reporter"
- "traefik.http.routers.reporter_ccp.middlewares=reporter_ccp_strip"


@ -1,9 +0,0 @@
#!/bin/bash -e
if [ "$ENABLE_EXPORTER" == true ]; then
log INFO "Exporter setup detected -- will start Exporter service."
OVERRIDE+=" -f ./$PROJECT/modules/exporter-compose.yml"
EXPORTER_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
EXPORTER_API_KEY="$(echo \"This is a salt string to generate one consistent API KEY for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)"
POSTGRES_TAG=15.6-alpine
fi


@ -1,15 +0,0 @@
# Exporter and Reporter
## Exporter
The exporter is a REST API that exports the data of the different databases of the bridgehead in a set of tables.
It can accept different output formats as CSV, Excel, JSON or XML. It can also export data into Opal.
## Exporter-DB
It is a database to save queries for its execution in the exporter.
The exporter manages also the different executions of the same query in through the database.
## Reporter
This component is a plugin of the exporter that allows to create more complex Excel reports described in templates.
It is compatible with different template engines as Groovy, Thymeleaf,...
It is perfect to generate a document as our traditional CCP quality report.


@ -1,59 +0,0 @@
version: "3.7"
services:
feedback-agent-ui:
image: "samply/feedback-agent-ui"
environment:
- VUE_APP_EXPORTER_URL=https://localhost/ccp-exporter
- VUE_APP_FB_BACKEND_URL=http://localhost:8072
labels:
- traefik.enable=true
# HTTPS
- traefik.http.routers.feedback_agent_ui_ccp_https.rule=PathPrefix(`/ccp-feedback-agent-ui`)
- traefik.http.services.feedback_agent_ui_ccp_https.loadbalancer.server.port=8096
- traefik.http.routers.feedback_agent_ui_ccp_https.entrypoints=websecure
- traefik.http.routers.feedback_agent_ui_ccp_https.tls=true
feedback-agent:
image: "samply/feedback-agent"
environment:
- SPRING_DATASOURCE_URL=jdbc:postgresql://feedback-agent-db:5432/compose-postgres
- SPRING_DATASOURCE_USERNAME=compose-postgres
- SPRING_DATASOURCE_PASSWORD=${FEEDBACK_AGENT_DB_PASSWORD}
- SPRING_JPA_HIBERNATE_DDL_AUTO=update
- BEAM_PROXY_URI=http://beam-proxy-eric:8081
- FEEDBACK_HUB_URL=${FEEDBACK_HUB_URL}
- BLAZE_BASE_URL=http://blaze:8080/fhir
- FEEDBACK_AGENT_SECRET=${FEEDBACK_AGENT_BEAM_SECRET}
- FEEDBACK_AGENT_BEAM_ID=feedback-agent.${ERIC_PROXY_ID}
- FEEDBACK_HUB_BEAM_ID=feedback-hub.feedback-central.${ERIC_BROKER_ID}
- EXPORTER_API_KEY=${EXPORTER_API_KEY}
- CORS_ALLOWED_ORIGINS="https://${HOST}
networks:
# Only needed for local testing.
- feedback
- default
labels:
- traefik.enable=true
# HTTPS
- traefik.http.routers.feedback_agent_ccp_https.rule=PathPrefix(`/ccp-feedback-agent`)
- traefik.http.services.feedback_agent_ccp_https.loadbalancer.server.port=8072
- traefik.http.routers.feedback_agent_ccp_https.entrypoints=websecure
- traefik.http.middlewares.feedback_agent_ccp_https_strip.stripprefix.prefixes=/ccp-feedback-agent
- traefik.http.routers.feedback_agent_ccp_https.middlewares=feedback_agent_ccp_https_strip
- traefik.http.routers.feedback_agent_ccp_https.tls=true
feedback-agent-db:
image: 'postgres:13.1-alpine'
container_name: feedback-agent-db
environment:
- POSTGRES_USER=compose-postgres
- POSTGRES_PASSWORD=${FEEDBACK_AGENT_DB_PASSWORD}
# This is needed when you run both agent and hub locally in a test
# environment. Not necessary in production, though it probably won't
# cause any problems.
networks:
# Network to connect agent and hub.
feedback:
name: feedback
driver: bridge


@ -1,8 +0,0 @@
#!/bin/bash
if [ "$ENABLE_FEEDBACK_AGENT" == true ]; then
OVERRIDE+=" -f ./$PROJECT/modules/feedback-agent-compose.yml"
FEEDBACK_AGENT_BEAM_SECRET="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
FEEDBACK_AGENT_DB_PASSWORD="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
fi


@ -1,6 +0,0 @@
# Metadata feedback agent
This component can be used to choose the sample to be associated
with a given piece of metadata (generally the ID of a publication
relating to research done with the sample).


@ -53,44 +53,17 @@ case "$PROJECT" in
;; ;;
esac esac
# Loads config variables and runs the projects setup script
loadVars() { loadVars() {
# Load variables from /etc/bridgehead and /srv/docker/bridgehead
set -a set -a
# Source the project specific config file
source /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "/etc/bridgehead/$PROJECT.conf not found" source /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "/etc/bridgehead/$PROJECT.conf not found"
# Source the project specific local config file if present
# This file is ignored by git as oposed to the regular config file as it contains private site information like etl auth data
if [ -e /etc/bridgehead/$PROJECT.local.conf ]; then if [ -e /etc/bridgehead/$PROJECT.local.conf ]; then
log INFO "Applying /etc/bridgehead/$PROJECT.local.conf" log INFO "Applying /etc/bridgehead/$PROJECT.local.conf"
source /etc/bridgehead/$PROJECT.local.conf || fail_and_report 1 "Found /etc/bridgehead/$PROJECT.local.conf but failed to import" source /etc/bridgehead/$PROJECT.local.conf || fail_and_report 1 "Found /etc/bridgehead/$PROJECT.local.conf but failed to import"
fi fi
# Set execution environment on main default to prod else test
if [[ -z "${ENVIRONMENT+x}" ]]; then
if [ "$(git rev-parse --abbrev-ref HEAD)" == "main" ]; then
ENVIRONMENT="production"
else
ENVIRONMENT="test"
fi
fi
# Source the versions of the images components
case "$ENVIRONMENT" in
"production")
source ./versions/prod
;;
"test")
source ./versions/test
;;
*)
report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
source ./versions/prod
;;
esac
fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Unable to fetchVarsFromVaultByFile" fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Unable to fetchVarsFromVaultByFile"
setHostname setHostname
optimizeBlazeMemoryUsage optimizeBlazeMemoryUsage
# Run project specific setup if it exists
# This will ususally modiy the `OVERRIDE` to include all the compose files that the project depends on
# This is also where projects specify which modules to load
[ -e ./$PROJECT/vars ] && source ./$PROJECT/vars [ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
set +a set +a
@ -106,6 +79,26 @@ loadVars() {
fi fi
detectCompose detectCompose
setupProxy setupProxy
# Set some project-independent default values
: ${ENVIRONMENT:=production}
export ENVIRONMENT
case "$ENVIRONMENT" in
"production")
export FOCUS_TAG=main
export BEAM_TAG=main
;;
"test")
export FOCUS_TAG=develop
export BEAM_TAG=develop
;;
*)
report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
export FOCUS_TAG=main
export BEAM_TAG=main
;;
esac
} }
case "$ACTION" in case "$ACTION" in
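Review bot: FOCUS_TAG and BEAM_TAG are now exported at the very end of loadVars, after setupProxy, whereas the old side sourced versions/prod before `./$PROJECT/vars` was sourced; any project vars or module setup script that reads those tags while assembling OVERRIDE now sees them empty, so either confirm none does or move the `case "$ENVIRONMENT"` block above the `[ -e ./$PROJECT/vars ] && source ./$PROJECT/vars` line. The `*)` branch only calls report_error and then continues with the production tags, so a typo in ENVIRONMENT in /etc/bridgehead/$PROJECT.conf puts a site on production images with nothing but a log line; `fail_and_report 7 "Environment \"$ENVIRONMENT\" is unknown."` would match how the surrounding code treats a missing config file. The comment explaining where ENVIRONMENT comes from went away with the branch detection; a line above `: ${ENVIRONMENT:=production}` such as `# ENVIRONMENT is read from /etc/bridgehead/$PROJECT.conf; anything other than production|test falls back to production` would document the new contract.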


@ -83,6 +83,10 @@ services:
- "traefik.http.routers.dnpm-backend-etl.rule=PathRegexp(`^/api(/.*)?etl(/.*)?$`)" - "traefik.http.routers.dnpm-backend-etl.rule=PathRegexp(`^/api(/.*)?etl(/.*)?$`)"
- "traefik.http.routers.dnpm-backend-etl.tls=true" - "traefik.http.routers.dnpm-backend-etl.tls=true"
- "traefik.http.routers.dnpm-backend-etl.service=dnpm-backend" - "traefik.http.routers.dnpm-backend-etl.service=dnpm-backend"
# TODO: add to minimal and document
- "traefik.http.middlewares.rewrite-mtbfile.replacepathregex.regex=^(.*)/MTBFile$"
- "traefik.http.middlewares.rewrite-mtbfile.replacepathregex.replacement=$1"
- "traefik.http.routers.dnpm-backend-etl.middlewares=rewrite-mtbfile"
# this needs an ETL processor with support for basic auth # this needs an ETL processor with support for basic auth
- "traefik.http.routers.dnpm-backend-etl.middlewares=auth" - "traefik.http.routers.dnpm-backend-etl.middlewares=auth"
# except peer-to-peer # except peer-to-peer
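Review bot: The new label `traefik.http.routers.dnpm-backend-etl.middlewares=rewrite-mtbfile` uses the same label key as the existing `traefik.http.routers.dnpm-backend-etl.middlewares=auth` two lines below, and a compose label map holds one value per key; depending on which duplicate the compose parser keeps, either the MTBFile rewrite is silently ignored or the basic-auth middleware that #254 put on this ETL route is dropped and the endpoint becomes unauthenticated. Traefik chains middlewares in a single comma-separated value, so the two labels should collapse into one, with auth first so unauthenticated requests are rejected before any path rewriting: `- "traefik.http.routers.dnpm-backend-etl.middlewares=auth,rewrite-mtbfile"`. The replacement value `$1` is also subject to compose variable interpolation; Traefik's own compose examples escape it as `$$1`, so the label presumably needs `replacement=$$1` — verify with `docker compose config`. The `# TODO: add to minimal and document` comment should say which file "minimal" refers to.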


@ -10,7 +10,7 @@ if [ -n "${ENABLE_DNPM_NODE}" ]; then
exit 1 exit 1
fi fi
mkdir -p /var/cache/bridgehead/dnpm/ || fail_and_report 1 "Failed to create '/var/cache/bridgehead/dnpm/'. Please run sudo './bridgehead install $PROJECT' again to fix the permissions." mkdir -p /var/cache/bridgehead/dnpm/ || fail_and_report 1 "Failed to create '/var/cache/bridgehead/dnpm/'. Please run sudo './bridgehead install $PROJECT' again to fix the permissions."
DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:--1} DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:--1}
DNPM_MYSQL_ROOT_PASSWORD="$(generate_simple_password 'dnpm mysql')" DNPM_MYSQL_ROOT_PASSWORD="$(generate_simple_password 'dnpm mysql')"
DNPM_AUTHUP_SECRET="$(generate_simple_password 'dnpm authup')" DNPM_AUTHUP_SECRET="$(generate_simple_password 'dnpm authup')"
fi fi


@ -116,7 +116,7 @@ assertVarsNotEmpty() {
MISSING_VARS="" MISSING_VARS=""
for VAR in $@; do for VAR in $@; do
if [ -z "${!VAR}" ]; then if [ -z "${!VAR}" ]; then
MISSING_VARS+="$VAR " MISSING_VARS+="$VAR "
fi fi
done done
@ -318,7 +318,7 @@ function sync_secrets() {
docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
set -a # Export variables as environment variables set -a # Export variables as environment variables
source /var/cache/bridgehead/secrets/oidc source /var/cache/bridgehead/secrets/*
set +a # Export variables in the regular way set +a # Export variables in the regular way
} }
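Review bot: `source /var/cache/bridgehead/secrets/*` does not source every file in that directory: bash's `source` takes one filename and passes any further words to the sourced script as positional parameters, so only the alphabetically first secret file is loaded and the remaining paths are silently handed to it as `$1`, `$2`, …; with no matching file the literal `*` path makes `source` fail outright. A loop makes the intent explicit and tolerates an empty directory: `for f in /var/cache/bridgehead/secrets/*; do [ -f "$f" ] && source "$f"; done`. Because everything in that directory is now executed as shell inside `set -a`, exporting whatever it defines into the caller's environment, a comment stating that only secret-sync output is expected there, or a loop over the known file names, would be worth adding. The enclosing sync_secrets function starts outside this hunk.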


@ -1,11 +0,0 @@
#!/bin/bash
[ "$1" = "get" ] || exit
source /var/cache/bridgehead/secrets/gitlab_token
# Any non-empty username works, only the token matters
cat << EOF
username=bk
password=$BRIDGEHEAD_CONFIG_REPO_TOKEN
EOF

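--- /dev/null
+++ b/lib/gitpassword.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+if [ "$1" != "get" ]; then
+echo "Usage: $0 get"
+exit 1
+fi
+baseDir() {
+# see https://stackoverflow.com/questions/59895
+SOURCE=${BASH_SOURCE[0]}
+while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
+DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
+SOURCE=$(readlink "$SOURCE")
+[[ $SOURCE != /* ]] && SOURCE=$DIR/$SOURCE # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
+done
+DIR=$( cd -P "$( dirname "$SOURCE" )/.." >/dev/null 2>&1 && pwd )
+echo $DIR
+}
+BASE=$(baseDir)
+cd $BASE
+source lib/functions.sh
+assertVarsNotEmpty SITE_ID || fail_and_report 1 "gitpassword.sh failed: SITE_ID is empty."
+PARAMS="$(cat)"
+GITHOST=$(echo "$PARAMS" | grep "^host=" | sed 's/host=\(.*\)/\1/g')
+fetchVarsFromVault GIT_PASSWORD
+if [ -z "${GIT_PASSWORD}" ]; then
+fail_and_report 1 "gitpassword.sh failed: Git password not found."
+fi
+cat <<EOF
+protocol=https
+host=$GITHOST
+username=bk-${SITE_ID}
+password=${GIT_PASSWORD}
+EOF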
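Review bot: The helper answers every `get` request with the vault-fetched GIT_PASSWORD regardless of which host git is asking about — `GITHOST` is parsed from the credential-protocol input only to be echoed back — so any remote, submodule or redirect pointing at another host would be handed the site's credentials, and the update script in this compare installs the helper on the GitHub-hosted /srv/docker/bridgehead checkout as well. Restrict it to the host the config repository actually lives on, e.g. `[ "$GITHOST" = "git.verbis.dkfz.de" ] || fail_and_report 1 "gitpassword.sh: refusing to supply credentials for host '$GITHOST'."` (the README's allow-list names git.verbis.dkfz.de; confirm that is the config repo host). The hardcoded `protocol=https` in the output likewise ignores the requested protocol, so checking that the input contains `protocol=https` before answering would keep the secret from being offered over plain http. Git also calls helpers with `store` and `erase` after each authentication; the previous helper exited 0 for those, whereas this one exits 1 and prints the usage line to stdout, so at least send it to stderr with `echo "Usage: $0 get" >&2`. `cd $BASE` and `echo $DIR` in baseDir should be quoted.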


@ -19,7 +19,7 @@ fi
hc_send log "Checking for bridgehead updates ..." hc_send log "Checking for bridgehead updates ..."
CONFFILE=/etc/bridgehead/$PROJECT.conf CONFFILE=/etc/bridgehead/$1.conf
if [ ! -e $CONFFILE ]; then if [ ! -e $CONFFILE ]; then
fail_and_report 1 "Configuration file $CONFFILE not found." fail_and_report 1 "Configuration file $CONFFILE not found."
@ -33,43 +33,7 @@ export SITE_ID
checkOwner /srv/docker/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /srv/docker/bridgehead" checkOwner /srv/docker/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /srv/docker/bridgehead"
checkOwner /etc/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /etc/bridgehead" checkOwner /etc/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /etc/bridgehead"
# Use Secret Sync to validate the GitLab token in /var/cache/bridgehead/secrets/gitlab_token. CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
# If it is missing or expired, Secret Sync will create a new token and write it to the file.
# The git credential helper reads the token from the file during git pull.
mkdir -p /var/cache/bridgehead/secrets
touch /var/cache/bridgehead/secrets/gitlab_token # the file has to exist to be mounted correctly in the Docker container
log "INFO" "Running Secret Sync for the GitLab token"
docker pull docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest # make sure we have the latest image
docker run --rm \
-v /var/cache/bridgehead/secrets/gitlab_token:/usr/local/cache \
-v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
-v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
-v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
-e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
-e NO_PROXY=localhost,127.0.0.1 \
-e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
-e PROXY_ID=$PROXY_ID \
-e BROKER_URL=$BROKER_URL \
-e GITLAB_PROJECT_ACCESS_TOKEN_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \
-e SECRET_DEFINITIONS=GitLabProjectAccessToken:BRIDGEHEAD_CONFIG_REPO_TOKEN: \
docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
if [ $? -eq 0 ]; then
log "INFO" "Secret Sync was successful"
# In the past we used to hardcode tokens into the repository URL. We have to remove those now for the git credential helper to become effective.
CLEAN_REPO="$(git -C /etc/bridgehead remote get-url origin | sed -E 's|https://[^@]+@|https://|')"
git -C /etc/bridgehead remote set-url origin "$CLEAN_REPO"
# Set the git credential helper
git -C /etc/bridgehead config credential.helper /srv/docker/bridgehead/lib/gitlab-token-helper.sh
else
log "WARN" "Secret Sync failed"
# Remove the git credential helper
git -C /etc/bridgehead config --unset credential.helper
fi
# In the past the git credential helper was also set for /srv/docker/bridgehead but never used.
# Let's remove it to avoid confusion. This line can be removed at some point the future when we
# believe that it was removed on all/most production servers.
git -C /srv/docker/bridgehead config --unset credential.helper
CHANGES="" CHANGES=""
@ -81,6 +45,10 @@ for DIR in /etc/bridgehead $(pwd); do
if [ -n "$OUT" ]; then if [ -n "$OUT" ]; then
report_error log "The working directory $DIR is modified. Changed files: $OUT" report_error log "The working directory $DIR is modified. Changed files: $OUT"
fi fi
if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then
log "INFO" "Configuring repo to use bridgehead git credential helper."
git -C $DIR config credential.helper "$CREDHELPER"
fi
old_git_hash="$(git -C $DIR rev-parse --verify HEAD)" old_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
if [ -z "$HTTPS_PROXY_FULL_URL" ]; then if [ -z "$HTTPS_PROXY_FULL_URL" ]; then
log "INFO" "Git is using no proxy!" log "INFO" "Git is using no proxy!"
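Review bot: The removed block also rewrote the origin URL to strip an embedded `https://user:token@` credential (the `CLEAN_REPO` step) before enabling the helper, and the new loop drops that: on a server whose /etc/bridgehead remote still carries a hardcoded token, git uses the URL credential and never consults gitpassword.sh, so the stale token keeps failing after rotation and the new helper has no effect there. Keeping the two lines inside the loop, right before the `credential.helper` check, preserves the migration: `CLEAN_REPO="$(git -C $DIR remote get-url origin | sed -E 's|https://[^@]+@|https://|')"` followed by `git -C $DIR remote set-url origin "$CLEAN_REPO"`. The loop now also configures the helper for `$(pwd)` (/srv/docker/bridgehead, cloned from GitHub per the README), which the deleted comment said was never needed; with a helper that answers for any host, this means the site's git password would be offered to github.com on any authentication challenge, so either skip the helper for that directory or have the helper check the host. `CONFFILE=/etc/bridgehead/$1.conf` replaces `$PROJECT`; presumably `$1` is the project argument, but if PROJECT is still set elsewhere in this script the two can diverge, and a comment or an explicit `PROJECT=$1` would make the relationship clear. The `for DIR` loop starts before and continues past this hunk.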


@ -10,7 +10,7 @@ if [ -n "${ENABLE_DNPM_NODE}" ]; then
exit 1 exit 1
fi fi
mkdir -p /var/cache/bridgehead/dnpm/ || fail_and_report 1 "Failed to create '/var/cache/bridgehead/dnpm/'. Please run sudo './bridgehead install $PROJECT' again to fix the permissions." mkdir -p /var/cache/bridgehead/dnpm/ || fail_and_report 1 "Failed to create '/var/cache/bridgehead/dnpm/'. Please run sudo './bridgehead install $PROJECT' again to fix the permissions."
DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:--1} DNPM_SYNTH_NUM=${DNPM_SYNTH_NUM:--1}
DNPM_MYSQL_ROOT_PASSWORD="$(generate_simple_password 'dnpm mysql')" DNPM_MYSQL_ROOT_PASSWORD="$(generate_simple_password 'dnpm mysql')"
DNPM_AUTHUP_SECRET="$(generate_simple_password 'dnpm authup')" DNPM_AUTHUP_SECRET="$(generate_simple_password 'dnpm authup')"
fi fi


@ -1,2 +0,0 @@
FOCUS_TAG=main
BEAM_TAG=main


@ -1,2 +0,0 @@
FOCUS_TAG=develop
BEAM_TAG=develop