Use onkofdz specific broker

feature: log git branches to healthchecks and code refactoring

lib/prerequisites.sh

@@ -3,14 +3,16 @@
 source lib/functions.sh
 
 detectCompose
+CONFIG_DIR="/etc/bridgehead/"
+COMPONENT_DIR="/srv/docker/bridgehead/"
 
 if ! id "bridgehead" &>/dev/null; then
   log ERROR "User bridgehead does not exist. Please run bridgehead install $PROJECT"
   exit 1
 fi
 
-checkOwner /srv/docker/bridgehead bridgehead || exit 1
-checkOwner /etc/bridgehead bridgehead || exit 1
+checkOwner "${CONFIG_DIR}" bridgehead || exit 1
+checkOwner "${COMPONENT_DIR}" bridgehead || exit 1
 
 ## Check if user is a su
 log INFO "Checking if all prerequisites are met ..."
@@ -32,31 +34,31 @@ fi
 log INFO "Checking configuration ..."
 
 ## Download submodule
-if [ ! -d "/etc/bridgehead/" ]; then
-  fail_and_report 1 "Please set up the config folder at /etc/bridgehead. Instruction are in the readme."
+if [ ! -d "${CONFIG_DIR}" ]; then
+  fail_and_report 1 "Please set up the config folder at ${CONFIG_DIR}. Instruction are in the readme."
 fi
 
 # TODO: Check all required variables here in a generic loop
 
 #check if project env is present
-if [ -d "/etc/bridgehead/${PROJECT}.conf" ]; then
-   fail_and_report 1 "Project config not found. Please copy the template from ${PROJECT} and put it under /etc/bridgehead-config/${PROJECT}.conf."
+if [ -d "${CONFIG_DIR}${PROJECT}.conf" ]; then
+   fail_and_report 1 "Project config not found. Please copy the template from ${PROJECT} and put it under ${CONFIG_DIR}${PROJECT}.conf."
 fi
 
 # TODO: Make sure you're in the right directory, or, even better, be independent from the working directory.
 
 log INFO "Checking ssl cert for accessing bridgehead via https"
 
-if [ ! -d "/etc/bridgehead/traefik-tls" ]; then
+if [ ! -d "${CONFIG_DIR}traefik-tls" ]; then
   log WARN "TLS certs for accessing bridgehead via https missing, we'll now create a self-signed one. Please consider getting an officially signed one (e.g. via Let's Encrypt ...) and put into /etc/bridgehead/traefik-tls"
   mkdir -p /etc/bridgehead/traefik-tls
 fi
 
-if [ ! -e "/etc/bridgehead/traefik-tls/fullchain.pem" ]; then
+if [ ! -e "${CONFIG_DIR}traefik-tls/fullchain.pem" ]; then
   openssl req -x509 -newkey rsa:4096 -nodes -keyout /etc/bridgehead/traefik-tls/privkey.pem -out /etc/bridgehead/traefik-tls/fullchain.pem -days 3650 -subj "/CN=$HOST"
 fi
 
-if [ -e /etc/bridgehead/vault.conf ]; then
+if [ -e "${CONFIG_DIR}"vault.conf ]; then
   if [ "$(stat -c "%a %U" /etc/bridgehead/vault.conf)" != "600 bridgehead" ]; then
     fail_and_report 1 "/etc/bridgehead/vault.conf has wrong owner/permissions. To correct this issue, run chmod 600 /etc/bridgehead/vault.conf && chown bridgehead /etc/bridgehead/vault.conf."
   fi
@@ -64,7 +66,7 @@ fi
 
 log INFO "Checking network access ($BROKER_URL_FOR_PREREQ) ..."
 
-source /etc/bridgehead/${PROJECT}.conf
+source "${CONFIG_DIR}${PROJECT}".conf
 source ${PROJECT}/vars
 
 if [ "${PROJECT}" != "minimal" ]; then
@@ -92,10 +94,10 @@ if [ "${PROJECT}" != "minimal" ]; then
   fi
 fi
 checkPrivKey() {
-  if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then
+  if [ -e "${CONFIG_DIR}pki/${SITE_ID}.priv.pem" ]; then
     log INFO "Success - private key found."
   else
-    log ERROR "Unable to find private key at /etc/bridgehead/pki/${SITE_ID}.priv.pem. To fix, please run\n  bridgehead enroll ${PROJECT}\nand follow the instructions."
+    log ERROR "Unable to find private key at ${CONFIG_DIR}pki/${SITE_ID}.priv.pem. To fix, please run\n  bridgehead enroll ${PROJECT}\nand follow the instructions."
     return 1
   fi
   return 0
@@ -107,6 +109,11 @@ else
   checkPrivKey || exit 1
 fi
 
+for dir in  "${CONFIG_DIR}" "${COMPONENT_DIR}"; do
+  log INFO "Checking branch: $(cd $dir && echo "$dir $(git branch --show-current)")"
+  hc_send log "Checking branch: $(cd $dir && echo "$dir $(git branch --show-current)")"
+done
+
 log INFO "Success - all prerequisites are met!"
 hc_send log "Success - all prerequisites are met!"
 

minimal/docker-compose.yml

@@ -10,13 +10,13 @@ services:
       - --providers.docker=true
       - --providers.docker.exposedbydefault=false
       - --providers.file.directory=/configuration/
-      - --api.dashboard=true
+      - --api.dashboard=false
       - --accesslog=true
       - --entrypoints.web.http.redirections.entrypoint.to=websecure
       - --entrypoints.web.http.redirections.entrypoint.scheme=https
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
+      - "traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard/`)"
       - "traefik.http.routers.dashboard.entrypoints=websecure"
       - "traefik.http.routers.dashboard.service=api@internal"
       - "traefik.http.routers.dashboard.tls=true"

minimal/modules/onko.root.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUcGXxIZMxUOoI2kf8FArsOvQfvwwwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjQxMDMxMDkxOTUwWhcNMzQx
+MDI5MDkyMDIwWjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALX+8X4r2mWki4HLs2E5dXR9oGL+8Zos1s9Rmeaz
+FgxnpKf6wlop4ZlJd01Pgi3HNFo7XPFi76zalRsHS+rWN3tOy6r5KIjCYiqPb3AY
+luZuy7jAQOBGHKODVfJH1QCRqsvEwRbOU6nNFAkMcjSxt5+PmwB1U7+Kvmly4sYI
+i4t/gyVvcfEsiZ5LYQ7IpEf+or2Ugpb6j4KlTn+gKFzSfgl+yRhE0bnFEf0eBa+r
+HLLpq4hL16+pb6/WZ4DfM9QDioX6Tj2Hje9Va4RJ2dROENuq5sJugdE28hH9qEwE
+2bmKh6qvblgwkI3rJFkYH+scBtLEUH0KJY+SZ1iYHkoEaCkCAwEAAaN7MHkwDgYD
+VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOe/txl3B7Sd
+NFE+615Z3rfzqBR4MB8GA1UdIwQYMBaAFOe/txl3B7SdNFE+615Z3rfzqBR4MBYG
+A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQA3kVJlBOHn
+Tscsk1FKLYNWE/fr3oUNPUYzXi4lln+UNdRHSdXUPzBp4B5oIi3uymdYg2Rzq9Su
+/xjE7++thgQJ37l/DpCm/TUmUFfH5ZqcaMPA+L21mw9G129teCP1nVuXjtYhwnBk
+fRiz1tzpO1rZCxC+vxIhcPeYSKbaAQTywtJu0MpduGFrfIwLtrxa4GLRQFD06KPx
+Ijq6Pt6kC2abcYtKCMCWmpzttQAq4csWbmWINKkD6GMkuJVpzEx3csg8rCyPCaX0
+HedLiKRqaSOzDRnIWfD2CQX6qMg8TNtnxFnZTlc9honxnwcGaeLZKNEg+1oPA40V
+NOffBIMF4DAV
+-----END CERTIFICATE-----

minimal/modules/onkofdz-compose.yml

@@ -0,0 +1,91 @@
+version: "3.7"
+
+services:
+  beam-proxy:
+    image: samply/beam-proxy:develop-sockets
+    container_name: bridgehead-beam-proxy
+    environment:
+      BROKER_URL: ${BROKER_URL}
+      PROXY_ID: ${PROXY_ID}
+      PRIVKEY_FILE: /run/secrets/proxy.pem
+      ALL_PROXY: http://forward_proxy:3128
+      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
+      ROOTCERT_FILE: /conf/root.crt.pem
+      APP_beamsel_KEY: ${BEAMSEL_SECRET}
+    secrets:
+      - proxy.pem
+    depends_on:
+      - "forward_proxy"
+    volumes:
+      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
+      - /srv/docker/bridgehead/minimal/modules/onko.root.pem:/conf/root.crt.pem:ro
+  postgres:
+    image: postgres:9.5-alpine
+    container_name: bridgehead-onkofdz-postgres
+    environment:
+      POSTGRES_DB: mainzelliste-sel
+      POSTGRES_USER: mainzelliste-sel
+      POSTGRES_PASSWORD: ${MAINZELLISTE_DB_PASSWORD}
+    volumes:
+      # - ./postgres-logs:/var/log/postgresql
+      - ml-data:/var/lib/postgresql/data
+    depends_on:
+      - secureepilinker
+  mainzelliste:
+    image: medicalinformatics/mainzelliste:secureepilinker-alpha
+    container_name: bridgehead-onkofdz-mainzelliste
+    environment:
+      ML_API_KEY: ${LOCAL_SEL_API_KEY}
+      ML_DB_HOST: postgres
+      ML_DB_PORT: 5432
+      ML_DB_USER: mainzelliste-sel
+      ML_DB_NAME: mainzelliste-sel
+      ML_DB_PASS: ${MAINZELLISTE_DB_PASSWORD}
+      ML_LOCAL_ID: ${SITE_ID}
+      ML_LOCAL_SEL_URL: http://secureepilinker:8161
+      ML_LOCAL_CALLBACK_LINK_URL: http://mainzelliste:8080/Communicator/linkCallback
+      ML_LOCAL_CALLBACK_MATCH_URL: http://mainzelliste:8080/Communicator/matchCallback/${REMOTE_SEL_SITE}
+      ML_LOCAL_DATA_SERVICE_URL: http://mainzelliste:8080/Communicator/getAllRecords
+      ML_LOCAL_AUTHENTICATION_TYPE: apiKey
+      ML_LOCAL_API_KEY: ${LOCAL_SEL_API_KEY}
+      ML_SERVER_0_REMOTEID: ${REMOTE_SEL_SITE}
+      ML_SERVER_0_IDTYPE: link-${SITE_ID}-${REMOTE_SEL_SITE}
+      ML_SERVER_0_REMOTE_SEL_URL: http://beamsel:8080
+      ML_SERVER_0_APIKEY: ${REMOTE_SEL_API_KEY}
+      ### Linkage Service not used for matching
+      ML_SERVER_0_LINKAGE_SERVICE_BASE_URL: ${LS_SEL_URL}
+      ML_SERVER_0_LINKAGE_SERVICE_AUTH_TYPE: apiKey
+      ML_SERVER_0_LINKAGE_SERVICE_SHARED_KEY: ${LS_SEL_SHARED_KEY}
+      ML_LOG_MODE: stdout #stdout=stdout everything else =logging in mainzelliste.log
+      ML_LOG_LEVEL: INFO
+      no_proxy: "localhost,secureepilinker"
+    volumes:
+      # - ./logs:/usr/local/tomcat/logs/
+      - /etc/bridgehead/onkofdz/config/mainzelliste.conf.docker:/run/secrets/mainzelliste.docker.conf
+      - /etc/bridgehead/onkofdz/config/sel.conf.docker:/run/secrets/sel.docker.conf
+    depends_on:
+      - postgres
+      - secureepilinker
+  secureepilinker:
+    image: docker.verbis.dkfz.de/onkofdz/secureepilinker:beamsel
+    container_name: bridgehead-onkofdz-secureepilinker
+    environment:
+      no_proxy: "mainzelliste,beamsel"
+    volumes:
+      - "/etc/bridgehead/onkofdz/config/epilinker.serverconf.json:/data/serverconf.json"
+    command: '-vvvv'
+  beamsel:
+    image: docker.verbis.dkfz.de/onkofdz/beam-sel
+    container_name: bridgehead-onkofdz-beamsel
+    environment:
+      BEAM_URL: "http://beam-proxy:8081"
+      BEAM_SECRET: ${BEAMSEL_SECRET}
+      BEAM_ID: beamsel.${PROXY_ID}
+      SEL_ADDR: "secureepilinker:8161"
+    depends_on:
+      - secureepilinker
+volumes:
+  ml-data:
+secrets:
+  proxy.pem:
+    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem

minimal/modules/onkofdz-setup.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+if [ -n "${ENABLE_ONKOFDZ}" ]; then
+  BROKER_ID=test.broker.onkofdz.samply.de
+  BROKER_URL=https://${BROKER_ID}
+  PROXY_ID=${SITE_ID}.${BROKER_ID}
+  BEAMSEL_SECRET="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+  SUPPORT_EMAIL=tobias.kussel@dkfz-heidelberg.de
+  PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
+
+  BROKER_URL_FOR_PREREQ=$BROKER_URL
+
+  log INFO "Loading OnkoFDZ module"
+  OVERRIDE+=" -f ./$PROJECT/modules/onkofdz-compose.yml"
+fi