Merge pull request #338 from samply/develop

Develop Main
feat(dnpm): change to new api-gateway image (#337 )
2025-09-11 14:51:22 +02:00 · 2025-08-20 11:10:18 +02:00 · 2025-08-19 16:35:52 +02:00 · 2025-08-19 16:32:41 +02:00 · 2025-08-19 15:48:05 +02:00 · 2025-07-30 11:21:10 +02:00
17 changed files with 44 additions and 23 deletions
--- a/README.md
+++ b/README.md
@@ -85,6 +85,8 @@ The following URLs need to be accessible (prefix with `https://`):
    * hub.docker.com
    * registry-1.docker.io
    * production.cloudflare.docker.com
+  * GitHub Container Registry - (for use of DNPM:DIP)
+    * ghcr.io
 * To report bridgeheads operational status
  * healthchecks.verbis.dkfz.de
 * only for DKTK/CCP
@@ -95,7 +97,7 @@ The following URLs need to be accessible (prefix with `https://`):
 * only for German Biobank Node
  * broker.bbmri.de

-> 📝 This URL list is subject to change. Instead of the individual names, we highly recommend whitelisting wildcard domains: *.dkfz.de, github.com, *.docker.com, *.docker.io, *.samply.de, *.bbmri.de.
+> 📝 This URL list is subject to change. Instead of the individual names, we highly recommend whitelisting wildcard domains: *.dkfz.de, github.com, *.docker.com, *.docker.io, *.ghcr.io, *.samply.de, *.bbmri.de.

 > 📝 Ubuntu's pre-installed uncomplicated firewall (ufw) is known to conflict with Docker, more info [here](https://github.com/chaifeng/ufw-docker).

--- a/bbmri/modules/teiler-compose.yml
+++ b/bbmri/modules/teiler-compose.yml
@@ -19,7 +19,7 @@ services:
      HTTP_RELATIVE_PATH: "/bbmri-teiler"

  teiler-dashboard:
-    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:develop
+    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:${TEILER_DASHBOARD_TAG}
    container_name: bridgehead-teiler-dashboard
    labels:
      - "traefik.enable=true"
--- a/cce/modules/teiler-compose.yml
+++ b/cce/modules/teiler-compose.yml
@@ -19,7 +19,7 @@ services:
      HTTP_RELATIVE_PATH: "/cce-teiler"

  teiler-dashboard:
-    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:develop
+    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:${TEILER_DASHBOARD_TAG}
    container_name: bridgehead-teiler-dashboard
    labels:
      - "traefik.enable=true"
--- a/ccp/modules/dnpm-node-compose.yml
+++ b/ccp/modules/dnpm-node-compose.yml
@@ -43,7 +43,7 @@ services:
      - "traefik.http.routers.dnpm-auth.tls=true"

  dnpm-portal:
-    image: ghcr.io/dnpm-dip/portal:{DNPM_IMAGE_TAG:-latest}
+    image: ghcr.io/dnpm-dip/portal:${DNPM_IMAGE_TAG:-latest}
    container_name: bridgehead-dnpm-portal
    environment:
      - NUXT_API_URL=http://dnpm-backend:9000/
@@ -58,7 +58,7 @@ services:

  dnpm-backend:
    container_name: bridgehead-dnpm-backend
-    image: ghcr.io/dnpm-dip/backend:{DNPM_IMAGE_TAG:-latest}
+    image: ghcr.io/dnpm-dip/api-gateway:latest
    environment:
      - LOCAL_SITE=${ZPM_SITE}:${SITE_NAME}   # Format: {Site-ID}:{Site-name}, e.g. UKT:Tübingen
      - RD_RANDOM_DATA=${DNPM_SYNTH_NUM:--1}
--- a/ccp/modules/id-management-compose.yml
+++ b/ccp/modules/id-management-compose.yml
@@ -14,6 +14,7 @@ services:
      MAGICPL_CONNECTOR_APIKEY: ${IDMANAGER_READ_APIKEY}
      MAGICPL_CENTRAL_PATIENTLIST_APIKEY: ${IDMANAGER_CENTRAL_PATIENTLIST_APIKEY}
      MAGICPL_CONTROLNUMBERGENERATOR_APIKEY: ${IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY}
+      MAGICPL_OIDC_PROVIDER: ${OIDC_PRIVATE_URL}
    depends_on:
      - patientlist
      - traefik-forward-auth
@@ -71,12 +72,14 @@ services:
      - https_proxy=http://forward_proxy:3128
      - OAUTH2_PROXY_PROVIDER=oidc
      - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
-      - OAUTH2_PROXY_OIDC_ISSUER_URL=https://login.verbis.dkfz.de/realms/master
-      - OAUTH2_PROXY_CLIENT_ID=bridgehead-${SITE_ID}
-      - OAUTH2_PROXY_CLIENT_SECRET=${IDMANAGER_AUTH_CLIENT_SECRET}
+      - OAUTH2_PROXY_OIDC_ISSUER_URL=${OIDC_PRIVATE_URL}
+      - OAUTH2_PROXY_CLIENT_ID=${OIDC_PRIVATE_CLIENT_ID}
+      - OAUTH2_PROXY_CLIENT_SECRET=${OIDC_CLIENT_SECRET}
      - OAUTH2_PROXY_COOKIE_SECRET=${IDMANAGER_AUTH_COOKIE_SECRET}
      - OAUTH2_PROXY_COOKIE_NAME=_BRIDGEHEAD_oauth2_idm
      - OAUTH2_PROXY_COOKIE_DOMAINS=.${HOST}
+      - OAUTH2_PROXY_COOKIE_REFRESH=4m
+      - OAUTH2_PROXY_COOKIE_EXPIRE=24h
      - OAUTH2_PROXY_HTTP_ADDRESS=:4180
      - OAUTH2_PROXY_REVERSE_PROXY=true
      - OAUTH2_PROXY_WHITELIST_DOMAINS=.${HOST}
@@ -87,8 +90,8 @@ services:
      - OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
      - OAUTH2_PROXY_SET_XAUTHREQUEST=true
      # Keycloak has an expiration time of 60s therefore oauth2-proxy needs to refresh after that
-      - OAUTH2_PROXY_COOKIE_REFRESH=60s
-      - OAUTH2_PROXY_ALLOWED_GROUPS=DKTK-CCP-PPSN
+      - OAUTH2_PROXY_ALLOWED_GROUPS=${OIDC_PSP_GROUP}
+      - OAUTH2_PROXY_OIDC_GROUPS_CLAIM=${OIDC_GROUP_CLAIM}
      - OAUTH2_PROXY_PROXY_PREFIX=/oauth2-idm
    labels:
      - "traefik.enable=true"
--- a/ccp/modules/id-management-setup.sh
+++ b/ccp/modules/id-management-setup.sh
@@ -14,6 +14,8 @@ function idManagementSetup() {

 		# Ensure old ids are working !!!
 		export IDMANAGEMENT_FRIENDLY_ID=$(legacyIdMapping "$SITE_ID")
+
+		add_private_oidc_redirect_url "/oauth2-idm/callback"
 	fi
 }

--- a/ccp/modules/mtba-compose.yml
+++ b/ccp/modules/mtba-compose.yml
@@ -2,7 +2,7 @@ version: "3.7"

 services:
  mtba:
-    image: docker.verbis.dkfz.de/cache/samply/mtba:develop
+    image: docker.verbis.dkfz.de/cache/samply/mtba:${MTBA_TAG}
    container_name: bridgehead-mtba
    environment:
      BLAZE_STORE_URL: http://blaze:8080
@@ -22,8 +22,14 @@ services:
      HTTP_RELATIVE_PATH: "/mtba"
      OIDC_ADMIN_GROUP: "${OIDC_ADMIN_GROUP}"
      OIDC_CLIENT_ID: "${OIDC_PRIVATE_CLIENT_ID}"
-      OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
-      OIDC_URL: "${OIDC_URL}"
+      # TODO: Add following variables after moving to Authentik:
+      #OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
+      #OIDC_URL: "${OIDC_URL}"
+      # TODO: Remove following variables after moving to Authentik:
+      # Please add KECLOAK_CLIENT_SECRET in ccp.conf
+      OIDC_CLIENT_SECRET: "${KEYCLOAK_CLIENT_SECRET}"
+      OIDC_URL: "https://login.verbis.dkfz.de/realms/test-realm-01"
+      OIDC_ADMIN_URL: "https://login.verbis.dkfz.de/admin/realms/test-realm-01"

    labels:
      - "traefik.enable=true"
--- a/ccp/modules/teiler-compose.yml
+++ b/ccp/modules/teiler-compose.yml
@@ -19,7 +19,7 @@ services:
      HTTP_RELATIVE_PATH: "/ccp-teiler"

  teiler-dashboard:
-    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:develop
+    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:${TEILER_DASHBOARD_TAG}
    container_name: bridgehead-teiler-dashboard
    labels:
      - "traefik.enable=true"
--- a/ccp/vars
+++ b/ccp/vars
@@ -10,6 +10,7 @@ BROKER_URL_FOR_PREREQ=$BROKER_URL

 OIDC_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})"
 OIDC_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter"
+OIDC_PSP_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_PSP"
 OIDC_PRIVATE_CLIENT_ID=${SITE_ID}-private
 OIDC_PUBLIC_CLIENT_ID=${SITE_ID}-public
 OIDC_URL="https://sso.verbis.dkfz.de/application/o/${OIDC_PUBLIC_CLIENT_ID}/"
--- a/dhki/docker-compose.yml
+++ b/dhki/docker-compose.yml
@@ -39,7 +39,7 @@ services:
      - "blaze"

  beam-proxy:
-    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
+    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG}
    container_name: bridgehead-beam-proxy
    environment:
      BROKER_URL: ${BROKER_URL}
--- a/kr/docker-compose.yml
+++ b/kr/docker-compose.yml
@@ -40,7 +40,7 @@ services:
      - "blaze"

  beam-proxy:
-    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
+    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG}
    container_name: bridgehead-beam-proxy
    environment:
      BROKER_URL: ${BROKER_URL}
--- a/kr/modules/teiler-compose.yml
+++ b/kr/modules/teiler-compose.yml
@@ -19,7 +19,7 @@ services:
      HTTP_RELATIVE_PATH: "/kr-teiler"

  teiler-dashboard:
-    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:develop
+    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:${TEILER_DASHBOARD_TAG}
    container_name: bridgehead-teiler-dashboard
    labels:
      - "traefik.enable=true"
--- a/minimal/modules/dnpm-node-compose.yml
+++ b/minimal/modules/dnpm-node-compose.yml
@@ -43,7 +43,7 @@ services:
      - "traefik.http.routers.dnpm-auth.tls=true"

  dnpm-portal:
-    image: ghcr.io/dnpm-dip/portal:{DNPM_IMAGE_TAG:-latest}
+    image: ghcr.io/dnpm-dip/portal:${DNPM_IMAGE_TAG:-latest}
    container_name: bridgehead-dnpm-portal
    environment:
      - NUXT_API_URL=http://dnpm-backend:9000/
@@ -58,7 +58,7 @@ services:

  dnpm-backend:
    container_name: bridgehead-dnpm-backend
-    image: ghcr.io/dnpm-dip/backend:{DNPM_IMAGE_TAG:-latest}
+    image: ghcr.io/dnpm-dip/api-gateway:latest
    environment:
      - LOCAL_SITE=${ZPM_SITE}:${SITE_NAME}   # Format: {Site-ID}:{Site-name}, e.g. UKT:Tübingen
      - RD_RANDOM_DATA=${DNPM_SYNTH_NUM:--1}
--- a/modules/transfair-compose.yml
+++ b/modules/transfair-compose.yml
@@ -10,7 +10,7 @@ services:
      - TTP_GW_SOURCE
      - TTP_GW_EPIX_DOMAIN
      - TTP_GW_GPAS_DOMAIN
-      - TTP_TYPE
+      - TTP_GW_GPAS_URL
      - TTP_AUTH
      - PROJECT_ID_SYSTEM
      - FHIR_REQUEST_URL=${FHIR_REQUEST_URL}
@@ -26,6 +26,7 @@ services:
      - TLS_DISABLE=${TRANSFAIR_TLS_DISABLE:-false}
      - NO_PROXY=${TRANSFAIR_NO_PROXIES}
      - ALL_PROXY=http://forward_proxy:3128
+    command: dic ${TTP_TYPE}
    volumes:
      - /var/cache/bridgehead/${PROJECT}/transfair:/transfair
      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
--- a/versions/acceptance
+++ b/versions/acceptance
@@ -1,4 +1,6 @@
 FOCUS_TAG=develop
 BEAM_TAG=develop
 BLAZE_TAG=main
-POSTGRES_TAG=15.13-alpine
+POSTGRES_TAG=15.13-alpine
+TEILER_DASHBOARD_TAG=develop
+MTBA_TAG=develop
--- a/versions/prod
+++ b/versions/prod
@@ -1,4 +1,6 @@
 FOCUS_TAG=main
 BEAM_TAG=main
 BLAZE_TAG=0.32
-POSTGRES_TAG=15.13-alpine
+POSTGRES_TAG=15.13-alpine
+TEILER_DASHBOARD_TAG=main
+MTBA_TAG=main
--- a/versions/test
+++ b/versions/test
@@ -1,4 +1,6 @@
 FOCUS_TAG=develop
 BEAM_TAG=develop
 BLAZE_TAG=main
-POSTGRES_TAG=15.13-alpine
+POSTGRES_TAG=15.13-alpine
+TEILER_DASHBOARD_TAG=develop
+MTBA_TAG=develop
Author	SHA1	Message	Date
Jan	af3b7cc3a2	Merge pull request #338 from samply/develop Develop Main	2025-08-20 11:10:18 +02:00
Jan	e0754853d8	feat(dnpm): change to new `api-gateway` image (#337 )	2025-08-19 16:35:52 +02:00
Jan	4407a87644	chore: add more options to transfair (#325 )	2025-08-19 16:32:41 +02:00
Jan	d0851d80a0	fix: adapt to transfair cli changes (#319 )	2025-08-19 15:48:05 +02:00
djuarezgf	ada3226044	Replace hardcoded image: ...:develop references with version variables (#335 ) * added: Teiler Dashboard Version * added: MTBA Version * added: beam proxy tag version	2025-07-30 11:21:10 +02:00
Jan	fad2283e6d	Merge pull request #334 from samply/develop Develop Main	2025-07-25 11:27:14 +02:00
Paul-Christian Volkmer	a2e7330cee	docs: Add ghcr.io to URL list (#321 )	2025-07-25 10:58:56 +02:00
Jan	9c8d0ee8f5	fix(dnpm): fix env subsitution (#333 )	2025-07-25 10:58:07 +02:00
Jan	ecbef2cd0c	Merge pull request #331 from samply/develop Develop to Main	2025-07-24 16:15:05 +02:00
djuarezgf	fcad7104f0	mtba: fallback to keycloak test server pending migration	2025-07-23 09:53:14 +02:00
djuarezgf	7e13e251f8	feat: migrate PSP to Authentik (#329 )	2025-07-22 11:34:49 +02:00
Jan	66fe90ff98	Merge pull request #314 from samply/develop	2025-06-11 11:29:09 +02:00
Jan	03b520bfcc	Merge pull request #308 from samply/develop	2025-05-21 15:45:39 +02:00
Jan	4082292f99	Merge pull request #306 from samply/develop	2025-05-20 11:52:02 +02:00
Martin Lablans	e22ac4b066	Merge pull request #300 from samply/develop Merge develop into main	2025-05-09 09:31:47 +02:00
Jan	cd38957dd7	Merge pull request #289 from samply/develop Merge develop into main	2025-04-15 10:17:11 +02:00
Jan	4ef585bfc5	Merge pull request #281 from samply/develop Merge develop into main	2025-03-17 10:02:58 +01:00
Torben Brenner	6ca67ca082	Merge pull request #270 from samply/develop	2025-02-20 15:46:40 +01:00