Add documentation for proxy (credential) special character escaping

update beam proxy server used for oauth enrollment (#366 )
test version blaze (#364 )
2025-12-12 19:17:32 +01:00 · 2025-12-12 11:26:42 +01:00 · 2025-12-11 11:33:29 +01:00 · 2025-12-01 12:54:57 +01:00 · 2025-12-01 12:50:07 +01:00 · 2025-11-21 14:52:42 +01:00
24 changed files with 372 additions and 63 deletions
--- a/README.md
+++ b/README.md
@@ -73,7 +73,7 @@ We recommend to install Docker(-compose) from its official sources as described
 A Bridgehead communicates to all central components via outgoing HTTPS connections.
-Your site might require an outgoing proxy (i.e. HTTPS forward proxy) to connect to external servers; you should discuss this with your local systems administration. In that case, you will need to note down the URL of the proxy. If the proxy requires authentication, you will also need to make a note of its username and password. This information will be used later on during the installation process. TLS terminating proxies are also supported, see [here](#tls-terminating-proxies). Apart from the Bridgehead itself, you may also need to configure the proxy server in [git](https://gist.github.com/evantoli/f8c23a37eb3558ab8765) and [docker](https://docs.docker.com/network/proxy/).
+Your site might require an outgoing proxy (i.e. HTTPS forward proxy) to connect to external servers; you should discuss this with your local systems administration. In that case, you will need to note down the URL of the proxy. If the proxy requires authentication, you will also need to make a note of its username and password. This information will be used later on during the installation process. Special characters in the proxy values, e.g. in the access credentials, must be [URL-encoded](https://en.wikipedia.org/wiki/Percent-encoding), e.g. by replacing `@` with `%40`, `/` with `%2F` and so on. TLS terminating proxies are also supported, see [here](#tls-terminating-proxies). Apart from the Bridgehead itself, you may also need to configure the proxy server in [git](https://gist.github.com/evantoli/f8c23a37eb3558ab8765) and [docker](https://docs.docker.com/network/proxy/).
 The following URLs need to be accessible (prefix with `https://`):
 * To fetch code and configuration from git repositories
@@ -318,6 +318,12 @@ To enable it, you will need to explicitly set the username and password variable
 DS_DIRECTORY_USER_NAME=your_directory_username
 DS_DIRECTORY_USER_PASS=your_directory_password
 ```
 Alternatively, if you have obtained a token from the Directory, you can insert the following into the configuration file:
 ```
 DS_DIRECTORY_USER_TOKEN=your_directory_token
 ```
 If you don't supply any authentification information (either login credentials or a token), Directory sync will not start.
 Please contact your National Node or Directory support (directory-dev@helpdesk.bbmri-eric.eu) to obtain these credentials.
 The following environment variables can be used from within your config file to control the behavior of Directory sync:
@@ -325,12 +331,13 @@ The following environment variables can be used from within your config file to
 | Variable                           | Purpose                                                                                                                                                              | Default if not specified               |
 |:-----------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------|
 | DS_DIRECTORY_URL                   | Base URL of the Directory                                                                                                                                            | https://directory-backend.molgenis.net |
-| DS_DIRECTORY_USER_NAME             | User name for logging in to Directory **Mandatory**                                                                                                                  |                                        |
+| DS_DIRECTORY_USER_NAME             | User name for logging in to Directory                                                                                                                                |                                        |
-| DS_DIRECTORY_USER_PASS             | Password for logging in to Directory **Mandatory**                                                                                                                   |                                        |
+| DS_DIRECTORY_USER_PASS             | Password for logging in to Directory                                                                                                                                 |                                        |
 | DS_DIRECTORY_USER_TOKEN            | Token for logging in to Directory                                                                                                                                    |                                        |
 | DS_DIRECTORY_DEFAULT_COLLECTION_ID | ID of collection to be used if not in samples                                                                                                                        |                                        |
 | DS_DIRECTORY_ALLOW_STAR_MODEL      | Set to 'True' to send star model info to Directory                                                                                                                   | True                                  |
 | DS_FHIR_STORE_URL                  | URL for FHIR store                                                                                                                                                   | http://bridgehead-bbmri-blaze:8080     |
-| DS_TIMER_CRON                      | Execution interval for Directory sync, [cron](https://crontab.guru) format                                                                                           | 0 22 * * *                             |
+| DS_TIMER_CRON                      | Execution interval for Directory sync, [cron](https://crontab.guru) format                                                                                           | 30 22 * * *                            |
 | DS_IMPORT_BIOBANKS                 | Set to 'True' to import biobank metadata from Directory                                                                                                              | True                                  |
 | DS_IMPORT_COLLECTIONS              | Set to 'True' to import collection metadata from Directory                                                                                                           | True                                  |
@@ -529,6 +536,8 @@ and restart the docker daemon:
 sudo systemctl restart docker
 ```
 Please note that special characters in the proxy value, such as `#?!()[]{}`, must be double escaped using `%%`.
 For more information, please consult the [official documentation](https://docs.docker.com/config/daemon/systemd/#httphttps-proxy).
 ### Monitoring
--- a/bbmri/modules/directory-sync-compose.yml
+++ b/bbmri/modules/directory-sync-compose.yml
@@ -7,7 +7,8 @@ services:
      DS_DIRECTORY_URL: ${DS_DIRECTORY_URL:-https://directory.bbmri-eric.eu}
      DS_DIRECTORY_USER_NAME: ${DS_DIRECTORY_USER_NAME}
      DS_DIRECTORY_USER_PASS: ${DS_DIRECTORY_USER_PASS}
-      DS_TIMER_CRON: ${DS_TIMER_CRON:-0 22 * * *}
+      DS_DIRECTORY_USER_TOKEN: ${DS_DIRECTORY_USER_TOKEN}
      DS_TIMER_CRON: ${DS_TIMER_CRON:-30 22 * * *}
      DS_DIRECTORY_ALLOW_STAR_MODEL: ${DS_DIRECTORY_ALLOW_STAR_MODEL:-true}
      DS_DIRECTORY_MOCK: ${DS_DIRECTORY_MOCK}
      DS_DIRECTORY_DEFAULT_COLLECTION_ID: ${DS_DIRECTORY_DEFAULT_COLLECTION_ID}
@@ -16,3 +17,6 @@ services:
      DS_IMPORT_COLLECTIONS: ${DS_IMPORT_COLLECTIONS:-true}
    depends_on:
      - "blaze"
    volumes:
      - /etc/localtime:/etc/localtime:ro # inherit host timezone
      - /etc/timezone:/etc/timezone:ro   # inherit host timezone name
--- a/bbmri/modules/eric-compose.yml
+++ b/bbmri/modules/eric-compose.yml
@@ -11,6 +11,7 @@ services:
      BLAZE_URL: "http://blaze:8080/fhir/"
      BEAM_PROXY_URL: http://beam-proxy-eric:8081
      RETRY_COUNT: ${FOCUS_RETRY_COUNT}
      OBFUSCATE_BBMRI_ERIC_WAY: "true"
    depends_on:
      - "beam-proxy-eric"
      - "blaze"
--- a/3
+++ b/3
@@ -47,6 +47,9 @@ case "$PROJECT" in
 	dhki)
 		#nothing extra to do
 		;;
 	nngm)
 		#nothing extra to do
 		;;
 	minimal)
 		#nothing extra to do
 		;;
--- a/cce/modules/lens-compose.yml
+++ b/cce/modules/lens-compose.yml
@@ -1,32 +1,44 @@
 version: "3.7"
 services:
-  landing:
+  lens:
    container_name: lens_federated-search
-    image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID}
+    image: samply/cce-explorer:main
    labels:
      - "traefik.http.services.lens.loadbalancer.server.port=3000"
      - "traefik.enable=true"
-      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
+      - "traefik.http.routers.lens.rule=Host(`${HOST}`)"
-      - "traefik.http.services.landing.loadbalancer.server.port=80"
+      - "traefik.http.routers.lens.tls=true"
      - "traefik.http.routers.landing.tls=true"
  spot:
-    image: docker.verbis.dkfz.de/ccp-private/central-spot
+    image: samply/rustyspot:latest
    environment:
      HTTP_PROXY: ${HTTP_PROXY_URL}
      HTTPS_PROXY: ${HTTPS_PROXY_URL}
      NO_PROXY: beam-proxy
      BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}"
-      BEAM_URL: http://beam-proxy:8081
+      BEAM_PROXY_URL: http://beam-proxy:8081
-      BEAM_PROXY_ID: ${SITE_ID}
+      BEAM_APP_ID: "spot.${SITE_ID}.${BROKER_ID}"
-      BEAM_BROKER_ID: ${BROKER_ID}
+      CORS_ORIGIN: "https://${HOST}"
-      BEAM_APP_ID: "focus"
+      SITES: ${SITES}
      TRANSFORM: LENS
      PROJECT: cce
      BIND_ADDR: 0.0.0.0:8055
    depends_on:
      - "beam-proxy"
    labels:
      - "traefik.enable=true"
-      - "traefik.http.services.spot.loadbalancer.server.port=8080"
+      - "traefik.http.services.spot.loadbalancer.server.port=8055"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowmethods=GET,OPTIONS,POST"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowheaders=content-type"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolalloworiginlist=https://${HOST}"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowcredentials=true"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolmaxage=-1"
-      - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/backend`)"
+      - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/prod`)"
-      - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/backend"
+      - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/prod"
      - "traefik.http.routers.spot.tls=true"
      - "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot,auth"
  beam-proxy:
    environment:
      APP_spot_KEY: ${FOCUS_BEAM_SECRET_SHORT}
--- a/cce/vars
+++ b/cce/vars
@@ -11,4 +11,4 @@ for module in $PROJECT/modules/*.sh
 do
    log DEBUG "sourcing $module"
    source $module
-done
+done
--- a/ccp/modules/dnpm-node-compose.yml
+++ b/ccp/modules/dnpm-node-compose.yml
@@ -66,6 +66,7 @@ services:
      - HATEOAS_HOST=https://${HOST}
      - CONNECTOR_TYPE=broker
      - AUTHUP_URL=robot://system:${DNPM_AUTHUP_SECRET}@http://dnpm-authup:3000
      - TZ=Europe/Berlin
    volumes:
      - /etc/bridgehead/dnpm/config:/dnpm_config
      - /var/cache/bridgehead/dnpm/backend-data:/dnpm_data
--- a/itcc/docker-compose.yml
+++ b/itcc/docker-compose.yml
@@ -34,6 +34,7 @@ services:
      EPSILON: 0.28
      QUERIES_TO_CACHE: '/queries_to_cache.conf'
      ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
      CQL_PROJECTS_ENABLED: "itcc"
    volumes:
      - /srv/docker/bridgehead/itcc/queries_to_cache.conf:/queries_to_cache.conf:ro
    depends_on:
--- a/itcc/modules/lens-compose.yml
+++ b/itcc/modules/lens-compose.yml
@@ -17,6 +17,7 @@ services:
      BEAM_PROXY_ID: ${SITE_ID}
      BEAM_BROKER_ID: ${BROKER_ID}
      BEAM_APP_ID: "focus"
      PROJECT_METADATA: "itcc"
    depends_on:
      - "beam-proxy"
    labels:
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -54,7 +54,7 @@ checkOwner(){
 printUsage() {
 	echo "Usage: bridgehead start|stop|logs|docker-logs|is-running|update|check|install|uninstall|adduser|enroll PROJECTNAME"
-	echo "PROJECTNAME should be one of ccp|bbmri|cce|itcc|kr|dhki"
+	echo "PROJECTNAME should be one of ccp|bbmri|cce|itcc|kr|dhki|nngm"
 }
 checkRequirements() {
@@ -327,7 +327,7 @@ function sync_secrets() {
        -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
        -e PROXY_ID=$proxy_id \
        -e BROKER_URL=$broker_url \
-        -e OIDC_PROVIDER=secret-sync-central.test-secret-sync.$broker_id \
+        -e OIDC_PROVIDER=secret-sync-central.central-secret-sync.$broker_id \
        -e SECRET_DEFINITIONS=$secret_sync_args \
        docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
@@ -337,7 +337,7 @@ function sync_secrets() {
 }
 function secret_sync_gitlab_token() {
-    if [ "$PROJECT" == "minimal" ]; then
+    if [[ "$PROJECT" != "dktk" && "$PROJECT" != "bbmri" ]]; then
        log "INFO" "Not running Secret Sync for project minimal"
        return
    fi
--- a/lib/prepare-system.sh
+++ b/lib/prepare-system.sh
@@ -70,6 +70,9 @@ case "$PROJECT" in
 	dhki)
 		site_configuration_repository_middle="git.verbis.dkfz.de/dhki/"
 		;;
 	nngm)
 		site_configuration_repository_middle="git.verbis.dkfz.de/nngm/"
 		;;
 	minimal)
 		site_configuration_repository_middle="git.verbis.dkfz.de/minimal-bridgehead-configs/"
 		;;
--- a/minimal/modules/dnpm-node-compose.yml
+++ b/minimal/modules/dnpm-node-compose.yml
@@ -66,6 +66,7 @@ services:
      - HATEOAS_HOST=https://${HOST}
      - CONNECTOR_TYPE=broker
      - AUTHUP_URL=robot://system:${DNPM_AUTHUP_SECRET}@http://dnpm-authup:3000
      - TZ=Europe/Berlin
    volumes:
      - /etc/bridgehead/dnpm/config:/dnpm_config
      - /var/cache/bridgehead/dnpm/backend-data:/dnpm_data
--- a/nngm/docker-compose.yml
+++ b/nngm/docker-compose.yml
@@ -0,0 +1,65 @@
 version: "3.7"
 services:
  blaze:
    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
    container_name: bridgehead-nngm-blaze
    environment:
      BASE_URL: "http://bridgehead-nngm-blaze:8080"
      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
      DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
      CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
      ENFORCE_REFERENTIAL_INTEGRITY: "false"
    volumes:
      - "blaze-data:/app/data"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.blaze_nngm.rule=PathPrefix(`/nngm-localdatamanagement`)"
      - "traefik.http.middlewares.nngm_b_strip.stripprefix.prefixes=/nngm-localdatamanagement"
      - "traefik.http.services.blaze_nngm.loadbalancer.server.port=8080"
      - "traefik.http.routers.blaze_nngm.middlewares=nngm_b_strip,auth"
      - "traefik.http.routers.blaze_nngm.tls=true"
  focus:
    image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG}
    container_name: bridgehead-focus
    environment:
    - API_KEY=${FOCUS_BEAM_SECRET_SHORT}
    - BEAM_APP_ID_LONG=focus.${PROXY_ID}
    - PROXY_ID=${PROXY_ID}
    - BLAZE_URL=http://bridgehead-nngm-blaze:8080/fhir/
    - BEAM_PROXY_URL=http://beam-proxy:8081
    - RETRY_COUNT=${FOCUS_RETRY_COUNT}
    - EPSILON=0.28
    - ENDPOINT_TYPE=${FOCUS_ENDPOINT_TYPE:-blaze}
    - CQL_PROJECTS_ENABLED
    depends_on:
      - "beam-proxy"
      - "blaze"
  beam-proxy:
    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG}
    container_name: bridgehead-beam-proxy
    environment:
      BROKER_URL: ${BROKER_URL}
      PROXY_ID: ${PROXY_ID}
      APP_focus_KEY: ${FOCUS_BEAM_SECRET_SHORT}
      PRIVKEY_FILE: /run/secrets/proxy.pem
      ALL_PROXY: http://forward_proxy:3128
      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
      ROOTCERT_FILE: /conf/root.crt.pem
    secrets:
      - proxy.pem
    depends_on:
      - "forward_proxy"
    volumes:
      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
      - /srv/docker/bridgehead/nngm/root.crt.pem:/conf/root.crt.pem:ro
 volumes:
  blaze-data:
 secrets:
  proxy.pem:
    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem
--- a/nngm/modules/exporter-compose.yml
+++ b/nngm/modules/exporter-compose.yml
@@ -0,0 +1,72 @@
 version: "3.7"
 services:
  exporter:
    image: docker.verbis.dkfz.de/ccp/dktk-exporter:latest
    container_name: bridgehead-nngm-exporter
    environment:
      JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC"
      LOG_LEVEL: "INFO"
      EXPORTER_API_KEY: "${EXPORTER_API_KEY}" # Set in exporter-setup.sh
      CROSS_ORIGINS: "https://${HOST}"
      EXPORTER_DB_USER: "exporter"
      EXPORTER_DB_PASSWORD: "${EXPORTER_DB_PASSWORD}" # Set in exporter-setup.sh
      EXPORTER_DB_URL: "jdbc:postgresql://exporter-db:5432/exporter"
      HTTP_RELATIVE_PATH: "/nngm-exporter"
      SITE: "${SITE_ID}"
      HTTP_SERVLET_REQUEST_SCHEME: "https"
      OPAL_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.exporter_nngm.rule=PathPrefix(`/nngm-exporter`)"
      - "traefik.http.services.exporter_nngm.loadbalancer.server.port=8092"
      - "traefik.http.routers.exporter_nngm.tls=true"
      - "traefik.http.middlewares.exporter_nngm_strip.stripprefix.prefixes=/nngm-exporter"
      - "traefik.http.routers.exporter_nngm.middlewares=exporter_nngm_strip"
    volumes:
      - "/var/cache/bridgehead/nngm/exporter-files:/app/exporter-files/output"
  exporter-db:
    image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
    container_name: bridgehead-nngm-exporter-db
    environment:
      POSTGRES_USER: "exporter"
      POSTGRES_PASSWORD: "${EXPORTER_DB_PASSWORD}" # Set in exporter-setup.sh
      POSTGRES_DB: "exporter"
    volumes:
      # Consider removing this volume once we find a solution to save Lens-queries to be executed in the explorer.
      - "/var/cache/bridgehead/nngm/exporter-db:/var/lib/postgresql/data"
  reporter:
    image: docker.verbis.dkfz.de/ccp/dktk-reporter:latest
    container_name: bridgehead-nngm-reporter
    environment:
      JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC"
      LOG_LEVEL: "INFO"
      CROSS_ORIGINS: "https://${HOST}"
      HTTP_RELATIVE_PATH: "/nngm-reporter"
      SITE: "${SITE_ID}"
      EXPORTER_API_KEY: "${EXPORTER_API_KEY}" # Set in exporter-setup.sh
      EXPORTER_URL: "http://exporter:8092"
      LOG_FHIR_VALIDATION: "false"
      HTTP_SERVLET_REQUEST_SCHEME: "https"
    # In this initial development state of the bridgehead, we are trying to have so many volumes as possible.
    # However, in the first executions in the CCP sites, this volume seems to be very important. A report is
    # a process that can take several hours, because it depends on the exporter.
    # There is a risk that the bridgehead restarts, losing the already created export.
    volumes:
      - "/var/cache/bridgehead/nngm/reporter-files:/app/reports"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.reporter_nngm.rule=PathPrefix(`/nngm-reporter`)"
      - "traefik.http.services.reporter_nngm.loadbalancer.server.port=8095"
      - "traefik.http.routers.reporter_nngm.tls=true"
      - "traefik.http.middlewares.reporter_nngm_strip.stripprefix.prefixes=/nngm-reporter"
      - "traefik.http.routers.reporter_nngm.middlewares=reporter_nngm_strip"
  focus:
    environment:
      EXPORTER_URL: "http://exporter:8092"
      EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
--- a/nngm/modules/exporter-setup.sh
+++ b/nngm/modules/exporter-setup.sh
@@ -0,0 +1,8 @@
 #!/bin/bash -e
 if [ "$ENABLE_EXPORTER" == true ]; then
  log INFO "Exporter setup detected -- will start Exporter service."
  OVERRIDE+=" -f ./$PROJECT/modules/exporter-compose.yml"
  EXPORTER_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
  EXPORTER_API_KEY="$(echo \"This is a salt string to generate one consistent API KEY for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)"
 fi
--- a/nngm/modules/teiler-compose.yml
+++ b/nngm/modules/teiler-compose.yml
@@ -0,0 +1,73 @@
 version: "3.7"
 services:
  teiler-orchestrator:
    image: docker.verbis.dkfz.de/cache/samply/teiler-orchestrator:latest
    container_name: bridgehead-teiler-orchestrator
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.teiler_orchestrator_nngm.rule=PathPrefix(`/nngm-teiler`)"
      - "traefik.http.services.teiler_orchestrator_nngm.loadbalancer.server.port=9000"
      - "traefik.http.routers.teiler_orchestrator_nngm.tls=true"
      - "traefik.http.middlewares.teiler_orchestrator_nngm_strip.stripprefix.prefixes=/nngm-teiler"
      - "traefik.http.routers.teiler_orchestrator_nngm.middlewares=teiler_orchestrator_nngm_strip"
    environment:
      TEILER_BACKEND_URL: "/nngm-teiler-backend"
      TEILER_DASHBOARD_URL: "/nngm-teiler-dashboard"
      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE_LOWER_CASE}"
      HTTP_RELATIVE_PATH: "/nngm-teiler"
  teiler-dashboard:
    image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:${TEILER_DASHBOARD_TAG}
    container_name: bridgehead-teiler-dashboard
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.teiler_dashboard_nngm.rule=PathPrefix(`/nngm-teiler-dashboard`)"
      - "traefik.http.services.teiler_dashboard_nngm.loadbalancer.server.port=80"
      - "traefik.http.routers.teiler_dashboard_nngm.tls=true"
      - "traefik.http.middlewares.teiler_dashboard_nngm_strip.stripprefix.prefixes=/nngm-teiler-dashboard"
      - "traefik.http.routers.teiler_dashboard_nngm.middlewares=teiler_dashboard_nngm_strip"
    environment:
      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
      TEILER_BACKEND_URL: "/nngm-teiler-backend"
      TEILER_DASHBOARD_URL: "/nngm-teiler-dashboard"
      OIDC_URL: "${OIDC_URL}"
      OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}"
      OIDC_TOKEN_GROUP: "${OIDC_GROUP_CLAIM}"
      TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
      TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
      TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
      TEILER_PROJECT: "${PROJECT}"
      EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
      TEILER_ORCHESTRATOR_URL: "/nngm-teiler"
      TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/nngm-teiler"
      TEILER_USER: "${OIDC_USER_GROUP}"
      TEILER_ADMIN: "${OIDC_ADMIN_GROUP}"
      REPORTER_DEFAULT_TEMPLATE_ID: "ccp-qb"
      EXPORTER_DEFAULT_TEMPLATE_ID: "ccp"
 # TODO: Replace dktk-teiler-backend with nngm-teiler-backend
  teiler-backend:
    image: docker.verbis.dkfz.de/ccp/dktk-teiler-backend:latest
    container_name: bridgehead-teiler-backend
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.teiler_backend_nngm.rule=PathPrefix(`/nngm-teiler-backend`)"
      - "traefik.http.services.teiler_backend_nngm.loadbalancer.server.port=8085"
      - "traefik.http.routers.teiler_backend_nngm.tls=true"
      - "traefik.http.middlewares.teiler_backend_nngm_strip.stripprefix.prefixes=/nngm-teiler-backend"
      - "traefik.http.routers.teiler_backend_nngm.middlewares=teiler_backend_nngm_strip"
    environment:
      LOG_LEVEL: "INFO"
      APPLICATION_PORT: "8085"
      DEFAULT_LANGUAGE: "${TEILER_DEFAULT_LANGUAGE}"
      TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/nngm-teiler"
      TEILER_ORCHESTRATOR_URL: "/nngm-teiler"
      TEILER_DASHBOARD_DE_URL: "/nngm-teiler-dashboard/de"
      TEILER_DASHBOARD_EN_URL: "/nngm-teiler-dashboard/en"
      HTTP_PROXY: "http://forward_proxy:3128"
      ENABLE_MTBA: "${ENABLE_MTBA}"
      ENABLE_DATASHIELD: "${ENABLE_DATASHIELD}"
      IDMANAGER_UPLOAD_APIKEY: "${IDMANAGER_UPLOAD_APIKEY}" # Only used to check if the ID Manager is active
--- a/nngm/modules/teiler-setup.sh
+++ b/nngm/modules/teiler-setup.sh
@@ -0,0 +1,8 @@
 #!/bin/bash -e
 if [ "$ENABLE_TEILER" == true ];then
  log INFO "Teiler setup detected -- will start Teiler services."
  OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml"
  TEILER_DEFAULT_LANGUAGE=DE
  TEILER_DEFAULT_LANGUAGE_LOWER_CASE=${TEILER_DEFAULT_LANGUAGE,,}
 fi
--- a/nngm/root.crt.pem
+++ b/nngm/root.crt.pem
@@ -0,0 +1,20 @@
 -----BEGIN CERTIFICATE-----
 MIIDNTCCAh2gAwIBAgIUWHMDQFPJR5y8RKZ5FC72iOOla4kwDQYJKoZIhvcNAQEL
 BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjUxMDI3MTQwMjU1WhcNMzUx
 MDI1MTQwMzI1WjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
 AQEBBQADggEPADCCAQoCggEBAKoghRqAo6s9xjDao+ZC9HpZDBgzOgRMRHrl352k
 Y0Gti1p3m8ldwVQV+nlBE6g/Dowo+iaOwUBiHMHOI2BK7vqkGNp0tZ63ZKR4cyOD
 hCDOl71lWxjYD5XmF7l/SbrLFfET0EEorhLDDOMuWrNpxKFfKdvhld6K5BZ3oSfH
 /5W5y5jWRFWEYRzddzil2GOiU2vzAygA0I1nr5oHCgZoteDDXztAYHJ5vnPA9RNQ
 YFoe/5fVOiJo869zYyBwMuY/dV5ff7eIe/HRKzFLZ6iJEOJcBFWx/aWEvj5gSWxS
 x4OzkwoHsZOkRN9wSTXvdO5kPFzmPq8Nq7Hmw4tLVzP1eRECAwEAAaN7MHkwDgYD
 VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFP9BHa86rz94
 nvMj2JhM5V3L3TWCMB8GA1UdIwQYMBaAFP9BHa86rz94nvMj2JhM5V3L3TWCMBYG
 A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQCkWBXRUGx5
 XFWEEAVbAMcEuXAr6+HtSs+NTORQ01LhNST8Z9HhOaAjfH/dJiLvOjHvOuiOK9y9
 ZGkIIwqkkbhlv1ZcfQBWXh+xDNbq9Q2MaIWY3ZzPTKFgNkxFcEF43MMB+o5pK1Bf
 jJIiSxuEfM0yHg9o+jc3V3XRhU9leXNPkfJezTGfVuWr/B/kTmnQ8zrOCapB+NnX
 vuu1ayNyXflDkj8Gg0X4TarxGhSP6Dpxd9ViEQD9DFG8q42bH0mYveHcAIUN0FJX
 4F2NChiL7dCSFFe6xKdRFDtNe12JrHRjU1rMAcxhYjBRbqt2o2HfDPajSJrhRheY
 T35rRWxDupkP
 -----END CERTIFICATE-----
--- a/nngm/vars
+++ b/nngm/vars
@@ -0,0 +1,32 @@
 BROKER_ID=broker.nngm.dkfz.de
 BROKER_URL=https://${BROKER_ID}
 PROXY_ID=${SITE_ID}.${BROKER_ID}
 FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
 # TODO: Add real nNGM-Support email
 SUPPORT_EMAIL=support-nngm@dkfz-heidelberg.de
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 BROKER_URL_FOR_PREREQ=$BROKER_URL
 # TODO: Replace with nNGM OIDC Server
 OIDC_USER_GROUP="NNGM_$(capitalize_first_letter ${SITE_ID})"
 OIDC_ADMIN_GROUP="NNGM_$(capitalize_first_letter ${SITE_ID})_Verwalter"
 OIDC_PSP_GROUP="NNGM_$(capitalize_first_letter ${SITE_ID})_PSP"
 OIDC_PRIVATE_CLIENT_ID=${SITE_ID}-private
 OIDC_PUBLIC_CLIENT_ID=${SITE_ID}-public
 OIDC_URL="https://sso.verbis.dkfz.de/application/o/${OIDC_PUBLIC_CLIENT_ID}/"
 OIDC_PRIVATE_URL="https://sso.verbis.dkfz.de/application/o/${OIDC_PRIVATE_CLIENT_ID}/"
 OIDC_GROUP_CLAIM="groups"
 for module in $PROJECT/modules/*.sh
 do
    log DEBUG "sourcing $module"
    source $module
 done
 for module in modules/*.sh
 do
    log DEBUG "sourcing $module"
    source $module
 done
--- a/pscc/modules/lens-compose.yml
+++ b/pscc/modules/lens-compose.yml
@@ -1,45 +1,40 @@
 version: "3.7"
 services:
  lens:
-    container_name: lens_federated-search
+    container_name: lens-federated-search
    image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID}
    labels:
      - "traefik.http.services.lens.loadbalancer.server.port=3000"
      - "traefik.enable=true"
-      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
+      - "traefik.http.routers.lens.rule=Host(`${HOST}`)"
-      - "traefik.http.services.landing.loadbalancer.server.port=3000"
+      - "traefik.http.routers.lens.tls=true"
      - "traefik.http.routers.landing.middlewares=auth"
      - "traefik.http.routers.landing.tls=true"
  spot:
-    image: samply/rustyspot:main
+    image: samply/rustyspot:latest
    platform: linux/amd64
    environment:
      HTTP_PROXY: ${HTTP_PROXY_URL}
      HTTPS_PROXY: ${HTTPS_PROXY_URL}
      NO_PROXY: beam-proxy
      BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}"
      BEAM_PROXY_URL: http://beam-proxy:8081
      BEAM_APP_ID: "spot.${SITE_ID}.${BROKER_ID}"
      CORS_ORIGIN: "https://${HOST}"
-      SITES: "${SITE_ID}"
+      SITES: ${SITES}
      TRANSFORM: LENS
      BIND_ADDR: 0.0.0.0:8055
      RUST_LOG: "debug"
      LOG_FILE: /logs/requests.log
      PROJECT: pscc
-    volumes:
+      BIND_ADDR: 0.0.0.0:8055
      - /etc/bridgehead/logs:/logs
      - /etc/bridgehead/query:/query:ro
    depends_on:
      - "beam-proxy"
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.spot.loadbalancer.server.port=8055"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowmethods=GET,OPTIONS,POST"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowheaders=content-type"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolalloworiginlist=https://${HOST}"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowcredentials=true"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolmaxage=-1"
-      - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/backend`)"
+      - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/prod`)"
-      - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/backend"
+      - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/prod"
      - "traefik.http.routers.spot.tls=true"
-      - "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot"
+      - "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot,auth"
  beam-proxy:
    environment:
      APP_spot_KEY: ${FOCUS_BEAM_SECRET_SHORT}
--- a/pscc/root.crt.pem
+++ b/pscc/root.crt.pem
@@ -1,20 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDNTCCAh2gAwIBAgIUW34NEb7bl0+Ywx+I1VKtY5vpAOowDQYJKoZIhvcNAQEL
+MIIDNTCCAh2gAwIBAgIUVC1Y1tx0q5PNR33gArAyyBm8PMQwDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjQwMTIyMTMzNzEzWhcNMzQw
+BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjUxMTAzMTQxODQ5WhcNMzUx
-MTE5MTMzNzQzWjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
+MTAxMTQxOTE5WjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAL5UegLXTlq3XRRj8LyFs3aF0tpRPVoW9RXp5kFI
+AQEBBQADggEPADCCAQoCggEBAMB1yd7zkh7Io/ReQYindBcAdA1b4ogdVnrdSLRN
-TnBvyO6qjNbMDT/xK+4iDtEX4QQUvsxAKxfXbe9i1jpdwjgH7JHaSGm2IjAiKLqO
+N3zLSh6jN5KIXgs34BdRXx0so0m96q+9xlgacTXGRBn1Tu5SKMRyXdxnCLMzHAYU
-OXQQtguWwfNmmp96Ql13ArLj458YH08xMO/w2NFWGwB/hfARa4z/T0afFuc/tKJf
+rNKhqF5HeZCYkVyh/tsAyFfDwZDVzsdX64V+0r5+raev2X0gJnlgmF83DIKjkVUS
-XbGCG9xzJ9tmcG45QN8NChGhVvaTweNdVxGWlpHxmi0Mn8OM9CEuB7nPtTTiBuiu
+2+c+3BnXa9LOdXks0qygJjvaFyi+5MA3DinLnmMLCQ3yAvaZYWyP3xCnGIoVrZFq
-pRC2zVVmNjVp4ktkAqL7IHOz+/F5nhiz6tOika9oD3376Xj055lPznLcTQn2+4d7
+a+YioMCmHrbByuXPoZsXcFY7Z85LQkCtSVt1dH4kkN2/JehXG099nqwMqO8FpLZZ
-K7ZrBopCFxIQPjkgmYRLfPejbpdUjK1UVJw7hbWkqWqH7JMCAwEAAaN7MHkwDgYD
+xG7/U3P/slX1MMLs97nqRCRoW7Cha2ci1NBYLll+34ekhxMCAwEAAaN7MHkwDgYD
-VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGjvRcaIP4HM
+VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJHTpnuyIGHw
-poIguUAK9YL2n7fbMB8GA1UdIwQYMBaAFGjvRcaIP4HMpoIguUAK9YL2n7fbMBYG
+yvC/mmh+S/JKYVrAMB8GA1UdIwQYMBaAFJHTpnuyIGHwyvC/mmh+S/JKYVrAMBYG
-A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQCbzycJSaDm
+A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQAeDc/k28yb
-AXXNJqQ88djrKs5MDXS8RIjS/cu2ayuLaYDe+BzVmUXNA0Vt9nZGdaz63SLLcjpU
+I5MLC/LdaA+MKsW2FWF9HT+tsbtltTaQIRnnkwfU/40Ius3gzUU5z+kPqq5+kxhy
-fNSxBfKbwmf7s30AK8Cnfj9q4W/BlBeVizUHQsg1+RQpDIdMrRQrwkXv8mfLw+w5
+3T646Rbau85Zw24gdNmiVKAAG5ntKoQ7XnyR/06PYyXNGLqnb6aKvbcIPoWtU/+2
-3oaXNW6W/8KpBp/H8TBZ6myl6jCbeR3T8EMXBwipMGop/1zkbF01i98Xpqmhx2+l
+8f5hHdQ/4271aHws7dKcBNWu9V5WmxMZ3YTfnBR5lEda+DhVwHqtmun8EpSbwthD
-n+80ofPsSspOo5XmgCZym8CD/m/oFHmjcvOfpOCvDh4PZ+i37pmbSlCYoMpla3u/
+aLLIOHJpetr+KWUVFHQdGbO23Qg1Else0Akcn5Gzf/sKkVCVxjHE6jeo4ZwHtstG
-7MJMP5lugfLBYNDN2p+V4KbHP/cApCDT5UWLOeAWjgiZQtHH5ilDeYqEc1oPjyJt
+KMoff+ETC+DL5kMZ4CV5VaQ4HxVK7N0qiUxmijWe+EyRZseum1c0s2OEi2L52Q9K
-Rtup0MTxSJtN
+P4N3yD4ed4p/
 -----END CERTIFICATE-----
--- a/pscc/vars
+++ b/pscc/vars
@@ -1,4 +1,4 @@
-BROKER_ID=test-no-real-data.broker.samply.de
+BROKER_ID=broker.pscc.org
 BROKER_URL=https://${BROKER_ID}
 PROXY_ID=${SITE_ID}.${BROKER_ID}
 FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
--- a/versions/acceptance
+++ b/versions/acceptance
@@ -1,6 +1,6 @@
 FOCUS_TAG=develop
 BEAM_TAG=develop
-BLAZE_TAG=main
+BLAZE_TAG=0.32
 POSTGRES_TAG=15.13-alpine
 TEILER_DASHBOARD_TAG=develop
 MTBA_TAG=develop
--- a/versions/test
+++ b/versions/test
@@ -1,6 +1,6 @@
 FOCUS_TAG=develop
 BEAM_TAG=develop
-BLAZE_TAG=main
+BLAZE_TAG=0.32
 POSTGRES_TAG=15.13-alpine
 TEILER_DASHBOARD_TAG=develop
-MTBA_TAG=develop
+MTBA_TAG=develop
Author	SHA1	Message	Date
Tobias Kussel	74c913cd0c	Add documentation for proxy (credential) special character escaping	2025-12-12 11:26:42 +01:00
Jan	85cfc2514d	update beam proxy server used for oauth enrollment (#366 )	2025-12-11 11:33:29 +01:00
Enola Knezevic	dd3387c2f1	test version blaze (#364 ) This is the one we need urgently	2025-12-01 12:54:57 +01:00
Enola Knezevic	a5120ba75b	obfuscate BBMRI ERIC way, test blaze version (#363 )	2025-12-01 12:50:07 +01:00
Manoj Waikar	d0c87b40a6	Use the cce-explorer:main image from docker hub (instead of ghcr). (#362 )	2025-11-21 14:52:42 +01:00
Pierre Delpy	57f49ab5fc	feat: migrate pscc to orange cloud broker (#361 )	2025-11-21 10:42:21 +01:00
Manoj Waikar	e2569f4737	Use the main image name for cce explorer. (#360 ) - instead of pr1 name	2025-11-20 14:34:33 +01:00
Manoj Waikar	56a8aac326	Add APP_spot_KEY env var under the beam-proxy section. (#358 )	2025-11-19 09:33:18 +01:00
Niklas Reimer	ab6e05826f	feat(dnpm): set timezone to Europe/Berlin (#359 )	2025-11-12 10:25:20 +01:00
DavidCroftDKFZ	394dcc2567	Directory sync: token login and cron change (#351 ) The Directory team have requested that we allow token login to the Directory, where a user uses LSAAI credentials to obtain a token from the Directory, and then uses this to authenticate Directory sync. This has been implemented via an environment variable, in an analogous way to the already existing username/password method. The default start time for the Directory sync has been shifted to 22:30, to prevent conflicts with the Bridgehead auto-update. Relevant changes have been made to the documentation. Co-authored-by: Torben Brenner <76154651+torbrenner@users.noreply.github.com> Co-authored-by: Jan <59206115+Threated@users.noreply.github.com> Co-authored-by: Martin Lablans <6804500+lablans@users.noreply.github.com>	2025-11-11 09:43:08 +01:00
djuarezgf	58d3e6487c	feat: add nNGM project (#340 )	2025-11-06 16:47:50 +01:00
Pierre Delpy	230ff1debb	feat: add PSCC * add pscc and prepare lens2 deployment --------- Co-authored-by: p.delpy@dkfz-heidelberg.de <p.delpy@dkfz-heidelberg.de> Co-authored-by: Jan <59206115+Threated@users.noreply.github.com>	2025-11-05 15:18:00 +01:00
DavidCroftDKFZ	6dea7c8fef	Directory sync: inherit host timezone (#354 ) Directory sync needs to be able to launch at specific times of day, and in order to do this in a predictable way, the timezone used inside the Docker container should be the same as the host. To do this, two files need to be mounted from the host. One file contains information about the time zone, the other file contains the file zone name.	2025-11-05 11:02:26 +01:00