bridgehead/ccp/modules/id-management-compose.yml

version: "3.7"

services:
  id-manager:
    image: docker.verbis.dkfz.de/bridgehead/magicpl
    container_name: bridgehead-id-manager
    environment:
      TOMCAT_REVERSEPROXY_FQDN: ${HOST}
      TOMCAT_REVERSEPROXY_SSL: "true"
      MAGICPL_SITE: ${IDMANAGEMENT_FRIENDLY_ID}
      MAGICPL_ALLOWED_ORIGINS: https://${HOST}
      MAGICPL_LOCAL_PATIENTLIST_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
      MAGICPL_CENTRAXX_APIKEY: ${IDMANAGER_UPLOAD_APIKEY}
      MAGICPL_CONNECTOR_APIKEY: ${IDMANAGER_READ_APIKEY}
      MAGICPL_CENTRAL_PATIENTLIST_APIKEY: ${IDMANAGER_CENTRAL_PATIENTLIST_APIKEY}
      MAGICPL_CONTROLNUMBERGENERATOR_APIKEY: ${IDMANAGER_CONTROLNUMBERGENERATOR_APIKEY}
      MAGICPL_OIDC_PROVIDER: ${OIDC_PRIVATE_URL}
    depends_on:
      - patientlist
      - traefik-forward-auth
    labels:
      - "traefik.enable=true"
      # Router with Authentication
      - "traefik.http.routers.id-manager.rule=PathPrefix(`/id-manager`)"
      - "traefik.http.routers.id-manager.tls=true"
      - "traefik.http.routers.id-manager.middlewares=traefik-forward-auth-idm"
      - "traefik.http.routers.id-manager.service=id-manager-service"
      # Router without Authentication
      - "traefik.http.routers.id-manager-compatibility.rule=PathPrefix(`/id-manager/paths/translator/getIds`)"
      - "traefik.http.routers.id-manager-compatibility.tls=true"
      - "traefik.http.routers.id-manager-compatibility.service=id-manager-service"
      # Definition of Service
      - "traefik.http.services.id-manager-service.loadbalancer.server.port=8080"
      - "traefik.http.services.id-manager-service.loadbalancer.server.scheme=http"

  patientlist:
    image: docker.verbis.dkfz.de/bridgehead/mainzelliste
    container_name: bridgehead-patientlist
    environment:
      - TOMCAT_REVERSEPROXY_FQDN=${HOST}
      - TOMCAT_REVERSEPROXY_SSL=true
      - ML_SITE=${IDMANAGEMENT_FRIENDLY_ID}
      - ML_DB_PASS=${PATIENTLIST_POSTGRES_PASSWORD}
      - ML_API_KEY=${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
      - ML_UPLOAD_API_KEY=${IDMANAGER_UPLOAD_APIKEY}
      # Add Variables from /etc/patientlist-id-generators.env
      - PATIENTLIST_SEEDS_TRANSFORMED
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.patientlist.rule=PathPrefix(`/patientlist`)"
      - "traefik.http.services.patientlist.loadbalancer.server.port=8080"
      - "traefik.http.routers.patientlist.tls=true"
    depends_on:
      - patientlist-db

  patientlist-db:
    image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
    container_name: bridgehead-patientlist-db
    environment:
      POSTGRES_USER: "mainzelliste"
      POSTGRES_DB: "mainzelliste"
      POSTGRES_PASSWORD: ${PATIENTLIST_POSTGRES_PASSWORD}
    volumes:
      - "patientlist-db-data:/var/lib/postgresql/data"
      # NOTE: Add backups here. This is only imported if /var/lib/bridgehead/data/patientlist/ is empty!!!
      - "/tmp/bridgehead/patientlist/:/docker-entrypoint-initdb.d/"

  traefik-forward-auth:
    image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest
    environment:
      - http_proxy=http://forward_proxy:3128
      - https_proxy=http://forward_proxy:3128
      - OAUTH2_PROXY_PROVIDER=oidc
      - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
      - OAUTH2_PROXY_OIDC_ISSUER_URL=${OIDC_PRIVATE_URL}
      - OAUTH2_PROXY_CLIENT_ID=${OIDC_PRIVATE_CLIENT_ID}
      - OAUTH2_PROXY_CLIENT_SECRET=${OIDC_CLIENT_SECRET}
      - OAUTH2_PROXY_COOKIE_SECRET=${IDMANAGER_AUTH_COOKIE_SECRET}
      - OAUTH2_PROXY_COOKIE_NAME=_BRIDGEHEAD_oauth2_idm
      - OAUTH2_PROXY_COOKIE_DOMAINS=.${HOST}
      - OAUTH2_PROXY_COOKIE_REFRESH=4m
      - OAUTH2_PROXY_COOKIE_EXPIRE=24h
      - OAUTH2_PROXY_HTTP_ADDRESS=:4180
      - OAUTH2_PROXY_REVERSE_PROXY=true
      - OAUTH2_PROXY_WHITELIST_DOMAINS=.${HOST}
      - OAUTH2_PROXY_UPSTREAMS=static://202
      - OAUTH2_PROXY_EMAIL_DOMAINS=*
      - OAUTH2_PROXY_SCOPE=openid profile email
      # Pass Authorization Header and some user information to backend services
      - OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
      - OAUTH2_PROXY_SET_XAUTHREQUEST=true
      # Keycloak has an expiration time of 60s therefore oauth2-proxy needs to refresh after that
      - OAUTH2_PROXY_ALLOWED_GROUPS=${OIDC_PSP_GROUP}
      - OAUTH2_PROXY_OIDC_GROUPS_CLAIM=${OIDC_GROUP_CLAIM}
      - OAUTH2_PROXY_PROXY_PREFIX=/oauth2-idm
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4180"
      - "traefik.http.routers.traefik-forward-auth.rule=Host(`${HOST}`) && PathPrefix(`/oauth2-idm`)"
      - "traefik.http.routers.traefik-forward-auth.tls=true"
      - "traefik.http.middlewares.traefik-forward-auth-idm.forwardauth.address=http://traefik-forward-auth:4180"
      - "traefik.http.middlewares.traefik-forward-auth-idm.forwardauth.authResponseHeaders=Authorization"
    depends_on:
      forward_proxy:
        condition: service_healthy

  ccp-patient-project-identificator:
    image: docker.verbis.dkfz.de/cache/samply/ccp-patient-project-identificator
    container_name: bridgehead-ccp-patient-project-identificator
    environment:
      MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
      SITE_NAME: ${IDMANAGEMENT_FRIENDLY_ID}

volumes:
  patientlist-db-data: