samply/bridgehead
1
0
Fork 0
mirror of https://github.com/samply/bridgehead.git synced 2026-03-31 19:10:14 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
3cb1d7041648486ce14f9ae0a21582700702753d
bridgehead/ccp/modules/ovis-compose.yml
tm16-medma 3cb1d70416 Enhance OVIS setup script to handle missing CA directory and refine logging 
Updated the ovis-setup.sh script to improve handling of the trusted CA directory, ensuring that the oauth2-proxy uses the system trust store if the directory is missing. Adjusted logging messages for clarity regarding the detection of custom OIDC CA files, specifically focusing on .crt files. Additionally, added a new environment variable for TLS_CA_CERTIFICATES_DIR in the ovis-compose.yml file to support trusted CA certificates.
2026-03-26 16:16:21 +01:00

122 lines
5.5 KiB
YAML
Raw Blame History

version: "3.7"
services:
ovis-traefik-forward-auth:
image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest
environment:
- http_proxy=http://forward_proxy:3128
- https_proxy=http://forward_proxy:3128
- TLS_CA_CERTIFICATES_DIR=/etc/bridgehead/trusted-ca-certs
- OAUTH2_PROXY_USE_SYSTEM_TRUST_STORE=true
- OAUTH2_PROXY_PROVIDER_CA_FILES=${OVIS_OAUTH2_PROXY_PROVIDER_CA_FILES}
- OAUTH2_PROXY_PROVIDER=oidc
- OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
- OAUTH2_PROXY_OIDC_ISSUER_URL=${OIDC_PRIVATE_URL}
- OAUTH2_PROXY_CLIENT_ID=${OIDC_PRIVATE_CLIENT_ID}
- OAUTH2_PROXY_CLIENT_SECRET=${OIDC_CLIENT_SECRET}
- OAUTH2_PROXY_COOKIE_SECRET=${IDMANAGER_AUTH_COOKIE_SECRET}
- OAUTH2_PROXY_COOKIE_NAME=_BRIDGEHEAD_oauth2_ovis
- OAUTH2_PROXY_COOKIE_DOMAINS=.${HOST}
- OAUTH2_PROXY_COOKIE_REFRESH=4m
- OAUTH2_PROXY_COOKIE_EXPIRE=24h
- OAUTH2_PROXY_HTTP_ADDRESS=:4180
- OAUTH2_PROXY_REVERSE_PROXY=true
- OAUTH2_PROXY_WHITELIST_DOMAINS=.${HOST}
- OAUTH2_PROXY_UPSTREAMS=static://202
- OAUTH2_PROXY_EMAIL_DOMAINS=*
- OAUTH2_PROXY_SCOPE=openid profile email
- OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
- OAUTH2_PROXY_SET_XAUTHREQUEST=true
- OAUTH2_PROXY_ALLOWED_GROUPS=${OIDC_USER_GROUP}
- OAUTH2_PROXY_OIDC_GROUPS_CLAIM=${OIDC_GROUP_CLAIM}
- OAUTH2_PROXY_PROXY_PREFIX=/oauth2-ovis
volumes:
- /etc/bridgehead/trusted-ca-certs:/etc/bridgehead/trusted-ca-certs:ro
labels:
- "traefik.enable=true"
- "traefik.http.services.ovis-traefik-forward-auth.loadbalancer.server.port=4180"
- "traefik.http.routers.ovis-traefik-forward-auth.rule=Host(`${HOST}`) && PathPrefix(`/oauth2-ovis`)"
- "traefik.http.routers.ovis-traefik-forward-auth.tls=true"
- "traefik.http.middlewares.traefik-forward-auth-ovis.forwardauth.address=http://ovis-traefik-forward-auth:4180"
- "traefik.http.middlewares.traefik-forward-auth-ovis.forwardauth.authResponseHeaders=Authorization"
depends_on:
forward_proxy:
condition: service_healthy
ovis-backend-database-mongodb:
image: docker.verbis.dkfz.de/ovis/ovis-backend-mongodb:latest
container_name: bridgehead-ccp-ovis-mongo
ovis-backend-mongodb-data-preprocessing:
image: docker.verbis.dkfz.de/ovis/ovis-backend-preprocessor:latest
container_name: bridgehead-ccp-ovis-preprocessing
environment:
ADDRESS: mongodb://ovis-backend-database-mongodb:27017
depends_on:
- ovis-backend-database-mongodb
healthcheck:
test: ["CMD-SHELL", "node -e \"require('http').get('http://localhost:9000/health', res => process.exit(res.statusCode===200?0:1)).on('error', () => process.exit(1));\""]
interval: 10s
timeout: 5s
retries: 6
start_period: 5s
ovis-backend-data-import:
image: docker.verbis.dkfz.de/ovis/ovis-backend-data-import-ccp:latest
container_name: bridgehead-ccp-ovis-import
depends_on:
ovis-backend-mongodb-data-preprocessing:
condition: service_healthy
environment:
FHIR_SERVER_URL: http://bridgehead-ccp-blaze:8080/fhir
ovis-backend-apollo:
image: docker.verbis.dkfz.de/ovis/ovis-backend-apollo:latest
container_name: bridgehead-ccp-ovis-backend
environment:
ADDRESS: mongodb://ovis-backend-database-mongodb:27017
depends_on:
- ovis-backend-database-mongodb
- ovis-backend-mongodb-data-preprocessing
- ovis-backend-data-import
healthcheck:
test: ["CMD-SHELL", "test -d /app/node_modules/mongodb"]
interval: 10s
timeout: 5s
retries: 5
labels:
- "traefik.enable=true"
- "traefik.http.routers.ovis-backend.rule=PathPrefix(`/graphql`)"
- "traefik.http.routers.ovis-backend.tls=true"
- "traefik.http.routers.ovis-backend.middlewares=traefik-forward-auth-ovis"
- "traefik.http.routers.ovis-backend.service=ovis-backend"
- "traefik.http.routers.ovis-backend-ccp.rule=PathPrefix(`/ccp-ovis/graphql`)"
- "traefik.http.routers.ovis-backend-ccp.tls=true"
- "traefik.http.middlewares.ovis-backend-ccp-strip.stripprefix.prefixes=/ccp-ovis"
- "traefik.http.routers.ovis-backend-ccp.middlewares=ovis-backend-ccp-strip,traefik-forward-auth-ovis"
- "traefik.http.routers.ovis-backend-ccp.service=ovis-backend"
- "traefik.http.services.ovis-backend.loadbalancer.server.port=4001"
ovis-frontend:
image: docker.verbis.dkfz.de/ovis/ovis-frontend:latest
container_name: bridgehead-ccp-ovis-frontend
environment:
OVIS_PUBLIC_BASE_PATH: /ccp-ovis
PUBLIC_GRAPHQL_URL: https://${HOST}/ccp-ovis/graphql
PUBLIC_LOGIN_ENABLED: "false"
PUBLIC_OVIS_IMPORT: ccp
depends_on:
ovis-backend-apollo:
condition: service_healthy
labels:
- "traefik.enable=true"
- "traefik.http.middlewares.ovis-frontend-ccp-slash-redirect.redirectregex.regex=^https?://([^/]+)/ccp-ovis$"
- "traefik.http.middlewares.ovis-frontend-ccp-slash-redirect.redirectregex.replacement=https://$${1}/ccp-ovis/"
- "traefik.http.middlewares.ovis-frontend-ccp-slash-redirect.redirectregex.permanent=true"
- "traefik.http.routers.ovis-frontend-ccp.tls=true"
- "traefik.http.routers.ovis-frontend-ccp.rule=PathPrefix(`/ccp-ovis`)"
- "traefik.http.middlewares.ovis-frontend-ccp-strip.stripprefix.prefixes=/ccp-ovis"
#- "traefik.http.routers.ovis-frontend-ccp.middlewares=ovis-frontend-ccp-slash-redirect,ovis-frontend-ccp-strip,traefik-forward-auth-ovis"
- "traefik.http.services.ovis-frontend-ccp.loadbalancer.server.port=5173"
Reference in New Issue View Git Blame Copy Permalink