Merge branch 'feature/samplyBeam' into fix/proxyFix
										8
								.gitignore
							@@ -3,10 +3,4 @@
 | 
			
		||||
site-config/*
 | 
			
		||||
 | 
			
		||||
## Ignore site configuration
 | 
			
		||||
config/**/*
 | 
			
		||||
!config/**/*.default
 | 
			
		||||
landing/*
 | 
			
		||||
docker-compose.override.yml
 | 
			
		||||
site.conf
 | 
			
		||||
auth/*
 | 
			
		||||
certs/*
 | 
			
		||||
*/docker-compose.override.yml
 | 
			
		||||
 
 | 
			
		||||
@@ -77,6 +77,14 @@ case "$ACTION" in
 | 
			
		||||
	uninstall)
 | 
			
		||||
		exec ./lib/remove-bridgehead-units.sh $PROJECT
 | 
			
		||||
		;;
 | 
			
		||||
	enroll)
 | 
			
		||||
		if [ -e $PRIVATEKEYFILENAME ]; then
 | 
			
		||||
			echo "Private key already exists at $PRIVATEKEYFILENAME. Please delete first to proceed."
 | 
			
		||||
			exit 1
 | 
			
		||||
		fi
 | 
			
		||||
		docker run --rm -ti -v /etc/bridgehead/pki:/etc/bridgehead/pki samply/beam-enroll:latest --output-file $PRIVATEKEYFILENAME --proxy-id $PROXY_ID --admin-email $SUPPORT_EMAIL
 | 
			
		||||
		chmod 600 $PRIVATEKEYFILENAME
 | 
			
		||||
		;;
 | 
			
		||||
	preRun | preUpdate)
 | 
			
		||||
		fixPermissions
 | 
			
		||||
		;;
 | 
			
		||||
 
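Review bot: On the enroll branch `$PRIVATEKEYFILENAME` is expanded unquoted in the `-e` test, the `docker run` arguments and the `chmod`, and nothing asserts it is set; an empty expansion turns the test into the one-argument form `[ -e ]`, which succeeds, so an unset variable yields the misleading "already exists at ." error and exits. Quote the expansions and check the variable first, e.g. `: "${PRIVATEKEYFILENAME:?not set for $PROJECT}"` and `if [ -e "$PRIVATEKEYFILENAME" ]; then`, and do the same for `$PROXY_ID` and `$SUPPORT_EMAIL`. In this commit those variables appear to be defined only in ccp/vars, so the other project names listed in printUsage may reach this branch with empty arguments — worth confirming. The key is written by the container before `chmod 600` runs, so its initial mode and owner depend on the image's umask and user; creating `/etc/bridgehead/pki` with mode 700 before the run narrows that window, and a root-owned key may not be readable by the bridgehead account the other scripts expect. The enclosing `case "$ACTION"` continues outside the hunk.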
 | 
			
		||||
@@ -25,7 +25,7 @@ services:
 | 
			
		||||
      - 80:80
 | 
			
		||||
      - 443:443
 | 
			
		||||
    volumes:
 | 
			
		||||
      - ../certs:/tools/certs:ro
 | 
			
		||||
      - /etc/bridgehead/traefik-tls:/certs:ro
 | 
			
		||||
      - ../lib/traefik-configuration/:/configuration:ro
 | 
			
		||||
      - /var/run/docker.sock:/var/run/docker.sock:ro
 | 
			
		||||
 | 
			
		||||
 
 | 
			
		||||
										2
								ccp/vars
							@@ -5,3 +5,5 @@ SPOT_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | he
 | 
			
		||||
SPOT_BEAM_SECRET_LONG="ApiKey spot.${PROXY_ID} ${SPOT_BEAM_SECRET_SHORT}"
 | 
			
		||||
REPORTHUB_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 | 
			
		||||
REPORTHUB_BEAM_SECRET_LONG="ApiKey report-hub.${PROXY_ID} ${REPORTHUB_BEAM_SECRET_SHORT}"
 | 
			
		||||
SUPPORT_EMAIL=support-ccp@dkfz-heidelberg.de
 | 
			
		||||
PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 | 
			
		||||
 
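Review bot: `PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem` duplicates a path that the prerequisites check in this commit spells out literally twice (in its `[ -e … ]` test and in the error message), so the two will drift the first time one is edited; since this file defines the variable, the check should read it, `if [ -e "$PRIVATEKEYFILENAME" ]; then`. A short comment above the assignment would help operators, e.g. `# Beam proxy private key, created by 'bridgehead enroll'; the prerequisite check and the enroll action both use this path`. If `SITE_ID` can be empty when this file is sourced, the path silently becomes `/etc/bridgehead/pki/.priv.pem`, which is then compared against a nonexistent file rather than reported.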
 | 
			
		||||
@@ -19,7 +19,7 @@ checkOwner(){
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
printUsage() {
 | 
			
		||||
	echo "Usage: bridgehead start|stop|update|install|uninstall PROJECTNAME"
 | 
			
		||||
	echo "Usage: bridgehead start|stop|update|install|uninstall|enroll PROJECTNAME"
 | 
			
		||||
	echo "PROJECTNAME should be one of ccp|nngm|gbn"
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
 
 | 
			
		||||
										116
								lib/generate.sh
							@@ -1,116 +0,0 @@
 | 
			
		||||
#!/bin/bash
 | 
			
		||||
 | 
			
		||||
if [ ! -d ./landing ]
 | 
			
		||||
then 
 | 
			
		||||
  mkdir landing
 | 
			
		||||
fi
 | 
			
		||||
 | 
			
		||||
if [ ! -f ./landing/index.html ]
 | 
			
		||||
then
 | 
			
		||||
  touch index.html
 | 
			
		||||
fi
 | 
			
		||||
 | 
			
		||||
CENTRAL_SERVICES="          <tr>
 | 
			
		||||
            <td>CCP-IT</td>
 | 
			
		||||
            <td><a href=\"https://monitor.vmitro.de/icingaweb2/dashboard\">Monitoring Service</td>
 | 
			
		||||
          </tr>"
 | 
			
		||||
 | 
			
		||||
LOCAL_SERVICES="          <tr>
 | 
			
		||||
            <td>Bridgehead</td>
 | 
			
		||||
            <td>Reverse Proxy <a href=\"http://${HOST}:8080/\">Traefik</a></td>
 | 
			
		||||
          </tr>"
 | 
			
		||||
 | 
			
		||||
if [ "$project" = "dktk" ] || [ "$project" = "c4" ] || [ "$project" = "dktk-fed" ]
 | 
			
		||||
then
 | 
			
		||||
    CENTRAL_SERVICES+="          <tr>
 | 
			
		||||
            <td>CCP-IT</td>
 | 
			
		||||
            <td><a href=\"https://patientlist.ccp-it.dktk.dkfz.de\">Zentrale Patientenliste</td>
 | 
			
		||||
          </tr>
 | 
			
		||||
          <tr>
 | 
			
		||||
            <td>CCP-IT</td>
 | 
			
		||||
            <td><a href=\"https://decentralsearch.ccp-it.dktk.dkfz.de\">Dezentrale Suche</td>
 | 
			
		||||
          </tr>
 | 
			
		||||
          <tr>
 | 
			
		||||
            <td>CCP-IT</td>
 | 
			
		||||
            <td><a href=\"https://centralsearch.ccp-it.dktk.dkfz.de\">Zentrale Suche</td>
 | 
			
		||||
          </tr>
 | 
			
		||||
          <tr>
 | 
			
		||||
            <td>CCP-IT</td>
 | 
			
		||||
            <td><a href=\"https://deployment.ccp-it.dktk.dkfz.de\">Deployment-Server</td>
 | 
			
		||||
          </tr>
 | 
			
		||||
          <tr>
 | 
			
		||||
            <td>CCP-IT</td>
 | 
			
		||||
            <td><a href=\"https://dktk-kne.kgu.de\">Zentraler Kontrollnummernerzeuger</td>
 | 
			
		||||
          </tr>
 | 
			
		||||
          "
 | 
			
		||||
fi
 | 
			
		||||
 | 
			
		||||
if [ "$project" = "dktk-fed" ]
 | 
			
		||||
then 
 | 
			
		||||
    LOCAL_SERVICES+="         <tr>
 | 
			
		||||
            <td>DKTK</td>
 | 
			
		||||
            <td><a href=\"https://${HOST}/dktk-localdatamanagement/fhir/\">Blaze</a></td>
 | 
			
		||||
          </tr>
 | 
			
		||||
          "
 | 
			
		||||
fi
 | 
			
		||||
 | 
			
		||||
cat > ./landing/index.html <<EOL
 | 
			
		||||
<html lang="en">
 | 
			
		||||
 | 
			
		||||
<head>
 | 
			
		||||
  <meta charset="utf-8">
 | 
			
		||||
  <meta name="viewport" content="width=device-width, initial-scale=1">
 | 
			
		||||
  <meta name="description" content="">
 | 
			
		||||
  <title>Bridgehead Overview</title>
 | 
			
		||||
  <!-- Bootstrap core CSS -->
 | 
			
		||||
  <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/css/bootstrap.min.css" rel="stylesheet"
 | 
			
		||||
    integrity="sha384-1BmE4kWBq78iYhFldvKuhfTAU6auU8tT94WrHftjDbrCEXSU1oBoqyl2QvZ6jIW3" crossorigin="anonymous">
 | 
			
		||||
  <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js"
 | 
			
		||||
    integrity="sha384-ka7Sk0Gln4gmtz2MlQnikT1wXgYsOg+OMhuP+IlRH9sENBO0LRn5q+8nbTov4+1p"
 | 
			
		||||
    crossorigin="anonymous"></script>
 | 
			
		||||
 | 
			
		||||
</head>
 | 
			
		||||
 | 
			
		||||
<body class="d-flex flex-column min-vh-100">
 | 
			
		||||
 | 
			
		||||
  <nav class="navbar navbar-light" style="background-color: #aad7f6;">
 | 
			
		||||
    <h2 class="pb-2 border-bottom">Bridgehead ${site_name}</h2>
 | 
			
		||||
  </nav>
 | 
			
		||||
  <div class="container px-4 py-5" id="featured-3">
 | 
			
		||||
    <div>
 | 
			
		||||
      <h2>Components</h2>
 | 
			
		||||
      <h3>Central</h3>
 | 
			
		||||
      <table class="table">
 | 
			
		||||
        <thead class="thead-dark">
 | 
			
		||||
          <tr>
 | 
			
		||||
            <th style="width: 50%">Group</th>
 | 
			
		||||
            <th style="width: 50%">Service</th>
 | 
			
		||||
          </tr>
 | 
			
		||||
        </thead>
 | 
			
		||||
        <tbody>
 | 
			
		||||
          ${CENTRAL_SERVICES}
 | 
			
		||||
        </tbody>
 | 
			
		||||
      </table>
 | 
			
		||||
    </div>
 | 
			
		||||
 | 
			
		||||
    <div>
 | 
			
		||||
      <h3>Local</h3>
 | 
			
		||||
      <table class="table">
 | 
			
		||||
        <thead class="thead-dark">
 | 
			
		||||
          <tr>
 | 
			
		||||
            <th style="width: 50%">Project</th>
 | 
			
		||||
            <th style="width: 50%">Services</th>
 | 
			
		||||
          </tr>
 | 
			
		||||
        </thead>
 | 
			
		||||
        <tbody>
 | 
			
		||||
          ${LOCAL_SERVICES}
 | 
			
		||||
        </tbody>
 | 
			
		||||
      </table>
 | 
			
		||||
    </div>
 | 
			
		||||
    <footer class="footer mt-auto py-3">
 | 
			
		||||
     <a href="https://dktk.dkfz.de/"><img src="https://www.oncoray.de/fileadmin/files/bilder_gruppen/DKTK/Logo_DKTK_neu_2016.jpg" style="max-width: 30%; height: auto;"></a> DKTK 2022<span style="float: right;"><a href="https://github.com/samply/bridgehead"><button type="button" class="btn btn-primary">Documentaion</button></a></span>
 | 
			
		||||
    </footer>
 | 
			
		||||
</body>
 | 
			
		||||
 | 
			
		||||
</html>
 | 
			
		||||
EOL
 | 
			
		||||
										0
								lib/log.sh
										Normal file → Executable file
							@@ -43,21 +43,30 @@ fi
 | 
			
		||||
 | 
			
		||||
# TODO: Make sure you're in the right directory, or, even better, be independent from the working directory.
 | 
			
		||||
 | 
			
		||||
log INFO "Checking ssl cert"
 | 
			
		||||
log INFO "Checking ssl cert for accessing bridgehead via https"
 | 
			
		||||
 | 
			
		||||
if [ ! -d "certs" ]; then
 | 
			
		||||
  log WARN "TLS cert missing, we'll now create a self-signed one. Please consider getting an officially signed one (e.g. via Let's Encrypt ...)"
 | 
			
		||||
  mkdir -p certs
 | 
			
		||||
if [ ! -d "/etc/bridgehead/traefik-tls" ]; then
 | 
			
		||||
  log WARN "TLS certs for accessing bridgehead via https missing, we'll now create a self-signed one. Please consider getting an officially signed one (e.g. via Let's Encrypt ...) and put into /etc/bridgehead/traefik-tls"
 | 
			
		||||
  mkdir -p /etc/bridgehead/traefik-tls
 | 
			
		||||
fi
 | 
			
		||||
 | 
			
		||||
if [ ! -e "certs/traefik.crt" ]; then
 | 
			
		||||
  openssl req -x509 -newkey rsa:4096 -nodes -keyout certs/traefik.key -out certs/traefik.crt -days 3650 -subj "/CN=$HOST"
 | 
			
		||||
if [ ! -e "/etc/bridgehead/traefik-tls/fullchain.pem" ]; then
 | 
			
		||||
  openssl req -x509 -newkey rsa:4096 -nodes -keyout /etc/bridgehead/traefik-tls/privkey.pem -out /etc/bridgehead/traefik-tls/fullchain.pem -days 3650 -subj "/CN=$HOST"
 | 
			
		||||
fi
 | 
			
		||||
 | 
			
		||||
if [ -e /etc/bridgehead/vault.conf ]; then
 | 
			
		||||
	if [ "$(stat -c "%a %U" /etc/bridgehead/vault.conf)" != "600 bridgehead" ]; then
 | 
			
		||||
  if [ "$(stat -c "%a %U" /etc/bridgehead/vault.conf)" != "600 bridgehead" ]; then
 | 
			
		||||
    fail_and_report 1 "/etc/bridgehead/vault.conf has wrong owner/permissions. To correct this issue, run chmod 600 /etc/bridgehead/vault.conf && chown bridgehead /etc/bridgehead/vault.conf."
 | 
			
		||||
	fi
 | 
			
		||||
  fi
 | 
			
		||||
fi
 | 
			
		||||
 | 
			
		||||
log INFO "Checking your beam proxy private key"
 | 
			
		||||
 | 
			
		||||
if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then
 | 
			
		||||
  log INFO "Success - private key found."
 | 
			
		||||
else
 | 
			
		||||
  log ERROR "Unable to find private key at /etc/bridgehead/pki/${SITE_ID}.priv.pem. To fix, please run bridgehead enroll ${PROJECT} and follow the instructions".
 | 
			
		||||
  exit 1
 | 
			
		||||
fi
 | 
			
		||||
 | 
			
		||||
log INFO "Success - all prerequisites are met!"
 | 
			
		||||
 
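Review bot: The new beam private-key check only tests existence, whereas the vault.conf check a few lines above also verifies `600 bridgehead` mode and owner; the key is at least as sensitive, and the enroll action in this commit only runs `chmod 600` without setting an owner, so the same `stat -c "%a %U"` comparison belongs here (with enroll then also setting the owner, if the service reads the key as the bridgehead user as the vault.conf check suggests). The literal path should come from `"$PRIVATEKEYFILENAME"`, which ccp/vars defines in this commit, rather than being repeated twice. The `log ERROR` line has a stray `.` after the closing quote, which is passed to `log` as part of the message; move it inside the quotes. The self-signed fallback writes `privkey.pem` with whatever mode the installed openssl applies by default — confirm it is owner-only, or follow the `openssl req` with an explicit `chmod 600`.
```bash
# … unchanged: TLS cert generation and vault.conf check …
log INFO "Checking your beam proxy private key"

if [ -e "$PRIVATEKEYFILENAME" ]; then
  if [ "$(stat -c "%a %U" "$PRIVATEKEYFILENAME")" != "600 bridgehead" ]; then
    fail_and_report 1 "$PRIVATEKEYFILENAME has wrong owner/permissions. To correct this issue, run chmod 600 $PRIVATEKEYFILENAME && chown bridgehead $PRIVATEKEYFILENAME."
  fi
  log INFO "Success - private key found."
else
  log ERROR "Unable to find private key at $PRIVATEKEYFILENAME. To fix, please run bridgehead enroll ${PROJECT} and follow the instructions."
  exit 1
fi
```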
 | 
			
		||||
@@ -1,4 +1,4 @@
 | 
			
		||||
tls:
 | 
			
		||||
  certificates:
 | 
			
		||||
    - certFile: /certs/traefik.crt
 | 
			
		||||
      keyFile: /certs/traefik.key
 | 
			
		||||
    - certFile: /certs/fullchain.pem
 | 
			
		||||
      keyFile: /certs/privkey.pem
 | 
			
		||||
 
 | 
			
		||||
@@ -1,6 +1,17 @@
 | 
			
		||||
#!/bin/bash
 | 
			
		||||
source lib/functions.sh
 | 
			
		||||
 | 
			
		||||
AUTO_HOUSEKEEPING=${AUTO_HOUSEKEEPING:-true}
 | 
			
		||||
 | 
			
		||||
if [ "$AUTO_HOUSEKEEPING" == "true" ]; then
 | 
			
		||||
	A="Performing automatic maintenance: Cleaning docker images."
 | 
			
		||||
	hc_send log "$A"
 | 
			
		||||
	log INFO "$A"
 | 
			
		||||
	docker system prune -a -f
 | 
			
		||||
else
 | 
			
		||||
	log WARN "Automatic housekeeping disabled (variable AUTO_HOUSEKEEPING != \"true\")"
 | 
			
		||||
fi
 | 
			
		||||
 | 
			
		||||
hc_send log "Checking for bridgehead updates ..."
 | 
			
		||||
 | 
			
		||||
CONFFILE=/etc/bridgehead/$1.conf
 | 
			
		||||
@@ -19,7 +30,10 @@ checkOwner /etc/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong
 | 
			
		||||
 | 
			
		||||
CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
 | 
			
		||||
 | 
			
		||||
CHANGES=""
 | 
			
		||||
 | 
			
		||||
# Check git updates
 | 
			
		||||
git_updated="false"
 | 
			
		||||
for DIR in /etc/bridgehead $(pwd); do
 | 
			
		||||
  log "INFO" "Checking for updates to git repo $DIR ..."
 | 
			
		||||
  if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then
 | 
			
		||||
@@ -37,9 +51,10 @@ for DIR in /etc/bridgehead $(pwd); do
 | 
			
		||||
    git -c http.proxy=$HTTP_PROXY_URL -c https.proxy=$HTTPS_PROXY_URL -C $DIR pull 2>&1
 | 
			
		||||
  fi
 | 
			
		||||
  new_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
 | 
			
		||||
  git_updated="false"
 | 
			
		||||
  if [ "$old_git_hash" != "$new_git_hash" ]; then
 | 
			
		||||
    log "INFO" "Updated git repository in ${DIR} from commit $old_git_hash to $new_git_hash"
 | 
			
		||||
    CHANGE="Updated git repository in ${DIR} from commit $old_git_hash to $new_git_hash"
 | 
			
		||||
    CHANGES+="- $CHANGE\n"
 | 
			
		||||
    log "INFO" "$CHANGE"
 | 
			
		||||
    # NOTE: Link generation doesn't work on repositories placed at an self-hosted instance of bitbucket.
 | 
			
		||||
    # See: https://community.atlassian.com/t5/Bitbucket-questions/BitBucket-4-14-diff-between-any-two-commits/qaq-p/632974
 | 
			
		||||
    git_repository_url="$(git -C $DIR remote get-url origin)"
 | 
			
		||||
@@ -63,14 +78,16 @@ docker_updated="false"
 | 
			
		||||
for IMAGE in $(cat $PROJECT/docker-compose.yml | grep "image:" | sed -e 's_^.*image: \(.*\).*$_\1_g; s_\"__g'); do
 | 
			
		||||
  log "INFO" "Checking for Updates of Image: $IMAGE"
 | 
			
		||||
  if docker pull $IMAGE | grep "Downloaded newer image"; then
 | 
			
		||||
    log "INFO" "$IMAGE updated."
 | 
			
		||||
    CHANGE="Image $IMAGE updated."
 | 
			
		||||
    CHANGES+="- $CHANGE\n"
 | 
			
		||||
    log "INFO" "$CHANGE"
 | 
			
		||||
    docker_updated="true"
 | 
			
		||||
  fi
 | 
			
		||||
done
 | 
			
		||||
 | 
			
		||||
# If anything is updated, restart service
 | 
			
		||||
if [ $git_updated = "true" ] || [ $docker_updated = "true" ]; then
 | 
			
		||||
  RES="Update detected, now restarting bridgehead"
 | 
			
		||||
  RES="Updates detected, now restarting bridgehead:\n$CHANGES"
 | 
			
		||||
  log "INFO" "$RES"
 | 
			
		||||
  hc_send log "$RES"
 | 
			
		||||
  sudo /bin/systemctl restart bridgehead@*.service
 | 
			
		||||
 
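Review bot: `docker system prune -a -f` in the first hunk of this file removes every image not referenced by a running container, not just dangling layers, so if any bridgehead service happens to be stopped when this runs — or the registry is unreachable during the pull loop that follows — its last working image is gone and the restart at the end of the section has nothing to fall back to; `docker image prune -f` (dangling only) keeps the cleanup without that exposure, and the choice deserves a comment next to the `AUTO_HOUSEKEEPING` default. `CHANGES+="- $CHANGE\n"` and `RES="Updates detected, now restarting bridgehead:\n$CHANGES"` build literal backslash-n sequences; they only become line breaks if `log` and `hc_send` expand them (`echo -e` / `printf '%b'`), which is not visible here — confirm, or use `$'\n'`. A one-line comment stating where an operator is expected to set `AUTO_HOUSEKEEPING` (site .conf versus service environment) would also help, since the default makes the prune opt-out. The `for IMAGE` loop and the final `if` continue outside the hunks.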
 | 
			
		||||
@@ -1,11 +0,0 @@
 | 
			
		||||
#!/bin/bash
 | 
			
		||||
### This is the configuration file for secrets, only your site should know
 | 
			
		||||
 | 
			
		||||
##Setting Network properties
 | 
			
		||||
export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
 | 
			
		||||
export HOST=
 | 
			
		||||
 | 
			
		||||
export site_name=
 | 
			
		||||
### Write the Project you want to start with the brigdehead
 | 
			
		||||
##Exmaple project=dktk-fed
 | 
			
		||||
export project=
 | 
			
		||||