Exporter, Teiler, QB, DataSHIELD #164

Merged
merged 216 commits into from
Mar 19, 2024
Changes from 213 commits
Commits
216 commits
2e6edb6
Add Teiler UI and Teiler module
djuarezgf Feb 10, 2023
20e2b2a
Add nngm and exliquid modules
djuarezgf Feb 10, 2023
c916a35
Change images of dktk-teiler and dktk-keycloak
djuarezgf Feb 10, 2023
6340acd
Bugfix: services in teiler-ui-compose.yml
djuarezgf Feb 10, 2023
eb17d8c
Configure login extern URLs
djuarezgf Feb 13, 2023
6626f86
Rename teiler to exporter
djuarezgf Feb 13, 2023
49be101
Rename teiler to exporter (bugfix)
djuarezgf Feb 13, 2023
38c7f3c
beautiful config
Feb 14, 2023
c66dac9
update keycloak config
Feb 20, 2023
8fe03a6
Add original Keycloak config
djuarezgf Feb 14, 2023
efc04ce
Update Teiler Core config
djuarezgf Feb 15, 2023
4d1a9bb
Add Endpoint for Teiler
djuarezgf Feb 21, 2023
17f52a7
Add Teiler Core
djuarezgf Feb 21, 2023
c9b1975
Tidy teiler and mtba volumes
djuarezgf Mar 15, 2023
9299a20
Deactivate traefik for mtba
djuarezgf Mar 15, 2023
e2d1095
Add forward strategy to teiler-core
djuarezgf Mar 15, 2023
3e0bf38
Add forward strategy to teiler-core
djuarezgf Mar 15, 2023
c794508
Add stripprefix to teiler-core
djuarezgf Mar 16, 2023
0a17bbc
Add stripprefix to teiler-ui
djuarezgf Mar 16, 2023
4bbd2a1
Change volume names for teiler components
djuarezgf Mar 22, 2023
3a91259
Add keycloak teiler app to teiler-ui
djuarezgf Mar 22, 2023
fe07c63
Adapt teiler-ui to traefik
djuarezgf Mar 22, 2023
0cfe1d3
Change salt string for exporter and login
djuarezgf Apr 11, 2023
32de51e
Merge id-management-setup with main
djuarezgf Apr 11, 2023
72255e6
Bugfix: cross origins of exporter
djuarezgf Apr 11, 2023
0b1e047
Add DataSHIELD
djuarezgf Apr 12, 2023
dfde7c1
Experiment
djuarezgf Apr 12, 2023
bedc2ca
Add beam connect to docker-compose
lablans Apr 25, 2023
68782d1
Experiment
djuarezgf Apr 25, 2023
325ae1d
beam connect and move beam-connect config
lablans Apr 25, 2023
b5ce188
Fix beam connect app id
lablans Apr 25, 2023
996f53a
expose beam connect ports
lablans Apr 25, 2023
43ab595
Add Opal Password in Exporter
djuarezgf Apr 25, 2023
04cf512
Remove mongo db
djuarezgf Apr 26, 2023
5e376b1
Remove unnecessary volumes
djuarezgf Apr 27, 2023
687dbba
Add opal certificate
djuarezgf May 16, 2023
e9e1ce5
ccp.conf in teiler-core as secret
djuarezgf May 16, 2023
f2f4886
Change cert permission and location
Threated May 24, 2023
6438fc5
Change beam-connect version and load opal cert
Threated May 24, 2023
bc239c0
change to dockerhub image
Threated May 24, 2023
276f886
secrets are readonly by default
Threated May 24, 2023
20c6533
Switch to `no-auth` branch of beam-connect
Threated May 25, 2023
2d7d1d7
Add reporter
djuarezgf Jul 5, 2023
5148e33
Add parameter LOG_FHIR_VALIDATION to exporter
djuarezgf Jul 6, 2023
50360d3
update new broker
djuarezgf Jul 7, 2023
c003999
Migrate to new app key syntax
Threated Jul 17, 2023
36ac8d4
Add http scheme to exporter
djuarezgf Jul 18, 2023
09aa33c
Generate passwords only if modules are enabled
djuarezgf Jul 19, 2023
a1e76a6
Remove ports of beam-connect in datashield-compose.yml
djuarezgf Jul 19, 2023
0866cac
Use postgres if docker.verbis.dkfz.de
djuarezgf Aug 2, 2023
c8bafb2
R-Server rock-base:6.3
djuarezgf Aug 3, 2023
e182e2f
Remove unnecessary version of docker-compose.override files
djuarezgf Aug 3, 2023
43c45f0
Remove todo in rstudio
djuarezgf Aug 3, 2023
840096d
Enable only if true
djuarezgf Aug 3, 2023
73d969e
Use LDM_PASSWORD for all admin passwords
lablans Aug 4, 2023
9b8331e
Update ccp/modules/datashield-compose.yml
lablans Aug 4, 2023
4441536
Update ccp/modules/datashield-compose.yml
lablans Aug 4, 2023
50d28d2
Generate DATASHIELD_CONNECT_SECRET automatically
lablans Aug 4, 2023
f3745b9
Use default user rstudio in rstudio
djuarezgf Aug 9, 2023
a6443a6
Remove IS_DKTK_SITE
djuarezgf Aug 9, 2023
75c86b7
Add Teiler Admin to Keycloak
djuarezgf Aug 9, 2023
10a362c
Add explanation why is the volume of exporter-db currently so importa…
djuarezgf Aug 9, 2023
be9adcb
Remove clean temp files configuration of exporter
djuarezgf Aug 9, 2023
c4c4f74
Remove updater cron of teiler-core
djuarezgf Aug 9, 2023
e7f6c0b
Add default language to ccp
djuarezgf Aug 9, 2023
d97ac56
Generate exporter api key automatically
djuarezgf Aug 9, 2023
7ed24f6
Export and QB Curl templates
djuarezgf Aug 9, 2023
2616523
Enable Login, Teiler and Exporter
djuarezgf Aug 9, 2023
bb7451d
Add JAVA_OPTS to reporter and exporter
djuarezgf Aug 10, 2023
846e9c2
Add DataSHIELD module documentation
djuarezgf Aug 10, 2023
adeaf43
Add Exporter module documentation
djuarezgf Aug 10, 2023
e3b8a73
Add login module documentation
djuarezgf Aug 10, 2023
b4805af
Add some docs about beam-connect
Threated Aug 10, 2023
957fa64
Add teiler-ui module documentation
djuarezgf Aug 10, 2023
c52975f
Add mtba module documentation
djuarezgf Aug 10, 2023
5d8bec5
Bugfix: JAVA_OPTS for exporter
djuarezgf Aug 10, 2023
6cfb42d
Comment on export and report volumes
djuarezgf Aug 10, 2023
839e7a4
Comment on datashield volume
djuarezgf Aug 10, 2023
973b582
Remove old comment of exporter-setup.sh
djuarezgf Aug 10, 2023
f26a8f7
Fix comment in login-compose.yml
djuarezgf Aug 10, 2023
4b0b174
Comment Keycloak volume
djuarezgf Aug 10, 2023
2b61775
Enable datashield
djuarezgf Aug 11, 2023
765613b
Bugfix: MTBA path prefix
djuarezgf Aug 11, 2023
963144c
Disable datashield
djuarezgf Aug 11, 2023
cfc3c7c
Bugfix: exporter
djuarezgf Aug 11, 2023
8d38adc
Bugfix: mtba labels
djuarezgf Aug 11, 2023
ff1f790
Add forward proxy to teiler-core
djuarezgf Aug 14, 2023
14aece4
Add site to exporter and reporter
djuarezgf Aug 14, 2023
2b3eabe
Rename Teiler Backend, Teiler Dashboard and Teiler Orchestrator
djuarezgf Aug 17, 2023
7207832
Bugfix: LDM_AUTH instead of LDM_PASSWORD
djuarezgf Sep 4, 2023
ccf0b91
#!/bin/bash -e
djuarezgf Sep 4, 2023
4aa8f0f
Bugfix: Add version in every docker compose file
djuarezgf Sep 11, 2023
862e452
Cache opal in /var/cache/bridgehead
lablans Sep 15, 2023
b5ca5ea
Autogenerate maps for Opal's beam-connect. To be completed by @Threat…
lablans Sep 15, 2023
f38d9f8
Rework commented sections
lablans Sep 15, 2023
c33726d
Exporter cache
lablans Sep 15, 2023
13a74e5
Move exporter db to /var/cache/bridgehead
lablans Sep 15, 2023
9cdcf2a
Rewrite comments
lablans Sep 15, 2023
7714527
Add ccp to /var/cache/bridgehead/* volumes
djuarezgf Sep 15, 2023
5c7da0d
Auto generate mappings
Threated Sep 15, 2023
452946a
Add all sites
Threated Sep 15, 2023
e2f31b6
Make sure copy works and the correct owner is set
Threated Sep 15, 2023
dcddbf2
Bugfix: Add version of docker-compose
djuarezgf Sep 18, 2023
3a6520a
Update ccp/modules/mtba.md
djuarezgf Sep 18, 2023
3dfc4cf
Postgres 15.4 in datashield, exporter and login
djuarezgf Sep 19, 2023
c8fc355
Bugfix: Exporter and Reporter /var/cache volumes
djuarezgf Sep 19, 2023
2237562
Prevent anonymous volume creation
lablans Sep 22, 2023
c1020c5
Bugfix: datashield local.json as array
djuarezgf Sep 22, 2023
0039efa
Add docu about login in teiler
djuarezgf Sep 22, 2023
89c90d3
/var/cache for mtba
djuarezgf Sep 26, 2023
ec64074
Update export template script: FHIR_QUERY to FHIR_PATH
djuarezgf Oct 10, 2023
058d1c8
Use newest version of `beam-connect`
Threated Oct 23, 2023
876c4ef
Make Opal use proxy server
lablans Oct 24, 2023
77240ff
Use Bridgehead's internal http proxy
lablans Oct 24, 2023
178867c
Prevent creation of volumes
lablans Oct 25, 2023
a2c2425
Remove nngmSetup in vars
djuarezgf Nov 3, 2023
8d4f487
MTBA 1.0.0
djuarezgf Nov 29, 2023
90ee8d6
Externalize postgres version
lablans Feb 9, 2024
afb6330
Remove unnecessary version of docker-compose.override files
djuarezgf Aug 3, 2023
b87d746
Remove unnecessary version of docker-compose.override files
djuarezgf Aug 3, 2023
d3edb5e
Bugfix: Add version in every docker compose file
djuarezgf Sep 11, 2023
8e171b7
Remove unnecessary version of docker-compose.override files
djuarezgf Aug 3, 2023
3d13695
Bugfix: Add version in every docker compose file
djuarezgf Sep 11, 2023
cec3dfe
Add secret sync to the bridgehead
Threated Nov 7, 2023
f854ab5
Update to new secret-sync semantics
Threated Nov 13, 2023
4115319
Setup hostname earlier
Threated Nov 16, 2023
93a9132
Make sure path exists
Threated Nov 16, 2023
dc3d549
Integrate central Keycloak in Teiler
djuarezgf Nov 17, 2023
0015365
Generate additional redirect url
Threated Nov 20, 2023
3c8ec73
Update oidc provider to new url
Threated Nov 21, 2023
bb076c5
Add function generate_redirect_urls
djuarezgf Nov 23, 2023
043e12b
Remove port handling when generating redirect url
Threated Nov 23, 2023
131b52f
Account for ip address host values
Threated Nov 23, 2023
9ebbf2e
Bugfix: Export /var/cache/bridgehead/secrets as environment variables
djuarezgf Nov 23, 2023
163650f
Add generate_password function
djuarezgf Nov 23, 2023
8486abe
Add R-Studio Admin Password
djuarezgf Nov 23, 2023
e32f484
Add keycloak configuration
djuarezgf Nov 24, 2023
903ef0d
Add Keycloak to MTBA
djuarezgf Nov 27, 2023
ae965fd
Add proxy to R-Studio for loading R packages
djuarezgf Nov 28, 2023
f696585
Add comment about PASSWORD and DISABLE_AUTH in R-Studio
djuarezgf Nov 28, 2023
0cd4ede
Add oauth2_proxy
djuarezgf Nov 29, 2023
b44a208
Better redirect url handling
Threated Nov 30, 2023
5d4d040
fix: public client generation
Threated Nov 30, 2023
f9b26b6
Use develop branch for mtba
djuarezgf Nov 30, 2023
25ac4d2
mtba latest
djuarezgf Nov 30, 2023
0b2e64a
add /oauth2/callback and /mtba to Keycloak private client
djuarezgf Nov 30, 2023
e411883
mtba develop
djuarezgf Nov 30, 2023
28a612f
add default template-ids of exporter and reporter
djuarezgf Dec 1, 2023
148e873
move OAUTH2_SECRET
djuarezgf Dec 1, 2023
0a2dbb4
fix: Restrict rstudio network access
Threated Dec 8, 2023
3710973
feat: Add token-manager to beam
Threated Dec 12, 2023
9f31e95
fix: generate the right beam connect mappings
Threated Dec 13, 2023
b73ddc8
fix: Change permissions on new bridgehead dirs
Threated Dec 13, 2023
1edcdce
fix: beam connect site renaming
Threated Dec 13, 2023
b34f4f2
fix: chown syntax
Threated Dec 13, 2023
d3da426
fix: opal ssl cert
Threated Dec 13, 2023
2a024e7
fix: only change permissions on related files
Threated Dec 13, 2023
fa141f8
fix: undo permission changes on startup
Threated Dec 13, 2023
8e5ddc4
teiler-orchestrator and teiler-dashboard latest
djuarezgf Dec 13, 2023
f6dac70
Only users of group DataSHIELD can use R-Studio
djuarezgf Dec 13, 2023
44d7b34
Use last version of mtba
djuarezgf Dec 13, 2023
0793ea9
Use develop version of mtba
djuarezgf Dec 13, 2023
37f100d
Default values for MTBA
djuarezgf Dec 13, 2023
643e9e6
Added: Enable MTBA and Enable DataSHIELD to Teiler Backend
djuarezgf Dec 14, 2023
977ad13
Added: allowed-groups
djuarezgf Dec 14, 2023
d62f5a4
Add central token manager beam id
Threated Dec 21, 2023
2f04e51
Add test sites
Threated Dec 21, 2023
e54475f
Added: volume for opal metadata db
djuarezgf Dec 21, 2023
01efc6f
Added: volume for opal metadata db (II)
djuarezgf Dec 21, 2023
935c45b
Added: volume for opal metadata db (III)
djuarezgf Dec 21, 2023
f0a05b1
fix: Generate stable passwords
Threated Dec 22, 2023
c60c9fc
fix: Use strong pw for opal
Threated Dec 22, 2023
4e3cd68
Only sync secrets on startup
Threated Jan 22, 2024
92a1f4b
Add `dsCCPhos`
Threated Jan 22, 2024
01d3a38
refactor: Use jq from docker
Threated Jan 31, 2024
224c147
fix: Correctly set file permissions
Threated Jan 31, 2024
32ffb33
fix: Only give writeable dirs the docker role
Threated Feb 5, 2024
51e8888
Use latest jq
Threated Feb 6, 2024
af3e523
Added: Proxy to R-Studio oauth2-proxy
djuarezgf Feb 6, 2024
4a9427a
fix: Use forward proxy for secret sync
Threated Feb 6, 2024
b241fee
fix: Pull oauth2 proxy from harbor
Threated Feb 7, 2024
f3fa1ce
fix: secret sync account for minimal override
Threated Feb 7, 2024
64250d9
refactor: Use beam proxy directly as proxy
Threated Feb 8, 2024
1995997
fix: Wait for forward proxy to start
Threated Feb 8, 2024
97a558d
Removed: Login-compose
djuarezgf Feb 13, 2024
cea577b
Removed: login-compose
djuarezgf Feb 14, 2024
ef8866b
fix: Start oauth proxy after forward_proxy is ready
Threated Feb 15, 2024
2eb56e6
Integrate central Keycloak in Teiler
djuarezgf Nov 17, 2023
29d2bc0
Add Keycloak to MTBA
djuarezgf Nov 27, 2023
8a197ce
Add oauth2_proxy
djuarezgf Nov 29, 2023
9a1860c
Removed: / from groups
djuarezgf Feb 13, 2024
19d0fef
Changed: master realm
djuarezgf Feb 13, 2024
f72e7c7
Changed: replace keycloak with oidc
djuarezgf Feb 13, 2024
3e44dab
chore: Rename datashield mappings to datashield sites
Threated Feb 19, 2024
fb4da54
chore: Add mannheim to datashield sites
Threated Feb 19, 2024
74eb86f
fix: Update permissions on update
Threated Feb 21, 2024
db96927
fix: Fix if syntax
Threated Feb 21, 2024
7245ddc
Merge pull request #158 from samply/main
Threated Feb 28, 2024
7478d80
refactor: Move vars to their setup files
Threated Mar 11, 2024
1a233b8
Merge pull request #163 from samply/refactor/datashield
djuarezgf Mar 13, 2024
f88dfb5
Merge pull request #145 from samply/feature/datashield-central-keycloak
djuarezgf Mar 13, 2024
5a6322f
refactor: Move oauth2 proxy related things to datashield setup
Threated Mar 14, 2024
1f17fad
fix: Dont change ownership of all files under /tmp/bridgehead and /va…
Threated Mar 14, 2024
6969a7a
Remove unnecessary comment
djuarezgf Mar 18, 2024
ff06782
Remove todo
djuarezgf Mar 18, 2024
349027e
Rename oauth2_proxy docker service to oauth2-proxy
djuarezgf Mar 18, 2024
591d95e
Remove empty line
djuarezgf Mar 18, 2024
8cb33c2
Add warning if ENABLE_EXPORTER is not set or set to true
djuarezgf Mar 18, 2024
3a8df37
Update lib/functions.sh
djuarezgf Mar 18, 2024
3180d0f
Replace | openssl rsautl -sign with | sha1sum | openssl pkeyutl -sign
djuarezgf Mar 18, 2024
d8b9498
Update minimal/docker-compose.yml
djuarezgf Mar 18, 2024
480bbe0
Changed: TEILER_DEFAULT_LANGUAGE
djuarezgf Mar 18, 2024
adf8e35
Remove empty file (teiler-ui-compose.yml)
djuarezgf Mar 18, 2024
896b24b
Use bridgehead log functions in datashield setup
TKussel Mar 19, 2024
ec6f930
Fix spelling of log WARN
TKussel Mar 19, 2024
4fac079
Merge branch 'main' into feature/datashield
patrickskowronekdkfz Mar 19, 2024
2 changes: 1 addition & 1 deletion .gitignore
@@ -1,7 +1,7 @@
##Ignore site configuration
.gitmodules
site-config/*

.idea
## Ignore site configuration
*/docker-compose.override.yml

2 changes: 2 additions & 0 deletions bbmri/modules/directory-sync-compose.yml
@@ -1,3 +1,5 @@
version: "3.7"

services:
directory_sync_service:
image: "docker.verbis.dkfz.de/cache/samply/directory_sync_service"
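Review bot: the image reference `docker.verbis.dkfz.de/cache/samply/directory_sync_service` on the context line carries no tag, so every `up` pulls whatever `latest` resolves to at that moment; pin a tag (or better a digest) so a registry-side change cannot silently alter what the bridgehead runs. The added `version: "3.7"` is harmless, but Compose v2 ignores the top-level `version` attribute and warns that it is obsolete, so the commit's goal of adding it to every compose file buys nothing on current Compose releases and can be dropped rather than propagated.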
3 changes: 2 additions & 1 deletion bridgehead
@@ -50,6 +50,7 @@ loadVars() {
source /etc/bridgehead/$PROJECT.local.conf || fail_and_report 1 "Found /etc/bridgehead/$PROJECT.local.conf but failed to import"
fi
fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Unable to fetchVarsFromVaultByFile"
setHostname
[ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
set +a
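Review bot: `setHostname` now runs inside the `set -a` block before `./$PROJECT/vars` is sourced, which only makes sense if that vars file (or the compose files it feeds) references the hostname variable, but nothing in the hunk says so; add a one-line comment, because the same call was previously placed after `detectCompose` and the next person to reorder this function will not know what depends on it. Also, unlike the `source` and `fetchVarsFromVaultByFile` lines directly above it, `setHostname` has no `|| fail_and_report 1 "..."`, so if it fails the variable it is meant to set stays empty and the problem only surfaces later, when Compose interpolates an empty `${HOST}` into Traefik rules and OIDC redirect URLs.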

@@ -64,7 +65,6 @@ loadVars() {
OVERRIDE+=" -f ./$PROJECT/docker-compose.override.yml"
fi
detectCompose
setHostname
setupProxy

# Set some project-independent default values
@@ -89,6 +89,7 @@ case "$ACTION" in
loadVars
hc_send log "Bridgehead $PROJECT startup: Checking requirements ..."
checkRequirements
sync_secrets
hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..."
exec $COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit
;;
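Review bot: `sync_secrets` is called bare between `checkRequirements` and the `exec $COMPOSE ... up`; with the script running under `bash -e` (see the `#!/bin/bash -e` commit in this PR) a failing sync aborts startup with no `hc_send` report, while a sync function that swallows its own errors lets Compose start against stale or empty secret files. Mirror the pattern used in `loadVars` (`sync_secrets || fail_and_report 1 "Secret sync failed"`) so the failure is reported to the health check, and keep the existing `hc_send log "... Requirements checked out ..."` line after it so the health-check timeline shows that secrets were synced before the containers came up.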
171 changes: 171 additions & 0 deletions ccp/modules/datashield-compose.yml
@@ -0,0 +1,171 @@
version: "3.7"

services:
rstudio:
container_name: bridgehead-rstudio
image: docker.verbis.dkfz.de/ccp/dktk-rstudio:latest
environment:
#DEFAULT_USER: "rstudio" # This line is kept for informational purposes
PASSWORD: "${RSTUDIO_ADMIN_PASSWORD}" # It is required, even if the authentication is disabled
DISABLE_AUTH: "true" # https://rocker-project.org/images/versioned/rstudio.html#how-to-use
HTTP_RELATIVE_PATH: "/rstudio"
ALL_PROXY: "http://forward_proxy:3128" # https://rocker-project.org/use/networking.html
labels:
- "traefik.enable=true"
- "traefik.http.routers.rstudio_ccp.rule=PathPrefix(`/rstudio`)"
- "traefik.http.services.rstudio_ccp.loadbalancer.server.port=8787"
- "traefik.http.middlewares.rstudio_ccp_strip.stripprefix.prefixes=/rstudio"
- "traefik.http.routers.rstudio_ccp.tls=true"
- "traefik.http.routers.rstudio_ccp.middlewares=oidcAuth,rstudio_ccp_strip"
networks:
- rstudio

opal:
container_name: bridgehead-opal
image: docker.verbis.dkfz.de/ccp/dktk-opal:latest
labels:
- "traefik.enable=true"
- "traefik.http.routers.opal_ccp.rule=PathPrefix(`/opal`)"
- "traefik.http.services.opal_ccp.loadbalancer.server.port=8080"
- "traefik.http.routers.opal_ccp.tls=true"
links:
- opal-rserver
- opal-db
environment:
JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC -Dhttps.proxyHost=forward_proxy -Dhttps.proxyPort=3128"
# OPAL_ADMINISTRATOR_USER: "administrator" # This line is kept for informational purposes
OPAL_ADMINISTRATOR_PASSWORD: "${OPAL_ADMIN_PASSWORD}"
POSTGRESDATA_HOST: "opal-db"
POSTGRESDATA_DATABASE: "opal"
POSTGRESDATA_USER: "opal"
POSTGRESDATA_PASSWORD: "${OPAL_DB_PASSWORD}"
ROCK_HOSTS: "opal-rserver:8085"
APP_URL: "https://${HOST}/opal"
APP_CONTEXT_PATH: "/opal"
OPAL_PRIVATE_KEY: "/run/secrets/opal-key.pem"
OPAL_CERTIFICATE: "/run/secrets/opal-cert.pem"
OIDC_URL: "${OIDC_URL}"
OIDC_REALM: "${OIDC_REALM}"
OIDC_CLIENT_ID: "${OIDC_PRIVATE_CLIENT_ID}"
OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
OIDC_ADMIN_GROUP: "${OIDC_ADMIN_GROUP}"
TOKEN_MANAGER_PASSWORD: "${TOKEN_MANAGER_OPAL_PASSWORD}"
EXPORTER_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
BEAM_APP_ID: token-manager.${PROXY_ID}
BEAM_SECRET: ${TOKEN_MANAGER_SECRET}
BEAM_DATASHIELD_PROXY: request-manager
volumes:
- "/var/cache/bridgehead/ccp/opal-metadata-db:/srv" # Opal metadata
secrets:
- opal-cert.pem
- opal-key.pem

opal-db:
container_name: bridgehead-opal-db
image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
environment:
POSTGRES_PASSWORD: "${OPAL_DB_PASSWORD}" # Set in datashield-setup.sh
POSTGRES_USER: "opal"
POSTGRES_DB: "opal"
volumes:
- "/var/cache/bridgehead/ccp/opal-db:/var/lib/postgresql/data" # Opal project data (imported from exporter)

opal-rserver:
container_name: bridgehead-opal-rserver
image: docker.verbis.dkfz.de/ccp/dktk-rserver # datashield/rock-base + dsCCPhos
tmpfs:
- /srv

beam-connect:
image: docker.verbis.dkfz.de/cache/samply/beam-connect:develop
container_name: bridgehead-datashield-connect
environment:
PROXY_URL: "http://beam-proxy:8081"
TLS_CA_CERTIFICATES_DIR: /run/secrets
APP_ID: datashield-connect.${SITE_ID}.${BROKER_ID}
PROXY_APIKEY: ${DATASHIELD_CONNECT_SECRET}
DISCOVERY_URL: "./map/central.json"
LOCAL_TARGETS_FILE: "./map/local.json"
NO_AUTH: "true"
secrets:
- opal-cert.pem
depends_on:
- beam-proxy
volumes:
- /tmp/bridgehead/opal-map/:/map/:ro
networks:
- default
- rstudio

traefik:
labels:
- "traefik.http.middlewares.oidcAuth.forwardAuth.address=http://oauth2-proxy:4180/"
- "traefik.http.middlewares.oidcAuth.forwardAuth.trustForwardHeader=true"
- "traefik.http.middlewares.oidcAuth.forwardAuth.authResponseHeaders=X-Auth-Request-Access-Token,Authorization"
networks:
- default
- rstudio
forward_proxy:
networks:
- default
- rstudio

beam-proxy:
environment:
APP_datashield-connect_KEY: ${DATASHIELD_CONNECT_SECRET}
APP_token-manager_KEY: ${TOKEN_MANAGER_SECRET}

# TODO: Allow users of group /DataSHIELD and OIDC_USER_GROUP at the same time:
# Maybe a solution would be (https://oauth2-proxy.github.io/oauth2-proxy/configuration/oauth_provider):
# --allowed-groups=/DataSHIELD,OIDC_USER_GROUP
oauth2-proxy:
image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest
container_name: bridgehead-oauth2proxy
command: >-
--allowed-group=DataSHIELD
--oidc-groups-claim=${OIDC_GROUP_CLAIM}
--auth-logging=true
--whitelist-domain=${HOST}
--http-address="0.0.0.0:4180"
--reverse-proxy=true
--upstream="static://202"
--email-domain="*"
--cookie-name="_BRIDGEHEAD_oauth2"
--cookie-secret="${OAUTH2_PROXY_SECRET}"
--cookie-expire="12h"
--cookie-secure="true"
--cookie-httponly="true"
#OIDC settings
--provider="keycloak-oidc"
--provider-display-name="VerbIS Login"
--client-id="${OIDC_PRIVATE_CLIENT_ID}"
--client-secret="${OIDC_CLIENT_SECRET}"
--redirect-url="https://${HOST}${OAUTH2_CALLBACK}"
--oidc-issuer-url="${OIDC_ISSUER_URL}"
--scope="openid email profile"
--code-challenge-method="S256"
--skip-provider-button=true
#X-Forwarded-Header settings - true/false depending on your needs
--pass-basic-auth=true
--pass-user-headers=false
--pass-access-token=false
labels:
- "traefik.enable=true"
- "traefik.http.routers.oauth2_proxy.rule=Host(`${HOST}`) && PathPrefix(`/oauth2`, `/oauth2/callback`)"
- "traefik.http.services.oauth2_proxy.loadbalancer.server.port=4180"
- "traefik.http.routers.oauth2_proxy.tls=true"
environment:
http_proxy: "http://forward_proxy:3128"
https_proxy: "http://forward_proxy:3128"
depends_on:
forward_proxy:
condition: service_healthy

secrets:
opal-cert.pem:
file: /tmp/bridgehead/opal-cert.pem
opal-key.pem:
file: /tmp/bridgehead/opal-key.pem

networks:
rstudio:
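Review bot: the `oauth2-proxy` service passes `--cookie-secret="${OAUTH2_PROXY_SECRET}"` and `--client-secret="${OIDC_CLIENT_SECRET}"` as command-line arguments, so both are readable via `docker inspect` and in the container's process list; oauth2-proxy reads every flag from an `OAUTH2_PROXY_<FLAG>` environment variable (`OAUTH2_PROXY_COOKIE_SECRET`, `OAUTH2_PROXY_CLIENT_SECRET`), so move them to `environment:` or a secret file, as is already done for the Opal key material. Further points in the same file: (1) the `traefik` labels list `X-Auth-Request-Access-Token,Authorization` in `forwardAuth.authResponseHeaders`, but with `--pass-access-token=false` and no `--set-xauthrequest` or `--set-basic-auth` oauth2-proxy sets neither header on its auth response, so either enable those flags deliberately or drop the list so it does not suggest that RStudio receives the user's token; (2) `rstudio` runs with `DISABLE_AUTH: "true"`, so any container attached to the `rstudio` network (`traefik`, `forward_proxy`, `beam-connect`) can reach port 8787 as the rstudio user without passing `oidcAuth`; the network isolation is the real control here and deserves a comment saying so, and each service on that network should be justified; (3) `dktk-rstudio:latest`, `dktk-opal:latest`, `dktk-rserver` (untagged), `beam-connect:develop` and `oauth2-proxy:latest` are all floating references, so pin tags or digests for anything that handles OIDC secrets or Opal data; (4) the `opal-key.pem` secret is sourced from `/tmp/bridgehead/opal-key.pem`, a shared, tmp-cleaner-managed directory, so the private key should live under `/var/cache/bridgehead` or `/etc/bridgehead` with 0600 permissions, consistent with where `opal-db` and `opal-metadata-db` already live; (5) the TODO about allowing two groups can be resolved now, since `--allowed-group` may be given more than once (`--allowed-group=DataSHIELD --allowed-group=${OIDC_USER_GROUP}`); (6) `links:` on `opal` is a legacy Compose feature made redundant by the default network, and `PathPrefix(`/oauth2`, `/oauth2/callback`)` is redundant because the first prefix already matches the second.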