Add Ovis to the CCP modules in the bridgehead #375
Open
tm16-medma wants to merge 49 commits into
Please ignore the command in mongo :) It will be replaced soon with proper user authentication
…on to sh
- Removed the traefik service and renamed traefik-forward-auth to ovis- with ovis-traefik-forward-auth the labels, however would need help there as I got no knowledge of how OAuth2 works (Torben initialized that container)
- Updated MongoDB service configuration to include a direct initialization script for user and operation collections in the sh instead of in the compose directly
- Adjusted volume paths to only use the /var/cache/bridgehead/ccp directory
- Adjusted frontend and backend service labels for Traefik routing to not use ports
- Cleaned up unnecessary network definitions and volumes.
- Renamed FHIR Server URL to bridgehead-ccp-blaze:8080/fhir
- Removed redundant entrypoint (python main.py) of fhir transformer
- Replaced GUI_HOST with HOST
- Removed NODE_ENV
- Combine init_onco and backend service
- removed node_modules and .svelte-kit volumes
- removed mongodb volumes
- adjusted http_proxy and https_proxy
- adjusted path prefix from oaut2 to oauth2-ovis
- removed network-mode "host" in fhir-transformer service
Update ovis-compose.yml
lablans
requested changes
Mar 19, 2026
Threated
reviewed
Mar 19, 2026
Author
Thanks for the comments and your time, we will adjust most of them, others need changes in the application itself for that to work, which takes a bit longer.
TKussel
reviewed
Mar 19, 2026
tm16-medma
added a commit
that referenced
this pull request
Mar 23, 2026
…tracts
Apply the PR #375 review feedback by removing Bridgehead-specific compose/setup overrides that duplicated upstream OVIS behavior and by switching to the upstream-built Mongo image that already contains init logic.
- rename CCP OVIS services to consistent upstream-style names (`ovis-*`) and update internal dependencies
- switch Mongo service image from direct `mongo:latest` + host-mounted init script to `docker.verbis.dkfz.de/ovis/ovis-backend-mongodb:latest`
- remove obsolete Mongo init bind mount (`/docker-entrypoint-initdb.d/init.js`) from compose
- drop redundant runtime overrides from compose (`restart`, `command`, `user`, `working_dir`)
- remove duplicated app-default/preprocessor env overrides (`OVIS_PREPROC_*`, misc backend defaults) and keep deployment wiring only
- fix Mongo connection env usage to `ADDRESS` and point services to `ovis-backend-database-mongodb`
- remove temporary root-compat Traefik redirect shim and keep mounted `/ccp-ovis` routing labels
- remove setup-time generation of Mongo init.js and related cache directory prep from `ccp/modules/ovis-setup.sh`
Removed unnecessary Traefik router configurations for compatibility.
Updated FHIR credentials to empty strings in ovis-compose.yml
Removed dependency condition on the blaze service.
Removed proxy configuration from ovis-compose.yml.
Removed unused FHIR configuration variables from ovis-compose.yml.
Threated
requested changes
Mar 23, 2026
Collapse the `/ccp-ovis` slash-redirect and prefix-strip flow into one `ovis-frontend-ccp` router by attaching both middlewares in order (redirect, then strip). This removes redundant router labels while preserving canonical `/ccp-ovis -> /ccp-ovis/` behavior and mounted-path forwarding to the frontend service.
patrick-skowronek
requested changes
Mar 23, 2026
Threated
approved these changes
Mar 23, 2026
Changed the image for the ovis-frontend service to use the new `ovis-frontend-ccp` tag, reflecting the latest version. Removed unnecessary environment variables to streamline the configuration.
TKussel
approved these changes
Mar 23, 2026
patrick-skowronek
approved these changes
Mar 23, 2026
Introduced a new service, `ovis-traefik-forward-auth`, to handle authentication via oauth2-proxy. Updated Traefik routing for existing services to integrate the new middleware, ensuring secure access control. Adjusted logging in ovis-setup.sh to reflect the addition of the oauth2-proxy middleware in the OVIS setup process.
Configured new environment variables for the ovis-frontend service, including OVIS_PUBLIC_BASE_PATH, PUBLIC_GRAPHQL_URL, PUBLIC_LOGIN_ENABLED, and PUBLIC_OVIS_IMPORT, to enhance service configuration and accessibility.
Member
For the oauth to work you need to add: `add_private_oidc_redirect_url "/oauth2-ovis/callback"` to your setup.sh
…pose.yml Replaced the existing middleware for path prefix stripping with a new middleware, ensuring proper handling of the `/ccp-ovis` path. This change enhances the routing setup by integrating both the slash-redirect and prefix-strip middlewares for improved service accessibility.
…e.yml. This change temporarily disables the integration of the slash-redirect and prefix-strip middlewares for the `ovis-frontend-ccp` router, allowing for further testing and adjustments.
…e.yml Changed the service name for the OVIS frontend load balancer from `ovis-frontend` to `ovis-frontend-ccp`, ensuring consistency with the updated routing setup.
Changed the image reference for the ovis-frontend service to use the updated `ovis-frontend` tag, ensuring consistency with the latest deployment standards.
…compose file Enhanced the OVIS setup by introducing support for custom OIDC CA files in the oauth2-proxy configuration. Updated the ovis-compose.yml to include new environment variables and volume mounts for trusted CA certificates. Modified the ovis-setup.sh script to detect and log the presence of custom CA files, ensuring secure communication with OIDC providers.
…ogging Updated the ovis-setup.sh script to improve handling of the trusted CA directory, ensuring that the oauth2-proxy uses the system trust store if the directory is missing. Adjusted logging messages for clarity regarding the detection of custom OIDC CA files, specifically focusing on .crt files. Additionally, added a new environment variable for TLS_CA_CERTIFICATES_DIR in the ovis-compose.yml file to support trusted CA certificates.
Enhanced the ovis-setup.sh script to include a comprehensive log message when the OVIS module is enabled. This update provides clear visual feedback during the initialization process, indicating that OVIS services will start with local oauth2-proxy middleware.
Updated the ovis-setup.sh script to support both .crt and .pem certificate files for OIDC providers. Enhanced validation of CA candidates with improved logging to indicate skipped non-certificate files and clarified messages regarding the presence of valid CA files. This ensures better feedback during the OVIS module initialization process.
…ose file Eliminated the environment variables and volume mounts related to trusted CA certificates in both the ovis-compose.yml and ovis-setup.sh files. This streamlines the configuration by relying solely on the system trust store for OIDC provider communication, simplifying the initialization process for the OVIS module.
…ompose.yml Removed outdated labels for the ovis-backend service and updated the middleware configuration for the ovis-frontend-ccp service to ensure proper routing and authentication. This streamlines the service setup and enhances clarity in the configuration.
Introduced the APP_DOMAIN variable to the OVIS service configuration, allowing for dynamic domain assignment based on the HOST environment variable. This enhancement improves flexibility in service deployment.
Replaced the APP_DOMAIN variable with ORIGIN for improved clarity in the OVIS frontend service configuration. Additionally, removed the stripprefix middleware from the Traefik router setup to streamline routing and enhance service management.
patrick-skowronek
requested changes
Mar 31, 2026
| version: "3.7" | ||
|
|
||
| services: | ||
| ovis-traefik-forward-auth: |
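Review bot: The top-level `version: "3.7"` key on the first line is obsolete under the Compose Specification; current Docker Compose ignores it and prints a warning on every run. Consider dropping that line so the file starts directly at `services:`.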
Contributor
container_name missing
No description provided.