Conversation
Please ignore the command in mongo :) It will be replaced soon with proper user authentication
…on to sh
- Removed the traefik service and renamed traefik-forward-auth to ovis- with ovis-traefik-forward-auth the labels, however would need help there as I got no knowledge of how OAuth2 works (Torben initialized that container)
- Updated MongoDB service configuration to include a direct initialization script for user and operation collections in the sh instead of in the compose directly
- Adjusted volume paths to only use the /var/cache/bridgehead/ccp directory
- Adjusted frontend and backend service labels for Traefik routing to not use ports
- Cleaned up unnecessary network definitions and volumes.
- Renamed FHIR Server URL to bridgehead-ccp-blaze:8080/fhir
- Removed redundant entrypoint (python main.py) of fhir transformer
ccp/modules/ovis-compose.yml
Outdated
| - "traefik.enable=true" | ||
| - "traefik.http.routers.ovis-frontend.tls=true" | ||
| - "traefik.http.routers.ovis-frontend.rule=Host(`${GUI_HOST:-localhost}`)" | ||
| # - "traefik.http.routers.lens.middlewares=traefik-forward-auth" |
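Review bot: The commented-out middleware label on the last line targets a router named `lens` and a middleware named `traefik-forward-auth`, while the router the surrounding labels define is `ovis-frontend` and the middleware defined further down in this file is `ovis-traefik-forward-auth`; uncommenting it as-is would therefore attach nothing to the frontend. Suggest `- "traefik.http.routers.ovis-frontend.middlewares=ovis-traefik-forward-auth"` so the forward-auth check actually sits in front of the UI.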
To activate authentication, this needs to be uncommented
ccp/modules/ovis-compose.yml
Outdated
| - "traefik.http.routers.ovis-frontend.rule=Host(`${GUI_HOST:-localhost}`)" | ||
| # - "traefik.http.routers.lens.middlewares=traefik-forward-auth" | ||
| - "traefik.http.services.ovis-frontend.loadbalancer.server.port=5173" | ||
| volumes: |
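Review bot: `loadbalancer.server.port=5173` is the Vite dev server's default port, which together with the `NODE_ENV=development` label elsewhere in this file suggests Traefik is routing to a development server rather than a production build; please confirm which server the image actually starts, since dev servers ship unminified sources and HMR endpoints and are not meant to be exposed on a deployed bridgehead.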
What purpose does this volume serve? As far as I know, /app/.svelte-kit contains the application (frontend and backend) and, besides using docker watch for faster development iterations, I don't see any benefit in having this.
ccp/modules/ovis-compose.yml
Outdated
| fhir-transformer: | ||
| image: docker.verbis.dkfz.de/ovis/adt-mon-gql-fhir-transformer:latest | ||
| restart: on-failure | ||
| network_mode: "host" |
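Review bot: `image: ...:latest` makes the deployed transformer non-reproducible and means a `docker compose pull` can silently change what runs at a site; pin the tag to a release version (or a digest) here and likewise for the `oauth2-proxy:latest` image used by the forward-auth service. `network_mode: "host"` additionally takes the container out of the compose network, so docker service names would not resolve from it, and the process gains access to every host interface.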
Is network_mode host relevant? The fhir transformer seems to access the fhir db via the internal docker service name, so the container shouldn't need to jump in on the host network.
It's not relevant, so it has also been removed.
ccp/modules/ovis-compose.yml
Outdated
| - "traefik.http.middlewares.ovis-traefik-forward-auth.forwardauth.address=http://ovis-traefik-forward-auth:4180" | ||
| - "traefik.http.middlewares.ovis-traefik-forward-auth.forwardauth.authResponseHeaders=Authorization, X-Forwarded-User, X-Auth-Request-User, X-Auth-Request-Email" | ||
| - "traefik.http.services.ovis-traefik-forward-auth.loadbalancer.server.port=4180" | ||
| - "traefik.http.routers.oauth2.rule=Host(`${GUI_HOST:-localhost}`) && PathPrefix(`/oauth2/`)" |
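Review bot: Besides the `PathPrefix`, the router name `oauth2` in the last line lives in Traefik's global router namespace, so another module declaring `traefik.http.routers.oauth2.*` labels would collide with it in the same way; rename it to something module-specific such as `ovis-oauth2`. Note also that the `forwardauth.address` and the `authResponseHeaders` list only take effect for routers that reference this middleware by its exact name, `ovis-traefik-forward-auth`.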
Here it would be good to use /oauth2-ovis/ as PathPrefix. This is necessary to avoid conflicts with the id-management (ccp/modules/id-management-compose.yml) or datashield modules.
Path prefix changed from oauth2 to oauth2-ovis.
ccp/modules/ovis-compose.yml
Outdated
| ovis-traefik-forward-auth: | ||
| image: quay.io/oauth2-proxy/oauth2-proxy:latest | ||
| environment: | ||
| - http_proxy=${http_proxy} |
Best is to use http://forward_proxy:3128 for http_proxy and https_proxy. The forward proxy is commonly established by the minimal module and handles communication with the site proxy.
http://forward_proxy:3128 now set as default value for http_proxy and https_proxy
ccp/modules/ovis-compose.yml
Outdated
| - OAUTH2_PROXY_CLIENT_ID=${OAUTH_CLIENT_ID} | ||
| - OAUTH2_PROXY_CLIENT_SECRET=${OAUTH_CLIENT_SECRET} | ||
| - OAUTH2_PROXY_COOKIE_SECRET=${AUTHENTICATION_SECRET} | ||
| - OAUTH2_PROXY_COOKIE_DOMAINS=.${GUI_HOST:-localhost} |
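Review bot: `OAUTH2_PROXY_COOKIE_DOMAINS=.${GUI_HOST:-localhost}` with the leading dot scopes the session cookie to every subdomain of the host, and since `localhost` has no registrable domain, browsers may drop a cookie carrying `Domain=.localhost`, so local testing can behave differently from a deployed host; drop the leading dot unless subdomains genuinely need the cookie. `OAUTH2_PROXY_COOKIE_SECRET` must be a random value of 16, 24 or 32 bytes (oauth2-proxy rejects other lengths), so make sure `AUTHENTICATION_SECRET` is generated that way rather than reused from another purpose, and document where `OAUTH_CLIENT_SECRET` is expected to come from, as it is being passed as a plain environment variable.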
In the bridgehead we already have the environment variable HOST defined. I would adjust all occurrences of GUI_HOST to HOST.
The GUI_HOST environment variable has now been changed to HOST.
ccp/modules/ovis-compose.yml
Outdated
| command: mongod | ||
| volumes: | ||
| - /var/cache/bridgehead/ccp/ovis/mongo/mongo_db:/data/db | ||
| - /var/cache/bridgehead/ccp/ovis/mongo/mongo_conf:/data/configdb |
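Review bot: `command: mongod` starts the database with no access control, so any container on the compose network can read and write the user and operation collections unauthenticated; the commit comment already flags this as temporary, so please leave a TODO in the file and track it, and when authentication is added prefer `MONGO_INITDB_ROOT_USERNAME`/`MONGO_INITDB_ROOT_PASSWORD` sourced from a secret over putting credentials on the command line.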
Is it necessary to mount mongo_conf to the host? Is this needed to persist the configuration across restarts, or will the init.js script automatically apply the necessary config with each restart?
mongo_conf and mongo_db have now been removed, as OVis is unaffected when both volumes are removed.
ccp/modules/ovis-compose.yml
Outdated
| - ADRESS=${ADRESS:-mongodb://mongo:27017} | ||
| volumes: | ||
| - /var/cache/bridgehead/ccp/ovis/shared_data:/shared | ||
| - /var/cache/bridgehead/ccp/ovis/init_onco/node_modules:/app/node_modules |
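Review bot: `ADRESS=${ADRESS:-mongodb://mongo:27017}` carries no credentials, which matches the unauthenticated `mongod` above but will have to change when authentication lands; at that point pass the connection string (or at least the password) via a file or secret rather than an environment variable, since env vars are visible in `docker inspect` and to every process in the container. The spelling `ADRESS` is presumably what the backend reads, so it should stay, but it is worth checking against the application code.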
Is it necessary to mount the node modules outside of the container?
node_modules have been removed. I assumed they were necessary as they were in the initial OVis docker file, but they are not; same with every other volume like .svelte-kit, it got included in the original Dockerfile, so I left it, but yeah, now all those unnecessary volumes have been removed.
ccp/modules/ovis-compose.yml
Outdated
| - /var/cache/bridgehead/ccp/ovis/mongo/mongo_conf:/data/configdb | ||
| - /var/cache/bridgehead/ccp/ovis/mongo/init/init.js:/docker-entrypoint-initdb.d/init.js | ||
|
|
||
| init_onco: |
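Review bot: The init.js mounted into `/docker-entrypoint-initdb.d/` is executed by the official mongo image only when the data directory is empty on first start, so if the `mongo_db` volume is dropped as discussed in this thread, the script (and whatever it seeds) reruns on every container recreation and anything written to the database in between is lost; if the volume is kept, edits to init.js never reach an existing database. Whichever behaviour is intended should be stated in the module's docs so operators know what to expect.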
What is the purpose of init_onco? It is the same container as backend but with another entrypoint?
init_onco's entrypoint has now been merged with backend, so init_onco has been removed.
ccp/modules/ovis-compose.yml
Outdated
| restart: always | ||
| environment: | ||
| - NODE_ENV=development | ||
| - VITE_GRAPHQL_URL=http://localhost:${APOLLO_PORT:-4001}/graphql |
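Review bot: `VITE_GRAPHQL_URL` is an `import.meta.env` value that Vite substitutes into the client bundle at build time, so setting it as a runtime environment variable only has an effect if the frontend is built (or served by the dev server) inside this container; a prebuilt image will ignore it. The value also uses `http://` while the frontend router above sets `tls=true`, so a browser that loaded the UI over HTTPS will block the GraphQL call as mixed content; route the GraphQL endpoint through Traefik under the same host and TLS (for example a path prefix on the backend's router) instead of pointing at `localhost:4001`.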
Will OVis do the call to the GraphQL backend via the browser or a backend in the frontend application? If via frontend, you would need to replace localhost with ${HOST}. If via backend, the service name backend should be enough.
Maybe NODE_ENV should also not be development; what happens if this is removed?
It's via frontend, so localhost got replaced with HOST, but it is still set to localhost as the default value, because I could only test it locally.
- Replaced GUI_HOST with HOST
- Removed NODE_ENV
- Combined init_onco and backend service
- Removed node_modules and .svelte-kit volumes
- Removed mongodb volumes
- Adjusted http_proxy and https_proxy
- Adjusted path prefix from oauth2 to oauth2-ovis
- Removed network_mode "host" in fhir-transformer service