diff --git a/dbrepo-gateway-service/dbrepo.conf b/dbrepo-gateway-service/dbrepo.conf
index fe98534bd8ddc43e42bdb1a55ad0192a86236621..659300566efe5e3aad1b80ea2450791e5bbb92e6 100644
--- a/dbrepo-gateway-service/dbrepo.conf
+++ b/dbrepo-gateway-service/dbrepo.conf
@@ -18,9 +18,9 @@ server {
 
     location /dashboard/ {
         rewrite  ^/dashboard/(.*)  /$1 break;
-        proxy_set_header        Host $http_host;
         proxy_set_header        X-Real-IP $remote_addr;
         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Host $host;
         proxy_set_header        X-Forwarded-Proto $scheme;
         proxy_pass              http://dashboard-ui:3000;
         proxy_read_timeout      90;
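Review bot: With the `Host` line removed from `location /dashboard/`, nginx falls back to its default `Host: $proxy_host` (here `dashboard-ui:3000`), so the backend learns the public hostname only from `X-Forwarded-Host $host`, and `$host` comes from the client's request. The same swap repeats in every later hunk of this file, so each upstream has to be configured to read that header and to trust it only when it arrives from this gateway. The `server` block should also pin an explicit `server_name` and reject unknown hosts; neither is visible in these hunks. I would document the intent above the first location, e.g. `# Host is intentionally not forwarded; upstreams read X-Forwarded-Host and must trust it only from this gateway`. The location block closes outside the hunk.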
@@ -29,9 +29,9 @@ server {
     # Proxy Grafana Live WebSocket connections.
     location /dashboard/api/live/ {
         rewrite  ^/dashboard/(.*)  /$1 break;
-        proxy_set_header        Host $http_host;
         proxy_set_header        X-Real-IP $remote_addr;
         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Host $host;
         proxy_set_header        X-Forwarded-Proto $scheme;
         proxy_set_header        Upgrade $http_upgrade;
         proxy_set_header        Connection $connection_upgrade;
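Review bot: Dropping `Host` on the Grafana Live location may break the WebSocket handshake. Grafana checks the browser's `Origin` against the host it sees, and that host is now the upstream name rather than the public one. Unless Grafana's own configuration (root URL and allowed origins, not shown here) already covers the public hostname, connections would presumably be rejected as an origin mismatch; the same concern applies to `/dashboard/` in the previous hunk. If Grafana's settings are meant to stay untouched, keeping `proxy_set_header Host $host;` in these two locations is the smaller change. The block continues outside the hunk.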
@@ -42,9 +42,9 @@ server {
 
     # Proxy Keycloak OIDC connections, c.f. https://www.keycloak.org/server/reverseproxy#_exposed_path_recommendations
     location /realms {
-        proxy_set_header        Host $host;
         proxy_set_header        X-Real-IP $remote_addr;
         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Host $host;
         proxy_set_header        X-Forwarded-Proto $scheme;
         proxy_pass              http://auth-service:8080;
         proxy_read_timeout      90;
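Review bot: For `/realms` (and `/resources` in the next hunk) Keycloak only honours `X-Forwarded-Host` when it is started with forwarded-header parsing enabled. The README hunk of this same commit drops the `authservice.extraStartupArgs` row whose default was `--hostname-strict false --proxy-headers xforwarded`. If that option is not set elsewhere, issuer and redirect URLs would be built from `auth-service:8080`. If it is set while hostname strictness stays off, the issuer follows a client-influenced header. Either way a fixed public hostname on the Keycloak side is the safer pairing, and a comment here naming the required Keycloak setting would help, e.g. `# requires Keycloak to run with --proxy-headers xforwarded and a fixed hostname`.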
@@ -52,45 +52,45 @@ server {
 
     # Proxy Keycloak assets, c.f. https://www.keycloak.org/server/reverseproxy#_exposed_path_recommendations
     location /resources {
-        proxy_set_header        Host $host;
         proxy_set_header        X-Real-IP $remote_addr;
         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Host $host;
         proxy_set_header        X-Forwarded-Proto $scheme;
         proxy_pass              http://auth-service:8080;
         proxy_read_timeout      90;
     }
 
     location /api/search {
-        proxy_set_header        Host $host;
         proxy_set_header        X-Real-IP $remote_addr;
         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Host $host;
         proxy_set_header        X-Forwarded-Proto $scheme;
         proxy_pass              http://search-service:8080;
         proxy_read_timeout      90;
     }
 
     location /api/datasource {
-        proxy_set_header        Host $host;
         proxy_set_header        X-Real-IP $remote_addr;
         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Host $host;
         proxy_set_header        X-Forwarded-Proto $scheme;
         proxy_pass              http://dashboard-service:8080;
         proxy_read_timeout      90;
     }
 
     location /api/dashboard {
-        proxy_set_header        Host $host;
         proxy_set_header        X-Real-IP $remote_addr;
         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Host $host;
         proxy_set_header        X-Forwarded-Proto $scheme;
         proxy_pass              http://dashboard-service:8080;
         proxy_read_timeout      90;
     }
 
     location /api/upload {
-        proxy_set_header        Host $host;
         proxy_set_header        X-Real-IP $remote_addr;
         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Host $host;
         proxy_set_header        X-Forwarded-Proto $scheme;
         proxy_set_header        X-Forwarded-Host $host;
         proxy_pass              http://data-service:8080;
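Review bot: In `location /api/upload` the added `proxy_set_header X-Forwarded-Host $host;` duplicates the identical directive that already sits two lines below it, after `X-Forwarded-Proto`. nginx would presumably emit the header twice, and an upstream that joins repeated headers would then see `host, host` and could build wrong upload URLs from it. Drop one of the two lines so this block matches the other locations. The block closes outside the hunk.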
@@ -102,63 +102,63 @@ server {
     }
 
     location /api/analyse {
-        proxy_set_header        Host $host;
         proxy_set_header        X-Real-IP $remote_addr;
         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Host $host;
         proxy_set_header        X-Forwarded-Proto $scheme;
         proxy_pass              http://analyse-service:8080;
         proxy_read_timeout      90;
     }
 
     location ~ "/api/database/([0-9a-f]{8}-[0-9a-f]{4}-[4][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12})/table/([0-9a-f]{8}-[0-9a-f]{4}-[4][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12})/(data|statistic|history)" {
-        proxy_set_header        Host $host;
         proxy_set_header        X-Real-IP $remote_addr;
         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Host $host;
         proxy_set_header        X-Forwarded-Proto $scheme;
         proxy_pass              http://data-service:8080;
         proxy_read_timeout      90;
     }
 
     location ~ "/api/database/([0-9a-f]{8}-[0-9a-f]{4}-[4][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12})/view/([0-9a-f]{8}-[0-9a-f]{4}-[4][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12})/(data|statistic)" {
-        proxy_set_header        Host $host;
         proxy_set_header        X-Real-IP $remote_addr;
         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Host $host;
         proxy_set_header        X-Forwarded-Proto $scheme;
         proxy_pass              http://data-service:8080;
         proxy_read_timeout      90;
     }
 
     location ~ "/api/database/([0-9a-f]{8}-[0-9a-f]{4}-[4][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12})/view" {
-        proxy_set_header        Host $host;
         proxy_set_header        X-Real-IP $remote_addr;
         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Host $host;
         proxy_set_header        X-Forwarded-Proto $scheme;
         proxy_pass              http://metadata-service:8080;
         proxy_read_timeout      90;
     }
 
     location ~ "/api/database/([0-9a-f]{8}-[0-9a-f]{4}-[4][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12})/subset" {
-        proxy_set_header        Host $host;
         proxy_set_header        X-Real-IP $remote_addr;
         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Host $host;
         proxy_set_header        X-Forwarded-Proto $scheme;
         proxy_pass              http://data-service:8080;
         proxy_read_timeout      600;
     }
 
     location ~ "/api/(database|concept|container|identifier|image|message|license|oai|ontology|unit|user)" {
-        proxy_set_header        Host $host;
         proxy_set_header        X-Real-IP $remote_addr;
         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Host $host;
         proxy_set_header        X-Forwarded-Proto $scheme;
         proxy_pass              http://metadata-service:8080;
         proxy_read_timeout      90;
     }
 
     location ~ "/api/identifier/([0-9a-f]{8}-[0-9a-f]{4}-[4][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12})" {
-        proxy_set_header        Host $host;
         proxy_set_header        X-Real-IP $remote_addr;
         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Host $host;
         proxy_set_header        X-Forwarded-Proto $scheme;
         proxy_pass              http://metadata-service:8080;
         proxy_read_timeout      90;
@@ -166,18 +166,18 @@ server {
 
     location ~ "/pid/([0-9a-f]{8}-[0-9a-f]{4}-[4][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12})" {
         rewrite /pid/(.*) /api/identifier/$1 break;
-        proxy_set_header        Host $host;
         proxy_set_header        X-Real-IP $remote_addr;
         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Host $host;
         proxy_set_header        X-Forwarded-Proto $scheme;
         proxy_pass              http://metadata-service:8080;
         proxy_read_timeout      90;
     }
 
     location / {
-        proxy_set_header        Host $host;
         proxy_set_header        X-Real-IP $remote_addr;
         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Host $host;
         proxy_set_header        X-Forwarded-Proto $scheme;
         proxy_pass              http://ui:3000;
         proxy_read_timeout      90;
diff --git a/helm/dbrepo/README.md b/helm/dbrepo/README.md
index 2fd53053375841cfb6bd4934aa6630ed4ce279df..c5edf4d2a87083190f6f26b03aeee264522ff51e 100644
--- a/helm/dbrepo/README.md
+++ b/helm/dbrepo/README.md
@@ -94,7 +94,6 @@ The command removes all the Kubernetes components associated with the chart and
 | `authservice.enabled`                  | Enable the Auth Service.                                                                                          | `true`                                                                                                                                                                                                                                                                                                                                                                                                     |
 | `authservice.image.debug`              | Set the logging level to `trace`. Otherwise, set to `info`.                                                       | `false`                                                                                                                                                                                                                                                                                                                                                                                                    |
 | `authservice.endpoint`                 | The hostname for the microservices.                                                                               | `http://auth-service`                                                                                                                                                                                                                                                                                                                                                                                      |
-| `authservice.extraStartupArgs`         | Extra arguments for the Keycloak container.                                                                       | `--hostname-strict false --proxy-headers xforwarded`                                                                                                                                                                                                                                                                                                                                                       |
 | `authservice.resourcesPreset`          | The container resource presets                                                                                    | `small`                                                                                                                                                                                                                                                                                                                                                                                                    |
 | `authservice.jwt.pubkey`               | The JWT public key from the `dbrepo-client`.                                                                      | `MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqqnHQ2BWWW9vDNLRCcxD++xZg/16oqMo/c1l+lcFEjjAIJjJp/HqrPYU/U9GvquGE6PbVFtTzW1KcKawOW+FJNOA3CGo8Q1TFEfz43B8rZpKsFbJKvQGVv1Z4HaKPvLUm7iMm8Hv91cLduuoWx6Q3DPe2vg13GKKEZe7UFghF+0T9u8EKzA/XqQ0OiICmsmYPbwvf9N3bCKsB/Y10EYmZRb8IhCoV9mmO5TxgWgiuNeCTtNCv2ePYqL/U0WvyGFW0reasIK8eg3KrAUj8DpyOgPOVBn3lBGf+3KFSYi+0bwZbJZWqbC/Xlk20Go1YfeJPRIt7ImxD27R/lNjgDO/MwIDAQAB` |
 | `authservice.client.id`                | The client id for the microservices.                                                                              | `dbrepo-client`                                                                                                                                                                                                                                                                                                                                                                                            |
@@ -344,39 +343,42 @@ mqtt.prefetch = 10
 
 ### User Interface
 
-| Name                                                   | Description                                                                                                       | Value                   |
-| ------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------- | ----------------------- |
-| `ui.enabled`                                           | Enable the Broker Service.                                                                                        | `true`                  |
-| `ui.podSecurityContext.enabled`                        | Enable pods' Security Context                                                                                     | `true`                  |
-| `ui.podSecurityContext.fsGroupChangePolicy`            | Set filesystem group change policy                                                                                | `Always`                |
-| `ui.podSecurityContext.sysctls`                        | Set kernel settings using the sysctl interface                                                                    | `[]`                    |
-| `ui.podSecurityContext.supplementalGroups`             | Set filesystem extra groups                                                                                       | `[]`                    |
-| `ui.podSecurityContext.fsGroup`                        | Set RabbitMQ pod's Security Context fsGroup                                                                       | `1001`                  |
-| `ui.containerSecurityContext.enabled`                  | Enabled containers' Security Context                                                                              | `true`                  |
-| `ui.containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                                  | `{}`                    |
-| `ui.containerSecurityContext.runAsUser`                | Set RabbitMQ containers' Security Context runAsUser                                                               | `1001`                  |
-| `ui.containerSecurityContext.runAsGroup`               | Set RabbitMQ containers' Security Context runAsGroup                                                              | `1001`                  |
-| `ui.containerSecurityContext.runAsNonRoot`             | Set RabbitMQ container's Security Context runAsNonRoot                                                            | `true`                  |
-| `ui.containerSecurityContext.allowPrivilegeEscalation` | Set container's privilege escalation                                                                              | `false`                 |
-| `ui.containerSecurityContext.readOnlyRootFilesystem`   | Set container's Security Context readOnlyRootFilesystem                                                           | `false`                 |
-| `ui.containerSecurityContext.capabilities.drop`        | Set container's Security Context runAsNonRoot                                                                     | `["ALL"]`               |
-| `ui.containerSecurityContext.seccompProfile.type`      | Set container's Security Context seccomp profile                                                                  | `RuntimeDefault`        |
-| `ui.resourcesPreset`                                   | The container resource preset                                                                                     | `micro`                 |
-| `ui.resources`                                         | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}`                    |
-| `ui.public.api.client`                                 | The endpoint for the client api. Defaults to the value of `gateway`.                                              | `""`                    |
-| `ui.public.api.server`                                 | The endpoint for the server api. Defaults to the value of `gateway`.                                              | `""`                    |
-| `ui.public.upload.client`                              | The endpoint for the upload client. Defaults to the value of `gateway` and path `/api/upload/files`.              | `""`                    |
-| `ui.public.title`                                      | The user interface title.                                                                                         | `Database Repository`   |
-| `ui.public.logo`                                       | The user interface logo.                                                                                          | `/logo.svg`             |
-| `ui.public.icon`                                       | The user interface icon.                                                                                          | `/favicon.ico`          |
-| `ui.public.touch`                                      | The user interface apple touch icon.                                                                              | `/apple-touch-icon.png` |
-| `ui.public.broker.host`                                | The displayed broker hostname.                                                                                    | `example.com`           |
-| `ui.public.broker.extra`                               | Extra metadata displayed.                                                                                         | `""`                    |
-| `ui.public.database.extra`                             | Extra metadata displayed.                                                                                         | `""`                    |
-| `ui.public.pid.default.publisher`                      | The default dataset publisher for persisted identifiers.                                                          | `Example University`    |
-| `ui.public.doi.enabled`                                | Enable the display that DOIs are minted.                                                                          | `false`                 |
-| `ui.public.doi.endpoint`                               | The DOI proxy.                                                                                                    | `https://doi.org`       |
-| `ui.replicaCount`                                      | The number of replicas.                                                                                           | `1`                     |
+| Name                                                   | Description                                                                                                                                                                                                                                                                                                          | Value                                                       |
+| ------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------- |
+| `ui.enabled`                                           | Enable the Broker Service.                                                                                                                                                                                                                                                                                           | `true`                                                      |
+| `ui.oidc.authSessionSecret`                            | This should be a at least 48 characters random string. It is used to encrypt the user session.                                                                                                                                                                                                                       | `qJteD-fvcHNafjwDtJOT3pF7IrN1OEzQRcIyPO0xAT4gzct0`          |
+| `ui.oidc.sessionSecret`                                | This should be a at least 48 characters random string. It is used to encrypt the user session.                                                                                                                                                                                                                       | `TjOH1lFnocixYmy5ol2I5cOdsYUdrd5_jZsGxo6aMVPNNDkh`          |
+| `ui.oidc.tokenKey`                                     | This needs to be a random cryptographic AES key in base64. Used to encrypt the server side token store. You can generate a key in JS with await subtle.exportKey('raw', await subtle.generateKey({ name: 'AES-GCM', length: 256, }, true, ['encrypt', 'decrypt'])). You just have to encode it to base64 afterwards. | `data:;base64,ntxOAfrF6yw22Ec1AFHK21iFz7L3PZmz9857Uqwyme0=` |
+| `ui.podSecurityContext.enabled`                        | Enable pods' Security Context                                                                                                                                                                                                                                                                                        | `true`                                                      |
+| `ui.podSecurityContext.fsGroupChangePolicy`            | Set filesystem group change policy                                                                                                                                                                                                                                                                                   | `Always`                                                    |
+| `ui.podSecurityContext.sysctls`                        | Set kernel settings using the sysctl interface                                                                                                                                                                                                                                                                       | `[]`                                                        |
+| `ui.podSecurityContext.supplementalGroups`             | Set filesystem extra groups                                                                                                                                                                                                                                                                                          | `[]`                                                        |
+| `ui.podSecurityContext.fsGroup`                        | Set RabbitMQ pod's Security Context fsGroup                                                                                                                                                                                                                                                                          | `1001`                                                      |
+| `ui.containerSecurityContext.enabled`                  | Enabled containers' Security Context                                                                                                                                                                                                                                                                                 | `true`                                                      |
+| `ui.containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                                                                                                                                                                                                                                     | `{}`                                                        |
+| `ui.containerSecurityContext.runAsUser`                | Set RabbitMQ containers' Security Context runAsUser                                                                                                                                                                                                                                                                  | `1001`                                                      |
+| `ui.containerSecurityContext.runAsGroup`               | Set RabbitMQ containers' Security Context runAsGroup                                                                                                                                                                                                                                                                 | `1001`                                                      |
+| `ui.containerSecurityContext.runAsNonRoot`             | Set RabbitMQ container's Security Context runAsNonRoot                                                                                                                                                                                                                                                               | `true`                                                      |
+| `ui.containerSecurityContext.allowPrivilegeEscalation` | Set container's privilege escalation                                                                                                                                                                                                                                                                                 | `false`                                                     |
+| `ui.containerSecurityContext.readOnlyRootFilesystem`   | Set container's Security Context readOnlyRootFilesystem                                                                                                                                                                                                                                                              | `false`                                                     |
+| `ui.containerSecurityContext.capabilities.drop`        | Set container's Security Context runAsNonRoot                                                                                                                                                                                                                                                                        | `["ALL"]`                                                   |
+| `ui.containerSecurityContext.seccompProfile.type`      | Set container's Security Context seccomp profile                                                                                                                                                                                                                                                                     | `RuntimeDefault`                                            |
+| `ui.resourcesPreset`                                   | The container resource preset                                                                                                                                                                                                                                                                                        | `micro`                                                     |
+| `ui.resources`                                         | Set container requests and limits for different resources like CPU or memory (essential for production workloads)                                                                                                                                                                                                    | `{}`                                                        |
+| `ui.public.api.client`                                 | The endpoint for the client api. Defaults to the value of `gateway`.                                                                                                                                                                                                                                                 | `""`                                                        |
+| `ui.public.api.server`                                 | The endpoint for the server api. Defaults to the value of `gateway`.                                                                                                                                                                                                                                                 | `""`                                                        |
+| `ui.public.upload.client`                              | The endpoint for the upload client. Defaults to the value of `gateway` and path `/api/upload/files`.                                                                                                                                                                                                                 | `""`                                                        |
+| `ui.public.title`                                      | The user interface title.                                                                                                                                                                                                                                                                                            | `Database Repository`                                       |
+| `ui.public.logo`                                       | The user interface logo.                                                                                                                                                                                                                                                                                             | `/logo.svg`                                                 |
+| `ui.public.icon`                                       | The user interface icon.                                                                                                                                                                                                                                                                                             | `/favicon.ico`                                              |
+| `ui.public.touch`                                      | The user interface apple touch icon.                                                                                                                                                                                                                                                                                 | `/apple-touch-icon.png`                                     |
+| `ui.public.broker.host`                                | The displayed broker hostname.                                                                                                                                                                                                                                                                                       | `example.com`                                               |
+| `ui.public.broker.extra`                               | Extra metadata displayed.                                                                                                                                                                                                                                                                                            | `""`                                                        |
+| `ui.public.database.extra`                             | Extra metadata displayed.                                                                                                                                                                                                                                                                                            | `""`                                                        |
+| `ui.public.pid.default.publisher`                      | The default dataset publisher for persisted identifiers.                                                                                                                                                                                                                                                             | `Example University`                                        |
+| `ui.public.doi.enabled`                                | Enable the display that DOIs are minted.                                                                                                                                                                                                                                                                             | `false`                                                     |
+| `ui.public.doi.endpoint`                               | The DOI proxy.                                                                                                                                                                                                                                                                                                       | `https://doi.org`                                           |
+| `ui.replicaCount`                                      | The number of replicas.                                                                                                                                                                                                                                                                                              | `1`                                                         |
 
 ### Dashboard Service
 
diff --git a/helm/dbrepo/charts/seaweedfs-4.2.1.tgz b/helm/dbrepo/charts/seaweedfs-4.2.1.tgz
index 3b21c83737040745d9723e6662e83b1cdef9966e..5a28b277d8fadee69e1b4dd171105febb34e1182 100644
Binary files a/helm/dbrepo/charts/seaweedfs-4.2.1.tgz and b/helm/dbrepo/charts/seaweedfs-4.2.1.tgz differ
diff --git a/helm/dbrepo/templates/auth-configmap.yaml b/helm/dbrepo/templates/auth-configmap.yaml
index 6fe5b9ed1df612dee53a095413d9d48183383f42..8d8340bd9bb3db42e8a1385cdf4a0e631963f525 100644
--- a/helm/dbrepo/templates/auth-configmap.yaml
+++ b/helm/dbrepo/templates/auth-configmap.yaml
@@ -11,6 +11,7 @@ data:
   AUTH_SERVICE_ADMIN: "{{ .Values.authservice.auth.adminUser }}"
   AUTH_SERVICE_ADMIN_PASSWORD: "{{ .Values.authservice.auth.adminPassword }}"
   AUTH_SERVICE_ENDPOINT: "{{ .Values.authservice.endpoint }}"
+  KEYCLOAK_HOSTNAME: "{{ .Values.gateway }}"
   LDAP_ROOT: "{{ .Values.identityservice.global.ldapDomain }}"
   LDAP_ADMIN_DN: "cn={{ .Values.identityservice.global.adminUser }},{{ .Values.identityservice.global.ldapDomain }}"
   LDAP_ADMIN_PASSWORD: "{{ .Values.identityservice.global.adminPassword }}"
diff --git a/helm/dbrepo/templates/gateway-configmap.yaml b/helm/dbrepo/templates/gateway-configmap.yaml
index 79078be7ea5b7457e28b0d17d34c18f847f49cb0..6b8a912db78d4e2d92d331c5158e6fd14f39aa60 100644
--- a/helm/dbrepo/templates/gateway-configmap.yaml
+++ b/helm/dbrepo/templates/gateway-configmap.yaml
@@ -30,11 +30,11 @@ data:
             autoindex_localtime     on;
         }
 
-        location /dashboard {
+        location /dashboard/ {
             rewrite  ^/dashboard/(.*)  /$1 break;
-            proxy_set_header        Host $http_host;
             proxy_set_header        X-Real-IP $remote_addr;
-            proxy_set_header        X-Forwarded-For $proxy_protocol_addr;
+            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header        X-Forwarded-Host $host;
             proxy_set_header        X-Forwarded-Proto $scheme;
             proxy_pass              http://dashboard-ui;
             proxy_read_timeout      90;
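Review bot: `$proxy_add_x_forwarded_for` on the new X-Forwarded-For line keeps whatever X-Forwarded-For value the client sent and only appends `$remote_addr`, so a backend that reads the first entry sees a caller-chosen address. The same line is added in every location of the later hunks of this file, including `/realms` and `/resources`, which go to auth-service while values.yaml sets `proxyHeaders: xforwarded`. If this gateway is the first hop, overwrite the header instead: `proxy_set_header X-Forwarded-For $remote_addr;`. If a trusted load balancer sits in front (not visible here), resolve the client address at server level with `set_real_ip_from <LB_CIDR>;` and `real_ip_header X-Forwarded-For;` and still forward `$remote_addr`. The enclosing server block starts outside this hunk.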
@@ -43,9 +43,9 @@ data:
         # Proxy Grafana Live WebSocket connections.
         location /dashboard/api/live/ {
             rewrite  ^/dashboard/(.*)  /$1 break;
-            proxy_set_header        Host $http_host;
             proxy_set_header        X-Real-IP $remote_addr;
-            proxy_set_header        X-Forwarded-For $proxy_protocol_addr;
+            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header        X-Forwarded-Host $host;
             proxy_set_header        X-Forwarded-Proto $scheme;
             proxy_set_header        Upgrade $http_upgrade;
             proxy_set_header        Connection $connection_upgrade;
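Review bot: Dropping `proxy_set_header Host $http_host;` here and in the `/dashboard/` hunk above makes nginx fall back to its default `Host: $proxy_host`, i.e. the upstream name from `proxy_pass`. If dashboard-ui is Grafana, as the comment suggests, its origin check compares the browser's Origin with the Host it receives, so login POSTs and Live WebSocket upgrades may be rejected unless the dashboard configuration (not visible here) trusts X-Forwarded-Host or lists the public origin. Consider keeping `proxy_set_header Host $host;` in both dashboard locations. This location block continues past the hunk.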
@@ -56,9 +56,9 @@ data:
 
         # Proxy Keycloak OIDC connections, c.f. https://www.keycloak.org/server/reverseproxy#_exposed_path_recommendations
         location /realms {
-            proxy_set_header        Host $host;
             proxy_set_header        X-Real-IP $remote_addr;
-            proxy_set_header        X-Forwarded-For $proxy_protocol_addr;
+            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header        X-Forwarded-Host $host;
             proxy_set_header        X-Forwarded-Proto $scheme;
             proxy_pass              http://auth-service;
             proxy_read_timeout      90;
@@ -66,45 +66,46 @@ data:
 
         # Proxy Keycloak assets, c.f. https://www.keycloak.org/server/reverseproxy#_exposed_path_recommendations
         location /resources {
-            proxy_set_header        Host $host;
             proxy_set_header        X-Real-IP $remote_addr;
-            proxy_set_header        X-Forwarded-For $proxy_protocol_addr;
+            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header        X-Forwarded-Host $host;
             proxy_set_header        X-Forwarded-Proto $scheme;
             proxy_pass              http://auth-service;
             proxy_read_timeout      90;
         }
 
         location /api/search {
-            proxy_set_header        Host $host;
             proxy_set_header        X-Real-IP $remote_addr;
-            proxy_set_header        X-Forwarded-For $proxy_protocol_addr;
+            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header        X-Forwarded-Host $host;
             proxy_set_header        X-Forwarded-Proto $scheme;
             proxy_pass              http://search-service;
             proxy_read_timeout      90;
         }
 
         location /api/datasource {
-            proxy_set_header        Host $host;
             proxy_set_header        X-Real-IP $remote_addr;
-            proxy_set_header        X-Forwarded-For $proxy_protocol_addr;
+            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header        X-Forwarded-Host $host;
             proxy_set_header        X-Forwarded-Proto $scheme;
             proxy_pass              http://dashboard-service;
             proxy_read_timeout      90;
         }
 
         location /api/dashboard {
-            proxy_set_header        Host $host;
             proxy_set_header        X-Real-IP $remote_addr;
-            proxy_set_header        X-Forwarded-For $proxy_protocol_addr;
+            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header        X-Forwarded-Host $host;
             proxy_set_header        X-Forwarded-Proto $scheme;
+            proxy_set_header        X-Forwarded-Host $host;
             proxy_pass              http://dashboard-service;
             proxy_read_timeout      90;
         }
 
         location /api/upload {
-            proxy_set_header        Host $host;
             proxy_set_header        X-Real-IP $remote_addr;
-            proxy_set_header        X-Forwarded-For $proxy_protocol_addr;
+            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header        X-Forwarded-Host $host;
             proxy_set_header        X-Forwarded-Proto $scheme;
             proxy_set_header        X-Forwarded-Host $host;
             proxy_pass              http://data-service;
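Review bot: `X-Forwarded-Host` is now set twice in `location /api/dashboard` (two added lines) and in `location /api/upload` (the added line plus the existing one after `X-Forwarded-Proto`). nginx emits one request header per `proxy_set_header` entry and does not merge entries with the same name, so the upstream most likely receives the header twice. Frameworks that join repeated headers then see `host, host`, which can break absolute URLs or host checks built from it. Remove the second `proxy_set_header        X-Forwarded-Host $host;` in each of the two blocks. The `/api/upload` block continues past this hunk.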
@@ -116,63 +117,63 @@ data:
         }
 
         location /api/analyse {
-            proxy_set_header        Host $host;
             proxy_set_header        X-Real-IP $remote_addr;
-            proxy_set_header        X-Forwarded-For $proxy_protocol_addr;
+            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header        X-Forwarded-Host $host;
             proxy_set_header        X-Forwarded-Proto $scheme;
             proxy_pass              http://analyse-service;
             proxy_read_timeout      90;
         }
 
         location ~ "/api/database/([0-9a-f]{8}-[0-9a-f]{4}-[4][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12})/table/([0-9a-f]{8}-[0-9a-f]{4}-[4][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12})/(data|statistic|history)" {
-            proxy_set_header        Host $host;
             proxy_set_header        X-Real-IP $remote_addr;
-            proxy_set_header        X-Forwarded-For $proxy_protocol_addr;
+            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header        X-Forwarded-Host $host;
             proxy_set_header        X-Forwarded-Proto $scheme;
             proxy_pass              http://data-service;
             proxy_read_timeout      90;
         }
 
         location ~ "/api/database/([0-9a-f]{8}-[0-9a-f]{4}-[4][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12})/view/([0-9a-f]{8}-[0-9a-f]{4}-[4][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12})/(data|statistic)" {
-            proxy_set_header        Host $host;
             proxy_set_header        X-Real-IP $remote_addr;
-            proxy_set_header        X-Forwarded-For $proxy_protocol_addr;
+            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header        X-Forwarded-Host $host;
             proxy_set_header        X-Forwarded-Proto $scheme;
             proxy_pass              http://data-service;
             proxy_read_timeout      90;
         }
 
         location ~ "/api/database/([0-9a-f]{8}-[0-9a-f]{4}-[4][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12})/view" {
-            proxy_set_header        Host $host;
             proxy_set_header        X-Real-IP $remote_addr;
-            proxy_set_header        X-Forwarded-For $proxy_protocol_addr;
+            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header        X-Forwarded-Host $host;
             proxy_set_header        X-Forwarded-Proto $scheme;
             proxy_pass              http://metadata-service;
             proxy_read_timeout      90;
         }
 
         location ~ "/api/database/([0-9a-f]{8}-[0-9a-f]{4}-[4][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12})/subset" {
-            proxy_set_header        Host $host;
             proxy_set_header        X-Real-IP $remote_addr;
-            proxy_set_header        X-Forwarded-For $proxy_protocol_addr;
+            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header        X-Forwarded-Host $host;
             proxy_set_header        X-Forwarded-Proto $scheme;
             proxy_pass              http://data-service;
             proxy_read_timeout      600;
         }
 
         location ~ "/api/(database|concept|container|identifier|image|message|license|oai|ontology|unit|user)" {
-            proxy_set_header        Host $host;
             proxy_set_header        X-Real-IP $remote_addr;
-            proxy_set_header        X-Forwarded-For $proxy_protocol_addr;
+            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header        X-Forwarded-Host $host;
             proxy_set_header        X-Forwarded-Proto $scheme;
             proxy_pass              http://metadata-service;
             proxy_read_timeout      90;
         }
 
         location ~ "/api/identifier/([0-9a-f]{8}-[0-9a-f]{4}-[4][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12})" {
-            proxy_set_header        Host $host;
             proxy_set_header        X-Real-IP $remote_addr;
-            proxy_set_header        X-Forwarded-For $proxy_protocol_addr;
+            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header        X-Forwarded-Host $host;
             proxy_set_header        X-Forwarded-Proto $scheme;
             proxy_pass              http://metadata-service;
             proxy_read_timeout      90;
@@ -180,18 +181,18 @@ data:
 
         location ~ "/pid/([0-9a-f]{8}-[0-9a-f]{4}-[4][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12})" {
             rewrite /pid/(.*) /api/identifier/$1 break;
-            proxy_set_header        Host $host;
             proxy_set_header        X-Real-IP $remote_addr;
-            proxy_set_header        X-Forwarded-For $proxy_protocol_addr;
+            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header        X-Forwarded-Host $host;
             proxy_set_header        X-Forwarded-Proto $scheme;
             proxy_pass              http://metadata-service;
             proxy_read_timeout      90;
         }
 
         location / {
-            proxy_set_header        Host $host;
             proxy_set_header        X-Real-IP $remote_addr;
-            proxy_set_header        X-Forwarded-For $proxy_protocol_addr;
+            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header        X-Forwarded-Host $host;
             proxy_set_header        X-Forwarded-Proto $scheme;
             proxy_pass              http://ui;
             proxy_read_timeout      90;
diff --git a/helm/dbrepo/templates/ui-secret.yaml b/helm/dbrepo/templates/ui-secret.yaml
index a84ac8f5cef024c88fa41ce085f494cca396df9f..54340220811040bad5eb5a4db79d5eb7d18541e7 100644
--- a/helm/dbrepo/templates/ui-secret.yaml
+++ b/helm/dbrepo/templates/ui-secret.yaml
@@ -31,4 +31,7 @@ stringData:
   NUXT_OIDC_PROVIDERS_KEYCLOAK_REDIRECT_URI: "{{ .Values.gateway }}/auth/keycloak/callback"
   NUXT_OIDC_PROVIDERS_KEYCLOAK_TOKEN_URL: "{{ .Values.gateway }}/realms/dbrepo/protocol/openid-connect/token"
   NUXT_OIDC_PROVIDERS_KEYCLOAK_USER_INFO_URL: "{{ .Values.gateway }}/realms/dbrepo/protocol/openid-connect/userinfo"
+  NUXT_OIDC_SESSION_SECRET: "{{ .Values.ui.oidc.sessionSecret }}"
+  NUXT_OIDC_TOKEN_KEY: "{{ .Values.ui.oidc.tokenKey }}"
+  NUXT_OIDC_AUTH_SESSION_SECRET: "{{ .Values.ui.oidc.authSessionSecret }}"
 {{- end }}
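Review bot: The three added keys render whatever `ui.oidc.*` holds, and the values.yaml hunk of this commit ships concrete defaults for all three, so every install that does not override them encrypts user sessions and the token store with keys that are public in the repository. Ship empty defaults and fail the render when a value is missing, e.g. `NUXT_OIDC_SESSION_SECRET: {{ required "ui.oidc.sessionSecret must be set" .Values.ui.oidc.sessionSecret | quote }}`, and likewise for the other two. values.schema.json types them only as strings; a `minLength` of 48 on the two session secrets would enforce the length stated in the parameter description. The values already committed should be regarded as disclosed and not reused in any deployment.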
diff --git a/helm/dbrepo/values.schema.json b/helm/dbrepo/values.schema.json
index dcb506dba44127137a146ce53222abed01054db1..05b4e8a5f66d2f5ad38db8afb05e252cc8120c2b 100644
--- a/helm/dbrepo/values.schema.json
+++ b/helm/dbrepo/values.schema.json
@@ -129,9 +129,6 @@
                 "extraEnvVarsCM": {
                     "type": "string"
                 },
-                "extraStartupArgs": {
-                    "type": "string"
-                },
                 "extraVolumeMounts": {
                     "items": {
                         "properties": {
@@ -230,6 +227,9 @@
                     },
                     "type": "object"
                 },
+                "proxyHeaders": {
+                    "type": "string"
+                },
                 "replicaCount": {
                     "type": "integer"
                 },
@@ -1836,6 +1836,20 @@
                     },
                     "type": "object"
                 },
+                "oidc": {
+                    "properties": {
+                        "authSessionSecret": {
+                            "type": "string"
+                        },
+                        "sessionSecret": {
+                            "type": "string"
+                        },
+                        "tokenKey": {
+                            "type": "string"
+                        }
+                    },
+                    "type": "object"
+                },
                 "podSecurityContext": {
                     "properties": {
                         "enabled": {
diff --git a/helm/dbrepo/values.yaml b/helm/dbrepo/values.yaml
index 56ac85d0be9f0ef60d0de523b121b8b58410773e..def9f0cca1ac70fe3e6e5cf937999f152403ca66 100644
--- a/helm/dbrepo/values.yaml
+++ b/helm/dbrepo/values.yaml
@@ -85,8 +85,8 @@ authservice:
     debug: false
   ## @param authservice.endpoint The hostname for the microservices.
   endpoint: http://auth-service
-  ## @param authservice.extraStartupArgs Extra arguments for the Keycloak container.
-  extraStartupArgs: --hostname-strict false --proxy-headers xforwarded
+  ## @skip authservice.proxyHeaders
+  proxyHeaders: xforwarded
   ## @skip authservice.postgresql
   postgresql:
     enabled: true
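Review bot: `authservice.proxyHeaders` is marked `@skip`, so the setting that decides whether Keycloak trusts `X-Forwarded-*` headers drops out of the generated parameter docs, whereas the removed `extraStartupArgs` was documented. Document it, for example `## @param authservice.proxyHeaders Proxy header mode for Keycloak (forwarded or xforwarded); only safe when the gateway overwrites these headers.` Existing overrides of `authservice.extraStartupArgs` are presumably ignored after this change (the consuming template is not visible here), which deserves an upgrade note.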
@@ -790,6 +790,14 @@ ui:
   image:
     ## @skip ui.image.name
     name: registry.datalab.tuwien.ac.at/dbrepo/ui:1.8.0
+  ## https://stackblitz.com/edit/nuxt-oidc-auth-keygen?file=index.js
+  oidc:
+    ## @param ui.oidc.authSessionSecret This should be a at least 48 characters random string. It is used to encrypt the user session.
+    authSessionSecret: qJteD-fvcHNafjwDtJOT3pF7IrN1OEzQRcIyPO0xAT4gzct0
+    ## @param ui.oidc.sessionSecret This should be a at least 48 characters random string. It is used to encrypt the user session.
+    sessionSecret: TjOH1lFnocixYmy5ol2I5cOdsYUdrd5_jZsGxo6aMVPNNDkh
+    ## @param ui.oidc.tokenKey This needs to be a random cryptographic AES key in base64. Used to encrypt the server side token store. You can generate a key in JS with await subtle.exportKey('raw', await subtle.generateKey({ name: 'AES-GCM', length: 256, }, true, ['encrypt', 'decrypt'])). You just have to encode it to base64 afterwards.
+    tokenKey: data:;base64,ntxOAfrF6yw22Ec1AFHK21iFz7L3PZmz9857Uqwyme0=
   ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
   podSecurityContext:
     ## @param ui.podSecurityContext.enabled Enable pods' Security Context
diff --git a/lib/java/dbrepo-core/src/main/java/at/ac/tuwien/ifs/dbrepo/core/Serialize.java b/lib/java/dbrepo-core/src/main/java/at/ac/tuwien/ifs/dbrepo/core/Serialize.java
deleted file mode 100644
index 073a7c669901c33384a9b402b2c247cb50993694..0000000000000000000000000000000000000000
--- a/lib/java/dbrepo-core/src/main/java/at/ac/tuwien/ifs/dbrepo/core/Serialize.java
+++ /dev/null
@@ -1,32 +0,0 @@
-package at.ac.tuwien.ifs.dbrepo.core;
-
-import at.ac.tuwien.ifs.dbrepo.core.test.BaseTest;
-import com.fasterxml.jackson.annotation.JsonInclude;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.fasterxml.jackson.databind.SerializationFeature;
-import com.fasterxml.jackson.datatype.hibernate6.Hibernate6Module;
-import com.fasterxml.jackson.datatype.jdk8.Jdk8Module;
-import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
-
-import java.io.IOException;
-import java.util.TimeZone;
-
-public class Serialize extends BaseTest {
-
-    public static ObjectMapper objectMapper() {
-        final ObjectMapper objectMapper = new ObjectMapper();
-        objectMapper.registerModule(new Jdk8Module());
-        objectMapper.registerModule(new JavaTimeModule());
-        objectMapper.registerModule(new Hibernate6Module()); /* lazy load mapping on REST endpoints */
-        objectMapper.configure(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS, false);
-        objectMapper.setTimeZone(TimeZone.getTimeZone("UTC"));
-        objectMapper.setSerializationInclusion(JsonInclude.Include.NON_NULL);
-        objectMapper.enable(SerializationFeature.INDENT_OUTPUT);
-        return objectMapper;
-    }
-
-    public static void main(String[] args) throws IOException {
-//        objectMapper().writeValue(new File("./src/main/resources/database-1.json"), IDENTIFIER_1);
-    }
-
-}
diff --git a/lib/java/dbrepo-core/src/main/java/at/ac/tuwien/ifs/dbrepo/core/test/BaseTest.java b/lib/java/dbrepo-core/src/main/java/at/ac/tuwien/ifs/dbrepo/core/test/BaseTest.java
index b26e623cefa35b4c8a9691f2e55e56c5f74c1085..5209b40ce42e0675cf3c94570444f184f382b3e6 100644
--- a/lib/java/dbrepo-core/src/main/java/at/ac/tuwien/ifs/dbrepo/core/test/BaseTest.java
+++ b/lib/java/dbrepo-core/src/main/java/at/ac/tuwien/ifs/dbrepo/core/test/BaseTest.java
@@ -42,6 +42,7 @@ import at.ac.tuwien.ifs.dbrepo.core.api.orcid.person.name.OrcidNameDto;
 import at.ac.tuwien.ifs.dbrepo.core.api.orcid.person.name.OrcidValueDto;
 import at.ac.tuwien.ifs.dbrepo.core.api.semantics.*;
 import at.ac.tuwien.ifs.dbrepo.core.api.user.*;
+import at.ac.tuwien.ifs.dbrepo.core.api.user.UserAttributesDto;
 import at.ac.tuwien.ifs.dbrepo.core.api.user.internal.UpdateUserPasswordDto;
 import at.ac.tuwien.ifs.dbrepo.core.entity.container.Container;
 import at.ac.tuwien.ifs.dbrepo.core.entity.container.image.ContainerImage;
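Review bot: The added `import at.ac.tuwien.ifs.dbrepo.core.api.user.UserAttributesDto;` looks redundant, because the wildcard `import at.ac.tuwien.ifs.dbrepo.core.api.user.*;` on the line above already brings the class into scope. Drop the single-type import unless it is there to resolve a name clash with another wildcard import (none is visible in this hunk). If a clash is the reason, say so in a short comment next to the import.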
diff --git a/lib/java/dbrepo-core/src/main/java/at/ac/tuwien/ifs/dbrepo/core/test/pom.xml b/lib/java/dbrepo-core/src/main/java/at/ac/tuwien/ifs/dbrepo/core/test/pom.xml
deleted file mode 100644
index a7995dec69978781b8286d235d583a93e55bb4d3..0000000000000000000000000000000000000000
--- a/lib/java/dbrepo-core/src/main/java/at/ac/tuwien/ifs/dbrepo/core/test/pom.xml
+++ /dev/null
@@ -1,29 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0"
-         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <parent>
-        <groupId>at.tuwien</groupId>
-        <artifactId>dbrepo-metadata-service</artifactId>
-        <version>1.8.0</version>
-    </parent>
-
-    <artifactId>dbrepo-metadata-service-test</artifactId>
-    <name>dbrepo-metadata-service-test</name>
-    <version>1.8.0</version>
-
-    <dependencies>
-        <dependency>
-            <groupId>at.tuwien</groupId>
-            <artifactId>dbrepo-metadata-service-entities</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>at.tuwien</groupId>
-            <artifactId>dbrepo-metadata-service-api</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-    </dependencies>
-
-</project>
\ No newline at end of file