From 0f4ec01cdcb6377f9cc7226fca993c832043fe35 Mon Sep 17 00:00:00 2001
From: Alexander Kiel
Date: Fri, 27 Feb 2026 12:22:49 +0100
Subject: [PATCH] Cleanup Blaze Config
---
 .github/workflows/ci.yml | 5 +-
 data-node/fhir-server/.backend-env.default | 57 ++++++
 data-node/fhir-server/.env.default | 173 ------------------
 data-node/fhir-server/.frontend-env.default | 34 ++++
 data-node/fhir-server/.keycloak-env.default | 70 +++++++
 data-node/fhir-server/docker-compose.yml | 17 +-
 .../fhir-server/keycloak.docker-compose.yml | 3 +-
 data-node/initialise-node-env-files.sh | 2 +-
 data-node/start-node.sh | 6 +-
 data-node/terminology-server/.env.default | 7 +-
 .../terminology-server/docker-compose.yml | 2 +-
 11 files changed, 187 insertions(+), 189 deletions(-)
 create mode 100644 data-node/fhir-server/.backend-env.default
 delete mode 100644 data-node/fhir-server/.env.default
 create mode 100644 data-node/fhir-server/.frontend-env.default
 create mode 100644 data-node/fhir-server/.keycloak-env.default
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3e36afd1..6351a1db 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -56,9 +56,10 @@ jobs:
 sed -i -r -e 's#^(VALIDATION_ENABLED)=.*$#\1="false"#' \
 data-node/fhir-validator/.env
 sed -i -r -e 's#^(OPENID_PROVIDER_URL)=.*$#\1="https://auth.localhost:444/realms/blaze"#' \
- -e 's#^(KC_HOSTNAME)=.*$#\1="https://auth.localhost:444/"#' \
+ data-node/fhir-server/.backend-env
+ sed -i -r -e 's#^(KC_HOSTNAME)=.*$#\1="https://auth.localhost:444/"#' \
 -e 's#^(KC_HTTP_RELATIVE_PATH)=.*$#\1=/#' \
- data-node/fhir-server/.env
+ data-node/fhir-server/.keycloak-env
 sed -i -r -e 's#^(FHIR_SERVER_HOSTNAME)=.*$#\1="fhir.localhost"#' \
 -e 's#^(FLARE_HOSTNAME)=.*$#\1="flare.localhost"#' \
 -e 's#^(KEYCLOAK_HOSTNAME)=.*$#\1="auth.localhost"#' \
diff --git a/data-node/fhir-server/.backend-env.default b/data-node/fhir-server/.backend-env.default
new file mode 100644
index 00000000..ed60fe86
--- /dev/null
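Review bot: The `sed -i` calls that now point at `.backend-env` and `.keycloak-env` never check that the key they rewrite was actually present, so a renamed or missing variable — exactly the kind of move this commit performs — silently leaves the `.default` value in place and the job keeps running against it. A `grep -q '^OPENID_PROVIDER_URL=' data-node/fhir-server/.backend-env` (and the same for `KC_HOSTNAME` / `KC_HTTP_RELATIVE_PATH` in `.keycloak-env`) before or after each `sed` would turn a stale path into a failing step. The workflow step containing these lines starts and ends outside the hunk.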
+++ b/data-node/fhir-server/.backend-env.default
@@ -0,0 +1,57 @@
+# --- Backend Configuration ---
+
+# --- Base Configuration ---
+# Base URL for the FHIR server
+# Default: http://fhir-server:8080
+BASE_URL="http://fhir-server:8080"
+
+# Logging level (trace, debug, info, warn, error)
+# Default: info
+LOG_LEVEL="debug"
+
+# --- JVM Performance Tuning ---
+# Java tool options for memory allocation
+# Default: system dependent
+JAVA_TOOL_OPTIONS="-Xmx4g"
+
+# --- Database Configuration ---
+# Database block cache size in MB
+# Default: 128
+DB_BLOCK_CACHE_SIZE="1024"
+
+# Database resource cache ratio (number of resources)
+# Default: 0.25
+# DB_RESOURCE_CACHE_SIZE_RATIO="0.25"
+
+# CQL expression cache size
+# Default: disabled
+CQL_EXPR_CACHE_SIZE="128"
+
+# --- Server Configuration ---
+# Local port binding for FHIR server
+# Default: 127.0.0.1:8081
+PORT_FHIR_SERVER_LOCALHOST="127.0.0.1:8081"
+
+# Enforce referential integrity in FHIR resources
+# Default: true
+# ENFORCE_REFERENTIAL_INTEGRITY="true"
+
+# External terminology service URL
+# Default: disabled
+EXTERN_TERMINOLOGY_SERVICE_URL="http://terminology-server:8080/fhir"
+
+# Enable admin API endpoints
+# Default: false
+ENABLE_ADMIN_API="true"
+
+# --- FHIR Server Authentication Configuration ---
+# OpenID Connect provider URL
+# Default: disabled
+OPENID_PROVIDER_URL="https://auth.localhost:444/realms/blaze"
+
+# Local OpenID client trust store path
+# Default: ../auth/trust-store.p12
+# LOCAL_OPENID_CLIENT_TRUST_STORE="../auth/trust-store.p12"
+
+# Trust store password
+OPENID_CLIENT_TRUST_STORE_PASS="insecure"
diff --git a/data-node/fhir-server/.env.default b/data-node/fhir-server/.env.default
deleted file mode 100644
index ba610450..00000000
--- a/data-node/fhir-server/.env.default
+++ /dev/null
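Review bot: `OPENID_CLIENT_TRUST_STORE_PASS="insecure"` at the end of the new file is the only entry without a `# Default:` line and nothing says what the value has to agree with, even though `initialise-node-env-files.sh` copies this file verbatim into the live `.backend-env`. Since `start-node.sh` tells the operator to run `generate-cert.sh` when the trust store is missing, the password presumably has to match the one that script uses for `../auth/trust-store.p12`; a comment such as `# Must match the password of the trust store mounted at /app/trust-store.p12 (see generate-cert.sh)` would make that dependency explicit. `ENABLE_ADMIN_API="true"` and `LOG_LEVEL="debug"` both override their documented defaults (`false`, `info`) with no rationale; one line each stating why the data node wants them on (and that they should be reviewed before exposing the server beyond the local binding) would help whoever hardens a deployment.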
@@ -1,173 +0,0 @@
-# --- Base Configuration ---
-# Base URL for the FHIR server
-# Default: http://fhir-server:8080
-BASE_URL="http://fhir-server:8080"
-
-# Logging level (trace, debug, info, warn, error)
-# Default: info
-LOG_LEVEL="debug"
-
-# --- JVM Performance Tuning ---
-# Java tool options for memory allocation
-# Default: system dependent
-JAVA_TOOL_OPTIONS="-Xmx4g"
-
-# --- Database Configuration ---
-# Database block cache size in MB
-# Default: 256
-DB_BLOCK_CACHE_SIZE="256"
-
-# Database resource cache ratio (number of resources)
-# Default: 0.25
-DB_RESOURCE_CACHE_SIZE_RATIO="0.25"
-
-# CQL expression cache size
-# Default: 128
-CQL_EXPR_CACHE_SIZE="128"
-
-# Path to custom search parameters bundle
-# Default: /app/custom-search-parameters.json
-DB_SEARCH_PARAM_BUNDLE="/app/custom-search-parameters.json"
-
-# --- Server Configuration ---
-# Local port binding for FHIR server
-# Default: 127.0.0.1:8081
-PORT_FHIR_SERVER_LOCALHOST="127.0.0.1:8081"
-
-# Enforce referential integrity in FHIR resources
-# Default: true
-ENFORCE_REFERENTIAL_INTEGRITY="true"
-
-# External terminology service URL
-# Default: http://terminology-server:8080/fhir
-EXTERN_TERMINOLOGY_SERVICE_URL="http://terminology-server:8080/fhir"
-
-# Enable admin API endpoints
-# Default: true
-ENABLE_ADMIN_API="true"
-
-# --- FHIR Server Authentication Configuration ---
-# OpenID Connect provider URL
-# Default: https://auth.localhost:444/realms/blaze
-OPENID_PROVIDER_URL="https://auth.localhost:444/realms/blaze"
-
-# Authentication issuer URL
-# Default: https://auth.localhost:444/realms/blaze
-AUTH_ISSUER="https://auth.localhost:444/realms/blaze"
-
-# Path to OpenID client trust store
-# Default: /app/trust-store.p12
-OPENID_CLIENT_TRUST_STORE="/app/trust-store.p12"
-
-# Trust store password
-# Default: insecure
-OPENID_CLIENT_TRUST_STORE_PASS="insecure"
-
-# CORS origin configuration
-# Default: https://fhir.localhost:444
-ORIGIN="https://fhir.localhost:444"
-
-# Backend base URL for internal communication
-# Default: http://fhir-server:8080
-BACKEND_BASE_URL="http://fhir-server:8080"
-
-# Path to CA certificate
-# Default: ../auth/cert.pem
-CA_CERT="../auth/cert.pem"
-
-# OAuth client ID
-# Default: account
-AUTH_CLIENT_ID="account"
-
-# OAuth client secret
-# Default: insecure
-AUTH_CLIENT_SECRET="insecure"
-
-# Authentication secret
-# Default: insecure
-AUTH_SECRET="insecure"
-
-# HTTP header for protocol forwarding
-# Default: X-Forwarded-Proto
-PROTOCOL_HEADER="X-Forwarded-Proto"
-
-# HTTP header for host forwarding
-# Default: X-Forwarded-Host
-HOST_HEADER="X-Forwarded-Host"
-
-# Node.js extra CA certificates path
-# Default: /app/cert.pem
-NODE_EXTRA_CA_CERTS="/app/cert.pem"
-
-# Enable Keycloak authentication
-# Default: true
-KEYCLOAK_ENABLED="true"
-
-# Local OpenID client trust store path
-# Default: ../auth/trust-store.p12
-LOCAL_OPENID_CLIENT_TRUST_STORE="../auth/trust-store.p12"
-
-# --- Keycloak Configuration ---
-# Keycloak database name
-# Default: keycloakdb
-KC_DB_URL_DB="keycloakdb"
-
-# Keycloak database username
-# Default: keycloakdbuser
-KC_DB_USERNAME="keycloakdbuser"
-
-# Keycloak database password
-# Default: keycloakdbpw
-KC_DB_PASSWORD="keycloakdbpw"
-
-# Keycloak bootstrap admin username
-# Default: admin
-KC_BOOTSTRAP_ADMIN_USERNAME="admin"
-
-# Keycloak bootstrap admin password
-# Default: admin
-KC_BOOTSTRAP_ADMIN_PASSWORD="admin"
-
-# Keycloak HTTP relative path
-# Default: /
-KC_HTTP_RELATIVE_PATH="/"
-
-# Keycloak hostname (public URL)
-# Default: https://auth.localhost:444
-KC_HOSTNAME="https://auth.localhost:444"
-
-# Keycloak admin console hostname
-# Default: https://auth.localhost:444
-KC_HOSTNAME_ADMIN="https://auth.localhost:444"
-
-# Keycloak logging level
-# Default: info
-KC_LOG_LEVEL="info"
-
-# Enable Keycloak health endpoints
-# Default: true
-KC_HEALTH_ENABLED="true"
-
-# Enable Keycloak metrics endpoints
-# Default: true
-KC_METRICS_ENABLED="true"
-
-# Keycloak proxy headers mode
-# Default: xforwarded
-KC_PROXY_HEADERS="xforwarded"
-
-# Enable Keycloak HTTP (non-HTTPS) mode
-# Default: true
-KC_HTTP_ENABLED="true"
-
-# Keycloak client ID
-# Default: account
-KEYCLOAK_CLIENT_ID="account"
-
-# Keycloak client secret
-# Default: insecure
-KEYCLOAK_CLIENT_SECRET="insecure"
-
-# Keycloak client host URL
-# Default: https://fhir.localhost:444
-KEYCLOAK_CLIENT_HOST_URL="https://fhir.localhost:444"
diff --git a/data-node/fhir-server/.frontend-env.default b/data-node/fhir-server/.frontend-env.default
new file mode 100644
index 00000000..165933bf
--- /dev/null
+++ b/data-node/fhir-server/.frontend-env.default
@@ -0,0 +1,34 @@
+# --- Frontend Configuration ---
+
+# The base URL of the frontend as accessed by the browser.
+ORIGIN="https://fhir.localhost:444"
+
+# Backend base URL for internal communication
+BACKEND_BASE_URL="http://fhir-server:8080"
+
+# The client ID of the OAuth client used to communicate with the auth
+# provider.
+AUTH_CLIENT_ID="account"
+
+# The client secret of the OAuth client used to communicate with the
+# auth provider.
+AUTH_CLIENT_SECRET="insecure"
+
+# Authentication issuer URL
+AUTH_ISSUER="https://auth.localhost:444/realms/blaze"
+
+# A secret random string that is used to encrypt the session cookie.
+#
+# This should be a minimum of 32 characters, random string. On UNIX
+# systems you can use `openssl rand -hex 32` to generate one.
+AUTH_SECRET="6a0ca3f8e38a939c7c44caf61eb7e9c0055fde920b58929439789bc70c7073f6"
+
+# HTTP header for protocol forwarding
+PROTOCOL_HEADER="X-Forwarded-Proto"
+
+# HTTP header for host forwarding
+HOST_HEADER="X-Forwarded-Host"
+
+# Path to CA certificate
+# Default: ../auth/cert.pem
+# CA_CERT="../auth/cert.pem"
diff --git a/data-node/fhir-server/.keycloak-env.default b/data-node/fhir-server/.keycloak-env.default
new file mode 100644
index 00000000..8e56d350
--- /dev/null
+++ b/data-node/fhir-server/.keycloak-env.default
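Review bot: `AUTH_SECRET` in the new `.frontend-env.default` is a fixed 64-hex literal, and `initialise-node-env-files.sh` copies this file unchanged into the live `.frontend-env`, so every node that keeps the default encrypts its session cookie with the same key that is committed to the repository — the comment directly above it, which asks for a per-deployment random string, is contradicted by the value. The removed `.env.default` at least used the self-describing `"insecure"` placeholder. Keep a placeholder here (`AUTH_SECRET="insecure"` or an empty value) and let the initialise script fill it, e.g. `sed -i "s/^AUTH_SECRET=.*/AUTH_SECRET=\"$(openssl rand -hex 32)\"/" "$file"`, so the secret is generated per node rather than shared. `AUTH_CLIENT_SECRET="insecure"` lost its `# Default: insecure` line in the move; restoring it, with a note that it must be changed together with the Keycloak client, keeps the file consistent with the other env defaults.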
@@ -0,0 +1,70 @@
+# --- Keycloak Configuration ---
+
+# Enable Keycloak authentication
+# Default: true
+KEYCLOAK_ENABLED="true"
+
+# --- Keycloak Configuration ---
+# Keycloak database name
+# Default: keycloakdb
+KC_DB_URL_DB="keycloakdb"
+
+# Keycloak database username
+# Default: keycloakdbuser
+KC_DB_USERNAME="keycloakdbuser"
+
+# Keycloak database password
+# Default: keycloakdbpw
+KC_DB_PASSWORD="keycloakdbpw"
+
+# Keycloak bootstrap admin username
+# Default: admin
+KC_BOOTSTRAP_ADMIN_USERNAME="admin"
+
+# Keycloak bootstrap admin password
+# Default: admin
+KC_BOOTSTRAP_ADMIN_PASSWORD="admin"
+
+# Keycloak HTTP relative path
+# Default: /
+KC_HTTP_RELATIVE_PATH="/"
+
+# Keycloak hostname (public URL)
+# Default: https://auth.localhost:444
+KC_HOSTNAME="https://auth.localhost:444"
+
+# Keycloak admin console hostname
+# Default: https://auth.localhost:444
+KC_HOSTNAME_ADMIN="https://auth.localhost:444"
+
+# Keycloak logging level
+# Default: info
+KC_LOG_LEVEL="info"
+
+# Enable Keycloak health endpoints
+# Default: true
+KC_HEALTH_ENABLED="true"
+
+# Enable Keycloak metrics endpoints
+# Default: true
+KC_METRICS_ENABLED="true"
+
+# Keycloak proxy headers mode
+# Default: xforwarded
+KC_PROXY_HEADERS="xforwarded"
+
+# Enable Keycloak HTTP (non-HTTPS) mode
+# Default: true
+KC_HTTP_ENABLED="true"
+
+# Keycloak client ID
+# Default: account
+KEYCLOAK_CLIENT_ID="account"
+
+# Keycloak client secret
+# Default: insecure
+KEYCLOAK_CLIENT_SECRET="insecure"
+
+# Keycloak client host URL
+# Default: https://fhir.localhost:444
+KEYCLOAK_CLIENT_HOST_URL="https://fhir.localhost:444"
diff --git a/data-node/fhir-server/docker-compose.yml b/data-node/fhir-server/docker-compose.yml
index 5587090b..9208c372 100644
--- a/data-node/fhir-server/docker-compose.yml
+++ b/data-node/fhir-server/docker-compose.yml
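Review bot: `KEYCLOAK_ENABLED` is documented as `# Default: true`, but the only consumer visible in this commit is the grep in `start-node.sh`, which starts Keycloak only when the line `KEYCLOAK_ENABLED="true"` is literally present in `.keycloak-env`; a commented-out line or a missing file means Keycloak is skipped, so the effective default is false. Suggest `# Default: false (start-node.sh only starts Keycloak when this line is present and set to "true")`. The `# --- Keycloak Configuration ---` header also appears twice (lines 1 and 7 of the new file); renaming the second to something like `# --- Keycloak Server Configuration ---` or dropping it avoids the duplication. `KC_BOOTSTRAP_ADMIN_PASSWORD="admin"`, `KC_DB_PASSWORD="keycloakdbpw"` and `KEYCLOAK_CLIENT_SECRET="insecure"` are copied verbatim into the live file by `initialise-node-env-files.sh`, so a one-line `# Change before exposing this node` next to each would match how the rest of the defaults are documented.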
@@ -1,14 +1,17 @@
 services:
 fhir-server:
-image: samply/blaze:1.6.0
+image: "samply/blaze:1.6.0@sha256:76b8d0947a8463921e4cd5db291b14d58c221d4ca474a582eea3f16294ef8b3d"
 healthcheck:
-test: ["CMD-SHELL", "curl --fail -s http://localhost:8080/health"]
+test: [ "CMD", "wget", "--spider", "http://localhost:8080/health" ]
 interval: 5s
 timeout: 5s
 retries: 3
 start_period: 60s
+environment:
+DB_SEARCH_PARAM_BUNDLE: "/app/custom-search-parameters.json"
+OPENID_CLIENT_TRUST_STORE: "/app/trust-store.p12"
 env_file:
-- .env
+- .backend-env
 ports:
 - ${PORT_FHIR_SERVER_LOCALHOST:-127.0.0.1:8081}:8080
 extra_hosts:
@@ -17,17 +20,19 @@ services:
 volumes:
 - "./custom-search-parameters.json:/app/custom-search-parameters.json:ro"
 - "blaze-data:/app/data"
-- "${LOCAL_OPENID_CLIENT_TRUST_STORE:-../auth/trust-store.p12}:/app/trust-store.p12"
+- "${LOCAL_OPENID_CLIENT_TRUST_STORE:-../auth/trust-store.p12}:/app/trust-store.p12:ro"
 fhir-server-frontend:
-image: samply/blaze-frontend:1.6.0
+image: "samply/blaze-frontend:1.6.0@sha256:c9a455b168c1f15c087f859939e721f0ae81b47aa897bd3796a85be6bf3c5012"
 healthcheck:
 test: ["CMD-SHELL", "wget --spider http://127.0.0.1:3000/fhir/"]
 interval: 5s
 timeout: 5s
 retries: 3
+environment:
+NODE_EXTRA_CA_CERTS: "/app/cert.pem"
 env_file:
-- .env
+- .frontend-env
 ports:
 - ${PORT_FHIR_SERVER_FRONTEND_LOCALHOST:-127.0.0.1:8300}:3000
 extra_hosts:
diff --git a/data-node/fhir-server/keycloak.docker-compose.yml b/data-node/fhir-server/keycloak.docker-compose.yml
index a5a8d4e8..91709bf4 100644
--- a/data-node/fhir-server/keycloak.docker-compose.yml
+++ b/data-node/fhir-server/keycloak.docker-compose.yml
@@ -14,6 +14,7 @@ services:
 start_period: 80s
 volumes:
 - "fhir-server-keycloak-db:/var/lib/postgresql/data"
+
 fhir-server-frontend-keycloak:
 image: quay.io/keycloak/keycloak:26.3.1
 command: ["start", "--import-realm"]
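Review bot: `${PORT_FHIR_SERVER_LOCALHOST:-127.0.0.1:8081}` in the first hunk and `${LOCAL_OPENID_CLIENT_TRUST_STORE:-../auth/trust-store.p12}` / `${PORT_FHIR_SERVER_FRONTEND_LOCALHOST:-127.0.0.1:8300}` in the second are Compose interpolation variables, and `env_file:` entries do not feed interpolation — only the shell environment and a `.env` file in the project directory do. With `.env` renamed to `.backend-env` (and `.env.default` deleted), these now always fall back to their defaults unless the compose invocations pass `--env-file`, which the `start-node.sh` lines visible in this commit do not; the same applies to `${KC_DB_URL_DB:-keycloakdb}` in the `keycloak.docker-compose.yml` hunk that follows. Either keep a small `.env` holding only the Compose-level variables, or add `--env-file "$BASE_DIR/fhir-server/.backend-env"` (and the Keycloak one) to the `docker compose` calls. Separately, the frontend healthcheck still uses the `CMD-SHELL` string form while the backend moved to exec-form `[ "CMD", "wget", "--spider", … ]`; aligning both keeps shell quoting out of the healthcheck path.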
@@ -35,7 +36,7 @@ services:
 timeout: 2s
 retries: 20
 env_file:
-- .env
+- .keycloak-env
 environment:
 KC_DB: postgres
 KC_DB_URL: "jdbc:postgresql://fhir-server-keycloak-db:5432/${KC_DB_URL_DB:-keycloakdb}"
diff --git a/data-node/initialise-node-env-files.sh b/data-node/initialise-node-env-files.sh
index 5f136e23..8a94fa13 100755
--- a/data-node/initialise-node-env-files.sh
+++ b/data-node/initialise-node-env-files.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 BASE_DIR="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 || exit 1 ; pwd -P )"
-envfiles=( "$BASE_DIR/fhir-server/.env" "$BASE_DIR/flare/.env" "$BASE_DIR/torch/.env" "$BASE_DIR/rev-proxy/.env" "$BASE_DIR/fhir-data-evaluator/.env" "$BASE_DIR/terminology-server/.env" "$BASE_DIR/fhir-pseudonymizer/.env" "$BASE_DIR/fhir-flattener/.env" "$BASE_DIR/fhir-validator/.env")
+envfiles=( "$BASE_DIR/fhir-server/.backend-env" "$BASE_DIR/fhir-server/.frontend-env" "$BASE_DIR/fhir-server/.keycloak-env" "$BASE_DIR/flare/.env" "$BASE_DIR/torch/.env" "$BASE_DIR/rev-proxy/.env" "$BASE_DIR/fhir-data-evaluator/.env" "$BASE_DIR/terminology-server/.env" "$BASE_DIR/fhir-pseudonymizer/.env" "$BASE_DIR/fhir-flattener/.env" "$BASE_DIR/fhir-validator/.env")
 for file in "${envfiles[@]}"
 do
diff --git a/data-node/start-node.sh b/data-node/start-node.sh
index 009c82a5..64b25be1 100755
--- a/data-node/start-node.sh
+++ b/data-node/start-node.sh
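Review bot: The new `envfiles` array initialises `.backend-env`, `.frontend-env` and `.keycloak-env`, but an existing checkout still carries the old `fhir-server/.env`, which nothing here removes and which `docker compose` keeps auto-loading for variable interpolation from the project directory, so stale port and trust-store settings from the old file can silently win over the new ones. A one-line migration hint in this script, e.g. `[ -f "$BASE_DIR/fhir-server/.env" ] && echo "fhir-server/.env is no longer used; move its settings to .backend-env/.frontend-env/.keycloak-env and delete it" >&2`, would make the break explicit. The three new files carry secrets (`AUTH_SECRET`, `KC_DB_PASSWORD`, `KC_BOOTSTRAP_ADMIN_PASSWORD`), so they presumably need the same ignore rule the old `.env` had — that cannot be checked from this diff. The copy loop that consumes the array is outside the hunk.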
@@ -21,11 +21,11 @@ else
 fi
 # Fhir Server (Blaze) with frontend and keycloak
-if [ -f "$BASE_DIR/fhir-server/.env" ] && grep -qE '^KEYCLOAK_ENABLED="?true"?\s*$' "$BASE_DIR/fhir-server/.env"; then
+if [ -f "$BASE_DIR/fhir-server/.keycloak-env" ] && grep -qE '^KEYCLOAK_ENABLED="?true"?\s*$' "$BASE_DIR/fhir-server/.keycloak-env"; then
 if [ ! -f "$BASE_DIR/rev-proxy/conf.d/keycloak.conf" ]; then
 cp "$BASE_DIR/rev-proxy/conf.d/keycloak.conf.template" "$BASE_DIR/rev-proxy/conf.d/keycloak.conf"
 fi
-COMPOSE_IGNORE_ORPHANS=True docker compose -p "$COMPOSE_PROJECT" -f "$BASE_DIR"/fhir-server/keycloak.docker-compose.yml up -d --wait
+COMPOSE_IGNORE_ORPHANS=True docker compose -p "$COMPOSE_PROJECT" -f "$BASE_DIR"/fhir-server/keycloak.docker-compose.yml up --wait
 else
 if [ -f "$BASE_DIR/rev-proxy/conf.d/keycloak.conf" ]; then
 rm "$BASE_DIR/rev-proxy/conf.d/keycloak.conf"
@@ -36,7 +36,7 @@ fi
 if [ -f "$CERT_FILE" ] && [ -f "$KEY_FILE" ]; then
 if [ -f "$TRUST_STORE_FILE" ]; then
 COMPOSE_IGNORE_ORPHANS=True docker compose -p "$COMPOSE_PROJECT" -f "$BASE_DIR"/rev-proxy/docker-compose.yml up -d
-COMPOSE_IGNORE_ORPHANS=True docker compose -p "$COMPOSE_PROJECT" -f "$BASE_DIR"/fhir-server/docker-compose.yml up -d --wait
+COMPOSE_IGNORE_ORPHANS=True docker compose -p "$COMPOSE_PROJECT" -f "$BASE_DIR"/fhir-server/docker-compose.yml up --wait
 else
 echo "Trust store ($TRUST_STORE_FILE) file is missing. Please run '$BASE_DIR/generate-cert.sh' and then retry."
 exit 1
diff --git a/data-node/terminology-server/.env.default b/data-node/terminology-server/.env.default
index cb419420..bda80c1d 100644
--- a/data-node/terminology-server/.env.default
+++ b/data-node/terminology-server/.env.default
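Review bot: The `KEYCLOAK_ENABLED` check in the first hunk now reads `.keycloak-env`, a file that only exists after `initialise-node-env-files.sh` has run, so a node started before that step silently takes the `else` branch and removes `keycloak.conf` instead of failing; a comment above the `if` such as `# .keycloak-env is created by initialise-node-env-files.sh; Keycloak is skipped when it is missing` would document that, or the script could warn when the file is absent. In the second hunk the rev-proxy invocation on the context line keeps `up -d` while both changed lines move to `up --wait`, which already implies detached mode in Compose v2; using `up --wait` consistently, or a one-line comment saying rev-proxy is intentionally not waited on, would stop readers wondering whether the difference is deliberate. The surrounding `if` blocks start and end outside the hunks.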
@@ -31,11 +31,11 @@ JAVA_TOOL_OPTIONS="-Xmx8g"
 # --- Database Performance Tuning ---
 # Size of the block cache in MiB (Off-heap)
 # Default: 128
-# DB_BLOCK_CACHE_SIZE="2048"
+DB_BLOCK_CACHE_SIZE="2048"
 # Database resource cache ratio (number of resources)
 # Default: 0.25
-#DB_RESOURCE_CACHE_SIZE_RATIO="0.25"
+# DB_RESOURCE_CACHE_SIZE_RATIO="0.25"
 # --- Terminology Service ---
 # Enables the Terminology Service
@@ -54,6 +54,9 @@ ENABLE_TERMINOLOGY_LOINC="true"
 # Default: false
 # ENABLE_TERMINOLOGY_SNOMED_CT="false"
+# Path of an official SNOMED CT release.
+# SNOMED_CT_RELEASE_PATH=""
+
 # --- Admin API ---
 # Enables the Admin API
 # Default: false
diff --git a/data-node/terminology-server/docker-compose.yml b/data-node/terminology-server/docker-compose.yml
index b01c8083..28cfa62b 100644
--- a/data-node/terminology-server/docker-compose.yml
+++ b/data-node/terminology-server/docker-compose.yml
@@ -2,7 +2,7 @@ services:
 terminology-server:
 image: samply/blaze:1.6.0
 healthcheck:
-test: ["CMD-SHELL", "curl --fail -s http://localhost:8080/health"]
+test: [ "CMD", "wget", "--spider", "http://localhost:8080/health" ]
 interval: 5s
 timeout: 5s
 retries: 3
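Review bot: The new `SNOMED_CT_RELEASE_PATH` entry in the second hunk lacks the `# Default:` line that every neighbouring entry carries, and its comment does not say whether the path is a host path or a path inside the container, nor that it presumably only matters when `ENABLE_TERMINOLOGY_SNOMED_CT` is set to true. Suggest `# Path of an official SNOMED CT release (inside the container). Only used when ENABLE_TERMINOLOGY_SNOMED_CT is true.` followed by `# Default: none`. Uncommenting `DB_BLOCK_CACHE_SIZE="2048"` in the first hunk enables 2 GiB of off-heap cache on top of the `JAVA_TOOL_OPTIONS="-Xmx8g"` heap shown in the hunk header; a short note on the combined memory footprint would help operators sizing the node.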
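Review bot: `image: samply/blaze:1.6.0` on the context line of the `terminology-server/docker-compose.yml` hunk stays tag-only, while the same commit pins the identical image by digest in `data-node/fhir-server/docker-compose.yml`; a tag can be re-pushed, so the terminology server should get the same pin, `image: "samply/blaze:1.6.0@sha256:76b8d0947a8463921e4cd5db291b14d58c221d4ca474a582eea3f16294ef8b3d"`, for reproducible pulls and so that both services verifiably run the same bits. The switch to the exec-form `wget --spider` healthcheck matches the fhir-server change and needs no further work.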