Merge branch 'master' into chore/install_go_jenkinsCIWorker

uc-cdis · Aug 10, 2023 · ce02ec3 · ce02ec3
2 parents eb1d382 + 62d2d89
commit ce02ec3
Show file tree

Hide file tree

Showing 6 changed files with 26 additions and 9 deletions.
diff --git a/gen3/bin/kube-roll-all.sh b/gen3/bin/kube-roll-all.sh
@@ -243,6 +243,12 @@ else
   gen3_log_info "not deploying dicom-viewer - no manifest entry for '.versions[\"dicom-viewer\"]'"
 fi
 
+if g3k_manifest_lookup '.versions["cohort-middleware"]' 2> /dev/null; then
+  gen3 kube-setup-cohort-middleware
+else
+  gen3_log_info "not deploying cohort-middleware - no manifest entry for .versions[\"cohort-middleware\"]"
+fi
+
 gen3 kube-setup-revproxy
 
 if [[ "$GEN3_ROLL_FAST" != "true" ]]; then

diff --git a/gen3/bin/kube-setup-cohort-middleware.sh b/gen3/bin/kube-setup-cohort-middleware.sh
@@ -46,17 +46,17 @@ EOM
     fi
 
     gen3 secrets sync "initialize cohort-middleware/development.yaml"
-
-    # envsubst <"${GEN3_HOME}/kube/services/cohort-middleware/development.yaml" | g3kubectl create secret generic cohort-middleware-config --from-file=development.yaml=/dev/stdin
   )
 }
 
 # main --------------------------------------
-setup_secrets
-
-gen3 roll cohort-middleware
-g3kubectl apply -f "${GEN3_HOME}/kube/services/cohort-middleware/cohort-middleware-service.yaml"
 
-cat <<EOM
+if setup_secrets; then
+  gen3 roll cohort-middleware
+  g3kubectl apply -f "${GEN3_HOME}/kube/services/cohort-middleware/cohort-middleware-service.yaml"
+  cat <<EOM
 The cohort-middleware service has been deployed onto the k8s cluster.
 EOM
+else
+  gen3_log_err "unable to find db creds for ohdsi service (was Atlas deployed?)"
+fi
diff --git a/kube/services/ohdsi-atlas/ohdsi-atlas-deploy.yaml b/kube/services/ohdsi-atlas/ohdsi-atlas-deploy.yaml
@@ -72,12 +72,12 @@ spec:
           volumeMounts:
             - name: ohdsi-atlas-config-local
               readOnly: true
-              mountPath: /usr/share/nginx/html/atlas/js/config-local.js
+              mountPath: /etc/atlas/config-local.js
               subPath: config-local.js
           imagePullPolicy: Always
           resources:
             requests:
               cpu: 100m
               memory: 100Mi
             limits:
-              memory: 500Mi  
+              memory: 500Mi
diff --git a/kube/services/revproxy/gen3.nginx.conf/gen3ff-as-root/frontend-framework-service.conf b/kube/services/revproxy/gen3.nginx.conf/gen3ff-as-root/frontend-framework-service.conf
@@ -2,6 +2,10 @@
               if ($csrf_check !~ ^ok-\S.+$) {
                 return 403 "failed csrf check";
               }             
+
+              # added to avoid click-jacking attacks
+              add_header X-Frame-Options "SAMEORIGIN";
+
               set $proxy_service  "frontend-framework";
               set $upstream http://frontend-framework-service.$namespace.svc.cluster.local;
               proxy_pass $upstream;

diff --git a/kube/services/revproxy/gen3.nginx.conf/gen3ff-as-root/portal-service.conf b/kube/services/revproxy/gen3.nginx.conf/gen3ff-as-root/portal-service.conf
@@ -21,5 +21,8 @@
                 rewrite ^/(.*)$ /dashboard/Public/maintenance-page/index.html redirect;
               }
 
+              # added to avoid click-jacking attacks
+              add_header X-Frame-Options "SAMEORIGIN";
+
               proxy_pass $upstream;
           }
diff --git a/kube/services/revproxy/gen3.nginx.conf/portal-as-root/frontend-framework-service.conf b/kube/services/revproxy/gen3.nginx.conf/portal-as-root/frontend-framework-service.conf
@@ -6,6 +6,10 @@
               if ($csrf_check !~ ^ok-\S.+$) {
                 return 403 "failed csrf check";
               }             
+
+              # added to avoid click-jacking attacks
+              add_header X-Frame-Options "SAMEORIGIN";
+
               set $proxy_service  "frontend-framework";
               # frontend framework service expects the /ff/ prefix, so no path rewrite
               set $upstream http://frontend-framework-service.$namespace.svc.cluster.local;