v2.1.0 changes

Author: schwzr

docs/src/.vuepress/components/ImageVerification.vue

@@ -8,10 +8,10 @@
       Verify the signature before using the image in production:
     </p>
     <pre><code>cosign verify \
-  ghcr.io/datasharingframework/{{ image }}:{{ tag }}@sha256:{{ digestDisplay }} \
+  ghcr.io/datasharingframework/{{ image }}:{{ resolvedTag }}@sha256:{{ digestDisplay }} \
   --certificate-identity-regexp "https://github.com/datasharingframework/dsf/.*" \
   --certificate-oidc-issuer "https://token.actions.githubusercontent.com"</code></pre>
-    <p v-if="!digest">
+    <p v-if="!resolvedDigest">
       Replace <code>&lt;digest&gt;</code> with the immutable digest of the image
       you intend to deploy. See
       <a :href="guide">How to Verify Image Signatures</a>
@@ -24,18 +24,32 @@
   </div>
 </template>
 
-<script>
-export default {
-  props: {
-    image: { type: String, required: true },
-    tag: { type: String, default: '2.1.0' },
-    digest: { type: String, default: '' },
-    guide: { type: String, default: '../image-verification' }
-  },
-  computed: {
-    digestDisplay() {
-      return this.digest ? this.digest.replace(/^sha256:/, '') : '<digest>';
-    }
-  }
-}
+<script setup lang="ts">
+import { computed } from 'vue';
+import { useRoute } from 'vue-router';
+import { getReleaseFromPath } from '../data/releases';
+
+const props = defineProps<{
+  image: string;
+  tag?: string;
+  digest?: string;
+  guide?: string;
+}>();
+
+const route = useRoute();
+
+const release = computed(() => getReleaseFromPath(route.path));
+
+const resolvedTag = computed(() => props.tag ?? release.value?.tag ?? '<tag>');
+
+const resolvedDigest = computed(() => {
+  if (props.digest) return props.digest.replace(/^sha256:/, '');
+  const fromData = release.value?.images[props.image as keyof NonNullable<typeof release.value>['images']]?.digest;
+  if (fromData && fromData !== 'sha256:TODO') return fromData.replace(/^sha256:/, '');
+  return '';
+});
+
+const digestDisplay = computed(() => resolvedDigest.value || '<digest>');
+
+const guide = computed(() => props.guide ?? '../image-verification');
 </script>

docs/src/.vuepress/config.ts

@@ -1,6 +1,8 @@
 import { viteBundler } from '@vuepress/bundler-vite';
 import { defineUserConfig } from "vuepress";
 import theme from "./theme.js";
+import { releaseVarsPlugin, replaceReleaseTokens } from "./markdown/releaseVarsPlugin.js";
+import { getReleaseFromPath } from "./data/releases.js";
 
 
 export default defineUserConfig({
@@ -28,7 +30,32 @@ export default defineUserConfig({
     },
   },*/
   plugins: [
-    
+    {
+      name: 'release-vars',
+      extendsMarkdown: (md) => {
+        md.use(releaseVarsPlugin);
+      },
+      extendsPage: (page) => {
+        const lookup = page.filePathRelative ? '/' + page.filePathRelative : page.path;
+        const release = getReleaseFromPath(lookup);
+        if (!release) return;
+        const walk = (obj: Record<string, unknown> | undefined) => {
+          if (!obj) return;
+          for (const key of Object.keys(obj)) {
+            const v = obj[key];
+            if (typeof v === 'string') {
+              obj[key] = replaceReleaseTokens(v, release);
+            }
+          }
+        };
+        walk(page.frontmatter as Record<string, unknown>);
+        walk(page.routeMeta as Record<string, unknown>);
+        walk(page.data as unknown as Record<string, unknown>);
+        if (typeof page.title === 'string') {
+          page.title = replaceReleaseTokens(page.title, release);
+        }
+      },
+    },
    ],
 
   // Enable it with pwa

docs/src/.vuepress/data/releases.ts

@@ -0,0 +1,40 @@
+export interface ReleaseImage {
+  digest?: string;
+}
+
+export interface Release {
+  tag: string;
+  previousTag?: string;
+  images: {
+    fhir: ReleaseImage;
+    fhir_proxy: ReleaseImage;
+    bpe: ReleaseImage;
+    bpe_proxy: ReleaseImage;
+  };
+}
+
+export const releases: Record<string, Release> = {
+  '2.1.0': {
+    tag: '2.1.0',
+    previousTag: '2.0.2',
+    images: {
+      fhir:       { digest: 'sha256:TODO' },
+      fhir_proxy: { digest: 'sha256:TODO' },
+      bpe:        { digest: 'sha256:2087a12f2cc8386a019bc9706f8bcfdcd5ee9e12da07ca2bd5f09aaaba8133d7' },
+      bpe_proxy:  { digest: 'sha256:TODO' },
+    },
+  },
+};
+
+export const latestVersion = '2.1.0';
+
+export function getReleaseFromPath(path: string): Release | undefined {
+  const versionMatch = path.match(/(?:^|\/)operations\/v(\d+\.\d+\.\d+)\//);
+  if (versionMatch) return releases[versionMatch[1]];
+  if (/(?:^|\/)operations\/latest\//.test(path)) return releases[latestVersion];
+  return undefined;
+}
+
+export function tagUnderscored(tag: string): string {
+  return tag.replace(/\./g, '_');
+}

docs/src/.vuepress/markdown/releaseVarsPlugin.ts

@@ -0,0 +1,51 @@
+import type { PluginSimple } from 'markdown-it';
+import { getReleaseFromPath, tagUnderscored, type Release } from '../data/releases.js';
+
+const TOKEN_RE = /\{\{\s*release\.([a-zA-Z0-9_.]+)\s*\}\}/g;
+
+export function replaceReleaseTokens(input: string, release: Release): string {
+  return input.replace(TOKEN_RE, (match, key) => {
+    const value = resolve(release, key);
+    return value !== undefined ? value : match;
+  });
+}
+
+function resolve(release: Release, key: string): string | undefined {
+  if (key === 'tag') return release.tag;
+  if (key === 'tagUnderscored') return tagUnderscored(release.tag);
+  if (key === 'previousTag') return release.previousTag;
+  if (key === 'previousTagUnderscored')
+    return release.previousTag ? tagUnderscored(release.previousTag) : undefined;
+
+  const imageMatch = key.match(/^image\.([a-z_]+)$/);
+  if (imageMatch) {
+    const name = imageMatch[1] as keyof Release['images'];
+    if (release.images[name]) return `ghcr.io/datasharingframework/${name}:${release.tag}`;
+  }
+  const previousImageMatch = key.match(/^previousImage\.([a-z_]+)$/);
+  if (previousImageMatch && release.previousTag) {
+    const name = previousImageMatch[1] as keyof Release['images'];
+    if (release.images[name]) return `ghcr.io/datasharingframework/${name}:${release.previousTag}`;
+  }
+  const digestMatch = key.match(/^digest\.([a-z_]+)$/);
+  if (digestMatch) {
+    const name = digestMatch[1] as keyof Release['images'];
+    const digest = release.images[name]?.digest;
+    if (!digest || /TODO/i.test(digest)) return '<digest>';
+    return digest.replace(/^sha256:/, '');
+  }
+  return undefined;
+}
+
+export const releaseVarsPlugin: PluginSimple = (md) => {
+  md.core.ruler.before('normalize', 'release-vars', (state) => {
+    const env = state.env ?? {};
+    const filePath: string = env.filePathRelative ?? env.filePath ?? '';
+    if (!filePath) return;
+
+    const release = getReleaseFromPath('/' + filePath.replace(/^\/+/, ''));
+    if (!release) return;
+
+    state.src = replaceReleaseTokens(state.src, release);
+  });
+};

docs/src/.vuepress/sidebar/operations-v2.ts

@@ -4,7 +4,7 @@ export function generate_v2_latest_sidebar() {
 		icon: "tool",
 		link: "./",
 	},
-		"release-notes", "install", "upgrade-from-2", "upgrade-from-1", "allowList-mgm", "root-certificates", "passwords-secrets", "image-verification", {
+		"release-notes", "install", "upgrade-from-2", "upgrade-from-1", "allowList-mgm", "root-certificates", "passwords-secrets", "image-verification", "hardening-measures", {
 		text: "FHIR Reverse Proxy",
 		icon: "module",
 		prefix: "fhir-reverse-proxy/",

docs/src/operations/v2.1.0/bpe-reverse-proxy/README.md

@@ -5,18 +5,23 @@ icon: module
 
 ## Purpose
 
-The **DSF BPE Reverse Proxy** is an Apache HTTP Server based front for the [BPE Server](../bpe/).
-It terminates TLS for the BPE's web UI and OIDC-authenticated administrative
-endpoints, and forwards authenticated requests to the BPE backend. Unlike the
-[FHIR Reverse Proxy](../fhir-reverse-proxy/), it is intended for internal
-operator and administrator access only, not for DSF-to-DSF traffic.
+The **DSF BPE Reverse Proxy** is an Apache HTTP Server based front for the [BPE Server](../bpe/). It terminates TLS for the BPE's web UI and OIDC-authenticated administrative endpoints, and forwards authenticated requests to the BPE backend. Unlike the [FHIR Reverse Proxy](../fhir-reverse-proxy/), it is intended for internal operator and administrator access only, not for DSF-to-DSF traffic.
 
 ## Docker Image
 
 - Registry: [`ghcr.io/datasharingframework/bpe_proxy`](https://github.com/datasharingframework/dsf/pkgs/container/bpe_proxy)
-- Tag for this release: `2.1.0`
+- Tag for this release: `{{release.tag}}`
 
-<ImageVerification image="bpe_proxy" tag="2.1.0" guide="../image-verification" />
+## Verify Image Signature
+
+Verify the signed image before deploying. See [How to Verify Image Signatures](../image-verification) for prerequisites, SBOM verification, and troubleshooting.
+
+```bash
+cosign verify \
+  {{release.image.bpe_proxy}}@sha256:{{release.digest.bpe_proxy}} \
+  --certificate-identity-regexp "https://github.com/datasharingframework/dsf/.*" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
 
 ## Useful Pages
 

docs/src/operations/v2.1.0/bpe/README.md

@@ -5,20 +5,23 @@ icon: module
 
 ## Purpose
 
-The **DSF Business Process Engine (BPE)** executes the BPMN 2.0 workflows that
-drive distributed data sharing processes between DSF instances. It listens for
-new `Task` resources on the local FHIR Server, runs the corresponding process
-plugin, and creates follow-up `Task` resources on remote FHIR Servers via its
-configured FHIR client connections. The BPE is an internal component and is not
-exposed to the public network — it talks to local systeme (e.g., the local FHIR Store) and to remote
-DSF FHIR Servers through their reverse proxies.
+The **DSF Business Process Engine (BPE)** executes the BPMN 2.0 workflows that drive distributed data sharing processes between DSF instances. It listens for new `Task` resources on the local FHIR Server, runs the corresponding process plugin, and creates follow-up `Task` resources on remote FHIR Servers via its configured FHIR client connections. The BPE is an internal component and is not exposed to the public network — it talks to local systeme (e.g., the local FHIR Store) and to remote DSF FHIR Servers through their reverse proxies.
 
 ## Docker Image
 
 - Registry: [`ghcr.io/datasharingframework/bpe`](https://github.com/datasharingframework/dsf/pkgs/container/bpe)
-- Tag for this release: `2.1.0`
+- Tag for this release: `{{release.tag}}`
 
-<ImageVerification image="bpe" tag="2.1.0" guide="../image-verification" />
+## Verify Image Signature
+
+Verify the signed image before deploying. See [How to Verify Image Signatures](../image-verification) for prerequisites, SBOM verification, and troubleshooting.
+
+```bash
+cosign verify \
+  {{release.image.bpe}}@sha256:{{release.digest.bpe}} \
+  --certificate-identity-regexp "https://github.com/datasharingframework/dsf/.*" \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
 
 ## Useful Pages