Skip to content

Commit 87a2846

Browse files
committed
move to github packages and add oci vault support
1 parent 100fef5 commit 87a2846

7 files changed

Lines changed: 113 additions & 32 deletions

File tree

.github/workflows/publish-release.yml

Lines changed: 9 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -4,29 +4,28 @@ on:
44
release:
55
types: [ published ]
66

7+
permissions:
8+
contents: write
9+
packages: write
10+
711
jobs:
812
deploy:
913
name: Publish
1014
runs-on: ubuntu-latest
1115

1216
steps:
1317
- name: Checkout
14-
uses: actions/checkout@v2
15-
16-
- name: Configure AWS credentials
17-
uses: aws-actions/configure-aws-credentials@v1
18-
with:
19-
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
20-
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
21-
aws-region: ap-northeast-2
18+
uses: actions/checkout@v4
2219

2320
- name: Set up JDK 21
24-
uses: actions/setup-java@v3
21+
uses: actions/setup-java@v4
2522
with:
2623
java-version: '21'
2724
distribution: 'temurin'
2825

2926
- name: Publish release
27+
env:
28+
GITHUB_TOKEN: ${{ github.token }}
3029
run: |
3130
./gradlew clean publish -Pversion=${{ github.event.release.tag_name }}
3231
@@ -42,4 +41,4 @@ jobs:
4241
git checkout main
4342
git add ./gradle.properties
4443
git commit -m "Automated commit by GitHub Actions"
45-
git push
44+
git push

.github/workflows/publish-snapshot.yml

Lines changed: 9 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -4,28 +4,27 @@ on:
44
push:
55
branches: [ main ]
66

7+
permissions:
8+
contents: read
9+
packages: write
10+
711
jobs:
812
deploy:
913
name: Publish
1014
runs-on: ubuntu-latest
1115

1216
steps:
1317
- name: Checkout
14-
uses: actions/checkout@v2
15-
16-
- name: Configure AWS credentials
17-
uses: aws-actions/configure-aws-credentials@v1
18-
with:
19-
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
20-
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
21-
aws-region: ap-northeast-2
18+
uses: actions/checkout@v4
2219

2320
- name: Set up JDK 21
24-
uses: actions/setup-java@v3
21+
uses: actions/setup-java@v4
2522
with:
2623
java-version: '21'
2724
distribution: 'temurin'
2825

2926
- name: Publish snapshot
27+
env:
28+
GITHUB_TOKEN: ${{ github.token }}
3029
run: |
31-
./gradlew clean publish
30+
./gradlew clean publish

build.gradle.kts

Lines changed: 5 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -12,9 +12,6 @@ plugins {
1212
id("maven-publish")
1313
}
1414

15-
java.sourceCompatibility = JavaVersion.VERSION_21
16-
java.targetCompatibility = JavaVersion.VERSION_21
17-
1815
allprojects {
1916
repositories {
2017
mavenCentral()
@@ -29,6 +26,8 @@ allprojects {
2926
}
3027

3128
java {
29+
sourceCompatibility = JavaVersion.VERSION_21
30+
targetCompatibility = JavaVersion.VERSION_21
3231
withSourcesJar()
3332
withJavadocJar()
3433
}
@@ -48,16 +47,10 @@ allprojects {
4847
publishing {
4948
repositories {
5049
maven {
51-
val authToken =
52-
properties["codeArtifactAuthToken"] as String? ?: ProcessBuilder(
53-
"aws", "codeartifact", "get-authorization-token",
54-
"--domain", "wafflestudio", "--domain-owner", "405906814034",
55-
"--query", "authorizationToken", "--region", "ap-northeast-1", "--output", "text",
56-
).start().inputStream.bufferedReader().readText().trim()
57-
url = uri("https://wafflestudio-405906814034.d.codeartifact.ap-northeast-1.amazonaws.com/maven/spring-waffle/")
50+
url = uri("https://maven.pkg.github.com/wafflestudio/spring-waffle")
5851
credentials {
59-
username = "aws"
60-
password = authToken
52+
username = "wafflestudio"
53+
password = findProperty("gpr.key") as String? ?: System.getenv("GITHUB_TOKEN") ?: ""
6154
}
6255
}
6356
}

settings.gradle.kts

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,7 @@ rootProject.name = "waffle-spring"
33
include(
44
"spring-boot-starter-waffle",
55
"spring-boot-starter-waffle-secret-manager",
6+
"spring-boot-starter-waffle-oci-vault",
67
"truffle",
78
"truffle:truffle-core",
89
"truffle:truffle-logback",
Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
group = "com.wafflestudio.spring"
2+
3+
dependencies {
4+
implementation("org.springframework.boot:spring-boot")
5+
6+
implementation("com.oracle.oci.sdk:oci-java-sdk-secrets:3.80.1")
7+
implementation("com.oracle.oci.sdk:oci-java-sdk-common-httpclient-jersey3:3.80.1")
8+
implementation("com.oracle.oci.sdk:oci-java-sdk-addons-oke-workload-identity:3.80.1")
9+
10+
testImplementation(kotlin("test"))
11+
}
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,77 @@
1+
package com.wafflestudio.spring.ocivault.config
2+
3+
import com.fasterxml.jackson.module.kotlin.jacksonObjectMapper
4+
import com.fasterxml.jackson.module.kotlin.readValue
5+
import com.oracle.bmc.Region
6+
import com.oracle.bmc.auth.BasicAuthenticationDetailsProvider
7+
import com.oracle.bmc.auth.ConfigFileAuthenticationDetailsProvider
8+
import com.oracle.bmc.auth.okeworkloadidentity.OkeWorkloadIdentityAuthenticationDetailsProvider
9+
import com.oracle.bmc.secrets.SecretsClient
10+
import com.oracle.bmc.secrets.model.Base64SecretBundleContentDetails
11+
import com.oracle.bmc.secrets.requests.GetSecretBundleRequest
12+
import org.springframework.boot.EnvironmentPostProcessor
13+
import org.springframework.boot.SpringApplication
14+
import org.springframework.core.env.ConfigurableEnvironment
15+
import org.springframework.core.env.MapPropertySource
16+
import java.util.Base64
17+
18+
class OciVaultEnvironmentPostProcessor : EnvironmentPostProcessor {
19+
private val objectMapper = jacksonObjectMapper()
20+
21+
override fun postProcessEnvironment(
22+
environment: ConfigurableEnvironment,
23+
application: SpringApplication,
24+
) {
25+
val isAotProcessing = environment.getProperty("spring.aot.processing", Boolean::class.java, false)
26+
if (isAotProcessing) {
27+
return
28+
}
29+
val secretIdsProperty = environment.getProperty("oci-vault-secret-ids") ?: return
30+
val secretIds = secretIdsProperty.split(",").map { it.trim() }
31+
val region = Region.fromRegionId(
32+
environment.getProperty("oci.vault.region", "ap-chuncheon-1"),
33+
)
34+
35+
val authProvider = createAuthProvider(environment)
36+
val client = SecretsClient.builder().region(region).build(authProvider)
37+
val secrets = mutableMapOf<String, Any>()
38+
39+
try {
40+
secretIds.forEach { secretId ->
41+
val secretString = getSecretString(client, secretId)
42+
val parsedSecrets = objectMapper.readValue<Map<String, Any>>(secretString)
43+
secrets.putAll(
44+
parsedSecrets.filterKeys {
45+
environment.getProperty(it).isNullOrEmpty()
46+
},
47+
)
48+
}
49+
} finally {
50+
client.close()
51+
}
52+
53+
if (secrets.isNotEmpty()) {
54+
environment.propertySources.addFirst(
55+
MapPropertySource("oci-vault-secrets", secrets),
56+
)
57+
}
58+
}
59+
60+
private fun createAuthProvider(environment: ConfigurableEnvironment): BasicAuthenticationDetailsProvider {
61+
val profiles = environment.activeProfiles.toSet()
62+
return if (profiles.contains("dev") || profiles.contains("prod")) {
63+
OkeWorkloadIdentityAuthenticationDetailsProvider.builder().build()
64+
} else {
65+
ConfigFileAuthenticationDetailsProvider("DEFAULT")
66+
}
67+
}
68+
69+
private fun getSecretString(client: SecretsClient, secretId: String): String {
70+
val request = GetSecretBundleRequest.builder()
71+
.secretId(secretId)
72+
.build()
73+
val response = client.getSecretBundle(request)
74+
val content = (response.secretBundle.secretBundleContent as Base64SecretBundleContentDetails).content
75+
return String(Base64.getDecoder().decode(content))
76+
}
77+
}
Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
org.springframework.boot.EnvironmentPostProcessor=com.wafflestudio.spring.ocivault.config.OciVaultEnvironmentPostProcessor

0 commit comments

Comments
 (0)