4.1.7: Use helidon.oci prefix for OCI Config and allow some oci auth …

…types to accept federation-endpoint and tenancy-id (helidon-io#9765) * Use helidon.oci prefix for OCI Config and allow some oci auth types to accept federation-endpoint and tenancy-id (helidon-io#9740) The PR fixes Issues 9681 and 9734 which includes the following: 1. Allow instance-principal, resource-principal and oke-workload-identity to accept federation-endpoint and tenancy-id as config parameters. This is originally targeted just for oke-workload-identity where Instance Metadata Service (IMDS) does not work on an OKE environment. Because of these, it is unable to assemble the target endpoint as it needs the IMDS to retrieve the region. To resolve the issue, the federation-endpoint configuration is now allowed to be explicitly specified to avoid generation of endpoint using the region from IMDS. In some examples of the use of oke-workload-identity, the tenancy id is required, so this configuration parameter is also added as an option. Furthermore, because instance-principal and resource-principal providers extends AbstractRequestingAuthenticationDetailsProvider similar to oke-workload-instance, hence they are included in the change to allow those optional parameters. 2. Fix a bug where the oci configuration does not work when prefixed with "helidon.oci". 3. Add comprehensive testing coverage for above changes. 4. Remove unnecessary Weight annotation with default value and replace WARNING message with TRACE when oci config does not use "helidon.oci" * Adjust unit tests because of a problem with combineDependencies in the generated sources --------- Co-authored-by: Keith Lustria <[email protected]>
barchetta · Feb 10, 2025 · 5e8864f · 5e8864f
1 parent 1a13241
commit 5e8864f
Show file tree

Hide file tree

Showing 18 changed files with 380 additions and 40 deletions.
diff --git a/etc/copyright-exclude.txt b/etc/copyright-exclude.txt
@@ -30,6 +30,7 @@ jaxb.index
 /MANIFEST.MF
 /README
 /CONTRIBUTING.md
+.crt
 .pem
 .p8
 .pkcs8.pem

diff --git a/integrations/oci/authentication/README.md b/integrations/oci/authentication/README.md
@@ -11,7 +11,7 @@ Helidon supports the following Authentication Methods:
   - `config-file`: based on OCI config file
 - `instance-principal`: instance principal (Such as an OCI VM)
 - `resource-prinicpal`: resource principal (Such as server-less functions)
-- `workload`: workload running on a k8s cluster
+- `oke-workload-identity`: identity of workload running on a k8s cluster
 
 The first two types are always available through `helidon-integrations-oci` module.
-Instance, resource, and workload support can be added through modules in this project module.
+Instance, resource, and workload support can be added through modules in this project module.
diff --git a/...lidon/integrations/oci/authentication/instance/AuthenticationMethodInstancePrincipal.java b/...lidon/integrations/oci/authentication/instance/AuthenticationMethodInstancePrincipal.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2024 Oracle and/or its affiliates.
+ * Copyright (c) 2024, 2025 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,6 +17,7 @@
 package io.helidon.integrations.oci.authentication.instance;
 
 import java.util.Optional;
+import java.util.function.Supplier;
 
 import io.helidon.common.LazyValue;
 import io.helidon.common.Weight;
@@ -42,7 +43,7 @@ class AuthenticationMethodInstancePrincipal implements OciAuthenticationMethod {
     private final LazyValue<Optional<BasicAuthenticationDetailsProvider>> provider;
 
     AuthenticationMethodInstancePrincipal(OciConfig config,
-                                          InstancePrincipalsAuthenticationDetailsProviderBuilder builder) {
+                                          Supplier<Optional<InstancePrincipalsAuthenticationDetailsProviderBuilder>> builder) {
         provider = createProvider(config, builder);
     }
 
@@ -58,10 +59,11 @@ public Optional<BasicAuthenticationDetailsProvider> provider() {
 
     private static LazyValue<Optional<BasicAuthenticationDetailsProvider>>
     createProvider(OciConfig config,
-                   InstancePrincipalsAuthenticationDetailsProviderBuilder builder) {
+                   Supplier<Optional<InstancePrincipalsAuthenticationDetailsProviderBuilder>> builder) {
         return LazyValue.create(() -> {
             if (HelidonOci.imdsAvailable(config)) {
-                return Optional.of(builder.build());
+                return builder.get()
+                        .map(InstancePrincipalsAuthenticationDetailsProviderBuilder::build);
             }
             if (LOGGER.isLoggable(System.Logger.Level.TRACE)) {
                 LOGGER.log(System.Logger.Level.TRACE, "OCI Metadata service is not available, "

diff --git a/...io/helidon/integrations/oci/authentication/instance/InstancePrincipalBuilderProvider.java b/...io/helidon/integrations/oci/authentication/instance/InstancePrincipalBuilderProvider.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2024 Oracle and/or its affiliates.
+ * Copyright (c) 2024, 2025 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -39,8 +39,8 @@ class InstancePrincipalBuilderProvider implements Supplier<InstancePrincipalsAut
 
     @Override
     public InstancePrincipalsAuthenticationDetailsProviderBuilder get() {
-        var builder = InstancePrincipalsAuthenticationDetailsProvider.builder()
-                .timeoutForEachRetry((int) config.authenticationTimeout().toMillis());
+        var builder = getBuilder();
+        builder.timeoutForEachRetry((int) config.authenticationTimeout().toMillis());
 
         config.imdsDetectRetries()
                 .ifPresent(builder::detectEndpointRetries);
@@ -50,8 +50,14 @@ public InstancePrincipalsAuthenticationDetailsProviderBuilder get() {
         config.imdsBaseUri()
                 .map(URI::toString)
                 .ifPresent(builder::metadataBaseUrl);
+        config.tenantId()
+                .ifPresent(builder::tenancyId);
 
         return builder;
     }
 
+    InstancePrincipalsAuthenticationDetailsProviderBuilder getBuilder() {
+        return InstancePrincipalsAuthenticationDetailsProvider.builder();
+    }
+
 }
diff --git a/...n/integrations/oci/authentication/instance/AuthenticationMethodInstancePrincipalTest.java b/...n/integrations/oci/authentication/instance/AuthenticationMethodInstancePrincipalTest.java
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 2025 Oracle and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.helidon.integrations.oci.authentication.instance;
+
+import java.util.Properties;
+
+import io.helidon.service.registry.ServiceRegistry;
+import io.helidon.service.registry.ServiceRegistryManager;
+
+import com.oracle.bmc.auth.InstancePrincipalsAuthenticationDetailsProvider;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.Test;
+
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.MatcherAssert.assertThat;
+
+public class AuthenticationMethodInstancePrincipalTest {
+    private static ServiceRegistryManager registryManager;
+    private static ServiceRegistry registry;
+
+    void setUp(Properties p) {
+        p.put("helidon.oci.authentication-method", "instance-principal");
+        p.put("helidon.oci.imds-timeout", "PT1S");
+        p.put("helidon.oci.imds-detect-retries", "0");
+        System.setProperties(p);
+
+        registryManager = ServiceRegistryManager.create();
+        registry = registryManager.registry();
+    }
+
+    @AfterEach
+    void cleanUp() {
+        registry = null;
+        if (registryManager != null) {
+            registryManager.shutdown();
+        }
+    }
+
+    @Test
+    public void testInstancePrincipalConfigurationAndInstantiation() {
+        final String IMDS_BASE_URI = "http://localhost:8000/opc/v2/";
+        final String FEDERATION_ENDPOINT = "https://auth.us-myregion-1.oraclecloud.com";
+        final String TENANT_ID = "ocid1.tenancy.oc1..mytenancyid";
+
+        Properties p = System.getProperties();
+        p.put("helidon.oci.imds-base-uri", IMDS_BASE_URI);
+        p.put("helidon.oci.federation-endpoint", FEDERATION_ENDPOINT);
+        p.put("helidon.oci.tenant-id", TENANT_ID);
+        setUp(p);
+
+        var builder = registry.get(InstancePrincipalsAuthenticationDetailsProvider.InstancePrincipalsAuthenticationDetailsProviderBuilder.class);
+        // The following validation indicates that the instance principal provider has been configured properly
+        assertThat(builder.getMetadataBaseUrl(), is(IMDS_BASE_URI));
+        assertThat(builder.getFederationEndpoint(), is(FEDERATION_ENDPOINT));
+        assertThat(builder.getTenancyId(), is(TENANT_ID));
+    }
+}
diff --git a/integrations/oci/authentication/oke-workload/pom.xml b/integrations/oci/authentication/oke-workload/pom.xml
@@ -67,6 +67,11 @@
             <artifactId>slf4j-jdk14</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>com.oracle.oci.sdk</groupId>
+            <artifactId>oci-java-sdk-common-httpclient-jersey3</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>
@@ -111,6 +116,18 @@
                     </dependency>
                 </dependencies>
             </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <configuration>
+                    <!--
+                        This will allow AuthenticationMethodOkeWorkload.available() to work during testing
+                    -->
+                    <environmentVariables>
+                        <OCI_KUBERNETES_SERVICE_ACCOUNT_CERT_PATH>${project.build.testResources[0].directory}/dummy-ca.crt</OCI_KUBERNETES_SERVICE_ACCOUNT_CERT_PATH>
+                    </environmentVariables>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
     <profiles>

diff --git a/.../helidon/integrations/oci/authentication/okeworkload/AuthenticationMethodOkeWorkload.java b/.../helidon/integrations/oci/authentication/okeworkload/AuthenticationMethodOkeWorkload.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2024 Oracle and/or its affiliates.
+ * Copyright (c) 2024, 2025 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,22 +21,22 @@
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.util.Optional;
+import java.util.function.Supplier;
 
 import io.helidon.common.LazyValue;
 import io.helidon.common.Weight;
 import io.helidon.common.Weighted;
-import io.helidon.integrations.oci.OciConfig;
 import io.helidon.integrations.oci.spi.OciAuthenticationMethod;
 import io.helidon.service.registry.Service;
 
 import com.oracle.bmc.auth.BasicAuthenticationDetailsProvider;
-import com.oracle.bmc.auth.okeworkloadidentity.OkeWorkloadIdentityAuthenticationDetailsProvider;
+import com.oracle.bmc.auth.okeworkloadidentity.OkeWorkloadIdentityAuthenticationDetailsProvider.OkeWorkloadIdentityAuthenticationDetailsProviderBuilder;
 
 /**
- * Instance principal authentication method, uses the
- * {@link com.oracle.bmc.auth.InstancePrincipalsAuthenticationDetailsProvider}.
+ * OKE workload identity authentication method, uses the
+ * {@link com.oracle.bmc.auth.okeworkloadidentity.OkeWorkloadIdentityAuthenticationDetailsProvider}.
  */
-@Weight(Weighted.DEFAULT_WEIGHT - 40)
+@Weight(Weighted.DEFAULT_WEIGHT - 50)
 @Service.Provider
 class AuthenticationMethodOkeWorkload implements OciAuthenticationMethod {
     private static final System.Logger LOGGER = System.getLogger(AuthenticationMethodOkeWorkload.class.getName());
@@ -53,8 +53,8 @@ class AuthenticationMethodOkeWorkload implements OciAuthenticationMethod {
 
     private final LazyValue<Optional<BasicAuthenticationDetailsProvider>> provider;
 
-    AuthenticationMethodOkeWorkload(OciConfig config) {
-        provider = createProvider(config);
+    AuthenticationMethodOkeWorkload(Supplier<Optional<OkeWorkloadIdentityAuthenticationDetailsProviderBuilder>> builder) {
+        provider = createProvider(builder);
     }
 
     @Override
@@ -67,11 +67,12 @@ public Optional<BasicAuthenticationDetailsProvider> provider() {
         return provider.get();
     }
 
-    private static LazyValue<Optional<BasicAuthenticationDetailsProvider>> createProvider(OciConfig config) {
+    private static LazyValue<Optional<BasicAuthenticationDetailsProvider>> createProvider(
+            Supplier<Optional<OkeWorkloadIdentityAuthenticationDetailsProviderBuilder>> builder) {
         return LazyValue.create(() -> {
             if (available()) {
-                return Optional.of(OkeWorkloadIdentityAuthenticationDetailsProvider.builder()
-                                           .build());
+                return builder.get()
+                        .map(OkeWorkloadIdentityAuthenticationDetailsProviderBuilder::build);
 
             }
             return Optional.empty();

diff --git a/...va/io/helidon/integrations/oci/authentication/okeworkload/OkeWorkloadBuilderProvider.java b/...va/io/helidon/integrations/oci/authentication/okeworkload/OkeWorkloadBuilderProvider.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2024 Oracle and/or its affiliates.
+ * Copyright (c) 2024, 2025 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,7 +26,7 @@
 import com.oracle.bmc.auth.okeworkloadidentity.OkeWorkloadIdentityAuthenticationDetailsProvider.OkeWorkloadIdentityAuthenticationDetailsProviderBuilder;
 
 /**
- * OKE Workload  builder provider, uses the
+ * OKE Workload Identity builder provider, uses the
  * {@link OkeWorkloadIdentityAuthenticationDetailsProviderBuilder}.
  */
 @Service.Provider
@@ -50,6 +50,8 @@ public OkeWorkloadIdentityAuthenticationDetailsProviderBuilder get() {
         config.imdsBaseUri()
                 .map(URI::toString)
                 .ifPresent(builder::metadataBaseUrl);
+        config.tenantId()
+                .ifPresent(builder::tenancyId);
 
         return builder;
     }

diff --git a/...idon/integrations/oci/authentication/okeworkload/AuthenticationMethodOkeWorkloadTest.java b/...idon/integrations/oci/authentication/okeworkload/AuthenticationMethodOkeWorkloadTest.java
@@ -0,0 +1,74 @@
+/*
+ * Copyright (c) 2025 Oracle and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.helidon.integrations.oci.authentication.okeworkload;
+
+import java.util.Properties;
+
+import io.helidon.service.registry.ServiceRegistry;
+import io.helidon.service.registry.ServiceRegistryManager;
+
+import com.oracle.bmc.auth.BasicAuthenticationDetailsProvider;
+import com.oracle.bmc.auth.okeworkloadidentity.OkeWorkloadIdentityAuthenticationDetailsProvider.OkeWorkloadIdentityAuthenticationDetailsProviderBuilder;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.Test;
+
+import static org.hamcrest.CoreMatchers.containsString;
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+public class AuthenticationMethodOkeWorkloadTest {
+    private static ServiceRegistryManager registryManager;
+    private static ServiceRegistry registry;
+
+    void setUp(Properties p) {
+        p.put("helidon.oci.authentication-method", "oke-workload-identity");
+        System.setProperties(p);
+
+        registryManager = ServiceRegistryManager.create();
+        registry = registryManager.registry();
+    }
+
+    @AfterEach
+    void cleanUp() {
+        registry = null;
+        if (registryManager != null) {
+            registryManager.shutdown();
+        }
+    }
+
+    @Test
+    public void testOkeWorkloadIdentityConfigurationAndInstantiation() {
+        final String FEDERATION_ENDPOINT = "https://auth.us-myregion-1.oraclecloud.com";
+        final String TENANT_ID = "ocid1.tenancy.oc1..mytenancyid";
+
+        Properties p = System.getProperties();
+        p.put("helidon.oci.federation-endpoint", FEDERATION_ENDPOINT);
+        p.put("helidon.oci.tenant-id", TENANT_ID);
+        setUp(p);
+
+        // This error indicates that the oke-workload-identity provider has been instantiated
+        var thrown = assertThrows(IllegalArgumentException.class,
+                                  () -> registry.get(BasicAuthenticationDetailsProvider.class));
+        assertThat(thrown.getMessage(), containsString("Invalid Kubernetes ca certification"));
+
+        var builder = registry.get(OkeWorkloadIdentityAuthenticationDetailsProviderBuilder.class);
+        // The following validation indicates that the oke-workload-identity provider has been configured properly
+        assertThat(builder.getFederationEndpoint(), is(FEDERATION_ENDPOINT));
+        assertThat(builder.getTenancyId(), is(TENANT_ID));
+    }
+}
diff --git a/integrations/oci/authentication/oke-workload/src/test/resources/dummy-ca.crt b/integrations/oci/authentication/oke-workload/src/test/resources/dummy-ca.crt
@@ -0,0 +1,4 @@
+NOTICE:
+=======
+This file represents a dummy ca.crt that will be used by the AuthenticationMethodOkeWorkload to validate if it can proceed with
+authentication processing.
diff --git a/integrations/oci/authentication/resource/pom.xml b/integrations/oci/authentication/resource/pom.xml
@@ -107,6 +107,18 @@
                     </dependency>
                 </dependencies>
             </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <configuration>
+                    <!--
+                        This will allow test to reach Resource Principal provider build
+                    -->
+                    <environmentVariables>
+                        <OCI_RESOURCE_PRINCIPAL_VERSION>2.2</OCI_RESOURCE_PRINCIPAL_VERSION>
+                    </environmentVariables>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
     <profiles>
-Original file line number
+Diff line change
@@ Expand Up / @@ -30,6 +30,7 @@ jaxb.index @@
     /MANIFEST.MF
     /README
     /CONTRIBUTING.md
+    .crt
     .pem
     .p8
     .pkcs8.pem
@@ Expand Down @@