This is a simple Helidon MP project that retrieves datasource configuration parameters from application.yaml, except
for the password, which is fetched from an OCI Vault secret. The secret is fetched by a custom config source
implemented in CustomOciSecretConfigSource.java.
It is registered as a service via src/main/resources/META-INF/services/org.eclipse.microprofile.config.spi.ConfigSource.
The rest of the parameters are retrieved from the default config source, which in this case is
src/main/resources/application.yaml.
The custom config source uses the OCI SDK for Vault/Secrets to retrieve the encrypted target data, which in this sample application is the datasource password. The parameters for the OCI SDK invocation are read from the same src/main/resources/application.yaml. To disable the custom config source, delete either CustomOciSecretConfigSource.java or src/main/resources/META-INF/services/org.eclipse.microprofile.config.spi.ConfigSource. Without the custom config source, the application goes back to retrieving the password from the default config source, i.e. from application.yaml.
- OCI Vault Key and Secrets need to be created. There is a good example guide for this in Protect Your Sensitive Data With Secrets In The Oracle Cloud. Once created, get the OCID of the secret entry representing the datasource password and use that as the value for oci.secret.id in application.yaml. There's another commented out approach in CustomOciSecretConfigSource.java for retrieving the same data which uses the secret name. If this option is the preferred way, fill in parameter values for oci.secret.name and oci.vault.id.
- When authenticating using user principal, make sure to set up user credentials in ~/.oci/config.
- For more details about Helidon custom config sources, please consult the Creating Custom Config Sources section in Helidon Microprofile Config Sources.
- Details about the OCI Vault/Secrets SDK can be found in Managing Secrets.
- JDK 11+
- mvn 3.8.3+
- Helidon 2.5.0
mvn package
java -jar target/helidon-config-vault.jar
curl http://localhost:8080/datasource
{"javax.sql.DataSource.slDataSource.dataSourceClassName":"org.h2.jdbcx.JdbcDataSource","javax.sql.DataSource.slDataSource.dataSource.url":"jdbc:h2:mem:slPU","javax.sql.DataSource.slDataSource.dataSource.user":"sa","javax.sql.DataSource.slDataSource.dataSource.password":"Password123!"}
Ensure that the response contains the correct password value in javax.sql.DataSource.slDataSource.dataSource.password and that it is exactly what was created in the OCI Vault secret.