diff --git a/.github/workflows/dev-cd.yml b/.github/workflows/dev-cd.yml
index 09916f8b..61bdab10 100644
--- a/.github/workflows/dev-cd.yml
+++ b/.github/workflows/dev-cd.yml
@@ -63,7 +63,7 @@ jobs:
 username: ubuntu
 host: ${{ secrets.DEV_EC2_HOST }}
 key: ${{ secrets.DEV_EC2_SSH_KEY }}
- envs: DOCKERHUB_USERNAME,DEV_MYSQL_HOST,MYSQL_PORT,DB_NAME,DB_USERNAME,DB_PASSWORD,REDIS_HOST,REDIS_PORT,REDIS_PASSWORD,DEV_KAKAO_CLIENT_ID,DEV_KAKAO_CLIENT_SECRET,DEV_APPLE_CLIENT_ID,DEV_APPLE_CLIENT_SECRET,JWT_ACCESS_TOKEN_SECRET,JWT_REFRESH_TOKEN_SECRET,JWT_ACCESS_TOKEN_EXPIRATION_TIME,JWT_REFRESH_TOKEN_EXPIRATION_TIME,JWT_ISSUER,DEV_AWS_ACCESS_KEY_ID,DEV_AWS_SECRET_ACCESS_KEY,AWS_REGION,DEV_S3_BUCKET,DEV_S3_ENDPOINT,SWAGGER_USERNAME,SWAGGER_PASSWORD,FIREBASE_TYPE,FIREBASE_PROJECT_ID,FIREBASE_PRIVATE_KEY_ID,FIREBASE_PRIVATE_KEY,FIREBASE_CLIENT_EMAIL,FIREBASE_CLIENT_ID,FIREBASE_AUTH_URI,FIREBASE_TOKEN_URI,FIREBASE_AUTH_PROVIDER_X509_CERT_URL,FIREBASE_CLIENT_X509_CERT_URL
+ envs: DOCKERHUB_USERNAME,DEV_MYSQL_HOST,MYSQL_PORT,DB_NAME,DB_USERNAME,DB_PASSWORD,REDIS_HOST,REDIS_PORT,REDIS_PASSWORD,DEV_KAKAO_CLIENT_ID,DEV_KAKAO_CLIENT_SECRET,DEV_APPLE_CLIENT_ID,DEV_APPLE_CLIENT_SECRET,JWT_ACCESS_TOKEN_SECRET,JWT_REFRESH_TOKEN_SECRET,JWT_ACCESS_TOKEN_EXPIRATION_TIME,JWT_REFRESH_TOKEN_EXPIRATION_TIME,JWT_ISSUER,DEV_AWS_ACCESS_KEY_ID,DEV_AWS_SECRET_ACCESS_KEY,AWS_REGION,DEV_S3_BUCKET,DEV_S3_ENDPOINT,SWAGGER_USERNAME,SWAGGER_PASSWORD,FIREBASE_SA_JSON_B64
 script: |
 export DOCKERHUB_NAME=${{ secrets.DOCKERHUB_USERNAME }}
 export DOCKER_TAG=dev-app
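Review bot: The FIREBASE_SA_JSON_B64 entry added to `envs:` on the `+` line is not what the deploy script consumes — the decode step in this file's second hunk interpolates `${{ secrets.FIREBASE_SA_JSON_B64 }}` straight into the script text, so, assuming this is the ssh-action whose `envs:` forwards runner variables to the remote shell, the credential travels twice and the env entry is dead weight. Keep one route: either drop FIREBASE_SA_JSON_B64 from `envs:` here, or keep it and have the script decode from `"$FIREBASE_SA_JSON_B64"` instead of the expression. The prod-cd.yml hunk at -73,7 has the same duplication. If the env route is kept, the step-level `env:` block that must populate the variable is outside this hunk and should be checked.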
@@ -99,16 +99,11 @@ jobs: export SWAGGER_USERNAME=${{ secrets.SWAGGER_USERNAME }} export SWAGGER_PASSWORD=${{ secrets.SWAGGER_PASSWORD }} - export FIREBASE_TYPE=${{ secrets.FIREBASE_TYPE }} - export FIREBASE_PROJECT_ID=${{ secrets.FIREBASE_PROJECT_ID }} - export FIREBASE_PRIVATE_KEY_ID=${{ secrets.FIREBASE_PRIVATE_KEY_ID }} - export FIREBASE_PRIVATE_KEY=${{ secrets.FIREBASE_PRIVATE_KEY }} - export FIREBASE_CLIENT_EMAIL=${{ secrets.FIREBASE_CLIENT_EMAIL }} - export FIREBASE_CLIENT_ID=${{ secrets.FIREBASE_CLIENT_ID }} - export FIREBASE_AUTH_URI=${{ secrets.FIREBASE_AUTH_URI }} - export FIREBASE_TOKEN_URI=${{ secrets.FIREBASE_TOKEN_URI }} - export FIREBASE_AUTH_PROVIDER_X509_CERT_URL=${{ secrets.FIREBASE_AUTH_PROVIDER_X509_CERT_URL }} - export FIREBASE_CLIENT_X509_CERT_URL=${{ secrets.FIREBASE_CLIENT_X509_CERT_URL }} + sudo mkdir -p /home/ubuntu/secrets + echo "${{ secrets.FIREBASE_SA_JSON_B64 }}" | base64 -d | sudo tee /home/ubuntu/secrets/firebase-sa.json > /dev/null + sudo chmod 600 /home/ubuntu/secrets/firebase-sa.json + + export FIREBASE_CREDENTIALS_PATH=/run/secrets/firebase-sa.json echo "${{ secrets.DOCKERHUB_TOKEN }}" | docker login -u "${{ secrets.DOCKERHUB_USERNAME }}" --password-stdin diff --git a/.github/workflows/prod-cd.yml b/.github/workflows/prod-cd.yml index 94d22497..afc7bac0 100644 --- a/.github/workflows/prod-cd.yml +++ b/.github/workflows/prod-cd.yml 
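Review bot: The credential file written on the `sudo tee` line is created with root's default umask and only locked down by the following `sudo chmod 600`, and because the decode runs inside a pipeline a failing `base64 -d` is not fatal unless pipefail is set, so a malformed secret silently produces an empty file and the deploy continues until Firebase initialisation fails. The session logs in as `ubuntu` and the target is under /home/ubuntu, so `sudo` is also unnecessary and leaves a root-owned 0600 file that a non-root process in the container cannot read through the read-only mount (whether the image runs as root is not visible here). Running the redirect under `umask 077` creates the file at 0600 with no exposure window, and checking the pipeline status makes a decode failure stop the script. Separately, the exported `FIREBASE_CREDENTIALS_PATH` is never referenced by dev-compose.yml, which hard-codes the same path, so either use `${FIREBASE_CREDENTIALS_PATH}` there or drop the export. The prod-cd.yml hunk at -109,16 needs the same changes; the script body begins before this hunk.
```bash
set -o pipefail
mkdir -p /home/ubuntu/secrets && chmod 700 /home/ubuntu/secrets
( umask 077; echo "${{ secrets.FIREBASE_SA_JSON_B64 }}" | base64 -d > /home/ubuntu/secrets/firebase-sa.json ) \
  || { echo "firebase credential decode failed" >&2; exit 1; }
# … unchanged: FIREBASE_CREDENTIALS_PATH export, docker login …
```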
@@ -73,7 +73,7 @@ jobs:
 username: ubuntu
 host: ${{ secrets.PROD_EC2_HOST }}
 key: ${{ secrets.PROD_EC2_SSH_KEY }}
- envs: DOCKERHUB_USERNAME,SPRING_PROFILES_ACTIVE,PROD_MYSQL_HOST,MYSQL_PORT,DB_NAME,DB_USERNAME,DB_PASSWORD,REDIS_HOST,REDIS_PORT,REDIS_PASSWORD,PROD_KAKAO_CLIENT_ID,PROD_KAKAO_CLIENT_SECRET,PROD_APPLE_CLIENT_ID,PROD_APPLE_CLIENT_SECRET,JWT_ACCESS_TOKEN_SECRET,JWT_REFRESH_TOKEN_SECRET,JWT_ACCESS_TOKEN_EXPIRATION_TIME,JWT_REFRESH_TOKEN_EXPIRATION_TIME,JWT_ISSUER,PROD_AWS_ACCESS_KEY_ID,PROD_AWS_SECRET_ACCESS_KEY,AWS_REGION,PROD_S3_BUCKET,PROD_S3_ENDPOINT,SWAGGER_USERNAME,SWAGGER_PASSWORD,FIREBASE_TYPE,FIREBASE_PROJECT_ID,FIREBASE_PRIVATE_KEY_ID,FIREBASE_PRIVATE_KEY,FIREBASE_CLIENT_EMAIL,FIREBASE_CLIENT_ID,FIREBASE_AUTH_URI,FIREBASE_TOKEN_URI,FIREBASE_AUTH_PROVIDER_X509_CERT_URL,FIREBASE_CLIENT_X509_CERT_URL
+ envs: DOCKERHUB_USERNAME,SPRING_PROFILES_ACTIVE,PROD_MYSQL_HOST,MYSQL_PORT,DB_NAME,DB_USERNAME,DB_PASSWORD,REDIS_HOST,REDIS_PORT,REDIS_PASSWORD,PROD_KAKAO_CLIENT_ID,PROD_KAKAO_CLIENT_SECRET,PROD_APPLE_CLIENT_ID,PROD_APPLE_CLIENT_SECRET,JWT_ACCESS_TOKEN_SECRET,JWT_REFRESH_TOKEN_SECRET,JWT_ACCESS_TOKEN_EXPIRATION_TIME,JWT_REFRESH_TOKEN_EXPIRATION_TIME,JWT_ISSUER,PROD_AWS_ACCESS_KEY_ID,PROD_AWS_SECRET_ACCESS_KEY,AWS_REGION,PROD_S3_BUCKET,PROD_S3_ENDPOINT,SWAGGER_USERNAME,SWAGGER_PASSWORD,FIREBASE_SA_JSON_B64
 script: |
 export DOCKERHUB_NAME=${{ secrets.DOCKERHUB_USERNAME }}
 export DOCKER_TAG=prod-app
@@ -109,16 +109,11 @@ jobs: export SWAGGER_USERNAME=${{ secrets.SWAGGER_USERNAME }} export SWAGGER_PASSWORD=${{ secrets.SWAGGER_PASSWORD }} - export FIREBASE_TYPE=${{ secrets.FIREBASE_TYPE }} - export FIREBASE_PROJECT_ID=${{ secrets.FIREBASE_PROJECT_ID }} - export FIREBASE_PRIVATE_KEY_ID=${{ secrets.FIREBASE_PRIVATE_KEY_ID }} - export FIREBASE_PRIVATE_KEY=${{ secrets.FIREBASE_PRIVATE_KEY }} - export FIREBASE_CLIENT_EMAIL=${{ secrets.FIREBASE_CLIENT_EMAIL }} - export FIREBASE_CLIENT_ID=${{ secrets.FIREBASE_CLIENT_ID }} - export FIREBASE_AUTH_URI=${{ secrets.FIREBASE_AUTH_URI }} - export FIREBASE_TOKEN_URI=${{ secrets.FIREBASE_TOKEN_URI }} - export FIREBASE_AUTH_PROVIDER_X509_CERT_URL=${{ secrets.FIREBASE_AUTH_PROVIDER_X509_CERT_URL }} - export FIREBASE_CLIENT_X509_CERT_URL=${{ secrets.FIREBASE_CLIENT_X509_CERT_URL }} + sudo mkdir -p /home/ubuntu/secrets + echo "${{ secrets.FIREBASE_SA_JSON_B64 }}" | base64 -d | sudo tee /home/ubuntu/secrets/firebase-sa.json > /dev/null + sudo chmod 600 /home/ubuntu/secrets/firebase-sa.json + + export FIREBASE_CREDENTIALS_PATH=/run/secrets/firebase-sa.json echo "${{ secrets.DOCKERHUB_TOKEN }}" | docker login -u "${{ secrets.DOCKERHUB_USERNAME }}" --password-stdin diff --git a/clokey-api/dev-compose.yml b/clokey-api/dev-compose.yml index 360a9c13..d210dd10 100644 --- a/clokey-api/dev-compose.yml +++ b/clokey-api/dev-compose.yml 
@@ -30,16 +30,7 @@ services: APPLE_CLIENT_SECRET: ${APPLE_CLIENT_SECRET} # Firebase - FIREBASE_TYPE: ${FIREBASE_TYPE} - FIREBASE_PROJECT_ID: ${FIREBASE_PROJECT_ID} - FIREBASE_PRIVATE_KEY_ID: ${FIREBASE_PRIVATE_KEY_ID} - FIREBASE_PRIVATE_KEY: ${FIREBASE_PRIVATE_KEY} - FIREBASE_CLIENT_EMAIL: ${FIREBASE_CLIENT_EMAIL} - FIREBASE_CLIENT_ID: ${FIREBASE_CLIENT_ID} - FIREBASE_AUTH_URI: ${FIREBASE_AUTH_URI} - FIREBASE_TOKEN_URI: ${FIREBASE_TOKEN_URI} - FIREBASE_AUTH_PROVIDER_X509_CERT_URL: ${FIREBASE_AUTH_PROVIDER_X509_CERT_URL} - FIREBASE_CLIENT_X509_CERT_URL: ${FIREBASE_CLIENT_X509_CERT_URL} + FIREBASE_CREDENTIALS_PATH: /run/secrets/firebase-sa.json # JWT JWT_ACCESS_TOKEN_SECRET: ${JWT_ACCESS_TOKEN_SECRET} @@ -58,6 +49,10 @@ services: # Swagger SWAGGER_USERNAME: ${SWAGGER_USERNAME} SWAGGER_PASSWORD: ${SWAGGER_PASSWORD} + + volumes: + - /home/ubuntu/secrets/firebase-sa.json:/run/secrets/firebase-sa.json:ro + networks: - app_network diff --git a/clokey-api/prod-compose.yml b/clokey-api/prod-compose.yml index 57cc3c3c..55e4b97c 100644 --- a/clokey-api/prod-compose.yml +++ b/clokey-api/prod-compose.yml @@ -30,16 +30,7 @@ services: APPLE_CLIENT_SECRET: ${APPLE_CLIENT_SECRET} # Firebase - FIREBASE_TYPE: ${FIREBASE_TYPE} - FIREBASE_PROJECT_ID: ${FIREBASE_PROJECT_ID} - FIREBASE_PRIVATE_KEY_ID: ${FIREBASE_PRIVATE_KEY_ID} - FIREBASE_PRIVATE_KEY: ${FIREBASE_PRIVATE_KEY} - FIREBASE_CLIENT_EMAIL: ${FIREBASE_CLIENT_EMAIL} - FIREBASE_CLIENT_ID: ${FIREBASE_CLIENT_ID} - FIREBASE_AUTH_URI: ${FIREBASE_AUTH_URI} - FIREBASE_TOKEN_URI: ${FIREBASE_TOKEN_URI} - FIREBASE_AUTH_PROVIDER_X509_CERT_URL: ${FIREBASE_AUTH_PROVIDER_X509_CERT_URL} - FIREBASE_CLIENT_X509_CERT_URL: ${FIREBASE_CLIENT_X509_CERT_URL} + FIREBASE_CREDENTIALS_PATH: /run/secrets/firebase-sa.json # JWT JWT_ACCESS_TOKEN_SECRET: ${JWT_ACCESS_TOKEN_SECRET} 
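Review bot: The single-file bind mount on the `+ - /home/ubuntu/secrets/firebase-sa.json:/run/secrets/firebase-sa.json:ro` line has a known failure mode — when the host path does not exist at container start (a deploy where the decode step was skipped or failed), Docker creates a directory there, so the container sees a directory at /run/secrets/firebase-sa.json and the application fails with an unhelpful read error instead of a clear "missing credential". Compose has first-class file secrets for exactly this: declare the file under a top-level `secrets:` key and attach it to the service, which mounts it read-only at `/run/secrets/<name>` and, as far as I recall, refuses to start when the source file is absent. The prod-compose.yml hunk at -58,6 should get the same treatment. Whether the container process runs as root decides if a root-owned 0600 host file is readable at all; that is configured outside this hunk.
```yaml
      # … unchanged: other environment entries …
      FIREBASE_CREDENTIALS_PATH: /run/secrets/firebase-sa
    secrets:
      - firebase-sa
    # … unchanged: networks …

secrets:
  firebase-sa:
    file: /home/ubuntu/secrets/firebase-sa.json
```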
@@ -58,6 +49,10 @@ services: # Swagger SWAGGER_USERNAME: ${SWAGGER_USERNAME} SWAGGER_PASSWORD: ${SWAGGER_PASSWORD} + + volumes: + - /home/ubuntu/secrets/firebase-sa.json:/run/secrets/firebase-sa.json:ro + networks: - app_network diff --git a/clokey-api/src/main/resources/application-dev.yml b/clokey-api/src/main/resources/application-dev.yml index 1f3344e6..a1526773 100644 --- a/clokey-api/src/main/resources/application-dev.yml +++ b/clokey-api/src/main/resources/application-dev.yml @@ -86,13 +86,4 @@ spring-doc: doc-expansion : none firebase: - type: ${FIREBASE_TYPE} - project-id: ${FIREBASE_PROJECT_ID} - private-key-id: ${FIREBASE_PRIVATE_KEY_ID} - private-key: ${FIREBASE_PRIVATE_KEY} - client-email: ${FIREBASE_CLIENT_EMAIL} - client-id: ${FIREBASE_CLIENT_ID} - auth-uri: ${FIREBASE_AUTH_URI} - token-uri: ${FIREBASE_TOKEN_URI} - auth-provider-x509-cert-url: ${FIREBASE_AUTH_PROVIDER_X509_CERT_URL} - client-x509-cert-url: ${FIREBASE_CLIENT_X509_CERT_URL} + credentials-path: ${FIREBASE_CREDENTIALS_PATH} diff --git a/clokey-api/src/main/resources/application-local.yml b/clokey-api/src/main/resources/application-local.yml index 61584579..65dd285e 100644 --- a/clokey-api/src/main/resources/application-local.yml +++ b/clokey-api/src/main/resources/application-local.yml @@ -87,14 +87,4 @@ logging: org.hibernate.orm.jdbc.bind: TRACE firebase: - type: ${FIREBASE_TYPE} - project-id: ${FIREBASE_PROJECT_ID} - private-key-id: ${FIREBASE_PRIVATE_KEY_ID} - private-key: ${FIREBASE_PRIVATE_KEY} - client-email: ${FIREBASE_CLIENT_EMAIL} - client-id: ${FIREBASE_CLIENT_ID} - auth-uri: ${FIREBASE_AUTH_URI} - token-uri: ${FIREBASE_TOKEN_URI} - auth-provider-x509-cert-url: ${FIREBASE_AUTH_PROVIDER_X509_CERT_URL} - client-x509-cert-url: ${FIREBASE_CLIENT_X509_CERT_URL} - + credentials-path: ${FIREBASE_CREDENTIALS_PATH} diff --git a/clokey-api/src/main/resources/application-prod.yml b/clokey-api/src/main/resources/application-prod.yml index 8888e4dc..8ed0a788 100644 
--- a/clokey-api/src/main/resources/application-prod.yml +++ b/clokey-api/src/main/resources/application-prod.yml @@ -73,13 +73,4 @@ aws: endpoint: ${PROD_S3_ENDPOINT:https://s3.ap-northeast-2.amazonaws.com} firebase: - type: ${FIREBASE_TYPE} - project-id: ${FIREBASE_PROJECT_ID} - private-key-id: ${FIREBASE_PRIVATE_KEY_ID} - private-key: ${FIREBASE_PRIVATE_KEY} - client-email: ${FIREBASE_CLIENT_EMAIL} - client-id: ${FIREBASE_CLIENT_ID} - auth-uri: ${FIREBASE_AUTH_URI} - token-uri: ${FIREBASE_TOKEN_URI} - auth-provider-x509-cert-url: ${FIREBASE_AUTH_PROVIDER_X509_CERT_URL} - client-x509-cert-url: ${FIREBASE_CLIENT_X509_CERT_URL} + credentials-path: ${FIREBASE_CREDENTIALS_PATH} diff --git a/clokey-infrastructure/src/main/java/org/clokey/config/FirebaseConfig.java b/clokey-infrastructure/src/main/java/org/clokey/config/FirebaseConfig.java index bdc769d6..bb6a9bec 100644 --- a/clokey-infrastructure/src/main/java/org/clokey/config/FirebaseConfig.java +++ b/clokey-infrastructure/src/main/java/org/clokey/config/FirebaseConfig.java @@ -4,7 +4,7 @@ import com.google.firebase.FirebaseApp; import com.google.firebase.FirebaseOptions; import com.google.firebase.messaging.FirebaseMessaging; -import java.io.ByteArrayInputStream; +import java.io.FileInputStream; import java.io.IOException; import java.util.List; import org.springframework.beans.factory.annotation.Autowired; 
@@ -32,29 +32,16 @@ private FirebaseApp getFirebaseApp() throws IOException { } } + String path = firebaseProperties.getCredentialsPath(); + if (path == null || path.isBlank()) { + throw new IllegalStateException("FIREBASE_CREDENTIALS_PATH is empty"); + } + FirebaseOptions options = FirebaseOptions.builder() - .setCredentials( - GoogleCredentials.fromStream( - new ByteArrayInputStream( - getFirebaseConfigJson().getBytes()))) + .setCredentials(GoogleCredentials.fromStream(new FileInputStream(path))) .build(); return FirebaseApp.initializeApp(options); } - - private String getFirebaseConfigJson() { - return String.format( - "{ \"type\": \"%s\", \"project_id\": \"%s\", \"private_key_id\": \"%s\", \"private_key\": \"%s\", \"client_email\": \"%s\", \"client_id\": \"%s\", \"auth_uri\": \"%s\", \"token_uri\": \"%s\", \"auth_provider_x509_cert_url\": \"%s\", \"client_x509_cert_url\": \"%s\" }", - firebaseProperties.getType(), - firebaseProperties.getProjectId(), - firebaseProperties.getPrivateKeyId(), - firebaseProperties.getPrivateKey().replace("\\n", "\n"), // 줄바꿈 처리 - firebaseProperties.getClientEmail(), - firebaseProperties.getClientId(), - firebaseProperties.getAuthUri(), - firebaseProperties.getTokenUri(), - firebaseProperties.getAuthProviderX509CertUrl(), - firebaseProperties.getClientX509CertUrl()); - } } diff --git a/clokey-infrastructure/src/main/java/org/clokey/config/FirebaseProperties.java b/clokey-infrastructure/src/main/java/org/clokey/config/FirebaseProperties.java index 7f095d50..2823fad3 100644 --- a/clokey-infrastructure/src/main/java/org/clokey/config/FirebaseProperties.java +++ b/clokey-infrastructure/src/main/java/org/clokey/config/FirebaseProperties.java 
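Review bot: The `new FileInputStream(path)` on the added `.setCredentials(...)` line is never closed — `GoogleCredentials.fromStream` does not take ownership of the stream, so the descriptor leaks for the lifetime of the JVM (small, but it is the credential file, and the leak repeats if bean creation is retried). Wrap the open in try-with-resources and pass the resulting credentials to the builder; this needs `java.io.InputStream` added to the imports changed in the earlier hunk of this file. The blank check on `path` is good, but the message names the environment variable rather than the property (`firebase.credentials-path`) that is actually bound, which is worth a mention for readers coming from the YAML side. The enclosing `getFirebaseApp()` starts before this hunk.
```java
String path = firebaseProperties.getCredentialsPath();
if (path == null || path.isBlank()) {
    throw new IllegalStateException("FIREBASE_CREDENTIALS_PATH (firebase.credentials-path) is empty");
}

// Read the service-account JSON and release the file handle before building the options.
GoogleCredentials credentials;
try (InputStream in = new FileInputStream(path)) {
    credentials = GoogleCredentials.fromStream(in);
}
FirebaseOptions options = FirebaseOptions.builder()
        .setCredentials(credentials)
        .build();
// … unchanged: initializeApp …
```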
@@ -10,14 +10,5 @@
 @Configuration
 @ConfigurationProperties(prefix = "firebase")
 public class FirebaseProperties {
- private String type;
- private String projectId;
- private String privateKeyId;
- private String privateKey;
- private String clientEmail;
- private String clientId;
- private String authUri;
- private String tokenUri;
- private String authProviderX509CertUrl;
- private String clientX509CertUrl;
+ private String credentialsPath;
 }
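Review bot: The new `credentialsPath` field carries no documentation, and since it is the only remaining property and its value is a filesystem path to a private key file, a reader of this class should not have to open the YAML profiles to learn what it holds. Suggested comment above the field: `// Filesystem path of the Firebase service-account JSON; bound from firebase.credentials-path, which the profiles map to FIREBASE_CREDENTIALS_PATH.` The getter/setter this binding relies on are not visible in the hunk, so I assume they are generated elsewhere in the class.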