helidon-io · barchetta · Feb 10, 2025 · Feb 7, 2025 · Feb 10, 2025
diff --git a/etc/copyright-exclude.txt b/etc/copyright-exclude.txt
@@ -30,6 +30,7 @@ jaxb.index
 /MANIFEST.MF
 /README
 /CONTRIBUTING.md
+.crt
 .pem
 .p8
 .pkcs8.pem

diff --git a/integrations/oci/authentication/README.md b/integrations/oci/authentication/README.md
@@ -11,7 +11,7 @@ Helidon supports the following Authentication Methods:
   - `config-file`: based on OCI config file
 - `instance-principal`: instance principal (Such as an OCI VM)
 - `resource-prinicpal`: resource principal (Such as server-less functions)
-- `workload`: workload running on a k8s cluster
+- `oke-workload-identity`: identity of workload running on a k8s cluster
 
 The first two types are always available through `helidon-integrations-oci` module.
-Instance, resource, and workload support can be added through modules in this project module.
+Instance, resource, and workload support can be added through modules in this project module.
diff --git a/...lidon/integrations/oci/authentication/instance/AuthenticationMethodInstancePrincipal.java b/...lidon/integrations/oci/authentication/instance/AuthenticationMethodInstancePrincipal.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2024 Oracle and/or its affiliates.
+ * Copyright (c) 2024, 2025 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,6 +17,7 @@
 package io.helidon.integrations.oci.authentication.instance;
 
 import java.util.Optional;
+import java.util.function.Supplier;
 
 import io.helidon.common.LazyValue;
 import io.helidon.common.Weight;
@@ -42,7 +43,7 @@ class AuthenticationMethodInstancePrincipal implements OciAuthenticationMethod {
     private final LazyValue<Optional<BasicAuthenticationDetailsProvider>> provider;
 
     AuthenticationMethodInstancePrincipal(OciConfig config,
-                                          InstancePrincipalsAuthenticationDetailsProviderBuilder builder) {
+                                          Supplier<Optional<InstancePrincipalsAuthenticationDetailsProviderBuilder>> builder) {
         provider = createProvider(config, builder);
     }
 
@@ -58,10 +59,11 @@ public Optional<BasicAuthenticationDetailsProvider> provider() {
 
     private static LazyValue<Optional<BasicAuthenticationDetailsProvider>>
     createProvider(OciConfig config,
-                   InstancePrincipalsAuthenticationDetailsProviderBuilder builder) {
+                   Supplier<Optional<InstancePrincipalsAuthenticationDetailsProviderBuilder>> builder) {
         return LazyValue.create(() -> {
             if (HelidonOci.imdsAvailable(config)) {
-                return Optional.of(builder.build());
+                return builder.get()
+                        .map(InstancePrincipalsAuthenticationDetailsProviderBuilder::build);
             }
             if (LOGGER.isLoggable(System.Logger.Level.TRACE)) {
                 LOGGER.log(System.Logger.Level.TRACE, "OCI Metadata service is not available, "

diff --git a/...io/helidon/integrations/oci/authentication/instance/InstancePrincipalBuilderProvider.java b/...io/helidon/integrations/oci/authentication/instance/InstancePrincipalBuilderProvider.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2024 Oracle and/or its affiliates.
+ * Copyright (c) 2024, 2025 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -39,8 +39,8 @@ class InstancePrincipalBuilderProvider implements Supplier<InstancePrincipalsAut
 
     @Override
     public InstancePrincipalsAuthenticationDetailsProviderBuilder get() {
-        var builder = InstancePrincipalsAuthenticationDetailsProvider.builder()
-                .timeoutForEachRetry((int) config.authenticationTimeout().toMillis());
+        var builder = getBuilder();
+        builder.timeoutForEachRetry((int) config.authenticationTimeout().toMillis());
 
         config.imdsDetectRetries()
                 .ifPresent(builder::detectEndpointRetries);
@@ -50,8 +50,14 @@ public InstancePrincipalsAuthenticationDetailsProviderBuilder get() {
         config.imdsBaseUri()
                 .map(URI::toString)
                 .ifPresent(builder::metadataBaseUrl);
+        config.tenantId()
+                .ifPresent(builder::tenancyId);
 
         return builder;
     }
 
+    InstancePrincipalsAuthenticationDetailsProviderBuilder getBuilder() {
+        return InstancePrincipalsAuthenticationDetailsProvider.builder();
+    }
+
 }
diff --git a/...n/integrations/oci/authentication/instance/AuthenticationMethodInstancePrincipalTest.java b/...n/integrations/oci/authentication/instance/AuthenticationMethodInstancePrincipalTest.java
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 2025 Oracle and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.helidon.integrations.oci.authentication.instance;
+
+import java.util.Properties;
+
+import io.helidon.service.registry.ServiceRegistry;
+import io.helidon.service.registry.ServiceRegistryManager;
+
+import com.oracle.bmc.auth.InstancePrincipalsAuthenticationDetailsProvider;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.Test;
+
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.MatcherAssert.assertThat;
+
+public class AuthenticationMethodInstancePrincipalTest {
+    private static ServiceRegistryManager registryManager;
+    private static ServiceRegistry registry;
+
+    void setUp(Properties p) {
+        p.put("helidon.oci.authentication-method", "instance-principal");
+        p.put("helidon.oci.imds-timeout", "PT1S");
+        p.put("helidon.oci.imds-detect-retries", "0");
+        System.setProperties(p);
+
+        registryManager = ServiceRegistryManager.create();
+        registry = registryManager.registry();
+    }
+
+    @AfterEach
+    void cleanUp() {
+        registry = null;
+        if (registryManager != null) {
+            registryManager.shutdown();
+        }
+    }
+
+    @Test
+    public void testInstancePrincipalConfigurationAndInstantiation() {
+        final String IMDS_BASE_URI = "http://localhost:8000/opc/v2/";
+        final String FEDERATION_ENDPOINT = "https://auth.us-myregion-1.oraclecloud.com";
+        final String TENANT_ID = "ocid1.tenancy.oc1..mytenancyid";
+
+        Properties p = System.getProperties();
+        p.put("helidon.oci.imds-base-uri", IMDS_BASE_URI);
+        p.put("helidon.oci.federation-endpoint", FEDERATION_ENDPOINT);
+        p.put("helidon.oci.tenant-id", TENANT_ID);
+        setUp(p);
+
+        var builder = registry.get(InstancePrincipalsAuthenticationDetailsProvider.InstancePrincipalsAuthenticationDetailsProviderBuilder.class);
+        // The following validation indicates that the instance principal provider has been configured properly
+        assertThat(builder.getMetadataBaseUrl(), is(IMDS_BASE_URI));
+        assertThat(builder.getFederationEndpoint(), is(FEDERATION_ENDPOINT));
+        assertThat(builder.getTenancyId(), is(TENANT_ID));
+    }
+}
diff --git a/integrations/oci/authentication/oke-workload/pom.xml b/integrations/oci/authentication/oke-workload/pom.xml
@@ -67,6 +67,11 @@
             <artifactId>slf4j-jdk14</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>com.oracle.oci.sdk</groupId>
+            <artifactId>oci-java-sdk-common-httpclient-jersey3</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>
@@ -111,6 +116,18 @@
                     </dependency>
                 </dependencies>
             </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <configuration>
+                    <!--
+                        This will allow AuthenticationMethodOkeWorkload.available() to work during testing
+                    -->
+                    <environmentVariables>
+                        <OCI_KUBERNETES_SERVICE_ACCOUNT_CERT_PATH>${project.build.testResources[0].directory}/dummy-ca.crt</OCI_KUBERNETES_SERVICE_ACCOUNT_CERT_PATH>
+                    </environmentVariables>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
     <profiles>

diff --git a/.../helidon/integrations/oci/authentication/okeworkload/AuthenticationMethodOkeWorkload.java b/.../helidon/integrations/oci/authentication/okeworkload/AuthenticationMethodOkeWorkload.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2024 Oracle and/or its affiliates.
+ * Copyright (c) 2024, 2025 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,22 +21,22 @@
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.util.Optional;
+import java.util.function.Supplier;
 
 import io.helidon.common.LazyValue;
 import io.helidon.common.Weight;
 import io.helidon.common.Weighted;
-import io.helidon.integrations.oci.OciConfig;
 import io.helidon.integrations.oci.spi.OciAuthenticationMethod;
 import io.helidon.service.registry.Service;
 
 import com.oracle.bmc.auth.BasicAuthenticationDetailsProvider;
-import com.oracle.bmc.auth.okeworkloadidentity.OkeWorkloadIdentityAuthenticationDetailsProvider;
+import com.oracle.bmc.auth.okeworkloadidentity.OkeWorkloadIdentityAuthenticationDetailsProvider.OkeWorkloadIdentityAuthenticationDetailsProviderBuilder;
 
 /**
- * Instance principal authentication method, uses the
- * {@link com.oracle.bmc.auth.InstancePrincipalsAuthenticationDetailsProvider}.
+ * OKE workload identity authentication method, uses the
+ * {@link com.oracle.bmc.auth.okeworkloadidentity.OkeWorkloadIdentityAuthenticationDetailsProvider}.
  */
-@Weight(Weighted.DEFAULT_WEIGHT - 40)
+@Weight(Weighted.DEFAULT_WEIGHT - 50)
 @Service.Provider
 class AuthenticationMethodOkeWorkload implements OciAuthenticationMethod {
     private static final System.Logger LOGGER = System.getLogger(AuthenticationMethodOkeWorkload.class.getName());
@@ -53,8 +53,8 @@ class AuthenticationMethodOkeWorkload implements OciAuthenticationMethod {
 
     private final LazyValue<Optional<BasicAuthenticationDetailsProvider>> provider;
 
-    AuthenticationMethodOkeWorkload(OciConfig config) {
-        provider = createProvider(config);
+    AuthenticationMethodOkeWorkload(Supplier<Optional<OkeWorkloadIdentityAuthenticationDetailsProviderBuilder>> builder) {
+        provider = createProvider(builder);
     }
 
     @Override
@@ -67,11 +67,12 @@ public Optional<BasicAuthenticationDetailsProvider> provider() {
         return provider.get();
     }
 
-    private static LazyValue<Optional<BasicAuthenticationDetailsProvider>> createProvider(OciConfig config) {
+    private static LazyValue<Optional<BasicAuthenticationDetailsProvider>> createProvider(
+            Supplier<Optional<OkeWorkloadIdentityAuthenticationDetailsProviderBuilder>> builder) {
         return LazyValue.create(() -> {
             if (available()) {
-                return Optional.of(OkeWorkloadIdentityAuthenticationDetailsProvider.builder()
-                                           .build());
+                return builder.get()
+                        .map(OkeWorkloadIdentityAuthenticationDetailsProviderBuilder::build);
 
             }
             return Optional.empty();

diff --git a/...va/io/helidon/integrations/oci/authentication/okeworkload/OkeWorkloadBuilderProvider.java b/...va/io/helidon/integrations/oci/authentication/okeworkload/OkeWorkloadBuilderProvider.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2024 Oracle and/or its affiliates.
+ * Copyright (c) 2024, 2025 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,7 +26,7 @@
 import com.oracle.bmc.auth.okeworkloadidentity.OkeWorkloadIdentityAuthenticationDetailsProvider.OkeWorkloadIdentityAuthenticationDetailsProviderBuilder;
 
 /**
- * OKE Workload  builder provider, uses the
+ * OKE Workload Identity builder provider, uses the
  * {@link OkeWorkloadIdentityAuthenticationDetailsProviderBuilder}.
  */
 @Service.Provider
@@ -50,6 +50,8 @@ public OkeWorkloadIdentityAuthenticationDetailsProviderBuilder get() {
         config.imdsBaseUri()
                 .map(URI::toString)
                 .ifPresent(builder::metadataBaseUrl);
+        config.tenantId()
+                .ifPresent(builder::tenancyId);
 
         return builder;
     }

diff --git a/...idon/integrations/oci/authentication/okeworkload/AuthenticationMethodOkeWorkloadTest.java b/...idon/integrations/oci/authentication/okeworkload/AuthenticationMethodOkeWorkloadTest.java
@@ -0,0 +1,74 @@
+/*
+ * Copyright (c) 2025 Oracle and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.helidon.integrations.oci.authentication.okeworkload;
+
+import java.util.Properties;
+
+import io.helidon.service.registry.ServiceRegistry;
+import io.helidon.service.registry.ServiceRegistryManager;
+
+import com.oracle.bmc.auth.BasicAuthenticationDetailsProvider;
+import com.oracle.bmc.auth.okeworkloadidentity.OkeWorkloadIdentityAuthenticationDetailsProvider.OkeWorkloadIdentityAuthenticationDetailsProviderBuilder;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.Test;
+
+import static org.hamcrest.CoreMatchers.containsString;
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+public class AuthenticationMethodOkeWorkloadTest {
+    private static ServiceRegistryManager registryManager;
+    private static ServiceRegistry registry;
+
+    void setUp(Properties p) {
+        p.put("helidon.oci.authentication-method", "oke-workload-identity");
+        System.setProperties(p);
+
+        registryManager = ServiceRegistryManager.create();
+        registry = registryManager.registry();
+    }
+
+    @AfterEach
+    void cleanUp() {
+        registry = null;
+        if (registryManager != null) {
+            registryManager.shutdown();
+        }
+    }
+
+    @Test
+    public void testOkeWorkloadIdentityConfigurationAndInstantiation() {
+        final String FEDERATION_ENDPOINT = "https://auth.us-myregion-1.oraclecloud.com";
+        final String TENANT_ID = "ocid1.tenancy.oc1..mytenancyid";
+
+        Properties p = System.getProperties();
+        p.put("helidon.oci.federation-endpoint", FEDERATION_ENDPOINT);
+        p.put("helidon.oci.tenant-id", TENANT_ID);
+        setUp(p);
+
+        // This error indicates that the oke-workload-identity provider has been instantiated
+        var thrown = assertThrows(IllegalArgumentException.class,
+                                  () -> registry.get(BasicAuthenticationDetailsProvider.class));
+        assertThat(thrown.getMessage(), containsString("Invalid Kubernetes ca certification"));
+
+        var builder = registry.get(OkeWorkloadIdentityAuthenticationDetailsProviderBuilder.class);
+        // The following validation indicates that the oke-workload-identity provider has been configured properly
+        assertThat(builder.getFederationEndpoint(), is(FEDERATION_ENDPOINT));
+        assertThat(builder.getTenancyId(), is(TENANT_ID));
+    }
+}
diff --git a/integrations/oci/authentication/oke-workload/src/test/resources/dummy-ca.crt b/integrations/oci/authentication/oke-workload/src/test/resources/dummy-ca.crt
@@ -0,0 +1,4 @@
+NOTICE:
+=======
+This file represents a dummy ca.crt that will be used by the AuthenticationMethodOkeWorkload to validate if it can proceed with
+authentication processing.
diff --git a/integrations/oci/authentication/resource/pom.xml b/integrations/oci/authentication/resource/pom.xml
@@ -107,6 +107,18 @@
                     </dependency>
                 </dependencies>
             </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <configuration>
+                    <!--
+                        This will allow test to reach Resource Principal provider build
+                    -->
+                    <environmentVariables>
+                        <OCI_RESOURCE_PRINCIPAL_VERSION>2.2</OCI_RESOURCE_PRINCIPAL_VERSION>
+                    </environmentVariables>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
     <profiles>
-Original file line number
+Diff line change
@@ Expand Up / @@ -30,6 +30,7 @@ jaxb.index @@
     /MANIFEST.MF
     /README
     /CONTRIBUTING.md
+    .crt
     .pem
     .p8
     .pkcs8.pem
@@ Expand Down @@