Merge pull request #1580 from oracle-devrel/oci-devops-aifunction-fix

auth mods
oracle-devrel · Feb 12, 2025 · 8aa94d7 · 8aa94d7
2 parents 3436c44 + 9fc8c36
commit 8aa94d7
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 14 deletions.
diff --git a/...tainers/functions/java-helloworld-AI-with-local-dev-and-oci-functions/README.md b/...tainers/functions/java-helloworld-AI-with-local-dev-and-oci-functions/README.md
@@ -53,21 +53,35 @@ This example is based on the <a href="../java-helloworld-with-local-dev-and-oci-
 
 <p>
 
-To do the OCI SDK authentication and authorization to use the GenAI services the function uses two options:
+To do the OCI SDK authentication and authorization to use the GenAI services the function has three options:
 <ul>
-<li><b>IAM regular user</b> for the local dev and test on mac (lines 79-84 in HelloAIFunction.java)</li>
-<li><b>ResourcePrincipal</b> for the OCI Function</li>
+<li><b>ResourcePrincipal</b> for the OCI Function to run in OCI. This allows Function to be authorized as part of
+a OCI Dynamic Group that has OCI Policies attached to for the Function to do it's job.</li>
+<li><b>IAM regular user</b> for the local dev and test on mac and passing the vars in source code (lines 79-84 in HelloAIFunction.java). This works for testing locally but the container should not be distributed!</li>
+<li><b>IAM regular user</b> for the local dev and test on mac using OCI CLI config file (usually located in ~/.oci). Again, this works for testing locally but the container should not be distributed!</li>
 </ul>
 
 <p>
 IAM user option will work on both cases above, as local and as OCI Function. ResourcePrincipal is the default for OCI Function.
+<p>
 
 ## Build and test
 
 Following the steps of the <a href="../java-helloworld-with-local-dev-and-oci-functions">Hello function example </a> adjust the  <a href="https://github.com/oracle-devrel/technology-engineering/blob/main/app-dev/devops-and-containers/functions/java-helloworld-AI-with-local-dev-and-oci-functions/files/src/main/java/com/example/HelloAIFunction.java#76">line 76</a> to match your <code>compartment OCID</code> and the <a href="https://github.com/oracle-devrel/technology-engineering/blob/main/app-dev/devops-and-containers/functions/java-helloworld-AI-with-local-dev-and-oci-functions/files/src/main/java/com/example/HelloAIFunction.java#77">line 77</a> to match your <code>GenAI service model OCID</code>. 
 
 <p>
 
+To use <code>.oci config</code> for testing locally replace the contents of Dockerfile with the contents from <a href="Dockerfile.local_oci">Dockerfile.local_oci</a>. Then copy your <code>~/.oci</code> -directory under the project root and build the Function with Fn:
+
+<pre>
+fn --verbose deploy --app hellofunction --local
+fn invoke hellofunction helloaifunc
+</pre>
+
+<i>Note! Do not distribute this container since it contains your OCI credentials. Use this only for local testing purposes.</i>
+
+<p>
+
 Testing with curl (or copy-pasting the API Gateway deployment url to a browser):
 
 <p>

diff --git a/.../functions/java-helloworld-AI-with-local-dev-and-oci-functions/files/Dockerfile.local_oci b/.../functions/java-helloworld-AI-with-local-dev-and-oci-functions/files/Dockerfile.local_oci
@@ -0,0 +1,21 @@
+FROM fnproject/fn-java-fdk-build:jdk17-1.0-latest as build-stage
+WORKDIR /function
+ENV MAVEN_OPTS -Dhttp.proxyHost= -Dhttp.proxyPort= -Dhttps.proxyHost= -Dhttps.proxyPort= -Dhttp.nonProxyHosts= -Dmaven.repo.local=/usr/share/maven/ref/repository
+ADD pom.xml /function/pom.xml
+RUN ["mvn", "package", "dependency:copy-dependencies", "-DincludeScope=runtime", "-DskipTests=true", "-Dmdep.prependGroupId=true", "-DoutputDirectory=target", "--fail-never"]
+ADD src /function/src
+RUN ["mvn", "package"]
+FROM fnproject/fn-java-fdk:jre17-1.0.187
+WORKDIR /function
+COPY --from=build-stage /function/target/*.jar /function/app/
+RUN echo "**** WARNING ***"
+RUN echo "**** THIS CONTAINER CONTAINS OCI CREDENTIALS - DO NOT DISTRIBUTE ***"
+RUN echo "Copy your OCI CLI .oci dir under this dir before running this Dockerfile "
+RUN echo "OCI API KEYFILE is expected to be without any path in the config e.g. key_file = oci_api_key.pem"
+ADD .oci/config /
+ADD .oci/oci_api_key.pem /
+RUN chmod 777 /config
+RUN chmod 777 /oci_api_key.pem
+RUN sed -i '/^key_file/d' /config
+RUN echo "key_file = /oci_api_key.pem" >> /config
+CMD ["com.example.HelloAIFunction::handleRequest"]
diff --git a/...-AI-with-local-dev-and-oci-functions/files/src/main/java/com/example/HelloAIFunction.java b/...-AI-with-local-dev-and-oci-functions/files/src/main/java/com/example/HelloAIFunction.java
@@ -101,21 +101,31 @@ public String handleRequest(String input) {
 
         } catch (Exception e) {
                 try {
-                        AuthenticationDetailsProvider authenticationDetailsProvider =
-                                SimpleAuthenticationDetailsProvider.builder()
-                                        .tenantId(TENANCY_ID)
-                                        .userId(USER_ID)
-                                        .fingerprint(FINGERPRINT)
-                                        .privateKeySupplier(new StringPrivateKeySupplier(PRIVATEKEY))
-                                        .passPhrase(PASSPHRASE)
-                                        .build();
+                        ConfigFileAuthenticationDetailsProvider configFileAuthenticationDetailsProvider =
+                                new ConfigFileAuthenticationDetailsProvider("/config", "DEFAULT");
                         generativeAiInferenceClient =
                                 GenerativeAiInferenceClient.builder()
                                         .region(REGION)
                                         .endpoint(ENDPOINT)
-                                        .build(authenticationDetailsProvider);
+                                        .build(configFileAuthenticationDetailsProvider);
                 } catch (Exception ee) {
-                        answer = answer + "\n" + ee.getMessage();
+                        try {
+                                AuthenticationDetailsProvider authenticationDetailsProvider =
+                                        SimpleAuthenticationDetailsProvider.builder()
+                                                .tenantId(TENANCY_ID)
+                                                .userId(USER_ID)
+                                                .fingerprint(FINGERPRINT)
+                                                .privateKeySupplier(new StringPrivateKeySupplier(PRIVATEKEY))
+                                                .passPhrase(PASSPHRASE)
+                                                .build();
+                                generativeAiInferenceClient =
+                                        GenerativeAiInferenceClient.builder()
+                                                .region(REGION)
+                                                .endpoint(ENDPOINT)
+                                                .build(authenticationDetailsProvider);
+                        } catch (Exception eee) {
+                                answer = answer + "\n" + eee.getMessage();
+                        }
                 }
         }
 
@@ -156,5 +166,4 @@ public String handleRequest(String input) {
         }
         return answer;
     }
-
 }