added secrets for ecs container

Author: axel-nagel

src/main/java/eu/openanalytics/containerproxy/backend/ecs/EcsBackend.java

@@ -63,6 +63,7 @@
 import software.amazon.awssdk.services.ecs.model.RegisterTaskDefinitionResponse;
 import software.amazon.awssdk.services.ecs.model.RunTaskResponse;
 import software.amazon.awssdk.services.ecs.model.RuntimePlatform;
+import software.amazon.awssdk.services.ecs.model.Secret;
 import software.amazon.awssdk.services.ecs.model.Tag;
 import software.amazon.awssdk.services.ecs.model.Task;
 import software.amazon.awssdk.services.ecs.model.Volume;
@@ -281,6 +282,8 @@ private String getTaskDefinition(Authentication user, ContainerSpec spec, EcsSpe
 
         Pair<List<Volume>, List<MountPoint>> volumes = getVolumes(spec, specExtension);
 
+        List<Secret> secrets = getSecrets(spec, specExtension);
+        
         EphemeralStorage ephemeralStorage = EphemeralStorage
             .builder()
             .sizeInGiB(specExtension.ecsEphemeralStorageSize.getValueOrDefault(21))
@@ -295,8 +298,9 @@ private String getTaskDefinition(Authentication user, ContainerSpec spec, EcsSpe
                 .environment(env)
                 .stopTimeout(2)
                 .dockerLabels(dockerLabels)
-                .logConfiguration(getLogConfiguration(proxy.getSpecId()))
+                .logConfiguration(getLogConfiguration(proxy.getId()))
                 .mountPoints(volumes.getSecond())
+                .secrets(secrets)
                 .build())
             .networkMode(NetworkMode.AWSVPC) // only option when using fargate
             .requiresCompatibilities(Compatibility.FARGATE)
@@ -391,6 +395,17 @@ private Pair<List<Volume>, List<MountPoint>> getVolumes(ContainerSpec spec, EcsS
         return Pair.of(efsVolumeConfigurations, mountPoints);
     }
 
+    private List<Secret> getSecrets(ContainerSpec spec, EcsSpecExtension specExtension) {
+        List<Secret> secrets = new ArrayList<>();
+        for (EcsManagedSecret managedSecrets : specExtension.getEcsManagedSecrets()) {
+            Secret.Builder secretBuilder  = Secret.builder();
+            secretBuilder.name(managedSecrets.getName().getValue());
+            secretBuilder.valueFrom(managedSecrets.getValueFrom().getValue());            
+            secrets.add(secretBuilder.build());
+        }
+        return secrets;
+    }
+
     @Override
     protected void doStopProxy(Proxy proxy) throws Exception {
         for (Container container : proxy.getContainers()) {

src/main/java/eu/openanalytics/containerproxy/backend/ecs/EcsManagedSecret.java

@@ -0,0 +1,57 @@
+/**
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2024 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.backend.ecs;
+
+import eu.openanalytics.containerproxy.spec.expression.SpecExpressionContext;
+import eu.openanalytics.containerproxy.spec.expression.SpecExpressionResolver;
+import eu.openanalytics.containerproxy.spec.expression.SpelField;
+import lombok.AccessLevel;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Data;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+
+
+@Data
+@Setter
+@Getter
+@Builder(toBuilder = true)
+@AllArgsConstructor(access = AccessLevel.PRIVATE) // force Spring to not use constructor
+@NoArgsConstructor(force = true, access = AccessLevel.PRIVATE) // Jackson deserialize compatibility
+public class EcsManagedSecret {
+
+    @Builder.Default
+    SpelField.String name = new SpelField.String();
+
+    @Builder.Default
+    SpelField.String valueFrom = new SpelField.String();
+
+
+    public EcsManagedSecret resolve(SpecExpressionResolver resolver, SpecExpressionContext context) {
+        return toBuilder()
+            .name(name.resolve(resolver, context))
+            .valueFrom(valueFrom.resolve(resolver, context))
+            .build();
+    }
+
+}

src/main/java/eu/openanalytics/containerproxy/backend/ecs/EcsSpecExtension.java

@@ -65,6 +65,9 @@ public class EcsSpecExtension extends AbstractSpecExtension {
     @Builder.Default
     List<EcsEfsVolume> ecsEfsVolumes = new ArrayList<>();
 
+    @Builder.Default
+    List<EcsManagedSecret> ecsManagedSecrets = new ArrayList<>();
+
     @Builder.Default
     SpelField.Boolean ecsEnableExecuteCommand = new SpelField.Boolean();
 
@@ -77,6 +80,7 @@ public ISpecExtension firstResolve(SpecExpressionResolver resolver, SpecExpressi
             .ecsOperationSystemFamily(ecsOperationSystemFamily.resolve(resolver, context))
             .ecsEphemeralStorageSize(ecsEphemeralStorageSize.resolve(resolver, context))
             .ecsEfsVolumes(ecsEfsVolumes.stream().map(p -> p.resolve(resolver, context)).collect(Collectors.toList()))
+            .ecsManagedSecrets(ecsManagedSecrets.stream().map(p -> p.resolve(resolver, context)).collect(Collectors.toList()))
             .ecsEnableExecuteCommand(ecsEnableExecuteCommand.resolve(resolver, context))
             .build();
     }