diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 5e484c64..8a431683 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -32,11 +32,6 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: Create Apple Private Key file - run: | - mkdir -p src/main/resources/keys - echo "${{ secrets.APPLE_PRIVATE_KEY }}" > src/main/resources/keys/AuthKey_${{ secrets.APPLE_KEY_ID }}.p8 - - name: Login to DockerHub uses: docker/login-action@v3 with: @@ -71,7 +66,6 @@ jobs: APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} APPLE_KEY_ID: ${{ secrets.APPLE_KEY_ID }} APPLE_CLIENT_ID: ${{ secrets.APPLE_CLIENT_ID }} - APPLE_PRIVATE_KEY: ${{ secrets.APPLE_PRIVATE_KEY }} JWT_SECRET: ${{ secrets.JWT_SECRET }} JWT_REDIRECT_URI: ${{ secrets.JWT_REDIRECT_URI }} JWT_REDIRECT_URI_DEV: ${{ secrets.JWT_REDIRECT_URI_DEV }} @@ -92,6 +86,22 @@ jobs: source: "docker/,scripts/deploy.sh" target: "~/deploy/" + - name: Place Apple private key on server + uses: appleboy/ssh-action@v1 + env: + APPLE_PRIVATE_KEY: ${{ secrets.APPLE_PRIVATE_KEY }} + APPLE_KEY_ID: ${{ secrets.APPLE_KEY_ID }} + with: + host: ${{ secrets.EC2_HOST }} + username: ${{ secrets.EC2_USERNAME }} + key: ${{ secrets.EC2_SSH_KEY }} + envs: APPLE_PRIVATE_KEY,APPLE_KEY_ID + script: | + mkdir -p ~/keys + chmod 700 ~/keys + printf '%s' "$APPLE_PRIVATE_KEY" > ~/keys/AuthKey_${APPLE_KEY_ID}.p8 + chmod 600 ~/keys/AuthKey_${APPLE_KEY_ID}.p8 + - name: Deploy with blue-green strategy uses: appleboy/ssh-action@v1 with: @@ -103,7 +113,7 @@ jobs: DOCKER_IMAGE,BRANCH,SPRING_PROFILES_ACTIVE,DB_URL,DB_PASSWORD,REDIS_PASSWORD, DISCORD_WEBHOOK_URL,ANTHROPIC_API_KEY,OPENAI_API_KEY, KAKAO_REST_API_KEY,KAKAO_CLIENT_SECRET, - APPLE_TEAM_ID,APPLE_KEY_ID,APPLE_CLIENT_ID,APPLE_PRIVATE_KEY, + APPLE_TEAM_ID,APPLE_KEY_ID,APPLE_CLIENT_ID, JWT_SECRET,JWT_REDIRECT_URI,JWT_REDIRECT_URI_DEV,JWT_LOGIN_FAILURE_REDIRECT_URI,JWT_LOGIN_FAILURE_REDIRECT_URI_DEV,SERVER_DOMAIN script: | cd ~/deploy 
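Review bot: The new "Place Apple private key on server" step writes the PEM with `printf` under the server's default umask and only afterwards runs `chmod 600`, and it never checks that `APPLE_KEY_ID` was set or that the written file actually contains a key, so a missing or truncated secret yields an `AuthKey_.p8` or empty file that only fails later inside the app. Setting `umask 077` before `mkdir`/`printf` removes the window in which the key is group/world-readable, and a `grep -q 'BEGIN PRIVATE KEY'` on the written file fails the job where the cause is visible. If appleboy/ssh-action does not carry a multi-line value through `envs` intact (worth confirming against the action's documentation), the usual remedy is to store the secret base64-encoded and decode it on the server. The other three hunks in this file only remove the old workspace copy of the key and its env entries and need nothing further.
```yaml
          script: |
            set -eu
            : "${APPLE_KEY_ID:?APPLE_KEY_ID is not set}"
            umask 077
            mkdir -p ~/keys
            chmod 700 ~/keys
            printf '%s' "$APPLE_PRIVATE_KEY" > ~/keys/"AuthKey_${APPLE_KEY_ID}.p8"
            grep -q 'BEGIN PRIVATE KEY' ~/keys/"AuthKey_${APPLE_KEY_ID}.p8"
```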
diff --git a/.gitignore b/.gitignore index 24e7deb3..dbe08ede 100644 --- a/.gitignore +++ b/.gitignore @@ -56,7 +56,7 @@ stop-dev-tunnel.sh .env ### Apple Private Keys ### -src/main/resources/keys/ +/keys *.p8 ### Test json files ### diff --git a/docker/docker-compose.blue.yml b/docker/docker-compose.blue.yml index e493ca79..7777b793 100644 --- a/docker/docker-compose.blue.yml +++ b/docker/docker-compose.blue.yml @@ -18,11 +18,13 @@ services: - APPLE_TEAM_ID=${APPLE_TEAM_ID} - APPLE_KEY_ID=${APPLE_KEY_ID} - APPLE_CLIENT_ID=${APPLE_CLIENT_ID} - - APPLE_PRIVATE_KEY_PATH=keys/AuthKey_${APPLE_KEY_ID}.p8 + - APPLE_PRIVATE_KEY_PATH=/app/keys/AuthKey_${APPLE_KEY_ID}.p8 - JWT_SECRET=${JWT_SECRET} - JWT_REDIRECT_URI=${JWT_REDIRECT_URI} - JWT_LOGIN_FAILURE_REDIRECT_URI=${JWT_LOGIN_FAILURE_REDIRECT_URI} - SERVER_DOMAIN=${SERVER_DOMAIN} + volumes: + - ~/keys:/app/keys:ro networks: techfork-network: aliases: diff --git a/docker/docker-compose.dev.yml b/docker/docker-compose.dev.yml index 393bb697..773d16e4 100644 --- a/docker/docker-compose.dev.yml +++ b/docker/docker-compose.dev.yml @@ -18,11 +18,13 @@ services: - APPLE_TEAM_ID=${APPLE_TEAM_ID} - APPLE_KEY_ID=${APPLE_KEY_ID} - APPLE_CLIENT_ID=${APPLE_CLIENT_ID} - - APPLE_PRIVATE_KEY_PATH=keys/AuthKey_${APPLE_KEY_ID}.p8 + - APPLE_PRIVATE_KEY_PATH=/app/keys/AuthKey_${APPLE_KEY_ID}.p8 - JWT_SECRET=${JWT_SECRET} - JWT_REDIRECT_URI=${JWT_REDIRECT_URI_DEV} - JWT_LOGIN_FAILURE_REDIRECT_URI=${JWT_LOGIN_FAILURE_REDIRECT_URI_DEV} - SERVER_DOMAIN=${SERVER_DOMAIN} + volumes: + - ~/keys:/app/keys:ro networks: techfork-network: aliases: diff --git a/docker/docker-compose.green.yml b/docker/docker-compose.green.yml index 8349968b..b9b82664 100644 --- a/docker/docker-compose.green.yml +++ b/docker/docker-compose.green.yml 
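Review bot: The `~/keys:/app/keys:ro` mount added to docker-compose.blue.yml (and identically to docker-compose.dev.yml in this line and docker-compose.green.yml in the next hunk) assumes `~` resolves to the same home directory the CD step wrote into; if deploy.sh is ever run under `sudo`, Compose may expand `~` to a different user's home and the key will not be found. The key is also created with mode 600 owned by the deploy user, so a container that runs as a different non-root UID will see `/app/keys/AuthKey_<id>.p8` but cannot read it — worth confirming against the image's `USER`. Mounting only the file narrows what the container sees: `- ~/keys/AuthKey_${APPLE_KEY_ID}.p8:/app/keys/AuthKey_${APPLE_KEY_ID}.p8:ro`. Note that `APPLE_PRIVATE_KEY_PATH` is still exported by these compose files although application.yml in this same commit stops reading that variable.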
@@ -18,11 +18,13 @@ services: - APPLE_TEAM_ID=${APPLE_TEAM_ID} - APPLE_KEY_ID=${APPLE_KEY_ID} - APPLE_CLIENT_ID=${APPLE_CLIENT_ID} - - APPLE_PRIVATE_KEY_PATH=keys/AuthKey_${APPLE_KEY_ID}.p8 + - APPLE_PRIVATE_KEY_PATH=/app/keys/AuthKey_${APPLE_KEY_ID}.p8 - JWT_SECRET=${JWT_SECRET} - JWT_REDIRECT_URI=${JWT_REDIRECT_URI} - JWT_LOGIN_FAILURE_REDIRECT_URI=${JWT_LOGIN_FAILURE_REDIRECT_URI} - SERVER_DOMAIN=${SERVER_DOMAIN} + volumes: + - ~/keys:/app/keys:ro networks: techfork-network: aliases: diff --git a/scripts/deploy.sh b/scripts/deploy.sh index 3d38a072..7cd9cd27 100644 --- a/scripts/deploy.sh +++ b/scripts/deploy.sh @@ -102,7 +102,7 @@ trap cleanup EXIT # Generate .env from SSH-injected environment variables log "Writing .env file..." -env | grep -E '^(DOCKER_IMAGE|BRANCH|SPRING_PROFILES_ACTIVE|DB_|REDIS_|ANTHROPIC_|OPENAI_|DISCORD_|KAKAO_|APPLE_|JWT_|SERVER_)' > "${DOCKER_DIR}/.env" +env | grep -E '^(DOCKER_IMAGE|BRANCH|SPRING_PROFILES_ACTIVE|DB_|REDIS_|ANTHROPIC_|OPENAI_|DISCORD_|KAKAO_|APPLE_TEAM_ID|APPLE_KEY_ID|APPLE_CLIENT_ID|JWT_|SERVER_)' > "${DOCKER_DIR}/.env" chmod 600 "${DOCKER_DIR}/.env" # Step 1: Ensure Docker network exists diff --git a/src/main/java/com/techfork/global/security/util/AppleClientSecretGenerator.java b/src/main/java/com/techfork/global/security/util/AppleClientSecretGenerator.java index 4e891ff5..e124318f 100644 --- a/src/main/java/com/techfork/global/security/util/AppleClientSecretGenerator.java +++ b/src/main/java/com/techfork/global/security/util/AppleClientSecretGenerator.java @@ -4,11 +4,11 @@ import io.jsonwebtoken.SignatureAlgorithm; import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Value; -import org.springframework.core.io.ClassPathResource; import org.springframework.stereotype.Component; import java.io.IOException; import java.nio.file.Files; +import java.nio.file.Paths; import java.security.KeyFactory; import java.security.PrivateKey; import java.security.spec.PKCS8EncodedKeySpec; 
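Review bot: The tightened `grep -E` in deploy.sh still prefix-matches, so `APPLE_TEAM_ID` also admits any later variable such as `APPLE_TEAM_ID_OLD`, and the broad `DB_|REDIS_|JWT_` groups would again copy any new secret under those prefixes into `.env`. Matching the three Apple names exactly, `APPLE_TEAM_ID=|APPLE_KEY_ID=|APPLE_CLIENT_ID=`, keeps the allowlist intent of this change. A comment above the line, `# APPLE_PRIVATE_KEY is deliberately excluded: the key is bind-mounted from ~/keys and must never land in .env`, records why the earlier `APPLE_` prefix was dropped.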
@@ -65,8 +65,7 @@ public String generateClientSecret() { */ private PrivateKey getPrivateKey() throws Exception { try { - ClassPathResource resource = new ClassPathResource(privateKeyPath); - String privateKeyContent = new String(Files.readAllBytes(resource.getFile().toPath())); + String privateKeyContent = new String(Files.readAllBytes(Paths.get(privateKeyPath))); // PEM 파일에서 헤더/푸터 제거 privateKeyContent = privateKeyContent diff --git a/src/main/resources/application-dev.yml b/src/main/resources/application-dev.yml index c74af667..9329f70d 100644 --- a/src/main/resources/application-dev.yml +++ b/src/main/resources/application-dev.yml @@ -42,4 +42,7 @@ logging: com.techfork: INFO org.springframework.batch: INFO org.hibernate.SQL: INFO - org.hibernate.type.descriptor.sql.BasicBinder: WARN \ No newline at end of file + org.hibernate.type.descriptor.sql.BasicBinder: WARN + +apple: + private-key-path: /app/keys/AuthKey_${APPLE_KEY_ID}.p8 \ No newline at end of file diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml index 7b32bb04..42e507d6 100644 --- a/src/main/resources/application.yml +++ b/src/main/resources/application.yml @@ -77,7 +77,7 @@ jwt: apple: team-id: ${APPLE_TEAM_ID} key-id: ${APPLE_KEY_ID} - private-key-path: ${APPLE_PRIVATE_KEY_PATH:keys/AppleAuthKey.p8} + private-key-path: keys/AppleAuthKey.p8 server: domain: ${SERVER_DOMAIN:localhost}
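Review bot: `Files.readAllBytes(Paths.get(privateKeyPath))` in getPrivateKey now resolves a relative `privateKeyPath` against the JVM working directory rather than the classpath, so the `keys/AppleAuthKey.p8` default from application.yml only works when the process is started from a directory that contains it, and a missing file surfaces as a NoSuchFileException inside the `try` whose catch lies outside this hunk. A readability check before the read gives a diagnosable error: `Path keyPath = Paths.get(privateKeyPath); if (!Files.isReadable(keyPath)) { throw new IllegalStateException("Apple private key not readable: " + keyPath.toAbsolutePath()); }` (with `java.nio.file.Path` imported). `new String(bytes)` also decodes with the platform default charset; `new String(Files.readAllBytes(keyPath), StandardCharsets.US_ASCII)` with the `java.nio.charset.StandardCharsets` import makes the PEM decoding deterministic. getPrivateKey continues past the end of the hunk.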
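Review bot: Dropping the `${APPLE_PRIVATE_KEY_PATH:...}` placeholder in application.yml means the `APPLE_PRIVATE_KEY_PATH` that all three compose files still export is ignored; only the dev profile (application-dev.yml in the preceding hunk) receives the new `/app/keys/AuthKey_${APPLE_KEY_ID}.p8`, so unless a prod or blue/green profile file outside this diff sets `apple.private-key-path`, those containers will look for the relative `keys/AppleAuthKey.p8` and fail to build the Apple client secret. Keeping the placeholder, `private-key-path: ${APPLE_PRIVATE_KEY_PATH:keys/AppleAuthKey.p8}`, honours the compose value in every profile and makes the application-dev.yml addition redundant. The application-dev.yml hunk also leaves the file without a trailing newline.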