add datadog certificate for java Dockerfile (#3265)

* add datadog certificate to keystore * for debugging: disable nondraft-pr condition * import the public cert into the truststore instead of keystore * validate api key and warn if invalid * move authentication check to a try/catch why: authentication check will throw a 403 if the key is invalid; and while that's informative, we don't want it to be grounds for the app to fail to start up * fix lint and typos * Revert "for debugging: disable nondraft-pr condition" This reverts commit 093e0e1. * update comment to note the certificate is public * oops. delete invalid script introduced in 47a842f while i was experimenting * restore method signature had modified while experimenting in this PR, but should be restored to show that the method may throw an Exception --------- Co-authored-by: Lisa Chung <[email protected]>
department-of-veterans-affairs · Aug 3, 2024 · 5157613 · 5157613
1 parent b046987
commit 5157613
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 2 deletions.
diff --git a/gradle-plugins/src/main/resources/docker/Dockerfile-java b/gradle-plugins/src/main/resources/docker/Dockerfile-java
@@ -6,7 +6,7 @@ FROM eclipse-temurin:17.0.10_7-jre-alpine
 
 # curl is needed for HEALTHCHECK
 # hadolint ignore=DL3018
-RUN apk add --no-cache curl sudo gcompat libxml2 && \
+RUN apk add --no-cache curl sudo gcompat libxml2 openssl && \
     apk upgrade --available
 
 WORKDIR /app
@@ -19,6 +19,13 @@ ARG JAR_FILE
 ENV JAR_FILENAME=${JAR_FILE}
 COPY ${JAR_FILE} fat.jar
 
+# add public datadog certificate to truststore
+RUN openssl s_client -showcerts -connect www.ddog-gov.com:443 2>&1 |\
+    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > temp.pem
+RUN openssl x509 -in temp.pem -out real.pem
+RUN keytool -importcert -alias ddog -file real.pem -cacerts -storepass changeit --noprompt
+RUN rm -f real.pem temp.pem
+
 RUN adduser --no-create-home --disabled-password tron
 RUN chmod +x ./*.sh && chown -R tron /app
 USER tron

diff --git a/svc-bip-api/src/main/java/gov/va/vro/bip/config/DatadogClientConfig.java b/svc-bip-api/src/main/java/gov/va/vro/bip/config/DatadogClientConfig.java
@@ -2,7 +2,9 @@
 
 import com.datadog.api.client.ApiClient;
 import com.datadog.api.client.RetryConfig;
+import com.datadog.api.client.v1.api.AuthenticationApi;
 import com.datadog.api.client.v1.api.MetricsApi;
+import com.datadog.api.client.v1.model.AuthenticationValidationResponse;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.context.properties.ConfigurationProperties;
@@ -51,13 +53,24 @@ public ApiClient apiClient() throws Exception {
         log.info("initialized Datadog API Client");
       } else {
         apiClient = ApiClient.getDefaultApiClient();
-        log.info("initializing default Datadog default API Client");
+        log.info("initializing default Datadog API Client");
       }
       apiClient.setRetry(new RetryConfig(true, 2, 2, 3));
     } catch (Exception e) {
       log.warn(String.format("error initializing Datadog API Client: %s", e.getMessage()));
       throw e;
     }
+
+    try {
+      AuthenticationValidationResponse authValidation =
+          (new AuthenticationApi(apiClient)).validate();
+      if (Boolean.FALSE.equals(authValidation.getValid())) {
+        throw new Exception("validation failed");
+      }
+    } catch (Exception e) {
+      log.warn(String.format("api key validation failed: %s", e.getMessage()));
+    }
+
     return apiClient;
   }
 }