feat(aio): support passing secrets as files to the docker container

aio/aio-builds-setup/dockerbuild/Dockerfile

@@ -6,22 +6,22 @@ LABEL name="angular.io PR preview" \
       vendor="Angular" \
       version="1.0"
 
+VOLUME /aio-secrets
 VOLUME /var/www/aio-builds
 
 EXPOSE 80 443
 
-ENV AIO_BUILDS_DIR=/var/www/aio-builds             TEST_AIO_BUILDS_DIR=/tmp/aio-builds              \
+ENV AIO_BUILDS_DIR=/var/www/aio-builds             TEST_AIO_BUILDS_DIR=/tmp/aio-builds         \
     AIO_DOMAIN_NAME=ngbuilds.io                    TEST_AIO_DOMAIN_NAME=test-ngbuilds.io       \
-    AIO_GITHUB_TOKEN=                              TEST_AIO_GITHUB_TOKEN=                           \
+    AIO_NGINX_HOSTNAME=nginx.localhost             TEST_AIO_NGINX_HOSTNAME=nginx.localhost     \
-    AIO_NGINX_HOSTNAME=nginx.localhost             TEST_AIO_NGINX_HOSTNAME=nginx.localhost          \
+    AIO_NGINX_PORT_HTTP=80                         TEST_AIO_NGINX_PORT_HTTP=8080               \
-    AIO_NGINX_PORT_HTTP=80                         TEST_AIO_NGINX_PORT_HTTP=8080                    \
+    AIO_NGINX_PORT_HTTPS=443                       TEST_AIO_NGINX_PORT_HTTPS=4433              \
-    AIO_NGINX_PORT_HTTPS=443                       TEST_AIO_NGINX_PORT_HTTPS=4433                   \
+    AIO_REPO_SLUG=angular/angular                  TEST_AIO_REPO_SLUG=                         \
-    AIO_REPO_SLUG=angular/angular                  TEST_AIO_REPO_SLUG=                              \
+    AIO_SCRIPTS_JS_DIR=/usr/share/aio-scripts-js                                               \
-    AIO_SCRIPTS_JS_DIR=/usr/share/aio-scripts-js                                                    \
+    AIO_SCRIPTS_SH_DIR=/usr/share/aio-scripts-sh                                               \
-    AIO_SCRIPTS_SH_DIR=/usr/share/aio-scripts-sh                                                    \
+    AIO_UPLOAD_HOSTNAME=upload.localhost           TEST_AIO_UPLOAD_HOSTNAME=upload.localhost   \
-    AIO_UPLOAD_HOSTNAME=upload.localhost           TEST_AIO_UPLOAD_HOSTNAME=upload.localhost        \
+    AIO_UPLOAD_MAX_SIZE=20971520                   TEST_AIO_UPLOAD_MAX_SIZE=20971520           \
-    AIO_UPLOAD_MAX_SIZE=20971520                   TEST_AIO_UPLOAD_MAX_SIZE=20971520                \
+    AIO_UPLOAD_PORT=3000                           TEST_AIO_UPLOAD_PORT=3001                   \
-    AIO_UPLOAD_PORT=3000                           TEST_AIO_UPLOAD_PORT=3001                        \
     NODE_ENV=production
 
 

aio/aio-builds-setup/dockerbuild/scripts-sh/upload-server-prod.sh

@@ -1,6 +1,10 @@
 #!/bin/bash
 set -e -o pipefail
 
+# Set up env variables for production
+export AIO_GITHUB_TOKEN=$(head -c -1 /aio-secrets/GITHUB_TOKEN 2>/dev/null)
+export AIO_PREVIEW_DEPLOYMENT_TOKEN=$(head -c -1 /aio-secrets/PREVIEW_DEPLOYMENT_TOKEN 2>/dev/null)
+
 # Start the upload-server instance
 # TODO(gkalpak): Ideally, the upload server should be run as a non-privileged user.
 #                (Currently, there doesn't seem to be a straight forward way.)

aio/aio-builds-setup/dockerbuild/scripts-sh/upload-server-test.sh

@@ -3,11 +3,13 @@ set -e -o pipefail
 
 # Set up env variables for testing
 export AIO_BUILDS_DIR=$TEST_AIO_BUILDS_DIR
-export AIO_GITHUB_TOKEN=$TEST_AIO_GITHUB_TOKEN
 export AIO_REPO_SLUG=$TEST_AIO_REPO_SLUG
 export AIO_UPLOAD_HOSTNAME=$TEST_AIO_UPLOAD_HOSTNAME
 export AIO_UPLOAD_PORT=$TEST_AIO_UPLOAD_PORT
 
+export AIO_GITHUB_TOKEN=$(head -c -1 /aio-secrets/TEST_GITHUB_TOKEN 2>/dev/null)
+export AIO_PREVIEW_DEPLOYMENT_TOKEN=$(head -c -1 /aio-secrets/TEST_PREVIEW_DEPLOYMENT_TOKEN 2>/dev/null)
+
 # Start the upload-server instance
 # TODO(gkalpak): Ideally, the upload server should be run as a non-privileged user.
 #                (Currently, there doesn't seem to be a straight forward way.)

aio/aio-builds-setup/docs/01. VM setup - Set up secrets.md

@@ -0,0 +1,44 @@
+# VM Setup - Set up secrets
+
+
+## Overview
+
+Necessary secrets:
+
+1. `GITHUB_TOKEN`
+   - Used for:
+     - Retrieving open PRs without rate-limiting.
+     - Retrieving PR author.
+     - Retrieving members of the `angular-core` team.
+     - Posting comments with preview links on PRs.
+
+2. `PREVIEW_DEPLOYMENT_TOKEN`
+   - Used for:
+     - Decoding the JWT tokens received with `/create-build` requests.
+
+**Note:**
+`TEST_GITHUB_TOKEN` and `TEST_PREVIEW_DEPLOYMENT_TOKEN` can also be created similar to their
+non-TEST counterparts and they will be loaded when running `aio-verify-setup`, but it currently not
+clear if/how they can be used in tests.
+
+
+## Create secrets
+
+1. `GITHUB_TOKEN`
+   - Visit https://github.com/settings/tokens.
+   - Generate new token with the `public_repo` scope.
+
+2. `PREVIEW_DEPLOYMENT_TOKEN`
+   - Just generate a hard-to-guess character sequence.
+   - Add it to `.travis.yml` under `addons -> jwt -> secure`.
+     Can be added automatically with: `travis encrypt --add addons.jwt PREVIEW_DEPLOYMENT_TOKEN=<access-key>`
+
+
+## Save secrets on the VM
+
+- `sudo mkdir /aio-secrets`
+- `sudo touch /aio-secrets/GITHUB_TOKEN`
+- Insert `<github-token>` into `/aio-secrets/GITHUB_TOKEN`.
+- `sudo touch /aio-secrets/PREVIEW_DEPLOYMENT_TOKEN`
+- Insert `<access-token>` into `/aio-secrets/PREVIEW_DEPLOYMENT_TOKEN`.
+- `sudo chmod 400 /aio-secrets/*`

aio/aio-builds-setup/docs/NOTES.md

@@ -1,5 +1,6 @@
 # VM Setup Instructions
 
+- Set up secrets (access tokens, passwords, etc)
 - Set up docker
 - Attach persistent disk
 - Build docker image (+ checkout repo)
@@ -18,6 +19,7 @@
      -p 80:80 \
      -p 443:443 \
     [-v <host-cert-dir>:/etc/ssl/localcerts:ro] \
+     -v <host-secrets-dir>:/aio-secrets:ro \
      -v <host-builds-dir>:/var/www/aio-builds \
      <name>[:<tag>]
   `