From 028b274750f509697406910ddcfdea7285181d86 Mon Sep 17 00:00:00 2001
From: Georgios Kalpakas
Date: Tue, 28 Feb 2017 21:09:44 +0200
Subject: [PATCH] feat(aio): support passing secrets as files to the docker container
---
 aio/aio-builds-setup/dockerbuild/Dockerfile | 22 +++++-----
 .../scripts-sh/upload-server-prod.sh | 4 ++
 .../scripts-sh/upload-server-test.sh | 4 +-
 .../docs/01. VM setup - Set up secrets.md | 44 +++++++++++++++++++
 ...ker.md => 02. VM setup - Set up docker.md} | 0
 ... 03. VM setup - Attach persistent disk.md} | 0
 aio/aio-builds-setup/docs/NOTES.md | 2 +
 7 files changed, 64 insertions(+), 12 deletions(-)
 mode change 100644 => 100755 aio/aio-builds-setup/dockerbuild/scripts-sh/upload-server-prod.sh
 create mode 100644 aio/aio-builds-setup/docs/01. VM setup - Set up secrets.md
 rename aio/aio-builds-setup/docs/{01. VM setup - Set up docker.md => 02. VM setup - Set up docker.md} (100%)
 rename aio/aio-builds-setup/docs/{02. VM setup - Attach persistent disk.md => 03. VM setup - Attach persistent disk.md} (100%)
diff --git a/aio/aio-builds-setup/dockerbuild/Dockerfile b/aio/aio-builds-setup/dockerbuild/Dockerfile
index 3d8469a606..0fcfc6e2da 100644
--- a/aio/aio-builds-setup/dockerbuild/Dockerfile
+++ b/aio/aio-builds-setup/dockerbuild/Dockerfile
@@ -6,22 +6,22 @@ LABEL name="angular.io PR preview" \
 vendor="Angular" \
 version="1.0"
+VOLUME /aio-secrets
 VOLUME /var/www/aio-builds
 EXPOSE 80 443
-ENV AIO_BUILDS_DIR=/var/www/aio-builds TEST_AIO_BUILDS_DIR=/tmp/aio-builds \
+ENV AIO_BUILDS_DIR=/var/www/aio-builds TEST_AIO_BUILDS_DIR=/tmp/aio-builds \
 AIO_DOMAIN_NAME=ngbuilds.io TEST_AIO_DOMAIN_NAME=test-ngbuilds.io \
- AIO_GITHUB_TOKEN= TEST_AIO_GITHUB_TOKEN= \
- AIO_NGINX_HOSTNAME=nginx.localhost TEST_AIO_NGINX_HOSTNAME=nginx.localhost \
- AIO_NGINX_PORT_HTTP=80 TEST_AIO_NGINX_PORT_HTTP=8080 \
- AIO_NGINX_PORT_HTTPS=443 TEST_AIO_NGINX_PORT_HTTPS=4433 \
- AIO_REPO_SLUG=angular/angular TEST_AIO_REPO_SLUG= \
- AIO_SCRIPTS_JS_DIR=/usr/share/aio-scripts-js \
- AIO_SCRIPTS_SH_DIR=/usr/share/aio-scripts-sh \
- AIO_UPLOAD_HOSTNAME=upload.localhost TEST_AIO_UPLOAD_HOSTNAME=upload.localhost \
- AIO_UPLOAD_MAX_SIZE=20971520 TEST_AIO_UPLOAD_MAX_SIZE=20971520 \
- AIO_UPLOAD_PORT=3000 TEST_AIO_UPLOAD_PORT=3001 \
+ AIO_NGINX_HOSTNAME=nginx.localhost TEST_AIO_NGINX_HOSTNAME=nginx.localhost \
+ AIO_NGINX_PORT_HTTP=80 TEST_AIO_NGINX_PORT_HTTP=8080 \
+ AIO_NGINX_PORT_HTTPS=443 TEST_AIO_NGINX_PORT_HTTPS=4433 \
+ AIO_REPO_SLUG=angular/angular TEST_AIO_REPO_SLUG= \
+ AIO_SCRIPTS_JS_DIR=/usr/share/aio-scripts-js \
+ AIO_SCRIPTS_SH_DIR=/usr/share/aio-scripts-sh \
+ AIO_UPLOAD_HOSTNAME=upload.localhost TEST_AIO_UPLOAD_HOSTNAME=upload.localhost \
+ AIO_UPLOAD_MAX_SIZE=20971520 TEST_AIO_UPLOAD_MAX_SIZE=20971520 \
+ AIO_UPLOAD_PORT=3000 TEST_AIO_UPLOAD_PORT=3001 \
 NODE_ENV=production
diff --git a/aio/aio-builds-setup/dockerbuild/scripts-sh/upload-server-prod.sh b/aio/aio-builds-setup/dockerbuild/scripts-sh/upload-server-prod.sh
old mode 100644
new mode 100755
index ac153b9763..b660d2da5c
--- a/aio/aio-builds-setup/dockerbuild/scripts-sh/upload-server-prod.sh
+++ b/aio/aio-builds-setup/dockerbuild/scripts-sh/upload-server-prod.sh
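Review bot: The new `VOLUME /aio-secrets` line carries no comment, although the file names expected under that path (`GITHUB_TOKEN`, `PREVIEW_DEPLOYMENT_TOKEN` and their `TEST_`-prefixed variants, read by the two startup scripts in this commit) are now the contract between the host and the container, and a reader of the Dockerfile alone cannot tell that the volume must be populated before the container starts. I would add above it `# Secret files are read from this directory at container start; mount the host directory read-only (see docs/01. VM setup - Set up secrets.md).` As far as I can tell, a container started without a `-v` for this path gets an empty anonymous volume, so the startup scripts then read empty tokens; the same comment is the place to state that.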
@@ -1,6 +1,10 @@
 #!/bin/bash
 set -e -o pipefail
+# Set up env variables for production
+export AIO_GITHUB_TOKEN=$(head -c -1 /aio-secrets/GITHUB_TOKEN 2>/dev/null)
+export AIO_PREVIEW_DEPLOYMENT_TOKEN=$(head -c -1 /aio-secrets/PREVIEW_DEPLOYMENT_TOKEN 2>/dev/null)
+
 # Start the upload-server instance
 # TODO(gkalpak): Ideally, the upload server should be run as a non-privileged user.
 # (Currently, there doesn't seem to be a straight forward way.)
diff --git a/aio/aio-builds-setup/dockerbuild/scripts-sh/upload-server-test.sh b/aio/aio-builds-setup/dockerbuild/scripts-sh/upload-server-test.sh
index f7d93f14f2..c02da29551 100644
--- a/aio/aio-builds-setup/dockerbuild/scripts-sh/upload-server-test.sh
+++ b/aio/aio-builds-setup/dockerbuild/scripts-sh/upload-server-test.sh
@@ -3,11 +3,13 @@ set -e -o pipefail
 # Set up env variables for testing
 export AIO_BUILDS_DIR=$TEST_AIO_BUILDS_DIR
-export AIO_GITHUB_TOKEN=$TEST_AIO_GITHUB_TOKEN
 export AIO_REPO_SLUG=$TEST_AIO_REPO_SLUG
 export AIO_UPLOAD_HOSTNAME=$TEST_AIO_UPLOAD_HOSTNAME
 export AIO_UPLOAD_PORT=$TEST_AIO_UPLOAD_PORT
+export AIO_GITHUB_TOKEN=$(head -c -1 /aio-secrets/TEST_GITHUB_TOKEN 2>/dev/null)
+export AIO_PREVIEW_DEPLOYMENT_TOKEN=$(head -c -1 /aio-secrets/TEST_PREVIEW_DEPLOYMENT_TOKEN 2>/dev/null)
+
 # Start the upload-server instance
 # TODO(gkalpak): Ideally, the upload server should be run as a non-privileged user.
 # (Currently, there doesn't seem to be a straight forward way.)
diff --git a/aio/aio-builds-setup/docs/01. VM setup - Set up secrets.md b/aio/aio-builds-setup/docs/01. VM setup - Set up secrets.md
new file mode 100644
index 0000000000..b9d73bd722
--- /dev/null
+++ b/aio/aio-builds-setup/docs/01. VM setup - Set up secrets.md
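Review bot: The two new `export` lines in upload-server-prod.sh read each secret with `head -c -1`, which unconditionally discards the last byte of the file; that is only correct when the file ends with a newline, and the setup document added in this commit merely says to insert the token into the file, so a file written without a trailing newline (e.g. by `printf` or an editor that does not add one) silently loses the final character of the token. The `2>/dev/null` combined with the command substitution inside an `export` assignment also means a missing or unreadable `/aio-secrets/GITHUB_TOKEN` does not trip `set -e` — `export` returns 0 regardless of the substituted command — so the production server starts with an empty token and the failure only shows up later. I would read the files with `$(< …)`, which strips only trailing newlines, and fail fast when a required secret file is absent or empty; the document lists `PREVIEW_DEPLOYMENT_TOKEN` as necessary too, so the same guard applies to both. The same `head -c -1` truncation is in the upload-server-test.sh hunk; there the silent fallback to an empty value may be intended, since the document says the `TEST_` files are optional, so only the read form needs to change in that file. The command that actually starts the server is below this hunk.
```shell
# Set up env variables for production
# Both secrets are required in production; abort before starting the server
# rather than running with an empty token.
for secret_file in /aio-secrets/GITHUB_TOKEN /aio-secrets/PREVIEW_DEPLOYMENT_TOKEN; do
  [[ -s "$secret_file" ]] || { echo "Missing or empty secret file: $secret_file" >&2; exit 1; }
done
export AIO_GITHUB_TOKEN=$(< /aio-secrets/GITHUB_TOKEN)
export AIO_PREVIEW_DEPLOYMENT_TOKEN=$(< /aio-secrets/PREVIEW_DEPLOYMENT_TOKEN)
# … unchanged: comments and server start …
```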
@@ -0,0 +1,44 @@
+# VM Setup - Set up secrets
+
+
+## Overview
+
+Necessary secrets:
+
+1. `GITHUB_TOKEN`
+ - Used for:
+ - Retrieving open PRs without rate-limiting.
+ - Retrieving PR author.
+ - Retrieving members of the `angular-core` team.
+ - Posting comments with preview links on PRs.
+
+2. `PREVIEW_DEPLOYMENT_TOKEN`
+ - Used for:
+ - Decoding the JWT tokens received with `/create-build` requests.
+
+**Note:**
+`TEST_GITHUB_TOKEN` and `TEST_PREVIEW_DEPLOYMENT_TOKEN` can also be created similar to their
+non-TEST counterparts and they will be loaded when running `aio-verify-setup`, but it currently not
+clear if/how they can be used in tests.
+
+
+## Create secrets
+
+1. `GITHUB_TOKEN`
+ - Visit https://github.com/settings/tokens.
+ - Generate new token with the `public_repo` scope.
+
+2. `PREVIEW_DEPLOYMENT_TOKEN`
+ - Just generate a hard-to-guess character sequence.
+ - Add it to `.travis.yml` under `addons -> jwt -> secure`.
+ Can be added automatically with: `travis encrypt --add addons.jwt PREVIEW_DEPLOYMENT_TOKEN=`
+
+
+## Save secrets on the VM
+
+- `sudo mkdir /aio-secrets`
+- `sudo touch /aio-secrets/GITHUB_TOKEN`
+- Insert `` into `/aio-secrets/GITHUB_TOKEN`.
+- `sudo touch /aio-secrets/PREVIEW_DEPLOYMENT_TOKEN`
+- Insert `` into `/aio-secrets/PREVIEW_DEPLOYMENT_TOKEN`.
+- `sudo chmod 400 /aio-secrets/*`
diff --git a/aio/aio-builds-setup/docs/01. VM setup - Set up docker.md b/aio/aio-builds-setup/docs/02. VM setup - Set up docker.md
similarity index 100%
rename from aio/aio-builds-setup/docs/01. VM setup - Set up docker.md
rename to aio/aio-builds-setup/docs/02. VM setup - Set up docker.md
diff --git a/aio/aio-builds-setup/docs/02. VM setup - Attach persistent disk.md b/aio/aio-builds-setup/docs/03. VM setup - Attach persistent disk.md
similarity index 100%
rename from aio/aio-builds-setup/docs/02. VM setup - Attach persistent disk.md
rename to aio/aio-builds-setup/docs/03. VM setup - Attach persistent disk.md
diff --git a/aio/aio-builds-setup/docs/NOTES.md b/aio/aio-builds-setup/docs/NOTES.md
index d4f4c1246f..05d640b048 100644
--- a/aio/aio-builds-setup/docs/NOTES.md
+++ b/aio/aio-builds-setup/docs/NOTES.md
@@ -1,5 +1,6 @@
 # VM Setup Instructions
+- Set up secrets (access tokens, passwords, etc)
 - Set up docker
 - Attach persistent disk
 - Build docker image (+ checkout repo)
@@ -18,6 +19,7 @@
 -p 80:80 \
 -p 443:443 \
 [-v :/etc/ssl/localcerts:ro] \
+ -v :/aio-secrets:ro \
 -v :/var/www/aio-builds \
 [:]
 `