Build: Make access key a run-time ENV instead of build-time ARG

Krinkle · Krinkle · commit a88e7de0ea25 · 2021-08-22T20:48:20.000+01:00
This has a number of benefits: * Easier and more confident testing (the same image is tested and can then be deployed the same way). * No rebuild is needed to change between the modes, which allows for faster recovery and avoids e.g. having to accept new commits or changes to upstream base images as part of a rebuild when all you want is to switch modes. * The resulting image contains no private information, thus safe to publish to a public container registry. As example, I've enabled publishing to GitHub's ghcr.io registry, for use in another experiment. This can be removed later if we don't need it. Ref https://github.com/jquery/infrastructure/issues/474.
diff --git a/.github/workflows/CI.yaml b/.github/workflows/CI.yaml
@@ -1,47 +1,37 @@
 name: CI
 on:
-  # Manually
   workflow_dispatch:
-  # Note that we deploy regularly from main.
-  # To test ahead of time, push to a new branch first, or open a PR.
   push:
   pull_request:
 
 jobs:
-  docker-test-dev:
+  docker-test:
     # Includes PHP 7.4, Python 3, Node 14
     # https://github.com/actions/virtual-environments/blob/ubuntu20/20210816.1/images/linux/Ubuntu2004-README.md
     runs-on: ubuntu-20.04
     steps:
       - uses: actions/checkout@v2
 
       - name: Build the image
-        run: docker build -t codeorigin-dev:$GITHUB_SHA ./
+        run: docker build -t codeorigin ./
 
-      - name: Test the container
+      - name: Test the container in open mode
         run: |
-          docker run --rm -p 4000:80/tcp --detach codeorigin-dev:$GITHUB_SHA
+          docker run --rm -p 4000:80/tcp --detach codeorigin
           # The first error is "Empty reply from server", which curl
           # considers an HTTP failure rather than a connection or network failure.
           # once GitHub's images come with curl 7.71.0+, use --retry-all-errors
           # instead of hardcoded sleep. --krinkle 2021-08-21
-          sleep 1
-          curl -f --retry 5 --retry-delay 1 --retry-connrefused -I http://127.0.0.1:4000/jquery-3.0.0.js
-          php test/static-dev.php
+          sleep 2
+          curl -f --retry 5 --retry-delay 1 --retry-connrefused -I http://localhost:4000/jquery-3.0.0.js
+          php test/static-open.php
+          docker kill $(docker ps -q -f ancestor=codeorigin)
 
-  docker-test-strict:
-    runs-on: ubuntu-20.04
-    env:
-      CDN_ACCESS_KEY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Build the image
-        run: docker build -t codeorigin-strict:$GITHUB_SHA --build-arg "CDN_ACCESS_KEY=$CDN_ACCESS_KEY" ./
-
-      - name: Test the container
+      - name: Test the container in strict mode
+        env:
+          CDN_ACCESS_KEY: aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbccccccccccccccccdddddddddddddddd
         run: |
-          docker run --rm -p 4000:80/tcp --detach codeorigin-strict:$GITHUB_SHA
-          sleep 1
-          curl -f --retry 5 --retry-delay 1 --retry-connrefused -I http://127.0.0.1:4000/jquery-3.0.0.js
+          docker run --rm -p 4000:80/tcp -e "CDN_ACCESS_KEY=$CDN_ACCESS_KEY" --detach codeorigin
+          sleep 2
+          curl -f --retry 5 --retry-delay 1 --retry-connrefused -I http://localhost:4000/jquery-3.0.0.js
           php test/static-strict.php
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
@@ -0,0 +1,44 @@
+name: deploy
+on:
+  # On commit to the main branch
+  push:
+    branches:
+      - main
+
+jobs:
+  docker-push:
+    # For included software, refer to:
+    # https://github.com/actions/virtual-environments/blob/ubuntu20/20210816.1/images/linux/Ubuntu2004-README.md
+    runs-on: ubuntu-20.04
+    # https://docs.github.com/en/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token
+    permissions:
+      packages: write
+    env:
+      IMAGE_NAME: codeorigin
+      IMAGE_ID: ghcr.io/jquery/codeorigin
+      IMAGE_VERSION: ${{ github.sha }}
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Build the image
+        run: docker build -t ${{ env.IMAGE_NAME }} ./
+
+      - name: Test the container
+        run: |
+          docker run --rm -p 4000:80/tcp --detach ${{ env.IMAGE_NAME }}
+          sleep 2
+          curl -f --retry 5 --retry-delay 1 --retry-connrefused -I http://127.0.0.1:4000/jquery-3.0.0.js
+          php test/static-open.php
+
+      # https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#upgrading-a-workflow-that-accesses-ghcrio
+      - name: Login to Container Registry
+        run: |
+          echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
+
+      # https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#upgrading-a-workflow-that-accesses-ghcrio
+      - name: Publish image to Container Registry
+        run: |
+          docker tag $IMAGE_NAME $IMAGE_ID:$IMAGE_VERSION
+          docker tag $IMAGE_NAME $IMAGE_ID:latest
+          docker push $IMAGE_ID:$IMAGE_VERSION
+          docker push $IMAGE_ID:latest
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
 # Allow patch updates
 # https://hub.docker.com/_/nginx/
-FROM nginx:1-alpine
+FROM nginx:1.21.1-alpine
 
 RUN apk add vim openrc
 
@@ -35,23 +35,12 @@ COPY cdn/ /var/www/cdn/
 RUN find /var/www/cdn/ -type f -print0 | TZ=UTC xargs -0 -P 4 -n 50 touch --date='1991-10-18 12:00:00' {} +
 
 # Define the environment variable that will be used in the origin pull magic header
-ARG CDN_ACCESS_KEY=''
+# Set this via `docker run`
+ENV CDN_ACCESS_KEY=''
 
 # Copy in the necessary config files
 COPY cfg/vimrc /etc/vim/vimrc
-COPY cfg/default.conf /etc/nginx/conf.d/default.conf
-
-# If the CDN_ACCESS_KEY environment variable is *not* set, operate in "break glass" mode where the
-# container serves files without restriction. Otherwise, it responds with redirects to requests
-# that don't carry an x-cdn-access request header with the correct key.
-#
-# Note: We're substituting the config file because nginx does not currently have a way to
-# access environment variables without significant workarounds.
-RUN if [ -n "$CDN_ACCESS_KEY" ]; then \
-    sed -i s/CDN_ACCESS_KEY_PLACEHOLDER/$CDN_ACCESS_KEY/g /etc/nginx/conf.d/default.conf; \
-  else \
-    sed -i s/^.*REQUIRE_XCDNACCESS$//g /etc/nginx/conf.d/default.conf; \
-  fi
+COPY cfg/default.conf /etc/nginx/templates/default.conf.template
 
 EXPOSE 80
 
diff --git a/README.md b/README.md
@@ -17,12 +17,20 @@ Prerequisites:
 
 ### Local development
 
-**Test the container**:
+**Build the image**:
+
+Build the image, by running the following in a clone of this repo:
+
+```
+docker build -t codeorigin ./
+```
+
+**Test the container in open mode**:
 
-1. Build the image, by running in a clone of this repo:
-   `docker build -t codeorigin-dev ./`
 1. Start a container, exposing port 80:
-   `docker run --rm -p 4000:80/tcp codeorigin-dev`
+   ```
+   docker run --rm -p 4000:80/tcp codeorigin
+   ```
 1. The site is now running at <http://localhost:4000/jquery-3.0.0.js>.
    To stop the container, press `ctrl+c`
 
@@ -32,22 +40,33 @@ Run it with a shell entrypoint and set interactive/tty mode by adding the parame
 Note that when inspecting the container, nginx will not be started.
 
 ```
-docker run --rm -p 4000:80/tcp -i -t --entrypoint /bin/sh codeorigin-dev
+docker run --rm -p 4000:80/tcp -it --entrypoint /bin/sh codeorigin
+
+# /docker-entrypoint.d/20-envsubst-on-templates.sh 3>&1
+...
+# cat /etc/nginx/conf.d/default.conf
+...
+```
+
+Inspect restricted mode:
+
+```
+docker run --rm -p 4000:80/tcp -e "CDN_ACCESS_KEY=$CDN_ACCESS_KEY" -it --entrypoint /bin/sh codeorigin
 ```
 
 **Debug nginx**:
 
-In `cfg/defualt.cong`, change `error_log … crit` to `error_log … debug` and then build+run as usual.
+In `cfg/defualt.conf`, change `error_log … crit` to `error_log … debug` and then build+run as usual.
 
 **Test the container in restricted mode**:
 
 There is a restricted mode, which responds to unauthorized static file requests with a redirect instead of serving files.
 
 1. Run `export CDN_ACCESS_KEY="$(openssl rand -hex 32)"`
-1. Build the image, by running in a clone of this repo:
-   `docker build -t codeorigin-strict --build-arg "CDN_ACCESS_KEY=$CDN_ACCESS_KEY" ./`
-1. Start a container, exposing port 80:
-   `docker run --rm -p 4000:80/tcp codeorigin-strict`
+1. Start a container, exposing port 80, and given the environment variable:
+   ```
+   docker run --rm -p 4000:80/tcp -e "CDN_ACCESS_KEY=$CDN_ACCESS_KEY" codeorigin
+   ````
 1. The site is now running at <http://localhost:4000/jquery-3.0.0.js>.
    To stop the container, press `ctrl+c`
 
@@ -60,7 +79,7 @@ In the restricted mode:
 ### Production deployment
 
 1. First, generate a CDN access key: `openssl rand -hex 32`.
-1. At a hosting platform of your choosing, build a container from the Dockerfile in this repository, and pass the CDN access key as build arguments.
+1. At a hosting platform of your choosing, build or pull the container, and pass the CDN access key as run environment variable.
 1. Finally, configure the CDN to use the container address as its origin, with special handling to augment origin pulls with a `Host: code.jquery.com` header, and a `x-cdn-access` header with the access key.
 
 ### In case of emergency
diff --git a/cfg/default.conf b/cfg/default.conf
@@ -15,8 +15,25 @@
 # Increase map_hash_bucket_size to accommodate longer CDN tokens
 map_hash_bucket_size 128;
 
-# Do not change the following line. The Dockerfile will insert the access key or remove the line.
-map $http_x_cdn_access $reroute_to_cdn { default 1; CDN_ACCESS_KEY_PLACEHOLDER 0; } #REQUIRE_XCDNACCESS
+# If the CDN_ACCESS_KEY environment variable is *not* set, operate in "break glass" mode where the
+# container openly serves files without restriction. Otherwise, it responds with redirects to requests
+# that don't carry a matching x-cdn-access request header.
+#
+# NOTE: We're using the "envsubst" feature that comes with docker-nginx because nginx does not
+# currently have a way to access environment variables without significant workarounds.
+# This is interpreted at run-time just before the server starts.
+#
+# This is preferred over substitution at build-time in Dockerfile as that would put the
+# credentials inside the image, making it unsuitable to push to a public container registry.
+map "${CDN_ACCESS_KEY}" $origin_mode {
+    ""                  open;
+    default             key;
+}
+map $origin_mode  $key_input { key $http_x_cdn_access; default none; }
+map $origin_mode  $key_expect {
+    key           "${CDN_ACCESS_KEY}";
+    default       none;
+}
 
 server {
   listen        80;
@@ -60,10 +77,8 @@ server {
     # Applies to charset_types (mainly for JS and CSS)
     charset utf-8;
 
-    # Let rerouting responses be cached for a shorter time for fast recovery
-    #
-    # Do not change the following line. The Dockerfile will remove the line if needed.
-    if ($reroute_to_cdn) { expires 5m; return 301 https://code.jquery.com$uri; } #REQUIRE_XCDNACCESS
+    # Let rerouting responses be cached for a shorter time for faster recovery from mistakes
+    if ($key_expect != $key_input) { expires 5m; return 302 https://code.jquery.com$uri; }
   }
 
   # Legacy redirects for renamed files
diff --git a/test/static-open.php b/test/static-open.php
@@ -2,9 +2,9 @@
 /**
  * Usage:
  *
- *     $ php test/static-dev.php
+ *     $ php test/static-open.php
  *
- *     $ php test/static-dev.php "localhost:4000"
+ *     $ php test/static-open.php "localhost:4000"
  */
 
 require_once __DIR__ . '/Unit.php';
@@ -80,6 +80,25 @@
 	'accept-ranges' => 'bytes',
 ] );
 
+// Static asset with a key when no key is required
+
+Unit::testHttp( $server, '/jquery-3.0.0.js', [
+	"x-cdn-access: there-is-no-spoon"
+], [
+	'status' => '200 OK',
+	'server' => 'nginx',
+	'content-type' => 'application/javascript; charset=utf-8',
+	'content-length' => '263268',
+	'last-modified' => 'Fri, 18 Oct 1991 12:00:00 GMT',
+	'connection' => 'keep-alive',
+	'vary' => 'Accept-Encoding, x-cdn-access',
+	'etag' => '"28feccc0-40464"',
+	'expires' => 'Thu, 31 Dec 2037 23:55:55 GMT',
+	'cache-control' => 'max-age=315360000, public, no-transform',
+	'access-control-allow-origin' => '*',
+	'accept-ranges' => 'bytes',
+] );
+
 // Renamed files
 
 Unit::testHttp( $server, '/jquery-git2.js', [], [
diff --git a/test/static-strict.php b/test/static-strict.php
@@ -27,7 +27,7 @@
 	'location' => 'https://releases.jquery.com/',
 ] );
 
-// Static asset with key
+// Static asset with correct key
 
 Unit::testHttp( $server, '/jquery-3.0.0.js', [
 	"x-cdn-access: $key"
@@ -46,10 +46,23 @@
 	'accept-ranges' => 'bytes',
 ] );
 
-// Static asset without key
+// Reroute asset without key
 
 Unit::testHttp( $server, '/jquery-3.0.0.js', [], [
-	'status' => '301 Moved Permanently',
+	'status' => '302 Moved Temporarily',
+	'server' => 'nginx',
+	'location' => 'https://code.jquery.com/jquery-3.0.0.js',
+	'vary' => 'x-cdn-access',
+	'cache-control' => 'max-age=300, public, no-transform',
+	'access-control-allow-origin' => '*',
+] );
+
+// Reroute asset with incorrect key
+
+Unit::testHttp( $server, '/jquery-3.0.0.js', [
+	"x-cdn-access: there-is-no-spoon"
+], [
+	'status' => '302 Moved Temporarily',
 	'server' => 'nginx',
 	'location' => 'https://code.jquery.com/jquery-3.0.0.js',
 	'vary' => 'x-cdn-access',
