[#30] Do not use the default secret when deploying the api-server

Added a script to generate random secret Updated Dockerfile to generate a random secret into .env Removed unused commands in Dockerfile Updated README Change stage name from BUILD_IMAGE to build-image in Dockerfile ref: https://docs.docker.com/reference/build-checks/stage-name-casing/
artemiscloud · Nov 18, 2024 · b13545d · b13545d
1 parent 646ea16
commit b13545d
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 9 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM registry.access.redhat.com/ubi8/nodejs-20:latest AS BUILD_IMAGE
+FROM registry.access.redhat.com/ubi8/nodejs-20:latest AS build-image
 
 ### BEGIN REMOTE SOURCE
 # Use the COPY instruction only inside the REMOTE SOURCE block
@@ -25,23 +25,19 @@ RUN yarn install  --network-timeout 1000000
 
 ## Build application
 RUN yarn build
+RUN NEWKEY=`/usr/src/app/jwt-key-gen.sh` && sed -i "s/^SECRET_ACCESS_TOKEN=.*/SECRET_ACCESS_TOKEN=$NEWKEY/" /usr/src/app/.env
 
 ## Gather productization dependencies
 RUN yarn install --network-timeout 1000000 --modules-folder node_modules_prod --production
 
 FROM registry.access.redhat.com/ubi8/nodejs-20-minimal:latest
 
-COPY --from=BUILD_IMAGE /usr/src/app/dist /usr/share/amq-spp/dist
-COPY --from=BUILD_IMAGE /usr/src/app/.env /usr/share/amq-spp/.env
-COPY --from=BUILD_IMAGE /usr/src/app/node_modules_prod /usr/share/amq-spp/node_modules
+COPY --from=build-image /usr/src/app/dist /usr/share/amq-spp/dist
+COPY --from=build-image /usr/src/app/.env /usr/share/amq-spp/.env
+COPY --from=build-image /usr/src/app/node_modules_prod /usr/share/amq-spp/node_modules
 
 WORKDIR /usr/share/amq-spp
 
-USER root
-
-RUN echo "node /usr/share/amq-spp/dist/app.js" > run.sh
-RUN chmod +x run.sh
-
 USER 1001
 
 ENV NODE_ENV=production

diff --git a/README.md b/README.md
@@ -59,3 +59,14 @@ To undeploy, run
 ```sh
 ./undeploy.sh
 ```
+
+### Notes about the JWT secret
+
+The api server uses SECRET_ACCESS_TOKEN env var to get the secret for generating
+jwt tokens. It has a default value in .env for dev purposes.
+
+In production you should override it with your own secret.
+
+The jwt-key-gen.sh is a tool to generate a random key and used in Dockerfile. 
+It makes sure when you build the api server image a new random key is used.
+
diff --git a/jwt-key-gen.sh b/jwt-key-gen.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env sh
+
+# generate a new jwt secret
+node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
+