Allow passing into the crypto key via ASTRO_KEY #11879

Merged
merged 11 commits into from
Sep 6, 2024

@matthewp matthewp commented Aug 29, 2024

Changes

  • This makes it possible to pass in the cryptography used via the ASTRO_KEY environment variable.

  • This allows you to reuse the key in each build, ensuring that if you have separate server and client deployments, the keys are never out of sync.

  • Fixes Astro Islands fails with rolling update #11851

  • Keys are generated using the astro create-key command.

Testing

  • New E2E test

Docs

N/A

changeset-bot bot commented Aug 29, 2024

🦋 Changeset detected

Latest commit: c7c8cd8

The changes in this PR will be included in the next version bump.

@github-actions github-actions bot added the pkg: astro Related to the core `astro` package (scope) label Aug 29, 2024
@matthewp
Contributor Author

!preview crypto-env

@github-actions github-actions bot added the pr: preview This PR has a preview release label Aug 29, 2024
Contributor

Snapshots have been released for the following packages:

  • astro@experimental--crypto-env

@sasoria
Contributor

sasoria commented Aug 30, 2024

I've tested this at least five times by generating an AES-256 key and adding this to package.json:

"build": "ASTRO_KEY=MY_KEY astro build"

The application was then built with,

npm run build

and deployed to a Kubernetes cluster. I did not see any of the errors I've seen before during deploys, so this should fix the issue I had with rolling updates. Thank you for fixing this so quickly.

@matthewp
Contributor Author

Thanks @sasoria, I still need to write a test so this probably won't go out today.

@matthewp matthewp marked this pull request as ready for review September 3, 2024 13:44
if(!hasKey && opts.settings.config.experimental.serverIslands) {
this.logger.info('build', `This build generated a key to encrypt props passed to Server islands. To reuse the same key across builds, set this value as ASTRO_KEY in an environment variable on your build server.

ASTRO_KEY=${await encodeKey(await keyPromise)}
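
Review bot: the `this.logger.info('build', ...)` call interpolates `${await encodeKey(await keyPromise)}` into ordinary build output, so the key that encrypts props passed to Server islands ends up wherever build logs are stored or displayed. Suggest keeping the value out of the build's output entirely and moving key generation to an explicit command that the operator runs and captures deliberately, with the build only reading `ASTRO_KEY`. Minor style point: `if(!hasKey` is missing the space after `if`.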
Contributor

Is it safe to print this? I'd be worried it would show in public logs

Contributor Author
Ah yeah good point. Hm, I'm not sure what to do then. The only other way I can think to do this is with a new command. Something like astro generate-key or something.

Contributor Author
That's probably a better way to go. Will update the PR.

Contributor Author
New output is like:

Generated a key to encrypt props passed to Server islands. To reuse the same key across builds, set this value as ASTRO_KEY in an environment variable on your build server.

ASTRO_KEY=P90X3r0+nEqzystDC1pg01VS4s/+jINyDTYSNlEO0HQ=

Contributor
I like it. Not a blocker, but I wonder if it would make sense to write it to the user's .env if there isn't already one set.
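
A check a build pipeline could run around the concern raised in this thread, as an added example that is not part of the PR or of Astro's code: it validates that `ASTRO_KEY` has the shape of the sample value above and masks key-shaped values in captured build output. It assumes the key is base64 for 32 raw bytes; `decodeAstroKey`, `checkBuildEnv` and `redactKeys` are hypothetical names, and the sample log is constructed.

```javascript
// Added example, not Astro's code. Assumption: an ASTRO_KEY value is the base64
// encoding of 32 raw bytes (AES-256), as the sample value in the thread suggests.
const KEY_BYTES = 32;
const ASSIGNMENT = /ASTRO_KEY=([A-Za-z0-9+/]+={0,2})/g;

// Decode a candidate value; return the raw key bytes, or null when it is not
// canonical base64 for exactly 32 bytes.
function decodeAstroKey(value) {
  if (typeof value !== 'string' || !/^[A-Za-z0-9+/]+={0,2}$/.test(value)) return null;
  const raw = Buffer.from(value, 'base64');
  // Buffer decodes leniently, so re-encode to reject truncated or unpadded input.
  if (raw.length !== KEY_BYTES || raw.toString('base64') !== value) return null;
  return raw;
}

// Pre-build guard: report whether the variable is unset, well-formed or malformed,
// so a typo fails the pipeline instead of producing deployments with differing keys.
function checkBuildEnv(env) {
  if (env.ASTRO_KEY === undefined) return 'unset';
  return decodeAstroKey(env.ASTRO_KEY) ? 'ok' : 'malformed';
}

// Log hygiene: mask every key-shaped ASTRO_KEY assignment in captured output.
function redactKeys(logText) {
  let count = 0;
  const text = logText.replace(ASSIGNMENT, (match, value) => {
    if (!decodeAstroKey(value)) return match; // placeholder such as MY_KEY: keep
    count += 1;
    return 'ASTRO_KEY=[REDACTED]';
  });
  return { text, count };
}

// Constructed sample input: a throwaway key and three made-up log lines.
const sampleKey = Buffer.alloc(KEY_BYTES, 7).toString('base64');
const sampleLog = [
  '> ASTRO_KEY=MY_KEY astro build',
  'Generated a key to encrypt props passed to Server islands.',
  `ASTRO_KEY=${sampleKey}`,
].join('\n');

const result = redactKeys(sampleLog);
console.log(checkBuildEnv({ ASTRO_KEY: sampleKey }), result.count);
console.log(result.text);
```
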

@matthewp matthewp merged commit bd1d4aa into main Sep 6, 2024
14 checks passed
@matthewp matthewp deleted the key-reuse branch September 6, 2024 16:41