Build Rails app for production environment

.gitignore

@@ -7,3 +7,4 @@
 # ruby-on-rails
 **/ruby-on-rails/tmp
 **/ruby-on-rails/log
+master.key

sample-apps/manual-instrumentation/ruby-on-rails/Dockerfile

@@ -8,4 +8,11 @@ RUN bundle install
 
 ENV HOME=/
 
+ENV RACK_ENV=production
+
+# DO NOT follow this pattern of committing your master key into source code.
+# This is just required to run a `production` rails app.
+
+ENV RAILS_MASTER_KEY=e6780fe49c28c60ed2b594459981580c
+
 CMD rails server

sample-apps/manual-instrumentation/ruby-on-rails/README.md

@@ -30,6 +30,40 @@ Sending metrics to Amazon CloudWatch is not yet validated. Check out the [OpenTe
 
 ## Application structure
 
-Although this app was created with the `ruby new ruby-on-rails --minimal` command, it has been even further stripped down to focus on the OpenTelemetry changes needed to get tracing in this ruby on rails app.
+This section describes the decisions made when designing the sample apps instrumented with ADOT Ruby.
+
+### A minimal app
+
+Although this app was created with the `rails new ruby-on-rails --minimal` command, it has been even further stripped down to focus on the OpenTelemetry changes needed to get tracing in this ruby on rails app.
 
 The changes needed to trace with OpenTelemetry are found in [sample-apps/manual-instrumentation/ruby-on-rails/config/initializers/opentelemetry.rb](sample-apps/manual-instrumentation/ruby-on-rails/config/initializers/opentelemetry.rb).
+
+### Running the app in `production` for tests
+
+We build our application for a `production` environment because of https://github.com/aws-observability/aws-otel-ruby/pull/10.
+
+However, to allow for a `production` environment, the rails app requires a "secret_base_key". Otherwise it will flood the log output with warnings thereby hiding useful logs.
+
+To solve this, we added **dummy credentials** which don't do anything. Because this is an example, **we directly commit the security credentials in the Dockerfile** but this is **NOT GOOD PRACTICE FOR REAL PRODUCTION ENVIRONMENTS**. We allow it to be like this because we want this demo to work out-of-the-box for any public user.
+
+You can confirm the credentials work and view the encrypted contents of the sample app by doing the following command:
+
+```bash
+$ cd sample-apps/manual-instrumentation/ruby-on-rails
+$ RAILS_MASTER_KEY=<KEY_IN_SAMPLE-APP_DOCKERFILE> bin/rails credentials:edit
+```
+
+This will show the following contents:
+
+```yaml
+# NOTE: DO NOT USE THIS IN PRODUCTION ENVIRONMENTS, WE ONLY SET THIS TO SIMULATE A REAL RAILS APP.
+
+# Used as the base secret for all MessageVerifiers in Rails, including the one protecting cookies.
+secret_key_base: DO_NOT_STORE_A_SECRET_THIS_IS_JUST_FOR_AN_EXAMPLE
+```
+
+We cannot use something like `RAILS_MASTER_KEY=DUMMY_KEY` because the rails app would fail to start in the test with the following message:
+
+```yaml
+app_1 | 2022-02-04 22:18:51 +0000 Rack app ("GET /outgoing-http-call" - (172.18.0.4)): #<ActiveSupport::MessageEncryptor::InvalidMessage: ActiveSupport::MessageEncryptor::InvalidMessage>
+```

sample-apps/manual-instrumentation/ruby-on-rails/config/credentials.yml.enc

@@ -0,0 +1 @@
+HuW+UqYwDMY5cxouXkoD+0COlk6eGJv5s3evlSyjOzw0NT1aFarbTaDpHhxiPfB2IrZ/hD7yMg7MvcFU9S5KxlJABOSK5jBQ9eZV2BQcW6/vJsPca4dntwTuf6wDbD6YVFnsF5MJ1lDjUjNy4SGrxsxwqUhx73fZIfbllNais2lV5uGAgIpGQA6x/DPZ2QOcTYd46tMdz7TxHyv9vWIgJensUMZoQ5L2+vlXhHRJ3XVoM+Dz2AU3ubll95gglTOd33BqEbUcen5VvdYB49ugg8WE+7mayC9DTzsLkOe72Vbw7T2m5KXJzsR+ZesSFaW+oJQaeDseHRM0kHfHqdk9Nr3dpaLQXdWG93uap2rh+pw=--koERuqkTE0/631gF--1ZFLVbmAiutXQs+cTnTlAA==

sample-apps/manual-instrumentation/ruby-on-rails/config/environments/production.rb

@@ -18,7 +18,7 @@
 
   # Ensures that a master key has been made available in either ENV['RAILS_MASTER_KEY']
   # or in config/master.key. This key is used to decrypt credentials (and other encrypted files).
-  # config.require_master_key = true
+  config.require_master_key = true
 
   # Disable serving static files from the `/public` folder by default since
   # Apache or NGINX already handles this.