kamal 0.16.0

data/lib/kamal/configuration/ssh.rb

@@ -0,0 +1,38 @@
+class Kamal::Configuration::Ssh
+  LOGGER = ::Logger.new(STDERR)
+
+  def initialize(config:)
+    @config = config.raw_config.ssh || {}
+  end
+
+  def user
+    config.fetch("user", "root")
+  end
+
+  def proxy
+    if (proxy = config["proxy"])
+      Net::SSH::Proxy::Jump.new(proxy.include?("@") ? proxy : "root@#{proxy}")
+    elsif (proxy_command = config["proxy_command"])
+      Net::SSH::Proxy::Command.new(proxy_command)
+    end
+  end
+
+  def options
+    { user: user, proxy: proxy, auth_methods: [ "publickey" ], logger: logger, keepalive: true, keepalive_interval: 30 }.compact
+  end
+
+  def to_h
+    options.except(:logger).merge(log_level: log_level)
+  end
+
+  private
+    attr_accessor :config
+
+    def logger
+      LOGGER.tap { |logger| logger.level = log_level }
+    end
+
+    def log_level
+      config.fetch("log_level", :fatal)
+    end
+end

data/lib/kamal/configuration/sshkit.rb

@@ -0,0 +1,20 @@
+class Kamal::Configuration::Sshkit
+  def initialize(config:)
+    @options = config.raw_config.sshkit || {}
+  end
+
+  def max_concurrent_starts
+    options.fetch("max_concurrent_starts", 30)
+  end
+
+  def pool_idle_timeout
+    options.fetch("pool_idle_timeout", 900)
+  end
+
+  def to_h
+    options
+  end
+
+  private
+    attr_accessor :options
+end

data/lib/kamal/configuration.rb

@@ -0,0 +1,251 @@
+require "active_support/ordered_options"
+require "active_support/core_ext/string/inquiry"
+require "active_support/core_ext/module/delegation"
+require "pathname"
+require "erb"
+require "net/ssh/proxy/jump"
+
+class Kamal::Configuration
+  delegate :service, :image, :servers, :env, :labels, :registry, :stop_wait_time, :hooks_path, to: :raw_config, allow_nil: true
+  delegate :argumentize, :argumentize_env_with_secrets, :optionize, to: Kamal::Utils
+
+  attr_accessor :destination
+  attr_accessor :raw_config
+
+  class << self
+    def create_from(config_file:, destination: nil, version: nil)
+      raw_config = load_config_files(config_file, *destination_config_file(config_file, destination))
+
+      new raw_config, destination: destination, version: version
+    end
+
+    private
+      def load_config_files(*files)
+        files.inject({}) { |config, file| config.deep_merge! load_config_file(file) }
+      end
+
+      def load_config_file(file)
+        if file.exist?
+          YAML.load(ERB.new(IO.read(file)).result).symbolize_keys
+        else
+          raise "Configuration file not found in #{file}"
+        end
+      end
+
+      def destination_config_file(base_config_file, destination)
+        base_config_file.sub_ext(".#{destination}.yml") if destination
+      end
+  end
+
+  def initialize(raw_config, destination: nil, version: nil, validate: true)
+    @raw_config = ActiveSupport::InheritableOptions.new(raw_config)
+    @destination = destination
+    @declared_version = version
+    valid? if validate
+  end
+
+
+  def version=(version)
+    @declared_version = version
+  end
+
+  def version
+    @declared_version.presence || ENV["VERSION"] || git_version
+  end
+
+  def abbreviated_version
+    Kamal::Utils.abbreviate_version(version)
+  end
+
+
+  def roles
+    @roles ||= role_names.collect { |role_name| Role.new(role_name, config: self) }
+  end
+
+  def role(name)
+    roles.detect { |r| r.name == name.to_s }
+  end
+
+  def accessories
+    @accessories ||= raw_config.accessories&.keys&.collect { |name| Kamal::Configuration::Accessory.new(name, config: self) } || []
+  end
+
+  def accessory(name)
+    accessories.detect { |a| a.name == name.to_s }
+  end
+
+
+  def all_hosts
+    roles.flat_map(&:hosts).uniq
+  end
+
+  def primary_web_host
+    role(:web).primary_host
+  end
+
+  def traefik_hosts
+    roles.select(&:running_traefik?).flat_map(&:hosts).uniq
+  end
+
+  def boot
+    Kamal::Configuration::Boot.new(config: self)
+  end
+
+
+  def repository
+    [ raw_config.registry["server"], image ].compact.join("/")
+  end
+
+  def absolute_image
+    "#{repository}:#{version}"
+  end
+
+  def latest_image
+    "#{repository}:latest"
+  end
+
+  def service_with_version
+    "#{service}-#{version}"
+  end
+
+
+  def env_args
+    if raw_config.env.present?
+      argumentize_env_with_secrets(raw_config.env)
+    else
+      []
+    end
+  end
+
+  def volume_args
+    if raw_config.volumes.present?
+      argumentize "--volume", raw_config.volumes
+    else
+      []
+    end
+  end
+
+  def logging_args
+    if raw_config.logging.present?
+      optionize({ "log-driver" => raw_config.logging["driver"] }.compact) +
+        argumentize("--log-opt", raw_config.logging["options"])
+    else
+      argumentize("--log-opt", { "max-size" => "10m" })
+    end
+  end
+
+
+  def ssh
+    Kamal::Configuration::Ssh.new(config: self)
+  end
+
+  def sshkit
+    Kamal::Configuration::Sshkit.new(config: self)
+  end
+
+
+  def healthcheck
+    { "path" => "/up", "port" => 3000, "max_attempts" => 7 }.merge(raw_config.healthcheck || {})
+  end
+
+  def readiness_delay
+    raw_config.readiness_delay || 7
+  end
+
+  def minimum_version
+    raw_config.minimum_version
+  end
+
+  def valid?
+    ensure_required_keys_present && ensure_valid_kamal_version
+  end
+
+
+  def to_h
+    {
+      roles: role_names,
+      hosts: all_hosts,
+      primary_host: primary_web_host,
+      version: version,
+      repository: repository,
+      absolute_image: absolute_image,
+      service_with_version: service_with_version,
+      env_args: env_args,
+      volume_args: volume_args,
+      ssh_options: ssh.to_h,
+      sshkit: sshkit.to_h,
+      builder: builder.to_h,
+      accessories: raw_config.accessories,
+      logging: logging_args,
+      healthcheck: healthcheck
+    }.compact
+  end
+
+  def traefik
+    raw_config.traefik || {}
+  end
+
+  def hooks_path
+    raw_config.hooks_path || ".kamal/hooks"
+  end
+
+  def builder
+    Kamal::Configuration::Builder.new(config: self)
+  end
+
+  # Will raise KeyError if any secret ENVs are missing
+  def ensure_env_available
+    env_args
+    roles.each(&:env_args)
+
+    true
+  end
+
+  private
+    # Will raise ArgumentError if any required config keys are missing
+    def ensure_required_keys_present
+      %i[ service image registry servers ].each do |key|
+        raise ArgumentError, "Missing required configuration for #{key}" unless raw_config[key].present?
+      end
+
+      if raw_config.registry["username"].blank?
+        raise ArgumentError, "You must specify a username for the registry in config/deploy.yml"
+      end
+
+      if raw_config.registry["password"].blank?
+        raise ArgumentError, "You must specify a password for the registry in config/deploy.yml (or set the ENV variable if that's used)"
+      end
+
+      roles.each do |role|
+        if role.hosts.empty?
+          raise ArgumentError, "No servers specified for the #{role.name} role"
+        end
+      end
+
+      true
+    end
+
+    def ensure_valid_kamal_version
+      if minimum_version && Gem::Version.new(minimum_version) > Gem::Version.new(Kamal::VERSION)
+        raise ArgumentError, "Current version is #{Kamal::VERSION}, minimum required is #{minimum_version}"
+      end
+
+      true
+    end
+
+
+    def role_names
+      raw_config.servers.is_a?(Array) ? [ "web" ] : raw_config.servers.keys.sort
+    end
+
+    def git_version
+      @git_version ||=
+        if system("git rev-parse")
+          uncommitted_suffix = Kamal::Utils.uncommitted_changes.present? ? "_uncommitted_#{SecureRandom.hex(8)}" : ""
+
+          "#{`git rev-parse HEAD`.strip}#{uncommitted_suffix}"
+        else
+          raise "Can't use commit hash as version, no git repository found in #{Dir.pwd}"
+        end
+    end
+end

data/lib/kamal/sshkit_with_ext.rb

@@ -0,0 +1,104 @@
+require "sshkit"
+require "sshkit/dsl"
+require "active_support/core_ext/hash/deep_merge"
+require "json"
+
+class SSHKit::Backend::Abstract
+  def capture_with_info(*args, **kwargs)
+    capture(*args, **kwargs, verbosity: Logger::INFO)
+  end
+
+  def capture_with_debug(*args, **kwargs)
+    capture(*args, **kwargs, verbosity: Logger::DEBUG)
+  end
+
+  def capture_with_pretty_json(*args, **kwargs)
+    JSON.pretty_generate(JSON.parse(capture(*args, **kwargs)))
+  end
+
+  def puts_by_host(host, output, type: "App")
+    puts "#{type} Host: #{host}\n#{output}\n\n"
+  end
+
+  # Our execution pattern is for the CLI execute args lists returned
+  # from commands, but this doesn't support returning execution options
+  # from the command.
+  #
+  # Support this by using kwargs for CLI options and merging with the
+  # args-extracted options.
+  module CommandEnvMerge
+    private
+
+    # Override to merge options returned by commands in the args list with
+    # options passed by the CLI and pass them along as kwargs.
+    def command(args, options)
+      more_options, args = args.partition { |a| a.is_a? Hash }
+      more_options << options
+
+      build_command(args, **more_options.reduce(:deep_merge))
+    end
+
+    # Destructure options to pluck out env for merge
+    def build_command(args, env: nil, **options)
+      # Rely on native Ruby kwargs precedence rather than explicit Hash merges
+      SSHKit::Command.new(*args, **default_command_options, **options, env: env_for(env))
+    end
+
+    def default_command_options
+      { in: pwd_path, host: @host, user: @user, group: @group }
+    end
+
+    def env_for(env)
+      @env.to_h.merge(env.to_h)
+    end
+  end
+  prepend CommandEnvMerge
+end
+
+class SSHKit::Backend::Netssh::Configuration
+  attr_accessor :max_concurrent_starts
+end
+
+class SSHKit::Backend::Netssh
+  module LimitConcurrentStartsClass
+    attr_reader :start_semaphore
+
+    def configure(&block)
+      super &block
+      # Create this here to avoid lazy creation by multiple threads
+      if config.max_concurrent_starts
+        @start_semaphore = Concurrent::Semaphore.new(config.max_concurrent_starts)
+      end
+    end
+  end
+
+  class << self
+    prepend LimitConcurrentStartsClass
+  end
+
+  module LimitConcurrentStartsInstance
+    private
+      def with_ssh(&block)
+        host.ssh_options = self.class.config.ssh_options.merge(host.ssh_options || {})
+        self.class.pool.with(
+          method(:start_with_concurrency_limit),
+          String(host.hostname),
+          host.username,
+          host.netssh_options,
+          &block
+        )
+      end
+
+      def start_with_concurrency_limit(*args)
+        if self.class.start_semaphore
+          self.class.start_semaphore.acquire do
+            Net::SSH.start(*args)
+          end
+        else
+          Net::SSH.start(*args)
+        end
+      end
+  end
+
+  prepend LimitConcurrentStartsInstance
+end

data/lib/kamal/tags.rb

@@ -0,0 +1,39 @@
+require "time"
+
+class Kamal::Tags
+  attr_reader :config, :tags
+
+  class << self
+    def from_config(config, **extra)
+      new(**default_tags(config), **extra)
+    end
+
+    def default_tags(config)
+      { recorded_at: Time.now.utc.iso8601,
+        performer: `whoami`.chomp,
+        destination: config.destination,
+        version: config.version,
+        service_version: service_version(config) }
+    end
+
+    def service_version(config)
+      [ config.service, config.abbreviated_version ].compact.join("@")
+    end
+  end
+
+  def initialize(**tags)
+    @tags = tags.compact
+  end
+
+  def env
+    tags.transform_keys { |detail| "KAMAL_#{detail.upcase}" }
+  end
+
+  def to_s
+    tags.values.map { |value| "[#{value}]" }.join(" ")
+  end
+
+  def except(*tags)
+    self.class.new(**self.tags.except(*tags))
+  end
+end

data/lib/kamal/utils/healthcheck_poller.rb

@@ -0,0 +1,39 @@
+class Kamal::Utils::HealthcheckPoller
+  TRAEFIK_HEALTHY_DELAY = 2
+
+  class HealthcheckError < StandardError; end
+
+  class << self
+    def wait_for_healthy(pause_after_ready: false, &block)
+      attempt = 1
+      max_attempts = KAMAL.config.healthcheck["max_attempts"]
+
+      begin
+        case status = block.call
+        when "healthy"
+          sleep TRAEFIK_HEALTHY_DELAY if pause_after_ready
+        when "running" # No health check configured
+          sleep KAMAL.config.readiness_delay if pause_after_ready
+        else
+          raise HealthcheckError, "container not ready (#{status})"
+        end
+      rescue HealthcheckError => e
+        if attempt <= max_attempts
+          info "#{e.message}, retrying in #{attempt}s (attempt #{attempt}/#{max_attempts})..."
+          sleep attempt
+          attempt += 1
+          retry
+        else
+          raise
+        end
+      end
+
+      info "Container is healthy!"
+    end
+
+    private
+      def info(message)
+        SSHKit.config.output.info(message)
+      end
+  end
+end

data/lib/kamal/utils/sensitive.rb

@@ -0,0 +1,19 @@
+require "active_support/core_ext/module/delegation"
+
+class Kamal::Utils::Sensitive
+  # So SSHKit knows to redact these values.
+  include SSHKit::Redaction
+
+  attr_reader :unredacted, :redaction
+  delegate :to_s, to: :unredacted
+  delegate :inspect, to: :redaction
+
+  def initialize(value, redaction: "[REDACTED]")
+    @unredacted, @redaction = value, redaction
+  end
+
+  # Sensitive values won't leak into YAML output.
+  def encode_with(coder)
+    coder.represent_scalar nil, redaction
+  end
+end

data/lib/kamal/utils.rb

@@ -0,0 +1,100 @@
+module Kamal::Utils
+  extend self
+
+  DOLLAR_SIGN_WITHOUT_SHELL_EXPANSION_REGEX = /\$(?!{[^\}]*\})/
+
+  # Return a list of escaped shell arguments using the same named argument against the passed attributes (hash or array).
+  def argumentize(argument, attributes, sensitive: false)
+    Array(attributes).flat_map do |key, value|
+      if value.present?
+        attr = "#{key}=#{escape_shell_value(value)}"
+        attr = self.sensitive(attr, redaction: "#{key}=[REDACTED]") if sensitive
+        [ argument, attr]
+      else
+        [ argument, key ]
+      end
+    end
+  end
+
+  # Return a list of shell arguments using the same named argument against the passed attributes,
+  # but redacts and expands secrets.
+  def argumentize_env_with_secrets(env)
+    if (secrets = env["secret"]).present?
+      argumentize("-e", secrets.to_h { |key| [ key, ENV.fetch(key) ] }, sensitive: true) + argumentize("-e", env["clear"])
+    else
+      argumentize "-e", env.fetch("clear", env)
+    end
+  end
+
+  # Returns a list of shell-dashed option arguments. If the value is true, it's treated like a value-less option.
+  def optionize(args, with: nil)
+    options = if with
+      flatten_args(args).collect { |(key, value)| value == true ? "--#{key}" : "--#{key}#{with}#{escape_shell_value(value)}" }
+    else
+      flatten_args(args).collect { |(key, value)| [ "--#{key}", value == true ? nil : escape_shell_value(value) ] }
+    end
+
+    options.flatten.compact
+  end
+
+  # Flattens a one-to-many structure into an array of two-element arrays each containing a key-value pair
+  def flatten_args(args)
+    args.flat_map { |key, value| value.try(:map) { |entry| [key, entry] } || [ [ key, value ] ] }
+  end
+
+  # Marks sensitive values for redaction in logs and human-visible output.
+  # Pass `redaction:` to change the default `"[REDACTED]"` redaction, e.g.
+  # `sensitive "#{arg}=#{secret}", redaction: "#{arg}=xxxx"
+  def sensitive(...)
+    Kamal::Utils::Sensitive.new(...)
+  end
+
+  def redacted(value)
+    case
+    when value.respond_to?(:redaction)
+      value.redaction
+    when value.respond_to?(:transform_values)
+      value.transform_values { |value| redacted value }
+    when value.respond_to?(:map)
+      value.map { |element| redacted element }
+    else
+      value
+    end
+  end
+
+  def unredacted(value)
+    case
+    when value.respond_to?(:unredacted)
+      value.unredacted
+    when value.respond_to?(:transform_values)
+      value.transform_values { |value| unredacted value }
+    when value.respond_to?(:map)
+      value.map { |element| unredacted element }
+    else
+      value
+    end
+  end
+
+  # Escape a value to make it safe for shell use.
+  def escape_shell_value(value)
+    value.to_s.dump
+      .gsub(/`/, '\\\\`')
+      .gsub(DOLLAR_SIGN_WITHOUT_SHELL_EXPANSION_REGEX, '\$')
+  end
+
+  # Abbreviate a git revhash for concise display
+  def abbreviate_version(version)
+    if version
+      # Don't abbreviate <sha>_uncommitted_<etc>
+      if version.include?("_")
+        version
+      else
+        version[0...7]
+      end
+    end
+  end
+
+  def uncommitted_changes
+    `git status --porcelain`.strip
+  end
+end

data/lib/kamal/version.rb

@@ -0,0 +1,3 @@
+module Kamal
+  VERSION = "0.16.0"
+end

data/lib/kamal.rb

@@ -0,0 +1,10 @@
+module Kamal
+end
+
+require "active_support"
+require "zeitwerk"
+
+loader = Zeitwerk::Loader.for_gem
+loader.ignore("#{__dir__}/kamal/sshkit_with_ext.rb")
+loader.setup
+loader.eager_load # We need all commands loaded.