kamal 1.6.0 → 1.7.0

data/lib/kamal/configuration/docs/configuration.yml

@@ -0,0 +1,157 @@
+# Kamal Configuration
+#
+# Configuration is read from the `config/deploy.yml`
+#
+# When running commands, you can specify a destination with the `-d` flag,
+# e.g. `kamal deploy -d staging`
+#
+# In this case the configuration will also be read from `config/deploy.staging.yml`
+# and merged with the base configuration.
+#
+# The available configuration options are explained below.
+
+# The service name
+# This is a required value. It is used as the container name prefix.
+service: myapp
+
+# The Docker image name
+#
+# The image will be pushed to the configured registry.
+image: my-image
+
+# Labels
+#
+# Additional labels to add to the container
+labels:
+  my-label: my-value
+
+# Additional volumes to mount into the container
+volumes:
+  - /path/on/host:/path/in/container:ro
+
+# Registry
+#
+# The Docker registry configuration, see kamal docs registry
+registry:
+  ...
+
+# Servers
+#
+# The servers to deploy to, optionally with custom roles, see kamal docs servers
+servers:
+  ...
+
+# Environment variables
+#
+# See kamal docs env
+env:
+  ...
+
+# Asset Bridging
+#
+# Used for asset bridging across deployments, default to `nil`
+#
+# If there are changes to CSS or JS files, we may get requests
+# for the old versions on the new container and vice-versa.
+#
+# To avoid 404s we can specify an asset path.
+# Kamal will replace that path in the container with a mapped
+# volume containing both sets of files.
+# This requires that file names change when the contents change
+# (e.g. by including a hash of the contents in the name).
+
+# To configure this, set the path to the assets:
+asset_path: /path/to/assets
+
+# Path to hooks, defaults to `.kamal/hooks`
+# See https://kamal-deploy.org/docs/hooks for more information
+hooks_path: /user_home/kamal/hooks
+
+# Require destinations
+#
+# Whether deployments require a destination to be specified, defaults to `false`
+require_destination: true
+
+# The primary role
+#
+# This defaults to `web`, but if you have no web role, you can change this
+primary_role: workers
+
+# Allowing empty roles
+#
+# Whether roles with no servers are allowed. Defaults to `false`.
+allow_empty_roles: false
+
+# Stop wait time
+#
+# How long we wait for a container to stop before killing it, defaults to 30 seconds
+stop_wait_time: 60
+
+# Retain containers
+#
+# How many old containers and images we retain, defaults to 5
+retain_containers: 3
+
+# Minimum version
+#
+# The minimum version of Kamal required to deploy this configuration, defaults to nil
+minimum_version: 1.3.0
+
+# Readiness delay
+#
+# Seconds to wait for a container to boot after is running, default 7
+# This only applies to containers that do not specify a healthcheck
+readiness_delay: 4
+
+# Run directory
+#
+# Directory to store kamal runtime files in on the host, default `.kamal`
+run_directory: /etc/kamal
+
+# SSH options
+#
+# See kamal docs ssh
+ssh:
+  ...
+
+# Builder options
+#
+# See kamal docs builder
+builder:
+  ...
+
+# Accessories
+#
+# Additionals services to run in Docker, see kamal docs accessory
+accessories:
+  ...
+
+# Traefik
+#
+# The Traefik proxy is used for zero-downtime deployments, see kamal docs traefik
+traefik:
+  ...
+
+# SSHKit
+#
+# See kamal docs sshkit
+sshkit:
+  ...
+
+# Boot options
+#
+# See kamal docs boot
+boot:
+  ...
+
+# Healthcheck
+#
+# Configuring healthcheck commands, intervals and timeouts, see kamal docs healthcheck
+healthcheck:
+  ...
+
+# Logging
+#
+# Docker logging configuration, see kamal docs logging
+logging:
+  ...

data/lib/kamal/configuration/docs/env.yml

@@ -0,0 +1,72 @@
+# Environment variables
+#
+# Environment variables can be set directory in the Kamal configuration or
+# for loaded from a .env file, for secrets that should not be checked into Git.
+
+# Reading environment variables from the configuration
+#
+# Environment variables can be set directly in the configuration file.
+#
+# These are passed to the docker run command when deploying.
+env:
+  DATABASE_HOST: mysql-db1
+  DATABASE_PORT: 3306
+
+# Using .env file to load required environment variables
+#
+# Kamal uses dotenv to automatically load environment variables set in the .env file present
+# in the application root.
+#
+# This file can be used to set variables like KAMAL_REGISTRY_PASSWORD or database passwords.
+# But for this reason you must ensure that .env files are not checked into Git or included
+# in your Dockerfile! The format is just key-value like:
+# ```
+# KAMAL_REGISTRY_PASSWORD=pw
+# DB_PASSWORD=secret123
+# ```
+# See https://kamal-deploy.org/docs/commands/envify/ for how to use generated .env files.
+#
+# To pass the secrets you should list them under the `secret` key. When you do this the
+# other variables need to be moved under the `clear` key.
+#
+# Unlike clear valies, secrets are not passed directly to the container,
+# but are stored in an env file on the host
+# The file is not updated when deploying, only when running `kamal envify` or `kamal env push`.
+env:
+  clear:
+    DB_USER: app
+  secret:
+    - DB_PASSWORD
+
+# Tags
+#
+# Tags are used to add extra env variables to specific hosts.
+# See kamal docs servers for how to tag hosts.
+#
+# Tags are only allowed in the top level env configuration (i.e not under a role specific env).
+#
+# The env variables can be specified with secret and clear values as explained above.
+env:
+  tags:
+    <tag1>:
+      MYSQL_USER: monitoring
+    <tag2>:
+      clear:
+        MYSQL_USER: readonly
+      secret:
+        - MYSQL_PASSWORD
+
+# Example configuration
+env:
+  clear:
+    MYSQL_USER: app
+  secret:
+    - MYSQL_PASSWORD
+  tags:
+    monitoring:
+      MYSQL_USER: monitoring
+    replica:
+      clear:
+        MYSQL_USER: readonly
+      secret:
+        - READONLY_PASSWORD

data/lib/kamal/configuration/docs/healthcheck.yml

@@ -0,0 +1,59 @@
+# Healthcheck configuration
+#
+# On roles that are running Traefik, Kamal will supply a default healthcheck to `docker run`.
+# For other roles, by default no healthcheck is supplied.
+#
+# If no healthcheck is supplied and the image does not define one, they we wait for the container
+# to reach a running state and then pause for the readiness delay.
+#
+# The default healthcheck is `curl -f http://localhost:<port>/<path>`, so it assumes that `curl`
+# is available within the container.
+
+# Healthcheck options
+#
+# These go under the `healthcheck` key in the root or role configuration.
+healthcheck:
+
+  # Command
+  #
+  # The command to run, defaults to `curl -f http://localhost:<port>/<path>` on roles running Traefik
+  cmd: "curl -f http://localhost"
+
+  # Interval
+  #
+  # The Docker healthcheck interval, defaults to `1s`
+  interval: 10s
+
+  # Max attempts
+  #
+  # The maximum number of times we poll the container to see if it is healthy, defaults to `7`
+  # Each check is separated by an increasing interval starting with 1 second.
+  max_attempts: 3
+
+  # Port
+  #
+  # The port to use in the healthcheck, defaults to `3000`
+  port: "80"
+
+  # Path
+  #
+  # The path to use in the healthcheck, defaults to `/up`
+  path: /health
+
+  # Cords for zero-downtime deployments
+  #
+  # The cord file is used for zero-downtime deployments. The healthcheck is augmented with a check
+  # for the existance of the file. This allows us to delete the file and force the container to
+  # become unhealthy, causing Traefik to stop routing traffic to it.
+  #
+  # Kamal mounts a volume at this location and creates the file before starting the container.
+  # You can set the value to `false` to disable the cord file, but this loses the zero-downtime
+  # guarantee.
+  #
+  # The default value is `/tmp/kamal-cord`
+  cord: /cord
+
+  # Log lines
+  #
+  # Number of lines to log from the container when the healthcheck fails, defaults to `50`
+  log_lines: 100

data/lib/kamal/configuration/docs/logging.yml

@@ -0,0 +1,21 @@
+# Custom logging configuration
+#
+# Set these to control the Docker logging driver and options.
+
+# Logging settings
+#
+# These go under the logging key in the configuration file.
+#
+# This can be specified in the root level or for a specific role.
+logging:
+
+  # Driver
+  #
+  # The logging driver to use, passed to Docker via `--log-driver`
+  driver: json-file
+
+  # Options
+  #
+  # Any logging options to pass to the driver, passed to Docker via `--log-opt`
+  options:
+    max-size: 100m

data/lib/kamal/configuration/docs/registry.yml

@@ -0,0 +1,49 @@
+# Registry
+#
+# The default registry is Docker Hub, but you can change it using registry/server:
+#
+# A reference to secret (in this case DOCKER_REGISTRY_TOKEN) will look up the secret
+# in the local environment.
+
+registry:
+  server: registry.digitalocean.com
+  username:
+    - DOCKER_REGISTRY_TOKEN
+  password:
+    - DOCKER_REGISTRY_TOKEN
+
+# Using AWS ECR as the container registry
+# You will need to have the aws CLI installed locally for this to work.
+# AWS ECR’s access token is only valid for 12hrs. In order to not have to manually regenerate the token every time, you can use ERB in the deploy.yml file to shell out to the aws cli command, and obtain the token:
+
+registry:
+  server: <your aws account id>.dkr.ecr.<your aws region id>.amazonaws.com
+  username: AWS
+  password: <%= %x(aws ecr get-login-password) %>
+
+# Using GCP Artifact Registry as the container registry
+# To sign into Artifact Registry, you would need to
+# [create a service account](https://cloud.google.com/iam/docs/service-accounts-create#creating)
+# and [set up roles and permissions](https://cloud.google.com/artifact-registry/docs/access-control#permissions).
+# Normally, assigning a roles/artifactregistry.writer role should be sufficient.
+#
+# Once the service account is ready, you need to generate and download a JSON key, base64 encode it and add to .env:
+#
+# ```shell
+# echo "KAMAL_REGISTRY_PASSWORD=$(base64 -i /path/to/key.json)" | tr -d "\\n"  >> .env
+# ```
+# Use the env variable as password along with _json_key_base64 as username.
+# Here’s the final configuration:
+
+registry:
+  server: <your registry region>-docker.pkg.dev
+  username: _json_key_base64
+  password:
+    - KAMAL_REGISTRY_PASSWORD
+
+# Validating the configuration
+#
+# You can validate the configuration by running:
+# ```shell
+# kamal registry login
+# ```

data/lib/kamal/configuration/docs/role.yml

@@ -0,0 +1,52 @@
+# Roles
+#
+# Roles are used to configure different types of servers in the deployment.
+# The most common use for this is to run a web servers and job servers.
+#
+# Kamal expects there to be a `web` role, unless you set a different `primary_role`
+# in the root configuration.
+
+# Role configuration
+#
+# Roles are specified under the servers key
+servers:
+
+  # Simple role configuration
+  #
+  #
+  # This can be a list of hosts, if you don't need custom configuration for the role.
+  #
+  # You can set tags on the hosts for custom env variables (see kamal docs env)
+  web:
+    - 172.1.0.1
+    - 172.1.0.2: experiment1
+    - 172.1.0.2: [ experiment1, experiment2 ]
+
+  # Custom role configuration
+  #
+  # When there are other options to set, the list of hosts goes under the `hosts` key
+  #
+  # By default only the primary role uses Traefik, but you can set `traefik` to change
+  # it.
+  #
+  # You can also set a custom cmd to run in the container, and overwrite other settings
+  # from the root configuration.
+  workers:
+    hosts:
+      - 172.1.0.3
+      - 172.1.0.4: experiment1
+    traefik: true
+    cmd: "bin/jobs"
+    options:
+      memory: 2g
+      cpus: 4
+    healthcheck:
+      ...
+    logging:
+      ...
+    labels:
+      my-label: workers
+    env:
+      ...
+    asset_path: /public
+

data/lib/kamal/configuration/docs/servers.yml

@@ -0,0 +1,27 @@
+# Servers
+#
+# Servers are split into different roles, with each role having its own configuration.
+#
+# For simpler deployments though where all servers are identical, you can just specify a list of servers
+# They will be implicitly assigned to the `web` role.
+servers:
+  - 172.0.0.1
+  - 172.0.0.2
+  - 172.0.0.3
+
+# Tagging servers
+#
+# Servers can be tagged, with the tags used to add custom env variables (see kamal docs env).
+servers:
+  - 172.0.0.1
+  - 172.0.0.2: experiments
+  - 172.0.0.3: [ experiments, three ]
+
+# Roles
+#
+# For more complex deployments (e.g. if you are running job hosts), you can specify roles, and configure each separately (see kamal docs role)
+servers:
+  web:
+    ...
+  workers:
+    ...

data/lib/kamal/configuration/docs/ssh.yml

@@ -0,0 +1,46 @@
+# SSH configuration
+#
+# Kamal uses SSH to connect run commands on your hosts.
+# By default it will attempt to connect to the root user on port 22
+#
+# If you are using non-root user, you may need to bootstrap your servers manually, before using them with Kamal. On Ubuntu, you’d do:
+#
+# ```shell
+# sudo apt update
+# sudo apt upgrade -y
+# sudo apt install -y docker.io curl git
+# sudo usermod -a -G docker app
+# ```
+
+
+# SSH options
+#
+# The options are specified under the ssh key in the configuration file.
+ssh:
+
+  # The SSH user
+  #
+  # Defaults to `root`
+  #
+  user: app
+
+  # The SSH port
+  #
+  # Defaults to 22
+  port: "2222"
+
+  # Proxy host
+  #
+  # Specified in the form <host> or <user>@<host>
+  proxy: root@proxy-host
+
+  # Proxy command
+  #
+  # A custom proxy command, required for older versions of SSH
+  proxy_command: "ssh -W %h:%p user@proxy"
+
+  # Log level
+  #
+  # Defaults to `fatal`. Set this to debug if you are having
+  # SSH connection issues.
+  log_level: debug

data/lib/kamal/configuration/docs/sshkit.yml

@@ -0,0 +1,23 @@
+# SSHKit
+#
+# [SSHKit](https://github.com/capistrano/sshkit) is the SSH toolkit used by Kamal.
+#
+# The default settings should be sufficient for most use cases, but
+# when connecting to a large number of hosts you may need to adjust
+
+# SSHKit options
+#
+# The options are specified under the sshkit key in the configuration file.
+sshkit:
+
+  # Max concurrent starts
+  #
+  # Creating SSH connections concurrently can be an issue when deploying to many servers.
+  # By default Kamal will limit concurrent connection starts to 30 at a time.
+  max_concurrent_starts: 10
+
+  # Pool idle timeout
+  #
+  # Kamal sets a long idle timeout of 900 seconds on connections to try to avoid
+  # re-connection storms after an idle period, like building an image or waiting for CI.
+  pool_idle_timeout: 300

data/lib/kamal/configuration/docs/traefik.yml

@@ -0,0 +1,62 @@
+# Traefik
+#
+# Traefik is a reverse proxy, used by Kamal for zero-downtime deployments.
+#
+# We start an instance on the hosts in it's own container.
+#
+# During a deployment:
+# 1. We start a new container which Traefik automatically detects due to the labels we have applied
+# 2. Traefik starts routing traffic to the new container
+# 3. We force the old container to fail it's healthcheck, causing Traefik to stop routing traffic to it
+# 4. We stop the old container
+
+# Traefik settings
+#
+# Traekik is configured in the root configuration under `traefik`.
+traefik:
+
+  # Image
+  #
+  # The Traefik image to use, defaults to `traefik:v2.10`
+  image: traefik:v2.9
+
+  # Host port
+  #
+  # The host port to publish the Traefik container on, defaults to `80`
+  host_port: "8080"
+
+  # Disabling publishing
+  #
+  # To avoid publishing the Traefik container, set this to `false`
+  publish: false
+
+  # Labels
+  #
+  # Additional labels to apply to the Traefik container
+  labels:
+    traefik.http.routers.catchall.entryPoints: http
+    traefik.http.routers.catchall.rule: PathPrefix(`/`)
+    traefik.http.routers.catchall.service: unavailable
+    traefik.http.routers.catchall.priority: "1"
+    traefik.http.services.unavailable.loadbalancer.server.port: "0"
+
+  # Arguments
+  #
+  # Additional arguments to pass to the Traefik container
+  args:
+    entryPoints.http.address: ":80"
+    entryPoints.http.forwardedHeaders.insecure: true
+    accesslog: true
+    accesslog.format: json
+
+  # Options
+  #
+  # Additional options to pass to `docker run`
+  options:
+    cpus: 2
+
+  # Environment variables
+  #
+  # See kamal docs env
+  env:
+    ...

data/lib/kamal/configuration/env/tag.rb

@@ -7,6 +7,6 @@ class Kamal::Configuration::Env::Tag
   end
 
   def env
-    Kamal::Configuration::Env.from_config(config: config)
+    Kamal::Configuration::Env.new(config: config)
   end
 end

data/lib/kamal/configuration/env.rb

@@ -1,18 +1,15 @@
 class Kamal::Configuration::Env
-  attr_reader :secrets_keys, :clear, :secrets_file
-  delegate :argumentize, to: Kamal::Utils
-
-  def self.from_config(config:, secrets_file: nil)
-    secrets_keys = config.fetch("secret", [])
-    clear = config.fetch("clear", config.key?("secret") || config.key?("tags") ? {} : config)
+  include Kamal::Configuration::Validation
 
-    new clear: clear, secrets_keys: secrets_keys, secrets_file: secrets_file
-  end
+  attr_reader :secrets_keys, :clear, :secrets_file, :context
+  delegate :argumentize, to: Kamal::Utils
 
-  def initialize(clear:, secrets_keys:, secrets_file:)
-    @clear = clear
-    @secrets_keys = secrets_keys
+  def initialize(config:, secrets_file: nil, context: "env")
+    @clear = config.fetch("clear", config.key?("secret") || config.key?("tags") ? {} : config)
+    @secrets_keys = config.fetch("secret", [])
     @secrets_file = secrets_file
+    @context = context
+    validate! config, context: context, with: Kamal::Configuration::Validator::Env
   end
 
   def args
@@ -33,8 +30,7 @@ class Kamal::Configuration::Env
 
   def merge(other)
     self.class.new \
-      clear: @clear.merge(other.clear),
-      secrets_keys: @secrets_keys | other.secrets_keys,
-      secrets_file: secrets_file
+      config: { "clear" => clear.merge(other.clear), "secret" => secrets_keys | other.secrets_keys },
+      secrets_file: secrets_file || other.secrets_file
   end
 end

data/lib/kamal/configuration/healthcheck.rb

@@ -0,0 +1,63 @@
+class Kamal::Configuration::Healthcheck
+  include Kamal::Configuration::Validation
+
+  attr_reader :healthcheck_config
+
+  def initialize(healthcheck_config:, context: "healthcheck")
+    @healthcheck_config = healthcheck_config || {}
+    validate! @healthcheck_config, context: context
+  end
+
+  def merge(other)
+    self.class.new healthcheck_config: healthcheck_config.deep_merge(other.healthcheck_config)
+  end
+
+  def cmd
+    healthcheck_config.fetch("cmd", http_health_check)
+  end
+
+  def port
+    healthcheck_config.fetch("port", 3000)
+  end
+
+  def path
+    healthcheck_config.fetch("path", "/up")
+  end
+
+  def max_attempts
+    healthcheck_config.fetch("max_attempts", 7)
+  end
+
+  def interval
+    healthcheck_config.fetch("interval", "1s")
+  end
+
+  def cord
+    healthcheck_config.fetch("cord", "/tmp/kamal-cord")
+  end
+
+  def log_lines
+    healthcheck_config.fetch("log_lines", 50)
+  end
+
+  def set_port_or_path?
+    healthcheck_config["port"].present? || healthcheck_config["path"].present?
+  end
+
+  def to_h
+    {
+      "cmd" => cmd,
+      "interval" => interval,
+      "max_attempts" => max_attempts,
+      "port" => port,
+      "path" => path,
+      "cord" => cord,
+      "log_lines" => log_lines
+    }
+  end
+
+  private
+    def http_health_check
+      "curl -f #{URI.join("http://localhost:#{port}", path)} || exit 1" if path.present? || port.present?
+    end
+end