kamal 1.8.3 → 2.0.0.beta1

data/lib/kamal/configuration/role.rb

@@ -1,10 +1,9 @@
 class Kamal::Configuration::Role
   include Kamal::Configuration::Validation
 
-  CORD_FILE = "cord"
   delegate :argumentize, :optionize, to: Kamal::Utils
 
-  attr_reader :name, :config, :specialized_env, :specialized_logging, :specialized_healthcheck
+  attr_reader :name, :config, :specialized_env, :specialized_logging, :specialized_proxy
 
   alias to_s name
 
@@ -18,16 +17,14 @@ class Kamal::Configuration::Role
 
     @specialized_env = Kamal::Configuration::Env.new \
       config: specializations.fetch("env", {}),
-      secrets_file: File.join(config.host_env_directory, "roles", "#{container_prefix}.env"),
+      secrets: config.secrets,
       context: "servers/#{name}/env"
 
     @specialized_logging = Kamal::Configuration::Logging.new \
       logging_config: specializations.fetch("logging", {}),
       context: "servers/#{name}/logging"
 
-    @specialized_healthcheck = Kamal::Configuration::Healthcheck.new \
-      healthcheck_config: specializations.fetch("healthcheck", {}),
-      context: "servers/#{name}/healthcheck"
+    initialize_specialized_proxy
   end
 
   def primary_host
@@ -55,7 +52,7 @@ class Kamal::Configuration::Role
   end
 
   def labels
-    default_labels.merge(traefik_labels).merge(custom_labels)
+    default_labels.merge(custom_labels)
   end
 
   def label_args
@@ -70,87 +67,53 @@ class Kamal::Configuration::Role
     @logging ||= config.logging.merge(specialized_logging)
   end
 
-
-  def env(host)
-    @envs ||= {}
-    @envs[host] ||= [ config.env, specialized_env, *env_tags(host).map(&:env) ].reduce(:merge)
+  def proxy
+    @proxy ||= config.proxy.merge(specialized_proxy) if running_proxy?
   end
 
-  def env_args(host)
-    env(host).args
+  def running_proxy?
+    @running_proxy
   end
 
-  def asset_volume_args
-    asset_volume&.docker_args
+  def ssl?
+    running_proxy? && proxy.ssl?
   end
 
+  def stop_args
+    # When deploying with the proxy, kamal-proxy will drain request before returning so we don't need to wait.
+    timeout = running_proxy? ? nil : config.drain_timeout
 
-  def health_check_args(cord: true)
-    if running_traefik? || healthcheck.set_port_or_path?
-      if cord && uses_cord?
-        optionize({ "health-cmd" => health_check_cmd_with_cord, "health-interval" => healthcheck.interval })
-          .concat(cord_volume.docker_args)
-      else
-        optionize({ "health-cmd" => healthcheck.cmd, "health-interval" => healthcheck.interval })
-      end
-    else
-      []
-    end
+    [ *argumentize("-t", timeout) ]
   end
 
-  def healthcheck
-    @healthcheck ||=
-      if running_traefik?
-        config.healthcheck.merge(specialized_healthcheck)
-      else
-        specialized_healthcheck
-      end
-  end
-
-  def health_check_cmd_with_cord
-    "(#{healthcheck.cmd}) && (stat #{cord_container_file} > /dev/null || exit 1)"
-  end
-
-
-  def running_traefik?
-    if specializations["traefik"].nil?
-      primary?
-    else
-      specializations["traefik"]
-    end
+  def env(host)
+    @envs ||= {}
+    @envs[host] ||= [ config.env, specialized_env, *env_tags(host).map(&:env) ].reduce(:merge)
   end
 
-  def primary?
-    self == @config.primary_role
+  def env_args(host)
+    [ *env(host).clear_args, *argumentize("--env-file", secrets_path) ]
   end
 
-
-  def uses_cord?
-    running_traefik? && cord_volume && healthcheck.cmd.present?
+  def env_directory
+    File.join(config.env_directory, "roles")
   end
 
-  def cord_host_directory
-    File.join config.run_directory_as_docker_volume, "cords", [ container_prefix, config.run_id ].join("-")
+  def secrets_io(host)
+    env(host).secrets_io
   end
 
-  def cord_volume
-    if (cord = healthcheck.cord)
-      @cord_volume ||= Kamal::Configuration::Volume.new \
-        host_path: File.join(config.run_directory, "cords", [ container_prefix, config.run_id ].join("-")),
-        container_path: cord
-    end
+  def secrets_path
+    File.join(config.env_directory, "roles", "#{name}.env")
   end
 
-  def cord_host_file
-    File.join cord_volume.host_path, CORD_FILE
+  def asset_volume_args
+    asset_volume&.docker_args
   end
 
-  def cord_container_directory
-    health_check_options.fetch("cord", nil)
-  end
 
-  def cord_container_file
-    File.join cord_volume.container_path, CORD_FILE
+  def primary?
+    name == @config.primary_role_name
   end
 
 
@@ -168,25 +131,52 @@ class Kamal::Configuration::Role
   end
 
   def assets?
-    asset_path.present? && running_traefik?
+    asset_path.present? && running_proxy?
   end
 
-  def asset_volume(version = nil)
+  def asset_volume(version = config.version)
     if assets?
       Kamal::Configuration::Volume.new \
-        host_path: asset_volume_path(version), container_path: asset_path
+        host_path: asset_volume_directory(version), container_path: asset_path
     end
   end
 
-  def asset_extracted_path(version = nil)
-    File.join config.run_directory, "assets", "extracted", container_name(version)
+  def asset_extracted_directory(version = config.version)
+    File.join config.assets_directory, "extracted", [ name, version ].join("-")
   end
 
-  def asset_volume_path(version = nil)
-    File.join config.run_directory, "assets", "volumes", container_name(version)
+  def asset_volume_directory(version = config.version)
+    File.join config.assets_directory, "volumes", [ name, version ].join("-")
+  end
+
+  def ensure_one_host_for_ssl
+    if running_proxy? && proxy.ssl? && hosts.size > 1
+      raise Kamal::ConfigurationError, "SSL is only supported on a single server, found #{hosts.size} servers for role #{name}"
+    end
   end
 
   private
+    def initialize_specialized_proxy
+      proxy_specializations = specializations["proxy"]
+
+      if primary?
+        # only false means no proxy for non-primary roles
+        @running_proxy = proxy_specializations != false
+      else
+        # false and nil both mean no proxy for non-primary roles
+        @running_proxy = !!proxy_specializations
+      end
+
+      if running_proxy?
+        proxy_config = proxy_specializations == true || proxy_specializations.nil? ? {} : proxy_specializations
+
+        @specialized_proxy = Kamal::Configuration::Proxy.new \
+          config: config,
+          proxy_config: proxy_config,
+          context: "servers/#{name}/proxy"
+      end
+    end
+
     def tagged_hosts
       {}.tap do |tagged_hosts|
         extract_hosts_from_config.map do |host_config|
@@ -221,27 +211,6 @@ class Kamal::Configuration::Role
       end
     end
 
-    def traefik_labels
-      if running_traefik?
-        {
-          # Setting a service property ensures that the generated service name will be consistent between versions
-          "traefik.http.services.#{traefik_service}.loadbalancer.server.scheme" => "http",
-
-          "traefik.http.routers.#{traefik_service}.rule" => "PathPrefix(`/`)",
-          "traefik.http.routers.#{traefik_service}.priority" => "2",
-          "traefik.http.middlewares.#{traefik_service}-retry.retry.attempts" => "5",
-          "traefik.http.middlewares.#{traefik_service}-retry.retry.initialinterval" => "500ms",
-          "traefik.http.routers.#{traefik_service}.middlewares" => "#{traefik_service}-retry@docker"
-        }
-      else
-        {}
-      end
-    end
-
-    def traefik_service
-      container_prefix
-    end
-
     def custom_labels
       Hash.new.tap do |labels|
         labels.merge!(config.labels) if config.labels.present?

data/lib/kamal/configuration/validator/alias.rb

@@ -0,0 +1,15 @@
+class Kamal::Configuration::Validator::Alias < Kamal::Configuration::Validator
+  def validate!
+    super
+
+    name = context.delete_prefix("aliases/")
+
+    if name !~ /\A[a-z0-9_-]+\z/
+      error "Invalid alias name: '#{name}'. Must only contain lowercase letters, alphanumeric, hyphens and underscores."
+    end
+
+    if Kamal::Cli::Main.commands.include?(name)
+      error "Alias '#{name}' conflicts with a built-in command."
+    end
+  end
+end

data/lib/kamal/configuration/validator/builder.rb

@@ -5,5 +5,9 @@ class Kamal::Configuration::Validator::Builder < Kamal::Configuration::Validator
     if config["cache"] && config["cache"]["type"]
       error "Invalid cache type: #{config["cache"]["type"]}" unless [ "gha", "registry" ].include?(config["cache"]["type"])
     end
+
+    error "Builder arch not set" unless config["arch"].present?
+
+    error "Cannot disable local builds, no remote is set" if config["local"] == false && config["remote"].blank?
   end
 end

data/lib/kamal/configuration/validator/proxy.rb

@@ -0,0 +1,11 @@
+class Kamal::Configuration::Validator::Proxy < Kamal::Configuration::Validator
+  def validate!
+    unless config.nil?
+      super
+
+      if config["host"].blank? && config["ssl"]
+        error "Must set a host to enable automatic SSL"
+      end
+    end
+  end
+end

data/lib/kamal/configuration/validator.rb

@@ -13,32 +13,40 @@ class Kamal::Configuration::Validator
 
   private
     def validate_against_example!(validation_config, example)
-      validate_type! validation_config, Hash
-
-      check_unknown_keys! validation_config, example
-
-      validation_config.each do |key, value|
-        next if extension?(key)
-        with_context(key) do
-          example_value = example[key]
-
-          if example_value == "..."
-            validate_type! value, *(Array if key == :servers), Hash
-          elsif key == "hosts"
-            validate_servers! value
-          elsif example_value.is_a?(Array)
-            validate_array_of! value, example_value.first.class
-          elsif example_value.is_a?(Hash)
-            case key.to_s
-            when "options", "args"
-              validate_type! value, Hash
-            when "labels"
-              validate_hash_of! value, example_value.first[1].class
+      validate_type! validation_config, example.class
+
+      if example.class == Hash
+        check_unknown_keys! validation_config, example
+
+        validation_config.each do |key, value|
+          next if extension?(key)
+          with_context(key) do
+            example_value = example[key]
+
+            if example_value == "..."
+              unless key.to_s == "proxy" && boolean?(value.class)
+                validate_type! value, *(Array if key == :servers), Hash
+              end
+            elsif key == "hosts"
+              validate_servers! value
+            elsif example_value.is_a?(Array)
+              if key == "arch"
+                validate_array_of_or_type! value, example_value.first.class
+              else
+                validate_array_of! value, example_value.first.class
+              end
+            elsif example_value.is_a?(Hash)
+              case key.to_s
+              when "options", "args"
+                validate_type! value, Hash
+              when "labels"
+                validate_hash_of! value, example_value.first[1].class
+              else
+                validate_against_example! value, example_value
+              end
             else
-              validate_against_example! value, example_value
+              validate_type! value, example_value.class
             end
-          else
-            validate_type! value, example_value.class
           end
         end
       end
@@ -69,6 +77,16 @@ class Kamal::Configuration::Validator
       value.is_a?(String) || value.is_a?(Symbol) || value.is_a?(Numeric) || value.is_a?(TrueClass) || value.is_a?(FalseClass)
     end
 
+    def validate_array_of_or_type!(value, type)
+      if value.is_a?(Array)
+        validate_array_of! value, type
+      else
+        validate_type! value, type
+      end
+    rescue Kamal::ConfigurationError
+      type_error(Array, type)
+    end
+
     def validate_array_of!(array, type)
       validate_type! array, Array
 

data/lib/kamal/configuration.rb

@@ -2,19 +2,22 @@ require "active_support/ordered_options"
 require "active_support/core_ext/string/inquiry"
 require "active_support/core_ext/module/delegation"
 require "active_support/core_ext/hash/keys"
-require "pathname"
 require "erb"
 require "net/ssh/proxy/jump"
 
 class Kamal::Configuration
-  delegate :service, :image, :labels, :stop_wait_time, :hooks_path, to: :raw_config, allow_nil: true
+  delegate :service, :image, :labels, :hooks_path, to: :raw_config, allow_nil: true
   delegate :argumentize, :optionize, to: Kamal::Utils
 
-  attr_reader :destination, :raw_config
-  attr_reader :accessories, :boot, :builder, :env, :healthcheck, :logging, :traefik, :servers, :ssh, :sshkit, :registry
+  attr_reader :destination, :raw_config, :secrets
+  attr_reader :accessories, :aliases, :boot, :builder, :env, :logging, :proxy, :servers, :ssh, :sshkit, :registry
 
   include Validation
 
+  PROXY_MINIMUM_VERSION = "v0.3.0"
+  PROXY_HTTP_PORT = 80
+  PROXY_HTTPS_PORT = 443
+
   class << self
     def create_from(config_file:, destination: nil, version: nil)
       raw_config = load_config_files(config_file, *destination_config_file(config_file, destination))
@@ -49,18 +52,20 @@ class Kamal::Configuration
 
     validate! raw_config, example: validation_yml.symbolize_keys, context: "", with: Kamal::Configuration::Validator::Configuration
 
+    @secrets = Kamal::Secrets.new(destination: destination)
+
     # Eager load config to validate it, these are first as they have dependencies later on
     @servers = Servers.new(config: self)
     @registry = Registry.new(config: self)
 
     @accessories = @raw_config.accessories&.keys&.collect { |name| Accessory.new(name, config: self) } || []
+    @aliases = @raw_config.aliases&.keys&.to_h { |name| [ name, Alias.new(name, config: self) ] } || {}
     @boot = Boot.new(config: self)
     @builder = Builder.new(config: self)
-    @env = Env.new(config: @raw_config.env || {})
+    @env = Env.new(config: @raw_config.env || {}, secrets: secrets)
 
-    @healthcheck = Healthcheck.new(healthcheck_config: @raw_config.healthcheck)
     @logging = Logging.new(logging_config: @raw_config.logging)
-    @traefik = Traefik.new(config: self)
+    @proxy = Proxy.new(config: self, proxy_config: @raw_config.proxy || {})
     @ssh = Ssh.new(config: self)
     @sshkit = Sshkit.new(config: self)
 
@@ -69,6 +74,9 @@ class Kamal::Configuration
     ensure_valid_kamal_version
     ensure_retain_containers_valid
     ensure_valid_service_name
+    ensure_no_traefik_reboot_hooks
+    ensure_one_host_for_ssl_roles
+    ensure_unique_hosts_for_ssl_roles
   end
 
 
@@ -129,16 +137,16 @@ class Kamal::Configuration
     raw_config.allow_empty_roles
   end
 
-  def traefik_roles
-    roles.select(&:running_traefik?)
+  def proxy_roles
+    roles.select(&:running_proxy?)
   end
 
-  def traefik_role_names
-    traefik_roles.flat_map(&:name)
+  def proxy_role_names
+    proxy_roles.flat_map(&:name)
   end
 
-  def traefik_hosts
-    traefik_roles.flat_map(&:hosts).uniq
+  def proxy_hosts
+    proxy_roles.flat_map(&:hosts).uniq
   end
 
   def repository
@@ -183,31 +191,44 @@ class Kamal::Configuration
   end
 
 
-  def healthcheck_service
-    [ "healthcheck", service, destination ].compact.join("-")
-  end
-
   def readiness_delay
     raw_config.readiness_delay || 7
   end
 
-  def run_id
-    @run_id ||= SecureRandom.hex(16)
+  def deploy_timeout
+    raw_config.deploy_timeout || 30
+  end
+
+  def drain_timeout
+    raw_config.drain_timeout || 30
   end
 
 
   def run_directory
-    raw_config.run_directory || ".kamal"
+    ".kamal"
   end
 
-  def run_directory_as_docker_volume
-    if Pathname.new(run_directory).absolute?
-      run_directory
-    else
-      File.join "$(pwd)", run_directory
-    end
+  def apps_directory
+    File.join run_directory, "apps"
   end
 
+  def app_directory
+    File.join apps_directory, [ service, destination ].compact.join("-")
+  end
+
+  def proxy_directory
+    File.join run_directory, "proxy"
+  end
+
+  def env_directory
+    File.join app_directory, "env"
+  end
+
+  def assets_directory
+    File.join app_directory, "assets"
+  end
+
+
   def hooks_path
     raw_config.hooks_path || ".kamal/hooks"
   end
@@ -217,13 +238,9 @@ class Kamal::Configuration
   end
 
 
-  def host_env_directory
-    File.join(run_directory, "env")
-  end
-
   def env_tags
     @env_tags ||= if (tags = raw_config.env["tags"])
-      tags.collect { |name, config| Env::Tag.new(name, config: config) }
+      tags.collect { |name, config| Env::Tag.new(name, config: config, secrets: secrets) }
     else
       []
     end
@@ -233,6 +250,24 @@ class Kamal::Configuration
     env_tags.detect { |t| t.name == name.to_s }
   end
 
+  def proxy_publish_args
+    argumentize "--publish", [ "#{PROXY_HTTP_PORT}:#{PROXY_HTTP_PORT}", "#{PROXY_HTTPS_PORT}:#{PROXY_HTTPS_PORT}" ]
+  end
+
+  def proxy_image
+    "basecamp/kamal-proxy:#{PROXY_MINIMUM_VERSION}"
+  end
+
+  def proxy_container_name
+    "kamal-proxy"
+  end
+
+  def proxy_config_volume
+    Kamal::Configuration::Volume.new \
+      host_path: File.join(proxy_directory, "config"),
+      container_path: "/home/kamal-proxy/.config/kamal-proxy"
+  end
+
 
   def to_h
     {
@@ -248,8 +283,7 @@ class Kamal::Configuration
       sshkit: sshkit.to_h,
       builder: builder.to_h,
       accessories: raw_config.accessories,
-      logging: logging_args,
-      healthcheck: healthcheck.to_h
+      logging: logging_args
     }.compact
   end
 
@@ -307,6 +341,30 @@ class Kamal::Configuration
       true
     end
 
+    def ensure_no_traefik_reboot_hooks
+      hooks = %w[ pre-traefik-reboot post-traefik-reboot ].select { |hook_file| File.exist?(File.join(hooks_path, hook_file)) }
+
+      if hooks.any?
+        raise Kamal::ConfigurationError, "Found #{hooks.join(", ")}, these should be renamed to (pre|post)-proxy-reboot"
+      end
+
+      true
+    end
+
+    def ensure_one_host_for_ssl_roles
+      roles.each(&:ensure_one_host_for_ssl)
+
+      true
+    end
+
+    def ensure_unique_hosts_for_ssl_roles
+      hosts = roles.select(&:ssl?).map { |role| role.proxy.host }
+      duplicates = hosts.tally.filter_map { |host, count| host if count > 1 }
+
+      raise Kamal::ConfigurationError, "Different roles can't share the same host for SSL: #{duplicates.join(", ")}" if duplicates.any?
+
+      true
+    end
 
     def role_names
       raw_config.servers.is_a?(Array) ? [ "web" ] : raw_config.servers.keys.sort

data/lib/kamal/env_file.rb

@@ -15,6 +15,10 @@ class Kamal::EnvFile
     env_file.presence || "\n"
   end
 
+  def to_io
+    StringIO.new(to_s)
+  end
+
   alias to_str to_s
 
   private

data/lib/kamal/secrets/adapters/base.rb

@@ -0,0 +1,18 @@
+class Kamal::Secrets::Adapters::Base
+  delegate :optionize, to: Kamal::Utils
+
+  def fetch(secrets, account:, from: nil)
+    session = login(account)
+    full_secrets = secrets.map { |secret| [ from, secret ].compact.join("/") }
+    fetch_secrets(full_secrets, account: account, session: session)
+  end
+
+  private
+    def login(...)
+      raise NotImplementedError
+    end
+
+    def fetch_secrets(...)
+      raise NotImplementedError
+    end
+end

data/lib/kamal/secrets/adapters/bitwarden.rb

@@ -0,0 +1,64 @@
+class Kamal::Secrets::Adapters::Bitwarden < Kamal::Secrets::Adapters::Base
+  private
+    def login(account)
+      status = run_command("status")
+
+      if status["status"] == "unauthenticated"
+        run_command("login #{account.shellescape}", raw: true)
+        status = run_command("status")
+      end
+
+      if status["status"] == "locked"
+        session = run_command("unlock --raw", raw: true).presence
+        status = run_command("status", session: session)
+      end
+
+      raise RuntimeError, "Failed to login to and unlock Bitwarden" unless status["status"] == "unlocked"
+
+      run_command("sync", session: session, raw: true)
+      raise RuntimeError, "Failed to sync Bitwarden" unless $?.success?
+
+      session
+    end
+
+    def fetch_secrets(secrets, account:, session:)
+      {}.tap do |results|
+        items_fields(secrets).each do |item, fields|
+          item_json = run_command("get item #{item.shellescape}", session: session, raw: true)
+          raise RuntimeError, "Could not read #{secret} from Bitwarden" unless $?.success?
+          item_json = JSON.parse(item_json)
+
+          if fields.any?
+            fields.each do |field|
+              item_field = item_json["fields"].find { |f| f["name"] == field }
+              raise RuntimeError, "Could not find field #{field} in item #{item} in Bitwarden" unless item_field
+              value = item_field["value"]
+              results["#{item}/#{field}"] = value
+            end
+          else
+            results[item] = item_json["login"]["password"]
+          end
+        end
+      end
+    end
+
+    def items_fields(secrets)
+      {}.tap do |items|
+        secrets.each do |secret|
+          item, field = secret.split("/")
+          items[item] ||= []
+          items[item] << field
+        end
+      end
+    end
+
+    def signedin?(account)
+      run_command("status")["status"] != "unauthenticated"
+    end
+
+    def run_command(command, session: nil, raw: false)
+      full_command = [ *("BW_SESSION=#{session.shellescape}" if session), "bw", command ].join(" ")
+      result = `#{full_command}`.strip
+      raw ? result : JSON.parse(result)
+    end
+end