kamal 1.8.3 → 2.7.0

data/lib/kamal/configuration/role.rb

@@ -1,33 +1,30 @@
 class Kamal::Configuration::Role
   include Kamal::Configuration::Validation
 
-  CORD_FILE = "cord"
   delegate :argumentize, :optionize, to: Kamal::Utils
 
-  attr_reader :name, :config, :specialized_env, :specialized_logging, :specialized_healthcheck
+  attr_reader :name, :config, :specialized_env, :specialized_logging, :specialized_proxy
 
   alias to_s name
 
   def initialize(name, config:)
     @name, @config = name.inquiry, config
     validate! \
-      specializations,
+      role_config,
       example: validation_yml["servers"]["workers"],
       context: "servers/#{name}",
       with: Kamal::Configuration::Validator::Role
 
     @specialized_env = Kamal::Configuration::Env.new \
       config: specializations.fetch("env", {}),
-      secrets_file: File.join(config.host_env_directory, "roles", "#{container_prefix}.env"),
+      secrets: config.secrets,
       context: "servers/#{name}/env"
 
     @specialized_logging = Kamal::Configuration::Logging.new \
       logging_config: specializations.fetch("logging", {}),
       context: "servers/#{name}/logging"
 
-    @specialized_healthcheck = Kamal::Configuration::Healthcheck.new \
-      healthcheck_config: specializations.fetch("healthcheck", {}),
-      context: "servers/#{name}/healthcheck"
+    initialize_specialized_proxy
   end
 
   def primary_host
@@ -55,7 +52,7 @@ class Kamal::Configuration::Role
   end
 
   def labels
-    default_labels.merge(traefik_labels).merge(custom_labels)
+    default_labels.merge(custom_labels)
   end
 
   def label_args
@@ -70,87 +67,53 @@ class Kamal::Configuration::Role
     @logging ||= config.logging.merge(specialized_logging)
   end
 
-
-  def env(host)
-    @envs ||= {}
-    @envs[host] ||= [ config.env, specialized_env, *env_tags(host).map(&:env) ].reduce(:merge)
+  def proxy
+    @proxy ||= specialized_proxy.merge(config.proxy) if running_proxy?
   end
 
-  def env_args(host)
-    env(host).args
+  def running_proxy?
+    @running_proxy
   end
 
-  def asset_volume_args
-    asset_volume&.docker_args
+  def ssl?
+    running_proxy? && proxy.ssl?
   end
 
+  def stop_args
+    # When deploying with the proxy, kamal-proxy will drain request before returning so we don't need to wait.
+    timeout = running_proxy? ? nil : config.drain_timeout
 
-  def health_check_args(cord: true)
-    if running_traefik? || healthcheck.set_port_or_path?
-      if cord && uses_cord?
-        optionize({ "health-cmd" => health_check_cmd_with_cord, "health-interval" => healthcheck.interval })
-          .concat(cord_volume.docker_args)
-      else
-        optionize({ "health-cmd" => healthcheck.cmd, "health-interval" => healthcheck.interval })
-      end
-    else
-      []
-    end
+    [ *argumentize("-t", timeout) ]
   end
 
-  def healthcheck
-    @healthcheck ||=
-      if running_traefik?
-        config.healthcheck.merge(specialized_healthcheck)
-      else
-        specialized_healthcheck
-      end
-  end
-
-  def health_check_cmd_with_cord
-    "(#{healthcheck.cmd}) && (stat #{cord_container_file} > /dev/null || exit 1)"
-  end
-
-
-  def running_traefik?
-    if specializations["traefik"].nil?
-      primary?
-    else
-      specializations["traefik"]
-    end
+  def env(host)
+    @envs ||= {}
+    @envs[host] ||= [ config.env, specialized_env, *env_tags(host).map(&:env) ].reduce(:merge)
   end
 
-  def primary?
-    self == @config.primary_role
+  def env_args(host)
+    [ *env(host).clear_args, *argumentize("--env-file", secrets_path) ]
   end
 
-
-  def uses_cord?
-    running_traefik? && cord_volume && healthcheck.cmd.present?
+  def env_directory
+    File.join(config.env_directory, "roles")
   end
 
-  def cord_host_directory
-    File.join config.run_directory_as_docker_volume, "cords", [ container_prefix, config.run_id ].join("-")
+  def secrets_io(host)
+    env(host).secrets_io
   end
 
-  def cord_volume
-    if (cord = healthcheck.cord)
-      @cord_volume ||= Kamal::Configuration::Volume.new \
-        host_path: File.join(config.run_directory, "cords", [ container_prefix, config.run_id ].join("-")),
-        container_path: cord
-    end
+  def secrets_path
+    File.join(config.env_directory, "roles", "#{name}.env")
   end
 
-  def cord_host_file
-    File.join cord_volume.host_path, CORD_FILE
+  def asset_volume_args
+    asset_volume&.docker_args
   end
 
-  def cord_container_directory
-    health_check_options.fetch("cord", nil)
-  end
 
-  def cord_container_file
-    File.join cord_volume.container_path, CORD_FILE
+  def primary?
+    name == @config.primary_role_name
   end
 
 
@@ -168,25 +131,54 @@ class Kamal::Configuration::Role
   end
 
   def assets?
-    asset_path.present? && running_traefik?
+    asset_path.present? && running_proxy?
   end
 
-  def asset_volume(version = nil)
+  def asset_volume(version = config.version)
     if assets?
       Kamal::Configuration::Volume.new \
-        host_path: asset_volume_path(version), container_path: asset_path
+        host_path: asset_volume_directory(version), container_path: asset_path
     end
   end
 
-  def asset_extracted_path(version = nil)
-    File.join config.run_directory, "assets", "extracted", container_name(version)
+  def asset_extracted_directory(version = config.version)
+    File.join config.assets_directory, "extracted", [ name, version ].join("-")
+  end
+
+  def asset_volume_directory(version = config.version)
+    File.join config.assets_directory, "volumes", [ name, version ].join("-")
   end
 
-  def asset_volume_path(version = nil)
-    File.join config.run_directory, "assets", "volumes", container_name(version)
+  def ensure_one_host_for_ssl
+    if running_proxy? && proxy.ssl? && hosts.size > 1 && !proxy.custom_ssl_certificate?
+      raise Kamal::ConfigurationError, "SSL is only supported on a single server unless you provide custom certificates, found #{hosts.size} servers for role #{name}"
+    end
   end
 
   private
+    def initialize_specialized_proxy
+      proxy_specializations = specializations["proxy"]
+
+      if primary?
+        # only false means no proxy for non-primary roles
+        @running_proxy = proxy_specializations != false
+      else
+        # false and nil both mean no proxy for non-primary roles
+        @running_proxy = !!proxy_specializations
+      end
+
+      if running_proxy?
+        proxy_config = proxy_specializations == true || proxy_specializations.nil? ? {} : proxy_specializations
+
+        @specialized_proxy = Kamal::Configuration::Proxy.new \
+          config: config,
+          proxy_config: proxy_config,
+          secrets: config.secrets,
+          role_name: name,
+          context: "servers/#{name}/proxy"
+      end
+    end
+
     def tagged_hosts
       {}.tap do |tagged_hosts|
         extract_hosts_from_config.map do |host_config|
@@ -214,32 +206,11 @@ class Kamal::Configuration::Role
     end
 
     def specializations
-      if config.raw_config.servers.is_a?(Array) || config.raw_config.servers[name].is_a?(Array)
-        {}
-      else
-        config.raw_config.servers[name]
-      end
-    end
-
-    def traefik_labels
-      if running_traefik?
-        {
-          # Setting a service property ensures that the generated service name will be consistent between versions
-          "traefik.http.services.#{traefik_service}.loadbalancer.server.scheme" => "http",
-
-          "traefik.http.routers.#{traefik_service}.rule" => "PathPrefix(`/`)",
-          "traefik.http.routers.#{traefik_service}.priority" => "2",
-          "traefik.http.middlewares.#{traefik_service}-retry.retry.attempts" => "5",
-          "traefik.http.middlewares.#{traefik_service}-retry.retry.initialinterval" => "500ms",
-          "traefik.http.routers.#{traefik_service}.middlewares" => "#{traefik_service}-retry@docker"
-        }
-      else
-        {}
-      end
+      @specializations ||= role_config.is_a?(Array) ? {} : role_config
     end
 
-    def traefik_service
-      container_prefix
+    def role_config
+      @role_config ||= config.raw_config.servers.is_a?(Array) ? {} : config.raw_config.servers[name]
     end
 
     def custom_labels

data/lib/kamal/configuration/servers.rb

@@ -13,6 +13,13 @@ class Kamal::Configuration::Servers
 
   private
     def role_names
-      servers_config.is_a?(Array) ? [ "web" ] : servers_config.keys.sort
+      case servers_config
+      when Array
+        [ "web" ]
+      when NilClass
+        []
+      else
+        servers_config.keys.sort
+      end
     end
 end

data/lib/kamal/configuration/validator/accessory.rb

@@ -2,8 +2,12 @@ class Kamal::Configuration::Validator::Accessory < Kamal::Configuration::Validat
   def validate!
     super
 
-    if (config.keys & [ "host", "hosts", "roles" ]).size != 1
-      error "specify one of `host`, `hosts` or `roles`"
+    if (config.keys & [ "host", "hosts", "role", "roles", "tag", "tags" ]).size != 1
+      error "specify one of `host`, `hosts`, `role`, `roles`, `tag` or `tags`"
     end
+
+    validate_labels!(config["labels"])
+
+    validate_docker_options!(config["options"])
   end
 end

data/lib/kamal/configuration/validator/alias.rb

@@ -0,0 +1,15 @@
+class Kamal::Configuration::Validator::Alias < Kamal::Configuration::Validator
+  def validate!
+    super
+
+    name = context.delete_prefix("aliases/")
+
+    if name !~ /\A[a-z0-9_-]+\z/
+      error "Invalid alias name: '#{name}'. Must only contain lowercase letters, alphanumeric, hyphens and underscores."
+    end
+
+    if Kamal::Cli::Main.commands.include?(name)
+      error "Alias '#{name}' conflicts with a built-in command."
+    end
+  end
+end

data/lib/kamal/configuration/validator/builder.rb

@@ -5,5 +5,11 @@ class Kamal::Configuration::Validator::Builder < Kamal::Configuration::Validator
     if config["cache"] && config["cache"]["type"]
       error "Invalid cache type: #{config["cache"]["type"]}" unless [ "gha", "registry" ].include?(config["cache"]["type"])
     end
+
+    error "Builder arch not set" unless config["arch"].present?
+
+    error "buildpacks only support building for one arch" if config["pack"] && config["arch"].is_a?(Array) && config["arch"].size > 1
+
+    error "Cannot disable local builds, no remote is set" if config["local"] == false && config["remote"].blank?
   end
 end

data/lib/kamal/configuration/validator/proxy.rb

@@ -0,0 +1,25 @@
+class Kamal::Configuration::Validator::Proxy < Kamal::Configuration::Validator
+  def validate!
+    unless config.nil?
+      super
+
+      if config["host"].blank? && config["hosts"].blank? && config["ssl"]
+        error "Must set a host to enable automatic SSL"
+      end
+
+      if (config.keys & [ "host", "hosts" ]).size > 1
+        error "Specify one of 'host' or 'hosts', not both"
+      end
+
+      if config["ssl"].is_a?(Hash)
+        if config["ssl"]["certificate_pem"].present? && config["ssl"]["private_key_pem"].blank?
+          error "Missing private_key_pem setting (required when certificate_pem is present)"
+        end
+
+        if config["ssl"]["private_key_pem"].present? && config["ssl"]["certificate_pem"].blank?
+          error "Missing certificate_pem setting (required when private_key_pem is present)"
+        end
+      end
+    end
+  end
+end

data/lib/kamal/configuration/validator/role.rb

@@ -3,9 +3,11 @@ class Kamal::Configuration::Validator::Role < Kamal::Configuration::Validator
     validate_type! config, Array, Hash
 
     if config.is_a?(Array)
-      validate_servers! "servers", config
+      validate_servers!(config)
     else
       super
+      validate_labels!(config["labels"])
+      validate_docker_options!(config["options"])
     end
   end
 end

data/lib/kamal/configuration/validator/servers.rb

@@ -1,6 +1,6 @@
 class Kamal::Configuration::Validator::Servers < Kamal::Configuration::Validator
   def validate!
-    validate_type! config, Array, Hash
+    validate_type! config, Array, Hash, NilClass
 
     validate_servers! config if config.is_a?(Array)
   end

data/lib/kamal/configuration/validator.rb

@@ -13,32 +13,42 @@ class Kamal::Configuration::Validator
 
   private
     def validate_against_example!(validation_config, example)
-      validate_type! validation_config, Hash
-
-      check_unknown_keys! validation_config, example
-
-      validation_config.each do |key, value|
-        next if extension?(key)
-        with_context(key) do
-          example_value = example[key]
-
-          if example_value == "..."
-            validate_type! value, *(Array if key == :servers), Hash
-          elsif key == "hosts"
-            validate_servers! value
-          elsif example_value.is_a?(Array)
-            validate_array_of! value, example_value.first.class
-          elsif example_value.is_a?(Hash)
-            case key.to_s
-            when "options", "args"
-              validate_type! value, Hash
-            when "labels"
-              validate_hash_of! value, example_value.first[1].class
+      validate_type! validation_config, example.class
+
+      if example.class == Hash
+        check_unknown_keys! validation_config, example
+
+        validation_config.each do |key, value|
+          next if extension?(key)
+          with_context(key) do
+            example_value = example[key]
+
+            if example_value == "..."
+              if key.to_s == "ssl"
+                validate_type! value, TrueClass, FalseClass, Hash
+              elsif key.to_s != "proxy" || !boolean?(value.class)
+                validate_type! value, *(Array if key == :servers), Hash
+              end
+            elsif key == "hosts"
+              validate_servers! value
+            elsif example_value.is_a?(Array)
+              if key == "arch"
+                validate_array_of_or_type! value, example_value.first.class
+              else
+                validate_array_of! value, example_value.first.class
+              end
+            elsif example_value.is_a?(Hash)
+              case key.to_s
+              when "options", "args"
+                validate_type! value, Hash
+              when "labels"
+                validate_hash_of! value, example_value.first[1].class
+              else
+                validate_against_example! value, example_value
+              end
             else
-              validate_against_example! value, example_value
+              validate_type! value, example_value.class
             end
-          else
-            validate_type! value, example_value.class
           end
         end
       end
@@ -69,6 +79,16 @@ class Kamal::Configuration::Validator
       value.is_a?(String) || value.is_a?(Symbol) || value.is_a?(Numeric) || value.is_a?(TrueClass) || value.is_a?(FalseClass)
     end
 
+    def validate_array_of_or_type!(value, type)
+      if value.is_a?(Array)
+        validate_array_of! value, type
+      else
+        validate_type! value, type
+      end
+    rescue Kamal::ConfigurationError
+      type_error(Array, type)
+    end
+
     def validate_array_of!(array, type)
       validate_type! array, Array
 
@@ -150,4 +170,22 @@ class Kamal::Configuration::Validator
       unknown_keys.reject! { |key| extension?(key) } if allow_extensions?
       unknown_keys_error unknown_keys if unknown_keys.present?
     end
+
+    def validate_labels!(labels)
+      return true if labels.blank?
+
+      with_context("labels") do
+        labels.each do |key, _|
+          with_context(key) do
+            error "invalid label. destination, role, and service are reserved labels" if %w[destination role service].include?(key)
+          end
+        end
+      end
+    end
+
+    def validate_docker_options!(options)
+      if options
+        error "Cannot set restart policy in docker options, unless-stopped is required" if options["restart"]
+      end
+    end
 end