kamal 2.2.2 → 2.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7da17dcbc307380fd036004d67e3007ea6824a4b634f161c2882776b5c2020df
-  data.tar.gz: c394f629044adecac7c2bc65a8ea6615269a010d68be8051c4fd4c579e5be686
+  metadata.gz: 246d570a9a6f85698245aa14237986648b39f5e32750bd6f76fd401f96e2398a
+  data.tar.gz: 02a6b0c3aff13021ee86381e5c10bd4f5b7708d8f9c13c92e03ddd46ed5fa9d5
 SHA512:
-  metadata.gz: 41028ff1893c92dfea1d1de5f5289e60fd719f28445f7f827b513482463e364e3640a88003ef68b24b4fcb4f502f88dbb3daf9c4e04d956fc8a03e09d4f64d90
-  data.tar.gz: b6db1eb9d4acbd57ce4fcce79798a2f1ad47cd043e2624c03ee940a86fc32bf49bf0446c70142e98e7d87e06cc5c6ee6dd89448533b5c2577fd2d6ee57faaa87
+  metadata.gz: 31365397457be212570677a8dfa4fd3aac1701a4f251bc989100f4ea043edc0f29265d92c9bdde432b323ceadb62c7ccc491c8f6bc9c88b49d0835d193447f83
+  data.tar.gz: cc6f0cbce224c0234bbaba0ed5bf78001cbb9e888a969154e2728b07b36e8fb6e7a24fa1db2b5a52159f49de5fcee66d28de816ba5b9a8f95285a0e75f08a090

data/lib/kamal/cli/accessory.rb

@@ -18,6 +18,11 @@ class Kamal::Cli::Accessory < Kamal::Cli::Base
             execute *accessory.ensure_env_directory
             upload! accessory.secrets_io, accessory.secrets_path, mode: "0600"
             execute *accessory.run
+
+            if accessory.running_proxy?
+              target = capture_with_info(*accessory.container_id_for(container_name: accessory.service_name, only_running: true)).strip
+              execute *accessory.deploy(target: target)
+            end
           end
         end
       end
@@ -75,6 +80,10 @@ class Kamal::Cli::Accessory < Kamal::Cli::Base
         on(hosts) do
           execute *KAMAL.auditor.record("Started #{name} accessory"), verbosity: :debug
           execute *accessory.start
+          if accessory.running_proxy?
+            target = capture_with_info(*accessory.container_id_for(container_name: accessory.service_name, only_running: true)).strip
+            execute *accessory.deploy(target: target)
+          end
         end
       end
     end
@@ -87,6 +96,11 @@ class Kamal::Cli::Accessory < Kamal::Cli::Base
         on(hosts) do
           execute *KAMAL.auditor.record("Stopped #{name} accessory"), verbosity: :debug
           execute *accessory.stop, raise_on_non_zero_exit: false
+
+          if accessory.running_proxy?
+            target = capture_with_info(*accessory.container_id_for(container_name: accessory.service_name, only_running: true)).strip
+            execute *accessory.remove if target
+          end
         end
       end
     end
@@ -112,14 +126,15 @@ class Kamal::Cli::Accessory < Kamal::Cli::Base
     end
   end
 
-  desc "exec [NAME] [CMD]", "Execute a custom command on servers (use --help to show options)"
+  desc "exec [NAME] [CMD...]", "Execute a custom command on servers within the accessory container (use --help to show options)"
   option :interactive, aliases: "-i", type: :boolean, default: false, desc: "Execute command over ssh for an interactive shell (use for console/bash)"
   option :reuse, type: :boolean, default: false, desc: "Reuse currently running container instead of starting a new one"
-  def exec(name, cmd)
+  def exec(name, *cmd)
+    cmd = Kamal::Utils.join_commands(cmd)
     with_accessory(name) do |accessory, hosts|
       case
       when options[:interactive] && options[:reuse]
-        say "Launching interactive command with via SSH from existing container...", :magenta
+        say "Launching interactive command via SSH from existing container...", :magenta
         run_locally { exec accessory.execute_in_existing_container_over_ssh(cmd) }
 
       when options[:interactive]
@@ -128,16 +143,16 @@ class Kamal::Cli::Accessory < Kamal::Cli::Base
 
       when options[:reuse]
         say "Launching command from existing container...", :magenta
-        on(hosts) do
+        on(hosts) do |host|
           execute *KAMAL.auditor.record("Executed cmd '#{cmd}' on #{name} accessory"), verbosity: :debug
-          capture_with_info(*accessory.execute_in_existing_container(cmd))
+          puts_by_host host, capture_with_info(*accessory.execute_in_existing_container(cmd))
         end
 
       else
         say "Launching command from new container...", :magenta
-        on(hosts) do
+        on(hosts) do |host|
           execute *KAMAL.auditor.record("Executed cmd '#{cmd}' on #{name} accessory"), verbosity: :debug
-          capture_with_info(*accessory.execute_in_new_container(cmd))
+          puts_by_host host, capture_with_info(*accessory.execute_in_new_container(cmd))
         end
       end
     end
@@ -147,7 +162,7 @@ class Kamal::Cli::Accessory < Kamal::Cli::Base
   option :since, aliases: "-s", desc: "Show logs since timestamp (e.g. 2013-01-02T13:23:37Z) or relative (e.g. 42m for 42 minutes)"
   option :lines, type: :numeric, aliases: "-n", desc: "Number of log lines to pull from each server"
   option :grep, aliases: "-g", desc: "Show lines with grep match only (use this to fetch specific requests by id)"
-  option :grep_options, aliases: "-o", desc: "Additional options supplied to grep"
+  option :grep_options, desc: "Additional options supplied to grep"
   option :follow, aliases: "-f", desc: "Follow logs on primary server (or specific host set by --hosts)"
   option :skip_timestamps, type: :boolean, aliases: "-T", desc: "Skip appending timestamps to logging output"
   def logs(name)

data/lib/kamal/cli/app/boot.rb

@@ -45,7 +45,7 @@ class Kamal::Cli::App::Boot
 
     def start_new_version
       audit "Booted app version #{version}"
-      hostname = "#{host.to_s[0...51].gsub(/\.+$/, '')}-#{SecureRandom.hex(6)}"
+      hostname = "#{host.to_s[0...51].chomp(".")}-#{SecureRandom.hex(6)}"
 
       execute *app.ensure_env_directory
       upload! role.secrets_io(host), role.secrets_path, mode: "0600"
@@ -91,7 +91,7 @@ class Kamal::Cli::App::Boot
       if barrier.close
         info "First #{KAMAL.primary_role} container is unhealthy on #{host}, not booting any other roles"
         begin
-          error capture_with_info(*app.logs(version: version))
+          error capture_with_info(*app.logs(container_id: app.container_id_for_version(version)))
           error capture_with_info(*app.container_health_log(version: version))
         rescue SSHKit::Command::Failed
           error "Could not fetch logs for #{version}"

data/lib/kamal/cli/app.rb

@@ -94,9 +94,15 @@ class Kamal::Cli::App < Kamal::Cli::Base
   option :interactive, aliases: "-i", type: :boolean, default: false, desc: "Execute command over ssh for an interactive shell (use for console/bash)"
   option :reuse, type: :boolean, default: false, desc: "Reuse currently running container instead of starting a new one"
   option :env, aliases: "-e", type: :hash, desc: "Set environment variables for the command"
+  option :detach, type: :boolean, default: false, desc: "Execute command in a detached container"
   def exec(*cmd)
+    if (incompatible_options = [ :interactive, :reuse ].select { |key| options[:detach] && options[key] }.presence)
+      raise ArgumentError, "Detach is not compatible with #{incompatible_options.join(" or ")}"
+    end
+
     cmd = Kamal::Utils.join_commands(cmd)
     env = options[:env]
+    detach = options[:detach]
     case
     when options[:interactive] && options[:reuse]
       say "Get current version of running container...", :magenta unless options[:version]
@@ -138,7 +144,7 @@ class Kamal::Cli::App < Kamal::Cli::Base
 
           roles.each do |role|
             execute *KAMAL.auditor.record("Executed cmd '#{cmd}' on app version #{version}"), verbosity: :debug
-            puts_by_host host, capture_with_info(*KAMAL.app(role: role, host: host).execute_in_new_container(cmd, env: env))
+            puts_by_host host, capture_with_info(*KAMAL.app(role: role, host: host).execute_in_new_container(cmd, env: env, detach: detach))
           end
         end
       end
@@ -186,15 +192,17 @@ class Kamal::Cli::App < Kamal::Cli::Base
   option :since, aliases: "-s", desc: "Show lines since timestamp (e.g. 2013-01-02T13:23:37Z) or relative (e.g. 42m for 42 minutes)"
   option :lines, type: :numeric, aliases: "-n", desc: "Number of lines to show from each server"
   option :grep, aliases: "-g", desc: "Show lines with grep match only (use this to fetch specific requests by id)"
-  option :grep_options, aliases: "-o", desc: "Additional options supplied to grep"
+  option :grep_options, desc: "Additional options supplied to grep"
   option :follow, aliases: "-f", desc: "Follow log on primary server (or specific host set by --hosts)"
   option :skip_timestamps, type: :boolean, aliases: "-T", desc: "Skip appending timestamps to logging output"
+  option :container_id, desc: "Docker container ID to fetch logs"
   def logs
     # FIXME: Catch when app containers aren't running
 
     grep = options[:grep]
     grep_options = options[:grep_options]
     since = options[:since]
+    container_id = options[:container_id]
     timestamps = !options[:skip_timestamps]
 
     if options[:follow]
@@ -207,8 +215,8 @@ class Kamal::Cli::App < Kamal::Cli::Base
         role = KAMAL.roles_on(KAMAL.primary_host).first
 
         app = KAMAL.app(role: role, host: host)
-        info app.follow_logs(host: KAMAL.primary_host, timestamps: timestamps, lines: lines, grep: grep, grep_options: grep_options)
-        exec app.follow_logs(host: KAMAL.primary_host, timestamps: timestamps, lines: lines, grep: grep, grep_options: grep_options)
+        info app.follow_logs(host: KAMAL.primary_host, container_id: container_id, timestamps: timestamps, lines: lines, grep: grep, grep_options: grep_options)
+        exec app.follow_logs(host: KAMAL.primary_host, container_id: container_id, timestamps: timestamps, lines: lines, grep: grep, grep_options: grep_options)
       end
     else
       lines = options[:lines].presence || ((since || grep) ? nil : 100) # Default to 100 lines if since or grep isn't set
@@ -218,7 +226,7 @@ class Kamal::Cli::App < Kamal::Cli::Base
 
         roles.each do |role|
           begin
-            puts_by_host host, capture_with_info(*KAMAL.app(role: role, host: host).logs(timestamps: timestamps, since: since, lines: lines, grep: grep, grep_options: grep_options))
+            puts_by_host host, capture_with_info(*KAMAL.app(role: role, host: host).logs(container_id: container_id, timestamps: timestamps, since: since, lines: lines, grep: grep, grep_options: grep_options))
           rescue SSHKit::Command::Failed
             puts_by_host host, "Nothing found"
           end

data/lib/kamal/cli/proxy.rb

@@ -14,7 +14,7 @@ class Kamal::Cli::Proxy < Kamal::Cli::Base
         version = capture_with_info(*KAMAL.proxy.version).strip.presence
 
         if version && Kamal::Utils.older_version?(version, Kamal::Configuration::PROXY_MINIMUM_VERSION)
-          raise "kamal-proxy version #{version} is too old, please reboot to update to at least #{Kamal::Configuration::PROXY_MINIMUM_VERSION}"
+          raise "kamal-proxy version #{version} is too old, run `kamal proxy reboot` in order to update to at least #{Kamal::Configuration::PROXY_MINIMUM_VERSION}"
         end
         execute *KAMAL.proxy.start_or_run
       end

data/lib/kamal/cli/secrets.rb

@@ -1,11 +1,17 @@
 class Kamal::Cli::Secrets < Kamal::Cli::Base
   desc "fetch [SECRETS...]", "Fetch secrets from a vault"
   option :adapter, type: :string, aliases: "-a", required: true, desc: "Which vault adapter to use"
-  option :account, type: :string, required: true, desc: "The account identifier or username"
+  option :account, type: :string, required: false, desc: "The account identifier or username"
   option :from, type: :string, required: false, desc: "A vault or folder to fetch the secrets from"
   option :inline, type: :boolean, required: false, hidden: true
   def fetch(*secrets)
-    results = adapter(options[:adapter]).fetch(secrets, **options.slice(:account, :from).symbolize_keys)
+    adapter = initialize_adapter(options[:adapter])
+
+    if adapter.requires_account? && options[:account].blank?
+      return puts "No value provided for required options '--account'"
+    end
+
+    results = adapter.fetch(secrets, **options.slice(:account, :from).symbolize_keys)
 
     return_or_puts JSON.dump(results).shellescape, inline: options[:inline]
   end
@@ -29,7 +35,7 @@ class Kamal::Cli::Secrets < Kamal::Cli::Base
   end
 
   private
-    def adapter(adapter)
+    def initialize_adapter(adapter)
       Kamal::Secrets::Adapters.lookup(adapter)
     end
 

data/lib/kamal/cli/templates/deploy.yml

@@ -13,13 +13,14 @@ servers:
   #     - 192.168.0.1
   #   cmd: bin/jobs
 
-# Enable SSL auto certification via Let's Encrypt (and allow for multiple apps on one server).
-# If using something like Cloudflare, it is recommended to set encryption mode 
-# in Cloudflare's SSL/TLS setting to "Full" to enable end-to-end encryption. 
-proxy: 
+# Enable SSL auto certification via Let's Encrypt and allow for multiple apps on a single web server.
+# Remove this section when using multiple web servers and ensure you terminate SSL at your load balancer.
+#
+# Note: If using Cloudflare, set encryption mode in SSL/TLS setting to "Full" to enable CF-to-app encryption.
+proxy:
   ssl: true
   host: app.example.com
-  # kamal-proxy connects to your container over port 80, use `app_port` to specify a different port.
+  # Proxy connects to your container on port 80 by default.
   # app_port: 3000
 
 # Credentials for your image host.
@@ -35,6 +36,9 @@ registry:
 # Configure builder setup.
 builder:
   arch: amd64
+  # Pass in additional build args needed for your Dockerfile.
+  # args:
+  #   RUBY_VERSION: <%= File.read('.ruby-version').strip %>
 
 # Inject ENV variables into containers (secrets come from .kamal/secrets).
 #
@@ -90,7 +94,7 @@ builder:
 #     directories:
 #       - data:/var/lib/mysql
 #   redis:
-#     image: redis:7.0
+#     image: valkey/valkey:8
 #     host: 192.168.0.2
 #     port: 6379
 #     directories:

data/lib/kamal/commands/accessory/proxy.rb

@@ -0,0 +1,16 @@
+module Kamal::Commands::Accessory::Proxy
+  delegate :proxy_container_name, to: :config
+
+  def deploy(target:)
+    proxy_exec :deploy, service_name, *proxy.deploy_command_args(target: target)
+  end
+
+  def remove
+    proxy_exec :remove, service_name
+  end
+
+  private
+    def proxy_exec(*command)
+      docker :exec, proxy_container_name, "kamal-proxy", *command
+    end
+end

data/lib/kamal/commands/accessory.rb

@@ -1,9 +1,13 @@
 class Kamal::Commands::Accessory < Kamal::Commands::Base
+  include Proxy
+
   attr_reader :accessory_config
   delegate :service_name, :image, :hosts, :port, :files, :directories, :cmd,
-           :publish_args, :env_args, :volume_args, :label_args, :option_args,
-           :secrets_io, :secrets_path, :env_directory,
+           :network_args, :publish_args, :env_args, :volume_args, :label_args, :option_args,
+           :secrets_io, :secrets_path, :env_directory, :proxy, :running_proxy?,
            to: :accessory_config
+  delegate :proxy_container_name, to: :config
+
 
   def initialize(config, name:)
     super(config)
@@ -15,7 +19,7 @@ class Kamal::Commands::Accessory < Kamal::Commands::Base
       "--name", service_name,
       "--detach",
       "--restart", "unless-stopped",
-      "--network", "kamal",
+      *network_args,
       *config.logging_args,
       *publish_args,
       *env_args,
@@ -64,7 +68,7 @@ class Kamal::Commands::Accessory < Kamal::Commands::Base
     docker :run,
       ("-it" if interactive),
       "--rm",
-      "--network", "kamal",
+      *network_args,
       *env_args,
       *volume_args,
       image,

data/lib/kamal/commands/app/containers.rb

@@ -2,7 +2,7 @@ module Kamal::Commands::App::Containers
   DOCKER_HEALTH_LOG_FORMAT    = "'{{json .State.Health}}'"
 
   def list_containers
-    docker :container, :ls, "--all", *filter_args
+    docker :container, :ls, "--all", *container_filter_args
   end
 
   def list_container_names
@@ -20,7 +20,7 @@ module Kamal::Commands::App::Containers
   end
 
   def remove_containers
-    docker :container, :prune, "--force", *filter_args
+    docker :container, :prune, "--force", *container_filter_args
   end
 
   def container_health_log(version:)

data/lib/kamal/commands/app/execution.rb

@@ -7,13 +7,15 @@ module Kamal::Commands::App::Execution
       *command
   end
 
-  def execute_in_new_container(*command, interactive: false, env:)
+  def execute_in_new_container(*command, interactive: false, detach: false, env:)
     docker :run,
       ("-it" if interactive),
-      "--rm",
+      ("--detach" if detach),
+      ("--rm" unless detach),
       "--network", "kamal",
       *role&.env_args(host),
       *argumentize("--env", env),
+      *role.logging_args,
       *config.volume_args,
       *role&.option_args,
       config.absolute_image,

data/lib/kamal/commands/app/images.rb

@@ -4,7 +4,7 @@ module Kamal::Commands::App::Images
   end
 
   def remove_images
-    docker :image, :prune, "--all", "--force", *filter_args
+    docker :image, :prune, "--all", "--force", *image_filter_args
   end
 
   def tag_latest_image

data/lib/kamal/commands/app/logging.rb

@@ -1,18 +1,28 @@
 module Kamal::Commands::App::Logging
-  def logs(version: nil, timestamps: true, since: nil, lines: nil, grep: nil, grep_options: nil)
+  def logs(container_id: nil, timestamps: true, since: nil, lines: nil, grep: nil, grep_options: nil)
     pipe \
-      version ? container_id_for_version(version) : current_running_container_id,
+      container_id_command(container_id),
       "xargs docker logs#{" --timestamps" if timestamps}#{" --since #{since}" if since}#{" --tail #{lines}" if lines} 2>&1",
       ("grep '#{grep}'#{" #{grep_options}" if grep_options}" if grep)
   end
 
-  def follow_logs(host:, timestamps: true, lines: nil, grep: nil, grep_options: nil)
+  def follow_logs(host:, container_id: nil, timestamps: true, lines: nil, grep: nil, grep_options: nil)
     run_over_ssh \
       pipe(
-        current_running_container_id,
+        container_id_command(container_id),
         "xargs docker logs#{" --timestamps" if timestamps}#{" --tail #{lines}" if lines} --follow 2>&1",
         (%(grep "#{grep}"#{" #{grep_options}" if grep_options}) if grep)
       ),
       host: host
   end
+
+  private
+
+  def container_id_command(container_id)
+    case container_id
+    when Array then container_id
+    when String, Symbol then "echo #{container_id}"
+    else current_running_container_id
+    end
+  end
 end

data/lib/kamal/commands/app.rb

@@ -47,7 +47,7 @@ class Kamal::Commands::App < Kamal::Commands::Base
   end
 
   def info
-    docker :ps, *filter_args
+    docker :ps, *container_filter_args
   end
 
 
@@ -67,7 +67,7 @@ class Kamal::Commands::App < Kamal::Commands::Base
 
   def list_versions(*docker_args, statuses: nil)
     pipe \
-      docker(:ps, *filter_args(statuses: statuses), *docker_args, "--format", '"{{.Names}}"'),
+      docker(:ps, *container_filter_args(statuses: statuses), *docker_args, "--format", '"{{.Names}}"'),
       extract_version_from_name
   end
 
@@ -91,11 +91,15 @@ class Kamal::Commands::App < Kamal::Commands::Base
     end
 
     def latest_container(format:, filters: nil)
-      docker :ps, "--latest", *format, *filter_args(statuses: ACTIVE_DOCKER_STATUSES), argumentize("--filter", filters)
+      docker :ps, "--latest", *format, *container_filter_args(statuses: ACTIVE_DOCKER_STATUSES), argumentize("--filter", filters)
     end
 
-    def filter_args(statuses: nil)
-      argumentize "--filter", filters(statuses: statuses)
+    def container_filter_args(statuses: nil)
+      argumentize "--filter", container_filters(statuses: statuses)
+    end
+
+    def image_filter_args
+      argumentize "--filter", image_filters
     end
 
     def extract_version_from_name
@@ -103,13 +107,17 @@ class Kamal::Commands::App < Kamal::Commands::Base
       %(while read line; do echo ${line##{role.container_prefix}-}; done)
     end
 
-    def filters(statuses: nil)
+    def container_filters(statuses: nil)
       [ "label=service=#{config.service}" ].tap do |filters|
-        filters << "label=destination=#{config.destination}" if config.destination
+        filters << "label=destination=#{config.destination}"
         filters << "label=role=#{role}" if role
         statuses&.each do |status|
           filters << "status=#{status}"
         end
       end
     end
+
+    def image_filters
+      [ "label=service=#{config.service}" ]
+    end
 end

data/lib/kamal/commands/base.rb

@@ -11,7 +11,7 @@ module Kamal::Commands
     end
 
     def run_over_ssh(*command, host:)
-      "ssh#{ssh_proxy_args} -t #{config.ssh.user}@#{host} -p #{config.ssh.port} '#{command.join(" ").gsub("'", "'\\\\''")}'"
+      "ssh#{ssh_proxy_args}#{ssh_keys_args} -t #{config.ssh.user}@#{host} -p #{config.ssh.port} '#{command.join(" ").gsub("'", "'\\\\''")}'"
     end
 
     def container_id_for(container_name:, only_running: false)
@@ -94,5 +94,15 @@ module Kamal::Commands
           " -o ProxyCommand='#{config.ssh.proxy.command_line_template}'"
         end
       end
+
+      def ssh_keys_args
+        "#{ ssh_keys.join("") if ssh_keys}" + "#{" -o IdentitiesOnly=yes" if config.ssh&.keys_only}"
+      end
+
+      def ssh_keys
+        config.ssh.keys&.map do |key|
+          " -i #{key}"
+        end
+      end
   end
 end

data/lib/kamal/commands/builder/base.rb

@@ -6,7 +6,7 @@ class Kamal::Commands::Builder::Base < Kamal::Commands::Base
   delegate :argumentize, to: Kamal::Utils
   delegate \
     :args, :secrets, :dockerfile, :target, :arches, :local_arches, :remote_arches, :remote,
-    :cache_from, :cache_to, :ssh, :driver, :docker_driver?,
+    :cache_from, :cache_to, :ssh, :provenance, :sbom, :driver, :docker_driver?,
     to: :builder_config
 
   def clean
@@ -37,7 +37,7 @@ class Kamal::Commands::Builder::Base < Kamal::Commands::Base
   end
 
   def build_options
-    [ *build_tags, *build_cache, *build_labels, *build_args, *build_secrets, *build_dockerfile, *build_target, *build_ssh ]
+    [ *build_tags, *build_cache, *build_labels, *build_args, *build_secrets, *build_dockerfile, *build_target, *build_ssh, *builder_provenance, *builder_sbom ]
   end
 
   def build_context
@@ -97,6 +97,14 @@ class Kamal::Commands::Builder::Base < Kamal::Commands::Base
       argumentize "--ssh", ssh if ssh.present?
     end
 
+    def builder_provenance
+      argumentize "--provenance", provenance unless provenance.nil?
+    end
+
+    def builder_sbom
+      argumentize "--sbom", sbom unless sbom.nil?
+    end
+
     def builder_config
       config.builder
     end

data/lib/kamal/configuration/accessory.rb

@@ -1,9 +1,11 @@
 class Kamal::Configuration::Accessory
   include Kamal::Configuration::Validation
 
+  DEFAULT_NETWORK = "kamal"
+
   delegate :argumentize, :optionize, to: Kamal::Utils
 
-  attr_reader :name, :accessory_config, :env
+  attr_reader :name, :accessory_config, :env, :proxy
 
   def initialize(name, config:)
     @name, @config, @accessory_config = name.inquiry, config, config.raw_config["accessories"][name]
@@ -18,6 +20,8 @@ class Kamal::Configuration::Accessory
       config: accessory_config.fetch("env", {}),
       secrets: config.secrets,
       context: "accessories/#{name}/env"
+
+    initialize_proxy if running_proxy?
   end
 
   def service_name
@@ -38,6 +42,10 @@ class Kamal::Configuration::Accessory
     end
   end
 
+  def network_args
+    argumentize "--network", network
+  end
+
   def publish_args
     argumentize "--publish", port if port
   end
@@ -100,6 +108,17 @@ class Kamal::Configuration::Accessory
     accessory_config["cmd"]
   end
 
+  def running_proxy?
+    @accessory_config["proxy"].present?
+  end
+
+  def initialize_proxy
+    @proxy = Kamal::Configuration::Proxy.new \
+      config: config,
+      proxy_config: accessory_config["proxy"],
+      context: "accessories/#{name}/proxy"
+  end
+
   private
     attr_accessor :config
 
@@ -123,7 +142,7 @@ class Kamal::Configuration::Accessory
     end
 
     def read_dynamic_file(local_file)
-      StringIO.new(ERB.new(IO.read(local_file)).result)
+      StringIO.new(ERB.new(File.read(local_file)).result)
     end
 
     def expand_remote_file(remote_file)
@@ -170,7 +189,13 @@ class Kamal::Configuration::Accessory
 
     def hosts_from_roles
       if accessory_config.key?("roles")
-        accessory_config["roles"].flat_map { |role| config.role(role).hosts }
+        accessory_config["roles"].flat_map do |role|
+          config.role(role)&.hosts || raise(Kamal::ConfigurationError, "Unknown role in accessories config: '#{role}'")
+        end
       end
     end
+
+    def network
+      accessory_config["network"] || DEFAULT_NETWORK
+    end
 end

data/lib/kamal/configuration/builder.rb

@@ -111,6 +111,14 @@ class Kamal::Configuration::Builder
     builder_config["ssh"]
   end
 
+  def provenance
+    builder_config["provenance"]
+  end
+
+  def sbom
+    builder_config["sbom"]
+  end
+
   def git_clone?
     Kamal::Git.used? && builder_config["context"].nil?
   end
@@ -166,7 +174,7 @@ class Kamal::Configuration::Builder
     end
 
     def cache_to_config_for_registry
-      [ "type=registry", builder_config["cache"]&.fetch("options", nil), "ref=#{cache_image_ref}" ].compact.join(",")
+      [ "type=registry", "ref=#{cache_image_ref}", builder_config["cache"]&.fetch("options", nil) ].compact.join(",")
     end
 
     def repo_basename

data/lib/kamal/configuration/docs/accessory.yml

@@ -43,8 +43,8 @@ accessories:
 
     # Port mappings
     #
-    # See https://docs.docker.com/network/, and especially note the warning about the security
-    # implications of exposing ports publicly.
+    # See [https://docs.docker.com/network/](https://docs.docker.com/network/), and
+    # especially note the warning about the security implications of exposing ports publicly.
     port: "127.0.0.1:3306:3306"
 
     # Labels
@@ -90,3 +90,15 @@ accessories:
     # They are not created or copied before mounting:
     volumes:
       - /path/to/mysql-logs:/var/log/mysql
+
+    # Network
+    #
+    # The network the accessory will be attached to.
+    #
+    # Defaults to kamal:
+    network: custom
+
+    # Proxy
+    #
+    proxy:
+      ...

data/lib/kamal/configuration/docs/alias.yml

@@ -5,12 +5,12 @@
 # For example, for a Rails app, you might open a console with:
 #
 # ```shell
-# kamal app exec -i -r console "rails console"
+# kamal app exec -i --reuse "bin/rails console"
 # ```
 #
 # By defining an alias, like this:
 aliases:
-  console: app exec -r console -i "rails console"
+  console: app exec -i --reuse "bin/rails console"
 # You can now open the console with:
 #
 # ```shell

data/lib/kamal/configuration/docs/builder.yml

@@ -102,3 +102,15 @@ builder:
   #
   # The build driver to use, defaults to `docker-container`:
   driver: docker
+
+  # Provenance
+  #
+  # It is used to configure provenance attestations for the build result.
+  # The value can also be a boolean to enable or disable provenance attestations.
+  provenance: mode=max
+
+  # SBOM (Software Bill of Materials)
+  #
+  # It is used to configure SBOM generation for the build result.
+  # The value can also be a boolean to enable or disable SBOM generation.
+  sbom: true

data/lib/kamal/configuration/docs/proxy.yml

@@ -46,9 +46,22 @@ proxy:
   # The host value must point to the server we are deploying to, and port 443 must be
   # open for the Let's Encrypt challenge to succeed.
   #
+  # If you set `ssl` to `true`, `kamal-proxy` will stop forwarding headers to your app,
+  # unless you explicitly set `forward_headers: true`
+  #
   # Defaults to `false`:
   ssl: true
 
+  # Forward headers
+  #
+  # Whether to forward the `X-Forwarded-For` and `X-Forwarded-Proto` headers.
+  #
+  # If you are behind a trusted proxy, you can set this to `true` to forward the headers.
+  #
+  # By default, kamal-proxy will not forward the headers if the `ssl` option is set to `true`, and
+  # will forward them if it is set to `false`.
+  forward_headers: true
+
   # Response timeout
   #
   # How long to wait for requests to complete before timing out, defaults to 30 seconds:
@@ -93,13 +106,3 @@ proxy:
     response_headers:
       - X-Request-ID
       - X-Request-Start
-
-  # Forward headers
-  #
-  # Whether to forward the `X-Forwarded-For` and `X-Forwarded-Proto` headers.
-  #
-  # If you are behind a trusted proxy, you can set this to `true` to forward the headers.
-  #
-  # By default, kamal-proxy will not forward the headers if the `ssl` option is set to `true`, and
-  # will forward them if it is set to `false`.
-  forward_headers: true

data/lib/kamal/configuration/docs/registry.yml

@@ -2,6 +2,10 @@
 #
 # The default registry is Docker Hub, but you can change it using `registry/server`.
 #
+# By default, Docker Hub creates public repositories. To avoid making your images public,
+# set up a private repository before deploying, or change the default repository privacy
+# settings to private in your [Docker Hub settings](https://hub.docker.com/repository-settings/default-privacy).
+#
 # A reference to a secret (in this case, `DOCKER_REGISTRY_TOKEN`) will look up the secret
 # in the local environment:
 registry:

data/lib/kamal/configuration.rb

@@ -14,7 +14,7 @@ class Kamal::Configuration
 
   include Validation
 
-  PROXY_MINIMUM_VERSION = "v0.8.1"
+  PROXY_MINIMUM_VERSION = "v0.8.4"
   PROXY_HTTP_PORT = 80
   PROXY_HTTPS_PORT = 443
   PROXY_LOG_MAX_SIZE = "10m"
@@ -37,7 +37,7 @@ class Kamal::Configuration
         if file.exist?
           # Newer Psych doesn't load aliases by default
           load_method = YAML.respond_to?(:unsafe_load) ? :unsafe_load : :load
-          YAML.send(load_method, ERB.new(IO.read(file)).result).symbolize_keys
+          YAML.send(load_method, ERB.new(File.read(file)).result).symbolize_keys
         else
           raise "Configuration file not found in #{file}"
         end
@@ -254,7 +254,7 @@ class Kamal::Configuration
   end
 
   def proxy_logging_args(max_size)
-    argumentize "--log-opt", "max-size=#{max_size}"
+    argumentize "--log-opt", "max-size=#{max_size}" if max_size.present?
   end
 
   def proxy_options_default

data/lib/kamal/env_file.rb

@@ -37,6 +37,8 @@ class Kamal::EnvFile
     def escape_docker_env_file_ascii_value(value)
       # Doublequotes are treated literally in docker env files
       # so remove leading and trailing ones and unescape any others
-      value.to_s.dump[1..-2].gsub(/\\"/, "\"")
+      value.to_s.dump[1..-2]
+        .gsub(/\\"/, "\"")
+        .gsub(/\\#/, "#")
     end
 end

data/lib/kamal/secrets/adapters/aws_secrets_manager.rb

@@ -0,0 +1,42 @@
+class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Base
+  private
+    def login(_account)
+      nil
+    end
+
+    def fetch_secrets(secrets, account:, session:)
+      {}.tap do |results|
+        get_from_secrets_manager(secrets, account: account).each do |secret|
+          secret_name = secret["Name"]
+          secret_string = JSON.parse(secret["SecretString"])
+
+          secret_string.each do |key, value|
+            results["#{secret_name}/#{key}"] = value
+          end
+        rescue JSON::ParserError
+          results["#{secret_name}"] = secret["SecretString"]
+        end
+      end
+    end
+
+    def get_from_secrets_manager(secrets, account:)
+      `aws secretsmanager batch-get-secret-value --secret-id-list #{secrets.map(&:shellescape).join(" ")} --profile #{account.shellescape}`.tap do |secrets|
+        raise RuntimeError, "Could not read #{secrets} from AWS Secrets Manager" unless $?.success?
+
+        secrets = JSON.parse(secrets)
+
+        return secrets["SecretValues"] unless secrets["Errors"].present?
+
+        raise RuntimeError, secrets["Errors"].map { |error| "#{error['SecretId']}: #{error['Message']}" }.join(" ")
+      end
+    end
+
+    def check_dependencies!
+      raise RuntimeError, "AWS CLI is not installed" unless cli_installed?
+    end
+
+    def cli_installed?
+      `aws --version 2> /dev/null`
+      $?.success?
+    end
+end

data/lib/kamal/secrets/adapters/base.rb

@@ -1,12 +1,20 @@
 class Kamal::Secrets::Adapters::Base
   delegate :optionize, to: Kamal::Utils
 
-  def fetch(secrets, account:, from: nil)
+  def fetch(secrets, account: nil, from: nil)
+    raise RuntimeError, "Missing required option '--account'" if requires_account? && account.blank?
+
+    check_dependencies!
+
     session = login(account)
     full_secrets = secrets.map { |secret| [ from, secret ].compact.join("/") }
     fetch_secrets(full_secrets, account: account, session: session)
   end
 
+  def requires_account?
+    true
+  end
+
   private
     def login(...)
       raise NotImplementedError
@@ -15,4 +23,8 @@ class Kamal::Secrets::Adapters::Base
     def fetch_secrets(...)
       raise NotImplementedError
     end
+
+    def check_dependencies!
+      raise NotImplementedError
+    end
 end

data/lib/kamal/secrets/adapters/bitwarden.rb

@@ -25,18 +25,15 @@ class Kamal::Secrets::Adapters::Bitwarden < Kamal::Secrets::Adapters::Base
       {}.tap do |results|
         items_fields(secrets).each do |item, fields|
           item_json = run_command("get item #{item.shellescape}", session: session, raw: true)
-          raise RuntimeError, "Could not read #{secret} from Bitwarden" unless $?.success?
+          raise RuntimeError, "Could not read #{item} from Bitwarden" unless $?.success?
           item_json = JSON.parse(item_json)
-
           if fields.any?
-            fields.each do |field|
-              item_field = item_json["fields"].find { |f| f["name"] == field }
-              raise RuntimeError, "Could not find field #{field} in item #{item} in Bitwarden" unless item_field
-              value = item_field["value"]
-              results["#{item}/#{field}"] = value
-            end
+            results.merge! fetch_secrets_from_fields(fields, item, item_json)
           elsif item_json.dig("login", "password")
             results[item] = item_json.dig("login", "password")
+          elsif item_json["fields"]&.any?
+            fields = item_json["fields"].pluck("name")
+            results.merge! fetch_secrets_from_fields(fields, item, item_json)
           else
             raise RuntimeError, "Item #{item} is not a login type item and no fields were specified"
           end
@@ -44,6 +41,15 @@ class Kamal::Secrets::Adapters::Bitwarden < Kamal::Secrets::Adapters::Base
       end
     end
 
+    def fetch_secrets_from_fields(fields, item, item_json)
+      fields.to_h do |field|
+        item_field = item_json["fields"].find { |f| f["name"] == field }
+        raise RuntimeError, "Could not find field #{field} in item #{item} in Bitwarden" unless item_field
+        value = item_field["value"]
+        [ "#{item}/#{field}", value ]
+      end
+    end
+
     def items_fields(secrets)
       {}.tap do |items|
         secrets.each do |secret|
@@ -63,4 +69,13 @@ class Kamal::Secrets::Adapters::Bitwarden < Kamal::Secrets::Adapters::Base
       result = `#{full_command}`.strip
       raw ? result : JSON.parse(result)
     end
+
+    def check_dependencies!
+      raise RuntimeError, "Bitwarden CLI is not installed" unless cli_installed?
+    end
+
+    def cli_installed?
+      `bw --version 2> /dev/null`
+      $?.success?
+    end
 end

data/lib/kamal/secrets/adapters/doppler.rb

@@ -0,0 +1,53 @@
+class Kamal::Secrets::Adapters::Doppler < Kamal::Secrets::Adapters::Base
+  def requires_account?
+    false
+  end
+
+  private
+    def login(*)
+      unless loggedin?
+        `doppler login -y`
+        raise RuntimeError, "Failed to login to Doppler" unless $?.success?
+      end
+    end
+
+    def loggedin?
+      `doppler me --json 2> /dev/null`
+      $?.success?
+    end
+
+    def fetch_secrets(secrets, **)
+      project_and_config_flags = ""
+      unless service_token_set?
+        project, config, _ = secrets.first.split("/")
+
+        unless project && config
+          raise RuntimeError, "Missing project or config from '--from=project/config' option"
+        end
+
+        project_and_config_flags = "-p #{project.shellescape} -c #{config.shellescape}"
+      end
+
+      secret_names = secrets.collect { |s| s.split("/").last }
+
+      items = `doppler secrets get #{secret_names.map(&:shellescape).join(" ")} --json #{project_and_config_flags}`
+      raise RuntimeError, "Could not read #{secrets} from Doppler" unless $?.success?
+
+      items = JSON.parse(items)
+
+      items.transform_values { |value| value["computed"] }
+    end
+
+    def service_token_set?
+      ENV["DOPPLER_TOKEN"] && ENV["DOPPLER_TOKEN"][0, 5] == "dp.st"
+    end
+
+    def check_dependencies!
+      raise RuntimeError, "Doppler CLI is not installed" unless cli_installed?
+    end
+
+    def cli_installed?
+      `doppler --version 2> /dev/null`
+      $?.success?
+    end
+end

data/lib/kamal/secrets/adapters/last_pass.rb

@@ -27,4 +27,13 @@ class Kamal::Secrets::Adapters::LastPass < Kamal::Secrets::Adapters::Base
         end
       end
     end
+
+    def check_dependencies!
+      raise RuntimeError, "LastPass CLI is not installed" unless cli_installed?
+    end
+
+    def cli_installed?
+      `lpass --version 2> /dev/null`
+      $?.success?
+    end
 end

data/lib/kamal/secrets/adapters/one_password.rb

@@ -58,4 +58,13 @@ class Kamal::Secrets::Adapters::OnePassword < Kamal::Secrets::Adapters::Base
         raise RuntimeError, "Could not read #{fields.join(", ")} from #{item} in the #{vault} 1Password vault" unless $?.success?
       end
     end
+
+    def check_dependencies!
+      raise RuntimeError, "1Password CLI is not installed" unless cli_installed?
+    end
+
+    def cli_installed?
+      `op --version 2> /dev/null`
+      $?.success?
+    end
 end

data/lib/kamal/secrets/adapters/test.rb

@@ -7,4 +7,8 @@ class Kamal::Secrets::Adapters::Test < Kamal::Secrets::Adapters::Base
     def fetch_secrets(secrets, account:, session:)
       secrets.to_h { |secret| [ secret, secret.reverse ] }
     end
+
+    def check_dependencies!
+      # no op
+    end
 end

data/lib/kamal/secrets/adapters/test_optional_account.rb

@@ -0,0 +1,5 @@
+class Kamal::Secrets::Adapters::TestOptionalAccount < Kamal::Secrets::Adapters::Test
+  def requires_account?
+    false
+  end
+end

data/lib/kamal/secrets.rb

@@ -1,13 +1,10 @@
 require "dotenv"
 
 class Kamal::Secrets
-  attr_reader :secrets_files
-
   Kamal::Secrets::Dotenv::InlineCommandSubstitution.install!
 
   def initialize(destination: nil)
-    @secrets_files = \
-      [ ".kamal/secrets-common", ".kamal/secrets#{(".#{destination}" if destination)}" ].select { |f| File.exist?(f) }
+    @destination = destination
     @mutex = Mutex.new
   end
 
@@ -17,10 +14,10 @@ class Kamal::Secrets
       secrets.fetch(key)
     end
   rescue KeyError
-    if secrets_files
+    if secrets_files.present?
       raise Kamal::ConfigurationError, "Secret '#{key}' not found in #{secrets_files.join(", ")}"
     else
-      raise Kamal::ConfigurationError, "Secret '#{key}' not found, no secret files provided"
+      raise Kamal::ConfigurationError, "Secret '#{key}' not found, no secret files (#{secrets_filenames.join(", ")}) provided"
     end
   end
 
@@ -28,10 +25,18 @@ class Kamal::Secrets
     secrets
   end
 
+  def secrets_files
+    @secrets_files ||= secrets_filenames.select { |f| File.exist?(f) }
+  end
+
   private
     def secrets
       @secrets ||= secrets_files.inject({}) do |secrets, secrets_file|
-        secrets.merge!(::Dotenv.parse(secrets_file))
+        secrets.merge!(::Dotenv.parse(secrets_file, overwrite: true))
       end
     end
+
+    def secrets_filenames
+      [ ".kamal/secrets-common", ".kamal/secrets#{(".#{@destination}" if @destination)}" ]
+    end
 end

data/lib/kamal/utils.rb

@@ -12,6 +12,8 @@ module Kamal::Utils
         attr = "#{key}=#{escape_shell_value(value)}"
         attr = self.sensitive(attr, redaction: "#{key}=[REDACTED]") if sensitive
         [ argument, attr ]
+      elsif value == false
+        [ argument, "#{key}=false" ]
       else
         [ argument, key ]
       end

data/lib/kamal/version.rb

@@ -1,3 +1,3 @@
 module Kamal
-  VERSION = "2.2.2"
+  VERSION = "2.4.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kamal
 version: !ruby/object:Gem::Version
-  version: 2.2.2
+  version: 2.4.0
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-10-10 00:00:00.000000000 Z
+date: 2024-12-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -50,14 +50,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '7.0'
+        version: '7.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '7.0'
+        version: '7.3'
 - !ruby/object:Gem::Dependency
   name: thor
   requirement: !ruby/object:Gem::Requirement
@@ -90,16 +90,22 @@ dependencies:
   name: zeitwerk
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.6.18
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '2.5'
+        version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.6.18
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '2.5'
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: ed25519
   requirement: !ruby/object:Gem::Requirement
@@ -241,6 +247,7 @@ files:
 - lib/kamal/commander/specifics.rb
 - lib/kamal/commands.rb
 - lib/kamal/commands/accessory.rb
+- lib/kamal/commands/accessory/proxy.rb
 - lib/kamal/commands/app.rb
 - lib/kamal/commands/app/assets.rb
 - lib/kamal/commands/app/containers.rb
@@ -306,11 +313,14 @@ files:
 - lib/kamal/git.rb
 - lib/kamal/secrets.rb
 - lib/kamal/secrets/adapters.rb
+- lib/kamal/secrets/adapters/aws_secrets_manager.rb
 - lib/kamal/secrets/adapters/base.rb
 - lib/kamal/secrets/adapters/bitwarden.rb
+- lib/kamal/secrets/adapters/doppler.rb
 - lib/kamal/secrets/adapters/last_pass.rb
 - lib/kamal/secrets/adapters/one_password.rb
 - lib/kamal/secrets/adapters/test.rb
+- lib/kamal/secrets/adapters/test_optional_account.rb
 - lib/kamal/secrets/dotenv/inline_command_substitution.rb
 - lib/kamal/sshkit_with_ext.rb
 - lib/kamal/tags.rb