kamal 2.3.0 → 2.7.0

data/lib/kamal/configuration/proxy.rb

@@ -6,11 +6,14 @@ class Kamal::Configuration::Proxy
 
   delegate :argumentize, :optionize, to: Kamal::Utils
 
-  attr_reader :config, :proxy_config
+  attr_reader :config, :proxy_config, :role_name, :secrets
 
-  def initialize(config:, proxy_config:, context: "proxy")
+  def initialize(config:, proxy_config:, role_name: nil, secrets:, context: "proxy")
     @config = config
     @proxy_config = proxy_config
+    @proxy_config = {} if @proxy_config.nil?
+    @role_name = role_name
+    @secrets = secrets
     validate! @proxy_config, with: Kamal::Configuration::Validator::Proxy, context: context
   end
 
@@ -26,10 +29,46 @@ class Kamal::Configuration::Proxy
     proxy_config["hosts"] || proxy_config["host"]&.split(",") || []
   end
 
+  def custom_ssl_certificate?
+    ssl = proxy_config["ssl"]
+    return false unless ssl.is_a?(Hash)
+    ssl["certificate_pem"].present? && ssl["private_key_pem"].present?
+  end
+
+  def certificate_pem_content
+    ssl = proxy_config["ssl"]
+    return nil unless ssl.is_a?(Hash)
+    secrets[ssl["certificate_pem"]]
+  end
+
+  def private_key_pem_content
+    ssl = proxy_config["ssl"]
+    return nil unless ssl.is_a?(Hash)
+    secrets[ssl["private_key_pem"]]
+  end
+
+  def host_tls_cert
+    tls_path(config.proxy_boot.tls_directory, "cert.pem")
+  end
+
+  def host_tls_key
+    tls_path(config.proxy_boot.tls_directory, "key.pem")
+  end
+
+  def container_tls_cert
+    tls_path(config.proxy_boot.tls_container_directory, "cert.pem")
+  end
+
+  def container_tls_key
+    tls_path(config.proxy_boot.tls_container_directory, "key.pem") if custom_ssl_certificate?
+  end
+
   def deploy_options
     {
       host: hosts,
-      tls: proxy_config["ssl"].presence,
+      tls: ssl? ? true : nil,
+      "tls-certificate-path": container_tls_cert,
+      "tls-private-key-path": container_tls_key,
       "deploy-timeout": seconds_duration(config.deploy_timeout),
       "drain-timeout": seconds_duration(config.drain_timeout),
       "health-check-interval": seconds_duration(proxy_config.dig("healthcheck", "interval")),
@@ -41,9 +80,13 @@ class Kamal::Configuration::Proxy
       "buffer-memory": proxy_config.dig("buffering", "memory"),
       "max-request-body": proxy_config.dig("buffering", "max_request_body"),
       "max-response-body": proxy_config.dig("buffering", "max_response_body"),
+      "path-prefix": proxy_config.dig("path_prefix"),
+      "strip-path-prefix": proxy_config.dig("strip_path_prefix"),
       "forward-headers": proxy_config.dig("forward_headers"),
+      "tls-redirect": proxy_config.dig("ssl_redirect"),
       "log-request-header": proxy_config.dig("logging", "request_headers") || DEFAULT_LOG_REQUEST_HEADERS,
-      "log-response-header": proxy_config.dig("logging", "response_headers")
+      "log-response-header": proxy_config.dig("logging", "response_headers"),
+      "error-pages": error_pages
     }.compact
   end
 
@@ -51,12 +94,31 @@ class Kamal::Configuration::Proxy
     optionize ({ target: "#{target}:#{app_port}" }).merge(deploy_options), with: "="
   end
 
+  def stop_options(drain_timeout: nil, message: nil)
+    {
+      "drain-timeout": seconds_duration(drain_timeout),
+      message: message
+    }.compact
+  end
+
+  def stop_command_args(**options)
+    optionize stop_options(**options), with: "="
+  end
+
   def merge(other)
-    self.class.new config: config, proxy_config: proxy_config.deep_merge(other.proxy_config)
+    self.class.new config: config, proxy_config: other.proxy_config.deep_merge(proxy_config), role_name: role_name, secrets: secrets
   end
 
   private
+    def tls_path(directory, filename)
+      File.join([ directory, role_name, filename ].compact) if custom_ssl_certificate?
+    end
+
     def seconds_duration(value)
       value ? "#{value}s" : nil
     end
+
+    def error_pages
+      File.join config.proxy_boot.error_pages_container_directory, config.version if config.error_pages_path
+    end
 end

data/lib/kamal/configuration/registry.rb

@@ -1,12 +1,10 @@
 class Kamal::Configuration::Registry
   include Kamal::Configuration::Validation
 
-  attr_reader :registry_config, :secrets
-
-  def initialize(config:)
-    @registry_config = config.raw_config.registry || {}
-    @secrets = config.secrets
-    validate! registry_config, with: Kamal::Configuration::Validator::Registry
+  def initialize(config:, secrets:, context: "registry")
+    @registry_config = config["registry"] || {}
+    @secrets = secrets
+    validate! registry_config, context: context, with: Kamal::Configuration::Validator::Registry
   end
 
   def server
@@ -22,6 +20,8 @@ class Kamal::Configuration::Registry
   end
 
   private
+    attr_reader :registry_config, :secrets
+
     def lookup(key)
       if registry_config[key].is_a?(Array)
         secrets[registry_config[key].first]

data/lib/kamal/configuration/role.rb

@@ -10,7 +10,7 @@ class Kamal::Configuration::Role
   def initialize(name, config:)
     @name, @config = name.inquiry, config
     validate! \
-      specializations,
+      role_config,
       example: validation_yml["servers"]["workers"],
       context: "servers/#{name}",
       with: Kamal::Configuration::Validator::Role
@@ -68,7 +68,7 @@ class Kamal::Configuration::Role
   end
 
   def proxy
-    @proxy ||= config.proxy.merge(specialized_proxy) if running_proxy?
+    @proxy ||= specialized_proxy.merge(config.proxy) if running_proxy?
   end
 
   def running_proxy?
@@ -150,8 +150,8 @@ class Kamal::Configuration::Role
   end
 
   def ensure_one_host_for_ssl
-    if running_proxy? && proxy.ssl? && hosts.size > 1
-      raise Kamal::ConfigurationError, "SSL is only supported on a single server, found #{hosts.size} servers for role #{name}"
+    if running_proxy? && proxy.ssl? && hosts.size > 1 && !proxy.custom_ssl_certificate?
+      raise Kamal::ConfigurationError, "SSL is only supported on a single server unless you provide custom certificates, found #{hosts.size} servers for role #{name}"
     end
   end
 
@@ -173,6 +173,8 @@ class Kamal::Configuration::Role
         @specialized_proxy = Kamal::Configuration::Proxy.new \
           config: config,
           proxy_config: proxy_config,
+          secrets: config.secrets,
+          role_name: name,
           context: "servers/#{name}/proxy"
       end
     end
@@ -204,11 +206,11 @@ class Kamal::Configuration::Role
     end
 
     def specializations
-      if config.raw_config.servers.is_a?(Array) || config.raw_config.servers[name].is_a?(Array)
-        {}
-      else
-        config.raw_config.servers[name]
-      end
+      @specializations ||= role_config.is_a?(Array) ? {} : role_config
+    end
+
+    def role_config
+      @role_config ||= config.raw_config.servers.is_a?(Array) ? {} : config.raw_config.servers[name]
     end
 
     def custom_labels

data/lib/kamal/configuration/servers.rb

@@ -13,6 +13,13 @@ class Kamal::Configuration::Servers
 
   private
     def role_names
-      servers_config.is_a?(Array) ? [ "web" ] : servers_config.keys.sort
+      case servers_config
+      when Array
+        [ "web" ]
+      when NilClass
+        []
+      else
+        servers_config.keys.sort
+      end
     end
 end

data/lib/kamal/configuration/validator/accessory.rb

@@ -2,8 +2,12 @@ class Kamal::Configuration::Validator::Accessory < Kamal::Configuration::Validat
   def validate!
     super
 
-    if (config.keys & [ "host", "hosts", "roles" ]).size != 1
-      error "specify one of `host`, `hosts` or `roles`"
+    if (config.keys & [ "host", "hosts", "role", "roles", "tag", "tags" ]).size != 1
+      error "specify one of `host`, `hosts`, `role`, `roles`, `tag` or `tags`"
     end
+
+    validate_labels!(config["labels"])
+
+    validate_docker_options!(config["options"])
   end
 end

data/lib/kamal/configuration/validator/builder.rb

@@ -8,6 +8,8 @@ class Kamal::Configuration::Validator::Builder < Kamal::Configuration::Validator
 
     error "Builder arch not set" unless config["arch"].present?
 
+    error "buildpacks only support building for one arch" if config["pack"] && config["arch"].is_a?(Array) && config["arch"].size > 1
+
     error "Cannot disable local builds, no remote is set" if config["local"] == false && config["remote"].blank?
   end
 end

data/lib/kamal/configuration/validator/proxy.rb

@@ -10,6 +10,16 @@ class Kamal::Configuration::Validator::Proxy < Kamal::Configuration::Validator
       if (config.keys & [ "host", "hosts" ]).size > 1
         error "Specify one of 'host' or 'hosts', not both"
       end
+
+      if config["ssl"].is_a?(Hash)
+        if config["ssl"]["certificate_pem"].present? && config["ssl"]["private_key_pem"].blank?
+          error "Missing private_key_pem setting (required when certificate_pem is present)"
+        end
+
+        if config["ssl"]["private_key_pem"].present? && config["ssl"]["certificate_pem"].blank?
+          error "Missing certificate_pem setting (required when private_key_pem is present)"
+        end
+      end
     end
   end
 end

data/lib/kamal/configuration/validator/role.rb

@@ -3,9 +3,11 @@ class Kamal::Configuration::Validator::Role < Kamal::Configuration::Validator
     validate_type! config, Array, Hash
 
     if config.is_a?(Array)
-      validate_servers! "servers", config
+      validate_servers!(config)
     else
       super
+      validate_labels!(config["labels"])
+      validate_docker_options!(config["options"])
     end
   end
 end

data/lib/kamal/configuration/validator/servers.rb

@@ -1,6 +1,6 @@
 class Kamal::Configuration::Validator::Servers < Kamal::Configuration::Validator
   def validate!
-    validate_type! config, Array, Hash
+    validate_type! config, Array, Hash, NilClass
 
     validate_servers! config if config.is_a?(Array)
   end

data/lib/kamal/configuration/validator.rb

@@ -24,7 +24,9 @@ class Kamal::Configuration::Validator
             example_value = example[key]
 
             if example_value == "..."
-              unless key.to_s == "proxy" && boolean?(value.class)
+              if key.to_s == "ssl"
+                validate_type! value, TrueClass, FalseClass, Hash
+              elsif key.to_s != "proxy" || !boolean?(value.class)
                 validate_type! value, *(Array if key == :servers), Hash
               end
             elsif key == "hosts"
@@ -168,4 +170,22 @@ class Kamal::Configuration::Validator
       unknown_keys.reject! { |key| extension?(key) } if allow_extensions?
       unknown_keys_error unknown_keys if unknown_keys.present?
     end
+
+    def validate_labels!(labels)
+      return true if labels.blank?
+
+      with_context("labels") do
+        labels.each do |key, _|
+          with_context(key) do
+            error "invalid label. destination, role, and service are reserved labels" if %w[destination role service].include?(key)
+          end
+        end
+      end
+    end
+
+    def validate_docker_options!(options)
+      if options
+        error "Cannot set restart policy in docker options, unless-stopped is required" if options["restart"]
+      end
+    end
 end

data/lib/kamal/configuration.rb

@@ -10,15 +10,10 @@ class Kamal::Configuration
   delegate :argumentize, :optionize, to: Kamal::Utils
 
   attr_reader :destination, :raw_config, :secrets
-  attr_reader :accessories, :aliases, :boot, :builder, :env, :logging, :proxy, :servers, :ssh, :sshkit, :registry
+  attr_reader :accessories, :aliases, :boot, :builder, :env, :logging, :proxy, :proxy_boot, :servers, :ssh, :sshkit, :registry
 
   include Validation
 
-  PROXY_MINIMUM_VERSION = "v0.8.2"
-  PROXY_HTTP_PORT = 80
-  PROXY_HTTPS_PORT = 443
-  PROXY_LOG_MAX_SIZE = "10m"
-
   class << self
     def create_from(config_file:, destination: nil, version: nil)
       ENV["KAMAL_DESTINATION"] = destination
@@ -37,7 +32,7 @@ class Kamal::Configuration
         if file.exist?
           # Newer Psych doesn't load aliases by default
           load_method = YAML.respond_to?(:unsafe_load) ? :unsafe_load : :load
-          YAML.send(load_method, ERB.new(IO.read(file)).result).symbolize_keys
+          YAML.send(load_method, ERB.new(File.read(file)).result).symbolize_keys
         else
           raise "Configuration file not found in #{file}"
         end
@@ -59,7 +54,7 @@ class Kamal::Configuration
 
     # Eager load config to validate it, these are first as they have dependencies later on
     @servers = Servers.new(config: self)
-    @registry = Registry.new(config: self)
+    @registry = Registry.new(config: @raw_config, secrets: secrets)
 
     @accessories = @raw_config.accessories&.keys&.collect { |name| Accessory.new(name, config: self) } || []
     @aliases = @raw_config.aliases&.keys&.to_h { |name| [ name, Alias.new(name, config: self) ] } || {}
@@ -68,7 +63,8 @@ class Kamal::Configuration
     @env = Env.new(config: @raw_config.env || {}, secrets: secrets)
 
     @logging = Logging.new(logging_config: @raw_config.logging)
-    @proxy = Proxy.new(config: self, proxy_config: @raw_config.proxy || {})
+    @proxy = Proxy.new(config: self, proxy_config: @raw_config.proxy, secrets: secrets)
+    @proxy_boot = Proxy::Boot.new(config: self)
     @ssh = Ssh.new(config: self)
     @sshkit = Sshkit.new(config: self)
 
@@ -82,7 +78,6 @@ class Kamal::Configuration
     ensure_unique_hosts_for_ssl_roles
   end
 
-
   def version=(version)
     @declared_version = version
   end
@@ -106,6 +101,9 @@ class Kamal::Configuration
     raw_config.minimum_version
   end
 
+  def service_and_destination
+    [ service, destination ].compact.join("-")
+  end
 
   def roles
     servers.roles
@@ -119,11 +117,14 @@ class Kamal::Configuration
     accessories.detect { |a| a.name == name.to_s }
   end
 
-
   def all_hosts
     (roles + accessories).flat_map(&:hosts).uniq
   end
 
+  def app_hosts
+    roles.flat_map(&:hosts).uniq
+  end
+
   def primary_host
     primary_role&.primary_host
   end
@@ -148,8 +149,12 @@ class Kamal::Configuration
     proxy_roles.flat_map(&:name)
   end
 
+  def proxy_accessories
+    accessories.select(&:running_proxy?)
+  end
+
   def proxy_hosts
-    proxy_roles.flat_map(&:hosts).uniq
+    (proxy_roles.flat_map(&:hosts) + proxy_accessories.flat_map(&:hosts)).uniq
   end
 
   def repository
@@ -180,7 +185,6 @@ class Kamal::Configuration
     raw_config.retain_containers || 5
   end
 
-
   def volume_args
     if raw_config.volumes.present?
       argumentize "--volume", raw_config.volumes
@@ -193,7 +197,6 @@ class Kamal::Configuration
     logging.args
   end
 
-
   def readiness_delay
     raw_config.readiness_delay || 7
   end
@@ -206,7 +209,6 @@ class Kamal::Configuration
     raw_config.drain_timeout || 30
   end
 
-
   def run_directory
     ".kamal"
   end
@@ -216,7 +218,7 @@ class Kamal::Configuration
   end
 
   def app_directory
-    File.join apps_directory, [ service, destination ].compact.join("-")
+    File.join apps_directory, service_and_destination
   end
 
   def env_directory
@@ -227,7 +229,6 @@ class Kamal::Configuration
     File.join app_directory, "assets"
   end
 
-
   def hooks_path
     raw_config.hooks_path || ".kamal/hooks"
   end
@@ -236,6 +237,9 @@ class Kamal::Configuration
     raw_config.asset_path
   end
 
+  def error_pages_path
+    raw_config.error_pages_path
+  end
 
   def env_tags
     @env_tags ||= if (tags = raw_config.env["tags"])
@@ -249,35 +253,6 @@ class Kamal::Configuration
     env_tags.detect { |t| t.name == name.to_s }
   end
 
-  def proxy_publish_args(http_port, https_port)
-    argumentize "--publish", [ "#{http_port}:#{PROXY_HTTP_PORT}", "#{https_port}:#{PROXY_HTTPS_PORT}" ]
-  end
-
-  def proxy_logging_args(max_size)
-    argumentize "--log-opt", "max-size=#{max_size}" if max_size.present?
-  end
-
-  def proxy_options_default
-    [ *proxy_publish_args(PROXY_HTTP_PORT, PROXY_HTTPS_PORT), *proxy_logging_args(PROXY_LOG_MAX_SIZE) ]
-  end
-
-  def proxy_image
-    "basecamp/kamal-proxy:#{PROXY_MINIMUM_VERSION}"
-  end
-
-  def proxy_container_name
-    "kamal-proxy"
-  end
-
-  def proxy_directory
-    File.join run_directory, "proxy"
-  end
-
-  def proxy_options_file
-    File.join proxy_directory, "options"
-  end
-
-
   def to_h
     {
       roles: role_names,
@@ -307,22 +282,26 @@ class Kamal::Configuration
     end
 
     def ensure_required_keys_present
-      %i[ service image registry servers ].each do |key|
+      %i[ service image registry ].each do |key|
         raise Kamal::ConfigurationError, "Missing required configuration for #{key}" unless raw_config[key].present?
       end
 
-      unless role(primary_role_name).present?
-        raise Kamal::ConfigurationError, "The primary_role #{primary_role_name} isn't defined"
-      end
+      if raw_config.servers.nil?
+        raise Kamal::ConfigurationError, "No servers or accessories specified" unless raw_config.accessories.present?
+      else
+        unless role(primary_role_name).present?
+          raise Kamal::ConfigurationError, "The primary_role #{primary_role_name} isn't defined"
+        end
 
-      if primary_role.hosts.empty?
-        raise Kamal::ConfigurationError, "No servers specified for the #{primary_role.name} primary_role"
-      end
+        if primary_role.hosts.empty?
+          raise Kamal::ConfigurationError, "No servers specified for the #{primary_role.name} primary_role"
+        end
 
-      unless allow_empty_roles?
-        roles.each do |role|
-          if role.hosts.empty?
-            raise Kamal::ConfigurationError, "No servers specified for the #{role.name} role. You can ignore this with allow_empty_roles: true"
+        unless allow_empty_roles?
+          roles.each do |role|
+            if role.hosts.empty?
+              raise Kamal::ConfigurationError, "No servers specified for the #{role.name} role. You can ignore this with allow_empty_roles: true"
+            end
           end
         end
       end

data/lib/kamal/docker.rb

@@ -0,0 +1,30 @@
+require "tempfile"
+require "open3"
+
+module Kamal::Docker
+  extend self
+  BUILD_CHECK_TAG = "kamal-local-build-check"
+
+  def included_files
+    Tempfile.create do |dockerfile|
+      dockerfile.write(<<~DOCKERFILE)
+        FROM busybox
+        COPY . app
+        WORKDIR app
+        CMD find . -type f | sed "s|^\./||"
+      DOCKERFILE
+      dockerfile.close
+
+      cmd = "docker buildx build -t=#{BUILD_CHECK_TAG} -f=#{dockerfile.path} ."
+      system(cmd) || raise("failed to build check image")
+    end
+
+    cmd = "docker run --rm #{BUILD_CHECK_TAG}"
+    out, err, status = Open3.capture3(cmd)
+    unless status
+      raise "failed to run check image:\n#{err}"
+    end
+
+    out.lines.map(&:strip)
+  end
+end

data/lib/kamal/git.rb

@@ -24,4 +24,14 @@ module Kamal::Git
   def root
     `git rev-parse --show-toplevel`.strip
   end
+
+  # returns an array of relative path names of files with uncommitted changes
+  def uncommitted_files
+    `git ls-files --modified`.lines.map(&:strip)
+  end
+
+  # returns an array of relative path names of untracked files, including gitignored files
+  def untracked_files
+    `git ls-files --others`.lines.map(&:strip)
+  end
 end

data/lib/kamal/secrets/adapters/aws_secrets_manager.rb

@@ -0,0 +1,51 @@
+class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Base
+  def requires_account?
+    false
+  end
+
+  private
+    def login(_account)
+      nil
+    end
+
+    def fetch_secrets(secrets, from:, account: nil, session:)
+      {}.tap do |results|
+        get_from_secrets_manager(prefixed_secrets(secrets, from: from), account: account).each do |secret|
+          secret_name = secret["Name"]
+          secret_string = JSON.parse(secret["SecretString"])
+
+          secret_string.each do |key, value|
+            results["#{secret_name}/#{key}"] = value
+          end
+        rescue JSON::ParserError
+          results["#{secret_name}"] = secret["SecretString"]
+        end
+      end
+    end
+
+    def get_from_secrets_manager(secrets, account: nil)
+      args = [ "aws", "secretsmanager", "batch-get-secret-value", "--secret-id-list" ] + secrets.map(&:shellescape)
+      args += [ "--profile", account.shellescape ] if account
+      args += [ "--output", "json" ]
+      cmd = args.join(" ")
+
+      `#{cmd}`.tap do |secrets|
+        raise RuntimeError, "Could not read #{secrets} from AWS Secrets Manager" unless $?.success?
+
+        secrets = JSON.parse(secrets)
+
+        return secrets["SecretValues"] unless secrets["Errors"].present?
+
+        raise RuntimeError, secrets["Errors"].map { |error| "#{error['SecretId']}: #{error['Message']}" }.join(" ")
+      end
+    end
+
+    def check_dependencies!
+      raise RuntimeError, "AWS CLI is not installed" unless cli_installed?
+    end
+
+    def cli_installed?
+      `aws --version 2> /dev/null`
+      $?.success?
+    end
+end

data/lib/kamal/secrets/adapters/base.rb

@@ -1,11 +1,17 @@
 class Kamal::Secrets::Adapters::Base
   delegate :optionize, to: Kamal::Utils
 
-  def fetch(secrets, account:, from: nil)
+  def fetch(secrets, account: nil, from: nil)
+    raise RuntimeError, "Missing required option '--account'" if requires_account? && account.blank?
+
     check_dependencies!
+
     session = login(account)
-    full_secrets = secrets.map { |secret| [ from, secret ].compact.join("/") }
-    fetch_secrets(full_secrets, account: account, session: session)
+    fetch_secrets(secrets, from: from, account: account, session: session)
+  end
+
+  def requires_account?
+    true
   end
 
   private
@@ -20,4 +26,8 @@ class Kamal::Secrets::Adapters::Base
     def check_dependencies!
       raise NotImplementedError
     end
+
+    def prefixed_secrets(secrets, from:)
+      secrets.map { |secret| [ from, secret ].compact.join("/") }
+    end
 end

data/lib/kamal/secrets/adapters/bitwarden.rb

@@ -21,9 +21,9 @@ class Kamal::Secrets::Adapters::Bitwarden < Kamal::Secrets::Adapters::Base
       session
     end
 
-    def fetch_secrets(secrets, account:, session:)
+    def fetch_secrets(secrets, from:, account:, session:)
       {}.tap do |results|
-        items_fields(secrets).each do |item, fields|
+        items_fields(prefixed_secrets(secrets, from: from)).each do |item, fields|
           item_json = run_command("get item #{item.shellescape}", session: session, raw: true)
           raise RuntimeError, "Could not read #{item} from Bitwarden" unless $?.success?
           item_json = JSON.parse(item_json)