kamal 2.4.0 → 2.5.0

data/lib/kamal/secrets/adapters/gcp_secret_manager.rb

@@ -0,0 +1,112 @@
+class Kamal::Secrets::Adapters::GcpSecretManager < Kamal::Secrets::Adapters::Base
+  private
+    def login(account)
+      # Since only the account option is passed from the cli, we'll use it for both account and service account
+      # impersonation.
+      #
+      # Syntax:
+      # ACCOUNT: USER | USER "|" DELEGATION_CHAIN
+      # USER: DEFAULT_USER | EMAIL
+      # DELEGATION_CHAIN: EMAIL | EMAIL "," DELEGATION_CHAIN
+      # EMAIL: <The email address of the user or service account, like "my-user@example.com" >
+      # DEFAULT_USER: "default"
+      #
+      # Some valid examples:
+      # - "my-user@example.com" sets the user
+      # - "my-user@example.com|my-service-user@example.com" will use my-user and enable service account impersonation as my-service-user
+      # - "default" will use the default user and no impersonation
+      # - "default|my-service-user@example.com" will use the default user, and enable service account impersonation as my-service-user
+      # - "default|my-service-user@example.com,another-service-user@example.com" same as above, but with an impersonation delegation chain
+
+      unless logged_in?
+        `gcloud auth login`
+        raise RuntimeError, "could not login to gcloud" unless logged_in?
+      end
+
+      nil
+    end
+
+    def fetch_secrets(secrets, from:, account:, session:)
+      user, service_account = parse_account(account)
+
+      {}.tap do |results|
+        secrets_with_metadata(prefixed_secrets(secrets, from: from)).each do |secret, (project, secret_name, secret_version)|
+          item_name = "#{project}/#{secret_name}"
+          results[item_name] = fetch_secret(project, secret_name, secret_version, user, service_account)
+          raise RuntimeError, "Could not read #{item_name} from Google Secret Manager" unless $?.success?
+        end
+      end
+    end
+
+    def fetch_secret(project, secret_name, secret_version, user, service_account)
+      secret = run_command(
+        "secrets versions access #{secret_version.shellescape} --secret=#{secret_name.shellescape}",
+        project: project,
+        user: user,
+        service_account: service_account
+      )
+      Base64.decode64(secret.dig("payload", "data"))
+    end
+
+    # The secret needs to at least contain a secret name, but project name, and secret version can also be specified.
+    #
+    # The string "default" can be used to refer to the default project configured for gcloud.
+    #
+    # The version can be either the string "latest", or a version number.
+    #
+    # The following formats are valid:
+    #
+    # - The following are all equivalent, and sets project: default, secret name: my-secret, version: latest
+    #   - "my-secret"
+    #   - "default/my-secret"
+    #   - "default/my-secret/latest"
+    #   - "my-secret/latest" in combination with --from=default
+    # - "my-secret/123" (only in combination with --from=some-project) -> project: some-project, secret name: my-secret, version: 123
+    # - "some-project/my-secret/123" -> project: some-project, secret name: my-secret, version: 123
+    def secrets_with_metadata(secrets)
+      {}.tap do |items|
+        secrets.each do |secret|
+          parts = secret.split("/")
+          parts.unshift("default") if parts.length == 1
+          project = parts.shift
+          secret_name = parts.shift
+          secret_version = parts.shift || "latest"
+
+          items[secret] = [ project, secret_name, secret_version ]
+        end
+      end
+    end
+
+    def run_command(command, project: "default", user: "default", service_account: nil)
+      full_command = [ "gcloud", command ]
+      full_command << "--project=#{project.shellescape}" unless project == "default"
+      full_command << "--account=#{user.shellescape}" unless user == "default"
+      full_command << "--impersonate-service-account=#{service_account.shellescape}" if service_account
+      full_command << "--format=json"
+      full_command = full_command.join(" ")
+
+      result = `#{full_command}`.strip
+      JSON.parse(result)
+    end
+
+    def check_dependencies!
+      raise RuntimeError, "gcloud CLI is not installed" unless cli_installed?
+    end
+
+    def cli_installed?
+      `gcloud --version 2> /dev/null`
+      $?.success?
+    end
+
+    def logged_in?
+      JSON.parse(`gcloud auth list --format=json`).any?
+    end
+
+    def parse_account(account)
+      account.split("|", 2)
+    end
+
+    def is_user?(candidate)
+      candidate.include?("@")
+    end
+end

data/lib/kamal/secrets/adapters/last_pass.rb

@@ -11,7 +11,8 @@ class Kamal::Secrets::Adapters::LastPass < Kamal::Secrets::Adapters::Base
       `lpass status --color never`.strip == "Logged in as #{account}."
     end
 
-    def fetch_secrets(secrets, account:, session:)
+    def fetch_secrets(secrets, from:, account:, session:)
+      secrets = prefixed_secrets(secrets, from: from)
       items = `lpass show #{secrets.map(&:shellescape).join(" ")} --json`
       raise RuntimeError, "Could not read #{secrets} from LastPass" unless $?.success?
 
@@ -23,7 +24,7 @@ class Kamal::Secrets::Adapters::LastPass < Kamal::Secrets::Adapters::Base
         end
 
         if (missing_items = secrets - results.keys).any?
-          raise RuntimeError, "Could not find #{missing_items.join(", ")} in LassPass"
+          raise RuntimeError, "Could not find #{missing_items.join(", ")} in LastPass"
         end
       end
     end

data/lib/kamal/secrets/adapters/one_password.rb

@@ -15,9 +15,9 @@ class Kamal::Secrets::Adapters::OnePassword < Kamal::Secrets::Adapters::Base
       $?.success?
     end
 
-    def fetch_secrets(secrets, account:, session:)
+    def fetch_secrets(secrets, from:, account:, session:)
       {}.tap do |results|
-        vaults_items_fields(secrets).map do |vault, items|
+        vaults_items_fields(prefixed_secrets(secrets, from: from)).map do |vault, items|
           items.each do |item, fields|
             fields_json = JSON.parse(op_item_get(vault, item, fields, account: account, session: session))
             fields_json = [ fields_json ] if fields.one?

data/lib/kamal/secrets/adapters/test.rb

@@ -4,8 +4,8 @@ class Kamal::Secrets::Adapters::Test < Kamal::Secrets::Adapters::Base
       true
     end
 
-    def fetch_secrets(secrets, account:, session:)
-      secrets.to_h { |secret| [ secret, secret.reverse ] }
+    def fetch_secrets(secrets, from:, account:, session:)
+      prefixed_secrets(secrets, from: from).to_h { |secret| [ secret, secret.reverse ] }
     end
 
     def check_dependencies!

data/lib/kamal/secrets/adapters.rb

@@ -3,6 +3,8 @@ module Kamal::Secrets::Adapters
   def self.lookup(name)
     name = "one_password" if name.downcase == "1password"
     name = "last_pass" if name.downcase == "lastpass"
+    name = "gcp_secret_manager" if name.downcase == "gcp"
+    name = "bitwarden_secrets_manager" if name.downcase == "bitwarden-sm"
     adapter_class(name)
   end
 

data/lib/kamal/version.rb

@@ -1,3 +1,3 @@
 module Kamal
-  VERSION = "2.4.0"
+  VERSION = "2.5.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kamal
 version: !ruby/object:Gem::Version
-  version: 2.4.0
+  version: 2.5.0
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-12-13 00:00:00.000000000 Z
+date: 2025-02-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -236,8 +236,10 @@ files:
 - lib/kamal/cli/server.rb
 - lib/kamal/cli/templates/deploy.yml
 - lib/kamal/cli/templates/sample_hooks/docker-setup.sample
+- lib/kamal/cli/templates/sample_hooks/post-app-boot.sample
 - lib/kamal/cli/templates/sample_hooks/post-deploy.sample
 - lib/kamal/cli/templates/sample_hooks/post-proxy-reboot.sample
+- lib/kamal/cli/templates/sample_hooks/pre-app-boot.sample
 - lib/kamal/cli/templates/sample_hooks/pre-build.sample
 - lib/kamal/cli/templates/sample_hooks/pre-connect.sample
 - lib/kamal/cli/templates/sample_hooks/pre-deploy.sample
@@ -260,6 +262,7 @@ files:
 - lib/kamal/commands/builder.rb
 - lib/kamal/commands/builder/base.rb
 - lib/kamal/commands/builder/clone.rb
+- lib/kamal/commands/builder/cloud.rb
 - lib/kamal/commands/builder/hybrid.rb
 - lib/kamal/commands/builder/local.rb
 - lib/kamal/commands/builder/remote.rb
@@ -309,6 +312,7 @@ files:
 - lib/kamal/configuration/validator/role.rb
 - lib/kamal/configuration/validator/servers.rb
 - lib/kamal/configuration/volume.rb
+- lib/kamal/docker.rb
 - lib/kamal/env_file.rb
 - lib/kamal/git.rb
 - lib/kamal/secrets.rb
@@ -316,11 +320,13 @@ files:
 - lib/kamal/secrets/adapters/aws_secrets_manager.rb
 - lib/kamal/secrets/adapters/base.rb
 - lib/kamal/secrets/adapters/bitwarden.rb
+- lib/kamal/secrets/adapters/bitwarden_secrets_manager.rb
 - lib/kamal/secrets/adapters/doppler.rb
+- lib/kamal/secrets/adapters/enpass.rb
+- lib/kamal/secrets/adapters/gcp_secret_manager.rb
 - lib/kamal/secrets/adapters/last_pass.rb
 - lib/kamal/secrets/adapters/one_password.rb
 - lib/kamal/secrets/adapters/test.rb
-- lib/kamal/secrets/adapters/test_optional_account.rb
 - lib/kamal/secrets/dotenv/inline_command_substitution.rb
 - lib/kamal/sshkit_with_ext.rb
 - lib/kamal/tags.rb
@@ -346,7 +352,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.22
+rubygems_version: 3.5.22
 signing_key:
 specification_version: 4
 summary: Deploy web apps in containers to servers running Docker with zero downtime.

data/lib/kamal/secrets/adapters/test_optional_account.rb

@@ -1,5 +0,0 @@
-class Kamal::Secrets::Adapters::TestOptionalAccount < Kamal::Secrets::Adapters::Test
-  def requires_account?
-    false
-  end
-end