kamal 2.7.0 → 2.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4e1cf57d731a8b129a8ccbb86faddd3e813bc4d17895e6e538fe904f5bb65d27
-  data.tar.gz: 2d7d81b3a34f42fb427bfed18f9cf0ed1955d38e4b4783c1407bc1db6de5cef6
+  metadata.gz: 80ba6d51041312c99d659a1bfaac13bfa0ed7d1e758bde65e5475c0e51d88238
+  data.tar.gz: f0cc94a905da2cfb5dcf4f5d9ead2194df1b0ed46fd3b8671a59bfc333b10fbf
 SHA512:
-  metadata.gz: f3144c40082cfa24c78e2a1ebf2f433e491be3f5966e45cfc5488c3a11f5a3f513f097f7818cbc9e34d20b79986e64212055a87030fd4aa386a1d82bbb7d0efe
-  data.tar.gz: c6b796497a6f7a68815d340664b34fb9943f55ea7121122994aa3fdadaa5b12a18fb4078ff194cffb6060917a74611fdf31017afa75f2515d94ec259e0809251
+  metadata.gz: e33ddb40f46e587364d9121bbd2f2d829beddeb956f4bf1d8399e5ac835285180914f51e1365bee96ec4b82a02c0e88df8ff513a68bf95e44a8dc7e0ce081509
+  data.tar.gz: 8a0b1a90bbacd96d072cbbe5cec3371e5f7fe6d213cfa5dac3203f6d4ef02fadbddd1e3458909f3051adcd9218d69d6edb5b193f86fca6fac28b49b00bd2dd91

data/lib/kamal/cli/accessory.rb

@@ -77,6 +77,7 @@ class Kamal::Cli::Accessory < Kamal::Cli::Base
         KAMAL.accessory_names.each { |accessory_name| reboot(accessory_name) }
       else
         prepare(name)
+        pull_image(name)
         stop(name)
         remove_container(name)
         boot(name, prepare: false)
@@ -203,6 +204,18 @@ class Kamal::Cli::Accessory < Kamal::Cli::Base
     end
   end
 
+  desc "pull_image [NAME]", "Pull accessory image on host", hide: true
+  def pull_image(name)
+    with_lock do
+      with_accessory(name) do |accessory, hosts|
+        on(hosts) do
+          execute *KAMAL.auditor.record("Pull #{name} accessory image"), verbosity: :debug
+          execute *accessory.pull_image
+        end
+      end
+    end
+  end
+
   desc "remove [NAME]", "Remove accessory container, image and data directory from host (use NAME=all to remove all accessories)"
   option :confirmed, aliases: "-y", type: :boolean, default: false, desc: "Proceed without confirmation question"
   def remove(name)

data/lib/kamal/cli/build.rb

@@ -11,6 +11,7 @@ class Kamal::Cli::Build < Kamal::Cli::Base
 
   desc "push", "Build and push app image to registry"
   option :output, type: :string, default: "registry", banner: "export_type", desc: "Exported type for the build result, and may be any exported type supported by 'buildx --output'."
+  option :no_cache, type: :boolean, default: false, desc: "Build without using Docker's build cache"
   def push
     cli = self
 
@@ -19,7 +20,7 @@ class Kamal::Cli::Build < Kamal::Cli::Base
     pre_connect_if_required
 
     ensure_docker_installed
-    login_to_registry_locally
+    login_to_registry_locally if KAMAL.builder.login_to_registry_locally?
 
     run_hook "pre-build"
 
@@ -56,10 +57,10 @@ class Kamal::Cli::Build < Kamal::Cli::Base
         end
 
         # Get the command here to ensure the Dir.chdir doesn't interfere with it
-        push = KAMAL.builder.push(cli.options[:output])
+        push = KAMAL.builder.push(cli.options[:output], no_cache: cli.options[:no_cache])
 
         KAMAL.with_verbosity(:debug) do
-          Dir.chdir(KAMAL.config.builder.build_directory) { execute *push }
+          Dir.chdir(KAMAL.config.builder.build_directory) { execute *push, env: KAMAL.builder.push_env }
         end
       end
     end
@@ -67,16 +68,18 @@ class Kamal::Cli::Build < Kamal::Cli::Base
 
   desc "pull", "Pull app image from registry onto servers"
   def pull
-    login_to_registry_remotely
-
-    if (first_hosts = mirror_hosts).any?
-      #  Pull on a single host per mirror first to seed them
-      say "Pulling image on #{first_hosts.join(", ")} to seed the #{"mirror".pluralize(first_hosts.count)}...", :magenta
-      pull_on_hosts(first_hosts)
-      say "Pulling image on remaining hosts...", :magenta
-      pull_on_hosts(KAMAL.app_hosts - first_hosts)
-    else
-      pull_on_hosts(KAMAL.app_hosts)
+    login_to_registry_remotely unless KAMAL.registry.local?
+
+    forward_local_registry_port do
+      if (first_hosts = mirror_hosts).any?
+        #  Pull on a single host per mirror first to seed them
+        say "Pulling image on #{first_hosts.join(", ")} to seed the #{"mirror".pluralize(first_hosts.count)}...", :magenta
+        pull_on_hosts(first_hosts)
+        say "Pulling image on remaining hosts...", :magenta
+        pull_on_hosts(KAMAL.app_hosts - first_hosts)
+      else
+        pull_on_hosts(KAMAL.app_hosts)
+      end
     end
   end
 
@@ -119,6 +122,7 @@ class Kamal::Cli::Build < Kamal::Cli::Base
 
   desc "dev", "Build using the working directory, tag it as dirty, and push to local image store."
   option :output, type: :string, default: "docker", banner: "export_type", desc: "Exported type for the build result, and may be any exported type supported by 'buildx --output'."
+  option :no_cache, type: :boolean, default: false, desc: "Build without using Docker's build cache"
   def dev
     cli = self
 
@@ -144,7 +148,7 @@ class Kamal::Cli::Build < Kamal::Cli::Base
 
     with_env(KAMAL.config.builder.secrets) do
       run_locally do
-        build = KAMAL.builder.push(cli.options[:output], tag_as_dirty: true)
+        build = KAMAL.builder.push(cli.options[:output], tag_as_dirty: true, no_cache: cli.options[:no_cache])
         KAMAL.with_verbosity(:debug) do
           execute(*build)
         end
@@ -192,7 +196,11 @@ class Kamal::Cli::Build < Kamal::Cli::Base
 
     def login_to_registry_locally
       run_locally do
-        execute *KAMAL.registry.login
+        if KAMAL.registry.local?
+          execute *KAMAL.registry.setup
+        else
+          execute *KAMAL.registry.login
+        end
       end
     end
 
@@ -201,4 +209,14 @@ class Kamal::Cli::Build < Kamal::Cli::Base
         execute *KAMAL.registry.login
       end
     end
+
+    def forward_local_registry_port(&block)
+      if KAMAL.config.registry.local?
+        Kamal::Cli::PortForwarding.
+          new(KAMAL.hosts, KAMAL.config.registry.local_port).
+          forward(&block)
+      else
+        yield
+      end
+    end
 end

data/lib/kamal/cli/main.rb

@@ -1,6 +1,7 @@
 class Kamal::Cli::Main < Kamal::Cli::Base
   desc "setup", "Setup all accessories, push the env, and deploy app to servers"
   option :skip_push, aliases: "-P", type: :boolean, default: false, desc: "Skip image build and push"
+  option :no_cache, type: :boolean, default: false, desc: "Build without using Docker's build cache"
   def setup
     print_runtime do
       with_lock do
@@ -16,6 +17,7 @@ class Kamal::Cli::Main < Kamal::Cli::Base
 
   desc "deploy", "Deploy app to servers"
   option :skip_push, aliases: "-P", type: :boolean, default: false, desc: "Skip image build and push"
+  option :no_cache, type: :boolean, default: false, desc: "Build without using Docker's build cache"
   def deploy(boot_accessories: false)
     runtime = print_runtime do
       invoke_options = deploy_options
@@ -51,6 +53,7 @@ class Kamal::Cli::Main < Kamal::Cli::Base
 
   desc "redeploy", "Deploy app to servers without bootstrapping servers, starting kamal-proxy and pruning"
   option :skip_push, aliases: "-P", type: :boolean, default: false, desc: "Skip image build and push"
+  option :no_cache, type: :boolean, default: false, desc: "Build without using Docker's build cache"
   def redeploy
     runtime = print_runtime do
       invoke_options = deploy_options
@@ -182,7 +185,7 @@ class Kamal::Cli::Main < Kamal::Cli::Base
         invoke "kamal:cli:app:remove", [], options.without(:confirmed)
         invoke "kamal:cli:proxy:remove", [], options.without(:confirmed)
         invoke "kamal:cli:accessory:remove", [ "all" ], options
-        invoke "kamal:cli:registry:logout", [], options.without(:confirmed).merge(skip_local: true)
+        invoke "kamal:cli:registry:remove", [], options.without(:confirmed).merge(skip_local: true)
       end
     end
   end
@@ -272,6 +275,8 @@ class Kamal::Cli::Main < Kamal::Cli::Base
     end
 
     def deploy_options
-      { "version" => KAMAL.config.version }.merge(options.without("skip_push"))
+      base_options = options.without("skip_push")
+      base_options = base_options.except("no_cache") unless base_options["no_cache"]
+      { "version" => KAMAL.config.version }.merge(base_options)
     end
 end

data/lib/kamal/cli/port_forwarding.rb

@@ -0,0 +1,42 @@
+class Kamal::Cli::PortForwarding
+  attr_reader :hosts, :port
+
+  def initialize(hosts, port)
+    @hosts = hosts
+    @port = port
+  end
+
+  def forward
+    @done = false
+    forward_ports
+
+    yield
+  ensure
+    stop
+  end
+
+  private
+
+  def stop
+    @done = true
+    @threads.to_a.each(&:join)
+  end
+
+  def forward_ports
+    @threads = hosts.map do |host|
+      Thread.new do
+        Net::SSH.start(host, KAMAL.config.ssh.user, **{ proxy: KAMAL.config.ssh.proxy }.compact) do |ssh|
+          ssh.forward.remote(port, "localhost", port, "localhost")
+          ssh.loop(0.1) do
+            if @done
+              ssh.forward.cancel_remote(port, "localhost")
+              break
+            else
+              true
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/kamal/cli/registry.rb

@@ -1,19 +1,27 @@
 class Kamal::Cli::Registry < Kamal::Cli::Base
-  desc "login", "Log in to registry locally and remotely"
+  desc "setup", "Setup local registry or log in to remote registry locally and remotely"
   option :skip_local, aliases: "-L", type: :boolean, default: false, desc: "Skip local login"
   option :skip_remote, aliases: "-R", type: :boolean, default: false, desc: "Skip remote login"
-  def login
+  def setup
     ensure_docker_installed unless options[:skip_local]
 
-    run_locally    { execute *KAMAL.registry.login } unless options[:skip_local]
-    on(KAMAL.hosts) { execute *KAMAL.registry.login } unless options[:skip_remote]
+    if KAMAL.registry.local?
+      run_locally    { execute *KAMAL.registry.setup } unless options[:skip_local]
+    else
+      run_locally    { execute *KAMAL.registry.login } unless options[:skip_local]
+      on(KAMAL.hosts) { execute *KAMAL.registry.login } unless options[:skip_remote]
+    end
   end
 
-  desc "logout", "Log out of registry locally and remotely"
+  desc "remove", "Remove local registry or log out of remote registry locally and remotely"
   option :skip_local, aliases: "-L", type: :boolean, default: false, desc: "Skip local login"
   option :skip_remote, aliases: "-R", type: :boolean, default: false, desc: "Skip remote login"
-  def logout
-    run_locally    { execute *KAMAL.registry.logout } unless options[:skip_local]
-    on(KAMAL.hosts) { execute *KAMAL.registry.logout } unless options[:skip_remote]
+  def remove
+    if KAMAL.registry.local?
+      run_locally    { execute *KAMAL.registry.remove, raise_on_non_zero_exit: false } unless options[:skip_local]
+    else
+      run_locally    { execute *KAMAL.registry.logout } unless options[:skip_local]
+      on(KAMAL.hosts) { execute *KAMAL.registry.logout } unless options[:skip_remote]
+    end
   end
 end

data/lib/kamal/cli/templates/deploy.yml

@@ -25,13 +25,14 @@ proxy:
 
 # Credentials for your image host.
 registry:
+  server: localhost:5555
   # Specify the registry server, if you're not using Docker Hub
   # server: registry.digitalocean.com / ghcr.io / ...
-  username: my-user
+  # username: my-user
 
   # Always use an access token rather than real password (pulled from .kamal/secrets).
-  password:
-    - KAMAL_REGISTRY_PASSWORD
+  # password:
+  #   - KAMAL_REGISTRY_PASSWORD
 
 # Configure builder setup.
 builder:

data/lib/kamal/cli/templates/secrets

@@ -3,7 +3,7 @@
 # password manager, ENV, or a file. DO NOT ENTER RAW CREDENTIALS HERE! This file needs to be safe for git.
 
 # Option 1: Read secrets from the environment
-KAMAL_REGISTRY_PASSWORD=$KAMAL_REGISTRY_PASSWORD
+# KAMAL_REGISTRY_PASSWORD=$KAMAL_REGISTRY_PASSWORD
 
 # Option 2: Read secrets via a command
 # RAILS_MASTER_KEY=$(cat config/master.key)

data/lib/kamal/commander.rb

@@ -21,7 +21,7 @@ class Kamal::Commander
   end
 
   def config
-    @config ||= Kamal::Configuration.create_from(**@config_kwargs).tap do |config|
+    @config ||= Kamal::Configuration.create_from(**@config_kwargs.to_h).tap do |config|
       @config_kwargs = nil
       configure_sshkit_with(config)
     end

data/lib/kamal/commands/accessory.rb

@@ -90,6 +90,10 @@ class Kamal::Commands::Accessory < Kamal::Commands::Base
     end
   end
 
+  def pull_image
+    docker :image, :pull, image
+  end
+
   def remove_service_directory
     [ :rm, "-rf", service_name ]
   end

data/lib/kamal/commands/app.rb

@@ -23,6 +23,7 @@ class Kamal::Commands::App < Kamal::Commands::Base
       "--env", "KAMAL_CONTAINER_NAME=\"#{container_name}\"",
       "--env", "KAMAL_VERSION=\"#{config.version}\"",
       "--env", "KAMAL_HOST=\"#{host}\"",
+      "--env", "KAMAL_DESTINATION=\"#{config.destination}\"",
       *role.env_args(host),
       *role.logging_args,
       *config.volume_args,

data/lib/kamal/commands/builder/base.rb

@@ -14,13 +14,14 @@ class Kamal::Commands::Builder::Base < Kamal::Commands::Base
     docker :image, :rm, "--force", config.absolute_image
   end
 
-  def push(export_action = "registry", tag_as_dirty: false)
+  def push(export_action = "registry", tag_as_dirty: false, no_cache: false)
     docker :buildx, :build,
       "--output=type=#{export_action}",
       *platform_options(arches),
       *([ "--builder", builder_name ] unless docker_driver?),
       *build_tag_options(tag_as_dirty: tag_as_dirty),
       *build_options,
+      *([ "--no-cache" ] if no_cache),
       build_context,
       "2>&1"
   end
@@ -60,6 +61,14 @@ class Kamal::Commands::Builder::Base < Kamal::Commands::Base
     docker(:info, "--format '{{index .RegistryConfig.Mirrors 0}}'")
   end
 
+  def login_to_registry_locally?
+    true
+  end
+
+  def push_env
+    {}
+  end
+
   private
     def build_tag_names(tag_as_dirty: false)
       tag_names = [ config.absolute_image, config.latest_image ]

data/lib/kamal/commands/builder/local.rb

@@ -1,6 +1,15 @@
 class Kamal::Commands::Builder::Local < Kamal::Commands::Builder::Base
   def create
-    docker :buildx, :create, "--name", builder_name, "--driver=#{driver}" unless docker_driver?
+    return if docker_driver?
+
+    options =
+      if KAMAL.registry.local?
+        "--driver=#{driver} --driver-opt network=host"
+      else
+        "--driver=#{driver}"
+      end
+
+    docker :buildx, :create, "--name", builder_name, options
   end
 
   def remove
@@ -9,6 +18,10 @@ class Kamal::Commands::Builder::Local < Kamal::Commands::Builder::Base
 
   private
     def builder_name
-      "kamal-local-#{driver}"
+      if KAMAL.registry.local?
+        "kamal-local-registry-#{driver}"
+      else
+        "kamal-local-#{driver}"
+      end
     end
 end

data/lib/kamal/commands/builder/pack.rb

@@ -1,7 +1,7 @@
 class Kamal::Commands::Builder::Pack < Kamal::Commands::Builder::Base
-  def push(export_action = "registry")
+  def push(export_action = "registry", tag_as_dirty: false, no_cache: false)
     combine \
-      build,
+      build(tag_as_dirty: tag_as_dirty, no_cache: no_cache),
       export(export_action)
   end
 
@@ -13,15 +13,15 @@ class Kamal::Commands::Builder::Pack < Kamal::Commands::Builder::Base
   alias_method :inspect_builder, :info
 
   private
-    def build
+    def build(tag_as_dirty: false, no_cache: false)
       pack(:build,
         config.repository,
         "--platform", platform,
         "--creation-time", "now",
         "--builder", pack_builder,
         buildpacks,
-        "-t", config.absolute_image,
-        "-t", config.latest_image,
+        *build_tag_options(tag_as_dirty: tag_as_dirty),
+        *([ "--clear-cache" ] if no_cache),
         "--env", "BP_IMAGE_LABELS=service=#{config.service}",
         *argumentize("--env", args),
         *argumentize("--env", secrets, sensitive: true),

data/lib/kamal/commands/builder/remote.rb

@@ -19,11 +19,19 @@ class Kamal::Commands::Builder::Remote < Kamal::Commands::Builder::Base
 
   def inspect_builder
     combine \
-      combine inspect_buildx, inspect_remote_context,
+      combine(inspect_buildx, inspect_remote_context),
       [ "(echo no compatible builder && exit 1)" ],
       by: "||"
   end
 
+  def login_to_registry_locally?
+    false
+  end
+
+  def push_env
+    { "BUILDKIT_NO_CLIENT_TOKEN" => "1" }
+  end
+
   private
     def builder_name
       "kamal-remote-#{remote.gsub(/[^a-z0-9_-]/, "-")}"

data/lib/kamal/commands/builder.rb

@@ -1,8 +1,14 @@
 require "active_support/core_ext/string/filters"
 
 class Kamal::Commands::Builder < Kamal::Commands::Base
-  delegate :create, :remove, :dev, :push, :clean, :pull, :info, :inspect_builder, :validate_image, :first_mirror, to: :target
-  delegate :local?, :remote?, :pack?, :cloud?, to: "config.builder"
+  delegate \
+    :create, :remove, :dev, :push, :clean, :pull, :info, :inspect_builder,
+    :validate_image, :first_mirror, :login_to_registry_locally?, :push_env,
+    to: :target
+
+  delegate \
+    :local?, :remote?, :pack?, :cloud?,
+    to: "config.builder"
 
   include Clone
 

data/lib/kamal/commands/registry.rb

@@ -2,6 +2,8 @@ class Kamal::Commands::Registry < Kamal::Commands::Base
   def login(registry_config: nil)
     registry_config ||= config.registry
 
+    return if registry_config.local?
+
     docker :login,
       registry_config.server,
       "-u", sensitive(Kamal::Utils.escape_shell_value(registry_config.username)),
@@ -13,4 +15,24 @@ class Kamal::Commands::Registry < Kamal::Commands::Base
 
     docker :logout, registry_config.server
   end
+
+  def setup(registry_config: nil)
+    registry_config ||= config.registry
+
+    combine \
+      docker(:start, "kamal-docker-registry"),
+      docker(:run, "--detach", "-p", "127.0.0.1:#{registry_config.local_port}:5000", "--name", "kamal-docker-registry", "registry:3"),
+      by: "||"
+  end
+
+  def remove
+    combine \
+      docker(:stop, "kamal-docker-registry"),
+      docker(:rm, "kamal-docker-registry"),
+      by: "&&"
+  end
+
+  def local?
+    config.registry.local?
+  end
 end

data/lib/kamal/configuration/docs/proxy.yml

@@ -45,27 +45,23 @@ proxy:
   # unless you explicitly set `forward_headers: true`
   #
   # Defaults to `false`:
-  ssl: ...
+  ssl: true
 
   # Custom SSL certificate
   #
   # In some cases, using Let's Encrypt for automatic certificate management is not an
-  # option, for example if you are running from host than one host. Or you may already
-  # have SSL certificates issued by a different Certificate Authority (CA).
-  # Kamal supports loading custom SSL certificates
-  # directly from secrets.
-  #
-  # Examples:
-  #   ssl: true              # Enable SSL with Let's Encrypt
-  #   ssl: false             # Disable SSL
-  #   ssl:                   # Enable custom SSL
-  #     certificate_pem: CERTIFICATE_PEM
-  #     private_key_pem: PRIVATE_KEY_PEM
+  # option, for example if you are running from more than one host.
   #
+  # Or you may already have SSL certificates issued by a different Certificate Authority (CA).
+  #
+  # Kamal supports loading custom SSL certificates directly from secrets. You should
+  # pass a hash mapping the `certificate_pem` and `private_key_pem` to the secret names.
+  ssl:
+    certificate_pem: CERTIFICATE_PEM
+    private_key_pem: PRIVATE_KEY_PEM
   # ### Notes
-  # - If the certificate or key is missing or invalid, kamal-proxy will fail to start.
-  # - Always handle SSL certificates and private keys securely. Avoid hard-coding them in deploy.yml files or source control.
-  # - For automated certificate management, consider using the built-in Let's Encrypt integration instead.
+  # - If the certificate or key is missing or invalid, deployments will fail.
+  # - Always handle SSL certificates and private keys securely. Avoid hard-coding them in source control.
 
   # SSL redirect
   #
@@ -93,9 +89,21 @@ proxy:
   #
   # For applications that split their traffic to different services based on the request path,
   # you can use path-based routing to mount services under different path prefixes.
-  path_prefix: '/api'
+  # Usage sample: path_prefix: '/api'
+  #
+  # You can also specify multiple paths in two ways.
+  #
+  # When using path_prefix you can supply multiple routes separated by commas.
+  path_prefix: "/api,/oauth_callback"
+  # You can also specify paths as a list of paths, the configuration will be
+  # rolled together into a comma separated string.
+  path_prefixes:
+    - "/api"
+    - "/oauth_callback"
   # By default, the path prefix will be stripped from the request before it is forwarded upstream.
+  #
   # So in the example above, a request to /api/users/123 will be forwarded to web-1 as /users/123.
+  #
   # To instead forward the request with the original path (including the prefix),
   # specify --strip-path-prefix=false
   strip_path_prefix: false

data/lib/kamal/configuration/proxy.rb

@@ -63,6 +63,10 @@ class Kamal::Configuration::Proxy
     tls_path(config.proxy_boot.tls_container_directory, "key.pem") if custom_ssl_certificate?
   end
 
+  def path_prefixes
+    proxy_config["path_prefixes"] || proxy_config["path_prefix"]&.split(",") || []
+  end
+
   def deploy_options
     {
       host: hosts,
@@ -80,7 +84,7 @@ class Kamal::Configuration::Proxy
       "buffer-memory": proxy_config.dig("buffering", "memory"),
       "max-request-body": proxy_config.dig("buffering", "max_request_body"),
       "max-response-body": proxy_config.dig("buffering", "max_response_body"),
-      "path-prefix": proxy_config.dig("path_prefix"),
+      "path-prefix": path_prefixes,
       "strip-path-prefix": proxy_config.dig("strip_path_prefix"),
       "forward-headers": proxy_config.dig("forward_headers"),
       "tls-redirect": proxy_config.dig("ssl_redirect"),

data/lib/kamal/configuration/registry.rb

@@ -19,6 +19,14 @@ class Kamal::Configuration::Registry
     lookup("password")
   end
 
+  def local?
+    server.to_s.match?("^localhost[:$]")
+  end
+
+  def local_port
+    local? ? (server.split(":").last.to_i || 80) : nil
+  end
+
   private
     attr_reader :registry_config, :secrets
 

data/lib/kamal/configuration/validator/registry.rb

@@ -15,10 +15,12 @@ class Kamal::Configuration::Validator::Registry < Kamal::Configuration::Validato
       with_context(key) do
         value = config[key]
 
-        error "is required" unless value.present?
+        unless config["server"]&.match?("^localhost[:$]")
+          error "is required" unless value.present?
 
-        unless value.is_a?(String) || (value.is_a?(Array) && value.size == 1 && value.first.is_a?(String))
-          error "should be a string or an array with one string (for secret lookup)"
+          unless value.is_a?(String) || (value.is_a?(Array) && value.size == 1 && value.first.is_a?(String))
+            error "should be a string or an array with one string (for secret lookup)"
+          end
         end
       end
     end

data/lib/kamal/configuration/validator.rb

@@ -24,11 +24,11 @@ class Kamal::Configuration::Validator
             example_value = example[key]
 
             if example_value == "..."
-              if key.to_s == "ssl"
-                validate_type! value, TrueClass, FalseClass, Hash
-              elsif key.to_s != "proxy" || !boolean?(value.class)
+              unless key.to_s == "proxy" && boolean?(value.class)
                 validate_type! value, *(Array if key == :servers), Hash
               end
+            elsif key.to_s == "ssl"
+                validate_type! value, TrueClass, FalseClass, Hash
             elsif key == "hosts"
               validate_servers! value
             elsif example_value.is_a?(Array)

data/lib/kamal/configuration.rb

@@ -6,7 +6,7 @@ require "erb"
 require "net/ssh/proxy/jump"
 
 class Kamal::Configuration
-  delegate :service, :image, :labels, :hooks_path, to: :raw_config, allow_nil: true
+  delegate :service, :labels, :hooks_path, to: :raw_config, allow_nil: true
   delegate :argumentize, :optionize, to: Kamal::Utils
 
   attr_reader :destination, :raw_config, :secrets
@@ -157,6 +157,13 @@ class Kamal::Configuration
     (proxy_roles.flat_map(&:hosts) + proxy_accessories.flat_map(&:hosts)).uniq
   end
 
+  def image
+    name = raw_config&.image.presence
+    name ||= raw_config&.service if registry.local?
+
+    name
+  end
+
   def repository
     [ registry.server, image ].compact.join("/")
   end
@@ -282,10 +289,12 @@ class Kamal::Configuration
     end
 
     def ensure_required_keys_present
-      %i[ service image registry ].each do |key|
+      %i[ service registry ].each do |key|
         raise Kamal::ConfigurationError, "Missing required configuration for #{key}" unless raw_config[key].present?
       end
 
+      raise Kamal::ConfigurationError, "Missing required configuration for image" if image.blank?
+
       if raw_config.servers.nil?
         raise Kamal::ConfigurationError, "No servers or accessories specified" unless raw_config.accessories.present?
       else

data/lib/kamal/secrets/adapters/one_password.rb

@@ -17,7 +17,7 @@ class Kamal::Secrets::Adapters::OnePassword < Kamal::Secrets::Adapters::Base
 
     def fetch_secrets(secrets, from:, account:, session:)
       if secrets.blank?
-        fetch_all_secrets(from: from, account: account, session: session) if secrets.blank?
+        fetch_all_secrets(from: from, account: account, session: session)
       else
         fetch_specified_secrets(secrets, from: from, account: account, session: session)
       end

data/lib/kamal/version.rb

@@ -1,3 +1,3 @@
 module Kamal
-  VERSION = "2.7.0"
+  VERSION = "2.8.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: kamal
 version: !ruby/object:Gem::Version
-  version: 2.7.0
+  version: 2.8.0
 platform: ruby
 authors:
 - David Heinemeier Hansson
@@ -229,6 +229,7 @@ files:
 - lib/kamal/cli/healthcheck/poller.rb
 - lib/kamal/cli/lock.rb
 - lib/kamal/cli/main.rb
+- lib/kamal/cli/port_forwarding.rb
 - lib/kamal/cli/proxy.rb
 - lib/kamal/cli/prune.rb
 - lib/kamal/cli/registry.rb
@@ -355,7 +356,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.7
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Deploy web apps in containers to servers running Docker with zero downtime.
 test_files: []