kamal 2.8.2 → 2.10.0

data/lib/kamal/configuration/proxy/run.rb

@@ -0,0 +1,143 @@
+class Kamal::Configuration::Proxy::Run
+  MINIMUM_VERSION = "v0.9.0"
+  DEFAULT_HTTP_PORT = 80
+  DEFAULT_HTTPS_PORT = 443
+  DEFAULT_LOG_MAX_SIZE = "10m"
+
+  attr_reader :config, :run_config
+  delegate :argumentize, :optionize, to: Kamal::Utils
+
+  def initialize(config, run_config:, context: "proxy/run")
+    @config = config
+    @run_config = run_config
+    @context = context
+  end
+
+  def debug?
+    run_config.fetch("debug", nil)
+  end
+
+  def publish?
+    run_config.fetch("publish", true)
+  end
+
+  def http_port
+    run_config.fetch("http_port", DEFAULT_HTTP_PORT)
+  end
+
+  def https_port
+    run_config.fetch("https_port", DEFAULT_HTTPS_PORT)
+  end
+
+  def bind_ips
+    run_config.fetch("bind_ips", nil)
+  end
+
+  def publish_args
+    if publish?
+      (bind_ips || [ nil ]).map do |bind_ip|
+        bind_ip = format_bind_ip(bind_ip)
+        publish_http = [ bind_ip, http_port, DEFAULT_HTTP_PORT ].compact.join(":")
+        publish_https = [ bind_ip, https_port, DEFAULT_HTTPS_PORT ].compact.join(":")
+
+        argumentize "--publish", [ publish_http, publish_https ]
+      end.join(" ")
+    end
+  end
+
+  def log_max_size
+    run_config.fetch("log_max_size", DEFAULT_LOG_MAX_SIZE)
+  end
+
+  def logging_args
+    argumentize "--log-opt", "max-size=#{log_max_size}" if log_max_size.present?
+  end
+
+  def version
+    run_config.fetch("version", MINIMUM_VERSION)
+  end
+
+  def registry
+    run_config.fetch("registry", nil)
+  end
+
+  def repository
+    run_config.fetch("repository", "basecamp/kamal-proxy")
+  end
+
+  def image
+    "#{[ registry, repository ].compact.join("/")}:#{version}"
+  end
+
+  def container_name
+    "kamal-proxy"
+  end
+
+  def options_args
+    if args = run_config["options"]
+      optionize args
+    end
+  end
+
+  def run_command
+    [ "kamal-proxy", "run", *optionize(run_command_options) ].join(" ")
+  end
+
+  def metrics_port
+    run_config["metrics_port"]
+  end
+
+  def run_command_options
+    { debug: debug? || nil, "metrics-port": metrics_port }.compact
+  end
+
+  def docker_options_args
+    [
+      *apps_volume_args,
+      *publish_args,
+      *logging_args,
+      *("--expose=#{metrics_port}" if metrics_port.present?),
+      *options_args
+    ].compact
+  end
+
+  def host_directory
+    File.join config.run_directory, "proxy"
+  end
+
+  def apps_directory
+    File.join host_directory, "apps-config"
+  end
+
+  def apps_container_directory
+    "/home/kamal-proxy/.apps-config"
+  end
+
+  def apps_volume
+    Kamal::Configuration::Volume.new \
+      host_path: apps_directory,
+      container_path: apps_container_directory
+  end
+
+  def apps_volume_args
+    [ apps_volume.docker_args ]
+  end
+
+  def app_directory
+    File.join apps_directory, config.service_and_destination
+  end
+
+  def app_container_directory
+    File.join apps_container_directory, config.service_and_destination
+  end
+
+  private
+    def format_bind_ip(ip)
+      # Ensure IPv6 address inside square brackets - e.g. [::1]
+      if ip =~ Resolv::IPv6::Regex && ip !~ /\A\[.*\]\z/
+        "[#{ip}]"
+      else
+        ip
+      end
+    end
+end

data/lib/kamal/configuration/proxy.rb

@@ -6,8 +6,7 @@ class Kamal::Configuration::Proxy
 
   delegate :argumentize, :optionize, to: Kamal::Utils
 
-  attr_reader :config, :proxy_config, :role_name, :secrets
-
+  attr_reader :config, :proxy_config, :role_name, :run, :secrets
   def initialize(config:, proxy_config:, role_name: nil, secrets:, context: "proxy")
     @config = config
     @proxy_config = proxy_config
@@ -15,6 +14,7 @@ class Kamal::Configuration::Proxy
     @role_name = role_name
     @secrets = secrets
     validate! @proxy_config, with: Kamal::Configuration::Validator::Proxy, context: context
+    @run = Kamal::Configuration::Proxy::Run.new(config, run_config: @proxy_config["run"], context: "#{context}/run") if @proxy_config && @proxy_config["run"].present?
   end
 
   def app_port

data/lib/kamal/configuration/role.rb

@@ -36,7 +36,7 @@ class Kamal::Configuration::Role
   end
 
   def env_tags(host)
-    tagged_hosts.fetch(host).collect { |tag| config.env_tag(tag) }
+    tagged_hosts.fetch(host).collect { |tag| config.env_tag(tag) }.compact
   end
 
   def cmd
@@ -127,7 +127,7 @@ class Kamal::Configuration::Role
 
 
   def asset_path
-    specializations["asset_path"] || config.asset_path
+    asset_path_config&.dig(0)
   end
 
   def assets?
@@ -137,10 +137,14 @@ class Kamal::Configuration::Role
   def asset_volume(version = config.version)
     if assets?
       Kamal::Configuration::Volume.new \
-        host_path: asset_volume_directory(version), container_path: asset_path
+        host_path: asset_volume_directory(version), container_path: asset_path, options: asset_path_options
     end
   end
 
+  def asset_path_options
+    asset_path_config&.dig(1)
+  end
+
   def asset_extracted_directory(version = config.version)
     File.join config.assets_directory, "extracted", [ name, version ].join("-")
   end
@@ -219,4 +223,12 @@ class Kamal::Configuration::Role
         labels.merge!(specializations["labels"]) if specializations["labels"].present?
       end
     end
+
+    def asset_path_config
+      raw_path = specializations["asset_path"] || config.asset_path
+      return nil unless raw_path.present?
+
+      parts = raw_path.split(":", 2)
+      [ parts[0], parts[1] ]
+    end
 end

data/lib/kamal/configuration/ssh.rb

@@ -3,10 +3,11 @@ class Kamal::Configuration::Ssh
 
   include Kamal::Configuration::Validation
 
-  attr_reader :ssh_config
+  attr_reader :ssh_config, :secrets
 
   def initialize(config:)
     @ssh_config = config.raw_config.ssh || {}
+    @secrets = config.secrets
     validate! ssh_config
   end
 
@@ -35,11 +36,25 @@ class Kamal::Configuration::Ssh
   end
 
   def key_data
-    ssh_config["key_data"]
+    key_data = ssh_config["key_data"]
+    return unless key_data
+
+    key_data.map do |k|
+      if secrets.key?(k)
+        secrets[k]
+      else
+        warn "Inline key_data usage is deprecated and will be removed in Kamal 3. Please store your key_data in a secret."
+        k
+      end
+    end
+  end
+
+  def config
+    ssh_config["config"]
   end
 
   def options
-    { user: user, port: port, proxy: proxy, logger: logger, keepalive: true, keepalive_interval: 30, keys_only: keys_only, keys: keys, key_data: key_data }.compact
+    { user: user, port: port, proxy: proxy, logger: logger, keepalive: true, keepalive_interval: 30, keys_only: keys_only, keys: keys, key_data: key_data, config: config  }.compact
   end
 
   def to_h

data/lib/kamal/configuration/sshkit.rb

@@ -16,6 +16,10 @@ class Kamal::Configuration::Sshkit
     sshkit_config.fetch("pool_idle_timeout", 900)
   end
 
+  def dns_retries
+    Integer(sshkit_config.fetch("dns_retries", 3))
+  end
+
   def to_h
     sshkit_config
   end

data/lib/kamal/configuration/validator/proxy.rb

@@ -20,6 +20,26 @@ class Kamal::Configuration::Validator::Proxy < Kamal::Configuration::Validator
           error "Missing certificate_pem setting (required when private_key_pem is present)"
         end
       end
+
+      if run_config = config["run"]
+        if run_config["bind_ips"].present?
+          ensure_valid_bind_ips(config["bind_ips"])
+        end
+
+        if run_config["publish"] == false
+          if run_config["bind_ips"].present? || run_config["http_port"].present? || run_config["https_port"].present?
+            error "Cannot set http_port, https_port or bind_ips when publish is false"
+          end
+        end
+      end
     end
   end
+
+  private
+    def ensure_valid_bind_ips(bind_ips)
+      bind_ips.present? && bind_ips.each do |ip|
+        next if ip =~ Resolv::IPv4::Regex || ip =~ Resolv::IPv6::Regex
+        error "Invalid publish IP address: #{ip}"
+      end
+    end
 end

data/lib/kamal/configuration/validator.rb

@@ -34,6 +34,10 @@ class Kamal::Configuration::Validator
             elsif example_value.is_a?(Array)
               if key == "arch"
                 validate_array_of_or_type! value, example_value.first.class
+              elsif key.to_s == "config"
+                validate_ssh_config!(value)
+              elsif key.to_s == "files" || key.to_s == "directories"
+                validate_paths!(value)
               else
                 validate_array_of! value, example_value.first.class
               end
@@ -129,6 +133,34 @@ class Kamal::Configuration::Validator
       end
     end
 
+    def validate_ssh_config!(config)
+      if config.is_a?(Array)
+        validate_array_of! config, String
+      elsif boolean?(config.class) || config.is_a?(String)
+        # Booleans and Strings are allowed
+      else
+        type_error(TrueClass, FalseClass, String, Array)
+      end
+    end
+
+    def validate_paths!(paths)
+      validate_type! paths, Array
+
+      paths.each_with_index do |path, index|
+        with_context(index) do
+          validate_type! path, String, Hash
+
+          if path.is_a?(Hash)
+            %w[local remote mode owner options].each do |key|
+              with_context(key) do
+                validate_type! path[key], String if path.key?(key)
+              end
+            end
+          end
+        end
+      end
+    end
+
     def validate_type!(value, *types)
       type_error(*types) unless types.any? { |type| valid_type?(value, type) }
     end
@@ -138,7 +170,8 @@ class Kamal::Configuration::Validator
     end
 
     def type_error(*expected_types)
-      error "should be #{expected_types.map { |type| type_description(type) }.join(" or ")}"
+      descriptions = expected_types.map { |type| type_description(type) }.uniq
+      error "should be #{descriptions.join(" or ")}"
     end
 
     def unknown_keys_error(unknown_keys)

data/lib/kamal/configuration/volume.rb

@@ -1,14 +1,21 @@
 class Kamal::Configuration::Volume
-  attr_reader :host_path, :container_path
+  attr_reader :host_path, :container_path, :options
   delegate :argumentize, to: Kamal::Utils
 
-  def initialize(host_path:, container_path:)
+  def initialize(host_path:, container_path:, options: nil)
     @host_path = host_path
     @container_path = container_path
+    @options = options
   end
 
   def docker_args
-    argumentize "--volume", "#{host_path_for_docker_volume}:#{container_path}"
+    argumentize "--volume", docker_args_string
+  end
+
+  def docker_args_string
+    volume_string = "#{host_path_for_docker_volume}:#{container_path}"
+    volume_string += ":#{options}" if options.present?
+    volume_string
   end
 
   private
@@ -16,7 +23,7 @@ class Kamal::Configuration::Volume
       if Pathname.new(host_path).absolute?
         host_path
       else
-        File.join "$(pwd)", host_path
+        "$PWD/#{host_path}"
       end
     end
 end

data/lib/kamal/configuration.rb

@@ -50,7 +50,7 @@ class Kamal::Configuration
 
     validate! raw_config, example: validation_yml.symbolize_keys, context: "", with: Kamal::Configuration::Validator::Configuration
 
-    @secrets = Kamal::Secrets.new(destination: destination)
+    @secrets = Kamal::Secrets.new(destination: destination, secrets_path: secrets_path)
 
     # Eager load config to validate it, these are first as they have dependencies later on
     @servers = Servers.new(config: self)
@@ -77,6 +77,7 @@ class Kamal::Configuration
     ensure_one_host_for_ssl_roles
     ensure_unique_hosts_for_ssl_roles
     ensure_local_registry_remote_builder_has_ssh_url
+    ensure_no_conflicting_proxy_runs
   end
 
   def version=(version)
@@ -122,6 +123,14 @@ class Kamal::Configuration
     (roles + accessories).flat_map(&:hosts).uniq
   end
 
+  def host_roles(host)
+    roles.select { |role| role.hosts.include?(host) }
+  end
+
+  def host_accessories(host)
+    accessories.select { |accessory| accessory.hosts.include?(host) }
+  end
+
   def app_hosts
     roles.flat_map(&:hosts).uniq
   end
@@ -165,6 +174,11 @@ class Kamal::Configuration
     name
   end
 
+  def proxy_run(host)
+    # We validate that all the config are identical for a host
+    proxy_runs(host.to_s).first
+  end
+
   def repository
     [ registry.server, image ].compact.join("/")
   end
@@ -241,6 +255,10 @@ class Kamal::Configuration
     raw_config.hooks_path || ".kamal/hooks"
   end
 
+  def secrets_path
+    raw_config.secrets_path || ".kamal/secrets"
+  end
+
   def asset_path
     raw_config.asset_path
   end
@@ -374,6 +392,19 @@ class Kamal::Configuration
       true
     end
 
+    def ensure_no_conflicting_proxy_runs
+      all_hosts.each do |host|
+        run_configs = proxy_runs(host)
+        if run_configs.uniq.size > 1
+          raise Kamal::ConfigurationError, "Conflicting proxy run configurations for host #{host}"
+        end
+      end
+    end
+
+    def proxy_runs(host)
+      (host_roles(host) + host_accessories(host)).map(&:proxy).compact.map(&:run).compact
+    end
+
     def role_names
       raw_config.servers.is_a?(Array) ? [ "web" ] : raw_config.servers.keys.sort
     end

data/lib/kamal/secrets/adapters/passbolt.rb

@@ -47,9 +47,8 @@ class Kamal::Secrets::Adapters::Passbolt < Kamal::Secrets::Adapters::Base
       end
 
       filter_condition = filter_conditions.any? ? "--filter '#{filter_conditions.join(" || ")}'" : ""
-      items = `passbolt list resources #{filter_condition} #{folders.map { |item| "--folder #{item["id"]}" }.join(" ")} --json`
+      items = `passbolt list resources #{filter_condition} #{folders.map { |item| "--folder #{item["id"].to_s.shellescape}" }.join(" ")} --json`
       raise RuntimeError, "Could not read #{secrets} from Passbolt" unless $?.success?
-
       items = JSON.parse(items)
       found_names = items.map { |item| item["name"] }
       missing_secrets = secret_names - found_names

data/lib/kamal/secrets/adapters/test.rb

@@ -5,7 +5,9 @@ class Kamal::Secrets::Adapters::Test < Kamal::Secrets::Adapters::Base
     end
 
     def fetch_secrets(secrets, from:, account:, session:)
-      prefixed_secrets(secrets, from: from).to_h { |secret| [ secret, secret.reverse ] }
+      prefixed_secrets(secrets, from: from).to_h do |secret|
+        [ secret, secret.gsub("LPAREN", "(").gsub("RPAREN", ")").reverse ]
+      end
     end
 
     def check_dependencies!

data/lib/kamal/secrets/dotenv/inline_command_substitution.rb

@@ -1,4 +1,18 @@
 class Kamal::Secrets::Dotenv::InlineCommandSubstitution
+  # Unlike dotenv, this regex does not match escaped
+  # parentheses when looking for command substitutions.
+  INTERPOLATED_SHELL_COMMAND = /
+    (?<backslash>\\)?          # is it escaped with a backslash?
+    \$                         # literal $
+    (?<cmd>                    # collect command content for eval
+      \(                       # require opening paren
+      (?:\\.|[^()\\]|\g<cmd>)+ # allow any number of non-parens or escaped
+                               # parens (by nesting the <cmd> expression
+                               # recursively)
+      \)                       # require closing paren
+    )
+  /x
+
   class << self
     def install!
       ::Dotenv::Parser.substitutions.map! { |sub| sub == ::Dotenv::Substitutions::Command ? self : sub }
@@ -6,7 +20,7 @@ class Kamal::Secrets::Dotenv::InlineCommandSubstitution
 
     def call(value, env, overwrite: false)
       # Process interpolated shell commands
-      value.gsub(Dotenv::Substitutions::Command.singleton_class::INTERPOLATED_SHELL_COMMAND) do |*|
+      value.gsub(INTERPOLATED_SHELL_COMMAND) do |*|
         # Eliminate opening and closing parentheses
         command = $LAST_MATCH_INFO[:cmd][1..-2]
 

data/lib/kamal/secrets.rb

@@ -3,16 +3,14 @@ require "dotenv"
 class Kamal::Secrets
   Kamal::Secrets::Dotenv::InlineCommandSubstitution.install!
 
-  def initialize(destination: nil)
+  def initialize(destination: nil, secrets_path:)
     @destination = destination
+    @secrets_path = secrets_path
     @mutex = Mutex.new
   end
 
   def [](key)
-    # Fetching secrets may ask the user for input, so ensure only one thread does that
-    @mutex.synchronize do
-      secrets.fetch(key)
-    end
+    synchronized_fetch(key)
   rescue KeyError
     if secrets_files.present?
       raise Kamal::ConfigurationError, "Secret '#{key}' not found in #{secrets_files.join(", ")}"
@@ -29,6 +27,12 @@ class Kamal::Secrets
     @secrets_files ||= secrets_filenames.select { |f| File.exist?(f) }
   end
 
+  def key?(key)
+    synchronized_fetch(key).present?
+  rescue KeyError
+    false
+  end
+
   private
     def secrets
       @secrets ||= secrets_files.inject({}) do |secrets, secrets_file|
@@ -37,6 +41,13 @@ class Kamal::Secrets
     end
 
     def secrets_filenames
-      [ ".kamal/secrets-common", ".kamal/secrets#{(".#{@destination}" if @destination)}" ]
+      [ "#{@secrets_path}-common", "#{@secrets_path}#{(".#{@destination}" if @destination)}" ]
+    end
+
+    def synchronized_fetch(key)
+      # Fetching secrets may ask the user for input, so ensure only one thread does that
+      @mutex.synchronize do
+        secrets.fetch(key)
+      end
     end
 end