spacebar/kamal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Don't git ignore .kamal/secrets

Browse Source 
Secrets should be interpolated at runtime so we do want the file in git.

But add a warning at the top to avoid adding secrets or git ignore the
file if you do.

Also provide examples of the three options for interpolating secrets.
This commit is contained in:
Donal McBreen
2024-09-11 12:16:18 +01:00
parent 63d0b5ddfa
commit 0cb69a84f5
4 changed files with 18 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
lib/kamal/cli/main.rb
View File

@@ -152,12 +152,6 @@ class Kamal::Cli::Main < Kamal::Cli::Base
FileUtils.mkdir_p secrets_file.dirname
FileUtils.cp_r Pathname.new(File.expand_path("templates/secrets", __dir__)), secrets_file
puts "Created .kamal/secrets file"
gitignore = Pathname.new(File.expand_path(".gitignore"))
if gitignore.exist? && !gitignore.read.include?(".kamal/secrets")
gitignore.open("a") { |f| f.puts "\n.kamal/secrets*" }
puts "Added .kamal/secrets* to .gitignore"
end
end
unless (hooks_dir = Pathname.new(File.expand_path(".kamal/hooks"))).exist?

20
lib/kamal/cli/templates/secrets
View File

@@ -1,6 +1,16 @@
# SECRETS=$(kamal secrets --adapter 1password --from Vault/Item Section1/KAMAL_REGISTRY_PASSWORD Section2/RAILS_MASTER_KEY)
# KAMAL_REGISTRY_PASSWORD=$(kamal secrets extract KAMAL_REGISTRY_PASSWORD ${SECRETS})
# RAILS_MASTER_KEY=$(kamal secrets extract RAILS_MASTER_KEY ${SECRETS})
# WARNING: Avoid adding secrets directly to this file
# If you must, then add `.kamal/secrets*` to your .gitignore file
KAMAL_REGISTRY_PASSWORD=change-this
RAILS_MASTER_KEY=another-env
# Option 1: Read secrets from the environment
KAMAL_REGISTRY_PASSWORD=$KAMAL_REGISTRY_PASSWORD
# Option 2: Read secrets via a command
# RAILS_MASTER_KEY=$(cat config/master.key)
# Option 3: Read secrets via kamal secrets helpers
# These will handle logging in and fetching the secrets in as few calls as possible
# There are adapters for 1Password, LastPass + Bitwarden
#
# SECRETS=$(kamal secrets fetch --adapter 1password --account my-account --from MyVault/MyItem KAMAL_REGISTRY_PASSWORD RAILS_MASTER_KEY)
# KAMAL_REGISTRY_PASSWORD=$(kamal secrets extract KAMAL_REGISTRY_PASSWORD $SECRETS)
# RAILS_MASTER_KEY=$(kamal secrets extract RAILS_MASTER_KEY $SECRETS)