spacebar/kamal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Split env into separate secrets/clear envs

Browse Source 
Split each env file in two on the deploy hosts, one for secrets and
one for clear values. This will allow us to update them independently.
This commit is contained in:
Donal McBreen
2024-03-05 15:49:55 +00:00
parent 6563393d9a
commit 1fa25200cc
20 changed files with 241 additions and 165 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
test/configuration/accessory_test.rb
View File

@@ -113,19 +113,27 @@ class ConfigurationAccessoryTest < ActiveSupport::TestCase
end
test "env args" do
assert_equal ["--env-file", ".kamal/env/accessories/app-mysql.env"], @config.accessory(:mysql).env_args
assert_equal ["--env-file", ".kamal/env/accessories/app-redis.env"], @config.accessory(:redis).env_args
assert_equal \
["--env-file", ".kamal/env/accessories/app-mysql-secret.env", "--env-file", ".kamal/env/accessories/app-mysql-clear.env"],
@config.accessory(:mysql).env_args
assert_equal \
["--env-file", ".kamal/env/accessories/app-redis-secret.env", "--env-file", ".kamal/env/accessories/app-redis-clear.env"],
@config.accessory(:redis).env_args
end
test "env file with secret" do
ENV["MYSQL_ROOT_PASSWORD"] = "secret123"
expected = <<~ENV
expected_secret = <<~ENV
MYSQL_ROOT_PASSWORD=secret123
ENV
expected_clear = <<~ENV
MYSQL_ROOT_HOST=%
ENV
assert_equal expected, @config.accessory(:mysql).env_file.to_s
assert_equal expected_secret, @config.accessory(:mysql).env_file.secret
assert_equal expected_clear, @config.accessory(:mysql).env_file.clear
ensure
ENV["MYSQL_ROOT_PASSWORD"] = nil
end
@@ -134,8 +142,12 @@ class ConfigurationAccessoryTest < ActiveSupport::TestCase
assert_equal ".kamal/env/accessories", @config.accessory(:mysql).host_env_directory
end
test "host_env_file_path" do
assert_equal ".kamal/env/accessories/app-mysql.env", @config.accessory(:mysql).host_env_file_path
test "host_secret_env_file_path" do
assert_equal ".kamal/env/accessories/app-mysql-secret.env", @config.accessory(:mysql).host_secret_env_file_path
end
test "host_clear_env_file_path" do
assert_equal ".kamal/env/accessories/app-mysql-clear.env", @config.accessory(:mysql).host_clear_env_file_path
end
test "volume args" do

47
test/configuration/role_test.rb
View File

@@ -77,7 +77,8 @@ class ConfigurationRoleTest < ActiveSupport::TestCase
WEB_CONCURRENCY=4
ENV
assert_equal expected_env, @config_with_roles.role(:workers).env_file.to_s
assert_equal "\n", @config_with_roles.role(:workers).env_file.secret
assert_equal expected_env, @config_with_roles.role(:workers).env_file.clear
end
test "container name" do
@@ -90,7 +91,9 @@ class ConfigurationRoleTest < ActiveSupport::TestCase
end
test "env args" do
assert_equal ["--env-file", ".kamal/env/roles/app-workers.env"], @config_with_roles.role(:workers).env_args
assert_equal \
["--env-file", ".kamal/env/roles/app-workers-secret.env", "--env-file", ".kamal/env/roles/app-workers-clear.env"],
@config_with_roles.role(:workers).env_args
end
test "env secret overwritten by role" do
@@ -116,14 +119,18 @@ class ConfigurationRoleTest < ActiveSupport::TestCase
ENV["REDIS_PASSWORD"] = "secret456"
ENV["DB_PASSWORD"] = "secret&\"123"
expected = <<~ENV
expected_secret = <<~ENV
REDIS_PASSWORD=secret456
DB_PASSWORD=secret&\"123
ENV
expected_clear = <<~ENV
REDIS_URL=redis://a/b
WEB_CONCURRENCY=4
ENV
assert_equal expected, @config_with_roles.role(:workers).env_file.to_s
assert_equal expected_secret, @config_with_roles.role(:workers).env_file.secret
assert_equal expected_clear, @config_with_roles.role(:workers).env_file.clear
ensure
ENV["REDIS_PASSWORD"] = nil
ENV["DB_PASSWORD"] = nil
@@ -142,13 +149,17 @@ class ConfigurationRoleTest < ActiveSupport::TestCase
ENV["DB_PASSWORD"] = "secret123"
expected = <<~ENV
expected_secret = <<~ENV
DB_PASSWORD=secret123
ENV
expected_clear = <<~ENV
REDIS_URL=redis://a/b
WEB_CONCURRENCY=4
ENV
assert_equal expected, @config_with_roles.role(:workers).env_file.to_s
assert_equal expected_secret, @config_with_roles.role(:workers).env_file.secret
assert_equal expected_clear, @config_with_roles.role(:workers).env_file.clear
ensure
ENV["DB_PASSWORD"] = nil
end
@@ -165,13 +176,17 @@ class ConfigurationRoleTest < ActiveSupport::TestCase
ENV["REDIS_PASSWORD"] = "secret456"
expected = <<~ENV
expected_secret = <<~ENV
REDIS_PASSWORD=secret456
ENV
expected_clear = <<~ENV
REDIS_URL=redis://a/b
WEB_CONCURRENCY=4
ENV
assert_equal expected, @config_with_roles.role(:workers).env_file.to_s
assert_equal expected_secret, @config_with_roles.role(:workers).env_file.secret
assert_equal expected_clear, @config_with_roles.role(:workers).env_file.clear
ensure
ENV["REDIS_PASSWORD"] = nil
end
@@ -194,12 +209,16 @@ class ConfigurationRoleTest < ActiveSupport::TestCase
ENV["REDIS_PASSWORD"] = "secret456"
expected = <<~ENV
expected_secret = <<~ENV
REDIS_PASSWORD=secret456
ENV
expected_clear = <<~ENV
REDIS_URL=redis://c/d
ENV
assert_equal expected, @config_with_roles.role(:workers).env_file.to_s
assert_equal expected_secret, @config_with_roles.role(:workers).env_file.secret
assert_equal expected_clear, @config_with_roles.role(:workers).env_file.clear
ensure
ENV["REDIS_PASSWORD"] = nil
end
@@ -208,8 +227,12 @@ class ConfigurationRoleTest < ActiveSupport::TestCase
assert_equal ".kamal/env/roles", @config_with_roles.role(:workers).host_env_directory
end
test "host_env_file_path" do
assert_equal ".kamal/env/roles/app-workers.env", @config_with_roles.role(:workers).host_env_file_path
test "host_secret_env_file_path" do
assert_equal ".kamal/env/roles/app-workers-secret.env", @config_with_roles.role(:workers).host_secret_env_file_path
end
test "host_clear_env_file_path" do
assert_equal ".kamal/env/roles/app-workers-clear.env", @config_with_roles.role(:workers).host_clear_env_file_path
end
test "uses cord" do