Merge branch 'main' into feature/docker-build-cloud

2025-01-17 15:49:28 +00:00
parent b420b2613d a388937de8
commit 2c9bba3f88
54 changed files with 1154 additions and 196 deletions
--- a/test/cli/accessory_test.rb
+++ b/test/cli/accessory_test.rb
@@ -14,8 +14,8 @@ class CliAccessoryTest < CliTestCase
    Kamal::Cli::Accessory.any_instance.expects(:upload).with("mysql")

    run_command("boot", "mysql").tap do |output|
-      assert_match /docker login.*on 1.1.1.3/, output
-      assert_match "docker run --name app-mysql --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 3306:3306 --env MYSQL_ROOT_HOST=\"%\" --env-file .kamal/apps/app/env/accessories/mysql.env --volume $PWD/app-mysql/etc/mysql/my.cnf:/etc/mysql/my.cnf --volume $PWD/app-mysql/data:/var/lib/mysql --label service=\"app-mysql\" mysql:5.7 on 1.1.1.3", output
+      assert_match "docker login private.registry -u [REDACTED] -p [REDACTED] on 1.1.1.3", output
+      assert_match "docker run --name app-mysql --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 3306:3306 --env MYSQL_ROOT_HOST=\"%\" --env-file .kamal/apps/app/env/accessories/mysql.env --volume $PWD/app-mysql/etc/mysql/my.cnf:/etc/mysql/my.cnf --volume $PWD/app-mysql/data:/var/lib/mysql --label service=\"app-mysql\" private.registry/mysql:5.7 on 1.1.1.3", output
    end
  end

@@ -24,17 +24,21 @@ class CliAccessoryTest < CliTestCase
    Kamal::Cli::Accessory.any_instance.expects(:upload).with("mysql")
    Kamal::Cli::Accessory.any_instance.expects(:directories).with("redis")
    Kamal::Cli::Accessory.any_instance.expects(:upload).with("redis")
+    Kamal::Cli::Accessory.any_instance.expects(:directories).with("busybox")
+    Kamal::Cli::Accessory.any_instance.expects(:upload).with("busybox")

    run_command("boot", "all").tap do |output|
-      assert_match /docker login.*on 1.1.1.3/, output
-      assert_match /docker login.*on 1.1.1.1/, output
-      assert_match /docker login.*on 1.1.1.2/, output
+      assert_match "docker login private.registry -u [REDACTED] -p [REDACTED] on 1.1.1.3", output
+      assert_match "docker login private.registry -u [REDACTED] -p [REDACTED] on 1.1.1.1", output
+      assert_match "docker login private.registry -u [REDACTED] -p [REDACTED] on 1.1.1.2", output
+      assert_match "docker login other.registry -u [REDACTED] -p [REDACTED] on 1.1.1.3", output
      assert_match /docker network create kamal.*on 1.1.1.1/, output
      assert_match /docker network create kamal.*on 1.1.1.2/, output
      assert_match /docker network create kamal.*on 1.1.1.3/, output
-      assert_match "docker run --name app-mysql --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 3306:3306 --env MYSQL_ROOT_HOST=\"%\" --env-file .kamal/apps/app/env/accessories/mysql.env --volume $PWD/app-mysql/etc/mysql/my.cnf:/etc/mysql/my.cnf --volume $PWD/app-mysql/data:/var/lib/mysql --label service=\"app-mysql\" mysql:5.7 on 1.1.1.3", output
+      assert_match "docker run --name app-mysql --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 3306:3306 --env MYSQL_ROOT_HOST=\"%\" --env-file .kamal/apps/app/env/accessories/mysql.env --volume $PWD/app-mysql/etc/mysql/my.cnf:/etc/mysql/my.cnf --volume $PWD/app-mysql/data:/var/lib/mysql --label service=\"app-mysql\" private.registry/mysql:5.7 on 1.1.1.3", output
      assert_match "docker run --name app-redis --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 6379:6379 --env-file .kamal/apps/app/env/accessories/redis.env --volume $PWD/app-redis/data:/data --label service=\"app-redis\" redis:latest on 1.1.1.1", output
      assert_match "docker run --name app-redis --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 6379:6379 --env-file .kamal/apps/app/env/accessories/redis.env --volume $PWD/app-redis/data:/data --label service=\"app-redis\" redis:latest on 1.1.1.2", output
+      assert_match "docker run --name custom-box --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --env-file .kamal/apps/app/env/accessories/busybox.env --label service=\"custom-box\" other.registry/busybox:latest on 1.1.1.3", output
    end
  end

@@ -60,13 +64,16 @@ class CliAccessoryTest < CliTestCase
  end

  test "reboot all" do
-    Kamal::Commands::Registry.any_instance.expects(:login).times(3)
+    Kamal::Commands::Registry.any_instance.expects(:login).times(4)
    Kamal::Cli::Accessory.any_instance.expects(:stop).with("mysql")
    Kamal::Cli::Accessory.any_instance.expects(:remove_container).with("mysql")
    Kamal::Cli::Accessory.any_instance.expects(:boot).with("mysql", prepare: false)
    Kamal::Cli::Accessory.any_instance.expects(:stop).with("redis")
    Kamal::Cli::Accessory.any_instance.expects(:remove_container).with("redis")
    Kamal::Cli::Accessory.any_instance.expects(:boot).with("redis", prepare: false)
+    Kamal::Cli::Accessory.any_instance.expects(:stop).with("busybox")
+    Kamal::Cli::Accessory.any_instance.expects(:remove_container).with("busybox")
+    Kamal::Cli::Accessory.any_instance.expects(:boot).with("busybox", prepare: false)

    run_command("reboot", "all")
  end
@@ -94,7 +101,7 @@ class CliAccessoryTest < CliTestCase
  end

  test "details with non-existent accessory" do
-    assert_equal "No accessory by the name of 'hello' (options: mysql and redis)", stderred { run_command("details", "hello") }
+    assert_equal "No accessory by the name of 'hello' (options: mysql, redis, and busybox)", stderred { run_command("details", "hello") }
  end

  test "details with all" do
@@ -180,6 +187,10 @@ class CliAccessoryTest < CliTestCase
    Kamal::Cli::Accessory.any_instance.expects(:remove_container).with("redis")
    Kamal::Cli::Accessory.any_instance.expects(:remove_image).with("redis")
    Kamal::Cli::Accessory.any_instance.expects(:remove_service_directory).with("redis")
+    Kamal::Cli::Accessory.any_instance.expects(:stop).with("busybox")
+    Kamal::Cli::Accessory.any_instance.expects(:remove_container).with("busybox")
+    Kamal::Cli::Accessory.any_instance.expects(:remove_image).with("busybox")
+    Kamal::Cli::Accessory.any_instance.expects(:remove_service_directory).with("busybox")

    run_command("remove", "all", "-y")
  end
@@ -189,7 +200,7 @@ class CliAccessoryTest < CliTestCase
  end

  test "remove_image" do
-    assert_match "docker image rm --force mysql", run_command("remove_image", "mysql")
+    assert_match "docker image rm --force private.registry/mysql:5.7", run_command("remove_image", "mysql")
  end

  test "remove_service_directory" do
@@ -201,8 +212,8 @@ class CliAccessoryTest < CliTestCase
    Kamal::Cli::Accessory.any_instance.expects(:upload).with("redis")

    run_command("boot", "redis", "--hosts", "1.1.1.1").tap do |output|
-      assert_match /docker login.*on 1.1.1.1/, output
-      assert_no_match /docker login.*on 1.1.1.2/, output
+      assert_match "docker login private.registry -u [REDACTED] -p [REDACTED] on 1.1.1.1", output
+      assert_no_match "docker login private.registry -u [REDACTED] -p [REDACTED] on 1.1.1.2", output
      assert_match "docker run --name app-redis --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 6379:6379 --env-file .kamal/apps/app/env/accessories/redis.env --volume $PWD/app-redis/data:/data --label service=\"app-redis\" redis:latest on 1.1.1.1", output
      assert_no_match "docker run --name app-redis --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 6379:6379 --env-file .kamal/apps/app/env/accessories/redis.env --volume $PWD/app-redis/data:/data --label service=\"app-redis\" redis:latest on 1.1.1.2", output
    end
@@ -213,8 +224,8 @@ class CliAccessoryTest < CliTestCase
    Kamal::Cli::Accessory.any_instance.expects(:upload).with("redis")

    run_command("boot", "redis", "--hosts", "1.1.1.1,1.1.1.3").tap do |output|
-      assert_match /docker login.*on 1.1.1.1/, output
-      assert_no_match /docker login.*on 1.1.1.3/, output
+      assert_match "docker login private.registry -u [REDACTED] -p [REDACTED] on 1.1.1.1", output
+      assert_no_match "docker login private.registry -u [REDACTED] -p [REDACTED] on 1.1.1.3", output
      assert_match "docker run --name app-redis --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 6379:6379 --env-file .kamal/apps/app/env/accessories/redis.env --volume $PWD/app-redis/data:/data --label service=\"app-redis\" redis:latest on 1.1.1.1", output
      assert_no_match "docker run --name app-redis --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 6379:6379 --env-file .kamal/apps/app/env/accessories/redis.env --volume $PWD/app-redis/data:/data --label service=\"app-redis\" redis:latest on 1.1.1.3", output
    end
@@ -225,7 +236,7 @@ class CliAccessoryTest < CliTestCase
      assert_match "Upgrading all accessories on 1.1.1.3,1.1.1.1,1.1.1.2...", output
      assert_match "docker network create kamal on 1.1.1.3", output
      assert_match "docker container stop app-mysql on 1.1.1.3", output
-      assert_match "docker run --name app-mysql --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 3306:3306 --env MYSQL_ROOT_HOST="%" --env-file .kamal/apps/app/env/accessories/mysql.env --volume $PWD/app-mysql/etc/mysql/my.cnf:/etc/mysql/my.cnf --volume $PWD/app-mysql/data:/var/lib/mysql --label service=\"app-mysql\" mysql:5.7 on 1.1.1.3", output
+      assert_match "docker run --name app-mysql --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 3306:3306 --env MYSQL_ROOT_HOST="%" --env-file .kamal/apps/app/env/accessories/mysql.env --volume $PWD/app-mysql/etc/mysql/my.cnf:/etc/mysql/my.cnf --volume $PWD/app-mysql/data:/var/lib/mysql --label service=\"app-mysql\" private.registry/mysql:5.7 on 1.1.1.3", output
      assert_match "Upgraded all accessories on 1.1.1.3,1.1.1.1,1.1.1.2...", output
    end
  end
@@ -235,14 +246,13 @@ class CliAccessoryTest < CliTestCase
      assert_match "Upgrading all accessories on 1.1.1.3...", output
      assert_match "docker network create kamal on 1.1.1.3", output
      assert_match "docker container stop app-mysql on 1.1.1.3", output
-      assert_match "docker run --name app-mysql --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 3306:3306 --env MYSQL_ROOT_HOST="%" --env-file .kamal/apps/app/env/accessories/mysql.env --volume $PWD/app-mysql/etc/mysql/my.cnf:/etc/mysql/my.cnf --volume $PWD/app-mysql/data:/var/lib/mysql --label service=\"app-mysql\" mysql:5.7 on 1.1.1.3", output
+      assert_match "docker run --name app-mysql --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --publish 3306:3306 --env MYSQL_ROOT_HOST="%" --env-file .kamal/apps/app/env/accessories/mysql.env --volume $PWD/app-mysql/etc/mysql/my.cnf:/etc/mysql/my.cnf --volume $PWD/app-mysql/data:/var/lib/mysql --label service=\"app-mysql\" private.registry/mysql:5.7 on 1.1.1.3", output
      assert_match "Upgraded all accessories on 1.1.1.3", output
    end
  end

-
  private
    def run_command(*command)
-      stdouted { Kamal::Cli::Accessory.start([ *command, "-c", "test/fixtures/deploy_with_accessories.yml" ]) }
+      stdouted { Kamal::Cli::Accessory.start([ *command, "-c", "test/fixtures/deploy_with_accessories_with_different_registries.yml" ]) }
    end
 end
--- a/test/cli/app_test.rb
+++ b/test/cli/app_test.rb
@@ -73,7 +73,7 @@ class CliAppTest < CliTestCase
    run_command("boot", config: :with_assets).tap do |output|
      assert_match "docker tag dhh/app:latest dhh/app:latest", output
      assert_match "/usr/bin/env mkdir -p .kamal/apps/app/assets/volumes/web-latest ; cp -rnT .kamal/apps/app/assets/extracted/web-latest .kamal/apps/app/assets/volumes/web-latest ; cp -rnT .kamal/apps/app/assets/extracted/web-latest .kamal/apps/app/assets/volumes/web-123 || true ; cp -rnT .kamal/apps/app/assets/extracted/web-123 .kamal/apps/app/assets/volumes/web-latest || true", output
-      assert_match "/usr/bin/env mkdir -p .kamal/apps/app/assets/extracted/web-latest && docker stop -t 1 app-web-assets 2> /dev/null || true && docker run --name app-web-assets --detach --rm --entrypoint sleep dhh/app:latest 1000000 && docker cp -L app-web-assets:/public/assets/. .kamal/apps/app/assets/extracted/web-latest && docker stop -t 1 app-web-assets", output
+      assert_match "/usr/bin/env mkdir -p .kamal/apps/app/assets/extracted/web-latest && docker container rm app-web-assets 2> /dev/null || true && docker container create --name app-web-assets dhh/app:latest && docker container cp -L app-web-assets:/public/assets/. .kamal/apps/app/assets/extracted/web-latest && docker container rm app-web-assets", output
      assert_match /docker run --detach --restart unless-stopped --name app-web-latest --network kamal --hostname 1.1.1.1-[0-9a-f]{12} /, output
      assert_match "docker container ls --all --filter name=^app-web-123$ --quiet | xargs docker stop", output
      assert_match "/usr/bin/env find .kamal/apps/app/assets/extracted -maxdepth 1 -name 'web-*' ! -name web-latest -exec rm -rf \"{}\" + ; find .kamal/apps/app/assets/volumes -maxdepth 1 -name 'web-*' ! -name web-latest -exec rm -rf \"{}\" +", output
@@ -382,8 +382,10 @@ class CliAppTest < CliTestCase


  test "version through main" do
-    stdouted { Kamal::Cli::Main.start([ "app", "version", "-c", "test/fixtures/deploy_with_accessories.yml", "--hosts", "1.1.1.1" ]) }.tap do |output|
-      assert_match "sh -c 'docker ps --latest --format '\\''{{.Names}}'\\'' --filter label=service=app --filter label=destination= --filter label=role=web --filter status=running --filter status=restarting --filter ancestor=$(docker image ls --filter reference=dhh/app:latest --format '\\''{{.ID}}'\\'') ; docker ps --latest --format '\\''{{.Names}}'\\'' --filter label=service=app --filter label=destination= --filter label=role=web --filter status=running --filter status=restarting' | head -1 | while read line; do echo ${line#app-web-}; done", output
+    with_argv([ "app", "version", "-c", "test/fixtures/deploy_with_accessories.yml", "--hosts", "1.1.1.1" ]) do
+      stdouted { Kamal::Cli::Main.start }.tap do |output|
+        assert_match "sh -c 'docker ps --latest --format '\\''{{.Names}}'\\'' --filter label=service=app --filter label=destination= --filter label=role=web --filter status=running --filter status=restarting --filter ancestor=$(docker image ls --filter reference=dhh/app:latest --format '\\''{{.ID}}'\\'') ; docker ps --latest --format '\\''{{.Names}}'\\'' --filter label=service=app --filter label=destination= --filter label=role=web --filter status=running --filter status=restarting' | head -1 | while read line; do echo ${line#app-web-}; done", output
+      end
    end
  end

--- a/test/cli/build_test.rb
+++ b/test/cli/build_test.rb
@@ -155,7 +155,7 @@ class CliBuildTest < CliTestCase
      .raises(SSHKit::Command::Failed.new("no buildx"))

    Kamal::Commands::Builder.any_instance.stubs(:native_and_local?).returns(false)
-    assert_raises(Kamal::Cli::Build::BuildError) { run_command("push") }
+    assert_raises(Kamal::Cli::DependencyError) { run_command("push") }
  end

  test "push pre-build hook failure" do
@@ -286,17 +286,4 @@ class CliBuildTest < CliTestCase
      SSHKit::Backend::Abstract.any_instance.stubs(:execute)
        .with { |*args| args[0..1] == [ :docker, :buildx ] }
    end
-
-    def with_build_directory
-      build_directory = File.join Dir.tmpdir, "kamal-clones", "app-#{pwd_sha}", "kamal"
-      FileUtils.mkdir_p build_directory
-      FileUtils.touch File.join build_directory, "Dockerfile"
-      yield build_directory + "/"
-    ensure
-      FileUtils.rm_rf build_directory
-    end
-
-    def pwd_sha
-      Digest::SHA256.hexdigest(Dir.pwd)[0..12]
-    end
 end
--- a/test/cli/cli_test_case.rb
+++ b/test/cli/cli_test_case.rb
@@ -51,4 +51,17 @@ class CliTestCase < ActiveSupport::TestCase
    ensure
      ARGV.replace(old_argv)
    end
+
+    def with_build_directory
+      build_directory = File.join Dir.tmpdir, "kamal-clones", "app-#{pwd_sha}", "kamal"
+      FileUtils.mkdir_p build_directory
+      FileUtils.touch File.join build_directory, "Dockerfile"
+      yield build_directory + "/"
+    ensure
+      FileUtils.rm_rf build_directory
+    end
+
+    def pwd_sha
+      Digest::SHA256.hexdigest(Dir.pwd)[0..12]
+    end
 end
--- a/test/cli/main_test.rb
+++ b/test/cli/main_test.rb
@@ -8,8 +8,7 @@ class CliMainTest < CliTestCase
    invoke_options = { "config_file" => "test/fixtures/deploy_simple.yml", "version" => "999", "skip_hooks" => false }

    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:server:bootstrap", [], invoke_options)
-    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:accessory:boot", [ "all" ], invoke_options)
-    Kamal::Cli::Main.any_instance.expects(:deploy)
+    Kamal::Cli::Main.any_instance.expects(:deploy).with(boot_accessories: true)

    run_command("setup").tap do |output|
      assert_match /Ensure Docker is installed.../, output
@@ -460,6 +459,7 @@ class CliMainTest < CliTestCase

  test "run an alias for a console" do
    run_command("console", config_file: "deploy_with_aliases").tap do |output|
+      assert_no_match "App Host: 1.1.1.4", output
      assert_match "docker exec app-console-999 bin/console on 1.1.1.5", output
      assert_match "App Host: 1.1.1.5", output
    end
@@ -486,6 +486,33 @@ class CliMainTest < CliTestCase
    end
  end

+  test "switch config file with an alias" do
+    with_config_files do
+      with_argv([ "other_config" ]) do
+        stdouted { Kamal::Cli::Main.start }.tap do |output|
+          assert_match ":service_with_version: app2-999", output
+        end
+      end
+    end
+  end
+
+  test "switch destination with an alias" do
+    with_config_files do
+      with_argv([ "other_destination_config" ]) do
+        stdouted { Kamal::Cli::Main.start }.tap do |output|
+          assert_match ":service_with_version: app3-999", output
+        end
+      end
+    end
+  end
+
+  test "run on primary via alias" do
+    run_command("primary_details", config_file: "deploy_with_aliases").tap do |output|
+      assert_match "App Host: 1.1.1.1", output
+      assert_no_match "App Host: 1.1.1.2", output
+    end
+  end
+
  test "upgrade" do
    invoke_options = { "config_file" => "test/fixtures/deploy_with_accessories.yml", "skip_hooks" => false, "confirmed" => true, "rolling" => false }
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:proxy:upgrade", [], invoke_options)
@@ -530,6 +557,20 @@ class CliMainTest < CliTestCase
      end
    end

+    def with_config_files
+      Dir.mktmpdir do |tmpdir|
+        config_dir = File.join(tmpdir, "config")
+        FileUtils.mkdir_p(config_dir)
+        FileUtils.cp "test/fixtures/deploy.yml", config_dir
+        FileUtils.cp "test/fixtures/deploy2.yml", config_dir
+        FileUtils.cp "test/fixtures/deploy.elsewhere.yml", config_dir
+
+        Dir.chdir(tmpdir) do
+          yield
+        end
+      end
+    end
+
    def assert_file(file, content)
      assert_match content, File.read(file)
    end
--- a/test/cli/proxy_test.rb
+++ b/test/cli/proxy_test.rb
@@ -281,6 +281,32 @@ class CliProxyTest < CliTestCase
    end
  end

+  test "boot_config set bind IP" do
+    run_command("boot_config", "set", "--publish-host-ip", "127.0.0.1").tap do |output|
+      %w[ 1.1.1.1 1.1.1.2 ].each do |host|
+        assert_match "Running /usr/bin/env mkdir -p .kamal/proxy on #{host}", output
+        assert_match "Uploading \"--publish 127.0.0.1:80:80 --publish 127.0.0.1:443:443 --log-opt max-size=10m\" to .kamal/proxy/options on #{host}", output
+      end
+    end
+  end
+
+  test "boot_config set multiple bind IPs" do
+    run_command("boot_config", "set", "--publish-host-ip", "127.0.0.1", "--publish-host-ip", "::1").tap do |output|
+      %w[ 1.1.1.1 1.1.1.2 ].each do |host|
+        assert_match "Running /usr/bin/env mkdir -p .kamal/proxy on #{host}", output
+        assert_match "Uploading \"--publish 127.0.0.1:80:80 --publish 127.0.0.1:443:443 --publish [::1]:80:80 --publish [::1]:443:443 --log-opt max-size=10m\" to .kamal/proxy/options on #{host}", output
+      end
+    end
+  end
+
+  test "boot_config set invalid bind IPs" do
+    exception = assert_raises do
+      run_command("boot_config", "set", "--publish-host-ip", "1.2.3.invalidIP", "--publish-host-ip", "::1")
+    end
+
+    assert_includes exception.message, "Invalid publish IP address: 1.2.3.invalidIP"
+  end
+
  test "boot_config set docker options" do
    run_command("boot_config", "set", "--docker_options", "label=foo=bar", "add_host=thishost:thathost").tap do |output|
      %w[ 1.1.1.1 1.1.1.2 ].each do |host|
--- a/test/cli/registry_test.rb
+++ b/test/cli/registry_test.rb
@@ -43,6 +43,16 @@ class CliRegistryTest < CliTestCase
    end
  end

+  test "login with no docker" do
+    stub_setup
+    SSHKit::Backend::Abstract.any_instance.stubs(:execute)
+      .with(:docker, "--version", "&&", :docker, :buildx, "version")
+      .raises(SSHKit::Command::Failed.new("command not found"))
+
+    assert_raises(Kamal::Cli::DependencyError) { run_command("login") }
+  end
+
+
  private
    def run_command(*command)
      stdouted { Kamal::Cli::Registry.start([ *command, "-c", "test/fixtures/deploy_with_accessories.yml" ]) }
--- a/test/cli/secrets_test.rb
+++ b/test/cli/secrets_test.rb
@@ -13,12 +13,6 @@ class CliSecretsTest < CliTestCase
      run_command("fetch", "foo", "bar", "baz", "--adapter", "test")
  end

-  test "fetch without required --account" do
-    assert_equal \
-      "\\{\\\"foo\\\":\\\"oof\\\",\\\"bar\\\":\\\"rab\\\",\\\"baz\\\":\\\"zab\\\"\\}",
-      run_command("fetch", "foo", "bar", "baz", "--adapter", "test_optional_account")
-  end
-
  test "extract" do
    assert_equal "oof", run_command("extract", "foo", "{\"foo\":\"oof\", \"bar\":\"rab\", \"baz\":\"zab\"}")
  end
--- a/test/commands/accessory_test.rb
+++ b/test/commands/accessory_test.rb
@@ -5,7 +5,9 @@ class CommandsAccessoryTest < ActiveSupport::TestCase
    setup_test_secrets("secrets" => "MYSQL_ROOT_PASSWORD=secret123")

    @config = {
-      service: "app", image: "dhh/app", registry: { "server" => "private.registry", "username" => "dhh", "password" => "secret" },
+      service: "app",
+      image: "dhh/app",
+      registry: { "server" => "private.registry", "username" => "dhh", "password" => "secret" },
      servers: [ "1.1.1.1" ],
      builder: { "arch" => "amd64" },
      accessories: {
@@ -39,6 +41,7 @@ class CommandsAccessoryTest < ActiveSupport::TestCase
        "busybox" => {
          "service" => "custom-busybox",
          "image" => "busybox:latest",
+          "registry" => { "server" => "other.registry", "username" => "user", "password" => "pw" },
          "host" => "1.1.1.7",
          "proxy" => {
            "host" => "busybox.example.com"
@@ -62,7 +65,7 @@ class CommandsAccessoryTest < ActiveSupport::TestCase
      new_command(:redis).run.join(" ")

    assert_equal \
-      "docker run --name custom-busybox --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --env-file .kamal/apps/app/env/accessories/busybox.env --label service=\"custom-busybox\" busybox:latest",
+      "docker run --name custom-busybox --detach --restart unless-stopped --network kamal --log-opt max-size=\"10m\" --env-file .kamal/apps/app/env/accessories/busybox.env --label service=\"custom-busybox\" other.registry/busybox:latest",
      new_command(:busybox).run.join(" ")
  end

@@ -70,7 +73,7 @@ class CommandsAccessoryTest < ActiveSupport::TestCase
    @config[:logging] = { "driver" => "local", "options" => { "max-size" => "100m", "max-file" => "3" } }

    assert_equal \
-      "docker run --name custom-busybox --detach --restart unless-stopped --network kamal --log-driver \"local\" --log-opt max-size=\"100m\" --log-opt max-file=\"3\" --env-file .kamal/apps/app/env/accessories/busybox.env --label service=\"custom-busybox\" busybox:latest",
+      "docker run --name custom-busybox --detach --restart unless-stopped --network kamal --log-driver \"local\" --log-opt max-size=\"100m\" --log-opt max-file=\"3\" --env-file .kamal/apps/app/env/accessories/busybox.env --label service=\"custom-busybox\" other.registry/busybox:latest",
      new_command(:busybox).run.join(" ")
  end

@@ -100,7 +103,6 @@ class CommandsAccessoryTest < ActiveSupport::TestCase
      new_command(:mysql).info.join(" ")
  end

-
  test "execute in new container" do
    assert_equal \
      "docker run --rm --network kamal --env MYSQL_ROOT_HOST=\"%\" --env-file .kamal/apps/app/env/accessories/mysql.env private.registry/mysql:8.0 mysql -u root",
@@ -127,8 +129,6 @@ class CommandsAccessoryTest < ActiveSupport::TestCase
    end
  end

-
-
  test "logs" do
    assert_equal \
      "docker logs app-mysql --timestamps 2>&1",
--- a/test/commands/app_test.rb
+++ b/test/commands/app_test.rb
@@ -469,10 +469,10 @@ class CommandsAppTest < ActiveSupport::TestCase
  test "extract assets" do
    assert_equal [
      :mkdir, "-p", ".kamal/apps/app/assets/extracted/web-999", "&&",
-      :docker, :stop, "-t 1", "app-web-assets", "2> /dev/null", "|| true", "&&",
-      :docker, :run, "--name", "app-web-assets", "--detach", "--rm", "--entrypoint", "sleep", "dhh/app:999", "1000000", "&&",
-      :docker, :cp, "-L", "app-web-assets:/public/assets/.", ".kamal/apps/app/assets/extracted/web-999", "&&",
-      :docker, :stop, "-t 1", "app-web-assets"
+      :docker, :container, :rm, "app-web-assets", "2> /dev/null", "|| true", "&&",
+      :docker, :container, :create, "--name", "app-web-assets", "dhh/app:999", "&&",
+      :docker, :container, :cp, "-L", "app-web-assets:/public/assets/.", ".kamal/apps/app/assets/extracted/web-999", "&&",
+      :docker, :container, :rm, "app-web-assets"
    ], new_command(asset_path: "/public/assets").extract_assets
  end

--- a/test/commands/registry_test.rb
+++ b/test/commands/registry_test.rb
@@ -2,14 +2,27 @@ require "test_helper"

 class CommandsRegistryTest < ActiveSupport::TestCase
  setup do
-    @config = { service: "app",
+    @config = {
+      service: "app",
      image: "dhh/app",
-      registry: { "username" => "dhh",
+      registry: {
+        "username" => "dhh",
        "password" => "secret",
        "server" => "hub.docker.com"
      },
      builder: { "arch" => "amd64" },
-      servers: [ "1.1.1.1" ]
+      servers: [ "1.1.1.1" ],
+      accessories: {
+        "db" => {
+          "image" => "mysql:8.0",
+          "hosts" => [ "1.1.1.1" ],
+          "registry" => {
+            "username" => "user",
+            "password" => "pw",
+            "server" => "other.hub.docker.com"
+          }
+        }
+      }
    }
  end

@@ -19,13 +32,24 @@ class CommandsRegistryTest < ActiveSupport::TestCase
      registry.login.join(" ")
  end

+  test "given registry login" do
+    assert_equal \
+      "docker login other.hub.docker.com -u \"user\" -p \"pw\"",
+      registry.login(registry_config: accessory_registry_config).join(" ")
+  end
+
  test "registry login with ENV password" do
-    with_test_secrets("secrets" => "KAMAL_REGISTRY_PASSWORD=more-secret") do
+    with_test_secrets("secrets" => "KAMAL_REGISTRY_PASSWORD=more-secret\nKAMAL_MYSQL_REGISTRY_PASSWORD=secret-pw") do
      @config[:registry]["password"] = [ "KAMAL_REGISTRY_PASSWORD" ]
+      @config[:accessories]["db"]["registry"]["password"] = [ "KAMAL_MYSQL_REGISTRY_PASSWORD" ]

      assert_equal \
        "docker login hub.docker.com -u \"dhh\" -p \"more-secret\"",
        registry.login.join(" ")
+
+      assert_equal \
+        "docker login other.hub.docker.com -u \"user\" -p \"secret-pw\"",
+        registry.login(registry_config: accessory_registry_config).join(" ")
    end
  end

@@ -55,8 +79,22 @@ class CommandsRegistryTest < ActiveSupport::TestCase
      registry.logout.join(" ")
  end

+  test "given registry logout" do
+    assert_equal \
+      "docker logout other.hub.docker.com",
+      registry.logout(registry_config: accessory_registry_config).join(" ")
+  end
+
  private
    def registry
-      Kamal::Commands::Registry.new Kamal::Configuration.new(@config)
+      Kamal::Commands::Registry.new main_config
+    end
+
+    def main_config
+      Kamal::Configuration.new(@config)
+    end
+
+    def accessory_registry_config
+      main_config.accessory("db").registry
    end
 end
--- a/test/configuration/accessory_test.rb
+++ b/test/configuration/accessory_test.rb
@@ -3,7 +3,9 @@ require "test_helper"
 class ConfigurationAccessoryTest < ActiveSupport::TestCase
  setup do
    @deploy = {
-      service: "app", image: "dhh/app", registry: { "username" => "dhh", "password" => "secret" },
+      service: "app",
+      image: "dhh/app",
+      registry: { "username" => "dhh", "password" => "secret" },
      servers: {
        "web" => [ "1.1.1.1", "1.1.1.2" ],
        "workers" => [ "1.1.1.3", "1.1.1.4" ]
@@ -12,7 +14,7 @@ class ConfigurationAccessoryTest < ActiveSupport::TestCase
      env: { "REDIS_URL" => "redis://x/y" },
      accessories: {
        "mysql" => {
-          "image" => "mysql:8.0",
+          "image" => "public.registry/mysql:8.0",
          "host" => "1.1.1.5",
          "port" => "3306",
          "env" => {
@@ -52,6 +54,7 @@ class ConfigurationAccessoryTest < ActiveSupport::TestCase
        "monitoring" => {
          "service" => "custom-monitoring",
          "image" => "monitoring:latest",
+          "registry" => { "server" => "other.registry", "username" => "user", "password" => "pw" },
          "roles" => [ "web" ],
          "port" => "4321:4321",
          "labels" => {
@@ -80,6 +83,21 @@ class ConfigurationAccessoryTest < ActiveSupport::TestCase
    assert_equal "custom-monitoring", @config.accessory(:monitoring).service_name
  end

+  test "image" do
+    assert_equal "public.registry/mysql:8.0", @config.accessory(:mysql).image
+    assert_equal "redis:latest", @config.accessory(:redis).image
+    assert_equal "other.registry/monitoring:latest", @config.accessory(:monitoring).image
+  end
+
+  test "registry" do
+    assert_nil @config.accessory(:mysql).registry
+    assert_nil @config.accessory(:redis).registry
+    monitoring_registry = @config.accessory(:monitoring).registry
+    assert_equal "other.registry", monitoring_registry.server
+    assert_equal "user", monitoring_registry.username
+    assert_equal "pw", monitoring_registry.password
+  end
+
  test "port" do
    assert_equal "3306:3306", @config.accessory(:mysql).port
    assert_equal "6379:6379", @config.accessory(:redis).port
--- a/test/fixtures/deploy.elsewhere.yml
+++ b/test/fixtures/deploy.elsewhere.yml
@@ -0,0 +1,12 @@
+service: app3
+image: dhh/app3
+servers:
+  - "1.1.1.3"
+  - "1.1.1.4"
+registry:
+  username: user
+  password: pw
+builder:
+  arch: amd64
+aliases:
+  other_config: config -c config/deploy2.yml
--- a/test/fixtures/deploy.yml
+++ b/test/fixtures/deploy.yml
@@ -0,0 +1,13 @@
+service: app
+image: dhh/app
+servers:
+  - "1.1.1.1"
+  - "1.1.1.2"
+registry:
+  username: user
+  password: pw
+builder:
+  arch: amd64
+aliases:
+  other_config: config -c config/deploy2.yml
+  other_destination_config: config -d elsewhere
--- a/test/fixtures/deploy2.yml
+++ b/test/fixtures/deploy2.yml
@@ -0,0 +1,12 @@
+service: app2
+image: dhh/app2
+servers:
+  - "1.1.1.1"
+  - "1.1.1.2"
+registry:
+  username: user2
+  password: pw2
+builder:
+  arch: amd64
+aliases:
+  other_config: config -c config/deploy2.yml
--- a/test/fixtures/deploy_with_accessories_with_different_registries.yml
+++ b/test/fixtures/deploy_with_accessories_with_different_registries.yml
@@ -0,0 +1,47 @@
+service: app
+image: dhh/app
+servers:
+  web:
+    - "1.1.1.1"
+    - "1.1.1.2"
+  workers:
+    - "1.1.1.3"
+    - "1.1.1.4"
+registry:
+  server: private.registry
+  username: user
+  password: pw
+builder:
+  arch: amd64
+
+accessories:
+  mysql:
+    image: private.registry/mysql:5.7
+    host: 1.1.1.3
+    port: 3306
+    env:
+      clear:
+        MYSQL_ROOT_HOST: '%'
+      secret:
+        - MYSQL_ROOT_PASSWORD
+    files:
+      - test/fixtures/files/my.cnf:/etc/mysql/my.cnf
+    directories:
+      - data:/var/lib/mysql
+  redis:
+    image: redis:latest
+    roles:
+      - web
+    port: 6379
+    directories:
+      - data:/data
+  busybox:
+    service: custom-box
+    image: busybox:latest
+    host: 1.1.1.3
+    registry:
+      server: other.registry
+      username: other_user
+      password: other_pw
+
+readiness_delay: 0
--- a/test/fixtures/deploy_with_aliases.yml
+++ b/test/fixtures/deploy_with_aliases.yml
@@ -21,3 +21,6 @@ aliases:
  console: app exec --reuse -p -r console "bin/console"
  exec: app exec --reuse -p -r console
  rails: app exec --reuse -p -r console rails
+  primary_details: details -p
+  deploy_secondary: deploy -d secondary
+
--- a/test/integration/main_test.rb
+++ b/test/integration/main_test.rb
@@ -90,9 +90,9 @@ class MainTest < IntegrationTest
  test "setup and remove" do
    @app = "app_with_roles"

-    kamal :proxy, :set_config,
+    kamal :proxy, :boot_config, "set",
      "--publish=false",
-      "--options=label=traefik.http.services.kamal_proxy.loadbalancer.server.scheme=http",
+      "--docker-options=label=traefik.http.services.kamal_proxy.loadbalancer.server.scheme=http",
      "label=traefik.http.routers.kamal_proxy.rule=PathPrefix\\\(\\\`/\\\`\\\)",
      "label=traefik.http.routers.kamal_proxy.priority=2"

--- a/test/secrets/bitwarden_secrets_manager_adapter_test.rb
+++ b/test/secrets/bitwarden_secrets_manager_adapter_test.rb
@@ -0,0 +1,119 @@
+require "test_helper"
+
+class BitwardenSecretsManagerAdapterTest < SecretAdapterTestCase
+  test "fetch with no parameters" do
+    stub_ticks.with("bws --version 2> /dev/null")
+    stub_login
+
+    error = assert_raises RuntimeError do
+      (shellunescape(run_command("fetch")))
+    end
+    assert_equal("You must specify what to retrieve from Bitwarden Secrets Manager", error.message)
+  end
+
+  test "fetch all" do
+    stub_ticks.with("bws --version 2> /dev/null")
+    stub_login
+    stub_ticks
+      .with("bws secret list -o env")
+      .returns("KAMAL_REGISTRY_PASSWORD=\"some_password\"\nMY_OTHER_SECRET=\"my=weird\"secret\"")
+
+    expected = '{"KAMAL_REGISTRY_PASSWORD":"some_password","MY_OTHER_SECRET":"my\=weird\"secret"}'
+    actual = shellunescape(run_command("fetch", "all"))
+    assert_equal expected, actual
+  end
+
+  test "fetch all with from" do
+    stub_ticks.with("bws --version 2> /dev/null")
+    stub_login
+    stub_ticks
+      .with("bws secret list -o env 82aeb5bd-6958-4a89-8197-eacab758acce")
+      .returns("KAMAL_REGISTRY_PASSWORD=\"some_password\"\nMY_OTHER_SECRET=\"my=weird\"secret\"")
+
+    expected = '{"KAMAL_REGISTRY_PASSWORD":"some_password","MY_OTHER_SECRET":"my\=weird\"secret"}'
+    actual = shellunescape(run_command("fetch", "all", "--from", "82aeb5bd-6958-4a89-8197-eacab758acce"))
+    assert_equal expected, actual
+  end
+
+  test "fetch item" do
+    stub_ticks.with("bws --version 2> /dev/null")
+    stub_login
+    stub_ticks
+      .with("bws secret get -o env 82aeb5bd-6958-4a89-8197-eacab758acce")
+      .returns("KAMAL_REGISTRY_PASSWORD=\"some_password\"")
+
+    expected = '{"KAMAL_REGISTRY_PASSWORD":"some_password"}'
+    actual = shellunescape(run_command("fetch", "82aeb5bd-6958-4a89-8197-eacab758acce"))
+    assert_equal expected, actual
+  end
+
+  test "fetch with multiple items" do
+    stub_ticks.with("bws --version 2> /dev/null")
+    stub_login
+    stub_ticks
+      .with("bws secret get -o env 82aeb5bd-6958-4a89-8197-eacab758acce")
+      .returns("KAMAL_REGISTRY_PASSWORD=\"some_password\"")
+    stub_ticks
+      .with("bws secret get -o env 6f8cdf27-de2b-4c77-a35d-07df8050e332")
+      .returns("MY_OTHER_SECRET=\"my=weird\"secret\"")
+
+    expected = '{"KAMAL_REGISTRY_PASSWORD":"some_password","MY_OTHER_SECRET":"my\=weird\"secret"}'
+    actual = shellunescape(run_command("fetch", "82aeb5bd-6958-4a89-8197-eacab758acce", "6f8cdf27-de2b-4c77-a35d-07df8050e332"))
+    assert_equal expected, actual
+  end
+
+  test "fetch all empty" do
+    stub_ticks.with("bws --version 2> /dev/null")
+    stub_login
+    stub_ticks_with("bws secret list -o env", succeed: false).returns("Error:\n0: Received error message from server")
+
+    error = assert_raises RuntimeError do
+      (shellunescape(run_command("fetch", "all")))
+    end
+    assert_equal("Could not read secrets from Bitwarden Secrets Manager", error.message)
+  end
+
+  test "fetch nonexistent item" do
+    stub_ticks.with("bws --version 2> /dev/null")
+    stub_login
+    stub_ticks_with("bws secret get -o env 82aeb5bd-6958-4a89-8197-eacab758acce", succeed: false)
+      .returns("ERROR (RuntimeError): Could not read 82aeb5bd-6958-4a89-8197-eacab758acce from Bitwarden Secrets Manager")
+
+    error = assert_raises RuntimeError do
+      (shellunescape(run_command("fetch", "82aeb5bd-6958-4a89-8197-eacab758acce")))
+    end
+    assert_equal("Could not read 82aeb5bd-6958-4a89-8197-eacab758acce from Bitwarden Secrets Manager", error.message)
+  end
+
+  test "fetch with no access token" do
+    stub_ticks.with("bws --version 2> /dev/null")
+    stub_ticks_with("bws run 'echo OK'", succeed: false)
+
+    error = assert_raises RuntimeError do
+      (shellunescape(run_command("fetch", "all")))
+    end
+    assert_equal("Could not authenticate to Bitwarden Secrets Manager. Did you set a valid access token?", error.message)
+  end
+
+  test "fetch without CLI installed" do
+    stub_ticks_with("bws --version 2> /dev/null", succeed: false)
+
+    error = assert_raises RuntimeError do
+      shellunescape(run_command("fetch"))
+    end
+    assert_equal "Bitwarden Secrets Manager CLI is not installed", error.message
+  end
+
+  private
+    def stub_login
+      stub_ticks.with("bws run 'echo OK'").returns("OK")
+    end
+
+    def run_command(*command)
+      stdouted do
+        Kamal::Cli::Secrets.start \
+          [ *command,
+            "--adapter", "bitwarden-sm" ]
+      end
+    end
+end
--- a/test/secrets/enpass_adapter_test.rb
+++ b/test/secrets/enpass_adapter_test.rb
@@ -0,0 +1,81 @@
+require "test_helper"
+
+class EnpassAdapterTest < SecretAdapterTestCase
+  test "fetch without CLI installed" do
+    stub_ticks_with("enpass-cli version 2> /dev/null", succeed: false)
+
+    error = assert_raises RuntimeError do
+      JSON.parse(shellunescape(run_command("fetch", "mynote")))
+    end
+
+    assert_equal "Enpass CLI is not installed", error.message
+  end
+
+  test "fetch one item" do
+    stub_ticks_with("enpass-cli version 2> /dev/null")
+
+    stub_ticks
+      .with("enpass-cli -json -vault vault-path show FooBar")
+      .returns(<<~JSON)
+      [{"category":"computer","label":"SECRET_1","login":"","password":"my-password-1","title":"FooBar","type":"password"}]
+      JSON
+
+    json = JSON.parse(shellunescape(run_command("fetch", "FooBar/SECRET_1")))
+
+    expected_json = { "FooBar/SECRET_1" => "my-password-1" }
+
+    assert_equal expected_json, json
+  end
+
+  test "fetch multiple items" do
+    stub_ticks_with("enpass-cli version 2> /dev/null")
+
+    stub_ticks
+      .with("enpass-cli -json -vault vault-path show FooBar")
+      .returns(<<~JSON)
+      [
+        {"category":"computer","label":"SECRET_1","login":"","password":"my-password-1","title":"FooBar","type":"password"},
+        {"category":"computer","label":"SECRET_2","login":"","password":"my-password-2","title":"FooBar","type":"password"},
+        {"category":"computer","label":"SECRET_3","login":"","password":"my-password-1","title":"Hello","type":"password"}
+      ]
+      JSON
+
+    json = JSON.parse(shellunescape(run_command("fetch", "FooBar/SECRET_1", "FooBar/SECRET_2")))
+
+    expected_json = { "FooBar/SECRET_1" => "my-password-1", "FooBar/SECRET_2" => "my-password-2" }
+
+    assert_equal expected_json, json
+  end
+
+  test "fetch all with from" do
+    stub_ticks_with("enpass-cli version 2> /dev/null")
+
+    stub_ticks
+      .with("enpass-cli -json -vault vault-path show FooBar")
+      .returns(<<~JSON)
+      [
+        {"category":"computer","label":"SECRET_1","login":"","password":"my-password-1","title":"FooBar","type":"password"},
+        {"category":"computer","label":"SECRET_2","login":"","password":"my-password-2","title":"FooBar","type":"password"},
+        {"category":"computer","label":"SECRET_3","login":"","password":"my-password-1","title":"Hello","type":"password"},
+        {"category":"computer","label":"","login":"","password":"my-password-3","title":"FooBar","type":"password"}
+      ]
+      JSON
+
+    json = JSON.parse(shellunescape(run_command("fetch", "FooBar")))
+
+    expected_json = { "FooBar/SECRET_1" => "my-password-1", "FooBar/SECRET_2" => "my-password-2", "FooBar" => "my-password-3" }
+
+    assert_equal expected_json, json
+  end
+
+  private
+    def run_command(*command)
+      stdouted do
+        Kamal::Cli::Secrets.start \
+          [ *command,
+            "-c", "test/fixtures/deploy_with_accessories.yml",
+            "--adapter", "enpass",
+            "--from", "vault-path" ]
+      end
+    end
+end
--- a/test/secrets/gcp_secret_manager_adapter_test.rb
+++ b/test/secrets/gcp_secret_manager_adapter_test.rb
@@ -0,0 +1,220 @@
+require "test_helper"
+
+class GcpSecretManagerAdapterTest < SecretAdapterTestCase
+  test "fetch" do
+    stub_gcloud_version
+    stub_authenticated
+    stub_mypassword
+
+    json = JSON.parse(shellunescape(run_command("fetch", "mypassword")))
+
+    expected_json = { "default/mypassword"=>"secret123" }
+
+    assert_equal expected_json, json
+  end
+
+  test "fetch unauthenticated" do
+    stub_ticks.with("gcloud --version 2> /dev/null")
+
+    stub_mypassword
+    stub_unauthenticated
+
+    error = assert_raises RuntimeError do
+      JSON.parse(shellunescape(run_command("fetch", "mypassword")))
+    end
+
+    assert_match(/could not login to gcloud/, error.message)
+  end
+
+  test "fetch with from" do
+    stub_gcloud_version
+    stub_authenticated
+    stub_items(0, project: "other-project")
+    stub_items(1, project: "other-project")
+    stub_items(2, project: "other-project")
+
+    json = JSON.parse(shellunescape(run_command("fetch", "--from", "other-project", "item1", "item2", "item3")))
+
+    expected_json = {
+      "other-project/item1"=>"secret1", "other-project/item2"=>"secret2", "other-project/item3"=>"secret3"
+    }
+
+    assert_equal expected_json, json
+  end
+
+  test "fetch with multiple projects" do
+    stub_gcloud_version
+    stub_authenticated
+    stub_items(0, project: "some-project")
+    stub_items(1, project: "project-confidence")
+    stub_items(2, project: "manhattan-project")
+
+    json = JSON.parse(shellunescape(run_command("fetch", "some-project/item1", "project-confidence/item2", "manhattan-project/item3")))
+
+    expected_json = {
+      "some-project/item1"=>"secret1", "project-confidence/item2"=>"secret2", "manhattan-project/item3"=>"secret3"
+    }
+
+    assert_equal expected_json, json
+  end
+
+  test "fetch with specific version" do
+    stub_gcloud_version
+    stub_authenticated
+    stub_items(0, project: "some-project", version: "123")
+
+    json = JSON.parse(shellunescape(run_command("fetch", "some-project/item1/123")))
+
+    expected_json = {
+      "some-project/item1"=>"secret1"
+    }
+
+    assert_equal expected_json, json
+  end
+
+  test "fetch with non-default account" do
+    stub_gcloud_version
+    stub_authenticated
+    stub_items(0, project: "some-project", version: "123", account: "email@example.com")
+
+    json = JSON.parse(shellunescape(run_command("fetch", "some-project/item1/123", account: "email@example.com")))
+
+    expected_json = {
+      "some-project/item1"=>"secret1"
+    }
+
+    assert_equal expected_json, json
+  end
+
+  test "fetch with service account impersonation" do
+    stub_gcloud_version
+    stub_authenticated
+    stub_items(0, project: "some-project", version: "123", impersonate_service_account: "service-user@example.com")
+
+    json = JSON.parse(shellunescape(run_command("fetch", "some-project/item1/123", account: "default|service-user@example.com")))
+
+    expected_json = {
+      "some-project/item1"=>"secret1"
+    }
+
+    assert_equal expected_json, json
+  end
+
+  test "fetch with delegation chain and specific user" do
+    stub_gcloud_version
+    stub_authenticated
+    stub_items(0, project: "some-project", version: "123", account: "user@example.com", impersonate_service_account: "service-user@example.com,service-user2@example.com")
+
+    json = JSON.parse(shellunescape(run_command("fetch", "some-project/item1/123", account: "user@example.com|service-user@example.com,service-user2@example.com")))
+
+    expected_json = {
+      "some-project/item1"=>"secret1"
+    }
+
+    assert_equal expected_json, json
+  end
+
+  test "fetch with non-default account and service account impersonation" do
+    stub_gcloud_version
+    stub_authenticated
+    stub_items(0, project: "some-project", version: "123", account: "email@example.com", impersonate_service_account: "service-user@example.com")
+
+    json = JSON.parse(shellunescape(run_command("fetch", "some-project/item1/123", account: "email@example.com|service-user@example.com")))
+
+    expected_json = {
+      "some-project/item1"=>"secret1"
+    }
+
+    assert_equal expected_json, json
+  end
+
+  test "fetch without CLI installed" do
+    stub_gcloud_version(succeed: false)
+
+    error = assert_raises RuntimeError do
+      JSON.parse(shellunescape(run_command("fetch", "item1")))
+    end
+    assert_equal "gcloud CLI is not installed", error.message
+  end
+
+  private
+    def run_command(*command, account: "default")
+      stdouted do
+        Kamal::Cli::Secrets.start \
+          [ *command,
+            "-c", "test/fixtures/deploy_with_accessories.yml",
+            "--adapter", "gcp_secret_manager",
+            "--account", account ]
+      end
+    end
+
+    def stub_gcloud_version(succeed: true)
+      stub_ticks_with("gcloud --version 2> /dev/null", succeed: succeed)
+    end
+
+    def stub_authenticated
+      stub_ticks
+        .with("gcloud auth list --format=json")
+        .returns(<<~JSON)
+          [
+            {
+              "account": "email@example.com",
+              "status": "ACTIVE"
+            }
+          ]
+        JSON
+    end
+
+    def stub_unauthenticated
+      stub_ticks
+        .with("gcloud auth list --format=json")
+        .returns("[]")
+
+      stub_ticks
+        .with("gcloud auth login")
+        .returns(<<~JSON)
+          {
+            "expired": false,
+            "valid": true
+          }
+        JSON
+    end
+
+    def stub_mypassword
+      stub_ticks
+        .with("gcloud secrets versions access latest --secret=mypassword --format=json")
+        .returns(<<~JSON)
+          {
+            "name": "projects/000000000/secrets/mypassword/versions/1",
+            "payload": {
+              "data": "c2VjcmV0MTIz",
+              "dataCrc32c": "2522602764"
+            }
+          }
+        JSON
+    end
+
+    def stub_items(n, project: nil, account: nil, version: "latest", impersonate_service_account: nil)
+      payloads = [
+        { data: "c2VjcmV0MQ==", checksum: 1846998209 },
+        { data: "c2VjcmV0Mg==", checksum: 2101741365 },
+        { data: "c2VjcmV0Mw==", checksum: 2402124854 }
+      ]
+      stub_ticks
+        .with("gcloud secrets versions access #{version} " \
+              "--secret=item#{n + 1}" \
+              "#{" --project=#{project}" if project}" \
+              "#{" --account=#{account}" if account}" \
+              "#{" --impersonate-service-account=#{impersonate_service_account}" if impersonate_service_account} " \
+              "--format=json")
+        .returns(<<~JSON)
+          {
+            "name": "projects/000000001/secrets/item1/versions/1",
+            "payload": {
+              "data": "#{payloads[n][:data]}",
+              "dataCrc32c": "#{payloads[n][:checksum]}"
+            }
+          }
+        JSON
+  end
+end
--- a/test/secrets_test.rb
+++ b/test/secrets_test.rb
@@ -20,6 +20,20 @@ class SecretsTest < ActiveSupport::TestCase
    end
  end

+  test "env references" do
+    with_test_secrets("secrets" => "SECRET1=$SECRET1") do
+      ENV["SECRET1"] = "ABC"
+      assert_equal "ABC", Kamal::Secrets.new["SECRET1"]
+    end
+  end
+
+  test "secrets file value overrides env" do
+    with_test_secrets("secrets" => "SECRET1=DEF") do
+      ENV["SECRET1"] = "ABC"
+      assert_equal "DEF", Kamal::Secrets.new["SECRET1"]
+    end
+  end
+
  test "destinations" do
    with_test_secrets("secrets.dest" => "SECRET=DEF", "secrets" => "SECRET=ABC", "secrets-common" => "SECRET=GHI\nSECRET2=JKL") do
      assert_equal "ABC", Kamal::Secrets.new["SECRET"]