Always send the clear env to the container

Secret and clear env variables have different lifecycles. The clear ones are part of the repo, so it makes sense to always deploy them with the rest of the repo. The secret ones are external so we can't be sure that they are up to date, therefore they require an explicit push via `envify` or `env push`. We'll keep the env file, but now it just contains secrets. The clear values are passed directly to `docker run`.
2024-03-20 16:37:09 +00:00
parent 5f58575b62
commit 49afdbb09a
17 changed files with 201 additions and 200 deletions
--- a/lib/kamal/cli/env.rb
+++ b/lib/kamal/cli/env.rb
@@ -9,20 +9,20 @@ class Kamal::Cli::Env < Kamal::Cli::Base

        KAMAL.roles_on(host).each do |role|
          execute *KAMAL.app(role: role).make_env_directory
-          upload! StringIO.new(role.env_file), role.host_env_file_path, mode: 400
+          upload! role.env.secrets_io, role.env.secrets_file, mode: 400
        end
      end

      on(KAMAL.traefik_hosts) do
        execute *KAMAL.traefik.make_env_directory
-        upload! StringIO.new(KAMAL.traefik.env_file), KAMAL.traefik.host_env_file_path, mode: 400
+        upload! KAMAL.traefik.env.secrets_io, KAMAL.traefik.env.secrets_file, mode: 400
      end

      on(KAMAL.accessory_hosts) do
        KAMAL.accessories_on(host).each do |accessory|
          accessory_config = KAMAL.config.accessory(accessory)
          execute *KAMAL.accessory(accessory).make_env_directory
-          upload! StringIO.new(accessory_config.env_file), accessory_config.host_env_file_path, mode: 400
+          upload! accessory_config.env.secrets_io, accessory_config.env.secrets_file, mode: 400
        end
      end
    end
--- a/lib/kamal/commands/accessory.rb
+++ b/lib/kamal/commands/accessory.rb
@@ -99,11 +99,11 @@ class Kamal::Commands::Accessory < Kamal::Commands::Base
  end

  def make_env_directory
-    make_directory accessory_config.host_env_directory
+    make_directory accessory_config.env.secrets_directory
  end

  def remove_env_file
-    [ :rm, "-f", accessory_config.host_env_file_path ]
+    [ :rm, "-f", accessory_config.env.secrets_file ]
  end

  private
--- a/lib/kamal/commands/app.rb
+++ b/lib/kamal/commands/app.rb
@@ -68,11 +68,11 @@ class Kamal::Commands::App < Kamal::Commands::Base


  def make_env_directory
-    make_directory role.host_env_directory
+    make_directory role.env.secrets_directory
  end

  def remove_env_file
-    [ :rm, "-f", role.host_env_file_path ]
+    [ :rm, "-f", role.env.secrets_file ]
  end


--- a/lib/kamal/commands/traefik.rb
+++ b/lib/kamal/commands/traefik.rb
@@ -71,20 +71,18 @@ class Kamal::Commands::Traefik < Kamal::Commands::Base
    "#{host_port}:#{CONTAINER_PORT}"
  end

-  def env_file
-    Kamal::EnvFile.new(config.traefik.fetch("env", {}))
-  end
-
-  def host_env_file_path
-    File.join host_env_directory, "traefik.env"
+  def env
+    Kamal::Configuration::Env.from_config \
+      config: config.traefik.fetch("env", {}),
+      secrets_file: File.join(config.host_env_directory, "traefik", "traefik.env")
  end

  def make_env_directory
-    make_directory(host_env_directory)
+    make_directory(env.secrets_directory)
  end

  def remove_env_file
-    [ :rm, "-f", host_env_file_path ]
+    [ :rm, "-f", env.secrets_file ]
  end

  private
@@ -97,11 +95,7 @@ class Kamal::Commands::Traefik < Kamal::Commands::Base
    end

    def env_args
-      argumentize "--env-file", host_env_file_path
-    end
-
-    def host_env_directory
-      File.join config.host_env_directory, "traefik"
+      env.args
    end

    def labels
--- a/lib/kamal/configuration.rb
+++ b/lib/kamal/configuration.rb
@@ -6,7 +6,7 @@ require "erb"
 require "net/ssh/proxy/jump"

 class Kamal::Configuration
-  delegate :service, :image, :servers, :env, :labels, :registry, :stop_wait_time, :hooks_path, :logging, to: :raw_config, allow_nil: true
+  delegate :service, :image, :servers, :labels, :registry, :stop_wait_time, :hooks_path, :logging, to: :raw_config, allow_nil: true
  delegate :argumentize, :optionize, to: Kamal::Utils

  attr_reader :destination, :raw_config
@@ -216,12 +216,17 @@ class Kamal::Configuration
    raw_config.hooks_path || ".kamal/hooks"
  end

+  def asset_path
+    raw_config.asset_path
+  end
+
+
  def host_env_directory
    "#{run_directory}/env"
  end

-  def asset_path
-    raw_config.asset_path
+  def env
+    raw_config.env || {}
  end


--- a/lib/kamal/configuration/accessory.rb
+++ b/lib/kamal/configuration/accessory.rb
@@ -42,23 +42,13 @@ class Kamal::Configuration::Accessory
  end

  def env
-    specifics["env"] || {}
-  end
-
-  def env_file
-    Kamal::EnvFile.new(env)
-  end
-
-  def host_env_directory
-    File.join config.host_env_directory, "accessories"
-  end
-
-  def host_env_file_path
-    File.join host_env_directory, "#{service_name}.env"
+    Kamal::Configuration::Env.from_config \
+      config: specifics.fetch("env", {}),
+      secrets_file: File.join(config.host_env_directory, "accessories", "#{service_name}.env")
  end

  def env_args
-    argumentize "--env-file", host_env_file_path
+    env.args
  end

  def files
@@ -111,10 +101,10 @@ class Kamal::Configuration::Accessory
    end

    def with_clear_env_loaded
-      (env["clear"] || env).each { |k, v| ENV[k] = v }
+      env.clear.each { |k, v| ENV[k] = v }
      yield
    ensure
-      (env["clear"] || env).each { |k, v| ENV.delete(k) }
+      env.clear.each { |k, v| ENV.delete(k) }
    end

    def read_dynamic_file(local_file)
--- a/lib/kamal/configuration/env.rb
+++ b/lib/kamal/configuration/env.rb
@@ -0,0 +1,40 @@
+class Kamal::Configuration::Env
+  attr_reader :secrets_keys, :clear, :secrets_file
+  delegate :argumentize, to: Kamal::Utils
+
+  def self.from_config(config:, secrets_file: nil)
+    secrets_keys = config.fetch("secret", [])
+    clear = config.fetch("clear", config.key?("secret") ? {} : config)
+
+    new clear: clear, secrets_keys: secrets_keys, secrets_file: secrets_file
+  end
+
+  def initialize(clear:, secrets_keys:, secrets_file:)
+    @clear = clear
+    @secrets_keys = secrets_keys
+    @secrets_file = secrets_file
+  end
+
+  def args
+    [ "--env-file", secrets_file, *argumentize("--env", clear) ]
+  end
+
+  def secrets_io
+    StringIO.new(Kamal::EnvFile.new(secrets).to_s)
+  end
+
+  def secrets
+    @secrets ||= secrets_keys.to_h { |key| [ key, ENV.fetch(key) ] }
+  end
+
+  def secrets_directory
+    File.dirname(secrets_file)
+  end
+
+  def merge(other)
+    self.class.new \
+      clear: @clear.merge(other.clear),
+      secrets_keys: @secrets_keys | other.secrets_keys,
+      secrets_file: secrets_file
+  end
+end
--- a/lib/kamal/configuration/role.rb
+++ b/lib/kamal/configuration/role.rb
@@ -51,27 +51,11 @@ class Kamal::Configuration::Role


  def env
-    if config.env && config.env["secret"]
-      merged_env_with_secrets
-    else
-      merged_env
-    end
-  end
-
-  def env_file
-    Kamal::EnvFile.new(env)
-  end
-
-  def host_env_directory
-    File.join config.host_env_directory, "roles"
-  end
-
-  def host_env_file_path
-    File.join host_env_directory, "#{[ config.service, name, config.destination ].compact.join("-")}.env"
+    @env ||= base_env.merge(specialized_env)
  end

  def env_args
-    argumentize "--env-file", host_env_file_path
+    env.args
  end

  def asset_volume_args
@@ -217,7 +201,7 @@ class Kamal::Configuration::Role
    end

    def traefik_service
-      [ config.service, name, config.destination ].compact.join("-")
+      container_prefix
    end

    def custom_labels
@@ -236,24 +220,14 @@ class Kamal::Configuration::Role
    end

    def specialized_env
-      specializations["env"] || {}
-    end
-
-    def merged_env
-      config.env&.merge(specialized_env) || {}
+      Kamal::Configuration::Env.from_config config: specializations.fetch("env", {})
    end

    # Secrets are stored in an array, which won't merge by default, so have to do it by hand.
-    def merged_env_with_secrets
-      merged_env.tap do |new_env|
-        new_env["secret"] = Array(config.env["secret"]) + Array(specialized_env["secret"])
-
-        # If there's no secret/clear split, everything is clear
-        clear_app_env  = config.env["secret"] ? Array(config.env["clear"]) : Array(config.env["clear"] || config.env)
-        clear_role_env = specialized_env["secret"] ? Array(specialized_env["clear"]) : Array(specialized_env["clear"] || specialized_env)
-
-        new_env["clear"] = clear_app_env.to_h.merge(clear_role_env.to_h)
-      end
+    def base_env
+      Kamal::Configuration::Env.from_config \
+        config: config.env,
+        secrets_file: File.join(config.host_env_directory, "roles", "#{container_prefix}.env")
    end

    def http_health_check(port:, path:)
--- a/lib/kamal/env_file.rb
+++ b/lib/kamal/env_file.rb
@@ -6,18 +6,8 @@ class Kamal::EnvFile

  def to_s
    env_file = StringIO.new.tap do |contents|
-      if (secrets = @env["secret"]).present?
-        @env.fetch("secret", @env)&.each do |key|
-          contents << docker_env_file_line(key, ENV.fetch(key))
-        end
-
-        @env["clear"]&.each do |key, value|
-          contents << docker_env_file_line(key, value)
-        end
-      else
-        @env.fetch("clear", @env)&.each do |key, value|
-          contents << docker_env_file_line(key, value)
-        end
+      @env.each do |key, value|
+        contents << docker_env_file_line(key, value)
      end
    end.string