Merge branch 'basecamp:main' into buildpacks

lib/kamal/cli/proxy.rb

@@ -21,6 +21,36 @@ class Kamal::Cli::Proxy < Kamal::Cli::Base
     end
   end
 
+  desc "boot_config <set|get|clear>", "Mange kamal-proxy boot configuration"
+  option :publish, type: :boolean, default: true, desc: "Publish the proxy ports on the host"
+  option :http_port, type: :numeric, default: Kamal::Configuration::PROXY_HTTP_PORT, desc: "HTTP port to publish on the host"
+  option :https_port, type: :numeric, default: Kamal::Configuration::PROXY_HTTPS_PORT, desc: "HTTPS port to publish on the host"
+  option :docker_options, type: :array, default: [], desc: "Docker options to pass to the proxy container", banner: "option=value option2=value2"
+  def boot_config(subcommand)
+    case subcommand
+    when "set"
+      boot_options = [
+        *(KAMAL.config.proxy_publish_args(options[:http_port], options[:https_port]) if options[:publish]),
+        *options[:docker_options].map { |option| "--#{option}" }
+      ]
+
+      on(KAMAL.proxy_hosts) do |host|
+        execute(*KAMAL.proxy.ensure_proxy_directory)
+        upload! StringIO.new(boot_options.join(" ")), KAMAL.config.proxy_options_file
+      end
+    when "get"
+      on(KAMAL.proxy_hosts) do |host|
+        puts "Host #{host}: #{capture_with_info(*KAMAL.proxy.get_boot_options)}"
+      end
+    when "reset"
+      on(KAMAL.proxy_hosts) do |host|
+        execute *KAMAL.proxy.reset_boot_options
+      end
+    else
+      raise ArgumentError, "Unknown boot_config subcommand #{subcommand}"
+    end
+  end
+
   desc "reboot", "Reboot proxy on servers (stop container, remove container, start new container)"
   option :rolling, type: :boolean, default: false, desc: "Reboot proxy on hosts in sequence, rather than in parallel"
   option :confirmed, aliases: "-y", type: :boolean, default: false, desc: "Proceed without confirmation question"
@@ -169,6 +199,7 @@ class Kamal::Cli::Proxy < Kamal::Cli::Base
         stop
         remove_container
         remove_image
+        remove_proxy_directory
       end
     end
   end
@@ -193,6 +224,15 @@ class Kamal::Cli::Proxy < Kamal::Cli::Base
     end
   end
 
+  desc "remove_proxy_directory", "Remove the proxy directory from servers", hide: true
+  def remove_proxy_directory
+    with_lock do
+      on(KAMAL.proxy_hosts) do
+        execute *KAMAL.proxy.remove_proxy_directory, raise_on_non_zero_exit: false
+      end
+    end
+  end
+
   private
     def removal_allowed?(force)
       on(KAMAL.proxy_hosts) do |host|

lib/kamal/cli/templates/deploy.yml

@@ -2,11 +2,22 @@
 service: my-app
 
 # Name of the container image.
-image: user/my-app
+image: my-user/my-app
 
 # Deploy to these servers.
 servers:
-  - 192.168.0.1
+  web:
+    - 192.168.0.1
+  # job:
+  #   hosts:
+  #     - 192.168.0.1
+  #   cmd: bin/jobs
+
+# Enable SSL auto certification via Let's Encrypt (and allow for multiple apps on one server).
+# Set ssl: false if using something like Cloudflare to terminate SSL (but keep host!).
+proxy:
+  ssl: true
+  host: app.example.com
 
 # Credentials for your image host.
 registry:
@@ -14,7 +25,7 @@ registry:
   # server: registry.digitalocean.com / ghcr.io / ...
   username: my-user
 
-  # Always use an access token rather than real password when possible.
+  # Always use an access token rather than real password (pulled from .kamal/secrets).
   password:
     - KAMAL_REGISTRY_PASSWORD
 
@@ -22,19 +33,44 @@ registry:
 builder:
   arch: amd64
 
-# Inject ENV variables into containers (secrets come from .env).
-# Remember to run `kamal env push` after making changes!
+# Inject ENV variables into containers (secrets come from .kamal/secrets).
+#
 # env:
 #   clear:
 #     DB_HOST: 192.168.0.2
 #   secret:
 #     - RAILS_MASTER_KEY
 
+# Aliases are triggered with "bin/kamal <alias>". You can overwrite arguments on invocation:
+# "bin/kamal logs -r job" will tail logs from the first server in the job section.
+#
+# aliases:
+#   shell: app exec --interactive --reuse "bash"
+
 # Use a different ssh user than root
+#
 # ssh:
 #   user: app
 
-# Use accessory services (secrets come from .env).
+# Use a persistent storage volume.
+#
+# volumes:
+#   - "app_storage:/app/storage"
+
+# Bridge fingerprinted assets, like JS and CSS, between versions to avoid
+# hitting 404 on in-flight requests. Combines all files from new and old
+# version inside the asset_path.
+#
+# asset_path: /app/public/assets
+
+# Configure rolling deploys by setting a wait time between batches of restarts.
+#
+# boot:
+#   limit: 10 # Can also specify as a percentage of total hosts, such as "25%"
+#   wait: 2
+
+# Use accessory services (secrets come from .kamal/secrets).
+#
 # accessories:
 #   db:
 #     image: mysql:8.0
@@ -56,29 +92,3 @@ builder:
 #     port: 6379
 #     directories:
 #       - data:/data
-
-# Bridge fingerprinted assets, like JS and CSS, between versions to avoid
-# hitting 404 on in-flight requests. Combines all files from new and old
-# version inside the asset_path.
-#
-# If your app is using the Sprockets gem, ensure it sets `config.assets.manifest`.
-# See https://github.com/basecamp/kamal/issues/626 for details
-#
-# asset_path: /rails/public/assets
-
-# Configure rolling deploys by setting a wait time between batches of restarts.
-# boot:
-#   limit: 10 # Can also specify as a percentage of total hosts, such as "25%"
-#   wait: 2
-
-# Configure the role used to determine the primary_host. This host takes
-# deploy locks, runs health checks during the deploy, and follow logs, etc.
-#
-# Caution: there's no support for role renaming yet, so be careful to cleanup
-#          the previous role on the deployed hosts.
-# primary_role: web
-
-# Controls if we abort when see a role with no hosts. Disabling this may be
-# useful for more complex deploy configurations.
-#
-# allow_empty_roles: false

lib/kamal/cli/templates/sample_hooks/pre-proxy-reboot.sample

@@ -1,3 +1,3 @@
 #!/bin/sh
 
-echo "Rebooting Traefik on $KAMAL_HOSTS..."
+echo "Rebooting kamal-proxy on $KAMAL_HOSTS..."

lib/kamal/cli/templates/secrets

@@ -1,5 +1,6 @@
-# WARNING: Avoid adding secrets directly to this file
-# If you must, then add `.kamal/secrets*` to your .gitignore file
+# Secrets defined here are available for reference under registry/password, env/secret, builder/secrets,
+# and accessories/*/env/secret in config/deploy.yml. All secrets should be pulled from either
+# password manager, ENV, or a file. DO NOT ENTER RAW CREDENTIALS HERE! This file needs to be safe for git.
 
 # Option 1: Read secrets from the environment
 KAMAL_REGISTRY_PASSWORD=$KAMAL_REGISTRY_PASSWORD

lib/kamal/commands/proxy.rb

@@ -7,9 +7,8 @@ class Kamal::Commands::Proxy < Kamal::Commands::Base
       "--network", "kamal",
       "--detach",
       "--restart", "unless-stopped",
-      *config.proxy_publish_args,
       "--volume", "kamal-proxy-config:/home/kamal-proxy/.config/kamal-proxy",
-      *config.logging_args,
+      "\$\(#{get_boot_options.join(" ")}\)",
       config.proxy_image
   end
 
@@ -65,6 +64,22 @@ class Kamal::Commands::Proxy < Kamal::Commands::Base
       )
   end
 
+  def ensure_proxy_directory
+    make_directory config.proxy_directory
+  end
+
+  def remove_proxy_directory
+    remove_directory config.proxy_directory
+  end
+
+  def get_boot_options
+    combine [ :cat, config.proxy_options_file ], [ :echo, "\"#{config.proxy_options_default.join(" ")}\"" ], by: "||"
+  end
+
+  def reset_boot_options
+    remove_file config.proxy_options_file
+  end
+
   private
     def container_name
       config.proxy_container_name

lib/kamal/configuration.rb

@@ -14,7 +14,7 @@ class Kamal::Configuration
 
   include Validation
 
-  PROXY_MINIMUM_VERSION = "v0.4.0"
+  PROXY_MINIMUM_VERSION = "v0.6.0"
   PROXY_HTTP_PORT = 80
   PROXY_HTTPS_PORT = 443
 
@@ -246,8 +246,12 @@ class Kamal::Configuration
     env_tags.detect { |t| t.name == name.to_s }
   end
 
-  def proxy_publish_args
-    argumentize "--publish", [ "#{PROXY_HTTP_PORT}:#{PROXY_HTTP_PORT}", "#{PROXY_HTTPS_PORT}:#{PROXY_HTTPS_PORT}" ]
+  def proxy_publish_args(http_port, https_port)
+    argumentize "--publish", [ "#{http_port}:#{PROXY_HTTP_PORT}", "#{https_port}:#{PROXY_HTTPS_PORT}" ]
+  end
+
+  def proxy_options_default
+    proxy_publish_args PROXY_HTTP_PORT, PROXY_HTTPS_PORT
   end
 
   def proxy_image
@@ -258,6 +262,14 @@ class Kamal::Configuration
     "kamal-proxy"
   end
 
+  def proxy_directory
+    File.join run_directory, "proxy"
+  end
+
+  def proxy_options_file
+    File.join proxy_directory, "options"
+  end
+
 
   def to_h
     {

lib/kamal/configuration/proxy.rb

@@ -29,7 +29,7 @@ class Kamal::Configuration::Proxy
   def deploy_options
     {
       host: proxy_config["host"],
-      tls: proxy_config["ssl"],
+      tls: proxy_config["ssl"] ? true : nil,
       "deploy-timeout": seconds_duration(config.deploy_timeout),
       "drain-timeout": seconds_duration(config.drain_timeout),
       "health-check-interval": seconds_duration(proxy_config.dig("healthcheck", "interval")),

lib/kamal/secrets/adapters/last_pass.rb

@@ -3,7 +3,7 @@ class Kamal::Secrets::Adapters::LastPass < Kamal::Secrets::Adapters::Base
     def login(account)
       unless loggedin?(account)
         `lpass login #{account.shellescape}`
-        raise RuntimeError, "Failed to login to 1Password" unless $?.success?
+        raise RuntimeError, "Failed to login to LastPass" unless $?.success?
       end
     end
 
@@ -13,7 +13,7 @@ class Kamal::Secrets::Adapters::LastPass < Kamal::Secrets::Adapters::Base
 
     def fetch_secrets(secrets, account:, session:)
       items = `lpass show #{secrets.map(&:shellescape).join(" ")} --json`
-      raise RuntimeError, "Could not read #{secrets} from 1Password" unless $?.success?
+      raise RuntimeError, "Could not read #{secrets} from LastPass" unless $?.success?
 
       items = JSON.parse(items)
 

lib/kamal/version.rb

@@ -1,3 +1,3 @@
 module Kamal
-  VERSION = "2.0.0.rc2"
+  VERSION = "2.0.0"
 end