Use env files for secrets
Add env files back in for secrets - hides them from process lists and allows you to pick up the latest env file when running `kamal app exec` without reusing.
This commit is contained in:
@@ -119,8 +119,10 @@ class ConfigurationAccessoryTest < ActiveSupport::TestCase
|
||||
with_test_secrets("secrets" => "MYSQL_ROOT_PASSWORD=secret123") do
|
||||
config = Kamal::Configuration.new(@deploy)
|
||||
|
||||
assert_equal [ "--env", "MYSQL_ROOT_HOST=\"%\"", "--env", "MYSQL_ROOT_PASSWORD=\"secret123\"" ], config.accessory(:mysql).env_args.map(&:to_s)
|
||||
assert_equal [ "--env", "SOMETHING=\"else\"" ], @config.accessory(:redis).env_args
|
||||
assert_equal [ "--env", "MYSQL_ROOT_HOST=\"%\"", "--env-file", ".kamal/env/accessories/app-mysql.env" ], config.accessory(:mysql).env_args.map(&:to_s)
|
||||
assert_equal "MYSQL_ROOT_PASSWORD=secret123\n", config.accessory(:mysql).secrets_io.string
|
||||
assert_equal [ "--env", "SOMETHING=\"else\"", "--env-file", ".kamal/env/accessories/app-redis.env" ], @config.accessory(:redis).env_args
|
||||
assert_equal "\n", config.accessory(:redis).secrets_io.string
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
@@ -6,20 +6,20 @@ class ConfigurationEnvTest < ActiveSupport::TestCase
|
||||
test "simple" do
|
||||
assert_config \
|
||||
config: { "foo" => "bar", "baz" => "haz" },
|
||||
results: { "foo" => "bar", "baz" => "haz" }
|
||||
clear: { "foo" => "bar", "baz" => "haz" }
|
||||
end
|
||||
|
||||
test "clear" do
|
||||
assert_config \
|
||||
config: { "clear" => { "foo" => "bar", "baz" => "haz" } },
|
||||
results: { "foo" => "bar", "baz" => "haz" }
|
||||
clear: { "foo" => "bar", "baz" => "haz" }
|
||||
end
|
||||
|
||||
test "secret" do
|
||||
with_test_secrets("secrets" => "PASSWORD=hello") do
|
||||
assert_config \
|
||||
config: { "secret" => [ "PASSWORD" ] },
|
||||
results: { "PASSWORD" => "hello" }
|
||||
secrets: { "PASSWORD" => "hello" }
|
||||
end
|
||||
end
|
||||
|
||||
@@ -28,7 +28,7 @@ class ConfigurationEnvTest < ActiveSupport::TestCase
|
||||
"secret" => [ "PASSWORD" ]
|
||||
}
|
||||
|
||||
assert_raises(Kamal::ConfigurationError) { Kamal::Configuration::Env.new(config: { "secret" => [ "PASSWORD" ] }, secrets: Kamal::Secrets.new).args }
|
||||
assert_raises(Kamal::ConfigurationError) { Kamal::Configuration::Env.new(config: { "secret" => [ "PASSWORD" ] }, secrets: Kamal::Secrets.new).secrets_io }
|
||||
end
|
||||
|
||||
test "secret and clear" do
|
||||
@@ -43,14 +43,17 @@ class ConfigurationEnvTest < ActiveSupport::TestCase
|
||||
|
||||
assert_config \
|
||||
config: config,
|
||||
results: { "foo" => "bar", "baz" => "haz", "PASSWORD" => "hello" }
|
||||
clear: { "foo" => "bar", "baz" => "haz" },
|
||||
secrets: { "PASSWORD" => "hello" }
|
||||
end
|
||||
end
|
||||
|
||||
private
|
||||
def assert_config(config:, results:)
|
||||
def assert_config(config:, clear: {}, secrets: {})
|
||||
env = Kamal::Configuration::Env.new config: config, secrets: Kamal::Secrets.new
|
||||
expected_args = results.to_a.flat_map { |key, value| [ "--env", "#{key}=\"#{value}\"" ] }
|
||||
assert_equal expected_args, env.args.map(&:to_s) # to_s removes the redactions
|
||||
expected_clear_args = clear.to_a.flat_map { |key, value| [ "--env", "#{key}=\"#{value}\"" ] }
|
||||
assert_equal expected_clear_args, env.clear_args.map(&:to_s) # to_s removes the redactions
|
||||
expected_secrets = secrets.to_a.flat_map { |key, value| "#{key}=#{value}" }.join("\n") + "\n"
|
||||
assert_equal expected_secrets, env.secrets_io.string
|
||||
end
|
||||
end
|
||||
|
||||
@@ -69,10 +69,13 @@ class ConfigurationRoleTest < ActiveSupport::TestCase
|
||||
test "env overwritten by role" do
|
||||
assert_equal "redis://a/b", config_with_roles.role(:workers).env("1.1.1.3").clear["REDIS_URL"]
|
||||
|
||||
assert_equal [
|
||||
"--env", "REDIS_URL=\"redis://a/b\"",
|
||||
"--env", "WEB_CONCURRENCY=\"4\"" ],
|
||||
config_with_roles.role(:workers).env_args("1.1.1.3")
|
||||
assert_equal \
|
||||
[ "--env", "REDIS_URL=\"redis://a/b\"", "--env", "WEB_CONCURRENCY=\"4\"", "--env-file", ".kamal/env/roles/app-workers.env" ],
|
||||
config_with_roles.role(:workers).env_args("1.1.1.3").map(&:to_s)
|
||||
|
||||
assert_equal \
|
||||
"\n",
|
||||
config_with_roles.role(:workers).secrets_io("1.1.1.3").read
|
||||
end
|
||||
|
||||
test "container name" do
|
||||
@@ -85,7 +88,13 @@ class ConfigurationRoleTest < ActiveSupport::TestCase
|
||||
end
|
||||
|
||||
test "env args" do
|
||||
assert_equal [ "--env", "REDIS_URL=\"redis://a/b\"", "--env", "WEB_CONCURRENCY=\"4\"" ], config_with_roles.role(:workers).env_args("1.1.1.3")
|
||||
assert_equal \
|
||||
[ "--env", "REDIS_URL=\"redis://a/b\"", "--env", "WEB_CONCURRENCY=\"4\"", "--env-file", ".kamal/env/roles/app-workers.env" ],
|
||||
config_with_roles.role(:workers).env_args("1.1.1.3").map(&:to_s)
|
||||
|
||||
assert_equal \
|
||||
"\n",
|
||||
config_with_roles.role(:workers).secrets_io("1.1.1.3").read
|
||||
end
|
||||
|
||||
test "env secret overwritten by role" do
|
||||
@@ -109,12 +118,13 @@ class ConfigurationRoleTest < ActiveSupport::TestCase
|
||||
]
|
||||
}
|
||||
|
||||
assert_equal [
|
||||
"--env", "REDIS_URL=\"redis://a/b\"",
|
||||
"--env", "WEB_CONCURRENCY=\"4\"",
|
||||
"--env", "REDIS_PASSWORD=\"secret456\"",
|
||||
"--env", "DB_PASSWORD=\"secret&\\\"123\"" ],
|
||||
assert_equal \
|
||||
[ "--env", "REDIS_URL=\"redis://a/b\"", "--env", "WEB_CONCURRENCY=\"4\"", "--env-file", ".kamal/env/roles/app-workers.env" ],
|
||||
config_with_roles.role(:workers).env_args("1.1.1.3").map(&:to_s)
|
||||
|
||||
assert_equal \
|
||||
"REDIS_PASSWORD=secret456\nDB_PASSWORD=secret&\"123\n",
|
||||
config_with_roles.role(:workers).secrets_io("1.1.1.3").read
|
||||
end
|
||||
end
|
||||
|
||||
@@ -130,11 +140,13 @@ class ConfigurationRoleTest < ActiveSupport::TestCase
|
||||
]
|
||||
}
|
||||
|
||||
assert_equal [
|
||||
"--env", "REDIS_URL=\"redis://a/b\"",
|
||||
"--env", "WEB_CONCURRENCY=\"4\"",
|
||||
"--env", "DB_PASSWORD=\"secret123\"" ],
|
||||
assert_equal \
|
||||
[ "--env", "REDIS_URL=\"redis://a/b\"", "--env", "WEB_CONCURRENCY=\"4\"", "--env-file", ".kamal/env/roles/app-workers.env" ],
|
||||
config_with_roles.role(:workers).env_args("1.1.1.3").map(&:to_s)
|
||||
|
||||
assert_equal \
|
||||
"DB_PASSWORD=secret123\n",
|
||||
config_with_roles.role(:workers).secrets_io("1.1.1.3").read
|
||||
end
|
||||
end
|
||||
|
||||
@@ -149,11 +161,13 @@ class ConfigurationRoleTest < ActiveSupport::TestCase
|
||||
]
|
||||
}
|
||||
|
||||
assert_equal [
|
||||
"--env", "REDIS_URL=\"redis://a/b\"",
|
||||
"--env", "WEB_CONCURRENCY=\"4\"",
|
||||
"--env", "REDIS_PASSWORD=\"secret456\"" ],
|
||||
assert_equal \
|
||||
[ "--env", "REDIS_URL=\"redis://a/b\"", "--env", "WEB_CONCURRENCY=\"4\"", "--env-file", ".kamal/env/roles/app-workers.env" ],
|
||||
config_with_roles.role(:workers).env_args("1.1.1.3").map(&:to_s)
|
||||
|
||||
assert_equal \
|
||||
"REDIS_PASSWORD=secret456\n",
|
||||
config_with_roles.role(:workers).secrets_io("1.1.1.3").read
|
||||
end
|
||||
end
|
||||
|
||||
@@ -174,11 +188,13 @@ class ConfigurationRoleTest < ActiveSupport::TestCase
|
||||
}
|
||||
}
|
||||
|
||||
config = config_with_roles
|
||||
assert_equal [
|
||||
"--env", "REDIS_URL=\"redis://c/d\"",
|
||||
"--env", "REDIS_PASSWORD=\"secret456\"" ],
|
||||
config.role(:workers).env_args("1.1.1.3").map(&:to_s)
|
||||
assert_equal \
|
||||
[ "--env", "REDIS_URL=\"redis://c/d\"", "--env-file", ".kamal/env/roles/app-workers.env" ],
|
||||
config_with_roles.role(:workers).env_args("1.1.1.3").map(&:to_s)
|
||||
|
||||
assert_equal \
|
||||
"REDIS_PASSWORD=secret456\n",
|
||||
config_with_roles.role(:workers).secrets_io("1.1.1.3").read
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
Reference in New Issue
Block a user