Merge pull request #931 from basecamp/dont-git-ignore-dot-kamal-secrets

Don't git ignore .kamal/secrets

lib/kamal/cli/main.rb

@@ -152,12 +152,6 @@ class Kamal::Cli::Main < Kamal::Cli::Base
       FileUtils.mkdir_p secrets_file.dirname
       FileUtils.cp_r Pathname.new(File.expand_path("templates/secrets", __dir__)), secrets_file
       puts "Created .kamal/secrets file"
-
-      gitignore = Pathname.new(File.expand_path(".gitignore"))
-      if gitignore.exist? && !gitignore.read.include?(".kamal/secrets")
-        gitignore.open("a") { |f| f.puts "\n.kamal/secrets*" }
-        puts "Added .kamal/secrets* to .gitignore"
-      end
     end
 
     unless (hooks_dir = Pathname.new(File.expand_path(".kamal/hooks"))).exist?

lib/kamal/cli/templates/secrets

@@ -1,6 +1,16 @@
-# SECRETS=$(kamal secrets --adapter 1password --from Vault/Item Section1/KAMAL_REGISTRY_PASSWORD Section2/RAILS_MASTER_KEY)
-# KAMAL_REGISTRY_PASSWORD=$(kamal secrets extract KAMAL_REGISTRY_PASSWORD ${SECRETS})
-# RAILS_MASTER_KEY=$(kamal secrets extract RAILS_MASTER_KEY ${SECRETS})
+# WARNING: Avoid adding secrets directly to this file
+# If you must, then add `.kamal/secrets*` to your .gitignore file
 
-KAMAL_REGISTRY_PASSWORD=change-this
-RAILS_MASTER_KEY=another-env
+# Option 1: Read secrets from the environment
+KAMAL_REGISTRY_PASSWORD=$KAMAL_REGISTRY_PASSWORD
+
+# Option 2: Read secrets via a command
+# RAILS_MASTER_KEY=$(cat config/master.key)
+
+# Option 3: Read secrets via kamal secrets helpers
+# These will handle logging in and fetching the secrets in as few calls as possible
+# There are adapters for 1Password, LastPass + Bitwarden
+#
+# SECRETS=$(kamal secrets fetch --adapter 1password --account my-account --from MyVault/MyItem KAMAL_REGISTRY_PASSWORD RAILS_MASTER_KEY)
+# KAMAL_REGISTRY_PASSWORD=$(kamal secrets extract KAMAL_REGISTRY_PASSWORD $SECRETS)
+# RAILS_MASTER_KEY=$(kamal secrets extract RAILS_MASTER_KEY $SECRETS)