Bump version for 1.8.3

Build both arches with remote multarch builder

.github/workflows/ci.yml

@@ -3,6 +3,7 @@ on:
   push:
     branches:
       - main
+      - 1-8-stable
   pull_request:
 jobs:
   rubocop:

Dockerfile

@@ -1,7 +1,7 @@
 # Use the official Ruby 3.2.0 Alpine image as the base image
 FROM ruby:3.2.0-alpine
 
-# Install  docker/buildx-bin
+# Install docker/buildx-bin
 COPY --from=docker/buildx-bin /buildx /usr/libexec/docker/cli-plugins/docker-buildx
 
 # Set the working directory to /kamal
@@ -14,7 +14,7 @@ COPY Gemfile Gemfile.lock kamal.gemspec ./
 COPY lib/kamal/version.rb /kamal/lib/kamal/version.rb
 
 # Install system dependencies
-RUN apk add --no-cache --update build-base git docker openrc openssh-client-default \
+RUN apk add --no-cache build-base git docker openrc openssh-client-default \
     && rc-update add docker boot \
     && gem install bundler --version=2.4.3 \
     && bundle install

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    kamal (1.8.0)
+    kamal (1.8.3)
       activesupport (>= 7.0)
       base64 (~> 0.2)
       bcrypt_pbkdf (~> 1.0)

lib/kamal/cli/build.rb

@@ -140,7 +140,7 @@ class Kamal::Cli::Build < Kamal::Cli::Base
         mirror_hosts = Concurrent::Hash.new
         on(KAMAL.hosts) do |host|
           first_mirror = capture_with_info(*KAMAL.builder.first_mirror).strip.presence
-          mirror_hosts[first_mirror] ||= host if first_mirror
+          mirror_hosts[first_mirror] ||= host.to_s if first_mirror
         rescue SSHKit::Command::Failed => e
           raise unless e.message =~ /error calling index: reflect: slice index out of range/
         end

lib/kamal/commands/builder/clone.rb

@@ -6,7 +6,7 @@ module Kamal::Commands::Builder::Clone
   end
 
   def clone
-    git :clone, Kamal::Git.root, path: clone_directory
+    git :clone, Kamal::Git.root, "--recurse-submodules", path: clone_directory
   end
 
   def clone_reset_steps
@@ -14,7 +14,8 @@ module Kamal::Commands::Builder::Clone
       git(:remote, "set-url", :origin, Kamal::Git.root, path: build_directory),
       git(:fetch, :origin, path: build_directory),
       git(:reset, "--hard", Kamal::Git.revision, path: build_directory),
-      git(:clean, "-fdx", path: build_directory)
+      git(:clean, "-fdx", path: build_directory),
+      git(:submodule, :update, "--init", path: build_directory)
     ]
   end
 

lib/kamal/commands/builder/multiarch/remote.rb

@@ -58,4 +58,8 @@ class Kamal::Commands::Builder::Multiarch::Remote < Kamal::Commands::Builder::Mu
     def remove_context(arch)
       docker :context, :rm, builder_name_with_arch(arch)
     end
+
+    def platform_names
+      "linux/#{local_arch},linux/#{remote_arch}"
+    end
 end

lib/kamal/configuration.rb

@@ -47,7 +47,7 @@ class Kamal::Configuration
     @destination = destination
     @declared_version = version
 
-    validate! raw_config, example: validation_yml.symbolize_keys, context: ""
+    validate! raw_config, example: validation_yml.symbolize_keys, context: "", with: Kamal::Configuration::Validator::Configuration
 
     # Eager load config to validate it, these are first as they have dependencies later on
     @servers = Servers.new(config: self)

lib/kamal/configuration/docs/configuration.yml

@@ -2,13 +2,24 @@
 #
 # Configuration is read from the `config/deploy.yml`
 #
+
+# Destinations
+#
 # When running commands, you can specify a destination with the `-d` flag,
 # e.g. `kamal deploy -d staging`
 #
 # In this case the configuration will also be read from `config/deploy.staging.yml`
 # and merged with the base configuration.
+
+# Extensions
 #
-# The available configuration options are explained below.
+# Kamal will not accept unrecognized keys in the configuration file.
+#
+# However, you might want to declare a configuration block using YAML anchors
+# and aliases to avoid repetition.
+#
+# You can use prefix a configuration section with `x-` to indicate that it is an
+# extension. Kamal will ignore the extension and not raise an error.
 
 # The service name
 # This is a required value. It is used as the container name prefix.

lib/kamal/configuration/docs/env.yml

@@ -29,7 +29,7 @@ env:
 # To pass the secrets you should list them under the `secret` key. When you do this the
 # other variables need to be moved under the `clear` key.
 #
-# Unlike clear valies, secrets are not passed directly to the container,
+# Unlike clear values, secrets are not passed directly to the container,
 # but are stored in an env file on the host
 # The file is not updated when deploying, only when running `kamal envify` or `kamal env push`.
 env:

lib/kamal/configuration/validator.rb

@@ -15,11 +15,10 @@ class Kamal::Configuration::Validator
     def validate_against_example!(validation_config, example)
       validate_type! validation_config, Hash
 
-      if (unknown_keys = validation_config.keys - example.keys).any?
-        unknown_keys_error unknown_keys
-      end
+      check_unknown_keys! validation_config, example
 
       validation_config.each do |key, value|
+        next if extension?(key)
         with_context(key) do
           example_value = example[key]
 
@@ -137,4 +136,18 @@ class Kamal::Configuration::Validator
     ensure
       @context = old_context
     end
+
+    def allow_extensions?
+      false
+    end
+
+    def extension?(key)
+      key.to_s.start_with?("x-")
+    end
+
+    def check_unknown_keys!(config, example)
+      unknown_keys = config.keys - example.keys
+      unknown_keys.reject! { |key| extension?(key) } if allow_extensions?
+      unknown_keys_error unknown_keys if unknown_keys.present?
+    end
 end

lib/kamal/configuration/validator/configuration.rb

@@ -0,0 +1,6 @@
+class Kamal::Configuration::Validator::Configuration < Kamal::Configuration::Validator
+  private
+    def allow_extensions?
+      true
+    end
+end

lib/kamal/version.rb

@@ -1,3 +1,3 @@
 module Kamal
-  VERSION = "1.8.0"
+  VERSION = "1.8.3"
 end

test/cli/build_test.rb

@@ -42,7 +42,7 @@ class CliBuildTest < CliTestCase
       SSHKit::Backend::Abstract.any_instance.expects(:execute).with(:docker, "--version", "&&", :docker, :buildx, "version")
 
       SSHKit::Backend::Abstract.any_instance.expects(:execute)
-        .with(:git, "-C", "#{Dir.tmpdir}/kamal-clones/app-#{pwd_sha}", :clone, Dir.pwd)
+        .with(:git, "-C", "#{Dir.tmpdir}/kamal-clones/app-#{pwd_sha}", :clone, Dir.pwd, "--recurse-submodules")
         .raises(SSHKit::Command::Failed.new("fatal: destination path 'kamal' already exists and is not an empty directory"))
         .then
         .returns(true)
@@ -50,6 +50,7 @@ class CliBuildTest < CliTestCase
       SSHKit::Backend::Abstract.any_instance.expects(:execute).with(:git, "-C", build_directory, :fetch, :origin)
       SSHKit::Backend::Abstract.any_instance.expects(:execute).with(:git, "-C", build_directory, :reset, "--hard", Kamal::Git.revision)
       SSHKit::Backend::Abstract.any_instance.expects(:execute).with(:git, "-C", build_directory, :clean, "-fdx")
+      SSHKit::Backend::Abstract.any_instance.expects(:execute).with(:git, "-C", build_directory, :submodule, :update, "--init")
 
       SSHKit::Backend::Abstract.any_instance.expects(:execute)
         .with(:docker, :buildx, :build, "--push", "--platform", "linux/amd64,linux/arm64", "--builder", "kamal-app-multiarch", "-t", "dhh/app:999", "-t", "dhh/app:latest", "--label", "service=\"app\"", "--file", "Dockerfile", ".")
@@ -88,7 +89,7 @@ class CliBuildTest < CliTestCase
       SSHKit::Backend::Abstract.any_instance.expects(:execute).with(:docker, "--version", "&&", :docker, :buildx, "version")
 
       SSHKit::Backend::Abstract.any_instance.expects(:execute)
-        .with(:git, "-C", "#{Dir.tmpdir}/kamal-clones/app-#{pwd_sha}", :clone, Dir.pwd)
+        .with(:git, "-C", "#{Dir.tmpdir}/kamal-clones/app-#{pwd_sha}", :clone, Dir.pwd, "--recurse-submodules")
         .raises(SSHKit::Command::Failed.new("fatal: destination path 'kamal' already exists and is not an empty directory"))
         .then
         .returns(true)
@@ -185,7 +186,7 @@ class CliBuildTest < CliTestCase
     run_command("pull").tap do |output|
       assert_match /Pulling image on 1\.1\.1\.\d to seed the mirror\.\.\./, output
       assert_match "Pulling image on remaining hosts...", output
-      assert_match /docker pull dhh\/app:999/, output
+      assert_equal 4, output.scan(/docker pull dhh\/app:999/).size, output
       assert_match "docker inspect -f '{{ .Config.Labels.service }}' dhh/app:999 | grep -x app || (echo \"Image dhh/app:999 is missing the 'service' label\" && exit 1)", output
     end
   end
@@ -199,7 +200,7 @@ class CliBuildTest < CliTestCase
     run_command("pull").tap do |output|
       assert_match /Pulling image on 1\.1\.1\.\d, 1\.1\.1\.\d to seed the mirrors\.\.\./, output
       assert_match "Pulling image on remaining hosts...", output
-      assert_match /docker pull dhh\/app:999/, output
+      assert_equal 4, output.scan(/docker pull dhh\/app:999/).size, output
       assert_match "docker inspect -f '{{ .Config.Labels.service }}' dhh/app:999 | grep -x app || (echo \"Image dhh/app:999 is missing the 'service' label\" && exit 1)", output
     end
   end

test/cli/cli_test_case.rb

@@ -42,12 +42,13 @@ class CliTestCase < ActiveSupport::TestCase
     end
 
     def assert_hook_ran(hook, output, version:, service_version:, hosts:, command:, subcommand: nil, runtime: false)
-      performer = Kamal::Git.email.presence || `whoami`.chomp
+      whoami = `whoami`.chomp
+      performer = Kamal::Git.email.presence || whoami
       service = service_version.split("@").first
 
       assert_match "Running the #{hook} hook...\n", output
 
-      expected = %r{Running\s/usr/bin/env\s\.kamal/hooks/#{hook}\sas\s#{performer}@localhost\n\s
+      expected = %r{Running\s/usr/bin/env\s\.kamal/hooks/#{hook}\sas\s#{whoami}@localhost\n\s
         DEBUG\s\[[0-9a-f]*\]\sCommand:\s\(\sexport\s
         KAMAL_RECORDED_AT=\"\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ\"\s
         KAMAL_PERFORMER=\"#{performer}\"\s

test/commands/builder_test.rb

@@ -30,10 +30,10 @@ class CommandsBuilderTest < ActiveSupport::TestCase
   end
 
   test "target multiarch remote when local and remote is set" do
-    builder = new_builder_command(builder: { "local" => {}, "remote" => {}, "cache" => { "type" => "gha" } })
+    builder = new_builder_command(builder: { "local" => { "arch" => "arm64" }, "remote" => { "arch" => "amd64" }, "cache" => { "type" => "gha" } })
     assert_equal "multiarch/remote", builder.name
     assert_equal \
-      "docker buildx build --push --platform linux/amd64,linux/arm64 --builder kamal-app-multiarch-remote -t dhh/app:123 -t dhh/app:latest --cache-to type=gha --cache-from type=gha --label service=\"app\" --file Dockerfile .",
+      "docker buildx build --push --platform linux/arm64,linux/amd64 --builder kamal-app-multiarch-remote -t dhh/app:123 -t dhh/app:latest --cache-to type=gha --cache-from type=gha --label service=\"app\" --file Dockerfile .",
       builder.push.join(" ")
   end
 

test/configuration_test.rb

@@ -344,4 +344,12 @@ class ConfigurationTest < ActiveSupport::TestCase
 
     assert_raises(Kamal::ConfigurationError) { Kamal::Configuration.new(@deploy_with_roles.merge(retain_containers: 0)) }
   end
+
+  test "extensions" do
+    dest_config_file = Pathname.new(File.expand_path("fixtures/deploy_with_extensions.yml", __dir__))
+
+    config = Kamal::Configuration.create_from config_file: dest_config_file
+    assert_equal config.role(:web_tokyo).running_traefik?, true
+    assert_equal config.role(:web_chicago).running_traefik?, true
+  end
 end

test/fixtures/deploy_with_extensions.yml

@@ -0,0 +1,24 @@
+
+x-web: &web
+  traefik: true
+
+service: app
+image: dhh/app
+servers:
+  web_chicago:
+    <<: *web
+    hosts:
+      - 1.1.1.1
+      - 1.1.1.2
+  web_tokyo:
+    <<: *web
+    hosts:
+      - 1.1.1.3
+      - 1.1.1.4
+env:
+  REDIS_URL: redis://x/y
+registry:
+  server: registry.digitalocean.com
+  username: user
+  password: pw
+primary_role: web_tokyo

test/integration/docker-compose.yml

@@ -29,8 +29,6 @@ services:
       context: docker/registry
     environment:
       - REGISTRY_HTTP_ADDR=0.0.0.0:4443
-      - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt
-      - REGISTRY_HTTP_TLS_KEY=/certs/domain.key
     volumes:
       - shared:/shared
       - registry:/var/lib/registry/

test/integration/docker/deployer/Dockerfile

@@ -22,7 +22,6 @@ COPY app_with_roles/ app_with_roles/
 
 RUN rm -rf /root/.ssh
 RUN ln -s /shared/ssh /root/.ssh
-RUN mkdir -p /etc/docker/certs.d/registry:4443 && ln -s /shared/certs/domain.crt /etc/docker/certs.d/registry:4443/ca.crt
 
 RUN git config --global user.email "deployer@example.com"
 RUN git config --global user.name "Deployer"

test/integration/docker/deployer/boot.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
 
-dockerd --max-concurrent-downloads 1 &
+dockerd --max-concurrent-downloads 1 --insecure-registry registry:4443 &
 
 exec sleep infinity

test/integration/docker/registry/boot.sh

@@ -1,5 +1,3 @@
 #!/bin/sh
 
-while [ ! -f /certs/domain.crt ]; do sleep 1; done
-
 exec /entrypoint.sh /etc/docker/registry/config.yml

test/integration/docker/shared/Dockerfile

@@ -10,8 +10,6 @@ RUN mkdir ssh && \
 COPY registry-dns.conf .
 COPY boot.sh .
 
-RUN mkdir certs && openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key   -x509 -days 365 -out certs/domain.crt   -subj '/CN=registry' -extensions EXT -config registry-dns.conf
-
 HEALTHCHECK --interval=1s CMD pgrep sleep
 
 CMD ["./boot.sh"]

test/integration/docker/vm/Dockerfile

@@ -5,7 +5,6 @@ WORKDIR /work
 RUN apt-get update --fix-missing && apt-get -y install openssh-client openssh-server docker.io
 
 RUN mkdir /root/.ssh && ln -s /shared/ssh/id_rsa.pub /root/.ssh/authorized_keys
-RUN mkdir -p /etc/docker/certs.d/registry:4443 && ln -s /shared/certs/domain.crt /etc/docker/certs.d/registry:4443/ca.crt
 
 RUN echo "HOST_TOKEN=abcd" >> /etc/environment
 

test/integration/docker/vm/boot.sh

@@ -4,6 +4,6 @@ while [ ! -f /root/.ssh/authorized_keys ]; do echo "Waiting for ssh keys"; sleep
 
 service ssh restart
 
-dockerd --max-concurrent-downloads 1 &
+dockerd --max-concurrent-downloads 1 --insecure-registry registry:4443 &
 
 exec sleep infinity