Replace .env* with .kamal/env*

By default look for the env file in .kamal/env to avoid clashes with
other tools using .env.

For now we'll still load .env and issue a deprecation warning, but in
future we'll stop reading those.

.github/workflows/ci.yml

@@ -3,7 +3,6 @@ on:
   push:
     branches:
       - main
-      - 1-8-stable
   pull_request:
 jobs:
   rubocop:

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    kamal (1.8.3)
+    kamal (1.8.1)
       activesupport (>= 7.0)
       base64 (~> 0.2)
       bcrypt_pbkdf (~> 1.0)

lib/kamal/cli/base.rb

@@ -37,9 +37,22 @@ module Kamal::Cli
 
       def load_env
         if destination = options[:destination]
-          Dotenv.load(".env.#{destination}", ".env")
+          if File.exist?(".kamal/env.#{destination}") || File.exist?(".kamal/env")
+            Dotenv.load(".kamal/env.#{destination}", ".kamal/env")
+          else
+            loading_files = [ (".env" if File.exist?(".env")), (".env.#{destination}" if File.exist?(".env.#{destination}")) ].compact
+            if loading_files.any?
+              warn "Loading #{loading_files.join(" and ")} from the project root, use .kamal/env* instead"
+              Dotenv.load(".env.#{destination}", ".env")
+            end
+          end
         else
-          Dotenv.load(".env")
+          if File.exist?(".kamal/env")
+            Dotenv.load(".kamal/env")
+          elsif File.exist?(".env")
+            warn "Loading .env from the project root is deprecated, use .kamal/env instead"
+            Dotenv.load(".env")
+          end
         end
       end
 

lib/kamal/cli/main.rb

@@ -183,11 +183,25 @@ class Kamal::Cli::Main < Kamal::Cli::Base
   option :skip_push, aliases: "-P", type: :boolean, default: false, desc: "Skip .env file push"
   def envify
     if destination = options[:destination]
-      env_template_path = ".env.#{destination}.erb"
+      env_template_path = ".kamal/env.#{destination}.erb"
-      env_path          = ".env.#{destination}"
+      env_path          = ".kamal/env.#{destination}"
     else
-      env_template_path = ".env.erb"
+      env_template_path = ".kamal/env.erb"
-      env_path          = ".env"
+      env_path          = ".kamal/env"
+    end
+
+    unless Pathname.new(File.expand_path(env_template_path)).exist?
+      if destination = options[:destination]
+        env_template_path = ".env.#{destination}.erb"
+        env_path          = ".env.#{destination}"
+      else
+        env_template_path = ".env.erb"
+        env_path          = ".env"
+      end
+
+      if Pathname.new(File.expand_path(env_template_path)).exist?
+        warn "Loading #{env_template_path} from the project root is deprecated, use .kamal/env[.<DESTINATION>].erb instead"
+      end
     end
 
     if Pathname.new(File.expand_path(env_template_path)).exist?

lib/kamal/commands/builder/clone.rb

@@ -6,7 +6,7 @@ module Kamal::Commands::Builder::Clone
   end
 
   def clone
-    git :clone, Kamal::Git.root, "--recurse-submodules", path: clone_directory
+    git :clone, Kamal::Git.root, path: clone_directory
   end
 
   def clone_reset_steps
@@ -14,8 +14,7 @@ module Kamal::Commands::Builder::Clone
       git(:remote, "set-url", :origin, Kamal::Git.root, path: build_directory),
       git(:fetch, :origin, path: build_directory),
       git(:reset, "--hard", Kamal::Git.revision, path: build_directory),
-      git(:clean, "-fdx", path: build_directory),
+      git(:clean, "-fdx", path: build_directory)
-      git(:submodule, :update, "--init", path: build_directory)
     ]
   end
 

lib/kamal/commands/builder/multiarch/remote.rb

@@ -58,8 +58,4 @@ class Kamal::Commands::Builder::Multiarch::Remote < Kamal::Commands::Builder::Mu
     def remove_context(arch)
       docker :context, :rm, builder_name_with_arch(arch)
     end
-
-    def platform_names
-      "linux/#{local_arch},linux/#{remote_arch}"
-    end
 end

lib/kamal/configuration/docs/env.yml

@@ -29,7 +29,7 @@ env:
 # To pass the secrets you should list them under the `secret` key. When you do this the
 # other variables need to be moved under the `clear` key.
 #
-# Unlike clear values, secrets are not passed directly to the container,
+# Unlike clear valies, secrets are not passed directly to the container,
 # but are stored in an env file on the host
 # The file is not updated when deploying, only when running `kamal envify` or `kamal env push`.
 env:

lib/kamal/version.rb

@@ -1,3 +1,3 @@
 module Kamal
-  VERSION = "1.8.3"
+  VERSION = "1.8.1"
 end

test/cli/build_test.rb

@@ -42,7 +42,7 @@ class CliBuildTest < CliTestCase
       SSHKit::Backend::Abstract.any_instance.expects(:execute).with(:docker, "--version", "&&", :docker, :buildx, "version")
 
       SSHKit::Backend::Abstract.any_instance.expects(:execute)
-        .with(:git, "-C", "#{Dir.tmpdir}/kamal-clones/app-#{pwd_sha}", :clone, Dir.pwd, "--recurse-submodules")
+        .with(:git, "-C", "#{Dir.tmpdir}/kamal-clones/app-#{pwd_sha}", :clone, Dir.pwd)
         .raises(SSHKit::Command::Failed.new("fatal: destination path 'kamal' already exists and is not an empty directory"))
         .then
         .returns(true)
@@ -50,7 +50,6 @@ class CliBuildTest < CliTestCase
       SSHKit::Backend::Abstract.any_instance.expects(:execute).with(:git, "-C", build_directory, :fetch, :origin)
       SSHKit::Backend::Abstract.any_instance.expects(:execute).with(:git, "-C", build_directory, :reset, "--hard", Kamal::Git.revision)
       SSHKit::Backend::Abstract.any_instance.expects(:execute).with(:git, "-C", build_directory, :clean, "-fdx")
-      SSHKit::Backend::Abstract.any_instance.expects(:execute).with(:git, "-C", build_directory, :submodule, :update, "--init")
 
       SSHKit::Backend::Abstract.any_instance.expects(:execute)
         .with(:docker, :buildx, :build, "--push", "--platform", "linux/amd64,linux/arm64", "--builder", "kamal-app-multiarch", "-t", "dhh/app:999", "-t", "dhh/app:latest", "--label", "service=\"app\"", "--file", "Dockerfile", ".")
@@ -89,7 +88,7 @@ class CliBuildTest < CliTestCase
       SSHKit::Backend::Abstract.any_instance.expects(:execute).with(:docker, "--version", "&&", :docker, :buildx, "version")
 
       SSHKit::Backend::Abstract.any_instance.expects(:execute)
-        .with(:git, "-C", "#{Dir.tmpdir}/kamal-clones/app-#{pwd_sha}", :clone, Dir.pwd, "--recurse-submodules")
+        .with(:git, "-C", "#{Dir.tmpdir}/kamal-clones/app-#{pwd_sha}", :clone, Dir.pwd)
         .raises(SSHKit::Command::Failed.new("fatal: destination path 'kamal' already exists and is not an empty directory"))
         .then
         .returns(true)

test/cli/main_test.rb

@@ -447,9 +447,9 @@ class CliMainTest < CliTestCase
   end
 
   test "envify" do
-    with_test_dotenv(".env.erb": "HELLO=<%= 'world' %>") do
+    with_test_env_files("env.erb": "HELLO=<%= 'world' %>") do
       run_command("envify")
-      assert_equal("HELLO=world", File.read(".env"))
+      assert_equal("HELLO=world", File.read(".kamal/env"))
     end
   end
 
@@ -461,32 +461,32 @@ class CliMainTest < CliTestCase
       <% end  -%>
     EOF
 
-    with_test_dotenv(".env.erb": file) do
+    with_test_env_files("env.erb": file) do
       run_command("envify")
-      assert_equal("HELLO=world\nKEY=value\n", File.read(".env"))
+      assert_equal("HELLO=world\nKEY=value\n", File.read(".kamal/env"))
     end
   end
 
   test "envify with destination" do
-    with_test_dotenv(".env.world.erb": "HELLO=<%= 'world' %>") do
+    with_test_env_files("env.world.erb": "HELLO=<%= 'world' %>") do
       run_command("envify", "-d", "world", config_file: "deploy_for_dest")
-      assert_equal "HELLO=world", File.read(".env.world")
+      assert_equal "HELLO=world", File.read(".kamal/env.world")
     end
   end
 
   test "envify with skip_push" do
-    Pathname.any_instance.expects(:exist?).returns(true).times(1)
+    Pathname.any_instance.expects(:exist?).returns(true).times(2)
-    File.expects(:read).with(".env.erb").returns("HELLO=<%= 'world' %>")
+    File.expects(:read).with(".kamal/env.erb").returns("HELLO=<%= 'world' %>")
-    File.expects(:write).with(".env", "HELLO=world", perm: 0600)
+    File.expects(:write).with(".kamal/env", "HELLO=world", perm: 0600)
 
     Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:env:push").never
     run_command("envify", "--skip-push")
   end
 
   test "envify with clean env" do
-    with_test_dotenv(".env": "HELLO=already", ".env.erb": "HELLO=<%= ENV.fetch 'HELLO', 'never' %>") do
+    with_test_env_files("env": "HELLO=already", "env.erb": "HELLO=<%= ENV.fetch 'HELLO', 'never' %>") do
       run_command("envify", "--skip-push")
-      assert_equal "HELLO=never", File.read(".env")
+      assert_equal "HELLO=never", File.read(".kamal/env")
     end
   end
 
@@ -542,15 +542,18 @@ class CliMainTest < CliTestCase
       stdouted { Kamal::Cli::Main.start([ *command, "-c", "test/fixtures/#{config_file}.yml" ]) }
     end
 
-    def with_test_dotenv(**files)
+    def with_test_env_files(**files)
       Dir.mktmpdir do |dir|
         fixtures_dup = File.join(dir, "test")
         FileUtils.mkdir_p(fixtures_dup)
         FileUtils.cp_r("test/fixtures/", fixtures_dup)
 
         Dir.chdir(dir) do
-          files.each do |filename, contents|
+          FileUtils.mkdir_p(".kamal")
-            File.binwrite(filename.to_s, contents)
+          Dir.chdir(".kamal") do
+            files.each do |filename, contents|
+              File.binwrite(filename.to_s, contents)
+            end
           end
           yield
         end

test/commands/builder_test.rb

@@ -30,10 +30,10 @@ class CommandsBuilderTest < ActiveSupport::TestCase
   end
 
   test "target multiarch remote when local and remote is set" do
-    builder = new_builder_command(builder: { "local" => { "arch" => "arm64" }, "remote" => { "arch" => "amd64" }, "cache" => { "type" => "gha" } })
+    builder = new_builder_command(builder: { "local" => {}, "remote" => {}, "cache" => { "type" => "gha" } })
     assert_equal "multiarch/remote", builder.name
     assert_equal \
-      "docker buildx build --push --platform linux/arm64,linux/amd64 --builder kamal-app-multiarch-remote -t dhh/app:123 -t dhh/app:latest --cache-to type=gha --cache-from type=gha --label service=\"app\" --file Dockerfile .",
+      "docker buildx build --push --platform linux/amd64,linux/arm64 --builder kamal-app-multiarch-remote -t dhh/app:123 -t dhh/app:latest --cache-to type=gha --cache-from type=gha --label service=\"app\" --file Dockerfile .",
       builder.push.join(" ")
   end
 

test/integration/docker-compose.yml

@@ -29,6 +29,8 @@ services:
       context: docker/registry
     environment:
       - REGISTRY_HTTP_ADDR=0.0.0.0:4443
+      - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt
+      - REGISTRY_HTTP_TLS_KEY=/certs/domain.key
     volumes:
       - shared:/shared
       - registry:/var/lib/registry/

test/integration/docker/deployer/Dockerfile

@@ -22,6 +22,7 @@ COPY app_with_roles/ app_with_roles/
 
 RUN rm -rf /root/.ssh
 RUN ln -s /shared/ssh /root/.ssh
+RUN mkdir -p /etc/docker/certs.d/registry:4443 && ln -s /shared/certs/domain.crt /etc/docker/certs.d/registry:4443/ca.crt
 
 RUN git config --global user.email "deployer@example.com"
 RUN git config --global user.name "Deployer"

test/integration/docker/deployer/boot.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
 
-dockerd --max-concurrent-downloads 1 --insecure-registry registry:4443 &
+dockerd --max-concurrent-downloads 1 &
 
 exec sleep infinity

test/integration/docker/registry/boot.sh

@@ -1,3 +1,5 @@
 #!/bin/sh
 
+while [ ! -f /certs/domain.crt ]; do sleep 1; done
+
 exec /entrypoint.sh /etc/docker/registry/config.yml

test/integration/docker/shared/Dockerfile

@@ -10,6 +10,8 @@ RUN mkdir ssh && \
 COPY registry-dns.conf .
 COPY boot.sh .
 
+RUN mkdir certs && openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key   -x509 -days 365 -out certs/domain.crt   -subj '/CN=registry' -extensions EXT -config registry-dns.conf
+
 HEALTHCHECK --interval=1s CMD pgrep sleep
 
 CMD ["./boot.sh"]

test/integration/docker/vm/Dockerfile

@@ -5,6 +5,7 @@ WORKDIR /work
 RUN apt-get update --fix-missing && apt-get -y install openssh-client openssh-server docker.io
 
 RUN mkdir /root/.ssh && ln -s /shared/ssh/id_rsa.pub /root/.ssh/authorized_keys
+RUN mkdir -p /etc/docker/certs.d/registry:4443 && ln -s /shared/certs/domain.crt /etc/docker/certs.d/registry:4443/ca.crt
 
 RUN echo "HOST_TOKEN=abcd" >> /etc/environment
 

test/integration/docker/vm/boot.sh

@@ -4,6 +4,6 @@ while [ ! -f /root/.ssh/authorized_keys ]; do echo "Waiting for ssh keys"; sleep
 
 service ssh restart
 
-dockerd --max-concurrent-downloads 1 --insecure-registry registry:4443 &
+dockerd --max-concurrent-downloads 1 &
 
 exec sleep infinity

test/integration/main_test.rb

@@ -97,7 +97,7 @@ class MainTest < IntegrationTest
 
   private
     def assert_local_env_file(contents)
-      assert_equal contents, deployer_exec("cat .env", capture: true)
+      assert_equal contents, deployer_exec("cat .kamal/env", capture: true)
     end
 
     def assert_envs(version:)
@@ -127,7 +127,7 @@ class MainTest < IntegrationTest
     end
 
     def remove_local_env_file
-      deployer_exec("rm .env")
+      deployer_exec("rm .kamal/env")
     end
 
     def assert_remote_env_file(contents, vm:)