Merge pull request #1614 from basecamp/dependabot/bundler/bundler-f02c9c4a61

Bump the bundler group across 1 directory with 2 updates

Gemfile.lock

@@ -82,15 +82,15 @@ GEM
     net-sftp (4.0.0)
       net-ssh (>= 5.0.0, < 8.0.0)
     net-ssh (7.3.0)
-    nokogiri (1.18.8-aarch64-linux-musl)
+    nokogiri (1.18.9-aarch64-linux-musl)
       racc (~> 1.4)
-    nokogiri (1.18.8-arm64-darwin)
+    nokogiri (1.18.9-arm64-darwin)
       racc (~> 1.4)
-    nokogiri (1.18.8-x86_64-darwin)
+    nokogiri (1.18.9-x86_64-darwin)
       racc (~> 1.4)
-    nokogiri (1.18.8-x86_64-linux-gnu)
+    nokogiri (1.18.9-x86_64-linux-gnu)
       racc (~> 1.4)
-    nokogiri (1.18.8-x86_64-linux-musl)
+    nokogiri (1.18.9-x86_64-linux-musl)
       racc (~> 1.4)
     ostruct (0.6.1)
     parallel (1.26.3)
@@ -169,7 +169,7 @@ GEM
       net-ssh (>= 2.8.0)
       ostruct
     stringio (3.1.2)
-    thor (1.3.2)
+    thor (1.4.0)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
     unicode-display_width (3.1.2)

lib/kamal/commands/builder/remote.rb

@@ -19,7 +19,7 @@ class Kamal::Commands::Builder::Remote < Kamal::Commands::Builder::Base
 
   def inspect_builder
     combine \
-      combine inspect_buildx, inspect_remote_context,
+      combine(inspect_buildx, inspect_remote_context),
       [ "(echo no compatible builder && exit 1)" ],
       by: "||"
   end

lib/kamal/configuration/docs/proxy.yml

@@ -45,27 +45,23 @@ proxy:
   # unless you explicitly set `forward_headers: true`
   #
   # Defaults to `false`:
-  ssl: ...
+  ssl: true
 
   # Custom SSL certificate
   #
   # In some cases, using Let's Encrypt for automatic certificate management is not an
-  # option, for example if you are running from host than one host. Or you may already
-  # have SSL certificates issued by a different Certificate Authority (CA).
-  # Kamal supports loading custom SSL certificates
-  # directly from secrets.
+  # option, for example if you are running from more than one host.
   #
-  # Examples:
-  #   ssl: true              # Enable SSL with Let's Encrypt
-  #   ssl: false             # Disable SSL
-  #   ssl:                   # Enable custom SSL
-  #     certificate_pem: CERTIFICATE_PEM
-  #     private_key_pem: PRIVATE_KEY_PEM
+  # Or you may already have SSL certificates issued by a different Certificate Authority (CA).
   #
+  # Kamal supports loading custom SSL certificates directly from secrets. You should
+  # pass a hash mapping the `certificate_pem` and `private_key_pem` to the secret names.
+  ssl:
+    certificate_pem: CERTIFICATE_PEM
+    private_key_pem: PRIVATE_KEY_PEM
   # ### Notes
-  # - If the certificate or key is missing or invalid, kamal-proxy will fail to start.
-  # - Always handle SSL certificates and private keys securely. Avoid hard-coding them in deploy.yml files or source control.
-  # - For automated certificate management, consider using the built-in Let's Encrypt integration instead.
+  # - If the certificate or key is missing or invalid, deployments will fail.
+  # - Always handle SSL certificates and private keys securely. Avoid hard-coding them in source control.
 
   # SSL redirect
   #

lib/kamal/configuration/validator.rb

@@ -24,11 +24,11 @@ class Kamal::Configuration::Validator
             example_value = example[key]
 
             if example_value == "..."
-              if key.to_s == "ssl"
-                validate_type! value, TrueClass, FalseClass, Hash
-              elsif key.to_s != "proxy" || !boolean?(value.class)
+              unless key.to_s == "proxy" && boolean?(value.class)
                 validate_type! value, *(Array if key == :servers), Hash
               end
+            elsif key.to_s == "ssl"
+                validate_type! value, TrueClass, FalseClass, Hash
             elsif key == "hosts"
               validate_servers! value
             elsif example_value.is_a?(Array)

lib/kamal/secrets/adapters/one_password.rb

@@ -17,7 +17,7 @@ class Kamal::Secrets::Adapters::OnePassword < Kamal::Secrets::Adapters::Base
 
     def fetch_secrets(secrets, from:, account:, session:)
       if secrets.blank?
-        fetch_all_secrets(from: from, account: account, session: session) if secrets.blank?
+        fetch_all_secrets(from: from, account: account, session: session)
       else
         fetch_specified_secrets(secrets, from: from, account: account, session: session)
       end

test/cli/build_test.rb

@@ -31,6 +31,24 @@ class CliBuildTest < CliTestCase
     end
   end
 
+  test "push with remote builder checks both the builder and the remote context" do
+    with_build_directory do |build_directory|
+      Kamal::Commands::Hook.any_instance.stubs(:hook_exists?).returns(true)
+
+      SSHKit::Backend::Abstract.any_instance.expects(:capture_with_info)
+        .with(:git, "-C", anything, :"rev-parse", :HEAD)
+        .returns(Kamal::Git.revision)
+
+      SSHKit::Backend::Abstract.any_instance.expects(:capture_with_info)
+        .with(:git, "-C", anything, :status, "--porcelain")
+        .returns("")
+
+      run_command("push", "--verbose", fixture: :with_remote_builder).tap do |output|
+        assert_match "docker buildx inspect kamal-remote-ssh---app-1-1-1-5 | grep -q Endpoint:.*kamal-remote-ssh---app-1-1-1-5-context && docker context inspect kamal-remote-ssh---app-1-1-1-5-context --format '{{.Endpoints.docker.Host}}' | grep -xq ssh://app@1.1.1.5 || (echo no compatible builder && exit 1)", output
+      end
+    end
+  end
+
   test "push --output=docker" do
     with_build_directory do |build_directory|
       Kamal::Commands::Hook.any_instance.stubs(:hook_exists?).returns(true)