feat(cli): deliver env.secret to containers via remote env file (#2957) (#3167)
* feat(cli): deliver env.secret to containers via remote env file (#2957)
Implements the env.secret delivery feature #3008 deliberately deferred (its
EnvSecretUnsupported fail-fast pointed users at #2957). Kamal model:
- Values resolve through the SecretResolver the ConfigLoader already builds
(new secretResolver() accessor); env-file content renders once per verb.
- The remote file is created and chmod'd 600 BEFORE content lands (mkdir +
touch + chmod 600), then the content travels over SFTP via uploadString —
values never enter argv, dry-run output, or exception command summaries.
- docker run references the file via --env-file
(.kamal/apps/<service[-destination]>/env/roles/<role>.env; accessories use
.../env/accessories/<name>.env).
- Wired into deploy(), app boot, and accessory boot/reboot. rollback/start
reuse the env baked into the existing container.
- A declared name with no resolvable value throws
Wheels.Deploy.EnvSecretMissing (missing names only, values never read)
before the lock or any remote call. Base.$rejectEnvSecrets is removed.
- env.clear stays as escaped -e pairs; per-role env merge remains out of
scope (#3088 note unchanged).
Specs: FakeSshPool ordering (ensure -> upload -> run), 600 perms in the
command, secret values absent from every command summary, dry-run redaction,
fail-fast with zero pool calls. CLI suite (lucee7 docker harness): 1004
pass / 0 fail / 2 tolerated docker-env artifacts. Real SSH delivery is
unverifiable in-harness; FakeSshPool + --dry-run flows are the bar.
Guides updated: deployment/secrets, config-reference, accessories,
first-deploy, migrating-from-kamal now describe delivery on 4.0.4+ builds
vs silent drop on released 4.0.3.
Refs #2957
Signed-off-by: Peter Amiri <peter@alurium.com>
* fix(cli): keep deploy env files at 600 perms through the SFTP upload
sshj's SFTPFileTransfer defaults preserveAttributes=true and
FileSystemFile.getPermissions() hardcodes 0644 for regular files, so
every SFTPClient.put() chmod'ed the remote file to 0644 right after the
ensure command had locked it to 600 — with the secret content inside
(verified against the bundled sshj-0.39.0 bytecode).
- SshClient.upload(): setPreserveAttributes(false) so an upload never
touches remote permissions. FakeSshPool cannot regression-test this
(it records calls without SFTP attribute semantics) — documented at
the call site.
- $deliverEnvFile (all three mirrors): dispatch a relock command
(chmod 600) after the upload as belt-and-braces; this leg IS pinned
by the FakeSshPool specs (ensure -> upload -> relock -> docker run).
- New AppCommands.relock_env_file() / AccessoryCommands
.relock_env_file() builders over Base.$relockEnvFileCmd().
- Docs/changelog updated to state the file is re-locked after upload.
CLI suite: 1006 pass / 0 fail / 2 errors (known docker-not-found
artifacts in SshClientSpec/SshPoolSpec inside the harness container).
Real-SSH SFTP behavior is unverifiable in-harness; the fake-pool specs
plus the dispatched relock are the testable bar.
Signed-off-by: Peter Amiri <peter@alurium.com>
---------
Signed-off-by: Peter Amiri <peter@alurium.com>
Signed-off-by: Peter Amiri <petera@pai.com>
Co-authored-by: Peter Amiri <petera@pai.com>
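The ensure -> upload -> relock sequence from the commit message, as an added local simulation that is not part of the commit or the Wheels code base. Assumptions: a temp directory stands in for the remote host, `cp -p` stands in for an attribute-preserving SFTP put (sshj is not invoked), and the service name `demo`, role `web` and the secret value are constructed.

```shell
#!/bin/sh
# Added illustration: simulates the remote host with a temp directory.
# Service "demo", role "web" and the secret value are constructed.

# Octal mode of a file (GNU stat first, BSD stat as fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# ensure: create the file and lock it to 600 before any content exists.
ensure_env_file() { mkdir -p "$(dirname "$1")" && touch "$1" && chmod 600 "$1"; }

# Upload that carries the source's attributes onto the target
# (cp -p stands in for an attribute-preserving SFTP put).
upload_preserving() { cp -p "$1" "$2"; }

# Upload that writes content only and leaves the target's mode alone.
upload_content_only() { cat "$1" > "$2"; }

# relock: belt-and-braces chmod after the upload.
relock_env_file() { chmod 600 "$1"; }

# Runs ensure -> upload -> relock with the given upload function and
# echoes the target's mode after each of the three steps.
simulate_delivery() {
    work=$(mktemp -d) || return 1
    src="$work/local.env"
    dest="$work/remote/.kamal/apps/demo/env/roles/web.env"
    printf 'DB_PASSWORD=constructed-sample-value\n' > "$src"
    chmod 644 "$src"                 # mode a 0644-reporting source would carry
    ensure_env_file "$dest";  after_ensure=$(mode_of "$dest")
    "$1" "$src" "$dest";      after_upload=$(mode_of "$dest")
    relock_env_file "$dest";  after_relock=$(mode_of "$dest")
    rm -rf "$work"
    echo "$after_ensure $after_upload $after_relock"
}

echo "preserving:   $(simulate_delivery upload_preserving)"
echo "content-only: $(simulate_delivery upload_content_only)"
```

The middle value on the first line is the window in which the file holds secret content at 644; the relock closes it only afterwards, which is why the upload itself must leave the mode untouched.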
-`wheels deploy` now delivers `env.secret` values to app and accessory containers via a remote env file (Kamal model): the file is created with 600 permissions before any content lands and re-locked to 600 right after the upload (the SFTP layer is also told not to carry local file attributes onto the remote), values travel over SFTP only (never argv, dry-run output, or exception summaries), and `docker run` references it with `--env-file`. A declared secret with no resolvable `.kamal/secrets` value fails fast with `Wheels.Deploy.EnvSecretMissing` (names only) before any remote call; the `Wheels.Deploy.EnvSecretUnsupported` fail-fast from #3008 is retired (#2957)
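Review bot: the changelog entry says where `env.secret` values are delivered but leaves out the limit the commit message states, that rollback/start reuse the env baked into the existing container. Add a clause saying the env file is written on deploy, app boot and accessory boot/reboot only, so a reader does not assume a changed `.kamal/secrets` value reaches a container on rollback or start. The entry is also a single sentence carrying five separate guarantees; splitting it into two or three sentences (file permissions, transport, fail-fast behaviour) would make each one easier to check against the code.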