basecamp / kamal

Deploy web apps anywhere.
https://kamal-deploy.org
MIT License
10.6k stars 408 forks

SSH: Allow User and Port to Be Secrets #1001

Closed mike-weiner closed 4 days ago

mike-weiner commented 5 days ago

Per the ssh docs, the user and port fields currently have to be specified in plain text, something like:

ssh:
  user: root
  port: "22"

I attempted to use secrets for these values:

ssh:
  user:
    - KAMAL_SSH_USER
  port:
    - KAMAL_SSH_PORT

and received:

ERROR (Kamal::ConfigurationError): ssh/user: should be a string

I would prefer not to specify the user or port that I'm using for SSH to do these deployments in plain-text as I'd like to commit my config to GitHub. Is there a technical limitation requiring these to be strings?

mike-weiner commented 5 days ago

This is already possible via: Correct config would look something like:

ssh:
  user: KAMAL_SSH_USERNAME
  port: KAMAL_SSH_PORT

mike-weiner commented 5 days ago

Doesn't look like the above config is a fix either. Still seeing:

ERROR (Socket::ResolutionError): Exception while executing on host XXX.XXX.XXX.XXX: getaddrinfo: nodename nor servname provided, or not known

mike-weiner commented 4 days ago

The goal I'm looking to achieve here is for .kamal/secrets-common to look something like:

KAMAL_REGISTRY_USERNAME=$KAMAL_REGISTRY_USERNAME
KAMAL_REGISTRY_PASSWORD=$KAMAL_REGISTRY_PASSWORD
KAMAL_SSH_USERNAME=$KAMAL_SSH_USERNAME
KAMAL_SSH_PORT=$KAMAL_SSH_PORT

There seems to be a slight difference in behavior that I'd like to understand. Per https://kamal-deploy.org/docs/configuration/docker-registry/:

A reference to secret (in this case DOCKER_REGISTRY_TOKEN) will look up the secret in the local environment.

This makes it sound as if DOCKER_REGISTRY_TOKEN is special and can only be placed as a secret in .kamal/secrets. Looking at this source for how this is fetched, I don't think I could use something like 1Password for this secret: https://github.com/basecamp/kamal/blob/main/lib/kamal/configuration/registry.rb#L25-L31

Looking at the source for the SSH config, it looks like I could use a password manager to specify the SSH username and port: https://github.com/basecamp/kamal/blob/main/lib/kamal/configuration/ssh.rb#L13-L19. However, it doesn't look like placing it in .kamal/secrets is supported.

If the above is accurate, why the difference in behavior?

imWildCat commented 4 days ago

ssh:
  user: <%= ENV['KAMAL_SSH_USERNAME'] %>
  port: <%= ENV['KAMAL_SSH_PORT'] %>

this works.

make sure you define these env vars before running kamal deploy.
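
An added example, not part of the thread and not Kamal's own code: it renders the ERB form above with Ruby's standard ERB and YAML libraries to show that an unset variable produces an empty value rather than an error, and that `ENV.fetch` fails early instead. `render_ssh`, `ssh_problems` and `with_env` are hypothetical helpers, and treating the file as ERB followed by YAML is an assumption about how the config is loaded.

```ruby
require "erb"
require "yaml"

# Constructed fragment using the ERB form from the thread.
LENIENT = <<~'CONFIG'
  ssh:
    user: <%= ENV['KAMAL_SSH_USERNAME'] %>
    port: <%= ENV['KAMAL_SSH_PORT'] %>
CONFIG

# Variant (an assumption, not from the thread): ENV.fetch raises KeyError
# when the variable is unset instead of rendering an empty value.
STRICT = <<~'CONFIG'
  ssh:
    user: <%= ENV.fetch('KAMAL_SSH_USERNAME') %>
    port: <%= ENV.fetch('KAMAL_SSH_PORT') %>
CONFIG

# Evaluate the ERB tags, then parse the result as YAML and return the ssh section.
def render_ssh(template)
  YAML.safe_load(ERB.new(template).result).fetch("ssh")
end

# Hypothetical pre-deploy check: list what is wrong with the rendered values.
def ssh_problems(ssh)
  problems = []
  user, port = ssh["user"], ssh["port"]
  problems << "ssh/user is empty" unless user.is_a?(String) && !user.strip.empty?
  valid_port = port.to_s.match?(/\A\d+\z/) && (1..65_535).cover?(port.to_i)
  problems << "ssh/port is not a TCP port number" unless valid_port
  problems
end

# Run the block with the given variables set (nil unsets), then restore them.
def with_env(vars)
  saved = vars.keys.to_h { |key| [key, ENV[key]] }
  vars.each { |key, value| ENV[key] = value }
  yield
ensure
  saved.each { |key, value| ENV[key] = value }
end

# Demo with both variables unset: the lenient form renders, but to nothing.
with_env({ "KAMAL_SSH_USERNAME" => nil, "KAMAL_SSH_PORT" => nil }) do
  puts ssh_problems(render_ssh(LENIENT))
end
```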

mike-weiner commented 4 days ago

Thanks, @imWildCat. Exactly what I was looking for. As usual, user error on my part.