feat: ssh: use secret in key_data

basecamp · Feb 22, 2025 · 2f3147f · 2f3147f
1 parent 6f29d4e
commit 2f3147f
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 6 deletions.
diff --git a/lib/kamal/configuration.rb b/lib/kamal/configuration.rb
@@ -69,7 +69,7 @@ def initialize(raw_config, destination: nil, version: nil, validate: true)
 
     @logging = Logging.new(logging_config: @raw_config.logging)
     @proxy = Proxy.new(config: self, proxy_config: @raw_config.proxy || {})
-    @ssh = Ssh.new(config: self)
+    @ssh = Ssh.new(config: self, secrets: secrets)
     @sshkit = Sshkit.new(config: self)
 
     ensure_destination_if_required

diff --git a/lib/kamal/configuration/docs/ssh.yml b/lib/kamal/configuration/docs/ssh.yml
@@ -58,8 +58,8 @@ ssh:
 
   # Key data
   #
-  # An array of strings, with each element of the array being
-  # a raw private key in PEM format.
+  # Can be a string (for secret lookup) or array with each
+  # element of the array being a raw private key in PEM format.
   key_data: [ "-----BEGIN OPENSSH PRIVATE KEY-----" ]
 
   # Config

diff --git a/lib/kamal/configuration/ssh.rb b/lib/kamal/configuration/ssh.rb
@@ -5,9 +5,10 @@ class Kamal::Configuration::Ssh
 
   attr_reader :ssh_config
 
-  def initialize(config:)
+  def initialize(config:, secrets:)
     @ssh_config = config.raw_config.ssh || {}
-    validate! ssh_config
+    @secrets = secrets
+    validate! ssh_config, with: Kamal::Configuration::Validator::Ssh
   end
 
   def user
@@ -35,7 +36,7 @@ def keys
   end
 
   def key_data
-    ssh_config["key_data"]
+    lookup("key_data")
   end
 
   def options
@@ -47,11 +48,20 @@ def to_h
   end
 
   private
+  attr_reader :secrets
     def logger
       LOGGER.tap { |logger| logger.level = log_level }
     end
 
     def log_level
       ssh_config.fetch("log_level", :fatal)
     end
+
+    def lookup(key)
+      if ssh_config[key].is_a?(Array)
+        ssh_config[key]
+      else
+        secrets[ssh_config[key]]
+      end
+    end
 end
diff --git a/lib/kamal/configuration/validator/ssh.rb b/lib/kamal/configuration/validator/ssh.rb
@@ -0,0 +1,20 @@
+class Kamal::Configuration::Validator::Ssh < Kamal::Configuration::Validator
+  def validate!
+    validate_against_example!(
+      config.except("key_data"),
+      example.except("key_data")
+    )
+
+    validate_string_or_array! "key_data"
+  end
+
+  private
+  def validate_string_or_array!(key)
+    value = config[key]
+
+    unless value.is_a?(String) || value.is_a?(Array)
+      error "should be a string (for secret lookup) or an array"
+    end
+  end
+
+end