feat: ssh: use secret in key_data #1425

Open: wants to merge 2 commits into base: main
2 changes: 1 addition & 1 deletion lib/kamal/configuration.rb
@@ -69,7 +69,7 @@ def initialize(raw_config, destination: nil, version: nil, validate: true)

@logging = Logging.new(logging_config: @raw_config.logging)
@proxy = Proxy.new(config: self, proxy_config: @raw_config.proxy || {})
@ssh = Ssh.new(config: self)
@ssh = Ssh.new(config: self, secrets: secrets)
@sshkit = Sshkit.new(config: self)

ensure_destination_if_required
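Review bot: `secrets` is passed as a new required keyword here, but nothing in this hunk shows where `secrets` is defined inside `initialize`; confirm it resolves to the configuration's secrets accessor at this point in the constructor (before any state it depends on is set up later in `initialize`), and update every other `Ssh.new(config: ...)` call site, tests included, since `initialize(config:, secrets:)` now raises `ArgumentError` when `secrets:` is omitted.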
4 changes: 2 additions & 2 deletions lib/kamal/configuration/docs/ssh.yml
@@ -58,8 +58,8 @@ ssh:

# Key data
#
# An array of strings, with each element of the array being
# a raw private key in PEM format.
# Can be a string (for secret lookup) or array with each
# element of the array being a raw private key in PEM format.
key_data: [ "-----BEGIN OPENSSH PRIVATE KEY-----" ]

# Config
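Review bot: the comment now describes a string form, but the example still shows only the array form, so a reader cannot tell that the string is a secret name rather than key material. Suggest spelling that out in the comment and adding a second example such as `# key_data: MY_SSH_KEY_DATA` (placeholder secret name), along with a note that the string form resolves to a single key. It is also worth stating here that the string form is the one that keeps raw private keys out of the deploy configuration file, which is the reason to prefer it.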
16 changes: 13 additions & 3 deletions lib/kamal/configuration/ssh.rb
@@ -5,9 +5,10 @@ class Kamal::Configuration::Ssh

attr_reader :ssh_config

def initialize(config:)
def initialize(config:, secrets:)
@ssh_config = config.raw_config.ssh || {}
validate! ssh_config
@secrets = secrets
validate! ssh_config, with: Kamal::Configuration::Validator::Ssh
end

def user
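Review bot: the new validator only checks that `key_data` is a String or Array, so a misspelled or missing secret name is not caught by `validate!` here; it only surfaces when `key_data` is first read while building a connection, away from where the other configuration errors are reported. If eager resolution is acceptable for the secrets backend in use, consider resolving the reference once after `validate!` in `initialize` so a bad secret name fails at config load.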
@@ -35,7 +36,7 @@ def keys
end

def key_data
ssh_config["key_data"]
lookup("key_data")
end

def options
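Review bot: `key_data` now changes its return type depending on the config shape: the array branch returns the Array from the config, while the string branch returns whatever `secrets[...]` yields for that one name, i.e. a single String. Callers that build SSH options from this method expect the array of PEM strings the docs describe, so either wrap the secret branch in `lookup` (`Array(secrets[value])`) so the return shape is stable, or document that the string form yields exactly one key.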
@@ -47,11 +48,20 @@ def to_h
end

private
attr_reader :secrets
def logger
LOGGER.tap { |logger| logger.level = log_level }
end

def log_level
ssh_config.fetch("log_level", :fatal)
end

def lookup(key)
if ssh_config[key].is_a?(String)
secrets[ssh_config[key]]
else
ssh_config[key]
end
end
end
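Review bot: `lookup` reads `ssh_config[key]` three times, and `private` followed directly by `attr_reader :secrets` lacks the blank-line separation used elsewhere in this file; a local such as `value = ssh_config[key]` followed by `value.is_a?(String) ? secrets[value] : value` would be clearer. Note also that a String that is itself PEM text (a user pasting a key where a name is expected) will be treated as a secret name and looked up; a guard that errors on a value starting with `-----BEGIN` would give a clearer message than a missing-secret failure and would avoid passing key material around as a lookup key.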
21 changes: 21 additions & 0 deletions lib/kamal/configuration/validator/ssh.rb
@@ -0,0 +1,21 @@
class Kamal::Configuration::Validator::Ssh < Kamal::Configuration::Validator
def validate!
validate_against_example!(
config.except("key_data"),
example.except("key_data")
)

validate_string_or_array! "key_data"
end

private
def validate_string_or_array!(key)
value = config[key]

return unless value.present?

unless value.is_a?(String) || value.is_a?(Array)
error "should be a string (for secret lookup) or an array"
end
end
end
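Review bot: `validate_string_or_array!` only checks the container type; in the Array branch it does not check that each element is a String, whereas the example-based validation this replaces for `key_data` compared against an array of strings (`[ "-----BEGIN OPENSSH PRIVATE KEY-----" ]`). Suggest adding an element check in the Array case, e.g. `error "should be an array of strings" unless value.all? { |v| v.is_a?(String) }`. Minor: `return unless value.present?` also skips an empty string, which then reaches `lookup` and is passed to `secrets[""]`; rejecting blank values explicitly gives a clearer error. Style: add a blank line after `private`, matching the rest of the codebase.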