Skip to content

Adds the ability to alias/map secrets#1439

Merged
djmb merged 1 commit intobasecamp:mainfrom
matthewbjones:feature/aliased-secrets
Mar 10, 2025
Merged

Adds the ability to alias/map secrets#1439
djmb merged 1 commit intobasecamp:mainfrom
matthewbjones:feature/aliased-secrets

Conversation

@matthewbjones
Copy link
Contributor

@matthewbjones matthewbjones commented Mar 2, 2025

If you find yourself in a situation where you need to declare secrets for an accessory, etc. but the value of the secret is defined in your .kamal/secrets but under a different name, with the current implementation of kamal, there is no way to support this concept of aliasing/mapping.

The use case here is when you have two (or more) accessories that require the same ENV variable name, but the value is different for each accessory. For example, when defining two different Postgres backup accessories, one for your main Rails database, and another accessory for a supplementary/other database, it is not possible to have the two accessories have their own DB_PASSWORD, for example.

This PR modifies the way secrets work to support the concept of aliasing/mapping by using : as a separator. This will then allow you to declare secrets like:

accessories:
  main_db_accessory:
    env:
      secret:
        - DB_PASSWORD:MAIN_DB_PASSWORD
  secondary_db_accessory:
    env:
      secret:
        - DB_PASSWORD:SECONDARY_DB_PASSWORD

Where your .kama/secrets could look like:

SECRETS=$(kamal secrets fetch ...)
MAIN_DB_PASSWORD=$(kamal secrets extract MAIN_DB_PASSWORD $SECRETS)
SECONDARY_DB_PASSWORD=$(kamal secrets extract SECONDARY_DB_PASSWORD $SECRETS)

djmb
djmb reviewed Mar 4, 2025
View reviewed changes
Copy link
Collaborator

@djmb djmb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Definitely something we need to fix and this seems like a good solution. Just had one minor suggestion

@matthewbjones matthewbjones force-pushed the feature/aliased-secrets branch from 966acc0 to 973fa1a Compare March 4, 2025 14:23
@matthewbjones
Copy link
Contributor Author

matthewbjones commented Mar 6, 2025

@djmb ready for another review, LMK if you intended something else: https://github.com/basecamp/kamal/pull/1439/files#diff-712f1f995500a82c490e99de70b1622438c2c2d87250b77bc4d245b03d432c57R31

@djmb djmb merged commit 0d034ec into basecamp:main Mar 10, 2025
8 checks passed
visini added a commit to visini/kamal that referenced this pull request Mar 22, 2025
@visini
Add ability to alias secrets within tags
426891b 
Aliasing for secrets was introduced in basecamp#1439, but only supported
"top-level" secrets. This adds for aliasing/mapping secrets within tags.
visini added a commit to visini/kamal that referenced this pull request Mar 22, 2025
@visini
Add ability to alias secrets for tags
67951a2 
Aliasing for secrets was introduced in basecamp#1439, but only supported
"top-level" secrets. This adds support for aliasing/mapping secrets
for tags.
visini added a commit to visini/kamal that referenced this pull request Mar 22, 2025
@visini
Add ability to alias secrets for tags
c1d8ce7 
Aliasing for secrets was introduced in basecamp#1439, but only supported
"top-level" secrets. This adds support for aliasing/mapping secrets
for tags.
@visini visini mentioned this pull request Mar 22, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@djmb djmb djmb left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@matthewbjones @djmb