
Add credentials:fetch command #53119

Merged
byroot merged 1 commit into rails:main from n-studio:fetch_credentials on Aug 4, 2025

@n-studio
Contributor

Motivation / Background

With Kamal 2, secrets are now stored in .kamal/secrets. We are expected to use a 3rd party password manager such as 1password to fetch secrets such as KAMAL_REGISTRY_PASSWORD.

eg. KAMAL_REGISTRY_PASSWORD=$(kamal secrets extract KAMAL_REGISTRY_PASSWORD ${SECRETS})

I think it would be interesting to be able to fetch the password directly from Rails credentials.

eg. KAMAL_REGISTRY_PASSWORD=$(bin/rails credentials:fetch kamal_registry/password)

In order to allow it, I introduce the new command credentials:fetch.

Detail

Usage:

```yaml
# credentials.yml.enc
secret_key_base: ****
kamal_registry:
  password: abcd1234
```

```bash
bin/rails credentials:fetch kamal_registry/password
# abcd1234
```

Additional information

Checklist

Before submitting the PR make sure the following are checked:

  • This Pull Request is related to one change. Unrelated changes should be opened in separate PRs.
  • Commit message has a detailed description of what changed and why. If this PR fixes a related issue include it in the commit message. Ex: [Fix #issue-number]
  • Tests are added or updated if you fix a bug or add a feature.
  • CHANGELOG files are updated for the changed libraries if there is a behavior change or additional feature. Minor bug fixes and documentation changes should not be included.

@MatheusRich
Contributor

This looks very useful. I've been using KAMAL_REGISTRY_PASSWORD=$(rails runner "print Rails.application.credentials.kamal_registry_password") currently, which is very cumbersome.

@MatheusRich MatheusRich requested a review from dhh September 30, 2024 19:00
@MatheusRich MatheusRich added the ready PRs ready to merge label Sep 30, 2024
@zzak
Member

zzak commented Oct 3, 2024

I'm not super familiar but it seems like kamal secrets is preferred for fetching the password:

# KAMAL_REGISTRY_PASSWORD=$(kamal secrets extract KAMAL_REGISTRY_PASSWORD ${SECRETS})

@n-studio
Contributor Author

n-studio commented Oct 3, 2024

@zzak I can make a PR to add an adapter in kamal, but I would still need the credentials:fetch command line in Rails. Unless I use rails runner instead.

Maybe I can remove the comments in kamal-secrets.tt for now and see what the maintainers of Kamal think?

@zzak
Member

zzak commented Oct 4, 2024

I'm not sure but if new apps are using that why can't old ones? Maybe I'm missing something.

@MatheusRich
Contributor

@zzak I believe Kamal secrets fetches secrets from password managers like 1password/Bitwarden. There's no specific Rails support.

@dhh
Member

dhh commented Oct 4, 2024

This is really clever. I like the concept that for some apps, they can just use rails credentials. We should add that as an example in the default .kamal/secrets file that we generate.

cc @djmb

Member

@byroot byroot left a comment


There's some work needed, but I'll take care of it.

load_environment_config!

if (yaml = credentials.read)
YAML.load(yaml).dig(*path.split("/")).tap do |value|
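Review bot: `dig(*path.split("/"))` raises `TypeError` when an intermediate segment resolves to a scalar, for example a path that continues past a string value, so the command would end in a stack trace instead of a clear message. Consider walking the segments and stopping with an explicit error as soon as the current node is not a Hash or lacks the key. `YAML.load(yaml)` can also return a non-Hash for an empty document, which the `if (yaml = credentials.read)` guard does not cover.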
Member


We should return an error if the key is missing. Also I think `.` is much more logical to navigate than `/`.

say value.to_s
end
else
say missing_credentials_message
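Review bot: `say value.to_s` prints a nested mapping or list in Ruby's inspect form when the path stops at a non-leaf key such as a whole section, which a calling script cannot parse and which writes every secret beneath that key to stdout at once. Consider rejecting Hash and Array values with an error, or documenting that only scalar leaves are supported.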
Member


Suggested change
say missing_credentials_message
say_error missing_credentials_message

Error message should go on stderr, not stdout, it also should exit with non zero status code, otherwise this is very hard to use in a script.
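The review points above (a missing key is an error, the message goes to stderr, the exit status is non-zero) as an added Ruby example; it is not the code merged in this PR. `fetch_credential`, `run`, `Result` and the sample YAML are hypothetical names and constructed data.

```ruby
require "yaml"

# Constructed sample standing in for the decrypted contents of credentials.yml.enc.
SAMPLE_CREDENTIALS = <<~YAML
  secret_key_base: not-a-real-key
  kamal_registry:
    password: abcd1234
YAML

Result = Struct.new(:stdout, :stderr, :status)

# Hypothetical helper (not Rails' implementation): resolve a separator-delimited
# path and report failures as a stderr message plus a non-zero status.
def fetch_credential(yaml, path, separator: "/")
  node = YAML.safe_load(yaml) || {}
  path.split(separator).each do |key|
    # Hash#dig would raise TypeError on reaching a scalar; treat that as a miss.
    unless node.is_a?(Hash) && node.key?(key)
      return Result.new("", "Invalid or missing credential path: #{path}", 1)
    end
    node = node[key]
  end
  # A Hash or Array leaf has no single-line form a calling script could consume.
  if node.is_a?(Hash) || node.is_a?(Array)
    return Result.new("", "Credential path is not a single value: #{path}", 1)
  end
  Result.new(node.to_s, "", 0)
end

# Emulates the CLI contract: value on stdout, message on stderr, status returned.
def run(path)
  result = fetch_credential(SAMPLE_CREDENTIALS, path)
  if result.status.zero?
    $stdout.puts(result.stdout)
  else
    warn(result.stderr)
  end
  result.status
end

%w[kamal_registry/password kamal_registry/missing].each do |path|
  puts "#{path} -> exit #{run(path)}"
end
```

With this contract, a `VAR=$(...)` assignment in a secrets file receives an empty value and a failing status on a bad path, rather than capturing the error text as the secret.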

```bash
$ bin/rails credentials:fetch kamal_registry/password
```

Co-Authored-By: Jean Boussier <jean.boussier@gmail.com>
@byroot byroot force-pushed the fetch_credentials branch from 2645f1b to ccf22d6 Compare August 4, 2025 08:49
@byroot byroot merged commit 9a64857 into rails:main Aug 4, 2025
3 checks passed
@keithschacht
Contributor

I noticed the default kamal/secrets file never got this added as an example. I skimmed the open PRs and did not see one there. This is the current status of the secrets template: https://github.com/basecamp/kamal/blob/4b88852aea58bf94009a6d854afdc630a5c111b5/lib/kamal/cli/templates/secrets#L4

MatheusRich added a commit to MatheusRich/kamal that referenced this pull request Aug 11, 2025
This was [recently introduced in Rails][1] and it's worth teaching this new concept.

[1]: rails/rails#53119