Add a mutex around loading secrets

Loading secrets may ask for use input, so we need to ensure only one thread does it at a time.
basecamp · Sep 16, 2024 · 6bbbd81 · 6bbbd81
1 parent 876eebc
commit 6bbbd81
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/lib/kamal/configuration.rb b/lib/kamal/configuration.rb
@@ -9,7 +9,7 @@ class Kamal::Configuration
   delegate :service, :image, :labels, :stop_wait_time, :hooks_path, to: :raw_config, allow_nil: true
   delegate :argumentize, :optionize, to: Kamal::Utils
 
-  attr_reader :destination, :raw_config
+  attr_reader :destination, :raw_config, :secrets
   attr_reader :accessories, :aliases, :boot, :builder, :env, :healthcheck, :logging, :traefik, :servers, :ssh, :sshkit, :registry
 
   include Validation
@@ -64,6 +64,8 @@ def initialize(raw_config, destination: nil, version: nil, validate: true)
     @ssh = Ssh.new(config: self)
     @sshkit = Sshkit.new(config: self)
 
+    @secrets = Kamal::Secrets.new(destination: destination)
+
     ensure_destination_if_required
     ensure_required_keys_present
     ensure_valid_kamal_version

diff --git a/lib/kamal/secrets.rb b/lib/kamal/secrets.rb
@@ -8,10 +8,14 @@ class Kamal::Secrets
   def initialize(destination: nil)
     @secrets_files = \
       [ ".kamal/secrets-common", ".kamal/secrets#{(".#{destination}" if destination)}" ].select { |f| File.exist?(f) }
+    @mutex = Mutex.new
   end
 
   def [](key)
-    secrets.fetch(key)
+    # Fetching secrets may ask the user for input, so ensure only one thread does that
+    @mutex.synchronize do
+      secrets.fetch(key)
+    end
   rescue KeyError
     if secrets_files
       raise Kamal::ConfigurationError, "Secret '#{key}' not found in #{secrets_files.join(", ")}"