kamal app exec includes secrets #1223
Conversation
|
Not requiring the secrets allows someone to run This means you can do things like giving someone access to a Rails console without having to set up authentication for wherever the secrets come from. It is a little bit janky in that you need a deployment first to ensure the right secrets are in place, but I think that's worth it. |
Not requiring secrets is certainly beneficial, that's how I want Kamal to be too. This PR doesn't change that; if you haven't set any secrets, the behavior remains the same as it was without this PR.
Yes— that specific low-friction onboarding experience is important to me too and should be kept. This PR doesn't affect it. (In my case, the Rails console is not usable by default without the secrets, because
I don't intend for this PR to make secrets required. :) I only wanted this PR to inject any secrets which have been set. Lmk if I'm on the same page as you! Thanks for the review. |
Oh sorry, I wasn't very clear there! What I mean is a situation where you have multiple users and some have the secret access set up and some don't. So you do have secrets, but you want the commands that don't need them to work for everyone. This is for simplicity and not security though - anyone who can run commands can SSH to the servers and read the secrets anyway. Where you have integrated a secret manager, your PR will make setting up secret access required for the app exec command because the secrets are lazy loaded by If you have deployed to a server already, the secrets should be there, so I think this should only be an issue if that's not the case. |
|
I would be more than happy with a |
Currently, containers created by
kamal app execdon't have secrets. It would be helpful if they did have secrets, as env vars, like Kamal's other containers. This PR does that.Resolves #1180.