Merge branch 'main' into feat-secrets-add-doppler-adapter-instructions

_config.yml

@@ -16,6 +16,7 @@ exclude:
   - Gemfile
   - Gemfile.lock
   - README.md
+  - bin
 
 sass:
   style: compressed

_data/github.yml

@@ -1,3 +1,3 @@
-tag_name: 2.2.2
+tag_name: 2.4.0
 v1:
   tag_name: 1.9.2

_data/nav.yml

@@ -1,7 +1,7 @@
 - title: "Documentation"
   url: /docs/
   options:
-  - title: "Version 2.2.2"
+  - title: "Version 2.4.0"
     url: /docs/
   - title: "Version 1.9.2"
     url: /v1/docs/

_sass/base/_elements.scss

@@ -140,6 +140,13 @@ video {
   width: 100%;
 }
 
+video::cue {
+  font-family: var(--font-family);
+  font-size: var(--font-size-small);
+  font-weight: 500;
+  line-height: 1;
+}
+
 code {
   background: var(--color-base-dark);
   border-radius: 0.15em;

_sass/modules/_video.scss

@@ -38,7 +38,7 @@
         transition: opacity var(--transition-slow);
       }
 
-      span {
+      &:after {
         backdrop-filter: blur(5px);
         -webkit-backdrop-filter: blur(5px);
         background: url('../images/play.svg') center center / 0.65em auto no-repeat rgba(var(--rgb-white), 0.8);
@@ -47,8 +47,10 @@
           0 20px 30px -20px rgba(var(--rgb-black), 0.3),
           0 10px 20px -10px rgba(var(--rgb-black), 0.5)
         ;
+        content: '';
         display: inline-flex;
         height: 2.2em;
+        pointer-events: none;
         position: relative;
         transition:
           background-color var(--transition-slow),
@@ -81,7 +83,7 @@
           opacity: 0.9;
         }
 
-        span {
+        &:after {
           background-color: var(--color-white);
           transform: scale(1.04);
         }

bin/dev

@@ -0,0 +1,4 @@
+#!/usr/bin/env sh
+
+bundle install
+bundle exec jekyll serve --livereload

docs/commands/proxy.md

@@ -43,6 +43,8 @@ Options:
                                                       # Default: 80
       [--https-port=N]                                # HTTPS port to publish on the host
                                                       # Default: 443
+      [--log-max-size=LOG_MAX_SIZE]                   # Max size of proxy logs
+                                                      # Default: 10m
       [--docker-options=option=value option2=value2]  # Docker options to pass to the proxy container
 ```
 

docs/commands/secrets.md

@@ -55,6 +55,8 @@ kamal secrets extract MyVault/MyItem/REGISTRY_PASSWORD <SECRETS-FETCH-OUTPUT>
 
 ## LastPass
 
+First, install and configure [the LastPass CLI](https://github.com/lastpass/lastpass-cli).
+
 Use the adapter `lastpass`:
 
 ```bash
@@ -74,6 +76,8 @@ kamal secrets extract MyFolder/REGISTRY_PASSWORD <SECRETS-FETCH-OUTPUT>
 
 ## Bitwarden
 
+First, install and configure [the Bitwarden CLI](https://bitwarden.com/help/cli/).
+
 Use the adapter `bitwarden`:
 
 ```bash
@@ -91,6 +95,29 @@ kamal secrets extract REGISTRY_PASSWORD <SECRETS-FETCH-OUTPUT>
 kamal secrets extract MyItem/REGISTRY_PASSWORD <SECRETS-FETCH-OUTPUT>
 ```
 
+## AWS Secrets Manager
+
+First, install and configure [the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).
+
+Use the adapter `aws_secrets_manager`:
+
+```bash
+# Fetch passwords
+kamal secrets fetch --adapter aws_secrets_manager --account default REGISTRY_PASSWORD DB_PASSWORD
+
+# Fetch passwords from an item
+kamal secrets fetch --adapter aws_secrets_manager --account default --from myapp/ REGISTRY_PASSWORD DB_PASSWORD
+
+# Fetch passwords from multiple items
+kamal secrets fetch --adapter aws_secrets_manager --account default myapp/REGISTRY_PASSWORD myapp/DB_PASSWORD
+
+# Extract the secret
+kamal secrets extract REGISTRY_PASSWORD <SECRETS-FETCH-OUTPUT>
+kamal secrets extract MyItem/REGISTRY_PASSWORD <SECRETS-FETCH-OUTPUT>
+```
+
+**Note:** The `--account` option should be set to your AWS CLI profile name, which is typically `default`. Ensure that your AWS CLI is configured with the necessary permissions to access AWS Secrets Manager.
+
 ## Doppler
 
 First, install and configure [the Doppler CLI](https://docs.doppler.com/docs/install-cli).
@@ -111,4 +138,4 @@ kamal secrets extract DB_PASSWORD <SECRETS-FETCH-OUTPUT>
 
 Doppler organizes secrets in "projects" (like `my-awesome-project`) and "configs" (like `prod`, `stg`, etc), use the pattern `project/config` when defining the `--from` option.
 
-The doppler adapter does not use the `--account` option, if given it will be ignored.
+The doppler adapter does not use the `--account` option, if given it will be ignored.

docs/commands/version.md

@@ -8,5 +8,5 @@ Returns the version of Kamal you have installed.
 
 ```bash
 $ kamal version
-2.2.2
+2.4.0
 ```

docs/configuration/accessories.md

@@ -64,8 +64,8 @@ You can set a custom command to run in the container if you do not want to use t
 
 ## [Port mappings](#port-mappings)
 
-See https://docs.docker.com/network/, and especially note the warning about the security
-implications of exposing ports publicly.
+See [https://docs.docker.com/network/](https://docs.docker.com/network/), and
+especially note the warning about the security implications of exposing ports publicly.
 
 ```yaml
     port: "127.0.0.1:3306:3306"
@@ -132,3 +132,22 @@ They are not created or copied before mounting:
     volumes:
       - /path/to/mysql-logs:/var/log/mysql
 ```
+
+## [Network](#network)
+
+The network the accessory will be attached to.
+
+Defaults to kamal:
+
+```yaml
+    network: custom
+```
+
+## [Proxy](#proxy)
+
+You can run your accessory behind the Kamal proxy. See [Proxy](../proxy) for more information.
+
+```yaml
+    proxy:
+      ...
+```

docs/configuration/aliases.md

@@ -11,14 +11,14 @@ Aliases are shortcuts for Kamal commands.
 For example, for a Rails app, you might open a console with:
 
 ```shell
-kamal app exec -i -r console "rails console"
+kamal app exec -i --reuse "bin/rails console"
 ```
 
 By defining an alias, like this:
 
 ```yaml
 aliases:
-  console: app exec -r console -i "rails console"
+  console: app exec -i --reuse "bin/rails console"
 ```
 
 You can now open the console with:

docs/configuration/builders.md

@@ -144,3 +144,21 @@ The build driver to use, defaults to `docker-container`:
 ```yaml
   driver: docker
 ```
+
+## [Provenance](#provenance)
+
+It is used to configure provenance attestations for the build result.
+The value can also be a boolean to enable or disable provenance attestations.
+
+```yaml
+  provenance: mode=max
+```
+
+## [SBOM (Software Bill of Materials)](#sbom-(software-bill-of-materials))
+
+It is used to configure SBOM generation for the build result.
+The value can also be a boolean to enable or disable SBOM generation.
+
+```yaml
+  sbom: true
+```

docs/configuration/cron.md

@@ -12,7 +12,7 @@ servers:
     hosts:
       - 192.168.0.1
     cmd:
-      bash -c "cat config/crontab | crontab - && cron -f"
+      bash -c "(env && cat config/crontab) | crontab - && cron -f"
 ```
 
-This assumes that the Cron settings are stored in `config/crontab`.
+This assumes that the Cron settings are stored in `config/crontab`. Cron does not automatically propagate environment variables, the example above copies them into the crontab.

docs/configuration/docker-registry.md

@@ -8,6 +8,10 @@ title: Registry
 
 The default registry is Docker Hub, but you can change it using `registry/server`.
 
+By default, Docker Hub creates public repositories. To avoid making your images public,
+set up a private repository before deploying, or change the default repository privacy
+settings to private in your [Docker Hub settings](https://hub.docker.com/repository-settings/default-privacy).
+
 A reference to a secret (in this case, `DOCKER_REGISTRY_TOKEN`) will look up the secret
 in the local environment:
 

docs/configuration/proxy.md

@@ -61,12 +61,28 @@ This requires that we are deploying to one server and the host option is set.
 The host value must point to the server we are deploying to, and port 443 must be
 open for the Let's Encrypt challenge to succeed.
 
+If you set `ssl` to `true`, `kamal-proxy` will stop forwarding headers to your app,
+unless you explicitly set `forward_headers: true`
+
 Defaults to `false`:
 
 ```yaml
   ssl: true
 ```
 
+## [Forward headers](#forward-headers)
+
+Whether to forward the `X-Forwarded-For` and `X-Forwarded-Proto` headers.
+
+If you are behind a trusted proxy, you can set this to `true` to forward the headers.
+
+By default, kamal-proxy will not forward the headers if the `ssl` option is set to `true`, and
+will forward them if it is set to `false`.
+
+```yaml
+  forward_headers: true
+```
+
 ## [Response timeout](#response-timeout)
 
 How long to wait for requests to complete before timing out, defaults to 30 seconds:
@@ -123,16 +139,3 @@ By default, `Cache-Control`, `Last-Modified`, and `User-Agent` request headers a
       - X-Request-ID
       - X-Request-Start
 ```
-
-## [Forward headers](#forward-headers)
-
-Whether to forward the `X-Forwarded-For` and `X-Forwarded-Proto` headers.
-
-If you are behind a trusted proxy, you can set this to `true` to forward the headers.
-
-By default, kamal-proxy will not forward the headers if the `ssl` option is set to `true`, and
-will forward them if it is set to `false`.
-
-```yaml
-  forward_headers: true
-```

docs/installation/index.md

@@ -10,7 +10,7 @@ If you have a Ruby environment available, you can install Kamal globally with:
 gem install kamal
 ```
 
-Otherwise, you can run a dockerized version via an alias (add this to your `~/.bashrc` or similar to simplify reuse).
+Otherwise, you can run a dockerized version via an alias (add this to your `~/.bashrc`, `~/.zshrc` or similar to simplify reuse).
 
 On macOS, use:
 

docs/search/index.md

@@ -16,7 +16,7 @@ search: false
     {% unless page.path contains 'v1/' %}
       "{{ page.url | slugify }}": {
         "title": "{{ page.title | smartify | xml_escape }}",
-        "content": {{ page.content | markdownify | strip_html | strip_newlines | jsonify }},
+        "content": {{ page.content | markdownify | strip_html | normalize_whitespace | jsonify }},
         "section": "{{ page.url }}".split("/").filter(element => element !== "").slice(1).join("/"),
         "url": "{{ page.url | xml_escape }}"
       }{% unless forloop.last %},{% endunless %}

docs/upgrading/proxy-changes.md

@@ -32,7 +32,7 @@ These use cases were unsupported and error-prone, though, and we wanted to provi
 
 ### Hard to understand errors
 
-Traefik has its own domain language — Routers, Services, Endpoints. So if it failed, the errors would be in that language and disconnected from what Kamal was doing. This made it tricky to diagnose failures.
+Traefik has its own domain language — Routers, Services, EntryPoints. So if it failed, the errors would be in that language and disconnected from what Kamal was doing. This made it tricky to diagnose failures.
 
 ### Other options
 

docs/upgrading/secrets-changes.md

@@ -6,7 +6,7 @@ title: Secrets changes
 
 Secrets have moved from `.env`/`.env.rb` to `.kamal/secrets`.
 
-If you are using destinations, secrets will be read from `.kamal/secrets.<DESTINATION>` first or `.kamal/secrets` if it is not found.
+If you are using destinations, secrets will be read from `.kamal/secrets.<DESTINATION>` first or `.kamal/secrets-common` if it is not found.
 
 ## [Interpolating secrets](#interpolating-secrets)
 

index.html

@@ -12,10 +12,10 @@ <h1>Deploy web apps anywhere.</h1>
 
 <div class="video">
   <div class="video__content">
-    <video poster="{{ '/assets/videos/kamal-demo.webp' | absolute_url }}" src="https://d2biiyjlsh52uh.cloudfront.net/kamal/kamal-demo.mp4" type="video/mp4" width="100%" data-event="Kamal Demo" playsinline preload="none"></video>
-    <button aria-label="Play video about Kamal">
-      <span></span>
-    </button>
+    <video data-event="Kamal Demo" poster="https://d2biiyjlsh52uh.cloudfront.net/kamal/kamal-demo.webp" src="https://d2biiyjlsh52uh.cloudfront.net/kamal/kamal-demo.mp4" preload="metadata" crossorigin playsinline>
+      <track src="https://d2biiyjlsh52uh.cloudfront.net/kamal/kamal-demo-en.vtt" kind="captions" label="English" srclang="en" default>
+    </video>
+    <button aria-label="Play video about Kamal"></button>
   </div>
 </div>