Merge branch 'basecamp:main' into yml-anchors

_config.yml

@@ -16,6 +16,7 @@ exclude:
   - Gemfile
   - Gemfile.lock
   - README.md
+  - bin
 
 sass:
   style: compressed

_data/github.yml

@@ -1,3 +1,3 @@
-tag_name: 2.3.0
+tag_name: 2.4.0
 v1:
   tag_name: 1.9.2

_data/nav.yml

@@ -1,7 +1,7 @@
 - title: "Documentation"
   url: /docs/
   options:
-  - title: "Version 2.3.0"
+  - title: "Version 2.4.0"
     url: /docs/
   - title: "Version 1.9.2"
     url: /v1/docs/

bin/dev

@@ -0,0 +1,4 @@
+#!/usr/bin/env sh
+
+bundle install
+bundle exec jekyll serve --livereload

docs/commands/proxy.md

@@ -45,6 +45,7 @@ Options:
                                                       # Default: 443
       [--log-max-size=LOG_MAX_SIZE]                   # Max size of proxy logs
                                                       # Default: 10m
+      [--docker-options=option=value option2=value2]  # Docker options to pass to the proxy container
 ```
 
 When set, the config will be stored on the server the proxy runs on.

docs/commands/secrets.md

@@ -94,3 +94,48 @@ kamal secrets fetch --adapter bitwarden --account [email protected] MyItem/REGIS
 kamal secrets extract REGISTRY_PASSWORD <SECRETS-FETCH-OUTPUT>
 kamal secrets extract MyItem/REGISTRY_PASSWORD <SECRETS-FETCH-OUTPUT>
 ```
+
+## AWS Secrets Manager
+
+First, install and configure [the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).
+
+Use the adapter `aws_secrets_manager`:
+
+```bash
+# Fetch passwords
+kamal secrets fetch --adapter aws_secrets_manager --account default REGISTRY_PASSWORD DB_PASSWORD
+
+# Fetch passwords from an item
+kamal secrets fetch --adapter aws_secrets_manager --account default --from myapp/ REGISTRY_PASSWORD DB_PASSWORD
+
+# Fetch passwords from multiple items
+kamal secrets fetch --adapter aws_secrets_manager --account default myapp/REGISTRY_PASSWORD myapp/DB_PASSWORD
+
+# Extract the secret
+kamal secrets extract REGISTRY_PASSWORD <SECRETS-FETCH-OUTPUT>
+kamal secrets extract MyItem/REGISTRY_PASSWORD <SECRETS-FETCH-OUTPUT>
+```
+
+**Note:** The `--account` option should be set to your AWS CLI profile name, which is typically `default`. Ensure that your AWS CLI is configured with the necessary permissions to access AWS Secrets Manager.
+
+## Doppler
+
+First, install and configure [the Doppler CLI](https://docs.doppler.com/docs/install-cli).
+
+Use the adapter `doppler`:
+
+```bash
+# Fetch passwords
+kamal secrets fetch --adapter doppler --from my-project/prd REGISTRY_PASSWORD DB_PASSWORD
+
+# The project/config pattern is also supported in this way
+kamal secrets fetch --adapter doppler my-project/prd/REGISTRY_PASSWORD my-project/prd/DB_PASSWORD
+
+# Extract the secret
+kamal secrets extract REGISTRY_PASSWORD <SECRETS-FETCH-OUTPUT>
+kamal secrets extract DB_PASSWORD <SECRETS-FETCH-OUTPUT>
+```
+
+Doppler organizes secrets in "projects" (like `my-awesome-project`) and "configs" (like `prod`, `stg`, etc), use the pattern `project/config` when defining the `--from` option.
+
+The doppler adapter does not use the `--account` option, if given it will be ignored.

docs/commands/version.md

@@ -8,5 +8,5 @@ Returns the version of Kamal you have installed.
 
 ```bash
 $ kamal version
-2.3.0
+2.4.0
 ```

docs/configuration/accessories.md

@@ -64,8 +64,8 @@ You can set a custom command to run in the container if you do not want to use t
 
 ## [Port mappings](#port-mappings)
 
-See [https://docs.docker.com/network/](https://docs.docker.com/network/), and especially note the warning about the security
-implications of exposing ports publicly.
+See [https://docs.docker.com/network/](https://docs.docker.com/network/), and
+especially note the warning about the security implications of exposing ports publicly.
 
 ```yaml
     port: "127.0.0.1:3306:3306"
@@ -142,3 +142,12 @@ Defaults to kamal:
 ```yaml
     network: custom
 ```
+
+## [Proxy](#proxy)
+
+You can run your accessory behind the Kamal proxy. See [Proxy](../proxy) for more information.
+
+```yaml
+    proxy:
+      ...
+```

docs/configuration/aliases.md

@@ -18,7 +18,7 @@ By defining an alias, like this:
 
 ```yaml
 aliases:
-  console: app exec --reuse -i "bin/rails console"
+  console: app exec -i --reuse "bin/rails console"
 ```
 
 You can now open the console with:

docs/configuration/builders.md

@@ -153,3 +153,12 @@ The value can also be a boolean to enable or disable provenance attestations.
 ```yaml
   provenance: mode=max
 ```
+
+## [SBOM (Software Bill of Materials)](#sbom-(software-bill-of-materials))
+
+It is used to configure SBOM generation for the build result.
+The value can also be a boolean to enable or disable SBOM generation.
+
+```yaml
+  sbom: true
+```

docs/configuration/cron.md

@@ -12,7 +12,7 @@ servers:
     hosts:
       - 192.168.0.1
     cmd:
-      bash -c "cat config/crontab | crontab - && cron -f"
+      bash -c "(env && cat config/crontab) | crontab - && cron -f"
 ```
 
-This assumes that the Cron settings are stored in `config/crontab`.
+This assumes that the Cron settings are stored in `config/crontab`. Cron does not automatically propagate environment variables, the example above copies them into the crontab.

docs/configuration/docker-registry.md

@@ -8,7 +8,9 @@ title: Registry
 
 The default registry is Docker Hub, but you can change it using `registry/server`.
 
-By default, Docker Hub creates public repositories. To avoid making your images public, set up a private repository before deploying, or change the default repository privacy settings to private in your [Docker Hub settings](https://hub.docker.com/repository-settings/default-privacy).
+By default, Docker Hub creates public repositories. To avoid making your images public,
+set up a private repository before deploying, or change the default repository privacy
+settings to private in your [Docker Hub settings](https://hub.docker.com/repository-settings/default-privacy).
 
 A reference to a secret (in this case, `DOCKER_REGISTRY_TOKEN`) will look up the secret
 in the local environment:

docs/configuration/proxy.md

@@ -61,12 +61,28 @@ This requires that we are deploying to one server and the host option is set.
 The host value must point to the server we are deploying to, and port 443 must be
 open for the Let's Encrypt challenge to succeed.
 
+If you set `ssl` to `true`, `kamal-proxy` will stop forwarding headers to your app,
+unless you explicitly set `forward_headers: true`
+
 Defaults to `false`:
 
 ```yaml
   ssl: true
 ```
 
+## [Forward headers](#forward-headers)
+
+Whether to forward the `X-Forwarded-For` and `X-Forwarded-Proto` headers.
+
+If you are behind a trusted proxy, you can set this to `true` to forward the headers.
+
+By default, kamal-proxy will not forward the headers if the `ssl` option is set to `true`, and
+will forward them if it is set to `false`.
+
+```yaml
+  forward_headers: true
+```
+
 ## [Response timeout](#response-timeout)
 
 How long to wait for requests to complete before timing out, defaults to 30 seconds:
@@ -123,16 +139,3 @@ By default, `Cache-Control`, `Last-Modified`, and `User-Agent` request headers a
       - X-Request-ID
       - X-Request-Start
 ```
-
-## [Forward headers](#forward-headers)
-
-Whether to forward the `X-Forwarded-For` and `X-Forwarded-Proto` headers.
-
-If you are behind a trusted proxy, you can set this to `true` to forward the headers.
-
-By default, kamal-proxy will not forward the headers if the `ssl` option is set to `true`, and
-will forward them if it is set to `false`.
-
-```yaml
-  forward_headers: true
-```

docs/upgrading/proxy-changes.md

@@ -32,7 +32,7 @@ These use cases were unsupported and error-prone, though, and we wanted to provi
 
 ### Hard to understand errors
 
-Traefik has its own domain language — Routers, Services, Endpoints. So if it failed, the errors would be in that language and disconnected from what Kamal was doing. This made it tricky to diagnose failures.
+Traefik has its own domain language — Routers, Services, EntryPoints. So if it failed, the errors would be in that language and disconnected from what Kamal was doing. This made it tricky to diagnose failures.
 
 ### Other options