Kamal secrets and github actions deployment #1034
Replies: 2 comments
-
You can use GH Secrets as ENVs, which you can then refer to in .kamal/secrets. See https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions.
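One way to apply the suggestion above while still failing fast, as an added example that is not part of the original reply or of the Kamal project: a POSIX shell preflight a workflow step could run before `kamal deploy`, listing variables that `.kamal/secrets` references but the job's `env:` mapping did not supply. The function name, the `DEMO_*` names and the helper command are hypothetical, and it assumes secrets lines of the form `NAME=$VAR` or `NAME=${VAR}`.

```sh
#!/bin/sh
# Preflight for a CI deploy job: report environment variables that
# .kamal/secrets references but the job was not given. Names only, never values.

# Prints each missing variable name; returns 1 if any is missing, 2 if the
# file is unreadable, 0 otherwise.
missing_secret_vars() {
  secrets_file=$1
  rc=0
  [ -r "$secrets_file" ] || return 2
  # Pull VAR out of lines shaped NAME=$VAR or NAME=${VAR}. Comments and
  # $(...) command substitutions do not match and are skipped.
  pattern='s/^[A-Za-z_][A-Za-z0-9_]*=\${\{0,1\}\([A-Za-z_][A-Za-z0-9_]*\)}\{0,1\}[[:space:]]*$/\1/p'
  for var in $(sed -n "$pattern" "$secrets_file"); do
    # $var is restricted to [A-Za-z0-9_] by the pattern, so eval is safe here.
    if eval "[ -z \"\${$var:-}\" ]"; then
      printf '%s\n' "$var"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample input; DEMO_APP_SECRET and the helper command are hypothetical.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# .kamal/secrets (constructed sample)
KAMAL_REGISTRY_PASSWORD=$KAMAL_REGISTRY_PASSWORD
DEMO_APP_SECRET=${DEMO_APP_SECRET}
DEMO_FROM_HELPER=$(hypothetical-secret-helper)
EOF

# Simulate a job where only the registry password was mapped from GH Secrets.
KAMAL_REGISTRY_PASSWORD=constructed-value
unset DEMO_APP_SECRET
if missing=$(missing_secret_vars "$demo_file"); then
  echo "all referenced variables are set"
else
  echo "missing in CI environment: $missing"
fi
rm -f "$demo_file"
```
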
-
I am having the same issue: deploying an app using a CI/CD service fails unless the CI/CD executor has access to the project's secrets. The process breaks during the secrets upload step. Uploading my secrets to GH isn’t a viable solution for me, as:
I understand it is important to fail fast if some secrets are missing, but maybe this check can happen on the host directly? My best option is a dedicated secret manager, or a
-
Now that I've upgraded to kamal 2, I see the secrets no longer have a separate lifecycle and they are pushed on every deployment. While this simplifies the whole process, it does remove some of the flexibility that kamal 1.x provided with the ability to manage secrets independently of the deployment. I would manage the uploading of secrets (env push) from my local machine, and then leave the grunt work of deployment to github actions. This meant that all my app secrets didn't have to be duplicated in github secrets as well, and github only needed the basics like the KAMAL_REGISTRY_PASSWORD and SSH_KEY to do a deploy.
Curious how others are managing their secrets with github actions and kamal, as maybe I'm missing some path that makes this easier with kamal 2. Kamal 2 has been much easier to get up and going, so maybe this is just a tradeoff of making the whole deployment process more simple and bulletproof.
Thanks!