Hi Kamal team 👋
First of all, thank you for the amazing work on Kamal. It’s a powerful tool that brings the simplicity of Capistrano-style deployments to the container world. The developer experience overall is great, and it’s impressive how much has been streamlined with just a few YAML files.
That said, I’d like to raise a concern about the current approach to managing secrets.
In particular, the .kamal/secrets script ends up being extremely repetitive and verbose, especially when using external secret providers like Doppler. For example, I have to run kamal secrets extract for every single variable:
This repetition is not only tedious but also increases the risk of human error. If you forget to extract one of the variables, your deployment or accessory config might fail in non-obvious ways. It's also hard to keep the .kamal/secrets file in sync with all the references in deploy.yml.
Suggestion:
Could we have a more concise or declarative way to map secrets from a provider into environment variables, perhaps automatically injecting all fetched secrets into the environment by default? Or maybe support a batch extraction with kamal secrets extract-all that can populate ENV directly?
Again, thanks for the awesome tool — just hoping to see the secrets workflow made as elegant as the rest of Kamal.
Best regards,
Camilo
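An added example, not part of the issue above and not Kamal's own code: a pre-deploy check that lists secrets referenced in deploy.yml but never assigned in .kamal/secrets, the drift described above. It assumes deploy.yml lists secret names under `secret:` keys (top-level and per accessory), contains no ERB, and that .kamal/secrets uses `NAME=value` lines; the function names and sample files are constructed for illustration.

```ruby
require "yaml"
require "set"

# Names assigned in a .kamal/secrets file (assumed dotenv-style NAME=value lines).
# Comment lines do not match because the name must start the line.
def defined_secrets(secrets_text)
  secrets_text.each_line.filter_map do |line|
    line[/\A\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=/, 1]
  end.to_set
end

# Walk the parsed deploy.yml and collect every name listed under a "secret" key,
# so app env and accessory env blocks are both covered.
def referenced_secrets(node, found = Set.new)
  case node
  when Hash
    node.each do |key, value|
      if key == "secret" && value.is_a?(Array)
        value.each { |name| found << name.to_s }
      else
        referenced_secrets(value, found)
      end
    end
  when Array
    node.each { |item| referenced_secrets(item, found) }
  end
  found
end

# Secrets that deploy.yml expects but .kamal/secrets never assigns.
def missing_secrets(deploy_yaml, secrets_text)
  (referenced_secrets(YAML.safe_load(deploy_yaml)) - defined_secrets(secrets_text)).sort
end

# Constructed sample inputs (not taken from the issue).
DEPLOY_YML = <<~YAML
  service: app
  env:
    secret: [DATABASE_URL, REDIS_URL]
  accessories:
    db:
      env:
        secret: [POSTGRES_PASSWORD]
YAML

SECRETS_FILE = <<~'EOS'
  # SECRETS=... (provider fetch elided in this constructed sample)
  DATABASE_URL=$(kamal secrets extract DATABASE_URL $SECRETS)
  POSTGRES_PASSWORD=$(kamal secrets extract POSTGRES_PASSWORD $SECRETS)
EOS

puts "missing from .kamal/secrets: #{missing_secrets(DEPLOY_YML, SECRETS_FILE).join(', ')}"
```

Run as a CI or pre-deploy step, a non-empty result can fail the build before a container starts without the variable.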