Add secret support for SSH key_data

jclusso · jclusso · commit d284dae0193c · 2025-08-04T21:27:10.000-04:00
I've modified `key_data` under `ssh` to read from secrets. This is backwards compatible with the insecure method of storing directly in the deploy.yml. I limited the documentation to only showing the secure way since there is no reason to suggest insecure methods.
diff --git a/lib/kamal/configuration/docs/ssh.yml b/lib/kamal/configuration/docs/ssh.yml
@@ -58,9 +58,9 @@ ssh:
 
   # Key data
   #
-  # An array of strings, with each element of the array being
-  # a raw private key in PEM format.
-  key_data: [ "-----BEGIN OPENSSH PRIVATE KEY-----" ]
+  # An array of strings, with each element of the array being a secret name.
+  key_data:
+    - SSH_PRIVATE_KEY
 
   # Config
   #
diff --git a/lib/kamal/configuration/ssh.rb b/lib/kamal/configuration/ssh.rb
@@ -3,10 +3,11 @@ class Kamal::Configuration::Ssh
 
   include Kamal::Configuration::Validation
 
-  attr_reader :ssh_config
+  attr_reader :ssh_config, :secrets
 
   def initialize(config:)
     @ssh_config = config.raw_config.ssh || {}
+    @secrets = config.secrets
     validate! ssh_config
   end
 
@@ -35,7 +36,10 @@ def keys
   end
 
   def key_data
-    ssh_config["key_data"]
+    key_data = ssh_config["key_data"]
+    return unless key_data
+
+    key_data.map { |k| k.include?("-----BEGIN") ? k : secrets[k] }
   end
 
   def options
diff --git a/test/configuration/ssh_test.rb b/test/configuration/ssh_test.rb
@@ -37,4 +37,24 @@ class ConfigurationSshTest < ActiveSupport::TestCase
     config = Kamal::Configuration.new(@deploy.tap { |c| c.merge!(ssh: { "proxy" => "app@1.2.3.4" }) })
     assert_equal "app@1.2.3.4", config.ssh.options[:proxy].jump_proxies
   end
+
+  test "ssh key_data with plain value array" do
+    config = Kamal::Configuration.new(@deploy.tap { |c| c.merge!(ssh: { "key_data" => ["-----BEGIN OPENSSH PRIVATE KEY-----"] }) })
+    assert_equal ["-----BEGIN OPENSSH PRIVATE KEY-----"], config.ssh.options[:key_data]
+  end
+
+  test "ssh key_data with array containing one secret string" do
+    with_test_secrets("secrets" => "SSH_PRIVATE_KEY=secret_ssh_key") do
+      config = Kamal::Configuration.new(@deploy.tap { |c| c.merge!(ssh: { "key_data" => ["SSH_PRIVATE_KEY"] }) })
+      assert_equal ["secret_ssh_key"], config.ssh.options[:key_data]
+    end
+  end
+
+  test "ssh key_data with array containing multiple secret strings" do
+    with_test_secrets("secrets" => "SSH_PRIVATE_KEY=secret_ssh_key\nSECOND_KEY=second_secret_ssh_key") do
+      config = Kamal::Configuration.new(@deploy.tap { |c| c.merge!(ssh: { "key_data" => ["SSH_PRIVATE_KEY", "SECOND_KEY"] }) })
+      assert_equal ["secret_ssh_key", "second_secret_ssh_key"], config.ssh.options[:key_data]
+    end
+  end
+
 end

Original file line number	Diff line number	Diff line change
`@@ -58,9 +58,9 @@ ssh:`
`58`	`58`
`59`	`59`	`# Key data`
`60`	`60`	`#`
`61`		`- # An array of strings, with each element of the array being`
`62`		`- # a raw private key in PEM format.`
`63`		`- key_data: [ "-----BEGIN OPENSSH PRIVATE KEY-----" ]`
	`61`	`+ # An array of strings, with each element of the array being a secret name.`
	`62`	`+ key_data:`
	`63`	`+ - SSH_PRIVATE_KEY`
`64`	`64`
`65`	`65`	`# Config`
`66`	`66`	`#`