Rails Credentials
Rails Credentials is a neat feature that lets developers skip password managers and encrypt secrets directly in the repository. We run rails credentials commands to add and edit secrets, and only need to remember a single secret to manage them all. The credentials are stored in an encrypted file called credentials.yml.enc, which is located in the config directory of the Rails application. Since it's encrypted, we can check the file in to source control.
Docker registry
However, this didn't work well with Kamal, since Kamal is a separate application from Rails and needs to log in to a Docker registry as part of the deploy process. That meant maintaining a separate secret for Kamal. Most people settled on maintaining an extra secret, but it never felt right. Luckily, with Rails 8.1 we can finally encrypt the registry password for Kamal together with the other credentials and use rails credentials:fetch to get it.
Here's how we would get the Docker registry password from Rails Credentials:
# .kamal/secrets
KAMAL_REGISTRY_PASSWORD=$(rails credentials:fetch kamal.registry_password)
This way KAMAL_REGISTRY_PASSWORD is populated directly from your encrypted file.
Local registry
But what's even better than not populating the secret? Not having the secret in the first place. Kamal 2.8 now lets us skip an external registry altogether by setting up a local registry. So if you don't need a shared registry, you can save one secret.
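How the pieces described above fit together, as an added example that is not from the original post. The account name and placeholder value are made up, and the localhost:5555 address assumes Kamal's convention that a registry server starting with localhost is run as a local registry.

```yaml
# Decrypted view of config/credentials.yml.enc (what `rails credentials:edit` shows).
# The nesting is what the dotted path kamal.registry_password resolves against.
kamal:
  registry_password: "<registry-token-placeholder>"   # constructed placeholder
---
# config/deploy.yml, external registry: Kamal looks the password up by name
# in .kamal/secrets, so no secret value appears in this file.
registry:
  username: example-user        # hypothetical account name
  password:
    - KAMAL_REGISTRY_PASSWORD
---
# config/deploy.yml, local registry (Kamal 2.8): no username or password,
# so the KAMAL_REGISTRY_PASSWORD line in .kamal/secrets is no longer needed.
registry:
  server: localhost:5555        # assumed local registry address
```

With the external registry variant, the only plaintext secret left outside the repository is the key that decrypts credentials.yml.enc.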
