00:00:10.000
okay hi everyone let's see there we go
00:00:14.480
okay um yes so uh let's go back one
00:00:18.720
right that's me Don MCB I'm a programmer
00:00:21.000
at uh 37signals and so uh yeah Kamal 2
00:00:25.000
is the tool we're currently using to
00:00:27.080
deploy HEY so I'm going to talk uh a
00:00:29.279
little bit just about Kamal in general how
00:00:31.039
it works and then more specifically
00:00:33.399
about what we've added for Kamal 2 so we
00:00:36.800
sort of had the history already so we'll
00:00:38.320
go through this I won't take too long
00:00:40.520
but where we were at the start was we
00:00:42.600
were running a bunch of applications in
00:00:44.640
AWS uh on their managed Kubernetes
00:00:47.480
service EKS and we wanted to bring them
00:00:49.960
in-house and run them on our own hardware
00:00:52.120
so we needed a way to run them so one
00:00:54.480
option would be to uh start using
00:00:56.399
Kubernetes locally but we looked at that
00:00:59.320
and we didn't really fancy it we were
00:01:02.840
like that looks quite uh you know tricky
00:01:06.159
um we were looking at we already had
00:01:09.439
Basecamp our uh biggest application had
00:01:12.640
always run on our own hardware and we
00:01:15.119
were just using Capistrano to deploy it
00:01:17.720
and when we looked at what we were doing
00:01:19.360
in AWS it was like well we don't really
00:01:21.880
like this Kubernetes part that looks a
00:01:23.560
bit tricky and we don't really need it
00:01:25.360
but this Docker bit looks great because we
00:01:27.479
won't need to like artisanally manage
00:01:29.280
our servers anymore to make sure we can
00:01:31.720
you know compile the latest Ruby and
00:01:34.119
make sure all the gems install correctly
00:01:36.119
so we're like well we do like the uh
00:01:37.880
Docker part so uh what we decided we
00:01:41.159
needed was Capistrano for containers um
00:01:45.320
so if you uh don't know what Capistrano
00:01:48.680
is so in the days before Capistrano uh
00:01:51.680
you would you know deploy your
00:01:53.399
applications by running some scripts
00:01:55.399
you'd made up or SSHing into a server and
00:01:57.560
just typing some random commands and
00:01:59.119
hope that it worked
00:02:00.560
and Capistrano which was uh originally
00:02:04.200
built by Jamis Buck who's actually talking
00:02:06.600
right now in the other room um was a way
00:02:10.119
to make this simpler so the idea was you
00:02:13.560
would SSH you'd have Capistrano would SSH
00:02:16.319
to your servers for you and have a bunch
00:02:18.480
of recipes that it would run that would
00:02:20.080
deploy your app and you'd have
00:02:21.160
repeatable builds and that was what we
00:02:24.440
decided we needed so Kamal's kind of a
00:02:26.000
modern take on Capistrano but decided to
00:02:28.280
run with Docker and it's a Ruby gem
00:02:30.920
built on top of SSHKit so SSHKit is a
00:02:34.280
library extracted from Capistrano and
00:02:36.720
that helps you you know run uh commands
00:02:39.760
over SSH concurrently and wait for them
00:02:41.599
all to return and just makes that really
00:02:43.480
easy to do uh and then the idea is
00:02:46.000
you've just got some Linux servers
00:02:47.800
running Docker or about to run Docker
00:02:50.159
that you want to deploy
00:02:52.360
to okay so these were the three um kind
00:02:56.800
of big goals we had first was that it
00:02:58.760
would be zero downtime so if you do very
00:03:01.319
naive version of just running Docker
00:03:03.400
you're going to have your application
00:03:04.840
you'll boot it up sort of sit there on
00:03:06.959
port 80 and then you've got a new
00:03:08.360
version of the application and what you
00:03:09.959
need to do so that it can sit on port 80
00:03:12.080
is take the first one down and bring the
00:03:13.400
other one up and you've got a big gap
00:03:14.799
there where you're going to be serving
00:03:16.319
error pages so we wanted to avoid that
00:03:19.920
the second thing was that it would be an
00:03:22.799
imperative tool and what this means is
00:03:26.200
that we're going to run a command and
00:03:28.799
then we're going to wait and when the
00:03:30.080
command is finished we're done there's
00:03:31.480
nothing else going on so something like
00:03:33.720
uh kubernetes is more declarative and I
00:03:35.760
think the difference between the two is
00:03:37.360
imperative means I insist and
00:03:39.840
declarative means I suggest so with this
00:03:43.280
we're saying I insist you deploy and you
00:03:46.040
tell me whether you've deployed or not
00:03:47.560
and once the command's over we're
00:03:49.480
done and then if we're going to wait for
00:03:51.959
you well to complete we need to be as
00:03:55.280
fast as possible so um we're going to be
00:03:58.519
deploying Docker images so you know
00:04:01.040
you've got to build them and move them
00:04:02.599
around so if that takes a long time well
00:04:04.079
that's going to take a long time but we
00:04:05.319
wanted Kamal to be as fast as possible and
00:04:08.560
avoid adding any extra overhead if
00:04:12.799
possible okay so um the prerequisites if
00:04:17.120
you want to run Kamal on an app so you
00:04:19.359
need you'll need an app with a Docker
00:04:20.639
file so you can build your Docker image
00:04:22.479
now it doesn't have to be Rails it can
00:04:23.680
be any kind of web app that uh you can
00:04:26.479
package up as a Docker image and uh as
00:04:30.800
David said earlier you do need a Docker
00:04:32.639
registry right now and we have some
00:04:34.080
ideas on how to get rid of that part
00:04:35.560
because it's really really annoying but
00:04:37.440
you have toiv that for now and finally
00:04:40.759
you need a bunch of servers that you
00:04:42.199
have SSH access
00:04:44.320
to okay so and then if we want to
00:04:47.240
install well with Rails 8 it will come
00:04:49.720
installed already unless you add the
00:04:51.560
skip Kamal command uh option to the
00:04:55.360
command uh otherwise if you want to try
00:04:57.600
and try it out on an existing
00:04:59.280
application you can install the gem or
00:05:01.320
you put it in your bundle uh so you do
00:05:04.199
that and then run kamal init which will
00:05:07.039
create a bunch of files um so uh the
00:05:11.280
main one here being config/deploy.yml
00:05:13.479
so uh we
00:05:14.720
saw that earlier but this is kind of the
00:05:18.360
minimal version you need so servers
00:05:20.440
you're deploying to details on your
00:05:22.319
registry and what architecture you want
00:05:24.840
to build
00:05:25.960
for okay so here's our really simple
00:05:29.720
looking infrastructure we've got a host
00:05:31.160
we're deploying from that could be your
00:05:32.639
laptop could be you know a special host
00:05:35.520
to use somewhere for deploying from and
00:05:37.800
a host we want to deploy to and we're
00:05:39.240
going to talk over SSH you might have
00:05:41.840
multiple hosts that's fine um it'll do
00:05:45.199
all that all the work to deploy in
00:05:46.960
parallel if that's the
00:05:48.440
case though uh you will need your own
00:05:51.039
load balancer somewhere to uh balance
00:05:54.280
things out over those
00:05:56.680
hosts and we'll go through we'll just
00:05:59.880
use one host here so we've got our
00:06:01.360
deployment host we've got our
00:06:02.520
application
00:06:03.639
host and we've got our Docker registry
00:06:06.000
for now
00:06:07.319
anyway and what we do is we run Kamal
00:06:10.800
setup and when you run this you're going
00:06:12.919
to it's going to spit out this kind of
00:06:14.680
output which is uh kind of the standard
00:06:17.479
SSHKit output and it's quite handy
00:06:21.120
because you can do a deployment and then
00:06:22.840
just inspect that and it will just tell
00:06:24.240
you here are the commands that Kamal does
00:06:26.240
so if you're like what is it doing you
00:06:27.759
just run a deployment and then just go
00:06:29.639
and start digging those logs and you can
00:06:31.759
see exactly what's there it's just the
00:06:34.280
heritage from Capistrano which is really
00:06:37.560
handy uh okay so when we run Kamal setup
00:06:43.120
the first thing it's going to do is it's
00:06:44.520
going to check on the application host
00:06:46.880
as to whether Docker's installed if it's
00:06:48.400
not it'll try and install it if it can't
00:06:50.840
well you'll have to sort that out
00:06:51.960
yourself manually but otherwise we'll
00:06:54.840
get Docker installed on
00:06:57.120
there uh and then we'll do a Docker
00:06:59.199
build on our deployment host and that's
00:07:01.319
going to build uh our application image
00:07:04.000
on our host and we'll push it so do a
00:07:06.960
Docker
00:07:08.199
push and then we will SSH over to our
00:07:12.680
application host and do a Docker pull so
00:07:15.919
now we have our container sitting on our
00:07:18.840
application
00:07:20.120
host okay so the next part is the
00:07:22.280
deployment phase and we'll zoom into the
00:07:24.360
application host for that bit so we've
00:07:27.280
got our commands coming in over SSH from
00:07:30.360
our deployment
00:07:32.000
host and uh we've got Docker installed
00:07:34.800
here we've just copied our image on the
00:07:36.960
first thing we're going to do is boot a
00:07:38.280
proxy so this is in Kamal 2 is going to be
00:07:41.879
an instance of Kamal proxy which is the
00:07:44.599
new uh proxy we built and my colleague
00:07:46.720
Kevin is giving a talk on that uh after
00:07:49.120
this so if you're interested in knowing
00:07:50.479
more uh come along to
00:07:52.680
that but how we use it is we then boot
00:07:55.919
up our uh application container and then
00:08:00.159
we tell the proxy send the traffic
00:08:01.960
through to that container so now we're
00:08:04.240
done we're Ser requests are coming in uh
00:08:07.520
the proxy forwarding them to our
00:08:10.960
application okay so the next phase is I
00:08:14.000
want to deploy a second version of
00:08:16.000
applications you've made your changes
00:08:17.599
you've committed them and you want to do
00:08:19.840
that so you're going to run Kamal deploy
00:08:21.639
so Kamal setup is kind of just the initial
00:08:24.759
setup and then a deployment and then
00:08:26.479
this one is just that sort of second
00:08:28.000
phase to the kind of deployment part
00:08:30.479
so to start with it's going to um do
00:08:35.399
that kind of dance of building the image
00:08:38.399
and pushing it and then pulling it so
00:08:40.479
we've now got uh the second version of
00:08:43.640
our application sitting on our
00:08:45.680
application host um and this is where
00:08:48.720
where we left things off after our last
00:08:50.519
deployment so we'll just uh boot up a
00:08:53.360
container running the second version of
00:08:55.640
the
00:08:56.640
application and then we'll tell Kamal
00:08:58.920
proxy please send the traffic over there
00:09:02.120
and we're done so that's uh a very sort
00:09:06.040
of the the simple version of how it
00:09:08.880
works now there's more to the things
00:09:10.399
like um you know if you want to have if
00:09:12.880
you've got job servers where you don't
00:09:14.120
need a proxy it'll handle those and you
00:09:16.240
can configure all that
00:09:19.399
separately okay oh yeah and then we we
00:09:22.040
can now turn off the old container
00:09:24.399
because we're
00:09:26.279
done so one interesting part in this
00:09:30.279
that uh I thought it would be worth
00:09:32.160
discussing is uh what we call asset
00:09:34.720
bridging so if you have the naive version
00:09:38.120
of the deployment kind of as I described
00:09:40.040
there you have a problem as the new
00:09:42.600
version is going out especially if
00:09:44.240
you're running on multiple application
00:09:45.600
hosts and they're all deploying at a
00:09:47.240
slightly different rate you've got your
00:09:48.839
new containers floating around you've
00:09:50.360
got your old containers floating around
00:09:52.800
um and you have uh yeah so say you've
00:09:56.720
got a build and you've
00:09:59.480
changed your CSS so now the fingerprint
00:10:01.480
on the file has changed and you've got
00:10:03.560
this new
00:10:04.760
asset that you want that sits on your
00:10:07.640
new containers and this old asset
00:10:09.240
sitting on your old containers but you
00:10:10.959
have no guarantee about which container
00:10:12.680
the requests are going to come to so
00:10:14.480
what are you going to get as you deploy
00:10:16.000
you're going to get 404s you're
00:10:17.200
going to get a few random unstyled pages
00:10:19.959
and if people are watching carefully
00:10:21.200
they can tell when you're deploying
00:10:22.880
which is not what we want we want that
00:10:24.640
to be zero time downtime and
00:10:27.200
invisible okay so
00:10:30.000
this is a common problem and like loads
00:10:32.360
of Rails apps have this step beforehand
00:10:34.560
where you'll like take your assets and
00:10:36.600
copy them up to an S3 bucket or
00:10:38.240
something and like have some separate
00:10:40.120
asset host to make sure that they're
00:10:41.600
there but we wanted to make it so if
00:10:43.200
you're using Kamal you just don't have to
00:10:44.680
worry about this so um if you go and uh
00:10:50.079
create a new Rails H app and look in the
00:10:53.279
config there you'll find this line
00:10:55.279
asset_path /rails/public/assets so we're
00:10:57.880
telling Kamal where in our Docker image it
00:11:00.920
can find the
00:11:02.639
assets and what we'll do with that
00:11:04.760
information is that we will um boot up
00:11:09.160
our application image but we're going to
00:11:11.720
change the entry point and just set it
00:11:13.079
to sleep so it just boots up and does
00:11:14.680
nothing and just sits there hanging
00:11:16.560
around waiting and then we copy the
00:11:18.360
assets out into a folder on the
00:11:20.760
application host so outside Docker in a
00:11:22.720
separate folder and now we've got those
00:11:24.560
assets we can stop uh stop our
00:11:28.000
container so got those assets and what
00:11:30.959
we're going to do is well the last time
00:11:33.360
we deployed we did the same thing so we
00:11:35.200
have the assets from the last deploy
00:11:36.519
lying around as well so we'll take the
00:11:39.320
new assets and the old assets copy them
00:11:41.800
into a combined asset folder and then
00:11:44.079
we've got a folder containing all the
00:11:46.120
assets um and uh when I came up with this
00:11:51.040
idea I got this far and I was like now I
00:11:53.120
don't know what to do with them and
00:11:54.320
luckily uh Lu my colleague Jeremy had
00:11:57.600
the very what now seems very obvious
00:11:59.800
point of what you should do with them
00:12:01.519
which is just map that folder back over
00:12:03.800
/rails/public/assets when you actually
00:12:05.360
boot your container so when you boot up
00:12:07.760
the new um applica the new version of
00:12:11.160
your application /rails/public/assets
00:12:13.360
contains the old assets and the new
00:12:15.079
assets so you don't care which container
00:12:17.160
it hits and you've got you've still got
00:12:18.880
the problem with your old containers but
00:12:22.560
you can fix that because you already had
00:12:24.079
a uh folder mapped in for those so
00:12:26.880
before you boot up this new one you copy
00:12:28.560
those new assets back into that folder
00:12:30.440
and it can also serve both versions of
00:12:32.480
your
00:12:34.480
assets so you get no 404s you don't need
00:12:38.240
to mess around with like trying to
00:12:40.120
seed the CDN or hoping that like you'll
00:12:42.720
just get hits from your CDN uh I'm not
00:12:46.120
saying you don't need a CDN you might
00:12:47.399
need a CDN but you don't need it for
00:12:48.959
this uh and you don't need to like set
00:12:51.079
up these special asset hosts to deal
00:12:53.440
with this so uh yeah that's asset
00:12:57.040
bridging okay so now uh just to go to
00:13:01.839
just to say yes it is releasing today no
00:13:04.880
it has not released yet not as brave as
00:13:07.399
Rosa releasing the thing and then doing
00:13:09.360
a talk I decided it would be better to
00:13:10.920
do it the other way around so um the
00:13:14.600
main thing that means is the
00:13:15.519
documentation is not up to date so if
00:13:16.920
you've gone to look at the documentation
00:13:18.560
it's not got the information for the new
00:13:20.639
version but it will be there later today
00:13:22.920
okay so what's new well the biggest
00:13:25.920
thing is that we're changing the proxy
00:13:27.920
we're using so so we used in Kamal 1 we
00:13:30.519
used to use uh Traefik as this proxy
00:13:32.760
that we use to uh
00:13:35.040
switch uh between
00:13:37.600
containers um and so Traefik is it's an
00:13:41.000
open source application proxy um and
00:13:44.760
it's designed to kind of configure
00:13:46.920
itself automatically and dynamically and
00:13:49.639
so what how we would use it is we would
00:13:53.160
uh it has a Docker provider and when you
00:13:56.639
boot up your container if you put some
00:13:59.120
labels on it it will notice those labels
00:14:00.880
and start sending traffic through to
00:14:02.360
your container based on the labels um so
00:14:05.320
that's what we were using
00:14:07.600
um but there was kind of problems with
00:14:11.600
this that it just became obvious more we
00:14:13.360
were trying to make all the like you
00:14:15.199
know get rid of all the little edge cases
00:14:17.199
and make sure that things deployment
00:14:18.600
went smoothly without dropping anything
00:14:20.519
and the main one is this there's this
00:14:21.759
kind of declarative imperative mismatch
00:14:24.040
with with Kamal we're you know we're
00:14:26.720
saying I want to call this command I
00:14:29.240
want this thing to happen we're you know
00:14:31.639
we're we're insisting we're not
00:14:33.199
suggesting but Traefik only takes
00:14:35.160
suggestions so you have to like boot up
00:14:38.440
the container with the labels and then
00:14:40.959
you have to start polling and waiting
00:14:42.360
for it to notice the labels and then
00:14:43.800
suddenly it looks like okay it's picked
00:14:45.160
it up and actually I think we just had a
00:14:47.040
bit where we go and now we'll wait three
00:14:48.560
seconds and assume it's got round to it um
00:14:51.120
and that's just not great it's not not a
00:14:52.720
great match and the biggest problem we
00:14:54.639
found was it was really difficult to
00:14:56.040
drain requests because container lay
00:14:59.040
labels are immutable so you can boot up
00:15:00.920
your container and say send traffic to
00:15:02.959
this container but you can't get rid of
00:15:04.800
those labels it's just going to keep
00:15:06.199
sending the requests to the container
00:15:08.199
until the container goes away so you get
00:15:10.160
this problem as you're trying to stop it
00:15:12.440
before you stop it you want to say don't
00:15:14.399
send any more requests let's finish up
00:15:16.199
the requests that are there and then
00:15:17.560
we'll stop we couldn't do that with
00:15:19.120
Traefik really we had to resort to like
00:15:21.759
really horrible hacks where we started
00:15:23.440
messing with um the health check and
00:15:27.600
deleting files so the health check would
00:15:29.360
fail and Traefik would go oh better not
00:15:31.040
send any traffic any requests to this
00:15:33.120
container so wasn't great and the third
00:15:36.160
thing is like it was hard to understand
00:15:38.800
what was going on when things went wrong
00:15:40.240
and this isn't Traefik's fault this is
00:15:42.199
just you're getting errors in Traefik's
00:15:45.000
language and Traefik is a general
00:15:46.920
purpose proxy and it's got It's kind of
00:15:49.399
all these kind of quite um you know it's
00:15:53.560
got these different concepts that allow
00:15:55.480
you to do all kinds of things but we
00:15:57.120
just wanted it to do one thing so you
00:15:58.639
get these errors about entry points and
00:16:00.839
routers and services and it's just like
00:16:02.959
well how does that connect to what I was
00:16:04.360
trying to do so we figured yes this is
00:16:07.600
not really working and what we decided
00:16:11.079
was we would build a our own proxy to
00:16:14.720
replace Traefik and this proxy was built
00:16:17.399
with Kamal exactly in mind so it's zero is
00:16:21.040
config basically what we're saying there
00:16:23.199
is one one of the things we want to do
00:16:25.240
is be able to run multiple applications
00:16:27.160
so if you have boot time configuration
00:16:30.240
then you can't vary it between the
00:16:31.839
applications so we have as little config
00:16:34.920
as possible when you boot the proxy and
00:16:38.120
there's this kind of one-to-one command
00:16:39.920
mapping so when we want to deploy you
00:16:43.959
you type command deploy Kamal deploy goes
00:16:46.279
to the proxy says deploy the proxy
00:16:48.040
deploys says I've done it we say yes
00:16:49.920
we've done it and everything is just
00:16:51.199
nice and streamlined everything maps up
00:16:54.120
it's quick because you're not polling
00:16:55.759
and waiting and waiting um and that's
00:16:58.480
yeah that's kind of one of the reasons
00:17:00.160
we built it and as I said Kevin's going
00:17:02.000
to talk a lot more and there's some
00:17:03.560
really cool features that we're planning
00:17:05.760
to introduce into Kamal he's going to
00:17:07.120
show later
00:17:09.280
on okay so one of the things we wanted
00:17:11.959
to uh be able to do this so when we
00:17:14.160
built the first version of Kamal it was
00:17:17.120
really designed specifically for our use
00:17:19.319
case in mind which was you've got you've
00:17:21.240
got an application you've already got a
00:17:23.199
load balancer you've got lots and lots
00:17:25.319
of um hosts that you're deploying to for
00:17:28.240
this one application
00:17:29.559
but a lot of people who are using Kamal
00:17:31.200
had a different kind of setup where they
00:17:33.080
you know you've just got your sort of
00:17:34.679
brand new app you just want to run it on
00:17:36.400
a single server uh or you don't even
00:17:39.559
want to you know you've got six
00:17:41.039
different apps and you don't want six
00:17:42.160
different you don't need six different
00:17:43.240
servers or you don't mess around and
00:17:44.480
creating lots of VMs you just like to
00:17:45.960
run them all on that one single host so
00:17:48.919
we built in support for these we kind of
00:17:51.000
saw this earlier uh in um David's keynote
00:17:56.080
but you just configure the host and say
00:17:58.280
SSL true and that should uh it'll go
00:18:01.799
and do the Let's Encrypt dance so
00:18:03.679
what you need here for this to work is
00:18:05.640
that foo.example.com points directly to
00:18:08.400
this server and the port 443 is open on
00:18:12.159
that server and then the proxy will just
00:18:14.640
automatically do all the rest for you
00:18:16.520
you just deploy it should just
00:18:19.080
work and then multiple apps board we saw
00:18:21.600
this again you can just set the two
00:18:24.120
proxies in each app's configuration they
00:18:27.120
can deploy to the same server
00:18:29.360
and you will end up with a uh situation
00:18:32.640
that looks um a bit like this so we've
00:18:36.000
got a proxy here and we've got two
00:18:37.400
separate applications and it's using
00:18:39.080
host-based routing to send the correct
00:18:42.080
requests to each container and now we
00:18:44.360
can go and do our deployments that we
00:18:46.080
saw earlier and deploy each container uh
00:18:49.080
independently at the same time it'll do
00:18:51.080
that dance of switching one version and
00:18:52.919
the other version out first um and yeah
00:18:56.360
it should just work um the thing was
00:18:59.480
that uh you know Traefik one of the
00:19:01.880
things about Traefik was that it was
00:19:03.200
very very flexible and we allowed you to
00:19:04.880
add all kinds of any labels you wanted
00:19:06.640
to so people have worked out how to do
00:19:09.039
these things in Traefik one but it was
00:19:11.840
not it was like that was just people's
00:19:13.320
ingenuity we had not designed it to do
00:19:14.960
that and there were certain things that
00:19:16.000
just didn't map well so we've kind of
00:19:17.760
gone back and tried to make sure that
00:19:19.000
it's specifically designed so that these
00:19:21.760
things just should
00:19:24.600
work um okay so next
00:19:30.039
right so if you haven't used Kamal at all
00:19:32.799
this will be meaningless if you have
00:19:34.679
you've probably struggled with these
00:19:36.240
commands wondering when am I supposed to
00:19:37.799
run these what do they do like and
00:19:39.640
what's going on so the these were
00:19:41.520
commands we used for handling secrets so
00:19:44.520
we would um store secrets in uh in
00:19:49.440
the .env file in the root of your
00:19:51.600
application and use the kamal envify as a
00:19:54.919
command to build that from a template
00:19:56.880
and then push would then push them to
00:19:59.400
the servers and they had uh a different
00:20:02.520
life cycle to the rest of the commands
00:20:04.720
and you had to remember which things you
00:20:06.400
were supposed to run when and it was all
00:20:07.720
very complicated and we find it very
00:20:10.240
confusing so if you find it very
00:20:12.720
confusing you were not alone um so what
00:20:16.520
we wanted to do was yeah just simplify
00:20:19.400
this so we're using the Ruby env gem so
00:20:23.520
that's dotenv and it has support built
00:20:26.840
in for variable command substitution so
00:20:30.120
we thought we'll just lean on that so
00:20:32.640
now here's what our secrets will look
00:20:34.880
like and this is what you should get in
00:20:36.120
the default Rails 8 app uh we've moved
00:20:39.240
them they used to be in the .env file but
00:20:41.240
that was like you know it clashed with
00:20:44.159
things like Foreman so we've moved them
00:20:46.120
into a separate file and we're using the
00:20:48.960
interpolation to load these at kind of
00:20:51.480
run time so when you run your command we
00:20:53.280
will pull these in at that point so we
00:20:54.760
don't need templates that build other
00:20:57.640
files we don't need to store your
00:20:59.360
secrets on disk anywhere we can just uh
00:21:02.240
run it like this so what's happening in
00:21:03.640
that first line is it's just reading the
00:21:06.440
registry password in from uh the
00:21:09.240
environment which does mean you have to
00:21:11.080
set it up in your environment which is
00:21:12.360
annoying but we're hoping to get rid of
00:21:13.559
the registry all together so if we do
00:21:15.400
that then that problem goes away and
00:21:17.760
then the second command is using the
00:21:19.960
second line we're using uh command
00:21:22.640
substitution so we're going to read the
00:21:25.200
configuration file uh directly from
00:21:28.159
config/master.key and that will just go
00:21:30.960
into uh RAILS_MASTER_KEY again at
00:21:36.320
runtime okay so that sort of uh made
00:21:39.960
life a bit easier we don't need to store
00:21:41.640
the secrets as I said uh on the file
00:21:44.600
system you can commit this file into
00:21:47.080
your source control um you can just put
00:21:49.720
your passwords directly in here if you
00:21:51.480
do take it out of source control um but
00:21:54.919
yeah it should just work but um there
00:21:58.840
there's one flaw here in what I'm saying
00:22:00.640
which is uh I'm saying they're not on
00:22:02.520
disk but actually if you look yes they
00:22:04.080
are on disk they're just in a different
00:22:05.880
file so uh what we what you know if you
00:22:09.559
start a new rails app and you have your
00:22:11.159
master key sitting in config/master.key
00:22:14.279
you should probably put it somewhere a
00:22:15.520
bit safer as soon as possible so uh
00:22:19.360
we've also added some secret helpers to
00:22:21.400
kind of aid doing this so um this is
00:22:25.799
kind of looks uh more like the version
00:22:28.200
we have running in HEY so what we've
00:22:30.200
done is we've added a couple of commands
00:22:32.480
into Kamal and this first one kamal secrets
00:22:35.640
fetch uh we've got a bunch of different
00:22:37.960
adapters so there's one for 1Password
00:22:41.240
LastPass and Bitwarden at the moment
00:22:43.640
but we can we can add more as they go we
00:22:46.799
use 1Password so probably that one is
00:22:50.600
uh the other ones may have uh
00:22:53.320
slightly uh rougher edges but we we'll
00:22:56.480
get there with those um and we call this
00:22:59.840
kamal secrets fetch command and that is
00:23:01.919
going to go and manage getting the
00:23:05.000
secrets from our password manager for us
00:23:06.880
so it's going to check are you logged in
00:23:08.440
and if you're not logged in it's going
00:23:09.799
to ask you for your password or let you
00:23:11.919
you know put your fingerprint in and
00:23:14.520
authenticate with your password manager
00:23:16.559
and then as efficiently as possible it's
00:23:18.679
going to extract your passwords from
00:23:20.919
your password manager so in the case of
00:23:22.360
1Password this means instead of
00:23:24.640
having to run separate commands for
00:23:26.159
every password if you store them all in
00:23:27.880
one item you can grab them all in one go
00:23:30.000
which can be much more efficient so
00:23:32.039
that's the first part and because we've
00:23:34.360
got them all in one go we've kind of we
00:23:36.919
then need a way to separate them out
00:23:38.919
into the different variables so we're
00:23:40.679
going to store them under secrets and
00:23:42.960
then we'll run uh kamal secrets extract
00:23:46.000
which honestly is just a glorified
00:23:48.320
version of jq but you're definitely
00:23:50.640
going to have Kamal installed because
00:23:52.000
you're using Kamal and you may not have or
00:23:53.880
want to make sure that you've got jq
00:23:56.200
installed so that will then pull CL out
00:23:58.919
and store them in there so those
00:24:02.039
uh yeah those are the secret
00:24:05.279
outl uh okay so uh
00:24:11.159
next we've got uh so this uh David kind
00:24:15.080
of showed this uh a bit earlier but this
00:24:17.679
is the command you can run to open a
00:24:19.720
rails console and you can do this right
00:24:21.240
now in Kamal 1 so app exec is a Kamal
00:24:26.919
command that will
00:24:29.080
uh either boot up a new container
00:24:32.399
running your latest application image or
00:24:34.559
exec into an existing container and run
00:24:37.240
the command you supply so you can just
00:24:39.039
pass rails console and there you go
00:24:41.120
you've got a running rails console in
00:24:43.919
production but the problem is that it
00:24:47.600
might be uh you know this is a bit of a
00:24:49.760
mouthful there also like you might have
00:24:52.000
very specific requirements you might
00:24:53.559
want the people always open the console
00:24:56.360
on a specific host so you can a host
00:24:59.080
parameter here you could pass minus H
00:25:00.760
the host you want people to open the
00:25:02.440
console but you want everyone to get the
00:25:04.760
same thing so that's where aliases come
00:25:06.960
in which you shown uh saw earlier but
00:25:09.559
here's how they look in uh the config so
00:25:12.760
you can just set an
00:25:14.159
alias um and you can say right who's
00:25:17.799
console and when you type console it
00:25:20.240
means this command here and Rails I
00:25:23.000
think will ship with console for opening
00:25:25.520
a console shell for opening a bash shell
00:25:27.640
and logs for um just tailing logs on one
00:25:31.840
one of your
00:25:33.039
servers so yeah so that's the aliases
00:25:36.640
and that's how it works then you can
00:25:38.080
just run kamal console so if you've
00:25:39.760
deployed with Kamal that should be enough
00:25:41.520
out of the box at Rails 8 to get
00:25:43.760
yourself a console uh that's up and
00:25:48.760
running okay so um yeah just to say in
00:25:53.840
conclusion uh so Kamal 1 that was really
00:25:57.159
we built that with our specific use
00:25:58.880
case in mind but with Kamal 2 what we were
00:26:01.159
really looking at was say you know
00:26:04.399
you're you're just typing rails new you
00:26:07.080
using Rails 8 with Kamal 2 say you've
00:26:10.760
just bought a domain and you've got like
00:26:12.200
a $6 a month uh like DigitalOcean
00:26:14.919
droplet or something and you just want
00:26:16.159
to go as quickly as possible from rails
00:26:18.240
new to it just running on HTTPS we saw
00:26:21.080
from David's demo that you can do that
00:26:22.880
really really quickly so that's kind of
00:26:24.440
all the steps we've been uh doing here
00:26:27.080
to try and make that uh process as uh
00:26:30.880
smooth as possible so uh one other thing
00:26:34.080
I'll just say about Kamal 2 is yes it's
00:26:36.799
not been released yet as I said before
00:26:39.640
it will be released later today uh Kevin
00:26:42.240
is going to help me uh with that because
00:26:44.360
he's dealing with Kamal proxy so we'll
00:26:46.080
wait till after he's talked as well and
00:26:48.440
then we should be uh ready to go and uh
00:26:51.720
yeah there'll be some up up uh updates
00:26:54.600
to the documentation at that point um
00:26:58.000
and yeah really good to know what you
00:27:02.240
think okay uh and I'll just leave you
00:27:05.640
with some links here that is the
00:27:07.679
currently Kamal 1 documentation site soon
00:27:09.960
to be Kamal 2 uh these are the repos for
00:27:13.320
Kamal itself the gem and then for Kamal
00:27:15.760
proxy the Go uh proxy and that's me
00:27:21.159
thank you very much