Introduce new option to bypass validation of registry configuration

[mike-weiner]

Closes #1646.

This PR adds a new field to the registry section of the configuration file to bypass all validation of the registry config.

The primary use case here is to be able to run commands like kamal app containers or kamal app version without having to specify image registry credentials in the configuration file.

This new bypass is opt-in only. By default, users will get the safeguard of the validation. skip_validation: false is not an option. You either include skip_validation: true or you leave it out.

For those that want to potentially shoot themselves in the foot by being able to bypass the registry config validation, they can now do something like:

registry:
  skip_validation: true

[djmb]

I'm not clear on why we would need this. You can use secrets to specify the values in the config (DOCKER_REGISTRY_TOKEN etc).

Those secrets should only be read when attempting to login to the registry, so if you want to run commands that don't login to the registry like kamal app containers then that should still work, even if you don't have access to them. If it doesn't work like that right now, we should fix that rather than add an option to skip the validations.

[mike-weiner]

@djmb - My PR description was confusing. Let me try to clear things up.

If I wanted to run kamal app version (which shouldn't require any registry login), and my configuration file doesn't specify registry at all, I get this error:

weiner kenyonwx (main) % kamal app version
  ERROR (Kamal::ConfigurationError): registry/username: is required

If I then update my configuration file to list:

registry:
  username:
    - ""
  password:
    - ""

I can then successfully run kamal app containers. I don't want to speak for the author of #1646, but I think that is the heart of the issue.

I'm not a fan of including blank values. With this PR I suggested being able to do something like:

registry:
  skip_validation: true

That would get around the ERROR (Kamal::ConfigurationError): registry/username: is required.

Bottom line is that I don't feel like kamal should require registry configuration to be present for commands that don't invoke registry operations. With the way kamal is currently structured, it does all validation up-front before any command logic is run.

What are your thoughts?

[djmb]

I'm not sold on this - it means that you have two different configuration files, one with the registry details and the other with skip_validation: true.

It seems simpler to have one configuration file and inject the secrets into it at runtime. Kamal lazy loads secrets, so you don't need access to them for commands that don't use them.

[mike-weiner]

@djmb -

What is the expected way to handle the situation where I don't want folks to have access to a container registry but want them to be able to use Kamal to view app logs?

Just put in empty strings?

[djmb]

Hi @mike-weiner!

It would be to have something like:

# config/deploy.yml
registry:
  username: <name>
  password:
    - KAMAL_REGISTRY_PASSWORD

# .kamal/secrets-common
KAMAL_REGISTRY_PASSWORD=$(command-to-fetch-password)

Then only kamal commands that need the password should call command-to-fetch-password. kamal app version shouldn't do that so it should work ok without access.

[mike-weiner]

Hi, @djmb!

Okay, I'm fine with that solution and closing this PR.