
Move Airflow web container into Shipyard pod

Moves the Airflow web server container from its own pod into the
Shipyard pod. This removes exposed network surface area from the
Shipyard suite of software. After this change, Shipyard accesses the
Airflow API over localhost within the same k8s pod.

Change-Id: Ied4bd415a8d78c393b7256ead27a6a2176f4a2d6
Bryan Strassner 3 months ago
parent
commit
a11e962eef

+ 3
- 3
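--- a/charts/shipyard/templates/deployment-airflow-scheduler.yaml
+++ b/charts/shipyard/templates/deployment-airflow-scheduler.yaml
@@ -61,9 +61,9 @@ spec:
           env:
           - name: AIRFLOW_CONN_AIRFLOWS_OWN_DB
             valueFrom:
-                secretKeyRef:
-                    name: {{ .Values.secrets.postgresql_airflow_db.user }}
-                    key: AIRFLOW_DATABASE_URI
+              secretKeyRef:
+                name: {{ .Values.secrets.postgresql_airflow_db.user }}
+                key: AIRFLOW_DATABASE_URI
           # Set to -1 to stop scheduler from going into crash loops
           args: ["scheduler", "-n", "-1" ]
           volumeMounts: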

+ 0
- 92
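--- a/charts/shipyard/templates/deployment-airflow-web.yaml
+++ b/charts/shipyard/templates/deployment-airflow-web.yaml
@@ -1,92 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-{{- if .Values.manifests.deployment_airflow_web }}
-{{- $envAll := . }}
-{{- $serviceAccountName := "airflow-web" }}
-{{ tuple $envAll "airflow_server" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
-{{- $mounts_airflow_web := .Values.pod.mounts.airflow_web.airflow_web }}
-{{- $mounts_airflow_web_init := .Values.pod.mounts.airflow_web.init_container }}
----
-apiVersion: apps/v1beta1
-kind: Deployment
-metadata:
-  name: airflow-web
-  annotations:
-    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
-spec:
-  replicas: {{ .Values.pod.replicas.airflow.web }}
-{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
-  template:
-    metadata:
-      labels:
-{{ tuple $envAll "airflow" "web" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
-      annotations:
-        configmap-bin-hash: {{ tuple "configmap-airflow-bin.yaml" . | include "helm-toolkit.utils.hash" }}
-        configmap-etc-hash: {{ tuple "configmap-airflow-etc.yaml" . | include "helm-toolkit.utils.hash" }}
-    spec:
-      serviceAccountName: {{ $serviceAccountName }}
-      nodeSelector:
-        {{ .Values.labels.airflow.node_selector_key }}: {{ .Values.labels.airflow.node_selector_value }}
-      restartPolicy: Always
-      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.airflow.timeout | default "30" }}
-      initContainers:
-{{ tuple $envAll "airflow_server" $mounts_airflow_web_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
-      containers:
-        - name: airflow-web
-          image: {{ .Values.images.tags.airflow }}
-          imagePullPolicy: {{ .Values.images.pull_policy }}
-{{ tuple $envAll $envAll.Values.pod.resources.airflow.web | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-          env:
-          - name: AIRFLOW_CONN_AIRFLOWS_OWN_DB
-            valueFrom:
-                secretKeyRef:
-                    name: {{ .Values.secrets.postgresql_airflow_db.user }}
-                    key: AIRFLOW_DATABASE_URI
-          ports:
-            - containerPort: {{ .Values.network.airflow.web.port }}
-          args: ["webserver"]
-          readinessProbe:
-            tcpSocket:
-              port: {{ .Values.network.airflow.web.port }}
-          volumeMounts:
-            - name: airflow-etc
-              mountPath: {{ .Values.conf.airflow_config_file.path }}
-              subPath: airflow.cfg
-              readOnly: true
-            - name: shipyard-etc
-              mountPath: /usr/local/airflow/plugins/shipyard.conf
-              subPath: shipyard.conf
-              readOnly: true
-            - name: airflow-logs
-              mountPath: {{ .Values.conf.airflow.core.base_log_folder }}
-{{ if $mounts_airflow_web.volumeMounts }}{{ toYaml $mounts_airflow_web.volumeMounts | indent 12 }}{{ end }}
-      volumes:
-        - name: airflow-etc
-          configMap:
-            name: airflow-etc
-            defaultMode: 0444
-        - name: shipyard-etc
-          configMap:
-            name: shipyard-etc
-            defaultMode: 0444
-        - name: airflow-bin
-          configMap:
-            name: airflow-bin
-            defaultMode: 0555
-        - name: airflow-logs
-          emptyDir: {}
-{{ if $mounts_airflow_web.volumes }}{{ toYaml $mounts_airflow_web.volumes | indent 8 }}{{ end }}
-{{- end }}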

+ 38
- 3
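--- a/charts/shipyard/templates/deployment-shipyard.yaml
+++ b/charts/shipyard/templates/deployment-shipyard.yaml
@@ -15,9 +15,10 @@
 
 {{- if .Values.manifests.deployment_shipyard }}
 {{- $envAll := . }}
+{{- $serviceAccountName := "shipyard" }}
 {{- $mounts_shipyard := .Values.pod.mounts.shipyard.shipyard }}
 {{- $mounts_shipyard_init := .Values.pod.mounts.shipyard.init_container }}
-{{- $serviceAccountName := "shipyard" }}
+
 {{ tuple $envAll "shipyard" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: apps/v1beta1
@@ -34,8 +35,10 @@ spec:
       labels:
 {{ tuple $envAll "shipyard" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
       annotations:
-        configmap-bin-hash: {{ tuple "configmap-shipyard-bin.yaml" . | include "helm-toolkit.utils.hash" }}
-        configmap-etc-hash: {{ tuple "configmap-shipyard-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+        shipyard-configmap-bin-hash: {{ tuple "configmap-shipyard-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        shipyard-configmap-etc-hash: {{ tuple "configmap-shipyard-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+        airflow-configmap-bin-hash: {{ tuple "configmap-airflow-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        airflow-configmap-etc-hash: {{ tuple "configmap-airflow-etc.yaml" . | include "helm-toolkit.utils.hash" }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}
       nodeSelector:
@@ -88,6 +91,28 @@ spec:
             - name: tmp-profiles
               mountPath: /tmp/profiles
 {{ end }}
+        - name: airflow-web
+          image: {{ .Values.images.tags.airflow }}
+          imagePullPolicy: {{ .Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.airflow.web | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+          - name: AIRFLOW_CONN_AIRFLOWS_OWN_DB
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.secrets.postgresql_airflow_db.user }}
+                key: AIRFLOW_DATABASE_URI
+          args: ["webserver"]
+          volumeMounts:
+            - name: airflow-etc
+              mountPath: {{ .Values.conf.airflow_config_file.path }}
+              subPath: airflow.cfg
+              readOnly: true
+            - name: shipyard-etc
+              mountPath: /usr/local/airflow/plugins/shipyard.conf
+              subPath: shipyard.conf
+              readOnly: true
+            - name: airflow-logs
+              mountPath: {{ .Values.conf.airflow.core.base_log_folder }}
 {{ if $mounts_shipyard.volumeMounts }}{{ toYaml $mounts_shipyard.volumeMounts | indent 12 }}{{ end }}
       volumes:
 {{ if .Values.conf.shipyard.base.profiler }}
@@ -100,5 +125,15 @@ spec:
           configMap:
             name: shipyard-etc
             defaultMode: 0444
+        - name: airflow-etc
+          configMap:
+            name: airflow-etc
+            defaultMode: 0444
+        - name: airflow-bin
+          configMap:
+            name: airflow-bin
+            defaultMode: 0555
+        - name: airflow-logs
+          emptyDir: {}
 {{ if $mounts_shipyard.volumes }}{{ toYaml $mounts_shipyard.volumes | indent 8 }}{{ end }}
 {{- end }}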
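Review bot: The `airflow-web` container added in the `@@ -88,6 +91,28 @@` hunk has no `readinessProbe`, whereas the deleted deployment-airflow-web.yaml carried a `tcpSocket` probe, so the pod can report Ready while Shipyard's calls to `http://localhost:8080/` still fail. Because values.yaml now binds the webserver to 127.0.0.1, a kubelet `tcpSocket` or `httpGet` probe against the pod IP would presumably not reach it; an `exec` probe that checks the loopback port from inside the container looks like the fit. The pod-level `serviceAccountName` and the `AIRFLOW_DATABASE_URI` secret now sit in one pod with the Shipyard API, so the two containers share a network namespace and a trust boundary; I would put a comment above the container such as `# loopback-only sidecar: do not add ports/Service for this container`. The containers list starts outside the hunk, so probes on the neighbouring container are not visible here.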

+ 0
- 49
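--- a/charts/shipyard/templates/ingress-airflow-api.yaml
+++ b/charts/shipyard/templates/ingress-airflow-api.yaml
@@ -1,49 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.ingress_airflow_api }}
-{{- $envAll := . }}
-{{- if .Values.network.airflow.ingress.public }}
-{{- $backendServiceType := "airflow_web" }}
-{{- $backendPort := "http" }}
-{{- $ingressName := tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
-{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
-{{- $hostName := tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
-{{- $hostNameNamespaced := tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
-{{- $hostNameFull := tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
----
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: {{ $ingressName }}
-  annotations:
-    kubernetes.io/ingress.class: "nginx"
-    ingress.kubernetes.io/rewrite-target: /
-    nginx.ingress.kubernetes.io/proxy-read-timeout: {{ .Values.network.airflow.ingress.proxy_read_timeout | quote }}
-spec:
-  rules:
-{{- range $key1, $vHost := tuple $hostName $hostNameNamespaced $hostNameFull }}
-  - host: {{ $vHost }}
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: {{ $backendName }}
-          servicePort: {{ $backendPort }}
-{{- end }}
-{{- end }}
-{{- end }}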

+ 0
- 33
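--- a/charts/shipyard/templates/service-airflow-ingress.yaml
+++ b/charts/shipyard/templates/service-airflow-ingress.yaml
@@ -1,33 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.service_airflow_ingress }}
-{{- $envAll := . }}
-{{- if .Values.network.airflow.ingress.public }}
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ tuple "airflow_web" "public" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
-spec:
-  ports:
-  - name: http
-    port: 80
-  selector:
-    app: ingress-api
-{{- end }}
-{{- end }}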

+ 0
- 44
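--- a/charts/shipyard/templates/service-airflow-web.yaml
+++ b/charts/shipyard/templates/service-airflow-web.yaml
@@ -1,44 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.service_airflow_web }}
-{{- $envAll := . }}
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ tuple "airflow_web" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
-spec:
-  ports:
-    {{ if .Values.network.airflow.web.enable_node_port }}
-    - name: http
-      nodePort: {{ .Values.network.airflow.web.node_port }}
-      port: {{ .Values.network.airflow.web.port }}
-      protocol: TCP
-      targetPort: {{ .Values.network.airflow.web.port }}
-    {{ else }}
-    - name: http
-      port: {{ .Values.network.airflow.web.port }}
-      protocol: TCP
-      targetPort: {{ .Values.network.airflow.web.port }}
-    {{ end }}
-  selector:
-{{ tuple $envAll "airflow" "web" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
-  {{ if .Values.network.airflow.web.enable_node_port }}
-  type: NodePort
-  {{ end }}
-{{- end }}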

+ 3
- 3
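--- a/charts/shipyard/templates/statefulset-airflow-worker.yaml
+++ b/charts/shipyard/templates/statefulset-airflow-worker.yaml
@@ -101,9 +101,9 @@ spec:
           env:
           - name: AIRFLOW_CONN_AIRFLOWS_OWN_DB
             valueFrom:
-                secretKeyRef:
-                    name: {{ .Values.secrets.postgresql_airflow_db.user }}
-                    key: AIRFLOW_DATABASE_URI
+              secretKeyRef:
+                name: {{ .Values.secrets.postgresql_airflow_db.user }}
+                key: AIRFLOW_DATABASE_URI
           # Set to -1 to stop scheduler from going into crash loops
           args: ["scheduler", "-n", "-1" ]
           volumeMounts: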

+ 10
- 46
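--- a/charts/shipyard/values.yaml
+++ b/charts/shipyard/values.yaml
@@ -65,14 +65,6 @@ network:
     node_port: 31901
     enable_node_port: false
   airflow:
-    ingress:
-      public: true
-      proxy_read_timeout: 600
-    web:
-      name: airflow-web
-      port: 8080
-      node_port: 32080
-      enable_node_port: false
     worker:
       name: airflow-worker
       port: 8793
@@ -87,8 +79,6 @@ dependencies:
       services:
         - service: postgresql_shipyard_db
           endpoint: internal
-        - service: airflow_web
-          endpoint: internal
     shipyard_db_sync:
       jobs:
         - shipyard-db-init
@@ -131,8 +121,6 @@ dependencies:
         - shipyard-ks-user
         - shipyard-ks-endpoints
       services:
-        - service: airflow_web
-          endpoint: internal
         - service: identity
           endpoint: internal
         - service: postgresql_shipyard_db
@@ -213,21 +201,6 @@ endpoints:
       #   tls:
       #     crt: null
       #     key: null
-  airflow_web:
-    name: airflow-web
-    hosts:
-      default: airflow-web-int
-      public: airflow-web
-    port:
-      airflow_web:
-        default: 8080
-        public: 80
-    path:
-     default: /
-    scheme:
-      default: http
-    host_fqdn_override:
-      default: null
   airflow_worker:
     name: airflow-worker
     hosts:
@@ -394,7 +367,7 @@ conf:
       paste.filter_factory: keystonemiddleware.auth_token:filter_factory
   shipyard:
     base:
-      web_server:
+      web_server: http://localhost:8080/
       pool_size: 15
       pool_pre_ping: true
       pool_timeout: 30
@@ -507,7 +480,9 @@ conf:
       worker_precheck: "False"
     cli:
       api_client: airflow.api.client.local_client
-      # endpoint_url is extracted from endpoints by the configmap template
+      # if endpoint_url is not set, it is extracted from endpoints by the
+      # configmap template
+      endpoint_url: http://localhost/
     api:
       auth_backend: airflow.api.auth.backend.default
     lineage:
@@ -530,8 +505,12 @@ conf:
       # Shipyard is not using this
       default_hive_mapred_queue: ""
     webserver:
-      # base_url is extracted from endpoints by the configmap template
-      web_server_host: 0.0.0.0
+      # if base_url is not set, is extracted from endpoints by the configmap
+      # template
+      base_url: http://localhost/
+      # set web_server_host to 0.0.0.0 to bind to all interfaces. By default
+      # only bind to loopback
+      web_server_host: 127.0.0.1
       web_server_port: 8080
       web_server_ssl_cert: ""
       web_server_ssl_key: ""
@@ -706,9 +685,6 @@ pod:
       init_container: null
       airflow_worker:
       airflow_scheduler:
-    airflow_web:
-      init_container: null
-      airflow_web:
     shipyard:
       init_container: null
       shipyard:
@@ -722,7 +698,6 @@ pod:
     shipyard:
       api: 2
     airflow:
-      web: 2
       worker: 2
       scheduler: 2
   lifecycle:
@@ -841,13 +816,6 @@ pod:
         requests:
           memory: "128Mi"
           cpu: "100m"
-      airflow:
-        limits:
-          memory: "128Mi"
-          cpu: "100m"
-        requests:
-          memory: "128Mi"
-          cpu: "100m"
 
 manifests:
   configmap_shipyard_bin: true
@@ -858,9 +826,7 @@ manifests:
   #   running the scheduler
   deployment_airflow_scheduler: true
   deployment_shipyard: true
-  deployment_airflow_web: true
   statefulset_airflow_worker: true
-  ingress_airflow_api: true
   ingress_shipyard_api: true
   job_shipyard_db_init: true
   job_shipyard_db_sync: true
@@ -875,10 +841,8 @@ manifests:
   secret_ingress_tls: true
   secret_keystone: true
   secret_rabbitmq: true
-  service_airflow_ingress: true
   service_shipyard: true
   service_shipyard_ingress: true
-  service_airflow_web: true
   service_airflow_worker: true
   service_discovery_airflow_worker: true
   test_shipyard_api: true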
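Review bot: The new comment above `web_server_host: 127.0.0.1` in the `@@ -530` hunk tells operators they may set 0.0.0.0 without saying what that exposes: the context of the `@@ -507` hunk shows `auth_backend: airflow.api.auth.backend.default`, which as far as I know performs no authentication, and with the Service and Ingress removed by this commit the loopback bind becomes the main control on the Airflow API. I would reword it to `# keep 127.0.0.1 unless an authenticating auth_backend is configured; 0.0.0.0 exposes the API on the pod IP`. Separately, `endpoint_url: http://localhost/` and `base_url: http://localhost/` carry no port while `web_server: http://localhost:8080/` and `web_server_port: 8080` do, so if either URL is used to reach the webserver it presumably needs `:8080`. Both added comments still describe a fallback to `endpoints`, but the `airflow_web` endpoint is deleted in the `@@ -213` hunk, so that fallback may no longer resolve when the value is unset.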

+ 12
- 1
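--- a/doc/source/_static/shipyard.policy.yaml.sample
+++ b/doc/source/_static/shipyard.policy.yaml.sample
@@ -40,10 +40,16 @@
 # POST  /api/v1.0/configdocs/{collection_id}
 #"workflow_orchestrator:create_configdocs": "rule:admin_required"
 
-# Retrieve a collection of configuration documents
+# Retrieve a collection of configuration documents with redacted
+# secrets
 # GET  /api/v1.0/configdocs/{collection_id}
 #"workflow_orchestrator:get_configdocs": "rule:admin_required"
 
+# Retrieve a collection of configuration documents with cleartext
+# secrets.
+# GET  /api/v1.0/configdocs/{collection_id}
+#"workflow_orchestrator:get_configdocs_cleartext": "rule:admin_required"
+
 # Move documents from the Shipyard buffer to the committed documents
 # POST  /api/v1.0/commitconfigdocs
 #"workflow_orchestrator:commit_configdocs": "rule:admin_required"
@@ -53,6 +59,11 @@
 # GET  /api/v1.0/renderedconfigdocs
 #"workflow_orchestrator:get_renderedconfigdocs": "rule:admin_required"
 
+# Retrieve the configuration documents with cleartext secrets rendered
+# by Deckhand into a complete design
+# GET  /api/v1.0/renderedconfigdocs
+#"workflow_orchestrator:get_renderedconfigdocs_cleartext": "rule:admin_required"
+
 # Retrieve the list of workflows (DAGs) that have been invoked in
 # Airflow, whether via Shipyard or scheduled
 # GET  /api/v1.0/workflows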

+ 12
- 1
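--- a/src/bin/shipyard_airflow/etc/shipyard/policy.yaml.sample
+++ b/src/bin/shipyard_airflow/etc/shipyard/policy.yaml.sample
@@ -40,10 +40,16 @@
 # POST  /api/v1.0/configdocs/{collection_id}
 #"workflow_orchestrator:create_configdocs": "rule:admin_required"
 
-# Retrieve a collection of configuration documents
+# Retrieve a collection of configuration documents with redacted
+# secrets
 # GET  /api/v1.0/configdocs/{collection_id}
 #"workflow_orchestrator:get_configdocs": "rule:admin_required"
 
+# Retrieve a collection of configuration documents with cleartext
+# secrets.
+# GET  /api/v1.0/configdocs/{collection_id}
+#"workflow_orchestrator:get_configdocs_cleartext": "rule:admin_required"
+
 # Move documents from the Shipyard buffer to the committed documents
 # POST  /api/v1.0/commitconfigdocs
 #"workflow_orchestrator:commit_configdocs": "rule:admin_required"
@@ -53,6 +59,11 @@
 # GET  /api/v1.0/renderedconfigdocs
 #"workflow_orchestrator:get_renderedconfigdocs": "rule:admin_required"
 
+# Retrieve the configuration documents with cleartext secrets rendered
+# by Deckhand into a complete design
+# GET  /api/v1.0/renderedconfigdocs
+#"workflow_orchestrator:get_renderedconfigdocs_cleartext": "rule:admin_required"
+
 # Retrieve the list of workflows (DAGs) that have been invoked in
 # Airflow, whether via Shipyard or scheduled
 # GET  /api/v1.0/workflows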
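Review bot: The added `get_configdocs_cleartext` and `get_renderedconfigdocs_cleartext` entries list exactly the same routes as the redacted rules (`GET /api/v1.0/configdocs/{collection_id}` and `GET /api/v1.0/renderedconfigdocs`), so the sample does not tell an operator which request is checked against the cleartext rule. I would extend each description with the selecting condition, along the lines of `# secrets. Applies when the request asks for cleartext (see the API documentation).`, and add that both rules default to `rule:admin_required`, so redacted and cleartext reads are not separated until an operator overrides one of them. The same applies to the identical hunks in doc/source/_static/shipyard.policy.yaml.sample. These policy entries are not mentioned in the commit description, so they may have arrived with a rebase and deserve their own line in the message.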
