Pipelines

Controls access to the Spinnaker pipelines API. Can be used to prevent a user from creating a pipeline.

Most use cases for this API call are better authored against the opa.pipelines package.

  • Path: pipelines
  • Method: Post
  • Package: spinnaker.http.authz

Example Payload

{
  "input": {
    "body": {
      "application": "hostname",
      "expectedArtifacts": [
        {
          "defaultArtifact": {
            "artifactAccount": "myUserName",
            "id": "4aa85178-0618-46c4-b530-6883d393656d",
            "name": "manifests/deploy-spinnaker.yaml",
            "reference": "Https://api.github.com/repos/myUserName/hostname/contents/manifests/deploy-spinnaker.yaml",
            "type": "github/file",
            "version": "master"
          },
          "displayName": "hostname-deploy",
          "id": "0cf98032-1b0f-48db-9314-09c69293b3a6",
          "matchArtifact": {
            "artifactAccount": "myUserName",
            "customKind": true,
            "id": "3f72ed8e-cb95-454f-9119-2323682121ff",
            "name": "manifests/deploy-spinnaker.yaml",
            "type": "github/file"
          },
          "useDefaultArtifact": true,
          "usePriorArtifact": false
        },
        {
          "defaultArtifact": {
            "artifactAccount": "myUserName",
            "id": "e79162ab-69cb-4ff7-acf4-a8f2875ef8ef",
            "name": "manifests/service-spinnaker.yaml",
            "reference": "Https://api.github.com/repos/myUserName/hostname/contents/manifests/service-spinnaker.yaml",
            "type": "github/file"
          },
          "displayName": "service-hostname",
          "id": "425d20a8-2942-4902-8d2b-277769a1492c",
          "matchArtifact": {
            "artifactAccount": "myUserName",
            "customKind": true,
            "id": "d7ac7eca-0131-4d54-ab8f-880ff0041e4f",
            "name": "manifests/service-spinnaker",
            "type": "github/file"
          },
          "useDefaultArtifact": true,
          "usePriorArtifact": false
        }
      ],
      "id": "7db1e350-dedb-4dc1-9976-e71f97b5f132",
      "index": 0,
      "keepWaitingPipelines": false,
      "lastModifiedBy": "myUserName",
      "limitConcurrent": true,
      "name": "scale deployments",
      "parameterConfig": [
        {
          "default": "",
          "description": "",
          "hasOptions": false,
          "label": "",
          "name": "replicas",
          "options": [
            {
              "value": ""
            }
          ],
          "pinned": false,
          "required": false
        },
        {
          "default": "staging",
          "description": "",
          "hasOptions": false,
          "label": "",
          "name": "namespace",
          "options": [
            {
              "value": ""
            }
          ],
          "pinned": false,
          "required": true
        }
      ],
      "spelEvaluator": "v4",
      "stages": [
        {
          "account": "spinnaker",
          "cloudProvider": "kubernetes",
          "manifestArtifactId": "0cf98032-1b0f-48db-9314-09c69293b3a6",
          "moniker": {
            "app": "hostname"
          },
          "name": "Deploy (Manifest) g",
          "refId": "2",
          "requisiteStageRefIds": [],
          "skipExpressionEvaluation": false,
          "source": "artifact",
          "trafficManagement": {
            "enabled": false,
            "options": {
              "enableTraffic": false,
              "services": []
            }
          },
          "type": "deployManifest"
        },
        {
          "account": "spinnaker",
          "cloudProvider": "kubernetes",
          "manifestArtifactId": "425d20a8-2942-4902-8d2b-277769a1492c",
          "moniker": {
            "app": "hostname"
          },
          "name": "Deploy service (Manifest)",
          "refId": "3",
          "requisiteStageRefIds": [],
          "skipExpressionEvaluation": false,
          "source": "artifact",
          "trafficManagement": {
            "enabled": false,
            "options": {
              "enableTraffic": false,
              "services": []
            }
          },
          "type": "deployManifest"
        },
        {
          "completeOtherBranchesThenFail": false,
          "continuePipeline": true,
          "failPipeline": false,
          "instructions": "is the new service working?",
          "judgmentInputs": [],
          "name": "Manual Judgment",
          "notifications": [],
          "refId": "4",
          "requisiteStageRefIds": [
            "2",
            "3"
          ],
          "stageTimeoutMs": 60000,
          "type": "manualJudgment"
        },
        {
          "account": "spinnaker",
          "app": "hostname",
          "cloudProvider": "kubernetes",
          "location": "staging",
          "manifestName": "deployment hostname",
          "mode": "static",
          "name": "Scale (Manifest)",
          "refId": "5",
          "replicas": "10",
          "requisiteStageRefIds": [
            "4"
          ],
          "type": "scaleManifest"
        }
      ],
      "triggers": [
        {
          "branch": "master",
          "enabled": true,
          "expectedArtifactIds": [
            "0cf98032-1b0f-48db-9314-09c69293b3a6",
            "425d20a8-2942-4902-8d2b-277769a1492c"
          ],
          "project": "myUserName",
          "secret": "spinnaker",
          "slug": "hostname",
          "source": "github",
          "type": "git"
        }
      ],
      "updateTs": "1620677311000"
    },
    "method": "POST",
    "path": [
      "pipelines"
    ],
    "user": {
      "isAdmin": false,
      "roles": [],
      "username": "myUserName"
    }
  }
}

Example Policy

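package spinnaker.http.authz

# An empty message means no rule objected to the request.
default message = ""

# The request is allowed only when no denial message was produced.
allow = message == ""

# Deny a pipeline save (POST to the pipelines path) unless the caller is an admin.
message = "Only admins can save pipelines" {
    input.path[0] == "pipelines"
    input.method == "POST"
    input.user.isAdmin != true
}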
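
A stricter variant of the policy above, added here as an example and not taken from Armory's documentation: it treats a missing isAdmin as non-admin and checks input.body keys listed in the tables below. The allowed_accounts list and the req helper are assumptions; the syntax matches the page's pre-1.0 Rego, so with OPA 1.0 or later run opa test with --v0-compatible.

```rego
package spinnaker.http.authz

# Added example, not Armory's policy. Assumption: non-admins may only use
# the accounts listed here in pipeline stages.
allowed_accounts = {"spinnaker"}

default message = ""

allow = message == ""

# Undefined unless isAdmin is exactly true, so `not is_admin` also covers a
# request whose user object has no isAdmin key.
is_admin {
    input.user.isAdmin == true
}

# Stage keys are stage specific: for a stage without an account (for example
# manualJudgment) the assignment is undefined and the stage is skipped.
violations[msg] {
    stage := input.body.stages[i]
    account := stage.account
    not allowed_accounts[account]
    msg := sprintf("stage %d uses account %q", [i, account])
}

violations[msg] {
    input.body.lastModifiedBy != input.user.username
    msg := "lastModifiedBy does not match the requesting user"
}

# One rule builds the message, so several violations cannot produce
# conflicting values for `message`.
message = concat("; ", sort(violations)) {
    input.path[0] == "pipelines"
    input.method == "POST"
    not is_admin
    count(violations) > 0
}

# Constructed request for `opa test`; only the keys the rules read.
req(user, account) = {"path": ["pipelines"], "method": "POST", "user": user, "body": {
    "lastModifiedBy": "myUserName",
    "stages": [{"type": "manualJudgment"}, {"type": "scaleManifest", "account": account}]
}}

test_allowed_account { allow with input as req({"username": "myUserName", "isAdmin": false}, "spinnaker") }
test_missing_isadmin_denied { not allow with input as req({"username": "myUserName"}, "prod") }
test_admin_allowed { allow with input as req({"username": "myUserName", "isAdmin": true}, "prod") }
```

Load it in place of the example policy rather than alongside it, since both define message and allow in the same package.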

Keys

input

| Key | Type | Description |
| --- | --- | --- |
| input.method | string | Post |
| input.path[] | string | ["pipelines"] |

input.body

| Key | Type | Description |
| --- | --- | --- |
| input.body.application | string | The application for which a pipeline is being saved. |
| input.body.expectedArtifacts[] | array | See artifacts for more information. |
| input.body.id | string | The unique ID of the pipeline. |
| input.body.index | number | |
| input.body.keepWaitingPipelines | boolean | |
| input.body.lastModifiedBy | string | The ID of the last user that modified the pipeline. Should match the user in the input.user field. |
| input.body.limitConcurrent | boolean | |
| input.body.name | string | |
| input.body.parameterConfig[].default | string | |
| input.body.parameterConfig[].description | string | |
| input.body.parameterConfig[].hasOptions | boolean | |
| input.body.parameterConfig[].label | string | |
| input.body.parameterConfig[].name | string | |
| input.body.parameterConfig[].options[].value | string | |
| input.body.parameterConfig[].pinned | boolean | |
| input.body.parameterConfig[].required | boolean | |
| input.body.spelEvaluator | string | |
| input.body.updateTs | string | |

input.body.stages

These fields are all stage specific, and may or may not be present depending on the stage type.

| Key | Type | Description |
| --- | --- | --- |
| input.body.stages[].account | string | The account the stage deploys to. Applies to the following stage types: deployManifest, scaleManifest, deploy. |
| input.body.stages[].app | string | The name of the application being deployed. Use input.body.application instead. Applies to the following stage types: deployManifest, scaleManifest. |
| input.body.stages[].baseAmi | string | Only available for the bake stage. If Base AMI is specified, this is used instead of the Base OS provided. |
| input.body.stages[].baseLabel | string | Only available for the bake stage. Possible values are release, candidate, previous, or unstable. |
| input.body.stages[].baseOs | string | Only available for the bake stage. Defines what OS should be used to identify a Base AMI if none is specified. |
| input.body.stages[].cloudProviderType | string | Only available for the bake stage. Defines what cloud provider type is being used. |
| input.body.stages[].cloudProvider | string | Which specific cloud provider is being used. Applies to the following stage types: deployManifest, scaleManifest, and deploy. |
| input.body.stages[].clusters[].account | string | Only available on the deploy stage. This is the cluster the stage will deploy to. |
| input.body.stages[].clusters[].application | string | Only available on the deploy stage. This is the application being deployed. |
| input.body.stages[].clusters[].availabilityZones.<Region>[] | string | Only available on the deploy stage. Specifies what availability zones to deploy to. |
| input.body.stages[].clusters[].capacity.desired | number | Only available on the deploy stage. The desired number of instances in the autoscaling group. |
| input.body.stages[].clusters[].capacity.max | number | Only available on the deploy stage. The maximum number of instances in the autoscaling group. |
| input.body.stages[].clusters[].capacity.min | number | Only available on the deploy stage. The minimum number of instances in the autoscaling group. |
| input.body.stages[].clusters[].cloudProvider | string | Only available on the deploy stage. Which cloud provider is being used. |
| input.body.stages[].clusters[].cooldown | number | Only available on the deploy stage. A scaling cooldown helps you prevent your Auto Scaling group from launching or terminating additional instances before the effects of previous activities are visible. |
| input.body.stages[].clusters[].copySourceCustomBlockDeviceMappings | boolean | Only available on the deploy stage. If true, Spinnaker will use the block device mappings of the existing server group when deploying a new server group. |
| input.body.stages[].clusters[].delayBeforeDisableSec | number | Only available on the deploy stage. |
| input.body.stages[].clusters[].delayBeforeScaleDownSec | number | Only available on the deploy stage. |
| input.body.stages[].clusters[].ebsOptimized | boolean | Only available on the deploy stage. True if instances are optimized for EBS. |
| input.body.stages[].clusters[].freeFormDetails | string | Only available on the deploy stage. A string of free-form alphanumeric characters and hyphens to describe any other variables in naming a cluster. |
| input.body.stages[].clusters[].healthCheckGracePeriod | number | Only available on the deploy stage. When an instance launches, Amazon EC2 Auto Scaling uses the value of the healthCheckGracePeriod for the Auto Scaling group to determine how long to wait before checking the health status of the instance. |
| input.body.stages[].clusters[].healthCheckType | string | Only available on the deploy stage. The value can be either ELB or EC2. |
| input.body.stages[].clusters[].iamRole | string | Only available on the deploy stage. What role is being used to run the instances. |
| input.body.stages[].clusters[].instanceMonitoring | boolean | Only available on the deploy stage. Determines whether to enable detailed monitoring of instances. |
| input.body.stages[].clusters[].instanceType | string | Only available on the deploy stage. The type of instances to deploy to. |
| input.body.stages[].clusters[].keyPair | string | Only available on the deploy stage. The set of security credentials that can be used to connect to this instance. |
| input.body.stages[].clusters[].maxRemainingAsgs | number | Only available on the deploy stage. How many auto scaling groups from prior deployments for this application should be left up and running once the new deployment is complete. |
| input.body.stages[].clusters[].provider | string | Only available on the deploy stage. Defines the cloud provider. |
| input.body.stages[].clusters[].rollback.onFailure | boolean | Only available on the deploy stage. True if the deploy should be automatically rolled back on failure. |
| input.body.stages[].clusters[].scaleDown | boolean | Only available on the deploy stage. |
| input.body.stages[].clusters[].spotPrice | string | Only available on the deploy stage. |
| input.body.stages[].clusters[].stack | string | Only available on the deploy stage. |
| input.body.stages[].clusters[].strategy | string | Only available on the deploy stage. The deployment strategy tells Spinnaker what to do with the previous version of the server group. |
| input.body.stages[].clusters[].subnetType | string | Only available on the deploy stage. The subnet selection determines the VPC in which your server group will run. Options vary by account and region. |
| input.body.stages[].clusters[].tags.Name | string | Only available on the deploy stage. Tags are propagated to the instances in this cluster. |
| input.body.stages[].clusters[].targetHealthyDeployPercentage | number | Only available on the deploy stage. |
| input.body.stages[].clusters[].terminationPolicies[] | string | Only available on the deploy stage. The name of the policy to determine how old instances are terminated. |
| input.body.stages[].clusters[].useAmiBlockDeviceMappings | boolean | Only available on the deploy stage. If true, Spinnaker will use the block device mappings from the selected AMI when deploying a new server group. |
| input.body.stages[].completeOtherBranchesThenFail | boolean | Prevents any stages that depend on this stage from running, but allows other branches of the pipeline to run. The pipeline is marked as failed once complete. Available for all stages. |
| input.body.stages[].continuePipeline | boolean | Continues execution of downstream stages, marking this stage as failed/continuing. Available for all stages. |
| input.body.stages[].failPipeline | boolean | Immediately halts execution of all running stages and fails the entire execution if this stage fails. Available for all stages. |
| input.body.stages[].instructions | string | Only available on the manual judgement stage. Instructions are shown to the user when making a manual judgment. |
| input.body.stages[].location | string | Only available on the scale manifest stage. The namespace to scale the manifest in. |
| input.body.stages[].manifestArtifactId | string | Only available on the deploy manifest stage. The artifact ID to deploy. |
| input.body.stages[].manifestName | string | Only available on the scale manifest stage. The name of the manifest to scale. |
| input.body.stages[].mode | string | Only available on the scale manifest stage. Determines whether the stage uses a static or a dynamic selector. |
| input.body.stages[].moniker.app | string | The application being deployed. |
| input.body.stages[].name | string | The name of the stage. |
| input.body.stages[].refId | string | The unique ID for the stage in the stage graph. |
| input.body.stages[].region | string | The region in which to bake, only available on the bake stage. |
| input.body.stages[].regions[] | string | The regions in which to bake, only available on the bake stage. |
| input.body.stages[].replicas | string | |
| input.body.stages[].requisiteStageRefIds[] | string | The unique IDs of other stages that must complete before this stage. |
| input.body.stages[].skipExpressionEvaluation | boolean | If true then SpEL is not evaluated in artifacts referenced by the stage. |
| input.body.stages[].source | string | Only applicable to the deploy manifest stage. Specifies whether the manifest should be read from an artifact, or provided as text in the pipeline definition. |
| input.body.stages[].stageTimeoutMs | number | Only applicable to the manual judgement stage. Specifies how long the user has to provide a judgement. |
| input.body.stages[].storeType | string | Only applicable in the bake stage. |
| input.body.stages[].trafficManagement.enabled | boolean | Only applicable to the deploy manifest stage. Allow Spinnaker to associate each ReplicaSet deployed in this stage with one or more Services, and manage traffic based on your selected rollout strategy options. |
| input.body.stages[].trafficManagement.options.enableTraffic | boolean | Only applicable to the deploy manifest stage. Sends client requests to new pods when traffic management is enabled. |
| input.body.stages[].type | string | The type of the stage. |
| input.body.stages[].user | string | Only applicable in the bake stage. |
| input.body.stages[].vmType | string | Only applicable in the bake stage. |

input.body.triggers

| Key | Type | Description |
| --- | --- | --- |
| input.body.triggers[].branch | string | Which branch of the git repository triggers this pipeline. |
| input.body.triggers[].enabled | boolean | True if the trigger is enabled. |
| input.body.triggers[].expectedArtifactIds[] | string | |
| input.body.triggers[].project | string | A change in what project will trigger this pipeline. |
| input.body.triggers[].secret | string | The secret that the trigger uses to authenticate with Spinnaker. |
| input.body.triggers[].slug | string | The trigger’s slug. For example, with a GitHub trigger this is the project name. |
| input.body.triggers[].source | string | The type of the source for the trigger. For some trigger types this can be used to disambiguate amongst multiple trigger invokers. |
| input.body.triggers[].type | string | The configured type of the trigger. |

input.user

This object provides information about the user performing the action. This can be used to restrict actions by role. See input.user for more information.


Last modified August 18, 2023: (02b163b7)