upperLimit(e, cfg.commitSha().map(String::length).orElse(0), MAX_COMMIT_SHA_LENGTH, "commitSha too long"); upperLimit(e, cfg.secret().map(s -> s.name().length()).orElse(0), MAX_SECRET_NAME_LENGTH, "secret name too long"); upperLimit(e, cfg.secret().map(s -> s.mountPath().length()).orElse(0), MAX_SECRET_MOUNT_PATH_LENGTH, "secret mount path too long"); upperLimit(e, cfg.serviceAccount().map(String::length).orElse(0),
/**
 * Validates the custom secret referenced by {@code runSpec}, if there is one, before the run
 * is allowed to use it.
 *
 * <p>A reference is rejected, with an {@code [AUDIT]} warning naming the workflow and the
 * secret, when (1) the secret name starts with {@code STYX_WORKFLOW_SA_SECRET_NAME}, the prefix
 * used for managed service account key secrets, (2) the mount path equals the reserved
 * {@code STYX_WORKFLOW_SA_SECRET_MOUNT_PATH}, or (3) {@code client} returns no secret of that
 * name. A reference that passes all three checks is logged at info level and returned as-is.
 *
 * @param workflowInstance the instance being run; only {@code workflowId()} is read, for audit
 *     logging
 * @param runSpec the run specification carrying the optional secret reference
 * @return the validated reference, or {@link Optional#empty()} when {@code runSpec} has no
 *     secret
 * @throws InvalidExecutionException if the reference fails any of the checks above
 */
private Optional<WorkflowConfiguration.Secret> ensureCustomSecret(
    WorkflowInstance workflowInstance, RunSpec runSpec) {
  return runSpec.secret().map(requested -> checkedCustomSecret(workflowInstance, requested));
}

/**
 * Runs the audit checks for one requested secret and returns it unchanged when all pass.
 *
 * @param workflowInstance the instance being run, used for audit logging
 * @param requested the secret reference taken from the run specification
 * @return {@code requested}
 * @throws InvalidExecutionException if the name carries the managed service account key
 *     prefix, the mount path is the reserved one, or no secret of that name exists
 */
private WorkflowConfiguration.Secret checkedCustomSecret(
    WorkflowInstance workflowInstance, WorkflowConfiguration.Secret requested) {
  final String secretName = requested.name();

  // Names under the managed service account key prefix are never user-mountable.
  if (secretName.startsWith(STYX_WORKFLOW_SA_SECRET_NAME)) {
    LOG.warn("[AUDIT] Workflow {} refers to secret {} with managed service account key secret name prefix, denying execution",
        workflowInstance.workflowId(), secretName);
    throw new InvalidExecutionException(
        "Referenced secret '" + secretName + "' has the managed service account key secret name prefix");
  }

  // Targeting the reserved mount path is treated as deliberate rather than coincidental.
  // NOTE(review): this is an exact string comparison; a differently spelled form of the same
  // path is not caught here.
  if (STYX_WORKFLOW_SA_SECRET_MOUNT_PATH.equals(requested.mountPath())) {
    LOG.warn("[AUDIT] Workflow {} tries to mount secret {} to the reserved path",
        workflowInstance.workflowId(), secretName);
    throw new InvalidExecutionException(
        "Referenced secret '" + secretName + "' has the mount path "
            + STYX_WORKFLOW_SA_SECRET_MOUNT_PATH + " defined that is reserved");
  }

  // The referenced secret must already exist; a dangling reference is refused up front.
  final Secret existing = client.secrets().withName(secretName).get();
  if (existing == null) {
    LOG.warn("[AUDIT] Workflow {} refers to a non-existent secret {}",
        workflowInstance.workflowId(), secretName);
    throw new InvalidExecutionException(
        "Referenced secret '" + secretName + "' was not found");
  }

  LOG.info("[AUDIT] Workflow {} refers to secret {}", workflowInstance.workflowId(), secretName);
  return requested;
}
/**
 * Prints the workflow's configuration and state as one space-separated line.
 *
 * <p>Column order: component id, workflow id, schedule, offset, docker image, docker args,
 * termination logging flag, secret as {@code name:mountPath}, service account, resources, env,
 * running timeout, commit sha, enabled flag, next natural trigger, next natural offset trigger.
 * Absent optional values print as an empty string; everything else prints via its string form.
 *
 * @param wf the workflow to print
 * @param state the workflow's persisted state
 */
@Override
public void printWorkflow(Workflow wf, WorkflowState state) {
  final Object[] columns = {
      wf.componentId(),
      wf.id().id(),
      wf.configuration().schedule(),
      wf.configuration().offset().orElse(""),
      wf.configuration().dockerImage().orElse(""),
      wf.configuration().dockerArgs().orElse(Collections.emptyList()),
      wf.configuration().dockerTerminationLogging(),
      wf.configuration().secret().map(s -> s.name() + ':' + s.mountPath()).orElse(""),
      wf.configuration().serviceAccount().map(Object::toString).orElse(""),
      wf.configuration().resources(),
      wf.configuration().env(),
      wf.configuration().runningTimeout().map(Duration::toString).orElse(""),
      wf.configuration().commitSha().orElse(""),
      state.enabled().map(Object::toString).orElse(""),
      state.nextNaturalTrigger().map(Object::toString).orElse(""),
      state.nextNaturalOffsetTrigger().map(Object::toString).orElse("")
  };
  System.out.println(Joiner.on(' ').join(columns));
}
/**
 * Prints the workflow's configuration and state as a labelled block, one field per line.
 *
 * <p>Absent optional values print as an empty string; the secret prints as
 * {@code name:mountPath} and env as space-separated {@code key=value} pairs.
 *
 * @param wf the workflow to print
 * @param state the workflow's persisted state
 */
@Override
public void printWorkflow(Workflow wf, WorkflowState state) {
  printField("Component: ", wf.componentId());
  printField(" Workflow: ", wf.id().id());
  printField(" Schedule: ", wf.configuration().schedule());
  printField(" Offset: ", wf.configuration().offset().orElse(""));
  printField(" Image: ", wf.configuration().dockerImage().orElse(""));
  printField(" Args: ", wf.configuration().dockerArgs().orElse(Collections.emptyList()));
  printField(" TermLog: ", wf.configuration().dockerTerminationLogging());
  printField(" Secret: ",
      wf.configuration().secret().map(s -> s.name() + ':' + s.mountPath()).orElse(""));
  printField(" Svc Acct: ", wf.configuration().serviceAccount().orElse(""));
  printField("Resources: ", wf.configuration().resources());
  printField(" Env: ",
      Joiner.on(' ').withKeyValueSeparator('=').join(wf.configuration().env()));
  printField(" Timeout: ",
      wf.configuration().runningTimeout().map(Duration::toString).orElse(""));
  printField(" Commit: ", wf.configuration().commitSha().orElse(""));
  printField(" Enabled: ", state.enabled().map(Object::toString).orElse(""));
  printField(" Trig: ", state.nextNaturalTrigger().map(Object::toString).orElse(""));
  printField("Ofst Trig: ", state.nextNaturalOffsetTrigger().map(Object::toString).orElse(""));
}

/**
 * Prints {@code label} immediately followed by the string form of {@code value} on one line.
 *
 * @param label the field label, including its trailing separator
 * @param value the field value; rendered exactly as string concatenation would render it
 */
private void printField(String label, Object value) {
  System.out.println(label + value);
}
/**
 * Creates a {@link Secret} reference from a secret name and the path it is to be mounted at.
 *
 * <p>Both values are handed to the builder unchanged; any validation happens there.
 *
 * @param name the secret's name
 * @param mountPath the path the secret is mounted at
 * @return the built secret reference
 */
static Secret create(String name, String mountPath) {
  return builder()
      .mountPath(mountPath)
      .name(name)
      .build();
}