Armory Docs – Tasks

Plugins: Task Type: createApplication

Mon, 01 Jan 0001 00:00:00 +0000

Path: tasks
Method: Post
Package: spinnaker.http.authz

Example Payload

Click to expand

{
 "input": {
 "body": {
 "application": "aftest",
 "description": "Create Application: aftest",
 "job": [
 {
 "application": {
 "cloudProviders": "",
 "email": "af@test.com",
 "instancePort": 80,
 "name": "aftest"
 },
 "type": "createApplication",
 "user": "myUserName"
 }
 ]
 },
 "method": "POST",
 "path": [
 "tasks"
 ],
 "user": {
 "isAdmin": false,
 "roles": [
 {
 "name": "armory-io",
 "source": "GITHUB_TEAMS"
 },
 {
 "name": "productmanagers",
 "source": "GITHUB_TEAMS"
 }
 ],
 "username": "myUserName"
 }
 }
}

Example Policy

This policy disables the ability to create new applications for non-admin users unless their role is ‘applicationCreators’.

package spinnaker.http.authz
default message=""
allow = message==""
message = "Your role lacks permissions to create new applications"{
 createsTaskOfType("createApplication")
 input.user.isAdmin!=true
 not hasRole("applicationCreators")
}
hasRole(role){
 input.user.roles[_].name=role
}
createsTaskOfType(tasktype){
 input.method="POST"
 input.path=["tasks"]
 input.body.job[_].type=tasktype
}

This policy disables the ability to create new applications, or update existing applications unless the applications have specified at least 1 role with ‘write’ permissions. Note: The spinnaker UI is not currently able to display an error message when this policy denies the action.

package spinnaker.http.authz

allow = message==""

default message=""
message="You must provide at least 1 user with full execute permissions"{
 not(hasWritePermissions(input.body.job[0]))
 createsTaskOfType(["createApplication","updateApplication"][_])
}

hasWritePermissions(job) {
 count(job.application.permissions.WRITE)>0
}

createsTaskOfType(tasktype){
 input.method="POST"
 input.path=["tasks"]
 input.body.job[_].type=tasktype
}

Keys

Key	Type	Description
`input.body.application`	`string`	The name of the application being created.
`input.body.description`	`string`	The description of the application being created.
`input.body.job[].application.cloudProviders`	`string`	The applications allowed cloud providers.
`input.body.job[].application.email`	`string`	The email address of the owner of the application.
`input.body.job[].application.instancePort`	`number`
`input.body.job[].application.name`	`string`	The name of the application being created.
`input.body.job[].type`	`string`	The type of task being run, in this case `createApplication`
`input.body.job[].user`	`string`	The ID of the user to run the job as.
`input.method`	`string`	The HTTP method by which the API is being called. When creating a task this is `POST`
`input.path[]`	`string`	The API path of the job. When creating a new task this is the array `["tasks"]`
`input.body.job[].application.description`	`string`	The description of the application being created.
`input.body.job[].application.permissions.EXECUTE[]`	`string`	The list of roles that have execute permission to the application.
`input.body.job[].application.permissions.READ[]`	`string`	The list of roles that have read permission to the application.
`input.body.job[].application.permissions.WRITE[]`	`string`	The list of roles that have write permission to the application.
`input.body.job[].application.repoProjectKey`	`string`	The unique ID of the project in source control.
`input.body.job[].application.repoSlug`	`string`	The slug for the source code repo. Typically the repository’s owner or organization ID.
`input.body.job[].application.repoType`	`string`	With what type of sourcecode repo is this application associated.

input.user

This object provides information about the user performing the action. This can be used to restrict actions by role. See input.user for more information.

Plugins: Task Type: deleteManifest

Mon, 01 Jan 0001 00:00:00 +0000

Path: tasks
Method: Post
Package: spinnaker.http.authz

Compatibility note

Starting in 2.26, the UI has been updated to more closely follow immutable infrastructure principles.

When you navigate to the Infrastructure tab in the UI for an application that has the Kubernetes provider configured, actions that change the Kubernetes infrastructure (such as Create or Delete), including Clusters, Load Balancers, and Firewalls, are no longer available.

Impact

Users do not see these actions in the UI by default. You must configure the UI to display them if you want your users to be able to perform them through the UI. To write policies that control which user roles can see the UI actions and be able to use them, you must enable the actions.

Workaround

Whether or not these actions are available in the UI is controlled by the following property in settings-local.yml:

window.spinnakerSettings.kubernetesAdHocInfraWritesEnabled = <boolean>;

Note that disabling the UI does not completely prevent users from performing these actions. For that, you must create policies.

Set this property to true. Setting the value to false hides the buttons for all users regardless of whether you grant specific users access to the buttons through the Policy Engine.

Example Payload

Click to expand

{
 "input": {
 "body": {
 "application": "hostname",
 "description": "Delete manifest",
 "job": [
 {
 "account": "spinnaker",
 "cloudProvider": "kubernetes",
 "location": "staging",
 "manifestName": "deployment hostname",
 "options": {
 "gracePeriodSeconds": 5,
 "orphanDependants": false
 },
 "reason": null,
 "type": "deleteManifest",
 "user": "myUserName"
 }
 ]
 },
 "method": "POST",
 "path": [
 "tasks"
 ],
 "user": {
 "isAdmin": false,
 "roles": [],
 "username": "myUserName"
 }
 }
}

Example Policy

This example prevents users from deleting deployed manifests from production accounts on the ‘Clusters’ tab of the spinnaker UI.

package spinnaker.http.authz
default message=""
allow = message==""

isProductionAccount(account){
 ["prodAccount1","prodAccount2"][_]==account
}

message = "Manifests cannot be deleted outside of a pipeline in production accounts"{
 createsTaskOfType("deleteManifest")
 isProductionAccount(input.body.job[_].account)
}
createsTaskOfType(tasktype){
 input.method="POST"
 input.path=["tasks"]
 input.body.job[_].type=tasktype
}

Keys

Key	Type	Description
`input.body.application`	`string`	The name of the application that deployed the manifest being deleted.
`input.body.description`	`string`	The phrase “Delete Manifest”.
`input.body.job[].account`	`string`	The spinnaker account that will delete the manifest.
`input.body.job[].cloudProvider`	`string`	The cloud provider running the manifest, typically “kubernetes”.
`input.body.job[].location`	`string`	The namespace from which the manifest is deleted.
`input.body.job[].manifestName`	`string`	The name of the manifest to delete.
`input.body.job[].options.gracePeriodSeconds`	`number`	How many seconds the resource identified by the manifest is given to shut down gracefully before being forcefully terminated.
`input.body.job[].options.orphanDependants`	`boolean`	If `false` dependant kubernetes resources will also be deleted, if `true` they are orphaned.
`input.body.job[].reason`
`input.body.job[].type`	`string`	“deleteManifest”
`input.body.job[].user`	`string`	The ID of the user who started the job. More information is available under the `input.user` fields.
`input.method`	`string`	`POST`
`input.path[]`	`string`	`[tasks]`

input.user

This object provides information about the user performing the action. This can be used to restrict actions by role. See input.user for more information.

Plugins: Task Type: deployManifest

Mon, 01 Jan 0001 00:00:00 +0000

Path: tasks
Method: Post
Package: spinnaker.http.authz

Compatibility note

Starting in 2.26, the UI has been updated to more closely follow immutable infrastructure principles.

Impact

Workaround

Whether or not these actions are available in the UI is controlled by the following property in settings-local.yml:

window.spinnakerSettings.kubernetesAdHocInfraWritesEnabled = <boolean>;

Note that disabling the UI does not completely prevent users from performing these actions. For that, you must create policies.

Set this property to true. Setting the value to false hides the buttons for all users regardless of whether you grant specific users access to the buttons through the Policy Engine.

Example Payload

Click to expand

{
 "input": {
 "body": {
 "application": "hostname",
 "description": "Deploy manifest",
 "job": [
 {
 "account": "spinnaker",
 "cloudProvider": "kubernetes",
 "manifest": null,
 "manifestArtifactAccount": "embedded-artifact",
 "manifests": [
 {
 "apiVersion": "apps/v1",
 "kind": "Deployment",
 "metadata": {
 "annotations": {
 "artifact.spinnaker.io/location": "staging",
 "artifact.spinnaker.io/name": "hostname",
 "artifact.spinnaker.io/type": "kubernetes/deployment",
 "artifact.spinnaker.io/version": "",
 "moniker.spinnaker.io/application": "hostname",
 "moniker.spinnaker.io/cluster": "deployment hostname"
 },
 "labels": {
 "app.kubernetes.io/managed-by": "spinnaker",
 "app.kubernetes.io/name": "hostname"
 },
 "name": "hostname",
 "namespace": "staging"
 },
 "spec": {
 "replicas": 4,
 "selector": {
 "matchLabels": {
 "app": "hostname",
 "version": "v1"
 }
 },
 "strategy": {
 "rollingUpdate": {
 "maxSurge": 1,
 "maxUnavailable": 1
 },
 "type": "RollingUpdate"
 },
 "template": {
 "metadata": {
 "annotations": {
 "artifact.spinnaker.io/location": "staging",
 "artifact.spinnaker.io/name": "hostname",
 "artifact.spinnaker.io/type": "kubernetes/deployment",
 "artifact.spinnaker.io/version": "",
 "moniker.spinnaker.io/application": "hostname",
 "moniker.spinnaker.io/cluster": "deployment hostname",
 "prometheus.io/port": "9113",
 "prometheus.io/scrape": "true"
 },
 "labels": {
 "app": "hostname",
 "app.kubernetes.io/managed-by": "spinnaker",
 "app.kubernetes.io/name": "hostname",
 "version": "v1"
 }
 },
 "spec": {
 "containers": [
 {
 "image": "rstarmer/hostname:v1",
 "imagePullPolicy": "Always",
 "name": "hostname",
 "resources": {},
 "volumeMounts": [
 {
 "mountPath": "/etc/nginx/conf.d/nginx-status.conf",
 "name": "nginx-status-conf",
 "readOnly": true,
 "subPath": "nginx.status.conf"
 }
 ]
 },
 {
 "args": [
 "-nginx.scrape-uri=http://localhost:8090/nginx_status"
 ],
 "image": "nginx/nginx-prometheus-exporter:0.3.0",
 "imagePullPolicy": "Always",
 "name": "nginx-exporter",
 "ports": [
 {
 "containerPort": 9113,
 "name": "nginx-ex-port",
 "protocol": "TCP"
 }
 ]
 }
 ],
 "restartPolicy": "Always",
 "volumes": [
 {
 "configMap": {
 "defaultMode": 420,
 "name": "nginx-status-conf-v000"
 },
 "name": "nginx-status-conf"
 }
 ]
 }
 }
 }
 }
 ],
 "moniker": {
 "app": "hostname",
 "cluster": "deployment hostname"
 },
 "relationships": {
 "loadBalancers": [],
 "securityGroups": []
 },
 "source": "text",
 "type": "deployManifest",
 "user": "myUserName",
 "versioned": null
 }
 ]
 },
 "method": "POST",
 "path": [
 "tasks"
 ],
 "user": {
 "isAdmin": false,
 "roles": [],
 "username": "myUserName"
 }
 }
}

Example Policy

Prevents editing manifests from outside of a pipeline on production accounts.

package spinnaker.http.authz
default message=""
allow = message==""

isProductionAccount(account){
 ["prodAccount1","prodAccount2"][_]==account
}

message = "Manifests cannot be deployed outside of a pipeline in production accounts"{
 createsTaskOfType("deployManifest")
 isProductionAccount(input.body.job[_].account)
}
createsTaskOfType(tasktype){
 input.method="POST"
 input.path=["tasks"]
 input.body.job[_].type=tasktype
}

Keys

Key	Type	Description
`input.body.application`	`string`	The name of the application for which a manifest is deployed.
`input.body.description`	`string`	“Deploy Manifest”.
`input.body.job[].account`	`string`	The account to which the manifest is deployed.
`input.body.job[].cloudProvider`	`string`	The cloud provider for the account, typically ‘kubernetes’.
`input.body.job[].manifestArtifactAccount`	`string`	The account from which the manifest artifact should be read, if any.
`input.body.job[].manifests[].*`	`*`	The set of manifests that are deployed. Can be referenced to require certain conditions on manifests that are being deployed.
`input.body.job[].moniker.app`	`string`	The name of the application for which a manifest is deployed.
`input.body.job[].moniker.cluster`	`string`	What existing resource cluster is having its manifest updated.
`input.body.job[].source`	`string`
`input.body.job[].type`	`string`	“deployManifest”
`input.body.job[].user`	`string`	The username of the user who is trying to deploy. More information is available under the `input.user` fields.
`input.body.job[].versioned`
`input.method`	`string`	`POST`
`input.path[]`	`string`	`[tasks]`

input.user

This object provides information about the user performing the action. This can be used to restrict actions by role. See input.user for more information.

Plugins: Task Type: scaleManifest

Mon, 01 Jan 0001 00:00:00 +0000

Path: tasks
Method: Post
Package: spinnaker.http.authz

Compatibility note

Starting in 2.26, the UI has been updated to more closely follow immutable infrastructure principles.

Impact

Workaround

Whether or not these actions are available in the UI is controlled by the following property in settings-local.yml:

window.spinnakerSettings.kubernetesAdHocInfraWritesEnabled = <boolean>;

Note that disabling the UI does not completely prevent users from performing these actions. For that, you must create policies.

Set this property to true. Setting the value to false hides the buttons for all users regardless of whether you grant specific users access to the buttons through the Policy Engine.

Example Payload

Click to expand

{
 "input": {
 "body": {
 "application": "hostname",
 "description": "Scale manifest",
 "job": [
 {
 "account": "spinnaker",
 "cloudProvider": "kubernetes",
 "location": "staging",
 "manifestName": "deployment hostname",
 "reason": null,
 "replicas": "5",
 "type": "scaleManifest",
 "user": "myUserName"
 }
 ]
 },
 "method": "POST",
 "path": [
 "tasks"
 ],
 "user": {
 "isAdmin": false,
 "roles": [],
 "username": "myUserName"
 }
 }
}

Example Policy

This policy prevents requires users to enter a reason when performing a scale from outside or a pipeline.

package spinnaker.http.authz
default message=""
allow = message==""
message = "You must provide a reason when scaling a manifest outside of a pipeline."{
 createsTaskOfType("scaleManifest")
 object.get(input.body.job[_],"reason",null)==null
}

createsTaskOfType(tasktype){
 input.method="POST"
 input.path=["tasks"]
 input.body.job[_].type=tasktype
}

This policy prevents non-admin users from initiating a scaleManifest from the ‘clusters’ tab of an application.

package spinnaker.http.authz
default message=""
allow = message==""
message = "Your role lacks permissions to scale applications outside of pipelines"{
 createsTaskOfType("scaleManifest")
 input.user.isAdmin!=true
}

createsTaskOfType(tasktype){
 input.method="POST"
 input.path=["tasks"]
 input.body.job[_].type=tasktype
}

Keys

Key	Type	Description
`input.body.application`	`string`	The name of the application for which the manifest is being scaled.
`input.body.description`	`string`	Always “Scale Manifest”.
`input.body.job[].account`	`string`	The name of the account in which the manifest is scaled.
`input.body.job[].cloudProvider`	`string`	The name of the cloud provider in which the manifest is being scaled.
`input.body.job[].location`	`string`	The namespace of the manifest beign scaled.
`input.body.job[].manifestName`	`string`	The name of the manifest being scaled.
`input.body.job[].reason`	`string`	The reason the user entered to explain the change.
`input.body.job[].replicas`	`string`	The desired number of running pods after scaling.
`input.body.job[].type`	`string`	Always “scaleManifest”
`input.body.job[].user`	`string`	The username of the user starting the task. It is reccomended to write rules using `input.user` instead.
`input.method`	`string`	`POST`
`input.path[]`	`string`	`["tasks"]`

input.user

This object provides information about the user performing the action. This can be used to restrict actions by role. See input.user for more information.

Plugins: Task Type: undoRolloutManifest

Mon, 01 Jan 0001 00:00:00 +0000

Path: tasks
Method: Post
Package: spinnaker.http.authz

Compatibility note

Starting in 2.26, the UI has been updated to more closely follow immutable infrastructure principles.

Impact

Workaround

Whether or not these actions are available in the UI is controlled by the following property in settings-local.yml:

window.spinnakerSettings.kubernetesAdHocInfraWritesEnabled = <boolean>;

Note that disabling the UI does not completely prevent users from performing these actions. For that, you must create policies.

Set this property to true. Setting the value to false hides the buttons for all users regardless of whether you grant specific users access to the buttons through the Policy Engine.

Example Payload

Click to expand

{
 "input": {
 "body": {
 "application": "hostname",
 "description": "Undo rollout of manifest",
 "job": [
 {
 "account": "spinnaker",
 "cloudProvider": "kubernetes",
 "location": "staging",
 "manifestName": "deployment hostname",
 "reason": "someReason",
 "revision": "3",
 "type": "undoRolloutManifest",
 "user": "myUserName"
 }
 ]
 },
 "method": "POST",
 "path": [
 "tasks"
 ],
 "user": {
 "isAdmin": false,
 "roles": [],
 "username": "myUserName"
 }
 }
}

Keys

Key	Type	Description
`input.body.application`	`string`	The name of the application that is being rolled back.
`input.body.description`	`string`	Always “Undo rollout of manifest”.
`input.body.job[].account`	`string`	The account in which the deployment is being rolled back.
`input.body.job[].cloudProvider`	`string`	The cloud provider of the account in which the rollback will occur.
`input.body.job[].location`	`string`	The namespace of the manifest being rolled back.
`input.body.job[].manifestName`	`string`	The type and name of the manifest being rolled back.
`input.body.job[].reason`	`string`	The reason provided by the user for initiating the rollback.
`input.body.job[].revision`	`string`	The revision to which the manifest should be rolled back.
`input.body.job[].type`	`string`	Always “undoRolloutManifest”
`input.body.job[].user`	`string`	the ID of the user who initiated the rollback.
`input.method`	`string`	`POST`
`input.path[]`	`string`	`["tasks"]`
`input.user.isAdmin`	`boolean`
`input.user.username`	`string`

Plugins: Task Type: updateApplication

Mon, 01 Jan 0001 00:00:00 +0000

Path: tasks
Method: Post
Package: spinnaker.http.authz

Example Payload

Click to expand

{
 "input": {
 "body": {
 "application": "aftest2",
 "description": "Update Application: aftest2",
 "job": [
 {
 "application": {
 "cloudProviders": "kubernetes",
 "dataSources": {
 "disabled": [],
 "enabled": []
 },
 "description": "description2",
 "email": "dasdasd@trest.com",
 "instancePort": 80,
 "lastModifiedBy": "myUserName",
 "name": "aftest2",
 "permissions": {
 "EXECUTE": [
 "productmanagers"
 ],
 "READ": [
 "productmanagers"
 ],
 "WRITE": [
 "productmanagers"
 ]
 },
 "repoProjectKey": "project",
 "repoSlug": "name",
 "repoType": "github",
 "trafficGuards": [],
 "updateTs": "1621444448000",
 "user": "myUserName"
 },
 "type": "updateApplication",
 "user": "myUserName"
 }
 ]
 },
 "method": "POST",
 "path": [
 "tasks"
 ],
 "user": {
 "isAdmin": false,
 "roles": [
 {
 "name": "armory-io",
 "source": "GITHUB_TEAMS"
 },
 {
 "name": "productmanagers",
 "source": "GITHUB_TEAMS"
 }
 ],
 "username": "myUserName"
 }
 }
}

Example Policy

This policy disables the ability to create new applications, or update existing applications unless the applications have specified at least 1 role with ‘write’ permissions.

Note: The UI is not currently able to display an error message when this policy denies the action.

package spinnaker.http.authz

allow = message==""

default message=""
message="You must provide at least 1 user with full execute permissions"{
 not(hasWritePermissions(input.body.job[0]))
 createsTaskOfType(["createApplication","updateApplication"][_])
}

hasWritePermissions(job) {
 count(job.application.permissions.WRITE)>0
}

createsTaskOfType(tasktype){
 input.method="POST"
 input.path=["tasks"]
 input.body.job[_].type=tasktype
}

Keys

Key	Type	Description
`input.body.application`	`string`	The name of the application being created.
`input.body.description`	`string`	The description of the application being created.
`input.body.job[].application.cloudProviders`	`string`	The application’s allowed cloud providers.
`input.body.job[].application.email`	`string`	The email address of the owner of the application.
`input.body.job[].application.instancePort`	`number`
`input.body.job[].application.name`	`string`	The name of the application being created.
`input.body.job[].type`	`string`	The type of task being run, in this case “createApplication”.
`input.body.job[].user`	`string`	The ID of the user to run the job as.
`input.method`	`string`	The HTTP method by which the API is being called. When creating a task this is `POST`
`input.path[]`	`string`	The API path of the job. When creating a new task this is the array `["tasks"]`
`input.user.isAdmin`	`boolean`
`input.user.roles[].name`	`string`
`input.user.roles[].source`	`string`
`input.user.username`	`string`
`input.body.job[].application.description`	`string`	The description of the application being created.
`input.body.job[].application.permissions.EXECUTE[]`	`string`	The list of roles that have execute permission to the application.
`input.body.job[].application.permissions.READ[]`	`string`	The list of roles that have read permission to the application.
`input.body.job[].application.permissions.WRITE[]`	`string`	The list of roles that have write permission to the application.
`input.body.job[].application.repoProjectKey`	`string`	What is the unique ID of the project in source control.
`input.body.job[].application.repoSlug`	`string`	What is the slug for the source code repo? Typically the repository’s owner or organization ID.
`input.body.job[].application.repoType`	`string`	With what type of sourcecode repo is this application associated.

Plugins: Task Type: upsertProject

Mon, 01 Jan 0001 00:00:00 +0000

Path: tasks
Method: Post
Package: spinnaker.http.authz

Example Payload

Click to expand

{
 "input": {
 "body": {
 "application": "spinnaker",
 "description": "Create project: testProjectName",
 "job": [
 {
 "project": {
 "config": {
 "applications": [
 "hostname"
 ],
 "clusters": [
 {
 "account": "spinnaker",
 "detail": "*",
 "stack": "*"
 }
 ],
 "pipelineConfigs": [
 {
 "application": "hostname",
 "pipelineConfigId": "7db1e350-dedb-4dc1-9976-e71f97b5f132"
 }
 ]
 },
 "email": "myUser@company.com",
 "name": "testProjectName"
 },
 "type": "upsertProject",
 "user": "myUserName"
 }
 ],
 "project": "testProjectName"
 },
 "method": "POST",
 "path": [
 "tasks"
 ],
 "user": {
 "isAdmin": false,
 "roles": [],
 "username": "myUserName"
 }
 }
}

Example Policy

Keys

Key	Type	Description
`input.body.application`	`string`
`input.body.description`	`string`
`input.body.job[].project.config.applications[]`	`string`
`input.body.job[].project.config.clusters[].account`	`string`
`input.body.job[].project.config.clusters[].detail`	`string`
`input.body.job[].project.config.clusters[].stack`	`string`
`input.body.job[].project.config.pipelineConfigs[].application`	`string`
`input.body.job[].project.config.pipelineConfigs[].pipelineConfigId`	`string`
`input.body.job[].project.email`	`string`
`input.body.job[].project.name`	`string`
`input.body.job[].type`	`string`
`input.body.job[].user`	`string`
`input.body.project`	`string`
`input.method`	`string`
`input.path[]`	`string`
`input.user.isAdmin`	`boolean`
`input.user.username`	`string`
`input.body.job[].project.config.clusters[].applications`
`input.body.job[].project.createTs`	`number`
`input.body.job[].project.id`	`string`
`input.body.job[].project.lastModifiedBy`	`string`
`input.body.job[].project.updateTs`	`number`