authorBryan Strassner <strassner.bryan@gmail.com>2019-01-18 15:50:31 -0600
committerBryan Strassner <strassner.bryan@gmail.com>2019-01-29 09:41:16 -0600
commita11e962eef5a5aa8f8fc15c4a324dfa6b2465061 (patch)
tree67b9f00c20f0d5a2518a0b89fb0f92f6e97637a6
parent9725b0f337ebdc7523973b50afecbf4caf2b7e6c (diff)
Move Airflow web container into Shipyard pod
Moves the airflow web server container from its own pod into the Shipyard pod. This removes exposed network surface area from the Shipyard suite of software. After this change, Shipyard accesses the Airflow API using localhost in the same k8s pod. Change-Id: Ied4bd415a8d78c393b7256ead27a6a2176f4a2d6
Notes
Notes (review): Code-Review+2: Sean Eagan <sean.eagan@att.com> Code-Review+1: Nishant Kumar <nishant.e.kumar@ericsson.com> Code-Review+2: Scott Hussey <sthussey@att.com> Workflow+1: Scott Hussey <sthussey@att.com> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Mon, 04 Feb 2019 16:44:53 +0000 Reviewed-on: https://review.openstack.org/631890 Project: openstack/airship-shipyard Branch: refs/heads/master
-rw-r--r--charts/shipyard/templates/deployment-airflow-scheduler.yaml6
-rw-r--r--charts/shipyard/templates/deployment-airflow-web.yaml92
-rw-r--r--charts/shipyard/templates/deployment-shipyard.yaml41
-rw-r--r--charts/shipyard/templates/ingress-airflow-api.yaml49
-rw-r--r--charts/shipyard/templates/service-airflow-ingress.yaml33
-rw-r--r--charts/shipyard/templates/service-airflow-web.yaml44
-rw-r--r--charts/shipyard/templates/statefulset-airflow-worker.yaml6
-rw-r--r--charts/shipyard/values.yaml56
-rw-r--r--doc/source/_static/shipyard.policy.yaml.sample13
-rw-r--r--src/bin/shipyard_airflow/etc/shipyard/policy.yaml.sample13
10 files changed, 78 insertions, 275 deletions
diff --git a/charts/shipyard/templates/deployment-airflow-scheduler.yaml b/charts/shipyard/templates/deployment-airflow-scheduler.yaml
index ff278aa..c8fccf1 100644
--- a/charts/shipyard/templates/deployment-airflow-scheduler.yaml
+++ b/charts/shipyard/templates/deployment-airflow-scheduler.yaml
@@ -61,9 +61,9 @@ spec:
61 env: 61 env:
62 - name: AIRFLOW_CONN_AIRFLOWS_OWN_DB 62 - name: AIRFLOW_CONN_AIRFLOWS_OWN_DB
63 valueFrom: 63 valueFrom:
64 secretKeyRef: 64 secretKeyRef:
65 name: {{ .Values.secrets.postgresql_airflow_db.user }} 65 name: {{ .Values.secrets.postgresql_airflow_db.user }}
66 key: AIRFLOW_DATABASE_URI 66 key: AIRFLOW_DATABASE_URI
67 # Set to -1 to stop scheduler from going into crash loops 67 # Set to -1 to stop scheduler from going into crash loops
68 args: ["scheduler", "-n", "-1" ] 68 args: ["scheduler", "-n", "-1" ]
69 volumeMounts: 69 volumeMounts:
diff --git a/charts/shipyard/templates/deployment-airflow-web.yaml b/charts/shipyard/templates/deployment-airflow-web.yaml
deleted file mode 100644
index 648f556..0000000
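--- a/charts/shipyard/templates/deployment-airflow-web.yaml
+++ /dev/null
@@ -1,92 +0,0 @@
-# Copyright 2017 The Openstack-Helm Authors.
-# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-{{- if .Values.manifests.deployment_airflow_web }}
-{{- $envAll := . }}
-{{- $serviceAccountName := "airflow-web" }}
-{{ tuple $envAll "airflow_server" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
-{{- $mounts_airflow_web := .Values.pod.mounts.airflow_web.airflow_web }}
-{{- $mounts_airflow_web_init := .Values.pod.mounts.airflow_web.init_container }}
----
-apiVersion: apps/v1beta1
-kind: Deployment
-metadata:
- name: airflow-web
- annotations:
- {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
-spec:
- replicas: {{ .Values.pod.replicas.airflow.web }}
-{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
- template:
- metadata:
- labels:
-{{ tuple $envAll "airflow" "web" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
- annotations:
- configmap-bin-hash: {{ tuple "configmap-airflow-bin.yaml" . | include "helm-toolkit.utils.hash" }}
- configmap-etc-hash: {{ tuple "configmap-airflow-etc.yaml" . | include "helm-toolkit.utils.hash" }}
- spec:
- serviceAccountName: {{ $serviceAccountName }}
- nodeSelector:
- {{ .Values.labels.airflow.node_selector_key }}: {{ .Values.labels.airflow.node_selector_value }}
- restartPolicy: Always
- terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.airflow.timeout | default "30" }}
- initContainers:
-{{ tuple $envAll "airflow_server" $mounts_airflow_web_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
- containers:
- - name: airflow-web
- image: {{ .Values.images.tags.airflow }}
- imagePullPolicy: {{ .Values.images.pull_policy }}
-{{ tuple $envAll $envAll.Values.pod.resources.airflow.web | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- env:
- - name: AIRFLOW_CONN_AIRFLOWS_OWN_DB
- valueFrom:
- secretKeyRef:
- name: {{ .Values.secrets.postgresql_airflow_db.user }}
- key: AIRFLOW_DATABASE_URI
- ports:
- - containerPort: {{ .Values.network.airflow.web.port }}
- args: ["webserver"]
- readinessProbe:
- tcpSocket:
- port: {{ .Values.network.airflow.web.port }}
- volumeMounts:
- - name: airflow-etc
- mountPath: {{ .Values.conf.airflow_config_file.path }}
- subPath: airflow.cfg
- readOnly: true
- - name: shipyard-etc
- mountPath: /usr/local/airflow/plugins/shipyard.conf
- subPath: shipyard.conf
- readOnly: true
- - name: airflow-logs
- mountPath: {{ .Values.conf.airflow.core.base_log_folder }}
-{{ if $mounts_airflow_web.volumeMounts }}{{ toYaml $mounts_airflow_web.volumeMounts | indent 12 }}{{ end }}
- volumes:
- - name: airflow-etc
- configMap:
- name: airflow-etc
- defaultMode: 0444
- - name: shipyard-etc
- configMap:
- name: shipyard-etc
- defaultMode: 0444
- - name: airflow-bin
- configMap:
- name: airflow-bin
- defaultMode: 0555
- - name: airflow-logs
- emptyDir: {}
-{{ if $mounts_airflow_web.volumes }}{{ toYaml $mounts_airflow_web.volumes | indent 8 }}{{ end }}
-{{- end }}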
diff --git a/charts/shipyard/templates/deployment-shipyard.yaml b/charts/shipyard/templates/deployment-shipyard.yaml
index 2d2700c..a8cb104 100644
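--- a/charts/shipyard/templates/deployment-shipyard.yaml
+++ b/charts/shipyard/templates/deployment-shipyard.yaml
@@ -15,9 +15,10 @@
 
 {{- if .Values.manifests.deployment_shipyard }}
 {{- $envAll := . }}
+{{- $serviceAccountName := "shipyard" }}
 {{- $mounts_shipyard := .Values.pod.mounts.shipyard.shipyard }}
 {{- $mounts_shipyard_init := .Values.pod.mounts.shipyard.init_container }}
-{{- $serviceAccountName := "shipyard" }}
+
 {{ tuple $envAll "shipyard" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: apps/v1beta1
@@ -34,8 +35,10 @@ spec:
  labels:
 {{ tuple $envAll "shipyard" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
  annotations:
- configmap-bin-hash: {{ tuple "configmap-shipyard-bin.yaml" . | include "helm-toolkit.utils.hash" }}
- configmap-etc-hash: {{ tuple "configmap-shipyard-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ shipyard-configmap-bin-hash: {{ tuple "configmap-shipyard-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ shipyard-configmap-etc-hash: {{ tuple "configmap-shipyard-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+ airflow-configmap-bin-hash: {{ tuple "configmap-airflow-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ airflow-configmap-etc-hash: {{ tuple "configmap-airflow-etc.yaml" . | include "helm-toolkit.utils.hash" }}
  spec:
  serviceAccountName: {{ $serviceAccountName }}
  nodeSelector:
@@ -88,6 +91,28 @@ spec:
  - name: tmp-profiles
  mountPath: /tmp/profiles
 {{ end }}
+ - name: airflow-web
+ image: {{ .Values.images.tags.airflow }}
+ imagePullPolicy: {{ .Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.airflow.web | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ env:
+ - name: AIRFLOW_CONN_AIRFLOWS_OWN_DB
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secrets.postgresql_airflow_db.user }}
+ key: AIRFLOW_DATABASE_URI
+ args: ["webserver"]
+ volumeMounts:
+ - name: airflow-etc
+ mountPath: {{ .Values.conf.airflow_config_file.path }}
+ subPath: airflow.cfg
+ readOnly: true
+ - name: shipyard-etc
+ mountPath: /usr/local/airflow/plugins/shipyard.conf
+ subPath: shipyard.conf
+ readOnly: true
+ - name: airflow-logs
+ mountPath: {{ .Values.conf.airflow.core.base_log_folder }}
 {{ if $mounts_shipyard.volumeMounts }}{{ toYaml $mounts_shipyard.volumeMounts | indent 12 }}{{ end }}
  volumes:
 {{ if .Values.conf.shipyard.base.profiler }}
@@ -100,5 +125,15 @@ spec:
  configMap:
  name: shipyard-etc
  defaultMode: 0444
+ - name: airflow-etc
+ configMap:
+ name: airflow-etc
+ defaultMode: 0444
+ - name: airflow-bin
+ configMap:
+ name: airflow-bin
+ defaultMode: 0555
+ - name: airflow-logs
+ emptyDir: {}
 {{ if $mounts_shipyard.volumes }}{{ toYaml $mounts_shipyard.volumes | indent 8 }}{{ end }}
 {{- end }}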
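Review bot: The `airflow-web` sidecar added at new lines 94-115 has no `readinessProbe`, although the deleted `deployment-airflow-web.yaml` had a `tcpSocket` probe, so the pod can report Ready before the webserver that Shipyard calls on localhost is listening. A `tcpSocket` or `httpGet` probe would fail here because the kubelet connects to the pod IP and this commit binds the webserver to 127.0.0.1; an `exec` probe that connects to loopback from inside the container keeps the narrow bind. The sketch assumes `python` is on the image PATH and that the port lives at `.Values.conf.airflow.webserver.web_server_port`; both need confirming. The sidecar also now runs under the `shipyard` service account rather than its own `airflow-web` one, so its mounted token carries whatever that account is granted. The containers list begins outside this hunk.

```yaml
          args: ["webserver"]
          # kubelet tcpSocket/httpGet probes dial the pod IP; the webserver
          # listens on loopback only, so check it from inside the container
          readinessProbe:
            exec:
              command:
                - python
                - "-c"
                - "import socket; socket.create_connection(('127.0.0.1', {{ .Values.conf.airflow.webserver.web_server_port }}), 2).close()"
          # … unchanged: volumeMounts …
```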
diff --git a/charts/shipyard/templates/ingress-airflow-api.yaml b/charts/shipyard/templates/ingress-airflow-api.yaml
deleted file mode 100644
index f9c2deb..0000000
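--- a/charts/shipyard/templates/ingress-airflow-api.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.ingress_airflow_api }}
-{{- $envAll := . }}
-{{- if .Values.network.airflow.ingress.public }}
-{{- $backendServiceType := "airflow_web" }}
-{{- $backendPort := "http" }}
-{{- $ingressName := tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
-{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
-{{- $hostName := tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
-{{- $hostNameNamespaced := tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
-{{- $hostNameFull := tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
----
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
- name: {{ $ingressName }}
- annotations:
- kubernetes.io/ingress.class: "nginx"
- ingress.kubernetes.io/rewrite-target: /
- nginx.ingress.kubernetes.io/proxy-read-timeout: {{ .Values.network.airflow.ingress.proxy_read_timeout | quote }}
-spec:
- rules:
-{{- range $key1, $vHost := tuple $hostName $hostNameNamespaced $hostNameFull }}
- - host: {{ $vHost }}
- http:
- paths:
- - path: /
- backend:
- serviceName: {{ $backendName }}
- servicePort: {{ $backendPort }}
-{{- end }}
-{{- end }}
-{{- end }}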
diff --git a/charts/shipyard/templates/service-airflow-ingress.yaml b/charts/shipyard/templates/service-airflow-ingress.yaml
deleted file mode 100644
index a398906..0000000
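--- a/charts/shipyard/templates/service-airflow-ingress.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.service_airflow_ingress }}
-{{- $envAll := . }}
-{{- if .Values.network.airflow.ingress.public }}
----
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ tuple "airflow_web" "public" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
-spec:
- ports:
- - name: http
- port: 80
- selector:
- app: ingress-api
-{{- end }}
-{{- end }}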
diff --git a/charts/shipyard/templates/service-airflow-web.yaml b/charts/shipyard/templates/service-airflow-web.yaml
deleted file mode 100644
index bb68fe6..0000000
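--- a/charts/shipyard/templates/service-airflow-web.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.service_airflow_web }}
-{{- $envAll := . }}
----
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ tuple "airflow_web" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
-spec:
- ports:
- {{ if .Values.network.airflow.web.enable_node_port }}
- - name: http
- nodePort: {{ .Values.network.airflow.web.node_port }}
- port: {{ .Values.network.airflow.web.port }}
- protocol: TCP
- targetPort: {{ .Values.network.airflow.web.port }}
- {{ else }}
- - name: http
- port: {{ .Values.network.airflow.web.port }}
- protocol: TCP
- targetPort: {{ .Values.network.airflow.web.port }}
- {{ end }}
- selector:
-{{ tuple $envAll "airflow" "web" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
- {{ if .Values.network.airflow.web.enable_node_port }}
- type: NodePort
- {{ end }}
-{{- end }}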
diff --git a/charts/shipyard/templates/statefulset-airflow-worker.yaml b/charts/shipyard/templates/statefulset-airflow-worker.yaml
index c71b63e..64a3997 100644
--- a/charts/shipyard/templates/statefulset-airflow-worker.yaml
+++ b/charts/shipyard/templates/statefulset-airflow-worker.yaml
@@ -101,9 +101,9 @@ spec:
101 env: 101 env:
102 - name: AIRFLOW_CONN_AIRFLOWS_OWN_DB 102 - name: AIRFLOW_CONN_AIRFLOWS_OWN_DB
103 valueFrom: 103 valueFrom:
104 secretKeyRef: 104 secretKeyRef:
105 name: {{ .Values.secrets.postgresql_airflow_db.user }} 105 name: {{ .Values.secrets.postgresql_airflow_db.user }}
106 key: AIRFLOW_DATABASE_URI 106 key: AIRFLOW_DATABASE_URI
107 # Set to -1 to stop scheduler from going into crash loops 107 # Set to -1 to stop scheduler from going into crash loops
108 args: ["scheduler", "-n", "-1" ] 108 args: ["scheduler", "-n", "-1" ]
109 volumeMounts: 109 volumeMounts:
diff --git a/charts/shipyard/values.yaml b/charts/shipyard/values.yaml
index 998a429..5e78018 100644
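--- a/charts/shipyard/values.yaml
+++ b/charts/shipyard/values.yaml
@@ -65,14 +65,6 @@ network:
  node_port: 31901
  enable_node_port: false
  airflow:
- ingress:
- public: true
- proxy_read_timeout: 600
- web:
- name: airflow-web
- port: 8080
- node_port: 32080
- enable_node_port: false
  worker:
  name: airflow-worker
  port: 8793
@@ -87,8 +79,6 @@ dependencies:
  services:
  - service: postgresql_shipyard_db
  endpoint: internal
- - service: airflow_web
- endpoint: internal
  shipyard_db_sync:
  jobs:
  - shipyard-db-init
@@ -131,8 +121,6 @@ dependencies:
  - shipyard-ks-user
  - shipyard-ks-endpoints
  services:
- - service: airflow_web
- endpoint: internal
  - service: identity
  endpoint: internal
  - service: postgresql_shipyard_db
@@ -213,21 +201,6 @@ endpoints:
  # tls:
  # crt: null
  # key: null
- airflow_web:
- name: airflow-web
- hosts:
- default: airflow-web-int
- public: airflow-web
- port:
- airflow_web:
- default: 8080
- public: 80
- path:
- default: /
- scheme:
- default: http
- host_fqdn_override:
- default: null
  airflow_worker:
  name: airflow-worker
  hosts:
@@ -394,7 +367,7 @@ conf:
  paste.filter_factory: keystonemiddleware.auth_token:filter_factory
  shipyard:
  base:
- web_server:
+ web_server: http://localhost:8080/
  pool_size: 15
  pool_pre_ping: true
  pool_timeout: 30
@@ -507,7 +480,9 @@ conf:
  worker_precheck: "False"
  cli:
  api_client: airflow.api.client.local_client
- # endpoint_url is extracted from endpoints by the configmap template
+ # if endpoint_url is not set, it is extracted from endpoints by the
+ # configmap template
+ endpoint_url: http://localhost/
  api:
  auth_backend: airflow.api.auth.backend.default
  lineage:
@@ -530,8 +505,12 @@ conf:
  # Shipyard is not using this
  default_hive_mapred_queue: ""
  webserver:
- # base_url is extracted from endpoints by the configmap template
- web_server_host: 0.0.0.0
+ # if base_url is not set, is extracted from endpoints by the configmap
+ # template
+ base_url: http://localhost/
+ # set web_server_host to 0.0.0.0 to bind to all interfaces. By default
+ # only bind to loopback
+ web_server_host: 127.0.0.1
  web_server_port: 8080
  web_server_ssl_cert: ""
  web_server_ssl_key: ""
@@ -706,9 +685,6 @@ pod:
  init_container: null
  airflow_worker:
  airflow_scheduler:
- airflow_web:
- init_container: null
- airflow_web:
  shipyard:
  init_container: null
  shipyard:
@@ -722,7 +698,6 @@ pod:
  shipyard:
  api: 2
  airflow:
- web: 2
  worker: 2
  scheduler: 2
  lifecycle:
@@ -841,13 +816,6 @@ pod:
  requests:
  memory: "128Mi"
  cpu: "100m"
- airflow:
- limits:
- memory: "128Mi"
- cpu: "100m"
- requests:
- memory: "128Mi"
- cpu: "100m"
 
 manifests:
  configmap_shipyard_bin: true
@@ -858,9 +826,7 @@ manifests:
  # running the scheduler
  deployment_airflow_scheduler: true
  deployment_shipyard: true
- deployment_airflow_web: true
  statefulset_airflow_worker: true
- ingress_airflow_api: true
  ingress_shipyard_api: true
  job_shipyard_db_init: true
  job_shipyard_db_sync: true
@@ -875,10 +841,8 @@ manifests:
  secret_ingress_tls: true
  secret_keystone: true
  secret_rabbitmq: true
- service_airflow_ingress: true
  service_shipyard: true
  service_shipyard_ingress: true
- service_airflow_web: true
  service_airflow_worker: true
  service_discovery_airflow_worker: true
  test_shipyard_api: true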
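Review bot: The new comment on `web_server_host` (new lines 511-512) invites setting 0.0.0.0 without saying that `auth_backend` in this same file is `airflow.api.auth.backend.default`, which does not authenticate callers, so the loopback bind is the only thing keeping the Airflow API off the pod IP. I would state that in the comment, e.g. `# keep 127.0.0.1 unless api.auth_backend is changed: the default backend does not authenticate, and 0.0.0.0 exposes the API on the pod IP`. Separately, `endpoint_url` and `base_url` are set to `http://localhost/` while the Shipyard `web_server` value is `http://localhost:8080/` and `web_server_port` stays 8080; if omitting the port is intentional a short comment would help, otherwise `http://localhost:8080/` looks like the consistent value.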
diff --git a/doc/source/_static/shipyard.policy.yaml.sample b/doc/source/_static/shipyard.policy.yaml.sample
index 1692ac5..63a4c9c 100644
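--- a/doc/source/_static/shipyard.policy.yaml.sample
+++ b/doc/source/_static/shipyard.policy.yaml.sample
@@ -40,10 +40,16 @@
 # POST /api/v1.0/configdocs/{collection_id}
 #"workflow_orchestrator:create_configdocs": "rule:admin_required"
 
-# Retrieve a collection of configuration documents
+# Retrieve a collection of configuration documents with redacted
+# secrets
 # GET /api/v1.0/configdocs/{collection_id}
 #"workflow_orchestrator:get_configdocs": "rule:admin_required"
 
+# Retrieve a collection of configuration documents with cleartext
+# secrets.
+# GET /api/v1.0/configdocs/{collection_id}
+#"workflow_orchestrator:get_configdocs_cleartext": "rule:admin_required"
+
 # Move documents from the Shipyard buffer to the committed documents
 # POST /api/v1.0/commitconfigdocs
 #"workflow_orchestrator:commit_configdocs": "rule:admin_required"
@@ -53,6 +59,11 @@
 # GET /api/v1.0/renderedconfigdocs
 #"workflow_orchestrator:get_renderedconfigdocs": "rule:admin_required"
 
+# Retrieve the configuration documents with cleartext secrets rendered
+# by Deckhand into a complete design
+# GET /api/v1.0/renderedconfigdocs
+#"workflow_orchestrator:get_renderedconfigdocs_cleartext": "rule:admin_required"
+
 # Retrieve the list of workflows (DAGs) that have been invoked in
 # Airflow, whether via Shipyard or scheduled
 # GET /api/v1.0/workflows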
diff --git a/src/bin/shipyard_airflow/etc/shipyard/policy.yaml.sample b/src/bin/shipyard_airflow/etc/shipyard/policy.yaml.sample
index 1692ac5..63a4c9c 100644
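--- a/src/bin/shipyard_airflow/etc/shipyard/policy.yaml.sample
+++ b/src/bin/shipyard_airflow/etc/shipyard/policy.yaml.sample
@@ -40,10 +40,16 @@
 # POST /api/v1.0/configdocs/{collection_id}
 #"workflow_orchestrator:create_configdocs": "rule:admin_required"
 
-# Retrieve a collection of configuration documents
+# Retrieve a collection of configuration documents with redacted
+# secrets
 # GET /api/v1.0/configdocs/{collection_id}
 #"workflow_orchestrator:get_configdocs": "rule:admin_required"
 
+# Retrieve a collection of configuration documents with cleartext
+# secrets.
+# GET /api/v1.0/configdocs/{collection_id}
+#"workflow_orchestrator:get_configdocs_cleartext": "rule:admin_required"
+
 # Move documents from the Shipyard buffer to the committed documents
 # POST /api/v1.0/commitconfigdocs
 #"workflow_orchestrator:commit_configdocs": "rule:admin_required"
@@ -53,6 +59,11 @@
 # GET /api/v1.0/renderedconfigdocs
 #"workflow_orchestrator:get_renderedconfigdocs": "rule:admin_required"
 
+# Retrieve the configuration documents with cleartext secrets rendered
+# by Deckhand into a complete design
+# GET /api/v1.0/renderedconfigdocs
+#"workflow_orchestrator:get_renderedconfigdocs_cleartext": "rule:admin_required"
+
 # Retrieve the list of workflows (DAGs) that have been invoked in
 # Airflow, whether via Shipyard or scheduled
 # GET /api/v1.0/workflows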