User-Provided Metadata
Occasionally you might want to add additional information to your Runs which isn’t handled on a first-class basis by Spacelift. You can attach this kind of information using the run metadata parameter, which is available through spacectl as well as the GraphQL API.
Usage
Let’s start with a small example. You’ll need a private worker for this.
On the machine where the worker resides, create a simple policy in a file:
And then start the worker with an additional environment variable:
This policy will make our launcher sample each initialization policy evaluation and print it as a log on stderr.
We’ll also need a Stack to which this worker is attached.
We can now trigger a run and provide an arbitrary metadata string:
And in the private worker logs we should then see the sampled policy input (formatted for readability), including the metadata string we passed:
Great!
We can now go ahead and confirm this run:
In the policy sample log for the relevant metadata key we’ll see an additional entry, which was added when confirming:
And that's basically it! It's a very flexible building block which lets you build various automation and compliance helper tooling on top of it.
Run signatures
A standard use case for this feature would be to sign your runs when you’re creating them.
You'll have to bring the infrastructure for managing keys and signatures yourself - usually you'll already have something like that internally. But in short, you can create a cryptographic signature over the parameters of the run you're about to create - the commit SHA, run type, stack, date, etc. - and then pass that signature to Spacelift as run metadata when creating the run.
Later, in the initialization policy, you can use the exec function to run your custom binary to verify that signature. This way - for your most sensitive stacks - you can check whether the runs you receive from the Spacelift backend are legitimate, i.e. intentionally created by an employee of your company.
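The following is an added example of both halves of that scheme, written for this page; it is not Spacelift's reference implementation and it uses none of Spacelift's APIs. It assumes a shared HMAC-SHA256 secret standing in for a signing key (an asymmetric signature would slot in the same way), a metadata layout of our own ("v1:<payload>:<mac>", base64 encoded), and a hypothetical JSON document on stdin with the run's metadata entries and the values the backend reports for the run, which is what a verifier binary called from the policy via exec could consume. Because confirming a run adds a further metadata entry, the verifier accepts the run if any entry carries a valid signature.

```python
"""Sign run parameters before creating a run, and verify them later.

Added example for this page, not Spacelift's reference implementation.
Assumptions: shared HMAC secret instead of a signing key; our own
"v1:<payload-b64>:<mac-b64>" metadata format; hypothetical stdin JSON shape
{"user_provided_metadata": [...], "expected": {...}} for the exec binary.
"""
import base64
import hashlib
import hmac
import json
import os
import sys
import time

VERSION = "v1"


def canonical_payload(params: dict) -> bytes:
    # Deterministic encoding: the verifier must rebuild exactly these bytes.
    return json.dumps(params, sort_keys=True, separators=(",", ":")).encode()


def sign_run(secret: bytes, commit_sha: str, run_type: str,
             stack_id: str, issued_at: int) -> str:
    """Build the metadata string to pass to Spacelift when creating the run."""
    params = {"commit_sha": commit_sha, "run_type": run_type,
              "stack_id": stack_id, "issued_at": issued_at}
    payload = canonical_payload(params)
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return ":".join([VERSION,
                     base64.urlsafe_b64encode(payload).decode(),
                     base64.urlsafe_b64encode(mac).decode()])


def verify_metadata(secret: bytes, metadata: str, expected: dict,
                    now: int, max_age: int = 900) -> tuple:
    """Check one metadata entry against what the backend says the run is.

    Returns (ok, reason). `expected` holds the run parameters the policy
    input reports (commit SHA, run type, stack); the signed payload must
    match them and must have been issued within `max_age` seconds.
    """
    parts = metadata.split(":")
    if len(parts) != 3 or parts[0] != VERSION:
        return False, "unrecognised metadata format"
    try:
        payload = base64.urlsafe_b64decode(parts[1])
        mac = base64.urlsafe_b64decode(parts[2])
    except ValueError:
        return False, "bad base64"
    # Recompute the MAC over the received payload and compare in constant time.
    expected_mac = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected_mac):
        return False, "signature mismatch"
    params = json.loads(payload)
    # A valid signature over the wrong run is still a rejection.
    for key, value in expected.items():
        if params.get(key) != value:
            return False, f"{key} does not match signed value"
    age = now - int(params.get("issued_at", 0))
    if age < 0 or age > max_age:
        return False, "signature expired or issued in the future"
    return True, "ok"


def run_is_signed(secret: bytes, metadata_entries: list, expected: dict,
                  now: int) -> bool:
    """A run may carry several entries (one more is added on confirm);
    accept the run if any of them is a valid signature for it."""
    return any(verify_metadata(secret, m, expected, now)[0]
               for m in metadata_entries)


if __name__ == "__main__":
    # Exec-binary mode: read the hypothetical JSON document on stdin, take the
    # secret from an environment variable of our own naming, exit 0 if signed.
    doc = json.load(sys.stdin)
    secret = os.environ["RUN_SIGNING_SECRET"].encode()  # hypothetical name
    ok = run_is_signed(secret, doc.get("user_provided_metadata", []),
                       doc["expected"], int(time.time()))
    print("signed" if ok else "unsigned")
    sys.exit(0 if ok else 1)
```

The freshness window bounds how long a captured signature stays useful, and binding the stack and commit into the signed payload stops a signature issued for one run from being replayed on another; keep the verifier's secret on the private worker only, since anyone who can create runs can read the metadata they attach.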
Tip
We created a reference implementation to demonstrate how to sign runs and verify signatures.