forked from spotify/styx
-
Notifications
You must be signed in to change notification settings - Fork 0
/
styx-standalone.conf
99 lines (81 loc) · 3.93 KB
/
styx-standalone.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
# ttls for stale states in ISO-8601 duration format
styx.stale-state-ttls = {
new = "PT30M"
creating = "PT30M"
submitted = "PT10M"
running = "PT24H"
terminated = "PT30M"
failed = "PT30M"
awaiting_retry = "PT8H"
# applies to all other states
default = "P2D"
}
# gke cluster
styx.gke.default.project-id = ""
styx.gke.default.cluster-zone = ""
styx.gke.default.cluster-id = ""
styx.gke.default.namespace = ""
# k8s request timeout in ms
styx.k8s.request-timeout = 60000
# bigtable instance
styx.bigtable.project-id = ""
styx.bigtable.instance-id = ""
# datastore config
styx.datastore.project-id = ""
styx.datastore.namespace = ""
# configuration for http interface
http.server.port = 8080
http.server.port = ${?HTTP_PORT}
# styx environment that will be injected into container as environment variable STYX_ENVIRONMENT
styx.environment = "production"
# A flag to disable the warmup of resource IDs cache used for authentication and only fill in cache when needed.
# Default to false
styx.authentication.disable-resource-id-cache-warmup = false
# A white list of domains whose users should be granted access to perform non-GET requests against the Styx API.
styx.authentication.domain-whitelist = [
# "foo.com",
# "bar.com",
]
# A white list of GCP Organizations, folders and projects whose service accounts should be granted
# access to perform non-GET requests against the Styx API. Access is hierarchically inherited.
styx.authentication.resource-whitelist = [
# { type: "organization", id: "foo-4711" },
# { type: "folder", id: "bar-4711" },
# { type: "project", id: "baz-4711" },
]
# A list of allowed audiences for ID tokens. If enabled, non-GET requests must be authorized with an ID token with
# one or more of the target audiences in this list. This prevents Styx from accepting ID tokens intended for other
# service APIs.
# styx.authentication.allowed-audiences = [
# "https://styx.example.net",
# "123456789012-823nsdf8whq4r4tbsjdhg923nksrgj04.apps.googleusercontent.com",
# ]
# A list of styx system administrators that should be authorized to manipulate any workflow and use any service account.
# Note: The principal type must be prefixed as below in the commented out example.
# styx.authorization.administrators = [
# "user:[email protected]",
# "serviceAccount:[email protected]",
# "group:[email protected]"
# ]
# A list of principals that should not be authorized to manipulate any workflows nor use any service accounts,
# even if authorized to do so by users.
# styx.authorization.blacklist = [
# "user:[email protected]",
# "serviceAccount:[email protected]",
# "group:[email protected]"
# ]
# The role that a principal should have either on the workflow service account or in the
# gcp project of the workflow service account in order to be allowed to create/modify a workflow using it.
# If unset, authenticated users can use any service account in their workflows.
# styx.authorization.service-account-user-role = "organizations/3141592/roles/StyxWorkflowServiceAccountUser"
# The GSuite user that should be impersonated when making GSuite Directory API requests.
# Required if styx.authorization.service-account-user-role is set.
# styx.authorization.gsuite-user = [email protected]
# Whether styx should require authorization for all workflows. Default: false.
# styx.authorization.require.all = false
# A list of workflows that require authorization. Has no effect if authorization for all
# workflows is enabled using `styx.authorization.require.all = true`.
# styx.authorization.require.workflows = ["component#workflow-id"]
# A message to include in the 403 Forbidden response to user requests that fail authorization. Can be used to
# E.g. refer to organization-specific documentation on how users can set up authorization.
# styx.authorization.message = "See instructions at https://example.com/docs/styx/auth."