Introduction to Pipeline Chaining
Pipeline chaining involves using the output of one pipeline as input for another. You can link multiple processing steps together and execute them sequentially, creating a more complex workflow.
Pipeline chaining is documented in detail in "Pipeline chaining in Harness" on the Harness Developer Hub.
Problem Statement
Suppose you have a parent and a child pipeline, and the child pipeline uses pipeline output variables. All of these variables are available from the parent pipeline to the child pipeline. Some of the variables from the parent pipeline might contain sensitive information that you would like to scope as local pipeline variables, so that they cannot be accessed from the parent pipeline.
Solution
Here is an example OPA policy that restricts users from using a particular variable expression:
- Create a policy on the parent pipeline module (expression validation) that prevents any user from using that expression in the pipeline. In the policy, you provide the FQN of the expression that you do not want anyone to use.
- Create a policy set to enable the above policy.
Here is an example policy:
    package pipeline

    # Deny chained-pipeline stages whose outputs use the restricted expression
    deny[msg] {
        # Find all stages that are chained pipelines (stage type "Pipeline") ...
        input.pipeline.stages[i].stage.type == "Pipeline"
        # ... that are in the set of stages with an output using the restricted expression
        stages_with_restricted_expression[i]
        # Show a human-friendly error message
        msg := "pipeline stage output uses the restricted expression <+pipeline.name>"
    }

    # Find the set of stages with an output whose value is the restricted expression
    stages_with_restricted_expression[i] {
        input.pipeline.stages[i].stage.spec.outputs[_].value == "<+pipeline.name>"
        # <+pipeline.name> is the expression used in this example; replace it with the expression you want to restrict
    }
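An added example, not part of the original article or Harness's own code: a variant of the policy that takes a set of restricted expressions and also matches when one is embedded in a longer output value, with unit tests over constructed input. It goes beyond the exact-match case above; the names restricted_expressions and pipeline_with_output, the stage identifier and output name fields, and the sample values are assumptions.

```rego
package pipeline

# Assumption: the expressions to block. "<+pipeline.name>" is the one used in this article.
restricted_expressions := {"<+pipeline.name>"}

# Deny every chained-pipeline stage output whose value contains a restricted expression.
deny[msg] {
    stage := input.pipeline.stages[_].stage
    stage.type == "Pipeline"
    output := stage.spec.outputs[_]
    restricted_expressions[expr]
    # Substring match, so "build-<+pipeline.name>" is caught as well as the bare expression.
    contains(output.value, expr)
    # object.get keeps the rule defined when the assumed fields are missing,
    # so a stage without an identifier or an unnamed output is still denied.
    stage_id := object.get(stage, "identifier", "<unknown stage>")
    output_name := object.get(output, "name", "<unnamed output>")
    msg := sprintf("stage '%s': output '%s' uses restricted expression %s", [stage_id, output_name, expr])
}

# Constructed sample input (not from a real pipeline): one chained stage with
# an allowed output and a second output whose value is supplied by the test.
pipeline_with_output(value) = {"pipeline": {"stages": [{"stage": {
    "identifier": "child_pipeline",
    "type": "Pipeline",
    "spec": {"outputs": [
        {"name": "region", "value": "<+pipeline.variables.region>"},
        {"name": "candidate", "value": value}
    ]}
}}]}}

test_exact_expression_is_denied {
    inp := pipeline_with_output("<+pipeline.name>")
    count(deny) == 1 with input as inp
}

test_embedded_expression_is_denied {
    inp := pipeline_with_output("build-<+pipeline.name>")
    count(deny) == 1 with input as inp
}

test_other_expression_is_allowed {
    inp := pipeline_with_output("<+pipeline.variables.env>")
    count(deny) == 0 with input as inp
}
```

The tests run with `opa test`; the block uses the same rule syntax as the policy above, which OPA 1.0 and later accept only with `--v0-compatible`.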
And the policy set to apply:
Finally, an example evaluation:
That’s all for this article. Happy building, deploying, and much more with Harness!