Feature #13135

Updated by Peter Amstutz over 2 years ago

String-type inputs to a workflow can be marked "secret: true".

arvados-cwl-runner ensures that secrets are obscured using "secret_mounts" in container requests.

Secrets are entered into a "secrets" list inside workflow runner.

When submitting a job, any mount or environment variable that contains any string in the "secrets" list is placed in "secret_mounts" or "secret_environment".

In addition, any command line argument that contains a secret could go into a "secret_command". (In the container request, this is merged with the regular command line. Something like a list of null values or strings: null values are skipped, strings replace the corresponding position in the command line.)

Assumption: workflows don't modify the contents of secrets. This seems reasonable.

The a-c-r logger has a filter that checks whether any string in the "secrets" list appears in output and obscures it.

When submitting the workflow runner, any secrets are placed in file literals in "secret_mounts"; the secret parameters appear in the input.json file as an $include which reads the secret file contents when the runner executes.
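As an added illustration of the splitting, merging and log-filtering rules described above (hypothetical helper code written for this note, not arvados-cwl-runner's own implementation; the `split_container_request`, `merge_command` and `SecretFilter` names are assumptions):

```python
import logging

# Hypothetical helpers modelled on the note's design, not arvados-cwl-runner's own code.
REDACTED = "********"

def contains_secret(value, secrets):
    """True if any non-empty secret string occurs in the stringified value."""
    text = value if isinstance(value, str) else repr(value)
    return any(s and s in text for s in secrets)

def obscure(text, secrets):
    """Replace every occurrence of a known secret in text with REDACTED."""
    for s in secrets:
        if s:
            text = text.replace(s, REDACTED)
    return text

def split_container_request(mounts, environment, command, secrets):
    """Move mounts, env vars and command words containing a secret into
    secret_mounts / secret_environment / secret_command.  secret_command is
    positionally aligned with command: None where the word is not secret."""
    req = {"mounts": {}, "environment": {}, "command": [],
           "secret_mounts": {}, "secret_environment": {}, "secret_command": []}
    for k, v in mounts.items():
        req["secret_mounts" if contains_secret(v, secrets) else "mounts"][k] = v
    for k, v in environment.items():
        req["secret_environment" if contains_secret(v, secrets) else "environment"][k] = v
    for word in command:
        secret = contains_secret(word, secrets)
        req["command"].append(REDACTED if secret else word)
        req["secret_command"].append(word if secret else None)
    return req

def merge_command(command, secret_command):
    """Execution-time merge: None entries are skipped, strings replace that position."""
    merged = list(command)
    for i, word in enumerate(secret_command):
        if word is not None:
            merged[i] = word
    return merged

class SecretFilter(logging.Filter):
    """Logging filter that obscures every known secret in the rendered message."""
    def __init__(self, secrets):
        super().__init__()
        self.secrets = list(secrets)

    def filter(self, record):
        record.msg, record.args = obscure(record.getMessage(), self.secrets), ()
        return True
```

Substring matching is enough only under the assumption stated above that workflows never modify the secret values.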

TBD
