_ __ __
___ _ __ (_)/ _|/ _| _ _
/ __| '_ \| | |_| |_ _| |_ _| |_
\__ \ |_) | | _| _|_ _|_ _|
|___/ .__/|_|_| |_| |_| |_|
|_|
NOTE: Active development on spiff is currently paused, including Pull Requests. spiff++
is a fork of spiff that provides a compatible extension to spiff based on the latest version offering a rich set of new features not yet available in spiff. All fixes provided by the original spiff project will be incorporated into spiff++, also. Because there will be no way back to the spiff source base a new independent spiff++ repository has been created to continue development of spiff++.
spiff is a command line tool and declarative in-domain hybrid YAML templating system. While regular templating systems process a template file by substituting the template expressions by values taken from external data sources, in-domain means that the templating engine knows about the syntax and structure of the processed template. It therefore can take the values for the template expressions directly from the document processed, including those parts denoted by the template expressions itself.
For example:
resource:
name: bosh deployment
version: 25
url: (( "http://resource.location/bosh?version=" version ))
description: (( "This document describes a " name " located at " url ))
Instead of using only external value sources spiff provides a merging mechanism to merge a template with any number of merging stubs to produce a final document.
It is a command line tool and declarative YAML templating system, specially designed for generating deployment manifests (for example BOSH, Kubernetes or Landscaper manifests).
Besides the CLI there is a golang library enabling the usage of the spiff template processing in any GO program (for example Landscaper).
The templating engine offers enabling access to the filesystem based on a configurable virtual filesystem or the process system to execute commands and incorporate the output into the template processing.
Contents:
- Installation
- Usage
- Feature Flags
- Libraries
- dynaml Templating Language
- (( foo ))
- (( foo.bar.[1].baz ))
- (( foo.[bar].baz ))
- (( list.[1..3] ))
- (( tag::foo ))
- (( 1.2e4 ))
- (( "foo" ))
- (( [ 1, 2, 3 ] ))
- (( { "alice" = 25 } ))
- (( ( "alice" = 25 ) alice ))
- (( foo bar ))
- (( auto ))
- (( merge ))
- (( a || b ))
- (( 1 + 2 * foo ))
- (( "10.10.10.10" - 11 ))
- (( a > 1 ? foo :bar ))
- (( 5 -or 6 ))
- Functions
- (( format( "%s %d", alice, 25) ))
- (( join( ", ", list) ))
- (( split( ",", string) ))
- (( trim(string) ))
- (( element(list, index) ))
- (( element(map, key) ))
- (( compact(list) ))
- (( uniq(list) ))
- (( contains(list, "foobar") ))
- (( index(list, "foobar") ))
- (( lastindex(list, "foobar") ))
- (( basename(path) ))
- (( dirname(path) ))
- (( parseurl("http://github.com") ))
- (( sort(list) ))
- (( replace(string, "foo", "bar") ))
- (( substr(string, 1, 3) ))
- (( match("(f.)(b.)", "xxxfoobar") ))
- (( keys(map) ))
- (( length(list) ))
- (( base64(string) ))
- (( hash(string) ))
- (( bcrypt("password", 10) ))
- (( bcrypt_check("password", hash) ))
- (( md5crypt("password") ))
- (( md5crypt_check("password", hash) ))
- (( decrypt("secret") ))
- (( rand("[:alnum:]", 10) ))
- (( type(foobar) ))
- (( defined(foobar) ))
- (( valid(foobar) ))
- (( require(foobar) ))
- (( stub(foo.bar) ))
- (( tagdef("tag", value) ))
- (( eval(foo "." bar ) ))
- (( env( HOME" ) ))
- (( static_ips(0, 1, 3) ))
- (( ipset(ranges, 3, 3,4,5,6) ))
- (( list_to_map(list, "key") ))
- (( makemap(fieldlist) ))
- (( makemap(key, value) ))
- (( merge(map1, map2) ))
- (( intersect(list1, list2) ))
- (( reverse(list) ))
- (( parse(yamlorjson) ))
- (( asjson(expr) ))
- (( asyaml(expr) ))
- (( catch(expr) ))
- (( validate(value,"dnsdomain") ))
- (( check(value,"dnsdomain") ))
- (( error("message") ))
- Math
- Conversions
- Accessing External Content
- Semantic Versioning Functions
- (( semver("v1.2-beta.1") ))
- (( semverrelease("v1.2.3-beta.1") ))
- (( semvermajor("1.2.3-beta.1") ))
- (( semverminor("1.2.3-beta.1") ))
- (( semverpatch("1.2.3-beta.1") ))
- (( semverprerelease("1.2.3-beta.1") ))
- (( semvermetadata("1.2.3+demo") ))
- (( semvercmp("1.2.3", "1.2.3-beta.1") ))
- (( semvermatch("1.2.3", "~1.2") ))
- (( semversort("1.2.3", "1.2.1") ))
- X509 Functions
- Wireguard Functions
- (( lambda |x|->x ":" port ))
- (( catch[expr|v,e|->v] ))
- (( sync[expr|v,e|->defined(v.field),v.field|10] ))
- Inline List Expansion (( [a, list..., b] ))
- Mappings
- Aggregations
- Projections
- Markers
- Tags
- Templates
- Scope References
- Special Literals
- Access to evaluation context
- Operation Priorities
- String Interpolation
- YAML-based Control Structures
- Structural Auto-Merge
- Bringing it all together
- Useful to Know
- Error Reporting
- Using spiff as Go Library
Official release executable binaries can be downloaded via Github releases for Darwin, Linux and PowerPC machines (and virtual machines).
Some of spiff's dependencies have changed since the last official release, and spiff will not be updated to keep up with these dependencies. Working dependencies are vendored in the Godeps
directory (more information on the godep
tool is available here). As such, trying to go get
spiff will likely fail; the only supported way to use spiff is to use an official binary release.
Merge a bunch of template files into one manifest, printing it out.
See 'dynaml templating language' for details of the template file, or examples/ subdir for more complicated examples.
Example:
spiff merge cf-release/templates/cf-deployment.yml my-cloud-stub.yml
It is possible to read one file from standard input by using the file
name -
. It may be used only once. This allows using spiff as part of a
pipeline to just process a single stream or to process a stream based on
several templates/stubs.
The template file (first argument) may be a multiple-document stream
containing multiple YAML documents separated by a line containing only ---
.
Each YAML document will be processed independently with the given stub files.
The result is the stream of processed documents in the same order.
If a document's root node is marked as temporary, the document is omitted
from the output stream.
For example, this can be used to generate kubernetes manifests to be used
by kubectl
.
The merge
command offers several options:
-
The option
--partial
. If this option is given spiff handles incomplete expression evaluation. All errors are ignored and the unresolvable parts of the yaml document are returned as strings. -
With the option
--json
the output will be in JSON format instead of YAML. -
The option
--path <path>
can be used to output a nested path, instead of the the complete processed document. -
If the output is a list, the option
--split
outputs every list element as separate documen. The yaml format uses as usual---
as separator line. The json format outputs a sequence of json documents, one per line. -
With
--select <field path>
it is possible to select a dedicated field of the processed document for the output -
With
--evaluate <dynaml expression>
it is possible to evaluate a given dynaml expression on the processed document for the output. The expression is evaluated before the selection path is applied, which will then work on the evaluation result. -
The option
--state <path>
enables the state support of spiff. If the given file exists it is put on top of the configured stub list for the given file exists it is put on top of the configured stub list for the merge processing. Additionally to the output of the processed document it is filtered for nodes marked with the&state
marker. This filtered document is then stored under the denoted file, saving the old state file with the.bak
suffix. This can be used together with a manual merging as offered by the state utility library. -
With option
--bindings <path>
a yaml file can be specified, whose content is used to build additional bindings for the processing. The yaml document must consist of a map. Each key is used as additional binding. The bindings document is not processed, the values are used as defined. -
With option
--tag <tag>:<path>
a yaml file can be specified, whose content is used as value for a predefined global tag (see Tags). Tags can be accessed by reference expressions of the form<tag>::<ref>
. In contrast to bindings tagged content does not compete with the nodes in the document, it uses another reference namespace. -
With option
--define <key>=<value>
(shorthand-D
) additional binding values can be specified on the command line overriding binding values from the binding file. The option may occur multiple times. -
The option
--preserve-escapes
will preserve the escaping for dynaml expressions and list/map merge directives. This option can be used if further processing steps of a processing result with spiff is intended. -
The option
--preserve-temporary
will preserve the fields marked as temporary in the final document. -
The option
--features=<featurelist>
will enable this given features. New features that are incompatible with the old behaviour must be explicitly enabled. Typically those feature do not break the common behavior but introduce a dedicated interpretation for yaml values that were used as regular values before.
The folder libraries offers some useful utility libraries. They can also be used as an example for the power of this templating engine.
Show structural differences between two deployment manifests. Here streams with multiple documents are supported, also. To indicate no difference the number of documents in both streams must be identical and each document in the first stream must have no difference compared to the document with the same index in the second stream. Found differences are shown for each document separately.
Unlike basic diffing tools and even bosh diff
, this command has semantic
knowledge of a deployment manifest, and is not just text-based. For example,
if two manifests are the same except they have some jobs listed in different
orders, spiff diff
will detect this, since job order matters in a manifest.
On the other hand, if two manifests differ only in the order of their
resource pools, for instance, then it will yield and empty diff since
resource pool order doesn't actually matter for a deployment.
Also unlike bosh diff
, this command doesn't modify either file.
It's tailed for checking differences between one deployment and the next.
Typical flow:
$ spiff merge template.yml [templates...] > deployment.yml
$ bosh download manifest [deployment] current.yml
$ spiff diff deployment.yml current.yml
$ bosh deployment deployment.yml
$ bosh deploy
The convert
sub command can be used to convert input files to json or
just to normalize the order of the fields.
Available options are --json
, --path
, --split
or --select
according
to their meanings for the merge
sub command.
The encrypt
sub command can be used to encrypt or decrypt data
according to the encrypt
dynaml function.
The password can be given as second argument or it is taken from the
environment variable SPIFF_ENCRYPTION_KEY
. The last argument can be used
to pass the encryption method (see encrypt
function)
The data is taken from the specified file. If -
is given, it is read from
stdin.
If the option -d
is given, the data is decrypted, otherwise the data is
read as yaml document and the encrypted result is printed.
New features that are incompatible with the old behaviour must be explicitly enabled. Typically those features do not break the common behavior but introduce a dedicated interpretation for yaml values that were used as regular values before and can therefore break existing use cases.
The following feature flags are currently supported:
Feature | Since | State | Meaning |
---|---|---|---|
interpolation |
1.7.0-beta-1 | alpha | dynaml as part of yaml strings |
control |
1.7.0-beta-4 | alpha | yaml based control structures |
Active feature flags can be queried using the dynaml function
features()
as list of strings. If this function is called with a string
argument, it returns whether the given feature is currenty enabled.
Features can be enabled by command line using the --features
option,
by the go library using the WithFeatures
function or generally
by setting the environment variable SPIFF_FEATURES
to a feature list.
This setting is alwas used as default. By using the Plain()
spiff
settings from the go library all environment variables are ignored.
A feature can be specified by name or by name prepended with the prefix no
to disable it.
The libraries folder contains some useful spiff template libraries. These are basically just stubs that are added to the merge file list to offer the utility functions for the merge processing.
Spiff uses a declarative, logic-free templating language called 'dynaml' (dynamic yaml).
Every dynaml node is guaranteed to resolve to a YAML node. It is not string interpolation. This keeps developers from having to think about how a value will render in the resulting template.
A dynaml node appears in the .yml file as a string denoting an expression
surrounded by two parentheses (( <dynaml> ))
. They can be used as the
value of a map or an entry in a list. The expression might span multiple
lines. In any case the yaml string value must not end with a newline
(for example using |-
)
If a parenthesized value should not be interpreted as an dynaml expression and kept as it is in the output, it can be escaped by an exclamation mark directly after the openeing brackets.
For example, ((! .field ))
maps to the string value (( .field ))
and
((!! .field ))
maps to the string value ((! .field ))
.
The following is a complete list of dynaml expressions:
Look for the nearest 'foo' key (i.e. lexical scoping) in the current template and bring it in.
e.g.:
fizz:
buzz:
foo: 1
bar: (( foo ))
bar: (( foo ))
foo: 3
bar: (( foo ))
This example will resolve to:
fizz:
buzz:
foo: 1
bar: 1
bar: 3
foo: 3
bar: 3
The following will not resolve because the key name is the same as the value to be merged in:
foo: 1
hi:
foo: (( foo ))
Look for the nearest 'foo' key, and from there follow through to .bar.[1].baz
.
A path is a sequence of steps separated by dots. A step is either a word for maps, or digits surrounded by brackets for list indexing. The index might be negative (a minus followed by digits). Negative indices are taken from then end of the list (effective index = index + length(list)).
A path that cannot be resolved lead to an evaluation error. If a reference is expected to sometimes not be provided, it should be used in combination with '||' (see below) to guarantee resolution.
Note: The dynaml grammer has been reworked to enable the usual index syntax,
now. Instead of foo.bar.[1]
it is possible now to use foo.bar[1]
.
Note: References are always within the template or stub, and order does not matter. You can refer to another dynamic node and presume it's resolved, and the reference node will just eventually resolve once the dependent node resolves.
e.g.:
properties:
foo: (( something.from.the.stub ))
something: (( merge ))
This will resolve as long as 'something' is resolveable, and as long as it brings in something like this:
from:
the:
stub: foo
If the path starts with a dot (.
) the path is always evaluated from the root
of the document.
List entries consisting of a map with name
field can directly be addressed
by their name value as path component.
e.g.:
The age of alice in
list:
- name: alice
age: 25
can be referenced by using the path list.alice.age
, instead of list[0].age
.
By default a field with name name
is used as key field. If another field
should be used as key field, it can be marked in one list entry as key by
prefixing the field name with the keyword key:
. This keyword is removed
from by the processing and will not be part of the final processing result.
e.g.:
list:
- key:person: alice
age: 25
alice: (( list.alice ))
will be resolved to
list:
- person: alice
age: 25
alice:
person: alice
age: 25
This new key field will also be observed during the merging of lists.
Look for the nearest 'foo' key, and from there follow through to the
field(s) described by the expression bar
and then to .baz.
The index may be an integer constant (without spaces) as described in the last section. But it might also be an arbitrary dynaml expression (even an integer, but with spaces). If the expression evaluates to a string, it lookups the dedicated field. If the expression evaluates to an integer, the array element with this index is addressed.
e.g.:
properties:
name: alice
foo: (( values.[name].bar ))
values:
alice:
bar: 42
This will resolve foo
to the value 42
. The dynamic index may also be at
the end of the expression (without .bar
).
Basically this is the simplier way to express something like eval("values." name ".bar")
If the expression evaluates to a list, the list elements (strings or integers) are used as path elements to access deeper fields.
e.g.:
properties:
name:
- foo
- bar
foo: (( values.[name] ))
values:
foo:
bar: 42
resolves foo
again to the value 42
.
The slice expression can be used to extract a dedicated sub list from a list
expression. The range start ..
end extracts a list of the length
end-start+1 with the elements from
index start to end. If the start index is negative the slice is taken
from the end of the list from length+start to length+end. If the end
index is lower than the start index, the result is an empty array.
e.g.:
list:
- a
- b
- c
foo: (( list.[1..length(list) - 1] ))
The start or end index might be omitted. It is then selected according to the
actual size of the list. Therefore list.[1..length(list)]
is equivalent
to list.[1..]
.
evaluates foo
to the list [b,c]
.
Number literatls are supported for integers and floating point values.
String literal. All json string encodings are supported
(for exmple \n
, \"
or \uxxxx
).
List literal. The list elements might again be expressions. There is a special list literal [1 .. -1]
, that can be used to resolve an increasing or descreasing number range to a list.
e.g.:
list: (( [ 1 .. -1 ] ))
yields
list:
- 1
- 0
- -1
The map literal can be used to describe maps as part of a dynaml expression. Both,
the key and the value, might again be expressions, whereby the key expression must
evaluate to a string. This way it is possible to create maps with non-static keys.
The assignment operator =
has been chosen instead of the regular colon :
character used in yaml, because this would result in conflicts with the yaml
syntax.
A map literal might consist of any number of field assignments separated by a
comma ,
.
e.g.:
name: peter
age: 23
map: (( { "alice" = {}, name = age } ))
yields
name: peter
age: 23
map:
alice: {}
peter: 23
Another way to compose lists based on expressions are the functions
makemap
and list_to_map
.
Any expression may be preluded by any number of explicit scope literals. A scope literal describes a map whose values are available for relative reference resolution of the expression (static scope). It creates an additional local binding for given names.
A scope literal might consist of any number of field assignments separated by a
comma ,
. The key as well as the value are given by expressions, whereas the
key expression must evaluate to a string. All expressions are evaluated in the
next outer scope, this means later settings in a scope cannot use earlier
settings in the same scope literal.
e.g.:
scoped: (( ( "alice" = 25, "bob" = 26 ) alice + bob ))
yields
scoped: 51
A field name might also be denoted by a symbol ($
name).
Concatenation expression used to concatenate a sequence of dynaml expressions.
Concatenation (where bar is another dynaml expr). Any sequences of simple values (string, integer and boolean) can be concatenated, given by any dynaml expression.
e.g.:
domain: example.com
uri: (( "https://" domain ))
In this example uri
will resolve to the value "https://example.com"
.
Concatenation of lists as expression (where bar is another dynaml expr). Any sequences of lists can be concatenated, given by any dynaml expression.
e.g.:
other_ips: [ 10.0.0.2, 10.0.0.3 ]
static_ips: (( ["10.0.1.2","10.0.1.3"] other_ips ))
In this example static_ips
will resolve to the value [ 10.0.1.2, 10.0.1.3, 10.0.0.2, 10.0.0.3 ]
.
If the second expression evaluates to a value other than a list (integer, boolean, string or map), the value is appended to the first list.
e.g.:
foo: 3
bar: (( [1] 2 foo "alice" ))
yields the list [ 1, 2, 3, "alice" ]
for bar
.
Concatenation of maps as expression. Any sequences of maps can be concatenated, given by any dynaml expression. Thereby entries will be merged. Entries with the same key are overwritten from left to right.
e.g.:
foo:
alice: 24
bob: 25
bar:
bob: 26
paul: 27
concat: (( foo bar ))
yields
foo:
alice: 24
bob: 25
bar:
bob: 26
paul: 27
concat:
alice: 24
bob: 26
paul: 27
Context-sensitive automatic value calculation.
In a resource pool's 'size' attribute, this means calculate based on the total instances of all jobs that declare themselves to be in the current resource pool.
e.g.:
resource_pools:
- name: mypool
size: (( auto ))
jobs:
- name: myjob
resource_pool: mypool
instances: 2
- name: myotherjob
resource_pool: mypool
instances: 3
- name: yetanotherjob
resource_pool: otherpool
instances: 3
In this case the resource pool size will resolve to '5'.
Bring the current path in from the stub files that are being merged in.
e.g.:
foo:
bar:
baz: (( merge ))
Will try to bring in foo.bar.baz
from the first stub, or the second, etc.,
returning the value from the last stub that provides it.
If the corresponding value is not defined, it will return nil. This then has the
same semantics as reference expressions; a nil merge is an unresolved template.
See ||
.
Merging of maps or lists with the content of the same element found in some stub.
** Attention **
This form of merge
has a compatibility propblem. In versions before 1.0.8, this expression
was never parsed, only the existence of the key <<:
was relevant. Therefore there are often
usages of <<: (( merge ))
where <<: (( merge || nil ))
is meant. The first variant would
require content in at least one stub (as always for the merge operator). Now this expression
is evaluated correctly, but this would break existing manifest template sets, which use the
first variant, but mean the second. Therfore this case is explicitly handled to describe an
optional merge. If really a required merge is meant an additional explicit qualifier has to
Note: Instead of using a <<:
insert field to place merge expressions it is
possible now to use <<<:
, also, which allows to use regular yaml parsers for
spiff-like yaml documents. <<:
is kept for backward compatibility.
be used ((( merge required ))
).
If the merge key should not be interpreted as regular key instead of a merge
directive, it can be escaped by an excalamtion mark (!
).
For example, a map key <<<!
will result in a string key <<<
and <<<!!
will result in a string key <<<!
values.yml
foo:
a: 1
b: 2
template.yml
foo:
<<: (( merge ))
b: 3
c: 4
spiff merge template.yml values.yml
yields:
foo:
a: 1
b: 2
c: 4
values.yml
foo:
- 1
- 2
template.yml
foo:
- 3
- <<: (( merge ))
- 4
spiff merge template.yml values.yml
yields:
foo:
- 3
- 1
- 2
- 4
spiff
is able to merge lists of maps with a key field. Those lists are handled like maps with the value of the key field as key. By default the key name
is used. But with the selector on
an arbitrary key name can be specified for a list-merge expression.
e.g.:
list:
- <<: (( merge on key ))
- key: alice
age: 25
- key: bob
age: 24
merged with
list:
- key: alice
age: 20
- key: peter
age: 13
yields
list:
- key: peter
age: 13
- key: alice
age: 20
- key: bob
age: 24
If no insertion of new entries is desired (as requested by the insertion merge expression), but only overriding of existent entries, one existing key field can be prefixed with the tag key:
to indicate a non-standard key name, for example - key:key: alice
.
Replaces the complete content of an element by the content found in some stub instead of doing a deep merge for the existing content.
values.yml
foo:
a: 1
b: 2
template.yml
foo:
<<: (( merge replace ))
b: 3
c: 4
spiff merge template.yml values.yml
yields:
foo:
a: 1
b: 2
values.yml
foo:
- 1
- 2
template.yml
foo:
- <<: (( merge replace ))
- 3
- 4
spiff merge template.yml values.yml
yields:
foo:
- 1
- 2
Merging of maps and lists found in the same template or stub.
foo:
a: 1
b: 2
bar:
<<: (( foo )) # any dynaml expression
b: 3
yields:
foo:
a: 1
b: 2
bar:
a: 1
b: 3
This expression just adds new entries to the actual list. It does not merge existing entries with the content described by the merge expression.
bar:
- 1
- 2
foo:
- 3
- <<: (( bar ))
- 4
yields:
bar:
- 1
- 2
foo:
- 3
- 1
- 2
- 4
A common use-case for this is merging lists of static ips or ranges into a list of ips. Another possibility is to use a single concatenation expression.
Merging of maps or lists with the content of an arbitrary element found in some stub (Redirecting merge). There will be no further (deep) merge with the element of the same name found in some stub. (Deep merge of lists requires maps with field name
)
Redirecting merges can be used as direct field value, also. They can be combined with replacing merges like (( merge replace foo ))
.
values.yml
foo:
a: 10
b: 20
bar:
a: 1
b: 2
template.yml
foo:
<<: (( merge bar))
b: 3
c: 4
spiff merge template.yml values.yml
yields:
foo:
a: 1
b: 2
c: 4
Another way doing a merge with another element in some stub could also be done the traditional way:
values.yml
foo:
a: 10
b: 20
bar:
a: 1
b: 2
template.yml
bar:
<<: (( merge ))
b: 3
c: 4
foo: (( bar ))
But in this scenario the merge still performs the deep merge with the original element name. Therefore
spiff merge template.yml values.yml
yields:
bar:
a: 1
b: 2
c: 4
foo:
a: 10
b: 20
c: 4
values.yml
foo:
- 10
- 20
bar:
- 1
- 2
template.yml
foo:
- 3
- <<: (( merge bar ))
- 4
spiff merge template.yml values.yml
yields:
foo:
- 3
- 1
- 2
- 4
If the reference of an redirecting merge is set to the constant none
,
no merge is done at all. This expressions always yields the nil value.
e.g.: for
template.yml
map:
<<: (( merge none ))
value: notmerged
values.yml
map:
value: merged
spiff merge template.yml values.yml
yields:
map:
value: notmerged
This can be used for explicit field merging using the stub
function
to access dedicated parts of upstream stubs.
e.g.:
template.yml
map:
<<: (( merge none ))
value: (( "alice" "+" stub(map.value) ))
values.yml
map:
value: bob
spiff merge template.yml values.yml
yields:
test:
value: alice+bob
This also works for dedicated fields:
template.yml
map:
value: (( merge none // "alice" "+" stub() ))
values.yml
map:
value: bob
spiff merge template.yml values.yml
yields:
test:
value: alice+bob
Uses a, or b if a cannot be resolved.
e.g.:
foo:
bar:
- name: some
- name: complicated
- name: structure
mything:
complicated_structure: (( merge || foo.bar ))
This will try to merge in mything.complicated_structure
, or, if it cannot be
merged in, use the default specified in foo.bar
.
The operator //
additionally checks, whether a
can be solved to a valid
value (not equal ~
).
Dynaml expressions can be used to execute arithmetic integer and floating-point calculations. Supported operations are +
, -
, *
, and /
.
The modulo operator (%
) only supports integer operands.
e.g.:
values.yml
foo: 3
bar: (( 1 + 2 * foo ))
spiff merge values.yml
yields 7
for bar
. This can be combined with concatentions (calculation has higher priority than concatenation in dynaml expressions):
foo: 3
bar: (( foo " times 2 yields " 2 * foo ))
The result is the string 3 times 2 yields 6
.
Besides arithmetic on integers it is also possible to use addition and subtraction on ip addresses and cidrs.
e.g.:
ip: 10.10.10.10
range: (( ip "-" ip + 247 + 256 * 256 ))
yields
ip: 10.10.10.10
range: 10.10.10.10-10.11.11.1
Subtraction also works on two IP addresses or cidrs to calculate the number of IP addresses between two IP addresses.
e.g.:
diff: (( 10.0.1.0 - 10.0.0.1 + 1 ))
yields the value 256. IP address constants can be directly used in dynaml expressions. They are implicitly converted to strings and back to IP addresses if required by an operation.
Multiplication and division can be used to handle IP range shifts on CIDRs. With division a network can be partioned. The network size is increased to allow at least a dedicated number of subnets below the original CIDR. Multiplication then can be used to get the n-th next subnet of the same size.
e.g.:
subnet: (( "10.1.2.1/24" / 12 )) # first subnet CIDR for 16 subnets
next: (( "10.1.2.1/24" / 12 * 2)) # 2nd next (3rd) subnet CIDRS
yields
subnet: 10.1.2.0/28
next: 10.1.2.32/28
Additionally there are functions working on IPv4 CIDRs:
cidr: 192.168.0.1/24
range: (( min_ip(cidr) "-" max_ip(cidr) ))
next: (( max_ip(cidr) + 1 ))
num: (( min_ip(cidr) "+" num_ip(cidr) "=" min_ip(cidr) + num_ip(cidr) ))
contains: (( contains_ip(cidr, "192.168.0.2") ))
yields
cidr: 192.168.0.1/24
range: 192.168.0.0-192.168.0.255
next: 192.168.1.0
num: 192.168.0.0+256=192.168.1.0
contains: true
Dynaml supports the comparison operators <
, <=
, ==
, !=
, >=
and >
. The comparison operators work on
integer values. The checks for equality also work on lists and maps. The result is always a boolean value. To negate a condition the unary not opertor (!
) can be used.
Additionally there is the ternary conditional operator ?:
, that can be used to evaluate expressions depending on a condition. The first operand is used as condition. The expression is evaluated to the second operand, if the condition is true, and to the third one, otherwise.
e.g.:
foo: alice
bar: bob
age: 24
name: (( age > 24 ? foo :bar ))
yields the value bob
for the property name
.
An expression is considered to be false
if it evaluates to
- the boolean value
false
- the integer value 0
- an empty string, map or list
Otherwise it is considered to be true
Remark
The use of the symbol :
may collide with the yaml syntax, if the complete expression is not a quoted string value.
The operators -or
and -and
can be used to combine comparison operators to compose more complex conditions.
Remark:
The more traditional operator symbol ||
(and &&
) cannot be used here, because the operator ||
already exists in dynaml with a different semantic, that does not hold for logical operations. The expression false || true
evaluates to false
, because it yields the first operand, if it is defined, regardless of its value. To be as compatible as possible this cannot be changed and the bare symbols or
and and
cannot be be used, because this would invalidate the concatenation of references with such names.
If both sides of an -or
or -and
operator evaluate to integer values, a bit-wise operation is executed and the result is again an integer. Therefore the expression 5 -or 6
evaluates to 7
.
Dynaml supports a set of predefined functions. A function is generally called like
result: (( functionname(arg, arg, ...) ))
Additional functions may be defined as part of the yaml document using lambda expressions. The function name then is either a grouped expression or the path to the node hosting the lambda expression.
Format a string based on arguments given by dynaml expressions. There is a second flavor of this function: error
formats an error message and sets the evaluation to failed.
Join entries of lists or direct values to a single string value using a given separator string. The arguments to join can be dynaml expressions evaluating to lists, whose values again are strings or integers, or string or integer values.
e.g.:
alice: alice
list:
- foo
- bar
join: (( join(", ", "bob", list, alice, 10) ))
yields the string value bob, foo, bar, alice, 10
for join
.
Split a string for a dedicated separator. The result is a list. Instead of a separator string an integer value might be given, which splits the give string into list of length limited strings. The length is counted in runes, not bytes.
e.g.:
list: (( split("," "alice, bob") ))
limited: (( split(4, "1234567890") ))
yields:
list:
- alice
- ' bob'
limited:
- "1234"
- "5678"
- "90"
An optional 3rd argument might be specified. It limits the number of returned list entries. The value -1 leads to an unlimited list length.
If a regular expression should
be used as separator string, the function split_match
can be used.
Trim a string or all elements of a list of strings. There is an optional second string argument. It can be used to specify a set of characters that will be cut. The default cut set consists of a space and a tab character.
e.g.:
list: (( trim(split("," "alice, bob")) ))
yields:
list:
- alice
- bob
Return a dedicated list element given by its index.
e.g.:
list: (( trim(split("," "alice, bob")) ))
elem: (( element(list,1) ))
yields:
list:
- alice
- bob
elem: bob
Return a dedicated map field given by its key.
map:
alice: 24
bob: 25
elem: (( element(map,"bob") ))
yields:
map:
alice: 24
bob: 25
elem: 25
This function is also able to handle keys containing dots (.).
Filter a list omitting empty entries.
e.g.:
list: (( compact(trim(split("," "alice, , bob"))) ))
yields:
list:
- alice
- bob
Uniq provides a list without dupliates.
e.g.:
list:
- a
- b
- a
- c
- a
- b
- 0
- "0"
uniq: (( uniq(list) ))
yields for field uniq
:
uniq:
- a
- b
- c
- 0
Checks whether a list contains a dedicated value. Values might also be lists or maps.
e.g.:
list:
- foo
- bar
- foobar
contains: (( contains(list, "foobar") ))
yields:
list:
- foo
- bar
- foobar
contains: true
The function contains
also works on strings to look for sub strings.
e.g.:
contains: (( contains("foobar", "bar") ))
yields true
.
The function basename
returns the name of the last element of a path.
The argument may either be a regular path name or a URL.
e.g.:
pathbase: (( basename("alice/bob") ))
urlbase: (( basename("http://foobar/alice/bob?any=parameter") ))
yields:
pathbase: bob
urlbase: bob
The function dirname
returns the parent directory of a path.
The argument may either be a regular path name or a URL.
e.g.:
pathbase: (( dirname("alice/bob") ))
urlbase: (( dirname("http://foobar/alice/bob?any=parameter") ))
yields:
pathbase: alice
urlbase: /alice
This function parses a URL and yield a map with all elements of an URL.
The fields port
, userinfo
and password
are optional.
e.g.:
url: (( parseurl("https://user:[email protected]:443/mandelsoft/spiff?branch=master&tag=v1#anchor") ))
yields:
url:
scheme: https
host: github.com
port: 443
path: /mandelsoft/spiff
fragment: anchor
query: branch=master&tag=v1
values:
branch: [ master ]
tag: [ v1 ]
userinfo:
username: user
password: pass
Checks whether a list contains a dedicated value and returns the index of the first match.
Values might also be lists or maps. If no entry could be found -1
is returned.
e.g.:
list:
- foo
- bar
- foobar
index: (( index(list, "foobar") ))
yields:
list:
- foo
- bar
- foobar
index: 2
The function index
also works on strings to look for sub strings.
e.g.:
index: (( index("foobar", "bar") ))
yields 3
.
The function lastindex
works like index
but the index of the last occurence is returned.
The function sort
can be used to sort integer or string lists. The sort
operation is stable.
e.g.:
list:
- alice
- foobar
- bob
sorted: (( sort(list) ))
yields for sorted
- alice
- bob
- foobar
If other types should be sorted, especially complex types like lists or maps, or
a different comparison rule is required, a
compare function can be specified as an optional second argument. The compare
function must be a lambda expression taking two arguments. The result type
must be integer
or bool
indicating whether a is less then b. If an
integer is returned it should be
- negative, if a<b
- zero, if a==b and
- positive if a>b
e.g.:
list:
- alice
- foobar
- bob
sorted: (( sort(list, |a,b|->length(a) < length(b)) ))
yields for sorted
- bob
- alice
- foobar
Replace all occurences of a sub string in a string by a replacement string. With an optional fourth integer argument the number of substitutions can be limited (-1 mean unlimited).
e.g.:
string: (( replace("foobar", "o", "u") ))
yields fuubar
.
If a regular expression should be used as search string the function
replace_match
can be used. Here the search string is evaluated as regular
expression. It may conatain sub expressions.
These matches can be used in the replacement string
e.g.:
string: (( replace_match("foobar", "(o*)b", "b${1}") ))
yields fbooar
.
The replacement argument might also be a lambda function. In this case, for every match the function is called to determine the replacement value. The single input argument is a list of actual sub expression matches.
e.g.:
string: (( replace_match("foobar-barfoo", "(o*)b", |m|->upper(m.[1]) "b" ) ))
yields fOObar-barfoo
.
Extract a stub string from a string, starting from a given start index up to an optional end index (exclusive). If no end index is given the sub struvt up to the end of the string is extracted. Both indices might be negative. In this case they are taken from the end of the string.
e.g.:
string: "foobar"
end1: (( substr(string,-2) ))
end2: (( substr(string,3) ))
range: (( substr(string,1,-1) ))
evaluates to
string: foobar
end1: ar
end2: bar
range: ooba
Returns the match of a regular expression for a given string value. The match is a list of the matched values for the sub expressions contained in the regular expression. Index 0 refers to the match of the complete regular expression. If the string value does not match an empty list is returned.
e.g.:
matches: (( match("(f.*)*(b.*)", "xxxfoobar") ))
yields:
matches:
- foobar
- foo
- bar
A third argument of type integer may be given to request a multi match of a maximum of n repetitions. If the value is negative all repetions are reported. The result is a list of all matches, each in the format described above.
Determine the sorted list of keys used in a map.
e.g.:
map:
alice: 25
bob: 25
keys: (( keys(map) ))
yields:
map:
alice: 25
bob: 25
keys:
- alice
- bob
Determine the length of a list, a map or a string value.
e.g.:
list:
- alice
- bob
length: (( length(list) ))
yields:
list:
- alice
- bob
length: 2
The function base64
generates a base64 encoding of a given string. base64_decode
decodes a base64 encoded string.
e.g.:
base64: (( base64("test") ))
test: (( base64_decode(base64)))
evaluates to
base54: dGVzdA==
test: test
An optional second argument can be used to specify the maximum line length. In this case the result will be multi-line string.
The function hash
generates several kinds of hashes for the given string.
By default as sha256
hash is generated. An optional second argument specifies
the hash type. Possible types are md4
, md5
, sha1
, sha224
, sha256
,
sha384
, sha2512
, sha512/224
or sha512/256
.
md5
hashes can still be generated by the deprecated finctio md5(string)
.
e.g.:
data: alice
hash:
deprecated: (( md5(data) ))
md4: (( hash(data,"md4") ))
md5: (( hash(data,"md5") ))
sha1: (( hash(data,"sha1") ))
sha224: (( hash(data,"sha224") ))
sha256: (( hash(data,"sha256") ))
sha384: (( hash(data,"sha384") ))
sha512: (( hash(data,"sha512") ))
sha512_224: (( hash(data,"sha512/224") ))
sha512_256: (( hash(data,"sha512/256") ))
evaluates to
data: alice
hash:
deprecated: 6384e2b2184bcbf58eccf10ca7a6563c
md4: 616c69636531d6cfe0d16ae931b73c59d7e0c089c0
md5: 6384e2b2184bcbf58eccf10ca7a6563c
sha1: 522b276a356bdf39013dfabea2cd43e141ecc9e8
sha224: 38b7e5d5651aaf85694a7a7c6d5db1275af86a6df93a36b8a4a2e771
sha256: 2bd806c97f0e00af1a1fc3328fa763a9269723c8db8fac4f93af71db186d6e90
sha384: 96a5353e625adc003a01bdcd9b21b21189bdd9806851829f45b81d3dfc6721ee21f6e0e98c4dd63bc559f66c7a74233a
sha512: 408b27d3097eea5a46bf2ab6433a7234a33d5e49957b13ec7acc2ca08e1a13c75272c90c8d3385d47ede5420a7a9623aad817d9f8a70bd100a0acea7400daa59
sha512_224: c3b8cfaa37ae15922adf3d21606e3a9836ba2a9d7838b040b7c96fd7
sha512_256: ad0a339b08dc090fe3b16eae376f7e162836e8728da9c45466842e19508d7627
The function bcrypt
generates a bcrypt password hash for the given string
using the specified cost factor (defaulted to 10, if missing).
e.g.:
hash: (( bcrypt("password", 10) ))
evaluates to
hash: $2a$10$b9RKb8NLuHB.tM9haPD3N.qrCsWrZy8iaCD4/.cCFFCRmWO4h.koe
The function bcrypt_check
validates a password against a given bcrypt hash.
e.g.:
hash: $2a$10$b9RKb8NLuHB.tM9haPD3N.qrCsWrZy8iaCD4/.cCFFCRmWO4h.koe
valid: (( bcrypt_check("password", hash) ))
evaluates to
hash: $2a$10$b9RKb8NLuHB.tM9haPD3N.qrCsWrZy8iaCD4/.cCFFCRmWO4h.koe
valid: true
The function md5crypt
generates an Apache MD5 encrypted password hash for the
given string.
e.g.:
hash: (( md5crypt("password") ))
evaluates to
hash: $apr1$3Qc1aanY$16Sb5h7U1QrcqwZbDJIYZ0
The function md5crypt_check
validates a password against a given Apache MD5 encrypted hash.
e.g.:
hash: $2a$10$b9RKb8NLuHB.tM9haPD3N.qrCsWrZy8iaCD4/.cCFFCRmWO4h.koe
valid: (( bcrypt_check("password", hash) ))
evaluates to
hash: $apr1$B77VuUUZ$NkNFhkvXHW8wERSRoi74O1
valid: true
This function can be used to store encrypted secrets in a spiff yaml file. The processed result will then contain the decrypted value. All node types can be encrypted and decrypted, including complete maps and lists.
The password for the decryption can either be given as second argument, or
(the preferred way) it can be specified by the environment variable
SPIFF_ENCRYPTION_KEY
.
An optional last argument may select the encryption method. The only method
supported so far is 3DES
. Other methods may be added for dedicated
spiff versions by using the encryption method registration offered by the spiff
library.
A value can be encrypted by using the encrypt("secret")
function.
e.g.:
password: this a very secret secret and may never be exposed to unauthorized people
encrypted: (( encrypt("spiff is a cool tool", password) ))
decrypted: (( decrypt(encrypted, password) ))
evaluated to something like
decrypted: spiff is a cool tool
encrypted: d889f9e4cc7ae13effcbc8bb8cd0c38d1fb2197738444f753c48796d7946083e6639e5a1bf8f77648f2a1ddf37023c65ff57d52d0519d1d92cbcf87d3e263cba
password: this a very secret secret and may never be exposed to unauthorized people
The function rand
generates random values. The first argument
decides what kind of values are requested. With no argument it generates
a positive random number in the int64
range.
argument type | result |
---|---|
int | integer value in the range [0,n) for positive n and (n,0] for negative n |
bool | boolean value |
string | one rune string, where the rune is in the given character range, any combination of character classes or character ranges usable for regexp can be used. If an additional length argument is specified the resulting string will have the given length. |
e.g.:
int: (( rand() ))
int10: (( rand(10) ))
neg10: (( rand(-10) ))
bool: (( rand(true) ))
string: (( rand("[:alpha:][:digit:]-", 10) ))
upper: (( rand("A-Z", 10) ))
punct: (( rand("[:punct:]", 10) ))
alnum: (( rand("[:alnum:]", 10) ))
evaluates to
int: 8037669378456096839
int10: 7
neg10: -5
bool: true
string: ghhjAYPMlD
upper: LBZQFRSURL
alnum: 0p6KS7EhAj
punct: '&{;,^])"(#'
The function type
yields a string denoting the type of the given expression.
e.g.:
template:
<<: (( &template ))
types:
- int: (( type(1) ))
- float: (( type(1.0) ))
- bool: (( type(true) ))
- string: (( type("foobar") ))
- list: (( type([]) ))
- map: (( type({}) ))
- lambda: (( type(|x|->x) ))
- template: (( type(.template) ))
- nil: (( type(~) ))
- undef: (( type(~~) ))
evaluates types to
types:
- int: int
- float: float
- bool: bool
- string: string
- list: list
- map: map
- lambda: lambda
- template: template
The function defined
checks whether an expression can successfully be evaluated. It yields the boolean value true
, if the expression can be evaluated, and false
otherwise.
e.g.:
zero: 0
div_ok: (( defined(1 / zero ) ))
zero_def: (( defined( zero ) ))
null_def: (( defined( null ) ))
evaluates to
zero: 0
div_ok: false
zero_def: true
null_def: false
This function can be used in combination of the conditional operator to evaluate expressions depending on the resolvability of another expression.
The function valid
checks whether an expression can successfully be evaluated and evaluates to a defined value not equals to nil
. It yields the boolean value true
, if the expression can be evaluated, and false
otherwise.
e.g.:
zero: 0
empty:
map: {}
list: []
div_ok: (( valid(1 / zero ) ))
zero_def: (( valid( zero ) ))
null_def: (( valid( ~ ) ))
empty_def: (( valid( empty ) ))
map_def: (( valid( map ) ))
list_def: (( valid( list ) ))
evaluates to
zero: 0
empty: null
map: {}
list: []
div_ok: false
zero_def: true
null_def: false
empty_def: false
map_def: true
list_def: true
The function require
yields an error if the given argument is undefined or nil
, otherwise it yields the given value.
e.g.:
foo: ~
bob: (( foo || "default" ))
alice: (( require(foo) || "default" ))
evaluates to
foo: ~
bob: ~
alice: default
The function stub
yields the value of a dedicated field found in the first
upstream stub defining it.
e.g.:
template.yml
value: (( stub(foo.bar) ))
merged with stub
stub.yml
foo:
bar: foobar
evaluates to
value: foobar
The argument passed to this function must either be a reference literal or
an expression evaluating to either a string denoting a reference or a string
list denoting the list of path elements for the reference.
If no argument or an undefined (~~
) is given, the actual field path is used.
Please note, that a given sole reference will not be evaluated as expression,
if its value should be used, it must be transformed to an expression, for example
by denoting (ref)
or [] ref
for a list expression.
Alternatively the merge
operation could be used, for example merge foo.bar
. The difference is that stub
does not merge, therefore the field will still be merged (with the original path in the document).
The function tagdef
can be used to define dynamic tags (see Tags).
In contrast to the tag marker this function aloows to specify the tag name
and its intended value by an expression. Therefit can be used in composing
elements like map
or sum
to create dynamic tag with calculated values.
An optional third argument can be used to specify the intended scope
(local
or global
). By default a local tag is created. Local tags are visible
only at the actual processing level (template or sub), while global tags,
once defined, can be used in all further processing levels (stub or template).
Alternatively the tag name can be prefixed with a start (*
) to declare
a global tag.
The specified tag value will be used as result for the function.
e.g.:
template.yml
value: (( tagdef("tag:alice", 25) ))
alice: (( tag:alice::. ))
evaluates to
value: 25
alice: 25
Evaluate the evaluation result of a string expression again as dynaml expression. This can, for example, be used to realize indirections.
e.g.: the expression in
alice:
bob: married
foo: alice
bar: bob
status: (( eval( foo "." bar ) ))
calculates the path to a field, which is then evaluated again to yield the value of this composed field:
alice:
bob: married
foo: alice
bar: bob
status: married
Read the value of an environment variable whose name is given as dynaml expression. If the environment variable is not set the evaluation fails.
In a second flavor the function env
accepts multiple arguments and/or list arguments, which are joined to a single list. Every entry in this list is used as name of an environment variable and the result of the function is a map of the given given variables as yaml element. Hereby non-existent environment variables are omitted.
Parse a yaml or json string and return the content as yaml value. It can therefore be used for further dynaml evaluation.
e.g.:
json: |
{ "alice": 25 }
result: (( parse( json ).alice ))
yields the value 25
for the field result
.
The function parse
supports an optional second argument, the parse mode.
Here the same modes are possible as for the read function.
The default parsing mode is import
, the content is just parsed and there is
no further evaluation during this step.
This function transforms a yaml value given by its argument to a json string.
The corresponding function asyaml
yields the yaml value as yaml document string.
e.g.:
data:
alice: 25
mapped:
json: (( asjson(.data) ))
yaml: (( asyaml(.data) ))
resolves to
data:
alice: 25
mapped:
json: '{"alice":25}'
yaml: |+
alice: 25
This function executes an expression and yields some evaluation info map. It always succeeds, even if the expression fails. The map includes the following fields:
name | type | meaning |
---|---|---|
valid |
bool | expression is valid |
error |
string | the error message text of the evaluation |
value |
any | the value of the expression, if evaluation was successful |
e.g.:
data:
fail: (( catch(1 / 0) ))
valid: (( catch( 5 * 5) ))
resolves to
data:
fail:
error: division by zero
valid: false
valid:
error: ""
valid: true
value: 25
Generate a list of static IPs for a job.
e.g.:
jobs:
- name: myjob
instances: 2
networks:
- name: mynetwork
static_ips: (( static_ips(0, 3, 4) ))
This will create 3 IPs from mynetwork
s subnet, and return two entries, as
there are only two instances. The two entries will be the 0th and 3rd offsets
from the static IP ranges defined by the network.
For example, given the file bye.yml:
networks: (( merge ))
jobs:
- name: myjob
instances: 3
networks:
- name: cf1
static_ips: (( static_ips(0,3,60) ))
and file hi.yml:
networks:
- name: cf1
subnets:
- cloud_properties:
security_groups:
- cf-0-vpc-c461c7a1
subnet: subnet-e845bab1
dns:
- 10.60.3.2
gateway: 10.60.3.1
name: default_unused
range: 10.60.3.0/24
reserved:
- 10.60.3.2 - 10.60.3.9
static:
- 10.60.3.10 - 10.60.3.70
type: manual
spiff merge bye.yml hi.yml
returns
jobs:
- instances: 3
name: myjob
networks:
- name: cf1
static_ips:
- 10.60.3.10
- 10.60.3.13
- 10.60.3.70
networks:
- name: cf1
subnets:
- cloud_properties:
security_groups:
- cf-0-vpc-c461c7a1
subnet: subnet-e845bab1
dns:
- 10.60.3.2
gateway: 10.60.3.1
name: default_unused
range: 10.60.3.0/24
reserved:
- 10.60.3.2 - 10.60.3.9
static:
- 10.60.3.10 - 10.60.3.70
type: manual
.
If bye.yml was instead
networks: (( merge ))
jobs:
- name: myjob
instances: 2
networks:
- name: cf1
static_ips: (( static_ips(0,3,60) ))
spiff merge bye.yml hi.yml
instead returns
jobs:
- instances: 2
name: myjob
networks:
- name: cf1
static_ips:
- 10.60.3.10
- 10.60.3.13
networks:
- name: cf1
subnets:
- cloud_properties:
security_groups:
- cf-0-vpc-c461c7a1
subnet: subnet-e845bab1
dns:
- 10.60.3.2
gateway: 10.60.3.1
name: default_unused
range: 10.60.3.0/24
reserved:
- 10.60.3.2 - 10.60.3.9
static:
- 10.60.3.10 - 10.60.3.70
type: manual
static_ips
also accepts list arguments, as long as all transitivly contained elements are either again lists or integer values. This allows to abbreviate the list of IPs as follows:
static_ips: (( static_ips([1..5]) ))
While the function static_ips for historical reasons relies on the structure of a bosh manifest and works only at dedicated locations in the manifest, the function ipset offers a similar calculation purely based on its arguments. So, the available ip ranges and the required numbers of IPs are passed as arguments.
The first (ranges) argument can be a single range as a simple string or a list of strings. Every string might be
- a single IP address
- an explicit IP range described by two IP addresses separated by a dash (-)
- a CIDR
The second argument specifies the requested number of IP addresses in the result set.
The additional arguments specify the indices of the IPs to choose (starting from 0) in the given ranges. Here again lists of indices might be used.
e.g.:
ranges:
- 10.0.0.0 - 10.0.0.255
- 10.0.2.0/24
ipset: (( ipset(ranges,3,[256..260]) ))
resolves ipset to [ 10.0.2.0, 10.0.2.1, 10.0.2.2 ]
.
If no IP indices are specified (only two arguments), the IPs are chosen starting from the beginning of the first range up to the end of the last given range, without indirection.
A list of map entries with explicit name/key fields will be mapped to a map with the dedicated keys. By default the key field name
is used, which can changed by the optional second argument. An explicitly denoted key field in the list will also be taken into account.
e.g.:
list:
- key:foo: alice
age: 24
- foo: bob
age: 30
map: (( list_to_map(list) ))
will be mapped to
list:
- foo: alice
age: 24
- foo: bob
age: 30
map:
alice:
age: 24
bob:
age: 30
In combination with templates and lambda expressions this can be used to generate maps with arbitrarily named key values, although dynaml expressions are not allowed for key values.
In this flavor makemap
creates a map with entries described by the given field list.
The list is expected to contain maps with the entries key
and value
, describing
dedicated map entries.
e.g.:
list:
- key: alice
value: 24
- key: bob
value: 25
- key: 5
value: 25
map: (( makemap(list) ))
yields
list:
- key: alice
value: 24
- key: bob
value: 25
- key: 5
value: 25
map:
"5": 25
alice: 24
bob: 25
If the key value is a boolean or an integer it will be mapped to a string.
In this flavor makemap
creates a map with entries described by the given argument
pairs. The arguments may be a sequence of key/values pairs (given by separate arguments).
e.g.:
map: (( makemap("peter", 23, "paul", 22) ))
yields
map:
paul: 22
peter: 23
In contrast to the previous makemap
flavor, this one could also be handled by
map literals.
Beside the keyword merge
there is also a function called merge
(It must always be followed by an opening bracket). It can be used to merge severals maps taken from the actual document analogous to the stub merge process. If the maps are specified by reference expressions, they cannot contain
any dynaml expressions, because they are always evaluated in the context of the actual document before evaluating the arguments.
e.g.:
map1:
alice: 24
bob: (( alice ))
map2:
alice: 26
peter: 8
result: (( merge(map1,map2) ))
resolves result
to
result:
alice: 26
bob: 24 # <---- expression evaluated before mergeing
Alternatively map templates can be passed (without evaluation operator!). In this case the dynaml expressions from the template are evaluated while merging the given documents as for regular calls of spiff merge.
e.g.:
map1:
<<: (( &template ))
alice: 24
bob: (( alice ))
map2:
alice: 26
peter: 8
result: (( merge(map1,map2) ))
resolves result
to
result:
alice: 26
bob: 26
A map might also be given by a map expression. Here it is possible to specify dynaml expressions using the usual syntax:
e.g.:
map1:
alice: 24
bob: 25
map2:
alice: 26
peter: 8
result: (( merge(map1, map2, { "bob"="(( carl ))", "carl"=100 }) ))
resolves result
to
result:
alice: 26
bob: 100
Instead of multiple arguments a single list argument can be given. The list must contain the maps to be merged.
Nested merges have access to all outer bindings. Relative references are first
searched in the actual document. If they are not found there all outer bindings
are used to lookup the reference, from inner to outer bindings. Additionally the
context (__ctx
) offers a field OUTER
,
which is a list of all outer documents of the nested merges, which can be used
to lookup absolute references.
e.g.:
data:
alice:
age: 24
template:
<<: (( &template ))
bob: 25
outer1: (( __ctx.OUTER.[0].data )) # absolute access to outer context
outer2: (( data.alice.age )) # relative access to outer binding
sum: (( .bob + .outer2 ))
merged: (( merge(template) ))
resolves merged
to
merged:
bob: 25
outer1:
alice:
age: 24
outer2: 24
sum: 49
The function intersect
intersects multiple lists. A list may contain entries
of any type.
e.g.:
list1:
- - a
- - b
- a
- b
- { a: b }
- { b: c }
- 0
- 1
- "0"
- "1"
list2:
- - a
- - c
- a
- c
- { a: b }
- { b: b }
- 0
- 2
- "0"
- "2"
intersect: (( intersect(list1, list2) ))
resolves intersect
to
intersect:
- - a
- a
- { a: b }
- 0
- "0"
The function reverse
reverses the order of a list. The list may contain entries
of any type.
e.g.:
list:
- - a
- b
- { a: b }
- { b: c }
- 0
- 1
reverse: (( reverse(list) ))
resolves reverse
to
reverse:
- 1
- 0
- { b: c }
- { a: b }
- b
- - a
The function validate
validates an expression using a set of validators.
The first argument is the value to validate and all other arguments are
validators that must succeed to accept the value. If at least one validator
fails an appropriate error message is generated that explains the fail reason.
A validator is denoted by a string or a list containing the validator type
as string and its arguments. A validator can be negated with a preceeding
!
in its name.
The following validators are available:
Type | Arguments | Meaning |
---|---|---|
empty |
none | empty list, map or string |
dnsdomain |
none | dns domain name |
wildcarddnsdomain |
none | wildcard dns domain name |
dnslabel |
none | dns label |
dnsname |
none | dns domain or wildcard domain |
ip |
none | ip address |
cidr |
none | cidr |
publickey |
none | public key in pem format |
privatekey |
none | private key in pem format |
certificate |
none | certificate in pem format |
ca |
none | certificate for CA |
semver |
optional list of constraints | validate semver version against constraints |
type |
list of accepted type keys | at least one type key must match |
valueset |
list argument with values | possible values |
value or = |
value | check dedicated value |
gt or > |
value | greater than (number/string) |
lt or < |
value | less than (number/string) |
ge or >= |
value | greater or equal to (number/string) |
le or <= |
value | less or equal to (number/string) |
match or ~= |
regular expression | string value matching regular expression |
list |
optional list of entry validators | is list and entries match given validators |
map |
[[ <key validator>, ] <entry validator> ] | is map and keys and entries match given validators |
mapfield |
<field name> [ , <validator>] | required entry in map |
optionalfield |
<field name> [ , <validator>] | optional entry in map |
and |
list of validators | all validators must succeed |
or |
list of validators | at least one validator must succeed |
not or ! |
validator | negate the validator argument(s) |
If the validation succeeds the value is returned.
e.g.:
dnstarget: (( validate("192.168.42.42", [ "or", "ip", "dnsdomain" ]) ))
evaluates to
dnstarget: 192.168.42.42
If the validation fails an error explaining the failure reason is generated.
e.g.:
dnstarget: (( validate("alice+bob", [ "or", "ip", "dnsdomain" ]) ))
yields the following error:
*condition 1 failed: (is no ip address: alice+bob and is no dns domain: [a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')])
A validator might also be a lambda expression taking at least one argument and returning a boolean value. This way it is possible to provide own validators as part of the yaml document.
e.g.:
val: (( validate( 0, |x|-> x > 1 ) ))
If more than one parameter is declared the additional arguments must be specified as validator arguments. The first argument is always the value to check.
e.g.:
val: (( validate( 0, [|x,m|-> x > m, 5] ) ))
The lambda function may return a list with 1, 2 or 3 elements, also. This can be used to provide appropriate messages.
Index | Meaning |
---|---|
0 | the first index always is the match result, it must be evaluatable as boolean |
1 | if two elements are given, the second index is the message describing the actual result |
2 | here index 1 decribes the success message and 2 the failure message |
e.g.:
val: (( validate( 6, [|x,m|-> [x > m, "is larger than " m, "is less than or equal to " m], 5] ) ))
Just to mention, the validator specification might be given inline as shown
in the examples above, but as reference expressions, also. The not
, and
and or
validators accept deeply nested validator specifications.
e.g.:
dnsrecords:
domain: 1.2.3.4
validator:
- map
- - or # key validator
- dnsdomain
- wildcarddnsdomain
- ip # entry validator
val: (( validate( map, validator) ))
The function check
can be used to match a yaml structure against a yaml
based value checker. Hereby the same check description already described for
validate can be used. The result of the call is
a boolean value indicating the match result. It does not fail if the check
fails.
The function error
can be used to cause explicit evaluation failures with
a dedicated message.
This can be used, for example, to reduce a complex processing error to a meaningful message by appending the error function as default for the potentially failing comples expression.
e.g.:
value: (( <some complex potentially failing expression> || error("this was an error my friend") ))
Another scenario could be omitting a descriptive message for missing required fields by using an error expression as (default) value for a field intended to be defined in an upstream stub.
dynaml support various math functions:
returning integers: ceil
, floor
, round
and roundtoeven
returning floats or integers: abs
returning floats: sin
,cos
, sinh
, cosh
, asin
, acos
, asinh
,acosh
,
sqrt
, exp
, log
, log10
,
dynaml supports various type conversions between integer
, float
, bool
and string
values by appropriate functions.
e.g.:
value: (( integer("5") ))
converts a string to an integer value.
Converting an integer to a string accepts an optional additional integer
argument for specifying the base for conversion, for example string(55,2)
will result in "110111"
. The default base is 10. The base must be between
2 and 36.
Spiff supports access to content outside of the template and sub files. It is possible to read files, execute commands and pipelines. All those functions exist in two flavors.
- A cached flavor executes the operation ones and caches the result for subsequent identical operations. This speeds up the processing, especially for command executions.
- If the result evolves over time, it might be useful to always get the latest
content. This is the case if the
sync
function is used, which is intended to synchronize the template processing with a dedicate state (provided by external content). Here the caching operations would not be useful, therefore there is a second uncached flavor. Every function is available with the suffix_uncached
(for exampleread_uncached()
)
Read a file and return its content. There is support for three content types:
yaml
files,text
files and binary
files. Reading in binary mode will
result in a base64 encoded multi-line string.
If the file suffix is .yml
, .yaml
or .json
,
by default the yaml type is used. If the file should be read as text
, this
type must be explicitly specified.
In all other cases the default is text
, therefore reading a binary file
(for example an archive) urgently requires specifying the binary
mode.
An optional second parameter can be used to explicitly specifiy the desired
return type: yaml
or text
. For yaml documents some addtional
types are supported: multiyaml
, template
, templates
, import
and
importmulti
.
A yaml document will be parsed and the tree is returned. The elements of the tree can be accessed by regular dynaml expressions.
Additionally the yaml file may again contain dynaml expressions. All included dynaml expressions will be evaluated in the context of the reading expression. This means that the same file included at different places in a yaml document may result in different sub trees, depending on the used dynaml expressions.
If is possible to read a multi-document yaml, also. If the type multiyaml
is given, a list node with the yaml document root nodes is returned.
The yaml or json document can also read as template by specifying the type
template
. Here the result will be a template value, that can be used like
regular inline templates. If templates
is specified, a multi-document is
mapped to a list of templates.
If the read type is set to import
, the file content is read as yaml document
and the root node is used to substitute the expression. Potential dynaml
expressions contained in the document will not be evaluated with the actual
binding of the expression together with the read call,
but as it would have been part of the original file.
Therefore this mode can only be used, if there is no further processing
of the read result or the delivered values are unprocessed.
This can be used together with a chained reference
(for examle (( read(...).selection ))
) to delect a dedicated fragment of
the imported document. Then, the evaluatio will be done for the selected
portion, only. Expressions and references in the other parts are not
evalauted and at all and cannot lead to error.
e.g.:
template.yaml
ages:
alice: 25
data: (( read("import.yaml", "import").first ))
import.yaml
first:
age: (( ages.alice ))
second:
age: (( ages.bob ))
will not fail, because the second
section is never evaluated.
This mode should be taken with caution, because it often leads to unexpected results.
The read type importmulti
can be used to import multi-document yaml files as a
list of nodes.
A text document will be returned as single string.
It is possible to read binary documents, also. The content cannot be used
as a string (or yaml document), directly. Therefore the read mode binary
has
to be specified. The content is returned as a base64 encoded multi-line string
value.
Execute a command. Arguments can be any dynaml expressions including reference expressions evaluated to lists or maps. Lists or maps are passed as single arguments containing a yaml document with the given fragment.
The result is determined by parsing the standard output of the command. It might be a yaml document or a single multi-line string or integer value. A yaml document should start with the document prefix ---
. If the command fails the expression is handled as undefined.
e.g.
arg:
- a
- b
list: (( exec( "echo", arg ) ))
string: (( exec( "echo", arg.[0] ) ))
yields
arg:
- a
- b
list:
- a
- b
string: a
Alternatively exec
can be called with a single list argument completely describing the command line.
The same command will be executed once, only, even if it is used in multiple expressions.
Execute a command and feed its standard input with dedicated data. The command argument must be a string. Arguments for the command can be any dynaml expressions including reference expressions evaluated to lists or maps. Lists or maps are passed as single arguments containing a yaml document with the given fragment.
The input stream is generated from the given data. If this is a simple type its
string representation is used. Otherwise a yaml document is generated from the
input data. The result is determined by parsing the standard output of the
command. It might be a yaml document or a single multi-line string or integer
value. A yaml document should start with the document prefix ---
. If
the command fails the expression is handled as undefined.
e.g.
data:
- a
- b
list: (( pipe( data, "tr", "a", "z") ))
yields
arg:
- a
- b
list:
- z
- b
Alternatively pipe
can be called with data and a list argument completely describing the command line.
The same command will be executed once, only, even if it is used in multiple expressions.
Write a file and return its content. If the result can be parsed as yaml document,
the document is returned. An optional 3rd argument can be used to pass the
write options.
The option arguments might be an integer denoting file permissions (default is 0644
)
or a comma separated string with options. Supported options are
binary
: data is base64 decoded before writing- integer string: file permissions, a leading
0
is indicating an octal value.
Write a a temporary file and return its path name. An optional 3rd argument can
be used to pass write options. It basically behavies
like write
Attention: A temporary file only exists during the merge processing. It will be deleted afterwards.
It can be used, for example, to provide a temporary file argument for the
exec
function.
Lookup a file is a list of directories. The result is a list of existing
files. With lookup_dir
it is possible to lookup a directory, instead.
If no existing files can be found the empty list is returned.
It is possible to pass multiple list or string arguments to compose the search path.
Create a directory and all its intermediate directories if they do not exist yet.
The permission part is optional (default 0755). The path of the directory might be given by atring like value or as a list of path components.
List files in a directory. The result is a list of existing
files. With list_dirs
it is possible to list directories, instead.
Create an archive of the given type (default is tar
) containing the listed
files. The result is the base64 encoded archive.
Supported archive types are tar
and targz
.
files
might be a list or map of file entries. In case of a map, the map key
is used as default for the file path. A file entry is a map with the
following fields:
field | type | meaning |
---|---|---|
path |
string | optional for maps, the file path in the archive, defaulted by the map key |
mode |
int or int string | file mode or write options. It basically behavies like the option argument for write . |
data |
any | file content, yaml will be marshalled as yaml document. If mode indicates binary mode, a string value will be base64 decoded. |
base64 |
string | base64 encoded binary data |
e.g.:
yaml:
alice: 26
bob: 27
files:
"data/a/test.yaml":
data: (( yaml ))
"data/b/README.md":
data: |+
### Test Docu
**Note**: This is a test
archive: (( archive(files,"targz") ))
content: (( split("\n", exec_uncached("tar", "-tvf", tempfile(archive,"binary"))) ))
yields:
archive: |-
H4sIAAAAAAAA/+zVsQqDMBAG4Mx5igO3gHqJSQS3go7tUHyBqIEKitDEoW9f
dLRDh6KlJd/yb8ll+HOd8SY1qbfOJw8zDmQHiIhayjURcZuIQhOeSZlphVwL
glwsAXvM8mJ23twJ4qfnbB/3I+I4pmboW1uA0LSZmgJETr89VXCUtf9Neq1O
5blKxm6PO972X/FN/7nKVej/EaIogto6D+XUzpQydpm8ZayA+tY76B0YWHYD
DV9CEATBf3kGAAD//5NlAmIADAAA
content:
- -rw-r--r-- 0/0 22 2019-03-18 09:01 data/a/test.yaml
- -rw-r--r-- 0/0 41 2019-03-18 09:01 data/b/README.md
files:
data/a/test.yaml:
data:
alice: 26
bob: 27
data/b/README.md:
data: |+
### Test Docu
**Note**: This is a test
yaml:
alice: 26
bob: 27
Spiff supports handling of semantic version names. It supports all functionality
from the Masterminds Semver Package
accepting versions with or without a leading v
.
Check whether a given string is a semantic version and return
its normalized form (without leading v
and complete release part with major,
minor and and patch version number).
e.g.:
normalized: (( semver("v1.2-beta.1") ))
resolves to
normalized: 1.2.0-beta.1
Return the release part of a semantic version omitting metadata and prerelease information.
e.g.:
release: (( semverrelease("v1.2.3-beta.1") ))
resolves to
release: v1.2.3
If an additional string argument is given this function replaces the release by the release of the given semantic version preserving metadata and prerelease information.
e.g.:
new: (( semverrelease("1.2.3-beta.1", "1.2.1) ))
resolves to
new: 1.2.1-beta.1
Determine the major version number of the given semantic version. The result is an integer.
e.g.:
major: (( semvermajor("1.2.3-beta.1") ))
resolves to
major: 1
The function semverincmajor
can be used to increment the
major version number and reset the minor version, patch version
and release suffixes.
e.g.:
new: (( semverincmajor("1.2.3-beta.1") ))
resolves to
new: 2.0.0
Determine the minor version number of the given semantic version. The result is an integer.
e.g.:
minor: (( semverminor("1.2.3-beta.1") ))
resolves to
minor: 2
The function semverincminor
can be used to increment the
minor version number and reset the patch version
and release suffixes.
e.g.:
new: (( semverincmajor("v1.2.3-beta.1") ))
resolves to
new: v1.3.0
Determine the patch version number of the given semantic version. The result is an integer.
e.g.:
patch: (( semverpatch("1.2.3-beta.1") ))
resolves to
patch: 3
The function semverincpatch
can be used to increment the
patch version number or reset the release suffixes.
If there are rlease suffixes, they are removed and the release
info is kept unchanged, otherwise the patch version number
is increased.
e.g.:
final: (( semverincpatch("1.2.3-beta.1") ))
new: (( semverincpatch(final) ))
resolves to
final: 1.2.3
new: 1.2.4
Determine the prerelease of the given semantic version. The result is a string.
e.g.:
prerelease: (( semverprerelease("1.2.3-beta.1") ))
resolves to
prerelease: beta.1
If an additional string argument is given this function sets, replaces or clears (if set to empty string) the prerelease
e.g.:
new: (( semverprerelease("1.2.3-beta.1", "beta.2) ))
resolves to
new: 1.2.3-beta.2
Determine the metadata of the given semantic version. The result is a string.
e.g.:
metadata: (( semvermetadata("1.2.3+demo") ))
resolves to
metadata: demo
If an additional string argument is given this function sets, replaces or clears (if set to empty string) the metadata.
e.g.:
new: (( semvermetadata("1.2.3-test", "demo) ))
resolves to
new: 1.2.3+demo
Compare two semantic versions. A prerelease is always smaller than the final release. The result is an integer with the following values:
result | meaning |
---|---|
-1 | first version is before the second version |
0 | both versions are equal |
1 | first versuon is after the second one |
e.g.:
compare: (( semvercmp("1.2.3", "1.2.3-beta.1") ))
resolves to
compare: 1
Match the given semantic version against a list of contraints. The result is a boolean. It is possible to specify any number of version constraints. If no constraint is given, the function just checks whether the given string is a semantic version.
e.g.:
match: (( semvermatch("1.2.3", "~1.2") ))
resolves to
match: true
The complete list of possible constraints specification can be found here.
Sort a list of versions in ascending order. A leading v
is preserved.
e.g.:
sorted: (( semversort("1.2.3", "1.2.1") ))
resolves to
sorted:
- 1.2.1
- 1.2.3
The list of versions to be sorted may also be specified with a single list argument.
Spiff supports some useful functions to work with X509 certificates and keys. Please refer also to the Useful to Know section to find some tips for providing state.
This function can be used generate private RSA or ECDSA keys. The result will be a PEM encoded key as multi line string value. If a key size (integer or string) is given as argument, an RSA key will be generated with the given key size (for example 2048). Given one of the string values
- "P224"
- "P256"
- "P384"
- "P521"
the function will generate an appropriate ECDSA key.
e.g.:
keys:
key: (( x509genkey(2048) ))
resolves to something like
key: |+
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAwxdZDfzxqz4hlRwTL060pm1J12mkJlXF0VnqpQjpnRTq0rns
CxMxvSfb4crmWg6BRaI1cEN/zmNcT2sO+RZ4jIOZ2Vi8ujqcbzxqyoBQuMNwdb32
...
oqMC9QKBgQDEVP7FDuJEnCpzqddiXTC+8NsC+1+2/fk+ypj2qXMxcNiNG1Az95YE
gRXbnghNU7RUajILoimAHPItqeeskd69oB77gig4bWwrzkijFXv0dOjDhQlmKY6c
pNWsImF7CNhjTP7L27LKk49a+IGutyYLnXmrlarcNYeCQBin1meydA==
-----END RSA PRIVATE KEY-----
For a given key or certificate in PEM format (for example generated with the x509genkey function) this function extracts the public key and returns it again in PEM format as a multi-line string.
e.g.:
keys:
key: (( x509genkey(2048) ))
public: (( x509publickey(key)
resolves to something like
key: |+
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAwxdZDfzxqz4hlRwTL060pm1J12mkJlXF0VnqpQjpnRTq0rns
CxMxvSfb4crmWg6BRaI1cEN/zmNcT2sO+RZ4jIOZ2Vi8ujqcbzxqyoBQuMNwdb32
...
oqMC9QKBgQDEVP7FDuJEnCpzqddiXTC+8NsC+1+2/fk+ypj2qXMxcNiNG1Az95YE
gRXbnghNU7RUajILoimAHPItqeeskd69oB77gig4bWwrzkijFXv0dOjDhQlmKY6c
pNWsImF7CNhjTP7L27LKk49a+IGutyYLnXmrlarcNYeCQBin1meydA==
-----END RSA PRIVATE KEY-----
public: |+
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAwxdZDfzxqz4hlRwTL060pm1J12mkJlXF0VnqpQjpnRTq0rnsCxMx
vSfb4crmWg6BRaI1cEN/zmNcT2sO+RZ4jIOZ2Vi8ujqcbzxqyoBQuMNwdb325Bf/
...
VzYqyeQyvvRbNe73BXc5temCaQayzsbghkoWK+Wrc33yLsvpeVQBcB93Xhus+Lt1
1lxsoIrQf/HBsiu/5Q3M8L6klxeAUcDbYwIDAQAB
-----END RSA PUBLIC KEY-----
To generate an ssh public key an optional additional format argument can be set
to ssh
. The result will then be a regular public key format usable for ssh.
The default format is pem
providing the pem output format shown above.
RSA keys are by default marshalled in PKCS#1 format(RSA PUBLIC KEY
) in pem.
If the generic PKIX format (PUBLIC KEY
) is required the format
argument pkix
must be given.
Using the format ssh
this function can also be used to convert a pem formatted
public key into an ssh key,
The function x509cert
creates locally signed certificates, either a self signed
one or a certificate signed by a given ca. It returns a PEM encoded certificate
as a multi-line string value.
The single spec parameter take a map with some optional and non optional fields used to specify the certificate information. It can be an inline map expression or any map reference into the rest of the yaml document.
The following map fields are observed:
Field Name | Type | Required | Meaning |
---|---|---|---|
commonName |
string | optional | Common Name field of the subject |
organization |
string or string list | optional | Organization field of the subject |
country |
string or string list | optional | Country field of the subject |
isCA |
bool | optional | CA option of certificate |
usage |
string or string list | required | usage keys for the certificate (see below) |
validity |
integer | optional | validity interval in hours |
validFrom |
string | optional | start time in the format "Jan 1 01:22:31 2019" |
hosts |
string or string list | optional | List of DNS names or IP addresses |
privateKey |
string | required or publicKey | private key to generate the certificate for |
publicKey |
string | required or privateKey | public key to generate the certificate for |
caCert |
string | optional | certificate to sign with |
caPrivateKey |
string | optional | priavte key for caCert |
For self-signed certificates, the privateKey
field must be set. publicKey
and the ca
fields should be omitted. If the caCert
field is given, the caKey
field is required, also. If the privateKey
field is given together with the
caCert
, the public key for the certificate is extracted from the private key.
Additional fields are silently ignored.
The following usage keys are supported (case is ignored):
Key | Meaning |
---|---|
Signature |
x509.KeyUsageDigitalSignature |
Commitment |
x509.KeyUsageContentCommitment |
KeyEncipherment |
x509.KeyUsageKeyEncipherment |
DataEncipherment |
x509.KeyUsageDataEncipherment |
KeyAgreement |
x509.KeyUsageKeyAgreement |
CertSign |
x509.KeyUsageCertSign |
CRLSign |
x509.KeyUsageCRLSign |
EncipherOnly |
x509.KeyUsageEncipherOnly |
DecipherOnly |
x509.KeyUsageDecipherOnly |
Any |
x509.ExtKeyUsageAny |
ServerAuth |
x509.ExtKeyUsageServerAuth |
ClientAuth |
x509.ExtKeyUsageClientAuth |
codesigning |
x509.ExtKeyUsageCodeSigning |
EmailProtection |
x509.ExtKeyUsageEmailProtection |
IPSecEndSystem |
x509.ExtKeyUsageIPSECEndSystem |
IPSecTunnel |
x509.ExtKeyUsageIPSECTunnel |
IPSecUser |
x509.ExtKeyUsageIPSECUser |
TimeStamping |
x509.ExtKeyUsageTimeStamping |
OCSPSigning |
x509.ExtKeyUsageOCSPSigning |
MicrosoftServerGatedCrypto |
x509.ExtKeyUsageMicrosoftServerGatedCrypto |
NetscapeServerGatedCrypto |
x509.ExtKeyUsageNetscapeServerGatedCrypto |
MicrosoftCommercialCodeSigning |
x509.ExtKeyUsageMicrosoftCommercialCodeSigning |
MicrosoftKernelCodeSigning |
x509.ExtKeyUsageMicrosoftKernelCodeSigning |
e.g.:
spec:
<<: (( &local ))
ca:
organization: Mandelsoft
commonName: Uwe Krueger
privateKey: (( data.cakey ))
isCA: true
usage:
- Signature
- KeyEncipherment
data:
cakey: (( x509genkey(2048) ))
cacert: (( x509cert(spec.ca) ))
generates a self-signed root certificate and resolves to something like
cakey: |+
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAwxdZDfzxqz4hlRwTL060pm1J12mkJlXF0VnqpQjpnRTq0rns
CxMxvSfb4crmWg6BRaI1cEN/zmNcT2sO+RZ4jIOZ2Vi8ujqcbzxqyoBQuMNwdb32
...
oqMC9QKBgQDEVP7FDuJEnCpzqddiXTC+8NsC+1+2/fk+ypj2qXMxcNiNG1Az95YE
gRXbnghNU7RUajILoimAHPItqeeskd69oB77gig4bWwrzkijFXv0dOjDhQlmKY6c
pNWsImF7CNhjTP7L27LKk49a+IGutyYLnXmrlarcNYeCQBin1meydA==
-----END RSA PRIVATE KEY-----
cacert: |+
-----BEGIN CERTIFICATE-----
MIIDCjCCAfKgAwIBAgIQb5ex4iGfyCcOa1RvnKSkMDANBgkqhkiG9w0BAQsFADAk
MQ8wDQYDVQQKEwZTQVAgU0UxETAPBgNVBAMTCGdhcmRlbmVyMB4XDTE4MTIzMTE0
...
pOUBE3Tgim5rnpa9K9RJ/m8IVqlupcONlxQmP3cCXm/lBEREjODPRNhU11DJwDdJ
5fd+t5SMEit2BvtTNFXLAwz48EKTxsDPdnHgiQKcbIV8NmgUNPHwXaqRMBLqssKl
Cyvds9xGtAtmZRvYNI0=
-----END CERTIFICATE-----
This function parses a certificate given in PEM format and returns a map of fields:
Field Name | Type | Required | Meaning |
---|---|---|---|
commonName |
string | optional | Common Name field of the subject |
organization |
string list | optional | Organization field of the subject |
country |
string list | optional | Country field of the subject |
isCA |
bool | always | CA option of certificate |
usage |
string list | always | usage keys for the certificate (see below) |
validity |
integer | always | validity interval in hours |
validFrom |
string | always | start time in the format "Jan 1 01:22:31 2019" |
validUntil |
string | always | start time in the format "Jan 1 01:22:31 2019" |
hosts |
string list | optional | List of DNS names or IP addresses |
dnsNames |
string list | optional | List of DNS names |
ipAddresses |
string list | optional | List of IP addresses |
publicKey |
string | always | public key to generate the certificate for |
e.g.:
data:
<<: (( &temporary ))
spec:
commonName: test
organization: org
validity: 100
isCA: true
privateKey: (( gen.key ))
hosts:
- localhost
- 127.0.0.1
usage:
- ServerAuth
- ClientAuth
- CertSign
gen:
key: (( x509genkey() ))
cert: (( x509cert(spec) ))
cert: (( x509parsecert(data.gen.cert) ))
resolves to
cert:
commonName: test
dnsNames:
- localhost
hosts:
- 127.0.0.1
- localhost
ipAddresses:
- 127.0.0.1
isCA: true
organization:
- org
publickey: |+
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA+UIZQUTa/j+WlXC394bccBTltV+Ig3+zB1l4T6Vo36pMBmU4JIkJ
...
TCsrEC5ey0cCeFij2FijOJ5kmm4cK8jpkkb6fLeQhFEt1qf+QqgBw3targ3LnZQf
uE9t5MIR2X9ycCQSDNBxcuafHSwFrVuy7wIDAQAB
-----END RSA PUBLIC KEY-----
usage:
- CertSign
- ServerAuth
- ClientAuth
validFrom: Mar 11 15:34:36 2019
validUntil: Mar 15 19:34:36 2019
validity: 99 # yepp, that's right, there has already time passed since the creation
spiff supports some useful functions to work with wireguard keys. Please refer also to the Useful to Know section to find some tips for providing state.
This function can be used generate private wireguard key. The result will base64 encoded.
e.g.:
keys:
key: (( wggenkey() ))
resolves to something like
key: WH9xNVJuSuh7sDVIyUAlmxc+woFDJg4QA6tGUVBtGns=
For a given key (for example generated with the wggenkey function) this function extracts the public key and returns it again in base64 format-
e.g.:
keys:
key: (( wggenkey() ))
public: (( wgpublickey(key)
resolves to something like
key: WH9xNVJuSuh7sDVIyUAlmxc+woFDJg4QA6tGUVBtGns=
public: n405KfwLpfByhU9pOu0A/ENwp0njcEmmQQJvfYHHQ2M=
Lambda expressions can be used to define additional anonymous functions. They can be assigned to yaml nodes as values and referenced with path expressions to call the function with approriate arguments in other dynaml expressions. For the final document they are mapped to string values.
There are two forms of lambda expressions. While
lvalue: (( lambda |x|->x ":" port ))
yields a function taking one argument by directly taking the elements from the dynaml expression,
string: "|x|->x \":\" port"
lvalue: (( lambda string ))
evaluates the result of an expression to a function. The expression must evaluate to a function or string. If the expression is evaluated to a string it parses the function from the string.
Since the evaluation result of a lambda expression is a regular value, it can also be passed as argument to function calls and merged as value along stub processing.
A complete example could look like this:
lvalue: (( lambda |x,y|->x + y ))
mod: (( lambda|x,y,m|->(lambda m)(x, y) + 3 ))
value: (( .mod(1,2, lvalue) ))
yields
lvalue: lambda |x,y|->x + y
mod: lambda|x,y,m|->(lambda m)(x, y) + 3
value: 6
If a complete expression is a lambda expression the keyword lambda
can be omitted.
Lambda expressions evaluate to lambda values, that are used as final values in yaml documents processed by spiff.
Note: If the final document still contains lambda values, they are transferred to a textual representation. It is not guaranteed that this representation can correctly be parsed again, if the document is re-processed by spiff. Especially for complex scoped and curried functions this is not possible.
Therefore function nodes should always be temporary or local to be available during processing or merging, but being omitted for the final document.
A typical function call uses positional arguments. Here the given arguments satisfy the declared function parameters in the given order. For lambda values it is also possible to use named arguments in the call expression. Here an argument is assigned to a dedicated parameter as declared by the lambda expression. The order of named arguments can be arbitrarily chosen.
e.g.:
func: (( |a,b,c|->{$a=a, $b=b, $c=c } ))
result: (( .func(c=1, b=2, a=1) ))
It is also posible to combine named with positional arguments. Hereby the positional arguments must follow the named ones.
e.g.:
func: (( |a,b,c|->{$a=a, $b=b, $c=c } ))
result: (( .func(c=1, 1, 2) ))
The same argument MUST NOT be satified by both, a named and a positional argument.
Instead of using the parameter name it is also possible to use the parameter index, instead.
e.g.:
func: (( |a,b,c|->{$a=a, $b=b, $c=c } ))
result: (( .func(3=1, 1) ))
As such, this feature seems to be quite useless, but it shows its power if combined with optional parameters or currying as shown in the next paragraphs.
A lambda expression might refer to absolute or relative nodes of the actual yaml document of the call. Relative references are evaluated in the context of the function call. Therefore
lvalue: (( lambda |x,y|->x + y + offset ))
offset: 0
values:
offset: 3
value: (( .lvalue(1,2) ))
yields 6
for values.value
.
Besides the specified parameters, there is an implicit name (_
), that can be
used to refer to the function itself. It can be used to define self recursive
function. Together with the logical and conditional operators a fibunacci
function can be defined:
fibonacci: (( lambda |x|-> x <= 0 ? 0 :x == 1 ? 1 :_(x - 2) + _( x - 1 ) ))
value: (( .fibonacci(5) ))
yields the value 8
for the value
property.
By default reference expressions in a lambda expression are evaluated in the static scope of the lambda dedinition followed by the static yaml scope of the caller. Absolute references are always evalated in the document scope of the caller.
The name _
can also be used as an anchor to refer to the static definition
scope of the lambda expression in the yaml document that was used to define
the lambda function. Those references are always interpreted as relative
references related to the this static yaml document scope. There is no
denotation for accessing the root element of this definition scope.
Relative names can be used to access the static definition scope given inside the dynaml expression (outer scope literals and parameters of outer lambda parameters)
e.g.:
env:
func: (( |x|->[ x, scope, _, _.scope ] ))
scope: definition
call:
result: (( env.func("arg") ))
scope: call
yields the result
list:
call:
result:
- arg
- call
- (( lambda|x|->[x, scope, _, _.scope] )) # the lambda expression as lambda value
- definition
This also works across multiple stubs. The definition context is the stub the lambda expression is defined in, even if it is used in stubs down the chain. Therefore it is possible to use references in the lambda expression, not visible at the caller location, they carry the static yaml document scope of their definition with them.
Inner lambda expressions remember the local binding of outer lambda expressions. This can be used to return functions based on arguments of the outer function.
e.g.:
mult: (( lambda |x|-> lambda |y|-> x * y ))
mult2: (( .mult(2) ))
value: (( .mult2(3) ))
yields 6
for property value
.
Trailing parameters may be defaulted in the lambda expression by assigning values in the declaration. Those parameter are then optional, it is not required to specify arguments for those parameters in function calls.
e.g.:
mult: (( lambda |x,y=2|-> x * y ))
value: (( .mult(3) ))
yields 6
for property value
.
It is possible to default all parameters of a lambda expression. The function can then be called without arguments. There might be no non-defaulted parameters after a defaulted one.
A call with positional arguments may only omit arguments for optional parameters from right to left. If there should be an explicit argument for the right most parameter, arguments for all parameters must be specified or named arguments must be used. Here the desired optional parameter can explicitly be set prior to the regular positional arguments.
e.g.:
func: (( |a,b=1,c=2|->{$a=a, $b=b, $c=c } ))
result: (( .func(c=3, 2) ))
evaluates result
to
result:
a: 2
b: 1
c: 3
The expression for the default does not need to be a constant value or even expression, it might refer to other nodes in the yaml document. The default expression is always evaluated in the scope of the lambda expression declaration at the time the lambda expression is evaluated.
e.g.:
stub.yaml
default: 2
mult: (( lambda |x,y=default * 2|-> x * y ))
template.yaml
mult: (( merge ))
scope:
default: 3
value: (( .mult(3) ))
evaluates value
to 12
The last parameter in the parameter list of a lambda expression may be a varargs parameter consuming additional argument in a fnction call. This parameter is always a list of values, one entry per additional argument.
A varargs parameter is denoted by a ...
following the last parameter name.
e.g.:
func: (( |a,b...|-> [a] b ))
result: (( .func(1,2,3) ))
yields the list [1, 2, 3]
for property result
.
If no argument is given for the varargs parameter its value is the empty list.
The ...
operator can also be used for inline list expansion.
If a vararg parameter should be set by a named argument its value must be a list.
Using the currying operator (*(
) a lambda function may be transformed to
another function with less parameters by specifying leading argument values.
The result is a new function taking the missing arguments (currying) and using the original function body with a static binding for the specified parameters.
e.g.:
mult: (( lambda |x,y|-> x * y ))
mult2: (( .mult*(2) ))
value: (( .mult2(3) ))
Currying may be combined with defaulted parameters. But the resulting function does not default the leading parameters, it is just a new function with less parameters pinning the specified ones.
If the original function uses a variable argument list, the currying may span any number of the variable argument part, but once at least one such argument is given, the parameter for the variable part is satisfied. It cannot be extended by a function call of the curried function.
e.g.:
func: (( |a,b...|->join(a,b) ))
func1: (( .func*(",","a","b")))
#invalid: (( .func1("c") ))
value: (( .func1() ))
evaluates value
to "a,b"
.
It is also possible to use currying for builtin functions, like
join
.
e.g.:
stringlist: (( join*(",") ))
value: (( .stringlist("a", "b") ))
evaluates value
to "a,b"
.
There are several builtin functions acting on unevaluated or unevaluatable
arguments, like defined
. For these functions currying is
not possible.
Using positional arguments currying is only possible from right to left. But currying can also be done for named arguments. Here any parameter combination, regardless of the position in the parameter list, can be preset. The resulting function then has the unsatisfied parameters in their original order. Switching the parameter order is not possible.
e.g.:
func: (( |a,b=1,c=2|->{$a=a, $b=b, $c=c } ))
curry: (( .func(c=3, 2) ))
result: (( .curry(5) ))
evalutes result
to
result:
a: 2
b: 5
c: 3
The resulting function keeps the parameter b
. Hereby the default value will
be kept. Therefore it can just be called without argument (.curry()
), which
would produce
result:
a: 2
b: 1
c: 3
Attention:
For compatibility reasons currying is also done, if a lambda function without defaulted parameters is called with less arguments than declared parameters.
This behaviour is deprecated and will be removed in the future. It is replaced by the currying operator.
e.g.:
mult: (( lambda |x,y|-> x * y ))
mult2: (( .mult(2) ))
value: (( .mult2(3) ))
evaluates value
to 6.
This expression evaluates an expression (expr
) and then
executes a lambda function with the evaluation state of the expression.
It always succeeds, even if the expression fails.
The lambda function may take one or two arguments, the first
is always the evaluated value (or nil
in case of an error).
The optional second argument gets the error message the evaluation of
the expression failed (or nil
otherwise)
The result of the function is the result of the whole expression. If the function fails, the complete expression fails.
e.g.:
data:
fail: (( catch[1 / 0|v,e|->{$value=v, $error=e}] ))
valid: (( catch[5 * 5|v,e|->{$value=v, $error=e}] ))
resolves to
data:
fail:
error: division by zero
value: null
valid:
error: null
value: 25
If an expression expr
may return different results for different evaluations,
it is possible to synchronize the final output with a dedicated condition
on the expression value. Such an expression could, for example, be an
uncached read
, exec
or pipe
call.
The second element must evaluate to a lambda value, given by either a
regular expression or by a lambda literal as shown in the title.
It may take one or two arguments, the actual value of the value expression
and optionally an error message in case of a failing evaluation.
The result of the evaluation of the lamda expression decides whether
the state of the evaluation of the value expression is acceptable (true
)
or not (false
).
If the value is accepted, an optional third expression is used to determine
the final result of the sync[]
expression. It might be given as an expression
evaluating to a lambda value, or by a comma separated expression using the
same binding as the preceeding lambda literal.
If not given, the value of the synched expression is returned.
If the value is not acceptable, the evaluation is repeated until a timeout applies. The timeout in seconds is given by an optional fourth expression (default is 5 min). Either the fourth, or the both, the third and the fourth elements may be omitted.
The lambda values might be given as literal, or by expression, leading to the following flavors:
sync[expr|v,e|->cond,value|10]
sync[expr|v,e|->cond|valuelambda|10]
sync[expr|v,e|->cond|v|->value|10]
sync[expr|condlambda|valuelambda|10]
sync[expr|condlambda|v|->value|10]
with or without the timeout expression.
e.g.:
data:
alice: 25
result: (( sync[data|v|->defined(v.alice),v.alice] ))
resolves to
data:
alice: 25
result: 25
This example is quite useless, because the sync expression is a constant. It just demonstrates the usage.
Mappings are used to produce a new list from the entries of a list or map,
or a new map from entries of a map containing the entries processed by a
dynaml expression. The expression is
given by a lambda function. There are two basic forms of
the mapping function: It can be inlined as in (( map[list|x|->x ":" port] ))
,
or it can be determined by a regular dynaml expression evaluating to a lambda
function as in (( map[list|mapping.expression))
(here the mapping is taken
from the property mapping.expression
, which should hold an approriate lambda
function).
The mapping comes in two target flavors: with []
or {}
in the syntax. The first
flavor always produces a list from the entries of the given source. The
second one takes only a map source and produces a filtered or transformed map.
Additionally the mapping uses three basic mapping behaviours:
- transforming the values using the keyword
map
. Here the result of the lambda function is used as new value to replace the original one. Or - filtering using the keywork
select
. Here the result of the lambda function is used as a boolean to decide whether the entry should be kept (true
) or omitted (false
). - composing using the keyword
sum
. Here always the list flavor is used, but the result type and content is completely determined by the parameterization of the statement by successively aggregating one entry after the other into an arbitrary initial value.
Note: The special reference _
is not set for inlined lambda functions as part of
the mapping syntax. Therefore the mapping statements (and all other statements using
inlined lambda functions as part of their syntax) can be used inside regular lambda
functions without hampering the meaning of this special refrence for the surrounding
explicit lambda expression.
Execute a mapping expression on members of a list to produce a new (mapped) list. The first expression (list
) must resolve to a list. The last expression (x ":" port
) defines the mapping expression used to map all members of the given list. Inside this expression an arbitrarily declared simple reference name (here x
) can be used to access the actually processed list element.
e.g.
port: 4711
hosts:
- alice
- bob
mapped: (( map[hosts|x|->x ":" port] ))
yields
port: 4711
hosts:
- alice
- bob
mapped:
- alice:4711
- bob:4711
This expression can be combined with others, for example:
port: 4711
list:
- alice
- bob
joined: (( join( ", ", map[list|x|->x ":" port] ) ))
which magically provides a comma separated list of ported hosts:
port: 4711
list:
- alice
- bob
joined: alice:4711, bob:4711
In this variant, the first argument idx
is provided with the index and the
second elem
with the value for the index.
e.g.
list:
- name: alice
age: 25
- name: bob
age: 24
ages: (( map[list|i,p|->i + 1 ". " p.name " is " p.age ] ))
yields
list:
- name: alice
age: 25
- name: bob
age: 24
ages:
- 1. alice is 25
- 2. bob is 24
Mapping of a map to a list using a mapping expression. The expression may have access to the key and/or the value. If two references are declared, both values are passed to the expression, the first one is provided with the key and the second one with the value for the key. If one reference is declared, only the value is provided.
e.g.
ages:
alice: 25
bob: 24
keys: (( map[ages|k,v|->k] ))
yields
ages:
alice: 25
bob: 24
keys:
- alice
- bob
Using {}
instead of []
in the mapping syntax, the result is again a map
with the old keys and the new entry values. As for a list mapping additionally
a key variable can be specified in the variable list.
persons:
alice: 27
bob: 26
older: (( map{persons|x|->x + 1} ) ))
just increments the value of all entries by one in the field older
:
older:
alice: 28
bob: 27
Remark
An alternate way to express the same is to use sum[persons|{}|s,k,v|->s { k = v + 1 }]
.
Using {}
instead of []
together with a list in the mapping syntax, the result is again a map
with the list elements as key and the mapped entry values. For this all list entries must be strings.
As for a list mapping additionally an index variable can be specified in the variable list.
persons:
- alice
- bob
length: (( map{persons|x|->length(x)} ) ))
just creates a map mapping the list entries to their length:
length:
alice: 5
bob: 3
With select
a map or list can be filtered by evaluating a boolean expression
for every entry. An entry is selected if the expression evaluates to true
equivalent value. (see conditions).
Basically it offers all the mapping flavors available for map[]
e.g.
list:
- name: alice
age: 25
- name: bob
age: 26
selected: (( select[list|v|->v.age > 25 ] ))
evaluates selected to
selected:
- name: bob
age: 26
Remark
An alternate way to express the same is to use map[list|v|->v.age > 25 ? v :~]
.
Using {}
instead of []
in the mapping syntax, the result is again a map
with the old keys filtered by the given expression.
persons:
alice: 25
bob: 26
older: (( select{persons|x|->x > 25} ))
just keeps all entries with a value greater than 25 and omits all others:
selected:
bob: 26
This flavor only works on maps.
Remark
An alternate way to express the same is to use sum[persons|{}|s,k,v|->v > 25 ? s {k = v} :s]
.
Aggregations are used to produce a single result from the entries of a list or map aggregating the entries by a dynaml expression. The expression is given by a lambda function. There are two basic forms of the aggregation function: It can be inlined as in (( sum[list|0|s,x|->s + x] ))
, or it can be determined by a regular dynaml expression evaluating to a lambda function as in (( sum[list|0|aggregation.expression))
(here the aggregation function is taken from the property aggregation.expression
, which should hold an approriate lambda function).
Execute an aggregation expression on members of a list to produce an aggregation result. The first expression (list
) must resolve to a list. The second expression is used as initial value for the aggregation. The last expression (s + x
) defines the aggregation expression used to aggregate all members of the given list. Inside this expression an arbitrarily declared simple reference name (here s
) can be used to access the intermediate aggregation result and a second reference name (here x
) can be used to access the actually processed list element.
e.g.
list:
- 1
- 2
sum: (( sum[list|0|s,x|->s + x] ))
yields
list:
- 1
- 2
sum: 3
In this variant, the second argument idx
is provided with the index and the
third elem
with the value for the index.
e.g.
list:
- 1
- 2
- 3
prod: (( sum[list|0|s,i,x|->s + i * x ] ))
yields
list:
- 1
- 2
- 3
prod: 8
Aggregation of the elements of a map to a single result using an aggregation expression. The expression may have access to the key and/or the value. The first argument is always the intermediate aggregation result. If three references are declared, both values are passed to the expression, the second one is provided with the key and the third one with the value for the key. If two references are declared, only the second one is provided with the value of the map entry.
e.g.
ages:
alice: 25
bob: 24
sum: (( map[ages|0|s,k,v|->s + v] ))
yields
ages:
alice: 25
bob: 24
sum: 49
Projections work over the elements of a list or map yielding a result list. Hereby every element is mapped by an optional subsequent reference expression. This may contain again projections, dynamic references or lambda calls. Basically this is a simplified form of the more general mapping yielding a list working with a lambda function using only a reference expression based on the elements.
All elements of a map or list given by the expression expr
are dereferenced with the subsequent reference expression (here .expr
). If this expression works on a map the elements are ordered accoring to their key values. If the subsequent reference expression is omitted, the complete value list isreturned. For a list expression this means the identity operation.
e.g.:
list:
- name: alice
age: 25
- name: bob
age: 26
- name: peter
age: 24
names: (( list.[*].name ))
yields for names
:
names:
- alice
- bob
- peter
or for maps:
networks:
ext:
cidr: 10.8.0.0/16
zone1:
cidr: 10.9.0.0/16
cidrs: (( .networks.[*].cidr ))
yields for cidrs
:
cidrs:
- 10.8.0.0/16
- 10.9.0.0/16
This projection flavor only works for lists. The projection is done for a dedicated slice of the initial list.
e.g.:
list:
- name: alice
age: 25
- name: bob
age: 26
- name: peter
age: 24
names: (( list.[1..2].name ))
yields for names
:
names:
- bob
- peter
In argument lists or list literals the list expansion operator (...
) can be
used. It is a postfix operator on any list expression. It substituted
the list expression by a sequence of the list members. It can be be used
in combination with static list argument denotation.
e.g.:
list:
- a
- b
result: (( [ 1, list..., 2, list... ] ))
evaluates result
to
result:
- 1
- a
- b
- 2
- a
- b
The following example demonstrates the usage in combination with the varargs operator in functions:
func: (( |a,b...|-> [a] b ))
list:
- a
- b
a: (( .func(1,2,3) ))
b: (( .func("x",list..., "z") ))
c: (( [ "x", .func(list...)..., "z" ] ))
evaluates the following results:
a:
- 1
- 2
- 3
b:
- x
- a
- b
- z
c:
- x
- a
- b
- z
Please note, that the list expansion might span multiple arguments (including the varargs parameter) in lambda function calls.
Nodes of the yaml document can be marked to enable dedicated behaviours for this
node. Such markers are part of the dynaml syntax and may be prepended to
any dynaml expression. They are denoted by the &
character directly followed
by a marker name. If the expression is a combination of markers and regular
expressions, the expression follows the marker list enclosed in brackets
(for example (( &temporary( a + b ) ))
).
Note: Instead of using a <<:
insert field to place markers it is possible
now to use <<<:
, also, which allows to use regular yaml parsers for spiff-like
yaml documents. <<:
is kept for backward compatibility.
Maps, lists or simple value nodes can be marked as temporary. Temporary nodes are removed from the final output document, but are available during merging and dynaml evaluation.
e.g.:
temp:
<<: (( &temporary ))
foo: bar
value: (( temp.foo ))
yields:
value: bar
Adding - <<: (( &temporary ))
to a list can be used to mark a list as temporary.
The temporary marker can be combined with regular dynaml expressions to tag plain fields. Hereby the parenthesised expression is just appended to the marker
e.g.:
data:
alice: (( &temporary ( "bar" ) ))
foo: (( alice ))
yields:
data:
foo: bar
The temporary marker can be combined with the template marker to omit templates from the final output.
The marker &local
acts similar to &temporary
but local nodes are always
removed from a stub directly after resolving dynaml expressions. Such nodes
are therefore not available for merging and they are not used for further
merging of stubs and finally the template.
This marker can be used to mark a template expression (direct or referenced)
to enforce the re-evaluation of the template in the usage context whenever the
node is used to override or inject a node value along the processing chain.
It can also be used together with
&inject
or &default
.
e.g.:
template.yaml
data: 1
merged with
stub.yaml
id: (( &dynamic &inject &template(__ctx.FILE) ))
will resolve to
id: template.yaml
data: 1
The original template is kept along the merge chain and is evaluated separately in the context of the very stub or template it is used.
Using this marker for nodes not evaluationg to a template value is not possible.
This marker requests the marked item to be injected into the next stub level, even is the hosting element (list or map) does not requests a merge. This only works if the next level stub already contains the hosting element.
e.g.:
template.yaml
alice:
foo: 1
stub.yaml
alice:
bar: (( &inject(2) ))
nope: not injected
bob:
<<: (( &inject ))
foobar: yep
is merged to
alice:
foo: 1
bar: 2
bob:
foobar: yep
Nodes marked as default will be used as default values
for downstream stub levels. If no such entry is set there it will behave like
&inject
and implicitly add this node, but existing settings will not be
overwritten.
Maps (or lists) marked as default will be considered as values. The map is used as a whole as default if no such field is defined downstream.
e.g.:
template.yaml
data: { }
stub.yaml
data:
foobar:
<<: (( &default ))
foo: claude
bar: peter
is merged to
data:
foobar:
foo: claude
bar: peter
Their entries will neither be used for overwriting existing downstream values nor for defaulting non-existng fields of a not defaulted map field.
e.g.:
template.yaml
data:
foobar:
bar: bob
stub.yaml
data:
foobar:
<<: (( &default ))
foo: claude
bar: peter
is merged to
data:
foobar:
bar: bob
If sub sequent defaulting is desired, the fields of a default map must again be marked as default.
e.g.:
template.yaml
data:
foobar:
bar: bob
stub.yaml
data:
foobar:
<<: (( &default ))
foo: (( &default ("claude") ))
bar: peter
is merged to
data:
foobar:
foo: claude
bar: bob
Note: The behaviour of list entries marked as default is undefined.
Nodes marked as state are handled during the merge processing as if the
marker would not be present. But there will be a special handling for enabled
state processing (option --state <path>
) at the end of the
template processing.
Additionally to the regular output a document consisting only of state nodes
(plus all nested nodes) will be written to a state file. This file will be used
as top-level stub for further merge processings with enabled state support.
This enables to keep state between two merge processings. For regular merging sich nodes are only processed during the first processing. Later processings will keep the state from the first one, because those nodes will be overiden by the state stub added to the end of the sub list.
If those nodes additionally disable merging (for example using
(( &state(merge none) ))
) dynaml expressions in sub level nodes may
perform explicit merging using the function stub()
to refer to
values provided by already processed stubs (especially the implicitly added
state stub). For an example please refer to the
state library.
Nodes marked as template will not be evaluated at the place of their occurrence. Instead, they will result in a template value stored as value for the node. They can later be instantiated inside a dynaml expression (see below).
The tag marker can be used to assign a logical name to a node value. This name can then be used in tagged reference expressions to refer to this node value (see below).
A tagged reference has the form <tagname>::<path>
. The <path>
may denote any
sub node of a tagged node. If the value of a complete node
(or a simple value node) should be used, the <path>
must denote the root path
(.
).
Tags can be used to label node values in multi-document streams (used as template). After defined for a document the tag can then be used to reference node values from the actual or previous document(s) of a document sequence in a multi-document stream. Tags can be added for complex or simple value nodes. A tagged reference may be used to refer to the tagged value as a whole or sub structure.
This syntax is used to tag a node whose value is defined by a dynaml expression. It can also be used to denote tagged simple value nodes. (As usual the value part is optional for adding markers to structured values (see Markers).)
e.g.:
template.yaml
data:
<<: (( &tag:persons ))
alice: (( &tag:alice(25)
If the name is prefixed with a star (*
), the tag is defined globally.
Gobal tags surive stub processing and their value is visible in subsequent
stub (and template) processings.
A tag name may consist of multiple components separated by a colon (:
).
Tags can also be defined dynamically by the dynaml function tagdef.
Reference a sub path of the value of a tagged node.
e.g.:
template.yaml
data:
<<: (( &tag:persons ))
alice: 25
tagref: (( persons::alice ))
resolves tagref
to 25
Reference the whole (structured) value of tagged node.
e.g.:
template.yaml
data:
alice: (( &tag:alice(25) ))
tagref: (( alice::. ))
resolves tagref
to 25
Tag names may be structured. A tag name consists of a non-empty list of
tag components separated by a dot or colon (:
). A tag component may
contain ASCII letters or numbers, starting wit a letter.
Multi-component tags are subject to Tag Resolution.
A tag reference always contains a tag name and a path separated by a double
colon (::
).
The standard use-case is to describe a dedicated sub node for a tagged
node value.
for example, if the tag X
describes the value
data:
alice: 25
bob: 24
the tagged reference X::data.alice
describes the value 25
.
For tagged references with a path other than .
(the whole tag value),
structured tags feature a more sophisticated resolution mechanism. A structured
tag consist of multiple tag components separated by a colon (:
), for
example lib:mylib
. Therefore tags span a tree of namespaces or scopes
used to resolve path references. A tag-less reference just uses
the actual document or binding to resolve a path extression.
Evaluation of a path reference for a tag tries to resolve the path in the first tag tree level where the path is available (breadth-first search). If this level contains multiple tags that could resolve the given path, the resolution fails because it cannot be unambigiously resolved.
For example:
tags:
- <<: (( &tag:lib:alice ))
data: alice.alice
- <<: (( &tag:lib:alice:v1))
data: alice.v1
- <<: (( &tag:lib:bob))
other: bob
usage:
data: (( lib::data ))
effectively resolves usage.data
to lib:alice::data
and therefore to the value
alice.alice
.
To achieve this all matching sub tags are orderd by their number of
tag components. The first sub-level tag containing such a
given path is selected. For this level, the matching tag must be non-ambigious.
There must only be one tag with this level containing a matching path.
If there are multiple ones the evaluation fails. In the above example this would
be the case if tag lib:bob
would contain a field data
instead of or
additional to other
.
This feature can be used in library stubs to provide qualified names for their elements that can be used with merging the containing document nodes into the template.
If the template file is a multi-document stream the tags are preserved during the complete processing. This means tags defined in a earlier document can be used in all following documents, also. But the tag names must be unique across all documents in a multi-document stream.
e.g.:
template.yaml
<<: (( &temporary ))
data:
<<: (( &tag:persons ))
alice: 25
bob: 24
---
alice: (( persons::alice ))
---
bob: (( persons::bob ))
resolves to
---
alice: 25
---
bob: 24
Tags defined by tag markers are available for stubs and templates. Global tags are available down the stub processing to the templates. Local tags are only avaialble on the processing level they are declared.
Additionally to the tags explicitly set by tag markers, there are implicit
document tags given by the document index during the processing of a
(multi-document) template. The implicit document tags are qualified with the
prefix doc.
. This prefix should not be used to own tags in the documents
e.g.:
template.yaml
<<: (( &temporary ))
data:
<<: (( &tag:persons ))
alice: 25
bob: 24
---
alice: (( persons::alice ))
prev: (( doc.1::. ))
---
bob: (( persons::bob ))
prev: (( doc.2::. ))
resolves to
---
alice: 25
prev:
data:
alice: 25
bob: 24
---
bob: 24
prev:
alice: 25
prev:
data:
alice: 25
bob: 24
If the given document index is negative it denotes the document relative to the
one actually processed (so, the tag doc.-1
denotes the previous document).
The index doc.0
can be used to denote the actual document. Here always a path
must be specified, it is not possible to refer to the complete document
(with .
).
A map can be tagged by a dynaml expression to be used as template. Dynaml expressions in a template are not evaluated at its definition location in the document, but can be inserted at other locations using dynaml. At every usage location it is evaluated separately.
The dynaml expression &template
can be used to tag a map node as template:
e.g.:
foo:
bar:
<<: (( &template ))
alice: alice
bob: (( verb " " alice ))
The template will be the value of the node foo.bar
. As such it can be overwritten as a whole by settings in a stub during the merge process. Dynaml expressions in the template are not evaluated. A map can have only a single <<
field. Therefore it is possible to combine the template marker with an expression just by adding the expression in parenthesis.
Adding - <<: (( &template ))
to a list it is also possible to define list templates.
It is also possible to convert a single expression value into a simple template by adding the template
marker to the expression, for example foo: (( &template (expression) ))
The template marker can be combined with the temporary marker to omit templates from the final output.
Note: Instead of using a <<:
insert field to place the template marker it is
possible now to use <<<:
, also, which allows to use regular yaml parsers for
spiff-like yaml documents. <<:
is kept for backward compatibility.
The dynaml expression *<reference expression>
can be used to evaluate a template somewhere in the yaml document.
Dynaml expressions in the template are evaluated in the context of this expression.
e.g.:
foo:
bar:
<<: (( &template ))
alice: alice
bob: (( verb " " alice ))
use:
subst: (( *foo.bar ))
verb: loves
verb: hates
evaluates to
foo:
bar:
<<: (( &template ))
alice: alice
bob: (( verb " " alice ))
use:
subst:
alice: alice
bob: loves alice
verb: loves
verb: hates
The special reference _
(self) can be used inside of lambda functions
and templates. They refer to the containing element (the lambda function or
template).
Additionally it can be used to lookup relative reference expressions starting with the defining document scope of the element skipping intermediate scopes.
e.g.:
node:
data:
scope: data
funcs:
a: (( |x|->scope ))
b: (( |x|->_.scope ))
c: (( |x|->_.data.scope ))
scope: funcs
call:
scope: call
a: (( node.funcs.a(1) ))
b: (( node.funcs.b(1) ))
c: (( node.funcs.c(1) ))
evaluates call
to
call:
a: call
b: funcs
c: data
scope: call
The special reference __
can be used to lookup references as relative
references starting with the document node hosting the actually evaluated
dynaml expression skipping intermediate scopes.
This can, for example be used to relatively access a lambda value field besides the actual field in a map. The usage of plain function names is reserved for builtin functions and are not used as relative references.
This special reference is also available in expressions in templates and refer to the map node in the template hosting the actually evaluated expression.
e.g.:
templates:
templ:
<<: (( &template ))
self: (( _ ))
value: (( ($self="value") __.self ))
result: (( scope ))
templ: (( _.scope ))
scope: templates
result:
inst: (( *templates.templ ))
scope: result
evaluates result
to
result:
inst:
result: result
templ: templates
self:
<<: (( &template ))
result: (( scope ))
self: (( _ ))
templ: (( _.scope ))
value: (( ($self="value") __.self ))
value:
<<: (( &template ))
result: (( scope ))
self: (( _ ))
templ: (( _.scope ))
value: (( ($self="value") __.self ))
scope: result
or with referencing upper nodes:
templates:
templ:
<<: (( &template ))
alice: root
data:
foo: (( ($bob="local") __.bob ))
bar: (( ($alice="local") __.alice ))
bob: static
result: (( *templates.templ ))
evaluates result
to
result:
alice: root
data:
bar: root
foo: static
bob: static
The special reference ___
can be used to lookup references in the outer most
scope. It can therefore be used to access processing bindings specified for a
document processing via command line or API. If no bindings are specified
the document root is used.
Calling spiff merge template.yaml --bindings bindings.yaml
with a binding of
bindings.yaml
input1: binding1
input2: binding2
and the template
template.yaml
input1: top1
map:
input: map
input1: map1
results:
frommap: (( input1 ))
fromroot: (( .input1 ))
frombinding1: (( ___.input1 ))
frombinding2: (( input2 ))
evaluates map.results
to
results:
frombinding1: binding1
frombinding2: binding2
frommap: map1
fromroot: top1
The context field OUTER
is used for nested merges.
It is a list of documents, index 0 is the next outer document, and so on.
Provides an empty map.
Provides an empty list. Basically this is not a dedicated literal, but just a regular list expression without a value.
Provides the null value.
This literal evaluates to an undefined expression. The element (list entry or map field) carrying this value, although defined, will be removed from the document and handled as undefined for further merges and the evaluation of referential expressions.
e.g.:
foo: (( ~~ ))
bob: (( foo || ~~ ))
alice: (( bob || "default"))
evaluates to
alice: default
Inside every dynaml expression a virtual field __ctx
is available. It allows access to information about the actual evaluation context. It can be accessed by a relative reference expression.
The following fields are supported:
Field Name | Type | Meaning |
---|---|---|
VERSION |
string | current version of spiff |
FILE |
string | name of actually processed template file |
DIR |
string | name of directory of actually processed template file |
RESOLVED_FILE |
string | name of actually processed template file with resolved symbolic links |
RESOLVED_DIR |
string | name of directory of actually processed template file with resolved symbolic links |
PATHNAME |
string | path name of actually processed field |
PATH |
list[string] | path name as component list |
OUTER |
yaml doc | outer documents for nested merges, index 0 is the next outer document |
BINDINGS |
yaml doc | the external bindings for the actual processing (see also ___) |
If external bindings are specified they are the last elements in OUTER
.
e.g.:
template.yml
foo:
bar:
path: (( __ctx.PATH ))
str: (( __ctx.PATHNAME ))
file: (( __ctx.FILE ))
dir: (( __ctx.DIR ))
evaluates to
e.g.:
foo:
bar:
dir: .
file: template.yml
path:
- foo
- bar
- path
str: foo.bar.str
Dynaml expressions are evaluated obeying certain priority levels. This means operations with a higher priority are evaluated first. For example the expression 1 + 2 * 3
is evaluated in the order 1 + ( 2 * 3 )
. Operations with the same priority are evaluated from left to right (in contrast to version 1.0.7). This means the expression 6 - 3 - 2
is evaluated as ( 6 - 3 ) - 2
.
The following levels are supported (from low priority to high priority)
||
,//
- White-space separated sequence as concatenation operation (
foo bar
) -or
,-and
==
,!=
,<=
,<
,>
,>=
+
,-
*
,/
,%
- Grouping
( )
,!
, constants, references (foo.bar
),merge
,auto
,lambda
,map[]
, and functions
The complete grammar can be found in dynaml.peg.
Feature state: alpha
Attention: This is an alpha feature. It must be enabled on the command
line with the --interpolation
or --features=interpolation
option.
Also for the spiff library it must
explicitly be enabled. By adding the key interpolation
to the feature list
stored in the environment variable SPIFF_FEATURES
this feature will be enabled
by default.
Typically a complete value can either be a literal or a dynaml expression. For string literals it is possible to use an interpolation syntax to embed dynaml expressions into strings.
For example
data: test
interpolation: this is a (( data ))
replaces the part between the double brackets by the result
of the described expression evaluation. Here the brackets can be escaped
by the usual escaping (((!
) syntax.
Those string literals will implicitly be converted to complete flat dynaml expressions. The example above will therefore be converted into
(( "this is a " data ))
which is the regular dynaml equivalent. The escaping is very ticky, and may be there are still problems. Quotes inside an embedded dynaml expression can be escaped to enable quotes in string literals.
Incomplete or partial interpolation expressions will be ignored and just used a s string.
Strings inside a dynaml expression are NOT directly interpolated again, thus
data: "test"
interpolated: "this is a (( length(\"(( data ))\") data ))"
will resolve interpolation
to this is 10test
and not to this is 4test
.
But if the final string after the expression evaluation again describes a string interpolation it will be processed, again.
data: test
interpolation: this is a (( "(( data ))" data ))
will resolve interpolation
to this is testtest
.
The embedded dynaml expression must be concatenatable with strings.
Feature state: alpha
In addition to describe conditions and loops with dynaml expressions it is also possible to use elements of the document structure to embed control structures.
Such a YAML-based control structure is always described as a map in YAML/JSON.
The syntactical elements are expressed as map fields starting with <<
.
Additionally, depending on the control structure, regular fields are possible.
Control structures finally represent a value for the containing node.
They may contain marker expressions (<<
), also.
e.g.:
temp:
<<: (( &temporary ))
<<if: (( features("control") ))
<<then:
alice: 25
bob: 26
resolves to
final:
alice: 25
bob: 26
Tu use this alpha feature the feature flag control
must be enabled.
Please be aware: Control structure maps typically are always completely resolved before they are evaluated.
A control structure itself is always a dedicated map node in a document. It is substituted by a regular value node determined by the execution of the control structure.
The fields of a control structure map are not subject to overwriting by stubs, but the complete structure can be overwritten.
If used as value for a map field the resulting value is just used as effective value for this field.
If a map should be enriched by maps resulting from multiple control structures
the special control structure <<merge:
can be used. It allows to
specify a list of maps which should be merged with the actual control structure
map to finally build the result value.
A control structure can be used as list value, also. In this case there is a dedicated interpretation of the resulting value of the control structure. If it is NOT a list value, for convenience, the value is directly used as list entry and substitutes the control structure map.
If the resulting value is again a list, it is inserted into the containing list at the place of occurrence of the control structure. So, if a list value should be used as dedicated entry in a list, the result of a control structure must be a list with the intended list as entry.
e.g.:
list:
- <<if: (( features("control") ))
<<then: alice
- <<if: (( features("control") ))
<<then:
- - peter
- <<if: (( features("control") ))
<<then:
- bob
resolves to
list:
- alice
- - peter
- bob
The condition structure is defined by the syntax field <<if
. It additionally
accepts the fields <<then
and <<else
.
The condition field must provide a boolean value.
If it is true
the optional <<then
field is used to substitute the control
structure, otherwise the optional <<else
field is used.
If the appropriate case is not specified, the result is the undefined (( ~~ ))
value. The containing field is therefore completely omitted from the output.
.e.g.:
x: test1
cond:
field:
<<if: (( x == "test" ))
<<then: alice
<<else: bob
evaluates cond.field
to bob
If the else case is omitted, the cond
field would be an empty map (field
is omitted, because the contained control structure evaluates to undefined)
A comparable way to do this with regular dynaml could look like this:
cond: (( x == "test" ? "alice" :"bob" ))
A better way more suitable for complex cases would be:
local:
<<: (( &local))
then: alice
else: bob
cond: (( x == "test" ? local.then :local.else ))
The switch
control structure evaluates the switch value of the <<switch
field to a string and uses it to select an appropriate regular field
in the control map.
If it is not found the value of the optional field <<default
is used. If no default
is specified, the control structure evaluates to an error, if no appropriate
regular field is available.
The nil value matches the default
case. If the switch value is undefined
the control evaluates to the undefined value (( ~~ ))
.
e.g.:
x: alice
value:
<<switch: (( x ))
alice: 25
bob: 26
<<default: other
evaluates value
to 25
.
A comparable way to do this with regular dynaml could look like this:
local:
<<: (( &local))
cases:
alice: 25
bob: 26
default: other
value: (( local.cases[x] || local.default ))
The type
control structure evaluates the type of the value of the <<type
field and uses it to select an appropriate regular field
in the control map.
If it is not found the value of the optional field <<default
is used. If no default
is specified, the control structure evaluates to an error, if no appropriate
regular field is available.
e.g.:
x: alice
value:
<<type: (( x ))
string: alice
<<default: unknown
evaluates value
to alice
.
A comparable way to do this with regular dynaml could look like this:
local:
<<: (( &local))
cases:
string: alice
default: unknown
value: (( local.cases[type(x)] || local.default ))
For more complex scenarios not only switching on strings a second syntax
can be used. Instead of using fields in the control map as cases, a dedicated
field <<cases
may contain a list of cases, that are checked sequentially
(In this flavor regular fields are not allowed anymore).
Every case is described again by a map containing the fields:
case
: the expected value to match the switch valuematch
: a lambda function taking one argument and yielding a boolean value used to match the given switch valuevalue
: (optional) the resulting value in case of a match. If not defined the result will be the undefined value.
One of case
or match
must be present.
e.g.:
x: 5
selected:
<<switch: (( x ))
<<cases:
- case:
alice: 25
value: alice
- match: (( |v|->v == 5 ))
value: bob
<<default: unknown
resolves to
x: 5
selected: bob
If x
would be set to the complex value
x:
alice: 25
it would resolve to
x:
alice: 25
selected: alice
The loop control is able to execute a multi-dimensional loop and produce a list or map based on the value combinations.
The loop ranges are specified by the value of the <<for
field.
It is possible ol loop over lists or maps.
The range specification can be given by either a map or list:
-
map: the keys of the map are the names of the control variables and the values must be lists or maps specifying the ranges.
The map key might optionally be a comma-separated pair (for example
key,value
) of variable names. In this case the first name is the name for the index variable and the second one for the value variable.If multiple ranges are specified iterations are alphabetically ordered by value variable name (first) and index variable name (second) to determine the traversing order.
-
list: if the control variables are defined by a list, each list element must contain two mandatory and one optional field(s):
name
: the name of the (list or map entry value) control variablevalues
: a list to define the value range.index
: (optional) the name of the variable providing the list index or map key of the loop range (defaulted toindex-<name>
)
Here the order in the list determine the traversal order.
Traversal is done by recursively iterating follow up ranges for every entry in the actual range. This means the last range is completely iterated for the first values of the first ranges first.
If no index variable is specified for a loop range there is an additional
implicit binding for every control variable describing the actual list index
or map key of the processed value for this dimension. It is denoted by
index-<control variable>
If multiple loop ranges are specified, the ranges may mix iterations over maps and lists.
The iteration result value is determined by the value of the <<do
field.
It is implicitly handled as template and is evaluated for every
set of iteration values.
The result of the evaluation using only the <<do
value field is a list.
e.g.:
alice:
- a
- b
bob:
- 1
- 2
- 3
list:
<<for:
key,alice: (( .alice )) # sorted by using alice as primary sort key
bob: (( .bob ))
<<do:
value: (( alice "-" key "-" bob "-" index-bob ))
evaluates list
to
list:
- value: a-0-1-0
- value: a-0-2-1
- value: a-0-3-2
- value: b-1-1-0
- value: b-1-2-1
- value: b-1-3-2
It first iterates over the values for alice
. For each such value it then
iterates over the values of bob
.
A comparable way to do this with regular dynaml could look like this:
list: (( sum[alice|[]|s,key,alice|-> s sum[bob|[]|s,index_bob,bob|->s (alice "-" key "-" bob "-" index_bob)]] ))
A result list may omit entries if the value expression evaluates to the undefined
value (~~
). The nil value (~
) is kept. This way a for
control can be used
to filter lists.
e.g.:
bob:
- 1
- 2
- 3
filtered:
<<for:
bob: (( .bob ))
<<do: (( bob == 2 ? ~~ :bob ))
resolves to
bob:
- 1
- 2
- 3
filtered:
- 1
- 3
If the result should be a map it is required to additionally specify a
key value for every iteration. This is specified by the optional <<mapkey
field. Like the <<do
field it is implicitly handled as template and re-evaluated
for every iteration.
e.g.:
x: suffix
alice:
- a
- b
bob:
- 1
- 2
- 3
map:
<<for:
- name: alice
values: (( .alice ))
- name: bob
values: (( .bob ))
<<mapkey: (( alice bob ))
<<do:
value: (( alice bob x ))
evaluates the field map
to
map:
a1:
value: a1suffix
a2:
value: a2suffix
a3:
value: a3suffix
b1:
value: b1suffix
b2:
value: b2suffix
b3:
value: b3suffix
Here the traversal order is irrelevant as long as the generated key values are unique. If several evaluations of the key expression yield the same value the last one will win.
A comparable way to do this with regular dynaml could look like this:
map: (( sum[alice|{}|s,index_alice,alice|-> s sum[bob|{}|s,index_bob,bob|->s {(alice bob)=alice bob x}]] ))
An iteration value is ignored if the key or the value evaluate to the undefined
value (( ~~ ))
. Additionally the key may evaluate to the nil value (( ~ ))
, also.
e.g.:
bob:
b1: 1
b2: 2
b3: 3
filtered:
<<for:
key,bob: (( .bob ))
<<mapkey: (( key ))
<<do: (( bob == 2 ? ~~ :bob ))
or
bob:
b1: 1
b2: 2
b3: 3
filtered:
<<for:
key,bob: (( .bob ))
<<mapkey: (( bob == 2 ? ~~ :key ))
<<do: (( bob ))
resolve to
bob:
b1: 1
b2: 2
b3: 3
filtered:
b1: 1
b3: 3
With merge
it is possible to merge maps given as list value of the
<<merge
field with regular map fields from the control structure
to determine the final map value.
The value for <<merge:
may be a single map or a list of maps to join
with the directly given fields.
e.g.:
map:
<<merge:
- bob: 26
charlie: 1
- charlie: 27
alice: 25
charlie: 2
resolves to
map:
alice: 25
bob: 26
charlie: 27
If multiple maps contain the same key, the last value (in order of list) will win.
This might be combined with other control structures, for example to conditionally merge multiple maps:
e.g.:
x: charlie
map:
<<merge:
- <<if: (( x == "charlie" ))
<<then:
charlie: 27
- <<if: (( x == "alice" ))
<<then:
alice: 20
alice: 25
charlie: 2
resolves to
x: charlie
map:
alice: 25
charlie: 27
By default spiff
performs a deep structural merge of its first argument, the template file, with the given stub files. The merge is processed from right to left, providing an intermediate merged stub for every step. This means, that for every step all expressions must be locally resolvable.
Structural merge means, that besides explicit dynaml merge
expressions, values will be overridden by values of equivalent nodes found in right-most stub files. In general, flat value lists are not merged. Only lists of maps can be merged by entries in a stub with a matching index.
There is a special support for the auto-merge of lists containing maps, if the
maps contain a name
field. Hereby the list is handled like a map with
entries according to the value of the list entries' name
field. If another
key field than name
should be used, the key field of one list entry can be
tagged with the prefix key:
to indicate the indended key name. Such tags
will be removed for the processed output.
In general the resolution of matching nodes in stubs is done using the same rules that apply for the reference expressions (( foo.bar.[1].baz )).
For example, given the file template.yml:
foo:
- name: alice
bar: template
- name: bob
bar: template
plip:
- id: 1
plop: template
- id: 2
plop: template
bar:
- foo: template
list:
- a
- b
and file stub.yml:
foo:
- name: bob
bar: stub
plip:
- key:id: 1
plop: stub
bar:
- foo: stub
list:
- c
- d
spiff merge template.yml stub.yml
returns
foo:
- bar: template
name: alice
- bar: stub
name: bob
plip:
- id: 1
plop: stub
- id: 2
plop: template
bar:
- foo: stub
list:
- a
- b
Be careful that any name:
key in the template for the first element of the
plip
list will defeat the key:id: 1
selector from the stub. When a name
field exist in a list element, then this element can only be targeted by this
name. When the selector is defeated, the resulting value is the one provided
by the template.
Merging the following files in the given order
deployment.yml
networks: (( merge ))
cf.yml
utils: (( merge ))
network: (( merge ))
meta: (( merge ))
networks:
- name: cf1
<<: (( utils.defNet(network.base.z1,meta.deployment_no,30) ))
- name: cf2
<<: (( utils.defNet(network.base.z2,meta.deployment_no,30) ))
infrastructure.yml
network:
size: 16
block_size: 256
base:
z1: 10.0.0.0
z2: 10.1.0.0
rules.yml
utils:
defNet: (( |b,n,s|->(*.utils.network).net ))
network:
<<: (( &template ))
start: (( b + n * .network.block_size ))
first: (( start + ( n == 0 ? 2 :0 ) ))
lower: (( n == 0 ? [] :b " - " start - 1 ))
upper: (( start + .network.block_size " - " max_ip(net.subnets.[0].range) ))
net:
subnets:
- range: (( b "/" .network.size ))
reserved: (( [] lower upper ))
static:
- (( first " - " first + s - 1 ))
instance.yml
meta:
deployment_no: 1
will yield a network setting for a dedicated deployment
networks:
- name: cf1
subnets:
- range: 10.0.0.0/16
reserved:
- 10.0.0.0 - 10.0.0.255
- 10.0.2.0 - 10.0.255.255
static:
- 10.0.1.0 - 10.0.1.29
- name: cf2
subnets:
- range: 10.1.0.0/16
reserved:
- 10.1.0.0 - 10.1.0.255
- 10.1.2.0 - 10.1.255.255
static:
- 10.1.1.0 - 10.1.1.29
Using the same config for another deployment of the same type just requires the replacement of the instance.yml
.
Using a different instance.yml
meta:
deployment_no: 0
will yield a network setting for a second deployment providing the appropriate settings for a unique other IP block.
networks:
- name: cf1
subnets:
- range: 10.0.0.0/16
reserved:
- 10.0.1.0 - 10.0.255.255
static:
- 10.0.0.2 - 10.0.0.31
- name: cf2
subnets:
- range: 10.1.0.0/16
reserved:
- 10.1.1.0 - 10.1.255.255
static:
- 10.1.0.2 - 10.1.0.31
If you move to another infrastructure you might want to change the basic IP layout. You can do it just by adapting the infrastructure.yml
network:
size: 17
block_size: 128
base:
z1: 10.0.0.0
z2: 10.0.128.0
Without any change to your other settings you'll get
networks:
- name: cf1
subnets:
- range: 10.0.0.0/17
reserved:
- 10.0.0.128 - 10.0.127.255
static:
- 10.0.0.2 - 10.0.0.31
- name: cf2
subnets:
- range: 10.0.128.0/17
reserved:
- 10.0.128.128 - 10.0.255.255
static:
- 10.0.128.2 - 10.0.128.31
There are several scenarios yielding results that do not seem to be obvious. Here are some typical pitfalls.
-
The auto merge never adds nodes to existing structures
For example, merging
template.yml
foo: alice: 25
with
stub.yml
foo: alice: 24 bob: 26
yields
foo: alice: 24
Use <<: (( merge )) to change this behaviour, or explicitly add desired nodes to be merged:
template.yml
foo: alice: 25 bob: (( merge ))
-
Simple node values are replaced by values or complete structures coming from stubs, structures are deep merged.
For example, merging
template.yml
foo: (( ["alice"] ))
with
stub.yml
foo: - peter - paul
yields
foo: - peter - paul
But the template
foo: [ (( "alice" )) ]
is merged without any change.
-
Expressions are subject to be overridden as a whole
A consequence of the behaviour described above is that nodes described by an expession are basically overridden by a complete merged structure, instead of doing a deep merge with the structues resulting from the expression evaluation.
For example, merging
template.yml
men: - bob: 24 women: - alice: 25 people: (( women men ))
with
stub.yml
people: - alice: 13
yields
men: - bob: 24 women: - alice: 25 people: - alice: 24
To request an auto-merge of the structure resulting from the expression evaluation, the expression has to be preceeded with the modifier
prefer
((( prefer women men ))
). This would yield the desired result:men: - bob: 24 women: - alice: 25 people: - alice: 24 - bob: 24
-
Nested merge expressions use implied redirections
merge
expressions implicity use a redirection implied by an outer redirecting merge. In the following examplemeta: <<: (( merge deployments.cf )) properties: <<: (( merge )) alice: 42
the merge expression in
meta.properties
is implicity redirected to the pathdeployments.cf.properties
implied by the outer redirectingmerge
. Therefore merging withdeployments: cf: properties: alice: 24 bob: 42
yields
meta: properties: alice: 24 bob: 42
-
Functions and mappings can freely be nested
e.g.:
pot: (( lambda |x,y|-> y == 0 ? 1 :(|m|->m * m)(_(x, y / 2)) * ( 1 + ( y % 2 ) * ( x - 1 ) ) )) seq: (( lambda |b,l|->map[l|x|-> .pot(b,x)] )) values: (( .seq(2,[ 0..4 ]) ))
yields the list
[ 1,2,4,8,16 ]
for the propertyvalues
. -
Functions can be used to parameterize templates
The combination of functions with templates can be use to provide functions yielding complex structures. The parameters of a function are part of the scope used to resolve reference expressions in a template used in the function body.
e.g.:
relation: template: <<: (( &template )) bob: (( x " " y )) relate: (( |x,y|->*relation.template )) banda: (( relation.relate("loves","alice") ))
evaluates to
relation: relate: lambda|x,y|->*(relation.template) template: <<: (( &template )) bob: (( x " " y )) banda: bob: loves alice
-
Scopes can be used to parameterize templates
Scope literals are also considered when instantiating templates. Therefore they can be used to set explicit values for relative reference expressions used in templates.
e.g.:
alice: 1 template: <<: (( &template )) sum: (( alice + bob )) scoped: (( ( $alice = 25, "bob" = 26 ) *template ))
evaluates to
alice: 1 template: <<: (( &template )) sum: (( alice + bob )) scoped: sum: 51
-
Aggregations may yield complex values by using templates
The expression of an aggregation may return complex values by returning inline lists or instantiated templates. The binding of the function will be available (as usual) for the evaluation of the template. In the example below the aggregation provides a map with both the sum and the product of the list entries containing the integers from 1 to 4.
e.g.:
sum: (( sum[[1..4]|init|s,e|->*temp] )) temp: <<: (( &template )) sum: (( s.sum + e )) prd: (( s.prd * e )) init: sum: 0 prd: 1
yields for
sum
the valuesum: prd: 24 sum: 10
-
Taking advantage of the undefined value
At first glance it might look strange to introduce a value for undefined. But it can be really useful as will become apparent with the following examples.
-
Whenever a stub syntactically defines a field it overwrites the default in the template during merging. Therefore it would not be possible to define some expression for that field that eventually keeps the default value. Here the undefined value can help:
e.g.: merging
template.yml
alice: 24 bob: 25
with
stub.yml
alice: (( config.alice * 2 || ~ )) bob: (( config.bob * 3 || ~~ ))
yields
alice: ~ bob: 25
-
There is a problem accessing upstream values. This is only possible if the local stub contains the definition of the field to use. But then there will always be a value for this field, even if the upstream does not overwrite it.
Here the undefined value can help by providing optional access to upstream values. Optional means, that the field is only defined, if there is an upstream value. Otherwise it is undefined for the expressions in the local stub and potential downstream templates. This is possible because the field is formally defined, and will therefore be merged, only after evaluating the expression if it is not merged it will be removed again.
e.g.: merging
template.yml
alice: 24 bob: 25 peter: 26
with
mapping.yml
config: alice: (( ~~ )) bob: (( ~~ )) alice: (( config.alice || ~~ )) bob: (( config.bob || ~~ )) peter: (( config.peter || ~~ ))
and
config.yml
config: alice: 4711 peter: 0815
yields
alice: 4711 # transferred from config's config value bob: 25 # kept default value, because not set in config.yml peter: 26 # kept, because mapping source not available in mapping.yml
This can be used to add an intermediate stub, that offers a dedicated configuration interface and contains logic to map this interface to a manifest structure already defining default values.
-
-
Templates versus map literals
As described earlier templates can be used inside functions and mappings to easily describe complex data structures based on expressions refering to parameters. Before the introduction of map literals this was the only way to achieve such behaviour. The advantage is the possibility to describe the complex structure as regular part of a yaml document, which allows using the regular yaml formatting facilitating readability.
e.g.:
scaling: runner_z1: 10 router_z1: 4 jobs: (( sum[scaling|[]|s,k,v|->s [ *templates.job ] ] )) templates: job: <<: (( &template )) name: (( k )) instances: (( v ))
evaluates to
scaling: runner_z1: 10 router_z1: 4 jobs: - instances: 4 name: router_z1 - instances: 10 name: runner_z1 ...
With map literals this construct can significantly be simplified
scaling: runner_z1: 10 router_z1: 4 jobs: (( sum[scaling|[]|s,k,v|->s [ {"name"=k, "value"=v} ] ] ))
Nevertheless the first, template based version might still be useful, if the data structures are more complex, deeper or with complex value expressions. For such a scenario the description of the data structure as template should be preferred. It provides a much better readability, because every field, list entry and value expression can be put into dedicated lines.
But there is still a qualitative difference. While map literals are part of a single expression always evaluated as a whole before map fields are available for referencing, templates are evaluated as regular yaml documents that might contain multiple fields with separate expressions referencing each other.
e.g.:
range: (( (|cidr,first,size|->(*templates.addr).range)("10.0.0.0/16",10,255) )) templates: addr: <<: (( &template )) base: (( min_ip(cidr) )) start: (( base + first )) end: (( start + size - 1 )) range: (( start " - " end ))
evaluates
range
torange: 10.0.0.10 - 10.0.1.8 ...
-
Defaulting and Requiring Fields
Traditionally defaulting in spiff is done by a downstream template where the playload data file is used as stub.
Fields with simple values can just be specified with their values. They will be overwritten by stubs using the regular spiff document merging mechanisms.
It is more difficult for maps or lists. If a map is specified in the template only its fields will be merged (see above), but it is never replaced as a whole by settings in the playload definition files. And Lists are never merged.
Therefore maps and lists that should be defaulted as a whole must be specified as initial expressions (referential or inline) in the template file.
e.g.: merging of
template.yaml
defaults: <<: (( &temporary )) person: name: alice age: bob config: value1: defaultvalue value2: defaultvalue person: (( defaults.person ))
and
payload.yaml
config: value2: configured othervalue: I want this but don't get it
evaluates to
config: person: age: bob name: alice value1: defaultvalue value2: configured
In such a scenario the structure of the resulting document is defined by the template. All kinds of variable fields or sub-structures must be forseen by the template by using
<<: (( merge ))
expressions in maps.e.g.: changing template to
template.yaml
defaults: <<: (( &temporary )) person: name: alice age: bob config: <<: (( merge )) value1: defaultvalue value2: defaultvalue person: (( defaults.person ))
Known optional fields can be described using the undefined (
~~
) expression:template.yaml
config: optional: (( ~~ ))
Such fields will only be part of the final document if they are defined in an upstream stub, otherwise they will be completely removed.
Required fields can be defined with the expression
(( merge ))
. If no stub contains a value for this field, the merge cannot be fullfilled and an error is reported. If a dedicated message should be shown instead, the merge expression can be defaulted with an error function call.e.g.:
template.yaml
config: password: (( merge || error("the field password is required") ))
will produce the following error if no stub contains a value:
error generating manifest: unresolved nodes: (( merge || error("the field password is required") )) in c.yaml config.password () *the field password is required
This can be simplified by reducing the expression to the sole
error
expression.Besides this template based defaulting it is also possible to provide defaults by upstream stubs using the
&default
marker. Here the payload can be a downstream file. -
X509 and providing State
When generating keys or certificates with the X509 Functions there will be new keys or certificates for every execution of spiff. But it is also possible to use spiff to maintain key state. A very simple script could look like this:
#!/bin/bash DIR="$(dirname "$0")/state" if [ ! -f "$DIR/state.yaml" ]; then echo "state:" > "$DIR/state.yaml" fi spiff merge "$DIR/template.yaml" "$DIR/state.yaml" > "$DIR/.$$" && mv "$DIR/.$$" "$DIR/state.yaml"
It uses a template file (containing the rules) and a state file with the actual state as stub. The first time it is executed there is an empty state and the rules are not overridden, therefore the keys and certificates are generated. Later on, only additional new fields are calculated, the state fields already containing values just overrule the dynaml expressions for those fields in the template.
If a re-generation is required, the state file can just be deleted.
A template may look like this:
state/template.yaml
spec: <<: (( &local )) ca: organization: Mandelsoft commonName: rootca privateKey: (( state.cakey )) isCA: true usage: - Signature - KeyEncipherment peer: organization: Mandelsoft commonName: etcd publicKey: (( state.pub )) caCert: (( state.cacert )) caPrivateKey: (( state.cakey )) validity: 100 usage: - ServerAuth - ClientAuth - KeyEncipherment hosts: - etcd.mandelsoft.org state: cakey: (( x509genkey(2048) )) capub: (( x509publickey(cakey) )) cacert: (( x509cert(spec.ca) )) key: (( x509genkey(2048) )) pub: (( x509publickey(key) )) peer: (( x509cert(spec.peer) ))
The merge then generates a rootca and some TLS certificate signed with this CA.
-
Generating, Deploying and Accessing Status for Kubernetes Resources
The
sync
function offers the possibility to synchronize the template processing with external content. This can also be the output of a command execution. Therefore the template processing can not only be used to generate a deployment manifest, but also for applying this to a target system and retrieving deployment status values for the further processing.A typical scenario of this kind could be a kubernetes setup including a service of type LoadBalancer. Once deployed it gets assigned status information about the IP address or hostname of the assigned load balancer. This information might be required for some other deployment manifest.
A simple template for such a deployment could like this:
service: apiVersion: v1 kind: Service metadata: annotations: dns.mandelsoft.org/dnsnames: echo.test.garden.mandelsoft.org dns.mandelsoft.org/ttl: "500" name: test-service namespace: default spec: ports: - name: http port: 80 protocol: TCP targetPort: 8080 sessionAffinity: None type: LoadBalancer deployment: testservice: (( sync[pipe_uncached(service, "kubectl", "apply", "-f", "-", "-o", "yaml")|value|->defined(value.status.loadBalancer.ingress)] )) otherconfig: lb: (( deployment.testservice.status.loadBalancer.ingress ))
-
Crazy Shit: Graph Analaysis with spiff
It is easy to describe a simple graph with knots and edges (for example for a set of components and their dependencies) just by using a map of lists.
graph.yaml
graph: a: - b - c b: [] c: - b - a d: - b e: - d - b
Now it would be useful to figure out whether there are dependency cycles or to determine ordered transitive dependencies for a component.
Let's say something like this:
closures.yaml
graph: utilities: closures: (( utilities.graph.evaluate(graph) )) cycles: (( utilities.graph.cycles(closures) ))
Indeed, this can be done with spiff. The only thing required is a "small utilities stub".
utilities.yaml
utilities: <<: (( &temporary )) graph: _dep: (( |model,comp,closure|->contains(closure,comp) ? { $deps=[], $err=closure [comp]} :($deps=_._deps(model,comp,closure [comp]))($err=sum[deps|[]|s,e|-> length(s) >= length(e.err) ? s :e.err]) { $deps=_.join(map[deps|e|->e.deps]), $err=err} )) _deps: (( |model,comp,closure|->map[model.[comp]|dep|->($deps=_._dep(model,dep,closure)) { $deps=[dep] deps.deps, $err=deps.err }] )) join: (( |lists|->sum[lists|[]|s,e|-> s e] )) min: (( |list|->sum[list|~|s,e|-> s ? e < s ? e :s :e] )) normcycle: (( |cycle|->($min=_.min(cycle)) min ? sum[cycle|cycle|s,e|->s.[0] == min ? s :(s.[1..] [s.[1]])] :cycle )) cycle: (( |list|->list ? ($elem=list.[length(list) - 1]) _.normcycle(sum[list|[]|s,e|->s ? s [e] :e == elem ? [e] :s]) :list )) norm: (( |deps|->{ $deps=_.reverse(uniq(_.reverse(deps.deps))), $err=_.cycle(deps.err) } )) reverse: (( |list|->sum[list|[]|s,e|->[e] s] )) evaluate: (( |model|->sum[model|{}|s,k,v|->s { k=_.norm(_._dep(model,k,[]))}] )) cycles: (( |result|->uniq(sum[result|[]|s,k,v|-> v.err ? s [v.err] :s]) ))
And magically spiff does the work just by calling
spiff merge closure.yaml graph.yaml utilities.yaml
And the result is
closures: a: deps: - c - b - a err: - a - c - a b: deps: [] err: [] c: deps: - a - b - c err: - a - c - a d: deps: - b err: [] e: deps: - d - b err: [] cycles: - - a - c - a graph: a: - b - c b: [] c: - b - a d: - b e: - d - b
The evaluation of dynaml expressions may fail because of several reasons:
- it is not parseable
- involved references cannot be satisfied
- arguments to operations are of the wrong type
- operations fail
- there are cyclic dependencies among expressions
If a dynaml expression cannot be resolved to a value, it is reported by the
spiff merge
operation using the following layout:
(( <failed expression> )) in <file> <path to node> (<referred path>) <tag><issue>
Example
(( min_ip("10") )) in source.yml node.a.[0] () *CIDR argument required
Cyclic dependencies are detected by iterative evaluation until the document is unchanged after a step. Nodes involved in a cycle are therefore typically reported just as unresolved node without a specific issue.
The order of the reported unresolved nodes depends on a classification of the problem, denoted by a dedicated tag. The following tags are used (in reporting order):
Tag | Meaning |
---|---|
* |
error in local dynaml expression |
@ |
dependent or involved in cyclic dependencies |
- |
subsequent error because of refering to a yaml node with an error |
Problems occuring during inline template processing are reported as nested problems. The classification is propagated to the outer node.
If a problem occurs in nested lamba calls the call stack together with the lamba function and is local binding is listed.
Example
(( 2 + .func(2) )) in local/err.yaml value () *evaluation of lambda expression failed: lambda|x|->x > 0 ? _(x - 1) : *(template): {x: 2}
... evaluation of lambda expression failed: lambda|x|->x > 0 ? _(x - 1) : *(template): {x: 1}
... evaluation of lambda expression failed: lambda|x|->x > 0 ? _(x - 1) : *(template): {x: 0}
... resolution of template 'template' failed
(( z )) in local/err.yaml val ()*'z' not found
In case of parsing errors in dynaml expressions, the error location is shown now. If it is a multi line expression the line a character/symbol number in that line is show, otherwise the line numer is omitted.
Example
((
2 ++ .func(2)
)) in local/err.yaml faulty () *parse error near line 2 symbol 2 - line 2 symbol 3: " "
Spiff provides a Go package (spiffing
) that can be used to include spiff templates in Go programs.
An example program could look like this:
import (
"fmt"
"math"
"os"
"github.com/mandelsoft/spiff/dynaml"
"github.com/mandelsoft/spiff/spiffing"
)
func func_pow(arguments []interface{}, binding dynaml.Binding) (interface{}, dynaml.EvaluationInfo, bool) {
info := dynaml.DefaultInfo()
if len(arguments) != 2 {
return info.Error("pow takes 2 arguments")
}
a, b, err := dynaml.NumberOperands(arguments[0], arguments[1])
if err != nil {
return info.Error("%s", err)
}
_, i := a.(int64)
if i {
r := math.Pow(float64(a.(int64)), float64(b.(int64)))
if float64(int64(r)) == r {
return int64(r), info, true
}
return r, info, true
} else {
return math.Pow(a.(float64), b.(float64)), info, true
}
}
var state = `
state: {}
`
var stub = `
unused: (( input ))
ages:
alice: (( pow(2,5) ))
bob: (( alice + 1 ))
`
var template = `
state:
<<<: (( &state ))
random: (( rand("[:alnum:]", 10) ))
ages: (( &temporary ))
example:
name: (( input )) # direct reference to additional values
sum: (( sum[ages|0|s,k,v|->s + v] ))
int: (( pow(2,4) ))
float: 2.1
pow: (( pow(1.1e1,2.1) ))
`
func Error(err error) {
if err != nil {
fmt.Fprintf(os.Stderr, "Error: %s\n", err)
os.Exit(1)
}
}
func main() {
values := map[string]interface{}{}
values["input"] = "this is an input"
functions := spiffing.NewFunctions()
functions.RegisterFunction("pow", func_pow)
spiff, err := spiffing.New().WithFunctions(functions).WithValues(values)
Error(err)
pstate, err := spiff.Unmarshal("state", []byte(state))
Error(err)
pstub, err := spiff.Unmarshal("stub", []byte(stub))
Error(err)
ptempl, err := spiff.Unmarshal("template", []byte(template))
Error(err)
result, err := spiff.Cascade(ptempl, []spiffing.Node{pstub}, pstate)
Error(err)
b, err := spiff.Marshal(result)
Error(err)
newstate, err := spiff.Marshal(spiff.DetermineState(result))
Error(err)
fmt.Printf("==== new state ===\n")
fmt.Printf("%s\n", string(newstate))
fmt.Printf("==== result ===\n")
fmt.Printf("%s\n", string(b))
}
It supports
- transforming file data to and from spiffs internal node representation
- the processing of stubs and templates with or without state handling
- defining an outer binding for injected path names
- defining additional spiff functions
- enabling/disabling command execution and/or filesystem operations
- using a virtual filesystem for file system operations