# OPA on OpenShift demo

Demo that deploys the OPA agent into OpenShift using plain resources, Helm, Argo CD and Tekton. This demo uses OpenShift 4.9 running on AWS (ROSA).

## Prerequisites

Install the following operators via OperatorHub in the OpenShift Console, using the latest available version and the default settings:

- Red Hat OpenShift GitOps (version 1.7.0)
- Red Hat OpenShift Pipelines (version 1.7.3)

This is the minimum viable configuration. Recommended only for POC purposes.
## Deploy using plain resources

- Login to the OpenShift cluster via CLI using:

  ```bash
  oc login
  ```

- Export the project name to use:

  ```bash
  NAMESPACE=opa
  ```

- Create the project:

  ```bash
  oc new-project $NAMESPACE
  ```

- Create the OPA resources:

  ```bash
  oc apply -f iac/resources/deployment.yaml
  oc apply -f iac/resources/service.yaml
  oc apply -f iac/resources/route.yaml
  ```
## Deploy using Helm

- Login to the OpenShift cluster via CLI using:

  ```bash
  oc login
  ```

- Export the project name to use:

  ```bash
  NAMESPACE=opa-helm
  ```

- Checkout the `helm` branch:

  ```bash
  git checkout helm
  ```

- Create the project:

  ```bash
  oc new-project $NAMESPACE
  ```

- Change to the `iac/helm` directory:

  ```bash
  cd iac/helm
  ```

- Install the `helm` chart:

  ```bash
  helm upgrade -i opa-helm opa-chart -f values/dev/values.yaml
  ```
## Deploy using Argo CD (GitOps)

- Login to the OpenShift cluster via CLI using:

  ```bash
  oc login
  ```

- Export the project name to use:

  ```bash
  NAMESPACE=opa-gitops
  ```

- Create the project:

  ```bash
  oc new-project $NAMESPACE
  ```

- Checkout the `gitops` branch:

  ```bash
  git checkout gitops
  ```

- Change to the `iac/gitops` directory:

  ```bash
  cd iac/gitops
  ```

- Install the Argo CD instance (prerequisite):

  ```bash
  oc apply -f prereqs/argocd.yaml
  ```

- Install the `gitops-app-project` chart:

  ```bash
  helm upgrade -i opa-gitops gitops-app-project -f ../helm/values/dev/values.yaml \
    --set "app.namespace=$NAMESPACE"
  ```
## Deploy using Tekton

- Login to the OpenShift cluster via CLI using:

  ```bash
  oc login
  ```

- Export the project name to use:

  ```bash
  NAMESPACE=opa-tekton
  ```

- Create the project:

  ```bash
  oc new-project $NAMESPACE
  ```

- Checkout the `main` branch (if not already there):

  ```bash
  git checkout main
  ```

- Change to the `iac/gitops` directory:

  ```bash
  cd iac/gitops
  ```

- Install the Argo CD instance (prerequisite):

  ```bash
  oc apply -f prereqs/argocd.yaml
  ```

- Install the `gitops-app-project` chart:

  ```bash
  helm upgrade -i opa-tekton gitops-app-project -f ../helm/values/dev/values.yaml \
    --set "app.namespace=$NAMESPACE"
  ```

  This will install the OPA agent, but the pods will fail to start because of the missing `configmap`.

- Next, run the `configure-opa` pipeline from the OpenShift console.
## Test the API

- Get the route to the service either from the OpenShift Console or by running this command:

  ```bash
  URL=http://$(oc get route $NAMESPACE-opa-chart -o jsonpath='{.spec.host}')
  ```

- Next, attempt to query the policies without authentication (expect success, `200`):

  ```bash
  curl --location -i $URL/v1/policies/
  ```

- Next, attempt to insert a new policy without authentication (expect error, `403`). The policy body is Rego, and its two statements go on separate lines:

  ```bash
  curl -i --location --request PUT $URL/v1/policies/example1 \
    --data-raw 'package example1

  default allow := false'
  ```

- Next, obtain a valid token, e.g. from http://jwt.io: enter the secret in the **Verify Signature** section, specify `"client": "test"` in the payload, and save the token in an environment variable named `JWT`. Then insert the policy with the token (expect success, `200`):

  ```bash
  curl --location -i --request PUT $URL/v1/policies/example1 \
    --header "Authorization: Bearer $JWT" \
    --data-raw 'package example1

  default allow := false'
  ```
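The three checks above can be scripted so that the token is minted locally rather than by pasting the shared secret into a web page. The following is an added example, not code from this repository: it builds the HS256 JWT with the `{"client": "test"}` claim using only the Python standard library, then issues the same three requests and compares the status codes against the expected `200`, `403` and `200`. It assumes the route is in `$URL` as set above; the variable name `OPA_JWT_SECRET` for the shared secret is an assumption made here (the demo's own configuration decides where that secret actually lives).

```python
#!/usr/bin/env python3
"""Mint the demo JWT locally and run the README's three OPA API checks.

Added example for this README, not part of the demo repository.
Assumes: $URL holds the OPA route (as set in the README) and
$OPA_JWT_SECRET holds the HS256 shared secret (variable name chosen here).
"""
import base64
import hashlib
import hmac
import json
import os
import sys
import urllib.error
import urllib.request
from typing import List, Optional, Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7515 requires for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(secret: str, claims: dict) -> str:
    """Build a compact HS256 JWT (header.payload.signature) for the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_jwt(secret: str, token: str) -> dict:
    """Return the claims if the HS256 signature is valid, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three segments")
    head, body, sig = parts
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))


# Policy body from the README; Rego statements are written on separate lines.
EXAMPLE_POLICY = "package example1\n\ndefault allow := false\n"


def call(url: str, method: str = "GET", body: Optional[str] = None,
         token: Optional[str] = None) -> int:
    """Send the request and return the HTTP status, including 4xx/5xx responses."""
    req = urllib.request.Request(url, method=method, data=body.encode() if body else None)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_checks(base_url: str, token: str) -> List[Tuple[str, int, int]]:
    """Return (description, expected status, actual status) for the README's three checks."""
    policy_url = f"{base_url}/v1/policies/example1"
    return [
        ("GET policies without token", 200, call(f"{base_url}/v1/policies/")),
        ("PUT policy without token", 403, call(policy_url, "PUT", EXAMPLE_POLICY)),
        ("PUT policy with token", 200, call(policy_url, "PUT", EXAMPLE_POLICY, token)),
    ]


if __name__ == "__main__":
    base = os.environ["URL"].rstrip("/")
    token = mint_jwt(os.environ["OPA_JWT_SECRET"], {"client": "test"})
    failures = 0
    for desc, want, got in run_checks(base, token):
        print(f"{'ok' if want == got else 'FAIL':4} {desc}: expected {want}, got {got}")
        failures += want != got
    sys.exit(1 if failures else 0)
```

Run it as `URL=... OPA_JWT_SECRET=... python3 check_opa.py` (file name chosen here); a non-zero exit means at least one of the three expectations did not hold, which is the quickest way to notice that the authorization policy loaded by the pipeline is not the one you think it is.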