opa-demo

Demo of deploying an OPA (Open Policy Agent) server into OpenShift using Helm, Argo CD and Tekton. The demo was built and tested on OpenShift 4.9 running on AWS (ROSA).

Pre-requisites (for Phases 2 and 3)

Install the following operators from OperatorHub in the OpenShift console with default settings. Any current version should work; the versions listed are the ones this demo was tested with:

  1. Red Hat OpenShift GitOps (version 1.7.0)
  2. Red Hat OpenShift Pipelines (version 1.7.3)

Phase 0: Deploy Kubernetes Resources (POC)

This is the minimum viable configuration. Recommended only for POC purposes.

  1. Log in to the cluster with the CLI (oc login)

  2. Set the project name to use:

    NAMESPACE=opa
  3. Create project

    oc new-project $NAMESPACE
  4. Create OPA resources:

    oc apply -f iac/resources/deployment.yaml
    oc apply -f iac/resources/service.yaml
    oc apply -f iac/resources/route.yaml

Phase 1: Deploy using Helm

  1. Log in to the cluster with the CLI (oc login)

  2. Set the project name to use:

    NAMESPACE=opa-helm
  3. Check out the helm branch

    git checkout helm
  4. Create project

    oc new-project $NAMESPACE
  5. Change to iac/helm directory:

    cd iac/helm
  6. Install helm chart:

    helm upgrade -i opa-helm opa-chart -f values/dev/values.yaml

Phase 2: Deploy using GitOps (ArgoCD)

  1. Log in to the cluster with the CLI (oc login)

  2. Set the project name to use:

    NAMESPACE=opa-gitops
  3. Create project

    oc new-project $NAMESPACE
  4. Check out the gitops branch

    git checkout gitops
  5. Change to iac/gitops directory:

    cd iac/gitops
  6. Install ArgoCD instance (prerequisite):

    oc apply -f prereqs/argocd.yaml
  7. Install gitops-app-project chart:

    helm upgrade -i opa-gitops gitops-app-project -f ../helm/values/dev/values.yaml \
    --set "app.namespace=$NAMESPACE"

Phase 3: Deploy using GitOps (ArgoCD) and Tekton pipeline

  1. Log in to the cluster with the CLI (oc login)

  2. Set the project name to use:

    NAMESPACE=opa-tekton
  3. Create project

    oc new-project $NAMESPACE
  4. Check out the main branch (if not already on it)

    git checkout main
  5. Change to iac/gitops directory:

    cd iac/gitops
  6. Install ArgoCD instance (prerequisite):

    oc apply -f prereqs/argocd.yaml
  7. Install gitops-app-project chart:

    helm upgrade -i opa-tekton gitops-app-project -f ../helm/values/dev/values.yaml \
    --set "app.namespace=$NAMESPACE"
  8. This installs the OPA deployment, but its pods will not start until the ConfigMap they mount exists; that ConfigMap is created by the pipeline in the next step.

  9. Run the configure-opa pipeline from the OpenShift console (Pipelines section). Once it completes, the OPA pods should reach the Running state.

Policy Validation

  1. Get the route to the OPA service, either from the OpenShift console or with this command (the route name shown assumes the Helm release name equals $NAMESPACE; if the command returns an empty host, list the routes with oc get route -n $NAMESPACE and use that name instead):

    URL=http://$(oc get route $NAMESPACE-opa-chart -o jsonpath='{.spec.host}')
  2. Query the policies without authentication. Reads are open in this demo, so expect HTTP 200:

    curl --location -i $URL/v1/policies/
  3. Try to insert a new policy without authentication. Writes require a signed token, so OPA's authorization policy rejects the request with HTTP 403:

    curl -i --location --request PUT $URL/v1/policies/example1 \
    --data-raw 'package example1
    default allow := false'
  4. Obtain a valid token, for example at https://jwt.io: paste the shared secret that OPA was configured with into the Verify Signature section, set "client": "test" in the payload, and copy the encoded token into an environment variable named JWT. Keep in mind that this secret is an OPA credential, so paste it only into a tool you trust (or mint the token locally). Repeat the insert with the token, and expect HTTP 200:

    curl --location -i --request PUT $URL/v1/policies/example1 \
    --header "Authorization: Bearer $JWT" \
    --data-raw 'package example1
    default allow := false'
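
The same three checks, with the token minted locally instead of pasting the secret into jwt.io, as an added example that is not part of the opa-demo repository. It assumes (as the README steps imply but do not state) that the demo's OPA verifies an HS256-signed token whose payload carries "client": "test"; the shared secret is read from an OPA_JWT_SECRET environment variable, a placeholder name chosen for this example. Only the Python standard library is used.

```python
"""Mint/verify an HS256 JWT locally and drive the three OPA policy-API checks.

Added example for this README, not code from the opa-demo repository.
Assumed (not stated on the page): OPA expects an HS256 token with the claim
"client": "test"; the shared secret is supplied via OPA_JWT_SECRET and the
route via URL, both placeholder environment variable names.
"""
import base64
import hashlib
import hmac
import json
import os
import sys
import urllib.error
import urllib.request

# Same policy body the README PUTs with curl.
EXAMPLE_POLICY = "package example1\ndefault allow := false\n"

# Expected status codes from the README's three validation steps.
EXPECTED = {
    "list_policies_anonymous": 200,
    "put_policy_anonymous": 403,
    "put_policy_with_jwt": 200,
}


def b64url(data: bytes) -> str:
    # JWTs use unpadded base64url (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(secret: str, claims: dict) -> str:
    """Return a compact HS256 JWT for `claims` (replaces the jwt.io step)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_jwt(token: str, secret: str):
    """Return the payload if the HS256 signature checks out, else None.

    Re-signs header.payload and compares in constant time, the same check a
    verifier such as OPA's io.jwt.decode_verify performs. Any alg other than
    HS256 is rejected so an "alg":"none" token cannot pass.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(
            secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        return json.loads(b64url_decode(payload_b64))
    except ValueError:  # bad base64, bad JSON or wrong number of segments
        return None


def http_status(method: str, url: str, body: str = None, token: str = None) -> int:
    """Issue one request and return its HTTP status code, 4xx/5xx included."""
    req = urllib.request.Request(url, method=method, data=body.encode() if body else None)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # A redirect on PUT also lands here (urllib does not replay PUTs), which
        # surfaces an http->https redirect as a mismatch instead of hiding it.
        return err.code


def run_checks(base_url: str, token: str) -> dict:
    """Run the README's three checks; returns {step: (observed, expected)}."""
    base = base_url.rstrip("/")
    policy_url = f"{base}/v1/policies/example1"
    observed = {
        "list_policies_anonymous": http_status("GET", f"{base}/v1/policies/"),
        "put_policy_anonymous": http_status("PUT", policy_url, EXAMPLE_POLICY),
        "put_policy_with_jwt": http_status("PUT", policy_url, EXAMPLE_POLICY, token),
    }
    return {step: (code, EXPECTED[step]) for step, code in observed.items()}


if __name__ == "__main__":
    secret, url = os.environ.get("OPA_JWT_SECRET"), os.environ.get("URL")
    if not secret or not url:
        sys.exit("set URL (the OPA route) and OPA_JWT_SECRET (the shared secret) first")
    results = run_checks(url, mint_jwt(secret, {"client": "test"}))
    for step, (got, want) in results.items():
        print(f"{'ok  ' if got == want else 'FAIL'} {step}: got {got}, expected {want}")
    sys.exit(0 if all(got == want for got, want in results.values()) else 1)
```

Run it with the route from step 1 and the secret exported as OPA_JWT_SECRET; a non-zero exit means one of the three expectations (open read, rejected anonymous write, accepted signed write) did not hold. verify_jwt is included so you can confirm locally that a token you are about to send would pass an HS256 check before debugging a 403 on the server side.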