This repository has been archived by the owner on Feb 22, 2022. It is now read-only.
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Torin Sandall <torinsandall@gmail.com>
Showing 9 changed files with 304 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
apiVersion: v1 | ||
appVersion: "1.0" | ||
description: Open source, general-purpose policy engine. Enforce fine-grained invariants over arbitrary Kubernetes resources. | ||
name: opa | ||
keywords: | ||
- opa | ||
- admission control | ||
- policy | ||
version: 0.1.0 | ||
home: https://www.openpolicyagent.org | ||
icon: https://raw.githubusercontent.com/open-policy-agent/opa/master/logo/logo.png | ||
sources: | ||
- https://github.com/open-policy-agent/opa | ||
maintainers: | ||
- name: tsandall | ||
email: torinsandall@gmail.com |
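Review bot: `appVersion: "1.0"` does not match the image this chart actually deploys; values.yaml in the same commit pins `imageTag: 0.10.1`. Set `appVersion: "0.10.1"` and bump the two together so `helm search` and `helm ls` report the real OPA version. Minor: the `icon` URL points at the mutable `master` branch of the OPA repository; pinning it to a tag or commit keeps the chart metadata stable.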
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
# OPA | ||
|
||
[OPA](https://www.openpolicyagent.org) is an open source general-purpose policy | ||
engine designed for cloud-native environments. | ||
|
||
## Prerequisites | ||
|
||
- Kubernetes 1.9 (or newer) for validating and mutating webhook admission | ||
controller support. | ||
|
||
## Overview | ||
|
||
This helm chart installs OPA as a [Kubernetes admission | ||
controller](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/). | ||
Using OPA, you can enforce fine-grained invariants over arbitrary resources your | ||
Kubernetes cluster. See the [OPA Kubernetes Admission Control | ||
tutorial](the://www.openpolicyagent.org/docs/kubernetes-admission-control.html) | ||
for an example of enforcing policies over Ingress resources. | ||
|
||
## Configuration | ||
|
||
All configuration settings are contained and described in [values.yaml](values.yaml). | ||
|
||
You must set the URL and credentials for the OPA to use to download policies. | ||
The URL should identify an HTTP endpoint that implements the [OPA Bundle | ||
API](https://www.openpolicyagent.org/docs/bundles.html). | ||
|
||
- `opa.services.controller.url` specifies the base URL of the OPA control plane. | ||
|
||
- `opa.services.controller.credentials.bearer.token` specifies a bearer token | ||
for the OPA to use to authenticate with the control plane. | ||
|
||
For more information on OPA-specific configuration see the [OPA Configuration | ||
Reference](https://www.openpolicyagent.org/docs/configuration.html). |
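Review bot: the tutorial link in the Overview paragraph has a broken scheme, `the://www.openpolicyagent.org/docs/kubernetes-admission-control.html`; it should be `https://`. Same paragraph: "over arbitrary resources your Kubernetes cluster" is missing "in". The Configuration section should also say where the credentials end up: the chart writes the whole `opa` block, bearer token included, into a Kubernetes Secret as `config.yaml`, which an operator wants to know before putting the token in a committed values file.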
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
Please wait while the OPA is deployed on your cluster. | ||
|
||
For example policies that you can enforce with OPA see https://www.openpolicyagent.org. |
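Review bot: these notes are shown right after install, which is the moment to tell the operator that nothing is enforced yet: `opa.services.controller.url` and the bearer token default to empty strings, and the webhook defaults to `failurePolicy: Ignore`, so an OPA that cannot download its bundle fails open without any error surfacing in the cluster. A one-line reminder of both here would save a debugging round.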
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
{{/* vim: set filetype=mustache: */}} | ||
{{/* | ||
Expand the name of the chart. | ||
*/}} | ||
{{- define "opa.name" -}} | ||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} | ||
{{- end -}} | ||
|
||
{{/* | ||
Create a default fully qualified app name. | ||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). | ||
If release name contains chart name it will be used as a full name. | ||
*/}} | ||
{{- define "opa.fullname" -}} | ||
{{- if .Values.fullnameOverride -}} | ||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} | ||
{{- else -}} | ||
{{- $name := default .Chart.Name .Values.nameOverride -}} | ||
{{- if contains $name .Release.Name -}} | ||
{{- .Release.Name | trunc 63 | trimSuffix "-" -}} | ||
{{- else -}} | ||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} | ||
{{- end -}} | ||
{{- end -}} | ||
{{- end -}} | ||
|
||
{{/* | ||
Create chart name and version as used by the chart label. | ||
*/}} | ||
{{- define "opa.chart" -}} | ||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} | ||
{{- end -}} |
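Review bot: `opa.chart` is defined here but none of the templates use it; the deployment, service, both secrets and the webhook build the label inline as `"{{ .Chart.Name }}-{{ .Chart.Version }}"`. Either switch those to `chart: {{ template "opa.chart" . }}`, which also applies the `+` to `_` replacement and the 63-character truncation that a valid label value needs, or drop the helper.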
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: {{ template "opa.fullname" . }} | ||
labels: | ||
app: {{ template "opa.fullname" . }} | ||
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" | ||
release: "{{ .Release.Name }}" | ||
heritage: "{{ .Release.Service }}" | ||
spec: | ||
replicas: {{ .Values.replicas }} | ||
selector: | ||
matchLabels: | ||
app: {{ template "opa.fullname" . }} | ||
template: | ||
metadata: | ||
labels: | ||
app: {{ template "opa.fullname" . }} | ||
name: {{ template "opa.fullname" . }} | ||
spec: | ||
containers: | ||
- name: opa | ||
image: {{ .Values.image }}:{{ .Values.imageTag }} | ||
args: | ||
- "run" | ||
- "--server" | ||
- "--config-file=/config/config.yaml" | ||
- "--tls-cert-file=/certs/tls.crt" | ||
- "--tls-private-key-file=/certs/tls.key" | ||
- "--addr=0.0.0.0:443" | ||
volumeMounts: | ||
- name: certs | ||
readOnly: true | ||
mountPath: /certs | ||
- name: config | ||
readOnly: true | ||
mountPath: /config | ||
readinessProbe: | ||
{{ toYaml .Values.readinessProbe | indent 12 }} | ||
livenessProbe: | ||
{{ toYaml .Values.livenessProbe | indent 12 }} | ||
volumes: | ||
- name: certs | ||
secret: | ||
secretName: {{ template "opa.fullname" . }}-cert | ||
- name: config | ||
secret: | ||
secretName: {{ template "opa.fullname" . }}-config | ||
nodeSelector: | ||
{{ toYaml .Values.nodeSelector | indent 8 }} | ||
tolerations: | ||
{{ toYaml .Values.tolerations | indent 8 }} | ||
resources: | ||
{{ toYaml .Values.resources | indent 8 }} |
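Review bot: `resources:` is rendered after `volumes`, `nodeSelector` and `tolerations` with the same `indent 8` as those pod-level fields, which puts it on the pod spec, where `resources` is not a valid field; the limits and requests from `.Values.resources` will never reach the container. Move it under the `opa` container next to `readinessProbe`/`livenessProbe` with `indent 12`. Second point: the container binds `--addr=0.0.0.0:443` and there is no `securityContext`, so OPA needs root or `CAP_NET_BIND_SERVICE` just to bind a privileged port. Prefer an unprivileged port such as 8443 (updating `targetPort` in the Service and `port` in both probes), and add `runAsNonRoot: true` and `readOnlyRootFilesystem: true` so an admission controller that sees every object submitted to the cluster runs with the least privilege the image allows.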
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: {{ template "opa.fullname" . }}-config | ||
labels: | ||
app: {{ template "opa.fullname" . }} | ||
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" | ||
release: "{{ .Release.Name }}" | ||
heritage: "{{ .Release.Service }}" | ||
type: Opaque | ||
data: | ||
config.yaml: {{ toYaml .Values.opa | b64enc }} |
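Review bot: `toYaml .Values.opa | b64enc` serialises the bearer token from values.yaml straight into this Secret, so the token must be passed in clear text through `--set` or a values file every time the release is installed or upgraded. Consider an `existingSecret`-style value (name is a suggestion, not in the chart) so operators can create the config Secret out of band and keep the token out of the values they commit. Also, as in the other templates, the `chart` label is built inline rather than via the `opa.chart` helper.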
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
kind: Service | ||
apiVersion: v1 | ||
metadata: | ||
name: {{ template "opa.fullname" . }} | ||
labels: | ||
app: {{ template "opa.fullname" . }} | ||
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" | ||
release: "{{ .Release.Name }}" | ||
heritage: "{{ .Release.Service }}" | ||
spec: | ||
selector: | ||
app: {{ template "opa.fullname" . }} | ||
ports: | ||
- name: https | ||
protocol: TCP | ||
port: 443 | ||
targetPort: 443 |
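Review bot: `targetPort: 443` hard-codes the container's listen port from the deployment's `--addr` argument; if that port ever moves off 443 (it is the only reason the pod needs root), this line, the deployment args and both probes' `port` must change together. A single shared value for the container port rendered into all four places would avoid that drift.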
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
{{- $cn := printf "%s.%s.svc" ( include "opa.fullname" . ) .Release.Namespace }} | ||
{{- $ca := genCA "opa-admission-ca" 3650 -}} | ||
{{- $cert := genSignedCert $cn nil nil 3650 $ca -}} | ||
kind: {{ .Values.admissionControllerKind }} | ||
apiVersion: admissionregistration.k8s.io/v1beta1 | ||
metadata: | ||
name: {{ template "opa.fullname" . }} | ||
labels: | ||
app: {{ template "opa.fullname" . }} | ||
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" | ||
release: "{{ .Release.Name }}" | ||
heritage: "{{ .Release.Service }}" | ||
webhooks: | ||
- name: webhook.openpolicyagent.org | ||
failurePolicy: {{ .Values.admissionControllerFailurePolicy }} | ||
rules: | ||
{{ toYaml .Values.admissionControllerRules | indent 6 }} | ||
clientConfig: | ||
{{ if .Values.generateAdmissionControllerCerts }} | ||
caBundle: {{ b64enc $ca.Cert }} | ||
{{ else }} | ||
caBundle: {{ b64enc .Values.admissionControllerCA }} | ||
{{ end }} | ||
service: | ||
name: {{ template "opa.fullname" . }} | ||
namespace: {{ .Release.Namespace }} | ||
--- | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: {{ template "opa.fullname" . }}-cert | ||
labels: | ||
app: {{ template "opa.fullname" . }} | ||
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" | ||
release: "{{ .Release.Name }}" | ||
heritage: "{{ .Release.Service }}" | ||
type: Opaque | ||
data: | ||
{{ if .Values.generateAdmissionControllerCerts }} | ||
tls.crt: {{ b64enc $cert.Cert }} | ||
tls.key: {{ b64enc $cert.Key }} | ||
{{ else }} | ||
tls.crt: {{ b64enc .Values.admissionControllerCert }} | ||
tls.key: {{ b64enc .Values.admissionControllerKey }} | ||
{{ end }} | ||
|
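Review bot: `genCA` and `genSignedCert` run on every render, so each `helm upgrade` mints a new CA and server key pair. The `caBundle` on the webhook and the `-cert` Secret stay consistent with each other, but pods started before the upgrade still present the certificate they loaded from `/certs` at start-up, and the Deployment has no checksum annotation to force a rollout, so the apiserver's TLS verification fails until the pods restart; with `failurePolicy: Ignore` that is a silent enforcement gap, with `Fail` it blocks admission cluster-wide. Add a `checksum/cert` annotation on the pod template (e.g. `{{ $cert.Cert | sha256sum }}`) so the rollout follows the rotation. Two more points: `genSignedCert $cn nil nil 3650 $ca` issues a certificate with only a CN and no DNS SAN; pass `(list $cn)` as the alternate DNS names argument so clients that ignore the CN still verify. And with the default rules of `*` and no `namespaceSelector`, the webhook also intercepts the OPA's own namespace and kube-system; expose a `namespaceSelector` value so a `Fail` policy cannot lock the cluster out of repairing the controller that enforces it.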
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,90 @@ | ||
# Default values for opa. | ||
# ----------------------- | ||
# | ||
# The 'opa' key embeds an OPA configuration file. See | ||
# https://www.openpolicyagent.org/docs/configuration.html for more details. | ||
# | ||
# You MUST set the controller URL and credentials below. | ||
opa: | ||
services: | ||
controller: | ||
url: "" | ||
credentials: | ||
bearer: | ||
token: "" | ||
bundle: | ||
service: controller | ||
name: "kubernetes/admission" | ||
decision_logs: | ||
service: controller | ||
status: | ||
service: controller | ||
|
||
# To enforce mutating policies, change to MutatingWebhookConfiguration. | ||
admissionControllerKind: ValidatingWebhookConfiguration | ||
|
||
# To _fail closed_ on failures, change to Fail. During initial testing, we | ||
# recommend leaving the failure policy as Ignore. | ||
admissionControllerFailurePolicy: Ignore | ||
|
||
# To restrict the kinds of operations and resources that are subject to OPA | ||
# policy checks, see the settings below. By default, all resources and | ||
# operations are subject to OPA policy checks. | ||
admissionControllerRules: | ||
- operations: ["*"] | ||
apiGroups: ["*"] | ||
apiVersions: ["*"] | ||
resources: ["*"] | ||
|
||
# The helm Chart will automatically generate a CA and server certificate for | ||
# the OPA. If you want to supply your own certificates, set the field below to | ||
# false and add the PEM encoded CA certificate and server key pair below. | ||
# | ||
# WARNING: The common name name in the server certificate MUST match the | ||
# hostname of the service that exposes the OPA to the apiserver. For example. | ||
# if the service name is created in the "default" nanamespace with name "opa" | ||
# the common name MUST be set to "opa.default.svc". | ||
# | ||
# If the common name is not set correctly, the apiserver will refuse to | ||
# communicate with the OPA. | ||
generateAdmissionControllerCerts: true | ||
admissionControllerCA: "" | ||
admissionControllerCert: "" | ||
admissionControllerKey: "" | ||
|
||
# Docker image and tag to deploy. | ||
image: openpolicyagent/opa | ||
imageTag: 0.10.1 | ||
|
||
# Number of OPA replicas to deploy. OPA maintains an eventually consistent | ||
# cache of policies and data. If you want high availability you can deploy two | ||
# or more replicas. | ||
replicas: 1 | ||
|
||
# To control how the OPA is scheduled on the cluster, set the tolerations and | ||
# nodeSelector values below. For example, to deploy OPA onto the master nodes: | ||
# | ||
# tolerations: [{key: "node-role.kubernetes.io/master", effect: NoSchedule, operator: Exists}] | ||
# nodeSelector: {"kubernetes.io/role": "master"} | ||
tolerations: [] | ||
nodeSelector: {} | ||
|
||
# To control the CPU and memory resource limits and requests for OPA, set the | ||
# field below. | ||
resources: {} | ||
|
||
# To control the liveness and readiness probes change the fields below. | ||
readinessProbe: | ||
httpGet: | ||
path: / | ||
scheme: HTTPS | ||
port: 443 | ||
initialDelaySeconds: 3 | ||
periodSeconds: 5 | ||
livenessProbe: | ||
httpGet: | ||
path: / | ||
scheme: HTTPS | ||
port: 443 | ||
initialDelaySeconds: 3 | ||
periodSeconds: 5 |
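Review bot: typos in the certificate comment block: "common name name" (doubled word), "For example. if" (the period should be a comma) and "nanamespace". The "You MUST set" warning on `opa.services.controller.url` and `token` would be more effective as a `required` check in the config Secret template, so a forgotten value fails at install time instead of at runtime, where the default `failurePolicy: Ignore` hides it. The certificate comment should also mention that the generated CA and key pair are regenerated on every upgrade, since anyone who has copied the `caBundle` into other tooling will be surprised by that.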