├── .dockerignore ├── .editorconfig ├── .github └── workflows │ ├── master.yaml │ └── release.yaml ├── .gitignore ├── .helmignore ├── .release-it.json ├── Chart.yaml ├── LICENSE ├── README.md ├── templates ├── _utils.tpl ├── cm.yaml ├── deployment-client.yaml ├── deployment-pgsql.yaml ├── deployment-server.yaml ├── secret-envsecrets.yaml ├── service-client.yaml ├── service-pgsql.yaml ├── service-server.yaml └── tests │ └── e2e.yaml ├── test ├── e2e │ ├── data.json │ ├── deploy.sh │ ├── k3d.yaml │ ├── rbac.rego │ ├── test.sh │ └── upd.sh └── linter │ ├── test.sh │ └── values-entries.yaml ├── values.schema.json └── values.yaml /.dockerignore: -------------------------------------------------------------------------------- 1 | venv 2 | *.json 3 | *.yaml 4 | .github 5 | .git 6 | *.adoc 7 | .editorconfig 8 | .gitignore 9 | .helmignore 10 | -------------------------------------------------------------------------------- /.editorconfig: -------------------------------------------------------------------------------- 1 | root = true 2 | 3 | [*] 4 | end_of_line = lf 5 | charset = utf-8 6 | insert_final_newline = true 7 | trim_trailing_whitespace = true 8 | indent_style = space 9 | indent_size=2 10 | 11 | [*.py] 12 | indent_size = 4 13 | 14 | [README.adoc] 15 | max_line_length = 120 16 | -------------------------------------------------------------------------------- /.github/workflows/master.yaml: -------------------------------------------------------------------------------- 1 | name: CI 2 | 3 | on: 4 | pull_request: 5 | branches: 6 | - master 7 | push: 8 | branches: 9 | - master 10 | 11 | jobs: 12 | ci_job: 13 | name: Continous integration 14 | runs-on: ubuntu-latest 15 | steps: 16 | - uses: actions/checkout@v2 17 | - uses: azure/setup-helm@v1 18 | with: 19 | version: "3.3.4" 20 | - name: helm lint 21 | run: | 22 | jq --version 23 | ./test/linter/test.sh 24 | - name: start k8s with k3d 25 | uses: AbsaOSS/k3d-action@v1.4.0 26 | with: 27 | cluster-name: "opal" 28 | use-default-registry: false 29 | args: >- 30 | --config ./test/e2e/k3d.yaml 31 | - name: deploy opal 32 | run: | 33 | ./test/e2e/deploy.sh 34 | - name: e2e test 35 | run: | 36 | ./test/e2e/test.sh 37 | -------------------------------------------------------------------------------- /.github/workflows/release.yaml: -------------------------------------------------------------------------------- 1 | name: Release OPAL Helm chart 2 | 3 | on: 4 | workflow_dispatch 5 | 6 | jobs: 7 | build_chart_job: 8 | name: Build Helm chart 9 | runs-on: ubuntu-latest 10 | outputs: 11 | opalVersion: ${{ steps.opalVersion.outputs.opalVersion }} 12 | steps: 13 | - name: checkout 14 | uses: actions/checkout@v2 15 | with: 16 | fetch-depth: 0 17 | - name: nodejs 12 18 | uses: actions/setup-node@v1 19 | with: 20 | node-version: '12.x' 21 | - name: cache node_modules 22 | id: nodeCache 23 | uses: actions/cache@v2 24 | with: 25 | path: | 26 | ./node_modules 27 | ./package-lock.json 28 | key: node-modules-14-0-2--2.0.0 29 | - run: npm install release-it@14.0.2 @release-it/conventional-changelog@2.0.0 30 | - name: releaseIt 31 | run: | 32 | git config user.email "helm@opal.ac" 33 | git config user.name "Helm Opal.Ac" 34 | npx release-it --ci 35 | env: 36 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 37 | - name: opal version 38 | id: opalVersion 39 | run: | 40 | cat /tmp/opal.version 41 | echo "::set-output name=opalVersion::$(cat /tmp/opal.version)" 42 | - uses: azure/setup-helm@v1 43 | - run: helm package . --version ${{ steps.opalVersion.outputs.opalVersion }} 44 | - name: upload artifact 45 | uses: actions/upload-artifact@v2 46 | with: 47 | name: "helm" 48 | path: "opal-${{ steps.opalVersion.outputs.opalVersion }}.tgz" 49 | 50 | publish_chart_job: 51 | name: Publish Helm chart 52 | runs-on: ubuntu-latest 53 | needs: build_chart_job 54 | steps: 55 | - name: checkout gh-pages 56 | uses: actions/checkout@v2 57 | with: 58 | ref: gh-pages 59 | - name: download artifact 60 | uses: actions/download-artifact@v4 61 | id: download 62 | with: 63 | name: helm 64 | path: /tmp/opal 65 | - uses: azure/setup-helm@v1 66 | - name: update index 67 | run: | 68 | helm repo index /tmp/opal --merge ./index.yaml 69 | mv -f /tmp/opal/* . 70 | - name: publish 71 | uses: actions-js/push@master 72 | with: 73 | github_token: ${{ secrets.GITHUB_TOKEN }} 74 | branch: gh-pages 75 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | venv 2 | CHANGELOG.md 3 | *.tgz 4 | node_modules 5 | package-lock.json 6 | package.json 7 | .idea 8 | values-dev.yaml 9 | README.md 10 | __pycache__ 11 | install.sh 12 | 13 | -------------------------------------------------------------------------------- /.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | 25 | venv 26 | *.tgz 27 | .github 28 | *.py 29 | *.adoc 30 | *.txt 31 | .release-it.json 32 | *.adoc 33 | skaffold.yaml 34 | values-lint.yaml 35 | node_modules 36 | README.adoc 37 | package-lock.json 38 | *.puml 39 | .editorconfig 40 | .dockerignore 41 | cmak2zk/ 42 | 43 | -------------------------------------------------------------------------------- /.release-it.json: -------------------------------------------------------------------------------- 1 | { 2 | "ci": true, 3 | "git": { 4 | "requireBranch": "master", 5 | "requireCommits": true, 6 | "commit": false, 7 | "tagAnnotation": "chore: release ${version}" 8 | }, 9 | "npm": false, 10 | "github": { 11 | "release": true 12 | }, 13 | "plugins": { 14 | "@release-it/conventional-changelog": { 15 | "preset": "conventionalcommits" 16 | } 17 | }, 18 | "hooks": { 19 | "after:release": "echo ${version} > /tmp/opal.version" 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: opal 3 | type: application 4 | icon: https://www.opal.ac/icons/icon-192x192.png 5 | version: 0.0.0 # actual chart version is managed by git tags 6 | kubeVersion: ">= 1.18.0-0" 7 | appVersion: 0.7.12 8 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |

2 | opal 3 |

4 |

5 | OPAL Helm Chart for Kubernetes 6 |

7 | 8 | OPAL is an administration layer for Open Policy Agent (OPA), detecting changes to both policy and policy data in realtime and pushing live updates to your agents. 9 | 10 | OPAL brings open-policy up to the speed needed by live applications. As your application state changes (whether it's via your APIs, DBs, git, S3 or 3rd-party SaaS services), OPAL will make sure your services are always in sync with the authorization data and policy they need (and only those they need). 11 | 12 | [Check out OPAL main repo here.](https://github.com/permitio/opal) 13 | 14 | ### Installation 15 | 16 | OPAL Helm chart could be installed only with [Helm 3](https://helm.sh/docs/). 17 | The chart is published to public Helm repository, [hosted on GitHub itself](https://permitio.github.io/opal-helm-chart/). It's recommended to install OPAL into a dedicated namespace. 18 | 19 | Add Helm repository 20 | 21 | ``` 22 | helm repo add permitio https://permitio.github.io/opal-helm-chart 23 | helm repo update 24 | ``` 25 | 26 | Install the latest version 27 | 28 | ``` 29 | helm install --create-namespace -n opal-ns opal permitio/opal 30 | ``` 31 | 32 | Search for all available versions 33 | 34 | ``` 35 | helm search repo opal --versions 36 | ``` 37 | 38 | ### Deploy OPAL to your Kubernetes cluster 39 | 40 | Install specific version (with default configuration): 41 | 42 | ``` 43 | helm install --create-namespace -n opal-ns --version x.x.x opal permitio/opal 44 | ``` 45 | 46 | Install specific version (with custom configuration provided as YAML): 47 | 48 | ``` 49 | helm install -f myvalues.yaml --create-namespace -n opal-ns --version x.x.x opal permitio/opal 50 | ``` 51 | 52 | `myvalues.yaml` must conform to the [json schema](https://raw.githubusercontent.com/permitio/opal-helm-chart/master/values.schema.json). 53 | 54 | ### Verify installation 55 | 56 | OPAL Client should populate embedded OPA instance with polices and data from configured Git repository. 57 | To validate it - one could create port-forwarding to OPAL client Pod. Port 8181 is the embedded OPA agent. 58 | 59 | ``` 60 | kubectl port-forward -n opal-ns service/opal-client 8181:8181 61 | ``` 62 | 63 | Then, open http://localhost:8181/v1/data/ in your browser to check OPA data document state. 64 | 65 | ### Important Configuration 66 | 67 | This is not a comprehensive list, but includes the main variables you have to think about 68 | 69 | | Variable | Description | 70 | | ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | 71 | | `server.policyRepoUrl` | Git repository holding policy code (& optionally policy data) to be tracked by OPAL | 72 | | `server.dataConfigSources` | Data sources to be published to clients (and their managed OPAs) | 73 | | `server.dataConfigSources.config.entries` | Static list of data source entries (See [OPAL Docs](https://docs.opal.ac/getting-started/running-opal/run-opal-server/data-sources)) | 74 | | `server.dataConfigSources.external_source_url` | URL to dynamically fetch data sources entries from (See [OPAL Docs](https://docs.opal.ac/tutorials/configure_external_data_sources)) | 75 | | `server.broadcastUri` | Backend for broadcasting updates across multiple opal-server processes (necessary if either `server.uvicornWorkers` or `server.replicas` is > 1) | 76 | | `server.uvicornWorkers` | Count of gunicorn workers (/processes) per opal-server replica | 77 | | `server.replicas` | opal-server's deployment replica count | 78 | | `server.extraEnv` | Extra configuration for opal-server (see [OPAL Docs](https://docs.opal.ac/tutorials/configure_opal)) | 79 | | `client.extraEnv` | Extra configuration for opal-server [OPAL Docs](https://docs.opal.ac/tutorials/configure_opal) | 80 | 81 | **Note:** If you leave `server.dataConfigSources` with no entries - The chart would automatically set `OPAL_DATA_UPDATER_ENABLED: False` in `client.extraEnv` so client won't report an unhealthy state. 82 | -------------------------------------------------------------------------------- /templates/_utils.tpl: -------------------------------------------------------------------------------- 1 | {{- define "opal.serverName" -}} 2 | {{- if eq .Release.Name .Chart.Name }} 3 | {{- printf "%s-server" .Release.Name }} 4 | {{- else }} 5 | {{- printf "%s-%s-server" .Release.Name .Chart.Name }} 6 | {{- end -}} 7 | {{- end -}} 8 | 9 | {{- define "opal.clientName" -}} 10 | {{- if eq .Release.Name .Chart.Name }} 11 | {{- printf "%s-client" .Release.Name }} 12 | {{- else }} 13 | {{- printf "%s-%s-client" .Release.Name .Chart.Name }} 14 | {{- end -}} 15 | {{- end -}} 16 | 17 | {{- define "opal.pgsqlName" -}} 18 | {{- if eq .Release.Name .Chart.Name }} 19 | {{- printf "%s-pgsql" .Release.Name }} 20 | {{- else }} 21 | {{- printf "%s-%s-pgsql" .Release.Name .Chart.Name }} 22 | {{- end -}} 23 | {{- end -}} 24 | 25 | {{- define "opal.serverImage" -}} 26 | {{- printf "%s/%s:%s" (default "docker.io" .Values.image.server.registry) (default "permitio/opal-server" .Values.image.server.repository) (default .Chart.AppVersion .Values.image.server.tag) }} 27 | {{- end -}} 28 | 29 | {{- define "opal.clientImage" -}} 30 | {{- printf "%s/%s:%s" (default "docker.io" .Values.image.client.registry) (default "permitio/opal-client" .Values.image.client.repository) (default .Chart.AppVersion .Values.image.client.tag) }} 31 | {{- end -}} 32 | 33 | {{- define "opal.pgsqlImage" -}} 34 | {{- printf "%s/%s:%s" (default "docker.io" .Values.image.pgsql.registry) (default "postgres" .Values.image.pgsql.repository) (default "alpine" .Values.image.pgsql.tag) }} 35 | {{- end -}} 36 | 37 | {{- define "opal.envSecretsName" -}} 38 | {{- if eq .Release.Name .Chart.Name }} 39 | {{- printf "%s-env-secrets" .Release.Name }} 40 | {{- else }} 41 | {{- printf "%s-%s-env-secrets" .Release.Name .Chart.Name }} 42 | {{- end -}} 43 | {{- end -}} 44 | 45 | {{- define "opal.clientSelectorLabels" -}} 46 | app.kubernetes.io/name: {{ include "opal.clientName" . | quote }} 47 | app.kubernetes.io/instance: {{ .Release.Name | quote }} 48 | opal.ac/role: client 49 | {{- end -}} 50 | 51 | {{- define "opal.serverSelectorLabels" -}} 52 | app.kubernetes.io/name: {{ include "opal.serverName" . | quote }} 53 | app.kubernetes.io/instance: {{ .Release.Name | quote }} 54 | opal.ac/role: server 55 | {{- end -}} 56 | 57 | {{- define "opal.pgsqlSelectorLabels" -}} 58 | app.kubernetes.io/name: {{ include "opal.pgsqlName" . | quote }} 59 | app.kubernetes.io/instance: {{ .Release.Name | quote }} 60 | opal.ac/role: pgsql 61 | {{- end -}} 62 | 63 | {{- define "opal.clientLabels" -}} 64 | app.kubernetes.io/managed-by: {{ .Release.Service | quote }} 65 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 66 | helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | quote }} 67 | {{ include "opal.clientSelectorLabels" . }} 68 | {{- end -}} 69 | 70 | {{- define "opal.serverLabels" -}} 71 | app.kubernetes.io/managed-by: {{ .Release.Service | quote }} 72 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 73 | helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | quote }} 74 | {{ include "opal.serverSelectorLabels" . }} 75 | {{- end -}} 76 | 77 | {{- define "opal.pgsqlLabels" -}} 78 | app.kubernetes.io/managed-by: {{ .Release.Service | quote }} 79 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 80 | helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | quote }} 81 | {{ include "opal.pgsqlSelectorLabels" . }} 82 | {{- end -}} 83 | 84 | -------------------------------------------------------------------------------- /templates/cm.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.e2e }} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: policy-repo-data 6 | data: 7 | upd.sh: | 8 | {{- .Files.Get "test/e2e/upd.sh" | nindent 4 }} 9 | data.json: | 10 | {{- .Files.Get "test/e2e/data.json" | nindent 4 }} 11 | rbac.rego: | 12 | {{- .Files.Get "test/e2e/rbac.rego" | nindent 4 }} 13 | {{- end }} 14 | --- 15 | {{- if .Values.client }} 16 | {{- if .Values.client.opaStartupData }} 17 | apiVersion: v1 18 | kind: ConfigMap 19 | metadata: 20 | name: opa-startup-data 21 | data: 22 | {{- range $name, $value := .Values.client.opaStartupData }} 23 | {{ $name }}: | 24 | {{ $value | nindent 4 }} 25 | {{- end }} 26 | {{- end }} 27 | {{- end }} 28 | -------------------------------------------------------------------------------- /templates/deployment-client.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.client }} 2 | {{- if ne .Values.client.enabled false }} 3 | {{- $nm := include "opal.clientName" . | quote }} 4 | apiVersion: apps/v1 5 | kind: Deployment 6 | metadata: 7 | name: {{ $nm }} 8 | labels: 9 | {{- include "opal.clientLabels" . | nindent 4 }} 10 | spec: 11 | replicas: {{ .Values.client.replicas }} 12 | selector: 13 | matchLabels: 14 | {{- include "opal.clientSelectorLabels" . | nindent 6 }} 15 | template: 16 | metadata: 17 | labels: 18 | {{- include "opal.clientLabels" . | nindent 8 }} 19 | spec: 20 | {{- with .Values.image.client.pullSecrets }} 21 | imagePullSecrets: 22 | {{- toYaml . | nindent 8 }} 23 | {{- end }} 24 | {{- if or .Values.openshift.enabled .Values.client.securityContext }} 25 | securityContext: 26 | {{- if .Values.client.securityContext }} 27 | {{- toYaml .Values.client.securityContext | nindent 8 }} 28 | {{- else if .Values.openshift.enabled }} 29 | {{- toYaml .Values.openshift.securityContext | nindent 8 }} 30 | {{- end }} 31 | {{- end }} 32 | {{- if .Values.client.opaStartupData }} 33 | volumes: 34 | - name: opa-startup-data 35 | configMap: 36 | name: opa-startup-data 37 | defaultMode: 0444 38 | {{- end }} 39 | containers: 40 | - name: opal-client 41 | image: {{ include "opal.clientImage" . | quote }} 42 | imagePullPolicy: {{ .Values.client.imagePullPolicy | default "IfNotPresent" | quote }} 43 | {{- if or .Values.openshift.enabled .Values.client.containerSecurityContext }} 44 | securityContext: 45 | {{- if .Values.client.containerSecurityContext }} 46 | {{- toYaml .Values.client.containerSecurityContext | nindent 12 }} 47 | {{- else if .Values.openshift.enabled }} 48 | {{- toYaml .Values.openshift.containerSecurityContext | nindent 12 }} 49 | {{- end }} 50 | {{- end }} 51 | ports: 52 | - name: http 53 | containerPort: {{ .Values.client.port }} 54 | protocol: TCP 55 | - name: opa 56 | containerPort: {{ .Values.client.opaPort }} 57 | protocol: TCP 58 | env: 59 | - name: UVICORN_NUM_WORKERS 60 | value: "1" 61 | {{- if .Values.server }} 62 | {{- if .Values.client.serverUrl }} 63 | - name: OPAL_SERVER_URL 64 | value: {{ .Values.client.serverUrl | quote }} 65 | {{- else }} 66 | - name: OPAL_SERVER_URL 67 | value: {{ printf "http://%s:%v" (include "opal.serverName" .) .Values.server.port | quote }} 68 | {{- end}} 69 | {{- if not (or (.Values.server.dataConfigSources.external_source_url) (.Values.server.dataConfigSources.config) (hasKey .Values.client.extraEnv "OPAL_DATA_UPDATER_ENABLED") ) }} 70 | - name: OPAL_DATA_UPDATER_ENABLED 71 | value: "False" 72 | {{- end }} 73 | {{- end }} 74 | {{- if .Values.client.extraEnv }} 75 | {{- range $name, $value := .Values.client.extraEnv }} 76 | - name: {{ $name }} 77 | value: {{ $value | quote }} 78 | {{- end }} 79 | {{- end }} 80 | {{- if .Values.client.secrets }} 81 | envFrom: 82 | {{- range $name := .Values.client.secrets }} 83 | - secretRef: 84 | name: {{ $name }} 85 | {{- end }} 86 | {{- end }} 87 | {{- if .Values.client.opaStartupData }} 88 | volumeMounts: 89 | - mountPath: /opt/opa/startup-data 90 | name: opa-startup-data 91 | readOnly: true 92 | {{- end }} 93 | readinessProbe: 94 | httpGet: 95 | path: /healthcheck 96 | port: http 97 | failureThreshold: 5 98 | initialDelaySeconds: 5 99 | timeoutSeconds: 10 100 | periodSeconds: 15 101 | 102 | livenessProbe: 103 | httpGet: 104 | path: /healthcheck 105 | port: http 106 | failureThreshold: 5 107 | timeoutSeconds: 10 108 | periodSeconds: 30 109 | {{- if .Values.client.resources }} 110 | resources: 111 | {{- toYaml .Values.client.resources | nindent 12 }} 112 | {{- end }} 113 | {{- end }} 114 | {{- end }} -------------------------------------------------------------------------------- /templates/deployment-pgsql.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.server }} 2 | {{- if and .Values.server.broadcastPgsql (not .Values.server.broadcastUri) }} 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | name: {{ include "opal.pgsqlName" . }} 7 | labels: 8 | {{- include "opal.pgsqlLabels" . | nindent 4 }} 9 | spec: 10 | replicas: {{ .Values.broadcastReplicas }} 11 | selector: 12 | matchLabels: 13 | {{- include "opal.pgsqlSelectorLabels" . | nindent 6 }} 14 | template: 15 | metadata: 16 | labels: 17 | {{- include "opal.pgsqlLabels" . | nindent 8 }} 18 | spec: 19 | {{- with .Values.image.client.pullSecrets }} 20 | imagePullSecrets: 21 | {{- toYaml . | nindent 8 }} 22 | {{- end }} 23 | {{- if or .Values.openshift.enabled .Values.postgresql.securityContext }} 24 | securityContext: 25 | {{- if .Values.postgresql.securityContext }} 26 | {{- toYaml .Values.postgresql.securityContext | nindent 8 }} 27 | {{- else if .Values.openshift.enabled }} 28 | {{- toYaml .Values.openshift.securityContext | nindent 8 }} 29 | {{- end }} 30 | {{- end }} 31 | {{- if .Values.openshift.enabled }} 32 | volumes: 33 | - name: postgres-data 34 | emptyDir: {} 35 | {{- end }} 36 | containers: 37 | - name: pgsql 38 | image: {{ include "opal.pgsqlImage" . | quote }} 39 | imagePullPolicy: IfNotPresent 40 | {{- if or .Values.openshift.enabled .Values.postgresql.containerSecurityContext }} 41 | securityContext: 42 | {{- if .Values.postgresql.containerSecurityContext }} 43 | {{- toYaml .Values.postgresql.containerSecurityContext | nindent 12 }} 44 | {{- else if .Values.openshift.enabled }} 45 | {{- toYaml .Values.openshift.containerSecurityContext | nindent 12 }} 46 | {{- end }} 47 | {{- end }} 48 | {{- if .Values.openshift.enabled }} 49 | volumeMounts: 50 | - mountPath: /var/lib/postgresql/data 51 | name: postgres-data 52 | {{- end }} 53 | ports: 54 | - name: pgsql 55 | containerPort: 5432 56 | protocol: TCP 57 | env: 58 | - name: POSTGRES_DB 59 | value: postgres 60 | - name: POSTGRES_USER 61 | value: postgres 62 | - name: POSTGRES_PASSWORD 63 | value: postgres 64 | {{- if .Values.openshift.enabled }} 65 | - name: PGDATA 66 | value: "/var/lib/postgresql/data/pgdata" 67 | {{- end }} 68 | {{- if .Values.postgresql.extraEnv }} 69 | {{- range $name, $value := .Values.postgresql.extraEnv }} 70 | - name: {{ $name }} 71 | value: {{ $value | quote }} 72 | {{- end }} 73 | {{- end }} 74 | {{- end }} 75 | {{- end }} -------------------------------------------------------------------------------- /templates/deployment-server.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.server }} 2 | {{- if ne .Values.server.enabled false }} 3 | {{- $nm := include "opal.serverName" . | quote }} 4 | apiVersion: apps/v1 5 | kind: Deployment 6 | metadata: 7 | name: {{ $nm }} 8 | labels: 9 | {{- include "opal.serverLabels" . | nindent 4 }} 10 | spec: 11 | replicas: {{ .Values.server.replicas }} 12 | selector: 13 | matchLabels: 14 | {{- include "opal.serverSelectorLabels" . | nindent 6 }} 15 | template: 16 | metadata: 17 | labels: 18 | {{- include "opal.serverLabels" . | nindent 8 }} 19 | spec: 20 | {{- with .Values.image.server.pullSecrets }} 21 | imagePullSecrets: 22 | {{- toYaml . | nindent 8 }} 23 | {{- end }} 24 | {{- if or .Values.openshift.enabled .Values.server.securityContext }} 25 | securityContext: 26 | {{- if .Values.server.securityContext }} 27 | {{- toYaml .Values.server.securityContext | nindent 8 }} 28 | {{- else if .Values.openshift.enabled }} 29 | {{- toYaml .Values.openshift.securityContext | nindent 8 }} 30 | {{- end }} 31 | {{- end }} 32 | {{- if .Values.e2e }} 33 | volumes: 34 | - name: e2e 35 | emptyDir: {} 36 | - name: policy-repo-data 37 | configMap: 38 | name: policy-repo-data 39 | defaultMode: 0755 40 | {{- else if .Values.openshift.enabled }} 41 | volumes: 42 | - name: jwks-dir 43 | emptyDir: {} 44 | {{- end }} 45 | 46 | {{- if .Values.e2e }} 47 | initContainers: 48 | - name: git-init 49 | image: {{ include "opal.serverImage" . | quote }} 50 | imagePullPolicy: IfNotPresent 51 | {{- if or .Values.openshift.enabled .Values.server.containerSecurityContext }} 52 | securityContext: 53 | {{- if .Values.server.containerSecurityContext }} 54 | {{- toYaml .Values.server.containerSecurityContext | nindent 12 }} 55 | {{- else if .Values.openshift.enabled }} 56 | {{- toYaml .Values.openshift.containerSecurityContext | nindent 12 }} 57 | {{- end }} 58 | {{- end }} 59 | volumeMounts: 60 | - mountPath: /opt/e2e 61 | name: e2e 62 | - mountPath: /opt/e2e/policy-repo-data 63 | name: policy-repo-data 64 | readOnly: true 65 | command: 66 | - '/bin/sh' 67 | - '-c' 68 | - | 69 | set -x 70 | set -e 71 | 72 | git init --bare /opt/e2e/policy-repo.git 73 | git clone /opt/e2e/policy-repo.git /opt/e2e/policy-repo-working 74 | cp /opt/e2e/policy-repo-data/*.* /opt/e2e/policy-repo-working 75 | cd /opt/e2e/policy-repo-working 76 | git config user.email "opal@opal.ac" 77 | git config user.name "Opal Bot" 78 | git add . 79 | git commit -am 'chore: initial' 80 | git push 81 | 82 | echo ">>>> HEAD: $(git rev-parse --short HEAD) <<<<" 83 | {{- end }} 84 | containers: 85 | - name: opal-server 86 | image: {{ include "opal.serverImage" . | quote }} 87 | imagePullPolicy: {{ .Values.server.imagePullPolicy | default "IfNotPresent" | quote }} 88 | {{- if or .Values.openshift.enabled .Values.server.containerSecurityContext }} 89 | securityContext: 90 | {{- if .Values.server.containerSecurityContext }} 91 | {{- toYaml .Values.server.containerSecurityContext | nindent 12 }} 92 | {{- else if .Values.openshift.enabled }} 93 | {{- toYaml .Values.openshift.containerSecurityContext | nindent 12 }} 94 | {{- end }} 95 | {{- end }} 96 | {{- if .Values.e2e }} 97 | volumeMounts: 98 | - mountPath: /opt/e2e/policy-repo-data 99 | name: policy-repo-data 100 | readOnly: true 101 | - mountPath: /opt/e2e 102 | name: e2e 103 | {{- else if .Values.openshift.enabled }} 104 | volumeMounts: 105 | - mountPath: /opal/jwks_dir 106 | name: jwks-dir 107 | {{- end }} 108 | ports: 109 | - name: http 110 | containerPort: {{ .Values.server.port }} 111 | protocol: TCP 112 | env: 113 | - name: OPAL_POLICY_REPO_URL 114 | value: {{ .Values.server.policyRepoUrl | quote }} 115 | - name: OPAL_POLICY_REPO_POLLING_INTERVAL 116 | value: {{ .Values.server.pollingInterval | quote }} 117 | {{- if .Values.server.policyRepoClonePath }} 118 | - name: OPAL_POLICY_REPO_CLONE_PATH 119 | value: {{ .Values.server.policyRepoClonePath | quote }} 120 | {{- end }} 121 | {{- if .Values.server.policyRepoMainBranch }} 122 | - name: OPAL_POLICY_REPO_MAIN_BRANCH 123 | value: {{ .Values.server.policyRepoMainBranch | quote }} 124 | {{- end }} 125 | - name: UVICORN_NUM_WORKERS 126 | value: {{ .Values.server.uvicornWorkers | quote }} 127 | {{- if or .Values.server.dataConfigSources.config .Values.server.dataConfigSources.external_source_url }} 128 | - name: OPAL_DATA_CONFIG_SOURCES 129 | value: {{ .Values.server.dataConfigSources | toRawJson | squote }} 130 | {{- end}} 131 | {{- if .Values.server.broadcastUri }} 132 | - name: OPAL_BROADCAST_URI 133 | value: {{ .Values.server.broadcastUri | quote }} 134 | {{- else if .Values.server.broadcastPgsql }} 135 | - name: OPAL_BROADCAST_URI 136 | value: 'postgres://postgres:postgres@{{ include "opal.pgsqlName" . }}:5432/postgres' 137 | {{- end }} 138 | {{- if .Values.server.extraEnv }} 139 | {{- range $name, $value := .Values.server.extraEnv }} 140 | - name: {{ $name }} 141 | value: {{ $value | quote }} 142 | {{- end }} 143 | {{- end }} 144 | {{- if or .Values.server.secrets .Values.server.policyRepoSshKey }} 145 | envFrom: 146 | {{- range $name := .Values.server.secrets }} 147 | - secretRef: 148 | name: {{ $name }} 149 | {{- end }} 150 | {{- if .Values.server.policyRepoSshKey }} 151 | - secretRef: 152 | name: {{ include "opal.envSecretsName" . }} 153 | {{- end }} 154 | {{- end }} 155 | readinessProbe: 156 | httpGet: 157 | path: /healthcheck 158 | port: http 159 | failureThreshold: 5 160 | initialDelaySeconds: 5 161 | timeoutSeconds: 10 162 | periodSeconds: 15 163 | 164 | livenessProbe: 165 | httpGet: 166 | path: /healthcheck 167 | port: http 168 | failureThreshold: 5 169 | timeoutSeconds: 10 170 | periodSeconds: 30 171 | {{- if .Values.server.resources }} 172 | resources: 173 | {{- toYaml .Values.server.resources | nindent 12 }} 174 | {{- end }} 175 | {{- end }} 176 | {{- end }} -------------------------------------------------------------------------------- /templates/secret-envsecrets.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.server.policyRepoSshKey }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ include "opal.envSecretsName" . }} 6 | type: Opaque 7 | data: 8 | OPAL_POLICY_REPO_SSH_KEY: {{ .Values.server.policyRepoSshKey | replace "\n" "_" | b64enc }} 9 | {{- end }} 10 | -------------------------------------------------------------------------------- /templates/service-client.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.client }} 2 | {{- if ne .Values.client.enabled false }} 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: {{ include "opal.clientName" . }} 7 | labels: 8 | {{- include "opal.clientLabels" . | nindent 4 }} 9 | spec: 10 | type: ClusterIP 11 | ports: 12 | - name: http 13 | port: {{ .Values.client.port }} 14 | targetPort: http 15 | protocol: TCP 16 | - name: opa 17 | port: {{ .Values.client.opaPort }} 18 | targetPort: opa 19 | protocol: TCP 20 | selector: 21 | {{- include "opal.clientSelectorLabels" . | nindent 4 }} 22 | 23 | {{- end }} 24 | {{- end }} 25 | -------------------------------------------------------------------------------- /templates/service-pgsql.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.server }} 2 | {{- if and .Values.server.broadcastPgsql (not .Values.server.broadcastUri) }} 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: {{ include "opal.pgsqlName" . | quote }} 7 | labels: 8 | {{- include "opal.pgsqlLabels" . | nindent 4 }} 9 | spec: 10 | type: ClusterIP 11 | ports: 12 | - name: pgsql 13 | port: 5432 14 | targetPort: pgsql 15 | protocol: TCP 16 | selector: 17 | {{- include "opal.pgsqlSelectorLabels" . | nindent 4 }} 18 | {{- end }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /templates/service-server.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.server }} 2 | {{- if ne .Values.server.enabled false }} 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: {{ include "opal.serverName" . | quote }} 7 | labels: 8 | {{- include "opal.serverLabels" . | nindent 4 }} 9 | spec: 10 | type: ClusterIP 11 | ports: 12 | - name: http 13 | port: {{ .Values.server.port }} 14 | targetPort: http 15 | protocol: TCP 16 | selector: 17 | {{- include "opal.serverSelectorLabels" . | nindent 4 }} 18 | {{- end }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /templates/tests/e2e.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.client }} 2 | {{- $url := printf "http://%v:%v/v1/data" (include "opal.clientName" .) .Values.client.opaPort -}} 3 | apiVersion: v1 4 | kind: Pod 5 | metadata: 6 | name: opal-e2e 7 | annotations: 8 | "helm.sh/hook": test 9 | "helm.sh/hook-delete-policy": before-hook-creation 10 | spec: 11 | restartPolicy: Never 12 | containers: 13 | - name: e2e 14 | image: "apteno/alpine-jq:2021-04-25" 15 | command: 16 | - '/bin/sh' 17 | - '-c' 18 | - | 19 | set -x 20 | set -e 21 | 22 | sleep 15 23 | 24 | [ "$(curl -s {{ $url }} | jq '.result.users | keys | length')" -eq 3 ] 25 | [ "$(curl -s {{ $url }} | jq '.result.role_permissions | keys | length')" -eq 3 ] 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /test/e2e/data.json: -------------------------------------------------------------------------------- 1 | { 2 | "users": { 3 | "alice": { 4 | "roles": [ 5 | "admin" 6 | ], 7 | "location": { 8 | "country": "US", 9 | "ip": "8.8.8.8" 10 | } 11 | }, 12 | "bob": { 13 | "roles": [ 14 | "employee", 15 | "billing" 16 | ], 17 | "location": { 18 | "country": "US", 19 | "ip": "8.8.8.8" 20 | } 21 | }, 22 | "eve": { 23 | "roles": [ 24 | "customer" 25 | ], 26 | "location": { 27 | "country": "US", 28 | "ip": "8.8.8.8" 29 | } 30 | } 31 | }, 32 | "role_permissions": { 33 | "customer": [ 34 | { 35 | "action": "read", 36 | "type": "dog" 37 | }, 38 | { 39 | "action": "read", 40 | "type": "cat" 41 | }, 42 | { 43 | "action": "adopt", 44 | "type": "dog" 45 | }, 46 | { 47 | "action": "adopt", 48 | "type": "cat" 49 | } 50 | ], 51 | "employee": [ 52 | { 53 | "action": "read", 54 | "type": "dog" 55 | }, 56 | { 57 | "action": "read", 58 | "type": "cat" 59 | }, 60 | { 61 | "action": "update", 62 | "type": "dog" 63 | }, 64 | { 65 | "action": "update", 66 | "type": "cat" 67 | } 68 | ], 69 | "billing": [ 70 | { 71 | "action": "read", 72 | "type": "finance" 73 | }, 74 | { 75 | "action": "update", 76 | "type": "finance" 77 | } 78 | ] 79 | } 80 | } 81 | -------------------------------------------------------------------------------- /test/e2e/deploy.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -x 4 | set -e 5 | 6 | if [ -z $MSYSTEM ]; then 7 | helm upgrade --install --wait --create-namespace -n opal myopal . \ 8 | --set e2e=true --set server.pollingInterval=5 \ 9 | --set server.policyRepoUrl='/opt/e2e/policy-repo.git' 10 | else 11 | helm upgrade --install --wait --create-namespace -n opal myopal . \ 12 | --set e2e=true --set server.pollingInterval=5 \ 13 | --set server.policyRepoUrl='//opt/e2e/policy-repo.git' 14 | fi 15 | 16 | kubectl logs -n opal service/myopal-server git-init 17 | -------------------------------------------------------------------------------- /test/e2e/k3d.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k3d.io/v1alpha2 2 | kind: Simple 3 | name: k3d 4 | image: rancher/k3s:v1.18.18-k3s1 5 | options: 6 | k3d: 7 | wait: true 8 | disableLoadbalancer: true 9 | k3s: 10 | extraServerArgs: 11 | - "--disable=metrics-server,servicelb,traefik" 12 | -------------------------------------------------------------------------------- /test/e2e/rbac.rego: -------------------------------------------------------------------------------- 1 | # Role-based Access Control (RBAC) 2 | # -------------------------------- 3 | # 4 | # This example defines an RBAC model for a Pet Store API. The Pet Store API allows 5 | # users to look at pets, adopt them, update their stats, and so on. The policy 6 | # controls which users can perform actions on which resources. The policy implements 7 | # a classic Role-based Access Control model where users are assigned to roles and 8 | # roles are granted the ability to perform some action(s) on some type of resource. 9 | # 10 | # This example shows how to: 11 | # 12 | # * Define an RBAC model in Rego that interprets role mappings represented in JSON. 13 | # * Iterate/search across JSON data structures (e.g., role mappings) 14 | # 15 | # For more information see: 16 | # 17 | # * Rego comparison to other systems: https://www.openpolicyagent.org/docs/latest/comparison-to-other-systems/ 18 | # * Rego Iteration: https://www.openpolicyagent.org/docs/latest/#iteration 19 | 20 | package app.rbac 21 | 22 | # By default, deny requests. 23 | default allow = false 24 | 25 | # Allow admins to do anything. 26 | allow { 27 | user_is_admin 28 | } 29 | 30 | # Allow the action if the user is granted permission to perform the action. 31 | allow { 32 | # Find permissions for the user. 33 | some permission 34 | user_is_granted[permission] 35 | 36 | # Check if the permission permits the action. 37 | input.action == permission.action 38 | input.type == permission.type 39 | 40 | # unless user location is outside US 41 | country := data.users[input.user]["location"]["country"] 42 | country == "US" 43 | } 44 | 45 | # user_is_admin is true if... 46 | user_is_admin { 47 | 48 | # for some `i`... 49 | some i 50 | 51 | # "admin" is the `i`-th element in the user->role mappings for the identified user. 52 | data.users[input.user]["roles"][i] == "admin" 53 | } 54 | 55 | # user_is_granted is a set of permissions for the user identified in the request. 56 | # The `permission` will be contained if the set `user_is_granted` for every... 57 | user_is_granted[permission] { 58 | some i, j 59 | 60 | # `role` assigned an element of the user_roles for this user... 61 | role := data.users[input.user]["roles"][i] 62 | 63 | # `permission` assigned a single permission from the permissions list for 'role'... 64 | permission := data.role_permissions[role][j] 65 | } 66 | -------------------------------------------------------------------------------- /test/e2e/test.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -x 4 | set -e 5 | 6 | helm test -n opal --logs myopal 7 | 8 | DATA_URL='http://localhost:8181/v1/data' 9 | 10 | [ $(kubectl exec -n opal service/myopal-client -- curl -s ${DATA_URL}/users) != "{}" ] 11 | if [ -z $MSYSTEM ]; then 12 | kubectl exec -n opal service/myopal-server -- /opt/e2e/policy-repo-data/upd.sh 13 | else 14 | kubectl exec -n opal service/myopal-server -- //opt/e2e/policy-repo-data/upd.sh 15 | fi 16 | 17 | sleep 7 18 | [ $(kubectl exec -n opal service/myopal-client -- curl -s ${DATA_URL}/users) == "{}" ] 19 | [ $(kubectl exec -n opal service/myopal-client -- curl -s ${DATA_URL}/losers) != "{}" ] 20 | -------------------------------------------------------------------------------- /test/e2e/upd.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | cd /opt/e2e/policy-repo-working 4 | 5 | sed -i 's/users/losers/g' data.json 6 | 7 | git commit -am 'chore: update' 8 | git push 9 | -------------------------------------------------------------------------------- /test/linter/test.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | helm lint . --strict 4 | helm lint . --strict --set server=null 5 | helm lint . --strict --set client=null 6 | helm lint . --strict --set server.broadcastUri=zzz --set server.broadcastPgsql=true 7 | helm lint . --strict --set server.broadcastPgsql=true 8 | helm lint . --strict -f test/linter/values-entries.yaml 9 | -------------------------------------------------------------------------------- /test/linter/values-entries.yaml: -------------------------------------------------------------------------------- 1 | imageRegistry: docker.io 2 | imagePullSecrets: 3 | - name: my_awesome_secret 4 | 5 | server: 6 | dataConfigSources: 7 | config: 8 | entries: 9 | - url: "111" 10 | - url: "222" 11 | 12 | client: null 13 | -------------------------------------------------------------------------------- /values.schema.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json-schema.org/draft-07/schema#", 3 | "$id": "https://permitio.github.io/opal-helm-chart/", 4 | "title": "OPAL Helm values", 5 | 6 | "definitions": { 7 | "DataSourceEntry": { 8 | "type": "object", "title": "DataSourceEntry", "additionalProperties": true, 9 | "properties": { 10 | "url": {"type": "string", "title": "url source to query for data"}, 11 | "topics": {"type": "array", "title": "topics the data applies to", "items": { "type": "string" }}, 12 | "dst_path": {"type": "string", "title": "OPA data api path to store the document at"}, 13 | "data": {"type": "object", "title": "Data payload to embed within the data update (instead of having the client fetch it from the url)."}, 14 | "save_method": {"type": "string", "title": "Method used to write into OPA - PUT/PATCH"} 15 | } 16 | }, 17 | "ServerDataSourceConfig": { 18 | "type": "object", "title": "ServerDataSourceConfig", "additionalProperties": false, 19 | "properties": { 20 | "config": { 21 | "type": ["object", "null"], "title": "DataSourceConfig", "additionalProperties": false, 22 | "properties": { 23 | "entries": { 24 | "type": "array", "title": "list of data sources", "default": [], 25 | "items": { "$ref": "#/definitions/DataSourceEntry" } 26 | } 27 | } 28 | }, 29 | "external_source_url": {"type": "string", "title": "url to external data source"} 30 | } 31 | }, 32 | "SecurityContext": { 33 | "type": "object", 34 | "title": "SecurityContext", 35 | "additionalProperties": true, 36 | "properties": { 37 | "runAsUser": { "type": "integer" }, 38 | "runAsGroup": { "type": "integer" }, 39 | "fsGroup": { "type": "integer" } 40 | } 41 | }, 42 | "ContainerSecurityContext": { 43 | "type": "object", 44 | "title": "ContainerSecurityContext", 45 | "additionalProperties": true, 46 | "properties": { 47 | "runAsNonRoot": { "type": "boolean" }, 48 | "allowPrivilegeEscalation": { "type": "boolean" } 49 | } 50 | } 51 | }, 52 | 53 | "type": "object", "required": ["image"], 54 | "properties": { 55 | "openshift": { 56 | "type": "object", 57 | "title": "OpenShift compatibility settings", 58 | "additionalProperties": false, 59 | "properties": { 60 | "enabled": { 61 | "type": "boolean", 62 | "title": "Enable OpenShift compatibility", 63 | "default": false 64 | }, 65 | "securityContext": { "$ref": "#/definitions/SecurityContext" }, 66 | "containerSecurityContext": { "$ref": "#/definitions/ContainerSecurityContext" } 67 | } 68 | }, 69 | "image": { 70 | "type": "object", "title": "image", "additionalProperties": false, 71 | "required": ["server", "client", "pgsql"], 72 | "properties": { 73 | "server": { 74 | "type": "object", "title": "server", "additionalProperties": false, 75 | "properties": { 76 | "registry": { 77 | "type": "string", 78 | "default": "docker.io", 79 | "title": "server docker image registry" 80 | }, 81 | "repository": { 82 | "type": "string", 83 | "default": "permitio/opal-server", 84 | "title": "server docker image repository" 85 | }, 86 | "tag": { 87 | "type": "string", 88 | "title": "server docker image tag. defaults to chart appVersion" 89 | }, 90 | "pullSecrets": { 91 | "type": "array", 92 | "default": [], 93 | "title": "server docker image pull secrets" 94 | } 95 | } 96 | }, 97 | "client": { 98 | "type": "object", "title": "client", "additionalProperties": false, 99 | "properties": { 100 | "registry": { 101 | "type": "string", 102 | "default": "docker.io", 103 | "title": "client docker image registry" 104 | }, 105 | "repository": { 106 | "type": "string", 107 | "default": "permitio/opal-client", 108 | "title": "client docker image repository" 109 | }, 110 | "tag": { 111 | "type": "string", 112 | "title": "client docker image tag. defaults to chart appVersion" 113 | }, 114 | "pullSecrets": { 115 | "type": "array", 116 | "default": [], 117 | "title": "client docker image pull secrets" 118 | } 119 | } 120 | }, 121 | "pgsql": { 122 | "type": "object", 123 | "title": "pgsql", 124 | "additionalProperties": false, 125 | "properties": { 126 | "registry": { 127 | "type": "string", 128 | "default": "docker.io", 129 | "title": "pgsql docker image registry" 130 | }, 131 | "repository": { 132 | "type": "string", 133 | "default": "postgres", 134 | "title": "pgsql docker image repository" 135 | }, 136 | "tag": { 137 | "type": "string", 138 | "default": "alpine", 139 | "title": "pgsql docker image tag" 140 | }, 141 | "pullSecrets": { 142 | "type": "array", 143 | "default": [], 144 | "title": "pgsql docker image pull secrets" 145 | } 146 | } 147 | } 148 | } 149 | }, 150 | "server": { 151 | "type": ["null", "object"], "additionalProperties": false, "title": "opal server settings", 152 | "required": ["port", "policyRepoUrl", "pollingInterval", "dataConfigSources", "broadcastPgsql", "uvicornWorkers", "replicas"], 153 | "properties": { 154 | "securityContext": { "$ref": "#/definitions/SecurityContext" }, 155 | "containerSecurityContext": { "$ref": "#/definitions/ContainerSecurityContext" }, 156 | "enabled": { 157 | "type": "boolean", "title": "enable server", "default": true 158 | }, 159 | "port": { 160 | "type": "integer", "title": "server listening port", "default": 7002 161 | }, 162 | "policyRepoUrl": { 163 | "type": "string", "title": "policy repo url", 164 | "default":"https://github.com/permitio/opal-example-policy-repo" 165 | }, 166 | "policyRepoSshKey": { 167 | "type": ["null", "string"], "title": "policy SSH key","default": null 168 | }, 169 | "policyRepoClonePath": { 170 | "type": ["null", "string"], "title": "policy clone path","default": null 171 | }, 172 | "policyRepoMainBranch": { 173 | "type": ["null", "string"], "title": "policy main branch","default": null 174 | }, 175 | "pollingInterval": { 176 | "type": "integer", "title": "polling interval (sec)", "default": 30 177 | }, 178 | "dataConfigSources": {"$ref": "#/definitions/ServerDataSourceConfig"}, 179 | "broadcastUri": { 180 | "type": ["null", "string"], "title": "broadcast url", "default": null 181 | }, 182 | "broadcastPgsql": { 183 | "type": "boolean", "title": "install broadcast pgsql", "default": true 184 | }, 185 | "broadcastReplicas": { 186 | "type": "integer", "title": "replicas for broadcast pgsql", "default": 1 187 | }, 188 | "uvicornWorkers": { 189 | "type": "integer", "title": "num of uvicorn workers per pod", "default": 4 190 | }, 191 | "replicas": { 192 | "type": "integer", "title": "num of replicas", "default": 1 193 | }, 194 | "extraEnv": { 195 | "type": "object", "title": "extra environment variables list", "default": null 196 | }, 197 | "secrets": { 198 | "type": "array", 199 | "title": "name of a kubernetes secret from where to fetch secret environment variables.", 200 | "default": null, 201 | "items": { "type": "string" } 202 | }, 203 | "resources": { 204 | "type": "object", 205 | "title": "resources", 206 | "default": null 207 | }, 208 | "imagePullPolicy": { 209 | "type": "string", 210 | "default": "IfNotPresent", 211 | "title": "when kubelet should pull specified image" 212 | } 213 | } 214 | }, 215 | "client": { 216 | "type": ["null", "object"], "additionalProperties": false, "title": "opal client settings", 217 | "required": ["port", "opaPort", "replicas"], 218 | "properties": { 219 | "securityContext": { "$ref": "#/definitions/SecurityContext" }, 220 | "containerSecurityContext": { "$ref": "#/definitions/ContainerSecurityContext" }, 221 | "enabled": { 222 | "type": "boolean", "title": "enable client", "default": true 223 | }, 224 | "port": { 225 | "type": "integer", "title": "client rest port", "default": 7000 226 | }, 227 | "opaPort": { 228 | "type": "integer", "title": "client embedded opa port", "default": 8181 229 | }, 230 | "replicas": { 231 | "type": "integer", "title": "num of replicas", "default": 1 232 | }, 233 | "extraEnv": { 234 | "type": "object", "title": "extra environment variables list", "default": null 235 | }, 236 | "opaStartupData": { 237 | "type": "object", "title": "client startup data for embedded opa", "default": null 238 | }, 239 | "serverUrl": { 240 | "type": "string", 241 | "title": "opal server url for client to connect to" 242 | }, 243 | "secrets": { 244 | "type": "array", 245 | "title": "name of a kubernetes secret from where to fetch secret environment variables.", 246 | "default": null, 247 | "items": { "type": "string" } 248 | }, 249 | "resources": { 250 | "type": "object", 251 | "title": "resources", 252 | "default": null 253 | }, 254 | "imagePullPolicy": { 255 | "type": "string", 256 | "default": "IfNotPresent", 257 | "title": "when kubelet should pull specified image" 258 | } 259 | } 260 | }, 261 | "postgresql": { 262 | "type": ["null", "object"], 263 | "additionalProperties": false, 264 | "title": "PostgreSQL settings", 265 | "properties": { 266 | "securityContext": { "$ref": "#/definitions/SecurityContext" }, 267 | "containerSecurityContext": { "$ref": "#/definitions/ContainerSecurityContext" }, 268 | "extraEnv": { 269 | "type": "object", 270 | "title": "extra environment variables list", 271 | "default": {} 272 | } 273 | } 274 | } 275 | } 276 | } 277 | -------------------------------------------------------------------------------- /values.yaml: -------------------------------------------------------------------------------- 1 | openshift: 2 | enabled: false 3 | securityContext: 4 | runAsUser: 1010180000 5 | runAsGroup: 1010180000 6 | fsGroup: 1010180000 7 | containerSecurityContext: 8 | runAsNonRoot: true 9 | allowPrivilegeEscalation: false 10 | 11 | image: 12 | client: 13 | registry: docker.io 14 | repository: permitio/opal-client 15 | server: 16 | registry: docker.io 17 | repository: permitio/opal-server 18 | pgsql: 19 | registry: docker.io 20 | repository: postgres 21 | tag: alpine 22 | 23 | server: 24 | port: 7002 25 | policyRepoUrl: "https://github.com/permitio/opal-example-policy-repo" 26 | policyRepoSshKey: null 27 | policyRepoClonePath: null 28 | policyRepoMainBranch: null 29 | pollingInterval: 30 30 | dataConfigSources: 31 | # Option #1 - No data sources 32 | config: 33 | entries: [] 34 | 35 | # Option #2 - Dynamically get data sources 36 | # external_source_url: "https://your-api.com/path/to/api/endpoint" 37 | 38 | # Option #3 - Example static data sources (endpoint is empty by default) 39 | # config: 40 | # entries: 41 | # - url: http://opal-server:7002/policy-data 42 | # topics: ["policy_data"] 43 | # dst_path: "/static" 44 | 45 | # Option #4 - Leave config empty and instead supply using the OPAL_DATA_CONFIG_SOURCES environment variable through env or secret 46 | # config: null 47 | 48 | broadcastUri: null 49 | broadcastPgsql: true 50 | uvicornWorkers: 4 51 | replicas: 1 52 | extraEnv: { 53 | # "CUSTOM_ENV_VAR": "VALUE" 54 | } 55 | securityContext: {} 56 | containerSecurityContext: {} 57 | 58 | client: 59 | port: 7000 60 | opaPort: 8181 61 | replicas: 1 62 | # If you need to specify a custom hostname for the opal-sever, configure the serverUrl property 63 | # serverUrl: http://custom-hostname-for-opal:opal-port 64 | extraEnv: {} 65 | securityContext: {} 66 | containerSecurityContext: {} 67 | 68 | postgresql: 69 | securityContext: {} 70 | containerSecurityContext: {} 71 | extraEnv: {} 72 | 73 | broadcastReplicas: 1 --------------------------------------------------------------------------------