Open Policy Agent Example #207
Conversation
product-auto-label
bot
added
api: run
|
/gcbrun |
|
/gcbrun |
| # Prerequsites | ||
|
|
||
| * An up to date gcloud SDK installed | ||
| * [opa](https://www.openpolicyagent.org/docs/latest/) installed |
There was a problem hiding this comment.
| * [opa](https://www.openpolicyagent.org/docs/latest/) installed | |
| * [opa](https://www.openpolicyagent.org/docs/latest/cli/) installed |
Tweaking url to point directly to the cli page.
There was a problem hiding this comment.
Thoughts on adding:
brew install opa- ref a direct link to homebrew site for folks to install opa? https://formulae.brew.sh/formula/opa
- minimum relese version to work the sample?
|
|
||
| The goal is to use a simple HTTP web server that accepts any HTTP GET request that you issue and echoes the OPA decision back as text. OPA will fetch policy bundles from a simple bundle server. OPA, the bundle server, and the web server will be run as containers in Cloud Run. In a production environment, you likely will have a different bundle server, but it's convenient to package it together here. | ||
|
|
||
| # Prerequsites |
There was a problem hiding this comment.
| # Prerequsites | |
| # Prerequisites |
| docker push us-central1-docker.pkg.dev/<CLOUD_PROJECT>/docker/<IMAGE_NAME> | ||
| ``` | ||
|
|
||
| Note: We assume Google Cloud Artifact Registry in this tutorial but any registry accessible to Cloud Run will work |
There was a problem hiding this comment.
Nice, do you mind moving this up the prereqs or in a section of required gcp apis like the sister sample https://github.com/GoogleCloudPlatform/cloud-run-samples/tree/main/multi-container/hello-nginx-sample#enable-required-apis?
| * Create a custom bundle server with [Dockerfile.nginx](./Dockerfile.nginx) and [nginx.conf.template](./nginx.conf.template) with the following command: | ||
|
|
||
| ```bash | ||
| docker build -f Dockerfile.nginx -t us-central1-docker.pkg.dev/<CLOUD_PROJECT>/docker/<IMAGE_NAME> . |
There was a problem hiding this comment.
Mind replacing this with the Cloud Build equivalent? Dockerfile can still be leveraged.
|
|
||
| # 1. Create and push a custom bundle server image | ||
|
|
||
| * Follow [Step 1](https://www.openpolicyagent.org/docs/latest/http-api-authorization/#1-create-a-policy-bundle) in the original tutorial, resulting in creating two files called `example.rego` and `bundle.tar.gz`. |
There was a problem hiding this comment.
Thoughts on itemizing these step by step here? It'll make the README easier to follow and the steps on the site could change later down the line without us realizing.
|
Hi @lawrenae! Just a friendly ping - happy to chat more about the sample. |
|
/gcbrun |
This is supporting material for how to create a cloud run instance where routes are authorized by Open Policy Agent.
Note: this solution includes building a custom docker container, and so part of the CI steps is using an Artifact Registry repository called
dockerin us-central1Permissions required on the cloud build service account:
Feedback most welcome!