Resurrect Workload Identity Work

Open ledbutter opened this issue 1 year ago • 7 comments

Why are the changes in this PR needed?

To allow for Azure kubernetes deployments to utilize workload identity, their newer approach to federating with identity providers.

What are the changes in this PR?

Adding new client credential attributes to support workload identity.

Notes to assist PR review:

Based on discussion in #6012

Further comments:

This is resurrecting the work started in #6014 and closed without explanation. Given the specialized support for AWS KMS, I could foresee the original approach here should be changed to more closely follow that approach.

ledbutter avatar Jun 10 '24 14:06 ledbutter

Deploy Preview for openpolicyagent ready!

Latest commit: 23a9f9a9bf320730b63e5f24a310fbe4844d08e5
Latest deploy log: https://app.netlify.com/sites/openpolicyagent/deploys/6682c2be479cc10008692d86
Deploy Preview: https://deploy-preview-6802--openpolicyagent.netlify.app
To edit notification comments on pull requests, go to your Netlify site configuration.

netlify[bot] avatar Jun 10 '24 14:06 netlify[bot]

Thanks for working on this! The change looks good to me. I'll assume you've tested this against Azure :)

Actually an unsafe assumption: we are still in the evaluation phase for OPA so no established deployments but we do have Azure environments with workload identity configured so I will try this out tomorrow.

ledbutter avatar Jun 12 '24 23:06 ledbutter

I'm struggling to get the docker image to build locally (Mac M1, corporate network blocking download of the chainguard base images), so I've been trying to grab the image generated via the workflow and deploy it to my AKS cluster, but I'm seeing unexpected behavior (leading me to believe it isn't actually my work):

services:
  azure_storage_account:
    url: ${STORAGE_ACCOUNT_URL}
    headers:
      x-ms-version: 2017-11-09
    response_header_timeout_seconds: 5
    credentials:
      oauth2:
        grant_type: client_credentials
        client_id: ${AZURE_CLIENT_ID}
        client_assertion_path: /var/run/secrets/azure/tokens/azure-identity-token
        token_url: https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token
        scopes:
          - https://storage.azure.com/.default

bundles:
  authz:
    service: azure_storage_account
    resource: opa/policy.rego
    persist: true
    polling:
      min_delay_seconds: 60
      max_delay_seconds: 120

Is there a reliable image tag generated from my PR branch that I can reference?

I've pushed the latest tests to try to validate the rest-level config is getting picked up properly.

ledbutter avatar Jun 14 '24 19:06 ledbutter

Further confirming this, if I just run the binary locally, I get an expected error (since I don't have that file locally).

ledbutter avatar Jun 14 '24 20:06 ledbutter

@anderseknert Ok, after much finagling, I got this working (with the latest changes to include client_id in the body):

Service config:

services:
  azure_storage_account:
    url: https://${MY_STORAGE_ACCOUNT}.blob.core.windows.net/
    headers:
      x-ms-version: 2017-11-09
    response_header_timeout_seconds: 5
    credentials:
      oauth2:
        grant_type: client_credentials
        client_id: "${AZURE_CLIENT_ID}"
        client_assertion_path: "${AZURE_FEDERATED_TOKEN_FILE}"
        token_url: "${AZURE_AUTHORITY_HOST}/${AZURE_TENANT_ID}/oauth2/v2.0/token"
        scopes:
          - https://storage.azure.com/.default

bundles:
  authz:
    service: azure_storage_account
    resource: opa/policies.tar.gz
    persist: true
    polling:
      min_delay_seconds: 60
      max_delay_seconds: 120

deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: opa
  labels:
    app: opa
spec:
  replicas: 1
  selector:
    matchLabels:
      app: opa
  template:
    metadata:
      labels:
        app: opa
        azure.workload.identity/use: "true"
      name: opa
    spec:
      serviceAccountName: ${my_workload_identity_service}
      containers:
      - name: opa
        image: ${OPA_IMAGE}
        imagePullPolicy: Always
        ports:
        - name: http
          containerPort: 8181
        args:
        - "run"
        - "--ignore=.*"  # exclude hidden dirs created by Kubernetes
        - "--server"
        - "--config-file=/config/service.yml"
        volumeMounts:
        - readOnly: true
          mountPath: /config
          name: config
        - mountPath: /.opa
          name: opa-volume
      volumes:
      - name: config
        configMap:
          name: workload-config
      - name: opa-volume
        emptyDir: {}

ledbutter avatar Jun 18 '24 19:06 ledbutter
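What the new client_assertion_path attribute amounts to on the wire, as an added Go example that is not OPA's own code: read the projected federated token file and build the client_credentials form body (client_id in the body, as the final fix does). The struct and function names are assumptions; readFile is injected so the file read can be stubbed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"strings"
)

// Assertion type Azure AD expects for a federated token in the client_credentials grant (RFC 7523).
const clientAssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
// WorkloadIdentityConfig mirrors the oauth2 attributes above (hypothetical struct, not OPA's type).
type WorkloadIdentityConfig struct {
	ClientID            string
	ClientAssertionPath string // typically $AZURE_FEDERATED_TOKEN_FILE
	TokenURL            string
	Scopes              []string
}

// BuildTokenRequest reads the projected service-account token and returns the form body to POST to
// TokenURL. The file is re-read on every call because Kubernetes rotates the projected token.
func BuildTokenRequest(cfg WorkloadIdentityConfig, readFile func(string) ([]byte, error)) (url.Values, error) {
	if cfg.ClientID == "" || cfg.ClientAssertionPath == "" || cfg.TokenURL == "" {
		return nil, errors.New("client_id, client_assertion_path and token_url are required")
	}
	raw, err := readFile(cfg.ClientAssertionPath) // fails outside the cluster: no projected volume
	if err != nil {
		return nil, fmt.Errorf("read client assertion %q: %w", cfg.ClientAssertionPath, err)
	}
	assertion := strings.TrimSpace(string(raw))
	form := url.Values{}
	form.Set("grant_type", "client_credentials")
	form.Set("client_id", cfg.ClientID) // sent in the body, as in the final fix
	form.Set("client_assertion_type", clientAssertionType)
	form.Set("client_assertion", assertion)
	form.Set("scope", strings.Join(cfg.Scopes, " "))
	return form, nil
}

func main() {
	cfg := WorkloadIdentityConfig{ClientID: os.Getenv("AZURE_CLIENT_ID"), ClientAssertionPath: os.Getenv("AZURE_FEDERATED_TOKEN_FILE"),
		TokenURL: os.Getenv("AZURE_AUTHORITY_HOST") + "/" + os.Getenv("AZURE_TENANT_ID") + "/oauth2/v2.0/token"}
	if form, err := BuildTokenRequest(cfg, os.ReadFile); err != nil {
		fmt.Println("error:", err)
	} else {
		fmt.Println(form.Encode()) // body for http.PostForm(cfg.TokenURL, form)
	}
}
```

Run in a pod with azure.workload.identity/use set, the environment variables are injected by the webhook; run locally, it reports the same missing-file error seen above.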

@ledbutter sorry for my delayed response! Happy to hear that! I'll take a closer look tonight 👍

anderseknert avatar Jun 25 '24 14:06 anderseknert

Code looks good to me! There's no documentation provided in this PR though. Could you please add docs for the new configuration attributes, and perhaps something like the example you provided here for how to set this up? Thanks!

I added some docs, I tried to follow the existing layout/format, let me know if you want something more involved.

ledbutter avatar Jun 27 '24 13:06 ledbutter