Share and distribute Open Policy Agent Bundles with OpenFaaS functions

What will you learn in this post?

What is OPA (Open Policy Agent)?

How can we deploy OPA co-located with our service?

How can OpenFaaS help us with OPA?



1. Setup Tools

$ curl -sLS | sudo sh
$ arkade get kind
$ arkade get kubectl
$ arkade get faas-cli

2. Set Up Cluster

$ arkade get kind
$ kind create cluster

3. Deploy OpenFaaS

$ arkade install openfaas
$ kubectl rollout status -n openfaas deploy/gateway
$ kubectl port-forward -n openfaas svc/gateway 8080:8080 &

4. Configure faas-cli

$ PASSWORD=$(kubectl get secret -n openfaas basic-auth -o jsonpath="{.data.basic-auth-password}" | base64 --decode; echo)
$ echo -n "$PASSWORD" | faas-cli login --username admin --password-stdin

5. Deploy Function

$ cd functions
$ faas-cli template store pull golang-middleware
$ faas-cli up -f bundle-api.yml

6. Load Images

$ docker image pull openpolicyagent/opa:latest
$ kind load docker-image openpolicyagent/opa:latest
$ docker image pull openpolicyagent/demo-restful-api:0.2
$ kind load docker-image openpolicyagent/demo-restful-api:0.2

7. Deploy the application

$ cd ../hack/manifests
$ kubectl apply -f deployment.yaml
$ kubectl rollout status deployment demo-restful-api
$ kubectl port-forward svc/demo-restful-api 5000:80 &


Check that Alice can see her own salary

$ curl --user alice:password localhost:5000/finance/salary/alice

Check that Bob CANNOT see Charlie’s salary.

$ curl --user bob:password localhost:5000/finance/salary/charlie
$ curl --user bob:password localhost:5000/finance/salary/alice
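
What a bundle-serving function such as the one deployed in step 5 has to return to OPA, written as an added example and not the post's bundle-api code: a gzipped tarball of policy files, with ETag and If-None-Match handling so OPA only re-downloads a changed bundle. The policy text, its file name and package, and the 127.0.0.1:8081 listen address are assumptions; Handle uses the signature of the golang-middleware template.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"crypto/sha256"
	"fmt"
	"net/http"
)

// Constructed sample policy (assumed, not the post's policy file).
const policy = "package httpapi.authz\nimport rego.v1\ndefault allow := false\n" +
	"allow if input.path == [\"finance\", \"salary\", input.user]\n"

// BuildBundle packs one policy file into the gzipped tarball OPA downloads, plus an ETag.
func BuildBundle(name, rego string) ([]byte, string, error) {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	hdr := &tar.Header{Name: name, Mode: 0644, Size: int64(len(rego))}
	if err := tw.WriteHeader(hdr); err != nil {
		return nil, "", err
	}
	if _, err := tw.Write([]byte(rego)); err != nil {
		return nil, "", err
	}
	if err := tw.Close(); err != nil {
		return nil, "", err
	}
	err := gz.Close() // flush the gzip trailer before hashing
	return buf.Bytes(), fmt.Sprintf(`"%x"`, sha256.Sum256(buf.Bytes())), err
}

// Handle answers OPA's bundle poll; 304 tells OPA its copy is current.
func Handle(w http.ResponseWriter, r *http.Request) {
	body, etag, err := BuildBundle("httpapi/authz.rego", policy)
	if err != nil {
		http.Error(w, "bundle build failed", http.StatusInternalServerError)
		return
	}
	w.Header().Set("ETag", etag)
	if r.Header.Get("If-None-Match") == etag {
		w.WriteHeader(http.StatusNotModified)
		return
	}
	w.Write(body)
}

func main() { panic(http.ListenAndServe("127.0.0.1:8081", http.HandlerFunc(Handle))) } // assumed address
```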







I do mostly Go, Kubernetes, and cloud-native stuff ⛵️🐰🐳