hexa-org / policy-opa

Supports integration of Hexa IDQL Policy into OPA environments
Apache License 2.0

HexaOpa Server - Add TLS config support #31

Closed independentid closed 3 weeks ago

independentid commented 4 weeks ago

Currently hexaOpa can be configured to run TLS via the normal OPA procedure. This enhancement would use keygenerator to auto-create keys to auto-install and configure OPA to use them.

independentid commented 3 weeks ago

Set up for auto-config. hexaOpa now calls keysupport to auto-generate self-signed keys if the configured key file is missing. The "command" to start the image now passes the TLS key pem files as hard coded values. Note: I was not able to find an environment variable for OPA.

The file path values of HEXA_SERVER_CERT and HEXA_SERVER_KEYPATH need to correspond with the parameters on the hexa-opa-sidecar "command" value. For example:

```yaml
  hexa-opa-sidecar:
    image: hexaopa
    container_name: hexa-opa-sidecar
    ports:
      - "8887:8887"
    depends_on:
      - hexa-opaBundle-server
    command: /app/hexaOpa run --server --addr :8887 --tls-cert-file=/home/certs/hexaOpa-cert.pem --tls-private-key-file=/home/certs/hexaOpa-key.pem --log-level debug -c /home/config/config.yaml
    environment:
      # These environment values are referenced in ./deployments/hexaOpaServer/config/config.yaml
      HEXA_CONFIG_URL: "https://hexa-bundle-server:8889"
      HEXA_CA_CERT: "/home/certs/ca-cert.pem"
      HEXA_CERT_DIRECTORY: "/home/certs"
      HEXA_SERVER_CERT: "/home/certs/hexaOpa-cert.pem"
      HEXA_SERVER_KEY_PATH: "/home/certs/hexaOpa-key.pem"
      HEXA_SERVER_DNS_NAME: "hexa-opa-sidecar"
    volumes:
      - "./deployments/hexaOpaServer/config:/home/config:ro"
      - "./deployments/hexaOpaServer/.opa:/app/.opa"
      - "./.certs:/home/certs"
```
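The comment above describes two things an operator has to get right: the sidecar generates a self-signed pair only when the configured files are absent, and the paths in the `command` line must agree with `HEXA_SERVER_CERT` / `HEXA_SERVER_KEY_PATH`. The following Go program is an added illustration of that behaviour and of a startup check for the path mismatch; it is not the project's `keysupport` package, and the function names `EnsureServerCert`, `CertDNSNames` and `CheckCommandPaths` are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// EnsureServerCert generates a self-signed certificate for dnsName only when
// neither the cert nor the key file exists. It returns true if files were
// written. If exactly one of the two files exists it refuses to proceed, so a
// half-present operator-supplied pair is never silently replaced.
// (Hypothetical helper, not the project's keysupport implementation.)
func EnsureServerCert(certPath, keyPath, dnsName string) (bool, error) {
	_, certErr := os.Stat(certPath)
	_, keyErr := os.Stat(keyPath)
	if certErr == nil && keyErr == nil {
		return false, nil // operator supplied both files: leave them alone
	}
	if (certErr == nil) != (keyErr == nil) {
		return false, fmt.Errorf("only one of %s / %s exists; refusing to overwrite", certPath, keyPath)
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return false, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: dnsName},
		DNSNames:              []string{dnsName}, // clients verify this SAN, so it must match the container name
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return false, err
	}
	keyDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return false, err
	}
	for _, p := range []string{certPath, keyPath} {
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return false, err
		}
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	if err := os.WriteFile(certPath, certPEM, 0o644); err != nil {
		return false, err
	}
	// The private key is written owner-read-only.
	if err := os.WriteFile(keyPath, keyPEM, 0o600); err != nil {
		return false, err
	}
	return true, nil
}

// CertDNSNames returns the SANs of a PEM certificate file, useful for checking
// what name a generated sidecar cert will actually be valid for.
func CertDNSNames(certPath string) ([]string, error) {
	raw, err := os.ReadFile(certPath)
	if err != nil {
		return nil, err
	}
	block, _ := pem.Decode(raw)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in " + certPath)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	return cert.DNSNames, nil
}

// CheckCommandPaths verifies that the OPA command line refers to the same files
// the environment variables point at, catching the mismatch the comment warns about.
func CheckCommandPaths(command, certPath, keyPath string) error {
	flags := map[string]string{}
	for _, tok := range strings.Fields(command) {
		if k, v, ok := strings.Cut(tok, "="); ok && strings.HasPrefix(k, "--") {
			flags[k] = v
		}
	}
	if got := flags["--tls-cert-file"]; got != certPath {
		return fmt.Errorf("--tls-cert-file=%q does not match HEXA_SERVER_CERT=%q", got, certPath)
	}
	if got := flags["--tls-private-key-file"]; got != keyPath {
		return fmt.Errorf("--tls-private-key-file=%q does not match HEXA_SERVER_KEY_PATH=%q", got, keyPath)
	}
	return nil
}

func main() {
	// Stand-alone demo using the same variable names as the compose file (values are defaults for this demo).
	certPath := os.Getenv("HEXA_SERVER_CERT")
	keyPath := os.Getenv("HEXA_SERVER_KEY_PATH")
	dnsName := os.Getenv("HEXA_SERVER_DNS_NAME")
	if certPath == "" || keyPath == "" || dnsName == "" {
		certPath, keyPath, dnsName = "certs/hexaOpa-cert.pem", "certs/hexaOpa-key.pem", "hexa-opa-sidecar"
	}
	created, err := EnsureServerCert(certPath, keyPath, dnsName)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Println("generated new self-signed pair:", created)
	cmd := "/app/hexaOpa run --server --addr :8887 --tls-cert-file=" + certPath + " --tls-private-key-file=" + keyPath
	fmt.Println("command/env path check:", CheckCommandPaths(cmd, certPath, keyPath))
}
```

Running `CheckCommandPaths` against the compose `command` string before starting OPA turns a silent "OPA cannot read its cert" failure into an explicit configuration error, and `CertDNSNames` makes it easy to confirm the generated cert carries the `hexa-opa-sidecar` SAN that the bundle server and other clients will validate against.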