open-policy-agent / opa

Open Policy Agent (OPA) is an open source, general-purpose policy engine.
https://www.openpolicyagent.org
Apache License 2.0

Helm Chart for OPA #7109

Open LuciaCabanillasRodriguez opened 3 days ago

LuciaCabanillasRodriguez commented 3 days ago

Request for Helm Chart Support

Hello,

I'm currently looking to deploy Open Policy Agent (OPA) using Helm, and I would like to know if there is an existing Helm chart that supports both HTTP and HTTPS protocols.

Thank you for your help!

Best regards, Lucía

charlieegan3 commented 3 days ago

Hi @LuciaCabanillasRodriguez. OPA is relatively simple to deploy as a Deployment in Kubernetes environments.

There is an example of the YAML required to do so here, in one of the OPA tutorials on ingress validation: https://www.openpolicyagent.org/docs/latest/kubernetes-tutorial/#6-deploy-opa-as-an-admission-controller

Is your use case K8s admission related or something else? Is there a reason that you need a helm chart specifically over using a K8s deployment YAML alone?

> HTTP and HTTPS protocols

It's relatively simple to have OPA load certificates from secrets mounted as volumes from cert-manager (https://cert-manager.io). However, it's also common, if OPA is running behind an ingress controller or gateway, to terminate TLS there too.
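
A sketch of the secret-as-volume approach mentioned in the comment above, added here as an illustration; it is not part of the thread or of the OPA project's own manifests. The resource names (`opa`, `opa-tls`, `example-issuer`), the DNS name and the port are assumptions, and the Issuer is assumed to exist already.

```yaml
# cert-manager issues the certificate and stores it in the Secret "opa-tls".
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: opa-tls
spec:
  secretName: opa-tls              # Secret will hold tls.crt and tls.key
  dnsNames:
    - opa.default.svc              # assumed Service DNS name
  issuerRef:
    name: example-issuer           # assumed, must already exist
    kind: Issuer
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: opa
spec:
  replicas: 1
  selector:
    matchLabels: {app: opa}
  template:
    metadata:
      labels: {app: opa}
    spec:
      containers:
        - name: opa
          image: openpolicyagent/opa:latest   # pin a release tag in practice
          args:
            - run
            - --server
            - --addr=0.0.0.0:8443
            # Without the two TLS flags below, OPA serves plain HTTP.
            - --tls-cert-file=/certs/tls.crt
            - --tls-private-key-file=/certs/tls.key
          ports:
            - containerPort: 8443
          readinessProbe:
            httpGet: {path: /health, port: 8443, scheme: HTTPS}
          volumeMounts:
            - name: tls
              mountPath: /certs
              readOnly: true           # key material is never written by OPA
      volumes:
        - name: tls
          secret:
            secretName: opa-tls
```

If TLS is terminated at an ingress controller or gateway instead, the two `--tls-*` flags and the volume are dropped and the probe scheme becomes `HTTP`; the hop between the gateway and OPA is then unencrypted unless something else protects it.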

LuciaCabanillasRodriguez commented 2 days ago

In my case, I’m not focused on deploying OPA as an Admission Controller. Instead, I want to deploy Open Policy Agent (OPA) as a general-purpose policy engine, which provides unified, context-aware policy enforcement across the entire stack.

I noticed there was a Helm chart available in helm/stable/opa, but it seems to be deprecated. I would need a current Helm chart for my deployment.

anderseknert commented 2 days ago

There's this one in the kube-mgmt repo: https://github.com/open-policy-agent/kube-mgmt/tree/master/charts/opa-kube-mgmt

AFAIK, it can be used even when kube-mgmt is not used.

LuciaCabanillasRodriguez commented 2 days ago

It would be ideal if a Helm chart could be added directly to the OPA repository rather than relying on the kube-mgmt repository. This would help avoid confusion and provide a more straightforward deployment aligned with the intended use. Additionally, having a dedicated Helm chart for each purpose (such as policy management or enforcement) would offer greater flexibility, making it easier to deploy OPA for different use cases without relying on outdated or unrelated charts.

anderseknert commented 2 days ago

I think having things like Helm charts outside of the core project is reasonable, as OPA caters to a whole bunch of use cases of which many are unrelated to Kubernetes. But we could definitely do better to help users discover resources such as that one. For example, an entry for Helm under the ecosystem pages would likely help with discoverability.