ALT-828 Allow DRC2 calls with SPIRE

The DRC2 feature uses a new "ogopogod" API with SPIRE. Add this to the OPA policy to enable this feature.
Cray-HPE · Dec 19, 2023 · 8117bd1 · 8117bd1
1 parent 5adee70
commit 8117bd1
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 1 deletion.
diff --git a/kubernetes/cray-opa/Chart.yaml b/kubernetes/cray-opa/Chart.yaml
@@ -23,7 +23,7 @@
 #
 apiVersion: v2
 name: cray-opa
-version: 1.33.0
+version: 1.33.1
 description: Cray Open Policy Agent
 keywords:
   - opa

diff --git a/kubernetes/cray-opa/templates/policies/spire.yaml b/kubernetes/cray-opa/templates/policies/spire.yaml
@@ -117,6 +117,11 @@ data:
             {"method": "HEAD", "path": `^/apis/jackaloped/.*$`},
             {"method": "POST", "path": `^/apis/jackaloped/.*$`},
             {"method": "DELETE", "path": `^/apis/jackaloped/.*$`},
+            # ogopogod - DRC2
+            {"method": "GET", "path": `^/apis/ogopogod/.*$`},
+            {"method": "HEAD", "path": `^/apis/ogopogod/.*$`},
+            {"method": "POST", "path": `^/apis/ogopogod/.*$`},
+            {"method": "DELETE", "path": `^/apis/ogopogod/.*$`},
         ],
         "heartbeat": [
         {{- if and (eq $.Values.opa.xnamePolicy.heartbeat true) (eq $.Values.opa.xnamePolicy.enabled true) }}

diff --git a/kubernetes/cray-opa/tests/opa/spire_test.rego.tpl b/kubernetes/cray-opa/tests/opa/spire_test.rego.tpl
@@ -310,6 +310,13 @@ test_wlm {
   not allow.http_status with input as {"attributes": {"request": {"http": {"method": "DELETE", "path": "/apis/jackaloped/fabric/nics", "headers": {"authorization": spire_sub}}}}}
   # jackaloped - not allowed
   allow.http_status == 403 with input as {"attributes": {"request": {"http": {"method": "PUT", "path": "/apis/jackaloped/fabric/nics", "headers": {"authorization": spire_sub}}}}}
+  # ogopogod - allowed
+  not allow.http_status with input as {"attributes": {"request": {"http": {"method": "GET", "path": "/apis/ogopogod/partitions", "headers": {"authorization": spire_sub}}}}}
+  not allow.http_status with input as {"attributes": {"request": {"http": {"method": "HEAD", "path": "/apis/ogopogod/partitions", "headers": {"authorization": spire_sub}}}}}
+  not allow.http_status with input as {"attributes": {"request": {"http": {"method": "POST", "path": "/apis/ogopogod/partitions", "headers": {"authorization": spire_sub}}}}}
+  not allow.http_status with input as {"attributes": {"request": {"http": {"method": "DELETE", "path": "/apis/ogopogod/partitions", "headers": {"authorization": spire_sub}}}}}
+  # ogopogod - not allowed
+  allow.http_status == 403 with input as {"attributes": {"request": {"http": {"method": "PUT", "path": "/apis/ogopogod/partitions", "headers": {"authorization": spire_sub}}}}}
 }
 
 test_tpm_provisioner_cray_spire {