Add Open Policy Agent (OPA) to Kubernetes cluster #1

mitchellhuang · 2020-07-12T01:04:35Z

Add Open Policy Agent (OPA) admission controller to the Kubernetes (k8s) cluster installed by Tectonic.
I tried to be as modular as possible, for example, re-using the Terraform tls module to generate OPA self-signed certs.

I assumed that by installing OPA, we meant the full OPA admission controller.
I assumed that we wanted the k8s manifests in HCL instead of YAML so I used the Terraform Kubernetes provider.
Looks like there is a bug with the Terraform k8s provider which causes Terraform to dial the k8s cluster during a terraform plan when specifying kubernetes_namespace so I have submitted my terraform plan without namespace.tf

I've identified two critical issues with my PR:

I did not implement the last step of the OPA admission controller documentation: the ValidatingWebhookConfiguration CRD. I have solved this by actually adding this step to the pull request (ha): 5c21bf9 09453ea
OPA was sharing the same CA with the Tectonic control panel. Because of how OPA works, I assume we either want to create an independent CA for OPA or use a user provided CA for OPA. I have gone ahead and added those variables to config.tf, and if they are not supplied, they will be auto-generated, similar to tls/kube/self-signed: 3bf71b8

Mitchell Huang added 7 commits July 11, 2020 17:29

Add .gitignore

fdb0a6b

Add opa to kubernetes

b721e36

Auto-gen certs for OPA installation

15a909c

Fix spacing

ca650ea

Add ValidatingWebhookConfiguration custom resource definition

5c21bf9

Use independent OPA certificate authority

3bf71b8

Add OPA ignore label to opa and kube-system namespaces

09453ea

mitchellhuang closed this Jul 21, 2020

Provide feedback