hack: add opa override and no-op setup

Signed-off-by: Alex Suraci <asuraci@pivotal.io>
2020-06-19 10:49:30 -04:00 · 2020-06-19 10:49:30 -04:00 · 4e0393d167
parent fd5e8b6a4d
commit 4e0393d167
2 changed files with 35 additions and 0 deletions
--- a/hack/opa/policy.rego
+++ b/hack/opa/policy.rego
@ -0,0 +1,8 @@
+package concourse
+
+# replace with 'false' to add rules
+default allow = true
+
+# allow {
+#   input.action == "ListContainers"
+# }
--- a/hack/overrides/opa.yml
+++ b/hack/overrides/opa.yml
@ -0,0 +1,27 @@
+# opa.yml - a docker-compose override that adds 'opa' to the stack.
+#
+# ref: https://www.openpolicyagent.org/
+# ref: https://docs.docker.com/compose/extends/
+#
+version: '3'
+
+services:
+  web:
+    environment:
+      CONCOURSE_OPA_URL: http://opa:8181/v1/data/concourse/allow
+      CONCOURSE_POLICY_CHECK_FILTER_HTTP_METHODS: PUT,POST
+
+      # uncomment to configure
+      # CONCOURSE_POLICY_CHECK_FILTER_ACTION: ListWorkers,ListContainers,UseImage
+      # CONCOURSE_POLICY_CHECK_FILTER_ACTION_SKIP: PausePipeline,UnpausePipeline
+
+  opa:
+    image: openpolicyagent/opa
+    command:
+    - run
+    - --server
+    - --log-level=debug
+    - --watch
+    - /concourse-opa
+    volumes:
+    - ./hack/opa:/concourse-opa