hack: add opa override and no-op setup
Signed-off-by: Alex Suraci <asuraci@pivotal.io>
parent
fd5e8b6a4d
commit
4e0393d167
|
@ -0,0 +1,8 @@
|
|||
package concourse
|
||||
|
||||
# replace with 'false' to add rules
|
||||
default allow = true
|
||||
|
||||
# allow {
|
||||
# input.action == "ListContainers"
|
||||
# }
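Review bot: With `default allow = true` this policy is fail-open: every action Concourse sends to OPA is permitted, and the commented-out `allow` rule has no effect even once uncommented, because the default already grants access. The one-line comment above the default does not make that clear, so I would expand it to something like `# dev-only no-op: every checked action is allowed; change the default to false before enabling the rule below`. The example rule names `ListContainers`, which looks like a read action; with the override's method filter of `PUT,POST` it may never reach OPA unless `CONCOURSE_POLICY_CHECK_FILTER_ACTION` is uncommented, which is worth noting in the comment as well.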
|
|
@ -0,0 +1,27 @@
|
|||
# opa.yml - a docker-compose override that adds 'opa' to the stack.
|
||||
#
|
||||
# ref: https://www.openpolicyagent.org/
|
||||
# ref: https://docs.docker.com/compose/extends/
|
||||
#
|
||||
version: '3'
|
||||
|
||||
services:
|
||||
web:
|
||||
environment:
|
||||
CONCOURSE_OPA_URL: http://opa:8181/v1/data/concourse/allow
|
||||
CONCOURSE_POLICY_CHECK_FILTER_HTTP_METHODS: PUT,POST
|
||||
|
||||
# uncomment to configure
|
||||
# CONCOURSE_POLICY_CHECK_FILTER_ACTION: ListWorkers,ListContainers,UseImage
|
||||
# CONCOURSE_POLICY_CHECK_FILTER_ACTION_SKIP: PausePipeline,UnpausePipeline
|
||||
|
||||
opa:
|
||||
image: openpolicyagent/opa
|
||||
command:
|
||||
- run
|
||||
- --server
|
||||
- --log-level=debug
|
||||
- --watch
|
||||
- /concourse-opa
|
||||
volumes:
|
||||
- ./hack/opa:/concourse-opa
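Review bot: The `opa` service uses `image: openpolicyagent/opa` with no tag, so each pull resolves to whatever `latest` is at that moment and the policy engine can change without any change in this repository. Pinning it, e.g. `image: openpolicyagent/opa:<pinned-tag>` (placeholder, choose the version you tested against) or a digest, keeps the stack reproducible. The policy directory is only read and watched by OPA, so the bind mount can be read-only: `- ./hack/opa:/concourse-opa:ro`. `--log-level=debug` is fine for a hack override, but a header comment should say this file is for local development only, since debug logging may include the policy inputs sent by `web`.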
|