feat: property to disable https in opa server

Signed-off-by: Ievgenii Shepeliuk <[email protected]>

charts/opa/README.md

@@ -11,10 +11,9 @@ engine designed for cloud-native environments.
 
 ## Overview
 
-This helm chart installs OPA as a [Kubernetes admission
+This helm chart installs OPA and `kube-mgmt` that allows to manage policies via Kubernetes ConfigMaps.
+Also the chart is able to install as a [Kubernetes admission
 controller](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/).
-Using OPA, you can enforce fine-grained invariants over arbitrary resources in
-your Kubernetes cluster.
 
 ## Kick the tires
 
@@ -42,8 +41,7 @@ the admission controller.
 
 ## Configuration
 
-All configuration settings are contained and described in
-[values.yaml](values.yaml).
+All configuration settings are contained and described in [values.yaml](values.yaml).
 
 You should set the URL and credentials for the OPA to use to download policies.
 The URL should identify an HTTP endpoint that implements the [OPA Bundle
@@ -57,55 +55,3 @@ API](https://www.openpolicyagent.org/docs/bundles.html).
 For more information on OPA-specific configuration see the [OPA Configuration
 Reference](https://www.openpolicyagent.org/docs/configuration.html).
 
-| Parameter | Description | Default |
-| --- | --- | --- |
-| `certManager.enabled` | Setup the Webhook using cert-manager | `false` |
-| `certManager.rootCACertificateDuration` | Duration of the Webhook's root CA | `43800h` (5y) |
-| `certManager.servingCertificateDuration` | Duration of the Webhook's serving certificate | `8760h` (1y) |
-| `admissionController.enabled` | | `true` |
-| `admissionController.kind` | Type of admission controller to install. | `ValidatingWebhookConfiguration` |
-| `admissionController.annotations` | Annotations placed on all admissionController resources (Secret/Certificate/Issuer/AdmissionController). | `[]` |
-| `admissionController.failurePolicy` | Fail-open (`Ignore`) or fail-closed (`Fail`)? | `Ignore` |
-| `admissionController.rules` | Types of operations resources to check. | `*` |
-| `admissionController.namespaceSelector` | Namespace selector for the admission controller | See [values.yaml](values.yaml) |
-| `generateCerts` | Auto-generate TLS certificates. | `true` |
-| `CA` | Manually set TLS CA. | Unset |
-| `cert` | Manually set TLS certificate. | Unset |
-| `key` | Manually set TLS key. | Unset |
-| `podDisruptionBudget.enabled` | Enables creation of a PodDisruptionBudget for OPA. | `false` |
-| `podDisruptionBudget.minAvailable` | Sets the minimum number of pods to be available. Cannot be set at the same time as maxUnavailable. | `1` |
-| `podDisruptionBudget.maxUnavailable` | Sets the maximum number of pods to be unavailable. Cannot be set at the same time as minAvailable. | Unset |
-| `hostNetwork.enabled` | Use hostNetwork setting on OPA pod | `false` |
-| `dnsPolicyOverride` | DNS policy to use on OPA pod | `` |
-| `image.repository` | OPA image to deploy. | `openpolicyagent/opa` |
-| `image.tag` | OPA image tag to deploy. | See [values.yaml](values.yaml) |
-| `port` | Port in the pod to which OPA will bind itself. | `443` |
-| `logLevel` | Log level that OPA outputs at, (`debug`, `info` or `error`) | `info` |
-| `logFormat` | Log format that OPA produces (`text` or `json`) | `text` |
-| `replicas` | Number of admission controller replicas to deploy. | `1` |
-| `affinity` | Pod/Node affinity and anti-affinity | `{}` |
-| `tolerations` | List of node taint tolerations. | `[]` |
-| `nodeSelector` | Node labels for pod assignment. | `{}` |
-| `resources` | CPU and memory limits for OPA container. | `{}` |
-| `readinessProbe` | HTTP readiness probe for OPA container. | See [values.yaml](values.yaml) |
-| `livenessProbe` | HTTP liveness probe for OPA container. | See [values.yaml](values.yaml) |
-| `opa` | OPA configuration. | See [values.yaml](values.yaml) |
-| `mgmt` | kube-mgmt configuration. | See [values.yaml](values.yaml) |
-| `mgmt.port` | kube-mgmt/prometheus port used to communicate with opa. | See [values.yaml](values.yaml) |
-| `mgmt.extraEnv` | Additional environment variables to be added to the kube-mgmt container | `[]` |
-| `sar.resources` | CPU and memory limits for the sar container. | `{}` |
-| `priorityClassName` | The name of the priorityClass for the pods. | Unset |
-| `prometheus.enabled` | Flag to expose the `/metrics` endpoint to be scraped. | `false` |
-| `serviceMonitor.enabled` | if `true`, creates a Prometheus Operator ServiceMonitor | `false` |
-| `serviceMonitor.interval` | Interval that Prometheus scrapes Envoy metrics | `15s` |
-| `serviceMonitor.namespace` | Namespace which the operated Prometheus is running in | `` |
-| `annotations` | Annotations to be added to the deployment template. | `{}` |
-| `bootstrapPolicies` | Bootstrap policies to be loaded during OPA startup. | `{}` |
-| `timeoutSeconds` | Timeout for a webhook call in seconds. | `` |
-| `securityContext` | Security context for the containers | `{enabled: false, runAsNonRoot: true, runAsUser: 1}` |
-| `deploymentStrategy` | Specify deployment spec rollout strategy | `{}` |
-| `extraArgs` | Additional arguments to be added to the opa container | `[]` |
-| `extraEnv` | Additional environment variables to be added to the opa container | `[]` |
-| `extraContainers` | Additional containers to be added to the deployment | `[]` |
-| `extraVolumes` | Additional volumes to be added to the deployment | `[]` |
-| `extraPorts` | Additional ports to OPA service. Useful to expose `extraContainer` ports. | `[]` |

charts/opa/templates/deployment.yaml

@@ -85,11 +85,11 @@ spec:
       containers:
         - name: opa
           ports:
-          - name: https
+          - name: opa
             containerPort: {{ .Values.port }}
 {{- if .Values.prometheus.enabled }}
-          - name: http
-            containerPort: {{ .Values.mgmt.port }}
+          - name: diag
+            containerPort: {{ .Values.prometheus.port }}
 {{- end }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -105,8 +105,10 @@ spec:
 {{- if .Values.opa }}
             - "--config-file=/config/config.yaml"
 {{- end }}
+{{- if .Values.useHttps }}
             - "--tls-cert-file=/certs/tls.crt"
             - "--tls-private-key-file=/certs/tls.key"
+{{- end }}
             - "--addr=0.0.0.0:{{ .Values.port }}"
             - "--log-level={{ .Values.logLevel }}"
             - "--log-format={{ .Values.logFormat }}"
@@ -116,9 +118,7 @@ spec:
             - "--ignore=.*"
 {{- end }}
 {{- if .Values.prometheus.enabled }}
-            - "--addr=http://0.0.0.0:{{ .Values.mgmt.port }}"
-{{- else if .Values.mgmt.enabled }}
-            - "--addr=http://127.0.0.1:{{ .Values.mgmt.port }}"
+            - "--diagnostic-addr=http://0.0.0.0:{{ .Values.prometheus.port }}"
 {{- end }}
 {{- if or .Values.authz.enabled .Values.bootstrapPolicies }}
             - "/bootstrap"
@@ -143,15 +143,15 @@ spec:
           readinessProbe:
             httpGet:
               path: /health
-              scheme: HTTPS
-              port: {{ .Values.port }}
+              scheme: {{ .Values.useHttps | ternary "HTTPS" "HTTP" }}
+              port: opa
             initialDelaySeconds: 5
             periodSeconds: 10
           livenessProbe:
             httpGet:
               path: /health
-              scheme: HTTPS
-              port: {{ .Values.port }}
+              scheme: {{ .Values.useHttps | ternary "HTTPS" "HTTP" }}
+              port: opa
             initialDelaySeconds: 10
             periodSeconds: 15
 {{- if .Values.mgmt.enabled }}
@@ -168,7 +168,7 @@ spec:
 {{- if .Values.authz.enabled }}
             - --opa-auth-token-file=/bootstrap/mgmt-token
 {{- end }}
-            - --opa-url=http://127.0.0.1:{{ .Values.mgmt.port }}/v1
+            - --opa-url=http://127.0.0.1:{{ .Values.port }}/v1
             - --replicate-path={{ .Values.mgmt.replicate.path }}
             - --enable-data={{ .Values.mgmt.data.enabled }}
             - --enable-policies={{ .Values.mgmt.configmapPolicies.enabled }}

charts/opa/templates/service.yaml

@@ -8,13 +8,13 @@ spec:
   selector:
     app: {{ template "opa.fullname" . }}
   ports:
-  - name: https
-    protocol: TCP
-    port: 443
-    targetPort: {{ .Values.port }}
+  - name: opa
+    port: {{ .Values.port }}
+    targetPort: opa
 {{- if .Values.prometheus.enabled }}
-  - name: http
-    port: {{ .Values.mgmt.port }}
+  - name: diag
+    port: {{ .Values.prometheus.port }}
+    targetPort: diag
 {{- end }}
 {{- if .Values.extraPorts }}
 {{ toYaml .Values.extraPorts | indent 2}}

charts/opa/values.yaml

@@ -23,6 +23,7 @@ certManager:
 # Expose the prometheus scraping endpoint
 prometheus:
   enabled: false
+  port: 8182
 
 ## ServiceMonitor consumed by prometheus-operator
 serviceMonitor:
@@ -125,10 +126,12 @@ image:
 imagePullSecrets: []
 # - registrySecretName
 
-# Port to which the opa pod will bind itself
-# NOTE IF you use a different port make sure it maches the ones in the readinessProbe
-# and livenessProbe
-port: 443
+# Should OPA use TLS or not.
+useHttps: true
+
+# Port to which the opa pod will bind itself,
+# if useHttps is true - then 443, otherwise 8181 if not provided directly.
+port: 8181
 
 extraArgs: []
 
@@ -141,8 +144,6 @@ mgmt:
     repository: openpolicyagent/kube-mgmt
     tag: null # appVersion is used by default, set to desired value to override
     pullPolicy: IfNotPresent      
-# NOTE insecure http port conjointly used for mgmt access and prometheus metrics export
-  port: 8181
   extraArgs: []
   extraEnv: []
   resources: {}
@@ -272,3 +273,4 @@ extraPorts: []
 #   protocol: TCP
 #   name: http
 #   targetPort: http
+

test/linter/test.sh

@@ -35,6 +35,11 @@ if [ $? -ne 0 ]; then
   exit 1
 fi
 
+helm lint charts/opa --strict --set useHttps=false
+if [ $? -ne 0 ]; then
+  exit 1
+fi
+
 echo "=================================================================================="
 echo "                                LINT PASSED"
 echo "=================================================================================="