Armory OPA Lab

In this lab we will install Armory Enterprise with OPA (Open Policy Agent). We will configure OPA to prevent the creation of pipelines without at least one manual judgment step.

If a pipeline doesn’t have at least one manual judgment step, the pipeline cannot be saved.

This manual judgment OPA logic is a basic “hello world” style example. After creating this configuration we will go through examples of more complex OPA logic and will choose interesting ones to try out together.

1. Delete Namespace Spinnaker

kubectl delete ns spinnaker

2. Create Namespace Spinnaker

kubectl create ns spinnaker

3. Download kubectl command

curl -LO

4. Chmod +x kubectl command

chmod +x kubectl

5. Create secrets

cd spinnaker-kustomize-patches/secrets; ./

6. Edit kustomization.yml

  # ConfigMap holding OPA policy definitions to use by Armory's policy engine. Required by patch-policyengine.yml
  - name: spin-policies
    files:
      - armory/policies/manual-judgement.rego

7. Run kustomize

~/kubectl apply -k /home/ec2-user/spinnaker-kustomize-patches

8. Watch for Pods to Come Up

watch kubectl get pods -n spinnaker

9. Edit the spin-policies config map

kubectl edit configmap spin-policies-dc79h66kbm -n spinnaker
Remove the line 1 := 0; it is a Rego null value.

10. Get Spin Deck URL

kubectl get svc spin-deck -n spinnaker


Now you can test it: Armory’s policy engine will not allow any pipeline to be saved without a Manual Judgment step.

  1. Create an application in your spinnaker installation

  2. Create a pipeline in your application

  3. Try to save a pipeline without a manual judgment

  4. Notice that the pipeline cannot be saved because the Open Policy Agent prevents it.
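The Rego below is an added example of the kind of "deny unless a manual judgment stage exists" policy this lab loads; it is not the lab's own manual-judgement.rego. It assumes the Armory policy engine conventions of package opa.pipelines and a pipeline passed as input.pipeline whose stages carry type "manualJudgment"; the test rules at the bottom use constructed pipelines and run with opa test.

```rego
# Assumed package name and input shape for Armory's policy engine:
# the pipeline being saved arrives as input.pipeline, and each stage
# has a "type" field ("manualJudgment" for a Manual Judgment stage).
package opa.pipelines

# Indexes of every stage whose type is manualJudgment. If the pipeline
# has no stages at all, this comprehension is simply empty, so the policy
# fails closed instead of becoming undefined.
manual_judgment_stages := [i | input.pipeline.stages[i].type == "manualJudgment"]

# Deny saving the pipeline when no Manual Judgment stage is present.
# Using a constant message keeps the rule defined even for pipelines
# that lack a name.
deny["Every pipeline must have at least one Manual Judgment stage"] {
	count(manual_judgment_stages) == 0
}

# --- tests (constructed sample pipelines; run with `opa test <file>`) ---

test_pipeline_without_manual_judgment_is_denied {
	count(deny) > 0 with input as {"pipeline": {
		"name": "deploy-app",
		"stages": [
			{"name": "Bake", "type": "bake"},
			{"name": "Deploy", "type": "deploy"},
		],
	}}
}

test_pipeline_with_manual_judgment_is_allowed {
	count(deny) == 0 with input as {"pipeline": {
		"name": "deploy-app",
		"stages": [
			{"name": "Bake", "type": "bake"},
			{"name": "Approve", "type": "manualJudgment"},
			{"name": "Deploy", "type": "deploy"},
		],
	}}
}

test_pipeline_with_no_stages_is_denied {
	count(deny) > 0 with input as {"pipeline": {"name": "empty"}}
}
```

The same file can be used as the source of the spin-policies ConfigMap once the test rules are removed.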


OPA Rules/Policies

kubectl -n spinnaker create configmap manual-judgment --from-file=manual-judgment.rego

kubectl -n spinnaker label configmap manual-judgment

Go over policy engine Example Policies