Enable Policy Engine Plugin in Armory Enterprise

Enable the Policy Engine Plugin and connect it to your OPA server. When enabled, you can write policies that the Policy Engine enforces during save time, runtime validation, or when a user interacts with Armory Enterprise.

Proprietary

Before you start

Make sure the following requirements are met:

Setup

You can enable the Policy Engine Plugin using the Armory Operator.

You can use the sample configuration to install the plugin, but keep the following in mind:

  • Make sure to replace the version number listed after &version with the version of the plugin you want to use. For a list of supported versions for each Enterprise release, see Release notes.
Show the manifest

This manifest is in the spinnaker-kustomize-patches repository.

#------------------------------------------------------------------------------
# Example configuration for enabling the Policy Agent plugin to enforce rules
# in Armory Enterprise pipelines.
#
# Feature documentation:
# https://docs.armory.io/docs/armory-admin/policy-engine/policy-engine-enable/policy-engine-plug-enable/
#
# Make sure you check the plugin compatibility for each release before deciding
# on a version. For example, for Armory Enterprise 2.27.1 you can find the
# matrix here:
# https://docs.armory.io/docs/release-notes/rn-armory-spinnaker/armoryspinnaker_v2-27-1/#plugin-compatibility
#
# Actual policies are defined in the "policies" folder and loaded into a
# ConfigMap.
#------------------------------------------------------------------------------
apiVersion: spinnaker.armory.io/v1alpha2
kind: SpinnakerService
metadata:
  name: spinnaker
spec:
  spinnakerConfig:
    profiles:
      # Configs in the spinnaker profile get applied to all services
      spinnaker:
        armory:
          policyEngine:
            opa:
              # Replace with the actual URL to your Open Policy Agent deployment
              baseUrl: http://opa:8181/v1/data
              # Optional. The number of seconds that the Policy Engine will wait for a response from the OPA server. Default is 10 seconds if omitted.
              # timeoutSeconds: <integer> 
        spinnaker:
          extensibility:
            repositories:
              policyEngine:
                enabled: true
                url: https://raw.githubusercontent.com/armory-plugins/policy-engine-releases/master/repositories.json
      gate:
        spinnaker:
          extensibility:
            plugins:
              Armory.PolicyEngine:
                enabled: true
            deck-proxy:
              enabled: true
              plugins:
                Armory.PolicyEngine:
                  enabled: true
                  version: &version 0.2.0

      orca:
        spinnaker:
          extensibility:
            plugins:
              Armory.PolicyEngine:
                enabled: true
                version: *version

      front50:
        spinnaker:
          extensibility:
            plugins:
              Armory.PolicyEngine:
                enabled: true
                version: *version

      clouddriver:
        spinnaker:
          extensibility:
            plugins:
              Armory.PolicyEngine:
                enabled: true
                version: *version

Optional settings

Timeout settings

You can configure the amount of time that the Policy Engine waits for a response from your OPA server. If you have network or latency issues, increasing the timeout can make Policy Engine more resilient. Use the following config to set the timeout in seconds: spec.spinnakerConfig.profiles.spinnaker.armory.policyEngine.opa.timeoutSeconds. The default timeout is 10 seconds if you omit the config.

JSON validation

You can configure strict JSON validation as a boolean in spec.spinnakerConfig.profiles.dinghy.jsonValidationDisabled:

spec:
  spinnakerConfig:
    profiles:
      dinghy:
        jsonValidationDisabled: <boolean>

The config is optional. If omitted, strict validation is on by default.

When strict validation is on, existing pipelines may fail if any JSON is invalid.

Release notes

  • 0.2.2 - Fixed bug for createApplication button with Spinnaker 1.28, to be included in 2.28 release
  • 0.2.1 - Fixed bug with the projects tab on deck for Armory Enterprise 2.27.1 and later
  • 0.2.0 - Update plugin to be compatible with Armory Enterprise 2.27.0 and later.
  • 0.1.6 - The Policy Engine Plugin is now generally available.
    • If you are new to using the Policy Engine, use the plugin instead of the extension project.
    • Entitlements using API Authorization no longer requires at least one policy. Previously, if you had no policies set, Policy Engine prevented any action from being taken. Now, Entitlements for Policy Engine allows any action to be taken if there are no policies set.
  • 0.1.4 - Adds the opa.timeoutSeconds property, which allows you to configure how long the Policy Engine waits for a response from the OPA server.
  • 0.1.3 - Fixes an issue introduced in v0.1.2 where the Project Configuration button’s name was changing when Policy Engine is enabled.
  • 0.1.2 - Adds support for writing policies against the package spinnaker.ui.entitlements.isFeatureEnabled to show/hide the following UI buttons:
    • Create Application
    • Application Config
    • Create Project
  • 0.0.25 - Fixes an unsatisfied dependency error in the API (Gate) when using SAML and x509 certificates. This fix requires Armory Enterprise 2.26.0 later.
  • 0.0.19 - Adds forced authentication feature and fixes NPE bug
  • 0.0.17 - Initial plugin release

Last modified September 12, 2022: (be43b5a)