[TT-13445] Add opa support (#350)

* Add opa support * Apply suggestions from code review Co-authored-by: Komal Sukhani <[email protected]> --------- Co-authored-by: Komal Sukhani <[email protected]> Co-authored-by: Bojan <[email protected]>
TykTechnologies · Nov 25, 2024 · 7f4e7d1 · 7f4e7d1
1 parent ba88220
commit 7f4e7d1
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 0 deletions.
diff --git a/components/tyk-dashboard/templates/deployment-dashboard.yaml b/components/tyk-dashboard/templates/deployment-dashboard.yaml
@@ -267,6 +267,14 @@ spec:
           - name:  TYK_DB_TIB_ENABLED
             value: {{ .Values.tib.enabled | quote }}
           {{- end }}
+          - name: TYK_DB_SECURITY_OPENPOLICY_ENABLED
+            value: {{ .Values.dashboard.opa.enabled | quote }}
+          - name: TYK_DB_SECURITY_OPENPOLICY_DEBUG
+            value: {{ .Values.dashboard.opa.debug | quote }}
+          - name: TYK_DB_SECURITY_OPENPOLICY_ENABLEAPI
+            value: {{ .Values.dashboard.opa.api | quote }}
+          - name: TYK_DB_SECURITY_ALLOWADMINRESETPASSWORD
+            value: {{ .Values.dashboard.opa.allowAdminPasswordReset | quote }}
 
           {{- if .Values.dashboard.extraEnvs }}
           {{- include "tyk-dashboard.tplvalues.render" (dict "value" .Values.dashboard.extraEnvs "context" $) | nindent 10 }}

diff --git a/components/tyk-dashboard/values.yaml b/components/tyk-dashboard/values.yaml
@@ -278,6 +278,20 @@ dashboard:
   # Enable support for users with the same email for multiple organisations
   # It is used to set TYK_DB_ENABLEMULTIORGUSERS
   enableMultiOrgUsers: true
+  opa:
+    # Enables OPA support.
+    # It is used to set TYK_DB_SECURITY_OPENPOLICY_ENABLED
+    enabled: false
+    # Enables OPA debug mode which will allow more detailed logs about the policy execution.
+    # It is used to set TYK_DB_SECURITY_OPENPOLICY_DEBUG
+    debug: false
+    # Enables OPA API mode which allows you to manage the OPA policies via the Dashboard API
+    # It is used to set TYK_DB_SECURITY_OPENPOLICY_ENABLEAPI
+    api: false
+    # If OPA is enabled with its default policies, you will need to set TYK_DB_SECURITY_ALLOWADMINRESETPASSWORD
+    # to avoid bootstrap job failure because of the OPA policy restrictions.
+    # It is used to set TYK_DB_SECURITY_ALLOWADMINRESETPASSWORD
+    allowAdminPasswordReset: true
 
   # replicaCount specifies number of replicas to be created if kind is Deployment.
   replicaCount: 1

diff --git a/tyk-control-plane/values.yaml b/tyk-control-plane/values.yaml
@@ -1095,6 +1095,20 @@ tyk-dashboard:
     # Enable support for users with the same email for multiple organisations
     # It is used to set TYK_DB_ENABLEMULTIORGUSERS
     enableMultiOrgUsers: true
+    opa:
+      # Enables OPA support.
+      # It is used to set TYK_DB_SECURITY_OPENPOLICY_ENABLED
+      enabled: false
+      # Enables OPA debug mode which will allow more detailed logs about the policy execution.
+      # It is used to set TYK_DB_SECURITY_OPENPOLICY_DEBUG
+      debug: false
+      # Enables OPA API mode which allows you to manage the OPA policies via the Dashboard API
+      # It is used to set TYK_DB_SECURITY_OPENPOLICY_ENABLEAPI
+      api: false
+      # If OPA is enabled with its default policies you will need to set TYK_DB_SECURITY_ALLOWADMINRESETPASSWORD
+      # to avoid bootstrap job failure because of the OPA policy restrictions.
+      # It is used to set TYK_DB_SECURITY_ALLOWADMINRESETPASSWORD
+      allowAdminPasswordReset: true
 
 
     # replicaCount specifies number of replicas to be created if kind is Deployment.

diff --git a/tyk-stack/values.yaml b/tyk-stack/values.yaml
@@ -1107,6 +1107,21 @@ tyk-dashboard:
     # Enable support for users with the same email for multiple organisations
     # It is used to set TYK_DB_ENABLEMULTIORGUSERS
     enableMultiOrgUsers: true
+    # Manage dashboard API Open Policy Agent(OPA) support
+    opa:
+      # Enables OPA support.
+      # It is used to set TYK_DB_SECURITY_OPENPOLICY_ENABLED
+      enabled: false
+      # Enables OPA debug mode which will allow more detailed logs about the policy execution.
+      # It is used to set TYK_DB_SECURITY_OPENPOLICY_DEBUG
+      debug: false
+      # Enables OPA API mode which allows you to manage the OPA policies via the Dashboard API
+      # It is used to set TYK_DB_SECURITY_OPENPOLICY_ENABLEAPI
+      api: false
+      # If OPA is enabled with its default policies you will need to set TYK_DB_SECURITY_ALLOWADMINRESETPASSWORD
+      # to avoid bootstrap job failure because of the OPA policy restrictions.
+      # It is used to set TYK_DB_SECURITY_ALLOWADMINRESETPASSWORD
+      allowAdminPasswordReset: true
 
     # replicaCount specifies number of replicas to be created if kind is Deployment.
     replicaCount: 1