Simple demonstration of bundle signing and verification for Open Policy Agent (OPA).
First of all, we'll need a key pair (a private key for signing and a public key for verification):
openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
openssl rsa -pubout -in private_key.pem -out public_key.pem
Given a policy directory that we want to build a bundle from, we can now create a .signatures.json file, which we'll later use for bundle verification:
opa sign --signing-key private_key.pem --bundle policy/
Once created, move the .signatures.json file into the bundle directory:
mv .signatures.json policy/
We're now ready to build the bundle, providing both the signing key and the verification key:
opa build --bundle --signing-key private_key.pem --verification-key public_key.pem policy/
Next, move the bundle to the bundle server. For the purpose of the example, we'll use an nginx server running locally. The command below is for macOS with nginx installed via brew; the location of the nginx "www" directory may obviously vary.
mv bundle.tar.gz /opt/homebrew/var/www
opa-conf.yaml:
services:
  nginx:
    url: http://localhost:8080
bundles:
  policy:
    service: nginx
    resource: bundle.tar.gz
    signing:
      keyid: verifier
keys:
  verifier:
    key: changeme
We now have a signed bundle served from our bundle server, so let's start the OPA server with a config file pointing to its location. Note especially the use of --set-file to supply the location of our public key (replacing the changeme placeholder above). This is preferable to keeping keys embedded in the configuration:
opa run --server \
--config-file=opa-conf.yaml \
--set-file="keys.verifier.key=public_key.pem"
Make sure you see "Bundle loaded and activated successfully." in the logs.
Done!