Update plugin to embed OPA as a library

These changes reduce the system administration overhead of deploying OPA as an authorization plugin. With these changes, opa-docker-authz can also be run as a container.
open-policy-agent · Feb 16, 2018 · 78f0350 · 78f0350
1 parent d0584c5
commit 78f0350
Show file tree

Hide file tree

Showing 7 changed files with 119 additions and 211 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,7 @@
+FROM alpine
+
+MAINTAINER Torin Sandall <torinsandall@gmail.com>
+
+ADD opa-docker-authz /opa-docker-authz
+
+ENTRYPOINT ["/opa-docker-authz"]
diff --git a/Makefile b/Makefile
@@ -1,7 +1,12 @@
 .PHONY: all build
 
+VERSION := 0.2
+
 all: build
 
 build:
-	@docker run -it --rm -v $(PWD):/go/src/github.com/open-policy-agent/opa-docker-authz golang:1.6 \
+	@docker run -it --rm -e VERSION=$(VERSION) -v $(PWD):/go/src/github.com/open-policy-agent/opa-docker-authz golang:1.8 \
 		/go/src/github.com/open-policy-agent/opa-docker-authz/build.sh
+
+image: build
+	@docker build -t openpolicyagent/opa-docker-authz:$(VERSION) -f Dockerfile .
diff --git a/README.md b/README.md
@@ -2,25 +2,26 @@
 
 This project is used to show how OPA can help policy-enable an existing service.
 
-In this example, we policy-enable the authorization functionality available in Docker 1.10 and later.
+In this example, we policy-enable the authorization functionality available in
+Docker 1.10 and later.
 
 ## Usage
 
-See the [detailed example](http://www.openpolicyagent.org/tutorials/docker-authorization/) to setup a running example of this plugin.
+See the [detailed example](http://www.openpolicyagent.org/docs/docker-authorization.html) to setup a running example of this plugin.
 
 ### Build
 
-To build the plugin, run (requires Docker):
-
-    $ make
+To build the plugin run `make`. The build requires Docker.
 
 ### Install
 
-The plugin can be started with no options. It may require sudo depending on your machine's Docker configuration permissions:
+The plugin can be started with no options. It may require sudo depending on your
+machine's Docker configuration permissions:
 
     $ opa-docker-authz
 
-- By default, the plugin will listen for requests (from Docker) on :8080 and contacts OPA on :8181.
+- By default, the plugin will listen for requests (from Docker) on :8080 and
+  read an OPA policy out of `policy.rego`. See `-h` for options.
 
 The following command line argument enables the authorization plugin within Docker:
 
@@ -36,7 +37,3 @@ On Ubuntu 16.04 this is done by overriding systemd configuration (requires root)
     EOF
     $ sudo systemctl daemon-reload
     $ sudo service docker restart
-
-### Testing
-
-The plugin will upsert a policy definition (by default, "example.rego") into OPA on startup and then establish a file watch to be notified when the definition changes. Each time the definition changes, the plugin will upsert into OPA.
diff --git a/build.sh b/build.sh
@@ -2,6 +2,8 @@
 
 set -ex
 
+echo "building version: $VERSION"
+
 cd /go/src/github.com/open-policy-agent/opa-docker-authz
 
 echo "install glide"
@@ -11,4 +13,4 @@ echo "install all the dependencies"
 glide install
 
 echo "build opa-docker-authz"
-go build -o opa-docker-authz
+CGO_ENABLED=0 go build -ldflags "-X github.com/open-policy-agent/opa-docker-authz.Version=$VERSION" -o opa-docker-authz
diff --git a/glide.lock b/glide.lock
diff --git a/glide.yaml b/glide.yaml
@@ -6,3 +6,5 @@ import:
   - authorization
 - package: github.com/fsnotify/fsnotify
   version: 4da3e2cfbabc9f751898f250b49f2439785783a1
+- package: github.com/open-policy-agent/opa
+  version: v0.6.0