Usage

After installation, the CRD for this operator must be created:

kubectl apply -f /etc/stackable/opa-operator/crd/openpolicyagent.crd.yaml

To create a single node OPA (v0.45.0) cluster with Prometheus metrics exposed on port 8081:

    apiVersion: opa.stackable.tech/v1alpha1
    kind: OpaCluster
    metadata:
      name: simple-opa
    spec:
      image:
        productVersion: 0.45.0
        stackableVersion: 0.3.0
      servers:
        roleGroups:
          default:
            selector:
              matchLabels:
                kubernetes.io/os: linux

Please note that the version you specify is not only the version of OPA you want to roll out; it must be combined with a Stackable version as shown. This Stackable version is the version of the underlying container image used to execute the processes. For a list of available versions please check our image registry. It should generally be safe to simply use the latest image version that is available.

Policy Language

Users can define policies by using Rego, OPA's policy language.

Policy definitions are deployed as ConfigMap resources as described in the implementation notes.

Here is an example:

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: test
  labels:
    opa.stackable.tech/bundle: "true" # (1)
data:
  test.rego: | # (2)
    package test

    hello {
      true
    }

    world {
      false
    }

(1) Mark this ConfigMap as a bundle source.
(2) test.rego is the file name to use inside the bundle for these rules.

Monitoring

The managed OPA instances are automatically configured to export Prometheus metrics. See Monitoring for more details.

Configuration & Environment Overrides

The cluster definition also supports overriding configuration properties and environment variables, either per role or per role group, where the more specific override (role group) has precedence over the less specific one (role).

Do not override port numbers. This will lead to faulty installations.

Configuration Properties

Currently not supported for config.yaml.

Environment Variables

Environment variables can be (over)written by adding the envOverrides property.

For example per role group:

servers:
  roleGroups:
    default:
      config: {}
      envOverrides:
        MY_ENV_VAR: "MY_VALUE"

or per role:

servers:
  envOverrides:
    MY_ENV_VAR: "MY_VALUE"
  roleGroups:
    default:
      config: {}

Storage for data volumes

The OPA Operator currently does not support using PersistentVolumeClaims for internal storage.

Memory requests

Stackable operators handle resource requests in a slightly different manner than Kubernetes. Resource requests are defined on role or role group level. See Roles and role groups for details on these concepts. On the role level this means that e.g. all workers will use the same resource requests and limits. This can be further specified on the role group level (which takes priority over the role level) to apply different resources.

This is an example on how to specify CPU and memory resources using the Stackable Custom Resources:

---
apiVersion: example.stackable.tech/v1alpha1
kind: ExampleCluster
metadata:
  name: example
spec:
  workers: # role-level
    config:
      resources:
        cpu:
          min: 300m
          max: 600m
        memory:
          limit: 3Gi
    roleGroups: # role-group-level
      resources-from-role: # role-group 1
        replicas: 1
      resources-from-role-group: # role-group 2
        replicas: 1
        config:
          resources:
            cpu:
              min: 400m
              max: 800m
            memory:
              limit: 4Gi

In this case, the role group resources-from-role inherits the resources specified on the role level, resulting in a maximum of 3Gi memory and 600m CPU resources.

The role group resources-from-role-group has a maximum of 4Gi memory and 800m CPU resources (which overrides the role CPU resources).

For Java products the actual heap memory used is lower than the specified memory limit, because other processes in the container also require memory to run. Currently, 80% of the specified memory limit is passed to the JVM.

For memory only a limit can be specified, which is set as both memory request and limit in the container. This is to always guarantee a container the full amount of memory during Kubernetes scheduling.

If no resource requests are configured explicitly, the OPA operator uses the following defaults:

servers:
  roleGroups:
    default:
      config:
        resources:
          cpu:
            min: '200m'
            max: "2"
          memory:
            limit: '2Gi'

The default values are most likely not sufficient to run a proper cluster in production. Please adapt according to your requirements.
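The precedence rules described above (role group over role over operator defaults, for both envOverrides and resources, with the memory limit doubling as the request) can be checked offline with the following added example; it is not part of the operator's code base. It assumes that partial overrides merge field by field (a role group that sets only memory keeps the role's CPU values) and uses the resources example and default values from this page as constructed input.

```python
"""Resolve effective settings per role group: role group > role > operator defaults."""
import copy

# Operator defaults for the `servers` role, taken from the defaults block on this page.
OPERATOR_DEFAULTS = {
    "resources": {"cpu": {"min": "200m", "max": "2"}, "memory": {"limit": "2Gi"}}
}


def deep_merge(base: dict, override: dict) -> dict:
    """Copy of `base` with `override` applied; nested dicts merge, scalars are replaced."""
    result = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = deep_merge(result[key], value)
        else:
            result[key] = copy.deepcopy(value)
    return result


def resolve_role_group(role: dict, group_name: str) -> dict:
    """Effective config and envOverrides for one role group (assumed field-wise merge)."""
    group = role["roleGroups"][group_name]
    config = deep_merge(OPERATOR_DEFAULTS, role.get("config", {}))
    config = deep_merge(config, group.get("config", {}))
    # Environment variables: role-group entries win over role entries of the same name.
    env = {**role.get("envOverrides", {}), **group.get("envOverrides", {})}
    return {"config": config, "envOverrides": env}


def container_resources(config: dict) -> dict:
    """Kubernetes requests/limits; the memory limit is also used as the request."""
    res = config["resources"]
    return {
        "requests": {"cpu": res["cpu"]["min"], "memory": res["memory"]["limit"]},
        "limits": {"cpu": res["cpu"]["max"], "memory": res["memory"]["limit"]},
    }


# Constructed sample: the `workers` role from the resources example, plus env overrides.
SAMPLE_ROLE = {
    "config": {"resources": {"cpu": {"min": "300m", "max": "600m"}, "memory": {"limit": "3Gi"}}},
    "envOverrides": {"MY_ENV_VAR": "MY_VALUE"},
    "roleGroups": {
        "resources-from-role": {"replicas": 1},
        "resources-from-role-group": {
            "replicas": 1,
            "config": {"resources": {"cpu": {"min": "400m", "max": "800m"}, "memory": {"limit": "4Gi"}}},
            "envOverrides": {"MY_ENV_VAR": "GROUP_VALUE"},
        },
    },
}

if __name__ == "__main__":
    for name in SAMPLE_ROLE["roleGroups"]:
        resolved = resolve_role_group(SAMPLE_ROLE, name)
        print(name, container_resources(resolved["config"]), resolved["envOverrides"])
```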