Configuring S3 Bundle Registry with Google and SLP

The following section provides information and examples for configuring S3 Bundle Registry with Google and SLP.

For information on setting up and configuring cloud storage, see Cloud Storage.

1. GCP: Create two service accounts

   • For Styra DAS: Choose Storage Object Admin for write access or use custom role described in GS Bucket.

     • For this article: bundle-reg-das-write

   • For OPA: Choose Storage Object Viewer for write access.

     • For this article: bundle-reg-opa-read.

2. GCP: Create a new bucket and fill in the form according to your preferences (name, region, availability, and so on).

   • For this article: bundle-registry-test.

3. GCP: Create service account Hash-Based Message Authentication code (HMAC) access key for the Styra DAS service account

   • Navigate to Settings (left side) >> INTEROPERABILITY (top).

   • Create Service account HMAC access key for DAS service account bundle-reg-das-write.

4. Styra DAS: Create a System or navigate to an existing System.

   • For this article the System-type: Select Envoy:2.0.

   • Deployments of other systems and versions might look different.

5. DAS: Navigate to Settings >> Bundle Registry

   • Policy bundle registry: Google Storage
   • Region: keep Auto or select from dropdown
   • Bucket Name: bundle-registry-test
   • Endpoint: https://storage.googleapis.com
   • Access Key ID: (created in step 3 for service account bundle-reg-das-write)
   • Secret Access Key: (created in step 3 for service account bundle-reg-das-write)
   • Discovery bundle path (works with both of the following)
     1. /envoy/discovery.tgz
     2. discovery.tgz
   • Policy bundle path: /envoy/policy.tgz

6. Option 1: Use SLP with service account HMAC access key.

   a. GCP: Create another service account HMAC access key (see step 3) for the OPA service account bundle-reg-opa-read created in Step 1.

   b. TERMINAL: base64 encode the HMAC access key.

   # service account `bundle-reg-opa-read`: HMAC key
   OPA_AWS_ACCESS_KEY_ID=''
   OPA_AWS_SECRET_ACCESS_KEY=''
   OPA_AWS_REGION='auto'
   
   echo -n "$OPA_AWS_REGION" | base64
   echo -n "$OPA_AWS_ACCESS_KEY_ID" | base64 -w0 | xargs  echo
   echo -n "$OPA_AWS_SECRET_ACCESS_KEY" | base64

   c. Styra DAS: Download the SLP deployment.

   • For this article the System-type: Select Envoy:2.0.
   • Other systems and versions might look slightly different.

   d. Edit the SLP deployment.

   (i). Replace credential name: 'styra-bundles' with below configuration and update the bucket name in the URL.

   - name: styra-bundles
     url: https://storage.googleapis.com/< GCS bucket name >
     credentials:
       s3_signing:
         environment_credentials:
           aws_region: auto
         metadatacredentials: null
         webidentitycredentials: null

   (ii). Edit discovery.resource according to the input in DAS and update discovery.service to styra-bundles.

   discovery:
     name: discovery
     resource: < DAS policy bundle path >
     service: styra-bundles

   (iii). Add the das-slp-secret secret containing the base64 encoded AWS_REGION, AWS_ACCESS_KEY_ID, & AWS_SECRET_ACCESS_KEY to the downloaded YAML.

   kind: Secret
   apiVersion: v1
   metadata:
     name: das-slp-secret
   data:
     AWS_REGION: "< OPA_AWS_REGION | base64 >"
     AWS_ACCESS_KEY_ID: "< OPA_AWS_ACCESS_KEY_ID | base64 >"
     AWS_SECRET_ACCESS_KEY: "< OPA_AWS_SECRET_ACCESS_KEY | base64 >"

   (iv). Reference the secret in the SLP container.

   envFrom:
   - secretRef:
     name: das-slp-secret

7. Option 2: Use SLP with GCP IAM service account key (JSON).

   a. Prerequisites

   note

   The service account key is supported with this SLP image: 0.4.0 or greater.

   • SLP expects two services (both referenced in discovery.tar):

     • styra
     • styra-bundles

   • In contrary to the OPA docs the GCS bucket URL must look different.

     • OPA docs.

     • GCS docs.

   b. GCP: Navigate to IAM & Admin >> Service Accounts and create a new key for the OPA service account created in step 1. The downloaded file will be referenced as sa.json.

   Example service account key sa.json:

   {
       "type": "service_account",
       "project_id": "***redacted***",
       "private_key_id": "***redacted***",
       "private_key": "-----BEGIN PRIVATE KEY-----\n***redacted***\n-----END PRIVATE KEY-----\n",
       "client_email": "bundle-reg-opa-read@myproject.iam.gserviceaccount.com",
       "client_id": "***redacted***",
       "auth_uri": "https://accounts.google.com/o/oauth2/auth",
       "token_uri": "https://oauth2.googleapis.com/token",
       "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
       "client_x509_cert_url": "***redacted***"
   }

   c. Styra DAS: Download the SLP deployment.

   • For this article the System-type: Select Envoy:2.0.

   • Other systems and versions might look slightly different.

   d. Edit the SLP deployment.

   (i). Replace service.name: 'styra-bundles' with the following configuration and update the bucket name in the URL and the iss.

   - name: styra-bundles
     url: https://< GCS bucket name >.storage.googleapis.com
     credentials:
       oauth2:
         grant_type: jwt_bearer
         token_url: https://oauth2.googleapis.com/token
         signing_key: jwt_signing_key # references the key in `keys` below
         scopes:
         - https://www.googleapis.com/auth/devstorage.read_only
         additional_claims:
           aud: https://oauth2.googleapis.com/token
           iss: "< sa.json: client_email >"

   (ii). Edit discovery.resource according to the input in DAS and update discovery.service to styra-bundles.

   discovery:
     name: discovery
     resource: < DAS policy bundle path >
     service: styra-bundles

   (iii). Add a keys section containing the private_key from the downloaded sa.json key file.

   keys:
     jwt_signing_key:
       algorithm: RS256
       private_key: "< sa.json: private_key >"