
Frequently Asked Questions (FAQ)

This page aims to answer the FAQs about Bundle Registry.

How to configure S3 Bundle Registry with Google and SLP

For information on setting up and configuring cloud storage, see Cloud Storage.

  1. GCP: Create two service accounts.

    • For DAS: Choose Storage Object Admin for write access, or use the custom role described in GS Bucket.

      • For this article: bundle-reg-das-write
    • For OPA: Choose Storage Object Viewer for read access.

      • For this article: bundle-reg-opa-read
  2. GCP: Create a new bucket and fill in the form according to your preferences (name, region, availability, and so on).

    • For this article: bundle-registry-test.
  3. GCP: Create a service account HMAC (hash-based message authentication code) access key for the DAS service account.

    • Navigate to Settings (left side) >> INTEROPERABILITY (top).

    • Create a service account HMAC access key for the DAS service account bundle-reg-das-write.

  4. DAS: Create a system or navigate to an existing system.

    • For this article, select the system type Envoy:2.0.
    • Deployments of other systems and versions might look different.
  5. DAS: Navigate to Settings >> Bundle Registry

    • Policy bundle registry: Google Storage
    • Region: keep Auto or select from dropdown
    • Bucket Name: bundle-registry-test
    • Endpoint: https://storage.googleapis.com
    • Access Key ID: (created in step 3 for service account bundle-reg-das-write)
    • Secret Access Key: (created in step 3 for service account bundle-reg-das-write)
    • Discovery bundle path (either of the following forms works)
      1. /envoy/discovery.tgz
      2. discovery.tgz
    • Policy bundle path: /envoy/policy.tgz
  6. Option 1: Use SLP with service account HMAC access key.

    a. GCP: Create another service account HMAC access key (see step 3) for the OPA service account bundle-reg-opa-read created in Step 1.

    b. TERMINAL: base64-encode the HMAC access key.

    # service account `bundle-reg-opa-read`: HMAC key created in step 6a (fill in the values)
    OPA_AWS_ACCESS_KEY_ID=''
    OPA_AWS_SECRET_ACCESS_KEY=''
    OPA_AWS_REGION='auto'

    # echo -n keeps a trailing newline out of the encoded value;
    # base64 -w0 (GNU coreutils) disables line wrapping so each value is a single line.
    echo -n "$OPA_AWS_REGION" | base64 -w0; echo
    echo -n "$OPA_AWS_ACCESS_KEY_ID" | base64 -w0; echo
    echo -n "$OPA_AWS_SECRET_ACCESS_KEY" | base64 -w0; echo

    c. DAS: Download the SLP deployment.

    • For this article, select the system type Envoy:2.0.
    • Other systems and versions might look slightly different.

    d. Edit the SLP deployment.

    (i). Replace the service entry named styra-bundles with the configuration below and update the bucket name in the URL.

    - name: styra-bundles
      url: https://storage.googleapis.com/< GCS bucket name >
      credentials:
        s3_signing:
          environment_credentials:
            aws_region: auto
          metadata_credentials: null
          web_identity_credentials: null

    (ii). Edit discovery.resource according to the input in DAS and update discovery.service to styra-bundles.

    discovery:
      name: discovery
      resource: < DAS policy bundle path >
      service: styra-bundles

    (iii). Add the das-slp-secret secret containing the base64-encoded AWS_REGION, AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (from step 6b) to the downloaded YAML.

    kind: Secret
    apiVersion: v1
    metadata:
      name: das-slp-secret
    data:
      AWS_REGION: "< OPA_AWS_REGION | base64 >"
      AWS_ACCESS_KEY_ID: "< OPA_AWS_ACCESS_KEY_ID | base64 >"
      AWS_SECRET_ACCESS_KEY: "< OPA_AWS_SECRET_ACCESS_KEY | base64 >"

    (iv). Reference the secret in the SLP container.

    envFrom:
      - secretRef:
          name: das-slp-secret
  7. Option 2: Use SLP with GCP IAM service account key (JSON).

    a. Prerequisites

    Note: the service account key is supported with SLP image 0.4.0 or greater.

    • SLP expects two services (both referenced in discovery.tar):

      • styra
      • styra-bundles
    • Contrary to the OPA docs, the GCS bucket URL must take a different form (see step d below).

    b. GCP: Navigate to IAM & Admin >> Service Accounts and create a new key for the OPA service account created in step 1. The downloaded file will be referenced as sa.json.

    Example service account key sa.json (values redacted):

    {
      "type": "service_account",
      "project_id": "***redacted***",
      "private_key_id": "***redacted***",
      "private_key": "-----BEGIN PRIVATE KEY-----\n***redacted***\n-----END PRIVATE KEY-----\n",
      "client_email": "bundle-reg-opa-read@myproject.iam.gserviceaccount.com",
      "client_id": "***redacted***",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "***redacted***"
    }

    c. DAS: Download the SLP deployment.

    • For this article, select the system type Envoy:2.0.

    • Other systems and versions might look slightly different.

    d. Edit the SLP deployment.

    (i). Replace the service entry named styra-bundles with the following configuration, then update the bucket name in the URL and the iss claim.

    - name: styra-bundles
      url: https://< GCS bucket name >.storage.googleapis.com
      credentials:
        oauth2:
          grant_type: jwt_bearer
          token_url: https://oauth2.googleapis.com/token
          signing_key: jwt_signing_key # references the key in `keys` below
          scopes:
            - https://www.googleapis.com/auth/devstorage.read_only
          additional_claims:
            aud: https://oauth2.googleapis.com/token
            iss: "< sa.json: client_email >"

    (ii). Edit discovery.resource according to the input in DAS and update discovery.service to styra-bundles.

    discovery:
      name: discovery
      resource: < DAS policy bundle path >
      service: styra-bundles

    (iii). Add a keys section containing the private_key from the downloaded sa.json key file.

    keys:
      jwt_signing_key:
        algorithm: RS256
        private_key: "< sa.json: private_key >"
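To make the jwt_bearer configuration of step 7d concrete, the Go program below is an added example (not SLP's or OPA's own code) of what that configuration causes at runtime: the PKCS#8 private_key from sa.json becomes the RS256 signing key, the assertion carries iss = client_email, the read-only scope and aud = token_url, and the token endpoint accepts it only if the signature verifies under the service account's public key, aud matches, and exp has not passed. The function names, the one-hour assertion lifetime and the key generated in main are assumptions of this example; the generated key is a constructed stand-in for the sa.json download, not a real service account key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Values from the SLP configuration above (token_url and the read-only scope).
const TokenURL = "https://oauth2.googleapis.com/token"
const ReadOnlyScope = "https://www.googleapis.com/auth/devstorage.read_only"

// Claims is the assertion body: iss is sa.json client_email, aud is the token URL.
type Claims struct {
	Iss   string `json:"iss"`
	Scope string `json:"scope"`
	Aud   string `json:"aud"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

// ParsePrivateKeyPEM turns the sa.json private_key (PEM, PKCS#8) into the RS256 signing key.
func ParsePrivateKeyPEM(pemText string) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil {
		return nil, errors.New("private_key is not PEM")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if key, ok := parsed.(*rsa.PrivateKey); ok && err == nil {
		return key, nil
	}
	return nil, fmt.Errorf("RS256 needs an RSA PKCS#8 key: %v", err)
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildAssertion signs header.payload with RS256; the result is the jwt_bearer assertion POSTed to token_url.
func BuildAssertion(key *rsa.PrivateKey, iss, scope, aud string, now time.Time) (string, error) {
	payload, err := json.Marshal(Claims{Iss: iss, Scope: scope, Aud: aud,
		Iat: now.Unix(), Exp: now.Add(time.Hour).Unix()}) // assumed one-hour lifetime
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyAssertion mirrors the token endpoint: RS256 signature under the service account's public key, then aud and exp.
func VerifyAssertion(pub *rsa.PublicKey, token, expectedAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	payload, errP := base64.RawURLEncoding.DecodeString(parts[1])
	sig, errS := base64.RawURLEncoding.DecodeString(parts[2])
	if errP != nil || errS != nil {
		return nil, errors.New("malformed JWT segment")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Aud != expectedAud || now.Unix() >= c.Exp {
		return nil, fmt.Errorf("rejected: aud %q must be the token endpoint and exp %d must be in the future", c.Aud, c.Exp)
	}
	return &c, nil
}

func main() {
	// Constructed key standing in for the sa.json download; not a real service account key.
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	der, _ := x509.MarshalPKCS8PrivateKey(key)
	signer, err := ParsePrivateKeyPEM(string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})))
	if err != nil {
		panic(err)
	}
	tok, _ := BuildAssertion(signer, "bundle-reg-opa-read@myproject.iam.gserviceaccount.com", ReadOnlyScope, TokenURL, time.Now())
	_, err = VerifyAssertion(&signer.PublicKey, tok, TokenURL, time.Now())
	fmt.Println("assertion accepted:", err == nil)
}
```

Two things this makes visible about the configuration: an iss that does not equal client_email or an aud that is not the token URL is rejected before any bucket access happens, which is why both values are filled in from sa.json; and the private_key in the keys section is the long-lived credential of bundle-reg-opa-read, so the edited SLP deployment deserves the same handling as the das-slp-secret of option 1.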