OPA (Open Policy Agent) integration

OPA (Open Policy Agent) is becoming very popular since it entered the CNCF Sandbox in March 2018. Having this service running inside GitLab would enable many new features and integrations.

OPA is a policy engine that can run as a daemon, a CLI, or directly as a library to be called inside an application. This issue covers some use cases in order to discuss them and create specific issues if needed. While OPA is "Policy-based control for cloud native environments", it can be used in many different environments and use-cases.

Principle

The principle of OPA is simple: a decision is requested from OPA by providing a request (the "input"). OPA evaluates the input (as JSON) against the available policies (written in Rego), along with any available data (also JSON). The policies can generate arbitrary structured data (JSON) as output.

In other words, OPA takes JSON as an input and returns JSON as an output. That's why it's very easy to integrate it in existing configurations. When run as a service, OPA is lightweight and fast.


Use cases

Policies in CI/CD

OPA can already be used in GitLab CI/CD by leveraging the OPA docker image.

Compliance pipelines can be used to enforce these jobs across multiple projects/groups. The input for OPA can be job artifacts or files present in the repo. The output can be a job artifact (a JSON file exposing violations) or a job failure with detailed output explaining any non-compliance.

An example of running OPA within a pipeline can be found here. An example of how policies can be defined within GitLab using Rego can be found here.

Another (internal) example can be found in the opa-policies folder of this project.
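A worked example added here (not from this issue or any GitLab project) of the CI/CD use case above: a Rego policy, in OPA v1 syntax (`import rego.v1`), that takes a repository's .gitlab-ci.yml (converted to JSON and passed as OPA `input`) and returns each violation as a JSON object. The package name, rule names and the sample config are assumptions.

```rego
package gitlab.ci
import rego.v1

# Top-level keys of .gitlab-ci.yml that are not job definitions.
reserved := {"stages", "variables", "default", "include", "workflow", "image", "services", "cache", "before_script", "after_script"}

# A job is any non-reserved, non-hidden (".name") top-level object.
jobs[name] := job if {
	some name, job in input
	is_object(job)
	not reserved[name]
	not startswith(name, ".")
}

# Effective image of a job: its own `image` if set, else the global one; either a string or {name: ...}.
image_of(job) := job.image if job.image
image_of(job) := input.image if not job.image
image_name(img) := img if is_string(img)
image_name(img) := img.name if is_object(img)

# Each violation is a JSON object, so the whole set can be saved as a job artifact.
deny contains {"job": name, "msg": msg} if {
	some name, job in jobs
	img := image_name(image_of(job))
	not contains(img, ":")
	msg := sprintf("image %q is not pinned to a tag", [img])
}
deny contains {"job": name, "msg": msg} if {
	some name, job in jobs
	img := image_name(image_of(job))
	endswith(img, ":latest")
	msg := sprintf("image %q uses the mutable latest tag", [img])
}

# Constructed sample input (a CI config converted to JSON); `opa test policy.rego` runs the check below.
sample := {
	"stages": ["test", "deploy"],
	"image": "alpine:3.19",
	"unit_tests": {"stage": "test", "script": ["make test"]},
	"lint": {"stage": "test", "image": {"name": "golangci/golangci-lint"}, "script": ["lint"]},
	"deploy": {"stage": "deploy", "image": "docker:latest", "script": ["make deploy"]},
}

test_deny_flags_unpinned_and_latest if {
	v := deny with input as sample
	count(v) == 2
	{"job": "deploy", "msg": "image \"docker:latest\" uses the mutable latest tag"} in v
	{"job": "lint", "msg": "image \"golangci/golangci-lint\" is not pinned to a tag"} in v
}
```

In a pipeline job based on the `openpolicyagent/opa` image (with `entrypoint: [""]`), `opa eval -d policy.rego -i ci.json -f pretty --fail-defined data.gitlab.ci.deny` prints the violations and exits non-zero when the set is non-empty, giving both output modes described above.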

Policies for Projects and Groups

If OPA were integrated as part of the GitLab architecture, it could be leveraged to create and enforce baseline configurations for projects, groups, and users. All changes in settings could be validated before being stored in the DB.

graph LR
User[User] -->|Request| BE(GitLab Backend/API)
BE <--> OPA{OPA}
OPA -->|Approved| OK[Change stored]
OPA -->|Rejected| E[Change rejected]

Policies for Access Tokens

In this blueprint introducing Access Tokens Policies, OPA could be used to delegate authorization decisions.
