#@ load("@ytt:base64", "base64")
#@ load("@ytt:data", "data")
#@ load("@ytt:yaml", "yaml")
#! rego
#@ load("policy.rego.lib.txt", "rego_auth_policy")
---
#! The Rego authorization policy, rendered from policy.rego.lib.txt and mounted
#! into the OPA pod at /policies. Kept as a Secret rather than a ConfigMap because
#! the policy body embeds the HMAC key handed to io.jwt.decode_verify, so whoever
#! can read this object can also forge accepted tokens.
apiVersion: v1
kind: Secret
metadata:
  name: opa-policy
  namespace: apps
type: Opaque
data:
  policy.rego: #@ base64.encode(rego_auth_policy())
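---
#! Standalone OPA server that loads the policy from the opa-policy Secret.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: opa
  namespace: apps
  labels:
    app: opa
spec:
  replicas: 1
  selector:
    matchLabels:
      app: opa
  template:
    metadata:
      labels:
        app: opa
      name: opa
    spec:
      #! The policy engine only reads /policies; it never talks to the API server,
      #! so do not hand it a service-account token it does not need.
      automountServiceAccountToken: false
      containers:
      - name: opa
        #! TODO(review): "latest-envoy" is a mutable tag. Pin to a released version
        #! and an image digest so the authorization engine cannot change underneath
        #! the cluster on the next pull.
        image: openpolicyagent/opa:latest-envoy
        ports:
        - name: http
          containerPort: 8181
        args:
        - "run"
        - "--ignore=.*" #! exclude hidden dirs created by Kubernetes
        - "--server"
        - "/policies"
        #! NOTE(review): "--server" without --authentication/--authorization leaves the
        #! REST API on 8181 open, so anything that can reach this pod can read the
        #! policy (and its embedded key) or replace it via PUT /v1/policies/... .
        #! Restrict reachability with a NetworkPolicy and/or enable token auth before
        #! relying on this for access control.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        #! OPA serves /health on the same listener; gate traffic until policies load.
        readinessProbe:
          httpGet:
            path: /health
            port: http
        volumeMounts:
        - name: proxy-config
          mountPath: /policies
          readOnly: true
      volumes:
      - name: proxy-config
        secret:
          secretName: opa-policy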
# (@ def rego_auth_policy(): -@)
package envoy.authz
import input.attributes.request.http as http_request
default allow = false
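# token extracts and verifies the JWT carried in the Authorization header.
# The rule is undefined — and every rule built on it fails closed — when the
# header is missing, does not have exactly two space-separated fields, or the
# scheme is not Bearer. "valid" is false when the signature (or the exp/nbf
# checks performed by decode_verify) does not hold.
token = {"valid": valid, "payload": payload} {
	[scheme, encoded] := split(http_request.headers.authorization, " ")
	# Accept only the Bearer scheme (RFC 6750; scheme names are case-insensitive).
	# Previously any scheme word was accepted and its second field treated as a JWT.
	lower(scheme) == "bearer"
	# SECURITY(review): the HMAC key is the literal string "secret". Anyone who can
	# read this policy (the Secret, or the OPA REST API) can mint admin tokens.
	# Source the key from data/an external secret and consider also constraining
	# "alg", "iss" and "aud" in the decode_verify constraints object.
	[valid, _, payload] := io.jwt.decode_verify(encoded, {"secret": "secret"})
}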
# allow is the decision this package exposes (intended for Envoy's ext_authz
# check, given the package name). It holds only when the bearer token verified
# and is inside its validity window AND the method/path/role combination is
# permitted; in every other case the `default allow = false` above applies.
allow {
	action_allowed
	is_token_valid
}
# is_token_valid holds when the signature verified and the current time lies in
# [nbf, exp). Both claims must be present: a token without nbf or exp never
# satisfies this rule. Per the io.jwt.decode_verify documentation exp/nbf are
# already compared against the current time during verification, so this is a
# deliberate, explicit repeat of that check rather than the only one.
is_token_valid {
	current_time := time.now_ns() / 1000000000
	token.valid == true
	current_time >= token.payload.nbf
	token.payload.exp > current_time
}
# action_allowed enumerates the permitted (method, path, role) combinations.
#
# Paths are matched with glob.match and an EMPTY delimiter list, so "*" also
# matches "/" and "?": "/people*" covers /people and /people/123 but equally
# /peopleX or /people-admin. Envoy's :path value typically still carries the
# query string — confirm that both properties are acceptable for this API.
#
# GET /people*: both guests and admins may read.
action_allowed {
	http_request.method == "GET"
	{"guest", "admin"}[token.payload.role]
	glob.match("/people*", [], http_request.path)
}

# POST /people (exact path): admins only, and only when the submitted first name
# (lower-cased) differs from the caller's identity in the base64url "sub" claim.
# input.parsed_body is supplied by OPA's Envoy plugin; if it is absent or
# firstname is not a string the rule is undefined, i.e. the request is denied.
action_allowed {
	http_request.method == "POST"
	token.payload.role == "admin"
	http_request.path == "/people"
	caller := base64url.decode(token.payload.sub)
	lower(input.parsed_body.firstname) != caller
}
# (@- end @)