Open Policy Agent in Apigee

Hi, I am new to OPA and our work requires using it on Apigee Edge. Any explanation on implementing it to protect our backend, and the ways we can implement it on Apigee?
All help is appreciated. Thank you, Google community!


Hello

Thanks for initiating this discussion!

I'm very interested in it, as I have been looking at OPA for a while now. But unfortunately, I do not have a clear answer, just some ideas to share.

Based on the few small exchanges I recently had with OPA and Google people, you will have to instantiate an OPA backend service, probably in high availability. Maybe on the same K8S cluster where you have installed Apigee Hybrid.

Note: OPA does not recommend a centralized OPA service, as it could become a single point of failure. The sidecar model is better. So, in the Apigee context, in my opinion, the OPA HA instance should be dedicated to Apigee (not used by other systems), to keep it as an Apigee sidecar.

Here is an example, shared by Sridhar: https://github.com/srinandan/apigee-opa/

As you will see in this repo, it is based on a service callout:

<ServiceCallout async="false" continueOnError="false" enabled="true" name="Call-OPA">
    ......
    <HTTPTargetConnection>
        <Properties/>
        <URL>http://opa.apps.svc.cluster.local:8181/v1/data/httpapi/authz</URL>
    </HTTPTargetConnection>
</ServiceCallout>

If, like me, you do not have hybrid instances but only SaaS, it would be the same target: you have to host an OPA server somewhere and interact with it in your proxies via the service callout policy. It could be an on-prem K8S cluster, a classical deployment on VMs, etc.

Hope this helps

Arnaud

Nandan's approach is a good one. If you're using Apigee X, there's a more efficient way to connect the Apigee proxy to OPA, via ExternalCallout. But if you have Apigee Edge, then the ServiceCallout will work. It will add some latency to each call, so it's important to wrap that in a cache, if you can.
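To make the two replies concrete, here is an added example (not code from the thread or from the srinandan/apigee-opa repo) that models what the ServiceCallout does: it builds the `{"input": ...}` body OPA's Data API expects at the `/v1/data/httpapi/authz` URL quoted above, reads the decision fail-closed, and wraps it in the kind of cache the second reply recommends, keyed on the whole input so a cached decision is never reused for a different subject or path. The `call_opa` parameter is an assumption of this example: it stands in for the HTTP POST so the code runs offline, and `now` is passed in explicitly.

```python
import hashlib
import json
OPA_URL = "http://opa.apps.svc.cluster.local:8181/v1/data/httpapi/authz"  # target from the thread's ServiceCallout

def build_opa_input(method, path, headers):
    """Body the callout POSTs to OPA's Data API: {"input": {...}}."""
    return {"input": {
        "method": method.upper(),
        "path": [seg for seg in path.split("/") if seg],  # "/a/b" -> ["a", "b"]
        "headers": {k.lower(): v for k, v in headers.items()},
    }}

def parse_decision(body):
    """Fail closed: only an explicit result.allow == true (or result == true) allows the call."""
    try:
        result = json.loads(body).get("result")
    except (ValueError, AttributeError):
        return False
    if isinstance(result, dict):
        return result.get("allow") is True
    return result is True

class DecisionCache:
    """TTL cache keyed on a hash of the full OPA input, so a decision is never reused
    for a different subject, method or path (the cache must not weaken the policy)."""
    def __init__(self, ttl_seconds=60.0):
        self.ttl, self._store = ttl_seconds, {}

    @staticmethod
    def key(opa_input):
        return hashlib.sha256(json.dumps(opa_input, sort_keys=True).encode()).hexdigest()

    def get(self, k, now):
        entry = self._store.get(k)
        return entry[1] if entry and entry[0] > now else None

    def put(self, k, allowed, now):
        self._store[k] = (now + self.ttl, allowed)

def authorize(method, path, headers, call_opa, cache, now):
    """True if OPA allows the request; call_opa(url, json_body) does the POST (injected so this runs offline)."""
    opa_input = build_opa_input(method, path, headers)
    k = DecisionCache.key(opa_input)
    cached = cache.get(k, now)
    if cached is not None:
        return cached
    allowed = parse_decision(call_opa(OPA_URL, json.dumps(opa_input)))
    cache.put(k, allowed, now)
    return allowed
```

Denies are cached too, so keep the TTL short: a cached decision only stays correct for as long as the policy and data behind OPA do not change.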