Tutorial
Sign in#
note
Before you sign in, you need to create an opcr.io account using your GitHub credentials.
$ policy login -u <your GitHub account> -p <GitHub PAT>CD into a directory with OPA policy source code#
If you already have an OPA policy:
$ cd <directory that has an OPA project - rego files / data files>Or, if you want to play with a sample OPA policy:
$ git clone https://github.com/aserto-dev/policy-peoplefinder$ cd policy-peoplefinderBuild the policy container image#
$ policy build ./src -t <your_organization>/peoplefinder:1.0.0
Created new image.digest: sha256:84dbd4e3b5572dd2f23c3c987c89443fdcb57af87d714ea296fc552192fb17e9
Tagging image.reference: omrigazitt1/peoplefinder:1.0.0List the policy images#
$ policy images
| REPOSITORY | TAG | SIZE | CREATED AT ||--------------------------|-------|-------|--------------|| omrigazitt1/peoplefinder | 1.0.0 | 555 B | 1 minute ago |Push the policy to opcr.io#
$ policy push omrigazitt1/peoplefinder:1.0.0
Resolved ref [opcr.io/omrigazitt1/peoplefinder:1.0.0].digest: sha256:84dbd4e3b5572dd2f23c3c987c89443fdcb57af87d714ea296fc552192fb17e9
Pushed ref [opcr.io/omrigazitt1/peoplefinder:1.0.0].digest: sha256:05e6ed84d86f6a252e24f33cb12138d9193780f1d89a1b2ff14ced315fdf8481Tag the policy#
$ policy tag omrigazitt1/peoplefinder:1.0.0 omrigazitt1/peoplefinder:latest
Tagging image.reference: omrigazitt1/peoplefinder:latestCheck out the new tag:
$ policy images
| REPOSITORY | TAG | SIZE | CREATED AT ||--------------------------|--------|-------|---------------|| omrigazitt1/peoplefinder | 1.0.0 | 555 B | 5 minutes ago || omrigazitt1/peoplefinder | latest | 555 B | 5 minutes ago |Remove a policy from the local cache#
$ policy rm omrigazitt1/peoplefinder:1.0.0
Removed reference.reference: omrigazitt1/peoplefinder:1.0.0It's gone!
$ policy images
| REPOSITORY | TAG | SIZE | CREATED AT ||--------------------------|--------|-------|---------------|| omrigazitt1/peoplefinder | latest | 555 B | 6 minutes ago |Pull the image back from the registry#
$ policy pull omrigazitt1/peoplefinder:1.0.0
Pulling.ref: omrigazitt1/peoplefinder:1.0.0
Pulled ref [opcr.io/omrigazitt1/peoplefinder:1.0.0].digest: sha256:84dbd4e3b5572dd2f23c3c987c89443fdcb57af87d714ea296fc552192fb17e9It's back!
$ policy images
| REPOSITORY | TAG | SIZE | CREATED AT ||--------------------------|--------|-------|---------------|| omrigazitt1/peoplefinder | latest | 555 B | 7 minutes ago || omrigazitt1/peoplefinder | 1.0.0 | 555 B | 7 minutes ago |Export a policy to a tarball#
$ policy save omrigazitt1/peoplefinder
Resolved ref [opcr.io/omrigazitt1/peoplefinder:1.0.0].digest: sha256:84dbd4e3b5572dd2f23c3c987c89443fdcb57af87d714ea296fc552192fb17e9You should now have a bundle.tar.gz file in your directory.
Sign and verify signatures#
Issue these commands to generate a key pair, sign the policy image, and verify its signature using the public key:
$ docker login -u <GitHub-account> opcr.io$ cosign initialize$ cosign generate-key-pair$ cosign sign --key cosign.key opcr.io/omrigazitt1/peoplefinder:1.0.0$ cosign verify --key cosign.pub opcr.io/omrigazitt1/peoplefinder:1.0.0note
For more detailed instructions, see the signing images docs.
Run the read-eval-print loop for this policy version#
$ policy repl omrigazitt1/peoplefinder:1.0.0
Pulling.ref: omrigazitt1/peoplefinder:1.0.0
Pulled ref [opcr.io/omrigazitt1/peoplefinder:1.0.0].digest: sha256:84dbd4e3b5572dd2f23c3c987c89443fdcb57af87d714ea296fc552192fb17e9running policy [omrigazitt1/peoplefinder:1.0.0]> data.system.bundles{ "/Users/ogazitt/.policy/policies-root/blobs/sha256/84dbd4e3b5572dd2f23c3c987c89443fdcb57af87d714ea296fc552192fb17e9": { "manifest": { "revision": "", "roots": [ "peoplefinder" ] } }}>