GitOps Overview
Foreword
Policy as Code
As a best practice, Permit.io encourages you to manage your authorization policy as code. There are many benefits to having policy as code, including improved consistency, accuracy, and traceability. Defining policies using code lets you ensure policies are consistently enforced across different systems and environments, which can help prevent policy violations and reduce the risk of unauthorized access to sensitive data or systems. Policy as code is also easier to manage and update: when managed as code, policies can be handled with the same tools and processes used to manage and deploy software. This makes it easier to track changes to policies over time, roll back changes if necessary, and in general enjoy the well-thought-through best practices of the code world (e.g., GitOps). In short, policy as code saves us from reinventing the wheel.
Policy as Code in Permit.io
While policy as code should be managed in a code repository, that doesn't mean it must be authored as pure code. By simplifying policy creation, we can make our work as developers easier, free ourselves from becoming bottlenecks, and empower other critical stakeholders (e.g., product managers, security, compliance, support, professional services, and sales) to participate in the policy creation process. Permit.io's low-code policy editor generates code for you (primarily Open Policy Agent Rego code - see example here).
GitOps Flow
The policy code generated by the policy editor is saved into a Git repository before being deployed to your PDP (a.k.a. your microservice for authorization). You can own and manage this Git repository, which gives you full control of the code there and lets you set up a CI process between Permit environments. Adding tests, benchmarks, code reviews, and additional hand-written code provides you with all the checks and balances you need before merging changes between Git branches (which are synced into different Permit environments).
Setting up GitOps
The feature is available to all Permit users, though it is not self-service yet; message us in our Slack community to get the feature set up for you. Please share with us the workspace name, environment ID, and the Git repository and branch URL for which you'd like to set up GitOps. We'll then provide you with a private key to add to that repository, to allow Permit secure access to it.
- Note that the repository doesn't have to be the main code repository you use.
- The policy code can be nested in different folders within the repository.
- Rego code you add can import and reference the auto-generated code.
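A hand-written Rego file of the kind the last note and the GitOps flow describe, shown as an added example that is not Permit.io's own code: a custom rule that imports a generated decision and narrows it, with unit tests that `opa test` can run in CI before a branch merge. The package name `generated_policy`, its `allow` rule, and the `input` fields are hypothetical stand-ins; the real generated package layout is not shown on this page.

```rego
# Added example. Package names, rule names and input fields are assumptions.
package custom.delete_guard

import rego.v1

# Hypothetical stand-in for the package produced by the policy editor.
import data.generated_policy

# Deny unless every condition below holds.
default allow := false

# The custom rule can only narrow the generated decision, never widen it:
# the generated policy must allow AND the custom restriction must not apply.
allow if {
	generated_policy.allow
	not blocked_action
}

# Custom restriction: deletes need an explicit approval flag in the request.
# A missing flag is treated the same as a false one.
blocked_action if {
	input.action == "delete"
	not input.context.approved
}

# Unit tests. The generated rule is mocked with `with`, so the tests do not
# depend on the contents of the auto-generated files.
test_read_allowed_when_generated_allows if {
	allow with input as {"action": "read"}
		with data.generated_policy.allow as true
}

test_delete_denied_without_approval if {
	not allow with input as {"action": "delete"}
		with data.generated_policy.allow as true
}

test_delete_allowed_with_approval if {
	allow with input as {"action": "delete", "context": {"approved": true}}
		with data.generated_policy.allow as true
}

test_denied_when_generated_denies if {
	not allow with input as {"action": "read"}
		with data.generated_policy.allow as false
}
```

Running `opa test .` in the policy repository as a required CI check keeps a change to either the generated or the hand-written code from reaching a synced branch if it breaks these expectations.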