Merge pull request #888 from nebius/feature/opa_gatekeeper

pbutler · web-flow · commit 3f666c1d85f9 · 2026-03-23T14:04:19.000-04:00
feat: enables installing OPA opa_gatekeeper
diff --git a/k8s-training/applications.tf b/k8s-training/applications.tf
@@ -44,4 +44,9 @@ module "kuberay-service" {
   min_gpu_replicas = var.kuberay_min_gpu_replicas
   max_gpu_replicas = var.kuberay_max_gpu_replicas
   serve_config_v2  = var.kuberay_serve_config_v2
-}
+}
+
+module "opa_gatekeeper" {
+  source = "../modules/opa_gatekeeper"
+  count  = var.enable_opa_gatekeeper ? 1 : 0
+}
diff --git a/k8s-training/terraform.tfvars b/k8s-training/terraform.tfvars
@@ -99,3 +99,5 @@ kuberay_max_gpu_replicas = 8
 # Enable to deploy KubeRay Operator with RayService CR 
 enable_kuberay_service = false
 
+# enable OPA gatekeeper (default: false)
+# enable_opa_gatekeeper = true 
diff --git a/k8s-training/variables.tf b/k8s-training/variables.tf
@@ -423,3 +423,9 @@ variable "filesystem_csi" {
   })
   default = {}
 }
+
+variable "enable_opa_gatekeeper" {
+  description = "Enable OPA Gatekeeper"
+  type        = bool
+  default     = false
+}
diff --git a/modules/opa_gatekeeper/README.md b/modules/opa_gatekeeper/README.md
@@ -0,0 +1,4 @@
+# Module for OPA Gatekeeper
+
+This is module for `k8s-training` that installs OPA Gatekeeper and
+optionally install a config/manifest of configs for it.
diff --git a/modules/opa_gatekeeper/main.tf b/modules/opa_gatekeeper/main.tf
@@ -0,0 +1,25 @@
+data "http" "gatekeeper_url" {
+  url = "https://raw.githubusercontent.com/open-policy-agent/gatekeeper/${var.gk_version}/deploy/gatekeeper.yaml"
+}
+
+data "kubectl_file_documents" "gatekeeper_install_documents" {
+  content = data.http.gatekeeper_url.response_body
+}
+
+# Use kubectl_file_documents to split multi-document into the kubectl_manifest resource
+resource "kubectl_manifest" "gatekeeper_manifests" {
+  for_each  = data.kubectl_file_documents.gatekeeper_install_documents.manifests
+  yaml_body = each.value
+}
+
+data "kubectl_file_documents" "gatekeeper_config_manifests" {
+  content = var.configs
+}
+
+resource "kubectl_manifest" "gatekeeper_configs" {
+  for_each  = data.kubectl_file_documents.gatekeeper_config_manifests.manifests
+  yaml_body = each.value
+  depends_on = [
+    kubectl_manifest.gatekeeper_manifests
+  ]
+}
diff --git a/modules/opa_gatekeeper/provider.tf b/modules/opa_gatekeeper/provider.tf
@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    http = {
+      source  = "hashicorp/http"
+      version = "3.5.0"
+    }
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = ">=1.19.0"
+    }
+  }
+}
diff --git a/modules/opa_gatekeeper/variables.tf b/modules/opa_gatekeeper/variables.tf
@@ -0,0 +1,12 @@
+variable "configs" {
+  description = "A YAML file representing a config manifest for Gatekeeper"
+  type        = string
+  default     = ""
+}
+
+variable "gk_version" {
+  description = "A gatekeeper version string"
+  type        = string
+  default     = "v3.21.0"
+}
+
