When we first started using OPA [1], we were impressed with how flexible it is as a general-purpose decision engine. One thing we missed, though, is the ability to interact with policy bundles in the same way that we interact with docker images.
We created the policy CLI [2] to replicate the docker workflow for OPA policies, and the open policy registry [3] as a place where the OPA community can store and share policy images.
Can the tool push policies to other OCI registries like docker hub or the GitHub registry? I mean, it's nice to have a dedicated registry for OPA policies but are there alternatives?
There is currently a lot of special casing required, as the OCI spec laying out the Registry API and interactions is not very rich. This limits usability and performance.
But we certainly are going to add support for others, ghcr.io, acr etc.
The first step was to make the explicit workflow build, tag, push, pull available for OPA while being compatible with the existing formats used by OPA. This enveloping approach provides the workflow, explicit semantic versioning, labelling and optional signing capabilities.
Step two is to make OPA natively understand and support OCI images.
The next step would be special image types, and multi layering. For example I would love it if we have separate layers for rego, wasm, and data.json, as the data often needs to evolve independently of the rego and wasm code.
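As an added illustration of the enveloping and layering ideas in the reply above (this is example code, not code from the policy CLI, the open policy registry or OPA itself): it builds an OPA-compatible bundle tarball, wraps content in an OCI-style image manifest whose config carries the semantic version, and verifies every layer by digest on the consumer side. The layer media types (`application/vnd.example.opa.*`), the `authz` sample policy and the split into rego, wasm and data layers are assumptions chosen for the demo; only the manifest and config media types and the `org.opencontainers.image.version` key come from the OCI spec.

```python
"""Added example (not code from the policy CLI or OPA): build an OPA-compatible
bundle tarball, then envelope policy content in an OCI-style image manifest.
Layer media types and the bundle/rego/wasm/data split are hypothetical
placeholders for the layering idea discussed in the thread."""
import hashlib
import io
import json
import tarfile

# Constructed sample inputs (not a real policy or compiled code).
REGO = b'package authz\n\nimport rego.v1\n\ndefault allow := false\n\nallow if input.user == "alice"\n'
DATA = b'{"roles": {"alice": ["admin"]}}\n'
WASM = b"\x00asm\x01\x00\x00\x00"  # constructed: a wasm magic header, not a compiled policy

# Hypothetical layer media types; only the manifest/config types below are from the OCI spec.
BUNDLE_LAYER = "application/vnd.example.opa.bundle.v1.tar+gzip"
REGO_LAYER = "application/vnd.example.opa.rego.v1"
WASM_LAYER = "application/vnd.example.opa.wasm.v1"
DATA_LAYER = "application/vnd.example.opa.data.v1+json"


def sha256_digest(blob: bytes) -> str:
    """OCI content digest: algorithm prefix plus the hex hash of the raw blob."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def descriptor(media_type: str, blob: bytes) -> dict:
    """An OCI descriptor pins a blob by media type, digest and size."""
    return {"mediaType": media_type, "digest": sha256_digest(blob), "size": len(blob)}


def build_opa_bundle(rego: bytes, data: bytes, revision: str) -> bytes:
    """Step one from the thread: stay compatible with the existing OPA bundle
    format, a gzipped tar holding .manifest, policy files and data.json."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name: str, content: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
        add(".manifest", json.dumps({"revision": revision, "roots": ["authz", "roles"]}).encode())
        add("authz/policy.rego", rego)
        add("data.json", data)
    return buf.getvalue()


def read_bundle(bundle: bytes) -> dict:
    """Extract a bundle back into a name -> bytes mapping (for round-trip checks)."""
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r:gz") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}


def build_image_manifest(layers: list, version: str) -> tuple:
    """Envelope blobs in an OCI-style image manifest. The config blob carries the
    semantic version as a label; every layer is content-addressed by digest.
    Returns the manifest and a digest -> blob store standing in for a registry."""
    config = json.dumps(
        {"labels": {"org.opencontainers.image.version": version}}, sort_keys=True
    ).encode()
    blobs = {sha256_digest(config): config}
    layer_descs = []
    for media_type, blob in layers:
        blobs[sha256_digest(blob)] = blob
        layer_descs.append(descriptor(media_type, blob))
    manifest = {
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "config": descriptor("application/vnd.oci.image.config.v1+json", config),
        "layers": layer_descs,
    }
    return manifest, blobs


def verify_manifest(manifest: dict, blobs: dict) -> bool:
    """Consumer-side check: every referenced blob must exist and match its
    descriptor's digest and size, so a swapped layer is rejected before load."""
    for desc in [manifest["config"], *manifest["layers"]]:
        blob = blobs.get(desc["digest"])
        if blob is None or len(blob) != desc["size"] or sha256_digest(blob) != desc["digest"]:
            return False
    return True


if __name__ == "__main__":
    # Single-layer envelope of an existing bundle (step one) ...
    enveloped, store = build_image_manifest(
        [(BUNDLE_LAYER, build_opa_bundle(REGO, DATA, "1.2.0"))], "1.2.0")
    # ... versus the proposed split, where data can ship independently of code.
    split, split_store = build_image_manifest(
        [(REGO_LAYER, REGO), (WASM_LAYER, WASM), (DATA_LAYER, DATA)], "1.2.0")
    print(json.dumps(split, indent=2))
    print("single-layer verifies:", verify_manifest(enveloped, store))
    print("split verifies:", verify_manifest(split, split_store))
```

The point of the split form is visible in the manifest: a new `data.json` only changes the digest of the data layer, so the rego and wasm layers can be cached and re-verified unchanged, while `verify_manifest` still refuses any layer whose bytes no longer match the descriptor it was pulled under.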
The policy CLI builds upon the ideas and direction described in https://github.com/open-policy-agent/opa/issues/1413 (May 2019) and attempts to provide a concrete solution for a standard workflow for Policy As Code creation, publishing, sharing, and consumption.