Why using GitOps for authorization and access control is a good idea

Getting developers working in harmony is no easy task. Tools like GitHub make it much easier to manage code, but as infrastructure and deployment become more complex, issues arise with the systems projects are built on.

GitOps helps solve these problems. It’s a collection of practices that uses Git for more than just code. You can use it to help synchronize your project on every level, making sure vital information is recorded and changes are tracked.

In this article, you’ll learn more about GitOps and see some use cases where it can make a big difference. Then, you’ll learn about how to use GitOps with Cerbos, a service that helps you manage cloud-native applications.

Why Do You Need GitOps?

GitOps can help you formalize and improve your continuous integration practices. It acts as a source of truth that your team can use and modify. It effectively offers you the advantages Git brings to your codebase but applies them to your tooling.

With GitOps, you use configuration files along with file formats like YAML to build a declarative description of your infrastructure. It means you’re setting out exactly how to build your project’s environment before you even start coding.

That makes it easy for people to get up to speed with the project quickly, and gets them back on track if things go wrong. Since changes are logged, you can see who’s done what, which creates transparency and accountability and lets you solve problems more easily.

It also means fewer headaches, fewer unexplained crashes, and fewer things that work—somehow—even though no one’s sure how. Now you can all see that your intern is using v2.3 of a dependency that everyone else has at v2.4.

Some GitOps Use Cases

Using Git to store declarative data means you can spot variations or changes in your configuration files and make informed decisions on whether to keep them or not. You can also identify precisely where things have gone wrong, roll back changes that cause an issue, and track who introduced what.

Let’s run through some example scenarios where those things could benefit you. There are plenty more, and as you read through these, think about how the issues discussed could apply to your projects.

Enabling Continuous Deployment

Continuous deployment lets you immediately deploy the builds triggered by continuous integration, which automates builds using the code in your Git repository. It makes your teams more efficient, allowing you to make smaller, faster builds that can be initiated by anyone on the team.

With GitOps, you can implement continuous deployment from any environment without having to switch tools. It’s self-documenting, as changes are all recorded in the repo.

The transparency inherent in the practice prevents siloing and creates a comprehensive log of your project as it evolves. This makes it much easier than it otherwise would be to hunt for and identify problems, along with what caused them.

Tests are triggered with each deployment, and again, you have more opportunity to locate issues.

Improves Developer Buy-In

Developers are familiar with Git. They know it, and they know how to use and interact with it. Having your configuration data there means it’s easy to view at any time. You don’t have to worry about changes being lost, the canonical version of a file being disputed, or keeping track of who did what.

Your project files can become out of date, but if so, everyone can tell, as they can compare their version to what’s on the repo. That makes it much easier to make sure everyone is using a properly configured environment that reflects the most recent updates.

Working with Kubernetes

GitOps originated as a way to improve cluster management and is still closely associated with Kubernetes. While it has since grown beyond that, it’s still an excellent way to mitigate some of the problems of the complexity of Kubernetes.

Whether you’re provisioning clusters, altering configurations, or managing a deployment, GitOps lets you track the details as they change, compare different versions of them, and spot when they diverge across different setups.

Differentiating Your Services

GitOps is ideal for differentiating your services. Instead of just being a single source of truth, GitOps allows you to have multiple flavors of it. If your users have different plans to choose from, you can use GitOps to manage different configurations to support your various offerings.

Changing a configuration file that affects the services delivered by the same codebase is easy to do when you have control of those files.

How to Use GitOps with Cerbos

With GitOps, you use Git to store declarative files, as well as configuration data for practices like CI/CD. This can mean build data, pathways to data that needs to be included, and anything else, such as application code or documentation.

Cerbos uses GitOps natively and handles user authorization and access control. It makes getting started with GitOps easy, and this tutorial will walk you through a few simple steps to help you learn the basics. For further information, take a look at Cerbos’ documentation.

Getting Set Up

There are several ways to acquire Cerbos. You can install it from one of the binaries available for Linux and Mac. There’s also a Helm option if you prefer that.

Alternatively, you could install it with Homebrew:

brew tap cerbos/tap
brew install cerbos

Or you can install via Docker:

docker run --rm --name cerbos -p 3592:3592 ghcr.io/cerbos/cerbos:0.17.0

Calling the API

The API can be called via JSON requests, as the following example from the documentation illustrates. This is a call to /api/check:

{
  "requestId":  "test01",
  "action":  "approve",
  "resource":  {
	"policyVersion": "dev",
	"kind":  "leave_request",
	"attr":  {
  	"owner":  "alicia"
	}
  },
  "principal":  {
	"id":  "alicia",
	"policyVersion": "dev",
	"roles":  ["user"],
	"attr": {
  	"geography": "GB"
	}
  },
  "includeMeta": true,
  "auxData": {
	"jwt": {
  	"token": "xxx.yyy.zzz",
  	"keySetId": "ks-1"
	}
  }
}

You can call the admin API with a call such as GET /admin/auditlog/list/KIND_ACCESS or GET /admin/auditlog/list/KIND_DECISION.

For example, to view the last three decision log entries, you could call curl -k -u cerbos:cerbosAdmin \ 'https://localhost:3592/admin/auditlog/list/KIND_DECISION?tail=3' from the command line.

Using GitHub Actions

You can also use GitHub Actions with Cerbos.

The following action, taken from the Cerbos GitHub repo, downloads and installs the latest version:

steps:
  - name: Setup Cerbos
    uses: cerbos/cerbos-setup-action@v1
      with:
          version: latest

name: 'Cerbos Setup Action'
description: 'Setups Cerbos by downloading and adding to the path'
author: 'Cerbos'

Inputs:
  Version:
    description: 'Cerbos tooling version to download'
    required: true
      default: 'latest'

Runs:
  using: 'node12'
  main: 'dist/index.js'

Once Cerbos is downloaded and ready, you can compile it and validate and test your policies using the compile action. The following code shows how to do that:

- uses: actions/checkout@v2

- name: Setup Cerbos
  uses: cerbos/cerbos-setup-action@v1

- name: Compile with Cerbos
  uses: cerbos/cerbos-compile-action@v1
  with:
    policyDir: policies
    testDir: tests # Omit to skip tests

Which calls the following YAML:

name: 'Cerbos Compile Action'
description: 'Compile and test Cerbos policies'
author: 'Cerbos'

Inputs:
  policyDir:
    description: 'Policy directory'
    required: true
    default: '/policies'

  testDir:
	  description: 'Test directory'

Runs:
  using: 'node12'
  main: 'dist/index.js'

Getting Started with the Test Applications

There are several test applications in the Cerbos documentation. Running these and modifying them will give you an idea of how you can go further and develop your own projects with Cerbos.

The Photo application is a great place to start. It shows you how to install from Docker, create your own configuration files, and set up multiple user roles with different permissions.

If you have an authentication setup in place, check out the tutorials for JWT, Auth0, and Magic.

Conclusion

With GitOps, you can improve your build and deployment pipelines and make sure your CI/CD infrastructure is as accessible and transparent as your code. It opens it up to the whole team, allowing everyone to contribute.

As you’ve learned today, it isn’t hard to get started. There are services available that you can install from Docker in minutes and easily tailor to your specific situation.

Cerbos makes it easy to implement permissions and authorization. It fully supports GitOps, with both a built-in testing framework and integration for continuous integration and deployment. Try it today, and learn how you can simplify your workflows.