policy should look like the below - and can be auto assigned by the provider

{
  "policies": [
    {
      "id" : "anId",
      "meta": {
        "version": ""
      },

This pull request includes a number of small updates to the documentation for running the project and developing contributions.

It also introduces (optional) utilities for installing, configuring, building, testing, running things.

I have the demo running fine in the browser. I am trying to communicate directly with the orchestrator APIs using Postman.

I setup the Hawk Authorization method, but I always get a 401 Unauthorized response. The log shows "HAWK authentication failed: Bad MAC", but I already double checked the key.

we'll need something like the below to render the apps and integrations page by demo application deployment

{
  "project_id": "google_cloud:something_fun",
  "bundle_url": "https://bundle-server",
  "ca_cert": "<json encoded cert here>"
}

we should also update the readme and create integration web page

Always looking to improve the readme file for people who are downloading and building Hexa for the first time.

Is the documentation complete, are we making assumptions that should be clarified and documented?

When deployed locally, the OPA server gets its bundle config from another local service.

When deployed in the cloud, this story will implement a secure call to the bundle server

the method is currently hard coded for demonstration purposes - an incremental step toward current the idql version -

	return OpaQuery{map[string]interface{}{
		"method":    "http:GET:" +

the method is currently hard coded for demonstration purposes an incremental step toward current the idql version -

	return OpaQuery{map[string]interface{}{
		"method":    "http:GET:" +

there should be a few examples for postgresql. seems straight forward on the surface. we should ensure this works with docker-compose as well for local demonstrations.

[GET] /health [GET] /metrics [GET] /applications [GET] /applications/{id} [GET] /applications/{id}/policies [POST] /applications/{id}/policies [GET] /integrations [POST] /integrations [GET] /integrations/{id}

I am running the HexaOrchestrator (cloned repo today) and I am trying to make it work with GCP.

I created a project in GCP, created an AppEngine with IAP enabled and added some conditions of access to that AppEngine. (I am kind of trying to replicate the demo in this video). I also created a Service Account and basically gave all relevant Admin permissions (AppEngine Admin, Roles Manager,...).

I am able to import the Service Account key into Hexa and it identifies my project/AppEngine application. But the GCP policy is never loaded. It keeps showing an empty policy as in the image below:

Any ideas of what could be wrong?

UPDATE: I was able to get Hexa to load the GCP policy by changing the URL (file pkg/orchestratorproviders/googlecloud/google_client.go) it is using from: https://iap.googleapis.com/v1/projects/%s/iap_web/appengine-%s/services/default:getIamPolicy to https://iap.googleapis.com/v1/projects/%s/iap_web/appengine-%s:getIamPolicy

See the issue posted here: https://github.com/hexa-org/policy-orchestrator/issues/261

posted fix for this issue here:

https://github.com/hexa-org/policy-orchestrator/issues/261

As part of securing the call from the OPA agent to the bundle server, we want to add a layer of authentication between them.

From the docs, we can either implement Bearer Token or use client TLS certificates.

If the bundle server were to enforce these authentication mechanisms for the OPA agent, it would need to also enforce it from the policy orchestrator as well. That is, the integration config for the democonfig bundle server could potentially be

{
  "bundle_url": "https://bundleserver.com",
  "token": "1234567890asdf"
}

or

{
  "bundle_url": "https://bundleserver.com",
  "client_cert": "<json encoded client cert>",
  "client_key": "<json encoded client key>",
}

This is related to #195.