Hexa is the open-source, standards-based policy orchestration software for multi-cloud and hybrid businesses.

Overview

hexa-logo

Hexa Policy Orchestrator

Build results

Hexa is the open-source, standards-based policy orchestration software for multi-cloud and hybrid businesses.

The Hexa project contains three applications.

  • Policy Administrator web application
  • Policy Orchestrator server with IDQL translations
  • Demo application

Hexa Policy Orchestration (Hexa) and Identity Query Language (IDQL) were purpose-built to solve the proliferation of policy orchestration problems caused by today’s hybrid cloud and multi-cloud world. Together, Hexa and IDQL enable you to manage all of your policies consistently across clouds and vendors so you can unify access policy management.

Getting Started

Clone or download the codebase from GitHub to your local machine and install the following prerequisites.

cd /home/user/workspace/
git clone [email protected]:hexa-org/policy-orchestrator.git

Build a Hexa image with Pack. The newly created image will contain the policy administrator web application, policy orchestrator server, and demo application.

pack build hexa --builder heroku/buildpacks:20

We'll be using postgresql and need to execute the below shell scripts from docker-compose.

chmod 775 ./databases/docker_support/initdb.d/create-databases.sh
chmod 775 ./databases/docker_support/migrate-databases.sh

Run all three applications with docker compose.

docker-compose up

Cleaning up. Remove all docker containers and volumes.

docker rm -f $(docker ps -a -q)
docker volume rm -f $(docker volume ls -q)
docker system prune -a -f

Remove the local postgres database files.

rm -rf .postgres

Maintainers

Roadmap

Contributing

Join the Hexa community to stay up-to-date with the project and contribute.

Comments
  • idql policies should include a unique identifier

    idql policies should include a unique identifier

    policy should look like the below - and can be auto assigned by the provider

    {
      "policies": [
        {
          "id" : "anId",
          "meta": {
            "version": ""
          },
    
    enhancement question 
    opened by ggebel 5
  • Augment development and usage documentation and utilities

    Augment development and usage documentation and utilities

    This pull request includes a number of small updates to the documentation for running the project and developing contributions.

    It also introduces (optional) utilities for installing, configuring, building, testing, running things.

    opened by coreyti 3
  • Hawk authorization failing with Postman

    Hawk authorization failing with Postman

    I have the demo running fine in the browser. I am trying to communicate directly with the orchestrator APIs using Postman.

    I setup the Hawk Authorization method, but I always get a 401 Unauthorized response. The log shows "HAWK authentication failed: Bad MAC", but I already double checked the key.

    image
    opened by renatosc 2
  • include project_name in opa integration file, use for integration and application name and/or name prefix

    include project_name in opa integration file, use for integration and application name and/or name prefix

    we'll need something like the below to render the apps and integrations page by demo application deployment

    {
      "project_id": "google_cloud:something_fun",
      "bundle_url": "https://bundle-server",
      "ca_cert": "<json encoded cert here>"
    }
    

    we should also update the readme and create integration web page

    enhancement 
    opened by ggebel 2
  • Provide feedback on readme for first time contributor

    Provide feedback on readme for first time contributor

    Always looking to improve the readme file for people who are downloading and building Hexa for the first time.

    Is the documentation complete, are we making assumptions that should be clarified and documented?

    documentation 
    opened by ggebel 2
  • secure opa call to democonfig bundle

    secure opa call to democonfig bundle

    When deployed locally, the OPA server gets its bundle config from another local service.

    When deployed in the cloud, this story will implement a secure call to the bundle server

    enhancement security 
    opened by ggebel 2
  • Decision support library should determine protocol from request

    Decision support library should determine protocol from request

    the method is currently hard coded for demonstration purposes - an incremental step toward current the idql version -

    	return OpaQuery{map[string]interface{}{
    		"method":    "http:GET:" +
    
    enhancement good first issue 
    opened by ggebel 2
  • Decision support library should determine method from request

    Decision support library should determine method from request

    the method is currently hard coded for demonstration purposes an incremental step toward current the idql version -

    	return OpaQuery{map[string]interface{}{
    		"method":    "http:GET:" +
    
    enhancement good first issue 
    opened by ggebel 2
  • Postgres database should support TLS

    Postgres database should support TLS

    there should be a few examples for postgresql. seems straight forward on the surface. we should ensure this works with docker-compose as well for local demonstrations.

    enhancement security 
    opened by ggebel 2
  • Document policy orchestrator API

    Document policy orchestrator API

    [GET] /health [GET] /metrics [GET] /applications [GET] /applications/{id} [GET] /applications/{id}/policies [POST] /applications/{id}/policies [GET] /integrations [POST] /integrations [GET] /integrations/{id}

    enhancement good first issue 
    opened by identitynerd 2
  • Hexa not loading policy from GCP

    Hexa not loading policy from GCP

    I am running the HexaOrchestrator (cloned repo today) and I am trying to make it work with GCP.

    I created a project in GCP, created an AppEngine with IAP enabled and added some conditions of access to that AppEngine. (I am kind of trying to replicate the demo in this video). I also created a Service Account and basically gave all relevant Admin permissions (AppEngine Admin, Roles Manager,...).

    I am able to import the Service Account key into Hexa and it identifies my project/AppEngine application. But the GCP policy is never loaded. It keeps showing an empty policy as in the image below:

    image

    Any ideas of what could be wrong?

    UPDATE: I was able to get Hexa to load the GCP policy by changing the URL (file pkg/orchestratorproviders/googlecloud/google_client.go) it is using from: https://iap.googleapis.com/v1/projects/%s/iap_web/appengine-%s/services/default:getIamPolicy to https://iap.googleapis.com/v1/projects/%s/iap_web/appengine-%s:getIamPolicy

    opened by renatosc 1
  • Hawk Authentication failing with postman (issue #261 from github issues)

    Hawk Authentication failing with postman (issue #261 from github issues)

    See the issue posted here: https://github.com/hexa-org/policy-orchestrator/issues/261

    posted fix for this issue here:

    https://github.com/hexa-org/policy-orchestrator/issues/261

    opened by ggebel 0
  • authenticate opa requests to bundle server

    authenticate opa requests to bundle server

    As part of securing the call from the OPA agent to the bundle server, we want to add a layer of authentication between them.

    From the docs, we can either implement Bearer Token or use client TLS certificates.

    If the bundle server were to enforce these authentication mechanisms for the OPA agent, it would need to also enforce it from the policy orchestrator as well. That is, the integration config for the democonfig bundle server could potentially be

    {
      "bundle_url": "https://bundleserver.com",
      "token": "1234567890asdf"
    }
    

    or

    {
      "bundle_url": "https://bundleserver.com",
      "client_cert": "<json encoded client cert>",
      "client_key": "<json encoded client key>",
    }
    

    This is related to #195.

    opened by ggebel 0
Owner
Hexa Policy Orchestration
Open source policy orchestration software for multi-cloud and hybrid businesses
Hexa Policy Orchestration
Open, Multi-Cloud, Multi-Cluster Kubernetes Orchestration

Karmada Karmada: Open, Multi-Cloud, Multi-Cluster Kubernetes Orchestration Karmada (Kubernetes Armada) is a Kubernetes management system that enables

null 3k Dec 30, 2022
An open-source, distributed, cloud-native CD (Continuous Delivery) product designed for developersAn open-source, distributed, cloud-native CD (Continuous Delivery) product designed for developers

Developer-oriented Continuous Delivery Product ⁣ English | 简体中文 Table of Contents Zadig Table of Contents What is Zadig Quick start How to use? How to

null 0 Oct 19, 2021
provide api for cloud service like aliyun, aws, google cloud, tencent cloud, huawei cloud and so on

cloud-fitter 云适配 Communicate with public and private clouds conveniently by a set of apis. 用一套接口,便捷地访问各类公有云和私有云 对接计划 内部筹备中,后续开放,有需求欢迎联系。 开发者社区 开发者社区文档

null 24 Dec 20, 2022
Sign Container Images with cosign and Verify signature by using Open Policy Agent (OPA)

Sign Container Images with cosign and Verify signature by using Open Policy Agent (OPA) In the beginning, I believe it is worth saying that this proje

Batuhan Apaydın 60 Nov 30, 2022
Kubernetes Pod Security Standards implementation

Pod Security Admission The Pod Security Standards are a set of best-practice profiles for running pods securely. This repository contains the codified

Kubernetes 72 Dec 30, 2022
runtime - an abstraction library on top of the Open Policy Agent (OPA)

runtime - an abstraction library on top of the Open Policy Agent (OPA) Introduction The "runtime" project is a library that sits on top of OPA. The go

 Aserto Inc 22 Nov 7, 2022
A plugin for running Open Policy Agent (OPA) in AWS Lambda as a Lambda Extension.

opa-lambda-extension-plugin A custom plugin for running Open Policy Agent (OPA) in AWS Lambda as a Lambda Extension. To learn more about how Lambda Ex

GoDaddy 25 Jan 2, 2023
Moby: an open-source project created by Docker to enable and accelerate software containerization

The Moby Project Moby is an open-source project created by Docker to enable and accelerate software containerization. It provides a "Lego set" of tool

null 0 Dec 10, 2021
Devtron is an open source software delivery workflow for kubernetes written in go.

Devtron is an open source software delivery workflow for kubernetes written in go.

Devtron Labs 2.8k Jan 8, 2023
Manages nodes in hybrid k8s self-hosted cluster

node-manager Manages nodes in hybrid k8s self-hosted cluster Supported providers Contabo Hetzner Robot (dedicated) Supported commands Heal - reboots a

webtor.io 0 Dec 23, 2021
Cloud-Z gathers information and perform benchmarks on cloud instances in multiple cloud providers.

Cloud-Z Cloud-Z gathers information and perform benchmarks on cloud instances in multiple cloud providers. Cloud type, instance id, and type CPU infor

CloudSnorkel 16 Jun 8, 2022
K8s controller implementing Multi-Cluster Services API based on AWS Cloud Map.

AWS Cloud Map MCS Controller for K8s Introduction AWS Cloud Map multi-cluster service discovery for Kubernetes (K8s) is a controller that implements e

Amazon Web Services 69 Dec 17, 2022
🔥 🔥 Open source cloud native security observability platform. Linux, K8s, AWS Fargate and more. 🔥 🔥

CVE-2021-44228 Log4J Vulnerability can be detected at runtime and attack paths can be visualized by ThreatMapper. Live demo of Log4J Vulnerability her

null 2.6k Jan 1, 2023
Go WhatsApp Multi-Device Implementation in REST API with Multi-Session/Account Support

Go WhatsApp Multi-Device Implementation in REST API This repository contains example of implementation go.mau.fi/whatsmeow package with Multi-Session/

Dimas Restu H 62 Dec 3, 2022
Edge Orchestration project is to implement distributed computing between Docker Container enabled devices.

Edge Orchestration Introduction The main purpose of Edge Orchestration project is to implement distributed computing between Docker Container enabled

null 1 Dec 17, 2021
The open source public cloud platform. An AWS alternative for the next generation of developers.

M3O M3O is an open source public cloud platform. We are building an AWS alternative for the next generation of developers. Overview AWS was a first ge

Micro Services 2.2k Jan 2, 2023
Automated-gke-cilium-networkpolicy-demo - Quickly provision and tear down a GKE cluster with Cilium enabled for working with Network Policy.

Automated GKE Network Policy Demo Before running the automation, make sure you have the correct variables in env-automation/group_vars/all.yaml. There

Casey Wylie 0 Jan 1, 2022
Prevent Kubernetes misconfigurations from ever making it (again 😤) to production! The CLI integration provides policy enforcement solution to run automatic checks for rule violations. Docs: https://hub.datree.io

What is Datree? Datree helps to prevent Kubernetes misconfigurations from ever making it to production. The CLI integration can be used locally or in

datree.io 6.1k Jan 1, 2023