When a new edge authorizer is started, the discovery flow is initiated:
- A configuration file (config.yaml) is passed to the authorizer when it is started.
- The authorizer makes a discovery call to the control plane, passing the policy ID, authorizer API key, and tenant ID.
- The authorizer receives a response from the control plane that includes the configuration the edge authorizer needs, pointing it to its specific policy bundle.
- The authorizer validates and merges the configuration settings.
- Finally, the authorizer creates a runtime configuration.
To create the configuration file needed to bootstrap the edge authorizer, you can either use the aserto CLI or retrieve the credentials from the Aserto console and use them in the configuration template found below.
To generate the configuration file, you can use the
First, log in to your Aserto account using the following command:
Then, use the following command to generate the configuration file:
```bash
aserto developer configure <POLICY_INSTANCE_NAME>
```
The configuration will be generated in the directory
Retrieving credentials from the Aserto Console
You can retrieve the configuration credentials from the console and copy them into the configuration file template found below.
- The discovery API key is located on the connections tab, under system connections. Click on the “discovery” connection to expose the information associated with the connection.
- The tenant and policy identifiers can be retrieved from the Policy Settings page of the policy instance that is to be assigned to the edge authorizer instance.
These credentials map into the
To validate the correctness of the data used and to inspect what information is exchanged between the edge authorizer and the control plane, the following curl command can be used to execute the discovery request:
```bash
curl --request GET \
  --url https://discovery.aserto.com/api/v1/discovery/policies/<POLICY_ID>/opa/discovery \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'aserto-tenant-id: <TENANT_ID>' \
  --header 'authorization: basic <DISCOVERY_API_KEY>'
```
The expected response should be:
"apikey": "<REDACTED directory API key>",
"token": "<REDACTED> registry download API key"
When the edge authorizer receives the discovery response, the received information replaces the OPA element of the bootstrap configuration, resulting in the following configuration.
The edge authorizer runtime configuration is ephemeral and does not get persisted to disk.
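The following script is an added example (not Aserto's own code) that reproduces the discovery request above and the validate-and-merge step in Python. The URL and headers are the ones the curl command uses; the environment variable names, the `opa` key of the bootstrap configuration, and the shape of the discovery response beyond the `apikey` and `token` fields shown above are assumptions.

```python
import copy
import json
import os
import urllib.request

DISCOVERY_URL = ("https://discovery.aserto.com/api/v1/discovery/policies/"
                 "{policy_id}/opa/discovery")
SECRET_FIELDS = ("apikey", "token")  # the secret-bearing fields shown in the response above


def build_discovery_request(policy_id, tenant_id, discovery_key):
    """URL and headers of the discovery call, identical to the curl command.
    Tenant ID and API key travel in headers rather than in the URL, so they do
    not end up in proxy or access logs."""
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "aserto-tenant-id": tenant_id,
        "authorization": f"basic {discovery_key}",
    }
    return DISCOVERY_URL.format(policy_id=policy_id), headers


def fetch_discovery(policy_id, timeout=10):
    """Performs the call. Credentials are read from the environment
    (ASERTO_TENANT_ID / ASERTO_DISCOVERY_KEY are assumed names), not from source."""
    url, headers = build_discovery_request(
        policy_id, os.environ["ASERTO_TENANT_ID"], os.environ["ASERTO_DISCOVERY_KEY"])
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def merge_runtime_config(bootstrap, discovery):
    """Validate the discovery response and replace the bootstrap 'opa' element
    (key name assumed) with it. A new dict is returned: the bootstrap config is
    left untouched and the runtime config exists only in memory."""
    missing = [f for f in SECRET_FIELDS if not discovery.get(f)]
    if missing:
        raise ValueError(f"discovery response is missing {missing}")
    runtime = copy.deepcopy(bootstrap)
    runtime["opa"] = copy.deepcopy(discovery)
    return runtime


def redact(config):
    """Copy of the runtime config that is safe to log: secret fields are masked."""
    safe = copy.deepcopy(config)
    for field in SECRET_FIELDS:
        if field in safe.get("opa", {}):
            safe["opa"][field] = "<REDACTED>"
    return safe
```

Only `fetch_discovery` touches the network; `merge_runtime_config` and `redact` can be exercised offline with a constructed response.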