Kubiya Stack Deployment Guide
Prerequisites: an Okta org hostname, the OAuth client ID of an application in that org, that client's private key as a PEM file, and the URL and branch of the OPAL policy repository. Treat the private key (and the client ID) as secrets: they are placed into a Kubernetes Secret below and pass through your shell environment on the way.
Step 1: Set Environment Variables
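# Set your Okta credentials and OPAL policy-repo settings.
# NOTE: these are exported into your interactive shell, so they are inherited by
# every child process you start and readable by anyone who can inspect this
# shell's environment. Run the cleanup step when you are done, and keep the
# private key file itself readable only by you (chmod 600).
export OKTA_ORG_URL="your-org.okta.com"                  # Okta org hostname only, e.g. kubiya.okta.com (no https://, no path)
export OKTA_CLIENT_ID="your-client-id"                   # OAuth client ID registered in Okta
export OKTA_PRIVATE_KEY_PATH="/path/to/your/private.pem" # PEM private key for that client
export OPAL_POLICY_REPO_URL="https://YOUR/REPO/HERE.git"
export OPAL_POLICY_REPO_MAIN_BRANCH="YOUR_BRANCH"        # example: main

# Base64-encode the values for the Kubernetes Secret.
# GNU `base64` wraps its output at 76 columns; a wrapped value (the PEM key in
# particular, but also a long repo URL) would be split across lines inside the
# single-line `data:` fields of the manifest, so newlines are stripped.
# `printf '%s'` is used instead of `echo -n`, whose flag handling is not portable.
export OKTA_TOKEN_ENDPOINT_B64=$(printf '%s' "https://$OKTA_ORG_URL/oauth2/v1/token" | base64 | tr -d '\n')
export OKTA_BASE_URL_B64=$(printf '%s' "https://$OKTA_ORG_URL" | base64 | tr -d '\n')
export OKTA_CLIENT_ID_B64=$(printf '%s' "$OKTA_CLIENT_ID" | base64 | tr -d '\n')
export PRIVATE_KEY_B64=$(base64 < "$OKTA_PRIVATE_KEY_PATH" | tr -d '\n')
export OPAL_POLICY_REPO_URL_B64=$(printf '%s' "$OPAL_POLICY_REPO_URL" | base64 | tr -d '\n')
export OPAL_POLICY_REPO_MAIN_BRANCH_B64=$(printf '%s' "$OPAL_POLICY_REPO_MAIN_BRANCH" | base64 | tr -d '\n')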
Step 2: Verify Environment Variables (Optional)
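# Verify environment variables are set correctly.
# Safe to paste into an interactive shell: it only prints warnings and never
# calls `exit`, which would close your shell. Values are never printed in full
# (Base64 is an encoding, not encryption: the first 10 characters of the key
# are just the PEM header, but anything beyond that is the key itself).
verify_kubiya_env() {
  local ok=1 name value perms

  echo "Checking environment variables..."
  echo "----------------------------------------"
  echo "Base Variables:"
  for name in OKTA_ORG_URL OKTA_CLIENT_ID OKTA_PRIVATE_KEY_PATH \
              OPAL_POLICY_REPO_URL OPAL_POLICY_REPO_MAIN_BRANCH; do
    printf '%s: %s\n' "$name" "${!name:-(not set)}"
  done
  echo

  echo "Base64 Encoded Variables (first 10 chars):"
  for name in OKTA_TOKEN_ENDPOINT_B64 OKTA_BASE_URL_B64 OKTA_CLIENT_ID_B64 \
              PRIVATE_KEY_B64 OPAL_POLICY_REPO_URL_B64 OPAL_POLICY_REPO_MAIN_BRANCH_B64; do
    value=${!name:-}
    printf '%s: %s...\n' "$name" "${value:0:10}"
    if [[ -z "$value" ]]; then
      echo "WARNING: $name is empty; re-run the encoding step"
      ok=0
    elif [[ "$value" == *$'\n'* ]]; then
      # GNU base64 wraps at 76 columns; a wrapped value would be split across
      # lines inside the YAML data: map and the Secret would be rejected or corrupted.
      echo "WARNING: $name contains newlines (base64 line wrapping); re-encode stripping newlines"
      ok=0
    fi
  done
  echo

  if [[ -f "${OKTA_PRIVATE_KEY_PATH:-}" ]]; then
    echo "Private key file exists: ✓"
    [[ -r "$OKTA_PRIVATE_KEY_PATH" ]] || { echo "WARNING: private key file is not readable"; ok=0; }
    # A private key should not be group- or world-readable. stat's format flag
    # differs between GNU (-c) and BSD/macOS (-f); try both, skip if neither works.
    perms=$(stat -c '%a' "$OKTA_PRIVATE_KEY_PATH" 2>/dev/null || stat -f '%Lp' "$OKTA_PRIVATE_KEY_PATH" 2>/dev/null)
    if [[ -n "$perms" && "${perms: -2}" != "00" ]]; then
      echo "WARNING: private key mode is $perms; consider: chmod 600 $OKTA_PRIVATE_KEY_PATH"
    fi
  else
    echo "WARNING: Private key file not found at ${OKTA_PRIVATE_KEY_PATH:-(not set)}"
    ok=0
  fi
  echo "----------------------------------------"

  # Final verification: base values present, key file usable, every encoded
  # value non-empty and single-line.
  if [[ -n "${OKTA_ORG_URL:-}" && -n "${OKTA_CLIENT_ID:-}" && $ok -eq 1 ]]; then
    echo "Basic configuration appears correct ✓"
  else
    echo "WARNING: Some required variables are missing or invalid"
  fi
}
verify_kubiya_env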
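# Deploy the Secret, the enforcer pod and its Service.
#
# The broadcast database gets a per-deployment password instead of the default
# postgres/postgres that was hard-coded here. The postgres container listens on
# 5432 and, unless a NetworkPolicy restricts it, a pod IP is typically reachable
# from every other pod in the cluster. Export POSTGRES_PASSWORD beforehand to
# choose the value yourself. Alphanumeric only, so it needs no URL-encoding
# inside the connection URI.
POSTGRES_PASSWORD="${POSTGRES_PASSWORD:-$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32)}"
POSTGRES_PASSWORD_B64=$(printf '%s' "$POSTGRES_PASSWORD" | base64 | tr -d '\n')
OPAL_BROADCAST_URI_B64=$(printf '%s' "postgres://postgres:${POSTGRES_PASSWORD}@localhost:5432/postgres" | base64 | tr -d '\n')

# Fail fast if Step 1 was skipped: an unset variable would expand to nothing and
# kubectl would create a Secret with empty fields (the enforcer would then start
# without its key). The check is chained with && so that, when pasted into an
# interactive shell, a missing value stops the apply instead of merely printing
# an error before it runs.
: "${PRIVATE_KEY_B64:?run Step 1 first}" "${OKTA_BASE_URL_B64:?}" "${OKTA_TOKEN_ENDPOINT_B64:?}" \
  "${OKTA_CLIENT_ID_B64:?}" "${OPAL_POLICY_REPO_URL_B64:?}" "${OPAL_POLICY_REPO_MAIN_BRANCH_B64:?}" &&
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: opawatchdog-secrets
  namespace: kubiya
type: Opaque
data:
  POSTGRES_DB: cG9zdGdyZXM=
  POSTGRES_USER: cG9zdGdyZXM=
  POSTGRES_PASSWORD: ${POSTGRES_PASSWORD_B64}
  OPAL_BROADCAST_URI: ${OPAL_BROADCAST_URI_B64}
  OPAL_POLICY_REPO_URL: ${OPAL_POLICY_REPO_URL_B64}
  OPAL_POLICY_REPO_MAIN_BRANCH: ${OPAL_POLICY_REPO_MAIN_BRANCH_B64}
  OKTA_BASE_URL: ${OKTA_BASE_URL_B64}
  OKTA_TOKEN_ENDPOINT: ${OKTA_TOKEN_ENDPOINT_B64}
  OKTA_CLIENT_ID: ${OKTA_CLIENT_ID_B64}
  private.pem: ${PRIVATE_KEY_B64}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: enforcer
  namespace: kubiya
spec:
  replicas: 1
  selector:
    matchLabels:
      app: enforcer
  template:
    metadata:
      labels:
        app: enforcer
    spec:
      # NOTE(review): floating image references (:latest and the untagged
      # enforcer image) are not reproducible and may pull something different
      # on every restart; pin each to a tag or digest once validated.
      # Secret values are read into env at container start; a changed Secret
      # takes effect only after the pod is restarted.
      containers:
        - name: broadcast-kubiya
          image: postgres:alpine
          env:
            - name: POSTGRES_DB
              valueFrom:
                secretKeyRef:
                  name: opawatchdog-secrets
                  key: POSTGRES_DB
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  name: opawatchdog-secrets
                  key: POSTGRES_USER
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: opawatchdog-secrets
                  key: POSTGRES_PASSWORD
          ports:
            - containerPort: 5432
        - name: opa-server-kubiya
          image: permitio/opal-server:latest
          env:
            # Taken from the Secret rather than a literal so the DB password
            # does not appear in the Deployment spec (kubectl get deploy -o yaml).
            - name: OPAL_BROADCAST_URI
              valueFrom:
                secretKeyRef:
                  name: opawatchdog-secrets
                  key: OPAL_BROADCAST_URI
            - name: UVICORN_NUM_WORKERS
              value: "4"
            - name: OPAL_OPA_HEALTH_CHECK_POLICY_ENABLED
              value: "true"
            - name: OPAL_POLICY_REPO_URL
              valueFrom:
                secretKeyRef:
                  name: opawatchdog-secrets
                  key: OPAL_POLICY_REPO_URL
            - name: OPAL_POLICY_REPO_MAIN_BRANCH
              valueFrom:
                secretKeyRef:
                  name: opawatchdog-secrets
                  key: OPAL_POLICY_REPO_MAIN_BRANCH
            - name: OPAL_POLICY_REPO_POLLING_INTERVAL
              value: "30"
            - name: OPAL_DATA_CONFIG_SOURCES
              value: '{"config":{"entries":[{"url":"http://localhost:7002/policy-data","topics":["policy_data"],"dst_path":"/static"}]}}'
            - name: OPAL_LOG_FORMAT_INCLUDE_PID
              value: "true"
          ports:
            - containerPort: 7002
        - name: opal-client-kubiya
          image: permitio/opal-client:latest
          env:
            - name: OPAL_SERVER_URL
              value: http://localhost:7002
            - name: OPAL_LOG_FORMAT_INCLUDE_PID
              value: "true"
            - name: OPAL_INLINE_OPA_LOG_FORMAT
              value: http
          ports:
            - containerPort: 7000
            - containerPort: 8181
          command: ["sh", "-c", "./wait-for.sh localhost:7002 --timeout=20 -- ./start.sh"]
        - name: enforcer
          image: ghcr.io/kubiyabot/opawatchdog
          env:
            - name: OKTA_BASE_URL
              valueFrom:
                secretKeyRef:
                  name: opawatchdog-secrets
                  key: OKTA_BASE_URL
            - name: OKTA_TOKEN_ENDPOINT
              valueFrom:
                secretKeyRef:
                  name: opawatchdog-secrets
                  key: OKTA_TOKEN_ENDPOINT
            - name: OKTA_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: opawatchdog-secrets
                  key: OKTA_CLIENT_ID
            - name: OKTA_PRIVATE_KEY
              value: /etc/okta/private.pem
          volumeMounts:
            - name: private-key-volume
              # Must match OKTA_PRIVATE_KEY above exactly (a stray trailing
              # character here previously pointed the mount at a different path).
              mountPath: /etc/okta/private.pem
              subPath: private.pem
              readOnly: true
          ports:
            - containerPort: 5001
      volumes:
        - name: private-key-volume
          secret:
            secretName: opawatchdog-secrets
            # Project only the key the enforcer needs; the Okta and Postgres
            # values stay out of the container filesystem. subPath mounts are
            # not refreshed when the Secret changes, so restart the pod after
            # rotating the key.
            items:
              - key: private.pem
                path: private.pem
---
apiVersion: v1
kind: Service
metadata:
  name: enforcer
  namespace: kubiya
spec:
  # ClusterIP by default: reachable only from inside the cluster, over plain HTTP.
  ports:
    - name: enforcer
      port: 5001
      targetPort: 5001
  selector:
    app: enforcer
EOF
# The derived encodings are no longer needed. POSTGRES_PASSWORD is kept so you
# can connect to the broadcast DB while troubleshooting; unset it when done.
unset POSTGRES_PASSWORD_B64 OPAL_BROADCAST_URI_B64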
Step 4: Verify Deployment
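# Wait for the enforcer rollout to finish: a pod shown as "Running" has not
# necessarily passed startup (opal-client waits up to 20s for the server).
kubectl rollout status deployment/enforcer -n kubiya --timeout=120s
# Check if pods are running
kubectl get pods -n kubiya
# Check if service is created
kubectl get svc -n kubiya
# Check secrets (without revealing values): list the Secret, then only the
# key names it holds. Do not use -o yaml/json here, that prints the data.
kubectl get secrets -n kubiya
kubectl get secret opawatchdog-secrets -n kubiya -o go-template='{{range $k, $v := .data}}{{$k}}{{"\n"}}{{end}}'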
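# Point tool-manager at the enforcer's in-cluster Service (plain HTTP).
# NOTE: a JSON-patch "add" to .../env/- appends unconditionally, so running this
# twice leaves a duplicate entry, and it fails if container 0 has no env list yet.
kubectl patch deployment tool-manager -n kubiya --type=json -p='[
  {
    "op": "add",
    "path": "/spec/template/spec/containers/0/env/-",
    "value": {
      "name": "KUBIYA_AUTH_SERVER_URL",
      "value": "http://enforcer.kubiya:5001"
    }
  }
]'
# Confirm the patched deployment actually rolled out before relying on it.
kubectl rollout status deployment/tool-manager -n kubiya --timeout=120s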
Step 6: Clean Up Environment Variables (Optional)
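#!/bin/bash
# Unset all OKTA and OPAL related environment variables from the current shell.
# This only affects this shell: values typed on the command line (the client ID,
# the repo URL) may still be in your shell history, and any process started
# while the variables were exported already inherited them.
cleanup_kubiya_env() {
  local vars=(
    OKTA_ORG_URL OKTA_TOKEN_ENDPOINT_B64 OKTA_BASE_URL_B64
    OKTA_CLIENT_ID OKTA_CLIENT_ID_B64
    OKTA_PRIVATE_KEY_PATH PRIVATE_KEY_B64
    OPAL_POLICY_REPO_URL OPAL_POLICY_REPO_URL_B64
    OPAL_POLICY_REPO_MAIN_BRANCH OPAL_POLICY_REPO_MAIN_BRANCH_B64
  )
  local v leftover=0

  unset "${vars[@]}"

  # Print confirmation and verify every variable, not just a sample of them.
  echo "Environment variables have been unset:"
  for v in "${vars[@]}"; do
    echo "- $v"
    [[ -z "${!v:-}" ]] || leftover=1
  done

  if (( leftover == 0 )); then
    echo "Cleanup completed successfully."
  else
    echo "Warning: Some variables may still be set. Please check your environment."
  fi
}
cleanup_kubiya_env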