Rajeev Garikipati
06/11/2024, 7:42 PMRajeev Garikipati
06/11/2024, 7:43 PMRajeev Garikipati
06/11/2024, 7:45 PMRajeev Garikipati
06/11/2024, 7:46 PMRajeev Garikipati
06/11/2024, 7:46 PMAsaf Cohen
06/11/2024, 8:00 PMRajeev Garikipati
06/11/2024, 8:44 PMPiyush Sardana
06/12/2024, 7:25 AMNicolae Moisa
06/12/2024, 11:50 AM
OPAL_CLIENT_TOKEN and use it to start the opal-client
The OPAL_CLIENT_TOKEN generated is valid by default for 1 year, so for that time, clients can connect with the same client token, or if the opal-server is restarted, the already running clients reconnect to it using it. But if that year passes and if I restart the opal-server, the running clients are configured with the old OPAL_CLIENT_TOKEN so now they cannot reconnect because the access token is expired. The workarounds are:
1. to restart the opal-clients first (to get a new client token) and then restart the server
2. set the ttl to 100 years or something
My question: is there a way for the opal-client to get a new OPAL_CLIENT_TOKEN dynamically while still running?
Thanks in advance!
K OM SENAPATI
06/13/2024, 11:50 AMK OM SENAPATI
06/13/2024, 11:50 AMK OM SENAPATI
06/13/2024, 12:57 PMK OM SENAPATI
06/13/2024, 3:34 PMC
06/13/2024, 5:06 PMGerard de Brieder
06/14/2024, 3:08 PM
<https://github.com/permitio/opal-example-policy-repo> and that works fine. I am now deploying to our Azure k8s environment, and the deploy works, but the server does seem to skip the repo download. I have no idea why... I double checked all the env vars, and OPAL_POLICY_REPO_URL is defined. It does pick up on all other vars as well. Would any of you have a pointer on where to start debugging this?
Bhimesh Agrawal
06/15/2024, 6:24 AMBhimesh Agrawal
06/16/2024, 6:38 AMAndrea Di Saverio
06/17/2024, 7:14 AM
OPAL_CLIENT_TOKEN given that i'm in a k8s cluster. should it be fetched on container's boot (maybe in an init-container next to the client one) or should it be created "offline", and then added to container's env-vars? (or maybe something else?)
Gerard de Brieder
06/17/2024, 9:46 AM
OPAL_POLICY_REPO_SSH_KEY with the private key, replacing all \n with _ so it's on one line. I've added the public key to github. When the server starts, it shows a log line like Cloning repo from <snip> to '/tmp/git/opal_repo_clone' (branch: 'master'. It shows no errors or any other information relating to the git process. If I look at the server in the dir, it is empty. I'm not sure how to debug this. What I did try so far is to echo the key from OPAL_POLICY_REPO_SSH_KEY to a file, replaced all the _ with a \n again, and ran the command like GIT_SSH_COMMAND='ssh -i /path/to/custom_key' git clone git@<snip>.git
This checks out the repo with no problems... Could anyone give me a pointer on how to debug this further?
C
06/17/2024, 2:09 PMC
06/17/2024, 6:54 PMC
06/18/2024, 1:40 PMAndrea Di Saverio
06/19/2024, 7:48 AM
permitio/opal-client-standalone) but i'm struggling to find configuration params to define the opal-server address, and the opa engine address itself. are those listed here: https://docs.opal.ac/getting-started/configuration/#opal-client-configuration-variables ? i guess the first one is OPAL_SERVER_URL (not listed there but in other doc pages), but i was unable to find the one to define the opa address.
thank you 🙏🏼
Gerard de Brieder
06/19/2024, 7:51 AM
opa build -t wasm -e "app" ./policies -o wasm.tar.gz. If I look at the .manifest I can see it only contains a partial set of the entry points. How can I debug why the missing ones are not included?
Gerard de Brieder
06/19/2024, 6:00 PMGerard de Brieder
06/24/2024, 8:19 AM
const ws = new WebSocket('ws://localhost:7002/ws');
ws.onopen = () => {
  console.log('connected, subscribing... ');
  ws.send(JSON.stringify({"topics": ['policy:.', 'policy_data'], "client_id": "smeevil"}));
};
ws.onmessage = (e) => {
  console.log("received message:");
  console.log({e});
};
ws.onclose = () => {
  console.log('Disconnected by server :/');
};
This seems to connect, but it never receives any messages. In the server I see the following logs:
2024-06-24 10:21:20 2024-06-24T08:21:20.812642+0000 | 20 | fastapi_websocket_pubsub.pub_sub_server |DEBUG | Leaving endpoint's main loop
2024-06-24 10:21:20 2024-06-24T08:21:20.825022+0000 | 20 | opal_common.authentication.deps |DEBUG | JWT verification disabled, cannot verify requests!
2024-06-24 10:21:20 2024-06-24T08:21:20.825418+0000 | 20 | fastapi_websocket_pubsub.event_broadc...|DEBUG | Did not subscribe to ALL_TOPICS: share count == 2
2024-06-24 10:21:20 2024-06-24T08:21:20.825547+0000 | 20 | fastapi_websocket_pubsub.pub_sub_server |DEBUG | Entering endpoint's main loop with broadcaster
2024-06-24 10:21:20 2024-06-24T08:21:20.825857+0000 | 20 | fastapi_websocket_rpc.websocket_rpc_e...| INFO | Client connected
2024-06-24 10:21:20 2024-06-24T08:21:20.826312+0000 | 20 | websockets.legacy.server | INFO | connection open
Would anyone have a pointer on what I could look at next?
Christian Casazza
06/24/2024, 3:29 PMAlex Bihshtein
07/08/2024, 10:55 AMRotem Slootzky
07/10/2024, 10:39 AM