https://linen.dev logo
Join Slack
Powered by
This message was deleted.
# opal
s
This message was deleted.
o
Hi @Priya reddy 🙂 Not sure why you’d need to load policies via config-map, if you’re using OPAL - can you elaborate what your goal is here, I’d love to learn bout your use case. But anyhow - Yes, you’d just need to manage the policy package namespaces - so the policies loaded by OPAL won’t override the other ones. The two policies can still import / reference one another.
p
Thanks @Or Weis for the quick reply. My use case: I have some static policies autogenerated from protobuf, where I am trying to integrate it as a part of config-map. But there would be some additional policies needs to be updated on the fly where I would like to use them injecting through OPAL
Yes I have them with different package names -> package envoy.authz and package idc.authz but still I see they are overriding each other
o
Did you also load them as different file names in the repository? Cc: @Asaf Cohen
p
yes with different names
o
Can you share the details / the configuration you’re using for OPAL ? Would help figure out what we’re missing
👍 1
p
This is my opal-server configuration
Copy code
server:
  port: 7002
  policyRepoUrl: <https://github.com/*************************opa-policies>
  dataConfigSources:
    config:
      entries: [{
          "url": "<http://opal-server.opal.svc.cluster.local:7002/policy-data>",
          "topics": ["policy_data"],
          "data": {},
          "dst_path": "/static"
        }]
  policyRepoMainBranch: feature-new-policy
  pollingInterval: 10
  broadcastUri: null
  broadcastPgsql: true
  uvicornWorkers: 4
  replicas: 1
Copy code
- name: opal-client
        image: opal-client-standalone:latest
        imagePullPolicy: {{ .Values.opalclient.pullPolicy }}
        env:
          - name: UVICORN_NUM_WORKERS
            value: "1"
          - name: OPAL_POLICY_STORE_URL
            value: <http://localhost>:{{ .Values.opa.port }}  
          - name: OPAL_SERVER_URL
            value: <http://yyyyy.cluster.local:7002>
        ports:
          - name: http
            protocol: TCP
            containerPort: {{ .Values.opalclient.port }}
o
The layout of the git repository with the policies, and the policy names you’re pushing via config-map ? To make sure they are not conflicting You might also want to use a manifest file and the OPAL_BUNDLE_IGNORE env var to omit the names that are conflicting https://docs.opal.ac/tutorials/track_a_git_repo#4-opal-client-fetches-policy-bundles-from-opal-server
Re your use case:
My use case: I have some static policies autogenerated from protobuf, where I am trying to integrate it as a part of config-map. But there would be some additional policies needs to be updated on the fly where I would like to use them injecting through OPAL
Why not just push the autogenerated policies into Git and OPAL as well ?
It has the added benefit of having a single source of truth in Git
p
We thought about it but looks like we need to pick up the autogenerated file from a repository and move it to OPAL git not a big thing but I was just trying to see if we can manage it both the ways as a POC. By design, It seems it should be able to, but I am trying to figure it out
😎 1
I have the manifest file but one quick thing, do I need to add the cm policy name to the manifest file as well
o
I think I know what issue is. Looking at the code; it looks, like OPAL will delete policies that aren’t in the bundle coming from Git. https://github.com/permitio/opal/blob/cb4da1689edeeab36e01f456b71de05bfa2437cc/packages/opal-client/opal_client/policy_store/opa_client.py#L466
Trying to figure if we can work around this; without releasing a new version
p
Thank you so much @Or Weis that would be of great help.
o
I’m afraid it seems @Asaf Cohen did quite an airtight job here - I can’t see a quick workaround. We can change this, and add a new env-var like 
OPAL_DONT_REMOVE_MISSING_POLICIES=1
; but it would require code changes of course, and a release. If you’re okay with building an image from a branch ; I can write something quickly to implement this behavior - a full release would take longer of course.
p
Thank you OrWeis for the quick turnaround, how long would that take if we take this path of code changes and release? I am comfortable building image from your branch for testing and see if it fits in for the scenario, but I don't wanna trouble you over the weekend. It can wait till Monday.
o
Writing this shouldn’t take long. The official release of a new version of OPAL will probably be by the end of the month.
p
ok, Thank you! for the release, the timeline works for us. I will try to test from your branch by then , but it can still wait till a weekday.
o
Let me see if I can do something quickly 😉
p
Thank you so much!
o
Here’s the PR (And the branch is included in it) https://github.com/permitio/opal/pull/414 What I ended up doing is adding 
OPAL_POLICY_STORE_POLICY_PATHS_TO_IGNORE
it expects a list of string delimited by “,” each string is a path to a policy in OPA Paths that are listed there won’t be overwritten or deleted by in coming updates
p
Thank you for the fix OrWeis.
Open in Slack
PreviousNext
Powered by