This message was deleted Permit #opal

Join Slack

This message was deleted.

# opal

Slackbot

07/04/2023, 12:00 PM

This message was deleted.

👀 1

Or Weis

07/04/2023, 12:52 PM

Hi @Charlotte Brady 🙂 - first very cool- and thanks for sharing - It sounds like you’re transaction is failing on a timeout , and specifically on writing the data to OPA part itself (note that can take time as well - as loading the data requires OPA to create objects in memory (the more nested the data the longer it would take) ) I’d try and play with

OPAL_POLICY_STORE_CONN_RETRY

(retries around talking to OPA) and maybe

OPAL_POLICY_UPDATER_CONN_RETRY

(retries around fetching/processing the data) - shape of config object here Additionally you can look into breaking the update into multiple entries, gradually building up the object in OPA. ---- Other notes:

which we know will take a long time to respond (upwards of 30s)

That’s pretty extreme response times - perhaps you can add another caching layer in between ? --- Hope this helps 🙂 Keep us posted on your progress

👍 1

Charlotte Brady

07/04/2023, 2:09 PM

Thanks @Or Weis, we’ll start there!

Charlotte Brady

07/04/2023, 3:57 PM

Turns out the environment variable we were looking for was

OPAL_FETCHING_CALLBACK_TIMEOUT

(see here) - this has a default of 10s - meaning we make a call to our custom endpoint, wait 10s, then except a timeout error. Updating this to suit our custom endpoint worked, we now have happy healthy containers! 🙌 Thanks for you help & FYI we agree on the caching logic - this is a prototype for now which we will refactor in the longer term.

Doug Ramirez

07/11/2023, 6:00 PM

@Charlotte Brady We've been exploring OPAL and in particular hydrating a data store with k/v pairs for use by policies. I have not been able to find a good working example of this. Would you mind sharing an example rule that uses the k/v pairs? I have yet to see a rule that makes a call to the data store, and would love to figure that out.

2 Views

Open in Slack

Previous Next