# opal
o
Hi @Aren - welcome - and it sounds like you’re off to a great start - super happy to hear 🤘 To your question: usually the OPAL-client and the OPA instance run within the same container - so there’s only one sidecar per service. By default, the OPAL-client runs the OPA process as a subprocess. You can configure an independent OPA instance (in another container or in the same one) - but you don’t have to.
In the end, with either option, your services query OPA directly for policy decisions. The OPAL-client just needs to connect to the OPA instance to administer it with policy and data. I hope this answers the question 🙂
a
So OPA ships with OPAL-client out of the box?
o
Other way around (OPAL-client ships with OPA) - but yes
a
Sorry, it's been a long day haha, caffeine is starting to wear off haha. Perfect, so I'd have OPAL-client run as a sidecar alongside my application deployments
and my applications would be querying OPA (technically the opal-client)
o
No worries - I can relate 😉
Yes, to both 🙂
a
THANK YOU! I was having a hard time understanding how exactly the architecture flowed and how we'd implement here, but you made it make A LOT of sense.
o
My pleasure 😇
a
The helm chart doesn't include a sidecar injector, correct?
o
You mean via a webhook trigger? No it doesn’t
a
in terms of injecting my current API deployments with the OPAL-client
totally understood no worries 😄
thanks again 💪
Could you help me understand what the idea is behind how the helm chart installs right out of the box? It installs a client and a server into its own namespace. Is the idea to take the pieces from the helm chart and work them into our own services helm charts to get the client to spin up? Do I need to run the client in the namespace if the client is supposed to run as a sidecar with my application containers? Not sure if this is documented anywhere so I do apologize if I missed it.
and if my application is running the client as a sidecar is a Service still necessary for it? I thought it would query through localhost?
o
I think @Raz Co would do a better job than I at explaining the details here. But to give it a quick go: you can control what gets deployed by tweaking the values; I believe the easiest way to mix this into your services as a sidecar would be forking this helm chart and adding your services (or the other way around). And yes, when running as a sidecar you can query through localhost - though having a namespace doesn’t hurt
r
Hey Aren, as Or said, the OPAL client will communicate with the OPA instance locally using localhost. In terms of namespaces and services, these are all k8s resources that implement the ideas of tenants and networking (load balancing). There are many options to deploy OPAL in your cluster, and deploying a sidecar is one of them. As you said, running the OPAL client as a sidecar can make the Service unnecessary.
I can suggest you use the Opal-helm-chart to deploy OPAL Server, and for the client, just edit your existing helm (or any other deployment) of your application and add the client as a sidecar. In order to deploy only the server you’ll need to delete the `client` section from the values.yaml of the chart.
a
You guys are awesome! Thank you for the support in Slack, for the prompt response, and the general guidance. Y'all have been an immense help! @Raz Co you mentioned there are multiple ways to configure OPAL. Do people generally go the route of sidecar-ing the OPAL client onto their existing deployments? Or do they set up OPAL server and OPAL client in their own NS and then query it from there? Just trying to understand what the community-agreed-upon usage is
o
Happy to be of help 💪 Most people do the sidecar model for sure - but I’m not sure most of them use Helm 🙂 Sorry for stealing the questions from you @Raz Co 😉 feel free of course to add your input
r
No worries 😉 I’ll add to Or’s answer that some users of OPAL have big workloads, and attaching an OPAL Client for each pod might be too much and very wasteful in terms of compute and money of course. The alternative we would suggest in this scenario is deploying a k8s Deployment or Daemonset of OPAL Clients. Of course it depends on your use case. Feel free to share your thoughts about this 🙂
a
Thanks again guys. I've gotten it up and running and I've got the client deployed as a sidecar on my deployments now. Hooked everything up, but running into issues on the opal-server with the git clone path. I'll be digging into that, just wanted to say thanks again.
o
Sure thing. Let us know if you need a hand with that issue as well.