# opal
o
Hi @Jack Geek this would require further investigation. Do you see OPAL retry? Or did the server crash fully?
How often does this happen? As a stopgap solution - did you try restarting the server automatically following its healthcheck? Does it succeed in pulling from Git at that point? CC: @Asaf Cohen
a
@Jack Geek typically exit code 1 means something in the git configuration (url, ssh key, branch name) is not configured correctly. I did not see it happening in other scenarios. Where is your git repo stored?
j
@Or Weis it's stored in K8S secret (not changed), when I restarted the POD of the opal-server, it works. I did some investigation, I will start on the client side:
• apparently the client throws an error because my rule contains "_"
This error started a loop of errors on the client side (throws errors, connects / disconnects from the server etc..) here are the screenshots:
On the server side, that caused apparently a loop of errors also (new subscription, connection closed etc..) But I don't know why that affected the policy git polling:
Client errors
a
Hey @Jack Geek I don't think these are related. The `_ var is unsafe` can throw the client into a loop of errors, and the fix is simple - push valid rego. Loops of errors in the client connection flow are unrelated to the git fetch flow. There is probably a different reason why git pull failed.
j
Hello Asaf, I used the OPA playground to format / evaluate the policy and no errors were detected. Maybe the version of OPA is outdated? Here is the warning I get (with the latest docker image of the client).
a
The version of OPA is probably outdated in the official image. Unfortunately since version 0.40.0 they made several breaking changes to the language. Try to download the older version of OPA and eval the policy. We will release a new official image next week.
j
ok thanks @Asaf Cohen
@Asaf Cohen, did you release the new image ?
o
j
Hi @Or Weis thank you for the release. I have a question regarding the `OPAL_POLICY_REPO_WEBHOOK_PARAMS` env variable, is it mandatory in the OPAL server config? (because I didn't see it when you made the example with Github)
o
Hi @Jack Geek - sorry for the late reply was being interviewed for a podcast. The default for `OPAL_POLICY_REPO_WEBHOOK_PARAMS` is Github - so you don’t have to change anything if you’re using Github
j
@Or Weis I'm using Gitlab, so the default param config will be an escaped string, isn't it ? (this is a k8s deployment var config)
```yaml
- name: OPAL_POLICY_REPO_WEBHOOK_PARAMS
  value: "{\"secret_header_name\":\"X-Gitlab-Token\",\"secret_type\":\"token\",\"secret_parsing_regex\":\"(.*)\",\"event_header_name\":\"X-Gitlab-Event\",\"push_event_value\":\"Push Hook\"}"
```
o
Looks about right, yes 🙂