# opal
a
hey @Naveen, maybe you are sending the updates on the wrong topic? We need a bit more data to help here. Maybe send logs, and also how you set up your OPAL server and client?
are you running the OPAL server with the broadcast channel?
n
Yes I will send configuration and logs in a moment
@Asaf Cohen I was trying to solve it myself. I thought the issue could be around OPAL_DATA_CONFIG_SOURCES. Once I removed it I got errors in the OPAL client; please find the logs below.
```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: opal-server-daemonset
  namespace: opal-impl
  labels:
    app: opal-server-daemonset
spec:
  selector:
    matchLabels:
      name: opal-server-daemonset
  template:
    metadata:
      labels:
        name: opal-server-daemonset
    spec:
      containers:
      - name: opal-server
        image: permitio/opal-server:latest
        ports:
        - containerPort: 7002
        env:
        - name: OPAL_BROADCAST_URI
          value: "postgres://postgresadmin:admin123@broadcast-channel-service.opal-impl.svc:5432/postgres"
        - name: UVICORN_NUM_WORKERS
          value: "3"
        - name: OPAL_POLICY_REPO_URL
          value: "<git hub url>"
        - name: OPAL_DATA_CONFIG_SOURCES
          value: '{"config":{"entries":[{"url":"http://opal-server:7002/policy-data","topics":["policy_data"],"dst_path":"/static"}]}}'
        - name: OPAL_LOG_FORMAT_INCLUDE_PID
          value: "true"
        - name: OPAL_POLICY_REPO_MAIN_BRANCH
          value: "master"
        - name: OPAL_POLICY_REPO_WEBHOOK_SECRET
          value: "<secret>"
```
```yaml
      - name: opal-client
        image: permitio/opal-client:latest
        ports:
        - containerPort: 7000
        - containerPort: 8181
        env:
        - name: OPAL_SERVER_URL
          value: "<opal server uri>"
        - name: OPAL_LOG_FORMAT_INCLUDE_PID
          value: "true"
        - name: OPAL_INLINE_OPA_LOG_FORMAT
          value: "http"
```
a
you are failing on not being able to download http://host.docker.internal:7002/policy-data from within Kubernetes, which is logical because this DNS name only works from within Docker (compose).
you do set up the
```yaml
        - name: OPAL_DATA_CONFIG_SOURCES
          value: '{"config":{"entries":[{"url":"http://opal-server:7002/policy-data","topics":["policy_data"],"dst_path":"/static"}]}}'
```
which means something in your config does not work correctly, because OPAL defaults to:
```python
DATA_CONFIG_SOURCES = confi.model(
    "DATA_CONFIG_SOURCES",
    ServerDataSourceConfig,
    confi.delay(
        lambda ALL_DATA_URL="", ALL_DATA_TOPIC="": {
            "config": {
                "entries": [{"url": ALL_DATA_URL, "topics": [ALL_DATA_TOPIC]}]
            }
        }
    ),
    description="Configuration of data sources by topics",
)
```
due to the pydantic models involved, I guess something in the way you encode the JSON does not compile and OPAL falls back to the default value
to make sure this is indeed the issue, you can try:
1. removing your definition of the config var OPAL_DATA_CONFIG_SOURCES
2. defining OPAL_ALL_DATA_URL instead (set it to a DNS name that you know will be available from within the pod)
   a. (not sure http://opal-server:7002/policy-data is actually a valid DNS name)
try that, it should fix your issue
n
@Asaf Cohen When I remove OPAL_DATA_CONFIG_SOURCES, that's when I am getting those errors which I have sent. So when I try to hit myurl:7002/policy-data, will that return the actual policy? If so, I am not getting it; does that require any extra configuration? Last but not least, what should dst_path be in data_config_sources?
With data_sources I don't have any errors, but the policy was not getting updated
a
myurl:7002/policy-data should return a JSON file that represents the data that you want to load into OPA
```
opal_client.data.fetcher | ERROR | Timeout while fetching url: http://host.docker.internal:7002/policy-data
Traceback (most recent call last):
```
this is caused because http://host.docker.internal:7002/policy-data is not a URL that the container can access (no such DNS name)
(which makes sense because it's invalid in Kubernetes)
n
that I understood, but the major problem is that when I change the rego file the policy is not reflected in opalclienturl:8181/v1/data
a
that's probably because there is a race condition between the default value of OPAL_DATA_CONFIG_SOURCES (which writes to /v1/data) and the static data files that are sourced from git (that are also written to /v1/data); that is why /v1/data/static is important, to prevent the collision
you can turn on OPA logs and see what is written to OPA
n
when I have data_configs in the server env variables, it is trying to fetch the policy from url:7002/policydata, which in my case is returning an empty response
a
add this to your client: OPAL_INLINE_OPA_LOG_FORMAT=http
it will tell you all the API calls the OPAL client is doing to OPA
it will help us understand why the OPA cache is empty
n
ok, in that case if it's already turned on I can send these logs as well after the modification tomorrow morning IST time
a
ok, my response time tomorrow will be a bit delayed (I will be available, but it might take me a few hours to respond, as this is the weekend)
n
A couple of questions to proceed further: the OPAL server yaml file which I have shared, with that configuration myurl:7002/policydata should return JSON, right? Is there any other configuration I missed? What should dest_path be set to?
a
send me everything you have, I will try to help
> The OPAL server yaml file which I have shared, with that configuration myurl:7002/policydata should return JSON, right? Is there any other configuration I missed?
yes
```json
"dst_path":"/static"
```
is considered safe, but it can be any path that is not "/"
n
ok, thanks for the info. I will try with this and let you know about the output. I will try to add more details for you to understand my issue if it is a failure
a
👍
n
@Or Weis @Asaf Cohen After running my OPAL server in my local Kubernetes and trying to hit "http://localhost:7002/policy-data", my server logs are throwing this warning: "*Serving default all-data route, meaning DATA_CONFIG_SOURCES was not configured!*", and it is returning an empty response
@Or Weis @Asaf Cohen As we discussed earlier, I tried with the changes and I am getting the attached logs. I have also provided my OPAL client and server configurations
o
Hi @Naveen, We are actually off for the weekend today, we'll review this early on Sunday.
a
Hey @Naveen i think we can help you much quicker via zoom. Would you like to set up a 30 minutes meeting with me? https://calendly.com/asaf-cohen
n
@Asaf Cohen Happy New Year. As per our discussion I need to test this in a cloud environment. I am waiting to get a new cluster; as the previous week was Christmas and New Year, I haven't got one yet. Once I sort things out I will update you with my findings