# opal
r
Hey @Jack Geek, thank you for attaching the logs, it's very helpful!
Have you deployed the server as well? Port `7002` is the default port of the opal-server. In addition, calling for `host.docker.internal:<port>` means that you are looking for a service within the docker network interface that has this port exposed, so just make sure you are not using this url in k8s because that won't work for you.
Also, there are many examples for deploying OPAL with docker-compose in the repo - https://github.com/permitio/opal/tree/master/docker
j
Hi, for me the OPAL client and server are not in the same POD, the OPAL server has a public IP address like 100.101.102.103. Is there something else that I need to configure?
r
And have you configured a Service for the OPAL Server?
j
yes a LoadBalancer service, and I can get a status ok response with the public IP
r
Great, so if your service is called `opal-server` and it exists in the namespace `default`, for example, you can configure the Client's `OPAL_SERVER_URL` variable to the service FQDN, which in this example will be `opal-server.default.svc`.
No need to configure the Client to communicate with the public IP of the Server, this will result in very high latency compared to in-cluster communication.
j
1. and if I have OPAL clients in multiple namespaces, must I install multiple OPAL servers? (one per namespace?)
2. What do you think is the cause of host.docker.internal? Can we deactivate it?
r
1. Same, you can use service FQDN to also communicate with services across different namespaces 🙂
2. You can see in the Dockerfile (https://github.com/permitio/opal/blob/master/docker/Dockerfile#L151) that the `OPAL_ALL_DATA_URL` env var is used to control this endpoint call. When running both Client and Server on docker-compose this `host.docker.internal` should work properly. So the question is do you run OPAL Server in your docker-compose as well?
j
No it's the same public IP (from the loadbalancer) - I tested it on a docker-compose Client. On K8S, on the OPAL client, should I override `OPAL_ALL_DATA_URL`?
r
> No it's the same public IP (from the loadbalancer) - I tested it on a docker-compose Client.
Sorry, I couldn't understand which part of my answer this sentence refers to. In k8s I recommend you to change this variable to a k8s FQDN url.
j
Thanks @Raz Co, I will change it to `<serviceName>.<namespaceName>.svc.cluster.local` instead of the Public IP and I'll check if the DOCKER error is gone or not
Hi @Raz Co, it's working for me with the FQDN of the opal-server kube service. But there is always the same docker problem
Here is my deployment spec:
r
Hey Jack, can you try to set `OPAL_ALL_DATA_URL`? @Asaf Cohen you might have a quick answer for this
a
Hey @Jack Geek :) The reason you are seeing this issue is because `OPAL_DATA_CONFIG_SOURCES` is not configured correctly. You need to configure a data source entry that is available for the opal client to fetch.
Let me know if you need any more help here :)
j
Hi @Asaf Cohen, at this stage, I don't need to fetch data (only policies are needed for the moment). How can we deactivate the mechanism?
a
Hi @Jack Geek to run in "policy only mode": 1) set the following env var on OPAL server:
```
OPAL_DATA_CONFIG_SOURCES={"entries":[]}
```
2) set the following env var on OPAL client:
```
OPAL_DATA_UPDATER_ENABLED=false
```
j
Hi @Asaf Cohen, in kubernetes env vars, do you have an idea how to pass the object as a string:
a
you want to escape the `"` characters with `\"`
@Raz Co correct me if I'm wrong
r
Yes Asaf, JSON escaping will solve this for you, basically the right value will be -
```
{\"entries\":[]}
```
j
Thank you @Asaf Cohen and @Raz Co, I just configured it.