# opal
a
Hey @Dor Alon, we'll take a look in a sec and try to help! 🙂
d
the complete opal client log
2022-11-13T13:31:14.953076+0000 | opal_client.data.rpc                    | INFO  | Received notification of event: policy_data
2022-11-13T13:31:14.953271+0000 | opal_client.data.updater                | INFO  | Updating policy data, reason: None
2022-11-13T13:31:14.953802+0000 | opal_client.data.updater                | INFO  | Triggering data update with id: 9a417880e5ab4837a2f82b5e294ee24f
2022-11-13T13:31:14.953926+0000 | opal_client.data.updater                | INFO  | Fetching policy data
2022-11-13T13:31:14.954054+0000 | opal_client.data.fetcher                | INFO  | Fetching data from url: http://authz-opal-data-api:3000/data-api/user_5d48a21cdda60600237e0648
2022-11-13T13:31:20.881123+0000 | uvicorn.protocols.http.httptools_impl   | INFO  | 10.155.7.102:54478 - "GET /healthcheck HTTP/1.1" 200
2022-11-13T13:31:20.881448+0000 | uvicorn.protocols.http.httptools_impl   | INFO  | 10.155.7.102:54480 - "GET /healthcheck HTTP/1.1" 200
2022-11-13T13:31:24.954206+0000 | opal_client.data.fetcher                |ERROR  | Timeout while fetching url: http://authz-opal-data-api:3000/data-api/user_5d48a21cdda60600237e0648
Traceback (most recent call last):

  File "/usr/local/lib/python3.10/asyncio/locks.py", line 214, in wait
    await fut
          └ <Future cancelled>

asyncio.exceptions.CancelledError


During handling of the above exception, another exception occurred:


Traceback (most recent call last):

  File "/usr/local/lib/python3.10/asyncio/tasks.py", line 456, in wait_for
    return fut.result()
           │   └ <method 'result' of '_asyncio.Task' objects>
           └ <Task cancelled name='Task-20284' coro=<Event.wait() done, defined at /usr/local/lib/python3.10/asyncio/locks.py:201>>

asyncio.exceptions.CancelledError


The above exception was the direct cause of the following exception:


Traceback (most recent call last):

  File "/usr/local/bin/gunicorn", line 33, in <module>
    sys.exit(load_entry_point('gunicorn==20.1.0', 'console_scripts', 'gunicorn')())
    │   │    └ <function importlib_load_entry_point at 0x7f8698c52cb0>
    │   └ <built-in function exit>
    └ <module 'sys' (built-in)>
  File "/usr/local/lib/python3.10/site-packages/gunicorn/app/wsgiapp.py", line 67, in run
    WSGIApplication("%(prog)s [OPTIONS] [APP_MODULE]").run()
    └ <class 'gunicorn.app.wsgiapp.WSGIApplication'>
  File "/usr/local/lib/python3.10/site-packages/gunicorn/app/base.py", line 231, in run
    super().run()
  File "/usr/local/lib/python3.10/site-packages/gunicorn/app/base.py", line 72, in run
    Arbiter(self).run()
    │       └ <gunicorn.app.wsgiapp.WSGIApplication object at 0x7f8698c33cd0>
    └ <class 'gunicorn.arbiter.Arbiter'>
  File "/usr/local/lib/python3.10/site-packages/gunicorn/arbiter.py", line 202, in run
    self.manage_workers()
    │    └ <function Arbiter.manage_workers at 0x7f86980eed40>
    └ <gunicorn.arbiter.Arbiter object at 0x7f8697fcad40>
  File "/usr/local/lib/python3.10/site-packages/gunicorn/arbiter.py", line 551, in manage_workers
    self.spawn_workers()
    │    └ <function Arbiter.spawn_workers at 0x7f86980eee60>
    └ <gunicorn.arbiter.Arbiter object at 0x7f8697fcad40>
  File "/usr/local/lib/python3.10/site-packages/gunicorn/arbiter.py", line 622, in spawn_workers
    self.spawn_worker()
    │    └ <function Arbiter.spawn_worker at 0x7f86980eedd0>
    └ <gunicorn.arbiter.Arbiter object at 0x7f8697fcad40>
  File "/usr/local/lib/python3.10/site-packages/gunicorn/arbiter.py", line 589, in spawn_worker
    worker.init_process()
    │      └ <function UvicornWorker.init_process at 0x7f86965740d0>
    └ <uvicorn.workers.UvicornWorker object at 0x7f869690beb0>
  File "/usr/local/lib/python3.10/site-packages/uvicorn/workers.py", line 66, in init_process
    super(UvicornWorker, self).init_process()
          │              └ <uvicorn.workers.UvicornWorker object at 0x7f869690beb0>
          └ <class 'uvicorn.workers.UvicornWorker'>
  File "/usr/local/lib/python3.10/site-packages/gunicorn/workers/base.py", line 142, in init_process
    self.run()
    │    └ <function UvicornWorker.run at 0x7f8696574280>
    └ <uvicorn.workers.UvicornWorker object at 0x7f869690beb0>
  File "/usr/local/lib/python3.10/site-packages/uvicorn/workers.py", line 83, in run
    return asyncio.run(self._serve())
           │       │   │    └ <function UvicornWorker._serve at 0x7f86965741f0>
           │       │   └ <uvicorn.workers.UvicornWorker object at 0x7f869690beb0>
           │       └ <function run at 0x7f8697b11870>
           └ <module 'asyncio' from '/usr/local/lib/python3.10/asyncio/__init__.py'>
  File "/usr/local/lib/python3.10/asyncio/runners.py", line 44, in run
    return loop.run_until_complete(main)
           │    │                  └ <coroutine object UvicornWorker._serve at 0x7f8695478740>
           │    └ <method 'run_until_complete' of 'uvloop.loop.Loop' objects>
           └ <uvloop.Loop running=True closed=False debug=False>
> File "/usr/local/lib/python3.10/site-packages/opal_client-0.3.1-py3.10.egg/opal_client/data/fetcher.py", line 70, in handle_url
    response = await self._engine.handle_url(url, config=config)
                     │    │       │          │           └ None
                     │    │       │          └ 'http://authz-opal-data-api:3000/data-api/user_5d48a21cdda60600237e0648'
                     │    │       └ <function FetchingEngine.handle_url at 0x7f8695a136d0>
                     │    └ <opal_common.fetcher.engine.fetching_engine.FetchingEngine object at 0x7f86957a4d60>
                     └ <opal_client.data.fetcher.DataFetcher object at 0x7f86957a62f0>
  File "/usr/local/lib/python3.10/site-packages/opal_common-0.3.1-py3.10.egg/opal_common/fetcher/engine/fetching_engine.py", line 114, in handle_url
    await asyncio.wait_for(wait_event.wait(), timeout)
          │       │        │          │       └ 10
          │       │        │          └ <function Event.wait at 0x7f8697937f40>
          │       │        └ <asyncio.locks.Event object at 0x7f86915cf310 [unset]>
          │       └ <function wait_for at 0x7f8697936dd0>
          └ <module 'asyncio' from '/usr/local/lib/python3.10/asyncio/__init__.py'>
  File "/usr/local/lib/python3.10/asyncio/tasks.py", line 458, in wait_for
    raise exceptions.TimeoutError() from exc
          │          └ <class 'asyncio.exceptions.TimeoutError'>
          └ <module 'asyncio.exceptions' from '/usr/local/lib/python3.10/asyncio/exceptions.py'>

asyncio.exceptions.TimeoutError
2022-11-13T13:31:24.956714+0000 | opal_client.data.updater                |ERROR  | Failed to fetch url http://authz-opal-data-api:3000/data-api/user_5d48a21cdda60600237e0648, got exception: 
2022-11-13T13:31:24.957016+0000 | opal_client...base_policy_store_client  |ERROR  | OPA transaction failed, transaction id=9a417880e5ab4837a2f82b5e294ee24f, actions=[], error=None
2022-11-13T13:31:35.880410+0000 | uvicorn.protocols.http.httptools_impl   | INFO  | 10.155.7.102:46604 - "GET /healthcheck HTTP/1.1" 200
r
Hey Dor, It looks like you are trying to fetch data from http://authz-opal-data-api:3000 and getting timeout. Is it an internal k8s service ? Maybe you would want to use the K8s’ service FQDN - <svc_name>.<namespace>.cluster.local
also, is 3000 the right port ? is it exposed ?
d
i'm able to curl that url from within the pod by running "kubectl -it ..."
r
Can you share the curl that works for you ?
a
yep @Dor Alon it would really help to share the full curl command that works
d
curl http://authz-opal-data-api:3000/data-api/user_5d48a21cdda60600237e0648
a
@Raz Co any ideas? it should work the same way. did you try nslookup from within the pod? just to make sure the dns works?
d
if curl works, the dns works
r
True, might it be a large response that takes more than 10 sec ?
a
oh yes, it might also be a timeout
d
the response is small and very fast
opal@opal-client-2mc5d:/opal$ curl http://authz-opal-data-api:3000/data-api/user_5d48a21cdda60600237e0648
{"roles":["role1","role2"],"bundles":["bundle4"],"resources_scope":{"listings":["12345","1234","1111","2222"]},"roles_scope":{"role1":["grn:guesty:listings/12345","grn:guesty:listings/1234","grn:guesty:listings/1111","grn:guesty:listings/2222"],"role2":["grn:guesty:listings/12345"]}}
opal client is deployed as k8s daemon set, any chance that might matter ?
r
I’m pretty sure it doesn’t really matter.
I would check if the authz-opal-data-api is receiving any request to understand where the request fails
d
no GET requests were received at authz-opal-data-api
any chance you disregard the "save_method" parameter in the update request ?
@Raz Co @Asaf Cohen any idea why this happens ?
a
oh @Dor Alon i think i understand
you need to pass the type of http method inside the config of the data source, not as the save method
let me find you an example
instead of this:
{
  "entries": [
    {
      "url": "http://authz-opal-data-api:3000/data-api/user_5d48a21cdda60600237e0648",
      "topics": [
        "policy_data"
      ],
      "dst_path": "/user_5d48a21cdda60600237e0648",
      "save_method": "GET"
    }
  ]
}
do this:
{
    "entries": [
        {
            "url": "http://authz-opal-data-api:3000/data-api/user_5d48a21cdda60600237e0648",
            "topics": ["policy_data"],
            "dst_path": "/user_5d48a21cdda60600237e0648",
            "config": { // this is an instance of HttpFetcherConfig
                "method": "get"
                // "headers": { another example
                //     ...
                // }
            }
        }
    ]
}
the config key inside an entry is passed directly to the fetcher (in this case the http fetcher)
the save_method key (which is outside the config) affects the method we use to call the OPA api to store the data returned from the fetcher
d
it still fails the same way, but it doesn't seem to wait 10 seconds as before
a
do you see the request now (getting to your server?)
d
no
a
can you resend the new stack trace?
or is it the same, simply faster?
d
from opal client ?
a
yes
also attach the new update request you are sending.
d
2022-11-13T15:28:30.052463+0000 | opal_client.data.rpc                    | INFO  | Received notification of event: policy_data
2022-11-13T15:28:30.052827+0000 | opal_client.data.updater                | INFO  | Updating policy data, reason: None
2022-11-13T15:28:30.053125+0000 | opal_client.data.updater                | INFO  | Triggering data update with id: d24fc44901664b83b03008debaad6d99
2022-11-13T15:28:30.053280+0000 | opal_client.data.updater                | INFO  | Fetching policy data
2022-11-13T15:28:30.053450+0000 | opal_client.data.fetcher                | INFO  | Fetching data from url: http://authz-opal-data-api:3000/data-api/user_5d48a21cdda60600237e0648
2022-11-13T15:28:35.880695+0000 | uvicorn.protocols.http.httptools_impl   | INFO  | 10.155.7.102:52124 - "GET /healthcheck HTTP/1.1" 200
2022-11-13T15:28:40.054390+0000 | opal_client.data.fetcher                |ERROR  | Timeout while fetching url: http://authz-opal-data-api:3000/data-api/user_5d48a21cdda60600237e0648
Traceback (most recent call last):

  File "/usr/local/lib/python3.10/asyncio/locks.py", line 214, in wait
    await fut
          └ <Future cancelled>

asyncio.exceptions.CancelledError


During handling of the above exception, another exception occurred:


Traceback (most recent call last):

  File "/usr/local/lib/python3.10/asyncio/tasks.py", line 456, in wait_for
    return fut.result()
           │   └ <method 'result' of '_asyncio.Task' objects>
           └ <Task cancelled name='Task-21123' coro=<Event.wait() done, defined at /usr/local/lib/python3.10/asyncio/locks.py:201>>

asyncio.exceptions.CancelledError


The above exception was the direct cause of the following exception:


Traceback (most recent call last):

  File "/usr/local/bin/gunicorn", line 33, in <module>
    sys.exit(load_entry_point('gunicorn==20.1.0', 'console_scripts', 'gunicorn')())
    │   │    └ <function importlib_load_entry_point at 0x7f8698c52cb0>
    │   └ <built-in function exit>
    └ <module 'sys' (built-in)>
  File "/usr/local/lib/python3.10/site-packages/gunicorn/app/wsgiapp.py", line 67, in run
    WSGIApplication("%(prog)s [OPTIONS] [APP_MODULE]").run()
    └ <class 'gunicorn.app.wsgiapp.WSGIApplication'>
  File "/usr/local/lib/python3.10/site-packages/gunicorn/app/base.py", line 231, in run
    super().run()
  File "/usr/local/lib/python3.10/site-packages/gunicorn/app/base.py", line 72, in run
    Arbiter(self).run()
    │       └ <gunicorn.app.wsgiapp.WSGIApplication object at 0x7f8698c33cd0>
    └ <class 'gunicorn.arbiter.Arbiter'>
  File "/usr/local/lib/python3.10/site-packages/gunicorn/arbiter.py", line 202, in run
    self.manage_workers()
    │    └ <function Arbiter.manage_workers at 0x7f86980eed40>
    └ <gunicorn.arbiter.Arbiter object at 0x7f8697fcad40>
  File "/usr/local/lib/python3.10/site-packages/gunicorn/arbiter.py", line 551, in manage_workers
    self.spawn_workers()
    │    └ <function Arbiter.spawn_workers at 0x7f86980eee60>
    └ <gunicorn.arbiter.Arbiter object at 0x7f8697fcad40>
  File "/usr/local/lib/python3.10/site-packages/gunicorn/arbiter.py", line 622, in spawn_workers
    self.spawn_worker()
    │    └ <function Arbiter.spawn_worker at 0x7f86980eedd0>
    └ <gunicorn.arbiter.Arbiter object at 0x7f8697fcad40>
  File "/usr/local/lib/python3.10/site-packages/gunicorn/arbiter.py", line 589, in spawn_worker
    worker.init_process()
    │      └ <function UvicornWorker.init_process at 0x7f86965740d0>
    └ <uvicorn.workers.UvicornWorker object at 0x7f869690beb0>
  File "/usr/local/lib/python3.10/site-packages/uvicorn/workers.py", line 66, in init_process
    super(UvicornWorker, self).init_process()
          │              └ <uvicorn.workers.UvicornWorker object at 0x7f869690beb0>
          └ <class 'uvicorn.workers.UvicornWorker'>
  File "/usr/local/lib/python3.10/site-packages/gunicorn/workers/base.py", line 142, in init_process
    self.run()
    │    └ <function UvicornWorker.run at 0x7f8696574280>
    └ <uvicorn.workers.UvicornWorker object at 0x7f869690beb0>
  File "/usr/local/lib/python3.10/site-packages/uvicorn/workers.py", line 83, in run
    return asyncio.run(self._serve())
           │       │   │    └ <function UvicornWorker._serve at 0x7f86965741f0>
           │       │   └ <uvicorn.workers.UvicornWorker object at 0x7f869690beb0>
           │       └ <function run at 0x7f8697b11870>
           └ <module 'asyncio' from '/usr/local/lib/python3.10/asyncio/__init__.py'>
  File "/usr/local/lib/python3.10/asyncio/runners.py", line 44, in run
    return loop.run_until_complete(main)
           │    │                  └ <coroutine object UvicornWorker._serve at 0x7f8695478740>
           │    └ <method 'run_until_complete' of 'uvloop.loop.Loop' objects>
           └ <uvloop.Loop running=True closed=False debug=False>
> File "/usr/local/lib/python3.10/site-packages/opal_client-0.3.1-py3.10.egg/opal_client/data/fetcher.py", line 70, in handle_url
    response = await self._engine.handle_url(url, config=config)
                     │    │       │          │           └ None
                     │    │       │          └ 'http://authz-opal-data-api:3000/data-api/user_5d48a21cdda60600237e0648'
                     │    │       └ <function FetchingEngine.handle_url at 0x7f8695a136d0>
                     │    └ <opal_common.fetcher.engine.fetching_engine.FetchingEngine object at 0x7f86957a4d60>
                     └ <opal_client.data.fetcher.DataFetcher object at 0x7f86957a62f0>
  File "/usr/local/lib/python3.10/site-packages/opal_common-0.3.1-py3.10.egg/opal_common/fetcher/engine/fetching_engine.py", line 114, in handle_url
    await asyncio.wait_for(wait_event.wait(), timeout)
          │       │        │          │       └ 10
          │       │        │          └ <function Event.wait at 0x7f8697937f40>
          │       │        └ <asyncio.locks.Event object at 0x7f8690ff7b50 [unset]>
          │       └ <function wait_for at 0x7f8697936dd0>
          └ <module 'asyncio' from '/usr/local/lib/python3.10/asyncio/__init__.py'>
  File "/usr/local/lib/python3.10/asyncio/tasks.py", line 458, in wait_for
    raise exceptions.TimeoutError() from exc
          │          └ <class 'asyncio.exceptions.TimeoutError'>
          └ <module 'asyncio.exceptions' from '/usr/local/lib/python3.10/asyncio/exceptions.py'>

asyncio.exceptions.TimeoutError
2022-11-13T15:28:40.057551+0000 | opal_client.data.updater                |ERROR  | Failed to fetch url http://authz-opal-data-api:3000/data-api/user_5d48a21cdda60600237e0648, got exception: 
2022-11-13T15:28:40.057920+0000 | opal_client...base_policy_store_client  |ERROR  | OPA transaction failed, transaction id=d24fc44901664b83b03008debaad6d99, actions=[], error=None
2022-11-13T15:28:50.881306+0000 | uvicorn.protocols.http.httptools_impl   | INFO  | 10.155.7.102:58760 - "GET /healthcheck HTTP/1.1" 200
curl --location --request POST '10.155.11.1:7002/data/config' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9' \
--header 'Content-Type: application/json' \
--data-raw '{
  "entries": [
    {
      "url": "http://authz-opal-data-api:3000/data-api/user_5d48a21cdda60600237e0648",
      "topics": ["policy_data"],
      "dst_path": "/user_5d48a21cdda60600237e0648",
      "config": { "method": "GET"}
    }
  ]
}'
a
Just to cover my bases @Dor Alon can you try the same request with the method “get” instead of “GET”?
The symbol is lowercase inside the enum
d
already did, and it is the same
a
That is very strange, might be something else. Maybe we can schedule a call and try to help you 1:1?
d
sure, when are you available ?
a
I prefer @Ori Shavit to join, so tomorrow pretty much all day works.
d
I'm available tomorrow all day as well, feel free to send me a meeting invite dor.alon@guesty.com
btw. the initial data loading from the same url works
it is not the scenario I had. how can opal client recover from an error on loading the initial data at startup ?
a
Hey @Dor Alon, do you mean the issue persists? or do you know the cause?
d
1. how can opal client recover from an error on loading the initial data at startup ? 2. how can I control the initial data load timeout and retries count ?
a
1. Currently we are solving that with retries. We did think of a new feature where we can have a fallback bundle, but we did not get around to implementing it yet. BTW If you wish to contribute that back we'd be happy to guide you 🙂 2. mm there should be a way to do it, @Ori Shavit can you take a look at the config and help @Dor Alon?
d
@Asaf Cohen I think I understand the scenario: 1. opal client is unable to load the policy data on startup 2. the data is loaded successfully on one of the retries 3. it is impossible to update data
a
Mmm just to be clear @Dor Alon - we saw updates were working this morning in our zoom meeting. You are saying that you have reset all the pods and now data updates are still not working? --- (if this is the case i suggest we schedule the zoom meeting with @Shaul Kremer and @Ori Shavit as we discussed)
d
when I deleted all the pods at the same time, all the new pods tried to get the initial data at the same time and timed out. after a few retries the data was fetched. when trying to do rest api data update I get a timeout
a
@Ori Shavit can you schedule a meeting for the 3 of you? (also invite @Dor Alon and @Shaul Kremer)
o
sure thing. @Dor Alon - when are you available?
d
tomorrow @ 10:00 or 13:00 ?
o
let's do 1pm, I'll send the invite
πŸ‘ 1
d
@Ori Shavit do you guys have an ETA for the health check fix I've asked for ? I can't deploy to production before it is fixed
@Asaf Cohen @Raz Co
a
Hey @Dor Alon we will reply shortly cc @Ori Shavit
o
Hey @Dor Alon, we are aiming to have this released by the end of the week.
d
@Ori Shavit thanks
o
Hey @Dor Alon, we're working on it! We need a couple more days for this to work perfectly, but it should be released early next week.
d
@Ori Shavit do you have an ETA ?
a
Hey @Dor Alon we have a fix merged in OPAL master, i will push the images to docker hub today, but if you don't want to wait you can build the images from the repo directly
d
thanks
@Asaf Cohen did you push to docker hub ?
aren't you going to bump opal version ?
a
Hey @Dor Alon sorry for the delay, we will do it today.
d
thanks
sorry again for the delay
d
thanks
@Asaf Cohen I can't deploy v0.4.0-rc do I need to change some configuration like environment variables ?
I'm using http://<ip>:7002/healthcheck for opal server, it worked on v0.3.1 please advise
a
Hey @Dor Alon the change @Ori Shavit made will cause OPAL client to return 503 in the healthcheck until the OPA agent got all the data. You should probably change your healthcheck settings to be more forgiving (i.e: wait at least 30-60 seconds before killing the container)
did you try that? do you get a different error? did you try running the image in docker compose?
@Ori Shavit is unavailable today, help me understand the issue and i will fix it for you 🙂
d
did something change in opal server ?
a
nothing that should affect you, what is the error you are getting in the logs?
i'm running this and it works ok:
version: "3.8"
services:
  # When scaling the opal-server to multiple nodes and/or multiple workers, we use
  # a *broadcast* channel to sync between all the instances of opal-server.
  # Under the hood, this channel is implemented by encode/broadcaster (see link below).
  # At the moment, the broadcast channel can be either: postgresdb, redis or kafka.
  # The format of the broadcaster URI string (the one we pass to opal server as `OPAL_BROADCAST_URI`) is specified here:
  # https://github.com/encode/broadcaster#available-backends
  broadcast_channel:
    image: postgres:alpine
    environment:
      - POSTGRES_DB=postgres
      - POSTGRES_USER=postgres
      - POSTGRES_PASSWORD=postgres
  opal_server:
    # by default we run opal-server from latest official image
    image: permitio/opal-server:0.4.0-rc
    environment:
      # the broadcast backbone uri used by opal server workers (see comments above for: broadcast_channel)
      - OPAL_BROADCAST_URI=postgres://postgres:postgres@broadcast_channel:5432/postgres
      # number of uvicorn workers to run inside the opal-server container
      - UVICORN_NUM_WORKERS=4
      # the git repo hosting our policy
      # - if this repo is not public, you can pass an ssh key via `OPAL_POLICY_REPO_SSH_KEY`)
      # - the repo we pass in this example is *public* and acts as an example repo with dummy rego policy
      # - for more info, see: https://docs.opal.ac/tutorials/track_a_git_repo
      - OPAL_POLICY_REPO_URL=https://github.com/permitio/opal-example-policy-repo
      # in this example we will use a polling interval of 30 seconds to check for new policy updates (git commits affecting the rego policy).
      # however, it is better to utilize a git *webhook* to trigger the server to check for changes only when the repo has new commits.
      # for more info see: https://docs.opal.ac/tutorials/track_a_git_repo
      - OPAL_POLICY_REPO_POLLING_INTERVAL=30
      # configures from where the opal client should initially fetch data (when it first goes up, after disconnection, etc).
      # the data sources represents from where the opal clients should get a "complete picture" of the data they need.
      # after the initial sources are fetched, the client will subscribe only to update notifications sent by the server.
      - OPAL_DATA_CONFIG_SOURCES={"config":{"entries":[{"url":"http://opal_server:7002/policy-data","topics":["policy_data"],"dst_path":"/static"}]}}
      - OPAL_LOG_FORMAT_INCLUDE_PID=true
    ports:
      # exposes opal server on the host machine, you can access the server at: http://localhost:7002
      - "7002:7002"
    depends_on:
      - broadcast_channel
  opal_client:
    # by default we run opal-client from latest official image
    image: permitio/opal-client:0.4.0-rc
    environment:
      - OPAL_SERVER_URL=http://opal_server:7002
      - OPAL_LOG_FORMAT_INCLUDE_PID=true
      - OPAL_INLINE_OPA_LOG_FORMAT=http
    ports:
      # exposes opal client on the host machine, you can access the client at: http://localhost:7766
      - "7766:7000"
      # exposes the OPA agent (being run by OPAL) on the host machine
      # you can access the OPA api that you know and love at: http://localhost:8181
      # OPA api docs are at: https://www.openpolicyagent.org/docs/latest/rest-api/
      - "8181:8181"
    depends_on:
      - opal_server
    # this command is not necessary when deploying OPAL for real, it is simply a trick for dev environments
    # to make sure that opal-server is already up before starting the client.
    command: sh -c "./wait-for.sh opal_server:7002 --timeout=20 -- ./start.sh"
d
I'm getting the following error when running opal server in k8s
exec ./start.sh: exec format error
do you have a version change log ?
a
i know the dockerfile went through a bunch of changes, and it might be the reason
@Raz Co can you please follow up here? we need to try and figure out why this OPAL image does not run in k8s
r
Sure, i’ll connect to this shortly 🙂
a
i would look at the dockerfile first for clues, there were a bunch of PRs from the community that might have changed things a bit
r
Hey @Dor Alon, apologies for the delay, had a busy day. Are you using an M1 or any ARM based computer ? Anyway, make sure you are pulling the right image, with the right arch. You can check the pulled image arch with docker image inspect <IMAGE NAME>
d
which worked for 0.3.1
r
As you can see here this tag is only linux/arm/v8. Try to run it on m1 instance or you can build the dockerfile as amd arch.
d
when are you going to release 0.4.0 ?
a
Hey @Dor Alon we are probably going to release the full 0.4.0 later this week or next week. Sorry for the issue with the image, i will try to build you another variant later today (linux/amd)
please note it's now 0.4.0-rc1
it should work on your cpu architecture now
d
thanks