Allow persisting discovery bundles #2886
Comments
|
We should support persistence of discovery bundles because otherwise the persistence feature doesn't work when discovery is used (e.g., the OPA would start, attempt to download a discovery bundle, and then fail and remain inoperable.) The implementation should just persist the discovery bundle like any other one (i.e., there's no need to persist the configuration produced by the discovery bundle.) |
|
@ashutosh-narkar could you take a look and see how much work this would be? |
Right, what I meant was that if the discovery bundle has configuration to download other bundles those should also be persisted if the discovery bundle bootstrap config has the |
|
I'd just have the discovered configuration specify the |
|
The discovered configuration is not necessarily even managed by the OPA admin, but rather the "bundle server admin". If I configure my OPA bootstrap config with Even when these two admins are the same person, having to administer this in two disparate systems sounds less than ideal. (..additionally, our current bundle server of choice does not provide us with options to meddle with the configuration provided in discovery bundles, so unless that feature was added in that product too, this would not be available to us) |
|
That sounds like a limitation in the bundle server of choice that ought to be addressed... RE: the implementation, I'm advocating for the option with the least amount of magic/implicit behaviour. I don't know how common the separation of duty between "OPA admin" and "bundle server admin" is. It sounds especially odd when Discovery is enabled since that means that all the "OPA admin" is doing is enabling Discovery--the "bundle server admin" would be in complete control of the discovered configuration so the "OPA admin" is really not in control. My guess is that this stems from the limitation in the bundle service you mentioned... |
|
I can kinda get behind the no magic / implicit behavior from a developers point of view, but as an "OPA admin" I'm mainly interested in knowing that I can trust the config I provide will do what I intended, and if I say "persist my bundles" in hopes I can start OPA in a last known working state, it's hard to see the appeal of having that option scattered over many places - especially so given how saving something to local disk feels like a decision to make.. well, locally. The bundle server admin does not control the level of which logs should be written to console, and to me this feels like it's in the same category. Is there even a use case for configuring say 2 out of 3 bundles with Oh well, if that's not the direction this will take, I'll make sure to at least file a feature request to have this supported in our bundle server. |
We could add a global "persist my bundles" option to the bootstrap config however the same could be said for any of the other config setting (e.g., verification keys). I'd like to avoid the problem of merging config/desired state from multiple sources (in this case the bootstrap config and the discovered config) because that always causes headaches. Putting as little information as possible in the bootstrap config helps ensure that a central service can manage as much of the OPA instance as possible. As far as logging and other server settings go...there is no good reason for them being outside of the rest of the config. |
|
Thanks Torin! This isn't the hill I'm planning to die on ( 😄 ), so I'll have a chat with our dear bundle server provider to have this feature taken into account from their end, and I'm looking forward to seeing the discovery bundle included in the persist options on the OPA side 👍 |
tsandall
added
distribution
Fixes open-policy-agent#2886 Signed-off-by: Ashutosh Narkar <[email protected]>
Fixes open-policy-agent#2886 Signed-off-by: Ashutosh Narkar <[email protected]>
Fixes open-policy-agent#2886 Signed-off-by: Ashutosh Narkar <[email protected]>
…disk This commit adds support to persist and load discovery bundle from disk. Only the discovery bundle itself is persisted and not the configuration produced by the discovery bundle. A new field is introduced in OPA's discovery configuration that can be optionally set to enable OPA to write and read the discovery bundle from disk. This feature would enable OPA to evaluate the discovery bundle in scenarios where it is unable to communicate with the bundle server on start-up. Fixes open-policy-agent#2886 Signed-off-by: Ashutosh Narkar <[email protected]>
…disk This commit adds support to persist and load discovery bundle from disk. Only the discovery bundle itself is persisted and not the configuration produced by the discovery bundle. A new field is introduced in OPA's discovery configuration that can be optionally set to enable OPA to write and read the discovery bundle from disk. This feature would enable OPA to evaluate the discovery bundle in scenarios where it is unable to communicate with the bundle server on start-up. Fixes open-policy-agent#2886 Signed-off-by: Ashutosh Narkar <[email protected]>
…disk This commit adds support to persist and load discovery bundle from disk. Only the discovery bundle itself is persisted and not the configuration produced by the discovery bundle. A new field is introduced in OPA's discovery configuration that can be optionally set to enable OPA to write and read the discovery bundle from disk. This feature would enable OPA to evaluate the discovery bundle in scenarios where it is unable to communicate with the bundle server on start-up. Fixes #2886 Signed-off-by: Ashutosh Narkar <[email protected]>
With systems configured with discovery, it would be great if the new
persistoption was available to persist both the discovery bundle itself, as well as any from discovery config included bundles, in case the remote service was unreachable when re-starting an OPA instance.For the configured policy bundles, I suppose one could add
persist: truein the config provided by the discovery bundle, but whether to persist bundles feels more like a decision to make locally (like log level) than something that should be centrally managed. Havingpersist: truein the bootstrap configuration would thus be desirable.The text was updated successfully, but these errors were encountered: