Open Policy Agent
OPA deployment split brain #456
-
|
We moved our deployment from a single instance deployment on an EC2 instance which had a single OPA service on each EC2 instance to k8s. In the new architecture we move to k8s and we would like to have at least 2 instances of OPA service on the cluster. What is the right solution for this kind of architecture? |
Beta Was this translation helpful? Give feedback.
Replies: 4 comments 1 reply
-
|
Maybe try OPAL (https://github.com/permitio/opal) ? |
Beta Was this translation helpful? Give feedback.
-
|
Since you already have a custom service to update OPA instances, you might also be interested to look into the Delta Bundle functionality: https://www.openpolicyagent.org/docs/latest/management-bundles/#delta-bundles. It wouldn't be a REST call, but would allow fast updates many OPA instances. |
Beta Was this translation helpful? Give feedback.
-
|
I was thinking that since, I already have the custom service I can use it as the "bundle service API" and expose a new bundle API. |
Beta Was this translation helpful? Give feedback.
-
|
👍 depending on how quickly you need the updates, you might not even need delta bundles. Here's an example implementation that might be useful: https://github.com/ashutosh-narkar/example-delta-bundle-server |
Beta Was this translation helpful? Give feedback.
-
|
Styra -- the creators and maintainers of OPA -- Also have a commercial product called Enterprise OPA with a bunch of pre-written data source integrations that will be able to fetch data out of the box. Here's a tutorial for using Kafka https://docs.styra.com/enterprise-opa/tutorials/kafka |
Beta Was this translation helpful? Give feedback.
Maybe try OPAL (https://github.com/permitio/opal) ?
You can use it's event-driven nature to update both OPA instances from a single endpoint, and it provides health-checks, readiness policy, and callbacks to track the state of each of the OPA instances