Document how plugin can be used with vendored and GOPATH OPA dependency. #94
Conversation
Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
There was a problem hiding this comment.
See comment on which options to expose. Other than that, LGTM.
If the go modules stuff doesn't pan out I'm wondering if we could do the .so file build inside of a container that has the dependencies setup in GOPATH. /cc @patrick-east for thoughts.
| @@ -101,6 +101,20 @@ IP/port of the Istio Ingress gateway. | |||
| curl --user bob:password -i http://$GATEWAY_URL/api/v1/products | |||
| ``` | |||
|
|
|||
| ## How to use the OPA-Istio plugin | |||
|
|
|||
| ### Option 1: Using `vendored` OPA dependency | |||
There was a problem hiding this comment.
Do we have a scenario where this option makes sense? I'm wondering if we should only recommend (1) running the opa_istio binary/container produced by the makefile or (2) building the .so file with the GOPATH option and then running with either (i) upstream OPA (of the correct version) or (ii) a custom OPA executable.
|
Maybe a dumb question, but why do we need a separate
Yea, that would work. It might even be a good opportunity to show a "best practice" or something for building opa plugins. Some scripts/tooling to have a container with golang tools+opa source at some release version and churn out plugin .so's seems useful. |
|
@patrick-east that's a good point. As part of the build process in this repo though we can still produce the |
Yea, I would definitely want to see that happen. We can turn this into only a library and remove the vendor directory (keeping the dependency yaml/toml/etc). Our build scripts for the .so file can do the container based build which does the right thing import path-wise and anyone wanting a custom binary can much more easily use the library. |
|
+1 this seems like the way to go. @ashutosh-narkar WDYT? |
|
The suggestion sounds fine but the only concern I have is that we are now telling users that if they want to use the plugin they need to have OPA cloned in their GOPATH. Today, users cannot simply use the released OPA binary to run this plugin file. So if they want to use a released OPA version or a custom OPA version, they would need to build from source. If we are sure (or want to enforce a best practice) that a OPA plugin is only a library then this suggestion makes sense. On the other hand, if someone wants to use the plugin as a standalone and does not prefer cloning OPA or is not doing any OPA development or simply wants to try it out, the current approach of generating the opa_istio is beneficial. Again I don't have enough info if users will use the plugin in this manner. If it helps we can think of making the tooling better to facilitate both usage patterns. Update on the go modules transition: Was able to migrate from glide and build the plugin. In the first scenario, built the plugin by specifying plugin.Open("opa_istio_plugin"): plugin was built with a different version of package github.com/open-policy-agent/opa/utilIn the second scenario, used the The only way to run the plugin was by creating a So it looks like the same OPA source code in the module cache is treated differently from the one in the local filesystem path (Investigating why this is the case). At this point I do not see any added benefit of transitioning to go modules imo. Found this related issue: golang/go#31354 |
:/ that's too bad. Let's ignore Go modules for now then. I think the path forward is clear then:
|
|
Removed support for Go Plugin: #139 Customize OPA: https://www.openpolicyagent.org/docs/latest/extensions/#custom-plugins-for-opa-daemon |
Signed-off-by: Ashutosh Narkar anarkar4387@gmail.com