-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Relax config check when Discovery is enabled #5722
Comments
Related: #5070 (not a duplicate, but if I'm reading things right, fixing this would likely fix that too, so adding here for tracking) |
PR #5314 already did some work on this and left it to the plugins what can be overridden (my assumption was that some things should just not be overridable but that might be wrong). It uses the same merge values method that is used by the command line‘s |
Since this is removed from planning and we are hit by this: Is there agreement on doing it as described?
The linked PR does no. 1 but is more specific, i.e some conditions would need to be removed. What is missing is essentially the delta tracking and publishing this via status API |
@mjungsbluth we've mostly seen this request come from Styra DAS users, however, since Styra DAS now supports the ability to override the discovery config (via the API) we decided to deprioritize the work in OPA. Here is a link to the Styra DAS docs that show how to override the discovery config: https://docs.styra.com/das/policies/policy-organization/systems/opa-discovery#add-or-override-a-value-in-discovery-configuration. |
@tsandall understood and I have seen that change which mitigates the problem for now. |
Previously if Discovery was enabled, other features like bundle downloading and status reporting could not be configured manually. The reason for this was to prevent OPAs being deployed that could not be controlled through discovery. It's possible that the system serving the discovered config is unaware of all options locally available in OPA. Hence, we relax the configuration check when discovery is enabled so that the bootstrap configuration can contain plugin configurations. In case of conflicts, the bootstrap configuration for plugins wins. These local configuration overrides from the bootstrap configuration are included in the Status API messages so that management systems can get visibility into the local overrides. **In general, the bootstrap configuration overrides the discovered configuration.** Previously this was not the case for all configuration fields. For example, if the discovered configuration changes the `labels` section, only labels that are additional compared to the bootstrap configuration are used, all other changes are ignored. This implies labels in the bootstrap configuration override those in the discovered configuration. But for fields such as `default_decision`, `default_authorization_decision`, `nd_builtin_cache`, the discovered configuration would override the bootstrap configuration. Now the behavior is more consistent for the entire configuration and helps to avoid accidental configuration errors. Fixes: open-policy-agent#5722 Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
Previously if Discovery was enabled, other features like bundle downloading and status reporting could not be configured manually. The reason for this was to prevent OPAs being deployed that could not be controlled through discovery. It's possible that the system serving the discovered config is unaware of all options locally available in OPA. Hence, we relax the configuration check when discovery is enabled so that the bootstrap configuration can contain plugin configurations. In case of conflicts, the bootstrap configuration for plugins wins. These local configuration overrides from the bootstrap configuration are included in the Status API messages so that management systems can get visibility into the local overrides. **In general, the bootstrap configuration overrides the discovered configuration.** Previously this was not the case for all configuration fields. For example, if the discovered configuration changes the `labels` section, only labels that are additional compared to the bootstrap configuration are used, all other changes are ignored. This implies labels in the bootstrap configuration override those in the discovered configuration. But for fields such as `default_decision`, `default_authorization_decision`, `nd_builtin_cache`, the discovered configuration would override the bootstrap configuration. Now the behavior is more consistent for the entire configuration and helps to avoid accidental configuration errors. Fixes: open-policy-agent#5722 Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
Previously if Discovery was enabled, other features like bundle downloading and status reporting could not be configured manually. The reason for this was to prevent OPAs being deployed that could not be controlled through discovery. It's possible that the system serving the discovered config is unaware of all options locally available in OPA. Hence, we relax the configuration check when discovery is enabled so that the bootstrap configuration can contain plugin configurations. In case of conflicts, the bootstrap configuration for plugins wins. These local configuration overrides from the bootstrap configuration are included in the Status API messages so that management systems can get visibility into the local overrides. **In general, the bootstrap configuration overrides the discovered configuration.** Previously this was not the case for all configuration fields. For example, if the discovered configuration changes the `labels` section, only labels that are additional compared to the bootstrap configuration are used, all other changes are ignored. This implies labels in the bootstrap configuration override those in the discovered configuration. But for fields such as `default_decision`, `default_authorization_decision`, `nd_builtin_cache`, the discovered configuration would override the bootstrap configuration. Now the behavior is more consistent for the entire configuration and helps to avoid accidental configuration errors. Fixes: open-policy-agent#5722 Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
Previously if Discovery was enabled, other features like bundle downloading and status reporting could not be configured manually. The reason for this was to prevent OPAs being deployed that could not be controlled through discovery. It's possible that the system serving the discovered config is unaware of all options locally available in OPA. Hence, we relax the configuration check when discovery is enabled so that the bootstrap configuration can contain plugin configurations. In case of conflicts, the bootstrap configuration for plugins wins. These local configuration overrides from the bootstrap configuration are included in the Status API messages so that management systems can get visibility into the local overrides. **In general, the bootstrap configuration overrides the discovered configuration.** Previously this was not the case for all configuration fields. For example, if the discovered configuration changes the `labels` section, only labels that are additional compared to the bootstrap configuration are used, all other changes are ignored. This implies labels in the bootstrap configuration override those in the discovered configuration. But for fields such as `default_decision`, `default_authorization_decision`, `nd_builtin_cache`, the discovered configuration would override the bootstrap configuration. Now the behavior is more consistent for the entire configuration and helps to avoid accidental configuration errors. Fixes: #5722 Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
Currently OPA does not allow users to supply plugin config when Discovery is enabled. The reason for this was to prevent OPAs being deployed that could not be controlled through discovery. In some cases though we've found that the user deploying OPA must be able to make local overrides even when discovery is in place, e.g., because the system serving the discovery config is unaware of all options available in OPA.
To address this we can relax the configuration check when discovery is enabled so that the bootstrap configuration can contain plugin configs. In case of conflicts, the bootstrap configuration for plugins should win. These local configuration overrides from the bootstrap configuration could be included in the Status API messages so that management systems can at least visibility into the local overrides.
For example, to enable console decision logging when an
opa-config.yaml
relies on discovery, the user would just need to:The text was updated successfully, but these errors were encountered: