Add support for additive updates to the services configuration when discovery is enabled #2058

Closed
tsandall opened this issue Feb 5, 2020 · 1 comment · Fixed by #2311 or #2318
@tsandall (Member)

tsandall commented Feb 5, 2020

Discovery is not currently able to update the services configuration in OPA. This was done to protect users from accidentally rendering the OPA inoperable (e.g., unable to reach the discovery service to pull down new bundles.) In some cases it would be useful to be able to add new services (e.g., when migrating from one service implementation to another.)

To enable this use case we could relax the validation done by the discovery plugin to permit additive changes to the services configuration.

@mjungsbluth (Contributor)

Apart from migrations there are two other use cases where this can be useful:

  1. Token exchange: If you are on AWS you can use the built-in AWS IAM support in OPA to avoid propagating static tokens in your infrastructure and use the discovery to exchange the information from the signed request to a bearer token to some other service. This way you don't have to do stuff like credential rotation in a distributed environment.

  2. Increase availability of Management APIs: You could run discovery as your own service but host your bundles on S3. During discovery you would return new services representing the S3 bucket(s) you want to use. In case your discovery service goes down, the OPA instances will still be able to download and refresh bundles as pretty much nothing beats the availability of S3.

@ashutosh-narkar ashutosh-narkar self-assigned this Apr 14, 2020
ashutosh-narkar added a commit to ashutosh-narkar/opa that referenced this issue Apr 17, 2020
Earlier with discovery enabled updates to the 'services' configuration
were not allowed to protect against accidental changes to the discovery service
itself. Since adding new services could be useful, this change allows modifications
to the 'services' configuration. The only exception is that the service used to download
the discovery bundle cannot be modified.

Fixes open-policy-agent#2058

Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
ashutosh-narkar added a commit that referenced this issue Apr 17, 2020
Earlier with discovery enabled updates to the 'services' configuration
were not allowed to protect against accidental changes to the discovery service
itself. Since adding new services could be useful, this change allows modifications
to the 'services' configuration. The only exception is that the service used to download
the discovery bundle cannot be modified.

Fixes #2058

Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
@tsandall tsandall reopened this Apr 17, 2020
ashutosh-narkar added a commit to ashutosh-narkar/opa that referenced this issue Apr 28, 2020
Earlier with discovery enabled, there was no protection against accidental
changes to the discovery service. This change prevents the discovery service
from being modified by checking its config in the service bundle.

Fixes open-policy-agent#2058

Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
tsandall pushed a commit that referenced this issue Apr 29, 2020
Earlier with discovery enabled, there was no protection against accidental
changes to the discovery service. This change prevents the discovery service
from being modified by checking its config in the service bundle.

Fixes #2058

Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
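
To make the rule discussed in this thread concrete, here is an added example in Go that is not OPA's own code and not how the discovery plugin is actually implemented: a self-contained check with the semantics the final commit message describes (services delivered by a discovery bundle may be added, changed or dropped, but the service the discovery bundle itself is downloaded from must stay present and unchanged), exercised against the S3 use case from the second comment. `Service`, `Config`, `ParseConfig`, `ParseServices` and `ApplyDiscoveredServices` are hypothetical names introduced here; the hostnames, bucket name and token are constructed; the JSON `credentials` shapes (`bearer.token`, `s3_signing.environment_credentials`) follow OPA's documented config keys but are reduced to the fields the check needs. The example handles only the list form of `services`, not the map-keyed-by-name form OPA also accepts, and it identifies the discovery service by `discovery.service`, falling back to the sole configured service when that key is unset.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"reflect"
)

// Service: reduced model of one entry in OPA's "services" list (same keys, fewer fields).
type Service struct {
	Name        string                 `json:"name"`
	URL         string                 `json:"url"`
	Credentials map[string]interface{} `json:"credentials,omitempty"`
}

// Config: the services list plus the discovery section, whose "service" key
// names the service the discovery bundle is downloaded from.
type Config struct {
	Services  []Service `json:"services"`
	Discovery struct {
		Name    string `json:"name"`
		Service string `json:"service,omitempty"`
	} `json:"discovery"`
}

// ParseConfig decodes a bootstrap config given as JSON (OPA also accepts YAML).
func ParseConfig(data string) (Config, error) {
	var c Config
	err := json.Unmarshal([]byte(data), &c)
	return c, err
}

// ParseServices decodes the "services" array carried by a discovery bundle.
func ParseServices(data string) ([]Service, error) {
	var s []Service
	err := json.Unmarshal([]byte(data), &s)
	return s, err
}

// discoveryService returns the service the discovery bundle is fetched from:
// the one named by discovery.service, or the only service when that is unset.
func discoveryService(c Config) (Service, error) {
	if c.Discovery.Service == "" {
		if len(c.Services) != 1 {
			return Service{}, errors.New("discovery.service must be set when more than one service is configured")
		}
		return c.Services[0], nil
	}
	for _, s := range c.Services {
		if s.Name == c.Discovery.Service {
			return s, nil
		}
	}
	return Service{}, fmt.Errorf("discovery service %q is not in the services list", c.Discovery.Service)
}

// ApplyDiscoveredServices decides whether a services list delivered by a discovery
// bundle may replace the bootstrap list: anything may change except the service that
// serves the discovery bundle (present and identical). On rejection the bootstrap
// list is returned unchanged so OPA can still reach discovery for a repaired bundle.
func ApplyDiscoveredServices(bootstrap Config, discovered []Service) ([]Service, error) {
	disc, err := discoveryService(bootstrap)
	if err != nil {
		return bootstrap.Services, err
	}
	found := false
	for _, s := range discovered {
		if s.Name != disc.Name {
			continue
		}
		found = true
		if !reflect.DeepEqual(s, disc) {
			return bootstrap.Services, fmt.Errorf("rejected: discovery service %q was modified (url %q -> %q)", disc.Name, disc.URL, s.URL)
		}
	}
	if !found {
		return bootstrap.Services, fmt.Errorf("rejected: discovery service %q was removed", disc.Name)
	}
	return discovered, nil
}

// Constructed sample input (hostnames and token are made up): bootstrap config,
// a bundle adding an S3 bundle service, and a bundle retargeting discovery.
const BootstrapJSON = `{"services": [{"name": "discovery", "url": "https://discovery.example.internal",
  "credentials": {"bearer": {"token": "bootstrap-token"}}}], "discovery": {"name": "config"}}`

const AddS3Bundle = `[{"name": "discovery", "url": "https://discovery.example.internal",
  "credentials": {"bearer": {"token": "bootstrap-token"}}},
 {"name": "s3-bundles", "url": "https://example-bundles.s3.amazonaws.com",
  "credentials": {"s3_signing": {"environment_credentials": {}}}}]`

const RetargetBundle = `[{"name": "discovery", "url": "https://attacker.example.net"}]`

func main() {
	boot, _ := ParseConfig(BootstrapJSON) // constant input, parse errors impossible here
	for _, bundle := range []string{AddS3Bundle, RetargetBundle} {
		svcs, _ := ParseServices(bundle)
		got, err := ApplyDiscoveredServices(boot, svcs)
		fmt.Printf("services in effect: %d, err: %v\n", len(got), err)
	}
}
```

Running it accepts the first bundle (two services in effect, the S3 bucket added alongside the untouched discovery service) and rejects the second, keeping the bootstrap list. The comparison is a full `reflect.DeepEqual` on the discovery entry rather than a URL-only check, so a bundle that keeps the URL but swaps the credentials block is rejected as well; that matters because the same check that guards against an accidental lock-out also bounds what a compromised or mis-published bundle can do to the instance's link back to its control plane.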