About high availability deployments #3135

Closed
andyyumiao opened this issue Feb 9, 2021 · 3 comments
andyyumiao commented Feb 9, 2021

As the title says, we want to use OPA in our production environment. A large number of applications, services and data in our production environment need to be connected to OPA, which means that there are millions of policies and data that need to be written and maintained; at the same time, these policies and data will be updated frequently. Therefore, we must use the high availability deployment mode (use a bundle server), but we have a few questions:

  1. In the bundle server, should we put millions of policy files in one bundle.tar.gz (full load)? If so, this packet will be very large (as there are millions of policies and data in our production environment), and in this way policy synchronization will be slow. So does OPA support incremental updates? That is, when a part of the policy (or data) changes, only the policy (or data) file of this part will be updated? That is, to use different bundle packages instead of one.

  2. The bundle.tar.gz will be updated regularly. Even if there is no policy change, the bundle package will be downloaded regularly. This will cause many invalid requests. However, we only want to download the bundle package when we add or modify the policy or data file. How can we solve this?

@anderseknert
Member

The most common form of deployment for OPA is to deploy one instance per service, or even one instance per replica of the service. That service would then only pull bundles from the bundle service which is relevant to the service. So if you have, say 10 microservices, you would have different OPAs deployed for each of them, with 10 different endpoints at the bundle server each serving a bundle unique to its respective service.

Issue #1055 proposes some ideas around incremental updates on bundles, so you may want to track that for updates.

As for your second point - the bundle API supports caching through the HTTP ETag/If-None-Match headers, so unless the bundle server signals that a bundle has changed, OPA won't download it.
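
The ETag/If-None-Match exchange described in the reply above, as an added example (not code from OPA or from this thread): a minimal bundle server with one endpoint per service, plus a polling client. The `/bundles/<service>.tar.gz` layout, the `BUNDLES` store and all function names are assumptions made for illustration.

```python
import hashlib, io, tarfile, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

BUNDLES = {}  # hypothetical store: service name -> bundle bytes

def make_bundle(files):  # pack {path: bytes} into an in-memory .tar.gz
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def etag_for(body):  # content-derived, so it changes only when the bundle does
    return '"%s"' % hashlib.sha256(body).hexdigest()

class BundleHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Assumed layout: /bundles/<service>.tar.gz, one endpoint per service.
        prefix, suffix = "/bundles/", ".tar.gz"
        ok = self.path.startswith(prefix) and self.path.endswith(suffix)
        body = BUNDLES.get(self.path[len(prefix):-len(suffix)]) if ok else None
        if body is None:
            return self.send_error(404)
        etag = etag_for(body)
        # Exact match only; a full server would also parse ETag lists and "*".
        unchanged = self.headers.get("If-None-Match") == etag
        self.send_response(304 if unchanged else 200)
        self.send_header("ETag", etag)
        if not unchanged:
            self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if not unchanged:
            self.wfile.write(body)

def start_server():
    server = ThreadingHTTPServer(("127.0.0.1", 0), BundleHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def fetch(url, etag=None):
    """Conditional GET as a polling client would issue it: (status, etag, body)."""
    req = urllib.request.Request(url, headers={"If-None-Match": etag} if etag else {})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.headers["ETag"], resp.read()
    except urllib.error.HTTPError as err:  # urllib raises on 304 and 404
        return err.code, err.headers.get("ETag"), b""
```

A poll that presents the last ETag it received costs one header-only 304 round trip; the bundle body is transferred only after the stored bytes for that service change.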

@anderseknert
Member

Hi @andyyumiao ! Anything left unanswered here or should we close this ticket?

@andyyumiao
Author

> Hi @andyyumiao ! Anything left unanswered here or should we close this ticket?

OK, it can solve my problem, thanks for your reply.
