Flag to fail OPA runtime if some of the bundle was not found

Question

Flag to fail OPA runtime if some of the bundle was not found

Opened this issue a month ago · 4 comments

What is the underlying problem you're trying to solve?

In our use case, it's very crucial to load all bundles on OPA startup. Whenever error happens, we need to handle it the way we want, and not just see it in logs.

Describe the ideal solution

In OPA runtime golang lib, when we start a server, I want to panic, if some of my bundles fail to load.

Now I see error log like this:

{"level":"error","msg":"Bundle load failed: server replied with Not Found","name":"unsigned_policy_bundle","plugin":"bundle","time":"2024-04-23T18:56:41Z"}

But I want lib to panic, so I could catch this panic and write my logic of how to handle this error.

Describe a "Good Enough" solution

Panic if bundle load fails for whatever reason.

Answer 1 · 2024-04-24T20:39:09.000Z

In our use case, it's very crucial to load all bundles on OPA startup. Whenever error happens, we need to handle it the way we want, and not just see it in logs.

How are you deploying OPA? For example, if you use Kubernetes you can configure a readinessProbe that calls /health?bundles. This will ensure that OPA serves requests only after all bundles are activated. Also whenever bundle activation fails OPA will log the error and also send a status message with the error via the Status API . This provides visibility into OPA's status.

Panic if bundle load fails for whatever reason

OPA can be loaded with one or more bundles. So to panic if one of them fails activation does not seem appropriate. The client can use the Health API or Status API for example to get more info and behave accordingly.

Answer 2 · 2024-04-25T21:40:24.000Z

It might work, but I also noticed /health?bundles endpoint returns a general error text when one of the bundles fails to load. It would be nice to have the name of the bundle that failed to load in the error msg.

Answer 3 · 2024-04-25T22:14:26.000Z

That's probably something that can be improved.

Answer 4 · 2024-05-26T01:37:26.000Z

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days. Although currently inactive, the issue could still be considered and actively worked on in the future. More details about the use-case this issue attempts to address, the value provided by completing it or possible solutions to resolve it would help to prioritize the issue.