opal-helm-chart's People

Contributors

aandriyenko, asafc, avo-sepp, bgiarrizzo, eshepelyuk, gitolicious, hongbo-miao, jayanthvhavle, mittalsuraj18, orweis, philipclaesson, priyaadama, razcodev, roekatz

opal-helm-chart's Issues

enableServiceLink option not available in chart template

Upgrading from version 0.0.8 to 0.0.9 fails with the error
ValueError: invalid literal for int() with base 10: 'tcp://123.123.123.123:7002'
(IP-address redacted.)

From experience, this error can be caused by a conflict between the application's environment variables and the Kubernetes service discovery environment variables, as seen here:
https://kubernetes.io/docs/concepts/services-networking/service/#environment-variables

This can be quickly fixed in a few ways: either change the environment variable in the application, or add the enableServiceLink boolean option in the podspec of the opal server (or all pod specs, for what it's worth).
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#podspec-v1-core

https://authorizon.github.io/opal-helm-chart/index.yaml returns 404

Hi Team,
Looks like something is broken and index.yaml is not served anymore. Can you please check?

helm repo add opal https://authorizon.github.io/opal-helm-chart

Error: looks like "https://authorizon.github.io/opal-helm-chart" is not a valid chart repository or cannot be reached: failed to fetch https://authorizon.github.io/opal-helm-chart/index.yaml : 404 Not Found

OPAL Server breaks on startup if 'server.extraEnv.OPAL_SERVER_PORT' is missing

I tried installing the chart (0.0.11) with helm install opal opal/opal after adding and updating the repo. The installed chart is version 0.0.11:

$ helm list
NAME    NAMESPACE       REVISION        UPDATED                                 STATUS          CHART           APP VERSION
opal    pva             1               2023-03-28 14:22:59.4348607 +0200 CEST  deployed        opal-0.0.11     0.5.0

The server never starts properly:

Logs:

$ k logs -l  app.kubernetes.io/name=opal-server --tail 300 --follow
[2023-03-28 12:20:34 +0000] [1] [INFO] Starting gunicorn 20.1.0
[2023-03-28 12:20:35 +0000] [1] [INFO] Listening at: http://0.0.0.0:7002 (1)
[2023-03-28 12:20:35 +0000] [1] [INFO] Using worker: uvicorn.workers.UvicornWorker
[2023-03-28 12:20:35 +0000] [7] [INFO] Booting worker with pid: 7
[2023-03-28 12:20:35 +0000] [8] [INFO] Booting worker with pid: 8
[2023-03-28 12:20:35 +0000] [9] [INFO] Booting worker with pid: 9
[2023-03-28 12:20:35 +0000] [10] [INFO] Booting worker with pid: 10
[2023-03-28 12:20:35 +0000] [7] [ERROR] Exception in worker process
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/gunicorn/arbiter.py", line 589, in spawn_worker
    worker.init_process()
  File "/usr/local/lib/python3.10/site-packages/uvicorn/workers.py", line 66, in init_process
    super(UvicornWorker, self).init_process()
  File "/usr/local/lib/python3.10/site-packages/gunicorn/workers/base.py", line 134, in init_process
    self.load_wsgi()
  File "/usr/local/lib/python3.10/site-packages/gunicorn/workers/base.py", line 146, in load_wsgi
    self.wsgi = self.app.wsgi()
  File "/usr/local/lib/python3.10/site-packages/gunicorn/app/base.py", line 67, in wsgi
    self.callable = self.load()
  File "/usr/local/lib/python3.10/site-packages/gunicorn/app/wsgiapp.py", line 58, in load
    return self.load_wsgiapp()
  File "/usr/local/lib/python3.10/site-packages/gunicorn/app/wsgiapp.py", line 48, in load_wsgiapp
    return util.import_app(self.app_uri)
  File "/usr/local/lib/python3.10/site-packages/gunicorn/util.py", line 359, in import_app
    mod = importlib.import_module(module)
  File "/usr/local/lib/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/usr/local/lib/python3.10/site-packages/opal_server-0.5.0-py3.10.egg/opal_server/main.py", line 8, in <module>
    app = create_app()
  File "/usr/local/lib/python3.10/site-packages/opal_server-0.5.0-py3.10.egg/opal_server/main.py", line 2, in create_app
    from .server import OpalServer
  File "/usr/local/lib/python3.10/site-packages/opal_server-0.5.0-py3.10.egg/opal_server/server.py", line 26, in <module>
    from opal_server.config import opal_server_config
  File "/usr/local/lib/python3.10/site-packages/opal_server-0.5.0-py3.10.egg/opal_server/config.py", line 288, in <module>
    opal_server_config = OpalServerConfig(prefix="OPAL_")
  File "/usr/local/lib/python3.10/site-packages/opal_common-0.5.0-py3.10.egg/opal_common/confi/confi.py", line 128, in __init__
    value = self._eval_and_save_entry(name, entry)
  File "/usr/local/lib/python3.10/site-packages/opal_common-0.5.0-py3.10.egg/opal_common/confi/confi.py", line 162, in _eval_and_save_entry
    value = self._eval_entry(entry)
  File "/usr/local/lib/python3.10/site-packages/opal_common-0.5.0-py3.10.egg/opal_common/confi/confi.py", line 168, in _eval_entry
    res = self._evaluate(whole_key, entry.default, entry.cast, **entry.kwargs)
  File "/usr/local/lib/python3.10/site-packages/opal_common-0.5.0-py3.10.egg/opal_common/confi/confi.py", line 205, in _evaluate
    res = config(key, default=passed_default, cast=safe_cast_func, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/decouple.py", line 245, in __call__
    return self.config(*args, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/decouple.py", line 107, in __call__
    return self.get(*args, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/decouple.py", line 101, in get
    return cast(value)
  File "/usr/local/lib/python3.10/site-packages/opal_common-0.5.0-py3.10.egg/opal_common/confi/confi.py", line 74, in wrapped_cast
    return cast_func(value, *args, **kwargs)
ValueError: invalid literal for int() with base 10: 'tcp://10.43.243.243:7002'
[2023-03-28 12:20:35 +0000] [7] [INFO] Worker exiting (pid: 7)
[2023-03-28 12:20:35 +0000] [8] [ERROR] Exception in worker process
[2023-03-28 12:20:35 +0000] [8] [INFO] Worker exiting (pid: 8)
[2023-03-28 12:20:35 +0000] [9] [ERROR] Exception in worker process
[2023-03-28 12:20:35 +0000] [9] [INFO] Worker exiting (pid: 9)
[2023-03-28 12:20:35 +0000] [10] [ERROR] Exception in worker process
[2023-03-28 12:20:35 +0000] [10] [INFO] Worker exiting (pid: 10)
[2023-03-28 12:20:35 +0000] [1] [WARNING] Worker with pid 8 was terminated due to signal 15
[2023-03-28 12:20:35 +0000] [1] [WARNING] Worker with pid 10 was terminated due to signal 15
[2023-03-28 12:20:35 +0000] [1] [WARNING] Worker with pid 9 was terminated due to signal 15
[2023-03-28 12:20:35 +0000] [1] [INFO] Shutting down: Master
[2023-03-28 12:20:35 +0000] [1] [INFO] Reason: Worker failed to boot.

For some reason the application code attempts to parse 'tcp://10.43.243.243:7002' to an int and understandably crashes. A workaround is to set server.extraEnv.OPAL_SERVER_PORT manually, either via helm install opal opal/opal --set server.extraEnv.OPAL_SERVER_PORT=7002 or a values.yaml file. The server then starts normally.
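
The collision reported here and in the enableServiceLink report above, reproduced as an added example (not code from OPAL or the chart): it derives the service-link variables Kubernetes injects for a Service and lists the ones a typed config loader cannot cast. The Service name `opal-server` and the one-entry cast table are assumptions; the Pod spec field is spelled `enableServiceLinks` in the Kubernetes API.

```python
from typing import Callable, Dict, Iterable, List, Mapping, NamedTuple, Tuple


class Service(NamedTuple):
    name: str            # Service metadata.name
    cluster_ip: str
    port: int
    protocol: str = "TCP"


def service_link_env(svc: Service) -> Dict[str, str]:
    """Docker-links-style variables injected into Pods for one Service port."""
    # The Service name is upper-cased and dashes become underscores.
    prefix = svc.name.upper().replace("-", "_")
    proto = svc.protocol.lower()
    url = f"{proto}://{svc.cluster_ip}:{svc.port}"
    port_key = f"{prefix}_PORT_{svc.port}_{svc.protocol.upper()}"
    return {
        f"{prefix}_SERVICE_HOST": svc.cluster_ip,
        f"{prefix}_SERVICE_PORT": str(svc.port),
        f"{prefix}_PORT": url,               # the variable that collides
        port_key: url,
        f"{port_key}_PROTO": proto,
        f"{port_key}_PORT": str(svc.port),
        f"{port_key}_ADDR": svc.cluster_ip,
    }


def effective_env(
    services: Iterable[Service],
    container_env: Mapping[str, str],
    enable_service_links: bool = True,
) -> Dict[str, str]:
    """Environment the container sees. Variables set explicitly on the
    container win over injected ones, which is why the extraEnv workaround
    works. The always-injected KUBERNETES_* variables are not modelled."""
    env: Dict[str, str] = {}
    if enable_service_links:
        for svc in services:
            env.update(service_link_env(svc))
    env.update(container_env)
    return env


def find_cast_failures(
    config_casts: Mapping[str, Callable[[str], object]],
    env: Mapping[str, str],
) -> List[Tuple[str, str, str]]:
    """Return (key, value, error) for each config key whose env value
    cannot be cast to the type the application expects."""
    failures = []
    for key, cast in sorted(config_casts.items()):
        if key not in env:
            continue  # the application default would apply
        try:
            cast(env[key])
        except (ValueError, TypeError) as exc:
            failures.append((key, env[key], str(exc)))
    return failures


# Constructed input mirroring the report: Service name is an assumption,
# the ClusterIP and port are the ones shown in the log above.
SERVICES = [Service("opal-server", "10.43.243.243", 7002)]
# Hypothetical subset of the application's config: key -> cast function.
CONFIG_CASTS = {"OPAL_SERVER_PORT": int}

if __name__ == "__main__":
    cases = {
        "chart defaults": effective_env(SERVICES, {}),
        "extraEnv workaround": effective_env(SERVICES, {"OPAL_SERVER_PORT": "7002"}),
        "enableServiceLinks: false": effective_env(SERVICES, {}, enable_service_links=False),
    }
    for label, env in cases.items():
        print(label, "->", find_cast_failures(CONFIG_CASTS, env))
```

Running the same check against every Service in the namespace before a release catches any application prefix that happens to match a Service name.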

Unable to configure embedded OPA

Hi,

Following the documentation here I tried configuring the embedded OPA process, but it does not currently seem to work:

My client pod reports the following environment variables:

  opal-client:
    Environment:
      UVICORN_NUM_WORKERS:                   1
      OPAL_SERVER_URL:                       http://opal-server:7002
      CUSTOM_ENV_VAR:                        VALUE
      OPAL_DATA_UPDATER_ENABLED:             false
      OPAL_INLINE_OPA_CONFIG:                '{"authentication": "basic", "authorization": "token"}'

But tailing the logs for the client pod shows:

2023-02-28T10:08:43.844449+0000 | opal_client.opa.runner                  | INFO  | Running OPA inline: opa run --server --addr=:8181 --authentication=off --authorization=off --log-level=info
2023-02-28T10:08:44.848556+0000 | opal_client.opa.runner                  | INFO  | Running OPA initial start callbacks
2023-02-28T10:08:44.849416+0000 | opal_client.policy_store.opa_client     | INFO  | persisting health check policy: ready=false, healthy=false
(⎈ |dev:default)➜  ~ kubectl exec -n opal opal-client-59f246df7f-n9sgq -- printenv
PATH=/opal:/root/.local/bin:/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
OPAL_DATA_UPDATER_ENABLED=false
OPAL_INLINE_OPA_CONFIG='{"authentication": "basic", "authorization": "token"}'

2023-02-28T10:08:43.844449+0000 | opal_client.opa.runner | INFO | Running OPA inline: opa run --server --addr=:8181 --authentication=off --authorization=off --log-level=info tells me that the configuration put on the environment does not resolve and the default values have been used.

Care to elaborate on how one should make this work?

Make image version dynamic

Currently the image version is retrieved from the AppVersion, which leads to a coupling to having a helm chart release available. This also prevents one from trying a not-yet-released version by referring to a tag/SHA. Therefore it would be great if the chart didn't only use the AppVersion but also allowed specifying a SHA/tag parameter, which then takes precedence over the AppVersion.

Document how to set up authorization

There should be more documentation explaining how to set up authorization in the OPAL client. There's plenty of documentation already available for authentication, but very little to do with authorization.

The official OPAL docs webpages should contain a section devoted to Rego authorization.

There already exists a Docker example of setting up authorization, but there's less documentation available on the Helm side. The opaStartupData option is not documented in values.yml.

A very basic Helm implementation of "authorization":

      client:
        extraEnv:
          OPAL_INLINE_OPA_CONFIG: '{"authorization": "basic", "files": ["/opt/opa/startup-data/authz.rego"]}'
        opaStartupData:
          authz.rego: |
            package system.authz
            default allow := true
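
A pre-deployment check for OPAL_INLINE_OPA_CONFIG values like the one above and the one in the "Unable to configure embedded OPA" report, as an added example (not code from OPAL or the chart). It assumes the variable must hold a JSON object and uses the values `opa run` accepts for `--authentication` (token, tls, off) and `--authorization` (basic, off); the function name and sample constants are hypothetical.

```python
import json
from typing import Dict, List, Tuple

# Values the OPA CLI accepts for the two flags; both default to "off".
ALLOWED = {
    "authentication": {"token", "tls", "off"},
    "authorization": {"basic", "off"},
}


def check_inline_opa_config(raw: str) -> Tuple[Dict[str, str], List[str]]:
    """Validate a raw OPAL_INLINE_OPA_CONFIG value.

    Returns (flags, findings). `flags` holds only values that passed
    validation; anything missing or rejected stays at the OPA default
    "off", so a non-empty findings list with flags still "off" means the
    deployment would run without the protection that was intended.
    """
    flags = {"authentication": "off", "authorization": "off"}
    findings: List[str] = []

    text = raw.strip()
    # printenv shows values verbatim, so quotes seen there are part of the
    # value (for example shell-style quoting that was never unquoted).
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "'\"":
        findings.append("value is wrapped in literal quote characters")
        text = text[1:-1]

    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        findings.append(f"not valid JSON: {exc.msg}")
        return flags, findings
    if not isinstance(cfg, dict):
        findings.append("top-level JSON value is not an object")
        return flags, findings

    for key, allowed in ALLOWED.items():
        if key not in cfg:
            continue  # not requested; default "off" applies
        value = cfg[key]
        if isinstance(value, str) and value in allowed:
            flags[key] = value
        else:
            findings.append(
                f"{key}={value!r} is not one of {sorted(allowed)}"
            )
    return flags, findings


# Constructed samples. The first is the value exactly as printenv shows it
# in the earlier report (quotes included); the second is the value the YAML
# in this report yields once the YAML quoting is removed.
FROM_PRINTENV = "'{\"authentication\": \"basic\", \"authorization\": \"token\"}'"
FROM_VALUES_YAML = (
    '{"authorization": "basic", "files": ["/opt/opa/startup-data/authz.rego"]}'
)

if __name__ == "__main__":
    for label, raw in (("printenv", FROM_PRINTENV), ("values.yaml", FROM_VALUES_YAML)):
        flags, findings = check_inline_opa_config(raw)
        print(label, flags, findings)
```

Comparing the returned flags with the `opa run` command line in the client log confirms whether the intended settings actually reached OPA.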

opal-client health check raises an exception or unhealthy

The opal-client runs into an issue when doing health checks as below

2023-03-17T21:13:50.257220+0000 | uvicorn.protocols.http.httptools_impl   |ERROR  | Exception in ASGI application

Traceback (most recent call last):

  File "/usr/local/bin/gunicorn", line 33, in <module>
    sys.exit(load_entry_point('gunicorn==20.1.0', 'console_scripts', 'gunicorn')())
    │   │    └ <function importlib_load_entry_point at 0x7fa4bd62edd0>
    │   └ <built-in function exit>
    └ <module 'sys' (built-in)>
  File "/usr/local/lib/python3.10/site-packages/gunicorn/app/wsgiapp.py", line 67, in run
    WSGIApplication("%(prog)s [OPTIONS] [APP_MODULE]").run()
    └ <class 'gunicorn.app.wsgiapp.WSGIApplication'>
  File "/usr/local/lib/python3.10/site-packages/gunicorn/app/base.py", line 231, in run
    super().run()
  File "/usr/local/lib/python3.10/site-packages/gunicorn/app/base.py", line 72, in run
    Arbiter(self).run()
    │       └ <gunicorn.app.wsgiapp.WSGIApplication object at 0x7fa4bd60bc70>
    └ <class 'gunicorn.arbiter.Arbiter'>
  File "/usr/local/lib/python3.10/site-packages/gunicorn/arbiter.py", line 202, in run
    self.manage_workers()
    │    └ <function Arbiter.manage_workers at 0x7fa4bcb07130>
    └ <gunicorn.arbiter.Arbiter object at 0x7fa4bc630670>
  File "/usr/local/lib/python3.10/site-packages/gunicorn/arbiter.py", line 551, in manage_workers
    self.spawn_workers()
    │    └ <function Arbiter.spawn_workers at 0x7fa4bcb07250>
    └ <gunicorn.arbiter.Arbiter object at 0x7fa4bc630670>
  File "/usr/local/lib/python3.10/site-packages/gunicorn/arbiter.py", line 622, in spawn_workers
    self.spawn_worker()
    │    └ <function Arbiter.spawn_worker at 0x7fa4bcb071c0>
    └ <gunicorn.arbiter.Arbiter object at 0x7fa4bc630670>
  File "/usr/local/lib/python3.10/site-packages/gunicorn/arbiter.py", line 589, in spawn_worker
    worker.init_process()
    │      └ <function UvicornWorker.init_process at 0x7fa4bb320310>
    └ <uvicorn.workers.UvicornWorker object at 0x7fa4bc6307c0>
  File "/usr/local/lib/python3.10/site-packages/uvicorn/workers.py", line 66, in init_process
    super(UvicornWorker, self).init_process()
          │              └ <uvicorn.workers.UvicornWorker object at 0x7fa4bc6307c0>
          └ <class 'uvicorn.workers.UvicornWorker'>
  File "/usr/local/lib/python3.10/site-packages/gunicorn/workers/base.py", line 142, in init_process
    self.run()
    │    └ <function UvicornWorker.run at 0x7fa4bb320550>
    └ <uvicorn.workers.UvicornWorker object at 0x7fa4bc6307c0>
  File "/usr/local/lib/python3.10/site-packages/uvicorn/workers.py", line 98, in run
    return asyncio.run(self._serve())
           │       │   │    └ <function UvicornWorker._serve at 0x7fa4bb3204c0>
           │       │   └ <uvicorn.workers.UvicornWorker object at 0x7fa4bc6307c0>
           │       └ <function run at 0x7fa4bc659bd0>
           └ <module 'asyncio' from '/usr/local/lib/python3.10/asyncio/__init__.py'>
  File "/usr/local/lib/python3.10/asyncio/runners.py", line 44, in run
    return loop.run_until_complete(main)
           │    │                  └ <coroutine object UvicornWorker._serve at 0x7fa4ba79f450>
           │    └ <method 'run_until_complete' of 'uvloop.loop.Loop' objects>
           └ <uvloop.Loop running=True closed=False debug=False>
> File "/usr/local/lib/python3.10/site-packages/uvicorn/protocols/http/httptools_impl.py", line 419, in run_asgi
    result = await app(  # type: ignore[func-returns-value]
                   └ <uvicorn.middleware.proxy_headers.ProxyHeadersMiddleware object at 0x7fa4ba662a40>
  File "/usr/local/lib/python3.10/site-packages/uvicorn/middleware/proxy_headers.py", line 78, in __call__
    return await self.app(scope, receive, send)
                 │    │   │      │        └ <bound method RequestResponseCycle.send of <uvicorn.protocols.http.httptools_impl.RequestResponseCycle object at 0x7fa4ba6d74...
                 │    │   │      └ <bound method RequestResponseCycle.receive of <uvicorn.protocols.http.httptools_impl.RequestResponseCycle object at 0x7fa4ba6...
                 │    │   └ {'type': 'http', 'asgi': {'version': '3.0', 'spec_version': '2.3'}, 'http_version': '1.1', 'server': ('10.244.0.67', 7000), '...
                 │    └ <fastapi.applications.FastAPI object at 0x7fa4ba770a30>
                 └ <uvicorn.middleware.proxy_headers.ProxyHeadersMiddleware object at 0x7fa4ba662a40>
  File "/usr/local/lib/python3.10/site-packages/fastapi/applications.py", line 271, in __call__
    await super().__call__(scope, receive, send)
                           │      │        └ <bound method RequestResponseCycle.send of <uvicorn.protocols.http.httptools_impl.RequestResponseCycle object at 0x7fa4ba6d74...
                           │      └ <bound method RequestResponseCycle.receive of <uvicorn.protocols.http.httptools_impl.RequestResponseCycle object at 0x7fa4ba6...
                           └ {'type': 'http', 'asgi': {'version': '3.0', 'spec_version': '2.3'}, 'http_version': '1.1', 'server': ('10.244.0.67', 7000), '...
  File "/usr/local/lib/python3.10/site-packages/starlette/applications.py", line 118, in __call__
    await self.middleware_stack(scope, receive, send)
          │    │                │      │        └ <bound method RequestResponseCycle.send of <uvicorn.protocols.http.httptools_impl.RequestResponseCycle object at 0x7fa4ba6d74...
          │    │                │      └ <bound method RequestResponseCycle.receive of <uvicorn.protocols.http.httptools_impl.RequestResponseCycle object at 0x7fa4ba6...
          │    │                └ {'type': 'http', 'asgi': {'version': '3.0', 'spec_version': '2.3'}, 'http_version': '1.1', 'server': ('10.244.0.67', 7000), '...
          │    └ <starlette.middleware.errors.ServerErrorMiddleware object at 0x7fa4ba6d4b20>
          └ <fastapi.applications.FastAPI object at 0x7fa4ba770a30>
  File "/usr/local/lib/python3.10/site-packages/starlette/middleware/errors.py", line 184, in __call__
    raise exc
  File "/usr/local/lib/python3.10/site-packages/starlette/middleware/errors.py", line 162, in __call__
    await self.app(scope, receive, _send)
          │    │   │      │        └ <function ServerErrorMiddleware.__call__.<locals>._send at 0x7fa4ba5acdc0>
          │    │   │      └ <bound method RequestResponseCycle.receive of <uvicorn.protocols.http.httptools_impl.RequestResponseCycle object at 0x7fa4ba6...
          │    │   └ {'type': 'http', 'asgi': {'version': '3.0', 'spec_version': '2.3'}, 'http_version': '1.1', 'server': ('10.244.0.67', 7000), '...
          │    └ <starlette.middleware.cors.CORSMiddleware object at 0x7fa4ba6d4b80>
          └ <starlette.middleware.errors.ServerErrorMiddleware object at 0x7fa4ba6d4b20>
  File "/usr/local/lib/python3.10/site-packages/starlette/middleware/cors.py", line 84, in __call__
    await self.app(scope, receive, send)
          │    │   │      │        └ <function ServerErrorMiddleware.__call__.<locals>._send at 0x7fa4ba5acdc0>
          │    │   │      └ <bound method RequestResponseCycle.receive of <uvicorn.protocols.http.httptools_impl.RequestResponseCycle object at 0x7fa4ba6...
          │    │   └ {'type': 'http', 'asgi': {'version': '3.0', 'spec_version': '2.3'}, 'http_version': '1.1', 'server': ('10.244.0.67', 7000), '...
          │    └ <starlette.middleware.exceptions.ExceptionMiddleware object at 0x7fa4ba6d4c70>
          └ <starlette.middleware.cors.CORSMiddleware object at 0x7fa4ba6d4b80>
  File "/usr/local/lib/python3.10/site-packages/starlette/middleware/exceptions.py", line 79, in __call__
    raise exc
  File "/usr/local/lib/python3.10/site-packages/starlette/middleware/exceptions.py", line 68, in __call__
    await self.app(scope, receive, sender)
          │    │   │      │        └ <function ExceptionMiddleware.__call__.<locals>.sender at 0x7fa4ba5ad000>
          │    │   │      └ <bound method RequestResponseCycle.receive of <uvicorn.protocols.http.httptools_impl.RequestResponseCycle object at 0x7fa4ba6...
          │    │   └ {'type': 'http', 'asgi': {'version': '3.0', 'spec_version': '2.3'}, 'http_version': '1.1', 'server': ('10.244.0.67', 7000), '...
          │    └ <fastapi.middleware.asyncexitstack.AsyncExitStackMiddleware object at 0x7fa4ba6d4d60>
          └ <starlette.middleware.exceptions.ExceptionMiddleware object at 0x7fa4ba6d4c70>
  File "/usr/local/lib/python3.10/site-packages/fastapi/middleware/asyncexitstack.py", line 21, in __call__
    raise e
  File "/usr/local/lib/python3.10/site-packages/fastapi/middleware/asyncexitstack.py", line 18, in __call__
    await self.app(scope, receive, send)
          │    │   │      │        └ <function ExceptionMiddleware.__call__.<locals>.sender at 0x7fa4ba5ad000>
          │    │   │      └ <bound method RequestResponseCycle.receive of <uvicorn.protocols.http.httptools_impl.RequestResponseCycle object at 0x7fa4ba6...
          │    │   └ {'type': 'http', 'asgi': {'version': '3.0', 'spec_version': '2.3'}, 'http_version': '1.1', 'server': ('10.244.0.67', 7000), '...
          │    └ <fastapi.routing.APIRouter object at 0x7fa4ba770a60>
          └ <fastapi.middleware.asyncexitstack.AsyncExitStackMiddleware object at 0x7fa4ba6d4d60>
  File "/usr/local/lib/python3.10/site-packages/starlette/routing.py", line 706, in __call__
    await route.handle(scope, receive, send)
          │     │      │      │        └ <function ExceptionMiddleware.__call__.<locals>.sender at 0x7fa4ba5ad000>
          │     │      │      └ <bound method RequestResponseCycle.receive of <uvicorn.protocols.http.httptools_impl.RequestResponseCycle object at 0x7fa4ba6...
          │     │      └ {'type': 'http', 'asgi': {'version': '3.0', 'spec_version': '2.3'}, 'http_version': '1.1', 'server': ('10.244.0.67', 7000), '...
          │     └ <function Route.handle at 0x7fa4ba969360>
          └ APIRoute(path='/healthcheck', name='healthcheck', methods=['GET'])
  File "/usr/local/lib/python3.10/site-packages/starlette/routing.py", line 276, in handle
    await self.app(scope, receive, send)
          │    │   │      │        └ <function ExceptionMiddleware.__call__.<locals>.sender at 0x7fa4ba5ad000>
          │    │   │      └ <bound method RequestResponseCycle.receive of <uvicorn.protocols.http.httptools_impl.RequestResponseCycle object at 0x7fa4ba6...
          │    │   └ {'type': 'http', 'asgi': {'version': '3.0', 'spec_version': '2.3'}, 'http_version': '1.1', 'server': ('10.244.0.67', 7000), '...
          │    └ <function request_response.<locals>.app at 0x7fa4ba6312d0>
          └ APIRoute(path='/healthcheck', name='healthcheck', methods=['GET'])
  File "/usr/local/lib/python3.10/site-packages/starlette/routing.py", line 66, in app
    response = await func(request)
                     │    └ <starlette.requests.Request object at 0x7fa4ba618df0>
                     └ <function get_request_handler.<locals>.app at 0x7fa4ba631090>
  File "/usr/local/lib/python3.10/site-packages/fastapi/routing.py", line 237, in app
    raw_response = await run_endpoint_function(
                         └ <function run_endpoint_function at 0x7fa4ba9680d0>
  File "/usr/local/lib/python3.10/site-packages/fastapi/routing.py", line 163, in run_endpoint_function
    return await dependant.call(**values)
                 │         │      └ {}
                 │         └ <function OpalClient._configure_api_routes.<locals>.healthcheck at 0x7fa4ba631120>
                 └ <fastapi.dependencies.models.Dependant object at 0x7fa4ba662f20>
  File "/usr/local/lib/python3.10/site-packages/opal_client-0.5.0-py3.10.egg/opal_client/client.py", line 212, in healthcheck
    healthy = resp["result"]
              └ {}

KeyError: 'result'
```


Steps to reproduce:

```
helm install --create-namespace -n opal-ns myopal opal/opal
```

```
opal-ns              myopal-client-d75cc4c59-sbs2b                                  0/1     Running            1 (78s ago)      3m50s
opal-ns              myopal-pgsql-7d6c77d68c-gnnzz                                  1/1     Running            0                3m50s
opal-ns              myopal-server-6bc57c7897-qqnml                                 1/1     Running            0                3m50s
```

We can see the client pod never comes up and throws the above error.

Chart does not permit use of specific docker credentials

The server and client templates do not permit the use of specific docker credentials.

It should include this directive:

```
imagePullSecrets:
  - name: name_of_my_dockercreds
```

I am preparing a PR regarding this issue, will push it tomorrow.

404 error on helm repo add command and index.yaml link on https://permitio.github.io/opal-helm-chart/

Go to https://permitio.github.io/opal-helm-chart/, click the index.yaml link (https://authorizon.github.io/opal-helm-chart/index.yaml), and get a 404 error.

Also get a 404 error on the helm repo add command that appears there:

```
helm repo add opal2 https://authorizon.github.io/opal-helm-chart
Error: looks like "https://authorizon.github.io/opal-helm-chart" is not a valid chart repository or cannot be reached: failed to fetch https://authorizon.github.io/opal-helm-chart/index.yaml : 404 Not Found
```

Installing v0.0.7 with default configuration on EKS not working

Hey @RazcoDev!

I'm trying to deploy OPAL with default configuration using this helm chart v0.0.7 on AWS EKS. Kubernetes version is v1.21.5-eks-9017834.

```
helm install --create-namespace -n opal-ns --version 0.0.7 myopal opal/opal
```

This gives me three pods. The pgsql and server work fine but the client is not healthy.

```
NAME                          READY   STATUS             RESTARTS   AGE
xxx-client-7db887db78-rb99m   0/1     CrashLoopBackOff   31         139m
xxx-pgsql-6dcd6dbd64-pmbsw    1/1     Running            0          139m
xxx-server-5db6656dcc-2bjs4   1/1     Running            0          18m
```

Pulling the logs from the client pod shows me that it is crashing in the healthcheck method of client.py: https://github.com/permitio/opal/blob/master/packages/opal-client/opal_client/client.py#L212

2023-02-13T15:29:16.352136+0000 | uvicorn.protocols.http.httptools_impl   | INFO  | 10.11.14.224:53402 - "GET /healthcheck HTTP/1.1" 500
2023-02-13T15:29:16.352461+0000 | uvicorn.protocols.http.httptools_impl   |ERROR  | Exception in ASGI application

<enormous python trace redacted>

  File "/usr/local/lib/python3.10/site-packages/fastapi/routing.py", line 237, in app
    raw_response = await run_endpoint_function(
                         └ <function run_endpoint_function at 0x7f12773c70a0>
  File "/usr/local/lib/python3.10/site-packages/fastapi/routing.py", line 163, in run_endpoint_function
    return await dependant.call(**values)
                 │         │      └ {}
                 │         └ <function OpalClient._configure_api_routes.<locals>.healthcheck at 0x7f12771b7d00>
                 └ <fastapi.dependencies.models.Dependant object at 0x7f12770e1ea0>
  File "/usr/local/lib/python3.10/site-packages/opal_client-0.4.0-py3.10.egg/opal_client/client.py", line 212, in healthcheck
    healthy = resp["result"]
              └ {}

KeyError: 'result'

I understand that the client is trying to query the healthcheck policy in OPA, and for some reason that data is not there.

OPA is up and running and I can reach the web interface and also run curl /v1/data or /v1/policies. However v1/data/system/opal/healthy just times out.

Any ideas of what could be the error here?
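Both reports above end in the same `KeyError: 'result'` raised from `resp["result"]` on an empty `{}` body. The sketch below is an added example, not code from opal_client: it shows a fail-closed way to interpret that body. The function name, the sample bodies, and the assumption that the health document is a plain boolean are constructed for illustration.

```python
import json
from typing import Tuple

# Constructed sample bodies for GET /v1/data/system/opal/healthy (not captured traffic).
SAMPLES = {
    "undefined document": b"{}",
    "healthy": b'{"result": true}',
    "unhealthy": b'{"result": false}',
    "unexpected shape": b'{"result": {"healthy": true}}',
    "not json": b"<html>502 Bad Gateway</html>",
}


def evaluate_opa_health(body: bytes) -> Tuple[bool, int, str]:
    """Map an OPA Data API response body to (healthy, http_status, reason).

    Fails closed: anything other than an explicit boolean true is unhealthy,
    and is reported as 503 with a reason instead of an unhandled exception.
    """
    try:
        resp = json.loads(body)
    except ValueError:
        return False, 503, "OPA returned a non-JSON body"
    if not isinstance(resp, dict):
        return False, 503, "OPA response is not a JSON object"
    if "result" not in resp:
        # OPA answers 200 without a "result" key when the queried document is
        # undefined, for example when no health policy is loaded.
        return False, 503, "health document undefined in OPA (no 'result' key)"
    if resp["result"] is True:
        return True, 200, "ok"
    return False, 503, f"health document is {resp['result']!r}, expected true"


def report() -> dict:
    """Evaluate every constructed sample; returns {label: (healthy, status, reason)}."""
    return {label: evaluate_opa_health(body) for label, body in SAMPLES.items()}


if __name__ == "__main__":
    for label, (healthy, status, reason) in report().items():
        print(f"{label:20} healthy={healthy!s:5} status={status} reason={reason}")
```

Returning 503 with a reason keeps the pod out of rotation while the policy is missing and puts the cause in the probe response rather than in a stack trace.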

Use ConfigMap to store env vars for client and server

At the moment, environment variables for client and server are either hardcoded, or just some values from the values.yaml file.

I thought we could use a ConfigMap to store env vars for client and server; this way, the user can use any variable he wants, without needing the maintainers of the chart to let him use it.

I am preparing a PR for it.

issue with using external_source_url

Hi there, we are trying to use Terraform to deploy the OPAL server with the latest version of the Helm chart and noticed that you have recently committed this change, 25731f6, to change the 'dataConfigSources' section of the default values file:

```
server:
  .........
  dataConfigSources:
    # Option #1 - No data sources
    config:
      entries: []
```

which currently causes an issue when we set the value for external_source_url as follows:

```
server:
  dataConfigSources:
    external_source_url: "http://xxx-xxx-xx-xxx"
```

When we deploy via Terraform it will set the environment variable OPAL_DATA_CONFIG_SOURCES to {"config":{"entries":[]},"external_source_url":"http://xxx-xxx-xx-xxx"} and the OPAL server throws the following error:

```
pydantic.error_wrappers.ValidationError: 1 validation error for ServerDataSourceConfig
root
you must provide ONLY ONE of these fields: config, external_source_url (type=value_error)
```

I think that's why the default values file was initially set with external_source_url as the first option rather than having config -> entries as the first option.

I'm wondering if you are able to revert that part of the code changes in the values file or update the server template file to fix this issue.
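The merge behind the error above, as an added example that is not part of the original issue or the chart: it models how user values are deep-merged onto the chart default and checks the result against the "ONLY ONE of" rule before deployment. The function names are hypothetical, the JSON rendering is assumed from the value quoted in the issue, and the `config: null` override relies on Helm's documented behaviour of deleting a default key when it is overridden with null.

```python
import copy
import json

# Default from the chart's values file, as quoted in the issue above.
CHART_DEFAULTS = {"server": {"dataConfigSources": {"config": {"entries": []}}}}
URL = "http://xxx-xxx-xx-xxx"  # redacted placeholder, as in the issue


def merge_values(defaults: dict, overrides: dict) -> dict:
    """Deep-merge overrides onto defaults the way Helm coalesces values:
    maps merge key by key, and an override of null deletes the default key."""
    merged = copy.deepcopy(defaults)
    for key, value in overrides.items():
        if value is None:
            merged.pop(key, None)
        elif isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = merge_values(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged


def rendered_env(overrides: dict) -> str:
    """JSON the server would receive in OPAL_DATA_CONFIG_SOURCES (assumed rendering)."""
    sources = merge_values(CHART_DEFAULTS, overrides)["server"]["dataConfigSources"]
    return json.dumps(sources, separators=(",", ":"))


def exclusive_field_errors(env_value: str) -> list:
    """Pre-deploy check mirroring the 'ONLY ONE of' rule quoted in the error."""
    sources = json.loads(env_value)
    present = [f for f in ("config", "external_source_url") if sources.get(f) is not None]
    if len(present) == 1:
        return []
    return [f"expected exactly one of config, external_source_url; got {present}"]


# Override as written in the issue, and the same override with the default nulled out.
AS_REPORTED = {"server": {"dataConfigSources": {"external_source_url": URL}}}
WITH_NULL = {"server": {"dataConfigSources": {"config": None, "external_source_url": URL}}}

if __name__ == "__main__":
    for name, override in (("as reported", AS_REPORTED), ("config: null", WITH_NULL)):
        env = rendered_env(override)
        print(name, env, exclusive_field_errors(env) or "ok")
```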

Image names are hardcoded values in chart

Images are called this way in all templates:

```
image: {{ printf "%s/authorizon/opal-server:%s" .Values.imageRegistry .Chart.AppVersion | quote }}
```

But if you use a private registry with custom path or custom name for your image you cannot use this part of the chart.

I am preparing a PR about this, and will push it tomorrow.

Feature Request: Allow extra objects to be deployed alongside server and client

Hi,

I am currently working to deploy an OPAL server instance and an OPAL client instance (cluster mode) as separate releases using the Helm chart.

I see there is an undocumented secrets parameter on both server and client sections of the value file, however there is no way to deploy those secrets or any additional objects in the same release using the chart.

It would be great to be able to deploy extra manifests using the same chart, use cases include:

  • Private and Public keys as secrets (instead of regular env) when running in secure mode
  • Client token as secret
  • Broadcast url as secret (it contains the DB/Redis password)
  • Any other manifests, i.e. Istio manifests, etc.

If you are interested, I have prepared a PR that adds the following:

  • A new extraObjects parameter to the root section of the value file
  • Updated values JSON schema (array of string)
  • Allows templates inside the objects, they are defined as strings to avoid yaml parse errors on the value file and allow templating
  • Adds sample values to the value file

Thank you for your work on OPAL.

Edited: Updated to only add one extraObjects section.

The term opal is missing from resource names

When installing the chart as a dependency of a more complex chart it becomes difficult to identify the resources provided by opal. Here is an example of a release called myproduct that references Dapr, Rabbitmq, Postgresql and Opal:

$ kubectl get services
NAME                          TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                                 AGE
dapr-placement-server         ClusterIP   None            <none>        50005/TCP,8201/TCP                      52s
myproduct-postgresql          NodePort    10.43.11.136    <none>        5432:32432/TCP                          52s
myproduct-rabbitmq-headless   ClusterIP   None            <none>        4369/TCP,5672/TCP,25672/TCP,15672/TCP   52s
myproduct-postgresql-hl       ClusterIP   None            <none>        5432/TCP                                52s
dapr-sentry                   ClusterIP   10.43.104.204   <none>        80/TCP                                  52s
dapr-webhook                  ClusterIP   10.43.99.63     <none>        443/TCP                                 52s
dapr-api                      ClusterIP   10.43.93.109    <none>        80/TCP                                  52s
myproduct-rabbitmq            ClusterIP   10.43.141.100   <none>        5672/TCP,4369/TCP,25672/TCP,15672/TCP   52s
dapr-dashboard                ClusterIP   10.43.120.137   <none>        8080/TCP                                52s
dapr-sidecar-injector         ClusterIP   10.43.18.148    <none>        443/TCP                                 52s
## these are opal resources:
myproduct-pgsql               ClusterIP   10.43.34.47     <none>        5432/TCP                                52s
myproduct-server              ClusterIP   10.43.49.71     <none>        7002/TCP                                52s
myproduct-client              ClusterIP   10.43.33.16     <none>        7000/TCP,8181/TCP                       52s

There are multiple philosophies on how to name things; Dapr omits the release name while Postgres and Rabbitmq prefix their respective names, e.g. -rabbitmq-headless, -postgresql-hl, etc. with the release name. It would be nice to see the opal term somewhere in resource name, like myproduct-opal-server.
