If you have control over the BUILD files of the third-party libraries, you could expose the header files separately and then use pkg_tar rules to collect the target files in the main project.

For example, assuming a folder structure like the following.

Your third-party libraries' BUILD files could expose a filegroup and a cc_library:

    # thirdparty/lib1/BUILD

The same pattern will apply to thirdparty/lib2/BUILD and project/mylib/BUILD.

Now in the main project you could have a main BUILD script that collects all the files into a tar archive:

    # "pkg_tar")

Building :release should create a tar file with the desired structure:

    $> bazel build :release

You can also have the pkg_tar rules for the third-party libraries in the third-party workspace for better modularity.

Bundles

OPA can periodically download bundles of policy and data from remote HTTP servers. The policies and data are loaded on the fly without requiring a restart of OPA. Once the policies and data have been loaded, they are enforced immediately. Policies and data loaded from bundles are accessible via the standard OPA APIs.

Bundles provide an alternative to pushing policies into OPA via the REST APIs. By configuring OPA to download bundles from a remote HTTP server, you can ensure that OPA has an up-to-date copy of the policies and data required for enforcement.

By default, the OPA REST APIs will prevent you from modifying policy and data loaded via bundles. If you need to load policy and data from multiple sources, see the section on that topic below.

See the Configuration Reference for configuration details.

The CLI command opa build gives you the capability to build your own bundles. As a basic example, running opa build against a folder called foo packages the policies and data in that folder into a bundle.

The configuration below declares a service and a bundle downloaded from it, with persistence, polling delays and signature verification all configured:

    services:
      - name: acmecorp
        url:
        credentials:
          bearer:
            token: "bGFza2RqZmxha3NkamZsa2Fqc2Rsa2ZqYWtsc2RqZmtramRmYWxkc2tm"

    bundles:
      authz:
        service: acmecorp
        resource: somedir/
        persist: true
        polling:
          min_delay_seconds: 10
          max_delay_seconds: 20
        signing:
          keyid: my_global_key
          scope: read

Using this configuration, OPA will fetch bundles from the acmecorp service, at the path given by the resource field relative to the service URL, presenting the bearer token on every request. Treat that token like any other credential: anyone holding it can read the policy and data the service publishes.

If the resource field of a bundle is not defined, the value defaults to bundles/<name>, where <name> is the key of the bundle in the configuration. For the example above this is authz, so the resource would default to bundles/authz.

Bundle names can have any valid YAML characters in them, including /. This can be useful when relying on the default resource behavior: a name like authz/<file> results in a resource of bundles/authz/<file>.

OPA can optionally persist activated bundles to disk for recovery purposes. To enable persistence, set the bundle's persist field to true. When persistence is enabled, OPA will attempt to read the bundle from disk on startup. This allows OPA to start with the most recently activated bundle in case OPA cannot communicate with the bundle server. When communication with the bundle server is restored, the latest bundle is downloaded, activated, and persisted.

By default, bundles are persisted under the current working directory of the OPA process. Because a persisted bundle is loaded and activated on startup, the directory it is written to should be protected like any other policy source.

OPA will try to load and activate persisted bundles on a best-effort basis. Any errors encountered during the process will be surfaced in the bundle's status update.

The optional signing field of a bundle can be used to specify the keyid and scope that should be used for verifying the signature of the bundle.

See the following section for details on the bundle file format.

Services implementing the Bundle Service API should set the HTTP Etag header in bundle responses to identify the revision of the bundle. OPA will include the Etag value in the If-None-Match header of subsequent bundle requests, so a service can answer 304 Not Modified when the revision is unchanged instead of resending the whole bundle on every poll.
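The Etag exchange just described is the part of a bundle service that is most often implemented sloppily: if the service ignores If-None-Match, every poll becomes a full download; if it emits the Etag before checking credentials, an unauthenticated client can still watch policy revisions change. The following Go program is an added example and is not code from the OPA project or its documentation. It packs a constructed two-file bundle into the gzipped tarball OPA expects, serves it from a hypothetical handler mounted at the default bundles/authz path using the bearer token from the configuration above, and then polls it the way OPA would: without a credential, for the first time, with the current Etag, and with a stale one. The file names, the policy and data contents, the handler and the token reuse are all assumptions made for illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Token from the services[_].credentials.bearer.token setting above (assumed).
const bearerToken = "bGFza2RqZmxha3NkamZsa2Fqc2Rsa2ZqYWtsc2RqZmtramRmYWxkc2tm"

// bundleFile is one entry of the bundle: a path inside the tarball and its content.
type bundleFile struct{ Name, Body string }

// buildBundle packs files into a gzipped tarball, the on-the-wire bundle layout.
// Entries are written in the given order, so identical input yields identical
// bytes and therefore an identical Etag. Writes go to memory with well-formed
// headers, so the error returns are deliberately not checked.
func buildBundle(files []bundleFile) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for _, f := range files {
		tw.WriteHeader(&tar.Header{Name: f.Name, Mode: 0o644, Size: int64(len(f.Body))})
		tw.Write([]byte(f.Body))
	}
	tw.Close()
	gz.Close()
	return buf.Bytes()
}

// bundleServer is a hypothetical Bundle Service endpoint serving one bundle.
type bundleServer struct {
	bundle []byte
	etag   string // strong Etag derived from the bundle bytes
}

func (s *bundleServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// Authenticate (constant-time) before revealing anything, including the revision.
	got, want := []byte(r.Header.Get("Authorization")), []byte("Bearer "+bearerToken)
	if subtle.ConstantTimeCompare(got, want) != 1 {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	w.Header().Set("Etag", s.etag)
	if r.Header.Get("If-None-Match") == s.etag {
		w.WriteHeader(http.StatusNotModified) // unchanged: no body is sent
		return
	}
	w.Write(s.bundle)
}

// pollResult records what one OPA-style poll observed.
type pollResult struct {
	Status int
	Etag   string
	Body   []byte
	Err    error
}

// poll issues one bundle request the way OPA does: bearer credential plus
// If-None-Match carrying the Etag from the previous successful download.
func poll(url, token, prevEtag string) pollResult {
	req, _ := http.NewRequest(http.MethodGet, url, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	if prevEtag != "" {
		req.Header.Set("If-None-Match", prevEtag)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return pollResult{Err: err}
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return pollResult{Status: resp.StatusCode, Etag: resp.Header.Get("Etag"), Body: body, Err: err}
}

// runDemo serves a constructed two-file bundle and performs four polls:
// no credential, first download, unchanged revision, stale Etag.
func runDemo() []pollResult {
	bundle := buildBundle([]bundleFile{ // constructed sample content
		{"authz/policy.rego", "package authz\n\ndefault allow := false\n"},
		{"data.json", `{"roles": {"alice": ["admin"]}}`},
	})
	srv := httptest.NewServer(&bundleServer{bundle: bundle, etag: fmt.Sprintf("\"%x\"", sha256.Sum256(bundle))})
	defer srv.Close()
	url := srv.URL + "/bundles/authz" // default resource path for a bundle named "authz"
	unauth := poll(url, "", "")                // 401: rejected before any bundle data is sent
	first := poll(url, bearerToken, "")        // 200: full download, response carries the Etag
	same := poll(url, bearerToken, first.Etag) // 304: same revision, empty body, OPA keeps its active bundle
	stale := poll(url, bearerToken, `"stale"`) // 200: Etag no longer matches, full download again
	return []pollResult{unauth, first, same, stale}
}

func main() {
	for _, r := range runDemo() {
		fmt.Printf("status=%d etag=%s bytes=%d err=%v\n", r.Status, r.Etag, len(r.Body), r.Err)
	}
}
```

Running the program prints the four polls in order (401, 200 with an Etag and a body, 304 with the same Etag and no body, 200 again). Two design points carry over to a real service: deriving the Etag from the bundle bytes means a re-published but byte-identical bundle never triggers a download or re-activation, and checking the credential before touching the Etag keeps revision changes invisible to anyone who does not hold the token. A production service would also serve over TLS, which the configuration above relies on to keep the bearer token off the wire.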