open-policy-agent / opa

Open Policy Agent (OPA) is an open source, general-purpose policy engine.
https://www.openpolicyagent.org
Apache License 2.0

Programmatically add label to Decision Log #7131

Open PietervdWerk opened 4 days ago

PietervdWerk commented 4 days ago

What is the underlying problem you're trying to solve?

When extending OPA with your own functions or plugins, there is nothing in the decision log indicating that the OPA runtime that ran the evaluation is in fact a custom build OPA runtime.

Describe the ideal solution

I would like to programmatically add a label to the decision log that indicates the custom version. A ldflag can be used to pass the build tag into the binary. And some kind of hook could be used to add the label to manager's labels.

package main

import (
    "os"

    "github.com/open-policy-agent/opa/cmd"
    "github.com/open-policy-agent/opa/config"
    "gitlab.com/n-id/core/pkg/utilities/log/v2"
)

// version is injected at build time via -ldflags "-X main.version=<build tag>".
var version = "dev"

func main() {
    // Proposed hook (not an existing OPA API): add a label to the manager's
    // labels so it shows up in every decision log entry from this build.
    config.AddLabel("build-tag", version)
    // Plugin and extensions code

    if err := cmd.RootCommand.Execute(); err != nil {
        log.Errorln(err)
        os.Exit(1)
    }
}

Describe a "Good Enough" solution

I do not know a simpler solution, but all ideas are welcome!

Additional Context

The OPA config allows a labels setting to add labels to the Decision Log for that instance; as far as I could see, there is no way to add to the config programmatically.

https://openpolicyagent.slack.com/archives/CBR63TK2A/p1729599666570109

charlieegan3 commented 4 days ago

Hi, thanks for raising the issue here. (Slack Thread)

This might be a bit of a hack, but could you use os.Setenv("OPA_BUILD", "my-custom-build")

and then use environment variables in the config: https://www.openpolicyagent.org/docs/latest/configuration/#using-environment-variables-in-configuration

for the labels key: https://www.openpolicyagent.org/docs/latest/configuration/#miscellaneous

I know it's not super neat, but it might unblock you.
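The env-var workaround above, end to end, as an added example that is not OPA's code and not from this thread: the binary exports its ldflags build tag as OPA_BUILD, a constructed config fragment references it in labels, and a strict expander refuses to run if the variable is unset so the label can never silently become empty. The names expandStrict, labelsFrom and sampleConfig are assumptions, and the expansion is a simplified stand-in for OPA's own substitution.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// version is injected at build time via -ldflags "-X main.version=v1.2.3-custom".
var version = "dev"

// Constructed OPA config fragment (JSON is valid YAML). "${OPA_BUILD}" is the env-var placeholder.
const sampleConfig = `{"labels": {"app": "trust-network", "build-tag": "${OPA_BUILD}"}}`

// expandStrict resolves ${VAR} via lookup and fails if any variable is unset, so a build
// label can never silently become "". Simplified stand-in for OPA's substitution, not OPA code.
func expandStrict(raw string, lookup func(string) (string, bool)) (string, error) {
	var missing []string
	out := os.Expand(raw, func(name string) string {
		v, ok := lookup(name)
		if !ok {
			missing = append(missing, name)
		}
		return v
	})
	if len(missing) > 0 {
		return "", fmt.Errorf("unset config variables: %v", missing)
	}
	return out, nil
}

// labelsFrom expands the config and returns its "labels" map, the values OPA attaches to every decision log entry.
func labelsFrom(raw string, lookup func(string) (string, bool)) (map[string]string, error) {
	expanded, err := expandStrict(raw, lookup)
	if err != nil {
		return nil, err
	}
	var cfg struct {
		Labels map[string]string `json:"labels"`
	}
	if err := json.Unmarshal([]byte(expanded), &cfg); err != nil {
		return nil, err
	}
	return cfg.Labels, nil
}

func main() {
	os.Setenv("OPA_BUILD", version) // export the build tag before OPA loads its config
	fmt.Println(labelsFrom(sampleConfig, os.LookupEnv)) // map[app:trust-network build-tag:dev] <nil>
}
```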

PietervdWerk commented 4 days ago

Yes, you're right; that would be a solution. However, our clients download our runtime and our bundle to be part of our trust network. Since we don’t control how they run their instance, we also don’t manage the configuration YAML. I would love to control this from the runtime itself.

charlieegan3 commented 4 days ago

Ok interesting, so beyond the most minimal config file needed to download the bundle, what configuration is being set by clients in their OPA config files? Are they making use of other OPA features that are out of your control?

I was wondering if you might be able to use Discovery Bundles https://www.openpolicyagent.org/docs/latest/management-discovery/ to minimise the different things that users need to change. The realised configuration might be able to abstract the variable substitution?