INLINE_OPA_CONFIG didn't support multiple addr/diagnostic-addr?

[h9ing]

HI

I have a public OPA that allows everyone to access it on port 8181 without TLS for policy validation.
However, for policy updates, I have configured OPA on port 8282 with TLS, and only the OPAL Client can access it.
(I used the Docker image "permitio/opal-client:0.7.3" to conduct the testing.)

multiple addr

According to the OPA documentation, we can configure multiple "addr" settings to start multiple ports.

Here are my settings:
OPAL_INLINE_OPA_CONFIG:
"{\"addr\":\"https://127.0.0.1:8282\",\"addr\":\"http://0.0.0.0:8181\"..........

OPAL Log:
2023-06-28T10:15:24.915217+0000 | opal_client.engine.runner | INFO | Running policy engine inline: opa run --server --addr=http://0.0.0.0:8181 --authentication=tls --authorization=basic --tls-ca-cert-file=/opa_opal_config/ca.pem --tls-cert-file=/opa_opal_config/server-cert.pem --tls-private-key-file=/opa_opal_config/server-key.pem --log-level=info /opa_opal_config/check.rego 2023-06-28T10:15:24.937032+0000 | opal_client.engine.logger | INFO | Initializing server. {"addrs": ["http://0.0.0.0:8181"], "diagnostic-addrs": [], "time": "2023-06-28T10:15:24Z"}

I also tried using a JSON array for configuration:
OPAL_INLINE_OPA_CONFIG:
"{\"addr\":[\"https://127.0.0.1:8282\",\"http://0.0.0.0:8181\"]..........

OPAL Log:
Failed parsing config key- OPAL_INLINE_OPA_CONFIG

However, none of these configurations seem to work as expected.

diagnostic-addr

According to the OPA documentation, I believe I can use the "diagnostic-addr" setting to open an additional port.

OPAL_INLINE_OPA_CONFIG:
"{\"addr\":\"https://127.0.0.1:8282\",\"diagnostic_addr\":\":8181\"..........

OPAL Log:
2023-06-29T03:17:18.631652+0000 | opal_client.engine.runner | INFO | Launching engine runner 2023-06-29T03:17:18.635502+0000 | opal_client.engine.runner | INFO | Running policy engine inline: opa run --server --addr=https://127.0.0.1:8282 --authentication=tls --authorization=basic --tls-ca-cert-file=/opa_opal_config/ca.pem --tls-cert-file=/opa_opal_config/server-cert.pem --tls-private-key-file=/opa_opal_config/server-key.pem --log-level=info /opa_opal_config/check.rego

OPAL_INLINE_OPA_CONFIG:
"{\"addr\":\"https://127.0.0.1:8282\",\"diagnostic-addr\":\":8181\"..........

OPAL Log:
2023-06-29T03:20:50.381100+0000 | opal_client.engine.runner | INFO | Running policy engine inline: opa run --server --addr=https://127.0.0.1:8282 --authentication=tls --authorization=basic --tls-ca-cert-file=/opa_opal_config/ca.pem --tls-cert-file=/opa_opal_config/server-cert.pem --tls-private-key-file=/opa_opal_config/server-key.pem --log-level=info /opa_opal_config/check.rego 2023-06-29T03:20:50.411110+0000 | opal_client.engine.logger | INFO | Initializing server. {"addrs": ["https://127.0.0.1:8282"], "diagnostic-addrs": [], "time": "2023-06-29T03:20:50Z"}

Unfortunately, neither "diagnostic-addr" nor "diagnostic_addr" seem to work for setting the diagnostic address.

Could you please provide guidance on how to configure multiple "addr" and "diagnostic-addr" in the OPA configuration?

(Both multiple "addr" and "diagnostic-addr" configurations have been tested on my local single OPA, and they work properly.)

Thanks~

[shaulk]

Hi h9ing,

OPAL doesn't currently have a configuration option to add command line arguments to the inline OPA, so your only option (assuming the current code) is to run OPA separately, and set INLINE_OPA_ENABLED false and POLICY_STORE_URL to OPA's URL.

As an alternative, you can set up nginx in front of OPA to serve as the public gateway, by proxying only POST requests to whichever route you want to expose, thus negating the need for listening on two separate ports.

If you want to contribute this functionality, we'd love a PR. You can add support for custom configs to OPAL at opal_client.opa.runner, with a configuration option from opal_client.config.