using url: http://docker.for.mac.localhost:8080 in then bundle OPA config

[yashas224]

Hi,

I have this as bundle config

services:

• name: bundleService
  url: http://docker.for.mac.localhost:8080/bundle-provider
  bundles:
  authz:
  service: bundleService
  resource: download/local-policy.tar.gz
  polling:
  min_delay_seconds: 10
  max_delay_seconds: 20

This is my deployment with OPA sidecar

apiVersion: apps/v1
kind: Deployment
metadata:
name: bundle-consumer-app
spec:
replicas: 1
selector:
matchLabels:
app: bundle-consumer-app
template:
metadata:
labels:
app: bundle-consumer-app
name: opa
spec:
containers:
- name: bundle-consumer-app
image: bundle-consumer-app
imagePullPolicy: Never
ports:
- containerPort: 8080
- name: opa
image: openpolicyagent/opa:0.51.0
ports:
- name: http
containerPort: 8181
args:
- "run"
- "--ignore=.*" # exclude hidden dirs created by Kubernetes
- "--server"
- "--config-file"
- "/policies/bundle-config.yaml"
volumeMounts:
- readOnly: true
mountPath: /policies
name: policy-config
livenessProbe:
httpGet:
scheme: HTTP # assumes OPA listens on localhost:8181
port: 8181
initialDelaySeconds: 5 # tune these periods for your environment
periodSeconds: 5
readinessProbe:
httpGet:
path: /health?bundle=true # Include bundle activation in readiness
scheme: HTTP
port: 8181
initialDelaySeconds: 5
periodSeconds: 5
volumes:
- name: policy-config
configMap:
name: policy-config

Opa container is not able to download the bundle.
logs from opa container:
{"level":"error","msg":"Bundle load failed: request failed: Get "http://docker.for.mac.localhost:8080/bundle-provider/download/local-policy.tar.gz\": dial tcp: lookup docker.for.mac.localhost on 10.96.0.10:53: read udp 10.1.0.158:47705-\u003e10.96.0.10:53: read: connection refused","name":"authz","plugin":"bundle","time":"2023-04-17T20:51:08Z"}

Can someone help me here?

[ashutosh-narkar]

This seems to be an issue with how you've setup your bundle server and OPA not being to call it. I would imagine there is some network config you need to play with here. If your goal is just to have a local bundle server and OPA call it then see this example.

[yashas224]

Hi @ashutosh-narkar
To not have it on my local system , I have deployed it to a test cloud platform.

This is how I have structured my bundle config

services:
  - name: bundleService
    url: http://tcp-mo4.mogenius.io:53108/bundle-provider
bundles:
  authz:
    service: bundleService
    resource: download/local-policy.tar.gz
    polling:
      min_delay_seconds: 10
      max_delay_seconds: 20

I still see the same error
{"level":"error","msg":"Bundle load failed: request failed: Get "http://tcp-mo4.mogenius.io:53108/bundle-provider/download/local-policy.tar.gz\": dial tcp: lookup tcp-mo4.mogenius.io on 10.96.0.10:53: read udp 10.1.0.171:53257-\u003e10.96.0.10:53: read: connection refused","name":"authz","plugin":"bundle","time":"2023-04-17T21:59:51Z"}

[ashutosh-narkar]

You need to check why the endpoint is not reachable from within the cluster. This does not look like an issue with OPA itself. For ex if I run wget http://tcp-mo4.mogenius.io:53108/bundle-provider/download/local-policy.tar.gz, I can download the bundle but something in your cluster is likely causing this.

[yashas224]

Thanks @ashutosh-narkar .