policy hot reload in sidecar opa server in kubernetes

[shturec]

One option to supply policy to opa sidecar in a kubernetes cluster is via config map and mounted volume. Note that the deployment option under discussion here is distributed opa as a sidecar injected automatically to workloads via the opa operator.

However, it seems that the opa server does not hot reload policy configmap changes automatically even with opa run --watch option enabled and the only option is to restart the container (e.g. by scale down and then up the workload deployment replicas).
That is hardly a productive operational scenario and I wanted to confirm the following:

1. Is this a bug in --watch behavior?
2. Or is that's on purpose and has some rationale, i.e. you do not want this behavior on purpose? And if so, how does that fit the --watch option description?
3. If this behavior is by design, the only valid option to push policy changes with zero downtime to distributed opa sidecars would be a central bundle service.

The relevant injected sidecar container config:

      "args": [
        "run",
        "--server",
        "--config-file=/config/config.yaml",
        "--addr=localhost:8181",
        "--diagnostic-addr=0.0.0.0:8282",
        "--watch",
        "/policy/policy.rego",
      ],
      "volumeMounts": [{
        "mountPath": "/config",
        "name": "opa-istio-config",
      }, {
        "mountPath": "/policy",
        "name": "opa-policy",
      }],

My expectation was that with --watch, changes in the configmap that materializes as /policy/policy.rego would be hot reloaded by the opa server in the sidecar container.

[shturec]

Scratch that. I had to be more patient and wait for the configmap changes to replicate to the volume mount.
Looks like using --watch is a valid and working option for hot reloading file changes.