OCP: support serving bundles directly #302

Open
srenatus wants to merge 5 commits into main from sr/serve-bundles-directly

@srenatus srenatus commented Mar 25, 2026

Add http_server as a new object_storage variant for bundles, allowing OCP to serve bundles directly via its HTTP API without requiring external object storage.

TODOs

  • introduce new permission+role
  • add actual e2e test with OPA

Note that

  1. Bundles are held in memory and served on OCP's main HTTP server at the configured path, with full authentication and authorization (bearer token + bundles.download permission)
  2. Supports the OPA bundle protocol: Content-Type: application/gzip, ETag-based caching with If-None-Match/304, and returns an X-OPA-Revision header

Example configuration

  bundles:
    hello-world:
      object_storage:
        http_server:
          path: bundles/hello-world/bundle.tar.gz # => /v1/external/bundles/hello-world/bundle.tar.gz
      requirements:
      - source: hello-world

When to use this

This is intended for development, testing, and simple deployments where running external object storage (S3, GCS, Azure Blob) is unnecessary overhead.
For production environments, an external object store like S3 is strongly recommended — it provides durability, scalability, and avoids coupling bundle availability to the OCP process lifecycle.
Bundles stored via http_server live only in memory and are lost when OCP restarts.

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>
Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>
@srenatus srenatus changed the title from "Sr/serve bundles directly" to "OCP: support serving bundles directly" Mar 25, 2026
...and use that for authz of served bundles.

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>
Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>
This gives the user some control wrt proxying etc -- it's a clearer
distinction than using whatever was configured as ENTIRE path.

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>
@srenatus srenatus marked this pull request as ready for review March 25, 2026 13:21
@srenatus srenatus requested a review from philipaconrad March 25, 2026 13:21
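
The exchange outlined in the PR description (bearer-token check, then ETag / If-None-Match handling with an X-OPA-Revision header), as an added Go sketch that is not code from this PR or from OCP. `bundleHandler`, `fetch`, the token and the bundle bytes are hypothetical; the bundles.download permission lookup is reduced to a single token comparison, and If-None-Match is matched exactly (no validator lists or weak ETags).

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// bundleHandler: hypothetical stand-in for the endpoint; all inputs are constructed.
func bundleHandler(token, revision string, data []byte) http.Handler {
	sum := sha256.Sum256(data)
	etag := `"` + hex.EncodeToString(sum[:]) + `"`
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Authenticate before the conditional check, so 304 vs 200 cannot
		// tell an unauthenticated caller whether a guessed ETag is current.
		auth := r.Header.Get("Authorization")
		got := strings.TrimPrefix(auth, "Bearer ")
		if got == auth || subtle.ConstantTimeCompare([]byte(got), []byte(token)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		w.Header().Set("ETag", etag)
		w.Header().Set("X-OPA-Revision", revision)
		if r.Header.Get("If-None-Match") == etag {
			w.WriteHeader(http.StatusNotModified)
			return
		}
		w.Header().Set("Content-Type", "application/gzip")
		w.Write(data)
	})
}

// fetch sends one in-process GET and returns status code, ETag and body size.
func fetch(h http.Handler, authz, ifNoneMatch string) (int, string, int) {
	req := httptest.NewRequest(http.MethodGet, "/v1/external/bundles/hello-world/bundle.tar.gz", nil)
	req.Header.Set("Authorization", authz)
	req.Header.Set("If-None-Match", ifNoneMatch)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("ETag"), rec.Body.Len()
}

func main() {
	h := bundleHandler("constructed-token", "rev-1", []byte("constructed bundle bytes"))
	fmt.Println(fetch(h, "Bearer constructed-token", ""))
}
```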