eopa dependencies

Author: nuwandi-wickramasinghe_zse

config/config.go

@@ -317,6 +317,7 @@ type Config struct {
 	OpenPolicyAgentControlLoopMaxJitter                time.Duration `yaml:"open-policy-agent-control-loop-max-jitter"`
 	EnableOpenPolicyAgentDataPreProcessingOptimization bool          `yaml:"enable-open-policy-agent-data-preprocessing-optimization"`
 	EnableOpenPolicyAgentPreloading                    bool          `yaml:"enable-open-policy-agent-preloading"`
+	EnableEnterpriseOpenPolicyAgentPlugins             bool          `yaml:"enable-enterprise-open-policy-agent-plugins"`
 	OpenPolicyAgentConfigTemplate                      string        `yaml:"open-policy-agent-config-template"`
 	OpenPolicyAgentEnvoyMetadata                       string        `yaml:"open-policy-agent-envoy-metadata"`
 	OpenPolicyAgentCleanerInterval                     time.Duration `yaml:"open-policy-agent-cleaner-interval"`
@@ -571,6 +572,7 @@ func NewConfig() *Config {
 	flag.Int64Var(&cfg.OpenPolicyAgentMaxRequestBodySize, "open-policy-agent-max-request-body-size", openpolicyagent.DefaultMaxRequestBodySize, "Maximum number of bytes from a http request body that are passed as input to the policy")
 	flag.Int64Var(&cfg.OpenPolicyAgentRequestBodyBufferSize, "open-policy-agent-request-body-buffer-size", openpolicyagent.DefaultRequestBodyBufferSize, "Read buffer size for the request body")
 	flag.Int64Var(&cfg.OpenPolicyAgentMaxMemoryBodyParsing, "open-policy-agent-max-memory-body-parsing", openpolicyagent.DefaultMaxMemoryBodyParsing, "Total number of bytes used to parse http request bodies across all requests. Once the limit is met, requests will be rejected.")
+	flag.BoolVar(&cfg.EnableEnterpriseOpenPolicyAgentPlugins, "enable-enterprise-open-policy-agent-plugins", false, "Allowing open policy agent to load additional plugins which are available with EOPA. EOPA has been donated to the OPA community")
 
 	// TLS client certs
 	flag.StringVar(&cfg.ClientKeyFile, "client-tls-key", "", "TLS Key file for backend connections, multiple keys may be given comma separated - the order must match the certs")
@@ -1041,6 +1043,7 @@ func (c *Config) ToOptions() skipper.Options {
 		OpenPolicyAgentControlLoopMaxJitter:                c.OpenPolicyAgentControlLoopMaxJitter,
 		EnableOpenPolicyAgentDataPreProcessingOptimization: c.EnableOpenPolicyAgentDataPreProcessingOptimization,
 		EnableOpenPolicyAgentPreloading:                    c.EnableOpenPolicyAgentPreloading,
+		EnableEnterpriseOpenPolicyAgentPlugins:             c.EnableEnterpriseOpenPolicyAgentPlugins,
 		OpenPolicyAgentConfigTemplate:                      c.OpenPolicyAgentConfigTemplate,
 		OpenPolicyAgentEnvoyMetadata:                       c.OpenPolicyAgentEnvoyMetadata,
 		OpenPolicyAgentCleanerInterval:                     c.OpenPolicyAgentCleanerInterval,

filters/openpolicyagent/internal/eopa/eopaplugins.go

@@ -0,0 +1,14 @@
+package eopa
+
+import (
+	"github.com/open-policy-agent/eopa/pkg/plugins/data"
+	dl "github.com/open-policy-agent/eopa/pkg/plugins/decision_logs"
+	"github.com/open-policy-agent/opa/v1/plugins"
+)
+
+func All() map[string]plugins.Factory {
+	return map[string]plugins.Factory{
+		data.Name:       data.Factory(),
+		dl.DLPluginName: dl.Factory(),
+	}
+}

filters/openpolicyagent/openpolicyagent.go

@@ -5,6 +5,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"github.com/zalando/skipper/filters/openpolicyagent/internal/eopa"
 	"io"
 	"maps"
 	"math/rand"
@@ -115,6 +116,8 @@ type OpenPolicyAgentRegistry struct {
 	controlLoopInterval     time.Duration
 	controlLoopMaxJitter    time.Duration
 
+	enableEopaPlugins bool
+
 	enableDataPreProcessingOptimization bool
 
 	valueCache iCache.InterQueryValueCache
@@ -200,6 +203,13 @@ func WithEnableCustomControlLoop(enabled bool) func(*OpenPolicyAgentRegistry) er
 	}
 }
 
+func WithEnableEopaPlugins(enabled bool) func(*OpenPolicyAgentRegistry) error {
+	return func(cfg *OpenPolicyAgentRegistry) error {
+		cfg.enableEopaPlugins = enabled
+		return nil
+	}
+}
+
 func WithEnableDataPreProcessingOptimization(enabled bool) func(*OpenPolicyAgentRegistry) error {
 	return func(cfg *OpenPolicyAgentRegistry) error {
 		cfg.enableDataPreProcessingOptimization = enabled
@@ -690,7 +700,14 @@ func (registry *OpenPolicyAgentRegistry) new(store storage.Store, bundleName str
 		return nil, err
 	}
 
-	discoveryPlugin, err := discovery.New(manager, discovery.Factories(map[string]plugins.Factory{envoy.PluginName: envoy.Factory{}}), discovery.Hooks(configHooks))
+	discoveryOpts := map[string]plugins.Factory{envoy.PluginName: envoy.Factory{}}
+	if registry.enableEopaPlugins {
+		for name, factory := range eopa.All() {
+			discoveryOpts[name] = factory
+		}
+	}
+
+	discoveryPlugin, err := discovery.New(manager, discovery.Factories(discoveryOpts), discovery.Hooks(configHooks))
 	if err != nil {
 		return nil, err
 	}

filters/openpolicyagent/openpolicyagent_test.go

@@ -121,6 +121,44 @@ func mockControlPlaneWithDiscoveryBundle(discoveryBundle string) (*opasdktest.Se
 				{"discovery":{"bundles":{"bundles/test":{"persist":false,"resource":"bundles/test","service":"test"}}}}
 			`,
 		}),
+		opasdktest.MockBundle("/bundles/discovery-eopa-plugin", map[string]string{
+			"data.json": `{
+			  "discovery": {
+				"bundles": {
+				  "bundles/test": {
+					"persist": false,
+					"resource": "bundles/test",
+					"service": "test"
+				  }
+				},
+				"decision_logs": {
+					"plugin": "eopa_dl"
+				},
+				"plugins": {
+					"eopa_dl": {
+					  "buffer": {
+						"type": "memory",
+						"max_bytes": 50000000
+					  },
+					  "output": {
+						"type": "s3",
+						"bucket": "logs",
+						"endpoint": "https://example.s3.eu-central-1.amazonaws.com/",
+						"force_path": true,
+						"region": "eu-central-1",
+						"access_key_id": "myid",
+						"access_secret": "mysecret",
+						"batching": {
+						  "at_bytes": 10000000,
+						  "at_period": "1s"
+						}
+					  }
+					}
+			  	}
+		}
+			}
+			`,
+		}),
 		opasdktest.MockBundle("/bundles/discovery-with-wrong-bundle", map[string]string{
 			"data.json": `
 				{"discovery":{"bundles":{"bundles/non-existing-bundle":{"persist":false,"resource":"bundles/non-existing-bundle","service":"test"}}}}
@@ -560,17 +598,24 @@ func TestOpaActivationSuccessWithDiscovery(t *testing.T) {
 		{
 			enableCustomControlLoop: true,
 			discoveryBundle:         "bundles/discovery",
+			enableEopaPlugins:       false,
 		},
 		{
 			enableCustomControlLoop: false,
 			discoveryBundle:         "bundles/discovery",
+			enableEopaPlugins:       true,
+		},
+		{
+			enableCustomControlLoop: false,
+			discoveryBundle:         "bundles/discovery-eopa-plugin",
+			enableEopaPlugins:       true,
 		},
 	}
 	runWithTestCases(t, testCases,
 		func(t *testing.T, tc opaInstanceStartupTestCase) {
 			_, config := mockControlPlaneWithDiscoveryBundle(tc.discoveryBundle)
 
-			registry, err := NewOpenPolicyAgentRegistry(WithReuseDuration(1*time.Second), WithCleanInterval(1*time.Second), WithEnableCustomControlLoop(tc.enableCustomControlLoop), WithOpenPolicyAgentInstanceConfig(WithConfigTemplate(config)))
+			registry, err := NewOpenPolicyAgentRegistry(WithReuseDuration(1*time.Second), WithCleanInterval(1*time.Second), WithEnableCustomControlLoop(tc.enableCustomControlLoop), WithOpenPolicyAgentInstanceConfig(WithConfigTemplate(config)), WithEnableEopaPlugins(tc.enableEopaPlugins))
 			assert.NoError(t, err)
 
 			instance, err := registry.GetOrStartInstance("test")
@@ -1084,6 +1129,7 @@ type opaInstanceStartupTestCase struct {
 	expectedTriggerMode     plugins.TriggerMode
 	discoveryBundle         string
 	resourceBundle          bool
+	enableEopaPlugins       bool
 }
 
 func runWithTestCases(t *testing.T, cases []opaInstanceStartupTestCase, test func(t *testing.T, tc opaInstanceStartupTestCase)) {