Documentation
¶
Overview ¶
Package openpolicyagent provides OPA related filters.
Index ¶
- Constants
- Variables
- func BuildLabelSet(bundleName string, contextExtensions map[string]string) pprof.LabelSet
- func FormOpenPolicyAgentMetaDataObject(decisionId string) (*pbstruct.Struct, error)
- func WithAsyncDecisionLogging(enabled bool) func(*OpenPolicyAgentRegistry) error
- func WithBackgroundTaskBufferSize(size int) func(*OpenPolicyAgentRegistry) error
- func WithCleanInterval(interval time.Duration) func(*OpenPolicyAgentRegistry) error
- func WithConfigTemplate(configTemplate []byte) func(*OpenPolicyAgentInstanceConfig) error
- func WithConfigTemplateFile(configTemplateFile string) func(*OpenPolicyAgentInstanceConfig) error
- func WithControlLoopInterval(interval time.Duration) func(*OpenPolicyAgentRegistry) error
- func WithControlLoopMaxJitter(maxJitter time.Duration) func(*OpenPolicyAgentRegistry) error
- func WithDecisionLogTaskTimeout(timeout time.Duration) func(*OpenPolicyAgentRegistry) error
- func WithEnableCustomControlLoop(enabled bool) func(*OpenPolicyAgentRegistry) error
- func WithEnableDataPreProcessingOptimization(enabled bool) func(*OpenPolicyAgentRegistry) error
- func WithEnablePrintTracing(enabled bool) func(*OpenPolicyAgentRegistry) error
- func WithEnvoyMetadata(metadata *ext_authz_v3_core.Metadata) func(*OpenPolicyAgentInstanceConfig) error
- func WithEnvoyMetadataBytes(content []byte) func(*OpenPolicyAgentInstanceConfig) error
- func WithEnvoyMetadataFile(file string) func(*OpenPolicyAgentInstanceConfig) error
- func WithInstanceStartupTimeout(timeout time.Duration) func(*OpenPolicyAgentRegistry) error
- func WithMaxMemoryBodyParsing(n int64) func(*OpenPolicyAgentRegistry) error
- func WithMaxRequestBodyBytes(n int64) func(*OpenPolicyAgentRegistry) error
- func WithOpenPolicyAgentInstanceConfig(opts ...func(*OpenPolicyAgentInstanceConfig) error) func(*OpenPolicyAgentRegistry) error
- func WithPreloadingEnabled(enabled bool) func(*OpenPolicyAgentRegistry) error
- func WithPrometheusRegisterer(registerer prometheus.Registerer) func(*OpenPolicyAgentRegistry) error
- func WithReadBodyBufferSize(n int64) func(*OpenPolicyAgentRegistry) error
- func WithReuseDuration(duration time.Duration) func(*OpenPolicyAgentRegistry) error
- func WithTracer(tracer opentracing.Tracer) func(*OpenPolicyAgentRegistry) error
- func WithTracingOptBundleName(bundleName string) func(*transport)
- func WithTracingOptManager(manager *plugins.Manager) func(*transport)
- func WithTracingOptTracer(tracer opentracing.Tracer) func(*transport)
- type BackgroundTask
- type OpenPolicyAgentFilter
- type OpenPolicyAgentInstance
- func (opa *OpenPolicyAgentInstance) BundleName() string
- func (opa *OpenPolicyAgentInstance) Close(ctx context.Context)
- func (opa *OpenPolicyAgentInstance) EnvoyPluginConfig() envoy.PluginConfig
- func (opa *OpenPolicyAgentInstance) Eval(ctx context.Context, req *ext_authz_v3.CheckRequest) (*envoyauth.EvalResult, error)
- func (opa *OpenPolicyAgentInstance) ExtractHttpBodyOptionally(req *http.Request) (io.ReadCloser, []byte, func(), error)
- func (opa *OpenPolicyAgentInstance) HandleEvaluationError(fc filters.FilterContext, span opentracing.Span, result *envoyauth.EvalResult, ...)
- func (opa *OpenPolicyAgentInstance) HandleInstanceNotReadyError(fc filters.FilterContext, span opentracing.Span, serve bool)
- func (opa *OpenPolicyAgentInstance) HandleInvalidDecisionError(fc filters.FilterContext, span opentracing.Span, result *envoyauth.EvalResult, ...)
- func (opa *OpenPolicyAgentInstance) Healthy() bool
- func (opa *OpenPolicyAgentInstance) InstanceConfig() *OpenPolicyAgentInstanceConfig
- func (opa *OpenPolicyAgentInstance) Logger() logging.Logger
- func (opa *OpenPolicyAgentInstance) MarkStartScheduled()
- func (opa *OpenPolicyAgentInstance) MetricsKey(key string) string
- func (opa *OpenPolicyAgentInstance) ServeInvalidDecisionError(fc filters.FilterContext, span opentracing.Span, result *envoyauth.EvalResult, ...)
- func (opa *OpenPolicyAgentInstance) ServeResponse(fc filters.FilterContext, span opentracing.Span, result *envoyauth.EvalResult)
- func (opa *OpenPolicyAgentInstance) Start() error
- func (opa *OpenPolicyAgentInstance) StartScheduled() bool
- func (opa *OpenPolicyAgentInstance) StartSpanFromContext(ctx context.Context) (opentracing.Span, context.Context)
- func (opa *OpenPolicyAgentInstance) StartSpanFromFilterContext(fc filters.FilterContext) (opentracing.Span, context.Context)
- func (opa *OpenPolicyAgentInstance) Started() bool
- type OpenPolicyAgentInstanceConfig
- type OpenPolicyAgentRegistry
- func (registry *OpenPolicyAgentRegistry) Close()
- func (registry *OpenPolicyAgentRegistry) Do(routes []*routing.Route) []*routing.Route
- func (registry *OpenPolicyAgentRegistry) GetOrStartInstance(bundleName string) (*OpenPolicyAgentInstance, error)
- func (registry *OpenPolicyAgentRegistry) NewPreProcessor() routing.PreProcessor
- func (registry *OpenPolicyAgentRegistry) ScheduleBackgroundTask(fn func() error) (*BackgroundTask, error)
- type QuietLogger
- func (l *QuietLogger) Debug(fmt string, a ...interface{})
- func (l *QuietLogger) Error(fmt string, a ...interface{})
- func (l *QuietLogger) GetLevel() logging.Level
- func (l *QuietLogger) Info(fmt string, a ...interface{})
- func (l *QuietLogger) SetLevel(level logging.Level)
- func (l *QuietLogger) Warn(fmt string, a ...interface{})
- func (l *QuietLogger) WithFields(fields map[string]interface{}) logging.Logger
Constants ¶
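// Default settings exported by package openpolicyagent.
//
// The listing was collapsed onto a single line, so the "// 1 MB" line comment
// swallowed the constants after it; it is restored here with one constant per
// line and unchanged values.
//
// NOTE(review): which With* option overrides which default is inferred from
// the names only. Confirm against NewOpenPolicyAgentRegistry.
const (
	DefaultCleanIdlePeriod          = 10 * time.Second
	DefaultControlLoopInterval      = 60 * time.Second
	DefaultControlLoopMaxJitter     = 1000 * time.Millisecond
	DefaultOpaStartupTimeout        = 30 * time.Second
	DefaultBackgroundTaskBufferSize = 100
	DefaultDecisionLogTaskTimeout   = 5 * time.Second

	// DefaultMaxRequestBodySize is 1 << 20 bytes (1 MiB; "1 MB" in the
	// original comment). Presumably the per-request cap on the body handed to
	// policy evaluation (see WithMaxRequestBodyBytes).
	// NOTE(review): confirm how a body larger than this cap is treated
	// (rejected, or evaluated without the full body), because policies that
	// decide on body content depend on that behaviour.
	DefaultMaxRequestBodySize = 1 << 20

	// DefaultMaxMemoryBodyParsing is 100 times the per-request cap (100 MiB).
	// Presumably the total budget for bodies buffered across in-flight
	// requests (see WithMaxMemoryBodyParsing and ErrTotalBodyBytesExceeded).
	DefaultMaxMemoryBodyParsing = 100 * DefaultMaxRequestBodySize

	// DefaultRequestBodyBufferSize is 8 * 1024 bytes (8 KiB). Presumably the
	// read buffer size set by WithReadBodyBufferSize.
	DefaultRequestBodyBufferSize = 8 * 1024
)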
Variables ¶
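// Sentinel errors exported by package openpolicyagent. The listing was
// collapsed onto one line, which is not valid Go; it is restored here with one
// declaration per line and unchanged messages. Compare with errors.Is.
var (
	// ErrClosed carries the message "reader closed".
	// NOTE(review): presumably reported by the body reader obtained from
	// ExtractHttpBodyOptionally after it has been closed. Confirm.
	ErrClosed = errors.New("reader closed")

	// ErrTotalBodyBytesExceeded reports that the buffer for in-flight request
	// body authorization was exceeded.
	// NOTE(review): presumably tied to the WithMaxMemoryBodyParsing budget.
	// Confirm that callers deny the request on this error rather than let it
	// through without a body-based decision.
	ErrTotalBodyBytesExceeded = errors.New("buffer for in-flight request body authorization in Open Policy Agent exceeded")
)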
Functions ¶
func BuildLabelSet ¶ added in v0.24.49
BuildLabelSet builds pprof label pairs for OPA filter profiling. It always includes opa.task and opa.bundle_name, and adds opa.ctx.<key>=<value> for each entry in contextExtensions.
func FormOpenPolicyAgentMetaDataObject ¶ added in v0.21.166
func WithAsyncDecisionLogging ¶ added in v0.24.89
func WithAsyncDecisionLogging(enabled bool) func(*OpenPolicyAgentRegistry) error
func WithBackgroundTaskBufferSize ¶ added in v0.22.133
func WithBackgroundTaskBufferSize(size int) func(*OpenPolicyAgentRegistry) error
func WithCleanInterval ¶
func WithCleanInterval(interval time.Duration) func(*OpenPolicyAgentRegistry) error
func WithConfigTemplate ¶
func WithConfigTemplate(configTemplate []byte) func(*OpenPolicyAgentInstanceConfig) error
func WithConfigTemplateFile ¶
func WithConfigTemplateFile(configTemplateFile string) func(*OpenPolicyAgentInstanceConfig) error
func WithControlLoopInterval ¶ added in v0.22.22
func WithControlLoopInterval(interval time.Duration) func(*OpenPolicyAgentRegistry) error
func WithControlLoopMaxJitter ¶ added in v0.22.22
func WithControlLoopMaxJitter(maxJitter time.Duration) func(*OpenPolicyAgentRegistry) error
func WithDecisionLogTaskTimeout ¶ added in v0.26.12
func WithDecisionLogTaskTimeout(timeout time.Duration) func(*OpenPolicyAgentRegistry) error
func WithEnableCustomControlLoop ¶ added in v0.22.22
func WithEnableCustomControlLoop(enabled bool) func(*OpenPolicyAgentRegistry) error
func WithEnableDataPreProcessingOptimization ¶ added in v0.22.51
func WithEnableDataPreProcessingOptimization(enabled bool) func(*OpenPolicyAgentRegistry) error
func WithEnablePrintTracing ¶ added in v0.24.59
func WithEnablePrintTracing(enabled bool) func(*OpenPolicyAgentRegistry) error
func WithEnvoyMetadata ¶
func WithEnvoyMetadata(metadata *ext_authz_v3_core.Metadata) func(*OpenPolicyAgentInstanceConfig) error
func WithEnvoyMetadataBytes ¶
func WithEnvoyMetadataBytes(content []byte) func(*OpenPolicyAgentInstanceConfig) error
func WithEnvoyMetadataFile ¶
func WithEnvoyMetadataFile(file string) func(*OpenPolicyAgentInstanceConfig) error
func WithInstanceStartupTimeout ¶ added in v0.22.22
func WithInstanceStartupTimeout(timeout time.Duration) func(*OpenPolicyAgentRegistry) error
func WithMaxMemoryBodyParsing ¶ added in v0.20.6
func WithMaxMemoryBodyParsing(n int64) func(*OpenPolicyAgentRegistry) error
func WithMaxRequestBodyBytes ¶ added in v0.20.6
func WithMaxRequestBodyBytes(n int64) func(*OpenPolicyAgentRegistry) error
func WithOpenPolicyAgentInstanceConfig ¶ added in v0.22.74
func WithOpenPolicyAgentInstanceConfig(opts ...func(*OpenPolicyAgentInstanceConfig) error) func(*OpenPolicyAgentRegistry) error
func WithPreloadingEnabled ¶ added in v0.22.133
func WithPreloadingEnabled(enabled bool) func(*OpenPolicyAgentRegistry) error
func WithPrometheusRegisterer ¶ added in v0.24.28
func WithPrometheusRegisterer(registerer prometheus.Registerer) func(*OpenPolicyAgentRegistry) error
func WithReadBodyBufferSize ¶ added in v0.20.6
func WithReadBodyBufferSize(n int64) func(*OpenPolicyAgentRegistry) error
func WithReuseDuration ¶
func WithReuseDuration(duration time.Duration) func(*OpenPolicyAgentRegistry) error
func WithTracer ¶ added in v0.21.66
func WithTracer(tracer opentracing.Tracer) func(*OpenPolicyAgentRegistry) error
func WithTracingOptBundleName ¶ added in v0.21.66
func WithTracingOptBundleName(bundleName string) func(*transport)
func WithTracingOptManager ¶ added in v0.21.66
func WithTracingOptTracer ¶ added in v0.21.66
func WithTracingOptTracer(tracer opentracing.Tracer) func(*transport)
Types ¶
type BackgroundTask ¶ added in v0.22.133
// BackgroundTask is the handle returned by
// (*OpenPolicyAgentRegistry).ScheduleBackgroundTask. Its Wait method blocks
// until the scheduled function has completed.
type BackgroundTask struct {
// contains filtered or unexported fields
}
func (*BackgroundTask) Wait ¶ added in v0.22.133
func (t *BackgroundTask) Wait() error
Wait blocks until the task completes and returns the error the task produced, if any.
type OpenPolicyAgentFilter ¶
// OpenPolicyAgentFilter is satisfied by any type that has an OpenPolicyAgent
// method returning an *OpenPolicyAgentInstance.
type OpenPolicyAgentFilter interface {
OpenPolicyAgent() *OpenPolicyAgentInstance
}
type OpenPolicyAgentInstance ¶
type OpenPolicyAgentInstance struct {
// contains filtered or unexported fields
}
func (*OpenPolicyAgentInstance) BundleName ¶ added in v0.24.49
func (opa *OpenPolicyAgentInstance) BundleName() string
func (*OpenPolicyAgentInstance) Close ¶
func (opa *OpenPolicyAgentInstance) Close(ctx context.Context)
func (*OpenPolicyAgentInstance) EnvoyPluginConfig ¶
func (opa *OpenPolicyAgentInstance) EnvoyPluginConfig() envoy.PluginConfig
func (*OpenPolicyAgentInstance) Eval ¶
func (opa *OpenPolicyAgentInstance) Eval(ctx context.Context, req *ext_authz_v3.CheckRequest) (*envoyauth.EvalResult, error)
func (*OpenPolicyAgentInstance) ExtractHttpBodyOptionally ¶ added in v0.20.6
func (opa *OpenPolicyAgentInstance) ExtractHttpBodyOptionally(req *http.Request) (io.ReadCloser, []byte, func(), error)
func (*OpenPolicyAgentInstance) HandleEvaluationError ¶ added in v0.20.6
func (opa *OpenPolicyAgentInstance) HandleEvaluationError(fc filters.FilterContext, span opentracing.Span, result *envoyauth.EvalResult, err error, serve bool, status int)
func (*OpenPolicyAgentInstance) HandleInstanceNotReadyError ¶ added in v0.22.133
func (opa *OpenPolicyAgentInstance) HandleInstanceNotReadyError(fc filters.FilterContext, span opentracing.Span, serve bool)
func (*OpenPolicyAgentInstance) HandleInvalidDecisionError ¶
func (opa *OpenPolicyAgentInstance) HandleInvalidDecisionError(fc filters.FilterContext, span opentracing.Span, result *envoyauth.EvalResult, err error, serve bool)
func (*OpenPolicyAgentInstance) Healthy ¶ added in v0.22.133
func (opa *OpenPolicyAgentInstance) Healthy() bool
func (*OpenPolicyAgentInstance) InstanceConfig ¶
func (opa *OpenPolicyAgentInstance) InstanceConfig() *OpenPolicyAgentInstanceConfig
func (*OpenPolicyAgentInstance) Logger ¶
func (opa *OpenPolicyAgentInstance) Logger() logging.Logger
func (*OpenPolicyAgentInstance) MarkStartScheduled ¶ added in v0.22.165
func (opa *OpenPolicyAgentInstance) MarkStartScheduled()
func (*OpenPolicyAgentInstance) MetricsKey ¶
func (opa *OpenPolicyAgentInstance) MetricsKey(key string) string
func (*OpenPolicyAgentInstance) ServeInvalidDecisionError ¶
func (opa *OpenPolicyAgentInstance) ServeInvalidDecisionError(fc filters.FilterContext, span opentracing.Span, result *envoyauth.EvalResult, err error)
func (*OpenPolicyAgentInstance) ServeResponse ¶
func (opa *OpenPolicyAgentInstance) ServeResponse(fc filters.FilterContext, span opentracing.Span, result *envoyauth.EvalResult)
func (*OpenPolicyAgentInstance) Start ¶
func (opa *OpenPolicyAgentInstance) Start() error
func (*OpenPolicyAgentInstance) StartScheduled ¶ added in v0.22.165
func (opa *OpenPolicyAgentInstance) StartScheduled() bool
func (*OpenPolicyAgentInstance) StartSpanFromContext ¶
func (opa *OpenPolicyAgentInstance) StartSpanFromContext(ctx context.Context) (opentracing.Span, context.Context)
func (*OpenPolicyAgentInstance) StartSpanFromFilterContext ¶
func (opa *OpenPolicyAgentInstance) StartSpanFromFilterContext(fc filters.FilterContext) (opentracing.Span, context.Context)
func (*OpenPolicyAgentInstance) Started ¶ added in v0.22.133
func (opa *OpenPolicyAgentInstance) Started() bool
type OpenPolicyAgentInstanceConfig ¶
type OpenPolicyAgentInstanceConfig struct {
// contains filtered or unexported fields
}
func NewOpenPolicyAgentConfig ¶
func NewOpenPolicyAgentConfig(opts ...func(*OpenPolicyAgentInstanceConfig) error) (*OpenPolicyAgentInstanceConfig, error)
func (*OpenPolicyAgentInstanceConfig) GetEnvoyMetadata ¶
func (config *OpenPolicyAgentInstanceConfig) GetEnvoyMetadata() *ext_authz_v3_core.Metadata
type OpenPolicyAgentRegistry ¶
type OpenPolicyAgentRegistry struct {
// contains filtered or unexported fields
}
func NewOpenPolicyAgentRegistry ¶
func NewOpenPolicyAgentRegistry(opts ...func(*OpenPolicyAgentRegistry) error) (*OpenPolicyAgentRegistry, error)
func (*OpenPolicyAgentRegistry) Close ¶
func (registry *OpenPolicyAgentRegistry) Close()
func (*OpenPolicyAgentRegistry) Do ¶
func (registry *OpenPolicyAgentRegistry) Do(routes []*routing.Route) []*routing.Route
Do implements routing.PostProcessor and cleans unused OPA instances
func (*OpenPolicyAgentRegistry) GetOrStartInstance ¶ added in v0.22.133
func (registry *OpenPolicyAgentRegistry) GetOrStartInstance(bundleName string) (*OpenPolicyAgentInstance, error)
GetOrStartInstance returns an existing instance immediately, or creates one using registry config
func (*OpenPolicyAgentRegistry) NewPreProcessor ¶ added in v0.22.133
func (registry *OpenPolicyAgentRegistry) NewPreProcessor() routing.PreProcessor
NewPreProcessor creates a pre-processor that pre-loads OPA instances. It is only used when pre-loading is enabled via the command line flag.
func (*OpenPolicyAgentRegistry) ScheduleBackgroundTask ¶ added in v0.22.133
func (registry *OpenPolicyAgentRegistry) ScheduleBackgroundTask(fn func() error) (*BackgroundTask, error)
ScheduleBackgroundTask schedules a task to be executed in the background with limited parallelism (1). It returns a BackgroundTask that can be used to wait for completion.
type QuietLogger ¶
type QuietLogger struct {
// contains filtered or unexported fields
}
QuietLogger is a logging.Logger that does not pollute info with debug logs
func (*QuietLogger) Debug ¶
func (l *QuietLogger) Debug(fmt string, a ...interface{})
func (*QuietLogger) Error ¶
func (l *QuietLogger) Error(fmt string, a ...interface{})
func (*QuietLogger) GetLevel ¶
func (l *QuietLogger) GetLevel() logging.Level
func (*QuietLogger) Info ¶
func (l *QuietLogger) Info(fmt string, a ...interface{})
func (*QuietLogger) SetLevel ¶
func (l *QuietLogger) SetLevel(level logging.Level)
func (*QuietLogger) Warn ¶
func (l *QuietLogger) Warn(fmt string, a ...interface{})
func (*QuietLogger) WithFields ¶
func (l *QuietLogger) WithFields(fields map[string]interface{}) logging.Logger
Directories
¶
| Path | Synopsis |
|---|---|
| internal | Package internal provides internal only code to be able to use quasi standard OPA plugins and config. |
| envoy | Package envoy provides envoy compatible OPA data structures. |
| opatestutils | Package opatestutils is a test infrastructure package to support testing OPA infrastructure in skipper. |
| opaauthorizerequest | Package opaauthorizerequest provides filters that work on the request path. |
| opaserveresponse | Package opaserveresponse provides OPA filters that can respond to the client. |