Flag to fail OPA runtime if some of the bundle was not found

[ahd3r]

What is the underlying problem you're trying to solve?

In our use case, it's very crucial to load all bundles on OPA startup. Whenever error happens, we need to handle it the way we want, and not just see it in logs.

Describe the ideal solution

In OPA runtime golang lib, when we start a server, I want to panic, if some of my bundles fail to load.

Now I see error log like this:

{"level":"error","msg":"Bundle load failed: server replied with Not Found","name":"unsigned_policy_bundle","plugin":"bundle","time":"2024-04-23T18:56:41Z"}

But I want lib to panic, so I could catch this panic and write my logic of how to handle this error.

Describe a "Good Enough" solution

Panic if bundle load fails for whatever reason.

[ashutosh-narkar]

In our use case, it's very crucial to load all bundles on OPA startup. Whenever error happens, we need to handle it the way we want, and not just see it in logs.

How are you deploying OPA? For example, if you use Kubernetes you can configure a readinessProbe that calls /health?bundles. This will ensure that OPA serves requests only after all bundles are activated. Also whenever bundle activation fails OPA will log the error and also send a status message with the error via the Status API . This provides visibility into OPA's status.

Panic if bundle load fails for whatever reason

OPA can be loaded with one or more bundles. So to panic if one of them fails activation does not seem appropriate. The client can use the Health API or Status API for example to get more info and behave accordingly.

[ahd3r]

It might work, but I also noticed /health?bundles endpoint returns a general error text when one of the bundles fails to load. It would be nice to have the name of the bundle that failed to load in the error msg.

[ashutosh-narkar]

That's probably something that can be improved.