From a5e604434e13b61b57ed464706fad046231d90e4 Mon Sep 17 00:00:00 2001 From: dagtveit Date: Wed, 4 Mar 2026 18:35:50 +0100 Subject: [PATCH] Add OPA Envoy ext_authz plugin as separate topazd-envoy build target with decision logging --- .gitignore | 6 ++ .goreleaser.yml | 67 ++++++++++++++- Dockerfile.envoy | 33 ++++++++ go.mod | 8 ++ go.sum | 14 ++++ makefile | 1 + topazd-envoy/main.go | 59 +++++++++++++ topazd-envoy/topaz_run.go | 120 +++++++++++++++++++++++++++ topazd/app/topaz/runtime_resolver.go | 10 ++- topazd/cc/factory.go | 3 + 10 files changed, 317 insertions(+), 4 deletions(-) create mode 100644 Dockerfile.envoy create mode 100644 topazd-envoy/main.go create mode 100644 topazd-envoy/topaz_run.go diff --git a/.gitignore b/.gitignore index 5dd2aed2..d02559d0 100644 --- a/.gitignore +++ b/.gitignore @@ -67,3 +67,9 @@ __debug_bin* # LLM agent configs AGENTS.md CLAUDE.md + +# IDE +.idea/ + +# goenv +.go-version diff --git a/.goreleaser.yml b/.goreleaser.yml index ba92607c..5f9485b9 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -5,7 +5,7 @@ project_name: topaz env: # https://goreleaser.com/customization/env/ - REGISTRY=ghcr.io - - ORG=aserto-dev + - ORG=dynamik-software-lab - REPO=topaz - DESCRIPTION="Topaz Authorization Service" - LICENSE=Apache-2.0 
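Review bot: Switching ORG to dynamik-software-lab also rewrites every `-X github.com/{{ .Env.ORG }}/{{ .Env.REPO }}/...` ldflag in the builds section (the topazd-envoy block added in hunk @@ -85,6 +85,29 @@ uses the same form), so they now target `github.com/dynamik-software-lab/topaz/topazd/version.*`, while topazd-envoy/main.go imports `github.com/aserto-dev/topaz/topazd/version`. The Go linker silently drops a `-X` whose symbol does not exist, so unless the module path in go.mod was also renamed (not visible in this patch) the envoy binary's `version` command will print empty version, commit and date fields. Either keep the ldflags on the module's real import path, e.g. `- -X github.com/aserto-dev/topaz/topazd/version.ver={{.Version}}`, or separate the registry org from the Go module path with its own env entry such as `- MODULE=github.com/aserto-dev/topaz` and reference that in the ldflags.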
@@ -85,6 +85,29 @@ builds: - -X github.com/{{ .Env.ORG }}/{{ .Env.REPO }}/pkg/version.date={{.Date}} mod_timestamp: "{{ .CommitTimestamp }}" + - id: topazd-envoy + main: ./topazd-envoy + binary: topazd-envoy + goos: + - darwin + - linux + - windows + goarch: + - amd64 + - arm64 + env: + - CGO_ENABLED=0 + ignore: + - goos: windows + goarch: arm64 + ldflags: + - -s + - -w + - -X github.com/{{ .Env.ORG }}/{{ .Env.REPO }}/topazd/version.ver={{.Version}} + - -X github.com/{{ .Env.ORG }}/{{ .Env.REPO }}/topazd/version.commit={{.ShortCommit}} + - -X github.com/{{ .Env.ORG }}/{{ .Env.REPO }}/topazd/version.date={{.Date}} + mod_timestamp: "{{ .CommitTimestamp }}" + - id: topaz-backup main: ./topaz-backup binary: topaz-backup @@ -115,6 +138,7 @@ archives: ids: - topaz - topazd + - topazd-envoy - topaz-backup files: - LICENSE @@ -228,6 +252,46 @@ dockers_v2: build_args: flags: + - id: topaz-envoy-docker + dockerfile: "Dockerfile.envoy" + + platforms: + - linux/amd64 + - linux/arm64 + + ids: + - topaz + - topazd-envoy + - topaz-backup + + images: + - "{{ .Env.REGISTRY }}/{{ .Env.ORG }}/{{ .Env.REPO }}-envoy" + + tags: + - "{{ .Version }}" + - "{{ if not .IsSnapshot }}latest{{ end }}" + + labels: + "org.opencontainers.image.created": "{{.Date}}" + "org.opencontainers.image.name": "{{.ProjectName}}-envoy" + "org.opencontainers.image.revision": "{{.FullCommit}}" + "org.opencontainers.image.version": "{{.Version}}" + "org.opencontainers.image.source": "https://github.com/{{ .Env.ORG }}/{{ .Env.REPO }}" + "org.opencontainers.image.description": "{{ .Env.DESCRIPTION }} with Envoy ext_authz support" + "org.opencontainers.image.licenses": "{{ .Env.LICENSE }}" + + sbom: false + + retry: + attempts: 10 + delay: 10s + max_delay: 2m + + extra_files: + annotations: + build_args: + flags: + sboms: # https://goreleaser.com/customization/sbom/ - id: default @@ -244,5 +308,6 @@ sboms: ids: - topaz - topazd + - topazd-envoy - topaz-backup - topaz-db 
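Review bot: The new topaz-envoy-docker target in hunk @@ -228,6 +252,46 @@ sets `sbom: false`, so the published `{{ .Env.REPO }}-envoy` image carries no image-level SBOM even though the archive-level `sboms` block in the last hunk is extended to list topazd-envoy. Whether the existing docker target enables image SBOMs is outside the hunk, but for an image that bundles third-party OPA plugins the per-image SBOM is what downstream scanners and admission policies consume, so `sbom: true` should be the default here. If it must stay off, add a one-line comment above it stating the reason so the next reader does not assume an oversight.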
diff --git a/Dockerfile.envoy b/Dockerfile.envoy
new file mode 100644
index 00000000..ddf87f33
--- /dev/null
+++ b/Dockerfile.envoy
@@ -0,0 +1,33 @@
+FROM alpine
+
+ARG TARGETPLATFORM
+ARG TARGETOS
+ARG TARGETARCH
+ARG BUILDPLATFORM
+
+RUN echo "BUILDPLATFORM=$BUILDPLATFORM" \
+ && echo "TARGETPLATFORM=$TARGETPLATFORM" \
+ && echo "TARGETOS=$TARGETOS" \
+ && echo "TARGETARCH=$TARGETARCH"
+
+RUN apk add --no-cache bash tzdata ca-certificates
+
+RUN mkdir /config && \
+ mkdir /certs && \
+ mkdir /db && \
+ mkdir /decisions
+
+VOLUME ["/config", "/certs", "/db", "/decisions"]
+
+WORKDIR /app
+
+COPY \
+${TARGETPLATFORM}/topaz \
+${TARGETPLATFORM}/topazd-envoy \
+${TARGETPLATFORM}/topaz-backup \
+/app/
+
+EXPOSE 8282 8383 9191 9292 9393
+
+ENTRYPOINT ["./topazd-envoy"]
+CMD ["run", "-c", "/config/config.yaml"]
diff --git a/go.mod b/go.mod
index f17b6e51..8e66cdc8 100644
--- a/go.mod
+++ b/go.mod
@@ -24,6 +24,7 @@ require (
 github.com/aserto-dev/self-decision-logger v0.0.12
 github.com/authzen/access.go v1.0.1
 github.com/cli/browser v1.3.0
+ github.com/dagdynamik/topaz-opa-envoy-log-plugin v0.2.0
 github.com/docker/docker v28.5.2+incompatible
 github.com/docker/go-connections v0.6.0
 github.com/fatih/color v1.18.0
@@ -46,6 +47,7 @@ require (
 github.com/moby/term v0.5.2
 github.com/olekukonko/tablewriter v1.1.3
 github.com/open-policy-agent/opa v1.14.0
+ github.com/open-policy-agent/opa-envoy-plugin v1.14.0-envoy
 github.com/opencontainers/image-spec v1.1.1
 github.com/panmari/cuckoofilter v1.0.6
 github.com/pkg/errors v0.9.1
@@ -82,6 +84,7 @@ require (
 github.com/clipperhouse/displaywidth v0.6.2 // indirect
 github.com/clipperhouse/stringish v0.1.1 // indirect
 github.com/clipperhouse/uax29/v2 v2.3.0 // indirect
+ github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 // indirect
 github.com/containerd/containerd/v2 v2.2.1 // indirect
 github.com/containerd/errdefs v1.0.0 // indirect
 github.com/containerd/errdefs/pkg v0.3.0 // indirect
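Review bot: `FROM alpine` on the first line of Dockerfile.envoy has no tag or digest, so each release build resolves whatever `alpine:latest` is at that moment and the image is not reproducible; pin it, e.g. `FROM alpine:<pinned tag>@sha256:<digest>` (placeholders), and let a bot bump the digest. The image also never drops root: there is no `USER` instruction, so topazd-envoy, which listens on the ports in `EXPOSE 8282 8383 9191 9292 9393`, runs as uid 0 inside the container. Creating a dedicated account with `adduser -D -H topaz`, chowning the mounted `/config`, `/certs`, `/db` and `/decisions` directories to it, and adding `USER topaz` before `ENTRYPOINT` fixes that without touching the CMD. The `RUN echo ...` layer that prints the build-arg values is build-time debugging; drop it or keep it under a comment saying it is intentional.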
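Review bot: The direct dependency `github.com/dagdynamik/topaz-opa-envoy-log-plugin v0.2.0` added in hunk @@ -24,6 +24,7 @@ appears to come from a personal GitHub namespace rather than an organisation, and it is wired straight into the authorizer's OPA runtime in topazd-envoy/topaz_run.go, so it is now part of the trusted decision path; the PR description should record who maintains it and why it is preferred over OPA's built-in decision log plugin. The `github.com/open-policy-agent/opa-envoy-plugin v1.14.0-envoy` line in hunk @@ -46,6 +47,7 @@ is versioned to match `opa v1.14.0`; a comment such as `// keep in lockstep with github.com/open-policy-agent/opa` next to it would stop a future automated bump of one without the other. Both modules have matching go.sum entries in this patch.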
@@ -96,6 +99,8 @@ require (
 github.com/distribution/reference v0.6.0 // indirect
 github.com/docker/go-units v0.5.0 // indirect
 github.com/ebitengine/purego v0.9.1 // indirect
+ github.com/envoyproxy/go-control-plane/envoy v1.37.0 // indirect
+ github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect
 github.com/felixge/httpsnoop v1.0.4 // indirect
 github.com/fsnotify/fsnotify v1.9.0 // indirect
 github.com/gdamore/encoding v1.0.1 // indirect
@@ -108,6 +113,7 @@ require (
 github.com/gobwas/glob v0.2.3 // indirect
 github.com/goccy/go-json v0.10.5 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
+ github.com/golang/protobuf v1.5.4 // indirect
 github.com/gonvenience/bunt v1.4.3 // indirect
 github.com/gonvenience/idem v0.0.2 // indirect
 github.com/gonvenience/neat v1.3.17 // indirect
@@ -202,7 +208,9 @@ require (
 github.com/yashtewari/glob-intersection v0.2.0 // indirect
 github.com/yusufpapurcu/wmi v1.2.4 // indirect
 go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+ go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.65.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 // indirect
+ go.opentelemetry.io/contrib/propagators/b3 v1.40.0 // indirect
 go.opentelemetry.io/otel v1.40.0 // indirect
 go.opentelemetry.io/otel/metric v1.40.0 // indirect
 go.opentelemetry.io/otel/sdk v1.40.0 // indirect
diff --git a/go.sum b/go.sum
index a5078d92..9cea1c52 100644
--- a/go.sum
+++ b/go.sum
@@ -84,6 +84,8 @@ github.com/clipperhouse/stringish v0.1.1/go.mod h1:v/WhFtE1q0ovMta2+m+UbpZ+2/HEX github.com/clipperhouse/uax29/v2 v2.3.0 h1:SNdx9DVUqMoBuBoW3iLOj4FQv3dN5mDtuqwuhIGpJy4= github.com/clipperhouse/uax29/v2 v2.3.0/go.mod h1:Wn1g7MK6OoeDT0vL+Q0SQLDz/KpfsVRgg6W7ihQeh4g= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= +github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 h1:6xNmx7iTtyBRev0+D/Tv1FZd4SCg8axKApyNyRsAt/w= +github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5/go.mod h1:KdCmV+x/BuvyMxRnYBlmVaq4OLiKW6iRQfvC62cvdkI= github.com/containerd/containerd/v2 v2.2.1 h1:TpyxcY4AL5A+07dxETevunVS5zxqzuq7ZqJXknM11yk= github.com/containerd/containerd/v2 v2.2.1/go.mod h1:NR70yW1iDxe84F2iFWbR9xfAN0N2F0NcjTi1OVth4nU= github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI= @@ -102,6 +104,8 @@ github.com/cpuguy83/dockercfg v0.3.2/go.mod h1:sugsbF4//dDlL/i+S+rtpIWp+5h0BHJHf github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= +github.com/dagdynamik/topaz-opa-envoy-log-plugin v0.2.0 h1:ovuu8D3x9WPpxLByguLDVTvfBdICT2zND1h91kN4Gio= +github.com/dagdynamik/topaz-opa-envoy-log-plugin v0.2.0/go.mod h1:XglfyESWYtwXAsdC3PrGylxIQ0Jg9aGoh/+r8jm4N2k= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= 
@@ -134,7 +138,11 @@ github.com/ebitengine/purego v0.9.1/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= +github.com/envoyproxy/go-control-plane/envoy v1.37.0 h1:u3riX6BoYRfF4Dr7dwSOroNfdSbEPe9Yyl09/B6wBrQ= +github.com/envoyproxy/go-control-plane/envoy v1.37.0/go.mod h1:DReE9MMrmecPy+YvQOAOHNYMALuowAnbjjEMkkWOi6A= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/envoyproxy/protoc-gen-validate v1.3.0 h1:TvGH1wof4H33rezVKWSpqKz5NXWg5VPuZ0uONDT6eb4= +github.com/envoyproxy/protoc-gen-validate v1.3.0/go.mod h1:HvYl7zwPa5mffgyeTUHA9zHIH36nmrm7oCbo4YKoSWA= github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM= github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= 
@@ -385,6 +393,8 @@ github.com/onsi/gomega v1.39.1 h1:1IJLAad4zjPn2PsnhH70V4DKRFlrCzGBNrNaru+Vf28= github.com/onsi/gomega v1.39.1/go.mod h1:hL6yVALoTOxeWudERyfppUcZXjMwIMLnuSfruD2lcfg= github.com/open-policy-agent/opa v1.14.0 h1:sdG94h9GrZQQcTaH70fJhOuU+/C2FAeeAo8mSPssV/U= github.com/open-policy-agent/opa v1.14.0/go.mod h1:e+JSg7BVV9/vRcD5HYTUeyKIrvigPxYX6T1KcVUaHaM= +github.com/open-policy-agent/opa-envoy-plugin v1.14.0-envoy h1:RN35n0PVD9xvM5BIwuxFfnO7DfDvTjyFxGQAgCN8KQQ= +github.com/open-policy-agent/opa-envoy-plugin v1.14.0-envoy/go.mod h1:++NgaPFESeZuDMHmysHE1bGM5Q8wnrhiGoLwwQIEgHU= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= 
@@ -516,8 +526,12 @@ go.etcd.io/bbolt v1.4.3 h1:dEadXpI6G79deX5prL3QRNP6JB8UxVkqo4UPnHaNXJo= go.etcd.io/bbolt v1.4.3/go.mod h1:tKQlpPaYCVFctUIgFKFnAlvbmB3tpy1vkTnDWohtc0E= go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64= go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.65.0 h1:XmiuHzgJt067+a6kwyAzkhXooYVv3/TOw9cM2VfJgUM= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.65.0/go.mod h1:KDgtbWKTQs4bM+VPUr6WlL9m/WXcmkCcBlIzqxPGzmI= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 h1:7iP2uCb7sGddAr30RRS6xjKy7AZ2JtTOPA3oolgVSw8= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0/go.mod h1:c7hN3ddxs/z6q9xwvfLPk+UHlWRQyaeR1LdgfL/66l0= +go.opentelemetry.io/contrib/propagators/b3 v1.40.0 h1:xariChe8OOVF3rNlfzGFgQc61npQmXhzZj/i82mxMfg= +go.opentelemetry.io/contrib/propagators/b3 v1.40.0/go.mod h1:72WvbdxbOfXaELEQfonFfOL6osvcVjI7uJEE8C2nkrs= go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms= go.opentelemetry.io/otel v1.40.0/go.mod h1:IMb+uXZUKkMXdPddhwAHm6UfOwJyh4ct1ybIlV14J0g= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.40.0 h1:QKdN8ly8zEMrByybbQgv8cWBcdAarwmIPZ6FThrWXJs= diff --git a/makefile b/makefile index c08d37c4..78384894 100644 --- a/makefile +++ b/makefile @@ -1,4 +1,5 @@ SHELL := $(shell which bash) +export PATH := $(HOME)/.goenv/shims:$(PATH) NO_COLOR := \033[0m OK_COLOR := \033[32;01m diff --git a/topazd-envoy/main.go b/topazd-envoy/main.go new file mode 100644 index 00000000..010ba79a --- /dev/null +++ b/topazd-envoy/main.go 
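Review bot: `export PATH := $(HOME)/.goenv/shims:$(PATH)` at the top of the makefile prepends a developer-local goenv shim directory for every target and every contributor, so the `go` binary that CI and other developers end up running depends on whether they happen to have goenv installed, and whatever sits in that shim directory takes precedence over system tools. Toolchain selection belongs in go.mod's `go`/`toolchain` directives or in a personal shell or direnv setup; the `.go-version` entry added to .gitignore in this same patch suggests this is a local-environment detail. If it has to stay, guard it with `ifneq ($(wildcard $(HOME)/.goenv/shims),)` around the export and add a one-line comment saying why it is there.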
@@ -0,0 +1,59 @@
+package main
+
+import (
+ "fmt"
+ "log"
+
+ "github.com/aserto-dev/topaz/topazd/version"
+ "github.com/aserto-dev/topaz/topazd/x"
+ "github.com/spf13/cobra"
+)
+
+var rootCmd = &cobra.Command{
+ Use: "topazd-envoy [flags]",
+ SilenceErrors: true,
+ SilenceUsage: true,
+}
+
+var versionCmd = &cobra.Command{
+ Use: "version",
+ Short: "Print version and exit",
+ Run: func(cmd *cobra.Command, args []string) {
+ fmt.Printf("%s %s (envoy)\n", x.AppName, version.GetInfo().String())
+ },
+}
+
+func main() {
+ cmdRun.Flags().StringVarP(
+ &flagRunConfigFile,
+ "config-file", "c", "",
+ "set path of configuration file")
+ cmdRun.Flags().StringSliceVarP(
+ &flagRunBundleFiles,
+ "bundle", "b", []string{},
+ "load paths as bundle files or root directories (can be specified more than once)")
+ cmdRun.Flags().BoolVarP(
+ &flagRunWatchLocalBundles,
+ "watch", "w", false,
+ "if set, local changes to bundle paths trigger a reload")
+ cmdRun.Flags().StringSliceVarP(
+ &flagRunIgnorePaths,
+ "ignore", "", []string{},
+ "set file and directory names to ignore during loading local bundles (e.g., '.*' excludes hidden files)")
+ cmdRun.Flags().BoolVarP(
+ &flagRunDebug,
+ "debug", "", false,
+ "start debug service")
+
+ rootCmd.AddCommand(cmdRun)
+
+ _ = cmdRun.MarkFlagRequired("config-file")
+
+ rootCmd.AddCommand(
+ versionCmd,
+ )
+
+ if err := rootCmd.Execute(); err != nil {
+ log.Fatal(err.Error())
+ }
+}
diff --git a/topazd-envoy/topaz_run.go b/topazd-envoy/topaz_run.go
new file mode 100644
index 00000000..fa372f3d
--- /dev/null
+++ b/topazd-envoy/topaz_run.go
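Review bot: `_ = cmdRun.MarkFlagRequired("config-file")` near the end of main discards the error with no comment explaining why; MarkFlagRequired can only fail when the named flag was never registered, which is a programming error worth surfacing rather than hiding, e.g. `if err := cmdRun.MarkFlagRequired("config-file"); err != nil { log.Fatal(err) }`. The root command has a `Use` line but no `Short` or `Long` text, so `topazd-envoy --help` says nothing about how this binary differs from topazd; a one-liner such as `Short: "Topaz authorization service with Envoy ext_authz support"` (mirroring the wording cmdRun already uses) would do. `main` itself could carry a comment noting that it only registers flags and subcommands and that the actual startup lives in `run` in topaz_run.go.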
@@ -0,0 +1,120 @@
+package main
+
+import (
+ "os"
+
+ runtime "github.com/aserto-dev/runtime"
+ "github.com/aserto-dev/topaz/pkg/config"
+ "github.com/aserto-dev/topaz/topazd/app"
+ "github.com/aserto-dev/topaz/topazd/app/directory"
+ "github.com/aserto-dev/topaz/topazd/app/topaz"
+ "github.com/aserto-dev/topaz/topazd/debug"
+ zerologdecisionlog "github.com/dagdynamik/topaz-opa-envoy-log-plugin"
+ envoy_plugin "github.com/open-policy-agent/opa-envoy-plugin/plugin"
+ "github.com/spf13/cobra"
+)
+
+var (
+ flagRunConfigFile string
+ flagRunBundleFiles []string
+ flagRunWatchLocalBundles bool
+ flagRunIgnorePaths []string
+ flagRunDebug bool
+ debugService *debug.Server
+)
+
+var cmdRun = &cobra.Command{
+ Use: "run [args]",
+ Short: "Start Topaz authorization service with Envoy ext_authz support",
+ Long: `Start instance of the Topaz authorization service with the OPA Envoy ext_authz gRPC plugin.`,
+ RunE: run,
+}
+
+func run(cmd *cobra.Command, args []string) error {
+ configPath := config.Path(flagRunConfigFile)
+
+ topazApp, cleanup, err := topaz.BuildApp(os.Stdout, os.Stderr, configPath, configOverrides)
+ if err != nil {
+ return err
+ }
+
+ defer topazApp.Manager.StopServers(topazApp.Context)
+
+ defer cleanup()
+
+ if err := topazApp.ConfigServices(); err != nil {
+ return err
+ }
+
+ if topazApp.Configuration.DebugService.Enabled {
+ debugService = debug.NewServer(&topazApp.Configuration.DebugService, topazApp.Logger)
+ debugService.Start()
+
+ defer debugService.Stop()
+ }
+
+ if _, ok := topazApp.Services["authorizer"]; ok {
+ dirResolver, err := directory.NewResolver(topazApp.Logger, &topazApp.Configuration.DirectoryResolver)
+ if err != nil {
+ return err
+ }
+
+ defer dirResolver.Close()
+
+ decisionlog, err := topazApp.GetDecisionLogger(topazApp.Configuration.DecisionLogger)
+ if err != nil {
+ return err
+ }
+
+ defer decisionlog.Shutdown()
+
+ runtime, runtimeCleanup, err := topaz.NewRuntimeResolver(
+ topazApp.Context,
+ topazApp.Logger,
+ topazApp.Configuration,
+ dirResolver.GetConn(),
+ decisionlog,
+ // envoy ext_authz plugin
+ runtime.WithPlugin(envoy_plugin.PluginName, &envoy_plugin.Factory{}),
+ // zerolog decision log plugin for structured JSON output
+ runtime.WithPlugin(zerologdecisionlog.PluginName, zerologdecisionlog.NewFactory(topazApp.Logger)),
+ )
+ if err != nil {
+ return err
+ }
+
+ defer runtimeCleanup()
+
+ if authorizer, ok := topazApp.Services["authorizer"].(*app.Authorizer); ok {
+ authorizer.Resolver.SetRuntimeResolver(runtime)
+ authorizer.Resolver.SetDirectoryResolver(dirResolver)
+ }
+ }
+
+ err = topazApp.Start()
+ if err != nil {
+ return err
+ }
+
+ <-topazApp.Context.Done()
+
+ return nil
+}
+
+func configOverrides(cfg *config.Config) {
+ cfg.Command.Mode = config.CommandModeRun
+
+ if len(flagRunBundleFiles) > 0 {
+ cfg.OPA.LocalBundles.Paths = append(cfg.OPA.LocalBundles.Paths, flagRunBundleFiles...)
+ }
+
+ if len(flagRunIgnorePaths) > 0 {
+ cfg.OPA.LocalBundles.Ignore = append(cfg.OPA.LocalBundles.Ignore, flagRunIgnorePaths...)
+ }
+
+ if flagRunWatchLocalBundles {
+ cfg.OPA.LocalBundles.Watch = true
+ }
+
+ cfg.DebugService.Enabled = flagRunDebug
+}
diff --git a/topazd/app/topaz/runtime_resolver.go b/topazd/app/topaz/runtime_resolver.go
index 7237a976..079c7f18 100644
--- a/topazd/app/topaz/runtime_resolver.go
+++ b/topazd/app/topaz/runtime_resolver.go
@@ -41,12 +41,12 @@ func NewRuntimeResolver(
 cfg *config.Config,
 dsConn *grpc.ClientConn,
 decisionLogger decisionlog.DecisionLogger,
+ extraOpts ...runtime.Option,
 ) (resolvers.RuntimeResolver, func(), error) {
 dsClient := reader.NewReaderClient(dsConn)
 acClient := access.NewAccessClient(dsConn)
- sidecarRuntime, err := runtime.New(ctx, &cfg.OPA,
-
+ opts := []runtime.Option{
 // directory get functions
 runtime.WithBuiltin1(ds.RegisterIdentity(logger, builtins.DSIdentity, dsClient)),
 runtime.WithBuiltin1(ds.RegisterUser(logger, builtins.DSUser, dsClient)),
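Review bot: `runtime, runtimeCleanup, err := topaz.NewRuntimeResolver(` declares a local named `runtime` that shadows the `runtime "github.com/aserto-dev/runtime"` import; it compiles only because the `runtime.WithPlugin(...)` calls sit on the right-hand side of that same `:=`, where the package is still in scope, and any later package reference inside `run` would silently resolve to the resolver value instead. Rename the local, e.g. `rt, runtimeCleanup, err := topaz.NewRuntimeResolver(` and `authorizer.Resolver.SetRuntimeResolver(rt)`. The second plugin, `zerologdecisionlog.NewFactory(topazApp.Logger)`, presumably routes OPA decision events, which for ext_authz carry the request input such as headers, into the application log stream in addition to the `decisionlog` obtained from `GetDecisionLogger`; confirm what that plugin masks and note in the comment that decisions are emitted on two paths when both are active. `run` and `configOverrides` each deserve a one-line doc comment, in particular that `configOverrides` appends the bundle and ignore flags onto whatever the config file already lists rather than replacing it.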
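Review bot: The new variadic `extraOpts ...runtime.Option` parameter is not described anywhere, and NewRuntimeResolver's doc comment and signature start above this hunk, which is where callers will look; it should say that these options are appended after the built-in ones (`opts = append(opts, extraOpts...)` in the next hunk, @@ -73,7 +73,11 @@), so an extra `WithPlugin` that reuses a built-in name such as `edge.PluginName` reaches runtime.New after it, and whether that is rejected or silently overrides is not visible here. A suitable line for the doc comment would be `// extraOpts are applied after the built-in options; topazd-envoy uses them to register the ext_authz and decision-log plugins.`.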
@@ -73,7 +73,11 @@ func NewRuntimeResolver(
 runtime.WithPlugin(edge.PluginName, edge.NewPluginFactory(ctx, cfg, logger)),
 runtime.WithRegoVersion(ast.RegoV0),
- )
+ }
+
+ opts = append(opts, extraOpts...)
+
+ sidecarRuntime, err := runtime.New(ctx, &cfg.OPA, opts...)
 if err != nil {
 return nil, func() {}, err
 }
diff --git a/topazd/cc/factory.go b/topazd/cc/factory.go
index 5dcf39c3..3db47c60 100644
--- a/topazd/cc/factory.go
+++ b/topazd/cc/factory.go
@@ -32,6 +32,9 @@ func buildCC(
 return nil, nil, err
 }
+ // Inject logger into context so that runtime.New() can extract it via zerolog.Ctx(ctx)
+ contextContext = zerologLogger.WithContext(contextContext)
+
 generator := certs.NewGenerator(zerologLogger)
 configConfig, err := config.NewConfig(configPath, zerologLogger, overrides, generator)