[cmd] Implement a rootless deprecation messages #6091

Merged
merged 2 commits into from Jul 14, 2023

@charlieegan3 charlieegan3 commented Jul 13, 2023

I have added a system for showing fatal and non-fatal deprecation warnings. It's configurable by command and environment.

If we merge this PR, running a rootless image with any OPA command other than opa run will result in a fatal error and exit code 1.

It's possible for users to continue to use the image by unsetting: OPA_DOCKER_IMAGE_TAG=rootless.

opa run will show the message, but it's not fatal for this command. This is intended to avoid production disruption.

This PR has been added to allow us to one day do #6086. It is a simpler version of my earlier PR for the same task #5566.

Example showing how opa build will fail and exit with 1:

opa $ OPA_DOCKER_IMAGE_TAG=rootless go run main.go build
################################################################################
###                        FATAL DEPRECATION WARNINGS                        ###
################################################################################
OPA appears to be running in a deprecated -rootless image.
Since v0.50.0, the default OPA images have been configured to use a non-root
user.

This image will soon cease to be updated. The following images should now be
used instead:

* openpolicyagent/opa:latest and NOT (openpolicyagent/opa:latest-rootless)
* openpolicyagent/opa:edge and NOT (openpolicyagent/opa:edge-rootless)
* openpolicyagent/opa:X.Y.Z and NOT (openpolicyagent/opa:X.Y.Z-rootless)

You can choose to acknowledge and ignore this message by unsetting:
OPA_DOCKER_IMAGE_TAG=rootless
################################################################################
###                      END FATAL DEPRECATION WARNINGS                      ###
################################################################################
exit status 1

Example showing how opa run will continue as normal, after showing the message.

$ OPA_DOCKER_IMAGE_TAG=rootless go run main.go run -s
################################################################################
###                           DEPRECATION WARNINGS                           ###
################################################################################
OPA appears to be running in a deprecated -rootless image.
Since v0.50.0, the default OPA images have been configured to use a non-root
user.

This image will soon cease to be updated. The following images should now be
used instead:

* openpolicyagent/opa:latest and NOT (openpolicyagent/opa:latest-rootless)
* openpolicyagent/opa:edge and NOT (openpolicyagent/opa:edge-rootless)
* openpolicyagent/opa:X.Y.Z and NOT (openpolicyagent/opa:X.Y.Z-rootless)

You can choose to acknowledge and ignore this message by unsetting:
OPA_DOCKER_IMAGE_TAG=rootless
################################################################################
###                         END DEPRECATION WARNINGS                         ###
################################################################################
{"addrs":[":8181"],"diagnostic-addrs":[],"level":"info","msg":"Initializing server. OPA is running on a public (0.0.0.0) network interface. Unless you intend to expose OPA outside of the host, binding to the localhost interface (--addr localhost:8181) is recommended. See https://www.openpolicyagent.org/docs/latest/security/#interface-binding","time":"2023-07-13T14:24:07+01:00"}
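
The behaviour described in the PR description above, as an added example that is not the PR's own code: warnings are selected by environment and made fatal per command. The `warning` type, its fields, the `checkWarnings` name and the shortened banner are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// warning is a hypothetical type: one notice, when it applies, and when it is fatal.
type warning struct {
	message  string
	matchEnv func(env map[string]string) bool
	fatal    func(command string) bool
}

// The single rule from the PR description: rootless tag set, fatal unless "run".
var warnings = []warning{{
	message:  "OPA appears to be running in a deprecated -rootless image.",
	matchEnv: func(env map[string]string) bool { return env["OPA_DOCKER_IMAGE_TAG"] == "rootless" },
	fatal:    func(command string) bool { return command != "run" },
}}

// checkWarnings takes os.Environ()-style entries and a cobra usage string.
func checkWarnings(environ []string, use string) (string, bool) {
	env := map[string]string{}
	for _, kv := range environ {
		if k, v, ok := strings.Cut(kv, "="); ok { // skip entries without "="
			env[k] = v
		}
	}
	// A usage string may carry argument placeholders; keep only the first word.
	command, _, _ := strings.Cut(strings.TrimSpace(use), " ")
	msgs, fatal := []string{}, false
	for _, w := range warnings {
		if w.matchEnv(env) {
			msgs = append(msgs, w.message)
			fatal = fatal || w.fatal(command)
		}
	}
	if len(msgs) == 0 {
		return "", false
	}
	title := "DEPRECATION WARNINGS"
	if fatal {
		title = "FATAL " + title
	}
	return fmt.Sprintf("### %s ###\n%s\n### END %s ###\n", title, strings.Join(msgs, "\n"), title), fatal
}

// Constructed sample input: the rootless tag set while running a build command.
func main() { fmt.Println(checkWarnings([]string{"OPA_DOCKER_IMAGE_TAG=rootless"}, "build <path>")) }
```
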

I have added a system for showing fatal and non-fatal deprecation warnings. It's configurable by command and environment.

If we merge this PR, running a rootless image with any OPA command other than `opa run` will result in a fatal error and exit code 1.

It's possible for users to continue to use the image by unsetting: OPA_DOCKER_IMAGE_TAG=rootless.

`opa run` will show the message, but it's not fatal for this command. This is intended to avoid production disruption.

Signed-off-by: Charlie Egan <charlie@styra.com>
srenatus previously approved these changes Jul 13, 2023

@srenatus srenatus left a comment

LGTM 🥳 Nicely done.

cmd/commands.go

message, fatal := deprecation.CheckWarnings(os.Environ(), cmd.Use)
if message != "" {
cmd.PrintErr(message)
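
Review bot: `cmd.Use` in the `CheckWarnings` call is cobra's one-line usage string, which for commands that take arguments includes placeholders after the command name. If `CheckWarnings` keys its per-command behaviour on the command name, passing `cmd.Name()` would hand it the bare name and keep the match independent of how each usage string is written. It is worth confirming which of the two the function expects and covering a command with arguments in its tests.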

Oooh I didn't know that cobra.Command had that 💡

srenatus previously approved these changes Jul 13, 2023
Signed-off-by: Charlie Egan <charlie@styra.com>

@ashutosh-narkar ashutosh-narkar left a comment

LGTM. Thanks for looking into this! Please squash and merge!

@ashutosh-narkar ashutosh-narkar merged commit d584a15 into open-policy-agent:main Jul 14, 2023
25 checks passed