Simplify OPA to use rootCAs custom transport (#6843)

Also close the connections properly to use the
connection pooling properly for HTTP clients.
master
Harshavardhana 6 years ago committed by Nitish Tiwari
parent 2fc024e880
commit d4265f9a13
  1. 2
      cmd/config-current.go
  2. 48
      pkg/iam/policy/opa.go

@ -558,6 +558,8 @@ func (s *serverConfig) loadToCachedConfigs() {
globalPolicyOPA = iampolicy.NewOpa(iampolicy.OpaArgs{
URL: s.Policy.OPA.URL,
AuthToken: s.Policy.OPA.AuthToken,
Transport: NewCustomHTTPTransport(),
CloseRespFn: CloseResponse,
})
}
}

@ -18,12 +18,10 @@ package iampolicy
import (
"bytes"
"crypto/tls"
"encoding/json"
"net"
"io"
"net/http"
"os"
"time"
xnet "github.com/minio/minio/pkg/net"
)
@ -32,6 +30,8 @@ import (
type OpaArgs struct {
URL *xnet.URL `json:"url"`
AuthToken string `json:"authToken"`
Transport http.RoundTripper `json:"-"`
CloseRespFn func(r io.ReadCloser) `json:"-"`
}
// Validate - validate opa configuration params.
@ -75,30 +75,7 @@ func (a *OpaArgs) UnmarshalJSON(data []byte) error {
// Opa - implements opa policy agent calls.
type Opa struct {
args OpaArgs
secureFailed bool
client *http.Client
insecureClient *http.Client
}
// newCustomHTTPTransport returns a new http configuration
// used while communicating with the cloud backends.
// This sets the value for MaxIdleConnsPerHost from 2 (go default)
// to 100.
func newCustomHTTPTransport(insecure bool) *http.Transport {
return &http.Transport{
Proxy: http.ProxyFromEnvironment,
DialContext: (&net.Dialer{
Timeout: 30 * time.Second,
KeepAlive: 30 * time.Second,
}).DialContext,
MaxIdleConns: 1024,
MaxIdleConnsPerHost: 1024,
IdleConnTimeout: 30 * time.Second,
TLSHandshakeTimeout: 10 * time.Second,
ExpectContinueTimeout: 1 * time.Second,
TLSClientConfig: &tls.Config{InsecureSkipVerify: insecure},
DisableCompression: true,
}
}
// NewOpa - initializes opa policy engine connector.
@ -109,8 +86,7 @@ func NewOpa(args OpaArgs) *Opa {
}
return &Opa{
args: args,
client: &http.Client{Transport: newCustomHTTPTransport(false)},
insecureClient: &http.Client{Transport: newCustomHTTPTransport(true)},
client: &http.Client{Transport: args.Transport},
}
}
@ -139,23 +115,11 @@ func (o *Opa) IsAllowed(args Args) bool {
req.Header.Set("Authorization", o.args.AuthToken)
}
var resp *http.Response
if o.secureFailed {
resp, err = o.insecureClient.Do(req)
} else {
resp, err = o.client.Do(req)
if err != nil {
o.secureFailed = true
resp, err = o.insecureClient.Do(req)
if err != nil {
return false
}
}
}
resp, err := o.client.Do(req)
if err != nil {
return false
}
defer resp.Body.Close()
defer o.args.CloseRespFn(resp.Body)
// Handle OPA response
type opaResponse struct {

Loading…
Cancel
Save