Allow Http send to pass bearer token read from file

[nishanth007joy]

What is the underlying problem you're trying to solve?

Currently bearer token to pass when calling an http endpoint from rego is not allowed to read from a mounted file. There are systems where different methods of authentication channels where a token will rotated to a mounted volume and we can read it inside OPA to pass a bearer token.

By making this change, what are you hoping to improve or fix?

This will support scenario where a rotatable token be available to read from a mount file than an environment variable so changed made to token be available in OPA without a restart.

Why would this change make the OPA experience better?

Better integration.

Are there any current solutions that are inefficient or frustrating?

Describe the ideal solution

Allow http send to read bearer token from a mount volume like we can read from an environment variable.

Describe a "Good Enough" solution

Allow http send to read bearer token from a mount volume like we can read from an environment variable.

[charlieegan3]

Hi there @nishanth007joy, thanks for taking the time to write up the issue. It'd be good to get some more context about what you're trying to do. You say 'better integration', it'd be good to know what with exactly.

While we're always keen to make OPA work well for new use cases, we are also cautious to add new features that don't have widespread use.

[nishanth007joy]

Use the pod’s ServiceAccount token, which rotates automatically and is mounted at:

/var/run/secrets/kubernetes.io/serviceaccount/token

Your policy/ configuration can read it at evaluation time so it always uses the correct value.

This way:
• No token hardcoding
• No manual renewal logic needed
• Auto-refresh handled by Kubernetes

This allow flexibility to choose from environment variable or mount volume or generate token based on integration pattern applicable for each consumers. At the moment I believe token can be fetched from environment variable which is static and vault integration which needs then logic to fetch periodically and needs a vault, in case if token is handled by deployment platform like kubernetes there is no integration at the moment to fetch periodically. So I suggest to read the token from mount volume.

[charlieegan3]

OK, so you're interested in loading data from the k8s API using the SA token to get the state at eval time. Have you considered using https://github.com/open-policy-agent/kube-mgmt to load data from the API into OPA?

[nishanth007joy]

I am trying to load the policy evaluation state from a protected endpoint not from k8 api. For the protected endpoint I need to pass a token which rotates in every few hours.

[nishanth007joy]

Bearer Token

OPA will authenticate using the specified bearer token and schema; to enable bearer token authentication, either the token or the path to the token must be specified. If the latter is provided, on each request OPA will re-read the token from the file and use that token for authentication.

This functionality is specified in service configuration to fetch bearer token and I am expecting similar functionality in http send to fetch token from the file like service is fetching token for policy bundle control plane connection.

[nishanth007joy]

I am referring to this documentation. https://www.openpolicyagent.org/docs/configuration.html

Similar kind of functionality for token in http.sent to get the bearer token.

[charlieegan3]

http.send supports the use of client certificates for caller identification. Is that something that would work for your use case?

I can also imagine you having a simple sidecar that exposes the token via http on localhost to OPA that does the loading from disk at the interval that's required. This would be a simple service with a single endpoint that just returns the token from disk in the format you require.

[nishanth007joy]

Can do that which means we need to create another container and run across all pods we run ops instance to Serve localhost call. But if have a feature to load directly from file will be more simpler and less components.