From 3506f7c31da131133101fbae67bb6578176b77bc Mon Sep 17 00:00:00 2001 From: dervoeti Date: Wed, 28 Jan 2026 18:17:40 +0100 Subject: [PATCH] feat: support cliOverrides --- CHANGELOG.md | 2 ++ .../configuration-environment-overrides.adoc | 33 +++++++++++++++++++ rust/operator-binary/src/controller.rs | 21 ++++++++++-- 3 files changed, 54 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6670a5dd..951a9bbf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ All notable changes to this project will be documented in this file. - Bump testing-tools to `0.3.0-stackable0.0.0-dev` ([#793]). - Support objectOverrides using `.spec.objectOverrides`. See [objectOverrides concepts page](https://docs.stackable.tech/home/nightly/concepts/overrides/#object-overrides) for details ([#795]). +- Support `cliOverrides` to allow customization of OPA command-line arguments at role and rolegroup levels ([#803]). ### Changed @@ -31,6 +32,7 @@ All notable changes to this project will be documented in this file. [#795]: https://github.com/stackabletech/opa-operator/pull/795 [#797]: https://github.com/stackabletech/opa-operator/pull/797 [#799]: https://github.com/stackabletech/opa-operator/pull/799 +[#803]: https://github.com/stackabletech/opa-operator/pull/803 ## [25.11.0] - 2025-11-07 diff --git a/docs/modules/opa/pages/usage-guide/configuration-environment-overrides.adoc b/docs/modules/opa/pages/usage-guide/configuration-environment-overrides.adoc index 6ce013dc..a5abbd44 100644 --- a/docs/modules/opa/pages/usage-guide/configuration-environment-overrides.adoc +++ b/docs/modules/opa/pages/usage-guide/configuration-environment-overrides.adoc 
@@ -38,6 +38,39 @@ servers: config: {} ---- +== CLI overrides + +The OPA operator supports overriding command-line arguments passed to the OPA binary via the `cliOverrides` property. +This allows you to customize OPA's behavior by passing additional or overriding existing command-line flags. + +CLI overrides can be specified at both the role and rolegroup level, with rolegroup overrides taking precedence over role overrides. + +For example, per rolegroup: + +[source,yaml] +---- +servers: + roleGroups: + default: + cliOverrides: + --log-format: json-pretty + --diagnostic-addr: "0.0.0.0:8282" +---- + +or per role: + +[source,yaml] +---- +servers: + cliOverrides: + --log-format: json + --diagnostic-addr: "0.0.0.0:8282" + roleGroups: + default: {} +---- + +For a complete list of available flags, refer to the https://www.openpolicyagent.org/docs/latest/cli/#run[OPA documentation]. + == Pod overrides The OPA operator also supports Pod overrides, allowing you to override any property that you can set on a Kubernetes Pod. diff --git a/rust/operator-binary/src/controller.rs b/rust/operator-binary/src/controller.rs index 7fd0e743..74d16ce2 100644 --- a/rust/operator-binary/src/controller.rs +++ b/rust/operator-binary/src/controller.rs @@ -735,6 +735,14 @@ fn build_server_rolegroup_daemonset( .rolegroup(rolegroup_ref) .context(InternalOperatorFailureSnafu)?; + let merged_cli_overrides = { + let role_cli_overrides: &BTreeMap = &role.config.cli_overrides; + let rolegroup_cli_overrides: &BTreeMap = &role_group.config.cli_overrides; + let mut merged = role_cli_overrides.clone(); + merged.extend(rolegroup_cli_overrides.clone()); + merged + }; + let env = server_config .get(&PropertyNameKind::Env) .iter() @@ -846,6 +854,7 @@ fn build_server_rolegroup_daemonset( merged_config, &opa_container_name, opa.spec.cluster_config.tls_enabled(), + &merged_cli_overrides, )]) .add_env_vars(env) .add_env_var( 
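Review bot: The `merged_cli_overrides` block in build_server_rolegroup_daemonset merges the role and rolegroup maps by literal key, and nothing in the code says so or says what "override" means for flags the operator already sets. `extend` replaces a role entry only when the rolegroup uses the identical string, so a short and a long spelling of the same flag would both survive the merge. The result is later appended to the fixed `opa run` arguments rather than substituted for any of them, so whether a repeated flag wins is left to OPA's own flag parsing. I would add a comment above the block such as `// Rolegroup entries replace role entries with the same literal key; the result is appended to the operator's own opa flags, not substituted for them.` The function body starts and ends outside this hunk.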
@@ -1206,6 +1215,7 @@ fn build_opa_start_command( merged_config: &v1alpha1::OpaConfig, container_name: &str, tls_enabled: bool, + cli_overrides: &BTreeMap, ) -> String { let mut file_log_level = DEFAULT_FILE_LOG_LEVEL; let mut console_log_level = DEFAULT_CONSOLE_LOG_LEVEL; @@ -1267,13 +1277,19 @@ fn build_opa_start_command( "&> >(CONSOLE_LEVEL={console_log_level} FILE_LEVEL={file_log_level} DECISION_LEVEL={decision_log_level} SERVER_LEVEL={server_log_level} OPA_ROLLING_LOG_FILE_SIZE_BYTES={OPA_ROLLING_LOG_FILE_SIZE_BYTES} OPA_ROLLING_LOG_FILES={OPA_ROLLING_LOG_FILES} STACKABLE_LOG_DIR={STACKABLE_LOG_DIR} CONTAINER_NAME={container_name} process-logs)" ); + let extra_cli_args = cli_overrides + .iter() + .map(|(key, value)| format!("{key} {value}")) + .collect::>() + .join(" "); + // TODO: Think about adding --shutdown-wait-period, as suggested by https://github.com/open-policy-agent/opa/issues/2764 formatdoc! {" {COMMON_BASH_TRAP_FUNCTIONS} {remove_vector_shutdown_file_command} prepare_signal_handlers containerdebug --output={STACKABLE_LOG_DIR}/containerdebug-state.json --loop & - opa run -s -a 0.0.0.0:{bind_port} -c {CONFIG_DIR}/{CONFIG_FILE} -l {opa_log_level} --shutdown-grace-period {shutdown_grace_period_s} --disable-telemetry {tls_flags} {logging_redirects} & + opa run -s -a 0.0.0.0:{bind_port} -c {CONFIG_DIR}/{CONFIG_FILE} -l {opa_log_level} --shutdown-grace-period {shutdown_grace_period_s} --disable-telemetry {tls_flags} {extra_cli_args} {logging_redirects} & wait_for_termination $! {create_vector_shutdown_file_command} ", 
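Review bot: `extra_cli_args` in build_opa_start_command interpolates each override key and value into the bash command string unquoted (`format!("{key} {value}")`), so the shell, not opa, decides how they are parsed. A value containing whitespace is split into several arguments, and characters such as `;`, `&`, `>` or `$(...)` coming from the cluster spec would be interpreted by bash inside the OPA container; the string also sits directly before `{logging_redirects}`, so a stray redirect could detach the log pipeline. I would single-quote both parts (escaping embedded single quotes) and emit the key alone when the value is empty, as sketched below; rejecting keys that do not start with `-` would have to happen where an error can be returned, since this function returns a plain `String`. The function body starts before and continues after this hunk.

```rust
let extra_cli_args = cli_overrides
    .iter()
    .map(|(key, value)| {
        // Single-quote each part so bash hands it to opa as one literal word.
        let quote = |s: &str| format!("'{}'", s.replace('\'', r"'\''"));
        if value.is_empty() {
            // Value-less (boolean) flag: do not emit an empty argument.
            quote(key)
        } else {
            format!("{} {}", quote(key), quote(value))
        }
    })
    .collect::<Vec<_>>()
    .join(" ");
// … unchanged: formatdoc! command template using {extra_cli_args} …
```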
@@ -1282,7 +1298,8 @@ fn build_opa_start_command( create_vector_shutdown_file_command = create_vector_shutdown_file_command(STACKABLE_LOG_DIR), shutdown_grace_period_s = merged_config.graceful_shutdown_timeout.unwrap_or(DEFAULT_SERVER_GRACEFUL_SHUTDOWN_TIMEOUT).as_secs(), - opa_log_level = [console_log_level, file_log_level].iter().min().unwrap_or(&LogLevel::INFO).to_opa_literal() + opa_log_level = [console_log_level, file_log_level].iter().min().unwrap_or(&LogLevel::INFO).to_opa_literal(), + extra_cli_args = extra_cli_args } }