5 changes: 5 additions & 0 deletions CHANGELOG.md
Expand Up @@ -4,11 +4,16 @@ All notable changes to this project will be documented in this file.

## [Unreleased]

### Added

- Support `configOverrides` for `config.json` (#818).

### Changed

- Set `maxSurge=1` and `maxUnavailable=0` on the OPA DaemonSet rolling update strategy to eliminate
availability gaps during rolling updates ([#819]).

[#818]: https://github.com/stackabletech/opa-operator/pull/818
[#819]: https://github.com/stackabletech/opa-operator/pull/819

## [26.3.0] - 2026-03-16
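Review bot: In the new `### Added` entry the reference is written as `(#818)`, while the `### Changed` entry below it uses `([#819])`. Without the square brackets the `[#818]:` link definition at the bottom of the section is never used and the number does not render as a link. Change the entry to end in `([#818])`.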
31 changes: 10 additions & 21 deletions docs/modules/opa/pages/usage-guide/OpenTelemetry.adoc
@@ -1,30 +1,19 @@
= OpenTelemetry
:description: Ship OPA traces and logs to OpenTelemetry
:opa-docs: https://v1-4-2--opa-docs.netlify.app/configuration/#distributed-tracing
:opa-docs: https://www.openpolicyagent.org/docs/configuration/#distributed-tracing

Opa supports sending OpenTelemetry traces as stated in {opa-docs}[the documentation].
OPA supports sending OpenTelemetry traces as stated in {opa-docs}[the documentation].

As of SDP 25.7, `configOverrides` are (still) not supported, we are tracking the progress in https://github.com/stackabletech/opa-operator/issues/756[this GitHub issue].
To enable traces you need to modify the config and thus xref:opa:usage-guide/operations/cluster-operations.adoc[pause the reconciliation] of your OpaCluster, so that changes to the ConfigMap aren't immediately overridden by the opa-operator.

WARNING: It's not encouraged to pause the reconciliation more than just temporarily. We recommend disabling it while you debug e.g. performance problems and re-enabling it afterwards. This problem will be solved once we support configOverrides for OPA.

Afterwards you can edit the `<stacklet-name>-server-default` ConfigMap and append a `distributed_tracing` section as follows.
To enable traces, add a `distributed_tracing` section to the OPA configuration using `configOverrides`.
Please check the {opa-docs}[OPA documentation] to see what other settings you can configure.

[source,yaml]
----
apiVersion: v1
kind: ConfigMap
metadata:
name: opa-server-default
data:
config.json: |-
{
<<< existing JSON >>>
"distributed_tracing": {
"address": "jaeger-collector.default.svc.cluster.local:4317",
"type": "grpc"
}
}
servers:
configOverrides:
config.json:
jsonMergePatch:
distributed_tracing:
address: jaeger-collector.default.svc.cluster.local:4317
type: grpc
----
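Review bot: The replacement example at the end of this hunk sets only `address` and `type: grpc` under `distributed_tracing`, and the page says nothing about how the connection to the collector is protected. Add a sentence stating whether this example sends traces unencrypted and pointing to the TLS-related settings in the linked OPA documentation. The snippet also starts at `servers:` with no surrounding context, where the ConfigMap example showed the whole object; a line saying where in the OpaCluster this goes, or an xref to the config overrides page, would make it easier to place.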
Original file line number Diff line number Diff line change
Expand Up @@ -8,34 +8,65 @@ This will lead to faulty installations.

== Configuration properties

Currently, not supported for `config.json`.
OPA's `config.json` can be overridden using `configOverrides`.
For details on the supported override strategies, see the xref:concepts:overrides.adoc#config-overrides[config overrides documentation].

For example per role:

[source,yaml]
----
servers:
configOverrides:
config.json:
jsonPatches:
- '{"op": "replace", "path": "/bundles/stackable/polling/min_delay_seconds", "value": 3}'
- '{"op": "add", "path": "/default_decision", "value": "allow"}'
roleGroups:
default:
config: {}
----

or per role group:

[source,yaml]
----
servers:
roleGroups:
default:
configOverrides:
config.json:
jsonMergePatch:
distributed_tracing:
address: jaeger-collector.default.svc.cluster.local:4317
type: grpc
----

== Environment variables

Environment variables can be (over)written by adding the `envOverrides` property.

For example per role group:
For example per role:

[source,yaml]
----
servers:
envOverrides:
MY_ENV_VAR: "MY_VALUE"
roleGroups:
default:
config: {}
envOverrides:
MY_ENV_VAR: "MY_VALUE"
----

or per role:
or per role group:

[source,yaml]
----
servers:
envOverrides:
MY_ENV_VAR: "MY_VALUE"
roleGroups:
default:
config: {}
envOverrides:
MY_ENV_VAR: "MY_VALUE"
----

== CLI overrides
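Review bot: In the per-role `jsonPatches` example, `{"op": "add", "path": "/default_decision", "value": "allow"}` is likely to be read as switching OPA to allow-by-default, and documentation examples tend to be copied verbatim. In OPA's configuration `default_decision` is the path of the policy decision served for queries against the base URL, so either pick a neutral setting for the example or add a sentence saying what the value means. Unlike the CLI overrides section, this section also does not say which level wins when role and role group both set an override for `config.json`.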
Expand All @@ -45,28 +76,28 @@ This allows you to customize OPA's behavior by passing additional or overriding

CLI overrides can be specified at both the role and rolegroup level, with rolegroup overrides taking precedence over role overrides.

For example, per rolegroup:
For example, per role:

[source,yaml]
----
servers:
cliOverrides:
--log-format: json
--diagnostic-addr: "0.0.0.0:8282"
roleGroups:
default:
cliOverrides:
--log-format: json-pretty
--diagnostic-addr: "0.0.0.0:8282"
default: {}
----

or per role:
or per rolegroup:

[source,yaml]
----
servers:
cliOverrides:
--log-format: json
--diagnostic-addr: "0.0.0.0:8282"
roleGroups:
default: {}
default:
cliOverrides:
--log-format: json-pretty
--diagnostic-addr: "0.0.0.0:8282"
----

For a complete list of available flags, refer to the https://www.openpolicyagent.org/docs/latest/cli/#run[OPA documentation].
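Review bot: The sentence above the examples says rolegroup overrides take precedence over role overrides, but after the reordering each example still sets the flags at one level only (`--log-format: json` at the role, `--log-format: json-pretty` at the rolegroup), so the precedence rule is never shown. Consider one example that sets `--log-format` at both levels and states which value the `default` rolegroup ends up with.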
172 changes: 152 additions & 20 deletions extra/crds.yaml
Expand Up @@ -1121,17 +1121,50 @@ spec:
type: object
type: object
configOverrides:
additionalProperties:
additionalProperties:
type: string
type: object
default: {}
description: |-
The `configOverrides` can be used to configure properties in product config files
that are not exposed in the CRD. Read the
[config overrides documentation](https://docs.stackable.tech/home/nightly/concepts/overrides#config-overrides)
and consult the operator specific usage guide documentation for details on the
available config files and settings for the specific product.
properties:
config.json:
description: Overrides for the OPA `config.json` file.
nullable: true
oneOf:
- required:
- jsonMergePatch
- required:
- jsonPatches
- required:
- userProvided
properties:
jsonMergePatch:
description: |-
Can be set to arbitrary YAML content, which is converted to JSON and used as
[RFC 7396](https://datatracker.ietf.org/doc/html/rfc7396) JSON merge patch.
x-kubernetes-preserve-unknown-fields: true
jsonPatches:
description: |-
List of [RFC 6902](https://datatracker.ietf.org/doc/html/rfc6902) JSON patches.

Can be used when more flexibility is needed, e.g. to only modify elements
in a list based on a condition.

A patch looks something like

`{"op": "test", "path": "/0/name", "value": "Andrew"}`

or

`{"op": "add", "path": "/0/happy", "value": true}`
items:
type: string
type: array
userProvided:
description: Override the entire config file with the specified String.
type: string
type: object
type: object
envOverrides:
additionalProperties:
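Review bot: `jsonMergePatch` is declared with only `x-kubernetes-preserve-unknown-fields: true` and no `type`, so the schema accepts a scalar or a list there as well as a mapping. Under RFC 7396 a patch that is not an object replaces the whole target document, which here means the whole `config.json`. Adding `type: object` would reject that at admission time. The same applies to the other three occurrences of this block in `extra/crds.yaml`.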
Expand Down Expand Up @@ -1680,17 +1713,50 @@ spec:
type: object
type: object
configOverrides:
additionalProperties:
additionalProperties:
type: string
type: object
default: {}
description: |-
The `configOverrides` can be used to configure properties in product config files
that are not exposed in the CRD. Read the
[config overrides documentation](https://docs.stackable.tech/home/nightly/concepts/overrides#config-overrides)
and consult the operator specific usage guide documentation for details on the
available config files and settings for the specific product.
properties:
config.json:
description: Overrides for the OPA `config.json` file.
nullable: true
oneOf:
- required:
- jsonMergePatch
- required:
- jsonPatches
- required:
- userProvided
properties:
jsonMergePatch:
description: |-
Can be set to arbitrary YAML content, which is converted to JSON and used as
[RFC 7396](https://datatracker.ietf.org/doc/html/rfc7396) JSON merge patch.
x-kubernetes-preserve-unknown-fields: true
jsonPatches:
description: |-
List of [RFC 6902](https://datatracker.ietf.org/doc/html/rfc6902) JSON patches.

Can be used when more flexibility is needed, e.g. to only modify elements
in a list based on a condition.

A patch looks something like

`{"op": "test", "path": "/0/name", "value": "Andrew"}`

or

`{"op": "add", "path": "/0/happy", "value": true}`
items:
type: string
type: array
userProvided:
description: Override the entire config file with the specified String.
type: string
type: object
type: object
envOverrides:
additionalProperties:
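Review bot: Each entry of `jsonPatches` is typed as `string`, so a malformed patch or an unknown `op` passes schema validation and can only be caught when the patch is applied; the description should say how such an error surfaces. The two sample patches (`/0/name` with `"Andrew"`, and `/0/happy`) address a top-level list, which does not match the paths used for `config.json` in the usage guide. Samples taken from there, such as the `replace` on `/bundles/stackable/polling/min_delay_seconds`, would be clearer.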
Expand Down Expand Up @@ -2887,17 +2953,50 @@ spec:
type: object
type: object
configOverrides:
additionalProperties:
additionalProperties:
type: string
type: object
default: {}
description: |-
The `configOverrides` can be used to configure properties in product config files
that are not exposed in the CRD. Read the
[config overrides documentation](https://docs.stackable.tech/home/nightly/concepts/overrides#config-overrides)
and consult the operator specific usage guide documentation for details on the
available config files and settings for the specific product.
properties:
config.json:
description: Overrides for the OPA `config.json` file.
nullable: true
oneOf:
- required:
- jsonMergePatch
- required:
- jsonPatches
- required:
- userProvided
properties:
jsonMergePatch:
description: |-
Can be set to arbitrary YAML content, which is converted to JSON and used as
[RFC 7396](https://datatracker.ietf.org/doc/html/rfc7396) JSON merge patch.
x-kubernetes-preserve-unknown-fields: true
jsonPatches:
description: |-
List of [RFC 6902](https://datatracker.ietf.org/doc/html/rfc6902) JSON patches.

Can be used when more flexibility is needed, e.g. to only modify elements
in a list based on a condition.

A patch looks something like

`{"op": "test", "path": "/0/name", "value": "Andrew"}`

or

`{"op": "add", "path": "/0/happy", "value": true}`
items:
type: string
type: array
userProvided:
description: Override the entire config file with the specified String.
type: string
type: object
type: object
envOverrides:
additionalProperties:
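Review bot: `userProvided` replaces the entire file with an arbitrary string, and its one-line description gives no hint that the rest of the generated `config.json` is then gone or what format the string must have. Expand the description to say both, and cover this strategy in the usage guide, which currently shows only `jsonMergePatch` and `jsonPatches`.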
Expand Down Expand Up @@ -3446,17 +3545,50 @@ spec:
type: object
type: object
configOverrides:
additionalProperties:
additionalProperties:
type: string
type: object
default: {}
description: |-
The `configOverrides` can be used to configure properties in product config files
that are not exposed in the CRD. Read the
[config overrides documentation](https://docs.stackable.tech/home/nightly/concepts/overrides#config-overrides)
and consult the operator specific usage guide documentation for details on the
available config files and settings for the specific product.
properties:
config.json:
description: Overrides for the OPA `config.json` file.
nullable: true
oneOf:
- required:
- jsonMergePatch
- required:
- jsonPatches
- required:
- userProvided
properties:
jsonMergePatch:
description: |-
Can be set to arbitrary YAML content, which is converted to JSON and used as
[RFC 7396](https://datatracker.ietf.org/doc/html/rfc7396) JSON merge patch.
x-kubernetes-preserve-unknown-fields: true
jsonPatches:
description: |-
List of [RFC 6902](https://datatracker.ietf.org/doc/html/rfc6902) JSON patches.

Can be used when more flexibility is needed, e.g. to only modify elements
in a list based on a condition.

A patch looks something like

`{"op": "test", "path": "/0/name", "value": "Andrew"}`

or

`{"op": "add", "path": "/0/happy", "value": true}`
items:
type: string
type: array
userProvided:
description: Override the entire config file with the specified String.
type: string
type: object
type: object
envOverrides:
additionalProperties:
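Review bot: `config.json` is the only key listed under `properties` of `configOverrides`, yet the description still refers readers to "the available config files and settings for the specific product". State in that description, or in the `config.json` one, that this is the only file that can be overridden, so that a misspelled file name is not mistaken for a supported one.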