Simplify OPA to use rootCAs custom transport (#6843)

Also close the connections properly to use the connection pooling properly for HTTP clients.
2025-04-25 12:34:03 -04:00 · 2018-11-21 19:01:05 -08:00 · 2018-11-21 19:01:05 -08:00 · d4265f9a13
commit d4265f9a13
parent 2fc024e880
2 changed files with 15 additions and 49 deletions
--- a/cmd/config-current.go
+++ b/cmd/config-current.go
@ -556,8 +556,10 @@ func (s *serverConfig) loadToCachedConfigs() {
 	if globalPolicyOPA == nil {
 		if s.Policy.OPA.URL != nil && s.Policy.OPA.URL.String() != "" {
 			globalPolicyOPA = iampolicy.NewOpa(iampolicy.OpaArgs{
-				URL:       s.Policy.OPA.URL,
+				URL:         s.Policy.OPA.URL,
-				AuthToken: s.Policy.OPA.AuthToken,
+				AuthToken:   s.Policy.OPA.AuthToken,
 				Transport:   NewCustomHTTPTransport(),
 				CloseRespFn: CloseResponse,
 			})
 		}
 	}
--- a/pkg/iam/policy/opa.go
+++ b/pkg/iam/policy/opa.go
@ -18,20 +18,20 @@ package iampolicy
 import (
 	"bytes"
 	"crypto/tls"
 	"encoding/json"
-	"net"
+	"io"
 	"net/http"
 	"os"
 	"time"
 	xnet "github.com/minio/minio/pkg/net"
 )
 // OpaArgs opa general purpose policy engine configuration.
 type OpaArgs struct {
-	URL       *xnet.URL `json:"url"`
+	URL         *xnet.URL             `json:"url"`
-	AuthToken string    `json:"authToken"`
+	AuthToken   string                `json:"authToken"`
 	Transport   http.RoundTripper     `json:"-"`
 	CloseRespFn func(r io.ReadCloser) `json:"-"`
 }
 // Validate - validate opa configuration params.
@ -74,31 +74,8 @@ func (a *OpaArgs) UnmarshalJSON(data []byte) error {
 // Opa - implements opa policy agent calls.
 type Opa struct {
-	args           OpaArgs
+	args   OpaArgs
-	secureFailed   bool
+	client *http.Client
 	client         *http.Client
 	insecureClient *http.Client
 }
 // newCustomHTTPTransport returns a new http configuration
 // used while communicating with the cloud backends.
 // This sets the value for MaxIdleConnsPerHost from 2 (go default)
 // to 100.
 func newCustomHTTPTransport(insecure bool) *http.Transport {
 	return &http.Transport{
 		Proxy: http.ProxyFromEnvironment,
 		DialContext: (&net.Dialer{
 			Timeout:   30 * time.Second,
 			KeepAlive: 30 * time.Second,
 		}).DialContext,
 		MaxIdleConns:          1024,
 		MaxIdleConnsPerHost:   1024,
 		IdleConnTimeout:       30 * time.Second,
 		TLSHandshakeTimeout:   10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
 		TLSClientConfig:       &tls.Config{InsecureSkipVerify: insecure},
 		DisableCompression:    true,
 	}
 }
 // NewOpa - initializes opa policy engine connector.
@ -108,9 +85,8 @@ func NewOpa(args OpaArgs) *Opa {
 		return nil
 	}
 	return &Opa{
-		args:           args,
+		args:   args,
-		client:         &http.Client{Transport: newCustomHTTPTransport(false)},
+		client: &http.Client{Transport: args.Transport},
 		insecureClient: &http.Client{Transport: newCustomHTTPTransport(true)},
 	}
 }
@ -139,23 +115,11 @@ func (o *Opa) IsAllowed(args Args) bool {
 		req.Header.Set("Authorization", o.args.AuthToken)
 	}
-	var resp *http.Response
+	resp, err := o.client.Do(req)
 	if o.secureFailed {
 		resp, err = o.insecureClient.Do(req)
 	} else {
 		resp, err = o.client.Do(req)
 		if err != nil {
 			o.secureFailed = true
 			resp, err = o.insecureClient.Do(req)
 			if err != nil {
 				return false
 			}
 		}
 	}
 	if err != nil {
 		return false
 	}
-	defer resp.Body.Close()
+	defer o.args.CloseRespFn(resp.Body)
 	// Handle OPA response
 	type opaResponse struct {