Fix OPA configuration handling

horizon/enforcer/opa/config_maker.py

@@ -37,16 +37,25 @@ def get_opa_config_file_path(
     decision_logs_backend_tier = (
         sidecar_config.OPA_DECISION_LOG_INGRESS_BACKEND_TIER_URL or sidecar_config.CONTROL_PLANE
     )
+    configs = {
+        "bearer_token": "enforced" if sidecar_config.OPA_BEARER_TOKEN_REQUIRED else "optional",
+        "decision_logs": "disabled",
+        "plugins": list(sidecar_config.OPA_PLUGINS.keys()) or "none",
+    }
+    if sidecar_config.OPA_DECISION_LOG_ENABLED:
+        configs["decision_logs"] = decision_logs_backend_tier
+
     logger.info(
-        "Uploading decision logs to backend tier: {tier}",
-        tier=decision_logs_backend_tier,
+        "Configuring OPA with the following settings:\n{settings}",
+        settings="\n".join(f"{k} = {v}" for k, v in configs.items()),
     )
 
     try:
         template = env.get_template(template_path)
         contents = template.render(
             cloud_service_url=decision_logs_backend_tier,
-            bearer_token=get_env_api_key(),
+            bearer_token=get_env_api_key() if sidecar_config.OPA_BEARER_TOKEN_REQUIRED else None,
+            decision_logs_enabled=sidecar_config.OPA_DECISION_LOG_ENABLED,
             log_ingress_endpoint=sidecar_config.OPA_DECISION_LOG_INGRESS_ROUTE,
             min_delay_seconds=sidecar_config.OPA_DECISION_LOG_MIN_DELAY,
             max_delay_seconds=sidecar_config.OPA_DECISION_LOG_MAX_DELAY,

horizon/pdp.py

@@ -142,9 +142,9 @@ def __init__(self):
 
         self._log_environment(remote_config.context)
 
-        if sidecar_config.OPA_BEARER_TOKEN_REQUIRED or sidecar_config.OPA_DECISION_LOG_ENABLED:
-            # we need to pass to OPAL a custom inline OPA config to enable these features
-            self._configure_inline_opa_config()
+        # we need to pass to OPAL a custom inline OPA config to
+        # enable some of the features
+        self._configure_inline_opa_config()
 
         self._configure_opal_data_updater()
         self._configure_opal_offline_mode()
@@ -273,12 +273,11 @@ def _configure_inline_opa_config(self):
 
         logger.debug(f"existing OPAL_INLINE_OPA_CONFIG={inline_opa_config}")
 
-        if sidecar_config.OPA_DECISION_LOG_ENABLED:
-            # decision logs needs to be configured via the config file
-            config_file_path = get_opa_config_file_path(sidecar_config)
+        # decision logs needs to be configured via the config file
+        config_file_path = get_opa_config_file_path(sidecar_config)
 
-            # append the config file to inline OPA config
-            inline_opa_config.update({"config_file": config_file_path})
+        # append the config file to inline OPA config
+        inline_opa_config.update({"config_file": config_file_path})
 
         if sidecar_config.OPA_BEARER_TOKEN_REQUIRED:
             # overrides OPAL client config so that OPAL passes the bearer token in requests

horizon/static/templates/config.yaml.template

@@ -1,12 +1,12 @@
 services:
   permit_io:
     url: {{ cloud_service_url }}
-    {% if bearer_token is defined %}
+    {% if bearer_token %}
     credentials:
       bearer:
         token: "{{ bearer_token }}"
     {% endif %}
-
+{% if decision_logs_enabled %}
 decision_logs:
   {% if log_to_console %}
   console: true
@@ -17,6 +17,7 @@ decision_logs:
     min_delay_seconds: {{ min_delay_seconds }}
     max_delay_seconds: {{ max_delay_seconds }}
     upload_size_limit_bytes: {{ upload_size_limit_bytes }}
+{% endif %}
 
 {% if plugins %}
 plugins: