feat: replace Synchronous HTTP Calls with Asynchronous in OPA plugin #2011
+114
−38
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
terylt
reviewed
Jan 9, 2026
| response: Returns a response that's recieved from the OPA server. Raises error in cases the communication is not successful. | ||
| """ | ||
| match = re.match(r"(\d+)s", self.opa_config.opa_client_timeout.strip()) |
Collaborator
There was a problem hiding this comment.
Is this something that could be done once in the init function of the Plugin? This would save processing.
Member
There was a problem hiding this comment.
e.g.,
# Parse once in __init__:
def __init__(self, config: PluginConfig):
...
# Parse timeout once
match = re.match(r"(\d+)s", self.opa_config.opa_client_timeout.strip())
self._timeout_seconds = float(match.group(1)) if match else 30.0
Collaborator
Author
There was a problem hiding this comment.
yes that's a good point. I will make that change
araujof
requested changes
Jan 9, 2026
Member
araujof
left a comment
araujof
left a comment
There was a problem hiding this comment.
Hi Shriti, please look into the recommendations we made.
| try: | ||
| rsp = requests.post(url, json=payload) | ||
| logger.info(f"OPA connection response '{rsp}'") | ||
| async with httpx.AsyncClient() as client: |
Member
There was a problem hiding this comment.
A new httpx.AsyncClient() is created and destroyed for every OPA policy evaluation. This means:
- Connection establishment overhead on every request
- No connection reuse/pooling
- TCP handshake + TLS negotiation repeated for each policy check
- Under high load with many plugin invocations, this becomes a severe bottleneck
Recommendation:
# In __init__:
self._http_client = httpx.AsyncClient(
timeout=httpx.Timeout(self._timeout_seconds),
limits=httpx.Limits(max_keepalive_connections=20, max_connections=100),
http2=True # Optional: enable HTTP/2 for better performance
)
# Add cleanup method:
async def cleanup(self):
await self._http_client.aclose()
Member
There was a problem hiding this comment.
Maybe set a default (those are max numbers) and allows for configuration, I think.
| response: Returns a response that's recieved from the OPA server. Raises error in cases the communication is not successful. | ||
| """ | ||
| match = re.match(r"(\d+)s", self.opa_config.opa_client_timeout.strip()) |
Member
There was a problem hiding this comment.
e.g.,
# Parse once in __init__:
def __init__(self, config: PluginConfig):
...
# Parse timeout once
match = re.match(r"(\d+)s", self.opa_config.opa_client_timeout.strip())
self._timeout_seconds = float(match.group(1)) if match else 30.0| logger.warning(f"Retry attempt to connect to OPA server {attempt + 1}") | ||
| if attempt == max_retries - 1: | ||
| raise | ||
| await asyncio.sleep(2**attempt) |
Member
There was a problem hiding this comment.
await asyncio.sleep(2**attempt) grows exponentially without limit:
- Attempt 0: 1 second
- Attempt 1: 2 seconds
- Attempt 2: 4 seconds
- Attempt 3: 8 seconds (if max_retries increased)
This could cause excessive delays if max_retries is increased.
Recommendation:
# Add jitter and cap max delay
import random
delay = min(2**attempt, 10) + random.uniform(0, 1)
await asyncio.sleep(delay)
Collaborator
Author
There was a problem hiding this comment.
Sure, makes sense. Will make that change
Member
|
Nice job on this PR. As noted in the inlined comments, a few suggestions:
# In __init__:
self.http_client = httpx.AsyncClient(timeout=httpx.Timeout(30.0))
# In _evaluate_opa_policy:
rsp = await self._post_with_retry(client=self.http_client, url=url, payload=payload, ...)
# Add cleanup method:
async def cleanup(self):
await self.http_client.aclose()This would improve performance by avoiding connection establishment overhead on each OPA request.
match = re.match(r"(\d+)s", self.opa_config.opa_client_timeout.strip())Could be compiled once in init: # In __init__:
self._timeout_pattern = re.compile(r"(\d+)s")
# In _post_with_retry:
match = self._timeout_pattern.match(self.opa_config.opa_client_timeout.strip()) |
araujof
changed the title
araujof
changed the title
…to opa Signed-off-by: Shriti Priya <shritip@ibm.com>
Signed-off-by: Shriti Priya <shritip@ibm.com>
Signed-off-by: Shriti Priya <shritip@ibm.com>
Signed-off-by: Shriti Priya <shritip@ibm.com>
Signed-off-by: Shriti Priya <shritip@ibm.com>
Signed-off-by: Shriti Priya <shritip@ibm.com>
- Rename cleanup() to shutdown() to match plugin framework interface - Fix config key from opa_client_max_retries to opa_client_retries The plugin framework calls shutdown() for cleanup, not cleanup(). The config.yaml key must match the schema field name. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
crivetimihai
force-pushed
the
fix/opa_plugin_performance_optimization
branch
from
d9ad3d4 to
ace14e3
Compare
- Pass keepalive_expiry to httpx.Limits (was parsed but unused) - Add Pydantic Field validation for retries >= 1 (prevents 0/negative) - Add validation for max_keepalive and max_connections >= 1 Addresses review feedback about config knobs having no effect and retries=0 causing silent failures. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
- Add httpx>=0.28.0 to pyproject.toml dependencies (was missing) - Clarify retries field: 1=single attempt, 3=up to 3 attempts The httpx library is now explicitly declared since the plugin switched from requests to httpx for async HTTP calls. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
📝 This PR addresses the following:
Fix #1931
Previous implementation of OPA plugin had the following issue:
When the OPA plugin is enabled and evaluates policies, each policy check blocks the entire async worker until the HTTP request completes, which caused latency across all concurrent requests, etc.
Fix:
Key improvements:
config.yaml