if opaURL == "" {
			return args, nil
		}
	}
	authToken := env.Get(EnvIamOpaAuthToken, "")
	if authToken == "" {
		authToken = env.Get(EnvPolicyOpaAuthToken, kv.Get(AuthToken))
	}

	u, err := xnet.ParseHTTPURL(opaURL)
	if err != nil {
		return args, err
	}
	args = Args{
		URL:         u,
		AuthToken:   authToken,
		Transport:   transport,
		CloseRespFn: closeRespFn,
	}

	if err != nil {
		return nil, err
	}

	// Verify if the authToken already contains
	// <Key> <Token> like format, if this is
	// already present we can blindly use the
	// authToken as is instead of adding 'Bearer'
	tokens := strings.Fields(target.args.AuthToken)
	switch len(tokens) {
	case 2:
		req.Header.Set("Authorization", target.args.AuthToken)
	case 1:

			Type:        "url",
		},
		config.HelpKV{
			Key:         AuthToken,
			Description: "authorization token for plugin hook endpoint" + defaultHelpPostfix(AuthToken),
			Optional:    true,
			Type:        "string",
			Sensitive:   true,
			Secret:      true,
		},
		config.HelpKV{
			Key:         RolePolicy,

	if err != nil {
		return err
	}

	// Verify if the authToken already contains
	// <Key> <Token> like format, if this is
	// already present we can blindly use the
	// authToken as is instead of adding 'Bearer'
	tokens := strings.Fields(target.args.AuthToken)
	switch len(tokens) {
	case 2:
		req.Header.Set("Authorization", target.args.AuthToken)
	case 1:

		config.KV{
			Key:   config.Enable,
			Value: config.EnableOn,
		},
		config.KV{
			Key:   Endpoint,
			Value: args.Endpoint.String(),
		},
		config.KV{
			Key:   AuthToken,
			Value: args.AuthToken,
		},
	}
}

// SetLoggerHTTP helper for migrating older config to newer KV format.
func SetLoggerHTTP(scfg config.Config, k string, args http.Config) {
	if !args.Enabled {

			Key:   URL,
			Value: "",
		},
		config.KV{
			Key:   AuthToken,
			Value: "",
		},
		config.KV{
			Key:   EnableHTTP2,
			Value: "off",
		},
	}
)

// Args for general purpose policy engine configuration.
type Args struct {
	URL         *xnet.URL             `json:"url"`
	AuthToken   string                `json:"authToken"`
	Transport   http.RoundTripper     `json:"-"`

			return cfg, fmt.Errorf("maximum allowed value for retry interval is '1m': %s", retryIntervalCfgVal)
		}
		cfg.HTTP[k] = http.Config{
			Enabled:    true,
			Endpoint:   url,
			AuthToken:  getCfgVal(EnvLoggerWebhookAuthToken, k, kv.Get(AuthToken)),
			ClientCert: clientCert,
			ClientKey:  clientKey,
			Proxy:      getCfgVal(EnvLoggerWebhookProxy, k, kv.Get(Proxy)),
			BatchSize:  batchSize,
			QueueSize:  queueSize,

		return
	}
	s[config.PolicyOPASubSys][config.Default] = config.KVS{
		config.KV{
			Key:   URL,
			Value: opaArgs.URL.String(),
		},
		config.KV{
			Key:   AuthToken,
			Value: opaArgs.AuthToken,
		},
	}

	Enabled     bool              `json:"enabled"`
	Name        string            `json:"name"`
	UserAgent   string            `json:"userAgent"`
	Endpoint    *xnet.URL         `json:"endpoint"`
	AuthToken   string            `json:"authToken"`
	ClientCert  string            `json:"clientCert"`
	ClientKey   string            `json:"clientKey"`
	BatchSize   int               `json:"batchSize"`
	QueueSize   int               `json:"queueSize"`

	// Sign a token for the given audience.
	AuthFn AuthFn
	// Callbacks to validate incoming connections.
	AuthToken ValidateTokenFn
}

// NewManager creates a new grid manager
func NewManager(ctx context.Context, o ManagerOptions) (*Manager, error) {
	found := false
	if o.AuthToken == nil {
		return nil, fmt.Errorf("grid: AuthToken not set")
	}
	if o.Dialer == nil {
		return nil, fmt.Errorf("grid: Dialer not set")
	}