Configuration Reference

This page defines the format of OPA configuration files. Fields marked as required must be specified if the parent is defined. For example, when the configuration contains a status key, the status.service field must be defined.

The configuration file path is specified with the -c or --config-file command line argument:

opa run -s -c config.yaml

Example

services:
  - name: acmecorp
    url: https://example.com/control-plane-api/v1
    credentials:
      bearer:
        token: "bGFza2RqZmxha3NkamZsa2Fqc2Rsa2ZqYWtsc2RqZmtramRmYWxkc2tm"

labels:
  app: myapp
  region: west
  environment: production

bundle:
  name: http/example/authz
  service: acmecorp
  polling:
    min_delay_seconds: 60
    max_delay_seconds: 120

decision_logs:
  service: acmecorp
  reporting:
    min_delay_seconds: 300
    max_delay_seconds: 600

status:
  service: acmecorp

default_decision: /http/example/authz/allow

Services

Services represent endpoints that implement one or more control plane APIs such as the Bundle or Status APIs. OPA configuration files may contain multiple services.

Field Type Required Description
services[_].name string Yes Unique name for the service. Referred to by plugins.
services[_].url string Yes Base URL to contact the service with.
services[_].headers object No HTTP headers to include in requests to the service.
services[_].allow_insecure_tls bool No Allow insecure TLS.
services[_].credentials.bearer.token string No Enables token-based authentication and supplies the bearer token to authenticate with.
services[_].credentials.bearer.scheme string No Bearer token scheme to specify.
services[_].credentials.client_tls.cert string No The path to the client certificate to authenticate with.
services[_].credentials.client_tls.private_key string No The path to the private key of the client certificate.
services[_].credentials.client_tls.private_key_passphrase string No The passphrase to use for the private key.

Services can be defined as an array or object. When defined as an object, the object keys override the services[_].name fields.

Miscellaenous

Field Type Required Description
labels object Yes Set of key-value pairs that uniquely identify the OPA instance. Labels are included when OPA uploads decision logs and status information.
default_decision string No (default: /system/main) Set path of default policy decision used to serve queries against OPA's base URL.
default_authorization_decision string No (default: /system/authz/allow) Set path of default authorization decision for OPA's API.

Bundles

Field Type Required Description
bundle.name string Yes Name of the bundle to download.
bundle.service string Yes Name of service to use to contact remote server.
bundle.polling.min_delay_seconds int64 No (default: 60) Minimum amount of time to wait between bundle downloads.
bundle.polling.max_delay_seconds int64 No (default: 120) Maximum amount of time to wait between bundle downloads.

Status

Field Type Required Description
status.service string Yes Name of service to use to contact remote server.
status.partition_name string No Path segment to include in status updates.

Decision Logs

Field Type Required Description
decision_logs.service string Yes Name of the service to use to contact remote server.
decision_logs.partition_name string No Path segment to include in status updates.
decision_logs.reporting.buffer_size_limit_bytes int64 No Decision log buffer size limit in bytes. OPA will drop old events from the log if this limit is exceeded. By default, no limit is set.
decision_logs.reporting.upload_size_limit_bytes int64 No (default: 32768) Decision log upload size limit in bytes. OPA will chunk uploads to cap message body to this limit.
decision_logs.reporting.min_delay_seconds int64 No (default: 300) Minimum amount of time to wait between uploads.
decision_logs.reporting.max_delay_seconds int64 No (default: 600) Maximum amount of time to wait between uploads.

Discovery

Field Type Required Description
discovery.name string Yes Name of the discovery configuration to download.
discovery.prefix string No (default: bundles) Path prefix to use to download configuration from remote server.
discovery.polling.min_delay_seconds int64 No (default: 60) Minimum amount of time to wait between configuration downloads.
discovery.polling.max_delay_seconds int64 No (default: 120) Maximum amount of time to wait between configuration downloads.

results matching ""

    No results matching ""