OPAL Configuration Variables
This page lists all the OPAL configuration variables for the OPAL Client and the OPAL Server. Use these tables as a reference.
Common OPAL Configuration Variables
| Variables | Description | Example |
|---|---|---|
| ALLOWED_ORIGINS | | |
| PROCESS_NAME | The process name to be shown in logs. | |
| LOG_FORMAT_INCLUDE_PID | | |
| LOG_FORMAT | | |
| LOG_TRACEBACK | | |
| LOG_SHOW_CODE_LINE | | |
| LOG_LEVEL | | |
| LOG_MODULE_EXCLUDE_LIST | | |
| LOG_MODULE_INCLUDE_LIST | | |
| LOG_PATCH_UVICORN_LOGS | Take over Uvicorn's logs so they appear in the main logger. | |
| LOG_TO_FILE | | |
| LOG_FILE_PATH | Path where the log file is saved. | |
| LOG_FILE_ROTATION | | |
| LOG_FILE_RETENTION | | |
| LOG_FILE_COMPRESSION | | |
| LOG_FILE_SERIALIZE | | |
| LOG_FILE_LEVEL | | |
| STATISTICS_ENABLED | Collect statistics about OPAL clients. | |
| STATISTICS_ADD_CLIENT_CHANNEL | The topic on which new OPAL client connections are announced. | |
| STATISTICS_REMOVE_CLIENT_CHANNEL | The topic on which OPAL client disconnections are announced. | |
| FETCH_PROVIDER_MODULES | | |
| FETCHING_WORKER_COUNT | | |
| FETCHING_CALLBACK_TIMEOUT | | |
| FETCHING_ENQUEUE_TIMEOUT | | |
| GIT_SSH_KEY_FILE | | |
| CLIENT_SELF_SIGNED_CERTIFICATES_ALLOWED | Whether OPAL Client will trust HTTPS connections protected by self-signed certificates. Not to be used in production. | |
| CLIENT_SSL_CONTEXT_TRUSTED_CA_FILE | A path to your own CA public certificate file (usually a .crt or .pem file). Certificates signed by this issuer will be trusted by OPAL Client. Not to be used in production. | |
| AUTH_PUBLIC_KEY_FORMAT | | |
| AUTH_PUBLIC_KEY | | |
| AUTH_JWT_ALGORITHM | JWT signing algorithm. | |
| AUTH_JWT_AUDIENCE | | |
| AUTH_JWT_ISSUER | | |
OPAL Server Configuration Variables
| Variables | Description | Example |
|---|---|---|
| AUTH_JWT_ISSUER | | |
| CLIENT_LOAD_LIMIT_NOTATION | If supplied, a rate limit is enforced on the server's websocket endpoint. The format is limits-style notation (e.g. "10 per second"). | |
| BROADCAST_URI | | |
| BROADCAST_CHANNEL_NAME | | |
| BROADCAST_CONN_LOSS_BUGFIX_EXPERIMENT_ENABLED | | |
| AUTH_PRIVATE_KEY_FORMAT | | |
| AUTH_PRIVATE_KEY_PASSPHRASE | | |
| AUTH_PRIVATE_KEY | | |
| AUTH_JWKS_URL | | |
| AUTH_JWKS_STATIC_DIR | | |
| AUTH_MASTER_TOKEN | | |
| POLICY_SOURCE_TYPE | Set your policy source; this can be GIT or API. | |
| POLICY_REPO_URL | Set your remote repo URL. Relevant only to the GIT source type. | |
| POLICY_BUNDLE_URL | Set your API bundle URL. Relevant only to the API source type. | |
| POLICY_REPO_CLONE_PATH | Base path under which the local git folder that tracks policy changes is created. | |
| POLICY_REPO_CLONE_FOLDER_PREFIX | Prefix for the local git folder. | |
| POLICY_REPO_REUSE_CLONE_PATH | Set if OPAL Server should use a fixed clone path (and reuse it if it already exists) instead of randomizing its suffix on each run. | |
| POLICY_REPO_MAIN_BRANCH | | |
| POLICY_REPO_SSH_KEY | | |
| POLICY_REPO_MANIFEST_PATH | Path of the directory holding the '.manifest' file (updated way), or of the manifest file itself (old way). The repo's root is used by default. | |
| POLICY_REPO_CLONE_TIMEOUT | If set to 0, waits forever until the clone succeeds. | |
| LEADER_LOCK_FILE_PATH | | |
| POLICY_BUNDLE_SERVER_TYPE | HTTP (authenticated with a bearer token, or unauthenticated) or AWS-S3 (authenticated with AWS REST Auth). | AWS-S3 |
| POLICY_BUNDLE_SERVER_TOKEN_ID | The secret token ID (a.k.a. user ID or access key) sent to the API bundle server. | AKIAIOSFODNN7EXAMPLE |
| POLICY_BUNDLE_SERVER_TOKEN | The secret token (a.k.a. password or secret key) sent to the API bundle server. | wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY |
| POLICY_BUNDLE_TMP_PATH | Path for the temporary policy file. It needs to be writable. | |
| POLICY_BUNDLE_GIT_ADD_PATTERN | File pattern for files to add to git on top of the default git files. | |
| REPO_WATCHER_ENABLED | | |
| PUBLISHER_ENABLED | | |
| BROADCAST_KEEPALIVE_INTERVAL | The time to wait between two consecutive broadcaster keepalive messages. | |
| BROADCAST_KEEPALIVE_TOPIC | The topic on which broadcaster keepalive messages are sent. | |
| MAX_CHANNELS_PER_CLIENT | Maximum number of records per client; beyond this number, records are not added to statistics. Relevant only if STATISTICS_ENABLED. | |
| STATISTICS_WAKEUP_CHANNEL | The topic a waking-up OPAL Server uses to notify the other servers that it needs their statistics data. | |
| STATISTICS_STATE_SYNC_CHANNEL | The topic on which other servers holding statistics provide their state to a waking-up server. | |
| ALL_DATA_TOPIC | Top-level topic for data. | |
| ALL_DATA_ROUTE | | |
| ALL_DATA_URL | URL for all data config (if you choose to have it all in one place). | |
| DATA_CONFIG_ROUTE | URL to fetch the full basic data configuration. | |
| DATA_CALLBACK_DEFAULT_ROUTE | Exists as a sane default in case the user did not set OPAL_DEFAULT_UPDATE_CALLBACKS. | |
| DATA_CONFIG_SOURCES | Configuration of data sources by topic. | |
| DATA_UPDATE_TRIGGER_ROUTE | URL to trigger data update events. | |
| POLICY_REPO_WEBHOOK_SECRET | | |
| POLICY_REPO_WEBHOOK_TOPIC | | |
| POLICY_REPO_WEBHOOK_ENFORCE_BRANCH | | |
| POLICY_REPO_WEBHOOK_PARAMS | | |
| POLICY_REPO_POLLING_INTERVAL | | |
| ALLOWED_ORIGINS | | |
| FILTER_FILE_EXTENSIONS | | |
| NO_RPC_LOGS | | |
| SERVER_WORKER_COUNT | (If run using the CLI) Worker count for the server (default: calculated from CPU cores). | |
| SERVER_HOST | (If run using the CLI) Address for the server to bind. | |
| SERVER_BIND_PORT | (If run using the CLI) Port for the server to bind (replaces the deprecated SERVER_PORT). | |
| ENABLE_DATADOG_APM | Set if OPAL Server should enable tracing with Datadog APM. | |
| SCOPES | | |
| REDIS_URL | | |
| BASE_DIR | | |
| POLICY_REFRESH_INTERVAL | | |
| OPAL_WS_ROUTE | | |
| SERVER_WS_URL | | |
| SERVER_PUBSUB_URL | | |
| CLIENT_TOKEN | The OPAL Server auth token. | |
| CLIENT_API_SERVER_WORKER_COUNT | (If run using the CLI) Worker count for the opal-client's internal server. | |
| CLIENT_API_SERVER_HOST | (If run using the CLI) Address for the opal-client's internal server to bind. | |
| CLIENT_API_SERVER_PORT | (If run using the CLI) Port for the opal-client's internal server to bind. | |
| WAIT_ON_SERVER_LOAD | If set, the client waits for an HTTP 200 from the server's loadlimit endpoint before starting background tasks. | |
| OPAL_POLICY_REPO_URL | The URL of the policy repo. Must be reachable from the machine running OPAL (prefer public internet addresses). Supported URI schemes: https:// and ssh (i.e. git@). | |
| OPAL_POLICY_REPO_SSH_KEY | The value is a private key (i.e. an SSH key). You will need to register the matching public key with your repo; for example, see the GitHub tutorial on the subject. The value must be the contents of the SSH key on one line (replace each newline with an underscore, i.e. \n with _). | |
| OPAL_POLICY_REPO_CLONE_PATH | Where (i.e. the base target path) to clone the repo in your Docker filesystem (not important unless you mount a Docker volume). | |
| OPAL_POLICY_REPO_MAIN_BRANCH | Name of the git branch to track for policy files (default: master). | |
| OPAL_BUNDLE_IGNORE | Paths to omit from the policy bundle. A list of glob-style paths, or paths without wildcards but ending with "/**" indicating a parent path (ignoring everything under it). | bundle_ignore: Optional[List[str]] |
OPAL Client Configuration Variables
| Variables | Description | Example |
|---|---|---|
| POLICY_STORE_TYPE | | |
| POLICY_STORE_AUTH_TYPE | The authentication method for connecting to the policy store. Possible values are oauth or token. | |
| POLICY_STORE_AUTH_TOKEN | The authentication (bearer) token OPAL Client will use to authenticate against the policy store (i.e. the OPA agent). | |
| POLICY_STORE_AUTH_OAUTH_SERVER | The authentication server OPAL Client will authenticate against to retrieve the access_token. | |
| POLICY_STORE_AUTH_OAUTH_CLIENT_ID | The client ID OPAL will use to authenticate against the OAuth server. | |
| POLICY_STORE_AUTH_OAUTH_CLIENT_SECRET | The client secret OPAL will use to authenticate against the OAuth server. | |
| POLICY_STORE_CONN_RETRY | Retry options when connecting to the policy store (i.e. the agent that handles the policy, e.g. OPA). | |
| POLICY_STORE_POLICY_PATHS_TO_IGNORE | Which policy paths pushed to the client should be ignored. A list of glob-style paths, or paths without wildcards but ending with "/**" indicating a parent path (ignoring everything under it). | |
| INLINE_OPA_ENABLED | Whether OPAL should run OPA itself in the same container. | |
| INLINE_OPA_CONFIG | If inline OPA is enabled, the user can set the server configuration options that affect how OPA starts when running opa run --server inline. Watch out for escaping quotes. | {"config_file":"/mnt/opa/config"} |
| INLINE_OPA_LOG_FORMAT | | |
| KEEP_ALIVE_INTERVAL | | |
| OFFLINE_MODE_ENABLED | If set, OPAL Client will try to load the policy store from the backup file and operate even if the server is unreachable. Ignored if INLINE_OPA_ENABLED=False. | |
| STORE_BACKUP_PATH | Path to back up the policy store's data to. | |
| STORE_BACKUP_INTERVAL | Interval in seconds between backups of the policy store's data. | |
| POLICY_UPDATER_ENABLED | If set to FALSE, OPAL Client will not fetch policies or listen to policy updates. | |
Policy Updater Configuration Variables
| Variables | Description | Example |
|---|---|---|
| POLICY_SUBSCRIPTION_DIRS | The directories in the policy repo to subscribe to for policy code (rego) modules. | |
| POLICY_UPDATER_CONN_RETRY | Retry options when connecting to the policy source (e.g. the policy bundle server). | |
Data Updater Configuration Variables
| Variables | Description | Example |
|---|---|---|
| DATA_UPDATER_ENABLED | If set to FALSE, OPAL Client will not listen to dynamic data updates. | |
| DATA_TOPICS | Data topics to subscribe to. | |
| DEFAULT_DATA_SOURCES_CONFIG_URL | Default URL to fetch data configuration from. | |
| DEFAULT_DATA_URL | Default URL to fetch data from. | |
| SHOULD_REPORT_ON_DATA_UPDATES | Should the client report on updates to callbacks defined in DEFAULT_UPDATE_CALLBACKS or within the given updates. | |
| DEFAULT_UPDATE_CALLBACK_CONFIG | ||
| DEFAULT_UPDATE_CALLBACKS | Where/How the client should report on the completion of data updates. | |
| DATA_STORE_CONN_RETRY | Retry options when connecting to the base data source (e.g. an external API server which returns a data snapshot). | |
OPA Transaction Log / Healthcheck Configuration Variables
| Variables | Description | Example |
|---|---|---|
| OPA_HEALTH_CHECK_POLICY_ENABLED | Whether to load a special healthcheck policy into OPA that checks that OPA was synced correctly and is ready to answer authorization queries. | |
| OPA_HEALTH_CHECK_TRANSACTION_LOG_PATH | Path to the OPA document that stores the OPA write transactions. | |
| OPAL_CLIENT_STAT_ID | Unique client statistics identifier. | |
| OPA_HEALTH_CHECK_POLICY_PATH | | |
| SCOPE_ID | | |