| AUTH_JWT_ISSUER | | |
| AUTH_JWT_ISSUER | | |
| CLIENT_LOAD_LIMIT_NOTATION | If supplied, rate limit would be enforced on the servers websocket endpoint. Format is limits-style notation (e.g. 10 per second). Learn more. | |
| BROADCAST_URI | | |
| BROADCAST_CHANNEL_NAME | | |
| BROADCAST_CONN_LOSS_BUGFIX_EXPERIMENT_ENABLED | | |
| AUTH_PRIVATE_KEY_FORMAT | | |
| AUTH_PRIVATE_KEY_PASSPHRASE | | |
| AUTH_PRIVATE_KEY | | |
| AUTH_JWKS_URL | | |
| AUTH_JWKS_STATIC_DIR | | |
| AUTH_MASTER_TOKEN | | |
| POLICY_SOURCE_TYPE | Set your policy source, this can be GIT / API. | |
| POLICY_REPO_URL | Set your remote repo URL - this is relevant only to GIT source type E.g. view example. | |
| POLICY_BUNDLE_URL | Set your API bundle URL, this is relevant only to API source type. | |
| POLICY_REPO_CLONE_PATH | Base path to create local git folder inside this path, that manages policy change. | |
| POLICY_REPO_CLONE_FOLDER_PREFIX | Prefix for the local git folder. | |
| POLICY_REPO_REUSE_CLONE_PATH | Set if OPAL server should use a fixed clone path (and reuse if it already exists) instead of randomizing its suffix on each run. | |
| POLICY_REPO_MAIN_BRANCH | | |
| POLICY_REPO_SSH_KEY | | |
| POLICY_REPO_MANIFEST_PATH | Path of the directory holding the '.manifest' file (updated way), or of the manifest file itself (old way). Repo's root is used by default. | |
| POLICY_REPO_CLONE_TIMEOUT | If set to 0, waits forever until successful clone. | |
| LEADER_LOCK_FILE_PATH | | |
| POLICY_BUNDLE_SERVER_TOKEN | The Bearer Token to sent to the API bundle server. | |
| POLICY_BUNDLE_TMP_PATH | Path for temp policy file. It needs to be writable. | |
| POLICY_BUNDLE_GIT_ADD_PATTERN | File pattern to add files to all the git default files. | |
| REPO_WATCHER_ENABLED | | |
| PUBLISHER_ENABLED | | |
| BROADCAST_KEEPALIVE_INTERVAL | The time to wait between sending two consecutive broadcaster keepalive messages. | |
| BROADCAST_KEEPALIVE_TOPIC | The topic on which we should send broadcaster keepalive messages. | |
| MAX_CHANNELS_PER_CLIENT | Max number of records per client, after this number it will not be added to statistics, relevant only if STATISTICS_ENABLED. | |
| STATISTICS_WAKEUP_CHANNEL | The topic a waking-up OPAL server uses to notify others he needs their statistics data. | |
| STATISTICS_STATE_SYNC_CHANNEL | The topic other servers with statistics provide their state to a waking-up server. | |
| ALL_DATA_TOPIC | Top level topic for data. | |
| ALL_DATA_ROUTE | | |
| ALL_DATA_URL | URL for all data config [If you choose to have it all at one place]. | |
| DATA_CONFIG_ROUTE | URL to fetch the full basic configuration of data. | |
| DATA_CALLBACK_DEFAULT_ROUTE | Exists as a sane default in case the user did not set OPAL_DEFAULT_UPDATE_CALLBACKS. | |
| DATA_CONFIG_SOURCES | Configuration of data sources by topics. | |
| DATA_UPDATE_TRIGGER_ROUTE | URL to trigger data update events. | |
| POLICY_REPO_WEBHOOK_SECRET | | |
| POLICY_REPO_WEBHOOK_TOPIC | | |
| POLICY_REPO_WEBHOOK_ENFORCE_BRANCH | | |
| POLICY_REPO_WEBHOOK_PARAMS | | |
| POLICY_REPO_POLLING_INTERVAL | | |
| ALLOWED_ORIGINS | | |
| OPA_FILE_EXTENSIONS | | |
| NO_RPC_LOGS | | |
| SERVER_WORKER_COUNT | (If run using the CLI) - Worker count for the server [Default calculated to CPU-cores]. | |
| SERVER_HOST | (If run using the CLI) - Address for the server to bind. | |
| SERVER_PORT | (If run using the CLI) - Port for the server to bind. | |
| ENABLE_DATADOG_APM | Set if OPAL server should enable tracing with datadog APM. | |
| SERVER_ROLE | Server is leader or follower. | |
| SCOPES | | |
| REDIS_URL | | |
| CELERY_BACKEND | | |
| BASE_DIR | | |
| POLICY_REFRESH_INTERVAL | | |
| SERVER_URL | | |
| WORKER_TOKEN | | |
| SERVER_URL | | |
| OPAL_WS_ROUTE | | |
| SERVER_WS_URL | | |
| SERVER_PUBSUB_URL | | |
| CLIENT_TOKEN | The OPAL Server Auth Token. | |
| CLIENT_API_SERVER_WORKER_COUNT | (If run using the CLI) - Worker count for the opal-client's internal server. | |
| CLIENT_API_SERVER_HOST | (If run using the CLI) - Address for the opal-client's internal server to bind. | |
| CLIENT_API_SERVER_PORT | (If run using the CLI) - Port for the opal-client's internal server to bind. | |
| WAIT_ON_SERVER_LOAD | If set, client would wait for 200 from server's loadlimit endpoint before starting background tasks. | |
| OPAL_POLICY_REPO_URL | The repo url the policy repo is located at. Must be available from the machine running OPAL (opt for public internet addresses). Supported URI schemes: https:// and ssh{" "} (i.e: git@). | |
| OPAL_POLICY_REPO_SSH_KEY | The content of the var is a private crypto key (i.e: SSH key). You will need to register the matching public key with your repo. For example, see the{" "} GitHub tutorial {" "} on the subject. The passed value must be the contents of the SSH key in one line (replace new-line with underscore, i.e: \n with{" "} _). | |
| OPAL_POLICY_REPO_CLONE_PATH | Where (i.e: base target path) to clone the repo in your docker filesystem (not important unless you mount a docker volume). | |
| OPAL_POLICY_REPO_MAIN_BRANCH | Name of the git branch to track for policy files (default: master). | |
| OPAL_BUNDLE_IGNORE | Paths to omit from policy bundle. List of glob style paths, or paths without wildcards but ending with "/**" indicating a parent path (ignoring all under it). | bundle_ignore: Optional[List[str]] |