OPAL Configuration Variables
Provided on this page is a full list of all the OPAL configuration variables for the OPAL Client and the OPAL Server. Please use these tables as a reference.
Common OPAL Configuration Variables
Variables | Description | Example |
---|---|---|
ALLOWED_ORIGINS | ||
PROCESS_NAME | The process name to be shown in logs. | |
LOG_FORMAT_INCLUDE_PID | ||
LOG_FORMAT | ||
LOG_TRACEBACK | ||
LOG_SHOW_CODE_LINE | ||
LOG_LEVEL | ||
LOG_MODULE_EXCLUDE_LIST | ||
LOG_MODULE_INCLUDE_LIST | ||
LOG_PATCH_UVICORN_LOGS | Takeover UVICORN's logs so they appear in the main logger. | |
LOG_TO_FILE | ||
LOG_FILE_PATH | Path to define where to save the log file. | |
LOG_FILE_ROTATION | ||
LOG_FILE_RETENTION | ||
LOG_FILE_COMPRESSION | ||
LOG_FILE_SERIALIZE | ||
LOG_FILE_LEVEL | ||
STATISTICS_ENABLED | Collect statistics about OPAL clients. | |
STATISTICS_ADD_CLIENT_CHANNEL | The topic to update about the new OPAL clients connection. | |
STATISTICS_REMOVE_CLIENT_CHANNEL | The topic to update about the OPAL clients disconnection. | |
FETCH_PROVIDER_MODULES | ||
FETCHING_WORKER_COUNT | ||
FETCHING_CALLBACK_TIMEOUT | ||
FETCHING_ENQUEUE_TIMEOUT | ||
GIT_SSH_KEY_FILE | ||
CLIENT_SELF_SIGNED_CERTIFICATES_ALLOWED | Whether or not OPAL Client will trust HTTPS connections protected by self-signed certificates. Not to be used in production. | |
CLIENT_SSL_CONTEXT_TRUSTED_CA_FILE | A path to your own CA public certificate file (usually a .crt or a .pem file). Certificates signed by this issuer will be trusted by OPAL Client. Not to be used in Production. | |
AUTH_PUBLIC_KEY_FORMAT | ||
AUTH_PUBLIC_KEY | ||
AUTH_JWT_ALGORITHM | JWT algorithm. See possible values here. | |
AUTH_JWT_AUDIENCE | ||
AUTH_JWT_ISSUER | ||
OPAL Server Configuration Variables
Variables | Description | Example |
---|---|---|
AUTH_JWT_ISSUER | ||
CLIENT_LOAD_LIMIT_NOTATION | If supplied, a rate limit is enforced on the server's websocket endpoint. Format is `limits`-style notation (e.g. 10 per second). | |
BROADCAST_URI | ||
BROADCAST_CHANNEL_NAME | ||
BROADCAST_CONN_LOSS_BUGFIX_EXPERIMENT_ENABLED | ||
AUTH_PRIVATE_KEY_FORMAT | ||
AUTH_PRIVATE_KEY_PASSPHRASE | ||
AUTH_PRIVATE_KEY | ||
AUTH_JWKS_URL | ||
AUTH_JWKS_STATIC_DIR | ||
AUTH_MASTER_TOKEN | ||
POLICY_SOURCE_TYPE | Sets the policy source; can be GIT or API. | |
POLICY_REPO_URL | The remote repo URL; relevant only to the GIT source type. | |
POLICY_BUNDLE_URL | The API bundle URL; relevant only to the API source type. | |
POLICY_REPO_CLONE_PATH | Base path under which the local git folder that tracks policy changes is created. | |
POLICY_REPO_CLONE_FOLDER_PREFIX | Prefix for the local git folder. | |
POLICY_REPO_REUSE_CLONE_PATH | Set if OPAL server should use a fixed clone path (and reuse if it already exists) instead of randomizing its suffix on each run. | |
POLICY_REPO_MAIN_BRANCH | ||
POLICY_REPO_SSH_KEY | ||
POLICY_REPO_MANIFEST_PATH | Path of the directory holding the '.manifest' file (updated way), or of the manifest file itself (old way). Repo's root is used by default. | |
POLICY_REPO_CLONE_TIMEOUT | If set to 0, waits forever until successful clone. | |
LEADER_LOCK_FILE_PATH | ||
POLICY_BUNDLE_SERVER_TOKEN | The Bearer token to send to the API bundle server. | |
POLICY_BUNDLE_TMP_PATH | Path for temp policy file. It needs to be writable. | |
POLICY_BUNDLE_GIT_ADD_PATTERN | File pattern to add files to all the git default files. | |
REPO_WATCHER_ENABLED | ||
PUBLISHER_ENABLED | ||
BROADCAST_KEEPALIVE_INTERVAL | The time to wait between sending two consecutive broadcaster keepalive messages. | |
BROADCAST_KEEPALIVE_TOPIC | The topic on which we should send broadcaster keepalive messages. | |
MAX_CHANNELS_PER_CLIENT | Max number of records per client; beyond this number a client is not added to statistics. Relevant only if STATISTICS_ENABLED is set. | |
STATISTICS_WAKEUP_CHANNEL | The topic a waking-up OPAL server uses to notify the other servers that it needs their statistics data. | |
STATISTICS_STATE_SYNC_CHANNEL | The topic on which other servers provide their statistics state to a waking-up server. | |
ALL_DATA_TOPIC | Top level topic for data. | |
ALL_DATA_ROUTE | ||
ALL_DATA_URL | URL for all data config [If you choose to have it all at one place]. | |
DATA_CONFIG_ROUTE | URL to fetch the full basic configuration of data. | |
DATA_CALLBACK_DEFAULT_ROUTE | Exists as a sane default in case the user did not set OPAL_DEFAULT_UPDATE_CALLBACKS . | |
DATA_CONFIG_SOURCES | Configuration of data sources by topics. | |
DATA_UPDATE_TRIGGER_ROUTE | URL to trigger data update events. | |
POLICY_REPO_WEBHOOK_SECRET | ||
POLICY_REPO_WEBHOOK_TOPIC | ||
POLICY_REPO_WEBHOOK_ENFORCE_BRANCH | ||
POLICY_REPO_WEBHOOK_PARAMS | ||
POLICY_REPO_POLLING_INTERVAL | ||
ALLOWED_ORIGINS | ||
FILTER_FILE_EXTENSIONS | ||
NO_RPC_LOGS | ||
SERVER_WORKER_COUNT | (If run using the CLI) - Worker count for the server [Default calculated to CPU-cores]. | |
SERVER_HOST | (If run using the CLI) - Address for the server to bind. | |
SERVER_BIND_PORT | (If run using the CLI) - Port for the server to bind. (replaces deprecated SERVER_PORT) | |
ENABLE_DATADOG_APM | Set if OPAL server should enable tracing with datadog APM. | |
SCOPES | ||
REDIS_URL | ||
BASE_DIR | ||
POLICY_REFRESH_INTERVAL | ||
OPAL_WS_ROUTE | ||
SERVER_WS_URL | ||
SERVER_PUBSUB_URL | ||
CLIENT_TOKEN | The OPAL Server Auth Token. | |
CLIENT_API_SERVER_WORKER_COUNT | (If run using the CLI) - Worker count for the opal-client's internal server. | |
CLIENT_API_SERVER_HOST | (If run using the CLI) - Address for the opal-client's internal server to bind. | |
CLIENT_API_SERVER_PORT | (If run using the CLI) - Port for the opal-client's internal server to bind. | |
WAIT_ON_SERVER_LOAD | If set, the client waits for a 200 response from the server's loadlimit endpoint before starting background tasks. | |
OPAL_POLICY_REPO_URL | The URL at which the policy repo is located. Must be reachable from the machine running OPAL (opt for public internet addresses). Supported URI schemes: https:// and ssh (i.e. git@). | |
OPAL_POLICY_REPO_SSH_KEY | The content of the variable is a private crypto key (i.e. an SSH key). You will need to register the matching public key with your repo; for example, see the GitHub tutorial on the subject. The passed value must be the contents of the SSH key on one line (replace each new-line with an underscore, i.e. \n with _). | |
OPAL_POLICY_REPO_CLONE_PATH | Where (i.e: base target path) to clone the repo in your docker filesystem (not important unless you mount a docker volume). | |
OPAL_POLICY_REPO_MAIN_BRANCH | Name of the git branch to track for policy files (default: master ). | |
OPAL_BUNDLE_IGNORE | Paths to omit from policy bundle. List of glob style paths, or paths without wildcards but ending with "/**" indicating a parent path (ignoring all under it). | bundle_ignore: Optional[List[str]] |
OPAL Client Configuration Variables
Variables | Description | Example |
---|---|---|
POLICY_STORE_TYPE | ||
POLICY_STORE_AUTH_TYPE | The authentication method for connecting to the policy store. Possible values are oauth or token. | |
POLICY_STORE_AUTH_TOKEN | The authentication (bearer) token OPAL client will use to authenticate against the policy store (i.e: OPA agent). | |
POLICY_STORE_AUTH_OAUTH_SERVER | The authentication server OPAL client will use to authenticate against for retrieving the access_token. | |
POLICY_STORE_AUTH_OAUTH_CLIENT_ID | The client id OPAL will use to authenticate against the OAuth server. | |
POLICY_STORE_AUTH_OAUTH_CLIENT_SECRET | The client secret OPAL will use to authenticate against the OAuth server. | |
POLICY_STORE_CONN_RETRY | Retry options when connecting to the policy store (i.e. the agent that handles the policy, e.g. OPA). | |
POLICY_STORE_POLICY_PATHS_TO_IGNORE | Which policy paths pushed to the client should be ignored. List of glob style paths, or paths without wildcards but ending with "/**" indicating a parent path (ignoring all under it). | |
POLICY_UPDATER_CONN_RETRY | Retry options when connecting to the policy source (e.g. the policy bundle server). | |
INLINE_OPA_ENABLED | Whether or not OPAL should run OPA by itself in the same container. | |
INLINE_OPA_CONFIG | If inline OPA is enabled, CLI options (configuration) passed here affect how OPA runs; they are the options used when running `opa run --server` inline. | |
INLINE_OPA_LOG_FORMAT | ||
KEEP_ALIVE_INTERVAL | ||
OFFLINE_MODE_ENABLED | If set, OPAL Client will try to load the policy store from the backup file and operate even if the server is unreachable. Ignored if INLINE_OPA_ENABLED=False. | |
STORE_BACKUP_PATH | Path to which the policy store's data is backed up. | |
STORE_BACKUP_INTERVAL | Interval in seconds at which the policy store's data is backed up. | |
Policy Updater Configuration Variables
Variables | Description | Example |
---|---|---|
POLICY_SUBSCRIPTION_DIRS | The directories in a policy repo we should subscribe to for policy code (rego) modules. | |
Data Updater Configuration Variables
Variables | Description | Example |
---|---|---|
DATA_UPDATER_ENABLED | If set to FALSE , OPAL Client will not listen to dynamic data updates. | |
DATA_TOPICS | Data topics to subscribe to. | |
DEFAULT_DATA_SOURCES_CONFIG_URL | Default URL to fetch data configuration from. | |
DEFAULT_DATA_URL | Default URL to fetch data from. | |
SHOULD_REPORT_ON_DATA_UPDATES | Should the client report on updates to callbacks defined in DEFAULT_UPDATE_CALLBACKS or within the given updates. | |
DEFAULT_UPDATE_CALLBACK_CONFIG | ||
DEFAULT_UPDATE_CALLBACKS | Where/how the client should report on the completion of data updates. | |
OPA Transaction Log / Healthcheck Configuration Variables
Variables | Description | Example |
---|---|---|
OPA_HEALTH_CHECK_POLICY_ENABLED | Whether to load a special healthcheck policy into OPA that checks that OPA was synced correctly and is ready to answer authorization queries. | |
OPA_HEALTH_CHECK_TRANSACTION_LOG_PATH | Path to OPA document that stores the OPA write transactions. | |
OPAL_CLIENT_STAT_ID | Unique client statistics identifier. | |
OPA_HEALTH_CHECK_POLICY_PATH | ||
SCOPE_ID | ||