Step 3: Changing and updating the policy in realtime
In the docker-compose.yml example file mentioned earlier, OPAL is configured to track this policy repository.
Here is a snippet of code from that repo:
# by default we run opal-server from latest official image
# the broadcast backbone uri used by opal server workers (see comments above for: broadcast_channel)
# number of uvicorn workers to run inside the opal-server container
# the git repo hosting our policy
# - if this repo is not public, you can pass an ssh key via `OPAL_POLICY_REPO_SSH_KEY`
# - the repo we pass in this example is *public* and acts as an example repo with dummy rego policy
# - for more info, see: https://docs.opal.ac/tutorials/track_a_git_repo
# in this example we will use a polling interval of 30 seconds to check for new policy updates (git commits affecting the rego policy).
# however, it is better to utilize a git *webhook* to trigger the server to check for changes only when the repo has new commits.
# for more info see: https://docs.opal.ac/tutorials/track_a_git_repo
You can also simply change the tracked repo in the example
docker-compose.yml file by editing these variables:
- OPAL_POLICY_REPO_URL=<YOUR REPO URL>
# use this if you want to setup policy updates via git webhook (recommended)
- OPAL_POLICY_REPO_WEBHOOK_SECRET=<your webhook secret>
# use this if you want to setup policy updates via polling (not recommended)
- OPAL_POLICY_REPO_POLLING_INTERVAL=<interval in seconds>
You can then push a commit that affects the policy and observe that the OPA state indeed changes.
If you would like more information on managing and tracking a git repo, check out the tutorial at https://docs.opal.ac/tutorials/track_a_git_repo.
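The webhook setup recommended above only stays trustworthy if the receiver checks the signature that the shared secret (OPAL_POLICY_REPO_WEBHOOK_SECRET) makes possible; otherwise anyone who can reach the webhook URL can trigger policy re-fetches. The following is an added illustration of that check, not OPAL's own code: it assumes GitHub's `X-Hub-Signature-256` header format (`sha256=<hex HMAC-SHA256 of the raw request body>`), and the secret and payload are constructed sample values.

```python
"""Verify a GitHub-style policy-repo webhook delivery before acting on it.

Added example, not OPAL's code. Assumes the git host signs each delivery
as GitHub does: X-Hub-Signature-256 = "sha256=" + hex(HMAC-SHA256(secret, body)).
"""
import hashlib
import hmac
from typing import Optional

# Constructed sample values (not real credentials or a real delivery).
SAMPLE_SECRET = "constructed-webhook-secret"
SAMPLE_BODY = b'{"ref":"refs/heads/main","commits":[{"modified":["policy.rego"]}]}'


def sign_payload(secret: str, body: bytes) -> str:
    """Produce the header value the git host would attach to this body."""
    digest = hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_webhook(secret: str, body: bytes, signature_header: Optional[str]) -> bool:
    """Return True only if the header is a valid HMAC of the raw body.

    Failure modes handled:
    - missing header or wrong scheme prefix: reject (never fall back to "trusted")
    - any change to the body (even whitespace) or a different secret: reject
    The comparison is constant-time so an attacker cannot learn how many
    bytes of a guessed signature matched.
    """
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected, signature_header)


def handle_delivery(secret: str, body: bytes, signature_header: Optional[str]) -> str:
    """Decide what a receiver should do with one delivery."""
    if not verify_webhook(secret, body, signature_header):
        return "rejected: bad or missing signature"
    return "accepted: trigger policy repo fetch"


if __name__ == "__main__":
    good = sign_payload(SAMPLE_SECRET, SAMPLE_BODY)
    print(handle_delivery(SAMPLE_SECRET, SAMPLE_BODY, good))
    print(handle_delivery(SAMPLE_SECRET, SAMPLE_BODY + b" ", good))
    print(handle_delivery(SAMPLE_SECRET, SAMPLE_BODY, None))
```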