Configuring Variables
Configuration Variables
We will now explain how to pass configuration variables to OPAL.
- In its dockerized form, OPAL server and client containers pick up their configuration variables from environment variables prefixed with
OPAL_(e.g:OPAL_DATA_CONFIG_SOURCES,OPAL_POLICY_REPO_URL, etc). - The OPAL CLI can pick up config vars from either environment variables prefixed with
OPAL_or from CLI arguments (interchangeable).- Supported CLI options are listed in
--help. - Each cli argument can match to a corresponding environment variable:
- Simply convert the cli argument name to SCREAMING_SNAKE_CASE, and prefix it with
OPAL_. - Examples:
--server-urlbecomesOPAL_SERVER_URL--data-config-sourcesbecomesOPAL_DATA_CONFIG_SOURCES
- Simply convert the cli argument name to SCREAMING_SNAKE_CASE, and prefix it with
- Supported CLI options are listed in
Security Considerations (for production environments)
Soon the OPAL Security Model will be available, we have listed the mandatory checklist below:
- OPAL server should always be protected with a TLS/SSL certificate (i.e: HTTPS).
- OPAL server should always run in secure mode - meaning JWT token verification should be active.
- OPAL server should be configured with a master token.
- Sensitive configuration variables (i.e: environment variables with sensitive values) should always be stored in a dedicated Secret Store
- Example secret stores: AWS Secrets Manager, HashiCorp Vault, etc.
- NEVER EVER EVER store secrets as part of your source code (e.g: in your git repository).