Skip to main content

Policy Repository Syncing

Step 4: Server config - policy repo syncing (change detection)

Currently OPAL server supports two ways to detect changes in the policy git repo:

  • Polling in fixed intervals - checks every X seconds if new commits are available.
  • Github Webhooks - if the git repo is stored on github - you may setup a webhook (we plan to expand to generic webhook in the near future).

You may use polling by defining the following env var to a value different than 0:

Env Var NameFunction
OPAL_POLICY_REPO_POLLING_INTERVALthe interval in seconds to use for polling the policy repo

Option 2: Using a webhook

It is much more recommended to use webhooks if your policy repo is stored in a supported service (currently Github, we are working on expanding this). Webhooks are much more efficient with network traffic, and won't conteminate your logs.

If your server is hosted at the webhook URL you must setup with your webhook provider (e.g: github) is See GitHub's guide on configuring webhooks.

Typically you would need to share a secret with your webhook provider (authenticating incoming webhooks). You can use the OPAL CLI to create a cryptographically strong secret to use.

Let's install the cli to a new python virtualenv:
pyenv virtualenv opal pyenv activate opal pip install opal-server

Now let's use the cli to generate a secret:

opal-server generate-secret

You must then configure the appropriate env var:

Env Var NameFunction
OPAL_POLICY_REPO_WEBHOOK_SECRETthe webhook secret generated by the cli (or any other secret you pick)

For more info, check out this tutorial: How to track a git repo.