# opal
Hi @Oskar Christensson - You can add the certificate to the OS certificate store (i.e. `/etc/ssl/certs` and `/etc/ssl/private`, if I'm not mistaken) in the Docker image, and then it should be available to the OPAL client when it tries to connect to OPA. There isn't an option to add it directly to the client at the moment (and I'm not sure there should be, though the underlying client can support that). That being said, it could be a nice hack/feature to have OPAL automatically use the one provided for the inline OPA config. @Ro'e Katz, @Asaf Cohen, @Shaul Kremer, @Ori Shavit - WDYT?
You can also consider disabling the health check via `OPA_HEALTH_CHECK_POLICY_ENABLED`.
Thanks, I'd assumed that there would be a TLS version of the token support that is provided by `POLICY_STORE_AUTH_TOKEN` (https://docs.opal.ac/getting-started/configuration#opal-client-configuration-variables). I can disable the /healthcheck, sure, but since every API call to OPA would require a client certificate, pushing and setting policies from the OPAL client won't work either.
The token is application level, and TLS is transport layer, they are independent.
I agree that disabling the health check is not ideal, but wanted to provide that option as well.
Right! So is there any way to support adding client certificates for the OPAL client when communicating with OPA, seeing as the HTTP client needs to be configured and the certificate needs to be installed in the container? To me it does not look like OPAL supports an OPA instance that has been started with `--tls-ca-cert-file`?
Hi @Oskar Christensson :) Short answer is that, besides adding it to the OS certificate chain, there currently isn't a way. We can look at adding that feature. Would you be interested in working on it? I guess the easiest thing would be to add three env variables like `POLICY_STORE_SSL_PEM`, `POLICY_STORE_SSL_KEY`, and `POLICY_STORE_SSL_CRT`, and create an SSL context in the opa-client code.