This message was deleted.

Hi @Oskar Christensson - You can add the certificate to the OS certificate store (i.e.

/etc/ssl/certs

and

/etc/ssl/private

if I’m not mistaken) in the docker image and then it should be available for OPAL-client when trying to connect to OPA. There isn’t an option to add it directly to the client at the moment (and not sure there should be, Though the underlying client can support that). That being said, it could be a nice hack/feature to have OPAL automatically use the one if provider for the inline OPA config . @Ro'e Katz, @Asaf Cohen, @Shaul Kremer, @Ori Shavit - WDYT ?

Thanks, I'd assume that there would be a tls version of the token support that is provided by the

POLICY_STORE_AUTH_TOKEN

https://docs.opal.ac/getting-started/configuration#opal-client-configuration-variables. I can disable the /healthcheck sure, but since every api call to OPA would require a client certificate pushing setting policies from OPAL client won't work either.

The token is application level, and TLS is transport layer, they are independent.

Right! So is there any way to support adding client certificates for the opal client when communicating with opa? Seeing as the http client need to be confiured and the certificate need to be installed in the container. To me it does not look like opal supports an OPA instance that have been started with --tls-ca-cert-file?

Hi @Oskar Christensson :) Short answer is that besides adding it to the OS certificate chain, there currently isn't a way. We can look at adding that feature. Would you be interested in working on it? I guess the easiest thing would be to add Three env-variables like

POLICY_STORE_SSL_PEM

,

POLICY_STORE_SSL_KEY

, and

POLICY_STORE_SSL_CRT