
Ben Wallis

05/25/2023, 2:37 PM
Is there a way to configure OPAL Server to not use a git repo for policy and default data and instead use a local path within the container or similar?

Gabriel L. Manor

05/25/2023, 3:21 PM
You can use a mock git image in your compose configuration and mount it to a local volume:

```yaml
cedar_retrieval_repository:
  image: rockstorm/gitweb
  ports:
    - "80:80"
  volumes:
    - "../:/srv/git:ro"
```

It is an example of working with Cedar, but will work with OPA/Rego too.

Ben Wallis

05/25/2023, 3:29 PM
That might be a viable option - it would be nice to be able to provide the configs as a simple volume mount to the OPAL Server image though. In our specific situation we already have an infrastructure-as-code repository where we plan to store the rego policies, but we don't want to give OPAL Server access to that repo, nor do we ever intend to update policies outside of deployments. Is it feasible in the future that it would be possible to forego the git requirement entirely? Similarly it would be very useful if `OPAL_DATA_CONFIG_SOURCES` could use a volume mount to read a `.json` file as opposed to requiring an external HTTP server for config.
I appreciate that the existing design is likely because it's what works for permit.io though 🙂

Gabriel L. Manor

05/25/2023, 3:36 PM
One of the core principles of OPAL is GitOps, including its versioning, immutability, and one source of truth. Supporting local files is a viable option but will not stand in those principles. You can open an issue in the OPAL repo so we can collaborate with other contributors on best practices.