# opal
Hi @M D, we don't have one yet, but I assume it's pretty simple. You run the OPAL client as a sidecar (the OPAL client runs the OPA process for you in the same container). So you now have a sidecar container with 2 exposed ports:
• 7766/7000 is the port of the OPAL client
• 8181 is the port of OPA
You can then configure AuthZ flows by directly talking to OPA on port 8181. Hope that makes sense; please let us know if you need more direction.
You will most likely want to build the OPAL client image with the Istio or Envoy plugins for OPA. @Asaf Cohen I've seen Istio sidecar auth use the 9191 gRPC endpoint of the plugin.
Thanks @Gage Miller! We actually do support custom OPA images, so the Istio/Envoy version should be supported. Cc @Ori Shavit for instructions on how to do so.
You can find the Dockerfile for OPAL under `docker/Dockerfile` in the OPAL repo. You can pass `opa_image` and `opa_tag` for alternative images to get the OPA binaries from (the defaults are `openpolicyagent/opa` and `latest-static`, respectively).
Many thanks for the responses. Are you able to show me an example of this kind of implementation? I would also like to understand whether OPA is purely the decision engine: does it request the end-user context for authorisation from the downstream application or microservice, or would it be via the identity provider, e.g. CIAM?