Bundle Registry uses Styra DAS to distribute policy and data to OPA using OPA's Bundle API. Bundle Registry is deployed at the Styra System level.
Styra DAS distributes policy and data to OPA using OPA's Bundle API.
Policy Bundle Deployment
Styra DAS supports two types of distribution through the Bundle Registry. Policy Bundle deployment is configured as automatic or manual.
Automatic distribution: Anytime an action is taken to change a policy, a new Policy Bundle is created and is immediately distributed to all relevant OPAs. This is the default configuration.
Manual distribution: Policy changes are only deployed after they are approved for distribution. You can approve a new Policy Bundle through the Styra DAS UI or the Styra DAS API.
The two modes of distribution are applicable regardless of the source of the bundle change. The following operations generate an update of the Policy Bundle to OPA.
A policy stored in the Styra DAS-native backend storage is changed through the Styra DAS UI or Styra DAS API.
A policy stored in Git is changed by a merge into the main branch.
A data source receives an update when it is pulled or pushed.
System labels are changed (which could influence which Systems a Stack applies to and the policies that are relevant to the specified System).
A Policy Library imported by a System Policy is updated.
Maximum Policy Bundles
Bundle Registry allows you to roll back to previously deployed bundles and examine the history of deployments. Maximum Policy Bundles allows you to specify how many bundles are saved.
Policy Bundle Registry
Bundle Registry allows you to choose where you want OPA to download bundles from:
Styra DAS: OPA or the SLP downloads bundles from Styra DAS directly.
Amazon S3: OPA or the SLP downloads bundles from Amazon S3. When Styra builds the bundles, they are pushed to Amazon S3 so that OPA or the SLP can download them. This option is targeted at high-scale users that want the reliability of cloud-scale storage for serving bundles.
Google Cloud Storage: Styra DAS stores policy bundles and the history of past bundles in the specified Google Cloud Storage bucket. This option does not rely on Styra DAS high availability since OPA downloads bundles from the Google Cloud Storage bucket.
For more information on setting up and configuring cloud storage, see Cloud Storage.
Bundle optimization level controls how bundles are optimized. Optimization applies partial evaluation to pre-compute known values in the system policies. Higher values increase bundle generation time and bundle propagation time to agents.
There are three settings for bundle optimization:
- 0- Disabled optimization (default): By default optimizations are disabled.
- 1- Moderate optimization: Policies are partially evaluated and virtual documents are not inlined.
- 2- High optimization: Policies are partially evaluated and more aggressive inlining is applied within rules.
OPAs periodically download bundles of policy and data from remote Styra DAS servers. Once the policies and data have been loaded, they are enforced immediately and do not require a restart of OPA.
By default, Styra DAS uses a Snapshot Bundle, which represents the entirety of OPA’s policy and data cache. Large bundles cause a significant load on OPA, as every bundle download triggers OPA to erase and overwrite all the policy and data in its cache before activating the new bundle. Delta Bundles provide a more efficient way to make data changes by only updating the delta changes to the Snapshot Bundle. By leveraging Delta Bundles, Styra DAS propagates data changes to OPAs and SLPs more efficiently.
Delta Bundles are only supported if Styra DAS is configured to host the Bundle Registry. Amazon S3 and Google Cloud Storage do not support Delta Bundles.
Delta Bundles and OPA Version Requirements
Delta Bundles have specific OPA version requirements.
- In order to support Delta Bundles, the minimum OPA version is 0.37.
- To display the Deployments page with agent status and bundle type utilized by the OPAs, the minimum OPA version is 0.40.
- To display the bundle size in bytes, the minimum OPA version is 0.44.
Separate Data Bundles and Policy Bundles
By default, all Bundle content is stored in a Policy Bundle or System independent bundle. Enabling Separate Data Bundles and Policy Bundles removes Data Source content from the System independent bundle. The Data Source content is stored in a new System dependent bundle which supports Bundle Promotion. Bundle Promotion is used to copy a System dependent bundle to another System.
When this option is enabled, the System Deployments tab lists two bundles, a System dependent bundle and a System independent bundle.
Changing Bundle Registry Location
When Amazon S3 or Google Cloud Storage is configured, Styra DAS builds bundles and pushes the bundles to Amazon S3 or Google Cloud Storage. Styra DAS changes the configuration that OPA uses to download bundles through discovery and to pull the bundles from Amazon S3 or Google Cloud Storage.
OPA's discovery protocol also uses bundles, so when OPA requests discovery, Styra DAS responds with a bundle. These discovery bundles can be served from Amazon S3. However, if you have already deployed OPA and configured it to use Styra DAS for bundles and switch the settings to use Amazon S3 or Google Cloud Storage for bundles, discovery bundles will still be served from Styra DAS, but regular bundles will be served from Amazon S3 or Google Storage. OPA is configured to use Styra DAS to download discovery, so while Styra DAS can redirect OPA to pull regular bundles from Amazon S3 or Google Storage, Styra DAS cannot change OPA's original configuration. If you want both the discovery and regular bundles served out of Amazon S3 or Google Storage, you need to select Amazon S3 or Google Storage for bundle storage and then deploy OPA with the configuration that tells it to pull discovery bundles out of Amazon S3 or Google Storage.