Skip to main content

Bundle Registry

Bundle Registry uses Styra DAS to distribute policy and data to OPA using OPA's Bundle API. Bundle Registry is deployed at the Styra DAS System level.

Styra DAS distributes policy and data to OPA using OPA's Bundle API.

Policy Bundle Deployment

Styra DAS supports two types of distribution through the Bundle Registry. Policy Bundle deployment is configured as automatic or manual.

  • Automatic distribution: Anytime an action is taken to change a policy, a new Policy Bundle is created and is immediately distributed to all relevant OPAs. This is the default configuration.

  • Manual distribution: Policy changes are only deployed after they are approved for distribution. You can approve a new Policy Bundle through the Styra DAS UI or the Styra DAS API.

The two modes of distribution are applicable regardless of the source of the bundle change. The following operations generate an update of the Policy Bundle to OPA.

  • A policy stored in the Styra DAS-native backend storage is changed through the Styra DAS UI or Styra DAS API.

  • A policy stored in Git is changed by a merge into the main branch.

  • A data source receives an update when it is pulled or pushed.

  • System labels are changed (which could influence which Systems a Stack applies to and the policies that are relevant to the specified System).

  • A Policy Library imported by a System Policy is updated.

Maximum Policy Bundles

Bundle Registry allows you to roll back to previously deployed bundles and examine the history of deployments. Maximum Policy Bundles allows you to specify how many bundles are saved.

Policy Bundle Registry

Bundle Registry allows you to choose where you want OPA to download bundles from:

  • Styra DAS: OPA or the SLP downloads bundles from Styra DAS directly.

  • Amazon S3: OPA or the SLP downloads bundles from Amazon S3. When Styra builds the bundles, they are pushed to Amazon S3 so that OPA or the SLP can download them. This option is targeted at high-scale users that want the reliability of cloud-scale storage for serving bundles.

  • Google Cloud Storage: Styra DAS stores policy bundles and the history of past bundles in the specified Google Cloud Storage bucket. This option does not rely on Styra DAS high availability since OPA downloads bundles from the Google Cloud Storage bucket.

For more information on setting up and configuring cloud storage, see Cloud Storage.

Discovery Bundle Location

When Amazon S3 or Google Cloud Storage is configured for the bundle registry, Styra DAS builds policy bundles and pushes the bundles to the configured location. Styra DAS will change the OPA configuration in the install instructions such that OPA will download discovery and policy bundles from Amazon S3 or Google Cloud Storage rather than from Styra DAS.

For a System with OPA already deployed, the OPA configuration must be updated to use the discovery bundle from Amazon S3 or Google Cloud Storage. Otherwise OPA will continue to fetch discovery from Styra DAS (the discovery bundle from DAS will still correctly direct OPA to download the policy bundle from Amazon S3 or Google Cloud Storage).

Bundle Name Template Variables

When using Amazon S3 or Google Cloud Storage for a System's Bundle Registry, the Discovery Bundle and Policy Bundle paths can be customized. These paths default to discovery.tgz and bundle.tgz, respectively. The bundle name portion of the path supports the use of template variables in the format $VARIABLE or ${VARIABLE}. Supported bundle name template variables for Discovery and Policy Bundles include:

  • $VERSION - Policy Bundle version
  • $BUNDLE_DIGEST - Policy Bundle SHA256 digest
  • $REVISION_DIGEST - 8-character Policy Bundle revision digest
  • $COMMIT - System commit SHA
  • $SYSTEM - System ID
  • $SYSTEM_NAME - URL-path-encoded System name
  • $TIMESTAMP - Policy Bundle creation time in milliseconds since epoch

Using the $VERSION template variable in the Policy Bundle name will result in Styra DAS creating a separate object in the configure Amazon S3 or Google Cloud Storage bucket for each Policy Bundle version generated for the associated System.

note

If the Policy Bundle name includes a template variable, then the Discovery Bundle endpoint (/v1/systems/{id}/discovery) will return the Discovery Bundle using the Styra DAS Bundle Registry distribution, even if Amazon S3 or Google Cloud Storage is configured. In order for OPA to to use the Amazon S3 or Google Cloud Storage distribution of bundles, OPA must be configured to use the Discovery Bundle from Amazon S3 or Google Cloud Storage.

note

If separate Data (Context) Bundles are enabled for a System, template variables cannot be used in Data Bundle names. The Data Bundle name defaults to context-{policy_path}.tgz if the Policy Bundle path is static and defaults to context-bundle.tgz if the Policy Bundle path uses a template variable.

caution

Bundle name template variables are not compatible with OPA deployments in a Kubernetes cluster when using the Styra DAS SLP.

Bundle Optimization

Bundle optimization level controls how bundles are optimized. Optimization applies partial evaluation to pre-compute known values in the system policies. Higher values increase bundle generation time and bundle propagation time to agents.

There are three settings for bundle optimization:

  • 0- Disabled optimization (default): By default optimizations are disabled.
  • 1- Moderate optimization: Policies are partially evaluated and virtual documents are not inlined.
  • 2- High optimization: Policies are partially evaluated and more aggressive inlining is applied within rules.

Delta Bundles

OPAs periodically download bundles of policy and data from remote Styra DAS servers. Once the policies and data have been loaded, they are enforced immediately and do not require a restart of OPA.

By default, Styra DAS uses a Snapshot Bundle, which represents the entirety of OPA’s policy and data cache. Large bundles cause a significant load on OPA, as every bundle download triggers OPA to erase and overwrite all the policy and data in its cache before activating the new bundle. Delta Bundles provide a more efficient way to make data changes by only updating the delta changes to the Snapshot Bundle. By leveraging Delta Bundles, Styra DAS propagates data changes to OPAs and SLPs more efficiently.

note

Delta Bundles are only supported if Styra DAS is configured to host the Bundle Registry. Amazon S3 and Google Cloud Storage do not support Delta Bundles.

Delta Bundles and OPA Version Requirements

Delta Bundles have specific OPA version requirements.

  • In order to support Delta Bundles, the minimum OPA version is 0.37.
  • To display the Deployments page with agent status and bundle type utilized by the OPAs, the minimum OPA version is 0.40.
  • To display the bundle size in bytes, the minimum OPA version is 0.44.

Separate Data Bundles and Policy Bundles

By default, all policy and data content is stored in a single Policy Bundle. Enabling Separate Data Bundles and Policy Bundles removes System Data Source content from the System-independent Policy Bundle. The System Data Source content is stored in a System-dependent Bundle, referred to as a Context Bundle or a Data Bundle, which supports Bundle Promotion. Bundle Promotion is used to copy a System-independent Bundle to another System.

When this option is enabled, the System Deployments tab lists two bundles: a System-independent Bundle and a System-dependent Bundle, referred to as a Policy Bundle and a Data Bundle in the Styra DAS Deployments tab, respectively.

The contents of the Context Bundle/Data Bundle can be configured in the Bundle Registry settings to include Stack, Library, and/or Global data sources in addition to System data sources. This can be configured via the Systems API (e.g., UpdateSystem) with the context_bundle_roots parameter (e.g., set to ["/", "stacks", "libraries", "global"] to include System, Stack, Library, and Global data sources in the Context Bundle) and also setting context_bundle_data_only to true.

If Manual distribution is enabled for a System and separate Data Bundles are enabled, the Data Bundle can optionally be configured with Automatic distribution. With this configuration, Policy Bundle changes will be manually distributed while Data Bundle changes will be automatically distributed.