
Styra Local Control Plane

The Styra Local Control Plane (SLP) sits between Styra DAS and OPA. It downloads policies from Styra DAS and relays them to the OPAs, holding an additional copy of the policies for higher availability. It also receives decision logs and status updates from the OPAs and relays them to Styra DAS. When the SLP is deployed, an OPA can be configured to use the SLP for all of the OPA Management APIs instead of communicating directly with Styra DAS; the SLP then connects to Styra DAS to relay policy bundles, decision logs, status, and discovery (configuration) bundles. The SLP container image is available on DockerHub. The image version for the SLP is SLP_AGENT_RELEASE_VERSION and can be pulled with the command:

docker pull styra/styra-local-plane:SLP_AGENT_RELEASE_VERSION

The SLP persists policy bundles downloaded from Styra DAS to the /scratch directory by default. The --storage flag configures the location of the persistent storage directory, and --no-storage disables it (in-memory mode). When persistent storage is enabled, the SLP attempts to read the most recent policy bundle from the storage directory on process start-up. This allows the SLP to start and serve policy bundles to its OPAs even if Styra DAS is not reachable.

If Styra DAS is not accessible to the SLP, the SLP writes decision logs to the storage directory (/scratch by default) to prevent log loss. When access to Styra DAS is restored, the SLP automatically reads the logs from the storage directory and uploads them to Styra DAS. Because both the cached bundle and the buffered logs live in that directory, mount it on a volume that survives container restarts. For a full list of configuration options, run the following command to see the SLP help:

docker run styra/styra-local-plane:SLP_AGENT_RELEASE_VERSION --help
Info: OPA and SLP run in a single system scope; one SLP cannot serve multiple OPAs belonging to different systems simultaneously.

Configuration

To use the SLP, download the OPA configuration file from Styra DAS and use it as the SLP configuration file rather than as an OPA configuration file. For OPA, start from the same file but change the service URL from the Styra DAS URL to the SLP address, and remove the Styra DAS credentials: the OPA-to-SLP connection is unauthenticated by default (the SLP starts with --auth off), so the Styra DAS token should never be given to OPA.

To configure the SLP, run:

styra-local-plane --config-file=/config/slp.yaml

Example of SLP Configuration YAML file:

services:
  - name: styra
    url: https://test.styra.com/v1
    credentials:
      bearer:
        token_path: /config/das_slp_token
labels:
  system-id: "d4184d285b8448408ff8b3929c4c182a"
  system-type: "custom"
discovery:
  name: discovery
  resource: /systems/d4184d285b8448408ff8b3929c4c182a/discovery
  service: 'styra'

Example of OPA Configuration YAML file:

services:
  - name: styra
    url: http://localhost:8080/v1
labels:
  system-id: "d4184d285b8448408ff8b3929c4c182a"
  system-type: custom
discovery:
  name: discovery
  service: styra
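The two files above differ only in the service URL, the credential and the discovery resource, which makes the conversion easy to get subtly wrong (a token left in the OPA file, an OPA pointed at a plaintext SLP on another host). The following Python script is an added example, not part of this page or of Styra's tooling. It takes the configuration downloaded from Styra DAS (here constructed inline from the page's sample; the system-id and token path are placeholders), checks it for consistency, and emits both the SLP file and the OPA file. The loopback rule for plaintext URLs is the example's own policy, and the optional `tls.ca_cert` and bearer `token_path` entries for OPA assume an SLP started with the --tls-* flags or --auth token; how the SLP validates such a token is not described on this page.

```python
"""Derive slp.yaml and opa.yaml from the OPA configuration downloaded from Styra DAS.
Added example, not Styra's tooling. The sample configuration below is constructed
from the page's example; the system-id and token path are placeholders."""
import copy
import json
from urllib.parse import urlparse

DAS_OPA_CONFIG = {
    "services": [{
        "name": "styra",
        "url": "https://test.styra.com/v1",
        "credentials": {"bearer": {"token_path": "/config/das_slp_token"}},
    }],
    "labels": {"system-id": "d4184d285b8448408ff8b3929c4c182a", "system-type": "custom"},
    "discovery": {
        "name": "discovery",
        "resource": "/systems/d4184d285b8448408ff8b3929c4c182a/discovery",
        "service": "styra",
    },
}

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


class ConfigError(ValueError):
    """The DAS-issued configuration is inconsistent or the SLP URL is unsafe."""


def validate_das_config(cfg):
    """One named https service, discovery pointing at it, and the labels'
    system-id appearing in the per-system discovery resource."""
    services = cfg.get("services") or []
    if len(services) != 1 or not services[0].get("name"):
        raise ConfigError("expected exactly one named service")
    if urlparse(services[0].get("url", "")).scheme != "https":
        raise ConfigError("Styra DAS service URL must use https")
    disc = cfg.get("discovery", {})
    if disc.get("service") != services[0]["name"]:
        raise ConfigError("discovery.service does not name the configured service")
    system_id = cfg.get("labels", {}).get("system-id")
    if not system_id or system_id not in disc.get("resource", ""):
        raise ConfigError("labels.system-id is missing from discovery.resource")
    return True


def derive_slp_config(cfg):
    """The SLP uses the DAS-issued file unchanged: DAS URL, token path, discovery resource."""
    validate_das_config(cfg)
    return copy.deepcopy(cfg)


def derive_opa_config(cfg, slp_url="http://localhost:8080/v1",
                      slp_ca_cert=None, slp_token_path=None):
    """Point OPA at the SLP: swap the service URL, strip the DAS credential, and drop
    the discovery resource so OPA fetches discovery from the SLP's default path."""
    validate_das_config(cfg)
    parsed = urlparse(slp_url)
    if parsed.scheme not in ("http", "https"):
        raise ConfigError(f"unsupported scheme in {slp_url}")
    if parsed.scheme == "http" and parsed.hostname not in LOOPBACK_HOSTS:
        # Plaintext OPA->SLP traffic carries policy bundles and decision logs;
        # this example only allows it on the loopback interface.
        raise ConfigError(f"refusing plaintext non-loopback SLP URL {slp_url}")
    opa = copy.deepcopy(cfg)
    for svc in opa["services"]:
        svc["url"] = slp_url
        svc.pop("credentials", None)  # the Styra DAS token never reaches OPA
        if slp_ca_cert:  # OPA services[].tls.ca_cert, for an SLP run with --tls-* flags
            svc["tls"] = {"ca_cert": slp_ca_cert}
        if slp_token_path:  # assumed pairing with an SLP run with --auth token
            svc["credentials"] = {"bearer": {"token_path": slp_token_path}}
    opa["discovery"].pop("resource", None)
    return opa


def _scalar(v):
    if isinstance(v, bool):
        return "true" if v else "false"
    if v is None:
        return "null"
    if isinstance(v, (int, float)):
        return str(v)
    return json.dumps(v)  # a JSON string literal is a valid YAML double-quoted scalar


def to_yaml(value, indent=0):
    """Minimal YAML emitter for nested dicts/lists of scalars (enough for these configs)."""
    pad = "  " * indent
    lines = []
    if isinstance(value, dict):
        for k, v in value.items():
            if isinstance(v, (dict, list)) and v:
                lines.append(f"{pad}{k}:")
                lines.extend(to_yaml(v, indent + 1))
            else:
                lines.append(f"{pad}{k}: {_scalar(v)}")
    else:
        for item in value:
            if isinstance(item, dict):
                sub = to_yaml(item, indent + 1)
                lines.append(f"{pad}- {sub[0].lstrip()}")
                lines.extend(sub[1:])
            else:
                lines.append(f"{pad}- {_scalar(item)}")
    return lines


def render(cfg):
    return "\n".join(to_yaml(cfg)) + "\n"


if __name__ == "__main__":
    print("# slp.yaml\n" + render(derive_slp_config(DAS_OPA_CONFIG)))
    print("# opa.yaml\n" + render(derive_opa_config(DAS_OPA_CONFIG)))
```

Run it as-is to print both files for the page's sample; pass `slp_url="https://<slp-host>:8443/v1"` together with `slp_ca_cert` when the SLP is bound to a non-loopback address with its TLS flags.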

The following shows the CLI help for the SLP. Only --config-file (-c) is mandatory.

$ styra-local-plane --help
Local kubernetes-integrated Styra control plane for OPA

Usage:
  styra-local-plane [flags]

Flags:
  -a, --addr string                  listening address of the server (default "127.0.0.1:8080")
      --auth {token,tls,off}         authentication scheme (default off)
      --authz strings                authorization scripts
  -c, --config-file string           set path of configuration file
      --cosign string                whether to start the cosign module. "optional": attempts to initialize cosign module and skips it if an error is encountered. "disabled": disables cosign module entirely. "required": prevents Styra Local Plane from starting if cosign module fails to initialize (default "optional")
  -h, --help                         help for styra-local-plane
      --no-storage                   run without storage (in-memory mode)
      --opa-auth-token string        set authentication token for OPA API endpoint
      --opa-auth-token-file string   set file containing authentication token for OPA API endpoint
      --opa-url string               set URL of OPA API endpoint (default "http://localhost:8181/v1")
      --set stringArray              override config values on the command line (use commas to specify multiple values)
      --set-file stringArray         override config values with files on the command line (use commas to specify multiple values)
      --shutdown-grace-period int    set the time (in seconds) that the server will wait to gracefully shut down (default 10)
      --status-port uint16           port for /v1/system API for status/health checks (default 8000)
      --storage string               path where to store recovery data (default "/scratch")
      --tls-ca-cert-file string      path of the TLS CA certificate file
      --tls-cert-file string         path of the TLS certificate file
      --tls-private-key-file string  path of the TLS private key file
Note: See OPA Overview and Architecture for additional information on OPA.

SLP Security

The SLP uses the same security configuration format as OPA. SLP-to-Styra DAS authentication is configured with a Styra DAS token, given either inline in the configuration or as a path to a file holding the token (token_path in the example above); keep that token on the SLP only. On the OPA side, the SLP listens on 127.0.0.1:8080 with authentication off by default (see --addr and --auth in the help above), which is safe only while the OPAs run on the same host. When the listener is bound to a reachable address, protect it with --auth tls or --auth token and the --tls-* flags, and give the OPAs the matching CA certificate. See OPA Security for information on configuring OPA or SLP security.