Skip to main content

Configure Feature Flags

The following sections describe how to configure feature flags.

Authorization v2

The version 2 of the Styra DAS authorization will give you more fine-grained controls as well as new RBAC roles scoped for Workspace, System, and Stack resources.

Additionally, there are new capabilities such as SSO-claims based authorization as well the ability to grant permissions to specific API tokens.

Upon successful migration, the Styra DAS UI will automatically render new Access Control pages which can be used for further configuration of Styra DAS Authorization posture for the tenant.

caution

Modifying these feature flags can break external workflows if they are based on a specific version of the authorization APIs, for example, creating users through the Styra DAS API.

To enable version 2 of Styra DAS product authorization, uncomment the following Feature Flags which will automatically trigger a data migration and enable all the new capabilities and UI pages.

featureFlags:
custom:
# authz v2
# AUTHZ_MAX_LOAD_DELAY: 1m
# AUTHZ_V2_ENABLED: true
# AUTHZ_V2_ENFORCEMENT_ENABLED: true
# AUTHZ_ENFORCEMENT_ENABLED: false
# AUTHZ_V2_INTERNAL_APIS_ENABLED: true
# AUTHZ_V2_EXPANDED_ROLES_ENABLED: true

Elasticsearch Customization

There are two Feature Flags for Elasticsearch settings:

  • LOG_VIEW_LIMIT_TIME which configures the max decision log record age.
  • DECISIONS_GC_HISTORY which configures how long decision batches are stored before they expire.

The default settings in values.yaml are:

featureFlags:
default:
LOG_VIEW_LIMIT_TIME: 72h
DECISIONS_GC_HISTORY: 336h

Postgres connections limit

You can limit the connection lifetime, as well as the number of idle and open connections to the database by setting them in values.yaml:

featureFlags:
custom:
# postgres connection settings
DATABASE_MAX_IDLE_CONNECTIONS: ""
DATABASE_MAX_OPEN_CONNECTIONS: ""

Where value is a positive integer. If not set, the default of 2 maximum idle connections and an unlimited number of open connections are used.

Local login

After SSO is configured and validated, local login can be disabled through a feature flag. This can be configured by uncommenting the DISABLE_LOCAL_LOGIN_IF_SSO_ENABLED feature flag in the featureFlags section of values.yaml

featureFlags:

custom:
# disable local users
DISABLE_LOCAL_LOGIN_IF_SSO_ENABLED: true
caution

Do not enable the DISABLE_LOCAL_LOGIN_IF_SSO_ENABLED feature flag until you have tested your SSO configuration and are positive it is working correctly. If local login is disabled and SSO login fails, Styra DAS is inaccessible. In addition, ensure the SSO identity provider has at least one active admin account.

Secondary ingress URL

The SECONDARY_INGRESS_URL feature flag can be used in conjunction with the gatewaySecondary configuration section to deploy a secondary ingress. Please refer to Configure a Second Ingress for more information on the use case for this feature, as well as information on how to best configure it.