
Git

Enterprise OPA's support for pulling in data from any Git repository makes it possible to use GitOps practices for managing data and have that data available for policy evaluations in Enterprise OPA.

Example Configuration

The Git integration is provided via the data plugin, and needs to be enabled in Enterprise OPA's configuration.

enterprise-opa-conf.yaml (minimal)

plugins:
  data:
    git.users:
      type: git
      url: https://git.internal.corp/data-repository
      file_path: users.json

With this minimal configuration, Enterprise OPA will pull in the users.json file from the repository's main branch every 30 seconds.

All of this, and various authentication methods, can be configured using an advanced configuration:

enterprise-opa-conf-advanced.yaml

plugins:
  data:
    git.users:
      type: git
      url: https://git.internal.corp/data-repository
      file_path: users.json
      commit: 73b9d1aefab        # if empty, use `branch` (default: none)
      branch: prod-branch        # if empty, use `reference` (default: none)
      reference: refs/heads/main # full git reference
      polling_interval: 10m      # default: 30s, minimum 10s

      username: alice            # basic auth
      password: wordpass         # basic auth

      token: personal-access-token # token auth

      private_key: path/to/key   # SSH key, file path or PEM contents
      passphrase: secret         # passphrase for protected keys

With a configuration like this, Enterprise OPA retrieves the file from the specified repository location and attempts to parse it as one of the following formats:

  • XML
  • YAML
  • JSON

The result will then be available to all policy evaluations under data.git.users.

Example Call

If the referenced Git repository contains a users.json file with this content,

[
  {"username": "alice", "roles": ["admin"]},
  {"username": "bob", "roles": []},
  {"username": "catherine", "roles": ["viewer"]}
]

then Enterprise OPA's data.git.users will look like this:

$ curl 'http://127.0.0.1:8181/v1/data/git/users?pretty'
{
  "result": [
    {
      "roles": [
        "admin"
      ],
      "username": "alice"
    },
    {
      "roles": [],
      "username": "bob"
    },
    {
      "roles": [
        "viewer"
      ],
      "username": "catherine"
    }
  ]
}
Note

The key below data in the configuration (git.users in the example) can be anything you want, and determines where the retrieved document will be found in Enterprise OPA's data hierarchy.
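The point of pulling users.json into data.git.users is that policies can evaluate against it. The following Rego policy is an added example, not part of the Enterprise OPA documentation; it consumes the document shown in the Example Call above and assumes that requests arrive with input.user and input.method fields (both are assumptions for this illustration).

```rego
package authz

import rego.v1

# Added example (not from the Enterprise OPA docs): authorize requests using
# the users document that the git data plugin exposes at data.git.users.
# input.user and input.method are assumed request fields.

default allow := false

# Index the array by username so lookups do not depend on array order.
# With the sample users.json this yields
# {"alice": ["admin"], "bob": [], "catherine": ["viewer"]}.
roles_by_user[u.username] := u.roles if some u in data.git.users

# Admins may perform any operation.
allow if "admin" in roles_by_user[input.user]

# Viewers are limited to read-only requests.
allow if {
	input.method == "GET"
	"viewer" in roles_by_user[input.user]
}

# Users present in the data but holding no role at all; useful as an
# audit query against the committed document (bob, in the sample data).
users_without_roles contains u.username if {
	some u in data.git.users
	count(u.roles) == 0
}
```

With the sample document loaded, evaluating data.authz.allow with input {"user": "alice", "method": "DELETE"} yields true, {"user": "catherine", "method": "DELETE"} yields false (viewer, non-GET), and {"user": "bob", "method": "GET"} yields false because bob holds no role. A user missing from users.json entirely makes roles_by_user[input.user] undefined, so the default of false applies rather than an error. Because the document is refreshed on the polling_interval, a role change merged to the configured branch takes effect at the next poll without restarting Enterprise OPA.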