Skip to main content

Use Styra Local Control Plane

Styra Local Control Plane (SLP) sits between DAS and OPA. It downloads policies from the DAS and relays them to the OPAs. It provides an additional copy of the policies for higher availability. It also receives decision logs and status updates from the OPAs and relays them to DAS. When the SLP is deployed, an OPA can be configured to connect to the SLP for all of the OPA Management APIs, instead of communicating directly with DAS. The SLP will then connect to DAS to relay policy bundles, decision logs, status, and discovery (configuration) bundles.The SLP container image is available here. The image version for the SLP is 0.4.0, and can be pulled with the command: docker pull styra/styra-local-plane:0.4.0.

The SLP will persist policy bundles downloaded from DAS to the /scratch directory by default. The —-storage flag is used to configure the location of the persistent storage directory. When the persistent storage is enabled, the SLP will attempt to read the most recent policy bundle from the storage directory upon process start up. This allows the SLP to successfully start and serve policy bundles to configure OPAs even if DAS is not reachable.

Also, if DAS is not accessible to the SLP, the SLP will write decision logs to the /scratch directory in order to prevent log loss. When access to DAS is restored, the SLP will automatically read the logs from the /scratch directory and upload to DAS. For a full list of configuration options, run docker run styra/styra-local-plane:0.4.0 --help to see the SLP help.


OPA and SLP run in a single system scope, where one SLP cannot serve multiple OPAs for different systems simultaneously.


To use SLP, download the OPA configuration file from Styra DAS and use it as SLP configuration file instead of using it as an OPA configuration file. For OPA, use the same configuration file and change the DAS URL to point to SLP without authentication.

To configure SLP, run styra-local-plane --config-file=/config/slp.yaml command.

Example of SLP Configuration YAML file

- name: styra
token_path: /config/das_slp_token
system-id: "d4184d285b8448408ff8b3929c4c182a"
system-type: "custom"
name: discovery
resource: /systems/d4184d285b8448408ff8b3929c4c182a/discovery
service: 'styra'

Example of OPA Configuration YAML file

- name: styra
url: http://localhost:8080/v1
system-id: "d4184d285b8448408ff8b3929c4c182a"
system-type: custom
name: discovery
service: styra

The following shows the CLI help for the SLP. In this case, only the —config-file (-c) is mandatory.

/fetchdb # styra-local-plane --help
Local kubernetes-integrated Styra control plane for OPA

styra-local-plane [flags]

-a, --addr string listening address of the server (default "")
--alsologtostderr log to standard error as well as files
--auth {token,tls,off} authentication scheme (default off)
--authz strings authorization scripts
-c, --config-file string set path of configuration file
-h, --help help for styra-local-plane
--log_backtrace_at when logging hits line file:N, emit a stack trace (default :0)
--logtostderr log to standard error instead of files (default true)
--no-storage run without storage (in-memory mode)
--opa-auth-token string set authentication token for OPA API endpoint
--opa-auth-token-file string set file containing authentication token for OPA API endpoint
--opa-url string set URL of OPA API endpoint (default "http://localhost:8181/v1")
--set stringArray override config values on the command line (use commas to specify multiple values)
--set-file stringArray override config values with files on the command line (use commas to specify multiple values)
--shutdown-grace-period int set the time (in seconds) that the server will wait to gracefully shut down (default 10)
--status-port uint16 port for /v1/system API for status/health checks (default 8000)
--stderrthreshold logs at or above this threshold go to stderr (default 2)
--storage string path where to store recovery data (default "/scratch")
--tls-ca-cert-file string path of the TLS CA certificate file
--tls-cert-file string path of the TLS certificate file
--tls-private-key-file string path of the TLS private key file
--v log level for V logs (default 2)
--vmodule comma-separated list of pattern=N settings for file-filtered logging