Skip to main content

Styra Local Control Plane

The Styra Local Control Plane (SLP) sits between Styra DAS and OPA. It downloads policies from Styra DAS and relays them to the OPAs. It provides an additional copy of the policies for higher availability. It also receives decision logs and status updates from the OPAs and relays them to DAS. When the SLP is deployed, an OPA can be configured to connect to the SLP for all of the OPA Management APIs, instead of communicating directly with Styra DAS. The SLP then connects to Styra DAS to relay policy bundles, decision logs, status, and discovery (configuration) bundles. The SLP container image is available on DockerHub. The image version for the SLP is SLP_AGENT_RELEASE_VERSION, and can be pulled with the command:

docker pull styra/styra-local-plane:SLP_AGENT_RELEASE_VERSION

The SLP will persist policy bundles downloaded from Styra DAS to the /scratch directory by default. The —-storage flag is used to configure the location of the persistent storage directory. When the persistent storage is enabled, the SLP will attempt to read the most recent policy bundle from the storage directory upon process start up. This allows the SLP to successfully start and serve policy bundles to configure OPAs even if Styra DAS is not reachable.

If Styra DAS is not accessible to the SLP, the SLP will write decision logs to the /scratch directory in order to prevent log loss. When access to Styra DAS is restored, the SLP will automatically read the logs from the /scratch directory and upload the logs to Styra DAS. For a full list of configuration options, run the following command to see the SLP help.

docker run styra/styra-local-plane:SLP_AGENT_RELEASE_VERSION --help
info

OPA and SLP run in a single system scope, where one SLP cannot serve multiple OPAs for different systems simultaneously.

Configuration

To use the SLP, download the OPA configuration file from Styra DAS and use it as SLP configuration file instead of using it as an OPA configuration file. For OPA, use the same configuration file and change the DAS URL to point to SLP without authentication.

To configure the SLP, run:

styra-local-plane --config-file=/config/slp.yaml

Example of SLP Configuration YAML file:

services:
  - name: styra
    url: https://test.styra.com/v1
    credentials:
      bearer:
        token_path: /config/das_slp_token
labels:
  system-id: "d4184d285b8448408ff8b3929c4c182a"
  system-type: "custom"
discovery:
  name: discovery
  resource: /systems/d4184d285b8448408ff8b3929c4c182a/discovery
  service: 'styra'

Example of OPA Configuration YAML file:

services:
  - name: styra
    url: http://localhost:8080/v1
labels:
  system-id: "d4184d285b8448408ff8b3929c4c182a"
  system-type: custom
discovery:
  name: discovery
  service: styra

The following shows the CLI help for the SLP. In this case, only the —config-file (-c) is mandatory.

$ styra-local-plane --help
Local kubernetes-integrated Styra control plane for OPA

Usage:
  styra-local-plane [flags]

Flags:
  -a, --addr string                   listening address of the server (default "127.0.0.1:8080")
      --auth {token,tls,off}          authentication scheme (default off)
      --authz strings                 authorization scripts
  -c, --config-file string            set path of configuration file
      --cosign string                 whether to start the cosign module. "optional": attempts to initialize cosign module and skips it if an error is encountered. "disabled": disables cosign module entirely. "required": prevents Styra Local Plane from starting if cosign module fails to initialize (default "optional")
  -h, --help                          help for styra-local-plane
      --no-storage                    run without storage (in-memory mode)
      --opa-auth-token string         set authentication token for OPA API endpoint
      --opa-auth-token-file string    set file containing authentication token for OPA API endpoint
      --opa-url string                set URL of OPA API endpoint (default "http://localhost:8181/v1")
      --set stringArray               override config values on the command line (use commas to specify multiple values)
      --set-file stringArray          override config values with files on the command line (use commas to specify multiple values)
      --shutdown-grace-period int     set the time (in seconds) that the server will wait to gracefully shut down (default 10)
      --status-port uint16            port for /v1/system API for status/health checks (default 8000)
      --storage string                path where to store recovery data (default "/scratch")
      --tls-ca-cert-file string       path of the TLS CA certificate file
      --tls-cert-file string          path of the TLS certificate file
      --tls-private-key-file string   path of the TLS private key file
note

See OPA Overview and Architecture for additional information on OPA.

SLP Security

SLP security uses the same configuration format as OPA. SLP to Styra DAS authentication is configured through a Styra DAS token in the configuration or path to the file holding the token. OPA Security provides information on configuring OPA or SLP security.