Overview
This section gives an overview of the Self-Hosted Styra DAS Installation Guide, of Styra DAS and its architecture, and of the microservices that make up a Styra DAS deployment.
Document Overview and Audience
The Self-Hosted Styra DAS Installation Guide contains information on configuring and installing Styra DAS on a wide selection of cloud infrastructure providers. The contents of the Infrastructure Configuration and the Cloud Agnostic Infrastructure sections are not, however, meant to be a comprehensive guide to cloud infrastructure. The infrastructure sections of this document are intended to provide guidance specific to configuring and instantiating infrastructure for use with Styra DAS. Accordingly, this document assumes the customer is familiar with managing their own infrastructure and defers to provider-specific documentation wherever possible.
Styra DAS can also run on self-managed or non-cloud infrastructure. Such setups, however, tend to require customized support and compatibility patterns. If you cannot utilize any of the providers described in this document, we recommend working with Styra’s Sales and Solutions Architecture teams to assess the viability of Styra DAS on your infrastructure.
Architecture
The Styra DAS architecture splits functionality across microservices, which lets the Styra backend scale individual components independently and adapt to varying workloads. Two kinds of clients talk to Styra DAS over the network: OPA and the Styra DAS UI.
- OPA: Supported system types act as clients of the Styra DAS API. When you create and install a system, the gateway provides the APIs the OPA needs to operate: the bundle API that serves policy bundles to the OPA containers running on the cluster, and the APIs through which Styra DAS receives status updates and decision logs from those OPAs. These APIs are designed for availability: once an OPA has successfully downloaded its initial bundle, it keeps serving authorization requests from that bundle even if Styra DAS becomes temporarily unavailable (it cannot pick up policy changes until Styra DAS is reachable again).
- Styra DAS UI: All Styra DAS UI interactions go through the gateway. The UI frontend downloads its HTML and JavaScript through the gateway from the Styra DAS UI microservice, and calls the other APIs through the gateway to carry out the actions a user performs in the UI. Internally, Styra DAS relies on controllers (for example, environment-configurator) to converge the platform to a desired state; these interactions between microservices do not go through the gateway.
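The OPA side of the interaction described above, as an added example (this is an OPA configuration in OPA's own documented format, not a file taken from the Styra documentation or generated by Styra DAS). The service URL, the system identifier, the bundle path, the token mount path and the label names are placeholders and assumptions, not values from this page; a real DAS-managed OPA typically receives its configuration through discovery rather than a hand-written bundle section. The point it illustrates is the availability property: `persist: true` keeps the last successfully downloaded bundle on disk, so an OPA that restarts while Styra DAS is unreachable still has a policy to enforce instead of failing open or closed with no bundle at all.

```yaml
# Added example, not Styra's own configuration. All URLs, IDs and paths are placeholders.
services:
  - name: styra
    # Assumed external HTTPS endpoint of the Styra DAS gateway; TLS ends at the Kubernetes ingress.
    url: https://das.example.com/v1
    credentials:
      bearer:
        # Assumed mount point of the system's API token; never bake the token into the config itself.
        token_path: /etc/opa/auth/token

labels:
  # Placeholder system identifier and type; the label names are an assumption.
  system-id: "11111111-2222-3333-4444-555555555555"
  system-type: kubernetes

bundles:
  policy:
    service: styra
    # Assumed bundle path served by the gateway's bundle API for this system.
    resource: /systems/11111111-2222-3333-4444-555555555555/bundle
    polling:
      min_delay_seconds: 30
      max_delay_seconds: 60
    # Keep the last good bundle on disk: a restart while DAS is down still has policy to serve.
    persist: true

# Directory where persisted bundles are written; must be writable by the OPA process.
persistence_directory: /var/lib/opa

# Decision logs and status updates flow back through the gateway to the agentstatus APIs.
# Buffered uploads are retried, so a temporary DAS outage does not block decisions.
decision_logs:
  service: styra
  reporting:
    min_delay_seconds: 5
    max_delay_seconds: 10

status:
  service: styra
```

Two operational checks follow from this configuration: confirm that the bearer token is mounted from a secret rather than embedded in the file, and confirm that `persistence_directory` is backed by a volume that survives a container restart, otherwise `persist: true` buys nothing.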
The following figure shows Styra microservices (in blue) that are made available by the Gateway API and how they relate to different entities talking to the Styra DAS over the network using OPA and the Styra DAS UI.
The communication between microservices occurs over the following protocols:
- External communication to Styra DAS (for example, bundle downloads by OPA) occurs over HTTPS. TLS is terminated at the Kubernetes ingress, so traffic from the ingress to the gateway, and the service-to-service traffic described next, is unencrypted inside the cluster network; restrict access to that network accordingly (for example, with network policies).
- Service-to-service communication occurs over HTTP, with the exception of the coordinator, which uses gRPC to talk to the other services.
- Communication with the storage subsystems uses each system's native protocol:
  - PostgreSQL: the PostgreSQL wire protocol.
  - Elasticsearch: HTTP.
Styra DAS Microservices
The following table describes the Styra DAS microservices used in Self-Hosted Styra DAS.
Styra DAS Microservice | Description |
---|---|
activity | Provides user activity log APIs. |
agentbundle | Constructs and serves policy bundles. |
agentloader | Loads decision logs from OPA to Elasticsearch for indexing. |
agentstatus | APIs for OPAs to send status updates and decision logs. |
agentstatusstore | Caches OPA status updates for quick retrieval. |
analysis-api | APIs to search decision logs. |
blueprints | Required to enable mock-opa sandbox environments. |
coordinator | Shards work across service replicas. |
datasources | Executes Data Sources that require pulling data. |
elasticsearch | Search engine for decision logs. |
environment-configurator | Manages storage resources for the environment. |
fetchdb | Configuration management APIs. |
gateway | API gateway. All API requests are routed through the gateway. It enforces authentication and authorization and records user activity. |
gateway-secondary | Optional second API gateway. |
logreplay | APIs to assess the impact of a policy change on previous decisions. |
mock-opa | Decision mocking for sandbox environments. |
policies | APIs for policy management. |
stacks | Stack configuration and management APIs. |
storage | PostgreSQL for all internal, persisted states. |
systems | System configuration and management APIs, OPA configuration bundle APIs used for discovery. |
tenants | Configures and manages the tenant's internal state. |
timeseries | APIs that compute metrics over decision logs. |
ui | Serves HTML and JavaScript for the Styra DAS UI. |