Step 3: Changing and updating the policy in real time

In the docker-compose.yml example file mentioned earlier, OPAL is configured to track the example policy repository (https://github.com/permitio/opal-example-policy-repo).

Here is the relevant snippet from that docker-compose.yml:
```yaml
opal_server:
  # by default we run opal-server from latest official image
  image: permitio/opal-server:latest
  environment:
    # the broadcast backbone uri used by opal server workers (see comments above for: broadcast_channel)
    - OPAL_BROADCAST_URI=postgres://postgres:postgres@broadcast_channel:5432/postgres
    # number of uvicorn workers to run inside the opal-server container
    - UVICORN_NUM_WORKERS=4
    # the git repo hosting our policy
    # - if this repo is not public, you can pass an ssh key via `OPAL_POLICY_REPO_SSH_KEY`
    # - the repo we pass in this example is *public* and acts as an example repo with dummy rego policy
    # - for more info, see: https://docs.opal.ac/tutorials/track_a_git_repo
    - OPAL_POLICY_REPO_URL=https://github.com/permitio/opal-example-policy-repo
    # in this example we will use a polling interval of 30 seconds to check for new policy updates (git commits affecting the rego policy).
    # however, it is better to utilize a git *webhook* to trigger the server to check for changes only when the repo has new commits.
    # for more info see: https://docs.opal.ac/tutorials/track_a_git_repo
    - OPAL_POLICY_REPO_POLLING_INTERVAL=30
```
You can also change the tracked repo in the example docker-compose.yml file by editing these variables:

```yaml
version: "3.8"
services:
  ...
  opal_server:
    environment:
      ...
      - OPAL_POLICY_REPO_URL=<YOUR REPO URL>
      # use this if you want to setup policy updates via git webhook (recommended)
      - OPAL_POLICY_REPO_WEBHOOK_SECRET=<your webhook secret>
      # use this if you want to setup policy updates via polling (not recommended)
      - OPAL_POLICY_REPO_POLLING_INTERVAL=<interval in seconds>
```
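The webhook variant is recommended over polling because the server only fetches when the repo actually changes, but it also means the server accepts unsolicited HTTP calls, which is what the webhook secret is for: the sender signs each delivery with the shared secret, and the receiver refuses anything whose signature does not verify. The following is an added example, not code from the OPAL project or from this page, showing the generic GitHub-style scheme (an `X-Hub-Signature-256` header carrying `sha256=<HMAC-SHA256 hex>` over the raw request body). The secret value, the push-event payloads and the `handle_webhook` decision logic are all constructed for illustration; whether OPAL's own server verifies deliveries exactly this way is not something this page states.

```python
import hashlib
import hmac
import json
from typing import Optional

# Illustrative secret only. In a real deployment this is the value of
# OPAL_POLICY_REPO_WEBHOOK_SECRET and of the matching setting on the git host.
WEBHOOK_SECRET = b"example-webhook-secret"

# File types whose change should trigger a policy refresh (assumption for the example).
POLICY_SUFFIXES = (".rego", ".json")


def sign_payload(secret: bytes, body: bytes) -> str:
    """Return the header value a GitHub-style sender attaches for `body`."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """True only if the header is present, well-formed and matches the body's HMAC.

    hmac.compare_digest is used so the comparison time does not leak how many
    leading characters of a guessed signature were right.
    """
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected, header_value)


def touches_policy(payload: dict) -> bool:
    """True if any commit in a push event adds, modifies or removes a policy file."""
    for commit in payload.get("commits", []):
        for key in ("added", "modified", "removed"):
            if any(path.endswith(POLICY_SUFFIXES) for path in commit.get(key, [])):
                return True
    return False


def handle_webhook(secret: bytes, body: bytes, header_value: Optional[str]) -> str:
    """Decide what to do with one delivery.

    Returns "rejected" for a bad or missing signature, "ignored" for an
    authentic delivery that changed no policy files, and "refresh" when a
    policy pull should be triggered. The signature is checked before the
    body is parsed, so unauthenticated input never reaches json.loads.
    """
    if not verify_signature(secret, body, header_value):
        return "rejected"
    payload = json.loads(body)
    return "refresh" if touches_policy(payload) else "ignored"


# Constructed push events shaped like GitHub's; not real deliveries.
SAMPLE_POLICY_PUSH = json.dumps({
    "ref": "refs/heads/master",
    "commits": [{"id": "placeholder-sha", "added": [],
                 "modified": ["rbac.rego"], "removed": []}],
}).encode()

SAMPLE_README_PUSH = json.dumps({
    "ref": "refs/heads/master",
    "commits": [{"id": "placeholder-sha", "added": [],
                 "modified": ["README.md"], "removed": []}],
}).encode()

if __name__ == "__main__":
    sig = sign_payload(WEBHOOK_SECRET, SAMPLE_POLICY_PUSH)
    print(handle_webhook(WEBHOOK_SECRET, SAMPLE_POLICY_PUSH, sig))
    print(handle_webhook(WEBHOOK_SECRET, SAMPLE_POLICY_PUSH, "sha256=" + "0" * 64))
    print(handle_webhook(WEBHOOK_SECRET, SAMPLE_README_PUSH,
                         sign_payload(WEBHOOK_SECRET, SAMPLE_README_PUSH)))
```

Two details carry the security value here: the signature is computed over the exact raw bytes received (re-serialising the parsed JSON would break verification), and the comparison is constant-time. A secret that is left at its placeholder or reused across environments removes both protections, so treat `OPAL_POLICY_REPO_WEBHOOK_SECRET` like any other credential in the compose file.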
You can then issue a commit that affects the policy and observe that the OPA state indeed changes.

Info: if you would like more information on managing and tracking a git repo, see the tutorial at https://docs.opal.ac/tutorials/track_a_git_repo.