You are browsing documentation for an outdated plugin version.
Configuration
This plugin is compatible with DB-less mode.
Compatible protocols
The OPA plugin is compatible with the following protocols: grpc, grpcs, http, https
Parameters
Here's a list of all the parameters which can be used in this plugin's configuration:
- string, required
  The name of the plugin, in this case opa.
  - If using the Kong Admin API, Konnect API, declarative configuration, or decK files, the field is name.
  - If using the KongPlugin object in Kubernetes, the field is plugin.
- string
  The name or ID of the service the plugin targets. Set one of these parameters if adding the plugin to a service through the top-level /plugins endpoint. Not required if using /services/{serviceName|Id}/plugins.
- string
  The name or ID of the route the plugin targets. Set one of these parameters if adding the plugin to a route through the top-level /plugins endpoint. Not required if using /routes/{routeName|Id}/plugins.
- boolean, default: true
  Whether this plugin will be applied.
- record, required
- string, default: http
  Must be one of: http, https
  The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are http and https.
- string, required, default: localhost
  The DNS name or IP address of the OPA server.
- integer, required, default: 8181
  between: 0 and 65535
  The port of the OPA server.
- string, required, starts_with: /
  The HTTP path to use when making a request to the OPA server. This is usually the path to the policy and rule to evaluate, prefixed with /v1/data/. For example, if you want to evaluate the allow rule inside example.kong package, then the path would be /v1/data/example/kong/allowBoolean.
- boolean, default: false
  If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.
- boolean, default: false
  If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.
- boolean, default: false
  If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.
- boolean, default: false
- boolean, default: false
  If set to true and the Content-Type header of the current request is application/json, the request body will be JSON decoded and the decoded struct is included as input to OPA.
- boolean, default: false
  If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA.
- boolean, required, default: true
  If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.
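A lint pass over the plugin's config record that applies the constraints listed above (allowed protocols, port range, leading / on the path) and flags the two transport settings that weaken the Kong-to-OPA connection. This is an added example, not part of the Kong documentation. The key names opa_protocol, opa_host, opa_port, opa_path and ssl_verify are assumed from Kong's OPA plugin schema since the field names do not appear on this page, and the host name and sample configs are constructed.

```python
ALLOWED_PROTOCOLS = ("http", "https")
LOOPBACK_HOSTS = ("localhost", "127.0.0.1", "::1")


def lint_opa_config(config):
    """Return (errors, warnings) for the config record of an OPA plugin entry."""
    # Defaults as listed in the parameter reference above.
    protocol = config.get("opa_protocol", "http")
    host = config.get("opa_host", "localhost")
    port = config.get("opa_port", 8181)
    path = config.get("opa_path")  # required, no default
    ssl_verify = config.get("ssl_verify", True)

    errors, warnings = [], []
    if protocol not in ALLOWED_PROTOCOLS:
        errors.append("opa_protocol must be one of: http, https")
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(port, bool) or not isinstance(port, int) or not 0 <= port <= 65535:
        errors.append("opa_port must be an integer between 0 and 65535")
    if not isinstance(path, str) or not path.startswith("/"):
        errors.append("opa_path is required and must start with /")
    elif not path.startswith("/v1/data/"):
        warnings.append("opa_path is not under /v1/data/; check it names a policy rule")

    # Transport checks: request input and the decision travel over this link.
    if protocol == "http" and host not in LOOPBACK_HOSTS:
        warnings.append("plaintext http to a non-loopback OPA host")
    if protocol == "https" and ssl_verify is not True:
        warnings.append("ssl_verify is off: OPA server certificate is not checked")
    return errors, warnings


# Constructed sample configs (not taken from the page).
WEAK = {"opa_protocol": "http", "opa_host": "opa.internal.example",
        "opa_path": "/v1/data/example/kong/allowBoolean"}
UNVERIFIED = dict(WEAK, opa_protocol="https", ssl_verify=False)
HARDENED = dict(WEAK, opa_protocol="https", ssl_verify=True)
INVALID = {"opa_protocol": "ftp", "opa_port": 70000, "opa_path": "v1/data/x"}

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK), ("unverified", UNVERIFIED),
                      ("hardened", HARDENED), ("invalid", INVALID)]:
        errs, warns = lint_opa_config(cfg)
        print(f"{name}: errors={errs} warnings={warns}")
```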