Configuration
This plugin is compatible with DB-less mode.
Compatible protocols
The OPA plugin is compatible with the following protocols:
grpc
, grpcs
, http
, https
Parameters
Here's a list of all the parameters which can be used in this plugin's configuration:
-
name
string requiredThe name of the plugin, in this case
opa
. -
instance_name
stringAn optional custom name to identify an instance of the plugin, for example
opa_my-service
. Useful when running the same plugin in multiple contexts, for example, on multiple services. -
service.name or service.id
stringThe name or ID of the service the plugin targets. Set one of these parameters if adding the plugin to a service through the top-level
/plugins
endpoint. Not required if using/services/SERVICE_NAME|ID/plugins
. -
route.name or route.id
stringThe name or ID of the route the plugin targets. Set one of these parameters if adding the plugin to a route through the top-level
/plugins
endpoint. Not required if using/routes/ROUTE_NAME|ID/plugins
. -
enabled
boolean default:true
Whether this plugin will be applied.
-
config
record required-
opa_protocol
string default:http
Must be one of:http
,https
The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are
http
andhttps
.
-
opa_host
string required default:localhost
A string representing a host name, such as example.com.
-
opa_port
integer required default:8181
between:0
65535
An integer representing a port number between 0 and 65535, inclusive.
-
opa_path
string required starts_with:/
A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).
-
include_service_in_opa_input
boolean default:false
If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.
-
include_route_in_opa_input
boolean default:false
If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.
-
include_consumer_in_opa_input
boolean default:false
If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.
-
include_body_in_opa_input
boolean default:false
-
include_parsed_json_body_in_opa_input
boolean default:false
If set to true and the
Content-Type
header of the current request isapplication/json
, the request body will be JSON decoded and the decoded struct is included as input to OPA.
-
include_uri_captures_in_opa_input
boolean default:false
If set to true, the regex capture groups captured on the Kong Gateway Route’s path field in the current request (if any) are included as input to OPA.
-
ssl_verify
boolean required default:true
If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.
-