Skip to content
|
search
Plugin Hub
github-edit-pageEdit this page
report-issueReport an issue
header icon

OPA Configuration

By Kong Inc.

Configuration

This plugin is compatible with DB-less mode.

Compatible protocols

The OPA plugin is compatible with the following protocols:

grpc, grpcs, http, https

Parameters

Here's a list of all the parameters which can be used in this plugin's configuration:

  • name

    string required

    The name of the plugin, in this case opa.

  • instance_name

    string

    An optional custom name to identify an instance of the plugin, for example opa_my-service. Useful when running the same plugin in multiple contexts, for example, on multiple services.

  • service.name or service.id

    string

    The name or ID of the service the plugin targets. Set one of these parameters if adding the plugin to a service through the top-level /plugins endpoint. Not required if using /services/SERVICE_NAME|ID/plugins.

  • route.name or route.id

    string

    The name or ID of the route the plugin targets. Set one of these parameters if adding the plugin to a route through the top-level /plugins endpoint. Not required if using /routes/ROUTE_NAME|ID/plugins.

  • enabled

    boolean default: true

    Whether this plugin will be applied.

  • config

    record required

    • opa_protocol

      string default: http Must be one of: http, https

      The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are http and https.

    • opa_host

      string required default: localhost

      A string representing a host name, such as example.com.

    • opa_port

      integer required default: 8181 between: 0 65535

      An integer representing a port number between 0 and 65535, inclusive.

    • opa_path

      string required starts_with: /

      A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).

    • include_service_in_opa_input

      boolean default: false

      If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.

    • include_route_in_opa_input

      boolean default: false

      If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.

    • include_consumer_in_opa_input

      boolean default: false

      If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.

    • include_body_in_opa_input

      boolean default: false

    • include_parsed_json_body_in_opa_input

      boolean default: false

      If set to true and the Content-Type header of the current request is application/json, the request body will be JSON decoded and the decoded struct is included as input to OPA.

    • include_uri_captures_in_opa_input

      boolean default: false

      If set to true, the regex capture groups captured on the Kong Gateway Route’s path field in the current request (if any) are included as input to OPA.

    • ssl_verify

      boolean required default: true

      If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.