Skip to content
|
search
Plugin Hub
report-issueReport an issue
header icon

OPA Configuration

By Kong Inc.

Configuration

This plugin is compatible with DB-less mode.

Compatible protocols

The OPA plugin is compatible with the following protocols:

grpc, grpcs, http, https

Parameters

Here's a list of all the parameters which can be used in this plugin's configuration:

  • name

    string required

    The name of the plugin, in this case opa.

  • instance_name

    string

    An optional custom name to identify an instance of the plugin, for example opa_my-service. Useful when running the same plugin in multiple contexts, for example, on multiple services.

  • service.name or service.id

    string

    The name or ID of the service the plugin targets. Set one of these parameters if adding the plugin to a service through the top-level /plugins endpoint. Not required if using /services/SERVICE_NAME|SERVICE_ID/plugins.

  • route.name or route.id

    string

    The name or ID of the route the plugin targets. Set one of these parameters if adding the plugin to a route through the top-level /plugins endpoint. Not required if using /routes/ROUTE_NAME|ROUTE_ID/plugins.

  • enabled

    boolean default: true

    Whether this plugin will be applied.

  • config

    record required

    • opa_protocol

      string default: http Must be one of: http, https

      The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are http and https.

    • opa_host

      string required default: localhost

      The DNS name or IP address of the OPA server.

    • opa_port

      integer required default: 8181 between: 0 65535

      The port of the OPA server.

    • opa_path

      string required starts_with: /

      The HTTP path to use when making a request to the OPA server. This is usually the path to the policy and rule to evaluate, prefixed with /v1/data/. For example, if you want to evaluate the allow rule inside example.kong package, then the path would be /v1/data/example/kong/allowBoolean.

    • include_service_in_opa_input

      boolean default: false

      If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.

    • include_route_in_opa_input

      boolean default: false

      If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.

    • include_consumer_in_opa_input

      boolean default: false

      If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.

    • include_body_in_opa_input

      boolean default: false

    • include_parsed_json_body_in_opa_input

      boolean default: false

      If set to true and the Content-Type header of the current request is application/json, the request body will be JSON decoded and the decoded struct is included as input to OPA.

    • include_uri_captures_in_opa_input

      boolean default: false

      If set to true, the regex capture groups captured on the Kong Gateway Route’s path field in the current request (if any) are included as input to OPA.

    • ssl_verify

      boolean required default: true

      If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.