Policy Repository Location

Step 3: Server config - policy repo location

The OPAL server is responsible for tracking policy changes and pushing them to OPAL clients.

At the moment, OPAL can track a git repository as the policy source.

(Mandatory) Repo location

Env Var Name | Function
OPAL_POLICY_REPO_URL
  • The URL where the policy repo is located.
  • Must be reachable from the machine running OPAL (opt for public internet addresses).
  • Supported URI schemes: https:// and ssh (i.e.: git@).

(Optional) SSH key for private repos

If your tracked policy repo is private, you should declare this env var in order to authenticate and successfully clone the repo:

Env Var Name | Function
OPAL_POLICY_REPO_SSH_KEY
  • The content of the var is a private crypto key (i.e.: SSH key).
  • You will need to register the matching public key with your repo. For example, see the GitHub tutorial on the subject.
  • The passed value must be the contents of the SSH key in one line (replace new-line with underscore, i.e.: \n with _).
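
The one-line key format described above, as an added example that is not part of the OPAL documentation or code base. The helper function names, the repo URL and the key file contents are hypothetical or constructed; the script refuses a key file that already contains an underscore and checks that the encoding can be reversed exactly.

```shell
#!/bin/sh
# Added example (not from the OPAL project): build the two env vars for a
# private policy repo. Helper names and the repo URL are hypothetical.

# Accept only the URL forms this page lists: https:// and git@ (ssh).
opal_repo_url_ok() {
    case "$1" in
        https://*|git@*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the key file as one line, each newline replaced by "_".
# Reading through stdin keeps the key material out of argv.
opal_key_to_oneline() {
    [ -r "$1" ] && [ -s "$1" ] || return 1
    # An "_" already in the file would make the mapping irreversible.
    if grep -q '_' "$1"; then return 1; fi
    tr '\n' '_' < "$1"
}

# Inverse mapping, used only to prove the encoding is lossless.
opal_oneline_to_key() {
    printf '%s' "$1" | tr '_' '\n'
}

# Demo on a constructed placeholder (PEM-style armor, dummy body; not a key).
opal_demo() {
    tmp=$(mktemp) || return 1
    chmod 600 "$tmp"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'Y29uc3RydWN0ZWQgc2FtcGxlIGJvZHk=' \
        '-----END OPENSSH PRIVATE KEY-----' > "$tmp"
    OPAL_POLICY_REPO_URL='git@github.com:example-org/policy-repo.git'
    OPAL_POLICY_REPO_SSH_KEY=$(opal_key_to_oneline "$tmp") || { rm -f "$tmp"; return 1; }
    rc=0
    opal_repo_url_ok "$OPAL_POLICY_REPO_URL" || rc=1
    # Round trip must reproduce the file byte for byte.
    opal_oneline_to_key "$OPAL_POLICY_REPO_SSH_KEY" | cmp -s - "$tmp" || rc=1
    rm -f "$tmp"
    export OPAL_POLICY_REPO_URL OPAL_POLICY_REPO_SSH_KEY
    return $rc
}

# Report only the length, never the value.
opal_demo && echo "OPAL_POLICY_REPO_SSH_KEY set (${#OPAL_POLICY_REPO_SSH_KEY} chars)"
```

Since the OPAL server only needs to clone and pull, register the public half as a read-only deploy key where the git host supports it.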

(Optional) Clone/pull settings

In most cases the default values for these config vars are fine:

Env Var Name | Function
OPAL_POLICY_REPO_CLONE_PATH

Where (i.e.: base target path) to clone the repo in your Docker filesystem (not important unless you mount a Docker volume)

OPAL_POLICY_REPO_MAIN_BRANCH

Name of the git branch to track for policy files (default: master)

(Optional) Bundle settings

Env Var Name | Function
OPAL_BUNDLE_IGNORE

Comma-separated list of glob paths to omit from the policy bundle. Note that double asterisks (**) match recursively only when they appear at the end of the pattern and the pattern contains no other wildcards.