Skip to main content

Step 3: Changing and updating the policy in realtime

In the docker-compose.yml example file that we have mentioned earlier, it is defined that OPAL should track this repository.

Here is a snippet of code from that repo:

# by default we run opal-server from latest official image
image: permitio/opal-server:latest
# the broadcast backbone uri used by opal server workers (see comments above for: broadcast_channel)
- OPAL_BROADCAST_URI=postgres://postgres:postgres@broadcast_channel:5432/postgres
# number of uvicorn workers to run inside the opal-server container
# the git repo hosting our policy
# - if this repo is not public, you can pass an ssh key via `OPAL_POLICY_REPO_SSH_KEY`)
# - the repo we pass in this example is *public* and acts as an example repo with dummy rego policy
# - for more info, see:
# in this example we will use a polling interval of 30 seconds to check for new policy updates (git commits affecting the rego policy).
# however, it is better to utilize a git *webhook* to trigger the server to check for changes only when the repo has new commits.
# for more info see:

You can also simply change the tracked repo in the example docker-compose.yml file by editing these variables:

# use this if you want to setup policy updates via git webhook (recommended)
- OPAL_POLICY_REPO_WEBHOOK_SECRET=<your webhook secret>
# use this if you want to setup policy updates via polling (not recommended)
- POLICY_REPO_POLLING_INTERVAL=<interval in seconds>

You can then issue a commit affecting the policy and see that OPA state is indeed changing.


If you would like more information on managing and tracking a git repo, check out this tutorial.