Skip to main content

Policy Repository Location

Step 3: Server config - policy repo location

OPAL server is responsible to track policy changes and push them to OPAL clients.

At the moment, OPAL can tracks a git repository as the policy source.

(Mandatory) Repo location

Env Var NameFunction
  • The repo url the policy repo is located at.
  • Must be available from the machine running OPAL (opt for public internet addresses).

  • Supported URI schemes: https:// and ssh (i.e: git@).

(Optional) SSH key for private repos

If your tracked policy repo is private, you should declare this env var in order to authenticate and successfully clone the repo:

Env Var NameFunction
  • Content of the var is a private crypto key (i.e: SSH key)
  • You will need to register the matching public key with your repo. For example, see the

    GitHub tutorial

    on the subject.

  • The passed value must be the contents of the SSH key in one line (replace new-line with underscore, i.e: \n with _)

(Optional) Clone/pull settings

For these config vars, in most cases you are good with the default values:

Env Var NameFunction

Where (i.e: base target path) to clone the repo in your docker filesystem (not important unless you mount a docker volume)


Name of the git branch to track for policy files (default: master)

(Optional) Bundle settings

Env Var NameFunction

Comma separated list of glob paths to omit from policy bundle. Note that double asterisks ** do not recursively match; unless at the end, and without other wildcards.