opal-server

Chainguard Container for opal-server

OPAL is an administration layer for Policy Engines

Chainguard Containers are regularly-updated, secure-by-default container images.

Download this Container Image

For those with access, this container image is available on cgr.dev:

docker pull cgr.dev/ORGANIZATION/opal-server:latest

Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard Registry.

Compatibility

Chainguard's opal-client and opal-server images are drop-in compatible with the upstream images from Permit.io’s OPAL project.

Getting Started

Deploy with Docker Compose

Start by downloading the upstream Docker Compose example provided by the OPAL project:

curl -L https://raw.githubusercontent.com/permitio/opal/master/docker/docker-compose-example.yml > docker-compose.yml

Edit the downloaded docker-compose.yml file and replace the image references with the Chainguard images:

opal-server:
  image: cgr.dev/ORGANIZATION/opal-server:latest

opal-client:
  image: cgr.dev/ORGANIZATION/opal-client:latest

Bring up the stack:

docker-compose up

This deployment starts the OPAL server and client, a broadcast channel, and loads example policies and data. Once the services are running, verify the setup by querying the OPA Agent API, which is exposed on port 8181:

curl http://localhost:8181/v1/data/users

A successful response returns example user data similar to the following:

{
  "result": {
    "alice": {
      "location": {
        "country": "US",
        "ip": "8.8.8.8"
      },
      "roles": ["admin"]
    }
  }
}

To learn how to modify policies or data sources, see the OPAL quickstart guide.

Deploy with Helm

To deploy OPAL in Kubernetes, first add the upstream OPAL Helm repository:

helm repo add permitio https://permitio.github.io/opal-helm-chart
helm repo update

Create a values.yaml file to override the default image locations:

image:
  client:
    registry: cgr.dev/ORGANIZATION
    repository: opal-client
    tag: latest
  server:
    registry: cgr.dev/ORGANIZATION
    repository: opal-server
    tag: latest

Install the chart into a new namespace:

helm install --create-namespace -n opal opal permitio/opal -f values.yaml

By default, the Helm chart deploys OPAL with the same example policies and data used in the Docker Compose setup. These examples are maintained in the upstream OPAL example policy repository.

After installation, forward the OPA Agent API to your local machine:

kubectl wait --for=condition=available deployment/opal-client -n opal --timeout=300s

kubectl port-forward -n opal service/opal-client 8181:8181

You can then verify the deployment by querying the same /v1/data/users endpoint used in the Docker example:

curl http://localhost:8181/v1/data/users

For a full list of supported Helm configuration values, see the OPAL documentation on the Helm chart configuration options.

References

• OPAL website
• OPAL GitHub repository

What are Chainguard Containers?

Chainguard's free tier of Starter container images are built with Wolfi, our minimal Linux undistro.

All other Chainguard Containers are built with Chainguard OS, Chainguard's minimal Linux operating system designed to produce container images that meet the requirements of a more secure software supply chain.

The main features of Chainguard Containers include:

• Minimal design, without unnecessary software bloat
• Daily builds to ensure container images are up-to-date with available security patches
• High quality build-time SBOMs attesting to the provenance of all artifacts within the image
• Verifiable signatures provided by Sigstore
• Reproducible builds with Cosign and apko (read more about reproducibility)

For cases where you need container images with shells and package managers to build or debug, most Chainguard Containers come paired with a development, or -dev, variant.

In all other cases, including Chainguard Containers tagged as :latest or with a specific version number, the container images include only an open-source application and its runtime dependencies. These minimal container images typically do not contain a shell or package manager.

Although the -dev container image variants have similar security features as their more minimal versions, they include additional software that is typically not necessary in production environments. We recommend using multi-stage builds to copy artifacts from the -dev variant into a more minimal production image.

Need additional packages?

To improve security, Chainguard Containers include only essential dependencies. Need more packages? Chainguard customers can use Custom Assembly to add packages, either through the Console, chainctl, or API.

To use Custom Assembly in the Chainguard Console: navigate to the image you'd like to customize in your Organization's list of images, and click on the Customize image button at the top of the page.

Learn More

Refer to our Chainguard Containers documentation on Chainguard Academy. Chainguard also offers VMs and Libraries — contact us for access.

Trademarks

This software listing is packaged by Chainguard. The trademarks set forth in this offering are owned by their respective companies, and use of them does not imply any affiliation, sponsorship, or endorsement by such companies.