Thoughts on the OPA Control Plane

As part of the winding down of Styra, they have released the OPA Control Plane as a new open-source tool. It is meant to replace some of the functionality of Styra DAS.

Quick Review

Capabilities

OPA Control Plane (hereafter: opactl) is primarily a tool to build and deploy policy bundles. It says it has support for regression testing bundles with historical decision logs, and support for migrating Styra DAS configuration to opactl, but I haven’t tried either of those.

Build

The primary interesting feature of opactl is the ability to:

• fetch policy from github (and probably from bitbucket and gitlab)

• build policy bundles

• deploy those policy bundles to S3, Azure Blob Object or Google Cloud Storage

Although there is a showstopper bug with the deployment to the cloud, I was able to create a fix for myself (and I will happily provide the fix to the maintainers when they are ready to accept it). Contact me if you need it (johnbr@paclabs.io). Assuming that will be fixed soon, I can say that opactl does do the build-deploy cycle, and simplifies the DevOps aspects of policy implementation.

Notes

• The code is decent. A little cryptic for my taste, but that’s not a sin.

• You will only get debug logging if you enable the logging: —log-level debug and also turn off interactive mode —non-interactive

• If you want to include data.json (or equivalent), you *must* put it at the top of a tree structure, or opactl will assign it to a namespace, which is typically not what you want

Future

It’s too early to tell if the maintainers are going to provide robust support for opactl, but they definitely are very familiar with the problem (probably from implementing this functionality in DAS)