Add support for interfacing with opa instance configured with tls authentication
oc002 opened this issue · comments
Is your feature request related to a problem? Please describe.
OPA can be configured (both externally and the embedded version provided with opal-client) to authenticate requests using either an Authorization: Bearer <TOKEN> header or using mutual TLS.
https://www.openpolicyagent.org/docs/latest/security/#authentication-and-authorization
opal-client can be configured to work with an opa configured with --authentication=token by providing a static token in
https://github.com/permitio/opal/blob/master/packages/opal-client/opal_client/config.py#L30
and, on the opa side, a package system.authz policy can verify this token.
However, I do believe that it's currently impossible to configure opal to work with an opa instance configured with --authentication=tls.
This is especially troubling as it is possible to configure even the embedded opa within opal-client this way (https://github.com/permitio/opal/blob/master/packages/opal-client/opal_client/opa/options.py#L16).
Describe the solution you'd like
A way to configure opal client to use client certificate chain and key (and ca) when communicating with the policy store (external or embedded)
Describe alternatives you've considered
None
Additional context
This was created after discussion in Slack here https://permit-io.slack.com/archives/C01RUUYV3TP/p1681310018277859
I will push a PR with an implementation suggestion
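An added example, not OPAL's code, of the client-side configuration this request describes: the token mode the client already supports beside the mutual-TLS mode it lacks. OpaAuthConfig, build_ssl_context and build_auth are hypothetical names, and the certificate paths are assumed to be PEM files supplied by the deployer.

```python
"""Hypothetical client-side handling of OPA's two authentication modes.
Not OPAL's code; names and fields here are assumptions for illustration."""
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass
class OpaAuthConfig:
    # "token" mirrors opa --authentication=token, "tls" mirrors --authentication=tls
    authentication: str = "off"
    token: Optional[str] = None        # static bearer token (token mode)
    ca_file: Optional[str] = None      # CA that signed the OPA server certificate
    client_cert: Optional[str] = None  # PEM client certificate chain (tls mode)
    client_key: Optional[str] = None   # PEM private key matching client_cert


def build_ssl_context(cfg: OpaAuthConfig) -> ssl.SSLContext:
    """Client context for mutual TLS against OPA: the server certificate is
    verified against cfg.ca_file (system store when None) and the client
    chain/key are presented only when configured."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cfg.ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED  # never talk to an unverified policy store
    if cfg.client_cert:
        ctx.load_cert_chain(certfile=cfg.client_cert, keyfile=cfg.client_key)
    return ctx


def build_auth(cfg: OpaAuthConfig):
    """Return (headers, ssl_context) for the configured mode, rejecting an
    incomplete configuration at startup rather than failing on the first request."""
    if cfg.authentication == "token":
        if not cfg.token:
            raise ValueError("authentication=token requires a token")
        return {"Authorization": f"Bearer {cfg.token}"}, None
    if cfg.authentication == "tls":
        if not (cfg.client_cert and cfg.client_key):
            raise ValueError("authentication=tls requires client_cert and client_key")
        return {}, build_ssl_context(cfg)
    if cfg.authentication == "off":
        return {}, None
    raise ValueError(f"unknown authentication mode {cfg.authentication!r}")
```

The returned headers and SSL context are what an HTTP client session talking to the policy store would be created with.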