Secure TLS Configuration for Open Policy Agent in Production

The connection failed before the request even left the machine. The logs made it clear: the TLS handshake was never completed. For Open Policy Agent (OPA) running in production, a broken TLS configuration is not just an error — it’s a security gap.

OPA’s TLS support controls both encryption in transit and mutual authentication. To configure it, you define the tls section under the server configuration, typically in config.yaml. This includes the certificate, private key, and optional CA bundle for verifying clients.

Example OPA TLS Configuration:

services:
  example:
    url: https://policy.example.com
    tls:
      cert_file: /etc/opa/certs/server.crt
      key_file: /etc/opa/certs/server.key
      ca_cert_file: /etc/opa/certs/ca.crt
      skip_verify: false

  • cert_file points to the server’s public certificate in PEM format.
  • key_file is the associated private key. Keep it secure with strict filesystem permissions.
  • ca_cert_file is required for validating client or upstream certificates when mutual TLS is enabled.
  • skip_verify: false enforces full certificate verification.

For mutual TLS (mTLS), OPA can authenticate connecting clients by requiring them to present valid certificates signed by a trusted CA. This is critical when OPA sits between sensitive microservices or policy distribution endpoints. To activate mTLS for the server API:

tls:
  cert_file: /etc/opa/certs/server.crt
  key_file: /etc/opa/certs/server.key
  ca_cert_file: /etc/opa/certs/ca.crt
  client_auth: require_and_verify_client_cert

Key considerations for secure OPA TLS configuration:

  1. Always use certificates issued by a trusted internal or external CA. Self-signed certs increase maintenance overhead and risk.
  2. Rotate certificates before expiry using automated tooling.
  3. Store keys in protected directories with 0600 permissions.
  4. Test connectivity with openssl s_client to ensure the full handshake and certificate chain are valid.
  5. Monitor OPA logs for TLS-related errors after deployment.
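What client_auth: require_and_verify_client_cert and skip_verify: false actually enforce, and the handshake check from step 4, can be exercised without an OPA instance. The Go program below is an added example, not OPA's code or configuration: it builds a throwaway CA, server and client certificate in memory and runs loopback handshakes with Go's crypto/tls, the library OPA itself is built on; the names demo-ca, opa.internal and policy-client are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue builds an in-memory Ed25519 certificate for name: a self-signed CA when parent is nil, else a leaf signed by parent. Throwaway test material only.
func issue(name string, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey.(ed25519.PrivateKey)
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake runs one loopback TLS handshake: the server trusts ca for client certs and enforces clientAuth; the client verifies the server against ca (skip_verify off) and presents clientCert, or no certificate at all when it is the zero value. A failure on either side is returned.
func handshake(ca, server tls.Certificate, clientAuth tls.ClientAuthType, clientCert tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: clientAuth, ClientCAs: pool, MinVersion: tls.VersionTLS12})
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() { // server side: accept the single connection and complete its handshake
		c, _ := ln.Accept()
		srvErr <- c.(*tls.Conn).Handshake()
		c.Close()
	}()
	cfg := &tls.Config{RootCAs: pool, ServerName: server.Leaf.Subject.CommonName, MinVersion: tls.VersionTLS12}
	cfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return &clientCert, nil }
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return err // TLS 1.2 path: a rejected client sees the server's alert during its own handshake
	}
	defer conn.Close()
	return <-srvErr // TLS 1.3 path: the server's verdict arrives after the client has already finished
}
```

Under tls.RequireAndVerifyClientCert the server rejects both an anonymous client and one holding a certificate from a different CA, while tls.NoClientCert accepts the anonymous client; that difference is the gap the client_auth setting closes.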

For OPA deployments behind load balancers or service meshes, decide if TLS is terminated at the edge or passed through to OPA. If TLS is terminated upstream, disable OPA’s listener TLS to avoid unnecessary complexity. If you pass TLS through, align cipher suites and protocol versions between components.

A correct TLS configuration for Open Policy Agent ensures confidentiality, integrity, and trust between policy decision points and policy enforcement points. Lock it down before shipping to production.

Want to see secure TLS configuration in action without the guesswork? Check it out live on hoop.dev and get it running in minutes.