Skip to main content

Migrating to Enterprise OPA from OPA

Users of OPA with data-heavy use cases may wish to use Enterprise OPA instead of OPA. Enterprise OPA and OPA work in much the same way, making the migration relatively straightforward. However, there are some changes operators need to bear in mind, which are outlined below.

Bundle Format

Enterprise OPA uses a different bundle format based on binary JSON. Enterprise OPA requires formatted bundles to achieve the quoted performance gains. When running Enterprise OPA, bundles loaded from the filesystem or over the Bundle Service API should be in the Enterprise OPA format.

The following actions are used to support bundle format:

  • Update the process that builds bundles to use the Enterprise OPA bundle format.
  • Configure Enterprise OPA instances to use these new bundles rather than the OPA bundles. If these new bundles have the same name, and are available the same URL or filesystem path then no configuration changes are needed.
  • If you are using OPA's Discovery Bundle feature, Discovery Bundles should not be updated to the Enterprise OPA format. Enterprise OPA formatted bundles are not supported for use as Discovery Bundles.

Interface Binding

By default, Enterprise OPA only binds to the loopback interface (localhost:8181). This is different from OPA which binds to all interfaces (:8181). This is a secure default which has been introduced for Enterprise OPA and can help avoid the Enterprise OPA instance being exposed to the pubic internet or other untrusted networks unintentionally.

If you understand the risks and are in an environment where you need to bind to all interfaces, you can do so by starting Enterprise OPA with the flag --addr=":8181".

To bind to all interfaces in your environment start Enterprise OPA with the correct --addr flag.

License Requirement

Wherever an Enterprise OPA binary is invoked, a license is required. Licensing details configuration requirements.

note

Ensure that the license is present in each location where Enterprise OPA is to be run. This might include CI/CD pipelines which build bundles as well as Enterprise OPA server instances.