Unlocking edge-native policy management with Avassa, OPA and Styra DAS

Looking beyond the public cloud and centralized paradigm made successful by the hyperscaler clouds, there is a growing need to run applications across many resource-constrained sites, also known as edge computing.

The drivers behind this evolution include the need for robust and resilient operations without relying on centralized resources, efficient ways to be compliant with data privacy and regulations, and a need to keep data and applications local for performance and data contextualization.

Deploying applications at the edge requires an infrastructure that can provide the core application services comfortably provided in centralized clouds. Policy management is no exception, which is why the ability to automate how OPA is deployed and configured across edge sites has a significant impact on application team efficiency.

The edge-native challenges for applications

Managing the lifecycle of applications across many distributed locations is in many ways a fundamentally different task from doing the same thing in centralized clouds. How edge environments impact the tooling and approach of all parts of the DevOps cycle is still being explored.

A common pattern for edge environments is to deploy replicas of small applications (a handful of containers at the most) across hundreds of locations. These edge-application replicas expect many of the same services as provided by central clouds, including monitoring, observability, application event logging services, secrets management, and policy management.

These infrastructure services need to be made available in each location to allow the system as a whole to scale without single points of failure, and to allow for site-local survivability in the face of upstream connectivity failure. To scale this, the tasks of deploying and upgrading applications and the configuration management of these services must be centralized and automated.

The Avassa platform allows application and operations teams to deploy applications at scale across their distributed edge clouds. The solution includes both the scheduling and placement of container applications as well as the management of their configuration.

Managing OPA at the edge

Avassa has worked together with the Styra team to build a joint solution that allows application and operations teams to manage the lifecycle and configuration of very large OPA populations across distributed edge clouds, consisting of hundreds or even thousands of locations.

The combined solution provides site-local lifecycle management of containerized OPA instances in each site — combined with the centralized configuration of call-home credentials for easy setup with Styra DAS. Using a declarative approach, it also makes rolling upgrades of OPA instances and corresponding configuration a simple operation that fits well with GitOps-style setups.

The result came out pretty cool and provides a deeply automated and scalable solution that makes hosting heavily distributed OPA instances with central policy management through Styra DAS a delight.

This setup provides an automated, scalable, resilient and blazing fast policy enforcement and authorization solution for edge-native applications.

The demo below shows the deployment of an OPA-enabled application across more than a hundred edge sites that are running OPA locally. Styra DAS is then used to centrally manage Rego policies across these locations, and finally Avassa is used to perform a rolling upgrade of OPA instances.

This combined solution unlocks the potential of running a massively distributed set of OPA instances at the edge without the operational overhead of manually managing the lifecycle of OPA itself. It also covers all related configuration, which is done through Avassa, as well as the Rego policies, which are managed through Styra DAS.

Operating applications in an edge environment differs operationally from operating them in centralized clouds because of the large number of sites involved and the fact that each site needs to locally provide critical services for applications. This further emphasizes the value of applying a centralized and declarative approach to policy management at the edge, enabling efficient orchestration and placement of OPAs and Styra DAS configurations at scale.


