permitio · EliMoshkovich · Sep 29, 2025 · Sep 29, 2025 · Oct 7, 2025 · Oct 15, 2025
diff --git a/.github/workflows/on_release.yml b/.github/workflows/on_release.yml
@@ -217,13 +217,44 @@ jobs:
           tags: |
             permitio/opal-client-cedar:${{ github.event.release.tag_name }}
 
+      - name: Build & Push EOPA
+        if: ${{ github.event.release.prerelease == false }}
+        id: build_push_eopa_regular
+        uses: docker/build-push-action@v6
+        with:
+          file: docker/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          target: client-eopa
+          cache-from: type=registry,ref=permitio/opal-client-eopa:latest
+          cache-to: type=inline
+          tags: |
+            permitio/opal-client-eopa:latest
+            permitio/opal-client-eopa:${{ github.event.release.tag_name }}
+
+      - name: Build & Push EOPA (prerelease)
+        if: ${{ github.event.release.prerelease == true }}
+        id: build_push_eopa_prerelease
+        uses: docker/build-push-action@v6
+        with:
+          file: docker/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          target: client-eopa
+          cache-from: type=registry,ref=permitio/opal-client-eopa:latest
+          cache-to: type=inline
+          tags: |
+            permitio/opal-client-eopa:${{ github.event.release.tag_name }}
+
       - name: Python setup
+        if: ${{ github.event.release.prerelease == false }}
         uses: actions/setup-python@v5
         with:
           python-version: '3.11.8'
 
       # This is the root file representing the package for all the sub-packages.
       - name: Bump version - packaging__.py
+        if: ${{ github.event.release.prerelease == false }}
         run: |
           # Install required packages
           pip install semver packaging
@@ -244,6 +275,7 @@ jobs:
           cat packages/__packaging__.py
 
       - name: Cleanup setup.py and Build every sub-packages
+        if: ${{ github.event.release.prerelease == false }}
         run: |
           pip install wheel
           cd packages/opal-common/ ; rm -rf *.egg-info build/ dist/
@@ -258,6 +290,7 @@ jobs:
 
       # Upload package distributions to the release - All assets in one step
       - name: Upload assets to release
+        if: ${{ github.event.release.prerelease == false }}
         uses: shogo82148/actions-upload-release-asset@v1.7.5
         with:
           upload_url: ${{ github.event.release.upload_url }}
@@ -268,6 +301,7 @@ jobs:
 
       # Publish package distributions to PyPI
       - name: Publish package distributions to PyPI - Opal-Common
+        if: ${{ github.event.release.prerelease == false }}
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
           password: ${{ secrets.PYPI_TOKEN }}
@@ -280,6 +314,7 @@ jobs:
           url: https://pypi.org/p/opal-common/
 
       - name: Publish package distributions to PyPI - Opal-Client
+        if: ${{ github.event.release.prerelease == false }}
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
           password: ${{ secrets.PYPI_TOKEN }}
@@ -292,6 +327,7 @@ jobs:
           url: https://pypi.org/p/opal-client/
 
       - name: Publish package distributions to PyPI - Opal-Server
+        if: ${{ github.event.release.prerelease == false }}
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
           password: ${{ secrets.PYPI_TOKEN }}

diff --git a/Makefile b/Makefile
@@ -15,6 +15,7 @@ help:
 	@echo "  docker-build-server   - Build opal-server Docker image"
 	@echo "  docker-run-client     - Run opal-client in Docker"
 	@echo "  docker-run-server     - Run opal-server in Docker"
+	@echo "  docker-build-client-eopa - Build opal-client-eopa Docker image"
 
 OPAL_SERVER_URL ?= http://host.docker.internal:7002
 OPAL_AUTH_PRIVATE_KEY ?= /root/ssh/opal_rsa
@@ -59,6 +60,9 @@ docs-dev:
 docker-build-client:
 	@docker build -t permitio/opal-client --target client -f docker/Dockerfile .
 
+docker-build-client-eopa:
+	@docker build -t permitio/opal-client-eopa --target client-eopa -f docker/Dockerfile .
+
 docker-build-client-cedar:
 	@docker build -t permitio/opal-client-cedar --target client-cedar -f docker/Dockerfile .
 
@@ -82,11 +86,13 @@ docker-build-next:
 	@docker build -t permitio/opal-client-standalone:next --target client-standalone -f docker/Dockerfile .
 	@docker build -t permitio/opal-client:next --target client -f docker/Dockerfile .
 	@docker build -t permitio/opal-server:next --target server -f docker/Dockerfile .
+	@docker build -t permitio/opal-client-eopa:next --target client-eopa -f docker/Dockerfile .
 
 docker-build-latest:
 	@docker build -t permitio/opal-client-standalone:latest --target client-standalone -f docker/Dockerfile .
 	@docker build -t permitio/opal-client:latest --target client -f docker/Dockerfile .
 	@docker build -t permitio/opal-server:latest --target server -f docker/Dockerfile .
+	@docker build -t permitio/opal-client-eopa:latest --target client-eopa -f docker/Dockerfile .
 
 docker-run-server:
 	@if [[ -z "$(OPAL_POLICY_REPO_SSH_KEY)" ]]; then \

diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -88,7 +88,7 @@ WORKDIR /opal
 
 # copy opa from official docker image
 ARG opa_image=openpolicyagent/opa
-ARG opa_tag=0.70.0-static
+ARG opa_tag=1.9.0-static
 RUN skopeo copy "docker://${opa_image}:${opa_tag}" docker-archive:./image.tar && \
   mkdir image && tar xf image.tar -C ./image && cat image/*.tar | tar xf - -C ./image -i && \
   find image/ -name "opa*" -type f -executable -print0 | xargs -0 -I "{}" cp {} ./opa && chmod 755 ./opa && \
@@ -113,6 +113,48 @@ ENV OPAL_INLINE_OPA_EXEC_PATH=/opal/opa
 EXPOSE 8181
 USER opal
 
+# EOPA BINARY DOWNLOAD STAGE ------------------------
+# ---------------------------------------------------
+FROM alpine:latest AS eopa-extractor
+USER root
+
+# Install download dependencies
+RUN apk add --no-cache wget
+
+# Set working directory
+WORKDIR /download
+
+# Download pre-built EOPA binary based on architecture
+ARG eopa_tag=v1.44.0
+ARG TARGETARCH
+RUN case "${TARGETARCH}" in \
+        "amd64") EOPA_ARCH="x86_64" ;; \
+        "arm64") EOPA_ARCH="arm64" ;; \
+        *) echo "Unsupported architecture: ${TARGETARCH}" && exit 1 ;; \
+    esac && \
+    echo "Downloading EOPA for Linux_${EOPA_ARCH}" && \
+    wget -O eopa "https://github.com/open-policy-agent/eopa/releases/download/${eopa_tag}/eopa_Linux_${EOPA_ARCH}" && \
+    chmod +x eopa
+
+# EOPA CLIENT IMAGE ---------------------------------
+# Using standalone image as base --------------------
+# ---------------------------------------------------
+FROM client-standalone AS client-eopa
+
+# Temporarily move back to root for additional setup
+USER root
+
+# copy eopa from eopa-extractor
+COPY --from=eopa-extractor /download/eopa ./eopa
+
+# enable inline EOPA
+ENV OPAL_POLICY_STORE_TYPE=OPA
+ENV OPAL_INLINE_OPA_ENABLED=true
+ENV OPAL_INLINE_OPA_EXEC_PATH=/opal/eopa
+# expose eopa port (same as OPA)
+EXPOSE 8181
+USER opal
+
 # CEDAR CLIENT IMAGE --------------------------------
 # Using standalone image as base --------------------
 # ---------------------------------------------------

diff --git a/docker/docker-compose-example-eopa.yml b/docker/docker-compose-example-eopa.yml
@@ -0,0 +1,37 @@
+version: "3.8"
+
+services:
+  broadcast_channel:
+    image: postgres:alpine
+    environment:
+      - POSTGRES_DB=postgres
+      - POSTGRES_USER=postgres
+      - POSTGRES_PASSWORD=postgres
+
+  opal_server:
+    image: permitio/opal-server:latest
+    environment:
+      - OPAL_BROADCAST_URI=postgres://postgres:postgres@broadcast_channel:5432/postgres
+      - OPAL_POLICY_REPO_URL=https://github.com/permitio/opal-example-policy-repo
+      - OPAL_POLICY_REPO_POLLING_INTERVAL=30
+      - OPAL_DATA_CONFIG_SOURCES={"config":{"entries":[{"url":"http://opal_server:7002/policy-data","topics":["policy_data"],"dst_path":"/static"}]}}
+      - OPAL_LOG_FORMAT_INCLUDE_PID=true
+    ports:
+      - "7002:7002"
+    depends_on:
+      - broadcast_channel
+
+  opal_client_eopa:
+    image: permitio/opal-client-eopa:latest
+    environment:
+      - OPAL_SERVER_URL=http://opal_server:7002
+      - OPAL_INLINE_OPA_ENABLED=true
+      - OPAL_LOG_FORMAT_INCLUDE_PID=true
+      - OPAL_INLINE_OPA_LOG_FORMAT=http
+      # - OPAL_CLIENT_TOKEN=replace-me  # set in production
+    ports:
+      - "7766:7000"
+      - "8181:8181"
+    depends_on:
+      - opal_server
+    command: sh -c "./wait-for.sh opal_server:7002 --timeout=20 -- ./start.sh"
diff --git a/...mentation/docs/getting-started/quickstart/docker-compose-config/opal-client.mdx b/...mentation/docs/getting-started/quickstart/docker-compose-config/opal-client.mdx
@@ -49,3 +49,17 @@ OPAL **listens** to policy code update notifications and **downloads up-to-date
 
 OPAL **listens** to policy data update notifications and **fetches the data from the sources** specified by the instructions
 sent from the server. OPAL can aggregate data from multiple sources. This may include your **APIs**, **databases** and **3rd party SaaS**.
+
+
+### eOPA variant
+
+OPAL Client supports running eOPA as the inline engine.
+
+```yml showLineNumbers {3}
+service:
+  opal_client:
+    image: permitio/opal-client-eopa:latest
+```
+
+See `docker/docker-compose-example-eopa.yml` for a full example. The engine exposes the same OPA-compatible HTTP API on `:8181` while OPAL keeps policies and data synchronized.
+Read more about eOPA [here](https://github.com/open-policy-agent/eopa).