Update dependency open-policy-agent/opa to v0.65.0 #130
Open. minchine wants to merge 1 commit into main from renovate/open-policy-agent-opa-0.x
Conversation
Edited/Blocked Notification: Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. ⚠ Warning: custom changes will be lost.
This PR contains the following updates: open-policy-agent/opa `0.50.0` -> `0.65.0`

Release Notes

open-policy-agent/opa (open-policy-agent/opa)

v0.65.0
This release contains a mix of features and bugfixes.
Runtime, Tooling, SDK
Topdown and Rego
- `every` domain is a collection type before evaluation (#6762) authored by @johanfylling reported by @anderseknert
Miscellaneous
Breaking changes
A new IsSetStmt statement has been added to the intermediate representation (IR).
This is a breaking change for custom IR evaluators, which must interpret this statement in IR plans generated by this OPA version and later.
No actions are required for Wasm users, as long as Wasm modules are built by this OPA version or later.

v0.64.1
This is a bug fix release addressing the following issues:
- `macos-latest` was changed from `amd64` to `arm64` and as a result the `darwin/amd64` binary wasn't released (#6720) authored by @suzuki-shunsuke

v0.64.0
This release contains a mix of features, a new builtin function (`json.marshal_with_options()`), performance improvements, and bugfixes.
Breaking Change
Bootstrap configuration overrides Discovered configuration
Previously if Discovery was enabled, other features like bundle downloading and status reporting could not be configured manually. The reason for this was to prevent OPAs being deployed that could not be controlled through discovery. It's possible that the system serving the discovered config is unaware of all options locally available in OPA. Hence, we relax the configuration check when discovery is enabled so that the bootstrap configuration can contain plugin configurations. In case of conflicts, the bootstrap configuration for plugins wins. These local configuration overrides from the bootstrap configuration are included in the Status API messages so that management systems can get visibility into the local overrides.
In general, the bootstrap configuration overrides the discovered configuration. Previously this was not the case for all configuration fields. For example, if the discovered configuration changes the `labels` section, only labels that are additional compared to the bootstrap configuration are used; all other changes are ignored. This implies labels in the bootstrap configuration override those in the discovered configuration. But for fields such as `default_decision`, `default_authorization_decision`, `nd_builtin_cache`, the discovered configuration would override the bootstrap configuration. Now the behavior is more consistent for the entire configuration and helps to avoid accidental configuration errors. (#5722) authored by @ashutosh-narkar
Add `rego_version` attribute to the bundle manifest
A new global `rego_version` attribute is added to the bundle manifest, to inform the OPA runtime about what Rego version (`v0`/`v1`) to use while parsing/compiling contained Rego files. There is also a new `file_rego_versions` attribute which allows individual files to override the global Rego version specified by `rego_version`. When the version of the contained Rego is advertised by the bundle through this attribute, it is not required to run OPA with the `--v1-compatible` (or future `--v0-compatible`) flag in order to correctly parse, compile and evaluate the bundle's modules. A bundle's `rego_version` attribute takes precedence over any applied `--v1-compatible`/`--v0-compatible` flag. (#6578) authored by @johanfylling
Runtime, Tooling, SDK
- `opa build` was provided an entrypoint from both a CLI flag, and via entrypoint metadata annotation. (#6661) authored by @philipaconrad
- `deps` command for policies with high dependency connectivity (#6685) authored by @johanfylling
- `v1` syntax (#6689) authored by @xico42
Topdown and Rego
- `rego.v1` in `v0` support modules when applicable (#6450) authored by @johanfylling
- `json.marshal_with_options()` builtin for indented/"pretty-printed" and/or line-prefixed JSON (#6630) authored by @sean-r-williams
Docs, Website, Ecosystem
Miscellaneous
- `go` stanza of OPA's `go.mod` to `go 1.21`. OPA, used as a Go dependency, requires at least `go 1.21`, and thus works with all officially supported Go versions (`1.21.x` and `1.22.x`) (#6678) authored by @srenatus
- `upload-artifact` and `download-artifact` Github actions to the latest version (v4) (#6670) authored by @philipaconrad

v0.63.0
This release contains a mix of features, performance improvements, and bugfixes.
Runtime, Tooling, SDK
- `--timeout` flag to `opa exec` to prevent infinite hangs. (#6613) authored by @philipaconrad
Topdown and Rego
- `crypto.x509.parse_and_verify_certificates_with_options` built-in function. (#5882) authored by @yogisinha reported by @IxDay
Docs + Website + Ecosystem
- Debugging OPA (#6637) authored by @setchy
Miscellaneous

v0.62.1
This is a security fix release for the fixes published in Golang 1.22.1.
OPA servers using `--authentication=tls` would be affected: crafted malicious client certificates could cause a panic in the server.
Also, crafted server certificates could panic OPA's HTTP clients, in bundle plugin, status and decision logs; and `http.send` calls that verify TLS. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.
This is CVE-2024-24783 (https://pkg.go.dev/vuln/GO-2024-2598).
Note that there are other security fixes in this Golang release, but whether or not OPA is affected is harder to tell. An update is advised.
Miscellaneous

v0.62.0
This release contains a mix of improvements and bugfixes.
Runtime, Tooling, SDK
- `WithBundleParserOpts` method to OCI downloader (#6571) authored by @slonka
- `%!F(MISSING)` in logs by skipping calls to the `{Debug,Info,Warn,Error}f` functions when there are no arguments (#6555) authored by @srenatus
Topdown and Rego
- `raise_error` flag during input validation (#6553) authored by @ashutosh-narkar
Docs + Website + Ecosystem
- `application/yaml` instead of `application/x-yaml` as the former is now a recognized content type (#6565) authored by @anderseknert
Miscellaneous

v0.61.0
This release contains a mix of new features and bugfixes.
Runtime, SDK
- `--v1-compatible` flag to all previously unsupported command line commands (#6520) authored by @johanfylling
- `size_limit_bytes` (#6514) authored by @anderseknert reported by @dolevf
Topdown
- `http.send` cache entries periodically (#5320) authored by @rudrakhp reported by @lukyer
Docs
Miscellaneous

v0.60.0
Runtime, Tooling, SDK
- `--v1-compatible` flag. When this mode is enabled, the current release of OPA will behave as OPA `v1.0` will eventually behave by default. This flag is currently supported on the `build`, `check`, `fmt`, `eval` and `test` commands (#6478) authored by @johanfylling
- `opa fmt` where the assignment operator and term in the rule head of chain rules are removed from the re-written rule head (#6467) authored by @anderseknert
- `diff` tool with an external golang library function (#6284) authored by @colinjlacy
Topdown and Rego
- `providers.aws.sign_req` builtin command (#6456) authored by @c2zwdjnlcg
Docs
- `sprintf` builtin command when used with the `%T` marker (#6487) authored by @lcarva
Website + Ecosystem
Miscellaneous
- `Makefile` to allow custom `GOFLAGS` to be provided to the golang executable (#6458) authored by @cova-fe

v0.59.0
This release adds tooling to help prepare existing policies for the upcoming OPA 1.0 release.
It also contains a mix of improvements, bugfixes and security fixes for third-party libraries.
Rego v1
The upcoming release of OPA 1.0, which will be released at a future date, will introduce breaking changes to the Rego language. Most notably:
- `import future.keywords` into a module before use will be part of the Rego language by default, without the need to first import them.
- `if` keyword will be required before the body of a rule.
- `contains` keyword will be required when declaring a multi-value rule (partial set rule).
This current release (`0.59.0`) introduces a new `--rego-v1` flag to the `opa fmt` and `opa check` commands to facilitate the transition of existing policies to be compatible with the 1.0 syntax.
When used with `opa fmt`, the `--rego-v1` flag will format the module(s) according to the new Rego syntax in OPA 1.0. Formatted modules are compatible with both the current version of OPA and 1.0.
Modules using deprecated built-ins will terminate formatting with an error. Future versions of OPA will support rewriting applicable function calls with equivalent Rego compatible with 1.0.
When used with `opa check`, the `--rego-v1` flag will check that the modules are compatible with both the current version of OPA and 1.0.
Relevant Changes
- `--rego-v1` flag to `check` cmd (#6429) authored by @johanfylling
- `opa fmt` (#6297) authored by @johanfylling
- `rego.v1` import (#6375) (authored by @johanfylling)
- `rego.v1`) (#6356) authored by @ashutosh-narkar
- `rego.v1` import (#6247) introduced in OPA 0.58.0, authored by @johanfylling
Runtime, Tooling, SDK
- `rule_head_refs` capabilities feature flag (#6334) authored by @johanfylling
Topdown and Rego
- `strings.render_template` to render templated strings (#6371) authored by @RDVasavada
Miscellaneous

v0.58.0
This release contains a mix of performance improvements, bugfixes and security fixes for third-party libraries.
Runtime, Tooling, SDK
- `= true` as it is implied (#6323) authored by @anderseknert
- `v0.23.0` (#2266) authored by @ashutosh-narkar
- `http_request_duration_seconds` metric (#6238) authored by @AdrianArnautu
Topdown and Rego
- `walk`-ing (#6267) authored by @anderseknert
Docs
- `/`) or other special characters (#6264) authored by @dennisg
Website + Ecosystem
Miscellaneous
- `hub` tool in GitHub workflows in favor of GitHub CLI tool (#6326) authored by @ashutosh-narkar

v0.57.1
This is a bug fix release addressing the following security issues:
- Golang security fix GO-2023-2102
- OpenTelemetry-Go Contrib security fix CVE-2023-45142

v0.57.0
This release contains an updated Rego syntax to allow general references in rule heads, and a mix of new features and bugfixes.
Support for General References in Rule Heads
In OPA `0.56.0`, we introduced support for general references in rule heads as an experimental feature. It has now graduated to a fully supported feature, and is no longer experimental.
A general reference is a reference with variables at arbitrary locations.
In Rego, partial rules are used for generating sets and objects.
In previous versions of OPA, variables were only allowed in the very last position in the rule's reference.
Now, Rego has been expanded to allow rules to be declared with general references in their head, with variables at arbitrary locations.
This allows for generating nested dynamic object structures:
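A policy using general references in rule heads, as an added illustration that is not part of the Renovate PR body or of OPA's own release notes; the `users` and `role_permissions` documents are constructed sample data, and the `grants` rules are assumed names:

```rego
package example

import future.keywords.if
import future.keywords.in

# Constructed sample data (assumption, not from the release notes).
users := {
	"alice": {"roles": ["admin", "dev"]},
	"bob": {"roles": ["dev"]},
}

role_permissions := {
	"admin": ["read", "write", "delete"],
	"dev": ["read", "write"],
}

# General reference in the rule head: the variables `name` and `action` sit at
# arbitrary positions of the reference, not only in the last one, so a single
# rule builds a nested object with one entry per user, holding one key per
# action that any of the user's roles permits. The same action reached through
# two roles yields the same value, so no conflict is raised.
grants[name].permissions[action] := true if {
	some name
	some role in users[name].roles
	some action in role_permissions[role]
}

# A static segment may also follow the variable segment; this rule adds a
# sibling key next to `permissions` for every user.
grants[name].role_count := count(users[name].roles) if {
	some name
	users[name]
}
```

Evaluating `data.example.grants` with `opa eval` produces one object per user whose `permissions` keys are the union of that user's role permissions.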
v0.56.0
This release contains a mix of new features, bugfixes and a new builtin function.
Support for General References in Rule Heads (Experimental)
A new experimental feature in OPA is support for general refs in rule heads, where a general ref is a reference with variables at arbitrary locations.

v0.55.0
This release contains a mix of new features, bugfixes and a new builtin function.
Honor `default` keyword on functions
Previously if a function was defined with a `default` value, OPA would ignore it. Now the `default` function is honored if all functions with the same name are undefined. For example,
The value of a `default` function follows the same conditions as that of a `default` rule. In addition, a `default` function satisfies the following properties:
Authored by @ashutosh-narkar.
New Built-In Function: crypto.parse_private_keys
`crypto.parse_private_keys` returns zero or more private keys from the given encoded string containing DER certificate data. If the input contains a list of one or more concatenated PEM blocks, then the built-in will output the parsed private keys represented as objects.
See the documentation on the new built-in for all the details.
Authored by @volck.
Runtime, Tooling, SDK
- `discard` output format to `opa eval` which discards the result while still showing the output of eval flags like `--profile` (#6103) authored by @26tanishabanik
Topdown and Rego
- `WithRoots` compiler option that allows callers to set the roots to include in the output bundle manifest (#6088) authored by @kubaj
Docs
Website + Ecosystem
Ecosystem:
Website:
Miscellaneous
- `CRLF` line terminations in the patch output (#6069) authored by @johanfylling

v0.54.0
This release focuses on bug fixes, but also includes some improvements to the SDK and commandline.
Note: This will be the last OPA release to support building with Golang 1.18. (Golang 1.21 is expected to be released in August. Keeping the support for 1.18 is blocking OPA from upgrading OpenTelemetry.)
Topdown and Rego
- `lazyObj` when compared against other object type (6060) (authored by @johanfylling)
- `fmt` panic in comprehension with comments (#5798) authored by @Trolloldem reported by @Djoust
- `object.union_n` where nested objects were mutated (#5975) authored by @qshu-splunk
- `object.subset` method failing to correctly compare array relationships (5968) authored by @DCRUNNN
- `http.send` (#5997) authored by @ashutosh-narkar
- `time.format` and `time.parse_ns` (#5945) authored by @tjons
Runtime, Tooling, SDK
- `--schema` flag to `opa test` (#5923) authored by @renatosc

Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.