Update dependency open-policy-agent/opa to v0.65.0

[minchine]

This PR contains the following updates:

Package	Update	Change
open-policy-agent/opa	minor	0.50.0 -> 0.65.0

---

Release Notes

open-policy-agent/opa (open-policy-agent/opa)

v0.65.0

Compare Source

This release contains a mix of features and bugfixes.

Runtime, Tooling, SDK

• ast: Include annotations in rule AST, to help external tooling analyzing the AST (#​6771) authored by @​ashutosh-narkar
• aws: Always read HTTP response body, to re-use persistent connections for non-200 responses (#​6734) authored by @​johanneslarsson
• plugins/discovery: Update comparison logic for overrides (#​6723) authored by @​ashutosh-narkar
• plugins/logs: Include http request context in decision logs (#​6693) authored by @​ashutosh-narkar reported by @​stiidk
• plugins/rest: Disable the Authorization header for ECR redirects (6728) authored by @​gdlg reported by @​vazquezf2000
• runtime: Fix OpenTelemetry graceful shutdown (#​6651) authored by @​nicolaschotard and @​David-Wobrock reported by @​nicolaschotard

Topdown and Rego

• topdown: Asserting the every domain is a collection type before evaluation (#​6762) authored by @​johanfylling reported by @​anderseknert

Miscellaneous

• docs: Add arrays to composite values section (#​6727) authored by @​anderseknert reported by @​SpecLad
• docs: Add remainder operator to grammar (#​6767) authored by @​anderseknert
• docs: Fix dynamic metadata object in docs (#​6709) authored by @​antonioberben
• docs: Use best practice package name in test examples (#​6731) authored by @​asleire
• docs: Update query API doc with details about overriding the def decision path (#​6745) authored by @​ashutosh-narkar
• ci: pin GitHub Actions macos runner version and build for darwin/amd64 (#​6720) reported and authored by @​suzuki-shunsuke
• Dependency updates; notably:
  • build(go): bump golang from 1.22.2 to 1.22.3
  • build(deps): bump github.com/containerd/containerd from 1.7.15 to 1.7.17
  • build(deps): bump github.com/prometheus/client_golang
  • build(deps): bump golang.org/x/net from 0.24.0 to 0.25.0
  • build(deps): bump google.golang.org/grpc from 1.63.2 to 1.64.0

Breaking changes

A new IsSetStmt statement has been added to the intermediate representation (IR).
This is a breaking change for custom IR evaluators, which must interpret this statement in IR plans generated by this OPA version and later.
No actions are required for Wasm users, as long as Wasm modules are built by this OPA version or later.

v0.64.1

Compare Source

This is a bug fix release addressing the following issues:

• ci: Pin GitHub Actions macos runner version. The architecture of the GitHub Actions Runner macos-latest was changed from amd64 to arm64 and as a result darwin/amd64 binary wasn't released (#​6720) authored by @​suzuki-shunsuke
• plugins/discovery: Update comparison logic used in the discovery plugin for handling overrides. This fixes a panic that resulted from the comparison of uncomparable types (#​6723) authored by @​ashutosh-narkar

v0.64.0

Compare Source

NOTES:

• The minimum version of Go required to build the OPA module is 1.21

This release contains a mix of features, a new builtin function (json.marshal_with_options()), performance improvements, and bugfixes.

Breaking Change

Bootstrap configuration overrides Discovered configuration

Previously if Discovery was enabled, other features like bundle downloading and status reporting could not be configured manually.
The reason for this was to prevent OPAs being deployed that could not be controlled through discovery. It's possible that
the system serving the discovered config is unaware of all options locally available in OPA. Hence, we relax the configuration
check when discovery is enabled so that the bootstrap configuration can contain plugin configurations. In case of conflicts,
the bootstrap configuration for plugins wins. These local configuration overrides from the bootstrap configuration are included
in the Status API messages so that management systems can get visibility into the local overrides.

In general, the bootstrap configuration overrides the discovered configuration. Previously this was not the case for all
configuration fields. For example, if the discovered configuration changes the labels section, only labels that are
additional compared to the bootstrap configuration are used, all other changes are ignored. This implies labels in the
bootstrap configuration override those in the discovered configuration. But for fields such as default_decision, default_authorization_decision,
nd_builtin_cache, the discovered configuration would override the bootstrap configuration. Now the behavior is more consistent
for the entire configuration and helps to avoid accidental configuration errors. (#​5722) authored by @​ashutosh-narkar

Add rego_version attribute to the bundle manifest

A new global rego_version attribute is added to the bundle manifest, to inform the OPA runtime about what Rego version (v0/v1) to
use while parsing/compiling contained Rego files. There is also a new file_rego_versions attribute which allows individual
files to override the global Rego version specified by rego_version.

When the version of the contained Rego is advertised by the bundle through this attribute, it is not required to run OPA with the
--v1-compatible (or future --v0-compatible) flag in order to correctly parse, compile and evaluate the bundle's modules.

A bundle's rego_version attribute takes precedence over any applied --v1-compatible/--v0-compatible flag. (#​6578) authored by @​johanfylling

Runtime, Tooling, SDK

• compile: Fix panic from CLI + metadata entrypoint overlaps. The panic occurs when opa build was provided an entrypoint from both a CLI flag, and via entrypoint metadata annotation. (#​6661) authored by @​philipaconrad
• cmd/deps: Improve memory footprint and execution time of deps command for policies with high dependency connectivity (#​6685) authored by @​johanfylling
• server: Keep default decision path in-sync with manager's config (#​6697) authored by @​ashutosh-narkar
• server: Remove unnecessary AST-to-JSON conversions (#​6665) and (#​6669) authored by @​koponen-styra
• sdk: Allow customizations of the plugin manager via SDK (#​6662) authored by @​xico42
• sdk: Fix issue where active parser options aren't propagated to module reload during bundle activation resulting in errors while activating bundles with v1 syntax (#​6689) authored by @​xico42
• plugins/rest: Close response body in OAuth2 client credentials flow (#​6708) authored by @​johanneslarsson

Topdown and Rego

• ast: Import rego.v1 in v0 support modules when applicable (#​6450) authored by @​johanfylling
• rego: Set query Rego version from configured imports (#​6701) authored by @​johanfylling
• topdown: New json.marshal_with_options() builtin for indented/"pretty-printed" and/or line-prefixed JSON (#​6630) authored by @​sean-r-williams

Docs, Website, Ecosystem

• Add Raygun to ecosystem projects (#​6712) authored by @​johndbro1
• Add env0 to ecosystem projects (#​6658) authored by @​yarivg
• Add Rego Language Comparisons to ecosystem projects (#​6663) authored by @​charlieegan3
• docs/configuration: Tidy up headers in Services section (#​6695) authored by @​tsandall
• docs: Use cuboid rather than cube to explain concepts of sets and composite values in policy-language section of documentation (#​6691) authored by @​kd-labs

Miscellaneous

• go.{mod,sum}: Update the go stanza of OPA's go.mod to go 1.21. OPA, used as Go dependency, requires at least go 1.21, and thus works with all officially supported Go versions (1.21.x and 1.22.x) (#​6678) authored by @​srenatus
• ci: Update Github Actions for Node 20. This change updates the upload-artifact and download-artifact Github actions to the latest version (v4) (#​6670) authored by @​philipaconrad
• build: Update WASM Rego test generation docker command to address CVE-2022-24765 in Git (#​6703) authored by @​ashutosh-narkar
• Dependency updates; notably:
  • build(go): bump 1.22.1 -> 1.22.2 (#​6672) authored by @​srenatus
  • build(deps): bump aquasecurity/trivy-action from 0.18.0 to 0.19.0
  • build(deps): bump github.com/containerd/containerd from 1.7.14 to 1.7.15
  • build(deps): bump github.com/prometheus/client_model from 0.5.0 to 0.6.1
  • build(deps): bump golang.org/x/net from 0.22.0 to 0.24.0
  • build(deps): bump google.golang.org/grpc from 1.62.1 to 1.63.2

v0.63.0

Compare Source

This release contains a mix of features, performance improvements, and bugfixes.

Runtime, Tooling, SDK

• cmd/exec: Add --timeout flag to opa exec to prevent infinite hangs. (#​6613) authored by @​philipaconrad
• download: Surface bundle download errors via debug logging (#​6609) authored by @​ashutosh-narkar reported by @​nevumx
• topdown: Fixing overactive Early Exit suppression (#​6566) authored by @​johanfylling reported by @​ashwinhb
• plugins/rest: Add support to get temp creds via AssumeRole (#​6634) authored by @​ashutosh-narkar

Topdown and Rego

• topdown: Adding a new crypto.x509.parse_and_verify_certificates_with_options built-in function. (#​5882) authored by @​yogisinha reported by @​IxDay
• format: Preserve brackets around set union operation (#​6588) authored by @​ashutosh-narkar reported by @​HarshPathakhp
• aws: Support for Unsigned Payload or provided content sha256 in AWS signing (#​6581) authored by @​prasanthj

Docs + Website + Ecosystem

• ADOPTERS.md: Add Facets.cloud to the list (#​6640) authored by @​ashutosh-narkar reported by @​samarthya-gupta1
• docs: Mention homebrew install option (#​6622) authored by @​anderseknert
• docs: Add Rego v1 keywords to list of reserved names (#​6649) authored by @​anderseknert
• docs: Add Tunnelmole as an open source tunneling option in the Cloudformation hooks documentation (#​6626) authored by @​robbie-cahill
• docs: Add docs on using env vars in place of CLI flags (#​6631) authored by @​anderseknert
• docs: Adding integration for Backstage (#​6629) authored by @​Parsifal-M
• docs: Clear up some uses of future keywords (#​6653) authored by @​charlieegan3
• docs: Update delta bundle patch doc for remove op (#​6645) authored by @​0marq
• docs: Fix typo in Debugging OPA (#​6637) authored by @​setchy

Miscellaneous

• chore: Remove repetitive words (#​6644) authored by @​occupyhabit
• Dependency updates; notably:
  • build(deps): bump github.com/containerd/containerd from 1.7.13 to 1.7.14
  • build(deps): bump github.com/golang/protobuf from 1.5.3 to 1.5.4
  • build(deps): bump google.golang.org/grpc from 1.62.0 to 1.62.1

v0.62.1

Compare Source

This is a security fix release for the fixes published in Golang 1.22.1.

OPA servers using --authentication=tls would be affected: crafted malicious client
certificates could cause a panic in the server.

Also, crafted server certificates could panic OPA's HTTP clients, in bundle plugin,
status and decision logs; and http.send calls that verify TLS.

This affects all crypto/tls clients, and servers that set Config.ClientAuth to
VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is
for TLS servers to not verify client certificates.

This is CVE-2024-24783 (https://pkg.go.dev/vuln/GO-2024-2598).

Note that there are other security fixes in this Golang release, but whether or not
OPA is affected is harder to tell. An update is advised.

Miscellaneous

• Add Trino to OPA ecosystem (authored by @​mosabua)
• update: ADOPTERS.md (#​6608) (authored by @​fredmaggiowski)

v0.62.0

Compare Source

NOTES:

• The minimum version of Go required to build the OPA module is 1.20

This release contains a mix of improvements and bugfixes.

Runtime, Tooling, SDK

• cmd: Add environment variable backups for command-line flags (#​6508) authored by @​colinjlacy
• download/oci: Add missing WithBundleParserOpts method to OCI downloader (#​6571) authored by @​slonka
• logging: avoid %!F(MISSING) in logs by skipping calls to the {Debug,Info,Warn,Error}f functions when there are no arguments (#​6555) authored by @​srenatus

Topdown and Rego

• ast+cmd: Allow bundle to contain calls to unknown Rego functions when inspected (#​6591) authored by @​johanfylling
• topdown/http: Respect raise_error flag during input validation (#​6553) authored by @​ashutosh-narkar

Docs + Website + Ecosystem

• Add OpaDotNet to ecosystem projects (#​6554) authored by @​me-viper
• Add updated logos for Permit.io and OPAL (#​6562) authored by @​danielbass37
• docs: Update description of the url path usage when accessing values inside object and array documents for v1/data GET and POST (#​6567) authored by @​ashutosh-narkar
• docs: Use application/yaml instead of application/x-yaml as the former is now a recognized content type (#​6565) authored by @​anderseknert

Miscellaneous

• Add Elastic to ADOPTERS.md (#​6568) authored by @​orouz
• Dependency updates; notably:
  • bump golang 1.21.5 -> 1.22 (#​6595) authored by @​srenatus
  • bump google.golang.org/grpc from 1.61.0 to 1.62.0
  • bump golang.org/x/net from 0.19.0 to 0.21.0
  • bump github.com/containerd/containerd from 1.7.12 to 1.7.13
  • bump aquasecurity/trivy-action from 0.16.1 to 0.17.0
  • bump github.com/prometheus/client_golang from 1.18.0 to 1.19.0
  • bump github.com/opencontainers/image-spec from 1.1.0-rc5 to 1.1.0-rc6

v0.61.0

Compare Source

This release contains a mix of new features and bugfixes.

Runtime, SDK

• Adding --v1-compatible flag to all previously unsupported command line commands (#​6520) authored by @​johanfylling
• Don't load files in tarball exceeding size_limit_bytes (#​6514) authored by @​anderseknert reported by @​dolevf
• Allow TLS cipher suites to be set for the OPA server (#​6537) authored by @​ashutosh-narkar
• Removing deprecated fields and functions related to rego-v1 compatibility (#​6542) authored by @​johanfylling
• bundle: Make func newDescriptor and withCloser public (#​6517) authored by @​antgubarev
• runtime/logging: Do not panic when rctx is missing (#​6506) authored by @​srenatus

Topdown

• topdown: Clean expired http.send cache entries periodically (#​5320) authored by @​rudrakhp reported by @​lukyer

Docs

• docs: Add documentation for new cache config parameters (#​6518) authored by @​rudrakhp
• docs: Update docker-authorization.md to use new plugin version (#​6539) authored by @​denis-accesa
• docs: Fix a typo in _index.md (#​6491) authored by @​trungnguyen
• docs: Add a new debugging page (#​6513) authored by @​charlieegan3
• docs: Update log masking policy examples to be Rego v1 compatible (#​6545) authored by @​ashutosh-narkar
• docs: Update version for non docs pages (#​6526) authored by @​charlieegan3
• Integrations, Ecosystem:
  • docs: Add dependency-management-data logo (#​6543) authored by @​jamietanna
  • docs: Updated Rond links (#​6524) authored by @​ugho16
  • docs: Correctly size integration logos (#​6544) authored by @​charlieegan3
  • docs: Validate ecosystem keys (#​6522) authored by @​charlieegan3

Miscellaneous

• linters+testdata: Reformat all yaml testcases for linting. (#​6511) authored by @​philipaconrad
• Dependency updates, notably:
  • bump github.com/containerd/containerd from 1.7.11 to 1.7.12
  • bump github.com/go-logr/logr from 1.3.0 to 1.4.1
  • bump github.com/google/uuid from 1.5.0 to 1.6.0
  • bump github.com/prometheus/client_golang from v1.16.0 to v1.18.0
  • bump google.golang.org/grpc from 1.60.1 to 1.61.0

v0.60.0

Compare Source

Runtime, Tooling, SDK

• OPA can be run in 1.0 compatibility mode by using the new --v1-compatible flag. When this mode is enabled, the current release of OPA will behave as OPA v1.0 will eventually behave by default. This flag is currently supported on the build, check, fmt, eval and test commands (#​6478) authored by @​johanfylling
• Extend the telemetry report to include the minimum compatible version of policies loaded into OPA (#​6361) co-authored by @​srenatus and @​ashutosh-narkar
• server: Support fsnotify based reloading of certificate, key and CA cert pool when they change on disk (#​5788) authored by @​charlieegan3
• Add option on the unit test runner to surface builtin errors. This should help with debugging errors generated while running unit tests (#​6489) authored by @​jalseth
• Fix issue in opa fmt where the assignment operator and term in the rule head of chain rules are removed from the re-written rule head (#​6467) authored by @​anderseknert
• cmd/fmt: Replace dependency on diff tool with an external golang library function (#​6284) authored by @​colinjlacy

Topdown and Rego

• topdown/providers: Preserve user provided http headers in the providers.aws.sign_req builtin command (#​6456) authored by @​c2zwdjnlcg
• rego: Allow custom builtin function registration to provide a description for the builtin (#​6449) authored by @​lcarva
• ast+cmd: Allow bundle to contain calls to unknown functions when inspected (#​6457) authored by @​johanfylling

Docs

• Add section on the changes proposed for a future OPA v1.0 and update Rego examples to be OPA v1.0 compliant(#​6453) authored by @​johanfylling
• Clarify behavior of the sprintf builtin command when used with the %T marker (#​6487) authored by @​lcarva

Website + Ecosystem

• Ecosystem: Digger (#​6464) authored by @​anderseknert

Miscellaneous

• Update Makefile to allow custom GOFLAGS to be provided to the golang executable (#​6458) authored by @​cova-fe
• Dependency updates; notably:
  • bump golang 1.21.4 -> 1.21.5 (#​6460) authored by @​srenatus
  • bump aquasecurity/trivy-action from 0.14.0 to 0.16.0
  • bump github.com/containerd/containerd from 1.7.9 to 1.7.11
  • bump google.golang.org/grpc from 1.59.0 to 1.60.1
  • bump github.com/google/uuid from 1.4.0 to 1.5.0

v0.59.0

Compare Source

This release adds tooling to help prepare existing policies for the upcoming OPA 1.0 release.
It also contains a mix of improvements, bugfixes and security fixes for third-party libraries.

NOTES:

• All published OPA images now run with a non-root uid/gid. The uid:gid is set to 1000:1000 for all images. As a result
  there is no longer a need for the -rootless image variant and hence it will not be published as part of future releases.
  This change is in line with container security best practices. OPA can still be run with root privileges by explicitly setting the user,
  either with the --user argument for docker run, or by specifying the securityContext in the Kubernetes Pod specification.

Rego v1

The upcoming release of OPA 1.0, which will be released at a future date, will introduce breaking changes to the Rego language. Most notably:

• the keywords that currently must be imported through import future.keywords into a module before use will be part of the Rego language by default, without the need to first import them.
• the if keyword will be required before the body of a rule.
• the contains keyword will be required when declaring a multi-value rule (partial set rule).
• deprecated built-in functions will be removed.

This current release (0.59.0) introduces a new --rego-v1 flag to the opa fmt and opa check commands to facilitate the transition of existing policies to be compatible with the 1.0 syntax.

When used with opa fmt, the --rego-v1 flag will format the module(s) according to the new Rego syntax in OPA 1.0.
Formatted modules are compatible with both the current version of OPA and 1.0.
Modules using deprecated built-ins will terminate formatting with an error. Future versions of OPA will support rewriting applicable function calls with equivalent Rego compatible with 1.0.

When used with opa check, the --rego-v1 flag will check that the modules are compatible with both the current version of OPA and 1.0.

Relevant Changes

• cmd: Adding --rego-v1 flag to check cmd (#​6429) authored by @​johanfylling
• cmd & format: Adding rego-v1 mode to opa fmt (#​6297) authored by @​johanfylling
• ast: Adding capability feature for the rego.v1 import (#​6375) (authored by @​johanfylling)
• ast: Skip if keyword requirement for default rule (rego.v1) (#​6356) authored by @​ashutosh-narkar
• rego.v1: Fixing erroneous missing value assignment error (#​6364) authored by @​johanfylling
• rego.v1: Improving support for rules with chained bodies (#​6370) authored by @​johanfylling
• ast: Add rego.v1 import (#​6247) introduced in OPA 0.58.0, authored by @​johanfylling

Runtime, Tooling, SDK

• ast: Adding rule_head_refs capabilities feature flag (#​6334) authored by @​johanfylling
• build: Remove rootless image variant (#​4295) authored by @​ashutosh-narkar
• discovery: Make status updates non blocking (#​6345) (#​6343) authored by @​charlieegan3
• plugins/rest: Masks X-AMZ-SECURITY-TOKEN header in decision logs (#​5848) authored by @​colinjlacy reported by @​jwineinger
• wasm: Fix re2 bug (#​6376) authored by @​srenatus reported by @​sandhose
• ast: Add ExcludeLocationFile JSON marshalling option (#​6398) (authored by @​anderseknert)
• cmd: Add options to the filter to only load rego files (#​6317) authored by @​tjons
• ast: Add minimum compatible version computation to compiler (#​6348) authored by @​tsandall
• internal/planner: Insert general ref head objects starting from the leaves, not root. (#​6401) authored by @​srenatus
• internal/planner: Don't plan superfluous Equal/NotEqualStmts (#​6386) authored by @​srenatus

Topdown and Rego

• ast: Allowing packages to be declared within the dynamic extent of a rule (#​6387) authored by @​johanfylling
• ast: Disallow root document shadowing in leading term of rule refs (#​6291) authored by @​johanfylling
• topdown: Add a new builtin function strings.render_template to render templated strings (#​6371) authored by @​RDVasavada
• topdown/crypto: Add URIStrings field to JSON certs (#​6416) authored by @​charlieegan3 reported by @​kenjenkins
• ast: change ident token string (#​6435) authored by @​tsandall

Miscellaneous

• chore: Fix IDE warnings and remove usage of several deprecated fields. (#​6397) authored by @​willbeason
• chore: Disable verbose output in wasm-sdk-e2e-test (#​6434) authored by @​tsandall
• deps: group otel deps (#​6407) authored by @​srenatus
• test: add environment variable tests (#​6420) authored by @​robhafner
• Docs & Website:
  • docs: Add dependency-management-data to the Ecosystem (#​6436) authored by @​jamietanna
  • docs: Add docs for dynamic_metadata feature in opa-envoy-plugin (#​6389) authored by @​tjons
  • docs: Fixed XACML Policy in documentation (Comparing to Other Systems) to be XACML 3.0 compliant (#​6438) authored by @​cdanger
  • docs: Update docs on rego.v1 / OPA 1.0 (#​6365) authored by @​anderseknert
  • docs: Update spinnaker integration (#​6414) authored by @​charlieegan3
  • docs: Add legitify to ecosystem (#​6369) authored by @​charlieegan3
  • docs: add cheat sheet link (#​6362) authored by @​charlieegan3
  • docs: add newstack blog to regal (#​6372) authored by @​charlieegan3
  • docs: Disk storage broken link (#​6425) authored by @​francoisauclair911
  • docs: Update istio envoy tutorial to use AuthorizationPolicy (#​6426) authored by @​tjons
• Dependency updates; notably:
  • golang from 1.21.3 to 1.21.4
  • OpenTelemetry (contrib) 1.21.0/0.46.1

v0.58.0

Compare Source

NOTES:

• All published OPA images now run with a non-root uid/gid. The uid:gid is set to 1000:1000 for all images. As a result
  there is no longer a need for the -rootless image variant and hence it will not be published as part of future releases.
  This change is in line with container security best practices. OPA can still be run with root privileges by explicitly setting the user,
  either with the --user argument for docker run, or by specifying the securityContext in the Kubernetes Pod specification.

This release contains a mix of performance improvements, bugfixes and security fixes for third-party libraries.

Runtime, Tooling, SDK

• cmd/test: Display lines not covered if code coverage threshold not met in verbose reporting mode (#​2562) authored by @​johanfylling
• cmd/test: Don't round up test coverage calculation as it could lead to inaccurate code coverage results (#​6307) authored by @​anderseknert
• cmd/fmt: Don't format functions without a value to include = true as it is implied (#​6323) authored by @​anderseknert
• server: Remove deprecated partial query parameter from REST API. This option has been deprecated since v0.23.0 (#​2266) authored by @​ashutosh-narkar
• Add support for configurable prometheus buckets for the http_request_duration_seconds metric (#​6238) authored by @​AdrianArnautu
• plugins/bundle: Update bundle plugin state on a reconfigure operation when existing bundle is not modified (#​6311) authored by @​asadk12
• internal/pathwatcher: Fix how paths to watch by a fsnotify watcher are determined to avoid monitoring unintended directories and files (#​6277) authored by @​ashutosh-narkar

Topdown and Rego

• topdown: Fix issue with build optimization producing support modules with forbidden characters in first var of rule ref (#​6338) authored by @​johanfylling
• topdown: Fix panic in build optimization when policy contains rules with a general ref in the head (#​6339) authored by @​johanfylling
• topdown: Avoid unnecessary conversion of small numbers by caching them and thereby helping to speed up some arithmetic operations (#​6021) authored by @​ashutosh-narkar
• ast+rego: Disable compiler stages for IR-based eval paths (#​6335) authored by @​srenatus
• built-in/walk: Skip path creation if path is assigned a wildcard to achieve faster walk-ing (#​6267) authored by @​anderseknert
• ast: Add regression test for edge case where partial rule hides recursion cycle (#​6318) authored by @​johanfylling

Docs

• Drop EXPERIMENTAL status of reported prom metrics (#​6298) authored by @​ashutosh-narkar
• Update documentation on GCS bundles for case where the resource (the object in the GCS bucket) contains slashes (/) or other special characters (#​6264) authored by @​dennisg
• Provide a more clear description of negation in the policy language section (#​6275) authored by @​gusega

Website + Ecosystem

• Fix un-versioned built-in docs issue so that only the built-ins for a given doc version are displayed (#​6269) authored by @​charlieegan3

Miscellaneous

• ci: Remove hub tool in GitHub workflows in favor of GitHub CLI tool (#​6326) authored by @​ashutosh-narkar
• Dependency updates; notably:
  • bump go.opentelemetry.io modules (#​6292) authored by @​cksidharthan
  • aquasecurity/trivy-action from 0.12.0 to 0.13.0
  • github.com/containerd/containerd from 1.7.6 to 1.7.7
  • github.com/fsnotify/fsnotify from 1.6.0 to 1.7.0
  • golang.org/x/net from 0.15.0 to 0.17.0
  • google.golang.org/grpc from 1.58.2 to 1.59.0 (addresses vulnerability GHSA-m425-mq94-257g)
  • oras.land/oras-go/v2 from 2.3.0 to 2.3.1
  • sigs.k8s.io/yaml from 1.3.0 to 1.4.0

v0.57.1

Compare Source

This is a bug fix release addressing the following security issues:

Golang security fix GO-2023-2102

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption.

OpenTelemetry-Go Contrib security fix CVE-2023-45142

Denial of service in otelhttp due to unbound cardinality metrics.

v0.57.0

Compare Source

This release contains an updated Rego syntax to allow general references in rule heads, and a mix of new features and bugfixes.

Support for General References in Rule Heads

In OPA 0.56.0, we introduced support for general references in rule heads as an experimental feature.
It has now graduated to a fully supported feature, and is no longer experimental.

A general reference is a reference with variables at arbitrary locations.
In Rego, partial rules are used for generating sets and objects.
In previous versions of OPA, variables were only allowed in the very last position in the rule's reference.
Now, Rego has been expanded to allow rules to be declared with general references in their head, with variables at arbitrary locations.
This allows for generating nested dynamic object structures:

package example

import future.keywords

v0.56.0

Compare Source

This release contains a mix of new features, bugfixes and a new builtin function.

Support for General References in Rule Heads (Experimental)

A new experimental feature in OPA is support for general refs in rule heads. Where a general ref is a reference with variables at arbitrary locations.

package example

import future.keywords

v0.55.0

Compare Source

NOTES:

• All published OPA images now run with a non-root uid/gid. The uid:gid is set to 1000:1000 for all images. As a result
  there is no longer a need for the -rootless image variant and hence it will be not be published as part of future releases.
  This change is in line with container security best practices. OPA can still be run with root privileges by explicitly setting the user,
  either with the --user argument for docker run, or by specifying the securityContext in the Kubernetes Pod specification.

• The minimum version of Go required to build the OPA module is 1.19

This release contains a mix of new features, bugfixes and a new builtin function.

Honor default keyword on functions

Previously if a function was defined with a default value, OPA would ignore it. Now the default function is honored
if all functions with the same name are undefined. For example,

package example

default clamp_positive(x) := 0

clamp_positive(x) = x {
    x > 0
}

$ opa eval -d example.rego 'data.example.clamp_positive(1)' -f pretty
1

$ opa eval -d example.rego 'data.example.clamp_positive(-1)' -f pretty
0

The value of a default function follows the same conditions as that of a default rule. In addition, a default
function satisfies the following properties:

• same arity as other functions with the same name
• arguments should only be plain variables ie. no composite values
• argument names should not be repeated

NOTE:

default functions used to be previously ignored. If existing policies contain default functions, ensure that they conform
to the properties mentioned above. Otherwise, those policies will fail to evaluate.

Authored by @​ashutosh-narkar.

New Built-In Function: crypto.parse_private_keys

crypto.parse_private_keys returns zero or more private keys from the given encoded string containing DER certificate data.
If the input contains a list of one or more concatenated PEM blocks, then the built-in will output the parsed private keys
represented as objects.

See the documentation on the new built-in
for all the details.

Authored by @​volck.

Runtime, Tooling, SDK

• plugins/rest: Add AWS KMS support for OAuth2 Client Credentials JWT authentication (#​5942) authored by @​prasanthu
• sdk: Update input object to conform to the format expected by decision log masking (#​6090) authored by @​epaulson10
• sdk: Add option for specifying decision ID to SDK. Users can use this to control the ID that gets included in the decision logs (#​6101) authored by @​brianchhun-chime
• cmd: Add discard output format to opa eval which discards the result while still showing the output of eval flags like --profile (#​6103) authored by @​26tanishabanik
• Make rootless deprecation messages more explicit as all published OPA images now run with non-root uid/gid (#​6091) authored by @​charlieegan3
• download/oci: Add support for Docker Registry v2 authentication scheme (#​6045) authored by @​gitu and @​DerGut
• plugins/discovery: Ensure discovery plugin doesn't erase its own config on the plugin manager (#​6070) authored by @​blacksails

Topdown and Rego

• ast: Add WithRoots compiler option that allows callers to set the roots to include in the output bundle manifest (#​6088) authored by @​kubaj
• rego: Parse store modules iff modules set on the Rego object. This change assumes that while using the Rego package, the compiler and store are kept in-sync, and thereby attempts to avoid a race during the compilation process (#​6081) authored by @​ashutosh-narkar

Docs

• docs/envoy: Update the standalone Envoy tutorial to use kind, updated Envoy version etc. (#​6105) authored by @​charlieegan3

Website + Ecosystem

• Ecosystem:

  • Carbonetes BrainIAC (#​6073) authored by @​jaysonsantos05

• Website:

  • Reorganize relevant doc sections and OPA Ecosystem projects to have a closer integration between them (#​6064) authored by @​charlieegan3

Miscellaneous

• chore: Update comments on some exported functions and clean up instances where the same package was imported multiple times (authored by @​testwill)
• Fix issue in the OPA release patch scripts related to CRLF line terminations in the patch output (#​6069) authored by @​johanfylling
• Dependency bumps, notably:
  • golang from 1.20.5 to 1.20.6
  • oras.land/oras-go/v2 from 2.2.0 to 2.2.1
  • google.golang.org/grpc from 1.56.1 to 1.56.2
  • github.com/containerd/containerd from 1.6.19 to 1.7.2
  • golang.org/x/net from 0.11.0 to 0.12.0
  • go.uber.org/automaxprocs from 1.5.2 to 1.5.3
  • go.opentelemetry.io/otel from v1.14.0 to v1.16.0 (#​6062) authored by @​srenatus with feedback from @​ghaskins and @​zregvart

v0.54.0

Compare Source

This release focuses on bug fixes, but also includes some improvements to the SDK and commandline.

Note: This will be the last OPA release to support building with Golang 1.18. (Golang 1.21 is expected to be released in August. Keeping the support for 1.18 is blocking OPA from upgrading OpenTelemetry.)

Topdown and Rego

• Add unwrap functionality to topdown.Error (#​5890) authored by @​ajith-sub reported by @​ajith-sub
• Lazy obj performance (#​6009) authored by @​johanfylling reported by @​kubaj
• ast: Only realizing lazyObj when compared against other object type (6060) (authored by @​johanfylling)
• ast: Fixing issue in type-checker where partial objects couldn't have key overrides of divergent type (#​5972) authored by @​johanfylling
• planner: CallDynamic regression fix (#​5964) authored by @​srenatus
• fmt: Fix fmt panic in comprehension with comments (#​5798) authored by @​Trolloldem reported by @​Djoust
• topdown: Format integer numbers without exponent (#​6013) authored by @​kenjenkins reported by @​kenjenkins
• topdown: Fix panic in partial eval with ref head rule (#​6027) authored by @​srenatus
• Fixed a bug in object.union_n where nested objects were mutated (#​5975) authored by @​qshu-splunk
• Fixed the issue of the object.subset method failing to correctly compare array relationships (5968) authored by @​DCRUNNN
• topdown: Fixed caching race condition issue in http.send (#​5997) authored by @​ashutosh-narkar
• Allow time formatting constants in rego time.format and time.parse_ns (#​5945) authored by @​tjons

Runtime, Tooling, SDK

• Add --schema flag to opa test (#​5923) authored by @​renatosc
• Add ability to specify namespace for optimized files (#​5933) authored by @​ashutosh-narkar reported by @​deezkay
• Fix for the issue when OPA throws misleading error (storage_not_found_error) message while loading the delta bundle when per

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[minchine]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠ Warning: custom changes will be lost.