Bundle Signing
OPA now supports digital signatures for policy bundles. A signed bundle is a normal OPA bundle that additionally contains a file named `.signatures.json`; that file lists the files the bundle must contain together with their SHA digests, and the list is signed so that neither it nor the files it covers can be altered without detection. When OPA receives a new bundle, it checks that the bundle was signed with a key that OPA has been configured with out-of-band, so the trust root is the verifier's key configuration, not anything shipped inside the bundle. Only if that verification succeeds does OPA activate the new bundle. Otherwise OPA keeps using its existing bundle (fail closed) and reports the activation failure via the status API and error logging, so a tampered or mis-signed bundle is visible to monitoring rather than silently ignored. For more information see https://openpolicyagent.org/docs/latest/management/#signing. Many thanks to @ashish246, who co-designed the feature and provided valuable input to the development process with his proof-of-concept #1757.
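As an added illustration of the verify-then-activate flow described above (this is example code written for this page, not OPA's implementation, and its manifest layout is deliberately simplified; OPA's real `.signatures.json` format is described at the link above), the following Go program signs a constructed bundle and shows the three checks a verifier has to make: the signature under the out-of-band key, the digest of every listed file, and the absence of any file the manifest does not list. `SignBundle`, `VerifyBundle`, `Activate` and the choice of Ed25519 are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// FileDigest names one bundle file and the SHA-256 digest its contents must have.
type FileDigest struct {
	Name string `json:"name"`
	Hash string `json:"hash"`
}

// Manifest is the signed payload: the complete list of files the bundle may contain.
type Manifest struct {
	Files []FileDigest `json:"files"`
}

// SignedManifest is what this example's signatures file holds (simplified layout).
type SignedManifest struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// SignBundle runs on the producer side: digest every file in a stable order, sign the manifest.
func SignBundle(files map[string][]byte, priv ed25519.PrivateKey) (SignedManifest, error) {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var m Manifest
	for _, n := range names {
		m.Files = append(m.Files, FileDigest{Name: n, Hash: sha256Hex(files[n])})
	}
	payload, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifyBundle runs on the consumer side with a public key configured out-of-band. It accepts
// only if the signature verifies, every listed file has its listed digest, and no unlisted file exists.
func VerifyBundle(files map[string][]byte, sm SignedManifest, pub ed25519.PublicKey) error {
	if !ed25519.Verify(pub, sm.Payload, sm.Signature) {
		return errors.New("manifest signature does not verify under the configured key")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Payload, &m); err != nil {
		return fmt.Errorf("malformed manifest: %w", err)
	}
	listed := make(map[string]bool, len(m.Files))
	for _, f := range m.Files {
		data, ok := files[f.Name]
		if !ok {
			return fmt.Errorf("file %q is listed in the manifest but missing from the bundle", f.Name)
		}
		if sha256Hex(data) != f.Hash {
			return fmt.Errorf("digest mismatch for %q", f.Name)
		}
		listed[f.Name] = true
	}
	for n := range files {
		if !listed[n] {
			return fmt.Errorf("file %q is not covered by the signed manifest", n)
		}
	}
	return nil
}

// Activate models the fail-closed rule: a candidate that fails verification is not
// activated and the currently active bundle stays in force.
func Activate(current, candidate map[string][]byte, sm SignedManifest, pub ed25519.PublicKey) (map[string][]byte, error) {
	if err := VerifyBundle(candidate, sm, pub); err != nil {
		return current, fmt.Errorf("bundle activation failed: %w", err)
	}
	return candidate, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	bundle := map[string][]byte{"policy.rego": []byte("package authz\n\ndefault allow = false\n")} // constructed
	sm, _ := SignBundle(bundle, priv)
	bundle["policy.rego"] = []byte("package authz\n\ndefault allow = true\n") // tamper after signing
	fmt.Println(VerifyBundle(bundle, sm, pub))
}
```

The third check (rejecting files the manifest does not list) is what makes the manifest "dictate which files should be included": without it, an attacker who cannot forge a signature could still smuggle an extra policy file alongside a genuinely signed set.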
Optimization Levels
`opa build` now supports multiple optimization levels. The first level (`--optimize=1`) enables constant folding (based on partial evaluation) that only inlines values that can be computed entirely at build time. The second level (`--optimize=2`) enables the existing, more aggressive form of partial evaluation that eagerly inlines as much of the policy as possible. For more information on the optimization levels see the Optimization Levels section in the documentation.
Built-in Functions
`numbers.range` (#2479) was added to support policies that need to generate a range of integers (e.g., a network port range). `semver.is_valid` and `semver.compare` (#2538) were added to support policies that need to validate and compare semantic version numbers (authored by @charlieegan3).
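As an added example (written for this page, not OPA's own code), here is a stand-alone Go reimplementation of what these built-ins compute, so that the precedence rules a version-gating policy relies on can be checked by hand. `SemverIsValid` and `SemverCompare` follow the semver 2.0.0 grammar and precedence rules (numeric pre-release identifiers sort below alphanumeric ones, a pre-release sorts below its release, build metadata is ignored); `NumbersRange` is an inclusive integer range, and its counting-down behaviour when the start exceeds the end is an assumption about the built-in, not something this page states.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Grammar from the semver 2.0.0 specification. Groups: 1 major, 2 minor, 3 patch,
// 4 dot-separated pre-release identifiers, 5 build metadata (ignored for precedence).
var semverRE = regexp.MustCompile(`^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)` +
	`(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?` +
	`(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$`)

func parseVersion(s string) (nums [3]int, pre []string, ok bool) {
	m := semverRE.FindStringSubmatch(s)
	if m == nil {
		return nums, nil, false
	}
	for i := range nums {
		nums[i], _ = strconv.Atoi(m[i+1]) // shape already enforced by the regexp
	}
	if m[4] != "" {
		pre = strings.Split(m[4], ".")
	}
	return nums, pre, true
}

// SemverIsValid plays the role of semver.is_valid: strict, so "1.2", "01.2.3" and "v1.2.3" fail.
func SemverIsValid(s string) bool {
	_, _, ok := parseVersion(s)
	return ok
}

func cmpInt(a, b int) int {
	switch {
	case a < b:
		return -1
	case a > b:
		return 1
	}
	return 0
}

// SemverCompare plays the role of semver.compare: -1, 0 or 1 by semver precedence.
func SemverCompare(a, b string) (int, error) {
	na, pa, oka := parseVersion(a)
	nb, pb, okb := parseVersion(b)
	if !oka || !okb {
		return 0, fmt.Errorf("invalid semantic version in %q, %q", a, b)
	}
	for i := range na {
		if c := cmpInt(na[i], nb[i]); c != 0 {
			return c, nil
		}
	}
	// A pre-release sorts below its release: whichever side has identifiers is lower.
	if len(pa) == 0 || len(pb) == 0 {
		return cmpInt(len(pb), len(pa)), nil
	}
	for i := 0; i < len(pa) && i < len(pb); i++ {
		// The grammar forbids signs and leading zeros, so ParseUint succeeds exactly for numeric identifiers.
		xi, xerr := strconv.ParseUint(pa[i], 10, 63)
		yi, yerr := strconv.ParseUint(pb[i], 10, 63)
		var c int
		switch {
		case xerr == nil && yerr == nil: // both numeric: compare as numbers
			c = cmpInt(int(xi), int(yi))
		case xerr == nil: // numeric sorts below alphanumeric
			c = -1
		case yerr == nil:
			c = 1
		default: // both alphanumeric: ASCII order
			c = strings.Compare(pa[i], pb[i])
		}
		if c != 0 {
			return c, nil
		}
	}
	return cmpInt(len(pa), len(pb)), nil // same prefix: the shorter list sorts lower
}

// NumbersRange plays the role of numbers.range: inclusive at both ends and counting
// down when the start exceeds the end (assumed here to match the built-in).
func NumbersRange(a, b int) []int {
	step := cmpInt(b, a) // +1 ascending, -1 descending, 0 when a == b
	out := []int{a}
	for n := a; n != b; {
		n += step
		out = append(out, n)
	}
	return out
}

func main() {
	c, _ := SemverCompare("1.0.0-rc.1", "1.0.0")
	fmt.Println(SemverIsValid("1.2.3"), SemverIsValid("v1.2.3"), c, NumbersRange(8080, 8083))
}
```

The strictness matters for policy: a "minimum version" rule written as `semver.compare(input.version, "1.4.0") >= 0` is only meaningful if versions such as "v1.4" or "1.4.0-rc.1" are handled deliberately (rejected by `is_valid`, or recognised as sorting below the release) rather than silently passing.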
WebAssembly
- All String built-in functions (except `sprintf`) are now implemented natively inside of Wasm-compiled policies.
Fixes
- A few small issues in the Go integration and `rego` package examples have been resolved (#2294 and #2367, authored by @gaga5lala).
- The Kubernetes Admission Controller tutorial has been updated to work with recent versions of Kubernetes (#2467, authored by @gaga5lala).
- A few issues in partial evaluation around negation inlining and partial rules have been resolved (e.g., #2492, #2491).
Miscellaneous
- OPA now supports IMDSv2 for the AWS metadata service (#2482, authored by @nhw76). IMDSv2 requires a session token, obtained with a PUT request, on every metadata request, which makes credential theft through SSRF-style GETs against the metadata endpoint considerably harder and so improves the security posture of OPA deployments in AWS.
- Several improvements to the project documentation including a policy style discussion, an integration option comparison, and discussion of bootstrapping and fail-open versus fail-closed modes.
- The project's CI/CD infrastructure has been migrated to GitHub Actions. The new CI/CD infrastructure is designed and implemented to be portable and includes a number of quality-of-life improvements.
- End-to-end query latency with decision logging enabled has been improved by 10%-15% in real-world cases.
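The IMDSv2 item above is worth a worked exchange. The following Go program is an added example, not OPA's code: it runs an in-process stand-in for the metadata service that enforces the IMDSv2 rules and shows why a legacy token-less GET fails while the PUT-then-GET exchange succeeds. The header and path names are the real IMDSv2 ones; the server behaviour, token format and returned credentials are constructed for the demonstration and nothing in them is a real AWS key.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strconv"
	"sync"
	"time"
)

// Header and path names of the IMDSv2 session-token exchange.
const (
	tokenPath      = "/latest/api/token"
	tokenTTLHeader = "X-aws-ec2-metadata-token-ttl-seconds"
	tokenHeader    = "X-aws-ec2-metadata-token"
	credsPath      = "/latest/meta-data/iam/security-credentials/"
)

// NewFakeIMDS is an in-process stand-in for a metadata service with IMDSv2 required:
// tokens come only from PUT /latest/api/token with a TTL of 1..21600 s, and every
// metadata read must carry an unexpired token. All responses are constructed.
func NewFakeIMDS() *httptest.Server {
	var mu sync.Mutex
	tokens := map[string]time.Time{} // token -> expiry
	mux := http.NewServeMux()
	mux.HandleFunc(tokenPath, func(w http.ResponseWriter, r *http.Request) {
		ttl, err := strconv.Atoi(r.Header.Get(tokenTTLHeader))
		if r.Method != http.MethodPut || err != nil || ttl < 1 || ttl > 21600 {
			http.Error(w, "PUT with a valid TTL header required", http.StatusBadRequest)
			return
		}
		mu.Lock()
		tok := fmt.Sprintf("constructed-session-token-%d", len(tokens)+1)
		tokens[tok] = time.Now().Add(time.Duration(ttl) * time.Second)
		mu.Unlock()
		io.WriteString(w, tok)
	})
	mux.HandleFunc("/latest/meta-data/", func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		exp, ok := tokens[r.Header.Get(tokenHeader)]
		mu.Unlock()
		if !ok || time.Now().After(exp) {
			http.Error(w, "missing, unknown or expired session token", http.StatusUnauthorized)
			return
		}
		io.WriteString(w, `{"AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"constructed-secret"}`)
	})
	return httptest.NewServer(mux)
}

// FetchV1 is the legacy single GET with no token. Against an IMDSv2-only service it
// gets 401, which is exactly where an SSRF primitive limited to plain GETs stops.
func FetchV1(c *http.Client, base, path string) (int, error) {
	resp, err := c.Get(base + path)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// FetchV2 performs the two-step exchange: PUT for a session token with a bounded TTL,
// then GET the metadata with the token attached.
func FetchV2(c *http.Client, base, path string, ttlSeconds int) (string, error) {
	req, _ := http.NewRequest(http.MethodPut, base+tokenPath, nil)
	req.Header.Set(tokenTTLHeader, strconv.Itoa(ttlSeconds))
	tok, status, err := do(c, req)
	if err != nil || status != http.StatusOK {
		return "", fmt.Errorf("token request failed: status %d, body %q, err %v", status, tok, err)
	}
	req, _ = http.NewRequest(http.MethodGet, base+path, nil)
	req.Header.Set(tokenHeader, tok)
	body, status, err := do(c, req)
	if err != nil || status != http.StatusOK {
		return "", fmt.Errorf("metadata request failed: status %d, body %q, err %v", status, body, err)
	}
	return body, nil
}

func do(c *http.Client, req *http.Request) (string, int, error) {
	resp, err := c.Do(req)
	if err != nil {
		return "", 0, err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), resp.StatusCode, err
}

func main() {
	srv := NewFakeIMDS()
	defer srv.Close()
	status, _ := FetchV1(srv.Client(), srv.URL, credsPath)
	body, err := FetchV2(srv.Client(), srv.URL, credsPath, 300)
	fmt.Println("token-less GET:", status, "| IMDSv2 exchange:", body, err)
}
```

The PUT is the point: most SSRF and open-redirect primitives can only make the victim issue a GET, so they never obtain a token and the credential read is refused. The TTL bounds how long a leaked token stays useful; on the operator side, AWS additionally lets you cap the hop limit of the token response so that a token cannot be obtained from behind a NAT or container network boundary, and lets you disable IMDSv1 entirely, which is what makes this client-side support meaningful for a deployment.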
Backwards Compatibility
- The `rego.Tracer` and `rego.EvalTracer` APIs have been deprecated in favor of the newer `rego.QueryTracer` and `rego.EvalQueryTracer` APIs.
- The `tester.Runner#SetCoverageTracer` API has been deprecated in favor of the newer `tester.Runner#SetCoverageQueryTracer` API.