This release contains a number of enhancements and fixes.
SDK
- This release includes a new top-level package to support OPA integrations in Go programs:
github.com/open-policy-agent/opa/sdk. Users that want to integrate OPA as a library in Go and expose features like bundles and decision logging should use this package. The package is controlled by specifying an OPA configuration file. Hot reloading is supported out-of-the-box. See the GoDoc for the package docs for more details.
Server
- A deadlock in the bundle plugin during shutdown has been resolved (#3363)
- An issue between bundle signing and bundle persistence when multiple data.json files are included in the bundle has been resolved (#3472)
- The
github.com/open-policy-agent/opa/runtime#Paramsstruct now supports a router parameter to enable custom routes on the HTTP server. - The bundle manifest can now include an extra
metadatakey where arbitrary key-value pairs can be stored. Authored by @viovanov - The bundle plugin now supports file:// urls in the
resourcefield for test purposes. - The decision log plugin emits a clearer message at DEBUG instead of INFO when there is no work to do. Authored by andrewbanchich
- The discovery plugin now supports a
resourceconfiguration field like the bundle plugin. Similarly, theresourceis treated as the canonical setting to identify the discovery bundle.
Tooling
- The
opa testtimeout as been increased to 30 seconds when benchmarking (#3107) - The
opa eval --schemaflag has been fixed to correctly set the schema when a single schema file is passed - The
opa build --debugflag output has been improved for readability - The
array.itemsJSON schema value is now supported by the type checker - The
opa fmtsubcommand can now exit with a non-zero status when a diff is detected (by passing--fail) - The
opa testsubcommand no longer emits bogus file paths when fed a file:// url
Built-in Functions
- The
http.sendbuilt-in function falls back to the system certificate pool when thetls_ca_certortls_ca_cert_env_variableoptions are not specified (#2271) authored by @olamiko
Evaluation
- The order of support rules emitted by partial evaluation is now deterministic (#3453) authored by @andrehaland
- The big number performance regression caught by the fuzzer has been resolved (#3262)
- The evaluator has been updated to memoize calls to rules with arguments (functions) within a single query. This avoids recomputing function results when the same input is passed multiple times (similar to how complete rules are memoized.)
WebAssembly
- The
wasmtarget no longer panics if the OPA binary does not include a wasm runtime (#3264) - The interrupt handling mechanism has been rewritten to make safe use of the wasmtime package. The SDK also returns structured errors now that are more aligned with topdown. (#3225)
- The SDK provides the subset of required imports now (which is useful for debugging with opa_println in the runtime library if needed.)
- The opa_number_float type has been removed from the value library (it was unused after moving to libmpdec)
- The runtime library builder has been updated to use llvm-12 and the wasmtime-go package has been updated to v0.27.0
Documentation
- The HTTP API authorization tutorial has been updated to show how to distribute policies using bundles
- The Envoy tutorial has been tweaked to show better path matching examples
Infrastructure
- The release-patch script has been improved to deal with this file in bugfix/patch releases (#2533) authored by @jjshanks
- The Makefile check targets now rely on golangci-lint and many linting errors have been resolved (authored by @willbeason)
- Multiple nightly fuzzing and data race issues in test cases have been resolved