This release includes a number of improvements and fixes.
💾 Disk-based Storage (Experimental)
This release adds a disk-based storage implementation to OPA. The implementation can be found in `github.com/open-policy-agent/storage/disk`. There is also an example in the `rego` package that shows how policies can be evaluated with the disk-based store. The disk-based store is currently only available as a library (i.e., it is not integrated into the rest of OPA yet.) In the next few releases, we are planning to integrate the implementation into the OPA server and provide tooling to help leverage the disk-based store.
Built-in Functions
This release includes a few improvements to existing built-in functions:
- The `http.send` function now supports UNIX domain sockets (#3661) authored by @kirk-patton
- The `units.parse_bytes` function now supports E* and P* units (#2911)
- The `io.jwt.encode_sign` function uses the built-in context randomization source (which is helpful for replay purposes)
Server
This release includes multiple improvements for OPA server deployments in serverless environments:
- Plugins can now be triggered manually within OPA. This feature allows users extending and customizing OPA to control exactly when operations like bundle downloads and decision log uploads occur. The built-in plugins now include a `trigger` configuration that can be set to `manual` or `periodic` (which is the default). When `manual` triggering is enabled, the plugins WILL NOT perform any periodic/background operations. Instead, the plugins will only execute when the `Trigger` API is invoked.
- Plugins can now wait for server initialization. When runtime initialization is finished, plugins can be notified. This allows plugins to synchronize their behaviour with server startup. #3701 authored by @gshively11.
- The Health API now supports an `exclude-plugin` parameter to control which plugins are checked. #3713 authored by @gshively11.
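As an added example (not part of the release notes), the following OPA server configuration switches the bundle and decision log plugins to manual triggering, so no background downloads or uploads happen until the `Trigger` API is invoked. The key locations (`bundles.<name>.trigger`, `decision_logs.reporting.trigger`) are assumed to follow OPA's configuration reference, and the service URL and bundle path are placeholders.

```yaml
# Added example (not from the release notes): OPA configuration with
# manual triggering for the bundle and decision log plugins.
# Key locations assumed from OPA's configuration reference;
# service URL and bundle resource are placeholders.
services:
  control-plane:
    url: https://control-plane.example.invalid   # placeholder endpoint

bundles:
  authz:
    service: control-plane
    resource: bundles/authz.tar.gz               # placeholder bundle path
    # Default is periodic. With manual, the plugin does not poll in the
    # background; a download happens only when Trigger is invoked.
    trigger: manual

decision_logs:
  service: control-plane
  reporting:
    # Default is periodic. With manual, buffered decisions are uploaded
    # only when Trigger is invoked, e.g. at the end of a serverless request.
    trigger: manual
```

Leaving `trigger` unset on either plugin keeps the default periodic behaviour for that plugin alone, so the two can be mixed.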
Tooling
- The compiler no longer fetches remote schemas by default when used as a library. Capabilities have been updated to include an `allow_net` field to control whether network operations can be performed (#3746). This field is only used to control schema fetching today. In future versions of OPA, the `allow_net` parameter will be used to control other behaviour like `http.send`.
- The `WebAssembly runtime not supported` error message has been improved #3739.
Rego
- Added support for `anyOf` and `allOf` keywords in JSON schema support in the type checker (#3592) authored by @jchen10500 and @juliafriedman8.
- Added support for custom JSON result marshalling in the `rego` package.
- Added a new convenience function (`Allowed() bool`) to the `rego.ResultSet` API.
- Improved string-representation construction performance for arrays, sets, and objects.
- Improved the topdown evaluator to support `ast.Value` results from the store so that unnecessary conversions can be avoided.
- Improved the `rego` package to make the wasmtime-go dependency optional at build-time (#3545).
- Fixed a bug in the comprehension indexer whereby index keys were not constructed correctly, leading to incorrect outputs (#3579).
- Fixed a stack overflow during partial evaluation due to incorrect term rewriting in the copy propagation implementation (#3071).
- Fixed a bug in partial evaluation when shallow inlining is enabled that resulted in built-in functions being invoked instead of saved (#3681).
WebAssembly
- The internal Wasm SDK now supports the inter-query built-in cache.
- The pre-compiled runtime is now built with llvm 12.0.1 and the builder image includes clang-format.
- The internal Wasm SDK has been updated to use wasmtime-go v0.29.0.
Documentation
This release includes a number of documentation improvements:
- The wasm `opa_eval` arguments have been clarified #3699
- The contributing and development guide have been moved into a dedicated Contributing section on the website #3751
- The Envoy standalone tutorial includes cleanup steps now (thanks @princespaghetti)
- Various typos have been fixed by multiple folks (thanks @Tej-Singh-Rana @gujun4990)
- The Kubernetes ingress validation tutorial has been updated to include new mandatory attributes and newer API versions (thanks @ereslibre)
- The recommendations around using OPA Gatekeeper have been improved.
Infrastructure
- OPA is now built with Go v1.17 and CI jobs have been added to ensure OPA builds with older versions of Go.
Backwards Compatibility
The `rego` package no longer relies on build constraints to enable the Wasm runtime. Instead, library users must opt in to Wasm runtime support by adding an import statement in the Go code:

```go
import _ "github.com/open-policy-agent/opa/features/wasm"
```

This change ensures that (by default) the wasmtime-go blobs are not vendored in projects that embed OPA as a library. If you are currently relying on the Wasm runtime support in the `rego` package (via the `rego.Target("wasm")` option), please update your code to include the import above. See #3545 for more details.