This release contains a mix of new features, bugfixes, security fixes, optimizations and build updates related to
OPA's published images.
New Built-in Functions: JSON Schema Verification and Validation
These new built-in functions add functionality to verify and validate JSON Schema (#5486) (co-authored by @jkulvich and @johanfylling).
json.verify_schema: Checks that the input is a valid JSON schema objectjson.match_schema: Checks that the document matches the JSON schema
See the documentation for all details.
Annotations scoped to package carries across modules
package scoped schema annotations are now applied across modules instead of only local to the module where
it's declared (#5251) (authored by @johanfylling). This change may cause compile-time errors and behavioural changes to
type checking when the schemas annotation is used, and to rules calling the rego.metadata.chain() built-in function:
- Existing projects with the same package declared in multiple files will trigger a
rego_type_error: package annotation redeclared
error if two or more of these are annotated with thepackagescope. - If using the
packagescope, theschemasannotation will be applied to type checking also for rules declared in
another file than the annotation declaration, as long as the package is the same. - The chain of metadata returned by the
rego.metadata.chain()built-in function will now contain an entry for the
package even if the annotations are declared in another file, if the scope ispackage.
Remote bundle URL shorthand for run command
To load a remote bundle using opa run, the set directive can be provided multiple times as shown below:
$ opa run -s --set "services.default.url=https://example.com" \
--set "bundles.example.service=default" \
--set "bundles.example.resource=/bundles/bundle.tar.gz" \
--set "bundles.example.persist=true"
The following command can be used as a shorthand to easily start OPA with a remote bundle (#5674) (authored by @anderseknert):
$ opa run -s https://example.com/bundles/bundle.tar.gz
Performance Improvements for json.patch Built-in Function
Performance improvements in json.patch were achieved with the introduction of a new EditTree data structure,
which is built for applying in-place modifications to an ast.Term, and can render the final result of all edits efficiently
by applying all patches in a JSON-Patch sequence rapidly, and then collapsing all edits at the end with minimal wasted ast.Term copying (authored by @philipaconrad).
For more details and benchmarks refer #5494 and #5390.
Surface decision log errors via status API
Errors encountered during decision log uploads will now be surfaced via the Status API in addition to being logged. This
functionality should give users greater visibility into any issues OPA may face while processing, uploading logs etc (#5637) (authored by @ashutosh-narkar).
See the documentation for more details.
OPA Published Images Update
All published OPA images now run with a non-root uid/gid. The uid:gid is set to 1000:1000 for all images. As a result
there is no longer a need for the -rootless image variant and hence it will be not be published as part of future releases.
This change is in line with container security best practices. OPA can still be run with root privileges by explicitly setting the user,
either with the --user argument for docker run, or by specifying the securityContext in the Kubernetes Pod specification.
Runtime, Tooling, SDK
- server: Support compression of response payloads if HTTP client supports it (#5310) authored by @AdrianArnautu
- bundle: Ensure the bundle resulting from merging a set of bundles does not contain
nildata (#5703) authored by @anderseknert - repl: Use lowercase for repl commands only and keep any provided arguments as-is (#5229) authored by @Trolloldem
- metrics: New endpoint
/metrics/alloc_bytesto show OPA's memory utilization (#5715) authored by @anderseknert - server: When using OPA TLS authorization, authz policy authors will now have access to the client certificates
presented as part of the TLS connection. This new data will be available under the keyclient_certificates(#5538) authored by @charlieegan3 - server: Use streaming implementation of json.Decode rather than using an intermediate buffer for the incoming request (#5661) authored by @anderseknert
Topdown and Rego
- ast: Extend compiler
strictmode check to include unused arguments (#5602) authored by @boranx. This change may cause
compile-time errors for policies that have unused arguments in the scope when thestrictmode is enabled. These
variables could be replaced with_(wildcard) or get cleaned up if they are not intended to be used in the body of the functions. - ast: Respect inlined
schemasannotations even if--schemaflag isn't used (#5506) authored by @johanfylling - ast: Force type-checker to respect
allow_netcapability when fetching remote schemas (#5670) authored by @johanfylling - ast/parse: Provide custom parsing options that allow location information of AST nodes to be included in their JSON
representation. This location information can be used by tools that work with the OPA AST (#3143) authored by @charlieegan3
Docs
- docs/policy-reference: Fix typo in policy reference doc (#5654) authored by @alvarogomez93
- docs/extensions: Fix sample code provided in the custom built-in implementation example (#5666) authored by @Ronnie-personal
- docs/bundles: Clarify delta bundle behavior when it contains an empty list of patch operations (#5629) authored by @charlieegan3
- docs/http-api-authz: Update the HTTP API authz tutorial with steps related to proper bundle creation (#5682) authored by @lamoboos223
- Fix broken 'future keywords' url link (#5686) authored by @neelanjan00
Website + Ecosystem
-
Ecosystem:
- Styra Load (#5659) authored by @charlieegan3
-
Website:
- Update OPA documentation search to use Algolia v3 (#5706) authored by @Parsifal-M
- Drop Google Universal Analytics (UA) code as part of Google Analytics 4 migration (authored by @chalin)
Miscellaneous
- Dependency bumps, notably:
- golang from 1.20.1 to 1.20.2
- github.com/containerd/containerd from 1.6.16 to 1.6.19
- github.com/golang/protobuf from 1.5.2 to 1.5.3
- golang.org/x/net from 0.5.0 to 0.8.0
- google.golang.org/grpc from 1.52.3 to 1.53.0
- OpenTelemetry-related dependencies (#5701)