github open-policy-agent/opa v0.55.0


NOTES:

  • All published OPA images now run with a non-root uid/gid. The uid:gid is set to 1000:1000 for all images. As a result
    there is no longer a need for the -rootless image variant, and hence it will not be published as part of future releases.
    This change is in line with container security best practices. OPA can still be run with root privileges by explicitly setting the user,
    either with the --user argument for docker run, or by specifying the securityContext in the Kubernetes Pod specification.

  • The minimum version of Go required to build the OPA module is 1.19.

This release contains a mix of new features, bugfixes and a new builtin function.

Honor default keyword on functions

Previously, if a function was defined with a default value, OPA ignored it. Now the default function is honored
if all functions with the same name are undefined. For example:

package example

default clamp_positive(_) := 0

clamp_positive(x) = x {
    x > 0
}

$ opa eval -d example.rego 'data.example.clamp_positive(1)' -f pretty
1
$ opa eval -d example.rego 'data.example.clamp_positive(-1)' -f pretty
0

The value of a default function follows the same conditions as that of a default rule. In addition, a default
function satisfies the following properties:

  • same arity as the other functions with the same name
  • arguments must be plain variables only, i.e. no composite values
  • argument names must not be repeated

NOTE:

Default functions were previously ignored. If existing policies contain default functions, ensure that they conform
to the properties listed above. Otherwise, those policies will fail to evaluate.

Authored by @ashutosh-narkar.

New Built-In Function: crypto.parse_private_keys

crypto.parse_private_keys returns zero or more private keys from the given encoded string containing DER certificate data.
If the input contains a list of one or more concatenated PEM blocks, then the built-in will output the parsed private keys
represented as objects.

See the documentation on the new built-in for all the details.

Authored by @volck.
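The following policy is an added example (not from the OPA release or its documentation) that ties the two features above together: a default function that is honored only when every other clause of the same name is undefined, and crypto.parse_private_keys used to flag configuration values that contain an embedded private key. The input shape (input.values as an object of name to string) is an assumption of the example, as is the use of count() over the built-in's result to detect whether any key was parsed.

```rego
package secrets

import future.keywords.contains
import future.keywords.if
import future.keywords.in

# Default function: its value is used only when every other `classify`
# clause is undefined for the given argument. It has the same arity (one)
# as the other clauses, and its argument is a plain variable.
default classify(_) := "unknown"

# A value that parses as one or more PEM-encoded private keys.
# Assumption: for a non-key string the built-in yields no keys (or is
# undefined), so this clause is undefined and the default applies.
classify(s) := "private_key" if {
    count(crypto.parse_private_keys(s)) > 0
}

# An empty value; cannot conflict with the clause above.
classify(s) := "empty" if {
    s == ""
}

# Deny decision: report every configuration value that carries a private key.
# Constructed input for the example:
#   {"values": {"db_password": "hunter2",
#               "tls_key": "-----BEGIN PRIVATE KEY-----\n<PEM body>\n-----END PRIVATE KEY-----"}}
deny contains msg if {
    some name, value in input.values
    classify(value) == "private_key"
    msg := sprintf("configuration value %q contains a private key", [name])
}
```

With the constructed input, classify("hunter2") resolves to "unknown" through the default function, while the tls_key entry produces a deny message; evaluate with `opa eval -d secrets.rego -i input.json 'data.secrets.deny'`.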

Runtime, Tooling, SDK

  • plugins/rest: Add AWS KMS support for OAuth2 Client Credentials JWT authentication (#5942) authored by @prasanthu
  • sdk: Update input object to conform to the format expected by decision log masking (#6090) authored by @epaulson10
  • sdk: Add option for specifying decision ID to SDK. Users can use this to control the ID that gets included in the decision logs (#6101) authored by @brianchhun-chime
  • cmd: Add discard output format to opa eval which discards the result while still showing the output of eval flags like --profile (#6103) authored by @26tanishabanik
  • Make rootless deprecation messages more explicit as all published OPA images now run with non-root uid/gid (#6091) authored by @charlieegan3
  • download/oci: Add support for Docker Registry v2 authentication scheme (#6045) authored by @gitu and @DerGut
  • plugins/discovery: Ensure discovery plugin doesn't erase its own config on the plugin manager (#6070) authored by @blacksails

Topdown and Rego

  • ast: Add WithRoots compiler option that allows callers to set the roots to include in the output bundle manifest (#6088) authored by @kubaj
  • rego: Parse store modules iff modules set on the Rego object. This change assumes that while using the Rego package, the compiler and store are kept in-sync, and thereby attempts to avoid a race during the compilation process (#6081) authored by @ashutosh-narkar

Docs

  • docs/envoy: Update the standalone Envoy tutorial to use kind, updated Envoy version etc. (#6105) authored by @charlieegan3

Website + Ecosystem

  • Website:

    • Reorganize relevant doc sections and OPA Ecosystem projects to have a closer integration between them (#6064) authored by @charlieegan3

Miscellaneous

  • chore: Update comments on some exported functions and clean up instances where the same package was imported multiple times (authored by @testwill)
  • Fix issue in the OPA release patch scripts related to CRLF line terminations in the patch output (#6069) authored by @johanfylling
  • Dependency bumps, notably:
    • golang from 1.20.5 to 1.20.6
    • oras.land/oras-go/v2 from 2.2.0 to 2.2.1
    • google.golang.org/grpc from 1.56.1 to 1.56.2
    • github.com/containerd/containerd from 1.6.19 to 1.7.2
    • golang.org/x/net from 0.11.0 to 0.12.0
    • go.uber.org/automaxprocs from 1.5.2 to 1.5.3
    • go.opentelemetry.io/otel from v1.14.0 to v1.16.0 (#6062) authored by @srenatus with feedback from @ghaskins and @zregvart
