v0.28.0
This release includes a number of features, enhancements, and fixes. The default branch for the Git repository has also been updated to `main`.
Schema Annotations
This release adds support for annotations. Annotations allow users to declare metadata on rules and packages. Currently, OPA supports one form of metadata: schema declarations. For example:
```rego
package example

# METADATA
# schemas:
#   - input: schema.service
deny["service is missing required 'owner' label"] {
    input.kind == "Service"
    not input.metadata.labels.owner
}

# METADATA
# schemas:
#   - input: schema.deployment
deny["deployment replica count too low for 'production' namespace"] {
    input.kind == "Deployment"
    input.metadata.namespace == "production"
    object.get(input.spec, "replicas", 1) < 3
}
```
Users can include schema annotations in their policies to tell OPA about the structure of external data loaded under `input` or `data`. By learning the schema of base documents, OPA can surface mistakes in the policy at authoring time (e.g., referring to a non-existent field in a JSON object or calling a built-in function with an invalid value). For more information on annotations and schema support, see the Type Checking page in the documentation. In the future, annotations will be expanded to support other kinds of metadata, and additional tooling will be added to leverage them.
Server
- The server now automatically sets GOMAXPROCS when running inside of a container that has cgroups applied. This helps the Go runtime avoid consuming too many CPU resources and being throttled by the kernel. (#3328)
- The server now logs an error if users enable the `token` authentication mode without a corresponding authorization policy, since authentication alone only identifies the caller and does not restrict access. (#3380) authored by @kale-amruta
- The server now supports a `GET /v1/config` endpoint that returns OPA's active configuration. This API is useful if you need to debug the running configuration in an OPA configured via Discovery. (#2020)
- The server now respects the `?pretty` option in the v0 API (#3332) authored by @clarshad
- The Bundle plugin is more forgiving when it comes to Etag processing on HTTP 304 responses (#3361)
- The Decision Log plugin now supports a "Decision Per Second" rate limit configuration setting.
- The Status plugin can now be configured to use a custom reporter similar to the Decision Log plugin (e.g., so that Status messages can be sent to AWS Kinesis, etc.)
- The Status plugin now reports the number of decision logs that are dropped due to buffer limits.
- The service clients can authenticate with the Azure Identity OAuth2 implementation when the client credentials JWT flow is used (#3372)
- Library users can now customize the logger used by the plugins by providing the `plugins.Logger` option when creating the plugin manager.
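The authorization policy that the new error message asks for, as an added example (not from the release notes or the OPA repository). Enabling `--authentication=token` only makes OPA parse the `Authorization: Bearer <token>` header into `input.identity`; unless `--authorization=basic` is also set and a `system.authz` policy is loaded, every request is still allowed. The policy below enforces the tokens. The token values, the read-only/admin split and the path choices are constructed for illustration; in practice the token set belongs in `data` or a bundle rather than in policy literals. Start OPA with `opa run --server --authentication=token --authorization=basic authz.rego`.

```rego
package system.authz

# Deny everything not explicitly allowed below. OPA also treats an
# undefined decision as a denial, but an explicit default makes the
# intent auditable.
default allow = false

# Let unauthenticated health probes through so load balancers and
# readiness checks keep working. input.path is the request path split
# on "/", so GET /health arrives as ["health"].
allow {
    input.method == "GET"
    input.path == ["health"]
}

# Read-only token (constructed value): may query the Data API but not
# modify policies or data. POST /v1/data/<path> is also a query (it
# carries the input document), so it is treated as a read here.
allow {
    input.identity == "reader-token-EXAMPLE"
    input.path[0] == "v1"
    input.path[1] == "data"
    read_methods[input.method]
}

read_methods = {"GET", "POST"}

# Admin token (constructed value): full access to the REST API,
# including PUT/DELETE on policies and data.
allow {
    input.identity == "admin-token-EXAMPLE"
}
```

With this policy loaded, a request carrying the reader token to `PUT /v1/policies/foo` is rejected, a request with no token is rejected except for `GET /health`, and the server start-up error from this release no longer appears because an authorization policy is present.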
Tooling
- The various OPA subcommands that accept schema files now accept a directory tree of schemas instead of only a single schema.
- The `opa refactor move` subcommand was added to support package renaming use cases (#3290)
- The `opa check` subcommand now supports a `-s`/`--schema` flag like the `opa eval` subcommand.
Documentation
- The Management API docs have been restructured so that each API has a dedicated page. In addition, the Bundle API docs now include getting started steps for cloud-provider specific services (e.g., AWS, GCP, Azure, etc.)
Security
- OPA now supports PKCS#8-encoded EC private keys for JWT verification (which includes service authentication, bundle verification, and the verification built-in functions) (#3283). Authored by @andrehaland.
- The bundle signing and verification APIs have been updated to support custom signers/verifiers (#3336). Authored by @gshively11.
Evaluation
- The `time.diff` function was added to support calculating differences between date/time values (#3348) authored by @andrehaland
- The `units.parse_bytes` function now supports floating-point values (#3297) authored by @andy-paine
- The evaluator was fixed to use correct bindings when evaluating the full extent of a partial rule set. This issue was causing unexpected undefined results and evaluation errors in some rare cases. (#3369 #3376)
- The evaluator was fixed to correctly generate package paths when namespacing is disabled during partial evaluation. (#3302)
- The `http.send` function no longer errors out on invalid Expires headers. (#3284)
- The inter-query cache now serializes elements on insertion, reducing memory usage significantly (deserialized elements cost roughly 20x as much memory). (#3042)
- The rule indexer was fixed to correctly handle mapped and non-mapped values, which could occur with `glob.match` usage (#3293)
WebAssembly
- The `opa eval` subcommand now correctly returns the set of all variable bindings and expression values when the `wasm` target is enabled. Previously it returned only the set of variable bindings. (#3281)
- The `glob.match` function now handles the default delimiter correctly. (#3294)
- The `opa build` subcommand no longer requires a capabilities file when the `wasm` target is enabled. If capabilities are not provided, OPA will use the capabilities for its own version. (#3270)
- The `opa build` subcommand now dumps the IR emitted by the planner when `--debug` is specified.
- The `opa eval` subcommand no longer panics when a policy fails to type check and the `wasm` target is enabled.
- The comparison functions can now return `false` instead of only `true` or `undefined`. (#3271)
- The internal wasm runtime now correctly returns `CancelErr` to indicate cancellation errors (instead of `BuiltinErr`, which it returned previously).
- The internal wasm runtime now correctly handles non-halt built-in errors (#3320)
- The planner no longer generates unexpected scan statements when negation is used over base documents under `data` (#3279) (#3305)
- The planner now correctly discards out-of-scope variables when exiting comprehensions (#3325)
- The `rego` package no longer panics when the `wasm` target is enabled and undefined functions are encountered (#3251)
- 🎈 The remaining exceptions in the e2e test framework for the internal wasm runtime have been resolved.
Build
- The `make image` target now uses the CI image for building the Go binary. This avoids platform-specific build issues by building the Go binary inside of Docker.