Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

build(deps): bump github.com/open-policy-agent/opa from 0.63.0 to 0.64.0 #943

Merged

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Apr 25, 2024

Bumps github.com/open-policy-agent/opa from 0.63.0 to 0.64.0.

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v0.64.0

NOTES:

  • The minimum version of Go required to build the OPA module is 1.21

This release contains a mix of features, a new builtin function (json.marshal_with_options()), performance improvements, and bugfixes.

Breaking Change

Bootstrap configuration overrides Discovered configuration

Previously if Discovery was enabled, other features like bundle downloading and status reporting could not be configured manually. The reason for this was to prevent OPAs being deployed that could not be controlled through discovery. It's possible that the system serving the discovered config is unaware of all options locally available in OPA. Hence, we relax the configuration check when discovery is enabled so that the bootstrap configuration can contain plugin configurations. In case of conflicts, the bootstrap configuration for plugins wins. These local configuration overrides from the bootstrap configuration are included in the Status API messages so that management systems can get visibility into the local overrides.

In general, the bootstrap configuration overrides the discovered configuration. Previously this was not the case for all configuration fields. For example, if the discovered configuration changes the labels section, only labels that are additional compared to the bootstrap configuration are used, all other changes are ignored. This implies labels in the bootstrap configuration override those in the discovered configuration. But for fields such as default_decision, default_authorization_decision, nd_builtin_cache, the discovered configuration would override the bootstrap configuration. Now the behavior is more consistent for the entire configuration and helps to avoid accidental configuration errors. (#5722) authored by @​ashutosh-narkar

Add rego_version attribute to the bundle manifest

A new global rego_version attribute is added to the bundle manifest, to inform the OPA runtime about what Rego version (v0/v1) to use while parsing/compiling contained Rego files. There is also a new file_rego_versions attribute which allows individual files to override the global Rego version specified by rego_version.

When the version of the contained Rego is advertised by the bundle through this attribute, it is not required to run OPA with the --v1-compatible (or future --v0-compatible) flag in order to correctly parse, compile and evaluate the bundle's modules.

A bundle's rego_version attribute takes precedence over any applied --v1-compatible/--v0-compatible flag. (#6578) authored by @​johanfylling

Runtime, Tooling, SDK

  • compile: Fix panic from CLI + metadata entrypoint overlaps. The panic occurs when opa build was provided an entrypoint from both a CLI flag, and via entrypoint metadata annotation. (#6661) authored by @​philipaconrad
  • cmd/deps: Improve memory footprint and execution time of deps command for policies with high dependency connectivity (#6685) authored by @​johanfylling
  • server: Keep default decision path in-sync with manager's config (#6697) authored by @​ashutosh-narkar
  • server: Remove unnecessary AST-to-JSON conversions (#6665) and (#6669) authored by @​koponen-styra
  • sdk: Allow customizations of the plugin manager via SDK (#6662) authored by @​xico42
  • sdk: Fix issue where active parser options aren't propagated to module reload during bundle activation resulting in errors while activating bundles with v1 syntax (#6689) authored by @​xico42
  • plugins/rest: Close response body in OAuth2 client credentials flow (#6708) authored by @​johanneslarsson

Topdown and Rego

  • ast: Import rego.v1 in v0 support modules when applicable (#6450) authored by @​johanfylling
  • rego: Set query Rego version from configured imports (#6701) authored by @​johanfylling
  • topdown: New json.marshal_with_options() builtin for indented/"pretty-printed" and/or line-prefixed JSON (#6630) authored by @​sean-r-williams

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

0.64.0

NOTES:

  • The minimum version of Go required to build the OPA module is 1.21

This release contains a mix of features, a new builtin function (json.marshal_with_options()), performance improvements, and bugfixes.

Breaking Change

Bootstrap configuration overrides Discovered configuration

Previously if Discovery was enabled, other features like bundle downloading and status reporting could not be configured manually. The reason for this was to prevent OPAs being deployed that could not be controlled through discovery. It's possible that the system serving the discovered config is unaware of all options locally available in OPA. Hence, we relax the configuration check when discovery is enabled so that the bootstrap configuration can contain plugin configurations. In case of conflicts, the bootstrap configuration for plugins wins. These local configuration overrides from the bootstrap configuration are included in the Status API messages so that management systems can get visibility into the local overrides.

In general, the bootstrap configuration overrides the discovered configuration. Previously this was not the case for all configuration fields. For example, if the discovered configuration changes the labels section, only labels that are additional compared to the bootstrap configuration are used, all other changes are ignored. This implies labels in the bootstrap configuration override those in the discovered configuration. But for fields such as default_decision, default_authorization_decision, nd_builtin_cache, the discovered configuration would override the bootstrap configuration. Now the behavior is more consistent for the entire configuration and helps to avoid accidental configuration errors. (#5722) authored by @​ashutosh-narkar

Add rego_version attribute to the bundle manifest

A new global rego_version attribute is added to the bundle manifest, to inform the OPA runtime about what Rego version (v0/v1) to use while parsing/compiling contained Rego files. There is also a new file_rego_versions attribute which allows individual files to override the global Rego version specified by rego_version.

When the version of the contained Rego is advertised by the bundle through this attribute, it is not required to run OPA with the --v1-compatible (or future --v0-compatible) flag in order to correctly parse, compile and evaluate the bundle's modules.

A bundle's rego_version attribute takes precedence over any applied --v1-compatible/--v0-compatible flag. (#6578) authored by @​johanfylling

Runtime, Tooling, SDK

  • compile: Fix panic from CLI + metadata entrypoint overlaps. The panic occurs when opa build was provided an entrypoint from both a CLI flag, and via entrypoint metadata annotation. (#6661) authored by @​philipaconrad
  • cmd/deps: Improve memory footprint and execution time of deps command for policies with high dependency connectivity (#6685) authored by @​johanfylling
  • server: Keep default decision path in-sync with manager's config (#6697) authored by @​ashutosh-narkar
  • server: Remove unnecessary AST-to-JSON conversions (#6665) and (#6669) authored by @​koponen-styra
  • sdk: Allow customizations of the plugin manager via SDK (#6662) authored by @​xico42
  • sdk: Fix issue where active parser options aren't propagated to module reload during bundle activation resulting in errors while activating bundles with v1 syntax (#6689) authored by @​xico42
  • plugins/rest: Close response body in OAuth2 client credentials flow (#6708) authored by @​johanneslarsson

Topdown and Rego

  • ast: Import rego.v1 in v0 support modules when applicable (#6450) authored by @​johanfylling
  • rego: Set query Rego version from configured imports (#6701) authored by @​johanfylling
  • topdown: New json.marshal_with_options() builtin for indented/"pretty-printed" and/or line-prefixed JSON (#6630) authored by @​sean-r-williams

... (truncated)

Commits
  • 75cc90a Prepare v0.64.0 release
  • a400281 server: Keep default decision path in-sync with manager's config
  • f2011b1 Adding Raygun to the policy-testing ecosystem (#6712)
  • b58e87f ast: Importing rego.v1 in v0 support modules when applicable (#6698)
  • 44fa8ad Relax configuration check when Discovery is enabled
  • ef8532f auth: requestToken close response body
  • 8260697 build: Update WASM Rego test generation setup (#6707)
  • 091286b rego: Setting query Rego-version from configured imports
  • 3954ba0 ci: Update Github Actions for Node 20. (#6670)
  • 93ff719 docs/configuration: Tidy up headers in Services section (#6695)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.63.0 to 0.64.0.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](open-policy-agent/opa@v0.63.0...v0.64.0)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Apr 25, 2024
Copy link
Member

@boranx boranx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dependabot squash and merge

@dependabot dependabot bot merged commit c8ca358 into master Apr 26, 2024
7 checks passed
@dependabot dependabot bot deleted the dependabot/go_modules/github.com/open-policy-agent/opa-0.64.0 branch April 26, 2024 11:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file go Pull requests that update Go code
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant