Releases: permitio/opal
v0.7.5
What's Changed
Fixes
- Data Fetching: Introduce custom retry configuration for fetching data sources by @thilak009 in #502
- Merge updates from permit's internal OPAL version by @roekatz in #546
- Concurrent (thus faster) handling of updates (both policy & data) in client and server
- Offline Mode: Support having the backup file on a shared volume used by multiple opal-client replicas (Fix file writing race).
- Restart OPA when panic is detected
- Upgrade
fastapi_websocket_pubsub
(v0.3.7) &permit-broadcaster
(v0.2.5) for improved stability & performance. - Scopes: bug fixes & improved performance (redis access, better repo locks, better git object caching, repo sharding for handling lots of scopes).
- Fix parsing update callbacks configuration
- ApiPolicySource: Log errors when retrying failed bundle updates by @roekatz in #500
Build & Dependencies
- Upgrade to Debian bookworm
- Install netcat and jq in the common stage by @fortum-vaanavil in #499
- remove unused rookout by @asafc in #525
- Use redis-py to replace asyncio-redis by @calmzhu in #498
- Update cryptography dependency by @orishavit in #520
- [Snyk] Security upgrade setuptools from 39.0.1 to 65.5.1 by @obsd in #547
- [Snyk] Security upgrade fastapi from 0.103.2 to 0.109.1 by @RazcoDev in #543
- [Snyk] Security upgrade aiohttp from 3.8.6 to 3.9.2 by @asafc in #541
- [Snyk] Upgrade sass from 1.54.9 to 1.69.5 by @obsd in #522
Docs
- Update README.md by @orweis in #501
- Make it clear Bundle Server does not serve OPA bundles by @roekatz in #544
- Tweak healthcheck docs by @orweis in #527
- Fix command format and typo in Triggering data updates tutorial #549 by @jonis100 in #550
New Contributors
- @fortum-vaanavil made their first contribution in #499
- @calmzhu made their first contribution in #498
- @gemanor made their first contribution in #537
- @jonis100 made their first contribution in #550
Full Changelog: 0.7.4...0.7.5
v0.7.4
What's Changed
New Features
- Add support for PATCH as save_method in data updates. by @thilak009 in #483
Bugfixes
- Fix hanging inline OPA on very long log lines. by @roekatz in #489
- Upgrade gitpython to mitigate CVE-2023-40267. by @philipclaesson in #490
- Explicitly close web socket on server before endpoint exits. @roekatz in #496
Docs
- kafka sasl docs by @orweis in #485
- tweaks to improve the docs by @orweis in #486
- Add tinytodo to docs by @obsd in #487
- Update inline opa config docs with an example and link by @jasonmcintosh in #493
- add basic tutorial about self signed certificates by @asafc in #495
New Contributors
- @jasonmcintosh made their first contribution in #493
- @philipclaesson made their first contribution in #490
Full Changelog: 0.7.3...0.7.4
v0.7.3
v0.7.2
What's Changed
New Features
- Support OPA tls authentication. by @oskar-christensson in #457
- Support disabling policy updates in OPAL client (data-only mode). by @thilak009 in #470
- Support S3 buckets as bundle servers (aka api policy source) by @orweis in #472 & @cbat98 in #473
- Upgraded broadcaster version to 0.2.3 (Includes new support for Kafka SSL by @david-hamilton-bah in permitio/broadcaster#5)
- Policy store data updates: Support only pushing nested keys instead of overriding entire root path (eg
/v1/data
on OPA) by @orishavit in #448
Fixes
- Fix memory leaks (Leaking tasks on publishing updates & executing webhook trigger) by @roekatz in #475 & #476
Docs & Examples
- New Cedar docs. by @shaulk in #464 & @orweis in #465
- Update helm chart tutorial by @roekatz in #468
- Fix Kafka based docker-compose example by @roekatz in #469
- docs on data.json by @orweis in #474
New Contributors
- @oskar-christensson made their first contribution in #457
- @thilak009 made their first contribution in #470
- @cbat98 made their first contribution in #473
Full Changelog: 0.7.0...0.7.2
v0.7.0
What's Changed
Supporting a new policy engine: Cedar Agent
Cedar Agent provides the ability to run Cedar as a standalone agent (Similar to how one would use OPA) which can then be powered by OPAL. OPAL manages the policies loaded into Cedar through git, same as for OPA, and can push data updates in real time from external data sources.
Example OPAL configuration for Cedar can be found here.
The Cedar policy language offers better readability, better performance for policy evaluation and is analyzable via automatic reasoning.
- Add a Cedar policy engine plugin by @shaulk in #461
- Shaul/per 5343 update cedar agent in opal by @shaulk in #463
Small fixes and improvements
- Add platforms to build-push-action with amd64 and arm64 by @vivedo in #427
- [Snyk] Security upgrade setuptools from 39.0.1 to 65.5.1 by @RazcoDev in #323
- [Snyk] Security upgrade setuptools from 39.0.1 to 65.5.1 by @asafc in #324
- Bump json5 from 2.2.1 to 2.2.3 in /documentation by @dependabot in #354
- Bump webpack from 5.74.0 to 5.76.1 in /documentation by @dependabot in #410
- Upgrade GitHub Action by @cclauss in #417
- Docs: Add periodic_update_interval to data-sources.mdx by @roekatz in #458
- Oded/small docs fixes by @obsd in #283
- sort and add more questions by @orweis in #459
- Merge pull request #347 from permitio/improve-cli-windows-support by @orweis in #349
- Tests: Mark test_external_http_get flaky for retries by @roekatz in #460
- bump version: 0.7.0 by @asafc in #462
New Contributors
Full Changelog: 0.6.1...0.7.0
v0.6.1
What's Changed
Bug Fixes
- Fix exception thrown on webhook for API policy source by @urspraveen2001 in #438
- Fix restoring OPA from a local backup on offline mode by @roekatz in #450
- Fix clients can't reconnect when broadcaster disconnects if statistics are enabled by @roekatz in #453
New Contributors
- @urspraveen2001 made their first contribution in #438
Full Changelog: 0.6.0...0.6.1
v0.6.0
What's Changed
New Features in Policy Store Control (Client)
- Automatic resolution of ordering issues: Any failed policy store loading operation (file loading / deletion) would be re-attempted after completing other operations (instead of bailing out), thus eventually achieving the correct loading order via trial and error. by @roekatz in #425
- Eliminates the need to explicitly define .manifest files on most cases (although having an explicit manifest might still be beneficial for performance).
- Resolves the known issue of handling moved/renamed modules.
- OAuth2 support for policy store authentication by @scarlier in #407
- Add option to ignore specific policy files by @orweis in #414
- Could be used to prevent opal-client from overriding policy files managed outside OPAL.
- Optional offline mode, where policy store's data is restored from a local backup file on client startup (Thus being able to handle queries even when server connection can't be established) by @roekatz in #441
Server Multi Process Stability
Bug fixes in using opal-server with multiple workers (UVICORN_NUM_WORKERS
) and/or multiple instances (e.g. pod replicas).
- Fix leader worker sometimes not getting git webhook event (Bug in broadcaster subscription) by @roekatz in #398
- Turn on BROADCAST_CONN_LOSS_BUGFIX_EXPERIMENT_ENABLED by default (Fixes silent connection losses to Postgres broadcaster) @roekatz in #443
- Bump fastapi_websocket_pubsub ver to 0.3.3 by @roekatz in #423
Health Checks
- Make client's health check always available (without requiring persisting health status in OPA by setting
OPAL_OPA_HEALTH_CHECK_POLICY_ENABLED
) by @roekatz in #420 - Expose new
/ready
endpoint - would return200 OK
if OPA was loaded from either server or backup (on newly available offline mode) at least once. by @roekatz in #441
Scopes Stability
Introduce quite a few refactors & changes in scopes
we've been working on and testing internally lately. by @roekatz in #436.
- Bug fixes related to using multiple Uvicorn workers and / or multiple instances (e.g pod replicas).
- Getting rid of Celery worker (a.k.a opal-server-worker) for periodically syncing scopes (Instead, using the leader process the same way it's used when scopes are disabled).
- Bug fixes in detecting and notifying changes when multiple scopes use the same git repository (but possibly different branches).
- Fix races in detecting and notifying changes during server setup time (cloning all scopes' repos).
- Better logging when using scopes
Other Improvements & Fixes
- Optionally allow to skip url matching in git webhook receiver by @asafc in #400
- Rename
OPAL_SERVER_PORT
->OPAL_SERVER_BIND_PORT
to avoid configuration parsing error when k8s sets this envar to "tcp://..." if there's a service named "opal-server" (For backward compatibility old envar would still be used if has a valid port integer value). by @roekatz in #442
Docs & Examples
- Update config.py by @money8203 in #358
- Introduced "OPAL Configuration Variables" doc by @filipermit in #397
- Updates to fetch providers, config variables, opal+ and new release page by @filipermit in #401
- Fix for Doc Broken links by @renatosc in #412
- Change Slack Link by @danielbass37 in #416
- Fix typos discovered by codespell by @cclauss in #419
- fix broken tutorial links by @omriza in #429
- Introduce
run-example-with-scopes.sh
to demonstrate using scopes by @roekatz in #444
New Contributors
- @scarlier made their first contribution in #407
- @renatosc made their first contribution in #412
- @cclauss made their first contribution in #419
- @omriza made their first contribution in #429
Full Changelog: 0.5.0...0.6.0
v0.5.0
What's Changed
This release contains several small fixes and improvements.
New Feature: Bundle Ignore
Adds support for omitting files in the bundle produced by opal-server. Use the OPAL_BUNDLE_IGNORE
environment variable to specify a list of comma separated glob paths which if matched will ignore a file from being included in the policy bundle.
- add support for omitting files from bundle by @tlowerison in #372
- Fixes to bundle ignore feature by @orishavit in #394
- Merge pull request #372 from tlowerison/master + precommit by @orweis in #387
Bug fix: bitbucket webhook
Fixes #381: When sending a webhook from Bitbucket to the OPAL server with an secret configured then the the response on the request is an 401, no secret was provided. This is unexpected as the configuration looks correct.
Bug fix: confi default casting
Improve usability of topics in data updates
- Have the default topic (policy_data) as a default value for DataSourceEntry.topics - To prevent users who have left this empty before from experiencing breaking changes as a result of related bug fixes in 0.4.0. Also fixes #375: Uncaught server exception when posting data update without topics
- Warn at realtime when published entry doesn't have topics, or when client processes data update with no matching entries (this would cover what isn't covered by 1).
- Fix documentation about topics in data updates.
Included PRs:
CI Fixes
Documentation Fixes
- Updated FAQ for OPAL by @filipermit in #373
- Update feature_request.md by @money8203 in #374
- Update issue templates by @orweis in #383
- Bump http-cache-semantics from 4.1.0 to 4.1.1 in /documentation by @dependabot in #377
- Bump eta, @docusaurus/core and @docusaurus/preset-classic in /documentation by @dependabot in #378
- Bump @sideway/formula from 3.0.0 to 3.0.1 in /documentation by @dependabot in #380
- improvements to docs by @orweis in #386
- add OPAL-plus by @orweis in #391
New Contributors
- @tlowerison made their first contribution in #372
Full Changelog: 0.4.0...0.5.0
v0.4.0
What's Changed
This release contains several small fixes and improvements.
Support custom OPA versions / variants
- Extract OPA executable from opa docker image by @tibotix in #316
- Add opa_image Dockerfile build argument by @tibotix in #322
Improved OPAL client healthcheck
- OPAL client healthcheck returns the value of the OPA healthcheck policy, based on sync status by @orishavit in #332
Fixed: Hanging redis lock issue
- This fix by @roekatz solves the issue of the Redis lock (around the policy git clone) staying hanging forever (preventing new workers from cloning the repo). Probably because the app crashes with segfault before releasing the lock. link: #345
Fixed: Pulling policy from private repo only succeeds for newly cloned repos
- Pass SSH environment to BranchTracker by @orishavit in #366
More webhook formats supported
- Webhooks: Support BitBucket webhooks by @roekatz in #361
- Check webhook URL properly by @orishavit in #355
- Git-webhook-azure by @orweis in #351
- Git-webhook-expand by @orweis in #342
- add support to enforce git branch by @orweis in #357
New configuration options
Small fixes and improvements
- Add .dockerignore file by @tibotix in #317
- fixed spelling error by @garnerp in #329
- Bump loader-utils from 2.0.2 to 2.0.4 in /documentation by @dependabot in #325
- fix env-var name by @orweis in #353
- Bump ua-parser-js from 0.7.31 to 0.7.33 in /documentation by @dependabot in #363
- Stabilize release 0.4.0 by @asafc in #370
- Create pull_request_template.md by @money8203 in #369
- Change OPAL test matrix to 3.9/3.10 by @orishavit in #319
- Update cryptography dependency to >38 by @orishavit in #320
- Add rego_clone/ to Dockerignore by @orishavit in #331
- Minor bug fix Data Source Refresh by @loan75 in #311
- Support Local Health Checks for OPAL Server by @brianhyder in #309
- Topic related DataUpdate bug fixes by @roekatz in #339
Documentation Fixes
- Opal-statistics-docs by @orweis in #347
- improve docs interlinking by @orweis in #362
- Navbar fix by @filipermit in #356
- Fixes+helm by @filipermit in #352
- Small guide fixes by @filipermit in #346
- Improvement/docs by @filipermit in #333
- Improvements/getting-started by @filipermit in #327
- sp: Akso to Also by @avo-sepp in #364
New Contributors
- @loan75 made their first contribution in #311
- @tibotix made their first contribution in #316
- @brianhyder made their first contribution in #309
- @garnerp made their first contribution in #329
- @avo-sepp made their first contribution in #364
- @money8203 made their first contribution in #369
Full Changelog: 0.3.1...0.4.0
v0.3.1
What's Changed
Minor bug fixes and improvements.
This release allows you to define periodic refetching on a data source, initiated by the server.
Simply define periodic_update_interval on the entry to desire to periodically refetch.
- Data source refresh by @DServy in #305
- Small fix for removed variable by @jamielennox in #307
New Contributors
- @jamielennox made their first contribution in #307
- @DServy made their first contribution in #305
Full Changelog: 0.3.0...0.3.1