This release contains a mix of features, performance improvements, and bugfixes.
Optimized read mode for OPA's in-memory store (#7125)
A new optimized read mode has been added to the default in-memory store, where data written to the store is eagerly converted
to AST values (the data format used during evaluation). This removes the time spent converting raw data values to AST
during policy evaluation, thereby improving performance.
The memory footprint of the store will increase, as processed AST values generally take up more space in memory than the
corresponding raw data values, but overall memory usage of OPA might remain more stable over time, as pre-converted data
is shared across evaluations and isn't recomputed for each evaluation, which can cause spikes in memory usage.
This mode can be enabled for opa run, opa eval, and opa bench by setting the --optimize-store-for-read-speed flag.
More information about this feature can be found here.
topdown: Use new Inter-Query Value Cache for json.match_schema built-in function (#7011) authored by @anderseknert reported by @lcarva
ast: Fix location text attribute for multi-value rules with generated body (#7128) authored by @anderseknert
ast: Fix regression in opa check where a file that referenced non-provided schemas failed validation (#7124) authored by @tjons
test/cases/testdata: Fix bug in test by replacing unification by explicit equality check (#7093) authored by @matajoh
ast: Replace use of yaml.v2 library with yaml.v3. The earlier version would parse yes/no values as boolean. The usage of yaml.v2 in the parser was unintentional and now has been updated to yaml.v3 (#7090) authored by @anderseknert
Runtime, Tooling, SDK
cmd: Make opa check respect --ignore when --bundle flag is set (#7136) authored by @anderseknert
server/writer: Properly handle result encoding errors which earlier on failure would emit logs such as superfluous call to WriteHeader() while still returning 200 HTTP status code. Now, errors encoding the payload properly lead to 500 HTTP status code, without extra logs. Also use Header().Set() not Header().Add() to avoid duplicate content-type headers (#7114) authored by @srenatus
cmd: Support file:// format for TLS key material file flags in opa run (#7094) authored by @alexrohozneanu
plugins/rest/azure: Support managed identity for App Service / Container Apps (#7085) reported and authored by @apc-kamezaki
debug: Fix step-over behaviour when exiting partial rules (#7096) authored by @johanfylling
util+plugins: Fix potential memory leaks with explicit timer cancellation (#7089) authored by @philipaconrad
Docs, Website, Ecosystem
docs: Fix OCI example with updated flag used by the ORAS CLI (#7130) authored by @b3n3d17
docs: Delete Atom editor from supported editor integrations (#7111) authored by @KaranbirSingh7
docs/website: Add Styra OPA ASP.NET Core SDK integration (#7073) authored by @philipaconrad
docs/website: Update compatibility information on the rego-cpp integration (#7078) authored by @matajoh
Miscellaneous
Dependency updates; notably:
build(deps): bump github.com/containerd/containerd from 1.7.22 to 1.7.23
build(deps): bump github.com/prometheus/client_golang from 1.20.4 to 1.20.5
build(deps): bump golang.org/x/net from 0.29.0 to 0.30.0
build(deps): bump golang.org/x/time from 0.6.0 to 0.7.0
build(deps): bump google.golang.org/grpc from 1.67.0 to 1.67.1
This release contains a mix of features, performance improvements, and bugfixes.
Optimized read mode for OPA's in-memory store (#7125)
A new optimized read mode has been added to the default in-memory store, where data written to the store is eagerly converted
to AST values (the data format used during evaluation). This removes the time spent converting raw data values to AST
during policy evaluation, thereby improving performance.
The memory footprint of the store will increase, as processed AST values generally take up more space in memory than the
corresponding raw data values, but overall memory usage of OPA might remain more stable over time, as pre-converted data
is shared across evaluations and isn't recomputed for each evaluation, which can cause spikes in memory usage.
This mode can be enabled for opa run, opa eval, and opa bench by setting the --optimize-store-for-read-speed flag.
More information about this feature can be found here.
topdown: Use new Inter-Query Value Cache for json.match_schema built-in function (#7011) authored by @anderseknert reported by @lcarva
ast: Fix location text attribute for multi-value rules with generated body (#7128) authored by @anderseknert
ast: Fix regression in opa check where a file that referenced non-provided schemas failed validation (#7124) authored by @tjons
test/cases/testdata: Fix bug in test by replacing unification by explicit equality check (#7093) authored by @matajoh
ast: Replace use of yaml.v2 library with yaml.v3. The earlier version would parse yes/no values as boolean. The usage of yaml.v2 in the parser was unintentional and now has been updated to yaml.v3 (#7090) authored by @anderseknert
Runtime, Tooling, SDK
cmd: Make opa check respect --ignore when --bundle flag is set (#7136) authored by @anderseknert
server/writer: Properly handle result encoding errors which earlier on failure would emit logs such as superfluous call to WriteHeader() while still returning 200 HTTP status code. Now, errors encoding the payload properly lead to 500 HTTP status code, without extra logs. Also use Header().Set() not Header().Add() to avoid duplicate content-type headers (#7114) authored by @srenatus
cmd: Support file:// format for TLS key material file flags in opa run (#7094) authored by @alexrohozneanu
plugins/rest/azure: Support managed identity for App Service / Container Apps (#7085) reported and authored by @apc-kamezaki
debug: Fix step-over behaviour when exiting partial rules (#7096) authored by @johanfylling
util+plugins: Fix potential memory leaks with explicit timer cancellation (#7089) authored by @philipaconrad
Docs, Website, Ecosystem
docs: Fix OCI example with updated flag used by the ORAS CLI (#7130) authored by @b3n3d17
docs: Delete Atom editor from supported editor integrations (#7111) authored by @KaranbirSingh7
docs/website: Add Styra OPA ASP.NET Core SDK integration (#7073) authored by @philipaconrad
docs/website: Update compatibility information on the rego-cpp integration (#7078) authored by @matajoh
Miscellaneous
Dependency updates; notably:
build(deps): bump github.com/containerd/containerd from 1.7.22 to 1.7.23
build(deps): bump github.com/prometheus/client_golang from 1.20.4 to 1.20.5
build(deps): bump golang.org/x/net from 0.29.0 to 0.30.0
build(deps): bump golang.org/x/time from 0.6.0 to 0.7.0
build(deps): bump google.golang.org/grpc from 1.67.0 to 1.67.1
We decided to revert the testutil change that made our util functions less error-prone, but created a lot of work for our downstream users. Apologies for the pain! This revert should not cause any major breaking change, even if you already did the work--unless you depend on the exact error message.
Going forward, we plan to reinforce our release testing strategy [1],[2] and deliver an enhanced testutil package/module with more flexible and safer APIs.
[BUGFIX] testutil: Reverted #1424; functions using compareMetricFamilies are (again) only failing if filtered metricNames are in the expected input. #1645
Bumps the all-go-mod-patch-and-minor group with 10 updates in the / directory:
1.1.0
1.1.1
0.13.0
0.13.1
0.68.0
0.70.0
0.68.0-envoy-4
0.70.0-envoy-1
9.6.1
9.7.0
1.9.0
1.10.0
0.33.0
0.34.0
1.17.3
1.18.0
0.23.0
0.24.0
0.8.0
0.9.0
Updates
github.com/andybalholm/brotli
from 1.1.0 to 1.1.1Commits
57434b5
Encoder: check for empty block97e8583
matchfinder.M4: some refinements to scoringUpdates
github.com/envoyproxy/go-control-plane
from 0.13.0 to 0.13.1Release notes
Sourced from github.com/envoyproxy/go-control-plane's releases.
Commits
03ea0b2
Mirrored from envoyproxy/envoy @ d049362557545b054e1a883231e64944ed0a8819bec043f
Mirrored from envoyproxy/envoy @ c6761de5f33e97758471c6b973a57a5c2e5db9258c942bd
Mirrored from envoyproxy/envoy @ e48666365c8a0b3a62343602fd9380d58a7afd95e1df533
Mirrored from envoyproxy/envoy @ 1173629e531abf758f011c2da15da739f72881c6deb90cf
Mirrored from envoyproxy/envoy @ 42068a59e37d0d6c313340d0175cb08cce2574bb06f4ee8
Mirrored from envoyproxy/envoy @ a3e32c92c5ae699a4daad094c6a87b58e1e84ec2f61d5e4
Mirrored from envoyproxy/envoy @ 1a153166a6d1e9336ee8982d1a00ba98655c9d39f6ecc7e
Mirrored from envoyproxy/envoy @ 07a8c4afe8ac83632535bd118f142df70d2335be74bddf0
Mirrored from envoyproxy/envoy @ 865aa1081a0a66d13b2564382abc89129c1ba090d1afc3b
Mirrored from envoyproxy/envoy @ 38530270d6cb3a3a71a9b70b3de55854750b75a9Updates
github.com/open-policy-agent/opa
from 0.68.0 to 0.70.0Release notes
Sourced from github.com/open-policy-agent/opa's releases.
... (truncated)
Changelog
Sourced from github.com/open-policy-agent/opa's changelog.
... (truncated)
Commits
2ea031e
Prepare v0.70.0 release6af5e79
storage: Optimized read mode for default data storage1b797d9
Makeopa check
respect--ignore
when--bundle
flag is set (#7137)8e44b98
build(deps): bump actions/setup-go from 5.0.2 to 5.1.0 (#7138)ad6ffda
build(deps): bump actions/checkout from 4.2.1 to 4.2.2 (#7135)67fe53b
Update Andrew Peabody to emeritus (#7133)30f3747
build(deps): bump github/codeql-action from 3.26.13 to 3.27.0f7957bd
:bug: fix: oras cli changed to --config58ec50b
Fix location for multivalue rules with generated bodies (#7129)555fe84
only check schemas when schemas are provided (#7124)Updates
github.com/open-policy-agent/opa-envoy-plugin
from 0.68.0-envoy-4 to 0.70.0-envoy-1Release notes
Sourced from github.com/open-policy-agent/opa-envoy-plugin's releases.
Commits
bf7dca6
Disable git safe directory check43d7bd2
build(deps): bump github.com/open-policy-agent/opa from 0.69.0 to 0.70.0765ad70
refactor creation of prepared queries4c4c3fd
Update GO version to match OPA versionc2f5136
build(deps): bump github.com/envoyproxy/go-control-planee818d2e
build(deps): bump github.com/prometheus/client_golang8d6a285
build(deps): bump google.golang.org/protobuf from 1.34.2 to 1.35.175df799
build(deps): bump google.golang.org/grpc from 1.67.0 to 1.67.1 (#600)47179af
build(deps): bump golang.org/x/tools from 0.25.0 to 0.26.0 (#601)420d0d0
build(deps): bump github.com/open-policy-agent/opa from 0.68.0 to 0.69.0Updates
github.com/prometheus/client_golang
from 1.20.4 to 1.20.5Release notes
Sourced from github.com/prometheus/client_golang's releases.
Changelog
Sourced from github.com/prometheus/client_golang's changelog.
Commits
48e12a1
Merge pull request #1645 from prometheus/cut-1204-pr1424504ad9b
Cut 1.20.5; update comments.584a7ce
Revert "testutil compareMetricFamilies: make less error-prone (#1424)"Updates
github.com/redis/go-redis/v9
from 9.6.1 to 9.7.0Release notes
Sourced from github.com/redis/go-redis/v9's releases.
... (truncated)
Commits
ed37c33
Updated package version [9.7] (#3159)135f8e3
Fix field name spellings (#3132) (#3156)ac2e91d
Support Json with Resp 2 (#3146) (#3155)ec680ae
Remove direct read from TLS underlying conn (#3138) (#3154)ad131f4
Updated package version (#3134)d9eeed1
Fix Flaky Test: should handle FTAggregate with Unstable RESP3 Search Module a...e99abe4
DOC-4237 added Bloom filter examples (#3115)9e79c9b
DOC-4228 JSON code examples (#3114)9e3709c
DOC-4234 added bitmap examples (#3124)69b4c01
DOC-4241 added t-digest examples (#3123)Updates
github.com/stretchr/testify
from 1.9.0 to 1.10.0Release notes
Sourced from github.com/stretchr/testify's releases.
... (truncated)
Commits
89cbdd9
Merge pull request #1626 from arjun-1/fix-functional-options-diff-indirect-calls07bac60
Merge pull request #1667 from sikehish/flaky716de8d
Increase timeouts in Test_Mock_Called_blocks to reduce flakiness in CI118fb83
NotSame should fail if args are not pointers #1661 (#1664)7d99b2b
attempt 205f87c0
more similarea7129e
better fmta1b9c9e
Merge pull request #1663 from ybrustin/master8302de9
Merge branch 'master' into master89352f7
Merge pull request #1518 from hendrywiranto/adjust-readme-remove-v2Updates
github.com/testcontainers/testcontainers-go
from 0.33.0 to 0.34.0Release notes
Sourced from github.com/testcontainers/testcontainers-go's releases.
... (truncated)
Commits
7d0f970
chore: use new version (v0.34.0) in modules and examples2c66f20
feat: add meilisearch-module (#2835)235ab07
fix(postgres): duplicate snapshot name (#2840)f1632b3
chore: use Contains or ErrorContains checks (#2839)b74984d
golangci-lint: enable thelper linter (#2834)5e988ff
fix(reaper): refactor to allow retries and fix races (#2728)56bb501
chore: update ryuk to 0.10.2 (#2833)27f699b
feat: add yugabytedb module (#2825)00e7002
fix: update module container struct name and missing imports (#2831)fb6a4ba
chore: replace 'assert' with 'require' (#2827)Updates
github.com/tidwall/gjson
from 1.17.3 to 1.18.0Commits
133f42c
Generally faster parsing92dff34
Update README.mdUpdates
golang.org/x/crypto
from 0.27.0 to 0.28.0Commits
adef4cc
go.mod: update golang.org/x dependenciesa0819fb
sha3: fix cSHAKE initialization for extremely large N and or S42ee18b
ssh: return ServerAuthError after too many auth failures9e92970
bn256: add missing symbols in commentUpdates
golang.org/x/net
from 0.29.0 to 0.30.0Commits
6cc5ac4
go.mod: update golang.org/x dependenciesf88258d
websocket: update nhooyr.io/websocket to github.com/coder/websocket7191757
http2: add support for net/http HTTP2 config field4790dc7
http2: add support for server-originated pings541dbe5
http2: add Server.WriteByteTimeout3c333c0
route: fix address parsing of messages on DarwinUpdates
golang.org/x/oauth2
from 0.23.0 to 0.24.0Commits
22134a4
README: don't recommend go getUpdates
golang.org/x/sync
from 0.8.0 to 0.9.0C... _Description has been truncated_