OPA Release v0.32.0

[peteroneilljr]

This release includes a number of improvements and fixes.

💾 Disk-based Storage (Experimental)

This release adds a disk-based storage implementation to OPA. The implementation can be found in github.com/open-policy-agent/storage/disk. There is also an example in the rego package that shows how policies can be evaluated with the disk-based store. The disk-based store is currently only available as a library (i.e., it is not integrated into the rest of OPA yet.) In the next few releases, we are planning to integrate the implementation into the OPA server and provide tooling to help leverage the disk-based store.

Built-in Functions

This release includes a few improvements to existing built-in functions:

• The http.send function now supports UNIX domain sockets (#3661) authored by @kirk-patton
• The units.parse_bytes function now supports E* and P* units (#2911)
• The io.jwt.encode_sign function uses the built-in context randomization source (which is helpful for replay purposes)

Server

This release includes multiple improvements for OPA server deployments in serverless environments:

• Plugins can now be triggered manually within OPA. This feature allows users extending and customizing OPA to control exactly when operations like bundle downloads and decision log uploads occur. The built-in plugins now include a trigger configuration that can be set to manual or periodic (which is the default). When manual triggering is enabled, the plugins WILL NOT perform any periodic/background operations. Instead, the plugins will only execute when the Trigger API is invoked.
• Plugins can now wait for server initialization. When runtime initialization is finished, plugins can be notified. This allows plugins to synchronize their behaviour with server startup. #3701 authored by @gshively11.
• The Health API now supports an exclude-plugin parameter to control which plugins are checked. #3713 authored by @gshively11.

Tooling

• The compiler no longer fetches remote schemas by default when used as as library. Capabilities have been updated to include an allow_net field to control whether network operations can be performed (#3746). This field is only used to control schema fetching today. In future versions of OPA, the allow_net parameter will be used to control other behaviour like http.send.
• The WebAssembly runtime not supported error message has been improved #3739.

Rego

• Added support for anyOf and allOf keywords in JSON schema support in the type checker (#3592) authored by @jchen10500 and @juliafriedman8.
• Added support for custom JSON result marshalling in the rego package.
• Added a new convenience function (Allowed() bool) to the rego.ResultSet API.
• Improved string-representation construction performance for arrays, sets, and objects.
• Improved the topdown evaluator to support ast.Value results from the store so that unnecessary conversions can be avoided.
• Improved the rego package to make the wasmtime-go dependency optional at build-time (#3545).
• Fixed a bug in the comprehension indexer whereby index keys were not constructed correctly leading to incorrect outputs (#3579).
• Fixed a stack overflow during partial evaluation due to incorrect term rewriting in the copy propagation implementation (#3071).
• Fixed a bug in partial evaluation when shallow inlinign is enabled that resulted in built-in functions being invoked instead of saved (#3681).

WebAssembly

• The internal Wasm SDK now supports the inter-query built-in cache.
• The pre-compiled runtime is now built with llvm 12.0.1 and the builder image includes clang-format.
• The internal Wasm SDK has been updated to use wasmtime-go v0.29.0.

Documentation

This release includes a number of documentation improvements:

• The wasm opa_eval arguments have been clarified #3699
• The contributing and development guide have been moved into a dedicated Contributing section on the website #3751
• The Envoy standalone tutorial includes cleanup steps now (thanks @princespaghetti)
• Various typos have been fixed by multiple folks (thanks @Tej-Singh-Rana @gujun4990)
• The Kubernetes ingress validation tutorial has been updated to include new mandatory attributes and newer API versions (thanks @ereslibre)
• The recommendations around using OPA Gatekeeper have been improved.

Infrastructure

• OPA is now built with Go v1.17 and CI jobs have been added to ensure OPA builds with older versions of Go.

Backwards Compatibility

The rego package no longer relies on build constraints to enable the Wasm runtime. Instead, library users must opt-in to Wasm runtime support by adding an import statement in the Go code:

import _ "github.com/open-policy-agent/opa/features/wasm"

This change ensures that (by default) the wasmtime-go blobs are not vendored in projects that embed OPA as a library. If you are currently relying on the Wasm runtime support in the rego package (via the rego.Target("wasm") option), please update you code to include the import above. See #3545 for more details.