cherry-pick and release v0.39.1 for gatekeeper

[thomasmckay]

cherry-pick e9d3828 and release v0.39.1

gatekeeper-3.8 relies on opa-0.39, rather than bumping to opa-0.40 in a 3.8.z it would be better to have the fix backported

Thoughts?

[tsandall]

We'd recommend just updating to v0.40.0. Is there something in v0.40.0 that you're particularly worried about?

[thomasmckay]

Nothing specific but bumping to a y-stream in the underlying core tech could be perceived as "risky". A y-stream bump to opa would be better consumed in a y-stream of gatekeeper. In the community meeting there wasn't strong pushback against bumping opa but for future reference, should consumers of opa not expect cve/bug backports? Is there a doc on the threshold?

[tsandall]

If GK can update to 0.40 that's preferable. We don't provide a backport guarantee today--but that's not to say we can't do it, e.g., in this case, if there are specific needs for a v0.39.1 release, we're happy to do it.

[tsandall]

@ritazh @willbeason is GK 3.8 going to update to v0.40?

[willbeason]

@tsandall I don't think there's any danger in upgrading GK 3.8 to v0.40 in a patch release. I don't have a good understanding of the need for a v0.39.1 release. If there were a specific reason to not upgrade to v0.40 in a patch release, that would be compelling, but in the absence of anything specific it's hard to justify.

I have a PR out for upgrading (future) GK 3.9 to v0.40: open-policy-agent/gatekeeper#2069

[anderseknert]

OK to close this now?

[willbeason]

@thomasmckay @maxsmythe ?

[maxsmythe]

v3.9.0-beta.2 is on OPA v0.40.0

https://github.com/open-policy-agent/gatekeeper/blob/24aad6c76af7e661fc7d578684419cf7427fe87d/go.sum#L826

@sozercan didn't want to upgrade OPA on a minor release b/c it could mean a significant change IIRC.

Not sure if that meets @thomasmckay 's goals or not?

[srenatus]

Looks like it's OK to close? We can always re-open 🧹