v0.7.4

What's Changed

New Features

• Add support for PATCH as save_method in data updates. by @thilak009 in #483

Bugfixes

• Fix hanging inline OPA on very long log lines. by @roekatz in #489
• Upgrade gitpython to mitigate CVE-2023-40267. by @philipclaesson in #490
• Explicitly close web socket on server before endpoint exits. @roekatz in #496

Docs

• kafka sasl docs by @orweis in #485
• tweaks to improve the docs by @orweis in #486
• Add tinytodo to docs by @obsd in #487
• Update inline opa config docs with an example and link by @jasonmcintosh in #493
• add basic tutorial about self signed certificates by @asafc in #495

New Contributors

• @jasonmcintosh made their first contribution in #493
• @philipclaesson made their first contribution in #490

Full Changelog: 0.7.3...0.7.4

v0.7.3

What's Changed

• Webhook: Fix not listening on webhook notifications when broadcaster isn't configured. by @roekatz in #480 - Thanks Jack Geek from our Slack community for reporting!
• Fix multi arch support in docker build and push workflow. by @roekatz in #479

Full Changelog: 0.7.2...0.7.3

v0.7.2

What's Changed

New Features

• Support OPA tls authentication. by @oskar-christensson in #457
• Support disabling policy updates in OPAL client (data-only mode). by @thilak009 in #470
• Support S3 buckets as bundle servers (aka api policy source) by @orweis in #472 & @cbat98 in #473
• Upgraded broadcaster version to 0.2.3 (Includes new support for Kafka SSL by @david-hamilton-bah in permitio/broadcaster#5)
• Policy store data updates: Support only pushing nested keys instead of overriding entire root path (eg /v1/data on OPA) by @orishavit in #448

Fixes

• Fix memory leaks (Leaking tasks on publishing updates & executing webhook trigger) by @roekatz in #475 & #476

Docs & Examples

• New Cedar docs. by @shaulk in #464 & @orweis in #465
• Update helm chart tutorial by @roekatz in #468
• Fix Kafka based docker-compose example by @roekatz in #469
• docs on data.json by @orweis in #474

New Contributors

• @oskar-christensson made their first contribution in #457
• @thilak009 made their first contribution in #470
• @cbat98 made their first contribution in #473

Full Changelog: 0.7.0...0.7.2

v0.7.0

What's Changed

Supporting a new policy engine: Cedar Agent

Cedar Agent provides the ability to run Cedar as a standalone agent (Similar to how one would use OPA) which can then be powered by OPAL. OPAL manages the policies loaded into Cedar through git, same as for OPA, and can push data updates in real time from external data sources.
Example OPAL configuration for Cedar can be found here.

The Cedar policy language offers better readability, better performance for policy evaluation and is analyzable via automatic reasoning.

• Add a Cedar policy engine plugin by @shaulk in #461
• Shaul/per 5343 update cedar agent in opal by @shaulk in #463

Small fixes and improvements

• Add platforms to build-push-action with amd64 and arm64 by @vivedo in #427
• [Snyk] Security upgrade setuptools from 39.0.1 to 65.5.1 by @RazcoDev in #323
• [Snyk] Security upgrade setuptools from 39.0.1 to 65.5.1 by @asafc in #324
• Bump json5 from 2.2.1 to 2.2.3 in /documentation by @dependabot in #354
• Bump webpack from 5.74.0 to 5.76.1 in /documentation by @dependabot in #410
• Upgrade GitHub Action by @cclauss in #417
• Docs: Add periodic_update_interval to data-sources.mdx by @roekatz in #458
• Oded/small docs fixes by @obsd in #283
• sort and add more questions by @orweis in #459
• Merge pull request #347 from permitio/improve-cli-windows-support by @orweis in #349
• Tests: Mark test_external_http_get flaky for retries by @roekatz in #460
• bump version: 0.7.0 by @asafc in #462

New Contributors

• @vivedo made their first contribution in #427
• @RazcoDev made their first contribution in #323

Full Changelog: 0.6.1...0.7.0

v0.6.1

What's Changed

Bug Fixes

• Fix exception thrown on webhook for API policy source by @urspraveen2001 in #438
• Fix restoring OPA from a local backup on offline mode by @roekatz in #450
• Fix clients can't reconnect when broadcaster disconnects if statistics are enabled by @roekatz in #453

New Contributors

• @urspraveen2001 made their first contribution in #438

Full Changelog: 0.6.0...0.6.1

v0.6.0

What's Changed

New Features in Policy Store Control (Client)

• Automatic resolution of ordering issues: Any failed policy store loading operation (file loading / deletion) would be re-attempted after completing other operations (instead of bailing out), thus eventually achieving the correct loading order via trial and error. by @roekatz in #425
  • Eliminates the need to explicitly define .manifest files on most cases (although having an explicit manifest might still be beneficial for performance).
  • Resolves the known issue of handling moved/renamed modules.
• OAuth2 support for policy store authentication by @scarlier in #407
• Add option to ignore specific policy files by @orweis in #414
  • Could be used to prevent opal-client from overriding policy files managed outside OPAL.
• Optional offline mode, where policy store's data is restored from a local backup file on client startup (Thus being able to handle queries even when server connection can't be established) by @roekatz in #441

Server Multi Process Stability

Bug fixes in using opal-server with multiple workers (UVICORN_NUM_WORKERS) and/or multiple instances (e.g. pod replicas).

• Fix leader worker sometimes not getting git webhook event (Bug in broadcaster subscription) by @roekatz in #398
• Turn on BROADCAST_CONN_LOSS_BUGFIX_EXPERIMENT_ENABLED by default (Fixes silent connection losses to Postgres broadcaster) @roekatz in #443
• Bump fastapi_websocket_pubsub ver to 0.3.3 by @roekatz in #423

Health Checks

• Make client's health check always available (without requiring persisting health status in OPA by setting OPAL_OPA_HEALTH_CHECK_POLICY_ENABLED) by @roekatz in #420
• Expose new /ready endpoint - would return 200 OK if OPA was loaded from either server or backup (on newly available offline mode) at least once. by @roekatz in #441

Scopes Stability

Introduce quite a few refactors & changes in scopes we've been working on and testing internally lately. by @roekatz in #436.

• Bug fixes related to using multiple Uvicorn workers and / or multiple instances (e.g pod replicas).
• Getting rid of Celery worker (a.k.a opal-server-worker) for periodically syncing scopes (Instead, using the leader process the same way it's used when scopes are disabled).
• Bug fixes in detecting and notifying changes when multiple scopes use the same git repository (but possibly different branches).
• Fix races in detecting and notifying changes during server setup time (cloning all scopes' repos).
• Better logging when using scopes

Other Improvements & Fixes

• Optionally allow to skip url matching in git webhook receiver by @asafc in #400
• Rename OPAL_SERVER_PORT -> OPAL_SERVER_BIND_PORT to avoid configuration parsing error when k8s sets this envar to "tcp://..." if there's a service named "opal-server" (For backward compatibility old envar would still be used if has a valid port integer value). by @roekatz in #442

Docs & Examples

• Update config.py by @money8203 in #358
• Introduced "OPAL Configuration Variables" doc by @filipermit in #397
• Updates to fetch providers, config variables, opal+ and new release page by @filipermit in #401
• Fix for Doc Broken links by @renatosc in #412
• Change Slack Link by @danielbass37 in #416
• Fix typos discovered by codespell by @cclauss in #419
• fix broken tutorial links by @omriza in #429
• Introduce run-example-with-scopes.sh to demonstrate using scopes by @roekatz in #444

New Contributors

• @scarlier made their first contribution in #407
• @renatosc made their first contribution in #412
• @cclauss made their first contribution in #419
• @omriza made their first contribution in #429

Full Changelog: 0.5.0...0.6.0

v0.5.0

What's Changed

This release contains several small fixes and improvements.

New Feature: Bundle Ignore

Adds support for omitting files in the bundle produced by opal-server. Use the OPAL_BUNDLE_IGNORE environment variable to specify a list of comma separated glob paths which if matched will ignore a file from being included in the policy bundle.

• add support for omitting files from bundle by @tlowerison in #372
• Fixes to bundle ignore feature by @orishavit in #394
• Merge pull request #372 from tlowerison/master + precommit by @orweis in #387

Bug fix: bitbucket webhook

Fixes #381: When sending a webhook from Bitbucket to the OPAL server with an secret configured then the the response on the request is an 401, no secret was provided. This is unexpected as the configuration looks correct.

• fix bug in parsing and make tests test secrets by @orweis in #384

Bug fix: confi default casting

• improve error logging, and fix defualt casting by @orweis in #371

Improve usability of topics in data updates

1. Have the default topic (policy_data) as a default value for DataSourceEntry.topics - To prevent users who have left this empty before from experiencing breaking changes as a result of related bug fixes in 0.4.0. Also fixes #375: Uncaught server exception when posting data update without topics
2. Warn at realtime when published entry doesn't have topics, or when client processes data update with no matching entries (this would cover what isn't covered by 1).
3. Fix documentation about topics in data updates.

Included PRs:

• Improve usability of topics in data updates by @roekatz in #389

CI Fixes

• Fix broken pre commit by @asafc in #393
• feat: Install jq to client and server by @avo-sepp in #392

Documentation Fixes

• Updated FAQ for OPAL by @filipermit in #373
• Update feature_request.md by @money8203 in #374
• Update issue templates by @orweis in #383
• Bump http-cache-semantics from 4.1.0 to 4.1.1 in /documentation by @dependabot in #377
• Bump eta, @docusaurus/core and @docusaurus/preset-classic in /documentation by @dependabot in #378
• Bump @sideway/formula from 3.0.0 to 3.0.1 in /documentation by @dependabot in #380
• improvements to docs by @orweis in #386
• add OPAL-plus by @orweis in #391

New Contributors

• @tlowerison made their first contribution in #372

Full Changelog: 0.4.0...0.5.0

v0.4.0

What's Changed

This release contains several small fixes and improvements.

Support custom OPA versions / variants

• Extract OPA executable from opa docker image by @tibotix in #316
• Add opa_image Dockerfile build argument by @tibotix in #322

Improved OPAL client healthcheck

• OPAL client healthcheck returns the value of the OPA healthcheck policy, based on sync status by @orishavit in #332

Fixed: Hanging redis lock issue

• This fix by @roekatz solves the issue of the Redis lock (around the policy git clone) staying hanging forever (preventing new workers from cloning the repo). Probably because the app crashes with segfault before releasing the lock. link: #345

Fixed: Pulling policy from private repo only succeeds for newly cloned repos

• Pass SSH environment to BranchTracker by @orishavit in #366

More webhook formats supported

• Webhooks: Support BitBucket webhooks by @roekatz in #361
• Check webhook URL properly by @orishavit in #355
• Git-webhook-azure by @orweis in #351
• Git-webhook-expand by @orweis in #342
• add support to enforce git branch by @orweis in #357

New configuration options

• Policy-updater-retry-config by @orweis in #359

Small fixes and improvements

• Add .dockerignore file by @tibotix in #317
• fixed spelling error by @garnerp in #329
• Bump loader-utils from 2.0.2 to 2.0.4 in /documentation by @dependabot in #325
• fix env-var name by @orweis in #353
• Bump ua-parser-js from 0.7.31 to 0.7.33 in /documentation by @dependabot in #363
• Stabilize release 0.4.0 by @asafc in #370
• Create pull_request_template.md by @money8203 in #369
• Change OPAL test matrix to 3.9/3.10 by @orishavit in #319
• Update cryptography dependency to >38 by @orishavit in #320
• Add rego_clone/ to Dockerignore by @orishavit in #331
• Minor bug fix Data Source Refresh by @loan75 in #311
• Support Local Health Checks for OPAL Server by @brianhyder in #309
• Topic related DataUpdate bug fixes by @roekatz in #339

Documentation Fixes

• Opal-statistics-docs by @orweis in #347
• improve docs interlinking by @orweis in #362
• Navbar fix by @filipermit in #356
• Fixes+helm by @filipermit in #352
• Small guide fixes by @filipermit in #346
• Improvement/docs by @filipermit in #333
• Improvements/getting-started by @filipermit in #327
• sp: Akso to Also by @avo-sepp in #364

New Contributors

• @loan75 made their first contribution in #311
• @tibotix made their first contribution in #316
• @brianhyder made their first contribution in #309
• @garnerp made their first contribution in #329
• @avo-sepp made their first contribution in #364
• @money8203 made their first contribution in #369

Full Changelog: 0.3.1...0.4.0

v0.3.1

What's Changed

Minor bug fixes and improvements.

This release allows you to define periodic refetching on a data source, initiated by the server.
Simply define periodic_update_interval on the entry to desire to periodically refetch.

• Data source refresh by @DServy in #305
• Small fix for removed variable by @jamielennox in #307

New Contributors

• @jamielennox made their first contribution in #307
• @DServy made their first contribution in #305

Full Changelog: 0.3.0...0.3.1

v0.3.0

What's Changed

New Feature: Inline data updates

You can now push a data update via opal that already includes the data itself (inline) instead of including a reference url and incurring another network round trip. This is best for small incremental data updates.

• Allow embedded data in DataUpdate by @orishavit in #294
• Minor bug fixes to inline data updates by @asafc in #306

Fixes: Performance and stability improvements to OPAL Scopes

OPAL Scopes is a new experimental feature that allows a single OPAL server to track multiple git repositories, and in essence enables true multi-tenancy by a single OPAL deployment. This release includes major improvements to the performance and stability of this feature.

• Improve opal scopes performance by @asafc in #298

Minor bug fixes

• Add redis dependency to OPAL by @orishavit in #296
• Update OPAL Server from worker also after initial clone by @orishavit in #297
• Fix OPAL server trying to use the broadcaster when it's not configured by @shaulk in #295

Documentation

• Publishing OPAL as online docusaurus documentation by @filipermit in #291
• Dependancy fix and removal of unecessary pages by @filipermit in #292
• Fixed transitive dependancies for docusaurus packages by @filipermit in #293
• Updated the navigation title to a more meaningful version by @filipermit in #302
• Permit.io link in the footer of docs. by @filipermit in #303

New Contributors

• @filipermit made their first contribution in #291
• @shaulk made their first contribution in #295

Full Changelog: 0.2.1...0.3.0