
chore(deps): update dependency open-policy-agent/opa to v0.58.0 (opa/dockerfile) (master) #710

Merged


@ivankatliarchuk ivankatliarchuk commented May 30, 2023

This PR contains the following updates:

Package                 Update   Change
open-policy-agent/opa   minor    0.52.0 -> 0.58.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

open-policy-agent/opa

v0.58.0

Compare Source

NOTES:

  • All published OPA images now run with a non-root uid/gid. The uid:gid is set to 1000:1000 for all images. As a result
    there is no longer a need for the -rootless image variant and hence it will not be published as part of future releases.
    This change is in line with container security best practices. OPA can still be run with root privileges by explicitly setting the user,
    either with the --user argument for docker run, or by specifying the securityContext in the Kubernetes Pod specification.

This release contains a mix of performance improvements, bugfixes and security fixes for third-party libraries.

Runtime, Tooling, SDK
  • cmd/test: Display lines not covered if code coverage threshold not met in verbose reporting mode (#2562) authored by @johanfylling
  • cmd/test: Don't round up test coverage calculation as it could lead to inaccurate code coverage results (#6307) authored by @anderseknert
  • cmd/fmt: Don't format functions without a value to include = true as it is implied (#6323) authored by @anderseknert
  • server: Remove deprecated partial query parameter from REST API. This option has been deprecated since v0.23.0 (#2266) authored by @ashutosh-narkar
  • Add support for configurable prometheus buckets for the http_request_duration_seconds metric (#6238) authored by @AdrianArnautu
  • plugins/bundle: Update bundle plugin state on a reconfigure operation when existing bundle is not modified (#6311) authored by @asadk12
  • internal/pathwatcher: Fix how paths to watch by a fsnotify watcher are determined to avoid monitoring unintended directories and files (#6277) authored by @ashutosh-narkar
Topdown and Rego
  • topdown: Fix issue with build optimization producing support modules with forbidden characters in first var of rule ref (#6338) authored by @johanfylling
  • topdown: Fix panic in build optimization when policy contains rules with a general ref in the head (#6339) authored by @johanfylling
  • topdown: Avoid unnecessary conversion of small numbers by caching them and thereby helping to speed up some arithmetic operations (#6021) authored by @ashutosh-narkar
  • ast+rego: Disable compiler stages for IR-based eval paths (#6335) authored by @srenatus
  • built-in/walk: Skip path creation if path is assigned a wildcard to achieve faster walk-ing (#6267) authored by @anderseknert
  • ast: Add regression test for edge case where partial rule hides recursion cycle (#6318) authored by @johanfylling
Docs
  • Drop EXPERIMENTAL status of reported prom metrics (#6298) authored by @ashutosh-narkar
  • Update documentation on GCS bundles for case where the resource (the object in the GCS bucket) contains slashes (/) or other special characters (#6264) authored by @dennisg
  • Provide a more clear description of negation in the policy language section (#6275) authored by @gusega
Website + Ecosystem
  • Fix un-versioned built-in docs issue so that only the built-ins for a given doc version are displayed (#6269) authored by @charlieegan3
Miscellaneous
  • ci: Remove hub tool in GitHub workflows in favor of GitHub CLI tool (#6326) authored by @ashutosh-narkar
  • Dependency updates; notably:
    • bump go.opentelemetry.io modules (#6292) authored by @cksidharthan
    • aquasecurity/trivy-action from 0.12.0 to 0.13.0
    • github.com/containerd/containerd from 1.7.6 to 1.7.7
    • github.com/fsnotify/fsnotify from 1.6.0 to 1.7.0
    • golang.org/x/net from 0.15.0 to 0.17.0
    • google.golang.org/grpc from 1.58.2 to 1.59.0 (addresses vulnerability GHSA-m425-mq94-257g)
    • oras.land/oras-go/v2 from 2.3.0 to 2.3.1
    • sigs.k8s.io/yaml from 1.3.0 to 1.4.0

v0.57.1

Compare Source

This is a bug fix release addressing the following security issues:

Golang security fix GO-2023-2102

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption.

OpenTelemetry-Go Contrib security fix CVE-2023-45142

Denial of service in otelhttp due to unbound cardinality metrics.

v0.57.0

Compare Source

This release contains an updated Rego syntax to allow general references in rule heads, and a mix of new features and bugfixes.

Support for General References in Rule Heads

In OPA 0.56.0, we introduced support for general references in rule heads as an experimental feature.
It has now graduated to a fully supported feature, and is no longer experimental.

A general reference is a reference with variables at arbitrary locations.
In Rego, partial rules are used for generating sets and objects.
In previous versions of OPA, variables were only allowed in the very last position in the rule's reference.
Now, Rego has been expanded to allow rules to be declared with general references in their head, with variables at arbitrary locations.
This allows for generating nested dynamic object structures:

package example

import future.keywords

v0.56.0

Compare Source

This release contains a mix of new features, bugfixes and a new builtin function.

Support for General References in Rule Heads (Experimental)

A new experimental feature in OPA is support for general refs in rule heads, where a general ref is a reference with variables at arbitrary locations.

package example

import future.keywords
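The general-reference snippet in both the v0.57.0 and v0.56.0 notes above is cut off on this page, so here is an added worked example of the feature (my own policy, not the OPA project's); the input shape and the rule name org are assumptions.

```rego
package example

import future.keywords

# Constructed sample input (an assumption, not from the release notes):
# {"users": {"alice": {"role": "admin", "team": "sec"},
#            "bob":   {"role": "dev",   "team": "sec"},
#            "carol": {"role": "dev",   "team": "web"}}}

# The head reference carries variables in two non-final positions
# (`team` and `role`) as well as the last one (`id`). Before 0.56 only
# the last position of the head ref could be a variable; now every
# (team, role, id) binding produced by the body becomes a leaf in a
# nested object, so the whole tree is generated dynamically.
org[team].roles[role].members[id] := true if {
    some id, user in input.users
    team := user.team
    role := user.role
}

# Rules with general refs can be queried at any depth of the generated
# tree, e.g. data.example.org.sec.roles, or data.example.org as a whole.
```

Evaluate it with the same command style used later on this page, e.g. opa eval -d example.rego -i input.json 'data.example.org' -f pretty.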

v0.55.0

Compare Source

NOTES:

  • All published OPA images now run with a non-root uid/gid. The uid:gid is set to 1000:1000 for all images. As a result
    there is no longer a need for the -rootless image variant and hence it will not be published as part of future releases.
    This change is in line with container security best practices. OPA can still be run with root privileges by explicitly setting the user,
    either with the --user argument for docker run, or by specifying the securityContext in the Kubernetes Pod specification.

  • The minimum version of Go required to build the OPA module is 1.19

This release contains a mix of new features, bugfixes and a new builtin function.

Honor default keyword on functions

Previously if a function was defined with a default value, OPA would ignore it. Now the default function is honored
if all functions with the same name are undefined. For example,

package example

default clamp_positive(x) := 0

clamp_positive(x) = x {
    x > 0
}
$ opa eval -d example.rego 'data.example.clamp_positive(1)' -f pretty
1
$ opa eval -d example.rego 'data.example.clamp_positive(-1)' -f pretty
0

The value of a default function follows the same conditions as that of a default rule. In addition, a default
function satisfies the following properties:

  • same arity as other functions with the same name
  • arguments should only be plain variables, i.e. no composite values
  • argument names should not be repeated

NOTE:

Default functions were previously ignored. If existing policies contain default functions, ensure that they conform
to the properties mentioned above. Otherwise, those policies will fail to evaluate.

Authored by @ashutosh-narkar.

New Built-In Function: crypto.parse_private_keys

crypto.parse_private_keys returns zero or more private keys from the given encoded string containing DER certificate data.
If the input contains a list of one or more concatenated PEM blocks, then the built-in will output the parsed private keys
represented as objects.

See the documentation on the new built-in for all the details.

Authored by @volck.

Runtime, Tooling, SDK
  • plugins/rest: Add AWS KMS support for OAuth2 Client Credentials JWT authentication (#5942) authored by @prasanthu
  • sdk: Update input object to conform to the format expected by decision log masking (#6090) authored by @epaulson10
  • sdk: Add option for specifying decision ID to SDK. Users can use this to control the ID that gets included in the decision logs (#6101) authored by @brianchhun-chime
  • cmd: Add discard output format to opa eval which discards the result while still showing the output of eval flags like --profile (#6103) authored by @26tanishabanik
  • Make rootless deprecation messages more explicit as all published OPA images now run with non-root uid/gid (#6091) authored by @charlieegan3
  • download/oci: Add support for Docker Registry v2 authentication scheme (#6045) authored by @gitu and @DerGut
  • plugins/discovery: Ensure discovery plugin doesn't erase its own config on the plugin manager (#6070) authored by @blacksails
Topdown and Rego
  • ast: Add WithRoots compiler option that allows callers to set the roots to include in the output bundle manifest (#6088) authored by @kubaj
  • rego: Parse store modules iff modules set on the Rego object. This change assumes that while using the Rego package, the compiler and store are kept in-sync, and thereby attempts to avoid a race during the compilation process (#6081) authored by @ashutosh-narkar
Docs
Website + Ecosystem
Miscellaneous
  • chore: Update comments on some exported functions and clean up instances where the same package was imported multiple times (authored by @testwill)
  • Fix issue in the OPA release patch scripts related to CRLF line terminations in the patch output (#6069) authored by @johanfylling
  • Dependency bumps, notably:
    • golang from 1.20.5 to 1.20.6
    • oras.land/oras-go/v2 from 2.2.0 to 2.2.1
    • google.golang.org/grpc from 1.56.1 to 1.56.2
    • github.com/containerd/containerd from 1.6.19 to 1.7.2
    • golang.org/x/net from 0.11.0 to 0.12.0
    • go.uber.org/automaxprocs from 1.5.2 to 1.5.3
    • go.opentelemetry.io/otel from v1.14.0 to v1.16.0 (#6062) authored by @srenatus with feedback from @ghaskins and @zregvart

v0.54.0

Compare Source

This release focuses on bug fixes, but also includes some improvements to the SDK and commandline.

Note: This will be the last OPA release to support building with Golang 1.18. (Golang 1.21 is expected to be released in August. Keeping the support for 1.18 is blocking OPA from upgrading OpenTelemetry.)

Topdown and Rego
Runtime, Tooling, SDK
Miscellaneous

v0.53.1

Compare Source

This is a bug fix release addressing the following issues:

Runtime, Tooling, SDK
  • plugins/logs: Previously, while passing the decision log plugin's status to the Status API, the plugin held the mutex while a status upload was in process. This had the potential to block new decisions from being written to the plugin's buffer. To avoid this situation, a local copy of the plugin's status is created (#5966) authored by @ashutosh-narkar
  • download: Public docker repositories require an authorization handshake where the client needs to respond to challenges marked by the WWW-Authenticate header of a 401 Unauthorized response. Errors were returned when downloading a public image as it was assumed that authorization is not necessary for public repositories. This fix addresses the issue by handling any 401 Unauthorized response as a challenge and passing it to the docker.Authorizer (#5902) authored by @DerGut
  • opa fmt: Fix panic encountered while processing policies with comprehensions written on multiple lines with comments in these lines (#5798) authored by @Trolloldem
Topdown and Rego
  • built-in function object.subset: Fix an issue in object.subset related to incorrect results being generated when arrays are provided as an input (#5968) authored by @DCRUNNN
  • planner: Fix the optimization check for overlapping ref rules (#5964) authored by @srenatus

v0.53.0

Compare Source

This release contains some enhancements, bugfixes, and a new builtin function.

Runtime, Tooling, SDK
  • status: Ensure Status plugin is correctly reconfigured to register or unregister Prometheus Collectors based on the state provided in OPA's active config (#5918) authored by @johanfylling
  • opa eval: Update OPA eval's --profile-sort flag description to highlight the valid options to sort the profile results (#5924) authored by @ecbenezra
  • opa fmt: Fix cases in which invalid code was generated due to parentheses being improperly handled (#5537) authored by @Trolloldem
  • rest: Allow users to configure the AWS STS domain when using Web Identity Credentials (#5915) authored by @johanfylling
  • status: Add an OPA environment information Gauge to Prometheus metrics to capture information like OPA version (#5852) authored by @jmoghisi
  • server: Add ability to configure Unix socket permissions if OPA is listening on a Unix socket (#5888) authored by @ashutosh-narkar
  • loader: Allow extensions to the loader package that provide ability to register handlers for certain file extensions. This feature is currently EXPERIMENTAL (#5940) authored by @srenatus
Topdown and Rego
  • New built-in function crypto.x509.parse_keypair: Returns a key pair from a pair of PEM or base64 encoded strings of data. See the documentation on the new built-in for all the details. (#5853) authored by @volck.
  • ast: Abort query evaluation if the compiler has errors. These errors will be exposed via the Status API if enabled (#5947) authored by @johanfylling
  • io.jwt.decode_verify: Fix issue where token verification succeeded in case where iss constraint was required but JWT did not contain it (#5850) authored by @AleksanderBrzozowski
  • wasm: Fix memory leaks in WASM when incrementally adding or removing data (#5785) and (#5901) authored by @ctelfer-sophos
  • http.send: Add a new option to the http.send input object which allows policy authors to specify a retry count for executing a HTTP request. Retries are performed with an exponential backoff delay (#5891) authored by @ashutosh-narkar
  • ast: Fix issue with _ matching only scalars in rule indexing for arrays (#5916) authored by @jaspervdj
  • rego: Allow for extending the Rego evaluation targets with plugins (#5939) authored by @srenatus
Miscellaneous
  • Add PITS Global Data Recovery Services to ADOPTERS.md (authored by @pheianox)
  • Avoid unnecessary byte/string conversion by using alternative functions/methods (#5944) authored by @Juneezee
  • False positive finding of CVE-2022-3517 addressed by removing the dead code (#5941) authored by @testwill
  • Dependency bumps, notably:
    • golang from 1.20.3 to 1.20.4
    • golang.org/x/net from 0.9.0 to 0.10.0
    • google.golang.org/grpc from 1.54.0 to 1.55.0
    • oras.land/oras-go/v2 from 2.0.2 to 2.2.0
    • github.com/prometheus/client_golang from 1.15.0 to 1.15.1

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

This PR has been generated by Renovate Bot.

@ivankatliarchuk ivankatliarchuk added deps github-releases minor when you add functionality in a backwards compatible manner renovate labels May 30, 2023
@ivankatliarchuk ivankatliarchuk self-assigned this May 30, 2023
@ivankatliarchuk ivankatliarchuk force-pushed the renovate/master-opa-open-policy-agent-opa-0.x branch from ada9876 to 594efaf Compare June 10, 2023 04:22
@ivankatliarchuk ivankatliarchuk changed the title chore(deps): update dependency open-policy-agent/opa to v0.53.0 (opa/dockerfile) (master) chore(deps): update dependency open-policy-agent/opa to v0.53.1 (opa/dockerfile) (master) Jun 10, 2023
@ivankatliarchuk ivankatliarchuk force-pushed the renovate/master-opa-open-policy-agent-opa-0.x branch from 594efaf to cefb96d Compare July 3, 2023 04:25
@ivankatliarchuk ivankatliarchuk changed the title chore(deps): update dependency open-policy-agent/opa to v0.53.1 (opa/dockerfile) (master) chore(deps): update dependency open-policy-agent/opa to v0.54.0 (opa/dockerfile) (master) Jul 3, 2023
@ivankatliarchuk ivankatliarchuk force-pushed the renovate/master-opa-open-policy-agent-opa-0.x branch from cefb96d to 21f0e84 Compare July 31, 2023 04:22
@ivankatliarchuk ivankatliarchuk changed the title chore(deps): update dependency open-policy-agent/opa to v0.54.0 (opa/dockerfile) (master) chore(deps): update dependency open-policy-agent/opa to v0.55.0 (opa/dockerfile) (master) Jul 31, 2023
@ivankatliarchuk ivankatliarchuk force-pushed the renovate/master-opa-open-policy-agent-opa-0.x branch from 21f0e84 to dcced26 Compare August 17, 2023 04:22
@ivankatliarchuk ivankatliarchuk force-pushed the renovate/master-opa-open-policy-agent-opa-0.x branch from dcced26 to f8f2295 Compare September 4, 2023 04:23
@ivankatliarchuk ivankatliarchuk changed the title chore(deps): update dependency open-policy-agent/opa to v0.55.0 (opa/dockerfile) (master) chore(deps): update dependency open-policy-agent/opa to v0.56.0 (opa/dockerfile) (master) Sep 4, 2023
@ivankatliarchuk ivankatliarchuk force-pushed the renovate/master-opa-open-policy-agent-opa-0.x branch from f8f2295 to 9ba97f3 Compare October 2, 2023 04:24
@ivankatliarchuk ivankatliarchuk changed the title chore(deps): update dependency open-policy-agent/opa to v0.56.0 (opa/dockerfile) (master) chore(deps): update dependency open-policy-agent/opa to v0.57.0 (opa/dockerfile) (master) Oct 2, 2023
@ivankatliarchuk ivankatliarchuk force-pushed the renovate/master-opa-open-policy-agent-opa-0.x branch from 9ba97f3 to 7493652 Compare October 22, 2023 04:24
@ivankatliarchuk ivankatliarchuk changed the title chore(deps): update dependency open-policy-agent/opa to v0.57.0 (opa/dockerfile) (master) chore(deps): update dependency open-policy-agent/opa to v0.57.1 (opa/dockerfile) (master) Oct 22, 2023
@ivankatliarchuk ivankatliarchuk force-pushed the renovate/master-opa-open-policy-agent-opa-0.x branch from 7493652 to f340203 Compare October 30, 2023 04:24
@ivankatliarchuk ivankatliarchuk changed the title chore(deps): update dependency open-policy-agent/opa to v0.57.1 (opa/dockerfile) (master) chore(deps): update dependency open-policy-agent/opa to v0.58.0 (opa/dockerfile) (master) Oct 30, 2023
@ivankatliarchuk ivankatliarchuk force-pushed the renovate/master-opa-open-policy-agent-opa-0.x branch from f340203 to 5ff3097 Compare November 2, 2023 04:24
@ivankatliarchuk ivankatliarchuk merged commit a00c60e into master Nov 4, 2023
30 of 35 checks passed
@ivankatliarchuk ivankatliarchuk deleted the renovate/master-opa-open-policy-agent-opa-0.x branch November 4, 2023 13:29