
Update dependency open-policy-agent/opa to v0.70.0 #332

Merged
merged 1 commit into from
Nov 4, 2024

Conversation

renovate[bot]

@renovate renovate bot commented Oct 7, 2024

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| open-policy-agent/opa | minor | v0.68.0 -> v0.70.0 |

Release Notes

open-policy-agent/opa (open-policy-agent/opa)

v0.70.0


This release contains a mix of features, performance improvements, and bugfixes.

Optimized read mode for OPA's in-memory store (#7125)

A new optimized read mode has been added to the default in-memory store, where data written to the store is eagerly converted
to AST values (the data format used during evaluation). This removes the time spent converting raw data values to AST
during policy evaluation, thereby improving performance.

The memory footprint of the store will increase, as processed AST values generally take up more space in memory than the
corresponding raw data values, but overall memory usage of OPA might remain more stable over time, as pre-converted data
is shared across evaluations and isn't recomputed for each evaluation, which can cause spikes in memory usage.

This mode can be enabled for opa run, opa eval, and opa bench by setting the --optimize-store-for-read-speed flag.

More information about this feature can be found here.

Co-authored by @johanfylling and @ashutosh-narkar.

Topdown and Rego
  • topdown: Use new Inter-Query Value Cache for json.match_schema built-in function (#7011) authored by @anderseknert reported by @lcarva
  • ast: Fix location text attribute for multi-value rules with generated body (#7128) authored by @anderseknert
  • ast: Fix regression in opa check where a file that referenced non-provided schemas failed validation (#7124) authored by @tjons
  • test/cases/testdata: Fix bug in test by replacing unification by explicit equality check (#7093) authored by @matajoh
  • ast: Replace use of yaml.v2 library with yaml.v3. The earlier version would parse yes/no values as boolean. The usage of yaml.v2 in the parser was unintentional and now has been updated to yaml.v3 (#7090) authored by @anderseknert
Runtime, Tooling, SDK
  • cmd: Make opa check respect --ignore when --bundle flag is set (#7136) authored by @anderseknert
  • server/writer: Properly handle result encoding errors which earlier on failure would emit logs such as superfluous call to WriteHeader() while still returning 200 HTTP status code. Now, errors encoding the payload properly lead to 500 HTTP status code, without extra logs. Also use Header().Set() not Header().Add() to avoid duplicate content-type headers (#7114) authored by @srenatus
  • cmd: Support file:// format for TLS key material file flags in opa run (#7094) authored by @alexrohozneanu
  • plugins/rest/azure: Support managed identity for App Service / Container Apps (#7085) reported and authored by @apc-kamezaki
  • debug: Fix step-over behaviour when exiting partial rules (#7096) authored by @johanfylling
  • util+plugins: Fix potential memory leaks with explicit timer cancellation (#7089) authored by @philipaconrad
Docs, Website, Ecosystem
Miscellaneous
  • Dependency updates; notably:
    • build(deps): bump github.com/containerd/containerd from 1.7.22 to 1.7.23
    • build(deps): bump github.com/prometheus/client_golang from 1.20.4 to 1.20.5
    • build(deps): bump golang.org/x/net from 0.29.0 to 0.30.0
    • build(deps): bump golang.org/x/time from 0.6.0 to 0.7.0
    • build(deps): bump google.golang.org/grpc from 1.67.0 to 1.67.1

v0.69.0


This release contains a mix of features, bugfixes and necessary tooling and test changes required to support the upcoming OPA 1.0 release.

Inter-Query Value Cache (#6908)

OPA now has a new inter-query value cache added to the SDK. It is intended to be used for values that are expensive to
compute and can be reused across multiple queries. The cache can be leveraged by built-in functions to store values
that otherwise aren't appropriate for the existing inter-query cache; for instance when the entry size isn't an
appropriate or primary limiting factor for cache eviction.

The default size of the inter-query value cache is unbounded, but can be configured via the
caching.inter_query_builtin_value_cache.max_num_entries configuration field. OPA will drop random items from the cache
if this limit is exceeded.

The cache is used by the regex and glob built-in functions, which previously had individual, non-configurable
caches with a max entry size of 100 each.

Currently, the cache is only exercised when running OPA in server mode (i.e. opa run -s). This feature is also unsupported
for WASM.

Authored by @ashutosh-narkar, reported by @amirsalarsafaei

Topdown and Rego
Runtime, Tooling, SDK
  • Future-proofing tests in the sdk, download, server, cmd etc. packages to be 1.0 compatible (authored by @johanfylling)
  • cmd: Add --v0-compatible flag to make OPA behave as v0.x post v1.0 release (#7065) authored by @johanfylling
  • util: Strip UTF-8 BOM from input JSON when found (#6988) authored by @anderseknert reported by @adhilto
  • plugins/rest: Support reading AWS token from the filesystem for the AWS container credential provider (#6997) authored by @cmaddalozzo
  • debug: Add RegoOption launch option to debugger for setting custom Rego options (#7045) authored by @johanfylling
  • debug: Always include Input and Data variable scopes to ease discoverability of the scopes (#7074) authored by @johanfylling
  • wasm: Fix arithmetic comparison for large numbers, caused by an integer overflow (#6991) authored by @Ptroger
Docs, Website, Ecosystem
Miscellaneous
  • build: Bump github.com/golang/glob, remove replace directive (#7024) authored by @srenatus reported by @mmannerm
  • Dependency updates; notably:
    • build(deps): bump github.com/containerd/containerd from 1.7.21 to 1.7.22
    • build(deps): bump github.com/prometheus/client_golang from 1.20.2 to 1.20.4
    • build(deps): bump go.uber.org/automaxprocs from 1.5.3 to 1.6.0
    • build(deps): bump golang.org/x/net from 0.28.0 to 0.29.0
    • build(deps): bump google.golang.org/grpc from 1.66.0 to 1.67.0
    • build(go): bump 1.22.5 to 1.23.1 (#7006) authored by @srenatus

Configuration

📅 Schedule: Branch creation - "before 4am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate.

@renovate renovate bot requested a review from a team as a code owner October 7, 2024 00:35
@renovate renovate bot force-pushed the renovate/open-policy-agent-opa-0.x branch from 8b1984c to c901a68 on October 11, 2024 14:19
@garethahealy

@anderseknert ; opa check is failing for v0.69. Any idea what's wrong with the below? Or have I hit a bug?

error occurred: policy/ocp/bestpractices/common-k8s-labels-notset/src.rego:48: rego_type_error: undefined ref: data.lib.konstraint.core.resource.metadata
	data.lib.konstraint.core.resource.metadata
	                         ^
	                         have: "resource"
	                         want (one of): ["annotations" "api_version" "format" "format_with_id" "group" "gv" "has_field" "is_gatekeeper" "kind" "labels" "missing_field" "name" "resource" "version"]

Obviously, 0.68 doesn't fail.

@anderseknert

@garethahealy huh, yeah that looks like a regression in OPA to me.

have: "resource"
...
want (one of): [... "resource" ...]

Mysterious. As far as I'm aware, the JSON schema type checking stuff hasn't been touched in... a long time. But obviously, something on that evaluation path did change if it works in v0.68.0 but not v0.69.0.

I'm probably just tired, but where does the schema come from? It's not passed to the check command AFAICS, but the error clearly shows a schema violation.

@garethahealy

@anderseknert ; the schema comment gave me the hint I needed to fix it.

@anderseknert

Yeah, removing that annotation should fix the issue, as the schema was never there to begin with.

It's still a regression in OPA, so thanks for reporting that! But I'm glad to know it's not one blocking you now.
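The pattern behind the check failure discussed above, as an added example (it is not code from this PR, from OPA or from the konstraint library; the package, helper-package, rule and schema names are hypothetical). It shows a schema annotation that refers to a schema never supplied to `opa check --schema`, which OPA v0.69.0 rejected and which v0.68.0 and v0.70.0 (#7124) accept; dropping the annotation makes the file check cleanly on all three, which is the fix applied in this thread.

```rego
# Added example, not the PR's policy. Names below are hypothetical.
#
# The `schemas:` entry tells the type checker to validate `input` against
# schema.kubernetes. When no schema is provided via `opa check --schema`,
# v0.68.0 and v0.70.0 ignore the annotation; v0.69.0 failed the check
# (regression fixed by #7124). Removing the three `schemas:` lines avoids
# the failure on every version, and nothing is lost because the schema
# was never supplied in the first place.

# METADATA
# title: Common Kubernetes labels must be set
# schemas:
#   - input: schema.kubernetes   # hypothetical schema id, not passed via --schema
package ocp.bestpractices.common_k8s_labels_notset

# Hypothetical helper package exposing the object under review as `resource`.
import data.lib.konstraint.core as core

# Labels every workload is expected to carry (constructed sample set).
required_labels := {"app.kubernetes.io/name", "app.kubernetes.io/instance"}

# Report the set of required labels the resource does not define.
violation[msg] {
    present := {l | core.resource.metadata.labels[l]}
    missing := required_labels - present
    count(missing) > 0
    msg := sprintf("%s is missing required labels %v", [core.resource.metadata.name, missing])
}
```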

@renovate renovate bot changed the title Update dependency open-policy-agent/opa to v0.69.0 Update dependency open-policy-agent/opa to v0.70.0 Nov 4, 2024
@renovate renovate bot force-pushed the renovate/open-policy-agent-opa-0.x branch from e8a0138 to 892d609 on November 4, 2024 14:45
@garethahealy garethahealy merged commit 7d48950 into main Nov 4, 2024
14 checks passed
@renovate renovate bot deleted the renovate/open-policy-agent-opa-0.x branch November 4, 2024 14:50