v0.6.0
What's Changed
New Features in Policy Store Control (Client)
- Automatic resolution of ordering issues: any failed policy store loading operation (file loading / deletion) is re-attempted after the other operations complete (instead of bailing out), so the correct loading order is eventually reached by trial and error. by @roekatz in #425
  - Eliminates the need to explicitly define .manifest files in most cases (although an explicit manifest may still be beneficial for performance).
  - Resolves the known issue of handling moved/renamed modules.
- OAuth2 support for policy store authentication by @scarlier in #407
- Add option to ignore specific policy files by @orweis in #414
  - Can be used to prevent opal-client from overriding policy files managed outside OPAL.
- Optional offline mode, where the policy store's data is restored from a local backup file on client startup (so the client can handle queries even when a server connection can't be established) by @roekatz in #441
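The retry-until-fixpoint loading described above, as an added illustration that is not OPAL's own code: a toy policy store (an assumption for this example, not OPA's API) rejects a load whose imports are not yet present and a delete of a module that is still imported, and the loader re-queues every failure behind the rest of the batch until a full pass makes no progress.

```python
class PolicyStore:
    """Toy store (an assumption for this example, not OPAL's or OPA's API): a module
    loads only if all its imports are present; deletes only once nothing imports it."""

    def __init__(self):
        self.modules = {}  # module name -> set of imported module names

    def load(self, name, imports):
        missing = set(imports) - set(self.modules)
        if missing:
            raise RuntimeError(f"{name}: missing imports {sorted(missing)}")
        self.modules[name] = set(imports)

    def delete(self, name):
        users = sorted(m for m, imps in self.modules.items() if name in imps)
        if users:
            raise RuntimeError(f"{name}: still imported by {users}")
        self.modules.pop(name, None)


def apply_with_retries(store, ops):
    """Apply ('load', name, imports) / ('delete', name, None) in the given order,
    re-queue each failure behind the rest of the batch and repeat until all succeed.
    A full pass with no progress is a real error, not an ordering problem, so it
    is raised instead of looping forever. Returns the number of passes needed."""
    pending, passes = list(ops), 0
    while pending:
        passes += 1
        failed = []
        for op, name, imports in pending:
            try:
                store.load(name, imports) if op == "load" else store.delete(name)
            except RuntimeError:
                failed.append((op, name, imports))  # retry after the others
        if len(failed) == len(pending):
            raise RuntimeError("unresolvable: " + ", ".join(n for _, n, _ in failed))
        pending = failed
    return passes


def rename_scenario():
    """Constructed batch: 'helpers' was renamed to 'lib' and 'roles' now imports 'lib'.
    In filesystem order the delete comes first and fails (roles still imports
    helpers) until the reload of roles lands later in the same pass."""
    store = PolicyStore()
    store.modules = {"helpers": set(), "roles": {"helpers"}}  # state before the change
    ops = [("delete", "helpers", None), ("load", "lib", []), ("load", "roles", ["lib"])]
    passes = apply_with_retries(store, ops)
    return passes, sorted(store.modules), sorted(store.modules["roles"])
```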
Server Multi Process Stability
Bug fixes in using opal-server with multiple workers (`UVICORN_NUM_WORKERS`) and/or multiple instances (e.g. pod replicas).
- Fix leader worker sometimes not getting the git webhook event (bug in broadcaster subscription) by @roekatz in #398
- Turn on `BROADCAST_CONN_LOSS_BUGFIX_EXPERIMENT_ENABLED` by default (fixes silent connection losses to the Postgres broadcaster) by @roekatz in #443
- Bump fastapi_websocket_pubsub ver to 0.3.3 by @roekatz in #423
Health Checks
- Make the client's health check always available (without requiring the health status to be persisted in OPA by setting `OPAL_OPA_HEALTH_CHECK_POLICY_ENABLED`) by @roekatz in #420
- Expose new `/ready` endpoint - returns `200 OK` if OPA was loaded from either the server or the backup (in the newly available offline mode) at least once. by @roekatz in #441
Scopes Stability
Introduce quite a few refactors & changes in scopes that we've been working on and testing internally lately. by @roekatz in #436.
- Bug fixes related to using multiple Uvicorn workers and/or multiple instances (e.g. pod replicas).
- Getting rid of the Celery worker (a.k.a. opal-server-worker) for periodically syncing scopes (instead, using the leader process the same way it's used when scopes are disabled).
- Bug fixes in detecting and notifying changes when multiple scopes use the same git repository (but possibly different branches).
- Fix races in detecting and notifying changes during server setup time (cloning all scopes' repos).
- Better logging when using scopes
Other Improvements & Fixes
- Optionally allow to skip url matching in git webhook receiver by @asafc in #400
- Rename `OPAL_SERVER_PORT` -> `OPAL_SERVER_BIND_PORT` to avoid a configuration parsing error when k8s sets this envar to "tcp://..." because a service named "opal-server" exists (for backward compatibility the old envar is still used if it holds a valid port integer value). by @roekatz in #442
Docs & Examples
- Update config.py by @money8203 in #358
- Introduced "OPAL Configuration Variables" doc by @filipermit in #397
- Updates to fetch providers, config variables, opal+ and new release page by @filipermit in #401
- Fix for Doc Broken links by @renatosc in #412
- Change Slack Link by @danielbass37 in #416
- Fix typos discovered by codespell by @cclauss in #419
- fix broken tutorial links by @omriza in #429
- Introduce `run-example-with-scopes.sh` to demonstrate using scopes by @roekatz in #444
New Contributors
- @scarlier made their first contribution in #407
- @renatosc made their first contribution in #412
- @cclauss made their first contribution in #419
- @omriza made their first contribution in #429
Full Changelog: 0.5.0...0.6.0