Releases: permitio/opal
v0.1.17
Two major new features in this release:
1) More data in healthcheck policy to help keep track of OPA state
#163: Updated the healthcheck policy to add more data about the current synchronization state of OPAL. The new data format is described in the original issue (#154).
2) Add broadcaster keepalive task
#177: Add broadcaster keepalive task to prevent broadcast backbone from closing the session
We have seen a behavior in our demo environment where Postgres closes the db session used for broadcaster notifications after no messages were broadcast for several days.
We are adding a safeguard here (a keepalive task) so that if in a live environment there is no traffic for a long period of time, the session will be kept alive: the keepalive messages trigger a NOTIFY event, which in turn also keeps the LISTEN sessions alive because traffic keeps going through.
3) Added OPAL server statistics tracking about connected clients and topics
OPAL server can now keep track of connected clients and display a statistics API.
The feature was suggested in #155 and was added in #169.
Check out this docker compose config on how to turn on the statistics feature. The new statistics endpoint is https://opalserver.com/statistics.
Thanks @obsd for these excellent new features and thanks @hongbo-miao for opening the issues and helping us spec these features!
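As an added illustration of the keepalive described under item 2 (example code, not OPAL's own), here is an idle-triggered keepalive task in Python: the `notify` callable that issues NOTIFY on the broadcast channel is an assumption, and the simulation uses a constructed in-memory stand-in instead of a real Postgres session.

```python
import asyncio
import contextlib
import time
from typing import Awaitable, Callable, List, Optional, Tuple

# Added example, not OPAL's own code: a keepalive task for a Postgres LISTEN/NOTIFY
# broadcast backbone. `notify` stands in for whatever issues NOTIFY on the broadcast
# channel (assumed signature: channel, payload).
NotifyFn = Callable[[str, str], Awaitable[None]]


class BroadcasterKeepalive:
    def __init__(self, notify: NotifyFn, channel: str, interval: float) -> None:
        self._notify, self._channel, self._interval = notify, channel, interval
        self._last_traffic = time.monotonic()

    def note_traffic(self) -> None:
        # Real broadcasts reset the idle clock, so keepalives only fill silent periods.
        self._last_traffic = time.monotonic()

    async def run(self) -> None:
        while True:
            idle = time.monotonic() - self._last_traffic
            if idle >= self._interval:
                await self._notify(self._channel, "keepalive")  # NOTIFY keeps LISTEN sessions alive
                self.note_traffic()
                idle = 0.0
            await asyncio.sleep(self._interval - idle)


async def _simulate(total: float, interval: float, traffic_every: Optional[float]) -> int:
    sent: List[Tuple[str, str]] = []  # constructed in-memory stand-in for NOTIFY

    async def fake_notify(channel: str, payload: str) -> None:
        sent.append((channel, payload))

    keepalive = BroadcasterKeepalive(fake_notify, "opal_broadcast", interval)
    task = asyncio.create_task(keepalive.run())
    deadline = time.monotonic() + total
    while time.monotonic() < deadline:
        await asyncio.sleep(traffic_every or total)
        if traffic_every:
            keepalive.note_traffic()  # simulate a real broadcast going through
    task.cancel()
    with contextlib.suppress(asyncio.CancelledError):
        await task
    return len(sent)


def count_keepalives(total: float, interval: float, traffic_every: Optional[float] = None) -> int:
    """Run the keepalive for `total` seconds; return how many keepalive NOTIFYs were emitted."""
    return asyncio.run(_simulate(total, interval, traffic_every))
```

With no traffic the task emits roughly one keepalive per interval; with steady real traffic it stays silent.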
v0.1.16
This release brings a major new feature: pluggable policy sources (which addresses the feature request in #131)
- Along with the ability to source policy (rego files) from git, OPAL 0.1.16 adds the option to serve policy files into OPAL from an external API that serves tar bundles.
- the format of such files is the same as OPA bundles
- We added a document explaining how Sourcing policy from API works
- We added an example docker compose configuration with policy sourced from API instead of git.
- Major props to @obsd - our newest addition to the OPAL team - for the launch of his first feature :)
This release also adds a few minor fixes and improvements:
- #161 is fixed: we added the healthcheck policy to the manifest, so OPA healthcheck policy should work in kubernetes just fine :)
- We increased the log verbosity to make it more clear how messages are routed within OPAL.
v0.1.15
This version includes minor changes to log messages:
- Updated to latest RPC and Pub/Sub library versions (added more logs)
- Added env var OPAL_LOG_FORMAT_INCLUDE_PID - if enabled, adds the process id to the logger format (helps debugging in a multi-worker setup)
- Locked some dependency library versions, i.e. websockets and pyjwt, due to breaking changes in their latest versions
- fixed issue with duplicate log messages in uvicorn loggers
v0.1.14
- We made a few significant changes to the update callbacks mechanism:
  - Dynamic registry of callbacks: OPAL client can now register new callbacks dynamically during runtime via its REST API (if opal client is running on http://localhost:7000, the API docs can be found on http://localhost:7000/redoc).
  - Callbacks are called for policy updates: OPAL client will now call any registered callbacks after successful policy updates, so now every change made to OPA state will invoke a callback. This allows an OPAL user to monitor OPA state changes (get "push notifications" via the callbacks mechanism; each "callback" is actually implemented as a webhook).
- We made a few small changes to OPAL's authentication mechanism:
  - We now require datasource JWTs in order to publish updates: as was previously explained in the docs, you need a datasource JWT token in order to authenticate successfully when publishing a data update. Until now, we did not enforce the peer type requirement on the token. This change essentially fixes #44.
  - New type of OPAL JWT (listener): a listener JWT is meant for a network peer that "listens" to OPA state changes, or in other words, a peer that exposes a callback to be called by OPAL client after OPA state changes.
- We added new config vars to expose the timeouts enforced on fetch providers (fixes #142):
  - OPAL_FETCHING_CALLBACK_TIMEOUT (default: 10) - time in seconds to wait on the queued fetch task (i.e. for a fetch provider to fetch data)
  - OPAL_FETCHING_ENQUEUE_TIMEOUT (default: 10) - time in seconds to wait for queuing a new task (if the queue is full)
- We changed the default value of OPAL_POLICY_STORE_URL: the policy store URL should only include the host and port part of the URL, not the path. I.e. if OPA is on localhost port 8181, instead of http://localhost:8181/v1 the config var should now be http://localhost:8181.
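The peer-type enforcement described in the authentication changes above (datasource JWTs required to publish updates, listener JWTs for callback peers), as an added example that is not OPAL's own implementation: the `peer_type` claim name, HS256 shared-secret signing and the demo secret are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example, not OPAL's own implementation. Assumptions: the peer type lives in a
# "peer_type" claim and tokens are HS256-signed with a shared secret (OPAL itself uses
# asymmetric keys); SECRET is a constructed demo value.
SECRET = b"constructed-demo-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(peer_type: str, ttl: int = 3600, secret: bytes = SECRET) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"peer_type": peer_type, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_peer(token: str, required: str, secret: bytes = SECRET) -> dict:
    """Return the claims only if signature, algorithm, expiry and peer type all check out."""
    try:
        header, payload, sig = token.split(".")
        alg = json.loads(_b64url_decode(header)).get("alg")
        claims = json.loads(_b64url_decode(payload))
        signature = _b64url_decode(sig)
    except (ValueError, AttributeError):  # bad split, base64, JSON or non-object header
        raise PermissionError("malformed token")
    if alg != "HS256":  # pin the algorithm; never let the header choose it
        raise PermissionError("unexpected alg")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise PermissionError("bad signature")
    if claims.get("exp", 0) <= time.time():
        raise PermissionError("token expired")
    if claims.get("peer_type") != required:  # the peer-type check this release enforces
        raise PermissionError(f"peer type {claims.get('peer_type')!r} is not {required!r}")
    return claims


def can_publish_update(token: str) -> bool:
    """Gate for the data-update publish endpoint: only datasource peers may publish."""
    try:
        return verify_peer(token, "datasource")["peer_type"] == "datasource"
    except PermissionError:
        return False
```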
v0.1.13
v0.1.12
- (#125) added option to disable data updater
- (#126) added docs about update callbacks and opa healthcheck policy + added example docker compose configuration that uses callbacks
- (#127) Load policy bundle according to the order of modules specified in the bundle manifest, see docs
- (#128) extensive changes to repo cloner:
- It tries indefinitely to clone the repo (i.e. resilient to temporary network errors) - fixes #111 (opal-server stops pulling if it fails to connect)
- Indefinite wait for a successful clone can be cancelled with the new env var OPAL_POLICY_REPO_CLONE_TIMEOUT
- previous local clones are discarded - this should not affect running docker (unless using a volume) but it does affect running opal as a library.
- fixed cloning remote branches that are not master - they are now cloned correctly
- repo cloner now runs in an asyncio executor thread - until the initial successful clone, the /policy (bundle) API correctly returns 503.
- Other small fixes and improvements
v0.1.11
v0.1.10
- OPAL client now supports self-signed SSL/TLS certificates - meant for dev environments (#104)
- Fixed fetch provider registration: you may now select a custom fetcher by adding a fetcher override to FetcherConfig (#110)
- OPA client now supports OPA authentication with a bearer token (#105)
- Fixed data updater bug where opal client did not alert the user when it got error responses from the authoritative data source (#109)
- Added a fully functional example OPAL fetch-provider for Postgres
- Other various small bugs and fixes
v0.1.9
Small bug fixes and improvements (no breaking changes from previous version):
- bugfix: inline OPA was being rehydrated on shutdown after responding by itself to keyboard interrupts
- Bump fastapi from 0.62.0 to 0.65.2 - addresses a fastapi security issue - https://github.com/tiangolo/fastapi/releases/tag/0.65.2 (it's important to note that OPAL does not use cookies for authentication - therefore this security issue is not applicable to previous OPAL versions - however it is good requirements hygiene to upgrade nonetheless).
- include rpc and pub/sub logs by default - a bit more noisy but easier to detect connection issues - fixes #82.
- added mention of logging configuration and troubleshooting section to containers doc - fixes #83.
- fix requirements inconsistencies with idna and starlette.
v0.1.8
Small fixes:
- fixed broken requirements (i.e: click 8.0.1 with old typer, etc)
- fixed broken docker image - OPA changed the binary file name on their latest release
- fixed several log messages that were not JSONable, which broke some logging configurations
- fixed a small issue where killing the opal client with ctrl+c would also kill OPA agent and create a race (when running with inline OPA)