Bump github.com/open-policy-agent/opa from 0.16.2 to 0.23.2

[dependabot-preview]

Bumps github.com/open-policy-agent/opa from 0.16.2 to 0.23.2.

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v0.23.2

This release contains a fix for a regression in v0.23.1 around bundle downloading. The bug caused OPA to cancel bundle downloads prematurely. Users affected by this issue would see the following error message in the OPA logs:

[ERROR] Bundle download failed: bundle read failed: archive read failed: context canceled
  plugin = "bundle"
  name = <bundle name>

v0.23.1

Fixes

• plugins/discovery: Set the last request and last successful request in discovery status (#2630)

Miscellaneous

• plugins/rest: Add response header timeout for REST client

v0.23.0

http.send Caching

The http.send built-in function now supports caching across policy queries. The caching.inter_query_builtin_cache.max_size_bytes configuration setting places a limit on the amount of memory that will be used for built-in function caching. By default, not limit is set. For http.send, cache duration is controlled by HTTP response headers. For more details see the http.send documentation.

Capabilities

OPA now supports a capabilities check on policies. The check allows callers to restrict the built-in functions that policies may depend on. If the policies passed to OPA require built-ins not listed in the capabilities structure, an error is returned. The capabilities check is currently supported by the check and build sub-commands and can be accessed programmatically on the ast.Compiler structure. The repository also includes a set of capabilities files for previous versions of OPA under the capabilities/ directory.

For example, given the following policy:

package example
deny["missing semantic version"] {
not valid_semantic_version_tag
}
valid_semantic_version_tag {
semver.is_valid(input.version)
}

We can check whether it is compatible with different versions of OPA:

# OK!
$ opa build ./policies/example.rego --capabilities ./capabilities/v0.22.0.json
ERROR!
$ opa build ./policies/example.rego --capabilities ./capabilities/v0.21.1.json

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

0.23.2

This release contains a fix for a regression in v0.23.1 around bundle downloading. The bug caused OPA to cancel bundle downloads prematurely. Users affected by this issue would see the following error message in the OPA logs:

[ERROR] Bundle download failed: bundle read failed: archive read failed: context canceled
  plugin = "bundle"
  name = <bundle name>

0.23.1

Fixes

• plugins/discovery: Set the last request and last successful request in discovery status (#2630)

Miscellaneous

• plugins/rest: Add response header timeout for REST client

0.23.0

http.send Caching

The http.send built-in function now supports caching across policy queries. The caching.inter_query_builtin_cache.max_size_bytes configuration setting places a limit on the amount of memory that will be used for built-in function caching. By default, not limit is set. For http.send, cache duration is controlled by HTTP response headers. For more details see the http.send documentation.

Capabilities

OPA now supports a capabilities check on policies. The check allows callers to restrict the built-in functions that policies may depend on. If the policies passed to OPA require built-ins not listed in the capabilities structure, an error is returned. The capabilities check is currently supported by the check and build sub-commands and can be accessed programmatically on the ast.Compiler structure. The repository also includes a set of capabilities files for previous versions of OPA under the capabilities/ directory.

For example, given the following policy:

package example
deny["missing semantic version"] {
not valid_semantic_version_tag
}
valid_semantic_version_tag {
semver.is_valid(input.version)
}

We can check whether it is compatible with different versions of OPA:

# OK!
$ opa build ./policies/example.rego --capabilities ./capabilities/v0.22.0.json
</tr></table> ... (truncated)

Commits

• 661ec2f Prepare v0.23.2 release
• b538248 fix: bundle download failed - context canceled
• 425504a Prepare v0.23.1 release
• 49914dd plugins/discovery: Set the last request and last successful request in discov...
• a790b65 plugins/rest: Add response header timeout for REST client
• 1d15c5e Prepare v0.23.0 release
• fda63bd compile: Add support for unknowns other than input
• 0d54ba2 docs: Update external data page description of sync-pull option
• 6507fa4 topdown: Pass metrics to built-ins and record http.send latency
• e8806c1 docs: Remove openable tag from test examples
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[dependabot-preview]

Superseded by #21.