Bump github.com/open-policy-agent/opa from 0.16.2 to 0.28.0

[dependabot-preview]

Bumps github.com/open-policy-agent/opa from 0.16.2 to 0.28.0.

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v0.28.0

This release includes a number of features, enhancements, and fixes. The default branch for the Git repository has also been updated to main.

Schema Annotations

This release adds support for annotations. Annotations allow users to declare metadata on rules and packages. Currently, OPA supports one form of metadata: schema declarations. For example:

package example
METADATA
schemas:
- input: schema.service
deny["service is missing required 'owner' label"] {
input.kind == "Service"
not input.metadata.labels.owner
}
METADATA
schemas:
- input: schema.deployment
deny["deployment replica count too low for 'production' namespace"] {
input.kind == "Deployment"
input.metadata.namespace == "production"
object.get(input.spec, "replicas", 1) < 3
}

Users can include schema annotations in their policies to tell OPA about the structure of external data loaded under input or data. By learning the schema of base documents, OPA can surface mistakes in the policy at authoring time (e.g., referring to a non-existent field in a JSON object or calling a built-in function with an invalid value.) For more information on the annotations and schema support see the Type Checking page in the documentation. In the future, annotations will be expanded to support other kinds of metadata and additional tooling will be added to leverage them.

Server

• The server now automatically sets GOMAXPROCS when running inside of a container that has cgroups applied. This helps the Go runtime avoid consuming too many CPU resources and being throttled by the kernel. (#3328)
• The server now logs an error if users enable the token authentication mode without a corresponding authorization policy. (#3380) authored by @kale-amruta
• The server now supports a GET /v1/config endpoint that returns OPA's active configuration. This API is useful if you need to debug the running configuration in an OPA configured via Discovery. (#2020)
• The server now respects the ?pretty option in the v0 API (#3332) authored by @clarshad
• The Bundle plugin is more forgiving when it comes to Etag processing on HTTP 304 responses (#3361)
• The Decision Log plugin now supports a "Decision Per Second" rate limit configuration setting.
• The Status plugin can now be configured to use a custom reporter similar to the Decision Log plugin (e.g., so that Status messages can be sent to AWS Kinesis, etc.)
• The Status plugin now reports the number of decision logs that are dropped due to buffer limits.
• The service clients can authenticate with the Azure Identity OAuth2 implementation the client credentials JWT flow is used (#3372)
• Library users can now customize the logger used by the plugins by providing the plugins.Logger option when creating the plugin manager.

Tooling

• The various OPA subcommands that accept schema files now accept a directory tree of schemas instead of only a single schema.
• The opa refactor move subcommand was added to support package renaming use cases (#3290)
• The opa check subcommand now supports a -s/--schema flag like the opa eval subcommand.

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

0.28.0

This release includes a number of features, enhancements, and fixes. The default branch for the Git repository has also been updated to main.

Schema Annotations

This release adds support for annotations. Annotations allow users to declare metadata on rules and packages. Currently, OPA supports one form of metadata: schema declarations. For example:

package example
METADATA
schemas:
- input: schema.service
deny["service is missing required 'owner' label"] {
input.kind == "Service"
not input.metadata.labels.owner
}
METADATA
schemas:
- input: schema.deployment
deny["deployment replica count too low for 'production' namespace"] {
input.kind == "Deployment"
input.metadata.namespace == "production"
object.get(input.spec, "replicas", 1) < 3
}

Users can include schema annotations in their policies to tell OPA about the structure of external data loaded under input or data. By learning the schema of base documents, OPA can surface mistakes in the policy at authoring time (e.g., referring to a non-existent field in a JSON object or calling a built-in function with an invalid value.) For more information on the annotations and schema support see the Type Checking page in the documentation. In the future, annotations will be expanded to support other kinds of metadata and additional tooling will be added to leverage them.

Server

• The server now automatically sets GOMAXPROCS when running inside of a container that has cgroups applied. This helps the Go runtime avoid consuming too many CPU resources and being throttled by the kernel. (#3328)
• The server now logs an error if users enable the token authentication mode without a corresponding authorization policy. (#3380) authored by @kale-amruta
• The server now supports a GET /v1/config endpoint that returns OPA's active configuration. This API is useful if you need to debug the running configuration in an OPA configured via Discovery. (#2020)
• The server now respects the ?pretty option in the v0 API (#3332) authored by @clarshad
• The Bundle plugin is more forgiving when it comes to Etag processing on HTTP 304 responses (#3361)
• The Decision Log plugin now supports a "Decision Per Second" rate limit configuration setting.

... (truncated)

Commits

• 3fbcd71 Prepare v0.28.0 release
• a6beeed docs: Add note about comment block parsing
• 6f502bf ast: Improve error reporting for attachment error
• 6d56317 ast: Improve YAML decoding error location
• 1001d8b ast: Make the node field private
• fa073bb ast: Add test case to assert that document scope is unordered
• 7288872 docs: Add preliminary docs on annotation scopes
• 43a6ea7 ast: Support inline schema definitions in annotations
• 0ae4102 ast: Support more annotation scopes
• 7d58f03 loader: Insert root schema with key 'schema'
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[dependabot-preview]

Superseded by #32.