Releases: StyraInc/enterprise-opa
v1.31.1
v1.31.0
This release includes the OPA v1.0 code changes.
Please see the OPA v1 Release Notes for more details.
Read more about the OPA 1.0 announcement here on our blog.
Everything you need to know about compatibility for v0 Rego code that hasn't been migrated yet can be found in these docs.
v1.30.1
This release includes various dependency bumps and updates the embedded Regal version to v0.29.2.
golang.org/x/crypto 0.31.0
This release also bumps the golang.org/x/crypto dependency to version 0.31.0.
In that version, CVE-2024-45337 is fixed.
Please note that the vulnerable code has not been used in Enterprise OPA (or OPA), but some automated security scanners don't account for that.
For further information, see GHSA-v778-237x-gjrc.
v1.30.0
With this release, the built-in sql.send() can be used to talk to Oracle Databases.
This release further includes various dependency bumps and updates the embedded Regal version to v0.29.0.
sql.send supports Oracle
sql.send now supports Oracle databases! To connect to it, use a data_source_name of
oracle://USER:PASSWORD@HOST:PORT/DATABASE
See the sql.send documentation for all details about the built-in.
v1.29.1
v1.29.0
v1.28.0
This release includes various dependency bumps, as well as support for Google Cloud Storage as a sink for decision logs.
Google Cloud Storage as a Decision Log Sink
You can now configure Enterprise OPA to send decision logs to Google Cloud Storage.
This is done by configuring a new sink of type gcs in the decision log configuration:
decision_logs:
  plugin: eopa_dl
plugins:
  eopa_dl:
    output:
      - type: gcs
        bucket: logs
For all configuration options, please see the reference documentation.
v1.27.1
v1.27.0
v1.26.0
This release contains various version bumps and an improvement to EKM ergonomics!
External Key Manager (EKM): Simplified configuration, support for plugin configs
Starting with this release, you no longer need to reference service and keys replacements via JSON pointers. You can use direct lookups instead, like this:
services:
  acmecorp:
    credentials:
      bearer:
        scheme: "bearer"
        token: "${vault(kv/data/acmecorp/bearer:data/token)}"
Furthermore, these are also supported in plugins, allowing you to retrieve secrets for their configurations as well.
These replacements can also be done in substrings, like this:
decision_logs:
  plugin: eopa_dl
plugins:
  eopa_dl:
    output:
      - type: http
        url: https://myservice.corp.com/v1/logs
        headers:
          Authorization: "bearer ${vault(kv/data/logs:data/token)}"
Replacements also happen on discovery bundles, if their config includes lookup calls of this sort.
See here for the docs on Using Secrets from HashiCorp Vault.
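To make the substring replacement concrete, the following Go program is an added example, not Enterprise OPA's own code: it models how a `${vault(PATH:FIELD)}` lookup embedded in a longer string could be expanded, and returns an error instead of a half-filled header when the secret cannot be resolved. The names `lookupRe`, `fakeVault`, `field` and `Expand`, the reading of `PATH:FIELD` (Vault path before the colon, slash-separated key into the response after it) and the fail-closed behaviour are assumptions made for this example; the secret value is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// lookupRe matches the placeholder form shown above: ${vault(PATH:FIELD)}.
var lookupRe = regexp.MustCompile(`\$\{vault\(([^:()]+):([^()]+)\)\}`)

// fakeVault is constructed sample data standing in for Vault responses (assumption).
var fakeVault = map[string]map[string]any{
	"kv/data/logs": {"data": map[string]any{"token": "s3cr3t"}},
}

// field walks a slash-separated key such as "data/token" through nested maps.
func field(doc map[string]any, path string) (string, bool) {
	var cur any = doc
	for _, seg := range strings.Split(path, "/") {
		m, _ := cur.(map[string]any) // nil map if cur is not an object
		if cur = m[seg]; cur == nil {
			return "", false
		}
	}
	s, ok := cur.(string)
	return s, ok
}

// Expand replaces every lookup in s, also inside a longer string, and fails closed.
func Expand(s string) (string, error) {
	var err error
	out := lookupRe.ReplaceAllStringFunc(s, func(m string) string {
		g := lookupRe.FindStringSubmatch(m)
		v, ok := field(fakeVault[g[1]], g[2])
		if !ok && err == nil {
			err = fmt.Errorf("unresolved secret %s:%s", g[1], g[2])
		}
		return v
	})
	if err != nil {
		return "", err
	}
	return out, nil
}

func main() {
	fmt.Println(Expand("bearer ${vault(kv/data/logs:data/token)}"))
}
```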