Upgrade opa from 0.x to 1.x #2652
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Member
Author
|
/retest |
simonbaird
force-pushed
the
opa-upgrade
branch
2 times, most recently
from
7920834 to
b8d3fb1
Compare
Do it consistently in each of the go.mod files. This is a big jump and likely includes some breaking changes, which I'll aim to fix in upcoming commits. Ref: https://issues.redhat.com/browse/EC-1130
The github.com/open-policy-agent/opa/cmd import is an exception, that one doesn't have a v1 subpath. Ref: https://issues.redhat.com/browse/EC-1130
Now it's a global config, rather than being attached to each node (or something like that). See open-policy-agent/opa#7281 for more details. Ref: https://issues.redhat.com/browse/EC-1130 Co-authored-by: Claude 4 Sonnet
Related to the opa upgrade. (With this change I think we have a good chance that all the CI is passing.) Ref: https://issues.redhat.com/browse/EC-1130
Since we wrap opa, all the `ec opa` command line docs are generated from the `opa` command line docs. These changes are what you get when running `make generate`. Ref: https://issues.redhat.com/browse/EC-1130
This was useful figuring out the fix in the next commit. Let's leave it in since it's pretty harmless and maybe it will be useful again one day.
Firstly, it causes the "check for uncommitted diffs" CI step to mysteriously fail in GitHub due to mismatch in the generated docs. Here's an example of the diff in docs/modules/ROOT/pages/ec_opa_test.adoc: --p, --parallel:: the number of tests that can run in parallel, defaulting to the number of CPUs (explicitly set with 0). Benchmarks are always run sequentially. (Default: 16) +-p, --parallel:: the number of tests that can run in parallel, defaulting to the number of CPUs (explicitly set with 0). Benchmarks are always run sequentially. (Default: 4) Secondly, having the number of CPUs hard-coded in static docs does not make much sense. Notes: - Originally I implemented this workaround in the template internal/documentation/asciidoc/cli/cli.tmp which worked fine, but made the template quite messy. - See relevant opa code here: https://github.com/open-policy-agent/opa/blob/d0c0ae9730b1ecb06a29c341c707c265138f0494/cmd/test.go#L569C69-L569C76 - This is was tough one to debug! Ref: https://issues.redhat.com/browse/EC-1130
Just a little cleanup I wanted to do after creating the previous commit. Note that f.Deprecated and f.ShorthandDeprecated are both strings so that's why I think we can just compare to "" rather than use len(..) == 0, and also why I think we can skip the extra len > 0 check.
Member
Author
|
I gave this a little test against the real policies, and it seems to work fine. |
simonbaird
commented
Jul 24, 2025
|
|
||
| _, err = evaluator.Evaluate(ctx, EvaluationTarget{Inputs: []string{path.Join(dir, "inputs")}}) | ||
| require.Error(t, err) | ||
| assert.EqualError(t, err, `the rule "deny = true if { true }" returns an unsupported value, at no_msg.rego:5`) |
Member
Author
There was a problem hiding this comment.
This line got nuked by Cursor in #2639 for some reason . I put it back when rebasing.
simonbaird
commented
Jul 24, 2025
| --ignore:: set file and directory names to ignore during loading (e.g., '.*' excludes hidden files) (Default: []) | ||
| -m, --max-errors:: set the number of errors to allow before compilation fails early (Default: 10) | ||
| -r, --run:: run only test cases matching the regular expression. | ||
| -p, --parallel:: the number of tests that can run in parallel, defaulting to the number of CPUs (explicitly set with 0). Benchmarks are always run sequentially. (Default: 16) |
Member
Author
There was a problem hiding this comment.
...notice (Default: 16) here and see later commits for the fun it caused.
simonbaird
changed the title
Member
Author
|
I'll probably merge it later today FYI. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Ref: https://issues.redhat.com/browse/EC-1130
For reviewers, I suggest looking at commits one by one.