Cerbos v0.30.0

This release contains many enhancements, features and bug fixes to the Cerbos core engine, policy development tools and deployment methods.

Highlights

Variables used in policies are now checked at compile time to detect unknown variables and circular references. This helps policy authors catch problems early, during development, and also enables the Cerbos engine to perform runtime optimizations. Please note that if your existing policies reference undefined variables, this version of Cerbos will refuse to start until those issues are rectified. Before upgrading your Cerbos services or sidecars to v0.30.0, we recommend running the cerbos compile command on your policy repository to detect and fix the new compile errors.
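To make the two new checks concrete, here is an added, self-contained Go program (not Cerbos's own compiler code) that runs the same kind of validation over a constructed set of policy variable definitions: it scans each CEL expression for references in the `variables.<name>` and `V.<name>` forms that Cerbos policies use, reports any name that is never defined, and walks the resulting dependency graph to report cycles. The regex-based reference scan and the variable names in the sample are illustrative assumptions; a real compiler would walk the parsed CEL AST instead.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// refPattern finds variable references inside a CEL expression. Cerbos lets a
// policy refer to a variable as `variables.<name>` or with the `V.<name>`
// shorthand; this illustrative checker scans for those tokens rather than
// parsing CEL (assumption: a real compiler would walk the AST).
var refPattern = regexp.MustCompile(`\b(?:variables|V)\.([A-Za-z_][A-Za-z0-9_]*)`)

// CompileError is one problem found in a policy's variable definitions.
type CompileError struct {
	Variable string
	Message  string
}

// references returns the variable names an expression refers to, in order.
func references(expr string) []string {
	var names []string
	for _, m := range refPattern.FindAllStringSubmatch(expr, -1) {
		names = append(names, m[1])
	}
	return names
}

// CheckVariables validates a map of variable name -> CEL expression and
// reports references to undefined variables and circular definitions.
// Variables are visited in name order so the errors are deterministic.
func CheckVariables(vars map[string]string) []CompileError {
	names := make([]string, 0, len(vars))
	for name := range vars {
		names = append(names, name)
	}
	sort.Strings(names)

	var errs []CompileError

	// Pass 1: every referenced variable must be defined.
	for _, name := range names {
		for _, ref := range references(vars[name]) {
			if _, ok := vars[ref]; !ok {
				errs = append(errs, CompileError{Variable: name, Message: fmt.Sprintf("references undefined variable %q", ref)})
			}
		}
	}

	// Pass 2: depth-first search over the dependency graph. A reference to a
	// variable that is still on the current path (grey) closes a cycle.
	const (
		white = iota // not yet visited
		grey         // on the current DFS path
		black        // fully explored
	)
	colour := make(map[string]int, len(vars))
	var visit func(name string, path []string)
	visit = func(name string, path []string) {
		colour[name] = grey
		path = append(path, name)
		for _, ref := range references(vars[name]) {
			if _, ok := vars[ref]; !ok {
				continue // undefined references were reported in pass 1
			}
			switch colour[ref] {
			case white:
				visit(ref, path)
			case grey:
				start := 0
				for i, p := range path {
					if p == ref {
						start = i
					}
				}
				cycle := append(append([]string{}, path[start:]...), ref)
				errs = append(errs, CompileError{Variable: ref, Message: "circular reference: " + strings.Join(cycle, " -> ")})
			}
		}
		colour[name] = black
	}
	for _, name := range names {
		if colour[name] == white {
			visit(name, nil)
		}
	}

	sort.Slice(errs, func(i, j int) bool {
		if errs[i].Variable != errs[j].Variable {
			return errs[i].Variable < errs[j].Variable
		}
		return errs[i].Message < errs[j].Message
	})
	return errs
}

// SamplePolicyVariables is a constructed set of definitions (not from any
// real policy) containing one undefined reference and one cycle alongside
// valid entries.
func SamplePolicyVariables() map[string]string {
	return map[string]string{
		"is_owner":    "request.resource.attr.owner == request.principal.id",
		"in_region":   "request.resource.attr.region in variables.allowed_regions", // allowed_regions is never defined
		"can_edit":    "V.is_owner || variables.is_reviewer",
		"is_reviewer": "variables.can_edit && request.principal.attr.role == \"reviewer\"", // cycle with can_edit
	}
}

func main() {
	errs := CheckVariables(SamplePolicyVariables())
	if len(errs) == 0 {
		fmt.Println("no errors")
		return
	}
	for _, e := range errs {
		fmt.Printf("%s: %s\n", e.Variable, e.Message)
	}
}
```

Run against the sample, the checker rejects the set for the same two reasons the new Cerbos compile step would: `in_region` refers to a variable that is never defined, and `can_edit` and `is_reviewer` define each other. Because a self-referential variable (`variables.loop` inside `loop`) is the degenerate one-node cycle, the same DFS reports it as `loop -> loop`.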

Cerbos now follows the convention of looking for .cerbos.yaml as the default configuration file. This is to support the common use case of including the Cerbos configuration within the policy repo itself. If you use cerbos run, you may need to rename your configuration file to .cerbos.yaml.

The file audit log driver now supports automatic log rotation based on file size and age. It also gains the ability to output to multiple destinations (tee) such as a file and stdout/stderr at the same time.

Cerbos can now be configured with an acceptable skew value for validating the standard JWT time-based claims (exp and nbf). This tolerates small clock drift between the token issuer and the Cerbos instance. Keep the skew small (seconds, not minutes): every second of skew extends the window during which an already-expired token is still accepted.
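The following is an added Go example, not Cerbos's own JWT code, showing what an acceptable-skew check on exp and nbf amounts to and why the value should stay small. It applies the RFC 7519 rules (the current time must be before exp and at or after nbf) with a symmetric tolerance, and runs a constructed token payload (not a real token) against three verifier clocks at three skew settings. The claim parser assumes integer NumericDate values, which is sufficient for the constructed sample.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// TimeClaims holds the two standard time-based JWT claims. A zero time means
// the claim is absent from the token and is therefore not checked.
type TimeClaims struct {
	ExpiresAt time.Time // exp: token is invalid at or after this instant
	NotBefore time.Time // nbf: token is invalid before this instant
}

var (
	ErrExpired     = errors.New("jwt: token has expired")
	ErrNotYetValid = errors.New("jwt: token is not yet valid")
)

// ParseTimeClaims extracts exp and nbf from a decoded JWT payload.
// RFC 7519 NumericDate values are seconds since the Unix epoch; the sample
// payload here uses integers, so int64 is sufficient for this illustration.
func ParseTimeClaims(payload []byte) (TimeClaims, error) {
	var raw struct {
		Exp *int64 `json:"exp"`
		Nbf *int64 `json:"nbf"`
	}
	if err := json.Unmarshal(payload, &raw); err != nil {
		return TimeClaims{}, err
	}
	var c TimeClaims
	if raw.Exp != nil {
		c.ExpiresAt = time.Unix(*raw.Exp, 0).UTC()
	}
	if raw.Nbf != nil {
		c.NotBefore = time.Unix(*raw.Nbf, 0).UTC()
	}
	return c, nil
}

// ValidateTimeClaims applies the RFC 7519 rules (now < exp, now >= nbf) with
// a symmetric tolerance of `skew` for clock drift between issuer and verifier:
// exp is effectively treated as exp+skew and nbf as nbf-skew.
func ValidateTimeClaims(c TimeClaims, now time.Time, skew time.Duration) error {
	if skew < 0 {
		return errors.New("jwt: skew must not be negative")
	}
	if !c.ExpiresAt.IsZero() && !now.Before(c.ExpiresAt.Add(skew)) {
		return ErrExpired
	}
	if !c.NotBefore.IsZero() && now.Before(c.NotBefore.Add(-skew)) {
		return ErrNotYetValid
	}
	return nil
}

func outcome(err error) string {
	if err == nil {
		return "accepted"
	}
	return err.Error()
}

func main() {
	// Constructed sample payload (not a real token): a ten minute lifetime with
	// fixed nbf and exp so the demonstration is deterministic.
	payload := []byte(`{"sub":"alice","iat":1700000000,"nbf":1700000000,"exp":1700000600}`)
	c, err := ParseTimeClaims(payload)
	if err != nil {
		panic(err)
	}

	cases := []struct {
		label string
		now   time.Time
	}{
		{"3s before nbf (verifier clock behind issuer)", c.NotBefore.Add(-3 * time.Second)},
		{"inside validity window", c.NotBefore.Add(5 * time.Minute)},
		{"15s after exp (verifier clock ahead of issuer)", c.ExpiresAt.Add(15 * time.Second)},
	}
	for _, skew := range []time.Duration{0, 5 * time.Second, 30 * time.Second} {
		for _, tc := range cases {
			fmt.Printf("skew=%-4v %-48s -> %s\n", skew, tc.label, outcome(ValidateTimeClaims(c, tc.now, skew)))
		}
	}
}
```

The output makes the trade-off visible: a 5 second skew absorbs the small drift that makes a freshly minted token fail its nbf check, while the 30 second setting also accepts a token that expired 15 seconds ago. The boundary is exclusive for exp (a token is rejected when now equals exp+skew) and inclusive for nbf (accepted when now equals nbf-skew), matching the RFC wording.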

Using the new cerbosctl store export command, you can export your policy repository to a directory or zip/tar.gz archive. This is particularly useful when working with database stores to help troubleshoot issues using Cerbos developer tools such as the test runner and the REPL. It can also be used as a backup tool for capturing snapshots of your policy repo.

The cerbos compile command can now work with policies stored in zip/tar.gz archives. This complements the ability of the Cerbos disk driver to work with archive files.

Changelog

Bug Fixes

  • Evict policies from cache after disable or enable (#1711)

  • Ignore invalid expressions (#1799)

  • Lambda body can be a field selection (#1720)

  • Normalize Git store subdirectory config to handle leading ./ correctly (#1774)

Features

  • Add cerbosctl command to export policies and schemas from store (#1686)

  • Add options for intercepting gRPC operations (#1724)

  • Audit log rotation support (#1766)

  • BREAKING Check variable references at compile time (#1772)

Enhancements

  • Add ability to set clusterIP (#1707)

  • Allow an image digest to be provided instead of a tag (#1735)

  • Better error messages from compile command (#1750)

  • Clean-up store resources (#1749)

  • Compile and run tests from an archive (#1721)

  • Configurable time skew for JWT validation (#1790)

  • Configuration to disable API explorer (#1767)

  • Relax naming conventions for resource kinds, principals and roles (#1762)

  • BREAKING Use .cerbos.yaml as conventional name for config file (#1755)

Documentation

  • Add testdata schema URLs (#1779)

  • Caveats of sharing a DB with multiple instances (#1743)

  • Fix typo in 03_calling-cerbos.adoc (#1714)

  • Remove deprecated endpoint/rpc (#1734)

  • Stop building docs for older versions (#1716)

  • Update SDK examples (#1731)

  • Update examples for handling expressions beginning with quote (#1739)

Chores

  • Always run upload-test-times after test (#1756)

  • Bump github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4 in /tools (#1788)

  • Bump version to 0.30.0

  • Configure Cloud docs build (#1712)

  • Create PRs for Homebrew formula updates (#1704)

  • Debug logging for server tests (#1791)

  • Downgrade pterm to v0.12.66 (#1787)

  • Fix output path of the E2E coverage (#1757)

  • Ignore PlaygroundEnabled configuration flag (#1705)

  • Mark auxData parameter as optional in OpenAPI spec (#1723)

  • Move gonum dependency into correct group (#1776)

  • Publish prerelease images tagged by commit hash (#1736)

  • Switch to Coveralls (#1751)

  • Update Go to v1.20 (#1775)

  • Update bufbuild/buf-setup-action action to v1.25.0 (#1709)

  • Update bufbuild/buf-setup-action action to v1.25.1 (#1729)

  • Update bufbuild/buf-setup-action action to v1.26.0 (#1748)

  • Update github actions deps (#1759)

  • Update go deps (#1708)

  • Update go deps (#1718)

  • Update go deps (#1730)

  • Update go deps (#1747)

  • Update go deps (#1760)

  • Update go deps (#1768)

  • Update go deps (#1780)

  • Update go deps to v2 (major) (#1769)

  • Update helm release postgresql to v12.6.7 (#1681)

  • Update module github.com/jdxcode/netrc to v1 (#1782)

  • Upgrade gRPC middleware to v2 (#1786)

  • Upgrade to CEL 0.17 (#1717)

  • Upload test coverage from snapshot builds (#1764)

  • Use experimental 'loopvar' released with Go 1.21 (#1738)