Release Notes for Self-Hosted Styra DAS
Self-Hosted Styra DAS 0.16.0 was released on July 9th, 2024.
Self-Hosted Environment Changes
Addition of new Activity table and bucket for v2 activity writer
This release includes a new buffered activity writer implementation (referred to as v2 activity writer), which is responsible for recording the audit trail for all activity on a tenant. This new implementation allows for better scalability of request handling by Styra DAS and more efficient activity log storage. After upgrading to DAS v0.16.0, customers using PostgreSQL or Amazon RDS for the DAS data storage layer will see a new ActivityV2 table in their database, while customers using the Amazon DynamoDB and S3 data storage layer will see a new ActivityV2 table in DynamoDB as well as a new activity S3 bucket (with the configured resource prefixes). Customers can switch to the v2 activity writer by adding the ACTIVITY_LOGS_USE_BUFFERED_OPTION feature flag with a value of true to their Helm values file.
NOTE: Enabling the v2 activity writer also switches the location for activity log reads, which results in the DAS activity log no longer showing activity logged using the v1 activity writer. The next Styra DAS self-hosted release will include support for loading activity logs into Elasticsearch to avoid this potential activity log gap when switching to the v2 activity writer. Unless needed immediately, we recommend customers wait until the next release before moving to the v2 activity writer.
Ability to disable Activity v1 rolling tables
With the release of the v2 activity writer, customers can disable the creation of rolling Activity tables from the v1 activity writer implementation after switching to the v2 activity writer. To do so, add the DYNAMODB_EXCLUDE_TABLES feature flag with a list value of "Activity" to the Helm values file like so:
DYNAMODB_EXCLUDE_TABLES:
- "Activity"
PostgreSQL feature flags can be changed without restart
Updates to any DATABASE_* flags in the Helm values for PostgreSQL configuration can now be made without requiring a restart of affected DAS services.
New Features and Changes
Beta UI Additions
Added Branch and Draft labels on files in policy editor for Git-backed resources.
Upgraded to OPA v0.66.0
The internal version of OPA used by Styra DAS has now been upgraded to OPA 0.66.0.
Support decision log request_context
Added support for the new request_context field added to decision logs as of OPA v0.65.0.
Optimized Git syncs when tracking commit SHA
When a Git-backed resource is configured to track a commit SHA rather than a branch or a label, DAS will omit Git syncs until the configured commit SHA changes. This decreases the number of requests to the configured Git repository.
Improved indicators for deleted files in Git-backed resources
Managing policy files on a user's DAS working branch can result in situations where a file is present on the main branch but not on the working branch. The policy editor will now provide additional context for files not yet on the working branch due to an out-of-sync working branch and mark files present on the main branch that are deleted on the working branch.
Git branch APIs include changed files
In addition to the existing deleted_files parameter returned by the List Git branch files APIs for a System, Stack, or Library, the changed_files parameter has been added to provide additional context when using DAS to manage Git-backed resources.
Datasource agents additional information
When no Datasource agents are found to display in the Deployments tab, an info tooltip provides context on possible reasons no agents are found if agents are expected.
Kubernetes mutating rules for Envoy and Istio
Mutating rules have been added to the Kubernetes library rules to allow for configuring Envoy and Istio external authorization with OPA and DAS.
Fixed Issues
Show source for custom snippets with non-standard rule head
Custom snippets with non-standard rule heads could not be inspected in the UI code editor to view the custom snippet source.
Unexpected not installed message in Systems
Systems with a datasource without a status update for more than an hour resulted in an invalid datasource agent not installed message on the system.
Policy change push with only deletion did not create deletion commit
A policy change push with only file deletions did not create a deletion commit, depending on the status of the file on the working branch and main branch.
Error on metadata policy push with Workspace Git
In some cases, pushing a policy change for a system metadata file when using Workspace Git could result in a UI error.
Stack notification policy pushed to Workspace Git
When using a Workspace Git configuration, a notification policy change for a Git-backed Stack could create a Workspace branch instead of a Stack branch.
Bundle registry settings update error with misconfigured feature flags
In cases where bundle registry feature flags were misconfigured, saving bundle registry settings changes in the UI could fail.