Release Notes for Self-Hosted Styra DAS

Self-Hosted Styra DAS 0.16.0 was released on July 9th, 2024.

Self-Hosted Environment Changes

Addition of new Activity table and bucket for v2 activity writer

This release includes a new buffered activity writer implementation (referred to as v2 activity writer), which is responsible for recording the audit trail for all activity on a tenant. This new implementation allows for better scalability of request handling by Styra DAS and more efficient activity log storage. After upgrading to DAS v0.16.0, customers using PostgreSQL or Amazon RDS for the DAS data storage layer will see a new ActivityV2 table in their database, while customers using the Amazon DynamoDB and S3 data storage layer will see a new ActivityV2 table in DynamoDB as well as a new activity S3 bucket (with the configured resource prefixes). Customers can switch to the v2 activity writer by adding the ACTIVITY_LOGS_USE_BUFFERED_OPTION feature flag with a value of true to their Helm values file.

NOTE: Enabling the v2 activity writer also switches the location for activity log reads, which results in the DAS activity log no longer showing activity logged using the v1 activity writer. The next Styra DAS self-hosted release will include support for loading activity logs into Elasticsearch to avoid this potential activity log gap when switching to the v2 activity writer. Unless needed immediately, we recommend customers wait until the next release before moving to the v2 activity writer.

Ability to disable Activity v1 rolling tables

With the release of the v2 activity writer, customers can disable the creation of rolling Activity tables from the v1 activity writer implementation after switching to the v2 activity writer. To do so, add the DYNAMODB_EXCLUDE_TABLES feature flag with a list value of "Activity" to the Helm values file like so:

DYNAMODB_EXCLUDE_TABLES:
- "Activity"

PostgreSQL feature flags can be changed without restart

Updates to any DATABASE_* flags in the Helm values for PostgreSQL configuration can now be made without requiring a restart of affected DAS services.

New Features and Changes

Beta UI Additions

Added Branch and Draft labels on files in policy editor for Git-backed resources.

Upgraded to OPA v0.66.0

The internal version of OPA used by Styra DAS has now been upgraded to OPA 0.66.0.

Support decision log request_context

Added support for the new request_context field added to decision logs as of OPA v0.65.0.

Optimized Git syncs when tracking commit SHA

When a Git-backed resource is configured to track a commit SHA rather than a branch or a label, DAS now skips Git syncs until the configured commit SHA changes, which decreases the number of requests to the configured Git repository.

Improved indicators for deleted files in Git-backed resources

Managing policy files on a user's DAS working branch can result in situations where a file is present on the main branch but not on the working branch. The policy editor now provides additional context for files that are not yet on the working branch because the working branch is out of sync, and marks files that are present on the main branch but deleted on the working branch.

Git branch APIs include changed files

In addition to the existing deleted_files parameter returned by the List Git branch files APIs for a System, Stack, or Library, the changed_files parameter has been added to provide additional context when using DAS to manage Git-backed resources.

Datasource agents additional information

When no Datasource agents are found to display in the Deployments tab, an info tooltip now gives possible reasons why agents that are expected were not found.

Kubernetes mutating rules for Envoy and Istio

Mutating rules have been added to the Kubernetes library rules to allow for configuring Envoy and Istio external authorization with OPA and DAS.

Fixed Issues

Show source for custom snippets with non-standard rule head

Custom snippets with non-standard rule heads could not be inspected in the UI code editor to view the custom snippet source.

Unexpected not installed message in Systems

Systems with a datasource without a status update for more than an hour resulted in an invalid datasource agent not installed message on the system.

Policy change push with only deletion did not create deletion commit

A policy change push with only file deletions did not create a deletion commit, depending on the status of the file on the working branch and main branch.

Error on metadata policy push with Workspace Git

In some cases, pushing a policy change for a system metadata file when using Workspace Git could result in a UI error.

Stack notification policy pushed to Workspace Git

When using a Workspace Git configuration, a notification policy change for a Git-backed Stack could create a Workspace branch instead of a Stack branch.

Bundle registry settings update error with misconfigured feature flags

In cases when bundle registry feature flags were misconfigured, saving bundle registry settings changes in the UI could fail.