Release Notes for Styra DAS On-Premises 0.4.0
Styra DAS On-premises 0.4.0 was released on April 28, 2020.
Release Summary
These release notes cover the binaries, new features and enhancements, fixed issues, and known issues and solutions for Styra DAS On-premises 0.4.0.
Binaries
The following shows the location of the Styra DAS On-premises 0.4.0 binaries.
- Location: s3://styra-release/releases/0.4.0/on-premises.tar.gz
- AWS Link: aws s3 presign s3://styra-release/releases/0.4.0/on-premises.tar.gz --expires-in 600000
New Features and Enhancements
This section describes the new features and enhancements in the Integration, Storage, Stacks and Systems components of Styra DAS On-premises 0.4.0.
Integration
- Stream decision logs to Amazon Simple Storage Service (AWS S3): Styra offers the ability to stream decision logs to AWS S3, providing an unlimited historical record of decisions. This streaming occurs when decisions are received from Open Policy Agent (OPA). The decisions are stored as gzip-compressed JSON, with filenames prefixed with a timestamp (in nanoseconds) as a running identifier that is guaranteed to be unique.
Storage
- Support out-of-band credential configuration for Elasticsearch: This feature allows you to configure Elasticsearch using a secret map similar to db_username and db_password.
- Query the OpenID Connect (OIDC) user information endpoint when email information is not available in the identifier (id) token: Most OIDC providers return the necessary user attributes in the id token as part of the initial exchange with the provider. However, some OIDC providers require an additional user information query to obtain the necessary user details. For such providers, Styra extends the OIDC procedure to execute the user information endpoint query when the email information is not available in the id token.
- Upgrade OPA to include new functionality for the http.send response: This release makes the response headers part of the response object, so headers are included in the http.send response. You can now use OPA for policies on REST API endpoints and ensure that they conform to certain guidelines, like allowing Cross-Origin Resource Sharing (CORS) requests.
- Inject custom CA certificates for backend pods: This release enhances the installation of custom CA certificates by configuring the corresponding CA certificate to the Styra CLI client.
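The OIDC fallback described above can be sketched as follows. This is an added example, not Styra's code: `resolve_email`, `IdentityError` and the `fetch_userinfo` callable are hypothetical names, the sample claims are constructed, and the ID token is assumed to be already validated by the caller.

```python
"""Added example: ID-token-first email resolution with a UserInfo fallback."""
from typing import Callable, Mapping


class IdentityError(Exception):
    """Raised when no trustworthy email can be resolved for the user."""


def resolve_email(
    id_token_claims: Mapping[str, object],
    access_token: str,
    fetch_userinfo: Callable[[str], Mapping[str, object]],
) -> str:
    """Return the user's email, querying UserInfo only when the ID token lacks it.

    id_token_claims must already be signature-, issuer-, audience- and
    expiry-validated by the caller. fetch_userinfo is a hypothetical callable
    that sends the access token as a Bearer credential to the provider's
    userinfo_endpoint and returns the decoded JSON object.
    """
    sub = id_token_claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise IdentityError("ID token has no usable 'sub' claim")

    email = id_token_claims.get("email")
    if isinstance(email, str) and email:
        return email  # common case: no extra round trip

    userinfo = fetch_userinfo(access_token)
    # OIDC Core 5.3.2: the UserInfo 'sub' must exactly match the ID token 'sub';
    # otherwise the response values must not be used.
    if userinfo.get("sub") != sub:
        raise IdentityError("UserInfo 'sub' does not match ID token 'sub'")

    email = userinfo.get("email")
    if not isinstance(email, str) or not email:
        raise IdentityError("provider returned no email in ID token or UserInfo")
    return email


# Constructed sample data (not from a real provider).
CLAIMS_NO_EMAIL = {"iss": "https://idp.example", "sub": "user-123", "aud": "das"}
USERINFO = {"sub": "user-123", "email": "alice@example.com"}

if __name__ == "__main__":
    print(resolve_email(CLAIMS_NO_EMAIL, "constructed-token", lambda _t: USERINFO))
```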
Systems
- Introduce Kubernetes mutating webhook: Kubernetes provides multiple pluggable points for the review of authenticated API requests where a request can be inspected or even modified. This is achieved through admission control plugins. This feature allows you to use OPA policies to govern the behavior of the mutation and validation phases. A Styra Kubernetes system installs two webhooks, one each for the mutating and validating phases. You can use either one of them individually or both in combination. Each webhook is configured to query a specific data document on the OPA service present in the cluster.
Issues Fixed
This section describes the issues fixed in Styra DAS On-premises 0.4.0.
API
- Prior to Styra DAS On-premises 0.4.0, users created a new SSO provider configuration with the same identifier with an HTTP POST call, only if the HTTP If-None-Match header was defined earlier. Starting from Styra DAS On-premises 0.4.0, the HTTP If-None-Match header is not required and the HTTP POST call checks for a conflict by default. Therefore, multiple SSO providers with the same identifier were created.
On-Premises
- The deployment kind version extensions/v1beta1 used by the "on-premises.yaml" was deprecated, and moved to the new apps/v1 version.
Known Issues and Solutions
This section describes the known issues and solutions in Styra DAS On-premises 0.4.0.
- Using IAM roles for S3 streaming and a local ES is not working.
UI
When you write a test and run it by Previewing or Validating the test itself, you might receive a “function not defined” error, because the function you are testing is defined in the draft version of the policy under test.
Workaround: Run the test by Validating the draft policy itself instead of the test module.