Update docker.io/openpolicyagent/opa Docker tag to v1.15.2 #414

Open
renovate[bot] wants to merge 1 commit into main from renovate/docker.io-openpolicyagent-opa-1.x

Conversation

@renovate renovate Bot commented Apr 9, 2026

This PR contains the following updates:

| Package | Update | Change | Pending |
|---|---|---|---|
| docker.io/openpolicyagent/opa (source) | minor | 1.14.1-debug -> 1.15.2-debug | 1.16.1-debug (+1) |

Release Notes

open-policy-agent/opa (docker.io/openpolicyagent/opa)

v1.15.2

Compare Source

This release updates the version of Go used to build the OPA binaries and images to 1.26.2.
This version of Go contains multiple security fixes.

v1.15.1

Compare Source

This patch release fixes a backwards-incompatible change in the v1/logging.Logger interface that inadvertently made it
into Release v1.15.0. When using OPA as Go module, and when providing custom Logger implementations, this change would
break your build.

Users of the binaries or Docker images can ignore this, the code is otherwise the same as v1.15.0.

Miscellaneous

  • logging: make WithContext() optional (authored by @srenatus)

v1.15.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Add logger plugin interface and file logger implementation with log rotation
  • Custom HTTPAuthPlugin behavior change, all per-request authentication logic must be moved from NewClient() to
    Prepare()
  • AWS signing support for web identity for assume role credentials

Logger Plugin Support (#8434) (authored by @srenatus)

OPA now supports pluggable logging implementations via the logger plugin interface, which is based on Go's standard log/slog.Handler interface. This allows any slog.Handler implementation to be used as a logger plugin. Loggers can be configured via the server.logger_plugin configuration option and used for both runtime logging and decision logs. OPA includes a built-in file logger plugin (file_logger) that writes structured JSON logs with rotation support using lumberjack. Users can also implement and register custom logger plugins when building OPA.

Example configuration for server logging:

server:
  logger_plugin: file_logger

plugins:
  file_logger:
    path: /var/log/opa/server.log
    max_size_mb: 100
    max_age_days: 28
    max_backups: 3
    compress: true
    level: info

Example configuration for decision logs using the same plugin:

server:
  logger_plugin: file_logger

decision_logs:
  plugin: file_logger

plugins:
  file_logger:
    path: /var/log/opa/server.log
    max_size_mb: 100
    max_age_days: 28
    max_backups: 3
    compress: true
    level: info

Custom HTTPAuthPlugin behavior change (#8376) (authored by @srenatus)

The HTTPAuthPlugin.NewClient() method is now called once per Client instance and cached rather than being called for
every request. Custom plugins that performed per-request operations in NewClient() (such as request counters,
per-request transport wrapping, or logging/metrics side effects) will now only execute those operations once. All
per-request authentication logic must be moved from NewClient() to Prepare(). All plugins included in OPA have been
updated and are unaffected by this change.

Runtime, SDK, Tooling

  • plugins/logger: Add logger plugin interface and file logger implementation with log rotation (#8434) (authored by
    @srenatus)
  • plugins/logs: Decision logs can now use logger plugins for output (#8434) (authored by @srenatus)
  • logging: Add BufferedLogger to capture early startup logs before plugins are initialized (#8434) (authored by
    @srenatus)
  • plugins/rest: Configurable re-read interval for TLS client certificates via cert_reread_interval_seconds field.
    Defaults to re-reading on every request for backwards compatibility.
    The implementation also uses content hashing to detect changes and avoid re-parsing unchanged TLS certificates and
    keys. (#8376) (authored by @srenatus)
  • plugins/rest: All TLS configurations now inherit the minimum version and TLS ciphersuites as configured for the
    server. (#8376) (authored by @srenatus)
  • internal/providers/aws: Refactor deprecated crypto/elliptic APIs to crypto/ecdh (#8395) (authored by @kanywst)
  • plugins/rest: AWS Signing - Allow Service Account (Web Identity) credentials for Assume Role Credentials (#8386)
    (authored by @tiagogviegas)

Compiler, Topdown and Rego

  • ast: fix overlapping array and scalar pattern in rule index (authored by @srenatus)

Bundles

Docs, Website, Ecosystem

Miscellaneous

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
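
The HTTPAuthPlugin change in the v1.15.0 notes above, as an added Go sketch that is not part of this PR or of OPA's code: `authPlugin` is a local stand-in with simplified signatures, and `rotatingToken`, `simulate` and the `tok-N` values are hypothetical. It models NewClient() running once while Prepare() runs for every request, which is why per-request credentials and counters belong in Prepare().

```go
package main

import (
	"fmt"
	"net/http"
)

// authPlugin is a local stand-in (simplified signatures), not OPA's own type.
type authPlugin interface {
	NewClient() (*http.Client, error)
	Prepare(req *http.Request) error
}

// rotatingToken is a hypothetical plugin whose credential changes per request.
type rotatingToken struct{ clientsBuilt, prepared int }

// NewClient holds one-time setup only: it now runs once per client.
func (p *rotatingToken) NewClient() (*http.Client, error) {
	p.clientsBuilt++
	return &http.Client{}, nil
}

// Prepare holds the per-request work: the counter and a fresh header.
func (p *rotatingToken) Prepare(req *http.Request) error {
	p.prepared++
	req.Header.Set("Authorization", fmt.Sprintf("Bearer tok-%d", p.prepared))
	return nil
}

// simulate models NewClient once, then Prepare on n constructed requests (none is sent).
func simulate(p authPlugin, n int) (string, error) {
	if _, err := p.NewClient(); err != nil {
		return "", err
	}
	last := ""
	for i := 0; i < n; i++ {
		req := &http.Request{Method: http.MethodGet, Header: make(http.Header)}
		if err := p.Prepare(req); err != nil {
			return "", err
		}
		last = req.Header.Get("Authorization")
	}
	return last, nil
}

func main() {
	p := &rotatingToken{}
	fmt.Println(simulate(p, 3))
}
```

A plugin that instead set the header or incremented a counter inside NewClient() would, under the cached behaviour, do so only once and reuse a stale credential on later requests.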

@renovate renovate Bot requested a review from a team as a code owner April 9, 2026 22:03
@renovate renovate Bot force-pushed the renovate/docker.io-openpolicyagent-opa-1.x branch 3 times, most recently from 5549d2d to c44b604 Compare April 13, 2026 13:50
@renovate renovate Bot changed the title "Update docker.io/openpolicyagent/opa Docker tag to v1.15.0" -> "Update docker.io/openpolicyagent/opa Docker tag to v1.15.1" Apr 13, 2026
@renovate renovate Bot force-pushed the renovate/docker.io-openpolicyagent-opa-1.x branch from c44b604 to ab4e5a5 Compare April 22, 2026 17:43
@renovate renovate Bot changed the title "Update docker.io/openpolicyagent/opa Docker tag to v1.15.1" -> "Update docker.io/openpolicyagent/opa Docker tag to v1.15.2" Apr 22, 2026
@renovate renovate Bot force-pushed the renovate/docker.io-openpolicyagent-opa-1.x branch from ab4e5a5 to 153b68f Compare April 27, 2026 11:48