From 485325f83d0775677c5ac9f518597bed04ecfe91 Mon Sep 17 00:00:00 2001
From: Shane Hutchins <shane.hutchins@hitachids.com>
Date: Wed, 22 Jan 2025 08:51:01 -0500
Subject: [PATCH] OPA deployment and documentation updates

---
 deployment/deployment-opa.yaml                    |  4 ++--
 deployment/docker-compose.yaml                    |  2 +-
 deployment/helm3/templates/deployment-opa.yaml    |  2 +-
 deployment/policy-azure.yaml                      |  2 +-
 .../templates/deployment-opa.yaml                 |  2 +-
 devops/gc/deploy/values.yaml                      |  2 +-
 docs/docs/opa.md                                  | 15 +++++++++++----
 7 files changed, 18 insertions(+), 11 deletions(-)

diff --git a/deployment/deployment-opa.yaml b/deployment/deployment-opa.yaml
index 6ef5131f..30599ed9 100644
--- a/deployment/deployment-opa.yaml
+++ b/deployment/deployment-opa.yaml
@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
       - name: opa
-        image: openpolicyagent/opa:latest
+        image: openpolicyagent/opa:0.70.0
         ports:
         - name: http
           containerPort: 8181
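Review bot: The new `image: openpolicyagent/opa:0.70.0` is still a mutable tag, so the registry can later serve different content under the same name. For the component that makes authorization decisions it is worth pinning the digest too, e.g. `image: openpolicyagent/opa:0.70.0@sha256:<digest-of-the-verified-image>` (placeholder; take the value from the image you actually verified). The same applies to the tag changes in deployment/policy-azure.yaml, devops/azure/deprecated-charts/templates/deployment-opa.yaml and devops/gc/deploy/values.yaml. In policy-azure.yaml the context keeps `imagePullPolicy: Always`, so a re-pushed tag would be picked up on the next pod start. The container spec continues outside the hunk.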
@@ -33,4 +33,4 @@ spec:
       volumes:
       - name: opa-policy
         persistentVolumeClaim:
-            claimName: opa-policy
\ No newline at end of file
+            claimName: opa-policy
diff --git a/deployment/docker-compose.yaml b/deployment/docker-compose.yaml
index d977ac77..b5b9bded 100644
--- a/deployment/docker-compose.yaml
+++ b/deployment/docker-compose.yaml
@@ -1,7 +1,7 @@
 version: '2'
 services:
   opa:
-    image: openpolicyagent/opa:latest
+    image: openpolicyagent/opa:0.70
     ports:
       - 8181:8181
     # WARNING: OPA is NOT running with an authorization policy configured. This
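Review bot: `image: openpolicyagent/opa:0.70` does not match the `0.70.0` used by the other manifests in this patch and by the docs table. A two-part tag, if it is published at all, would normally float across patch releases, which undoes the pinning. Suggest `image: openpolicyagent/opa:0.70.0`. Separately, the context line `- 8181:8181` publishes the OPA API on every host interface while the comment below it says no authorization policy is configured. If this file is only for local use, `- "127.0.0.1:8181:8181"` would limit exposure, and the quotes keep YAML from retyping the mapping. The service definition continues outside the hunk.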
diff --git a/deployment/helm3/templates/deployment-opa.yaml b/deployment/helm3/templates/deployment-opa.yaml
index 7ecb50ec..0e11a27f 100644
--- a/deployment/helm3/templates/deployment-opa.yaml
+++ b/deployment/helm3/templates/deployment-opa.yaml
@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
       - name: opa
-        image: openpolicyagent/opa:latest
+        image: openpolicyagent/opa:0.7.0
         ports:
         - name: http
           containerPort: 8181
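Review bot: `image: openpolicyagent/opa:0.7.0` looks like a typo for `0.70.0`. Every other manifest in this patch uses 0.70.0, and the docs table in the same patch lists v0.70.0 for M25. If a 0.7.0 tag resolves, this chart would deploy an OPA far older than the v0.68.0 minimum the docs give for earlier milestones, without the fixes of later releases; if it does not resolve, the pull fails. Suggest `image: openpolicyagent/opa:0.70.0`.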
diff --git a/deployment/policy-azure.yaml b/deployment/policy-azure.yaml
index f4ad6f5f..e646e4f5 100644
--- a/deployment/policy-azure.yaml
+++ b/deployment/policy-azure.yaml
@@ -84,7 +84,7 @@ spec:
     spec:
       containers:
       - name: policy-azure-opa
-        image: osdumvpinfycr6y28cr.azurecr.io/openpolicyagent/opa:latest
+        image: osdumvpinfycr6y28cr.azurecr.io/openpolicyagent/opa:0.70.0
         imagePullPolicy: Always
         ports:
         - containerPort: 8181
diff --git a/devops/azure/deprecated-charts/templates/deployment-opa.yaml b/devops/azure/deprecated-charts/templates/deployment-opa.yaml
index c6f3d2a4..b882c5fc 100644
--- a/devops/azure/deprecated-charts/templates/deployment-opa.yaml
+++ b/devops/azure/deprecated-charts/templates/deployment-opa.yaml
@@ -22,7 +22,7 @@ spec:
       {{- end }}
       containers:
       - name: opa
-        image: openpolicyagent/opa:latest
+        image: openpolicyagent/opa:0.70.0
         lifecycle:
           preStop:
             exec:
diff --git a/devops/gc/deploy/values.yaml b/devops/gc/deploy/values.yaml
index b8a4f3eb..194c63c8 100644
--- a/devops/gc/deploy/values.yaml
+++ b/devops/gc/deploy/values.yaml
@@ -38,7 +38,7 @@ conf:
 opa:
   data:
     requestsMemory: 200Mi
-    image: docker.io/openpolicyagent/opa:latest-rootless
+    image: docker.io/openpolicyagent/opa:0.70.0
     serviceAccountName: opa
   conf:
     envConfig: opa-env-config
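Review bot: The replacement drops the `-rootless` variant: `latest-rootless` becomes plain `0.70.0`. Whether the plain image runs as a non-root user depends on its default user, which is not visible here, so this may silently change the UID the pod runs under. Suggest keeping the variant, `image: docker.io/openpolicyagent/opa:0.70.0-rootless`, if that tag is published for this release. Otherwise enforce `runAsNonRoot: true` in the pod's securityContext in the chart template, which is outside this hunk.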
diff --git a/docs/docs/opa.md b/docs/docs/opa.md
index cb3126cc..9b8cbba3 100644
--- a/docs/docs/opa.md
+++ b/docs/docs/opa.md
@@ -14,13 +14,20 @@
 | M22       | v0.68.0 or later*                     |
 | M23       | v0.68.0 or later                      |
 | M24       | v0.68.0 or later                      |
-| M25       | v0.68.0 or later                      |
+| M25       | v0.70.0                               |
+|-----------|---------------------------------------|
+
+For M22 - OPA v0.67.1 has been reported to work well, but general recommendation will be to update this to v0.68.0
+
+!!! warning "OPA v1.0.x"
 
-M22 - OPA v0.67.1 has been reported to work well, but general recommendation will be to update this to v0.68.0
+     M25 and earlier releases of Policy Service are not compatible with OPA version 1.x syntax. Do not use v1.x.x release, `openpolicyagent/opa:latest` container tag or use the `-v1-compatible` flag on v0.x releases.
+
+     The [`--v0-compatible`](https://www.openpolicyagent.org/docs/latest/v0-compatibility/) or the `rego_version` attribute in their manifest might work, however these have not yet been fully tested with OSDU.  To support OPA v1 all default Policies (Rego) will have to be replaced/updated. To learn more about these planned changes to policies please see [upgrading OPA](https://www.openpolicyagent.org/docs/latest/v0-upgrade/).
 
 ## Role
-- Currently Policy Service is not compatible with OPA version 1.x syntax, so do not use the `-v1-compatible` flag.
-In M20, Policy Service now has the ability to update OPA for the purpose of adding additional data partitions.
+
+Since M20, Policy Service now has the ability to update OPA for the purpose of adding additional data partitions.
 To do this policy service requires the ability read and update the confimap of OPA.
 
 Policy Service should be provided a role similar to the following:
-- 
GitLab