OPA discovery raises a panic error when a signed policy bundle is used

[humbertoc-silva]

Short description

I am testing the OPA discovery feature. In my case, I am using an unsigned discovery bundle with a config that points to a signed policy bundle. When I start the OPA server the discovery bundle is downloaded but a panic error is raised when OPA tries to load the signed policy bundle.

Steps To Reproduce

I have a repo that could be used to reproduce the error.
https://github.com/humbertoc-silva/opa-discovery-issue

Expected behavior

OPA should download the discovered signed policy bundle, validate it with the public key, and load it correctly.

[ashutosh-narkar]

Initially reported here.

[humbertoc-silva]

I found another problem related to Discovery API. Environment variable substitution does not work on the discovered configuration as noticed in the logs below:

{"headers":{"Prefer":["modes=snapshot,delta"],"User-Agent":["Open Policy Agent/0.40.0 (linux, amd64)"]},"level":"debug","method":"GET","msg":"Sending request.","time":"2022-05-13T18:56:41Z","url":"http://bundle_server/bundles/${UNSIGNED_BUNDLE_NAME}"}
{"headers":{"Connection":["keep-alive"],"Content-Length":["153"],"Content-Type":["text/html"],"Date":["Fri, 13 May 2022 18:56:41 GMT"],"Server":["nginx/1.21.6"]},"level":"debug","method":"GET","msg":"Received response.","status":"404 Not Found","time":"2022-05-13T18:56:41Z","url":"http://bundle_server/bundles/${UNSIGNED_BUNDLE_NAME}"}
{"level":"error","msg":"Bundle load failed: server replied with Not Found","name":"unsigned_policy_bundle","plugin":"bundle","time":"2022-05-13T18:56:41Z"}