-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OPA discovery raises a panic error when a signed policy bundle is used #4656
Comments
Initially reported here. |
I found another problem related to Discovery API. Environment variable substitution does not work on the discovered configuration as noticed in the logs below:
|
ashutosh-narkar
added a commit
to ashutosh-narkar/opa
that referenced
this issue
Jun 9, 2022
Currently OPA allows users to use unsigned discovery bundles that themselves point to signed service bundles. The discovery plugin checks if the keys in the service bundle do not update those in the boot config. It's possible that the signing config in the discovery object be a nil pointer. This is change adds a check for that. Fixes: open-policy-agent#4656 Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
ashutosh-narkar
added a commit
that referenced
this issue
Jun 9, 2022
Currently OPA allows users to use unsigned discovery bundles that themselves point to signed service bundles. The discovery plugin checks if the keys in the service bundle do not update those in the boot config. It's possible that the signing config in the discovery object be a nil pointer. This is change adds a check for that. Fixes: #4656 Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Short description
I am testing the OPA discovery feature. In my case, I am using an unsigned discovery bundle with a config that points to a signed policy bundle. When I start the OPA server the discovery bundle is downloaded but a panic error is raised when OPA tries to load the signed policy bundle.
Steps To Reproduce
I have a repo that could be used to reproduce the error.
https://github.com/humbertoc-silva/opa-discovery-issue
Expected behavior
OPA should download the discovered signed policy bundle, validate it with the public key, and load it correctly.
The text was updated successfully, but these errors were encountered: