Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OPA /health?plugins API panic's with envoy plugin #2396

Closed
patrick-east opened this issue May 12, 2020 · 0 comments
Closed

OPA /health?plugins API panic's with envoy plugin #2396

patrick-east opened this issue May 12, 2020 · 0 comments
Assignees
@patrick-east
Labels
bug int-envoy Issues related to the opa-envoy-plugin

Comments

@patrick-east
Copy link
Contributor

Using the latest OPA if you configure a health probe with the envoy plugin https://github.com/open-policy-agent/opa-istio-plugin you will get a panic:

{15:48} ✘ ~ ❯ k logs example-app-79586cfcdb-r9gvj opa
{"addrs":["localhost:8181"],"diagnostic-addrs":["0.0.0.0:8282"],"insecure_addr":"","level":"info","msg":"Initializing server.","time":"2020-05-12T22:47:44Z"}
{"level":"info","msg":"Starting decision logger.","plugin":"decision_logs","time":"2020-05-12T22:47:44Z"}
{"addr":":9191","dry-run":false,"enable-reflection":false,"level":"info","msg":"Starting gRPC server.","path":"","query":"data.envoy.authz.allow","time":"2020-05-12T22:47:44Z"}
{"client_addr":"172.17.0.1:38724","level":"info","msg":"Received request.","req_body":"","req_id":1,"req_method":"GET","req_params":{"plugins":[""]},"req_path":"/health","time":"2020-05-12T22:47:49Z"}
2020/05/12 22:47:49 http: panic serving 172.17.0.1:38724: runtime error: invalid memory address or nil pointer dereference
goroutine 6 [running]:
net/http.(*conn).serve.func1(0xc0002a2140)
	/usr/local/Cellar/go/1.14.2_1/libexec/src/net/http/server.go:1772 +0x139
panic(0xc85c00, 0x14fcdc0)
	/usr/local/Cellar/go/1.14.2_1/libexec/src/runtime/panic.go:975 +0x3e3
github.com/open-policy-agent/opa/server.(*Server).unversionedGetHealth(0xc0001e11e0, 0xee6580, 0xc00000c4c0, 0xc0002d4600)
	/Users/patrick/projects/go/src/github.com/open-policy-agent/opa/server/server.go:1011 +0x19d
net/http.HandlerFunc.ServeHTTP(0xc000235910, 0xee6580, 0xc00000c4c0, 0xc0002d4600)
	/usr/local/Cellar/go/1.14.2_1/libexec/src/net/http/server.go:2012 +0x44
github.com/open-policy-agent/opa/internal/prometheus.(*Provider).InstrumentHandler.func1(0x7f2eda291108, 0xc0000791d0, 0xc0002d4600)
	/Users/patrick/projects/go/src/github.com/open-policy-agent/opa/internal/prometheus/prometheus.go:78 +0xfc
net/http.HandlerFunc.ServeHTTP(0xc00023d440, 0x7f2eda291108, 0xc0000791d0, 0xc0002d4600)
	/usr/local/Cellar/go/1.14.2_1/libexec/src/net/http/server.go:2012 +0x44
github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func1(0xee6740, 0xc00007c440, 0xc0002d4600)
	/Users/patrick/projects/go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:68 +0x11c
net/http.HandlerFunc.ServeHTTP(0xc00023b860, 0xee6740, 0xc00007c440, 0xc0002d4600)
	/usr/local/Cellar/go/1.14.2_1/libexec/src/net/http/server.go:2012 +0x44
github.com/gorilla/mux.(*Router).ServeHTTP(0xc0001b6180, 0xee6740, 0xc00007c440, 0xc0002d4300)
	/Users/patrick/projects/go/pkg/mod/github.com/gorilla/[email protected]/mux.go:212 +0xe2
github.com/open-policy-agent/opa/runtime.(*LoggingHandler).ServeHTTP(0xc0003051a0, 0xee7bc0, 0xc0002e2000, 0xc0002d4300)
	/Users/patrick/projects/go/src/github.com/open-policy-agent/opa/runtime/logging.go:83 +0x153
net/http.serverHandler.ServeHTTP(0xc0001f61c0, 0xee7bc0, 0xc0002e2000, 0xc0002d4300)
	/usr/local/Cellar/go/1.14.2_1/libexec/src/net/http/server.go:2807 +0xa3
net/http.(*conn).serve(0xc0002a2140, 0xeea940, 0xc00007c2c0)
	/usr/local/Cellar/go/1.14.2_1/libexec/src/net/http/server.go:1895 +0x86c
created by net/http.(*Server).Serve
	/usr/local/Cellar/go/1.14.2_1/libexec/src/net/http/server.go:2933 +0x35c

The issue appears to be that the plugin doesn't have a status set, which is OK, but the server tries to dereference the status pointer and barfs.
@patrick-east patrick-east self-assigned this May 12, 2020
patrick-east added a commit to patrick-east/opa that referenced this issue May 12, 2020
@patrick-east
plugins: Fix panic with /health and envoy plugin
07d12c3 
If there was a nil status value it was still being added to the
status map, but the server didn't check before dereferencing it.

We now just check if the pointer is nil before trying to use it.

Fixes: open-policy-agent#2396
Signed-off-by: Patrick East <[email protected]>
@ashutosh-narkar ashutosh-narkar added the int-envoy Issues related to the opa-envoy-plugin label May 12, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@patrick-east patrick-east

Labels
bug int-envoy Issues related to the opa-envoy-plugin
Projects
Open Policy Agent
Archived in project
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ashutosh-narkar @patrick-east