Crash enumerating volumes that are not secrets
Closed this issue · 1 comments
mook-as commented
I'm getting a crash on the admission webhook, when doing entanglements.
Details
Version: cfcontainerization/cf-operator:v1.0.0-1.g424dd0b3
Kube resource definition
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ .Release.Name }}-job
  namespace: {{ .Release.Namespace | quote }}
spec:
  template:
    metadata:
      annotations:
        quarks.cloudfoundry.org/consumes: credhub.credhub
        quarks.cloudfoundry.org/deployment: {{ .Release.Name }}
    spec:
      containers:
      - image: opensuse/leap:15.1
        name: job
        command: [/usr/bin/sleep, 1d]
      restartPolicy: Never
      volumes:
      - name: config
        projected:
          sources:
          - secret:
              name: {{ .Release.Name }}-credhub-setup-config
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Release.Name }}-credhub-setup-config
  namespace: {{ .Release.Namespace | quote }}
stringData:
  credhub-location: {{ .Release.Name }}-credhub.{{ .Release.Name }}.svc
Stack Trace
2020/01/11 00:09:24 http2: panic serving 192.168.122.65:46178: runtime error: invalid memory address or nil pointer dereference
goroutine 3880 [running]:
net/http.(*http2serverConn).runHandler.func1(0xc0000d05f8, 0xc000783f67, 0xc00055c300)
/usr/local/go/src/net/http/h2_bundle.go:5706 +0x16b
panic(0x14dc220, 0x235a960)
/usr/local/go/src/runtime/panic.go:679 +0x1b2
code.cloudfoundry.org/cf-operator/pkg/kube/controllers/quarkslink.hasSecretVolumeSource(0xc0004201e0, 0x2, 0x2, 0xc000c3a900, 0x13, 0xc000089160)
/go/src/code.cloudfoundry.org/cf-operator/pkg/kube/controllers/quarkslink/pod_mutator.go:147 +0x9d
code.cloudfoundry.org/cf-operator/pkg/kube/controllers/quarkslink.(*PodMutator).addSecret(0xc0005b8f00, 0x18ef680, 0xc001090740, 0xc000088b68, 0x6, 0xc00125e000, 0x1, 0x0)
/go/src/code.cloudfoundry.org/cf-operator/pkg/kube/controllers/quarkslink/pod_mutator.go:81 +0x1b3
code.cloudfoundry.org/cf-operator/pkg/kube/controllers/quarkslink.(*PodMutator).Handle(0xc0005b8f00, 0x18ef680, 0xc001090740, 0xc000570a20, 0x24, 0x0, 0x0, 0xc000088a20, 0x2, 0xc000088a22, ...)
/go/src/code.cloudfoundry.org/cf-operator/pkg/kube/controllers/quarkslink/pod_mutator.go:54 +0x3d9
sigs.k8s.io/controller-runtime/pkg/webhook/admission.(*Webhook).Handle(0xc0005b8f60, 0x18ef680, 0xc001090740, 0xc000570a20, 0x24, 0x0, 0x0, 0xc000088a20, 0x2, 0xc000088a22, ...)
/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.2.2/pkg/webhook/admission/webhook.go:135 +0xb4
sigs.k8s.io/controller-runtime/pkg/webhook/admission.(*Webhook).ServeHTTP(0xc0005b8f60, 0x18e9880, 0xc0000d05f8, 0xc000526a00)
/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.2.2/pkg/webhook/admission/http.go:86 +0x777
sigs.k8s.io/controller-runtime/pkg/webhook.instrumentedHook.func1(0x18e9880, 0xc0000d05f8, 0xc000526a00)
/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.2.2/pkg/webhook/server.go:116 +0xfc
net/http.HandlerFunc.ServeHTTP(0xc0005b8f90, 0x18e9880, 0xc0000d05f8, 0xc000526a00)
/usr/local/go/src/net/http/server.go:2007 +0x44
net/http.(*ServeMux).ServeHTTP(0xc000048c80, 0x18e9880, 0xc0000d05f8, 0xc000526a00)
/usr/local/go/src/net/http/server.go:2387 +0x1bd
net/http.serverHandler.ServeHTTP(0xc000a4e0e0, 0x18e9880, 0xc0000d05f8, 0xc000526a00)
/usr/local/go/src/net/http/server.go:2802 +0xa4
net/http.initNPNRequest.ServeHTTP(0x18ef740, 0xc000900060, 0xc0005fbc00, 0xc000a4e0e0, 0x18e9880, 0xc0000d05f8, 0xc000526a00)
/usr/local/go/src/net/http/server.go:3365 +0x8d
net/http.(*http2serverConn).runHandler(0xc00055c300, 0xc0000d05f8, 0xc000526a00, 0xc0017a2640)
/usr/local/go/src/net/http/h2_bundle.go:5713 +0x9f
created by net/http.(*http2serverConn).processHeaders
/usr/local/go/src/net/http/h2_bundle.go:5447 +0x4eb
Analysis
addSecret() passes pod.Spec.Volumes directly to hasSecretVolumeSource(). It assumes each volume has a .Secret (so that it can look at .Secret.SecretName); this may not be true if it is a non-secret volume.
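The failure mode described in the analysis above, as an added example that is not part of the original issue or of cf-operator's code: the unchecked variant dereferences .Secret on every volume and panics on a projected volume, while the guarded variant skips volumes whose .Secret is nil. The function names, the (volumes, secretName) signature, the trimmed stand-in types and the sample volume names are assumptions made for illustration.

```go
package main

import "fmt"

// Stand-ins for the k8s.io/api/core/v1 volume types, trimmed to what is used here (assumption).
type SecretVolumeSource struct{ SecretName string }
type ProjectedVolumeSource struct{ SecretNames []string } // simplified
type Volume struct {
	Name      string
	Secret    *SecretVolumeSource    // nil unless this is a plain secret volume
	Projected *ProjectedVolumeSource // nil unless this is a projected volume
}

// uncheckedHasSecret (hypothetical name) treats every volume as a secret volume.
func uncheckedHasSecret(volumes []Volume, secretName string) bool {
	for _, v := range volumes {
		if v.Secret.SecretName == secretName { // nil dereference when v.Secret is nil
			return true
		}
	}
	return false
}

// guardedHasSecret (hypothetical name) ignores volumes that are not secret volumes.
func guardedHasSecret(volumes []Volume, secretName string) bool {
	for _, v := range volumes {
		if v.Secret != nil && v.Secret.SecretName == secretName {
			return true
		}
	}
	return false
}

// panics reports whether calling f panicked.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

// sampleVolumes is constructed input modeled on the Job in the report.
var sampleVolumes = []Volume{
	{Name: "config", Projected: &ProjectedVolumeSource{SecretNames: []string{"demo-credhub-setup-config"}}},
	{Name: "link", Secret: &SecretVolumeSource{SecretName: "link-demo-credhub"}},
}

func main() {
	fmt.Println(panics(func() { uncheckedHasSecret(sampleVolumes, "x") }), guardedHasSecret(sampleVolumes, "link-demo-credhub"))
}
```

The guarded variant only matches plain secret volumes; whether secrets referenced inside projected sources should also count is a separate design decision that the issue does not address.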
cf-gitbot commented
We have created an issue in Pivotal Tracker to manage this:
https://www.pivotaltracker.com/story/show/170658915
The labels on this github issue will be updated when the story is started.