serve 503 when auth filter setup fails instead of panicking

bhope · bhope · commit 713f7fa7848f · 2026-04-30T09:10:46.000-07:00
diff --git a/pkg/app/server.go b/pkg/app/server.go
@@ -567,26 +567,27 @@ func buildMetricsServer(m *metricshandler.MetricsHandler, durationObserver prome
 	mux := http.NewServeMux()
 
 	// Add metricsPath
-	metricsHandler := promhttp.InstrumentHandlerDuration(durationObserver, m)
+	var metricsHandler http.Handler = promhttp.InstrumentHandlerDuration(durationObserver, m)
 
 	// Add Authentication/Authorization via Kubernetes API
 	if authFilter {
+		unavailable := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+			http.Error(w, "auth filter unavailable", http.StatusServiceUnavailable)
+		})
+
 		client, err := rest.HTTPClientFor(kubeConfig)
 		if err != nil {
 			klog.ErrorS(err, "failed to create HTTP client from config")
-		}
-
-		metricsFilter, err := filters.WithAuthenticationAndAuthorization(kubeConfig, client)
-		if err != nil {
+			metricsHandler = unavailable
+		} else if metricsFilter, err := filters.WithAuthenticationAndAuthorization(kubeConfig, client); err != nil {
 			klog.ErrorS(err, "failed to create auth handler")
-		}
-
-		handler, err := metricsFilter(klog.Background(), metricsHandler)
-		if err != nil {
+			metricsHandler = unavailable
+		} else if handler, err := metricsFilter(klog.Background(), metricsHandler); err != nil {
 			klog.ErrorS(err, "failed to apply metrics filter")
+			metricsHandler = unavailable
+		} else {
+			metricsHandler = handler
 		}
-		metricsHandler = handler.(http.HandlerFunc)
-
 	}
 
 	mux.Handle(metricsPath, metricsHandler)
