https://cerbos.dev logo
#help
Title
# help
m

Matthew Ebeweber

05/18/2023, 3:12 AM
any chatter around github flakiness impacting git stored policies? now that i’m moving to a sidecar model we’re pulling down the policies on every deploy. seeing some flakiness spinning things up.
at least that’s my hypothesis right now from the logs. might move to persisting the policies in s3.
c

Charith (Cerbos)

05/18/2023, 8:17 AM
Yeah, it's frustrating but there's nothing much we can do about the availability of external services. PDPs that are already running won't have an issue though (other than being a little stale) because they have a local copy of the repository. Fresh PDPs will obviously fail if GitHub is unavailable. Indeed, you could setup your CI system to publish the policies on every commit to S3 and use that as the Cerbos store. A more involved step might be to set up a git mirror in your environment. The upcoming release of Cerbos will include a new storage driver that can automatically fall back to a secondary store if the primary is down. That could potentially help alleviate some of these issues as well.
r

Rob Crowe

05/18/2023, 12:07 PM
In case it helps, we run this to sync our policies to S3...
Copy code
---
name: S3
on:
  push:
    branches:
      - main
  schedule:
    # every 15mins
    - cron: "*/15 * * * *"
jobs:
  upload:
    name: Upload
    runs-on: ubuntu-latest
    steps:
      - name: Checkout policies
        uses: actions/checkout@v3
      - name: Run sync
        run: >
          aws s3 sync
          ./
          s3://<bucket_name_here>
          --exclude "*" --include "dev/*" --include "prod/*"
          --delete
          --only-show-errors
        env:
          AWS_REGION: eu-west-1
          AWS_ACCESS_KEY_ID: ${{ secrets.POLICIES_SYNC_AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.POLICIES_SYNC_AWS_SECRET_ACCESS_KEY }}
e

Emre (Cerbos)

05/18/2023, 1:22 PM
Hi Matthew, I am not sure how immediately you are looking to solve this issue (like yesterday). However, if you have a week or two to sort it out this is an issue we have specifically addressed in Cerbos Cloud: making sure that the PDPs have an alternative cloud location they can load the policies from in case Github or our cloud services that does policy distribution to PDPs goes down. Would you like to schedule a demo? We’d love you to take it for a spin.
m

Matthew Ebeweber

05/18/2023, 3:48 PM
Looking to solve it in the next day or two and not spend too much time on it. I will likely roll with the s3 solution described above for now. Regardless, I’m happy to give feedback on the cloud offering at some point in the future.
13 Views