# help

Dmitry Meyerson

06/12/2023, 6:46 PM
thanks for your help team cerbos - looking at the templates here - looks like there is no way to set the namespace? https://artifacthub.io/packages/helm/cerbos/cerbos

Charith (Cerbos)

06/12/2023, 6:49 PM
It's set through the --namespace flag to Helm.

Dmitry Meyerson

06/12/2023, 6:50 PM
ok good point
so if I follow these instructions and everything works as expected, I should see my policies in /work (which can be verified with an ephemeral debug container?) https://docs.cerbos.dev/cerbos/latest/installation/helm.html or am I missing something 🤔
because I don’t even see /work in the debug container

Dennis (Cerbos)

06/12/2023, 10:31 PM
Since the cerbos container doesn’t have a shell to exec into, you can try to map /work to a volume.

Dmitry Meyerson

06/12/2023, 10:56 PM
ic - I can look at that next - first I verified that the token stored as a secret can clone the repo where I store my policies (it can)
so it's still a mystery why the config now appears to use the “disk” driver rather than the “git” driver

Dennis (Cerbos)

06/12/2023, 10:58 PM
YAML indentation?

Dmitry Meyerson

06/12/2023, 10:59 PM
# Default values for cerbos.
# This is a YAML-formatted file.

service:
  type: ClusterIP
  httpPort: 3592
  grpcPort: 3593
  httpNodePort: 13592
  grpcNodePort: 13593

envFrom:
  - secretRef:
      name: cerbos-github-token

cerbos:
  config:
    driver: "git"
    git:
      protocol: https
      # git URL
      url: https://my-url/cerbos-ABAC.git
      # Replace with the branch name of your repo.
      branch: my-branch
      # Remove or leave empty if the policies are not stored in a subdirectory.
      #subDir: hr
      subDir: policies
      # Path to checkout. By default, /work is a Kubernetes emptyDir volume that is only available for the lifetime of the pod.
      # If you want the work directory to persist between pod restarts, specify the mount path of a persistent volume here.
      #checkoutDir: /work
      # How often the remote repo should be checked for updates.
      updatePollInterval: 60s
      # Credentials used to login to the remote GitHub repo. We are using an environment variable mounted from the secret we created earlier.
      https:
        username: ${GITHUB_TOKEN} 
        password: ""
is there a way to just get more verbose logs?

Dennis (Cerbos)

06/12/2023, 11:02 PM
I think your config is missing a storage field:
cerbos -> config -> storage
envFrom:
  - secretRef:
      name: cerbos-github-token

cerbos:
  config:
    # Configure the git storage driver
    storage:
      driver: "git"
      git:
        protocol: https
        # Replace with the URL of your GitHub repo.
        url: https://github.com/cerbos/sample-policies.git
        # Replace with the branch name of your repo.
        branch: main
        # Remove or leave empty if the policies are not stored in a subdirectory.
        subDir: hr
        # Path to checkout. By default, /work is a Kubernetes emptyDir volume that is only available for the lifetime of the pod.
        # If you want the work directory to persist between pod restarts, specify the mount path of a persistent volume here.
        checkoutDir: /work
        # How often the remote repo should be checked for updates.
        updatePollInterval: 60s
        # Credentials used to login to the remote GitHub repo. We are using an environment variable mounted from the secret we created earlier.
        https:
          username: ${GITHUB_TOKEN}
          password: ""

Dmitry Meyerson

06/12/2023, 11:03 PM
OHH
DOOD
right
blyat
THANK YOU
ok that works - just errors due to actual policy content