Hi all, I'm deploying Cerbos with 'server.adminAPI...
# help
Hi all, I'm deploying Cerbos with 'server.adminAPI.enabled' set to 'true,' and I have mounted the admin credentials as a secret volume inside Cerbos and I'm passing the file path in the ConfigMap. After installation, I'm getting this error log in the Cerbos pod: {"log.level":"log.logger":"cerbos.grpc","message":"Failed to check admin API credentials","error":"crypto/bcrypt: hashedSecret too short to be a bcrypted password"} Am I doing something wrong here?
Can you give more details? Are you making the Cerbos configuration file a secret and mounting it to the pod or are you mounting the secrets into environment variables and using those environment variables in the Cerbos configuration? BTW, the password has to be a bcrypt hash. The instructions for generating one are in the documentation. https://docs.cerbos.dev/cerbos/latest/configuration/server#_generating_a_password_hash
I'm using volumemounts not as environment variables volumeMounts: - mountPath: /config name: config readOnly: true - mountPath: /work name: work - mountPath: /etc/secrets/cerbos name: cerbos-secret readOnly: true volumes: - configMap: defaultMode: 420 name: cerbos name: config - emptyDir: {} name: work - name: cerbos-secret secret: defaultMode: 420 secretName: cerbos and using those mountPath in the cerbos configuration : data: config.yaml: |- server: adminAPI: adminCredentials: passwordHash: /etc/secrets/cerbos/password username: /etc/secrets/cerbos/username enabled: true grpcListenAddr: :3593 httpListenAddr: :3592 Am I missing something here ?
Yes, that wouldn't work. Admin credentials expect a string value for
. You'd need to load your secrets into pod environment variables and change the config file to use them instead. Something like:
Copy code
passwordHash: ${PASSWORD_HASH_ENV_VAR}
username: ${USERNAME_ENV_VAR}
Okay @Charith (Cerbos) Thanks for the info.Let me try this 👍
Working fine 👍 thank you @Charith (Cerbos)
🙇 1