Alex Dolid
03/04/2024, 7:27 PM
{"type":"Error","message":"gRPC error 14 (UNAVAILABLE): read ECONNRESET","stack":"NotOK: gRPC error 14 (UNAVAILABLE): read ECONNRESET
my fly.toml configuration
app = 'cerbos-service'
primary_region = 'waw'
[build]
[http_service]
internal_port = 3592
force_https = true
auto_stop_machines = true
auto_start_machines = true
min_machines_running = 0
[http_service.http_options]
h2_backend = true
[[services]]
internal_port = 3592
protocol = "tcp"
auto_stop_machines = true
auto_start_machines = true
min_machines_running = 0
[[services.ports]]
handlers = ["http"]
start_port = 3592
end_port = 3592
[[services]]
internal_port = 3593
protocol = "tcp"
auto_stop_machines = true
auto_start_machines = true
min_machines_running = 0
[[services.ports]]
handlers = ["tls", "http"]
start_port = 3593
end_port = 3593
[services.ports.tls_options]
alpn = ["h2"]
[[vm]]
size = "shared-cpu-1x"
memory = '256mb'
cpu_kind = 'shared'
cpus = 1
Alex Dolid
03/04/2024, 10:57 PM
message":"gRPC error 1 (CANCELLED): Call cancelled","stack":"NotOK:
you can try check https://cerbos-service.fly.dev:3592/
oguzhan
fly.io but bear with me.
I think the first [[services]] is not required (?). Since Cerbos uses port 3952 for HTTP and 3593 for gRPC, perhaps the configuration might look like this?
app = 'cerbos-service'
primary_region = 'waw'
[build]
[http_service]
internal_port = 3592
force_https = true
auto_stop_machines = true
auto_start_machines = true
min_machines_running = 0
[http_service.http_options]
h2_backend = true
[[services]]
internal_port = 3593
protocol = "tcp"
auto_stop_machines = true
auto_start_machines = true
min_machines_running = 0
[[services.ports]]
handlers = ["tls"]
start_port = 3593
end_port = 3593
[services.ports.tls_options]
alpn = ["h2"]
[[vm]]
size = "shared-cpu-1x"
memory = '256mb'
cpu_kind = 'shared'
cpus = 1
Alex Dolid
03/06/2024, 10:24 PM
cerbos-service.fly.dev:3593 like CERBOS_URL
Alex Dolid
03/06/2024, 10:29 PM
cerbos-service.fly.dev:3592 like CERBOS_URL in my config env vars I got the gRPC error 14 (UNAVAILABLE) again
Alex Dolid
03/06/2024, 10:35 PM
fly.toml file, but nothing worked and I still haven’t found a reason why fly doesn’t want to work correctly with cerbos even though it has first-class support for docker containers, because almost everything that is mounted with fly is mounted with docker. I have a suspicion that it’s a problem with the network, somehow fly can’t understand that two servers are up at once in one container for sure, but it’s really strange.
oguzhan
Alex Dolid
03/07/2024, 1:16 PM
Alex Dolid
03/07/2024, 1:22 PM
Charith (Cerbos)
oguzhan
app = 'cerbos'
primary_region = 'lhr'
[build]
image = 'ghcr.io/cerbos/cerbos:0.34.0'
[[mounts]]
source = 'cerbos_policies'
destination = '/policies'
initial_size = '1GB'
[[services]]
protocol = ''
internal_port = 3592
auto_stop_machines = true
[[services.ports]]
port = 3592
handlers = ['tls', 'http']
[[services.http_checks]]
interval = '5s'
timeout = '2s'
grace_period = '5s'
method = 'get'
path = '/_cerbos/health'
protocol = 'http'
[[services]]
protocol = ''
internal_port = 3593
auto_stop_machines = true
[[services.ports]]
port = 3593
handlers = ['tls']
[services.ports.tls_options]
alpn = ['h2']
[[vm]]
memory = '1gb'
cpu_kind = 'shared'
cpus = 1
[metrics]
port = 3592
path = "/_cerbos/metrics"
Alex Dolid
03/07/2024, 3:11 PM
Alex Dolid
03/07/2024, 3:39 PM
{"type":"Error","message":"gRPC error 1 (CANCELLED): Call cancelled","stack":"NotOK: gRPC error 1 (CANCELLED): Call cancelled
Charith (Cerbos)
curl -k https://YOUR_SERVICE.fly.dev:3592/api/check/resources -d @req01.json
{"requestId":"test", "results":[{"resource":{"id":"XX125", "kind":"leave_request", "policyVersion":"20210210"}, "actions":{"approve":"EFFECT_DENY", "create":"EFFECT_DENY", "defer":"EFFECT_DENY", "view:public":"EFFECT_DENY"}}, {"resource":{"id":"XX150", "kind":"leave_request", "policyVersion":"20210210"}, "actions":{"approve":"EFFECT_DENY", "create":"EFFECT_DENY", "view:public":"EFFECT_DENY"}}], "cerbosCallId":"01HRCSE8XYEC8QDCZKRVYX4GZN"}
buf curl -k -d @req01.json --protocol=grpc https://YOUR_SERVICE.fly.dev:3593/cerbos.svc.v1.CerbosService/CheckResources
{
"requestId": "test",
"results": [
{
"resource": {
"id": "XX125",
"kind": "leave_request",
"policyVersion": "20210210"
},
"actions": {
"approve": "EFFECT_DENY",
"create": "EFFECT_DENY",
"defer": "EFFECT_DENY",
"view:public": "EFFECT_DENY"
}
},
{
"resource": {
"id": "XX150",
"kind": "leave_request",
"policyVersion": "20210210"
},
"actions": {
"approve": "EFFECT_DENY",
"create": "EFFECT_DENY",
"view:public": "EFFECT_DENY"
}
}
],
"cerbosCallId": "01HRCS7E5C1SAXX511W199FRR9"
}
So, whatever is happening is because of something else. Is your Node app deployed to fly.io as well?
oguzhan
api-request.js:1143 Mixed Content: The page at 'https://<SERVICE_URL>.fly.dev:3592/#post-/api/check/resources' was loaded over HTTPS, but requested an insecure resource 'http://<SERVICE_URL>.fly.dev/api/check/resources'. This request has been blocked; the content must be served over HTTPS.
Alex Dolid
03/07/2024, 3:58 PM
import { GRPC as Cerbos } from '@cerbos/grpc';
this.#cerbos = new Cerbos(configService.get('CERBOS_URL'), { tls: false });
const isAllowed = await this.#cerbos.isAllowed({
  principal: {
    id: user.id,
    roles: user.roles,
  },
  action: 'read',
  resource: {
    kind: 'app',
    id: 'app',
  },
});
Alex Dolid
03/07/2024, 3:59 PM
CERBOS_URL I put cerbos-service.fly.dev:3593
Charith (Cerbos)
tls: false. I believe the endpoint has TLS.
Alex Dolid
03/07/2024, 4:28 PM
isAllowed method locally return true, but on fly.io return false for the same request, but I think I’ll figure it out myself
Alex Dolid
03/07/2024, 4:29 PM
Charith (Cerbos)
Alex Dolid
03/07/2024, 4:40 PM
Charith (Cerbos)
oguzhan
Alex Dolid
03/07/2024, 5:13 PM