I am trying to use Cerbos client from rails application. I have installed

cerbos

gem and tried it with locally running Cerbos. Works fine. However, then trying to reach it while behind k8s ingres which is configured like in attached screenshot - I am getting following error:

irb(main):011> client = Cerbos::Client.new("<host>:443", tls: nil, on_validation_error: :raise)
irb(main):012> client.allow?(principal: {id: '<mailto:bojan@org.com|bojan@org.com>', roles: ['foo']}, resource: {id: 'foo', kind: 'bar'}, action: 'view')
/Users/bojan.delic/.local/share/mise/installs/ruby/3.2.4/lib/ruby/gems/3.2.0/gems/cerbos-0.9.0/lib/cerbos/client.rb:235:in `rescue in handle_errors': gRPC error 14: failed to connect to all addresses; last error: INTERNAL: ipv4:10.163.39.30:443: Trying to connect an http1.x server (Cerbos::Error::Unavailable)
/Users/bojan.delic/.local/share/mise/installs/ruby/3.2.4/lib/ruby/gems/3.2.0/gems/grpc-1.64.0-arm64-darwin/src/ruby/lib/grpc/generic/active_call.rb:29:in `check_status': 14:failed to connect to all addresses; last error: INTERNAL: ipv4:10.163.39.30:443: Trying to connect an http1.x server. debug_error_string:{UNKNOWN:Error received from peer  {created_time:"2024-06-27T16:11:44.84836+02:00", grpc_status:14, grpc_message:"failed to connect to all addresses; last error: INTERNAL: ipv4:10.163.39.30:443: Trying to connect an http1.x server"}} (GRPC::Unavailable)

Now, this seems like something is not right with the network, but I am able to use

grpcurl

to hit health endpoint on the same host:

❯ grpcurl <host>:443 grpc.health.v1.Health.Check
{
  "status": "SERVING"
}

I am not sure what is happening here. Is there any guidance on setting this up? Also, is there maybe HTTP ruby client available? In addition to this problem with proxying GRPC, there is also a problem with GRPC requiring glibc, and I am using alpine base image. I would appreciate any help.

I think your code is trying to connect to a TLS server over plaintext, Try constructing the client like this

client = Cerbos::Client.new("<host>:443", tls: Cerbos::TLS.new)

Re: glibc requirement, it looks like it should work on Alpine if you install the

gcompat

package: https://github.com/grpc/grpc/issues/25711#issuecomment-1825466108

Wow, these two answers are solving both problems I had 🙂 . Re first problem - I did try sending

Cerbos::TLS.new

, of course, but at that point there were probably some other problems in my infra setup. So, I reverted that and forgot to try again once infra problems were solved. Looks like classic PEBCAK on my end. Thanks @Charith (Cerbos) Re glibc and alpine - this is an awesome tip in general, I did not know about

gcompat

package. It seems to work as advertise. Thanks @Andrew Haines (Cerbos). TIL 🙂 You guys rock 🙂