Hey, Can anyone please help me to resolve this error -

{"log.level":"info","@timestamp":"2024-08-27T14:12:29.172Z","log.logger":"cerbos.server","message":"maxprocs: Updating GOMAXPROCS=1: using minimum allowed GOMAXPROCS"}
{"log.level":"info","@timestamp":"2024-08-27T14:12:29.173Z","log.logger":"cerbos.server","message":"Loading configuration from /config/config.yaml"}
{"log.level":"info","@timestamp":"2024-08-27T14:12:29.173Z","log.logger":"cerbos.server","message":"maxprocs: Resetting GOMAXPROCS to 2"}
{"log.level":"error","@timestamp":"2024-08-27T14:12:29.173Z","log.logger":"cerbos.server","message":"Failed to load configuration","error":"failed to load config: couldn't decode merged YAML: yaml: line 14: could not find expected ':'"}
cerbos: error: failed to load config: couldn't decode merged YAML: yaml: line 14: could not find expected ':'

It sounds like your configuration file has a syntax error somewhere on or before line 14. Usually these are caused by unterminated strings or incorrect spacing.

@Charith (Cerbos) This is config which I'm using -

apiVersion: v1
kind: ConfigMap
metadata:
  name: cerbos-config
data:
  config.yaml: |
    storage:
      driver: "postgres"
      postgres:
        url: "postgres://${POSTGRES_USERNAME}:${POSTGRES_PASSWORD}@host:5432/postgres?sslmode=allow&search_path=cerbos"
    server:
      httpListenAddr: "[::]:3592"
      adminAPI:
        enabled: true
        adminCredentials:
          username: ${CERBOS_USERNAME}
          passwordHash: ${CERBOS_PASSOWRD_HASH}

Hey, Is this all of your configuration file, because there is no line 14. 🤔

could not find expected ':'

error occurs when there is a missing

:

after a key such as:

a: a
b: b
c      # missing :

Also, how does your k8s deployment look?

Yes this is only, we are using config map and deployment is on k8s.

username: ${CERBOS_USERNAME}
passwordHash: ${CERBOS_PASSOWRD_HASH}

above value is added in secrets and fetching values through deployment container env's

1. There is a typo in the env variable

CERBOS_PASSOWRD_HASH

. It should be

CERBOS_PASSWORD_HASH

. I think this might not be the actual issue, though. I wanted to point it out just in case. 2. Do you think one of the environment variables could include a

whitespace

or a new line character perhaps. Is it possible for you to check what is provided as a value for the

CERBOS_PASSWORD_HASH

?

This is correct value CERBOS_PASSOWRD_HASH, have defined same in deployment also while defining env variables.

Can you change the value of the

CERBOS_PASSOWRD_HASH

to something like this just to be safe:

JDJ5JDEwJGNsLmU3enF5djNaTDRiUXAvOTVhTS5LWmMzWXVXN3FSRlF3UnM5aEVSckZ3ZFhxVEUuTG1hCgo

(this is

cerbosAdmin

)

Checking @oguzhan

Yes

not able to create secret with this, looks like not encoded properly -

echo -n 'JDJ5JDEwJGNsLmU3enF5djNaTDRiUXAvOTVhTS5LWmMzWXVXN3FSRlF3UnM5aEVSckZ3ZFhxVEUuTG1hCgo' | base64 --decode
$2y$10$cl.e7zqyv3ZL4bQp/95aM.KZc3YuW7qRFQwRs9hERrFwdXqTE.Lma

base64: invalid input

Decoding

JDJ5JDEwJGNsLmU3enF5djNaTDRiUXAvOTVhTS5LWmMzWXVXN3FSRlF3UnM5aEVSckZ3ZFhxVEUuTG1hCgo

should indeed result in

$2y$10$cl.e7zqyv3ZL4bQp/95aM.KZc3YuW7qRFQwRs9hERrFwdXqTE.Lma

as your terminal output suggests. I don’t know why it says

base64: invalid input

. It works for me:

> echo -n "JDJ5JDEwJGNsLmU3enF5djNaTDRiUXAvOTVhTS5LWmMzWXVXN3FSRlF3UnM5aEVSckZ3ZFhxVEUuTG1hCgo" | base64 -d

$2y$10$cl.e7zqyv3ZL4bQp/95aM.KZc3YuW7qRFQwRs9hERrFwdXqTE.Lma

when i'm decoding it it's giving error -

echo -n "JDJ5JDEwJGNsLmU3enF5djNaTDRiUXAvOTVhTS5LWmMzWXVXN3FSRlF3UnM5aEVSckZ3ZFhxVEUuTG1hCgo" | base64 -d
$2y$10$cl.e7zqyv3ZL4bQp/95aM.KZc3YuW7qRFQwRs9hERrFwdXqTE.Lma

base64: invalid input

That's because GNU

base64

requires padded inputs. You can ignore that error. In fact, you don't need to decode base64 at all because Cerbos is expecting a base64-encoded value for the

passwordHash

field. You can just create your secret with something like

kubectl create secret generic cerbos-admin-credentials --from-literal=CERBOS_PASSWORD_HASH=JDJ5JDEwJGNsLmU3enF5djNaTDRiUXAvOTVhTS5LWmMzWXVXN3FSRlF3UnM5aEVSckZ3ZFhxVEUuTG1hCgo

.

yes got you point @Charith (Cerbos), but while applying getting error -

k apply -f secret.yaml -n prod-cerbos-namespace
The request is invalid: patch: Invalid value: "map[data:map[passwordHash:JDJ5JDEwJGNsLmU3enF5djNaTDRiUXAvOTVhTS5LWmMzWXVXN3FSRlF3UnM5aEVSckZ3ZFhxVEUuTG1hCgo username:cHJvZGNlcmJvc2NhcnMyNEFkbWlu] metadata:map[annotations:map[kubectl.kubernetes.io/last-applied-configuration:{\"apiVersion\":\"v1\",\"data\":{\"passwordHash\":\"JDJ5JDEwJGNsLmU3enF5djNaTDRiUXAvOTVhTS5LWmMzWXVXN3FSRlF3UnM5aEVSckZ3ZFhxVEUuTG1hCgo\",\"postgresPassword\":\"RXB6dmJXUWhXZAo=\",\"postgresUser\":\"cHJvZGZXIK\",\"username\":\"cHJvZGNlcmJvc2NhcnMyNEFkbWlu\"},\"kind\":\"Secret\",\"metadata\":{\"annotations\":{},\"name\":\"cerbos-secret\",\"namespace\":\"prod-cerbos-namespace\"},\"type\":\"Opaque\"}\n]]]": error decoding from json: illegal base64 data at input byte 80

Are you using

stringData

or

data

?

Data

Use

stringData

Thanks @Charith (Cerbos)

stringData

is working. Some other issue are there I will check.