Viet Au
09/09/2022, 2:48 PM
cerbos:
  config:
    server:
      tls:
        caCert: /certs/ca.crt
        cert: /certs/tls.crt
        key: /certs/tls.key
  tlsSecretName: cerbos-tls
Charith (Cerbos)
09/09/2022, 3:06 PM
tlsSecretName
you don't need to add the server.tls section of the config. In fact, it will be overwritten to give priority to tlsSecretName.
tls.crt, tls.key)
Viet Au
09/09/2022, 3:46 PM
tlsSecretName, but thought it may need the additional config too.
This is an example of our secret
apiVersion: v1
data:
  ca.crt: <base64>
  tls.crt: <base64>
  tls.key: <base64>
kind: Secret
metadata:
  name: cerbos-tls
  namespace: default
type: kubernetes.io/tls
Charith (Cerbos)
09/09/2022, 3:49 PM
ca.crt
from the secret.
Viet Au
09/12/2022, 8:19 AM
dialOpts = append(dialOpts, grpc.WithTransportCredentials(insecure.NewCredentials()))
it works, but using the default WithTLSInsecure, which sets tlsConf.InsecureSkipVerify = true, then it doesn't work.
Charith (Cerbos)
09/12/2022, 8:34 AM
Viet Au
09/12/2022, 9:15 AM
cerbos.New(cerbosAddr, cerbos.WithTLSInsecure())
which uses InsecureSkipVerify: true under the hood then it errors with rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: tls: first record does not look like a TLS handshake".
If we change the grpc connection to use grpc.WithTransportCredentials(insecure.NewCredentials()) then it works without issues.
Charith (Cerbos)
09/12/2022, 1:56 PM
WithPlaintext() instead of WithTLSInsecure()
Viet Au
09/12/2022, 2:27 PM
Charith (Cerbos)
09/12/2022, 2:45 PM
Viet Au
09/12/2022, 2:59 PM
Charith (Cerbos)
09/12/2022, 3:10 PM
Viet Au
09/12/2022, 3:20 PM
Charith (Cerbos)
09/13/2022, 1:48 PM
github.com/cerbos/cerbos/client@main as your dependency, I can let you know as soon as it lands on main as well.
main.
Viet Au
09/20/2022, 10:44 AM