Viet Au
09/09/2022, 2:48 PM
cerbos:
  config:
    server:
      tls:
        caCert: /certs/ca.crt
        cert: /certs/tls.crt
        key: /certs/tls.key
  tlsSecretName: cerbos-tls
Charith (Cerbos)
tlsSecretName
you don't need to add the server.tls section of the config. In fact, it will be overwritten to give priority to tlsSecretName.
Charith (Cerbos)
tls.crt, tls.key)
Viet Au
09/09/2022, 3:46 PM
tlsSecretName, but thought it may need the additional config too.
This is an example of our secret:
apiVersion: v1
data:
  ca.crt: <base64>
  tls.crt: <base64>
  tls.key: <base64>
kind: Secret
metadata:
  name: cerbos-tls
  namespace: default
type: kubernetes.io/tls
Viet Au
09/09/2022, 3:47 PM
Charith (Cerbos)
ca.crt from the secret.
Charith (Cerbos)
Viet Au
09/12/2022, 8:19 AM
dialOpts = append(dialOpts, grpc.WithTransportCredentials(insecure.NewCredentials()))
it works, but using the default WithTLSInsecure, which sets tlsConf.InsecureSkipVerify = true, then it doesn't work.
Charith (Cerbos)
Viet Au
09/12/2022, 9:15 AM
Viet Au
09/12/2022, 1:36 PM
cerbos.New(cerbosAddr, cerbos.WithTLSInsecure())
which uses InsecureSkipVerify: true under the hood, then it errors with rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: tls: first record does not look like a TLS handshake".
If we change the grpc connection to use grpc.WithTransportCredentials(insecure.NewCredentials()) then it works without issues.
Charith (Cerbos)
WithPlaintext() instead of WithTLSInsecure()
Viet Au
09/12/2022, 2:27 PM
Charith (Cerbos)
Viet Au
09/12/2022, 2:59 PM
Charith (Cerbos)
Viet Au
09/12/2022, 3:20 PM
Viet Au
09/13/2022, 1:40 PM
Charith (Cerbos)
github.com/cerbos/cerbos/client@main as your dependency, I can let you know as soon as it lands on main as well.
Charith (Cerbos)
main.
Charith (Cerbos)
Viet Au
09/20/2022, 10:44 AM