Title
v
Viet Au
09/09/2022, 2:48 PMHi,
I am deploying cerbos using the cerbos helm chart and in my values file I set the tls certificate info but keep getting handshake errors when connecting to the api through grpc. Using the same certificate locally pointing the config to the actual path works fine, am I doing something wrong?
values.yaml file
cerbos:config:server:tls:caCert: /certs/ca.crtcert: /certs/tls.crtkey: /certs/tls.keytlsSecretName: cerbos-tlsc
Charith (Cerbos)
09/09/2022, 3:06 PMIf you provide
tlsSecretNameserver.tlstlsSecretNameDoes the secret contain the same certificates that you're testing locally with? Also, the secret should be in the Certmanager format (
tls.crttls.keyv
Viet Au
09/09/2022, 3:46 PMWe did just have
tlssecretnameapiVersion: v1data:ca.crt: <base64>tls.crt: <base64>tls.key: <base64>kind: Secretmetadata:name: cerbos-tlsnamespace: defaulttype: <http://kubernetes.io/tls|kubernetes.io/tls>Yes, we use the same certificate locally and ones deploy to k8s.
c
Charith (Cerbos)
09/09/2022, 3:49 PMHmm...that seems right to me.
Do you do mTLS? If not, try removing
ca.crtOh BTW, if you're using the same certs locally, what are the cnames on it? Do they contain the k8s service DNS name or pod DNS name?
v
Viet Au
09/12/2022, 8:19 AMwe use * for the CN. We are using with insecure on the cerbos client to skip the checks, so not sure if it matters so much.
When we change the cerbos client to use
dialOpts = append(dialOpts, grpc.WithTransportCredentials(insecure.NewCredentials()))WithTLSInsecuretlsConf.InsecureSkipVerify = truec
Charith (Cerbos)
09/12/2022, 8:34 AMCan you share the full error message? Also, the certs work locally without modifying the client, right?
v
Viet Au
09/12/2022, 9:15 AMThat was my bad. Certs did not work locally.
I will investigate a bit more and share my info here.
Hi @Charith (Cerbos),
Since we deploy cerbos internally only, we want to have insecure connection to cerbos server. No TLS set on the cerbos service.
If we use
cerbos.New(cerbosAddr, cerbos.WithTLSInsecure())InsecureSkipVerify: truerpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: tls: first record does not look like a TLS handshake"grpc.WithTransportCredentials(insecure.NewCredentials())c
Charith (Cerbos)
09/12/2022, 1:56 PMAh! You don't use TLS at all! Then you need to configure the Cerbos client with
WithPlaintext()WithTLSInsecure()v
Viet Au
09/12/2022, 2:27 PMWithPlainText() it expects the host address to be 127. or localhost in order to work. Cerbos is on K8s so host is <cerbos>.svc.cluster.local.
c
Charith (Cerbos)
09/12/2022, 2:45 PMHow so? I don't think we have such a restriction
Are you using a service mesh by any chance?
v
Viet Au
09/12/2022, 2:59 PMNot using service mesh. But i believe the restriction is part of grpc for local.NewCredentials()
c
Charith (Cerbos)
09/12/2022, 3:10 PMOh yeah. Our E2E tests are all TLS-enabled so we didn't catch that. We'll get a fix out soon. Thanks for reporting it.
v
Viet Au
09/12/2022, 3:20 PMThank you
@Charith (Cerbos) Please give us a buzz once you have this.
c
Charith (Cerbos)
09/13/2022, 1:48 PMWe have the patch ready. It's just a matter of testing it and cutting a release. Will let you know once it goes out. If you don't mind using
<http://github.com/cerbos/cerbos/client@main|github.com/cerbos/cerbos/client@main>mainIt just landed on
mainWe just released v0.21.0 that includes this fix.
v
Viet Au
09/20/2022, 10:44 AMThat's great thanks!