Title
#help
m

Matthew Ebeweber

09/12/2022, 4:06 PM
For the git storage mechanism, do you know if there's an easy way to support filters / sparse checkouts? For context, I'd like my policies to exist within a monorepo but also want to avoid needing to pull everything down all the time.
Charith (Cerbos)

Charith (Cerbos)

09/12/2022, 4:38 PM
Hi. We don't currently have a mechanism to do filters natively. The way you can do it right now is by having a CI process that publishes your policies to S3/GCS/Minio and configuring the Cerbos
blob
driver to load policies from there. Alternatively, if you're on Kubernetes, you could configure an init container to do the sparse checkout for Cerbos and deploy a job to periodically refresh it.
4:40 PM
I'll create an issue for us to look into supporting sparse checkouts natively. It's something we'd like to support at some point.
m

Matthew Ebeweber

09/12/2022, 5:36 PM
Appreciate the feedback. Longterm, S3 does feel like the way to go -- trying to avoid too many moving parts initially. Could also help limit service exposure to AWS infra only. Additionally, slapping a depth=1 argument on the git clone as well avoids cloning the entire history and takes me down from multiple seconds to < .5 seconds locally, which could be an easy win.
Charith (Cerbos)

Charith (Cerbos)

09/12/2022, 5:41 PM
We originally used to do a shallow clone with depth=1 but something else broke because of that. I can't quite remember what it was. Will try to dig that up.
5:09 PM
Unfortunately, the git library that we use doesn't support
fetch
for shallow clones. We need to be able to
fetch
to grab updates from the remote repo so that's why we don't shallow clone at the moment. There's an open issue for it upstream and hopefully it will get resolved soon. They have also recently merged a fix for sparse clones but it's not yet released. As soon as those upstream issues are resolved, we'll update our implementation. Until then, I am afraid the choices are limited to either tolerating the full clone on startup or using one of the workarounds I suggested above.