# community
j
Other related question - in the server config, there's the ability to add tls cert & key, do you have a working example of this (TLS enabled)? Because I'm having trouble getting it to behave in minikube
Probably my fault / lack of knowledge, but would be great to have a working example of this
e
You may have to wait a bit for that one for @Alex Olivier (Cerbos) to be online in an hour or so. I am not too familiar with it. Perhaps @Charith (Cerbos) or @Dennis (Cerbos) may be helpful. What is the error you are seeing?
j
No rush - appreciate your timely responses. Realize it's late in the day / night
I'm just having trouble calling the service using HTTPS despite having the cert & key hooked up... probably a gap in my kube knowledge, but that's why it would be helpful to see a working example with minikube
d
Do you see any related message in the log?
j
root@uber:/# curl --insecure -I -v "https://cerbos.default.svc.cluster.local:3592/admin/policy/list?pretty"
*   Trying 10.99.102.159:3592...
* TCP_NODELAY set
* Connected to cerbos.default.svc.cluster.local (10.99.102.159) port 3592 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; O=NTWRK
*  start date: Oct 29 20:55:19 2021 GMT
*  expire date: Jul 25 20:55:19 2024 GMT
*  issuer: C=US; O=NTWRK
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x562132b54e10)
> HEAD /admin/policy/list?pretty HTTP/2
> Host: cerbos.default.svc.cluster.local:3592
> user-agent: curl/7.68.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 501 
HTTP/2 501 
< content-type: application/json
content-type: application/json
< content-length: 51
content-length: 51
< date: Tue, 02 Nov 2021 20:26:33 GMT
date: Tue, 02 Nov 2021 20:26:33 GMT

< 
* Connection #0 to host cerbos.default.svc.cluster.local left intact
I'm in the cluster in an ubuntu container using cURL
I'm using a self-signed cert
FYI - I am able to access the health endpoint:
Connection #0 to host cerbos.default.svc.cluster.local left intact
root@uber:/# curl --insecure -I -v "https://cerbos.default.svc.cluster.local:3592/_cerbos/health"
*   Trying 10.99.102.159:3592...
* TCP_NODELAY set
* Connected to cerbos.default.svc.cluster.local (10.99.102.159) port 3592 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; O=NTWRK
*  start date: Oct 29 20:55:19 2021 GMT
*  expire date: Jul 25 20:55:19 2024 GMT
*  issuer: C=US; O=NTWRK
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55ca9121ae10)
> HEAD /_cerbos/health HTTP/2
> Host: cerbos.default.svc.cluster.local:3592
> user-agent: curl/7.68.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 200 
HTTP/2 200 
< content-type: text/plain; charset=utf-8
content-type: text/plain; charset=utf-8
< content-length: 8
content-length: 8
< date: Tue, 02 Nov 2021 20:31:20 GMT
date: Tue, 02 Nov 2021 20:31:20 GMT
Sorry if this is just me doing something dumb
d
No worries. Is there any error in Cerbos logs regarding request to the Admin endpoint?
j
None
would it give a 404 vs 501 if admin weren't running
d
Can you publish or DM me your Cerbos config?
The config looks good to me. Does the endpoint work if TLS is disabled?
Answering your original question - we don’t have a working example with minikube ATM. I’ll create an issue to add it to our docs.
j
yes it does work with TLS disabled
d
I’ve created the issue. Please vote https://github.com/cerbos/cerbos/issues/417
Sorry, I don’t have an answer at this moment. I will look at this issue today.
I’ve just noticed that your /admin/policy/list request does not provide credentials.
j
ahhh that may be it
😭
Let me try again
FYI @Dennis (Cerbos) - it still doesn't work with auth included in the curl request
Also, I think if that were the issue, we should be getting back a different status code...
should be 401 if unauthenticated, right?
private messaging you the curl request with basic auth included
d
Yes, I’d expect 401
j
Thanks @Dennis (Cerbos) and @Emre (Cerbos) - mystery resolved. Dennis helped me find my dumb mistake
d
No worries.