# help
j
hi. i have some confusion regarding the documentation. https://docs.cerbos.dev/cerbos/latest/configuration/index.html here i see that there are various blocks that define what configuration options i can set for cerbos such as "server", "auxdata", "engine" etc. i understand that i can put these config blocks inside a YAML file and apply them using the binary called "cerbos". question is, when i run "helm show values cerbos/cerbos --version=0.9.1", i see a default YAML that I can use to install cerbos. i can customize this YAML and then do "helm install cerbos cerbos/cerbos --version=0.9.1 --values=myvalues.yaml", correct? now when i look at https://docs.cerbos.dev/cerbos/latest/configuration/index.html, i also see some configuration blocks. how do i specify this in "myvalues.yaml" ?
furthermore, i see
# Cerbos service settings.
service:
  type: ClusterIP
  httpPort: 3592
  grpcPort: 3593
# Cerbos deployment settings.
cerbos:
  # Port to expose the http service on.
  httpPort: 3592
  # Port to expose the gRPC service on.
  grpcPort: 3593
those values appear in the default yaml that is generated when i run helm show values. what's the difference between the "service" and "cerbos" blocks? they both specify httpPort and grpcPort values. why are these values repeated?
next, if i look at https://docs.cerbos.dev/cerbos/latest/configuration/server.html, i also see httpListenAddr and grpcListenAddr. how are these values related to the two blocks above?
lastly, all the references to the "cerbos" binary - where does this binary live after i have installed via helm chart? for example, when i look at https://docs.cerbos.dev/cerbos/latest/configuration/index.html, i see "./cerbos server --config=/path/to/config.yaml --set=server.httpListenAddr=:3592 --set=engine.defaultPolicyVersion=staging". where is this "cerbos" binary? do i have to get a bash prompt into any of my cerbos pods to find this binary?
d
You don’t have to pass arguments via CLI unless you want to overwrite your config values
cerbos binary is deployed in a pod and is configured via helm chart
those values appear in the default yaml that is generated when i run helm show values. what’s the difference between the “service” and “cerbos” blocks?
one configures K8s service, another configures Cerbos itself.
Have you, by any chance, seen these examples in Cerbos repo? https://github.com/cerbos/cerbos/tree/main/deploy/charts/cerbos
Sorry, I misled you about the “cerbos” block above. It is not a cerbos binary config yet.
j
Ok maybe I need some help with cerbos installation via helm..
d
And the Cerbos binary config is in “cerbos.config”
j
Then I install it using helm install cerbos cerbos/cerbos --version=0.9.1 --values=myyaml.yaml
d
You don’t have to provide these:
next, if i look at https://docs.cerbos.dev/cerbos/latest/configuration/server.html, i also see httpListenAddr and grpcListenAddr. how are these values related to the two blocks above?
if you run Cerbos with Helm
j
And then once cerbos is installed and I want to customize it further, how do I do it with yaml files? Let's say I want to change the storage from blob to sqlite.
Normally I would do something like kubectl and apply a crd.
So kubectl apply -f myconfig.yaml
How would I do it with cerbos?
So do I just update the original yaml I used with the helm chart? Then run helm to update the config?
Is this the supported way to change a running cerbos instance's config?
d
You don’t have to use HELM to run Cerbos
… in K8s cluster
It is just a convenience
j
Understood. So I want to use helm only as a convenient manner to install cerbos.
Thereafter, what's the easiest way to modify cerbos' config?
d
To customise deployment you’d normally create a yaml (like this ) to overwrite default values.
j
Agreed. How do I overwrite the values after I have created the yaml?
Basically my question is how do I apply a new yaml?
Do I get a bash shell into a running pod and run the cerbos binary and apply the new yaml?
Sorry my question may seem basic!
d
You pass the path to the YAML via the --values flag
helm install cerbos cerbos/cerbos --version=0.9.1 --values=pv-values.yaml
j
Aaaaah ok
Got it. I was looking for a cerbos crd definition but couldn't find it in your docs.
But I understand it now.
d
You can find the example at the bottom of the page here
j
So if I have a running instance of cerbos that I need to update, I will still do "helm install etc etc" yes?
E.g helm install cerbos cerbos/cerbos --version=0.9.1 --values=pv-values.yaml
I will try it out. Thank you.
Actually it's probably more like helm upgrade instead of helm install.
Thank you so much for your help @Dennis (Cerbos). Very much appreciated.
d
You are welcome, Jesum.
c
I just want to add that the configuration for cerbos is generated as a ConfigMap by the Helm chart. You can see it with kubectl get cm cerbos -o yaml. It can be customized during install by adding any config section to the cerbos.config template value block. It can be through your own values file (see https://github.com/cerbos/cerbos/blob/main/deploy/charts/cerbos/values-audit-log.yaml for an example which you can install as helm install cerbos cerbos/cerbos --values=deploy/charts/cerbos/values-audit-log.yaml) or as command line arguments to helm (e.g. helm install cerbos cerbos/cerbos --set=cerbos.config.server.adminAPI.enabled=true)
The reason that there is service.httpPort and cerbos.httpPort is because your Kubernetes service can listen on different ports than those exposed by the pod. The service.httpPort setting defines how Cerbos is accessed via the service and cerbos.httpPort defines on which port in the pod the Cerbos binary would be listening.
j
Thank you!! This is very clear now. 👍 👍 👍 👍
Since it's a config map, I can easily manage the changes. I assume I can make changes to the storage driver of a running cerbos instance? I just need this for resiliency purposes in case my main policy repository is inaccessible.
I assume after applying a new config map I just need to trigger a rolling update of my pods.
c
You will need to update the configmap and restart the Cerbos pod. If you do it with Helm, it should do that for you anyway.