Hi. Besides Github, will Cerbos work with Gitlab? ...
# helpj
Jesum Yip
10/29/2021, 2:35 AMHi. Besides Github, will Cerbos work with Gitlab? I'm referring to this https://docs.cerbos.dev/cerbos/latest/installation/helm.html
d
Dennis (Cerbos)
10/29/2021, 2:41 AM
If you mean reading policies from GitLab repository, then yes.
j
Jesum Yip
10/29/2021, 2:47 AMYes, that's what I mean. So it will be the same set of instructions at https://docs.cerbos.dev/cerbos/latest/installation/helm.html#_deploy_cerbos_configured_to_read_policies_from_a_github_repository except I replace the url and credentials with the gitlab ones?
d
Dennis (Cerbos)
10/29/2021, 2:50 AM
Short answer: yes.
j
Jesum Yip
10/29/2021, 2:50 AMthank you Dennis
d
Dennis (Cerbos)
10/29/2021, 2:50 AM
Longer answer: in addition to supporting any git repository there are other options for storage.
https://docs.cerbos.dev/cerbos/latest/configuration/storage.html
j
Jesum Yip
10/29/2021, 2:51 AMholy moly! that's exactly what i need. thank you !!
๐ 1
d
Dennis (Cerbos)
10/29/2021, 2:54 AM
Youโre welcome, Jesum. Please let us know if you have any other questions anytime.
j
Jesum Yip
10/29/2021, 2:55 AMso if the policy store is offline (e.g. i have cerbos in GKE, and i use an AWS S3 bucket for policy storage) , will cerbos perform a fail open or fail close evaluation ?
Jesum Yip
10/29/2021, 2:56 AMand do i have a choice for configuring "fail open" or "fail close" ? or will the cerbos REST API calls just fail with HTTP500?
Jesum Yip
10/29/2021, 2:56 AMthen it's up to my application logic how it wants to handle the HTTP500
d
Dennis (Cerbos)
10/29/2021, 2:57 AM
It will keep working with downloaded policies if it fails to download the update.
j
Jesum Yip
10/29/2021, 2:58 AMoh so cerbos maintains a cache?
Jesum Yip
10/29/2021, 2:59 AMwhat triggers cache invalidation? when the next download is successful? will it survive a pod rolling restart (assuming i deploy cerbos as a service)?
d
Dennis (Cerbos)
10/29/2021, 2:59 AM
It downloads it to a specified workDir
j
Jesum Yip
10/29/2021, 3:00 AMsorry for so many questions. i'm starting my ABAC infrastructure build and i hope to have a running instance within the next 5-6 days which i can let my app team use.
d
Dennis (Cerbos)
10/29/2021, 3:00 AM
no worries, I am here to help
j
Jesum Yip
10/29/2021, 3:00 AMso i just have to ensure i mount the workdir in a K8s PV to ensure it survives a restart?
d
Dennis (Cerbos)
10/29/2021, 3:01 AM
Yes, I think so
Dennis (Cerbos)
10/29/2021, 3:01 AM
Unless you are certain you can always download it from the S3
Dennis (Cerbos)
10/29/2021, 3:02 AM
We support GCS as well of your application runs in GKE.
j
Jesum Yip
10/29/2021, 3:03 AMi'm thinking of putting my storage in an easily accessible place for my policy team. GCS is difficult for them to get access to. Gitlab is easier with a browser and credentials.
Jesum Yip
10/29/2021, 3:03 AMso they can then login and author the policies in YAML.
Jesum Yip
10/29/2021, 3:04 AMif i use public gitlab with a PAT, i can then ensure they have access to it from anywhere.
Jesum Yip
10/29/2021, 3:04 AMi just need to make sure cerbos can survive a gitlab outage
Jesum Yip
10/29/2021, 3:04 AMso based on what you have said it sounds like it will as long as it has managed to download all the policies at least once.
d
Dennis (Cerbos)
10/29/2021, 3:05 AM
Cerbos will download update from GitLab when it become available again, meanwhile using available policies.
j
Jesum Yip
10/29/2021, 3:05 AMthen i can set up the workdir as a kubernetes persistent volume so that if GKE automatically updates my pods and performs a rolling restart, my "cached" policies are still intact in Cerbos
๐ 1
Jesum Yip
10/29/2021, 3:05 AMok!
Jesum Yip
10/29/2021, 3:05 AMby the way, what time zone are you in?
d
Dennis (Cerbos)
10/29/2021, 3:06 AM
I am in Auckland, NZ (4pm now). We also have team members in Europe.
Dennis (Cerbos)
10/29/2021, 3:08 AM
We have almost round the clock coverage in this Slack channel.
j
Jesum Yip
10/29/2021, 3:11 AMgreat! i'm in Singapore. so UTC+8.
๐ 2
4 Views