# help

TS

06/16/2022, 10:12 PM
Hi, I'm trying to deploy cerbos server to a cluster following your example but I'm getting this error. I just changed the repo URL, branch (it exists in remote), and subDir. I created a personal access token with repo scope

Dennis (Cerbos)

06/16/2022, 10:15 PM
Which git protocol are you using: file, HTTPS or ssh?
I guess https

TS

06/16/2022, 10:16 PM
https

Dennis (Cerbos)

06/16/2022, 10:20 PM
Can you please try to check out this repo (if not already)
https://github.com/cerbos/sample-policies.git
The idea is to reproduce the example in your environment

TS

06/16/2022, 10:25 PM
That repo is private

Dennis (Cerbos)

06/16/2022, 10:26 PM
Oops. My bad.

TS

06/16/2022, 10:28 PM
I tried with this repo
It worked 🤔
👍 1
So I think there is a problem with my repo

Dennis (Cerbos)

06/16/2022, 10:30 PM
Probably the pod doesn’t have access to the internet or to the git repo.

TS

06/16/2022, 10:31 PM
The pod has access to the internet because it cloned this repo
So I think there is a problem with my repo

Dennis (Cerbos)

06/16/2022, 10:32 PM
I see

TS

06/16/2022, 10:32 PM
My repo is private and is inside an organization
I think my personal access token does not work for that
Is the image correct? I think it should be:
https:
  username: "my-github-username"
  password: ${GITHUB_TOKEN}
isn't it?

Dennis (Cerbos)

06/16/2022, 10:39 PM
Hmm… Let me double-check this.
“My repo is private and is inside an organization”
Is it on GitHub?

TS

06/16/2022, 10:39 PM
Yeah, on GitHub

Dennis (Cerbos)

06/16/2022, 10:41 PM
Have you tried both?
https:
  username: "my-github-username"
  password: ${GITHUB_TOKEN}
and
https:
  username: ${GITHUB_TOKEN}
  password:

TS

06/16/2022, 10:42 PM
yep

Dennis (Cerbos)

06/16/2022, 10:44 PM
If you want to use a PAT to access resources owned by an organization that uses SAML SSO, you must authorize the PAT. For more information, see “About authentication with SAML single sign-on” and “Authorizing a personal access token for use with SAML single sign-on” in the GitHub Enterprise Cloud documentation.
from here https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token
Does your org use SAML SSO?
I think you’re right. The auth details should be
https:
  username: "anything here but an empty string"
  password: ${GITHUB_TOKEN}

TS

06/16/2022, 11:03 PM
I don't think SSO is the problem
because I have just used personal access for other apps

Dennis (Cerbos)

06/16/2022, 11:10 PM
You're probably running those apps locally. Have you tried to run cerbos locally as well?

TS

06/16/2022, 11:11 PM
They are running in the same cluster

Dennis (Cerbos)

06/16/2022, 11:26 PM
Can you publish or DM your config (with all sensitive info removed)?

TS

06/16/2022, 11:33 PM
Sent

Dennis (Cerbos)

06/16/2022, 11:33 PM
Thanks
The config seems to be correct. Could you please try it with the main/master branch? I understand it doesn’t have policies.

TS

06/16/2022, 11:46 PM
With master branch, I get
failed to get repo HEAD: reference not found
The same issue

Dennis (Cerbos)

06/16/2022, 11:47 PM
Does the repo URL end with .git?

TS

06/16/2022, 11:49 PM
yes

Dennis (Cerbos)

06/16/2022, 11:53 PM
Here’s the smallest code snippet to try to reproduce the issue locally, but it requires Golang. Usage: Check out the repo, then from
./_examples/clone/auth/basic/access_token
run
go run main.go <url> <directory> <github_access_token>
It checks out the repo set by <url> to the <directory>

TS

06/17/2022, 12:11 AM
go run main.go 'https://github.com/my-org/repo.git' ./repo/ 'my-token'
It worked correctly
It cloned the repo to the specified directory

Dennis (Cerbos)

06/17/2022, 12:12 AM
So the token and the git library work
Can you please try to run cerbos locally?

TS

06/17/2022, 12:17 AM
Do you think the problem could be some kind of timeout, because I saw the cloning took 1 minute and 20 seconds?

Dennis (Cerbos)

06/17/2022, 12:17 AM
Possibly
Git storage has updatePollInterval and operationTimeout
Default is 60s

TS

06/17/2022, 12:21 AM
Let's try it 🤞
Did not work

Dennis (Cerbos)

06/17/2022, 12:29 AM
Same repo and token as with the code snippet?

TS

06/17/2022, 12:29 AM
Yep, the same

Dennis (Cerbos)

06/17/2022, 12:31 AM
Did you get the same error when you run cerbos locally?

TS

06/17/2022, 12:32 AM
I did not try locally, yet

Dennis (Cerbos)

06/17/2022, 12:33 AM
Can you please try it locally?

TS

06/17/2022, 12:44 AM
will try it locally
In the meantime, I tried uploading the policies to an S3 bucket, publicly accessible, but it does not work either

Dennis (Cerbos)

06/17/2022, 12:47 AM
If it is public, can you DM me the bucket URL?

TS

06/17/2022, 12:51 AM
done

Dennis (Cerbos)

06/17/2022, 1:07 AM
Cerbos instance running locally has cloned your S3 bucket