Jesum Yip

01/12/2023, 10:02 AM
i must be doing something stupidly wrong here....i have cerbos configured to use gitlab. i've tested the token from cli and it works. with cli, i do
git clone https://oauth2:<token>@<gitlabURL>/repo.git
and it works just fine. however, i see my cerbos pods crashing with
cerbos: error: failed to create store: failed to clone from https://<giturl>/repo.git to /work: authentication required
does the config look right?

Charith (Cerbos)

01/12/2023, 10:08 AM
I think you have to set username to oauth2. It appears to be empty in the screenshot.

Jesum Yip

01/12/2023, 10:10 AM
wait
so should i do
username: oauth2:${GITHUB-TOKEN}
?

Charith (Cerbos)

01/12/2023, 10:11 AM
No.
username: oauth2
and
password: ${GITHUB-TOKEN}

Jesum Yip

01/12/2023, 10:11 AM
oooooooh
ok let me try that
guess that's for github (not gitlab) ?

Charith (Cerbos)

01/12/2023, 10:12 AM
Yes, that's for GitHub. GitLab works differently.

Jesum Yip

01/12/2023, 10:13 AM
i'll try it out

Charith (Cerbos)

01/12/2023, 10:14 AM
BTW, the environment variable name has no significance to Cerbos. You can call it GITLAB_TOKEN or whatever makes sense to you. I reckon it would be confusing to see GITHUB-TOKEN being used to authenticate to GitLab 🙂

Jesum Yip

01/12/2023, 10:14 AM
yup i'm aware of that. i'll change that after i'm done testing. thank you!
cerbos: error: failed to create store: failed to build index: missing imports=0, missing scopes=0, duplicate definitions=0, load failures=1
what does that mean?
btw my policies store in gitlab is empty. there's no YAML in it. will this throw that error above?
wait
i've put a test.yaml in that policy store and this file has a single line in it:
# Blank
still same error

Charith (Cerbos)

01/12/2023, 10:21 AM
That would be it because that's not a valid policy. Empty stores are completely fine.
j

Jesum Yip

01/12/2023, 10:22 AM
ok

Charith (Cerbos)

01/12/2023, 10:22 AM
Does your repo have the policies directory that's referenced in the config?
If you don't have that directory, remove that line from the config.

Jesum Yip

01/12/2023, 10:23 AM
yes, that directory exists. i have just copy and pasted a sample policy from <https://docs.cerbos.dev/cerbos/latest/policies/resource_policies.html> for testing

Charith (Cerbos)

01/12/2023, 10:23 AM
Which version of Cerbos are you using? It should log what the actual error is.

Jesum Yip

01/12/2023, 10:24 AM
0.24
cerbos: error: failed to create store: failed to build index: missing imports=1, missing scopes=2, duplicate definitions=0, load failures=0

Charith (Cerbos)

01/12/2023, 10:24 AM
There's nothing after that?

Jesum Yip

01/12/2023, 10:24 AM
let me check...
yeah there's nothing after that

Charith (Cerbos)

01/12/2023, 10:26 AM
You can run cerbos compile on the directory to get more detailed errors. From the error message I think it's because you copied a resource policy that references a derived role set which doesn't exist in the store.

Jesum Yip

01/12/2023, 10:26 AM
yeah i think so too after reading a bit more
ok let me test with a simpler policy that i have from my environment
thanks for your help. i'm quite sure this is simply a malformed policy

Charith (Cerbos)

01/12/2023, 10:27 AM
The whole directory can be empty as well if you just want to check whether GitLab works. You can add your policies to it later.

Jesum Yip

01/12/2023, 10:27 AM
oh ok
ok gitlab works fine with an empty folder.
thanks again @Charith (Cerbos)

Charith (Cerbos)

01/12/2023, 10:29 AM
You're welcome

Jesum Yip

01/12/2023, 10:52 AM
is there a way i can configure cerbos to not crash when an invalid policy file is encountered? just skip it and log that?
else i'll just have to include the policy checks in my cd pipeline

Charith (Cerbos)

01/12/2023, 11:35 AM
Our recommended approach is the GitOps model where policies are validated and tested before being pushed to "production". Therefore, there's no option in Cerbos to skip invalid ones.