https://cerbos.dev logo
Join Slack
Powered by
i must be doing something stupidly wrong here....i...
# help
j
i must be doing something stupidly wrong here....i have cerbos configured to use gitlab. i've tested the token from cli and it works. with cli, i do 
git clone <https://oauth2>:<token>@<gitlabURL>/repo.git
and it works just fine. however, i see my cerbos pods crashing with 
cerbos: error: failed to create store: failed to clone from https://<giturl>/repo.git to /work: authentication required
in the cerbos config map, i see this:
in the 
Deployment
for cerbos, i see this:
does the config look right?
c
I think you have to set 
username
to 
oauth2
. It appears to be empty in the screenshot.
j
wait
message has been deleted
so should i do 
username: oauth2:${GITHUB-TOKEN}
?
c
No. 
username: oauth2
and 
password: ${GITHUB-TOKEN}
j
oooooooh
ok let me try that
the docs say something else
guess that's for github (not gitlab) ?
c
Yes, that's for GitHub. GitLab works differently.
1
j
i'll try it out
c
BTW, the environment variable name has no significance to Cerbos. You can call it 
GITLAB_TOKEN
or whatever that makes sense to you. I reckon it would be confusing to see 
GITHUB-TOKEN
being used to authenticate to GitLab 🙂
j
yup i'm aware of that. i'll change that after i'm done testing. thank you!
👍 1
cerbos: error: failed to create store: failed to build index: missing imports=0, missing scopes=0, duplicate definitions=0, load failures=1
what does that mean?
btw my policies store in gitlab is empty. there's no YAML in it. will this throw that error above?
wait
i've put a 
test.yaml
in that policy store and this file has a single line in it: 
# Blank
still same error
c
That would be it because that's not a valid policy. Empty stores are completely fine.
j
ok
c
Does your repo have the 
policies
directory that's referenced in the config?
If you don't have that directory, remove that line from the config.
j
yes, that directory exists. i have just copy and pasted a sample policy from 
<https://docs.cerbos.dev/cerbos/latest/policies/resource_policies.html>
for testing
c
Which version of Cerbos are you using? It should log what the actual error is.
j
0.24
cerbos: error: failed to create store: failed to build index: missing imports=1, missing scopes=2, duplicate definitions=0, load failures=0
c
There's nothing after that?
j
let me check...
yeah there's nothing after that
message has been deleted
c
You can run 
cerbos compile
on the directory to get more detailed errors. From the error message I think it's because you copied a resource policy that references a derived role set which doesn't exist in the storez
j
yeah i think so too after reading a bit more
ok let me test with a simpler policy that i have from my environment
thanks for your help. i'm quite sure this is simply a malformed policy
c
The whole directory can be empty as well if you just want to check whether GitLab works. You can add your policies to it later.
j
oh ok
ok gitlab works fine with an empty folder.
thanks again @Charith (Cerbos)
c
You're welcome
j
is there a way i can configure cerbos to not crash when an invalid policy file is encountered? just skip it and log that?
else i'll just have to include the policy validations in my cd pipeline
c
Our recommended approach is the GitOps model where policies are validated and tested before being pushed to "production". Therefore, there's no option in Cerbos to skip invalid ones.
💯 1
6 Views
Open in Slack
PreviousNext
Powered by