how does everyone handle promoting cerbos policies...
# help
j
how does everyone handle promoting cerbos policies to production? let's say we are using gitlab (or github / doesn't really matter)
1. have a set of test suites and policies checked into your git repo together
2. triggers a cd/ci pipeline job to run in git which basically runs `cerbos compile` with the `--tests` parameter.
3. #2 completes with exit code 0 - great, everything checks out.
4. then what do you do next? in your git actions / ci, do you `git clone`, `git add`, `git commit`, `git push` to another repo / folder that the production version of cerbos is watching so that it will get the set of policies from #1?
so do you have `/prod_policies` folder in your repo together with `/beta_policies`? and then you run the test suites against the `/beta_policies` folder and when testing passes, you copy all of them into `/prod_policies`?
i would imagine `/prod_policies` and `/beta_policies` should be a complete mirror of each other.
how do you handle naming your policy versions then?
policies both in `prod_policies` and `beta_policies` have the same policy version values?
c
The typical workflow is to develop your policies in a branch. When you want to promote them, create a pull request and let the CI checks run. Merge to your production branch on success (the branch that Cerbos is configured to watch) and Cerbos should automatically pick those changes up if you have enabled polling.