# help
Hey there. I have a service that normally runs cerbos as a sidecar (socket) in k8s. When I'm developing locally I just run cerbos on my machine and connect via the gRPC port. I need to do this in CI (github actions), but not sure how to do it. I see there is a Setup Cerbos github action. Should I be using that? If so, how do I connect my service to it? This is probably more of a GHA question than a cerbos one 🙏
Hey! You have two options here.
1. Use Setup Cerbos action to install the Cerbos binary into your runner and then use `cerbos run` utility to run your tests. It starts a temporary Cerbos server for the duration of a user-specified command. So you could do something like `cerbos run -- go test ./...`. https://docs.cerbos.dev/cerbos/latest/cli/cerbos.html#run
2. Run Cerbos as a GHA service: https://docs.github.com/en/actions/using-containerized-services/about-service-containers. One issue that I have run into with this is that GH launches the service before the source is checked out so you can't mount your policies into that service container from your sources. You'll have to use a remote store like S3 or Git with Cerbos, which can be a bit of a pain to configure in the restricted GH environment.
OK...I think I can get #1 to work. Trying now
I assume that you're trying to run integration tests. Otherwise you could also use the SDK to start a Cerbos server in your unit tests: https://pkg.go.dev/github.com/cerbos/cerbos@v0.24.0/client/testutil#example-StartCerbosServer
With the
action, I see the action defaults to look for policies in a local
folder. What if the policies are in another repo? I'm guessing I need to check out the policy repo as well and manually set the policy path?
I think you're talking about the
action? The
action just installs Cerbos binaries inside the runner.
Oh, if you're talking about `cerbos run`, yeah, you should either clone the policy repo and set the location by invoking cerbos with `cerbos run --set=storage.disk.directory=/path/to/policy/repo`
OR you could create a
file with a
store that pulls from your policy repo.
Sweet I got it working!