"Protecting a Blog" with docker-compose and GoLang. #1967
I'm following the Protecting a Blog tutorial, but I encounter an error when running:

```
app-1 | 2024/07/03 13:08:13 stderr: 2024/07/03 13:08:13 failed to write schema: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: tls: first record does not look like a TLS handshake"
Gracefully stopping... (press Ctrl+C again to force)
[+] Stopping 2/2
```

The app-1 container uses the following code, with minor adjustments from the tutorial:

```go
package main

import (
	"context"
	"log"
	"os"

	pb "github.com/authzed/authzed-go/proto/authzed/api/v1"
	"github.com/authzed/authzed-go/v1"
	"github.com/authzed/grpcutil"
)

const schema = `
definition user {}
definition post {
	relation reader: user
	relation writer: user
	permission read = reader + writer
	permission write = writer
}`

func main() {
	spicedbEndpoint := os.Getenv("SPICEDB_ENDPOINT")
	systemCerts, err := grpcutil.WithSystemCerts(grpcutil.VerifyCA)
	if err != nil {
		log.Fatalf("unable to load system CA certificates: %s", err)
	}
	client, err := authzed.NewClient(
		spicedbEndpoint,
		grpcutil.WithInsecureBearerToken("somerandomkeyhere"),
		systemCerts,
	)
	if err != nil {
		log.Fatalf("unable to initialize client: %s", err)
	}
	request := &pb.WriteSchemaRequest{Schema: schema}
	_, err = client.WriteSchema(context.Background(), request)
	if err != nil {
		log.Fatalf("failed to write schema: %s", err)
	}
	log.Println("Schema written successfully!")
}
```

The Dockerfile used to build the app service is:

```dockerfile
# Use the official Golang image from the Docker Hub
FROM golang:1.22.4-alpine3.20
# Create and change to the /app directory
WORKDIR /app
# Copy go.mod and go.sum files
COPY go.mod go.sum ./
# Download all dependencies
RUN go mod download
# Install CompileDaemon
RUN go install github.com/githubnemo/CompileDaemon@latest
# Copy the source code into the container
COPY ./src ./src
# Set the working directory to the src folder
WORKDIR /app/src
# Build the Go app
RUN go build -o /app/spicedb-benchmark
# Expose port 8080 (or any port your app uses)
EXPOSE 8080
```

And the docker-compose.yaml is:

```yaml
services:
  spicedb:
    image: authzed/spicedb
    command: serve --grpc-preshared-key "somerandomkeyhere"
    ports:
      - "50051:50051"
  app:
    build:
      context: .
      dockerfile: Dockerfile
    depends_on:
      - spicedb
    volumes:
      - ./src:/app/src
    ports:
      - "8080:8080"
    environment:
      - SPICEDB_ENDPOINT=spicedb:50051
    command: ["CompileDaemon", "--build=go build -o /app/spicedb-benchmark", "--command=/app/spicedb-benchmark"]
```

Theoretically this setup should work as is, but the app service encounters issues upon running.
It looks like you're configuring your client to validate TLS:

```go
systemCerts, err := grpcutil.WithSystemCerts(grpcutil.VerifyCA)
if err != nil {
	log.Fatalf("unable to load system CA certificates: %s", err)
}
client, err := authzed.NewClient(
	// ...
	systemCerts,
)
```

But the server is not configured with TLS. The simplest thing to do for testing would be to disable TLS validation in the client, like this:

```go
import (
	grpc "google.golang.org/grpc"
	"google.golang.org/grpc/credentials/insecure"
)

// systemCerts, err := grpcutil.WithSystemCerts(grpcutil.VerifyCA)
// if err != nil {
// 	log.Fatalf("unable to load system CA certificates: %s", err)
// }
client, err := authzed.NewClient(
	spicedbEndpoint,
	grpcutil.WithInsecureBearerToken("somerandomkeyhere"),
	grpc.WithTransportCredentials(insecure.NewCredentials()),
)
```