authzed / spicedb-operator

Kubernetes controller for managing instances of SpiceDB
Apache License 2.0

Add capability to disable TLS warning #180

Open imclem opened 1 year ago

imclem commented 1 year ago

Hi 👋

I'm running a SpiceDB cluster, and I'm getting a warning in the Status.Conditions of the cluster because TLS is not configured. I would like to be able to remove this warning. I'm running SpiceDB internally, nothing is exposed to the outside world, and there should be no security issue without TLS.

Here's the output of describing the cluster:

Name:         spicedb-mycoach-infrastructure
Namespace:    default
Labels:       app.kubernetes.io/managed-by=Helm
Annotations:  meta.helm.sh/release-name: mycoach-infrastructure
              meta.helm.sh/release-namespace: default
API Version:  authzed.com/v1alpha1
Kind:         SpiceDBCluster
Metadata:
  Creation Timestamp:  2023-03-23T17:26:40Z
  Generation:          2
  Managed Fields:
    API Version:  authzed.com/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          f:meta.helm.sh/release-name:
          f:meta.helm.sh/release-namespace:
        f:labels:
          f:app.kubernetes.io/managed-by:
      f:status:
        f:conditions:
        f:currentMigrationHash:
        f:image:
        f:migration:
        f:observedGeneration:
        f:secretHash:
        f:targetMigrationHash:
        f:version:
          f:attributes:
          f:channel:
          f:name:
    Manager:      spicedb-operator
    Operation:    Apply
    Subresource:  status
    Time:         2023-04-04T08:03:28Z
    API Version:  authzed.com/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:meta.helm.sh/release-name:
          f:meta.helm.sh/release-namespace:
        f:labels:
          .:
          f:app.kubernetes.io/managed-by:
      f:spec:
        .:
        f:channel:
        f:config:
          .:
          f:datastoreEngine:
          f:replicas:
        f:secretName:
        f:version:
    Manager:         Go-http-client
    Operation:       Update
    Time:            2023-03-23T17:57:48Z
  Resource Version:  332941291
  UID:               3fd90ca2-f928-4fc1-bb16-326def7e6ae6
Spec:
  Channel:  stable
  Config:
    Datastore Engine:  mysql
    Replicas:          3
  Secret Name:         spicedb-mycoach-infrastructure
  Version:             v1.18.0
Status:
  Conditions:
    Last Transition Time:  2023-03-23T17:26:40Z
    Message:               no TLS configured, consider setting "tlsSecretName"
    Reason:                WarningsPresent
    Status:                True
    Type:                  ConfigurationWarning
  Current Migration Hash:  n698hch68ch65h544h67fh9ch6q
  Image:                   ghcr.io/authzed/spicedb:v1.18.0
  Migration:               add_caveat
  Observed Generation:     2
  Secret Hash:             n645h599h694hd6h96h547h695h688q
  Target Migration Hash:   n698hch68ch65h544h67fh9ch6q
  Version:
    Attributes:
      migration
    Channel:  stable
    Name:     v1.18.0

And the status condition:

Status:
  Conditions:
    Last Transition Time:  2023-03-23T17:26:40Z
    Message:               no TLS configured, consider setting "tlsSecretName"
    Reason:                WarningsPresent
    Status:                True
    Type:                  ConfigurationWarning

Thanks

jawnsy commented 1 year ago

It's perhaps worth noting here that TLS is not really optional for some clients, due to https://github.com/authzed/authzed-py/issues/89

akoserwal commented 3 months ago

Is it basically removing the warning from here: https://github.com/authzed/spicedb-operator/blob/main/pkg/config/config.go#L350