Closed batazor closed 1 year ago
Could you describe how you're trying to pass secrets in, and why passing a `secretName` doesn't work for you?
I tried this config:
```yaml
apiVersion: authzed.com/v1alpha1
kind: SpiceDBCluster
metadata:
  name: auth
spec:
  config:
    replicas: 1
    datastoreEngine: postgres
  secretName: my-spicedb-config
  patches:
    - kind: Deployment
      patch:
        spec:
          template:
            spec:
              containers:
                - name: spicedb
                  env:
                    - name: SPICEDB_DATASTORE_CONN_URI
                      valueFrom:
                        secretKeyRef:
                          name: spicedb-postgres-pguser-spicedb
                          key: uri
```
But this option did not work right.
I want to automate the process of creating postgres-clusters and I am using one of the ready-made operators, so I would like to be able to set environment variables based on third-party secrets.
I'm curious what error you saw, I think that should have worked if everything else was configured correctly.
But I do think it makes sense to be able to split up required secret fields into their own config if you want. What about something like this:
```yaml
spec:
  presharedKey:
    key: preshared_key
    secretName: spicedb-config
  datastoreUri:
    key: datastore_uri
    secretName: spicedb-config
```
which would allow you to control which secret/key the value comes from. For crunchy, you could specify `uri` as the key.
Eventually, I was able to get the application up and running. I use ArgoCD to deploy applications, and the `patches` changes were not always picked up immediately, but manual updates helped. Also, at some time, Deployment in SpiceDBCluster stopped being created, but disabling Istio gave it back.
My final config:
```yaml
apiVersion: authzed.com/v1alpha1
kind: SpiceDBCluster
metadata:
  name: auth
  annotations:
    sidecar.istio.io/inject: "false"
spec:
  config:
    replicas: 1
    datastoreEngine: postgres
  secretName: auth-spicedb-config
  patches:
    - kind: Deployment
      patch:
        spec:
          template:
            metadata:
              annotations:
                sidecar.istio.io/inject: "false"
            spec:
              containers:
                - name: spicedb
                  env:
                    - name: SPICEDB_DATASTORE_CONN_URI
                      valueFrom:
                        secretKeyRef:
                          name: spicedb-postgres-pguser-spicedb
                          key: uri
    - kind: Job
      patch:
        spec:
          template:
            metadata:
              annotations:
                sidecar.istio.io/inject: "false"
            spec:
              containers:
                - name: migrate
                  env:
                    - name: SPICEDB_DATASTORE_CONN_URI
                      valueFrom:
                        secretKeyRef:
                          name: spicedb-postgres-pguser-spicedb
                          key: uri
```
@ecordell Thanks for your help.
It would be cool to set the configuration through environment variables without being tied to the way of working with the secrets of a particular approach.
For example - Using Secrets as environment variables
P.S. I tried to use `patches`, but it's a hard way, which may break on subsequent operator updates.
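
The final config in this thread patches both the Deployment and the migration Job so that each reads `SPICEDB_DATASTORE_CONN_URI` from the third-party secret. The following is an added example, not part of the thread or the operator's code: a Python check over an already-parsed `SpiceDBCluster` manifest that flags a missing patch, a literal connection URI, or Deployment and Job pointing at different secrets. The `_patch` helper and the sample manifests are constructed for illustration, and treating both kinds as required is an assumption taken from the final config above.

```python
ENV_NAME = "SPICEDB_DATASTORE_CONN_URI"
REQUIRED_KINDS = ("Deployment", "Job")  # assumption: both kinds, as in the thread's final config


def audit_patches(cluster):
    """Return a list of findings; an empty list means the patches are consistent."""
    findings, refs = [], {}
    for entry in cluster.get("spec", {}).get("patches", []):
        kind = entry.get("kind")
        pod_spec = entry.get("patch", {}).get("spec", {}).get("template", {}).get("spec", {})
        for container in pod_spec.get("containers", []):
            for env in container.get("env", []):
                if env.get("name") != ENV_NAME:
                    continue
                ref = env.get("valueFrom", {}).get("secretKeyRef")
                if "value" in env or not ref:
                    # A literal URI would put the database password in the manifest itself.
                    findings.append(f"{kind}/{container.get('name')}: literal value, use secretKeyRef")
                else:
                    refs[kind] = (ref.get("name"), ref.get("key"))
    for kind in REQUIRED_KINDS:
        if kind not in refs and not any(f.startswith(kind + "/") for f in findings):
            findings.append(f"{kind}: no {ENV_NAME} patch")
    if len(set(refs.values())) > 1:
        findings.append("Deployment and Job read different secrets or keys")
    return findings


def _patch(kind, container, env):  # hypothetical helper, only used to build the samples
    return {"kind": kind, "patch": {"spec": {"template": {"spec": {
        "containers": [{"name": container, "env": [env]}]}}}}}


# Constructed sample manifests (dicts in the shape a YAML parser would return).
SECRET_ENV = {"name": ENV_NAME, "valueFrom": {"secretKeyRef": {
    "name": "spicedb-postgres-pguser-spicedb", "key": "uri"}}}
GOOD = {"spec": {"patches": [_patch("Deployment", "spicedb", SECRET_ENV),
                             _patch("Job", "migrate", SECRET_ENV)]}}
ONLY_DEPLOYMENT = {"spec": {"patches": [_patch("Deployment", "spicedb", SECRET_ENV)]}}
LITERAL = {"spec": {"patches": [
    _patch("Deployment", "spicedb", {"name": ENV_NAME, "value": "postgres://user:CONSTRUCTED@db/spicedb"}),
    _patch("Job", "migrate", SECRET_ENV)]}}

if __name__ == "__main__":
    for label, manifest in (("good", GOOD), ("only-deployment", ONLY_DEPLOYMENT), ("literal", LITERAL)):
        print(label, audit_patches(manifest))
```

Running a check like this in CI before ArgoCD syncs the manifest catches the case where only one of the two patches was updated.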