authzed / spicedb-operator

Kubernetes controller for managing instances of SpiceDB
Apache License 2.0

add support env variable #210

Closed batazor closed 1 year ago

batazor commented 1 year ago

It would be cool to set the configuration through environment variables without being tied to the way of working with the secrets of a particular approach.

For example - Using Secrets as environment variables

P.S. I tried to use patches, but it's a hard way, which may break on subsequent operator updates.

ecordell commented 1 year ago

Could you describe how you're trying to pass secrets in, and why passing a secretName doesn't work for you?

batazor commented 1 year ago

I tried this config:

```yaml
apiVersion: authzed.com/v1alpha1
kind: SpiceDBCluster
metadata:
  name: auth
spec:
  config:
    replicas: 1
    datastoreEngine: postgres
  secretName: my-spicedb-config
  patches:
    - kind: Deployment
      patch:
        spec:
          template:
            spec:
              containers:
                - name: spicedb
                  env:
                    - name: SPICEDB_DATASTORE_CONN_URI
                      valueFrom:
                        secretKeyRef:
                          name: spicedb-postgres-pguser-spicedb
                          key: uri
```

But this option did not work right.

I want to automate the process of creating postgres-clusters and I am using one of the ready-made operators, so I would like to be able to set environment variables based on third-party secrets.

ecordell commented 1 year ago

I'm curious what error you saw, I think that should have worked if everything else was configured correctly.

But I do think it makes sense to be able to split up required secret fields into their own config if you want. What about something like this:

```yaml
spec:
  presharedKey:
    key: preshared_key
    secretName: spicedb-config
  datastoreUri:
    key: datastore_uri
    secretName: spicedb-config
```

which would allow you to control which secret/key the value comes from. For crunchy, you could specify uri as the key.

batazor commented 1 year ago

Eventually, I was able to get the application up and running. I use ArgoCD to deploy applications, and the patch changes were not always picked up immediately, but manual updates helped. Also, at some point, the Deployment in SpiceDBCluster stopped being created, but disabling Istio gave it back.

My final config:

```yaml
apiVersion: authzed.com/v1alpha1
kind: SpiceDBCluster
metadata:
  name: auth
  annotations:
    sidecar.istio.io/inject: "false"
spec:
  config:
    replicas: 1
    datastoreEngine: postgres
  secretName: auth-spicedb-config
  patches:
    - kind: Deployment
      patch:
        spec:
          template:
            metadata:
              annotations:
                sidecar.istio.io/inject: "false"
            spec:
              containers:
                - name: spicedb
                  env:
                    - name: SPICEDB_DATASTORE_CONN_URI
                      valueFrom:
                        secretKeyRef:
                          name: spicedb-postgres-pguser-spicedb
                          key: uri
    - kind: Job
      patch:
        spec:
          template:
            metadata:
              annotations:
                sidecar.istio.io/inject: "false"
            spec:
              containers:
                - name: migrate
                  env:
                    - name: SPICEDB_DATASTORE_CONN_URI
                      valueFrom:
                        secretKeyRef:
                          name: spicedb-postgres-pguser-spicedb
                          key: uri
```

@ecordell Thanks for your help.
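The thread above shows the pitfall of sourcing `SPICEDB_DATASTORE_CONN_URI` from a third-party Secret through `patches`: the first attempt patched only the Deployment, while the working config patches the Deployment and the migrate Job alike. The following pre-deploy check is an added example, not spicedb-operator code; it assumes manifests are handed over as the dicts a YAML parser would return, that the namespace's Secrets are summarised as name -> set of data keys, and that the operator's own secret uses the `preshared_key` / `datastore_uri` key names that appear in the thread.

```python
"""Pre-deploy check for a SpiceDBCluster that gets its datastore URI from patches
(constructed example, not spicedb-operator code). Manifests are the dicts a YAML
parser would return; the Secret key names are the ones used in the thread."""
from __future__ import annotations
from typing import Any

URI_ENV = "SPICEDB_DATASTORE_CONN_URI"

def env_secret_refs(patch: dict[str, Any]) -> list[tuple[str, str, str, str]]:
    """(container, env name, secret, key) for each secretKeyRef env var in a patch."""
    pod = patch.get("spec", {}).get("template", {}).get("spec", {})
    return [(c.get("name", "?"), e["name"], e["valueFrom"]["secretKeyRef"]["name"],
             e["valueFrom"]["secretKeyRef"]["key"])
            for c in pod.get("containers", []) for e in c.get("env", [])
            if "secretKeyRef" in e.get("valueFrom", {})]

def check_cluster(cluster: dict[str, Any], secrets: dict[str, set[str]]) -> list[str]:
    """`secrets` maps Secret name -> data keys present. Returns the problems found."""
    problems: list[str] = []
    spec = cluster["spec"]
    uri_from_env: set[str] = set()  # kinds whose pod template gets the URI via env
    for p in spec.get("patches", []):
        for container, env, sname, key in env_secret_refs(p.get("patch", {})):
            if key not in secrets.get(sname, set()):
                problems.append(f"{p['kind']}/{container}: no key {key!r} in secret {sname!r}")
            if env == URI_ENV:
                uri_from_env.add(p["kind"])
    main = secrets.get(spec.get("secretName"))
    if main is None:
        problems.append(f"secretName {spec.get('secretName')!r} does not exist")
    elif "preshared_key" not in main:
        problems.append("operator secret lacks 'preshared_key'")
    elif "datastore_uri" not in main and not uri_from_env:
        problems.append("datastore URI is neither in the operator secret nor patched in")
    # The thread's working config patches the Deployment and the migrate Job alike;
    # a URI that reaches only the Deployment leaves the Job without a datastore.
    if "Deployment" in uri_from_env and "Job" not in uri_from_env:
        problems.append("URI patched onto the Deployment but not onto the migrate Job")
    return problems

# Constructed inputs mirroring the thread's first attempt: only the Deployment is
# patched, and the operator's own secret carries just the preshared key.
FIRST_ATTEMPT = {"spec": {"secretName": "my-spicedb-config", "patches": [
    {"kind": "Deployment", "patch": {"spec": {"template": {"spec": {"containers": [
        {"name": "spicedb", "env": [{"name": URI_ENV, "valueFrom": {"secretKeyRef": {
            "name": "spicedb-postgres-pguser-spicedb", "key": "uri"}}}]}]}}}}}]}}
SECRETS = {"my-spicedb-config": {"preshared_key"},
           "spicedb-postgres-pguser-spicedb": {"uri", "password"}}
```

Running `check_cluster(FIRST_ATTEMPT, SECRETS)` reports the missing Job patch; adding a matching `Job` patch for the `migrate` container clears it.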