From 54f3ef4aea6b8f95ce247b2f4d568f178697723a Mon Sep 17 00:00:00 2001
From: Jimmy Zelinskie
Date: Tue, 12 Apr 2022 13:38:06 -0400
Subject: [PATCH] k8s: add RBAC and flesh out example

Fixes #499
---
 k8s/basic.yaml | 88 ----------------------
 k8s/example.yaml | 182 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 182 insertions(+), 88 deletions(-)
 delete mode 100644 k8s/basic.yaml
 create mode 100644 k8s/example.yaml

diff --git a/k8s/basic.yaml b/k8s/basic.yaml
deleted file mode 100644
index 947971873d..0000000000
--- a/k8s/basic.yaml
+++ /dev/null
@@ -1,88 +0,0 @@
-# This file contains the most basic configuration of SpiceDB in Kubernetes.
-#
-# It runs with the following:
-# - a single node deployment
-# - default ports (gRPC 50051, dashboard 8080)
-# - no TLS
-# - debug logging
-# - in-memory datastore
-#
-# To apply this configuration execute the following:
-# kubectl -n $YOUR_NAMESPACE create secret generic spicedb --from-literal=SPICEDB_GRPC_PRESHARED_KEY=$YOUR_SECRET
-# kubectl -n $YOUR_NAMESPACE apply -f basic.yaml
----
-apiVersion: "v1"
-kind: "Service"
-metadata:
- name: "spicedb"
- labels:
- app: "spicedb"
-spec:
- selector:
- app: "spicedb"
- type: "ClusterIP"
- ports:
- - name: "grpc"
- port: 50051
- protocol: "TCP"
- targetPort: 50051
- - name: "internal"
- port: 50053
- protocol: "TCP"
- targetPort: 50053
----
-apiVersion: "apps/v1"
-kind: "Deployment"
-metadata:
- name: "spicedb"
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: "spicedb"
- strategy:
- rollingUpdate:
- maxSurge: "25%"
- maxUnavailable: "25%"
- type: "RollingUpdate"
- progressDeadlineSeconds: 600
- template:
- metadata:
- labels:
- app: "spicedb"
- spec:
- dnsPolicy: "ClusterFirst"
- restartPolicy: "Always"
- terminationGracePeriodSeconds: 30
- containers:
- - name: "spicedb"
- image: "quay.io/authzed/spicedb:v1.0.0"
- imagePullPolicy: "IfNotPresent"
- command: ["spicedb", "serve"]
- env:
- - name: "SPICEDB_GRPC_SHUTDOWN_GRACE_PERIOD"
- value: "1s"
- - name: "SPICEDB_LOG_LEVEL"
- value: "debug"
- - name: "SPICEDB_GRPC_PRESHARED_KEY"
- valueFrom:
- secretKeyRef:
- name: "spicedb"
- key: "SPICEDB_GRPC_PRESHARED_KEY"
- ports:
- - name: "grpc"
- containerPort: 50051
- protocol: "TCP"
- - name: "internal"
- containerPort: 50053
- protocol: "TCP"
- - name: "prometheus"
- containerPort: 9090
- protocol: "TCP"
- readinessProbe:
- exec:
- command: ["grpc_health_probe", "-v", "-addr=localhost:50051"]
- failureThreshold: 5
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 5
diff --git a/k8s/example.yaml b/k8s/example.yaml
new file mode 100644
index 0000000000..f71734819b
--- /dev/null
+++ b/k8s/example.yaml
@@ -0,0 +1,182 @@
+# This file contains an example configuration of SpiceDB in Kubernetes.
+#
+# It creates the following:
+# - A single node deployment with no persistence (in-memory datastore)
+# - Ports for the gRPC and HTTP APIs
+# - Ports for internal dispatching and metrics
+# - TLS is NOT securing any connections
+# - Logging configured at the debug log-level
+#
+# To apply this configuration execute the following:
+# kubectl -n $YOUR_NAMESPACE create secret generic spicedb --from-literal=SPICEDB_GRPC_PRESHARED_KEY=$YOUR_SECRET
+# kubectl -n $YOUR_NAMESPACE create -f example.yaml
+---
+apiVersion: "v1"
+kind: "Service"
+metadata:
+ name: "spicedb"
+ labels:
+ app.kubernetes.io/name: "spicedb"
+ app.kubernetes.io/version: "example"
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "9090"
+spec:
+ selector:
+ app: "spicedb"
+ type: "ClusterIP"
+ ports:
+ - name: "grpc"
+ port: 50051
+ protocol: "TCP"
+ targetPort: 50051
+ - name: "http"
+ port: 8443
+ protocol: "TCP"
+ targetPort: 8443
+ - name: "dispatch"
+ port: 50053
+ protocol: "TCP"
+ targetPort: 50053
+ - name: "prometheus"
+ port: 9090
+ protocol: "TCP"
+ targetPort: 9090
+---
+apiVersion: "apps/v1"
+kind: "Deployment"
+metadata:
+ name: "spicedb"
+ labels:
+ app.kubernetes.io/name: "spicedb"
+ app.kubernetes.io/version: "example"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: "spicedb"
+ app.kubernetes.io/version: "example"
+ strategy:
+ type: "RollingUpdate"
+ rollingUpdate:
+ maxSurge: "25%"
+ maxUnavailable: "25%"
+ progressDeadlineSeconds: 600
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: "spicedb"
+ app.kubernetes.io/version: "example"
+ spec:
+ dnsPolicy: "ClusterFirst"
+ restartPolicy: "Always"
+ terminationGracePeriodSeconds: 30
+ serviceAccountName: "spicedb"
+ containers:
+ - name: "spicedb"
+ image: "quay.io/authzed/spicedb:latest"
+ imagePullPolicy: "Always"
+ command: ["spicedb", "serve"]
+ env:
+ # These flags are used to enable TLS for the gRPC and HTTP ports:
+ #
+ # - name: "SPICEDB_GRPC_TLS_KEY_PATH"
+ # valueFrom:
+ # secretKeyRef:
+ # name: "spicedb"
+ # key: "SPICEDB_GRPC_KEY_PATH"
+ # - name: "SPICEDB_GRPC_TLS_CERT_PATH"
+ # valueFrom:
+ # secretKeyRef:
+ # name: "spicedb"
+ # key: "SPICEDB_GRPC_CERT_PATH"
+ # - name: "SPICEDB_HTTP_TLS_KEY_PATH"
+ # valueFrom:
+ # secretKeyRef:
+ # name: "spicedb"
+ # key: "SPICEDB_HTTP_KEY_PATH"
+ # - name: "SPICEDB_GRPC_HTTP_CERT_PATH"
+ # valueFrom:
+ # secretKeyRef:
+ # name: "spicedb"
+ # key: "SPICEDB_HTTP_CERT_PATH"
+ #
+ # These flags are used to enable a persistent datastore along
+ # with cluster dispatching. For more info see:
+ # https://docs.authzed.com/spicedb/selecting-a-datastore
+ #
+ # - name: "SPICEDB_DATASTORE_ENGINE"
+ # value: "cockroachdb"
+ # - name: "SPICEDB_DATASTORE_CONN_URI"
+ # valueFrom:
+ # secretKeyRef:
+ # name: "spicedb"
+ # key: "SPICEDB_DATASTORE_CONN_URI"
+ # - name: "SPICEDB_DISPATCH_UPSTREAM_ADDR"
+ # value: "kubernetes:///spicedb:dispatch"
+ - name: "SPICEDB_LOG_LEVEL"
+ value: "debug"
+ - name: "SPICEDB_HTTP_ENABLED"
+ value: "true"
+ - name: "SPICEDB_GRPC_SHUTDOWN_GRACE_PERIOD"
+ value: "1s"
+ - name: "SPICEDB_GRPC_PRESHARED_KEY"
+ valueFrom:
+ secretKeyRef:
+ name: "spicedb"
+ key: "SPICEDB_GRPC_PRESHARED_KEY"
+ ports:
+ - name: "grpc"
+ containerPort: 50051
+ protocol: "TCP"
+ - name: "http"
+ containerPort: 8443
+ protocol: "TCP"
+ - name: "dispatch"
+ containerPort: 50053
+ protocol: "TCP"
+ - name: "prometheus"
+ containerPort: 9090
+ protocol: "TCP"
+ readinessProbe:
+ exec:
+ command: ["grpc_health_probe", "-v", "-addr=localhost:50051"]
+ failureThreshold: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+---
+apiVersion: "v1"
+kind: "ServiceAccount"
+metadata:
+ name: "spicedb"
+ labels:
+ app.kubernetes.io/name: "spicedb"
+ app.kubernetes.io/version: "example"
+---
+apiVersion: "rbac.authorization.k8s.io/v1"
+kind: "Role"
+metadata:
+ name: "watch-service"
+ labels:
+ app.kubernetes.io/name: "spicedb"
+ app.kubernetes.io/version: "example"
+rules:
+ - apiGroups: [""]
+ resources: ["endpoints"]
+ verbs: ["get", "watch"]
+---
+apiVersion: "rbac.authorization.k8s.io/v1"
+kind: "RoleBinding"
+metadata:
+ name: "spicedb-watch-service"
+ labels:
+ app.kubernetes.io/name: "spicedb"
+ app.kubernetes.io/version: "example"
+subjects:
+ - kind: "ServiceAccount"
+ name: "spicedb"
+roleRef:
+ apiGroup: "rbac.authorization.k8s.io"
+ kind: "Role"
+ name: "watch-service"
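Review bot: The Service `spec.selector` in example.yaml still selects on `app: "spicedb"`, but the Deployment's pod template only carries the `app.kubernetes.io/name` and `app.kubernetes.io/version` labels, so the Service matches no pods and its `endpoints` object stays empty — which also leaves the `endpoints` watch granted by the new Role and the commented-out `kubernetes:///spicedb:dispatch` upstream with nothing to resolve. Change the selector to `app.kubernetes.io/name: "spicedb"` (mirroring `selector.matchLabels`) or add `app: "spicedb"` to the pod template labels. The image also moved from the pinned `v1.0.0` tag to `quay.io/authzed/spicedb:latest` with `imagePullPolicy: "Always"`, so every pod restart pulls whatever `latest` currently points at and the example is neither reproducible nor auditable; pin a release tag (or a digest) instead. In the commented TLS block, `SPICEDB_GRPC_HTTP_CERT_PATH` looks like a typo for `SPICEDB_HTTP_TLS_CERT_PATH` — anyone uncommenting that block to turn on TLS would leave the HTTP cert unset — so please check it against the other three `SPICEDB_{GRPC,HTTP}_TLS_{KEY,CERT}_PATH` names. The pod spec also sets no `securityContext`; if the image tolerates it, `runAsNonRoot: true` and `readOnlyRootFilesystem: true` would be cheap hardening for an example people are likely to copy.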