Skip to main content

SpiceDB Operator

The SpiceDB operator is a Kubernetes Operator that can manage the installation and lifecycle of SpiceDB Clusters.

Installing

Create a Kubernetes Cluster

The installation guide assumes you already have a kubernetes cluster available.

If you want to run the operator locally, we recommend one of:

Install the Operator with kubectl

Confirm you are connected to the correct cluster with kubectl config current-context, and then:

kubectl apply --server-side -k github.com/authzed/spicedb-operator/config

After a succesful rollout, you will see the spicedb-operator pod running in the spicedb-operator namespace.

kubectl -n spicedb-operator get pods

Create a SpiceDBCluster

danger

The commands documented here do not configure best practices for production deployments. For example, TLS is disabled and data is not persisted when SpiceDB is shut down. See the guide for selecting a datastore.

You can now create and configure SpiceDB clusters by writing a SpiceDBCluster objects. For example:

kubectl apply --server-side -f - <<EOF
apiVersion: authzed.com/v1alpha1
kind: SpiceDBCluster
metadata:
name: dev
spec:
config:
datastoreEngine: memory
secretName: dev-spicedb-config
---
apiVersion: v1
kind: Secret
metadata:
name: dev-spicedb-config
stringData:
preshared_key: "averysecretpresharedkey"
EOF

Forward the port so that you can connect to it:

kubectl port-forward deployment/dev-spicedb 50051:50051

This creates a single node cluster with no persistent storage. See the examples in the GitHub repo for more deployment options, including TLS, connecting to datastore backends, and configuring ingress.

Connect and Verify

A variety of clients/tools can be used to interact with the API.

zed is the official CLI client and can be used to check that SpiceDB is running, write schema and relationships, and perform other operations against SpiceDB:

Running via brew

zed is available via brew on macOS and Linux.

brew install zed
zed context set local localhost:50051 "somerandomkeyhere" --insecure
zed schema read --insecure

Configuration

Flags

SpiceDB flags can be set via the .spec.config field on the SpiceDBCluster object:

apiVersion: authzed.com/v1alpha1
kind: SpiceDBCluster
metadata:
name: dev
spec:
config:
replicas: 2
datastoreEngine: cockroachdb
logLevel: debug

Any CLI flag for SpiceDB can be set in config by converting the name of the flag to camelCase and removing dashes. For example: --log-level becomes logLevel, --datastore-engine becomes datastoreEngine, and so on. The values for these flags are expected to be strings, unless the operator has implemented special support for a specific flag. This allows the operator to be forward-compatible with new versions of SpiceDB, even if it doesn't know about new features and flags. There may be exceptions to this rule, but they will be documented in release notes if and when they occur.

The operator also introduces some new flags that are not present on the CLI:

FlagDescriptionType
imageA specific container image to run.string
replicasThe number of nodes to run for this cluster.string or int
skipMigrationsIf true, the operator will not run migrations on changes to this cluster.string or bool
tlsSecretNameThe name of a Kubernetes secret in the same namespace to use as the TLS credentials for SpiceDB services.string
dispatchUpstreamCASecretNameThe name of a Kubernetes secret in the same namespace to use as the TLS CA validation. This should be the CA cert that was used to issue the cert in tlsSecretNamestring
datastoreTLSSecretNameThe name of a Kubernetes secret containing a TLS secret to use when connecting to the datastore.string
spannerCredentialsThe name of a Kubernetes secret containing credentials for talking to Cloud Spanner. Typically, this would not be used, in favor of workload identity.string
extraPodLabelsA set of additional labels to add to the spicedb pods.string or map[string]string

All other flags are passed through to SpiceDB without any additional processing.

Global Config

The operator comes with a global config file baked into the image. This defines what the default is and what SpiceDB images are allowed (the operator will run any image as SpiceDB, but will warn if it is not in this list).

The file is located at /opt/operator/config.yaml in released images, and can be changed with the --config flag on the operator.

Example:

allowedImages:
- ghcr.io/authzed/spicedb
- authzed/spicedb
- quay.io/authzed/spicedb
allowedTags:
- v1.11.0
- v1.10.0
disableImageValidation: false
imageName: ghcr.io/authzed/spicedb
imageTag: v1.11.0

If disableImageValidation is true, then the operator will not warn if it is running an image outside the allowed list.

Bootstrapping CRDs

The operator can optionally bootstrap CRDs on start up with --crds=true.

This is not generally recommended; it requires granting CRD create permission to the operator.

Static SpiceDBClusters

The operator can optionally take in a set of "static" SpiceDBClusters that it will create on startup, via --bootstrap-spicedbs. This argument is expected to be a file with a yaml list of SpiceDBCluster objects.

This is not generally recommended; it is primarily for CD of the operator itself.

Debug, Logs, Health, and Metrics

The operator serves a debug endpoint, health, and metrics from the same address, defined by --debug-addr (:8080 by default):

  • /metrics serves a prometheus metric endpoint, which includes controller queue depths and stats about abnormal SpiceDBClusters.
  • /debug/pprof/ for profiling data
  • /healthz for health

Log level can be configured with --v and accepts standard klog flags.

Updating

Updating the Operator

Updating the operator is as simple as re-running:

kubectl apply --server-side -k github.com/authzed/spicedb-operator/config

whenever there is an update available.

Updating Managed SpiceDBClusters

The operator supports different strategies for updating SpiceDB clusters, described below.

If keeping on top of updates sounds daunting, Authzed Dedicated provides a simple interface for managing SpiceDB upgrades without the hassle.

Automatic Updates

Every release of SpiceDB Operator comes with a version of SpiceDB that it considers the "default" version. This default version is used for every SpiceDBCluster that does not specify a specific image in its .spec.config. When either the operator or its config file is updated, every cluster under management will be rolled to the new default version.

This is recommended primarily for development environments.

If you wish to have truly zero-touch upgrades, you can automate the updating of the operator with standard git-ops tooling like Flux or ArgoCD. In the future, other update mechanisms may become available.

Manual upgrades

If you specify a container image from a SpiceDB release in .spec.config.image, the cluster will not be updated automatically. You can choose when and how to update to a new release of SpiceDB, which is recommended for production deployments.

Each operator release only "knows" about previous SpiceDB releases. Although the operator attempts to be forward-compatible as much as possible, the guarantees are only best-effort. We recommend updating SpiceDB operator before updating SpiceDB whenever possible.