# spicedb
t
Hey guys, does spicedb currently support reading configuration from a file (.env for example)? Thanks 🙂
v
t
That's awesome! Does this work if I run spicedb as a container?
v
that I haven't tried
y
@terrakube would this be for locally messing around or for production deployment? how are you planning on deploying?
t
Hey @yetitwo it'd be for production deployment. It'd be deployed to a K8S cluster using the docker image. Because K8S secrets are plain text, we cannot store spicedb secrets there (mainly datastore connection string and grpc preshared key), so I was thinking how to retrieve secrets from, let's say, Azure Keyvault in an init container and write them in the spicedb env file for the main container to load.
I've just given that approach a try and it seemed to work. A shared volume in the pod to which the init container can write an env file. The main container (spicedb) seemed to pick it up. Once I have something more production ready I can get back to you guys, if you're interested to know.
v
hmm is there anything about the SpiceDB CLI API that does not allow you to store your env vars in a secret storage?
t
I could store them as a K8S Secret, however I've been advised not to, as they're stored as plain text. Also we're using FluxCD, and any manifests will be checked in source control, so passing hardcoded secrets is not an option either
v
Was thinking of loading it from the vault into a secret with its own secret provider, not storing it as plain text: https://damn.engineer/2022/01/31/azure-keyvault-to-kubernetes
t
I didn't know about this, thanks. Will take a look 🙂