Terraform Registry SpiceDB #spicedb

Terraform Registry

theconductor

09/16/2024, 3:17 PM

Are there any plans to publish a terraform provider? I saw some mention of it in this discord's history, not sure if that went somewhere. Someone on my team found this, but it doesn't seem to be official? https://registry.terraform.io/providers/EducationPerfect/spicedb/0.1.0

vroldanbet

09/16/2024, 3:27 PM

We want to eventually build one, but it's in the backlog. If there are any specific requirements on how it should work, we are all ears 😄

theconductor

09/16/2024, 3:38 PM

Cool, thanks! I'm admittedly not the infra guy, just relaying the message. I do know that we use CDKTF with TypeScript for our TF configuration, and since it didn't recognize the

SpiceDBCluster

CRD, our guy needed to do something hacky to get it working. It did work though, so definitely not a showstopper

vroldanbet

09/16/2024, 4:23 PM

is there anything specific about the CRD definition that made it incompatible with CDKTF?

theconductor

09/16/2024, 5:33 PM

I asked our guy and this is what he said: > It's not 'incompatible', it's simply a case of staging the release of the CRD to the Kubernetes API; prior to creating the SpiceDBCluster resource which requires the CRD. Since the Operator's behavior and exact timing of when it applies the CRD to the cluster is opaque to CDKTF we don't have great mechanisms to await the change to be applied. Once the CRD is applied, we won't have issues.

theconductor

09/16/2024, 5:33 PM

So just an order of operations issue, deploying the "SpiceDBCluster" before k8s knows what that is

vroldanbet

09/17/2024, 9:57 AM

I believe the operator can handle this. There is a flag

bootstrap-crds

which will make sure the first thing done is to apply the CRDS to the APIServer. I think it would make sense for the terraform provider to have that enabled to address the "chicken and egg problem".

vroldanbet

09/17/2024, 10:01 AM

I guess what you are trying to say is that there is race on CDKTF: - operator is applied - operator at some point CRDs applies - next CDTKF operation may create a

SpiceDBCluster

resource, but we don't know if the spicedb-operator has applied that yet I guess one option is to implement a wait function that lists CRD resources. Whenever the SpiceDBCluster CRD appears via the API, any logic implemented over CDKTF can proceed. Is there anything we could do to make any of this easier? What if provided a new command to the

spicedb-operator

CLI like

spicedb-operator bootstrap-crds

, then it would return 0, and after that you can start up

spicedb-operator

normally.

vroldanbet

09/17/2024, 10:01 AM

cc @ecordell I case you have thoughts on this

ecordell

09/17/2024, 6:48 PM

I'd just add that there's another feature too: you can provide SpiceDBCluster definititions to the operator on startup too. Then the operator will start, apply the CRDs, wait for them to be registered in the kube api, and then apply the SpiceDBCluster objects as well, so you can do a one-shot install

ecordell

09/17/2024, 6:49 PM

the flag is

--bootstrap-spicedbs

and it expects a file that is a

yaml

stream of SpiceDBCluster objects (i think json is supported too, would have to double check)

56 Views

Previous Next