Does the SpiceDBCluster `patches`
# spicedb
t
Does the SpiceDBCluster `patches` section also apply to migration jobs?
v
I don't think it does. What are you trying to achieve?
t
I was trying to construct the datastore_uri env var based on values from other configmaps/secrets. While it might work with the deployment pods, it's no good if it doesn't work with the migration jobs.
v
The operator supports providing a secret for the datastore, but not if it does not have the values the way it expects them.
e
Patches apply to jobs as well; you write them as:
- kind: Job
  patch:
    <thepatch>
t
Yes, I discovered that... Still struggling with how to append to env vars, though.
Got it:
- kind: Job
  patch:
    op: add
    path: /spec/template/spec/containers/0/env/-
    value:
      name: PGHOST
      valueFrom:
        configMapKeyRef:
          name: database
          key: db.host
And just for reference: this enables me to compose the datastore_uri like this (and similar for the deployment). It is rather verbose, but useful when the database credentials are provided by another team and we don't know their actual values.
- kind: Job
  patch:
    op: test
    # Ensure that the index of the CONN_URI env var is correct
    path: /spec/template/spec/containers/0/env/1/name
    value: SPICEDB_DATASTORE_CONN_URI
- kind: Job
  patch:
    op: remove
    # Delete the original CONN_URI env var, so we can re-add it as the last one, with variable substitution
    path: /spec/template/spec/containers/0/env/1
- kind: Job
  patch:
    op: add
    path: /spec/template/spec/containers/0/env/-
    value:
      name: SPICEDB_DATASTORE_CONN_URI
      value: "postgres://$(PGUSER):$(PGPASSWORD)@$(PGHOST):$(PGPORT)/$(PGDATABASE)?sslmode=require"
e
We do have an issue filed to make it easier to specify credentials in different ways, but I'm glad you were able to make it work just with patches.
FWIW I think you could probably make it simpler with just a merge patch, like:
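- kind: Job
  patch:
    # The patch targets the whole Job object (the JSON patch paths in this thread start at /spec)
    spec:
      template:
        spec:
          containers:
          - name: migrate
            env:
            - name: SPICEDB_DATASTORE_CONN_URI
              value: "postgres://$(PGUSER):$(PGPASSWORD)@$(PGHOST):$(PGPORT)/$(PGDATABASE)?sslmode=require"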
which should avoid the need for the test/remove operations you have (but warning: I didn't test this, I may have made some typos)