Heyo 👋
# spicedb
u
Heyo 👋 trying to patch some `Deployment` settings with spicedb-operator, snippet:
```yaml
...
  patches:
    - kind: Deployment
      patch:
        spec:
          minReadySeconds: 30 # this one!!
          template:
            spec:
              containers:
...
```
no luck applying this `minReadySeconds`, and the `Deployment` didn't get any updates, like it was ignored. any thoughts? 🤔
//same with `deployment.spec.template.spec.nodeSelector`
//some other specs work fine (like resources limit..)
e
do you see any errors on the SpiceDBCluster status or in the operator logs?
I would've expected this to work
u
same expectation here 😒 nothing in logs
u
in the SpiceDBCluster's status there are errors though:
```yaml
status:
  conditions:
    - lastTransitionTime: '2024-12-19T10:44:01Z'
      message: no TLS configured, consider setting "tlsSecretName"
      reason: WarningsPresent
      status: 'True'
      type: ConfigurationWarning
    - lastTransitionTime: '2025-01-06T13:08:09Z'
      message: >-
        Error validating config with secret hash
        "n5d4h76h58bh55fhfbh58bh8bh574q": secret must contain a datastore_uri
        field
      reason: InvalidConfig
      status: 'True'
      type: ValidatingFailed
    - lastTransitionTime: '2025-01-21T12:25:51Z'
      message: Validating config with secret hash "n5d4h76h58bh55fhfbh58bh8bh574q"
      reason: ConfigChanged
      status: 'True'
      type: Validating
  currentMigrationHash: n89hb4h58fhbbh5fch5b5h56dh79q
  image: ghcr.io/authzed/spicedb:v1.38.0
  migration: add-metadata-to-transaction-table
  observedGeneration: 14
  secretHash: n5d4h76h58bh55fhfbh58bh8bh574q
  targetMigrationHash: n89hb4h58fhbbh5fch5b5h56dh79q
  version:
    attributes:
      - migration
    channel: stable
    name: v1.38.0
```
I don't know what hash field validation is the one mentioned in the error, but we are just loading the SPICEDB_DATASTORE_CONN_URI env from the secret that contains the `datastore_uri`
e
what is `.spec.secretName` in the SpiceDBCluster object? the secret there definitely has a `datastore_uri` field?
u
@ecordell I think you just led us to find our bug. The secret on the spicedbcluster spec is one that contains ONLY `preshared_key`. They are separate bc we have two different Vault mounts, one to store database secrets. The other is for any custom key value.
Would it be perhaps possible, omitting this spec.secretName and feeding the `preshared_key` value via env var? like we do with the spicedb conn URI.
https://cdn.discordapp.com/attachments/1331291754938368000/1331560922543558687/image.png?ex=6792103f&is=6790bebf&hm=7a0f8617a52b7c644cff8831892d44795b46aa0480e708de7cc15a99d383c7f1&
e
Unfortunately they need to be in the secret at the moment in order to avoid that warning, see:
https://github.com/authzed/spicedb-operator/issues/285
https://github.com/authzed/spicedb-operator/issues/155
I believe you should be able to patch where the preshared key comes from as well, but you'll still get the status condition.
This is something I think should be improved but haven't had a chance to address; open to PRs though