
SpiceDB Operator is Open Source

September 8, 2022|3 min read

Today we’re announcing the open sourcing of spicedb-operator - a Kubernetes operator for installing, upgrading, and maintaining SpiceDB clusters on Kubernetes. Through previous work at CoreOS and Red Hat, our team developed many of the early ideas around operators. As we began to scale out the deployment of SpiceDB clusters across our fleet to address the needs of our customers, an operator was the natural choice.

Running in production for 4 months

The operator has been quietly managing SpiceDB clusters for Authzed’s Serverless and Dedicated offerings for the past four months. It's production-ready and available today!

To get started yourself, install the operator:

kubectl apply --server-side -k github.com/authzed/spicedb-operator/config

And then create a cluster:

kubectl apply --server-side -f - <<EOF
apiVersion: authzed.com/v1alpha1
kind: SpiceDBCluster
metadata:
  name: dev
spec:
  config:
    replicas: 2
    datastoreEngine: postgres
  secretName: dev-spicedb-config
---
apiVersion: v1
kind: Secret
metadata:
  name: dev-spicedb-config
stringData:
  datastore_uri: "postgresql:///the-url-of-your-datastore"
  preshared_key: "averysecretpresharedkey"
EOF

Once a cluster is running, the operator automatically runs migrations and rolls out new SpiceDB releases as they become available. Alternatively, by pinning a cluster to a specific release, the operator can be used to coordinate the rollout of migrations in GitOps workflows.

The operator also simplifies the configuration of multi-node clusters and TLS - for more information, check out the examples and the docs.
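The manifest above places the preshared key and datastore URI directly in a heredoc, which is convenient for a first run but leaves the key in shell history and in any file the manifest is saved to. The script below is an added example (not code from the post or from the spicedb-operator project) showing the same two objects built a different way: the key is generated from /dev/urandom, sanity-checked, and handed to kubectl as a literal so it never appears in a manifest, while the SpiceDBCluster is rendered from a template using the apiVersion, kind and field names shown in the post. The SPICEDB_DATASTORE_URI environment variable and the helper function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post or the spicedb-operator project.
# Generates a random preshared key, creates the Secret with kubectl instead of
# pasting the key into a manifest, and renders the SpiceDBCluster manifest.
# Assumptions: the apiVersion/kind/field names are those shown in the post;
# kubectl is only invoked in apply_cluster, which runs only when
# SPICEDB_DATASTORE_URI (a name chosen for this example) is set.
set -eu

# 32 random bytes as 64 hex characters, read from /dev/urandom (no openssl needed).
gen_preshared_key() {
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Reject keys that are short or look like placeholder values before they are applied.
check_preshared_key() {
  key="$1"
  [ "${#key}" -ge 32 ] || { echo "preshared key shorter than 32 characters" >&2; return 1; }
  case "$key" in
    *secret*|*password*|*changeme*)
      echo "preshared key looks like a placeholder" >&2; return 1 ;;
  esac
  return 0
}

# Render only the SpiceDBCluster object; the Secret is created separately so
# the key never lands in a manifest file or in git history.
render_cluster_manifest() {
  name="$1"; replicas="$2"; secret="$3"
  cat <<EOF
apiVersion: authzed.com/v1alpha1
kind: SpiceDBCluster
metadata:
  name: ${name}
spec:
  config:
    replicas: ${replicas}
    datastoreEngine: postgres
  secretName: ${secret}
EOF
}

# Create the Secret from literals and apply the cluster. The datastore URI is
# taken from a parameter (sourced from the environment below), not hardcoded.
apply_cluster() {
  name="$1"; replicas="$2"; secret="$3"; datastore_uri="$4"
  key="$(gen_preshared_key)"
  check_preshared_key "$key"
  kubectl create secret generic "$secret" \
    --from-literal=datastore_uri="$datastore_uri" \
    --from-literal=preshared_key="$key" \
    --dry-run=client -o yaml | kubectl apply --server-side -f -
  render_cluster_manifest "$name" "$replicas" "$secret" | kubectl apply --server-side -f -
}

# Usage (requires kubectl and a cluster with the operator installed):
#   SPICEDB_DATASTORE_URI='postgresql://...' sh create-spicedb.sh
if [ "${SPICEDB_DATASTORE_URI:-}" != "" ]; then
  apply_cluster dev 2 dev-spicedb-config "$SPICEDB_DATASTORE_URI"
fi
```

The `--dry-run=client -o yaml | kubectl apply --server-side` pipeline keeps the Secret idempotent on re-runs, matching the server-side apply used for the cluster object, and the generated key is only ever held in a shell variable for the lifetime of the script.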

Listen up, idioms!

We’ve also open-sourced controller-idioms, the library we developed to support SpiceDB Operator and other operators that we use to run Authzed Dedicated. We found ourselves solving some of the same problems in every operator we wrote, and built this microframework to standardize common patterns across our stack.

This new library:

  • Works with other (golang-based) tooling like client-go and controller-runtime.
  • Uses golang generics to simplify dealing with Kubernetes APIs, informers, and indexes.
  • Implements common patterns for resource adoption, ownership, status, and metrics.
  • Provides a framework for breaking down large controller state machines into small, testable pieces.

If you’re developing an operator of your own, please check out controller-idioms and let us know what’s missing in the GitHub issues.

Additional Reading

If you’re interested in learning more about Authorization and Google Zanzibar, we recommend reading the following posts:

Join the Conversation

Don’t see something you want? Let us know in the GitHub issues what you’d like to see from the operator in the future, and don’t hesitate to reach out on discord with any questions or feedback.

Header image generated with DALL·E 2 with prompt "a robot putting a database icon in a kubernetes cluster"
