SpiceDB Documentation
Deploying the SpiceDB Operator

Deploying the SpiceDB Operator

The SpiceDB Operator is the best way to run SpiceDB in production.

This guide will walk you through the steps to deploy the SpiceDB Operator to a Kubernetes (opens in a new tab) cluster and confirm it's functional by creating a simple SpiceDB deployment.


Create or Configure a Kubernetes Cluster

The rest of this guide assumes kubectl (opens in a new tab) is configured to use an available Kubernetes cluster.

For production use-cases, we recommend using your cloud provider's managed Kubernetes services (e.g. EKS (opens in a new tab), GKE (opens in a new tab), or AKS (opens in a new tab)).

If you want to run a Kubernetes cluster locally, we recommend one of:

Applying the Operator manifests

Before modifying any cluster, we recommend double-checking that your current context is configured for the target cluster:

kubectl config current-context

Now you're ready to apply the manifests that install the SpiceDB Operator:

kubectl apply --server-side -k github.com/authzed/spicedb-operator/config

All resources are created in the spicedb-operator namespace.

If you'd like to confirm that the deployment is running, you can run the following command:

kubectl -n spicedb-operator get pods

Create a SpiceDBCluster

You can now create and configure SpiceDB clusters by applying SpiceDBCluster resources.


The following manifests configure a simple deployment, not a secure one.

Do not use these values in production.

Apply a SpiceDBCluster and required Secret (opens in a new tab) using the following command:

kubectl apply --server-side -f - <<EOF
apiVersion: authzed.com/v1alpha1
kind: SpiceDBCluster
  name: dev
    datastoreEngine: memory
  secretName: dev-spicedb-config
apiVersion: v1
kind: Secret
  name: dev-spicedb-config
  preshared_key: "averysecretpresharedkey"

Connect & Verify

In order to verify our SpiceDB deployment is healthy, we're going to need access to ports where it's serving traffic.

The easiest way is to forward the port using kubectl:

kubectl port-forward deployment/dev-spicedb 50051:50051

There are a variety of ways to interact with the SpiceDB API, but for this guide we'll be using the official command-line client, Zed (opens in a new tab).

If you don't already have zed installed, you can follow this guide.

For zed to connect to SpiceDB, we'll first have to create an insecure context named local for connecting to our locally forwarded port:

zed context set local localhost:50051 "somerandomkeyhere" --insecure

With our context set, we're free to make requests to our new, empty SpiceDB deployment:

zed schema read

If all is successful, reading the schema should have thrown an error:

code = NotFound
desc = No schema has been defined; please call WriteSchema to start

Taking things to production

This guide creates a single-node deployment of SpiceDB with no persistent storage; to really take things into production, it's just a matter of configuration.

To learn more about configuring the SpiceDB Operator, you can reference the SpiceDB Operator docs or reference the community examples GitHub repository (opens in a new tab) which has more deployment examples including TLS, connecting to datastore backends, and configuring ingress.

© 2024 AuthZed.