✨ Install spicedb #1372

Merged
merged 24 commits into from
Feb 17, 2025

yanmxa
Member

@yanmxa yanmxa commented Feb 10, 2025

Summary

  • Install spicedb operator and operand
  • Apply the imagepullsecret, imagepullpolicy, toleration, and nodeselector of mgh to the operator and operand

Related issue(s)

Fixes # https://issues.redhat.com/browse/ACM-17759

Tests

  • Unit/function tests have been added and incorporated into make unit-tests.
  • Integration tests have been added and incorporated into make integration-test.
  • E2E tests have been added and incorporated into make e2e-test-all.
  • List other manual tests you have done.
NAME                                                READY   STATUS    RESTARTS   AGE
kafka-kraft-0                                       0/1     Running   0          30s
multicluster-global-hub-grafana-79bd77df4f-f7pd5    2/2     Running   0          96s
multicluster-global-hub-operator-5787469d56-xkcn5   1/1     Running   0          3m5s
multicluster-global-hub-postgresql-0                2/2     Running   0          99s
spicedb-operator-7f4474848-59l8c                    1/1     Running   0          98s
spicedb-spicedb-787597bcf4-ps255                    1/1     Running   0          69s
strimzi-cluster-operator-v0.43.0-76f57fb5b7-chjw2   1/1     Running   0          69s

@yanmxa
Member Author

yanmxa commented Feb 10, 2025

/test sonarcloud

Signed-off-by: myan <[email protected]>
@clyang82
Contributor

One comment: we need to control the spicedb components with WithInventory. In other words, if we have the with-inventory annotation, then spicedb will be there. Otherwise, we should not have spicedb installed.

Signed-off-by: myan <[email protected]>
@yanmxa
Member Author

yanmxa commented Feb 14, 2025

> One comment: we need to control the spicedb components with WithInventory. In other words, if we have the with-inventory annotation, then spicedb will be there. Otherwise, we should not have spicedb installed.

Done

@yanmxa yanmxa requested a review from clyang82 February 14, 2025 11:59
@yanmxa
Member Author

yanmxa commented Feb 14, 2025

/test test-integration

labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: spicedb-operator-edit
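Review bot: The aggregate-to-admin and aggregate-to-edit labels on spicedb-operator-edit merge this role's rules into the built-in admin and edit ClusterRoles, so every subject already bound to admin or edit in any namespace gains them as soon as the manifest is applied. If the operator does not need that to run, drop the labels (or the whole role) from the operator manifests and leave it to a cluster administrator to grant the access through an explicit binding.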
Contributor

ditto

Member Author

@yanmxa yanmxa Feb 17, 2025

This role is intended for user access, not the operator. Remove it for now.

rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-view: "true"
name: spicedb-operator-view
Contributor

ditto

Member Author

As above, remove it for now

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: spicedb-operator
Contributor

Suggest adding multicluster-global-hub: as a prefix to avoid collision.

Member Author

Done

@@ -0,0 +1,2796 @@
apiVersion: v1
data:
update-graph.yaml: |
Contributor

Is it necessary for the spicedb operator?

Member Author

I couldn't find a description of it. Open an issue in the community to track it. authzed/spicedb-operator#351

name: spicedb-operator
namespace: {{.Namespace}}
spec:
replicas: {{.Replicas}}
Contributor

For the operator, maybe we just hardcode 1 replica.

Member Author

Done

pgConfig.Host,
pgConfig.Port,
InventoryDatabaseName,
"disable",
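Review bot: The literal "disable" passed after InventoryDatabaseName is hardcoded. If that argument is the sslmode of the datastore connection string, which is what the verify-full request on this line implies, the SpiceDB connection to pgConfig.Host is unencrypted and the server's identity is never checked. Read the mode from configuration, default to verify-full with the Postgres CA made available to the SpiceDB pods, and keep "disable" only as an explicit opt-out.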
Contributor

Need a TODO to support verify-full.

Member Author

Done

replicas = 2
}

// create spicedb cluster
Contributor

How to specify the PV in spicedb?

Member Author

I just reinstalled it but didn't find any PVC associated with Spicedb.

❯ oc get pods
NAME                                                READY   STATUS    RESTARTS   AGE
kafka-entity-operator-6765f65976-wnx2m              0/2     Running   0          9s
kafka-kraft-0                                       1/1     Running   0          49s
kafka-kraft-1                                       1/1     Running   0          49s
kafka-kraft-2                                       1/1     Running   0          49s
multicluster-global-hub-grafana-79bd77df4f-5kspv    2/2     Running   0          2m10s
multicluster-global-hub-grafana-79bd77df4f-lccgt    2/2     Running   0          2m10s
multicluster-global-hub-operator-5787469d56-8cmq4   1/1     Running   0          2m38s
multicluster-global-hub-postgresql-0                2/2     Running   0          2m13s
spicedb-operator-7f4474848-m9gns                    1/1     Running   0          2m13s
spicedb-spicedb-759bdd554b-44kpq                    1/1     Running   0          92s
spicedb-spicedb-759bdd554b-6q8q5                    1/1     Running   0          92s
strimzi-cluster-operator-v0.43.0-76f57fb5b7-pvkmv   1/1     Running   0          90s
❯ oc get pvc
NAME                                              STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   VOLUMEATTRIBUTESCLASS   AGE
data-0-kafka-kraft-0                              Bound    pvc-143f6317-8398-47c5-803f-4c1604a66bac   10Gi       RWO            gp3-csi        <unset>                 55s
data-0-kafka-kraft-1                              Bound    pvc-2faf6766-eb88-444b-b107-5078bd326bf6   10Gi       RWO            gp3-csi        <unset>                 55s
data-0-kafka-kraft-2                              Bound    pvc-c34ca80e-049e-474c-9ce8-da83f06017e8   10Gi       RWO            gp3-csi        <unset>                 55s
postgresdb-multicluster-global-hub-postgresql-0   Bound    pvc-357342b0-6888-4398-afcb-a80495832850   25Gi       RWO            gp3-csi        <unset>                 2m17s

Contributor

Why can't I see the inventory-api component?

err := ctrl.NewControllerManagedBy(mgr).Named("spicedb-cluster").
For(&v1alpha4.MulticlusterGlobalHub{}, builder.WithPredicates(config.MGHPred)).
Watches(&corev1.Secret{}, &handler.EnqueueRequestForObject{}, builder.WithPredicates(spiceDBSecretPred)).
Watches(&spicedbv1alpha1.SpiceDBCluster{}, &handler.EnqueueRequestForObject{},
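Review bot: In the Watches call for SpiceDBCluster, handler.EnqueueRequestForObject enqueues a request keyed by the SpiceDBCluster's own name and namespace, while the primary type in For(...) is MulticlusterGlobalHub, so unless Reconcile ignores the request key it will look up a hub object under the wrong name. The Secret watch on the line above has the same mismatch. Set an owner reference on the SpiceDBCluster and use Owns(&spicedbv1alpha1.SpiceDBCluster{}), or map each event to the hub's key with a map function.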
Contributor

Maybe we should use EnqueueRequestForOwner.

Member Author

Change with Owns now.

Signed-off-by: myan <[email protected]>
@clyang82
Contributor

From e2e, it seems the spicedb-operator cannot be ready. Refer to https://github.com/stolostron/multicluster-global-hub/actions/runs/13362270192/job/37313832429?pr=1372#step:5:1329

NAME                               READY   UP-TO-DATE   AVAILABLE   AGE
inventory-api                      1/1     1            1           11s
kafka-entity-operator              1/1     1            1           35s
multicluster-global-hub-manager    1/1     1            1           11s
multicluster-global-hub-operator   1/1     1            1           2m27s
spicedb-operator                   0/1     1            0           2m22s
strimzi-cluster-operator-v0.43.0   1/1     1            1           106s

@yanmxa
Member Author

yanmxa commented Feb 17, 2025

/test test-integration

@yanmxa yanmxa requested a review from clyang82 February 17, 2025 09:00
Contributor

@clyang82 clyang82 left a comment

LGTM

openshift-ci bot commented Feb 17, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: clyang82, yanmxa

@openshift-merge-bot openshift-merge-bot bot merged commit b129adf into stolostron:main Feb 17, 2025
16 checks passed
@yanmxa yanmxa deleted the br_spicedb branch February 19, 2025 02:22