✨ Install spicedb

[yanmxa]

Summary

• Install spicedb operator and operand
• apply the imagepullsecret, imagepullpolicy, toleration, nodeselector of mgh into the operator and operand

Related issue(s)

Fixes # https://issues.redhat.com/browse/ACM-17759

Tests

• Unit/function tests have been added and incorporated into make unit-tests.
• Integration tests have been added and incorporated into make integration-test.
• E2E tests have been added and incorporated into make e2e-test-all.
• List other manual tests you have done.

NAME                                                READY   STATUS    RESTARTS   AGE
kafka-kraft-0                                       0/1     Running   0          30s
multicluster-global-hub-grafana-79bd77df4f-f7pd5    2/2     Running   0          96s
multicluster-global-hub-operator-5787469d56-xkcn5   1/1     Running   0          3m5s
multicluster-global-hub-postgresql-0                2/2     Running   0          99s
spicedb-operator-7f4474848-59l8c                    1/1     Running   0          98s
spicedb-spicedb-787597bcf4-ps255                    1/1     Running   0          69s
strimzi-cluster-operator-v0.43.0-76f57fb5b7-chjw2   1/1     Running   0          69s

[yanmxa]

/test sonarcloud

[clyang82]

one comment: we need to control the spicedb components with WithInventory. in other words, if we have with-inventory annotation, then the spicedb will be there. otherwise, we should not have spicedb installed.

[yanmxa]

one comment: we need to control the spicedb components with WithInventory. in other words, if we have with-inventory annotation, then the spicedb will be there. otherwise, we should not have spicedb installed.

Done

[yanmxa]

/test test-integration

[clyang82]

ditto

[yanmxa]

This role is intended for user access, not the operator. Remove it for now.

[clyang82]

ditto

[yanmxa]

As above, remove it for now

[clyang82]

suggest to add multicluster-global-hub: as prefix to avoid collision.

[yanmxa]

Done

[clyang82]

is it necessary for spicedb operator?

[yanmxa]

I couldn't find a description of it. Open an issue in the community to track it. authzed/spicedb-operator#351

[clyang82]

for operator, maybe we just hardcode 1 replica

[yanmxa]

Done

[clyang82]

need a TODO to support verify-full

[yanmxa]

Done

[clyang82]

how to specify the PV in spicedb?

[yanmxa]

I just reinstalled it but didn't find any PVC associated with Spicedb.

❯ oc get pods
NAME                                                READY   STATUS    RESTARTS   AGE
kafka-entity-operator-6765f65976-wnx2m              0/2     Running   0          9s
kafka-kraft-0                                       1/1     Running   0          49s
kafka-kraft-1                                       1/1     Running   0          49s
kafka-kraft-2                                       1/1     Running   0          49s
multicluster-global-hub-grafana-79bd77df4f-5kspv    2/2     Running   0          2m10s
multicluster-global-hub-grafana-79bd77df4f-lccgt    2/2     Running   0          2m10s
multicluster-global-hub-operator-5787469d56-8cmq4   1/1     Running   0          2m38s
multicluster-global-hub-postgresql-0                2/2     Running   0          2m13s
spicedb-operator-7f4474848-m9gns                    1/1     Running   0          2m13s
spicedb-spicedb-759bdd554b-44kpq                    1/1     Running   0          92s
spicedb-spicedb-759bdd554b-6q8q5                    1/1     Running   0          92s
strimzi-cluster-operator-v0.43.0-76f57fb5b7-pvkmv   1/1     Running   0          90s
❯ oc get pvc
NAME                                              STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   VOLUMEATTRIBUTESCLASS   AGE
data-0-kafka-kraft-0                              Bound    pvc-143f6317-8398-47c5-803f-4c1604a66bac   10Gi       RWO            gp3-csi        <unset>                 55s
data-0-kafka-kraft-1                              Bound    pvc-2faf6766-eb88-444b-b107-5078bd326bf6   10Gi       RWO            gp3-csi        <unset>                 55s
data-0-kafka-kraft-2                              Bound    pvc-c34ca80e-049e-474c-9ce8-da83f06017e8   10Gi       RWO            gp3-csi        <unset>                 55s
postgresdb-multicluster-global-hub-postgresql-0   Bound    pvc-357342b0-6888-4398-afcb-a80495832850   25Gi       RWO            gp3-csi        <unset>                 2m17s

[clyang82]

why can't I see the inventory-api component?

[clyang82]

maybe we should use EnqueueRequestForOwner

[yanmxa]

Change with Owns now.

[clyang82]

from e2e, it seems the spicedb-operator cannot be ready. refer to https://github.com/stolostron/multicluster-global-hub/actions/runs/13362270192/job/37313832429?pr=1372#step:5:1329

NAME                               READY   UP-TO-DATE   AVAILABLE   AGE
inventory-api                      1/1     1            1           11s
kafka-entity-operator              1/1     1            1           35s
multicluster-global-hub-manager    1/1     1            1           11s
multicluster-global-hub-operator   1/1     1            1           2m27s
spicedb-operator                   0/1     1            0           2m22s
strimzi-cluster-operator-v0.43.0   1/1     1            1           106s

[sonarqubecloud]

Quality Gate passed

Issues
4 New issues
0 Accepted issues

Measures
0 Security Hotspots
80.1% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[yanmxa]

/test test-integration

[clyang82]

LGTM

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: clyang82, yanmxa

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [clyang82,yanmxa]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment