-
Notifications
You must be signed in to change notification settings - Fork 33
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
✨ Install spicedb #1372
✨ Install spicedb #1372
Conversation
/test sonarcloud |
Signed-off-by: myan <[email protected]>
Signed-off-by: myan <[email protected]>
Signed-off-by: myan <[email protected]>
Signed-off-by: myan <[email protected]>
Signed-off-by: myan <[email protected]>
Signed-off-by: myan <[email protected]>
Signed-off-by: myan <[email protected]>
Signed-off-by: myan <[email protected]>
Signed-off-by: myan <[email protected]>
Signed-off-by: myan <[email protected]>
Signed-off-by: myan <[email protected]>
Signed-off-by: myan <[email protected]>
Signed-off-by: myan <[email protected]>
Signed-off-by: myan <[email protected]>
Signed-off-by: myan <[email protected]>
Signed-off-by: myan <[email protected]>
one comment: we need to control the spicedb components with |
Signed-off-by: myan <[email protected]>
Done |
/test test-integration |
Signed-off-by: myan <[email protected]>
...or/pkg/controllers/inventory/manifests/spicedb-operator/3.spicedb-operator.clusterroles.yaml
Outdated
Show resolved
Hide resolved
labels: | ||
rbac.authorization.k8s.io/aggregate-to-admin: "true" | ||
rbac.authorization.k8s.io/aggregate-to-edit: "true" | ||
name: spicedb-operator-edit |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This role is intended for user access, not the operator. Remove it for now.
rbac.authorization.k8s.io/aggregate-to-admin: "true" | ||
rbac.authorization.k8s.io/aggregate-to-edit: "true" | ||
rbac.authorization.k8s.io/aggregate-to-view: "true" | ||
name: spicedb-operator-view |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As above, remove it for now
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: spicedb-operator |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
suggest to add multicluster-global-hub: as prefix to avoid collision.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
@@ -0,0 +1,2796 @@ | |||
apiVersion: v1 | |||
data: | |||
update-graph.yaml: | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is it necessary for spicedb operator?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I couldn't find a description of it. Open an issue in the community to track it. authzed/spicedb-operator#351
name: spicedb-operator | ||
namespace: {{.Namespace}} | ||
spec: | ||
replicas: {{.Replicas}} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
for operator, maybe we just hardcode 1 replica
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
pgConfig.Host, | ||
pgConfig.Port, | ||
InventoryDatabaseName, | ||
"disable", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
need a TODO to support verify-full
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
replicas = 2 | ||
} | ||
|
||
// create spicedb cluster |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
how to specify the PV in spicedb?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just reinstalled it but didn't find any PVC associated with Spicedb.
❯ oc get pods
NAME READY STATUS RESTARTS AGE
kafka-entity-operator-6765f65976-wnx2m 0/2 Running 0 9s
kafka-kraft-0 1/1 Running 0 49s
kafka-kraft-1 1/1 Running 0 49s
kafka-kraft-2 1/1 Running 0 49s
multicluster-global-hub-grafana-79bd77df4f-5kspv 2/2 Running 0 2m10s
multicluster-global-hub-grafana-79bd77df4f-lccgt 2/2 Running 0 2m10s
multicluster-global-hub-operator-5787469d56-8cmq4 1/1 Running 0 2m38s
multicluster-global-hub-postgresql-0 2/2 Running 0 2m13s
spicedb-operator-7f4474848-m9gns 1/1 Running 0 2m13s
spicedb-spicedb-759bdd554b-44kpq 1/1 Running 0 92s
spicedb-spicedb-759bdd554b-6q8q5 1/1 Running 0 92s
strimzi-cluster-operator-v0.43.0-76f57fb5b7-pvkmv 1/1 Running 0 90s
❯ oc get pvc
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS VOLUMEATTRIBUTESCLASS AGE
data-0-kafka-kraft-0 Bound pvc-143f6317-8398-47c5-803f-4c1604a66bac 10Gi RWO gp3-csi <unset> 55s
data-0-kafka-kraft-1 Bound pvc-2faf6766-eb88-444b-b107-5078bd326bf6 10Gi RWO gp3-csi <unset> 55s
data-0-kafka-kraft-2 Bound pvc-c34ca80e-049e-474c-9ce8-da83f06017e8 10Gi RWO gp3-csi <unset> 55s
postgresdb-multicluster-global-hub-postgresql-0 Bound pvc-357342b0-6888-4398-afcb-a80495832850 25Gi RWO gp3-csi <unset> 2m17s
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why can't I see the inventory-api component?
err := ctrl.NewControllerManagedBy(mgr).Named("spicedb-cluster"). | ||
For(&v1alpha4.MulticlusterGlobalHub{}, builder.WithPredicates(config.MGHPred)). | ||
Watches(&corev1.Secret{}, &handler.EnqueueRequestForObject{}, builder.WithPredicates(spiceDBSecretPred)). | ||
Watches(&spicedbv1alpha1.SpiceDBCluster{}, &handler.EnqueueRequestForObject{}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe we should use EnqueueRequestForOwner
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Change with Owns
now.
Signed-off-by: myan <[email protected]>
from e2e, it seems the spicedb-operator cannot be ready. refer to https://github.com/stolostron/multicluster-global-hub/actions/runs/13362270192/job/37313832429?pr=1372#step:5:1329
|
Signed-off-by: myan <[email protected]>
Signed-off-by: myan <[email protected]>
Signed-off-by: myan <[email protected]>
Signed-off-by: myan <[email protected]>
Signed-off-by: myan <[email protected]>
|
/test test-integration |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: clyang82, yanmxa The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Summary
Related issue(s)
Fixes # https://issues.redhat.com/browse/ACM-17759
Tests
make unit-tests
.make integration-test
.make e2e-test-all
.