Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remote SpiceDB Support #24

Merged
merged 1 commit into from
Sep 6, 2023
Merged

Remote SpiceDB Support #24

merged 1 commit into from
Sep 6, 2023

Conversation

vroldanbet
Copy link
Contributor

@vroldanbet vroldanbet commented Sep 1, 2023
edited
Loading

Closes #8
Based on top of #16

The proxy now takes new arguments to configure a remote SpiceDB:

  • spicedb-endpoint: URL to the remote SpiceDB
  • spicedb-insecure: allows connecting to SpiceDB in plain text
  • spicedb-skip-verify-ca: lets the proxy connect to a remote service without
    verifying the certificate trust chain
  • spicedb-token: the preshared key of the remote server

if spicedb-endpoint is set to embedded://, the original
behavior of spinning up an embedded SpiceDB will take place, which
is useful for testing purposes.

An additional flag to support setting a path for the durable task database is
also added: durabletask-database-path. It will default to /tmp/dtx.sqlite.

Note

I implemented it so Complete(context.Context) wouldn't fail if it was unable to reach to the server. I could have used WithBlock and make it fail with a timeout, so that it ends up restarted after it fails kube's health check. I considered that having rakis call the proxy and get a "no healthy backend" wasn't much better than getting an error because the gRPC connection is broken.

@vroldanbet vroldanbet self-assigned this Sep 1, 2023
@github-actions github-actions bot added area/core area/dependencies Affects dependencies area/tooling Affects the dev or user toolchain labels Sep 1, 2023
@vroldanbet vroldanbet changed the base branch from main to durable-writes September 1, 2023 13:51
@ecordell ecordell force-pushed the durable-writes branch 3 times, most recently from e9c8ce0 to db94273 Compare September 1, 2023 21:52
@vroldanbet vroldanbet mentioned this pull request Sep 4, 2023
Merged
@github-actions github-actions bot removed the area/dependencies Affects dependencies label Sep 4, 2023
@vroldanbet vroldanbet force-pushed the remote-spicedb branch 7 times, most recently from 1bcfaac to ef2a553 Compare September 4, 2023 17:56
@vroldanbet vroldanbet marked this pull request as ready for review September 4, 2023 17:58
@vroldanbet vroldanbet changed the base branch from durable-writes to main September 6, 2023 10:09
@vroldanbet
support remote SpiceDB
992df9b 
the proxy now take new arguments to configure
a remote SpiceDB:

- spicedb-endpoint: url to the remote SpiceDB
- spicedb-insecure: allows connecting to SpiceDB in plain text
- spicedb-skip-verify-ca: lets the proxy connect to a remote service without
  verifying the certificate trust chain
- spicedb-token: the preshared key of the remote server

if spicedb-endpoint is set to "embedded://", the original
behaviour of spinning up an embedded SpiceDB will take place, which
is useful for testing purposes.

An additional flag to support setting a path for the durable task database is
also added: durabletask-database-path. It will default to /tmp/dtx.sqlite".
ecordell
ecordell reviewed Sep 6, 2023
View reviewed changes
pkg/proxy/server.go
@@ -146,7 +137,11 @@ func NewServer(ctx context.Context, o Options) (*Server, error) {
codecs := serializer.NewCodecFactory(scheme)
failHandler := genericapifilters.Unauthorized(codecs)

handler := s.WithAuthorization(clusterProxy, failHandler, watchClient, taskHubClient)
handler, err := WithAuthorization(clusterProxy, failHandler, o.PermissionsClient, o.WatchClient, taskHubClient, &s.LockMode)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just curious why you made this not a method? it would have direct access to the lockmode and clients if so

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wanted to separate concerns, the server was becoming a god-class like structure and I thought as the authorization handler evolves, it would be easier for testing purposes to decouple it from the server.

@ecordell ecordell merged commit fcc8bd1 into main Sep 6, 2023
6 checks passed
@github-actions github-actions bot locked and limited conversation to collaborators Sep 6, 2023
@vroldanbet vroldanbet deleted the remote-spicedb branch September 6, 2023 11:51
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@ecordell ecordell ecordell approved these changes

Assignees

@vroldanbet vroldanbet

Labels
area/core area/tooling Affects the dev or user toolchain
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

remove k8s proxy's embedded spicedb
2 participants
@vroldanbet @ecordell