{"id":13521129,"url":"https://github.com/authzed/spicedb-operator","last_synced_at":"2025-04-05T21:06:07.298Z","repository":{"id":58876080,"uuid":"491227630","full_name":"authzed/spicedb-operator","owner":"authzed","description":"Kubernetes controller for managing instances of SpiceDB","archived":false,"fork":false,"pushed_at":"2025-03-19T18:36:51.000Z","size":1999,"stargazers_count":79,"open_issues_count":35,"forks_count":32,"subscribers_count":7,"default_branch":"main","last_synced_at":"2025-03-29T20:02:54.445Z","etag":null,"topics":["authorization","authzed","database","database-management","distributed","distributed-systems","fine-grained-authorization","go","golang","graph-database","kubernetes","kubernetes-controller","kubernetes-operator","permissions","production","scale","security","security-tools","spicedb","zanzibar"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/authzed.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE-OF-CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-05-11T18:23:35.000Z","updated_at":"2025-03-29T13:38:55.000Z","dependencies_parsed_at":"2022-09-08T21:41:12.443Z","dependency_job_id":"678a0d2f-046b-4515-bd55-a84b60498dd1","html_url":"https://github.com/authzed/spicedb-operator","commit_stats":{"total_commits":342,"total_committers":15,"mean_commits":22.8,"dds":0.3391812865497076,"last_synced_commit":"a9124b625adeca9a3a6d314611a38ab5a192a1fe"},"previous_names":[],"tags_count":28,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authzed%2Fspicedb-operator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authzed%2Fspicedb-operator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authzed%2Fspicedb-operator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authzed%2Fspicedb-operator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/authzed","download_url":"https://codeload.github.com/authzed/spicedb-operator/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247399871,"owners_count":20932876,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authorization","authzed","database","database-management","distributed","distributed-systems","fine-grained-authorization","go","golang","graph-database","kubernetes","kubernetes-controller","kubernetes-operator","permissions","production","scale","security","security-tools","spicedb","zanzibar"],"created_at":"2024-08-01T06:00:29.048Z","updated_at":"2025-04-05T21:06:07.273Z","avatar_url":"https://github.com/authzed.png","language":"Go","funding_links":[],"categories":["Developer Tools"],"sub_categories":["Official Tools"],"readme":"# SpiceDB Operator\n\n[![Container Image](https://img.shields.io/github/v/release/authzed/spicedb-operator?color=%232496ED\u0026label=container\u0026logo=docker \"Container Image\")](https://hub.docker.com/r/authzed/spicedb-operator/tags)\n[![Docs](https://img.shields.io/badge/docs-authzed.com-%234B4B6C \"Authzed Documentation\")](https://docs.authzed.com)\n[![Build Status](https://github.com/authzed/spicedb-operator/workflows/Build%20\u0026%20Test/badge.svg \"GitHub Actions\")](https://github.com/authzed/spicedb-operator/actions)\n[![Discord Server](https://img.shields.io/discord/844600078504951838?color=7289da\u0026logo=discord \"Discord Server\")](https://discord.gg/jTysUaxXzM)\n[![Twitter](https://img.shields.io/twitter/follow/authzed?color=%23179CF0\u0026logo=twitter\u0026style=flat-square \"@authzed on Twitter\")](https://twitter.com/authzed)\n\nA [Kubernetes operator] for managing [SpiceDB] clusters.\n\nFeatures include:\n\n- Creation, management, and scaling of SpiceDB clusters with a single [Custom Resource]\n- Automated datastore migrations when upgrading SpiceDB versions\n\nHave questions? Join our [Discord].\n\nLooking to contribute? See [CONTRIBUTING.md].\n\n[Kubernetes operator]: https://kubernetes.io/docs/concepts/extend-kubernetes/operator/\n[SpiceDB]: https://github.com/authzed/spicedb\n[Custom Resource]: https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/\n[Discord]: https://authzed.com/discord\n[CONTRIBUTING.md]: CONTRIBUTING.md\n\n## Getting Started\n\nIn order to get started, you'll need a Kubernetes cluster.\nFor local development, install your tool of choice.\nYou can use whatever, so long as you're comfortable with it and it works on your platform.\nWe recommend one of the following:\n\n- [Docker Desktop](https://www.docker.com/products/docker-desktop/)\n- [kind](https://kind.sigs.k8s.io)\n- [minikube](https://minikube.sigs.k8s.io)\n\nNext, you'll install a [release](https://github.com/authzed/spicedb-operator/releases/) of the operator:\n\n```console\nkubectl apply --server-side -f https://github.com/authzed/spicedb-operator/releases/latest/download/bundle.yaml\n```\n\nFinally you can create your first cluster:\n\n```console\nkubectl apply --server-side -f - \u003c\u003cEOF\napiVersion: authzed.com/v1alpha1\nkind: SpiceDBCluster\nmetadata:\n  name: dev\nspec:\n  config:\n    datastoreEngine: memory\n  secretName: dev-spicedb-config\n---\napiVersion: v1\nkind: Secret\nmetadata:\n  name: dev-spicedb-config\nstringData:\n  preshared_key: \"averysecretpresharedkey\" \nEOF\n```\n\n## Connecting To Your Cluster\n\nIf you haven't already, make sure you've installed [zed](https://github.com/authzed/zed#installation).\n\nPort forward the grpc endpoint:\n\n```console\nkubectl port-forward deployment/dev-spicedb 50051:50051\n```\n\nNow you can use zed to interact with SpiceDB:\n\n```console\nzed --insecure --endpoint=localhost:50051 --token=averysecretpresharedkey schema read\n```\n\n## Where To Go From Here\n\n- Check out the [examples](examples) directory to see how to configure `SpiceDBCluster` for production, including datastore backends, TLS, and Ingress.\n- Learn how to use SpiceDB via the [docs](https://docs.authzed.com/) and [playground](https://play.authzed.com/).\n- Ask questions and join the community in [discord](https://authzed.com/discord).\n\n## Automatic and Suggested Updates\n\nThe SpiceDB operator now ships with a set of release channels for SpiceDB.\nRelease channels allow the operator to walk through a safe series of updates, like the [phased migration for postgres in SpiceDB v1.14.0](https://github.com/authzed/spicedb/releases/tag/v1.14.0)\n\nThere are two ways you can choose to use update channels:\n\n- automatic updates\n- suggested updates\n\nWhich mode you choose depends on your tolerance for uncertainty.\nIf possible, we recommend running a stage or canary instance with automatic updates enabled, and using suggested updates for production and production-like environments.\n\nIf no channel is selected, a default (stable) channel will be used for the selected datastore.\n\nAvailable Update Channels:\n\n| Datastore   | Channels |\n|-------------|----------|\n| postgres    | stable   |\n| cockroachdb | stable   |\n| mysql       | stable   |\n| spanner     | stable   |\n| memory      | stable   |\n\n### Automatic Updates\n\nIf you do not specify a `version` that you want to run, the operator will always keep you up to date with the newest version in the channel.\n\nIf the operator or the update graph changes, the head of the channel may change and trigger an update.\n\n```yaml\napiVersion: authzed.com/v1alpha1\nkind: SpiceDBCluster\nmetadata:\n  name: dev\n  namespace: default\nspec:\n  channel: stable \n  config:\n    datastoreEngine: cockroachdb\nstatus:\n  version:\n    name: v1.16.1\n    channel: stable \n```\n\n### Suggested Updates\n\nEven if you do not want automatic updates, you should choose an update channel - this ensures you do not miss important upgrade steps in phased migrations.\n\nBy specifying a `version`, the operator will install the specific version you have requested.\nIf another version is already running, the operator will walk through the steps defined in the update channel, but will stop once it reaches `version`.\nNo updates will be taken automatically, you must pick the next version to run and write it into the `spec.version` field.\nThis keeps SpiceDB updates \"on rails\" while giving you full control over when and how to roll out updates.\n\nOnce you are at the specified `version`, the operator will inform you of available updates in the status of the `SpiceDBCluster`:\n\n```yaml\napiVersion: authzed.com/v1alpha1\nkind: SpiceDBCluster\nmetadata:\n  name: dev\nspec:\n  channel: stable \n  version: v1.14.0\n  config:\n    datastoreEngine: cockroachdb\nstatus:\n  version:\n    name: v1.14.0\n    channel: stable \n  availableVersions:\n  - name: v1.14.1\n    channel: stable\n    description: direct update with no migrations\n```\n\nNote that it can also show you updates that are available in other channels, if you wish to switch back and forth (be careful! if you switch to another channel and update, there may not be a path to get back to the original channel!)\nOnly the nearest-neighbor update will be shown for channels other than the current one.\n\n### Force Override\n\nYou can opt out of update channels entirely, and force spicedb-operator to install a specific image and manage it as a `spicedb` instance.\n\nThis is not recommended, but may be useful for development environments or to try prerelease versions of SpiceDB before they are in an update channel.\n\n```yaml=\napiVersion: authzed.com/v1alpha1\nkind: SpiceDBCluster\nmetadata:\n  name: dev\nspec:\n  config:\n    image: ghcr.io/authzed/spicedb:v1.11.0-prerelease\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fauthzed%2Fspicedb-operator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fauthzed%2Fspicedb-operator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fauthzed%2Fspicedb-operator/lists"}