Add capability to disable TLS warning

Open imclem opened this issue 2 years ago • 2 comments

Hi 👋

I'm running a spicedb cluster, and I'm getting a warning in the Status.Conditions of the cluster because TLS is not configured. I would like to be able to remove this warning. I'm running spicedb internally, nothing is exposed to the outside world, and there should be no security issue without TLS.

Here's the output of describing the cluster:

Name:         spicedb-mycoach-infrastructure
Namespace:    default
Labels:       app.kubernetes.io/managed-by=Helm
Annotations:  meta.helm.sh/release-name: mycoach-infrastructure
              meta.helm.sh/release-namespace: default
API Version:  authzed.com/v1alpha1
Kind:         SpiceDBCluster
Metadata:
  Creation Timestamp:  2023-03-23T17:26:40Z
  Generation:          2
  Managed Fields:
    API Version:  authzed.com/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          f:meta.helm.sh/release-name:
          f:meta.helm.sh/release-namespace:
        f:labels:
          f:app.kubernetes.io/managed-by:
      f:status:
        f:conditions:
        f:currentMigrationHash:
        f:image:
        f:migration:
        f:observedGeneration:
        f:secretHash:
        f:targetMigrationHash:
        f:version:
          f:attributes:
          f:channel:
          f:name:
    Manager:      spicedb-operator
    Operation:    Apply
    Subresource:  status
    Time:         2023-04-04T08:03:28Z
    API Version:  authzed.com/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:meta.helm.sh/release-name:
          f:meta.helm.sh/release-namespace:
        f:labels:
          .:
          f:app.kubernetes.io/managed-by:
      f:spec:
        .:
        f:channel:
        f:config:
          .:
          f:datastoreEngine:
          f:replicas:
        f:secretName:
        f:version:
    Manager:         Go-http-client
    Operation:       Update
    Time:            2023-03-23T17:57:48Z
  Resource Version:  332941291
  UID:               3fd90ca2-f928-4fc1-bb16-326def7e6ae6
Spec:
  Channel:  stable
  Config:
    Datastore Engine:  mysql
    Replicas:          3
  Secret Name:         spicedb-mycoach-infrastructure
  Version:             v1.18.0
Status:
  Conditions:
    Last Transition Time:  2023-03-23T17:26:40Z
    Message:               no TLS configured, consider setting "tlsSecretName"
    Reason:                WarningsPresent
    Status:                True
    Type:                  ConfigurationWarning
  Current Migration Hash:  n698hch68ch65h544h67fh9ch6q
  Image:                   ghcr.io/authzed/spicedb:v1.18.0
  Migration:               add_caveat
  Observed Generation:     2
  Secret Hash:             n645h599h694hd6h96h547h695h688q
  Target Migration Hash:   n698hch68ch65h544h67fh9ch6q
  Version:
    Attributes:
      migration
    Channel:  stable
    Name:     v1.18.0

And the status condition:

Status:
  Conditions:
    Last Transition Time:  2023-03-23T17:26:40Z
    Message:               no TLS configured, consider setting "tlsSecretName"
    Reason:                WarningsPresent
    Status:                True
    Type:                  ConfigurationWarning

Thanks

imclem, Apr 04 '23 08:04

It's perhaps worth noting here that TLS is not really optional for some clients, due to https://github.com/authzed/authzed-py/issues/89

jawnsy, Aug 25 '23 17:08

Is it basically removing the warning from here: https://github.com/authzed/spicedb-operator/blob/main/pkg/config/config.go#L350

akoserwal, Jun 05 '24 13:06