Proposal: Custom SpiceDB container registry
Some applications require that all images be pulled from a custom container registry, either for vulnerability scanning or for firewall egress reasons. I propose adding an option to spicedb-operator's CRD to allow specifying the registry, which would override the default ghcr.io registry. Supposing the custom registry is public.ecr.aws, a sample image that spicedb-operator would use in a SpiceDB deployment might be public.ecr.aws/authzed/spicedb:v1.39.1.
Here's a SpiceDBCluster with the proposed option:
```yaml
apiVersion: authzed.com/v1alpha1
kind: SpiceDBCluster
metadata:
  name: test-cluster
spec:
  version: "v1.39.1"
  channel: "stable"
  config:
    datastoreEngine: postgres
  secretName: spicedb-config
  containerRegistry: public.ecr.aws
```
There is a field imageName in the update-graph.yaml file that indicates the base image to use for the tags in the graph:
https://github.com/authzed/spicedb-operator/blob/824987d106a0de87a478c96ebe3d8d8fd495fe50/config/update-graph.yaml#L2859
You can overwrite this to change the setting globally for the operator.
That said, I think it might be simpler to have that configuration separate, perhaps as a flag on startup (or per-SpiceDBCluster as you've suggested).
To memorialize a comment made in the Discord, it's not possible to override only the imageName: setting. You have to instead override the entire update-graph.yaml and replace the last line with the custom Docker registry. We are doing that (manually copying the update-graph.yaml file and substituting our own value for imageName), but it's a little hacky.
OK, I'll start putting an implementation together. I'd think we should probably aim for backwards compatibility and support both overriding from the update-graph.yaml and wherever we end up moving the config item to.
see #367
One thing I had forgotten that was already implemented: if you set .config.image = <image without tag or digest> then that will be used as the base image already.
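The two approaches discussed in this thread, rewriting the top-level imageName in a copy of update-graph.yaml and pointing .config.image at a base image without a tag or digest, both come down to the same small piece of reference handling. The script below is an added example written for this page; it is not code from spicedb-operator or from anyone in the thread. The sample update graph is constructed for the example and only approximates the real file's shape (the channel fields are illustrative; only the imageName line is relied on), and the function names are the author's own. It swaps the registry host while keeping the repository path, rejects an imageName that already carries a tag or digest, and treats a colon before the last slash as a registry port rather than a tag.

```python
"""Rewrite the top-level imageName of a copy of update-graph.yaml to a custom
registry, and check that a base image reference carries no tag or digest
(the form .config.image expects). Added example; not spicedb-operator code."""
import re

# Constructed sample in the shape of update-graph.yaml: a channel list followed
# by the top-level imageName that every node's tag is appended to. The channel
# fields are illustrative only; the rewrite touches nothing but imageName.
SAMPLE_UPDATE_GRAPH = """\
channels:
  - name: stable
    metadata:
      datastore: postgres
    nodes:
      - id: v1.39.1
        tag: v1.39.1
    edges:
      v1.39.1: []
imageName: ghcr.io/authzed/spicedb
"""

# Matches only an unindented (top-level) imageName key, one per line.
_IMAGE_NAME_RE = re.compile(r"^imageName:[ \t]*(?P<image>\S+)[ \t]*$", re.MULTILINE)


def split_registry(image: str) -> tuple[str, str]:
    """Split 'host/path' into (host, path). The first component counts as a
    registry host only if it contains '.' or ':' or is 'localhost', following
    Docker's reference grammar; otherwise the name is unqualified and host is ''."""
    head, sep, rest = image.partition("/")
    if sep and ("." in head or ":" in head or head == "localhost"):
        return head, rest
    return "", image


def has_tag_or_digest(image: str) -> bool:
    """True if the reference ends in ':tag' or '@digest'. A ':' before the last
    '/' belongs to a registry port (localhost:5000/...), not to a tag."""
    if "@" in image:
        return True
    last_component = image.rsplit("/", 1)[-1]
    return ":" in last_component


def rewrite_image_name(graph_text: str, registry: str) -> str:
    """Return a copy of the graph whose top-level imageName points at
    `registry`, keeping the repository path (for example authzed/spicedb)."""
    matches = list(_IMAGE_NAME_RE.finditer(graph_text))
    if len(matches) != 1:
        raise ValueError(f"expected exactly one top-level imageName, found {len(matches)}")
    match = matches[0]
    current = match.group("image")
    if has_tag_or_digest(current):
        raise ValueError(f"imageName must be a base image without tag or digest: {current}")
    _, path = split_registry(current)
    new_image = f"{registry.rstrip('/')}/{path}"
    return graph_text[: match.start("image")] + new_image + graph_text[match.end("image"):]


def image_for_version(base_image: str, version: str) -> str:
    """The image the operator would run for a graph node: base image plus tag."""
    if has_tag_or_digest(base_image):
        raise ValueError(f"base image must not already carry a tag or digest: {base_image}")
    return f"{base_image}:{version}"


if __name__ == "__main__":
    print(rewrite_image_name(SAMPLE_UPDATE_GRAPH, "public.ecr.aws"))
    print(image_for_version("public.ecr.aws/authzed/spicedb", "v1.39.1"))
```

The same has_tag_or_digest check is what you want before setting .config.image: if the value already ends in a tag or digest, appending the graph's node tag produces a reference that no registry will resolve.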
Fixed in #367 and released in v1.21.0