A Comprehensive Guide to Setting Up SpiceDB with PostgreSQL and a Monitoring Stack

Abhishek koserwal
4 min read · Jun 28, 2023

In this post, we will learn how to use kind to set up Authzed SpiceDB with a PostgreSQL database on a local Kubernetes cluster. We will also set up a monitoring stack with the help of kube-prometheus-stack.

Architecture

Prerequisites:

Setup code repository

Start by cloning the spicedb-postgres-kube repository from GitHub using the following command:

git clone https://github.com/akoserwal/spicedb-postgres-kube.git

Run the setup script

./setup.sh  

The script will create a local Kubernetes cluster using kind.

creating kind cluster
Creating cluster "sp-cluster" ...
✓ Ensuring node image (kindest/node:v1.25.3) 🖼
✓ Preparing nodes 📦
✓ Writing configuration 📜
✓ Starting control-plane 🕹️
✓ Installing CNI 🔌
✓ Installing StorageClass 💾
Set kubectl context to "kind-sp-cluster"
You can now use your cluster with:

kubectl cluster-info --context kind-sp-cluster

Once the Kubernetes cluster is up and running, the script installs Contour, a high-performance ingress controller for Kubernetes. Contour provides the ingress for SpiceDB and the monitoring stack.

deploy contour
namespace/projectcontour created
serviceaccount/contour created
serviceaccount/envoy created
configmap/contour created
customresourcedefinition.apiextensions.k8s.io/contourconfigurations.projectcontour.io created
customresourcedefinition.apiextensions.k8s.io/contourdeployments.projectcontour.io created
customresourcedefinition.apiextensions.k8s.io/extensionservices.projectcontour.io created
customresourcedefinition.apiextensions.k8s.io/httpproxies.projectcontour.io created
customresourcedefinition.apiextensions.k8s.io/tlscertificatedelegations.projectcontour.io created
serviceaccount/contour-certgen created
rolebinding.rbac.authorization.k8s.io/contour created
role.rbac.authorization.k8s.io/contour-certgen created
job.batch/contour-certgen-v1.22.0 created
clusterrolebinding.rbac.authorization.k8s.io/contour created
rolebinding.rbac.authorization.k8s.io/contour-rolebinding created
clusterrole.rbac.authorization.k8s.io/contour created
role.rbac.authorization.k8s.io/contour created
service/contour created
service/envoy created
deployment.apps/contour created
daemonset.apps/envoy created

The script then creates the spicedb namespace and installs PostgreSQL and SpiceDB.

create spicedb namespace
namespace/spicedb created
deploy postgres
secret/postgres-credentials created
persistentvolume/postgres-pv created
persistentvolumeclaim/postgres-pvc created
service/postgres created
deployment.apps/postgres created
deploy spicedb
secret/spicedb-datastore created
secret/spicedb-preshared created
deployment.apps/spicedb created
service/spicedb created
ingress.networking.k8s.io/spicedb-https created
ingress.networking.k8s.io/spicedb-prometheus created
ingress.networking.k8s.io/spicedb-grpc created
httpproxy.projectcontour.io/spicedb created

Once SpiceDB and its PostgreSQL database are up and running, you will see the generated ingress endpoints.

spicedb-grpc         <none>   spicedb-grpc.127.0.0.1.nip.io     80      34s
spicedb-https        <none>   spicedb-http.127.0.0.1.nip.io     80      34s
spicedb-prometheus   <none>   spicedb-metric.127.0.0.1.nip.io   80      34s

For example, if you make a curl request from a different terminal to the SpiceDB metrics endpoint, you will see the generated metrics.

Test the SpiceDB gRPC endpoint using grpcurl:

$ grpcurl -plaintext spicedb-grpc.127.0.0.1.nip.io:80 list
authzed.api.v1.ExperimentalService
authzed.api.v1.PermissionsService
authzed.api.v1.SchemaService
grpc.health.v1.Health
grpc.reflection.v1alpha.ServerReflection

We can use zed, the official SpiceDB client, to add a schema (`--insecure` makes zed connect over plaintext, like `-plaintext` in the grpcurl call above):

zed schema write ./schema/schema.zed --endpoint spicedb-grpc.127.0.0.1.nip.io:80 --insecure --token "foobar"

Check the schema using zed schema read:

zed schema read --endpoint spicedb-grpc.127.0.0.1.nip.io:80 --insecure --token "foobar"
definition user {}

definition doc {
    relation reader: user
    relation writer: user
    permission read = reader + writer
    permission write = writer
}
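What this schema grants, as an added example that is not part of the original post and not SpiceDB's own implementation: a minimal Python evaluator that supports only the constructs used here (direct relations and `+` unions). The `doc:readme`, `user:alice` and `user:bob` identifiers are constructed sample data.

```python
import re
# Schema text as returned by `zed schema read` above.
SCHEMA = """
definition user {}

definition doc {
    relation reader: user
    relation writer: user
    permission read = reader + writer
    permission write = writer
}
"""

def parse_schema(text):
    """Map each definition to its relations and permissions."""
    schema = {}
    for name, body in re.findall(r"definition\s+(\w+)\s*\{(.*?)\}", text, re.S):
        rels, perms = {}, {}
        for line in filter(None, map(str.strip, body.splitlines())):
            if m := re.fullmatch(r"relation\s+(\w+)\s*:\s*(\w+)", line):
                rels[m[1]] = m[2]  # relation name -> allowed subject type
            elif m := re.fullmatch(r"permission\s+(\w+)\s*=\s*(.+)", line):
                perms[m[1]] = [t.strip() for t in m[2].split("+")]  # union terms
            else:
                raise ValueError(f"unsupported schema line: {line!r}")
        schema[name] = {"relations": rels, "permissions": perms}
    return schema

def write_relationship(store, schema, resource, relation, subject):
    """Store a tuple only if the schema allows that subject type on the relation."""
    rtype, stype = resource.split(":")[0], subject.split(":")[0]
    if schema.get(rtype, {}).get("relations", {}).get(relation) != stype:
        raise ValueError(f"{rtype}#{relation} does not accept {stype}")
    store.add((resource, relation, subject))

def check(store, schema, resource, name, subject):
    """True if subject holds the relation, or any term of the permission's union."""
    d = schema[resource.split(":")[0]]
    if name in d["relations"]:
        return (resource, name, subject) in store
    return any(check(store, schema, resource, t, subject) for t in d["permissions"][name])

if __name__ == "__main__":
    schema, store = parse_schema(SCHEMA), set()
    write_relationship(store, schema, "doc:readme", "writer", "user:alice")  # constructed data
    write_relationship(store, schema, "doc:readme", "reader", "user:bob")
    for who in ("user:alice", "user:bob"):
        print(who, {p: check(store, schema, "doc:readme", p, who) for p in ("read", "write")})
```

A writer can read because `read` is the union of `reader` and `writer`; a reader cannot write, and a subject of the wrong type is rejected when the relationship is written.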

Meanwhile, the script will install the monitoring stack using the kube-prometheus-stack Helm chart.

Install kube prometheus
NAME: kube-prometheus-stack
LAST DEPLOYED: Wed Jun 28 14:58:28 2023
NAMESPACE: monitoring
STATUS: deployed
REVISION: 1
NOTES:
kube-prometheus-stack has been installed. Check its status by running:
kubectl --namespace monitoring get pods -l "release=kube-prometheus-stack"

Visit https://github.com/prometheus-operator/kube-prometheus for instructions on how to create & configure Alertmanager and Prometheus instances using the Operator.
pod/kube-prometheus-stack-kube-state-metrics-6d8b9f8644-f8krv condition met
pod/kube-prometheus-stack-operator-575d5fc68d-jbsh8 condition met
pod/kube-prometheus-stack-prometheus-node-exporter-zxjp8 condition met
Setup service monitor for spicedb
servicemonitor.monitoring.coreos.com/spicedb-service-monitor created
ingress.networking.k8s.io/prom created
ingress.networking.k8s.io/grafana created

Endpoints for Prometheus and Grafana

NAME      CLASS    HOSTS                      ADDRESS   PORTS   AGE
grafana   <none>   grafana.127.0.0.1.nip.io             80      1s
prom      <none>   prom.127.0.0.1.nip.io                80      1s

Prometheus

Open the URL prom.127.0.0.1.nip.io in the browser.

Grafana

Grafana dashboard

To get the Grafana “admin” user password, run this command in a terminal:

kubectl get secret/kube-prometheus-stack-grafana -n monitoring --template='{{index .data "admin-password"}}' | base64 -d

Once you log in with these credentials, the administration section shows that Prometheus has been added as the default data source.

We can add a dashboard.

Conclusion

We have seen how to set up SpiceDB with PostgreSQL and a monitoring stack on a local Kubernetes cluster. The spicedb-postgres-kube repository facilitates SpiceDB’s integration with PostgreSQL and a monitoring stack. Using the commands mentioned, you can quickly deploy and monitor SpiceDB.

Please give me a cheer if you like the post. Thank you for reading!
