Support JSON logging format in operator

Author: ivanauth

README.md

@@ -80,7 +80,7 @@ zed --insecure --endpoint=localhost:50051 --token=averysecretpresharedkey schema
 
 ## Where To Go From Here
 
-- Check out the [examples](examples) directory to see how to configure `SpiceDBCluster` for production, including datastore backends, TLS, and Ingress.
+- Check out the [examples](examples) directory to see how to configure `SpiceDBCluster` for production, including datastore backends, TLS, Ingress, and operator features like JSON logging.
 - Learn how to use SpiceDB via the [docs](https://docs.authzed.com/) and [playground](https://play.authzed.com/).
 - Ask questions and join the community in [discord](https://authzed.com/discord).
 

examples/json-logging/README.md

@@ -0,0 +1,86 @@
+# JSON Logging for SpiceDB Operator
+
+This example demonstrates how to configure the SpiceDB Operator to output logs in JSON format, which is useful for integration with log aggregation systems like ELK (Elasticsearch, Logstash, Kibana) stack, Splunk, or other structured logging solutions.
+
+## Overview
+
+By default, the SpiceDB Operator uses a text-based log format. However, for production environments where logs need to be parsed and analyzed by log aggregation systems, JSON format is often preferred.
+
+## Configuration
+
+### Using the Command Line Flag
+
+The simplest way to enable JSON logging is by using the `--log-format` flag when starting the operator:
+
+```bash
+spicedb-operator run --log-format=json
+```
+
+### In Kubernetes Deployment
+
+To enable JSON logging in a Kubernetes deployment, modify the operator's deployment manifest:
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: spicedb-operator
+  namespace: spicedb-operator
+spec:
+  template:
+    spec:
+      containers:
+      - name: spicedb-operator
+        image: authzed/spicedb-operator:latest
+        args:
+        - "run"
+        - "--log-format=json"
+        # ... other flags
+```
+
+## Log Format Comparison
+
+### Text Format (Default)
+```
+2024-01-15T10:30:45.123Z	INFO	controller	Reconciling SpiceDBCluster	{"namespace": "default", "name": "my-spicedb"}
+2024-01-15T10:30:45.456Z	INFO	controller	Created deployment	{"namespace": "default", "name": "my-spicedb-spicedb"}
+```
+
+### JSON Format
+```json
+{"level":"info","ts":"2024-01-15T10:30:45.123Z","logger":"controller","msg":"Reconciling SpiceDBCluster","namespace":"default","name":"my-spicedb"}
+{"level":"info","ts":"2024-01-15T10:30:45.456Z","logger":"controller","msg":"Created deployment","namespace":"default","name":"my-spicedb-spicedb"}
+```
+
+## Integration with ELK Stack
+
+When using JSON logging with the ELK stack:
+
+1. **Filebeat Configuration**: Configure Filebeat to read the operator logs:
+   ```yaml
+   filebeat.inputs:
+   - type: container
+     paths:
+       - /var/log/containers/spicedb-operator-*.log
+     processors:
+       - decode_json_fields:
+           fields: ["message"]
+           target: ""
+           overwrite_keys: true
+   ```
+
+2. **Logstash Pipeline**: No special parsing is needed as the logs are already structured.
+
+3. **Kibana**: You can directly query and visualize the structured log fields.
+
+## Benefits
+
+- **Structured Data**: Each log entry is a valid JSON object with consistent fields
+- **Easy Parsing**: No need for complex regular expressions to parse log entries
+- **Better Search**: Log aggregation systems can index individual fields for faster searching
+- **Standardized Format**: Compatible with most modern logging infrastructure
+- **Machine-Readable**: Easier to process logs programmatically for alerting or analysis
+
+## Complete Example
+
+See the [operator-with-json-logging.yaml](operator-with-json-logging.yaml) file for a complete example of deploying the SpiceDB Operator with JSON logging enabled.

examples/json-logging/operator-with-json-logging.yaml

@@ -0,0 +1,142 @@
+# Example deployment of SpiceDB Operator with JSON logging enabled
+#
+# This manifest shows how to configure the operator to output logs in JSON format
+# for better integration with log aggregation systems like ELK stack.
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: spicedb-operator
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: spicedb-operator
+  namespace: spicedb-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: spicedb-operator
+rules:
+- apiGroups: [""]
+  resources: ["namespaces", "secrets", "services", "serviceaccounts", "endpoints", "events", "configmaps", "pods"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["apps"]
+  resources: ["deployments", "replicasets", "statefulsets"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["batch"]
+  resources: ["jobs"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["policy"]
+  resources: ["poddisruptionbudgets"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: ["roles", "rolebindings"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["authzed.com"]
+  resources: ["spicedbclusters"]
+  verbs: ["get", "list", "watch", "update", "patch"]
+- apiGroups: ["authzed.com"]
+  resources: ["spicedbclusters/status"]
+  verbs: ["get", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: spicedb-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: spicedb-operator
+subjects:
+- kind: ServiceAccount
+  name: spicedb-operator
+  namespace: spicedb-operator
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: spicedb-operator
+  namespace: spicedb-operator
+  labels:
+    app: spicedb-operator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: spicedb-operator
+  template:
+    metadata:
+      labels:
+        app: spicedb-operator
+    spec:
+      serviceAccountName: spicedb-operator
+      containers:
+      - name: spicedb-operator
+        image: authzed/spicedb-operator:latest
+        args:
+        - "run"
+        - "--log-format=json"  # Enable JSON logging
+        - "--debug-address=:8080"
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        ports:
+        - name: metrics
+          containerPort: 8080
+          protocol: TCP
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        resources:
+          limits:
+            memory: "256Mi"
+            cpu: "500m"
+          requests:
+            memory: "128Mi"
+            cpu: "100m"
+---
+# Optional: Service to expose metrics endpoint
+apiVersion: v1
+kind: Service
+metadata:
+  name: spicedb-operator-metrics
+  namespace: spicedb-operator
+  labels:
+    app: spicedb-operator
+spec:
+  ports:
+  - name: metrics
+    port: 8080
+    targetPort: 8080
+  selector:
+    app: spicedb-operator
+---
+# Optional: ServiceMonitor for Prometheus Operator
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: spicedb-operator
+  namespace: spicedb-operator
+  labels:
+    app: spicedb-operator
+spec:
+  selector:
+    matchLabels:
+      app: spicedb-operator
+  endpoints:
+  - port: metrics
+    path: /metrics
+    interval: 30s

go.mod

@@ -10,13 +10,15 @@ require (
 	github.com/evanphx/json-patch v5.9.11+incompatible
 	github.com/fatih/camelcase v1.0.0
 	github.com/go-logr/logr v1.4.2
+	github.com/go-logr/zapr v1.3.0
 	github.com/gosimple/slug v1.15.0
 	github.com/jzelinskie/stringz v0.0.3
 	github.com/magefile/mage v1.15.0
 	github.com/samber/lo v1.49.1
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	go.uber.org/atomic v1.11.0
+	go.uber.org/zap v1.27.0
 	golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8
 	k8s.io/api v0.34.0-alpha.2
 	k8s.io/apimachinery v0.34.0-alpha.2
@@ -120,7 +122,6 @@ require (
 	go.opentelemetry.io/otel/trace v1.35.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go.uber.org/zap v1.27.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.3 // indirect
 	golang.org/x/crypto v0.38.0 // indirect

pkg/cmd/run/run.go

@@ -2,8 +2,12 @@ package run
 
 import (
 	"context"
+	"fmt"
 
+	"github.com/go-logr/logr"
+	"github.com/go-logr/zapr"
 	"github.com/spf13/cobra"
+	"go.uber.org/zap"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/util/errors"
@@ -48,6 +52,9 @@ type Options struct {
 	MetricNamespace string
 
 	WatchNamespaces []string
+
+	// LogFormat specifies the log format: "text" or "json"
+	LogFormat string
 }
 
 // RecommendedOptions builds a new options config with default values
@@ -57,6 +64,7 @@ func RecommendedOptions() *Options {
 		DebugFlags:      ctrlmanageropts.RecommendedDebuggingOptions(),
 		DebugAddress:    ":8080",
 		MetricNamespace: "spicedb_operator",
+		LogFormat:       "text",
 	}
 }
 
@@ -89,6 +97,7 @@ func NewCmdRun(o *Options) *cobra.Command {
 	globalflag.AddGlobalFlags(globalFlags, cmd.Name())
 	globalFlags.StringVar(&o.OperatorConfigPath, "config", "", "set a path to the operator's config file (configure registries, image tags, etc)")
 	globalFlags.StringVar(&o.BaseImage, "base-image", "", "default base image for SpiceDB containers")
+	globalFlags.StringVar(&o.LogFormat, "log-format", o.LogFormat, "log format: text or json")
 
 	for _, f := range namedFlagSets.FlagSets {
 		cmd.Flags().AddFlagSet(f)
@@ -102,7 +111,15 @@ func NewCmdRun(o *Options) *cobra.Command {
 
 // Validate checks the set of flags provided by the user.
 func (o *Options) Validate() error {
-	return errors.NewAggregate(o.DebugFlags.Validate())
+	validationErrors := []error{}
+
+	// Allow empty string to use default
+	if o.LogFormat != "" && o.LogFormat != "text" && o.LogFormat != "json" {
+		validationErrors = append(validationErrors, fmt.Errorf("invalid log format %q: must be 'text' or 'json'", o.LogFormat))
+	}
+
+	validationErrors = append(validationErrors, o.DebugFlags.Validate()...)
+	return errors.NewAggregate(validationErrors)
 }
 
 // Run performs the apply operation.
@@ -113,7 +130,27 @@ func (o *Options) Run(ctx context.Context, f cmdutil.Factory) error {
 	}
 	DisableClientRateLimits(restConfig)
 
-	logger := textlogger.NewLogger(textlogger.NewConfig())
+	// Configure logger based on format
+	// Use default if empty
+	logFormat := o.LogFormat
+	if logFormat == "" {
+		logFormat = "text"
+	}
+
+	var logger logr.Logger
+	if logFormat == "json" {
+		// Use zap with JSON encoder
+		zapConfig := zap.NewProductionConfig()
+		zapConfig.DisableStacktrace = true
+		zapLog, err := zapConfig.Build()
+		if err != nil {
+			return fmt.Errorf("failed to create JSON logger: %w", err)
+		}
+		logger = zapr.NewLogger(zapLog)
+	} else {
+		// Use default text logger
+		logger = textlogger.NewLogger(textlogger.NewConfig())
+	}
 
 	dclient, err := dynamic.NewForConfig(restConfig)
 	if err != nil {
@@ -155,7 +192,7 @@ func (o *Options) Run(ctx context.Context, f cmdutil.Factory) error {
 		controllers = append(controllers, staticSpiceDBController)
 	}
 
-	ctrl, err := controller.NewController(ctx, registry, dclient, kclient, resources, o.OperatorConfigPath, o.BaseImage, broadcaster, o.WatchNamespaces)
+	ctrl, err := controller.NewController(ctx, logger, registry, dclient, kclient, resources, o.OperatorConfigPath, o.BaseImage, broadcaster, o.WatchNamespaces)
 	if err != nil {
 		return err
 	}