diff --git a/README.md b/README.md index 727d0cbc..b7add735 100644 --- a/README.md +++ b/README.md @@ -84,6 +84,55 @@ zed --insecure --endpoint=localhost:50051 --token=averysecretpresharedkey schema - Learn how to use SpiceDB via the [docs](https://docs.authzed.com/) and [playground](https://play.authzed.com/). - Ask questions and join the community in [discord](https://authzed.com/discord). +## Configuration + +### Datastore TLS Certificates + +If your datastore requires TLS client certificates for authentication, you can configure SpiceDB to use them via the `datastoreTLSSecretName` configuration option. + +When configured, the operator will mount the specified secret's contents at `/spicedb-db-tls` (read-only) in both the SpiceDB pods and migration jobs. You can then reference these certificate files in your `datastore_uri` connection string. + +#### Example: PostgreSQL/CockroachDB with TLS + +1. Create a Kubernetes secret containing your TLS certificates: + +```console +kubectl create secret generic my-db-tls \ + --from-file=ca.crt=/path/to/ca.crt \ + --from-file=tls.crt=/path/to/client.crt \ + --from-file=tls.key=/path/to/client.key +``` + +1. Configure your SpiceDBCluster to use the secret: + +```yaml +apiVersion: authzed.com/v1alpha1 +kind: SpiceDBCluster +metadata: + name: production +spec: + config: + datastoreEngine: cockroachdb + datastoreTLSSecretName: my-db-tls + secretName: production-spicedb-config +--- +apiVersion: v1 +kind: Secret +metadata: + name: production-spicedb-config +stringData: + datastore_uri: "postgresql://user@db.example.com:26257/spicedb?sslmode=verify-full&sslrootcert=/spicedb-db-tls/ca.crt&sslcert=/spicedb-db-tls/tls.crt&sslkey=/spicedb-db-tls/tls.key" + preshared_key: "your-secret-key" +``` + +The certificates will be available at these paths inside the SpiceDB containers: + +- `/spicedb-db-tls/ca.crt` - CA certificate +- `/spicedb-db-tls/tls.crt` - Client certificate +- `/spicedb-db-tls/tls.key` - Client private key + +Note: The exact SSL parameter names depend on your datastore's connection driver. Consult your datastore's documentation for the correct connection string format. + ## Automatic and Suggested Updates The SpiceDB operator now ships with a set of release channels for SpiceDB. diff --git a/examples/cockroachdb-tls-ingress/README.md b/examples/cockroachdb-tls-ingress/README.md index 4157969e..3bc39c60 100644 --- a/examples/cockroachdb-tls-ingress/README.md +++ b/examples/cockroachdb-tls-ingress/README.md @@ -85,6 +85,39 @@ kubectl apply --server-side -k . It is safe and may be necessary to run this multiple times if any of the resources fail to apply. CRDs especially may fail to create, so check the output for them. +## Datastore TLS (Optional) + +This example configures TLS for SpiceDB's API endpoints and internal dispatch communication, but the CockroachDB database connection uses `sslmode=disable` for simplicity. + +If your production database requires TLS client certificates, you can configure them using the `datastoreTLSSecretName` option: + +1. Create a secret with your database TLS certificates: + +```sh +kubectl create secret generic db-tls-certs \ + --namespace spicedb \ + --from-file=ca.crt=/path/to/db-ca.crt \ + --from-file=tls.crt=/path/to/db-client.crt \ + --from-file=tls.key=/path/to/db-client.key +``` + +1. Add `datastoreTLSSecretName` to the SpiceDB cluster config in `spicedb/spicedb.yaml`: + +```yaml +spec: + config: + datastoreTLSSecretName: db-tls-certs +``` + +1. Update the `datastore_uri` in the secret to reference the mounted certificates at `/spicedb-db-tls`: + +```yaml +stringData: + datastore_uri: "postgresql://root@cockroachdb.cockroachdb:26257/defaultdb?sslmode=verify-full&sslrootcert=/spicedb-db-tls/ca.crt&sslcert=/spicedb-db-tls/tls.crt&sslkey=/spicedb-db-tls/tls.key" +``` + +See the main [README](../../README.md#datastore-tls-certificates) for more details. + ## Connect with `zed` If you haven't already, make sure you've installed [zed](https://github.com/authzed/zed#installation).