[spicedb] rolling update when schema changes (#18561)

Author: svenefftinge

components/server/src/authorization/spicedb-authorizer.ts

@@ -6,6 +6,7 @@
 
 import { v1 } from "@authzed/authzed-node";
 import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
+import { TrustedValue } from "@gitpod/gitpod-protocol/lib/util/scrubbing";
 
 import { getExperimentsClientForBackend } from "@gitpod/gitpod-protocol/lib/experiments/configcat-server";
 import { inject, injectable } from "inversify";
@@ -47,7 +48,9 @@ export class SpiceDBAuthorizer {
             return permitted;
         } catch (err) {
             error = err;
-            log.error("[spicedb] Failed to perform authorization check.", err, { req });
+            log.error("[spicedb] Failed to perform authorization check.", err, {
+                request: new TrustedValue(req),
+            });
             return false;
         } finally {
             observeSpicedbClientLatency("check", error, timer());
@@ -72,7 +75,7 @@ export class SpiceDBAuthorizer {
             return response;
         } catch (err) {
             error = err;
-            log.error("[spicedb] Failed to write relationships.", err, { updates });
+            log.error("[spicedb] Failed to write relationships.", err, { updates: new TrustedValue(updates) });
         } finally {
             observeSpicedbClientLatency("write", error, timer());
         }
@@ -104,7 +107,7 @@ export class SpiceDBAuthorizer {
             error = err;
             // While in we're running two authorization systems in parallel, we do not hard fail on writes.
             //TODO throw new ApplicationError(ErrorCodes.INTERNAL_SERVER_ERROR, "Failed to delete relationships.");
-            log.error("[spicedb] Failed to delete relationships.", err, { req });
+            log.error("[spicedb] Failed to delete relationships.", err, { request: new TrustedValue(req) });
             return [];
         } finally {
             observeSpicedbClientLatency("delete", error, timer());

install/installer/pkg/components/spicedb/deployment.go

@@ -34,7 +34,7 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 		return nil, errors.New("missing configuration for spicedb.secretRef")
 	}
 
-	bootstrapVolume, bootstrapVolumeMount, bootstrapFiles, err := getBootstrapConfig(ctx)
+	bootstrapVolume, bootstrapVolumeMount, bootstrapFiles, contentHash, err := getBootstrapConfig(ctx)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get bootstrap config: %w", err)
 	}
@@ -56,10 +56,14 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 				Strategy: common.DeploymentStrategy,
 				Template: corev1.PodTemplateSpec{
 					ObjectMeta: metav1.ObjectMeta{
-						Name:        Component,
-						Namespace:   ctx.Namespace,
-						Labels:      labels,
-						Annotations: common.CustomizeAnnotation(ctx, Component, common.TypeMetaDeployment),
+						Name:      Component,
+						Namespace: ctx.Namespace,
+						Labels:    labels,
+						Annotations: common.CustomizeAnnotation(ctx, Component, common.TypeMetaDeployment, func() map[string]string {
+							return map[string]string{
+								common.AnnotationConfigChecksum: contentHash,
+							}
+						}),
 					},
 					Spec: corev1.PodSpec{
 						Affinity:                      cluster.WithNodeAffinityHostnameAntiAffinity(Component, cluster.AffinityLabelMeta),

install/installer/pkg/components/spicedb/schema.go

@@ -5,6 +5,8 @@
 package spicedb
 
 import (
+	"crypto/sha256"
+	"encoding/hex"
 	"fmt"
 	"path/filepath"
 
@@ -42,7 +44,7 @@ func bootstrap(ctx *common.RenderContext) ([]runtime.Object, error) {
 	}, nil
 }
 
-func getBootstrapConfig(ctx *common.RenderContext) (corev1.Volume, corev1.VolumeMount, []string, error) {
+func getBootstrapConfig(ctx *common.RenderContext) (corev1.Volume, corev1.VolumeMount, []string, string, error) {
 	var volume corev1.Volume
 	var mount corev1.VolumeMount
 	var paths []string
@@ -68,12 +70,21 @@ func getBootstrapConfig(ctx *common.RenderContext) (corev1.Volume, corev1.Volume
 
 	files, err := spicedb_component.GetBootstrapFiles()
 	if err != nil {
-		return corev1.Volume{}, corev1.VolumeMount{}, nil, fmt.Errorf("failed to get bootstrap files: %w", err)
+		return corev1.Volume{}, corev1.VolumeMount{}, nil, "", fmt.Errorf("failed to get bootstrap files: %w", err)
 	}
 
 	for _, f := range files {
 		paths = append(paths, filepath.Join(mountPath, f.Name))
 	}
 
-	return volume, mount, paths, nil
+	concatenated := ""
+	for _, f := range files {
+		concatenated += f.Data
+	}
+
+	hasher := sha256.New()
+	hasher.Write([]byte(concatenated))
+	hash := hex.EncodeToString(hasher.Sum(nil))
+
+	return volume, mount, paths, hash, nil
 }