
fix(deploy): use FQDN for SpiceDB endpoint in stage #441

Merged
jsell-rh merged 1 commit into main from jsell/fix/spicedb-fqdn
Apr 23, 2026

jsell-rh (Collaborator) commented Apr 23, 2026

Summary

OpenShift service serving certs have SANs for the full service DNS name (kartograph-spicedb.kartograph-stage.svc), not the short name (kartograph-spicedb). The TLS client verifies the hostname against the cert and fails with: "Peer name kartograph-spicedb is not in peer certificate".

Adds SPICEDB_ENDPOINT override in the stage overlay to use the FQDN.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated configuration for the stage deployment environment.

OpenShift service serving certificates have SANs for the full
service DNS name (kartograph-spicedb.kartograph-stage.svc), not
the short name. TLS cert verification fails with "Peer name
kartograph-spicedb is not in peer certificate".

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

coderabbitai Bot (Contributor) commented Apr 23, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 637a04d3-8d3d-450e-9b8d-bf31f37fa99e

📥 Commits

Reviewing files that changed from the base of the PR and between 3fc519c and dd48fd2.

📒 Files selected for processing (1)
  • deploy/apps/kartograph/overlays/stage/configmap-patch.yaml

Walkthrough

The change adds a new configuration entry SPICEDB_ENDPOINT with the value kartograph-spicedb.kartograph-stage.svc:50051 to the stage environment's kartograph-config ConfigMap. This explicitly defines the Spicedb endpoint for the stage overlay, with a comment noting TLS SAN matching considerations.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: using an FQDN (fully qualified domain name) for the SpiceDB endpoint configuration in the stage environment, which directly addresses the TLS certificate validation issue. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@jsell-rh jsell-rh merged commit 469cb56 into main Apr 23, 2026
10 checks passed
@jsell-rh jsell-rh deleted the jsell/fix/spicedb-fqdn branch April 23, 2026 18:15
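
The hostname check described in the PR summary, as an added example that is not part of the pull request or the project's code: a small DNS-name matcher in the style of RFC 6125 that can be run against an endpoint value before deploying it. The function names are hypothetical, the SAN list is constructed (the first entry is the name quoted in the PR, the second is an assumed extra entry), and the short-name endpoint string is constructed from the error message.

```python
# Added example: DNS-ID matching in the style of RFC 6125 (exact match, or a
# wildcard that covers only the whole left-most label).

# Constructed SAN list. The first name is the one quoted in the PR; the
# second is an assumed extra entry for illustration.
SERVING_CERT_SANS = [
    "kartograph-spicedb.kartograph-stage.svc",
    "kartograph-spicedb.kartograph-stage.svc.cluster.local",
]


def split_endpoint(endpoint):
    """Split 'host:port' as used in SPICEDB_ENDPOINT into (host, port)."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"expected host:port, got {endpoint!r}")
    return host, int(port)


def san_matches(hostname, san):
    """True if one dNSName SAN entry covers the name the client dialed."""
    host = hostname.rstrip(".").lower().split(".")
    pattern = san.rstrip(".").lower().split(".")
    if len(host) != len(pattern):
        return False  # no suffix or search-domain expansion is applied
    if pattern[0] == "*":
        # Wildcard stands for exactly one left-most label.
        return len(pattern) > 1 and host[1:] == pattern[1:]
    return host == pattern


def verify_endpoint(endpoint, sans):
    """Return (ok, message) for the hostname check a TLS client performs."""
    host, _port = split_endpoint(endpoint)
    if any(san_matches(host, san) for san in sans):
        return True, f"{host} is covered by the certificate"
    return False, f"Peer name {host} is not in peer certificate"


if __name__ == "__main__":
    for ep in ("kartograph-spicedb:50051",  # constructed short-name form
               "kartograph-spicedb.kartograph-stage.svc:50051"):
        print(ep, "->", verify_endpoint(ep, SERVING_CERT_SANS))
```

The check compares the name exactly as the client dialed it, which is why a short name that resolves correctly inside the namespace still fails verification.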