From 0ac6aad842466e95df5fe585da065b801c16c24a Mon Sep 17 00:00:00 2001 From: Jasper Vaneessen Date: Thu, 17 Oct 2024 16:14:18 +0200 Subject: [PATCH 01/13] feat: generate datastore URI from config --- charts/openfga/templates/_helpers.tpl | 12 +++++++++ charts/openfga/templates/deployment.yaml | 2 +- charts/openfga/values.schema.json | 31 +++++++++++++++++++++++- charts/openfga/values.yaml | 4 +++ 4 files changed, 47 insertions(+), 2 deletions(-) diff --git a/charts/openfga/templates/_helpers.tpl b/charts/openfga/templates/_helpers.tpl index 6abf573..8e346d1 100644 --- a/charts/openfga/templates/_helpers.tpl +++ b/charts/openfga/templates/_helpers.tpl @@ -77,3 +77,15 @@ Return true if a secret object should be created {{- true -}} {{- end -}} {{- end -}} + +{{- define "openfga.datastore.uri" -}} +{{- if not .Values.datastore.uri -}} + {{- if eq datastore.engine "postgresql" }} + {{- printf "postgres://%s:%s@%s:%s/%s?sslmode=disable" .Values.datastore.user .Values.datastore.password .Values.datastore.host .Values.datastore.port .Values.datastore.database | quote }} + {{- else if eq datastore.engine "mysql" }} + {{- printf "%s:%s@tcp(%s:%s)/%s?parseTime=true" .Values.datastore.user .Values.datastore.password .Values.datastore.host .Values.datastore.port .Values.datastore.database | quote }} + {{- end -}} +{{- else -}} + {{- .Values.datastore.uri | quote -}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/openfga/templates/deployment.yaml b/charts/openfga/templates/deployment.yaml index 5af7dfb..6201f6c 100644 --- a/charts/openfga/templates/deployment.yaml +++ b/charts/openfga/templates/deployment.yaml @@ -87,7 +87,7 @@ spec: {{- if .Values.datastore.uri }} - name: OPENFGA_DATASTORE_URI - value: "{{ .Values.datastore.uri }}" + value: {{ include "openfga.datastore.uri" . }} {{- else if .Values.datastore.uriSecret }} - name: OPENFGA_DATASTORE_URI valueFrom: 
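Review bot: `eq datastore.engine "postgresql"` in the new `openfga.datastore.uri` helper uses `datastore` as a bare identifier instead of `.Values.datastore.engine`, which Go templates reject as an undefined function, and `%s` is applied to `.Values.datastore.port`, which the schema hunk in this same patch types as an integer (Go's `printf` renders that as `%!s(int=…)`), so the helper cannot render as written. The deployment hunk also only calls the helper inside `{{- if .Values.datastore.uri }}`, where it merely re-quotes `uri`, and PATCH 02 deletes the helper again; squashing PATCH 01 into PATCH 02 would keep the series bisectable instead of leaving a commit whose templates fail. The helper would additionally have interpolated `.Values.datastore.password` into a plain-text URI in the Deployment manifest, which the later secret-based design avoids.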
diff --git a/charts/openfga/values.schema.json b/charts/openfga/values.schema.json index d002147..3ef00ea 100644 --- a/charts/openfga/values.schema.json +++ b/charts/openfga/values.schema.json @@ -271,7 +271,36 @@ "type": [ "string", "null" - ] + ], + "description": "the URI of the datastore including credentials and database (e.g. postgres://user:password@host:port/dbname)" + }, + "host": { + "type": [ + "string", + "null" + ], + "description": "the host address of the datastore" + }, + "port": { + "type": [ + "integer", + "null" + ], + "description": "the port of the datastore" + }, + "user": { + "type": [ + "string", + "null" + ], + "description": "the username to authenticate with the datastore" + }, + "password": { + "type": [ + "string", + "null" + ], + "description": "the password to authenticate with the datastore" }, "uriSecret": { "type": [ diff --git a/charts/openfga/values.yaml b/charts/openfga/values.yaml index 686a1eb..7c96519 100644 --- a/charts/openfga/values.yaml +++ b/charts/openfga/values.yaml @@ -189,6 +189,10 @@ telemetry: datastore: engine: memory uri: + host: + port: + user: + password: uriSecret: maxCacheSize: maxOpenConns: From d683b6e0bf4d2db840fc072f6cb26527bfc6907e Mon Sep 17 00:00:00 2001 From: Jasper Vaneessen Date: Fri, 18 Oct 2024 11:38:08 +0200 Subject: [PATCH 02/13] feat: configure username and password using either values or secret --- charts/openfga/templates/_helpers.tpl | 12 ------------ charts/openfga/templates/deployment.yaml | 22 ++++++++++++++++++++++ charts/openfga/values.yaml | 6 +++--- 3 files changed, 25 insertions(+), 15 deletions(-) diff --git a/charts/openfga/templates/_helpers.tpl b/charts/openfga/templates/_helpers.tpl index 8e346d1..6abf573 100644 --- a/charts/openfga/templates/_helpers.tpl +++ b/charts/openfga/templates/_helpers.tpl 
@@ -77,15 +77,3 @@ Return true if a secret object should be created {{- true -}} {{- end -}} {{- end -}} - -{{- define "openfga.datastore.uri" -}} -{{- if not .Values.datastore.uri -}} - {{- if eq datastore.engine "postgresql" }} - {{- printf "postgres://%s:%s@%s:%s/%s?sslmode=disable" .Values.datastore.user .Values.datastore.password .Values.datastore.host .Values.datastore.port .Values.datastore.database | quote }} - {{- else if eq datastore.engine "mysql" }} - {{- printf "%s:%s@tcp(%s:%s)/%s?parseTime=true" .Values.datastore.user .Values.datastore.password .Values.datastore.host .Values.datastore.port .Values.datastore.database | quote }} - {{- end -}} -{{- else -}} - {{- .Values.datastore.uri | quote -}} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/openfga/templates/deployment.yaml b/charts/openfga/templates/deployment.yaml index 6201f6c..4beac39 100644 --- a/charts/openfga/templates/deployment.yaml +++ b/charts/openfga/templates/deployment.yaml @@ -96,6 +96,28 @@ spec: key: "uri" {{- end }} + {{- if .Values.datastore.password}} + - name: OPENFGA_DATASTORE_PASSWORD + value: "{{ .Values.datastore.password }}" + {{- else if .Values.datastore.passwordSecret }} + - name: OPENFGA_DATASTORE_PASSWORD + valueFrom: + secretKeyRef: + name: "{{ .Values.datastore.passwordSecret }}" + key: "password" + {{- end }} + + {{- if .Values.datastore.username }} + - name: OPENFGA_DATASTORE_USER + value: "{{ .Values.datastore.username }}" + {{- else if .Values.datastore.usernameSecret }} + - name: OPENFGA_DATASTORE_USERNAME + valueFrom: + secretKeyRef: + name: "{{ .Values.datastore.userSecret }}" + key: "username" + {{- end }} + {{- if .Values.datastore.maxCacheSize }} - name: OPENFGA_DATASTORE_MAX_CACHE_SIZE value: "{{ .Values.datastore.maxCacheSize }}" diff --git a/charts/openfga/values.yaml b/charts/openfga/values.yaml index 7c96519..b65abed 100644 --- a/charts/openfga/values.yaml +++ b/charts/openfga/values.yaml 
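Review bot: `value: "{{ .Values.datastore.password }}"` writes the database password in clear text into the Deployment manifest, where anyone with read access to Deployments or Pods, the Helm release history, or a GitOps repository can see it, which is a weaker posture than the `passwordSecret` branch directly below it; a chart that accepts a plain `password` value usually renders it into a chart-managed Secret and references it through `secretKeyRef` (the `Return true if a secret object should be created` helper visible in _helpers.tpl suggests this chart already has that pattern), and the same applies to the `username` branch and to the copies of this block in PATCH 04, 05 and 08. Separately, the username block tests `.Values.datastore.usernameSecret` but references `.Values.datastore.userSecret` in the `secretKeyRef`, so the secret name renders empty, and the two branches emit different variable names (`OPENFGA_DATASTORE_USER` vs `OPENFGA_DATASTORE_USERNAME`). PATCH 05 corrects both, so squashing would avoid a broken intermediate commit.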
@@ -189,11 +189,11 @@ telemetry: datastore: engine: memory uri: - host: - port: - user: + username: password: uriSecret: + usernameSecret: + passwordSecret: maxCacheSize: maxOpenConns: maxIdleConns: From 4d00e7f42f10d792f7c93f323b8009ff09926bc7 Mon Sep 17 00:00:00 2001 From: Jasper Vaneessen Date: Fri, 18 Oct 2024 11:44:24 +0200 Subject: [PATCH 03/13] chore: add new values to schema.json --- charts/openfga/values.schema.json | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/charts/openfga/values.schema.json b/charts/openfga/values.schema.json index 3ef00ea..797e63f 100644 --- a/charts/openfga/values.schema.json +++ b/charts/openfga/values.schema.json 
@@ -274,40 +274,40 @@ ], "description": "the URI of the datastore including credentials and database (e.g. postgres://user:password@host:port/dbname)" }, - "host": { + "username": { "type": [ "string", "null" ], - "description": "the host address of the datastore" + "description": "the username to authenticate with the datastore" }, - "port": { + "password": { "type": [ - "integer", + "string", "null" ], - "description": "the port of the datastore" + "description": "the password to authenticate with the datastore" }, - "user": { + "uriSecret": { "type": [ "string", "null" ], - "description": "the username to authenticate with the datastore" + "description": "the secret name where to get the datastore URI, it expects a key named uri to exist in the secret" }, - "password": { + "usernameSecret": { "type": [ "string", "null" ], - "description": "the password to authenticate with the datastore" + "description": "the secret name where to get the datastore username, it expects a key named username to exist in the secret" }, - "uriSecret": { + "passwordSecret": { "type": [ "string", "null" ], - "description": "the secret name where to get the datastore URI, it expects a key named uri to exist in the secret" + "description": "the secret name where to get the datastore password, it expects a key named password to exist in the secret" }, "maxCacheSize": { "type": [ From 03533d53d4acbb73a333985610cbd1896f5bc34b Mon Sep 17 00:00:00 2001 From: Jasper Vaneessen Date: Fri, 18 Oct 2024 14:22:21 +0200 Subject: [PATCH 04/13] refactor: move common datastore config to helper function --- charts/openfga/templates/_helpers.tpl | 38 ++++++++++++++++++++++ charts/openfga/templates/deployment.yaml | 40 ++---------------------- charts/openfga/templates/job.yaml | 16 +--------- 3 files changed, 41 insertions(+), 53 deletions(-) diff --git a/charts/openfga/templates/_helpers.tpl b/charts/openfga/templates/_helpers.tpl index 6abf573..f131de3 100644 --- a/charts/openfga/templates/_helpers.tpl 
+++ b/charts/openfga/templates/_helpers.tpl @@ -77,3 +77,41 @@ Return true if a secret object should be created {{- true -}} {{- end -}} {{- end -}} + + +{{- define "openfga.datastore.envConfig" -}} +{{- if .Values.datastore.engine }} +- name: OPENFGA_DATASTORE_ENGINE + value: "{{ .Values.datastore.engine }}" +{{- end }} +{{- if .Values.datastore.uri }} +- name: OPENFGA_DATASTORE_URI + value: "{{ .Values.datastore.uri}}" +{{- else if .Values.datastore.uriSecret }} +- name: OPENFGA_DATASTORE_URI + valueFrom: + secretKeyRef: + name: "{{ .Values.datastore.uriSecret }}" + key: "uri" +{{- end }} +{{- if .Values.datastore.password }} +- name: OPENFGA_DATASTORE_PASSWORD + value: "{{ .Values.datastore.password }}" +{{- else if .Values.datastore.passwordSecret }} +- name: OPENFGA_DATASTORE_PASSWORD + valueFrom: + secretKeyRef: + name: "{{ .Values.datastore.passwordSecret }}" + key: "password" +{{- end -}} +{{- if .Values.datastore.username }} +- name: OPENFGA_DATASTORE_USER + value: "{{ .Values.datastore.username }}" +{{- else if .Values.datastore.usernameSecret }} +- name: OPENFGA_DATASTORE_USERNAME + valueFrom: + secretKeyRef: + name: "{{ .Values.datastore.usernameSecret }}" + key: "username" +{{- end }} +{{- end -}} \ No newline at end of file diff --git a/charts/openfga/templates/deployment.yaml b/charts/openfga/templates/deployment.yaml index 4beac39..c3a8499 100644 --- a/charts/openfga/templates/deployment.yaml +++ b/charts/openfga/templates/deployment.yaml @@ -9,7 +9,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: - {{- if not .Values.autoscaling.enabled }} + {{- if not .Values.autoscaling.enabled }} replicas: {{ ternary 1 .Values.replicaCount (eq .Values.datastore.engine "memory")}} {{- end }} selector: 
@@ -80,43 +80,7 @@ spec: {{- end }} env: - {{- if .Values.datastore.engine }} - - name: OPENFGA_DATASTORE_ENGINE - value: "{{ .Values.datastore.engine }}" - {{- end }} - - {{- if .Values.datastore.uri }} - - name: OPENFGA_DATASTORE_URI - value: {{ include "openfga.datastore.uri" . }} - {{- else if .Values.datastore.uriSecret }} - - name: OPENFGA_DATASTORE_URI - valueFrom: - secretKeyRef: - name: "{{ .Values.datastore.uriSecret }}" - key: "uri" - {{- end }} - - {{- if .Values.datastore.password}} - - name: OPENFGA_DATASTORE_PASSWORD - value: "{{ .Values.datastore.password }}" - {{- else if .Values.datastore.passwordSecret }} - - name: OPENFGA_DATASTORE_PASSWORD - valueFrom: - secretKeyRef: - name: "{{ .Values.datastore.passwordSecret }}" - key: "password" - {{- end }} - - {{- if .Values.datastore.username }} - - name: OPENFGA_DATASTORE_USER - value: "{{ .Values.datastore.username }}" - {{- else if .Values.datastore.usernameSecret }} - - name: OPENFGA_DATASTORE_USERNAME - valueFrom: - secretKeyRef: - name: "{{ .Values.datastore.userSecret }}" - key: "username" - {{- end }} + {{- include "openfga.datastore.envConfig" . | nindent 12 }} {{- if .Values.datastore.maxCacheSize }} - name: OPENFGA_DATASTORE_MAX_CACHE_SIZE diff --git a/charts/openfga/templates/job.yaml b/charts/openfga/templates/job.yaml index 3ec2595..cac6d35 100644 --- a/charts/openfga/templates/job.yaml +++ b/charts/openfga/templates/job.yaml 
@@ -36,21 +36,7 @@ spec: image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" args: ["migrate"] env: - {{- if .Values.datastore.engine }} - - name: OPENFGA_DATASTORE_ENGINE - value: "{{ .Values.datastore.engine }}" - {{- end }} - - {{- if .Values.datastore.uri }} - - name: OPENFGA_DATASTORE_URI - value: "{{ .Values.datastore.uri }}" - {{- else if .Values.datastore.uriSecret }} - - name: OPENFGA_DATASTORE_URI - valueFrom: - secretKeyRef: - name: "{{ .Values.datastore.uriSecret }}" - key: "uri" - {{- end }} + {{- include "openfga.datastore.envConfig" . | nindent 12 }} {{- if .Values.migrate.timeout }} - name: OPENFGA_TIMEOUT From e88f25647f850b14fa86aebb408d47c5e3368a7f Mon Sep 17 00:00:00 2001 From: Jasper Vaneessen Date: Fri, 18 Oct 2024 15:15:56 +0200 Subject: [PATCH 05/13] feat: use single secret for URI and credentials --- charts/openfga/templates/_helpers.tpl | 42 +++++++++++++-------------- charts/openfga/values.yaml | 8 +++-- 2 files changed, 26 insertions(+), 24 deletions(-) diff --git a/charts/openfga/templates/_helpers.tpl b/charts/openfga/templates/_helpers.tpl index f131de3..06664b5 100644 --- a/charts/openfga/templates/_helpers.tpl +++ b/charts/openfga/templates/_helpers.tpl 
@@ -84,34 +84,34 @@ Return true if a secret object should be created - name: OPENFGA_DATASTORE_ENGINE value: "{{ .Values.datastore.engine }}" {{- end }} -{{- if .Values.datastore.uri }} -- name: OPENFGA_DATASTORE_URI - value: "{{ .Values.datastore.uri}}" -{{- else if .Values.datastore.uriSecret }} +{{- if .Values.datastore.externalSecret.uriSecretKey }} - name: OPENFGA_DATASTORE_URI valueFrom: secretKeyRef: - name: "{{ .Values.datastore.uriSecret }}" - key: "uri" + name: "{{ .Values.datastore.externalSecret.name }}" + key: "{{ .Values.datastore.externalSecret.uriSecretKey }}" +{{- else if .Values.datastore.uri }} +- name: OPENFGA_DATASTORE_URI + value: "{{ .Values.datastore.uri }}" {{- end }} -{{- if .Values.datastore.password }} -- name: OPENFGA_DATASTORE_PASSWORD - value: "{{ .Values.datastore.password }}" -{{- else if .Values.datastore.passwordSecret }} -- name: OPENFGA_DATASTORE_PASSWORD +{{- if .Values.datastore.externalSecret.usernameSecretKey }} +- name: OPENFGA_DATASTORE_USERNAME valueFrom: secretKeyRef: - name: "{{ .Values.datastore.passwordSecret }}" - key: "password" -{{- end -}} -{{- if .Values.datastore.username }} -- name: OPENFGA_DATASTORE_USER - value: "{{ .Values.datastore.username }}" -{{- else if .Values.datastore.usernameSecret }} + name: "{{ .Values.datastore.externalSecret.name }}" + key: "{{ .Values.datastore.externalSecret.usernameSecretKey }}" +{{- else if .Values.datastore.username }} - name: OPENFGA_DATASTORE_USERNAME + value: "{{ .Values.datastore.username }}" +{{- end }} +{{- if .Values.datastore.externalSecret.passwordSecretKey }} +- name: OPENFGA_DATASTORE_PASSWORD valueFrom: secretKeyRef: - name: "{{ .Values.datastore.usernameSecret }}" - key: "username" + name: "{{ .Values.datastore.externalSecret.name }}" + key: "{{ .Values.datastore.externalSecret.passwordSecretKey }}" +{{- else if .Values.datastore.password }} +- name: OPENFGA_DATASTORE_PASSWORD + value: "{{ .Values.datastore.password }}" {{- end }} -{{- end -}} \ No newline at 
end of file +{{- end -}} diff --git a/charts/openfga/values.yaml b/charts/openfga/values.yaml index b65abed..a5451c8 100644 --- a/charts/openfga/values.yaml +++ b/charts/openfga/values.yaml @@ -191,9 +191,11 @@ datastore: uri: username: password: - uriSecret: - usernameSecret: - passwordSecret: + externalSecret: + name: "" + uriSecretKey: "" + usernameSecretKey: "" + passwordSecretKey: "" maxCacheSize: maxOpenConns: maxIdleConns: From 06ab1a87c1900acc603865f19b1a83cb260579e3 Mon Sep 17 00:00:00 2001 From: Jasper Vaneessen Date: Fri, 18 Oct 2024 15:36:21 +0200 Subject: [PATCH 06/13] ci: modify workflow for own fork hosting --- .github/workflows/release.yml | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e8cda3e..32ffdf6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -19,21 +19,12 @@ jobs: - name: Configure Git run: | git config user.name github-actions - git config user.email contact@openfga.dev - - - name: Import GPG key - uses: crazy-max/ghaction-import-gpg@v6 - with: - gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} - passphrase: ${{ secrets.GPG_KEY_PASSPHRASE }} - - - name: Export GPG key to legacy format - run: gpg --export-secret-keys > ~/.gnupg/pubring.gpg + git config user.email jasper.vaneessen@ugent.be - name: Install Helm uses: azure/setup-helm@v4 with: - version: v3.5.0 + version: v3.16.2 - name: Add Helm Repositories run: | @@ -43,8 +34,6 @@ jobs: - name: Run chart-releaser uses: helm/chart-releaser-action@v1.6.0 - with: - config: .github/cr.yaml env: CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" CR_SKIP_EXISTING: true From e6377f6a425d79a8a58c2105fbe0691d7d75e1f4 Mon Sep 17 00:00:00 2001 
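Review bot: Removing the `Import GPG key` and `Export GPG key to legacy format` steps, together with the `config: .github/cr.yaml` input in the second hunk, drops whatever chart signing that configuration enabled, so packages released from this fork presumably ship without a `.prov` file and can no longer be checked with `helm verify`; this is hedged on the contents of `.github/cr.yaml`, which is not in the series. If unsigned releases are intended for the fork, a comment at the `Run chart-releaser` step such as `# Signing removed: charts published from this fork are unsigned` would make that explicit for consumers. The commit also hard-codes a personal address in `git config user.email`; a repository variable or the fork's no-reply address would avoid tying every release commit to one individual.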
From: Jasper Vaneessen Date: Fri, 8 Nov 2024 11:39:55 +0100 Subject: [PATCH 07/13] fix: reflect user/password setup to the new initContainer --- charts/openfga/templates/deployment.yaml | 15 +-------------- 1 file changed, 1 insertion(+), 14 deletions(-) diff --git a/charts/openfga/templates/deployment.yaml b/charts/openfga/templates/deployment.yaml index 369e27d..f5c68d3 100644 --- a/charts/openfga/templates/deployment.yaml +++ b/charts/openfga/templates/deployment.yaml @@ -56,20 +56,7 @@ spec: image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" args: [ "migrate" ] env: - {{- if .Values.datastore.engine }} - - name: OPENFGA_DATASTORE_ENGINE - value: "{{ .Values.datastore.engine }}" - {{- end }} - {{- if .Values.datastore.uri }} - - name: OPENFGA_DATASTORE_URI - value: "{{ .Values.datastore.uri }}" - {{- else if .Values.datastore.uriSecret }} - - name: OPENFGA_DATASTORE_URI - valueFrom: - secretKeyRef: - name: "{{ .Values.datastore.uriSecret }}" - key: "uri" - {{- end }} + {{- include "openfga.datastore.envConfig" . | nindent 12 }} {{- if .Values.migrate.timeout }} - name: OPENFGA_TIMEOUT value: "{{ .Values.migrate.timeout }}" From e45b8ef59bf304cd76c5018772e7b1931da92aa4 Mon Sep 17 00:00:00 2001 From: Jasper Vaneessen Date: Mon, 16 Dec 2024 11:13:19 +0100 Subject: [PATCH 08/13] feat: use bitnami like existing secret and key refs --- charts/openfga/templates/_helpers.tpl | 24 +++++++++++++++--------- charts/openfga/templates/deployment.yaml | 1 - charts/openfga/values.yaml | 11 ++++++----- 3 files changed, 21 insertions(+), 15 deletions(-) diff --git a/charts/openfga/templates/_helpers.tpl b/charts/openfga/templates/_helpers.tpl index a925b0a..3ecbde7 100644 --- a/charts/openfga/templates/_helpers.tpl +++ b/charts/openfga/templates/_helpers.tpl 
@@ -87,32 +87,38 @@ Return true if a secret object should be created - name: OPENFGA_DATASTORE_ENGINE value: "{{ .Values.datastore.engine }}" {{- end }} -{{- if .Values.datastore.externalSecret.uriSecretKey }} +{{- if .Values.datastore.uriSecret }} - name: OPENFGA_DATASTORE_URI valueFrom: secretKeyRef: - name: "{{ .Values.datastore.externalSecret.name }}" - key: "{{ .Values.datastore.externalSecret.uriSecretKey }}" + name: "{{ .Values.datastore.uriSecret }}" + key: uri +{{- else if and (.Values.datastore.existingSecret) (.Values.datastore.secretKeys.uriKey) }} +- name: OPENFGA_DATASTORE_URI + valueFrom: + secretKeyRef: + name: "{{ .Values.datastore.existingSecret }}" + key: "{{ .Values.datastore.secretKeys.uriKey }}" {{- else if .Values.datastore.uri }} - name: OPENFGA_DATASTORE_URI value: "{{ .Values.datastore.uri }}" {{- end }} -{{- if .Values.datastore.externalSecret.usernameSecretKey }} +{{- if and (.Values.datastore.existingSecret) (.Values.datastore.secretKeys.usernameKey) }} - name: OPENFGA_DATASTORE_USERNAME valueFrom: secretKeyRef: - name: "{{ .Values.datastore.externalSecret.name }}" - key: "{{ .Values.datastore.externalSecret.usernameSecretKey }}" + name: "{{ .Values.datastore.existingSecret }}" + key: "{{ .Values.datastore.secretKeys.usernameKey }}" {{- else if .Values.datastore.username }} - name: OPENFGA_DATASTORE_USERNAME value: "{{ .Values.datastore.username }}" {{- end }} -{{- if .Values.datastore.externalSecret.passwordSecretKey }} +{{- if and (.Values.datastore.existingSecret) (.Values.datastore.secretKeys.passwordKey) }} - name: OPENFGA_DATASTORE_PASSWORD valueFrom: secretKeyRef: - name: "{{ .Values.datastore.externalSecret.name }}" - key: "{{ .Values.datastore.externalSecret.passwordSecretKey }}" + name: "{{ .Values.datastore.existingSecret }}" + key: "{{ .Values.datastore.secretKeys.passwordKey }}" {{- else if .Values.datastore.password }} - name: OPENFGA_DATASTORE_PASSWORD value: "{{ .Values.datastore.password }}" 
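Review bot: When `existingSecret` is set but a `secretKeys.*Key` is left at its default `""`, each `and` guard is false and the template silently falls back to the plain `uri`/`username`/`password` value or emits no variable at all, so a misspelled key name yields a release that starts without credentials instead of a render-time error; the README added in PATCH 13 documents `secretKeys.uri`/`username`/`password` where this template reads `uriKey`/`usernameKey`/`passwordKey`, so following it hits exactly that path. A guard before the first `if`, e.g. `{{- if and .Values.datastore.existingSecret (not (or .Values.datastore.secretKeys.uriKey .Values.datastore.secretKeys.usernameKey .Values.datastore.secretKeys.passwordKey)) }}{{ fail "datastore.existingSecret is set but no datastore.secretKeys.*Key is configured" }}{{- end }}`, would catch that at `helm install` time. The three-way precedence (`uriSecret`, then `existingSecret` + `secretKeys`, then the plain values) is also only discoverable by reading the branches; a template comment at the top of the block, e.g. `{{/* Precedence: uriSecret, then existingSecret+secretKeys, then the plain uri/username/password values. */}}`, would document it. The enclosing `openfga.datastore.envConfig` define starts and ends outside this hunk.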
diff --git a/charts/openfga/templates/deployment.yaml b/charts/openfga/templates/deployment.yaml index f5c68d3..88cbd85 100644 --- a/charts/openfga/templates/deployment.yaml +++ b/charts/openfga/templates/deployment.yaml @@ -109,7 +109,6 @@ spec: env: {{- include "openfga.datastore.envConfig" . | nindent 12 }} - {{- if .Values.datastore.maxCacheSize }} - name: OPENFGA_DATASTORE_MAX_CACHE_SIZE value: "{{ .Values.datastore.maxCacheSize }}" diff --git a/charts/openfga/values.yaml b/charts/openfga/values.yaml index 030238c..911c5e5 100644 --- a/charts/openfga/values.yaml +++ b/charts/openfga/values.yaml @@ -196,13 +196,14 @@ telemetry: datastore: engine: memory uri: + uriSecret: username: password: - externalSecret: - name: "" - uriSecretKey: "" - usernameSecretKey: "" - passwordSecretKey: "" + existingSecret: "" + secretKeys: + uriKey: "" + usernameKey: "" + passwordKey: "" maxCacheSize: maxOpenConns: maxIdleConns: From ca477160df6855d30f1f30f75e8a7d10acd2163f Mon Sep 17 00:00:00 2001 From: Jasper Vaneessen Date: Mon, 16 Dec 2024 11:19:19 +0100 Subject: [PATCH 09/13] ci: use different bitnami repo (redirect issues on default) --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 32ffdf6..78341fb 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -28,7 +28,7 @@ jobs: - name: Add Helm Repositories run: | - helm repo add bitnami https://charts.bitnami.com/bitnami + helm repo add bitnami https://repo.broadcom.com/bitnami-files helm repo add openfga https://openfga.github.io/helm-charts helm repo update From 18ed16ec5adefb3d6fe638103bca526e0b5cc05d Mon Sep 17 00:00:00 2001 From: Jasper Vaneessen Date: Mon, 16 Dec 2024 11:21:31 +0100 Subject: [PATCH 10/13] chore(dependency): use OCI registry for bitnami charts --- charts/openfga/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
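Review bot: The new `existingSecret: ""` and `secretKeys.*Key: ""` entries use empty strings while the neighbouring `uri:`, `uriSecret:`, `username:` and `password:` keys are bare (null) values; both are falsy in the template guards, but mixing the two forms in one stanza triggers `empty-values` lint noise and makes the schema's `["string", "null"]` union look deliberate when it is an artefact of the style mix. Picking one form for the whole stanza, either `null` to match the older keys or `""` for all of them, would keep it consistent. Since values.yaml is what most users read, a comment above the stanza such as `# uriSecret takes precedence over existingSecret/secretKeys, which take precedence over the plain uri/username/password values` would also surface the precedence that is otherwise only visible in _helpers.tpl.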
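Review bot: `helm repo add bitnami https://repo.broadcom.com/bitnami-files` keeps a classic-repository dependency in the release workflow, but PATCH 10 moves both bitnami dependencies in Chart.yaml to `oci://registry-1.docker.io/bitnamicharts`, which `helm dependency build` resolves without a repository alias; unless something else in the workflow uses the `bitnami` alias, this line is now dead and the release job contacts an additional external host for no benefit. Dropping it so the step only runs `helm repo add openfga https://openfga.github.io/helm-charts` and `helm repo update` would shrink what the release pipeline depends on. The `Add Helm Repositories` step continues outside the hunk, so this is hedged on its remaining lines.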
diff --git a/charts/openfga/Chart.yaml b/charts/openfga/Chart.yaml index 5b3caa6..6209b3f 100644 --- a/charts/openfga/Chart.yaml +++ b/charts/openfga/Chart.yaml @@ -18,11 +18,11 @@ annotations: dependencies: - name: postgresql version: "12.12.10" - repository: https://charts.bitnami.com/bitnami + repository: oci://registry-1.docker.io/bitnamicharts condition: postgresql.enabled - name: mysql version: "9.6.0" - repository: https://charts.bitnami.com/bitnami + repository: oci://registry-1.docker.io/bitnamicharts condition: mysql.enabled - name: common version: "2.13.3" From 7792c16f030ab163aca12e990da7098df0d0de00 Mon Sep 17 00:00:00 2001 From: Jasper Vaneessen Date: Mon, 16 Dec 2024 11:23:15 +0100 Subject: [PATCH 11/13] chore(dependency): update lock file --- charts/openfga/Chart.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/openfga/Chart.lock b/charts/openfga/Chart.lock index 46f3063..ed186c2 100644 --- a/charts/openfga/Chart.lock +++ b/charts/openfga/Chart.lock @@ -1,12 +1,12 @@ dependencies: - name: postgresql - repository: https://charts.bitnami.com/bitnami + repository: oci://registry-1.docker.io/bitnamicharts version: 12.12.10 - name: mysql - repository: https://charts.bitnami.com/bitnami + repository: oci://registry-1.docker.io/bitnamicharts version: 9.6.0 - name: common repository: oci://registry-1.docker.io/bitnamicharts version: 2.13.3 -digest: sha256:a152c0abc09cadc6a2158e237b67485b3177d1ed8ad9b7f0b64af300b4eb6e25 -generated: "2024-03-07T16:13:52.695937-07:00" +digest: sha256:0a0986b7eaf3e674035b7d87cd52babd574bf05b867a00dcdfad450c88607ec8 +generated: "2024-12-16T11:22:51.356552959+01:00" From 3b9e11b217c42659eda683969676fe4898b51a3d Mon Sep 17 00:00:00 2001 From: Jasper Vaneessen Date: Mon, 16 Dec 2024 11:35:52 +0100 Subject: [PATCH 12/13] docs: update schema --- charts/openfga/values.schema.json | 35 ++++++++++++++++++++++++------- 1 file changed, 27 insertions(+), 8 deletions(-) 
diff --git a/charts/openfga/values.schema.json b/charts/openfga/values.schema.json index 6fc65d8..b9995eb 100644 --- a/charts/openfga/values.schema.json +++ b/charts/openfga/values.schema.json @@ -300,19 +300,38 @@ ], "description": "the secret name where to get the datastore URI, it expects a key named uri to exist in the secret" }, - "usernameSecret": { + "existingSecret": { "type": [ "string", "null" ], - "description": "the secret name where to get the datastore username, it expects a key named username to exist in the secret" + "description": "the name of an existing secret that contains the datastore uri and credentials" }, - "passwordSecret": { - "type": [ - "string", - "null" - ], - "description": "the secret name where to get the datastore password, it expects a key named password to exist in the secret" + "secretKeys": { + "type": "object", + "properties": { + "uriKey": { + "type": [ + "string", + "null" + ], + "description": "the key in the existing secret mapping to the datastore uri" + }, + "usernameKey": { + "type": [ + "string", + "null" + ], + "description": "the key in the existing secret mapping to the datastore username" + }, + "passwordKey": { + "type": [ + "string", + "null" + ], + "description": "the key in the existing secret mapping to the datastore password" + } + } }, "maxCacheSize": { "type": [ From b1a2c8be791f42e73863eb60b632d1fa41947eac Mon Sep 17 00:00:00 2001 From: Jasper Vaneessen Date: Mon, 23 Dec 2024 13:21:53 +0100 Subject: [PATCH 13/13] docs: update readme with existingsecret usage --- charts/openfga/README.md | 44 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/charts/openfga/README.md b/charts/openfga/README.md index 6c11bab..4be069f 100644 --- a/charts/openfga/README.md +++ b/charts/openfga/README.md 
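Review bot: The `secretKeys` object declares `uriKey`/`usernameKey`/`passwordKey` but no `"additionalProperties": false`, so the `uri:`/`username:`/`password:` spelling shown in the README of PATCH 13 passes schema validation and is then ignored by the template, which silently selects the plain-text fallback; adding `"additionalProperties": false` beside `"properties"` in `secretKeys` turns that mistake into a `helm install` error. The `existingSecret` description says the secret "contains the datastore uri and credentials", but the template only reads whichever keys are named in `secretKeys`, so `the name of an existing secret holding any of the datastore uri, username or password; select entries with secretKeys` would state the contract more accurately. The `uriSecret` description above the hunk still matches the template, which keeps the fixed `key: uri` for that option.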
@@ -66,6 +66,50 @@ $ helm install openfga openfga/openfga \ This will bootstrap a MySQL deployment using the [`bitnami/mysql`](https://artifacthub.io/packages/helm/bitnami/mysql) chart and deploy OpenFGA configured in a way to connect to it. +### Connecting to an existing Postgres or MySQL deployment + +If you have an existing Postgres or MySQL deployment, you can connect OpenFGA to it by providing the `datastore.uri` parameter. For example, to connect to a Postgres deployment: + +``` +$ helm install openfga openfga/openfga \ + --set datastore.engine=postgres \ + --set datastore.uri="postgres://postgres:password@postgres.postgres:5432/postgres?sslmode=disable" +``` + +### Using an existing secret for Postgres or MySQL + +If you have an existing secret with the connection details for Postgres or MySQL, you can reference the secret in the values file. For example, say you have created the following secret for Postgres: + +```sh +kubectl create secret generic my-postgres-secret \ + --from-literal=uri="postgres://postgres.postgres:5432/postgres?sslmode=disable" \ + --from-literal=username=postgres --from-literal=password=password +``` + +You can reference this secret in the values file as follows: + +```yaml +datastore: + engine: postgres + existingSecret: my-postgres-secret + secretKeys: + uri: uri + username: username + password: password +``` + +You can also mix and match both static config and secret references. When the secret key is defined, the static config will be ignored. The following example shows how to reference the secret for username and password, but provide the URI statically: + +```yaml +datastore: + engine: postgres + uri: "postgres://postgres.postgres:5432/postgres?sslmode=disable" + existingSecret: my-postgres-secret + secretKeys: + username: username + password: password +``` + ## Uninstalling the Chart To uninstall/delete the `openfga` deployment: