Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: configure datastore username and password separately #163

Closed
wants to merge 6 commits into from
Closed

feat: configure datastore username and password separately #163

wants to merge 6 commits into from

Conversation

MisterTimn
Copy link

@MisterTimn MisterTimn commented Oct 18, 2024
edited
Loading

The chart currently only support setting the datastore URI through values or secret. We deploy postgres using an operator that creates secrets with credentials and want to be able to feed username and password through the secret.

Goals of this PR:

  • Add config option for username and password
  • Allow config to be fed by a secret
  • Move common datastore config to helper function so they can be included (deployment and job both use them)

Working example in our case, using zalando operator to create postgres cluster, the zalando operator creates a secret in the openfga namespace with credentials:

datastore:
  engine: postgres
  uri: postgres://openfga:[email protected]:5432/openfga
  passwordSecret: openfga.openfga.pgobelisk.credentials.postgresql.acid.zalan.do
  usernameSecret: openfga.openfga.pgobelisk.credentials.postgresql.acid.zalan.do

In this PR I have mimicked how the uriSecret functions in that it uses a hard coded reference key (uri, username and password). This is already being used to deploy openfga on our development server.

But I would actually propose to change how uriSecret works similar to bitnami charts, with a configurable secret key:

datastore:
  engine: postgres
  uri: postgres://user:[email protected]:5432/openfga
  externalSecret:
    name: openfga.openfga.pgobelisk.credentials.postgresql.acid.zalan.do
    uriSecretKey: ""
    passwordSecretKey: "password"
    usernameSecretKey: "username"

This would be setup like so:

  1. if secretKey for config value is set (default they are null or empty string), then we use the secret
  2. secretKey not set, then we use the default

This way you can mix and match values from config and from secrets by setting the reference keys.

Description

References

Review Checklist

  • I have clicked on "allow edits by maintainers".
  • I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev [Provide a link to any relevant PRs in the references section above]
  • The correct base branch is being used, if not main
  • I have added tests to validate that the change in functionality is working as expected

If you haven't done so yet, we would appreciate it if you could star the OpenFGA repository. :)

@MisterTimn MisterTimn requested review from a team as code owners October 18, 2024 12:34
@linux-foundation-easycla Linux Foundation: EasyCLA
Copy link

linux-foundation-easycla bot commented Oct 18, 2024
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

@MisterTimn MisterTimn mentioned this pull request Oct 18, 2024
Open
4 tasks
@MisterTimn
Copy link
Author

closing this PR in favor of #140

@MisterTimn MisterTimn closed this Oct 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@MisterTimn