From 0ac6aad842466e95df5fe585da065b801c16c24a Mon Sep 17 00:00:00 2001 From: Jasper Vaneessen Date: Thu, 17 Oct 2024 16:14:18 +0200 Subject: [PATCH 1/6] feat: generate datastore URI from config --- charts/openfga/templates/_helpers.tpl | 12 +++++++++ charts/openfga/templates/deployment.yaml | 2 +- charts/openfga/values.schema.json | 31 +++++++++++++++++++++++- charts/openfga/values.yaml | 4 +++ 4 files changed, 47 insertions(+), 2 deletions(-) diff --git a/charts/openfga/templates/_helpers.tpl b/charts/openfga/templates/_helpers.tpl index 6abf573..8e346d1 100644 --- a/charts/openfga/templates/_helpers.tpl +++ b/charts/openfga/templates/_helpers.tpl @@ -77,3 +77,15 @@ Return true if a secret object should be created {{- true -}} {{- end -}} {{- end -}} + +{{- define "openfga.datastore.uri" -}} +{{- if not .Values.datastore.uri -}} + {{- if eq datastore.engine "postgresql" }} + {{- printf "postgres://%s:%s@%s:%s/%s?sslmode=disable" .Values.datastore.user .Values.datastore.password .Values.datastore.host .Values.datastore.port .Values.datastore.database | quote }} + {{- else if eq datastore.engine "mysql" }} + {{- printf "%s:%s@tcp(%s:%s)/%s?parseTime=true" .Values.datastore.user .Values.datastore.password .Values.datastore.host .Values.datastore.port .Values.datastore.database | quote }} + {{- end -}} +{{- else -}} + {{- .Values.datastore.uri | quote -}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/openfga/templates/deployment.yaml b/charts/openfga/templates/deployment.yaml index 5af7dfb..6201f6c 100644 --- a/charts/openfga/templates/deployment.yaml +++ b/charts/openfga/templates/deployment.yaml @@ -87,7 +87,7 @@ spec: {{- if .Values.datastore.uri }} - name: OPENFGA_DATASTORE_URI - value: "{{ .Values.datastore.uri }}" + value: {{ include "openfga.datastore.uri" . }} {{- else if .Values.datastore.uriSecret }} - name: OPENFGA_DATASTORE_URI valueFrom: 
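Review bot: The new `openfga.datastore.uri` helper compares `datastore.engine` instead of `.Values.datastore.engine` in both `eq` calls, which Go templates cannot resolve, so the generated-URI branch fails to render; the lines should read `{{- if eq .Values.datastore.engine "postgresql" }}` and `{{- else if eq .Values.datastore.engine "mysql" }}`. The two `printf` lines also format `.Values.datastore.port` with `%s` although the values.schema.json hunk in this same patch declares it an integer, and `.Values.datastore.database` is referenced but not added to values.yaml here. The postgres URI hard-codes `sslmode=disable`, which makes the embedded credentials travel over a cleartext connection whenever the helper is used; the SSL mode should come from a value rather than being fixed here. Note that deployment.yaml only calls this helper inside `{{- if .Values.datastore.uri }}`, so the generated branch is unreachable as wired, and PATCH 2/6 of this series removes the helper again.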
diff --git a/charts/openfga/values.schema.json b/charts/openfga/values.schema.json index d002147..3ef00ea 100644 --- a/charts/openfga/values.schema.json +++ b/charts/openfga/values.schema.json @@ -271,7 +271,36 @@ "type": [ "string", "null" - ] + ], + "description": "the URI of the datastore including credentials and database (e.g. postgres://user:password@host:port/dbname)" + }, + "host": { + "type": [ + "string", + "null" + ], + "description": "the host address of the datastore" + }, + "port": { + "type": [ + "integer", + "null" + ], + "description": "the port of the datastore" + }, + "user": { + "type": [ + "string", + "null" + ], + "description": "the username to authenticate with the datastore" + }, + "password": { + "type": [ + "string", + "null" + ], + "description": "the password to authenticate with the datastore" }, "uriSecret": { "type": [ diff --git a/charts/openfga/values.yaml b/charts/openfga/values.yaml index 686a1eb..7c96519 100644 --- a/charts/openfga/values.yaml +++ b/charts/openfga/values.yaml @@ -189,6 +189,10 @@ telemetry: datastore: engine: memory uri: + host: + port: + user: + password: uriSecret: maxCacheSize: maxOpenConns: From d683b6e0bf4d2db840fc072f6cb26527bfc6907e Mon Sep 17 00:00:00 2001 From: Jasper Vaneessen Date: Fri, 18 Oct 2024 11:38:08 +0200 Subject: [PATCH 2/6] feat: configure username and password using either values or secret --- charts/openfga/templates/_helpers.tpl | 12 ------------ charts/openfga/templates/deployment.yaml | 22 ++++++++++++++++++++++ charts/openfga/values.yaml | 6 +++--- 3 files changed, 25 insertions(+), 15 deletions(-) diff --git a/charts/openfga/templates/_helpers.tpl b/charts/openfga/templates/_helpers.tpl index 8e346d1..6abf573 100644 --- a/charts/openfga/templates/_helpers.tpl +++ b/charts/openfga/templates/_helpers.tpl 
@@ -77,15 +77,3 @@ Return true if a secret object should be created {{- true -}} {{- end -}} {{- end -}} - -{{- define "openfga.datastore.uri" -}} -{{- if not .Values.datastore.uri -}} - {{- if eq datastore.engine "postgresql" }} - {{- printf "postgres://%s:%s@%s:%s/%s?sslmode=disable" .Values.datastore.user .Values.datastore.password .Values.datastore.host .Values.datastore.port .Values.datastore.database | quote }} - {{- else if eq datastore.engine "mysql" }} - {{- printf "%s:%s@tcp(%s:%s)/%s?parseTime=true" .Values.datastore.user .Values.datastore.password .Values.datastore.host .Values.datastore.port .Values.datastore.database | quote }} - {{- end -}} -{{- else -}} - {{- .Values.datastore.uri | quote -}} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/openfga/templates/deployment.yaml b/charts/openfga/templates/deployment.yaml index 6201f6c..4beac39 100644 --- a/charts/openfga/templates/deployment.yaml +++ b/charts/openfga/templates/deployment.yaml @@ -96,6 +96,28 @@ spec: key: "uri" {{- end }} + {{- if .Values.datastore.password}} + - name: OPENFGA_DATASTORE_PASSWORD + value: "{{ .Values.datastore.password }}" + {{- else if .Values.datastore.passwordSecret }} + - name: OPENFGA_DATASTORE_PASSWORD + valueFrom: + secretKeyRef: + name: "{{ .Values.datastore.passwordSecret }}" + key: "password" + {{- end }} + + {{- if .Values.datastore.username }} + - name: OPENFGA_DATASTORE_USER + value: "{{ .Values.datastore.username }}" + {{- else if .Values.datastore.usernameSecret }} + - name: OPENFGA_DATASTORE_USERNAME + valueFrom: + secretKeyRef: + name: "{{ .Values.datastore.userSecret }}" + key: "username" + {{- end }} + {{- if .Values.datastore.maxCacheSize }} - name: OPENFGA_DATASTORE_MAX_CACHE_SIZE value: "{{ .Values.datastore.maxCacheSize }}" diff --git a/charts/openfga/values.yaml b/charts/openfga/values.yaml index 7c96519..b65abed 100644 --- a/charts/openfga/values.yaml +++ b/charts/openfga/values.yaml 
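Review bot: In the username block, the secret branch reads `.Values.datastore.userSecret` while values.yaml in this patch defines `usernameSecret`, so `secretKeyRef.name` renders as an empty string and the Pod is rejected; the line should be `name: "{{ .Values.datastore.usernameSecret }}"`. The two branches also export different variables, `OPENFGA_DATASTORE_USER` for the inline value and `OPENFGA_DATASTORE_USERNAME` for the secret, so only one of the two configurations can match the name OpenFGA reads; use one name in both `- name:` lines (later patches in this series settle on `OPENFGA_DATASTORE_USERNAME`). An inline `datastore.password` is written as a plain `value:` into the Deployment, where anyone who can read the Deployment or the Helm release history sees it; a values.yaml comment steering users to `passwordSecret` would make that trade-off visible. Style: `{{- if .Values.datastore.password}}` lacks the space before `}}` that the sibling conditionals have.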
@@ -189,11 +189,11 @@ telemetry: datastore: engine: memory uri: - host: - port: - user: + username: password: uriSecret: + usernameSecret: + passwordSecret: maxCacheSize: maxOpenConns: maxIdleConns: From 4d00e7f42f10d792f7c93f323b8009ff09926bc7 Mon Sep 17 00:00:00 2001 From: Jasper Vaneessen Date: Fri, 18 Oct 2024 11:44:24 +0200 Subject: [PATCH 3/6] chore: add new values to schema.json --- charts/openfga/values.schema.json | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/charts/openfga/values.schema.json b/charts/openfga/values.schema.json index 3ef00ea..797e63f 100644 --- a/charts/openfga/values.schema.json +++ b/charts/openfga/values.schema.json 
@@ -274,40 +274,40 @@ ], "description": "the URI of the datastore including credentials and database (e.g. postgres://user:password@host:port/dbname)" }, - "host": { + "username": { "type": [ "string", "null" ], - "description": "the host address of the datastore" + "description": "the username to authenticate with the datastore" }, - "port": { + "password": { "type": [ - "integer", + "string", "null" ], - "description": "the port of the datastore" + "description": "the password to authenticate with the datastore" }, - "user": { + "uriSecret": { "type": [ "string", "null" ], - "description": "the username to authenticate with the datastore" + "description": "the secret name where to get the datastore URI, it expects a key named uri to exist in the secret" }, - "password": { + "usernameSecret": { "type": [ "string", "null" ], - "description": "the password to authenticate with the datastore" + "description": "the secret name where to get the datastore username, it expects a key named username to exist in the secret" }, - "uriSecret": { + "passwordSecret": { "type": [ "string", "null" ], - "description": "the secret name where to get the datastore URI, it expects a key named uri to exist in the secret" + "description": "the secret name where to get the datastore password, it expects a key named password to exist in the secret" }, "maxCacheSize": { "type": [ From 03533d53d4acbb73a333985610cbd1896f5bc34b Mon Sep 17 00:00:00 2001 From: Jasper Vaneessen Date: Fri, 18 Oct 2024 14:22:21 +0200 Subject: [PATCH 4/6] refactor: move common datastore config to helper function --- charts/openfga/templates/_helpers.tpl | 38 ++++++++++++++++++++++ charts/openfga/templates/deployment.yaml | 40 ++---------------------- charts/openfga/templates/job.yaml | 16 +--------- 3 files changed, 41 insertions(+), 53 deletions(-) diff --git a/charts/openfga/templates/_helpers.tpl b/charts/openfga/templates/_helpers.tpl index 6abf573..f131de3 100644 --- a/charts/openfga/templates/_helpers.tpl 
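Review bot: The `password` entry's description does not say that an inline value ends up in clear text in the rendered Pod spec, which is the main reason to prefer `passwordSecret`; suggest `"description": "the password to authenticate with the datastore; an inline value is rendered in clear text into the Pod spec, prefer passwordSecret"`. The `uri` description just above the hunk already notes that it embeds credentials, so the same caveat applies there. The `uriSecret`, `usernameSecret` and `passwordSecret` entries added here are replaced by `externalSecret` in PATCH 5/6 of this series without a matching schema change, so this file will need a follow-up.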
+++ b/charts/openfga/templates/_helpers.tpl @@ -77,3 +77,41 @@ Return true if a secret object should be created {{- true -}} {{- end -}} {{- end -}} + + +{{- define "openfga.datastore.envConfig" -}} +{{- if .Values.datastore.engine }} +- name: OPENFGA_DATASTORE_ENGINE + value: "{{ .Values.datastore.engine }}" +{{- end }} +{{- if .Values.datastore.uri }} +- name: OPENFGA_DATASTORE_URI + value: "{{ .Values.datastore.uri}}" +{{- else if .Values.datastore.uriSecret }} +- name: OPENFGA_DATASTORE_URI + valueFrom: + secretKeyRef: + name: "{{ .Values.datastore.uriSecret }}" + key: "uri" +{{- end }} +{{- if .Values.datastore.password }} +- name: OPENFGA_DATASTORE_PASSWORD + value: "{{ .Values.datastore.password }}" +{{- else if .Values.datastore.passwordSecret }} +- name: OPENFGA_DATASTORE_PASSWORD + valueFrom: + secretKeyRef: + name: "{{ .Values.datastore.passwordSecret }}" + key: "password" +{{- end -}} +{{- if .Values.datastore.username }} +- name: OPENFGA_DATASTORE_USER + value: "{{ .Values.datastore.username }}" +{{- else if .Values.datastore.usernameSecret }} +- name: OPENFGA_DATASTORE_USERNAME + valueFrom: + secretKeyRef: + name: "{{ .Values.datastore.usernameSecret }}" + key: "username" +{{- end }} +{{- end -}} \ No newline at end of file diff --git a/charts/openfga/templates/deployment.yaml b/charts/openfga/templates/deployment.yaml index 4beac39..c3a8499 100644 --- a/charts/openfga/templates/deployment.yaml +++ b/charts/openfga/templates/deployment.yaml @@ -9,7 +9,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: - {{- if not .Values.autoscaling.enabled }} + {{- if not .Values.autoscaling.enabled }} replicas: {{ ternary 1 .Values.replicaCount (eq .Values.datastore.engine "memory")}} {{- end }} selector: 
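Review bot: The `openfga.datastore.envConfig` helper still exports `OPENFGA_DATASTORE_USER` for an inline username but `OPENFGA_DATASTORE_USERNAME` when it comes from `usernameSecret`, so the two paths configure different variables; use one name in both `- name:` lines (PATCH 5/6 of this series later settles on `OPENFGA_DATASTORE_USERNAME`). Precedence is inline-before-secret for every setting, so when both `password` and `passwordSecret` are set the plaintext value silently wins; checking the secret reference first is the safer default (also changed later in the series). Minor style: the password block closes with `{{- end -}}` while every other block uses `{{- end }}`, and `"{{ .Values.datastore.uri}}"` is missing a space. The define has no leading comment; a short `{{/* Datastore engine, URI and credential env vars shared by the Deployment and the migrate Job */}}` above it would match the commented helper this hunk follows.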
@@ -80,43 +80,7 @@ spec: {{- end }} env: - {{- if .Values.datastore.engine }} - - name: OPENFGA_DATASTORE_ENGINE - value: "{{ .Values.datastore.engine }}" - {{- end }} - - {{- if .Values.datastore.uri }} - - name: OPENFGA_DATASTORE_URI - value: {{ include "openfga.datastore.uri" . }} - {{- else if .Values.datastore.uriSecret }} - - name: OPENFGA_DATASTORE_URI - valueFrom: - secretKeyRef: - name: "{{ .Values.datastore.uriSecret }}" - key: "uri" - {{- end }} - - {{- if .Values.datastore.password}} - - name: OPENFGA_DATASTORE_PASSWORD - value: "{{ .Values.datastore.password }}" - {{- else if .Values.datastore.passwordSecret }} - - name: OPENFGA_DATASTORE_PASSWORD - valueFrom: - secretKeyRef: - name: "{{ .Values.datastore.passwordSecret }}" - key: "password" - {{- end }} - - {{- if .Values.datastore.username }} - - name: OPENFGA_DATASTORE_USER - value: "{{ .Values.datastore.username }}" - {{- else if .Values.datastore.usernameSecret }} - - name: OPENFGA_DATASTORE_USERNAME - valueFrom: - secretKeyRef: - name: "{{ .Values.datastore.userSecret }}" - key: "username" - {{- end }} + {{- include "openfga.datastore.envConfig" . | nindent 12 }} {{- if .Values.datastore.maxCacheSize }} - name: OPENFGA_DATASTORE_MAX_CACHE_SIZE diff --git a/charts/openfga/templates/job.yaml b/charts/openfga/templates/job.yaml index 3ec2595..cac6d35 100644 --- a/charts/openfga/templates/job.yaml +++ b/charts/openfga/templates/job.yaml 
@@ -36,21 +36,7 @@ spec: image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" args: ["migrate"] env: - {{- if .Values.datastore.engine }} - - name: OPENFGA_DATASTORE_ENGINE - value: "{{ .Values.datastore.engine }}" - {{- end }} - - {{- if .Values.datastore.uri }} - - name: OPENFGA_DATASTORE_URI - value: "{{ .Values.datastore.uri }}" - {{- else if .Values.datastore.uriSecret }} - - name: OPENFGA_DATASTORE_URI - valueFrom: - secretKeyRef: - name: "{{ .Values.datastore.uriSecret }}" - key: "uri" - {{- end }} + {{- include "openfga.datastore.envConfig" . | nindent 12 }} {{- if .Values.migrate.timeout }} - name: OPENFGA_TIMEOUT From e88f25647f850b14fa86aebb408d47c5e3368a7f Mon Sep 17 00:00:00 2001 From: Jasper Vaneessen Date: Fri, 18 Oct 2024 15:15:56 +0200 Subject: [PATCH 5/6] feat: use single secret for URI and credentials --- charts/openfga/templates/_helpers.tpl | 42 +++++++++++++-------------- charts/openfga/values.yaml | 8 +++-- 2 files changed, 26 insertions(+), 24 deletions(-) diff --git a/charts/openfga/templates/_helpers.tpl b/charts/openfga/templates/_helpers.tpl index f131de3..06664b5 100644 --- a/charts/openfga/templates/_helpers.tpl +++ b/charts/openfga/templates/_helpers.tpl 
@@ -84,34 +84,34 @@ Return true if a secret object should be created - name: OPENFGA_DATASTORE_ENGINE value: "{{ .Values.datastore.engine }}" {{- end }} -{{- if .Values.datastore.uri }} -- name: OPENFGA_DATASTORE_URI - value: "{{ .Values.datastore.uri}}" -{{- else if .Values.datastore.uriSecret }} +{{- if .Values.datastore.externalSecret.uriSecretKey }} - name: OPENFGA_DATASTORE_URI valueFrom: secretKeyRef: - name: "{{ .Values.datastore.uriSecret }}" - key: "uri" + name: "{{ .Values.datastore.externalSecret.name }}" + key: "{{ .Values.datastore.externalSecret.uriSecretKey }}" +{{- else if .Values.datastore.uri }} +- name: OPENFGA_DATASTORE_URI + value: "{{ .Values.datastore.uri }}" {{- end }} -{{- if .Values.datastore.password }} -- name: OPENFGA_DATASTORE_PASSWORD - value: "{{ .Values.datastore.password }}" -{{- else if .Values.datastore.passwordSecret }} -- name: OPENFGA_DATASTORE_PASSWORD +{{- if .Values.datastore.externalSecret.usernameSecretKey }} +- name: OPENFGA_DATASTORE_USERNAME valueFrom: secretKeyRef: - name: "{{ .Values.datastore.passwordSecret }}" - key: "password" -{{- end -}} -{{- if .Values.datastore.username }} -- name: OPENFGA_DATASTORE_USER - value: "{{ .Values.datastore.username }}" -{{- else if .Values.datastore.usernameSecret }} + name: "{{ .Values.datastore.externalSecret.name }}" + key: "{{ .Values.datastore.externalSecret.usernameSecretKey }}" +{{- else if .Values.datastore.username }} - name: OPENFGA_DATASTORE_USERNAME + value: "{{ .Values.datastore.username }}" +{{- end }} +{{- if .Values.datastore.externalSecret.passwordSecretKey }} +- name: OPENFGA_DATASTORE_PASSWORD valueFrom: secretKeyRef: - name: "{{ .Values.datastore.usernameSecret }}" - key: "username" + name: "{{ .Values.datastore.externalSecret.name }}" + key: "{{ .Values.datastore.externalSecret.passwordSecretKey }}" +{{- else if .Values.datastore.password }} +- name: OPENFGA_DATASTORE_PASSWORD + value: "{{ .Values.datastore.password }}" {{- end }} -{{- end -}} \ No newline at 
end of file +{{- end -}} diff --git a/charts/openfga/values.yaml b/charts/openfga/values.yaml index b65abed..a5451c8 100644 --- a/charts/openfga/values.yaml +++ b/charts/openfga/values.yaml @@ -191,9 +191,11 @@ datastore: uri: username: password: - uriSecret: - usernameSecret: - passwordSecret: + externalSecret: + name: "" + uriSecretKey: "" + usernameSecretKey: "" + passwordSecretKey: "" maxCacheSize: maxOpenConns: maxIdleConns: From 06ab1a87c1900acc603865f19b1a83cb260579e3 Mon Sep 17 00:00:00 2001 From: Jasper Vaneessen Date: Fri, 18 Oct 2024 15:36:21 +0200 Subject: [PATCH 6/6] ci: modify workflow for own fork hosting --- .github/workflows/release.yml | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e8cda3e..32ffdf6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -19,21 +19,12 @@ jobs: - name: Configure Git run: | git config user.name github-actions - git config user.email contact@openfga.dev - - - name: Import GPG key - uses: crazy-max/ghaction-import-gpg@v6 - with: - gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} - passphrase: ${{ secrets.GPG_KEY_PASSPHRASE }} - - - name: Export GPG key to legacy format - run: gpg --export-secret-keys > ~/.gnupg/pubring.gpg + git config user.email jasper.vaneessen@ugent.be - name: Install Helm uses: azure/setup-helm@v4 with: - version: v3.5.0 + version: v3.16.2 - name: Add Helm Repositories run: | @@ -43,8 +34,6 @@ jobs: - name: Run chart-releaser uses: helm/chart-releaser-action@v1.6.0 - with: - config: .github/cr.yaml env: CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" CR_SKIP_EXISTING: true
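Review bot: Each new `secretKeyRef` block in `openfga.datastore.envConfig` is guarded only by the `*SecretKey` value, so setting a key while leaving `externalSecret.name` at its `""` default renders `name: ""` and the Pod is rejected at admission; guard on both, e.g. `{{- if and .Values.datastore.externalSecret.name .Values.datastore.externalSecret.uriSecretKey }}`, and likewise for the username and password conditions. The secret-first ordering introduced here is the right precedence, since an inline value can no longer shadow a referenced Secret. If a user sets `datastore.externalSecret` to null in their values, the nested lookups presumably fail to render; wrapping the block in `{{- with .Values.datastore.externalSecret }}` would make the helper tolerant of that. The define starts above this hunk.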
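Review bot: `datastore.externalSecret` replaces `uriSecret`, `usernameSecret` and `passwordSecret` here, but values.schema.json (last changed in PATCH 3/6 of this series) still declares the three removed keys and nothing for `externalSecret`; if that schema rejects additional properties `helm install` will refuse these values, and either way the schema now documents keys the templates no longer read. The inline `username:` and `password:` keys carry no comment explaining that their values are rendered as plain `value:` entries in the Deployment; add `# Rendered in clear text into the Pod spec and Helm release history; prefer externalSecret` above them so operators choose the Secret path deliberately. The new `externalSecret` map should also get a one-line comment stating that all three keys are read from the single Secret named by `name`.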
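Review bot: Removing the `Import GPG key` and `Export GPG key` steps together with `config: .github/cr.yaml` (second hunk) means chart-releaser now runs with its defaults and no signing key, so published charts presumably lose their GPG provenance and consumers can no longer verify them with `helm verify`; if `.github/cr.yaml` carried the signing settings, that file is now dead. Because this is fork-specific (a personal `user.email` is hard-coded in the first hunk), the patch should be kept out of any upstream submission of the series, or the signing steps made conditional on the secrets being present. The bump from `v3.5.0` to `v3.16.2` is reasonable on its own but unrelated to the fork change and would be clearer as its own commit.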