diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e8cda3e..78341fb 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -19,32 +19,21 @@ jobs: - name: Configure Git run: | git config user.name github-actions - git config user.email contact@openfga.dev - - - name: Import GPG key - uses: crazy-max/ghaction-import-gpg@v6 - with: - gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} - passphrase: ${{ secrets.GPG_KEY_PASSPHRASE }} - - - name: Export GPG key to legacy format - run: gpg --export-secret-keys > ~/.gnupg/pubring.gpg + git config user.email jasper.vaneessen@ugent.be - name: Install Helm uses: azure/setup-helm@v4 with: - version: v3.5.0 + version: v3.16.2 - name: Add Helm Repositories run: | - helm repo add bitnami https://charts.bitnami.com/bitnami + helm repo add bitnami https://repo.broadcom.com/bitnami-files helm repo add openfga https://openfga.github.io/helm-charts helm repo update - name: Run chart-releaser uses: helm/chart-releaser-action@v1.6.0 - with: - config: .github/cr.yaml env: CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" CR_SKIP_EXISTING: true diff --git a/charts/openfga/Chart.lock b/charts/openfga/Chart.lock index 46f3063..ed186c2 100644 --- a/charts/openfga/Chart.lock +++ b/charts/openfga/Chart.lock @@ -1,12 +1,12 @@ dependencies: - name: postgresql - repository: https://charts.bitnami.com/bitnami + repository: oci://registry-1.docker.io/bitnamicharts version: 12.12.10 - name: mysql - repository: https://charts.bitnami.com/bitnami + repository: oci://registry-1.docker.io/bitnamicharts version: 9.6.0 - name: common repository: oci://registry-1.docker.io/bitnamicharts version: 2.13.3 -digest: sha256:a152c0abc09cadc6a2158e237b67485b3177d1ed8ad9b7f0b64af300b4eb6e25 -generated: "2024-03-07T16:13:52.695937-07:00" +digest: sha256:0a0986b7eaf3e674035b7d87cd52babd574bf05b867a00dcdfad450c88607ec8 +generated: "2024-12-16T11:22:51.356552959+01:00" 
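Review bot: Deleting the `Import GPG key` / `Export GPG key to legacy format` steps together with `config: .github/cr.yaml` removes whatever chart signing that config enabled, so releases from this workflow presumably no longer carry a `.prov` provenance file and anyone installing with `helm install --verify` loses the integrity check; the commit does not say whether that is intended. If the goal is only to release from a fork that lacks the `GPG_PRIVATE_KEY` secret, gate the signing steps behind a step condition (for example on an env var populated from the secret) instead of deleting them. The new hard-coded personal `git config user.email` ties the release commits to one person; the noreply address matching the `github-actions` user name would be the conventional choice. With Chart.yaml now resolving the bitnami dependencies via `oci://registry-1.docker.io/bitnamicharts`, the repointed `helm repo add bitnami …` line looks unused by dependency resolution and could likely be dropped rather than updated.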
diff --git a/charts/openfga/Chart.yaml b/charts/openfga/Chart.yaml
index 5b3caa6..6209b3f 100644
--- a/charts/openfga/Chart.yaml
+++ b/charts/openfga/Chart.yaml
@@ -18,11 +18,11 @@ annotations:
 dependencies:
 - name: postgresql
 version: "12.12.10"
- repository: https://charts.bitnami.com/bitnami
+ repository: oci://registry-1.docker.io/bitnamicharts
 condition: postgresql.enabled
 - name: mysql
 version: "9.6.0"
- repository: https://charts.bitnami.com/bitnami
+ repository: oci://registry-1.docker.io/bitnamicharts
 condition: mysql.enabled
 - name: common
 version: "2.13.3"
diff --git a/charts/openfga/README.md b/charts/openfga/README.md
index 6c11bab..4be069f 100644
--- a/charts/openfga/README.md
+++ b/charts/openfga/README.md
@@ -66,6 +66,50 @@ $ helm install openfga openfga/openfga \ This will bootstrap a MySQL deployment using the [`bitnami/mysql`](https://artifacthub.io/packages/helm/bitnami/mysql) chart and deploy OpenFGA configured in a way to connect to it. +### Connecting to an existing Postgres or MySQL deployment + +If you have an existing Postgres or MySQL deployment, you can connect OpenFGA to it by providing the `datastore.uri` parameter. For example, to connect to a Postgres deployment: + +``` +$ helm install openfga openfga/openfga \ + --set datastore.engine=postgres \ + --set datastore.uri="postgres://postgres:password@postgres.postgres:5432/postgres?sslmode=disable" +``` + +### Using an existing secret for Postgres or MySQL + +If you have an existing secret with the connection details for Postgres or MySQL, you can reference the secret in the values file. For example, say you have created the following secret for Postgres: + +```sh +kubectl create secret generic my-postgres-secret \ + --from-literal=uri="postgres://postgres.postgres:5432/postgres?sslmode=disable" \ + --from-literal=username=postgres --from-literal=password=password +``` + +You can reference this secret in the values file as follows: + +```yaml +datastore: + engine: postgres + existingSecret: my-postgres-secret + secretKeys: + uri: uri + username: username + password: password +``` + +You can also mix and match both static config and secret references. When the secret key is defined, the static config will be ignored. The following example shows how to reference the secret for username and password, but provide the URI statically: + +```yaml +datastore: + engine: postgres + uri: "postgres://postgres.postgres:5432/postgres?sslmode=disable" + existingSecret: my-postgres-secret + secretKeys: + username: username + password: password +``` + ## Uninstalling the Chart To uninstall/delete the `openfga` deployment: 
diff --git a/charts/openfga/templates/_helpers.tpl b/charts/openfga/templates/_helpers.tpl
index 3af9014..3ecbde7 100644
--- a/charts/openfga/templates/_helpers.tpl
+++ b/charts/openfga/templates/_helpers.tpl
@@ -80,3 +80,47 @@ Return true if a secret object should be created
 {{- true -}}
 {{- end -}}
 {{- end -}}
+
+
+{{- define "openfga.datastore.envConfig" -}}
+{{- if .Values.datastore.engine }}
+- name: OPENFGA_DATASTORE_ENGINE
+ value: "{{ .Values.datastore.engine }}"
+{{- end }}
+{{- if .Values.datastore.uriSecret }}
+- name: OPENFGA_DATASTORE_URI
+ valueFrom:
+ secretKeyRef:
+ name: "{{ .Values.datastore.uriSecret }}"
+ key: uri
+{{- else if and (.Values.datastore.existingSecret) (.Values.datastore.secretKeys.uriKey) }}
+- name: OPENFGA_DATASTORE_URI
+ valueFrom:
+ secretKeyRef:
+ name: "{{ .Values.datastore.existingSecret }}"
+ key: "{{ .Values.datastore.secretKeys.uriKey }}"
+{{- else if .Values.datastore.uri }}
+- name: OPENFGA_DATASTORE_URI
+ value: "{{ .Values.datastore.uri }}"
+{{- end }}
+{{- if and (.Values.datastore.existingSecret) (.Values.datastore.secretKeys.usernameKey) }}
+- name: OPENFGA_DATASTORE_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: "{{ .Values.datastore.existingSecret }}"
+ key: "{{ .Values.datastore.secretKeys.usernameKey }}"
+{{- else if .Values.datastore.username }}
+- name: OPENFGA_DATASTORE_USERNAME
+ value: "{{ .Values.datastore.username }}"
+{{- end }}
+{{- if and (.Values.datastore.existingSecret) (.Values.datastore.secretKeys.passwordKey) }}
+- name: OPENFGA_DATASTORE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "{{ .Values.datastore.existingSecret }}"
+ key: "{{ .Values.datastore.secretKeys.passwordKey }}"
+{{- else if .Values.datastore.password }}
+- name: OPENFGA_DATASTORE_PASSWORD
+ value: "{{ .Values.datastore.password }}"
+{{- end }}
+{{- end -}}
diff --git a/charts/openfga/templates/deployment.yaml b/charts/openfga/templates/deployment.yaml
index cd276e0..88cbd85 100644
--- a/charts/openfga/templates/deployment.yaml
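Review bot: The README added in this commit documents `secretKeys.uri`, `secretKeys.username` and `secretKeys.password`, but this helper (and values.yaml / values.schema.json) read `secretKeys.uriKey`, `usernameKey` and `passwordKey`; a user following the README gets no `secretKeyRef` and silently falls through to the literal `uri`/`username`/`password` branches, so the README examples should be corrected to the `*Key` names. The literal fallbacks such as `value: "{{ .Values.datastore.password }}"` also produce invalid YAML when the value contains a double quote or backslash; `value: {{ .Values.datastore.password | quote }}` (likewise for `uri`, `username`, `engine` and the secret names and keys) escapes correctly. Note the precedence change as well: the removed inline blocks in deployment.yaml and job.yaml preferred `datastore.uri` over `uriSecret`, whereas this helper checks `uriSecret` first, which matches the README's "secret wins" wording but changes behaviour for anyone who had both set and deserves a line in the commit message or values.yaml.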
+++ b/charts/openfga/templates/deployment.yaml @@ -9,7 +9,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: - {{- if not .Values.autoscaling.enabled }} + {{- if not .Values.autoscaling.enabled }} replicas: {{ ternary 1 .Values.replicaCount (eq .Values.datastore.engine "memory")}} {{- end }} selector: @@ -56,20 +56,7 @@ spec: image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" args: [ "migrate" ] env: - {{- if .Values.datastore.engine }} - - name: OPENFGA_DATASTORE_ENGINE - value: "{{ .Values.datastore.engine }}" - {{- end }} - {{- if .Values.datastore.uri }} - - name: OPENFGA_DATASTORE_URI - value: "{{ .Values.datastore.uri }}" - {{- else if .Values.datastore.uriSecret }} - - name: OPENFGA_DATASTORE_URI - valueFrom: - secretKeyRef: - name: "{{ .Values.datastore.uriSecret }}" - key: "uri" - {{- end }} + {{- include "openfga.datastore.envConfig" . | nindent 12 }} {{- if .Values.migrate.timeout }} - name: OPENFGA_TIMEOUT value: "{{ .Values.migrate.timeout }}" @@ -121,22 +108,7 @@ spec: {{- end }} env: - {{- if .Values.datastore.engine }} - - name: OPENFGA_DATASTORE_ENGINE - value: "{{ .Values.datastore.engine }}" - {{- end }} - - {{- if .Values.datastore.uri }} - - name: OPENFGA_DATASTORE_URI - value: "{{ .Values.datastore.uri }}" - {{- else if .Values.datastore.uriSecret }} - - name: OPENFGA_DATASTORE_URI - valueFrom: - secretKeyRef: - name: "{{ .Values.datastore.uriSecret }}" - key: "uri" - {{- end }} - + {{- include "openfga.datastore.envConfig" . | nindent 12 }} {{- if .Values.datastore.maxCacheSize }} - name: OPENFGA_DATASTORE_MAX_CACHE_SIZE value: "{{ .Values.datastore.maxCacheSize }}" diff --git a/charts/openfga/templates/job.yaml b/charts/openfga/templates/job.yaml index a7a670d..a4d7c70 100644 --- a/charts/openfga/templates/job.yaml +++ b/charts/openfga/templates/job.yaml 
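Review bot: Through the include, both the `migrate` init container and the main container now render `OPENFGA_DATASTORE_PASSWORD` (and a credential-bearing `OPENFGA_DATASTORE_URI`) as a plain `value:` whenever `datastore.password` or `datastore.uri` is set without a secret, so the credential ends up in the Deployment manifest, the Helm release record and pod descriptions; the same applies to the Job in job.yaml. That was already the case for `uri`, but `password` is new in this commit, so a comment in values.yaml pointing users at `existingSecret` / `secretKeys` for credentials (or a sentence in the README) would help. Since the include depends on `nindent 12` matching the indentation of each `env:` list, a `helm template` render of both containers is worth checking before release.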
@@ -36,21 +36,7 @@ spec: image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" args: ["migrate"] env: - {{- if .Values.datastore.engine }} - - name: OPENFGA_DATASTORE_ENGINE - value: "{{ .Values.datastore.engine }}" - {{- end }} - - {{- if .Values.datastore.uri }} - - name: OPENFGA_DATASTORE_URI - value: "{{ .Values.datastore.uri }}" - {{- else if .Values.datastore.uriSecret }} - - name: OPENFGA_DATASTORE_URI - valueFrom: - secretKeyRef: - name: "{{ .Values.datastore.uriSecret }}" - key: "uri" - {{- end }} + {{- include "openfga.datastore.envConfig" . | nindent 12 }} {{- if .Values.migrate.timeout }} - name: OPENFGA_TIMEOUT diff --git a/charts/openfga/values.schema.json b/charts/openfga/values.schema.json index 9ec52d9..b9995eb 100644 --- a/charts/openfga/values.schema.json +++ b/charts/openfga/values.schema.json @@ -276,7 +276,22 @@ "type": [ "string", "null" - ] + ], + "description": "the URI of the datastore including credentials and database (e.g. postgres://user:password@host:port/dbname)" + }, + "username": { + "type": [ + "string", + "null" + ], + "description": "the username to authenticate with the datastore" + }, + "password": { + "type": [ + "string", + "null" + ], + "description": "the password to authenticate with the datastore" }, "uriSecret": { "type": [ 
@@ -285,6 +300,39 @@
 ],
 "description": "the secret name where to get the datastore URI, it expects a key named uri to exist in the secret"
 },
+ "existingSecret": {
+ "type": [
+ "string",
+ "null"
+ ],
+ "description": "the name of an existing secret that contains the datastore uri and credentials"
+ },
+ "secretKeys": {
+ "type": "object",
+ "properties": {
+ "uriKey": {
+ "type": [
+ "string",
+ "null"
+ ],
+ "description": "the key in the existing secret mapping to the datastore uri"
+ },
+ "usernameKey": {
+ "type": [
+ "string",
+ "null"
+ ],
+ "description": "the key in the existing secret mapping to the datastore username"
+ },
+ "passwordKey": {
+ "type": [
+ "string",
+ "null"
+ ],
+ "description": "the key in the existing secret mapping to the datastore password"
+ }
+ }
+ },
 "maxCacheSize": {
 "type": [
 "integer",
diff --git a/charts/openfga/values.yaml b/charts/openfga/values.yaml
index 16da369..911c5e5 100644
--- a/charts/openfga/values.yaml
+++ b/charts/openfga/values.yaml
@@ -197,6 +197,13 @@ datastore:
 engine: memory
 uri:
 uriSecret:
+ username:
+ password:
+ existingSecret: ""
+ secretKeys:
+ uriKey: ""
+ usernameKey: ""
+ passwordKey: ""
 maxCacheSize:
 maxOpenConns:
 maxIdleConns:
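Review bot: The new `secretKeys` object accepts arbitrary property names, so a misspelled key (for instance the `uri`/`username`/`password` spelling shown in this commit's README instead of `uriKey`/`usernameKey`/`passwordKey`) passes schema validation and is then ignored by the template, which falls back to the literal `uri`/`username`/`password` values. Adding `"additionalProperties": false` next to `"type": "object"` in `secretKeys` turns that into an install-time error. The `existingSecret` description says the secret "contains the datastore uri and credentials", while the template honours each key independently (for example only username and password from the secret with a literal `uri`); the description could state that partial use is supported.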
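Review bot: The new keys mix two empty-value styles: `username:` and `password:` are bare (parsed as null, like the neighbouring `uri:` and `uriSecret:`), while `existingSecret` and the `secretKeys` entries use `""`; the template's `if` treats both as false, but yamllint's `empty-values` rule flags the bare form and the inconsistency is confusing in a values file. Pick one form for the whole `datastore` block, and add a comment on `password` such as `# prefer existingSecret + secretKeys.passwordKey; a literal value here is rendered into the pod spec` so users are steered to the secret-based path.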