openfga · MisterTimn · Oct 17, 2024 · Oct 18, 2024 · Oct 18, 2024 · Oct 18, 2024
@@ -19,32 +19,21 @@ jobs:
       - name: Configure Git
         run: |
           git config user.name github-actions
-          git config user.email [email protected]
-
-      - name: Import GPG key
-        uses: crazy-max/ghaction-import-gpg@v6
-        with:
-          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.GPG_KEY_PASSPHRASE }}
-
-      - name: Export GPG key to legacy format
-        run: gpg --export-secret-keys > ~/.gnupg/pubring.gpg
+          git config user.email [email protected]
 
       - name: Install Helm
         uses: azure/setup-helm@v4
         with:
-          version: v3.5.0
+          version: v3.16.2
 
       - name: Add Helm Repositories
         run: |
-          helm repo add bitnami https://charts.bitnami.com/bitnami
+          helm repo add bitnami https://repo.broadcom.com/bitnami-files
           helm repo add openfga https://openfga.github.io/helm-charts
           helm repo update
 
       - name: Run chart-releaser
         uses: helm/[email protected]
-        with:
-          config: .github/cr.yaml
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
           CR_SKIP_EXISTING: true
@@ -1,12 +1,12 @@
 dependencies:
 - name: postgresql
-  repository: https://charts.bitnami.com/bitnami
+  repository: oci://registry-1.docker.io/bitnamicharts
   version: 12.12.10
 - name: mysql
-  repository: https://charts.bitnami.com/bitnami
+  repository: oci://registry-1.docker.io/bitnamicharts
   version: 9.6.0
 - name: common
   repository: oci://registry-1.docker.io/bitnamicharts
   version: 2.13.3
-digest: sha256:a152c0abc09cadc6a2158e237b67485b3177d1ed8ad9b7f0b64af300b4eb6e25
-generated: "2024-03-07T16:13:52.695937-07:00"
+digest: sha256:0a0986b7eaf3e674035b7d87cd52babd574bf05b867a00dcdfad450c88607ec8
+generated: "2024-12-16T11:22:51.356552959+01:00"
@@ -18,11 +18,11 @@ annotations:
 dependencies:
   - name: postgresql
     version: "12.12.10"
-    repository: https://charts.bitnami.com/bitnami
+    repository: oci://registry-1.docker.io/bitnamicharts
     condition: postgresql.enabled
   - name: mysql
     version: "9.6.0"
-    repository: https://charts.bitnami.com/bitnami
+    repository: oci://registry-1.docker.io/bitnamicharts
     condition: mysql.enabled
   - name: common
     version: "2.13.3"

@@ -66,6 +66,50 @@ $ helm install openfga openfga/openfga \
 
 This will bootstrap a MySQL deployment using the [`bitnami/mysql`](https://artifacthub.io/packages/helm/bitnami/mysql) chart and deploy OpenFGA configured in a way to connect to it.
 
+### Connecting to an existing Postgres or MySQL deployment
+
+If you have an existing Postgres or MySQL deployment, you can connect OpenFGA to it by providing the `datastore.uri` parameter. For example, to connect to a Postgres deployment:
+
+```
+$ helm install openfga openfga/openfga \
+  --set datastore.engine=postgres \
+  --set datastore.uri="postgres://postgres:[email protected]:5432/postgres?sslmode=disable"
+```
+
+### Using an existing secret for Postgres or MySQL
+
+If you have an existing secret with the connection details for Postgres or MySQL, you can reference the secret in the values file. For example, say you have created the following secret for Postgres:
+
+```sh
+kubectl create secret generic my-postgres-secret \
+  --from-literal=uri="postgres://postgres.postgres:5432/postgres?sslmode=disable" \
+  --from-literal=username=postgres --from-literal=password=password
+```
+
+You can reference this secret in the values file as follows:
+
+```yaml
+datastore:
+  engine: postgres
+  existingSecret: my-postgres-secret
+  secretKeys:
+    uri: uri
+    username: username
+    password: password
+```
+
+You can also mix and match both static config and secret references. When the secret key is defined, the static config will be ignored. The following example shows how to reference the secret for username and password, but provide the URI statically:
+
+```yaml
+datastore:
+  engine: postgres
+  uri: "postgres://postgres.postgres:5432/postgres?sslmode=disable"
+  existingSecret: my-postgres-secret
+  secretKeys:
+    username: username
+    password: password
+```
+
 ## Uninstalling the Chart
 To uninstall/delete the `openfga` deployment:
 

@@ -80,3 +80,47 @@ Return true if a secret object should be created
     {{- true -}}
 {{- end -}}
 {{- end -}}
+
+
+{{- define "openfga.datastore.envConfig" -}}
+{{- if .Values.datastore.engine }}
+- name: OPENFGA_DATASTORE_ENGINE
+  value: "{{ .Values.datastore.engine }}"
+{{- end }}
+{{- if .Values.datastore.uriSecret }}
+- name: OPENFGA_DATASTORE_URI
+  valueFrom:
+    secretKeyRef:
+      name: "{{ .Values.datastore.uriSecret }}"
+      key: uri
+{{- else if and (.Values.datastore.existingSecret) (.Values.datastore.secretKeys.uriKey) }}
+- name: OPENFGA_DATASTORE_URI
+  valueFrom:
+    secretKeyRef:
+      name: "{{ .Values.datastore.existingSecret }}"
+      key: "{{ .Values.datastore.secretKeys.uriKey }}"
+{{- else if .Values.datastore.uri }}
+- name: OPENFGA_DATASTORE_URI
+  value: "{{ .Values.datastore.uri }}"
+{{- end }}
+{{- if and (.Values.datastore.existingSecret) (.Values.datastore.secretKeys.usernameKey) }}
+- name: OPENFGA_DATASTORE_USERNAME
+  valueFrom:
+    secretKeyRef:
+      name: "{{ .Values.datastore.existingSecret }}"
+      key: "{{ .Values.datastore.secretKeys.usernameKey }}"
+{{- else if .Values.datastore.username }}
+- name: OPENFGA_DATASTORE_USERNAME
+  value: "{{ .Values.datastore.username }}"
+{{- end }}
+{{- if and (.Values.datastore.existingSecret) (.Values.datastore.secretKeys.passwordKey) }}
+- name: OPENFGA_DATASTORE_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: "{{ .Values.datastore.existingSecret }}"
+      key: "{{ .Values.datastore.secretKeys.passwordKey }}"
+{{- else if .Values.datastore.password }}
+- name: OPENFGA_DATASTORE_PASSWORD
+  value: "{{ .Values.datastore.password }}"
+{{- end }}
+{{- end -}}
@@ -9,7 +9,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
-  {{- if not .Values.autoscaling.enabled }}
+  {{- if not  .Values.autoscaling.enabled }}
   replicas: {{ ternary 1 .Values.replicaCount (eq .Values.datastore.engine "memory")}}
   {{- end }}
   selector:
@@ -56,20 +56,7 @@ spec:
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           args: [ "migrate" ]
           env:
-            {{- if .Values.datastore.engine }}
-            - name: OPENFGA_DATASTORE_ENGINE
-              value: "{{ .Values.datastore.engine }}"
-            {{- end }}
-            {{- if .Values.datastore.uri }}
-            - name: OPENFGA_DATASTORE_URI
-              value: "{{ .Values.datastore.uri }}"
-            {{- else if .Values.datastore.uriSecret }}
-            - name: OPENFGA_DATASTORE_URI
-              valueFrom:
-                secretKeyRef:
-                  name: "{{ .Values.datastore.uriSecret }}"
-                  key: "uri"
-            {{- end }}
+            {{- include "openfga.datastore.envConfig" . | nindent 12 }}
             {{- if .Values.migrate.timeout }}
             - name: OPENFGA_TIMEOUT
               value: "{{ .Values.migrate.timeout }}"
@@ -121,22 +108,7 @@ spec:
             {{- end }}
 
           env:
-            {{- if .Values.datastore.engine }}
-            - name: OPENFGA_DATASTORE_ENGINE
-              value: "{{ .Values.datastore.engine }}"
-            {{- end }}
-
-            {{- if .Values.datastore.uri }}
-            - name: OPENFGA_DATASTORE_URI
-              value: "{{ .Values.datastore.uri }}"
-            {{- else if .Values.datastore.uriSecret }}
-            - name: OPENFGA_DATASTORE_URI
-              valueFrom:
-                secretKeyRef:
-                  name: "{{ .Values.datastore.uriSecret }}"
-                  key: "uri"
-            {{- end }}
-
+            {{- include "openfga.datastore.envConfig" . | nindent 12 }}
             {{- if .Values.datastore.maxCacheSize }}
             - name: OPENFGA_DATASTORE_MAX_CACHE_SIZE
               value: "{{ .Values.datastore.maxCacheSize }}"

@@ -36,21 +36,7 @@ spec:
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           args: ["migrate"]
           env:
-            {{- if .Values.datastore.engine }}
-            - name: OPENFGA_DATASTORE_ENGINE
-              value: "{{ .Values.datastore.engine }}"
-            {{- end }}
-
-            {{- if .Values.datastore.uri }}
-            - name: OPENFGA_DATASTORE_URI
-              value: "{{ .Values.datastore.uri }}"
-            {{- else if .Values.datastore.uriSecret }}
-            - name: OPENFGA_DATASTORE_URI
-              valueFrom:
-                secretKeyRef:
-                  name: "{{ .Values.datastore.uriSecret }}"
-                  key: "uri"
-            {{- end }}
+            {{- include "openfga.datastore.envConfig" . | nindent 12 }}
 
             {{- if .Values.migrate.timeout }}
             - name: OPENFGA_TIMEOUT

@@ -276,7 +276,22 @@
                     "type": [
                         "string",
                         "null"
-                    ]
+                    ],
+                    "description": "the URI of the datastore including credentials and database (e.g. postgres://user:password@host:port/dbname)"
+                },
+                "username": {
+                    "type": [
+                        "string",
+                        "null"
+                    ],
+                    "description": "the username to authenticate with the datastore"
+                },
+                "password": {
+                    "type": [
+                        "string",
+                        "null"
+                    ],
+                    "description": "the password to authenticate with the datastore"
                 },
                 "uriSecret": {
                     "type": [
@@ -285,6 +300,39 @@
                     ],
                     "description": "the secret name where to get the datastore URI, it expects a key named uri to exist in the secret"
                 },
+                "existingSecret": {
+                    "type": [
+                        "string",
+                        "null"
+                    ],
+                    "description": "the name of an existing secret that contains the datastore uri and credentials"
+                },
+                "secretKeys": {
+                    "type": "object",
+                    "properties": {
+                        "uriKey": {
+                            "type": [
+                                "string",
+                                "null"
+                            ],
+                            "description": "the key in the existing secret mapping to the datastore uri"
+                        },
+                        "usernameKey": {
+                            "type": [
+                                "string",
+                                "null"
+                            ],
+                            "description": "the key in the existing secret mapping to the datastore username"
+                        },
+                        "passwordKey": {
+                            "type": [
+                                "string",
+                                "null"
+                            ],
+                            "description": "the key in the existing secret mapping to the datastore password"
+                        }
+                    }
+                },
                 "maxCacheSize": {
                     "type": [
                         "integer",

@@ -197,6 +197,13 @@ datastore:
   engine: memory
   uri:
   uriSecret:
+  username:
+  password:
+  existingSecret: ""
+  secretKeys:
+    uriKey: ""
+    usernameKey: ""
+    passwordKey: ""
   maxCacheSize:
   maxOpenConns:
   maxIdleConns: