feat: expand datastore connection configuration (username, password and uri) and allow set-up through an existing secret #178

Open
wants to merge 14 commits into
base: main

MisterTimn

Description

This PR adds additional configuration to set up the datastore connection statically and through a secret.

Our use case: operating Postgres through the Zalando PG operator which creates secrets in relevant namespaces with username and password to connect to table. We want to automate our deployments as much as possible so copying these secrets manually into a full connection string is not an option.

Changes:

Adds datastore.username and datastore.password, mapping to OPENFGA_DATASTORE_USERNAME and OPENFGA_DATASTORE_PASSWORD.

Allow all connection config to be set through a secret, referenced through datastore.existingSecret.

For each field a datastore.secretKeys.usernameKey|passwordKey|uriKey can be set. When the secret key is not set, the config will default to the value of datastore.username|password|uri.

datastore:
  engine: memory
  uri:
  uriSecret:
  username:
  password:
  existingSecret: ""
  secretKeys:
    uriKey: ""
    usernameKey: ""
    passwordKey: ""

Our use case: setting up URI through static config and the username/password through the secret:

datastore:
  engine: postgres
  applyMigrations: true
  migrationType: job
  uri: postgres://pgobelisk.postgresql:5432/openfga
  # Reference to the secret created by pgo
  existingSecret: openfga.openfga.pgobelisk.credentials.postgresql.acid.zalan.do
  secretKeys:
    usernameKey: "username"
    passwordKey: "password"

Internally I have put all the datastore config setup into a helper function which then can be invoked in both the job, initcontainer and openfga container sections, so they all use the same config and there is less duplication.

I have also kept the old uriSecret as is and made it co-exist with the new setup, so existing deployments don't get broken.

I'm free for input on this and hope this can be added to the main chart, as we have been packaging our own fork for quite some time now.

References

Stale PR with overlap: #140

Review Checklist

  • I have clicked on "allow edits by maintainers".
  • I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev [Provide a link to any relevant PRs in the references section above]
  • The correct base branch is being used, if not main
  • I have added tests to validate that the change in functionality is working as expected
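
The fallback rule described in this PR (secret key when set, static value otherwise), modeled as an added Python example; it is not the chart's helper template or code from the PR author. The function name, the warning texts and the second sample block are assumptions, `OPENFGA_DATASTORE_URI` is assumed as the variable behind `datastore.uri`, and the legacy `uriSecret` is not modeled.

```python
from urllib.parse import urlsplit

# values field -> (secretKeys entry, container env var); names other than
# the two env vars quoted in the PR text are assumptions of this example.
FIELDS = {
    "uri": ("uriKey", "OPENFGA_DATASTORE_URI"),
    "username": ("usernameKey", "OPENFGA_DATASTORE_USERNAME"),
    "password": ("passwordKey", "OPENFGA_DATASTORE_PASSWORD"),
}

def datastore_env(datastore):
    """Return (env, warnings) for a `datastore:` values block (hypothetical helper)."""
    secret = datastore.get("existingSecret") or ""
    keys = datastore.get("secretKeys") or {}
    env, warnings = [], []
    for field, (key_name, env_name) in FIELDS.items():
        secret_key = keys.get(key_name) or ""
        static = datastore.get(field) or ""
        if secret and secret_key:
            # Secret reference: the value never appears in the rendered manifest.
            ref = {"secretKeyRef": {"name": secret, "key": secret_key}}
            env.append({"name": env_name, "valueFrom": ref})
        elif static:
            # No secret key for this field: fall back to the static value.
            env.append({"name": env_name, "value": static})
            if field == "password":
                warnings.append("datastore.password is rendered in plain text")
        elif secret_key:
            warnings.append(f"secretKeys.{key_name} is set without existingSecret")
    # A static URI can still carry credentials in its userinfo part.
    if urlsplit(datastore.get("uri") or "").password:
        warnings.append("datastore.uri embeds a password")
    return env, warnings

# The PR's own use case: static URI, credentials from the operator's secret.
PGO_VALUES = {
    "engine": "postgres",
    "uri": "postgres://pgobelisk.postgresql:5432/openfga",
    "existingSecret": "openfga.openfga.pgobelisk.credentials.postgresql.acid.zalan.do",
    "secretKeys": {"usernameKey": "username", "passwordKey": "password"},
}

# Constructed sample: everything static, password repeated inside the URI.
STATIC_VALUES = {
    "engine": "postgres",
    "uri": "postgres://app:example-pw@db.example:5432/openfga",
    "password": "example-pw",
}

if __name__ == "__main__":
    for values in (PGO_VALUES, STATIC_VALUES):
        print(datastore_env(values))
```
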

@MisterTimn MisterTimn requested review from a team as code owners December 23, 2024 12:38
@MisterTimn
Author

There are some changes in .github folders that were needed for my setup because I wanted to package this myself and there was an issue where bitnami repos were inaccessible for a day (also they are moving to OCI registries so it is probably best to keep some of these changes).

When there is interest in integrating these changes upstream I will clean this up.
