
Commit 798ca4e

committed
[openfga] Configure CloudSQL Datastore
1 parent a3c2f52 commit 798ca4e


1 file changed

+102
-67
lines changed


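--- a/install/installer/pkg/components/openfga/deployment.go
+++ b/install/installer/pkg/components/openfga/deployment.go
@@ -28,75 +28,10 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 return nil, nil
 }
 
-containers := []corev1.Container{
-{
-Name: ContainerName,
-Image: ctx.ImageName(common.ThirdPartyContainerRepo(ctx.Config.Repository, RegistryRepo), RegistryImage, ImageTag),
-ImagePullPolicy: corev1.PullIfNotPresent,
-Args: []string{
-"run",
-"--log-format=json",
-"--log-level=warn",
-},
-Env: common.CustomizeEnvvar(ctx, Component, common.MergeEnv(
-common.DefaultEnv(&ctx.Config),
-)),
-Ports: []corev1.ContainerPort{
-{
-ContainerPort: ContainerGRPCPort,
-Name: ContainerGRPCName,
-Protocol: *common.TCPProtocol,
-},
-{
-ContainerPort: ContainerHTTPPort,
-Name: ContainerHTTPName,
-Protocol: *common.TCPProtocol,
-},
-{
-ContainerPort: ContainerPlaygroundPort,
-Name: ContainerPlaygroundName,
-Protocol: *common.TCPProtocol,
-},
-},
-Resources: common.ResourceRequirements(ctx, Component, ContainerName, corev1.ResourceRequirements{
-Requests: corev1.ResourceList{
-"cpu": resource.MustParse("1m"),
-"memory": resource.MustParse("30Mi"),
-},
-}),
-SecurityContext: &corev1.SecurityContext{
-RunAsGroup: pointer.Int64(65532),
-RunAsNonRoot: pointer.Bool(true),
-RunAsUser: pointer.Int64(65532),
-},
-LivenessProbe: &corev1.Probe{
-ProbeHandler: corev1.ProbeHandler{
-HTTPGet: &corev1.HTTPGetAction{
-Path: "/healthz",
-Port: intstr.IntOrString{IntVal: ContainerHTTPPort},
-Scheme: corev1.URISchemeHTTP,
-},
-},
-FailureThreshold: 3,
-SuccessThreshold: 1,
-TimeoutSeconds: 1,
-},
-ReadinessProbe: &corev1.Probe{
-ProbeHandler: corev1.ProbeHandler{
-HTTPGet: &corev1.HTTPGetAction{
-Path: "/healthz",
-Port: intstr.IntOrString{IntVal: ContainerHTTPPort},
-Scheme: corev1.URISchemeHTTP,
-},
-},
-FailureThreshold: 3,
-SuccessThreshold: 1,
-TimeoutSeconds: 1,
-},
-},
-}
+var containers []corev1.Container
 
 var volumes []corev1.Volume
+var openfgaEnvVars []corev1.EnvVar
 
 if cfg.CloudSQL != nil {
 containers = append(containers, corev1.Container{
@@ -137,8 +72,108 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 }},
 },
 }...)
+
+// We use our cloud-sql-proxy sidecar to target the DB.
+dbHost := "localhost"
+openfgaEnvVars = append(openfgaEnvVars, []corev1.EnvVar{
+{
+Name: "OPENFGA_DATASTORE_ENGINE",
+Value: "mysql",
+},
+{
+Name: "DB_PASSWORD",
+ValueFrom: &corev1.EnvVarSource{SecretKeyRef: &corev1.SecretKeySelector{
+LocalObjectReference: corev1.LocalObjectReference{
+Name: cfg.CloudSQL.DatabaseSecretRef,
+},
+Key: "password",
+}},
+},
+{
+Name: "DB_USERNAME",
+ValueFrom: &corev1.EnvVarSource{SecretKeyRef: &corev1.SecretKeySelector{
+LocalObjectReference: corev1.LocalObjectReference{
+Name: cfg.CloudSQL.DatabaseSecretRef,
+},
+Key: "user",
+}},
+},
+{
+Name: "OPENFGA_DATASTORE_URI",
+Value: fmt.Sprintf("$(DB_USERNAME):$(DB_PASSWORD)@tcp(%s:%d)/%s?parseTime=true", dbHost, CloudSQLProxyPort, cfg.CloudSQL.Instance),
+},
+}...)
+}
+
+openfgaContainer := corev1.Container{
+Name: ContainerName,
+Image: ctx.ImageName(common.ThirdPartyContainerRepo(ctx.Config.Repository, RegistryRepo), RegistryImage, ImageTag),
+ImagePullPolicy: corev1.PullIfNotPresent,
+Args: []string{
+"run",
+"--log-format=json",
+"--log-level=warn",
+},
+Env: common.CustomizeEnvvar(ctx, Component, common.MergeEnv(
+common.DefaultEnv(&ctx.Config),
+openfgaEnvVars,
+)),
+Ports: []corev1.ContainerPort{
+{
+ContainerPort: ContainerGRPCPort,
+Name: ContainerGRPCName,
+Protocol: *common.TCPProtocol,
+},
+{
+ContainerPort: ContainerHTTPPort,
+Name: ContainerHTTPName,
+Protocol: *common.TCPProtocol,
+},
+{
+ContainerPort: ContainerPlaygroundPort,
+Name: ContainerPlaygroundName,
+Protocol: *common.TCPProtocol,
+},
+},
+Resources: common.ResourceRequirements(ctx, Component, ContainerName, corev1.ResourceRequirements{
+Requests: corev1.ResourceList{
+"cpu": resource.MustParse("1m"),
+"memory": resource.MustParse("30Mi"),
+},
+}),
+SecurityContext: &corev1.SecurityContext{
+RunAsGroup: pointer.Int64(65532),
+RunAsNonRoot: pointer.Bool(true),
+RunAsUser: pointer.Int64(65532),
+},
+LivenessProbe: &corev1.Probe{
+ProbeHandler: corev1.ProbeHandler{
+HTTPGet: &corev1.HTTPGetAction{
+Path: "/healthz",
+Port: intstr.IntOrString{IntVal: ContainerHTTPPort},
+Scheme: corev1.URISchemeHTTP,
+},
+},
+FailureThreshold: 3,
+SuccessThreshold: 1,
+TimeoutSeconds: 1,
+},
+ReadinessProbe: &corev1.Probe{
+ProbeHandler: corev1.ProbeHandler{
+HTTPGet: &corev1.HTTPGetAction{
+Path: "/healthz",
+Port: intstr.IntOrString{IntVal: ContainerHTTPPort},
+Scheme: corev1.URISchemeHTTP,
+},
+},
+FailureThreshold: 3,
+SuccessThreshold: 1,
+TimeoutSeconds: 1,
+},
 }
 
+containers = append(containers, openfgaContainer)
+
 return []runtime.Object{
 &appsv1.Deployment{
 TypeMeta: common.TypeMetaDeployment,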
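Review bot: The `OPENFGA_DATASTORE_URI` value built at new line 103 relies on Kubernetes `$(VAR)` expansion, which only resolves references to variables defined earlier in the same container's env list; DB_PASSWORD and DB_USERNAME do precede it inside `openfgaEnvVars`, but the list then passes through `common.MergeEnv` and `common.CustomizeEnvvar`, and if either re-sorts or deduplicates entries the literal `$(DB_PASSWORD)` reaches OpenFGA as the credential. The secret values are also spliced into the DSN unescaped, so a password containing characters the MySQL DSN grammar treats specially (`@`, `/`, `?`) yields a malformed URI at deploy time, which is worth stating next to the format string. The same line uses `cfg.CloudSQL.Instance` as the database name in the `/%s` path segment; if that field carries the Cloud SQL instance connection name rather than the database name, the DSN targets the wrong schema — please confirm against the proxy sidecar args, which lie outside this hunk. I would add above the `OPENFGA_DATASTORE_URI` entry: `// Relies on Kubernetes $(VAR) expansion: DB_USERNAME and DB_PASSWORD must stay ahead of this entry in the final env list, and their values are inserted into the DSN without escaping.`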
