[openfga] Configure CloudSQL datastore #15703

Merged
merged 1 commit into from
Jan 12, 2023

@easyCZ easyCZ commented Jan 12, 2023

Description

Related Issue(s)

How to test

Release Notes

NONE

Documentation

Werft options:

  • /werft with-local-preview
    If enabled this will build install/preview
  • /werft with-preview
  • /werft with-large-vm
  • /werft with-integration-tests=all
    Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh

@easyCZ easyCZ changed the title [openfga] Configure cloud-sql-proxy sidecar [openfga] Configure CloudSQL datastore Jan 12, 2023
@easyCZ easyCZ changed the base branch from main to mp/openfga-cloud-sql-proxy-sidecar January 12, 2023 08:39
@easyCZ easyCZ force-pushed the mp/openfga-configure-datastore branch from f9ff207 to 798ca4e Compare January 12, 2023 08:50
Base automatically changed from mp/openfga-cloud-sql-proxy-sidecar to main January 12, 2023 08:50
@easyCZ easyCZ force-pushed the mp/openfga-configure-datastore branch from 798ca4e to 7458925 Compare January 12, 2023 08:56
@@ -28,75 +28,10 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
return nil, nil
}

containers := []corev1.Container{
{
Member Author

The definition is moved below. If there's config for CloudSQL, we configure the sidecar first and based on that we inject extra envs to the openfga application.

Comment on lines +78 to +106
openfgaEnvVars = append(openfgaEnvVars, []corev1.EnvVar{
{
Name: "OPENFGA_DATASTORE_ENGINE",
Value: "mysql",
},
{
Name: "DB_PASSWORD",
ValueFrom: &corev1.EnvVarSource{SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: cfg.CloudSQL.DatabaseSecretRef,
},
Key: "password",
}},
},
{
Name: "DB_USERNAME",
ValueFrom: &corev1.EnvVarSource{SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: cfg.CloudSQL.DatabaseSecretRef,
},
Key: "user",
}},
},
{
Name: "OPENFGA_DATASTORE_URI",
Value: fmt.Sprintf("$(DB_USERNAME):$(DB_PASSWORD)@tcp(%s:%d)/%s?parseTime=true", dbHost, CloudSQLProxyPort, cfg.CloudSQL.Instance),
},
}...)
}
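
Review bot: In the OPENFGA_DATASTORE_URI entry, the DSN path segment (the `/%s` before `?parseTime=true`) is filled from cfg.CloudSQL.Instance, so the instance value doubles as the database name. If the two can ever differ, add a dedicated database field to the config, or state next to this line that they must match. The `$(DB_USERNAME)` and `$(DB_PASSWORD)` references only expand because both variables are appended before the URI in the same slice, so a short comment that the ordering is load-bearing would guard against a later reorder. The expanded URI also places the password in plain text in the container environment a second time, which is worth noting for anything that dumps or logs env vars. Finally, nothing in these lines checks that cfg.CloudSQL.DatabaseSecretRef is non-empty before it is used as the secret name.
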
Member Author

This is the core of this PR's change, rest are moves to satisfy declaration dependencies.

@easyCZ easyCZ marked this pull request as ready for review January 12, 2023 09:00
@easyCZ easyCZ requested a review from a team January 12, 2023 09:00
@github-actions github-actions bot added the team: webapp Issue belongs to the WebApp team label Jan 12, 2023
@easyCZ
Member Author

easyCZ commented Jan 12, 2023

/hold I want to validate the cloud-sql-proxy alone works correctly in staging before I land this change.

@easyCZ
Member Author

easyCZ commented Jan 12, 2023

Cloud sql has successfully deployed in staging, we can proceed with this

/unhold

LocalObjectReference: corev1.LocalObjectReference{
Name: cfg.CloudSQL.DatabaseSecretRef,
},
Key: "password",
Contributor

How will the real username and password be provided to the env var?

Member Author

Through a k8s secret, which has been added in this PR https://github.com/gitpod-io/ops/pull/7712

TF loads the secret from GCP into k8s, we reference it through the cfg.CloudSQL.DatabaseSecretRef config

@roboquat roboquat merged commit edc4cba into main Jan 12, 2023
@roboquat roboquat deleted the mp/openfga-configure-datastore branch January 12, 2023 10:51
@roboquat roboquat added deployed: webapp Meta team change is running in production deployed Change is completely running in production labels Jan 12, 2023
Labels
deployed: webapp Meta team change is running in production deployed Change is completely running in production release-note-none size/L team: webapp Issue belongs to the WebApp team