simplify Docker compose and OpenFGA setup

canonical · Aug 23, 2024 · eb31dbe · eb31dbe
1 parent de6bf2a
commit eb31dbe
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 50 deletions.
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -93,65 +93,23 @@ services:
     cap_add:
       - IPC_LOCK
 
-  migrateopenfga:
-    image: openfga/openfga:v1.2.0
-    container_name: migrateopenfga
-    command: migrate --datastore-engine postgres --datastore-uri 'postgresql://jimm:jimm@db/jimm?sslmode=disable'
-    depends_on:
-      db:
-        condition: service_healthy
-
-  insert-hardcoded-store:
-    image: governmentpaas/psql
-    container_name: insert-hardcoded-store
-    command: psql -Atx postgresql://jimm:jimm@db/jimm?sslmode=disable -c "INSERT INTO store (id,name,created_at,updated_at) VALUES ('01GP1254CHWJC1MNGVB0WDG1T0','jimm',NOW(),NOW());"
-    depends_on:
-      migrateopenfga:
-        condition: service_completed_successfully
-
   openfga:
-    # We use our 'image' to mimic juju standard.
-    # image: openfga/openfga:latest
     build:
-      context: .
-      dockerfile: ./local/openfga/Dockerfile
+      context: ./local/openfga/
+      dockerfile: Dockerfile
     container_name: openfga
     environment:
       OPENFGA_AUTHN_METHOD: "preshared"
       OPENFGA_AUTHN_PRESHARED_KEYS: "jimm"
       OPENFGA_DATASTORE_ENGINE: "postgres"
       OPENFGA_DATASTORE_URI: "postgresql://jimm:jimm@db/jimm?sslmode=disable"
-    command: run
+    volumes:
+      - ./openfga/authorisation_model.json:/app/authorisation_model.json
     ports:
       - 8080:8080
       - 3000:3000
     depends_on:
-      migrateopenfga:
-        condition: service_completed_successfully
-      insert-hardcoded-store:
-        condition: service_completed_successfully
-    healthcheck:
-      test: [ "CMD", "curl", "http://0.0.0.0:8080/healthz" ]
-      interval: 5s
-      timeout: 5s
-      retries: 10
-
-  # Adds the auth model and updates its authorisation model id to be the expected hard-coded id such that our local JIMM can utilise it for queries.
-  # The auth model json is retrieved from file via volume mount.
-  insert-hardcoded-auth-model:
-    profiles: ["dev", "test"]
-    image: governmentpaas/psql
-    container_name: insert-hardcoded-auth-model
-    volumes:
-      - ./local/openfga/authorisation_model.json:/authorisation_model.json
-    command:
-        - /bin/sh
-        - -c
-        - |
-          wget -q -O - --header 'Content-Type: application/json' --header 'Authorization: Bearer jimm' --post-file authorisation_model.json openfga:8080/stores/01GP1254CHWJC1MNGVB0WDG1T0/authorization-models
-          psql -Atx postgresql://jimm:jimm@db/jimm?sslmode=disable -c "UPDATE authorization_model SET authorization_model_id = '01GP1EC038KHGB6JJ2XXXXCXKB' WHERE store = '01GP1254CHWJC1MNGVB0WDG1T0';"
-    depends_on:
-      openfga:
+      db:
         condition: service_healthy
 
   keycloak:

diff --git a/local/openfga/Dockerfile b/local/openfga/Dockerfile
@@ -1,9 +1,25 @@
 # syntax=docker/dockerfile:1.3.1
 FROM ubuntu:20.04 AS build
-RUN apt-get -qq update && apt-get -qq install -y ca-certificates curl
+
+# Install some tools necessary for health checks and setup.
+RUN apt-get -qq update && apt-get -qq install -y ca-certificates curl wget postgresql-client
+
 EXPOSE 8081
 EXPOSE 8080
+
 WORKDIR /app
+
+# Copy OpenFGA binaries from upstream image
 COPY --from=openfga/openfga:v1.2.0 /openfga /app/openfga
 COPY --from=openfga/openfga:v1.2.0 /assets /app/assets
-ENTRYPOINT ["/app/openfga"]
+
+COPY entrypoint.sh                /app/entrypoint.sh
+
+ENTRYPOINT [ "/app/entrypoint.sh" ]
+
+HEALTHCHECK \
+    --start-period=5s \
+    --interval=1s \
+    --timeout=5s \
+    --retries=10 \
+        CMD [ "curl", "http://0.0.0.0:8080/healthz" ]
diff --git a/local/openfga/authorisation_model.json b/local/openfga/authorisation_model.json
diff --git a/local/openfga/entrypoint.sh b/local/openfga/entrypoint.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# This script starts the OpenFGA server, migrates the associated database and applies JIMM's auth model.
+# It also manually edits the authorization_model_id to a hardcoded value for easier testing.
+# Note that this script expects an authorisation_model.json file to be present. We provide that file
+# by mounting the file from the host rather than putting it into the Docker container to avoid duplication.
+
+set -e
+
+# Migrate the database
+./openfga migrate --datastore-engine postgres --datastore-uri "$OPENFGA_DATASTORE_URI"
+
+./openfga run &
+sleep 3
+
+# Cleanup old auth model from previous starts
+psql -Atx "$OPENFGA_DATASTORE_URI" -c "DELETE FROM authorization_model;"
+# Adds the auth model and updates its authorisation model id to be the expected hard-coded id such that our local JIMM can utilise it for queries.
+wget -q -O - --header 'Content-Type: application/json' --header 'Authorization: Bearer jimm' --post-file authorisation_model.json localhost:8080/stores/01GP1254CHWJC1MNGVB0WDG1T0/authorization-models
+psql -Atx "$OPENFGA_DATASTORE_URI" -c "INSERT INTO store (id,name,created_at,updated_at) VALUES ('01GP1254CHWJC1MNGVB0WDG1T0','jimm',NOW(),NOW()) ON CONFLICT DO NOTHING;"
+psql -Atx "$OPENFGA_DATASTORE_URI" -c "UPDATE authorization_model SET authorization_model_id = '01GP1EC038KHGB6JJ2XXXXCXKB' WHERE store = '01GP1254CHWJC1MNGVB0WDG1T0';"
+
+# Keep container alive
+tail -f /dev/null & trap 'kill %1' TERM ; wait