Simplify openfga setup #1323
Simplify openfga setup #1323
Conversation
kian99
force-pushed
the
simplify-openfga-setup
branch
3 times, most recently
from
eb31dbe
to
4a0d3dd
Compare
local/jimm/add-controller.sh
Outdated
| echo "Switching juju controller to $JIMM_CONTROLLER_NAME" | ||
| juju switch "$JIMM_CONTROLLER_NAME" | ||
| echo | ||
| echo "Retrieving controller info for $CONTROLLER_NAME" | ||
| ./jimmctl controller-info --local "$CONTROLLER_NAME" "$CONTROLLER_YAML_PATH" --tls-hostname juju-apiserver | ||
| jimmctl controller-info --local "$CONTROLLER_NAME" "$CONTROLLER_YAML_PATH" --tls-hostname juju-apiserver |
There was a problem hiding this comment.
why are using jimmctl installed via snap even though we build it locally before?
There was a problem hiding this comment.
we can remove the build part all together if we suppose to always have the snap.
There was a problem hiding this comment.
This is introduced in #1321, so we can discuss it there but the purpose of this change is to detect if jimmctl is available and if it's not only then build it. In CI, we don't necessarily want to require Go to be installed to spin up the test environment.
docker-compose.yaml
Outdated
| # An instance of JIMM used for dev, built from source with hot-reloading. | ||
| jimm-dev: | ||
| extends: | ||
| file: compose-common.yaml |
| container_name: openfga | ||
| environment: | ||
| OPENFGA_AUTHN_METHOD: "preshared" | ||
| OPENFGA_AUTHN_PRESHARED_KEYS: "jimm" | ||
| OPENFGA_DATASTORE_ENGINE: "postgres" | ||
| OPENFGA_DATASTORE_URI: "postgresql://jimm:jimm@db/jimm?sslmode=disable" | ||
| command: run | ||
| volumes: | ||
| - ./openfga/authorisation_model.json:/app/authorisation_model.json |
There was a problem hiding this comment.
Let me know if you agree:
having it as a volume suggests that changing this json triggers a change in the openfga model.
Is this true?
If it isn't, i would add this file in the dockerfile as an ADD
There was a problem hiding this comment.
So I initially had it added inside the dockerfile, the issue is that the dockerfile is in local/openfga/ and the auth model is defined in /openfga/authorisation_model.json so I couldn't figure out how to pass that file through. Symlinks are not handled by dockerfile ADD so the volume was the next best thing.
Makefile
Outdated
| @@ -36,22 +36,23 @@ certs: | |||
| @cd local/traefik/certs; ./certs.sh; cd - | |||
|
|
|||
| test-env: sys-deps certs | |||
There was a problem hiding this comment.
out of curiosity:
what is the purpose of this make rule? it is a docker compose w/o any profile
There was a problem hiding this comment.
It's there just for convenience and aligns with the other commands like dev-env. I still often just do docker compose up --wait -d myself.
kian99
force-pushed
the
simplify-openfga-setup
branch
from
4a0d3dd
to
b199e83
Compare
kian99
force-pushed
the
simplify-openfga-setup
branch
from
726fb3b
to
62a4d08
Compare
| # Cleanup old auth model from previous starts | ||
| psql -Atx "$OPENFGA_DATASTORE_URI" -c "DELETE FROM authorization_model;" | ||
| # Adds the auth model and updates its authorisation model id to be the expected hard-coded id such that our local JIMM can utilise it for queries. | ||
| wget -q -O - --header 'Content-Type: application/json' --header 'Authorization: Bearer jimm' --post-file authorisation_model.json localhost:8080/stores/01GP1254CHWJC1MNGVB0WDG1T0/authorization-models |
* simplify Docker compose and OpenFGA setup * entrypoint tweaks
Description
Note: This PR builds on #1322
This PR simplifies JIMM's Docker compose file further by removing all the OpenFGA migration containers and placing their actions into an entrypoint.sh script that is called when running the OpenFGA container.