Simplify openfga setup #1323

Merged
merged 2 commits into from
Aug 27, 2024
2 changes: 0 additions & 2 deletions compose-common.yaml
@@ -53,8 +53,6 @@ services:
condition: service_healthy
traefik:
condition: service_healthy
insert-hardcoded-auth-model:
condition: service_completed_successfully
keycloak:
condition: service_healthy
labels:
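Review bot: dropping the `insert-hardcoded-auth-model` dependency makes this service rely solely on `openfga` reaching `service_healthy`, but the check that replaces it (the image's `HEALTHCHECK` against `/healthz`) passes as soon as the server answers, which can be before `entrypoint.sh` has posted the auth model and rewritten `authorization_model_id`. Have the entrypoint touch a marker file after its final `psql` update (the same pattern `local/vault/entrypoint.sh` uses with `touch /tmp/healthy`) and test for that file in the health check, so a dependent service that queries the hard-coded model id cannot start against an empty store.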
54 changes: 6 additions & 48 deletions docker-compose.yaml
@@ -63,7 +63,7 @@ services:
db:
image: postgres
container_name: postgres
restart: always
restart: on-failure
ports:
- 5432:5432
environment:
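Review bot: changing the `db` service from `restart: always` to `restart: on-failure` is unrelated to the OpenFGA simplification and alters behaviour: the database container is no longer restarted after a clean (zero) exit. Either mention the reason in the commit message or split it into its own change so it can be reverted independently.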
@@ -93,65 +93,23 @@ services:
cap_add:
- IPC_LOCK

migrateopenfga:
image: openfga/openfga:v1.2.0
container_name: migrateopenfga
command: migrate --datastore-engine postgres --datastore-uri 'postgresql://jimm:jimm@db/jimm?sslmode=disable'
depends_on:
db:
condition: service_healthy

insert-hardcoded-store:
image: governmentpaas/psql
container_name: insert-hardcoded-store
command: psql -Atx postgresql://jimm:jimm@db/jimm?sslmode=disable -c "INSERT INTO store (id,name,created_at,updated_at) VALUES ('01GP1254CHWJC1MNGVB0WDG1T0','jimm',NOW(),NOW());"
depends_on:
migrateopenfga:
condition: service_completed_successfully

openfga:
# We use our 'image' to mimic juju standard.
# image: openfga/openfga:latest
build:
context: .
dockerfile: ./local/openfga/Dockerfile
context: ./local/openfga/
dockerfile: Dockerfile
container_name: openfga
environment:
OPENFGA_AUTHN_METHOD: "preshared"
OPENFGA_AUTHN_PRESHARED_KEYS: "jimm"
OPENFGA_DATASTORE_ENGINE: "postgres"
OPENFGA_DATASTORE_URI: "postgresql://jimm:jimm@db/jimm?sslmode=disable"
command: run
volumes:
- ./openfga/authorisation_model.json:/app/authorisation_model.json
Contributor

Let me know if you agree:
having it as a volume suggests that changing this json triggers a change in the openfga model.
Is this true?
If it isn't, I would add this file in the dockerfile as an ADD

Contributor Author

@kian99 Aug 23, 2024

So I initially had it added inside the dockerfile; the issue is that the dockerfile is in local/openfga/ and the auth model is defined in /openfga/authorisation_model.json, so I couldn't figure out how to pass that file through. Symlinks are not handled by dockerfile ADD, so the volume was the next best thing.

ports:
- 8080:8080
- 3000:3000
depends_on:
migrateopenfga:
condition: service_completed_successfully
insert-hardcoded-store:
condition: service_completed_successfully
healthcheck:
test: [ "CMD", "curl", "http://0.0.0.0:8080/healthz" ]
interval: 5s
timeout: 5s
retries: 10

# Adds the auth model and updates its authorisation model id to be the expected hard-coded id such that our local JIMM can utilise it for queries.
# The auth model json is retrieved from file via volume mount.
insert-hardcoded-auth-model:
profiles: ["dev", "test"]
image: governmentpaas/psql
container_name: insert-hardcoded-auth-model
volumes:
- ./local/openfga/authorisation_model.json:/authorisation_model.json
command:
- /bin/sh
- -c
- |
wget -q -O - --header 'Content-Type: application/json' --header 'Authorization: Bearer jimm' --post-file authorisation_model.json openfga:8080/stores/01GP1254CHWJC1MNGVB0WDG1T0/authorization-models
psql -Atx postgresql://jimm:jimm@db/jimm?sslmode=disable -c "UPDATE authorization_model SET authorization_model_id = '01GP1EC038KHGB6JJ2XXXXCXKB' WHERE store = '01GP1254CHWJC1MNGVB0WDG1T0';"
depends_on:
openfga:
db:
condition: service_healthy

keycloak:
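Review bot: if `command: run` is kept on the `openfga` service, it is now passed as `$1` to `/app/entrypoint.sh`, which ignores its arguments and calls `./openfga run` itself, so the line is dead configuration that reads as though it still controlled the server; drop it, or have the script forward `"$@"` to `./openfga`. Also worth a comment next to the new volume line: the script's `wget --post-file authorisation_model.json` resolves relative to `WORKDIR /app`, so the mount target `/app/authorisation_model.json` is load-bearing, and the source is now the top-level `./openfga/authorisation_model.json` rather than the `./local/openfga/` copy this PR deletes.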
20 changes: 18 additions & 2 deletions local/openfga/Dockerfile
@@ -1,9 +1,25 @@
# syntax=docker/dockerfile:1.3.1
FROM ubuntu:20.04 AS build
RUN apt-get -qq update && apt-get -qq install -y ca-certificates curl

# Install some tools necessary for health checks and setup.
RUN apt-get -qq update && apt-get -qq install -y ca-certificates curl wget postgresql-client

EXPOSE 8081
EXPOSE 8080

WORKDIR /app

# Copy OpenFGA binaries from upstream image
COPY --from=openfga/openfga:v1.2.0 /openfga /app/openfga
COPY --from=openfga/openfga:v1.2.0 /assets /app/assets
ENTRYPOINT ["/app/openfga"]

COPY entrypoint.sh /app/entrypoint.sh

ENTRYPOINT [ "/app/entrypoint.sh" ]

HEALTHCHECK \
--start-period=5s \
--interval=1s \
--timeout=5s \
--retries=10 \
CMD [ "curl", "http://0.0.0.0:8080/healthz" ]
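Review bot: the `HEALTHCHECK` runs `curl` without `-f`, so a 5xx from `/healthz` still exits 0 and the container reports healthy; use `curl -f` (or `curl -sf`) so a non-2xx response fails the check. The check also only proves the server is listening, not that `entrypoint.sh` has finished loading the model, which is what `compose-common.yaml` now depends on; adding a test for a marker file written at the end of the script would close that gap. Minor: the hunk shows two `RUN apt-get ... install` lines and two `ENTRYPOINT` lines, so please confirm `ENTRYPOINT ["/app/openfga"]` and `EXPOSE 8081` are the removed lines and not leftovers, since only the last `ENTRYPOINT` takes effect.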
1 change: 0 additions & 1 deletion local/openfga/authorisation_model.json

This file was deleted.

24 changes: 24 additions & 0 deletions local/openfga/entrypoint.sh
@@ -0,0 +1,24 @@
#!/bin/sh

# This script starts the OpenFGA server, migrates the associated database and applies JIMM's auth model.
# It also manually edits the authorization_model_id to a hardcoded value for easier testing.
# Note that this script expects an authorisation_model.json file to be present. We provide that file
# by mounting the file from the host rather than putting it into the Docker container to avoid duplication.

set -e

# Migrate the database
./openfga migrate --datastore-engine postgres --datastore-uri "$OPENFGA_DATASTORE_URI"

./openfga run &
sleep 3

# Cleanup old auth model from previous starts
psql -Atx "$OPENFGA_DATASTORE_URI" -c "DELETE FROM authorization_model;"
# Adds the auth model and updates its authorisation model id to be the expected hard-coded id such that our local JIMM can utilise it for queries.
wget -q -O - --header 'Content-Type: application/json' --header 'Authorization: Bearer jimm' --post-file authorisation_model.json localhost:8080/stores/01GP1254CHWJC1MNGVB0WDG1T0/authorization-models
Contributor

I like this

psql -Atx "$OPENFGA_DATASTORE_URI" -c "INSERT INTO store (id,name,created_at,updated_at) VALUES ('01GP1254CHWJC1MNGVB0WDG1T0','jimm',NOW(),NOW()) ON CONFLICT DO NOTHING;"
psql -Atx "$OPENFGA_DATASTORE_URI" -c "UPDATE authorization_model SET authorization_model_id = '01GP1EC038KHGB6JJ2XXXXCXKB' WHERE store = '01GP1254CHWJC1MNGVB0WDG1T0';"

# Handle exit signals
trap 'kill %1' TERM ; wait
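Review bot: `sleep 3` after `./openfga run &` is a fixed-delay race: on a slow host the `wget` to `localhost:8080` runs before the server is listening, fails, and `set -e` aborts the container with almost no diagnostics because of `-q`. Poll `localhost:8080/healthz` in a bounded retry loop before the `psql` and `wget` steps, and log the upload response so a rejected model is visible. Two smaller points: the `Authorization: Bearer jimm` header duplicates the preshared key that `docker-compose.yaml` sets via `OPENFGA_AUTHN_PRESHARED_KEYS`, so reading it from an environment variable keeps the two in sync; and `kill %1` relies on job specs in a non-interactive `/bin/sh`, whereas `kill "$!"` (captured right after the `&`) is portable across shells.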
4 changes: 2 additions & 2 deletions local/vault/entrypoint.sh
@@ -44,5 +44,5 @@ vault secrets enable -version=2 -path /jimm-kv kv
# This container is now healthy
touch /tmp/healthy

# Keep container alive
tail -f /dev/null & trap 'kill %1' TERM ; wait
# Handle exit signals
trap 'kill %1' TERM ; wait
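Review bot: with `tail -f /dev/null &` removed, `kill %1` and `wait` only keep the container alive if a background job already exists at this point, i.e. the Vault server was started with `&` earlier in the script (not shown in this hunk); otherwise `wait` returns immediately after `touch /tmp/healthy` and the container exits. Please confirm the server is the first background job, or capture its PID with `$!` when it is launched and use that in the trap instead of `%1`.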