simplify Docker compose and OpenFGA setup
kian99 committed Aug 23, 2024
1 parent de6bf2a commit 4a0d3dd
Showing 5 changed files with 47 additions and 52 deletions.
2 changes: 0 additions & 2 deletions compose-common.yaml
@@ -53,8 +53,6 @@ services:
condition: service_healthy
traefik:
condition: service_healthy
insert-hardcoded-auth-model:
condition: service_completed_successfully
keycloak:
condition: service_healthy
labels:
52 changes: 5 additions & 47 deletions docker-compose.yaml
@@ -93,65 +93,23 @@ services:
cap_add:
- IPC_LOCK

migrateopenfga:
image: openfga/openfga:v1.2.0
container_name: migrateopenfga
command: migrate --datastore-engine postgres --datastore-uri 'postgresql://jimm:jimm@db/jimm?sslmode=disable'
depends_on:
db:
condition: service_healthy

insert-hardcoded-store:
image: governmentpaas/psql
container_name: insert-hardcoded-store
command: psql -Atx postgresql://jimm:jimm@db/jimm?sslmode=disable -c "INSERT INTO store (id,name,created_at,updated_at) VALUES ('01GP1254CHWJC1MNGVB0WDG1T0','jimm',NOW(),NOW());"
depends_on:
migrateopenfga:
condition: service_completed_successfully

openfga:
# We use our 'image' to mimic juju standard.
# image: openfga/openfga:latest
build:
context: .
dockerfile: ./local/openfga/Dockerfile
context: ./local/openfga/
dockerfile: Dockerfile
container_name: openfga
environment:
OPENFGA_AUTHN_METHOD: "preshared"
OPENFGA_AUTHN_PRESHARED_KEYS: "jimm"
OPENFGA_DATASTORE_ENGINE: "postgres"
OPENFGA_DATASTORE_URI: "postgresql://jimm:jimm@db/jimm?sslmode=disable"
command: run
volumes:
- ./openfga/authorisation_model.json:/app/authorisation_model.json
ports:
- 8080:8080
- 3000:3000
depends_on:
migrateopenfga:
condition: service_completed_successfully
insert-hardcoded-store:
condition: service_completed_successfully
healthcheck:
test: [ "CMD", "curl", "http://0.0.0.0:8080/healthz" ]
interval: 5s
timeout: 5s
retries: 10

# Adds the auth model and updates its authorisation model id to be the expected hard-coded id such that our local JIMM can utilise it for queries.
# The auth model json is retrieved from file via volume mount.
insert-hardcoded-auth-model:
profiles: ["dev", "test"]
image: governmentpaas/psql
container_name: insert-hardcoded-auth-model
volumes:
- ./local/openfga/authorisation_model.json:/authorisation_model.json
command:
- /bin/sh
- -c
- |
wget -q -O - --header 'Content-Type: application/json' --header 'Authorization: Bearer jimm' --post-file authorisation_model.json openfga:8080/stores/01GP1254CHWJC1MNGVB0WDG1T0/authorization-models
psql -Atx postgresql://jimm:jimm@db/jimm?sslmode=disable -c "UPDATE authorization_model SET authorization_model_id = '01GP1EC038KHGB6JJ2XXXXCXKB' WHERE store = '01GP1254CHWJC1MNGVB0WDG1T0';"
depends_on:
openfga:
db:
condition: service_healthy

keycloak:
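Review bot: The bind mount `./openfga/authorisation_model.json:/app/authorisation_model.json` on the `openfga` service is writable from inside the container, although the entrypoint only reads the file for `wget --post-file`; mounting it read-only, `- ./openfga/authorisation_model.json:/app/authorisation_model.json:ro`, keeps a process in the container from altering the authorisation model on the host. The host path also differs from the `./local/openfga/authorisation_model.json` used by the removed `insert-hardcoded-auth-model` service, and with the short volume syntax Docker creates a missing host path as a directory, so it is worth confirming the file exists at `./openfga/` relative to this compose file. The `8080:8080` and `3000:3000` mappings (apparently unchanged context) publish on every host interface while the API accepts the committed preshared key `jimm`; if the stack is only used locally, binding them to `127.0.0.1` narrows the exposure.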
20 changes: 18 additions & 2 deletions local/openfga/Dockerfile
@@ -1,9 +1,25 @@
# syntax=docker/dockerfile:1.3.1
FROM ubuntu:20.04 AS build
RUN apt-get -qq update && apt-get -qq install -y ca-certificates curl

# Install some tools necessary for health checks and setup.
RUN apt-get -qq update && apt-get -qq install -y ca-certificates curl wget postgresql-client

EXPOSE 8081
EXPOSE 8080

WORKDIR /app

# Copy OpenFGA binaries from upstream image
COPY --from=openfga/openfga:v1.2.0 /openfga /app/openfga
COPY --from=openfga/openfga:v1.2.0 /assets /app/assets
ENTRYPOINT ["/app/openfga"]

COPY entrypoint.sh /app/entrypoint.sh

ENTRYPOINT [ "/app/entrypoint.sh" ]

HEALTHCHECK \
--start-period=5s \
--interval=1s \
--timeout=5s \
--retries=10 \
CMD [ "curl", "http://0.0.0.0:8080/healthz" ]
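Review bot: The `HEALTHCHECK` runs `curl` without `--fail`, so any HTTP response from port 8080, including an error status, exits 0 and marks the container healthy; `CMD [ "curl", "-f", "http://0.0.0.0:8080/healthz" ]` makes the result follow what `/healthz` actually returns. The check can also pass before `entrypoint.sh` has finished loading the authorisation model, because the script starts the server first, so services waiting on `service_healthy` may start against a store that has no model yet. The image sets no `USER`, so the entrypoint, `psql` and `wget` appear to run as root; an unprivileged user would be a small hardening step if nothing in the script needs root.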
1 change: 0 additions & 1 deletion local/openfga/authorisation_model.json

This file was deleted.

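--- a/local/openfga/entrypoint.sh
+++ b/local/openfga/entrypoint.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# This script starts the OpenFGA server, migrates the associated database and applies JIMM's auth model.
+# It also manually edits the authorization_model_id to a hardcoded value for easier testing.
+# Note that this script expects an authorisation_model.json file to be present. We provide that file
+# by mounting the file from the host rather than putting it into the Docker container to avoid duplication.
+
+set -e
+
+# Migrate the database
+./openfga migrate --datastore-engine postgres --datastore-uri "$OPENFGA_DATASTORE_URI"
+
+./openfga run &
+sleep 3
+
+# Cleanup old auth model from previous starts
+psql -Atx "$OPENFGA_DATASTORE_URI" -c "DELETE FROM authorization_model;"
+# Adds the auth model and updates its authorisation model id to be the expected hard-coded id such that our local JIMM can utilise it for queries.
+wget -q -O - --header 'Content-Type: application/json' --header 'Authorization: Bearer jimm' --post-file authorisation_model.json localhost:8080/stores/01GP1254CHWJC1MNGVB0WDG1T0/authorization-models
+psql -Atx "$OPENFGA_DATASTORE_URI" -c "INSERT INTO store (id,name,created_at,updated_at) VALUES ('01GP1254CHWJC1MNGVB0WDG1T0','jimm',NOW(),NOW()) ON CONFLICT DO NOTHING;"
+psql -Atx "$OPENFGA_DATASTORE_URI" -c "UPDATE authorization_model SET authorization_model_id = '01GP1EC038KHGB6JJ2XXXXCXKB' WHERE store = '01GP1254CHWJC1MNGVB0WDG1T0';"
+
+# Keep container alive
+tail -f /dev/null & trap 'kill %1' TERM ; wait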
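Review bot: The fixed `sleep 3` after `./openfga run &` is the only thing separating server start from the model upload, so on a slow start the `wget` fails and `set -e` ends the script before the authorisation model is in place; polling `/healthz` with a bounded retry is more reliable. The `INSERT INTO store` also runs after the POST to `/stores/01GP1254CHWJC1MNGVB0WDG1T0/authorization-models`, whereas the removed compose services created the store first; if OpenFGA rejects writes to an unknown store, the first start on an empty database would fail, so the insert probably belongs before the `wget`. The closing `tail -f /dev/null & ... wait` keeps the container running even after the server process has died, which hides a crashed authorisation service; waiting on the server's PID lets the container exit with it. The bearer token `jimm` is also repeated in the script rather than taken from the environment the compose file already sets, so the two values can drift.

```shell
./openfga run &
openfga_pid=$!

# Wait for the HTTP API to answer instead of sleeping for a fixed time.
attempts=0
until curl -fsS http://localhost:8080/healthz >/dev/null 2>&1; do
    attempts=$((attempts + 1))
    if [ "$attempts" -ge 30 ]; then
        echo "openfga did not become ready" >&2
        exit 1
    fi
    sleep 1
done

# … unchanged: DELETE FROM authorization_model …
# Create the store before posting a model into it.
psql -Atx "$OPENFGA_DATASTORE_URI" -c "INSERT INTO store (id,name,created_at,updated_at) VALUES ('01GP1254CHWJC1MNGVB0WDG1T0','jimm',NOW(),NOW()) ON CONFLICT DO NOTHING;"
# … unchanged: wget POST of authorisation_model.json, UPDATE authorization_model …

# Exit together with the server so a crash is visible to Docker.
trap 'kill "$openfga_pid"' TERM
wait "$openfga_pid"
```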
