From 4a0d3ddd45cba4d2d265e7a3e4b73a97fb804dc5 Mon Sep 17 00:00:00 2001 From: Kian Parvin Date: Fri, 23 Aug 2024 13:41:50 +0200 Subject: [PATCH] simplify Docker compose and OpenFGA setup --- compose-common.yaml | 2 - docker-compose.yaml | 52 +++----------------------- local/openfga/Dockerfile | 20 +++++++++- local/openfga/authorisation_model.json | 1 - local/openfga/entrypoint.sh | 24 ++++++++++++ 5 files changed, 47 insertions(+), 52 deletions(-) delete mode 120000 local/openfga/authorisation_model.json create mode 100755 local/openfga/entrypoint.sh diff --git a/compose-common.yaml b/compose-common.yaml index c467cda94..3e905dab0 100644 --- a/compose-common.yaml +++ b/compose-common.yaml @@ -53,8 +53,6 @@ services: condition: service_healthy traefik: condition: service_healthy - insert-hardcoded-auth-model: - condition: service_completed_successfully keycloak: condition: service_healthy labels: diff --git a/docker-compose.yaml b/docker-compose.yaml index 89bda35e9..4acf7233f 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -93,65 +93,23 @@ services: cap_add: - IPC_LOCK - migrateopenfga: - image: openfga/openfga:v1.2.0 - container_name: migrateopenfga - command: migrate --datastore-engine postgres --datastore-uri 'postgresql://jimm:jimm@db/jimm?sslmode=disable' - depends_on: - db: - condition: service_healthy - - insert-hardcoded-store: - image: governmentpaas/psql - container_name: insert-hardcoded-store - command: psql -Atx postgresql://jimm:jimm@db/jimm?sslmode=disable -c "INSERT INTO store (id,name,created_at,updated_at) VALUES ('01GP1254CHWJC1MNGVB0WDG1T0','jimm',NOW(),NOW());" - depends_on: - migrateopenfga: - condition: service_completed_successfully - openfga: - # We use our 'image' to mimic juju standard. - # image: openfga/openfga:latest build: - context: . - dockerfile: ./local/openfga/Dockerfile + context: ./local/openfga/ + dockerfile: Dockerfile container_name: openfga environment: OPENFGA_AUTHN_METHOD: "preshared" OPENFGA_AUTHN_PRESHARED_KEYS: "jimm" OPENFGA_DATASTORE_ENGINE: "postgres" OPENFGA_DATASTORE_URI: "postgresql://jimm:jimm@db/jimm?sslmode=disable" - command: run + volumes: + - ./openfga/authorisation_model.json:/app/authorisation_model.json ports: - 8080:8080 - 3000:3000 depends_on: - migrateopenfga: - condition: service_completed_successfully - insert-hardcoded-store: - condition: service_completed_successfully - healthcheck: - test: [ "CMD", "curl", "http://0.0.0.0:8080/healthz" ] - interval: 5s - timeout: 5s - retries: 10 - - # Adds the auth model and updates its authorisation model id to be the expected hard-coded id such that our local JIMM can utilise it for queries. - # The auth model json is retrieved from file via volume mount. - insert-hardcoded-auth-model: - profiles: ["dev", "test"] - image: governmentpaas/psql - container_name: insert-hardcoded-auth-model - volumes: - - ./local/openfga/authorisation_model.json:/authorisation_model.json - command: - - /bin/sh - - -c - - | - wget -q -O - --header 'Content-Type: application/json' --header 'Authorization: Bearer jimm' --post-file authorisation_model.json openfga:8080/stores/01GP1254CHWJC1MNGVB0WDG1T0/authorization-models - psql -Atx postgresql://jimm:jimm@db/jimm?sslmode=disable -c "UPDATE authorization_model SET authorization_model_id = '01GP1EC038KHGB6JJ2XXXXCXKB' WHERE store = '01GP1254CHWJC1MNGVB0WDG1T0';" - depends_on: - openfga: + db: condition: service_healthy keycloak: diff --git a/local/openfga/Dockerfile b/local/openfga/Dockerfile index e2c9b06a7..7bc5c9b72 100644 --- a/local/openfga/Dockerfile +++ b/local/openfga/Dockerfile @@ -1,9 +1,25 @@ # syntax=docker/dockerfile:1.3.1 FROM ubuntu:20.04 AS build -RUN apt-get -qq update && apt-get -qq install -y ca-certificates curl + +# Install some tools necessary for health checks and setup. +RUN apt-get -qq update && apt-get -qq install -y ca-certificates curl wget postgresql-client + EXPOSE 8081 EXPOSE 8080 + WORKDIR /app + +# Copy OpenFGA binaries from upstream image COPY --from=openfga/openfga:v1.2.0 /openfga /app/openfga COPY --from=openfga/openfga:v1.2.0 /assets /app/assets -ENTRYPOINT ["/app/openfga"] + +COPY entrypoint.sh /app/entrypoint.sh + +ENTRYPOINT [ "/app/entrypoint.sh" ] + +HEALTHCHECK \ + --start-period=5s \ + --interval=1s \ + --timeout=5s \ + --retries=10 \ + CMD [ "curl", "http://0.0.0.0:8080/healthz" ] diff --git a/local/openfga/authorisation_model.json b/local/openfga/authorisation_model.json deleted file mode 120000 index 97998ba1b..000000000 --- a/local/openfga/authorisation_model.json +++ /dev/null @@ -1 +0,0 @@ -../../openfga/authorisation_model.json \ No newline at end of file diff --git a/local/openfga/entrypoint.sh b/local/openfga/entrypoint.sh new file mode 100755 index 000000000..8201ed77b --- /dev/null +++ b/local/openfga/entrypoint.sh @@ -0,0 +1,24 @@ +#!/bin/sh + +# This script starts the OpenFGA server, migrates the associated database and applies JIMM's auth model. +# It also manually edits the authorization_model_id to a hardcoded value for easier testing. +# Note that this script expects an authorisation_model.json file to be present. We provide that file +# by mounting the file from the host rather than putting it into the Docker container to avoid duplication. + +set -e + +# Migrate the database +./openfga migrate --datastore-engine postgres --datastore-uri "$OPENFGA_DATASTORE_URI" + +./openfga run & +sleep 3 + +# Cleanup old auth model from previous starts +psql -Atx "$OPENFGA_DATASTORE_URI" -c "DELETE FROM authorization_model;" +# Adds the auth model and updates its authorisation model id to be the expected hard-coded id such that our local JIMM can utilise it for queries. +wget -q -O - --header 'Content-Type: application/json' --header 'Authorization: Bearer jimm' --post-file authorisation_model.json localhost:8080/stores/01GP1254CHWJC1MNGVB0WDG1T0/authorization-models +psql -Atx "$OPENFGA_DATASTORE_URI" -c "INSERT INTO store (id,name,created_at,updated_at) VALUES ('01GP1254CHWJC1MNGVB0WDG1T0','jimm',NOW(),NOW()) ON CONFLICT DO NOTHING;" +psql -Atx "$OPENFGA_DATASTORE_URI" -c "UPDATE authorization_model SET authorization_model_id = '01GP1EC038KHGB6JJ2XXXXCXKB' WHERE store = '01GP1254CHWJC1MNGVB0WDG1T0';" + +# Keep container alive +tail -f /dev/null & trap 'kill %1' TERM ; wait