Simplify openfga setup #1323
eb31dbe to 4a0d3dd
These changes are very good in the direction of improving our dev-env. Thank you for this!
local/jimm/add-controller.sh
Outdated
echo "Switching juju controller to $JIMM_CONTROLLER_NAME" | ||
juju switch "$JIMM_CONTROLLER_NAME" | ||
echo | ||
echo "Retrieving controller info for $CONTROLLER_NAME" | ||
./jimmctl controller-info --local "$CONTROLLER_NAME" "$CONTROLLER_YAML_PATH" --tls-hostname juju-apiserver | ||
jimmctl controller-info --local "$CONTROLLER_NAME" "$CONTROLLER_YAML_PATH" --tls-hostname juju-apiserver |
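Review bot: On the controller-info line, calling jimmctl without the ./ prefix runs whichever binary comes first on PATH, which may not match the source tree under test. Suggest resolving it explicitly before use (for example with command -v jimmctl), failing with a clear message when it is absent, and echoing the resolved path so a mismatch shows up in the logs.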
Why are we using jimmctl installed via snap even though we build it locally before?
We can remove the build part altogether if we suppose to always have the snap.
This is introduced in #1321, so we can discuss it there but the purpose of this change is to detect if jimmctl is available and if it's not only then build it. In CI, we don't necessarily want to require Go to be installed to spin up the test environment.
docker-compose.yaml
Outdated
# An instance of JIMM used for dev, built from source with hot-reloading. | ||
jimm-dev: | ||
extends: | ||
file: compose-common.yaml |
This is very clever!
container_name: openfga | ||
environment: | ||
OPENFGA_AUTHN_METHOD: "preshared" | ||
OPENFGA_AUTHN_PRESHARED_KEYS: "jimm" | ||
OPENFGA_DATASTORE_ENGINE: "postgres" | ||
OPENFGA_DATASTORE_URI: "postgresql://jimm:jimm@db/jimm?sslmode=disable" | ||
command: run | ||
volumes: | ||
- ./openfga/authorisation_model.json:/app/authorisation_model.json |
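Review bot: The volumes entry mounts authorisation_model.json into the container read-write; the container only needs to read the model, so append :ro to the mount. Separately, the preshared key jimm, the jimm:jimm database credentials and sslmode=disable are hard-coded in the environment block, so a comment marking this service as local-development only would keep these values from being copied into a deployed compose file.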
Let me know if you agree:
Having it as a volume suggests that changing this JSON triggers a change in the OpenFGA model.
Is this true?
If it isn't, I would add this file in the Dockerfile as an ADD.
So I initially had it added inside the Dockerfile, the issue is that the Dockerfile is in local/openfga/ and the auth model is defined in /openfga/authorisation_model.json so I couldn't figure out how to pass that file through. Symlinks are not handled by Dockerfile ADD so the volume was the next best thing.
Makefile
Outdated
@@ -36,22 +36,23 @@ certs: | |||
@cd local/traefik/certs; ./certs.sh; cd - | |||
|
|||
test-env: sys-deps certs |
Out of curiosity:
What is the purpose of this make rule? It is a docker compose w/o any profile.
It's there just for convenience and aligns with the other commands like dev-env. I still often just do docker compose up --wait -d myself.
4a0d3dd to b199e83
726fb3b to 62a4d08
# Cleanup old auth model from previous starts | ||
psql -Atx "$OPENFGA_DATASTORE_URI" -c "DELETE FROM authorization_model;" | ||
# Adds the auth model and updates its authorisation model id to be the expected hard-coded id such that our local JIMM can utilise it for queries. | ||
wget -q -O - --header 'Content-Type: application/json' --header 'Authorization: Bearer jimm' --post-file authorisation_model.json localhost:8080/stores/01GP1254CHWJC1MNGVB0WDG1T0/authorization-models |
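Review bot: The DELETE on the psql line has no WHERE clause, so it clears the authorization_model table for every store in whatever database OPENFGA_DATASTORE_URI points at, not only store 01GP1254CHWJC1MNGVB0WDG1T0 used on the wget line; scope it to that store. The wget call also runs with -q and no exit-status check, so a failed POST (server not yet listening, or the literal Bearer jimm token drifting from OPENFGA_AUTHN_PRESHARED_KEYS) goes unnoticed; check the result and take the token from the environment instead of repeating the literal.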
I like this
* simplify Docker compose and OpenFGA setup
* entrypoint tweaks
Description
Note: This PR builds on #1322
This PR simplifies JIMM's Docker compose file further by removing all the OpenFGA migration containers and placing their actions into an entrypoint.sh script that is called when running the OpenFGA container.