From b71ac600f09e3f6e735ad6dbcc970f946936c461 Mon Sep 17 00:00:00 2001
From: Evan Anderson
Date: Wed, 10 Jan 2024 14:09:50 -0800
Subject: [PATCH] feat: add parameters to allow migrate job to use its own database account and service account
---
 charts/openfga/templates/_helpers.tpl | 22 +++++++++++++++
 charts/openfga/templates/job.yaml | 28 +++++++++++++++++---
 charts/openfga/templates/serviceaccount.yaml | 20 ++++++++++++++
 charts/openfga/values.yaml | 19 +++++++++++++
 4 files changed, 86 insertions(+), 3 deletions(-)
diff --git a/charts/openfga/templates/_helpers.tpl b/charts/openfga/templates/_helpers.tpl
index 6652760..c456b12 100644
--- a/charts/openfga/templates/_helpers.tpl
+++ b/charts/openfga/templates/_helpers.tpl
@@ -61,6 +61,28 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
+{{/*
+Create the name of the service account to use for the migration job
+*/}}
+{{- define "openfga.migrationServiceAccountName" -}}
+{{- if .Values.migrate.serviceAccount.name }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- else if .Values.migrate.serviceAccount.create }}
+{{- default (printf "%s-%s" (include "openfga.fullname" .) "migrate") .Values.migrate.serviceAccount.name }}
+{{- else }}
+{{- include "openfga.serviceAccountName" . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Return true if migration job is enabled
+*/}}
+{{- define "openfga.haveMigration" -}}
+{{- if and (has .Values.datastore.engine (list "postgres" "mysql")) .Values.datastore.applyMigrations }}
+ {{- true -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Return true if a secret object should be created
 */}}
diff --git a/charts/openfga/templates/job.yaml b/charts/openfga/templates/job.yaml
index aaf7d37..9813cad 100644
--- a/charts/openfga/templates/job.yaml
+++ b/charts/openfga/templates/job.yaml
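Review bot: In `openfga.migrationServiceAccountName`, the branch taken when `.Values.migrate.serviceAccount.name` is set reads the application's `.Values.serviceAccount.name` instead, so a user-configured migration account name is silently ignored and the job runs as the application's ServiceAccount, or as the literal `default` when that value is empty (presumably not even what `openfga.serviceAccountName` would compute). Because serviceaccount.yaml names the created ServiceAccount with this same helper, `name` together with `create: true` also yields an object that collides with the application's ServiceAccount, and the values.yaml comment on `migrate.serviceAccount.name` in this patch promises a behaviour the chart does not deliver. The first branch should be `{{- .Values.migrate.serviceAccount.name }}`; once it is, the `default … .Values.migrate.serviceAccount.name` wrapper in the `else if` branch is redundant, since that value is known to be empty there. A rendered-template check with `migrate.serviceAccount.name` set is worth adding, because the failure mode is a wrong identity rather than a render error.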
@@ -1,4 +1,4 @@
-{{- if and (has .Values.datastore.engine (list "postgres" "mysql")) .Values.datastore.applyMigrations -}}
+{{- if (include "openfga.haveMigration" .) -}}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -24,7 +24,7 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 spec:
- serviceAccountName: {{ include "openfga.serviceAccountName" . }}
+ serviceAccountName: {{ include "openfga.migrationServiceAccountName" . }}
 containers:
 - name: migrate-database
 securityContext:
@@ -37,7 +37,16 @@ spec:
 value: "{{ .Values.datastore.engine }}"
 {{- end }}
- {{- if .Values.datastore.uri }}
+ {{- if .Values.datastore.migrations.uri}}
+ - name: OPENFGA_DATASTORE_URI
+ value: "{{ .Values.datastore.migrations.uri }}"
+ {{- else if .Values.datastore.migrations.uriSecret }}
+ - name: OPENFGA_DATASTORE_URI
+ valueFrom:
+ secretKeyRef:
+ name: "{{ .Values.datastore.migrations.uriSecret }}"
+ key: "uri"
+ {{- else if .Values.datastore.uri }}
 - name: OPENFGA_DATASTORE_URI
 value: "{{ .Values.datastore.uri }}"
 {{- else if .Values.datastore.uriSecret }}
@@ -47,12 +56,25 @@ spec:
 name: "{{ .Values.datastore.uriSecret }}"
 key: "uri"
 {{- end }}
+ {{- if .Values.migrate.extraEnvVars }}
+ {{- toYaml .Values.migrate.extraEnvVars | nindent 12 }}
+ {{- end }}
 resources:
 {{- toYaml .Values.datastore.migrations.resources | nindent 12 }}
+
+ {{- with .Values.migrate.extraVolumeMounts }}
+ volumeMounts:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 {{- if .Values.migrate.sidecars }}
 {{- include "common.tplvalues.render" ( dict "value" .Values.migrate.sidecars "context" $) | nindent 8 }}
 {{- end }}
+ restartPolicy: Never
+ {{- with .Values.migrate.extraVolumes }}
+ volumes:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/charts/openfga/templates/serviceaccount.yaml b/charts/openfga/templates/serviceaccount.yaml
index bbe191c..b8be7df 100644
--- a/charts/openfga/templates/serviceaccount.yaml
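Review bot: `{{- if .Values.datastore.migrations.uri}}` is missing the space before `}}` that every other action in this hunk has; `{{- if .Values.datastore.migrations.uri }}` keeps the template consistent. The chain now silently selects one of four credential sources and nothing in the template states the order, so a comment above it such as `{{/* migrations.uri > migrations.uriSecret > datastore.uri > datastore.uriSecret */}}` would make the precedence visible to the next maintainer. Since `migrations.uri` lands the migration account's connection string as a literal env value in the Pod spec, readable by anyone who can read the Job or Pod, while `migrations.uriSecret` keeps it in a Secret, the comment could also say which to prefer. The env list continues outside the hunk.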
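Review bot: `restartPolicy: Never` is added without any mention in the commit message, and nothing is removed for it; if the template already sets `restartPolicy` elsewhere in the pod spec (outside this hunk), this renders a duplicate key whose outcome depends on the consumer's YAML decoder, and if it is genuinely new it changes how a failing migration container is handled. Either way it deserves a sentence in the commit message or a comment above it, e.g. `# Do not restart the container in place; failures are retried by the Job controller`. Two smaller points in the same hunk: the blank line inserted between `resources:` and the `extraVolumeMounts` block sits inside the container mapping, and `extraEnvVars` is rendered with `toYaml` while the neighbouring `sidecars` value goes through `common.tplvalues.render`, so templated expressions work in one but not the other.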
+++ b/charts/openfga/templates/serviceaccount.yaml
@@ -10,3 +10,23 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 {{- end }}
+---
+{{- if and (include "openfga.haveMigration" .) .Values.migrate.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "openfga.migrationServiceAccountName" . }}
+ labels:
+ {{- include "openfga.labels" . | nindent 4 }}
+ {{- if .Values.migrate.serviceAccount.annotations }}
+ {{- with .Values.migrate.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- else if .Values.serviceAccount.annotations -}}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/openfga/values.yaml b/charts/openfga/values.yaml
index 45feddb..c0fbc70 100644
--- a/charts/openfga/values.yaml
+++ b/charts/openfga/values.yaml
@@ -132,6 +132,8 @@ telemetry:
 datastore:
 engine: memory
 uri:
+ # A secret containing a "uri" key with the database URI to use. Use this if you have a
+ # password in the URI (for example)
 uriSecret:
 maxCacheSize:
 maxOpenConns:
@@ -145,6 +147,11 @@ datastore:
 repository: groundnuty/k8s-wait-for
 pullPolicy: Always
 tag: "v2.0"
+ # The database URI to use for migrations. If unset, the URI from datastore.uri is used.
+ uri:
+ # A secret containing a "uri" key with the database URI to use for migrations. Use this
+ # if you have a password in the URI (for example).
+ uriSecret:
 postgres:
 ## @param postgres.enabled enable the bitnami/postgresql subchart and deploy Postgres
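Review bot: The `else if` fallback copies `.Values.serviceAccount.annotations` onto the new migration ServiceAccount whenever `migrate.serviceAccount.annotations` is left at its default `{}`, so an account created specifically to separate the migration job from the application inherits the application's annotations by default; where those annotations bind the account to a cloud IAM identity, the job silently keeps the application's identity unless the user remembers to override. Inheriting is a surprising default for an opt-in separation feature — either create the account without annotations unless some are given, or at least state the inheritance in the template, e.g. `{{/* Falls back to the application SA's annotations (which may carry cloud IAM bindings) when none are set for the migration SA */}}`. The inner `with` blocks are redundant under the `if`/`else if` tests that already guard them, the trailing `-}}` on the `else if` line differs from the `if` line, and the file loses its final newline.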
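Review bot: The new `migrations.uri` comment says the datastore URI is used when it is unset, but per the job template the lookup is `migrations.uri`, then `migrations.uriSecret`, then `datastore.uri`, then `datastore.uriSecret`, and neither comment says that a plain `uri` wins over its `uriSecret` sibling. Suggest `# The database URI to use for migrations. Takes precedence over migrations.uriSecret; if both are unset, datastore.uri / datastore.uriSecret are used.` so a user who sets both values is not surprised by which credential the job actually connects with. The bare `uri:` / `uriSecret:` keys parse as null, which matches the existing `datastore.uri:` style.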
@@ -262,3 +269,15 @@ migrate:
 helm.sh/hook-weight: "-5"
 helm.sh/hook-delete-policy: "before-hook-creation"
 labels: {}
+ extraEnvVars: []
+ extraVolumes: []
+ extraVolumeMounts: []
+ serviceAccount:
+ # Specifies whether a separate migration service account should be created
+ create: false
+ # Annotations to add to the migration service account. If unset, the annotations
+ # from serviceAccount.annotations are used.
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
\ No newline at end of file
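Review bot: `extraEnvVars`, `extraVolumes` and `extraVolumeMounts` are the only new keys without a comment, and nothing says what happens with `create: false`, which per the helper in this patch means the job runs as the application's service account. Suggest `# Extra environment variables for the migration container (list of EnvVar objects, rendered verbatim)` and `# When false and name is empty, the job uses the application's service account`. The file also loses its trailing newline here, which yamllint's new-line-at-end-of-file rule reports.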