From c50b1b95ccedac08865b2dd3db68878b50a84fc4 Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Tue, 24 Jun 2025 09:58:50 +0200
Subject: [PATCH] feat: openfga helmfile

---
 helmfile.d/openfga.yaml.gotmpl | 43 ++++++++++
 values/openfga/env-oceanbox.yaml.gotmpl | 3 +
 values/openfga/env.yaml.gotmpl | 7 +-
 .../openfga/kustomize/base/kustomization.yaml | 4 -
 values/openfga/manifests/migration-job.yaml | 41 ----------
 values/openfga/manifests/openfga.yaml | 26 ++++--
 values/openfga/manifests/postgres-secret.yaml | 19 -----
 values/openfga/values-prod.yaml | 57 ------------
 .../values/openfga-staging.yaml.gotmpl | 79 ------------------
 ...nfga-prod.yaml.gotmpl => values-prod.yaml} | 20 -----
 .../openfga/{ => values}/values-staging.yaml | 20 +----
 .../{openfga.yaml.gotmpl => values.yaml} | 0
 12 files changed, 69 insertions(+), 250 deletions(-)
 create mode 100644 helmfile.d/openfga.yaml.gotmpl
 create mode 100644 values/openfga/env-oceanbox.yaml.gotmpl
 delete mode 100644 values/openfga/kustomize/base/kustomization.yaml
 delete mode 100644 values/openfga/manifests/migration-job.yaml
 delete mode 100644 values/openfga/manifests/postgres-secret.yaml
 delete mode 100644 values/openfga/values-prod.yaml
 delete mode 100644 values/openfga/values/openfga-staging.yaml.gotmpl
 rename values/openfga/values/{openfga-prod.yaml.gotmpl => values-prod.yaml} (70%)
 rename values/openfga/{ => values}/values-staging.yaml (78%)
 rename values/openfga/values/{openfga.yaml.gotmpl => values.yaml} (100%)

diff --git a/helmfile.d/openfga.yaml.gotmpl b/helmfile.d/openfga.yaml.gotmpl
new file mode 100644
index 00000000..bd026b3f
--- /dev/null
+++ b/helmfile.d/openfga.yaml.gotmpl
@@ -0,0 +1,43 @@ +bases: + - ../envs/environments.yaml.gotmpl + +repositories: +- name: openfga + url: https://openfga.github.io/helm-charts + +commonLabels: + tier: system + +releases: +- name: {{ .Environment.Name }}-openfga + namespace: openfga + chart: openfga/openfga + version: 0.2.35 + condition: openfga.enabled + values: + - ../values/openfga/values/values.yaml + - ../values/openfga/values/values-{{ .Environment.Name }}.yaml + postRenderer: ../bin/kustomizer + postRendererArgs: + - ../values/openfga/kustomize/{{ .Environment.Name }} + missingFileHandler: Info +- name: manifests + namespace: openfga + chart: manifests + condition: openfga.enabled + missingFileHandler: Info + values: + - ../values/env.yaml + - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml + - ../values/openfga/env.yaml.gotmpl + - ../values/openfga/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl + hooks: + - events: [ prepare, cleanup ] + showlogs: true + command: ../bin/helmify + args: + - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}' + - '{{`{{ .Release.Chart }}`}}' + - '{{`{{ .Environment.Name }}`}}' + - ../values/openfga/manifests + - manifests diff --git a/values/openfga/env-oceanbox.yaml.gotmpl b/values/openfga/env-oceanbox.yaml.gotmpl new file mode 100644 index 00000000..7ac9dc0d --- /dev/null +++ b/values/openfga/env-oceanbox.yaml.gotmpl @@ -0,0 +1,3 @@ +openfga: + enabled: true + env: prod diff --git a/values/openfga/env.yaml.gotmpl b/values/openfga/env.yaml.gotmpl index 13d4231a..67361e6f 100644 --- a/values/openfga/env.yaml.gotmpl +++ b/values/openfga/env.yaml.gotmpl @@ -1,5 +1,4 @@ openfga: - enabled: true - envs: - - prod - - staging \ No newline at end of file + enabled: false + autosync: false + env: prod diff --git a/values/openfga/kustomize/base/kustomization.yaml b/values/openfga/kustomize/base/kustomization.yaml deleted file mode 100644 index 57f354b1..00000000 
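Review bot: Sequence indentation is mixed inside the new helmfile: the `bases:` list uses an indented item (`  - ../envs/environments.yaml.gotmpl`) while `repositories:` and `releases:` use flush items (`- name: ...`). Both parse, but yamllint's `indentation.indent-sequences` check flags a file that mixes them; pick one form (the indented one already used by `values:` and `postRendererArgs:` within the release) and apply it throughout. Separately, `postRendererArgs` points at `../values/openfga/kustomize/{{ .Environment.Name }}` while this commit deletes `values/openfga/kustomize/base/kustomization.yaml` and adds no per-environment directory; as far as I can tell `missingFileHandler: Info` only covers the `values:` entries, so whether `../bin/kustomizer` tolerates a missing directory for the `prod` environment is worth confirming before this is synced.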
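Review bot: `autosync: false` is introduced in `values/openfga/env.yaml.gotmpl` but nothing in this diff reads `.Values.openfga.autosync`; the parts of the Argo Application's `syncPolicy` visible in the last hunk of `values/openfga/manifests/openfga.yaml` still show `# selfHeal: false` commented out, and the middle of that block is outside the diff. Either wire the key into `syncPolicy.automated` or leave it out until it is consumed, so the env file does not carry a setting that has no effect and that a reader would assume is enforced.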
--- a/values/openfga/kustomize/base/kustomization.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - _manifest.yaml diff --git a/values/openfga/manifests/migration-job.yaml b/values/openfga/manifests/migration-job.yaml deleted file mode 100644 index 2b565ec7..00000000 --- a/values/openfga/manifests/migration-job.yaml +++ /dev/null @@ -1,41 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: staging-openfga-migrate - labels: - helm.sh/chart: openfga-0.2.12 - app.kubernetes.io/name: openfga - app.kubernetes.io/instance: staging - app.kubernetes.io/version: "v1.5.9" - app.kubernetes.io/managed-by: Helm - annotations: - helm.sh/hook: post-install, post-upgrade, post-rollback, post-delete - helm.sh/hook-delete-policy: before-hook-creation - helm.sh/hook-weight: "-5" -spec: - template: - metadata: - annotations: - helm.sh/hook: post-install, post-upgrade, post-rollback, post-delete - helm.sh/hook-delete-policy: before-hook-creation - helm.sh/hook-weight: "-5" - spec: - serviceAccountName: staging-openfga - containers: - - name: migrate-database - securityContext: - {} - image: "openfga/openfga:v1.5.9" - args: ["migrate"] - env: - - name: OPENFGA_DATASTORE_ENGINE - value: "postgres" - - name: OPENFGA_DATASTORE_URI - valueFrom: - secretKeyRef: - name: "staging-openfga-db-superuser" - key: "uri" - resources: - {} - restartPolicy: Never - backoffLimit: 1 diff --git a/values/openfga/manifests/openfga.yaml b/values/openfga/manifests/openfga.yaml index 261a0b1d..0f89e083 100644 --- a/values/openfga/manifests/openfga.yaml +++ b/values/openfga/manifests/openfga.yaml @@ -1,9 +1,8 @@ {{- if .Values.clusterConfig.argo.enabled }} -{{- range .Values.openfga.envs }} apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: {{ . }}-openfga + name: {{ .Values.openfga.env }}-openfga namespace: argocd annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true 
@@ -12,17 +11,31 @@ metadata: spec: destination: namespace: openfga - server: 'https://kubernetes.default.svc' + server: https://kubernetes.default.svc + project: sys sources: - repoURL: {{ .Values.clusterConfig.manifests }} targetRevision: HEAD - path: helmfiles/openfga + path: helmfile.d plugin: - name: helmfile + name: helmfile-cmp env: - name: CLUSTER_NAME value: {{ .Values.clusterConfig.cluster }} - project: sys + - name: HELMFILE_ENVIRONMENT + value: {{ .Values.openfga.env }} + - name: HELMFILE_FILE_PATH + value: openfga.yaml.gotmpl + # - repoURL: https://openfga.github.io/helm-charts + # targetRevision: 0.2.35 + # chart: openfga + # helm: + # valueFiles: + # - $values/values/openfga/values/values.yaml + # - $values/values/openfga/values/values-{{ .Values.openfga.env }}.yaml + # - repoURL: https://gitlab.com/oceanbox/manifests.git + # targetRevision: main + # ref: values syncPolicy: managedNamespaceMetadata: labels: @@ -37,4 +50,3 @@ spec: # selfHeal: false {{- end }} {{- end }} -{{- end }} diff --git a/values/openfga/manifests/postgres-secret.yaml b/values/openfga/manifests/postgres-secret.yaml deleted file mode 100644 index 0a0ad2f7..00000000 --- a/values/openfga/manifests/postgres-secret.yaml +++ /dev/null 
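Review bot: The templated `value:` scalars under `plugin.env` are unquoted (`value: {{ .Values.openfga.env }}`, `value: {{ .Values.clusterConfig.cluster }}`), so an empty expansion renders as `null` and a boolean- or number-looking cluster name would change type after templating; quote them, e.g. `value: "{{ .Values.openfga.env }}"`. The ten commented-out lines from `# - repoURL: https://openfga.github.io/helm-charts` to `# ref: values` describe an alternative multi-source layout that the commit does not use; either drop them or add a one-line comment saying why they are kept, otherwise they read as a half-finished migration. The enclosing `{{- if .Values.clusterConfig.argo.enabled }}` block starts in the previous hunk and the `syncPolicy` body continues past this one.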
@@ -1,19 +0,0 @@ -apiVersion: v1 -stringData: - postgres-password: blT6zzv37KyFvzb1Ct3bhfAwPxhTG2fBO1EiIASQWI4wnEOB8AOWvmVa2sogGexr - uri: postgres://postgres:blT6zzv37KyFvzb1Ct3bhfAwPxhTG2fBO1EiIASQWI4wnEOB8AOWvmVa2sogGexr@prod-openfga-rw.openfga.svc.cluster.local:5432/postgres?sslmode=disable -kind: Secret -metadata: - name: prod-openfga-postgresql - namespace: openfga -type: Opaque ---- -apiVersion: v1 -stringData: - postgres-password: iAnMHs3eEuQM0D4jeAP1dwEoLWUBSwNXwhBuPDOgmfoeZ58iV0zogQ77U3GNUbwa - uri: postgres://postgres:iAnMHs3eEuQM0D4jeAP1dwEoLWUBSwNXwhBuPDOgmfoeZ58iV0zogQ77U3GNUbwa@staging-openfga-rw.openfga.svc.cluster.local:5432/postgres?sslmode=disable -kind: Secret -metadata: - name: staging-openfga-postgresql - namespace: openfga -type: Opaque diff --git a/values/openfga/values-prod.yaml b/values/openfga/values-prod.yaml deleted file mode 100644 index 73650055..00000000 --- a/values/openfga/values-prod.yaml +++ /dev/null 
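Review bot: Deleting this file removes the two literal `postgres` superuser passwords and their `postgres://postgres:...@...` connection URIs from the tree but not from git history, where they stay readable to anyone with repository access. If these values were ever applied as the `prod-openfga-postgresql` or `staging-openfga-postgresql` Secrets, rotate them on the database side now and record the rotation; the surviving values files reference `prod-openfga-db-superuser` / `staging-openfga-db-superuser` instead, so nothing in this diff still depends on the old values, and the history can be rewritten or the leak noted without breaking the deployment. Going forward, keep database credentials out of committed YAML and let the CNPG cluster generate them or reference an external secret store.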
@@ -1,57 +0,0 @@ -replicaCount: 2 - -datastore: - engine: postgres - uriSecret: prod-openfga-db-superuser - migrationType: initContainer - -postgresql: - enabled: false - -playground: - enabled: false - -telemetry: - metrics: - enabled: true - serviceMonitor: - enabled: true - enableRPCHistograms: true - trace: - enabled: true - otlp: - endpoint: opentelemetry-collector.otel.svc.cluster.local:4317 - sampleRatio: 0.1 - -ingress: - enabled: true - className: nginx - annotations: - cert-manager.io/cluster-issuer: letsencrypt-production - nginx.ingress.kubernetes.io/ssl-redirect: "true" - nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 - hosts: - - host: openfga.srv.oceanbox.io - paths: - - path: / - pathType: ImplementationSpecific - tls: - - secretName: prod-openfga-tls - hosts: - - openfga.srv.oceanbox.io - -extraObjects: - - apiVersion: postgresql.cnpg.io/v1 - kind: Cluster - metadata: - name: prod-openfga-db - namespace: openfga - spec: - instances: 2 - imageName: ghcr.io/cloudnative-pg/postgresql:17-bookworm - storage: - resizeInUseVolumes: true - size: 10Gi - backup: - retentionPolicy: 60d - target: prefer-standby diff --git a/values/openfga/values/openfga-staging.yaml.gotmpl b/values/openfga/values/openfga-staging.yaml.gotmpl deleted file mode 100644 index 15afe77b..00000000 --- a/values/openfga/values/openfga-staging.yaml.gotmpl +++ /dev/null 
@@ -1,79 +0,0 @@ -replicaCount: 1 - -datastore: - engine: postgres - uriSecret: staging-openfga-db-superuser - migrationType: initContainer - -#postgresql: -# enabled: false -# -#playground: -# enabled: false -# -#telemetry: -# metrics: -# enabled: true -# serviceMonitor: -# enabled: true -# enableRPCHistograms: true -# trace: -# enabled: true -# otlp: -# endpoint: opentelemetry-collector.otel.svc.cluster.local:4317 -# sampleRatio: 0.1 - -ingress: - enabled: true - className: nginx - annotations: - cert-manager.io/cluster-issuer: letsencrypt-production - nginx.ingress.kubernetes.io/ssl-redirect: "true" - oceanbox.io/expose: internal - hosts: - - host: openfga.dev.oceanbox.io - paths: - - path: / - pathType: ImplementationSpecific - tls: - - secretName: staging-openfga-tls - hosts: - - openfga.dev.oceanbox.io - -extraObjects: - - apiVersion: postgresql.cnpg.io/v1 - kind: Cluster - metadata: - name: staging-openfga-db - namespace: openfga - spec: - instances: 1 - imageName: ghcr.io/cloudnative-pg/postgresql:17-bookworm - storage: - resizeInUseVolumes: true - size: 10Gi - backup: - retentionPolicy: 60d - target: prefer-standby - bootstrap: - pg_basebackup: - database: "" - owner: "" - source: openfga - enableSuperuserAccess: true - externalClusters: - - name: openfga - connectionParameters: - host: prod-openfga-db-rw.openfga - sslmode: verify-full - user: streaming_replica - sslCert: - key: tls.crt - name: prod-openfga-db-replication - sslKey: - key: tls.key - name: prod-openfga-db-replication - sslRootCert: - key: ca.crt - name: prod-openfga-db-ca - diff --git a/values/openfga/values/openfga-prod.yaml.gotmpl b/values/openfga/values/values-prod.yaml similarity index 70% rename from values/openfga/values/openfga-prod.yaml.gotmpl rename to values/openfga/values/values-prod.yaml index 5a49fcd0..70be5f89 100644 --- a/values/openfga/values/openfga-prod.yaml.gotmpl +++ b/values/openfga/values/values-prod.yaml 
@@ -5,31 +5,12 @@ datastore: uriSecret: prod-openfga-db-superuser migrationType: initContainer -#postgresql: -# enabled: false -# -#playground: -# enabled: false -# -#telemetry: -# metrics: -# enabled: true -# serviceMonitor: -# enabled: true -# enableRPCHistograms: true -# trace: -# enabled: true -# otlp: -# endpoint: opentelemetry-collector.otel.svc.cluster.local:4317 -# sampleRatio: 0.1 - ingress: enabled: true className: nginx annotations: cert-manager.io/cluster-issuer: letsencrypt-production nginx.ingress.kubernetes.io/ssl-redirect: "true" - oceanbox.io/expose: internal hosts: - host: openfga.srv.oceanbox.io paths: @@ -55,4 +36,3 @@ extraObjects: backup: retentionPolicy: 60d target: prefer-standby - diff --git a/values/openfga/values-staging.yaml b/values/openfga/values/values-staging.yaml similarity index 78% rename from values/openfga/values-staging.yaml rename to values/openfga/values/values-staging.yaml index d91044ab..f64b98de 100644 --- a/values/openfga/values-staging.yaml +++ b/values/openfga/values/values-staging.yaml @@ -5,31 +5,13 @@ datastore: uriSecret: staging-openfga-db-superuser migrationType: initContainer -postgresql: - enabled: false - -playground: - enabled: false - -telemetry: - metrics: - enabled: true - serviceMonitor: - enabled: true - enableRPCHistograms: true - trace: - enabled: true - otlp: - endpoint: opentelemetry-collector.otel.svc.cluster.local:4317 - sampleRatio: 0.1 - ingress: enabled: true className: nginx annotations: cert-manager.io/cluster-issuer: letsencrypt-production nginx.ingress.kubernetes.io/ssl-redirect: "true" - nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 + oceanbox.io/expose: internal hosts: - host: openfga.dev.oceanbox.io paths: diff --git a/values/openfga/values/openfga.yaml.gotmpl b/values/openfga/values/values.yaml similarity index 100% rename from values/openfga/values/openfga.yaml.gotmpl rename to values/openfga/values/values.yaml
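Review bot: After this hunk the prod ingress carries no source restriction at all: `oceanbox.io/expose: internal` is removed here, and the `nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16` annotation that the deleted `values/openfga/values-prod.yaml` had is not carried over, while the staging hunk in the same diff keeps `oceanbox.io/expose: internal`. Unless `openfga.srv.oceanbox.io` is meant to be reachable from outside whatever `oceanbox.io/expose: internal` enforces, restore one of the two annotations for prod (matching staging with `oceanbox.io/expose: internal` is the smaller change), since this is the authorization backend. The `playground`, `postgresql` and `telemetry` blocks also disappear from both environment files; if they were not moved into the shared `values/openfga/values/values.yaml` (renamed at 100% similarity, contents not shown), the chart defaults now apply, and `playground.enabled` in particular is worth confirming.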