feat: add openfga app and kustomizations

applications/openfga.yaml

@@ -0,0 +1,47 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: openfga
+  namespace: argocd
+spec:
+  goTemplate: true
+  generators:
+  - list:
+      elements:
+      - cluster: https://kubernetes.default.svc
+        env: prod
+        hostname: openfga.adm.oceanbox.io
+        autoSync: false
+        prune: true
+      - cluster: https://kubernetes.default.svc
+        env: staging
+        hostname: openfga.dev.oceanbox.io
+        autoSync: true
+        prune: true
+  template:
+    metadata:
+      name: '{{ .env }}-openfga'
+    spec:
+      project: aux
+      destination:
+        namespace: idp
+        server: '{{ .cluster }}'
+      source:
+        repoURL: https://gitlab.com/oceanbox/manifests.git
+        targetRevision: main
+        path: kustomizations/openfga
+        plugin:
+          name: kustomize-helm-with-rewrite
+          parameters:
+          - name: env
+            string: '{{ .env }}'
+          - name: hostname
+            string: '{{ .hostname }}'
+  templatePatch: |
+    {{- if .autoSync }}
+    spec:
+      syncPolicy:
+        automated:
+          prune: {{ .prune }}
+          selfHeal: false
+    {{- end }}

argocd/kustomize-helm-with-rewrite/init-helm-repos.sh

@@ -10,5 +10,6 @@ helm repo add cerbos https://download.cerbos.dev/helm-charts
 helm repo add dapr https://dapr.github.io/helm-charts/
 helm repo add ncsa https://opensource.ncsa.illinois.edu/charts
 helm repo add dex https://charts.dexidp.io
+helm repo add openfga https://openfga.github.io/helm-charts
 
 helm repo update

kustomizations/openfga/base/cluster.yaml

@@ -0,0 +1,19 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: openfga-db
+spec:
+  enableSuperuserAccess: true
+  instances: 2
+  logLevel: info
+  storage:
+    pvcTemplate:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: 1Gi
+      storageClassName: managed-nfs-storage
+      volumeMode: Filesystem
+    resizeInUseVolumes: true
+    size: 1Gi

kustomizations/openfga/base/kustomization.yaml

@@ -0,0 +1,5 @@
+generatorOptions:
+  disableNameSuffixHash: true
+resources:
+  - cluster.yaml
+  - _manifest.yaml

kustomizations/openfga/prod/kustomization.yaml

@@ -0,0 +1,3 @@
+namePrefix: prod-
+resources:
+  - ../base

kustomizations/openfga/staging/cluster_patch.yaml

@@ -0,0 +1,3 @@
+- op: replace
+  path: /spec/instances
+  value: 1

kustomizations/openfga/staging/kustomization.yaml

@@ -0,0 +1,9 @@
+namePrefix: staging-
+patches:
+  - target:
+      group: postgresql.cnpg.io
+      version: v1
+      kind: Cluster
+    path: cluster_patch.yaml
+resources:
+  - ../base

kustomizations/openfga/values-prod.yaml

@@ -0,0 +1,36 @@
+replicaCount: 2
+
+datastore:
+  engine: postgres
+  uri: postgres://prod-openfga-db.idp.svc.cluster.local:5432/app?sslmode=disable
+
+postgresql:
+  enabled: true
+  auth:
+    username: app
+    existingSecret: prod-openfga-db-app
+    secretKeys:
+       userPasswordKey: password
+
+playground:
+  enabled: false
+  port: 3000
+
+ingress:
+  enabled: true
+  className: nginx
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-staging
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+  hosts:
+    - host: a11n.srv.oceanbox.io
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  tls:
+   - secretName: staging-openfga-tls
+     hosts:
+       - a11n.srv.oceanbox.io
+
+

kustomizations/openfga/values-staging.yaml

@@ -0,0 +1,36 @@
+replicaCount: 1
+
+datastore:
+  engine: postgres
+  uri: postgres://staging-openfga-db.idp.svc.cluster.local:5432/app?sslmode=disable
+
+postgresql:
+  enabled: true
+  auth:
+    username: app
+    existingSecret: staging-openfga-db-app
+    secretKeys:
+       userPasswordKey: password
+
+playground:
+  enabled: true
+  port: 3000
+
+ingress:
+  enabled: true
+  className: nginx
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-staging
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+  hosts:
+    - host: a11n.dev.oceanbox.io
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  tls:
+   - secretName: staging-openfga-tls
+     hosts:
+       - a11n.dev.oceanbox.io
+
+