feat: expand datastore connection configuration (username, password and uri) and allow set-up through an existing secret #178
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR adds additional configuration to setup datastore connection statically and through a secret.
Our use case: operating Postgres through the Zalando PG operator which creates secrets in relevant namespaces with username and password to connect to table. We want to automate our deployments as much as possible so copying these secrets manually into a full connection string is not an option.
Changes:
Adds
datastore.username
anddatastore.password
, mapping toOPENFGA_DATASTORE_USERNAME
andOPENFGA_DATASTORE_PASSWORD
.Allow all connection config to be set through a secret, referenced through
datastore.existingSecret
.For each field a
datastore.secretKeys.usernameKey|passwordKey|uriKey
can be set. When the secret key is not set, the config will default to the value ofdatastore.username|password|uri
.Our use case: setting up URI through static config and the username/password through the secret:
Internally I have put all the datastore config setup into a helper function which then can be invoked in both the job, initcontainer and openfga container sections, so they all use the same config and there is less duplication.
I have also kept the old
uriSecret
as is and made it co-exist with the new setup, so existing deployments don't get broken.I'm free for input on this and hope this can be added to the main chart, as we have been packaging our own fork for quite some time now.
References
Stale PR with overlap: #140
Review Checklist
main