Add parameters to allow migrate job to use its own database account a…

…nd service account
openfga · Jan 10, 2024 · c4d1bd5 · c4d1bd5
1 parent e4377ef
commit c4d1bd5
Show file tree

Hide file tree

Showing 4 changed files with 86 additions and 3 deletions.
diff --git a/charts/openfga/templates/_helpers.tpl b/charts/openfga/templates/_helpers.tpl
@@ -61,6 +61,28 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
 
+{{/*
+Create the name of the service account to use for the migration job
+*/}}
+{{- define "openfga.migrationServiceAccountName" -}}
+{{- if .Values.migrate.serviceAccount.name }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- else if .Values.migrate.serviceAccount.create }}
+{{- default (printf "%s-%s" (include "openfga.fullname" .) "migrate") .Values.migrate.serviceAccount.name }}
+{{- else }}
+{{- include "openfga.serviceAccountName" . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Return true if migration job is enabled
+*/}}
+{{- define "openfga.haveMigration" -}}
+{{- if and (has .Values.datastore.engine (list "postgres" "mysql")) .Values.datastore.applyMigrations }}
+  {{- true -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Return true if a secret object should be created
 */}}

diff --git a/charts/openfga/templates/job.yaml b/charts/openfga/templates/job.yaml
@@ -1,4 +1,4 @@
-{{- if and (has .Values.datastore.engine (list "postgres" "mysql")) .Values.datastore.applyMigrations -}}
+{{- if (include "openfga.haveMigration" .) -}}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -24,7 +24,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
     spec:
-      serviceAccountName: {{ include "openfga.serviceAccountName" . }}
+      serviceAccountName: {{ include "openfga.migrationServiceAccountName" . }}
       containers:
         - name: migrate-database
           securityContext:
@@ -37,7 +37,16 @@ spec:
               value: "{{ .Values.datastore.engine }}"
             {{- end }}
 
-            {{- if .Values.datastore.uri }}
+            {{- if .Values.datastore.migrations.uri}}
+            - name: OPENFGA_DATASTORE_URI
+              value: "{{ .Values.datastore.migrations.uri }}"
+            {{- else if .Values.datastore.migrations.uriSecret }}
+            - name: OPENFGA_DATASTORE_URI
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.datastore.migrations.uriSecret }}"
+                  key: "uri"
+            {{- else if .Values.datastore.uri }}
             - name: OPENFGA_DATASTORE_URI
               value: "{{ .Values.datastore.uri }}"
             {{- else if .Values.datastore.uriSecret }}
@@ -47,12 +56,25 @@ spec:
                   name: "{{ .Values.datastore.uriSecret }}"
                   key: "uri"
             {{- end }}
+            {{- if .Values.migrate.extraEnvVars }}
+            {{- toYaml .Values.migrate.extraEnvVars | nindent 12 }}
+            {{- end }}
           resources:
             {{- toYaml .Values.datastore.migrations.resources | nindent 12 }}
+
+          {{- with .Values.migrate.extraVolumeMounts }}
+          volumeMounts:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
         {{- if .Values.migrate.sidecars }}
         {{- include "common.tplvalues.render" ( dict "value" .Values.migrate.sidecars "context" $) | nindent 8 }}
         {{- end }}
+
       restartPolicy: Never
+      {{- with .Values.migrate.extraVolumes }}
+      volumes:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/openfga/templates/serviceaccount.yaml b/charts/openfga/templates/serviceaccount.yaml
@@ -10,3 +10,23 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 {{- end }}
+---
+{{- if and (include "openfga.haveMigration" .) .Values.migrate.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "openfga.migrationServiceAccountName" . }}
+  labels:
+    {{- include "openfga.labels" . | nindent 4 }}
+  {{- if .Values.migrate.serviceAccount.annotations }}
+  {{- with .Values.migrate.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- else if .Values.serviceAccount.annotations -}}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- end }}
+{{- end }}
diff --git a/charts/openfga/values.yaml b/charts/openfga/values.yaml
@@ -132,6 +132,8 @@ telemetry:
 datastore:
   engine: memory
   uri:
+  # A secret containing a "uri" key with the database URI to use.  Use this if you have a
+  # password in the URI (for example)
   uriSecret:
   maxCacheSize:
   maxOpenConns:
@@ -145,6 +147,11 @@ datastore:
       repository: groundnuty/k8s-wait-for
       pullPolicy: Always
       tag: "v2.0"
+    # The database URI to use for migrations.  If unset, the URI from datastore.uri is used.
+    uri:
+    # A secret containing a "uri" key with the database URI to use for migrations.  Use this
+    # if you have a password in the URI (for example).
+    uriSecret:
 
 postgres:
   ## @param postgres.enabled enable the bitnami/postgresql subchart and deploy Postgres
@@ -262,3 +269,15 @@ migrate:
     helm.sh/hook-weight: "-5"
     helm.sh/hook-delete-policy: "before-hook-creation"
   labels: {}
+  extraEnvVars: []
+  extraVolumes: []
+  extraVolumeMounts: []
+  serviceAccount:
+    # Specifies whether a separate migration service account should be created
+    create: false
+    # Annotations to add to the migration service account.  If unset, the annotations
+    # from serviceAccount.annotations are used.
+    annotations: {}
+    # The name of the service account to use.
+    # If not set and create is true, a name is generated using the fullname template
+    name: ""