
Commit eada9e6

committed
[openfga] Configure cloud-sql-proxy sidecar
1 parent bcd2b60 commit eada9e6


3 files changed

+147
-65
lines changed


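--- a/install/installer/pkg/components/openfga/constants.go
+++ b/install/installer/pkg/components/openfga/constants.go
@@ -21,4 +21,6 @@ const (
 ImageTag = "v0.3.1"
 
 ContainerName = "openfga"
+
+CloudSQLProxyPort = 3306
 )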
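Review bot: `CloudSQLProxyPort` is a new exported constant with no doc comment, and its role is only discoverable by reading deployment.go, where it is both the listen address in the proxy's `-instances` flag and the declared `ContainerPort`. Suggest `// CloudSQLProxyPort is the TCP port on which the cloud-sql-proxy sidecar listens inside the openfga pod.` so the coupling between the two files is visible at the declaration. Note that it is an untyped constant that is assigned to an `int32` field and formatted with `%d`, which works, but a typed `int32` would document the intended width.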

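--- a/install/installer/pkg/components/openfga/deployment.go
+++ b/install/installer/pkg/components/openfga/deployment.go
@@ -5,8 +5,11 @@
 package openfga
 
 import (
+"fmt"
+
 "github.com/gitpod-io/gitpod/installer/pkg/cluster"
 "github.com/gitpod-io/gitpod/installer/pkg/common"
+"github.com/gitpod-io/gitpod/installer/pkg/components/database/cloudsql"
 
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
@@ -20,6 +23,140 @@ import (
 func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 labels := common.CustomizeLabel(ctx, Component, common.TypeMetaDeployment)
 
+cfg := getExperimentalOpenFGAConfig(ctx)
+if cfg == nil || !cfg.Enabled {
+return nil, nil
+}
+
+// var env []corev1.EnvVar
+// if cfg.CloudSQL != nil {
+// env = append(env, corev1.EnvVar{
+// Name: "OPENFGA_DATASTORE_ENGINE",
+// Value: "mysql",
+// }, corev1.EnvVar{
+// Name: "OPENFGA_DATASTORE_URI",
+// Value: "$(DB_USERNAME):$(DB_PASSWORD)@tcp($(DB_HOST):$(DB_PORT))/openfga?parseTime=true",
+// }, corev1.EnvVar{
+// Name: "DB_USERNAME",
+// ValueFrom: &corev1.EnvVarSource{SecretKeyRef: &corev1.SecretKeySelector{
+// LocalObjectReference: secretRef,
+// Key: "username",
+// }},
+// })
+// }
+
+containers := []corev1.Container{
+{
+Name: ContainerName,
+Image: ctx.ImageName(common.ThirdPartyContainerRepo(ctx.Config.Repository, RegistryRepo), RegistryImage, ImageTag),
+ImagePullPolicy: corev1.PullIfNotPresent,
+Args: []string{
+"run",
+"--log-format=json",
+"--log-level=warn",
+},
+Env: common.CustomizeEnvvar(ctx, Component, common.MergeEnv(
+common.DefaultEnv(&ctx.Config),
+common.DatabaseEnv(&ctx.Config),
+)),
+Ports: []corev1.ContainerPort{
+{
+ContainerPort: ContainerGRPCPort,
+Name: ContainerGRPCName,
+Protocol: *common.TCPProtocol,
+},
+{
+ContainerPort: ContainerHTTPPort,
+Name: ContainerHTTPName,
+Protocol: *common.TCPProtocol,
+},
+{
+ContainerPort: ContainerPlaygroundPort,
+Name: ContainerPlaygroundName,
+Protocol: *common.TCPProtocol,
+},
+},
+Resources: common.ResourceRequirements(ctx, Component, ContainerName, corev1.ResourceRequirements{
+Requests: corev1.ResourceList{
+"cpu": resource.MustParse("1m"),
+"memory": resource.MustParse("30Mi"),
+},
+}),
+SecurityContext: &corev1.SecurityContext{
+RunAsGroup: pointer.Int64(65532),
+RunAsNonRoot: pointer.Bool(true),
+RunAsUser: pointer.Int64(65532),
+},
+LivenessProbe: &corev1.Probe{
+ProbeHandler: corev1.ProbeHandler{
+HTTPGet: &corev1.HTTPGetAction{
+Path: "/healthz",
+Port: intstr.IntOrString{IntVal: ContainerHTTPPort},
+Scheme: corev1.URISchemeHTTP,
+},
+},
+FailureThreshold: 3,
+SuccessThreshold: 1,
+TimeoutSeconds: 1,
+},
+ReadinessProbe: &corev1.Probe{
+ProbeHandler: corev1.ProbeHandler{
+HTTPGet: &corev1.HTTPGetAction{
+Path: "/healthz",
+Port: intstr.IntOrString{IntVal: ContainerHTTPPort},
+Scheme: corev1.URISchemeHTTP,
+},
+},
+FailureThreshold: 3,
+SuccessThreshold: 1,
+TimeoutSeconds: 1,
+},
+},
+}
+
+var volumes []corev1.Volume
+
+if cfg.CloudSQL != nil {
+containers = append(containers, corev1.Container{
+Name: "cloud-sql-proxy",
+SecurityContext: &corev1.SecurityContext{
+Privileged: pointer.Bool(false),
+RunAsNonRoot: pointer.Bool(false),
+AllowPrivilegeEscalation: pointer.Bool(false),
+},
+Image: ctx.ImageName(cloudsql.ImageRepo, cloudsql.ImageName, cloudsql.ImageVersion),
+Command: []string{
+"/cloud_sql_proxy",
+"-dir=/cloudsql",
+fmt.Sprintf("-instances=%s=tcp:0.0.0.0:%d", cfg.CloudSQL.Instance, CloudSQLProxyPort),
+"-credential_file=/credentials/credentials.json",
+},
+Ports: []corev1.ContainerPort{{
+ContainerPort: CloudSQLProxyPort,
+}},
+VolumeMounts: []corev1.VolumeMount{{
+MountPath: "/cloudsql",
+Name: "cloudsql",
+}, {
+MountPath: "/credentials",
+Name: "gcloud-sql-token",
+}},
+Env: common.CustomizeEnvvar(ctx, Component, []corev1.EnvVar{}),
+})
+
+volumes = append(volumes, []corev1.Volume{
+{
+Name: "cloudsql",
+VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}},
+}, {
+Name: "gcloud-sql-token",
+VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{
+SecretName: cfg.CloudSQL.SecretRef,
+}},
+},
+}...)
+}
+
 return []runtime.Object{
 &appsv1.Deployment{
 TypeMeta: common.TypeMetaDeployment,
@@ -51,71 +188,8 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 SecurityContext: &corev1.PodSecurityContext{
 RunAsNonRoot: pointer.Bool(false),
 },
-Containers: []corev1.Container{{
-Name: ContainerName,
-Image: ctx.ImageName(common.ThirdPartyContainerRepo(ctx.Config.Repository, RegistryRepo), RegistryImage, ImageTag),
-ImagePullPolicy: corev1.PullIfNotPresent,
-Args: []string{
-"run",
-"--log-format=json",
-"--log-level=warn",
-},
-Env: common.CustomizeEnvvar(ctx, Component, common.MergeEnv(
-common.DefaultEnv(&ctx.Config),
-)),
-Ports: []corev1.ContainerPort{
-{
-ContainerPort: ContainerGRPCPort,
-Name: ContainerGRPCName,
-Protocol: *common.TCPProtocol,
-},
-{
-ContainerPort: ContainerHTTPPort,
-Name: ContainerHTTPName,
-Protocol: *common.TCPProtocol,
-},
-{
-ContainerPort: ContainerPlaygroundPort,
-Name: ContainerPlaygroundName,
-Protocol: *common.TCPProtocol,
-},
-},
-Resources: common.ResourceRequirements(ctx, Component, ContainerName, corev1.ResourceRequirements{
-Requests: corev1.ResourceList{
-"cpu": resource.MustParse("1m"),
-"memory": resource.MustParse("30Mi"),
-},
-}),
-SecurityContext: &corev1.SecurityContext{
-RunAsGroup: pointer.Int64(65532),
-RunAsNonRoot: pointer.Bool(true),
-RunAsUser: pointer.Int64(65532),
-},
-LivenessProbe: &corev1.Probe{
-ProbeHandler: corev1.ProbeHandler{
-HTTPGet: &corev1.HTTPGetAction{
-Path: "/healthz",
-Port: intstr.IntOrString{IntVal: ContainerHTTPPort},
-Scheme: corev1.URISchemeHTTP,
-},
-},
-FailureThreshold: 3,
-SuccessThreshold: 1,
-TimeoutSeconds: 1,
-},
-ReadinessProbe: &corev1.Probe{
-ProbeHandler: corev1.ProbeHandler{
-HTTPGet: &corev1.HTTPGetAction{
-Path: "/healthz",
-Port: intstr.IntOrString{IntVal: ContainerHTTPPort},
-Scheme: corev1.URISchemeHTTP,
-},
-},
-FailureThreshold: 3,
-SuccessThreshold: 1,
-TimeoutSeconds: 1,
-},
-}},
+Containers: containers,
+Volumes: volumes,
 },
 },
 },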
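Review bot: The cloud-sql-proxy sidecar added in the second hunk listens on all interfaces (`-instances=%s=tcp:0.0.0.0:%d`) and additionally declares that port under `Ports`, so the proxy — which holds the mounted service-account credential and performs the Cloud SQL authentication on behalf of its clients — is reachable on the pod IP from the cluster network rather than only from the openfga container over loopback; bind it with `fmt.Sprintf("-instances=%s=tcp:127.0.0.1:%d", cfg.CloudSQL.Instance, CloudSQLProxyPort)` and drop the `Ports` entry unless something outside the pod must reach it. The sidecar's SecurityContext sets `RunAsNonRoot: pointer.Bool(false)` with no `RunAsUser`, so it is allowed to run as root while the openfga container is pinned to 65532; unless the proxy image requires root, mirror the openfga container's `RunAsNonRoot`/`RunAsUser`/`RunAsGroup` settings. `cfg.CloudSQL.Instance` is interpolated without a check, so an empty value renders a malformed `-instances==tcp:...` flag that only fails at pod start; returning an error from deployment() when it is empty would surface the misconfiguration at render time. The commented-out `// var env` block references an undefined `secretRef` and should be removed or completed, and since nothing in the hunk sets `OPENFGA_DATASTORE_ENGINE`/`OPENFGA_DATASTORE_URI`, it is not clear from this change that openfga actually uses the proxied database — worth confirming. deployment() ends outside the third hunk.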

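--- a/install/installer/pkg/config/v1/experimental/experimental.go
+++ b/install/installer/pkg/config/v1/experimental/experimental.go
@@ -190,6 +190,12 @@ type IAMConfig struct {
 
 type OpenFGAConfig struct {
 Enabled bool `json:"enabled"`
+
+CloudSQL *struct {
+Instance string `json:"instance"`
+Database string `json:"database"`
+SecretRef string `json:"secretRef"`
+} `json:"cloudSql,omitempty"`
 }
 
 type WebAppConfig struct {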
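Review bot: The new `CloudSQL` fields carry no doc comments, and the contract for `SecretRef` is only implicit: deployment.go in this same commit mounts the referenced Secret at /credentials and passes `-credential_file=/credentials/credentials.json`, so the Secret must contain a key literally named `credentials.json` holding the service-account credential, which an operator filling in this config cannot learn from the struct. Suggest `// SecretRef names a Secret whose "credentials.json" key holds the service-account credential mounted into the cloud-sql-proxy sidecar.` and `// Instance is the Cloud SQL connection name passed to the proxy's -instances flag.` on the respective fields. `Database` is declared here but not consumed anywhere in the deployment.go change, so it should either be wired into the openfga datastore configuration or left out until it is used.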
