openfga/helm-charts

feat: add tls support to openfga chart

Opened this issue · 2 comments

The openfga chart does not yet officially support TLS. If a developer wants to helm install the chart with TLS support, there isn't a good way to bootstrap the TLS certs for the chart install.

We may be able to add support by using the native functions built into Helm:
https://helm.sh/docs/chart_template_guide/function_list/#gensignedcert
https://helm.sh/docs/chart_template_guide/function_list/#genca

or we could add a chart dependency on cert-manager, which is a great tool to manage certifications and is widely used across the CNCF landscape.
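A sketch of the first option, using `genCA` and `genSignedCert` (an added example, not part of the original issue and not code from the openfga chart). The file name, the Secret name, and the assumption that the Service is named after the release are hypothetical.

```yaml
{{- /* templates/tls-secret.yaml: hypothetical file, not part of the openfga chart */ -}}
{{- $ns := .Release.Namespace -}}
{{- $svc := .Release.Name -}}           {{- /* assumption: Service is named after the release */ -}}
{{- $name := printf "%s-tls" $svc -}}   {{- /* assumption: Secret name */ -}}
{{- $crt := "" -}}
{{- $key := "" -}}
{{- $caCrt := "" -}}
{{- /* genCA/genSignedCert produce new keys on every render. Reuse the Secret
       already in the cluster so `helm upgrade` does not silently rotate the
       serving key. lookup returns an empty map during `helm template` and
       client-side dry runs, so those always render a fresh pair. */ -}}
{{- $existing := lookup "v1" "Secret" $ns $name -}}
{{- if and $existing $existing.data }}
  {{- $crt = index $existing.data "tls.crt" -}}
  {{- $key = index $existing.data "tls.key" -}}
  {{- $caCrt = index $existing.data "ca.crt" -}}
{{- else }}
  {{- $fqdn := printf "%s.%s.svc.cluster.local" $svc $ns -}}
  {{- $dns := list $svc (printf "%s.%s" $svc $ns) (printf "%s.%s.svc" $svc $ns) $fqdn -}}
  {{- $ca := genCA (printf "%s-ca" $svc) 365 -}}
  {{- $cert := genSignedCert $fqdn nil $dns 365 $ca -}}
  {{- $crt = $cert.Cert | b64enc -}}
  {{- $key = $cert.Key | b64enc -}}
  {{- $caCrt = $ca.Cert | b64enc -}}
  {{- /* The CA private key ($ca.Key) is deliberately not stored: nothing else
         can be signed by this CA after the install. */ -}}
{{- end }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $name }}
  namespace: {{ $ns }}
type: kubernetes.io/tls
data:
  tls.crt: {{ $crt }}
  tls.key: {{ $key }}
  ca.crt: {{ $caCrt }}
```

Nothing in this template renews the certificate when the 365 days run out, and the private key is stored both in the Secret and in Helm's stored release manifest. The cert-manager option handles issuance and renewal outside the chart.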

kdubb commented

Adding an extraVolumes and extraVolumeMounts that render into the openfga container would go a long way here.

WRT cert-manager, using its csi controller, it's pretty easy to mount a generated TLS certificate using just volumes and mounts.

Using the following kustomization patch works great and is easy:

```yaml
spec:
  containers:
  - name: openfga
    volumeMounts:
    # Everything the CSI volume provides, mounted under /tls
    - name: tls
      mountPath: /tls
    # The issuer's CA certificate alone, mounted into the system trust directory
    - name: tls
      mountPath: /etc/ssl/certs/local-tls-root.crt
      subPath: ca.crt
  volumes:
  - name: tls
    csi:
      driver: csi.cert-manager.io
      readOnly: true
      volumeAttributes:
        csi.cert-manager.io/common-name: openfga.default.svc.cluster.local
        csi.cert-manager.io/dns-names: openfga,openfga.default,openfga.default.svc,openfga.default.svc.cluster.local
        csi.cert-manager.io/issuer-kind: ClusterIssuer
        csi.cert-manager.io/issuer-name: local-tls
```

If we could add these to the chart via values, it would simplify things further without resorting to kustomization.

Related to #3