francescopagnamenta

Improvement proposal: allow defining pre-shared keys in a secret

Intro

Using OpenFGA with the "pre-shared" authentication mode requires defining API keys in the values file.

Proposal

Alternatively, allow specifying a secret that defines a comma-separated list of pre-shared keys.

{{- if .Values.authn.preshared.keysSecret }}
{{- /* Read the comma-separated key list from an existing Secret instead of values.yaml */}}
- name: OPENFGA_AUTHN_PRESHARED_KEYS
  valueFrom:
    secretKeyRef:
      name: "{{ .Values.authn.preshared.keysSecret }}"
      key: "presharedKeys"
{{- end }}

Testing

Tested locally on minikube as follows

Testing the configuration with preshared.keys (keys passed in the clear)

helm install openfga ./openfga \
  --set datastore.engine=mysql \
  --set datastore.uri="root:password@tcp(openfga-mysql.default.svc.cluster.local:3306)/mysql?parseTime=true" \
  --set datastore.applyMigrations=true \
  --set datastore.waitForMigrations=true \
  --set datastore.migrationType=initContainer \
  --set mysql.enabled=true \
  --set mysql.auth.rootPassword=password \
  --set mysql.auth.database=mysql \
  --set authn.method=preshared \
  --set-json authn.preshared.keys='["key1"]'

Port forwarding for testing

  export POD_NAME=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=openfga,app.kubernetes.io/instance=openfga" -o jsonpath="{.items[0].metadata.name}")
  export CONTAINER_PORT=$(kubectl get pod --namespace default $POD_NAME -o jsonpath="{.spec.containers[0].ports[1].containerPort}")
  echo "Visit http://127.0.0.1:8080 to use your application"
  kubectl --namespace default port-forward $POD_NAME 8080:$CONTAINER_PORT

Testing an endpoint

curl --location 'http://localhost:8080/stores' --header 'Authorization: Bearer key1'
{"stores":[], "continuation_token":""}
curl --location 'http://localhost:8080/stores' --header 'Authorization: Bearer key2'
{"code":"unauthenticated","message":"unauthenticated"}

Testing the configuration with preshared.keysSecret (keys read from a secret)

Define the secret

kubectl create secret -n default generic openfga-secrets --from-literal=presharedKeys=key1,key2

Install openfga with preshared keys from the secret (if the previous instance is still running, run helm uninstall openfga first)

helm install openfga ./openfga \
  --set datastore.engine=mysql \
  --set datastore.uri="root:password@tcp(openfga-mysql.default.svc.cluster.local:3306)/mysql?parseTime=true" \
  --set datastore.applyMigrations=true \
  --set datastore.waitForMigrations=true \
  --set datastore.migrationType=initContainer \
  --set mysql.enabled=true \
  --set mysql.auth.rootPassword=password \
  --set mysql.auth.database=mysql  \
  --set authn.method=preshared  \
  --set authn.preshared.keysSecret=openfga-secrets

Testing an endpoint (use the port-forwarding statement defined before)

curl --location 'http://localhost:8080/stores' --header 'Authorization: Bearer key1'
{"stores":[], "continuation_token":""}
curl --location 'http://localhost:8080/stores' --header 'Authorization: Bearer key2'
{"stores":[], "continuation_token":""}
curl --location 'http://localhost:8080/stores' --header 'Authorization: Bearer key3'
{"code":"unauthenticated","message":"unauthenticated"}

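The secret-creation step above uses `--from-literal`, which leaves the keys in shell history and in `ps` output while `kubectl` runs, and the demo values `key1`/`key2` are guessable. The script below is an added example (not part of this PR or of the OpenFGA chart) that generates random keys, checks the comma-separated list format that `OPENFGA_AUTHN_PRESHARED_KEYS` expects, and emits a Secret manifest that can be piped straight into `kubectl apply -f -`. It assumes the secret name `openfga-secrets` and the data key `presharedKeys` from the PR's template; the 32-character minimum per key is our own policy choice, not an OpenFGA requirement.

```shell
#!/bin/sh
# Added example, not the PR's or the chart's code.
# Assumptions: secret name "openfga-secrets" and data key "presharedKeys"
# match the template in the PR; MIN_KEY_LEN is our own policy, not OpenFGA's.
MIN_KEY_LEN=32

# Print one random 32-byte key as 64 hex characters (no commas, no whitespace,
# so it cannot break the comma-separated list OpenFGA parses).
gen_key() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Build the comma-separated list OPENFGA_AUTHN_PRESHARED_KEYS expects, with N keys.
gen_key_list() {
    gkl_n=$1
    gkl_list=""
    gkl_i=0
    while [ "$gkl_i" -lt "$gkl_n" ]; do
        gkl_k=$(gen_key)
        if [ -z "$gkl_list" ]; then gkl_list=$gkl_k; else gkl_list="$gkl_list,$gkl_k"; fi
        gkl_i=$((gkl_i + 1))
    done
    printf '%s' "$gkl_list"
}

# Validate a key list before it is stored: non-empty, no whitespace, no empty
# entries (leading/trailing/double commas), no duplicates, every key >= MIN_KEY_LEN.
# Returns 0 when valid, 1 otherwise, with the reason on stderr.
validate_key_list() {
    vkl_list=$1
    if [ -z "$vkl_list" ]; then
        echo "empty key list" >&2; return 1
    fi
    case "$vkl_list" in
        *[[:space:]]*) echo "whitespace in key list" >&2; return 1 ;;
        ,*|*,|*,,*)    echo "empty entry in key list" >&2; return 1 ;;
    esac
    vkl_dup=$(printf '%s' "$vkl_list" | tr ',' '\n' | sort | uniq -d)
    if [ -n "$vkl_dup" ]; then
        echo "duplicate key in key list" >&2; return 1
    fi
    # Safe to split on spaces here: whitespace and empty entries were rejected above.
    for vkl_k in $(printf '%s' "$vkl_list" | tr ',' ' '); do
        if [ "${#vkl_k}" -lt "$MIN_KEY_LEN" ]; then
            echo "key of length ${#vkl_k} is shorter than $MIN_KEY_LEN" >&2; return 1
        fi
    done
    return 0
}

# Emit the Secret manifest the proposed authn.preshared.keysSecret value points at.
# stringData lets the API server base64-encode the value, and piping the manifest
# keeps the keys off the command line.
secret_manifest() {
    sm_name=$1
    sm_list=$2
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\nstringData:\n  presharedKeys: "%s"\n' \
        "$sm_name" "$sm_list"
}

# Generate two keys, validate the list, and print the manifest
# (pipe into `kubectl apply -f -` to create the secret).
KEY_LIST=$(gen_key_list 2)
validate_key_list "$KEY_LIST" && secret_manifest openfga-secrets "$KEY_LIST"
```

After `helm install ... --set authn.preshared.keysSecret=openfga-secrets`, confirm the container really sources the variable from the secret rather than from an inline value, for example with `kubectl get pod $POD_NAME -o jsonpath='{.spec.containers[*].env[?(@.name=="OPENFGA_AUTHN_PRESHARED_KEYS")].valueFrom.secretKeyRef.name}'`, which should print `openfga-secrets`. Rotating keys then means updating the secret and restarting the pods; the values file no longer carries any key material.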
@francescopagnamenta francescopagnamenta requested review from a team as code owners January 24, 2025 16:15

linux-foundation-easycla bot commented Jan 24, 2025

CLA Missing ID CLA Not Signed

@rhamzeh (Member)

rhamzeh commented Jan 28, 2025

Thanks for your PR @francescopagnamenta! In order to review and merge this - may we ask you to sign the CLA posted by the bot above?

This is required for us to accept contributions under the CNCF and Linux Foundation rules

@francescopagnamenta francescopagnamenta requested a review from a team as a code owner January 29, 2025 10:08
@francescopagnamenta (Author)

Dear @rhamzeh, apologies for the very late reply! This PR might no longer be relevant.
I’ve signed the CLA, but I’m not sure if that’s sufficient to proceed with this PR in its current state.
