canonical/openfga-operator

Charmed OpenFGA Operator

Description

This repository contains a Juju Charm for deploying OpenFGA on Kubernetes.

Usage

Bootstrap a microk8s controller using juju 3.2 and create a new Juju model:

juju add-model openfga

Basic Usage

To deploy a single unit of OpenFGA using its default configuration:

juju deploy openfga-k8s --channel edge
juju deploy postgresql-k8s --channel edge
juju integrate postgresql-k8s:database openfga-k8s

openfga interface

This charm provides a library for the openfga integration interface. Your application should define the interface in metadata.yaml:

requires:
  openfga:
    interface: openfga

Then run:

charmcraft fetch-lib charms.openfga_k8s.v1.openfga

Please read the usage documentation for the openfga library for more information about how to enable the PostgreSQL interface in your application.

Integrations to new applications are supported via the openfga interface. To create an integration:

juju integrate openfga-k8s <application>

To remove an integration:

juju remove-relation openfga-k8s <application>

tls-certificates interface

The Charmed PostgreSQL Operator also supports TLS encryption on internal and external connections. To enable TLS:

# Deploy the TLS Certificates Operator.
juju deploy tls-certificates-operator --channel=edge
# Add the necessary configurations for TLS.
juju config tls-certificates-operator generate-self-signed-certificates="true" ca-common-name="Test CA"
# Enable TLS via integration.
juju integrate openfga-k8s tls-certificates-operator
# Disable TLS by removing integration.
juju remove-relation openfga-k8s tls-certificates-operator

Note: The TLS settings shown here are for self-signed certificates, which are not recommended for production clusters. The TLS Certificates Operator offers a variety of configurations. Read more on the TLS Certificates Operator here.

Observability

This OpenFGA operator integrates with the Canonical Observability Stack (COS) bundle. It comes with a Grafana dashboard and with Loki and Prometheus alert rules for basic common scenarios. To integrate with the COS bundle, after you deploy it, you can run:

juju integrate openfga-k8s:grafana-dashboard grafana:grafana-dashboard
juju integrate openfga-k8s:metrics-endpoint prometheus:metrics-endpoint
juju integrate loki:logging openfga-k8s:log-proxy

Security

Security issues in the Charmed OpenFGA k8s Operator can be reported through Launchpad. Please do not file GitHub issues about security issues.

Contributing

Please see the Juju SDK docs for guidelines on enhancements to this charm following best practice guidelines, and CONTRIBUTING.md for developer guidance.

License

The OpenFGA k8s charm is distributed under the Apache Software License, version 2.0. It installs/operates/depends on OpenFGA, which is licensed under the Apache Software License, version 2.0.