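#!/usr/bin/env bash
#
# gen-cnpg-and-firezone-new.sh
#
# Provision a CloudNativePG (CNPG) PostgreSQL cluster for Firezone and wire the
# generated database credentials into the Secrets that CNPG and Firezone read.
#
# Steps:
#   1) Configuration (defaults below; every value can be overridden from the
#      environment, e.g.  NAMESPACE=vpn ./gen-cnpg-and-firezone-new.sh).
#   2) Create/update the basic-auth Secrets CNPG consumes during initdb.
#   3) Create the CNPG Cluster CR so the initdb bootstrap runs. If a Cluster
#      with the same name already exists it is DELETED first (its data is
#      lost); that path must be enabled explicitly with
#      REINIT_EXISTING_CLUSTER=yes, otherwise the script aborts before
#      touching anything.
#   4) Create/update the Secret Firezone uses to connect to the database.
#
# Requirements: oc (logged in, with rights in the target namespace), openssl.
#
# Passwords are never placed on a command line: they are handed to oc as files
# in a private temporary directory that is removed on exit, so they do not
# show up in `ps` output or shell audit logs.
set -euo pipefail
umask 077  # every file this script creates is a credential scratch file

#######################################
# Print a progress message on stdout.
# Arguments: message words
#######################################
log() { printf '%s\n' "$*"; }

#######################################
# Print an error on stderr and exit with status 1.
# Arguments: message words
#######################################
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

command -v oc >/dev/null 2>&1 || die "oc not found in PATH"
command -v openssl >/dev/null 2>&1 || die "openssl not found in PATH"

#######################################################################
### 1) CONFIGURATION
#######################################################################
# Change these defaults as needed, or export the variable before running.
NAMESPACE="${NAMESPACE:-firezone}"                        # Namespace where everything lives.
CLUSTER_NAME="${CLUSTER_NAME:-cluster-firezone}"          # Name of the CNPG Cluster CR.
SECRET_USER_NAME="${SECRET_USER_NAME:-firezone}"          # Secret for the normal DB user.
SECRET_SUPERUSER_NAME="${SECRET_SUPERUSER_NAME:-izadmin}" # Secret for the Postgres superuser.
SECRET_FIREZONE="${SECRET_FIREZONE:-firezone-database}"   # Secret that Firezone reads.

# CNPG cluster settings.
POSTGRES_IMAGE="${POSTGRES_IMAGE:-ghcr.io/cloudnative-pg/postgresql:16.2}"
STORAGE_CLASS="${STORAGE_CLASS:-ceph-block}"
STORAGE_SIZE="${STORAGE_SIZE:-20Gi}"
INSTANCES="${INSTANCES:-3}"

# Database and Firezone credentials.
DB_NAME="${DB_NAME:-firezone}"           # Database created during bootstrap (initdb); Firezone expects this name.
DB_APP_USER="${DB_APP_USER:-firezone}"   # Database owner (normal DB user).
DB_SUPERUSER="${DB_SUPERUSER:-postgres}" # The usual Postgres superuser name.

# Additional PostgreSQL parameters.
MAX_CONNECTIONS="${MAX_CONNECTIONS:-200}"
SHARED_BUFFERS="${SHARED_BUFFERS:-256MB}"

# Random passwords unless fixed ones are supplied through the environment.
DB_APP_PASSWORD="${DB_APP_PASSWORD:-$(openssl rand -hex 16)}"
DB_SUPERUSER_PASSWORD="${DB_SUPERUSER_PASSWORD:-$(openssl rand -hex 16)}"
[[ -n "$DB_APP_PASSWORD" && -n "$DB_SUPERUSER_PASSWORD" ]] || die "password generation failed"

# Safety switches.
REINIT_EXISTING_CLUSTER="${REINIT_EXISTING_CLUSTER:-no}" # "yes" permits deleting an existing Cluster (data loss!).
WAIT_TIMEOUT_SECONDS="${WAIT_TIMEOUT_SECONDS:-600}"      # Upper bound for the delete / ready waits.

# Fully-qualified resource name: a bare "cluster" can resolve to another CRD
# whose kind is also Cluster on clusters that carry more than CNPG.
readonly CLUSTER_RESOURCE="clusters.postgresql.cnpg.io"

# Scratch directory for credential files; removed on every exit path.
WORKDIR="$(mktemp -d)" || die "mktemp failed"
cleanup() { rm -rf -- "${WORKDIR:?}"; }
trap cleanup EXIT

#######################################
# Return 0 if the CNPG Cluster CR currently exists.
# NOTE: like the original `oc get ... 2>/dev/null`, an API/auth failure is
# indistinguishable from "not found" here.
# Globals:   CLUSTER_RESOURCE, CLUSTER_NAME, NAMESPACE (read)
#######################################
cluster_exists() {
  oc get "$CLUSTER_RESOURCE" "$CLUSTER_NAME" -n "$NAMESPACE" >/dev/null 2>&1
}

#######################################
# Render a Secret with username/password keys and apply it idempotently
# (create --dry-run | apply, so re-runs update instead of failing).
# Globals:   NAMESPACE, WORKDIR (read)
# Arguments: $1 - secret name
#            $2 - secret type ("" keeps oc's default, Opaque)
#            $3 - username
#            $4 - password
# Outputs:   oc apply output on stdout
# Returns:   non-zero if oc fails
#######################################
apply_credentials_secret() {
  local name=$1 type=$2 username=$3 password=$4
  local dir="$WORKDIR/$name"
  local -a create_args=(create secret generic "$name")

  if [[ -n "$type" ]]; then
    create_args+=("--type=$type")
  fi
  # --from-file instead of --from-literal keeps the password out of argv.
  mkdir -p -- "$dir"
  printf '%s' "$username" > "$dir/username"
  printf '%s' "$password" > "$dir/password"
  create_args+=(--from-file=username="$dir/username" --from-file=password="$dir/password")

  oc -n "$NAMESPACE" "${create_args[@]}" --dry-run=client -o yaml | oc apply -f -
}

#######################################
# Block until the CNPG Cluster CR is gone or WAIT_TIMEOUT_SECONDS elapses.
# Globals:   CLUSTER_NAME, WAIT_TIMEOUT_SECONDS (read)
# Returns:   0 once the CR is gone; exits via die on timeout
#######################################
wait_for_cluster_deleted() {
  local deadline=$(( SECONDS + WAIT_TIMEOUT_SECONDS ))
  while cluster_exists; do
    (( SECONDS < deadline )) || die "timed out after ${WAIT_TIMEOUT_SECONDS}s waiting for cluster '$CLUSTER_NAME' to be deleted"
    sleep 5
  done
}

#######################################################################
### PRE-FLIGHT: refuse destructive re-runs before rotating any secret
#######################################################################
# Rotating the secrets (step 2) and then aborting would leave the live
# database with passwords that no longer match the Secrets, so the decision
# to proceed is made up front.
existing_cluster="no"
if cluster_exists; then
  existing_cluster="yes"
  log "CloudNativePG Cluster '$CLUSTER_NAME' already exists in namespace '$NAMESPACE'."
  if [[ "$REINIT_EXISTING_CLUSTER" != "yes" ]]; then
    die "refusing to delete it: reinitialization destroys the existing database. Re-run with REINIT_EXISTING_CLUSTER=yes to force initdb."
  fi
fi

#######################################################################
### 2) CREATE/UPDATE SECRETS FOR CLOUDNATIVE-PG
#######################################################################
log "Creating/updating secrets for CloudNativePG..."
# Secret for the normal DB user (used during initdb bootstrap).
apply_credentials_secret "$SECRET_USER_NAME" kubernetes.io/basic-auth "$DB_APP_USER" "$DB_APP_PASSWORD"
# Secret for the Postgres superuser.
apply_credentials_secret "$SECRET_SUPERUSER_NAME" kubernetes.io/basic-auth "$DB_SUPERUSER" "$DB_SUPERUSER_PASSWORD"
log "Secrets for CloudNativePG created/updated."

#######################################################################
### 3) HANDLE THE CLOUDNATIVE-PG CLUSTER CR (INITDB)
#######################################################################
# IMPORTANT: the bootstrap (initdb) phase runs only when the cluster is first
# created; changes to bootstrap.initdb on an existing cluster are not re-run.
# To force a reinitialization the existing cluster CR is deleted first.
if [[ "$existing_cluster" == "yes" ]]; then
  log "Deleting the existing cluster to force reinitialization (initdb)..."
  oc delete "$CLUSTER_RESOURCE" "$CLUSTER_NAME" -n "$NAMESPACE"
  log "Waiting for cluster '$CLUSTER_NAME' to be deleted..."
  wait_for_cluster_deleted
  log "Existing cluster deleted."
fi

log "Creating CloudNativePG Cluster '$CLUSTER_NAME' with initdb bootstrap..."
oc apply -n "$NAMESPACE" -f - <<EOF
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: $CLUSTER_NAME
spec:
  description: "PostgreSQL cluster with replication"
  imageName: "$POSTGRES_IMAGE"
  instances: $INSTANCES
  primaryUpdateStrategy: unsupervised
  postgresql:
    parameters:
      max_connections: "$MAX_CONNECTIONS"
      shared_buffers: "$SHARED_BUFFERS"
      pg_stat_statements.max: "10000"
      pg_stat_statements.track: "all"
      auto_explain.log_min_duration: "10s"
    pg_hba:
      # md5 is kept for client compatibility; scram-sha-256 is the stronger
      # method if every client in this CIDR supports it.
      - host all all 10.128.0.0/16 md5
  bootstrap:
    initdb:
      database: "$DB_NAME"
      owner: "$DB_APP_USER"
      secret:
        name: "$SECRET_USER_NAME"
  # Firezone only needs DB_APP_USER; consider disabling superuser access once
  # no administrative task depends on it.
  enableSuperuserAccess: true
  superuserSecret:
    name: "$SECRET_SUPERUSER_NAME"
  storage:
    storageClass: "$STORAGE_CLASS"
    size: "$STORAGE_SIZE"
  resources:
    requests:
      memory: "512Mi"
      cpu: "1"
  affinity:
    enablePodAntiAffinity: true
    # failure-domain.beta.kubernetes.io/zone is the deprecated spelling of
    # topology.kubernetes.io/zone; kept because node labels may still use it.
    topologyKey: failure-domain.beta.kubernetes.io/zone
EOF
log "CloudNativePG Cluster '$CLUSTER_NAME' created (or recreated)."

# Wait for the operator to report the cluster Ready instead of a blind sleep.
log "Waiting for CloudNativePG cluster '$CLUSTER_NAME' to become Ready..."
if ! oc wait "$CLUSTER_RESOURCE/$CLUSTER_NAME" -n "$NAMESPACE" \
    --for=condition=Ready --timeout="${WAIT_TIMEOUT_SECONDS}s"; then
  # Older operator releases may not publish a Ready condition; fall back to
  # the fixed pause the script used before rather than aborting.
  log "warning: 'oc wait' did not observe condition Ready; pausing 30s instead."
  sleep 30
fi

#######################################################################
### 4) UPDATE FIREZONE SECRETS WITH THE SAME DB CREDENTIALS
#######################################################################
log "Updating Firezone secrets with matching DB credentials..."
# Firezone (or your application) uses this secret to connect to the database.
# No --type: the original secret was a plain Opaque secret.
apply_credentials_secret "$SECRET_FIREZONE" "" "$DB_APP_USER" "$DB_APP_PASSWORD"
log "Firezone secrets updated with DB credentials."

#######################################################################
### 5) FINAL MESSAGE
#######################################################################
printf 'Done!\n- Secrets %s and %s created/updated for CloudNativePG.\n- CloudNativePG Cluster %s was (re)created, triggering initdb (database: %s).\n- Firezone secret %s updated with DB credentials.\n' \
  "'$SECRET_USER_NAME'" "'$SECRET_SUPERUSER_NAME'" "'$CLUSTER_NAME'" "'$DB_NAME'" "'$SECRET_FIREZONE'"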