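#!/usr/bin/env bash
#
# Bootstrap a CloudNativePG PostgreSQL cluster for Firezone.
#
# What this script does:
#   1. Creates/updates the basic-auth Secrets that CloudNativePG reads during
#      the initdb bootstrap (application user and Postgres superuser).
#   2. Deletes any existing Cluster CR of the same name and applies a fresh
#      one, so that the initdb bootstrap runs again.
#   3. Creates/updates the Secret that Firezone reads its DB credentials from.
#
# NOTE: step 2 is destructive. Deleting the Cluster CR removes the running
# database, and passwords are regenerated on every run unless supplied via
# the environment. Run it only when a re-initialization is intended.
#
# Usage: ./bootstrap-firezone-db.sh
# Every setting in section 1 can be overridden by an environment variable of
# the same name, e.g. `NAMESPACE=other STORAGE_CLASS=gp3 ./bootstrap-firezone-db.sh`.
#
set -euo pipefail

#######################################################################
### 0) HELPERS
#######################################################################

#######################################
# Print an error message to stderr and exit non-zero.
# Arguments: $* - message
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Abort unless every named command is available on PATH.
# Arguments: $@ - command names
#######################################
require_cmds() {
  local cmd
  for cmd in "$@"; do
    command -v "$cmd" >/dev/null 2>&1 || die "required command not found: $cmd"
  done
}

#######################################
# Create or update a Secret holding a username/password pair.
# The manifest is built in-process and piped to `oc apply`, so the password
# never appears on a command line where `ps` or `set -x` could expose it.
# Globals:   NAMESPACE (read)
# Arguments: $1 - secret name
#            $2 - secret type (kubernetes.io/basic-auth or Opaque)
#            $3 - username
#            $4 - password
# Returns:   exit status of `oc apply`
#######################################
apply_credential_secret() {
  local name=$1 type=$2 user=$3 pass=$4
  local user_b64 pass_b64
  # base64 keeps arbitrary characters out of the YAML; tr strips the line
  # wrapping that GNU base64 adds by default.
  user_b64=$(printf '%s' "$user" | base64 | tr -d '\n')
  pass_b64=$(printf '%s' "$pass" | base64 | tr -d '\n')
  oc -n "$NAMESPACE" apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: $type
data:
  username: $user_b64
  password: $pass_b64
EOF
}

#######################################
# Test whether the CloudNativePG Cluster CR currently exists.
# The fully qualified resource name avoids ambiguity with other CRDs that
# also use the short name "cluster".
# Globals:   NAMESPACE, CLUSTER_RESOURCE, CLUSTER_NAME (read)
# Returns:   0 if the CR exists, non-zero otherwise
#######################################
cluster_exists() {
  oc -n "$NAMESPACE" get "$CLUSTER_RESOURCE" "$CLUSTER_NAME" >/dev/null 2>&1
}

#######################################################################
### 1) CONFIGURATION
#######################################################################

require_cmds oc openssl base64 tr

# Namespace and resource names
NAMESPACE="${NAMESPACE:-firezone}"                          # Namespace where everything lives
CLUSTER_NAME="${CLUSTER_NAME:-cluster-firezone}"            # CloudNativePG Cluster CR name
CLUSTER_RESOURCE="clusters.postgresql.cnpg.io"              # Fully qualified CRD name
SECRET_USER_NAME="${SECRET_USER_NAME:-firezone}"            # Secret for the normal DB user (used in bootstrap)
SECRET_SUPERUSER_NAME="${SECRET_SUPERUSER_NAME:-izadmin}"   # Secret for the Postgres superuser
SECRET_FIREZONE="${SECRET_FIREZONE:-firezone-database}"     # Secret that Firezone will use

# CloudNativePG cluster settings
POSTGRES_IMAGE="${POSTGRES_IMAGE:-ghcr.io/cloudnative-pg/postgresql:16.2}"
STORAGE_CLASS="${STORAGE_CLASS:-ceph-block}"
STORAGE_SIZE="${STORAGE_SIZE:-20Gi}"
# Zone label used for pod anti-affinity. The older
# failure-domain.beta.kubernetes.io/zone label is deprecated; set TOPOLOGY_KEY
# to it if your nodes still carry only that label.
TOPOLOGY_KEY="${TOPOLOGY_KEY:-topology.kubernetes.io/zone}"

# Client access (pg_hba). The CIDR must cover the network Firezone's pods
# connect from. scram-sha-256 is the current recommended password method;
# set PG_HBA_AUTH_METHOD=md5 to restore the previous behaviour.
PG_HBA_SOURCE_CIDR="${PG_HBA_SOURCE_CIDR:-10.128.0.0/16}"
PG_HBA_AUTH_METHOD="${PG_HBA_AUTH_METHOD:-scram-sha-256}"

# Database credentials and names
# IMPORTANT: Firezone is trying to connect to a database named "firebase"
# so we set DB_NAME to "firebase" here. If you prefer a different name,
# you must update Firezone's configuration accordingly.
DB_NAME="${DB_NAME:-firebase}"            # The database to be created by initdb
DB_APP_USER="${DB_APP_USER:-firezone}"    # The owner (normal DB user) for the database
DB_SUPERUSER="${DB_SUPERUSER:-postgres}"  # Typical Postgres superuser name

# Additional PostgreSQL parameters
MAX_CONNECTIONS="${MAX_CONNECTIONS:-200}"
SHARED_BUFFERS="${SHARED_BUFFERS:-256MB}"

# How long to wait for the old cluster to disappear and the new one to be Ready.
DELETE_TIMEOUT_SECONDS="${DELETE_TIMEOUT_SECONDS:-600}"
READY_TIMEOUT="${READY_TIMEOUT:-15m}"

# Generate random passwords (set the variables in the environment for fixed ones).
DB_APP_PASSWORD="${DB_APP_PASSWORD:-$(openssl rand -hex 16)}"
DB_SUPERUSER_PASSWORD="${DB_SUPERUSER_PASSWORD:-$(openssl rand -hex 16)}"

readonly NAMESPACE CLUSTER_NAME CLUSTER_RESOURCE SECRET_USER_NAME \
  SECRET_SUPERUSER_NAME SECRET_FIREZONE POSTGRES_IMAGE STORAGE_CLASS \
  STORAGE_SIZE TOPOLOGY_KEY PG_HBA_SOURCE_CIDR PG_HBA_AUTH_METHOD DB_NAME \
  DB_APP_USER DB_SUPERUSER MAX_CONNECTIONS SHARED_BUFFERS \
  DELETE_TIMEOUT_SECONDS READY_TIMEOUT DB_APP_PASSWORD DB_SUPERUSER_PASSWORD

#######################################
# Run the bootstrap end to end (sections 2-5).
# Globals:   all configuration variables above (read)
# Returns:   0 on success; exits non-zero via die/set -e on failure
#######################################
main() {
  #####################################################################
  ### 2) CREATE/UPDATE SECRETS FOR CLOUDNATIVE-PG
  #####################################################################
  printf 'Creating/updating secrets for CloudNativePG...\n'

  # Secret for the normal DB user (used during initdb bootstrap)
  apply_credential_secret "$SECRET_USER_NAME" kubernetes.io/basic-auth \
    "$DB_APP_USER" "$DB_APP_PASSWORD"

  # Secret for the Postgres superuser
  apply_credential_secret "$SECRET_SUPERUSER_NAME" kubernetes.io/basic-auth \
    "$DB_SUPERUSER" "$DB_SUPERUSER_PASSWORD"

  printf 'Secrets for CloudNativePG created/updated.\n'

  #####################################################################
  ### 3) HANDLE THE CLOUDNATIVE-PG CLUSTER CR (FOR INITDB)
  #####################################################################
  # The bootstrap (initdb) phase only runs when the cluster is first created.
  # To force a re-initialization with the new settings, delete any existing
  # cluster. This discards the existing database.
  if cluster_exists; then
    printf "CloudNativePG Cluster '%s' already exists.\n" "$CLUSTER_NAME"
    printf 'Deleting the existing cluster to force re-initialization (initdb)...\n'
    oc -n "$NAMESPACE" delete "$CLUSTER_RESOURCE" "$CLUSTER_NAME"

    # `oc delete` normally blocks until the object is gone; poll as a safety
    # net, but give up instead of hanging forever on a stuck finalizer.
    printf "Waiting for cluster '%s' to be deleted...\n" "$CLUSTER_NAME"
    local waited=0
    while cluster_exists; do
      if (( waited >= DELETE_TIMEOUT_SECONDS )); then
        die "cluster '$CLUSTER_NAME' still present after ${DELETE_TIMEOUT_SECONDS}s"
      fi
      sleep 5
      waited=$((waited + 5))
    done
    printf 'Existing cluster deleted.\n'
  fi

  printf "Creating CloudNativePG Cluster '%s' with initdb bootstrap...\n" "$CLUSTER_NAME"
  # enableSuperuserAccess exposes the superuser password through the
  # superuserSecret; consider turning it off once it is no longer needed.
  oc -n "$NAMESPACE" apply -f - <<EOF
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: $CLUSTER_NAME
spec:
  description: "PostgreSQL cluster with replication"
  imageName: "$POSTGRES_IMAGE"
  instances: 3
  primaryUpdateStrategy: unsupervised
  postgresql:
    parameters:
      max_connections: "$MAX_CONNECTIONS"
      shared_buffers: "$SHARED_BUFFERS"
      pg_stat_statements.max: "10000"
      pg_stat_statements.track: "all"
      auto_explain.log_min_duration: "10s"
    pg_hba:
      - host all all $PG_HBA_SOURCE_CIDR $PG_HBA_AUTH_METHOD
  bootstrap:
    initdb:
      database: "$DB_NAME"
      owner: "$DB_APP_USER"
      secret:
        name: "$SECRET_USER_NAME"
  enableSuperuserAccess: true
  superuserSecret:
    name: "$SECRET_SUPERUSER_NAME"
  storage:
    storageClass: "$STORAGE_CLASS"
    size: "$STORAGE_SIZE"
  resources:
    requests:
      memory: "512Mi"
      cpu: "1"
  affinity:
    enablePodAntiAffinity: true
    topologyKey: $TOPOLOGY_KEY
EOF

  printf "CloudNativePG Cluster '%s' created (or re-created).\n" "$CLUSTER_NAME"
  printf 'Waiting for CloudNativePG cluster to initialize (this may take a while)...\n'
  # Wait on the Cluster's Ready condition instead of a fixed sleep. A timeout
  # is reported but does not abort, so the Firezone secret is still written.
  if ! oc -n "$NAMESPACE" wait --for=condition=Ready \
      "$CLUSTER_RESOURCE/$CLUSTER_NAME" --timeout="$READY_TIMEOUT"; then
    printf "warning: cluster '%s' not Ready after %s; continuing anyway\n" \
      "$CLUSTER_NAME" "$READY_TIMEOUT" >&2
  fi

  #####################################################################
  ### 4) UPDATE FIREZONE SECRETS WITH THE SAME DB CREDENTIALS
  #####################################################################
  printf 'Updating Firezone secrets with matching DB credentials...\n'

  # Firezone uses these credentials to connect to the database.
  apply_credential_secret "$SECRET_FIREZONE" Opaque \
    "$DB_APP_USER" "$DB_APP_PASSWORD"

  printf 'Firezone secrets updated with DB credentials.\n'

  #####################################################################
  ### 5) FINAL MESSAGE
  #####################################################################
  printf '%s\n' \
    "Done!" \
    "- Secrets '$SECRET_USER_NAME' and '$SECRET_SUPERUSER_NAME' created/updated for CloudNativePG." \
    "- CloudNativePG Cluster '$CLUSTER_NAME' was (re-)created, triggering initdb (database: '$DB_NAME')." \
    "- Firezone secret '$SECRET_FIREZONE' updated with DB credentials."
}

main "$@"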