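#!/usr/bin/env bash
#
# gen-cnpg-and-firezone-new.sh
#
# Provision a CloudNativePG (CNPG) PostgreSQL cluster for Firezone on
# OpenShift/OKD and hand CNPG's initdb bootstrap and Firezone the SAME
# database credentials through Secrets.
#
# Steps:
#   1) configuration (every value can be overridden from the environment)
#   2) create/update the CNPG credential Secrets (app user + superuser)
#   3) (re)create the CNPG Cluster CR so that bootstrap.initdb runs
#   4) create/update the Secret Firezone reads its DB credentials from
#   5) summary
#
# WARNING: step 3 DELETES an existing Cluster CR with the configured name,
# and with it the database, before recreating it. CNPG only runs
# bootstrap.initdb when a cluster is first created, so deleting the CR is
# the only way to get a changed initdb spec applied.
#
# Requirements: `oc` logged in with rights in NAMESPACE, and `openssl`.
# Passwords are generated with openssl unless supplied; they are passed to
# `oc` as files in a private temp dir, never as command-line arguments.
set -euo pipefail

#######################################################################
### 1) CONFIGURATION
#######################################################################
# Defaults are the original hard-coded values; override from the
# environment, e.g.  NAMESPACE=fz-staging STORAGE_SIZE=50Gi ./gen-cnpg-and-firezone-new.sh
NAMESPACE="${NAMESPACE:-firezone}"                         # Namespace everything lives in.
CLUSTER_NAME="${CLUSTER_NAME:-cluster-firezone}"           # Name of the CNPG Cluster CR.
SECRET_USER_NAME="${SECRET_USER_NAME:-firezone}"           # Secret for the normal DB user.
SECRET_SUPERUSER_NAME="${SECRET_SUPERUSER_NAME:-izadmin}"  # Secret for the Postgres superuser.
SECRET_FIREZONE="${SECRET_FIREZONE:-firezone-database}"    # Secret that Firezone will use.

# CloudNativePG cluster settings.
POSTGRES_IMAGE="${POSTGRES_IMAGE:-ghcr.io/cloudnative-pg/postgresql:16.2}"
STORAGE_CLASS="${STORAGE_CLASS:-ceph-block}"
STORAGE_SIZE="${STORAGE_SIZE:-20Gi}"

# Database and Firezone credentials.
DB_NAME="${DB_NAME:-firezone}"            # Database created by initdb; Firezone expects this name.
DB_APP_USER="${DB_APP_USER:-firezone}"    # Database owner (normal DB user).
DB_SUPERUSER="${DB_SUPERUSER:-postgres}"  # The usual Postgres superuser name.

# Additional PostgreSQL parameters.
MAX_CONNECTIONS="${MAX_CONNECTIONS:-200}"
SHARED_BUFFERS="${SHARED_BUFFERS:-256MB}"

# Timeouts in seconds: how long to wait for the old CR to disappear and for
# the new cluster to report Ready.
DELETE_TIMEOUT="${DELETE_TIMEOUT:-600}"
READY_TIMEOUT="${READY_TIMEOUT:-600}"

# Passwords. Empty means "generate a random one" (done in main, after the
# preflight checks). Set DB_APP_PASSWORD / DB_SUPERUSER_PASSWORD in the
# environment for fixed values. NOTE: with random passwords every run
# rotates both credentials.
DB_APP_PASSWORD="${DB_APP_PASSWORD:-}"
DB_SUPERUSER_PASSWORD="${DB_SUPERUSER_PASSWORD:-}"

# Private temp dir for credential files; created in main, removed by cleanup.
WORKDIR=""

#######################################################################
### HELPERS
#######################################################################

# Progress messages go to stdout, like the original echo calls.
log() { printf '%s\n' "$*"; }

# Fatal error: message to stderr, exit 1.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# EXIT trap: remove the credential files. ${WORKDIR:?} makes `rm -rf`
# refuse to run if the variable were ever empty.
cleanup() {
  if [[ -n "$WORKDIR" ]]; then
    rm -rf -- "${WORKDIR:?}"
  fi
}

#######################################
# Verify tools, login and namespace BEFORE anything is modified, so a
# misconfiguration fails fast rather than halfway through a destructive run.
# Globals:   NAMESPACE (read)
# Returns:   0, or exits via die
#######################################
preflight() {
  local tool
  for tool in oc openssl; do
    command -v "$tool" >/dev/null 2>&1 || die "required tool '$tool' not found in PATH"
  done
  oc whoami >/dev/null 2>&1 || die "not logged in to a cluster (oc whoami failed)"
  oc get namespace "$NAMESPACE" >/dev/null 2>&1 \
    || die "namespace '$NAMESPACE' does not exist or is not accessible"
}

#######################################
# Create or update a Secret holding a username and password.
# The values are passed to `oc` with --from-file instead of --from-literal
# so the password never appears in process arguments (visible in ps, shell
# traces and audit logs).
# Globals:   NAMESPACE, WORKDIR (read)
# Arguments: $1 - Secret name
#            $2 - username
#            $3 - password
#            $4 - Secret type, optional (empty => Opaque, as for the Firezone secret)
# Returns:   non-zero if oc fails (aborts the script under set -e)
#######################################
apply_credential_secret() {
  local name=$1 user=$2 password=$3 type=${4:-}
  local dir="$WORKDIR/$name"
  local -a extra=()
  if [[ -n "$type" ]]; then
    extra=(--type="$type")
  fi
  # WORKDIR is 0700 (mktemp -d); umask 077 makes the files themselves 0600.
  ( umask 077
    mkdir -p -- "$dir"
    printf '%s' "$user" >"$dir/username"
    printf '%s' "$password" >"$dir/password" )
  # ${extra[@]+"${extra[@]}"} expands to nothing when the array is empty,
  # which keeps `set -u` happy on bash < 4.4.
  oc -n "$NAMESPACE" create secret generic "$name" ${extra[@]+"${extra[@]}"} \
    --from-file=username="$dir/username" \
    --from-file=password="$dir/password" \
    --dry-run=client -o yaml | oc -n "$NAMESPACE" apply -f -
}

# True if the CNPG Cluster CR currently exists.
# Globals: NAMESPACE, CLUSTER_NAME (read)
cluster_exists() {
  oc -n "$NAMESPACE" get cluster "$CLUSTER_NAME" >/dev/null 2>&1
}

#######################################
# Delete the existing Cluster CR and block until it is gone (DATA LOSS).
# Unlike an unbounded poll, this gives up after DELETE_TIMEOUT seconds so a
# stuck finalizer cannot hang the script forever.
# Globals:   NAMESPACE, CLUSTER_NAME, DELETE_TIMEOUT (read)
# Returns:   0, or exits via die on timeout
#######################################
delete_cluster() {
  local deadline=$(( SECONDS + DELETE_TIMEOUT ))
  oc -n "$NAMESPACE" delete cluster "$CLUSTER_NAME"
  log "Waiting for cluster '$CLUSTER_NAME' to be deleted..."
  while cluster_exists; do
    (( SECONDS < deadline )) \
      || die "cluster '$CLUSTER_NAME' still present after ${DELETE_TIMEOUT}s; check its finalizers"
    sleep 5
  done
  log "Existing cluster deleted."
}

#######################################
# Apply the CNPG Cluster CR with an initdb bootstrap.
# Globals:   all section-1 settings (read)
# Returns:   non-zero if oc apply fails
#######################################
create_cluster() {
  log "Creating CloudNativePG Cluster '$CLUSTER_NAME' with initdb bootstrap..."
  # The YAML is indented for real here; the flattened original would not
  # parse as a valid Cluster manifest.
  oc -n "$NAMESPACE" apply -f - <<EOF
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: $CLUSTER_NAME
spec:
  description: "PostgreSQL cluster with replication"
  imageName: "$POSTGRES_IMAGE"
  instances: 3
  primaryUpdateStrategy: unsupervised
  postgresql:
    parameters:
      max_connections: "$MAX_CONNECTIONS"
      shared_buffers: "$SHARED_BUFFERS"
      pg_stat_statements.max: "10000"
      pg_stat_statements.track: "all"
      auto_explain.log_min_duration: "10s"
    # Allows password auth from the pod network only. PostgreSQL 16 stores
    # passwords as SCRAM by default, so "md5" here still negotiates SCRAM;
    # "scram-sha-256" states that intent explicitly once all clients support it.
    pg_hba:
      - host all all 10.128.0.0/16 md5
  bootstrap:
    initdb:
      database: "$DB_NAME"
      owner: "$DB_APP_USER"
      secret:
        name: "$SECRET_USER_NAME"
  # Superuser access is needed so the superuserSecret above is honoured;
  # consider turning it off again once the cluster no longer needs it.
  enableSuperuserAccess: true
  superuserSecret:
    name: "$SECRET_SUPERUSER_NAME"
  storage:
    storageClass: "$STORAGE_CLASS"
    size: "$STORAGE_SIZE"
  resources:
    requests:
      memory: "512Mi"
      cpu: "1"
  affinity:
    enablePodAntiAffinity: true
    # failure-domain.beta.kubernetes.io/zone is the deprecated spelling of
    # topology.kubernetes.io/zone; kept as in the original.
    topologyKey: failure-domain.beta.kubernetes.io/zone
EOF
  log "CloudNativePG Cluster '$CLUSTER_NAME' created (or recreated)."
}

#######################################
# Wait for the new cluster to report Ready instead of sleeping a fixed
# 30 seconds. Best effort: a timeout is reported but does not abort, because
# the Firezone secret should still be written.
# Globals:   NAMESPACE, CLUSTER_NAME, READY_TIMEOUT (read)
#######################################
wait_for_cluster_ready() {
  log "Waiting for CloudNativePG cluster to initialize..."
  if ! oc -n "$NAMESPACE" wait --for=condition=Ready "cluster/$CLUSTER_NAME" \
      --timeout="${READY_TIMEOUT}s"; then
    log "warning: cluster '$CLUSTER_NAME' not Ready after ${READY_TIMEOUT}s; continuing." \
        "Inspect it with: oc -n $NAMESPACE get cluster $CLUSTER_NAME"
  fi
}

# Final report for the operator.
summary() {
  cat <<EOF
Done!
- Secrets '$SECRET_USER_NAME' and '$SECRET_SUPERUSER_NAME' created/updated for CloudNativePG.
- CloudNativePG Cluster '$CLUSTER_NAME' was (re)created, triggering initdb (database: '$DB_NAME').
- Firezone secret '$SECRET_FIREZONE' updated with DB credentials.
  If Firezone consumes that secret as environment variables, restart its pods
  so they pick up the new password.
EOF
}

#######################################
# Entry point: runs sections 2-5 in order.
#######################################
main() {
  preflight

  # Random passwords: 16 bytes (128 bits) rendered as 32 hex characters.
  [[ -n "$DB_APP_PASSWORD" ]] || DB_APP_PASSWORD=$(openssl rand -hex 16)
  [[ -n "$DB_SUPERUSER_PASSWORD" ]] || DB_SUPERUSER_PASSWORD=$(openssl rand -hex 16)

  WORKDIR=$(mktemp -d) || die "mktemp failed"
  trap cleanup EXIT

  #####################################################################
  ### 2) CREATE/UPDATE SECRETS FOR CLOUDNATIVE-PG
  #####################################################################
  log "Creating/updating secrets for CloudNativePG..."
  # Secret for the normal DB user (used during initdb bootstrap).
  apply_credential_secret "$SECRET_USER_NAME" "$DB_APP_USER" "$DB_APP_PASSWORD" \
    kubernetes.io/basic-auth
  # Secret for the Postgres superuser.
  apply_credential_secret "$SECRET_SUPERUSER_NAME" "$DB_SUPERUSER" "$DB_SUPERUSER_PASSWORD" \
    kubernetes.io/basic-auth
  log "Secrets for CloudNativePG created/updated."

  #####################################################################
  ### 3) HANDLE THE CLOUDNATIVE-PG CLUSTER CR (INITDB)
  #####################################################################
  # bootstrap.initdb only runs when the cluster is first created; an existing
  # CR is therefore deleted (destroying its data) and recreated.
  if cluster_exists; then
    log "CloudNativePG Cluster '$CLUSTER_NAME' already exists."
    log "Deleting the existing cluster to force reinitialization (initdb)..."
    delete_cluster
  fi
  create_cluster
  wait_for_cluster_ready

  #####################################################################
  ### 4) UPDATE FIREZONE SECRETS WITH THE SAME DB CREDENTIALS
  #####################################################################
  log "Updating Firezone secrets with matching DB credentials..."
  # Firezone (or your application) uses this secret to connect to the database.
  apply_credential_secret "$SECRET_FIREZONE" "$DB_APP_USER" "$DB_APP_PASSWORD"
  log "Firezone secrets updated with DB credentials."

  #####################################################################
  ### 5) FINAL MESSAGE
  #####################################################################
  summary
}

main "$@"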