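#!/usr/bin/env bash
#
# Script: gen-cnpg-and-firezone.sh
#
# Purpose:
#   1) Generate (or reuse) credentials for a CloudNativePG cluster (app user + superuser)
#   2) Create/update the Postgres Cluster CR in the same namespace
#   3) Update the Firezone database Secret with the same DB credentials
#   4) Keep everything consistent for Firezone + CloudNativePG on OpenShift
#
# Requirements:
#   - `oc` logged in with permission to manage Secrets and postgresql.cnpg.io
#     Clusters in $NAMESPACE
#   - `openssl` (random password generation)
#
# Re-running is safe: a password already stored in a Secret is reused, so a
# second run does not rotate the credentials of a live cluster. Export
# DB_APP_PASSWORD and/or DB_SUPERUSER_PASSWORD to force specific values.
#
# Passwords are handed to `oc` on stdin, never on the command line, so they do
# not show up in `ps` output or in shell traces (set -x).

set -euo pipefail

#######################################################################
### 1) CONFIGURATION
#######################################################################

# Change these to your desired values
readonly NAMESPACE="firezone"                # The namespace where everything will live
readonly CLUSTER_NAME="cluster-firezone"     # The name for the CloudNativePG Cluster CR
readonly SECRET_USER_NAME="firezone"         # The name of the Secret for the normal DB user
readonly SECRET_SUPERUSER_NAME="izadmin"     # The name of the Secret for the Postgres superuser
readonly SECRET_FIREZONE="firezone-database" # The name of the Secret that Firezone will use

# CloudNativePG cluster settings
readonly POSTGRES_IMAGE="ghcr.io/cloudnative-pg/postgresql:16.2"
readonly STORAGE_CLASS="ceph-block"
readonly STORAGE_SIZE="20Gi"
readonly INSTANCES="3" # Number of Postgres instances (primary + replicas)

# Firezone expects certain DB credentials.
# They are stored under the keys "username" and "password" in the
# $SECRET_FIREZONE Secret (see section 4).
readonly DB_NAME="firezone"
readonly DB_APP_USER="firezone"  # The owner of the DB
readonly DB_SUPERUSER="postgres" # Typical Postgres superuser name

# Additional Postgres parameters
readonly MAX_CONNECTIONS="200"
readonly SHARED_BUFFERS="256MB"

#######################################################################
### HELPERS
#######################################################################

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Abort unless a command is available on PATH.
# Arguments: $1 - command name
#######################################
require_cmd() {
  command -v "$1" >/dev/null 2>&1 || die "required command not found: $1"
}

#######################################
# Print the password stored in an existing Secret, or nothing when the
# Secret does not exist yet (the normal first-run case).
# Globals:   NAMESPACE (read)
# Arguments: $1 - Secret name
# Outputs:   decoded value of .data.password on stdout (possibly empty)
# Returns:   always 0, so it can be used inside $(...) under set -e
#######################################
existing_secret_password() {
  local name=$1
  # Existence check first so a missing Secret does not print a NotFound error.
  oc -n "$NAMESPACE" get secret "$name" >/dev/null 2>&1 || return 0
  # base64decode is a built-in go-template function of kubectl/oc; using it
  # avoids depending on a base64 binary whose decode flag differs per platform.
  # "|| true": a Secret without a password key is treated as "no password".
  oc -n "$NAMESPACE" get secret "$name" \
    -o go-template='{{ index .data "password" | base64decode }}' 2>/dev/null || true
}

#######################################
# Create or update a Secret holding a username and a password.
# The password is fed to `oc` via stdin (--from-file=password=/dev/stdin)
# instead of --from-literal so it is never part of a process argument list.
# Globals:   NAMESPACE (read)
# Arguments: $1 - Secret name
#            $2 - username
#            $3 - password
#            $4 - Secret type (optional; the flag is omitted when empty)
# Outputs:   `oc apply` result on stdout
# Returns:   non-zero if either oc invocation fails (pipefail)
#######################################
apply_credentials_secret() {
  local name=$1 username=$2 password=$3 type=${4:-}
  local -a args=(
    -n "$NAMESPACE" create secret generic "$name"
    --from-literal=username="$username"
    --from-file=password=/dev/stdin
    --dry-run=client -o yaml
  )
  if [[ -n "$type" ]]; then
    args+=(--type="$type")
  fi
  # printf '%s' writes no trailing newline, matching what --from-literal stored.
  printf '%s' "$password" | oc "${args[@]}" | oc apply -f -
}

#######################################
# Create or update the CloudNativePG Cluster CR.
# Globals:   NAMESPACE, CLUSTER_NAME, POSTGRES_IMAGE, INSTANCES,
#            MAX_CONNECTIONS, SHARED_BUFFERS, DB_NAME, DB_APP_USER,
#            SECRET_USER_NAME, SECRET_SUPERUSER_NAME, STORAGE_CLASS,
#            STORAGE_SIZE (read)
# Outputs:   `oc apply` result on stdout
#######################################
apply_cluster_cr() {
  oc -n "$NAMESPACE" apply -f - <<EOF
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: ${CLUSTER_NAME}
spec:
  description: "PostgreSQL cluster with replication"
  imageName: "${POSTGRES_IMAGE}"
  instances: ${INSTANCES}
  primaryUpdateStrategy: unsupervised
  postgresql:
    parameters:
      max_connections: "${MAX_CONNECTIONS}"
      shared_buffers: "${SHARED_BUFFERS}"
      pg_stat_statements.max: "10000"
      pg_stat_statements.track: "all"
      auto_explain.log_min_duration: "10s"
    # NOTE(review): the CIDR and the md5 method are kept as originally
    # written. Confirm 10.128.0.0/16 covers this cluster's pod network, and
    # consider scram-sha-256, the stronger password method PostgreSQL 16
    # supports, if all clients can use it.
    pg_hba:
      - host all all 10.128.0.0/16 md5
  bootstrap:
    initdb:
      database: "${DB_NAME}"
      owner: "${DB_APP_USER}"
      secret:
        name: "${SECRET_USER_NAME}"
  # Superuser access is enabled explicitly so the superuserSecret below is used.
  enableSuperuserAccess: true
  superuserSecret:
    name: "${SECRET_SUPERUSER_NAME}"
  storage:
    storageClass: "${STORAGE_CLASS}"
    size: "${STORAGE_SIZE}"
  resources:
    requests:
      memory: "512Mi"
      cpu: "1"
  affinity:
    enablePodAntiAffinity: true
    # NOTE(review): failure-domain.beta.kubernetes.io/zone is the legacy zone
    # label; newer clusters label nodes with topology.kubernetes.io/zone.
    # Check your node labels before relying on anti-affinity here.
    topologyKey: failure-domain.beta.kubernetes.io/zone
EOF
}

#######################################
# Entry point: resolve passwords, then run steps 2-4.
# Globals:   DB_APP_PASSWORD, DB_SUPERUSER_PASSWORD (read, optional overrides)
#            plus the configuration constants above
#######################################
main() {
  require_cmd oc
  require_cmd openssl

  # Password precedence: explicit environment value > value already stored in
  # the Secret (keeps re-runs from rotating live credentials) > fresh random.
  local app_password superuser_password
  app_password=${DB_APP_PASSWORD:-$(existing_secret_password "$SECRET_USER_NAME")}
  app_password=${app_password:-$(openssl rand -hex 16)}
  superuser_password=${DB_SUPERUSER_PASSWORD:-$(existing_secret_password "$SECRET_SUPERUSER_NAME")}
  superuser_password=${superuser_password:-$(openssl rand -hex 16)}

  #####################################################################
  ### 2) CREATE/UPDATE SECRETS FOR CLOUDNATIVE-PG
  #####################################################################

  printf '%s\n' "Creating/updating secrets for CloudNativePG..."

  # 2.1 cluster-app-user (normal DB user)
  apply_credentials_secret "$SECRET_USER_NAME" "$DB_APP_USER" "$app_password" kubernetes.io/basic-auth

  # 2.2 cluster-superuser
  apply_credentials_secret "$SECRET_SUPERUSER_NAME" "$DB_SUPERUSER" "$superuser_password" kubernetes.io/basic-auth

  printf '%s\n' "Secrets for CloudNativePG created/updated."

  #####################################################################
  ### 3) CREATE/UPDATE THE CLOUDNATIVE-PG CLUSTER CR
  #####################################################################

  printf '%s\n' "Creating/updating CloudNativePG Cluster '${CLUSTER_NAME}'..."
  apply_cluster_cr
  printf '%s\n' "CloudNativePG Cluster '${CLUSTER_NAME}' is created/updated."

  #####################################################################
  ### 4) CREATE/UPDATE THE FIREZONE SECRETS WITH THE SAME DB CREDENTIALS
  #####################################################################

  printf '%s\n' "Updating Firezone secrets with matching DB credentials..."

  # Firezone reads the "username" and "password" keys of this Secret.
  # If you also want random keys/secrets for SECRET_KEY_BASE, etc.,
  # you can combine this with your existing Firezone secret generation approach.
  # NOTE(review): if a password was forced to a new value via the environment,
  # the Firezone pods presumably need a restart to pick it up -- confirm with
  # your deployment.
  apply_credentials_secret "$SECRET_FIREZONE" "$DB_APP_USER" "$app_password"

  printf '%s\n' "Firezone secrets updated with DB credentials."

  printf '%s\n' \
    "Done!" \
    "- Secrets '${SECRET_USER_NAME}' and '${SECRET_SUPERUSER_NAME}' created for CloudNativePG." \
    "- Cluster '${CLUSTER_NAME}' created/updated." \
    "- Firezone secrets '${SECRET_FIREZONE}' updated with DB credentials (username/password)."
}

main "$@"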