@sysnee/pgs 0.1.0

package/manager.js

@@ -0,0 +1,510 @@
+#!/usr/bin/env node
+
+import fs, { readFileSync } from 'fs';
+import path from 'path';
+import yaml from 'js-yaml';
+import { Command } from 'commander';
+import { execSync } from 'child_process';
+import generateRandomPassword from '../common/helpers/password-generator.js';
+
+const COMPOSE_FILE = path.join(process.cwd(), 'docker-compose.yml');
+const INIT_DIR = path.join(process.cwd(), 'init');
+const HAPROXY_CFG = path.join(process.cwd(), 'haproxy.cfg');
+const TENANT_ACCESS_FILE = path.join(process.cwd(), 'tenant-access.json');
+
+function loadCompose() {
+    if (!fs.existsSync(COMPOSE_FILE)) {
+        throw new Error('docker-compose.yml not found');
+    }
+    const content = fs.readFileSync(COMPOSE_FILE, 'utf8');
+    return yaml.load(content);
+}
+
+function saveCompose(doc) {
+    const content = yaml.dump(doc, { indent: 2, lineWidth: -1 });
+    fs.writeFileSync(COMPOSE_FILE, content);
+}
+
+// ==================== Tenant Access Management ====================
+
+function loadTenantAccess() {
+    if (!fs.existsSync(TENANT_ACCESS_FILE)) {
+        fs.writeFileSync(TENANT_ACCESS_FILE, '{}');
+    }
+    const content = fs.readFileSync(TENANT_ACCESS_FILE, 'utf8');
+    return JSON.parse(content) || {};
+}
+
+function saveTenantAccess(access) {
+    const content = JSON.stringify(access, null, 2);
+    fs.writeFileSync(TENANT_ACCESS_FILE, content);
+}
+
+function setTenantAccess(tenantId, enabled) {
+    const access = loadTenantAccess();
+    access[tenantId] = enabled;
+    saveTenantAccess(access);
+}
+
+function removeTenantAccess(tenantId) {
+    const access = loadTenantAccess();
+    delete access[tenantId];
+    saveTenantAccess(access);
+}
+
+// ==================== HAProxy Configuration ====================
+
+function generateHAProxyConfig() {
+    const doc = loadCompose();
+
+    // Get all tenant services
+    const tenants = Object.keys(doc.services || {})
+        .filter(name => name.startsWith('pgs_') && name !== 'haproxy');
+
+    // Generate full HAProxy config
+    let config = `global
+    log stdout format raw local0 info
+    maxconn 4096
+    lua-load /etc/haproxy/lua/pg-route.lua
+
+defaults
+    log global
+    mode tcp
+    option tcplog
+    timeout connect 5s
+    timeout client 30s
+    timeout server 30s
+    retries 3
+
+frontend postgres_frontend
+    bind *:5432
+    mode tcp
+    
+    # Use Lua script to parse PostgreSQL startup packet and route by username
+    tcp-request inspect-delay 5s
+    tcp-request content lua.pg_route
+    tcp-request content reject if { var(txn.pg_blocked) -m bool }
+    
+    # Route to backend based on username extracted by Lua
+    use_backend %[var(txn.pg_backend)] if { var(txn.pg_backend) -m found }
+    
+    # Default backend for unknown connections
+    default_backend pg_reject
+
+backend pg_reject
+    mode tcp
+    timeout server 1s
+
+backend pg_ssl_pool
+    mode tcp
+`;
+
+    // Add all tenant backends to SSL pool for SSL negotiation
+    // PostgreSQL will respond 'N' (no SSL) during negotiation, then client retries without SSL
+    if (tenants.length > 0) {
+        for (const serviceName of tenants) {
+            config += `    server ${serviceName}_ssl ${serviceName}:5432 check
+`;
+        }
+        config += `
+`;
+    } else {
+        config += `    # No tenants configured yet
+`;
+    }
+
+    // Generate backend for each tenant
+    for (const serviceName of tenants) {
+        config += `backend ${serviceName}
+    mode tcp
+    server pg1 ${serviceName}:5432 check
+
+`;
+    }
+
+    fs.writeFileSync(HAPROXY_CFG, config);
+}
+
+function updateHAProxyDependsOn() {
+    const doc = loadCompose();
+
+    // Get all tenant services
+    const tenants = Object.keys(doc.services || {})
+        .filter(name => name.startsWith('pgs_') && name !== 'haproxy');
+
+    // Ensure HAProxy service exists
+    if (!doc.services.haproxy) {
+        doc.services.haproxy = {
+            image: 'haproxy:latest',
+            container_name: 'postgres_proxy',
+            ports: ['5432:5432'],
+            volumes: [
+                './haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro',
+                './haproxy-lua:/etc/haproxy/lua:ro',
+                './tenant-access.json:/etc/haproxy/tenant-access.json:ro'
+            ],
+            networks: ['postgres_network'],
+            restart: 'unless-stopped'
+        };
+    }
+
+    // Update depends_on
+    if (tenants.length > 0) {
+        doc.services.haproxy.depends_on = tenants;
+    } else {
+        delete doc.services.haproxy.depends_on;
+    }
+
+    saveCompose(doc);
+
+    // Restart HAProxy
+    executeCommand('sudo docker restart postgres_proxy');
+}
+
+function createInitScript({ tenantId, password, databaseName }) {
+    if (!fs.existsSync(INIT_DIR)) {
+        fs.mkdirSync(INIT_DIR, { recursive: true });
+    }
+
+    const initFile = path.join(INIT_DIR, `init-${tenantId}.sql`);
+    const sql = `CREATE ROLE ${tenantId} WITH LOGIN PASSWORD '${password}' SUPERUSER CREATEDB CREATEROLE;
+    CREATE DATABASE ${databaseName} OWNER ${tenantId};
+    GRANT ALL PRIVILEGES ON DATABASE ${databaseName} TO ${tenantId};
+    `;
+
+    fs.writeFileSync(initFile, sql);
+    return initFile;
+}
+
+const DEFAULT_LIMITS = { cpu: 0.5, memory: 256 };
+
+function createService({ tenantId, password, databaseName, version = '18', limits = DEFAULT_LIMITS }) {
+    const containerName = `pgs_${tenantId}`;
+    const volumeName = `pgdata_${tenantId}`;
+
+    return {
+        image: `postgres:${version}`,
+        container_name: containerName,
+        environment: {
+            POSTGRES_PASSWORD: password,
+            POSTGRES_DB: databaseName,
+        },
+        expose: ['5432'],
+        volumes: [
+            `${volumeName}:/var/lib/postgresql`,
+            `./init/init-${tenantId}.sql:/docker-entrypoint-initdb.d/init-${tenantId}.sql:ro`,
+        ],
+        networks: ['postgres_network'],
+        restart: 'unless-stopped',
+        deploy: {
+            resources: {
+                limits: {
+                    cpus: String(limits.cpu),
+                    memory: `${limits.memory}M`,
+                },
+            },
+        },
+    };
+}
+
+function ensureNetwork(doc) {
+    if (!doc.networks) {
+        doc.networks = {};
+    }
+    if (!doc.networks.postgres_network) {
+        doc.networks.postgres_network = {
+            driver: 'bridge'
+        };
+    }
+}
+
+function createTenant(tenantId, options = {}) {
+    const { version = '18', password, limits = DEFAULT_LIMITS } = options;
+    const doc = loadCompose();
+
+    if (doc.services && doc.services[`pgs_${tenantId}`]) {
+        throw new Error(`Tenant ${tenantId} already exists`);
+    }
+
+    if (!doc.services) {
+        doc.services = {};
+    }
+
+    if (!doc.volumes) {
+        doc.volumes = {};
+    }
+
+    createInitScript({ tenantId, password, databaseName: tenantId });
+
+    const serviceName = `pgs_${tenantId}`;
+    doc.services[serviceName] = createService({ tenantId, password, databaseName: tenantId, version, limits });
+
+    const volumeName = `pgdata_${tenantId}`;
+    if (!doc.volumes[volumeName]) {
+        doc.volumes[volumeName] = null;
+    }
+
+    ensureNetwork(doc);
+
+    saveCompose(doc);
+
+    // Add tenant to access control (disabled by default for security)
+    setTenantAccess(tenantId, true);
+
+    // Regenerate HAProxy config and update depends_on
+    generateHAProxyConfig();
+    updateHAProxyDependsOn();
+
+    // start the tenant
+    executeCommand(`sudo docker compose up -d ${serviceName}`.trim());
+
+    console.log(`✓ Created tenant: ${tenantId}`);
+    console.log(`  Service: ${serviceName}`);
+    console.log(`  Port: 5432`);
+    console.log(`  Database: ${tenantId}`);
+    console.log(`  Password: ${password}`);
+    console.log(`  Access: enabled (use 'disable-access ${tenantId}' to disable)`);
+
+    return { tenantId, serviceName };
+}
+
+function listTenants() {
+    const doc = loadCompose();
+    const access = loadTenantAccess();
+
+    if (!doc.services) {
+        console.log('No tenants found');
+        return;
+    }
+
+    const tenants = Object.keys(doc.services)
+        .filter(name => name.startsWith('pgs_') && name !== 'haproxy')
+        .map(name => {
+            const service = doc.services[name];
+            const db = service.environment?.POSTGRES_DB || 'N/A';
+            const tenantId = name.replace('pgs_', '');
+            const accessEnabled = access[tenantId] === true;
+
+            return { tenantId, db, service: name, access: accessEnabled };
+        });
+
+    if (tenants.length === 0) {
+        console.log('No tenants found');
+        return;
+    }
+
+    console.log('\nTenants:');
+    console.log('─'.repeat(75));
+    console.log(`  ${'ID'.padEnd(20)} ${'Database'.padEnd(20)} ${'Access'.padEnd(15)}`);
+    console.log('─'.repeat(75));
+    tenants.forEach(t => {
+        const accessStr = t.access ? '✓ enabled' : '✗ disabled';
+        console.log(`  ${t.tenantId.padEnd(20)} ${t.db.padEnd(20)} ${accessStr}`);
+    });
+    console.log('─'.repeat(75));
+}
+
+function enableTenantAccess(tenantId) {
+    const doc = loadCompose();
+    const serviceName = `pgs_${tenantId}`;
+
+    if (!doc.services || !doc.services[serviceName]) {
+        throw new Error(`Tenant ${tenantId} not found`);
+    }
+
+    // Update access control
+    setTenantAccess(tenantId, true);
+
+    // Restart HAProxy
+    executeCommand('sudo docker restart postgres_proxy');
+
+    console.log(`✓ External access enabled for tenant: ${tenantId}`);
+}
+
+function disableTenantAccess(tenantId) {
+    const doc = loadCompose();
+    const serviceName = `pgs_${tenantId}`;
+
+    if (!doc.services || !doc.services[serviceName]) {
+        throw new Error(`Tenant ${tenantId} not found`);
+    }
+
+    // Update access control
+    setTenantAccess(tenantId, false);
+
+    // Restart HAProxy
+    executeCommand('sudo docker restart postgres_proxy');
+
+    console.log(`✓ External access disabled for tenant: ${tenantId}`);
+}
+
+function removeTenant(tenantId) {
+    const doc = loadCompose();
+    const serviceName = `pgs_${tenantId}`;
+
+    if (!doc.services || !doc.services[serviceName]) {
+        throw new Error(`Tenant ${tenantId} not found`);
+    }
+
+    delete doc.services[serviceName];
+
+    const volumeName = `pgdata_${tenantId}`;
+    if (doc.volumes && doc.volumes[volumeName]) {
+        delete doc.volumes[volumeName];
+    }
+
+    const initFile = path.join(INIT_DIR, `init-${tenantId}.sql`);
+    if (fs.existsSync(initFile)) {
+        fs.unlinkSync(initFile);
+    }
+
+    saveCompose(doc);
+
+    // Remove from tenant access and regenerate HAProxy config
+    removeTenantAccess(tenantId);
+    generateHAProxyConfig();
+    updateHAProxyDependsOn();
+
+    console.log(`✓ Removed tenant: ${tenantId}`);
+    console.log(`  Run: docker compose down ${serviceName}`);
+    console.log(`  Run: docker volume rm pgs_${volumeName}`);
+}
+
+function executeCommand(command) {
+    try {
+        execSync(command, { stdio: 'inherit', cwd: process.cwd() });
+    } catch (error) {
+        console.error(`Error executing: ${command}`);
+        process.exit(1);
+    }
+}
+
+const program = new Command();
+
+program
+    .name('postgres-manager')
+    .description('Manage PostgreSQL tenant instances')
+    .version('1.0.0');
+
+program
+    .command('create')
+    .description('Create a new PostgreSQL tenant instance')
+    .argument('<tenant-id>', 'Tenant identifier')
+    .option('-f, --file <file>', 'Manifest file path')
+    .option('-p, --password <password>', 'Database password')
+    .option('-v, --version <version>', 'PostgreSQL version', '18')
+    .option('--cpu <cpu>', 'CPU limit (cores)', '0.5')
+    .option('--memory <memory>', 'Memory limit (MB)', '256')
+    .action((...args) => {
+        try {
+            const providedTenantId = args[0];
+            const randomSuffix = Math.random().toString(36).substring(2, 8);
+            const tenantId = `${providedTenantId}_${randomSuffix}`;
+
+            const opts = args[1];
+
+            const tenantOptions = {
+                password: null,
+                version: null,
+                limits: null
+            }
+            
+            if (opts.file) {
+                const manifestFilePath = path.resolve(opts.file)
+                const optsFromManifest = JSON.parse(readFileSync(manifestFilePath))
+                
+                if (optsFromManifest.type !== 'postgres') {
+                    throw new Error(`The type "${optsFromManifest.type}" is not valid for this agent.`)
+                }
+                console.log('optsFromManifest', optsFromManifest)
+
+                tenantOptions.limits = optsFromManifest.shared_limits
+            } else {
+                tenantOptions.version = opts.version;
+                tenantOptions.limits = {
+                    cpu: parseFloat(opts.cpu),
+                    memory: parseInt(opts.memory, 10),
+                };
+            }
+            
+            tenantOptions.password = opts.password || generateRandomPassword();
+            
+            createTenant(tenantId, tenantOptions);
+        } catch (error) {
+            console.error(`Error: ${error}`);
+            process.exit(1);
+        }
+    });
+
+program
+    .command('list')
+    .description('List all tenant instances')
+    .action(() => {
+        try {
+            listTenants();
+        } catch (error) {
+            console.error(`Error: ${error.message}`);
+            process.exit(1);
+        }
+    });
+
+program
+    .command('remove')
+    .description('Remove a tenant instance')
+    .argument('<tenant-id>', 'Tenant identifier')
+    .action((tenantId) => {
+        try {
+            removeTenant(tenantId);
+        } catch (error) {
+            console.error(`Error: ${error.message}`);
+            process.exit(1);
+        }
+    });
+
+program
+    .command('start')
+    .description('Start all PostgreSQL services')
+    .argument('[tenant-id]', 'Tenant identifier (optional, starts all if omitted)')
+    .action((tenantId) => {
+        const service = tenantId ? `pgs_${tenantId}` : '';
+        executeCommand(`sudo docker compose up -d ${service}`.trim());
+    });
+
+program
+    .command('stop')
+    .description('Stop all PostgreSQL services')
+    .argument('[tenant-id]', 'Tenant identifier (optional, stops all if omitted)')
+    .action((tenantId) => {
+        const service = tenantId ? `pgs_${tenantId}` : '';
+        executeCommand(`sudo docker compose stop ${service}`.trim());
+        executeCommand('sudo docker restart postgres_proxy');
+    });
+
+program
+    .command('enable-access')
+    .description('Enable external access for a tenant')
+    .argument('<tenant-id>', 'Tenant identifier')
+    .action((tenantId) => {
+        try {
+            enableTenantAccess(tenantId);
+        } catch (error) {
+            console.error(`Error: ${error.message}`);
+            process.exit(1);
+        }
+    });
+
+program
+    .command('disable-access')
+    .description('Disable external access for a tenant')
+    .argument('<tenant-id>', 'Tenant identifier')
+    .action((tenantId) => {
+        try {
+            disableTenantAccess(tenantId);
+        } catch (error) {
+            console.error(`Error: ${error.message}`);
+            process.exit(1);
+        }
+    });
+
+program.parse();
+

package/manifest.json

@@ -0,0 +1,32 @@
+{
+    "type": "deploy",
+    "version": "18",
+    "tier": 1,
+    "purpose": "development",
+    "storage": 2,
+    "region": "us-central-1",
+    "provider": "gcp",
+    "zone": "a",
+    "shared": true,
+    "shared_limits": {
+        "cpu": 0.5,
+        "memory": 512
+    },
+    "postgres": {
+        "port": 5432,
+        "username": "postgres",
+        "password": "postgres",
+        "default_database": "postgres"
+    },
+    "firewall": {
+        "rules": [
+            {
+                "description": "Allow all traffic",
+                "type": "allow",
+                "protocol": "tcp",
+                "port": 5432,
+                "source": "0.0.0.0/0"
+            }
+        ]
+    }
+}

package/package.json

@@ -0,0 +1,24 @@
+{
+  "name": "@sysnee/pgs",
+  "version": "0.1.0",
+  "description": "Dynamic PostgreSQL service instance manager",
+  "type": "module",
+  "bin": {
+    "pgs": "./manager.js"
+  },
+  "scripts": {
+    "create": "node manager.js create",
+    "list": "node manager.js list",
+    "remove": "node manager.js remove",
+    "start": "node manager.js start",
+    "stop": "node manager.js stop",
+    "enable-access": "node manager.js enable-access",
+    "disable-access": "node manager.js disable-access",
+    "reload-haproxy": "node manager.js reload-haproxy"
+  },
+  "dependencies": {
+    "js-yaml": "^4.1.0",
+    "commander": "^11.1.0"
+  }
+}
+