@sysnee/pgs 0.1.6 → 0.1.7-rc.10

package/manager.js

@@ -19,7 +19,9 @@ const CONFIG_DIR = path.join(os.homedir(), '.sysnee-config');
 
 const COMPOSE_FILE_PATH = path.join(CONFIG_DIR, 'docker-compose.yml');
 const INIT_DIR_PATH = path.join(CONFIG_DIR, 'init');
-const HAPROXY_CFG_PATH = path.join(CONFIG_DIR, 'haproxy.cfg');
+const CERTS_DIR_PATH = path.join(CONFIG_DIR, 'certs');
+const TRAEFIK_STATIC_PATH = path.join(CONFIG_DIR, 'traefik.yml');
+const TRAEFIK_DYNAMIC_PATH = path.join(CONFIG_DIR, 'dynamic.yml');
 const TENANT_ACCESS_FILE_PATH = path.join(CONFIG_DIR, 'tenant-access.json');
 const SETUP_STATUS_PATH = path.join(CONFIG_DIR, 'status.txt');
 
@@ -58,86 +60,116 @@ function removeTenantAccess(tenantId) {
     saveTenantAccess(access);
 }
 
-// ==================== HAProxy Configuration ====================
+// ==================== Traefik Configuration ====================
 
-function generateHAProxyConfig() {
-    console.debug('In generateHAProxy function')
+function generateTraefikDynamicConfig(tenantsManifests = {}) {
+    console.debug('Generating Traefik dynamic config')
     const doc = loadCompose();
+    const access = loadTenantAccess();
 
-    // Get all tenant services
     const tenants = Object.keys(doc.services || {})
-        .filter(name => name.startsWith('pgs_') && name !== 'haproxy');
-
-    console.debug(`tenants.lenght: ${tenants.length}`)
+        .filter(name => name.startsWith('pgs_') && name !== 'traefik');
 
-    // Get initial HAProxy config
-    const templateFilePath = path.join(__dirname, 'haproxy.cfg')
-    console.debug(`haproxy template file path: ${templateFilePath}`)
-    let config = readFileSync(templateFilePath, 'utf8');
-    console.debug(`haproxy template file loaded`)
+    console.debug(`tenants.length: ${tenants.length}`)
 
-    // Add all tenant backends to SSL pool for SSL negotiation
-    // PostgreSQL will respond 'N' (no SSL) during negotiation, then client retries without SSL
-    if (tenants.length > 0) {
-        for (const serviceName of tenants) {
-            config += `    server ${serviceName}_ssl ${serviceName}:5432 check
-`;
+    const dynamicConfig = {
+        tcp: {
+            routers: {},
+            middlewares: {},
+            services: {}
+        },
+        tls: {
+            certificates: [
+                {
+                    certFile: '/etc/traefik/certs/fullchain.pem',
+                    keyFile: '/etc/traefik/certs/privkey.pem'
+                }
+            ]
         }
-        config += `
-`;
-    } else {
-        config += `    # No tenants configured yet
-`;
-    }
+    };
 
-    // Generate backend for each tenant
     for (const serviceName of tenants) {
-        config += `backend ${serviceName}
-    mode tcp
-    server pg1 ${serviceName}:5432 check
+        const tenantId = serviceName.replace('pgs_', '');
+        
+        if (access[tenantId] !== true) {
+            console.debug(`Skipping disabled tenant: ${tenantId}`);
+            continue;
+        }
+
+        const routerName = `router_${tenantId}`.replace(/-/g, '_');
+        const middlewareName = `ipwhitelist_${tenantId}`.replace(/-/g, '_');
+        const svcName = `svc_${tenantId}`.replace(/-/g, '_');
+
+        const router = {
+            entryPoints: ['postgres'],
+            rule: `HostSNI(\`${tenantId}.pgs.br-sp-1.sysnee.com\`)`,
+            service: svcName,
+            tls: {}
+        };
+
+        const manifest = tenantsManifests[tenantId];
+        if (manifest && manifest.firewall && manifest.firewall.rules) {
+            const sourceRanges = manifest.firewall.rules
+                .filter(rule => rule.type === 'allow')
+                .map(rule => rule.source);
+
+            if (sourceRanges.length > 0) {
+                router.middlewares = [middlewareName];
+                
+                if (!dynamicConfig.tcp.middlewares[middlewareName]) {
+                    dynamicConfig.tcp.middlewares[middlewareName] = {
+                        ipAllowList: {
+                            sourceRange: sourceRanges
+                        }
+                    };
+                }
+            }
+        }
 
-`;
+        dynamicConfig.tcp.routers[routerName] = router;
+
+        dynamicConfig.tcp.services[svcName] = {
+            loadBalancer: {
+                servers: [
+                    { address: `${serviceName}:5432` }
+                ]
+            }
+        };
     }
 
-    console.log(`Preparing to save haproxy file in ${HAPROXY_CFG_PATH}`)
-    writeFileSync(HAPROXY_CFG_PATH, config);
-    console.log(`Succesfully saved haproxy file in ${HAPROXY_CFG_PATH}`)
+    const yamlContent = yaml.dump(dynamicConfig, { indent: 2, lineWidth: -1, quotingType: '"' });
+    
+    console.log(`Saving Traefik dynamic config to ${TRAEFIK_DYNAMIC_PATH}`)
+    writeFileSync(TRAEFIK_DYNAMIC_PATH, yamlContent);
+    console.log('Traefik dynamic config saved successfully')
 }
 
-function updateHAProxyDependsOn() {
+function updateTraefikService() {
     const doc = loadCompose();
 
-    // Get all tenant services
     const tenants = Object.keys(doc.services || {})
-        .filter(name => name.startsWith('pgs_') && name !== 'haproxy');
-
-    // Ensure HAProxy service exists
-    if (!doc.services.haproxy) {
-        doc.services.haproxy = {
-            image: 'haproxy:latest',
-            container_name: 'postgres_proxy',
-            ports: ['5432:5432'],
-            volumes: [
-                './haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro',
-                './haproxy-lua:/etc/haproxy/lua:ro',
-                './tenant-access.json:/etc/haproxy/tenant-access.json:ro'
-            ],
-            networks: ['postgres_network'],
-            restart: 'unless-stopped'
-        };
-    }
+        .filter(name => name.startsWith('pgs_') && name !== 'traefik');
+
+    doc.services.traefik = {
+        image: 'traefik:v3.0',
+        container_name: 'postgres_proxy',
+        ports: ['5432:5432'],
+        volumes: [
+            `${TRAEFIK_STATIC_PATH}:/etc/traefik/traefik.yml:ro`,
+            `${TRAEFIK_DYNAMIC_PATH}:/etc/traefik/dynamic.yml:ro`,
+            `${CERTS_DIR_PATH}:/etc/traefik/certs:ro`
+        ],
+        networks: ['postgres_network'],
+        restart: 'unless-stopped'
+    };
 
-    // Update depends_on
     if (tenants.length > 0) {
-        doc.services.haproxy.depends_on = tenants;
-    } else {
-        delete doc.services.haproxy.depends_on;
+        doc.services.traefik.depends_on = tenants;
     }
 
     saveCompose(doc);
 
-    // Restart HAProxy
-    executeCommand('docker restart postgres_proxy');
+    executeCommand('docker compose up -d --force-recreate traefik');
 }
 
 function createInitScript({ tenantId, password, databaseName }) {
@@ -200,11 +232,30 @@ function ensureNetwork(doc) {
 }
 
 function initialSetup() {
+    installDocker()
     createInitialFiles()
     ensureDockerPrivilegies()
     console.log('All ready!')
 }
 
+function installDocker() {
+
+    try {
+        execSync('docker info', { stdio: 'pipe' })
+        console.log('Docker already installed')
+        return
+    } catch (_) {}
+
+    console.log('Installing Docker...')
+    execSync('curl -fsSL https://get.docker.com -o get-docker.sh && sudo sh get-docker.sh', { stdio: 'inherit' })
+    execSync('rm get-docker.sh')
+    console.log('Docker installed successfully')
+    
+    console.log('Installing Docker Compose plugin...')
+    execSync('sudo apt-get install -y docker-compose-plugin', { stdio: 'inherit' })
+    console.log('Docker Compose plugin installed successfully')
+}
+
 function ensureDockerPrivilegies() {
     execSync('sudo usermod -aG docker $USER && newgrp docker')
     writeFileSync(SETUP_STATUS_PATH, 'container:ok')
@@ -217,14 +268,43 @@ function createInitialFiles() {
     }
 
     // docker-compose.yml
-    if (!fs.existsSync(COMPOSE_FILE_PATH)) {
+    if (!existsSync(COMPOSE_FILE_PATH)) {
         const dockerComposeInitialContent = readFileSync(path.join(__dirname, 'docker-compose.yml'), 'utf8')
         writeFileSync(COMPOSE_FILE_PATH, dockerComposeInitialContent)
     }
 
     // tenant-access.json
-    if (!fs.existsSync(TENANT_ACCESS_FILE_PATH)) {
-        fs.writeFileSync(TENANT_ACCESS_FILE_PATH, '{}');
+    if (!existsSync(TENANT_ACCESS_FILE_PATH)) {
+        writeFileSync(TENANT_ACCESS_FILE_PATH, '{}');
+    }
+
+    // Traefik static config
+    if (!existsSync(TRAEFIK_STATIC_PATH)) {
+        const traefikTemplate = readFileSync(path.join(__dirname, 'traefik.yml'), 'utf8');
+        writeFileSync(TRAEFIK_STATIC_PATH, traefikTemplate);
+    }
+
+    // Traefik dynamic config (empty initially)
+    if (!existsSync(TRAEFIK_DYNAMIC_PATH)) {
+        const emptyDynamic = yaml.dump({
+            tcp: { routers: {}, services: {} },
+            tls: {
+                certificates: [{
+                    certFile: '/etc/traefik/certs/fullchain.pem',
+                    keyFile: '/etc/traefik/certs/privkey.pem'
+                }]
+            }
+        }, { indent: 2 });
+        writeFileSync(TRAEFIK_DYNAMIC_PATH, emptyDynamic);
+    }
+
+    // Certs directory
+    if (!existsSync(CERTS_DIR_PATH)) {
+        mkdirSync(CERTS_DIR_PATH, { recursive: true });
+        console.log(`Created certs directory at ${CERTS_DIR_PATH}`);
+        console.log('Place your SSL certificate files there:');
+        console.log('  - fullchain.pem (certificate chain)');
+        console.log('  - privkey.pem (private key)');
     }
 }
 
@@ -244,7 +324,7 @@ function checkSetupStatus() {
 }
 
 function createTenant(tenantId, options = {}) {
-    const { version = '18', password, limits = DEFAULT_LIMITS } = options;
+    const { version = '18', password, limits = DEFAULT_LIMITS, manifest = null } = options;
     const doc = loadCompose();
 
     if (doc.services && doc.services[`pgs_${tenantId}`]) {
@@ -273,21 +353,21 @@ function createTenant(tenantId, options = {}) {
 
     saveCompose(doc);
 
-    // Add tenant to access control (disabled by default for security)
     setTenantAccess(tenantId, true);
 
-    // Regenerate HAProxy config and update depends_on
-    generateHAProxyConfig();
-    updateHAProxyDependsOn();
+    const manifests = manifest ? { [tenantId]: manifest } : {};
+    generateTraefikDynamicConfig(manifests);
+    updateTraefikService();
 
-    // start the tenant
     executeCommand(`docker compose up -d ${serviceName}`.trim());
 
     console.log(`✓ Created tenant: ${tenantId}`);
     console.log(`  Service: ${serviceName}`);
+    console.log(`  Host: ${tenantId}.pgs.br-sp-1.sysnee.com`);
     console.log(`  Port: 5432`);
     console.log(`  Database: ${tenantId}`);
     console.log(`  Password: ${password}`);
+    console.log(`  SSL: required`);
     console.log(`  Access: enabled (use 'disable-access ${tenantId}' to disable)`);
 
     return { tenantId, serviceName };
@@ -303,7 +383,7 @@ function listTenants() {
     }
 
     const tenants = Object.keys(doc.services)
-        .filter(name => name.startsWith('pgs_') && name !== 'haproxy')
+        .filter(name => name.startsWith('pgs_') && name !== 'traefik')
         .map(name => {
             const service = doc.services[name];
             const db = service.environment?.POSTGRES_DB || 'N/A';
@@ -319,17 +399,18 @@ function listTenants() {
     }
 
     console.log('\nTenants:');
-    console.log('─'.repeat(75));
-    console.log(`  ${'ID'.padEnd(20)} ${'Database'.padEnd(20)} ${'Access'.padEnd(15)}`);
-    console.log('─'.repeat(75));
+    console.log('─'.repeat(90));
+    console.log(`  ${'ID'.padEnd(25)} ${'Host'.padEnd(45)} ${'Access'.padEnd(15)}`);
+    console.log('─'.repeat(90));
     tenants.forEach(t => {
         const accessStr = t.access ? '✓ enabled' : '✗ disabled';
-        console.log(`  ${t.tenantId.padEnd(20)} ${t.db.padEnd(20)} ${accessStr}`);
+        const host = `${t.tenantId}.pgs.br-sp-1.sysnee.com`;
+        console.log(`  ${t.tenantId.padEnd(25)} ${host.padEnd(45)} ${accessStr}`);
     });
-    console.log('─'.repeat(75));
+    console.log('─'.repeat(90));
 }
 
-function enableTenantAccess(tenantId) {
+function enableTenantAccess(tenantId, manifests = {}) {
     const doc = loadCompose();
     const serviceName = `pgs_${tenantId}`;
 
@@ -337,16 +418,13 @@ function enableTenantAccess(tenantId) {
         throw new Error(`Tenant ${tenantId} not found`);
     }
 
-    // Update access control
     setTenantAccess(tenantId, true);
-
-    // Restart HAProxy
-    executeCommand('docker restart postgres_proxy');
+    generateTraefikDynamicConfig(manifests);
 
     console.log(`✓ External access enabled for tenant: ${tenantId}`);
 }
 
-function disableTenantAccess(tenantId) {
+function disableTenantAccess(tenantId, manifests = {}) {
     const doc = loadCompose();
     const serviceName = `pgs_${tenantId}`;
 
@@ -354,16 +432,13 @@ function disableTenantAccess(tenantId) {
         throw new Error(`Tenant ${tenantId} not found`);
     }
 
-    // Update access control
     setTenantAccess(tenantId, false);
-
-    // Restart HAProxy
-    executeCommand('docker restart postgres_proxy');
+    generateTraefikDynamicConfig(manifests);
 
     console.log(`✓ External access disabled for tenant: ${tenantId}`);
 }
 
-function removeTenant(tenantId) {
+function removeTenant(tenantId, manifests = {}) {
     const doc = loadCompose();
     const serviceName = `pgs_${tenantId}`;
 
@@ -385,10 +460,9 @@ function removeTenant(tenantId) {
 
     saveCompose(doc);
 
-    // Remove from tenant access and regenerate HAProxy config
     removeTenantAccess(tenantId);
-    generateHAProxyConfig();
-    updateHAProxyDependsOn();
+    generateTraefikDynamicConfig(manifests);
+    updateTraefikService();
 
     console.log(`✓ Removed tenant: ${tenantId}`);
     console.log(`  Run: docker compose down ${serviceName}`);
@@ -437,14 +511,15 @@ program
 
             const providedTenantId = args[0];
             const randomSuffix = Math.random().toString(36).substring(2, 8);
-            const tenantId = `${providedTenantId}_${randomSuffix}`;
+            const tenantId = `${providedTenantId}-${randomSuffix}`;
 
             const opts = args[1];
 
             const tenantOptions = {
                 password: null,
                 version: null,
-                limits: null
+                limits: null,
+                manifest: null
             }
 
             if (opts.file) {
@@ -458,6 +533,7 @@ program
 
                 tenantOptions.limits = optsFromManifest.shared_limits
                 tenantOptions.version = optsFromManifest.version
+                tenantOptions.manifest = optsFromManifest
             } else {
                 tenantOptions.version = opts.version;
                 tenantOptions.limits = {
@@ -492,10 +568,17 @@ program
     .command('remove')
     .description('Remove a tenant instance')
     .argument('<tenant-id>', 'Tenant identifier')
-    .action((tenantId) => {
+    .option('-f, --file <file>', 'Manifest file path (optional, for firewall rules)')
+    .action((tenantId, opts) => {
         checkSetupStatus()
         try {
-            removeTenant(tenantId);
+            const manifests = {};
+            if (opts.file) {
+                const manifestFilePath = path.resolve(opts.file)
+                const manifest = JSON.parse(readFileSync(manifestFilePath))
+                manifests[tenantId] = manifest;
+            }
+            removeTenant(tenantId, manifests);
         } catch (error) {
             console.error(`Error: ${error.message}`);
             process.exit(1);
@@ -520,17 +603,23 @@ program
         checkSetupStatus()
         const service = tenantId ? `pgs_${tenantId}` : '';
         executeCommand(`docker compose stop ${service}`.trim());
-        executeCommand('docker restart postgres_proxy');
     });
 
 program
     .command('enable-access')
     .description('Enable external access for a tenant')
     .argument('<tenant-id>', 'Tenant identifier')
-    .action((tenantId) => {
+    .option('-f, --file <file>', 'Manifest file path (optional, for firewall rules)')
+    .action((tenantId, opts) => {
         checkSetupStatus()
         try {
-            enableTenantAccess(tenantId);
+            const manifests = {};
+            if (opts.file) {
+                const manifestFilePath = path.resolve(opts.file)
+                const manifest = JSON.parse(readFileSync(manifestFilePath))
+                manifests[tenantId] = manifest;
+            }
+            enableTenantAccess(tenantId, manifests);
         } catch (error) {
             console.error(`Error: ${error.message}`);
             process.exit(1);
@@ -541,10 +630,17 @@ program
     .command('disable-access')
     .description('Disable external access for a tenant')
     .argument('<tenant-id>', 'Tenant identifier')
-    .action((tenantId) => {
+    .option('-f, --file <file>', 'Manifest file path (optional, for firewall rules)')
+    .action((tenantId, opts) => {
         checkSetupStatus()
         try {
-            disableTenantAccess(tenantId);
+            const manifests = {};
+            if (opts.file) {
+                const manifestFilePath = path.resolve(opts.file)
+                const manifest = JSON.parse(readFileSync(manifestFilePath))
+                manifests[tenantId] = manifest;
+            }
+            disableTenantAccess(tenantId, manifests);
         } catch (error) {
             console.error(`Error: ${error.message}`);
             process.exit(1);
@@ -552,4 +648,3 @@ program
     });
 
 program.parse();
-

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sysnee/pgs",
-  "version": "0.1.6",
+  "version": "0.1.7-rc.10",
   "description": "Dynamic PostgreSQL service instance manager",
   "type": "module",
   "bin": {
@@ -14,7 +14,7 @@
     "stop": "node manager.js stop",
     "enable-access": "node manager.js enable-access",
     "disable-access": "node manager.js disable-access",
-    "reload-haproxy": "node manager.js reload-haproxy"
+    "setup": "node manager.js setup"
   },
   "dependencies": {
     "js-yaml": "^4.1.0",

package/traefik.yml

@@ -0,0 +1,15 @@
+api:
+  dashboard: false
+
+log:
+  level: INFO
+
+entryPoints:
+  postgres:
+    address: ":5432"
+
+providers:
+  file:
+    filename: /etc/traefik/dynamic.yml
+    watch: true
+

package/haproxy-lua/pg-route.lua

@@ -1,177 +0,0 @@
--- PostgreSQL Protocol Parser for HAProxy
--- Routes connections based on username extracted from startup packet
--- Checks tenant-access.json for access control
-
--- Simple JSON parser for our limited use case (flat object with string keys and boolean values)
-local function parse_json(str)
-    local result = {}
-    -- Match patterns like "key": true or "key": false
-    for key, value in string.gmatch(str, '"([^"]+)":%s*(%w+)') do
-        if value == "true" then
-            result[key] = true
-        elseif value == "false" then
-            result[key] = false
-        end
-    end
-    return result
-end
-
--- Cache for tenant access configuration
-local tenant_access_cache = {}
-local cache_timestamp = 0
-local CACHE_TTL = 5 -- seconds
-
--- Load tenant access configuration
-local function load_tenant_access()
-    local now = core.now().sec
-    if now - cache_timestamp < CACHE_TTL then
-        return tenant_access_cache
-    end
-    
-    local file = io.open("/etc/haproxy/tenant-access.json", "r")
-    if not file then
-        core.Warning("tenant-access.json not found, denying all connections")
-        tenant_access_cache = {}
-        cache_timestamp = now
-        return tenant_access_cache
-    end
-    
-    local content = file:read("*all")
-    file:close()
-    
-    local data = parse_json(content)
-    tenant_access_cache = data or {}
-    cache_timestamp = now
-    
-    return tenant_access_cache
-end
-
--- Parse PostgreSQL startup packet to extract username
--- PostgreSQL startup packet format:
--- [4 bytes: length] [4 bytes: protocol version] [key=value pairs\0]
-local function parse_startup_packet(data)
-    if #data < 8 then
-        return nil
-    end
-    
-    -- Read packet length (big-endian)
-    local len = (string.byte(data, 1) * 16777216) +
-                (string.byte(data, 2) * 65536) +
-                (string.byte(data, 3) * 256) +
-                string.byte(data, 4)
-    
-    if #data < len then
-        return nil
-    end
-    
-    -- Read protocol version
-    local major = (string.byte(data, 5) * 256) + string.byte(data, 6)
-    local minor = (string.byte(data, 7) * 256) + string.byte(data, 8)
-    
-    -- Check for SSL request (protocol 1234.5679)
-    if major == 1234 and minor == 5679 then
-        return { ssl_request = true }
-    end
-    
-    -- Check for cancel request (protocol 1234.5678)
-    if major == 1234 and minor == 5678 then
-        return { cancel_request = true }
-    end
-    
-    -- Normal startup message (protocol 3.0)
-    if major ~= 3 then
-        return nil
-    end
-    
-    -- Parse key-value pairs starting at byte 9
-    local params = {}
-    local pos = 9
-    
-    while pos < len do
-        -- Read key
-        local key_start = pos
-        while pos <= len and string.byte(data, pos) ~= 0 do
-            pos = pos + 1
-        end
-        
-        if pos > len then break end
-        
-        local key = string.sub(data, key_start, pos - 1)
-        pos = pos + 1 -- skip null
-        
-        if key == "" then break end -- end of parameters
-        
-        -- Read value
-        local val_start = pos
-        while pos <= len and string.byte(data, pos) ~= 0 do
-            pos = pos + 1
-        end
-        
-        local value = string.sub(data, val_start, pos - 1)
-        pos = pos + 1 -- skip null
-        
-        params[key] = value
-    end
-    
-    return params
-end
-
--- Main routing function called by HAProxy
-function pg_route(txn)
-    -- Get data from the request buffer
-    local data = txn.req:data(0)
-    
-    if not data or #data == 0 then
-        -- No data yet, need to wait
-        return
-    end
-    
-    local params = parse_startup_packet(data)
-    
-    if not params then
-        core.Warning("Failed to parse PostgreSQL startup packet")
-        txn:set_var("txn.pg_blocked", true)
-        return
-    end
-    
-    -- Handle SSL request - route to default pool for SSL negotiation
-    -- PostgreSQL will respond 'N' (no SSL), then client retries without SSL
-    if params.ssl_request then
-        core.Info("SSL request received, routing to SSL negotiation pool")
-        -- Route to SSL pool backend which forwards to any available PostgreSQL
-        -- This allows SSL negotiation to complete
-        txn:set_var("txn.pg_backend", "pg_ssl_pool")
-        return
-    end
-    
-    -- Handle cancel request
-    if params.cancel_request then
-        txn:set_var("txn.pg_blocked", true)
-        return
-    end
-    
-    local username = params["user"]
-    if not username then
-        core.Warning("No username in PostgreSQL startup packet")
-        txn:set_var("txn.pg_blocked", true)
-        return
-    end
-    
-    -- Load tenant access configuration
-    local access = load_tenant_access()
-    
-    -- Check if tenant has external access enabled
-    if not access[username] then
-        core.Warning("Access denied: " .. username)
-        txn:set_var("txn.pg_blocked", true)
-        return
-    end
-    
-    -- Route to tenant's backend
-    local backend = "pgs_" .. username
-    core.Info("Routing user " .. username .. " to backend " .. backend)
-    txn:set_var("txn.pg_backend", backend)
-end
-
--- Register the action with HAProxy
-core.register_action("pg_route", { "tcp-req" }, pg_route, 0)