@sysnee/pgs 0.1.7-rc.2 → 0.1.7-rc.4

package/docker-compose.yml

@@ -1,16 +1,19 @@
+version: "3.8"
+
 services:
-  haproxy:
-    image: haproxy:latest
+  traefik:
+    image: traefik:v3.0
     container_name: postgres_proxy
     ports:
-      - '5432:5432'
+      - "5432:5432"
     volumes:
-      - ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
-      - ./haproxy-lua:/etc/haproxy/lua:ro
-      - ./tenant-access.json:/etc/haproxy/tenant-access.json:ro
+      - ./traefik.yml:/etc/traefik/traefik.yml:ro
+      - ./dynamic.yml:/etc/traefik/dynamic.yml:ro
+      - ./certs:/etc/traefik/certs:ro
     networks:
       - postgres_network
     restart: unless-stopped
+
 networks:
   postgres_network:
     driver: bridge

package/manager.js

@@ -19,8 +19,9 @@ const CONFIG_DIR = path.join(os.homedir(), '.sysnee-config');
 
 const COMPOSE_FILE_PATH = path.join(CONFIG_DIR, 'docker-compose.yml');
 const INIT_DIR_PATH = path.join(CONFIG_DIR, 'init');
-const LUA_DIR_PATH = path.join(CONFIG_DIR, 'haproxy-lua');
-const HAPROXY_CFG_PATH = path.join(CONFIG_DIR, 'haproxy.cfg');
+const CERTS_DIR_PATH = path.join(CONFIG_DIR, 'certs');
+const TRAEFIK_STATIC_PATH = path.join(CONFIG_DIR, 'traefik.yml');
+const TRAEFIK_DYNAMIC_PATH = path.join(CONFIG_DIR, 'dynamic.yml');
 const TENANT_ACCESS_FILE_PATH = path.join(CONFIG_DIR, 'tenant-access.json');
 const SETUP_STATUS_PATH = path.join(CONFIG_DIR, 'status.txt');
 
@@ -59,86 +60,93 @@ function removeTenantAccess(tenantId) {
     saveTenantAccess(access);
 }
 
-// ==================== HAProxy Configuration ====================
+// ==================== Traefik Configuration ====================
 
-function generateHAProxyConfig() {
-    console.debug('In generateHAProxy function')
+function generateTraefikDynamicConfig() {
+    console.debug('Generating Traefik dynamic config')
     const doc = loadCompose();
+    const access = loadTenantAccess();
 
-    // Get all tenant services
     const tenants = Object.keys(doc.services || {})
-        .filter(name => name.startsWith('pgs_') && name !== 'haproxy');
-
-    console.debug(`tenants.lenght: ${tenants.length}`)
+        .filter(name => name.startsWith('pgs_') && name !== 'traefik');
 
-    // Get initial HAProxy config
-    const templateFilePath = path.join(__dirname, 'haproxy.cfg')
-    console.debug(`haproxy template file path: ${templateFilePath}`)
-    let config = readFileSync(templateFilePath, 'utf8');
-    console.debug(`haproxy template file loaded`)
+    console.debug(`tenants.length: ${tenants.length}`)
 
-    // Add all tenant backends to SSL pool for SSL negotiation
-    // PostgreSQL will respond 'N' (no SSL) during negotiation, then client retries without SSL
-    if (tenants.length > 0) {
-        for (const serviceName of tenants) {
-            config += `    server ${serviceName}_ssl ${serviceName}:5432 check
-`;
+    const dynamicConfig = {
+        tcp: {
+            routers: {},
+            services: {}
+        },
+        tls: {
+            certificates: [
+                {
+                    certFile: '/etc/traefik/certs/fullchain.pem',
+                    keyFile: '/etc/traefik/certs/privkey.pem'
+                }
+            ]
         }
-        config += `
-`;
-    } else {
-        config += `    # No tenants configured yet
-`;
-    }
+    };
 
-    // Generate backend for each tenant
     for (const serviceName of tenants) {
-        config += `backend ${serviceName}
-    mode tcp
-    server pg1 ${serviceName}:5432 check
+        const tenantId = serviceName.replace('pgs_', '');
+        
+        if (access[tenantId] !== true) {
+            console.debug(`Skipping disabled tenant: ${tenantId}`);
+            continue;
+        }
+
+        const routerName = `router_${tenantId}`.replace(/-/g, '_');
+        const svcName = `svc_${tenantId}`.replace(/-/g, '_');
+
+        dynamicConfig.tcp.routers[routerName] = {
+            entryPoints: ['postgres'],
+            rule: `HostSNI(\`${tenantId}.pgs.us-central-1.sysnee.com\`)`,
+            service: svcName,
+            tls: {}
+        };
 
-`;
+        dynamicConfig.tcp.services[svcName] = {
+            loadBalancer: {
+                servers: [
+                    { address: `${serviceName}:5432` }
+                ]
+            }
+        };
     }
 
-    console.log(`Preparing to save haproxy file in ${HAPROXY_CFG_PATH}`)
-    writeFileSync(HAPROXY_CFG_PATH, config);
-    console.log(`Succesfully saved haproxy file in ${HAPROXY_CFG_PATH}`)
+    const yamlContent = yaml.dump(dynamicConfig, { indent: 2, lineWidth: -1, quotingType: '"' });
+    
+    console.log(`Saving Traefik dynamic config to ${TRAEFIK_DYNAMIC_PATH}`)
+    writeFileSync(TRAEFIK_DYNAMIC_PATH, yamlContent);
+    console.log('Traefik dynamic config saved successfully')
 }
 
-function updateHAProxyDependsOn() {
+function updateTraefikService() {
     const doc = loadCompose();
 
-    // Get all tenant services
     const tenants = Object.keys(doc.services || {})
-        .filter(name => name.startsWith('pgs_') && name !== 'haproxy');
-
-    // Ensure HAProxy service exists
-    if (!doc.services.haproxy) {
-        doc.services.haproxy = {
-            image: 'haproxy:latest',
-            container_name: 'postgres_proxy',
-            ports: ['5432:5432'],
-            volumes: [
-                `${HAPROXY_CFG_PATH}:/usr/local/etc/haproxy/haproxy.cfg:ro`,
-                `${LUA_DIR_PATH}:/etc/haproxy/lua:ro`,
-                `${TENANT_ACCESS_FILE_PATH}:/etc/haproxy/tenant-access.json:ro`
-            ],
-            networks: ['postgres_network'],
-            restart: 'unless-stopped'
-        };
-    }
+        .filter(name => name.startsWith('pgs_') && name !== 'traefik');
+
+    doc.services.traefik = {
+        image: 'traefik:v3.0',
+        container_name: 'postgres_proxy',
+        ports: ['5432:5432'],
+        volumes: [
+            `${TRAEFIK_STATIC_PATH}:/etc/traefik/traefik.yml:ro`,
+            `${TRAEFIK_DYNAMIC_PATH}:/etc/traefik/dynamic.yml:ro`,
+            `${CERTS_DIR_PATH}:/etc/traefik/certs:ro`
+        ],
+        networks: ['postgres_network'],
+        restart: 'unless-stopped'
+    };
 
-    // Update depends_on
     if (tenants.length > 0) {
-        doc.services.haproxy.depends_on = tenants;
-    } else {
-        delete doc.services.haproxy.depends_on;
+        doc.services.traefik.depends_on = tenants;
     }
 
     saveCompose(doc);
 
-    // Restart HAProxy
-    executeCommand('docker compose up -d haproxy');
+    executeCommand('docker compose up -d --force-recreate traefik');
 }
 
 function createInitScript({ tenantId, password, databaseName }) {
@@ -228,21 +236,33 @@ function createInitialFiles() {
         writeFileSync(TENANT_ACCESS_FILE_PATH, '{}');
     }
 
-    // haproxy.cfg
-    if (!existsSync(HAPROXY_CFG_PATH)) {
-        const haproxyTemplate = readFileSync(path.join(__dirname, 'haproxy.cfg'), 'utf8');
-        writeFileSync(HAPROXY_CFG_PATH, haproxyTemplate);
+    // Traefik static config
+    if (!existsSync(TRAEFIK_STATIC_PATH)) {
+        const traefikTemplate = readFileSync(path.join(__dirname, 'traefik.yml'), 'utf8');
+        writeFileSync(TRAEFIK_STATIC_PATH, traefikTemplate);
     }
 
-    // Lua
-    if (!existsSync(LUA_DIR_PATH)) {
-        mkdirSync(LUA_DIR_PATH, { recursive: true });
+    // Traefik dynamic config (empty initially)
+    if (!existsSync(TRAEFIK_DYNAMIC_PATH)) {
+        const emptyDynamic = yaml.dump({
+            tcp: { routers: {}, services: {} },
+            tls: {
+                certificates: [{
+                    certFile: '/etc/traefik/certs/fullchain.pem',
+                    keyFile: '/etc/traefik/certs/privkey.pem'
+                }]
+            }
+        }, { indent: 2 });
+        writeFileSync(TRAEFIK_DYNAMIC_PATH, emptyDynamic);
     }
-    const luaSourceFile = path.join(__dirname, 'haproxy-lua', 'pg-route.lua');
-    const luaDestFile = path.join(LUA_DIR_PATH, 'pg-route.lua');
-    if (!existsSync(luaDestFile)) {
-        const luaContent = readFileSync(luaSourceFile, 'utf8');
-        writeFileSync(luaDestFile, luaContent);
+
+    // Certs directory
+    if (!existsSync(CERTS_DIR_PATH)) {
+        mkdirSync(CERTS_DIR_PATH, { recursive: true });
+        console.log(`Created certs directory at ${CERTS_DIR_PATH}`);
+        console.log('Place your SSL certificate files there:');
+        console.log('  - fullchain.pem (certificate chain)');
+        console.log('  - privkey.pem (private key)');
     }
 }
 
@@ -291,21 +311,23 @@ function createTenant(tenantId, options = {}) {
 
     saveCompose(doc);
 
-    // Add tenant to access control (disabled by default for security)
+    // Add tenant to access control
     setTenantAccess(tenantId, true);
 
-    // Regenerate HAProxy config and update depends_on
-    generateHAProxyConfig();
-    updateHAProxyDependsOn();
+    // Regenerate Traefik config and update service
+    generateTraefikDynamicConfig();
+    updateTraefikService();
 
     // start the tenant
     executeCommand(`docker compose up -d ${serviceName}`.trim());
 
     console.log(`✓ Created tenant: ${tenantId}`);
     console.log(`  Service: ${serviceName}`);
+    console.log(`  Host: ${tenantId}.pgs.us-central-1.sysnee.com`);
     console.log(`  Port: 5432`);
     console.log(`  Database: ${tenantId}`);
     console.log(`  Password: ${password}`);
+    console.log(`  SSL: required`);
     console.log(`  Access: enabled (use 'disable-access ${tenantId}' to disable)`);
 
     return { tenantId, serviceName };
@@ -321,7 +343,7 @@ function listTenants() {
     }
 
     const tenants = Object.keys(doc.services)
-        .filter(name => name.startsWith('pgs_') && name !== 'haproxy')
+        .filter(name => name.startsWith('pgs_') && name !== 'traefik')
         .map(name => {
             const service = doc.services[name];
             const db = service.environment?.POSTGRES_DB || 'N/A';
@@ -337,14 +359,15 @@ function listTenants() {
     }
 
     console.log('\nTenants:');
-    console.log('─'.repeat(75));
-    console.log(`  ${'ID'.padEnd(20)} ${'Database'.padEnd(20)} ${'Access'.padEnd(15)}`);
-    console.log('─'.repeat(75));
+    console.log('─'.repeat(90));
+    console.log(`  ${'ID'.padEnd(25)} ${'Host'.padEnd(45)} ${'Access'.padEnd(15)}`);
+    console.log('─'.repeat(90));
     tenants.forEach(t => {
         const accessStr = t.access ? '✓ enabled' : '✗ disabled';
-        console.log(`  ${t.tenantId.padEnd(20)} ${t.db.padEnd(20)} ${accessStr}`);
+        const host = `${t.tenantId}.pgs.us-central-1.sysnee.com`;
+        console.log(`  ${t.tenantId.padEnd(25)} ${host.padEnd(45)} ${accessStr}`);
     });
-    console.log('─'.repeat(75));
+    console.log('─'.repeat(90));
 }
 
 function enableTenantAccess(tenantId) {
@@ -355,11 +378,8 @@ function enableTenantAccess(tenantId) {
         throw new Error(`Tenant ${tenantId} not found`);
     }
 
-    // Update access control
     setTenantAccess(tenantId, true);
-
-    // Restart HAProxy
-    executeCommand('docker restart postgres_proxy');
+    generateTraefikDynamicConfig();
 
     console.log(`✓ External access enabled for tenant: ${tenantId}`);
 }
@@ -372,11 +392,8 @@ function disableTenantAccess(tenantId) {
         throw new Error(`Tenant ${tenantId} not found`);
     }
 
-    // Update access control
     setTenantAccess(tenantId, false);
-
-    // Restart HAProxy
-    executeCommand('docker restart postgres_proxy');
+    generateTraefikDynamicConfig();
 
     console.log(`✓ External access disabled for tenant: ${tenantId}`);
 }
@@ -403,10 +420,9 @@ function removeTenant(tenantId) {
 
     saveCompose(doc);
 
-    // Remove from tenant access and regenerate HAProxy config
     removeTenantAccess(tenantId);
-    generateHAProxyConfig();
-    updateHAProxyDependsOn();
+    generateTraefikDynamicConfig();
+    updateTraefikService();
 
     console.log(`✓ Removed tenant: ${tenantId}`);
     console.log(`  Run: docker compose down ${serviceName}`);
@@ -538,7 +554,6 @@ program
         checkSetupStatus()
         const service = tenantId ? `pgs_${tenantId}` : '';
         executeCommand(`docker compose stop ${service}`.trim());
-        executeCommand('docker restart postgres_proxy');
     });
 
 program
@@ -570,4 +585,3 @@ program
     });
 
 program.parse();
-

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sysnee/pgs",
-  "version": "0.1.7-rc.2",
+  "version": "0.1.7-rc.4",
   "description": "Dynamic PostgreSQL service instance manager",
   "type": "module",
   "bin": {

package/traefik.yml

@@ -0,0 +1,15 @@
+api:
+  dashboard: false
+
+log:
+  level: INFO
+
+entryPoints:
+  postgres:
+    address: ":5432"
+
+providers:
+  file:
+    filename: /etc/traefik/dynamic.yml
+    watch: true
+

package/haproxy-lua/pg-route.lua

@@ -1,177 +0,0 @@
--- PostgreSQL Protocol Parser for HAProxy
--- Routes connections based on username extracted from startup packet
--- Checks tenant-access.json for access control
-
--- Simple JSON parser for our limited use case (flat object with string keys and boolean values)
-local function parse_json(str)
-    local result = {}
-    -- Match patterns like "key": true or "key": false
-    for key, value in string.gmatch(str, '"([^"]+)":%s*(%w+)') do
-        if value == "true" then
-            result[key] = true
-        elseif value == "false" then
-            result[key] = false
-        end
-    end
-    return result
-end
-
--- Cache for tenant access configuration
-local tenant_access_cache = {}
-local cache_timestamp = 0
-local CACHE_TTL = 5 -- seconds
-
--- Load tenant access configuration
-local function load_tenant_access()
-    local now = core.now().sec
-    if now - cache_timestamp < CACHE_TTL then
-        return tenant_access_cache
-    end
-    
-    local file = io.open("/etc/haproxy/tenant-access.json", "r")
-    if not file then
-        core.Warning("tenant-access.json not found, denying all connections")
-        tenant_access_cache = {}
-        cache_timestamp = now
-        return tenant_access_cache
-    end
-    
-    local content = file:read("*all")
-    file:close()
-    
-    local data = parse_json(content)
-    tenant_access_cache = data or {}
-    cache_timestamp = now
-    
-    return tenant_access_cache
-end
-
--- Parse PostgreSQL startup packet to extract username
--- PostgreSQL startup packet format:
--- [4 bytes: length] [4 bytes: protocol version] [key=value pairs\0]
-local function parse_startup_packet(data)
-    if #data < 8 then
-        return nil
-    end
-    
-    -- Read packet length (big-endian)
-    local len = (string.byte(data, 1) * 16777216) +
-                (string.byte(data, 2) * 65536) +
-                (string.byte(data, 3) * 256) +
-                string.byte(data, 4)
-    
-    if #data < len then
-        return nil
-    end
-    
-    -- Read protocol version
-    local major = (string.byte(data, 5) * 256) + string.byte(data, 6)
-    local minor = (string.byte(data, 7) * 256) + string.byte(data, 8)
-    
-    -- Check for SSL request (protocol 1234.5679)
-    if major == 1234 and minor == 5679 then
-        return { ssl_request = true }
-    end
-    
-    -- Check for cancel request (protocol 1234.5678)
-    if major == 1234 and minor == 5678 then
-        return { cancel_request = true }
-    end
-    
-    -- Normal startup message (protocol 3.0)
-    if major ~= 3 then
-        return nil
-    end
-    
-    -- Parse key-value pairs starting at byte 9
-    local params = {}
-    local pos = 9
-    
-    while pos < len do
-        -- Read key
-        local key_start = pos
-        while pos <= len and string.byte(data, pos) ~= 0 do
-            pos = pos + 1
-        end
-        
-        if pos > len then break end
-        
-        local key = string.sub(data, key_start, pos - 1)
-        pos = pos + 1 -- skip null
-        
-        if key == "" then break end -- end of parameters
-        
-        -- Read value
-        local val_start = pos
-        while pos <= len and string.byte(data, pos) ~= 0 do
-            pos = pos + 1
-        end
-        
-        local value = string.sub(data, val_start, pos - 1)
-        pos = pos + 1 -- skip null
-        
-        params[key] = value
-    end
-    
-    return params
-end
-
--- Main routing function called by HAProxy
-function pg_route(txn)
-    -- Get data from the request buffer
-    local data = txn.req:data(0)
-    
-    if not data or #data == 0 then
-        -- No data yet, need to wait
-        return
-    end
-    
-    local params = parse_startup_packet(data)
-    
-    if not params then
-        core.Warning("Failed to parse PostgreSQL startup packet")
-        txn:set_var("txn.pg_blocked", true)
-        return
-    end
-    
-    -- Handle SSL request - route to default pool for SSL negotiation
-    -- PostgreSQL will respond 'N' (no SSL), then client retries without SSL
-    if params.ssl_request then
-        core.Info("SSL request received, routing to SSL negotiation pool")
-        -- Route to SSL pool backend which forwards to any available PostgreSQL
-        -- This allows SSL negotiation to complete
-        txn:set_var("txn.pg_backend", "pg_ssl_pool")
-        return
-    end
-    
-    -- Handle cancel request
-    if params.cancel_request then
-        txn:set_var("txn.pg_blocked", true)
-        return
-    end
-    
-    local username = params["user"]
-    if not username then
-        core.Warning("No username in PostgreSQL startup packet")
-        txn:set_var("txn.pg_blocked", true)
-        return
-    end
-    
-    -- Load tenant access configuration
-    local access = load_tenant_access()
-    
-    -- Check if tenant has external access enabled
-    if not access[username] then
-        core.Warning("Access denied: " .. username)
-        txn:set_var("txn.pg_blocked", true)
-        return
-    end
-    
-    -- Route to tenant's backend
-    local backend = "pgs_" .. username
-    core.Info("Routing user " .. username .. " to backend " .. backend)
-    txn:set_var("txn.pg_backend", backend)
-end
-
--- Register the action with HAProxy
-core.register_action("pg_route", { "tcp-req" }, pg_route, 0)

package/haproxy.cfg

@@ -1,35 +0,0 @@
-global
-    log stdout format raw local0 info
-    maxconn 4096
-    lua-load /etc/haproxy/lua/pg-route.lua
-
-defaults
-    log global
-    mode tcp
-    option tcplog
-    timeout connect 5s
-    timeout client 30s
-    timeout server 30s
-    retries 3
-
-frontend postgres_frontend
-    bind *:5432
-    mode tcp
-    
-    # Use Lua script to parse PostgreSQL startup packet and route by username
-    tcp-request inspect-delay 5s
-    tcp-request content lua.pg_route
-    tcp-request content reject if { var(txn.pg_blocked) -m bool }
-    
-    # Route to backend based on username extracted by Lua
-    use_backend %[var(txn.pg_backend)] if { var(txn.pg_backend) -m found }
-    
-    # Default backend for unknown connections
-    default_backend pg_reject
-
-backend pg_reject
-    mode tcp
-    timeout server 1s
-
-backend pg_ssl_pool
-    mode tcp