npm - @sysnee/pgs - Versions diffs - 0.1.7-rc.3 → 0.1.7-rc.4 - Mend

@sysnee/pgs 0.1.7-rc.3 → 0.1.7-rc.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/docker-compose.yml CHANGED Viewed

@@ -1,16 +1,19 @@
+version: "3.8"
 services:
-  haproxy:
-    image: haproxy:latest
+  traefik:
+    image: traefik:v3.0
     container_name: postgres_proxy
     ports:
-      - '5432:5432'
+      - "5432:5432"
     volumes:
-      - ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
-      - ./haproxy-lua:/etc/haproxy/lua:ro
-      - ./tenant-access.json:/etc/haproxy/tenant-access.json:ro
+      - ./traefik.yml:/etc/traefik/traefik.yml:ro
+      - ./dynamic.yml:/etc/traefik/dynamic.yml:ro
+      - ./certs:/etc/traefik/certs:ro
     networks:
       - postgres_network
     restart: unless-stopped
 networks:
   postgres_network:
     driver: bridge

package/manager.js CHANGED Viewed

@@ -19,9 +19,9 @@ const CONFIG_DIR = path.join(os.homedir(), '.sysnee-config');
 const COMPOSE_FILE_PATH = path.join(CONFIG_DIR, 'docker-compose.yml');
 const INIT_DIR_PATH = path.join(CONFIG_DIR, 'init');
-const LUA_DIR_PATH = path.join(CONFIG_DIR, 'haproxy-lua');
 const CERTS_DIR_PATH = path.join(CONFIG_DIR, 'certs');
-const HAPROXY_CFG_PATH = path.join(CONFIG_DIR, 'haproxy.cfg');
+const TRAEFIK_STATIC_PATH = path.join(CONFIG_DIR, 'traefik.yml');
+const TRAEFIK_DYNAMIC_PATH = path.join(CONFIG_DIR, 'dynamic.yml');
 const TENANT_ACCESS_FILE_PATH = path.join(CONFIG_DIR, 'tenant-access.json');
 const SETUP_STATUS_PATH = path.join(CONFIG_DIR, 'status.txt');
@@ -60,68 +60,93 @@ function removeTenantAccess(tenantId) {
     saveTenantAccess(access);
 }
-// ==================== HAProxy Configuration ====================
+// ==================== Traefik Configuration ====================
-function generateHAProxyConfig() {
-    console.debug('In generateHAProxy function')
+function generateTraefikDynamicConfig() {
+    console.debug('Generating Traefik dynamic config')
     const doc = loadCompose();
+    const access = loadTenantAccess();
     const tenants = Object.keys(doc.services || {})
-        .filter(name => name.startsWith('pgs_') && name !== 'haproxy');
+        .filter(name => name.startsWith('pgs_') && name !== 'traefik');
     console.debug(`tenants.length: ${tenants.length}`)
-    const templateFilePath = path.join(__dirname, 'haproxy.cfg')
-    console.debug(`haproxy template file path: ${templateFilePath}`)
-    let config = readFileSync(templateFilePath, 'utf8');
-    console.debug(`haproxy template file loaded`)
+    const dynamicConfig = {
+        tcp: {
+            routers: {},
+            services: {}
+        },
+        tls: {
+            certificates: [
+                {
+                    certFile: '/etc/traefik/certs/fullchain.pem',
+                    keyFile: '/etc/traefik/certs/privkey.pem'
+                }
+            ]
+        }
+    };
-    // Generate backend for each tenant (routing by SNI hostname)
     for (const serviceName of tenants) {
-        config += `backend ${serviceName}
-    mode tcp
-    server pg1 ${serviceName}:5432 check
+        const tenantId = serviceName.replace('pgs_', '');
+        if (access[tenantId] !== true) {
+            console.debug(`Skipping disabled tenant: ${tenantId}`);
+            continue;
+        }
+        const routerName = `router_${tenantId}`.replace(/-/g, '_');
+        const svcName = `svc_${tenantId}`.replace(/-/g, '_');
+        dynamicConfig.tcp.routers[routerName] = {
+            entryPoints: ['postgres'],
+            rule: `HostSNI(\`${tenantId}.pgs.us-central-1.sysnee.com\`)`,
+            service: svcName,
+            tls: {}
+        };
-`;
+        dynamicConfig.tcp.services[svcName] = {
+            loadBalancer: {
+                servers: [
+                    { address: `${serviceName}:5432` }
+                ]
+            }
+        };
     }
-    console.log(`Preparing to save haproxy file in ${HAPROXY_CFG_PATH}`)
-    writeFileSync(HAPROXY_CFG_PATH, config);
-    console.log(`Succesfully saved haproxy file in ${HAPROXY_CFG_PATH}`)
+    const yamlContent = yaml.dump(dynamicConfig, { indent: 2, lineWidth: -1, quotingType: '"' });
+    console.log(`Saving Traefik dynamic config to ${TRAEFIK_DYNAMIC_PATH}`)
+    writeFileSync(TRAEFIK_DYNAMIC_PATH, yamlContent);
+    console.log('Traefik dynamic config saved successfully')
 }
-function updateHAProxyDependsOn() {
+function updateTraefikService() {
     const doc = loadCompose();
     const tenants = Object.keys(doc.services || {})
-        .filter(name => name.startsWith('pgs_') && name !== 'haproxy');
+        .filter(name => name.startsWith('pgs_') && name !== 'traefik');
-    // Always set HAProxy service with current config
-    doc.services.haproxy = {
-        image: 'haproxy:latest',
+    doc.services.traefik = {
+        image: 'traefik:v3.0',
         container_name: 'postgres_proxy',
         ports: ['5432:5432'],
         volumes: [
-            `${HAPROXY_CFG_PATH}:/usr/local/etc/haproxy/haproxy.cfg:ro`,
-            `${LUA_DIR_PATH}:/etc/haproxy/lua:ro`,
-            `${TENANT_ACCESS_FILE_PATH}:/etc/haproxy/tenant-access.json:ro`,
-            `${CERTS_DIR_PATH}:/etc/haproxy/certs:ro`
+            `${TRAEFIK_STATIC_PATH}:/etc/traefik/traefik.yml:ro`,
+            `${TRAEFIK_DYNAMIC_PATH}:/etc/traefik/dynamic.yml:ro`,
+            `${CERTS_DIR_PATH}:/etc/traefik/certs:ro`
         ],
         networks: ['postgres_network'],
         restart: 'unless-stopped'
     };
-    // Update depends_on
     if (tenants.length > 0) {
-        doc.services.haproxy.depends_on = tenants;
-    } else {
-        delete doc.services.haproxy.depends_on;
+        doc.services.traefik.depends_on = tenants;
     }
     saveCompose(doc);
-    // Restart HAProxy
-    executeCommand('docker restart postgres_proxy');
+    executeCommand('docker compose up -d --force-recreate traefik');
 }
 function createInitScript({ tenantId, password, databaseName }) {
@@ -211,28 +236,33 @@ function createInitialFiles() {
         writeFileSync(TENANT_ACCESS_FILE_PATH, '{}');
     }
-    // haproxy.cfg
-    if (!existsSync(HAPROXY_CFG_PATH)) {
-        const haproxyTemplate = readFileSync(path.join(__dirname, 'haproxy.cfg'), 'utf8');
-        writeFileSync(HAPROXY_CFG_PATH, haproxyTemplate);
+    // Traefik static config
+    if (!existsSync(TRAEFIK_STATIC_PATH)) {
+        const traefikTemplate = readFileSync(path.join(__dirname, 'traefik.yml'), 'utf8');
+        writeFileSync(TRAEFIK_STATIC_PATH, traefikTemplate);
     }
-    // Lua
-    if (!existsSync(LUA_DIR_PATH)) {
-        mkdirSync(LUA_DIR_PATH, { recursive: true });
-    }
-    const luaSourceFile = path.join(__dirname, 'haproxy-lua', 'pg-route.lua');
-    const luaDestFile = path.join(LUA_DIR_PATH, 'pg-route.lua');
-    if (!existsSync(luaDestFile)) {
-        const luaContent = readFileSync(luaSourceFile, 'utf8');
-        writeFileSync(luaDestFile, luaContent);
+    // Traefik dynamic config (empty initially)
+    if (!existsSync(TRAEFIK_DYNAMIC_PATH)) {
+        const emptyDynamic = yaml.dump({
+            tcp: { routers: {}, services: {} },
+            tls: {
+                certificates: [{
+                    certFile: '/etc/traefik/certs/fullchain.pem',
+                    keyFile: '/etc/traefik/certs/privkey.pem'
+                }]
+            }
+        }, { indent: 2 });
+        writeFileSync(TRAEFIK_DYNAMIC_PATH, emptyDynamic);
     }
     // Certs directory
     if (!existsSync(CERTS_DIR_PATH)) {
         mkdirSync(CERTS_DIR_PATH, { recursive: true });
         console.log(`Created certs directory at ${CERTS_DIR_PATH}`);
-        console.log('Place your wildcard.pem certificate file there (combined cert + key)');
+        console.log('Place your SSL certificate files there:');
+        console.log('  - fullchain.pem (certificate chain)');
+        console.log('  - privkey.pem (private key)');
     }
 }
@@ -281,21 +311,23 @@ function createTenant(tenantId, options = {}) {
     saveCompose(doc);
-    // Add tenant to access control (disabled by default for security)
+    // Add tenant to access control
     setTenantAccess(tenantId, true);
-    // Regenerate HAProxy config and update depends_on
-    generateHAProxyConfig();
-    updateHAProxyDependsOn();
+    // Regenerate Traefik config and update service
+    generateTraefikDynamicConfig();
+    updateTraefikService();
     // start the tenant
     executeCommand(`docker compose up -d ${serviceName}`.trim());
     console.log(`✓ Created tenant: ${tenantId}`);
     console.log(`  Service: ${serviceName}`);
+    console.log(`  Host: ${tenantId}.pgs.us-central-1.sysnee.com`);
     console.log(`  Port: 5432`);
     console.log(`  Database: ${tenantId}`);
     console.log(`  Password: ${password}`);
+    console.log(`  SSL: required`);
     console.log(`  Access: enabled (use 'disable-access ${tenantId}' to disable)`);
     return { tenantId, serviceName };
@@ -311,7 +343,7 @@ function listTenants() {
     }
     const tenants = Object.keys(doc.services)
-        .filter(name => name.startsWith('pgs_') && name !== 'haproxy')
+        .filter(name => name.startsWith('pgs_') && name !== 'traefik')
         .map(name => {
             const service = doc.services[name];
             const db = service.environment?.POSTGRES_DB || 'N/A';
@@ -327,14 +359,15 @@ function listTenants() {
     }
     console.log('\nTenants:');
-    console.log('─'.repeat(75));
-    console.log(`  ${'ID'.padEnd(20)} ${'Database'.padEnd(20)} ${'Access'.padEnd(15)}`);
-    console.log('─'.repeat(75));
+    console.log('─'.repeat(90));
+    console.log(`  ${'ID'.padEnd(25)} ${'Host'.padEnd(45)} ${'Access'.padEnd(15)}`);
+    console.log('─'.repeat(90));
     tenants.forEach(t => {
         const accessStr = t.access ? '✓ enabled' : '✗ disabled';
-        console.log(`  ${t.tenantId.padEnd(20)} ${t.db.padEnd(20)} ${accessStr}`);
+        const host = `${t.tenantId}.pgs.us-central-1.sysnee.com`;
+        console.log(`  ${t.tenantId.padEnd(25)} ${host.padEnd(45)} ${accessStr}`);
     });
-    console.log('─'.repeat(75));
+    console.log('─'.repeat(90));
 }
 function enableTenantAccess(tenantId) {
@@ -345,11 +378,8 @@ function enableTenantAccess(tenantId) {
         throw new Error(`Tenant ${tenantId} not found`);
     }
-    // Update access control
     setTenantAccess(tenantId, true);
-    // Restart HAProxy
-    executeCommand('docker restart postgres_proxy');
+    generateTraefikDynamicConfig();
     console.log(`✓ External access enabled for tenant: ${tenantId}`);
 }
@@ -362,11 +392,8 @@ function disableTenantAccess(tenantId) {
         throw new Error(`Tenant ${tenantId} not found`);
     }
-    // Update access control
     setTenantAccess(tenantId, false);
-    // Restart HAProxy
-    executeCommand('docker restart postgres_proxy');
+    generateTraefikDynamicConfig();
     console.log(`✓ External access disabled for tenant: ${tenantId}`);
 }
@@ -393,10 +420,9 @@ function removeTenant(tenantId) {
     saveCompose(doc);
-    // Remove from tenant access and regenerate HAProxy config
     removeTenantAccess(tenantId);
-    generateHAProxyConfig();
-    updateHAProxyDependsOn();
+    generateTraefikDynamicConfig();
+    updateTraefikService();
     console.log(`✓ Removed tenant: ${tenantId}`);
     console.log(`  Run: docker compose down ${serviceName}`);
@@ -528,7 +554,6 @@ program
         checkSetupStatus()
         const service = tenantId ? `pgs_${tenantId}` : '';
         executeCommand(`docker compose stop ${service}`.trim());
-        executeCommand('docker restart postgres_proxy');
     });
 program
@@ -560,4 +585,3 @@ program
     });
 program.parse();

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@sysnee/pgs",
-  "version": "0.1.7-rc.3",
+  "version": "0.1.7-rc.4",
   "description": "Dynamic PostgreSQL service instance manager",
   "type": "module",
   "bin": {

package/traefik.yml ADDED Viewed

@@ -0,0 +1,15 @@
+api:
+  dashboard: false
+log:
+  level: INFO
+entryPoints:
+  postgres:
+    address: ":5432"
+providers:
+  file:
+    filename: /etc/traefik/dynamic.yml
+    watch: true

package/haproxy-lua/pg-route.lua DELETED Viewed

@@ -1,81 +0,0 @@
--- PostgreSQL Protocol Router for HAProxy
--- Routes connections based on SNI hostname
--- Format: tenant_id.pgs.cloud.sysnee.com
-local function parse_json(str)
-    local result = {}
-    for key, value in string.gmatch(str, '"([^"]+)":%s*(%w+)') do
-        if value == "true" then
-            result[key] = true
-        elseif value == "false" then
-            result[key] = false
-        end
-    end
-    return result
-end
-local tenant_access_cache = {}
-local cache_timestamp = 0
-local CACHE_TTL = 5
-local function load_tenant_access()
-    local now = core.now().sec
-    if now - cache_timestamp < CACHE_TTL then
-        return tenant_access_cache
-    end
-    local file = io.open("/etc/haproxy/tenant-access.json", "r")
-    if not file then
-        core.Warning("tenant-access.json not found, denying all connections")
-        tenant_access_cache = {}
-        cache_timestamp = now
-        return tenant_access_cache
-    end
-    local content = file:read("*all")
-    file:close()
-    tenant_access_cache = parse_json(content) or {}
-    cache_timestamp = now
-    return tenant_access_cache
-end
--- Extract tenant_id from hostname
--- Supports: tenant_id.pgs.cloud.sysnee.com or tenant_id.any.domain.com
-local function extract_tenant_from_sni(hostname)
-    if not hostname then return nil end
-    local tenant = string.match(hostname, "^([^.]+)%.")
-    return tenant
-end
-function pg_route_by_sni(txn)
-    local sni = txn.f:ssl_fc_sni()
-    if not sni or sni == "" then
-        core.Warning("No SNI hostname provided")
-        txn:set_var("txn.pg_blocked", true)
-        return
-    end
-    local tenant_id = extract_tenant_from_sni(sni)
-    if not tenant_id then
-        core.Warning("Invalid hostname format: " .. sni)
-        txn:set_var("txn.pg_blocked", true)
-        return
-    end
-    local access = load_tenant_access()
-    if not access[tenant_id] then
-        core.Warning("Access denied for tenant: " .. tenant_id)
-        txn:set_var("txn.pg_blocked", true)
-        return
-    end
-    local backend = "pgs_" .. tenant_id
-    core.Info("Routing SNI " .. sni .. " to backend " .. backend)
-    txn:set_var("txn.pg_backend", backend)
-end
-core.register_action("pg_route_by_sni", { "tcp-req" }, pg_route_by_sni, 0)

package/haproxy.cfg DELETED Viewed

@@ -1,30 +0,0 @@
-global
-    log stdout format raw local0 info
-    maxconn 4096
-    lua-load /etc/haproxy/lua/pg-route.lua
-defaults
-    log global
-    mode tcp
-    option tcplog
-    timeout connect 5s
-    timeout client 30s
-    timeout server 30s
-    retries 3
-frontend postgres_frontend
-    bind *:5432 ssl crt /etc/haproxy/certs/wildcard.pem
-    mode tcp
-    # Extract tenant from SNI hostname
-    tcp-request inspect-delay 5s
-    tcp-request content lua.pg_route_by_sni
-    tcp-request content reject if { var(txn.pg_blocked) -m bool }
-    use_backend %[var(txn.pg_backend)] if { var(txn.pg_backend) -m found }
-    default_backend pg_reject
-backend pg_reject
-    mode tcp
-    timeout server 1s