npm - @sysnee/pgs - Versions diffs - 0.1.7-rc.5 → 0.1.7-rc.7 - Mend

@sysnee/pgs 0.1.7-rc.5 → 0.1.7-rc.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md +155 -188
package/docs/ARCHITECTURE_RECOMMENDATIONS.md +11 -9
package/docs/CRITICAL_REVIEW.md +10 -8
package/docs/EXECUTIVE_SUMMARY.md +9 -9
package/docs/PROJECT.md +130 -77
package/manager.js +79 -23
package/package.json +2 -2

package/README.md CHANGED Viewed

@@ -1,151 +1,164 @@
 # PostgreSQL Multi-Tenant Instance Manager
-Dynamic PostgreSQL multi-tenant management system providing complete database isolation by creating dedicated PostgreSQL instances per tenant, with intelligent routing via HAProxy.
+Dynamic PostgreSQL multi-tenant management system providing complete database isolation by creating dedicated PostgreSQL instances per tenant, with intelligent SNI-based routing via Traefik v3.
-> 📖 **For detailed project definition, architecture, and comparison with similar solutions, see [PROJECT.md](./PROJECT.md)**
+> 📖 **For detailed project definition, architecture, and comparison with similar solutions, see [docs/PROJECT.md](./docs/PROJECT.md)**
+## Quick Start
+### Initial Setup
+```bash
+pgs setup
+```
+This creates the configuration directory at `~/.sysnee-config/` with:
+- `docker-compose.yml` - Container orchestration
+- `traefik.yml` - Traefik static configuration
+- `dynamic.yml` - Traefik dynamic routing configuration
+- `tenant-access.json` - Access control
+- `certs/` - SSL certificates directory
+### SSL Certificate Setup
+Place your wildcard SSL certificate in the certs directory:
+```bash
+# Using Let's Encrypt
+sudo cp /etc/letsencrypt/live/pgs.YOUR-DOMAIN.com/fullchain.pem ~/.sysnee-config/certs/
+sudo cp /etc/letsencrypt/live/pgs.YOUR-DOMAIN.com/privkey.pem ~/.sysnee-config/certs/
+sudo chown $USER:$USER ~/.sysnee-config/certs/*
+```
+### DNS Configuration
+Add a wildcard DNS record pointing to your server:
+```
+*.pgs.YOUR-DOMAIN.com → YOUR_SERVER_IP
+```
 ## Usage
 ### Create a new tenant instance
 ```bash
-npm run create <tenant-id> [--password <password>]
+pgs create <tenant-id> [--password <password>]
 ```
 Example:
 ```bash
-npm run create tenant1
-npm run create tenant2 --password mycustompass
+pgs create tenant1
+pgs create tenant2 --password mycustompass
 ```
-New tenants are created with external access **disabled** by default.
+New tenants are created with external access **enabled** by default.
 ### List all tenants
 ```bash
-npm run list
+pgs list
 ```
-Shows all tenants with their external access status.
+Shows all tenants with their hostnames and external access status.
 ### Remove a tenant
 ```bash
-npm run remove <tenant-id>
+pgs remove <tenant-id>
 ```
 ### Start services
 ```bash
-npm run start                      # Start all services (including HAProxy)
-npm run start -- --tenant tenant1  # Start specific tenant
+pgs start                 # Start all services (including Traefik)
+pgs start <tenant-id>     # Start specific tenant
 ```
 ### Stop services
 ```bash
-npm run stop                       # Stop all services
-npm run stop -- --tenant tenant1   # Stop specific tenant
+pgs stop                  # Stop all services
+pgs stop <tenant-id>      # Stop specific tenant
+```
+### Access Control
+```bash
+pgs enable-access <tenant-id>   # Enable external access
+pgs disable-access <tenant-id>  # Disable external access
 ```
 ## How it works
-- HAProxy listens on port 5432 and routes connections based on the PostgreSQL username
-- Each tenant connects using their tenant ID as the username (e.g., `tecnolab`)
+- **Traefik v3** listens on port 5432 with TLS/SSL enabled
+- Routes connections based on **SNI (Server Name Indication)** hostname
+- Each tenant connects using their unique hostname (e.g., `tenant1-abc123.pgs.domain.com`)
 - External access is controlled via `tenant-access.json`
 - Tenants are isolated in their own PostgreSQL containers on a Docker bridge network
-- Only HAProxy has external port mapping; PostgreSQL containers are internal only
+- Only Traefik has external port mapping; PostgreSQL containers are internal only
 ## Connection
-After creating a tenant and enabling external access:
+After creating a tenant:
 ```bash
-psql -h localhost -p 5432 -U <tenant-id> -d <tenant-id>
-```
-## Project Definition
-### What It Is
-A **dynamic PostgreSQL multi-tenant management system** that provides complete database isolation by creating dedicated PostgreSQL instances per tenant. The system uses HAProxy with custom PostgreSQL protocol parsing to route connections intelligently while maintaining complete tenant isolation at the database server level.
-### Core Concept
+# Using psql
+psql "postgresql://postgres:PASSWORD@TENANT-ID.pgs.YOUR-DOMAIN.com:5432/DATABASE?sslmode=require"
-Instead of sharing a single PostgreSQL instance with multiple databases (shared database architecture), this system creates **one PostgreSQL container per tenant**, ensuring:
-- **Complete Data Isolation**: Each tenant has its own PostgreSQL process and data directory
-- **Independent Scaling**: Resources can be allocated per tenant
-- **Enhanced Security**: No risk of cross-tenant data access
-- **Simplified Operations**: Each tenant can be managed independently
-### Key Features
-1. **Dynamic Tenant Provisioning**
-   - Create new PostgreSQL instances on-demand
-   - Automatic volume and network configuration
-   - Custom initialization scripts per tenant
-2. **Intelligent Routing**
-   - HAProxy parses PostgreSQL protocol to extract username
-   - Routes connections to correct tenant backend automatically
-   - Single external port (5432) for all tenants
-3. **Access Control**
-   - Per-tenant external access enable/disable
-   - Secure by default (access disabled on creation)
-   - Runtime access control without service restart
+# Example
+psql "postgresql://postgres:mypass@tenant1-abc123.pgs.us-central-1.sysnee.com:5432/tenant1-abc123?sslmode=require"
+```
-4. **Complete Isolation**
-   - Separate Docker containers per tenant
-   - Isolated volumes for data persistence
-   - Network isolation via Docker bridge network
-   - No shared processes or memory
+### DBeaver / GUI Clients
-5. **Zero-Downtime Operations**
-   - Graceful HAProxy reloads
-   - Independent tenant management
-   - No impact on other tenants during operations
+1. **Host**: `tenant-id.pgs.your-domain.com`
+2. **Port**: `5432`
+3. **Database**: `tenant-id`
+4. **Username**: `postgres`
+5. **Password**: (your password)
+6. **SSL**: Enable SSL, set mode to `require`
 ## Architecture
 ```
-┌─────────────────────────────────────────────────────────┐
-│                    External Access                       │
-│                  (localhost:5432)                        │
-└──────────────────────┬──────────────────────────────────┘
-                       │
-                       ▼
-┌─────────────────────────────────────────────────────────┐
-│                    HAProxy Proxy                         │
-│  ┌──────────────────────────────────────────────────┐   │
-│  │  Frontend: postgres_frontend                     │   │
-│  │  - Listens on port 5432                          │   │
-│  │  - Parses PostgreSQL protocol (Lua script)       │   │
-│  │  - Extracts username from startup packet         │   │
-│  │  - Checks tenant-access.json for permissions     │   │
-│  └──────────────────────────────────────────────────┘   │
-└──────────────────────┬──────────────────────────────────┘
-                       │
-        ┌──────────────┼──────────────┐
-        │              │              │
-        ▼              ▼              ▼
-┌──────────────┐ ┌──────────────┐ ┌──────────────┐
-│  Backend     │ │  Backend     │ │  Backend     │
-│ pgs_tenant1  │ │ pgs_tenant2  │ │ pgs_tenant3  │
-└──────┬───────┘ └──────┬───────┘ └──────┬───────┘
-       │                │                │
-       ▼                ▼                ▼
-┌──────────────┐ ┌──────────────┐ ┌──────────────┐
-│ PostgreSQL   │ │ PostgreSQL   │ │ PostgreSQL   │
-│ Container 1  │ │ Container 2  │ │ Container 3  │
-│              │ │              │ │              │
-│ Port: 5432   │ │ Port: 5432   │ │ Port: 5432   │
-│ (internal)   │ │ (internal)   │ │ (internal)   │
-│              │ │              │ │              │
-│ Volume:      │ │ Volume:      │ │ Volume:      │
-│ pgdata_1     │ │ pgdata_2     │ │ pgdata_3     │
-└──────────────┘ └──────────────┘ └──────────────┘
+┌─────────────────────────────────────────────────────────────────┐
+│                       External Access                            │
+│           (tenant-id.pgs.domain.com:5432 + TLS/SNI)             │
+└───────────────────────────┬─────────────────────────────────────┘
+                            │
+                            ▼
+┌─────────────────────────────────────────────────────────────────┐
+│                      Traefik v3 Proxy                            │
+│  ┌───────────────────────────────────────────────────────────┐  │
+│  │  EntryPoint: postgres (port 5432)                         │  │
+│  │  - TLS termination with wildcard certificate              │  │
+│  │  - PostgreSQL STARTTLS protocol support                   │  │
+│  │  - SNI-based routing (HostSNI rule)                       │  │
+│  │  - Dynamic configuration via dynamic.yml                  │  │
+│  └───────────────────────────────────────────────────────────┘  │
+└───────────────────────────┬─────────────────────────────────────┘
+                            │
+         ┌──────────────────┼──────────────────┐
+         │                  │                  │
+         ▼                  ▼                  ▼
+┌──────────────┐   ┌──────────────┐   ┌──────────────┐
+│  TCP Router  │   │  TCP Router  │   │  TCP Router  │
+│  tenant1     │   │  tenant2     │   │  tenant3     │
+│  HostSNI()   │   │  HostSNI()   │   │  HostSNI()   │
+└──────┬───────┘   └──────┬───────┘   └──────┬───────┘
+       │                  │                  │
+       ▼                  ▼                  ▼
+┌──────────────┐   ┌──────────────┐   ┌──────────────┐
+│ PostgreSQL   │   │ PostgreSQL   │   │ PostgreSQL   │
+│ Container 1  │   │ Container 2  │   │ Container 3  │
+│              │   │              │   │              │
+│ Port: 5432   │   │ Port: 5432   │   │ Port: 5432   │
+│ (internal)   │   │ (internal)   │   │ (internal)   │
+│              │   │              │   │              │
+│ Volume:      │   │ Volume:      │   │ Volume:      │
+│ pgdata_1     │   │ pgdata_2     │   │ pgdata_3     │
+└──────────────┘   └──────────────┘   └──────────────┘
 ```
 ## Technical Implementation
@@ -155,22 +168,16 @@ Instead of sharing a single PostgreSQL instance with multiple databases (shared
 1. **Manager Script (manager.js)**
    - Node.js CLI tool for tenant lifecycle management
    - Dynamically generates docker-compose.yml entries
-   - Manages HAProxy configuration
+   - Manages Traefik dynamic configuration
    - Controls tenant access permissions
-2. **HAProxy Reverse Proxy**
-   - TCP-level load balancer and router
-   - Custom Lua script for PostgreSQL protocol parsing
-   - Routes based on extracted username
-   - Per-tenant access control
-3. **PostgreSQL Protocol Parser (pg-route.lua)**
-   - Parses binary PostgreSQL startup packet
-   - Extracts username and connection parameters
-   - Handles SSL negotiation
-   - Enforces access control policies
+2. **Traefik v3 Reverse Proxy**
+   - TCP-level routing with TLS termination
+   - Native PostgreSQL STARTTLS protocol support
+   - SNI-based tenant routing
+   - Dynamic configuration without restarts
-4. **Docker Infrastructure**
+3. **Docker Infrastructure**
    - Separate container per tenant
    - Bridge network for internal communication
    - Persistent volumes for data
@@ -178,13 +185,22 @@ Instead of sharing a single PostgreSQL instance with multiple databases (shared
 ### Connection Flow
-1. Client connects to `localhost:5432` with username `tenant_id`
-2. HAProxy receives connection and invokes Lua script
-3. Script parses PostgreSQL startup packet and extracts username
-4. Script checks `tenant-access.json` for permission
-5. If allowed, routes to backend `pgs_{tenant_id}`
-6. Backend forwards to PostgreSQL container on internal network
-7. Connection established with complete isolation
+1. Client connects to `tenant-id.pgs.domain.com:5432` with `sslmode=require`
+2. Traefik receives connection and initiates PostgreSQL STARTTLS handshake
+3. Client sends TLS ClientHello with SNI (hostname)
+4. Traefik extracts SNI and matches against configured routers
+5. If tenant has access enabled, routes to backend `pgs_{tenant_id}:5432`
+6. Connection established with complete isolation
+### Why Traefik v3?
+PostgreSQL uses a non-standard TLS negotiation (STARTTLS):
+1. Client sends PostgreSQL SSLRequest packet
+2. Server responds 'S' (SSL supported)
+3. Client sends TLS ClientHello with SNI
+4. TLS handshake completes
+**Traefik v3** is one of the few proxies that natively understands this PostgreSQL-specific flow, allowing SNI-based routing for PostgreSQL connections.
 ## Comparison with Similar Solutions
@@ -195,65 +211,29 @@ Instead of sharing a single PostgreSQL instance with multiple databases (shared
 - Multiple databases/schemas per instance
 - Shared processes and memory
 - Risk of cross-tenant data access
-- Less isolation
 **This Solution:**
 - Multiple PostgreSQL instances
 - One instance per tenant
 - Complete process isolation
 - Zero risk of cross-tenant access
-- Maximum isolation
 ### Similar Open Source Solutions
-#### 1. **PgBouncer**
-- **Purpose**: Connection pooling, not tenant isolation
-- **Difference**: Pools connections to single instance; this creates separate instances
-- **Use Case**: Different - PgBouncer optimizes connections; this isolates tenants
-#### 2. **Citus**
-- **Purpose**: PostgreSQL extension for distributed PostgreSQL
-- **Difference**: Shards data across nodes; this creates separate instances per tenant
-- **Use Case**: Horizontal scaling vs. tenant isolation
-#### 3. **Patroni + HAProxy**
-- **Purpose**: High availability and load balancing
-- **Difference**: Replicates single database; this creates isolated instances
-- **Use Case**: HA for single database vs. multi-tenant isolation
-#### 4. **Schema-based Multi-tenancy**
-- **Purpose**: Share database, separate schemas
-- **Difference**: Shared instance; this uses separate instances
-- **Use Case**: Resource efficiency vs. complete isolation
+| Solution | Purpose | Difference |
+|----------|---------|------------|
+| **PgBouncer** | Connection pooling | Pools to single instance; this creates separate instances |
+| **Citus** | Distributed PostgreSQL | Shards data; this isolates tenants completely |
+| **Patroni** | High availability | Replicates single DB; this creates isolated instances |
+| **RLS** | Row-level security | Logic-based separation; this uses infrastructure isolation |
-#### 5. **Row-level Security (RLS)**
-- **Purpose**: Application-level tenant isolation
-- **Difference**: Logic-based separation; this uses infrastructure isolation
-- **Use Case**: Application isolation vs. infrastructure isolation
+### Unique Aspects
-### Unique Aspects of This Solution
-1. **Instance-per-tenant at infrastructure level**
-   - Not just database or schema separation
-   - Complete process and memory isolation
-2. **Dynamic provisioning with single external port**
-   - No need for port management
-   - Automatic routing based on connection parameters
-3. **Protocol-aware routing**
-   - Parses PostgreSQL binary protocol
-   - Routes before connection completion
-   - Handles SSL negotiation
-4. **Runtime access control**
-   - Enable/disable tenant access without restart
-   - No downtime for access changes
-5. **Docker-native architecture**
-   - Leverages container isolation
-   - Simple deployment and scaling
-   - Resource limits per tenant
+1. **Instance-per-tenant** - Complete process and memory isolation
+2. **SNI-based routing** - Single port, automatic hostname-based routing
+3. **TLS by default** - Secure connections required
+4. **Dynamic provisioning** - Create tenants on-demand via CLI
+5. **Docker-native** - Simple deployment and resource limits per tenant
 ## Use Cases
@@ -263,52 +243,39 @@ Instead of sharing a single PostgreSQL instance with multiple databases (shared
 - **Healthcare/Finance** applications with compliance requirements
 - **Multi-tenant platforms** needing independent scaling
 - **Development/Testing** environments with isolated databases
-- **Legacy application migration** requiring tenant separation
 ### Not Ideal For
 - Thousands of tenants (resource overhead)
-- Shared resource requirements
 - Simple multi-tenant applications without strict isolation needs
 - Environments requiring minimal resource usage
-## Advantages
-✅ **Maximum Isolation**: Complete process and data separation
-✅ **Security**: Zero risk of cross-tenant data access
-✅ **Flexibility**: Independent scaling and management per tenant
-✅ **Simplicity**: Single external port, automatic routing
-✅ **Compliance**: Easier to meet regulatory requirements
-✅ **Debugging**: Isolated environments simplify troubleshooting
-## Trade-offs
-⚠️ **Resource Usage**: Higher memory/CPU per tenant
-⚠️ **Management Overhead**: More containers to manage
-⚠️ **Scaling Limits**: Practical limit on number of tenants per host
-⚠️ **Backup Complexity**: Need to backup multiple instances
 ## Technology Stack
 - **Runtime**: Node.js (ES Modules)
 - **Container Orchestration**: Docker Compose
-- **Reverse Proxy**: HAProxy with Lua scripting
+- **Reverse Proxy**: Traefik v3 (PostgreSQL STARTTLS + SNI routing)
 - **Database**: PostgreSQL 18+
-- **Protocol Parsing**: Custom Lua script
-- **Configuration**: YAML (docker-compose.yml), JSON (tenant-access.json)
+- **TLS**: Wildcard SSL certificate
+- **Configuration**: YAML (docker-compose.yml, traefik.yml, dynamic.yml), JSON (tenant-access.json)
+## Requirements
+- Docker & Docker Compose
+- Node.js 18+
+- Wildcard SSL certificate for your domain
+- Wildcard DNS record pointing to your server
 ## Future Enhancements
 - [ ] Health checks and automatic failover
 - [ ] Backup/restore automation per tenant
-- [ ] Resource limits (CPU/memory) per tenant
 - [ ] Monitoring and metrics collection
 - [ ] Tenant migration tools
 - [ ] Kubernetes support
 - [ ] Connection pooling per tenant
-- [ ] SSL/TLS termination
+- [ ] Web dashboard
 ## License & Status
-This is a custom solution built for specific multi-tenant requirements. It combines open-source tools (HAProxy, PostgreSQL, Docker) with custom routing logic to achieve instance-per-tenant isolation with intelligent connection routing.
+This is a custom solution built for specific multi-tenant requirements. It combines open-source tools (Traefik, PostgreSQL, Docker) with SNI-based routing to achieve instance-per-tenant isolation with intelligent connection routing.

package/docs/ARCHITECTURE_RECOMMENDATIONS.md CHANGED Viewed

@@ -8,9 +8,11 @@ Para transformar esta solução em um produto comercial viável (PaaS de Postgre
 2. **Alta Disponibilidade**: Sem replicação → Patroni/pg_auto_failover
 3. **Backup/Recovery**: Inexistente → pgBackRest + S3
 4. **Monitoramento**: Básico → Prometheus + Grafana
-5. **Segurança**: Melhorias necessárias → Vault + SSL/TLS
+5. **Segurança**: ✅ TLS/SNI implementado via Traefik v3 → Adicionar Vault para secrets
 6. **API**: CLI apenas → REST API completa
+> **Nota**: A solução atual usa Traefik v3 para roteamento SNI com suporte nativo ao protocolo PostgreSQL STARTTLS.
 ---
 ## Abordagem por Fase
@@ -32,8 +34,8 @@ Host 2 (Região A)
 ├── docker-compose-3.yml  # Tenants 101-150
 └── docker-compose-4.yml  # Tenants 151-200
-Load Balancer (HAProxy/Nginx)
-├── Roteia para host correto baseado em tenant_id hash
+Load Balancer (Traefik v3)
+├── Roteia para host correto baseado em SNI (hostname)
 └── Health checks de todos os hosts
 ```
@@ -141,12 +143,12 @@ pgs_tenant1_replica:
     PATRONI_ROLE: replica
 ```
-#### 2. HAProxy Redundante
+#### 2. Traefik Redundante
 ```
-HAProxy 1 ──┐
+Traefik 1 ──┐
             ├── Keepalived VIP (Virtual IP)
-HAProxy 2 ──┘
+Traefik 2 ──┘
 ```
 #### 3. Backup com pgBackRest
@@ -301,7 +303,7 @@ spec:
 ```yaml
 # docker-compose.yml com profiles e múltiplos arquivos
 services:
-  haproxy:
+  traefik:
     # ...
   pgs_tenant1:
@@ -340,7 +342,7 @@ API centralizada gerencia:
 ```
 Orquestração: Docker Compose (melhorado)
-Proxy: HAProxy
+Proxy: Traefik v3 (SNI routing + PostgreSQL STARTTLS)
 Backup: pg_dump + AWS S3
 Monitoring: Prometheus + Grafana
 Secrets: HashiCorp Vault (básico)
@@ -352,7 +354,7 @@ Database: PostgreSQL 18+
 ```
 Orquestração: Kubernetes
-Proxy: Nginx Ingress + HAProxy
+Proxy: Traefik IngressRoute (TCP + SNI) ou Nginx Ingress
 Backup: pgBackRest + S3/GCS
 Monitoring: Prometheus + Grafana + Alertmanager
 Secrets: HashiCorp Vault (completo)

package/docs/CRITICAL_REVIEW.md CHANGED Viewed

@@ -4,6 +4,8 @@
 Esta análise identifica os pontos críticos que precisam ser endereçados para transformar esta solução em um produto comercial viável.
+> **Nota**: A solução atual utiliza **Traefik v3** para roteamento baseado em SNI (Server Name Indication) com suporte nativo ao protocolo PostgreSQL STARTTLS. Isso permite roteamento por hostname com TLS obrigatório.
 ---
 ## 🔴 PROBLEMAS CRÍTICOS
@@ -118,8 +120,8 @@ Melhorias possíveis:
 - Sem backup automático em tempo real
 - RTO (Recovery Time Objective) alto
-**b) HAProxy como SPOF**
-- Se HAProxy cair, todos os tenants ficam inacessíveis
+**b) Traefik como SPOF**
+- Se Traefik cair, todos os tenants ficam inacessíveis
 - Sem redundância do proxy
 #### Soluções Necessárias:
@@ -137,12 +139,12 @@ Primary (writable) ──streaming──> Standby (read-only)
      ↓ failover                         ↑ promotion
 ```
-**2. HAProxy Redundância**
+**2. Traefik Redundância**
 ```
-- Múltiplas instâncias HAProxy
+- Múltiplas instâncias Traefik
 - Keepalived para VIP (Virtual IP)
-- Health checks entre HAProxy instances
-- Load balancing do HAProxy
+- Health checks entre Traefik instances
+- Load balancing do Traefik
 ```
 **3. Multi-Region (Futuro)**
@@ -296,7 +298,7 @@ Implementação:
 **2. SSL/TLS**
 ```
 - Certificados SSL para conexões
-- TLS entre HAProxy e PostgreSQL
+- TLS entre Traefik e PostgreSQL (interno)
 - Certificate management automático (Let's Encrypt)
 - TLS 1.2+ obrigatório
 ```
@@ -557,7 +559,7 @@ resource "managed_postgres_tenant" "example" {
 ```
 ✅ Alta Disponibilidade
    - Replicação PostgreSQL (Patroni)
-   - HAProxy redundante (Keepalived)
+   - Traefik redundante (Keepalived)
    - Auto-failover
 ✅ Backup Avançado

package/docs/EXECUTIVE_SUMMARY.md CHANGED Viewed

@@ -30,12 +30,12 @@
 **Problema**: Zero redundância
 - 1 container PostgreSQL = 1 ponto de falha
-- HAProxy sem redundância
+- Traefik sem redundância
 - Sem failover automático
 **Solução**:
 - Replicação PostgreSQL (Patroni/pg_auto_failover)
-- HAProxy redundante com Keepalived
+- Traefik redundante com Keepalived
 - Auto-failover configurado
 ### 3. Backup e Recovery - ESSENCIAL
@@ -60,14 +60,13 @@
 ### 5. Segurança
-**Problemas**:
-- Senhas em texto plano
-- Sem SSL/TLS
-- Sem secret management
+**Status Atual** ✅:
+- TLS/SSL implementado via Traefik v3
+- Roteamento SNI (hostname-based)
+- Certificado wildcard
-**Solução**:
+**Melhorias Necessárias**:
 - HashiCorp Vault para secrets
-- SSL/TLS obrigatório
 - Rotação automática de senhas
 - Network policies
@@ -103,7 +102,8 @@
 ✅ API REST
 ✅ Monitoring básico (Prometheus + Grafana)
 ✅ Secrets management básico
-✅ SSL/TLS
+✅ SSL/TLS via Traefik v3 (IMPLEMENTADO)
+✅ SNI-based routing (IMPLEMENTADO)
 ```
 **Custo estimado**: $5K-15K (infraestrutura + desenvolvimento)

package/docs/PROJECT.md CHANGED Viewed

@@ -4,7 +4,7 @@
 ### What It Is
-A **dynamic PostgreSQL multi-tenant management system** that provides complete database isolation by creating dedicated PostgreSQL instances per tenant. The system uses HAProxy with custom PostgreSQL protocol parsing to route connections intelligently while maintaining complete tenant isolation at the database server level.
+A **dynamic PostgreSQL multi-tenant management system** that provides complete database isolation by creating dedicated PostgreSQL instances per tenant. The system uses **Traefik v3** with native PostgreSQL STARTTLS support to route connections based on SNI (Server Name Indication), enabling hostname-based tenant routing with TLS security.
 ### Core Concept
@@ -22,15 +22,16 @@ Instead of sharing a single PostgreSQL instance with multiple databases (shared
    - Automatic volume and network configuration
    - Custom initialization scripts per tenant
-2. **Intelligent Routing**
-   - HAProxy parses PostgreSQL protocol to extract username
-   - Routes connections to correct tenant backend automatically
+2. **SNI-Based Routing**
+   - Traefik v3 handles PostgreSQL STARTTLS protocol
+   - Routes connections based on hostname (SNI)
    - Single external port (5432) for all tenants
+   - TLS/SSL encryption required
 3. **Access Control**
    - Per-tenant external access enable/disable
-   - Secure by default (access disabled on creation)
    - Runtime access control without service restart
+   - Dynamic Traefik configuration updates
 4. **Complete Isolation**
    - Separate Docker containers per tenant
@@ -39,49 +40,50 @@ Instead of sharing a single PostgreSQL instance with multiple databases (shared
    - No shared processes or memory
 5. **Zero-Downtime Operations**
-   - Graceful HAProxy reloads
+   - Traefik dynamic configuration (no restarts needed)
    - Independent tenant management
    - No impact on other tenants during operations
 ## Architecture
 ```
-┌─────────────────────────────────────────────────────────┐
-│                    External Access                       │
-│                  (localhost:5432)                        │
-└──────────────────────┬──────────────────────────────────┘
-                       │
-                       ▼
-┌─────────────────────────────────────────────────────────┐
-│                    HAProxy Proxy                         │
-│  ┌──────────────────────────────────────────────────┐   │
-│  │  Frontend: postgres_frontend                     │   │
-│  │  - Listens on port 5432                          │   │
-│  │  - Parses PostgreSQL protocol (Lua script)       │   │
-│  │  - Extracts username from startup packet         │   │
-│  │  - Checks tenant-access.json for permissions     │   │
-│  └──────────────────────────────────────────────────┘   │
-└──────────────────────┬──────────────────────────────────┘
-                       │
-        ┌──────────────┼──────────────┐
-        │              │              │
-        ▼              ▼              ▼
-┌──────────────┐ ┌──────────────┐ ┌──────────────┐
-│  Backend     │ │  Backend     │ │  Backend     │
-│ pgs_tenant1  │ │ pgs_tenant2  │ │ pgs_tenant3  │
-└──────┬───────┘ └──────┬───────┘ └──────┬───────┘
-       │                │                │
-       ▼                ▼                ▼
-┌──────────────┐ ┌──────────────┐ ┌──────────────┐
-│ PostgreSQL   │ │ PostgreSQL   │ │ PostgreSQL   │
-│ Container 1  │ │ Container 2  │ │ Container 3  │
-│              │ │              │ │              │
-│ Port: 5432   │ │ Port: 5432   │ │ Port: 5432   │
-│ (internal)   │ │ (internal)   │ │ (internal)   │
-│              │ │              │ │              │
-│ Volume:      │ │ Volume:      │ │ Volume:      │
-│ pgdata_1     │ │ pgdata_2     │ │ pgdata_3     │
-└──────────────┘ └──────────────┘ └──────────────┘
+┌─────────────────────────────────────────────────────────────────┐
+│                       External Access                            │
+│           (tenant-id.pgs.domain.com:5432 + TLS/SNI)             │
+└───────────────────────────┬─────────────────────────────────────┘
+                            │
+                            ▼
+┌─────────────────────────────────────────────────────────────────┐
+│                      Traefik v3 Proxy                            │
+│  ┌───────────────────────────────────────────────────────────┐  │
+│  │  EntryPoint: postgres (port 5432)                         │  │
+│  │  - TLS termination with wildcard certificate              │  │
+│  │  - PostgreSQL STARTTLS protocol support                   │  │
+│  │  - SNI-based routing (HostSNI rule)                       │  │
+│  │  - Dynamic configuration via dynamic.yml                  │  │
+│  └───────────────────────────────────────────────────────────┘  │
+└───────────────────────────┬─────────────────────────────────────┘
+                            │
+         ┌──────────────────┼──────────────────┐
+         │                  │                  │
+         ▼                  ▼                  ▼
+┌──────────────┐   ┌──────────────┐   ┌──────────────┐
+│  TCP Router  │   │  TCP Router  │   │  TCP Router  │
+│  tenant1     │   │  tenant2     │   │  tenant3     │
+│  HostSNI()   │   │  HostSNI()   │   │  HostSNI()   │
+└──────┬───────┘   └──────┬───────┘   └──────┬───────┘
+       │                  │                  │
+       ▼                  ▼                  ▼
+┌──────────────┐   ┌──────────────┐   ┌──────────────┐
+│ PostgreSQL   │   │ PostgreSQL   │   │ PostgreSQL   │
+│ Container 1  │   │ Container 2  │   │ Container 3  │
+│              │   │              │   │              │
+│ Port: 5432   │   │ Port: 5432   │   │ Port: 5432   │
+│ (internal)   │   │ (internal)   │   │ (internal)   │
+│              │   │              │   │              │
+│ Volume:      │   │ Volume:      │   │ Volume:      │
+│ pgdata_1     │   │ pgdata_2     │   │ pgdata_3     │
+└──────────────┘   └──────────────┘   └──────────────┘
 ```
 ## Technical Implementation
@@ -91,37 +93,88 @@ Instead of sharing a single PostgreSQL instance with multiple databases (shared
 1. **Manager Script (manager.js)**
    - Node.js CLI tool for tenant lifecycle management
    - Dynamically generates docker-compose.yml entries
-   - Manages HAProxy configuration
+   - Manages Traefik dynamic configuration (dynamic.yml)
    - Controls tenant access permissions
-2. **HAProxy Reverse Proxy**
-   - TCP-level load balancer and router
-   - Custom Lua script for PostgreSQL protocol parsing
-   - Routes based on extracted username
-   - Per-tenant access control
+2. **Traefik v3 Reverse Proxy**
+   - TCP-level routing with TLS termination
+   - Native PostgreSQL STARTTLS protocol support
+   - SNI-based routing via HostSNI() rule
+   - Dynamic configuration without restarts
-3. **PostgreSQL Protocol Parser (pg-route.lua)**
-   - Parses binary PostgreSQL startup packet
-   - Extracts username and connection parameters
-   - Handles SSL negotiation
-   - Enforces access control policies
-4. **Docker Infrastructure**
+3. **Docker Infrastructure**
    - Separate container per tenant
    - Bridge network for internal communication
    - Persistent volumes for data
    - Isolated execution environments
+### Why Traefik v3 for PostgreSQL?
+PostgreSQL uses a non-standard TLS negotiation called STARTTLS:
+```
+Standard TLS (HTTPS):
+  Client → TLS ClientHello (with SNI) → Server
+PostgreSQL STARTTLS:
+  Client → SSLRequest (PG protocol) → Server
+  Server → 'S' (SSL supported) → Client
+  Client → TLS ClientHello (with SNI) → Server
+```
+Most SNI proxies expect TLS ClientHello as the first packet. PostgreSQL sends its own protocol first, then TLS.
+**Traefik v3** is one of the few proxies that natively understands this PostgreSQL-specific flow:
+- Detects PostgreSQL SSLRequest
+- Responds with 'S'
+- Captures TLS ClientHello with SNI
+- Routes based on hostname
 ### Connection Flow
-1. Client connects to `localhost:5432` with username `tenant_id`
-2. HAProxy receives connection and invokes Lua script
-3. Script parses PostgreSQL startup packet and extracts username
-4. Script checks `tenant-access.json` for permission
-5. If allowed, routes to backend `pgs_{tenant_id}`
-6. Backend forwards to PostgreSQL container on internal network
+1. Client connects to `tenant-id.pgs.domain.com:5432` with `sslmode=require`
+2. Traefik receives connection and detects PostgreSQL SSLRequest
+3. Traefik responds 'S' (SSL supported)
+4. Client sends TLS ClientHello with SNI (hostname)
+5. Traefik extracts SNI and matches against configured routers in dynamic.yml
+6. If tenant has access enabled, routes to backend `pgs_{tenant_id}:5432`
 7. Connection established with complete isolation
+### Configuration Files
+**traefik.yml** (Static Configuration):
+```yaml
+entryPoints:
+  postgres:
+    address: ":5432"
+providers:
+  file:
+    filename: /etc/traefik/dynamic.yml
+    watch: true
+```
+**dynamic.yml** (Dynamic Configuration - Auto-generated):
+```yaml
+tcp:
+  routers:
+    router_tenant1:
+      entryPoints:
+        - postgres
+      rule: "HostSNI(`tenant1-abc123.pgs.domain.com`)"
+      service: svc_tenant1
+      tls: {}
+  services:
+    svc_tenant1:
+      loadBalancer:
+        servers:
+          - address: "pgs_tenant1-abc123:5432"
+tls:
+  certificates:
+    - certFile: /etc/traefik/certs/fullchain.pem
+      keyFile: /etc/traefik/certs/privkey.pem
+```
 ## Comparison with Similar Solutions
 ### Shared Database Architecture
@@ -152,7 +205,7 @@ Instead of sharing a single PostgreSQL instance with multiple databases (shared
 - **Difference**: Shards data across nodes; this creates separate instances per tenant
 - **Use Case**: Horizontal scaling vs. tenant isolation
-#### 3. **Patroni + HAProxy**
+#### 3. **Patroni + Traefik/HAProxy**
 - **Purpose**: High availability and load balancing
 - **Difference**: Replicates single database; this creates isolated instances
 - **Use Case**: HA for single database vs. multi-tenant isolation
@@ -173,18 +226,18 @@ Instead of sharing a single PostgreSQL instance with multiple databases (shared
    - Not just database or schema separation
    - Complete process and memory isolation
-2. **Dynamic provisioning with single external port**
+2. **SNI-based routing with single external port**
    - No need for port management
-   - Automatic routing based on connection parameters
+   - Automatic routing based on hostname
+   - TLS/SSL security by default
-3. **Protocol-aware routing**
-   - Parses PostgreSQL binary protocol
-   - Routes before connection completion
-   - Handles SSL negotiation
+3. **PostgreSQL STARTTLS support**
+   - Traefik v3 handles non-standard PG protocol
+   - Proper SNI extraction after PG handshake
 4. **Runtime access control**
    - Enable/disable tenant access without restart
-   - No downtime for access changes
+   - Dynamic Traefik configuration
 5. **Docker-native architecture**
    - Leverages container isolation
@@ -211,9 +264,9 @@ Instead of sharing a single PostgreSQL instance with multiple databases (shared
 ## Advantages
 ✅ **Maximum Isolation**: Complete process and data separation
-✅ **Security**: Zero risk of cross-tenant data access
+✅ **Security**: Zero risk of cross-tenant data access + TLS encryption
 ✅ **Flexibility**: Independent scaling and management per tenant
-✅ **Simplicity**: Single external port, automatic routing
+✅ **Simplicity**: Single external port, automatic SNI routing
 ✅ **Compliance**: Easier to meet regulatory requirements
 ✅ **Debugging**: Isolated environments simplify troubleshooting
@@ -223,15 +276,16 @@ Instead of sharing a single PostgreSQL instance with multiple databases (shared
 ⚠️ **Management Overhead**: More containers to manage
 ⚠️ **Scaling Limits**: Practical limit on number of tenants per host
 ⚠️ **Backup Complexity**: Need to backup multiple instances
+⚠️ **SSL Required**: Clients must support TLS with SNI
 ## Technology Stack
 - **Runtime**: Node.js (ES Modules)
 - **Container Orchestration**: Docker Compose
-- **Reverse Proxy**: HAProxy with Lua scripting
+- **Reverse Proxy**: Traefik v3 (PostgreSQL STARTTLS + SNI routing)
 - **Database**: PostgreSQL 18+
-- **Protocol Parsing**: Custom Lua script
-- **Configuration**: YAML (docker-compose.yml), JSON (tenant-access.json)
+- **TLS**: Wildcard SSL certificate
+- **Configuration**: YAML (docker-compose.yml, traefik.yml, dynamic.yml), JSON (tenant-access.json)
 ## Future Enhancements
@@ -242,9 +296,8 @@ Instead of sharing a single PostgreSQL instance with multiple databases (shared
 - [ ] Tenant migration tools
 - [ ] Kubernetes support
 - [ ] Connection pooling per tenant
-- [ ] SSL/TLS termination
+- [ ] Web dashboard
 ## License & Status
-This is a custom solution built for specific multi-tenant requirements. It combines open-source tools (HAProxy, PostgreSQL, Docker) with custom routing logic to achieve instance-per-tenant isolation with intelligent connection routing.
+This is a custom solution built for specific multi-tenant requirements. It combines open-source tools (Traefik v3, PostgreSQL, Docker) with SNI-based routing to achieve instance-per-tenant isolation with intelligent connection routing.

package/manager.js CHANGED Viewed

@@ -62,7 +62,7 @@ function removeTenantAccess(tenantId) {
 // ==================== Traefik Configuration ====================
-function generateTraefikDynamicConfig() {
+function generateTraefikDynamicConfig(tenantsManifests = {}) {
     console.debug('Generating Traefik dynamic config')
     const doc = loadCompose();
     const access = loadTenantAccess();
@@ -75,6 +75,7 @@ function generateTraefikDynamicConfig() {
     const dynamicConfig = {
         tcp: {
             routers: {},
+            middlewares: {},
             services: {}
         },
         tls: {
@@ -96,15 +97,37 @@ function generateTraefikDynamicConfig() {
         }
         const routerName = `router_${tenantId}`.replace(/-/g, '_');
+        const middlewareName = `ipwhitelist_${tenantId}`.replace(/-/g, '_');
         const svcName = `svc_${tenantId}`.replace(/-/g, '_');
-        dynamicConfig.tcp.routers[routerName] = {
+        const router = {
             entryPoints: ['postgres'],
-            rule: `HostSNI(\`${tenantId}.pgs.us-central-1.sysnee.com\`)`,
+            rule: `HostSNI(\`${tenantId}.pgs.br-sp-1.sysnee.com\`)`,
             service: svcName,
             tls: {}
         };
+        const manifest = tenantsManifests[tenantId];
+        if (manifest && manifest.firewall && manifest.firewall.rules) {
+            const sourceRanges = manifest.firewall.rules
+                .filter(rule => rule.type === 'allow')
+                .map(rule => rule.source);
+            if (sourceRanges.length > 0) {
+                router.middlewares = [middlewareName];
+                if (!dynamicConfig.tcp.middlewares[middlewareName]) {
+                    dynamicConfig.tcp.middlewares[middlewareName] = {
+                        ipAllowList: {
+                            sourceRange: sourceRanges
+                        }
+                    };
+                }
+            }
+        }
+        dynamicConfig.tcp.routers[routerName] = router;
         dynamicConfig.tcp.services[svcName] = {
             loadBalancer: {
                 servers: [
@@ -209,11 +232,23 @@ function ensureNetwork(doc) {
 }
 function initialSetup() {
+    installDocker()
     createInitialFiles()
     ensureDockerPrivilegies()
     console.log('All ready!')
 }
+function installDocker() {
+    console.log('Installing Docker...')
+    execSync('curl -fsSL https://get.docker.com -o get-docker.sh && sudo sh get-docker.sh', { stdio: 'inherit' })
+    execSync('rm get-docker.sh')
+    console.log('Docker installed successfully')
+    console.log('Installing Docker Compose plugin...')
+    execSync('sudo apt-get install -y docker-compose-plugin', { stdio: 'inherit' })
+    console.log('Docker Compose plugin installed successfully')
+}
 function ensureDockerPrivilegies() {
     execSync('sudo usermod -aG docker $USER && newgrp docker')
     writeFileSync(SETUP_STATUS_PATH, 'container:ok')
@@ -282,7 +317,7 @@ function checkSetupStatus() {
 }
 function createTenant(tenantId, options = {}) {
-    const { version = '18', password, limits = DEFAULT_LIMITS } = options;
+    const { version = '18', password, limits = DEFAULT_LIMITS, manifest = null } = options;
     const doc = loadCompose();
     if (doc.services && doc.services[`pgs_${tenantId}`]) {
@@ -311,19 +346,17 @@ function createTenant(tenantId, options = {}) {
     saveCompose(doc);
-    // Add tenant to access control
     setTenantAccess(tenantId, true);
-    // Regenerate Traefik config and update service
-    generateTraefikDynamicConfig();
+    const manifests = manifest ? { [tenantId]: manifest } : {};
+    generateTraefikDynamicConfig(manifests);
     updateTraefikService();
-    // start the tenant
     executeCommand(`docker compose up -d ${serviceName}`.trim());
     console.log(`✓ Created tenant: ${tenantId}`);
     console.log(`  Service: ${serviceName}`);
-    console.log(`  Host: ${tenantId}.pgs.us-central-1.sysnee.com`);
+    console.log(`  Host: ${tenantId}.pgs.br-sp-1.sysnee.com`);
     console.log(`  Port: 5432`);
     console.log(`  Database: ${tenantId}`);
     console.log(`  Password: ${password}`);
@@ -364,13 +397,13 @@ function listTenants() {
     console.log('─'.repeat(90));
     tenants.forEach(t => {
         const accessStr = t.access ? '✓ enabled' : '✗ disabled';
-        const host = `${t.tenantId}.pgs.us-central-1.sysnee.com`;
+        const host = `${t.tenantId}.pgs.br-sp-1.sysnee.com`;
         console.log(`  ${t.tenantId.padEnd(25)} ${host.padEnd(45)} ${accessStr}`);
     });
     console.log('─'.repeat(90));
 }
-function enableTenantAccess(tenantId) {
+function enableTenantAccess(tenantId, manifests = {}) {
     const doc = loadCompose();
     const serviceName = `pgs_${tenantId}`;
@@ -379,12 +412,12 @@ function enableTenantAccess(tenantId) {
     }
     setTenantAccess(tenantId, true);
-    generateTraefikDynamicConfig();
+    generateTraefikDynamicConfig(manifests);
     console.log(`✓ External access enabled for tenant: ${tenantId}`);
 }
-function disableTenantAccess(tenantId) {
+function disableTenantAccess(tenantId, manifests = {}) {
     const doc = loadCompose();
     const serviceName = `pgs_${tenantId}`;
@@ -393,12 +426,12 @@ function disableTenantAccess(tenantId) {
     }
     setTenantAccess(tenantId, false);
-    generateTraefikDynamicConfig();
+    generateTraefikDynamicConfig(manifests);
     console.log(`✓ External access disabled for tenant: ${tenantId}`);
 }
-function removeTenant(tenantId) {
+function removeTenant(tenantId, manifests = {}) {
     const doc = loadCompose();
     const serviceName = `pgs_${tenantId}`;
@@ -421,7 +454,7 @@ function removeTenant(tenantId) {
     saveCompose(doc);
     removeTenantAccess(tenantId);
-    generateTraefikDynamicConfig();
+    generateTraefikDynamicConfig(manifests);
     updateTraefikService();
     console.log(`✓ Removed tenant: ${tenantId}`);
@@ -478,7 +511,8 @@ program
             const tenantOptions = {
                 password: null,
                 version: null,
-                limits: null
+                limits: null,
+                manifest: null
             }
             if (opts.file) {
@@ -492,6 +526,7 @@ program
                 tenantOptions.limits = optsFromManifest.shared_limits
                 tenantOptions.version = optsFromManifest.version
+                tenantOptions.manifest = optsFromManifest
             } else {
                 tenantOptions.version = opts.version;
                 tenantOptions.limits = {
@@ -526,10 +561,17 @@ program
     .command('remove')
     .description('Remove a tenant instance')
     .argument('<tenant-id>', 'Tenant identifier')
-    .action((tenantId) => {
+    .option('-f, --file <file>', 'Manifest file path (optional, for firewall rules)')
+    .action((tenantId, opts) => {
         checkSetupStatus()
         try {
-            removeTenant(tenantId);
+            const manifests = {};
+            if (opts.file) {
+                const manifestFilePath = path.resolve(opts.file)
+                const manifest = JSON.parse(readFileSync(manifestFilePath))
+                manifests[tenantId] = manifest;
+            }
+            removeTenant(tenantId, manifests);
         } catch (error) {
             console.error(`Error: ${error.message}`);
             process.exit(1);
@@ -560,10 +602,17 @@ program
     .command('enable-access')
     .description('Enable external access for a tenant')
     .argument('<tenant-id>', 'Tenant identifier')
-    .action((tenantId) => {
+    .option('-f, --file <file>', 'Manifest file path (optional, for firewall rules)')
+    .action((tenantId, opts) => {
         checkSetupStatus()
         try {
-            enableTenantAccess(tenantId);
+            const manifests = {};
+            if (opts.file) {
+                const manifestFilePath = path.resolve(opts.file)
+                const manifest = JSON.parse(readFileSync(manifestFilePath))
+                manifests[tenantId] = manifest;
+            }
+            enableTenantAccess(tenantId, manifests);
         } catch (error) {
             console.error(`Error: ${error.message}`);
             process.exit(1);
@@ -574,10 +623,17 @@ program
     .command('disable-access')
     .description('Disable external access for a tenant')
     .argument('<tenant-id>', 'Tenant identifier')
-    .action((tenantId) => {
+    .option('-f, --file <file>', 'Manifest file path (optional, for firewall rules)')
+    .action((tenantId, opts) => {
         checkSetupStatus()
         try {
-            disableTenantAccess(tenantId);
+            const manifests = {};
+            if (opts.file) {
+                const manifestFilePath = path.resolve(opts.file)
+                const manifest = JSON.parse(readFileSync(manifestFilePath))
+                manifests[tenantId] = manifest;
+            }
+            disableTenantAccess(tenantId, manifests);
         } catch (error) {
             console.error(`Error: ${error.message}`);
             process.exit(1);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@sysnee/pgs",
-  "version": "0.1.7-rc.5",
+  "version": "0.1.7-rc.7",
   "description": "Dynamic PostgreSQL service instance manager",
   "type": "module",
   "bin": {
@@ -14,7 +14,7 @@
     "stop": "node manager.js stop",
     "enable-access": "node manager.js enable-access",
     "disable-access": "node manager.js disable-access",
-    "reload-haproxy": "node manager.js reload-haproxy"
+    "setup": "node manager.js setup"
   },
   "dependencies": {
     "js-yaml": "^4.1.0",