225 lines
7.1 KiB
Bash
225 lines
7.1 KiB
Bash
|
|
#!/bin/bash
|
||
|
|
# Methods library for twenty — sourced by install-twenty.sh and generated run-*.sh scripts.
|
||
|
|
# SCRIPT_DIR must be set before sourcing.
|
||
|
|
|
||
|
|
_kubectl() {
|
||
|
|
if command -v kubectl >/dev/null 2>&1; then
|
||
|
|
command kubectl "$@"
|
||
|
|
elif command -v k0s >/dev/null 2>&1; then
|
||
|
|
k0s kubectl "$@"
|
||
|
|
else
|
||
|
|
echo "ERROR: no kubectl or k0s binary found" >&2; exit 127
|
||
|
|
fi
|
||
|
|
}
|
||
|
|
|
||
|
|
_require_env() {
|
||
|
|
local var="$1"
|
||
|
|
if [ -z "${!var:-}" ]; then
|
||
|
|
echo "ERROR: required variable $var is not set" >&2; exit 1
|
||
|
|
fi
|
||
|
|
}
|
||
|
|
|
||
|
|
_pod_name() {
|
||
|
|
_kubectl get pod \
|
||
|
|
--namespace "$TWENTY_NAMESPACE" \
|
||
|
|
--selector "app.kubernetes.io/name=${TWENTY_NAME}" \
|
||
|
|
-o jsonpath='{.items[0].metadata.name}' 2>/dev/null
|
||
|
|
}
|
||
|
|
|
||
|
|
_wait_for_pod() {
|
||
|
|
local timeout="${1:-300}"
|
||
|
|
_kubectl wait pod \
|
||
|
|
--namespace "$TWENTY_NAMESPACE" \
|
||
|
|
--selector "app.kubernetes.io/name=${TWENTY_NAME}" \
|
||
|
|
--for=condition=Ready \
|
||
|
|
--timeout="${timeout}s"
|
||
|
|
}
|
||
|
|
|
||
|
|
_pg_namespace() { echo "core-data"; }
|
||
|
|
|
||
|
|
_pg_pod() {
|
||
|
|
_kubectl get pod --namespace "$(_pg_namespace)" \
|
||
|
|
--selector "app.kubernetes.io/name=postgresql" \
|
||
|
|
-o jsonpath='{.items[0].metadata.name}' 2>/dev/null
|
||
|
|
}
|
||
|
|
|
||
|
|
# ── Manifest plan helpers ─────────────────────────────────────────────────────
|
||
|
|
|
||
|
|
_plan_apply() {
|
||
|
|
local file="$1"
|
||
|
|
local path="$SCRIPT_DIR/manifests/${file}.yaml"
|
||
|
|
[ -f "$path" ] || { echo " [skip] ${file}.yaml not in manifests/"; return 0; }
|
||
|
|
_kubectl apply -f "$path"
|
||
|
|
}
|
||
|
|
|
||
|
|
_plan_apply_skip() {
|
||
|
|
local file="$1"
|
||
|
|
local path="$SCRIPT_DIR/manifests/${file}.yaml"
|
||
|
|
[ -f "$path" ] || { echo " [skip] ${file}.yaml not in manifests/"; return 0; }
|
||
|
|
if _kubectl get -f "$path" >/dev/null 2>&1; then
|
||
|
|
echo " [skip] ${file} already exists in cluster"
|
||
|
|
return 0
|
||
|
|
fi
|
||
|
|
_kubectl apply -f "$path"
|
||
|
|
}
|
||
|
|
|
||
|
|
_plan_rollout_restart() {
|
||
|
|
local file="$1"
|
||
|
|
local path="$SCRIPT_DIR/manifests/${file}.yaml"
|
||
|
|
[ -f "$path" ] || { echo " [skip] ${file}.yaml not in manifests/"; return 0; }
|
||
|
|
_kubectl rollout restart -f "$path"
|
||
|
|
}
|
||
|
|
|
||
|
|
_plan_delete() {
|
||
|
|
local file="$1"
|
||
|
|
local path="$SCRIPT_DIR/manifests/${file}.yaml"
|
||
|
|
[ -f "$path" ] || { echo " [skip] ${file}.yaml not in manifests/"; return 0; }
|
||
|
|
_kubectl delete -f "$path" --ignore-not-found
|
||
|
|
}
|
||
|
|
|
||
|
|
# shellcheck source=lib/gateway-tls.sh
|
||
|
|
source "${SCRIPT_DIR}/lib/gateway-tls.sh"
|
||
|
|
|
||
|
|
_method_patch-gateway-https() {
|
||
|
|
_lib_gateway_patch_https \
|
||
|
|
"${TLS_HOOK_GATEWAY_NAME:-libre-wuji}" \
|
||
|
|
"${TLS_HOOK_GATEWAY_NS:-kube-system}" \
|
||
|
|
"${TLS_HOOK_LISTENER_NAME}" \
|
||
|
|
"${TLS_HOOK_DOMAIN}" \
|
||
|
|
"${TLS_HOOK_TLS_SECRET}" \
|
||
|
|
"${TLS_HOOK_NAMESPACE}"
|
||
|
|
}
|
||
|
|
|
||
|
|
_method_remove-gateway-https() {
|
||
|
|
_lib_gateway_remove_https \
|
||
|
|
"${TLS_HOOK_GATEWAY_NAME:-libre-wuji}" \
|
||
|
|
"${TLS_HOOK_GATEWAY_NS:-kube-system}" \
|
||
|
|
"${TLS_HOOK_LISTENER_NAME}"
|
||
|
|
}
|
||
|
|
|
||
|
|
# ── Component methods ─────────────────────────────────────────────────────────
|
||
|
|
|
||
|
|
_method_create-credentials() {
|
||
|
|
[ -f "${SCRIPT_DIR}/_credentials.env" ] && set -a && source "${SCRIPT_DIR}/_credentials.env" && set +a
|
||
|
|
[ -f "${SCRIPT_DIR}/env-twenty" ] && set -a && source "${SCRIPT_DIR}/env-twenty" && set +a
|
||
|
|
_require_env TWENTY_DB_PASSWORD
|
||
|
|
_require_env APP_SECRET
|
||
|
|
_require_env TWENTY_ENCRYPTION_KEY
|
||
|
|
|
||
|
|
local db_host="${TWENTY_DB_HOST:-}"
|
||
|
|
local db_port="${TWENTY_DB_PORT:-5432}"
|
||
|
|
local db_user="${TWENTY_DB_USER:-twenty}"
|
||
|
|
local db_name="${TWENTY_DB_NAME:-twenty}"
|
||
|
|
local database_url="postgresql://${db_user}:${TWENTY_DB_PASSWORD}@${db_host}:${db_port}/${db_name}"
|
||
|
|
local redis_url="${TWENTY_REDIS_URL:-}"
|
||
|
|
|
||
|
|
_kubectl create secret generic "${TWENTY_NAME}-credentials" \
|
||
|
|
--namespace "$TWENTY_NAMESPACE" \
|
||
|
|
--from-literal=PG_DATABASE_URL="$database_url" \
|
||
|
|
--from-literal=APP_SECRET="$APP_SECRET" \
|
||
|
|
--from-literal=REDIS_URL="$redis_url" \
|
||
|
|
--from-literal=ENCRYPTION_KEY="$TWENTY_ENCRYPTION_KEY" \
|
||
|
|
--dry-run=client -o yaml | _kubectl apply -f -
|
||
|
|
echo " [ok] credentials secret '${TWENTY_NAME}-credentials' created in ${TWENTY_NAMESPACE}"
|
||
|
|
}
|
||
|
|
|
||
|
|
_method_init-db() {
|
||
|
|
[ -f "${SCRIPT_DIR}/_credentials.env" ] && set -a && source "${SCRIPT_DIR}/_credentials.env" && set +a
|
||
|
|
_require_env TWENTY_DB_PASSWORD
|
||
|
|
|
||
|
|
local pg_ns pg_pod db_user safe_pw safe_usr safe_db
|
||
|
|
pg_ns=$(_pg_namespace)
|
||
|
|
pg_pod=$(_pg_pod)
|
||
|
|
[ -z "$pg_pod" ] && { echo " [error] no postgresql pod found in namespace $pg_ns" >&2; exit 1; }
|
||
|
|
|
||
|
|
db_user="${TWENTY_DB_USER:-twenty}"
|
||
|
|
safe_pw="${TWENTY_DB_PASSWORD//\'/\'\'}"
|
||
|
|
safe_usr="${db_user//\'/\'\'}"
|
||
|
|
safe_db="${TWENTY_DB_NAME:-twenty}"
|
||
|
|
safe_db="${safe_db//\'/\'\'}"
|
||
|
|
|
||
|
|
_kubectl exec -i --namespace "$pg_ns" "$pg_pod" -- psql -U postgres <<SQL
|
||
|
|
DO \$\$
|
||
|
|
DECLARE
|
||
|
|
pw text := '${safe_pw}';
|
||
|
|
usr text := '${safe_usr}';
|
||
|
|
BEGIN
|
||
|
|
IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = usr) THEN
|
||
|
|
EXECUTE format('CREATE ROLE %I WITH LOGIN PASSWORD %L', usr, pw);
|
||
|
|
RAISE NOTICE 'role % created', usr;
|
||
|
|
ELSE
|
||
|
|
EXECUTE format('ALTER ROLE %I WITH PASSWORD %L', usr, pw);
|
||
|
|
RAISE NOTICE 'role % password updated', usr;
|
||
|
|
END IF;
|
||
|
|
END;
|
||
|
|
\$\$;
|
||
|
|
SQL
|
||
|
|
|
||
|
|
local db_exists
|
||
|
|
db_exists=$(_kubectl exec --namespace "$pg_ns" "$pg_pod" -- \
|
||
|
|
psql -U postgres -tAc \
|
||
|
|
"SELECT 1 FROM pg_database WHERE datname = '${safe_db}'" 2>/dev/null || true)
|
||
|
|
|
||
|
|
if [ "${db_exists}" != "1" ]; then
|
||
|
|
_kubectl exec --namespace "$pg_ns" "$pg_pod" -- \
|
||
|
|
psql -U postgres -c \
|
||
|
|
"CREATE DATABASE \"${safe_db}\"
|
||
|
|
WITH OWNER \"${safe_usr}\"
|
||
|
|
ENCODING 'UTF8'
|
||
|
|
LC_COLLATE 'C'
|
||
|
|
LC_CTYPE 'C'
|
||
|
|
TEMPLATE template0"
|
||
|
|
echo " [ok] database '${safe_db}' created"
|
||
|
|
else
|
||
|
|
echo " [skip] database '${safe_db}' already exists"
|
||
|
|
fi
|
||
|
|
|
||
|
|
_kubectl exec --namespace "$pg_ns" "$pg_pod" -- \
|
||
|
|
psql -U postgres -d "${safe_db}" -c \
|
||
|
|
"GRANT ALL ON SCHEMA public TO \"${safe_usr}\""
|
||
|
|
echo " [ok] postgresql role '${safe_usr}' and database '${safe_db}' ensured"
|
||
|
|
}
|
||
|
|
|
||
|
|
_method_wait-valkey() {
|
||
|
|
local valkey_name="${TWENTY_NAME}-valkey"
|
||
|
|
echo " waiting for valkey pod ${valkey_name} to be ready..."
|
||
|
|
_kubectl wait pod \
|
||
|
|
--namespace "$TWENTY_NAMESPACE" \
|
||
|
|
--selector "app.kubernetes.io/name=${valkey_name}" \
|
||
|
|
--for=condition=Ready \
|
||
|
|
--timeout=120s
|
||
|
|
echo " [ok] valkey ready"
|
||
|
|
}
|
||
|
|
|
||
|
|
_method_wait-ready() {
|
||
|
|
_wait_for_pod 300
|
||
|
|
}
|
||
|
|
|
||
|
|
_method_protect-volume() {
|
||
|
|
local pvc="${PLAN_PARAM_PVC:-${TWENTY_NAME}-valkey-data}"
|
||
|
|
|
||
|
|
echo " waiting for PVC '${pvc}' to bind..."
|
||
|
|
_kubectl wait pvc "$pvc" \
|
||
|
|
--namespace "$TWENTY_NAMESPACE" \
|
||
|
|
--for=jsonpath='{.status.phase}'=Bound \
|
||
|
|
--timeout=120s
|
||
|
|
|
||
|
|
local pv_name
|
||
|
|
pv_name=$(_kubectl get pvc "$pvc" \
|
||
|
|
--namespace "$TWENTY_NAMESPACE" \
|
||
|
|
-o jsonpath='{.spec.volumeName}')
|
||
|
|
if [ -z "$pv_name" ]; then
|
||
|
|
echo " [warn] could not resolve PV name for PVC '${pvc}' — skipping volume protection"
|
||
|
|
return 0
|
||
|
|
fi
|
||
|
|
|
||
|
|
if command -v hcloud >/dev/null 2>&1; then
|
||
|
|
hcloud volume enable-protection "$pv_name" delete 2>/dev/null \
|
||
|
|
&& echo " [ok] volume '${pv_name}' protected" \
|
||
|
|
|| echo " [warn] hcloud protect failed — run manually: hcloud volume enable-protection ${pv_name} delete"
|
||
|
|
else
|
||
|
|
echo " [warn] hcloud CLI not found — skip volume protection for '${pv_name}'"
|
||
|
|
fi
|
||
|
|
}
|
||
|
|
|