provisioning-catalog/components/twenty/cluster/twenty-lib.sh

224 lines
7.1 KiB
Bash

#!/bin/bash
# Methods library for twenty — sourced by install-twenty.sh and generated run-*.sh scripts.
# SCRIPT_DIR must be set before sourcing.
_kubectl() {
if command -v kubectl >/dev/null 2>&1; then
command kubectl "$@"
elif command -v k0s >/dev/null 2>&1; then
k0s kubectl "$@"
else
echo "ERROR: no kubectl or k0s binary found" >&2; exit 127
fi
}
_require_env() {
local var="$1"
if [ -z "${!var:-}" ]; then
echo "ERROR: required variable $var is not set" >&2; exit 1
fi
}
_pod_name() {
_kubectl get pod \
--namespace "$TWENTY_NAMESPACE" \
--selector "app.kubernetes.io/name=${TWENTY_NAME}" \
-o jsonpath='{.items[0].metadata.name}' 2>/dev/null
}
_wait_for_pod() {
local timeout="${1:-300}"
_kubectl wait pod \
--namespace "$TWENTY_NAMESPACE" \
--selector "app.kubernetes.io/name=${TWENTY_NAME}" \
--for=condition=Ready \
--timeout="${timeout}s"
}
_pg_namespace() { echo "core-data"; }
_pg_pod() {
_kubectl get pod --namespace "$(_pg_namespace)" \
--selector "app.kubernetes.io/name=postgresql" \
-o jsonpath='{.items[0].metadata.name}' 2>/dev/null
}
# ── Manifest plan helpers ─────────────────────────────────────────────────────
_plan_apply() {
local file="$1"
local path="$SCRIPT_DIR/manifests/${file}.yaml"
[ -f "$path" ] || { echo " [skip] ${file}.yaml not in manifests/"; return 0; }
_kubectl apply -f "$path"
}
_plan_apply_skip() {
local file="$1"
local path="$SCRIPT_DIR/manifests/${file}.yaml"
[ -f "$path" ] || { echo " [skip] ${file}.yaml not in manifests/"; return 0; }
if _kubectl get -f "$path" >/dev/null 2>&1; then
echo " [skip] ${file} already exists in cluster"
return 0
fi
_kubectl apply -f "$path"
}
_plan_rollout_restart() {
local file="$1"
local path="$SCRIPT_DIR/manifests/${file}.yaml"
[ -f "$path" ] || { echo " [skip] ${file}.yaml not in manifests/"; return 0; }
_kubectl rollout restart -f "$path"
}
_plan_delete() {
local file="$1"
local path="$SCRIPT_DIR/manifests/${file}.yaml"
[ -f "$path" ] || { echo " [skip] ${file}.yaml not in manifests/"; return 0; }
_kubectl delete -f "$path" --ignore-not-found
}
# shellcheck source=lib/gateway-tls.sh
source "${SCRIPT_DIR}/lib/gateway-tls.sh"
_method_patch-gateway-https() {
_lib_gateway_patch_https \
"${TLS_HOOK_GATEWAY_NAME:-libre-wuji}" \
"${TLS_HOOK_GATEWAY_NS:-kube-system}" \
"${TLS_HOOK_LISTENER_NAME}" \
"${TLS_HOOK_DOMAIN}" \
"${TLS_HOOK_TLS_SECRET}" \
"${TLS_HOOK_NAMESPACE}"
}
_method_remove-gateway-https() {
_lib_gateway_remove_https \
"${TLS_HOOK_GATEWAY_NAME:-libre-wuji}" \
"${TLS_HOOK_GATEWAY_NS:-kube-system}" \
"${TLS_HOOK_LISTENER_NAME}"
}
# ── Component methods ─────────────────────────────────────────────────────────
_method_create-credentials() {
[ -f "${SCRIPT_DIR}/_credentials.env" ] && set -a && source "${SCRIPT_DIR}/_credentials.env" && set +a
[ -f "${SCRIPT_DIR}/env-twenty" ] && set -a && source "${SCRIPT_DIR}/env-twenty" && set +a
_require_env TWENTY_DB_PASSWORD
_require_env APP_SECRET
_require_env TWENTY_ENCRYPTION_KEY
local db_host="${TWENTY_DB_HOST:-}"
local db_port="${TWENTY_DB_PORT:-5432}"
local db_user="${TWENTY_DB_USER:-twenty}"
local db_name="${TWENTY_DB_NAME:-twenty}"
local database_url="postgresql://${db_user}:${TWENTY_DB_PASSWORD}@${db_host}:${db_port}/${db_name}"
local redis_url="${TWENTY_REDIS_URL:-}"
_kubectl create secret generic "${TWENTY_NAME}-credentials" \
--namespace "$TWENTY_NAMESPACE" \
--from-literal=PG_DATABASE_URL="$database_url" \
--from-literal=APP_SECRET="$APP_SECRET" \
--from-literal=REDIS_URL="$redis_url" \
--from-literal=ENCRYPTION_KEY="$TWENTY_ENCRYPTION_KEY" \
--dry-run=client -o yaml | _kubectl apply -f -
echo " [ok] credentials secret '${TWENTY_NAME}-credentials' created in ${TWENTY_NAMESPACE}"
}
_method_init-db() {
[ -f "${SCRIPT_DIR}/_credentials.env" ] && set -a && source "${SCRIPT_DIR}/_credentials.env" && set +a
_require_env TWENTY_DB_PASSWORD
local pg_ns pg_pod db_user safe_pw safe_usr safe_db
pg_ns=$(_pg_namespace)
pg_pod=$(_pg_pod)
[ -z "$pg_pod" ] && { echo " [error] no postgresql pod found in namespace $pg_ns" >&2; exit 1; }
db_user="${TWENTY_DB_USER:-twenty}"
safe_pw="${TWENTY_DB_PASSWORD//\'/\'\'}"
safe_usr="${db_user//\'/\'\'}"
safe_db="${TWENTY_DB_NAME:-twenty}"
safe_db="${safe_db//\'/\'\'}"
_kubectl exec -i --namespace "$pg_ns" "$pg_pod" -- psql -U postgres <<SQL
DO \$\$
DECLARE
pw text := '${safe_pw}';
usr text := '${safe_usr}';
BEGIN
IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = usr) THEN
EXECUTE format('CREATE ROLE %I WITH LOGIN PASSWORD %L', usr, pw);
RAISE NOTICE 'role % created', usr;
ELSE
EXECUTE format('ALTER ROLE %I WITH PASSWORD %L', usr, pw);
RAISE NOTICE 'role % password updated', usr;
END IF;
END;
\$\$;
SQL
local db_exists
db_exists=$(_kubectl exec --namespace "$pg_ns" "$pg_pod" -- \
psql -U postgres -tAc \
"SELECT 1 FROM pg_database WHERE datname = '${safe_db}'" 2>/dev/null || true)
if [ "${db_exists}" != "1" ]; then
_kubectl exec --namespace "$pg_ns" "$pg_pod" -- \
psql -U postgres -c \
"CREATE DATABASE \"${safe_db}\"
WITH OWNER \"${safe_usr}\"
ENCODING 'UTF8'
LC_COLLATE 'C'
LC_CTYPE 'C'
TEMPLATE template0"
echo " [ok] database '${safe_db}' created"
else
echo " [skip] database '${safe_db}' already exists"
fi
_kubectl exec --namespace "$pg_ns" "$pg_pod" -- \
psql -U postgres -d "${safe_db}" -c \
"GRANT ALL ON SCHEMA public TO \"${safe_usr}\""
echo " [ok] postgresql role '${safe_usr}' and database '${safe_db}' ensured"
}
_method_wait-valkey() {
local valkey_name="${TWENTY_NAME}-valkey"
echo " waiting for valkey pod ${valkey_name} to be ready..."
_kubectl wait pod \
--namespace "$TWENTY_NAMESPACE" \
--selector "app.kubernetes.io/name=${valkey_name}" \
--for=condition=Ready \
--timeout=120s
echo " [ok] valkey ready"
}
_method_wait-ready() {
_wait_for_pod 300
}
_method_protect-volume() {
local pvc="${PLAN_PARAM_PVC:-${TWENTY_NAME}-valkey-data}"
echo " waiting for PVC '${pvc}' to bind..."
_kubectl wait pvc "$pvc" \
--namespace "$TWENTY_NAMESPACE" \
--for=jsonpath='{.status.phase}'=Bound \
--timeout=120s
local pv_name
pv_name=$(_kubectl get pvc "$pvc" \
--namespace "$TWENTY_NAMESPACE" \
-o jsonpath='{.spec.volumeName}')
if [ -z "$pv_name" ]; then
echo " [warn] could not resolve PV name for PVC '${pvc}' — skipping volume protection"
return 0
fi
if command -v hcloud >/dev/null 2>&1; then
hcloud volume enable-protection "$pv_name" delete 2>/dev/null \
&& echo " [ok] volume '${pv_name}' protected" \
|| echo " [warn] hcloud protect failed — run manually: hcloud volume enable-protection ${pv_name} delete"
else
echo " [warn] hcloud CLI not found — skip volume protection for '${pv_name}'"
fi
}