feat(db): add cn-prod (Aliyun) support to the DB CLI (#21) #22
Open
xbfool wants to merge 2 commits into
query-db / grant-balance / grant-subscription now accept `--env cn`
(alias `cn-prod`), routing to the Aliyun cn-prod environment which is
fully separate from overseas AWS.
cn-prod specifics handled:
- separate Infisical `secrets-cn.optima.chat` (admin email/password →
accessToken → select-organization → org-scoped token; the field-name
trap baked in)
- creds from /shared-secrets/database-users + /database-names by prefix
(AUTH/BILLING/…); the cn RDS has no public endpoint
- private RDS reached through the buildbox ECS via an SSH `-L` tunnel
(sshpass), reusing the existing warm-reuse / zombie-tunnel framework
- curl calls use execFileSync (no shell-quoting, cross-platform)
Env vars (cn only): INFISICAL_CN_EMAIL / INFISICAL_CN_PASSWORD (1P
"Infisical cn-prod admin"), OPTIMA_CN_BUILDBOX_PASSWORD (1P "Aliyun
cn-prod buildbox ECS (root)"). Requires sshpass + aws-less; Windows → WSL.
Tested against cn-prod RDS:
- `query-db user-auth "SELECT count(*) FROM users" cn` → 31 (real)
- connectBillingDB('cn') reads plans (count 0 — cn billing not yet
seeded, but tunnel + auth + query path all green)
Scope notes:
- query-db cn covers services whose creds live in shared-secrets
/database-users (prefix from userKey). Services with a literal
DATABASE_URL in /services/<svc> (e.g. gateway-core) error with a
pointer to #21 — follow-up.
- grant-subscription on cn needs the plans table seeded first.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
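cn-prod creds come in two kinds: (1) /shared-secrets/database-users (by prefix)
(2) the service's own DATABASE_URL in /services/<svc> (gateway-core etc.). This change
completes (2), so query-db cn now covers all services.
- getCnSecrets() gains an expand parameter → expandSecretReferences=true makes the cn
Infisical server resolve `${...}` references to literal values (user-auth and others use references)
- connectCnDBFromUrl(): take the expanded DATABASE_URL → parse → buildbox tunnel
- parseDatabaseUrl() tolerates driver suffixes (postgresql+asyncpg://)
- query-db cn branch: with userKey, go by prefix; with databaseUrlPath, go by URL
Tested: `query-db optima-sentinel "SELECT 1" cn` → 1 (green).
Finding (not part of this PR): the DATABASE_URL password in cn Infisical /services/gateway-core
(32 characters) does not match the actual RDS gateway_user password (db-init tfvars, 28 characters),
so psql authentication fails → the cn gateway-core Infisical cred looks stale and needs to be
checked/fixed separately on the cn side.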
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Update: cn query-db now covers all services. Added  Tested:
Implements #21.
`query-db` / `grant-balance` / `grant-subscription` now accept `--env cn` (alias `cn-prod`), routing to Aliyun cn-prod (fully separate from overseas AWS).
cn specifics handled
- secrets-cn.optima.chat: admin email/password → accessToken → select-organization → org-scoped token (the field-name trap is handled internally)
- /shared-secrets/database-users + /database-names (by prefix: AUTH/BILLING/…); the cn RDS has no public endpoint
- `-L` tunnel (sshpass), reusing the existing warm-reuse / zombie-tunnel detection framework
- execFileSync (no shell-quoting pitfalls, cross-platform)
Usage
- `optima-query-db user-auth "SELECT count(*) FROM users" cn`
- `optima-grant-balance user@x.com --amount 5 --env cn`
- `optima-grant-subscription user@x.com --plan pro --env cn`
cn-only environment variables:
- INFISICAL_CN_EMAIL / INFISICAL_CN_PASSWORD: Infisical cn-prod admin (secrets-cn.optima.chat)
- OPTIMA_CN_BUILDBOX_PASSWORD: Aliyun cn-prod buildbox ECS (root)
- OPTIMA_CN_BUILDBOX_HOST (optional): 47.94.105.163
Dependencies
- sshpass (use WSL on Windows).
Tested (against cn-prod RDS)
- `query-db user-auth "SELECT count(*) FROM users" cn` → 31 (real)
- `connectBillingDB('cn')` reads plans (count=0; cn billing phase one is not seeded, but the tunnel + auth + query path are all green)
Scope / known limits
- Services in /shared-secrets/database-users (prefix derived from userKey). Services that use a literal DATABASE_URL (e.g. gateway-core) error out and point to "feat: add cn-prod (Aliyun) support to the DB CLI — query-db / grant-balance / grant-subscription" #21; left for follow-up.
- grant-subscription on cn needs the plans table seeded first.
- root + password (sshpass); can later be switched to a dedicated key / tightened.
Related
🤖 Generated with Claude Code
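
Two points the description names, parseDatabaseUrl() tolerating a driver suffix and shell-free argv calls for the sshpass tunnel, sketched as an added example; this is not the PR's code. The function bodies, the `buildTunnelCommand` helper, the use of `sshpass -e` with `SSHPASS`, and all sample values are assumptions.

```javascript
// Added example: hypothetical helpers, not the code in this PR.
const PG_SCHEME = /^postgres(?:ql)?(?:\+[a-z0-9_]+)?:$/;
const SAFE_HOST = /^[a-z0-9.-]+$/i;

// Parse a Postgres URL, tolerating a driver suffix such as
// postgresql+asyncpg://. Errors never echo the URL (it holds the password).
function parseDatabaseUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    throw new Error('DATABASE_URL is not a valid URL');
  }
  if (!PG_SCHEME.test(u.protocol)) {
    throw new Error(`unsupported scheme ${u.protocol}`);
  }
  if (!SAFE_HOST.test(u.hostname)) {
    throw new Error('DATABASE_URL host is missing or malformed');
  }
  return {
    host: u.hostname,
    port: u.port ? Number(u.port) : 5432,
    // Userinfo stays percent-encoded after URL parsing; decode it.
    user: decodeURIComponent(u.username),
    password: decodeURIComponent(u.password),
    database: decodeURIComponent(u.pathname.replace(/^\//, '')),
  };
}

// Build the tunnel command as an argv array for execFile/spawn: no shell
// parses it, and the buildbox password travels in SSHPASS (sshpass -e),
// not in argv where other local users could read it from the process list.
function buildTunnelCommand(db, localPort, buildboxHost, buildboxPassword) {
  if (!SAFE_HOST.test(buildboxHost)) throw new Error('bad buildbox host');
  return {
    file: 'sshpass',
    args: ['-e', 'ssh', '-N', '-o', 'ExitOnForwardFailure=yes',
      '-L', `127.0.0.1:${localPort}:${db.host}:${db.port}`,
      `root@${buildboxHost}`],
    env: { SSHPASS: buildboxPassword },
  };
}

// Constructed sample values (192.0.2.10 is a documentation address).
const sampleDb = parseDatabaseUrl(
  'postgresql+asyncpg://svc_user:p%40ss%2Fw0rd@rds.internal.example:5433/svc');
const sampleCmd = buildTunnelCommand(sampleDb, 15432, '192.0.2.10', 'constructed-pw');
console.log(sampleCmd.file, sampleCmd.args.join(' '));
```

Binding the forward to 127.0.0.1 keeps the tunnelled RDS port off the operator machine's other interfaces.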