Add setup-env script and improve reset-data script

asithade · asithade · commit 271bab6c9f58 · 2025-12-18T00:49:27.000-06:00
- Add setup-env.sh script to automate environment variable configuration
- Add confirmation prompt to reset-data.sh requiring 'RESET' input
- Add error handling with abort on critical operation failures
- Add dynamic OpenSearch mapping retrieval before index deletion
- Fix variable quoting throughout scripts (shellcheck compliant)
- Format scripts with shfmt for consistent style
- Update README with quick setup instructions and safety features
- Update README to reference new reset script capabilities

Signed-off-by: Asitha de Silva &lt;asithade@gmail.com&gt;
diff --git a/README.md b/README.md
@@ -15,15 +15,36 @@ These instructions and playbooks assume the script's execution environment has a
 
 ## Setup
 
-### 1. Set Environment Variables
+### Quick Setup (Recommended)
 
-#### NATS Configuration
+Use the automated setup script to configure all environment variables:
+
+```bash
+# Source the script to set environment variables in your current shell
+source ./scripts/setup-env.sh
+```
+
+The script will automatically:
+
+- Set `NATS_URL` to the default Kubernetes service URL
+- Retrieve and set `OPENFGA_STORE_ID` from the OpenFGA API
+- Retrieve and set `JWT_RSA_SECRET` from the heimdall-signer-cert secret
+
+After running this script, you can proceed directly to [Running Mock Data Generation](#running-mock-data-generation).
+
+### Manual Setup (Alternative)
+
+If you prefer to set environment variables manually or need to customize values:
+
+#### 1. Set Environment Variables
+
+##### NATS Configuration
 
 ```bash
 export NATS_URL="lfx-platform-nats.lfx.svc.cluster.local:4222"
 ```
 
-#### OpenFGA Configuration
+##### OpenFGA Configuration
 
 First, confirm the OpenFGA Store ID:
 
@@ -37,15 +58,12 @@ Then export the Store ID:
 export OPENFGA_STORE_ID="your-store-id-here"
 ```
 
-#### Authentication Tokens
+##### Authentication Tokens
 
-A Heimdall JWT secret is needed to use the `!jwt` macro in playbooks. If you
-export it as an environmental variable, you can pass it to the mock data tool
-as a command line argument. No `export` step is needed as this is used only
-to populate arguments to the mock data tool shell invocation.
+A Heimdall JWT secret is needed to use the `!jwt` macro in playbooks. Export it as an environmental variable so you can pass it to the mock data tool as a command line argument:
 
 ```bash
-JWT_RSA_SECRET="$(kubectl get secret/heimdall-signer-cert -n lfx -o json | jq -r '.data["signer.pem"]' | base64 --decode)"
+export JWT_RSA_SECRET="$(kubectl get secret/heimdall-signer-cert -n lfx -o json | jq -r '.data["signer.pem"]' | base64 --decode)"
 ```
 
 ## Usage
@@ -65,14 +83,34 @@ uv run lfx-v2-mockdata \
 ```
 
 **Important Notes:**
+
 - **Order matters!** Playbook directories run in the order specified on the command line.
 - Within each directory, playbooks execute in alphabetical order.
 - Dependencies between playbooks should be considered when organizing execution order. Multiple passes are made to allow `!ref` calls to be resolved, but the right order will improve performance and help avoid max-retry errors.
 - The `!jwt` macro will attempt to detect the JWKS key ID from the endpoint at `http://lfx-platform-heimdall.lfx.svc.cluster.local:4457/.well-known/jwks`. If this URL is not accessible from the execution environment, you must pass an explicit JWT key ID using the `--jwt-key-id` argument.
 
 ### Wiping Existing Data
 
-If you need to start fresh, wipe the NATS KV buckets:
+If you need to start fresh, use the reset script for a complete data wipe:
+
+```bash
+./scripts/reset-data.sh
+```
+
+This script will:
+
+- Clear all NATS KV buckets (projects, committees, meetings, etc.)
+- Clear and recreate OpenSearch indices (using current mapping)
+- Restart the query service to clear cache
+- Delete the project service pod to clear cache
+
+**Safety Features:**
+- Requires typing `RESET` to confirm before proceeding
+- Validates all critical operations and exits on failure
+- Preserves authentication data in `authelia-users` and `authelia-email-otp` buckets
+- Automatically retrieves and uses current OpenSearch mapping before recreation
+
+**Manual Alternative:** If you prefer to wipe only NATS KV buckets manually:
 
 ```bash
 for bucket in projects project-settings committees committee-settings committee-members; do
@@ -81,19 +119,23 @@ for bucket in projects project-settings committees committee-settings committee-
 done
 ```
 
-*Consider updating this documentation to also provide steps for recreating the OpenSearch index. Stale OpenFGA tuples may also be deleted, but unlike OpenSearch data, it won't impact the refreshed data to keep them.*
+_Note: The reset script is the recommended approach as it handles OpenSearch indices and service caches comprehensively._
 
 ### Running After Data Wipe
 
-When running after wiping data, you need to recreate the ROOT project first, with an extra playbook at the front. This `recreate_root_project` playbook bypasses the API and directly creates a new ROOT project in the NATS KV bucket.
+After using the reset script, the ROOT project is automatically recreated by the project service pod restart. You can run the mock data tool normally:
 
 ```bash
 uv run lfx-v2-mockdata \
     --jwt-rsa-secret "$JWT_RSA_SECRET" \
     -t playbooks/projects/{root_project_access,base_projects,extra_projects} playbooks/committees/base_committees
-    -t playbooks/projects/recreate_root_project playbooks/projects/{root_project_access,base_projects,extra_projects} playbooks/committees/base_committees
 ```
 
+**Note:** If you wiped data manually (without the reset script), you'll need to delete the project service pod to trigger ROOT project recreation, as it handles permissions correctly:
+
+```bash
+kubectl delete pod -n lfx $(kubectl get pods -n lfx --no-headers | grep project-service | awk '{print $1}')
+```
 
 ## Playbook Structure
 
diff --git a/scripts/reset-data.sh b/scripts/reset-data.sh
@@ -14,59 +14,99 @@ OPENSEARCH_POD="opensearch-cluster-master-0"
 
 # Find the NATS box pod
 find_nats_box() {
-    NATS_BOX_POD=$(kubectl get pods -n $NAMESPACE --no-headers -o custom-columns=":metadata.name" 2>/dev/null | grep nats-box | head -1)
-    if [ -z "$NATS_BOX_POD" ]; then
-        echo "❌ Could not find nats-box pod"
-        return 1
-    fi
-    echo "Found NATS box pod: $NATS_BOX_POD"
-    return 0
+	NATS_BOX_POD=$(kubectl get pods -n $NAMESPACE --no-headers -o custom-columns=":metadata.name" 2>/dev/null | grep nats-box | head -1)
+	if [ -z "$NATS_BOX_POD" ]; then
+		echo "❌ Could not find nats-box pod"
+		return 1
+	fi
+	echo "Found NATS box pod: $NATS_BOX_POD"
+	return 0
 }
 
 # Clear and recreate NATS KV buckets
 clear_nats_buckets() {
-    echo ""
-    echo "🗑️  Clearing NATS KV buckets..."
-
-    # All data buckets (excluding authelia-users and authelia-email-otp which are auth-related)
-    for bucket in projects project-settings committees committee-settings committee-members \
-        meetings meeting-settings meeting-registrants meeting-rsvps meeting-attachments-metadata \
-        past-meetings past-meeting-participants past-meeting-recordings past-meeting-transcripts \
-        past-meeting-summaries past-meeting-attachments-metadata fga-sync-cache; do
-        echo "  Clearing bucket: $bucket"
-        kubectl exec -n $NAMESPACE $NATS_BOX_POD -- nats kv rm -f $bucket 2>/dev/null || true
-        kubectl exec -n $NAMESPACE $NATS_BOX_POD -- nats kv add $bucket >/dev/null 2>&1
-        if [ $? -eq 0 ]; then
-            echo "  ✓ Recreated bucket: $bucket"
-        else
-            echo "  ✗ Failed to recreate bucket: $bucket"
-        fi
-    done
-
-    echo "✅ NATS KV buckets cleared"
+	echo ""
+	echo "🗑️  Clearing NATS KV buckets..."
+
+	local has_errors=0
+
+	# All data buckets (excluding authelia-users and authelia-email-otp which are auth-related)
+	for bucket in projects project-settings committees committee-settings committee-members \
+		meetings meeting-settings meeting-registrants meeting-rsvps meeting-attachments-metadata \
+		past-meetings past-meeting-participants past-meeting-recordings past-meeting-transcripts \
+		past-meeting-summaries past-meeting-attachments-metadata fga-sync-cache; do
+		echo "  Clearing bucket: $bucket"
+		kubectl exec -n $NAMESPACE "$NATS_BOX_POD" -- nats kv rm -f $bucket 2>/dev/null || true
+		if kubectl exec -n $NAMESPACE "$NATS_BOX_POD" -- nats kv add $bucket >/dev/null 2>&1; then
+			echo "  ✓ Recreated bucket: $bucket"
+		else
+			echo "  ✗ Failed to recreate bucket: $bucket"
+			has_errors=1
+		fi
+	done
+
+	if [ $has_errors -eq 0 ]; then
+		echo "✅ NATS KV buckets cleared"
+		return 0
+	else
+		echo "⚠️  NATS KV buckets cleared with errors"
+		return 1
+	fi
 }
 
 # Clear OpenSearch indices and recreate resources mapping
 clear_opensearch() {
-    echo ""
-    echo "🗑️  Clearing OpenSearch indices..."
+	echo ""
+	echo "🗑️  Clearing OpenSearch indices..."
+
+	# Retrieve current resources index mapping before deletion
+	echo "  Retrieving current resources index mapping..."
+	RESOURCES_INDEX=$(kubectl exec -n $NAMESPACE $OPENSEARCH_POD -- curl -s "http://localhost:9200/resources" 2>/dev/null)
 
-    # Delete all indices
-    kubectl exec -n $NAMESPACE $OPENSEARCH_POD -- curl -s -X DELETE "http://localhost:9200/_all" >/dev/null 2>&1
+	if [ -z "$RESOURCES_INDEX" ] || echo "$RESOURCES_INDEX" | grep -q "index_not_found_exception"; then
+		echo "  ⚠️  Resources index not found, will use default mapping"
+		RESOURCES_MAPPING=""
+	else
+		# Extract mappings and settings using jq
+		RESOURCES_MAPPING=$(echo "$RESOURCES_INDEX" | jq -c '{
+			settings: .resources.settings.index | {number_of_replicas: (.number_of_replicas // "0")},
+			mappings: .resources.mappings
+		}' 2>/dev/null)
 
-    if [ $? -eq 0 ]; then
-        echo "  ✓ Deleted all indices"
-    else
-        echo "  ✗ Failed to delete indices"
-        return 1
-    fi
+		if [ -z "$RESOURCES_MAPPING" ] || [ "$RESOURCES_MAPPING" = "null" ]; then
+			echo "  ⚠️  Failed to extract mapping, will use default"
+			RESOURCES_MAPPING=""
+		else
+			echo "  ✓ Retrieved current mapping"
+		fi
+	fi
 
-    # Recreate resources index with mapping
-    echo "  Creating resources index with mapping..."
+	# Delete all indices
+	if kubectl exec -n $NAMESPACE $OPENSEARCH_POD -- curl -s -X DELETE "http://localhost:9200/_all" >/dev/null 2>&1; then
+		echo "  ✓ Deleted all indices"
+	else
+		echo "  ✗ Failed to delete indices"
+		return 1
+	fi
 
-    kubectl exec -n $NAMESPACE $OPENSEARCH_POD -- curl -s -X PUT "http://localhost:9200/resources" \
-        -H "Content-Type: application/json" \
-        -d '{
+	# Recreate resources index (using retrieved mapping or fallback to default)
+	echo "  Creating resources index..."
+
+	if [ -n "$RESOURCES_MAPPING" ]; then
+		# Use retrieved mapping from before deletion
+		if kubectl exec -n $NAMESPACE $OPENSEARCH_POD -- curl -s -X PUT "http://localhost:9200/resources" \
+			-H "Content-Type: application/json" \
+			-d "$RESOURCES_MAPPING" >/dev/null 2>&1; then
+			echo "  ✓ Created resources index with retrieved mapping"
+		else
+			echo "  ✗ Failed to create resources index with retrieved mapping"
+			return 1
+		fi
+	else
+		# Fallback to default mapping
+		if kubectl exec -n $NAMESPACE $OPENSEARCH_POD -- curl -s -X PUT "http://localhost:9200/resources" \
+			-H "Content-Type: application/json" \
+			-d '{
   "settings": {
     "number_of_replicas": 0
   },
@@ -110,67 +150,95 @@ clear_opensearch() {
       "v1_data": { "type": "flat_object" }
     }
   }
-}' >/dev/null 2>&1
-
-    if [ $? -eq 0 ]; then
-        echo "  ✓ Created resources index with mapping"
-    else
-        echo "  ✗ Failed to create resources index"
-        return 1
-    fi
+}' >/dev/null 2>&1; then
+			echo "  ✓ Created resources index with default mapping"
+		else
+			echo "  ✗ Failed to create resources index with default mapping"
+			return 1
+		fi
+	fi
 
-    echo "✅ OpenSearch indices cleared and recreated"
+	echo "✅ OpenSearch indices cleared and recreated"
 }
 
 # Restart query service to clear cache
 restart_query_service() {
-    echo ""
-    echo "🔄 Restarting query service..."
+	echo ""
+	echo "🔄 Restarting query service..."
 
-    kubectl rollout restart deployment lfx-v2-query-service -n $NAMESPACE >/dev/null 2>&1
-    kubectl rollout status deployment lfx-v2-query-service -n $NAMESPACE --timeout=120s >/dev/null 2>&1
-
-    if [ $? -eq 0 ]; then
-        echo "✅ Query service restarted"
-    else
-        echo "⚠️  Query service restart timed out"
-    fi
+	kubectl rollout restart deployment lfx-v2-query-service -n $NAMESPACE >/dev/null 2>&1
+	if kubectl rollout status deployment lfx-v2-query-service -n $NAMESPACE --timeout=120s >/dev/null 2>&1; then
+		echo "✅ Query service restarted"
+	else
+		echo "⚠️  Query service restart timed out"
+	fi
 }
 
 # Delete project service pod to clear cache
 delete_project_service_pod() {
-    echo ""
-    echo "🗑️  Deleting project service pod..."
+	echo ""
+	echo "🗑️  Deleting project service pod..."
 
-    PROJECT_POD=$(kubectl get pods -A --no-headers 2>/dev/null | grep project-service | grep -v Terminating | awk '{print $2}' | head -1)
+	PROJECT_POD=$(kubectl get pods -A --no-headers 2>/dev/null | grep project-service | grep -v Terminating | awk '{print $2}' | head -1)
 
-    if [ -z "$PROJECT_POD" ]; then
-        echo "⚠️  Could not find project service pod"
-        return 1
-    fi
+	if [ -z "$PROJECT_POD" ]; then
+		echo "⚠️  Could not find project service pod"
+		return 1
+	fi
 
-    echo "  Found pod: $PROJECT_POD"
-    kubectl delete pod $PROJECT_POD -n $NAMESPACE >/dev/null 2>&1
+	echo "  Found pod: $PROJECT_POD"
+	if kubectl delete pod "$PROJECT_POD" -n $NAMESPACE >/dev/null 2>&1; then
+		echo "✅ Project service pod deleted"
+	else
+		echo "⚠️  Failed to delete project service pod"
+	fi
+}
 
-    if [ $? -eq 0 ]; then
-        echo "✅ Project service pod deleted"
-    else
-        echo "⚠️  Failed to delete project service pod"
-    fi
+# Confirm with user before performing destructive operations
+confirm_reset() {
+	echo ""
+	echo "⚠️  WARNING: This script will PERMANENTLY reset data."
+	echo "    The following will be cleared or restarted:"
+	echo "      - NATS KV buckets for projects, committees, meetings, and related data"
+	echo "      - All OpenSearch indices (they will be recreated empty)"
+	echo "      - Query service cache (service restart)"
+	echo "      - Project service pod (pod deletion)"
+	echo ""
+	echo "This operation cannot be undone."
+	echo ""
+	read -rp "Type 'RESET' to proceed, or anything else to cancel: " CONFIRM_RESET_INPUT
+
+	if [ "$CONFIRM_RESET_INPUT" != "RESET" ]; then
+		echo ""
+		echo "Aborted. No data has been changed."
+		exit 1
+	fi
+
+	echo ""
+	echo "Proceeding with data reset..."
 }
 
 # Main
 echo "========================================="
 echo "  LFX Data Reset Script"
 echo "========================================="
 
-find_nats_box
-if [ $? -ne 0 ]; then
-    exit 1
+confirm_reset
+
+if ! find_nats_box; then
+	exit 1
+fi
+
+if ! clear_nats_buckets; then
+	echo "❌ Failed to clear NATS KV buckets. Aborting."
+	exit 1
+fi
+
+if ! clear_opensearch; then
+	echo "❌ Failed to clear OpenSearch indices. Aborting."
+	exit 1
 fi
 
-clear_nats_buckets
-clear_opensearch
 restart_query_service
 delete_project_service_pod
 
diff --git a/scripts/setup-env.sh b/scripts/setup-env.sh
