pangea-kubernetes 0.1.0

data/lib/pangea/kubernetes/types/kubernetes_config.rb

@@ -0,0 +1,129 @@
+# frozen_string_literal: true
+
+require 'pangea/resources/types'
+require 'pangea/kubernetes/types/firewall_config'
+require 'pangea/kubernetes/types/kernel_config'
+require 'pangea/kubernetes/types/wait_for_dns_config'
+require 'pangea/kubernetes/types/etcd_config'
+require 'pangea/kubernetes/types/pki_config'
+require 'pangea/kubernetes/types/control_plane_config'
+
+module Pangea
+  module Kubernetes
+    module Types
+      # Vanilla Kubernetes distribution configuration for blackmatter-kubernetes
+      # NixOS modules. Maps to `services.blackmatter.kubernetes.*` options.
+      #
+      # Extends K3sConfig fields with control plane, PKI, and etcd options
+      # that are only relevant for vanilla Kubernetes (not k3s).
+      class VanillaKubernetesConfig < Pangea::Resources::BaseAttributes
+        transform_keys(&:to_sym)
+
+        # --- Shared fields (same as K3sConfig) ---
+
+        # Cluster CIDR for pod networking
+        attribute :cluster_cidr, T::String.optional.default(nil)
+
+        # Service CIDR for service networking
+        attribute :service_cidr, T::String.optional.default(nil)
+
+        # Cluster DNS address
+        attribute :cluster_dns, T::String.optional.default(nil)
+
+        # Node name override
+        attribute :node_name, T::String.optional.default(nil)
+
+        # Node labels (key => value)
+        attribute :node_labels, T::Hash.default({}.freeze)
+
+        # Node taints
+        attribute :node_taints, T::Array.of(T::String).default([].freeze)
+
+        # Node IP address override
+        attribute :node_ip, T::String.optional.default(nil)
+
+        # Extra flags passed to kubelet
+        attribute :extra_flags, T::Array.of(T::String).default([].freeze)
+
+        # Data directory
+        attribute :data_dir, T::String.optional.default(nil)
+
+        # Config file path
+        attribute :config_path, T::String.optional.default(nil)
+
+        # Environment file for systemd services
+        attribute :environment_file, T::String.optional.default(nil)
+
+        # Containerd config template path
+        attribute :containerd_config_template, T::String.optional.default(nil)
+
+        # Components to disable
+        attribute :disable, T::Array.of(T::String).default([].freeze)
+
+        # Extra kubelet args (key => value)
+        attribute :extra_kubelet_config, T::Hash.default({}.freeze)
+
+        # Extra kube-proxy args (key => value)
+        attribute :extra_kube_proxy_config, T::Hash.default({}.freeze)
+
+        # Auto-deploying manifests
+        attribute :manifests, T::Hash.default({}.freeze)
+
+        # Firewall configuration
+        attribute :firewall, FirewallConfig.optional.default(nil)
+
+        # Kernel configuration
+        attribute :kernel, KernelConfig.optional.default(nil)
+
+        # DNS wait configuration
+        attribute :wait_for_dns, WaitForDNSConfig.optional.default(nil)
+
+        # Enable NVIDIA GPU support
+        attribute :nvidia_enable, T::Bool.default(false)
+
+        # Enable graceful node shutdown
+        attribute :graceful_node_shutdown, T::Bool.default(true)
+
+        # --- Vanilla Kubernetes-specific fields ---
+
+        # Control plane configuration
+        attribute :control_plane, ControlPlaneConfig.optional.default(nil)
+
+        # PKI/certificate configuration
+        attribute :pki, PKIConfig.optional.default(nil)
+
+        # Etcd configuration
+        attribute :etcd, EtcdConfig.optional.default(nil)
+
+        def to_h
+          hash = {}
+          hash[:cluster_cidr] = cluster_cidr if cluster_cidr
+          hash[:service_cidr] = service_cidr if service_cidr
+          hash[:cluster_dns] = cluster_dns if cluster_dns
+          hash[:node_name] = node_name if node_name
+          hash[:node_labels] = node_labels if node_labels.any?
+          hash[:node_taints] = node_taints if node_taints.any?
+          hash[:node_ip] = node_ip if node_ip
+          hash[:extra_flags] = extra_flags if extra_flags.any?
+          hash[:data_dir] = data_dir if data_dir
+          hash[:config_path] = config_path if config_path
+          hash[:environment_file] = environment_file if environment_file
+          hash[:containerd_config_template] = containerd_config_template if containerd_config_template
+          hash[:disable] = disable if disable.any?
+          hash[:extra_kubelet_config] = extra_kubelet_config if extra_kubelet_config.any?
+          hash[:extra_kube_proxy_config] = extra_kube_proxy_config if extra_kube_proxy_config.any?
+          hash[:manifests] = manifests if manifests.any?
+          hash[:firewall] = firewall.to_h if firewall
+          hash[:kernel] = kernel.to_h if kernel
+          hash[:wait_for_dns] = wait_for_dns.to_h if wait_for_dns
+          hash[:nvidia_enable] = nvidia_enable if nvidia_enable
+          hash[:graceful_node_shutdown] = graceful_node_shutdown
+          hash[:control_plane] = control_plane.to_h if control_plane
+          hash[:pki] = pki.to_h if pki
+          hash[:etcd] = etcd.to_h if etcd
+          hash
+        end
+      end
+    end
+  end
+end

data/lib/pangea/kubernetes/types/persistent_state_config.rb

@@ -0,0 +1,100 @@
+# frozen_string_literal: true
+
+require 'pangea/resources/types'
+
+module Pangea
+  module Kubernetes
+    module Types
+      # PersistentStateConfig — opt-in persistent state volume for a NixOS
+      # cluster node, decoupled from the EC2 instance lifecycle.
+      #
+      # The aws_nixos backend (and any future backend that opts in) emits a
+      # separately-managed cloud volume (e.g., aws_ebs_volume) tagged with
+      # `<discovery_tag>=<cluster_name>`, with `lifecycle.prevent_destroy`
+      # ON. The volume survives ASG sleep/wake, instance replacement, and
+      # cluster recreation; only an explicit operator action can destroy it.
+      #
+      # At first boot the cluster bootstrap (kindling) discovers the
+      # volume by tag, attaches it to the running instance, formats it if
+      # blank, and mounts it at `mount_path`. Subsequent boots (after
+      # sleep/wake or instance replacement) skip the format step and
+      # remount the existing filesystem.
+      #
+      # AZ binding: an EBS volume is permanently bound to one AZ. When
+      # `persistent_state` is set, the system node pool's ASG is
+      # constrained to that AZ. Multi-AZ persistent state is a different
+      # primitive (regional replication) and outside this type's scope.
+      #
+      # Mount path default `/var/lib/rancher/k3s` puts the k3s data dir
+      # on the persistent volume, so cluster state (etcd, registrations,
+      # workload state) survives instance churn.
+      class PersistentStateConfig < Pangea::Resources::BaseAttributes
+        transform_keys(&:to_sym)
+
+        SUPPORTED_VOLUME_TYPES = %w[gp3 gp2 io1 io2 st1 sc1].freeze
+        SUPPORTED_FILESYSTEMS  = %w[ext4 xfs].freeze
+
+        # Volume size in GiB. EBS minimum 1 GiB for gp3/gp2; default 50.
+        attribute :size_gb,
+                  T::Coercible::Integer.constrained(gteq: 8).default(50)
+
+        # EBS volume type. gp3 is the modern default.
+        attribute :volume_type,
+                  T::String.constrained(included_in: SUPPORTED_VOLUME_TYPES).default('gp3')
+
+        # Mount path on the node. Default = k3s data dir, so cluster
+        # state lives on the persistent volume.
+        attribute :mount_path, T::String.default('/var/lib/rancher/k3s')
+
+        # Filesystem to format on first boot. Subsequent boots remount
+        # the existing fs without reformatting.
+        attribute :filesystem,
+                  T::String.constrained(included_in: SUPPORTED_FILESYSTEMS).default('ext4')
+
+        # Tag key used to discover this cluster's persistent volume from
+        # inside the instance. Tag value is always the cluster name.
+        # Tunable so multiple persistent volumes per cluster (e.g. one
+        # for k3s data, one for a workload PV) can coexist with
+        # distinguishable discovery keys.
+        attribute :discovery_tag, T::String.default('PersistentStateFor')
+
+        # Whether to enable EBS encryption-at-rest. Default true.
+        # Set false only for non-sensitive workloads where the marginal
+        # cost matters.
+        attribute :encrypted, T::Bool.default(true)
+
+        # KMS key ARN/alias for encryption. nil = AWS-managed default key.
+        attribute :kms_key_id, T::String.optional.default(nil)
+
+        # Provisioned IOPS (gp3: 3000-16000; io1/io2 required). nil =
+        # volume-type baseline.
+        attribute :iops, T::Coercible::Integer.optional.default(nil)
+
+        # Provisioned throughput in MiB/s (gp3 only: 125-1000). nil =
+        # baseline.
+        attribute :throughput, T::Coercible::Integer.optional.default(nil)
+
+        # Availability zone for the volume. Must match the AZ where the
+        # ASG instance launches. When nil, the backend derives it from
+        # the first system-pool subnet's AZ.
+        attribute :availability_zone, T::String.optional.default(nil)
+
+        def to_h
+          hash = {
+            size_gb: size_gb,
+            volume_type: volume_type,
+            mount_path: mount_path,
+            filesystem: filesystem,
+            discovery_tag: discovery_tag,
+            encrypted: encrypted
+          }
+          hash[:kms_key_id] = kms_key_id if kms_key_id
+          hash[:iops] = iops if iops
+          hash[:throughput] = throughput if throughput
+          hash[:availability_zone] = availability_zone if availability_zone
+          hash
+        end
+      end
+    end
+  end
+end

data/lib/pangea/kubernetes/types/pki_config.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require 'pangea/resources/types'
+
+module Pangea
+  module Kubernetes
+    module Types
+      # PKI configuration for blackmatter-kubernetes NixOS modules.
+      # Maps to `pki.*` options in the NixOS module.
+      # Controls certificate generation and distribution.
+      class PKIConfig < Pangea::Resources::BaseAttributes
+        transform_keys(&:to_sym)
+
+        # PKI mode: 'auto' (generated), 'manual' (user-provided), or 'external' (cert-manager)
+        attribute :mode, T::String.constrained(
+          included_in: %w[auto manual external]
+        ).default('auto')
+
+        # Certificate validity period in days
+        attribute :cert_validity_days, T::Coercible::Integer.constrained(gteq: 1).default(365)
+
+        # CA certificate path (for manual mode)
+        attribute :ca_cert_path, T::String.optional.default(nil)
+
+        # CA key path (for manual mode)
+        attribute :ca_key_path, T::String.optional.default(nil)
+
+        # Additional SANs for the API server certificate
+        attribute :api_server_extra_sans, T::Array.of(T::String).default([].freeze)
+
+        # Certificate directory
+        attribute :cert_dir, T::String.default('/etc/kubernetes/pki')
+
+        def to_h
+          hash = {
+            mode: mode,
+            cert_validity_days: cert_validity_days,
+            cert_dir: cert_dir
+          }
+          hash[:ca_cert_path] = ca_cert_path if ca_cert_path
+          hash[:ca_key_path] = ca_key_path if ca_key_path
+          hash[:api_server_extra_sans] = api_server_extra_sans if api_server_extra_sans.any?
+          hash
+        end
+      end
+    end
+  end
+end

data/lib/pangea/kubernetes/types/secrets_config.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require 'pangea/resources/types'
+
+module Pangea
+  module Kubernetes
+    module Types
+      # Secrets configuration for sops-nix path references.
+      # These are file paths that sops-nix decrypts at boot time.
+      # NEVER contains actual secret values — only filesystem paths.
+      class SecretsConfig < Pangea::Resources::BaseAttributes
+        transform_keys(&:to_sym)
+
+        # Path to the FluxCD SSH deploy key (decrypted by sops-nix)
+        attribute :flux_ssh_key_path, T::String.optional.default(nil)
+
+        # Path to the FluxCD token (decrypted by sops-nix)
+        attribute :flux_token_path, T::String.optional.default(nil)
+
+        # Path to the SOPS age key (decrypted by sops-nix)
+        attribute :sops_age_key_path, T::String.optional.default(nil)
+
+        # Path to the K8s join token (decrypted by sops-nix)
+        attribute :join_token_path, T::String.optional.default(nil)
+
+        # Additional secret paths (name => path)
+        attribute :extra_paths, T::Hash.default({}.freeze)
+
+        def to_h
+          hash = {}
+          hash[:flux_ssh_key_path] = flux_ssh_key_path if flux_ssh_key_path
+          hash[:flux_token_path] = flux_token_path if flux_token_path
+          hash[:sops_age_key_path] = sops_age_key_path if sops_age_key_path
+          hash[:join_token_path] = join_token_path if join_token_path
+          hash[:extra_paths] = extra_paths if extra_paths.any?
+          hash
+        end
+      end
+    end
+  end
+end

data/lib/pangea/kubernetes/types/vpn_config.rb

@@ -0,0 +1,188 @@
+# frozen_string_literal: true
+
+require 'pangea/resources/types'
+
+module Pangea
+  module Kubernetes
+    module Types
+      # Valid VPN profiles — must match kindling's VALID_VPN_PROFILES and
+      # blackmatter-vpn's lib/profiles.nix
+      VALID_VPN_PROFILES = %w[k8s-control-plane k8s-full site-to-site mesh].freeze
+
+      # VPN peer configuration for WireGuard links.
+      class VpnPeerConfig < Pangea::Resources::BaseAttributes
+        transform_keys(&:to_sym)
+
+        attribute :public_key, T::String
+        attribute :endpoint, T::String.optional.default(nil)
+        attribute :allowed_ips, T::Array.of(T::String).default([].freeze)
+        attribute :persistent_keepalive, T::Coercible::Integer.optional.default(nil)
+        attribute :preshared_key_file, T::String.optional.default(nil)
+
+        def to_h
+          hash = { public_key: public_key, allowed_ips: allowed_ips }
+          hash[:endpoint] = endpoint if endpoint
+          hash[:persistent_keepalive] = persistent_keepalive if persistent_keepalive
+          hash[:preshared_key_file] = preshared_key_file if preshared_key_file
+          hash
+        end
+      end
+
+      # Per-link firewall configuration.
+      class VpnFirewallConfig < Pangea::Resources::BaseAttributes
+        transform_keys(&:to_sym)
+
+        attribute :trust_interface, T::Bool.default(false)
+        attribute :allowed_tcp_ports, T::Array.of(T::Coercible::Integer).default([].freeze)
+        attribute :allowed_udp_ports, T::Array.of(T::Coercible::Integer).default([].freeze)
+        attribute :incoming_udp_port, T::Coercible::Integer.optional.default(nil)
+
+        def to_h
+          hash = { trust_interface: trust_interface }
+          hash[:allowed_tcp_ports] = allowed_tcp_ports if allowed_tcp_ports.any?
+          hash[:allowed_udp_ports] = allowed_udp_ports if allowed_udp_ports.any?
+          hash[:incoming_udp_port] = incoming_udp_port if incoming_udp_port
+          hash
+        end
+      end
+
+      # A single WireGuard VPN link.
+      class VpnLinkConfig < Pangea::Resources::BaseAttributes
+        transform_keys(&:to_sym)
+
+        attribute :name, T::String
+        attribute :private_key_file, T::String.optional.default(nil)
+        attribute :listen_port, T::Coercible::Integer.optional.default(nil)
+        attribute :address, T::String.optional.default(nil)
+        attribute :profile, T::String.optional.default(nil)
+        attribute :persistent_keepalive, T::Coercible::Integer.optional.default(nil)
+        attribute :mtu, T::Coercible::Integer.optional.default(nil)
+        attribute :peers, T::Array.of(VpnPeerConfig).default([].freeze)
+        attribute :firewall, VpnFirewallConfig.optional.default(nil)
+
+        def to_h
+          hash = { name: name }
+          hash[:private_key_file] = private_key_file if private_key_file
+          hash[:listen_port] = listen_port if listen_port
+          hash[:address] = address if address
+          hash[:profile] = profile if profile
+          hash[:persistent_keepalive] = persistent_keepalive if persistent_keepalive
+          hash[:mtu] = mtu if mtu
+          hash[:peers] = peers.map(&:to_h) if peers.any?
+          hash[:firewall] = firewall.to_h if firewall
+          hash
+        end
+      end
+
+      # Top-level VPN configuration for a cluster.
+      class VpnConfig < Pangea::Resources::BaseAttributes
+        transform_keys(&:to_sym)
+
+        attribute :require_liveness, T::Bool.default(false)
+        attribute :links, T::Array.of(VpnLinkConfig).default([].freeze)
+
+        def to_h
+          return {} if links.empty?
+
+          hash = { links: links.map(&:to_h) }
+          hash[:require_liveness] = true if require_liveness
+          hash
+        end
+
+        # Validate VPN configuration — mirrors kindling's structural checks.
+        # Raises ArgumentError with all violations if any are found.
+        def validate!
+          return if links.empty?
+
+          errors = []
+          links.each_with_index do |link, i|
+            ctx = "vpn.links[#{i}] (#{link.name})"
+
+            errors << "#{ctx}: address is not a valid CIDR" if link.address && !valid_cidr?(link.address)
+            errors << "#{ctx}: profile '#{link.profile}' is not valid" if link.profile && !VALID_VPN_PROFILES.include?(link.profile)
+
+            if link.listen_port && link.listen_port != 0 && (link.listen_port < 1024 || link.listen_port > 65_535)
+              errors << "#{ctx}: listen_port #{link.listen_port} outside valid range (0 or 1024-65535)"
+            end
+
+            if link.mtu && (link.mtu < 1280 || link.mtu > 9000)
+              errors << "#{ctx}: mtu #{link.mtu} outside valid range (1280-9000)"
+            end
+
+            link.peers.each_with_index do |peer, j|
+              pctx = "#{ctx}.peers[#{j}]"
+              errors << "#{pctx}: public_key does not look like a valid WireGuard key" if peer.public_key && !valid_wg_key?(peer.public_key)
+
+              peer.allowed_ips.each do |ip|
+                errors << "#{pctx}: allowed_ips entry '#{ip}' is not a valid CIDR" unless valid_cidr?(ip)
+              end
+
+              if peer.endpoint && !valid_endpoint?(peer.endpoint)
+                errors << "#{pctx}: endpoint '#{peer.endpoint}' is not valid (expected host:port)"
+              end
+            end
+          end
+
+          return if errors.empty?
+
+          raise ArgumentError,
+                "VPN validation failed (#{errors.length} violation(s)):\n  - #{errors.join("\n  - ")}"
+        end
+
+        private
+
+        def valid_cidr?(cidr)
+          parts = cidr.split('/', 2)
+          return false unless parts.length == 2
+
+          ip_str, prefix_str = parts
+          begin
+            prefix = Integer(prefix_str, 10)
+          rescue ArgumentError
+            return false
+          end
+
+          require 'ipaddr'
+          begin
+            addr = IPAddr.new(ip_str)
+          rescue IPAddr::InvalidAddressError
+            return false
+          end
+
+          if addr.ipv4?
+            prefix >= 0 && prefix <= 32
+          else
+            prefix >= 0 && prefix <= 128
+          end
+        end
+
+        def valid_wg_key?(key)
+          # WireGuard keys are 32 bytes base64-encoded = 44 characters ending with =
+          key.match?(/\A[A-Za-z0-9+\/]{43}=\z/)
+        end
+
+        def valid_endpoint?(endpoint)
+          # Handle IPv6: [host]:port
+          if endpoint.start_with?('[')
+            match = endpoint.match(/\A\[.+\]:(\d+)\z/)
+            return false unless match
+
+            port = match[1].to_i
+            return port >= 1 && port <= 65_535
+          end
+
+          # IPv4/hostname: host:port
+          parts = endpoint.rpartition(':')
+          return false if parts[0].empty? || parts[2].empty?
+
+          begin
+            port = Integer(parts[2], 10)
+          rescue ArgumentError
+            return false
+          end
+          port >= 1 && port <= 65_535
+        end
+      end
+    end
+  end
+end

data/lib/pangea/kubernetes/types/wait_for_dns_config.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require 'pangea/resources/types'
+
+module Pangea
+  module Kubernetes
+    module Types
+      # DNS wait configuration for blackmatter-kubernetes NixOS modules.
+      # Maps to `waitForDNS.*` options in the NixOS module.
+      class WaitForDNSConfig < Pangea::Resources::BaseAttributes
+        transform_keys(&:to_sym)
+
+        # Enable waiting for DNS resolution before bootstrap
+        attribute :enabled, T::Bool.default(false)
+
+        # DNS hostname to resolve before proceeding
+        attribute :hostname, T::String.optional.default(nil)
+
+        # Maximum wait time in seconds
+        attribute :timeout_seconds, T::Coercible::Integer.constrained(gteq: 1).default(300)
+
+        # Retry interval in seconds
+        attribute :retry_interval, T::Coercible::Integer.constrained(gteq: 1).default(5)
+
+        def to_h
+          hash = { enabled: enabled }
+          hash[:hostname] = hostname if hostname
+          hash[:timeout_seconds] = timeout_seconds
+          hash[:retry_interval] = retry_interval
+          hash
+        end
+      end
+    end
+  end
+end