pangea-kubernetes 0.1.0

data/lib/pangea/kubernetes/backends/gcp_gke.rb

@@ -0,0 +1,176 @@
+# frozen_string_literal: true
+
+# Copyright 2025 The Pangea Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'pangea/kubernetes/backends/base'
+
+module Pangea
+  module Kubernetes
+    module Backends
+      # GCP GKE backend — creates managed GKE clusters with VPC-native networking.
+      module GcpGke
+        include Base
+
+        class << self
+          def backend_name = :gcp
+          def managed_kubernetes? = true
+          def required_gem = 'pangea-gcp'
+
+          def load_provider!
+            require required_gem
+          rescue LoadError => e
+            raise LoadError,
+                  "Backend :gcp requires gem 'pangea-gcp'. " \
+                  "Add it to your Gemfile: gem 'pangea-gcp'\n" \
+                  "Original error: #{e.message}"
+          end
+
+          # Create GCP VPC network + subnet
+          def create_network(ctx, name, config, tags)
+            network = Architecture::NetworkResult.new
+
+            network.vpc = ctx.google_compute_network(
+              :"#{name}_network",
+              name: "#{name}-network",
+              auto_create_subnetworks: false,
+              project: config.project
+            )
+
+            subnet = ctx.google_compute_subnetwork(
+              :"#{name}_subnet",
+              name: "#{name}-subnet",
+              ip_cidr_range: config.network&.vpc_cidr || '10.0.0.0/20',
+              region: config.region,
+              network: network.vpc.id,
+              project: config.project,
+              secondary_ip_range: [
+                { range_name: "#{name}-pods", ip_cidr_range: config.network&.pod_cidr || '10.1.0.0/16' },
+                { range_name: "#{name}-services", ip_cidr_range: config.network&.service_cidr || '10.2.0.0/20' }
+              ]
+            )
+            network.add_subnet(:subnet, subnet)
+
+            network
+          end
+
+          # GKE uses Workload Identity — no standalone IAM resources needed
+          def create_iam(ctx, name, config, tags)
+            iam = Architecture::GcpIamResult.new
+
+            # Service account for GKE nodes
+            iam.node_sa = ctx.google_service_account(
+              :"#{name}_node_sa",
+              account_id: "#{name}-gke-nodes",
+              display_name: "#{name} GKE Node Service Account",
+              project: config.project
+            )
+
+            # Bind minimum required roles
+            %w[logging.logWriter monitoring.metricWriter monitoring.viewer].each do |role|
+              ctx.google_project_iam_member(
+                :"#{name}_node_#{role.gsub('.', '_')}",
+                project: config.project,
+                role: "roles/#{role}",
+                member: "serviceAccount:#{iam.node_sa.email}"
+              )
+            end
+
+            iam
+          end
+
+          # Create the GKE cluster
+          def create_cluster(ctx, name, config, result, tags)
+            cluster_attrs = {
+              name: "#{name}-cluster",
+              location: config.region,
+              project: config.project,
+              initial_node_count: 1,
+              remove_default_node_pool: true,
+              min_master_version: config.kubernetes_version,
+              deletion_protection: false,
+              networking_mode: 'VPC_NATIVE',
+              resource_labels: gke_labels(tags)
+            }
+
+            # VPC-native networking
+            if result.network
+              cluster_attrs[:network] = result.network[:vpc]&.id
+              cluster_attrs[:subnetwork] = result.network[:subnet]&.id
+              cluster_attrs[:ip_allocation_policy] = {
+                cluster_secondary_range_name: "#{name}-pods",
+                services_secondary_range_name: "#{name}-services"
+              }
+            end
+
+            # Private cluster
+            if config.network&.private_endpoint
+              cluster_attrs[:private_cluster_config] = {
+                enable_private_nodes: true,
+                enable_private_endpoint: !config.network.public_endpoint,
+                master_ipv4_cidr_block: '172.16.0.0/28'
+              }
+            end
+
+            # Workload Identity
+            if config.project
+              cluster_attrs[:workload_identity_config] = {
+                workload_pool: "#{config.project}.svc.id.goog"
+              }
+            end
+
+            # Release channel
+            cluster_attrs[:release_channel] = { channel: 'REGULAR' }
+
+            ctx.google_container_cluster(:"#{name}_cluster", cluster_attrs)
+          end
+
+          # Create a GKE node pool
+          def create_node_pool(ctx, name, cluster_ref, pool_config, tags)
+            pool_name = :"#{name}_#{pool_config.name}"
+
+            node_pool_attrs = {
+              name: "#{name}-#{pool_config.name}",
+              cluster: cluster_ref.id,
+              location: tags[:Region] || 'us-central1',
+              initial_node_count: pool_config.effective_desired_size,
+              node_config: {
+                machine_type: pool_config.instance_types.first,
+                disk_size_gb: pool_config.disk_size_gb,
+                oauth_scopes: ['https://www.googleapis.com/auth/cloud-platform'],
+                labels: pool_config.labels.merge(
+                  'node-pool' => pool_config.name.to_s
+                )
+              },
+              autoscaling: {
+                min_node_count: pool_config.min_size,
+                max_node_count: pool_config.max_size
+              }
+            }
+
+            ctx.google_container_node_pool(pool_name, node_pool_attrs)
+          end
+
+          private
+
+          # Convert tags to GKE-compatible labels (lowercase, hyphens)
+          def gke_labels(tags)
+            tags.transform_keys { |k| k.to_s.downcase.gsub(/[^a-z0-9-]/, '-') }
+              .transform_values { |v| v.to_s.downcase.gsub(/[^a-z0-9-]/, '-') }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/pangea/kubernetes/backends/gcp_nixos.rb

@@ -0,0 +1,240 @@
+# frozen_string_literal: true
+
+# Copyright 2025 The Pangea Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'pangea/kubernetes/backends/base'
+require 'pangea/kubernetes/backends/nixos_base'
+
+module Pangea
+  module Kubernetes
+    module Backends
+      # GCP NixOS backend — GCE instances running NixOS with k3s/k8s
+      # via blackmatter-kubernetes modules.
+      #
+      # Uses:
+      #   - GCE instances for control plane (static)
+      #   - Managed Instance Groups (MIGs) for worker node pools
+      #   - VPC + Firewall rules for networking
+      #   - Instance Templates for NixOS image + cloud-init
+      #
+      # No managed K8s services (GKE) — all k3s/k8s managed by NixOS.
+      module GcpNixos
+        include Base
+        extend NixosBase
+
+        class << self
+          def backend_name = :gcp_nixos
+          def managed_kubernetes? = false
+          def required_gem = 'pangea-gcp'
+
+          def load_provider!
+            require required_gem
+          rescue LoadError => e
+            raise LoadError,
+                  "Backend :gcp_nixos requires gem 'pangea-gcp'. " \
+                  "Add it to your Gemfile: gem 'pangea-gcp'\n" \
+                  "Original error: #{e.message}"
+          end
+
+          # Create VPC network + subnet + firewall rules
+          def create_network(ctx, name, config, tags)
+            network = Architecture::GcpNetworkResult.new
+
+            network.vpc = ctx.google_compute_network(
+              :"#{name}_network",
+              name: "#{name}-network",
+              auto_create_subnetworks: false,
+              project: config.project
+            )
+
+            subnet = ctx.google_compute_subnetwork(
+              :"#{name}_subnet",
+              name: "#{name}-subnet",
+              ip_cidr_range: config.network&.vpc_cidr || '10.0.0.0/20',
+              region: config.region,
+              network: network.vpc.id,
+              project: config.project
+            )
+            network.add_subnet(:subnet, subnet)
+
+            # Firewall rules for k3s/k8s
+            network.firewall_internal = ctx.google_compute_firewall(
+              :"#{name}_fw_internal",
+              name: "#{name}-allow-internal",
+              network: network.vpc.id,
+              project: config.project,
+              allow: [
+                { protocol: 'tcp', ports: %w[0-65535] },
+                { protocol: 'udp', ports: %w[0-65535] },
+                { protocol: 'icmp' }
+              ],
+              source_ranges: [config.network&.vpc_cidr || '10.0.0.0/20']
+            )
+
+            network.firewall_external = ctx.google_compute_firewall(
+              :"#{name}_fw_external",
+              name: "#{name}-allow-external",
+              network: network.vpc.id,
+              project: config.project,
+              allow: [
+                { protocol: 'tcp', ports: %w[22 80 443 6443] }
+              ],
+              source_ranges: ['0.0.0.0/0']
+            )
+
+            network
+          end
+
+          # Service account for GCE instances (minimal permissions)
+          def create_iam(ctx, name, config, tags)
+            iam = Architecture::GcpIamResult.new
+
+            iam.node_sa = ctx.google_service_account(
+              :"#{name}_node_sa",
+              account_id: "#{name}-nixos-nodes",
+              display_name: "#{name} NixOS K8s Node Service Account",
+              project: config.project
+            )
+
+            %w[logging.logWriter monitoring.metricWriter].each do |role|
+              ctx.google_project_iam_member(
+                :"#{name}_node_#{role.gsub('.', '_')}",
+                project: config.project,
+                role: "roles/#{role}",
+                member: "serviceAccount:#{iam.node_sa.email}"
+              )
+            end
+
+            iam
+          end
+
+          # Create control plane GCE instances (static, no MIG)
+          def create_cluster(ctx, name, config, result, tags)
+            nixos_create_cluster(ctx, name, config, result, tags)
+          end
+
+          # Create worker node pool via Instance Template + MIG + Autoscaler
+          def create_node_pool(ctx, name, cluster_ref, pool_config, tags)
+            nixos_create_node_pool(ctx, name, cluster_ref, pool_config, tags)
+          end
+
+          # --- NixosBase template hooks ---
+
+          def create_compute_instance(ctx, name, config, result, cloud_init, index, tags)
+            system_pool = config.system_node_pool
+            machine_type = system_pool.instance_types.first
+            image = config.gce_image || config.nixos&.image_id || 'nixos-24-05'
+
+            ctx.google_compute_instance(
+              :"#{name}_cp_#{index}",
+              name: "#{name}-cp-#{index}",
+              machine_type: machine_type,
+              zone: "#{config.region}-a",
+              project: config.project,
+              boot_disk: {
+                initialize_params: {
+                  image: image,
+                  size: system_pool.disk_size_gb
+                }
+              },
+              network_interface: {
+                network: result.network&.dig(:vpc)&.id,
+                subnetwork: result.network&.dig(:subnet)&.id,
+                access_config: {}
+              },
+              metadata: {
+                'user-data' => cloud_init
+              },
+              service_account: {
+                email: result.iam&.dig(:node_sa)&.email,
+                scopes: ['cloud-platform']
+              },
+              labels: gce_labels(tags.merge(
+                role: 'control-plane',
+                node_index: index.to_s,
+                distribution: config.distribution.to_s
+              ))
+            )
+          end
+
+          def create_worker_pool(ctx, name, _cluster_ref, pool_config, cloud_init, tags)
+            pool_name = :"#{name}_#{pool_config.name}"
+            machine_type = pool_config.instance_types.first
+
+            # Instance Template
+            template = ctx.google_compute_instance_template(
+              :"#{pool_name}_template",
+              name: "#{name}-#{pool_config.name}-template",
+              machine_type: machine_type,
+              project: tags[:Project],
+              disk: [{
+                source_image: tags[:Image] || 'nixos-24-05',
+                disk_size_gb: pool_config.disk_size_gb,
+                auto_delete: true,
+                boot: true
+              }],
+              network_interface: {
+                network: tags[:NetworkId],
+                subnetwork: tags[:SubnetId],
+                access_config: {}
+              },
+              metadata: { 'user-data' => cloud_init },
+              labels: gce_labels(tags.merge(
+                role: 'worker',
+                node_pool: pool_config.name.to_s
+              ))
+            )
+
+            # Managed Instance Group
+            mig = ctx.google_compute_instance_group_manager(
+              :"#{pool_name}_mig",
+              name: "#{name}-#{pool_config.name}-mig",
+              base_instance_name: "#{name}-#{pool_config.name}",
+              zone: "#{tags[:Region] || 'us-central1'}-a",
+              project: tags[:Project],
+              target_size: pool_config.effective_desired_size,
+              version: [{
+                instance_template: template.id
+              }]
+            )
+
+            # Autoscaler
+            ctx.google_compute_autoscaler(
+              :"#{pool_name}_autoscaler",
+              name: "#{name}-#{pool_config.name}-autoscaler",
+              zone: "#{tags[:Region] || 'us-central1'}-a",
+              project: tags[:Project],
+              target: mig.id,
+              autoscaling_policy: {
+                min_replicas: pool_config.min_size,
+                max_replicas: pool_config.max_size,
+                cpu_utilization: { target: 0.7 }
+              }
+            )
+
+            mig
+          end
+
+          private
+
+          def gce_labels(tags)
+            tags.transform_keys { |k| k.to_s.downcase.gsub(/[^a-z0-9-]/, '-') }
+              .transform_values { |v| v.to_s.downcase.gsub(/[^a-z0-9-]/, '-') }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/pangea/kubernetes/backends/hcloud_k3s.rb

@@ -0,0 +1,181 @@
+# frozen_string_literal: true
+
+# Copyright 2025 The Pangea Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'pangea/kubernetes/backends/base'
+require 'pangea/kubernetes/backends/nixos_base'
+
+module Pangea
+  module Kubernetes
+    module Backends
+      # Hetzner Cloud NixOS backend.
+      # Provisions NixOS VMs with cloud-init carrying blackmatter-kubernetes config.
+      # Supports both k3s and vanilla Kubernetes distributions.
+      module HcloudK3s
+        include Base
+        extend NixosBase
+
+        class << self
+          def backend_name = :hcloud
+          def managed_kubernetes? = false
+          def required_gem = 'pangea-hcloud'
+
+          def load_provider!
+            require required_gem
+          rescue LoadError => e
+            raise LoadError,
+                  "Backend :hcloud requires gem 'pangea-hcloud'. " \
+                  "Add it to your Gemfile: gem 'pangea-hcloud'\n" \
+                  "Original error: #{e.message}"
+          end
+
+          # Create Hetzner Cloud network + subnet
+          def create_network(ctx, name, config, tags)
+            network = Architecture::HcloudNetworkResult.new
+
+            ip_range = config.network&.vpc_cidr || '10.0.0.0/16'
+            network.network = ctx.hcloud_network(
+              :"#{name}_network",
+              name: "#{name}-network",
+              ip_range: ip_range,
+              labels: hcloud_labels(tags)
+            )
+            network.vpc = network.network
+
+            subnet = ctx.hcloud_network_subnet(
+              :"#{name}_subnet",
+              network_id: network.network.id,
+              type: 'cloud',
+              network_zone: config.region,
+              ip_range: config.network&.pod_cidr || '10.0.1.0/24'
+            )
+            network.add_subnet(:subnet, subnet)
+
+            network
+          end
+
+          # NixOS doesn't use cloud IAM — return empty
+          def create_iam(_ctx, _name, _config, _tags)
+            Architecture::IamResult.new
+          end
+
+          # Create control plane server(s) as hcloud_server resources
+          def create_cluster(ctx, name, config, result, tags)
+            # Create firewall first
+            ctx.hcloud_firewall(
+              :"#{name}_firewall",
+              name: "#{name}-firewall",
+              rules: hcloud_firewall_rules(config.distribution),
+              labels: hcloud_labels(tags)
+            )
+
+            nixos_create_cluster(ctx, name, config, result, tags)
+          end
+
+          # Create worker nodes as hcloud_server resources
+          def create_node_pool(ctx, name, cluster_ref, pool_config, tags)
+            # Hetzner doesn't have ASG — create individual servers
+            server_type = pool_config.instance_types.first
+            count = pool_config.effective_desired_size
+
+            servers = []
+            count.times do |idx|
+              # Generate per-worker cloud-init with unique node_index (not shared)
+              cloud_init = build_agent_cloud_init(name, tags, cluster_ref, node_index: idx)
+
+              server = ctx.hcloud_server(
+                :"#{name}_#{pool_config.name}_#{idx}",
+                name: "#{name}-#{pool_config.name}-#{idx}",
+                server_type: server_type,
+                image: 'ubuntu-24.04',
+                location: tags[:Region] || 'nbg1',
+                user_data: cloud_init,
+                ssh_keys: pool_config.ssh_keys,
+                labels: hcloud_labels(tags.merge(
+                  Role: 'worker',
+                  NodePool: pool_config.name.to_s,
+                  NodeIndex: idx.to_s
+                ))
+              )
+
+              servers << server
+            end
+
+            servers.first
+          end
+
+          # --- NixosBase template hooks ---
+
+          def create_compute_instance(ctx, name, config, result, cloud_init, index, tags)
+            system_pool = config.system_node_pool
+            server_type = system_pool.instance_types.first
+            firewall = result.network ? ctx.created_resources&.find { |r| r[:type] == 'hcloud_firewall' } : nil
+
+            ctx.hcloud_server(
+              :"#{name}_cp_#{index}",
+              name: "#{name}-cp-#{index}",
+              server_type: server_type,
+              image: nixos_image(config),
+              location: config.region,
+              user_data: cloud_init,
+              ssh_keys: system_pool.ssh_keys,
+              firewall_ids: firewall ? [firewall[:ref].id] : [],
+              labels: hcloud_labels(tags.merge(
+                Role: 'control-plane',
+                NodeIndex: index.to_s,
+                Distribution: config.distribution.to_s
+              ))
+            )
+          end
+
+          # Override post_create_instance for Hetzner network attachment
+          def post_create_instance(ctx, name, server, result, index, _tags)
+            return unless result.network&.dig(:network)
+
+            ctx.hcloud_server_network(
+              :"#{name}_cp_#{index}_network",
+              server_id: server.id,
+              network_id: result.network[:network].id
+            )
+          end
+
+          private
+
+          def nixos_image(config)
+            config.nixos&.image_id || 'ubuntu-24.04'
+          end
+
+          # Convert standard tags to Hetzner labels (lowercase, underscored)
+          def hcloud_labels(tags)
+            tags.transform_keys { |k| k.to_s.downcase.gsub(/[^a-z0-9_]/, '_') }
+          end
+
+          # Firewall rules for k3s or vanilla k8s
+          def hcloud_firewall_rules(distribution)
+            base_firewall_ports(distribution).map do |_name, port_def|
+              source_ips = port_def[:public] ? ['0.0.0.0/0', '::/0'] : ['10.0.0.0/8']
+              {
+                direction: 'in',
+                protocol: port_def[:protocol].to_s,
+                port: port_def[:port].to_s,
+                source_ips: source_ips
+              }
+            end
+          end
+        end
+      end
+    end
+  end
+end