raijin-server 0.1.0__py3-none-any.whl → 0.2.0__py3-none-any.whl

raijin_server/modules/observability_dashboards.py

@@ -0,0 +1,233 @@
+"""Provisiona dashboards opinativos do Grafana e alertas padrao do Prometheus/Alertmanager."""
+
+from __future__ import annotations
+
+import json
+import textwrap
+from pathlib import Path
+
+import typer
+
+from raijin_server.utils import (
+    ExecutionContext,
+    kubectl_apply,
+    kubectl_create_ns,
+    require_root,
+    write_file,
+)
+
+MANIFEST_PATH = Path("/tmp/raijin-observability-dashboards.yaml")
+
+CLUSTER_DASHBOARD = {
+    "title": "Raijin Cluster Overview",
+    "uid": "raijin-cluster",
+    "timezone": "browser",
+    "schemaVersion": 39,
+    "panels": [
+        {
+            "type": "timeseries",
+            "title": "Node CPU %",
+            "datasource": "Prometheus",
+            "targets": [
+                {
+                    "expr": '100 - (avg by(instance) (irate(node_cpu_seconds_total{mode="idle"}[5m])) * 100)',
+                    "legendFormat": "{{instance}}",
+                }
+            ],
+        },
+        {
+            "type": "timeseries",
+            "title": "Node Memory %",
+            "datasource": "Prometheus",
+            "targets": [
+                {
+                    "expr": '((node_memory_MemTotal_bytes - node_memory_MemAvailable_bytes) / node_memory_MemTotal_bytes) * 100',
+                    "legendFormat": "{{instance}}",
+                }
+            ],
+        },
+        {
+            "type": "stat",
+            "title": "API Server Errors (5m)",
+            "datasource": "Prometheus",
+            "targets": [
+                {
+                    "expr": 'sum(rate(apiserver_request_total{code=~"5.."}[5m]))',
+                }
+            ],
+        },
+    ],
+}
+
+SLO_DASHBOARD = {
+    "title": "Raijin SLO - Workloads",
+    "uid": "raijin-slo",
+    "schemaVersion": 39,
+    "panels": [
+        {
+            "type": "timeseries",
+            "title": "Pod Restarts (1h)",
+            "datasource": "Prometheus",
+            "targets": [
+                {
+                    "expr": 'increase(kube_pod_container_status_restarts_total[1h])',
+                    "legendFormat": "{{namespace}}/{{pod}}",
+                }
+            ],
+        },
+        {
+            "type": "timeseries",
+            "title": "Ingress HTTP 5xx Rate",
+            "datasource": "Prometheus",
+            "targets": [
+                {
+                    "expr": 'sum(rate(traefik_service_requests_total{code=~"5.."}[5m])) by (service)',
+                    "legendFormat": "{{service}}",
+                }
+            ],
+        },
+        {
+            "type": "gauge",
+            "title": "Cluster CPU Pressure",
+            "datasource": "Prometheus",
+            "targets": [
+                {
+                    "expr": 'avg(node_pressure_cpu_waiting_seconds_total)',
+                }
+            ],
+        },
+    ],
+}
+
+
+def _json_block(obj: dict) -> str:
+    return json.dumps(obj, indent=2, separators=(",", ": "))
+
+
+def _alertmanager_block(contact_email: str, webhook_url: str) -> str:
+    receivers = ["receivers:", "  - name: default"]
+    if contact_email:
+        receivers.append("    email_configs:")
+        receivers.append(f"      - to: {contact_email}")
+        receivers.append("        send_resolved: true")
+    if webhook_url:
+        receivers.append("    webhook_configs:")
+        receivers.append(f"      - url: {webhook_url}")
+        receivers.append("        send_resolved: true")
+    receivers_str = "\n".join(receivers) if len(receivers) > 2 else "receivers:\n  - name: default"
+    return textwrap.dedent(
+        f"""
+route:
+  receiver: default
+  group_by: ['alertname']
+  group_wait: 30s
+  group_interval: 5m
+  repeat_interval: 4h
+{receivers_str}
+"""
+    ).strip()
+
+
+def _build_manifest(namespace: str, contact_email: str, webhook_url: str) -> str:
+    cluster_json = textwrap.indent(_json_block(CLUSTER_DASHBOARD), "    ")
+    slo_json = textwrap.indent(_json_block(SLO_DASHBOARD), "    ")
+    alertmanager_yaml = textwrap.indent(_alertmanager_block(contact_email, webhook_url), "    ")
+
+    prometheus_rules = textwrap.dedent(
+        f"""
+        apiVersion: monitoring.coreos.com/v1
+        kind: PrometheusRule
+        metadata:
+          name: raijin-default-alerts
+          namespace: {namespace}
+        spec:
+          groups:
+            - name: raijin-cluster-health
+              rules:
+                - alert: NodeDown
+                  expr: kube_node_status_condition{{condition="Ready",status="true"}} == 0
+                  for: 5m
+                  labels:
+                    severity: critical
+                  annotations:
+                    summary: "Node fora do cluster"
+                    description: "O node {{ $labels.node }} nao reporta Ready ha 5 minutos."
+                - alert: HighNodeCPU
+                  expr: avg(node_load1) by (instance) > count(node_cpu_seconds_total{{mode="system"}}) by (instance)
+                  for: 10m
+                  labels:
+                    severity: warning
+                  annotations:
+                    summary: "CPU elevada em {{ $labels.instance }}"
+                    description: "Load1 superior ao numero de cores ha 10 minutos."
+                - alert: APIServerErrorRate
+                  expr: sum(rate(apiserver_request_total{{code=~"5.."}}[5m])) > 5
+                  for: 5m
+                  labels:
+                    severity: warning
+                  annotations:
+                    summary: "API Server retornando 5xx"
+                    description: "Taxa de erros 5xx do API Server acima de 5 req/s."
+        """
+    ).strip()
+
+    grafana_cm = textwrap.dedent(
+        f"""
+        apiVersion: v1
+        kind: ConfigMap
+        metadata:
+          name: grafana-dashboards-raijin
+          namespace: {namespace}
+          labels:
+            grafana_dashboard: "1"
+        data:
+          cluster-overview.json: |
+{cluster_json}
+          slo-workloads.json: |
+{slo_json}
+        """
+    ).strip()
+
+    alertmanager_cm = textwrap.dedent(
+        f"""
+        apiVersion: v1
+        kind: ConfigMap
+        metadata:
+          name: alertmanager-raijin
+          namespace: {namespace}
+          labels:
+            app.kubernetes.io/name: alertmanager
+        data:
+          alertmanager.yml: |
+{alertmanager_yaml}
+        """
+    ).strip()
+
+    documents = "\n---\n".join([grafana_cm, alertmanager_cm, prometheus_rules])
+    return documents + "\n"
+
+
+def run(ctx: ExecutionContext) -> None:
+    require_root(ctx)
+    typer.echo("Aplicando dashboards e alertas opinativos...")
+
+    namespace = typer.prompt("Namespace de observabilidade", default="observability")
+    contact_email = typer.prompt(
+        "Email para receber alertas (ENTER para ignorar)",
+        default="",
+    )
+    webhook_url = typer.prompt(
+        "Webhook HTTP (Slack/Teams) para Alertmanager (ENTER para ignorar)",
+        default="",
+    )
+
+    kubectl_create_ns(namespace, ctx)
+
+    manifest = _build_manifest(namespace, contact_email, webhook_url)
+    write_file(MANIFEST_PATH, manifest, ctx)
+    kubectl_apply(str(MANIFEST_PATH), ctx)
+
+    typer.secho("Dashboards e alertas aplicados no namespace de observabilidade.", fg=typer.colors.GREEN)
+    typer.echo("Grafana: ConfigMap 'grafana-dashboards-raijin'")
+    typer.echo("Alertmanager: ConfigMap 'alertmanager-raijin'")
+    typer.echo("Prometheus: PrometheusRule 'raijin-default-alerts'")

raijin_server/modules/observability_ingress.py

@@ -0,0 +1,218 @@
+"""Provisiona ingressos seguros para Grafana, Prometheus e Alertmanager."""
+
+from __future__ import annotations
+
+import base64
+import subprocess
+from pathlib import Path
+from typing import Dict, List
+
+import typer
+
+from raijin_server.utils import (
+    ExecutionContext,
+    kubectl_apply,
+    kubectl_create_ns,
+    require_root,
+    write_file,
+)
+
+MANIFEST_PATH = Path("/tmp/raijin-observability-ingress.yaml")
+
+COMPONENTS: List[Dict[str, object]] = [
+    {
+        "key": "grafana",
+        "label": "Grafana",
+        "service": "grafana",
+        "port": 80,
+        "default_host": "grafana.example.com",
+        "default_tls": "grafana-tls",
+        "auth_secret": "grafana-basic-auth",
+        "middleware": "grafana-auth",
+    },
+    {
+        "key": "prometheus",
+        "label": "Prometheus",
+        "service": "kube-prometheus-stack-prometheus",
+        "port": 9090,
+        "default_host": "prometheus.example.com",
+        "default_tls": "prometheus-tls",
+        "auth_secret": "prometheus-basic-auth",
+        "middleware": "prometheus-auth",
+    },
+    {
+        "key": "alertmanager",
+        "label": "Alertmanager",
+        "service": "kube-prometheus-stack-alertmanager",
+        "port": 9093,
+        "default_host": "alerts.example.com",
+        "default_tls": "alertmanager-tls",
+        "auth_secret": "alertmanager-basic-auth",
+        "middleware": "alertmanager-auth",
+    },
+]
+
+
+def _generate_htpasswd(username: str, password: str) -> str:
+  try:
+    result = subprocess.run(
+      ["openssl", "passwd", "-6", password],
+      capture_output=True,
+      text=True,
+      check=True,
+    )
+    hashed = result.stdout.strip()
+  except Exception:
+    import crypt
+
+    hashed = crypt.crypt(password, crypt.mksalt(crypt.METHOD_SHA512))
+  return f"{username}:{hashed}"
+
+
+def _build_manifest(
+    namespace: str,
+    ingress_class: str,
+    services: List[Dict[str, object]],
+    encoded_users: str,
+    issuer_name: str,
+    issuer_kind: str,
+) -> str:
+    documents: List[str] = []
+
+    for svc in services:
+        host = svc["host"]
+        tls_secret = svc["tls_secret"]
+        auth_secret = svc["auth_secret"]
+        middleware = svc["middleware"]
+        service_name = svc["service"]
+        port = svc["port"]
+        name = svc["key"]
+
+        documents.append(
+            f"""apiVersion: v1
+kind: Secret
+metadata:
+  name: {auth_secret}
+  namespace: {namespace}
+type: Opaque
+data:
+  users: {encoded_users}
+"""
+        )
+
+        documents.append(
+            f"""apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: {middleware}
+  namespace: {namespace}
+spec:
+  basicAuth:
+    secret: {auth_secret}
+    removeHeader: true
+"""
+        )
+
+        if issuer_name:
+            documents.append(
+                f"""apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {name}-ingress-cert
+  namespace: {namespace}
+spec:
+  secretName: {tls_secret}
+  dnsNames:
+    - {host}
+  issuerRef:
+    name: {issuer_name}
+    kind: {issuer_kind}
+"""
+            )
+
+        documents.append(
+            f"""apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {name}-secure
+  namespace: {namespace}
+  annotations:
+    traefik.ingress.kubernetes.io/router.middlewares: {namespace}-{middleware}@kubernetescrd
+spec:
+  ingressClassName: {ingress_class}
+  rules:
+    - host: {host}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {service_name}
+                port:
+                  number: {port}
+  tls:
+    - secretName: {tls_secret}
+      hosts:
+        - {host}
+"""
+        )
+
+    return "---\n".join(documents)
+
+
+def run(ctx: ExecutionContext) -> None:
+    require_root(ctx)
+    typer.echo("Provisionando ingress seguro para observabilidade...")
+
+    namespace = typer.prompt("Namespace dos componentes", default="observability")
+    ingress_class = typer.prompt("IngressClass dedicada", default="traefik")
+    username = typer.prompt("Usuario para basic auth", default="observability")
+    password = typer.prompt(
+        "Senha para basic auth",
+        hide_input=True,
+        confirmation_prompt=True,
+    )
+
+    configured: List[Dict[str, object]] = []
+    for comp in COMPONENTS:
+        host = typer.prompt(f"Host para {comp['label']}", default=comp["default_host"])
+        tls_secret = typer.prompt(
+            f"Secret TLS para {comp['label']}",
+            default=comp["default_tls"],
+        )
+        configured.append({**comp, "host": host, "tls_secret": tls_secret})
+
+    issue_certs = typer.confirm("Gerar Certificates via cert-manager?", default=True)
+    issuer_name = ""
+    issuer_kind = "ClusterIssuer"
+    if issue_certs:
+        issuer_name = typer.prompt("Nome do issuer (cert-manager)", default="letsencrypt-prod")
+        issuer_kind = typer.prompt("Tipo do issuer (Issuer/ClusterIssuer)", default="ClusterIssuer")
+
+    secret_line = _generate_htpasswd(username, password)
+    encoded_users = base64.b64encode(secret_line.encode()).decode()
+
+    kubectl_create_ns(namespace, ctx)
+
+    manifest = _build_manifest(
+        namespace,
+        ingress_class,
+        configured,
+        encoded_users,
+        issuer_name,
+        issuer_kind,
+    )
+
+    write_file(MANIFEST_PATH, manifest, ctx)
+    kubectl_apply(str(MANIFEST_PATH), ctx)
+
+    typer.secho("Ingress seguro aplicado com sucesso.", fg=typer.colors.GREEN)
+    typer.echo("Hosts publicados:")
+    for svc in configured:
+        typer.echo(f"  - {svc['label']}: https://{svc['host']}")
+    if not issuer_name:
+        typer.secho(
+            "Certificados nao foram criados automaticamente. Certifique-se de que os secrets TLS existem.",
+            fg=typer.colors.YELLOW,
+        )

raijin_server/modules/sanitize.py

@@ -0,0 +1,142 @@
+"""Sanitizacao do servidor antes de nova instalacao Kubernetes."""
+
+from __future__ import annotations
+
+import shutil
+from pathlib import Path
+
+import typer
+
+from raijin_server.utils import ExecutionContext, require_root, run_cmd
+
+SYSTEMD_SERVICES = [
+    "kubelet",
+    "containerd",
+]
+
+APT_PACKAGES = [
+    "kubeadm",
+    "kubelet",
+    "kubectl",
+    "kubernetes-cni",
+    "cri-tools",
+    "containerd",
+]
+
+CLEAN_PATHS = [
+    "/etc/kubernetes",
+    "/etc/cni/net.d",
+    "/etc/calico",
+    "/var/lib/etcd",
+    "/var/lib/kubelet",
+    "/var/lib/cni",
+    "/var/lib/containerd",
+    "/var/run/kubernetes",
+    "/var/lib/dockershim",
+]
+
+TOOL_BINARIES = [
+    "/usr/local/bin/kubectl",
+    "/usr/local/bin/helm",
+    "/usr/local/bin/istioctl",
+    "/usr/local/bin/velero",
+]
+
+APT_MARKERS = [
+    "/etc/apt/sources.list.d/kubernetes.list",
+    "/etc/apt/keyrings/kubernetes-apt-keyring.gpg",
+]
+
+
+def _stop_services(ctx: ExecutionContext) -> None:
+    typer.echo("Parando serviços relacionados (kubelet, containerd)...")
+    for service in SYSTEMD_SERVICES:
+        run_cmd(["systemctl", "stop", service], ctx, check=False)
+        run_cmd(["systemctl", "disable", service], ctx, check=False)
+
+
+def _kubeadm_reset(ctx: ExecutionContext) -> None:
+    typer.echo("Executando kubeadm reset...")
+    if shutil.which("kubeadm") or ctx.dry_run:
+        run_cmd(["kubeadm", "reset", "-f"], ctx, check=False)
+    else:
+        typer.echo("kubeadm nao encontrado, pulando reset.")
+
+
+def _flush_iptables(ctx: ExecutionContext) -> None:
+    typer.echo("Limpando regras iptables/ip6tables e IPVS...")
+    tables = ["filter", "nat", "mangle", "raw"]
+    if shutil.which("iptables") or ctx.dry_run:
+        for table in tables:
+            run_cmd(["iptables", "-t", table, "-F"], ctx, check=False)
+            run_cmd(["iptables", "-t", table, "-X"], ctx, check=False)
+    if shutil.which("ip6tables") or ctx.dry_run:
+        for table in tables:
+            run_cmd(["ip6tables", "-t", table, "-F"], ctx, check=False)
+            run_cmd(["ip6tables", "-t", table, "-X"], ctx, check=False)
+    if shutil.which("ipvsadm") or ctx.dry_run:
+        run_cmd(["ipvsadm", "--clear"], ctx, check=False)
+
+
+def _purge_packages(ctx: ExecutionContext) -> None:
+    typer.echo("Removendo pacotes kube* e containerd...")
+    run_cmd(["apt-get", "purge", "-y", *APT_PACKAGES], ctx, check=False)
+    run_cmd(["apt-get", "autoremove", "-y"], ctx, check=False)
+    run_cmd(["apt-get", "clean"], ctx, check=False)
+
+
+def _remove_paths(ctx: ExecutionContext) -> None:
+    typer.echo("Removendo arquivos e diretorios residuais...")
+    for path in CLEAN_PATHS:
+        run_cmd(["rm", "-rf", path], ctx, check=False)
+    # Remove kubeconfigs de root e usuarios em /home
+    run_cmd(["rm", "-rf", "/root/.kube"], ctx, check=False)
+    home = Path("/home")
+    if home.exists() and home.is_dir():
+        for entry in home.iterdir():
+            candidate = entry / ".kube"
+            run_cmd(["rm", "-rf", str(candidate)], ctx, check=False)
+
+
+def _remove_tool_binaries(ctx: ExecutionContext) -> None:
+    typer.echo("Removendo binarios antigos (kubectl, helm, istioctl, velero)...")
+    for binary in TOOL_BINARIES:
+        run_cmd(["rm", "-f", binary], ctx, check=False)
+
+
+def _remove_apt_markers(ctx: ExecutionContext) -> None:
+    typer.echo("Limpando lista e chave do repositório Kubernetes...")
+    for marker in APT_MARKERS:
+        run_cmd(["rm", "-f", marker], ctx, check=False)
+
+
+def run(ctx: ExecutionContext) -> None:
+    """Remove instalacoes antigas de Kubernetes antes de reinstalar."""
+    require_root(ctx)
+
+    typer.secho("\n=== Sanitizacao do ambiente Kubernetes ===", fg=typer.colors.CYAN, bold=True)
+    typer.echo(
+        "Este passo remove clusters existentes, pacotes kube* e arquivos residuais."
+        " Use apenas em servidores dedicados ao Raijin Server."
+    )
+
+    if ctx.dry_run:
+        typer.echo("[dry-run] Confirmacao automatica para demonstracao.")
+    else:
+        proceed = typer.confirm(
+            "Deseja realmente limpar o servidor antes de uma nova instalacao?",
+            default=False,
+        )
+        if not proceed:
+            typer.echo("Sanitizacao cancelada pelo usuario.")
+            return
+
+    _stop_services(ctx)
+    _kubeadm_reset(ctx)
+    _flush_iptables(ctx)
+    _purge_packages(ctx)
+    _remove_paths(ctx)
+    _remove_tool_binaries(ctx)
+    _remove_apt_markers(ctx)
+
+    typer.secho("\n✓ Sanitizacao concluida. Servidor pronto para novo full_install.", fg=typer.colors.GREEN, bold=True)

raijin_server/modules/secrets.py

@@ -0,0 +1,109 @@
+"""Automacao de sealed-secrets e external-secrets via Helm.
+
+Instala os controladores necessários para criptografar e consumir segredos
+em clusters Kubernetes. Inclui opcionalmente a exportacao do certificado
+publico do sealed-secrets para permitir geracao de manifests lacrados.
+"""
+
+from pathlib import Path
+
+import typer
+
+from raijin_server.utils import (
+    ExecutionContext,
+    ensure_tool,
+    helm_upgrade_install,
+    require_root,
+    run_cmd,
+)
+
+SEALED_NAMESPACE = "kube-system"
+ESO_NAMESPACE = "external-secrets"
+
+
+def _export_sealed_cert(namespace: str, ctx: ExecutionContext) -> None:
+    """Exporta o certificado publico do sealed-secrets para um caminho local."""
+
+    default_path = Path("/tmp/sealed-secrets-cert.pem")
+    dest = typer.prompt(
+        "Caminho para salvar o certificado publico do sealed-secrets",
+        default=str(default_path),
+    )
+    typer.echo(f"Exportando certificado para {dest}...")
+    cmd = [
+        "kubectl",
+        "-n",
+        namespace,
+        "get",
+        "secret",
+        "-l",
+        "sealedsecrets.bitnami.com/sealed-secrets-key",
+        "-o",
+        r"jsonpath={.items[0].data.tls\.crt}",
+    ]
+    result = run_cmd(cmd, ctx, check=False)
+    if result.returncode != 0:
+        typer.secho("Nao foi possivel obter o certificado (tente novamente apos o pod estar Ready).", fg=typer.colors.YELLOW)
+        return
+
+    try:
+        import base64
+
+        cert_b64 = result.stdout.strip()
+        cert_bytes = base64.b64decode(cert_b64)
+        Path(dest).write_bytes(cert_bytes)
+        typer.secho(f"✓ Certificado salvo em {dest}", fg=typer.colors.GREEN)
+    except Exception as exc:
+        typer.secho(f"Falha ao decodificar/salvar certificado: {exc}", fg=typer.colors.YELLOW)
+
+
+def run(ctx: ExecutionContext) -> None:
+    require_root(ctx)
+    ensure_tool("kubectl", ctx, install_hint="Instale kubectl ou habilite dry-run.")
+    ensure_tool("helm", ctx, install_hint="Instale helm ou habilite dry-run.")
+
+    typer.echo("Instalando sealed-secrets e external-secrets...")
+
+    sealed_ns = typer.prompt("Namespace para sealed-secrets", default=SEALED_NAMESPACE)
+    eso_ns = typer.prompt("Namespace para external-secrets", default=ESO_NAMESPACE)
+
+    # sealed-secrets
+    typer.secho("\n== Sealed Secrets ==", fg=typer.colors.CYAN, bold=True)
+    helm_upgrade_install(
+        "sealed-secrets",
+        "sealed-secrets",
+        sealed_ns,
+        ctx,
+        repo="bitnami-labs",
+        repo_url="https://bitnami-labs.github.io/sealed-secrets",
+        create_namespace=True,
+    )
+
+    typer.echo(
+        "Para criar sealed-secrets a partir do seu desktop, exporte o certificado publico e use kubeseal."
+    )
+    if typer.confirm("Exportar certificado publico agora?", default=True):
+        _export_sealed_cert(sealed_ns, ctx)
+
+    # external-secrets
+    typer.secho("\n== External Secrets Operator ==", fg=typer.colors.CYAN, bold=True)
+    extra_args = ["--set", "installCRDs=true"]
+    helm_upgrade_install(
+        "external-secrets",
+        "external-secrets",
+        eso_ns,
+        ctx,
+        repo="external-secrets",
+        repo_url="https://charts.external-secrets.io",
+        create_namespace=True,
+        extra_args=extra_args,
+    )
+
+    typer.echo(
+        "External Secrets Operator instalado. Configure um SecretStore/ClusterSecretStore conforme seu provedor (AWS/GCP/Vault)."
+    )
+
+    typer.secho("\nDicas rapidas:", fg=typer.colors.GREEN)
+    typer.echo("- Gere sealed-secrets localmente: kubeseal --controller-namespace <ns> --controller-name sealed-secrets < secret.yaml > sealed.yaml")
+    typer.echo("- Para ESO: crie um SecretStore apontando para seu backend e um ExternalSecret referenciando os keys.")
+