raijin-server 0.1.0__py3-none-any.whl

raijin_server/healthchecks.py

@@ -0,0 +1,296 @@
+"""Health checks para validar estado dos servicos apos instalacao."""
+
+from __future__ import annotations
+
+import subprocess
+import time
+from typing import Callable, Tuple
+
+import typer
+
+from raijin_server.utils import ExecutionContext, logger
+
+
+def wait_for_condition(
+    check_fn: Callable[[], bool],
+    description: str,
+    timeout: int = 300,
+    interval: int = 10,
+) -> bool:
+    """Aguarda ate que uma condicao seja satisfeita ou timeout.
+
+    Args:
+        check_fn: Funcao que retorna True quando condicao e satisfeita
+        description: Descricao da condicao sendo aguardada
+        timeout: Tempo maximo de espera em segundos
+        interval: Intervalo entre verificacoes em segundos
+
+    Returns:
+        True se condicao foi satisfeita, False se timeout
+    """
+    elapsed = 0
+    typer.echo(f"Aguardando: {description}...")
+
+    while elapsed < timeout:
+        if check_fn():
+            typer.secho(f"✓ {description} [OK]", fg=typer.colors.GREEN)
+            return True
+
+        time.sleep(interval)
+        elapsed += interval
+        typer.echo(f"  ... ainda aguardando ({elapsed}/{timeout}s)")
+
+    typer.secho(f"✗ {description} [TIMEOUT]", fg=typer.colors.RED)
+    return False
+
+
+def check_systemd_service(service: str, ctx: ExecutionContext) -> Tuple[bool, str]:
+    """Verifica se um servico systemd esta ativo."""
+    if ctx.dry_run:
+        return True, "dry-run mode"
+
+    try:
+        result = subprocess.run(
+            ["systemctl", "is-active", service],
+            capture_output=True,
+            text=True,
+            timeout=10,
+        )
+        status = result.stdout.strip()
+        if result.returncode == 0 and status == "active":
+            return True, "active"
+        return False, status
+    except Exception as e:
+        return False, f"error: {e}"
+
+
+def check_k8s_node_ready(ctx: ExecutionContext, timeout: int = 300) -> bool:
+    """Verifica se o node Kubernetes esta Ready."""
+    if ctx.dry_run:
+        typer.echo("[dry-run] Pulando verificacao de node Kubernetes")
+        return True
+
+    def check():
+        try:
+            result = subprocess.run(
+                ["kubectl", "get", "nodes", "-o", "jsonpath={.items[0].status.conditions[?(@.type=='Ready')].status}"],
+                capture_output=True,
+                text=True,
+                timeout=10,
+            )
+            return result.returncode == 0 and "True" in result.stdout
+        except Exception:
+            return False
+
+    return wait_for_condition(check, "Node Kubernetes Ready", timeout=timeout)
+
+
+def check_k8s_pods_in_namespace(namespace: str, ctx: ExecutionContext, timeout: int = 300) -> bool:
+    """Verifica se todos os pods em um namespace estao Running."""
+    if ctx.dry_run:
+        typer.echo(f"[dry-run] Pulando verificacao de pods no namespace {namespace}")
+        return True
+
+    def check():
+        try:
+            result = subprocess.run(
+                [
+                    "kubectl", "get", "pods", "-n", namespace,
+                    "-o", "jsonpath={.items[*].status.phase}"
+                ],
+                capture_output=True,
+                text=True,
+                timeout=10,
+            )
+            if result.returncode != 0:
+                return False
+
+            phases = result.stdout.strip().split()
+            if not phases:
+                return False
+
+            return all(phase in ["Running", "Succeeded"] for phase in phases)
+        except Exception:
+            return False
+
+    return wait_for_condition(
+        check,
+        f"Pods no namespace '{namespace}' Running",
+        timeout=timeout
+    )
+
+
+def check_helm_release(release: str, namespace: str, ctx: ExecutionContext) -> Tuple[bool, str]:
+    """Verifica status de um release Helm."""
+    if ctx.dry_run:
+        return True, "dry-run mode"
+
+    try:
+        result = subprocess.run(
+            ["helm", "status", release, "-n", namespace, "-o", "json"],
+            capture_output=True,
+            text=True,
+            timeout=15,
+        )
+        if result.returncode == 0:
+            import json
+            data = json.loads(result.stdout)
+            status = data.get("info", {}).get("status", "unknown")
+            return status == "deployed", status
+        return False, "not found"
+    except Exception as e:
+        return False, f"error: {e}"
+
+
+def check_port_listening(port: int, ctx: ExecutionContext) -> Tuple[bool, str]:
+    """Verifica se uma porta esta em listening."""
+    if ctx.dry_run:
+        return True, "dry-run mode"
+
+    try:
+        result = subprocess.run(
+            ["ss", "-tuln"],
+            capture_output=True,
+            text=True,
+            timeout=5,
+        )
+        if result.returncode == 0:
+            listening = any(f":{port}" in line for line in result.stdout.split("\n"))
+            return listening, "listening" if listening else "not listening"
+        return False, "ss command failed"
+    except Exception as e:
+        return False, f"error: {e}"
+
+
+def verify_essentials(ctx: ExecutionContext) -> bool:
+    """Health check para modulo essentials."""
+    logger.info("Verificando health check: essentials")
+    typer.secho("\n=== Health Check: Essentials ===", fg=typer.colors.CYAN)
+
+    checks = [
+        ("timedatectl NTP", lambda: subprocess.run(["timedatectl", "show", "-p", "NTP", "--value"], capture_output=True).stdout.strip() == b"yes"),
+    ]
+
+    all_ok = True
+    for name, check_fn in checks:
+        try:
+            if ctx.dry_run or check_fn():
+                typer.secho(f"  ✓ {name}", fg=typer.colors.GREEN)
+            else:
+                typer.secho(f"  ✗ {name}", fg=typer.colors.YELLOW)
+                all_ok = False
+        except Exception as e:
+            typer.secho(f"  ✗ {name}: {e}", fg=typer.colors.YELLOW)
+            all_ok = False
+
+    return all_ok
+
+
+def verify_hardening(ctx: ExecutionContext) -> bool:
+    """Health check para modulo hardening."""
+    logger.info("Verificando health check: hardening")
+    typer.secho("\n=== Health Check: Hardening ===", fg=typer.colors.CYAN)
+
+    services = ["fail2ban"]
+    all_ok = True
+
+    for service in services:
+        ok, status = check_systemd_service(service, ctx)
+        if ok:
+            typer.secho(f"  ✓ {service}: {status}", fg=typer.colors.GREEN)
+        else:
+            typer.secho(f"  ✗ {service}: {status}", fg=typer.colors.YELLOW)
+            all_ok = False
+
+    return all_ok
+
+
+def verify_kubernetes(ctx: ExecutionContext) -> bool:
+    """Health check para modulo kubernetes."""
+    logger.info("Verificando health check: kubernetes")
+    typer.secho("\n=== Health Check: Kubernetes ===", fg=typer.colors.CYAN)
+
+    services = ["kubelet", "containerd"]
+    all_ok = True
+
+    for service in services:
+        ok, status = check_systemd_service(service, ctx)
+        if ok:
+            typer.secho(f"  ✓ {service}: {status}", fg=typer.colors.GREEN)
+        else:
+            typer.secho(f"  ✗ {service}: {status}", fg=typer.colors.RED)
+            all_ok = False
+
+    # Verifica API server
+    ok, msg = check_port_listening(6443, ctx)
+    if ok:
+        typer.secho(f"  ✓ API Server (6443): {msg}", fg=typer.colors.GREEN)
+    else:
+        typer.secho(f"  ✗ API Server (6443): {msg}", fg=typer.colors.RED)
+        all_ok = False
+
+    # Verifica node ready
+    if not check_k8s_node_ready(ctx, timeout=180):
+        all_ok = False
+
+    return all_ok
+
+
+def verify_calico(ctx: ExecutionContext) -> bool:
+    """Health check para modulo calico."""
+    logger.info("Verificando health check: calico")
+    typer.secho("\n=== Health Check: Calico ===", fg=typer.colors.CYAN)
+
+    return check_k8s_pods_in_namespace("kube-system", ctx, timeout=180)
+
+
+def verify_helm_chart(release: str, namespace: str, ctx: ExecutionContext) -> bool:
+    """Health check generico para charts Helm."""
+    logger.info(f"Verificando health check: {release} no namespace {namespace}")
+    typer.secho(f"\n=== Health Check: {release} ===", fg=typer.colors.CYAN)
+
+    ok, status = check_helm_release(release, namespace, ctx)
+    if ok:
+        typer.secho(f"  ✓ Release {release}: {status}", fg=typer.colors.GREEN)
+    else:
+        typer.secho(f"  ✗ Release {release}: {status}", fg=typer.colors.RED)
+        return False
+
+    return check_k8s_pods_in_namespace(namespace, ctx, timeout=180)
+
+
+# Mapeamento de modulos para funcoes de health check
+HEALTH_CHECKS = {
+    "essentials": verify_essentials,
+    "hardening": verify_hardening,
+    "kubernetes": verify_kubernetes,
+    "calico": verify_calico,
+    "prometheus": lambda ctx: verify_helm_chart("kube-prometheus-stack", "observability", ctx),
+    "grafana": lambda ctx: verify_helm_chart("grafana", "observability", ctx),
+    "loki": lambda ctx: verify_helm_chart("loki", "observability", ctx),
+    "traefik": lambda ctx: verify_helm_chart("traefik", "traefik", ctx),
+    "kong": lambda ctx: verify_helm_chart("kong", "kong", ctx),
+    "minio": lambda ctx: verify_helm_chart("minio", "minio", ctx),
+    "velero": lambda ctx: verify_helm_chart("velero", "velero", ctx),
+    "kafka": lambda ctx: verify_helm_chart("kafka", "kafka", ctx),
+}
+
+
+def run_health_check(module: str, ctx: ExecutionContext) -> bool:
+    """Executa health check para um modulo especifico."""
+    if module not in HEALTH_CHECKS:
+        logger.warning(f"Nenhum health check definido para modulo '{module}'")
+        return True
+
+    try:
+        result = HEALTH_CHECKS[module](ctx)
+        if result:
+            logger.info(f"Health check '{module}': PASS")
+        else:
+            logger.warning(f"Health check '{module}': FAIL")
+            ctx.warnings.append(f"Health check falhou para modulo '{module}'")
+        return result
+    except Exception as e:
+        logger.error(f"Erro durante health check '{module}': {e}")
+        ctx.errors.append(f"Erro no health check '{module}': {e}")
+        return False

raijin_server/modules/__init__.py

@@ -0,0 +1,26 @@
+"""Colecao de modulos suportados pelo CLI."""
+
+__all__ = [
+    "hardening",
+    "network",
+    "essentials",
+    "firewall",
+    "kubernetes",
+    "calico",
+    "istio",
+    "traefik",
+    "kong",
+    "minio",
+    "prometheus",
+    "grafana",
+    "loki",
+    "harness",
+    "velero",
+    "kafka",
+    "bootstrap",
+    "full_install",
+]
+
+from raijin_server.modules import calico, essentials, firewall, grafana, harness, hardening, istio
+from raijin_server.modules import kafka, kong, kubernetes, loki, minio, network, prometheus, traefik
+from raijin_server.modules import velero, bootstrap, full_install

raijin_server/modules/bootstrap.py

@@ -0,0 +1,224 @@
+"""Instalacao automatica de ferramentas necessarias para o raijin-server."""
+
+import shutil
+from pathlib import Path
+
+import typer
+
+from raijin_server.utils import ExecutionContext, apt_install, apt_update, require_root, run_cmd, write_file
+
+
+# Versoes das ferramentas
+HELM_VERSION = "3.14.0"
+KUBECTL_VERSION = "1.30.0"
+ISTIOCTL_VERSION = "1.21.0"
+VELERO_VERSION = "1.13.0"
+
+
+def _install_helm(ctx: ExecutionContext) -> None:
+    """Instala Helm via script oficial."""
+    if shutil.which("helm") and not ctx.dry_run:
+        typer.echo("Helm ja instalado, pulando...")
+        return
+
+    typer.echo(f"Instalando Helm v{HELM_VERSION}...")
+    run_cmd(
+        "curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash",
+        ctx,
+        use_shell=True,
+    )
+
+
+def _install_kubectl(ctx: ExecutionContext) -> None:
+    """Instala kubectl via binary."""
+    if shutil.which("kubectl") and not ctx.dry_run:
+        typer.echo("kubectl ja instalado, pulando...")
+        return
+
+    typer.echo(f"Instalando kubectl v{KUBECTL_VERSION}...")
+    run_cmd(
+        [
+            "curl",
+            "-fsSL",
+            "-o",
+            "/tmp/kubectl",
+            f"https://dl.k8s.io/release/v{KUBECTL_VERSION}/bin/linux/amd64/kubectl",
+        ],
+        ctx,
+    )
+    run_cmd(["chmod", "+x", "/tmp/kubectl"], ctx)
+    run_cmd(["mv", "/tmp/kubectl", "/usr/local/bin/kubectl"], ctx)
+
+
+def _install_istioctl(ctx: ExecutionContext) -> None:
+    """Instala istioctl."""
+    if shutil.which("istioctl") and not ctx.dry_run:
+        typer.echo("istioctl ja instalado, pulando...")
+        return
+
+    typer.echo(f"Instalando istioctl v{ISTIOCTL_VERSION}...")
+    run_cmd(
+        f"curl -L https://istio.io/downloadIstio | ISTIO_VERSION={ISTIOCTL_VERSION} sh -",
+        ctx,
+        use_shell=True,
+        cwd="/tmp",
+    )
+    run_cmd(
+        ["mv", f"/tmp/istio-{ISTIOCTL_VERSION}/bin/istioctl", "/usr/local/bin/istioctl"],
+        ctx,
+    )
+    run_cmd(["chmod", "+x", "/usr/local/bin/istioctl"], ctx)
+
+
+def _install_velero(ctx: ExecutionContext) -> None:
+    """Instala Velero CLI."""
+    if shutil.which("velero") and not ctx.dry_run:
+        typer.echo("Velero CLI ja instalado, pulando...")
+        return
+
+    typer.echo(f"Instalando Velero CLI v{VELERO_VERSION}...")
+    tarball = f"velero-v{VELERO_VERSION}-linux-amd64.tar.gz"
+    url = f"https://github.com/vmware-tanzu/velero/releases/download/v{VELERO_VERSION}/{tarball}"
+
+    run_cmd(["curl", "-fsSL", "-o", f"/tmp/{tarball}", url], ctx)
+    run_cmd(["tar", "-xzf", f"/tmp/{tarball}", "-C", "/tmp"], ctx)
+    run_cmd(
+        ["mv", f"/tmp/velero-v{VELERO_VERSION}-linux-amd64/velero", "/usr/local/bin/velero"],
+        ctx,
+    )
+    run_cmd(["chmod", "+x", "/usr/local/bin/velero"], ctx)
+
+
+def _install_containerd(ctx: ExecutionContext) -> None:
+    """Configura containerd como container runtime."""
+    typer.echo("Configurando containerd...")
+
+    # Carrega modulos do kernel necessarios
+    modules_conf = """overlay
+br_netfilter
+"""
+    write_file(Path("/etc/modules-load.d/k8s.conf"), modules_conf, ctx)
+
+    run_cmd(["modprobe", "overlay"], ctx, check=False)
+    run_cmd(["modprobe", "br_netfilter"], ctx, check=False)
+
+    # Sysctl para Kubernetes
+    sysctl_conf = """net.bridge.bridge-nf-call-iptables  = 1
+net.bridge.bridge-nf-call-ip6tables = 1
+net.ipv4.ip_forward                 = 1
+"""
+    write_file(Path("/etc/sysctl.d/k8s.conf"), sysctl_conf, ctx)
+    run_cmd(["sysctl", "--system"], ctx, check=False)
+
+    apt_install(["containerd"], ctx)
+
+    # Gera config padrao
+    run_cmd(["mkdir", "-p", "/etc/containerd"], ctx)
+    run_cmd("containerd config default > /etc/containerd/config.toml", ctx, use_shell=True)
+
+    # Habilita SystemdCgroup
+    run_cmd(
+        "sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml",
+        ctx,
+        use_shell=True,
+    )
+
+    run_cmd(["systemctl", "restart", "containerd"], ctx, check=False)
+    run_cmd(["systemctl", "enable", "containerd"], ctx, check=False)
+
+
+def _setup_swap(ctx: ExecutionContext) -> None:
+    """Desabilita swap (requisito do Kubernetes)."""
+    typer.echo("Desabilitando swap (requisito Kubernetes)...")
+    run_cmd(["swapoff", "-a"], ctx, check=False)
+    # Remove swap do fstab
+    run_cmd(
+        "sed -i '/swap/d' /etc/fstab",
+        ctx,
+        use_shell=True,
+        check=False,
+    )
+
+
+def _install_cert_manager(ctx: ExecutionContext) -> None:
+    """Instala cert-manager para gerenciamento de certificados TLS."""
+    typer.echo("Instalando cert-manager...")
+    run_cmd(
+        [
+            "kubectl",
+            "apply",
+            "-f",
+            "https://github.com/cert-manager/cert-manager/releases/download/v1.14.0/cert-manager.yaml",
+        ],
+        ctx,
+    )
+
+
+def run(ctx: ExecutionContext) -> None:
+    """Instala todas as ferramentas necessarias para o ambiente produtivo."""
+    require_root(ctx)
+
+    typer.secho("\n=== Bootstrap: Instalando Ferramentas ===", fg=typer.colors.CYAN, bold=True)
+
+    # Atualiza sistema
+    typer.echo("\n[1/8] Atualizando sistema...")
+    apt_update(ctx)
+
+    # Pacotes base
+    typer.echo("\n[2/8] Instalando pacotes essenciais...")
+    apt_install(
+        [
+            "curl",
+            "wget",
+            "git",
+            "gnupg",
+            "lsb-release",
+            "ca-certificates",
+            "apt-transport-https",
+            "software-properties-common",
+            "htop",
+            "net-tools",
+            "vim",
+            "jq",
+            "unzip",
+            "nfs-common",  # Para storage NFS
+            "open-iscsi",  # Para iSCSI storage
+        ],
+        ctx,
+    )
+
+    # Desabilita swap
+    typer.echo("\n[3/8] Configurando sistema para Kubernetes...")
+    _setup_swap(ctx)
+
+    # Containerd
+    typer.echo("\n[4/8] Configurando container runtime...")
+    _install_containerd(ctx)
+
+    # Helm
+    typer.echo("\n[5/8] Instalando Helm...")
+    _install_helm(ctx)
+
+    # kubectl
+    typer.echo("\n[6/8] Instalando kubectl...")
+    _install_kubectl(ctx)
+
+    # istioctl
+    typer.echo("\n[7/8] Instalando istioctl...")
+    _install_istioctl(ctx)
+
+    # velero
+    typer.echo("\n[8/8] Instalando Velero CLI...")
+    _install_velero(ctx)
+
+    typer.secho("\n✓ Bootstrap concluido! Ferramentas instaladas.", fg=typer.colors.GREEN, bold=True)
+
+    # Resumo
+    typer.echo("\nFerramentas instaladas:")
+    tools = ["helm", "kubectl", "istioctl", "velero", "containerd"]
+    for tool in tools:
+        path = shutil.which(tool)
+        if path or ctx.dry_run:
+            typer.secho(f"  ✓ {tool}", fg=typer.colors.GREEN)
+        else:
+            typer.secho(f"  ✗ {tool} (nao encontrado)", fg=typer.colors.YELLOW)

raijin_server/modules/calico.py

@@ -0,0 +1,36 @@
+"""Configuracao de Calico como CNI com CIDR customizado e policy default-deny."""
+
+from pathlib import Path
+
+import typer
+
+from raijin_server.utils import ExecutionContext, ensure_tool, kubectl_apply, require_root, run_cmd, write_file
+
+
+def run(ctx: ExecutionContext) -> None:
+        require_root(ctx)
+        ensure_tool("kubectl", ctx, install_hint="Instale kubectl ou habilite dry-run.")
+        ensure_tool("curl", ctx, install_hint="Instale curl.")
+
+        typer.echo("Aplicando Calico como CNI...")
+        pod_cidr = typer.prompt("Pod CIDR (Calico)", default="10.244.0.0/16")
+
+        manifest_url = "https://raw.githubusercontent.com/projectcalico/calico/v3.27.2/manifests/calico.yaml"
+        cmd = f"curl -s {manifest_url} | sed 's#192.168.0.0/16#{pod_cidr}#' | kubectl apply -f -"
+        run_cmd(cmd, ctx, use_shell=True)
+
+        # NetworkPolicy default-deny para workloads (excepto kube-system).
+        default_deny = """apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+    name: default-deny-all
+    namespace: default
+spec:
+    podSelector: {}
+    policyTypes:
+    - Ingress
+    - Egress
+"""
+        policy_path = Path("/tmp/raijin-default-deny.yaml")
+        write_file(policy_path, default_deny, ctx)
+        kubectl_apply(str(policy_path), ctx)

raijin_server/modules/essentials.py

@@ -0,0 +1,29 @@
+"""Instalacao de ferramentas basicas do sistema."""
+
+import typer
+
+from raijin_server.utils import ExecutionContext, apt_install, apt_update, require_root, run_cmd
+
+
+def run(ctx: ExecutionContext) -> None:
+    require_root(ctx)
+    typer.echo("Instalando ferramentas essenciais...")
+    apt_update(ctx)
+    apt_install(
+        [
+            "curl",
+            "wget",
+            "git",
+            "gnupg",
+            "lsb-release",
+            "ca-certificates",
+            "apt-transport-https",
+            "htop",
+            "net-tools",
+            "vim",
+            "jq",
+            "unzip",
+        ],
+        ctx,
+    )
+    run_cmd(["timedatectl", "set-ntp", "true"], ctx)

raijin_server/modules/firewall.py

@@ -0,0 +1,27 @@
+"""Gerenciamento de firewall com UFW."""
+
+import typer
+
+from raijin_server.utils import ExecutionContext, apt_install, require_root, run_cmd
+
+
+def run(ctx: ExecutionContext) -> None:
+    require_root(ctx)
+    typer.echo("Configurando UFW...")
+
+    apt_install(["ufw"], ctx)
+    run_cmd(["ufw", "--force", "reset"], ctx)
+
+    regras = [
+        ["ufw", "allow", "22"],
+        ["ufw", "allow", "80"],
+        ["ufw", "allow", "443"],
+        ["ufw", "allow", "6443"],  # API server Kubernetes
+        ["ufw", "allow", "2379:2380/tcp"],  # etcd
+        ["ufw", "allow", "10250"],  # kubelet
+    ]
+    for regra in regras:
+        run_cmd(regra, ctx, check=False)
+
+    run_cmd(["ufw", "--force", "enable"], ctx)
+    run_cmd(["ufw", "status", "numbered"], ctx)