raijin-server 0.2.21__tar.gz → 0.2.22__tar.gz

{raijin_server-0.2.21/src/raijin_server.egg-info → raijin_server-0.2.22}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: raijin-server
-Version: 0.2.21
+Version: 0.2.22
 Summary: CLI para automacao de setup e hardening de servidores Ubuntu Server.
 Home-page: https://example.com/raijin-server
 Author: Equipe Raijin

{raijin_server-0.2.21 → raijin_server-0.2.22}/setup.cfg

@@ -1,6 +1,6 @@
 [metadata]
 name = raijin-server
-version = 0.2.21
+version = 0.2.22
 description = CLI para automacao de setup e hardening de servidores Ubuntu Server.
 long_description = file: README.md
 long_description_content_type = text/markdown

raijin_server-0.2.22/src/raijin_server/__init__.py

@@ -0,0 +1,5 @@
+"""Pacote principal do CLI Raijin Server."""
+
+__version__ = "0.2.22"
+
+__all__ = ["__version__"]

{raijin_server-0.2.21 → raijin_server-0.2.22}/src/raijin_server/modules/cert_manager.py

@@ -601,6 +601,31 @@ def _run_helm_install(ctx: ExecutionContext, attempt: int = 1) -> bool:
         "--set", "startupapicheck.enabled=true",
         "--set", "webhook.replicaCount=1",
         "--set", "cainjector.replicaCount=1",
+        # Tolerations para control-plane (single-node clusters)
+        "--set", "tolerations[0].key=node-role.kubernetes.io/control-plane",
+        "--set", "tolerations[0].operator=Exists",
+        "--set", "tolerations[0].effect=NoSchedule",
+        "--set", "tolerations[1].key=node-role.kubernetes.io/master",
+        "--set", "tolerations[1].operator=Exists",
+        "--set", "tolerations[1].effect=NoSchedule",
+        "--set", "webhook.tolerations[0].key=node-role.kubernetes.io/control-plane",
+        "--set", "webhook.tolerations[0].operator=Exists",
+        "--set", "webhook.tolerations[0].effect=NoSchedule",
+        "--set", "webhook.tolerations[1].key=node-role.kubernetes.io/master",
+        "--set", "webhook.tolerations[1].operator=Exists",
+        "--set", "webhook.tolerations[1].effect=NoSchedule",
+        "--set", "cainjector.tolerations[0].key=node-role.kubernetes.io/control-plane",
+        "--set", "cainjector.tolerations[0].operator=Exists",
+        "--set", "cainjector.tolerations[0].effect=NoSchedule",
+        "--set", "cainjector.tolerations[1].key=node-role.kubernetes.io/master",
+        "--set", "cainjector.tolerations[1].operator=Exists",
+        "--set", "cainjector.tolerations[1].effect=NoSchedule",
+        "--set", "startupapicheck.tolerations[0].key=node-role.kubernetes.io/control-plane",
+        "--set", "startupapicheck.tolerations[0].operator=Exists",
+        "--set", "startupapicheck.tolerations[0].effect=NoSchedule",
+        "--set", "startupapicheck.tolerations[1].key=node-role.kubernetes.io/master",
+        "--set", "startupapicheck.tolerations[1].operator=Exists",
+        "--set", "startupapicheck.tolerations[1].effect=NoSchedule",
         "--wait",
         "--timeout", "15m",
         "--debug",  # Mais logs
@@ -1234,6 +1259,55 @@ def _diagnose_problems(ctx: ExecutionContext) -> None:
         typer.secho("\n  Nenhum problema óbvio detectado", fg=typer.colors.GREEN)
 
 
+def _check_existing_cert_manager() -> bool:
+    """Verifica se existe instalacao do cert-manager."""
+    try:
+        result = subprocess.run(
+            ["helm", "status", "cert-manager", "-n", NAMESPACE],
+            capture_output=True,
+            text=True,
+            timeout=15,
+            env=_helm_env(),
+        )
+        return result.returncode == 0
+    except Exception:
+        return False
+
+
+def _uninstall_cert_manager(ctx: ExecutionContext) -> None:
+    """Remove instalacao anterior do cert-manager."""
+    typer.echo("Removendo instalacao anterior do cert-manager...")
+    
+    run_cmd(
+        ["helm", "uninstall", "cert-manager", "-n", NAMESPACE],
+        ctx,
+        check=False,
+    )
+    
+    # Remove CRDs
+    run_cmd(
+        ["kubectl", "delete", "crd",
+         "certificaterequests.cert-manager.io",
+         "certificates.cert-manager.io",
+         "challenges.acme.cert-manager.io",
+         "clusterissuers.cert-manager.io",
+         "issuers.cert-manager.io",
+         "orders.acme.cert-manager.io",
+         "--ignore-not-found"],
+        ctx,
+        check=False,
+    )
+    
+    # Remove namespace
+    run_cmd(
+        ["kubectl", "delete", "namespace", NAMESPACE, "--ignore-not-found"],
+        ctx,
+        check=False,
+    )
+    
+    time.sleep(5)
+
+
 # =============================================================================
 # Entry Points
 # =============================================================================
@@ -1253,6 +1327,15 @@ def run(ctx: ExecutionContext) -> None:
         ctx.errors.append("cert-manager: cluster não acessível")
         raise typer.Exit(code=1)
 
+    # Prompt opcional de limpeza
+    if _check_existing_cert_manager():
+        cleanup = typer.confirm(
+            "Instalacao anterior do cert-manager detectada. Limpar antes de reinstalar?",
+            default=False,
+        )
+        if cleanup:
+            _uninstall_cert_manager(ctx)
+
     # Mostra status atual
     status = _get_cert_manager_status(ctx)
     _print_status(status)

raijin_server-0.2.22/src/raijin_server/modules/grafana.py

@@ -0,0 +1,205 @@
+"""Configuracao do Grafana via Helm com datasource e dashboards provisionados."""
+
+import socket
+import time
+from pathlib import Path
+
+import typer
+
+from raijin_server.utils import ExecutionContext, helm_upgrade_install, require_root, run_cmd, write_file
+
+
+def _detect_node_name(ctx: ExecutionContext) -> str:
+    """Detecta nome do node para nodeSelector."""
+    result = run_cmd(
+        ["kubectl", "get", "nodes", "-o", "jsonpath={.items[0].metadata.name}"],
+        ctx,
+        check=False,
+    )
+    if result.returncode == 0 and (result.stdout or "").strip():
+        return (result.stdout or "").strip()
+    return socket.gethostname()
+
+
+def _check_existing_grafana(ctx: ExecutionContext) -> bool:
+    """Verifica se existe instalacao do Grafana."""
+    result = run_cmd(
+        ["helm", "status", "grafana", "-n", "observability"],
+        ctx,
+        check=False,
+    )
+    return result.returncode == 0
+
+
+def _uninstall_grafana(ctx: ExecutionContext) -> None:
+    """Remove instalacao anterior do Grafana."""
+    typer.echo("Removendo instalacao anterior do Grafana...")
+    
+    run_cmd(
+        ["helm", "uninstall", "grafana", "-n", "observability"],
+        ctx,
+        check=False,
+    )
+    
+    remove_data = typer.confirm("Remover PVCs (dados persistentes)?", default=False)
+    if remove_data:
+        run_cmd(
+            ["kubectl", "-n", "observability", "delete", "pvc", "-l", "app.kubernetes.io/name=grafana"],
+            ctx,
+            check=False,
+        )
+    
+    time.sleep(5)
+
+
+def _wait_for_grafana_ready(ctx: ExecutionContext, timeout: int = 180) -> bool:
+    """Aguarda pods do Grafana ficarem Ready."""
+    typer.echo("Aguardando pods do Grafana ficarem Ready...")
+    deadline = time.time() + timeout
+    
+    while time.time() < deadline:
+        result = run_cmd(
+            [
+                "kubectl", "-n", "observability", "get", "pods",
+                "-l", "app.kubernetes.io/name=grafana",
+                "-o", "jsonpath={range .items[*]}{.metadata.name}={.status.phase} {end}",
+            ],
+            ctx,
+            check=False,
+        )
+        
+        if result.returncode == 0:
+            output = (result.stdout or "").strip()
+            if output:
+                pods = []
+                for item in output.split():
+                    if "=" in item:
+                        parts = item.rsplit("=", 1)
+                        if len(parts) == 2:
+                            pods.append((parts[0], parts[1]))
+                
+                if pods and all(phase == "Running" for _, phase in pods):
+                    typer.secho("  Grafana Ready.", fg=typer.colors.GREEN)
+                    return True
+        
+        time.sleep(10)
+    
+    typer.secho("  Timeout aguardando Grafana.", fg=typer.colors.YELLOW)
+    return False
+
+
+def run(ctx: ExecutionContext) -> None:
+    require_root(ctx)
+    typer.echo("Instalando Grafana via Helm...")
+
+    # Prompt opcional de limpeza
+    if _check_existing_grafana(ctx):
+        cleanup = typer.confirm(
+            "Instalacao anterior do Grafana detectada. Limpar antes de reinstalar?",
+            default=False,
+        )
+        if cleanup:
+            _uninstall_grafana(ctx)
+
+    admin_password = typer.prompt("Senha admin do Grafana", default="admin")
+    ingress_host = typer.prompt("Host para acessar o Grafana", default="grafana.local")
+    ingress_class = typer.prompt("IngressClass", default="traefik")
+    tls_secret = typer.prompt("Secret TLS (cert-manager)", default="grafana-tls")
+    persistence_size = typer.prompt("Tamanho do storage", default="10Gi")
+
+    node_name = _detect_node_name(ctx)
+
+    values_yaml = f"""adminPassword: {admin_password}
+service:
+  type: ClusterIP
+ingress:
+  enabled: true
+  ingressClassName: {ingress_class}
+  hosts:
+    - {ingress_host}
+  tls:
+    - secretName: {tls_secret}
+      hosts:
+        - {ingress_host}
+persistence:
+  enabled: true
+  size: {persistence_size}
+tolerations:
+  - key: node-role.kubernetes.io/control-plane
+    operator: Exists
+    effect: NoSchedule
+  - key: node-role.kubernetes.io/master
+    operator: Exists
+    effect: NoSchedule
+nodeSelector:
+  kubernetes.io/hostname: {node_name}
+resources:
+  requests:
+    memory: 256Mi
+    cpu: 100m
+  limits:
+    memory: 512Mi
+datasources:
+  datasources.yaml:
+    apiVersion: 1
+    datasources:
+      - name: Prometheus
+        type: prometheus
+        access: proxy
+        url: http://kube-prometheus-stack-prometheus.observability.svc:9090
+        isDefault: true
+        jsonData:
+          timeInterval: 30s
+      - name: Loki
+        type: loki
+        access: proxy
+        url: http://loki.observability.svc:3100
+dashboardProviders:
+  dashboardproviders.yaml:
+    apiVersion: 1
+    providers:
+      - name: 'default'
+        orgId: 1
+        folder: ''
+        type: file
+        disableDeletion: false
+        editable: true
+        options:
+          path: /var/lib/grafana/dashboards/default
+dashboards:
+  default:
+    kubernetes:
+      gnetId: 6417
+      revision: 1
+      datasource: Prometheus
+    node-exporter:
+      gnetId: 1860
+      revision: 27
+      datasource: Prometheus
+"""
+
+    values_path = Path("/tmp/raijin-grafana-values.yaml")
+    write_file(values_path, values_yaml, ctx)
+
+    run_cmd(["kubectl", "create", "namespace", "observability"], ctx, check=False)
+
+    helm_upgrade_install(
+        release="grafana",
+        chart="grafana",
+        namespace="observability",
+        repo="grafana",
+        repo_url="https://grafana.github.io/helm-charts",
+        ctx=ctx,
+        values=[],
+        extra_args=["-f", str(values_path)],
+    )
+
+    if not ctx.dry_run:
+        _wait_for_grafana_ready(ctx)
+
+    typer.secho("\n✓ Grafana instalado com sucesso.", fg=typer.colors.GREEN, bold=True)
+    typer.echo(f"\nAcesse: https://{ingress_host}")
+    typer.echo("Usuario: admin")
+    typer.echo(f"Senha: {admin_password}")
+    typer.echo("\nPara port-forward local:")
+    typer.echo("  kubectl -n observability port-forward svc/grafana 3000:80")

raijin_server-0.2.22/src/raijin_server/modules/harness.py

@@ -0,0 +1,162 @@
+"""Instalacao do Harness Delegate via Helm (production-ready)."""
+
+import socket
+import time
+from pathlib import Path
+
+import typer
+
+from raijin_server.utils import ExecutionContext, ensure_tool, require_root, run_cmd, write_file
+
+
+def _detect_node_name(ctx: ExecutionContext) -> str:
+    """Detecta nome do node para nodeSelector."""
+    result = run_cmd(
+        ["kubectl", "get", "nodes", "-o", "jsonpath={.items[0].metadata.name}"],
+        ctx,
+        check=False,
+    )
+    if result.returncode == 0 and (result.stdout or "").strip():
+        return (result.stdout or "").strip()
+    return socket.gethostname()
+
+
+def _check_existing_delegate(ctx: ExecutionContext, namespace: str, delegate_name: str) -> bool:
+    """Verifica se existe instalacao do Harness Delegate."""
+    result = run_cmd(
+        ["helm", "status", delegate_name, "-n", namespace],
+        ctx,
+        check=False,
+    )
+    return result.returncode == 0
+
+
+def _uninstall_delegate(ctx: ExecutionContext, namespace: str, delegate_name: str) -> None:
+    """Remove instalacao anterior do Harness Delegate."""
+    typer.echo("Removendo instalacao anterior do Harness Delegate...")
+    
+    run_cmd(
+        ["helm", "uninstall", delegate_name, "-n", namespace],
+        ctx,
+        check=False,
+    )
+    
+    time.sleep(5)
+
+
+def _wait_for_delegate_ready(ctx: ExecutionContext, namespace: str, delegate_name: str, timeout: int = 180) -> bool:
+    """Aguarda pods do Harness Delegate ficarem Ready."""
+    typer.echo("Aguardando pods do Harness Delegate ficarem Ready...")
+    deadline = time.time() + timeout
+    
+    while time.time() < deadline:
+        result = run_cmd(
+            [
+                "kubectl", "-n", namespace, "get", "pods",
+                "-l", f"app.kubernetes.io/name={delegate_name}",
+                "-o", "jsonpath={range .items[*]}{.metadata.name}={.status.phase} {end}",
+            ],
+            ctx,
+            check=False,
+        )
+        
+        if result.returncode == 0:
+            output = (result.stdout or "").strip()
+            if output:
+                pods = []
+                for item in output.split():
+                    if "=" in item:
+                        parts = item.rsplit("=", 1)
+                        if len(parts) == 2:
+                            pods.append((parts[0], parts[1]))
+                
+                if pods and all(phase == "Running" for _, phase in pods):
+                    typer.secho("  Harness Delegate Ready.", fg=typer.colors.GREEN)
+                    return True
+        
+        time.sleep(10)
+    
+    typer.secho("  Timeout aguardando Harness Delegate.", fg=typer.colors.YELLOW)
+    return False
+
+
+def run(ctx: ExecutionContext) -> None:
+    require_root(ctx)
+    ensure_tool("helm", ctx, install_hint="Instale helm para implantar o delegate.")
+
+    typer.echo("Instalando Harness Delegate via Helm...")
+    account_id = typer.prompt("Harness accountId")
+    org_id = typer.prompt("Org ID", default="default")
+    project_id = typer.prompt("Project ID", default="default")
+    delegate_name = typer.prompt("Delegate name", default="raijin-delegate")
+    namespace = typer.prompt("Namespace", default="harness-delegate")
+    delegate_token = typer.prompt("Delegate token", hide_input=True)
+    replicas = typer.prompt("Numero de replicas", default="1")
+
+    # Prompt opcional de limpeza
+    if _check_existing_delegate(ctx, namespace, delegate_name):
+        cleanup = typer.confirm(
+            "Instalacao anterior do Harness Delegate detectada. Limpar antes de reinstalar?",
+            default=False,
+        )
+        if cleanup:
+            _uninstall_delegate(ctx, namespace, delegate_name)
+
+    node_name = _detect_node_name(ctx)
+
+    run_cmd(
+        ["helm", "repo", "add", "harness", "https://app.harness.io/storage/harness-download/delegate-helm-chart/"],
+        ctx,
+    )
+    run_cmd(["helm", "repo", "update"], ctx)
+
+    # Create values file with tolerations
+    values_yaml = f"""delegateName: {delegate_name}
+accountId: {account_id}
+delegateToken: {delegate_token}
+orgId: {org_id}
+projectId: {project_id}
+replicaCount: {replicas}
+tolerations:
+  - key: node-role.kubernetes.io/control-plane
+    operator: Exists
+    effect: NoSchedule
+  - key: node-role.kubernetes.io/master
+    operator: Exists
+    effect: NoSchedule
+nodeSelector:
+  kubernetes.io/hostname: {node_name}
+resources:
+  requests:
+    memory: 256Mi
+    cpu: 100m
+  limits:
+    memory: 1Gi
+"""
+
+    values_path = Path("/tmp/raijin-harness-values.yaml")
+    write_file(values_path, values_yaml, ctx)
+
+    cmd = [
+        "helm",
+        "upgrade",
+        "--install",
+        delegate_name,
+        "harness/harness-delegate-ng",
+        "-n",
+        namespace,
+        "--create-namespace",
+        "-f",
+        str(values_path),
+    ]
+
+    run_cmd(cmd, ctx, mask_output=True, display_override="helm upgrade --install <delegate> harness/harness-delegate-ng ...")
+
+    if not ctx.dry_run:
+        _wait_for_delegate_ready(ctx, namespace, delegate_name)
+
+    typer.secho("\n✓ Harness Delegate instalado com sucesso.", fg=typer.colors.GREEN, bold=True)
+    typer.echo(f"\nO delegate '{delegate_name}' deve aparecer no Harness em alguns minutos.")
+    typer.echo("\nPara verificar status:")
+    typer.echo(f"  kubectl -n {namespace} get pods")
+    typer.echo(f"  kubectl -n {namespace} logs -l app.kubernetes.io/name={delegate_name}")

raijin_server-0.2.22/src/raijin_server/modules/istio.py

@@ -0,0 +1,157 @@
+"""Instalacao do Istio usando istioctl com configuracoes production-ready."""
+
+import socket
+import time
+
+import typer
+
+from raijin_server.utils import ExecutionContext, ensure_tool, require_root, run_cmd
+
+
+ISTIO_PROFILES = ["default", "demo", "minimal", "ambient", "empty"]
+
+
+def _detect_node_name(ctx: ExecutionContext) -> str:
+    """Detecta nome do node para nodeSelector."""
+    result = run_cmd(
+        ["kubectl", "get", "nodes", "-o", "jsonpath={.items[0].metadata.name}"],
+        ctx,
+        check=False,
+    )
+    if result.returncode == 0 and (result.stdout or "").strip():
+        return (result.stdout or "").strip()
+    return socket.gethostname()
+
+
+def _check_existing_istio(ctx: ExecutionContext) -> bool:
+    """Verifica se existe instalacao do Istio."""
+    result = run_cmd(
+        ["kubectl", "get", "namespace", "istio-system"],
+        ctx,
+        check=False,
+    )
+    return result.returncode == 0
+
+
+def _uninstall_istio(ctx: ExecutionContext) -> None:
+    """Remove instalacao anterior do Istio."""
+    typer.echo("Removendo instalacao anterior do Istio...")
+    
+    run_cmd(
+        ["istioctl", "uninstall", "--purge", "-y"],
+        ctx,
+        check=False,
+    )
+    
+    run_cmd(
+        ["kubectl", "delete", "namespace", "istio-system", "--ignore-not-found"],
+        ctx,
+        check=False,
+    )
+    
+    time.sleep(5)
+
+
+def _wait_for_istio_ready(ctx: ExecutionContext, timeout: int = 300) -> bool:
+    """Aguarda pods do Istio ficarem Ready."""
+    typer.echo("Aguardando pods do Istio ficarem Ready...")
+    deadline = time.time() + timeout
+    
+    while time.time() < deadline:
+        result = run_cmd(
+            [
+                "kubectl", "-n", "istio-system", "get", "pods",
+                "-o", "jsonpath={range .items[*]}{.metadata.name}={.status.phase} {end}",
+            ],
+            ctx,
+            check=False,
+        )
+        
+        if result.returncode == 0:
+            output = (result.stdout or "").strip()
+            if output:
+                pods = []
+                for item in output.split():
+                    if "=" in item:
+                        parts = item.rsplit("=", 1)
+                        if len(parts) == 2:
+                            pods.append((parts[0], parts[1]))
+                
+                if pods and all(phase in ("Running", "Succeeded") for _, phase in pods):
+                    typer.secho(f"  Todos os {len(pods)} pods Ready.", fg=typer.colors.GREEN)
+                    return True
+                
+                pending = [name for name, phase in pods if phase not in ("Running", "Succeeded")]
+                if pending:
+                    typer.echo(f"  Aguardando: {', '.join(pending[:3])}...")
+        
+        time.sleep(10)
+    
+    typer.secho("  Timeout aguardando pods do Istio.", fg=typer.colors.YELLOW)
+    return False
+
+
+def run(ctx: ExecutionContext) -> None:
+    require_root(ctx)
+    ensure_tool("istioctl", ctx, install_hint="Baixe em https://istio.io/latest/docs/setup/getting-started/")
+    typer.echo("Instalando Istio...")
+
+    # Prompt opcional de limpeza
+    if _check_existing_istio(ctx):
+        cleanup = typer.confirm(
+            "Instalacao anterior do Istio detectada. Limpar antes de reinstalar?",
+            default=False,
+        )
+        if cleanup:
+            _uninstall_istio(ctx)
+
+    # Selecao de perfil
+    typer.echo(f"\nPerfis disponiveis: {', '.join(ISTIO_PROFILES)}")
+    profile = typer.prompt("Perfil do Istio", default="default")
+    if profile not in ISTIO_PROFILES:
+        typer.secho(f"Perfil '{profile}' invalido. Usando 'default'.", fg=typer.colors.YELLOW)
+        profile = "default"
+
+    node_name = _detect_node_name(ctx)
+    
+    # Instala com tolerations para control-plane
+    install_cmd = [
+        "istioctl", "install",
+        "--set", f"profile={profile}",
+        # Tolerations para istiod (control plane)
+        "--set", "components.pilot.k8s.tolerations[0].key=node-role.kubernetes.io/control-plane",
+        "--set", "components.pilot.k8s.tolerations[0].operator=Exists",
+        "--set", "components.pilot.k8s.tolerations[0].effect=NoSchedule",
+        "--set", "components.pilot.k8s.tolerations[1].key=node-role.kubernetes.io/master",
+        "--set", "components.pilot.k8s.tolerations[1].operator=Exists",
+        "--set", "components.pilot.k8s.tolerations[1].effect=NoSchedule",
+        # Tolerations para ingress gateway
+        "--set", "components.ingressGateways[0].k8s.tolerations[0].key=node-role.kubernetes.io/control-plane",
+        "--set", "components.ingressGateways[0].k8s.tolerations[0].operator=Exists",
+        "--set", "components.ingressGateways[0].k8s.tolerations[0].effect=NoSchedule",
+        "--set", "components.ingressGateways[0].k8s.tolerations[1].key=node-role.kubernetes.io/master",
+        "--set", "components.ingressGateways[0].k8s.tolerations[1].operator=Exists",
+        "--set", "components.ingressGateways[0].k8s.tolerations[1].effect=NoSchedule",
+        # NodeSelector
+        "--set", f"components.pilot.k8s.nodeSelector.kubernetes\\.io/hostname={node_name}",
+        "-y",
+    ]
+    
+    run_cmd(install_cmd, ctx)
+    
+    # Aguarda pods ficarem prontos
+    if not ctx.dry_run:
+        _wait_for_istio_ready(ctx)
+    
+    # Pergunta sobre injection
+    enable_injection = typer.confirm(
+        "Habilitar sidecar injection automatico no namespace 'default'?",
+        default=True,
+    )
+    if enable_injection:
+        run_cmd(
+            ["kubectl", "label", "namespace", "default", "istio-injection=enabled", "--overwrite"],
+            ctx,
+        )
+    
+    typer.secho("\n✓ Istio instalado com sucesso.", fg=typer.colors.GREEN, bold=True)