raijin-server 0.2.40__py3-none-any.whl → 0.3.0__py3-none-any.whl

raijin_server/__init__.py

@@ -1,5 +1,5 @@
 """Pacote principal do CLI Raijin Server."""
 
-__version__ = "0.2.40"
+__version__ = "0.3.0"
 
 __all__ = ["__version__"]

raijin_server/cli.py

@@ -27,6 +27,7 @@ from raijin_server.modules import (
     grafana,
     harness,
     hardening,
+    internal_dns,
     istio,
     kafka,
     kong,
@@ -44,6 +45,7 @@ from raijin_server.modules import (
     traefik,
     velero,
     vpn,
+    vpn_client,
 )
 from raijin_server.utils import ExecutionContext, logger, active_log_file, available_log_files, page_text, ensure_tool
 from raijin_server.validators import validate_system_requirements, check_module_dependencies, MODULE_DEPENDENCIES
@@ -85,6 +87,8 @@ MODULES: Dict[str, Callable[[ExecutionContext], None]] = {
     "essentials": essentials.run,
     "firewall": firewall.run,
     "vpn": vpn.run,
+    "vpn_client": vpn_client.run,
+    "internal_dns": internal_dns.run,
     "kubernetes": kubernetes.run,
     "calico": calico.run,
     "metallb": metallb.run,
@@ -120,6 +124,8 @@ MODULE_DESCRIPTIONS: Dict[str, str] = {
     "essentials": "Pacotes basicos, repos, utilitarios",
     "firewall": "Regras UFW padrao e serviços basicos",
     "vpn": "Provisiona WireGuard com cliente inicial",
+    "vpn_client": "Gerencia clientes VPN (adicionar/remover/listar)",
+    "internal_dns": "Configura DNS interno para domínios privados (*.asgard.internal)",
     "kubernetes": "Instala kubeadm/kubelet/kubectl e inicializa cluster",
     "calico": "CNI Calico e politica default deny",
     "metallb": "LoadBalancer em bare metal (pool L2)",

raijin_server/modules/__init__.py

@@ -21,6 +21,8 @@ __all__ = [
     "bootstrap",
     "ssh_hardening",
     "vpn",
+    "vpn_client",
+    "internal_dns",
     "observability_ingress",
     "observability_dashboards",
     "apokolips_demo",
@@ -32,4 +34,4 @@ __all__ = [
 from raijin_server.modules import calico, essentials, firewall, grafana, harness, hardening, istio
 from raijin_server.modules import kafka, kong, kubernetes, loki, minio, network, observability_dashboards
 from raijin_server.modules import observability_ingress, prometheus, traefik, velero, apokolips_demo, secrets, cert_manager
-from raijin_server.modules import bootstrap, full_install, sanitize, ssh_hardening, vpn
+from raijin_server.modules import bootstrap, full_install, sanitize, ssh_hardening, vpn, vpn_client, internal_dns

raijin_server/modules/grafana.py

@@ -1,12 +1,27 @@
 """Configuracao do Grafana via Helm com datasource e dashboards provisionados."""
 
+import json
 import socket
+import tempfile
+import textwrap
 import time
 from pathlib import Path
 
 import typer
 
-from raijin_server.utils import ExecutionContext, helm_upgrade_install, require_root, run_cmd, write_file
+from raijin_server.utils import (
+    ExecutionContext,
+    helm_upgrade_install,
+    kubectl_create_ns,
+    require_root,
+    run_cmd,
+    write_file,
+)
+
+LOCAL_PATH_PROVISIONER_URL = (
+    "https://raw.githubusercontent.com/rancher/local-path-provisioner/"
+    "v0.0.30/deploy/local-path-storage.yaml"
+)
 
 
 def _detect_node_name(ctx: ExecutionContext) -> str:
@@ -21,6 +36,269 @@ def _detect_node_name(ctx: ExecutionContext) -> str:
     return socket.gethostname()
 
 
+def _get_default_storage_class(ctx: ExecutionContext) -> str:
+    """Retorna o nome da StorageClass default do cluster, se existir."""
+    if ctx.dry_run:
+        return ""
+    result = run_cmd(
+        [
+            "kubectl",
+            "get",
+            "storageclass",
+            "-o",
+            "jsonpath={.items[?(@.metadata.annotations.storageclass\\.kubernetes\\.io/is-default-class=='true')].metadata.name}",
+        ],
+        ctx,
+        check=False,
+    )
+    if result.returncode == 0 and (result.stdout or "").strip():
+        return (result.stdout or "").strip()
+    return ""
+
+
+def _list_storage_classes(ctx: ExecutionContext) -> list:
+    """Lista todas as StorageClasses disponiveis."""
+    result = run_cmd(
+        ["kubectl", "get", "storageclass", "-o", "jsonpath={.items[*].metadata.name}"],
+        ctx,
+        check=False,
+    )
+    if result.returncode == 0 and (result.stdout or "").strip():
+        return (result.stdout or "").strip().split()
+    return []
+
+
+def _apply_manifest(ctx: ExecutionContext, manifest: str, description: str) -> bool:
+    """Aplica manifest YAML temporario com kubectl."""
+    tmp_path = None
+    try:
+        with tempfile.NamedTemporaryFile("w", delete=False, suffix=".yaml") as tmp:
+            tmp.write(manifest)
+            tmp.flush()
+            tmp_path = Path(tmp.name)
+        result = run_cmd(
+            ["kubectl", "apply", "-f", str(tmp_path)],
+            ctx,
+            check=False,
+        )
+        if result.returncode != 0:
+            typer.secho(f"  Falha ao aplicar {description}.", fg=typer.colors.RED)
+            return False
+        typer.secho(f"  ✓ {description} aplicado.", fg=typer.colors.GREEN)
+        return True
+    finally:
+        if tmp_path and tmp_path.exists():
+            tmp_path.unlink(missing_ok=True)
+
+
+def _patch_local_path_provisioner_tolerations(ctx: ExecutionContext) -> None:
+    """Adiciona tolerations ao local-path-provisioner para rodar em control-plane."""
+    typer.echo("  Configurando tolerations no local-path-provisioner...")
+    
+    # Patch no deployment para tolerar control-plane
+    patch_deployment = textwrap.dedent(
+        """
+        spec:
+          template:
+            spec:
+              tolerations:
+              - key: node-role.kubernetes.io/control-plane
+                operator: Exists
+                effect: NoSchedule
+              - key: node-role.kubernetes.io/master
+                operator: Exists
+                effect: NoSchedule
+        """
+    ).strip()
+    
+    result = run_cmd(
+        [
+            "kubectl", "-n", "local-path-storage", "patch", "deployment",
+            "local-path-provisioner", "--patch", patch_deployment,
+        ],
+        ctx,
+        check=False,
+    )
+    if result.returncode == 0:
+        typer.secho("    ✓ Deployment patched com tolerations.", fg=typer.colors.GREEN)
+    
+    # Patch no ConfigMap para os helper pods
+    helper_pod_config = {
+        "nodePathMap": [
+            {
+                "node": "DEFAULT_PATH_FOR_NON_LISTED_NODES",
+                "paths": ["/opt/local-path-provisioner"]
+            }
+        ],
+        "setupCommand": None,
+        "teardownCommand": None,
+        "helperPod": {
+            "apiVersion": "v1",
+            "kind": "Pod",
+            "metadata": {},
+            "spec": {
+                "tolerations": [
+                    {"key": "node-role.kubernetes.io/control-plane", "operator": "Exists", "effect": "NoSchedule"},
+                    {"key": "node-role.kubernetes.io/master", "operator": "Exists", "effect": "NoSchedule"}
+                ],
+                "containers": [
+                    {
+                        "name": "helper-pod",
+                        "image": "busybox:stable",
+                        "imagePullPolicy": "IfNotPresent"
+                    }
+                ]
+            }
+        }
+    }
+    
+    config_json_str = json.dumps(helper_pod_config)
+    patch_data = json.dumps({"data": {"config.json": config_json_str}})
+    
+    result = run_cmd(
+        [
+            "kubectl", "-n", "local-path-storage", "patch", "configmap",
+            "local-path-config", "--type=merge", "-p", patch_data,
+        ],
+        ctx,
+        check=False,
+    )
+    if result.returncode == 0:
+        typer.secho("    ✓ ConfigMap patched para helper pods.", fg=typer.colors.GREEN)
+    
+    # Reinicia o deployment
+    run_cmd(
+        ["kubectl", "-n", "local-path-storage", "rollout", "restart", "deployment/local-path-provisioner"],
+        ctx,
+        check=False,
+    )
+    
+    # Aguarda rollout
+    run_cmd(
+        [
+            "kubectl", "-n", "local-path-storage", "rollout", "status",
+            "deployment/local-path-provisioner", "--timeout=60s",
+        ],
+        ctx,
+        check=False,
+    )
+
+
+def _install_local_path_provisioner(ctx: ExecutionContext) -> bool:
+    """Instala local-path-provisioner para usar storage local (NVMe/SSD)."""
+    typer.echo("Instalando local-path-provisioner para storage local...")
+    
+    result = run_cmd(
+        ["kubectl", "apply", "-f", LOCAL_PATH_PROVISIONER_URL],
+        ctx,
+        check=False,
+    )
+    if result.returncode != 0:
+        typer.secho("  Falha ao instalar local-path-provisioner.", fg=typer.colors.RED)
+        return False
+    
+    # Aguarda deployment ficar pronto inicialmente
+    typer.echo("  Aguardando local-path-provisioner ficar Ready...")
+    run_cmd(
+        [
+            "kubectl", "-n", "local-path-storage", "rollout", "status",
+            "deployment/local-path-provisioner", "--timeout=60s",
+        ],
+        ctx,
+        check=False,
+    )
+    
+    # Aplica tolerations para control-plane (single-node clusters)
+    _patch_local_path_provisioner_tolerations(ctx)
+    
+    typer.secho("  ✓ local-path-provisioner instalado e configurado.", fg=typer.colors.GREEN)
+    return True
+
+
+def _set_default_storage_class(ctx: ExecutionContext, name: str) -> None:
+    """Define uma StorageClass como default."""
+    # Remove default de outras classes primeiro
+    existing = _list_storage_classes(ctx)
+    for sc in existing:
+        if sc != name:
+            run_cmd(
+                [
+                    "kubectl", "annotate", "storageclass", sc,
+                    "storageclass.kubernetes.io/is-default-class-",
+                    "--overwrite",
+                ],
+                ctx,
+                check=False,
+            )
+    
+    # Define a nova como default
+    run_cmd(
+        [
+            "kubectl", "annotate", "storageclass", name,
+            "storageclass.kubernetes.io/is-default-class=true",
+            "--overwrite",
+        ],
+        ctx,
+        check=True,
+    )
+    typer.secho(f"  ✓ StorageClass '{name}' definida como default.", fg=typer.colors.GREEN)
+
+
+def _ensure_storage_class(ctx: ExecutionContext) -> str:
+    """Garante que existe uma StorageClass disponivel, instalando local-path se necessario."""
+    if ctx.dry_run:
+        return "local-path"  # Retorna um valor dummy para dry-run
+    
+    default_sc = _get_default_storage_class(ctx)
+    available = _list_storage_classes(ctx)
+
+    # Se ja existir default (qualquer uma), usa ela
+    if default_sc:
+        typer.echo(f"StorageClass default detectada: {default_sc}")
+        # Se for local-path, garante que o provisioner tem tolerations
+        if default_sc == "local-path" or "local-path" in available:
+            _patch_local_path_provisioner_tolerations(ctx)
+        return default_sc
+
+    # Se local-path estiver disponivel mas nao for default, define como default
+    if "local-path" in available:
+        typer.echo("StorageClass 'local-path' detectada.")
+        _patch_local_path_provisioner_tolerations(ctx)
+        _set_default_storage_class(ctx, "local-path")
+        return "local-path"
+
+    # Se houver outras classes disponiveis, pergunta qual usar
+    if available:
+        typer.echo(f"StorageClasses disponiveis (sem default): {', '.join(available)}")
+        choice = typer.prompt(
+            f"Qual StorageClass usar? ({'/'.join(available)})",
+            default=available[0],
+        )
+        return choice
+
+    # Nenhuma StorageClass disponivel - instala local-path automaticamente
+    typer.secho(
+        "Nenhuma StorageClass encontrada no cluster.",
+        fg=typer.colors.YELLOW,
+    )
+    install = typer.confirm(
+        "Instalar local-path-provisioner para usar armazenamento local (NVMe/SSD)?",
+        default=True,
+    )
+    if not install:
+        typer.secho(
+            "Abortando: Grafana com PVC requer uma StorageClass.",
+            fg=typer.colors.RED,
+        )
+        raise typer.Exit(1)
+
+    if not _install_local_path_provisioner(ctx):
+        raise typer.Exit(1)
+
+    _set_default_storage_class(ctx, "local-path")
+    return "local-path"
+
+
 def _check_existing_grafana(ctx: ExecutionContext) -> bool:
     """Verifica se existe instalacao do Grafana."""
     result = run_cmd(
@@ -101,29 +379,84 @@ def run(ctx: ExecutionContext) -> None:
         if cleanup:
             _uninstall_grafana(ctx)
 
+    # Verifica se existe StorageClass default para sugerir no prompt
+    default_sc = _get_default_storage_class(ctx)
+    
+    enable_persistence = typer.confirm(
+        "Habilitar PVC para persistencia do Grafana?",
+        default=bool(default_sc)
+    )
+
+    # Se habilitou PVC, garante que existe StorageClass disponivel
+    if enable_persistence:
+        default_sc = _ensure_storage_class(ctx)
+
     admin_password = typer.prompt("Senha admin do Grafana", default="admin")
-    ingress_host = typer.prompt("Host para acessar o Grafana", default="grafana.local")
-    ingress_class = typer.prompt("IngressClass", default="traefik")
-    tls_secret = typer.prompt("Secret TLS (cert-manager)", default="grafana-tls")
-    persistence_size = typer.prompt("Tamanho do storage", default="10Gi")
+    
+    # Ingress público não é recomendado para ferramentas de observabilidade
+    enable_ingress = typer.confirm(
+        "Habilitar ingress público? (NÃO recomendado - use VPN + port-forward)",
+        default=False
+    )
+    
+    ingress_host = "grafana.local"
+    ingress_class = "traefik"
+    tls_secret = "grafana-tls"
+    
+    if enable_ingress:
+        typer.secho(
+            "\n⚠️  ATENÇÃO: Expor Grafana publicamente é um risco de segurança!",
+            fg=typer.colors.YELLOW,
+            bold=True,
+        )
+        typer.secho(
+            "Recomendação: Use VPN (raijin vpn) + port-forward para acesso seguro.\n",
+            fg=typer.colors.YELLOW,
+        )
+        ingress_host = typer.prompt("Host para ingress", default="grafana.local")
+        ingress_class = typer.prompt("IngressClass", default="traefik")
+        tls_secret = typer.prompt("Secret TLS (cert-manager)", default="grafana-tls")
+    
+    persistence_size = "10Gi"
+    storage_class = ""
+    if enable_persistence:
+        storage_class = typer.prompt(
+            "StorageClass para PVC",
+            default=default_sc or "",
+        ).strip()
+        persistence_size = typer.prompt("Tamanho do storage", default="10Gi")
 
     node_name = _detect_node_name(ctx)
 
+    # Constroi o YAML de persistencia condicionalmente
+    persistence_yaml = f"""persistence:
+  enabled: {str(enable_persistence).lower()}"""
+    
+    if enable_persistence:
+        persistence_yaml += f"""
+  size: {persistence_size}"""
+        if storage_class:
+            persistence_yaml += f"""
+  storageClassName: {storage_class}"""
+    
     values_yaml = f"""adminPassword: {admin_password}
 service:
   type: ClusterIP
 ingress:
-  enabled: true
+  enabled: {str(enable_ingress).lower()}"""
+    
+    if enable_ingress:
+        values_yaml += f"""
   ingressClassName: {ingress_class}
   hosts:
     - {ingress_host}
   tls:
     - secretName: {tls_secret}
       hosts:
-        - {ingress_host}
-persistence:
-  enabled: true
-  size: {persistence_size}
+        - {ingress_host}"""
+    
+    values_yaml += f"""
+{persistence_yaml}
 tolerations:
   - key: node-role.kubernetes.io/control-plane
     operator: Exists
@@ -181,7 +514,13 @@ dashboards:
     values_path = Path("/tmp/raijin-grafana-values.yaml")
     write_file(values_path, values_yaml, ctx)
 
-    run_cmd(["kubectl", "create", "namespace", "observability"], ctx, check=False)
+    kubectl_create_ns("observability", ctx)
+
+    if not enable_persistence:
+        typer.secho(
+            "PVC desativado: Grafana usara volume efemero (dados perdidos apos restart).",
+            fg=typer.colors.YELLOW,
+        )
 
     helm_upgrade_install(
         release="grafana",
@@ -191,15 +530,25 @@ dashboards:
         repo_url="https://grafana.github.io/helm-charts",
         ctx=ctx,
         values=[],
-        extra_args=["-f", str(values_path)],
+        extra_args=["-f", str(values_path), "--wait", "--timeout", "10m", "--atomic"],
     )
 
     if not ctx.dry_run:
         _wait_for_grafana_ready(ctx)
 
     typer.secho("\n✓ Grafana instalado com sucesso.", fg=typer.colors.GREEN, bold=True)
-    typer.echo(f"\nAcesse: https://{ingress_host}")
-    typer.echo("Usuario: admin")
+    
+    if enable_ingress:
+        typer.echo(f"\nAcesse: https://{ingress_host}")
+    else:
+        typer.secho("\n🔒 Acesso Seguro via VPN + Port-Forward:", fg=typer.colors.CYAN, bold=True)
+        typer.echo("\n1. Configure VPN (se ainda não tiver):")
+        typer.echo("   sudo raijin vpn")
+        typer.echo("\n2. Conecte via WireGuard no seu Windows/Mac")
+        typer.echo("\n3. Faça port-forward local:")
+        typer.echo("   kubectl -n observability port-forward svc/grafana 3000:80")
+        typer.echo("\n4. Acesse no navegador:")
+        typer.echo("   http://localhost:3000")
+    
+    typer.echo("\nUsuario: admin")
     typer.echo(f"Senha: {admin_password}")
-    typer.echo("\nPara port-forward local:")
-    typer.echo("  kubectl -n observability port-forward svc/grafana 3000:80")