raijin-server 0.2.6__py3-none-any.whl → 0.2.8__py3-none-any.whl

raijin_server/__init__.py

@@ -1,5 +1,5 @@
 """Pacote principal do CLI Raijin Server."""
 
-__version__ = "0.2.4"
+__version__ = "0.2.7"
 
 __all__ = ["__version__"]

raijin_server/cli.py

@@ -6,6 +6,8 @@ import os
 from pathlib import Path
 from typing import Callable, Dict, Optional
 
+import subprocess
+
 import typer
 from rich import box
 from rich.console import Console
@@ -42,7 +44,7 @@ from raijin_server.modules import (
     velero,
     vpn,
 )
-from raijin_server.utils import ExecutionContext, logger
+from raijin_server.utils import ExecutionContext, logger, active_log_file, available_log_files, page_text, ensure_tool
 from raijin_server.validators import validate_system_requirements, check_module_dependencies
 from raijin_server.healthchecks import run_health_check
 from raijin_server.config import ConfigManager
@@ -131,6 +133,19 @@ MODULE_DESCRIPTIONS: Dict[str, str] = {
 }
 
 
+def _capture_cmd(cmd: list[str], timeout: int = 30) -> str:
+    try:
+        result = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
+        if result.returncode == 0:
+            return result.stdout.strip() or "(sem saida)"
+        return (
+            f"✗ {' '.join(cmd)}\n"
+            f"{(result.stdout or '').strip()}\n{(result.stderr or '').strip()}".strip()
+        )
+    except Exception as exc:
+        return f"✗ {' '.join(cmd)} -> {exc}"
+
+
 def _run_module(ctx: typer.Context, name: str, skip_validation: bool = False) -> None:
     handler = MODULES.get(name)
     if handler is None:
@@ -542,6 +557,120 @@ def cert_list_issuers(ctx: typer.Context) -> None:
         pass
 
 
+# ============================================================================
+# Ferramentas de Depuração / Logs
+# ============================================================================
+debug_app = typer.Typer(help="Ferramentas de depuracao e investigacao de logs")
+app.add_typer(debug_app, name="debug")
+
+
+@debug_app.command(name="logs")
+def debug_logs(
+    lines: int = typer.Option(200, "--lines", "-n", help="Quantidade de linhas ao ler"),
+    follow: bool = typer.Option(False, "--follow", "-f", help="Segue o log com tail -F"),
+    pager: bool = typer.Option(True, "--pager/--no-pager", help="Exibe com less"),
+) -> None:
+    """Mostra logs do raijin-server com opcao de follow."""
+
+    logs = available_log_files()
+    if not logs:
+        typer.secho("Nenhum log encontrado", fg=typer.colors.YELLOW)
+        return
+
+    main_log = active_log_file()
+    typer.echo(f"Log ativo: {main_log}")
+
+    if follow:
+        subprocess.run(["tail", "-n", str(lines), "-F", str(main_log)])
+        return
+
+    chunks = []
+    for path in logs:
+        try:
+            data = path.read_text()
+        except Exception as exc:
+            data = f"[erro ao ler {path}: {exc}]"
+        chunks.append(f"===== {path} =====\n{data}")
+
+    output = "\n\n".join(chunks)
+    if pager:
+        page_text(output)
+    else:
+        typer.echo(output)
+
+
+@debug_app.command(name="kube")
+def debug_kube(
+    ctx: typer.Context,
+    events: int = typer.Option(200, "--events", "-e", help="Quantas linhas finais de eventos exibir"),
+    namespace: Optional[str] = typer.Option(None, "--namespace", "-n", help="Filtra pods/eventos por namespace"),
+    pager: bool = typer.Option(True, "--pager/--no-pager", help="Exibe com less"),
+) -> None:
+    """Snapshot rapido de nodes, pods e eventos do cluster."""
+
+    exec_ctx = ctx.obj or ExecutionContext()
+    ensure_tool("kubectl", exec_ctx)
+
+    sections = []
+    sections.append(("kubectl get nodes -o wide", _capture_cmd(["kubectl", "get", "nodes", "-o", "wide"])))
+
+    pods_cmd: list[str] = ["kubectl", "get", "pods"]
+    if namespace:
+        pods_cmd.extend(["-n", namespace])
+    else:
+        pods_cmd.append("-A")
+    pods_cmd.extend(["-o", "wide"])
+    sections.append(("kubectl get pods", _capture_cmd(pods_cmd)))
+
+    events_cmd: list[str] = ["kubectl", "get", "events"]
+    if namespace:
+        events_cmd.extend(["-n", namespace])
+    else:
+        events_cmd.append("-A")
+    events_cmd.extend(["--sort-by=.lastTimestamp"])
+    events_output = _capture_cmd(events_cmd)
+    if events_output and events > 0:
+        events_output = "\n".join(events_output.splitlines()[-events:])
+    sections.append(("kubectl get events", events_output))
+
+    combined = "\n\n".join([f"[{title}]\n{body}" for title, body in sections])
+    if pager:
+        page_text(combined)
+    else:
+        typer.echo(combined)
+
+
+@debug_app.command(name="journal")
+def debug_journal(
+    ctx: typer.Context,
+    service: str = typer.Option("kubelet", "--service", "-s", help="Unidade systemd para inspecionar"),
+    lines: int = typer.Option(200, "--lines", "-n", help="Linhas a exibir"),
+    follow: bool = typer.Option(False, "--follow", "-f", help="Segue o journal em tempo real"),
+    pager: bool = typer.Option(True, "--pager/--no-pager", help="Exibe com less"),
+) -> None:
+    """Mostra logs de services (ex.: kubelet) via journalctl."""
+
+    exec_ctx = ctx.obj or ExecutionContext()
+    ensure_tool("journalctl", exec_ctx)
+
+    cmd = ["journalctl", "-u", service, "-n", str(lines)]
+    if follow:
+        cmd.append("-f")
+        subprocess.run(cmd)
+        return
+
+    cmd.append("--no-pager")
+    output = _capture_cmd(cmd, timeout=60)
+    if lines > 0:
+        output = "\n".join(output.splitlines()[-lines:])
+
+    text = f"[journalctl -u {service} -n {lines}]\n{output}"
+    if pager:
+        page_text(text)
+    else:
+        typer.echo(text)
+
+
 # ============================================================================
 # Comandos Existentes
 # ============================================================================
@@ -554,8 +683,24 @@ def bootstrap_cmd(ctx: typer.Context) -> None:
 
 
 @app.command(name="full-install")
-def full_install_cmd(ctx: typer.Context) -> None:
+def full_install_cmd(
+    ctx: typer.Context,
+    steps: Optional[str] = typer.Option(None, "--steps", help="Lista de modulos, separado por virgula"),
+    confirm_each: bool = typer.Option(False, "--confirm-each", help="Pedir confirmacao antes de cada modulo"),
+    debug_mode: bool = typer.Option(False, "--debug-mode", help="Habilita snapshots e diagnose pos-modulo"),
+    snapshots: bool = typer.Option(False, "--snapshots", help="Habilita snapshots de cluster apos cada modulo"),
+    post_diagnose: bool = typer.Option(False, "--post-diagnose", help="Executa diagnose pos-modulo quando disponivel"),
+    select_steps: bool = typer.Option(False, "--select-steps", help="Pergunta quais modulos executar antes de iniciar"),
+) -> None:
     """Executa instalacao completa e automatizada do ambiente de producao."""
+    exec_ctx = ctx.obj or ExecutionContext()
+    if steps:
+        exec_ctx.selected_steps = [s.strip() for s in steps.split(",") if s.strip()]
+    exec_ctx.interactive_steps = select_steps
+    exec_ctx.confirm_each_step = confirm_each
+    exec_ctx.debug_snapshots = debug_mode or snapshots or exec_ctx.debug_snapshots
+    exec_ctx.post_diagnose = debug_mode or post_diagnose or exec_ctx.post_diagnose
+    ctx.obj = exec_ctx
     _run_module(ctx, "full_install")
 
 

raijin_server/config.py

@@ -78,15 +78,15 @@ class ConfigManager:
             "modules": {
                 "network": {
                     "interface": "ens18",
-                    "address": "192.168.0.10/24",
-                    "gateway": "192.168.0.1",
-                    "dns": "1.1.1.1,8.8.8.8",
+                    "address": "192.168.1.81/24",
+                    "gateway": "192.168.1.254",
+                    "dns": "177.128.80.44,177.128.80.45",
                 },
                 "kubernetes": {
                     "pod_cidr": "10.244.0.0/16",
                     "service_cidr": "10.96.0.0/12",
                     "cluster_name": "raijin",
-                    "advertise_address": "0.0.0.0",
+                    "advertise_address": "192.168.1.81",
                 },
                 "calico": {
                     "pod_cidr": "10.244.0.0/16",

raijin_server/healthchecks.py

@@ -124,6 +124,21 @@ def check_k8s_pods_in_namespace(namespace: str, ctx: ExecutionContext, timeout:
     )
 
 
+def check_swap_disabled(ctx: ExecutionContext) -> tuple[bool, str]:
+    """Confirma que nao ha swap ativa (requisito kubeadm/kubelet)."""
+    if ctx.dry_run:
+        return True, "dry-run"
+    try:
+        with open("/proc/swaps") as f:
+            lines = f.read().strip().splitlines()
+        # /proc/swaps tem header + linhas; se so header, swap esta off
+        if len(lines) <= 1:
+            return True, "swap desativada"
+        return False, "swap ativa (remova entradas do fstab e execute swapoff -a)"
+    except Exception as exc:
+        return False, f"falha ao verificar swap: {exc}"
+
+
 def check_helm_release(release: str, namespace: str, ctx: ExecutionContext) -> Tuple[bool, str]:
     """Verifica status de um release Helm."""
     if ctx.dry_run:
@@ -217,6 +232,13 @@ def verify_kubernetes(ctx: ExecutionContext) -> bool:
     services = ["kubelet", "containerd"]
     all_ok = True
 
+    swap_ok, swap_msg = check_swap_disabled(ctx)
+    if swap_ok:
+        typer.secho(f"  ✓ Swap: {swap_msg}", fg=typer.colors.GREEN)
+    else:
+        typer.secho(f"  ✗ Swap: {swap_msg}", fg=typer.colors.RED)
+        all_ok = False
+
     for service in services:
         ok, status = check_systemd_service(service, ctx)
         if ok:

raijin_server/modules/calico.py

@@ -1,7 +1,8 @@
 """Configuracao de Calico como CNI com CIDR customizado e policies opinativas."""
 
+import json
 from pathlib import Path
-from typing import Iterable
+from typing import Iterable, List
 
 import typer
 
@@ -16,6 +17,7 @@ from raijin_server.utils import (
 
 EGRESS_LABEL_KEY = "networking.raijin.dev/egress"
 EGRESS_LABEL_VALUE = "internet"
+DEFAULT_WORKLOAD_NAMESPACE = "apps"
 
 
 def _apply_policy(content: str, ctx: ExecutionContext, suffix: str) -> None:
@@ -25,6 +27,23 @@ def _apply_policy(content: str, ctx: ExecutionContext, suffix: str) -> None:
     path.unlink(missing_ok=True)
 
 
+def _ensure_namespace(namespace: str, ctx: ExecutionContext) -> None:
+    """Garante que um namespace de workloads exista com labels padrao."""
+    manifest = f"""apiVersion: v1
+kind: Namespace
+metadata:
+  name: {namespace}
+  labels:
+    raijin/workload-profile: production
+    networking.raijin.dev/default-egress: restricted
+"""
+
+    path = Path(f"/tmp/raijin-ns-{namespace}.yaml")
+    write_file(path, manifest, ctx)
+    kubectl_apply(str(path), ctx)
+    path.unlink(missing_ok=True)
+
+
 def _build_default_deny(namespace: str) -> str:
     return f"""apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -62,6 +81,43 @@ def _split_namespaces(raw_value: str) -> Iterable[str]:
     return [ns.strip() for ns in raw_value.split(",") if ns.strip()]
 
 
+def _list_workloads_without_egress(namespaces: List[str], ctx: ExecutionContext) -> None:
+    """Lista workloads sem label de egress e apenas avisa se falhar."""
+    if ctx.dry_run:
+        typer.echo("[dry-run] Skip listagem de workloads para liberação de egress")
+        return
+
+    typer.secho("\nWorkloads sem liberação de egress (adicione label para liberar internet):", fg=typer.colors.CYAN)
+    for ns in namespaces:
+        result = run_cmd(
+            ["kubectl", "get", "deploy,statefulset,daemonset", "-n", ns, "-o", "json"],
+            ctx,
+            check=False,
+        )
+        if result.returncode != 0:
+            msg = (result.stderr or result.stdout or "erro desconhecido").strip()
+            typer.secho(f"  Aviso: nao foi possivel listar workloads em '{ns}' ({msg})", fg=typer.colors.YELLOW)
+            continue
+
+        try:
+            data = json.loads(result.stdout or "{}")
+            items = data.get("items", [])
+            pending = []
+            for item in items:
+                meta = item.get("metadata", {})
+                labels = meta.get("labels", {}) or {}
+                if labels.get(EGRESS_LABEL_KEY) != EGRESS_LABEL_VALUE:
+                    pending.append(f"{meta.get('namespace', ns)}/{meta.get('name', 'desconhecido')}")
+
+            if pending:
+                for name in pending:
+                    typer.echo(f"  - {name}")
+            else:
+                typer.echo(f"  Nenhum workload pendente em '{ns}'")
+        except Exception as exc:
+            typer.secho(f"  Aviso: falha ao processar workloads em '{ns}': {exc}", fg=typer.colors.YELLOW)
+
+
 def _check_cluster_available(ctx: ExecutionContext) -> bool:
     """Verifica se o cluster Kubernetes esta acessivel."""
     if ctx.dry_run:
@@ -99,13 +155,19 @@ def run(ctx: ExecutionContext) -> None:
     typer.echo("Aplicando Calico como CNI...")
     pod_cidr = typer.prompt("Pod CIDR (Calico)", default="10.244.0.0/16")
 
+    typer.secho(
+        f"Criando namespace padrao de workloads '{DEFAULT_WORKLOAD_NAMESPACE}' (production-ready)...",
+        fg=typer.colors.CYAN,
+    )
+    _ensure_namespace(DEFAULT_WORKLOAD_NAMESPACE, ctx)
+
     manifest_url = "https://raw.githubusercontent.com/projectcalico/calico/v3.27.2/manifests/calico.yaml"
     cmd = f"curl -s {manifest_url} | sed 's#192.168.0.0/16#{pod_cidr}#' | kubectl apply -f -"
     run_cmd(cmd, ctx, use_shell=True)
 
     deny_namespaces_raw = typer.prompt(
         "Namespaces para aplicar default-deny (CSV)",
-        default="default",
+        default=DEFAULT_WORKLOAD_NAMESPACE,
     )
     for namespace in _split_namespaces(deny_namespaces_raw):
         typer.echo(f"Aplicando default-deny no namespace '{namespace}'...")
@@ -117,9 +179,12 @@ def run(ctx: ExecutionContext) -> None:
     ):
         allow_namespaces_raw = typer.prompt(
             "Namespaces com pods que precisam acessar APIs externas (CSV)",
-            default="default",
+            default=DEFAULT_WORKLOAD_NAMESPACE,
         )
         cidr = typer.prompt("CIDR liberado (ex.: 0.0.0.0/0)", default="0.0.0.0/0")
+        namespaces = list(_split_namespaces(allow_namespaces_raw))
+        if namespaces:
+            _list_workloads_without_egress(namespaces, ctx)
         for namespace in _split_namespaces(allow_namespaces_raw):
             typer.echo(
                 f"Criando policy allow-egress-internet em '{namespace}' para pods com "

raijin_server/modules/cert_manager.py

@@ -18,6 +18,8 @@ from enum import Enum
 from pathlib import Path
 from typing import Callable, Optional, List
 
+import os
+
 import typer
 
 from raijin_server.utils import (
@@ -34,11 +36,14 @@ CHART_REPO = "https://charts.jetstack.io"
 CHART_NAME = "cert-manager"
 NAMESPACE = "cert-manager"
 MANIFEST_PATH = Path("/tmp/raijin-cert-manager-issuer.yaml")
+HELM_DATA_DIR = Path("/tmp/raijin-helm")
+HELM_REPO_CONFIG = HELM_DATA_DIR / "repositories.yaml"
+HELM_REPO_CACHE = HELM_DATA_DIR / "cache"
 
-# Timeouts mais generosos para ambientes lentos
-WEBHOOK_READY_TIMEOUT = 600  # 10 minutos
-POD_READY_TIMEOUT = 300      # 5 minutos
-CRD_READY_TIMEOUT = 180      # 3 minutos
+# Timeouts enxutos (falha rápida em redes rápidas)
+WEBHOOK_READY_TIMEOUT = 240  # 4 minutos
+POD_READY_TIMEOUT = 180      # 3 minutos
+CRD_READY_TIMEOUT = 120      # 2 minutos
 
 
 class DNSProvider(str, Enum):
@@ -82,6 +87,17 @@ def _get_acme_server(staging: bool) -> str:
     return "https://acme-v02.api.letsencrypt.org/directory"
 
 
+def _helm_env() -> dict:
+    """Garante diretórios de cache/config do Helm isolados em /tmp para evitar erros de permissão."""
+    HELM_DATA_DIR.mkdir(parents=True, exist_ok=True)
+    HELM_REPO_CACHE.mkdir(parents=True, exist_ok=True)
+    return {
+        **os.environ,
+        "HELM_REPOSITORY_CONFIG": str(HELM_REPO_CONFIG),
+        "HELM_REPOSITORY_CACHE": str(HELM_REPO_CACHE),
+    }
+
+
 # =============================================================================
 # Builders de Manifests YAML
 # =============================================================================
@@ -519,6 +535,7 @@ def _add_helm_repo(ctx: ExecutionContext) -> bool:
             capture_output=True,
             text=True,
             timeout=60,
+            env=_helm_env(),
         )
         
         if result.returncode != 0:
@@ -539,6 +556,7 @@ def _add_helm_repo(ctx: ExecutionContext) -> bool:
             capture_output=True,
             text=True,
             timeout=120,
+            env=_helm_env(),
         )
         
         elapsed_update = time.time() - start
@@ -562,8 +580,8 @@ def _add_helm_repo(ctx: ExecutionContext) -> bool:
         return False
 
 
-def _run_helm_install(ctx: ExecutionContext) -> bool:
-    """Executa o helm upgrade --install."""
+def _run_helm_install(ctx: ExecutionContext, attempt: int = 1) -> bool:
+    """Executa o helm upgrade --install, com uma tentativa de retry para repo/config."""
     if ctx.dry_run:
         typer.echo("  [4/5] [dry-run] Executando helm upgrade --install...")
         return True
@@ -574,6 +592,7 @@ def _run_helm_install(ctx: ExecutionContext) -> bool:
     
     cmd = [
         "helm", "upgrade", "--install", "cert-manager", "jetstack/cert-manager",
+        "--repo", CHART_REPO,
         "-n", NAMESPACE,
         "--create-namespace",
         "--set", "installCRDs=true",
@@ -598,6 +617,7 @@ def _run_helm_install(ctx: ExecutionContext) -> bool:
             stdout=subprocess.PIPE,
             stderr=subprocess.STDOUT,
             text=True,
+            env=_helm_env(),
         )
         
         output_lines = []
@@ -628,7 +648,13 @@ def _run_helm_install(ctx: ExecutionContext) -> bool:
             output = "".join(output_lines[-20:])  # Últimas 20 linhas
             logger.error(f"Helm install falhou (código {return_code}): {output}")
             typer.secho(f"  ✗ Helm install falhou (código {return_code})", fg=typer.colors.RED)
-            
+
+            needs_repo_retry = "repo jetstack not found" in output.lower() or "repositories.yaml" in output.lower()
+            if needs_repo_retry and attempt == 1:
+                typer.echo("  → Reconfigurando repositório Helm e tentando novamente...")
+                if _add_helm_repo(ctx):
+                    return _run_helm_install(ctx, attempt=2)
+
             # Mostra as últimas linhas do erro
             typer.echo("\n  Últimas linhas do log:")
             for line in output_lines[-10:]: