PyPI - raijin-server - Versions diffs - 0.3.4__py3-none-any.whl → 0.3.7__py3-none-any.whl - Mend

raijin-server 0.3.4py3-none-any.whl → 0.3.7py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of raijin-server might be problematic. Click here for more details.

Files changed (19) hide show

raijin_server/__init__.py +1 -1
raijin_server/cli.py +6 -25
raijin_server/healthchecks.py +1 -55
raijin_server/minio_utils.py +562 -0
raijin_server/modules/__init__.py +4 -6
raijin_server/modules/full_install.py +11 -19
raijin_server/modules/harbor.py +669 -0
raijin_server/modules/secrets.py +392 -96
raijin_server/modules/velero.py +49 -2
raijin_server/validators.py +1 -1
{raijin_server-0.3.4.dist-info → raijin_server-0.3.7.dist-info}/METADATA +1 -1
{raijin_server-0.3.4.dist-info → raijin_server-0.3.7.dist-info}/RECORD +16 -17
raijin_server/modules/apokolips_demo.py +0 -414
raijin_server/modules/observability_dashboards.py +0 -233
raijin_server/modules/observability_ingress.py +0 -246
{raijin_server-0.3.4.dist-info → raijin_server-0.3.7.dist-info}/WHEEL +0 -0
{raijin_server-0.3.4.dist-info → raijin_server-0.3.7.dist-info}/entry_points.txt +0 -0
{raijin_server-0.3.4.dist-info → raijin_server-0.3.7.dist-info}/licenses/LICENSE +0 -0
{raijin_server-0.3.4.dist-info → raijin_server-0.3.7.dist-info}/top_level.txt +0 -0

raijin_server/modules/secrets.py CHANGED Viewed

@@ -1,10 +1,15 @@
-"""Automacao de sealed-secrets e external-secrets via Helm (production-ready).
+"""Automacao de HashiCorp Vault e External Secrets Operator (production-ready).
-Instala os controladores necessários para criptografar e consumir segredos
-em clusters Kubernetes. Inclui opcionalmente a exportacao do certificado
-publico do sealed-secrets para permitir geracao de manifests lacrados.
+Instala Vault com MinIO backend para persistencia e External Secrets Operator
+para sincronizar segredos do Vault para Secrets nativos do Kubernetes.
+Arquitetura:
+- Vault: Gerenciamento centralizado de segredos com MinIO como storage backend
+- External Secrets Operator: Sincroniza segredos do Vault para K8s Secrets
+- Aplicações: Usam Secrets nativos do K8s (transparente)
 """
+import base64
 import socket
 import time
 from pathlib import Path
@@ -19,8 +24,9 @@ from raijin_server.utils import (
     run_cmd,
     write_file,
 )
+from raijin_server.minio_utils import get_or_create_minio_user
-SEALED_NAMESPACE = "kube-system"
+VAULT_NAMESPACE = "vault"
 ESO_NAMESPACE = "external-secrets"
@@ -36,10 +42,10 @@ def _detect_node_name(ctx: ExecutionContext) -> str:
     return socket.gethostname()
-def _check_existing_sealed_secrets(ctx: ExecutionContext, namespace: str) -> bool:
-    """Verifica se existe instalacao do Sealed Secrets."""
+def _check_existing_vault(ctx: ExecutionContext, namespace: str) -> bool:
+    """Verifica se existe instalacao do Vault."""
     result = run_cmd(
-        ["helm", "status", "sealed-secrets", "-n", namespace],
+        ["helm", "status", "vault", "-n", namespace],
         ctx,
         check=False,
     )
@@ -56,12 +62,12 @@ def _check_existing_external_secrets(ctx: ExecutionContext, namespace: str) -> b
     return result.returncode == 0
-def _uninstall_sealed_secrets(ctx: ExecutionContext, namespace: str) -> None:
-    """Remove instalacao anterior do Sealed Secrets."""
-    typer.echo("Removendo instalacao anterior do Sealed Secrets...")
+def _uninstall_vault(ctx: ExecutionContext, namespace: str) -> None:
+    """Remove instalacao anterior do Vault."""
+    typer.echo("Removendo instalacao anterior do Vault...")
     run_cmd(
-        ["helm", "uninstall", "sealed-secrets", "-n", namespace],
+        ["helm", "uninstall", "vault", "-n", namespace],
         ctx,
         check=False,
     )
@@ -82,16 +88,16 @@ def _uninstall_external_secrets(ctx: ExecutionContext, namespace: str) -> None:
     time.sleep(5)
-def _wait_for_sealed_secrets_ready(ctx: ExecutionContext, namespace: str, timeout: int = 120) -> bool:
-    """Aguarda pods do Sealed Secrets ficarem Ready."""
-    typer.echo("Aguardando pods do Sealed Secrets ficarem Ready...")
+def _wait_for_pods_ready(ctx: ExecutionContext, namespace: str, label: str, timeout: int = 120) -> bool:
+    """Aguarda pods ficarem Ready."""
+    typer.echo(f"Aguardando pods com label {label} ficarem Ready...")
     deadline = time.time() + timeout
     while time.time() < deadline:
         result = run_cmd(
             [
                 "kubectl", "-n", namespace, "get", "pods",
-                "-l", "app.kubernetes.io/name=sealed-secrets",
+                "-l", label,
                 "-o", "jsonpath={range .items[*]}{.metadata.name}={.status.phase} {end}",
             ],
             ctx,
@@ -109,49 +115,248 @@ def _wait_for_sealed_secrets_ready(ctx: ExecutionContext, namespace: str, timeou
                             pods.append((parts[0], parts[1]))
                 if pods and all(phase == "Running" for _, phase in pods):
-                    typer.secho("  Sealed Secrets Ready.", fg=typer.colors.GREEN)
+                    typer.secho(f"  Pods {label} Ready.", fg=typer.colors.GREEN)
                     return True
         time.sleep(5)
-    typer.secho("  Timeout aguardando Sealed Secrets.", fg=typer.colors.YELLOW)
+    typer.secho(f"  Timeout aguardando pods {label}.", fg=typer.colors.YELLOW)
     return False
-def _export_sealed_cert(namespace: str, ctx: ExecutionContext) -> None:
-    """Exporta o certificado publico do sealed-secrets para um caminho local."""
+def _get_minio_credentials(ctx: ExecutionContext) -> tuple[str, str]:
+    """Obtem ou cria credenciais específicas do MinIO para Vault.
+    Esta função cria um usuário MinIO dedicado para o Vault com acesso
+    restrito apenas ao bucket 'vault-storage'.
+    """
+    return get_or_create_minio_user(
+        ctx=ctx,
+        app_name="vault",
+        buckets=["vault-storage"],
+        namespace=VAULT_NAMESPACE,
+    )
-    default_path = Path("/tmp/sealed-secrets-cert.pem")
-    dest = typer.prompt(
-        "Caminho para salvar o certificado publico do sealed-secrets",
-        default=str(default_path),
+def _initialize_vault(ctx: ExecutionContext, vault_ns: str, node_ip: str) -> tuple[str, list[str]]:
+    """Inicializa o Vault e retorna root token e unseal keys."""
+    typer.echo("\n Inicializando Vault...")
+    result = run_cmd(
+        ["kubectl", "-n", vault_ns, "exec", "vault-0", "--", "vault", "operator", "init", "-format=json"],
+        ctx,
+        check=False,
     )
-    typer.echo(f"Exportando certificado para {dest}...")
-    cmd = [
-        "kubectl",
-        "-n",
-        namespace,
-        "get",
-        "secret",
-        "-l",
-        "sealedsecrets.bitnami.com/sealed-secrets-key",
-        "-o",
-        r"jsonpath={.items[0].data.tls\.crt}",
-    ]
-    result = run_cmd(cmd, ctx, check=False)
     if result.returncode != 0:
-        typer.secho("Nao foi possivel obter o certificado (tente novamente apos o pod estar Ready).", fg=typer.colors.YELLOW)
-        return
+        typer.secho("Falha ao inicializar Vault.", fg=typer.colors.RED)
+        raise typer.Exit(1)
+    import json
+    init_data = json.loads(result.stdout)
+    root_token = init_data["root_token"]
+    unseal_keys = init_data["unseal_keys_b64"]
+    # Salva keys localmente
+    vault_keys_path = Path("/etc/vault/keys.json")
+    vault_keys_path.parent.mkdir(parents=True, exist_ok=True)
+    vault_keys_path.write_text(json.dumps(init_data, indent=2))
+    typer.secho(f"\n✓ Vault keys salvas em {vault_keys_path}", fg=typer.colors.GREEN)
+    typer.secho("⚠️  IMPORTANTE: Guarde essas keys em local seguro!", fg=typer.colors.YELLOW, bold=True)
+    return root_token, unseal_keys
+def _unseal_vault(ctx: ExecutionContext, vault_ns: str, unseal_keys: list[str]) -> None:
+    """Destrava o Vault usando as unseal keys."""
+    typer.echo("\nDesbloqueando Vault...")
+    # Precisa de 3 keys das 5 geradas (threshold padrão)
+    for i in range(3):
+        run_cmd(
+            ["kubectl", "-n", vault_ns, "exec", "vault-0", "--", "vault", "operator", "unseal", unseal_keys[i]],
+            ctx,
+        )
+    typer.secho("✓ Vault desbloqueado.", fg=typer.colors.GREEN)
+def _enable_kv_secrets(ctx: ExecutionContext, vault_ns: str, root_token: str) -> None:
+    """Habilita KV v2 secrets engine."""
+    typer.echo("\nHabilitando KV v2 secrets engine...")
+    run_cmd(
+        [
+            "kubectl", "-n", vault_ns, "exec", "vault-0", "--",
+            "vault", "secrets", "enable", "-path=secret", "kv-v2"
+        ],
+        ctx,
+        env={"VAULT_TOKEN": root_token},
+        check=False,  # Pode já estar habilitado
+    )
+    typer.secho("✓ KV v2 habilitado em path 'secret'.", fg=typer.colors.GREEN)
+def _configure_kubernetes_auth(ctx: ExecutionContext, vault_ns: str, root_token: str) -> None:
+    """Configura autenticação Kubernetes no Vault."""
+    typer.echo("\nConfigurando autenticação Kubernetes...")
+    # Habilita kubernetes auth
+    run_cmd(
+        ["kubectl", "-n", vault_ns, "exec", "vault-0", "--", "vault", "auth", "enable", "kubernetes"],
+        ctx,
+        env={"VAULT_TOKEN": root_token},
+        check=False,
+    )
+    # Configura kubernetes auth
+    run_cmd(
+        [
+            "kubectl", "-n", vault_ns, "exec", "vault-0", "--",
+            "sh", "-c",
+            "vault write auth/kubernetes/config " +
+            "kubernetes_host=https://$KUBERNETES_PORT_443_TCP_ADDR:443"
+        ],
+        ctx,
+        env={"VAULT_TOKEN": root_token},
+    )
+    typer.secho("✓ Autenticação Kubernetes configurada.", fg=typer.colors.GREEN)
-    try:
-        import base64
-        cert_b64 = result.stdout.strip()
-        cert_bytes = base64.b64decode(cert_b64)
-        Path(dest).write_bytes(cert_bytes)
-        typer.secho(f"✓ Certificado salvo em {dest}", fg=typer.colors.GREEN)
-    except Exception as exc:
-        typer.secho(f"Falha ao decodificar/salvar certificado: {exc}", fg=typer.colors.YELLOW)
+def _create_eso_policy_and_role(ctx: ExecutionContext, vault_ns: str, root_token: str, eso_ns: str) -> None:
+    """Cria policy e role para External Secrets Operator."""
+    typer.echo("\nCriando policy e role para ESO...")
+    # Policy para ler todos os secrets
+    policy = """path "secret/data/*" {
+  capabilities = ["read"]
+}"""
+    run_cmd(
+        ["kubectl", "-n", vault_ns, "exec", "vault-0", "--", "vault", "policy", "write", "eso-policy", "-"],
+        ctx,
+        env={"VAULT_TOKEN": root_token},
+        input=policy,
+    )
+    # Role vinculando serviceaccount do ESO
+    run_cmd(
+        [
+            "kubectl", "-n", vault_ns, "exec", "vault-0", "--",
+            "vault", "write", "auth/kubernetes/role/eso-role",
+            "bound_service_account_names=external-secrets",
+            f"bound_service_account_namespaces={eso_ns}",
+            "policies=eso-policy",
+            "ttl=24h"
+        ],
+        ctx,
+        env={"VAULT_TOKEN": root_token},
+    )
+    typer.secho("✓ Policy 'eso-policy' e role 'eso-role' criadas.", fg=typer.colors.GREEN)
+def _create_secretstore_example(ctx: ExecutionContext, vault_ns: str, eso_ns: str, node_ip: str) -> None:
+    """Cria exemplo de ClusterSecretStore e ExternalSecret."""
+    typer.echo("\nCriando exemplo de ClusterSecretStore...")
+    secretstore_yaml = f"""apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: vault-backend
+spec:
+  provider:
+    vault:
+      server: "http://vault.{vault_ns}.svc.cluster.local:8200"
+      path: "secret"
+      version: "v2"
+      auth:
+        kubernetes:
+          mountPath: "kubernetes"
+          role: "eso-role"
+          serviceAccountRef:
+            name: "external-secrets"
+            namespace: "{eso_ns}"
+"""
+    secretstore_path = Path("/tmp/raijin-vault-secretstore.yaml")
+    write_file(secretstore_path, secretstore_yaml, ctx)
+    run_cmd(
+        ["kubectl", "apply", "-f", str(secretstore_path)],
+        ctx,
+    )
+    typer.secho("✓ ClusterSecretStore 'vault-backend' criado.", fg=typer.colors.GREEN)
+def _create_example_secret(ctx: ExecutionContext, vault_ns: str, root_token: str) -> None:
+    """Cria um secret de exemplo no Vault."""
+    typer.echo("\nCriando secret de exemplo no Vault...")
+    run_cmd(
+        [
+            "kubectl", "-n", vault_ns, "exec", "vault-0", "--",
+            "vault", "kv", "put", "secret/example",
+            "username=admin",
+            "password=supersecret123"
+        ],
+        ctx,
+        env={"VAULT_TOKEN": root_token},
+    )
+    typer.secho("✓ Secret 'secret/example' criado no Vault.", fg=typer.colors.GREEN)
+    # Cria ExternalSecret de exemplo
+    external_secret_yaml = """apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: example-secret
+  namespace: default
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: vault-backend
+    kind: ClusterSecretStore
+  target:
+    name: example-secret
+    creationPolicy: Owner
+  data:
+  - secretKey: username
+    remoteRef:
+      key: secret/example
+      property: username
+  - secretKey: password
+    remoteRef:
+      key: secret/example
+      property: password
+"""
+    external_secret_path = Path("/tmp/raijin-vault-externalsecret.yaml")
+    write_file(external_secret_path, external_secret_yaml, ctx)
+    run_cmd(
+        ["kubectl", "apply", "-f", str(external_secret_path)],
+        ctx,
+    )
+    typer.secho("✓ ExternalSecret 'example-secret' criado no namespace default.", fg=typer.colors.GREEN)
+    # Aguarda sincronização
+    time.sleep(5)
+    # Verifica se o Secret foi criado
+    result = run_cmd(
+        ["kubectl", "-n", "default", "get", "secret", "example-secret"],
+        ctx,
+        check=False,
+    )
+    if result.returncode == 0:
+        typer.secho("\n✓ Secret sincronizado com sucesso! Teste com:", fg=typer.colors.GREEN)
+        typer.echo("  kubectl -n default get secret example-secret -o yaml")
 def run(ctx: ExecutionContext) -> None:
@@ -159,69 +364,124 @@ def run(ctx: ExecutionContext) -> None:
     ensure_tool("kubectl", ctx, install_hint="Instale kubectl ou habilite dry-run.")
     ensure_tool("helm", ctx, install_hint="Instale helm ou habilite dry-run.")
-    typer.echo("Instalando sealed-secrets e external-secrets...")
+    typer.echo("Instalando HashiCorp Vault + External Secrets Operator...")
-    sealed_ns = typer.prompt("Namespace para sealed-secrets", default=SEALED_NAMESPACE)
-    eso_ns = typer.prompt("Namespace para external-secrets", default=ESO_NAMESPACE)
+    vault_ns = typer.prompt("Namespace para Vault", default=VAULT_NAMESPACE)
+    eso_ns = typer.prompt("Namespace para External Secrets", default=ESO_NAMESPACE)
     node_name = _detect_node_name(ctx)
+    # Detecta IP do node para acesso ao MinIO
+    result = run_cmd(
+        ["kubectl", "get", "nodes", "-o", "jsonpath={.items[0].status.addresses[?(@.type=='InternalIP')].address}"],
+        ctx,
+        check=False,
+    )
+    node_ip = result.stdout.strip() if result.returncode == 0 else "192.168.1.81"
+    minio_host = typer.prompt("MinIO host", default=f"{node_ip}:30900")
+    access_key, secret_key = _get_minio_credentials(ctx)
-    # sealed-secrets
-    typer.secho("\n== Sealed Secrets ==", fg=typer.colors.CYAN, bold=True)
+    # ========== HashiCorp Vault ==========
+    typer.secho("\n== HashiCorp Vault ==", fg=typer.colors.CYAN, bold=True)
-    # Prompt opcional de limpeza
-    if _check_existing_sealed_secrets(ctx, sealed_ns):
+    if _check_existing_vault(ctx, vault_ns):
         cleanup = typer.confirm(
-            "Instalacao anterior do Sealed Secrets detectada. Limpar antes de reinstalar?",
+            "Instalacao anterior do Vault detectada. Limpar antes de reinstalar?",
             default=False,
         )
         if cleanup:
-            _uninstall_sealed_secrets(ctx, sealed_ns)
-    sealed_values_yaml = f"""tolerations:
-  - key: node-role.kubernetes.io/control-plane
-    operator: Exists
-    effect: NoSchedule
-  - key: node-role.kubernetes.io/master
-    operator: Exists
-    effect: NoSchedule
-nodeSelector:
-  kubernetes.io/hostname: {node_name}
-resources:
-  requests:
-    memory: 64Mi
-    cpu: 50m
-  limits:
-    memory: 128Mi
+            _uninstall_vault(ctx, vault_ns)
+    # Credenciais são obtidas automaticamente via get_or_create_minio_user
+    # que já cria o bucket 'vault-storage' e o usuário 'vault-user'
+    vault_values_yaml = f"""server:
+  ha:
+    enabled: true
+    replicas: 1
+    raft:
+      enabled: false
+  standalone:
+    enabled: true
+    config: |
+      ui = true
+      listener "tcp" {{
+        tls_disable = 1
+        address = "[::]:8200"
+        cluster_address = "[::]:8201"
+      }}
+      storage "s3" {{
+        endpoint = "http://{minio_host}"
+        bucket = "vault-storage"
+        access_key = "{access_key}"
+        secret_key = "{secret_key}"
+        s3_force_path_style = true
+      }}
+      api_addr = "http://vault.{vault_ns}.svc.cluster.local:8200"
+      cluster_addr = "http://vault-0.vault-internal:8201"
+  tolerations:
+    - key: node-role.kubernetes.io/control-plane
+      operator: Exists
+      effect: NoSchedule
+    - key: node-role.kubernetes.io/master
+      operator: Exists
+      effect: NoSchedule
+  nodeSelector:
+    kubernetes.io/hostname: {node_name}
+  resources:
+    requests:
+      memory: 256Mi
+      cpu: 250m
+    limits:
+      memory: 512Mi
+ui:
+  enabled: true
+  serviceType: "NodePort"
+  serviceNodePort: 30820
+injector:
+  enabled: false
 """
-    sealed_values_path = Path("/tmp/raijin-sealed-secrets-values.yaml")
-    write_file(sealed_values_path, sealed_values_yaml, ctx)
+    vault_values_path = Path("/tmp/raijin-vault-values.yaml")
+    write_file(vault_values_path, vault_values_yaml, ctx)
     helm_upgrade_install(
-        "sealed-secrets",
-        "sealed-secrets",
-        sealed_ns,
+        "vault",
+        "vault",
+        vault_ns,
         ctx,
-        repo="bitnami-labs",
-        repo_url="https://bitnami-labs.github.io/sealed-secrets",
+        repo="hashicorp",
+        repo_url="https://helm.releases.hashicorp.com",
         create_namespace=True,
-        extra_args=["-f", str(sealed_values_path)],
+        extra_args=["-f", str(vault_values_path)],
     )
     if not ctx.dry_run:
-        _wait_for_sealed_secrets_ready(ctx, sealed_ns)
-    typer.echo(
-        "Para criar sealed-secrets a partir do seu desktop, exporte o certificado publico e use kubeseal."
-    )
-    if typer.confirm("Exportar certificado publico agora?", default=True):
-        _export_sealed_cert(sealed_ns, ctx)
+        _wait_for_pods_ready(ctx, vault_ns, "app.kubernetes.io/name=vault", timeout=180)
+        # Inicializa Vault
+        root_token, unseal_keys = _initialize_vault(ctx, vault_ns, node_ip)
+        # Destrava Vault
+        _unseal_vault(ctx, vault_ns, unseal_keys)
+        # Configura Vault
+        _enable_kv_secrets(ctx, vault_ns, root_token)
+        _configure_kubernetes_auth(ctx, vault_ns, root_token)
-    # external-secrets
+    # ========== External Secrets Operator ==========
     typer.secho("\n== External Secrets Operator ==", fg=typer.colors.CYAN, bold=True)
-    # Prompt opcional de limpeza
     if _check_existing_external_secrets(ctx, eso_ns):
         cleanup = typer.confirm(
             "Instalacao anterior do External Secrets detectada. Limpar antes de reinstalar?",
@@ -282,12 +542,48 @@ resources:
         extra_args=["-f", str(eso_values_path)],
     )
-    typer.secho("\n✓ Secrets management instalado com sucesso.", fg=typer.colors.GREEN, bold=True)
-    typer.echo(
-        "\nExternal Secrets Operator instalado. Configure um SecretStore/ClusterSecretStore conforme seu provedor (AWS/GCP/Vault)."
-    )
+    if not ctx.dry_run:
+        _wait_for_pods_ready(ctx, eso_ns, "app.kubernetes.io/name=external-secrets", timeout=120)
+        # Configura integração Vault + ESO
+        _create_eso_policy_and_role(ctx, vault_ns, root_token, eso_ns)
+        _create_secretstore_example(ctx, vault_ns, eso_ns, node_ip)
+        _create_example_secret(ctx, vault_ns, root_token)
-    typer.secho("\nDicas rapidas:", fg=typer.colors.GREEN)
-    typer.echo(f"- Gere sealed-secrets localmente: kubeseal --controller-namespace {sealed_ns} --controller-name sealed-secrets < secret.yaml > sealed.yaml")
-    typer.echo("- Para ESO: crie um SecretStore apontando para seu backend e um ExternalSecret referenciando os keys.")
+    typer.secho("\n✓ Vault + External Secrets Operator instalado com sucesso!", fg=typer.colors.GREEN, bold=True)
+    typer.secho("\n=== Acesso ao Vault UI ===", fg=typer.colors.CYAN)
+    typer.echo(f"URL: http://{node_ip}:30820")
+    typer.echo(f"Token: {root_token if not ctx.dry_run else '<root-token>'}")
+    typer.secho("\n=== Como usar ===", fg=typer.colors.CYAN)
+    typer.echo("1. Criar segredo no Vault:")
+    typer.echo(f"   kubectl -n {vault_ns} exec vault-0 -- vault kv put secret/myapp username=admin password=secret123")
+    typer.echo("\n2. Criar ExternalSecret:")
+    typer.echo("   kubectl apply -f - <<EOF")
+    typer.echo("   apiVersion: external-secrets.io/v1beta1")
+    typer.echo("   kind: ExternalSecret")
+    typer.echo("   metadata:")
+    typer.echo("     name: myapp-secret")
+    typer.echo("   spec:")
+    typer.echo("     secretStoreRef:")
+    typer.echo("       name: vault-backend")
+    typer.echo("       kind: ClusterSecretStore")
+    typer.echo("     target:")
+    typer.echo("       name: myapp-secret")
+    typer.echo("     data:")
+    typer.echo("     - secretKey: username")
+    typer.echo("       remoteRef:")
+    typer.echo("         key: secret/myapp")
+    typer.echo("         property: username")
+    typer.echo("   EOF")
+    typer.echo("\n3. Secret será sincronizado automaticamente!")
+    typer.echo("   kubectl get secret myapp-secret -o yaml")
+    typer.secho("\n⚠️  IMPORTANTE:", fg=typer.colors.YELLOW, bold=True)
+    typer.echo(f"- Root token e unseal keys salvos em: /etc/vault/keys.json")
+    typer.echo("- Faça backup dessas keys em local seguro!")
+    typer.echo("- Após reboot do Vault, use: kubectl -n vault exec vault-0 -- vault operator unseal")

raijin_server/modules/velero.py CHANGED Viewed

@@ -1,10 +1,46 @@
 """Backup e restore com Velero (production-ready)."""
 import time
+from pathlib import Path
 import typer
 from raijin_server.utils import ExecutionContext, ensure_tool, require_root, run_cmd
+from raijin_server.minio_utils import get_or_create_minio_user
+def _create_velero_credentials_file(ctx: ExecutionContext) -> str:
+    """Cria arquivo de credenciais para Velero com usuário MinIO dedicado.
+    Returns:
+        Caminho para o arquivo de credenciais
+    """
+    typer.echo("\nConfigurando credenciais MinIO para Velero...")
+    # Cria usuário MinIO específico para Velero
+    access_key, secret_key = get_or_create_minio_user(
+        ctx=ctx,
+        app_name="velero",
+        buckets=["velero-backups"],
+        namespace="velero",
+    )
+    # Cria arquivo de credenciais no formato esperado pelo Velero
+    credentials_path = Path("/etc/velero/credentials")
+    credentials_path.parent.mkdir(parents=True, exist_ok=True)
+    credentials_content = f"""[default]
+aws_access_key_id = {access_key}
+aws_secret_access_key = {secret_key}
+"""
+    if not ctx.dry_run:
+        credentials_path.write_text(credentials_content)
+        # Protege o arquivo
+        credentials_path.chmod(0o600)
+        typer.secho(f"  ✓ Credenciais salvas em {credentials_path}", fg=typer.colors.GREEN)
+    return str(credentials_path)
 def _check_existing_velero(ctx: ExecutionContext) -> bool:
@@ -91,8 +127,19 @@ def run(ctx: ExecutionContext) -> None:
     provider = typer.prompt("Provider (aws, azure, gcp)", default="aws")
     bucket = typer.prompt("Bucket para backups", default="velero-backups")
     region = typer.prompt("Region", default="us-east-1")
-    s3_url = typer.prompt("S3 URL (para MinIO usar http://minio.minio.svc:9000)", default="https://s3.amazonaws.com")
-    secret_file = typer.prompt("Arquivo de credenciais (secret-file)", default="/etc/velero/credentials")
+    s3_url = typer.prompt("S3 URL (para MinIO usar http://minio.minio.svc:9000)", default="http://minio.minio.svc:9000")
+    # Cria credenciais automaticamente usando usuário MinIO dedicado
+    use_auto_credentials = typer.confirm(
+        "Criar credenciais MinIO automaticamente (usuário dedicado)?",
+        default=True,
+    )
+    if use_auto_credentials:
+        secret_file = _create_velero_credentials_file(ctx)
+    else:
+        secret_file = typer.prompt("Arquivo de credenciais (secret-file)", default="/etc/velero/credentials")
     use_restic = typer.confirm("Habilitar Restic/Kopia para backups de PV?", default=True)
     schedule = typer.prompt("Schedule cron para backups (ex: '0 2 * * *')", default="0 2 * * *")

raijin_server/validators.py CHANGED Viewed

@@ -34,7 +34,7 @@ MODULE_DEPENDENCIES = {
     "kafka": ["kubernetes"],
     "observability_ingress": ["traefik", "prometheus", "grafana"],
     "observability_dashboards": ["prometheus", "grafana"],
-    "apokolips_demo": ["kubernetes", "traefik"],
 }

{raijin_server-0.3.4.dist-info → raijin_server-0.3.7.dist-info}/METADATA RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: raijin-server
-Version: 0.3.4
+Version: 0.3.7
 Summary: CLI para automacao de setup e hardening de servidores Ubuntu Server.
 Home-page: https://example.com/raijin-server
 Author: Equipe Raijin

raijin-server 0.3.4__py3-none-any.whl → 0.3.7__py3-none-any.whl

Potentially problematic release.

raijin-server 0.3.4py3-none-any.whl → 0.3.7py3-none-any.whl