raijin-server 0.3.4__py3-none-any.whl → 0.3.7__py3-none-any.whl

raijin_server/modules/observability_dashboards.py

@@ -1,233 +0,0 @@
-"""Provisiona dashboards opinativos do Grafana e alertas padrao do Prometheus/Alertmanager."""
-
-from __future__ import annotations
-
-import json
-import textwrap
-from pathlib import Path
-
-import typer
-
-from raijin_server.utils import (
-    ExecutionContext,
-    kubectl_apply,
-    kubectl_create_ns,
-    require_root,
-    write_file,
-)
-
-MANIFEST_PATH = Path("/tmp/raijin-observability-dashboards.yaml")
-
-CLUSTER_DASHBOARD = {
-    "title": "Raijin Cluster Overview",
-    "uid": "raijin-cluster",
-    "timezone": "browser",
-    "schemaVersion": 39,
-    "panels": [
-        {
-            "type": "timeseries",
-            "title": "Node CPU %",
-            "datasource": "Prometheus",
-            "targets": [
-                {
-                    "expr": '100 - (avg by(instance) (irate(node_cpu_seconds_total{mode="idle"}[5m])) * 100)',
-                    "legendFormat": "{{instance}}",
-                }
-            ],
-        },
-        {
-            "type": "timeseries",
-            "title": "Node Memory %",
-            "datasource": "Prometheus",
-            "targets": [
-                {
-                    "expr": '((node_memory_MemTotal_bytes - node_memory_MemAvailable_bytes) / node_memory_MemTotal_bytes) * 100',
-                    "legendFormat": "{{instance}}",
-                }
-            ],
-        },
-        {
-            "type": "stat",
-            "title": "API Server Errors (5m)",
-            "datasource": "Prometheus",
-            "targets": [
-                {
-                    "expr": 'sum(rate(apiserver_request_total{code=~"5.."}[5m]))',
-                }
-            ],
-        },
-    ],
-}
-
-SLO_DASHBOARD = {
-    "title": "Raijin SLO - Workloads",
-    "uid": "raijin-slo",
-    "schemaVersion": 39,
-    "panels": [
-        {
-            "type": "timeseries",
-            "title": "Pod Restarts (1h)",
-            "datasource": "Prometheus",
-            "targets": [
-                {
-                    "expr": 'increase(kube_pod_container_status_restarts_total[1h])',
-                    "legendFormat": "{{namespace}}/{{pod}}",
-                }
-            ],
-        },
-        {
-            "type": "timeseries",
-            "title": "Ingress HTTP 5xx Rate",
-            "datasource": "Prometheus",
-            "targets": [
-                {
-                    "expr": 'sum(rate(traefik_service_requests_total{code=~"5.."}[5m])) by (service)',
-                    "legendFormat": "{{service}}",
-                }
-            ],
-        },
-        {
-            "type": "gauge",
-            "title": "Cluster CPU Pressure",
-            "datasource": "Prometheus",
-            "targets": [
-                {
-                    "expr": 'avg(node_pressure_cpu_waiting_seconds_total)',
-                }
-            ],
-        },
-    ],
-}
-
-
-def _json_block(obj: dict) -> str:
-    return json.dumps(obj, indent=2, separators=(",", ": "))
-
-
-def _alertmanager_block(contact_email: str, webhook_url: str) -> str:
-    receivers = ["receivers:", "  - name: default"]
-    if contact_email:
-        receivers.append("    email_configs:")
-        receivers.append(f"      - to: {contact_email}")
-        receivers.append("        send_resolved: true")
-    if webhook_url:
-        receivers.append("    webhook_configs:")
-        receivers.append(f"      - url: {webhook_url}")
-        receivers.append("        send_resolved: true")
-    receivers_str = "\n".join(receivers) if len(receivers) > 2 else "receivers:\n  - name: default"
-    return textwrap.dedent(
-        f"""
-route:
-  receiver: default
-  group_by: ['alertname']
-  group_wait: 30s
-  group_interval: 5m
-  repeat_interval: 4h
-{receivers_str}
-"""
-    ).strip()
-
-
-def _build_manifest(namespace: str, contact_email: str, webhook_url: str) -> str:
-    cluster_json = textwrap.indent(_json_block(CLUSTER_DASHBOARD), "    ")
-    slo_json = textwrap.indent(_json_block(SLO_DASHBOARD), "    ")
-    alertmanager_yaml = textwrap.indent(_alertmanager_block(contact_email, webhook_url), "    ")
-
-    prometheus_rules = textwrap.dedent(
-        f"""
-        apiVersion: monitoring.coreos.com/v1
-        kind: PrometheusRule
-        metadata:
-          name: raijin-default-alerts
-          namespace: {namespace}
-        spec:
-          groups:
-            - name: raijin-cluster-health
-              rules:
-                - alert: NodeDown
-                  expr: kube_node_status_condition{{condition="Ready",status="true"}} == 0
-                  for: 5m
-                  labels:
-                    severity: critical
-                  annotations:
-                    summary: "Node fora do cluster"
-                    description: "O node {{ $labels.node }} nao reporta Ready ha 5 minutos."
-                - alert: HighNodeCPU
-                  expr: avg(node_load1) by (instance) > count(node_cpu_seconds_total{{mode="system"}}) by (instance)
-                  for: 10m
-                  labels:
-                    severity: warning
-                  annotations:
-                    summary: "CPU elevada em {{ $labels.instance }}"
-                    description: "Load1 superior ao numero de cores ha 10 minutos."
-                - alert: APIServerErrorRate
-                  expr: sum(rate(apiserver_request_total{{code=~"5.."}}[5m])) > 5
-                  for: 5m
-                  labels:
-                    severity: warning
-                  annotations:
-                    summary: "API Server retornando 5xx"
-                    description: "Taxa de erros 5xx do API Server acima de 5 req/s."
-        """
-    ).strip()
-
-    grafana_cm = textwrap.dedent(
-        f"""
-        apiVersion: v1
-        kind: ConfigMap
-        metadata:
-          name: grafana-dashboards-raijin
-          namespace: {namespace}
-          labels:
-            grafana_dashboard: "1"
-        data:
-          cluster-overview.json: |
-{cluster_json}
-          slo-workloads.json: |
-{slo_json}
-        """
-    ).strip()
-
-    alertmanager_cm = textwrap.dedent(
-        f"""
-        apiVersion: v1
-        kind: ConfigMap
-        metadata:
-          name: alertmanager-raijin
-          namespace: {namespace}
-          labels:
-            app.kubernetes.io/name: alertmanager
-        data:
-          alertmanager.yml: |
-{alertmanager_yaml}
-        """
-    ).strip()
-
-    documents = "\n---\n".join([grafana_cm, alertmanager_cm, prometheus_rules])
-    return documents + "\n"
-
-
-def run(ctx: ExecutionContext) -> None:
-    require_root(ctx)
-    typer.echo("Aplicando dashboards e alertas opinativos...")
-
-    namespace = typer.prompt("Namespace de observabilidade", default="observability")
-    contact_email = typer.prompt(
-        "Email para receber alertas (ENTER para ignorar)",
-        default="",
-    )
-    webhook_url = typer.prompt(
-        "Webhook HTTP (Slack/Teams) para Alertmanager (ENTER para ignorar)",
-        default="",
-    )
-
-    kubectl_create_ns(namespace, ctx)
-
-    manifest = _build_manifest(namespace, contact_email, webhook_url)
-    write_file(MANIFEST_PATH, manifest, ctx)
-    kubectl_apply(str(MANIFEST_PATH), ctx)
-
-    typer.secho("Dashboards e alertas aplicados no namespace de observabilidade.", fg=typer.colors.GREEN)
-    typer.echo("Grafana: ConfigMap 'grafana-dashboards-raijin'")
-    typer.echo("Alertmanager: ConfigMap 'alertmanager-raijin'")
-    typer.echo("Prometheus: PrometheusRule 'raijin-default-alerts'")

raijin_server/modules/observability_ingress.py

@@ -1,246 +0,0 @@
-"""Provisiona ingressos seguros para Grafana, Prometheus e Alertmanager."""
-
-from __future__ import annotations
-
-import base64
-import subprocess
-from pathlib import Path
-from typing import Dict, List
-
-import typer
-
-from raijin_server.utils import (
-    ExecutionContext,
-    kubectl_apply,
-    kubectl_create_ns,
-    require_root,
-    write_file,
-)
-
-MANIFEST_PATH = Path("/tmp/raijin-observability-ingress.yaml")
-
-COMPONENTS: List[Dict[str, object]] = [
-    {
-        "key": "grafana",
-        "label": "Grafana",
-        "service": "grafana",
-        "port": 80,
-        "default_host": "grafana.example.com",
-        "default_tls": "grafana-tls",
-        "auth_secret": "grafana-basic-auth",
-        "middleware": "grafana-auth",
-    },
-    {
-        "key": "prometheus",
-        "label": "Prometheus",
-        "service": "kube-prometheus-stack-prometheus",
-        "port": 9090,
-        "default_host": "prometheus.example.com",
-        "default_tls": "prometheus-tls",
-        "auth_secret": "prometheus-basic-auth",
-        "middleware": "prometheus-auth",
-    },
-    {
-        "key": "alertmanager",
-        "label": "Alertmanager",
-        "service": "kube-prometheus-stack-alertmanager",
-        "port": 9093,
-        "default_host": "alerts.example.com",
-        "default_tls": "alertmanager-tls",
-        "auth_secret": "alertmanager-basic-auth",
-        "middleware": "alertmanager-auth",
-    },
-]
-
-
-def _generate_htpasswd(username: str, password: str) -> str:
-  try:
-    result = subprocess.run(
-      ["openssl", "passwd", "-6", password],
-      capture_output=True,
-      text=True,
-      check=True,
-    )
-    hashed = result.stdout.strip()
-  except Exception:
-    import crypt
-
-    hashed = crypt.crypt(password, crypt.mksalt(crypt.METHOD_SHA512))
-  return f"{username}:{hashed}"
-
-
-def _build_manifest(
-    namespace: str,
-    ingress_class: str,
-    services: List[Dict[str, object]],
-    encoded_users: str,
-    issuer_name: str,
-    issuer_kind: str,
-) -> str:
-    documents: List[str] = []
-
-    for svc in services:
-        host = svc["host"]
-        tls_secret = svc["tls_secret"]
-        auth_secret = svc["auth_secret"]
-        middleware = svc["middleware"]
-        service_name = svc["service"]
-        port = svc["port"]
-        name = svc["key"]
-
-        documents.append(
-            f"""apiVersion: v1
-kind: Secret
-metadata:
-  name: {auth_secret}
-  namespace: {namespace}
-type: Opaque
-data:
-  users: {encoded_users}
-"""
-        )
-
-        documents.append(
-            f"""apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: {middleware}
-  namespace: {namespace}
-spec:
-  basicAuth:
-    secret: {auth_secret}
-    removeHeader: true
-"""
-        )
-
-        if issuer_name:
-            documents.append(
-                f"""apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: {name}-ingress-cert
-  namespace: {namespace}
-spec:
-  secretName: {tls_secret}
-  dnsNames:
-    - {host}
-  issuerRef:
-    name: {issuer_name}
-    kind: {issuer_kind}
-"""
-            )
-
-        documents.append(
-            f"""apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: {name}-secure
-  namespace: {namespace}
-  annotations:
-    traefik.ingress.kubernetes.io/router.middlewares: {namespace}-{middleware}@kubernetescrd
-spec:
-  ingressClassName: {ingress_class}
-  rules:
-    - host: {host}
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: {service_name}
-                port:
-                  number: {port}
-  tls:
-    - secretName: {tls_secret}
-      hosts:
-        - {host}
-"""
-        )
-
-    return "---\n".join(documents)
-
-
-def run(ctx: ExecutionContext) -> None:
-    require_root(ctx)
-    
-    typer.secho("⚠️  AVISO DE SEGURANÇA", fg=typer.colors.RED, bold=True)
-    typer.secho(
-        "\nExpor ferramentas de observabilidade publicamente é um RISCO DE SEGURANÇA significativo!",
-        fg=typer.colors.YELLOW,
-    )
-    typer.secho(
-        "Mesmo com TLS e BasicAuth, você estará expondo informações sensíveis do cluster.\n",
-        fg=typer.colors.YELLOW,
-    )
-    typer.secho("✅ RECOMENDAÇÃO FORTE:", fg=typer.colors.GREEN, bold=True)
-    typer.echo("1. Configure VPN: sudo raijin vpn")
-    typer.echo("2. Use port-forward via VPN para acesso seguro")
-    typer.echo("3. Mantenha os dashboards APENAS na rede interna\n")
-    
-    proceed = typer.confirm(
-        "Você REALMENTE quer expor os dashboards publicamente?",
-        default=False
-    )
-    
-    if not proceed:
-        typer.secho("\n✓ Boa decisão! Use VPN para acesso seguro.", fg=typer.colors.GREEN)
-        typer.echo("\nPara acessar via VPN + port-forward:")
-        typer.echo("  kubectl -n observability port-forward svc/grafana 3000:80")
-        typer.echo("  kubectl -n observability port-forward svc/kube-prometheus-stack-prometheus 9090:9090")
-        typer.echo("  kubectl -n observability port-forward svc/kube-prometheus-stack-alertmanager 9093:9093")
-        raise typer.Exit(0)
-    
-    typer.echo("\nProvisionando ingress seguro para observabilidade...")
-
-    namespace = typer.prompt("Namespace dos componentes", default="observability")
-    ingress_class = typer.prompt("IngressClass dedicada", default="traefik")
-    username = typer.prompt("Usuario para basic auth", default="observability")
-    password = typer.prompt(
-        "Senha para basic auth",
-        hide_input=True,
-        confirmation_prompt=True,
-    )
-
-    configured: List[Dict[str, object]] = []
-    for comp in COMPONENTS:
-        host = typer.prompt(f"Host para {comp['label']}", default=comp["default_host"])
-        tls_secret = typer.prompt(
-            f"Secret TLS para {comp['label']}",
-            default=comp["default_tls"],
-        )
-        configured.append({**comp, "host": host, "tls_secret": tls_secret})
-
-    issue_certs = typer.confirm("Gerar Certificates via cert-manager?", default=True)
-    issuer_name = ""
-    issuer_kind = "ClusterIssuer"
-    if issue_certs:
-        issuer_name = typer.prompt("Nome do issuer (cert-manager)", default="letsencrypt-prod")
-        issuer_kind = typer.prompt("Tipo do issuer (Issuer/ClusterIssuer)", default="ClusterIssuer")
-
-    secret_line = _generate_htpasswd(username, password)
-    encoded_users = base64.b64encode(secret_line.encode()).decode()
-
-    kubectl_create_ns(namespace, ctx)
-
-    manifest = _build_manifest(
-        namespace,
-        ingress_class,
-        configured,
-        encoded_users,
-        issuer_name,
-        issuer_kind,
-    )
-
-    write_file(MANIFEST_PATH, manifest, ctx)
-    kubectl_apply(str(MANIFEST_PATH), ctx)
-
-    typer.secho("Ingress seguro aplicado com sucesso.", fg=typer.colors.GREEN)
-    typer.echo("Hosts publicados:")
-    for svc in configured:
-        typer.echo(f"  - {svc['label']}: https://{svc['host']}")
-    if not issuer_name:
-        typer.secho(
-            "Certificados nao foram criados automaticamente. Certifique-se de que os secrets TLS existem.",
-            fg=typer.colors.YELLOW,
-        )