raijin-server 0.3.7__py3-none-any.whl → 0.3.8__py3-none-any.whl

raijin_server/__init__.py

@@ -1,5 +1,5 @@
 """Pacote principal do CLI Raijin Server."""
 
-__version__ = "0.3.7"
+__version__ = "0.3.8"
 
 __all__ = ["__version__"]

raijin_server/modules/secrets.py

@@ -138,12 +138,17 @@ def _get_minio_credentials(ctx: ExecutionContext) -> tuple[str, str]:
     )
 
 
-def _initialize_vault(ctx: ExecutionContext, vault_ns: str, node_ip: str) -> tuple[str, list[str]]:
-    """Inicializa o Vault e retorna root token e unseal keys."""
-    typer.echo("\n Inicializando Vault...")
+def _initialize_vault(ctx: ExecutionContext, vault_ns: str, node_ip: str) -> tuple[str, str]:
+    """Inicializa o Vault com 1 key/1 threshold e retorna root token e unseal key."""
+    typer.echo("\nInicializando Vault...")
     
+    # Usa 1 key com threshold 1 para simplificar (produção pode usar 5/3)
     result = run_cmd(
-        ["kubectl", "-n", vault_ns, "exec", "vault-0", "--", "vault", "operator", "init", "-format=json"],
+        [
+            "kubectl", "-n", vault_ns, "exec", "vault-0", "--", 
+            "vault", "operator", "init", 
+            "-key-shares=1", "-key-threshold=1", "-format=json"
+        ],
         ctx,
         check=False,
     )
@@ -155,28 +160,60 @@ def _initialize_vault(ctx: ExecutionContext, vault_ns: str, node_ip: str) -> tup
     import json
     init_data = json.loads(result.stdout)
     root_token = init_data["root_token"]
-    unseal_keys = init_data["unseal_keys_b64"]
+    unseal_key = init_data["unseal_keys_b64"][0]
     
     # Salva keys localmente
     vault_keys_path = Path("/etc/vault/keys.json")
     vault_keys_path.parent.mkdir(parents=True, exist_ok=True)
     vault_keys_path.write_text(json.dumps(init_data, indent=2))
     typer.secho(f"\n✓ Vault keys salvas em {vault_keys_path}", fg=typer.colors.GREEN)
+    
+    # Salva credenciais em secret K8s para uso do ESO
+    _save_vault_credentials_to_k8s(ctx, vault_ns, root_token, unseal_key)
+    
     typer.secho("⚠️  IMPORTANTE: Guarde essas keys em local seguro!", fg=typer.colors.YELLOW, bold=True)
     
-    return root_token, unseal_keys
+    return root_token, unseal_key
 
 
-def _unseal_vault(ctx: ExecutionContext, vault_ns: str, unseal_keys: list[str]) -> None:
-    """Destrava o Vault usando as unseal keys."""
+def _save_vault_credentials_to_k8s(ctx: ExecutionContext, vault_ns: str, root_token: str, unseal_key: str) -> None:
+    """Salva credenciais do Vault em secret K8s."""
+    typer.echo("Salvando credenciais do Vault em secret K8s...")
+    
+    # Codifica em base64
+    token_b64 = base64.b64encode(root_token.encode()).decode()
+    key_b64 = base64.b64encode(unseal_key.encode()).decode()
+    
+    secret_yaml = f"""apiVersion: v1
+kind: Secret
+metadata:
+  name: vault-init-credentials
+  namespace: {vault_ns}
+type: Opaque
+data:
+  root-token: {token_b64}
+  unseal-key: {key_b64}
+"""
+    
+    secret_path = Path("/tmp/raijin-vault-credentials.yaml")
+    write_file(secret_path, secret_yaml, ctx)
+    
+    run_cmd(
+        ["kubectl", "apply", "-f", str(secret_path)],
+        ctx,
+    )
+    
+    typer.secho("✓ Credenciais salvas em secret vault-init-credentials.", fg=typer.colors.GREEN)
+
+
+def _unseal_vault(ctx: ExecutionContext, vault_ns: str, unseal_key: str) -> None:
+    """Destrava o Vault usando a unseal key."""
     typer.echo("\nDesbloqueando Vault...")
     
-    # Precisa de 3 keys das 5 geradas (threshold padrão)
-    for i in range(3):
-        run_cmd(
-            ["kubectl", "-n", vault_ns, "exec", "vault-0", "--", "vault", "operator", "unseal", unseal_keys[i]],
-            ctx,
-        )
+    run_cmd(
+        ["kubectl", "-n", vault_ns, "exec", "vault-0", "--", "vault", "operator", "unseal", unseal_key],
+        ctx,
+    )
     
     typer.secho("✓ Vault desbloqueado.", fg=typer.colors.GREEN)
 
@@ -262,23 +299,21 @@ def _create_secretstore_example(ctx: ExecutionContext, vault_ns: str, eso_ns: st
     """Cria exemplo de ClusterSecretStore e ExternalSecret."""
     typer.echo("\nCriando exemplo de ClusterSecretStore...")
     
-    secretstore_yaml = f"""apiVersion: external-secrets.io/v1beta1
+    secretstore_yaml = f"""apiVersion: external-secrets.io/v1
 kind: ClusterSecretStore
 metadata:
   name: vault-backend
 spec:
   provider:
     vault:
-      server: "http://vault.{vault_ns}.svc.cluster.local:8200"
+      server: "http://vault.{vault_ns}.svc:8200"
       path: "secret"
       version: "v2"
       auth:
-        kubernetes:
-          mountPath: "kubernetes"
-          role: "eso-role"
-          serviceAccountRef:
-            name: "external-secrets"
-            namespace: "{eso_ns}"
+        tokenSecretRef:
+          namespace: "{vault_ns}"
+          name: "vault-init-credentials"
+          key: "root-token"
 """
     
     secretstore_path = Path("/tmp/raijin-vault-secretstore.yaml")
@@ -310,7 +345,7 @@ def _create_example_secret(ctx: ExecutionContext, vault_ns: str, root_token: str
     typer.secho("✓ Secret 'secret/example' criado no Vault.", fg=typer.colors.GREEN)
     
     # Cria ExternalSecret de exemplo
-    external_secret_yaml = """apiVersion: external-secrets.io/v1beta1
+    external_secret_yaml = """apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: example-secret
@@ -379,7 +414,7 @@ def run(ctx: ExecutionContext) -> None:
     )
     node_ip = result.stdout.strip() if result.returncode == 0 else "192.168.1.81"
     
-    minio_host = typer.prompt("MinIO host", default=f"{node_ip}:30900")
+    minio_host = typer.prompt("MinIO host (interno)", default="minio.minio.svc:9000")
     access_key, secret_key = _get_minio_credentials(ctx)
 
     # ========== HashiCorp Vault ==========
@@ -469,15 +504,14 @@ injector:
     if not ctx.dry_run:
         _wait_for_pods_ready(ctx, vault_ns, "app.kubernetes.io/name=vault", timeout=180)
         
-        # Inicializa Vault
-        root_token, unseal_keys = _initialize_vault(ctx, vault_ns, node_ip)
+        # Inicializa Vault (retorna root_token e unseal_key)
+        root_token, unseal_key = _initialize_vault(ctx, vault_ns, node_ip)
         
         # Destrava Vault
-        _unseal_vault(ctx, vault_ns, unseal_keys)
+        _unseal_vault(ctx, vault_ns, unseal_key)
         
         # Configura Vault
         _enable_kv_secrets(ctx, vault_ns, root_token)
-        _configure_kubernetes_auth(ctx, vault_ns, root_token)
 
     # ========== External Secrets Operator ==========
     typer.secho("\n== External Secrets Operator ==", fg=typer.colors.CYAN, bold=True)
@@ -545,8 +579,7 @@ resources:
     if not ctx.dry_run:
         _wait_for_pods_ready(ctx, eso_ns, "app.kubernetes.io/name=external-secrets", timeout=120)
         
-        # Configura integração Vault + ESO
-        _create_eso_policy_and_role(ctx, vault_ns, root_token, eso_ns)
+        # Cria ClusterSecretStore (usa tokenSecretRef, não precisa de Kubernetes auth)
         _create_secretstore_example(ctx, vault_ns, eso_ns, node_ip)
         _create_example_secret(ctx, vault_ns, root_token)
 
@@ -562,7 +595,7 @@ resources:
     
     typer.echo("\n2. Criar ExternalSecret:")
     typer.echo("   kubectl apply -f - <<EOF")
-    typer.echo("   apiVersion: external-secrets.io/v1beta1")
+    typer.echo("   apiVersion: external-secrets.io/v1")
     typer.echo("   kind: ExternalSecret")
     typer.echo("   metadata:")
     typer.echo("     name: myapp-secret")
@@ -582,8 +615,14 @@ resources:
     typer.echo("\n3. Secret será sincronizado automaticamente!")
     typer.echo("   kubectl get secret myapp-secret -o yaml")
     
+    typer.secho("\n=== Recuperar Credenciais ===", fg=typer.colors.CYAN)
+    typer.echo("Via arquivo local:")
+    typer.echo("  cat /etc/vault/keys.json")
+    typer.echo("\nVia Kubernetes Secret:")
+    typer.echo(f"  kubectl -n {vault_ns} get secret vault-init-credentials -o jsonpath='{{.data.root-token}}' | base64 -d")
+    typer.echo(f"  kubectl -n {vault_ns} get secret vault-init-credentials -o jsonpath='{{.data.unseal-key}}' | base64 -d")
+    
     typer.secho("\n⚠️  IMPORTANTE:", fg=typer.colors.YELLOW, bold=True)
-    typer.echo(f"- Root token e unseal keys salvos em: /etc/vault/keys.json")
-    typer.echo("- Faça backup dessas keys em local seguro!")
-    typer.echo("- Após reboot do Vault, use: kubectl -n vault exec vault-0 -- vault operator unseal")
+    typer.echo("- Faça backup das credenciais em local seguro!")
+    typer.echo(f"- Após reboot do Vault, use: kubectl -n {vault_ns} exec vault-0 -- vault operator unseal <unseal-key>")
 

{raijin_server-0.3.7.dist-info → raijin_server-0.3.8.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: raijin-server
-Version: 0.3.7
+Version: 0.3.8
 Summary: CLI para automacao de setup e hardening de servidores Ubuntu Server.
 Home-page: https://example.com/raijin-server
 Author: Equipe Raijin

{raijin_server-0.3.7.dist-info → raijin_server-0.3.8.dist-info}/RECORD

@@ -1,4 +1,4 @@
-raijin_server/__init__.py,sha256=kD4ksBx35-1QYm5EkRuSYWXJAwwJx_-sM9cp92bOhh4,94
+raijin_server/__init__.py,sha256=IWpKGUd_KknUfa2XJ_Xu7M_xVWCdNyixW7AMO96xWkY,94
 raijin_server/cli.py,sha256=WvZaPJ5AVjhzzs_jLLe2QGvVEH_VphRwnUkTMEgycbI,37320
 raijin_server/config.py,sha256=QNiEVvrbW56XgvNn5-h3bkJm46Xc8mjNqPbvixXD8N0,4829
 raijin_server/healthchecks.py,sha256=UHSRyeKTsCGeL_4dxDSGZ1t8164Q7wYTi1c3ZiU0cro,13536
@@ -28,7 +28,7 @@ raijin_server/modules/minio.py,sha256=ZoxugJvvuGLzViDfEzrVCRZUevoiFwcEy0PNyn0My4
 raijin_server/modules/network.py,sha256=QRlYdcryCCPAWG3QQ_W7ld9gJgETI7H8gwntOU7UqFE,4818
 raijin_server/modules/prometheus.py,sha256=lyhaqLIfMl0GtQ2b2Hre7_A47HrHBB5gspmnWtwXZ4Y,21880
 raijin_server/modules/sanitize.py,sha256=_RnWn1DUuNrzx3NnKEbMvf5iicgjiN_ubwT59e0rYWY,6040
-raijin_server/modules/secrets.py,sha256=HOFk57LFyzW4XJ3c8uEEPRd5Dj_OYDI1NBVLzJMp0vY,18562
+raijin_server/modules/secrets.py,sha256=3QzvFd4qH1hyOtbu3Cxyu4JUaYgWssxI-oZ4gS3HIP4,19924
 raijin_server/modules/ssh_hardening.py,sha256=Zd0dlylUBr01SkrI1CS05-0DB9xIto5rWH1bUVs80ow,5422
 raijin_server/modules/traefik.py,sha256=omziywss4o-8t64Kj-upLqbXdFYm2JwqOoOukDUmqxY,5008
 raijin_server/modules/velero.py,sha256=nH7WI145OOK-DZo_ZjNegEnwkppi8h98DeQaB5A_kVg,7161
@@ -39,9 +39,9 @@ raijin_server/scripts/checklist.sh,sha256=j6E0Kmk1EfjLvKK1VpCqzXJAXI_7Bm67LK4ndy
 raijin_server/scripts/install.sh,sha256=Y1ickbQ4siQ0NIPs6UgrqUr8WWy7U0LHmaTQbEgavoI,3949
 raijin_server/scripts/log_size_metric.sh,sha256=Iv4SsX8AuCYRou-klYn32mX41xB6j0xJGLBO6riw4rU,1208
 raijin_server/scripts/pre-deploy-check.sh,sha256=XqMo7IMIpwUHF17YEmU0-cVmTDMoCGMBFnmS39FidI4,4912
-raijin_server-0.3.7.dist-info/licenses/LICENSE,sha256=kJsMCjOiRZE0AQNtxWqBa32z9kMAaF4EUxyHj3hKaJo,1105
-raijin_server-0.3.7.dist-info/METADATA,sha256=KGvWKBpPSa4-6oSXFHJ0rykLQ-_VFftLobt0mFm-Co0,8829
-raijin_server-0.3.7.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
-raijin_server-0.3.7.dist-info/entry_points.txt,sha256=3ZvxDX4pvcjkIRsXAJ69wIfVmKa78LKo-C3QhqN2KVM,56
-raijin_server-0.3.7.dist-info/top_level.txt,sha256=Yz1xneCRtsZOzbPIcTAcrSxd-1p80pohMXYAZ74dpok,14
-raijin_server-0.3.7.dist-info/RECORD,,
+raijin_server-0.3.8.dist-info/licenses/LICENSE,sha256=kJsMCjOiRZE0AQNtxWqBa32z9kMAaF4EUxyHj3hKaJo,1105
+raijin_server-0.3.8.dist-info/METADATA,sha256=5QdtvUtfp7Qq_OaevRKA2WoU7i6NViAOG58h3wI5vmw,8829
+raijin_server-0.3.8.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+raijin_server-0.3.8.dist-info/entry_points.txt,sha256=3ZvxDX4pvcjkIRsXAJ69wIfVmKa78LKo-C3QhqN2KVM,56
+raijin_server-0.3.8.dist-info/top_level.txt,sha256=Yz1xneCRtsZOzbPIcTAcrSxd-1p80pohMXYAZ74dpok,14
+raijin_server-0.3.8.dist-info/RECORD,,