raijin-server 0.3.7__tar.gz → 0.3.9__tar.gz

{raijin_server-0.3.7/src/raijin_server.egg-info → raijin_server-0.3.9}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: raijin-server
-Version: 0.3.7
+Version: 0.3.9
 Summary: CLI para automacao de setup e hardening de servidores Ubuntu Server.
 Home-page: https://example.com/raijin-server
 Author: Equipe Raijin

{raijin_server-0.3.7 → raijin_server-0.3.9}/setup.cfg

@@ -1,6 +1,6 @@
 [metadata]
 name = raijin-server
-version = 0.3.7
+version = 0.3.9
 description = CLI para automacao de setup e hardening de servidores Ubuntu Server.
 long_description = file: README.md
 long_description_content_type = text/markdown

{raijin_server-0.3.7 → raijin_server-0.3.9}/src/raijin_server/__init__.py

@@ -1,5 +1,5 @@
 """Pacote principal do CLI Raijin Server."""
 
-__version__ = "0.3.7"
+__version__ = "0.3.9"
 
 __all__ = ["__version__"]

{raijin_server-0.3.7 → raijin_server-0.3.9}/src/raijin_server/cli.py

@@ -47,7 +47,7 @@ from raijin_server.modules import (
 )
 from raijin_server.utils import ExecutionContext, logger, active_log_file, available_log_files, page_text, ensure_tool
 from raijin_server.validators import validate_system_requirements, check_module_dependencies, MODULE_DEPENDENCIES
-from raijin_server.healthchecks import run_health_check
+from raijin_server.healthchecks import run_health_check, validate_module_status, get_all_module_statuses
 from raijin_server.config import ConfigManager
 from raijin_server import module_manager
 
@@ -212,7 +212,7 @@ def _run_module(ctx: typer.Context, name: str, skip_validation: bool = False) ->
 
 def _print_banner() -> None:
     console.print(Panel.fit(BANNER, style="bold blue"))
-    console.print("[bright_white]Automacao de setup e hardening para Ubuntu Server[/bright_white]\n")
+    console.print(f"[bright_white]Automacao de setup e hardening para Ubuntu Server[/bright_white]  [dim]v{__version__}[/dim]\n")
 
 
 def _select_state_dir() -> Path:
@@ -337,7 +337,7 @@ def _rollback_module(
     typer.secho(f"Rollback finalizado (best-effort) para {name}\n", fg=typer.colors.GREEN)
 
 
-def _render_menu(dry_run: bool) -> int:
+def _render_menu(dry_run: bool, live_status: bool = True) -> int:
     table = Table(
         title="Selecione um modulo para executar",
         header_style="bold white",
@@ -348,9 +348,29 @@ def _render_menu(dry_run: bool) -> int:
     table.add_column("Status", style="green", no_wrap=True)
     table.add_column("Modulo", style="bold green")
     table.add_column("Descricao", style="white")
+    
+    # Obtém status em tempo real se solicitado
+    if live_status:
+        console.print("[dim]Validando status dos módulos...[/dim]")
+        statuses = get_all_module_statuses()
+    else:
+        statuses = {}
+    
     for idx, name in enumerate(MODULES.keys(), start=1):
         desc = MODULE_DESCRIPTIONS.get(name, "")
-        status = "[green]✔[/green]" if _is_completed(name) else "[dim]-[/dim]"
+        
+        if live_status:
+            status_val = statuses.get(name, "not_installed")
+            if status_val == "ok":
+                status = "[green]✔[/green]"
+            elif status_val == "error":
+                status = "[red]✗[/red]"
+            else:
+                status = "[dim]-[/dim]"
+        else:
+            # Fallback para arquivo .done
+            status = "[green]✔[/green]" if _is_completed(name) else "[dim]-[/dim]"
+        
         table.add_row(f"{idx}", status, name, desc)
 
     exit_idx = len(MODULES) + 1

{raijin_server-0.3.7 → raijin_server-0.3.9}/src/raijin_server/healthchecks.py

@@ -375,10 +375,372 @@ HEALTH_CHECKS = {
     "kafka": lambda ctx: verify_helm_chart("kafka", "kafka", ctx),
     "cert_manager": verify_cert_manager,
     "secrets": verify_secrets,
-
 }
 
 
+# =============================================================================
+# STATUS VALIDATION - Validação em tempo real para o menu interativo
+# =============================================================================
+
+def _quick_cmd(cmd: list[str], timeout: int = 5) -> tuple[bool, str]:
+    """Executa comando rápido e retorna (sucesso, output)."""
+    try:
+        result = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
+        return result.returncode == 0, result.stdout.strip()
+    except Exception as e:
+        return False, str(e)
+
+
+def _check_namespace_exists(ns: str) -> bool:
+    """Verifica se namespace existe."""
+    ok, _ = _quick_cmd(["kubectl", "get", "ns", ns])
+    return ok
+
+
+def _check_pods_running(ns: str) -> tuple[bool, bool]:
+    """Retorna (existe, todos_running)."""
+    if not _check_namespace_exists(ns):
+        return False, False
+    ok, out = _quick_cmd(["kubectl", "get", "pods", "-n", ns, "-o", "jsonpath={.items[*].status.phase}"])
+    if not ok or not out:
+        return True, False  # ns existe mas sem pods ou erro
+    phases = out.split()
+    all_ok = all(p in ("Running", "Succeeded") for p in phases)
+    return True, all_ok
+
+
+def _check_helm_deployed(release: str, ns: str) -> tuple[bool, bool]:
+    """Retorna (existe, deployed)."""
+    ok, out = _quick_cmd(["helm", "status", release, "-n", ns, "--output", "json"], timeout=10)
+    if not ok:
+        return False, False
+    try:
+        import json
+        data = json.loads(out)
+        status = data.get("info", {}).get("status", "")
+        return True, status == "deployed"
+    except Exception:
+        return False, False
+
+
+def _check_systemd_active(service: str) -> bool:
+    """Verifica se serviço systemd está ativo."""
+    ok, out = _quick_cmd(["systemctl", "is-active", service])
+    return ok and out == "active"
+
+
+def _check_crd_exists(crd: str) -> bool:
+    """Verifica se CRD existe."""
+    ok, _ = _quick_cmd(["kubectl", "get", "crd", crd])
+    return ok
+
+
+def _check_cluster_secret_store() -> tuple[bool, bool]:
+    """Verifica ClusterSecretStore. Retorna (existe, ready)."""
+    ok, out = _quick_cmd(["kubectl", "get", "clustersecretstore", "-o", "jsonpath={.items[*].status.conditions[?(@.type=='Ready')].status}"])
+    if not ok:
+        return False, False
+    return True, "True" in out
+
+
+# Status: "ok" = ✓, "error" = ✗, "not_installed" = -
+ModuleStatus = str  # "ok" | "error" | "not_installed"
+
+
+def validate_module_status(module: str) -> ModuleStatus:
+    """Valida status de um módulo em tempo real."""
+    validators = {
+        "sanitize": _validate_sanitize,
+        "bootstrap": _validate_bootstrap,
+        "ssh_hardening": _validate_ssh_hardening,
+        "hardening": _validate_hardening,
+        "network": _validate_network,
+        "essentials": _validate_essentials,
+        "firewall": _validate_firewall,
+        "vpn": _validate_vpn,
+        "vpn_client": _validate_vpn_client,
+        "internal_dns": _validate_internal_dns,
+        "kubernetes": _validate_kubernetes,
+        "calico": _validate_calico,
+        "metallb": _validate_metallb,
+        "traefik": _validate_traefik,
+        "cert_manager": _validate_cert_manager,
+        "istio": _validate_istio,
+        "kong": _validate_kong,
+        "minio": _validate_minio,
+        "prometheus": _validate_prometheus,
+        "grafana": _validate_grafana,
+        "secrets": _validate_secrets,
+        "loki": _validate_loki,
+        "harbor": _validate_harbor,
+        "harness": _validate_harness,
+        "velero": _validate_velero,
+        "kafka": _validate_kafka,
+        "full_install": _validate_full_install,
+    }
+    
+    validator = validators.get(module)
+    if validator:
+        try:
+            return validator()
+        except Exception:
+            return "error"
+    return "not_installed"
+
+
+def _validate_sanitize() -> ModuleStatus:
+    # Sanitize é idempotente, consideramos OK se bootstrap/k8s estiver funcionando
+    return "ok"
+
+
+def _validate_bootstrap() -> ModuleStatus:
+    # Verifica se ferramentas estão instaladas
+    tools = ["helm", "kubectl", "containerd"]
+    for tool in tools:
+        ok, _ = _quick_cmd(["which", tool])
+        if not ok:
+            return "not_installed"
+    return "ok"
+
+
+def _validate_ssh_hardening() -> ModuleStatus:
+    # Verifica se SSH está rodando
+    if _check_systemd_active("ssh") or _check_systemd_active("sshd"):
+        return "ok"
+    return "not_installed"
+
+
+def _validate_hardening() -> ModuleStatus:
+    if _check_systemd_active("fail2ban"):
+        return "ok"
+    return "not_installed"
+
+
+def _validate_network() -> ModuleStatus:
+    # Verifica se hostname está configurado
+    ok, hostname = _quick_cmd(["hostname"])
+    if ok and hostname:
+        return "ok"
+    return "not_installed"
+
+
+def _validate_essentials() -> ModuleStatus:
+    # Verifica NTP
+    ok, out = _quick_cmd(["timedatectl", "show", "-p", "NTP", "--value"])
+    if ok and out == "yes":
+        return "ok"
+    return "not_installed"
+
+
+def _validate_firewall() -> ModuleStatus:
+    if _check_systemd_active("ufw"):
+        return "ok"
+    return "not_installed"
+
+
+def _validate_vpn() -> ModuleStatus:
+    if _check_systemd_active("wg-quick@wg0"):
+        return "ok"
+    return "not_installed"
+
+
+def _validate_vpn_client() -> ModuleStatus:
+    # VPN client é gerenciado pelo VPN module
+    if _check_systemd_active("wg-quick@wg0"):
+        return "ok"
+    return "not_installed"
+
+
+def _validate_internal_dns() -> ModuleStatus:
+    # Verifica se CoreDNS custom config existe
+    ok, _ = _quick_cmd(["kubectl", "get", "configmap", "coredns-custom", "-n", "kube-system"])
+    if ok:
+        return "ok"
+    return "not_installed"
+
+
+def _validate_kubernetes() -> ModuleStatus:
+    if not _check_systemd_active("kubelet"):
+        return "not_installed"
+    if not _check_systemd_active("containerd"):
+        return "error"
+    # Verifica se node está ready
+    ok, out = _quick_cmd(["kubectl", "get", "nodes", "-o", "jsonpath={.items[0].status.conditions[?(@.type=='Ready')].status}"])
+    if ok and "True" in out:
+        return "ok"
+    return "error"
+
+
+def _validate_calico() -> ModuleStatus:
+    exists, running = _check_pods_running("kube-system")
+    if not exists:
+        return "not_installed"
+    # Verifica se calico-node está rodando
+    ok, out = _quick_cmd(["kubectl", "get", "pods", "-n", "kube-system", "-l", "k8s-app=calico-node", "-o", "jsonpath={.items[*].status.phase}"])
+    if ok and out and "Running" in out:
+        return "ok"
+    return "not_installed"
+
+
+def _validate_metallb() -> ModuleStatus:
+    exists, running = _check_pods_running("metallb-system")
+    if not exists:
+        return "not_installed"
+    if running:
+        return "ok"
+    return "error"
+
+
+def _validate_traefik() -> ModuleStatus:
+    exists, deployed = _check_helm_deployed("traefik", "traefik")
+    if not exists:
+        return "not_installed"
+    _, running = _check_pods_running("traefik")
+    if deployed and running:
+        return "ok"
+    return "error"
+
+
+def _validate_cert_manager() -> ModuleStatus:
+    exists, deployed = _check_helm_deployed("cert-manager", "cert-manager")
+    if not exists:
+        return "not_installed"
+    _, running = _check_pods_running("cert-manager")
+    if deployed and running:
+        return "ok"
+    return "error"
+
+
+def _validate_istio() -> ModuleStatus:
+    exists, running = _check_pods_running("istio-system")
+    if not exists:
+        return "not_installed"
+    if running:
+        return "ok"
+    return "error"
+
+
+def _validate_kong() -> ModuleStatus:
+    exists, deployed = _check_helm_deployed("kong", "kong")
+    if not exists:
+        return "not_installed"
+    _, running = _check_pods_running("kong")
+    if deployed and running:
+        return "ok"
+    return "error"
+
+
+def _validate_minio() -> ModuleStatus:
+    exists, deployed = _check_helm_deployed("minio", "minio")
+    if not exists:
+        return "not_installed"
+    _, running = _check_pods_running("minio")
+    if deployed and running:
+        return "ok"
+    return "error"
+
+
+def _validate_prometheus() -> ModuleStatus:
+    exists, deployed = _check_helm_deployed("kube-prometheus-stack", "observability")
+    if not exists:
+        return "not_installed"
+    ok, out = _quick_cmd(["kubectl", "get", "pods", "-n", "observability", "-l", "app.kubernetes.io/name=prometheus", "-o", "jsonpath={.items[*].status.phase}"])
+    if ok and out and "Running" in out:
+        return "ok"
+    if exists:
+        return "error"
+    return "not_installed"
+
+
+def _validate_grafana() -> ModuleStatus:
+    ok, out = _quick_cmd(["kubectl", "get", "pods", "-n", "observability", "-l", "app.kubernetes.io/name=grafana", "-o", "jsonpath={.items[*].status.phase}"])
+    if ok and out and "Running" in out:
+        return "ok"
+    return "not_installed"
+
+
+def _validate_secrets() -> ModuleStatus:
+    # Verifica Vault
+    exists_vault, running_vault = _check_pods_running("vault")
+    # Verifica External Secrets
+    exists_eso, running_eso = _check_pods_running("external-secrets")
+    # Verifica ClusterSecretStore
+    css_exists, css_ready = _check_cluster_secret_store()
+    
+    if not exists_vault and not exists_eso:
+        return "not_installed"
+    
+    if exists_vault and exists_eso and css_exists:
+        if running_vault and running_eso and css_ready:
+            return "ok"
+        return "error"
+    
+    return "not_installed"
+
+
+def _validate_loki() -> ModuleStatus:
+    exists, deployed = _check_helm_deployed("loki", "observability")
+    if not exists:
+        return "not_installed"
+    ok, out = _quick_cmd(["kubectl", "get", "pods", "-n", "observability", "-l", "app.kubernetes.io/name=loki", "-o", "jsonpath={.items[*].status.phase}"])
+    if ok and out and "Running" in out:
+        return "ok"
+    return "error"
+
+
+def _validate_harbor() -> ModuleStatus:
+    exists, deployed = _check_helm_deployed("harbor", "harbor")
+    if not exists:
+        return "not_installed"
+    _, running = _check_pods_running("harbor")
+    if deployed and running:
+        return "ok"
+    return "error"
+
+
+def _validate_harness() -> ModuleStatus:
+    exists, running = _check_pods_running("harness")
+    if not exists:
+        return "not_installed"
+    if running:
+        return "ok"
+    return "error"
+
+
+def _validate_velero() -> ModuleStatus:
+    exists, deployed = _check_helm_deployed("velero", "velero")
+    if not exists:
+        return "not_installed"
+    _, running = _check_pods_running("velero")
+    if deployed and running:
+        return "ok"
+    return "error"
+
+
+def _validate_kafka() -> ModuleStatus:
+    exists, deployed = _check_helm_deployed("kafka", "kafka")
+    if not exists:
+        return "not_installed"
+    _, running = _check_pods_running("kafka")
+    if deployed and running:
+        return "ok"
+    return "error"
+
+
+def _validate_full_install() -> ModuleStatus:
+    # Full install é um meta-módulo
+    return "ok"
+
+
+def get_all_module_statuses() -> dict[str, ModuleStatus]:
+    """Retorna o status de todos os módulos."""
+    from raijin_server.cli import MODULES
+    statuses = {}
+    for module in MODULES.keys():
+        statuses[module] = validate_module_status(module)
+    return statuses
+
+
 def run_health_check(module: str, ctx: ExecutionContext) -> bool:
     """Executa health check para um modulo especifico."""
     if module not in HEALTH_CHECKS:

{raijin_server-0.3.7 → raijin_server-0.3.9}/src/raijin_server/modules/secrets.py

@@ -138,12 +138,17 @@ def _get_minio_credentials(ctx: ExecutionContext) -> tuple[str, str]:
     )
 
 
-def _initialize_vault(ctx: ExecutionContext, vault_ns: str, node_ip: str) -> tuple[str, list[str]]:
-    """Inicializa o Vault e retorna root token e unseal keys."""
-    typer.echo("\n Inicializando Vault...")
+def _initialize_vault(ctx: ExecutionContext, vault_ns: str, node_ip: str) -> tuple[str, str]:
+    """Inicializa o Vault com 1 key/1 threshold e retorna root token e unseal key."""
+    typer.echo("\nInicializando Vault...")
     
+    # Usa 1 key com threshold 1 para simplificar (produção pode usar 5/3)
     result = run_cmd(
-        ["kubectl", "-n", vault_ns, "exec", "vault-0", "--", "vault", "operator", "init", "-format=json"],
+        [
+            "kubectl", "-n", vault_ns, "exec", "vault-0", "--", 
+            "vault", "operator", "init", 
+            "-key-shares=1", "-key-threshold=1", "-format=json"
+        ],
         ctx,
         check=False,
     )
@@ -155,28 +160,60 @@ def _initialize_vault(ctx: ExecutionContext, vault_ns: str, node_ip: str) -> tup
     import json
     init_data = json.loads(result.stdout)
     root_token = init_data["root_token"]
-    unseal_keys = init_data["unseal_keys_b64"]
+    unseal_key = init_data["unseal_keys_b64"][0]
     
     # Salva keys localmente
     vault_keys_path = Path("/etc/vault/keys.json")
     vault_keys_path.parent.mkdir(parents=True, exist_ok=True)
     vault_keys_path.write_text(json.dumps(init_data, indent=2))
     typer.secho(f"\n✓ Vault keys salvas em {vault_keys_path}", fg=typer.colors.GREEN)
+    
+    # Salva credenciais em secret K8s para uso do ESO
+    _save_vault_credentials_to_k8s(ctx, vault_ns, root_token, unseal_key)
+    
     typer.secho("⚠️  IMPORTANTE: Guarde essas keys em local seguro!", fg=typer.colors.YELLOW, bold=True)
     
-    return root_token, unseal_keys
+    return root_token, unseal_key
 
 
-def _unseal_vault(ctx: ExecutionContext, vault_ns: str, unseal_keys: list[str]) -> None:
-    """Destrava o Vault usando as unseal keys."""
+def _save_vault_credentials_to_k8s(ctx: ExecutionContext, vault_ns: str, root_token: str, unseal_key: str) -> None:
+    """Salva credenciais do Vault em secret K8s."""
+    typer.echo("Salvando credenciais do Vault em secret K8s...")
+    
+    # Codifica em base64
+    token_b64 = base64.b64encode(root_token.encode()).decode()
+    key_b64 = base64.b64encode(unseal_key.encode()).decode()
+    
+    secret_yaml = f"""apiVersion: v1
+kind: Secret
+metadata:
+  name: vault-init-credentials
+  namespace: {vault_ns}
+type: Opaque
+data:
+  root-token: {token_b64}
+  unseal-key: {key_b64}
+"""
+    
+    secret_path = Path("/tmp/raijin-vault-credentials.yaml")
+    write_file(secret_path, secret_yaml, ctx)
+    
+    run_cmd(
+        ["kubectl", "apply", "-f", str(secret_path)],
+        ctx,
+    )
+    
+    typer.secho("✓ Credenciais salvas em secret vault-init-credentials.", fg=typer.colors.GREEN)
+
+
+def _unseal_vault(ctx: ExecutionContext, vault_ns: str, unseal_key: str) -> None:
+    """Destrava o Vault usando a unseal key."""
     typer.echo("\nDesbloqueando Vault...")
     
-    # Precisa de 3 keys das 5 geradas (threshold padrão)
-    for i in range(3):
-        run_cmd(
-            ["kubectl", "-n", vault_ns, "exec", "vault-0", "--", "vault", "operator", "unseal", unseal_keys[i]],
-            ctx,
-        )
+    run_cmd(
+        ["kubectl", "-n", vault_ns, "exec", "vault-0", "--", "vault", "operator", "unseal", unseal_key],
+        ctx,
+    )
     
     typer.secho("✓ Vault desbloqueado.", fg=typer.colors.GREEN)
 
@@ -262,23 +299,21 @@ def _create_secretstore_example(ctx: ExecutionContext, vault_ns: str, eso_ns: st
     """Cria exemplo de ClusterSecretStore e ExternalSecret."""
     typer.echo("\nCriando exemplo de ClusterSecretStore...")
     
-    secretstore_yaml = f"""apiVersion: external-secrets.io/v1beta1
+    secretstore_yaml = f"""apiVersion: external-secrets.io/v1
 kind: ClusterSecretStore
 metadata:
   name: vault-backend
 spec:
   provider:
     vault:
-      server: "http://vault.{vault_ns}.svc.cluster.local:8200"
+      server: "http://vault.{vault_ns}.svc:8200"
       path: "secret"
       version: "v2"
       auth:
-        kubernetes:
-          mountPath: "kubernetes"
-          role: "eso-role"
-          serviceAccountRef:
-            name: "external-secrets"
-            namespace: "{eso_ns}"
+        tokenSecretRef:
+          namespace: "{vault_ns}"
+          name: "vault-init-credentials"
+          key: "root-token"
 """
     
     secretstore_path = Path("/tmp/raijin-vault-secretstore.yaml")
@@ -310,7 +345,7 @@ def _create_example_secret(ctx: ExecutionContext, vault_ns: str, root_token: str
     typer.secho("✓ Secret 'secret/example' criado no Vault.", fg=typer.colors.GREEN)
     
     # Cria ExternalSecret de exemplo
-    external_secret_yaml = """apiVersion: external-secrets.io/v1beta1
+    external_secret_yaml = """apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: example-secret
@@ -379,7 +414,7 @@ def run(ctx: ExecutionContext) -> None:
     )
     node_ip = result.stdout.strip() if result.returncode == 0 else "192.168.1.81"
     
-    minio_host = typer.prompt("MinIO host", default=f"{node_ip}:30900")
+    minio_host = typer.prompt("MinIO host (interno)", default="minio.minio.svc:9000")
     access_key, secret_key = _get_minio_credentials(ctx)
 
     # ========== HashiCorp Vault ==========
@@ -469,15 +504,14 @@ injector:
     if not ctx.dry_run:
         _wait_for_pods_ready(ctx, vault_ns, "app.kubernetes.io/name=vault", timeout=180)
         
-        # Inicializa Vault
-        root_token, unseal_keys = _initialize_vault(ctx, vault_ns, node_ip)
+        # Inicializa Vault (retorna root_token e unseal_key)
+        root_token, unseal_key = _initialize_vault(ctx, vault_ns, node_ip)
         
         # Destrava Vault
-        _unseal_vault(ctx, vault_ns, unseal_keys)
+        _unseal_vault(ctx, vault_ns, unseal_key)
         
         # Configura Vault
         _enable_kv_secrets(ctx, vault_ns, root_token)
-        _configure_kubernetes_auth(ctx, vault_ns, root_token)
 
     # ========== External Secrets Operator ==========
     typer.secho("\n== External Secrets Operator ==", fg=typer.colors.CYAN, bold=True)
@@ -545,8 +579,7 @@ resources:
     if not ctx.dry_run:
         _wait_for_pods_ready(ctx, eso_ns, "app.kubernetes.io/name=external-secrets", timeout=120)
         
-        # Configura integração Vault + ESO
-        _create_eso_policy_and_role(ctx, vault_ns, root_token, eso_ns)
+        # Cria ClusterSecretStore (usa tokenSecretRef, não precisa de Kubernetes auth)
         _create_secretstore_example(ctx, vault_ns, eso_ns, node_ip)
         _create_example_secret(ctx, vault_ns, root_token)
 
@@ -562,7 +595,7 @@ resources:
     
     typer.echo("\n2. Criar ExternalSecret:")
     typer.echo("   kubectl apply -f - <<EOF")
-    typer.echo("   apiVersion: external-secrets.io/v1beta1")
+    typer.echo("   apiVersion: external-secrets.io/v1")
     typer.echo("   kind: ExternalSecret")
     typer.echo("   metadata:")
     typer.echo("     name: myapp-secret")
@@ -582,8 +615,14 @@ resources:
     typer.echo("\n3. Secret será sincronizado automaticamente!")
     typer.echo("   kubectl get secret myapp-secret -o yaml")
     
+    typer.secho("\n=== Recuperar Credenciais ===", fg=typer.colors.CYAN)
+    typer.echo("Via arquivo local:")
+    typer.echo("  cat /etc/vault/keys.json")
+    typer.echo("\nVia Kubernetes Secret:")
+    typer.echo(f"  kubectl -n {vault_ns} get secret vault-init-credentials -o jsonpath='{{.data.root-token}}' | base64 -d")
+    typer.echo(f"  kubectl -n {vault_ns} get secret vault-init-credentials -o jsonpath='{{.data.unseal-key}}' | base64 -d")
+    
     typer.secho("\n⚠️  IMPORTANTE:", fg=typer.colors.YELLOW, bold=True)
-    typer.echo(f"- Root token e unseal keys salvos em: /etc/vault/keys.json")
-    typer.echo("- Faça backup dessas keys em local seguro!")
-    typer.echo("- Após reboot do Vault, use: kubectl -n vault exec vault-0 -- vault operator unseal")
+    typer.echo("- Faça backup das credenciais em local seguro!")
+    typer.echo(f"- Após reboot do Vault, use: kubectl -n {vault_ns} exec vault-0 -- vault operator unseal <unseal-key>")
 

{raijin_server-0.3.7 → raijin_server-0.3.9/src/raijin_server.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: raijin-server
-Version: 0.3.7
+Version: 0.3.9
 Summary: CLI para automacao de setup e hardening de servidores Ubuntu Server.
 Home-page: https://example.com/raijin-server
 Author: Equipe Raijin