├── OCI ├── terraform │ ├── output.tf │ ├── compartment │ │ ├── variables.tf │ │ ├── outputs.tf │ │ └── compartment.tf │ ├── kubeconfig │ │ ├── variables.tf │ │ └── kubeconfig.tf │ ├── giropops-senhas │ │ ├── variable.tf │ │ └── deploy.tf │ ├── loadbalancer │ │ ├── outputs.tf │ │ ├── variables.tf │ │ └── load-balancer.tf │ ├── .gitignore │ ├── network │ │ ├── variables.tf │ │ ├── outputs.tf │ │ └── network.tf │ ├── cluster │ │ ├── output.tf │ │ ├── variables.tf │ │ └── k8s.tf │ ├── sample.env.sh │ ├── main.tf │ ├── variables.tf │ └── terrafile.tf ├── manifests │ ├── namespace.yaml │ ├── kyverno │ │ └── add-label-giropops.yaml │ ├── podmonitor.yaml │ ├── rbac.yaml │ ├── Issuers │ │ └── Issuers.yaml │ ├── configmap.yaml │ ├── hpa.yaml │ ├── service.yaml │ ├── ingress.yaml │ └── deployment.yaml └── README.md ├── giropops-senhas ├── requirements.txt ├── static │ ├── linuxtips-logo.png │ ├── css │ │ ├── styles.css │ │ └── output.css │ └── js │ │ └── main.js ├── tailwind.config.js ├── Dockerfile ├── templates │ ├── lista_senhas.html │ └── index.html └── app.py ├── static ├── trivy.png └── yamllint.png ├── kind ├── manifests │ ├── namespace.yaml │ ├── locust-svc.yaml │ ├── prometheus-role.yaml │ ├── redis-service.yaml │ ├── service.yaml │ ├── prometheus-rolebinding.yaml │ ├── Issuers │ │ ├── production_issuer.yaml │ │ └── staging_issuer.yaml │ ├── podmonitor.yaml │ ├── servicemonitor.yaml │ ├── hpa.yaml │ ├── kind │ │ ├── kustomization.yaml │ │ └── kind-ingress-cluster.yaml │ ├── locust-configmap.yaml │ ├── redis-deployment.yaml │ ├── ingress.yaml │ ├── ingress-metrics.yaml │ ├── locust-deployment.yaml │ └── deployment.yaml └── README.md ├── .github ├── workflows │ ├── config.yamllint │ ├── yamllint.yml │ ├── digestabot.yml │ ├── release.yml │ └── build.yml └── dependabot.yml ├── key-pair └── cosign.pub ├── README.md └── LICENSE /OCI/terraform/output.tf: -------------------------------------------------------------------------------- 1 | 
-------------------------------------------------------------------------------- /OCI/terraform/compartment/variables.tf: -------------------------------------------------------------------------------- 1 | variable "compartment_name" { 2 | } -------------------------------------------------------------------------------- /giropops-senhas/requirements.txt: -------------------------------------------------------------------------------- 1 | Flask==2.2.5 2 | redis==5.0.1 3 | prometheus-client==0.16.0 -------------------------------------------------------------------------------- /OCI/terraform/kubeconfig/variables.tf: -------------------------------------------------------------------------------- 1 | variable "cluster_id" { 2 | } 3 | 4 | variable "oci_profile" { 5 | } -------------------------------------------------------------------------------- /static/trivy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Rapha-Borges/LINUXtips-giropops-senhas/HEAD/static/trivy.png -------------------------------------------------------------------------------- /static/yamllint.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Rapha-Borges/LINUXtips-giropops-senhas/HEAD/static/yamllint.png -------------------------------------------------------------------------------- /OCI/terraform/compartment/outputs.tf: -------------------------------------------------------------------------------- 1 | output "compartment_id" { 2 | value = "${oci_identity_compartment._.id}" 3 | } -------------------------------------------------------------------------------- /kind/manifests/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: giropops-senhas 6 | -------------------------------------------------------------------------------- 
/.github/workflows/config.yamllint: -------------------------------------------------------------------------------- 1 | extends: default 2 | 3 | rules: 4 | line-length: disable 5 | comments-indentation: disable -------------------------------------------------------------------------------- /OCI/terraform/giropops-senhas/variable.tf: -------------------------------------------------------------------------------- 1 | variable "cluster_id" { 2 | } 3 | 4 | variable "oci_profile" { 5 | } 6 | 7 | variable "region" { 8 | } -------------------------------------------------------------------------------- /giropops-senhas/static/linuxtips-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Rapha-Borges/LINUXtips-giropops-senhas/HEAD/giropops-senhas/static/linuxtips-logo.png -------------------------------------------------------------------------------- /OCI/terraform/loadbalancer/outputs.tf: -------------------------------------------------------------------------------- 1 | output "load_balancer_public_ip" { 2 | value = "${oci_network_load_balancer_network_load_balancer.nlb.ip_addresses[0].ip_address}" 3 | } -------------------------------------------------------------------------------- /OCI/terraform/.gitignore: -------------------------------------------------------------------------------- 1 | # Terraform files 2 | *terraform* 3 | *.tfplan 4 | 5 | # Authentification files 6 | env.sh 7 | id_rsa* 8 | *.pem 9 | 10 | # Files 11 | install.md -------------------------------------------------------------------------------- /OCI/terraform/network/variables.tf: -------------------------------------------------------------------------------- 1 | variable "compartment_id" { 2 | } 3 | 4 | variable "vcn_id" { 5 | } 6 | 7 | variable "nat_route_id" { 8 | } 9 | 10 | variable "ig_route_id" { 11 | } -------------------------------------------------------------------------------- 
/OCI/terraform/compartment/compartment.tf: -------------------------------------------------------------------------------- 1 | resource "oci_identity_compartment" "_" { 2 | name = var.compartment_name 3 | description = var.compartment_name 4 | enable_delete = true 5 | } -------------------------------------------------------------------------------- /key-pair/cosign.pub: -------------------------------------------------------------------------------- 1 | -----BEGIN PUBLIC KEY----- 2 | MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEu2phuQeQuHuBHaxXviQ5yyZN6iz5 3 | QEBrb2aFaiIzJA3e4miDi+0YVEXrTrpFUXNaAcTCvJJP7PxxcewMOTH1IA== 4 | -----END PUBLIC KEY----- 5 | -------------------------------------------------------------------------------- /OCI/terraform/cluster/output.tf: -------------------------------------------------------------------------------- 1 | output "node_pool_id" { 2 | value = oci_containerengine_node_pool.k8s_node_pool.id 3 | } 4 | 5 | output "cluster_id" { 6 | value = oci_containerengine_cluster.k8s_cluster.id 7 | } -------------------------------------------------------------------------------- /OCI/terraform/network/outputs.tf: -------------------------------------------------------------------------------- 1 | output "public_subnet_id" { 2 | value = "${oci_core_subnet.vcn_public_subnet.id}" 3 | } 4 | 5 | output "vcn_private_subnet_id" { 6 | value = "${oci_core_subnet.vcn_private_subnet.id}" 7 | } -------------------------------------------------------------------------------- /OCI/manifests/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: giropops-senhas 6 | spec: {} 7 | status: {} 8 | --- 9 | apiVersion: v1 10 | kind: Namespace 11 | metadata: 12 | name: ingress-nginx 13 | spec: {} 14 | status: {} 15 | -------------------------------------------------------------------------------- /giropops-senhas/tailwind.config.js: 
-------------------------------------------------------------------------------- 1 | /** @type {import('tailwindcss').Config} */ 2 | module.exports = { 3 | content: ["./templates/*.html"], 4 | theme: { 5 | fontFamily: { 6 | emoji: ["Material Icons", "sans-serif"], 7 | }, 8 | extend: {}, 9 | }, 10 | plugins: [], 11 | }; 12 | -------------------------------------------------------------------------------- /OCI/terraform/kubeconfig/kubeconfig.tf: -------------------------------------------------------------------------------- 1 | resource "null_resource" "create_kubeconfig" { 2 | provisioner "local-exec" { 3 | command = "oci ce cluster create-kubeconfig --cluster-id ${var.cluster_id} --file ~/.kube/config --token-version 2.0.0 --kube-endpoint PUBLIC_ENDPOINT --profile ${var.oci_profile}" 4 | } 5 | } -------------------------------------------------------------------------------- /kind/manifests/locust-svc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: locust-giropops 6 | namespace: giropops-senhas 7 | spec: 8 | selector: 9 | app: locust-giropops 10 | ports: 11 | - protocol: TCP 12 | port: 80 13 | targetPort: 8089 14 | type: ClusterIP 15 | -------------------------------------------------------------------------------- /kind/manifests/prometheus-role.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | namespace: giropops-senhas 6 | name: prometheus-role 7 | rules: 8 | - apiGroups: [""] 9 | resources: ["pods", "services", "endpoints", "configmaps"] 10 | verbs: ["get", "list", "watch"] 11 | -------------------------------------------------------------------------------- /kind/manifests/redis-service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 
| labels: 6 | app: redis 7 | name: redis-service 8 | namespace: giropops-senhas 9 | spec: 10 | selector: 11 | app: redis 12 | ports: 13 | - protocol: TCP 14 | port: 6379 15 | targetPort: 6379 16 | name: tcp-redis 17 | type: ClusterIP 18 | -------------------------------------------------------------------------------- /kind/manifests/service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | labels: 6 | app: giropops-senhas 7 | name: giropops-svc 8 | namespace: giropops-senhas 9 | spec: 10 | selector: 11 | app: giropops-senhas 12 | ports: 13 | - protocol: TCP 14 | port: 5000 15 | targetPort: 5000 16 | name: tcp-app 17 | type: ClusterIP 18 | -------------------------------------------------------------------------------- /kind/manifests/prometheus-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: RoleBinding 4 | metadata: 5 | name: prometheus-role-binding 6 | namespace: giropops-senhas 7 | subjects: 8 | - kind: ServiceAccount 9 | name: prometheus-k8s 10 | namespace: monitoring 11 | roleRef: 12 | kind: Role 13 | name: prometheus-role 14 | apiGroup: rbac.authorization.k8s.io 15 | -------------------------------------------------------------------------------- /OCI/terraform/loadbalancer/variables.tf: -------------------------------------------------------------------------------- 1 | variable "namespace"{ 2 | } 3 | 4 | variable "node_pool_id"{ 5 | } 6 | 7 | variable "compartment_id"{ 8 | } 9 | 10 | variable "public_subnet_id"{ 11 | } 12 | 13 | variable "node_size"{ 14 | } 15 | 16 | variable "node_port_http" { 17 | } 18 | 19 | variable "node_port_https" { 20 | } 21 | 22 | variable "listener_port_http" { 23 | } 24 | 25 | variable "listener_port_https" { 26 | } -------------------------------------------------------------------------------- 
/kind/manifests/Issuers/production_issuer.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: cert-manager.io/v1 3 | kind: ClusterIssuer 4 | metadata: 5 | name: letsencrypt-prod 6 | spec: 7 | acme: 8 | email: raps_rnb@hotmail.com 9 | server: https://acme-v02.api.letsencrypt.org/directory 10 | privateKeySecretRef: 11 | name: letsencrypt-prod 12 | solvers: 13 | - http01: 14 | ingress: 15 | ingressClassName: nginx 16 | -------------------------------------------------------------------------------- /kind/manifests/Issuers/staging_issuer.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: cert-manager.io/v1 3 | kind: Issuer # NOTE(review): namespaced Issuer with no metadata.namespace, while the kind Ingress manifests reference letsencrypt-staging through the cert-manager.io/cluster-issuer annotation - confirm which kind is intended 4 | metadata: 5 | name: letsencrypt-staging 6 | spec: 7 | acme: 8 | email: raps_rnb@hotmail.com 9 | server: https://acme-staging-v02.api.letsencrypt.org/directory 10 | privateKeySecretRef: 11 | name: letsencrypt-staging 12 | solvers: 13 | - http01: 14 | ingress: 15 | ingressClassName: nginx 16 | -------------------------------------------------------------------------------- /OCI/manifests/kyverno/add-label-giropops.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kyverno.io/v1 3 | kind: ClusterPolicy # NOTE(review): ClusterPolicy is cluster-scoped, so metadata.namespace below does not confine it; with kinds "*" and no namespace filter under match, the label mutation presumably applies to resources in every namespace - confirm, or use a namespaced Policy 4 | metadata: 5 | name: add-label 6 | namespace: giropops-senhas 7 | spec: 8 | background: false 9 | rules: 10 | - name: add-label-giropops 11 | match: 12 | resources: 13 | kinds: 14 | - "*" 15 | mutate: 16 | patchStrategicMerge: 17 | metadata: 18 | labels: 19 | projeto: "pick" 20 | -------------------------------------------------------------------------------- /OCI/manifests/podmonitor.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: PodMonitor 4 | metadata: 5 | name: giropops-pod-monitor 6 | labels: 7 | app: giropops-senhas 8 | namespace: giropops-senhas 9 | spec: 10 | 
namespaceSelector: 11 | matchNames: 12 | - giropops-senhas 13 | selector: 14 | matchLabels: 15 | app: giropops-senhas 16 | podMetricsEndpoints: 17 | - interval: 30s 18 | path: /metrics 19 | targetPort: 5000 20 | -------------------------------------------------------------------------------- /kind/manifests/podmonitor.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: PodMonitor 4 | metadata: 5 | name: giropops-pod-monitor 6 | labels: 7 | app: giropops-senhas 8 | namespace: giropops-senhas 9 | spec: 10 | namespaceSelector: 11 | matchNames: 12 | - giropops-senhas 13 | selector: 14 | matchLabels: 15 | app: giropops-senhas 16 | podMetricsEndpoints: 17 | - interval: 30s 18 | path: /metrics 19 | targetPort: 5000 20 | -------------------------------------------------------------------------------- /kind/manifests/servicemonitor.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: ServiceMonitor 4 | metadata: 5 | name: giropops-senhas-service-monitor 6 | labels: 7 | app: giropops-senhas 8 | namespace: giropops-senhas 9 | spec: 10 | namespaceSelector: 11 | matchNames: 12 | - giropops-senhas 13 | selector: 14 | matchLabels: 15 | app: giropops-senhas 16 | endpoints: 17 | - interval: 30s 18 | path: /metrics 19 | targetPort: 5000 20 | -------------------------------------------------------------------------------- /OCI/terraform/sample.env.sh: -------------------------------------------------------------------------------- 1 | export TF_VAR_tenancy_ocid= 2 | export TF_VAR_user_ocid= 3 | export TF_VAR_fingerprint= 4 | export TF_VAR_region= 5 | export TF_VAR_config_file_profile= 6 | export TF_VAR_ssh_public_key=$(cat id_rsa.pub) 7 | export TF_VAR_ssh_private_key=$(cat id_rsa) # NOTE(review): puts the private key contents in the shell environment; keep env.sh and id_rsa* out of version control, as OCI/terraform/.gitignore does 8 | export TF_VAR_private_key_path="private_key.pem" 9 | # It must be the same as the one in the OCI config file 10 | 
#export TF_VAR_oci_profile="" -------------------------------------------------------------------------------- /kind/manifests/hpa.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: autoscaling/v2 3 | kind: HorizontalPodAutoscaler 4 | metadata: 5 | name: giropops-hpa 6 | namespace: giropops-senhas 7 | spec: 8 | scaleTargetRef: 9 | apiVersion: apps/v1 10 | kind: Deployment 11 | name: giropops-deployment 12 | minReplicas: 3 13 | maxReplicas: 20 14 | metrics: 15 | - type: Resource 16 | resource: 17 | name: cpu 18 | target: 19 | type: Utilization 20 | averageUtilization: 50 21 | -------------------------------------------------------------------------------- /kind/manifests/kind/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.6.1/components.yaml 6 | patches: # NOTE(review): the patch below appends --kubelet-insecure-tls to metrics-server, which stops it verifying the kubelet serving certificate; acceptable for a local kind cluster, not for a shared or production cluster 7 | - patch: |- 8 | - op: add 9 | path: /spec/template/spec/containers/0/args/- 10 | value: --kubelet-insecure-tls 11 | target: 12 | kind: Deployment 13 | name: metrics-server 14 | namespace: kube-system 15 | version: v1 16 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | # To get started with Dependabot version updates, you'll need to specify which 2 | # package ecosystems to update and where the package manifests are located. 
3 | # Please see the documentation for all configuration options: 4 | # https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file 5 | 6 | version: 2 7 | updates: 8 | - package-ecosystem: "github-actions" # NOTE(review): only workflow actions are tracked; the pinned packages in giropops-senhas/requirements.txt get no update PRs unless a pip entry is added 9 | directory: "/" 10 | schedule: 11 | interval: "daily" 12 | -------------------------------------------------------------------------------- /kind/manifests/kind/kind-ingress-cluster.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: Cluster 3 | apiVersion: kind.x-k8s.io/v1alpha4 4 | nodes: 5 | - role: control-plane 6 | kubeadmConfigPatches: 7 | - | 8 | kind: InitConfiguration 9 | nodeRegistration: 10 | kubeletExtraArgs: 11 | node-labels: "ingress-ready=true" 12 | extraPortMappings: 13 | - containerPort: 80 14 | hostPort: 80 15 | protocol: TCP 16 | - containerPort: 443 17 | hostPort: 443 18 | protocol: TCP 19 | -------------------------------------------------------------------------------- /.github/workflows/yamllint.yml: -------------------------------------------------------------------------------- 1 | name: Validate-YAML 2 | 3 | on: 4 | push: 5 | paths: 6 | - 'kind/manifests/**' 7 | - 'OCI/manifests/**' 8 | 9 | jobs: # NOTE(review): no permissions: block, so the job runs with the repository's default GITHUB_TOKEN permissions; a lint job needs only contents: read 10 | validate-yaml: 11 | runs-on: ubuntu-latest 12 | steps: 13 | - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 14 | - name: Validate YAML file 15 | uses: ibiqlik/action-yamllint@v3 # NOTE(review): referenced by a mutable tag while checkout above is pinned to a commit SHA; pin this action to a full commit SHA as well 16 | with: 17 | file_or_dir: kind/manifests/**.yaml OCI/manifests/**.yaml 18 | config_file: '.github/workflows/config.yamllint' -------------------------------------------------------------------------------- /giropops-senhas/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM cgr.dev/chainguard/python:latest-dev@sha256:be487ac35cb06641a8aca030ac547d7fe754b608d95d895e56ef34917c9f8949 as builder 2 | WORKDIR /app 3 | COPY . 
/app 4 | RUN pip install -r requirements.txt --user 5 | 6 | FROM cgr.dev/chainguard/python:latest@sha256:5f16431f56f330925a9c8f5168b31ca65f603de15b127b376f8532bab11583c0 7 | WORKDIR /app 8 | COPY --from=builder /home/nonroot/.local/lib/python3.12/site-packages /home/nonroot/.local/lib/python3.12/site-packages 9 | COPY --from=builder /app /app 10 | 11 | ENTRYPOINT ["python", "-m", "flask", "run", "--host=0.0.0.0"] -------------------------------------------------------------------------------- /OCI/terraform/cluster/variables.tf: -------------------------------------------------------------------------------- 1 | variable "cluster_name" { 2 | } 3 | 4 | variable "k8s_version" { 5 | } 6 | 7 | variable "node_size" { 8 | } 9 | 10 | variable "shape" { 11 | } 12 | 13 | variable "memory_in_gbs_per_node" { 14 | } 15 | 16 | variable "ocpus_per_node" { 17 | } 18 | 19 | variable "image_id" { 20 | } 21 | 22 | variable "availability_domain" { 23 | } 24 | 25 | variable "ssh_public_key" { 26 | } 27 | 28 | variable "public_subnet_id" { 29 | } 30 | 31 | variable "vcn_id" { 32 | } 33 | 34 | variable "compartment_id" { 35 | } 36 | 37 | variable "vcn_private_subnet_id" { 38 | } -------------------------------------------------------------------------------- /.github/workflows/digestabot.yml: -------------------------------------------------------------------------------- 1 | name: Image digest update 2 | 3 | on: 4 | workflow_dispatch: 5 | schedule: 6 | # At the end of every day 7 | - cron: "0 0 * * *" 8 | 9 | jobs: 10 | image-update: 11 | name: Image digest update 12 | runs-on: ubuntu-latest 13 | 14 | permissions: 15 | contents: write 16 | pull-requests: write 17 | id-token: write 18 | 19 | steps: 20 | - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 21 | 22 | - uses: chainguard-dev/digestabot@3830b931642989ef391e6db4c0bbcd2bc20d064f 23 | with: 24 | token: ${{ secrets.GITHUB_TOKEN }} 25 | -------------------------------------------------------------------------------- 
/OCI/terraform/main.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_providers { 3 | oci = { 4 | source = "oracle/oci" 5 | version = "5.23.0" 6 | } 7 | kubernetes = { 8 | source = "hashicorp/kubernetes" 9 | version = "2.25.2" 10 | } 11 | } 12 | } 13 | 14 | provider "oci" { 15 | region = var.region 16 | tenancy_ocid = var.tenancy_ocid 17 | user_ocid = var.user_ocid 18 | fingerprint = var.fingerprint 19 | private_key_path = var.private_key_path 20 | config_file_profile = var.oci_profile 21 | } 22 | 23 | provider "kubernetes" { 24 | config_path = "~/.kube/config" 25 | } -------------------------------------------------------------------------------- /OCI/manifests/rbac.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | namespace: giropops-senhas 6 | name: prometheus-role 7 | rules: 8 | - apiGroups: [""] 9 | resources: ["pods", "services", "endpoints", "configmaps"] 10 | verbs: ["get", "list", "watch"] 11 | --- 12 | apiVersion: rbac.authorization.k8s.io/v1 13 | kind: RoleBinding 14 | metadata: 15 | name: prometheus-role-binding 16 | namespace: giropops-senhas 17 | subjects: 18 | - kind: ServiceAccount 19 | name: prometheus-k8s 20 | namespace: monitoring 21 | roleRef: 22 | kind: Role 23 | name: prometheus-role 24 | apiGroup: rbac.authorization.k8s.io 25 | -------------------------------------------------------------------------------- /giropops-senhas/static/css/styles.css: -------------------------------------------------------------------------------- 1 | /* styles.css */ 2 | @tailwind base; 3 | @tailwind components; 4 | @tailwind utilities; 5 | 6 | body { 7 | font-family: Ubuntu, sans-serif; 8 | background-color: #eeeeee; 9 | background-image: url("data:image/svg+xml,%3Csvg width='52' height='26' viewBox='0 0 52 26' xmlns='http://www.w3.org/2000/svg'%3E%3Cg fill='none' 
fill-rule='evenodd'%3E%3Cg fill='%23aeb8af' fill-opacity='0.4'%3E%3Cpath d='M10 10c0-2.21-1.79-4-4-4-3.314 0-6-2.686-6-6h2c0 2.21 1.79 4 4 4 3.314 0 6 2.686 6 6 0 2.21 1.79 4 4 4 3.314 0 6 2.686 6 6 0 2.21 1.79 4 4 4v2c-3.314 0-6-2.686-6-6 0-2.21-1.79-4-4-4-3.314 0-6-2.686-6-6zm25.464-1.95l8.486 8.486-1.414 1.414-8.486-8.486 1.414-1.414z' /%3E%3C/g%3E%3C/g%3E%3C/svg%3E"); 10 | } 11 | -------------------------------------------------------------------------------- /kind/manifests/locust-configmap.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | data: 4 | locustfile.py: |- 5 | from locust import HttpUser, task, between 6 | 7 | class Giropops(HttpUser): 8 | wait_time = between(1, 2) 9 | 10 | @task(1) 11 | def gerar_senha(self): 12 | self.client.post( 13 | "/api/gerar-senha", 14 | json={ 15 | "tamanho": 8, 16 | "incluir_numeros": True, 17 | "incluir_caracteres_especiais": True 18 | } 19 | ) 20 | 21 | @task(2) 22 | def listar_senha(self): 23 | self.client.get("/api/senhas") 24 | kind: ConfigMap 25 | metadata: 26 | name: locust-scripts 27 | namespace: giropops-senhas 28 | -------------------------------------------------------------------------------- /OCI/manifests/Issuers/Issuers.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: cert-manager.io/v1 3 | kind: ClusterIssuer 4 | metadata: 5 | name: letsencrypt-prod 6 | spec: 7 | acme: 8 | email: raps_rnb@hotmail.com 9 | server: https://acme-v02.api.letsencrypt.org/directory 10 | privateKeySecretRef: 11 | name: letsencrypt-prod 12 | solvers: 13 | - http01: 14 | ingress: 15 | ingressClassName: nginx 16 | --- 17 | apiVersion: cert-manager.io/v1 18 | kind: Issuer 19 | metadata: 20 | name: letsencrypt-staging 21 | spec: 22 | acme: 23 | email: raps_rnb@hotmail.com 24 | server: https://acme-staging-v02.api.letsencrypt.org/directory 25 | privateKeySecretRef: 26 | name: letsencrypt-staging 27 | solvers: 
28 | - http01: 29 | ingress: 30 | class: nginx 31 | -------------------------------------------------------------------------------- /kind/manifests/redis-deployment.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | labels: 6 | app: redis 7 | name: redis 8 | namespace: giropops-senhas 9 | spec: 10 | replicas: 1 11 | selector: 12 | matchLabels: 13 | app: redis 14 | template: 15 | metadata: 16 | labels: 17 | app: redis 18 | spec: 19 | containers: 20 | - image: cgr.dev/chainguard/redis:latest@sha256:5c5193e437be1cb5af4f853c814878a83553d95e55421ae5e7227eb58ea7a26a 21 | name: redis # NOTE(review): no args or env in this manifest configure Redis authentication, and the securityContext at the end of the container spec is commented out, unlike the locust and application deployments - confirm this is acceptable outside a local test cluster 22 | ports: 23 | - containerPort: 6379 24 | imagePullPolicy: Always 25 | resources: 26 | limits: 27 | cpu: 100m 28 | memory: 128Mi 29 | requests: 30 | cpu: 100m 31 | memory: 128Mi 32 | # securityContext: 33 | # readOnlyRootFilesystem: true 34 | # runAsNonRoot: true 35 | # runAsUser: 1000 36 | -------------------------------------------------------------------------------- /kind/manifests/ingress.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: networking.k8s.io/v1 3 | kind: Ingress 4 | metadata: 5 | name: giropops-senhas-ingress 6 | namespace: giropops-senhas 7 | annotations: 8 | nginx.ingress.kubernetes.io/rewrite-target: / 9 | nginx.ingress.kubernetes.io/affinity: "cookie" 10 | nginx.ingress.kubernetes.io/session-cookie-name: "giropops-cookie" 11 | cert-manager.io/cluster-issuer: letsencrypt-staging 12 | spec: # NOTE(review): there is no tls: block under spec, so the cert-manager annotation above presumably requests no certificate and both hosts are served without the issued TLS certificate - confirm intent 13 | rules: 14 | - host: giropops.com.local 15 | http: 16 | paths: 17 | - path: / 18 | pathType: Prefix 19 | backend: 20 | service: 21 | name: giropops-svc 22 | port: 23 | number: 5000 24 | - host: locust.giropops.local 25 | http: 26 | paths: 27 | - path: / 28 | pathType: Prefix 29 | backend: 30 | service: 31 | name: locust-giropops 32 | port: 33 | number: 80 34 | 
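-------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | name: Release on Folder Change 2 | 3 | on: 4 | push: 5 | paths: 6 | - 'giropops-senhas/**' 7 | 8 | jobs: 9 | release: 10 | runs-on: ubuntu-latest 11 | steps: 12 | - name: Checkout code 13 | uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 14 | with: 15 | token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} # NOTE(review): a personal access token is broader than this job appears to need; the built-in GITHUB_TOKEN with permissions: contents: write is usually enough to create a release - confirm why a PAT is required 16 | 17 | - name: Extract version from commit 18 | id: extract_version 19 | run: | 20 | # Extract version from the commit message using awk 21 | VERSION=$(git log -1 --pretty=%B | awk '/Version:/ {print $2}') 22 | echo "Version found: $VERSION" 23 | echo "version=$VERSION" >> "$GITHUB_OUTPUT" # the set-output workflow command is deprecated; step outputs are written to the GITHUB_OUTPUT file 24 | 25 | - name: Create Release 26 | uses: softprops/action-gh-release@v2 # NOTE(review): referenced by a mutable tag while checkout above is pinned to a commit SHA; pin this action to a full commit SHA as well 27 | with: 28 | tag_name: ${{ steps.extract_version.outputs.version }} 29 | token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} 30 | env: 31 | TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }} -------------------------------------------------------------------------------- /OCI/manifests/configmap.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | data: 4 | nginx.conf: | 5 | events { 6 | } 7 | http { 8 | server { 9 | listen 8080; 10 | location / { 11 | root /usr/share/nginx/html; 12 | index index.html; 13 | } 14 | } 15 | } 16 | kind: ConfigMap 17 | metadata: 18 | name: nginx-config 19 | namespace: giropops-senhas 20 | --- 21 | apiVersion: v1 22 | data: 23 | locustfile.py: |- 24 | from locust import HttpUser, task, between 25 | 26 | class Giropops(HttpUser): 27 | wait_time = between(1, 2) 28 | 29 | @task(1) 30 | def gerar_senha(self): 31 | self.client.post( 32 | "/api/gerar-senha", 33 | json={ 34 | "tamanho": 8, 35 | "incluir_numeros": True, 36 | "incluir_caracteres_especiais": True 37 | } 38 | ) 39 | 40 | @task(2) 41 | def listar_senha(self): 42 | 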
self.client.get("/api/senhas") 43 | kind: ConfigMap 44 | metadata: 45 | name: locust-scripts 46 | namespace: giropops-senhas 47 | -------------------------------------------------------------------------------- /OCI/manifests/hpa.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: autoscaling/v2 3 | kind: HorizontalPodAutoscaler 4 | metadata: 5 | name: giropops-hpa 6 | namespace: giropops-senhas 7 | spec: 8 | scaleTargetRef: 9 | apiVersion: apps/v1 10 | kind: Deployment 11 | name: giropops-deployment 12 | minReplicas: 1 13 | maxReplicas: 15 14 | metrics: 15 | - type: Resource 16 | resource: 17 | name: cpu 18 | target: 19 | type: Utilization 20 | averageUtilization: 50 21 | - type: Resource 22 | resource: 23 | name: memory 24 | target: 25 | type: Utilization 26 | averageUtilization: 50 27 | - type: ContainerResource 28 | containerResource: 29 | name: cpu 30 | container: giropops-senhas 31 | target: 32 | type: Utilization 33 | averageUtilization: 50 34 | behavior: 35 | scaleDown: 36 | stabilizationWindowSeconds: 300 37 | policies: 38 | - type: Pods 39 | value: 100 40 | periodSeconds: 15 41 | scaleUp: 42 | stabilizationWindowSeconds: 0 43 | policies: 44 | - type: Pods 45 | value: 100 46 | periodSeconds: 15 47 | -------------------------------------------------------------------------------- /kind/manifests/ingress-metrics.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: networking.k8s.io/v1 3 | kind: Ingress 4 | metadata: 5 | name: metrics-ingress 6 | namespace: monitoring 7 | annotations: 8 | nginx.ingress.kubernetes.io/rewrite-target: / 9 | nginx.ingress.kubernetes.io/affinity: "cookie" 10 | nginx.ingress.kubernetes.io/session-cookie-name: "giropops-cookie" 11 | cert-manager.io/cluster-issuer: letsencrypt-staging 12 | spec: 13 | rules: 14 | - host: prometheus.giropops.local 15 | http: 16 | paths: 17 | - path: / 18 | pathType: Prefix 19 | backend: 
20 | service: 21 | name: prometheus-k8s 22 | port: 23 | number: 9090 24 | - host: grafana.giropops.local 25 | http: 26 | paths: 27 | - path: / 28 | pathType: Prefix 29 | backend: 30 | service: 31 | name: grafana 32 | port: 33 | number: 3000 34 | - host: alertmanager.giropops.local 35 | http: 36 | paths: 37 | - path: / 38 | pathType: Prefix 39 | backend: 40 | service: 41 | name: alertmanager-main 42 | port: 43 | number: 9093 44 | -------------------------------------------------------------------------------- /kind/manifests/locust-deployment.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | labels: 6 | app: locust-giropops 7 | name: locust-giropops 8 | namespace: giropops-senhas 9 | spec: 10 | replicas: 1 11 | selector: 12 | matchLabels: 13 | app: locust-giropops 14 | template: 15 | metadata: 16 | labels: 17 | app: locust-giropops 18 | spec: 19 | containers: 20 | - image: raphaelborges/locust-giropops:1.2 21 | name: locust-giropops 22 | env: 23 | - name: LOCUST_LOCUSTFILE 24 | value: "/usr/src/app/scripts/locustfile.py" 25 | resources: 26 | limits: 27 | cpu: '1' 28 | memory: 128Mi 29 | requests: 30 | cpu: '0.3' 31 | memory: 64Mi 32 | securityContext: 33 | readOnlyRootFilesystem: true 34 | runAsNonRoot: true 35 | runAsUser: 1000 36 | ports: 37 | - containerPort: 8089 38 | imagePullPolicy: Always 39 | volumeMounts: 40 | - name: locust-scripts 41 | mountPath: /usr/src/app/scripts 42 | volumes: 43 | - name: locust-scripts 44 | configMap: 45 | name: locust-scripts 46 | optional: true 47 | -------------------------------------------------------------------------------- /giropops-senhas/templates/lista_senhas.html: -------------------------------------------------------------------------------- 1 |
2 |
    3 | {% for senha_gerada in senhas_geradas %} 4 |
  • 5 |
    6 | 13 |
    14 | 23 | 30 |
    31 |
    32 |
  • 33 | {% endfor %} 34 |
35 |
36 | -------------------------------------------------------------------------------- /kind/manifests/deployment.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | labels: 6 | app: giropops-senhas 7 | name: giropops-deployment 8 | namespace: giropops-senhas 9 | spec: 10 | strategy: 11 | type: RollingUpdate 12 | rollingUpdate: 13 | maxSurge: 1 14 | maxUnavailable: 1 15 | selector: 16 | matchLabels: 17 | app: giropops-senhas 18 | template: 19 | metadata: 20 | labels: 21 | app: giropops-senhas 22 | spec: 23 | containers: 24 | - image: raphaelborges/linuxtips-giropops-senhas:1.3 25 | name: giropops-senhas 26 | ports: 27 | - containerPort: 5000 28 | resources: 29 | limits: 30 | cpu: '0.3' 31 | memory: 128Mi 32 | requests: 33 | cpu: '0.1' 34 | memory: 128Mi 35 | imagePullPolicy: Always 36 | env: 37 | - name: REDIS_HOST 38 | value: redis-service 39 | securityContext: 40 | readOnlyRootFilesystem: true 41 | runAsNonRoot: true 42 | # runAsUser: 1000 43 | livenessProbe: 44 | httpGet: 45 | path: / 46 | port: 5000 47 | initialDelaySeconds: 5 48 | periodSeconds: 5 49 | timeoutSeconds: 5 50 | failureThreshold: 3 51 | successThreshold: 1 52 | readinessProbe: 53 | httpGet: 54 | path: / 55 | port: 5000 56 | initialDelaySeconds: 5 57 | periodSeconds: 5 58 | timeoutSeconds: 5 59 | failureThreshold: 3 60 | successThreshold: 1 61 | -------------------------------------------------------------------------------- /OCI/terraform/cluster/k8s.tf: -------------------------------------------------------------------------------- 1 | data "oci_identity_availability_domains" "ads" { 2 | compartment_id = var.compartment_id 3 | } 4 | 5 | resource "oci_containerengine_cluster" "k8s_cluster" { 6 | compartment_id = var.compartment_id 7 | kubernetes_version = var.k8s_version 8 | name = var.cluster_name 9 | vcn_id = var.vcn_id 10 | 11 | endpoint_config { 12 | is_public_ip_enabled = true 13 | 
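subnet_id = var.public_subnet_id 14 | } 15 | 16 | options { 17 | add_ons { 18 | is_kubernetes_dashboard_enabled = false 19 | is_tiller_enabled = false 20 | } 21 | kubernetes_network_config { 22 | pods_cidr = "10.244.0.0/16" 23 | services_cidr = "10.96.0.0/16" 24 | } 25 | service_lb_subnet_ids = [var.public_subnet_id] 26 | } 27 | } 28 | 29 | resource "oci_containerengine_node_pool" "k8s_node_pool" { 30 | cluster_id = oci_containerengine_cluster.k8s_cluster.id 31 | compartment_id = var.compartment_id 32 | kubernetes_version = var.k8s_version 33 | name = "k8s-node-pool" 34 | node_config_details { 35 | placement_configs { 36 | availability_domain = data.oci_identity_availability_domains.ads.availability_domains[var.availability_domain].name 37 | subnet_id = var.vcn_private_subnet_id 38 | } 39 | size = var.node_size 40 | } 41 | node_shape = var.shape 42 | 43 | node_shape_config { 44 | memory_in_gbs = var.memory_in_gbs_per_node 45 | ocpus = var.ocpus_per_node 46 | } 47 | 48 | node_source_details { 49 | image_id = var.image_id 50 | source_type = "image" 51 | } 52 | 53 | initial_node_labels { 54 | key = "name" 55 | value = "k8s-cluster" 56 | } 57 | 58 | ssh_public_key = var.ssh_public_key 59 | }
--------------------------------------------------------------------------------
/giropops-senhas/static/js/main.js:
--------------------------------------------------------------------------------
"use strict";

/**
 * Switch a password field between masked ("password") and readable ("text")
 * and update the icon text to match. Does nothing when either element is
 * missing, so a page without the field does not throw.
 */
function alternarVisibilidade(input, senhaIcon) {
  if (!input || !senhaIcon) {
    return;
  }
  const mascarada = input.getAttribute("type") === "password";
  input.setAttribute("type", mascarada ? "text" : "password");
  senhaIcon.innerText = mascarada ? "visibility_off" : "visibility";
}

/**
 * Copy the value of a password field to the clipboard and report the outcome
 * with the same alerts the page has always shown.
 */
function copiarValor(senhaElemento) {
  if (!senhaElemento) {
    return;
  }
  // navigator.clipboard is only defined in secure contexts (HTTPS or
  // localhost); on a plain-HTTP host it is undefined, so route that case
  // through the same failure alert instead of throwing a TypeError.
  const escrita = navigator.clipboard
    ? navigator.clipboard.writeText(senhaElemento.value)
    : Promise.reject(new Error("Clipboard API indisponível"));
  escrita.then(
    () => {
      alert("Senha copiada para a área de transferência!");
    },
    (err) => {
      alert("Não foi possível copiar a senha: " + err);
    }
  );
}

/** Toggle visibility of the main generated-password field ("senha"). */
function showSenha() {
  alternarVisibilidade(
    document.getElementById("senha"),
    document.getElementById("senha-icon")
  );
}

/**
 * Toggle visibility of one entry in the password list.
 * @param {number|string} id suffix of the "senha-<id>" / "senha-icon-<id>" elements
 */
function showSenhaPorId(id) {
  // The debug console.log(id) was dropped; it served no purpose in production.
  alternarVisibilidade(
    document.getElementById("senha-" + id),
    document.getElementById("senha-icon-" + id)
  );
}

/** Copy the main generated password ("senha") to the clipboard. */
function copiarParaAreaDeTransferencia() {
  copiarValor(document.getElementById("senha"));
}

/**
 * Copy one entry of the password list to the clipboard.
 * @param {number|string} id suffix of the "senha-<id>" element
 */
function copiarParaAreaDeTransferenciaPorId(id) {
  copiarValor(document.getElementById("senha-" + id));
}

/** Show or hide the "lista-usuarios-container" element. */
function toggleUsuarios() {
  const listaUsuariosContainer = document.getElementById(
    "lista-usuarios-container"
  );
  if (listaUsuariosContainer) {
    listaUsuariosContainer.classList.toggle("hidden");
  }
}

/** Reload the page so the server renders the latest password list. */
function buscarUltimasSenhas() {
  // `navigation` is the Navigation API global, which not every browser
  // implements; location.reload() is available everywhere.
  window.location.reload();
}
--------------------------------------------------------------------------------
/OCI/terraform/variables.tf:
--------------------------------------------------------------------------------
1 | # ----------> Compartment <---------- 2 | 3 | variable "compartment_name" { 4 | type = string 5 | default = "pick" 6 | } 7 | 8 | variable "region" { 9 | type = string 10 | default = "us-ashburn-1" 11 | } 12 | 13 | variable "availability_domain" { 14 | type = number 15 | default = 2 16 | } 17 | 18 | # ---------->VM's---------- 19 | 20 | variable "shape" { 21 | type = string 22 | default = "VM.Standard.E3.Flex" 23 | } 24 | 25 | variable "ocpus_per_node" { 26 | type = number 27 | default = 2 28 | } 29 | 30 | variable "memory_in_gbs_per_node" { 31 | type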
= number 32 | default = 4 33 | } 34 | 35 | variable "image_id" { 36 | type = string 37 | default = "ocid1.image.oc1.iad.aaaaaaaanwsto6tqklfuawgqrve5ugjpbff3l5qtb7bs35dp72ewcnsuwoka" 38 | } 39 | # Link to a list of available images (We are using Oracle-Linux-8.8-aarch64-2023.12.13-0, allways use the ARM version): https://docs.cloud.oracle.com/iaas/images/ 40 | 41 | # ----------> Cluster <---------- 42 | variable "k8s_version" { 43 | type = string 44 | default = "v1.28.2" 45 | } 46 | 47 | variable "node_size" { 48 | type = string 49 | default = "4" 50 | } 51 | 52 | variable "cluster_name" { 53 | type = string 54 | default = "k8s-cluster" 55 | } 56 | 57 | # ----------> Network <---------- 58 | 59 | variable "vcn_name" { 60 | type = string 61 | default = "k8s-vcn" 62 | } 63 | 64 | variable "vcn_dns_label" { 65 | type = string 66 | default = "k8svcn" 67 | } 68 | 69 | # ----------> Load Balancer <---------- 70 | 71 | variable "load_balancer_name_space" { 72 | type = string 73 | default = "loadbalancer" 74 | } 75 | 76 | variable "node_port_http" { 77 | type = number 78 | default = 30080 79 | } 80 | 81 | variable "node_port_https" { 82 | type = number 83 | default = 30443 84 | } 85 | 86 | variable "listener_port_http" { 87 | type = number 88 | default = 80 89 | } 90 | 91 | variable "listener_port_https" { 92 | type = number 93 | default = 443 94 | } 95 | 96 | # ----------> Authentication <---------- 97 | 98 | variable "ssh_public_key" { 99 | type = string 100 | } 101 | 102 | variable "fingerprint" { 103 | type = string 104 | } 105 | 106 | variable "private_key_path" { 107 | type = string 108 | } 109 | 110 | variable "tenancy_ocid" { 111 | type = string 112 | } 113 | 114 | variable "user_ocid" { 115 | type = string 116 | } 117 | 118 | variable "oci_profile" { 119 | type = string 120 | } -------------------------------------------------------------------------------- /OCI/terraform/network/network.tf: 
--------------------------------------------------------------------------------
# locals {
#   compartment_id = var.compartment_id
# }

# Security list attached to the private subnet (10.0.1.0/24, declared below).
resource "oci_core_security_list" "private_subnet_sl" {
  compartment_id = var.compartment_id
  vcn_id         = var.vcn_id

  display_name = "k8s-private-subnet-sl"

  # Outbound: any protocol to any destination.
  egress_security_rules {
    stateless        = false
    destination      = "0.0.0.0/0"
    destination_type = "CIDR_BLOCK"
    protocol         = "all"
  }

  # Inbound: any protocol, but only from 10.0.0.0/16, the CIDR that
  # terrafile.tf passes to the vcn module as vcn_cidrs.
  ingress_security_rules {
    stateless   = false
    source      = "10.0.0.0/16"
    source_type = "CIDR_BLOCK"
    protocol    = "all"
  }
}

# Security list attached to the public subnet (10.0.0.0/24, declared below).
# cluster/k8s.tf places the cluster endpoint (is_public_ip_enabled = true) and
# the service load balancers on that subnet.
resource "oci_core_security_list" "public_subnet_sl" {
  compartment_id = var.compartment_id
  vcn_id         = var.vcn_id

  display_name = "k8s-public-subnet-sl"

  # Outbound: any protocol to any destination.
  egress_security_rules {
    stateless        = false
    destination      = "0.0.0.0/0"
    destination_type = "CIDR_BLOCK"
    protocol         = "all"
  }

  # Inbound: any protocol from inside the VCN.
  ingress_security_rules {
    stateless   = false
    source      = "10.0.0.0/16"
    source_type = "CIDR_BLOCK"
    protocol    = "all"
  }

  # Inbound: TCP (protocol "6") port 6443 from any address.
  # NOTE(review): together with the public endpoint in cluster/k8s.tf this
  # looks like it makes the Kubernetes API reachable from the whole internet.
  # If that is not required, narrow `source` to the operator/CI address
  # ranges. Confirm before changing.
  ingress_security_rules {
    stateless   = false
    source      = "0.0.0.0/0"
    source_type = "CIDR_BLOCK"
    protocol    = "6"
    tcp_options {
      min = 6443
      max = 6443
    }
  }

  # Inbound: TCP 80 from any address (matches the default listener_port_http).
  ingress_security_rules {
    protocol    = "6"
    source      = "0.0.0.0/0"
    source_type = "CIDR_BLOCK"
    stateless   = false
    tcp_options {
      max = 80
      min = 80
    }
  }

  # Inbound: TCP 443 from any address (matches the default listener_port_https).
  ingress_security_rules {
    protocol    = "6"
    source      = "0.0.0.0/0"
    source_type = "CIDR_BLOCK"
    stateless   = false
    tcp_options {
      max = 443
      min = 443
    }
  }
}

# Private subnet: routed through var.nat_route_id and governed by
# private_subnet_sl above.
resource "oci_core_subnet" "vcn_private_subnet" {
  compartment_id = var.compartment_id
  vcn_id         = var.vcn_id
  cidr_block     = "10.0.1.0/24"

  route_table_id    = var.nat_route_id
  security_list_ids = [oci_core_security_list.private_subnet_sl.id]
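display_name = "k8s-private-subnet" 88 | prohibit_public_ip_on_vnic = true 89 | } 90 | 91 | resource "oci_core_subnet" "vcn_public_subnet" { 92 | compartment_id = var.compartment_id 93 | vcn_id = var.vcn_id 94 | cidr_block = "10.0.0.0/24" 95 | 96 | route_table_id = var.ig_route_id 97 | security_list_ids = [oci_core_security_list.public_subnet_sl.id] 98 | display_name = "k8s-public-subnet" 99 | } 100 |
--------------------------------------------------------------------------------
/giropops-senhas/app.py:
--------------------------------------------------------------------------------
from flask import Flask, render_template, request, jsonify, abort
import redis
import string
import random  # no longer used for generation; kept in case other code relies on it
import secrets
import os
from prometheus_client import Counter, start_http_server, generate_latest, CONTENT_TYPE_LATEST


app = Flask(__name__)

redis_host = os.environ.get('REDIS_HOST', 'redis-service')
redis_port = 6379
# Still empty by default (no AUTH is sent), but a deployment can now supply a
# Redis password through the environment instead of editing the source.
redis_password = os.environ.get('REDIS_PASSWORD', '')

r = redis.StrictRedis(host=redis_host, port=redis_port, password=redis_password, decode_responses=True)

senha_gerada_counter = Counter('senha_gerada', 'Contador de senhas geradas')

TAMANHO_PADRAO = 8
# Upper bound for a requested password length, so one request cannot ask the
# pod to build an arbitrarily large string. The value is a reviewer-chosen
# limit; align it with the range the form offers.
TAMANHO_MAXIMO = 128


def criar_senha(tamanho, incluir_numeros, incluir_caracteres_especiais):
    """Generate a password of ``tamanho`` characters.

    The alphabet is ASCII letters, plus digits when ``incluir_numeros`` is
    truthy, plus punctuation when ``incluir_caracteres_especiais`` is truthy.

    Characters are drawn with ``secrets.choice``, which uses the operating
    system's CSPRNG. The previous ``random.choices`` call is backed by the
    Mersenne Twister, whose output is predictable and therefore unsuitable
    for passwords.
    """
    caracteres = string.ascii_letters

    if incluir_numeros:
        caracteres += string.digits

    if incluir_caracteres_especiais:
        caracteres += string.punctuation

    return ''.join(secrets.choice(caracteres) for _ in range(tamanho))


def _ler_tamanho(valor):
    """Parse a client-supplied length; abort with 400 unless it is an integer
    between 1 and TAMANHO_MAXIMO."""
    try:
        tamanho = int(valor)
    except (TypeError, ValueError):
        abort(400)
    if not 1 <= tamanho <= TAMANHO_MAXIMO:
        abort(400)
    return tamanho


@app.route('/', methods=['GET', 'POST'])
def index():
    """Render the generator page; on POST, create and store a new password first."""
    if request.method == 'POST':
        tamanho = _ler_tamanho(request.form.get('tamanho', TAMANHO_PADRAO))
        incluir_numeros = request.form.get('incluir_numeros') == 'on'
        incluir_caracteres_especiais = request.form.get('incluir_caracteres_especiais') == 'on'
        senha = criar_senha(tamanho, incluir_numeros, incluir_caracteres_especiais)

        # NOTE(review): generated passwords are stored in plaintext in the
        # Redis list "senhas" and shown again to later visitors.
        r.lpush("senhas", senha)
        senha_gerada_counter.inc()
    senhas = r.lrange("senhas", 0, 9)
    if senhas:
        senhas_geradas = [{"id": posicao + 1, "senha": senha} for posicao, senha in enumerate(senhas)]
        return render_template('index.html', senhas_geradas=senhas_geradas, senha=senhas_geradas[0]['senha'] or '')
    return render_template('index.html')


@app.route('/api/gerar-senha', methods=['POST'])
def gerar_senha_api():
    """Create a password from a JSON body and return it as ``{"senha": ...}``."""
    dados = request.get_json()
    # A JSON body that is not an object (null, list, number) used to fail with
    # an AttributeError and a 500; reject it explicitly.
    if not isinstance(dados, dict):
        abort(400)

    tamanho = _ler_tamanho(dados.get('tamanho', TAMANHO_PADRAO))
    incluir_numeros = dados.get('incluir_numeros', False)
    incluir_caracteres_especiais = dados.get('incluir_caracteres_especiais', False)

    senha = criar_senha(tamanho, incluir_numeros, incluir_caracteres_especiais)
    r.lpush("senhas", senha)
    senha_gerada_counter.inc()

    return jsonify({"senha": senha})


@app.route('/api/senhas', methods=['GET'])
def listar_senhas():
    """Return the ten most recent passwords as a JSON list of ``{"id", "senha"}``."""
    # NOTE(review): this route has no authentication in this file, so any
    # client that can reach the service can read recently generated passwords.
    senhas = r.lrange("senhas", 0, 9)

    resposta = [{"id": posicao + 1, "senha": senha} for posicao, senha in enumerate(senhas)]
    return jsonify(resposta)


@app.route('/metrics')
def metrics():
    """Expose Prometheus metrics in the exposition format."""
    # Send the exposition content type instead of Flask's default text/html.
    return generate_latest(), 200, {'Content-Type': CONTENT_TYPE_LATEST}


if __name__ == '__main__':
    import logging
    # NOTE(review): 'error.log' is a relative path; the deployments on this
    # page set readOnlyRootFilesystem: true, so confirm the working directory
    # is writable if the app is ever started this way.
    logging.basicConfig(filename='error.log', level=logging.DEBUG)
    # Starts only the Prometheus exporter on 8088; the Flask app itself is not
    # started here (presumably it is launched by the container entrypoint).
    start_http_server(8088)
--------------------------------------------------------------------------------
/.github/workflows/build.yml:
--------------------------------------------------------------------------------
1 | name: Build Docker Image 2 | on: 3 | release: 4 | types: [published] 5 | jobs: 6 | build: 7 | name: Build 8 | runs-on: ubuntu-20.04 9 | permissions: 10 | actions: read 11 | contents: read 12 | security-events: write 13 | steps: 14 | - name: Checkout code 15 | uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 16 | 17 | - name: Set up QEMU 18 | uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 19 | 20 | - name: Install Cosign 21 | uses: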
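sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb

      - name: Log in to Docker Hub
        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@1294d94f8ee362ab42b6da04c35f4cd03a0e6af7
        with:
          images: raphaelborges/linuxtips-giropops-senhas

      - name: Build and push Docker image
        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0
        id: build-and-push
        with:
          context: ./giropops-senhas
          file: ./giropops-senhas/Dockerfile
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: linux/amd64,linux/arm64

      # Scan the image this run just pushed, addressed by digest. The mutable
      # ":latest" tag used before could point at a different image than the
      # one that is signed below.
      # NOTE(review): no exit-code is set, so findings are reported but do not
      # stop the signing step. Confirm that is intended.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55
        with:
          image-ref: raphaelborges/linuxtips-giropops-senhas@${{ steps.build-and-push.outputs.digest }}
          format: 'sarif'
          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
          output: 'trivy-results.sarif'

      # NOTE(review): this is the only action in the workflow referenced by a
      # tag (@v3) rather than a full commit SHA; pin it like the others.
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'

      # Signs every tag at the pushed digest (tag@digest), so the signature is
      # bound to the image content rather than to a movable tag.
      - name: Sign image with a key
        run: |
          images=""
          for tag in ${TAGS}; do
            images+="${tag}@${DIGEST} "
          done
          cosign sign --yes --key env://COSIGN_PRIVATE_KEY $images
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
--------------------------------------------------------------------------------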
/OCI/terraform/giropops-senhas/deploy.tf: -------------------------------------------------------------------------------- 1 | # resource "null_resource" "create_kubeconfig" { 2 | # provisioner "local-exec" { 3 | # command = "oci ce cluster create-kubeconfig --cluster-id ${var.cluster_id} --file ~/.kube/config --token-version 2.0.0 --kube-endpoint PUBLIC_ENDPOINT --profile ${var.oci_profile}" 4 | # } 5 | # } 6 | 7 | # resource "kubernetes_namespace" "ingress-nginx" { 8 | # depends_on = [null_resource.create_kubeconfig] 9 | # metadata { 10 | # name = "ingress-nginx" 11 | # } 12 | # } 13 | 14 | # resource "null_resource" "ingress" { 15 | # depends_on = [kubernetes_namespace.ingress-nginx] 16 | 17 | # provisioner "local-exec" { 18 | # command = <<-EOT 19 | # helm upgrade --install ingress-nginx ingress-nginx \ 20 | # --repo https://kubernetes.github.io/ingress-nginx \ 21 | # --namespace ingress-nginx \ 22 | # --set controller.service.annotations."oci\.oraclecloud\.com/load-balancer-type"="nlb" \ 23 | # --set controller.service.annotations."oci-network-load-balancer\.oraclecloud\.com/security-list-management-mode"="All" \ 24 | # --set controller.service.type="NodePort" \ 25 | # --set controller.service.nodePorts.http=30080 \ 26 | # --set controller.service.nodePorts.https=30443 && \ 27 | # kubectl wait --namespace ingress-nginx \ 28 | # --for=condition=ready pod \ 29 | # --selector=app.kubernetes.io/component=controller \ 30 | # --timeout=90s 31 | # EOT 32 | # } 33 | # } 34 | 35 | # resource "null_resource" "install_cert_manager" { 36 | # depends_on = [ null_resource.ingress ] 37 | # provisioner "local-exec" { 38 | # command = "kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.1/cert-manager.yaml && sleep 90" 39 | # } 40 | # } 41 | 42 | # resource "kubernetes_namespace" "giropops-senhas" { 43 | # depends_on = [null_resource.install_cert_manager] 44 | # metadata { 45 | # name = "giropops-senhas" 46 | # } 47 | # } 48 | 49 | # resource 
"null_resource" "issuer" { 50 | # depends_on = [kubernetes_namespace.giropops-senhas] 51 | 52 | # provisioner "local-exec" { 53 | # command = "kubectl apply -f ../manifests/Issuers/Issuers.yaml" 54 | # } 55 | # } 56 | 57 | # resource "null_resource" "install_kube_prometheus" { 58 | # depends_on = [null_resource.issuer] 59 | 60 | # provisioner "local-exec" { 61 | # command = "git clone https://github.com/prometheus-operator/kube-prometheus.git && cd kube-prometheus && kubectl create -f manifests/setup && until kubectl get servicemonitors --all-namespaces; do date; sleep 1; echo ''; done && kubectl create -f manifests/ && cd .. && rm -rf kube-prometheus" 62 | # } 63 | # } 64 | 65 | # resource "null_resource" "install_metrics_server" { 66 | # depends_on = [null_resource.install_kube_prometheus] 67 | 68 | # provisioner "local-exec" { 69 | # command = "kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml" 70 | # } 71 | # } 72 | 73 | # resource "null_resource" "apply_manifests" { 74 | # depends_on = [null_resource.install_metrics_server] 75 | 76 | # provisioner "local-exec" { 77 | # command = "kubectl apply -f ../manifests" 78 | # } 79 | # } 80 | -------------------------------------------------------------------------------- /OCI/terraform/loadbalancer/load-balancer.tf: -------------------------------------------------------------------------------- 1 | data "oci_core_instances" "instances" { 2 | compartment_id = var.compartment_id 3 | } 4 | 5 | resource "oci_network_load_balancer_network_load_balancer" "nlb" { 6 | compartment_id = var.compartment_id 7 | display_name = "k8s-nlb" 8 | subnet_id = var.public_subnet_id 9 | 10 | is_private = false 11 | is_preserve_source_destination = false 12 | } 13 | 14 | resource "oci_network_load_balancer_backend_set" "nlb_backend_set_http" { 15 | health_checker { 16 | protocol = "TCP" 17 | } 18 | name = "k8s-backend-set-http" 19 | network_load_balancer_id = 
oci_network_load_balancer_network_load_balancer.nlb.id 20 | policy = "FIVE_TUPLE" 21 | depends_on = [oci_network_load_balancer_network_load_balancer.nlb] 22 | 23 | is_preserve_source = false 24 | } 25 | 26 | resource "oci_network_load_balancer_backend_set" "nlb_backend_set_https" { 27 | health_checker { 28 | protocol = "TCP" 29 | } 30 | name = "k8s-backend-set-https" 31 | network_load_balancer_id = oci_network_load_balancer_network_load_balancer.nlb.id 32 | policy = "FIVE_TUPLE" 33 | depends_on = [oci_network_load_balancer_network_load_balancer.nlb] 34 | 35 | is_preserve_source = false 36 | } 37 | 38 | resource "oci_network_load_balancer_backend" "nlb_backend_http" { 39 | backend_set_name = oci_network_load_balancer_backend_set.nlb_backend_set_http.name 40 | network_load_balancer_id = oci_network_load_balancer_network_load_balancer.nlb.id 41 | port = var.node_port_http 42 | depends_on = [oci_network_load_balancer_backend_set.nlb_backend_set_http] 43 | count = var.node_size 44 | target_id = data.oci_core_instances.instances.instances[count.index].id 45 | } 46 | 47 | resource "oci_network_load_balancer_backend" "nlb_backend_https" { 48 | backend_set_name = oci_network_load_balancer_backend_set.nlb_backend_set_https.name 49 | network_load_balancer_id = oci_network_load_balancer_network_load_balancer.nlb.id 50 | port = var.node_port_https 51 | depends_on = [oci_network_load_balancer_backend_set.nlb_backend_set_https] 52 | count = var.node_size 53 | target_id = data.oci_core_instances.instances.instances[count.index].id 54 | } 55 | 56 | resource "oci_network_load_balancer_listener" "nlb_listener_http" { 57 | default_backend_set_name = oci_network_load_balancer_backend_set.nlb_backend_set_http.name 58 | name = "k8s-nlb-listener_http" 59 | network_load_balancer_id = oci_network_load_balancer_network_load_balancer.nlb.id 60 | port = var.listener_port_http 61 | protocol = "TCP" 62 | depends_on = [oci_network_load_balancer_backend.nlb_backend_http] 63 | } 64 | 65 | resource 
"oci_network_load_balancer_listener" "nlb_listener_https" { 66 | default_backend_set_name = oci_network_load_balancer_backend_set.nlb_backend_set_https.name 67 | name = "k8s-nlb-listener-https" 68 | network_load_balancer_id = oci_network_load_balancer_network_load_balancer.nlb.id 69 | port = var.listener_port_https 70 | protocol = "TCP" 71 | depends_on = [oci_network_load_balancer_backend.nlb_backend_https] 72 | } -------------------------------------------------------------------------------- /OCI/manifests/service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | labels: 6 | app: giropops-senhas 7 | name: giropops-svc 8 | namespace: giropops-senhas 9 | spec: 10 | selector: 11 | app: giropops-senhas 12 | ports: 13 | - protocol: TCP 14 | port: 80 15 | targetPort: 5000 16 | name: tcp-app 17 | type: NodePort 18 | --- 19 | apiVersion: v1 20 | kind: Service 21 | metadata: 22 | labels: 23 | app: nginx 24 | name: nginx-service 25 | namespace: giropops-senhas 26 | spec: 27 | selector: 28 | app: nginx 29 | ports: 30 | - protocol: TCP 31 | port: 80 32 | targetPort: 8080 33 | name: tcp-nginx 34 | type: NodePort 35 | --- 36 | apiVersion: v1 37 | kind: Service 38 | metadata: 39 | labels: 40 | app: locust-giropops 41 | name: locust-svc 42 | namespace: giropops-senhas 43 | spec: 44 | selector: 45 | app: locust-giropops 46 | ports: 47 | - protocol: TCP 48 | port: 80 49 | targetPort: 8089 50 | name: tcp-locust 51 | type: NodePort 52 | --- 53 | apiVersion: v1 54 | kind: Service 55 | metadata: 56 | labels: 57 | app: redis 58 | name: redis-service 59 | namespace: giropops-senhas 60 | spec: 61 | selector: 62 | app: redis 63 | ports: 64 | - protocol: TCP 65 | port: 6379 66 | targetPort: 6379 67 | name: tcp-redis 68 | type: ClusterIP 69 | --- 70 | apiVersion: v1 71 | kind: Service 72 | metadata: 73 | labels: 74 | app.kubernetes.io/component: alert-router 75 | app.kubernetes.io/instance: 
main 76 | app.kubernetes.io/name: alertmanager 77 | app.kubernetes.io/part-of: kube-prometheus 78 | app.kubernetes.io/version: 0.26.0 79 | name: alertmanager-svc 80 | namespace: monitoring 81 | spec: 82 | selector: 83 | app.kubernetes.io/component: alert-router 84 | app.kubernetes.io/instance: main 85 | app.kubernetes.io/name: alertmanager 86 | app.kubernetes.io/part-of: kube-prometheus 87 | ports: 88 | - protocol: TCP 89 | port: 80 90 | targetPort: 9093 91 | name: tcp-app 92 | sessionAffinity: ClientIP 93 | type: NodePort 94 | --- 95 | apiVersion: v1 96 | kind: Service 97 | metadata: 98 | labels: 99 | app.kubernetes.io/component: grafana 100 | app.kubernetes.io/name: grafana 101 | app.kubernetes.io/part-of: kube-prometheus 102 | app.kubernetes.io/version: 10.2.3 103 | name: grafana-svc 104 | namespace: monitoring 105 | spec: 106 | selector: 107 | app.kubernetes.io/component: grafana 108 | app.kubernetes.io/name: grafana 109 | app.kubernetes.io/part-of: kube-prometheus 110 | ports: 111 | - protocol: TCP 112 | port: 80 113 | targetPort: 3000 114 | name: tcp-app 115 | type: NodePort 116 | --- 117 | apiVersion: v1 118 | kind: Service 119 | metadata: 120 | labels: 121 | app.kubernetes.io/component: prometheus 122 | app.kubernetes.io/instance: k8s 123 | app.kubernetes.io/managed-by: prometheus-operator 124 | app.kubernetes.io/name: prometheus 125 | app.kubernetes.io/part-of: kube-prometheus 126 | prometheus: k8s 127 | name: prometheus-svc 128 | namespace: monitoring 129 | spec: 130 | selector: 131 | app.kubernetes.io/component: prometheus 132 | app.kubernetes.io/instance: k8s 133 | app.kubernetes.io/managed-by: prometheus-operator 134 | app.kubernetes.io/name: prometheus 135 | app.kubernetes.io/part-of: kube-prometheus 136 | operator.prometheus.io/name: k8s 137 | ports: 138 | - protocol: TCP 139 | port: 80 140 | targetPort: 9090 141 | name: tcp-app 142 | type: NodePort 143 | -------------------------------------------------------------------------------- 
/OCI/terraform/terrafile.tf: -------------------------------------------------------------------------------- 1 | module "compartment" { 2 | source = "./compartment" 3 | compartment_name = var.compartment_name 4 | } 5 | 6 | module "vcn" { 7 | source = "oracle-terraform-modules/vcn/oci" 8 | version = "3.6.0" 9 | 10 | compartment_id = module.compartment.compartment_id 11 | region = var.region 12 | 13 | internet_gateway_route_rules = null 14 | local_peering_gateways = null 15 | nat_gateway_route_rules = null 16 | 17 | vcn_name = var.vcn_name 18 | vcn_dns_label = var.vcn_dns_label 19 | vcn_cidrs = ["10.0.0.0/16"] 20 | 21 | create_internet_gateway = true 22 | create_nat_gateway = true 23 | create_service_gateway = true 24 | } 25 | 26 | module "network" { 27 | source = "./network" 28 | compartment_id = module.compartment.compartment_id 29 | vcn_id = module.vcn.vcn_id 30 | nat_route_id = module.vcn.nat_route_id 31 | ig_route_id = module.vcn.ig_route_id 32 | } 33 | 34 | module "cluster" { 35 | source = "./cluster" 36 | compartment_id = module.compartment.compartment_id 37 | cluster_name = var.cluster_name 38 | k8s_version = var.k8s_version 39 | node_size = var.node_size 40 | shape = var.shape 41 | memory_in_gbs_per_node = var.memory_in_gbs_per_node 42 | ocpus_per_node = var.ocpus_per_node 43 | image_id = var.image_id 44 | availability_domain = var.availability_domain 45 | ssh_public_key = var.ssh_public_key 46 | public_subnet_id = module.network.public_subnet_id 47 | vcn_id = module.vcn.vcn_id 48 | vcn_private_subnet_id = module.network.vcn_private_subnet_id 49 | } 50 | 51 | module "loadbalancer" { 52 | source = "./loadbalancer" 53 | depends_on = [ module.cluster, module.network, module.compartment, module.vcn ] 54 | namespace = var.load_balancer_name_space 55 | node_pool_id = module.cluster.node_pool_id 56 | compartment_id = module.compartment.compartment_id 57 | public_subnet_id = module.network.public_subnet_id 58 | node_size = var.node_size 59 | node_port_http = 
var.node_port_http 60 | node_port_https = var.node_port_https 61 | listener_port_http = var.listener_port_http 62 | listener_port_https = var.listener_port_https 63 | } 64 | 65 | module "kubeconfig" { 66 | source = "./kubeconfig" 67 | depends_on = [ module.loadbalancer ] 68 | cluster_id = module.cluster.cluster_id 69 | oci_profile = var.oci_profile 70 | } 71 | 72 | # module "giropops-senhas" { 73 | # source = "./giropops-senhas" 74 | # depends_on = [ module.loadbalancer ] 75 | # cluster_id = module.cluster.cluster_id 76 | # oci_profile = var.oci_profile 77 | # region = var.region 78 | # } 79 | 80 | output "public_ip" { 81 | value = module.loadbalancer.load_balancer_public_ip 82 | } -------------------------------------------------------------------------------- /OCI/manifests/ingress.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: cert-manager.io/v1 3 | kind: Certificate 4 | metadata: 5 | name: giropops-cert 6 | namespace: giropops-senhas 7 | spec: 8 | secretName: giropops-tls 9 | issuerRef: 10 | name: letsencrypt-prod 11 | # name: letsencrypt-staging 12 | kind: ClusterIssuer 13 | dnsNames: 14 | - giropops.r11s.com.br 15 | - nginx.r11s.com.br 16 | - locust.r11s.com.br 17 | --- 18 | apiVersion: cert-manager.io/v1 19 | kind: Certificate 20 | metadata: 21 | name: monitoring-cert 22 | namespace: monitoring 23 | spec: 24 | secretName: monitoring-tls 25 | issuerRef: 26 | name: letsencrypt-prod 27 | # name: letsencrypt-staging 28 | kind: ClusterIssuer 29 | dnsNames: 30 | - alertmanager.r11s.com.br 31 | - grafana.r11s.com.br 32 | - prometheus.r11s.com.br 33 | --- 34 | apiVersion: networking.k8s.io/v1 35 | kind: Ingress 36 | metadata: 37 | name: giropops-senhas-ingress 38 | namespace: giropops-senhas 39 | annotations: 40 | nginx.ingress.kubernetes.io/rewrite-target: / 41 | cert-manager.io/cluster-issuer: "letsencrypt-prod" 42 | nginx.ingress.kubernetes.io/affinity: "cookie" 43 | 
nginx.ingress.kubernetes.io/session-cookie-name: "giropops-cookie" 44 | # cert-manager.io/cluster-issuer: "letsencrypt-staging" 45 | spec: 46 | ingressClassName: nginx 47 | rules: 48 | - host: giropops.r11s.com.br 49 | http: 50 | paths: 51 | - path: / 52 | pathType: Prefix 53 | backend: 54 | service: 55 | name: giropops-svc 56 | port: 57 | number: 80 58 | - host: nginx.r11s.com.br 59 | http: 60 | paths: 61 | - path: / 62 | pathType: Prefix 63 | backend: 64 | service: 65 | name: nginx-service 66 | port: 67 | number: 80 68 | - host: locust.r11s.com.br 69 | http: 70 | paths: 71 | - path: / 72 | pathType: Prefix 73 | backend: 74 | service: 75 | name: locust-svc 76 | port: 77 | number: 80 78 | tls: 79 | - hosts: 80 | - giropops.r11s.com.br 81 | - nginx.r11s.com.br 82 | - locust.r11s.com.br 83 | secretName: giropops-tls 84 | --- 85 | apiVersion: networking.k8s.io/v1 86 | kind: Ingress 87 | metadata: 88 | name: monitoring-ingress 89 | namespace: monitoring 90 | annotations: 91 | nginx.ingress.kubernetes.io/rewrite-target: / 92 | cert-manager.io/cluster-issuer: "letsencrypt-prod" 93 | # cert-manager.io/cluster-issuer: "letsencrypt-staging" 94 | spec: 95 | ingressClassName: nginx 96 | rules: 97 | - host: alertmanager.r11s.com.br 98 | http: 99 | paths: 100 | - path: / 101 | pathType: Prefix 102 | backend: 103 | service: 104 | name: alertmanager-svc 105 | port: 106 | number: 80 107 | - host: grafana.r11s.com.br 108 | http: 109 | paths: 110 | - path: / 111 | pathType: Prefix 112 | backend: 113 | service: 114 | name: grafana-svc 115 | port: 116 | number: 80 117 | - host: prometheus.r11s.com.br 118 | http: 119 | paths: 120 | - path: / 121 | pathType: Prefix 122 | backend: 123 | service: 124 | name: prometheus-svc 125 | port: 126 | number: 80 127 | tls: 128 | - hosts: 129 | - alertmanager.r11s.com.br 130 | - grafana.r11s.com.br 131 | - prometheus.r11s.com.br 132 | secretName: monitoring-tls 133 | -------------------------------------------------------------------------------- 
/giropops-senhas/templates/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | Gerador de Senhas 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 |
17 | 25 |
26 |
27 |
28 |
29 |
30 |

Gerar senha

31 |
32 |
33 |
34 | 35 | 36 | 8 37 |
38 |
39 | 40 | 41 |
42 |
43 | 44 | 45 |
46 | 50 |
51 | {% if senha %} 52 |
53 |

Senha gerada:

54 | 56 |
57 | 61 | 65 |
66 | {% endif %} 67 |
68 |
69 |
70 |
71 |
72 |
73 |

74 | Últimas senhas criadas 75 |

76 |
77 | 82 | {% include 'lista_senhas.html' %} 83 |
84 |
85 | 88 | 89 | 90 | 91 | 92 | -------------------------------------------------------------------------------- /OCI/manifests/deployment.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | labels: 6 | app: giropops-senhas 7 | name: giropops-deployment 8 | namespace: giropops-senhas 9 | spec: 10 | strategy: 11 | type: RollingUpdate 12 | rollingUpdate: 13 | maxSurge: 1 14 | maxUnavailable: 1 15 | selector: 16 | matchLabels: 17 | app: giropops-senhas 18 | template: 19 | metadata: 20 | labels: 21 | app: giropops-senhas 22 | spec: 23 | containers: 24 | - image: raphaelborges/linuxtips-giropops-senhas:latest@sha256:3a95857af1cd706a4a909ee22b399406f811f631adfb60abf81be1872c9a7354 25 | name: giropops-senhas 26 | ports: 27 | - containerPort: 5000 28 | resources: 29 | limits: 30 | cpu: '0.1' 31 | memory: 256Mi 32 | requests: 33 | cpu: '0.1' 34 | memory: 256Mi 35 | imagePullPolicy: Always 36 | env: 37 | - name: REDIS_HOST 38 | value: redis-service 39 | securityContext: 40 | readOnlyRootFilesystem: true 41 | runAsNonRoot: true 42 | # runAsUser: 1000 43 | livenessProbe: 44 | httpGet: 45 | path: / 46 | port: 5000 47 | initialDelaySeconds: 5 48 | periodSeconds: 5 49 | timeoutSeconds: 5 50 | failureThreshold: 3 51 | successThreshold: 1 52 | readinessProbe: 53 | httpGet: 54 | path: / 55 | port: 5000 56 | initialDelaySeconds: 5 57 | periodSeconds: 5 58 | timeoutSeconds: 5 59 | failureThreshold: 3 60 | successThreshold: 1 61 | --- 62 | apiVersion: apps/v1 63 | kind: Deployment 64 | metadata: 65 | labels: 66 | app: locust-giropops 67 | name: locust-giropops 68 | namespace: giropops-senhas 69 | spec: 70 | replicas: 1 71 | selector: 72 | matchLabels: 73 | app: locust-giropops 74 | template: 75 | metadata: 76 | labels: 77 | app: locust-giropops 78 | spec: 79 | containers: 80 | - image: raphaelborges/locust-giropops:1.3-rc1 81 | name: locust-giropops 82 | env: 83 | - name: 
LOCUST_LOCUSTFILE 84 | value: "/usr/src/app/scripts/locustfile.py" 85 | resources: 86 | limits: 87 | cpu: '0.3' 88 | memory: 2Gi 89 | requests: 90 | cpu: '0.3' 91 | memory: 2Gi 92 | securityContext: 93 | readOnlyRootFilesystem: true 94 | runAsNonRoot: true 95 | runAsUser: 1000 96 | ports: 97 | - containerPort: 8089 98 | imagePullPolicy: Always 99 | volumeMounts: 100 | - name: locust-scripts 101 | mountPath: /usr/src/app/scripts 102 | volumes: 103 | - name: locust-scripts 104 | configMap: 105 | name: locust-scripts 106 | optional: true 107 | --- 108 | apiVersion: apps/v1 109 | kind: Deployment 110 | metadata: 111 | labels: 112 | app: nginx 113 | name: nginx-deployment 114 | namespace: giropops-senhas 115 | spec: 116 | replicas: 1 117 | selector: 118 | matchLabels: 119 | app: nginx 120 | template: 121 | metadata: 122 | labels: 123 | app: nginx 124 | spec: 125 | containers: 126 | - image: nginx:1.14.2 127 | name: nginx 128 | resources: 129 | limits: 130 | cpu: '0.1' 131 | memory: 128Mi 132 | requests: 133 | cpu: '0.1' 134 | memory: 128Mi 135 | ports: 136 | - containerPort: 8080 137 | volumeMounts: 138 | - name: nginx-config 139 | mountPath: /etc/nginx/nginx.conf 140 | subPath: nginx.conf 141 | volumes: 142 | - name: nginx-config 143 | configMap: 144 | name: nginx-config 145 | --- 146 | apiVersion: apps/v1 147 | kind: Deployment 148 | metadata: 149 | labels: 150 | app: redis 151 | name: redis 152 | namespace: giropops-senhas 153 | spec: 154 | replicas: 1 155 | selector: 156 | matchLabels: 157 | app: redis 158 | template: 159 | metadata: 160 | labels: 161 | app: redis 162 | spec: 163 | containers: 164 | - image: cgr.dev/chainguard/redis:latest@sha256:5c5193e437be1cb5af4f853c814878a83553d95e55421ae5e7227eb58ea7a26a 165 | name: redis 166 | ports: 167 | - containerPort: 6379 168 | imagePullPolicy: Always 169 | resources: 170 | limits: 171 | cpu: "0.1" 172 | memory: 128Mi 173 | requests: 174 | cpu: "0.1" 175 | memory: 128Mi 176 | # securityContext: 177 | # 
readOnlyRootFilesystem: true 178 | # runAsNonRoot: true 179 | # runAsUser: 1000 180 | -------------------------------------------------------------------------------- /kind/README.md: -------------------------------------------------------------------------------- 1 | ## Configuração do Cluster 2 | 3 | ### Criando o Cluster 4 | 5 | 1. Crie o cluster utilizando o [Kind](https://kind.sigs.k8s.io/docs/user/quick-start/) 6 | 7 | ```bash 8 | kind create cluster --name pick --config manifests/kind/kind-ingress-cluster.yaml 9 | ``` 10 | 11 | 2. Instalando o [Ingress NGINX Controller no Kind](https://kind.sigs.k8s.io/docs/user/ingress/#ingress-nginx) 12 | 13 | ```bash 14 | kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml 15 | ``` 16 | 17 | Aguarde a instalação do Ingress NGINX Controller: 18 | 19 | ```bash 20 | kubectl wait --namespace ingress-nginx \ 21 | --for=condition=ready pod \ 22 | --selector=app.kubernetes.io/component=controller \ 23 | --timeout=90s 24 | ``` 25 | 26 | 3. Instalando o Cert-Manager 27 | 28 | ```bash 29 | kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.3/cert-manager.yaml 30 | ``` 31 | 32 | 4. Instale o yamllint e verifique se os manifestos estão corretos 33 | 34 | ```bash 35 | sudo apt-get install yamllint 36 | yamllint manifests/ && echo "No errors found in the YAML file." 37 | ``` 38 | 39 | ![Yamllint](static/yamllint.png) 40 | 41 | 4. Crie o Issuer de staging e o ClusterIssuer de produção 42 | 43 | ```bash 44 | kubectl apply -f manifests/namespace.yaml 45 | kubectl apply -f manifests/Issuers/staging_issuer.yaml 46 | kubectl apply -f manifests/Issuers/production_issuer.yaml 47 | ``` 48 | 49 | 5. 
Instale o [kube-prometheus](https://prometheus-operator.dev/docs/prologue/quick-start/) 50 | 51 | ```bash 52 | git clone https://github.com/prometheus-operator/kube-prometheus.git 53 | cd kube-prometheus 54 | kubectl create -f manifests/setup 55 | until kubectl get servicemonitors --all-namespaces ; do date; sleep 1; echo ""; done 56 | kubectl create -f manifests/ 57 | cd .. 58 | rm -rf kube-prometheus 59 | ``` 60 | 61 | 6. Instale o [Cosign](https://github.com/sigstore/cosign). Antes de mover o binário para `/usr/local/bin`, confira o checksum dele com o arquivo de checksums publicado na mesma release. 62 | 63 | ```bash 64 | curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64" 65 | sudo mv cosign-linux-amd64 /usr/local/bin/cosign 66 | sudo chmod +x /usr/local/bin/cosign 67 | ``` 68 | 69 | 7. Utilize a chave pública disponível no arquivo `key-pair/cosign.pub` para verificar a imagem no Docker Hub 70 | 71 | ```bash 72 | cosign verify --key key-pair/cosign.pub raphaelborges/linuxtips-giropops-senhas:{ultima-versao} 73 | ``` 74 | 75 | 8. Instale o Metrics Server 76 | 77 | ```bash 78 | kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml 79 | ``` 80 | 81 | Como estamos utilizando o Kind, precisamos aplicar um patch para que o Metrics Server funcione corretamente. Faremos isso utilizando o kustomize. 82 | 83 | ```bash 84 | curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash 85 | sudo mv kustomize /usr/local/bin 86 | kustomize build manifests/kind/ | kubectl apply -f - 87 | ``` 88 | 89 | 9. Aplique os manifestos presentes na pasta `manifests` 90 | 91 | ```bash 92 | kubectl apply -f manifests/ 93 | ``` 94 | 95 | 10. Instale o [Zora Dashboard](#implementando-o-zora-dashboard) 96 | 97 | 11. 
Para que nossos serviços funcionem localmente, precisamos adicionar algumas entradas no arquivo `/etc/hosts` 98 | 99 | ```bash 100 | vim /etc/hosts 101 | ``` 102 | 103 | Adicione as seguintes linhas: 104 | 105 | ```bash 106 | 127.0.0.1 prometheus.giropops.local 107 | 127.0.0.1 grafana.giropops.local 108 | 127.0.0.1 alertmanager.giropops.local 109 | 127.0.0.1 giropops.com.local 110 | ``` 111 | 112 | 12. Acesse cada um dos serviços através dos links abaixo: 113 | 114 | - [Giropops](https://giropops.com.local) 115 | - [Prometheus](https://prometheus.giropops.local) 116 | - [Grafana](https://grafana.giropops.local) 117 | - [Alertmanager](https://alertmanager.giropops.local) 118 | - [Locust](https://locust.giropops.local) 119 | 120 | 13. Testando a aplicação e o HPA 121 | 122 | Acesse o serviço do [Locust](https://locust.giropops.local) e execute o teste de carga. Após alguns minutos, o HPA irá aumentar o número de réplicas do serviço de Senhas. Como estamos utilizando o Kind e o nosso service type é ClusterIP, precisamos acessar o serviço através do IP do cluster. Para isso, execute o comando abaixo: 123 | 124 | ```bash 125 | kubectl get svc -n giropops-senhas 126 | ``` 127 | 128 | Copie o IP do serviço `giropops-svc` e execute o teste no Locust utilizando este IP na porta `5000`. 129 | 130 | ``` 131 | http://{IP_DO_SERVICO}:5000 132 | ``` 133 | 134 | ## Implementando o Zora Dashboard 135 | 136 | 1. Crie sua conta no site do [Zora](https://zora-dashboard.undistro.io/) 137 | 138 | 2. Instale o [Helm](https://helm.sh/docs/intro/install/) 139 | 140 | 3. 
Copie o comando de instalação do Zora Dashboard, já com o Workspace ID, direto da aba 'Connect Cluster' do site do Zora Dashboard. O `saas.workspaceID` mostrado abaixo é apenas o do exemplo; use o valor exibido na sua conta, para que os dados do cluster sejam enviados ao seu próprio workspace. 141 | 142 | ```bash 143 | helm repo add undistro https://charts.undistro.io --force-update 144 | helm repo update undistro 145 | helm upgrade --install zora undistro/zora \ 146 | -n zora-system \ 147 | --version 0.7.0 \ 148 | --create-namespace \ 149 | --wait \ 150 | --set clusterName="$(kubectl config current-context)" \ 151 | --set saas.workspaceID='ef1dd987-cf77-49b5-b2bb-f0419b1ecb4e' 152 | ``` 153 | 154 | 4. Após a instalação você pode monitorar o seu cluster através do site do [Zora](https://zora-dashboard.undistro.io/) 155 | 156 | TODO: 157 | 158 | - [ ] Implementar Terraform para facilitar a utilização 159 | - [ ] Adicionar mais detalhes do projeto no Readme 160 | - [ ] Diretrizes para contribuições 161 | - [ ] Revisar o upload do resultado do Trivy para a aba Security 162 | - [x] Assinatura e validação da Image com Cosign direto na Automação com GitHub Actions 163 | - [ ] Testes de performance 164 | - [ ] Trabalhar na parte de monitoramento 165 | - [ ] Corrigir o erro 'line too long' 166 | - [x] Nova versão do Giropops-Senhas via GitHub Actions 167 | - [ ] Buscar uma forma de utilizar `securityContext` no Redis -------------------------------------------------------------------------------- /OCI/README.md: -------------------------------------------------------------------------------- 1 | # Deploy do Cluster Kubernetes na Oracle Cloud Infrastructure 2 | 3 | 1. Crie uma `API key` 4 | 5 | - Entre no seu perfil, acesse a aba [API Keys](https://cloud.oracle.com/identity/domains/my-profile/api-keys) e clique em `Add API Key`. 6 | 7 | 2. Selecione `Generate API key pair`, faça o download da chave privada. Em seguida, clique em `Add`. 8 | 9 | 3. Após o download, mova a chave para o diretório `~/.oci/` e renomeie para `oci_api_key.pem`. 10 | 11 | ``` 12 | mv ~/Downloads/<nome-da-chave>.pem ~/.oci/oci_api_key.pem 13 | ``` 14 | 15 | 4. 
Corrija as permissões da chave privada: 16 | 17 | ``` 18 | oci setup repair-file-permissions --file ~/.oci/oci_api_key.pem 19 | ``` 20 | 21 | 5. Copie o texto que apareceu na página de criação da `API KEY` para o arquivo `~/.oci/config`. Não se esqueça de substituir o valor do campo `key_file` pelo caminho da chave privada `~/.oci/oci_api_key.pem`, conforme exemplo abaixo. 22 | 23 | ``` 24 | vim ~/.oci/config 25 | ``` 26 | 27 | Você pode personalizar o nome do profile alterando o valor [DEFAULT] para o nome desejado. (Leia o passo 3 antes de alterar o nome do profile) 28 | 29 | ``` 30 | [DEFAULT] 31 | user=ocid1.user.oc1..xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 32 | fingerprint=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 33 | tenancy=ocid1.tenancy.oc1..xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 34 | region=xxxxxxxx 35 | key_file=~/.oci/oci_api_key.pem 36 | ``` 37 | 38 | 6. Crie a chave `ssh`. 39 | 40 | ```bash 41 | ssh-keygen -t rsa -b 4096 -f ssh/id_rsa 42 | ``` 43 | 44 | 7. Adicione os valores ao arquivo `env.sh`, para exportar todas as variáveis necessárias para a autenticação do terraform. A pasta `ssh/` guarda a chave privada, que é exportada em `TF_VAR_ssh_private_key`; mantenha `ssh/` e `env.sh` fora do controle de versão. 45 | 46 | ``` 47 | export TF_VAR_tenancy_ocid= 48 | export TF_VAR_user_ocid= 49 | export TF_VAR_fingerprint= 50 | export TF_VAR_private_key_path=~/.oci/oci_api_key.pem 51 | export TF_VAR_ssh_public_key=$(cat ssh/id_rsa.pub) 52 | export TF_VAR_ssh_private_key=$(cat ssh/id_rsa) 53 | # Optional if you want to use a different profile name change the value below 54 | export TF_VAR_oci_profile="DEFAULT" 55 | ``` 56 | 57 | Agora rode o script para exportar as variáveis: 58 | 59 | ``` 60 | source env.sh 61 | ``` 62 | 63 | 3. Aplicar os arquivos na pasta `terraform`. 64 | 65 | ```bash 66 | tofu init 67 | tofu apply 68 | ``` 69 | 70 | * Caso você tenha utilizado um profile diferente de `DEFAULT`, basta adicionar o profile no arquivo `~/.kube/config`. 
71 | 72 | ``` 73 | vim ~/.kube/config 74 | ``` 75 | 76 | ``` 77 | # conteúdo anterior 78 | users: 79 | - name: 80 | user: 81 | exec: 82 | apiVersion: client.authentication.k8s.io/v1beta1 83 | command: oci 84 | args: 85 | - ce 86 | - cluster 87 | - generate-token 88 | - --cluster-id 89 | - 90 | - --region 91 | - sa-saopaulo-1 92 | - --profile # ADICIONE ESSA LINHA 93 | - # ADICIONE ESSA LINHA 94 | 95 | ``` 96 | 97 | 4. Acesse o cluster: 98 | 99 | ```bash 100 | kubectl get nodes 101 | ``` 102 | 103 | # Deploy da aplicação 104 | 105 | 1. Criando os namespaces: 106 | 107 | ```bash 108 | kubectl apply -f manifests/namespace.yaml 109 | ``` 110 | 111 | 2. Instalando o Ingress Nginx Controller: 112 | 113 | ```bash 114 | helm upgrade --install ingress-nginx ingress-nginx \ 115 | --repo https://kubernetes.github.io/ingress-nginx \ 116 | --namespace ingress-nginx \ 117 | --set controller.service.annotations."oci\.oraclecloud\.com/load-balancer-type"="nlb" \ 118 | --set controller.service.annotations."oci-network-load-balancer\.oraclecloud\.com/security-list-management-mode"="All" \ 119 | --set controller.service.type="NodePort" \ 120 | --set controller.service.nodePorts.http=30080 \ 121 | --set controller.service.nodePorts.https=30443 122 | ``` 123 | 124 | Utilize o comando abaixo para garantir que o Ingress Nginx Controller foi instalado corretamente antes de prosseguir. 125 | 126 | ```bash 127 | kubectl wait --namespace ingress-nginx \ 128 | --for=condition=ready pod \ 129 | --selector=app.kubernetes.io/component=controller \ 130 | --timeout=90s 131 | ``` 132 | 133 | 3. Instale o Cert-Manager: 134 | 135 | ```bash 136 | kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.1/cert-manager.yaml 137 | ``` 138 | 139 | 4. Agora vamos criar a `Issuer` e a `ClusterIssuer` que serão utilizadas para gerar os certificados SSL. 140 | 141 | ```bash 142 | kubectl apply -f manifests/Issuers/Issuers.yaml 143 | ``` 144 | 145 | 5. 
Instale o Prometheus, Grafana, AlertManager utilizando o kube-prometheus: 146 | 147 | ```bash 148 | git clone https://github.com/prometheus-operator/kube-prometheus.git && cd kube-prometheus && kubectl create -f manifests/setup && until kubectl get servicemonitors --all-namespaces; do date; sleep 1; echo ''; done && kubectl create -f manifests/ && cd .. && rm -rf kube-prometheus 149 | ``` 150 | 151 | 6. Instale o Metrics Server que será utilizado pelo HPA (Horizontal Pod Autoscaler): 152 | 153 | ```bash 154 | kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml 155 | ``` 156 | 157 | 7. Com o ambiente pronto, podemos fazer o deploy das aplicações: 158 | 159 | ```bash 160 | kubectl apply -f manifests/ 161 | ``` 162 | 163 | 8. Após o deploy, precisamos configurar o nosso domínio para apontar para o IP do NLB (Network Load Balancer). Você pode encontrar o IP do NLB no console da Oracle Cloud Infrastructure ou executando o comando abaixo `tofu output` no diretório `terraform`. 164 | 165 | ```bash 166 | tofu output 167 | ``` 168 | 169 | 9. Com o IP do NLB em mãos, crie um registro A no seu domínio apontando para o IP do NLB. 170 | 171 | 10. Podemos acessar cada uma das aplicações através dos endereços abaixo: 172 | 173 | ```bash 174 | https://giropops.r11s.com.br # Aplicação principal 175 | https://locust.r11s.com.br # Locust 176 | https://prometheus.r11s.com.br # Prometheus 177 | https://grafana.r11s.com.br # Grafana 178 | https://alertmanager.r11s.com.br # AlertManager 179 | ``` 180 | 181 | # Removendo os recursos 182 | 183 | Para remover a aplicação: 184 | 185 | ```bash 186 | kubectl delete -f manifests/ && kubectl delete -f manifests/Issuers/ 187 | git clone https://github.com/prometheus-operator/kube-prometheus.git && cd kube-prometheus && kubectl delete -f manifests/ && kubectl delete -f manifests/setup 188 | cd .. 
&& rm -rf kube-prometheus 189 | kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.1/cert-manager.yaml 190 | kubectl delete -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml 191 | kubectl delete secrets letsencrypt-staging letsencrypt-prod 192 | ``` 193 | 194 | Removendo o Ingress Nginx Controller: 195 | 196 | ```bash 197 | helm uninstall ingress-nginx -n ingress-nginx 198 | ``` 199 | 200 | Para remover o cluster e todos os recursos criados: 201 | 202 | ```bash 203 | tofu destroy 204 | ``` -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Projeto Prático Programa Intensivo em Containers e Kubernetes - Desenvolvimento e Otimização Segura de Aplicações Kubernetes 2 | 3 | O objetivo deste projeto é criar e implementar uma aplicação em Kubernetes, utilizando as melhores práticas de segurança e otimização. 4 | 5 | Este projeto utiliza como base a aplicação [Giropops-Senhas](https://github.com/badtuxx/giropops-senhas). 
6 | 7 | ## Tecnologias utilizadas 8 | 9 | - [Docker](https://docs.docker.com/get-docker/) 10 | - [Kubernetes](https://kubernetes.io/docs/home/) 11 | - [Helm](https://helm.sh/docs/intro/install/) 12 | - [Prometheus](https://prometheus.io/docs/prometheus/latest/installation/) 13 | - [Grafana](https://grafana.com/docs/grafana/latest/installation/) 14 | - [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) 15 | - [Cert-Manager](https://cert-manager.io/docs/installation/kubernetes/) 16 | - [Ingress NGINX Controller](https://kubernetes.github.io/ingress-nginx/deploy/) 17 | - [Kyverno](https://kyverno.io/) 18 | - [Cosign](https://github.com/sigstore/cosign) 19 | - [Trivy](https://aquasecurity.github.io/trivy/v0.47/getting-started/installation/) 20 | - [yamllint](https://yamllint.readthedocs.io/en/stable/index.html) 21 | - [Digestabot](https://github.com/chainguard-dev/digestabot) 22 | - [Zora Dashboard](https://zora-dashboard.undistro.io/) 23 | - [Locust](https://locust.io/) 24 | - [Terraform](https://www.terraform.io) 25 | - [OpenTofu](https://opentofu.org/) 26 | - [OCI](https://www.oracle.com/br/cloud/) 27 | - [Kind](https://kind.sigs.k8s.io/docs/user/quick-start/) 28 | 29 | 30 | 31 | ## Imagem Docker 32 | 33 | ![Trivy](static/trivy.png) 34 | 35 | A aplicação foi construída utilizando como base as imagens [Python da Chainguard](https://edu.chainguard.dev/chainguard/chainguard-images/reference/python/), que já possuem as melhores práticas de segurança implementadas. Utilizando a técnica de [multi-stage build](https://docs.docker.com/develop/develop-images/multistage-build/) para reduzir o tamanho final e principalmente aumentar a segurança. 36 | 37 | Você pode buildar a imagem localmente utilizando os arquivos na pasta 'giropops-senhas' com o comando: 38 | 39 | ```bash 40 | docker build -t <seu-usuario>/linuxtips-giropops-senhas:{versao} . 
41 | ``` 42 | 43 | E rodar testes de segurança utilizando o [Trivy](https://aquasecurity.github.io/trivy/v0.47/getting-started/installation/) 44 | 45 | ```bash 46 | curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.47.0 47 | trivy image <seu-usuario>/linuxtips-giropops-senhas:{versao} 48 | ``` 49 | 50 | Ou utilizar a imagem disponível no [Docker Hub](https://hub.docker.com/repository/docker/raphaelborges/linuxtips-giropops-senhas/), que acompanha a versão mais recente e é publicada sem vulnerabilidades conhecidas pelo Trivy no momento do build, já que a imagem é buildada automaticamente sempre que houver qualquer alteração, utilizando o [Digestabot](https://github.com/chainguard-dev/digestabot) para manter a imagem base sempre atualizada, o [Trivy](https://trivy.dev/) para verificar se a imagem possui alguma vulnerabilidade e o [Cosign](https://docs.sigstore.dev/) para assinar a imagem, o que permite conferir com `cosign verify` que ela não foi alterada. 51 | 52 | * Caso tenha interesse em conhecer mais sobre o Digestabot, você pode ler o meu artigo [Você já conhece o Digestabot?](https://dev.to/raphaborges/voce-ja-conhece-o-digestabot-787). 53 | 54 | ## Kubernetes - Técnicas Aplicadas 55 | 56 | Como o objetivo deste projeto é aplicar as melhores práticas de segurança e otimização, foram utilizadas as seguintes técnicas: 57 | 58 | - [x] [Secrets](https://kubernetes.io/docs/concepts/configuration/secret/) para armazenar as variáveis de ambiente?? 
59 | - [x] [Limites de Recursos](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) para limitar o uso de CPU e Memória 60 | - [x] [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) para limitar o acesso à aplicação 61 | - [x] [Pod Security Policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) para limitar o acesso à aplicação (a API PodSecurityPolicy foi removida no Kubernetes v1.25; em clusters atuais o controle equivalente é feito com Pod Security Admission ou com políticas do Kyverno) 62 | - [x] [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) para limitar o acesso à aplicação 63 | - [x] [Service Account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) para limitar o acesso à aplicação 64 | - [x] [Pod Disruption Budget](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) para garantir que sempre haverá pelo menos um pod rodando ?? 65 | - [x] [Horizontal Pod Autoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) para escalar a aplicação horizontalmente 66 | - [x] [Pod Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) para garantir que os pods rodem no mesmo node 67 | - [x] [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) para armazenar as configurações da aplicação 68 | - [x] [Pod Monitor](https://docs.openshift.com/container-platform/4.14/rest_api/monitoring_apis/podmonitor-monitoring-coreos-com-v1.html) Para definir as métricas de monitoramento 69 | - [x] [Strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) para garantir que a aplicação seja atualizada sem downtime 70 | - [x] [Image Pull Policy](https://kubernetes.io/docs/concepts/containers/images/#updating-images) para garantir que a aplicação utilize sempre a imagem mais recente 71 | - [x] [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) para definir o usuário e grupo que a aplicação irá rodar 72 | - [x] 
[Probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) para verificar se a aplicação está saudável 73 | - [x] [Policy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) para garantir que a aplicação utilize sempre a imagem mais recente 74 | 75 | ## Kubernetes - Arquitetura 76 | 77 | A aplicação foi dividida nos seguintes componentes: 78 | 79 | - [x] [giropops-senhas](giropops-senhas/deployment.yaml) - Responsável por gerar as senhas 80 | - [x] [redis](redis/deployment.yaml) - Responsável por armazenar as senhas 81 | - [x] [locust](locust/deployment.yaml) - Responsável por gerar testes de carga na aplicação 82 | - [x] [ingress-nginx](ingress-nginx/deployment.yaml) - Responsável por gerar o ingress da aplicação 83 | - [x] [kube-prometheus](kube-prometheus/deployment.yaml) - Responsável por gerar o dashboard de monitoramento 84 | - [x] [metrics-server](metrics-server/deployment.yaml) - Responsável por gerar métricas de monitoramento 85 | - [x] [zora-dashboard](zora-dashboard/deployment.yaml) - Responsável por gerar um dashboard de vulnerabilidades 86 | 87 | ## Deploy 88 | 89 | O deploy da aplicação pode ser feito de forma local, utilizando o [Kind](https://kind.sigs.k8s.io/docs/user/quick-start/), ou em um cluster na [Oracle Cloud](https://www.oracle.com/br/cloud/) utilizando outro projeto que desenvolvi como base, o [OKE-FREE](https://github.com/rapha-Borges/oke-free) 90 | 91 | - Local - [Kind](kind/README.md) 92 | - OCI - [Oracle Cloud](OCI/README.md) 93 | 94 | ## Desenvolvido por [@Raphael Borges](https://r11s.com.br/) -------------------------------------------------------------------------------- /giropops-senhas/static/css/output.css: -------------------------------------------------------------------------------- 1 | /* styles.css */ 2 | 3 | /* ! tailwindcss v3.2.7 | MIT License | https://tailwindcss.com */ 4 | 5 | /* 6 | 1. Prevent padding and border from affecting element width. 
(https://github.com/mozdevs/cssremedy/issues/4) 7 | 2. Allow adding a border to an element by just adding a border-width. (https://github.com/tailwindcss/tailwindcss/pull/116) 8 | */ 9 | 10 | *, 11 | ::before, 12 | ::after { 13 | box-sizing: border-box; 14 | /* 1 */ 15 | border-width: 0; 16 | /* 2 */ 17 | border-style: solid; 18 | /* 2 */ 19 | border-color: #e5e7eb; 20 | /* 2 */ 21 | } 22 | 23 | ::before, 24 | ::after { 25 | --tw-content: ''; 26 | } 27 | 28 | /* 29 | 1. Use a consistent sensible line-height in all browsers. 30 | 2. Prevent adjustments of font size after orientation changes in iOS. 31 | 3. Use a more readable tab size. 32 | 4. Use the user's configured `sans` font-family by default. 33 | 5. Use the user's configured `sans` font-feature-settings by default. 34 | */ 35 | 36 | html { 37 | line-height: 1.5; 38 | /* 1 */ 39 | -webkit-text-size-adjust: 100%; 40 | /* 2 */ 41 | -moz-tab-size: 4; 42 | /* 3 */ 43 | -o-tab-size: 4; 44 | tab-size: 4; 45 | /* 3 */ 46 | font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji"; 47 | /* 4 */ 48 | font-feature-settings: normal; 49 | /* 5 */ 50 | } 51 | 52 | /* 53 | 1. Remove the margin in all browsers. 54 | 2. Inherit line-height from `html` so users can set them as a class directly on the `html` element. 55 | */ 56 | 57 | body { 58 | margin: 0; 59 | /* 1 */ 60 | line-height: inherit; 61 | /* 2 */ 62 | } 63 | 64 | /* 65 | 1. Add the correct height in Firefox. 66 | 2. Correct the inheritance of border color in Firefox. (https://bugzilla.mozilla.org/show_bug.cgi?id=190655) 67 | 3. Ensure horizontal rules are visible by default. 68 | */ 69 | 70 | hr { 71 | height: 0; 72 | /* 1 */ 73 | color: inherit; 74 | /* 2 */ 75 | border-top-width: 1px; 76 | /* 3 */ 77 | } 78 | 79 | /* 80 | Add the correct text decoration in Chrome, Edge, and Safari. 
81 | */ 82 | 83 | abbr:where([title]) { 84 | -webkit-text-decoration: underline dotted; 85 | text-decoration: underline dotted; 86 | } 87 | 88 | /* 89 | Remove the default font size and weight for headings. 90 | */ 91 | 92 | h1, 93 | h2, 94 | h3, 95 | h4, 96 | h5, 97 | h6 { 98 | font-size: inherit; 99 | font-weight: inherit; 100 | } 101 | 102 | /* 103 | Reset links to optimize for opt-in styling instead of opt-out. 104 | */ 105 | 106 | a { 107 | color: inherit; 108 | text-decoration: inherit; 109 | } 110 | 111 | /* 112 | Add the correct font weight in Edge and Safari. 113 | */ 114 | 115 | b, 116 | strong { 117 | font-weight: bolder; 118 | } 119 | 120 | /* 121 | 1. Use the user's configured `mono` font family by default. 122 | 2. Correct the odd `em` font sizing in all browsers. 123 | */ 124 | 125 | code, 126 | kbd, 127 | samp, 128 | pre { 129 | font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", monospace; 130 | /* 1 */ 131 | font-size: 1em; 132 | /* 2 */ 133 | } 134 | 135 | /* 136 | Add the correct font size in all browsers. 137 | */ 138 | 139 | small { 140 | font-size: 80%; 141 | } 142 | 143 | /* 144 | Prevent `sub` and `sup` elements from affecting the line height in all browsers. 145 | */ 146 | 147 | sub, 148 | sup { 149 | font-size: 75%; 150 | line-height: 0; 151 | position: relative; 152 | vertical-align: baseline; 153 | } 154 | 155 | sub { 156 | bottom: -0.25em; 157 | } 158 | 159 | sup { 160 | top: -0.5em; 161 | } 162 | 163 | /* 164 | 1. Remove text indentation from table contents in Chrome and Safari. (https://bugs.chromium.org/p/chromium/issues/detail?id=999088, https://bugs.webkit.org/show_bug.cgi?id=201297) 165 | 2. Correct table border color inheritance in all Chrome and Safari. (https://bugs.chromium.org/p/chromium/issues/detail?id=935729, https://bugs.webkit.org/show_bug.cgi?id=195016) 166 | 3. Remove gaps between table borders by default. 
167 | */ 168 | 169 | table { 170 | text-indent: 0; 171 | /* 1 */ 172 | border-color: inherit; 173 | /* 2 */ 174 | border-collapse: collapse; 175 | /* 3 */ 176 | } 177 | 178 | /* 179 | 1. Change the font styles in all browsers. 180 | 2. Remove the margin in Firefox and Safari. 181 | 3. Remove default padding in all browsers. 182 | */ 183 | 184 | button, 185 | input, 186 | optgroup, 187 | select, 188 | textarea { 189 | font-family: inherit; 190 | /* 1 */ 191 | font-size: 100%; 192 | /* 1 */ 193 | font-weight: inherit; 194 | /* 1 */ 195 | line-height: inherit; 196 | /* 1 */ 197 | color: inherit; 198 | /* 1 */ 199 | margin: 0; 200 | /* 2 */ 201 | padding: 0; 202 | /* 3 */ 203 | } 204 | 205 | /* 206 | Remove the inheritance of text transform in Edge and Firefox. 207 | */ 208 | 209 | button, 210 | select { 211 | text-transform: none; 212 | } 213 | 214 | /* 215 | 1. Correct the inability to style clickable types in iOS and Safari. 216 | 2. Remove default button styles. 217 | */ 218 | 219 | button, 220 | [type='button'], 221 | [type='reset'], 222 | [type='submit'] { 223 | -webkit-appearance: button; 224 | /* 1 */ 225 | background-color: transparent; 226 | /* 2 */ 227 | background-image: none; 228 | /* 2 */ 229 | } 230 | 231 | /* 232 | Use the modern Firefox focus style for all focusable elements. 233 | */ 234 | 235 | :-moz-focusring { 236 | outline: auto; 237 | } 238 | 239 | /* 240 | Remove the additional `:invalid` styles in Firefox. (https://github.com/mozilla/gecko-dev/blob/2f9eacd9d3d995c937b4251a5557d95d494c9be1/layout/style/res/forms.css#L728-L737) 241 | */ 242 | 243 | :-moz-ui-invalid { 244 | box-shadow: none; 245 | } 246 | 247 | /* 248 | Add the correct vertical alignment in Chrome and Firefox. 249 | */ 250 | 251 | progress { 252 | vertical-align: baseline; 253 | } 254 | 255 | /* 256 | Correct the cursor style of increment and decrement buttons in Safari. 
257 | */ 258 | 259 | ::-webkit-inner-spin-button, 260 | ::-webkit-outer-spin-button { 261 | height: auto; 262 | } 263 | 264 | /* 265 | 1. Correct the odd appearance in Chrome and Safari. 266 | 2. Correct the outline style in Safari. 267 | */ 268 | 269 | [type='search'] { 270 | -webkit-appearance: textfield; 271 | /* 1 */ 272 | outline-offset: -2px; 273 | /* 2 */ 274 | } 275 | 276 | /* 277 | Remove the inner padding in Chrome and Safari on macOS. 278 | */ 279 | 280 | ::-webkit-search-decoration { 281 | -webkit-appearance: none; 282 | } 283 | 284 | /* 285 | 1. Correct the inability to style clickable types in iOS and Safari. 286 | 2. Change font properties to `inherit` in Safari. 287 | */ 288 | 289 | ::-webkit-file-upload-button { 290 | -webkit-appearance: button; 291 | /* 1 */ 292 | font: inherit; 293 | /* 2 */ 294 | } 295 | 296 | /* 297 | Add the correct display in Chrome and Safari. 298 | */ 299 | 300 | summary { 301 | display: list-item; 302 | } 303 | 304 | /* 305 | Removes the default spacing and border for appropriate elements. 306 | */ 307 | 308 | blockquote, 309 | dl, 310 | dd, 311 | h1, 312 | h2, 313 | h3, 314 | h4, 315 | h5, 316 | h6, 317 | hr, 318 | figure, 319 | p, 320 | pre { 321 | margin: 0; 322 | } 323 | 324 | fieldset { 325 | margin: 0; 326 | padding: 0; 327 | } 328 | 329 | legend { 330 | padding: 0; 331 | } 332 | 333 | ol, 334 | ul, 335 | menu { 336 | list-style: none; 337 | margin: 0; 338 | padding: 0; 339 | } 340 | 341 | /* 342 | Prevent resizing textareas horizontally by default. 343 | */ 344 | 345 | textarea { 346 | resize: vertical; 347 | } 348 | 349 | /* 350 | 1. Reset the default placeholder opacity in Firefox. (https://github.com/tailwindlabs/tailwindcss/issues/3300) 351 | 2. Set the default placeholder color to the user's configured gray 400 color. 
352 | */ 353 | 354 | input::-moz-placeholder, textarea::-moz-placeholder { 355 | opacity: 1; 356 | /* 1 */ 357 | color: #9ca3af; 358 | /* 2 */ 359 | } 360 | 361 | input::placeholder, 362 | textarea::placeholder { 363 | opacity: 1; 364 | /* 1 */ 365 | color: #9ca3af; 366 | /* 2 */ 367 | } 368 | 369 | /* 370 | Set the default cursor for buttons. 371 | */ 372 | 373 | button, 374 | [role="button"] { 375 | cursor: pointer; 376 | } 377 | 378 | /* 379 | Make sure disabled buttons don't get the pointer cursor. 380 | */ 381 | 382 | :disabled { 383 | cursor: default; 384 | } 385 | 386 | /* 387 | 1. Make replaced elements `display: block` by default. (https://github.com/mozdevs/cssremedy/issues/14) 388 | 2. Add `vertical-align: middle` to align replaced elements more sensibly by default. (https://github.com/jensimmons/cssremedy/issues/14#issuecomment-634934210) 389 | This can trigger a poorly considered lint error in some tools but is included by design. 390 | */ 391 | 392 | img, 393 | svg, 394 | video, 395 | canvas, 396 | audio, 397 | iframe, 398 | embed, 399 | object { 400 | display: block; 401 | /* 1 */ 402 | vertical-align: middle; 403 | /* 2 */ 404 | } 405 | 406 | /* 407 | Constrain images and videos to the parent width and preserve their intrinsic aspect ratio. 
(https://github.com/mozdevs/cssremedy/issues/14) 408 | */ 409 | 410 | img, 411 | video { 412 | max-width: 100%; 413 | height: auto; 414 | } 415 | 416 | /* Make elements with the HTML hidden attribute stay hidden by default */ 417 | 418 | [hidden] { 419 | display: none; 420 | } 421 | 422 | *, ::before, ::after { 423 | --tw-border-spacing-x: 0; 424 | --tw-border-spacing-y: 0; 425 | --tw-translate-x: 0; 426 | --tw-translate-y: 0; 427 | --tw-rotate: 0; 428 | --tw-skew-x: 0; 429 | --tw-skew-y: 0; 430 | --tw-scale-x: 1; 431 | --tw-scale-y: 1; 432 | --tw-pan-x: ; 433 | --tw-pan-y: ; 434 | --tw-pinch-zoom: ; 435 | --tw-scroll-snap-strictness: proximity; 436 | --tw-ordinal: ; 437 | --tw-slashed-zero: ; 438 | --tw-numeric-figure: ; 439 | --tw-numeric-spacing: ; 440 | --tw-numeric-fraction: ; 441 | --tw-ring-inset: ; 442 | --tw-ring-offset-width: 0px; 443 | --tw-ring-offset-color: #fff; 444 | --tw-ring-color: rgb(59 130 246 / 0.5); 445 | --tw-ring-offset-shadow: 0 0 #0000; 446 | --tw-ring-shadow: 0 0 #0000; 447 | --tw-shadow: 0 0 #0000; 448 | --tw-shadow-colored: 0 0 #0000; 449 | --tw-blur: ; 450 | --tw-brightness: ; 451 | --tw-contrast: ; 452 | --tw-grayscale: ; 453 | --tw-hue-rotate: ; 454 | --tw-invert: ; 455 | --tw-saturate: ; 456 | --tw-sepia: ; 457 | --tw-drop-shadow: ; 458 | --tw-backdrop-blur: ; 459 | --tw-backdrop-brightness: ; 460 | --tw-backdrop-contrast: ; 461 | --tw-backdrop-grayscale: ; 462 | --tw-backdrop-hue-rotate: ; 463 | --tw-backdrop-invert: ; 464 | --tw-backdrop-opacity: ; 465 | --tw-backdrop-saturate: ; 466 | --tw-backdrop-sepia: ; 467 | } 468 | 469 | ::backdrop { 470 | --tw-border-spacing-x: 0; 471 | --tw-border-spacing-y: 0; 472 | --tw-translate-x: 0; 473 | --tw-translate-y: 0; 474 | --tw-rotate: 0; 475 | --tw-skew-x: 0; 476 | --tw-skew-y: 0; 477 | --tw-scale-x: 1; 478 | --tw-scale-y: 1; 479 | --tw-pan-x: ; 480 | --tw-pan-y: ; 481 | --tw-pinch-zoom: ; 482 | --tw-scroll-snap-strictness: proximity; 483 | --tw-ordinal: ; 484 | --tw-slashed-zero: ; 485 | 
--tw-numeric-figure: ; 486 | --tw-numeric-spacing: ; 487 | --tw-numeric-fraction: ; 488 | --tw-ring-inset: ; 489 | --tw-ring-offset-width: 0px; 490 | --tw-ring-offset-color: #fff; 491 | --tw-ring-color: rgb(59 130 246 / 0.5); 492 | --tw-ring-offset-shadow: 0 0 #0000; 493 | --tw-ring-shadow: 0 0 #0000; 494 | --tw-shadow: 0 0 #0000; 495 | --tw-shadow-colored: 0 0 #0000; 496 | --tw-blur: ; 497 | --tw-brightness: ; 498 | --tw-contrast: ; 499 | --tw-grayscale: ; 500 | --tw-hue-rotate: ; 501 | --tw-invert: ; 502 | --tw-saturate: ; 503 | --tw-sepia: ; 504 | --tw-drop-shadow: ; 505 | --tw-backdrop-blur: ; 506 | --tw-backdrop-brightness: ; 507 | --tw-backdrop-contrast: ; 508 | --tw-backdrop-grayscale: ; 509 | --tw-backdrop-hue-rotate: ; 510 | --tw-backdrop-invert: ; 511 | --tw-backdrop-opacity: ; 512 | --tw-backdrop-saturate: ; 513 | --tw-backdrop-sepia: ; 514 | } 515 | 516 | .static { 517 | position: static; 518 | } 519 | 520 | .fixed { 521 | position: fixed; 522 | } 523 | 524 | .top-0 { 525 | top: 0px; 526 | } 527 | 528 | .z-10 { 529 | z-index: 10; 530 | } 531 | 532 | .my-14 { 533 | margin-top: 3.5rem; 534 | margin-bottom: 3.5rem; 535 | } 536 | 537 | .mb-4 { 538 | margin-bottom: 1rem; 539 | } 540 | 541 | .mb-6 { 542 | margin-bottom: 1.5rem; 543 | } 544 | 545 | .ml-2 { 546 | margin-left: 0.5rem; 547 | } 548 | 549 | .ml-4 { 550 | margin-left: 1rem; 551 | } 552 | 553 | .ml-auto { 554 | margin-left: auto; 555 | } 556 | 557 | .mr-10 { 558 | margin-right: 2.5rem; 559 | } 560 | 561 | .mr-16 { 562 | margin-right: 4rem; 563 | } 564 | 565 | .mr-2 { 566 | margin-right: 0.5rem; 567 | } 568 | 569 | .mr-4 { 570 | margin-right: 1rem; 571 | } 572 | 573 | .mr-8 { 574 | margin-right: 2rem; 575 | } 576 | 577 | .mr-auto { 578 | margin-right: auto; 579 | } 580 | 581 | .mt-10 { 582 | margin-top: 2.5rem; 583 | } 584 | 585 | .mt-12 { 586 | margin-top: 3rem; 587 | } 588 | 589 | .mt-4 { 590 | margin-top: 1rem; 591 | } 592 | 593 | .mt-40 { 594 | margin-top: 10rem; 595 | } 596 | 597 | .flex { 598 | 
display: flex; 599 | } 600 | 601 | .h-10 { 602 | height: 2.5rem; 603 | } 604 | 605 | .h-16 { 606 | height: 4rem; 607 | } 608 | 609 | .h-24 { 610 | height: 6rem; 611 | } 612 | 613 | .h-32 { 614 | height: 8rem; 615 | } 616 | 617 | .w-40 { 618 | width: 10rem; 619 | } 620 | 621 | .w-9 { 622 | width: 2.25rem; 623 | } 624 | 625 | .w-full { 626 | width: 100%; 627 | } 628 | 629 | .max-w-3xl { 630 | max-width: 48rem; 631 | } 632 | 633 | .max-w-4xl { 634 | max-width: 56rem; 635 | } 636 | 637 | .grow { 638 | flex-grow: 1; 639 | } 640 | 641 | .flex-col { 642 | flex-direction: column; 643 | } 644 | 645 | .items-center { 646 | align-items: center; 647 | } 648 | 649 | .justify-center { 650 | justify-content: center; 651 | } 652 | 653 | .justify-between { 654 | justify-content: space-between; 655 | } 656 | 657 | .justify-evenly { 658 | justify-content: space-evenly; 659 | } 660 | 661 | .self-start { 662 | align-self: flex-start; 663 | } 664 | 665 | .self-end { 666 | align-self: flex-end; 667 | } 668 | 669 | .whitespace-nowrap { 670 | white-space: nowrap; 671 | } 672 | 673 | .rounded { 674 | border-radius: 0.25rem; 675 | } 676 | 677 | .rounded-lg { 678 | border-radius: 0.5rem; 679 | } 680 | 681 | .rounded-t-lg { 682 | border-top-left-radius: 0.5rem; 683 | border-top-right-radius: 0.5rem; 684 | } 685 | 686 | .border { 687 | border-width: 1px; 688 | } 689 | 690 | .bg-emerald-200 { 691 | --tw-bg-opacity: 1; 692 | background-color: rgb(167 243 208 / var(--tw-bg-opacity)); 693 | } 694 | 695 | .bg-emerald-700 { 696 | --tw-bg-opacity: 1; 697 | background-color: rgb(4 120 87 / var(--tw-bg-opacity)); 698 | } 699 | 700 | .bg-green-700 { 701 | --tw-bg-opacity: 1; 702 | background-color: rgb(21 128 61 / var(--tw-bg-opacity)); 703 | } 704 | 705 | .bg-slate-300 { 706 | --tw-bg-opacity: 1; 707 | background-color: rgb(203 213 225 / var(--tw-bg-opacity)); 708 | } 709 | 710 | .bg-slate-50 { 711 | --tw-bg-opacity: 1; 712 | background-color: rgb(248 250 252 / var(--tw-bg-opacity)); 713 | } 714 | 715 | 
/* Utility classes: padding, text alignment, typography, text colour and box shadows. */ .p-3 { 716 | padding: 0.75rem; 717 | } 718 | 719 | .px-10 { 720 | padding-left: 2.5rem; 721 | padding-right: 2.5rem; 722 | } 723 | 724 | .px-2 { 725 | padding-left: 0.5rem; 726 | padding-right: 0.5rem; 727 | } 728 | 729 | .px-3 { 730 | padding-left: 0.75rem; 731 | padding-right: 0.75rem; 732 | } 733 | 734 | .py-1 { 735 | padding-top: 0.25rem; 736 | padding-bottom: 0.25rem; 737 | } 738 | 739 | .pb-8 { 740 | padding-bottom: 2rem; 741 | } 742 | 743 | .text-center { 744 | text-align: center; 745 | } 746 | 747 | .font-emoji { 748 | font-family: Material Icons, sans-serif; 749 | } 750 | 751 | .text-2xl { 752 | font-size: 1.5rem; 753 | line-height: 2rem; 754 | } 755 | 756 | .text-4xl { 757 | font-size: 2.25rem; 758 | line-height: 2.5rem; 759 | } 760 | 761 | .text-lg { 762 | font-size: 1.125rem; 763 | line-height: 1.75rem; 764 | } 765 | 766 | .font-bold { 767 | font-weight: 700; 768 | } 769 | 770 | .tracking-wider { 771 | letter-spacing: 0.05em; 772 | } 773 | 774 | /* Each text colour utility sets --tw-text-opacity to 1 and uses it as the alpha channel of `color`. */ .text-emerald-600 { 775 | --tw-text-opacity: 1; 776 | color: rgb(5 150 105 / var(--tw-text-opacity)); 777 | } 778 | 779 | .text-slate-50 { 780 | --tw-text-opacity: 1; 781 | color: rgb(248 250 252 / var(--tw-text-opacity)); 782 | } 783 | 784 | .text-white { 785 | --tw-text-opacity: 1; 786 | color: rgb(255 255 255 / var(--tw-text-opacity)); 787 | } 788 | 789 | /* box-shadow stacks three layers read from custom properties; the two ring layers fall back to `0 0 #0000` (a transparent, zero-size shadow) when unset. --tw-shadow-colored is declared but not consumed by the box-shadow in these two rules. */ .shadow { 790 | --tw-shadow: 0 1px 3px 0 rgb(0 0 0 / 0.1), 0 1px 2px -1px rgb(0 0 0 / 0.1); 791 | --tw-shadow-colored: 0 1px 3px 0 var(--tw-shadow-color), 0 1px 2px -1px var(--tw-shadow-color); 792 | box-shadow: var(--tw-ring-offset-shadow, 0 0 #0000), var(--tw-ring-shadow, 0 0 #0000), var(--tw-shadow); 793 | } 794 | 795 | .shadow-lg { 796 | --tw-shadow: 0 10px 15px -3px rgb(0 0 0 / 0.1), 0 4px 6px -4px rgb(0 0 0 / 0.1); 797 | --tw-shadow-colored: 0 10px 15px -3px var(--tw-shadow-color), 0 4px 6px -4px var(--tw-shadow-color); 798 | box-shadow: var(--tw-ring-offset-shadow, 0 0 #0000), var(--tw-ring-shadow, 0 0 #0000), var(--tw-shadow); 799 | } 800 | 801 | 
body { 802 | font-family: Ubuntu, sans-serif; 803 | background-color: #eeeeee; 804 | background-image: url("data:image/svg+xml,%3Csvg width='52' height='26' viewBox='0 0 52 26' xmlns='http://www.w3.org/2000/svg'%3E%3Cg fill='none' fill-rule='evenodd'%3E%3Cg fill='%23aeb8af' fill-opacity='0.4'%3E%3Cpath d='M10 10c0-2.21-1.79-4-4-4-3.314 0-6-2.686-6-6h2c0 2.21 1.79 4 4 4 3.314 0 6 2.686 6 6 0 2.21 1.79 4 4 4 3.314 0 6 2.686 6 6 0 2.21 1.79 4 4 4v2c-3.314 0-6-2.686-6-6 0-2.21-1.79-4-4-4-3.314 0-6-2.686-6-6zm25.464-1.95l8.486 8.486-1.414 1.414-8.486-8.486 1.414-1.414z' /%3E%3C/g%3E%3C/g%3E%3C/svg%3E"); /* NOTE(review): the page background pattern is an inline, percent-encoded SVG in a data: URI, so no extra request is made for it. If a Content-Security-Policy is set for the app, its img-src must allow data: or this image is blocked; #eeeeee above remains as the plain fallback colour. */ 805 | } 806 | 807 | .hover\:bg-green-800:hover { 808 | --tw-bg-opacity: 1; 809 | background-color: rgb(22 101 52 / var(--tw-bg-opacity)); 810 | } 811 | 812 | .hover\:bg-slate-400:hover { 813 | --tw-bg-opacity: 1; 814 | background-color: rgb(148 163 184 / var(--tw-bg-opacity)); 815 | } 816 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | Preamble 9 | 10 | The GNU General Public License is a free, copyleft license for 11 | software and other kinds of works. 12 | 13 | The licenses for most software and other practical works are designed 14 | to take away your freedom to share and change the works. By contrast, 15 | the GNU General Public License is intended to guarantee your freedom to 16 | share and change all versions of a program--to make sure it remains free 17 | software for all its users. We, the Free Software Foundation, use the 18 | GNU General Public License for most of our software; it applies also to 19 | any other work released this way by its authors. 
You can apply it to 20 | your programs, too. 21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | them if you wish), that you receive source code or can get it if you 26 | want it, that you can change the software or use pieces of it in new 27 | free programs, and that you know you can do these things. 28 | 29 | To protect your rights, we need to prevent others from denying you 30 | these rights or asking you to surrender the rights. Therefore, you have 31 | certain responsibilities if you distribute copies of the software, or if 32 | you modify it: responsibilities to respect the freedom of others. 33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must pass on to the recipients the same 36 | freedoms that you received. You must make sure that they, too, receive 37 | or can get the source code. And you must show them these terms so they 38 | know their rights. 39 | 40 | Developers that use the GNU GPL protect your rights with two steps: 41 | (1) assert copyright on the software, and (2) offer you this License 42 | giving you legal permission to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains 45 | that there is no warranty for this free software. For both users' and 46 | authors' sake, the GPL requires that modified versions be marked as 47 | changed, so that their problems will not be attributed erroneously to 48 | authors of previous versions. 49 | 50 | Some devices are designed to deny users access to install or run 51 | modified versions of the software inside them, although the manufacturer 52 | can do so. This is fundamentally incompatible with the aim of 53 | protecting users' freedom to change the software. 
The systematic 54 | pattern of such abuse occurs in the area of products for individuals to 55 | use, which is precisely where it is most unacceptable. Therefore, we 56 | have designed this version of the GPL to prohibit the practice for those 57 | products. If such problems arise substantially in other domains, we 58 | stand ready to extend this provision to those domains in future versions 59 | of the GPL, as needed to protect the freedom of users. 60 | 61 | Finally, every program is threatened constantly by software patents. 62 | States should not allow patents to restrict development and use of 63 | software on general-purpose computers, but in those that do, we wish to 64 | avoid the special danger that patents applied to a free program could 65 | make it effectively proprietary. To prevent this, the GPL assures that 66 | patents cannot be used to render the program non-free. 67 | 68 | The precise terms and conditions for copying, distribution and 69 | modification follow. 70 | 71 | TERMS AND CONDITIONS 72 | 73 | 0. Definitions. 74 | 75 | "This License" refers to version 3 of the GNU General Public License. 76 | 77 | "Copyright" also means copyright-like laws that apply to other kinds of 78 | works, such as semiconductor masks. 79 | 80 | "The Program" refers to any copyrightable work licensed under this 81 | License. Each licensee is addressed as "you". "Licensees" and 82 | "recipients" may be individuals or organizations. 83 | 84 | To "modify" a work means to copy from or adapt all or part of the work 85 | in a fashion requiring copyright permission, other than the making of an 86 | exact copy. The resulting work is called a "modified version" of the 87 | earlier work or a work "based on" the earlier work. 88 | 89 | A "covered work" means either the unmodified Program or a work based 90 | on the Program. 
91 | 92 | To "propagate" a work means to do anything with it that, without 93 | permission, would make you directly or secondarily liable for 94 | infringement under applicable copyright law, except executing it on a 95 | computer or modifying a private copy. Propagation includes copying, 96 | distribution (with or without modification), making available to the 97 | public, and in some countries other activities as well. 98 | 99 | To "convey" a work means any kind of propagation that enables other 100 | parties to make or receive copies. Mere interaction with a user through 101 | a computer network, with no transfer of a copy, is not conveying. 102 | 103 | An interactive user interface displays "Appropriate Legal Notices" 104 | to the extent that it includes a convenient and prominently visible 105 | feature that (1) displays an appropriate copyright notice, and (2) 106 | tells the user that there is no warranty for the work (except to the 107 | extent that warranties are provided), that licensees may convey the 108 | work under this License, and how to view a copy of this License. If 109 | the interface presents a list of user commands or options, such as a 110 | menu, a prominent item in the list meets this criterion. 111 | 112 | 1. Source Code. 113 | 114 | The "source code" for a work means the preferred form of the work 115 | for making modifications to it. "Object code" means any non-source 116 | form of a work. 117 | 118 | A "Standard Interface" means an interface that either is an official 119 | standard defined by a recognized standards body, or, in the case of 120 | interfaces specified for a particular programming language, one that 121 | is widely used among developers working in that language. 
122 | 123 | The "System Libraries" of an executable work include anything, other 124 | than the work as a whole, that (a) is included in the normal form of 125 | packaging a Major Component, but which is not part of that Major 126 | Component, and (b) serves only to enable use of the work with that 127 | Major Component, or to implement a Standard Interface for which an 128 | implementation is available to the public in source code form. A 129 | "Major Component", in this context, means a major essential component 130 | (kernel, window system, and so on) of the specific operating system 131 | (if any) on which the executable work runs, or a compiler used to 132 | produce the work, or an object code interpreter used to run it. 133 | 134 | The "Corresponding Source" for a work in object code form means all 135 | the source code needed to generate, install, and (for an executable 136 | work) run the object code and to modify the work, including scripts to 137 | control those activities. However, it does not include the work's 138 | System Libraries, or general-purpose tools or generally available free 139 | programs which are used unmodified in performing those activities but 140 | which are not part of the work. For example, Corresponding Source 141 | includes interface definition files associated with source files for 142 | the work, and the source code for shared libraries and dynamically 143 | linked subprograms that the work is specifically designed to require, 144 | such as by intimate data communication or control flow between those 145 | subprograms and other parts of the work. 146 | 147 | The Corresponding Source need not include anything that users 148 | can regenerate automatically from other parts of the Corresponding 149 | Source. 150 | 151 | The Corresponding Source for a work in source code form is that 152 | same work. 153 | 154 | 2. Basic Permissions. 
155 | 156 | All rights granted under this License are granted for the term of 157 | copyright on the Program, and are irrevocable provided the stated 158 | conditions are met. This License explicitly affirms your unlimited 159 | permission to run the unmodified Program. The output from running a 160 | covered work is covered by this License only if the output, given its 161 | content, constitutes a covered work. This License acknowledges your 162 | rights of fair use or other equivalent, as provided by copyright law. 163 | 164 | You may make, run and propagate covered works that you do not 165 | convey, without conditions so long as your license otherwise remains 166 | in force. You may convey covered works to others for the sole purpose 167 | of having them make modifications exclusively for you, or provide you 168 | with facilities for running those works, provided that you comply with 169 | the terms of this License in conveying all material for which you do 170 | not control copyright. Those thus making or running the covered works 171 | for you must do so exclusively on your behalf, under your direction 172 | and control, on terms that prohibit them from making any copies of 173 | your copyrighted material outside their relationship with you. 174 | 175 | Conveying under any other circumstances is permitted solely under 176 | the conditions stated below. Sublicensing is not allowed; section 10 177 | makes it unnecessary. 178 | 179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 180 | 181 | No covered work shall be deemed part of an effective technological 182 | measure under any applicable law fulfilling obligations under article 183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 184 | similar laws prohibiting or restricting circumvention of such 185 | measures. 
186 | 187 | When you convey a covered work, you waive any legal power to forbid 188 | circumvention of technological measures to the extent such circumvention 189 | is effected by exercising rights under this License with respect to 190 | the covered work, and you disclaim any intention to limit operation or 191 | modification of the work as a means of enforcing, against the work's 192 | users, your or third parties' legal rights to forbid circumvention of 193 | technological measures. 194 | 195 | 4. Conveying Verbatim Copies. 196 | 197 | You may convey verbatim copies of the Program's source code as you 198 | receive it, in any medium, provided that you conspicuously and 199 | appropriately publish on each copy an appropriate copyright notice; 200 | keep intact all notices stating that this License and any 201 | non-permissive terms added in accord with section 7 apply to the code; 202 | keep intact all notices of the absence of any warranty; and give all 203 | recipients a copy of this License along with the Program. 204 | 205 | You may charge any price or no price for each copy that you convey, 206 | and you may offer support or warranty protection for a fee. 207 | 208 | 5. Conveying Modified Source Versions. 209 | 210 | You may convey a work based on the Program, or the modifications to 211 | produce it from the Program, in the form of source code under the 212 | terms of section 4, provided that you also meet all of these conditions: 213 | 214 | a) The work must carry prominent notices stating that you modified 215 | it, and giving a relevant date. 216 | 217 | b) The work must carry prominent notices stating that it is 218 | released under this License and any conditions added under section 219 | 7. This requirement modifies the requirement in section 4 to 220 | "keep intact all notices". 221 | 222 | c) You must license the entire work, as a whole, under this 223 | License to anyone who comes into possession of a copy. 
This 224 | License will therefore apply, along with any applicable section 7 225 | additional terms, to the whole of the work, and all its parts, 226 | regardless of how they are packaged. This License gives no 227 | permission to license the work in any other way, but it does not 228 | invalidate such permission if you have separately received it. 229 | 230 | d) If the work has interactive user interfaces, each must display 231 | Appropriate Legal Notices; however, if the Program has interactive 232 | interfaces that do not display Appropriate Legal Notices, your 233 | work need not make them do so. 234 | 235 | A compilation of a covered work with other separate and independent 236 | works, which are not by their nature extensions of the covered work, 237 | and which are not combined with it such as to form a larger program, 238 | in or on a volume of a storage or distribution medium, is called an 239 | "aggregate" if the compilation and its resulting copyright are not 240 | used to limit the access or legal rights of the compilation's users 241 | beyond what the individual works permit. Inclusion of a covered work 242 | in an aggregate does not cause this License to apply to the other 243 | parts of the aggregate. 244 | 245 | 6. Conveying Non-Source Forms. 246 | 247 | You may convey a covered work in object code form under the terms 248 | of sections 4 and 5, provided that you also convey the 249 | machine-readable Corresponding Source under the terms of this License, 250 | in one of these ways: 251 | 252 | a) Convey the object code in, or embodied in, a physical product 253 | (including a physical distribution medium), accompanied by the 254 | Corresponding Source fixed on a durable physical medium 255 | customarily used for software interchange. 
256 | 257 | b) Convey the object code in, or embodied in, a physical product 258 | (including a physical distribution medium), accompanied by a 259 | written offer, valid for at least three years and valid for as 260 | long as you offer spare parts or customer support for that product 261 | model, to give anyone who possesses the object code either (1) a 262 | copy of the Corresponding Source for all the software in the 263 | product that is covered by this License, on a durable physical 264 | medium customarily used for software interchange, for a price no 265 | more than your reasonable cost of physically performing this 266 | conveying of source, or (2) access to copy the 267 | Corresponding Source from a network server at no charge. 268 | 269 | c) Convey individual copies of the object code with a copy of the 270 | written offer to provide the Corresponding Source. This 271 | alternative is allowed only occasionally and noncommercially, and 272 | only if you received the object code with such an offer, in accord 273 | with subsection 6b. 274 | 275 | d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 
287 | 288 | e) Convey the object code using peer-to-peer transmission, provided 289 | you inform other peers where the object code and Corresponding 290 | Source of the work are being offered to the general public at no 291 | charge under subsection 6d. 292 | 293 | A separable portion of the object code, whose source code is excluded 294 | from the Corresponding Source as a System Library, need not be 295 | included in conveying the object code work. 296 | 297 | A "User Product" is either (1) a "consumer product", which means any 298 | tangible personal property which is normally used for personal, family, 299 | or household purposes, or (2) anything designed or sold for incorporation 300 | into a dwelling. In determining whether a product is a consumer product, 301 | doubtful cases shall be resolved in favor of coverage. For a particular 302 | product received by a particular user, "normally used" refers to a 303 | typical or common use of that class of product, regardless of the status 304 | of the particular user or of the way in which the particular user 305 | actually uses, or expects or is expected to use, the product. A product 306 | is a consumer product regardless of whether the product has substantial 307 | commercial, industrial or non-consumer uses, unless such uses represent 308 | the only significant mode of use of the product. 309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to install 312 | and execute modified versions of a covered work in that User Product from 313 | a modified version of its Corresponding Source. The information must 314 | suffice to ensure that the continued functioning of the modified object 315 | code is in no case prevented or interfered with solely because 316 | modification has been made. 
317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or updates 331 | for a work that has been modified or installed by the recipient, or for 332 | the User Product in which it has been modified or installed. Access to a 333 | network may be denied when the modification itself materially and 334 | adversely affects the operation of the network or violates the rules and 335 | protocols for communication across the network. 336 | 337 | Corresponding Source conveyed, and Installation Information provided, 338 | in accord with this section must be in a format that is publicly 339 | documented (and with an implementation available to the public in 340 | source code form), and must require no special password or key for 341 | unpacking, reading or copying. 342 | 343 | 7. Additional Terms. 344 | 345 | "Additional permissions" are terms that supplement the terms of this 346 | License by making exceptions from one or more of its conditions. 347 | Additional permissions that are applicable to the entire Program shall 348 | be treated as though they were included in this License, to the extent 349 | that they are valid under applicable law. 
If additional permissions 350 | apply only to part of the Program, that part may be used separately 351 | under those permissions, but the entire Program remains governed by 352 | this License without regard to the additional permissions. 353 | 354 | When you convey a copy of a covered work, you may at your option 355 | remove any additional permissions from that copy, or from any part of 356 | it. (Additional permissions may be written to require their own 357 | removal in certain cases when you modify the work.) You may place 358 | additional permissions on material, added by you to a covered work, 359 | for which you have or can give appropriate copyright permission. 360 | 361 | Notwithstanding any other provision of this License, for material you 362 | add to a covered work, you may (if authorized by the copyright holders of 363 | that material) supplement the terms of this License with terms: 364 | 365 | a) Disclaiming warranty or limiting liability differently from the 366 | terms of sections 15 and 16 of this License; or 367 | 368 | b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | 372 | c) Prohibiting misrepresentation of the origin of that material, or 373 | requiring that modified versions of such material be marked in 374 | reasonable ways as different from the original version; or 375 | 376 | d) Limiting the use for publicity purposes of names of licensors or 377 | authors of the material; or 378 | 379 | e) Declining to grant rights under trademark law for use of some 380 | trade names, trademarks, or service marks; or 381 | 382 | f) Requiring indemnification of licensors and authors of that 383 | material by anyone who conveys the material (or modified versions of 384 | it) with contractual assumptions of liability to the recipient, for 385 | any liability that these contractual assumptions directly impose on 
386 | those licensors and authors. 387 | 388 | All other non-permissive additional terms are considered "further 389 | restrictions" within the meaning of section 10. If the Program as you 390 | received it, or any part of it, contains a notice stating that it is 391 | governed by this License along with a term that is a further 392 | restriction, you may remove that term. If a license document contains 393 | a further restriction but permits relicensing or conveying under this 394 | License, you may add to a covered work material governed by the terms 395 | of that license document, provided that the further restriction does 396 | not survive such relicensing or conveying. 397 | 398 | If you add terms to a covered work in accord with this section, you 399 | must place, in the relevant source files, a statement of the 400 | additional terms that apply to those files, or a notice indicating 401 | where to find the applicable terms. 402 | 403 | Additional terms, permissive or non-permissive, may be stated in the 404 | form of a separately written license, or stated as exceptions; 405 | the above requirements apply either way. 406 | 407 | 8. Termination. 408 | 409 | You may not propagate or modify a covered work except as expressly 410 | provided under this License. Any attempt otherwise to propagate or 411 | modify it is void, and will automatically terminate your rights under 412 | this License (including any patent licenses granted under the third 413 | paragraph of section 11). 414 | 415 | However, if you cease all violation of this License, then your 416 | license from a particular copyright holder is reinstated (a) 417 | provisionally, unless and until the copyright holder explicitly and 418 | finally terminates your license, and (b) permanently, if the copyright 419 | holder fails to notify you of the violation by some reasonable means 420 | prior to 60 days after the cessation. 
421 | 422 | Moreover, your license from a particular copyright holder is 423 | reinstated permanently if the copyright holder notifies you of the 424 | violation by some reasonable means, this is the first time you have 425 | received notice of violation of this License (for any work) from that 426 | copyright holder, and you cure the violation prior to 30 days after 427 | your receipt of the notice. 428 | 429 | Termination of your rights under this section does not terminate the 430 | licenses of parties who have received copies or rights from you under 431 | this License. If your rights have been terminated and not permanently 432 | reinstated, you do not qualify to receive new licenses for the same 433 | material under section 10. 434 | 435 | 9. Acceptance Not Required for Having Copies. 436 | 437 | You are not required to accept this License in order to receive or 438 | run a copy of the Program. Ancillary propagation of a covered work 439 | occurring solely as a consequence of using peer-to-peer transmission 440 | to receive a copy likewise does not require acceptance. However, 441 | nothing other than this License grants you permission to propagate or 442 | modify any covered work. These actions infringe copyright if you do 443 | not accept this License. Therefore, by modifying or propagating a 444 | covered work, you indicate your acceptance of this License to do so. 445 | 446 | 10. Automatic Licensing of Downstream Recipients. 447 | 448 | Each time you convey a covered work, the recipient automatically 449 | receives a license from the original licensors, to run, modify and 450 | propagate that work, subject to this License. You are not responsible 451 | for enforcing compliance by third parties with this License. 452 | 453 | An "entity transaction" is a transaction transferring control of an 454 | organization, or substantially all assets of one, or subdividing an 455 | organization, or merging organizations. 
If propagation of a covered 456 | work results from an entity transaction, each party to that 457 | transaction who receives a copy of the work also receives whatever 458 | licenses to the work the party's predecessor in interest had or could 459 | give under the previous paragraph, plus a right to possession of the 460 | Corresponding Source of the work from the predecessor in interest, if 461 | the predecessor has it or can get it with reasonable efforts. 462 | 463 | You may not impose any further restrictions on the exercise of the 464 | rights granted or affirmed under this License. For example, you may 465 | not impose a license fee, royalty, or other charge for exercise of 466 | rights granted under this License, and you may not initiate litigation 467 | (including a cross-claim or counterclaim in a lawsuit) alleging that 468 | any patent claim is infringed by making, using, selling, offering for 469 | sale, or importing the Program or any portion of it. 470 | 471 | 11. Patents. 472 | 473 | A "contributor" is a copyright holder who authorizes use under this 474 | License of the Program or a work on which the Program is based. The 475 | work thus licensed is called the contributor's "contributor version". 476 | 477 | A contributor's "essential patent claims" are all patent claims 478 | owned or controlled by the contributor, whether already acquired or 479 | hereafter acquired, that would be infringed by some manner, permitted 480 | by this License, of making, using, or selling its contributor version, 481 | but do not include claims that would be infringed only as a 482 | consequence of further modification of the contributor version. For 483 | purposes of this definition, "control" includes the right to grant 484 | patent sublicenses in a manner consistent with the requirements of 485 | this License. 
486 | 487 | Each contributor grants you a non-exclusive, worldwide, royalty-free 488 | patent license under the contributor's essential patent claims, to 489 | make, use, sell, offer for sale, import and otherwise run, modify and 490 | propagate the contents of its contributor version. 491 | 492 | In the following three paragraphs, a "patent license" is any express 493 | agreement or commitment, however denominated, not to enforce a patent 494 | (such as an express permission to practice a patent or covenant not to 495 | sue for patent infringement). To "grant" such a patent license to a 496 | party means to make such an agreement or commitment not to enforce a 497 | patent against the party. 498 | 499 | If you convey a covered work, knowingly relying on a patent license, 500 | and the Corresponding Source of the work is not available for anyone 501 | to copy, free of charge and under the terms of this License, through a 502 | publicly available network server or other readily accessible means, 503 | then you must either (1) cause the Corresponding Source to be so 504 | available, or (2) arrange to deprive yourself of the benefit of the 505 | patent license for this particular work, or (3) arrange, in a manner 506 | consistent with the requirements of this License, to extend the patent 507 | license to downstream recipients. "Knowingly relying" means you have 508 | actual knowledge that, but for the patent license, your conveying the 509 | covered work in a country, or your recipient's use of the covered work 510 | in a country, would infringe one or more identifiable patents in that 511 | country that you have reason to believe are valid. 
512 | 513 | If, pursuant to or in connection with a single transaction or 514 | arrangement, you convey, or propagate by procuring conveyance of, a 515 | covered work, and grant a patent license to some of the parties 516 | receiving the covered work authorizing them to use, propagate, modify 517 | or convey a specific copy of the covered work, then the patent license 518 | you grant is automatically extended to all recipients of the covered 519 | work and works based on it. 520 | 521 | A patent license is "discriminatory" if it does not include within 522 | the scope of its coverage, prohibits the exercise of, or is 523 | conditioned on the non-exercise of one or more of the rights that are 524 | specifically granted under this License. You may not convey a covered 525 | work if you are a party to an arrangement with a third party that is 526 | in the business of distributing software, under which you make payment 527 | to the third party based on the extent of your activity of conveying 528 | the work, and under which the third party grants, to any of the 529 | parties who would receive the covered work from you, a discriminatory 530 | patent license (a) in connection with copies of the covered work 531 | conveyed by you (or copies made from those copies), or (b) primarily 532 | for and in connection with specific products or compilations that 533 | contain the covered work, unless you entered into that arrangement, 534 | or that patent license was granted, prior to 28 March 2007. 535 | 536 | Nothing in this License shall be construed as excluding or limiting 537 | any implied license or other defenses to infringement that may 538 | otherwise be available to you under applicable patent law. 539 | 540 | 12. No Surrender of Others' Freedom. 541 | 542 | If conditions are imposed on you (whether by court order, agreement or 543 | otherwise) that contradict the conditions of this License, they do not 544 | excuse you from the conditions of this License. 
If you cannot convey a 545 | covered work so as to satisfy simultaneously your obligations under this 546 | License and any other pertinent obligations, then as a consequence you may 547 | not convey it at all. For example, if you agree to terms that obligate you 548 | to collect a royalty for further conveying from those to whom you convey 549 | the Program, the only way you could satisfy both those terms and this 550 | License would be to refrain entirely from conveying the Program. 551 | 552 | 13. Use with the GNU Affero General Public License. 553 | 554 | Notwithstanding any other provision of this License, you have 555 | permission to link or combine any covered work with a work licensed 556 | under version 3 of the GNU Affero General Public License into a single 557 | combined work, and to convey the resulting work. The terms of this 558 | License will continue to apply to the part which is the covered work, 559 | but the special requirements of the GNU Affero General Public License, 560 | section 13, concerning interaction through a network will apply to the 561 | combination as such. 562 | 563 | 14. Revised Versions of this License. 564 | 565 | The Free Software Foundation may publish revised and/or new versions of 566 | the GNU General Public License from time to time. Such new versions will 567 | be similar in spirit to the present version, but may differ in detail to 568 | address new problems or concerns. 569 | 570 | Each version is given a distinguishing version number. If the 571 | Program specifies that a certain numbered version of the GNU General 572 | Public License "or any later version" applies to it, you have the 573 | option of following the terms and conditions either of that numbered 574 | version or of any later version published by the Free Software 575 | Foundation. If the Program does not specify a version number of the 576 | GNU General Public License, you may choose any version ever published 577 | by the Free Software Foundation. 
578 | 579 | If the Program specifies that a proxy can decide which future 580 | versions of the GNU General Public License can be used, that proxy's 581 | public statement of acceptance of a version permanently authorizes you 582 | to choose that version for the Program. 583 | 584 | Later license versions may give you additional or different 585 | permissions. However, no additional obligations are imposed on any 586 | author or copyright holder as a result of your choosing to follow a 587 | later version. 588 | 589 | 15. Disclaimer of Warranty. 590 | 591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 599 | 600 | 16. Limitation of Liability. 601 | 602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 610 | SUCH DAMAGES. 611 | 612 | 17. Interpretation of Sections 15 and 16. 
613 | 614 | If the disclaimer of warranty and limitation of liability provided 615 | above cannot be given local legal effect according to their terms, 616 | reviewing courts shall apply local law that most closely approximates 617 | an absolute waiver of all civil liability in connection with the 618 | Program, unless a warranty or assumption of liability accompanies a 619 | copy of the Program in return for a fee. 620 | 621 | END OF TERMS AND CONDITIONS 622 | 623 | How to Apply These Terms to Your New Programs 624 | 625 | If you develop a new program, and you want it to be of the greatest 626 | possible use to the public, the best way to achieve this is to make it 627 | free software which everyone can redistribute and change under these terms. 628 | 629 | To do so, attach the following notices to the program. It is safest 630 | to attach them to the start of each source file to most effectively 631 | state the exclusion of warranty; and each file should have at least 632 | the "copyright" line and a pointer to where the full notice is found. 633 | 634 | <one line to give the program's name and a brief idea of what it does.> 635 | Copyright (C) <year> <name of author> 636 | 637 | This program is free software: you can redistribute it and/or modify 638 | it under the terms of the GNU General Public License as published by 639 | the Free Software Foundation, either version 3 of the License, or 640 | (at your option) any later version. 641 | 642 | This program is distributed in the hope that it will be useful, 643 | but WITHOUT ANY WARRANTY; without even the implied warranty of 644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 645 | GNU General Public License for more details. 646 | 647 | You should have received a copy of the GNU General Public License 648 | along with this program. If not, see <https://www.gnu.org/licenses/>. 649 | 650 | Also add information on how to contact you by electronic and paper mail.
651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | <program> Copyright (C) <year> <name of author> 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands `show w' and `show c' should show the appropriate 661 | parts of the General Public License. Of course, your program's commands 662 | might be different; for a GUI interface, you would use an "about box". 663 | 664 | You should also get your employer (if you work as a programmer) or school, 665 | if any, to sign a "copyright disclaimer" for the program, if necessary. 666 | For more information on this, and how to apply and follow the GNU GPL, see 667 | <https://www.gnu.org/licenses/>. 668 | 669 | The GNU General Public License does not permit incorporating your program 670 | into proprietary programs. If your program is a subroutine library, you 671 | may consider it more useful to permit linking proprietary applications with 672 | the library. If this is what you want to do, use the GNU Lesser General 673 | Public License instead of this License. But first, please read 674 | <https://www.gnu.org/licenses/why-not-lgpl.html>. 675 | --------------------------------------------------------------------------------