RubyGems - kdep - Versions diffs - 0.1.3 → 0.2.0 - Mend

kdep 0.1.3 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

checksums.yaml +4 -4
data/lib/kdep/cli.rb +1 -0
data/lib/kdep/commands/apply.rb +1 -1
data/lib/kdep/commands/bump.rb +17 -10
data/lib/kdep/commands/diff.rb +1 -1
data/lib/kdep/commands/helm_install.rb +286 -0
data/lib/kdep/commands/migrate.rb +176 -71
data/lib/kdep/commands/render.rb +2 -2
data/lib/kdep/defaults.rb +6 -2
data/lib/kdep/docker.rb +57 -1
data/lib/kdep/helm.rb +34 -0
data/lib/kdep/old_format.rb +690 -9
data/lib/kdep/preset.rb +1 -1
data/lib/kdep/registry.rb +119 -3
data/lib/kdep/version.rb +1 -1
data/lib/kdep.rb +2 -0
data/templates/presets/helm +4 -0
data/templates/presets/statefulset +4 -0
data/templates/presets/statefulset_svc +5 -0
data/templates/resources/configmap.yml.erb +7 -3
data/templates/resources/cronjob.yml.erb +49 -12
data/templates/resources/deployment.yml.erb +64 -11
data/templates/resources/ingress.yml.erb +59 -13
data/templates/resources/secret.yml.erb +7 -7
data/templates/resources/service.yml.erb +26 -2
data/templates/resources/statefulset.yml.erb +125 -0
metadata +16 -10

data/lib/kdep/old_format.rb CHANGED Viewed

@@ -7,14 +7,32 @@ module Kdep
     end
     def app_name
+      # Try .app-name file in deploy dir
       name_file = File.join(@path, ".app-name")
-      raise "Missing .app-name file in #{@path}" unless File.exist?(name_file)
-      File.read(name_file).strip
+      if File.exist?(name_file)
+        return File.read(name_file).strip
+      end
+      # Try .app-name in parent dir (old pattern: repo/.app-name + repo/deploy/)
+      parent_name_file = File.join(@path, "..", ".app-name")
+      if File.exist?(parent_name_file)
+        return File.read(parent_name_file).strip
+      end
+      # Try name from app.yml config
+      cfg = config
+      return cfg["name"] if cfg["name"]
+      # Fall back to image field
+      return cfg["image"] if cfg["image"]
+      # Fall back to directory name (deploy_web -> web)
+      dirname = File.basename(@path)
+      name = dirname.sub(/\Adeploy_?/, "")
+      return name unless name.empty?
+      # "deploy" dir -> use parent dir name (repo name)
+      File.basename(File.expand_path(File.join(@path, "..")))
     end
     def config
       config_file = File.join(@path, "app.yml")
-      raise "Missing app.yml in #{@path}" unless File.exist?(config_file)
+      return {} unless File.exist?(config_file)
       content = File.read(config_file)
       if RUBY_VERSION >= "3.1"
         YAML.safe_load(content, permitted_classes: [], permitted_symbols: [], aliases: false) || {}
@@ -25,32 +43,695 @@ module Kdep
     def materialized_files
       mat_dir = materialized_dir
-      return [] unless mat_dir && File.directory?(mat_dir)
-      Dir.glob(File.join(mat_dir, "*.yml")).sort
+      if mat_dir
+        return Dir.glob(File.join(mat_dir, "*.yml")).sort
+      end
+      # Collect yml/yaml files from subdirectories (app/, config/, secrets/, net/)
+      files = []
+      Dir.entries(@path).sort.each do |entry|
+        next if entry.start_with?(".")
+        next if entry.start_with?("_")
+        subdir = File.join(@path, entry)
+        next unless File.directory?(subdir)
+        next if entry == "script"
+        next if entry == "disabled"
+        Dir.glob(File.join(subdir, "*.{yml,yaml}")).sort.each { |f| files << f }
+      end
+      files
     end
     def materialized_dir
       dir = File.join(@path, "materialized")
       return dir if File.directory?(dir)
-      # Fallback to .rendered/ directory
       dir = File.join(@path, ".rendered")
       return dir if File.directory?(dir)
       nil
     end
+    # Build a complete kdep app.yml by extracting config from materialized K8s files
     def to_kdep_config
       old = config
       result = {}
+      # Start with what's in the old app.yml
       %w[preset namespace name image registry context port replicas
-         command target env env_from resources probe domains
-         image_pull_secrets schedule].each do |key|
+         command args env env_from resources probe domains
+         image_pull_secrets image_pull_policy schedule service_port
+         ingress_name ingress_annotations ingress_class_field
+         tls_secret_name tls_hosts ssl_redirect
+         volume_mounts volumes lifecycle security_context
+         termination_grace_period container_name deployment_name
+         configmap_name secret_name service_name cronjob_name
+         restart_policy cronjob_label
+         pod_labels service_type cluster_ip service_ports
+         service_port_protocol container_port_protocol
+         suspend ingress_backend_service statefulset_name
+         secret_type].each do |key|
         result[key] = old[key] if old.key?(key)
       end
-      # Ensure name from .app-name if not in config
+      # Old format uses "target" as the preset name
+      result["preset"] ||= old["target"]
+      # Convert Hash-style domains (host => config) to Array-style
+      if result["domains"].is_a?(Hash)
+        result["domains"] = result["domains"].map do |host, cfg|
+          if cfg.is_a?(Hash) && !cfg.empty?
+            domain = { "host" => host }
+            domain["path"] = cfg["path"] if cfg["path"]
+            domain["path_type"] = cfg["path_type"] if cfg["path_type"]
+            # Per-host TLS secret
+            if cfg["tls_secret"]
+              result["tls_hosts"] ||= {}
+              result["tls_hosts"][host] = cfg["tls_secret"]
+            end
+            domain
+          else
+            host
+          end
+        end
+      end
+      # Extract missing config from materialized K8s files
+      # Save app.yml namespace, let manifest namespace take priority
+      appyml_namespace = result.delete("namespace")
+      extract_from_manifests(result)
+      # Fall back to app.yml namespace if manifests didn't have one
+      result["namespace"] ||= appyml_namespace
+      # Merge env from ConfigMap into config (for rendering)
+      manifest_env = extract_env
+      unless manifest_env.empty?
+        result["env"] = (result["env"] || {}).merge(manifest_env)
+      end
+      # Ensure name: prefer deploy metadata name > image > app_name
+      result["name"] ||= result.delete("deploy_meta_name")
       result["name"] ||= app_name
+      if result["name"].nil? || result["name"].empty?
+        result["name"] = result["image"]
+      end
       # Ensure image defaults to name
       result["image"] ||= result["name"]
+      # Resolve ingress_backend_service: if backend differs from app name
+      candidate = result.delete("_ingress_backend_service_candidate")
+      if candidate && result["name"] && candidate != result["name"]
+        result["ingress_backend_service"] = candidate
+      end
+      # Handle ingress class annotation flag
+      no_ingress_class = result.delete("_no_ingress_class_annotation")
+      if no_ingress_class && !result["ingress_class_field"]
+        # No annotation AND no ingressClassName field: tell template not to add annotation
+        result["no_ingress_class_annotation"] = true
+      elsif !no_ingress_class && result["ingress_class_field"]
+        # Has BOTH annotation and ingressClassName field: keep both
+        result["ingress_class_annotation"] = true
+      end
+      # Handle Secret-specific namespace (cross-namespace secrets)
+      sec_ns = result.delete("_secret_namespace")
+      if sec_ns && result["namespace"] && sec_ns != result["namespace"]
+        result["secret_namespace"] = sec_ns
+      end
+      # Process multi-ingress domains
+      if result["domains"].is_a?(Array)
+        hash_domains = result["domains"].select { |d| d.is_a?(Hash) }
+        # Extract common ssl_redirect to global if ALL domains share the same value
+        # Domains without ssl_redirect default to "false"
+        ssl_values = hash_domains.map { |d| d["ssl_redirect"] || "false" }.uniq
+        if ssl_values.size == 1 && ssl_values[0] != "false"
+          result["ssl_redirect"] = ssl_values[0]
+          hash_domains.each { |d| d.delete("ssl_redirect") }
+        elsif ssl_values.size == 1
+          # All default "false" - no need for global
+          hash_domains.each { |d| d.delete("ssl_redirect") }
+        end
+        # If ssl_redirect differs across groups, keep per-domain
+        # Extract common ingress_annotations to global if all annotated domains share them
+        all_annot = hash_domains.map { |d| d["ingress_annotations"] }.compact
+        if all_annot.size > 0 && all_annot.uniq.size == 1
+          result["ingress_annotations"] = all_annot[0]
+          hash_domains.each { |d| d.delete("ingress_annotations") }
+        end
+        # If annotations differ across groups, keep them per-domain
+        # Simplify: if all domains have same ingress name, remove ingress tag
+        ingress_names = hash_domains.map { |d| d["ingress"] }.compact.uniq
+        if ingress_names.size <= 1
+          # All from same ingress (or no ingress tag), simplify domains
+          result["domains"] = result["domains"].map do |d|
+            if d.is_a?(Hash)
+              d = d.dup
+              d.delete("ingress")
+              d.delete("ssl_redirect") if d["ssl_redirect"].nil?
+              d.delete("ingress_annotations") if d["ingress_annotations"].nil?
+              # Simplify to string if only host remains
+              if d.keys == ["host"]
+                d["host"]
+              else
+                d
+              end
+            else
+              d
+            end
+          end
+        end
+      end
+      # Simplify tls_hosts: if all hosts use same secret, use tls_secret_name
+      if result["tls_hosts"].is_a?(Hash) && result["tls_hosts"].size > 0
+        unique_secrets = result["tls_hosts"].values.uniq
+        if unique_secrets.size == 1
+          result["tls_secret_name"] = unique_secrets[0]
+          result.delete("tls_hosts")
+        end
+      end
+      # Clean up nil values
+      result.delete_if { |_, v| v.nil? }
       result
     end
+    # Return secrets extracted from materialized Secret manifest (already base64)
+    def extract_secrets
+      secrets = {}
+      each_manifest do |doc|
+        next unless doc["kind"] == "Secret" && doc["data"]
+        doc["data"].each do |k, v|
+          secrets[k] = v  # already base64-encoded
+        end
+      end
+      secrets
+    end
+    # Return custom resources that need to be generated as standalone templates
+    # Returns array of { kind:, doc:, file: } hashes
+    def extract_custom_resources
+      customs = []
+      each_manifest do |doc|
+        case doc["kind"]
+        when "PersistentVolumeClaim"
+          customs << { "kind" => doc["kind"], "doc" => doc }
+        when "Secret"
+          # stringData secrets are custom (not handled by standard secret template)
+          if doc["stringData"]
+            customs << { "kind" => "Secret", "doc" => doc, "subtype" => "stringData" }
+          end
+        end
+      end
+      customs
+    end
+    # Return env vars from materialized ConfigMap
+    def extract_env
+      env = {}
+      each_manifest do |doc|
+        next unless doc["kind"] == "ConfigMap" && doc["data"]
+        doc["data"].each do |k, v|
+          env[k] = v
+        end
+      end
+      env
+    end
+    private
+    def extract_from_manifests(result)
+      has_service = false
+      has_ingress = false
+      has_statefulset = false
+      has_deployment = false
+      has_cronjob = false
+      each_manifest do |doc|
+        case doc["kind"]
+        when "StatefulSet"
+          has_statefulset = true
+          extract_from_deployment(doc, result)
+        when "Deployment"
+          has_deployment = true
+          extract_from_deployment(doc, result)
+        when "Service"
+          has_service = true
+          extract_from_service(doc, result)
+        when "Ingress"
+          has_ingress = true
+          extract_from_ingress(doc, result)
+        when "CronJob"
+          has_cronjob = true
+          extract_from_cronjob(doc, result)
+        when "ConfigMap"
+          cm_name = doc.dig("metadata", "name")
+          result["configmap_name"] ||= cm_name if cm_name
+          result["namespace"] ||= doc.dig("metadata", "namespace")
+        when "Secret"
+          sec_name = doc.dig("metadata", "name")
+          result["secret_name"] ||= sec_name if sec_name
+          # Track Secret-specific namespace for cross-namespace secrets
+          sec_ns = doc.dig("metadata", "namespace")
+          result["_secret_namespace"] ||= sec_ns if sec_ns
+          result["namespace"] ||= sec_ns
+          # Extract secret type if present
+          if doc["type"] && !result["secret_type"]
+            result["secret_type"] = doc["type"]
+          end
+        end
+      end
+      # Manifest kind determines preset
+      # StatefulSet/CronJob always override since they're distinct workload types
+      if has_statefulset
+        result["preset"] = has_service ? "statefulset_svc" : "statefulset"
+      elsif has_cronjob
+        result["preset"] = "cronjob"
+      elsif has_deployment
+        # Deployment is compatible with web/worker but NOT job/cronjob
+        if result["preset"] == "job" || result["preset"] == "cronjob"
+          result["preset"] = (has_service || has_ingress) ? "web" : "worker"
+        elsif !result["preset"]
+          result["preset"] = (has_service || has_ingress) ? "web" : "worker"
+        end
+      elsif !result["preset"]
+        result["preset"] ||= "worker"
+      end
+      # Normalize non-standard preset names
+      unless Kdep::Preset::BUILT_IN.include?(result["preset"])
+        result["preset"] = (has_service || has_ingress) ? "web" : "worker"
+      end
+    end
+    def extract_from_deployment(doc, result)
+      # Name from deployment metadata (most authoritative source)
+      deploy_name = doc.dig("metadata", "name")
+      if deploy_name
+        # Strip common suffixes like "-deployment"
+        clean_name = deploy_name.sub(/-deployment\z/, "")
+        result["deploy_meta_name"] ||= clean_name
+        # Preserve original deployment name if it has a suffix
+        if deploy_name != clean_name
+          result["deployment_name"] ||= deploy_name
+        end
+      end
+      # Namespace from metadata
+      result["namespace"] ||= doc.dig("metadata", "namespace")
+      spec = doc.dig("spec") || {}
+      result["replicas"] ||= spec["replicas"]
+      # Extract pod labels (beyond standard app: name)
+      pod_labels = doc.dig("spec", "template", "metadata", "labels") || {}
+      app_label_name = result["deploy_meta_name"] || result["name"]
+      extra_labels = pod_labels.reject { |k, _| k == "app" }
+      if !extra_labels.empty? && !result["pod_labels"]
+        result["pod_labels"] = extra_labels
+      end
+      container = doc.dig("spec", "template", "spec", "containers", 0)
+      return unless container
+      # Container name (if differs from app name)
+      if container["name"] && !result["container_name"]
+        cname = container["name"]
+        # Only preserve if it differs from what we'd default to
+        meta_name = result["deploy_meta_name"] || result["name"]
+        if meta_name && cname != meta_name
+          result["container_name"] = cname
+        end
+      end
+      # Image -> extract registry
+      if container["image"]
+        img = container["image"]
+        # Split "registry/image:tag" -> registry, image
+        parts = img.split(":")
+        image_path = parts[0]  # e.g. "leadfycr.azurecr.io/msger-web"
+        if image_path.include?("/")
+          segments = image_path.split("/")
+          image_name = segments.pop
+          registry = segments.join("/")
+          result["registry"] ||= registry
+          result["image"] ||= image_name
+        end
+      end
+      # Port
+      if container["ports"] && container["ports"][0]
+        result["port"] ||= container["ports"][0]["containerPort"]
+        # Extract protocol if not TCP (default)
+        protocol = container["ports"][0]["protocol"]
+        if protocol && protocol != "TCP" && !result["container_port_protocol"]
+          result["container_port_protocol"] = protocol
+        end
+      end
+      # imagePullPolicy
+      if container["imagePullPolicy"] && !result["image_pull_policy"]
+        result["image_pull_policy"] = container["imagePullPolicy"]
+      end
+      # args
+      if container["args"] && !result["args"]
+        result["args"] = container["args"]
+      end
+      # Resources
+      if container["resources"] && !result["resources"]
+        result["resources"] = container["resources"]
+      end
+      # Probe
+      if container["livenessProbe"] && !result["probe"]
+        lp = container["livenessProbe"]
+        if lp["httpGet"]
+          result["probe"] = {
+            "path" => lp["httpGet"]["path"],
+            "port" => lp["httpGet"]["port"],
+            "initial_delay" => lp["initialDelaySeconds"],
+            "period" => lp["periodSeconds"],
+            "failure_threshold" => lp["failureThreshold"],
+            "liveness_success_threshold" => lp["successThreshold"],
+            "timeout" => lp["timeoutSeconds"]
+          }
+        end
+      end
+      # Readiness probe (may differ from liveness)
+      if container["readinessProbe"] && result["probe"]
+        rp = container["readinessProbe"]
+        result["probe"]["readiness_initial_delay"] = rp["initialDelaySeconds"]
+        result["probe"]["readiness_success_threshold"] = rp["successThreshold"]
+        if rp["httpGet"]
+          rp_path = rp["httpGet"]["path"]
+          rp_port = rp["httpGet"]["port"]
+          lp = container["livenessProbe"]
+          lp_path = lp&.dig("httpGet", "path")
+          lp_port = lp&.dig("httpGet", "port")
+          result["probe"]["readiness_path"] = rp_path if rp_path && rp_path != lp_path
+          result["probe"]["readiness_port"] = rp_port if rp_port && rp_port != lp_port
+        end
+        result["probe"]["readiness_period"] = rp["periodSeconds"] if rp["periodSeconds"] != result["probe"]["period"]
+        result["probe"]["readiness_failure_threshold"] = rp["failureThreshold"] if rp["failureThreshold"] != result["probe"]["failure_threshold"]
+        result["probe"]["readiness_timeout"] = rp["timeoutSeconds"] if rp["timeoutSeconds"] != result["probe"]["timeout"]
+      end
+      # Volume mounts
+      if container["volumeMounts"] && !result["volume_mounts"]
+        result["volume_mounts"] = container["volumeMounts"]
+      end
+      # Volumes (pod-level)
+      pod_volumes = doc.dig("spec", "template", "spec", "volumes")
+      if pod_volumes && !result["volumes"]
+        result["volumes"] = pod_volumes
+      end
+      # Lifecycle hooks
+      if container["lifecycle"] && !result["lifecycle"]
+        result["lifecycle"] = container["lifecycle"]
+      end
+      # Security context
+      if container["securityContext"] && !result["security_context"]
+        result["security_context"] = container["securityContext"]
+      end
+      # Termination grace period
+      termination = doc.dig("spec", "template", "spec", "terminationGracePeriodSeconds")
+      if termination && !result["termination_grace_period"]
+        result["termination_grace_period"] = termination
+      end
+      # Image pull secrets
+      pull_secrets = doc.dig("spec", "template", "spec", "imagePullSecrets")
+      if pull_secrets && pull_secrets[0] && !result["image_pull_secrets"]
+        result["image_pull_secrets"] = pull_secrets[0]["name"]
+      end
+      # envFrom -> preserve full list in original order
+      if container["envFrom"] && !result["env_from"]
+        refs = []
+        container["envFrom"].each do |ref|
+          if ref["configMapRef"]
+            refs << "configmap/#{ref["configMapRef"]["name"]}"
+          elsif ref["secretRef"]
+            refs << "secret/#{ref["secretRef"]["name"]}"
+          end
+        end
+        result["env_from"] = refs unless refs.empty?
+      end
+    end
+    def extract_from_cronjob(doc, result)
+      result["schedule"] ||= doc.dig("spec", "schedule")
+      # Extract suspend field
+      suspend = doc.dig("spec", "suspend")
+      if !suspend.nil? && !result.key?("suspend")
+        result["suspend"] = suspend
+      end
+      # Preserve cronjob name from metadata
+      cron_name = doc.dig("metadata", "name")
+      if cron_name && !result["cronjob_name"]
+        result["cronjob_name"] = cron_name
+        # Derive app name by stripping cronjob suffixes
+        clean = cron_name.sub(/-cron-?job\z/, "")
+        if clean != cron_name
+          result["deploy_meta_name"] ||= clean
+        end
+      end
+      # Namespace
+      result["namespace"] ||= doc.dig("metadata", "namespace")
+      # Extract cronjob template label
+      cron_label = doc.dig("spec", "jobTemplate", "spec", "template", "metadata", "labels", "cronjob")
+      if cron_label && !result["cronjob_label"]
+        result["cronjob_label"] = cron_label
+      end
+      # restartPolicy
+      restart = doc.dig("spec", "jobTemplate", "spec", "template", "spec", "restartPolicy")
+      if restart && !result["restart_policy"]
+        result["restart_policy"] = restart
+      end
+      container = doc.dig("spec", "jobTemplate", "spec", "template", "spec", "containers", 0)
+      return unless container
+      result["command"] ||= container["command"]
+      result["args"] ||= container["args"]
+      # Container name - compare against app name (stripped), not cronjob_name
+      if container["name"] && !result["container_name"]
+        app_name_candidate = result["deploy_meta_name"] || result["name"]
+        if app_name_candidate && container["name"] != app_name_candidate
+          result["container_name"] = container["name"]
+        end
+      end
+      if container["image"]
+        img = container["image"]
+        parts = img.split(":")
+        image_path = parts[0]
+        if image_path.include?("/")
+          segments = image_path.split("/")
+          image_name = segments.pop
+          registry = segments.join("/")
+          result["registry"] ||= registry
+          result["image"] ||= image_name
+        end
+      end
+      # imagePullPolicy
+      if container["imagePullPolicy"] && !result["image_pull_policy"]
+        result["image_pull_policy"] = container["imagePullPolicy"]
+      end
+      if container["resources"] && !result["resources"]
+        result["resources"] = container["resources"]
+      end
+      # Volume mounts
+      if container["volumeMounts"] && !result["volume_mounts"]
+        result["volume_mounts"] = container["volumeMounts"]
+      end
+      # Volumes (pod-level)
+      pod_volumes = doc.dig("spec", "jobTemplate", "spec", "template", "spec", "volumes")
+      if pod_volumes && !result["volumes"]
+        result["volumes"] = pod_volumes
+      end
+      # imagePullSecrets
+      pull_secrets = doc.dig("spec", "jobTemplate", "spec", "template", "spec", "imagePullSecrets")
+      if pull_secrets && pull_secrets[0] && !result["image_pull_secrets"]
+        result["image_pull_secrets"] = pull_secrets[0]["name"]
+      end
+      # envFrom
+      if container["envFrom"] && !result["env_from"]
+        refs = []
+        container["envFrom"].each do |ref|
+          if ref["configMapRef"]
+            refs << "configmap/#{ref["configMapRef"]["name"]}"
+          elsif ref["secretRef"]
+            refs << "secret/#{ref["secretRef"]["name"]}"
+          end
+        end
+        result["env_from"] = refs unless refs.empty?
+      end
+    end
+    def extract_from_service(doc, result)
+      # Preserve custom service name
+      svc_name = doc.dig("metadata", "name")
+      result["service_name"] ||= svc_name if svc_name
+      result["namespace"] ||= doc.dig("metadata", "namespace")
+      # Extract service type (NodePort, LoadBalancer, etc.)
+      svc_type = doc.dig("spec", "type")
+      if svc_type && !result["service_type"]
+        result["service_type"] = svc_type
+      end
+      # Extract clusterIP (for headless services)
+      cluster_ip = doc.dig("spec", "clusterIP")
+      if cluster_ip && !result["cluster_ip"]
+        result["cluster_ip"] = cluster_ip
+      end
+      ports = doc.dig("spec", "ports")
+      return unless ports && ports[0]
+      # Multi-port support
+      if ports.size > 1
+        # Multiple ports: save full port array
+        if !result["service_ports"]
+          result["service_ports"] = ports.map do |p|
+            sp = { "port" => p["port"], "targetPort" => p["targetPort"] || p["port"] }
+            sp["protocol"] = p["protocol"] if p["protocol"]
+            sp["name"] = p["name"] if p["name"]
+            sp
+          end
+        end
+      else
+        # Single port
+        svc_port = ports[0]["port"]
+        # If service port differs from container port, save it
+        if svc_port && result["port"] && svc_port != result["port"]
+          result["service_port"] = svc_port
+        end
+        # Extract protocol if not TCP
+        protocol = ports[0]["protocol"]
+        if protocol && protocol != "TCP" && !result["service_port_protocol"]
+          result["service_port_protocol"] = protocol
+        end
+      end
+    end
+    def extract_from_ingress(doc, result)
+      ingress_name = doc.dig("metadata", "name")
+      # Multi-ingress: accumulate domains from all ingresses
+      rules = doc.dig("spec", "rules") || []
+      # Extract backend service name from first rule (for ingress_backend_service)
+      first_backend = rules.dig(0, "http", "paths", 0, "backend", "service", "name")
+      # Detect per-ingress-specific annotations (beyond standard ones)
+      annotations = doc.dig("metadata", "annotations") || {}
+      standard = %w[kubernetes.io/ingress.class acme.cert-manager.io/http01-edit-in-place
+                     nginx.ingress.kubernetes.io/ssl-redirect]
+      per_ingress_extra = annotations.reject { |k, _| standard.include?(k) }
+      new_domains = rules.map do |r|
+        host = r["host"]
+        next nil unless host
+        path_info = r.dig("http", "paths", 0)
+        domain = { "host" => host }
+        if path_info
+          domain["path"] = path_info["path"] if path_info["path"] && path_info["path"] != "/"
+          domain["path_type"] = path_info["pathType"] if path_info["pathType"] && path_info["pathType"] != "Prefix"
+        end
+        # Tag domain with its ingress name for multi-ingress grouping
+        domain["ingress"] = ingress_name if ingress_name
+        # Store per-ingress annotations on domain
+        domain["ingress_annotations"] = per_ingress_extra unless per_ingress_extra.empty?
+        # Store per-ingress ssl-redirect if non-default
+        ssl_val = annotations["nginx.ingress.kubernetes.io/ssl-redirect"]
+        domain["ssl_redirect"] = ssl_val if ssl_val && ssl_val != "false"
+        domain
+      end.compact
+      if result["domains"]
+        # Append to existing domains (multi-ingress)
+        result["domains"].concat(new_domains)
+      else
+        result["domains"] = new_domains
+      end
+      # Detect backend service name mismatch
+      if first_backend && !result["ingress_backend_service"]
+        # Will be set later; check after name is resolved
+        result["_ingress_backend_service_candidate"] = first_backend
+      end
+      # Preserve first ingress name
+      result["ingress_name"] ||= ingress_name
+      # Namespace
+      result["namespace"] ||= doc.dig("metadata", "namespace")
+      # Detect ingressClassName vs annotation
+      ingress_class = doc.dig("spec", "ingressClassName")
+      if ingress_class
+        result["ingress_class_field"] = ingress_class
+      end
+      # Check if ingress.class annotation is absent (don't add it if not in original)
+      if !annotations.key?("kubernetes.io/ingress.class") && !result.key?("_no_ingress_class_annotation")
+        result["_no_ingress_class_annotation"] = true
+      end
+      if annotations.key?("kubernetes.io/ingress.class")
+        # Has the annotation explicitly - clear the flag
+        result.delete("_no_ingress_class_annotation")
+      end
+      # NOTE: ssl_redirect and ingress_annotations are stored per-domain (above)
+      # They will be extracted as globals in post-processing if all domains share them
+      # Preserve per-host TLS secrets
+      tls = doc.dig("spec", "tls") || []
+      tls_map = result["tls_hosts"] || {}
+      tls.each do |t|
+        secret = t["secretName"]
+        (t["hosts"] || []).each { |h| tls_map[h] = secret } if secret
+      end
+      # Store tls_hosts map - will be simplified later
+      if tls_map.size > 0
+        result["tls_hosts"] = tls_map
+      end
+    end
+    def each_manifest
+      materialized_files.each do |file|
+        content = File.read(file)
+        # Handle multi-document YAML
+        content.split(/^---\s*$/).each do |part|
+          next if part.strip.empty?
+          doc = if RUBY_VERSION >= "3.1"
+                  YAML.safe_load(part, permitted_classes: [], permitted_symbols: [], aliases: false)
+                else
+                  YAML.safe_load(part, [], [], false)
+                end
+          yield doc if doc.is_a?(Hash)
+        end
+      end
+    end
   end
 end