kdep 0.3.5 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2f2546356a99516a639dc29b0d25a6494898c351a2dd40ca58a3510da93aa49d
-  data.tar.gz: ea992fe366d4d6875b1edf6d976d2c8ece688854d76dfd12ab87031c85ffda6d
+  metadata.gz: '09613eb122fcc0b4963a04b0d2d982dbd3b4a6d7c3325aebebdfad3875eb6d69'
+  data.tar.gz: 1d844ed77f42b6b50fdbdeaf3aece71e78658223571f827d5c31a9713361c4f5
 SHA512:
-  metadata.gz: 122d63cdabc4fda2ff9f7f52f546dc5288d26209ec9f7025ee93cbdd0109e4de094e37af1b5073266b6b5a5d939ca15fcd65004dc79c5eda286709bc4fb059d3
-  data.tar.gz: 2aee7b30512d9102f86bf1150b6ee5054f741497bc4009784dbaf38f2d2f222ae6b8c3a2249090c3a9dad5a31fcdf013c8c753e7f07dd761051ccc189e0450f8
+  metadata.gz: 15743ca9ed3ced89956e3b83535629d127f0c7b51378b54653d3dc4c62b4c799f63e5c28fdf760ac1c327173656741a69a8efe10b8821c4a4536e9ba06c8b11e
+  data.tar.gz: edfc8dae8a811f72fc12563f5832c253b4637e6da02bfe134b1aed19ed0ce2e830697d8631b74e18cb63d6e811b9941e5598ff915e33ac58928cb2304cf19863

data/lib/kdep/check_runner.rb

@@ -0,0 +1,52 @@
+require "open3"
+
+module Kdep
+  # Runs declarative preflight validators from app.yml's `check:` list.
+  # Each entry is `cmd: <shell-string>` plus optional `inputs: [paths]`. Paths
+  # are resolved via PathResolver. The full invocation is `sh -c "<cmd>
+  # <resolved_inputs...>"`. Any non-zero exit halts the pipeline.
+  class CheckRunner
+    class Error < StandardError; end
+
+    # Injectable runner so tests can assert argv without shelling out.
+    class << self
+      attr_accessor :runner
+    end
+    self.runner = ->(cmd) { Open3.capture3("sh", "-c", cmd) }
+
+    def initialize(checks:, path_resolver:, ui:)
+      @checks = checks || []
+      @resolver = path_resolver
+      @ui = ui
+    end
+
+    def run!
+      return true if @checks.empty?
+
+      @checks.each do |entry|
+        cmd = entry["cmd"].to_s
+        raise Error, "check entry missing 'cmd'" if cmd.empty?
+        inputs = Array(entry["inputs"]).map { |p| @resolver.resolve(p, warn_on_fallback: true) }
+        # Shell-quote each input so paths with spaces survive.
+        quoted_inputs = inputs.compact.map { |p| shell_quote(p) }
+        full_cmd = ([cmd] + quoted_inputs).join(" ")
+
+        @ui.info("check: #{full_cmd}")
+        stdout, stderr, status = self.class.runner.call(full_cmd)
+        unless status.success?
+          @ui.error("check failed: #{full_cmd}")
+          @ui.error(stderr.strip) unless stderr.strip.empty?
+          @ui.error(stdout.strip) unless stdout.strip.empty?
+          raise Error, "preflight check failed: #{full_cmd}"
+        end
+      end
+      true
+    end
+
+    private
+
+    def shell_quote(str)
+      "'#{str.to_s.gsub("'", %q('\\\\''))}'"
+    end
+  end
+end

data/lib/kdep/cli.rb

@@ -21,6 +21,7 @@ module Kdep
       "helm-install" => Commands::HelmInstall,
       "dashboard" => Commands::Dashboard,
       "doctor" => Commands::Doctor,
+      "check"  => Commands::Check,
     }.freeze
 
     def initialize(argv)

data/lib/kdep/commands/bump.rb

@@ -14,6 +14,7 @@ module Kdep
           opts.on("--no-dashboard", "Skip TUI dashboard after deploy")
           opts.on("--platform=PLATFORM", "Target platform (e.g., linux/amd64)")
           opts.on("--init-state", "Seed state.yml at 0.0 when missing (non-interactive)")
+          opts.on("--no-check", "Skip preflight check: validators")
         end
       end
 
@@ -44,7 +45,43 @@ module Kdep
 
         config = Kdep::Config.new(deploy_dir, env).load
 
-        # Step 2: Context guard (bump touches the cluster)
+        # Feature G: preflight validators. Runs for every preset, halts on
+        # first failure. --no-check skips.
+        unless @command_options[:"no-check"]
+          run_preflight_checks(config, deploy_dir, kdep_dir)
+        end
+
+        # Feature E: dispatch on preset before the docker-heavy app pipeline.
+        # Helm and custom presets don't build/push images — they route to
+        # preset-specific pipelines that keep the rest of bump's guarantees
+        # (context guard, rollout tracking, etc.).
+        preset = config["preset"]
+        if preset == "helm"
+          run_helm_pipeline(deploy_dir, env)
+          return
+        elsif preset == "custom"
+          run_custom_pipeline(deploy_dir, config, kdep_dir)
+          return
+        end
+
+        # Step 2: Local config sanity — read state.yml BEFORE touching the
+        # cluster. A missing/corrupt state.yml is a local config error and
+        # should fail fast without waking kubectl.
+        begin
+          current_tag = Kdep::State.tag(deploy_dir) || handle_missing_state(deploy_dir)
+        rescue Kdep::State::Error => e
+          @ui.error(e.message)
+          exit 1
+        end
+        # to_fix.md #3 — warn if someone has gitignored state.yml
+        require "kdep/doctor/check_state_gitignored"
+        gitignore_result = Kdep::Doctor::CheckStateGitignored.new(deploy_dir).run
+        if gitignore_result.severity == :error
+          @ui.warn(gitignore_result.message)
+          @ui.warn(gitignore_result.hint) if gitignore_result.hint
+        end
+
+        # Step 3: Context guard (bump touches the cluster)
         begin
           Kdep::ContextGuard.new(config["context"]).validate!
         rescue Kdep::Kubectl::Error => e
@@ -64,20 +101,7 @@ module Kdep
         repo_root = File.dirname(kdep_dir)
 
         begin
-          # Step 3: Read current tag from state.yml, increment minor
-          begin
-            current_tag = Kdep::State.tag(deploy_dir) || handle_missing_state(deploy_dir)
-          rescue Kdep::State::Error => e
-            @ui.error(e.message)
-            exit 1
-          end
-          # to_fix.md #3 — warn if someone has gitignored state.yml
-          require "kdep/doctor/check_state_gitignored"
-          gitignore_result = Kdep::Doctor::CheckStateGitignored.new(deploy_dir).run
-          if gitignore_result.severity == :error
-            @ui.warn(gitignore_result.message)
-            @ui.warn(gitignore_result.hint) if gitignore_result.hint
-          end
+          # Step 4: Increment minor version.
           parsed = Kdep::VersionTagger.parse(current_tag)
           next_version = parsed ? "#{parsed[0]}.#{parsed[1] + 1}" : "0.1"
           @ui.info("#{current_tag} -> #{next_version}")
@@ -192,6 +216,68 @@ module Kdep
 
       private
 
+      # Feature E: helm-preset bump = helm-install pipeline. Preflight
+      # already ran; context guard runs inside HelmInstall; rollout flush
+      # and configmap overlays are internal to it.
+      def run_helm_pipeline(deploy_dir, env)
+        deploy_arg = File.basename(deploy_dir)
+        helm_install = Kdep::Commands::HelmInstall.new(
+          global_options: @global_options,
+          command_options: { :"dry-run" => @command_options[:"dry-run"] },
+          args: env ? [deploy_arg, env] : [deploy_arg],
+        )
+        helm_install.execute
+      end
+
+      # Feature E: custom-preset bump = render + apply, no docker, no state.
+      def run_custom_pipeline(deploy_dir, config, kdep_dir)
+        # Context guard for safety.
+        begin
+          Kdep::ContextGuard.new(config["context"]).validate!
+        rescue Kdep::Kubectl::Error => e
+          @ui.error(e.message)
+          exit 1
+        end
+
+        namespace = config["namespace"]
+        repo_root = File.dirname(kdep_dir)
+        output_dir = File.join(deploy_dir, ".rendered")
+
+        writer = Kdep::Writer.new(output_dir)
+        writer.clean
+        renderer = Kdep::Renderer.new(config, deploy_dir)
+        preset_resources = Kdep::Preset.new("custom", deploy_dir).resources
+
+        preset_resources.each_with_index do |resource, idx|
+          content = renderer.render_resource(resource)
+          path = writer.write(resource, content, idx + 1)
+          @ui.file_written(path.sub(repo_root + "/", "")) if path
+        end
+
+        unless @command_options[:"dry-run"]
+          Dir.glob(File.join(output_dir, "*.yml")).sort.each do |file_path|
+            Kdep::Kubectl.apply(file_path, namespace: namespace)
+            @ui.info("applied: #{File.basename(file_path)}")
+          end
+        end
+      end
+
+      def run_preflight_checks(config, deploy_dir, kdep_dir)
+        checks = config["check"]
+        return if checks.nil? || checks.empty?
+
+        resolver = Kdep::PathResolver.new(
+          deploy_dir: deploy_dir,
+          kdep_dir: kdep_dir,
+          paths_from: config["paths_from"],
+        )
+        begin
+          Kdep::CheckRunner.new(checks: checks, path_resolver: resolver, ui: @ui).run!
+        rescue Kdep::CheckRunner::Error
+          exit 1
+        end
+      end
+
       def handle_missing_state(deploy_dir)
         if @command_options[:"init-state"]
           seed_initial_state(deploy_dir, reason: :flag)

data/lib/kdep/commands/check.rb

@@ -0,0 +1,84 @@
+require "optparse"
+
+module Kdep
+  module Commands
+    # `kdep check <deploy>` — runs preflight validators declared in app.yml's
+    # check: list. Exits 0 on success, non-zero on first failing validator.
+    class Check
+      def self.option_parser
+        OptionParser.new do |opts|
+          opts.banner = "Usage: kdep check [deploy] [env]"
+          opts.separator ""
+          opts.separator "Runs preflight validators (promtool, amtool, etc.) declared in app.yml's"
+          opts.separator "check: list. Invoked automatically by kdep bump unless --no-check is set."
+        end
+      end
+
+      def initialize(global_options:, command_options:, args:)
+        @global_options = global_options
+        @command_options = command_options
+        @args = args
+        @ui = Kdep::UI.new(color: false)
+      end
+
+      def execute
+        deploy_name = @args[0]
+        env = @args[1]
+
+        discovery = Kdep::Discovery.new
+        kdep_dir = discovery.find_kdep_dir
+        unless kdep_dir
+          @ui.error("No kdep/ directory found")
+          exit 1
+        end
+
+        deploy_dir = resolve_deploy_dir(kdep_dir, deploy_name, discovery)
+        exit 1 unless deploy_dir
+
+        config = Kdep::Config.new(deploy_dir, env).load
+        checks = config["check"]
+        if checks.nil? || checks.empty?
+          @ui.info("no check: entries declared for this deploy")
+          return
+        end
+
+        resolver = Kdep::PathResolver.new(
+          deploy_dir: deploy_dir,
+          kdep_dir: kdep_dir,
+          paths_from: config["paths_from"],
+        )
+
+        begin
+          Kdep::CheckRunner.new(checks: checks, path_resolver: resolver, ui: @ui).run!
+          @ui.success("all #{checks.size} checks passed")
+        rescue Kdep::CheckRunner::Error
+          exit 1
+        end
+      end
+
+      private
+
+      def resolve_deploy_dir(kdep_dir, deploy_name, discovery)
+        if deploy_name
+          path = File.join(kdep_dir, deploy_name)
+          unless File.directory?(path)
+            @ui.error("Deploy target not found: #{deploy_name}")
+            return nil
+          end
+          path
+        else
+          deploys = discovery.find_deploys
+          if deploys.length == 1
+            File.join(kdep_dir, deploys[0])
+          elsif deploys.length > 1
+            @ui.error("Multiple deploys found, specify one: #{deploys.join(', ')}")
+            nil
+          else
+            @ui.error("No deploy targets found in kdep/")
+            nil
+          end
+        end
+      end
+    end
+  end
+end

data/lib/kdep/commands/helm_install.rb

@@ -46,6 +46,18 @@ module Kdep
         # Load config
         config = Kdep::Config.new(@deploy_dir, env).load
         @namespace = config["namespace"]
+        @kdep_dir = kdep_dir
+        @resolver = Kdep::PathResolver.new(
+          deploy_dir: @deploy_dir,
+          kdep_dir: @kdep_dir,
+          paths_from: config["paths_from"],
+        )
+        @tracker = Kdep::RolloutTracker.new(
+          rollout_on: config["rollout_on"],
+          namespace: @namespace,
+          ui: @ui,
+          dry_run: @dry_run,
+        )
 
         unless config["preset"] == "helm"
           @ui.error("#{deploy_name} is not a helm preset (preset: #{config["preset"]})")
@@ -88,10 +100,43 @@ module Kdep
           install_chart(chart_conf)
         end
 
+        # Feature A: overlay rich config into helm-owned configmaps.
+        apply_configmap_overlays(config)
+
         # Render and apply additional k8s resources (ingress, secret, etc.)
         apply_extra_resources(config, kdep_dir)
+
+        # Feature F: flush rollout-restarts after all apply phases complete.
+        ok = @tracker.flush!
+        exit 1 if @tracker.errors? && !ok
+      end
+
+      private
+
+      def apply_configmap_overlays(config)
+        overlays = config["configmap_overlays"] || []
+        return if overlays.empty?
+
+        overlays.each do |overlay_hash|
+          overlay = Kdep::ConfigmapOverlay.new(
+            overlay_hash,
+            namespace: @namespace,
+            path_resolver: @resolver,
+            ui: @ui,
+            dry_run: @dry_run,
+          )
+          begin
+            result = overlay.apply!
+            @tracker.record_applied("configmap", overlay_hash["name"]) if result&.applied
+          rescue Kdep::ConfigmapOverlay::Error => e
+            @ui.error(e.message)
+            exit 1
+          end
+        end
       end
 
+      public
+
       private
 
       # Build a normalized list of chart configs.
@@ -108,16 +153,22 @@ module Kdep
             {
               release: c["release"] || config["name"],
               chart: c["chart"],
+              version: c["version"],
               values: c["values"],
               sets: c["sets"] || {},
             }
           end
         elsif config["chart"]
+          sets = config["sets"] || config["helm_sets"] || {}
+          if config.key?("helm_sets") && !config.key?("sets")
+            @ui.warn("helm_sets: is deprecated; use sets: (will be removed in kdep 0.5.x)")
+          end
           [{
             release: config["release"] || config["name"],
             chart: config["chart"],
+            version: config["version"],
             values: nil, # auto-detect values.yml in deploy dir
-            sets: config["helm_sets"] || {},
+            sets: sets,
           }]
         else
           []
@@ -137,7 +188,9 @@ module Kdep
           sets[key] = interpolate(value.to_s, @secrets)
         end
 
-        @ui.info("helm upgrade --install #{release} #{chart} -n #{@namespace}")
+        version = chart_conf[:version]
+        version_suffix = version ? " --version #{version}" : ""
+        @ui.info("helm upgrade --install #{release} #{chart} -n #{@namespace}#{version_suffix}")
         @ui.info("  values: #{values_file}") if values_file
         sets.each { |k, v| @ui.info("  --set #{k}=#{mask(v)}") }
 
@@ -146,6 +199,7 @@ module Kdep
             release: release,
             chart: chart,
             namespace: @namespace,
+            version: version,
             values_file: values_file,
             sets: sets,
             dry_run: @dry_run
@@ -160,13 +214,14 @@ module Kdep
 
       def resolve_values_file(explicit_name)
         if explicit_name
-          path = File.join(@deploy_dir, explicit_name)
-          return path if File.exist?(path)
+          path = @resolver.resolve(explicit_name, warn_on_fallback: true)
+          return path if path && File.exist?(path)
           @ui.warn("Values file not found: #{explicit_name}")
           return nil
         end
 
-        # Auto-detect values.yml or values.yaml
+        # Auto-detect values.yml or values.yaml in the deploy dir (not affected
+        # by paths_from: repo_root, since auto-detect is a deploy-dir contract).
         %w[values.yml values.yaml].each do |name|
           path = File.join(@deploy_dir, name)
           return path if File.exist?(path)
@@ -190,8 +245,35 @@ module Kdep
         files_written = 0
         render_errors = []
 
-        resources.each_with_index do |resource_name, idx|
-          index = idx + 1
+        next_index = 1
+        resources.each do |resource_name|
+          # Feature B: multi-ingress replaces the single built-in ingress when
+          # config["ingresses"] is set.
+          if resource_name == "ingress" && config["ingresses"]
+            begin
+              entries = renderer.render_helm_ingresses
+            rescue => e
+              render_errors << "ingress: #{e.message}"
+              next
+            end
+            entries.each do |suffix, content|
+              unless content.nil? || content.strip.empty?
+                result = validator.validate(content, "ingress")
+                unless result["valid"]
+                  result["errors"].each { |err| render_errors << "ingress[#{suffix}]: #{err}" }
+                end
+              end
+              path = writer.write_suffixed("ingress", suffix, content, next_index)
+              if path
+                @ui.file_written(path.sub(repo_root + "/", ""))
+                files_written += 1
+                next_index += 1
+              end
+            end
+            next
+          end
+
+          index = next_index
           begin
             content = renderer.render_resource(resource_name)
           rescue => e
@@ -212,6 +294,7 @@ module Kdep
           if path
             @ui.file_written(path.sub(repo_root + "/", ""))
             files_written += 1
+            next_index += 1
           end
         end
 

data/lib/kdep/config.rb

@@ -64,7 +64,31 @@ module Kdep
         result["image"] = result["name"]
       end
 
+      desugar_configmap_overlay_rollout!(result)
+
       result
     end
+
+    # Feature F sugar: `configmap_overlays[].rollout` becomes an entry in
+    # `rollout_on` with source: configmap/<overlay-name>. If an explicit
+    # rollout_on entry already exists for that source, merge targets (union,
+    # deduped). Canonical internal form is always `rollout_on`.
+    def desugar_configmap_overlay_rollout!(config)
+      overlays = config["configmap_overlays"]
+      return unless overlays.is_a?(Array)
+
+      overlays.each do |overlay|
+        next unless overlay.is_a?(Hash) && overlay["rollout"]
+        src = "configmap/#{overlay["name"]}"
+        target = overlay["rollout"]
+        config["rollout_on"] ||= []
+        existing = config["rollout_on"].find { |r| r.is_a?(Hash) && r["source"] == src }
+        if existing
+          existing["targets"] = (Array(existing["targets"]) + [target]).uniq
+        else
+          config["rollout_on"] << { "source" => src, "targets" => [target] }
+        end
+      end
+    end
   end
 end

data/lib/kdep/configmap_overlay.rb

@@ -0,0 +1,110 @@
+require "yaml"
+require "json"
+
+module Kdep
+  # Overlays rich configmap data from external files onto a helm-owned
+  # configmap. Runs after `helm upgrade --install` so the chart creates the
+  # configmap first; this module rewrites its data keys without touching
+  # helm-set labels or annotations.
+  #
+  # Two merge strategies:
+  #   replace  — fetch live configmap, replace `data:` with only the listed
+  #              keys, `kubectl apply` the full manifest back.
+  #   patch    — emit a JSON patch that adds/updates only the listed keys,
+  #              leaving any other data helm wrote intact.
+  #
+  # First-deploy safety: if the configmap does not yet exist (chart hasn't
+  # run yet), the overlay is skipped with a warning; a re-run picks it up.
+  class ConfigmapOverlay
+    class Error < StandardError; end
+
+    Result = Struct.new(:configmap_name, :applied, :skipped_reason,
+                        keyword_init: true)
+
+    def initialize(overlay, namespace:, path_resolver:, ui:, dry_run: false)
+      @overlay = overlay
+      @namespace = namespace
+      @resolver = path_resolver
+      @ui = ui
+      @dry_run = dry_run
+    end
+
+    def name
+      @overlay["name"]
+    end
+
+    def merge_strategy
+      (@overlay["merge"] || "replace").to_s
+    end
+
+    def apply!
+      case merge_strategy
+      when "replace" then apply_replace!
+      when "patch"   then apply_patch!
+      else
+        raise Error, "configmap_overlay #{name}: unknown merge strategy '#{merge_strategy}' (expected replace|patch)"
+      end
+    end
+
+    private
+
+    def data_payload
+      payload = {}
+      @overlay["data_files"].each do |key, path|
+        resolved = @resolver.resolve(path, warn_on_fallback: true)
+        raise Error, "configmap_overlay #{name}: source file not found: #{path}" unless resolved && File.exist?(resolved)
+        content = File.read(resolved)
+        raise Error, "configmap_overlay #{name}: source file is empty: #{path}" if content.empty?
+        payload[key] = content
+      end
+      payload
+    end
+
+    def apply_replace!
+      live_yaml = Kdep::Kubectl.get("configmap", name, namespace: @namespace)
+      if live_yaml.nil? || live_yaml.strip.empty?
+        @ui.warn("configmap_overlay #{name}: not yet created (first deploy); skipping")
+        return Result.new(configmap_name: name, applied: false, skipped_reason: "not_yet_created")
+      end
+
+      live = Kdep::YAMLCompat.safe_load(live_yaml)
+      raise Error, "configmap_overlay #{name}: unexpected live configmap shape" unless live.is_a?(Hash)
+      live["data"] = data_payload
+      # Strip server-side-managed fields that confuse kubectl apply.
+      if live["metadata"].is_a?(Hash)
+        %w[resourceVersion uid creationTimestamp managedFields selfLink generation].each { |k| live["metadata"].delete(k) }
+      end
+
+      require "tempfile"
+      tmp = Tempfile.new(["#{name}-overlay", ".yml"])
+      tmp.write(YAML.dump(live))
+      tmp.close
+
+      if @dry_run
+        @ui.info("[dry-run] would apply configmap_overlay #{name}")
+      else
+        Kdep::Kubectl.apply(tmp.path, namespace: @namespace)
+        @ui.info("configmap_overlay #{name}: applied (replace)")
+      end
+      Result.new(configmap_name: name, applied: true, skipped_reason: nil)
+    ensure
+      tmp&.unlink
+    end
+
+    def apply_patch!
+      ops = data_payload.map { |k, v| { "op" => "add", "path" => "/data/#{escape_patch_key(k)}", "value" => v } }
+      if @dry_run
+        @ui.info("[dry-run] would patch configmap_overlay #{name} (#{ops.size} keys)")
+      else
+        Kdep::Kubectl.patch("configmap", name, namespace: @namespace, type: "json", patch: ops.to_json)
+        @ui.info("configmap_overlay #{name}: patched (#{ops.size} keys)")
+      end
+      Result.new(configmap_name: name, applied: true, skipped_reason: nil)
+    end
+
+    # RFC 6901 JSON-pointer escaping for `/` and `~` in key names.
+    def escape_patch_key(key)
+      key.to_s.gsub("~", "~0").gsub("/", "~1")
+    end
+  end
+end

data/lib/kdep/doctor/check_state_gitignored.rb

@@ -8,12 +8,14 @@ module Kdep
 
       def run
         state_path = File.join(deploy_dir, Kdep::State::FILENAME)
-        _, status = Open3.capture2("git", "check-ignore", "-q", state_path)
+        # capture3 swallows stderr so "fatal: not a git repository" noise
+        # never reaches the user when the caller runs outside a repo.
+        _, _, status = Open3.capture3("git", "check-ignore", "-q", state_path)
         if status.success?
           Result.new(
             id: ID, severity: :error,
             message: "#{state_path} is gitignored",
-            hint: "Remove 'state.yml' from .gitignore and 'git add' the file so fresh clones see the last-deployed tag."
+            hint: "Remove 'state.yml' from any .gitignore (local or ancestor) and 'git add' the file so fresh clones see the last-deployed tag."
           )
         else
           Result.ok(ID)

data/lib/kdep/doctor.rb

@@ -5,7 +5,6 @@ require "kdep/doctor/check_state_parseable"
 require "kdep/doctor/check_state_tag_format"
 require "kdep/doctor/check_state_gitignored"
 require "kdep/doctor/check_gitignore_canonical"
-require "kdep/doctor/check_ancestor_ignores_state"
 
 module Kdep
   module Doctor
@@ -15,7 +14,6 @@ module Kdep
       CheckStateTagFormat,
       CheckStateGitignored,
       CheckGitignoreCanonical,
-      CheckAncestorIgnoresState,
     ].freeze
   end
 end

data/lib/kdep/helm.rb

@@ -4,17 +4,24 @@ module Kdep
   module Helm
     class Error < StandardError; end
 
+    class << self
+      attr_accessor :runner
+    end
+    # Default: shell out to the real helm binary.
+    self.runner = ->(*args) { Open3.capture3("helm", *args) }
+
     def self.run(*args)
-      stdout, stderr, status = Open3.capture3("helm", *args)
+      stdout, stderr, status = runner.call(*args)
       unless status.success?
         raise Error, "helm #{args.first} failed: #{stderr.strip}"
       end
       stdout
     end
 
-    # helm upgrade --install <release> <chart> -n <namespace> [-f values.yml] [--set k=v ...]
-    def self.upgrade_install(release:, chart:, namespace:, values_file: nil, sets: {}, dry_run: false)
+    # helm upgrade --install <release> <chart> -n <namespace> [--version <v>] [-f values.yml] [--set k=v ...]
+    def self.upgrade_install(release:, chart:, namespace:, version: nil, values_file: nil, sets: {}, dry_run: false)
       args = ["upgrade", "--install", release, chart, "-n", namespace]
+      args += ["--version", version] if version
       args += ["-f", values_file] if values_file
       sets.each do |key, value|
         args += ["--set", "#{key}=#{value}"]

data/lib/kdep/kubectl.rb

@@ -5,8 +5,14 @@ module Kdep
   module Kubectl
     class Error < StandardError; end
 
+    class << self
+      attr_accessor :runner
+    end
+    # Default: shell out to the real kubectl binary.
+    self.runner = ->(*args) { Open3.capture3("kubectl", *args) }
+
     def self.run(*args)
-      stdout, stderr, status = Open3.capture3("kubectl", *args)
+      stdout, stderr, status = runner.call(*args)
       unless status.success?
         raise Error, "kubectl #{args.first} failed: #{stderr.strip}"
       end
@@ -14,8 +20,7 @@ module Kdep
     end
 
     def self.run_json(*args)
-      output = run(*args, "-o", "json")
-      JSON.parse(output)
+      JSON.parse(run(*args, "-o", "json"))
     end
 
     def self.current_context
@@ -27,15 +32,30 @@ module Kdep
     end
 
     def self.diff(file_path)
-      stdout, stderr, status = Open3.capture3("kubectl", "diff", "-f", file_path)
+      stdout, stderr, status = runner.call("diff", "-f", file_path)
       case status.exitstatus
-      when 0
-        nil
-      when 1
-        stdout
-      else
-        raise Error, "kubectl diff failed (exit #{status.exitstatus}): #{stderr.strip}"
+      when 0 then nil              # no diff
+      when 1 then stdout           # diffs present on stdout
+      else raise Error, "kubectl diff failed (exit #{status.exitstatus}): #{stderr.strip}"
       end
     end
+
+    # Declarative rollout-restart helper used by Kdep::RolloutTracker (Feature F).
+    def self.rollout_restart(kind, name, namespace:)
+      run("rollout", "restart", "#{kind}/#{name}", "-n", namespace)
+    end
+
+    # JSON-patch helper used by Kdep::ConfigmapOverlay (Feature A) with merge: patch.
+    def self.patch(kind, name, namespace:, type:, patch:)
+      run("patch", kind, name, "-n", namespace, "--type", type, "-p", patch)
+    end
+
+    # Live-fetch helper. Returns nil when the resource is absent (NotFound).
+    # Caller distinguishes "not yet created" from real errors.
+    def self.get(kind, name, namespace:, output: "yaml")
+      run("get", kind, name, "-n", namespace, "-o", output)
+    rescue Error
+      nil
+    end
   end
 end

data/lib/kdep/old_format.rb

@@ -261,14 +261,20 @@ module Kdep
     # Extract the image tag from the live deploy (e.g., "0.44" from
     # "ghcr.io/org/app:0.44"). Returns nil if the tag is "latest",
     # empty, or absent. On multi-container deployments, returns the
-    # first usable tag found.
+    # first usable tag found. Uses rpartition so registry URLs with
+    # explicit ports (host:5000/org/app:0.44) aren't misparsed.
     def extracted_tag
       deployed_images.each do |img|
-        parts = img.to_s.split(":", 2)
-        next if parts.length < 2
-        tag = parts[1]
-        next if tag.nil? || tag.empty? || tag == "latest"
-        return tag
+        before, sep, after = img.to_s.rpartition(":")
+        # rpartition returns ["", "", img] when no ":" exists
+        next if sep.empty?
+        # A host:port with no tag (e.g. "host:5000/img") has sep but the
+        # "tag" part contains a "/" — not a real tag.
+        next if after.empty? || after.include?("/")
+        next if after == "latest"
+        # before will include any host:port prefix intact
+        _ = before
+        return after
       end
       nil
     end

data/lib/kdep/path_resolver.rb

@@ -0,0 +1,61 @@
+require "pathname"
+
+module Kdep
+  # Resolves user-supplied relative file paths from app.yml against either
+  # the deploy dir (default) or the repo root that contains kdep/.
+  # Mode is selected by the top-level `paths_from:` field.
+  class PathResolver
+    def initialize(deploy_dir:, kdep_dir:, paths_from:)
+      @deploy_dir = deploy_dir
+      @repo_root  = File.dirname(kdep_dir)
+      @mode       = paths_from.to_s == "repo_root" ? :repo_root : :target
+    end
+
+    # Returns the absolute filesystem path for a relative input. If the
+    # resolved path does not exist at the configured origin but DOES exist at
+    # the other origin, resolves at the other and optionally warns — this
+    # catches the common "forgot paths_from: repo_root" mistake.
+    def resolve(path, warn_on_fallback: false)
+      return nil if path.nil?
+      return path if Pathname.new(path).absolute?
+
+      primary = File.expand_path(path, primary_base)
+      return primary if File.exist?(primary)
+
+      fallback = File.expand_path(path, fallback_base)
+      if File.exist?(fallback)
+        if warn_on_fallback
+          warn "path '#{path}' not found under #{@mode}; falling back to #{other_mode}. " \
+               "Set paths_from: #{other_mode} or fix the path."
+        end
+        return fallback
+      end
+
+      primary
+    end
+
+    # Checks either origin. Used by validators that don't care WHICH origin
+    # holds the file, only that it exists somewhere sensible.
+    def exists?(path)
+      return false if path.nil?
+      return File.exist?(path) if Pathname.new(path).absolute?
+
+      File.exist?(File.expand_path(path, primary_base)) ||
+        File.exist?(File.expand_path(path, fallback_base))
+    end
+
+    private
+
+    def primary_base
+      @mode == :repo_root ? @repo_root : @deploy_dir
+    end
+
+    def fallback_base
+      @mode == :repo_root ? @deploy_dir : @repo_root
+    end
+
+    def other_mode
+      @mode == :repo_root ? :target : :repo_root
+    end
+  end
+end

data/lib/kdep/renderer.rb

@@ -28,6 +28,28 @@ module Kdep
       erb.result(context.get_binding)
     end
 
+    # Feature B: render N Ingress resources from config["ingresses"].
+    # Returns [[suffix, yaml], ...] so the caller can emit multiple files.
+    def render_helm_ingresses
+      entries = @config["ingresses"] || []
+      return [] if entries.empty?
+
+      template_path = File.join(Kdep.templates_dir, "resources", "helm_ingress.yml.erb")
+      raise "helm_ingress template not found at #{template_path}" unless File.exist?(template_path)
+      template_content = File.read(template_path)
+      erb = if RUBY_VERSION >= "2.6"
+              ERB.new(template_content, trim_mode: "-")
+            else
+              ERB.new(template_content, nil, "-")
+            end
+
+      entries.map do |ingress|
+        context = TemplateContext.new(@config)
+        context.instance_variable_set(:@ingress, ingress)
+        [ingress["name"], erb.result(context.get_binding)]
+      end
+    end
+
     private
 
     def resolve_template(resource_name)

data/lib/kdep/rollout_tracker.rb

@@ -0,0 +1,62 @@
+require "set"
+
+module Kdep
+  # Declarative rollout-restart triggers. Phases that apply resources register
+  # sources; at end of run the tracker looks up matching rollout_on rules and
+  # restarts the unique set of targets once.
+  #
+  # sources are "kind/name" (configmap, secret).
+  # targets are "kind/name" (deployment, statefulset, daemonset).
+  class RolloutTracker
+    class Error < StandardError; end
+
+    def initialize(rollout_on:, namespace:, ui:, dry_run: false)
+      @rules = rollout_on || []
+      @namespace = namespace
+      @ui = ui
+      @dry_run = dry_run
+      @applied = Set.new
+      @errors = []
+    end
+
+    def record_applied(kind, name)
+      @applied << "#{kind.to_s.downcase}/#{name}"
+    end
+
+    def flush!
+      targets = Set.new
+      @rules.each do |rule|
+        src = normalize(rule["source"])
+        next unless @applied.include?(src)
+        Array(rule["targets"]).each { |t| targets << normalize(t) }
+      end
+
+      targets.sort.each do |target|
+        kind, name = target.split("/", 2)
+        if @dry_run
+          @ui.info("[dry-run] would rollout-restart #{kind}/#{name}")
+          next
+        end
+        begin
+          Kdep::Kubectl.rollout_restart(kind, name, namespace: @namespace)
+          @ui.info("rollout-restarted #{kind}/#{name}")
+        rescue Kdep::Kubectl::Error => e
+          @errors << "#{kind}/#{name}: #{e.message}"
+          @ui.error("rollout-restart failed for #{kind}/#{name}: #{e.message}")
+        end
+      end
+
+      @errors.empty?
+    end
+
+    def errors?
+      !@errors.empty?
+    end
+
+    private
+
+    def normalize(s)
+      s.to_s.downcase
+    end
+  end
+end

data/lib/kdep/version.rb

@@ -1,3 +1,3 @@
 module Kdep
-  VERSION = "0.3.5"
+  VERSION = "0.4.0"
 end

data/lib/kdep/writer.rb

@@ -22,5 +22,17 @@ module Kdep
       File.write(path, content)
       path
     end
+
+    # Used by Feature B (multi-ingress): one logical resource "ingress"
+    # emits N files named NN-ingress-<suffix>.yml so kubectl apply diffs
+    # them independently.
+    def write_suffixed(base_name, suffix, content, index)
+      return nil if content.nil? || content.strip.empty?
+      FileUtils.mkdir_p(@output_dir)
+      filename = format("%02d-%s-%s.yml", index, base_name, suffix)
+      path = File.join(@output_dir, filename)
+      File.write(path, content)
+      path
+    end
   end
 end

data/lib/kdep.rb

@@ -18,6 +18,10 @@ require "kdep/helm"
 require "kdep/registry"
 require "kdep/version_tagger"
 require "kdep/state"
+require "kdep/path_resolver"
+require "kdep/configmap_overlay"
+require "kdep/rollout_tracker"
+require "kdep/check_runner"
 require "kdep/doctor"
 require "kdep/commands/render"
 require "kdep/commands/init"
@@ -37,6 +41,7 @@ require "kdep/commands/migrate"
 require "kdep/commands/helm_install"
 require "kdep/commands/dashboard"
 require "kdep/commands/doctor"
+require "kdep/commands/check"
 require "kdep/dashboard/screen"
 require "kdep/dashboard/layout"
 require "kdep/dashboard/panel"

data/templates/resources/helm_ingress.yml.erb

@@ -0,0 +1,43 @@
+<%
+  raise "helm_ingress template requires @ingress (single entry)" unless @ingress
+  ingress = @ingress
+  ingress_name = "ingress-#{ingress["name"]}"
+  default_annotations = {
+    "kubernetes.io/ingress.class" => "nginx",
+    "cert-manager.io/cluster-issuer" => "letsencrypt",
+  }
+  if ingress["auth_secret"] && !ingress["auth_secret"].to_s.empty?
+    default_annotations["nginx.ingress.kubernetes.io/auth-type"] = "basic"
+    default_annotations["nginx.ingress.kubernetes.io/auth-secret"] = ingress["auth_secret"]
+    default_annotations["nginx.ingress.kubernetes.io/auth-realm"] = "Auth required"
+  end
+  user_annotations = ingress["annotations"].is_a?(Hash) ? ingress["annotations"] : {}
+  annotations = default_annotations.merge(user_annotations)
+  path = ingress["path"] || "/"
+  path_type = ingress["path_type"] || "Prefix"
+-%>
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: <%= ingress_name %>
+  namespace: <%= namespace %>
+  annotations:
+<% annotations.each do |k, v| -%>
+    <%= k %>: "<%= v %>"
+<% end -%>
+spec:
+  tls:
+    - hosts:
+        - <%= ingress["host"] %>
+      secretName: <%= ingress["tls_secret"] %>
+  rules:
+    - host: <%= ingress["host"] %>
+      http:
+        paths:
+          - path: <%= path %>
+            pathType: <%= path_type %>
+            backend:
+              service:
+                name: <%= ingress["service"] %>
+                port:
+                  number: <%= ingress["port"] %>

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: kdep
 version: !ruby/object:Gem::Version
-  version: 0.3.5
+  version: 0.4.0
 platform: ruby
 authors:
 - Leadfy
@@ -63,11 +63,13 @@ files:
 - LICENSE.txt
 - exe/kdep
 - lib/kdep.rb
+- lib/kdep/check_runner.rb
 - lib/kdep/cli.rb
 - lib/kdep/cluster_health.rb
 - lib/kdep/commands/apply.rb
 - lib/kdep/commands/build.rb
 - lib/kdep/commands/bump.rb
+- lib/kdep/commands/check.rb
 - lib/kdep/commands/dashboard.rb
 - lib/kdep/commands/diff.rb
 - lib/kdep/commands/doctor.rb
@@ -84,6 +86,7 @@ files:
 - lib/kdep/commands/sh.rb
 - lib/kdep/commands/status.rb
 - lib/kdep/config.rb
+- lib/kdep/configmap_overlay.rb
 - lib/kdep/context_guard.rb
 - lib/kdep/dashboard.rb
 - lib/kdep/dashboard/health_panel.rb
@@ -98,7 +101,6 @@ files:
 - lib/kdep/docker.rb
 - lib/kdep/doctor.rb
 - lib/kdep/doctor/check.rb
-- lib/kdep/doctor/check_ancestor_ignores_state.rb
 - lib/kdep/doctor/check_gitignore_canonical.rb
 - lib/kdep/doctor/check_state_gitignored.rb
 - lib/kdep/doctor/check_state_parseable.rb
@@ -108,9 +110,11 @@ files:
 - lib/kdep/helm.rb
 - lib/kdep/kubectl.rb
 - lib/kdep/old_format.rb
+- lib/kdep/path_resolver.rb
 - lib/kdep/preset.rb
 - lib/kdep/registry.rb
 - lib/kdep/renderer.rb
+- lib/kdep/rollout_tracker.rb
 - lib/kdep/state.rb
 - lib/kdep/template_context.rb
 - lib/kdep/ui.rb
@@ -134,6 +138,7 @@ files:
 - templates/resources/configmap.yml.erb
 - templates/resources/cronjob.yml.erb
 - templates/resources/deployment.yml.erb
+- templates/resources/helm_ingress.yml.erb
 - templates/resources/ingress.yml.erb
 - templates/resources/job.yml.erb
 - templates/resources/secret.yml.erb

data/lib/kdep/doctor/check_ancestor_ignores_state.rb

@@ -1,26 +0,0 @@
-require "open3"
-require "kdep/state"
-
-module Kdep
-  module Doctor
-    class CheckAncestorIgnoresState < Check
-      ID = "ancestor_ignores_state".freeze
-
-      def run
-        state_path = File.join(deploy_dir, Kdep::State::FILENAME)
-        _, status = Open3.capture2("git", "check-ignore", "-v", state_path)
-        if status.success?
-          Result.new(
-            id: ID, severity: :error,
-            message: "An ancestor .gitignore is ignoring #{state_path}",
-            hint: "Run 'git check-ignore -v #{state_path}' to find which file, then remove the pattern."
-          )
-        else
-          Result.ok(ID)
-        end
-      rescue Errno::ENOENT
-        Result.ok(ID)
-      end
-    end
-  end
-end