@crossdelta/infrastructure 0.2.22 → 0.2.24

package/dist/helpers/discover-services.d.ts

@@ -1,18 +1,21 @@
-import type { ServiceConfig } from '../types';
+import type { K8sServiceConfig } from '../runtimes/doks/types';
 /**
- * Auto-discovers all service configurations from a directory.
- * Each .ts file (except index.ts) should export a ServiceConfig as default.
+ * Auto-discovers all K8s service configurations from infra/services directory.
+ * Each .ts file (except index.ts) should export a K8sServiceConfig as default.
+ *
+ * If a config does not specify `image`, it will be auto-generated using
+ * the registry from root package.json's `pf.registry` config.
  *
  * @param servicesDir - Path to services directory (relative to cwd or absolute)
- * @throws Error if duplicate ports are detected
+ * @throws Error if duplicate ports are detected or pf.registry is missing
  *
  * @example
  * ```typescript
- * // Relative path (resolved from process.cwd())
- * const configs = discoverServices('infra/services')
- *
- * // Absolute path
- * const configs = discoverServices('/absolute/path/to/services')
+ * // Config without image - will use pf.registry automatically
+ * const config: K8sServiceConfig = {
+ *   name: 'my-service',
+ *   containerPort: 4001,
+ * }
  * ```
  */
-export declare function discoverServices(servicesDir: string): ServiceConfig[];
+export declare function discoverServiceConfigs(servicesDir?: string): K8sServiceConfig[];

package/dist/index.cjs

@@ -289067,7 +289067,7 @@ var require_lib38 = __commonJS((exports2, module2) => {
 var require_lib39 = __commonJS((exports2, module2) => {
   var fs = require("fs");
   var { promisify } = require("util");
-  var { readFileSync } = fs;
+  var { readFileSync: readFileSync2 } = fs;
   var readFile = promisify(fs.readFile);
   var extractPath = (path, cmdshimContents) => {
     if (/[.]cmd$/.test(path)) {
@@ -289119,7 +289119,7 @@ var require_lib39 = __commonJS((exports2, module2) => {
     });
   };
   var readCmdShimSync = (path) => {
-    const contents = readFileSync(path);
+    const contents = readFileSync2(path);
     const destination = extractPath(path, contents.toString());
     if (!destination) {
       throw notaShim(path);
@@ -308309,7 +308309,7 @@ var require_getImage = __commonJS((exports2) => {
   exports2.getImageOutput = exports2.getImage = undefined;
   var pulumi = require_pulumi();
   var utilities = require_utilities();
-  function getImage(args, opts) {
+  function getImage2(args, opts) {
     args = args || {};
     opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts || {});
     return pulumi.runtime.invoke("digitalocean:index/getImage:getImage", {
@@ -308319,7 +308319,7 @@ var require_getImage = __commonJS((exports2) => {
       source: args.source
     }, opts);
   }
-  exports2.getImage = getImage;
+  exports2.getImage = getImage2;
   function getImageOutput(args, opts) {
     args = args || {};
     opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts || {});
@@ -337015,12 +337015,12 @@ var exports_lib = {};
 __export(exports_lib, {
   ghcrImage: () => ghcrImage,
   getServiceUrl: () => getServiceUrl,
-  getServicePort: () => getServicePort2,
+  getServicePort: () => getServicePort,
   getImage: () => getImage,
   filterByPlatform: () => filterByPlatform,
   ensureDot: () => ensureDot,
   dockerHubImage: () => dockerHubImage,
-  discoverServices: () => discoverServices,
+  discoverServiceConfigs: () => discoverServiceConfigs,
   deployNginxIngress: () => deployNginxIngress,
   deployNats: () => deployNats,
   deployK8sServices: () => deployK8sServices,
@@ -337081,21 +337081,67 @@ var defaultHealthCheck = {
 // lib/helpers/discover-services.ts
 var import_node_fs = require("node:fs");
 var import_node_path = require("node:path");
-function getServicePort(config) {
-  if (config.httpPort)
-    return config.httpPort;
-  const internalPorts = config.internalPorts;
-  if (internalPorts?.[0])
-    return internalPorts[0];
-  return 8080;
+
+// lib/helpers/image.ts
+var scopeImageTagsRaw = process.env.SCOPE_IMAGE_TAGS ?? "";
+var scopeImageTags = (() => {
+  if (!scopeImageTagsRaw.trim()) {
+    return {};
+  }
+  try {
+    const parsed = JSON.parse(scopeImageTagsRaw);
+    const tags = {};
+    for (const [key, value] of Object.entries(parsed ?? {})) {
+      if (typeof value === "string" && value.trim().length > 0) {
+        tags[key] = value.trim();
+      }
+    }
+    return tags;
+  } catch (error) {
+    console.warn("Unable to parse scope image tags from environment:", error);
+    return {};
+  }
+})();
+var resolveImageTag = (scopeName) => {
+  const tag = scopeImageTags[scopeName];
+  if (!tag) {
+    return "latest";
+  }
+  return tag;
+};
+var ghcrImage = (registry, serviceName) => {
+  const tag = resolveImageTag(serviceName);
+  return `ghcr.io/${registry}/${serviceName}:${tag}`;
+};
+var getImage = (registry, repository, registryCredentials) => {
+  const scopeName = repository.split("/").pop();
+  if (!scopeName) {
+    throw new Error(`Invalid repository name: ${repository}`);
+  }
+  return {
+    registryType: "GHCR",
+    registry,
+    repository,
+    registryCredentials,
+    tag: resolveImageTag(scopeName)
+  };
+};
+
+// lib/helpers/discover-services.ts
+function getRegistryFromPackageJson(workspaceRoot) {
+  const pkgPath = import_node_path.join(workspaceRoot, "package.json");
+  const pkg = JSON.parse(import_node_fs.readFileSync(pkgPath, "utf-8"));
+  if (!pkg.pf?.registry) {
+    throw new Error(`Missing "pf.registry" in ${pkgPath}. Add it to your root package.json, e.g.: "pf": { "registry": "orgname/reponame" }`);
+  }
+  return pkg.pf.registry;
 }
 function validateNoDuplicatePorts(configs) {
   const portMap = new Map;
   for (const config of configs) {
-    const port = getServicePort(config);
-    const existing = portMap.get(port) || [];
+    const existing = portMap.get(config.containerPort) || [];
     existing.push(config.name);
-    portMap.set(port, existing);
+    portMap.set(config.containerPort, existing);
   }
   const conflicts = [...portMap.entries()].filter(([, services]) => services.length > 1).map(([port, services]) => `Port ${port}: ${services.join(", ")}`);
   if (conflicts.length > 0) {
@@ -337104,13 +337150,22 @@ ${conflicts.join(`
 `)}`);
   }
 }
-function discoverServices(servicesDir) {
+function discoverServiceConfigs(servicesDir = "infra/services") {
   const resolvedDir = import_node_path.isAbsolute(servicesDir) ? servicesDir : import_node_path.resolve(process.cwd(), servicesDir);
+  const workspaceRoot = import_node_path.resolve(resolvedDir, "..", "..");
+  const registry = getRegistryFromPackageJson(workspaceRoot);
   const files = import_node_fs.readdirSync(resolvedDir).filter((file) => file.endsWith(".ts") && file !== "index.ts");
   const configs = files.map((file) => {
     const filePath = import_node_path.join(resolvedDir, file);
     const module2 = require(filePath);
-    return module2.default ?? module2;
+    const config = module2.default ?? module2;
+    if (!config.image) {
+      return {
+        ...config,
+        image: ghcrImage(registry, config.name)
+      };
+    }
+    return config;
   });
   validateNoDuplicatePorts(configs);
   return configs;
@@ -337338,50 +337393,6 @@ function buildDropletServices(options) {
 function filterByPlatform(configs, platform) {
   return configs.filter((c) => (c.platform || "app-platform") === platform);
 }
-// lib/helpers/image.ts
-var scopeImageTagsRaw = process.env.SCOPE_IMAGE_TAGS ?? "";
-var scopeImageTags = (() => {
-  if (!scopeImageTagsRaw.trim()) {
-    return {};
-  }
-  try {
-    const parsed = JSON.parse(scopeImageTagsRaw);
-    const tags = {};
-    for (const [key, value] of Object.entries(parsed ?? {})) {
-      if (typeof value === "string" && value.trim().length > 0) {
-        tags[key] = value.trim();
-      }
-    }
-    return tags;
-  } catch (error) {
-    console.warn("Unable to parse scope image tags from environment:", error);
-    return {};
-  }
-})();
-var resolveImageTag = (scopeName) => {
-  const tag = scopeImageTags[scopeName];
-  if (!tag) {
-    return "latest";
-  }
-  return tag;
-};
-var ghcrImage = (registry, serviceName) => {
-  const tag = resolveImageTag(serviceName);
-  return `ghcr.io/${registry}/${serviceName}:${tag}`;
-};
-var getImage = (registry, repository, registryCredentials) => {
-  const scopeName = repository.split("/").pop();
-  if (!scopeName) {
-    throw new Error(`Invalid repository name: ${repository}`);
-  }
-  return {
-    registryType: "GHCR",
-    registry,
-    repository,
-    registryCredentials,
-    tag: resolveImageTag(scopeName)
-  };
-};
 // lib/helpers/service-builder.ts
 function buildServices(options) {
   const { serviceConfigs, registryCredentials, logtailToken, registry } = options;
@@ -337426,7 +337437,7 @@ function buildIngressRules(serviceConfigs) {
 }
 // lib/helpers/service-runtime.ts
 var toEnvKey = (name) => name.toUpperCase().replace(/-/g, "_");
-function getServicePort2(serviceName, defaultPort = 8080) {
+function getServicePort(serviceName, defaultPort = 8080) {
   const envKey = `${toEnvKey(serviceName)}_PORT`;
   const envValue = process.env[envKey];
   if (envValue) {
@@ -337442,7 +337453,7 @@ function getServiceUrl(serviceName) {
   return process.env[envKey];
 }
 // lib/helpers/service-urls.ts
-function getServicePort3(config) {
+function getServicePort2(config) {
   if (config.httpPort)
     return config.httpPort;
   const internalPorts = config.internalPorts;
@@ -337452,7 +337463,7 @@ function getServicePort3(config) {
 }
 function buildInternalUrls(serviceConfigs) {
   return Object.fromEntries(serviceConfigs.map((config) => {
-    const url = config.internalUrl ?? `http://${config.name}:${getServicePort3(config)}`;
+    const url = config.internalUrl ?? `http://${config.name}:${getServicePort2(config)}`;
     return [config.name, url];
   }));
 }
@@ -337464,7 +337475,7 @@ function buildExternalUrls(serviceConfigs, baseUrl) {
 }
 function buildLocalUrls(serviceConfigs) {
   return Object.fromEntries(serviceConfigs.map((config) => {
-    const port = getServicePort3(config);
+    const port = getServicePort2(config);
     return [config.name, `http://localhost:${port}`];
   }));
 }
@@ -337472,14 +337483,14 @@ function buildServiceUrlEnvs(serviceConfigs) {
   return serviceConfigs.map((config) => ({
     key: `${config.name.toUpperCase().replace(/-/g, "_")}_URL`,
     scope: "RUN_TIME",
-    value: config.internalUrl ?? `http://${config.name}:${getServicePort3(config)}`
+    value: config.internalUrl ?? `http://${config.name}:${getServicePort2(config)}`
   }));
 }
 function buildServicePortEnvs(serviceConfigs) {
   return serviceConfigs.map((config) => ({
     key: `${config.name.toUpperCase().replace(/-/g, "_")}_PORT`,
     scope: "RUN_TIME",
-    value: String(getServicePort3(config))
+    value: String(getServicePort2(config))
   }));
 }
 // lib/runtimes/doks/cert-manager.ts
@@ -337844,10 +337855,7 @@ function getImagePullPolicy(image2, explicit) {
     return explicit;
   return image2.endsWith(":latest") ? "Always" : "IfNotPresent";
 }
-function deployK8sService(provider, namespace, config2) {
-  const labels = buildLabels(config2.name, config2.labels);
-  const replicas = config2.replicas ?? DEFAULTS.replicas;
-  const imagePullPolicy = getImagePullPolicy(config2.image, config2.imagePullPolicy);
+function buildEnvVars(config2) {
   const envVars = [];
   envVars.push({ name: "PORT", value: String(config2.containerPort) });
   if (config2.env) {
@@ -337855,17 +337863,7 @@ function deployK8sService(provider, namespace, config2) {
       envVars.push({ name: key, value: pulumi6.output(value) });
     }
   }
-  let secret;
-  if (config2.secrets && Object.keys(config2.secrets).length > 0) {
-    secret = new k8s5.core.v1.Secret(`${config2.name}-secret`, {
-      metadata: {
-        name: `${config2.name}-secret`,
-        namespace,
-        labels
-      },
-      type: "Opaque",
-      stringData: config2.secrets
-    }, { provider });
+  if (config2.secrets) {
     for (const key of Object.keys(config2.secrets)) {
       envVars.push({
         name: key,
@@ -337878,80 +337876,205 @@ function deployK8sService(provider, namespace, config2) {
       });
     }
   }
+  return envVars;
+}
+function createServiceSecret(provider, namespace, config2, labels) {
+  if (!config2.secrets || Object.keys(config2.secrets).length === 0) {
+    return;
+  }
+  return new k8s5.core.v1.Secret(`${config2.name}-secret`, {
+    metadata: {
+      name: `${config2.name}-secret`,
+      namespace,
+      labels
+    },
+    type: "Opaque",
+    stringData: config2.secrets
+  }, { provider });
+}
+function createServiceVolumes(provider, namespace, config2, labels) {
   const pvcs = [];
   const volumeMounts = [];
   const volumes = [];
-  if (config2.volumes) {
-    for (const vol of config2.volumes) {
-      const pvc = new k8s5.core.v1.PersistentVolumeClaim(`${config2.name}-${vol.name}`, {
-        metadata: {
-          name: `${config2.name}-${vol.name}`,
-          namespace,
-          labels
-        },
-        spec: {
-          accessModes: [vol.accessMode ?? "ReadWriteOnce"],
-          storageClassName: vol.storageClass ?? "do-block-storage",
-          resources: {
-            requests: {
-              storage: vol.size ?? "10Gi"
-            }
-          }
-        }
-      }, { provider });
-      pvcs.push(pvc);
-      volumeMounts.push({
-        name: vol.name,
-        mountPath: vol.mountPath,
-        readOnly: vol.readOnly
-      });
-      volumes.push({
-        name: vol.name,
-        persistentVolumeClaim: {
-          claimName: `${config2.name}-${vol.name}`
+  if (!config2.volumes) {
+    return { pvcs, volumeMounts, volumes };
+  }
+  for (const vol of config2.volumes) {
+    const pvc = new k8s5.core.v1.PersistentVolumeClaim(`${config2.name}-${vol.name}`, {
+      metadata: {
+        name: `${config2.name}-${vol.name}`,
+        namespace,
+        labels
+      },
+      spec: {
+        accessModes: [vol.accessMode ?? "ReadWriteOnce"],
+        storageClassName: vol.storageClass ?? "do-block-storage",
+        resources: {
+          requests: { storage: vol.size ?? "10Gi" }
         }
-      });
-    }
+      }
+    }, { provider });
+    pvcs.push(pvc);
+    volumeMounts.push({
+      name: vol.name,
+      mountPath: vol.mountPath,
+      readOnly: vol.readOnly
+    });
+    volumes.push({
+      name: vol.name,
+      persistentVolumeClaim: {
+        claimName: `${config2.name}-${vol.name}`
+      }
+    });
   }
+  return { pvcs, volumeMounts, volumes };
+}
+function buildHealthProbes(config2) {
   const healthCheck = config2.healthCheck;
-  let livenessProbe;
-  let readinessProbe;
-  if (healthCheck) {
-    const probeConfig = {
-      initialDelaySeconds: healthCheck.initialDelaySeconds ?? DEFAULTS.healthCheck.initialDelaySeconds,
-      periodSeconds: healthCheck.periodSeconds ?? DEFAULTS.healthCheck.periodSeconds,
-      failureThreshold: healthCheck.failureThreshold ?? DEFAULTS.healthCheck.failureThreshold,
-      successThreshold: healthCheck.successThreshold ?? DEFAULTS.healthCheck.successThreshold,
-      timeoutSeconds: healthCheck.timeoutSeconds ?? DEFAULTS.healthCheck.timeoutSeconds
-    };
-    if (healthCheck.httpPath) {
-      const httpGet = {
-        path: healthCheck.httpPath,
-        port: healthCheck.port ?? config2.containerPort
-      };
-      livenessProbe = { ...probeConfig, httpGet };
-      readinessProbe = { ...probeConfig, httpGet };
-    } else {
-      const tcpSocket = {
-        port: healthCheck.port ?? config2.containerPort
-      };
-      livenessProbe = { ...probeConfig, tcpSocket };
-      readinessProbe = { ...probeConfig, tcpSocket };
-    }
+  if (!healthCheck) {
+    return {};
   }
-  const resources = config2.resources ?? DEFAULTS.resources;
-  const containerPorts = [
+  const probeConfig = {
+    initialDelaySeconds: healthCheck.initialDelaySeconds ?? DEFAULTS.healthCheck.initialDelaySeconds,
+    periodSeconds: healthCheck.periodSeconds ?? DEFAULTS.healthCheck.periodSeconds,
+    failureThreshold: healthCheck.failureThreshold ?? DEFAULTS.healthCheck.failureThreshold,
+    successThreshold: healthCheck.successThreshold ?? DEFAULTS.healthCheck.successThreshold,
+    timeoutSeconds: healthCheck.timeoutSeconds ?? DEFAULTS.healthCheck.timeoutSeconds
+  };
+  if (healthCheck.httpPath) {
+    const httpGet = {
+      path: healthCheck.httpPath,
+      port: healthCheck.port ?? config2.containerPort
+    };
+    return {
+      livenessProbe: { ...probeConfig, httpGet },
+      readinessProbe: { ...probeConfig, httpGet }
+    };
+  }
+  const tcpSocket = { port: healthCheck.port ?? config2.containerPort };
+  return {
+    livenessProbe: { ...probeConfig, tcpSocket },
+    readinessProbe: { ...probeConfig, tcpSocket }
+  };
+}
+function buildContainerPorts(config2) {
+  const ports = [
     { containerPort: config2.containerPort, name: "http" }
   ];
   if (config2.additionalPorts) {
     for (const port of config2.additionalPorts) {
-      containerPorts.push({
+      ports.push({
         containerPort: port.targetPort ?? port.port,
         name: port.name,
         protocol: port.protocol ?? "TCP"
       });
     }
   }
+  return ports;
+}
+function buildServicePorts(config2) {
+  const ports = [
+    {
+      name: "http",
+      port: config2.containerPort,
+      targetPort: config2.containerPort,
+      protocol: "TCP"
+    }
+  ];
+  if (config2.additionalPorts) {
+    for (const port of config2.additionalPorts) {
+      ports.push({
+        name: port.name,
+        port: port.port,
+        targetPort: port.targetPort ?? port.port,
+        protocol: port.protocol ?? "TCP"
+      });
+    }
+  }
+  return ports;
+}
+function createServiceIngress(provider, namespace, config2, labels, service) {
+  if (!config2.ingress) {
+    return;
+  }
+  const ingressAnnotations = {
+    "kubernetes.io/ingress.class": "nginx",
+    ...config2.ingress.annotations
+  };
+  if (config2.ingress.tls?.enabled) {
+    ingressAnnotations["cert-manager.io/cluster-issuer"] = config2.ingress.tls.issuerName ?? "letsencrypt-production";
+  }
+  let ingressPath = config2.ingress.path;
+  let ingressPathType = config2.ingress.pathType ?? "Prefix";
+  const shouldStripPrefix = config2.ingress.path !== "/" && !config2.ingress.keepPrefix;
+  if (shouldStripPrefix) {
+    ingressPath = `${config2.ingress.path}(/|$)(.*)`;
+    ingressPathType = "ImplementationSpecific";
+    ingressAnnotations["nginx.ingress.kubernetes.io/use-regex"] = "true";
+    ingressAnnotations["nginx.ingress.kubernetes.io/rewrite-target"] = "/$2";
+  }
+  const createRule = (host) => ({
+    ...host && { host },
+    http: {
+      paths: [
+        {
+          path: ingressPath,
+          pathType: ingressPathType,
+          backend: {
+            service: {
+              name: config2.name,
+              port: { number: config2.containerPort }
+            }
+          }
+        }
+      ]
+    }
+  });
+  const ingressRules = [];
+  if (config2.ingress.host) {
+    ingressRules.push(createRule(config2.ingress.host));
+  } else {
+    ingressRules.push(createRule());
+  }
+  if (config2.ingress.additionalHosts) {
+    for (const additionalHost of config2.ingress.additionalHosts) {
+      ingressRules.push(createRule(additionalHost));
+    }
+  }
+  const allHosts = [
+    ...config2.ingress.host ? [config2.ingress.host] : [],
+    ...config2.ingress.additionalHosts ?? []
+  ];
+  const tlsSecretName = config2.ingress.tls?.secretName ?? `${config2.name}-tls`;
+  return new k8s5.networking.v1.Ingress(`${config2.name}-ingress`, {
+    metadata: {
+      name: config2.name,
+      namespace,
+      labels,
+      annotations: ingressAnnotations
+    },
+    spec: {
+      ...config2.ingress.tls?.enabled && allHosts.length > 0 && {
+        tls: [{ hosts: allHosts, secretName: tlsSecretName }]
+      },
+      rules: ingressRules
+    }
+  }, { provider, dependsOn: [service] });
+}
+function deployK8sService(provider, namespace, config2) {
+  if (!config2.image) {
+    throw new Error(`Missing "image" for service "${config2.name}". Either specify image explicitly or use discoverServiceConfigs() which auto-generates it from pf.registry.`);
+  }
+  const labels = buildLabels(config2.name, config2.labels);
+  const replicas = config2.replicas ?? DEFAULTS.replicas;
+  const imagePullPolicy = getImagePullPolicy(config2.image, config2.imagePullPolicy);
+  const resources = config2.resources ?? DEFAULTS.resources;
+  const secret = createServiceSecret(provider, namespace, config2, labels);
+  const envVars = buildEnvVars(config2);
+  const { pvcs, volumeMounts, volumes } = createServiceVolumes(provider, namespace, config2, labels);
+  const { livenessProbe, readinessProbe } = buildHealthProbes(config2);
+  const containerPorts = buildContainerPorts(config2);
+  const servicePorts = buildServicePorts(config2);
   const deployment = new k8s5.apps.v1.Deployment(`${config2.name}-deployment`, {
     metadata: {
       name: config2.name,
@@ -337993,24 +338116,6 @@ function deployK8sService(provider, namespace, config2) {
       }
     }
   }, { provider, dependsOn: pvcs.length > 0 ? pvcs : undefined });
-  const servicePorts = [
-    {
-      name: "http",
-      port: config2.containerPort,
-      targetPort: config2.containerPort,
-      protocol: "TCP"
-    }
-  ];
-  if (config2.additionalPorts) {
-    for (const port of config2.additionalPorts) {
-      servicePorts.push({
-        name: port.name,
-        port: port.port,
-        targetPort: port.targetPort ?? port.port,
-        protocol: port.protocol ?? "TCP"
-      });
-    }
-  }
   const service = new k8s5.core.v1.Service(`${config2.name}-service`, {
     metadata: {
       name: config2.name,
@@ -338023,77 +338128,7 @@ function deployK8sService(provider, namespace, config2) {
       ports: servicePorts
     }
   }, { provider, dependsOn: [deployment] });
-  let ingress;
-  if (config2.ingress) {
-    const ingressAnnotations = {
-      "kubernetes.io/ingress.class": "nginx",
-      ...config2.ingress.annotations
-    };
-    if (config2.ingress.tls?.enabled) {
-      ingressAnnotations["cert-manager.io/cluster-issuer"] = config2.ingress.tls.issuerName ?? "letsencrypt-production";
-    }
-    let ingressPath = config2.ingress.path;
-    let ingressPathType = config2.ingress.pathType ?? "Prefix";
-    const shouldStripPrefix = config2.ingress.path !== "/" && !config2.ingress.keepPrefix;
-    if (shouldStripPrefix) {
-      ingressPath = `${config2.ingress.path}(/|$)(.*)`;
-      ingressPathType = "ImplementationSpecific";
-      ingressAnnotations["nginx.ingress.kubernetes.io/use-regex"] = "true";
-      ingressAnnotations["nginx.ingress.kubernetes.io/rewrite-target"] = "/$2";
-    }
-    const tlsSecretName = config2.ingress.tls?.secretName ?? `${config2.name}-tls`;
-    const ingressRules = [];
-    const createRule = (host) => ({
-      ...host && { host },
-      http: {
-        paths: [
-          {
-            path: ingressPath,
-            pathType: ingressPathType,
-            backend: {
-              service: {
-                name: config2.name,
-                port: { number: config2.containerPort }
-              }
-            }
-          }
-        ]
-      }
-    });
-    if (config2.ingress.host) {
-      ingressRules.push(createRule(config2.ingress.host));
-    } else {
-      ingressRules.push(createRule());
-    }
-    if (config2.ingress.additionalHosts) {
-      for (const additionalHost of config2.ingress.additionalHosts) {
-        ingressRules.push(createRule(additionalHost));
-      }
-    }
-    const allHosts = [
-      ...config2.ingress.host ? [config2.ingress.host] : [],
-      ...config2.ingress.additionalHosts ?? []
-    ];
-    ingress = new k8s5.networking.v1.Ingress(`${config2.name}-ingress`, {
-      metadata: {
-        name: config2.name,
-        namespace,
-        labels,
-        annotations: ingressAnnotations
-      },
-      spec: {
-        ...config2.ingress.tls?.enabled && allHosts.length > 0 && {
-          tls: [
-            {
-              hosts: allHosts,
-              secretName: tlsSecretName
-            }
-          ]
-        },
-        rules: ingressRules
-      }
-    }, { provider, dependsOn: [service] });
-  }
+  const ingress = createServiceIngress(provider, namespace, config2, labels, service);
   const serviceDns = `${config2.name}.${namespace}.svc.cluster.local`;
   const internalUrl = pulumi6.output(`http://${serviceDns}:${config2.containerPort}`);
   return {

package/dist/index.js

@@ -289030,7 +289030,7 @@ var require_lib38 = __commonJS((exports, module) => {
 var require_lib39 = __commonJS((exports, module) => {
   var fs = __require("fs");
   var { promisify } = __require("util");
-  var { readFileSync } = fs;
+  var { readFileSync: readFileSync2 } = fs;
   var readFile = promisify(fs.readFile);
   var extractPath = (path, cmdshimContents) => {
     if (/[.]cmd$/.test(path)) {
@@ -289082,7 +289082,7 @@ var require_lib39 = __commonJS((exports, module) => {
     });
   };
   var readCmdShimSync = (path) => {
-    const contents = readFileSync(path);
+    const contents = readFileSync2(path);
     const destination = extractPath(path, contents.toString());
     if (!destination) {
       throw notaShim(path);
@@ -308272,7 +308272,7 @@ var require_getImage = __commonJS((exports) => {
   exports.getImageOutput = exports.getImage = undefined;
   var pulumi = require_pulumi();
   var utilities = require_utilities();
-  function getImage(args, opts) {
+  function getImage2(args, opts) {
     args = args || {};
     opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts || {});
     return pulumi.runtime.invoke("digitalocean:index/getImage:getImage", {
@@ -308282,7 +308282,7 @@ var require_getImage = __commonJS((exports) => {
       source: args.source
     }, opts);
   }
-  exports.getImage = getImage;
+  exports.getImage = getImage2;
   function getImageOutput(args, opts) {
     args = args || {};
     opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts || {});
@@ -337003,23 +337003,69 @@ var defaultHealthCheck = {
   httpPath: "/health"
 };
 // lib/helpers/discover-services.ts
-import { readdirSync } from "node:fs";
+import { readdirSync, readFileSync } from "node:fs";
 import { isAbsolute, join, resolve } from "node:path";
-function getServicePort(config) {
-  if (config.httpPort)
-    return config.httpPort;
-  const internalPorts = config.internalPorts;
-  if (internalPorts?.[0])
-    return internalPorts[0];
-  return 8080;
+
+// lib/helpers/image.ts
+var scopeImageTagsRaw = process.env.SCOPE_IMAGE_TAGS ?? "";
+var scopeImageTags = (() => {
+  if (!scopeImageTagsRaw.trim()) {
+    return {};
+  }
+  try {
+    const parsed = JSON.parse(scopeImageTagsRaw);
+    const tags = {};
+    for (const [key, value] of Object.entries(parsed ?? {})) {
+      if (typeof value === "string" && value.trim().length > 0) {
+        tags[key] = value.trim();
+      }
+    }
+    return tags;
+  } catch (error) {
+    console.warn("Unable to parse scope image tags from environment:", error);
+    return {};
+  }
+})();
+var resolveImageTag = (scopeName) => {
+  const tag = scopeImageTags[scopeName];
+  if (!tag) {
+    return "latest";
+  }
+  return tag;
+};
+var ghcrImage = (registry, serviceName) => {
+  const tag = resolveImageTag(serviceName);
+  return `ghcr.io/${registry}/${serviceName}:${tag}`;
+};
+var getImage = (registry, repository, registryCredentials) => {
+  const scopeName = repository.split("/").pop();
+  if (!scopeName) {
+    throw new Error(`Invalid repository name: ${repository}`);
+  }
+  return {
+    registryType: "GHCR",
+    registry,
+    repository,
+    registryCredentials,
+    tag: resolveImageTag(scopeName)
+  };
+};
+
+// lib/helpers/discover-services.ts
+function getRegistryFromPackageJson(workspaceRoot) {
+  const pkgPath = join(workspaceRoot, "package.json");
+  const pkg = JSON.parse(readFileSync(pkgPath, "utf-8"));
+  if (!pkg.pf?.registry) {
+    throw new Error(`Missing "pf.registry" in ${pkgPath}. Add it to your root package.json, e.g.: "pf": { "registry": "orgname/reponame" }`);
+  }
+  return pkg.pf.registry;
 }
 function validateNoDuplicatePorts(configs) {
   const portMap = new Map;
   for (const config of configs) {
-    const port = getServicePort(config);
-    const existing = portMap.get(port) || [];
+    const existing = portMap.get(config.containerPort) || [];
     existing.push(config.name);
-    portMap.set(port, existing);
+    portMap.set(config.containerPort, existing);
   }
   const conflicts = [...portMap.entries()].filter(([, services]) => services.length > 1).map(([port, services]) => `Port ${port}: ${services.join(", ")}`);
   if (conflicts.length > 0) {
@@ -337028,13 +337074,22 @@ ${conflicts.join(`
 `)}`);
   }
 }
-function discoverServices(servicesDir) {
+function discoverServiceConfigs(servicesDir = "infra/services") {
   const resolvedDir = isAbsolute(servicesDir) ? servicesDir : resolve(process.cwd(), servicesDir);
+  const workspaceRoot = resolve(resolvedDir, "..", "..");
+  const registry = getRegistryFromPackageJson(workspaceRoot);
   const files = readdirSync(resolvedDir).filter((file) => file.endsWith(".ts") && file !== "index.ts");
   const configs = files.map((file) => {
     const filePath = join(resolvedDir, file);
     const module = __require(filePath);
-    return module.default ?? module;
+    const config = module.default ?? module;
+    if (!config.image) {
+      return {
+        ...config,
+        image: ghcrImage(registry, config.name)
+      };
+    }
+    return config;
   });
   validateNoDuplicatePorts(configs);
   return configs;
@@ -337262,50 +337317,6 @@ function buildDropletServices(options) {
 function filterByPlatform(configs, platform) {
   return configs.filter((c) => (c.platform || "app-platform") === platform);
 }
-// lib/helpers/image.ts
-var scopeImageTagsRaw = process.env.SCOPE_IMAGE_TAGS ?? "";
-var scopeImageTags = (() => {
-  if (!scopeImageTagsRaw.trim()) {
-    return {};
-  }
-  try {
-    const parsed = JSON.parse(scopeImageTagsRaw);
-    const tags = {};
-    for (const [key, value] of Object.entries(parsed ?? {})) {
-      if (typeof value === "string" && value.trim().length > 0) {
-        tags[key] = value.trim();
-      }
-    }
-    return tags;
-  } catch (error) {
-    console.warn("Unable to parse scope image tags from environment:", error);
-    return {};
-  }
-})();
-var resolveImageTag = (scopeName) => {
-  const tag = scopeImageTags[scopeName];
-  if (!tag) {
-    return "latest";
-  }
-  return tag;
-};
-var ghcrImage = (registry, serviceName) => {
-  const tag = resolveImageTag(serviceName);
-  return `ghcr.io/${registry}/${serviceName}:${tag}`;
-};
-var getImage = (registry, repository, registryCredentials) => {
-  const scopeName = repository.split("/").pop();
-  if (!scopeName) {
-    throw new Error(`Invalid repository name: ${repository}`);
-  }
-  return {
-    registryType: "GHCR",
-    registry,
-    repository,
-    registryCredentials,
-    tag: resolveImageTag(scopeName)
-  };
-};
 // lib/helpers/service-builder.ts
 function buildServices(options) {
   const { serviceConfigs, registryCredentials, logtailToken, registry } = options;
@@ -337350,7 +337361,7 @@ function buildIngressRules(serviceConfigs) {
 }
 // lib/helpers/service-runtime.ts
 var toEnvKey = (name) => name.toUpperCase().replace(/-/g, "_");
-function getServicePort2(serviceName, defaultPort = 8080) {
+function getServicePort(serviceName, defaultPort = 8080) {
   const envKey = `${toEnvKey(serviceName)}_PORT`;
   const envValue = process.env[envKey];
   if (envValue) {
@@ -337366,7 +337377,7 @@ function getServiceUrl(serviceName) {
   return process.env[envKey];
 }
 // lib/helpers/service-urls.ts
-function getServicePort3(config) {
+function getServicePort2(config) {
   if (config.httpPort)
     return config.httpPort;
   const internalPorts = config.internalPorts;
@@ -337376,7 +337387,7 @@ function getServicePort3(config) {
 }
 function buildInternalUrls(serviceConfigs) {
   return Object.fromEntries(serviceConfigs.map((config) => {
-    const url = config.internalUrl ?? `http://${config.name}:${getServicePort3(config)}`;
+    const url = config.internalUrl ?? `http://${config.name}:${getServicePort2(config)}`;
     return [config.name, url];
   }));
 }
@@ -337388,7 +337399,7 @@ function buildExternalUrls(serviceConfigs, baseUrl) {
 }
 function buildLocalUrls(serviceConfigs) {
   return Object.fromEntries(serviceConfigs.map((config) => {
-    const port = getServicePort3(config);
+    const port = getServicePort2(config);
     return [config.name, `http://localhost:${port}`];
   }));
 }
@@ -337396,14 +337407,14 @@ function buildServiceUrlEnvs(serviceConfigs) {
   return serviceConfigs.map((config) => ({
     key: `${config.name.toUpperCase().replace(/-/g, "_")}_URL`,
     scope: "RUN_TIME",
-    value: config.internalUrl ?? `http://${config.name}:${getServicePort3(config)}`
+    value: config.internalUrl ?? `http://${config.name}:${getServicePort2(config)}`
   }));
 }
 function buildServicePortEnvs(serviceConfigs) {
   return serviceConfigs.map((config) => ({
     key: `${config.name.toUpperCase().replace(/-/g, "_")}_PORT`,
     scope: "RUN_TIME",
-    value: String(getServicePort3(config))
+    value: String(getServicePort2(config))
   }));
 }
 // lib/runtimes/doks/cert-manager.ts
@@ -337768,10 +337779,7 @@ function getImagePullPolicy(image2, explicit) {
     return explicit;
   return image2.endsWith(":latest") ? "Always" : "IfNotPresent";
 }
-function deployK8sService(provider, namespace, config2) {
-  const labels = buildLabels(config2.name, config2.labels);
-  const replicas = config2.replicas ?? DEFAULTS.replicas;
-  const imagePullPolicy = getImagePullPolicy(config2.image, config2.imagePullPolicy);
+function buildEnvVars(config2) {
   const envVars = [];
   envVars.push({ name: "PORT", value: String(config2.containerPort) });
   if (config2.env) {
@@ -337779,17 +337787,7 @@ function deployK8sService(provider, namespace, config2) {
       envVars.push({ name: key, value: pulumi6.output(value) });
     }
   }
-  let secret;
-  if (config2.secrets && Object.keys(config2.secrets).length > 0) {
-    secret = new k8s5.core.v1.Secret(`${config2.name}-secret`, {
-      metadata: {
-        name: `${config2.name}-secret`,
-        namespace,
-        labels
-      },
-      type: "Opaque",
-      stringData: config2.secrets
-    }, { provider });
+  if (config2.secrets) {
     for (const key of Object.keys(config2.secrets)) {
       envVars.push({
         name: key,
@@ -337802,80 +337800,205 @@ function deployK8sService(provider, namespace, config2) {
       });
     }
   }
+  return envVars;
+}
+function createServiceSecret(provider, namespace, config2, labels) {
+  if (!config2.secrets || Object.keys(config2.secrets).length === 0) {
+    return;
+  }
+  return new k8s5.core.v1.Secret(`${config2.name}-secret`, {
+    metadata: {
+      name: `${config2.name}-secret`,
+      namespace,
+      labels
+    },
+    type: "Opaque",
+    stringData: config2.secrets
+  }, { provider });
+}
+function createServiceVolumes(provider, namespace, config2, labels) {
   const pvcs = [];
   const volumeMounts = [];
   const volumes = [];
-  if (config2.volumes) {
-    for (const vol of config2.volumes) {
-      const pvc = new k8s5.core.v1.PersistentVolumeClaim(`${config2.name}-${vol.name}`, {
-        metadata: {
-          name: `${config2.name}-${vol.name}`,
-          namespace,
-          labels
-        },
-        spec: {
-          accessModes: [vol.accessMode ?? "ReadWriteOnce"],
-          storageClassName: vol.storageClass ?? "do-block-storage",
-          resources: {
-            requests: {
-              storage: vol.size ?? "10Gi"
-            }
-          }
-        }
-      }, { provider });
-      pvcs.push(pvc);
-      volumeMounts.push({
-        name: vol.name,
-        mountPath: vol.mountPath,
-        readOnly: vol.readOnly
-      });
-      volumes.push({
-        name: vol.name,
-        persistentVolumeClaim: {
-          claimName: `${config2.name}-${vol.name}`
+  if (!config2.volumes) {
+    return { pvcs, volumeMounts, volumes };
+  }
+  for (const vol of config2.volumes) {
+    const pvc = new k8s5.core.v1.PersistentVolumeClaim(`${config2.name}-${vol.name}`, {
+      metadata: {
+        name: `${config2.name}-${vol.name}`,
+        namespace,
+        labels
+      },
+      spec: {
+        accessModes: [vol.accessMode ?? "ReadWriteOnce"],
+        storageClassName: vol.storageClass ?? "do-block-storage",
+        resources: {
+          requests: { storage: vol.size ?? "10Gi" }
         }
-      });
-    }
+      }
+    }, { provider });
+    pvcs.push(pvc);
+    volumeMounts.push({
+      name: vol.name,
+      mountPath: vol.mountPath,
+      readOnly: vol.readOnly
+    });
+    volumes.push({
+      name: vol.name,
+      persistentVolumeClaim: {
+        claimName: `${config2.name}-${vol.name}`
+      }
+    });
   }
+  return { pvcs, volumeMounts, volumes };
+}
+function buildHealthProbes(config2) {
   const healthCheck = config2.healthCheck;
-  let livenessProbe;
-  let readinessProbe;
-  if (healthCheck) {
-    const probeConfig = {
-      initialDelaySeconds: healthCheck.initialDelaySeconds ?? DEFAULTS.healthCheck.initialDelaySeconds,
-      periodSeconds: healthCheck.periodSeconds ?? DEFAULTS.healthCheck.periodSeconds,
-      failureThreshold: healthCheck.failureThreshold ?? DEFAULTS.healthCheck.failureThreshold,
-      successThreshold: healthCheck.successThreshold ?? DEFAULTS.healthCheck.successThreshold,
-      timeoutSeconds: healthCheck.timeoutSeconds ?? DEFAULTS.healthCheck.timeoutSeconds
-    };
-    if (healthCheck.httpPath) {
-      const httpGet = {
-        path: healthCheck.httpPath,
-        port: healthCheck.port ?? config2.containerPort
-      };
-      livenessProbe = { ...probeConfig, httpGet };
-      readinessProbe = { ...probeConfig, httpGet };
-    } else {
-      const tcpSocket = {
-        port: healthCheck.port ?? config2.containerPort
-      };
-      livenessProbe = { ...probeConfig, tcpSocket };
-      readinessProbe = { ...probeConfig, tcpSocket };
-    }
+  if (!healthCheck) {
+    return {};
   }
-  const resources = config2.resources ?? DEFAULTS.resources;
-  const containerPorts = [
+  const probeConfig = {
+    initialDelaySeconds: healthCheck.initialDelaySeconds ?? DEFAULTS.healthCheck.initialDelaySeconds,
+    periodSeconds: healthCheck.periodSeconds ?? DEFAULTS.healthCheck.periodSeconds,
+    failureThreshold: healthCheck.failureThreshold ?? DEFAULTS.healthCheck.failureThreshold,
+    successThreshold: healthCheck.successThreshold ?? DEFAULTS.healthCheck.successThreshold,
+    timeoutSeconds: healthCheck.timeoutSeconds ?? DEFAULTS.healthCheck.timeoutSeconds
+  };
+  if (healthCheck.httpPath) {
+    const httpGet = {
+      path: healthCheck.httpPath,
+      port: healthCheck.port ?? config2.containerPort
+    };
+    return {
+      livenessProbe: { ...probeConfig, httpGet },
+      readinessProbe: { ...probeConfig, httpGet }
+    };
+  }
+  const tcpSocket = { port: healthCheck.port ?? config2.containerPort };
+  return {
+    livenessProbe: { ...probeConfig, tcpSocket },
+    readinessProbe: { ...probeConfig, tcpSocket }
+  };
+}
+function buildContainerPorts(config2) {
+  const ports = [
     { containerPort: config2.containerPort, name: "http" }
   ];
   if (config2.additionalPorts) {
     for (const port of config2.additionalPorts) {
-      containerPorts.push({
+      ports.push({
         containerPort: port.targetPort ?? port.port,
         name: port.name,
         protocol: port.protocol ?? "TCP"
       });
     }
   }
+  return ports;
+}
+function buildServicePorts(config2) {
+  const ports = [
+    {
+      name: "http",
+      port: config2.containerPort,
+      targetPort: config2.containerPort,
+      protocol: "TCP"
+    }
+  ];
+  if (config2.additionalPorts) {
+    for (const port of config2.additionalPorts) {
+      ports.push({
+        name: port.name,
+        port: port.port,
+        targetPort: port.targetPort ?? port.port,
+        protocol: port.protocol ?? "TCP"
+      });
+    }
+  }
+  return ports;
+}
+function createServiceIngress(provider, namespace, config2, labels, service) {
+  if (!config2.ingress) {
+    return;
+  }
+  const ingressAnnotations = {
+    "kubernetes.io/ingress.class": "nginx",
+    ...config2.ingress.annotations
+  };
+  if (config2.ingress.tls?.enabled) {
+    ingressAnnotations["cert-manager.io/cluster-issuer"] = config2.ingress.tls.issuerName ?? "letsencrypt-production";
+  }
+  let ingressPath = config2.ingress.path;
+  let ingressPathType = config2.ingress.pathType ?? "Prefix";
+  const shouldStripPrefix = config2.ingress.path !== "/" && !config2.ingress.keepPrefix;
+  if (shouldStripPrefix) {
+    ingressPath = `${config2.ingress.path}(/|$)(.*)`;
+    ingressPathType = "ImplementationSpecific";
+    ingressAnnotations["nginx.ingress.kubernetes.io/use-regex"] = "true";
+    ingressAnnotations["nginx.ingress.kubernetes.io/rewrite-target"] = "/$2";
+  }
+  const createRule = (host) => ({
+    ...host && { host },
+    http: {
+      paths: [
+        {
+          path: ingressPath,
+          pathType: ingressPathType,
+          backend: {
+            service: {
+              name: config2.name,
+              port: { number: config2.containerPort }
+            }
+          }
+        }
+      ]
+    }
+  });
+  const ingressRules = [];
+  if (config2.ingress.host) {
+    ingressRules.push(createRule(config2.ingress.host));
+  } else {
+    ingressRules.push(createRule());
+  }
+  if (config2.ingress.additionalHosts) {
+    for (const additionalHost of config2.ingress.additionalHosts) {
+      ingressRules.push(createRule(additionalHost));
+    }
+  }
+  const allHosts = [
+    ...config2.ingress.host ? [config2.ingress.host] : [],
+    ...config2.ingress.additionalHosts ?? []
+  ];
+  const tlsSecretName = config2.ingress.tls?.secretName ?? `${config2.name}-tls`;
+  return new k8s5.networking.v1.Ingress(`${config2.name}-ingress`, {
+    metadata: {
+      name: config2.name,
+      namespace,
+      labels,
+      annotations: ingressAnnotations
+    },
+    spec: {
+      ...config2.ingress.tls?.enabled && allHosts.length > 0 && {
+        tls: [{ hosts: allHosts, secretName: tlsSecretName }]
+      },
+      rules: ingressRules
+    }
+  }, { provider, dependsOn: [service] });
+}
+function deployK8sService(provider, namespace, config2) {
+  if (!config2.image) {
+    throw new Error(`Missing "image" for service "${config2.name}". Either specify image explicitly or use discoverServiceConfigs() which auto-generates it from pf.registry.`);
+  }
+  const labels = buildLabels(config2.name, config2.labels);
+  const replicas = config2.replicas ?? DEFAULTS.replicas;
+  const imagePullPolicy = getImagePullPolicy(config2.image, config2.imagePullPolicy);
+  const resources = config2.resources ?? DEFAULTS.resources;
+  const secret = createServiceSecret(provider, namespace, config2, labels);
+  const envVars = buildEnvVars(config2);
+  const { pvcs, volumeMounts, volumes } = createServiceVolumes(provider, namespace, config2, labels);
+  const { livenessProbe, readinessProbe } = buildHealthProbes(config2);
+  const containerPorts = buildContainerPorts(config2);
+  const servicePorts = buildServicePorts(config2);
   const deployment = new k8s5.apps.v1.Deployment(`${config2.name}-deployment`, {
     metadata: {
       name: config2.name,
@@ -337917,24 +338040,6 @@ function deployK8sService(provider, namespace, config2) {
       }
     }
   }, { provider, dependsOn: pvcs.length > 0 ? pvcs : undefined });
-  const servicePorts = [
-    {
-      name: "http",
-      port: config2.containerPort,
-      targetPort: config2.containerPort,
-      protocol: "TCP"
-    }
-  ];
-  if (config2.additionalPorts) {
-    for (const port of config2.additionalPorts) {
-      servicePorts.push({
-        name: port.name,
-        port: port.port,
-        targetPort: port.targetPort ?? port.port,
-        protocol: port.protocol ?? "TCP"
-      });
-    }
-  }
   const service = new k8s5.core.v1.Service(`${config2.name}-service`, {
     metadata: {
       name: config2.name,
@@ -337947,77 +338052,7 @@ function deployK8sService(provider, namespace, config2) {
       ports: servicePorts
     }
   }, { provider, dependsOn: [deployment] });
-  let ingress;
-  if (config2.ingress) {
-    const ingressAnnotations = {
-      "kubernetes.io/ingress.class": "nginx",
-      ...config2.ingress.annotations
-    };
-    if (config2.ingress.tls?.enabled) {
-      ingressAnnotations["cert-manager.io/cluster-issuer"] = config2.ingress.tls.issuerName ?? "letsencrypt-production";
-    }
-    let ingressPath = config2.ingress.path;
-    let ingressPathType = config2.ingress.pathType ?? "Prefix";
-    const shouldStripPrefix = config2.ingress.path !== "/" && !config2.ingress.keepPrefix;
-    if (shouldStripPrefix) {
-      ingressPath = `${config2.ingress.path}(/|$)(.*)`;
-      ingressPathType = "ImplementationSpecific";
-      ingressAnnotations["nginx.ingress.kubernetes.io/use-regex"] = "true";
-      ingressAnnotations["nginx.ingress.kubernetes.io/rewrite-target"] = "/$2";
-    }
-    const tlsSecretName = config2.ingress.tls?.secretName ?? `${config2.name}-tls`;
-    const ingressRules = [];
-    const createRule = (host) => ({
-      ...host && { host },
-      http: {
-        paths: [
-          {
-            path: ingressPath,
-            pathType: ingressPathType,
-            backend: {
-              service: {
-                name: config2.name,
-                port: { number: config2.containerPort }
-              }
-            }
-          }
-        ]
-      }
-    });
-    if (config2.ingress.host) {
-      ingressRules.push(createRule(config2.ingress.host));
-    } else {
-      ingressRules.push(createRule());
-    }
-    if (config2.ingress.additionalHosts) {
-      for (const additionalHost of config2.ingress.additionalHosts) {
-        ingressRules.push(createRule(additionalHost));
-      }
-    }
-    const allHosts = [
-      ...config2.ingress.host ? [config2.ingress.host] : [],
-      ...config2.ingress.additionalHosts ?? []
-    ];
-    ingress = new k8s5.networking.v1.Ingress(`${config2.name}-ingress`, {
-      metadata: {
-        name: config2.name,
-        namespace,
-        labels,
-        annotations: ingressAnnotations
-      },
-      spec: {
-        ...config2.ingress.tls?.enabled && allHosts.length > 0 && {
-          tls: [
-            {
-              hosts: allHosts,
-              secretName: tlsSecretName
-            }
-          ]
-        },
-        rules: ingressRules
-      }
-    }, { provider, dependsOn: [service] });
-  }
+  const ingress = createServiceIngress(provider, namespace, config2, labels, service);
   const serviceDns = `${config2.name}.${namespace}.svc.cluster.local`;
   const internalUrl = pulumi6.output(`http://${serviceDns}:${config2.containerPort}`);
   return {
@@ -338060,12 +338095,12 @@ function buildInternalUrl(serviceName, namespace, port) {
 export {
   ghcrImage,
   getServiceUrl,
-  getServicePort2 as getServicePort,
+  getServicePort,
   getImage,
   filterByPlatform,
   ensureDot,
   dockerHubImage,
-  discoverServices,
+  discoverServiceConfigs,
   deployNginxIngress,
   deployNats,
   deployK8sServices,

package/dist/runtimes/doks/types.d.ts

@@ -197,8 +197,11 @@ export interface K8sVolumeMount {
 export interface K8sServiceConfig {
     /** Unique name of the service (used for deployment, service, and labels) */
     name: string;
-    /** Container image (e.g., 'ghcr.io/orderboss/platform/storefront:latest') */
-    image: string;
+    /**
+     * Container image (e.g., 'ghcr.io/orderboss/platform/storefront:latest').
+     * If not specified, auto-generated from pf.registry config + service name.
+     */
+    image?: string;
     /** Port the container listens on */
     containerPort: number;
     /** Number of replicas (defaults to 1) */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@crossdelta/infrastructure",
-  "version": "0.2.22",
+  "version": "0.2.24",
   "type": "module",
   "license": "MIT",
   "publishConfig": {