@meshxdata/fops 0.1.37 → 0.1.38

package/src/plugins/bundled/fops-plugin-azure/lib/azure-auth.js

@@ -13,7 +13,7 @@ export function hashContent(text) {
 }
 
 /**
- * Resolve Foundation credentials from env → .env → ~/.fops.json.
+ * Resolve Foundation credentials from env → ~/.fops.json → .env files.
  * Returns { bearerToken } or { user, password } or null.
  */
 export function resolveFoundationCreds() {
@@ -26,6 +26,25 @@ export function resolveFoundationCreds() {
     if (cfg.bearerToken?.trim()) return { bearerToken: cfg.bearerToken.trim() };
     if (cfg.user?.trim() && cfg.password) return { user: cfg.user.trim(), password: cfg.password };
   } catch { /* no fops.json */ }
+
+  // Fall back to .env files for credentials
+  const envCandidates = [pathMod.resolve(".env"), pathMod.resolve("..", ".env")];
+  try {
+    const raw = JSON.parse(fs.readFileSync(pathMod.join(os.homedir(), ".fops.json"), "utf8"));
+    if (raw?.projectRoot) envCandidates.unshift(pathMod.join(raw.projectRoot, ".env"));
+  } catch { /* ignore */ }
+  for (const ep of envCandidates) {
+    try {
+      const lines = fs.readFileSync(ep, "utf8").split("\n");
+      const get = (k) => {
+        const ln = lines.find((l) => l.startsWith(`${k}=`));
+        return ln ? ln.slice(k.length + 1).trim().replace(/^["']|["']$/g, "") : "";
+      };
+      const user = get("QA_USERNAME") || get("FOUNDATION_USERNAME");
+      const pass = get("QA_PASSWORD") || get("FOUNDATION_PASSWORD");
+      if (user && pass) return { user, password: pass };
+    } catch { /* try next */ }
+  }
   return null;
 }
 
@@ -162,7 +181,7 @@ export async function resolveRemoteAuth(opts = {}) {
 
   const creds = resolveFoundationCreds();
   let qaUser = creds?.user || process.env.QA_USERNAME || process.env.FOUNDATION_USERNAME || "operator@local";
-  let qaPass = creds?.password || process.env.QA_PASSWORD || "";
+  let qaPass = creds?.password || process.env.QA_PASSWORD || process.env.FOUNDATION_PASSWORD || "";
   let bearerToken = creds?.bearerToken || "";
 
   // 1) Use local bearer if it's a valid JWT
@@ -224,8 +243,32 @@ export async function resolveRemoteAuth(opts = {}) {
         if (resp.ok) {
           const data = await resp.json();
           if (data.access_token) {
-            log(chalk.green(`  ✓ Authenticated as ${qaUser} via Auth0`));
-            return { bearerToken: data.access_token, qaUser, qaPass, useTokenMode: true };
+            // Validate the token against the target API before committing to it.
+            // Local Auth0 config may have a different audience than the remote VM expects.
+            let tokenValid = true;
+            if (apiUrl) {
+              try {
+                const prev = process.env.NODE_TLS_REJECT_UNAUTHORIZED;
+                process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
+                try {
+                  const check = await fetch(`${apiUrl}/iam/me`, {
+                    headers: { Authorization: `Bearer ${data.access_token}` },
+                    signal: AbortSignal.timeout(8_000),
+                  });
+                  if (check.status === 401 || check.status === 403) {
+                    tokenValid = false;
+                    log(chalk.dim(`  Auth0 token rejected by API (wrong audience) — trying SSH fallback…`));
+                  }
+                } finally {
+                  if (prev === undefined) delete process.env.NODE_TLS_REJECT_UNAUTHORIZED;
+                  else process.env.NODE_TLS_REJECT_UNAUTHORIZED = prev;
+                }
+              } catch { /* network error — assume token is OK */ }
+            }
+            if (tokenValid) {
+              log(chalk.green(`  ✓ Authenticated as ${qaUser} via Auth0`));
+              return { bearerToken: data.access_token, qaUser, qaPass, useTokenMode: true };
+            }
           }
         } else {
           log(chalk.dim(`  Auth0 rejected: HTTP ${resp.status}`));

package/src/plugins/bundled/fops-plugin-azure/lib/azure-ops.js

@@ -2369,31 +2369,6 @@ export async function azureList(opts = {}) {
   let aksClusters = (fullState.azure || {}).clusters || {};
   let hasAks = Object.keys(aksClusters).length > 0;
 
-  // Always try to discover VMs from Azure (tag managed=fops) so we re-add any that were
-  // lost from local state (e.g. state file reset or edited).
-  try {
-    const execa = await lazyExeca();
-    await ensureAzCli(execa);
-    await ensureAzAuth(execa, { subscription: opts.subscription });
-    const found = await discoverVmsFromAzure(execa, { quiet: true, subscription: opts.subscription });
-    if (found > 0) {
-      console.log(OK(`  ✓ Re-discovered ${found} VM(s) from Azure`) + DIM(" (tag managed=fops)\n"));
-      ({ activeVm, vms } = listVms());
-      vmNames = Object.keys(vms);
-      fullState = readState();
-      aksClusters = (fullState.azure || {}).clusters || {};
-      hasAks = Object.keys(aksClusters).length > 0;
-    }
-  } catch { /* az not available or not authenticated */ }
-
-  if (vmNames.length === 0 && !hasAks) {
-    banner("Azure VMs");
-    hint("No VMs or clusters found in Azure.");
-    hint("Create a VM:       fops azure up <name>");
-    hint("Create a cluster:  fops azure aks up <name>\n");
-    return;
-  }
-
   // Use cache if fresh, otherwise try shared tags, then fall back to full sync
   const forceLive = opts.live;
   let cache = readCache();
@@ -2414,13 +2389,37 @@ export async function azureList(opts = {}) {
       } catch { /* tag read failed, fall through to full sync */ }
     }
 
+    // Discovery + full sync only when all caches are stale
     if (!fresh) {
+      try {
+        const execa = await lazyExeca();
+        await ensureAzCli(execa);
+        await ensureAzAuth(execa, { subscription: opts.subscription });
+        const found = await discoverVmsFromAzure(execa, { quiet: true, subscription: opts.subscription });
+        if (found > 0) {
+          console.log(OK(`  ✓ Re-discovered ${found} VM(s) from Azure`) + DIM(" (tag managed=fops)\n"));
+          ({ activeVm, vms } = listVms());
+          vmNames = Object.keys(vms);
+          fullState = readState();
+          aksClusters = (fullState.azure || {}).clusters || {};
+          hasAks = Object.keys(aksClusters).length > 0;
+        }
+      } catch { /* az not available or not authenticated */ }
+
       await azureSync({ quiet: !opts.verbose });
       cache = readCache();
       cacheSource = "live";
     }
   }
 
+  if (vmNames.length === 0 && !hasAks) {
+    banner("Azure VMs");
+    hint("No VMs or clusters found in Azure.");
+    hint("Create a VM:       fops azure up <name>");
+    hint("Create a cluster:  fops azure aks up <name>\n");
+    return;
+  }
+
   const cachedVms = cache?.vms || {};
   const cachedClusters = cache?.clusters || {};
   const cacheTime = cache?.updatedAt;

package/src/plugins/bundled/fops-plugin-azure/lib/azure-provision.js

@@ -80,7 +80,7 @@ export async function configureVm(execa, ip, user, publicUrl, { githubToken, k3s
 
   console.log(chalk.dim("  Configuring VM..."));
 
-  // Batch: sshd tuning + docker group + ownership + public URL — single SSH round-trip
+  // Batch: sshd tuning + docker group + ownership — single SSH round-trip
   const setupBatch = [
     // Speed up SSH: accept forwarded env vars, disable DNS reverse lookup
     `sudo grep -q '^AcceptEnv.*BEARER_TOKEN' /etc/ssh/sshd_config 2>/dev/null || {`,
@@ -91,22 +91,10 @@ export async function configureVm(execa, ip, user, publicUrl, { githubToken, k3s
     `}`,
     `sudo usermod -aG docker ${user} 2>/dev/null; true`,
     "sudo chown -R azureuser:azureuser /opt/foundation-compose 2>/dev/null; true",
-    `cd /opt/foundation-compose`,
-    `sed -i -e '$a\\' .env 2>/dev/null || true`,
-    `if grep -q '^FOUNDATION_PUBLIC_URL=' .env 2>/dev/null; then`,
-    `  sed -i 's|^FOUNDATION_PUBLIC_URL=.*|FOUNDATION_PUBLIC_URL=${publicUrl}|' .env;`,
-    `else`,
-    `  echo 'FOUNDATION_PUBLIC_URL=${publicUrl}' >> .env;`,
-    `fi`,
-    // Persist COMPOSE_PROFILES so k3s/watcher/traefik start on manual restarts too
-    `if grep -q '^COMPOSE_PROFILES=' .env 2>/dev/null; then`,
-    `  sed -i 's|^COMPOSE_PROFILES=.*|COMPOSE_PROFILES=k3s,traefik${dai ? ",dai" : ""}|' .env;`,
-    `else`,
-    `  echo 'COMPOSE_PROFILES=k3s,traefik${dai ? ",dai" : ""}' >> .env;`,
-    `fi`,
+    // Only inject FOUNDATION_PUBLIC_URL if not already set — never overwrite
+    `cd /opt/foundation-compose && grep -q '^FOUNDATION_PUBLIC_URL=' .env 2>/dev/null || echo 'FOUNDATION_PUBLIC_URL=${publicUrl}' >> .env`,
   ].join("\n");
   await ssh(setupBatch);
-  console.log(chalk.green(`  ✓ FOUNDATION_PUBLIC_URL=${publicUrl}`));
 
   let ghcrOk = false;
   if (githubToken) {
@@ -1057,8 +1045,33 @@ async function removeSshBypassViaRunCommand(execa, rg, vmName, sourceCidr, sub)
 // ── Step: SSH reachability ───────────────────────────────────────────────────
 
 async function vmReconcileSsh(ctx) {
-  const { execa, ip, adminUser, knockSequence, port, desiredUrl, vmName, rg, sub } = ctx;
+  const { execa, ip, adminUser, port, desiredUrl, vmName, rg, sub } = ctx;
   console.log(chalk.dim("  Checking SSH..."));
+
+  // Always fetch the knock sequence fresh from the Azure VM tag — local state can drift
+  // after state recovery or manual changes, causing knocks with the wrong sequence.
+  let knockSequence = ctx.knockSequence;
+  if (rg) {
+    try {
+      const { stdout: tagRaw } = await execa("az", [
+        "vm", "show", "-g", rg, "-n", vmName,
+        "--query", "tags.fopsKnock", "-o", "tsv", ...subArgs(sub),
+      ], { timeout: 15000, reject: false });
+      const raw = (tagRaw || "").trim().replace(/[()]/g, "");
+      if (raw) {
+        const fresh = raw.split(/[-,]/).map((s) => parseInt(s.trim(), 10)).filter((n) => Number.isInteger(n) && n > 0);
+        if (fresh.length >= 2) {
+          if (!knockSequence?.length || fresh.some((v, i) => v !== knockSequence[i])) {
+            console.log(chalk.dim("  Syncing knock sequence from Azure tag..."));
+            knockSequence = fresh;
+            ctx.knockSequence = fresh;
+            writeVmState(vmName, { knockSequence: fresh });
+          }
+        }
+      }
+    } catch { /* best-effort */ }
+  }
+
   // Close any stale mux master before probing. ControlPersist=600 keeps the SSH master
   // alive for 10 min, but if the VM rebooted its underlying TCP is broken — every probe
   // through the stale mux fails even after a successful knock. A fresh connect fixes it.
@@ -1094,15 +1107,44 @@ async function vmReconcileSsh(ctx) {
     }
   }
   if (!sshReady) {
-    console.log(chalk.yellow("  ⚠ SSH not reachable — VM may still be booting. Skipping in-guest checks."));
-    if (knockSequence?.length) {
-      console.log(chalk.dim("  If knock is enabled, the stored sequence may not match the VM (e.g. after state recovery)."));
-      console.log(chalk.dim("  Try: fops azure knock open " + ctx.vmName + "  then immediately  fops azure ssh " + ctx.vmName));
-      console.log(chalk.dim("  Or remove knock: fops azure knock disable " + ctx.vmName));
+    // Verify actual VM power state via Azure CLI — the earlier instance-view may be stale
+    if (rg) {
+      try {
+        const { stdout: showJson } = await execa("az", [
+          "vm", "show", "--resource-group", rg, "--name", vmName,
+          "--show-details", "--output", "json", ...subArgs(sub),
+        ], { timeout: 20000, reject: false });
+        const vmDetails = JSON.parse(showJson || "{}");
+        const powerState = vmDetails?.powerState || "";
+        if (powerState && !powerState.includes("running")) {
+          console.log(chalk.yellow(`  ⚠ Azure reports VM power state: ${chalk.bold(powerState)} — starting VM...`));
+          await execa("az", [
+            "vm", "start", "--resource-group", rg, "--name", vmName, "--output", "none",
+            ...subArgs(sub),
+          ], { timeout: 300000 });
+          reconcileOk("VM", "started");
+          // Give the VM a moment then retry SSH once more
+          await new Promise((r) => setTimeout(r, 10000));
+          if (knockSequence?.length) await performKnock(ip, knockSequence, { quiet: true });
+          sshReady = await waitForSsh(execa, ip, adminUser, 60000);
+        } else if (powerState) {
+          console.log(chalk.dim(`  Azure VM power state: ${powerState}`));
+        }
+      } catch {
+        // best-effort
+      }
+    }
+    if (!sshReady) {
+      console.log(chalk.yellow("  ⚠ SSH not reachable — VM may still be booting. Skipping in-guest checks."));
+      if (knockSequence?.length) {
+        console.log(chalk.dim("  If knock is enabled, the stored sequence may not match the VM (e.g. after state recovery)."));
+        console.log(chalk.dim("  Try: fops azure knock open " + ctx.vmName + "  then immediately  fops azure ssh " + ctx.vmName));
+        console.log(chalk.dim("  Or remove knock: fops azure knock disable " + ctx.vmName));
+      }
+      ctx.publicUrl = desiredUrl || buildPublicUrl(ip, port);
+      ctx.done = true;
+      return;
     }
-    ctx.publicUrl = desiredUrl || buildPublicUrl(ip, port);
-    ctx.done = true;
-    return;
   }
   reconcileOk("SSH", "reachable");
 }
@@ -1644,10 +1686,8 @@ export async function provisionVm(execa, ip, adminUser, { githubToken, branch =
   }
 
   await runScript("Cloning foundation-compose", [
-    "cp /opt/foundation-compose/.env /tmp/.env.fops-backup 2>/dev/null || true",
     "rm -rf /opt/foundation-compose",
     `git clone --branch ${branch} --depth 1 --recurse-submodules https://github.com/meshxdata/foundation-compose.git /opt/foundation-compose`,
-    "if [ -f /tmp/.env.fops-backup ]; then cp /tmp/.env.fops-backup /opt/foundation-compose/.env; rm -f /tmp/.env.fops-backup; else cp /opt/foundation-compose/.env.example /opt/foundation-compose/.env; fi",
     "mkdir -p /opt/foundation-compose/credentials",
     "touch /opt/foundation-compose/credentials/kubeconfig.yaml",
     `chown -R ${adminUser}:${adminUser} /opt/foundation-compose`,

package/src/plugins/bundled/fops-plugin-azure/lib/azure-shared-cache.js

@@ -22,7 +22,7 @@ import { readState, listVms } from "./azure-state.js";
 //   fops_by       = alessio                  (who synced)
 
 const TAG_PREFIX = "fops_";
-const TAG_MAX_AGE_MS = 10 * 60 * 1000; // 10 minutes — tags are cheaper to check
+const TAG_MAX_AGE_MS = 20 * 60 * 1000; // 20 minutes — tags are cheaper to check
 
 // ── Write: publish probe results as tags on a VM ─────────────────────────────
 

package/src/plugins/bundled/fops-plugin-azure/lib/azure-sync.js

@@ -12,7 +12,7 @@ import {
 // Stored in ~/.fops.json under azure.cache:
 //   { updatedAt, vms: { <name>: { ... } }, clusters: { <name>: { ... } } }
 
-const CACHE_MAX_AGE_MS = 5 * 60 * 1000; // 5 minutes
+const CACHE_MAX_AGE_MS = 15 * 60 * 1000; // 15 minutes
 
 // Short keys for the 6 tracked Foundation services
 const SVC_MAP = {
@@ -169,16 +169,16 @@ async function syncVms(execa) {
 
       // After a knock, iptables rule needs a moment to propagate; first SSH needs full handshake.
       // Brief delay then retry once to avoid false "unreachable" (e.g. uaenorth latency).
-      await new Promise((r) => setTimeout(r, 800));
+      await new Promise((r) => setTimeout(r, 400));
       let sshOk = false;
       for (let attempt = 0; attempt < 2; attempt++) {
         const { exitCode: sshCode } = await execa("ssh", [
           ...MUX_OPTS(vm.publicIp, DEFAULTS.adminUser),
           "-o", "BatchMode=yes",
           `${DEFAULTS.adminUser}@${vm.publicIp}`, "echo ok",
-        ], { timeout: 15000, reject: false }).catch(() => ({ exitCode: 1 }));
+        ], { timeout: 8000, reject: false }).catch(() => ({ exitCode: 1 }));
         if (sshCode === 0) { sshOk = true; break; }
-        if (attempt === 0) await new Promise((r) => setTimeout(r, 2000));
+        if (attempt === 0) await new Promise((r) => setTimeout(r, 1000));
       }
 
       if (!sshOk) {

package/src/plugins/bundled/fops-plugin-azure/lib/commands/infra-cmds.js

@@ -508,6 +508,8 @@ export function registerInfraCommands(azure) {
     .option("--github-token <token>", "GitHub PAT for Flux + GHCR pull (default: $GITHUB_TOKEN)")
     .option("--no-flux", "Skip Flux bootstrap")
     .option("--no-postgres", "Skip Postgres Flexible Server provisioning")
+    .option("--flux-local-repo <path>", "Path to local flux repo clone (auto-detected if omitted)")
+    .option("--overlay <name>", "App overlay name in flux repo (default: demo-azure)")
     .option("--dai", "Include DAI (Dashboards AI) workloads")
     .action(async (name, opts) => {
       const { aksUp } = await import("../azure-aks.js");
@@ -524,6 +526,8 @@ export function registerInfraCommands(azure) {
         githubToken: opts.githubToken,
         noFlux: opts.flux === false,
         noPostgres: opts.postgres === false,
+        fluxLocalRepo: opts.fluxLocalRepo,
+        overlay: opts.overlay,
         dai: opts.dai === true,
       });
     });

package/src/plugins/bundled/fops-plugin-azure/lib/commands/vm-cmds.js

@@ -468,12 +468,13 @@ export function registerVmCommands(azure, api, registry) {
     .description("Perform port-knock sequence to temporarily open SSH");
 
   knock
-    .command("open [name]", { isDefault: true })
+    .command("open [names...]", { isDefault: true })
     .description("Send the knock sequence — opens SSH for ~5 min")
     .option("--vm-name <name>", "Target VM (default: active VM)")
-    .action(async (name, opts) => {
+    .action(async (names, opts) => {
       const { azureKnock } = await import("../azure.js");
-      await azureKnock({ vmName: opts.vmName || name });
+      const targets = opts.vmName ? [opts.vmName] : (names.length ? names : [undefined]);
+      for (const vmName of targets) await azureKnock({ vmName });
     });
 
   knock

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/dai-backend.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: dai-backend
+  namespace: flux-system
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/dai/backend/overlays/meshx/{{OVERLAY}}
+  prune: true

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/dai-frontend.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: dai-frontend
+  namespace: flux-system
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/dai/frontend/overlays/meshx/{{OVERLAY}}
+  prune: true

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/foundation-backend.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: foundation-backend
+  namespace: flux-system
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/foundation/backend/overlays/meshx/{{OVERLAY}}
+  prune: true

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/foundation-frontend.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: foundation-frontend
+  namespace: flux-system
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/foundation/frontend/overlays/meshx/{{OVERLAY}}
+  prune: true

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/foundation-hive.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: foundation-hive
+  namespace: flux-system
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/foundation/hive/overlays/meshx/{{OVERLAY}}
+  prune: true

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/foundation-kafka.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: foundation-kafka
+  namespace: flux-system
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/foundation/kafka/overlays/meshx/{{OVERLAY}}
+  prune: true

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/foundation-meltano.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: foundation-meltano
+  namespace: flux-system
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/foundation/meltano/overlays/meshx/{{OVERLAY}}
+  prune: true

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/foundation-mlflow.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: foundation-mlflow
+  namespace: flux-system
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/foundation/mlflow/overlays/meshx/{{OVERLAY}}
+  prune: true

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/foundation-opa.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: foundation-opa
+  namespace: flux-system
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/foundation/opa/overlays/meshx/{{OVERLAY}}
+  prune: true

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/foundation-processor.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: foundation-processor
+  namespace: flux-system
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/foundation/processor/overlays/meshx/{{OVERLAY}}
+  prune: true

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/foundation-scheduler.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: foundation-scheduler
+  namespace: flux-system
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/foundation/scheduler/overlays/meshx/{{OVERLAY}}
+  prune: true

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/foundation-storage-engine.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: foundation-storage-engine
+  namespace: flux-system
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/foundation/storage-engine/overlays/meshx/{{OVERLAY}}
+  prune: true

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/foundation-trino.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: foundation-trino
+  namespace: flux-system
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/foundation/trino/overlays/meshx/{{OVERLAY}}
+  prune: true

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/foundation-watcher.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: foundation-watcher
+  namespace: flux-system
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/foundation/watcher/overlays/meshx/{{OVERLAY}}
+  prune: true

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/config/repository.yaml

@@ -0,0 +1,66 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: foundation
+  namespace: flux-system
+spec:
+  type: oci
+  interval: 1m0s
+  url: oci://meshxregistry.azurecr.io/helm
+  secretRef:
+    name: meshxregistry-helm-secret
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: foundation
+  namespace: velora
+spec:
+  type: oci
+  interval: 1m0s
+  url: oci://meshxregistry.azurecr.io/helm
+  secretRef:
+    name: meshxregistry-helm-secret
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: dai
+  namespace: velora
+spec:
+  type: oci
+  interval: 1m0s
+  url: oci://meshxregistry.azurecr.io/helm/dai
+  secretRef:
+    name: meshxregistry-helm-secret
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: hive-metastore
+  namespace: flux-system
+spec:
+  type: oci
+  interval: 1m0s
+  url: oci://meshxregistry.azurecr.io/helm
+  secretRef:
+    name: meshxregistry-helm-secret
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: trinodb
+  namespace: flux-system
+spec:
+  interval: 30m
+  url: https://trinodb.github.io/charts
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: mlflow
+  namespace: flux-system
+spec:
+  interval: 1m0s
+  url: https://community-charts.github.io/helm-charts

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/kustomization.yaml

@@ -0,0 +1,30 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - config/repository.yaml
+  - operator/acr-webhook-controller.yaml
+  - operator/kube-reflector.yaml
+  - operator/externalsecrets.yaml
+  - operator/istio.yaml
+  - operator/kafka.yaml
+  - operator/kubecost.yaml
+  - operator/spark.yaml
+  - operator/vertical-pod-autoscaler.yaml
+  - operator/prometheus-agent.yaml
+  - operator/tailscale.yaml
+  - operator/nats-server.yaml
+  - operator/reloader.yaml
+  - apps/foundation-backend.yaml
+  - apps/foundation-frontend.yaml
+  - apps/foundation-scheduler.yaml
+  - apps/foundation-processor.yaml
+  - apps/foundation-watcher.yaml
+  - apps/foundation-opa.yaml
+  - apps/foundation-meltano.yaml
+  - apps/foundation-kafka.yaml
+  - apps/foundation-hive.yaml
+  - apps/foundation-storage-engine.yaml
+  - apps/foundation-trino.yaml
+  - apps/foundation-mlflow.yaml
+  - apps/dai-backend.yaml
+  - apps/dai-frontend.yaml