@meshxdata/fops 0.1.37 → 0.1.39

package/src/plugins/bundled/fops-plugin-azure/lib/azure-ops.js

@@ -2369,31 +2369,6 @@ export async function azureList(opts = {}) {
   let aksClusters = (fullState.azure || {}).clusters || {};
   let hasAks = Object.keys(aksClusters).length > 0;
 
-  // Always try to discover VMs from Azure (tag managed=fops) so we re-add any that were
-  // lost from local state (e.g. state file reset or edited).
-  try {
-    const execa = await lazyExeca();
-    await ensureAzCli(execa);
-    await ensureAzAuth(execa, { subscription: opts.subscription });
-    const found = await discoverVmsFromAzure(execa, { quiet: true, subscription: opts.subscription });
-    if (found > 0) {
-      console.log(OK(`  ✓ Re-discovered ${found} VM(s) from Azure`) + DIM(" (tag managed=fops)\n"));
-      ({ activeVm, vms } = listVms());
-      vmNames = Object.keys(vms);
-      fullState = readState();
-      aksClusters = (fullState.azure || {}).clusters || {};
-      hasAks = Object.keys(aksClusters).length > 0;
-    }
-  } catch { /* az not available or not authenticated */ }
-
-  if (vmNames.length === 0 && !hasAks) {
-    banner("Azure VMs");
-    hint("No VMs or clusters found in Azure.");
-    hint("Create a VM:       fops azure up <name>");
-    hint("Create a cluster:  fops azure aks up <name>\n");
-    return;
-  }
-
   // Use cache if fresh, otherwise try shared tags, then fall back to full sync
   const forceLive = opts.live;
   let cache = readCache();
@@ -2414,13 +2389,37 @@ export async function azureList(opts = {}) {
       } catch { /* tag read failed, fall through to full sync */ }
     }
 
+    // Discovery + full sync only when all caches are stale
     if (!fresh) {
+      try {
+        const execa = await lazyExeca();
+        await ensureAzCli(execa);
+        await ensureAzAuth(execa, { subscription: opts.subscription });
+        const found = await discoverVmsFromAzure(execa, { quiet: true, subscription: opts.subscription });
+        if (found > 0) {
+          console.log(OK(`  ✓ Re-discovered ${found} VM(s) from Azure`) + DIM(" (tag managed=fops)\n"));
+          ({ activeVm, vms } = listVms());
+          vmNames = Object.keys(vms);
+          fullState = readState();
+          aksClusters = (fullState.azure || {}).clusters || {};
+          hasAks = Object.keys(aksClusters).length > 0;
+        }
+      } catch { /* az not available or not authenticated */ }
+
       await azureSync({ quiet: !opts.verbose });
       cache = readCache();
       cacheSource = "live";
     }
   }
 
+  if (vmNames.length === 0 && !hasAks) {
+    banner("Azure VMs");
+    hint("No VMs or clusters found in Azure.");
+    hint("Create a VM:       fops azure up <name>");
+    hint("Create a cluster:  fops azure aks up <name>\n");
+    return;
+  }
+
   const cachedVms = cache?.vms || {};
   const cachedClusters = cache?.clusters || {};
   const cacheTime = cache?.updatedAt;
@@ -3274,7 +3273,7 @@ export async function azureSshWhitelistMe(opts = {}) {
 
   const merged = [...new Set([...currentSources.filter(s => s && s !== "*" && s !== "Internet"), myCidr])];
   console.log(chalk.yellow(`  ↻ Adding ${myCidr} to SSH rule on ${nsgName} (${currentSources.length} existing)...`));
-  const { exitCode: updateCode } = await execa("az", [
+  const { exitCode: updateCode, stderr: updateStderr } = await execa("az", [
     "network", "nsg", "rule", "create", "-g", rg, "--nsg-name", nsgName,
     "-n", sshRule?.name || "allow-ssh", "--priority", String(sshRule?.priority || 1000),
     "--destination-port-ranges", "22", "--access", "Allow",
@@ -3284,8 +3283,17 @@ export async function azureSshWhitelistMe(opts = {}) {
   ], { reject: false, timeout: 30000 });
 
   if (updateCode !== 0) {
-    console.error(ERR(`\n  Failed to update NSG rule on ${nsgName}\n`));
-    process.exit(1);
+    console.error(ERR(`\n  Failed to update NSG rule on ${nsgName}`));
+    const msg = (updateStderr || "").trim();
+    if (msg.includes("AADSTS") || msg.includes("Interactive authentication")) {
+      console.error(ERR("  Azure session expired — run: az login"));
+    } else if (msg.includes("AuthorizationFailed")) {
+      console.error(ERR("  Insufficient permissions to update NSG rules in this subscription."));
+    } else if (msg) {
+      console.error(DIM(`  ${msg.split("\n")[0]}`));
+    }
+    console.error("");
+    return;
   }
   console.log(OK(`\n  ✓ SSH (22) whitelisted for ${myCidr} on ${vmName} (${nsgName})\n`));
   console.log(`  Sources: ${merged.join(", ")}\n`);

package/src/plugins/bundled/fops-plugin-azure/lib/azure-provision.js

@@ -80,7 +80,7 @@ export async function configureVm(execa, ip, user, publicUrl, { githubToken, k3s
 
   console.log(chalk.dim("  Configuring VM..."));
 
-  // Batch: sshd tuning + docker group + ownership + public URL — single SSH round-trip
+  // Batch: sshd tuning + docker group + ownership — single SSH round-trip
   const setupBatch = [
     // Speed up SSH: accept forwarded env vars, disable DNS reverse lookup
     `sudo grep -q '^AcceptEnv.*BEARER_TOKEN' /etc/ssh/sshd_config 2>/dev/null || {`,
@@ -91,22 +91,10 @@ export async function configureVm(execa, ip, user, publicUrl, { githubToken, k3s
     `}`,
     `sudo usermod -aG docker ${user} 2>/dev/null; true`,
     "sudo chown -R azureuser:azureuser /opt/foundation-compose 2>/dev/null; true",
-    `cd /opt/foundation-compose`,
-    `sed -i -e '$a\\' .env 2>/dev/null || true`,
-    `if grep -q '^FOUNDATION_PUBLIC_URL=' .env 2>/dev/null; then`,
-    `  sed -i 's|^FOUNDATION_PUBLIC_URL=.*|FOUNDATION_PUBLIC_URL=${publicUrl}|' .env;`,
-    `else`,
-    `  echo 'FOUNDATION_PUBLIC_URL=${publicUrl}' >> .env;`,
-    `fi`,
-    // Persist COMPOSE_PROFILES so k3s/watcher/traefik start on manual restarts too
-    `if grep -q '^COMPOSE_PROFILES=' .env 2>/dev/null; then`,
-    `  sed -i 's|^COMPOSE_PROFILES=.*|COMPOSE_PROFILES=k3s,traefik${dai ? ",dai" : ""}|' .env;`,
-    `else`,
-    `  echo 'COMPOSE_PROFILES=k3s,traefik${dai ? ",dai" : ""}' >> .env;`,
-    `fi`,
+    // Only inject FOUNDATION_PUBLIC_URL if not already set — never overwrite
+    `cd /opt/foundation-compose && grep -q '^FOUNDATION_PUBLIC_URL=' .env 2>/dev/null || echo 'FOUNDATION_PUBLIC_URL=${publicUrl}' >> .env`,
   ].join("\n");
   await ssh(setupBatch);
-  console.log(chalk.green(`  ✓ FOUNDATION_PUBLIC_URL=${publicUrl}`));
 
   let ghcrOk = false;
   if (githubToken) {
@@ -1057,8 +1045,33 @@ async function removeSshBypassViaRunCommand(execa, rg, vmName, sourceCidr, sub)
 // ── Step: SSH reachability ───────────────────────────────────────────────────
 
 async function vmReconcileSsh(ctx) {
-  const { execa, ip, adminUser, knockSequence, port, desiredUrl, vmName, rg, sub } = ctx;
+  const { execa, ip, adminUser, port, desiredUrl, vmName, rg, sub } = ctx;
   console.log(chalk.dim("  Checking SSH..."));
+
+  // Always fetch the knock sequence fresh from the Azure VM tag — local state can drift
+  // after state recovery or manual changes, causing knocks with the wrong sequence.
+  let knockSequence = ctx.knockSequence;
+  if (rg) {
+    try {
+      const { stdout: tagRaw } = await execa("az", [
+        "vm", "show", "-g", rg, "-n", vmName,
+        "--query", "tags.fopsKnock", "-o", "tsv", ...subArgs(sub),
+      ], { timeout: 15000, reject: false });
+      const raw = (tagRaw || "").trim().replace(/[()]/g, "");
+      if (raw) {
+        const fresh = raw.split(/[-,]/).map((s) => parseInt(s.trim(), 10)).filter((n) => Number.isInteger(n) && n > 0);
+        if (fresh.length >= 2) {
+          if (!knockSequence?.length || fresh.some((v, i) => v !== knockSequence[i])) {
+            console.log(chalk.dim("  Syncing knock sequence from Azure tag..."));
+            knockSequence = fresh;
+            ctx.knockSequence = fresh;
+            writeVmState(vmName, { knockSequence: fresh });
+          }
+        }
+      }
+    } catch { /* best-effort */ }
+  }
+
   // Close any stale mux master before probing. ControlPersist=600 keeps the SSH master
   // alive for 10 min, but if the VM rebooted its underlying TCP is broken — every probe
   // through the stale mux fails even after a successful knock. A fresh connect fixes it.
@@ -1094,15 +1107,44 @@ async function vmReconcileSsh(ctx) {
     }
   }
   if (!sshReady) {
-    console.log(chalk.yellow("  ⚠ SSH not reachable — VM may still be booting. Skipping in-guest checks."));
-    if (knockSequence?.length) {
-      console.log(chalk.dim("  If knock is enabled, the stored sequence may not match the VM (e.g. after state recovery)."));
-      console.log(chalk.dim("  Try: fops azure knock open " + ctx.vmName + "  then immediately  fops azure ssh " + ctx.vmName));
-      console.log(chalk.dim("  Or remove knock: fops azure knock disable " + ctx.vmName));
+    // Verify actual VM power state via Azure CLI — the earlier instance-view may be stale
+    if (rg) {
+      try {
+        const { stdout: showJson } = await execa("az", [
+          "vm", "show", "--resource-group", rg, "--name", vmName,
+          "--show-details", "--output", "json", ...subArgs(sub),
+        ], { timeout: 20000, reject: false });
+        const vmDetails = JSON.parse(showJson || "{}");
+        const powerState = vmDetails?.powerState || "";
+        if (powerState && !powerState.includes("running")) {
+          console.log(chalk.yellow(`  ⚠ Azure reports VM power state: ${chalk.bold(powerState)} — starting VM...`));
+          await execa("az", [
+            "vm", "start", "--resource-group", rg, "--name", vmName, "--output", "none",
+            ...subArgs(sub),
+          ], { timeout: 300000 });
+          reconcileOk("VM", "started");
+          // Give the VM a moment then retry SSH once more
+          await new Promise((r) => setTimeout(r, 10000));
+          if (knockSequence?.length) await performKnock(ip, knockSequence, { quiet: true });
+          sshReady = await waitForSsh(execa, ip, adminUser, 60000);
+        } else if (powerState) {
+          console.log(chalk.dim(`  Azure VM power state: ${powerState}`));
+        }
+      } catch {
+        // best-effort
+      }
+    }
+    if (!sshReady) {
+      console.log(chalk.yellow("  ⚠ SSH not reachable — VM may still be booting. Skipping in-guest checks."));
+      if (knockSequence?.length) {
+        console.log(chalk.dim("  If knock is enabled, the stored sequence may not match the VM (e.g. after state recovery)."));
+        console.log(chalk.dim("  Try: fops azure knock open " + ctx.vmName + "  then immediately  fops azure ssh " + ctx.vmName));
+        console.log(chalk.dim("  Or remove knock: fops azure knock disable " + ctx.vmName));
+      }
+      ctx.publicUrl = desiredUrl || buildPublicUrl(ip, port);
+      ctx.done = true;
+      return;
     }
-    ctx.publicUrl = desiredUrl || buildPublicUrl(ip, port);
-    ctx.done = true;
-    return;
   }
   reconcileOk("SSH", "reachable");
 }
@@ -1644,10 +1686,8 @@ export async function provisionVm(execa, ip, adminUser, { githubToken, branch =
   }
 
   await runScript("Cloning foundation-compose", [
-    "cp /opt/foundation-compose/.env /tmp/.env.fops-backup 2>/dev/null || true",
     "rm -rf /opt/foundation-compose",
     `git clone --branch ${branch} --depth 1 --recurse-submodules https://github.com/meshxdata/foundation-compose.git /opt/foundation-compose`,
-    "if [ -f /tmp/.env.fops-backup ]; then cp /tmp/.env.fops-backup /opt/foundation-compose/.env; rm -f /tmp/.env.fops-backup; else cp /opt/foundation-compose/.env.example /opt/foundation-compose/.env; fi",
     "mkdir -p /opt/foundation-compose/credentials",
     "touch /opt/foundation-compose/credentials/kubeconfig.yaml",
     `chown -R ${adminUser}:${adminUser} /opt/foundation-compose`,

package/src/plugins/bundled/fops-plugin-azure/lib/azure-shared-cache.js

@@ -22,7 +22,7 @@ import { readState, listVms } from "./azure-state.js";
 //   fops_by       = alessio                  (who synced)
 
 const TAG_PREFIX = "fops_";
-const TAG_MAX_AGE_MS = 10 * 60 * 1000; // 10 minutes — tags are cheaper to check
+const TAG_MAX_AGE_MS = 20 * 60 * 1000; // 20 minutes — tags are cheaper to check
 
 // ── Write: publish probe results as tags on a VM ─────────────────────────────
 

package/src/plugins/bundled/fops-plugin-azure/lib/azure-sync.js

@@ -12,7 +12,7 @@ import {
 // Stored in ~/.fops.json under azure.cache:
 //   { updatedAt, vms: { <name>: { ... } }, clusters: { <name>: { ... } } }
 
-const CACHE_MAX_AGE_MS = 5 * 60 * 1000; // 5 minutes
+const CACHE_MAX_AGE_MS = 15 * 60 * 1000; // 15 minutes
 
 // Short keys for the 6 tracked Foundation services
 const SVC_MAP = {
@@ -169,16 +169,16 @@ async function syncVms(execa) {
 
       // After a knock, iptables rule needs a moment to propagate; first SSH needs full handshake.
       // Brief delay then retry once to avoid false "unreachable" (e.g. uaenorth latency).
-      await new Promise((r) => setTimeout(r, 800));
+      await new Promise((r) => setTimeout(r, 400));
       let sshOk = false;
       for (let attempt = 0; attempt < 2; attempt++) {
         const { exitCode: sshCode } = await execa("ssh", [
           ...MUX_OPTS(vm.publicIp, DEFAULTS.adminUser),
           "-o", "BatchMode=yes",
           `${DEFAULTS.adminUser}@${vm.publicIp}`, "echo ok",
-        ], { timeout: 15000, reject: false }).catch(() => ({ exitCode: 1 }));
+        ], { timeout: 8000, reject: false }).catch(() => ({ exitCode: 1 }));
         if (sshCode === 0) { sshOk = true; break; }
-        if (attempt === 0) await new Promise((r) => setTimeout(r, 2000));
+        if (attempt === 0) await new Promise((r) => setTimeout(r, 1000));
       }
 
       if (!sshOk) {

package/src/plugins/bundled/fops-plugin-azure/lib/commands/infra-cmds.js

@@ -508,6 +508,8 @@ export function registerInfraCommands(azure) {
     .option("--github-token <token>", "GitHub PAT for Flux + GHCR pull (default: $GITHUB_TOKEN)")
     .option("--no-flux", "Skip Flux bootstrap")
     .option("--no-postgres", "Skip Postgres Flexible Server provisioning")
+    .option("--flux-local-repo <path>", "Path to local flux repo clone (auto-detected if omitted)")
+    .option("--overlay <name>", "App overlay name in flux repo (default: demo-azure)")
     .option("--dai", "Include DAI (Dashboards AI) workloads")
     .action(async (name, opts) => {
       const { aksUp } = await import("../azure-aks.js");
@@ -524,6 +526,8 @@ export function registerInfraCommands(azure) {
         githubToken: opts.githubToken,
         noFlux: opts.flux === false,
         noPostgres: opts.postgres === false,
+        fluxLocalRepo: opts.fluxLocalRepo,
+        overlay: opts.overlay,
         dai: opts.dai === true,
       });
     });

package/src/plugins/bundled/fops-plugin-azure/lib/commands/test-cmds.js

@@ -78,6 +78,20 @@ export function registerTestCommands(azure) {
           : content + `\n${key}=${value}`;
       };
 
+      // Resolve CF Access service token for Cloudflare-proxied endpoints
+      let cfClientId = process.env.CF_ACCESS_CLIENT_ID || "";
+      let cfClientSecret = process.env.CF_ACCESS_CLIENT_SECRET || "";
+      if (!cfClientId) {
+        // Try reading from the compose .env
+        try {
+          const composeDotEnv = await fsp.readFile(path.join(root, ".env"), "utf8");
+          const idMatch = composeDotEnv.match(/^CF_ACCESS_CLIENT_ID=(.+)$/m);
+          const secretMatch = composeDotEnv.match(/^CF_ACCESS_CLIENT_SECRET=(.+)$/m);
+          if (idMatch) cfClientId = idMatch[1].trim();
+          if (secretMatch) cfClientSecret = secretMatch[1].trim();
+        } catch { /* .env may not exist */ }
+      }
+
       envContent = setVar(envContent, "API_URL", apiUrl);
       envContent = setVar(envContent, "DEV_API_URL", apiUrl);
       envContent = setVar(envContent, "LIVE_API_URL", apiUrl);
@@ -93,6 +107,10 @@ export function registerTestCommands(azure) {
         envContent = setVar(envContent, "BEARER_TOKEN", bearerToken);
         envContent = setVar(envContent, "TOKEN_AUTH0", bearerToken);
       }
+      if (cfClientId && cfClientSecret) {
+        envContent = setVar(envContent, "CF_ACCESS_CLIENT_ID", cfClientId);
+        envContent = setVar(envContent, "CF_ACCESS_CLIENT_SECRET", cfClientSecret);
+      }
 
       await fsp.writeFile(envPath, envContent);
       console.log(chalk.green(`  ✓ Configured QA .env → ${apiUrl}`));
@@ -154,6 +172,10 @@ export function registerTestCommands(azure) {
         testEnv.BEARER_TOKEN = bearerToken;
         testEnv.TOKEN_AUTH0 = bearerToken;
       }
+      if (cfClientId && cfClientSecret) {
+        testEnv.CF_ACCESS_CLIENT_ID = cfClientId;
+        testEnv.CF_ACCESS_CLIENT_SECRET = cfClientSecret;
+      }
 
       const startMs = Date.now();
       const proc = execaFn(

package/src/plugins/bundled/fops-plugin-azure/lib/commands/vm-cmds.js

@@ -468,12 +468,13 @@ export function registerVmCommands(azure, api, registry) {
     .description("Perform port-knock sequence to temporarily open SSH");
 
   knock
-    .command("open [name]", { isDefault: true })
+    .command("open [names...]", { isDefault: true })
     .description("Send the knock sequence — opens SSH for ~5 min")
     .option("--vm-name <name>", "Target VM (default: active VM)")
-    .action(async (name, opts) => {
+    .action(async (names, opts) => {
       const { azureKnock } = await import("../azure.js");
-      await azureKnock({ vmName: opts.vmName || name });
+      const targets = opts.vmName ? [opts.vmName] : (names.length ? names : [undefined]);
+      for (const vmName of targets) await azureKnock({ vmName });
     });
 
   knock

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/dai-backend.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: dai-backend
+  namespace: flux-system
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/dai/backend/overlays/meshx/{{OVERLAY}}
+  prune: true

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/dai-frontend.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: dai-frontend
+  namespace: flux-system
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/dai/frontend/overlays/meshx/{{OVERLAY}}
+  prune: true

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/foundation-backend.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: foundation-backend
+  namespace: flux-system
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/foundation/backend/overlays/meshx/{{OVERLAY}}
+  prune: true

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/foundation-frontend.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: foundation-frontend
+  namespace: flux-system
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/foundation/frontend/overlays/meshx/{{OVERLAY}}
+  prune: true

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/foundation-hive.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: foundation-hive
+  namespace: flux-system
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/foundation/hive/overlays/meshx/{{OVERLAY}}
+  prune: true

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/foundation-kafka.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: foundation-kafka
+  namespace: flux-system
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/foundation/kafka/overlays/meshx/{{OVERLAY}}
+  prune: true

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/foundation-meltano.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: foundation-meltano
+  namespace: flux-system
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/foundation/meltano/overlays/meshx/{{OVERLAY}}
+  prune: true

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/foundation-mlflow.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: foundation-mlflow
+  namespace: flux-system
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/foundation/mlflow/overlays/meshx/{{OVERLAY}}
+  prune: true

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/foundation-opa.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: foundation-opa
+  namespace: flux-system
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/foundation/opa/overlays/meshx/{{OVERLAY}}
+  prune: true

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/foundation-processor.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: foundation-processor
+  namespace: flux-system
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/foundation/processor/overlays/meshx/{{OVERLAY}}
+  prune: true

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/foundation-scheduler.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: foundation-scheduler
+  namespace: flux-system
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/foundation/scheduler/overlays/meshx/{{OVERLAY}}
+  prune: true

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/foundation-storage-engine.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: foundation-storage-engine
+  namespace: flux-system
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/foundation/storage-engine/overlays/meshx/{{OVERLAY}}
+  prune: true

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/foundation-trino.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: foundation-trino
+  namespace: flux-system
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/foundation/trino/overlays/meshx/{{OVERLAY}}
+  prune: true

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/foundation-watcher.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: foundation-watcher
+  namespace: flux-system
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/foundation/watcher/overlays/meshx/{{OVERLAY}}
+  prune: true

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/config/repository.yaml

@@ -0,0 +1,66 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: foundation
+  namespace: flux-system
+spec:
+  type: oci
+  interval: 1m0s
+  url: oci://meshxregistry.azurecr.io/helm
+  secretRef:
+    name: meshxregistry-helm-secret
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: foundation
+  namespace: velora
+spec:
+  type: oci
+  interval: 1m0s
+  url: oci://meshxregistry.azurecr.io/helm
+  secretRef:
+    name: meshxregistry-helm-secret
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: dai
+  namespace: velora
+spec:
+  type: oci
+  interval: 1m0s
+  url: oci://meshxregistry.azurecr.io/helm/dai
+  secretRef:
+    name: meshxregistry-helm-secret
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: hive-metastore
+  namespace: flux-system
+spec:
+  type: oci
+  interval: 1m0s
+  url: oci://meshxregistry.azurecr.io/helm
+  secretRef:
+    name: meshxregistry-helm-secret
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: trinodb
+  namespace: flux-system
+spec:
+  interval: 30m
+  url: https://trinodb.github.io/charts
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: mlflow
+  namespace: flux-system
+spec:
+  interval: 1m0s
+  url: https://community-charts.github.io/helm-charts

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/kustomization.yaml

@@ -0,0 +1,30 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - config/repository.yaml
+  - operator/acr-webhook-controller.yaml
+  - operator/kube-reflector.yaml
+  - operator/externalsecrets.yaml
+  - operator/istio.yaml
+  - operator/kafka.yaml
+  - operator/kubecost.yaml
+  - operator/spark.yaml
+  - operator/vertical-pod-autoscaler.yaml
+  - operator/prometheus-agent.yaml
+  - operator/tailscale.yaml
+  - operator/nats-server.yaml
+  - operator/reloader.yaml
+  - apps/foundation-backend.yaml
+  - apps/foundation-frontend.yaml
+  - apps/foundation-scheduler.yaml
+  - apps/foundation-processor.yaml
+  - apps/foundation-watcher.yaml
+  - apps/foundation-opa.yaml
+  - apps/foundation-meltano.yaml
+  - apps/foundation-kafka.yaml
+  - apps/foundation-hive.yaml
+  - apps/foundation-storage-engine.yaml
+  - apps/foundation-trino.yaml
+  - apps/foundation-mlflow.yaml
+  - apps/dai-backend.yaml
+  - apps/dai-frontend.yaml