@meshxdata/fops 0.1.44 → 0.1.46

package/src/plugins/bundled/fops-plugin-azure/lib/azure-aks-ingress.js

@@ -0,0 +1,393 @@
+/**
+ * azure-aks-ingress.js - Ingress IP, DNS, and frontend auth
+ *
+ * Depends on: azure-aks-naming.js, azure-aks-state.js, cloudflare.js
+ */
+
+import fs from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import {
+  OK, WARN, DIM,
+  hint, resolveUniqueDomain,
+} from "./azure.js";
+import { writeClusterState } from "./azure-aks-state.js";
+import { syncDns, resolveCfToken } from "./cloudflare.js";
+
+// ── Domain resolution ─────────────────────────────────────────────────────────
+
+export function clusterDomain(clusterName) {
+  return resolveUniqueDomain(clusterName, "aks");
+}
+
+// ── Ingress VirtualServices ───────────────────────────────────────────────────
+
+export const INGRESS_VIRTUALSERVICES = [
+  { name: "frontend",       namespace: "foundation", gateway: "foundation-gateway", hostPrefix: "" },
+  { name: "foundation-api", namespace: "foundation", gateway: "foundation-gateway", hostPrefix: "api." },
+];
+
+// ── CLI module resolver helper ────────────────────────────────────────────────
+
+function resolveCliSrc(relPath) {
+  const thisDir = path.dirname(fileURLToPath(import.meta.url));
+  const fromSource = path.resolve(thisDir, "../../../..", relPath);
+  if (fs.existsSync(fromSource)) return new URL(`file://${fromSource}`).href;
+  const fopsBin = process.argv[1];
+  if (fopsBin) {
+    try {
+      const cliRoot = path.dirname(fs.realpathSync(fopsBin));
+      const fromCli = path.resolve(cliRoot, "src", relPath);
+      if (fs.existsSync(fromCli)) return new URL(`file://${fromCli}`).href;
+    } catch { /* fall through */ }
+  }
+  return "../../../../" + relPath;
+}
+
+// ── Reconcile Ingress IP ──────────────────────────────────────────────────────
+
+export async function reconcileIngressIp(ctx) {
+  const { execa, clusterName } = ctx;
+  const kubectl = (args, opts = {}) =>
+    execa("kubectl", ["--context", clusterName, ...args], { timeout: 15000, reject: false, ...opts });
+
+  const domain = clusterDomain(clusterName);
+  writeClusterState(clusterName, { domain });
+
+  // ── 1. Ensure LB has an external IP ──
+
+  const { exitCode, stdout } = await kubectl([
+    "get", "svc", "istio-ingressgateway", "-n", "istio-system",
+    "-o", "json",
+  ]);
+  if (exitCode !== 0 || !stdout) return;
+
+  const svc = JSON.parse(stdout);
+  const annotations = svc.metadata?.annotations || {};
+  const pipName = annotations["service.beta.kubernetes.io/azure-pip-name"] || "";
+  let externalIp = svc.status?.loadBalancer?.ingress?.[0]?.ip;
+
+  // Remove stale annotations from other clouds / restrictive source ranges
+  const staleKeys = Object.keys(annotations).filter(k =>
+    k.startsWith("service.beta.kubernetes.io/aws-") ||
+    k === "service.beta.kubernetes.io/load-balancer-source-ranges" ||
+    k === "service.beta.kubernetes.io/azure-allowed-service-tags"
+  );
+  if (staleKeys.length > 0) {
+    hint(`Removing ${staleKeys.length} stale/restrictive annotation(s) from istio-ingressgateway…`);
+    await kubectl([
+      "annotate", "svc", "istio-ingressgateway", "-n", "istio-system",
+      ...staleKeys.map(k => `${k}-`),
+    ]);
+    console.log(OK(`  ✓ Cleaned ${staleKeys.length} stale annotation(s)`));
+  }
+
+  if (!externalIp && pipName) {
+    hint(`Removing stale PIP annotation "${pipName}" from istio-ingressgateway…`);
+    await kubectl([
+      "annotate", "svc", "istio-ingressgateway", "-n", "istio-system",
+      "service.beta.kubernetes.io/azure-pip-name-",
+      "service.beta.kubernetes.io/azure-pip-name-IPv6-",
+    ]);
+    for (let i = 0; i < 6; i++) {
+      await new Promise(r => setTimeout(r, 10000));
+      const { stdout: refreshed } = await kubectl([
+        "get", "svc", "istio-ingressgateway", "-n", "istio-system",
+        "-o", "jsonpath={.status.loadBalancer.ingress[0].ip}",
+      ]);
+      if (refreshed?.trim()) { externalIp = refreshed.trim(); break; }
+    }
+  }
+
+  if (externalIp) {
+    console.log(OK(`  ✓ Ingress gateway IP: ${externalIp}`));
+  } else {
+    console.log(WARN("  ⚠ Ingress gateway has no external IP yet"));
+    hint(`  kubectl describe svc istio-ingressgateway -n istio-system --context ${clusterName}`);
+  }
+
+  // ── 2. Self-signed TLS cert for Istio ingress ──
+
+  const TLS_SECRET = "istio-ingressgateway-certs";
+  const { exitCode: tlsCheck } = await kubectl([
+    "get", "secret", TLS_SECRET, "-n", "istio-system",
+  ]);
+  if (tlsCheck !== 0) {
+    hint("Creating self-signed TLS certificate for ingress…");
+    const { exitCode: certCode } = await execa("openssl", [
+      "req", "-x509", "-newkey", "rsa:2048",
+      "-keyout", "/tmp/fops-aks-tls.key", "-out", "/tmp/fops-aks-tls.crt",
+      "-days", "3650", "-nodes",
+      "-subj", `/CN=*.meshx.app`,
+      "-addext", `subjectAltName=DNS:*.meshx.app,DNS:meshx.app,DNS:*.${domain}`,
+    ], { timeout: 15000, reject: false });
+    if (certCode === 0) {
+      await execa("kubectl", [
+        "--context", clusterName,
+        "create", "secret", "tls", TLS_SECRET, "-n", "istio-system",
+        "--cert=/tmp/fops-aks-tls.crt", "--key=/tmp/fops-aks-tls.key",
+      ], { timeout: 15000 });
+      console.log(OK("  ✓ Self-signed TLS secret created"));
+    } else {
+      console.log(WARN("  ⚠ Could not generate TLS cert — HTTPS on ingress may not work"));
+    }
+  }
+
+  // ── 3. Reconcile Istio Gateways ──
+
+  const allHosts = INGRESS_VIRTUALSERVICES.map(vs => `${vs.hostPrefix}${domain}`);
+  const uniqueHosts = [...new Set(allHosts)];
+
+  const gwYaml = `apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+  name: foundation-gateway
+  namespace: foundation
+spec:
+  selector:
+    istio: ingressgateway
+  servers:
+  - port:
+      number: 80
+      name: http
+      protocol: HTTP
+    hosts:
+${uniqueHosts.map(h => `    - "${h}"`).join("\n")}
+  - port:
+      number: 443
+      name: https
+      protocol: HTTPS
+    tls:
+      mode: SIMPLE
+      credentialName: ${TLS_SECRET}
+    hosts:
+${uniqueHosts.map(h => `    - "${h}"`).join("\n")}`;
+
+  await kubectl(["apply", "-f", "-"], { input: gwYaml });
+  await kubectl(["delete", "gateway", "foundation-gateway", "-n", "velora", "--ignore-not-found"]);
+  console.log(OK(`  ✓ Istio Gateway → ${domain} (HTTP + HTTPS)`));
+
+  // ── 4. Reconcile VirtualService hosts + gateway refs ──
+
+  let patched = 0;
+  for (const vs of INGRESS_VIRTUALSERVICES) {
+    const correctHost = `${vs.hostPrefix}${domain}`;
+    const { stdout: vsJson } = await kubectl([
+      "get", "virtualservice", vs.name, "-n", vs.namespace, "-o", "json",
+    ]);
+    if (!vsJson) continue;
+
+    const vsObj = JSON.parse(vsJson);
+    const hosts = vsObj.spec?.hosts || [];
+    const gateways = vsObj.spec?.gateways || [];
+    const needsHostFix = hosts.length !== 1 || hosts[0] !== correctHost;
+    const needsGwFix = gateways.some(g => g.includes("velora/"));
+
+    if (!needsHostFix && !needsGwFix) continue;
+
+    const patches = [];
+    if (needsHostFix) patches.push({ op: "replace", path: "/spec/hosts", value: [correctHost] });
+    if (needsGwFix) patches.push({ op: "replace", path: "/spec/gateways", value: ["foundation-gateway"] });
+
+    await kubectl([
+      "patch", "virtualservice", vs.name, "-n", vs.namespace,
+      "--type", "json", "-p", JSON.stringify(patches),
+    ]);
+    patched++;
+  }
+
+  if (patched > 0) {
+    console.log(OK(`  ✓ Patched ${patched} VirtualService(s) → *.${domain}`));
+  } else {
+    console.log(OK(`  ✓ VirtualService hosts correct (*.${domain})`));
+  }
+
+  // ── 5. DNS records ──
+  if (externalIp) {
+    const cfToken = resolveCfToken();
+    if (cfToken) {
+      const dnsNames = [...new Set(INGRESS_VIRTUALSERVICES.map(vs => `${vs.hostPrefix}${domain}`))];
+      for (const host of dnsNames) {
+        await syncDns(cfToken, `https://${host}`, externalIp, { proxied: true });
+      }
+    } else {
+      hint(`  No CLOUDFLARE_API_TOKEN — add DNS A records manually:`);
+      const dnsNames = [...new Set(INGRESS_VIRTUALSERVICES.map(vs => `${vs.hostPrefix}${domain}`))];
+      for (const host of dnsNames) {
+        hint(`    ${host} → ${externalIp}`);
+      }
+    }
+  }
+
+  // Save the ingress info to state
+  if (externalIp) {
+    writeClusterState(clusterName, { ingressIp: externalIp, domain });
+  }
+}
+
+// ── Frontend Auth0 reconciliation ─────────────────────────────────────────────
+
+export async function reconcileFrontendAuth(ctx) {
+  const { execa, clusterName } = ctx;
+  const kubectl = (args, opts = {}) =>
+    execa("kubectl", ["--context", clusterName, ...args], { timeout: 30000, reject: false, ...opts });
+
+  const domain = clusterDomain(clusterName);
+  const baseUrl = `https://${domain}`;
+
+  // Read Auth0 creds from env or project .env
+  let auth0 = {
+    clientId:      process.env.AUTH0_CLIENT_ID,
+    clientSecret:  process.env.AUTH0_CLIENT_SECRET,
+    domain:        process.env.AUTH0_DOMAIN,
+    audience:      process.env.AUTH0_AUDIENCE,
+    issuerBaseUrl: process.env.AUTH0_ISSUER_BASE_URL,
+    secret:        process.env.AUTH0_SECRET,
+  };
+
+  if (!auth0.clientId) {
+    try {
+      const { rootDir } = await import(resolveCliSrc("project.js"));
+      const root = rootDir();
+      if (root) {
+        const envRaw = fs.readFileSync(path.join(root, ".env"), "utf8");
+        for (const line of envRaw.split("\n")) {
+          const m = line.match(/^([A-Z0-9_]+)=(.+)$/);
+          if (!m) continue;
+          const [, k, v] = m;
+          const val = v.replace(/^["']|["']$/g, "");
+          if (k === "AUTH0_CLIENT_ID")       auth0.clientId = val;
+          if (k === "AUTH0_CLIENT_SECRET")   auth0.clientSecret = val;
+          if (k === "AUTH0_DOMAIN")          auth0.domain = val;
+          if (k === "AUTH0_AUDIENCE")        auth0.audience = val;
+          if (k === "AUTH0_ISSUER_BASE_URL") auth0.issuerBaseUrl = val;
+          if (k === "AUTH0_SECRET")          auth0.secret = val;
+        }
+      }
+    } catch { /* no project root or .env */ }
+  }
+
+  if (!auth0.clientId || !auth0.domain) {
+    console.log(WARN("  ⚠ No Auth0 credentials found — skipping frontend auth setup"));
+    hint("  Set AUTH0_CLIENT_ID / AUTH0_DOMAIN in .env or environment");
+    return;
+  }
+
+  // ── 1. Create/update the frontend auth0 K8s secret ──
+
+  const secretArgs = [
+    "create", "secret", "generic", "foundation-frontend-auth0", "-n", "foundation",
+    "--from-literal", `APP_BASE_URL=${baseUrl}`,
+    "--from-literal", `AUTH0_CLIENT_ID=${auth0.clientId}`,
+    "--from-literal", `AUTH0_CLIENT_SECRET=${auth0.clientSecret || ""}`,
+    "--from-literal", `AUTH0_DOMAIN=${auth0.domain}`,
+    "--from-literal", `AUTH0_AUDIENCE=${auth0.audience || ""}`,
+    "--from-literal", `AUTH0_ISSUER_BASE_URL=${auth0.issuerBaseUrl || `https://${auth0.domain}/`}`,
+    "--from-literal", `AUTH0_SECRET=${auth0.secret || auth0.clientSecret || ""}`,
+    "--from-literal", `NEXT_PUBLIC_AUTH0_CLIENT_ID=${auth0.clientId}`,
+    "--from-literal", `NEXT_PUBLIC_AUTH0_DOMAIN=${auth0.domain}`,
+    "--dry-run=client", "-o", "yaml",
+  ];
+  const { stdout: secretYaml } = await kubectl(secretArgs);
+  if (secretYaml) {
+    await kubectl(["apply", "-f", "-"], { input: secretYaml });
+    console.log(OK(`  ✓ Frontend Auth0 secret → APP_BASE_URL=${baseUrl}`));
+  }
+
+  // ── 2. Patch frontend deployment API_URL to point at own ingress ──
+
+  const { exitCode: feExists } = await kubectl([
+    "get", "deploy", "foundation-frontend", "-n", "foundation",
+  ]);
+  if (feExists === 0) {
+    const apiUrl = `${baseUrl}/api/`;
+    const { exitCode: envExit } = await execa("kubectl", [
+      "--context", clusterName,
+      "set", "env", "deploy/foundation-frontend", "-n", "foundation",
+      `API_URL=${apiUrl}`,
+    ], { timeout: 15000, reject: false });
+    if (envExit === 0) {
+      console.log(OK(`  ✓ Frontend API_URL → ${apiUrl}`));
+    }
+  }
+
+  // ── 3. Ensure Auth0 wildcard callback URLs exist ──
+
+  if (!auth0.clientSecret) {
+    hint("  No AUTH0_CLIENT_SECRET — cannot verify Auth0 wildcard callbacks");
+    return;
+  }
+
+  try {
+    const tokenResp = await fetch(`https://${auth0.domain}/oauth/token`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        client_id: auth0.clientId,
+        client_secret: auth0.clientSecret,
+        audience: `https://${auth0.domain}/api/v2/`,
+        grant_type: "client_credentials",
+      }),
+      signal: AbortSignal.timeout(10_000),
+    });
+    if (!tokenResp.ok) { hint("  Could not get Auth0 management token"); return; }
+    const mgmtToken = (await tokenResp.json()).access_token;
+    if (!mgmtToken) return;
+
+    const appResp = await fetch(
+      `https://${auth0.domain}/api/v2/clients/${auth0.clientId}?fields=callbacks,allowed_logout_urls,web_origins,allowed_origins`,
+      { headers: { Authorization: `Bearer ${mgmtToken}` }, signal: AbortSignal.timeout(10_000) },
+    );
+    if (!appResp.ok) return;
+    const app = await appResp.json();
+
+    const wildcardCb1 = "https://*.meshx.app/auth/callback";
+    const wildcardCb2 = "https://*.meshx.app/api/auth/callback";
+    const wildcardOrigin = "https://*.meshx.app";
+
+    const callbacks = new Set(app.callbacks || []);
+    const logoutUrls = new Set(app.allowed_logout_urls || []);
+    const webOrigins = new Set(app.web_origins || []);
+    const allowedOrigins = new Set(app.allowed_origins || []);
+
+    callbacks.add(`${baseUrl}/auth/callback`);
+    callbacks.add(`${baseUrl}/api/auth/callback`);
+    logoutUrls.add(baseUrl);
+    webOrigins.add(baseUrl);
+    allowedOrigins.add(baseUrl);
+
+    const before = callbacks.size + logoutUrls.size + webOrigins.size + allowedOrigins.size;
+    callbacks.add(wildcardCb1);
+    callbacks.add(wildcardCb2);
+    logoutUrls.add(wildcardOrigin);
+    webOrigins.add(wildcardOrigin);
+    allowedOrigins.add(wildcardOrigin);
+    const after = callbacks.size + logoutUrls.size + webOrigins.size + allowedOrigins.size;
+
+    if (after > before) {
+      const patchResp = await fetch(
+        `https://${auth0.domain}/api/v2/clients/${auth0.clientId}`,
+        {
+          method: "PATCH",
+          headers: { Authorization: `Bearer ${mgmtToken}`, "Content-Type": "application/json" },
+          body: JSON.stringify({
+            callbacks: [...callbacks],
+            allowed_logout_urls: [...logoutUrls],
+            web_origins: [...webOrigins],
+            allowed_origins: [...allowedOrigins],
+          }),
+          signal: AbortSignal.timeout(10_000),
+        },
+      );
+      if (patchResp.ok) {
+        console.log(OK("  ✓ Auth0 wildcard callbacks ensured (*.meshx.app)"));
+      } else {
+        console.log(WARN(`  ⚠ Auth0 callback update failed: HTTP ${patchResp.status}`));
+      }
+    } else {
+      console.log(OK("  ✓ Auth0 wildcard callbacks already configured"));
+    }
+  } catch (e) {
+    hint(`  Auth0 callback check failed: ${e.message}`);
+  }
+}

package/src/plugins/bundled/fops-plugin-azure/lib/azure-aks-naming.js

@@ -0,0 +1,104 @@
+/**
+ * azure-aks-naming.js - Naming helpers, constants, and pure utility functions
+ *
+ * Foundation module with no internal dependencies.
+ */
+
+import crypto from "node:crypto";
+import { DEFAULTS } from "./azure.js";
+
+// ── AKS Defaults ──────────────────────────────────────────────────────────────
+
+export const AKS_DEFAULTS = {
+  clusterName: "foundation-aks",
+  resourceGroup: process.env.AZURE_AKS_RESOURCE_GROUP || "foundation-aks-rg",
+  location: DEFAULTS.location,
+  nodeCount: 1,
+  minCount: 1,
+  maxCount: 1,
+  nodeVmSize: "Standard_D8s_v3",
+  kubernetesVersion: "1.33",
+  tier: "standard",        // "free" | "standard" | "premium"
+  networkPlugin: "azure",  // "azure" (CNI) | "kubenet"
+  fluxOwner: "meshxdata",
+  fluxRepo: "platform-flux-template",
+  fluxBranch: "main",
+  fluxPath: "clusters/fops",
+};
+
+// Region pairs for Postgres geo-replication
+export const PG_REPLICA_REGIONS = {
+  uaenorth: "westeurope",     // UAE → EU
+  westeurope: "uaenorth",     // EU → UAE
+  eastus: "westeurope",       // US East → EU
+  westus2: "eastus",          // US West → US East
+};
+
+// ── Postgres Defaults ─────────────────────────────────────────────────────────
+
+export const PG_DEFAULTS = {
+  sku: "Standard_B2ms",
+  tier: "Burstable",
+  version: "15",
+  storageSizeGb: 32,
+  adminUser: "foundation",
+};
+
+// ── Event Hubs Defaults ───────────────────────────────────────────────────────
+
+export const EH_DEFAULTS = {
+  sku: "Standard",
+  capacity: 1,
+};
+
+// ── Naming Functions ──────────────────────────────────────────────────────────
+
+export function pgServerName(clusterName) {
+  return `fops-${clusterName}-psql`;
+}
+
+export function kvName(clusterName) {
+  const base = `fops-${clusterName}-kv`.replace(/[^a-zA-Z0-9-]/g, "").slice(0, 24);
+  return base;
+}
+
+export function ehNamespaceName(clusterName) {
+  return `fops-${clusterName}-eh`;
+}
+
+// Note: clusterDomain, stackDomain, and pgDatabaseName are in azure-aks-ingress.js
+// and azure-aks-stacks.js respectively
+
+// ── Utility Functions ─────────────────────────────────────────────────────────
+
+export function generatePassword(len = 32) {
+  const chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+  const bytes = crypto.randomBytes(len);
+  return Array.from(bytes, b => chars[b % chars.length]).join("");
+}
+
+export function timeSince(isoStr) {
+  const ms = Date.now() - new Date(isoStr).getTime();
+  if (ms < 60_000) return `${Math.round(ms / 1000)}s`;
+  if (ms < 3600_000) return `${Math.round(ms / 60_000)}m`;
+  if (ms < 86400_000) return `${Math.round(ms / 3600_000)}h`;
+  return `${Math.round(ms / 86400_000)}d`;
+}
+
+// ── CIDR Parsing and Overlap Detection ────────────────────────────────────────
+
+export function parseCidr(cidr) {
+  const [ip, bits] = cidr.split("/");
+  const octets = ip.split(".").map(Number);
+  const addr = ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
+  const mask = bits === "0" ? 0 : (0xFFFFFFFF << (32 - Number(bits))) >>> 0;
+  return { start: (addr & mask) >>> 0, end: ((addr & mask) | ~mask) >>> 0 };
+}
+
+export function cidrOverlaps(cidr, existingCidrs) {
+  const a = parseCidr(cidr);
+  return existingCidrs.some(ec => {
+    const b = parseCidr(ec);
+    return a.start <= b.end && a.end >= b.start;
+  });
+}