@meshxdata/fops 0.1.45 → 0.1.47

package/src/plugins/bundled/fops-plugin-azure/lib/azure-aks-stacks.js

@@ -0,0 +1,643 @@
+/**
+ * azure-aks-stacks.js – Stack lifecycle management for AKS clusters
+ *
+ * Dependencies: azure.js, azure-aks-naming.js, azure-aks-state.js,
+ *               azure-aks-secrets.js, azure-aks-storage.js, azure-aks-ingress.js
+ */
+
+import {
+  lazyExeca,
+  subArgs,
+  ensureAzCli,
+  ensureAzAuth,
+  banner,
+  kvLine,
+  hint,
+  runReconcilers,
+  OK, ERR, WARN, DIM, LABEL,
+} from "./azure.js";
+
+import { pgServerName, kvName, timeSince } from "./azure-aks-naming.js";
+import {
+  readClusterState,
+  readStackState,
+  writeStackState,
+  deleteStackState,
+  listStacks,
+  requireCluster,
+} from "./azure-aks-state.js";
+import { SECRET_STORE_NAME, detectEsApiVersion } from "./azure-aks-secrets.js";
+import { reconcileHelmRepos } from "./azure-aks-storage.js";
+import { clusterDomain } from "./azure-aks-ingress.js";
+
+// ── Helpers ──────────────────────────────────────────────────────────────────
+
+export function printClusterInfo(cl) {
+  console.log(`\n  ${LABEL("Cluster Info")}`);
+  kvLine("Name",     cl.clusterName, { pad: 12 });
+  kvLine("RG",       cl.resourceGroup, { pad: 12 });
+  kvLine("FQDN",     cl.fqdn || "—", { pad: 12 });
+  kvLine("K8s",      cl.kubernetesVersion || "—", { pad: 12 });
+  kvLine("Nodes",    `${cl.nodeCount || "?"} x ${cl.nodeVmSize || "?"}`, { pad: 12 });
+  if (cl.flux) {
+    kvLine("Flux",   `${cl.flux.owner}/${cl.flux.repo}`, { pad: 12 });
+  }
+  hint("");
+  hint(`kubectl:  kubectl --context ${cl.clusterName} get nodes`);
+  hint(`status:   fops azure aks status ${cl.clusterName}`);
+  if (!cl.flux) {
+    hint(`flux:     fops azure aks flux bootstrap ${cl.clusterName} --flux-owner <org> --flux-repo <repo>`);
+  }
+  console.log("");
+}
+
+export function stackDomain(clusterName, namespace) {
+  const baseDomain = clusterDomain(clusterName);
+  if (namespace === "foundation") return baseDomain;
+  return `${namespace}.${baseDomain}`;
+}
+
+export function pgDatabaseName(namespace) {
+  return namespace.replace(/-/g, "_");
+}
+
+// ── Stack Reconcilers ────────────────────────────────────────────────────────
+
+async function reconcileStackNamespace(ctx) {
+  const { execa, clusterName, namespace } = ctx;
+  const kubectl = (args, opts = {}) =>
+    execa("kubectl", ["--context", clusterName, ...args], { timeout: 30000, reject: false, ...opts });
+
+  const { exitCode } = await kubectl(["get", "namespace", namespace]);
+  if (exitCode !== 0) {
+    await kubectl(["create", "namespace", namespace]);
+    console.log(OK(`  ✓ Namespace "${namespace}" created`));
+  } else {
+    console.log(OK(`  ✓ Namespace "${namespace}" exists`));
+  }
+}
+
+async function reconcileStackPgDatabase(ctx) {
+  const { execa, clusterName, namespace, rg, sub } = ctx;
+  const kubectl = (args, opts = {}) =>
+    execa("kubectl", ["--context", clusterName, ...args], { timeout: 60000, reject: false, ...opts });
+
+  const pgServer = pgServerName(clusterName);
+  const pgHost = `${pgServer}.postgres.database.azure.com`;
+  const dbName = pgDatabaseName(namespace);
+
+  // Read admin password from foundation namespace postgres secret
+  const { stdout: pwB64 } = await kubectl([
+    "get", "secret", "postgres", "-n", "foundation",
+    "-o", "jsonpath={.data.password}",
+  ]);
+  if (!pwB64) {
+    console.log(WARN("  ⚠ No postgres secret found in foundation — skipping DB setup"));
+    return;
+  }
+  const pgPass = Buffer.from(pwB64, "base64").toString();
+
+  // Create database and role for this namespace
+  const sqlStatements = [
+    `DO $$ BEGIN IF NOT EXISTS (SELECT FROM pg_database WHERE datname = '${dbName}') THEN EXECUTE 'CREATE DATABASE ${dbName}'; END IF; IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = '${dbName}') THEN CREATE ROLE ${dbName} LOGIN PASSWORD '${pgPass}'; END IF; END $$;`,
+    `GRANT ALL ON DATABASE ${dbName} TO ${dbName};`,
+  ];
+
+  const script = sqlStatements.map(s => `psql -c "${s}"`).join(" && ") + " && echo DONE";
+  const jobName = `fops-pg-setup-${namespace}`;
+
+  const jobManifest = JSON.stringify({
+    apiVersion: "batch/v1", kind: "Job",
+    metadata: { name: jobName, namespace: "foundation" },
+    spec: {
+      backoffLimit: 2, ttlSecondsAfterFinished: 60,
+      template: {
+        spec: {
+          restartPolicy: "Never",
+          containers: [{
+            name: "psql",
+            image: "postgres:16-alpine",
+            env: [
+              { name: "PGHOST", value: pgHost },
+              { name: "PGUSER", value: "foundation" },
+              { name: "PGDATABASE", value: "postgres" },
+              { name: "PGPASSWORD", value: pgPass },
+              { name: "PGSSLMODE", value: "require" },
+            ],
+            command: ["sh", "-c", script],
+          }],
+        },
+      },
+    },
+  });
+
+  await kubectl(["delete", "job", jobName, "-n", "foundation", "--ignore-not-found"]);
+  await new Promise(r => setTimeout(r, 1000));
+
+  const { exitCode, stderr } = await kubectl(["apply", "-f", "-"], { input: jobManifest });
+  if (exitCode !== 0) {
+    console.log(WARN(`  ⚠ pg-setup job failed: ${(stderr || "").split("\n")[0]}`));
+    return;
+  }
+
+  const { exitCode: waitCode } = await execa("kubectl", [
+    "--context", clusterName,
+    "wait", "--for=condition=complete", `job/${jobName}`,
+    "-n", "foundation", "--timeout=60s",
+  ], { timeout: 70000, reject: false });
+
+  if (waitCode === 0) {
+    console.log(OK(`  ✓ Postgres database "${dbName}" ready`));
+  } else {
+    const { stdout: logs } = await kubectl([
+      "logs", `job/${jobName}`, "-n", "foundation", "--tail=5",
+    ]);
+    if (logs?.includes("DONE")) {
+      console.log(OK(`  ✓ Postgres database "${dbName}" ready`));
+    } else {
+      console.log(WARN(`  ⚠ pg-setup job didn't complete — check: kubectl logs job/${jobName} -n foundation`));
+    }
+  }
+
+  await kubectl(["delete", "job", jobName, "-n", "foundation", "--ignore-not-found"]);
+
+  // Create postgres secret in the stack namespace
+  const secretYaml = await kubectl([
+    "create", "secret", "generic", "postgres", "-n", namespace,
+    "--from-literal", `host=${pgHost}`,
+    "--from-literal", `user=${dbName}`,
+    "--from-literal", `password=${pgPass}`,
+    "--from-literal", `superUserPassword=${pgPass}`,
+    "--from-literal", `postgres-password=${pgPass}`,
+    "--from-literal", `mlflow-username=mlflow`,
+    "--from-literal", `mlflow-password=${pgPass}`,
+    "--dry-run=client", "-o", "yaml",
+  ]);
+  if (secretYaml.stdout) {
+    await kubectl(["apply", "-f", "-"], { input: secretYaml.stdout });
+    console.log(OK(`  ✓ Postgres secret synced to ${namespace} namespace`));
+  }
+}
+
+async function reconcileStackSecretStore(ctx) {
+  const { execa, clusterName, namespace, rg, sub } = ctx;
+  const vaultName = kvName(clusterName);
+
+  const kubectl = (args, opts = {}) =>
+    execa("kubectl", ["--context", clusterName, ...args], { timeout: 30000, reject: false, ...opts });
+
+  // Check if SP secret exists in foundation, replicate to this namespace
+  const { stdout: spSecretJson } = await kubectl([
+    "get", "secret", "azure-secret-sp", "-n", "foundation", "-o", "json",
+  ]);
+  const spSecret = spSecretJson ? JSON.parse(spSecretJson) : null;
+
+  if (!spSecret || !spSecret.data?.ClientID) {
+    console.log(WARN("  ⚠ Secret 'azure-secret-sp' not found in foundation — SecretStore needs SP credentials"));
+    return;
+  }
+
+  // Replicate to this namespace if not foundation
+  if (namespace !== "foundation") {
+    const { exitCode: spExists } = await kubectl(["get", "secret", "azure-secret-sp", "-n", namespace]);
+    if (spExists !== 0) {
+      await kubectl([
+        "create", "secret", "generic", "azure-secret-sp",
+        "-n", namespace,
+        "--from-literal", `ClientID=${Buffer.from(spSecret.data.ClientID, "base64").toString()}`,
+        "--from-literal", `ClientSecret=${Buffer.from(spSecret.data.ClientSecret, "base64").toString()}`,
+      ]);
+      console.log(OK(`  ✓ Replicated azure-secret-sp to ${namespace}`));
+    }
+  }
+
+  // Get tenant ID
+  const { stdout: tenantId } = await execa("az", [
+    "account", "show", "--query", "tenantId", "-o", "tsv",
+    ...subArgs(sub),
+  ], { reject: false, timeout: 15000 });
+
+  // Create SecretStore
+  const { exitCode: ssExists } = await kubectl([
+    "get", "secretstore", SECRET_STORE_NAME, "-n", namespace,
+  ]);
+  if (ssExists === 0) {
+    console.log(OK(`  ✓ SecretStore exists in ${namespace}`));
+    return;
+  }
+
+  const apiVersion = await detectEsApiVersion(kubectl);
+  const manifest = `apiVersion: ${apiVersion}
+kind: SecretStore
+metadata:
+  name: ${SECRET_STORE_NAME}
+  namespace: ${namespace}
+spec:
+  provider:
+    azurekv:
+      authType: ServicePrincipal
+      vaultUrl: https://${vaultName}.vault.azure.net
+      tenantId: ${(tenantId || "").trim()}
+      authSecretRef:
+        clientId:
+          name: azure-secret-sp
+          key: ClientID
+        clientSecret:
+          name: azure-secret-sp
+          key: ClientSecret
+`;
+  const { exitCode: applyCode, stderr } = await kubectl(
+    ["apply", "-f", "-"],
+    { input: manifest },
+  );
+  if (applyCode === 0) {
+    console.log(OK(`  ✓ SecretStore "${SECRET_STORE_NAME}" created in ${namespace}`));
+  } else {
+    console.log(WARN(`  ⚠ SecretStore creation failed in ${namespace}: ${(stderr || "").split("\n")[0]}`));
+  }
+}
+
+async function reconcileStackK8sSecrets(ctx) {
+  const { execa, clusterName, namespace } = ctx;
+  const kubectl = (args, opts = {}) =>
+    execa("kubectl", ["--context", clusterName, ...args], { timeout: 30000, reject: false, ...opts });
+
+  // Check if OPA keypair exists in this namespace
+  const { exitCode: opaExists } = await kubectl([
+    "get", "secret", "foundation-opa-keypair", "-n", namespace,
+  ]);
+  if (opaExists === 0) {
+    console.log(OK(`  ✓ OPA keypair secret exists in ${namespace}`));
+    return;
+  }
+
+  // Try to copy from foundation namespace
+  const { stdout: foundationOpa } = await kubectl([
+    "get", "secret", "foundation-opa-keypair", "-n", "foundation", "-o", "json",
+  ]);
+  if (foundationOpa) {
+    try {
+      const secret = JSON.parse(foundationOpa);
+      const accessKey = secret.data?.OPA_ACCESS_KEY_ID
+        ? Buffer.from(secret.data.OPA_ACCESS_KEY_ID, "base64").toString()
+        : "placeholder";
+      const secretKey = secret.data?.OPA_SECRET_ACCESS_KEY
+        ? Buffer.from(secret.data.OPA_SECRET_ACCESS_KEY, "base64").toString()
+        : "placeholder";
+
+      const { stdout: opaYaml } = await kubectl([
+        "create", "secret", "generic", "foundation-opa-keypair", "-n", namespace,
+        "--from-literal", `OPA_ACCESS_KEY_ID=${accessKey}`,
+        "--from-literal", `OPA_SECRET_ACCESS_KEY=${secretKey}`,
+        "--dry-run=client", "-o", "yaml",
+      ]);
+      if (opaYaml) {
+        await kubectl(["apply", "-f", "-"], { input: opaYaml });
+        console.log(OK(`  ✓ OPA keypair secret replicated to ${namespace}`));
+      }
+    } catch {
+      console.log(WARN(`  ⚠ Could not replicate OPA secret to ${namespace}`));
+    }
+  }
+}
+
+async function reconcileStackStorageEngine(ctx) {
+  const { execa, clusterName, namespace } = ctx;
+  const kubectl = (args, opts = {}) =>
+    execa("kubectl", ["--context", clusterName, ...args], { timeout: 30000, reject: false, ...opts });
+
+  // Check if deployment already exists
+  const { exitCode } = await kubectl([
+    "get", "deployment", "foundation-storage-engine", "-n", namespace,
+  ]);
+  if (exitCode === 0) {
+    console.log(OK(`  ✓ Storage engine deployment exists in ${namespace}`));
+    return;
+  }
+
+  hint(`Creating foundation-storage-engine deployment in ${namespace}…`);
+  const manifest = JSON.stringify({
+    apiVersion: "apps/v1", kind: "Deployment",
+    metadata: { name: "foundation-storage-engine", namespace, labels: { app: "foundation-storage-engine" } },
+    spec: {
+      replicas: 1,
+      selector: { matchLabels: { app: "foundation-storage-engine" } },
+      template: {
+        metadata: { labels: { app: "foundation-storage-engine" } },
+        spec: {
+          containers: [{
+            name: "storage-engine",
+            image: "minio/minio:RELEASE.2024-11-07T00-52-20Z",
+            args: ["server", "/data", "--console-address", ":9001"],
+            env: [
+              { name: "MINIO_ROOT_USER", value: "minio" },
+              { name: "MINIO_ROOT_PASSWORD", value: "minio123" },
+            ],
+            ports: [
+              { containerPort: 9000, name: "api" },
+              { containerPort: 9001, name: "console" },
+            ],
+            volumeMounts: [{ name: "data", mountPath: "/data" }],
+            resources: { requests: { cpu: "100m", memory: "256Mi" }, limits: { cpu: "500m", memory: "512Mi" } },
+            readinessProbe: { httpGet: { path: "/minio/health/ready", port: 9000 }, initialDelaySeconds: 5, periodSeconds: 10 },
+          }],
+          volumes: [{ name: "data", emptyDir: {} }],
+        },
+      },
+    },
+  });
+  await kubectl(["apply", "-f", "-"], { input: manifest });
+
+  // Service
+  const svcManifest = JSON.stringify({
+    apiVersion: "v1", kind: "Service",
+    metadata: { name: "foundation-storage-engine", namespace },
+    spec: {
+      selector: { app: "foundation-storage-engine" },
+      ports: [
+        { port: 8080, targetPort: 9000, name: "api" },
+        { port: 9000, targetPort: 9000, name: "s3" },
+      ],
+    },
+  });
+  await kubectl(["apply", "-f", "-"], { input: svcManifest });
+
+  // Minio alias service
+  const minioSvcManifest = JSON.stringify({
+    apiVersion: "v1", kind: "Service",
+    metadata: { name: "minio", namespace },
+    spec: {
+      selector: { app: "foundation-storage-engine" },
+      ports: [
+        { port: 80, targetPort: 9000, name: "http" },
+        { port: 9000, targetPort: 9000, name: "s3" },
+        { port: 8080, targetPort: 9000, name: "api" },
+      ],
+    },
+  });
+  await kubectl(["apply", "-f", "-"], { input: minioSvcManifest });
+
+  console.log(OK(`  ✓ Storage engine deployed to ${namespace}`));
+}
+
+async function reconcileStackIngress(ctx) {
+  const { execa, clusterName, namespace } = ctx;
+  const domain = stackDomain(clusterName, namespace);
+
+  const kubectl = (args, opts = {}) =>
+    execa("kubectl", ["--context", clusterName, ...args], { timeout: 15000, reject: false, ...opts });
+
+  // Create Gateway for this namespace
+  const gwYaml = `apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+  name: ${namespace}-gateway
+  namespace: ${namespace}
+spec:
+  selector:
+    istio: ingressgateway
+  servers:
+  - port:
+      number: 80
+      name: http
+      protocol: HTTP
+    hosts:
+    - "${domain}"
+    - "*.${domain}"
+  - port:
+      number: 443
+      name: https
+      protocol: HTTPS
+    tls:
+      mode: SIMPLE
+      credentialName: istio-ingressgateway-certs
+    hosts:
+    - "${domain}"
+    - "*.${domain}"
+`;
+
+  await kubectl(["apply", "-f", "-"], { input: gwYaml });
+  console.log(OK(`  ✓ Gateway created for ${domain}`));
+
+  // Update state with domain
+  writeStackState(clusterName, namespace, { domain });
+}
+
+// ── Stack Reconciler Array ───────────────────────────────────────────────────
+
+export const STACK_RECONCILERS = [
+  { name: "namespace",      fn: reconcileStackNamespace },
+  { name: "pg-database",    fn: reconcileStackPgDatabase },
+  { name: "secret-store",   fn: reconcileStackSecretStore },
+  { name: "k8s-secrets",    fn: reconcileStackK8sSecrets },
+  { name: "storage-engine", fn: reconcileStackStorageEngine },
+  { name: "helm-repos",     fn: reconcileHelmRepos },
+  { name: "ingress",        fn: reconcileStackIngress },
+];
+
+// ── CLI Commands ─────────────────────────────────────────────────────────────
+
+export async function aksStackUp(opts = {}) {
+  const { namespace, clusterName: explicitCluster, profile } = opts;
+
+  if (!namespace) {
+    console.error(ERR("\n  Namespace is required for stack deployment"));
+    hint("Usage: fops azure aks stack up <namespace> [--cluster <name>]");
+    process.exit(1);
+  }
+
+  const cl = requireCluster(explicitCluster);
+  const { clusterName, resourceGroup: rg } = cl;
+
+  banner(`Stack: ${namespace}`);
+  kvLine("Cluster",   clusterName);
+  kvLine("Namespace", namespace);
+  kvLine("Domain",    stackDomain(clusterName, namespace));
+
+  const execa = lazyExeca();
+  await ensureAzCli(execa);
+  const sub = await ensureAzAuth(execa, profile);
+
+  const ctx = {
+    execa,
+    clusterName,
+    namespace,
+    rg,
+    sub,
+    opts,
+  };
+
+  // Write initial stack state
+  writeStackState(clusterName, namespace, {
+    status: "deploying",
+    domain: stackDomain(clusterName, namespace),
+    postgres: { database: pgDatabaseName(namespace), role: pgDatabaseName(namespace) },
+  });
+
+  await runReconcilers(STACK_RECONCILERS, ctx);
+
+  writeStackState(clusterName, namespace, { status: "deployed" });
+
+  console.log(OK(`\n  ✓ Stack "${namespace}" deployed to ${clusterName}`));
+  hint(`  Domain: https://${stackDomain(clusterName, namespace)}`);
+  hint(`  kubectl:  kubectl --context ${clusterName} -n ${namespace} get pods`);
+  console.log("");
+}
+
+export async function aksStackDown(opts = {}) {
+  const { namespace, clusterName: explicitCluster, profile, yes } = opts;
+
+  if (!namespace) {
+    console.error(ERR("\n  Namespace is required"));
+    hint("Usage: fops azure aks stack down <namespace> [--cluster <name>]");
+    process.exit(1);
+  }
+
+  if (namespace === "foundation") {
+    console.error(ERR("\n  Cannot remove the default 'foundation' stack"));
+    hint("Use 'fops azure aks down' to destroy the entire cluster");
+    process.exit(1);
+  }
+
+  const cl = requireCluster(explicitCluster);
+  const { clusterName, resourceGroup: rg } = cl;
+
+  const stack = readStackState(clusterName, namespace);
+  if (!stack) {
+    console.error(ERR(`\n  Stack "${namespace}" not found on cluster ${clusterName}`));
+    process.exit(1);
+  }
+
+  banner(`Remove Stack: ${namespace}`);
+  kvLine("Cluster",   clusterName);
+  kvLine("Namespace", namespace);
+
+  if (!yes) {
+    const readline = await import("node:readline");
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    const answer = await new Promise(resolve => {
+      rl.question(`  Delete stack "${namespace}" from ${clusterName}? [y/N] `, resolve);
+    });
+    rl.close();
+    if (answer.toLowerCase() !== "y") {
+      console.log(DIM("  Cancelled.\n"));
+      return;
+    }
+  }
+
+  const execa = lazyExeca();
+  await ensureAzCli(execa);
+  const sub = await ensureAzAuth(execa, profile);
+
+  const kubectl = (args, o = {}) =>
+    execa("kubectl", ["--context", clusterName, ...args], { timeout: 60000, reject: false, ...o });
+
+  // Delete namespace (cascades to all resources)
+  hint(`Deleting namespace ${namespace}…`);
+  const { exitCode } = await kubectl(["delete", "namespace", namespace, "--wait=false"]);
+  if (exitCode === 0) {
+    console.log(OK(`  ✓ Namespace "${namespace}" deletion initiated`));
+  } else {
+    console.log(WARN(`  ⚠ Could not delete namespace — may already be deleted`));
+  }
+
+  // Remove from state
+  deleteStackState(clusterName, namespace);
+  console.log(OK(`\n  ✓ Stack "${namespace}" removed from ${clusterName}\n`));
+}
+
+export async function aksStackList(opts = {}) {
+  const { clusterName: explicitCluster, profile } = opts;
+
+  const cl = readClusterState(explicitCluster);
+  if (!cl) {
+    console.error(ERR("\n  No AKS cluster tracked"));
+    hint("Create one:  fops azure aks up <name>");
+    process.exit(1);
+  }
+
+  const { clusterName } = cl;
+  const stacks = listStacks(clusterName);
+
+  banner(`Stacks: ${clusterName}`);
+
+  if (stacks.length === 0) {
+    console.log(DIM("  No stacks deployed.\n"));
+    hint("Deploy one:  fops azure aks stack up <namespace>");
+    console.log("");
+    return;
+  }
+
+  console.log("");
+  for (const stack of stacks) {
+    const age = stack.createdAt ? timeSince(stack.createdAt) : "—";
+    const status = stack.status || "unknown";
+    const statusColor = status === "deployed" ? OK : WARN;
+    console.log(`  ${LABEL(stack.namespace.padEnd(20))} ${statusColor(status.padEnd(12))} ${DIM(stack.domain || "—")}`);
+    console.log(`  ${DIM("  Created:")} ${age} ago  ${DIM("DB:")} ${stack.postgres?.database || "—"}`);
+    console.log("");
+  }
+}
+
+export async function aksStackStatus(opts = {}) {
+  const { namespace, clusterName: explicitCluster, profile } = opts;
+
+  if (!namespace) {
+    console.error(ERR("\n  Namespace is required"));
+    hint("Usage: fops azure aks stack status <namespace> [--cluster <name>]");
+    process.exit(1);
+  }
+
+  const cl = requireCluster(explicitCluster);
+  const { clusterName, resourceGroup: rg } = cl;
+
+  const stack = readStackState(clusterName, namespace);
+  if (!stack) {
+    console.error(ERR(`\n  Stack "${namespace}" not found on cluster ${clusterName}`));
+    hint(`Deploy it:  fops azure aks stack up ${namespace}`);
+    process.exit(1);
+  }
+
+  banner(`Stack Status: ${namespace}`);
+  kvLine("Cluster",   clusterName, { pad: 12 });
+  kvLine("Namespace", namespace, { pad: 12 });
+  kvLine("Domain",    stack.domain || "—", { pad: 12 });
+  kvLine("Status",    stack.status || "unknown", { pad: 12 });
+  kvLine("Database",  stack.postgres?.database || "—", { pad: 12 });
+  kvLine("Created",   stack.createdAt ? timeSince(stack.createdAt) + " ago" : "—", { pad: 12 });
+
+  const execa = lazyExeca();
+  const kubectl = (args, o = {}) =>
+    execa("kubectl", ["--context", clusterName, ...args], { timeout: 15000, reject: false, ...o });
+
+  // Check namespace exists
+  const { exitCode: nsExists } = await kubectl(["get", "namespace", namespace]);
+  if (nsExists !== 0) {
+    console.log(WARN(`\n  ⚠ Namespace "${namespace}" does not exist in cluster`));
+    return;
+  }
+
+  // List pods
+  const { stdout: podJson } = await kubectl([
+    "get", "pods", "-n", namespace, "-o", "json",
+  ]);
+  if (podJson) {
+    const pods = JSON.parse(podJson).items || [];
+    const running = pods.filter(p => p.status?.phase === "Running").length;
+    const total = pods.length;
+    console.log(OK(`  Pods: ${running}/${total} running`));
+  }
+
+  // Check services
+  const { stdout: svcJson } = await kubectl([
+    "get", "services", "-n", namespace, "-o", "json",
+  ]);
+  if (svcJson) {
+    const svcs = JSON.parse(svcJson).items || [];
+    console.log(OK(`  Services: ${svcs.length}`));
+  }
+
+  console.log("");
+  hint(`kubectl:  kubectl --context ${clusterName} -n ${namespace} get all`);
+  console.log("");
+}