npm - @meshxdata/fops - Versions diffs - 0.1.49 → 0.1.50 - Mend

@meshxdata/fops 0.1.49 → 0.1.50

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (30) hide show

package/src/plugins/bundled/fops-plugin-azure/lib/azure-aks-data-bootstrap.js ADDED Viewed

@@ -0,0 +1,421 @@
+/**
+ * Azure AKS — Data bootstrap operations
+ * Extracted from azure-aks-flux.js for maintainability
+ *
+ * Runs bootstrap_foundation.py script to create demo data mesh on AKS cluster.
+ */
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import {
+  OK, WARN, ERR, DIM,
+  banner, hint, kvLine,
+  lazyExeca, ensureAzCli, ensureAzAuth,
+  resolveCliSrc,
+} from "./azure-helpers.js";
+import { writeClusterState, requireCluster } from "./azure-aks-state.js";
+// ── aks data bootstrap ────────────────────────────────────────────────────────
+function findBootstrapRepoRoot() {
+  const scriptPath = "scripts/bootstrap_foundation.py";
+  const envRoot = process.env.FOUNDATION_ROOT;
+  if (envRoot && fs.existsSync(path.join(envRoot, scriptPath))) return path.resolve(envRoot);
+  try {
+    const fopsPath = path.join(os.homedir(), ".fops.json");
+    const raw = JSON.parse(fs.readFileSync(fopsPath, "utf8"));
+    const root = raw?.projectRoot;
+    if (root && fs.existsSync(path.join(root, scriptPath))) return path.resolve(root);
+  } catch {}
+  let dir = path.resolve(process.cwd());
+  for (;;) {
+    if (fs.existsSync(path.join(dir, scriptPath))) return dir;
+    const parent = path.dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  return null;
+}
+async function discoverFoundationApiUrlFromCluster(execa, clusterName) {
+  try {
+    const { stdout } = await execa("kubectl", [
+      "get", "ingress", "-A",
+      "-o", "jsonpath={.items[*].spec.rules[*].host}",
+      "--context", clusterName,
+    ], { timeout: 15000 });
+    const first = (stdout || "").trim().split(/\s+/).filter(Boolean)[0];
+    if (first) return `https://${first}/api`;
+  } catch {}
+  return null;
+}
+async function uploadSampleDataToStorage(execa, clusterName, repoRoot, env) {
+  const samplesDir = path.join(repoRoot, "storage-data", "spark", "samples");
+  if (!fs.existsSync(samplesDir)) {
+    console.log(WARN("  ⚠ No storage-data/spark/samples directory found, skipping sample upload"));
+    return;
+  }
+  const sampleFiles = fs.readdirSync(samplesDir).filter(f => f.endsWith(".csv"));
+  if (sampleFiles.length === 0) {
+    console.log(WARN("  ⚠ No CSV sample files found in storage-data/spark/samples"));
+    return;
+  }
+  hint("Uploading sample data files to MinIO storage…");
+  const s3Access = env.S3_ACCESS_KEY || env.MINIO_ACCESS_KEY || "minio";
+  const s3Secret = env.S3_SECRET_KEY || env.MINIO_SECRET_KEY || "minio123";
+  // Create ConfigMap with sample files (base64 encoded)
+  const configMapData = {};
+  for (const file of sampleFiles) {
+    const filePath = path.join(samplesDir, file);
+    const content = fs.readFileSync(filePath);
+    configMapData[file] = content.toString("base64");
+  }
+  const configMapManifest = JSON.stringify({
+    apiVersion: "v1",
+    kind: "ConfigMap",
+    metadata: { name: "bootstrap-sample-data", namespace: "foundation" },
+    binaryData: configMapData,
+  });
+  // Apply ConfigMap
+  const { exitCode: cmExitCode } = await execa("kubectl", [
+    "--context", clusterName, "apply", "-f", "-",
+  ], { input: configMapManifest, reject: false, timeout: 30000 });
+  if (cmExitCode !== 0) {
+    console.log(WARN("  ⚠ Could not create sample data ConfigMap"));
+    return;
+  }
+  // Create Job to upload files from ConfigMap to MinIO
+  const uploadScript = `
+set -e
+mc alias set minio http://foundation-storage-engine:8080 "${s3Access}" "${s3Secret}"
+mc mb minio/foundation --ignore-existing
+mc mb minio/foundation/spark --ignore-existing
+mc mb minio/foundation/spark/samples --ignore-existing
+for f in /samples/*.csv; do
+  [ -f "$f" ] && mc cp "$f" minio/foundation/spark/samples/
+done
+echo "Sample files uploaded successfully"
+`.trim();
+  const jobManifest = JSON.stringify({
+    apiVersion: "batch/v1",
+    kind: "Job",
+    metadata: { name: "bootstrap-sample-upload", namespace: "foundation" },
+    spec: {
+      backoffLimit: 3,
+      ttlSecondsAfterFinished: 120,
+      template: {
+        spec: {
+          restartPolicy: "Never",
+          containers: [{
+            name: "mc",
+            image: "minio/mc:latest",
+            command: ["sh", "-c", uploadScript],
+            volumeMounts: [{ name: "samples", mountPath: "/samples" }],
+          }],
+          volumes: [{
+            name: "samples",
+            configMap: { name: "bootstrap-sample-data" },
+          }],
+        },
+      },
+    },
+  });
+  // Delete old job if exists, then create new one
+  await execa("kubectl", [
+    "--context", clusterName, "delete", "job", "bootstrap-sample-upload", "-n", "foundation", "--ignore-not-found",
+  ], { reject: false, timeout: 15000 });
+  const { exitCode: jobExitCode } = await execa("kubectl", [
+    "--context", clusterName, "apply", "-f", "-",
+  ], { input: jobManifest, reject: false, timeout: 15000 });
+  if (jobExitCode !== 0) {
+    console.log(WARN("  ⚠ Could not create sample upload Job"));
+    return;
+  }
+  // Wait for Job completion
+  const { exitCode: waitExitCode } = await execa("kubectl", [
+    "--context", clusterName, "wait", "--for=condition=complete",
+    "job/bootstrap-sample-upload", "-n", "foundation", "--timeout=120s",
+  ], { reject: false, timeout: 130000 });
+  if (waitExitCode === 0) {
+    console.log(OK(`  ✓ Uploaded ${sampleFiles.length} sample file(s) to MinIO storage`));
+  } else {
+    // Check job status for errors
+    const { stdout: jobLogs } = await execa("kubectl", [
+      "--context", clusterName, "logs", "job/bootstrap-sample-upload", "-n", "foundation",
+    ], { reject: false, timeout: 15000 });
+    console.log(WARN("  ⚠ Sample upload Job did not complete"));
+    if (jobLogs) hint(jobLogs.slice(0, 300));
+  }
+  // Cleanup ConfigMap
+  await execa("kubectl", [
+    "--context", clusterName, "delete", "configmap", "bootstrap-sample-data", "-n", "foundation", "--ignore-not-found",
+  ], { reject: false, timeout: 15000 });
+}
+export async function aksDataBootstrap(opts = {}) {
+  const execa = await lazyExeca();
+  await ensureAzCli(execa);
+  await ensureAzAuth(execa, { subscription: opts.profile });
+  const cl = requireCluster(opts.clusterName);
+  const { getCredentials } = await import("./azure-aks-core.js");
+  await getCredentials(execa, {
+    clusterName: cl.clusterName,
+    rg: cl.resourceGroup,
+    sub: opts.profile,
+  });
+  let apiUrl = opts.apiUrl?.trim() || cl.foundationApiUrl?.trim();
+  if (!apiUrl) {
+    apiUrl = await discoverFoundationApiUrlFromCluster(execa, cl.clusterName);
+    if (apiUrl) {
+      hint(`Using API URL from cluster ingress: ${apiUrl}`);
+      writeClusterState(cl.clusterName, { foundationApiUrl: apiUrl });
+    }
+  }
+  if (!apiUrl) {
+    console.error(ERR("\n  Foundation backend API URL is required."));
+    hint("Pass the backend API base URL (e.g. https://foundation.example.com/api):");
+    hint("  fops azure aks bootstrap " + cl.clusterName + " --api-url https://your-foundation-host/api\n");
+    process.exit(1);
+  }
+  const normalized = apiUrl.replace(/\/+$/, "");
+  if (!normalized.endsWith("/api")) {
+    console.log(WARN("  API URL should usually end with /api (e.g. https://host/api). Using as-is."));
+  }
+  const root = findBootstrapRepoRoot();
+  if (!root) {
+    console.error(ERR("\n  Could not find foundation-compose root (scripts/bootstrap_foundation.py)."));
+    hint("Run from the foundation-compose directory, or set FOUNDATION_ROOT.\n");
+    process.exit(1);
+  }
+  const { loadEnvFromFile } = await import("./azure-helpers.js");
+  const projectEnv = loadEnvFromFile(path.join(root, ".env"));
+  let bootstrapEnv = {
+    ...process.env,
+    ...projectEnv,
+    PYTHONUNBUFFERED: "1",
+    API_URL: normalized,
+  };
+  // CLI --bearer-token takes precedence
+  if (opts.bearerToken?.trim()) {
+    bootstrapEnv.BEARER_TOKEN = opts.bearerToken.trim();
+  }
+  let hasCreds = !!(bootstrapEnv.BEARER_TOKEN?.trim()
+    || (bootstrapEnv.QA_USERNAME?.trim() && bootstrapEnv.QA_PASSWORD != null));
+  if (!hasCreds) {
+    try {
+      const fopsPath = path.join(os.homedir(), ".fops.json");
+      const raw = JSON.parse(fs.readFileSync(fopsPath, "utf8"));
+      const cfg = raw?.plugins?.entries?.["fops-plugin-foundation"]?.config || {};
+      if (cfg.bearerToken?.trim()) {
+        bootstrapEnv.BEARER_TOKEN = cfg.bearerToken.trim();
+        hasCreds = true;
+      } else if (cfg.user?.trim() && cfg.password) {
+        bootstrapEnv.QA_USERNAME = cfg.user.trim();
+        bootstrapEnv.QA_PASSWORD = cfg.password;
+        hasCreds = true;
+      }
+    } catch {}
+  }
+  if (!hasCreds && !opts.yes) {
+    console.log(WARN("  No Foundation credentials in env or ~/.fops.json."));
+    const { getInquirer } = await import(resolveCliSrc("lazy.js"));
+    const inquirer = await getInquirer();
+    const { authMethod } = await inquirer.prompt([{
+      type: "list",
+      name: "authMethod",
+      message: "Authentication method:",
+      choices: [
+        { name: "Username / password", value: "password" },
+        { name: "Bearer token (JWT)", value: "jwt" },
+      ],
+    }]);
+    if (authMethod === "jwt") {
+      const { token } = await inquirer.prompt([{ type: "input", name: "token", message: "Bearer token:", validate: (v) => v?.trim() ? true : "Token required" }]);
+      bootstrapEnv.BEARER_TOKEN = token.trim();
+    } else {
+      const { user } = await inquirer.prompt([{ type: "input", name: "user", message: "Username (email):", validate: (v) => v?.trim() ? true : "Username required" }]);
+      const { password } = await inquirer.prompt([{ type: "password", name: "password", message: "Password:", mask: "*", validate: (v) => v ? true : "Password required" }]);
+      bootstrapEnv.QA_USERNAME = user.trim();
+      bootstrapEnv.QA_PASSWORD = password;
+    }
+    hasCreds = true;
+  }
+  if (!hasCreds) {
+    console.error(ERR("  Set BEARER_TOKEN or QA_USERNAME+QA_PASSWORD (env or ~/.fops.json), or run without --yes.\n"));
+    process.exit(1);
+  }
+  // Fetch S3/storage credentials from cluster secret
+  try {
+    const s3SecretResult = await execa("kubectl", [
+      "get", "secret", "-n", "foundation", "storage-engine-auth-credentials",
+      "-o", "jsonpath={.data.AUTH_IDENTITY},{.data.AUTH_CREDENTIAL}",
+    ], { timeout: 15000 });
+    const [identityB64, credentialB64] = s3SecretResult.stdout.trim().split(",");
+    if (identityB64 && credentialB64) {
+      const s3AccessKey = Buffer.from(identityB64, "base64").toString("utf8");
+      const s3SecretKey = Buffer.from(credentialB64, "base64").toString("utf8");
+      bootstrapEnv.S3_ACCESS_KEY = s3AccessKey;
+      bootstrapEnv.S3_SECRET_KEY = s3SecretKey;
+      bootstrapEnv.MINIO_ACCESS_KEY = s3AccessKey;
+      bootstrapEnv.MINIO_SECRET_KEY = s3SecretKey;
+      bootstrapEnv.MY_S3_ACCESS = s3AccessKey;
+      bootstrapEnv.MY_S3_SECRET = s3SecretKey;
+      bootstrapEnv.AWS_ACCESS_KEY_ID = s3AccessKey;
+      bootstrapEnv.AWS_SECRET_ACCESS_KEY = s3SecretKey;
+      console.log(OK("  ✓ Retrieved S3 credentials from cluster"));
+    }
+  } catch {
+    console.log(WARN("  ⚠ Could not fetch S3 credentials from cluster (storage-engine-auth-credentials)"));
+  }
+  // Fetch CF Access credentials from ~/.fops.json
+  try {
+    const fopsPath = path.join(os.homedir(), ".fops.json");
+    const raw = JSON.parse(fs.readFileSync(fopsPath, "utf8"));
+    if (raw?.cloudflare?.accessClientId) {
+      bootstrapEnv.CF_ACCESS_CLIENT_ID = raw.cloudflare.accessClientId;
+      bootstrapEnv.CF_ACCESS_CLIENT_SECRET = raw.cloudflare.accessClientSecret || "";
+    }
+  } catch { /* no fops.json */ }
+  // Upload sample data files to MinIO storage
+  if (!opts.skipSampleUpload) {
+    await uploadSampleDataToStorage(execa, cl.clusterName, root, bootstrapEnv);
+  }
+  banner("Bootstrap demo data (AKS)");
+  kvLine("Cluster", cl.clusterName);
+  kvLine("API URL", normalized);
+  hint("Same as fops bootstrap — creates demo data mesh via backend API.\n");
+  const scriptsDir = path.join(root, "scripts");
+  const venvPython = path.join(scriptsDir, ".venv", "bin", "python");
+  const scriptPath = path.join(scriptsDir, "bootstrap_foundation.py");
+  if (!fs.existsSync(venvPython)) {
+    hint("Creating scripts/.venv…");
+    await execa("python3", ["-m", "venv", path.join(scriptsDir, ".venv")], { cwd: root, timeout: 30000 });
+    const pip = path.join(scriptsDir, ".venv", "bin", "pip");
+    if (!fs.existsSync(pip)) {
+      hint("Installing pip into venv…");
+      await execa("sh", ["-c", `curl -sS https://bootstrap.pypa.io/get-pip.py | ${venvPython}`], { cwd: root, timeout: 60000 });
+    }
+    const reqPath = path.join(scriptsDir, "requirements.txt");
+    if (fs.existsSync(reqPath)) {
+      await execa(venvPython, ["-m", "pip", "install", "--quiet", "-r", reqPath], { cwd: root, timeout: 120000 });
+    }
+  }
+  // Ensure bootstrap user exists in cluster postgres (for QA_USERNAME/QA_PASSWORD auth)
+  if (bootstrapEnv.QA_USERNAME?.trim() && bootstrapEnv.QA_PASSWORD) {
+    hint("Ensuring bootstrap user exists in cluster postgres…");
+    const ensureUserScript = path.join(scriptsDir, "ensure_bootstrap_user_sql.py");
+    if (fs.existsSync(ensureUserScript)) {
+      try {
+        const sqlResult = await execa(venvPython, [ensureUserScript], {
+          cwd: root,
+          timeout: 30000,
+          env: { ...process.env, QA_USERNAME: bootstrapEnv.QA_USERNAME, QA_PASSWORD: bootstrapEnv.QA_PASSWORD },
+        });
+        const sql = sqlResult.stdout?.trim();
+        if (sql) {
+          // Get postgres password from cluster secret
+          let pgPassword = "";
+          try {
+            const secretResult = await execa("kubectl", [
+              "get", "secret", "-n", "foundation", "postgres",
+              "-o", "jsonpath={.data.password}",
+            ], { timeout: 15000 });
+            pgPassword = Buffer.from(secretResult.stdout.trim(), "base64").toString("utf8");
+          } catch { /* ignore */ }
+          // Get postgres host from backend deployment config
+          let pgHost = "foundation-postgres"; // default for in-cluster
+          try {
+            const hostResult = await execa("kubectl", [
+              "get", "helmrelease", "-n", "foundation", "foundation-backend",
+              "-o", "jsonpath={.spec.values.config.postgres.host}",
+            ], { timeout: 15000 });
+            if (hostResult.stdout?.trim()) pgHost = hostResult.stdout.trim();
+          } catch { /* ignore */ }
+          let kubectlResult;
+          const isAzurePg = pgHost.includes(".postgres.database.azure.com");
+          if (isAzurePg) {
+            // Azure PostgreSQL - run psql via temporary pod
+            const podName = `bootstrap-psql-${Date.now()}`;
+            const pgUser = "foundation";
+            const connStr = `postgresql://${pgUser}:${pgPassword}@${pgHost}:5432/foundation?sslmode=require`;
+            kubectlResult = await execa("kubectl", [
+              "run", podName, "-n", "foundation", "--rm", "-i", "--restart=Never",
+              "--image=postgres:15-alpine", "--",
+              "psql", connStr, "-c", sql,
+            ], { timeout: 60000, reject: false });
+          } else {
+            // In-cluster postgres - kubectl exec
+            kubectlResult = await execa("kubectl", [
+              "exec", "-n", "foundation", "deploy/foundation-postgres", "--",
+              "psql", "-U", "foundation", "-d", "foundation", "-c", sql,
+            ], { timeout: 30000, reject: false });
+          }
+          if (kubectlResult.exitCode === 0) {
+            console.log(OK("  ✓ Bootstrap user ready in cluster postgres"));
+          } else {
+            console.log(WARN("  ⚠ Could not create bootstrap user (may already exist or postgres not ready)"));
+            if (kubectlResult.stderr) hint(kubectlResult.stderr.slice(0, 200));
+          }
+        }
+      } catch (e) {
+        console.log(WARN(`  ⚠ ensure-bootstrap-user skipped: ${e.message}`));
+      }
+    }
+  }
+  let captured = "";
+  const proc = execa(venvPython, ["-u", scriptPath], {
+    cwd: root,
+    timeout: 600_000,
+    env: bootstrapEnv,
+    reject: false,
+  });
+  proc.stdout?.on("data", (chunk) => { const s = chunk.toString(); captured += s; process.stdout.write(s); });
+  proc.stderr?.on("data", (chunk) => { const s = chunk.toString(); captured += s; process.stderr.write(s); });
+  const result = await proc;
+  if (result.exitCode === 0) {
+    console.log(OK("\n  ✓ Bootstrap complete! Demo data mesh created on the cluster backend."));
+    writeClusterState(cl.clusterName, { foundationApiUrl: normalized });
+    return;
+  }
+  if ((captured || "").includes("401") || (captured || "").includes("Insufficient permissions")) {
+    hint("\n  If the user needs Foundation Admin, grant it in the UI or via your IdP, then retry.");
+  }
+  const code = result.exitCode === 255 || result.exitCode === -1 ? 1 : result.exitCode;
+  console.error(ERR(`\n  Bootstrap failed (exit code ${code}).`));
+  hint("Ensure the AKS backend is up and reachable at " + normalized);
+  process.exit(1);
+}

package/src/plugins/bundled/fops-plugin-azure/lib/azure-aks-flux.js CHANGED Viewed

@@ -18,6 +18,10 @@ import { AKS_DEFAULTS } from "./azure-aks-naming.js";
 import {
   readClusterState, writeClusterState, resolveFluxConfig, requireCluster,
 } from "./azure-aks-state.js";
+import { aksDataBootstrap } from "./azure-aks-data-bootstrap.js";
+// Re-export for backwards compatibility
+export { aksDataBootstrap } from "./azure-aks-data-bootstrap.js";
 // ── Template defaults ─────────────────────────────────────────────────────────
@@ -998,183 +1002,5 @@ export async function aksFluxReconcile(opts = {}) {
   }
 }
-// ── aks data bootstrap ────────────────────────────────────────────────────────
-function findBootstrapRepoRoot() {
-  const scriptPath = "scripts/bootstrap_foundation.py";
-  const envRoot = process.env.FOUNDATION_ROOT;
-  if (envRoot && fs.existsSync(path.join(envRoot, scriptPath))) return path.resolve(envRoot);
-  try {
-    const fopsPath = path.join(os.homedir(), ".fops.json");
-    const raw = JSON.parse(fs.readFileSync(fopsPath, "utf8"));
-    const root = raw?.projectRoot;
-    if (root && fs.existsSync(path.join(root, scriptPath))) return path.resolve(root);
-  } catch {}
-  let dir = path.resolve(process.cwd());
-  for (;;) {
-    if (fs.existsSync(path.join(dir, scriptPath))) return dir;
-    const parent = path.dirname(dir);
-    if (parent === dir) break;
-    dir = parent;
-  }
-  return null;
-}
-async function discoverFoundationApiUrlFromCluster(execa, clusterName) {
-  try {
-    const { stdout } = await execa("kubectl", [
-      "get", "ingress", "-A",
-      "-o", "jsonpath={.items[*].spec.rules[*].host}",
-      "--context", clusterName,
-    ], { timeout: 15000 });
-    const first = (stdout || "").trim().split(/\s+/).filter(Boolean)[0];
-    if (first) return `https://${first}/api`;
-  } catch {}
-  return null;
-}
-export async function aksDataBootstrap(opts = {}) {
-  const execa = await lazyExeca();
-  await ensureAzCli(execa);
-  await ensureAzAuth(execa, { subscription: opts.profile });
-  const cl = requireCluster(opts.clusterName);
-  const { getCredentials } = await import("./azure-aks-core.js");
-  await getCredentials(execa, {
-    clusterName: cl.clusterName,
-    rg: cl.resourceGroup,
-    sub: opts.profile,
-  });
-  let apiUrl = opts.apiUrl?.trim() || cl.foundationApiUrl?.trim();
-  if (!apiUrl) {
-    apiUrl = await discoverFoundationApiUrlFromCluster(execa, cl.clusterName);
-    if (apiUrl) {
-      hint(`Using API URL from cluster ingress: ${apiUrl}`);
-      writeClusterState(cl.clusterName, { foundationApiUrl: apiUrl });
-    }
-  }
-  if (!apiUrl) {
-    console.error(ERR("\n  Foundation backend API URL is required."));
-    hint("Pass the backend API base URL (e.g. https://foundation.example.com/api):");
-    hint("  fops azure aks bootstrap " + cl.clusterName + " --api-url https://your-foundation-host/api\n");
-    process.exit(1);
-  }
-  const normalized = apiUrl.replace(/\/+$/, "");
-  if (!normalized.endsWith("/api")) {
-    console.log(WARN("  API URL should usually end with /api (e.g. https://host/api). Using as-is."));
-  }
-  const root = findBootstrapRepoRoot();
-  if (!root) {
-    console.error(ERR("\n  Could not find foundation-compose root (scripts/bootstrap_foundation.py)."));
-    hint("Run from the foundation-compose directory, or set FOUNDATION_ROOT.\n");
-    process.exit(1);
-  }
-  const { loadEnvFromFile } = await import("./azure-helpers.js");
-  const projectEnv = loadEnvFromFile(path.join(root, ".env"));
-  let bootstrapEnv = {
-    ...process.env,
-    ...projectEnv,
-    PYTHONUNBUFFERED: "1",
-    API_URL: normalized,
-  };
-  // CLI --bearer-token takes precedence
-  if (opts.bearerToken?.trim()) {
-    bootstrapEnv.BEARER_TOKEN = opts.bearerToken.trim();
-  }
-  let hasCreds = !!(bootstrapEnv.BEARER_TOKEN?.trim()
-    || (bootstrapEnv.QA_USERNAME?.trim() && bootstrapEnv.QA_PASSWORD != null));
-  if (!hasCreds) {
-    try {
-      const fopsPath = path.join(os.homedir(), ".fops.json");
-      const raw = JSON.parse(fs.readFileSync(fopsPath, "utf8"));
-      const cfg = raw?.plugins?.entries?.["fops-plugin-foundation"]?.config || {};
-      if (cfg.bearerToken?.trim()) {
-        bootstrapEnv.BEARER_TOKEN = cfg.bearerToken.trim();
-        hasCreds = true;
-      } else if (cfg.user?.trim() && cfg.password) {
-        bootstrapEnv.QA_USERNAME = cfg.user.trim();
-        bootstrapEnv.QA_PASSWORD = cfg.password;
-        hasCreds = true;
-      }
-    } catch {}
-  }
-  if (!hasCreds && !opts.yes) {
-    console.log(WARN("  No Foundation credentials in env or ~/.fops.json."));
-    const { getInquirer } = await import(resolveCliSrc("lazy.js"));
-    const inquirer = await getInquirer();
-    const { authMethod } = await inquirer.prompt([{
-      type: "list",
-      name: "authMethod",
-      message: "Authentication method:",
-      choices: [
-        { name: "Username / password", value: "password" },
-        { name: "Bearer token (JWT)", value: "jwt" },
-      ],
-    }]);
-    if (authMethod === "jwt") {
-      const { token } = await inquirer.prompt([{ type: "input", name: "token", message: "Bearer token:", validate: (v) => v?.trim() ? true : "Token required" }]);
-      bootstrapEnv.BEARER_TOKEN = token.trim();
-    } else {
-      const { user } = await inquirer.prompt([{ type: "input", name: "user", message: "Username (email):", validate: (v) => v?.trim() ? true : "Username required" }]);
-      const { password } = await inquirer.prompt([{ type: "password", name: "password", message: "Password:", mask: "*", validate: (v) => v ? true : "Password required" }]);
-      bootstrapEnv.QA_USERNAME = user.trim();
-      bootstrapEnv.QA_PASSWORD = password;
-    }
-    hasCreds = true;
-  }
-  if (!hasCreds) {
-    console.error(ERR("  Set BEARER_TOKEN or QA_USERNAME+QA_PASSWORD (env or ~/.fops.json), or run without --yes.\n"));
-    process.exit(1);
-  }
-  banner("Bootstrap demo data (AKS)");
-  kvLine("Cluster", cl.clusterName);
-  kvLine("API URL", normalized);
-  hint("Same as fops bootstrap — creates demo data mesh via backend API.\n");
-  const scriptsDir = path.join(root, "scripts");
-  const venvPython = path.join(scriptsDir, ".venv", "bin", "python");
-  const scriptPath = path.join(scriptsDir, "bootstrap_foundation.py");
-  if (!fs.existsSync(venvPython)) {
-    hint("Creating scripts/.venv…");
-    await execa("python3", ["-m", "venv", path.join(scriptsDir, ".venv")], { cwd: root, timeout: 30000 });
-    const pip = path.join(scriptsDir, ".venv", "bin", "pip");
-    if (!fs.existsSync(pip)) {
-      hint("Installing pip into venv…");
-      await execa("sh", ["-c", `curl -sS https://bootstrap.pypa.io/get-pip.py | ${venvPython}`], { cwd: root, timeout: 60000 });
-    }
-    const reqPath = path.join(scriptsDir, "requirements.txt");
-    if (fs.existsSync(reqPath)) {
-      await execa(venvPython, ["-m", "pip", "install", "--quiet", "-r", reqPath], { cwd: root, timeout: 120000 });
-    }
-  }
-  let captured = "";
-  const proc = execa(venvPython, ["-u", scriptPath], {
-    cwd: root,
-    timeout: 600_000,
-    env: bootstrapEnv,
-    reject: false,
-  });
-  proc.stdout?.on("data", (chunk) => { const s = chunk.toString(); captured += s; process.stdout.write(s); });
-  proc.stderr?.on("data", (chunk) => { const s = chunk.toString(); captured += s; process.stderr.write(s); });
-  const result = await proc;
-  if (result.exitCode === 0) {
-    console.log(OK("\n  ✓ Bootstrap complete! Demo data mesh created on the cluster backend."));
-    writeClusterState(cl.clusterName, { foundationApiUrl: normalized });
-    return;
-  }
-  if ((captured || "").includes("401") || (captured || "").includes("Insufficient permissions")) {
-    hint("\n  If the user needs Foundation Admin, grant it in the UI or via your IdP, then retry.");
-  }
-  const code = result.exitCode === 255 || result.exitCode === -1 ? 1 : result.exitCode;
-  console.error(ERR(`\n  Bootstrap failed (exit code ${code}).`));
-  hint("Ensure the AKS backend is up and reachable at " + normalized);
-  process.exit(1);
-}
+// aksDataBootstrap is now in azure-aks-data-bootstrap.js and re-exported above for backwards compatibility

package/src/plugins/bundled/fops-plugin-azure/lib/azure-aks-naming.js CHANGED Viewed

@@ -28,17 +28,27 @@ export const AKS_DEFAULTS = {
 // Region pairs for Postgres geo-replication
 export const PG_REPLICA_REGIONS = {
-  uaenorth: "westeurope",     // UAE → EU
+  uaenorth: "northeurope",    // UAE → EU (North Europe)
   westeurope: "uaenorth",     // EU → UAE
-  eastus: "westeurope",       // US East → EU
+  northeurope: "uaenorth",    // EU → UAE
+  eastus: "northeurope",      // US East → EU
   westus2: "eastus",          // US West → US East
 };
+// HA replica regions for storage object replication (cross-region)
+export const HA_REPLICA_REGIONS = {
+  uaenorth: "northeurope",    // UAE North → North Europe
+  northeurope: "uaenorth",    // North Europe → UAE North
+  westeurope: "northeurope",  // West Europe → North Europe
+  eastus: "northeurope",      // US East → North Europe
+  westus2: "northeurope",     // US West → North Europe
+};
 // ── Postgres Defaults ─────────────────────────────────────────────────────────
 export const PG_DEFAULTS = {
-  sku: "Standard_B2ms",
-  tier: "Burstable",
+  sku: "Standard_D2ds_v4",
+  tier: "GeneralPurpose",
   version: "15",
   storageSizeGb: 32,
   adminUser: "foundation",