@meshxdata/fops 0.1.50 → 0.1.52

package/CHANGELOG.md

@@ -1,5 +1,13 @@
-## [0.1.50] - 2026-03-24
-
+## [0.1.52] - 2026-03-24
+
+- fix(doctor): set KUBECONFIG for k3s kubectl commands (db9359b)
+- fix(azure): move --landscape to test run command, not separate subcommand (4b9b089)
+- feat(azure): add test integration command with landscape support (b2990a0)
+- fix(fleet): skip VMs without public IPs in fleet exec (39acbaa)
+- feat(azure): detect and fix External Secrets identity issues (f907d11)
+- operator cli bump 0.1.51 (db55bdc)
+- feat: add postgres-exporter and Azure tray menu improvements (2a337ac)
+- operator cli plugin fix (4dae908)
 - operator cli plugin fix (25620cc)
 - operator cli test fixes (1d1c18f)
 - feat(test): add setup-users command for QA test user creation (b929507)
@@ -171,14 +179,6 @@
 - azure packer (12175b8)
 - init hashed pwd (db8523c)
 - packer (5b5c7c4)
-- doctor for azure vm (ed524fa)
-- packer and 1pwd (c6d053e)
-- split big index.js (dc85a1b)
-- kafka volume update (21815ec)
-- fix openai azure tools confirmation and flow (0118cd1)
-- nighly fixx, test fix (5e0d04f)
-- open ai training (cdc494a)
-- openai integration in azure (1ca1475)
 
 # Changelog
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@meshxdata/fops",
-  "version": "0.1.50",
+  "version": "0.1.52",
   "description": "CLI to install and manage data mesh platforms",
   "keywords": [
     "fops",

package/src/doctor.js

@@ -22,6 +22,9 @@ const KEY_PORTS = {
   18201: "Vault",
 };
 
+// K3s kubectl requires explicit KUBECONFIG inside the container
+const K3S_KUBECTL = ["exec", "-e", "KUBECONFIG=/etc/rancher/k3s/k3s.yaml", "k3s-server", "kubectl"];
+
 const LABEL_WIDTH = 36;
 
 function header(title) {
@@ -1187,7 +1190,7 @@ export async function runDoctor(opts = {}, registry = null) {
       // 1. Cluster reachable
       try {
         const { stdout: nodesOut, exitCode: nodesExit } = await execa("docker", [
-          "exec", "k3s-server", "kubectl", "get", "nodes",
+          ...K3S_KUBECTL, "get", "nodes",
         ], { timeout: 10000, reject: false });
         if (nodesExit === 0 && /Ready/.test(nodesOut)) {
           ok("K3s cluster reachable", nodesOut.trim().split("\n").find((l) => /Ready/.test(l))?.trim().replace(/\s+/g, " ") || "ready");
@@ -1216,11 +1219,11 @@ export async function runDoctor(opts = {}, registry = null) {
         }
         console.log(chalk.cyan("  ▶ Deleting old ghcr-secret…"));
         await execa("docker", [
-          "exec", "k3s-server", "kubectl", "delete", "secret", "ghcr-secret", "-n", "spark-jobs",
+          ...K3S_KUBECTL, "delete", "secret", "ghcr-secret", "-n", "spark-jobs",
         ], { timeout: 10000, reject: false });
         console.log(chalk.cyan("  ▶ Creating new ghcr-secret…"));
         await execa("docker", [
-          "exec", "k3s-server", "kubectl", "create", "secret", "docker-registry", "ghcr-secret",
+          ...K3S_KUBECTL, "create", "secret", "docker-registry", "ghcr-secret",
           "--docker-server=ghcr.io", "--docker-username=x-access-token", `--docker-password=${freshToken}`,
           "--namespace=spark-jobs",
         ], { timeout: 10000 });
@@ -1229,7 +1232,7 @@ export async function runDoctor(opts = {}, registry = null) {
         const patchJson = '{"imagePullSecrets":[{"name":"ghcr-secret"}]}';
         for (const sa of ["spark-operator-spark", "spark", "default"]) {
           await execa("docker", [
-            "exec", "k3s-server", "kubectl", "patch", "serviceaccount", sa,
+            ...K3S_KUBECTL, "patch", "serviceaccount", sa,
             "-n", "spark-jobs", "-p", patchJson,
           ], { timeout: 10000, reject: false });
         }
@@ -1238,7 +1241,7 @@ export async function runDoctor(opts = {}, registry = null) {
 
       try {
         const { exitCode: secretExit } = await execa("docker", [
-          "exec", "k3s-server", "kubectl", "get", "secret", "ghcr-secret", "-n", "spark-jobs",
+          ...K3S_KUBECTL, "get", "secret", "ghcr-secret", "-n", "spark-jobs",
         ], { timeout: 10000, reject: false });
 
         if (secretExit !== 0) {
@@ -1248,7 +1251,7 @@ export async function runDoctor(opts = {}, registry = null) {
           let ghcrTokenValid = false;
           try {
             const { stdout: b64Data } = await execa("docker", [
-              "exec", "k3s-server", "kubectl", "get", "secret", "ghcr-secret",
+              ...K3S_KUBECTL, "get", "secret", "ghcr-secret",
               "-n", "spark-jobs", "-o", "jsonpath={.data.\\.dockerconfigjson}",
             ], { timeout: 10000 });
             if (b64Data?.trim()) {
@@ -1280,7 +1283,7 @@ export async function runDoctor(opts = {}, registry = null) {
       // 3. ECR / regcred secret (informational)
       try {
         const { exitCode: ecrExit } = await execa("docker", [
-          "exec", "k3s-server", "kubectl", "get", "secret", "ecr-secret", "-n", "spark-jobs",
+          ...K3S_KUBECTL, "get", "secret", "ecr-secret", "-n", "spark-jobs",
         ], { timeout: 10000, reject: false });
         if (ecrExit === 0) {
           ok("ECR pull secret (ecr-secret)", "exists in spark-jobs");
@@ -1291,7 +1294,7 @@ export async function runDoctor(opts = {}, registry = null) {
 
       try {
         const { exitCode: regExit } = await execa("docker", [
-          "exec", "k3s-server", "kubectl", "get", "secret", "regcred", "-n", "spark-jobs",
+          ...K3S_KUBECTL, "get", "secret", "regcred", "-n", "spark-jobs",
         ], { timeout: 10000, reject: false });
         if (regExit === 0) {
           ok("regcred secret", "exists in spark-jobs");

package/src/plugins/bundled/fops-plugin-azure/lib/azure-aks-core.js

@@ -1250,6 +1250,15 @@ export async function aksStatus(opts = {}) {
     hint("  Flux CLI not available — skipping Flux status.");
   }
 
+  // External Secrets health check
+  console.log(`\n  ${LABEL("External Secrets")}`);
+  try {
+    const { validateExternalSecretsHealth } = await import("./azure-aks-secrets.js");
+    await validateExternalSecretsHealth({ execa, clusterName, rg, sub });
+  } catch (e) {
+    hint(`  Could not check External Secrets: ${e.message}`);
+  }
+
   console.log("");
 }
 

package/src/plugins/bundled/fops-plugin-azure/lib/azure-aks-secrets.js

@@ -172,6 +172,32 @@ export async function reconcileSecretStore(ctx) {
     }
   }
 
+  // 2c. Check for External Secrets managed identity (ext-* prefix) and grant Key Vault access
+  const extSecretsIdentity = await detectExternalSecretsIdentity(execa, clusterName, sub);
+  if (extSecretsIdentity && kvId) {
+    const { stdout: hasExtRole } = await execa("az", [
+      "role", "assignment", "list",
+      "--assignee", extSecretsIdentity.clientId,
+      "--role", "Key Vault Secrets User",
+      "--scope", kvId,
+      "--query", "[0].id", "-o", "tsv",
+      ...subArgs(sub),
+    ], { reject: false, timeout: 30000 });
+
+    if (!hasExtRole?.trim()) {
+      await execa("az", [
+        "role", "assignment", "create",
+        "--assignee", extSecretsIdentity.clientId,
+        "--role", "Key Vault Secrets User",
+        "--scope", kvId,
+        ...subArgs(sub),
+      ], { reject: false, timeout: 30000 });
+      console.log(OK(`  ✓ External Secrets identity granted Key Vault Secrets User role`));
+    }
+    // Store the identity ID for SecretStore configuration
+    ctx.extSecretsIdentityId = extSecretsIdentity.clientId;
+  }
+
   // 3. Ensure azure-secret-sp exists in each target namespace
   const { stdout: spSecretJson } = await kubectl([
     "get", "secret", "azure-secret-sp", "-n", "foundation", "-o", "json",
@@ -579,6 +605,131 @@ export async function detectEsApiVersion(kubectl) {
   return "external-secrets.io/v1";
 }
 
+/**
+ * Detect External Secrets managed identity (ext-* prefix) for clusters with multiple identities.
+ * When AKS has multiple user-assigned identities, SecretStore needs to specify which one to use.
+ */
+export async function detectExternalSecretsIdentity(execa, clusterName, sub) {
+  const { subArgs } = await import("./azure.js");
+
+  // List all managed identities that match the external-secrets pattern
+  const { stdout: identitiesJson } = await execa("az", [
+    "identity", "list",
+    "--query", `[?contains(name, '${clusterName}')].{name:name,clientId:clientId}`,
+    "-o", "json",
+    ...subArgs(sub),
+  ], { reject: false, timeout: 30000 });
+
+  let identities = [];
+  try { identities = JSON.parse(identitiesJson || "[]"); } catch {}
+
+  // Look for ext-* identity (External Secrets workload identity)
+  const extIdentity = identities.find(i => i.name?.startsWith("ext-") && i.name?.includes(clusterName));
+  if (extIdentity) {
+    return { name: extIdentity.name, clientId: extIdentity.clientId };
+  }
+
+  // If multiple identities exist but no ext-* found, warn about potential issues
+  if (identities.length > 1) {
+    const { WARN, hint } = await import("./azure.js");
+    console.log(WARN(`  ⚠ Multiple managed identities found for ${clusterName} but no ext-* identity detected`));
+    hint("External Secrets may fail with 'Multiple user assigned identities exist' error");
+    hint("Create a dedicated identity: az identity create -n ext-<cluster> -g <rg>");
+  }
+
+  return null;
+}
+
+/**
+ * Validate External Secrets health - checks SecretStore config and ExternalSecret status.
+ * Reports issues like missing identityId when multiple identities exist.
+ */
+export async function validateExternalSecretsHealth(ctx) {
+  const { execa, clusterName, sub } = ctx;
+  const { OK, WARN, DIM, hint, subArgs } = await import("./azure.js");
+
+  const kubectl = (args, opts = {}) =>
+    execa("kubectl", ["--context", clusterName, ...args], { timeout: 30000, reject: false, ...opts });
+
+  const issues = [];
+
+  // Check SecretStore status
+  const { stdout: ssJson } = await kubectl([
+    "get", "secretstore", SECRET_STORE_NAME, "-n", "foundation", "-o", "json",
+  ]);
+  if (!ssJson) {
+    issues.push({ level: "error", msg: "SecretStore not found in foundation namespace" });
+    return issues;
+  }
+
+  const ss = JSON.parse(ssJson);
+  const ssReady = ss.status?.conditions?.find(c => c.type === "Ready")?.status === "True";
+  const authType = ss.spec?.provider?.azurekv?.authType;
+  const identityId = ss.spec?.provider?.azurekv?.identityId;
+
+  // Check if using ManagedIdentity auth without identityId when multiple identities exist
+  if (authType === "ManagedIdentity" && !identityId) {
+    const extIdentity = await detectExternalSecretsIdentity(execa, clusterName, sub);
+    if (extIdentity) {
+      issues.push({
+        level: "warn",
+        msg: `SecretStore uses ManagedIdentity but identityId is empty`,
+        fix: `Set identityId to "${extIdentity.clientId}" in clusters/${clusterName}/config/secret-store.yaml`,
+      });
+    }
+  }
+
+  // Check ExternalSecret status
+  const { stdout: esJson } = await kubectl([
+    "get", "externalsecret", "-n", "foundation", "-o", "json",
+  ]);
+  const externalSecrets = esJson ? JSON.parse(esJson).items : [];
+
+  for (const es of externalSecrets) {
+    const ready = es.status?.conditions?.find(c => c.type === "Ready");
+    if (ready?.status !== "True") {
+      const msg = ready?.message || "Unknown error";
+      if (msg.includes("Multiple user assigned identities exist")) {
+        const extIdentity = await detectExternalSecretsIdentity(execa, clusterName, sub);
+        issues.push({
+          level: "error",
+          msg: `ExternalSecret "${es.metadata.name}" failing: Multiple identities detected`,
+          fix: extIdentity
+            ? `Add identityId: "${extIdentity.clientId}" to SecretStore spec`
+            : "Create ext-* managed identity and grant Key Vault access",
+        });
+      } else if (msg.includes("Forbidden") || msg.includes("not authorized")) {
+        issues.push({
+          level: "error",
+          msg: `ExternalSecret "${es.metadata.name}" failing: Key Vault access denied`,
+          fix: "Run: fops azure aks doctor --fix to grant Key Vault permissions",
+        });
+      } else {
+        issues.push({
+          level: "error",
+          msg: `ExternalSecret "${es.metadata.name}" failing: ${msg.substring(0, 100)}`,
+        });
+      }
+    }
+  }
+
+  // Report findings
+  if (issues.length === 0) {
+    console.log(OK("  ✓ External Secrets healthy"));
+  } else {
+    for (const issue of issues) {
+      if (issue.level === "error") {
+        console.log(WARN(`  ✗ ${issue.msg}`));
+      } else {
+        console.log(WARN(`  ⚠ ${issue.msg}`));
+      }
+      if (issue.fix) hint(`    Fix: ${issue.fix}`);
+    }
+  }
+
+  return issues;
+}
+
 // ── Vault auto-unseal bootstrap ──────────────────────────────────────────────
 
 export const VAULT_UNSEAL_KEY_NAME = "vault-unseal";

package/src/plugins/bundled/fops-plugin-azure/lib/azure-fleet.js

@@ -71,20 +71,28 @@ async function forEachVm({
     return { results: [], vms };
   }
 
-  const targets = opts.vmName ? [opts.vmName] : names;
-  for (const t of targets) {
+  const allTargets = opts.vmName ? [opts.vmName] : names;
+  for (const t of allTargets) {
     if (!vms[t]) {
       console.error(ERR(`\n  VM "${t}" not tracked. Run: fops azure list\n`));
       process.exit(1);
     }
   }
 
+  // Filter out VMs without public IPs (e.g., local stack) unless explicitly targeted
+  const skippedVms = opts.vmName ? [] : allTargets.filter(t => !vms[t].publicIp);
+  const targets = opts.vmName ? allTargets : allTargets.filter(t => vms[t].publicIp);
+
   banner(title);
-  hint(`${targets.length} VM(s)${concurrency ? ` (concurrency: ${concurrency})` : ""}…\n`);
+  if (targets.length === 0) {
+    hint("No VMs with public IPs to target.\n");
+    return { results: [], vms, activeVm: listVms().activeVm };
+  }
+  hint(`${targets.length} VM(s)${skippedVms.length ? ` (${skippedVms.length} skipped: no public IP)` : ""}${concurrency ? ` (concurrency: ${concurrency})` : ""}…\n`);
 
   async function runOne(name) {
     const vm = vms[name];
-    if (!vm.publicIp) return { name, ok: false, reason: "no public IP" };
+    if (!vm.publicIp) return { name, ok: false, reason: "no public IP (local stack?)" };
 
     try {
       await knockForVm(vm);

package/src/plugins/bundled/fops-plugin-azure/lib/commands/test-cmds.js

@@ -14,6 +14,8 @@ export function registerTestCommands(azure) {
     .command("run [name]", { isDefault: true })
     .description("Run QA automation tests locally against a remote VM")
     .option("--vm-name <name>", "Target VM (default: active)")
+    .option("--landscape <file>", "Apply landscape file (FCL/HCL/YAML) before running tests")
+    .option("--landscape-template <name>", "Use built-in landscape template (demo, pipeline_demo)")
     .action(async (name, opts) => {
       const { resolveCliSrc, lazyExeca, ensureAzCli, ensureAzAuth, resolvePublicIp } = await import("../azure-helpers.js");
       const { requireVmState, knockForVm, sshCmd, MUX_OPTS } = await import("../azure.js");
@@ -46,6 +48,32 @@ export function registerTestCommands(azure) {
         process.exit(1);
       }
 
+      // Apply landscape if specified
+      let landscapeFile = opts.landscape;
+      if (!landscapeFile && opts.landscapeTemplate) {
+        const templateDir = path.join(root, "operator-cli/src/plugins/bundled/fops-plugin-foundation/templates/landscapes");
+        const templateName = opts.landscapeTemplate.endsWith(".fcl") ? opts.landscapeTemplate : `${opts.landscapeTemplate}.fcl`;
+        landscapeFile = path.join(templateDir, templateName);
+        try {
+          await fsp.access(landscapeFile);
+        } catch {
+          console.error(chalk.red(`\n  Landscape template not found: ${templateName}`));
+          console.error(chalk.dim(`  Available: demo.fcl, pipeline_demo.fcl\n`));
+          process.exit(1);
+        }
+      }
+      if (landscapeFile) {
+        console.log(chalk.cyan(`\n  Applying landscape: ${path.basename(landscapeFile)}…\n`));
+        const { azureApply } = await import("../azure.js");
+        try {
+          await azureApply(landscapeFile, { vmName: state.vmName });
+          console.log(chalk.green("  ✓ Landscape applied\n"));
+        } catch (err) {
+          console.error(chalk.red(`\n  Failed to apply landscape: ${err.message}\n`));
+          process.exit(1);
+        }
+      }
+
       const vmUrl = state.publicUrl || `https://${ip}`;
       const apiUrl = `${vmUrl}/api`;
 

package/src/plugins/bundled/fops-plugin-foundation/index.js

@@ -1618,6 +1618,8 @@ class AppDelegate: NSObject, NSApplicationDelegate, NSMenuDelegate {
         checkForUpdate()
         let updateTimer = Timer(timeInterval: 900, repeats: true) { _ in self.checkForUpdate() }
         RunLoop.main.add(updateTimer, forMode: .common)
+        // Preload Azure resources
+        preloadAzureResources()
     }
 
     func checkForUpdate() {
@@ -1819,7 +1821,19 @@ class AppDelegate: NSObject, NSApplicationDelegate, NSMenuDelegate {
 
     var azureCache: [String: Any]? = nil
     var azureCacheTime: Date? = nil
-    let azureCacheTTL: TimeInterval = 60 // 60 seconds
+    let azureCacheTTL: TimeInterval = 120 // 2 minutes
+
+    func preloadAzureResources() {
+        fops(["azure", "list", "--json"], capture: true) { out, success in
+            guard success,
+                  let data = out.data(using: .utf8),
+                  let json = try? JSONSerialization.jsonObject(with: data) as? [String: Any] else { return }
+            DispatchQueue.main.async {
+                self.azureCache = json
+                self.azureCacheTime = Date()
+            }
+        }
+    }
 
     func populateAzureMenu(_ m: NSMenu) {
         // Use cache if fresh
@@ -1837,21 +1851,23 @@ class AppDelegate: NSObject, NSApplicationDelegate, NSMenuDelegate {
 
         // Fetch VMs and AKS clusters via fops azure list --json
         fops(["azure", "list", "--json"], capture: true) { out, success in
-            guard success,
-                  let data = out.data(using: .utf8),
-                  let json = try? JSONSerialization.jsonObject(with: data) as? [String: Any] else {
-                m.removeAllItems()
-                let err = NSMenuItem(title: "Not authenticated or plugin disabled", action: nil, keyEquivalent: "")
-                err.isEnabled = false
-                m.addItem(err)
-                return
-            }
+            DispatchQueue.main.async {
+                guard success,
+                      let data = out.data(using: .utf8),
+                      let json = try? JSONSerialization.jsonObject(with: data) as? [String: Any] else {
+                    m.removeAllItems()
+                    let err = NSMenuItem(title: "Not authenticated or plugin disabled", action: nil, keyEquivalent: "")
+                    err.isEnabled = false
+                    m.addItem(err)
+                    return
+                }
 
-            // Update cache
-            self.azureCache = json
-            self.azureCacheTime = Date()
+                // Update cache
+                self.azureCache = json
+                self.azureCacheTime = Date()
 
-            self.renderAzureMenu(m, data: json)
+                self.renderAzureMenu(m, data: json)
+            }
         }
     }
 
@@ -1870,9 +1886,21 @@ class AppDelegate: NSObject, NSApplicationDelegate, NSMenuDelegate {
                 let name = vm["name"] as? String ?? "unknown"
                 let ip = vm["publicIp"] as? String ?? ""
                 let ipSuffix = ip.isEmpty ? "" : " (\\(ip))"
-                let item = NSMenuItem(title: "  " + name + ipSuffix, action: #selector(AppDelegate.openAzureVM(_:)), keyEquivalent: "")
-                item.representedObject = name
-                item.target = self
+
+                let item = NSMenuItem(title: "  " + name + ipSuffix, action: nil, keyEquivalent: "")
+                let submenu = NSMenu()
+
+                let sshItem = NSMenuItem(title: "SSH", action: #selector(AppDelegate.azureVMSSH(_:)), keyEquivalent: "")
+                sshItem.representedObject = name
+                sshItem.target = self
+                submenu.addItem(sshItem)
+
+                let testItem = NSMenuItem(title: "Run Tests", action: #selector(AppDelegate.azureVMTest(_:)), keyEquivalent: "")
+                testItem.representedObject = name
+                testItem.target = self
+                submenu.addItem(testItem)
+
+                item.submenu = submenu
                 m.addItem(item)
             }
         }
@@ -1887,9 +1915,28 @@ class AppDelegate: NSObject, NSApplicationDelegate, NSMenuDelegate {
                 let name = cluster["name"] as? String ?? "unknown"
                 let state = cluster["provisioningState"] as? String ?? ""
                 let dot = state.lowercased() == "succeeded" ? "● " : "○ "
-                let item = NSMenuItem(title: "  " + dot + name, action: #selector(AppDelegate.openAzureAKS(_:)), keyEquivalent: "")
-                item.representedObject = name
-                item.target = self
+
+                let item = NSMenuItem(title: "  " + dot + name, action: nil, keyEquivalent: "")
+                let submenu = NSMenu()
+
+                let kubeconfigItem = NSMenuItem(title: "Kubeconfig", action: #selector(AppDelegate.azureAKSKubeconfig(_:)), keyEquivalent: "")
+                kubeconfigItem.representedObject = name
+                kubeconfigItem.target = self
+                submenu.addItem(kubeconfigItem)
+
+                let testItem = NSMenuItem(title: "Run Tests", action: #selector(AppDelegate.azureAKSTest(_:)), keyEquivalent: "")
+                testItem.representedObject = name
+                testItem.target = self
+                submenu.addItem(testItem)
+
+                submenu.addItem(NSMenuItem.separator())
+
+                let statusItem = NSMenuItem(title: "Status", action: #selector(AppDelegate.azureAKSStatus(_:)), keyEquivalent: "")
+                statusItem.representedObject = name
+                statusItem.target = self
+                submenu.addItem(statusItem)
+
+                item.submenu = submenu
                 m.addItem(item)
             }
         }
@@ -1901,12 +1948,27 @@ class AppDelegate: NSObject, NSApplicationDelegate, NSMenuDelegate {
         }
     }
 
-    @objc func openAzureVM(_ sender: NSMenuItem) {
+    @objc func azureVMSSH(_ sender: NSMenuItem) {
         guard let name = sender.representedObject as? String else { return }
         openTerminal(command: "fops azure ssh \\(name)")
     }
 
-    @objc func openAzureAKS(_ sender: NSMenuItem) {
+    @objc func azureVMTest(_ sender: NSMenuItem) {
+        guard let name = sender.representedObject as? String else { return }
+        openTerminal(command: "fops azure test \\(name)")
+    }
+
+    @objc func azureAKSKubeconfig(_ sender: NSMenuItem) {
+        guard let name = sender.representedObject as? String else { return }
+        openTerminal(command: "fops azure aks kubeconfig \\(name)")
+    }
+
+    @objc func azureAKSTest(_ sender: NSMenuItem) {
+        guard let name = sender.representedObject as? String else { return }
+        openTerminal(command: "fops azure aks test \\(name)")
+    }
+
+    @objc func azureAKSStatus(_ sender: NSMenuItem) {
         guard let name = sender.representedObject as? String else { return }
         openTerminal(command: "fops azure aks status \\(name)")
     }