cyberia 3.2.9 → 3.2.22

package/src/cli/deploy.js

@@ -18,9 +18,9 @@ import {
 } from '../server/conf.js';
 import { loggerFactory } from '../server/logger.js';
 import { shellExec } from '../server/process.js';
+import { INTERNAL_READY_PATH, INTERNAL_HEALTH_PATH } from '../server/runtime-status.js';
 import fs from 'fs-extra';
 import dotenv from 'dotenv';
-import { timer } from '../client/components/core/CommonJs.js';
 import os from 'node:os';
 import Underpost from '../index.js';
 
@@ -114,6 +114,64 @@ class UnderpostDeploy {
       )
       .join('')}`;
     },
+    /**
+     * Builds Kubernetes probes that gate on the in-pod internal status endpoint.
+     *
+     * HTTP mode (default) aligns Kubernetes pod readiness with actual Underpost
+     * runtime readiness:
+     *   - readinessProbe → GET /_internal/ready  (200 only when running-deployment)
+     *   - livenessProbe  → GET /_internal/health (deadlock / hung-process detection)
+     *   - startupProbe   → GET /_internal/ready  (long window for hot-built/slow boots)
+     *
+     * Migration: pass `useHttp: false` to emit the legacy TCP socket probes
+     * (port-bound only) for deployments not yet serving the internal endpoint.
+     *
+     * @param {object} opts
+     * @param {number} opts.port - In-pod internal status port (deployment base PORT).
+     * @param {boolean} [opts.useHttp=true] - Emit HTTP probes; false → legacy TCP.
+     * @param {boolean} [opts.liveness=true] - Include a livenessProbe.
+     * @param {boolean} [opts.startup=true] - Include a startupProbe.
+     * @returns {{readinessProbe: object, livenessProbe?: object, startupProbe?: object}}
+     * @memberof UnderpostDeploy
+     */
+    runtimeProbesFactory({ port, useHttp = true, liveness = true, startup = true } = {}) {
+      if (!port) return {};
+      if (!useHttp) {
+        const tcp = { tcpSocket: { port }, initialDelaySeconds: 5, periodSeconds: 10, failureThreshold: 6 };
+        const probes = { readinessProbe: tcp };
+        if (liveness) probes.livenessProbe = { ...tcp, initialDelaySeconds: 30 };
+        return probes;
+      }
+      const probes = {
+        readinessProbe: {
+          httpGet: { path: INTERNAL_READY_PATH, port },
+          initialDelaySeconds: 5,
+          periodSeconds: 5,
+          timeoutSeconds: 3,
+          failureThreshold: 3,
+        },
+      };
+      if (liveness)
+        probes.livenessProbe = {
+          httpGet: { path: INTERNAL_HEALTH_PATH, port },
+          initialDelaySeconds: 30,
+          periodSeconds: 15,
+          timeoutSeconds: 3,
+          failureThreshold: 3,
+        };
+      if (startup)
+        // A startupProbe suspends readiness/liveness until it first succeeds, so
+        // its window bounds in-container hot builds and slow boots. 180 × 10s =
+        // 30 min before the pod is considered failed to start.
+        probes.startupProbe = {
+          httpGet: { path: INTERNAL_READY_PATH, port },
+          initialDelaySeconds: 10,
+          periodSeconds: 10,
+          timeoutSeconds: 3,
+          failureThreshold: 180,
+        };
+      return probes;
+    },
     /**
      * Creates a YAML deployment configuration for a deployment.
      * @param {string} deployId - Deployment ID for which the deployment is being created.
@@ -127,6 +185,12 @@ class UnderpostDeploy {
      * @param {Array<string>} cmd - Command to run in the deployment container.
      * @param {boolean} skipFullBuild - Whether to skip the full client bundle build during deployment.
      * @param {boolean} pullBundle - Whether to pull the pre-built client bundle from Cloudinary before starting. Use together with skipFullBuild to skip the local build entirely.
+     * @param {string} [imagePullPolicy] - Container imagePullPolicy override (`Always`, `IfNotPresent`, `Never`). When omitted, defaults to `Never` for `localhost/` images and `IfNotPresent` otherwise.
+     * @param {object} lifecycle - Kubernetes lifecycle hooks configuration for the deployment container.
+     * @param {object} readinessProbe - Kubernetes readiness probe configuration for the deployment container.
+     * @param {object} livenessProbe - Kubernetes liveness probe configuration for the deployment container.
+     * @param {object} startupProbe - Kubernetes startup probe configuration for the deployment container.
+     * @param {number} containerPort - Container port to expose for the deployment.
      * @returns {string} - YAML deployment configuration for the specified deployment.
      * @memberof UnderpostDeploy
      */
@@ -142,6 +206,22 @@ class UnderpostDeploy {
       cmd,
       skipFullBuild,
       pullBundle,
+      imagePullPolicy,
+      // K8S lifecycle + probe wiring. Pass-through structures shaped like the
+      // upstream Kubernetes API, spliced verbatim into the container spec.
+      //   lifecycle:        { postStart: { exec: { command: [...] } }, preStop: { exec: { command: [...] } } }
+      //   readinessProbe:   { tcpSocket: { port: 8081 }, ... }
+      //   livenessProbe:    { tcpSocket: { port: 8081 }, ... }
+      //   containerPort:    integer; rendered as ports[0].containerPort. Optional.
+      lifecycle,
+      readinessProbe,
+      livenessProbe,
+      startupProbe,
+      containerPort,
+      // Explicit, secret-free internal status port injected as an env var so the
+      // in-pod endpoint binds exactly what the probes and the monitor target,
+      // independent of the ambient `PORT` baked into the image/secret.
+      internalStatusPort,
     }) {
       if (!cmd)
         cmd =
@@ -188,26 +268,76 @@ spec:
       containers:
         - name: ${deployId}-${env}-${suffix}
           image: ${containerImage}
-          imagePullPolicy: ${containerImage.startsWith('localhost/') ? 'Never' : 'IfNotPresent'}
+          imagePullPolicy: ${imagePullPolicy ? imagePullPolicy : containerImage.startsWith('localhost/') ? 'Never' : 'IfNotPresent'}
           envFrom:
             - secretRef:
                 name: underpost-config
 ${
-  resources
-    ? `          resources:
+  internalStatusPort
+    ? `          env:
+            - name: UNDERPOST_INTERNAL_PORT
+              value: "${internalStatusPort}"
+`
+    : ''
+}${
+        containerPort
+          ? `          ports:
+            - containerPort: ${containerPort}
+`
+          : ''
+      }${
+        resources
+          ? `          resources:
             requests:
               memory: "${resources.requests.memory}"
               cpu: "${resources.requests.cpu}"
             limits:
               memory: "${resources.limits.memory}"
               cpu: "${resources.limits.cpu}"`
-    : ''
-}
+          : ''
+      }
           command:
             - /bin/sh
             - -c
             - >
               ${cmd.join(' &&\n              ')}
+${
+  readinessProbe
+    ? `          readinessProbe:
+${JSON.stringify(readinessProbe, null, 2)
+  .split('\n')
+  .map((l) => '            ' + l)
+  .join('\n')}
+`
+    : ''
+}${
+        livenessProbe
+          ? `          livenessProbe:
+${JSON.stringify(livenessProbe, null, 2)
+  .split('\n')
+  .map((l) => '            ' + l)
+  .join('\n')}
+`
+          : ''
+      }${
+        startupProbe
+          ? `          startupProbe:
+${JSON.stringify(startupProbe, null, 2)
+  .split('\n')
+  .map((l) => '            ' + l)
+  .join('\n')}
+`
+          : ''
+      }${
+        lifecycle
+          ? `          lifecycle:
+${JSON.stringify(lifecycle, null, 2)
+  .split('\n')
+  .map((l) => '            ' + l)
+  .join('\n')}
+`
+          : ''
+      }
 
 ${
   volumes.length > 0
@@ -237,17 +367,22 @@ spec:
      * @param {object} options - Options for the manifest build process.
      * @param {string} options.replicas - Number of replicas for each deployment.
      * @param {string} options.image - Docker image for the deployment.
-     * @param {string} options.namespace - Kubernetes namespace for the deployment.
+     * @param {string} options.namespace - Kubernetes namespace for the deployment (defaults to "default").
      * @param {string} [options.versions] - Comma-separated list of versions to deploy.
      * @param {string} [options.cmd] - Custom initialization command for deploymentYamlPartsFactory (comma-separated commands).
-     * @param {string} [options.timeoutResponse] - Timeout response setting for the deployment.
-     * @param {string} [options.timeoutIdle] - Timeout idle setting for the deployment.
-     * @param {string} [options.retryCount] - Retry count setting for the deployment.
-     * @param {string} [options.retryPerTryTimeout] - Retry per-try timeout setting for the deployment.
-     * @param {boolean} [options.disableDeploymentProxy] - Whether to disable deployment proxy.
-     * @param {string} [options.traffic] - Traffic status for the deployment.
-     * @param {boolean} [options.skipFullBuild] - Whether to skip the full client bundle build; forwarded to deploymentYamlPartsFactory to generate a pull-bundle startup command.
+     * @param {string} [options.timeoutResponse] - HTTPProxy per-route response timeout (e.g. "300000ms", "infinity").
+     * @param {string} [options.timeoutIdle] - HTTPProxy per-route idle timeout (e.g. "10s", "infinity").
+     * @param {string} [options.retryCount] - HTTPProxy per-route retry count (e.g. 3).
+     * @param {string} [options.retryPerTryTimeout] - HTTPProxy per-route per-try timeout (e.g. "150ms").
+     * @param {boolean} [options.disableDeploymentProxy] - Whether to disable deployment proxy route generation.
+     * @param {string} [options.traffic] - Comma-separated active traffic colour(s) used to select which versions receive traffic (e.g. "blue", "green").
+     * @param {boolean} [options.cert] - Whether to include cert-manager Certificate resources in secret.yaml (production only).
+     * @param {boolean} [options.selfSigned] - Whether to include TLS block in HTTPProxy using a pre-created self-signed secret. Enables HTTPS for development without cert-manager.
+     * @param {boolean} [options.skipFullBuild] - Whether to skip the full client bundle build; forwarded to deploymentYamlPartsFactory.
      * @param {boolean} [options.pullBundle] - Whether to pull the pre-built client bundle from Cloudinary; forwarded to deploymentYamlPartsFactory. Use together with skipFullBuild.
+     * @param {string} [options.imagePullPolicy] - Container imagePullPolicy override (`Always`, `IfNotPresent`, `Never`); forwarded to deploymentYamlPartsFactory. Defaults to `Never` for `localhost/` images and `IfNotPresent` otherwise.
+     * @param {boolean} [options.disableRuntimeProbes] - Omit internal-status HTTP probes from generated manifests. When true no readiness/liveness/startup probes are emitted.
+     * @param {boolean} [options.tcpProbes] - Emit legacy TCP socket probes instead of HTTP internal-status probes (migration path).
      * @returns {Promise<void>} - Promise that resolves when the manifest is built.
      * @memberof UnderpostDeploy
      */
@@ -272,6 +407,17 @@ spec:
 
         logger.info('port range', { deployId, fromPort, toPort });
 
+        // The internal status endpoint binds `fromPort - 1`: app instances bind
+        // the router range starting at `fromPort`, so this slot is always free
+        // inside the pod. It is injected into the pod env (UNDERPOST_INTERNAL_PORT)
+        // and used for both the probes and the monitor's port-forward target so
+        // all three agree regardless of the image's ambient PORT.
+        // Opt out with `--disable-runtime-probes` to keep legacy probe-less pods.
+        const internalPort = fromPort - 1;
+        const probes = options.disableRuntimeProbes
+          ? {}
+          : Underpost.deploy.runtimeProbesFactory({ port: internalPort, useHttp: !options.tcpProbes });
+
         let deploymentYamlParts = '';
         for (const deploymentVersion of deploymentVersions) {
           deploymentYamlParts += `---
@@ -286,6 +432,11 @@ ${Underpost.deploy
     cmd: options.cmd ? options.cmd.split(',').map((c) => c.trim()) : undefined,
     skipFullBuild: options.skipFullBuild,
     pullBundle: options.pullBundle,
+    imagePullPolicy: options.imagePullPolicy,
+    internalStatusPort: options.disableRuntimeProbes ? undefined : internalPort,
+    readinessProbe: probes.readinessProbe,
+    livenessProbe: probes.livenessProbe,
+    startupProbe: probes.startupProbe,
   })
   .replace('{{ports}}', buildKindPorts(fromPort, toPort))}
 `;
@@ -328,7 +479,7 @@ ${Underpost.deploy
           : [];
 
         for (const host of Object.keys(confServer)) {
-          if (env === 'production')
+          if (env === 'production' && options.cert === true)
             secretYaml += Underpost.deploy.buildCertManagerCertificate({ host, namespace: options.namespace });
 
           const pathPortAssignment = pathPortAssignmentData[host];
@@ -509,10 +660,15 @@ spec:
       const hostTest = options?.hostTest
         ? options.hostTest
         : Object.keys(loadConfServerJson(`./engine-private/conf/${deployId}/conf.server.json`))[0];
+      // Missing HTTPProxy is the canonical "no traffic colour set yet" state
+      // for blue/green rollouts. silentOnError swallows kubectl's NotFound
+      // exit so the function can return null cleanly.
       const info = shellExec(`sudo kubectl get HTTPProxy/${hostTest} -n ${options.namespace} -o yaml`, {
         silent: true,
         stdout: true,
+        silentOnError: true,
       });
+      if (!info) return null;
       return info.match('blue') ? 'blue' : info.match('green') ? 'green' : null;
     },
 
@@ -526,6 +682,7 @@ spec:
      * @memberof UnderpostDeploy
      */
     baseProxyYamlFactory({ host, env, options }) {
+      const includeTls = env !== 'development' || options.selfSigned === true;
       return `
 ---
 apiVersion: projectcontour.io/v1
@@ -536,11 +693,11 @@ metadata:
 spec:
   virtualhost:
     fqdn: ${host}${
-      env === 'development'
-        ? ''
-        : `
+      includeTls
+        ? `
     tls:
       secretName: ${host}`
+        : ''
     }
   routes:`;
     },
@@ -556,36 +713,41 @@ spec:
      * @param {boolean} options.buildManifest - Whether to build the deployment manifest.
      * @param {boolean} options.infoUtil - Whether to display utility information.
      * @param {boolean} options.expose - Whether to expose the deployment.
-     * @param {boolean} options.cert - Whether to create certificates for the deployment.
-     * @param {string} options.certHosts - Comma-separated list of hosts for which to create certificates.
+     * @param {boolean} options.cert - Whether to create cert-manager Certificate resources for the deployment.
+     * @param {string} options.certHosts - Comma-separated list of hosts for which to create cert-manager certificates.
+     * @param {boolean} options.selfSigned - Use a pre-created self-signed TLS secret instead of cert-manager. The secret must already exist in the namespace with the same name as the host. Enables TLS in the Contour HTTPProxy virtualhost without requiring a production ClusterIssuer.
      * @param {string} options.versions - Comma-separated list of versions to deploy.
      * @param {string} options.image - Docker image for the deployment.
      * @param {string} options.traffic - Traffic status for the deployment.
      * @param {string} options.replicas - Number of replicas for the deployment.
      * @param {string} options.node - Node name for resource allocation.
-     * @param {boolean} options.restoreHosts - Whether to restore the hosts file.
      * @param {boolean} options.disableUpdateDeployment - Whether to disable deployment updates.
      * @param {boolean} options.disableUpdateProxy - Whether to disable proxy updates.
      * @param {boolean} options.disableDeploymentProxy - Whether to disable deployment proxy.
      * @param {boolean} options.disableUpdateVolume - Whether to disable volume updates.
      * @param {boolean} options.status - Whether to display deployment status.
-     * @param {boolean} options.etcHosts - Whether to display the /etc/hosts file.
      * @param {boolean} options.disableUpdateUnderpostConfig - Whether to disable Underpost config updates.
-     * @param {string} [options.namespace] - Kubernetes namespace for the deployment.
-     * @param {string} [options.timeoutResponse] - Timeout response setting for the deployment.
-     * @param {string} [options.timeoutIdle] - Timeout idle setting for the deployment.
-     * @param {string} [options.retryCount] - Retry count setting for the deployment.
-     * @param {string} [options.retryPerTryTimeout] - Retry per-try timeout setting for the deployment.
-     * @param {string} [options.kindType] - Type of Kubernetes resource to retrieve information for.
-     * @param {number} [options.port] - Port number for exposing the deployment.
-     * @param {string} [options.cmd] - Custom initialization command for deploymentYamlPartsFactory (comma-separated commands).
-     * @param {number} [options.exposePort] - Local:remote port override when --expose is active (overrides auto-detected service port).
+     * @param {string} [options.namespace] - Kubernetes namespace for the deployment (defaults to "default").
+     * @param {string} [options.timeoutResponse] - HTTPProxy per-route response timeout (e.g. "300000ms", "infinity").
+     * @param {string} [options.timeoutIdle] - HTTPProxy per-route idle timeout (e.g. "10s", "infinity").
+     * @param {string} [options.retryCount] - HTTPProxy per-route retry count (e.g. 3).
+     * @param {string} [options.retryPerTryTimeout] - HTTPProxy per-route per-try timeout (e.g. "150ms").
+     * @param {string} [options.kindType] - Kubernetes resource kind to target when using --expose (defaults to "svc").
+     * @param {number} [options.port] - Port number override for exposing the deployment.
+     * @param {string} [options.cmd] - Custom initialization command (comma-separated) for deploymentYamlPartsFactory.
+     * @param {number} [options.exposePort] - Remote port override when --expose is active (overrides auto-detected service port). Used as both local and remote port unless exposeLocalPort is also set.
+     * @param {number} [options.exposeLocalPort] - Local port override for --expose (e.g. 80); remote port is still auto-detected. Enables /etc/hosts access without a port in the browser URL.
+     * @param {boolean} [options.localProxy] - When true (with --expose), forward all service TCP ports locally and start the Node.js path-routing proxy for full path-based routing (e.g. /wp alongside /).
+     * @param {boolean} [options.tls] - When true (with --expose --local-proxy), start the proxy on port 443 with TLS using self-signed certificates resolved from the local SSL store.
      * @param {boolean} [options.k3s] - Whether to use k3s cluster context.
      * @param {boolean} [options.kubeadm] - Whether to use kubeadm cluster context.
      * @param {boolean} [options.kind] - Whether to use kind cluster context.
      * @param {boolean} [options.gitClean] - Whether to run git clean on volume mount paths before copying.
      * @param {boolean} [options.skipFullBuild] - Whether to skip the full client bundle build; passed through to buildManifest/deploymentYamlPartsFactory.
      * @param {boolean} [options.pullBundle] - Whether to pull the pre-built client bundle from Cloudinary; passed through to buildManifest/deploymentYamlPartsFactory. Use together with skipFullBuild.
+     * @param {string} [options.imagePullPolicy] - Container imagePullPolicy override (`Always`, `IfNotPresent`, `Never`); passed through to buildManifest/deploymentYamlPartsFactory. Defaults to `Never` for `localhost/` images and `IfNotPresent` otherwise.
+     * @param {boolean} [options.disableRuntimeProbes] - Omit internal-status HTTP probes from generated manifests. When true no readiness/liveness/startup probes are emitted.
+     * @param {boolean} [options.tcpProbes] - Emit legacy TCP socket probes instead of HTTP internal-status probes.
      * @returns {Promise<void>} - Promise that resolves when the deployment process is complete.
      * @memberof UnderpostDeploy
      */
@@ -606,13 +768,11 @@ spec:
         traffic: '',
         replicas: '',
         node: '',
-        restoreHosts: false,
         disableUpdateDeployment: false,
         disableUpdateProxy: false,
         disableDeploymentProxy: false,
         disableUpdateVolume: false,
         status: false,
-        etcHosts: false,
         disableUpdateUnderpostConfig: false,
         namespace: '',
         timeoutResponse: '',
@@ -622,11 +782,16 @@ spec:
         kindType: '',
         port: 0,
         exposePort: 0,
+        exposeLocalPort: 0,
+        localProxy: false,
+        tls: false,
+        selfSigned: false,
         cmd: '',
         k3s: false,
         kubeadm: false,
         kind: false,
         gitClean: false,
+        imagePullPolicy: '',
       },
     ) {
       const namespace = options.namespace ? options.namespace : 'default';
@@ -695,14 +860,6 @@ EOF`);
         return;
       }
       if (!options.disableUpdateUnderpostConfig) Underpost.deploy.configMap(env);
-      let renderHosts = '';
-      let etcHosts = [];
-      if (options.restoreHosts === true) {
-        const factoryResult = Underpost.deploy.etcHostFactory(etcHosts);
-        renderHosts = factoryResult.renderHosts;
-        logger.info(renderHosts);
-        return;
-      }
 
       for (const _deployId of deployList.split(',')) {
         const deployId = _deployId.trim();
@@ -710,20 +867,54 @@ EOF`);
         if (options.expose === true) {
           const kindType = options.kindType ? options.kindType : 'svc';
           const svc = Underpost.kubectl.get(deployId, kindType)[0];
-          const port = options.exposePort
-            ? parseInt(options.exposePort)
-            : options.port
-              ? parseInt(options.port)
-              : kindType !== 'svc'
-                ? 80
-                : parseInt(svc[`PORT(S)`].split('/TCP')[0]);
-          logger.info(deployId, {
-            svc,
-            port,
-          });
-          shellExec(`sudo kubectl port-forward -n ${namespace} ${kindType}/${svc.NAME} ${port}:${port}`, {
-            async: true,
-          });
+          if (!svc) {
+            logger.error(`No ${kindType} found matching '${deployId}', skipping expose`);
+            continue;
+          }
+          if (options.localProxy) {
+            const svcPorts = [
+              ...new Set(
+                svc['PORT(S)']
+                  .split(',')
+                  .filter((p) => p.includes('/TCP'))
+                  .map((p) => parseInt(p.split(':')[0])),
+              ),
+            ];
+            for (const svcPort of svcPorts) {
+              shellExec(`sudo kubectl port-forward -n ${namespace} ${kindType}/${svc.NAME} ${svcPort}:${svcPort}`, {
+                async: true,
+              });
+            }
+            const envFile = `./engine-private/conf/${deployId}/.env.${env}`;
+            let basePort = svcPorts[0] - 1;
+            if (fs.existsSync(envFile)) {
+              const portMatch = fs.readFileSync(envFile, 'utf8').match(/^PORT=(\d+)/m);
+              if (portMatch) basePort = parseInt(portMatch[1]);
+            }
+            logger.info(deployId, { svc, svcPorts, basePort });
+            const tlsFlag = options.tls ? ' tls' : '';
+            shellExec(
+              `NODE_ENV=${env} PORT=${basePort} DEV_PROXY_PORT_OFFSET=0 node src/proxy proxy ${deployId} ${env}${tlsFlag}`,
+              { async: true },
+            );
+          } else {
+            const remotePort = options.exposePort
+              ? parseInt(options.exposePort)
+              : options.port
+                ? parseInt(options.port)
+                : kindType !== 'svc'
+                  ? 80
+                  : parseInt(svc[`PORT(S)`].split('/TCP')[0]);
+            const localPort = options.exposeLocalPort ? parseInt(options.exposeLocalPort) : remotePort;
+            logger.info(deployId, {
+              svc,
+              localPort,
+              remotePort,
+            });
+            shellExec(`sudo kubectl port-forward -n ${namespace} ${kindType}/${svc.NAME} ${localPort}:${remotePort}`, {
+              async: true,
+            });
+          }
           continue;
         }
 
@@ -759,7 +950,6 @@ EOF`);
             if (Underpost.deploy.isValidTLSContext({ host, env, options }))
               shellExec(`sudo kubectl delete Certificate ${host} -n ${namespace} --ignore-not-found`);
           }
-          if (!options.remove) etcHosts.push(host);
         }
 
         const manifestsPath =
@@ -776,56 +966,13 @@ EOF`);
           if (!options.disableUpdateProxy)
             shellExec(`sudo kubectl apply -f ./${manifestsPath}/proxy.yaml -n ${namespace}`);
 
-          if (Underpost.deploy.isValidTLSContext({ host: Object.keys(confServer)[0], env, options }))
+          if (
+            Underpost.deploy.isValidTLSContext({ host: Object.keys(confServer)[0], env, options }) &&
+            !options.selfSigned
+          )
             shellExec(`sudo kubectl apply -f ./${manifestsPath}/secret.yaml -n ${namespace}`);
         }
       }
-      if (options.etcHosts === true) {
-        const factoryResult = Underpost.deploy.etcHostFactory(etcHosts);
-        renderHosts = factoryResult.renderHosts;
-      }
-      if (renderHosts)
-        logger.info(
-          `
-` + renderHosts,
-        );
-    },
-    /**
-     * Checks the status of a deployment.
-     * @param {string} deployId - Deployment ID for which the status is being checked.
-     * @param {string} env - Environment for which the status is being checked.
-     * @param {string} traffic - Current traffic status for the deployment.
-     * @param {Array<string>} ignoresNames - List of pod names to ignore.
-     * @param {string} [namespace='default'] - Kubernetes namespace for the deployment.
-     * @returns {object} - Object containing the status of the deployment.
-     * @memberof UnderpostDeploy
-     */
-    async checkDeploymentReadyStatus(deployId, env, traffic, ignoresNames = [], namespace = 'default') {
-      const cmd = `underpost config get container-status`;
-      const pods = Underpost.kubectl.get(`${deployId}-${env}-${traffic}`, 'pods', namespace);
-      const readyPods = [];
-      const notReadyPods = [];
-      for (const pod of pods) {
-        const { NAME } = pod;
-        if (ignoresNames && ignoresNames.find((t) => NAME.trim().toLowerCase().match(t.trim().toLowerCase()))) continue;
-        const out = await new Promise((resolve) => {
-          shellExec(`sudo kubectl exec -i ${NAME} -n ${namespace} -- sh -c "${cmd}"`, {
-            silent: true,
-            disableLog: true,
-            callback: function (code, stdout, stderr) {
-              return resolve(JSON.stringify({ code, stdout, stderr }));
-            },
-          });
-        });
-        pod.out = out;
-        const ready = out.match(`${deployId}-${env}-running-deployment`);
-        ready ? readyPods.push(pod) : notReadyPods.push(pod);
-      }
-      return {
-        ready: pods.length > 0 && notReadyPods.length === 0,
-        notReadyPods,
-        readyPods,
-      };
     },
     /**
      * Creates a Kubernetes Secret for a deployment (replaces configMap for secret data).
@@ -853,6 +1000,7 @@ EOF`);
      * @param {string} options.timeoutIdle - Timeout idle setting for the deployment.
      * @param {string} options.retryCount - Retry count setting for the deployment.
      * @param {string} options.retryPerTryTimeout - Retry per-try timeout setting for the deployment.
+     * @param {string} [options.imagePullPolicy] - Container imagePullPolicy override; forwarded to the manifest rebuild triggered here.
      * @memberof UnderpostDeploy
      */
     switchTraffic(
@@ -866,12 +1014,14 @@ EOF`);
         timeoutIdle: '',
         retryCount: '',
         retryPerTryTimeout: '',
+        imagePullPolicy: '',
       },
     ) {
       const timeoutFlags = Underpost.deploy.timeoutFlagsFactory(options);
+      const imagePullPolicyFlag = options.imagePullPolicy ? ` --image-pull-policy ${options.imagePullPolicy}` : '';
 
       shellExec(
-        `node bin deploy --info-router --build-manifest --traffic ${targetTraffic} --replicas ${replicas} --namespace ${namespace}${timeoutFlags} ${deployId} ${env}`,
+        `node bin deploy --info-router --build-manifest --traffic ${targetTraffic} --replicas ${replicas} --namespace ${namespace}${timeoutFlags}${imagePullPolicyFlag} ${deployId} ${env}`,
       );
 
       shellExec(`sudo kubectl apply -f ./engine-private/conf/${deployId}/build/${env}/proxy.yaml -n ${namespace}`);
@@ -922,15 +1072,12 @@ EOF`);
       if (options.gitClean && volume.volumeMountPath) {
         Underpost.repo.clean({ paths: [volume.volumeMountPath] });
       }
-      if (options.nodeName) {
-        if (!fs.existsSync(rootVolumeHostPath)) fs.mkdirSync(rootVolumeHostPath, { recursive: true });
-        fs.copySync(volume.volumeMountPath, rootVolumeHostPath);
-      } else if (clusterContext === 'kind') {
-        shellExec(`docker exec -i kind-worker bash -c "mkdir -p ${rootVolumeHostPath}"`);
-        // shellExec(`docker cp ${volume.volumeMountPath} kind-worker:${rootVolumeHostPath}`);
-        shellExec(`tar -C ${volume.volumeMountPath} -c . | docker cp - kind-worker:${rootVolumeHostPath}`);
+      if (clusterContext === 'kind') {
+        const kindNode = options.nodeName || 'kind-worker';
+        shellExec(`docker exec -i ${kindNode} bash -c "mkdir -p ${rootVolumeHostPath}"`);
+        shellExec(`tar -C ${volume.volumeMountPath} -c . | docker cp - ${kindNode}:${rootVolumeHostPath}`);
         shellExec(
-          `docker exec -i kind-worker bash -c "chown -R 1000:1000 ${rootVolumeHostPath}; chmod -R 755 ${rootVolumeHostPath}"`,
+          `docker exec -i ${kindNode} bash -c "chown -R 1000:1000 ${rootVolumeHostPath}; chmod -R 755 ${rootVolumeHostPath}"`,
         );
       } else {
         if (!fs.existsSync(rootVolumeHostPath)) fs.mkdirSync(rootVolumeHostPath, { recursive: true });
@@ -1070,42 +1217,6 @@ spec:
       storage: 5Gi`;
     },
 
-    /**
-     * Creates a hosts file for a deployment.
-     * @param {Array<string>} hosts - List of hosts to be added to the hosts file.
-     * @param {object} options - Options for the hosts file creation.
-     * @param {boolean} options.append - Whether to append to the existing hosts file.
-     * @returns {object} - Object containing the rendered hosts file.
-     * @memberof UnderpostDeploy
-     */
-    etcHostFactory(hosts = [], options = { append: false }) {
-      hosts = hosts.map((host) => {
-        try {
-          if (!host.startsWith('http')) host = `http://${host}`;
-          const hostname = new URL(host).hostname;
-          logger.info('Hostname extract valid', { host, hostname });
-          return hostname;
-        } catch (e) {
-          logger.warn('No hostname extract valid', host);
-          return host;
-        }
-      });
-      const renderHosts = `127.0.0.1         ${hosts.join(
-        ' ',
-      )} localhost localhost.localdomain localhost4 localhost4.localdomain4
-::1         localhost localhost.localdomain localhost6 localhost6.localdomain6`;
-
-      if (options && options.append && fs.existsSync(`/etc/hosts`)) {
-        fs.writeFileSync(
-          `/etc/hosts`,
-          fs.readFileSync(`/etc/hosts`, 'utf8') +
-            `
-${renderHosts}`,
-          'utf8',
-        );
-      } else fs.writeFileSync(`/etc/hosts`, renderHosts, 'utf8');
-      return { renderHosts };
-    },
     /**
      * Checks if a TLS context is valid.
      * @param {object} options - Options for the check.
@@ -1116,152 +1227,10 @@ ${renderHosts}`,
      * @memberof UnderpostDeploy
      */
     isValidTLSContext: ({ host, env, options }) =>
-      env === 'production' &&
-      options.cert === true &&
-      (!options.certHosts || options.certHosts.split(',').includes(host)),
-
-    /**
-     * Monitors the ready status of a deployment.
-     * @param {string} deployId - Deployment ID for which the ready status is being monitored.
-     * @param {string} env - Environment for which the ready status is being monitored.
-     * @param {string} targetTraffic - Target traffic status for the deployment.
-     * @param {Array<string>} ignorePods - List of pod names to ignore.
-     * @param {string} [namespace='default'] - Kubernetes namespace for the deployment.
-     * @returns {object} - Object containing the ready status of the deployment.
-     * @memberof UnderpostDeploy
-     */
-    async monitorReadyRunner(deployId, env, targetTraffic, ignorePods = [], namespace = 'default') {
-      let checkStatusIteration = 0;
-      const checkStatusIterationMsDelay = 1000;
-      const maxIterations = 3000;
-      const deploymentId = `${deployId}-${env}-${targetTraffic}`;
-      const iteratorTag = `[${deploymentId}]`;
-      logger.info('Deployment init', { deployId, env, targetTraffic, checkStatusIterationMsDelay, namespace });
-      const minReadyOk = 3;
-      let readyOk = 0;
-      let result = {
-        ready: false,
-        notReadyPods: [],
-        readyPods: [],
-      };
-      let lastMsg = {};
-      while (readyOk < minReadyOk) {
-        if (checkStatusIteration >= maxIterations) {
-          logger.error(
-            `${iteratorTag} | Deployment check ready status timeout. Max iterations reached: ${maxIterations}`,
-          );
-          break;
-        }
-        result = await Underpost.deploy.checkDeploymentReadyStatus(deployId, env, targetTraffic, ignorePods, namespace);
-        if (result.ready === true) {
-          readyOk++;
-          logger.info(`${iteratorTag} | Deployment ready. Verification number: ${readyOk}`);
-          for (const pod of result.readyPods) {
-            const { NAME } = pod;
-            lastMsg[NAME] = 'Deployment ready';
-            console.log(
-              'Target pod:',
-              NAME[NAME.match('green') ? 'bgGreen' : 'bgBlue'].bold.black,
-              '| Status:',
-              lastMsg[NAME].bold.magenta,
-            );
-          }
-        }
-
-        {
-          let indexOf = -1;
-          for (const pod of result.notReadyPods) {
-            indexOf++;
-            const { NAME, out } = pod;
-
-            if (out.match('not') && out.match('found') && checkStatusIteration <= 20 && out.match(deploymentId))
-              lastMsg[NAME] = 'Starting deployment';
-            // else if (out.match('not') && out.match('found') && checkStatusIteration <= 20 && out.match('underpost'))
-            //   lastMsg[NAME] = 'Installing underpost cli';
-            else if (out.match('not') && out.match('found') && checkStatusIteration <= 20 && out.match('task'))
-              lastMsg[NAME] = 'Initializing setup task';
-            else if (out.match('Empty environment variables')) lastMsg[NAME] = 'Setup environment';
-            else if (out.match(`${deployId}-${env}-build-deployment`)) lastMsg[NAME] = 'Building apps/services';
-            else if (out.match(`${deployId}-${env}-initializing-deployment`))
-              lastMsg[NAME] = 'Initializing apps/services';
-            else if (!lastMsg[NAME]) lastMsg[NAME] = `Waiting for status`;
-
-            console.log(
-              'Target pod:',
-              NAME[NAME.match('green') ? 'bgGreen' : 'bgBlue'].bold.black,
-              '| Status:',
-              lastMsg[NAME].bold.magenta,
-            );
-          }
-        }
-        await timer(checkStatusIterationMsDelay);
-        checkStatusIteration++;
-        logger.info(
-          `${iteratorTag} | Deployment in progress... | Delay number monitor iterations: ${checkStatusIteration}`,
-        );
-      }
-      logger.info(
-        `${iteratorTag} | Deployment ready. | Total delay number monitor iterations: ${checkStatusIteration}`,
-      );
-      return result;
-    },
-
-    /**
-     * Retrieves the currently loaded images in the Kubernetes cluster.
-     * @param {string} [node='kind-worker'] - Node name to check for loaded images.
-     * @param {object} options - Options for the image retrieval.
-     * @param {boolean} options.spec - Whether to retrieve images from the pod specifications.
-     * @param {string} options.namespace - Kubernetes namespace to filter pods.
-     * @returns {Array<object>} - Array of objects containing pod names and their corresponding images.
-     * @memberof UnderpostDeploy
-     */
-    getCurrentLoadedImages(node = 'kind-worker', options = { spec: false, namespace: '' }) {
-      if (options.spec) {
-        const raw = shellExec(
-          `kubectl get pods ${options.namespace ? `--namespace ${options.namespace}` : `--all-namespaces`} -o=jsonpath='{range .items[*]}{"\\n"}{.metadata.namespace}{"/"}{.metadata.name}{":\\t"}{range .spec.containers[*]}{.image}{", "}{end}{end}'`,
-          {
-            stdout: true,
-            silent: true,
-          },
-        );
-        return raw
-          .split(`\n`)
-          .map((lines) => ({
-            pod: lines.split('\t')[0].replaceAll(':', '').trim(),
-            image: lines.split('\t')[1] ? lines.split('\t')[1].replaceAll(',', '').trim() : null,
-          }))
-          .filter((o) => o.image);
-      }
-      const raw = shellExec(node === 'kind-worker' ? `docker exec -i ${node} crictl images` : `crictl images`, {
-        stdout: true,
-        silent: true,
-      });
-
-      const heads = raw
-        .split(`\n`)[0]
-        .split(' ')
-        .filter((_r) => _r.trim());
-
-      const pods = raw
-        .split(`\n`)
-        .filter((r) => !r.match('IMAGE'))
-        .map((r) => r.split(' ').filter((_r) => _r.trim()));
-
-      const result = [];
-
-      for (const row of pods) {
-        if (row.length === 0) continue;
-        const pod = {};
-        let index = -1;
-        for (const head of heads) {
-          if (head in pod) continue;
-          index++;
-          pod[head] = row[index];
-        }
-        result.push(pod);
-      }
-      return result;
-    },
+      (env === 'production' &&
+        options.cert === true &&
+        (!options.certHosts || options.certHosts.split(',').includes(host))) ||
+      options.selfSigned === true,
 
     /**
      * Predefined resource templates for Kubernetes deployments.
@@ -1363,6 +1332,34 @@ ${renderHosts}`,
       return undefined;
     },
 
+    /**
+     * Extracts a non-standard `imagePullPolicy` key from an env-resolved
+     * instance lifecycle block (the convention used in `conf.instances.json`,
+     * where `imagePullPolicy` sits alongside `postStart`/`preStop` for
+     * per-instance ergonomics) and returns a clean lifecycle hash that is
+     * safe to splice into the K8S container spec.
+     *
+     * Returns `{ lifecycle, imagePullPolicy }`:
+     *   - `lifecycle` — the input minus `imagePullPolicy`, or `undefined` when
+     *     the resulting block is empty.
+     *   - `imagePullPolicy` — the extracted value, or `undefined` if absent.
+     *
+     * @param {object|undefined} lifecycle - Env-resolved lifecycle block
+     *   (already passed through pickEnv). May be `undefined`.
+     * @returns {{ lifecycle: (object|undefined), imagePullPolicy: (string|undefined) }}
+     * @memberof UnderpostDeploy
+     */
+    extractInstanceImagePullPolicy(lifecycle) {
+      if (!lifecycle || typeof lifecycle !== 'object' || !('imagePullPolicy' in lifecycle)) {
+        return { lifecycle, imagePullPolicy: undefined };
+      }
+      const { imagePullPolicy, ...rest } = lifecycle;
+      return {
+        lifecycle: Object.keys(rest).length > 0 ? rest : undefined,
+        imagePullPolicy,
+      };
+    },
+
     /**
      * Generates timeout flags string for deployment commands.
      * @param {object} options - Options containing timeout settings.