cyberia 3.2.9 → 3.2.22

package/src/cli/env.js

@@ -95,10 +95,7 @@ class UnderpostRootEnv {
     get(key, value, options = { plain: false, disableLog: false, copy: false }) {
       const exeRootPath = `${getNpmRootPath()}/underpost`;
       const envPath = `${exeRootPath}/.env`;
-      if (!fs.existsSync(envPath) || !fs.statSync(envPath).isFile()) {
-        logger.warn(`Empty environment variables`);
-        return undefined;
-      }
+      if (!fs.existsSync(envPath) || !fs.statSync(envPath).isFile()) return undefined;
       const env = dotenv.parse(fs.readFileSync(envPath, 'utf8'));
       if (!options.disableLog)
         options?.plain === true ? console.log(env[key]) : logger.info(`${key}(${typeof env[key]})`, env[key]);

package/src/cli/fs.js

@@ -127,7 +127,11 @@ class UnderpostFileStorage {
         if (options.git === true) {
           const gitPath = hasPathFilter ? basePath : '.';
           shellExec(`cd ${gitPath} && git add .`);
-          shellExec(`underpost cmt ${gitPath} feat`);
+          shellExec(`underpost cmt ${gitPath} feat`, {
+            silentOnError: true,
+            silent: true,
+            disableLog: true,
+          });
         }
 
         return;
@@ -154,7 +158,9 @@ class UnderpostFileStorage {
         // For bundle pulls into ./build the git step is unwanted and would error on a non-repo path.
         if (options.git === true) {
           Underpost.repo.initLocalRepo({ path });
-          shellExec(`cd ${path} && git add . && git commit -m "Base pull state"`);
+          shellExec(`cd ${path} && git add . && git commit -m "Base pull state"`, {
+            silentOnError: true,
+          });
         }
       } else {
         const files =
@@ -173,7 +179,11 @@ class UnderpostFileStorage {
       Underpost.fs.writeStorageConf(storage, storageConf);
       if (options.git === true) {
         shellExec(`cd ${path} && git add .`);
-        shellExec(`underpost cmt ${path} feat`);
+        shellExec(`underpost cmt ${path} feat`, {
+          silentOnError: true,
+          silent: true,
+          disableLog: true,
+        });
       }
     },
     /**

package/src/cli/image.js

@@ -122,6 +122,63 @@ class UnderpostImage {
       else if (kubeadm === true) shellExec(`sudo ctr -n k8s.io images import ${tarFile}`);
       else if (k3s === true) shellExec(`sudo k3s ctr images import ${tarFile}`);
     },
+    /**
+     * @method getCurrentLoaded
+     * @description Retrieves the currently loaded images in the Kubernetes cluster.
+     * @param {string} [node='kind-worker'] - Node name to check for loaded images.
+     * @param {object} options - Options for the image retrieval.
+     * @param {boolean} options.spec - Whether to retrieve images from the pod specifications.
+     * @param {string} options.namespace - Kubernetes namespace to filter pods.
+     * @returns {Array<object>} - Array of objects containing pod names and their corresponding images.
+     * @memberof UnderpostImage
+     */
+    getCurrentLoaded(node = 'kind-worker', options = { spec: false, namespace: '' }) {
+      if (options.spec) {
+        const raw = shellExec(
+          `kubectl get pods ${options.namespace ? `--namespace ${options.namespace}` : `--all-namespaces`} -o=jsonpath='{range .items[*]}{"\\n"}{.metadata.namespace}{"/"}{.metadata.name}{":\\t"}{range .spec.containers[*]}{.image}{", "}{end}{end}'`,
+          {
+            stdout: true,
+            silent: true,
+          },
+        );
+        return raw
+          .split(`\n`)
+          .map((lines) => ({
+            pod: lines.split('\t')[0].replaceAll(':', '').trim(),
+            image: lines.split('\t')[1] ? lines.split('\t')[1].replaceAll(',', '').trim() : null,
+          }))
+          .filter((o) => o.image);
+      }
+      const raw = shellExec(node === 'kind-worker' ? `docker exec -i ${node} crictl images` : `crictl images`, {
+        stdout: true,
+        silent: true,
+      });
+
+      const heads = raw
+        .split(`\n`)[0]
+        .split(' ')
+        .filter((_r) => _r.trim());
+
+      const pods = raw
+        .split(`\n`)
+        .filter((r) => !r.match('IMAGE'))
+        .map((r) => r.split(' ').filter((_r) => _r.trim()));
+
+      const result = [];
+
+      for (const row of pods) {
+        if (row.length === 0) continue;
+        const pod = {};
+        let index = -1;
+        for (const head of heads) {
+          if (head in pod) continue;
+          index++;
+          pod[head] = row[index];
+        }
+        result.push(pod);
+      }
+      return result;
+    },
     /**
      * @method list
      * @description Lists currently loaded Docker images in the specified Kubernetes cluster node.
@@ -139,10 +196,7 @@ class UnderpostImage {
     list(options = { nodeName: '', namespace: '', spec: false, log: false, k3s: false, kubeadm: false, kind: false }) {
       if ((options.kubeadm === true || options.k3s === true) && !options.nodeName)
         options.nodeName = shellExec('echo $HOSTNAME', { stdout: true, silent: true }).trim();
-      const list = Underpost.deploy.getCurrentLoadedImages(
-        options.nodeName ? options.nodeName : 'kind-worker',
-        options,
-      );
+      const list = Underpost.image.getCurrentLoaded(options.nodeName ? options.nodeName : 'kind-worker', options);
       if (options.log) console.table(list);
       return list;
     },

package/src/cli/index.js

@@ -70,6 +70,10 @@ program
     '--pull-bundle',
     'Downloads the pre-built client bundle from Cloudinary via pull-bundle before starting. Use together with --skip-full-build to skip the local build entirely.',
   )
+  .option(
+    '--private-test-repo',
+    'During --build, clone the private test source repo (engine-test-<id>) instead of the production engine-<id> repo.',
+  )
   .action(Underpost.start.callback)
   .description('Initiates application servers, build pipelines, or other defined services based on the deployment ID.');
 
@@ -124,6 +128,10 @@ program
     '--is-remote-repo <url-repo>',
     'Checks whether a remote Git repository URL is reachable. Prints true or false.',
   )
+  .option(
+    '--has-changes',
+    'Prints "1" if there are staged or unstaged git changes in the repository, empty string otherwise.',
+  )
   .description('Manages commits to a GitHub repository, supporting various commit types and options.')
   .action(Underpost.repo.commit);
 
@@ -242,15 +250,27 @@ program
   .command('cluster')
   .argument('[pod-name]', 'Optional: Filters information by a specific pod name.')
   .option('--reset', `Deletes all clusters and prunes all related data and caches.`)
+  .option(
+    '--reset-mongodb',
+    `Performs a hard cleanup of only MongoDB-related resources (StatefulSet, PVCs/PVs, Secrets, ConfigMaps, caches) without restarting the whole node.`,
+  )
   .option('--mariadb', 'Initializes the cluster with a MariaDB statefulset.')
   .option('--mysql', 'Initializes the cluster with a MySQL statefulset.')
   .option('--mongodb', 'Initializes the cluster with a MongoDB statefulset.')
-  .option('--mongo-db-host <host>', 'Set custom mongo db host')
+  .option('--service-host <host>', 'Set custom host/IP for exposed MongoDB and Valkey clients.')
   .option('--postgresql', 'Initializes the cluster with a PostgreSQL statefulset.')
   .option('--mongodb4', 'Initializes the cluster with a MongoDB 4.4 service.')
   .option('--valkey', 'Initializes the cluster with a Valkey service.')
   .option('--ipfs', 'Initializes the cluster with an ipfs-cluster statefulset.')
   .option('--contour', 'Initializes the cluster with Project Contour base HTTPProxy and Envoy.')
+  .option(
+    '--node-port',
+    'Exposes enabled ready services (e.g. MongoDB 4.4, Valkey) to the host/public network via their NodePort Service manifest.',
+  )
+  .option(
+    '--node-selector <k8s-node-name>',
+    'Pins the just-deployed StatefulSet (MongoDB 4.4 / Valkey) to the given Kubernetes node once it is ready (via a kubernetes.io/hostname nodeSelector).',
+  )
   .option('--cert-manager', "Initializes the cluster with a Let's Encrypt production ClusterIssuer.")
   .option('--dedicated-gpu', 'Initializes the cluster with dedicated GPU base resources and environment settings.')
   .option(
@@ -281,6 +301,10 @@ program
   .option('--k3s', 'Initializes the cluster using K3s (Lightweight Kubernetes).')
   .option('--hosts <hosts>', 'A comma-separated list of cluster hostnames or IP addresses.')
   .option('--remove-volume-host-paths', 'Removes specified volume host paths after execution.')
+  .option(
+    '--reset-mode <mode>',
+    'Reset mode for --reset --k3s: "drain" (stop services, keep K3s installed) or "full" (uninstall + cleanup). Default: "full".',
+  )
   .option('--namespace <namespace>', 'Kubernetes namespace for cluster operations (defaults to "default").')
   .option('--replicas <replicas>', 'Sets a custom number of replicas for statefulset deployments.')
   .action(Underpost.cluster.init)
@@ -299,6 +323,12 @@ program
   .option('--expose', 'Exposes services matching the provided deployment ID list.')
   .option('--cert', 'Resets TLS/SSL certificate secrets for deployments.')
   .option('--cert-hosts <hosts>', 'Resets TLS/SSL certificate secrets for specified hosts.')
+  .option(
+    '--self-signed',
+    'Use a pre-created self-signed TLS secret (kubernetes.io/tls) instead of cert-manager. ' +
+      'The secret must already exist in the namespace with the same name as the host. ' +
+      'Enables TLS in the Contour HTTPProxy virtualhost without requiring a production ClusterIssuer.',
+  )
   .option('--node <node>', 'Sets optional node for deployment operations.')
   .option(
     '--build-manifest',
@@ -316,6 +346,8 @@ program
   .option('--retry-count <count>', 'Sets HTTPProxy per-route retry count (e.g., 3).')
   .option('--retry-per-try-timeout <duration>', 'Sets HTTPProxy retry per-try timeout (e.g., "150ms").')
   .option('--disable-update-deployment', 'Disables updates to deployments.')
+  .option('--disable-runtime-probes', 'Omits the internal-status HTTP probes from generated deployment manifests.')
+  .option('--tcp-probes', 'Generates legacy TCP socket probes instead of HTTP internal-status probes (migration).')
   .option('--disable-update-proxy', 'Disables updates to proxies.')
   .option('--disable-deployment-proxy', 'Disables proxies of deployments.')
   .option('--disable-update-volume', 'Disables updates to volume mounts during deployment.')
@@ -327,8 +359,6 @@ program
   .option('--k3s', 'Enables the k3s context for deployment operations.')
   .option('--kind', 'Enables the kind context for deployment operations.')
   .option('--git-clean', 'Runs git clean on volume mount paths before copying.')
-  .option('--etc-hosts', 'Enables the etc-hosts context for deployment operations.')
-  .option('--restore-hosts', 'Restores default `/etc/hosts` entries.')
   .option('--disable-update-underpost-config', 'Disables updates to Underpost configuration during deployment.')
   .option('--namespace <namespace>', 'Kubernetes namespace for deployment operations (defaults to "default").')
   .option('--kind-type <kind-type>', 'Specifies the Kind cluster type for deployment operations.')
@@ -337,6 +367,14 @@ program
     '--expose-port <port>',
     'Sets the local:remote port to expose when --expose is active (overrides auto-detected service port).',
   )
+  .option(
+    '--expose-local-port <port>',
+    'Sets a different local port for --expose (e.g. 80) while keeping the remote service port. Useful for /etc/hosts local access without specifying a port in the browser.',
+  )
+  .option(
+    '--local-proxy',
+    'Forward all service TCP ports locally and start the Node.js path-routing proxy. Enables full path-based routing (e.g. /wp alongside /) without needing --expose-local-port. Requires --expose.',
+  )
   .option('--cmd <cmd>', 'Custom initialization command for deployment (comma-separated commands).')
   .option(
     '--skip-full-build',
@@ -346,6 +384,16 @@ program
     '--pull-bundle',
     'Explicitly pull the pre-built client bundle from Cloudinary inside the container. Use together with --skip-full-build.',
   )
+  .option(
+    '--image-pull-policy <policy>',
+    'Override container imagePullPolicy in the generated deployment manifest (Always, IfNotPresent, Never). Defaults to Never for localhost/ images and IfNotPresent otherwise.',
+  )
+  .option(
+    '--tls',
+    'Enables TLS for the local proxy started by --expose --local-proxy. ' +
+      'The proxy will serve HTTPS on port 443 using self-signed certificates resolved from the local SSL store. ' +
+      'Use together with --expose and --local-proxy.',
+  )
   .description('Manages application deployments, defaulting to deploying development pods.')
   .action(Underpost.deploy.callback);
 
@@ -682,13 +730,37 @@ program
     '--pull-bundle',
     'Explicitly download the pre-built client bundle from Cloudinary inside the container (supported by: sync, template-deploy). Use together with --skip-full-build.',
   )
+  .option('--remove', 'Remove/teardown resources')
+  .option(
+    '--test',
+    'Enables test/generic-purpose mode for the runner (e.g. use self-signed TLS instead of cert-manager).',
+  )
   .description('Runs specified scripts using various runners.')
   .action(Underpost.run.callback);
 
 program
   .command('lxd')
+  .argument(
+    '[vm-id]',
+    'VM identifier shared by current-VM flags like --vm-create, --vm-delete, --vm-init, --vm-info, and --vm-test.',
+  )
   .option('--init', 'Initializes LXD on the current machine via preseed.')
-  .option('--reset', 'Removes the LXD snap and purges all data.')
+  .option(
+    '--reset',
+    'Host-safe reset: removes proxy devices, stops/deletes VMs, drops admin-profile and lxdbr0. Does NOT touch the LXD snap or storage pools.',
+  )
+  .option(
+    '--purge',
+    'DESTRUCTIVE: gracefully shuts down the LXD daemon (60s timeout), then removes the LXD snap. Combine with --reset to wipe per-VM state first. Safe replacement for the prior aggressive teardown.',
+  )
+  .option(
+    '--shutdown',
+    'Pre-host-reboot procedure: gracefully stops every VM and the LXD daemon. Run BEFORE any reboot/poweroff to keep the host bootable.',
+  )
+  .option(
+    '--restore',
+    'Symmetric to --shutdown: starts the LXD daemon, waits for it to be responsive, then starts every VM. VMs created via admin-profile have boot.autostart=false, so this is the explicit "bring the lab back up" command.',
+  )
   .option('--install', 'Installs the LXD snap.')
   .option('--dev', 'Use local paths instead of the global npm installation.')
   .option('--create-virtual-network', 'Creates the lxdbr0 bridge network.')
@@ -696,25 +768,48 @@ program
   .option('--create-admin-profile', 'Creates the admin-profile for VM management.')
   .option('--control', 'Initialize the target VM as a K3s control plane node.')
   .option('--worker', 'Initialize the target VM as a K3s worker node.')
-  .option('--create-vm <vm-name>', 'Copy the LXC launch command for a new K3s VM to the clipboard.')
-  .option('--delete-vm <vm-name>', 'Stop and delete the specified VM.')
-  .option('--init-vm <vm-name>', 'Run k3s-node-setup.sh on the specified VM (use with --control or --worker).')
-  .option('--info-vm <vm-name>', 'Display full configuration and status for the specified VM.')
-  .option('--test <vm-name>', 'Run connectivity and health checks on the specified VM.')
-  .option('--root-size <gb-size>', 'Root disk size in GiB for --create-vm (default: 32).')
+  .option('--vm-create', 'Copy the LXC launch command for the command argument [vm-id] to the clipboard.')
+  .option(
+    '--vm-delete',
+    'SAFELY stop and delete the command argument [vm-id] (removes proxy devices first, then stops, then deletes). Safe to re-run.',
+  )
+  .option(
+    '--vm-init',
+    'Bring the command argument [vm-id] up as a K3s node end-to-end: OS base setup, mirror /home/dd/engine into the VM, then K3s role install via the local engine (use with --control or --worker).',
+  )
+  .option('--vm-info', 'Display full configuration and status for the command argument [vm-id].')
+  .option('--vm-test', 'Run connectivity and health checks on the command argument [vm-id].')
+  .option(
+    '--vm-sync-engine',
+    'Re-copy the host engine source into the command argument [vm-id], overriding whatever is currently there (equivalent to the engine-bootstrap step of --vm-init in isolation).',
+  )
+  .option('--root-size <gb-size>', 'Root disk size in GiB for --vm-create (default: 32).')
   .option(
     '--join-node <nodes>',
     'Join a K3s worker to a control plane. Standalone format: "workerName,controlName". ' +
-      'When used with --init-vm --worker, provide just the control node name for auto-join.',
+      'When used with --vm-init --worker, provide just the control node name for auto-join.',
   )
   .option('--expose <vm-name:ports>', 'Proxy host ports to a VM (e.g., "k3s-control:80,443").')
+  .option(
+    '--node-port <port>',
+    'Customizes the VM-side (connect) port for --expose, so the host listens on the given port but proxies to this NodePort inside the VM (e.g. expose host 27017 -> VM NodePort 32017).',
+  )
   .option('--delete-expose <vm-name:ports>', 'Remove proxied ports from a VM (e.g., "k3s-control:80,443").')
-  .option('--workflow-id <workflow-id>', 'Workflow ID to execute via runWorkflow.')
-  .option('--vm-id <vm-name>', 'Target VM name for workflow execution.')
-  .option('--deploy-id <deploy-id>', 'Deployment ID context for workflow execution.')
+  .option(
+    '--copy',
+    'For two-phase flows that surface a command for the user to execute (e.g. --create-admin-profile phase 1), copy the command to the clipboard instead of printing it to the terminal.',
+  )
   .option('--namespace <namespace>', 'Kubernetes namespace context (defaults to "default").')
+  .option(
+    '--maas-project <project>',
+    'LXD project managed by MAAS (e.g. "k3s-cluster"). When set, all lxc commands target this project so MAAS enumerates the VMs in its machines UI.',
+  )
+  .option(
+    '--move-to-project',
+    'Stop the [vm-id] VM in the default project, move it to --maas-project, then start it so MAAS picks it up. Requires --maas-project.',
+  )
   .description('Manages LXD virtual machines as K3s nodes (control plane or workers).')
-  .action(Underpost.lxd.callback);
+  .action((vmId, options) => Underpost.lxd.callback(vmId, options));
 
 program
   .command('baremetal [workflow-id]')
@@ -824,6 +919,23 @@ program
     '--pwa-build',
     'Runs the pwa-microservices-template update flow: always re-clones, syncs engine sources, installs, builds, and pushes.',
   )
+  .option(
+    '--dry-run',
+    'For --build: previews version-bump changes (per-file substitution counts) without writing files or running downstream commands.',
+  )
+  .option(
+    '--mongo-host <host>',
+    'For --build: override DB_HOST in the template .env.example for the smoke test (e.g., "192.168.1.82:27017").',
+  )
+  .option('--mongo-user <user>', 'For --build: override DB_USER in the template .env.example for the smoke test.')
+  .option(
+    '--mongo-password <password>',
+    'For --build: override DB_PASSWORD in the template .env.example for the smoke test.',
+  )
+  .option(
+    '--valkey-host <host>',
+    'For --build: override VALKEY_HOST in the template .env.example for the smoke test (e.g., "192.168.1.82").',
+  )
   .description('Release orchestrator for building new versions and deploying releases of the Underpost CLI.')
   .action(async (version, options) => {
     if (options.build) return Underpost.release.build(version, options);

package/src/cli/ipfs.js

@@ -131,12 +131,10 @@ class UnderpostIPFS {
       // Apply UDP buffer sysctl on every Kind node so QUIC (used by IPFS) can reach the
       // recommended 7.5 MB buffer size. Kind nodes are containers and do NOT inherit the
       // host sysctl values, so this must be set via docker exec on each node directly.
-      if (!options.kubeadm && !options.k3s) {
-        logger.info('Applying UDP buffer sysctl on Kind nodes');
-        shellExec(
-          `for node in $(kind get nodes); do docker exec $node sysctl -w net.core.rmem_max=7500000 net.core.wmem_max=7500000; done`,
-        );
-      }
+      shellExec(
+        `sudo sysctl -w net.core.rmem_max=7500000
+sudo sysctl -w net.core.wmem_max=7500000`,
+      );
 
       shellExec(`kubectl apply -f ${underpostRoot}/manifests/ipfs/storage-class.yaml`);
       shellExec(`kubectl apply -k ${underpostRoot}/manifests/ipfs -n ${options.namespace}`);

package/src/cli/kubectl.js

@@ -47,9 +47,12 @@ class UnderpostKubectl {
      * @memberof UnderpostKubectl
      */
     get(deployId, kindType = 'pods', namespace = '') {
+      // Existence-check style: a missing kubectl context, a non-existent
+      // namespace, or no pods matching the filter must return an empty
+      // list (not throw). silentOnError keeps the legacy contract.
       const raw = shellExec(
         `sudo kubectl get ${kindType}${namespace ? ` -n ${namespace}` : ` --all-namespaces`} -o wide`,
-        { stdout: true, disableLog: true, silent: true },
+        { stdout: true, disableLog: true, silent: true, silentOnError: true },
       );
 
       const heads = raw