underpost 3.2.10 → 3.2.11

package/bin/deploy.js

@@ -443,10 +443,10 @@ ${shellExec(`git log | grep Author: | sort -u`, { stdout: true }).split(`\n`).jo
           shellExec(`sudo kubectl delete secret ${secretSelector} -n ${namespace} --ignore-not-found`);
           shellExec(
             `sudo kubectl create secret generic ${secretSelector}` +
-            ` --from-literal=POSTGRES_DB=postgresdb` +
-            ` --from-literal=POSTGRES_USER=admin` +
-            ` --from-file=POSTGRES_PASSWORD=/home/dd/engine/engine-private/postgresql-password` +
-            ` --dry-run=client -o yaml | kubectl apply -f - -n ${namespace}`,
+              ` --from-literal=POSTGRES_DB=postgresdb` +
+              ` --from-literal=POSTGRES_USER=admin` +
+              ` --from-file=POSTGRES_PASSWORD=/home/dd/engine/engine-private/postgresql-password` +
+              ` --dry-run=client -o yaml | kubectl apply -f - -n ${namespace}`,
           );
         }
         {
@@ -454,10 +454,10 @@ ${shellExec(`git log | grep Author: | sort -u`, { stdout: true }).split(`\n`).jo
           shellExec(`sudo kubectl delete secret ${secretSelector} -n ${namespace} --ignore-not-found`);
           shellExec(
             `sudo kubectl create secret generic ${secretSelector}` +
-            ` --from-file=SECRET_KEY=/home/dd/engine/engine-private/postgresql-password` +
-            ` --from-literal=FIRST_SUPERUSER=${process.env.GITHUB_EMAIL || 'development@underpost.net'}` +
-            ` --from-file=FIRST_SUPERUSER_PASSWORD=/home/dd/engine/engine-private/postgresql-password` +
-            ` --dry-run=client -o yaml | kubectl apply -f - -n ${namespace}`,
+              ` --from-file=SECRET_KEY=/home/dd/engine/engine-private/postgresql-password` +
+              ` --from-literal=FIRST_SUPERUSER=${process.env.GITHUB_EMAIL || 'development@underpost.net'}` +
+              ` --from-file=FIRST_SUPERUSER_PASSWORD=/home/dd/engine/engine-private/postgresql-password` +
+              ` --dry-run=client -o yaml | kubectl apply -f - -n ${namespace}`,
           );
         }
       }
@@ -577,7 +577,8 @@ nvidia/gpu-operator \
       shellExec(`sudo docker pull ${image}`);
       if (!process.argv.includes('kubeadm'))
         shellExec(
-          `sudo ${process.argv.includes('kubeadm') ? `ctr -n k8s.io images import` : `kind load docker-image`
+          `sudo ${
+            process.argv.includes('kubeadm') ? `ctr -n k8s.io images import` : `kind load docker-image`
           } ${image}`,
         );
       const namespace = process.argv.find((arg) => arg.startsWith('--namespace='))?.split('=')[1] || 'default';
@@ -626,11 +627,11 @@ nvidia/gpu-operator \
           }
           env[key] =
             `${key}`.toUpperCase().match('API') ||
-              `${key}`.toUpperCase().match('KEY') ||
-              `${key}`.toUpperCase().match('SECRET') ||
-              `${key}`.toUpperCase().match('TOKEN') ||
-              `${key}`.toUpperCase().match('PASSWORD') ||
-              `${key}`.toUpperCase().match('MAC')
+            `${key}`.toUpperCase().match('KEY') ||
+            `${key}`.toUpperCase().match('SECRET') ||
+            `${key}`.toUpperCase().match('TOKEN') ||
+            `${key}`.toUpperCase().match('PASSWORD') ||
+            `${key}`.toUpperCase().match('MAC')
               ? 'changethis'
               : isNaN(parseFloat(privateEnv[key]))
                 ? `${privateEnv[key]}`.match(`@`)
@@ -1393,10 +1394,10 @@ nvidia/gpu-operator \
       const deployIds = deployIdArg
         ? [deployIdArg]
         : fs
-          .readFileSync(`./engine-private/deploy/dd.router`, 'utf8')
-          .split(',')
-          .map((d) => d.trim())
-          .filter(Boolean);
+            .readFileSync(`./engine-private/deploy/dd.router`, 'utf8')
+            .split(',')
+            .map((d) => d.trim())
+            .filter(Boolean);
 
       const addComponentToClientConf = ({ filePath, label, targetClientId, targetSubmoduleId }) => {
         if (!fs.existsSync(filePath)) return { added: 0, checked: 0, hasComponentFile: false };
@@ -1527,6 +1528,16 @@ nvidia/gpu-operator \
 
       break;
     }
+
+    case 'k3s-template-env': {
+      if (fs.existsSync('./engine-private/conf/dd-default')) {
+        console.log('Cleaning up existing dd-default config for VM template environment setup');
+        fs.removeSync('./engine-private/conf/dd-default');
+      }
+      shellExec(`node bin env clean`);
+      shellExec(`sed -i "s/127.0.0.1/$(underpost ip --dhcp)/g" .env.example`);
+      break;
+    }
   }
 } catch (error) {
   logger.error(error, error.stack);

package/conf.js

@@ -201,12 +201,9 @@ const DefaultConf = /**/ {
         proxy: [80, 443],
         db: {
           provider: 'env:DB_PROVIDER:mongoose',
-          host: 'env:DB_HOST:mongodb://127.0.0.1:27017',
+          host: 'env:DB_HOST:mongodb://mongodb-0.mongodb-service:27017',
           name: 'env:DB_NAME:default',
           replicaSet: 'env:DB_REPLICA_SET:rs0',
-          authSource: 'env:DB_AUTH_SOURCE:admin',
-          user: 'env:DB_USER:',
-          password: 'env:DB_PASSWORD:',
         },
         mailer: {
           sender: {

package/manifests/cronjobs/dd-cron/dd-cron-backup.yaml

@@ -23,7 +23,7 @@ spec:
         spec:
           containers:
             - name: dd-cron-backup
-              image: underpost/underpost-engine:v3.2.10
+              image: underpost/underpost-engine:v3.2.11
               command:
                 - /bin/sh
                 - -c

package/manifests/cronjobs/dd-cron/dd-cron-dns.yaml

@@ -23,7 +23,7 @@ spec:
         spec:
           containers:
             - name: dd-cron-dns
-              image: underpost/underpost-engine:v3.2.10
+              image: underpost/underpost-engine:v3.2.11
               command:
                 - /bin/sh
                 - -c

package/manifests/deployment/dd-default-development/deployment.yaml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
         - name: dd-default-development-blue
-          image: underpost/underpost-engine:v3.2.10
+          image: underpost/underpost-engine:v3.2.11
           #          resources:
           #            requests:
           #              memory: "124Ki"
@@ -98,7 +98,7 @@ spec:
     spec:
       containers:
         - name: dd-default-development-green
-          image: underpost/underpost-engine:v3.2.10
+          image: underpost/underpost-engine:v3.2.11
           #          resources:
           #            requests:
           #              memory: "124Ki"

package/manifests/deployment/dd-test-development/deployment.yaml

@@ -20,7 +20,7 @@ spec:
     spec:
       containers:
         - name: dd-test-development-blue
-          image: underpost/underpost-engine:v3.2.10
+          image: underpost/underpost-engine:v3.2.11
           imagePullPolicy: IfNotPresent
           envFrom:
             - secretRef:
@@ -148,7 +148,7 @@ spec:
     spec:
       containers:
         - name: dd-test-development-green
-          image: underpost/underpost-engine:v3.2.10
+          image: underpost/underpost-engine:v3.2.11
           imagePullPolicy: IfNotPresent
           envFrom:
             - secretRef:

package/manifests/lxd/lxd-admin-profile.yaml

@@ -1,13 +1,22 @@
 config:
-  limits.cpu: "2"
+  limits.cpu: '2'
   limits.memory: 4GB
-description: vm nat network
+  # Host-safety hardening:
+  #   boot.autostart=false  → the LXD daemon will NOT start any VM created with
+  #     this profile when the host boots. The user explicitly brings VMs up
+  #     after the host is verified healthy. Prevents a broken VM from blocking
+  #     boot via snap.lxd.daemon.
+  #   boot.host_shutdown_timeout=60 → bound the time the daemon waits for this
+  #     VM to stop when the host is going down. Prevents an unresponsive VM
+  #     from holding the host in an indefinite shutdown.
+  boot.autostart: 'false'
+  boot.host_shutdown_timeout: '60'
+description: vm nat network (host-safe defaults)
 devices:
   eth0:
     name: eth0
     network: lxdbr0
     type: nic
-    ipv4.address: 10.250.250.100
   root:
     path: /
     pool: local # lxc storage list

package/manifests/mongodb-4.4/headless-service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: mongodb-service
+spec:
+  clusterIP: None
+  selector:
+    app: mongodb
+  ports:
+    - port: 27017

package/manifests/mongodb-4.4/kustomization.yaml

@@ -4,4 +4,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - pv-pvc.yaml
-  - service-deployment.yaml
+  - storage-class.yaml
+  - headless-service.yaml
+  - statefulset.yaml

package/manifests/mongodb-4.4/mongodb-nodeport.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: mongodb-nodeport
+  labels:
+    app: mongodb
+spec:
+  type: NodePort
+  externalTrafficPolicy: Cluster
+  selector:
+    app: mongodb
+  ports:
+    - name: mongodb
+      protocol: TCP
+      port: 27017
+      targetPort: 27017
+      nodePort: 32017

package/manifests/mongodb-4.4/pv-pvc.yaml

@@ -1,23 +1,19 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: mongodb-pv
+  name: mongodb-pv-0
+  labels:
+    app: mongodb
 spec:
   capacity:
     storage: 5Gi
   accessModes:
     - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: mongodb-storage-class
+  claimRef:
+    namespace: default
+    name: mongodb-storage-mongodb-0
   hostPath:
-    path: /data/mongodb
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: mongodb-pvc
-spec:
-  storageClassName: ''
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 5Gi
+    path: /data/mongodb/v0
+    type: DirectoryOrCreate

package/manifests/mongodb-4.4/statefulset.yaml

@@ -0,0 +1,79 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: mongodb # Specifies the name of the statefulset
+spec:
+  serviceName: 'mongodb-service' # Specifies the service to use
+  podManagementPolicy: OrderedReady # or Parallel
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mongodb
+  template:
+    metadata:
+      labels:
+        app: mongodb
+    spec:
+      subdomain: mongodb-service
+      securityContext:
+        fsGroup: 999
+      initContainers:
+        - name: data-dir-permissions
+          image: docker.io/library/mongo:4.4
+          securityContext:
+            runAsUser: 0
+            runAsGroup: 0
+          command:
+            - sh
+            - -c
+            - |
+              chown -R 999:999 /data/db
+              rm -f /data/db/mongod.lock
+          volumeMounts:
+            - name: mongodb-storage
+              mountPath: /data/db
+      containers:
+        - name: mongodb
+          image: docker.io/library/mongo:4.4
+          command:
+            - mongod
+          args:
+            - '--replSet'
+            - 'rs0'
+            - '--bind_ip_all'
+          ports:
+            - containerPort: 27017
+          volumeMounts:
+            - name: mongodb-storage
+              mountPath: /data/db
+          env:
+            - name: MONGO_REPLICA_SET_NAME
+              value: rs0
+          readinessProbe:
+            tcpSocket:
+              port: 27017
+            initialDelaySeconds: 15
+            periodSeconds: 10
+            timeoutSeconds: 5
+          livenessProbe:
+            tcpSocket:
+              port: 27017
+            initialDelaySeconds: 30
+            periodSeconds: 20
+            timeoutSeconds: 5
+          resources:
+            requests:
+              cpu: '100m'
+              memory: '256Mi'
+            limits:
+              cpu: '500m'
+              memory: '512Mi'
+  volumeClaimTemplates:
+    - metadata:
+        name: mongodb-storage
+      spec:
+        accessModes: ['ReadWriteOnce']
+        storageClassName: mongodb-storage-class
+        resources:
+          requests:
+            storage: 5Gi

package/manifests/mongodb-4.4/storage-class.yaml

@@ -0,0 +1,9 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: mongodb-storage-class
+  annotations:
+    storageclass.kubernetes.io/is-default-class: 'false'
+provisioner: rancher.io/local-path
+reclaimPolicy: Retain
+volumeBindingMode: WaitForFirstConsumer

package/manifests/valkey/statefulset.yaml

@@ -19,7 +19,7 @@ spec:
           image: docker.io/valkey/valkey:latest
           imagePullPolicy: IfNotPresent
           command: ['valkey-server']
-          args: ['--port', '6379']
+          args: ['--port', '6379', '--bind', '0.0.0.0', '--protected-mode', 'no']
           ports:
             - containerPort: 6379
           startupProbe:

package/manifests/valkey/valkey-nodeport.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: valkey-nodeport
+  labels:
+    app: valkey-service
+spec:
+  type: NodePort
+  externalTrafficPolicy: Cluster
+  selector:
+    app: valkey-service
+  ports:
+    - name: valkey
+      protocol: TCP
+      port: 6379
+      targetPort: 6379
+      nodePort: 32079

package/package.json

@@ -2,7 +2,7 @@
     "type": "module",
     "main": "src/index.js",
     "name": "underpost",
-    "version": "3.2.10",
+    "version": "3.2.11",
     "description": "Underpost Platform — end-to-end CI/CD and application-delivery toolchain CLI. Covers bare metal, Kubernetes, K3s, kubeadm, LXD, container/image orchestration, secrets, databases, cron jobs, monitoring, SSH, runners, PWA + Workbox delivery, and release orchestration. Extensible via downstream CLIs.",
     "scripts": {
         "start": "node --max-old-space-size=8192 src/server",
@@ -73,7 +73,7 @@
         "adm-zip": "^0.5.17",
         "ag-grid-community": "^35.3.0",
         "axios": "^1.16.1",
-        "bumpp": "^10.1.0",
+        "bumpp": "^11.1.0",
         "chai": "^6.2.2",
         "clipboardy": "^5.3.1",
         "cloudinary": "^2.10.0",
@@ -108,7 +108,7 @@
         "marked": "^18.0.4",
         "mongoose": "^9.6.2",
         "morgan": "^1.10.0",
-        "nodemailer": "^8.0.8",
+        "nodemailer": "^8.0.9",
         "nodemon": "^3.0.1",
         "peer": "^1.0.2",
         "peerjs": "^1.5.5",

package/scripts/ipxe-setup.sh

@@ -14,39 +14,39 @@ REBUILD=false
 EMBED_SCRIPT=""
 
 while [[ $# -gt 0 ]]; do
-  case $1 in
-    --rebuild)
-      REBUILD=true
-      shift # past argument
-      ;;
-    --target-arch)
-      case "$2" in
-        arm64)
-          TARGET_ARCH="aarch64"
-          ;;
-        amd64)
-          TARGET_ARCH="x86_64"
-          ;;
+    case $1 in
+        --rebuild)
+            REBUILD=true
+            shift # past argument
+        ;;
+        --target-arch)
+            case "$2" in
+                arm64)
+                    TARGET_ARCH="aarch64"
+                ;;
+                amd64)
+                    TARGET_ARCH="x86_64"
+                ;;
+                *)
+                    echo "Error: Unsupported architecture '$2'. Use 'arm64' or 'amd64'."
+                    exit 1
+                ;;
+            esac
+            shift # past argument
+            shift # past value
+        ;;
+        --embed-script)
+            EMBED_SCRIPT="$2"
+            shift # past argument
+            shift # past value
+        ;;
         *)
-          echo "Error: Unsupported architecture '$2'. Use 'arm64' or 'amd64'."
-          exit 1
-          ;;
-      esac
-      shift # past argument
-      shift # past value
-      ;;
-    --embed-script)
-      EMBED_SCRIPT="$2"
-      shift # past argument
-      shift # past value
-      ;;
-    *)
-      if [ -z "$TARGET_DIR_ARG" ]; then
-          TARGET_DIR_ARG="$1"
-      fi
-      shift # past argument
-      ;;
-  esac
+            if [ -z "$TARGET_DIR_ARG" ]; then
+                TARGET_DIR_ARG="$1"
+            fi
+            shift # past argument
+        ;;
+    esac
 done
 
 # Use argument if provided, otherwise env var, otherwise current dir
@@ -64,7 +64,7 @@ echo "Embed Script:        ${EMBED_SCRIPT:-none}"
 # Determine iPXE build target based on requested architecture
 if [ "$TARGET_ARCH" = "aarch64" ]; then
     BUILD_TARGET="bin-arm64-efi/ipxe.efi"
-elif [ "$TARGET_ARCH" = "x86_64" ]; then
+    elif [ "$TARGET_ARCH" = "x86_64" ]; then
     BUILD_TARGET="bin-x86_64-efi/ipxe.efi"
 else
     echo "Error: Unsupported target architecture '$TARGET_ARCH'"
@@ -79,49 +79,50 @@ DO_BUILD=false
 
 if [ "$REBUILD" = true ]; then
     DO_BUILD=true
-elif [ ! -f "$COMPILED_SRC_PATH" ]; then
+    elif [ ! -f "$COMPILED_SRC_PATH" ]; then
     echo "Binary not found at $COMPILED_SRC_PATH. Initiating build..."
     DO_BUILD=true
+    
 else
-    echo "Binary found at $COMPILED_SRC_PATH. Skipping build."
+    echo "Binary found at $COMPILED_SRC_PATH with matching embedded script. Skipping build."
 fi
 
 if [ "$DO_BUILD" = true ]; then
-
+    
     # Helper function for package manager
     if command -v dnf &> /dev/null; then
         PKG_MGR="dnf"
     else
         PKG_MGR="yum"
     fi
-
+    
     # --- 2. Install Dependencies (RHEL/CentOS/Fedora) ---
     echo ""
     echo "--- Installing Build Dependencies ---"
     echo "Requesting sudo permissions..."
-
+    
     COMMON_PKGS="git make binutils-devel xz-devel perl"
-
+    
     # Logic to determine if we need native or cross-compilers
     if [ "$HOST_ARCH" = "$TARGET_ARCH" ]; then
         # Native compilation
         echo "Architecture match ($HOST_ARCH). Installing native GCC..."
         sudo $PKG_MGR install -y $COMMON_PKGS gcc
         CROSS_COMPILE_PREFIX=""
-
-    elif [ "$HOST_ARCH" = "x86_64" ] && [ "$TARGET_ARCH" = "aarch64" ]; then
+        
+        elif [ "$HOST_ARCH" = "x86_64" ] && [ "$TARGET_ARCH" = "aarch64" ]; then
         # Cross-compilation: x86_64 host -> aarch64 target
         echo "Cross-compiling for $TARGET_ARCH on $HOST_ARCH..."
         # Note: Ensure EPEL repo is enabled on RHEL/CentOS for this package
         sudo $PKG_MGR install -y $COMMON_PKGS gcc-aarch64-linux-gnu
         CROSS_COMPILE_PREFIX="aarch64-linux-gnu-"
-
+        
     else
         echo "Error: No automated path defined for Host: $HOST_ARCH -> Target: $TARGET_ARCH"
         echo "You may need to install specific cross-compilers manually."
         exit 1
     fi
-
+    
     # --- 3. Clone iPXE Source ---
     echo ""
     echo "--- Downloading iPXE Source Code ---"
@@ -133,15 +134,15 @@ if [ "$DO_BUILD" = true ]; then
         git clone https://github.com/ipxe/ipxe.git $IPXE_SRC_DIR
         cd $IPXE_SRC_DIR
     fi
-
+    
     # --- 4. Compile the Binary ---
     echo ""
     echo "--- Compiling $EFI_FILENAME for $TARGET_ARCH ---"
     cd src
-
+    
     # Clean previous builds to ensure no arch mismatch
     make clean
-
+    
     # Build with embedded script if provided
     if [ -n "$EMBED_SCRIPT" ]; then
         echo "Embedding script into iPXE binary..."
@@ -155,7 +156,7 @@ if [ "$DO_BUILD" = true ]; then
         echo "Running make for target: $BUILD_TARGET..."
         make CROSS_COMPILE=$CROSS_COMPILE_PREFIX $BUILD_TARGET
     fi
-
+    
     if [ $? -ne 0 ]; then
         echo "Error: Compilation failed."
         if [ -n "$CROSS_COMPILE_PREFIX" ]; then
@@ -163,6 +164,8 @@ if [ "$DO_BUILD" = true ]; then
         fi
         exit 1
     fi
+    
+    
 fi
 
 # --- 5. Deploy Binary ---
@@ -176,10 +179,10 @@ if [ -f "$COMPILED_SRC_PATH" ]; then
         echo "Creating target directory: $TARGET_DIR"
         mkdir -p "$TARGET_DIR"
     fi
-
+    
     echo "Copying $COMPILED_SRC_PATH to $TARGET_DIR/$EFI_FILENAME..."
     cp "$COMPILED_SRC_PATH" "$TARGET_DIR/$EFI_FILENAME"
-
+    
     if [ $? -eq 0 ]; then
         echo "✓ Success!"
         echo "---------------------------------------------------"