underpost 3.2.22 → 3.2.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (50) hide show
  1. package/.github/workflows/ghpkg.ci.yml +1 -1
  2. package/.github/workflows/gitlab.ci.yml +1 -1
  3. package/.github/workflows/npmpkg.ci.yml +1 -1
  4. package/.github/workflows/publish.ci.yml +2 -2
  5. package/.github/workflows/pwa-microservices-template-page.cd.yml +1 -1
  6. package/.github/workflows/pwa-microservices-template-test.ci.yml +1 -1
  7. package/CHANGELOG.md +141 -1
  8. package/CLI-HELP.md +56 -2
  9. package/README.md +3 -2
  10. package/baremetal/commission-workflows.json +1 -0
  11. package/bin/build.js +1 -0
  12. package/docker-compose.yml +224 -0
  13. package/manifests/cronjobs/dd-cron/dd-cron-backup.yaml +1 -1
  14. package/manifests/cronjobs/dd-cron/dd-cron-dns.yaml +1 -1
  15. package/manifests/deployment/dd-default-development/deployment.yaml +2 -2
  16. package/package.json +27 -15
  17. package/scripts/kubeadm-node-setup.sh +317 -0
  18. package/scripts/rocky-kickstart.sh +877 -185
  19. package/scripts/rpmfusion-ffmpeg-setup.sh +26 -50
  20. package/src/cli/baremetal.js +717 -16
  21. package/src/cli/cluster.js +3 -1
  22. package/src/cli/deploy.js +6 -2
  23. package/src/cli/docker-compose.js +591 -0
  24. package/src/cli/fs.js +35 -11
  25. package/src/cli/index.js +75 -0
  26. package/src/cli/kickstart.js +142 -20
  27. package/src/cli/repository.js +72 -11
  28. package/src/cli/run.js +253 -2
  29. package/src/cli/ssh.js +190 -0
  30. package/src/cli/static.js +2 -2
  31. package/src/{server → client-builder}/client-build-docs.js +15 -5
  32. package/src/{server → client-builder}/client-build-live.js +3 -3
  33. package/src/{server → client-builder}/client-build.js +25 -22
  34. package/src/{server → client-builder}/client-dev-server.js +3 -3
  35. package/src/{server → client-builder}/client-icons.js +2 -2
  36. package/src/{server → client-builder}/ssr.js +5 -5
  37. package/src/client.build.js +1 -1
  38. package/src/client.dev.js +1 -1
  39. package/src/index.js +12 -1
  40. package/src/mailer/EmailRender.js +1 -1
  41. package/src/{server → projects/underpost}/catalog-underpost.js +1 -2
  42. package/src/runtime/express/Express.js +2 -2
  43. package/src/runtime/nginx/Nginx.js +250 -0
  44. package/src/server/catalog.js +7 -14
  45. package/src/server/conf.js +3 -3
  46. package/src/server.js +1 -1
  47. package/typedoc.json +3 -1
  48. package/src/server/ipfs-client.js +0 -599
  49. /package/src/client/ssr/{Render.js → RootDocument.js} +0 -0
  50. /package/src/{server → client-builder}/client-formatted.js +0 -0
package/package.json CHANGED
@@ -2,7 +2,7 @@
2
2
  "type": "module",
3
3
  "main": "src/index.js",
4
4
  "name": "underpost",
5
- "version": "3.2.22",
5
+ "version": "3.2.28",
6
6
  "description": "Underpost Platform — end-to-end CI/CD and application-delivery toolchain CLI. Covers bare metal, Kubernetes, K3s, kubeadm, LXD, container/image orchestration, secrets, databases, cron jobs, monitoring, SSH, runners, PWA + Workbox delivery, and release orchestration. Extensible via downstream CLIs.",
7
7
  "scripts": {
8
8
  "start": "node --max-old-space-size=8192 src/server",
@@ -26,7 +26,18 @@
26
26
  "security:secrets:ci": "gitleaks detect --source . --config .gitleaks.toml --redact=1",
27
27
  "security:deps": "npm audit",
28
28
  "security": "npm run security:secrets:ci && npm run security:deps",
29
- "clean": "node bin env clean && node bin run clean"
29
+ "clean": "node bin env clean && node bin run clean",
30
+ "docker:generate": "node bin docker-compose --generate",
31
+ "docker:up": "node bin docker-compose --up",
32
+ "docker:up:build": "node bin docker-compose --up --build",
33
+ "docker:down": "node bin docker-compose --down",
34
+ "docker:down:volumes": "node bin docker-compose --down --volumes",
35
+ "docker:restart": "node bin docker-compose --restart",
36
+ "docker:build": "node bin docker-compose --build",
37
+ "docker:pull": "node bin docker-compose --pull",
38
+ "docker:logs": "node bin docker-compose --logs",
39
+ "docker:status": "node bin docker-compose --status",
40
+ "docker:shell": "node bin docker-compose --shell"
30
41
  },
31
42
  "bin": {
32
43
  "underpost": "bin/index.js"
@@ -61,13 +72,13 @@
61
72
  "homepage": "https://github.com/underpostnet/pwa-microservices-template#readme",
62
73
  "dependencies": {
63
74
  "@fortawesome/fontawesome-free": "^7.2.0",
64
- "@fullcalendar/rrule": "^6.1.20",
75
+ "@fullcalendar/rrule": "^6.1.21",
65
76
  "@grpc/grpc-js": "^1.14.4",
66
77
  "@grpc/proto-loader": "^0.8.1",
67
78
  "@neodrag/vanilla": "^2.3.1",
68
79
  "adm-zip": "^0.5.17",
69
- "ag-grid-community": "^35.3.0",
70
- "axios": "^1.16.1",
80
+ "ag-grid-community": "^35.3.1",
81
+ "axios": "^1.18.0",
71
82
  "bumpp": "^11.1.0",
72
83
  "chai": "^6.2.2",
73
84
  "clipboardy": "^5.3.1",
@@ -78,10 +89,10 @@
78
89
  "cookie-parser": "^1.4.7",
79
90
  "cors": "^2.8.6",
80
91
  "d3": "^7.9.0",
81
- "dexie": "^4.4.3",
92
+ "dexie": "^4.4.4",
82
93
  "dotenv": "^17.4.2",
83
94
  "easymde": "^2.21.0",
84
- "esbuild": "^0.28.0",
95
+ "esbuild": "^0.28.1",
85
96
  "escape-string-regexp": "^5.0.0",
86
97
  "express": "^5.2.1",
87
98
  "express-fileupload": "^1.4.3",
@@ -90,20 +101,20 @@
90
101
  "fast-json-stable-stringify": "^2.1.0",
91
102
  "favicons": "^7.3.0",
92
103
  "fs-extra": "^11.3.5",
93
- "fullcalendar": "^6.1.15",
104
+ "fullcalendar": "^6.1.21",
94
105
  "helmet": "^8.2.0",
95
106
  "html-minifier-terser": "^7.2.0",
96
- "http-proxy-middleware": "^4.0.0",
107
+ "http-proxy-middleware": "^4.1.1",
97
108
  "ignore-walk": "^9.0.0",
98
109
  "iovalkey": "^0.3.3",
99
110
  "json-colorizer": "^3.0.1",
100
111
  "jsonwebtoken": "^9.0.3",
101
- "mariadb": "^3.2.2",
112
+ "mariadb": "^3.5.3",
113
+ "marked": "^18.0.5",
102
114
  "mocha": "^11.7.6",
103
- "marked": "^18.0.4",
104
- "mongoose": "^9.6.3",
105
- "morgan": "^1.10.0",
106
- "nodemailer": "^8.0.10",
115
+ "mongoose": "^9.7.1",
116
+ "morgan": "^1.11.0",
117
+ "nodemailer": "^9.0.0",
107
118
  "nodemon": "^3.0.1",
108
119
  "peer": "^1.0.2",
109
120
  "peerjs": "^1.5.5",
@@ -145,6 +156,7 @@
145
156
  "serialize-javascript": ">=7.0.5",
146
157
  "router": {
147
158
  "path-to-regexp": ">=8.4.0"
148
- }
159
+ },
160
+ "ws": "^8.20.2"
149
161
  }
150
162
  }
@@ -0,0 +1,317 @@
1
+ #!/bin/bash
2
+ set -euo pipefail
3
+
4
+ # ---------------------------------------------------------------------------
5
+ # Underpost Kubeadm Node Setup (bare-metal physical node)
6
+ #
7
+ # Mirrors scripts/k3s-node-setup.sh but for kubeadm on real hardware: it runs on
8
+ # the freshly deployed OS (disk-installed Rocky) after first boot, installs NVM +
9
+ # Node.js, ensures the engine source is present, and drives the cluster bring-up
10
+ # through the local engine entrypoint `node bin cluster` (src/cli/cluster.js) —
11
+ # reusing its kubeadm + Contour + host-init logic instead of reimplementing it.
12
+ #
13
+ # Modes:
14
+ # --control Initialize a new kubeadm control-plane (default).
15
+ # --worker Join an existing cluster.
16
+ #
17
+ # Worker join (controller supplies this over SSH; no manual token paste):
18
+ # --join-command="kubeadm join <ip>:6443 --token <t> --discovery-token-ca-cert-hash <h>"
19
+ # or: --control-ip=<ip> --token=<t> --discovery-token-ca-cert-hash=<h>
20
+ #
21
+ # Engine source / options:
22
+ # --engine-root=<path> Engine source path (default /home/dd/engine).
23
+ # --engine-repo=<url> Git repo cloned if the engine source is missing.
24
+ # --engine-branch=<branch> Branch to clone (default: repo default).
25
+ # --no-contour Control mode: skip the Contour ingress install.
26
+ # ---------------------------------------------------------------------------
27
+
28
+ ROLE="control"
29
+ JOIN_COMMAND=""
30
+ CONTROL_IP=""
31
+ CONTROL_ENDPOINT_HOST=""
32
+ TOKEN=""
33
+ CA_CERT_HASH=""
34
+ JOIN_ONLY="0"
35
+ INSTALL_CONTOUR="1"
36
+ ENGINE_ROOT="/home/dd/engine"
37
+ ENGINE_REPO="https://github.com/underpostnet/engine.git"
38
+ ENGINE_BRANCH=""
39
+ # Private repo holding secrets (engine-private/conf/.../.env.production) cloned
40
+ # with a GitHub token. GITHUB_TOKEN/GITHUB_USERNAME come from the environment
41
+ # (passed over SSH by the controller) or the --github-* args.
42
+ ENGINE_PRIVATE_REPO="https://github.com/underpostnet/engine-private.git"
43
+ ENGINE_PRIVATE_BRANCH=""
44
+ GITHUB_TOKEN="${GITHUB_TOKEN:-}"
45
+ GITHUB_USERNAME="${GITHUB_USERNAME:-}"
46
+ CRI_SOCKET="unix:///var/run/crio/crio.sock"
47
+
48
+ for arg in "$@"; do
49
+ case $arg in
50
+ --control) ROLE="control" ;;
51
+ --worker) ROLE="worker" ;;
52
+ --join-command=*) JOIN_COMMAND="${arg#*=}" ;;
53
+ --control-ip=*) CONTROL_IP="${arg#*=}" ;;
54
+ --control-endpoint-host=*) CONTROL_ENDPOINT_HOST="${arg#*=}" ;;
55
+ --token=*) TOKEN="${arg#*=}" ;;
56
+ --discovery-token-ca-cert-hash=*) CA_CERT_HASH="${arg#*=}" ;;
57
+ --join-only) JOIN_ONLY="1" ;;
58
+ --engine-root=*) ENGINE_ROOT="${arg#*=}" ;;
59
+ --engine-repo=*) ENGINE_REPO="${arg#*=}" ;;
60
+ --engine-branch=*) ENGINE_BRANCH="${arg#*=}" ;;
61
+ --engine-private-repo=*) ENGINE_PRIVATE_REPO="${arg#*=}" ;;
62
+ --engine-private-branch=*) ENGINE_PRIVATE_BRANCH="${arg#*=}" ;;
63
+ --github-token=*) GITHUB_TOKEN="${arg#*=}" ;;
64
+ --github-username=*) GITHUB_USERNAME="${arg#*=}" ;;
65
+ --no-contour) INSTALL_CONTOUR="0" ;;
66
+ esac
67
+ done
68
+
69
+ log() { echo "$(date): [kubeadm-setup] $*"; }
70
+
71
+ # worker_join: lightweight, idempotent kubeadm join. Centralizes the join logic
72
+ # used by both the full worker flow and the --join-only short-circuit. Returns
73
+ # non-zero on failure so `set -e` aborts the script (no false-positive success).
74
+ worker_join() {
75
+ if [ -z "$JOIN_COMMAND" ]; then
76
+ if [ -n "$CONTROL_IP" ] && [ -n "$TOKEN" ] && [ -n "$CA_CERT_HASH" ]; then
77
+ JOIN_COMMAND="kubeadm join ${CONTROL_IP}:6443 --token ${TOKEN} --discovery-token-ca-cert-hash ${CA_CERT_HASH}"
78
+ else
79
+ echo "ERROR: worker mode needs --join-command=... OR --control-ip/--token/--discovery-token-ca-cert-hash" >&2
80
+ return 1
81
+ fi
82
+ fi
83
+
84
+ command -v kubeadm >/dev/null 2>&1 || {
85
+ echo "ERROR: kubeadm not found on node. Run a full (non --join-only) setup first." >&2
86
+ return 1
87
+ }
88
+
89
+ # Make the control-plane endpoint hostname resolve to the control IP. kubeadm
90
+ # reads the cluster-info / kubeadm-config ConfigMaps whose server URL is the
91
+ # control-plane endpoint (often 'localhost.localdomain:6443'); without this the
92
+ # worker dials [::1]:6443 and fails with "connection refused".
93
+ if [ -n "$CONTROL_ENDPOINT_HOST" ] && [ -n "$CONTROL_IP" ] && [ "$CONTROL_ENDPOINT_HOST" != "$CONTROL_IP" ]; then
94
+ log "Mapping control-plane endpoint '$CONTROL_ENDPOINT_HOST' -> $CONTROL_IP in /etc/hosts"
95
+ ESC_HOST="$(printf '%s' "$CONTROL_ENDPOINT_HOST" | sed 's/[.]/\\./g')"
96
+ # Strip the endpoint host from any existing (loopback) line so it no longer
97
+ # resolves to 127.0.0.1, then point it at the real control-plane IP.
98
+ sudo sed -i -E "s/[[:space:]]+${ESC_HOST}([[:space:]]|\$)/\1/g" /etc/hosts || true
99
+ if ! grep -qE "^${CONTROL_IP}[[:space:]].*${ESC_HOST}([[:space:]]|\$)" /etc/hosts; then
100
+ echo "${CONTROL_IP} ${CONTROL_ENDPOINT_HOST}" | sudo tee -a /etc/hosts >/dev/null
101
+ fi
102
+ fi
103
+
104
+ # Kernel/sysctl prereqs the kubeadm preflight needs (no engine/node required).
105
+ sudo swapoff -a || true
106
+ sudo sed -i '/swap/d' /etc/fstab || true
107
+ sudo modprobe br_netfilter || true
108
+ printf 'net.bridge.bridge-nf-call-iptables = 1\nnet.bridge.bridge-nf-call-ip6tables = 1\nnet.ipv4.ip_forward = 1\n' \
109
+ | sudo tee /etc/sysctl.d/99-kubernetes.conf >/dev/null
110
+ sudo sysctl --system >/dev/null 2>&1 || true
111
+
112
+ # Replace --discovery-token-ca-cert-hash with --discovery-token-unsafe-skip-ca-verification
113
+ # so token discovery does not depend on the pinned CA hash.
114
+ UNSAFE_JOIN="$(echo "${JOIN_COMMAND}" | sed 's/--discovery-token-ca-cert-hash [^ ]*/--discovery-token-unsafe-skip-ca-verification/')"
115
+
116
+ _do_join() {
117
+ # Reset any stale state from a previous failed join so kubeadm does not
118
+ # reuse cached config that points at an unreachable endpoint.
119
+ sudo kubeadm reset -f --cri-socket="${CRI_SOCKET}" >/dev/null 2>&1 || true
120
+ sudo rm -rf /etc/kubernetes/* /var/lib/kubelet/pki 2>/dev/null || true
121
+ log "Joining cluster: ${UNSAFE_JOIN%% --token*} ..."
122
+ sudo ${UNSAFE_JOIN} --cri-socket="${CRI_SOCKET}"
123
+ }
124
+
125
+ if _do_join; then
126
+ log "Worker joined the cluster."
127
+ return 0
128
+ fi
129
+ log "WARNING: kubeadm join attempt failed; resetting and retrying once..."
130
+ if _do_join; then
131
+ log "Worker joined the cluster."
132
+ return 0
133
+ fi
134
+ log "FATAL: kubeadm join failed after retry"
135
+ return 1
136
+ }
137
+
138
+ # --join-only: skip all prerequisite/engine/host setup and go straight to the
139
+ # join (used by `baremetal --resume-join` on an already-provisioned node).
140
+ if [ "$JOIN_ONLY" = "1" ]; then
141
+ [ "$ROLE" = "worker" ] || { echo "ERROR: --join-only is only valid with --worker" >&2; exit 1; }
142
+ log "--join-only: skipping prerequisites/engine setup; joining cluster directly"
143
+ worker_join
144
+ log "kubeadm worker (join-only) complete."
145
+ exit 0
146
+ fi
147
+
148
+ # ---------------------------------------------------------------------------
149
+ # 0. Base prerequisites — a minimal @core Rocky install lacks tar/xz/git, which
150
+ # NVM needs to extract Node.js and the engine clone needs. Install them first.
151
+ # ---------------------------------------------------------------------------
152
+ log "Installing base prerequisites (tar, xz, gzip, git, curl)..."
153
+ sudo dnf install -y tar xz gzip bzip2 git curl ca-certificates which findutils 2>/dev/null \
154
+ || dnf install -y tar xz gzip bzip2 git curl ca-certificates which findutils
155
+
156
+ # ---------------------------------------------------------------------------
157
+ # 1. NVM and Node.js — required for the `node bin ...` entrypoints. Idempotent so
158
+ # a retried run does not reinstall Node from scratch.
159
+ # ---------------------------------------------------------------------------
160
+ if command -v node >/dev/null 2>&1 && node --version 2>/dev/null | grep -q '^v24'; then
161
+ log "Node.js $(node --version) already installed; skipping NVM setup"
162
+ else
163
+ log "Installing NVM and Node.js v24.15.0..."
164
+ curl -o- https://cdn.jsdelivr.net/gh/nvm-sh/nvm@v0.40.1/install.sh | bash
165
+
166
+ export NVM_DIR="$([ -z "${XDG_CONFIG_HOME-}" ] && printf %s "${HOME}/.nvm" || printf %s "${XDG_CONFIG_HOME}/nvm")"
167
+ # shellcheck disable=SC1090
168
+ [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"
169
+
170
+ nvm install 24.15.0
171
+ nvm use 24.15.0
172
+ nvm alias default 24.15.0
173
+ ln -sf "$(command -v node)" /usr/local/bin/node
174
+ ln -sf "$(command -v npm)" /usr/local/bin/npm
175
+ ln -sf "$(command -v npx)" /usr/local/bin/npx
176
+ fi
177
+
178
+ echo "
179
+ ██╗░░░██╗███╗░░██╗██████╗░███████╗██████╗░██████╗░░█████╗░░██████╗████████╗
180
+ ██║░░░██║████╗░██║██╔══██╗██╔════╝██╔══██╗██╔══██╗██╔══██╗██╔════╝╚══██╔══╝
181
+ ██║░░░██║██╔██╗██║██║░░██║█████╗░░██████╔╝██████╔╝██║░░██║╚█████╗░░░░██║░░░
182
+ ██║░░░██║██║╚████║██║░░██║██╔══╝░░██╔══██╗██╔═══╝░██║░░██║░╚═══██╗░░░██║░░░
183
+ ╚██████╔╝██║░╚███║██████╔╝███████╗██║░░██║██║░░░░░╚█████╔╝██████╔╝░░░██║░░░
184
+ ░╚═════╝░╚═╝░░╚══╝╚═════╝░╚══════╝╚═╝░░╚═╝╚═╝░░░░░░╚════╝░╚═════╝░░░░╚═╝░░░
185
+
186
+ Bringing up underpost kubeadm node (role=$ROLE) from $ENGINE_ROOT
187
+ "
188
+
189
+ # ---------------------------------------------------------------------------
190
+ # 2. Engine source — required by `node bin cluster` (manifests + CLI).
191
+ # Normalizes any (custom-named) repo into the canonical paths, mirroring
192
+ # src/server/start.js: clone into a temp dir then copy the contents into the
193
+ # target, so the working tree is always $ENGINE_ROOT regardless of repo name.
194
+ # ---------------------------------------------------------------------------
195
+ command -v git >/dev/null 2>&1 || sudo dnf install -y git
196
+
197
+ # clone_or_pull <repo-url> <branch> <target-dir> <remote-name> [mask-secret]
198
+ # If <target-dir> exists with a git repo, does a git pull (fetch+reset) to
199
+ # update it. Otherwise clones <repo-url> into a temp dir and copies contents
200
+ # to <target-dir> so a custom repo (e.g. engine-test-test) always lands at
201
+ # the canonical path. [mask-secret] is redacted from any logged output.
202
+ clone_or_pull() {
203
+ local url="${1:-}" branch="${2:-}" target="${3:-}" remote="${4:-origin}" mask="${5:-}"
204
+ if [ -d "$target" ] && git -C "$target" rev-parse --git-dir >/dev/null 2>&1; then
205
+ log "$target already present; pulling latest ..."
206
+ if git -C "$target" remote get-url "$remote" >/dev/null 2>&1; then
207
+ # Temporarily set the authenticated URL so the fetch succeeds.
208
+ # The caller strips the token from the remote URL after this returns.
209
+ local saved_url; saved_url="$(git -C "$target" remote get-url "$remote" 2>/dev/null || true)"
210
+ git -C "$target" remote set-url "$remote" "$url" 2>/dev/null || true
211
+ if [ -n "$mask" ]; then
212
+ git -C "$target" fetch --depth 1 "$remote" 2>&1 | sed "s/${mask}/***/g" || true
213
+ else
214
+ git -C "$target" fetch --depth 1 "$remote" 2>&1 || true
215
+ fi
216
+ # Restore the saved (clean) URL immediately so the token is never persisted.
217
+ if [ -n "$saved_url" ]; then
218
+ git -C "$target" remote set-url "$remote" "$saved_url" 2>/dev/null || true
219
+ fi
220
+ if [ -n "$branch" ]; then
221
+ git -C "$target" reset --hard "$remote/$branch" 2>/dev/null || true
222
+ else
223
+ # No branch specified: pull whichever branch is HEAD on remote
224
+ git -C "$target" reset --hard "$remote/$(git -C "$target" rev-parse --abbrev-ref HEAD 2>/dev/null)" 2>/dev/null || true
225
+ fi
226
+ # Clean untracked files so stale artifacts don't accumulate
227
+ git -C "$target" clean -fd 2>/dev/null || true
228
+ log "$target updated via pull"
229
+ return 0
230
+ fi
231
+ fi
232
+ # Full clone + normalize path
233
+ log "Cloning + normalizing $url -> $target ..."
234
+ local tmp; tmp="$(mktemp -d)"
235
+ local ok=0
236
+ if [ -n "$branch" ]; then
237
+ if [ -n "$mask" ]; then git clone --depth 1 --branch "$branch" "$url" "$tmp/repo" 2>&1 | sed "s/${mask}/***/g"; ok=${PIPESTATUS[0]}; else git clone --depth 1 --branch "$branch" "$url" "$tmp/repo"; ok=$?; fi
238
+ else
239
+ if [ -n "$mask" ]; then git clone --depth 1 "$url" "$tmp/repo" 2>&1 | sed "s/${mask}/***/g"; ok=${PIPESTATUS[0]}; else git clone --depth 1 "$url" "$tmp/repo"; ok=$?; fi
240
+ fi
241
+ if [ "$ok" -ne 0 ] || [ ! -d "$tmp/repo" ]; then
242
+ rm -rf "$tmp"
243
+ return 1
244
+ fi
245
+ mkdir -p "$target"
246
+ cp -a "$tmp/repo/." "$target/"
247
+ rm -rf "$tmp"
248
+ }
249
+
250
+ if [ -n "$GITHUB_TOKEN" ]; then
251
+ ENGINE_REPO_URL="https://${GITHUB_USERNAME:-x-access-token}:${GITHUB_TOKEN}@${ENGINE_REPO#https://}"
252
+ # Mask the token in log output by routing through clone_or_pull with mask arg
253
+ clone_or_pull "$ENGINE_REPO_URL" "$ENGINE_BRANCH" "$ENGINE_ROOT" "origin" "$GITHUB_TOKEN" || { log "FATAL: engine clone failed"; exit 1; }
254
+ # Drop the token from the remote URL so it is not persisted on disk.
255
+ git -C "$ENGINE_ROOT" remote set-url origin "$ENGINE_REPO" 2>/dev/null || true
256
+ else
257
+ clone_or_pull "$ENGINE_REPO" "$ENGINE_BRANCH" "$ENGINE_ROOT" "origin" "" || { log "FATAL: engine clone failed"; exit 1; }
258
+ fi
259
+
260
+ cd "$ENGINE_ROOT"
261
+
262
+ # Clone + normalize the private secrets repo into $ENGINE_ROOT/engine-private
263
+ # (where `node bin run secret` reads engine-private/conf/.../.env.production),
264
+ # regardless of the private repo's name. The token is masked in logs and then
265
+ # stripped from the saved remote URL.
266
+ if [ -n "$GITHUB_TOKEN" ]; then
267
+ PRIV_URL="https://${GITHUB_USERNAME:-x-access-token}:${GITHUB_TOKEN}@${ENGINE_PRIVATE_REPO#https://}"
268
+ if clone_or_pull "$PRIV_URL" "$ENGINE_PRIVATE_BRANCH" "$ENGINE_ROOT/engine-private" "origin" "$GITHUB_TOKEN"; then
269
+ # Drop the token from the remote URL so it is not persisted on disk.
270
+ git -C "$ENGINE_ROOT/engine-private" remote set-url origin "$ENGINE_PRIVATE_REPO" 2>/dev/null || true
271
+ else
272
+ log "WARNING: engine-private clone failed — secrets will be unavailable"
273
+ fi
274
+ else
275
+ log "WARNING: GITHUB_TOKEN not provided; engine-private not cloned — secrets will be unavailable"
276
+ fi
277
+
278
+ # Install JS deps and generate secrets using the local engine entrypoint.
279
+ npm install
280
+ npm install -g underpost
281
+ node bin run secret
282
+
283
+ # ---------------------------------------------------------------------------
284
+ # 3. Host prerequisites (Docker, CRI-O, kubelet/kubeadm/kubectl, ...) via cluster.js
285
+ # ---------------------------------------------------------------------------
286
+ log "Installing Kubernetes host prerequisites (underpost cluster --init-host)..."
287
+ # CRI-O is already installed by this point (idempotent dnf). The install-crio
288
+ # runner also tries to install cri-tools (crictl) which is not in Rocky 9 repos.
289
+ # That failure is non-fatal; CRI-O itself works fine without crictl.
290
+ node bin cluster --dev --init-host || log "WARNING: init-host had minor errors (CRI-O is already installed)"
291
+
292
+ # ---------------------------------------------------------------------------
293
+ # 4. Role-specific bring-up, fully delegated to src/cli/cluster.js
294
+ # ---------------------------------------------------------------------------
295
+ if [ "$ROLE" = "control" ]; then
296
+ if [ "$INSTALL_CONTOUR" = "1" ]; then
297
+ log "Initializing kubeadm control-plane + Contour (underpost cluster --kubeadm --contour)..."
298
+ node bin cluster --dev --kubeadm --contour
299
+ else
300
+ log "Initializing kubeadm control-plane (underpost cluster --kubeadm)..."
301
+ node bin cluster --dev --kubeadm
302
+ fi
303
+
304
+ echo ""
305
+ log "Control-plane ready. Join command for workers:"
306
+ sudo kubeadm token create --print-join-command
307
+
308
+ elif [ "$ROLE" = "worker" ]; then
309
+ # Apply the same host configuration cluster.js uses (SELinux, swap, sysctl)
310
+ # before joining; worker_join then handles endpoint mapping + the join itself
311
+ # and fails the script (set -e) if the join does not succeed.
312
+ log "Applying host configuration (underpost cluster --config)..."
313
+ node bin cluster --dev --config
314
+ worker_join
315
+ fi
316
+
317
+ log "kubeadm ${ROLE} setup complete."