sunbeam/manifests.py

"""Manifest build + apply — kustomize overlay with domain substitution."""
import time
from pathlib import Path

from sunbeam.kube import kube, kube_out, kube_ok, kube_apply, kustomize_build, get_lima_ip, get_domain
from sunbeam.output import step, ok, warn

REPO_ROOT = Path(__file__).parents[2] / "infrastructure"
MANAGED_NS = ["data", "devtools", "ingress", "lasuite", "media", "monitoring", "ory",
              "storage", "vault-secrets-operator"]


def pre_apply_cleanup(namespaces=None):
    """Delete immutable resources that must be re-created on each apply.

    Also prunes VaultStaticSecrets that share a name with a VaultDynamicSecret --
    kubectl apply doesn't delete the old resource when a manifest switches kinds,
    and VSO refuses to overwrite a secret owned by a different resource type.

    namespaces: if given, only clean those namespaces; otherwise clean all MANAGED_NS.
    """
    ns_list = namespaces if namespaces is not None else MANAGED_NS
    ok("Cleaning up immutable Jobs and test Pods...")
    for ns in ns_list:
        kube("delete", "jobs", "--all", "-n", ns, "--ignore-not-found", check=False)
        # Query all pods (no phase filter) — CrashLoopBackOff pods report phase=Running
        # so filtering on phase!=Running would silently skip them.
        pods_out = kube_out("get", "pods", "-n", ns,
                            "-o=jsonpath={.items[*].metadata.name}")
        for pod in pods_out.split():
            if pod.endswith(("-test-connection", "-server-test", "-test")):
                kube("delete", "pod", pod, "-n", ns, "--ignore-not-found", check=False)

    # Prune VaultStaticSecrets that were replaced by VaultDynamicSecrets.
    # When a manifest transitions a resource from VSS -> VDS, apply won't delete
    # the old VSS; it just creates the new VDS alongside it. VSO then errors
    # "not the owner" because the K8s secret's ownerRef still points to the VSS.
    ok("Pruning stale VaultStaticSecrets superseded by VaultDynamicSecrets...")
    for ns in ns_list:
        vss_names = set(kube_out(
            "get", "vaultstaticsecret", "-n", ns,
            "-o=jsonpath={.items[*].metadata.name}", "--ignore-not-found",
        ).split())
        vds_names = set(kube_out(
            "get", "vaultdynamicsecret", "-n", ns,
            "-o=jsonpath={.items[*].metadata.name}", "--ignore-not-found",
        ).split())
        for stale in vss_names & vds_names:
            ok(f"  deleting stale VaultStaticSecret {ns}/{stale}")
            kube("delete", "vaultstaticsecret", stale, "-n", ns,
                 "--ignore-not-found", check=False)


def _snapshot_configmaps() -> dict:
    """Return {ns/name: resourceVersion} for all ConfigMaps in managed namespaces."""
    result = {}
    for ns in MANAGED_NS:
        out = kube_out(
            "get", "configmaps", "-n", ns, "--ignore-not-found",
            "-o=jsonpath={range .items[*]}{.metadata.name}={.metadata.resourceVersion}\\n{end}",
        )
        for line in out.splitlines():
            if "=" in line:
                name, rv = line.split("=", 1)
                result[f"{ns}/{name}"] = rv
    return result


def _restart_for_changed_configmaps(before: dict, after: dict):
    """Restart deployments that mount any ConfigMap whose resourceVersion changed."""
    changed_by_ns: dict = {}
    for key, rv in after.items():
        if before.get(key) != rv:
            ns, name = key.split("/", 1)
            changed_by_ns.setdefault(ns, set()).add(name)

    for ns, cm_names in changed_by_ns.items():
        out = kube_out(
            "get", "deployments", "-n", ns, "--ignore-not-found",
            "-o=jsonpath={range .items[*]}{.metadata.name}:"
            "{range .spec.template.spec.volumes[*]}{.configMap.name},{end};{end}",
        )
        for entry in out.split(";"):
            entry = entry.strip()
            if not entry or ":" not in entry:
                continue
            dep, vols = entry.split(":", 1)
            mounted = {v.strip() for v in vols.split(",") if v.strip()}
            if mounted & cm_names:
                ok(f"Restarting {ns}/{dep} (ConfigMap updated)...")
                kube("rollout", "restart", f"deployment/{dep}", "-n", ns, check=False)


def _wait_for_webhook(ns: str, svc: str, timeout: int = 120) -> bool:
    """Poll until a webhook service endpoint exists (signals webhook is ready).

    Returns True if the webhook is ready within timeout seconds.
    """
    ok(f"Waiting for {ns}/{svc} webhook (up to {timeout}s)...")
    deadline = time.time() + timeout
    while time.time() < deadline:
        eps = kube_out("get", "endpoints", svc, "-n", ns,
                       "-o=jsonpath={.subsets[0].addresses[0].ip}", "--ignore-not-found")
        if eps:
            ok(f"  {ns}/{svc} ready.")
            return True
        time.sleep(3)
    warn(f"  {ns}/{svc} not ready after {timeout}s — continuing anyway.")
    return False


def _apply_mkcert_ca_configmap():
    """Create/update gitea-mkcert-ca ConfigMap from the local mkcert root CA.

    Only called in local env. The ConfigMap is mounted into Gitea so Go's TLS
    stack trusts the mkcert wildcard cert when making server-side OIDC calls.
    """
    import subprocess, json
    from pathlib import Path
    caroot = subprocess.run(["mkcert", "-CAROOT"], capture_output=True, text=True).stdout.strip()
    if not caroot:
        warn("mkcert not found — skipping gitea-mkcert-ca ConfigMap.")
        return
    ca_pem = Path(caroot) / "rootCA.pem"
    if not ca_pem.exists():
        warn(f"mkcert root CA not found at {ca_pem} — skipping.")
        return
    cm = json.dumps({
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": "gitea-mkcert-ca", "namespace": "devtools"},
        "data": {"ca.crt": ca_pem.read_text()},
    })
    kube("apply", "--server-side", "-f", "-", input=cm)
    ok("gitea-mkcert-ca ConfigMap applied.")


def _filter_by_namespace(manifests: str, namespace: str) -> str:
    """Return only the YAML documents that belong to the given namespace.

    Also includes the Namespace resource itself (safe to re-apply).
    Uses simple string matching — namespace always appears as 'namespace: <name>'
    in top-level metadata, so this is reliable without a full YAML parser.
    """
    kept = []
    for doc in manifests.split("\n---"):
        doc = doc.strip()
        if not doc:
            continue
        if f"namespace: {namespace}" in doc:
            kept.append(doc)
        elif "kind: Namespace" in doc and f"name: {namespace}" in doc:
            kept.append(doc)
    if not kept:
        return ""
    return "---\n" + "\n---\n".join(kept) + "\n"


def cmd_apply(env: str = "local", domain: str = "", email: str = "", namespace: str = ""):
    """Build kustomize overlay for env, substitute domain/email, kubectl apply.

    Runs a second convergence pass if cert-manager is present in the overlay —
    cert-manager registers a ValidatingWebhook that must be running before
    ClusterIssuer / Certificate resources can be created.
    """
    if env == "production":
        if not domain:
            # Try to discover domain from running cluster
            domain = get_domain()
        if not domain:
            from sunbeam.output import die
            die("--domain is required for production apply on first deploy")
        overlay = REPO_ROOT / "overlays" / "production"
    else:
        ip = get_lima_ip()
        domain = f"{ip}.sslip.io"
        overlay = REPO_ROOT / "overlays" / "local"

    scope = f" [{namespace}]" if namespace else ""
    step(f"Applying manifests (env: {env}, domain: {domain}){scope}...")
    if env == "local":
        _apply_mkcert_ca_configmap()
    ns_list = [namespace] if namespace else None
    pre_apply_cleanup(namespaces=ns_list)
    before = _snapshot_configmaps()
    manifests = kustomize_build(overlay, domain, email=email)

    if namespace:
        manifests = _filter_by_namespace(manifests, namespace)
        if not manifests.strip():
            warn(f"No resources found for namespace '{namespace}' — check the name and try again.")
            return

    # First pass: may emit errors for resources that depend on webhooks not yet running
    # (e.g. cert-manager ClusterIssuer/Certificate), which is expected on first deploy.
    kube("apply", "--server-side", "--force-conflicts", "-f", "-",
         input=manifests, check=False)

    # If cert-manager is in the overlay, wait for its webhook then re-apply
    # so that ClusterIssuer and Certificate resources converge.
    # Skip for partial applies unless the target IS cert-manager.
    cert_manager_present = (overlay / "../../base/cert-manager").resolve().exists()
    if cert_manager_present and not namespace:
        if _wait_for_webhook("cert-manager", "cert-manager-webhook", timeout=120):
            ok("Running convergence pass for cert-manager resources...")
            manifests2 = kustomize_build(overlay, domain, email=email)
            kube("apply", "--server-side", "--force-conflicts", "-f", "-", input=manifests2)

    _restart_for_changed_configmaps(before, _snapshot_configmaps())
    ok("Applied.")
feat: initial sunbeam CLI package stdlib-only Python CLI replacing infrastructure/scripts/sunbeam.py. Verbs: up, down, status, apply, seed, verify, logs, restart, get, build, mirror, bootstrap. Service scoping via ns/name target syntax. Auto-bundled kubectl/kustomize/helm (SHA256-verified, cached in ~/.local/share/sunbeam/bin). 63 unittest tests, all passing. 2026-03-02 20:59:57 +00:00			`"""Manifest build + apply — kustomize overlay with domain substitution."""`
feat(cli): partial apply with namespace filter sunbeam apply [namespace] builds the full kustomize overlay (preserving all image substitutions and patches) then filters the output to only resources in the given namespace before applying. Cleanup and ConfigMap restart detection are also scoped to the target namespace. - manifests.py: _filter_by_namespace(), scoped pre_apply_cleanup() - cli.py: namespace positional arg for apply; meet added to build choices - tests: 17 new tests covering filter logic and CLI dispatch 2026-03-06 12:05:19 +00:00			`import time`
feat: initial sunbeam CLI package stdlib-only Python CLI replacing infrastructure/scripts/sunbeam.py. Verbs: up, down, status, apply, seed, verify, logs, restart, get, build, mirror, bootstrap. Service scoping via ns/name target syntax. Auto-bundled kubectl/kustomize/helm (SHA256-verified, cached in ~/.local/share/sunbeam/bin). 63 unittest tests, all passing. 2026-03-02 20:59:57 +00:00			`from pathlib import Path`

feat(cli): partial apply with namespace filter sunbeam apply [namespace] builds the full kustomize overlay (preserving all image substitutions and patches) then filters the output to only resources in the given namespace before applying. Cleanup and ConfigMap restart detection are also scoped to the target namespace. - manifests.py: _filter_by_namespace(), scoped pre_apply_cleanup() - cli.py: namespace positional arg for apply; meet added to build choices - tests: 17 new tests covering filter logic and CLI dispatch 2026-03-06 12:05:19 +00:00			`from sunbeam.kube import kube, kube_out, kube_ok, kube_apply, kustomize_build, get_lima_ip, get_domain`
feat: initial sunbeam CLI package stdlib-only Python CLI replacing infrastructure/scripts/sunbeam.py. Verbs: up, down, status, apply, seed, verify, logs, restart, get, build, mirror, bootstrap. Service scoping via ns/name target syntax. Auto-bundled kubectl/kustomize/helm (SHA256-verified, cached in ~/.local/share/sunbeam/bin). 63 unittest tests, all passing. 2026-03-02 20:59:57 +00:00			`from sunbeam.output import step, ok, warn`

fix: sunbeam apply and bootstrap reliability manifests.py: fix REPO_ROOT parents index (was 3, needed 2) which caused kustomize overlay lookup to resolve against the wrong directory. tools.py: call ensure_tool("helm") before running kustomize so the bundled helm v3.17.1 is on PATH; system helm v4 dropped the -c flag that kustomize 5.6.0 uses for version detection. gitea.py: pass --must-change-password=false to gitea admin user change-password, removing the separate Postgres UPDATE workaround that was fragile and required a second exec into the CNPG pod. 2026-03-03 00:57:39 +00:00			`REPO_ROOT = Path(__file__).parents[2] / "infrastructure"`
feat(cli): partial apply with namespace filter sunbeam apply [namespace] builds the full kustomize overlay (preserving all image substitutions and patches) then filters the output to only resources in the given namespace before applying. Cleanup and ConfigMap restart detection are also scoped to the target namespace. - manifests.py: _filter_by_namespace(), scoped pre_apply_cleanup() - cli.py: namespace positional arg for apply; meet added to build choices - tests: 17 new tests covering filter logic and CLI dispatch 2026-03-06 12:05:19 +00:00			`MANAGED_NS = ["data", "devtools", "ingress", "lasuite", "media", "monitoring", "ory",`
			`"storage", "vault-secrets-operator"]`
feat: initial sunbeam CLI package stdlib-only Python CLI replacing infrastructure/scripts/sunbeam.py. Verbs: up, down, status, apply, seed, verify, logs, restart, get, build, mirror, bootstrap. Service scoping via ns/name target syntax. Auto-bundled kubectl/kustomize/helm (SHA256-verified, cached in ~/.local/share/sunbeam/bin). 63 unittest tests, all passing. 2026-03-02 20:59:57 +00:00

feat(cli): partial apply with namespace filter sunbeam apply [namespace] builds the full kustomize overlay (preserving all image substitutions and patches) then filters the output to only resources in the given namespace before applying. Cleanup and ConfigMap restart detection are also scoped to the target namespace. - manifests.py: _filter_by_namespace(), scoped pre_apply_cleanup() - cli.py: namespace positional arg for apply; meet added to build choices - tests: 17 new tests covering filter logic and CLI dispatch 2026-03-06 12:05:19 +00:00			`def pre_apply_cleanup(namespaces=None):`
feat: initial sunbeam CLI package stdlib-only Python CLI replacing infrastructure/scripts/sunbeam.py. Verbs: up, down, status, apply, seed, verify, logs, restart, get, build, mirror, bootstrap. Service scoping via ns/name target syntax. Auto-bundled kubectl/kustomize/helm (SHA256-verified, cached in ~/.local/share/sunbeam/bin). 63 unittest tests, all passing. 2026-03-02 20:59:57 +00:00			`"""Delete immutable resources that must be re-created on each apply.`

			`Also prunes VaultStaticSecrets that share a name with a VaultDynamicSecret --`
			`kubectl apply doesn't delete the old resource when a manifest switches kinds,`
			`and VSO refuses to overwrite a secret owned by a different resource type.`
feat(cli): partial apply with namespace filter sunbeam apply [namespace] builds the full kustomize overlay (preserving all image substitutions and patches) then filters the output to only resources in the given namespace before applying. Cleanup and ConfigMap restart detection are also scoped to the target namespace. - manifests.py: _filter_by_namespace(), scoped pre_apply_cleanup() - cli.py: namespace positional arg for apply; meet added to build choices - tests: 17 new tests covering filter logic and CLI dispatch 2026-03-06 12:05:19 +00:00
			`namespaces: if given, only clean those namespaces; otherwise clean all MANAGED_NS.`
feat: initial sunbeam CLI package stdlib-only Python CLI replacing infrastructure/scripts/sunbeam.py. Verbs: up, down, status, apply, seed, verify, logs, restart, get, build, mirror, bootstrap. Service scoping via ns/name target syntax. Auto-bundled kubectl/kustomize/helm (SHA256-verified, cached in ~/.local/share/sunbeam/bin). 63 unittest tests, all passing. 2026-03-02 20:59:57 +00:00			`"""`
feat(cli): partial apply with namespace filter sunbeam apply [namespace] builds the full kustomize overlay (preserving all image substitutions and patches) then filters the output to only resources in the given namespace before applying. Cleanup and ConfigMap restart detection are also scoped to the target namespace. - manifests.py: _filter_by_namespace(), scoped pre_apply_cleanup() - cli.py: namespace positional arg for apply; meet added to build choices - tests: 17 new tests covering filter logic and CLI dispatch 2026-03-06 12:05:19 +00:00			`ns_list = namespaces if namespaces is not None else MANAGED_NS`
feat: initial sunbeam CLI package stdlib-only Python CLI replacing infrastructure/scripts/sunbeam.py. Verbs: up, down, status, apply, seed, verify, logs, restart, get, build, mirror, bootstrap. Service scoping via ns/name target syntax. Auto-bundled kubectl/kustomize/helm (SHA256-verified, cached in ~/.local/share/sunbeam/bin). 63 unittest tests, all passing. 2026-03-02 20:59:57 +00:00			`ok("Cleaning up immutable Jobs and test Pods...")`
feat(cli): partial apply with namespace filter sunbeam apply [namespace] builds the full kustomize overlay (preserving all image substitutions and patches) then filters the output to only resources in the given namespace before applying. Cleanup and ConfigMap restart detection are also scoped to the target namespace. - manifests.py: _filter_by_namespace(), scoped pre_apply_cleanup() - cli.py: namespace positional arg for apply; meet added to build choices - tests: 17 new tests covering filter logic and CLI dispatch 2026-03-06 12:05:19 +00:00			`for ns in ns_list:`
feat: initial sunbeam CLI package stdlib-only Python CLI replacing infrastructure/scripts/sunbeam.py. Verbs: up, down, status, apply, seed, verify, logs, restart, get, build, mirror, bootstrap. Service scoping via ns/name target syntax. Auto-bundled kubectl/kustomize/helm (SHA256-verified, cached in ~/.local/share/sunbeam/bin). 63 unittest tests, all passing. 2026-03-02 20:59:57 +00:00			`kube("delete", "jobs", "--all", "-n", ns, "--ignore-not-found", check=False)`
			`# Query all pods (no phase filter) — CrashLoopBackOff pods report phase=Running`
			`# so filtering on phase!=Running would silently skip them.`
			`pods_out = kube_out("get", "pods", "-n", ns,`
			`"-o=jsonpath={.items[*].metadata.name}")`
			`for pod in pods_out.split():`
			`if pod.endswith(("-test-connection", "-server-test", "-test")):`
			`kube("delete", "pod", pod, "-n", ns, "--ignore-not-found", check=False)`

			`# Prune VaultStaticSecrets that were replaced by VaultDynamicSecrets.`
			`# When a manifest transitions a resource from VSS -> VDS, apply won't delete`
			`# the old VSS; it just creates the new VDS alongside it. VSO then errors`
			`# "not the owner" because the K8s secret's ownerRef still points to the VSS.`
			`ok("Pruning stale VaultStaticSecrets superseded by VaultDynamicSecrets...")`
feat(cli): partial apply with namespace filter sunbeam apply [namespace] builds the full kustomize overlay (preserving all image substitutions and patches) then filters the output to only resources in the given namespace before applying. Cleanup and ConfigMap restart detection are also scoped to the target namespace. - manifests.py: _filter_by_namespace(), scoped pre_apply_cleanup() - cli.py: namespace positional arg for apply; meet added to build choices - tests: 17 new tests covering filter logic and CLI dispatch 2026-03-06 12:05:19 +00:00			`for ns in ns_list:`
feat: initial sunbeam CLI package stdlib-only Python CLI replacing infrastructure/scripts/sunbeam.py. Verbs: up, down, status, apply, seed, verify, logs, restart, get, build, mirror, bootstrap. Service scoping via ns/name target syntax. Auto-bundled kubectl/kustomize/helm (SHA256-verified, cached in ~/.local/share/sunbeam/bin). 63 unittest tests, all passing. 2026-03-02 20:59:57 +00:00			`vss_names = set(kube_out(`
			`"get", "vaultstaticsecret", "-n", ns,`
			`"-o=jsonpath={.items[*].metadata.name}", "--ignore-not-found",`
			`).split())`
			`vds_names = set(kube_out(`
			`"get", "vaultdynamicsecret", "-n", ns,`
			`"-o=jsonpath={.items[*].metadata.name}", "--ignore-not-found",`
			`).split())`
			`for stale in vss_names & vds_names:`
			`ok(f" deleting stale VaultStaticSecret {ns}/{stale}")`
			`kube("delete", "vaultstaticsecret", stale, "-n", ns,`
			`"--ignore-not-found", check=False)`


feat: auto-restart deployments on ConfigMap change after sunbeam apply Snapshot ConfigMap resourceVersions before and after kubectl apply. For any ConfigMap whose resourceVersion changed, find all Deployments in the same namespace that mount it as a volume and issue a rollout restart. Eliminates the need to manually restart pods after editing ConfigMaps (e.g. services.json, nginx configs). 2026-03-03 16:09:04 +00:00			`def _snapshot_configmaps() -> dict:`
			`"""Return {ns/name: resourceVersion} for all ConfigMaps in managed namespaces."""`
			`result = {}`
			`for ns in MANAGED_NS:`
			`out = kube_out(`
			`"get", "configmaps", "-n", ns, "--ignore-not-found",`
			`"-o=jsonpath={range .items[*]}{.metadata.name}={.metadata.resourceVersion}\\n{end}",`
			`)`
			`for line in out.splitlines():`
			`if "=" in line:`
			`name, rv = line.split("=", 1)`
			`result[f"{ns}/{name}"] = rv`
			`return result`


			`def _restart_for_changed_configmaps(before: dict, after: dict):`
			`"""Restart deployments that mount any ConfigMap whose resourceVersion changed."""`
			`changed_by_ns: dict = {}`
			`for key, rv in after.items():`
			`if before.get(key) != rv:`
			`ns, name = key.split("/", 1)`
			`changed_by_ns.setdefault(ns, set()).add(name)`

			`for ns, cm_names in changed_by_ns.items():`
			`out = kube_out(`
			`"get", "deployments", "-n", ns, "--ignore-not-found",`
			`"-o=jsonpath={range .items[*]}{.metadata.name}:"`
			`"{range .spec.template.spec.volumes[*]}{.configMap.name},{end};{end}",`
			`)`
			`for entry in out.split(";"):`
			`entry = entry.strip()`
			`if not entry or ":" not in entry:`
			`continue`
			`dep, vols = entry.split(":", 1)`
			`mounted = {v.strip() for v in vols.split(",") if v.strip()}`
			`if mounted & cm_names:`
			`ok(f"Restarting {ns}/{dep} (ConfigMap updated)...")`
			`kube("rollout", "restart", f"deployment/{dep}", "-n", ns, check=False)`


feat(cli): partial apply with namespace filter sunbeam apply [namespace] builds the full kustomize overlay (preserving all image substitutions and patches) then filters the output to only resources in the given namespace before applying. Cleanup and ConfigMap restart detection are also scoped to the target namespace. - manifests.py: _filter_by_namespace(), scoped pre_apply_cleanup() - cli.py: namespace positional arg for apply; meet added to build choices - tests: 17 new tests covering filter logic and CLI dispatch 2026-03-06 12:05:19 +00:00			`def _wait_for_webhook(ns: str, svc: str, timeout: int = 120) -> bool:`
			`"""Poll until a webhook service endpoint exists (signals webhook is ready).`

			`Returns True if the webhook is ready within timeout seconds.`
			`"""`
			`ok(f"Waiting for {ns}/{svc} webhook (up to {timeout}s)...")`
			`deadline = time.time() + timeout`
			`while time.time() < deadline:`
			`eps = kube_out("get", "endpoints", svc, "-n", ns,`
			`"-o=jsonpath={.subsets[0].addresses[0].ip}", "--ignore-not-found")`
			`if eps:`
			`ok(f" {ns}/{svc} ready.")`
			`return True`
			`time.sleep(3)`
			`warn(f" {ns}/{svc} not ready after {timeout}s — continuing anyway.")`
			`return False`


			`def _apply_mkcert_ca_configmap():`
			`"""Create/update gitea-mkcert-ca ConfigMap from the local mkcert root CA.`

			`Only called in local env. The ConfigMap is mounted into Gitea so Go's TLS`
			`stack trusts the mkcert wildcard cert when making server-side OIDC calls.`
			`"""`
			`import subprocess, json`
			`from pathlib import Path`
			`caroot = subprocess.run(["mkcert", "-CAROOT"], capture_output=True, text=True).stdout.strip()`
			`if not caroot:`
			`warn("mkcert not found — skipping gitea-mkcert-ca ConfigMap.")`
			`return`
			`ca_pem = Path(caroot) / "rootCA.pem"`
			`if not ca_pem.exists():`
			`warn(f"mkcert root CA not found at {ca_pem} — skipping.")`
			`return`
			`cm = json.dumps({`
			`"apiVersion": "v1",`
			`"kind": "ConfigMap",`
			`"metadata": {"name": "gitea-mkcert-ca", "namespace": "devtools"},`
			`"data": {"ca.crt": ca_pem.read_text()},`
			`})`
			`kube("apply", "--server-side", "-f", "-", input=cm)`
			`ok("gitea-mkcert-ca ConfigMap applied.")`


			`def _filter_by_namespace(manifests: str, namespace: str) -> str:`
			`"""Return only the YAML documents that belong to the given namespace.`

			`Also includes the Namespace resource itself (safe to re-apply).`
			`Uses simple string matching — namespace always appears as 'namespace: <name>'`
			`in top-level metadata, so this is reliable without a full YAML parser.`
			`"""`
			`kept = []`
			`for doc in manifests.split("\n---"):`
			`doc = doc.strip()`
			`if not doc:`
			`continue`
			`if f"namespace: {namespace}" in doc:`
			`kept.append(doc)`
			`elif "kind: Namespace" in doc and f"name: {namespace}" in doc:`
			`kept.append(doc)`
			`if not kept:`
			`return ""`
			`return "---\n" + "\n---\n".join(kept) + "\n"`


			`def cmd_apply(env: str = "local", domain: str = "", email: str = "", namespace: str = ""):`
			`"""Build kustomize overlay for env, substitute domain/email, kubectl apply.`

			`Runs a second convergence pass if cert-manager is present in the overlay —`
			`cert-manager registers a ValidatingWebhook that must be running before`
			`ClusterIssuer / Certificate resources can be created.`
			`"""`
			`if env == "production":`
			`if not domain:`
			`# Try to discover domain from running cluster`
			`domain = get_domain()`
			`if not domain:`
			`from sunbeam.output import die`
			`die("--domain is required for production apply on first deploy")`
			`overlay = REPO_ROOT / "overlays" / "production"`
			`else:`
			`ip = get_lima_ip()`
			`domain = f"{ip}.sslip.io"`
			`overlay = REPO_ROOT / "overlays" / "local"`

			`scope = f" [{namespace}]" if namespace else ""`
			`step(f"Applying manifests (env: {env}, domain: {domain}){scope}...")`
			`if env == "local":`
			`_apply_mkcert_ca_configmap()`
			`ns_list = [namespace] if namespace else None`
			`pre_apply_cleanup(namespaces=ns_list)`
feat: auto-restart deployments on ConfigMap change after sunbeam apply Snapshot ConfigMap resourceVersions before and after kubectl apply. For any ConfigMap whose resourceVersion changed, find all Deployments in the same namespace that mount it as a volume and issue a rollout restart. Eliminates the need to manually restart pods after editing ConfigMaps (e.g. services.json, nginx configs). 2026-03-03 16:09:04 +00:00			`before = _snapshot_configmaps()`
feat(cli): partial apply with namespace filter sunbeam apply [namespace] builds the full kustomize overlay (preserving all image substitutions and patches) then filters the output to only resources in the given namespace before applying. Cleanup and ConfigMap restart detection are also scoped to the target namespace. - manifests.py: _filter_by_namespace(), scoped pre_apply_cleanup() - cli.py: namespace positional arg for apply; meet added to build choices - tests: 17 new tests covering filter logic and CLI dispatch 2026-03-06 12:05:19 +00:00			`manifests = kustomize_build(overlay, domain, email=email)`

			`if namespace:`
			`manifests = _filter_by_namespace(manifests, namespace)`
			`if not manifests.strip():`
			`warn(f"No resources found for namespace '{namespace}' — check the name and try again.")`
			`return`

			`# First pass: may emit errors for resources that depend on webhooks not yet running`
			`# (e.g. cert-manager ClusterIssuer/Certificate), which is expected on first deploy.`
			`kube("apply", "--server-side", "--force-conflicts", "-f", "-",`
			`input=manifests, check=False)`

			`# If cert-manager is in the overlay, wait for its webhook then re-apply`
			`# so that ClusterIssuer and Certificate resources converge.`
			`# Skip for partial applies unless the target IS cert-manager.`
			`cert_manager_present = (overlay / "../../base/cert-manager").resolve().exists()`
			`if cert_manager_present and not namespace:`
			`if _wait_for_webhook("cert-manager", "cert-manager-webhook", timeout=120):`
			`ok("Running convergence pass for cert-manager resources...")`
			`manifests2 = kustomize_build(overlay, domain, email=email)`
			`kube("apply", "--server-side", "--force-conflicts", "-f", "-", input=manifests2)`

feat: auto-restart deployments on ConfigMap change after sunbeam apply Snapshot ConfigMap resourceVersions before and after kubectl apply. For any ConfigMap whose resourceVersion changed, find all Deployments in the same namespace that mount it as a volume and issue a rollout restart. Eliminates the need to manually restart pods after editing ConfigMaps (e.g. services.json, nginx configs). 2026-03-03 16:09:04 +00:00			`_restart_for_changed_configmaps(before, _snapshot_configmaps())`
feat: initial sunbeam CLI package stdlib-only Python CLI replacing infrastructure/scripts/sunbeam.py. Verbs: up, down, status, apply, seed, verify, logs, restart, get, build, mirror, bootstrap. Service scoping via ns/name target syntax. Auto-bundled kubectl/kustomize/helm (SHA256-verified, cached in ~/.local/share/sunbeam/bin). 63 unittest tests, all passing. 2026-03-02 20:59:57 +00:00			`ok("Applied.")`