kube_cluster 0.2.0 → 0.3.0

data/lib/kube/cluster/middleware/pod_anti_affinity.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+module Kube
+  module Cluster
+    class Middleware
+      # Injects soft pod anti-affinity on pod-bearing resources so
+      # that pods prefer to spread across nodes.
+      #
+      # The anti-affinity uses the resource's own +matchLabels+ from
+      # +spec.selector.matchLabels+ as the label selector, and
+      # +kubernetes.io/hostname+ as the topology key.
+      #
+      # Resources that already have +spec.template.spec.affinity+
+      # set are left untouched.
+      #
+      #   stack do
+      #     use Middleware::PodAntiAffinity
+      #     use Middleware::PodAntiAffinity, topology_key: "topology.kubernetes.io/zone"
+      #   end
+      #
+      class PodAntiAffinity < Middleware
+        def initialize(topology_key: "kubernetes.io/hostname", weight: 1)
+          @topology_key = topology_key
+          @weight = weight
+        end
+
+        def call(manifest)
+          manifest.resources.map! do |resource|
+            next resource unless resource.pod_bearing?
+
+            h = resource.to_h
+            pod_spec = resource.pod_template(h)
+            next resource unless pod_spec
+
+            # Don't overwrite existing affinity configuration.
+            next resource if pod_spec[:affinity]
+
+            match_labels = h.dig(:spec, :selector, :matchLabels)
+            next resource unless match_labels && !match_labels.empty?
+
+            pod_spec[:affinity] = {
+              podAntiAffinity: {
+                preferredDuringSchedulingIgnoredDuringExecution: [
+                  {
+                    weight: @weight,
+                    podAffinityTerm: {
+                      labelSelector: { matchLabels: match_labels },
+                      topologyKey: @topology_key,
+                    },
+                  },
+                ],
+              },
+            }
+
+            resource.rebuild(h)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/kube/cluster/middleware/resource_preset.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+module Kube
+  module Cluster
+    class Middleware
+      # Reads the +app.kubernetes.io/size+ label from pod-bearing
+      # resources and injects CPU/memory requests and limits into
+      # every container.
+      #
+      # The label on the resource is the input:
+      #
+      #   Kube::Cluster["Deployment"].new {
+      #     metadata.labels = { "app.kubernetes.io/size": "small" }
+      #     ...
+      #   }
+      #
+      # Register in the stack — no arguments needed:
+      #
+      #   stack do
+      #     use Middleware::ResourcePreset
+      #   end
+      #
+      # Available sizes: nano, micro, small, medium, large, xlarge, 2xlarge.
+      # Limits are ~1.5x requests (following Bitnami conventions).
+      #
+      class ResourcePreset < Middleware
+        LABEL = :"app.kubernetes.io/size"
+
+        PRESETS = {
+          "nano"    => { requests: { cpu: "100m",  memory: "128Mi"  }, limits: { cpu: "150m",  memory: "192Mi"  } },
+          "micro"   => { requests: { cpu: "250m",  memory: "256Mi"  }, limits: { cpu: "375m",  memory: "384Mi"  } },
+          "small"   => { requests: { cpu: "500m",  memory: "512Mi"  }, limits: { cpu: "750m",  memory: "768Mi"  } },
+          "medium"  => { requests: { cpu: "500m",  memory: "1024Mi" }, limits: { cpu: "750m",  memory: "1536Mi" } },
+          "large"   => { requests: { cpu: "1",     memory: "2048Mi" }, limits: { cpu: "1.5",   memory: "3072Mi" } },
+          "xlarge"  => { requests: { cpu: "1",     memory: "3072Mi" }, limits: { cpu: "3",     memory: "6144Mi" } },
+          "2xlarge" => { requests: { cpu: "1",     memory: "3072Mi" }, limits: { cpu: "6",     memory: "12288Mi" } },
+        }.freeze
+
+        def call(manifest)
+          manifest.resources.map! do |resource|
+            size = resource.label(LABEL)
+            next resource unless size
+            next resource unless resource.pod_bearing?
+
+            preset = PRESETS.fetch(size.to_s) do
+              raise ArgumentError, "Unknown size preset: #{size.inspect}. " \
+                "Valid sizes: #{PRESETS.keys.join(', ')}"
+            end
+
+            h = resource.to_h
+            pod_spec = resource.pod_template(h)
+            next resource unless pod_spec
+
+            resource.each_container(pod_spec) do |container|
+              container[:resources] = deep_merge(preset, container[:resources] || {})
+            end
+
+            resource.rebuild(h)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/kube/cluster/middleware/security_context.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+module Kube
+  module Cluster
+    class Middleware
+      # Injects pod and container security contexts on pod-bearing resources.
+      #
+      # Reads the +app.kubernetes.io/security+ label. When the label
+      # is absent, the middleware applies the default profile.
+      #
+      #   Kube::Cluster["Deployment"].new {
+      #     metadata.labels = { "app.kubernetes.io/security": "restricted" }
+      #     ...
+      #   }
+      #
+      # Available profiles: +restricted+ (default), +baseline+.
+      #
+      #   stack do
+      #     use Middleware::SecurityContext                      # default: restricted
+      #     use Middleware::SecurityContext, default: :baseline  # change default
+      #   end
+      #
+      class SecurityContext < Middleware
+        LABEL = :"app.kubernetes.io/security"
+
+        PROFILES = {
+          "restricted" => {
+            pod: {
+              runAsNonRoot: true,
+              runAsUser:    1000,
+              runAsGroup:   1000,
+              fsGroup:      1000,
+              seccompProfile: { type: "RuntimeDefault" },
+            },
+            container: {
+              allowPrivilegeEscalation: false,
+              readOnlyRootFilesystem:   true,
+              capabilities:             { drop: ["ALL"] },
+            },
+          },
+          "baseline" => {
+            pod: {
+              runAsNonRoot: true,
+              runAsUser:    1000,
+              runAsGroup:   1000,
+              fsGroup:      1000,
+            },
+            container: {
+              allowPrivilegeEscalation: false,
+            },
+          },
+        }.freeze
+
+        def initialize(default: :restricted)
+          @default = default.to_s
+        end
+
+        def call(manifest)
+          manifest.resources.map! do |resource|
+            next resource unless resource.pod_bearing?
+
+            profile_name = resource.label(LABEL) || @default
+            profile = PROFILES.fetch(profile_name.to_s) do
+              raise ArgumentError, "Unknown security profile: #{profile_name.inspect}. " \
+                "Valid profiles: #{PROFILES.keys.join(', ')}"
+            end
+
+            h = resource.to_h
+            pod_spec = resource.pod_template(h)
+            next resource unless pod_spec
+
+            pod_spec[:securityContext] = deep_merge(profile[:pod], pod_spec[:securityContext] || {})
+
+            resource.each_container(pod_spec) do |container|
+              container[:securityContext] = deep_merge(profile[:container], container[:securityContext] || {})
+            end
+
+            resource.rebuild(h)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/kube/cluster/middleware/service_for_deployment.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+module Kube
+  module Cluster
+    class Middleware
+      # Generates a Service for every pod-bearing resource that has
+      # containers with named ports.
+      #
+      # The generated Service uses +spec.selector.matchLabels+ from
+      # the source resource and maps each named container port.
+      #
+      # Labels and namespace are copied from the source resource, so
+      # subsequent middleware (Labels, Namespace, etc.) will also
+      # apply to the generated Service.
+      #
+      #   stack do
+      #     use Middleware::ServiceForDeployment
+      #   end
+      #
+      class ServiceForDeployment < Middleware
+        def call(manifest)
+          generated = []
+
+          manifest.resources.each do |resource|
+            next unless resource.pod_bearing?
+
+            h = resource.to_h
+            ports = extract_ports(resource, h)
+            next if ports.empty?
+
+            match_labels = h.dig(:spec, :selector, :matchLabels)
+            next unless match_labels && !match_labels.empty?
+
+            generated << Kube::Cluster["Service"].new {
+              metadata.name      = h.dig(:metadata, :name)
+              metadata.namespace = h.dig(:metadata, :namespace) if h.dig(:metadata, :namespace)
+              metadata.labels    = h.dig(:metadata, :labels) || {}
+
+              spec.selector = match_labels
+              spec.ports = ports.map { |p|
+                {
+                  name:       p[:name],
+                  port:       p[:containerPort],
+                  targetPort: p[:name],
+                  protocol:   p.fetch(:protocol, "TCP"),
+                }
+              }
+            }
+          end
+
+          manifest.resources.concat(generated)
+        end
+
+        private
+
+          def extract_ports(resource, hash)
+            pod_spec = resource.pod_template(hash)
+            return [] unless pod_spec
+
+            ports = []
+            resource.each_container(pod_spec) do |container|
+              Array(container[:ports]).each do |port|
+                ports << port if port[:name]
+              end
+            end
+            ports
+          end
+      end
+    end
+  end
+end

data/lib/kube/cluster/middleware/stack.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Kube
+  module Cluster
+    class Middleware
+      # An ordered pipeline of middleware that processes a manifest.
+      # Each middleware receives the manifest and mutates it in place.
+      #
+      #   stack = Kube::Cluster::Middleware::Stack.new do
+      #     use Middleware::ServiceForDeployment
+      #     use Middleware::Labels, app: "web"
+      #     use Middleware::Namespace, "production"
+      #   end
+      #
+      #   stack.call(manifest)
+      #
+      class Stack
+        def initialize(&block)
+          @middleware = []
+          instance_eval(&block) if block
+        end
+
+        # Register a middleware class with optional positional and keyword arguments.
+        def use(klass, *args, **kwargs)
+          @middleware << [klass, args, kwargs]
+        end
+
+        # Run the manifest through every middleware in order.
+        # Each middleware mutates the manifest in place.
+        def call(manifest)
+          @middleware.each do |klass, args, kwargs|
+            klass.new(*args, **kwargs).call(manifest)
+          end
+        end
+
+        # True when no middleware has been registered.
+        def empty?
+          @middleware.empty?
+        end
+      end
+    end
+  end
+end

data/lib/kube/cluster/middleware.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+require_relative "middleware/stack"
+require_relative "middleware/namespace"
+require_relative "middleware/labels"
+require_relative "middleware/annotations"
+require_relative "middleware/resource_preset"
+require_relative "middleware/security_context"
+require_relative "middleware/pod_anti_affinity"
+require_relative "middleware/service_for_deployment"
+require_relative "middleware/ingress_for_service"
+require_relative "middleware/hpa_for_deployment"
+
+module Kube
+  module Cluster
+    # Base class for manifest middleware.
+    #
+    # Middleware receives the full manifest and mutates it in place.
+    # Each middleware is responsible for iterating resources as needed.
+    #
+    # Transform example:
+    #
+    #   class AddTeamLabel < Middleware
+    #     def call(manifest)
+    #       manifest.resources.map! do |resource|
+    #         h = resource.to_h
+    #         h[:metadata][:labels][:"app.kubernetes.io/team"] = "platform"
+    #         resource.rebuild(h)
+    #       end
+    #     end
+    #   end
+    #
+    # Generative example:
+    #
+    #   class ServiceForDeployment < Middleware
+    #     def call(manifest)
+    #       generated = []
+    #       manifest.resources.each do |resource|
+    #         next unless resource.pod_bearing?
+    #         generated << build_service_from(resource)
+    #       end
+    #       manifest.resources.concat(generated)
+    #     end
+    #   end
+    #
+    class Middleware
+      def initialize(**opts)
+        @opts = opts
+      end
+
+      # Override in subclasses. Receives the full manifest,
+      # mutates it in place.
+      def call(manifest)
+      end
+
+      private
+
+        def deep_merge(base, overlay)
+          base.merge(overlay) do |_key, old_val, new_val|
+            if old_val.is_a?(Hash) && new_val.is_a?(Hash)
+              deep_merge(old_val, new_val)
+            else
+              new_val
+            end
+          end
+        end
+    end
+  end
+end

data/lib/kube/cluster/resource/dirty_tracking.rb

@@ -0,0 +1,113 @@
+# frozen_string_literal: true
+
+module Kube
+  module Cluster
+    class Resource < Kube::Schema::Resource
+      module DirtyTracking
+        def changed?
+          to_h != @clean
+        end
+
+        def changed
+          diff_keys(to_h, @clean)
+        end
+
+        def changes
+          build_changes(to_h, @clean)
+        end
+
+        def changes_applied
+          snapshot!
+        end
+
+        # Data suitable for a strategic-merge patch: only the
+        # keys/sub-trees that differ from the clean snapshot.
+        def patch_data
+          deep_diff(to_h, @clean)
+        end
+
+        def respond_to_missing?(name, include_private = false)
+          if name.end_with?("_changed?")
+            true
+          else
+            super
+          end
+        end
+
+        def method_missing(name, *args, &block)
+          if name.end_with?("_changed?")
+            attr = name.to_s.delete_suffix("_changed?").to_sym
+            old_val = @clean[attr]
+            new_val = to_h[attr]
+            old_val != new_val
+          else
+            super
+          end
+        end
+
+        private
+
+          def snapshot!
+            @clean = deep_dup(to_h)
+          end
+
+          def deep_diff(current, original)
+            Hash.new.tap do |result|
+              merged_keys = current.keys | original.keys
+            
+              merged_keys.each do |key|
+                cur_val  = current[key]
+                orig_val = original[key]
+            
+                if cur_val.is_a?(Hash) && orig_val.is_a?(Hash)
+                  nested = deep_diff(cur_val, orig_val)
+
+                  if nested.empty?
+                    next
+                  else
+                    result[key] = nested 
+                  end
+                elsif cur_val != orig_val
+                  result[key] = [orig_val, cur_val]
+                end
+              end
+            end
+          end
+
+          def diff_keys(current, original)
+            Set.new.tap do |keys|
+              merged_keys = (current.keys | original.keys)
+
+              merged_keys.each do |key|
+                if current[key] != original[key]
+                  keys << key 
+                end
+              end
+            end.to_a
+          end
+
+          def build_changes(current, original)
+            Hash.new.tap do |hash|
+              merged_keys = current.keys | original.keys
+
+              merged_keys.each do |key|
+                if current[key] == original[key]
+                  next
+                else
+                  hash[key] = [original[key], current[key]]
+                end
+              end
+            end
+          end
+
+          def deep_dup(obj)
+            case obj
+            when Hash  then obj.each_with_object({}) { |(k, v), h| h[k] = deep_dup(v) }
+            when Array then obj.map { |v| deep_dup(v) }
+            else obj
+            end
+          end
+      end
+    end
+  end
+end

data/lib/kube/cluster/resource/persistence.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require "json"
+require "open3"
+
+module Kube
+  module Cluster
+    class Resource < Kube::Schema::Resource
+      module Persistence
+        def apply
+          JSON.generate(deep_stringify_keys(to_h)).then do |json|
+            kubectl("apply", "-f", "-", stdin: json)
+            reload
+            true
+          end
+        end
+
+        def patch(type: "strategic")
+          if persisted?
+            diff = patch_data
+
+            if diff.empty?
+              false
+            else
+              json = JSON.generate(deep_stringify_keys(diff))
+              kubectl("patch", resource_type, name, *ns_flags, "--type", type, "-p", json)
+              reload
+              true
+            end
+          else
+            raise Kube::CommandError, "cannot patch a resource without a name"
+          end
+        end
+
+        def delete
+          if persisted?
+            kubectl("delete", resource_type, name, *ns_flags)
+            true
+          else
+            raise Kube::CommandError, "cannot delete a resource without a name"
+          end
+        end
+
+        def reload
+          if persisted?
+            tap do
+              kubectl("get", resource_type, name, *ns_flags, "-o", "json").then do |json|
+                JSON.parse(json).then do |hash|
+                  @data = BlackHoleStruct.new(hash)
+                  snapshot!
+                end
+              end
+            end
+          else
+            raise Kube::CommandError, "cannot reload a resource without a name"
+          end
+        end
+
+        private
+
+          def kubectl(*args)
+            @cluster.connection.ctl.run(args.join(" "))
+          end
+      end
+    end
+  end
+end

data/lib/kube/cluster/resource.rb

@@ -0,0 +1,99 @@
+# frozen_string_literal: true
+
+require_relative "resource/dirty_tracking"
+require_relative "resource/persistence"
+
+module Kube
+  module Cluster
+    class Resource < Kube::Schema::Resource
+      include DirtyTracking
+      include Persistence
+
+      attr_accessor :cluster
+
+      POD_BEARING_KINDS = %w[
+        Deployment
+        StatefulSet
+        DaemonSet
+        Job
+        CronJob
+        ReplicaSet
+      ].freeze
+
+      CLUSTER_SCOPED_KINDS = %w[
+        Namespace
+        ClusterRole
+        ClusterRoleBinding
+        PersistentVolume
+        StorageClass
+        IngressClass
+        CustomResourceDefinition
+        PriorityClass
+        RuntimeClass
+        VolumeAttachment
+        CSIDriver
+        CSINode
+      ].freeze
+
+      def initialize(hash = {}, &block)
+        @cluster = hash.delete(:cluster)
+        super
+        snapshot!
+      end
+
+      # Build a new resource of the same schema subclass from a hash.
+      def rebuild(hash)
+        self.class.new(hash)
+      end
+
+      # Read a label value from the resource.
+      def label(key)
+        labels = to_h.dig(:metadata, :labels) || {}
+        labels[key.to_sym] || labels[key.to_s]
+      end
+
+      # Read an annotation value from the resource.
+      def annotation(key)
+        annotations = to_h.dig(:metadata, :annotations) || {}
+        annotations[key.to_sym] || annotations[key.to_s]
+      end
+
+      # The resource kind as a String (e.g. "Deployment").
+      def kind
+        h = to_h
+        (h[:kind] || h["kind"]).to_s
+      end
+
+      # Is this a resource that contains a pod template?
+      def pod_bearing?
+        POD_BEARING_KINDS.include?(kind)
+      end
+
+      # Is this a cluster-scoped resource (no namespace)?
+      def cluster_scoped?
+        CLUSTER_SCOPED_KINDS.include?(kind)
+      end
+
+      # Returns the pod template spec path from a resource hash,
+      # accounting for CronJob's extra nesting.
+      def pod_template(hash)
+        if (hash[:kind] || hash["kind"]).to_s == "CronJob"
+          hash.dig(:spec, :jobTemplate, :spec, :template, :spec)
+        else
+          hash.dig(:spec, :template, :spec)
+        end
+      end
+
+      # Walk every container list in a pod spec (containers,
+      # initContainers) and yield each container hash.
+      def each_container(pod_spec, &block)
+        return unless pod_spec
+
+        [:containers, :initContainers].each do |key|
+          Array(pod_spec[key]).each(&block)
+        end
+      end
+
+    end
+  end
+end

data/lib/kube/cluster/version.rb

@@ -2,6 +2,6 @@
 
 module Kube
   module Cluster
-    VERSION = "0.2.0"
+    VERSION = "0.3.0"
   end
 end