pangea-kubernetes 0.1.0

data/lib/pangea/kubernetes/architecture.rb

@@ -0,0 +1,383 @@
+# frozen_string_literal: true
+
+# Copyright 2025 The Pangea Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'pangea/contracts'
+require 'pangea/kubernetes/types'
+require 'pangea/kubernetes/backend_registry'
+require 'pangea/kubernetes/backends/base'
+
+module Pangea
+  module Kubernetes
+    # Cloud-agnostic Kubernetes architecture module.
+    # Provides kubernetes_cluster() and kubernetes_node_pool() functions
+    # that delegate to provider-specific backends.
+    #
+    # This module is designed to be included in a synthesizer context
+    # (AbstractSynthesizer or TerraformSynthesizer).
+    #
+    # @example
+    #   class MyInfra < TerraformSynthesizer
+    #     include Pangea::Kubernetes::Architecture
+    #
+    #     def build
+    #       kubernetes_cluster(:production, {
+    #         backend: :aws,
+    #         kubernetes_version: '1.29',
+    #         region: 'us-east-1',
+    #         node_pools: [
+    #           { name: :system, instance_types: ['t3.large'], min_size: 2, max_size: 5 }
+    #         ]
+    #       })
+    #     end
+    #   end
+    module Architecture
+      # Create a complete Kubernetes cluster with all supporting infrastructure.
+      #
+      # Phase pipeline: Network -> IAM -> Cluster -> Node Pools -> Addons
+      #
+      # @param name [Symbol] Architecture name
+      # @param attributes [Hash] Cluster configuration (see Types::ClusterConfig)
+      # @return [ArchitectureResult] with cluster, node_pools, network, iam references
+      def kubernetes_cluster(name, attributes = {})
+        # VPN config comes in two forms:
+        # 1. Typed (VpnConfig with :links) — validated by dry-struct, used by NixOS backends
+        # 2. Cloud-init passthrough (flat hash with :interface, :port, etc.) — passed
+        #    as-is to cloud-init for AWS/cloud backends where the node configures WireGuard
+        # Both are legitimate. Only validate if the hash has :links (typed form).
+
+        config = Types::ClusterConfig.new(attributes)
+        backend_module = BackendRegistry.resolve(config.backend)
+        backend_module.load_provider!
+
+        base_tags = {
+          KubernetesCluster: name.to_s,
+          Backend: config.backend.to_s,
+          ManagedBy: 'Pangea'
+        }.merge(config.tags)
+
+        result = ArchitectureResult.new(name, config)
+
+        # Phase 1: Network
+        # Pre-built network takes priority (e.g., SecureVpc from pangea-architectures).
+        # When external_network is set, skip backend's create_network entirely.
+        if config.external_network
+          result.network = config.external_network
+        elsif config.network
+          result.network = backend_module.create_network(self, name, config, base_tags)
+        end
+
+        # Phase 2: IAM
+        result.iam = backend_module.create_iam(self, name, config, base_tags)
+
+        # Phase 3: Cluster
+        result.cluster = backend_module.create_cluster(self, name, config, result, base_tags)
+
+        # Phase 4: Node Pools
+        config.node_pools.each do |pool_config|
+          pool_ref = backend_module.create_node_pool(self, name, result.cluster, pool_config, base_tags)
+          result.add_node_pool(pool_config.name, pool_ref)
+        end
+
+        result
+      end
+
+      # Create a standalone node pool for an existing cluster.
+      #
+      # @param cluster_name [Symbol] Parent cluster name
+      # @param pool_name [Symbol] Node pool name
+      # @param attributes [Hash] Node pool configuration
+      # @param cluster_ref [ResourceReference] Reference to existing cluster
+      # @param backend [Symbol] Backend name (:aws, :gcp, :azure, :hcloud)
+      # @return [ResourceReference] Node pool reference
+      def kubernetes_node_pool(cluster_name, pool_name, attributes = {}, cluster_ref:, backend:, tags: {})
+        pool_config = Types::NodePoolConfig.new(attributes.merge(name: pool_name))
+        backend_module = BackendRegistry.resolve(backend)
+        backend_module.load_provider!
+
+        base_tags = {
+          KubernetesCluster: cluster_name.to_s,
+          Backend: backend.to_s,
+          ManagedBy: 'Pangea'
+        }.merge(tags)
+
+        backend_module.create_node_pool(self, cluster_name, cluster_ref, pool_config, base_tags)
+      end
+
+      # AWS-specific NetworkResult — extends the base contract with AWS fields.
+      # is_a?(Pangea::Contracts::NetworkResult) returns true.
+      class NetworkResult < Pangea::Contracts::NetworkResult
+        attr_accessor :igw, :route_table, :etcd_bucket,
+                      :flow_log, :flow_log_role,
+                      :ssm_logs_bucket,
+                      :kms_key,
+                      :persistent_state_volume
+
+        def initialize
+          super
+          @igw = nil
+          @route_table = nil
+          @etcd_bucket = nil
+          @flow_log = nil
+          @flow_log_role = nil
+          @ssm_logs_bucket = nil
+          @kms_key = nil
+          @persistent_state_volume = nil
+        end
+
+        def [](key)
+          case key.to_sym
+          when :igw then igw
+          when :route_table then route_table
+          when :etcd_bucket then etcd_bucket
+          when :flow_log then flow_log
+          when :flow_log_role then flow_log_role
+          when :ssm_logs_bucket then ssm_logs_bucket
+          when :kms_key then kms_key
+          when :persistent_state_volume then persistent_state_volume
+          else super
+          end
+        end
+
+        def to_h
+          hash = super
+          hash[:igw] = igw if igw
+          hash[:route_table] = route_table if route_table
+          hash[:etcd_bucket] = etcd_bucket if etcd_bucket
+          hash[:flow_log] = flow_log if flow_log
+          hash[:flow_log_role] = flow_log_role if flow_log_role
+          hash[:ssm_logs_bucket] = ssm_logs_bucket if ssm_logs_bucket
+          hash[:kms_key] = kms_key if kms_key
+          hash[:persistent_state_volume] = persistent_state_volume if persistent_state_volume
+          hash
+        end
+      end
+
+      # GCP-specific NetworkResult with firewall rules
+      class GcpNetworkResult < Pangea::Contracts::NetworkResult
+        attr_accessor :firewall_internal, :firewall_external
+
+        def [](key)
+          case key.to_sym
+          when :firewall_internal then firewall_internal
+          when :firewall_external then firewall_external
+          else super
+          end
+        end
+
+        def to_h
+          hash = super
+          hash[:firewall_internal] = firewall_internal if firewall_internal
+          hash[:firewall_external] = firewall_external if firewall_external
+          hash
+        end
+      end
+
+      # Azure-specific NetworkResult with resource group, vnet, and NSG
+      class AzureNetworkResult < Pangea::Contracts::NetworkResult
+        attr_accessor :resource_group, :vnet, :nsg
+
+        def [](key)
+          case key.to_sym
+          when :resource_group then resource_group
+          when :vnet then vnet
+          when :nsg then nsg
+          else super
+          end
+        end
+
+        def to_h
+          hash = super
+          hash[:resource_group] = resource_group if resource_group
+          hash[:vnet] = vnet if vnet
+          hash[:nsg] = nsg if nsg
+          hash
+        end
+      end
+
+      # Hetzner Cloud-specific NetworkResult with network (not VPC)
+      class HcloudNetworkResult < Pangea::Contracts::NetworkResult
+        attr_accessor :network
+
+        def [](key)
+          case key.to_sym
+          when :network then network
+          else super
+          end
+        end
+
+        def to_h
+          hash = super
+          hash[:network] = network if network
+          hash
+        end
+      end
+
+      # AWS-specific IamResult — extends the base contract with AWS fields.
+      # is_a?(Pangea::Contracts::IamResult) returns true.
+      class IamResult < Pangea::Contracts::IamResult
+        attr_accessor :log_group,
+                      :ecr_policy, :etcd_policy, :logs_policy,
+                      :ec2_policy, :ssm_policy,
+                      :karpenter_role, :karpenter_profile,
+                      :persistent_state_policy
+
+        def initialize
+          super
+          @log_group = nil
+          @ecr_policy = nil
+          @etcd_policy = nil
+          @logs_policy = nil
+          @ec2_policy = nil
+          @ssm_policy = nil
+          @karpenter_role = nil
+          @karpenter_profile = nil
+          @persistent_state_policy = nil
+        end
+
+        # Hash-style access for backward compatibility
+        def [](key)
+          case key.to_sym
+          when :log_group then log_group
+          when :ecr_policy then ecr_policy
+          when :etcd_policy then etcd_policy
+          when :logs_policy then logs_policy
+          when :ec2_policy then ec2_policy
+          when :ssm_policy then ssm_policy
+          when :karpenter_role then karpenter_role
+          when :karpenter_profile then karpenter_profile
+          when :persistent_state_policy then persistent_state_policy
+          else super
+          end
+        end
+
+        def to_h
+          hash = super
+          hash[:log_group] = log_group if log_group
+          hash[:ecr_policy] = ecr_policy if ecr_policy
+          hash[:etcd_policy] = etcd_policy if etcd_policy
+          hash[:logs_policy] = logs_policy if logs_policy
+          hash[:ec2_policy] = ec2_policy if ec2_policy
+          hash[:ssm_policy] = ssm_policy if ssm_policy
+          hash[:karpenter_role] = karpenter_role if karpenter_role
+          hash[:karpenter_profile] = karpenter_profile if karpenter_profile
+          hash[:persistent_state_policy] = persistent_state_policy if persistent_state_policy
+          hash
+        end
+      end
+
+      # AWS EKS-specific IamResult with cluster_role, cluster_policy_attachment, and node_role
+      class AwsEksIamResult < IamResult
+        attr_accessor :cluster_role, :cluster_policy_attachment, :node_role
+
+        def [](key)
+          case key.to_sym
+          when :cluster_role then cluster_role
+          when :cluster_policy_attachment then cluster_policy_attachment
+          when :node_role then node_role
+          else super
+          end
+        end
+
+        def to_h
+          hash = super
+          hash[:cluster_role] = cluster_role if cluster_role
+          hash[:cluster_policy_attachment] = cluster_policy_attachment if cluster_policy_attachment
+          hash[:node_role] = node_role if node_role
+          hash
+        end
+      end
+
+      # GCP-specific IamResult with service account for nodes
+      class GcpIamResult < IamResult
+        attr_accessor :node_sa
+
+        def [](key)
+          case key.to_sym
+          when :node_sa then node_sa
+          else super
+          end
+        end
+
+        def to_h
+          hash = super
+          hash[:node_sa] = node_sa if node_sa
+          hash
+        end
+      end
+
+      # AWS-specific ClusterResult — extends the base contract with AWS fields.
+      # is_a?(Pangea::Contracts::ClusterResult) returns true.
+      class ClusterResult < Pangea::Contracts::ClusterResult
+        def asg_tg
+          control_plane_ref.asg_tg
+        end
+
+        def subnet_ids
+          control_plane_ref.subnet_ids
+        end
+
+        def instance_profile_name
+          control_plane_ref.instance_profile_name
+        end
+
+        def ami_id
+          control_plane_ref.ami_id
+        end
+
+        def key_name
+          control_plane_ref.key_name
+        end
+
+        def ipv4_address
+          control_plane_ref.ipv4_address
+        end
+      end
+
+      # Minimal accessor so templates can write result.cluster.security_group.id
+      # Inherits from the base contract for is_a? compatibility.
+      SecurityGroupAccessor = Pangea::Contracts::SecurityGroupAccessor
+
+      # Result object from kubernetes_cluster() — holds all created references.
+      # Inherits from base contract; provider-specific to_h calls config methods
+      # that the typed ClusterConfig provides.
+      class ArchitectureResult < Pangea::Contracts::ArchitectureResult
+        # Override cluster= to wrap in the local ClusterResult subclass
+        # (not the base Pangea::Contracts::ClusterResult)
+        def cluster=(value)
+          @cluster = if value.is_a?(Pangea::Contracts::ClusterResult)
+                       value
+                     elsif value
+                       ClusterResult.new(value)
+                     end
+        end
+
+        def to_h
+          {
+            name: name,
+            backend: config.backend,
+            kubernetes_version: config.kubernetes_version,
+            region: config.region,
+            managed_kubernetes: config.managed_kubernetes?,
+            cluster: cluster&.to_h,
+            network: network_to_h,
+            iam: iam_to_h,
+            node_pools: node_pools.transform_values { |np| np.respond_to?(:to_h) ? np.to_h : np }
+          }
+        end
+      end
+    end
+  end
+end

data/lib/pangea/kubernetes/backend_registry.rb

@@ -0,0 +1,117 @@
+# frozen_string_literal: true
+
+# Copyright 2025 The Pangea Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Pangea
+  module Kubernetes
+    # Lazy-loading backend registry. Provider gems are loaded on first use,
+    # so users only need the gems for backends they actually reference.
+    module BackendRegistry
+      @backends = {}
+
+      # Backend matrix: cloud x tech
+      #
+      # Each cloud provider can run multiple Kubernetes technologies:
+      #   - Managed K8s (EKS, GKE, AKS) — cloud-native control plane
+      #   - NixOS K3s — lightweight K3s on NixOS VMs via blackmatter-kubernetes
+      #   - NixOS K8s — vanilla Kubernetes on NixOS VMs (future)
+      #
+      # Naming: {cloud}_{tech} (e.g., aws_eks, aws_nixos_k3s, gcp_gke)
+      # Legacy aliases: :aws → :aws_eks, :aws_nixos → :aws_nixos_k3s
+      BACKEND_MAP = {
+        # ── AWS ───────────────────────────────────────────────────────
+        aws_eks:        { module_path: 'pangea/kubernetes/backends/aws_eks', class_name: 'AwsEks' },
+        aws_nixos_k3s:  { module_path: 'pangea/kubernetes/backends/aws_nixos', class_name: 'AwsNixos' },
+        # aws_nixos_k8s: { module_path: 'pangea/kubernetes/backends/aws_nixos_k8s', class_name: 'AwsNixosK8s' },
+
+        # ── GCP ───────────────────────────────────────────────────────
+        gcp_gke:        { module_path: 'pangea/kubernetes/backends/gcp_gke', class_name: 'GcpGke' },
+        gcp_nixos_k3s:  { module_path: 'pangea/kubernetes/backends/gcp_nixos', class_name: 'GcpNixos' },
+
+        # ── Azure ─────────────────────────────────────────────────────
+        azure_aks:      { module_path: 'pangea/kubernetes/backends/azure_aks', class_name: 'AzureAks' },
+        azure_nixos_k3s: { module_path: 'pangea/kubernetes/backends/azure_nixos', class_name: 'AzureNixos' },
+
+        # ── Hetzner ──────────────────────────────────────────────────
+        hcloud_k3s:     { module_path: 'pangea/kubernetes/backends/hcloud_k3s', class_name: 'HcloudK3s' },
+      }.freeze
+
+      # Legacy aliases — backward compat with existing templates
+      ALIASES = {
+        aws:          :aws_eks,
+        aws_nixos:    :aws_nixos_k3s,
+        gcp:          :gcp_gke,
+        gcp_nixos:    :gcp_nixos_k3s,
+        azure:        :azure_aks,
+        azure_nixos:  :azure_nixos_k3s,
+        hcloud:       :hcloud_k3s,
+      }.freeze
+
+      class << self
+        # Register a backend module for a given backend name
+        def register(name, backend_module)
+          @backends[name.to_sym] = backend_module
+        end
+
+        # Resolve a backend by name, lazy-loading if needed.
+        # Supports both canonical names (aws_eks) and legacy aliases (aws).
+        def resolve(name)
+          name = name.to_sym
+          # Resolve alias to canonical name
+          name = ALIASES[name] if ALIASES.key?(name)
+
+          return @backends[name] if @backends.key?(name)
+
+          entry = BACKEND_MAP[name]
+          raise ArgumentError, "Unknown backend: #{name}. Available: #{available_backends.join(', ')}" unless entry
+
+          load_backend(name, entry)
+        end
+
+        # List all canonical backend names
+        def available_backends
+          BACKEND_MAP.keys
+        end
+
+        # List all names including aliases
+        def all_names
+          (BACKEND_MAP.keys + ALIASES.keys).uniq
+        end
+
+        # Check if a backend's provider gem is available
+        def backend_available?(name)
+          resolve(name)
+          true
+        rescue LoadError
+          false
+        end
+
+        # Reset registry (for testing)
+        def reset!
+          @backends = {}
+        end
+
+        private
+
+        def load_backend(name, entry)
+          require entry[:module_path]
+          backend_module = Pangea::Kubernetes::Backends.const_get(entry[:class_name])
+          @backends[name] = backend_module
+          backend_module
+        end
+      end
+    end
+  end
+end

data/lib/pangea/kubernetes/backends/aws_eks.rb

@@ -0,0 +1,203 @@
+# frozen_string_literal: true
+
+# Copyright 2025 The Pangea Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'pangea/kubernetes/backends/base'
+
+module Pangea
+  module Kubernetes
+    module Backends
+      # AWS EKS backend — creates managed EKS clusters with VPC, IAM, and node groups.
+      module AwsEks
+        include Base
+
+        class << self
+          def backend_name = :aws
+          def managed_kubernetes? = true
+          def required_gem = 'pangea-aws'
+
+          def load_provider!
+            require required_gem
+          rescue LoadError => e
+            raise LoadError,
+                  "Backend :aws requires gem 'pangea-aws'. " \
+                  "Add it to your Gemfile: gem 'pangea-aws'\n" \
+                  "Original error: #{e.message}"
+          end
+
+          # Create VPC + subnets for the EKS cluster
+          def create_network(ctx, name, config, tags)
+            network = Architecture::NetworkResult.new
+
+            vpc_cidr = config.network&.vpc_cidr || '10.0.0.0/16'
+            network.vpc = ctx.aws_vpc(
+              :"#{name}_vpc",
+              cidr_block: vpc_cidr,
+              enable_dns_hostnames: true,
+              enable_dns_support: true,
+              tags: tags.merge(Name: "#{name}-vpc")
+            )
+
+            # Create 2 subnets in different AZs (EKS requirement)
+            %w[a b].each_with_index do |az_suffix, idx|
+              subnet = ctx.aws_subnet(
+                :"#{name}_subnet_#{az_suffix}",
+                vpc_id: network.vpc.id,
+                cidr_block: "10.0.#{idx}.0/24",
+                availability_zone: "#{config.region}#{az_suffix}",
+                map_public_ip_on_launch: true,
+                tags: tags.merge(Name: "#{name}-subnet-#{az_suffix}")
+              )
+              network.add_subnet(:"subnet_#{az_suffix}", subnet)
+            end
+
+            network
+          end
+
+          # Create IAM role for the EKS cluster and node groups
+          def create_iam(ctx, name, config, tags)
+            iam = Architecture::AwsEksIamResult.new
+
+            # Cluster role — use provided role_arn or create one
+            unless config.role_arn
+              assume_role_policy = {
+                Version: '2012-10-17',
+                Statement: [{
+                  Effect: 'Allow',
+                  Principal: { Service: 'eks.amazonaws.com' },
+                  Action: 'sts:AssumeRole'
+                }]
+              }
+
+              iam.cluster_role = ctx.aws_iam_role(
+                :"#{name}_cluster_role",
+                name: "#{name}-eks-cluster-role",
+                assume_role_policy: assume_role_policy,
+                tags: tags.merge(Name: "#{name}-cluster-role")
+              )
+
+              iam.cluster_policy_attachment = ctx.aws_iam_role_policy_attachment(
+                :"#{name}_cluster_policy",
+                role: iam.cluster_role.ref(:name),
+                policy_arn: 'arn:aws:iam::aws:policy/AmazonEKSClusterPolicy'
+              )
+            end
+
+            # Node role
+            node_assume_role_policy = {
+              Version: '2012-10-17',
+              Statement: [{
+                Effect: 'Allow',
+                Principal: { Service: 'ec2.amazonaws.com' },
+                Action: 'sts:AssumeRole'
+              }]
+            }
+
+            iam.node_role = ctx.aws_iam_role(
+              :"#{name}_node_role",
+              name: "#{name}-eks-node-role",
+              assume_role_policy: node_assume_role_policy,
+              tags: tags.merge(Name: "#{name}-node-role")
+            )
+
+            %w[AmazonEKSWorkerNodePolicy AmazonEKS_CNI_Policy AmazonEC2ContainerRegistryReadOnly].each do |policy|
+              ctx.aws_iam_role_policy_attachment(
+                :"#{name}_node_#{policy.downcase.gsub(/[^a-z0-9]/, '_')}",
+                role: iam.node_role.ref(:name),
+                policy_arn: "arn:aws:iam::aws:policy/#{policy}"
+              )
+            end
+
+            iam
+          end
+
+          # Create the EKS cluster
+          def create_cluster(ctx, name, config, result, tags)
+            # Determine subnet IDs
+            subnet_ids = if config.network&.subnet_ids&.any?
+                           config.network.subnet_ids
+                         elsif result.network
+                           if result.network.respond_to?(:subnet_ids)
+                             result.network.subnet_ids
+                           else
+                             result.network.select { |k, _| k.to_s.start_with?('subnet_') }.values.map(&:id)
+                           end
+                         else
+                           []
+                         end
+
+            # Determine role ARN
+            role_arn = config.role_arn || result.iam&.dig(:cluster_role)&.arn
+
+            cluster_attrs = {
+              name: "#{name}-cluster",
+              role_arn: role_arn,
+              version: config.kubernetes_version,
+              vpc_config: {
+                subnet_ids: subnet_ids,
+                endpoint_private_access: config.network&.private_endpoint || true,
+                endpoint_public_access: config.network&.public_endpoint || false,
+                security_group_ids: config.network&.security_group_ids || []
+              },
+              tags: tags.merge(Name: "#{name}-cluster")
+            }
+
+            cluster_attrs[:enabled_cluster_log_types] = config.logging if config.logging.any?
+
+            if config.encryption_at_rest
+              cluster_attrs[:encryption_config] = {
+                resources: ['secrets']
+              }
+            end
+
+            ctx.aws_eks_cluster(:"#{name}_cluster", cluster_attrs)
+          end
+
+          # Create an EKS managed node group
+          def create_node_pool(ctx, name, cluster_ref, pool_config, tags)
+            pool_name = :"#{name}_#{pool_config.name}"
+
+            node_group_attrs = {
+              cluster_name: cluster_ref.ref(:name),
+              node_group_name: "#{name}-#{pool_config.name}",
+              node_role_arn: "${aws_iam_role.#{name}_node_role.arn}",
+              instance_types: pool_config.instance_types,
+              scaling_config: {
+                desired_size: pool_config.effective_desired_size,
+                min_size: pool_config.min_size,
+                max_size: pool_config.max_size
+              },
+              disk_size: pool_config.disk_size_gb,
+              tags: tags.merge(
+                Name: "#{name}-#{pool_config.name}",
+                NodePool: pool_config.name.to_s
+              )
+            }
+
+            node_group_attrs[:labels] = pool_config.labels if pool_config.labels.any?
+
+            if pool_config.taints.any?
+              node_group_attrs[:taint] = pool_config.taints.map do |t|
+                { key: t[:key], value: t[:value], effect: t[:effect] }
+              end
+            end
+
+            ctx.aws_eks_node_group(pool_name, node_group_attrs)
+          end
+        end
+      end
+    end
+  end
+end