@drunk-pulumi/azure 0.0.19

package/KubeX/Core/Monitoring/index.js

@@ -0,0 +1,322 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const pulumi = require("@pulumi/pulumi");
+const k8s = require("@pulumi/kubernetes");
+const NginxIngress_1 = require("../../../KubeX/Ingress/NginxIngress");
+const SecurityRules_1 = require("../SecurityRules");
+const Namespace_1 = require("../Namespace");
+const CertHelper_1 = require("../../CertHelper");
+const Helpers_1 = require("../../../Common/Helpers");
+const Random_1 = require("../../../Core/Random");
+const Identity_1 = require("../../../AzAd/Identity");
+const AzureEnv_1 = require("../../../Common/AzureEnv");
+const createIdentity = async ({ callbackUrl, name, vaultInfo, }) => {
+    //Create Azure AD Identity for Authentication
+    return await (0, Identity_1.default)({
+        name,
+        appRoleAssignmentRequired: true,
+        appRoles: [
+            {
+                id: '819acdc5-3b86-4a9e-a6ea-1ce87b229ce6',
+                allowedMemberTypes: ['User'],
+                description: 'Grafana org admin Users',
+                displayName: 'Grafana Org Admin',
+                enabled: true,
+                value: 'Admin',
+            },
+            {
+                id: '225f546a-935c-4552-b2f5-97ae976f14e7',
+                allowedMemberTypes: ['User'],
+                description: 'Grafana read only Users',
+                displayName: 'Grafana Viewer',
+                enabled: true,
+                value: 'Viewer',
+            },
+            {
+                id: 'a482ac2e-68f1-4655-8875-2e84b9f13ef9',
+                allowedMemberTypes: ['User'],
+                description: 'Grafana Editor Users',
+                displayName: 'Grafana Editor',
+                enabled: true,
+                value: 'Editor',
+            },
+        ],
+        // requiredResourceAccesses: [
+        //   getGraphPermissions({ name: 'User.Read', type: 'Scope' }),
+        // ],
+        createClientSecret: true,
+        createPrincipal: false,
+        appType: 'web',
+        replyUrls: [callbackUrl],
+        vaultInfo,
+    });
+};
+exports.default = async ({ namespace = 'monitoring', 
+/**Select AKS node that is not Virtual Node*/
+nodeSelector = {}, enableAlertManager = false, enablePrometheus = true, enableGrafana, vaultInfo, provider, }) => {
+    const name = 'prometheus';
+    //TODO: Setup grafana with Azure AD authentication
+    //Sample https://github.com/fabianlee/k3s-cluster-kvm/blob/main/roles/kube-prometheus-stack/files/prom-sparse.expanded.yaml
+    /** https://github.com/cablespaghetti/k3s-monitoring
+     *
+     * Monitor Rules Creating issue
+     *    - kubectl delete  validatingwebhookconfigurations.admissionregistration.k8s.io prometheus-prometheus-oper-admission
+     *    - kubectl delete  MutatingWebhookConfiguration  prometheus-prometheus-oper-admission
+     *
+     * kube-proxy issue refer here: https://github.com/prometheus-community/helm-charts/blob/61e7d540b686fa0df428933a42136f7084223ee2/charts/kube-prometheus-stack/README.md
+     */
+    const rootUrl = `https://${enableGrafana?.hostName}`;
+    const ns = (0, Namespace_1.default)({ name: namespace, provider });
+    const password = (0, Random_1.randomPassword)({ name, policy: 'yearly', vaultInfo }).result;
+    const adIdentity = Boolean(enableGrafana?.auth?.azureAD)
+        ? await createIdentity({
+            name,
+            callbackUrl: `${rootUrl}/login/azuread`,
+            vaultInfo,
+        })
+        : undefined;
+    const prometheus = new k8s.helm.v3.Chart(name, {
+        chart: 'kube-prometheus-stack',
+        namespace,
+        fetchOpts: { repo: 'https://prometheus-community.github.io/helm-charts' },
+        values: {
+            defaultRules: {
+                create: enablePrometheus,
+                rules: {
+                    alertmanager: enableAlertManager,
+                    etcd: false,
+                    configReloaders: false,
+                    general: true,
+                    k8s: false,
+                    kubeApiserverAvailability: false,
+                    kubeApiserverBurnrate: false,
+                    kubeApiserverHistogram: true,
+                    kubeApiserverSlos: false,
+                    kubeControllerManager: false,
+                    kubelet: false,
+                    kubeProxy: false,
+                    kubePrometheusGeneral: enablePrometheus,
+                    kubePrometheusNodeRecording: enablePrometheus,
+                    kubernetesApps: enablePrometheus,
+                    kubernetesResources: enablePrometheus,
+                    kubernetesStorage: enablePrometheus,
+                    kubernetesSystem: enablePrometheus,
+                    kubeSchedulerAlerting: enableAlertManager,
+                    kubeSchedulerRecording: enablePrometheus,
+                    kubeStateMetrics: enablePrometheus,
+                    network: enablePrometheus,
+                    node: enablePrometheus,
+                    nodeExporterAlerting: enableAlertManager,
+                    nodeExporterRecording: enablePrometheus,
+                    prometheus: enablePrometheus,
+                    prometheusOperator: enablePrometheus,
+                },
+            },
+            //Required for use in managed kubernetes clusters (such as AWS EKS) with custom CNI (such as calico),
+            //because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working
+            hostNetwork: false,
+            nodeSelector,
+            coreDns: { enabled: enablePrometheus },
+            kubeDns: { enabled: false },
+            kubelet: { enabled: false },
+            //Disable etcd monitoring. See https://github.com/cablespaghetti/k3s-monitoring/issues/4
+            kubeEtcd: { enabled: false },
+            //Disable kube-controller-manager and kube-scheduler monitoring. See https://github.com/cablespaghetti/k3s-monitoring/issues/2
+            kubeControllerManager: { enabled: false },
+            kubeScheduler: { enabled: false },
+            kubeProxy: { enabled: false },
+            kubernetesServiceMonitors: { enabled: enablePrometheus },
+            kubeApiServer: { enabled: enablePrometheus },
+            kubeletService: { enabled: enablePrometheus },
+            kubeStateMetrics: { enabled: enablePrometheus },
+            nodeExporter: { enabled: enablePrometheus },
+            networkPolicy: { enabled: false },
+            prometheus: { enabled: enablePrometheus },
+            prometheusOperator: { enabled: enablePrometheus },
+            prometheusSpec: {
+                retention: '7d',
+                storageSpec: {
+                    volumeClaimTemplate: {
+                        spec: {
+                            accessModes: ['ReadWriteOnce'],
+                            resources: {
+                                requests: {
+                                    storage: '5Gi',
+                                },
+                            },
+                        },
+                    },
+                },
+            },
+            grafana: {
+                enabled: Boolean(enableGrafana),
+                adminPassword: password,
+                plugins: ['grafana-piechart-panel'],
+                env: {
+                    GF_SERVER_ROOT_URL: rootUrl,
+                    GF_SERVER_DOMAIN: enableGrafana?.hostName,
+                    GF_SERVER_SERVE_FROM_SUB_PATH: 'true',
+                },
+            },
+            alertmanager: {
+                enabled: enableAlertManager,
+                // config: {
+                //   global: {
+                //     smtp_from: 'you@gmail.com',
+                //     smtp_smarthost: 'mailhog:1025',
+                //     smtp_require_tls: false,
+                //   },
+                //   route: {
+                //     group_by: ['job'],
+                //     group_wait: '30s',
+                //     group_interval: '5m',
+                //     repeat_interval: '1h',
+                //     receiver: 'email',
+                //     routes: [
+                //       {
+                //         match: {
+                //           alertname: 'Watchdog',
+                //         },
+                //         receiver: 'null',
+                //       },
+                //       {
+                //         match: {
+                //           alertname: 'CPUThrottlingHigh',
+                //         },
+                //         receiver: 'null',
+                //       },
+                //       {
+                //         match: {
+                //           alertname: 'KubeMemoryOvercommit',
+                //         },
+                //         receiver: 'null',
+                //       },
+                //       {
+                //         match: {
+                //           alertname: 'KubeCPUOvercommit',
+                //         },
+                //         receiver: 'null',
+                //       },
+                //       {
+                //         match: {
+                //           alertname: 'KubeletTooManyPods',
+                //         },
+                //         receiver: 'null',
+                //       },
+                //     ],
+                //   },
+                //   receivers: [
+                //     {
+                //       name: 'null',
+                //     },
+                //     {
+                //       name: 'email',
+                //       email_configs: [
+                //         {
+                //           send_resolved: true,
+                //           to: 'youremail@gmail.com',
+                //         },
+                //       ],
+                //     },
+                //   ],
+                //   //Inhibition rules allow to mute a set of alerts given that another alert is firing.
+                //   //We use this to mute any warning-level notifications if the same alert is already critical.
+                //   inhibit_rules: [
+                //     {
+                //       source_match: {
+                //         severity: 'critical',
+                //       },
+                //       target_match: {
+                //         severity: 'warning',
+                //       },
+                //       equal: ['alertname', 'namespace'],
+                //     },
+                //   ],
+                // },
+                // alertmanagerSpec: {
+                //   storage: {
+                //     volumeClaimTemplate: {
+                //       spec: {
+                //         accessModes: ['ReadWriteOnce'],
+                //         resources: {
+                //           requests: {
+                //             storage: '1Gi',
+                //           },
+                //         },
+                //       },
+                //     },
+                //   },
+                // },
+            },
+            ingress: { enabled: false },
+            ingressPerReplica: { enabled: false },
+        },
+        transformations: [
+            (obj) => {
+                (0, SecurityRules_1.applyDeploymentRules)(obj, { ignoredKinds: ['Job'] });
+                //Enable OpenID auth for grafana
+                if (enableGrafana?.auth &&
+                    obj.kind === 'ConfigMap' &&
+                    obj.metadata.name === 'prometheus-grafana') {
+                    //Azure AD
+                    if (enableGrafana.auth.azureAD) {
+                        let current = obj.data['grafana.ini'];
+                        obj.data['grafana.ini'] = pulumi.interpolate `
+${current}
+
+[auth]
+azure_auth_enabled = true
+disable_login_form = true
+
+[auth.anonymous]
+enabled = false
+
+[auth.basic]
+enabled = false
+    
+[auth.azuread]
+name = Azure AD
+enabled = true
+allow_sign_up = true
+auto_login = true
+client_id = ${adIdentity?.clientId}
+client_secret = ${adIdentity?.clientSecret ?? ''}
+scopes = openid email profile
+auth_url = https://login.microsoftonline.com/${AzureEnv_1.tenantId}/oauth2/v2.0/authorize
+token_url = https://login.microsoftonline.com/${AzureEnv_1.tenantId}/oauth2/v2.0/token
+allowed_domains =
+allowed_groups =
+allowed_organizations = ${AzureEnv_1.tenantId}
+role_attribute_strict = true
+allow_assign_grafana_admin = false
+skip_org_role_sync = false
+use_pkce = false
+force_use_graph_api = false
+
+              `;
+                    }
+                }
+            },
+        ],
+    }, { provider, dependsOn: ns });
+    if (enableGrafana) {
+        (0, NginxIngress_1.default)({
+            name: 'prometheus-grafana',
+            hostNames: [enableGrafana.hostName],
+            certManagerIssuer: true,
+            className: 'nginx',
+            tlsSecretName: (0, CertHelper_1.getTlsName)((0, Helpers_1.getRootDomainFromUrl)(enableGrafana.hostName), true),
+            service: {
+                metadata: {
+                    name: pulumi.interpolate `prometheus-grafana`,
+                    namespace,
+                },
+                spec: { ports: [{ port: 80 }] },
+            },
+            dependsOn: prometheus,
+            provider,
+        });
+    }
+    return prometheus;
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvS3ViZVgvQ29yZS9Nb25pdG9yaW5nL2luZGV4LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7O0FBQUEseUNBQXlDO0FBQ3pDLDBDQUEwQztBQUMxQyxzRUFBK0Q7QUFDL0Qsb0RBQXdEO0FBQ3hELDRDQUFxQztBQUNyQyxpREFBOEM7QUFDOUMscURBQStEO0FBQy9ELGlEQUFzRDtBQUN0RCxxREFBcUQ7QUFHckQsdURBQW9EO0FBU3BELE1BQU0sY0FBYyxHQUFHLEtBQUssRUFBRSxFQUM1QixXQUFXLEVBQ1gsSUFBSSxFQUNKLFNBQVMsR0FDSyxFQUFFLEVBQUU7SUFDbEIsNkNBQTZDO0lBQzdDLE9BQU8sTUFBTSxJQUFBLGtCQUFlLEVBQUM7UUFDM0IsSUFBSTtRQUVKLHlCQUF5QixFQUFFLElBQUk7UUFDL0IsUUFBUSxFQUFFO1lBQ1I7Z0JBQ0UsRUFBRSxFQUFFLHNDQUFzQztnQkFDMUMsa0JBQWtCLEVBQUUsQ0FBQyxNQUFNLENBQUM7Z0JBQzVCLFdBQVcsRUFBRSx5QkFBeUI7Z0JBQ3RDLFdBQVcsRUFBRSxtQkFBbUI7Z0JBQ2hDLE9BQU8sRUFBRSxJQUFJO2dCQUNiLEtBQUssRUFBRSxPQUFPO2FBQ2Y7WUFDRDtnQkFDRSxFQUFFLEVBQUUsc0NBQXNDO2dCQUMxQyxrQkFBa0IsRUFBRSxDQUFDLE1BQU0sQ0FBQztnQkFDNUIsV0FBVyxFQUFFLHlCQUF5QjtnQkFDdEMsV0FBVyxFQUFFLGdCQUFnQjtnQkFDN0IsT0FBTyxFQUFFLElBQUk7Z0JBQ2IsS0FBSyxFQUFFLFFBQVE7YUFDaEI7WUFDRDtnQkFDRSxFQUFFLEVBQUUsc0NBQXNDO2dCQUMxQyxrQkFBa0IsRUFBRSxDQUFDLE1BQU0sQ0FBQztnQkFDNUIsV0FBVyxFQUFFLHNCQUFzQjtnQkFDbkMsV0FBVyxFQUFFLGdCQUFnQjtnQkFDN0IsT0FBTyxFQUFFLElBQUk7Z0JBQ2IsS0FBSyxFQUFFLFFBQVE7YUFDaEI7U0FDRjtRQUVELDhCQUE4QjtRQUM5QiwrREFBK0Q7UUFDL0QsS0FBSztRQUVMLGtCQUFrQixFQUFFLElBQUk7UUFDeEIsZUFBZSxFQUFFLEtBQUs7UUFFdEIsT0FBTyxFQUFFLEtBQUs7UUFDZCxTQUFTLEVBQUUsQ0FBQyxXQUFXLENBQUM7UUFDeEIsU0FBUztLQUNWLENBQUMsQ0FBQztBQUNMLENBQUMsQ0FBQztBQXdCRixrQkFBZSxLQUFLLEVBQUUsRUFDcEIsU0FBUyxHQUFHLFlBQVk7QUFDeEIsNkNBQTZDO0FBQzdDLFlBQVksR0FBRyxFQUFFLEVBRWpCLGtCQUFrQixHQUFHLEtBQUssRUFDMUIsZ0JBQWdCLEdBQUcsSUFBSSxFQUN2QixhQUFhLEVBRWIsU0FBUyxFQUNULFFBQVEsR0FDUSxFQUFFLEVBQUU7SUFDcEIsTUFBTSxJQUFJLEdBQUcsWUFBWSxDQUFDO0lBQzFCLGtEQUFrRDtJQUVsRCwySEFBMkg7SUFDM0g7Ozs7Ozs7T0FPRztJQUVILE1BQU0sT0FBTyxHQUFHLFdBQVcsYUFBYSxFQUFFLFFBQVEsRUFBRSxDQUFDO0lBQ3JELE1BQU0sRUFBRSxHQUFHLElBQUEsbUJBQVMsRUFBQyxFQUFFLElBQUksRUFBRSxTQUFTLEVBQUUsUUFBUSxFQUFFLENBQUMsQ0FBQztJQUNwRCxNQUFNLFFBQVEsR0FBRyxJQUFBLHVCQUFjLEVBQUMsRUFBRSxJQUFJLEVBQUUsTUFBTSxFQUFFLFFBQVEsRUFBRSxTQUFTLEVBQUUsQ0FBQyxDQUFDLE1BQU0sQ0FBQztJQUM5RSxNQUFNLFVBQVUsR0FBRyxPQUFPLENBQUMsYUFBYSxFQUFFLElBQUksRUFBRSxPQUFPLENBQUM7UUFDdEQsQ0FBQyxDQUFDLE1BQU0sY0FBYyxDQUFDO1lBQ25CLElBQUk7WUFDSixXQUFXLEVBQUUsR0FBRyxPQUFPLGdCQUFnQjtZQUN2QyxTQUFTO1NBQ1YsQ0FBQztRQUNKLENBQUMsQ0FBQyxTQUFTLENBQUM7SUFFZCxNQUFNLFVBQVUsR0FBRyxJQUFJLEdBQUcsQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDLEtBQUssQ0FDdEMsSUFBSSxFQUNKO1FBQ0UsS0FBSyxFQUFFLHVCQUF1QjtRQUM5QixTQUFTO1FBQ1QsU0FBUyxFQUFFLEVBQUUsSUFBSSxFQUFFLG9EQUFvRCxFQUFFO1FBQ3pFLE1BQU0sRUFBRTtZQUNOLFlBQVksRUFBRTtnQkFDWixNQUFNLEVBQUUsZ0JBQWdCO2dCQUN4QixLQUFLLEVBQUU7b0JBQ0wsWUFBWSxFQUFFLGtCQUFrQjtvQkFDaEMsSUFBSSxFQUFFLEtBQUs7b0JBQ1gsZUFBZSxFQUFFLEtBQUs7b0JBQ3RCLE9BQU8sRUFBRSxJQUFJO29CQUNiLEdBQUcsRUFBRSxLQUFLO29CQUNWLHlCQUF5QixFQUFFLEtBQUs7b0JBQ2hDLHFCQUFxQixFQUFFLEtBQUs7b0JBQzVCLHNCQUFzQixFQUFFLElBQUk7b0JBQzVCLGlCQUFpQixFQUFFLEtBQUs7b0JBQ3hCLHFCQUFxQixFQUFFLEtBQUs7b0JBQzVCLE9BQU8sRUFBRSxLQUFLO29CQUNkLFNBQVMsRUFBRSxLQUFLO29CQUNoQixxQkFBcUIsRUFBRSxnQkFBZ0I7b0JBQ3ZDLDJCQUEyQixFQUFFLGdCQUFnQjtvQkFDN0MsY0FBYyxFQUFFLGdCQUFnQjtvQkFDaEMsbUJBQW1CLEVBQUUsZ0JBQWdCO29CQUNyQyxpQkFBaUIsRUFBRSxnQkFBZ0I7b0JBQ25DLGdCQUFnQixFQUFFLGdCQUFnQjtvQkFDbEMscUJBQXFCLEVBQUUsa0JBQWtCO29CQUN6QyxzQkFBc0IsRUFBRSxnQkFBZ0I7b0JBQ3hDLGdCQUFnQixFQUFFLGdCQUFnQjtvQkFDbEMsT0FBTyxFQUFFLGdCQUFnQjtvQkFDekIsSUFBSSxFQUFFLGdCQUFnQjtvQkFDdEIsb0JBQW9CLEVBQUUsa0JBQWtCO29CQUN4QyxxQkFBcUIsRUFBRSxnQkFBZ0I7b0JBQ3ZDLFVBQVUsRUFBRSxnQkFBZ0I7b0JBQzVCLGtCQUFrQixFQUFFLGdCQUFnQjtpQkFDckM7YUFDRjtZQUVELHFHQUFxRztZQUNyRyxtSEFBbUg7WUFDbkgsV0FBVyxFQUFFLEtBQUs7WUFDbEIsWUFBWTtZQUVaLE9BQU8sRUFBRSxFQUFFLE9BQU8sRUFBRSxnQkFBZ0IsRUFBRTtZQUN0QyxPQUFPLEVBQUUsRUFBRSxPQUFPLEVBQUUsS0FBSyxFQUFFO1lBQzNCLE9BQU8sRUFBRSxFQUFFLE9BQU8sRUFBRSxLQUFLLEVBQUU7WUFDM0Isd0ZBQXdGO1lBQ3hGLFFBQVEsRUFBRSxFQUFFLE9BQU8sRUFBRSxLQUFLLEVBQUU7WUFDNUIsOEhBQThIO1lBQzlILHFCQUFxQixFQUFFLEVBQUUsT0FBTyxFQUFFLEtBQUssRUFBRTtZQUN6QyxhQUFhLEVBQUUsRUFBRSxPQUFPLEVBQUUsS0FBSyxFQUFFO1lBQ2pDLFNBQVMsRUFBRSxFQUFFLE9BQU8sRUFBRSxLQUFLLEVBQUU7WUFDN0IseUJBQXlCLEVBQUUsRUFBRSxPQUFPLEVBQUUsZ0JBQWdCLEVBQUU7WUFDeEQsYUFBYSxFQUFFLEVBQUUsT0FBTyxFQUFFLGdCQUFnQixFQUFFO1lBQzVDLGNBQWMsRUFBRSxFQUFFLE9BQU8sRUFBRSxnQkFBZ0IsRUFBRTtZQUM3QyxnQkFBZ0IsRUFBRSxFQUFFLE9BQU8sRUFBRSxnQkFBZ0IsRUFBRTtZQUMvQyxZQUFZLEVBQUUsRUFBRSxPQUFPLEVBQUUsZ0JBQWdCLEVBQUU7WUFDM0MsYUFBYSxFQUFFLEVBQUUsT0FBTyxFQUFFLEtBQUssRUFBRTtZQUVqQyxVQUFVLEVBQUUsRUFBRSxPQUFPLEVBQUUsZ0JBQWdCLEVBQUU7WUFDekMsa0JBQWtCLEVBQUUsRUFBRSxPQUFPLEVBQUUsZ0JBQWdCLEVBQUU7WUFDakQsY0FBYyxFQUFFO2dCQUNkLFNBQVMsRUFBRSxJQUFJO2dCQUNmLFdBQVcsRUFBRTtvQkFDWCxtQkFBbUIsRUFBRTt3QkFDbkIsSUFBSSxFQUFFOzRCQUNKLFdBQVcsRUFBRSxDQUFDLGVBQWUsQ0FBQzs0QkFDOUIsU0FBUyxFQUFFO2dDQUNULFFBQVEsRUFBRTtvQ0FDUixPQUFPLEVBQUUsS0FBSztpQ0FDZjs2QkFDRjt5QkFDRjtxQkFDRjtpQkFDRjthQUNGO1lBRUQsT0FBTyxFQUFFO2dCQUNQLE9BQU8sRUFBRSxPQUFPLENBQUMsYUFBYSxDQUFDO2dCQUMvQixhQUFhLEVBQUUsUUFBUTtnQkFDdkIsT0FBTyxFQUFFLENBQUMsd0JBQXdCLENBQUM7Z0JBRW5DLEdBQUcsRUFBRTtvQkFDSCxrQkFBa0IsRUFBRSxPQUFPO29CQUMzQixnQkFBZ0IsRUFBRSxhQUFhLEVBQUUsUUFBUTtvQkFDekMsNkJBQTZCLEVBQUUsTUFBTTtpQkFDdEM7YUFDRjtZQUVELFlBQVksRUFBRTtnQkFDWixPQUFPLEVBQUUsa0JBQWtCO2dCQUMzQixZQUFZO2dCQUNaLGNBQWM7Z0JBQ2Qsa0NBQWtDO2dCQUNsQyxzQ0FBc0M7Z0JBQ3RDLCtCQUErQjtnQkFDL0IsT0FBTztnQkFDUCxhQUFhO2dCQUNiLHlCQUF5QjtnQkFDekIseUJBQXlCO2dCQUN6Qiw0QkFBNEI7Z0JBQzVCLDZCQUE2QjtnQkFDN0IseUJBQXlCO2dCQUN6QixnQkFBZ0I7Z0JBQ2hCLFVBQVU7Z0JBQ1YsbUJBQW1CO2dCQUNuQixtQ0FBbUM7Z0JBQ25DLGFBQWE7Z0JBQ2IsNEJBQTRCO2dCQUM1QixXQUFXO2dCQUNYLFVBQVU7Z0JBQ1YsbUJBQW1CO2dCQUNuQiw0Q0FBNEM7Z0JBQzVDLGFBQWE7Z0JBQ2IsNEJBQTRCO2dCQUM1QixXQUFXO2dCQUNYLFVBQVU7Z0JBQ1YsbUJBQW1CO2dCQUNuQiwrQ0FBK0M7Z0JBQy9DLGFBQWE7Z0JBQ2IsNEJBQTRCO2dCQUM1QixXQUFXO2dCQUNYLFVBQVU7Z0JBQ1YsbUJBQW1CO2dCQUNuQiw0Q0FBNEM7Z0JBQzVDLGFBQWE7Z0JBQ2IsNEJBQTRCO2dCQUM1QixXQUFXO2dCQUNYLFVBQVU7Z0JBQ1YsbUJBQW1CO2dCQUNuQiw2Q0FBNkM7Z0JBQzdDLGFBQWE7Z0JBQ2IsNEJBQTRCO2dCQUM1QixXQUFXO2dCQUNYLFNBQVM7Z0JBQ1QsT0FBTztnQkFDUCxpQkFBaUI7Z0JBQ2pCLFFBQVE7Z0JBQ1Isc0JBQXNCO2dCQUN0QixTQUFTO2dCQUNULFFBQVE7Z0JBQ1IsdUJBQXVCO2dCQUN2Qix5QkFBeUI7Z0JBQ3pCLFlBQVk7Z0JBQ1osaUNBQWlDO2dCQUNqQyx1Q0FBdUM7Z0JBQ3ZDLGFBQWE7Z0JBQ2IsV0FBVztnQkFDWCxTQUFTO2dCQUNULE9BQU87Z0JBQ1AseUZBQXlGO2dCQUN6RixpR0FBaUc7Z0JBQ2pHLHFCQUFxQjtnQkFDckIsUUFBUTtnQkFDUix3QkFBd0I7Z0JBQ3hCLGdDQUFnQztnQkFDaEMsV0FBVztnQkFDWCx3QkFBd0I7Z0JBQ3hCLCtCQUErQjtnQkFDL0IsV0FBVztnQkFDWCwyQ0FBMkM7Z0JBQzNDLFNBQVM7Z0JBQ1QsT0FBTztnQkFDUCxLQUFLO2dCQUNMLHNCQUFzQjtnQkFDdEIsZUFBZTtnQkFDZiw2QkFBNkI7Z0JBQzdCLGdCQUFnQjtnQkFDaEIsMENBQTBDO2dCQUMxQyx1QkFBdUI7Z0JBQ3ZCLHdCQUF3QjtnQkFDeEIsOEJBQThCO2dCQUM5QixlQUFlO2dCQUNmLGFBQWE7Z0JBQ2IsV0FBVztnQkFDWCxTQUFTO2dCQUNULE9BQU87Z0JBQ1AsS0FBSzthQUNOO1lBRUQsT0FBTyxFQUFFLEVBQUUsT0FBTyxFQUFFLEtBQUssRUFBRTtZQUMzQixpQkFBaUIsRUFBRSxFQUFFLE9BQU8sRUFBRSxLQUFLLEVBQUU7U0FDdEM7UUFDRCxlQUFlLEVBQUU7WUFDZixDQUFDLEdBQUcsRUFBRSxFQUFFO2dCQUNOLElBQUEsb0NBQW9CLEVBQUMsR0FBRyxFQUFFLEVBQUUsWUFBWSxFQUFFLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQyxDQUFDO2dCQUVyRCxnQ0FBZ0M7Z0JBQ2hDLElBQ0UsYUFBYSxFQUFFLElBQUk7b0JBQ25CLEdBQUcsQ0FBQyxJQUFJLEtBQUssV0FBVztvQkFDeEIsR0FBRyxDQUFDLFFBQVEsQ0FBQyxJQUFJLEtBQUssb0JBQW9CLEVBQzFDLENBQUM7b0JBQ0QsVUFBVTtvQkFDVixJQUFJLGFBQWEsQ0FBQyxJQUFJLENBQUMsT0FBTyxFQUFFLENBQUM7d0JBQy9CLElBQUksT0FBTyxHQUFXLEdBQUcsQ0FBQyxJQUFJLENBQUMsYUFBYSxDQUFDLENBQUM7d0JBQzlDLEdBQUcsQ0FBQyxJQUFJLENBQUMsYUFBYSxDQUFDLEdBQUcsTUFBTSxDQUFDLFdBQVcsQ0FBQTtFQUN4RCxPQUFPOzs7Ozs7Ozs7Ozs7Ozs7OztjQWlCSyxVQUFVLEVBQUUsUUFBUTtrQkFDaEIsVUFBVSxFQUFFLFlBQVksSUFBSSxFQUFFOzsrQ0FFRCxtQkFBUTtnREFDUCxtQkFBUTs7OzBCQUc5QixtQkFBUTs7Ozs7OztlQU9uQixDQUFDO29CQUNKLENBQUM7Z0JBQ0gsQ0FBQztZQUNILENBQUM7U0FDRjtLQUNGLEVBQ0QsRUFBRSxRQUFRLEVBQUUsU0FBUyxFQUFFLEVBQUUsRUFBRSxDQUM1QixDQUFDO0lBRUYsSUFBSSxhQUFhLEVBQUUsQ0FBQztRQUNsQixJQUFBLHNCQUFZLEVBQUM7WUFDWCxJQUFJLEVBQUUsb0JBQW9CO1lBQzFCLFNBQVMsRUFBRSxDQUFDLGFBQWEsQ0FBQyxRQUFRLENBQUM7WUFDbkMsaUJBQWlCLEVBQUUsSUFBSTtZQUN2QixTQUFTLEVBQUUsT0FBTztZQUNsQixhQUFhLEVBQUUsSUFBQSx1QkFBVSxFQUN2QixJQUFBLDhCQUFvQixFQUFDLGFBQWEsQ0FBQyxRQUFRLENBQUMsRUFDNUMsSUFBSSxDQUNMO1lBRUQsT0FBTyxFQUFFO2dCQUNQLFFBQVEsRUFBRTtvQkFDUixJQUFJLEVBQUUsTUFBTSxDQUFDLFdBQVcsQ0FBQSxvQkFBb0I7b0JBQzVDLFNBQVM7aUJBQ1Y7Z0JBQ0QsSUFBSSxFQUFFLEVBQUUsS0FBSyxFQUFFLENBQUMsRUFBRSxJQUFJLEVBQUUsRUFBRSxFQUFFLENBQUMsRUFBRTthQUNoQztZQUVELFNBQVMsRUFBRSxVQUFVO1lBQ3JCLFFBQVE7U0FDVCxDQUFDLENBQUM7SUFDTCxDQUFDO0lBRUQsT0FBTyxVQUFVLENBQUM7QUFDcEIsQ0FBQyxDQUFDIn0=

package/KubeX/Core/Namespace.d.ts

@@ -0,0 +1,12 @@
+import * as pulumi from '@pulumi/pulumi';
+import { K8sArgs } from '../types';
+import { ResourceQuotaSpec } from './ResourceQuota';
+interface Props extends K8sArgs {
+    name: string;
+    labels?: pulumi.Input<{
+        [key: string]: pulumi.Input<string>;
+    }>;
+    quota?: ResourceQuotaSpec;
+}
+declare const _default: ({ name, labels, quota, provider, dependsOn, }: Props) => import("@pulumi/kubernetes/core/v1/namespace").Namespace;
+export default _default;

package/KubeX/Core/Namespace.js

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const k8s = require("@pulumi/kubernetes");
+const ResourceQuota_1 = require("./ResourceQuota");
+exports.default = ({ name = 'dev', labels, quota, provider, dependsOn, }) => {
+    labels = labels || {};
+    const ns = new k8s.core.v1.Namespace(name, {
+        metadata: {
+            name,
+            namespace: name,
+            labels: {
+                name,
+                ...labels,
+            },
+        },
+    }, { provider, dependsOn });
+    //Quota
+    if (quota) {
+        (0, ResourceQuota_1.default)({
+            name,
+            namespace: name,
+            spec: quota,
+            provider,
+            dependsOn: ns,
+        });
+    }
+    //Network
+    // new k8s.networking.v1.NetworkPolicy(`nw_allow_all_${name}`, {
+    //   metadata: {
+    //     name: `nw-allow-all-${name}`,
+    //   },
+    //   spec: {
+    //     policyTypes: ['Ingress', 'Egress'],
+    //     podSelector: {},
+    //     ingress: [{}],
+    //     egress: [{}],
+    //   },
+    // });
+    return ns;
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiTmFtZXNwYWNlLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL0t1YmVYL0NvcmUvTmFtZXNwYWNlLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7O0FBQUEsMENBQTBDO0FBSTFDLG1EQUE0QztBQVU1QyxrQkFBZSxDQUFDLEVBQ2QsSUFBSSxHQUFHLEtBQUssRUFDWixNQUFNLEVBQ04sS0FBSyxFQUNMLFFBQVEsRUFDUixTQUFTLEdBQ0gsRUFBRSxFQUFFO0lBQ1YsTUFBTSxHQUFHLE1BQU0sSUFBSSxFQUFFLENBQUM7SUFFdEIsTUFBTSxFQUFFLEdBQUcsSUFBSSxHQUFHLENBQUMsSUFBSSxDQUFDLEVBQUUsQ0FBQyxTQUFTLENBQ2xDLElBQUksRUFDSjtRQUNFLFFBQVEsRUFBRTtZQUNSLElBQUk7WUFDSixTQUFTLEVBQUUsSUFBSTtZQUNmLE1BQU0sRUFBRTtnQkFDTixJQUFJO2dCQUNKLEdBQUcsTUFBTTthQUNWO1NBQ0Y7S0FDRixFQUNELEVBQUUsUUFBUSxFQUFFLFNBQVMsRUFBRSxDQUN4QixDQUFDO0lBRUYsT0FBTztJQUNQLElBQUksS0FBSyxFQUFFLENBQUM7UUFDVixJQUFBLHVCQUFhLEVBQUM7WUFDWixJQUFJO1lBQ0osU0FBUyxFQUFFLElBQUk7WUFDZixJQUFJLEVBQUUsS0FBSztZQUNYLFFBQVE7WUFDUixTQUFTLEVBQUUsRUFBRTtTQUNkLENBQUMsQ0FBQztJQUNMLENBQUM7SUFFRCxTQUFTO0lBQ1QsZ0VBQWdFO0lBQ2hFLGdCQUFnQjtJQUNoQixvQ0FBb0M7SUFDcEMsT0FBTztJQUNQLFlBQVk7SUFDWiwwQ0FBMEM7SUFDMUMsdUJBQXVCO0lBQ3ZCLHFCQUFxQjtJQUNyQixvQkFBb0I7SUFDcEIsT0FBTztJQUNQLE1BQU07SUFFTixPQUFPLEVBQUUsQ0FBQztBQUNaLENBQUMsQ0FBQyJ9

package/KubeX/Core/Nginx/index.d.ts

@@ -0,0 +1,60 @@
+import * as k8s from '@pulumi/kubernetes';
+import * as pulumi from '@pulumi/pulumi';
+import { DefaultK8sArgs } from '../../types';
+declare const defaultConfigs: {
+    useForwardedHeaders: string;
+    computeFullForwardedFor: string;
+    useProxyProtocol: string;
+    'use-forwarded-headers': string;
+    'disable-access-log': string;
+    'proxy-buffer-size': string;
+    'client-header-buffer-size': string;
+    client_max_body_size: string;
+    'enable-modsecurity': string;
+    'enable-owasp-modsecurity-crs': string;
+    'worker-shutdown-timeout': string;
+    'worker-connections': string;
+    'worker-processes': string;
+    'annotation-value-word-blocklist': string;
+};
+interface Props extends DefaultK8sArgs {
+    version?: string;
+    replicaCount?: number;
+    useIngressClassOnly?: boolean;
+    defaultIngressClass?: boolean;
+    allowSnippetAnnotations?: boolean;
+    network: {
+        /** The resource group of virtual network and public IpAddress. */
+        vnetResourceGroup?: string;
+        internalSubnetName?: pulumi.Output<string>;
+        internalIngress?: boolean;
+        loadBalancerIP?: pulumi.Input<string>;
+        clusterIP?: pulumi.Input<string>;
+    };
+    /**The nginx config map */
+    config?: {
+        [key: string]: string;
+    } | typeof defaultConfigs;
+    /**Expose TCP Ports {port: dnsName} */
+    tcp?: {
+        [key: number]: string;
+    };
+    /**Expose UDP ports  {port: dnsName} */
+    udp?: {
+        [key: number]: string;
+    };
+    /** Set Proxy Headers. It will be applied to all requests*/
+    addHeaders?: {
+        [key: string]: string;
+    };
+    proxySetHeaders?: {
+        [key: string]: string;
+    };
+    enableDebug?: boolean;
+}
+/**
+ * kubectl exec ingress-nginx-controller-873061567-4n3k2 -n ingress-nginx -- cat /etc/nginx/nginx.conf >> nginx.conf
+ * https://github.com/kubernetes/ingress-nginx
+ */
+declare const _default: ({ name, namespace, version, useIngressClassOnly, defaultIngressClass, allowSnippetAnnotations, replicaCount, network, config, tcp, udp, addHeaders, proxySetHeaders, enableDebug, provider, dependsOn, }: Props) => k8s.helm.v3.Chart;
+export default _default;

package/KubeX/Core/Nginx/index.js

@@ -0,0 +1,109 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const k8s = require("@pulumi/kubernetes");
+const SecurityRules_1 = require("../SecurityRules");
+const defaultConfigs = {
+    useForwardedHeaders: 'true',
+    computeFullForwardedFor: 'true',
+    useProxyProtocol: 'true',
+    'use-forwarded-headers': 'true',
+    'disable-access-log': 'true',
+    'proxy-buffer-size': '800k',
+    'client-header-buffer-size': '800k',
+    client_max_body_size: '10m',
+    'enable-modsecurity': 'true',
+    //'modsecurity-snippet': ``,
+    'enable-owasp-modsecurity-crs': 'true',
+    'worker-shutdown-timeout': '100s',
+    'worker-connections': '1024',
+    'worker-processes': '4', //or auto
+    'annotation-value-word-blocklist': 'load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},\\', //Remove single quote from annotation-value-word-blocklist to allows security content.
+};
+/**
+ * kubectl exec ingress-nginx-controller-873061567-4n3k2 -n ingress-nginx -- cat /etc/nginx/nginx.conf >> nginx.conf
+ * https://github.com/kubernetes/ingress-nginx
+ */
+exports.default = ({ name = 'nginx', namespace = 'nginx', version, useIngressClassOnly = true, defaultIngressClass, allowSnippetAnnotations, replicaCount = 1, network, config, tcp, udp, addHeaders, proxySetHeaders, enableDebug = false, provider, dependsOn, }) => {
+    //Annotations
+    const annotations = {};
+    if (network.internalIngress) {
+        annotations['service.beta.kubernetes.io/azure-load-balancer-internal'] =
+            'true';
+    }
+    if (network.vnetResourceGroup) {
+        annotations['service.beta.kubernetes.io/azure-load-balancer-resource-group'] = network.vnetResourceGroup;
+    }
+    if (network.internalSubnetName) {
+        annotations['service.beta.kubernetes.io/azure-load-balancer-internal-subnet'] = network.internalSubnetName;
+    }
+    // Create a NGINX Deployment
+    return new k8s.helm.v3.Chart(name, {
+        namespace,
+        chart: 'ingress-nginx',
+        version,
+        fetchOpts: {
+            repo: 'https://kubernetes.github.io/ingress-nginx',
+        },
+        skipAwait: true,
+        values: {
+            tcp,
+            udp,
+            proxySetHeaders,
+            addHeaders,
+            controller: {
+                hostNetwork: false,
+                allowSnippetAnnotations,
+                replicaCount,
+                proxySetHeaders,
+                addHeaders,
+                config: {
+                    ...defaultConfigs,
+                    ...config,
+                    'error-log-level': enableDebug ? 'debug' : 'notice', // notice or error
+                },
+                useIngressClassOnly,
+                watchIngressWithoutClass: defaultIngressClass,
+                ingressClass: useIngressClassOnly ? name : 'nginx',
+                ingressClassResource: useIngressClassOnly
+                    ? {
+                        name,
+                        controllerValue: `k8s.io/nginx-${name}`,
+                        enabled: true,
+                        default: defaultIngressClass,
+                    }
+                    : undefined,
+                nodeSelector: {
+                    'kubernetes.io/os': 'linux',
+                },
+                service: {
+                    externalTrafficPolicy: 'Local',
+                    annotations,
+                    clusterIP: network.clusterIP,
+                    loadBalancerIP: network.loadBalancerIP,
+                },
+                resources: {
+                    limits: {
+                        cpu: '1000m',
+                        memory: '1Gi',
+                    },
+                    requests: {
+                        cpu: '10m',
+                        memory: '10Mi',
+                    },
+                },
+                // metrics: {
+                //   enabled: true,
+                // },
+            },
+        },
+        transformations: [
+            (obj) => {
+                (0, SecurityRules_1.applyDeploymentRules)(obj, {
+                    //ignoredKinds: isPrd ? ['Job'] : undefined,
+                    ignoreSecurityContext: true,
+                });
+            },
+        ],
+    }, { provider, dependsOn });
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvS3ViZVgvQ29yZS9OZ2lueC9pbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOztBQUFBLDBDQUEwQztBQUkxQyxvREFBd0Q7QUFFeEQsTUFBTSxjQUFjLEdBQUc7SUFDckIsbUJBQW1CLEVBQUUsTUFBTTtJQUMzQix1QkFBdUIsRUFBRSxNQUFNO0lBQy9CLGdCQUFnQixFQUFFLE1BQU07SUFDeEIsdUJBQXVCLEVBQUUsTUFBTTtJQUMvQixvQkFBb0IsRUFBRSxNQUFNO0lBQzVCLG1CQUFtQixFQUFFLE1BQU07SUFDM0IsMkJBQTJCLEVBQUUsTUFBTTtJQUNuQyxvQkFBb0IsRUFBRSxLQUFLO0lBQzNCLG9CQUFvQixFQUFFLE1BQU07SUFDNUIsNEJBQTRCO0lBQzVCLDhCQUE4QixFQUFFLE1BQU07SUFDdEMseUJBQXlCLEVBQUUsTUFBTTtJQUNqQyxvQkFBb0IsRUFBRSxNQUFNO0lBQzVCLGtCQUFrQixFQUFFLEdBQUcsRUFBRSxTQUFTO0lBQ2xDLGlDQUFpQyxFQUMvQixnRkFBZ0YsRUFBRSxzRkFBc0Y7Q0FDM0ssQ0FBQztBQWlDRjs7O0dBR0c7QUFFSCxrQkFBZSxDQUFDLEVBQ2QsSUFBSSxHQUFHLE9BQU8sRUFDZCxTQUFTLEdBQUcsT0FBTyxFQUNuQixPQUFPLEVBRVAsbUJBQW1CLEdBQUcsSUFBSSxFQUMxQixtQkFBbUIsRUFDbkIsdUJBQXVCLEVBQ3ZCLFlBQVksR0FBRyxDQUFDLEVBQ2hCLE9BQU8sRUFDUCxNQUFNLEVBQ04sR0FBRyxFQUNILEdBQUcsRUFDSCxVQUFVLEVBQ1YsZUFBZSxFQUVmLFdBQVcsR0FBRyxLQUFLLEVBQ25CLFFBQVEsRUFDUixTQUFTLEdBQ0gsRUFBRSxFQUFFO0lBQ1YsYUFBYTtJQUNiLE1BQU0sV0FBVyxHQUFxQyxFQUFFLENBQUM7SUFFekQsSUFBSSxPQUFPLENBQUMsZUFBZSxFQUFFLENBQUM7UUFDNUIsV0FBVyxDQUFDLHlEQUF5RCxDQUFDO1lBQ3BFLE1BQU0sQ0FBQztJQUNYLENBQUM7SUFDRCxJQUFJLE9BQU8sQ0FBQyxpQkFBaUIsRUFBRSxDQUFDO1FBQzlCLFdBQVcsQ0FDVCwrREFBK0QsQ0FDaEUsR0FBRyxPQUFPLENBQUMsaUJBQWlCLENBQUM7SUFDaEMsQ0FBQztJQUNELElBQUksT0FBTyxDQUFDLGtCQUFrQixFQUFFLENBQUM7UUFDL0IsV0FBVyxDQUNULGdFQUFnRSxDQUNqRSxHQUFHLE9BQU8sQ0FBQyxrQkFBa0IsQ0FBQztJQUNqQyxDQUFDO0lBRUQsNEJBQTRCO0lBQzVCLE9BQU8sSUFBSSxHQUFHLENBQUMsSUFBSSxDQUFDLEVBQUUsQ0FBQyxLQUFLLENBQzFCLElBQUksRUFDSjtRQUNFLFNBQVM7UUFDVCxLQUFLLEVBQUUsZUFBZTtRQUN0QixPQUFPO1FBQ1AsU0FBUyxFQUFFO1lBQ1QsSUFBSSxFQUFFLDRDQUE0QztTQUNuRDtRQUNELFNBQVMsRUFBRSxJQUFJO1FBQ2YsTUFBTSxFQUFFO1lBQ04sR0FBRztZQUNILEdBQUc7WUFDSCxlQUFlO1lBQ2YsVUFBVTtZQUVWLFVBQVUsRUFBRTtnQkFDVixXQUFXLEVBQUUsS0FBSztnQkFDbEIsdUJBQXVCO2dCQUN2QixZQUFZO2dCQUVaLGVBQWU7Z0JBQ2YsVUFBVTtnQkFDVixNQUFNLEVBQUU7b0JBQ04sR0FBRyxjQUFjO29CQUNqQixHQUFHLE1BQU07b0JBQ1QsaUJBQWlCLEVBQUUsV0FBVyxDQUFDLENBQUMsQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUFDLFFBQVEsRUFBRSxrQkFBa0I7aUJBQ3hFO2dCQUVELG1CQUFtQjtnQkFDbkIsd0JBQXdCLEVBQUUsbUJBQW1CO2dCQUU3QyxZQUFZLEVBQUUsbUJBQW1CLENBQUMsQ0FBQyxDQUFDLElBQUksQ0FBQyxDQUFDLENBQUMsT0FBTztnQkFDbEQsb0JBQW9CLEVBQUUsbUJBQW1CO29CQUN2QyxDQUFDLENBQUM7d0JBQ0UsSUFBSTt3QkFDSixlQUFlLEVBQUUsZ0JBQWdCLElBQUksRUFBRTt3QkFDdkMsT0FBTyxFQUFFLElBQUk7d0JBQ2IsT0FBTyxFQUFFLG1CQUFtQjtxQkFDN0I7b0JBQ0gsQ0FBQyxDQUFDLFNBQVM7Z0JBRWIsWUFBWSxFQUFFO29CQUNaLGtCQUFrQixFQUFFLE9BQU87aUJBQzVCO2dCQUVELE9BQU8sRUFBRTtvQkFDUCxxQkFBcUIsRUFBRSxPQUFPO29CQUM5QixXQUFXO29CQUNYLFNBQVMsRUFBRSxPQUFPLENBQUMsU0FBUztvQkFDNUIsY0FBYyxFQUFFLE9BQU8sQ0FBQyxjQUFjO2lCQUN2QztnQkFDRCxTQUFTLEVBQUU7b0JBQ1QsTUFBTSxFQUFFO3dCQUNOLEdBQUcsRUFBRSxPQUFPO3dCQUNaLE1BQU0sRUFBRSxLQUFLO3FCQUNkO29CQUNELFFBQVEsRUFBRTt3QkFDUixHQUFHLEVBQUUsS0FBSzt3QkFDVixNQUFNLEVBQUUsTUFBTTtxQkFDZjtpQkFDRjtnQkFDRCxhQUFhO2dCQUNiLG1CQUFtQjtnQkFDbkIsS0FBSzthQUNOO1NBQ0Y7UUFFRCxlQUFlLEVBQUU7WUFDZixDQUFDLEdBQUcsRUFBRSxFQUFFO2dCQUNOLElBQUEsb0NBQW9CLEVBQUMsR0FBRyxFQUFFO29CQUN4Qiw0Q0FBNEM7b0JBQzVDLHFCQUFxQixFQUFFLElBQUk7aUJBQzVCLENBQUMsQ0FBQztZQUNMLENBQUM7U0FDRjtLQUNGLEVBQ0QsRUFBRSxRQUFRLEVBQUUsU0FBUyxFQUFFLENBQ3hCLENBQUM7QUFDSixDQUFDLENBQUMifQ==

package/KubeX/Core/OAuthProxy/index.js

@@ -0,0 +1,3 @@
+"use strict";
+//https://oak-tree.tech/blog/k8s-nginx-oauth2-gitlab
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvS3ViZVgvQ29yZS9PQXV0aFByb3h5L2luZGV4LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7QUFBQSxvREFBb0QifQ==

package/KubeX/Core/ResourceQuota.d.ts

@@ -0,0 +1,12 @@
+import { DefaultK8sArgs } from '../types';
+export type ResourceQuotaSpec = {
+    cpu: string;
+    memory: string;
+    pods: string;
+    persistentvolumeclaims: string;
+};
+interface Props extends DefaultK8sArgs {
+    spec: ResourceQuotaSpec;
+}
+declare const _default: ({ name, namespace, spec, ...others }: Props) => import("@pulumi/kubernetes/core/v1/resourceQuota").ResourceQuota;
+export default _default;

package/KubeX/Core/ResourceQuota.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const k8s = require("@pulumi/kubernetes");
+exports.default = ({ name = 'resource-quota', namespace, spec, ...others }) => new k8s.core.v1.ResourceQuota(name, {
+    metadata: {
+        name,
+        namespace,
+    },
+    spec: {
+        hard: spec,
+    },
+}, others);
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiUmVzb3VyY2VRdW90YS5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9LdWJlWC9Db3JlL1Jlc291cmNlUXVvdGEudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7QUFDQSwwQ0FBMEM7QUFhMUMsa0JBQWUsQ0FBQyxFQUNkLElBQUksR0FBRyxnQkFBZ0IsRUFDdkIsU0FBUyxFQUNULElBQUksRUFDSixHQUFHLE1BQU0sRUFDSCxFQUFFLEVBQUUsQ0FDVixJQUFJLEdBQUcsQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDLGFBQWEsQ0FDM0IsSUFBSSxFQUNKO0lBQ0UsUUFBUSxFQUFFO1FBQ1IsSUFBSTtRQUNKLFNBQVM7S0FDVjtJQUNELElBQUksRUFBRTtRQUNKLElBQUksRUFBRSxJQUFJO0tBQ1g7Q0FDRixFQUNELE1BQU0sQ0FDUCxDQUFDIn0=

package/KubeX/Core/SecurityRules.d.ts

@@ -0,0 +1,34 @@
+export { defaultResponseHeaders } from '../Ingress/Conts';
+export declare const defaultSecurityContext: {
+    runAsUser: number;
+    runAsGroup: number;
+    fsGroup: number;
+};
+export declare const defaultPodSecurityContext: {
+    readOnlyRootFilesystem: boolean;
+    privileged: boolean;
+    runAsNonRoot: boolean;
+    allowPrivilegeEscalation: boolean;
+    fsGroupChangePolicy: string;
+    capabilities: {
+        add: string[];
+        drop: string[];
+    };
+};
+export declare const defaultResources: {
+    limits: {
+        cpu: string;
+        memory: string;
+    };
+    requests: {
+        cpu: string;
+        memory: string;
+    };
+};
+type Kinds = 'DaemonSet' | 'Deployment' | 'Job' | 'CronJob' | 'StatefulSet';
+interface OptionsProps {
+    disableServiceAccount?: boolean;
+    ignoreSecurityContext?: boolean;
+    ignoredKinds?: Array<Kinds>;
+}
+export declare const applyDeploymentRules: (obj: any, options?: OptionsProps) => any;