npm - @highstate/cilium - Versions diffs - 0.7.2 → 0.7.3 - Mend

@highstate/cilium 0.7.2 → 0.7.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/highstate.manifest.json +5 -0
package/dist/index.js +37 -20
package/dist/index.js.map +1 -0
package/package.json +12 -17
package/src/index.ts +2 -0
package/src/network-policy.ts +250 -0
package/src/shared.ts +1 -0
package/assets/charts.json +0 -8
package/dist/index.d.ts +0 -18

package/dist/highstate.manifest.json ADDED Viewed

@@ -0,0 +1,5 @@
+{
+  "sourceHashes": {
+    "./dist/index.js": "cdeaa3a9d44804f17dc88c4b20b6dac26bb59501ac14d783d09ea1ca60207d0b"
+  }
+}

package/dist/index.js CHANGED Viewed

@@ -1,10 +1,16 @@
-import { output } from '@highstate/pulumi';
-import { NetworkPolicy, mapMetadata, mapServiceToLabelSelector, mapNamespaceLikeToNamespaceName, mapSelectorLikeToSelector } from '@highstate/k8s';
-import { cilium } from '@highstate/cilium-crds';
-import '@pulumi/kubernetes';
-import { mapKeys, pipe, map } from 'remeda';
-class CiliumNetworkPolicy extends NetworkPolicy {
+// src/network-policy.ts
+import { output } from "@highstate/pulumi";
+import {
+  mapMetadata,
+  mapNamespaceLikeToNamespaceName,
+  mapSelectorLikeToSelector,
+  mapServiceToLabelSelector,
+  NetworkPolicy
+} from "@highstate/k8s";
+import { cilium } from "@highstate/cilium-crds";
+import "@pulumi/kubernetes";
+import { map, mapKeys, pipe } from "remeda";
+var CiliumNetworkPolicy = class _CiliumNetworkPolicy extends NetworkPolicy {
   create(name, args, opts) {
     return new cilium.v2.CiliumNetworkPolicy(
       name,
@@ -13,8 +19,8 @@ class CiliumNetworkPolicy extends NetworkPolicy {
         spec: {
           description: args.description,
           endpointSelector: args.podSelector,
-          ingress: CiliumNetworkPolicy.createIngressRules(args),
-          egress: CiliumNetworkPolicy.createEgressRules(args)
+          ingress: _CiliumNetworkPolicy.createIngressRules(args),
+          egress: _CiliumNetworkPolicy.createEgressRules(args)
         }
       },
       opts
@@ -24,7 +30,7 @@ class CiliumNetworkPolicy extends NetworkPolicy {
     if (args.isolateIngress) {
       return [{}];
     }
-    return args.ingressRules.flatMap((rule) => CiliumNetworkPolicy.createRules("from", rule));
+    return args.ingressRules.flatMap((rule) => _CiliumNetworkPolicy.createRules("from", rule));
   }
   static createEgressRules(args) {
     if (args.isolateEgress) {
@@ -34,17 +40,17 @@ class CiliumNetworkPolicy extends NetworkPolicy {
     if (args.allowKubeApiServer) {
       extraRules.push({ toEntities: ["kube-apiserver"] });
     }
-    return args.egressRules.flatMap((rule) => CiliumNetworkPolicy.createRules("to", rule)).concat(extraRules);
+    return args.egressRules.flatMap((rule) => _CiliumNetworkPolicy.createRules("to", rule)).concat(extraRules);
   }
   static createRules(prefix, rule) {
-    const port = CiliumNetworkPolicy.mapPorts(rule.ports);
+    const port = _CiliumNetworkPolicy.mapPorts(rule.ports);
     const ports = port ? [port] : void 0;
     return [
-      ...CiliumNetworkPolicy.createAllRules(prefix, rule, ports),
-      ...CiliumNetworkPolicy.createCidrRules(prefix, rule, ports),
-      ...CiliumNetworkPolicy.createServiceRules(prefix, rule, ports),
-      ...CiliumNetworkPolicy.createSelectorRules(prefix, rule, ports),
-      ...prefix === "to" ? CiliumNetworkPolicy.createFqdnRules(rule, ports) : []
+      ..._CiliumNetworkPolicy.createAllRules(prefix, rule, ports),
+      ..._CiliumNetworkPolicy.createCidrRules(prefix, rule, ports),
+      ..._CiliumNetworkPolicy.createServiceRules(prefix, rule, ports),
+      ..._CiliumNetworkPolicy.createSelectorRules(prefix, rule, ports),
+      ...prefix === "to" ? _CiliumNetworkPolicy.createFqdnRules(rule, ports) : []
     ];
   }
   static createAllRules(prefix, rule, ports) {
@@ -120,7 +126,7 @@ class CiliumNetworkPolicy extends NetworkPolicy {
     );
   }
   static createSelectorRules(prefix, rule, ports) {
-    const namespaceExpressions = CiliumNetworkPolicy.createNamespaceExpressions(rule);
+    const namespaceExpressions = _CiliumNetworkPolicy.createNamespaceExpressions(rule);
     if (rule.selectors.length === 0) {
       if (namespaceExpressions.length === 0) {
         return [];
@@ -173,6 +179,17 @@ class CiliumNetworkPolicy extends NetworkPolicy {
       })
     };
   }
-}
+};
-export { CiliumNetworkPolicy };
+// assets/charts.json
+var cilium2 = {
+  repo: "https://helm.cilium.io",
+  name: "cilium",
+  version: "1.17.1",
+  sha256: "381de4f8f4c5eace677d3426aa8d896ef8d2318c2bf4d1172c9953345b744471"
+};
+export {
+  CiliumNetworkPolicy,
+  cilium2 as chart
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/network-policy.ts","../assets/charts.json"],"sourcesContent":["import { type ResourceOptions, type Resource, output } from \"@highstate/pulumi\"\nimport {\n mapMetadata,\n mapNamespaceLikeToNamespaceName,\n mapSelectorLikeToSelector,\n mapServiceToLabelSelector,\n NetworkPolicy,\n type NetworkPolicyPort,\n type NormalizedNetworkPolicyArgs,\n type NormalizedRuleArgs,\n} from \"@highstate/k8s\"\nimport { cilium, types } from \"@highstate/cilium-crds\"\nimport { types as k8sTypes } from \"@pulumi/kubernetes\"\nimport { map, mapKeys, pipe } from \"remeda\"\n\ntype Rule = types.input.cilium.v2.CiliumNetworkPolicySpecIngress &\n types.input.cilium.v2.CiliumNetworkPolicySpecEgress\n\nexport class CiliumNetworkPolicy extends NetworkPolicy {\n protected create(\n name: string,\n args: NormalizedNetworkPolicyArgs,\n opts?: ResourceOptions,\n ): Resource {\n return new cilium.v2.CiliumNetworkPolicy(\n name,\n {\n metadata: mapMetadata(args, name),\n spec: {\n description: args.description,\n endpointSelector: args.podSelector,\n ingress: CiliumNetworkPolicy.createIngressRules(args),\n egress: CiliumNetworkPolicy.createEgressRules(args),\n },\n },\n opts,\n )\n }\n\n private static createIngressRules(args: NormalizedNetworkPolicyArgs): Rule[] {\n if (args.isolateIngress) {\n return [{}]\n }\n\n return args.ingressRules.flatMap(rule => CiliumNetworkPolicy.createRules(\"from\", rule))\n }\n\n private static createEgressRules(args: NormalizedNetworkPolicyArgs): Rule[] {\n if (args.isolateEgress) {\n return [{}]\n }\n\n const extraRules: Rule[] = []\n\n if (args.allowKubeApiServer) {\n extraRules.push({ toEntities: [\"kube-apiserver\"] })\n }\n\n return args.egressRules\n .flatMap(rule => CiliumNetworkPolicy.createRules(\"to\", rule))\n .concat(extraRules)\n }\n\n private static createRules(prefix: \"from\" | \"to\", rule: NormalizedRuleArgs): Rule[] {\n const port = CiliumNetworkPolicy.mapPorts(rule.ports)\n const ports = port ? [port] : undefined\n\n return [\n ...CiliumNetworkPolicy.createAllRules(prefix, rule, ports),\n ...CiliumNetworkPolicy.createCidrRules(prefix, rule, ports),\n ...CiliumNetworkPolicy.createServiceRules(prefix, rule, ports),\n ...CiliumNetworkPolicy.createSelectorRules(prefix, rule, ports),\n ...(prefix === \"to\" ? CiliumNetworkPolicy.createFqdnRules(rule, ports) : []),\n ]\n }\n\n private static createAllRules(\n prefix: \"from\" | \"to\",\n rule: NormalizedRuleArgs,\n ports: types.input.cilium.v2.CiliumNetworkPolicySpecEgressToPorts[] | undefined,\n ): Rule[] {\n if (!rule.all) {\n return []\n }\n\n return [\n {\n [`${prefix}Entities`]: [\"all\"],\n toPorts: ports,\n },\n ]\n }\n\n private static createCidrRules(\n prefix: \"from\" | \"to\",\n rule: NormalizedRuleArgs,\n ports: types.input.cilium.v2.CiliumNetworkPolicySpecEgressToPorts[] | undefined,\n ): Rule[] {\n if (rule.cidrs.length === 0) {\n return []\n }\n\n return [\n {\n [`${prefix}CIDR`]: rule.cidrs,\n toPorts: ports,\n },\n ]\n }\n\n private static createFqdnRules(\n rule: NormalizedRuleArgs,\n ports: types.input.cilium.v2.CiliumNetworkPolicySpecEgressToPorts[] | undefined,\n ): types.input.cilium.v2.CiliumNetworkPolicySpecEgress[] {\n if (rule.fqdns.length === 0) {\n return []\n }\n\n return [\n {\n toFQDNs: rule.fqdns.map(fqdn => {\n return fqdn.includes(\"*\") ? { matchName: fqdn } : { matchPattern: fqdn }\n }),\n toPorts: ports,\n },\n ]\n }\n\n private static createServiceRules(\n prefix: \"from\" | \"to\",\n rule: NormalizedRuleArgs,\n ports: types.input.cilium.v2.CiliumNetworkPolicySpecEgressToPorts[] | undefined,\n ): Rule[] {\n if (rule.services.length === 0) {\n return []\n }\n\n const selectors = rule.services.map(service => {\n const selector = mapServiceToLabelSelector(service)\n\n return output(selector).apply(selector => ({\n matchLabels: {\n ...mapKeys(selector.matchLabels ?? {}, key => `k8s:${key}`),\n \"k8s:io.kubernetes.pod.namespace\": service.metadata.namespace,\n },\n }))\n })\n\n return [\n {\n [`${prefix}Endpoints`]: selectors,\n toPorts: ports,\n },\n ]\n }\n\n private static createNamespaceExpressions(\n rule: NormalizedRuleArgs,\n ): k8sTypes.input.meta.v1.LabelSelectorRequirement[] {\n if (rule.namespaces.length === 0) {\n return []\n }\n\n return pipe(\n //\n rule.namespaces,\n map(mapNamespaceLikeToNamespaceName),\n names => [\n {\n key: \"k8s:io.kubernetes.pod.namespace\",\n operator: \"In\",\n values: names,\n },\n ],\n )\n }\n\n private static createSelectorRules(\n prefix: \"from\" | \"to\",\n rule: NormalizedRuleArgs,\n ports: types.input.cilium.v2.CiliumNetworkPolicySpecEgressToPorts[] | undefined,\n ): types.input.cilium.v2.CiliumNetworkPolicySpecIngress[] {\n const namespaceExpressions = CiliumNetworkPolicy.createNamespaceExpressions(rule)\n\n if (rule.selectors.length === 0) {\n if (namespaceExpressions.length === 0) {\n // if no selectors and no namespaces are provided, we do not match\n return []\n }\n\n // if no selectors are provided, we only match on namespaces\n return [\n {\n [`${prefix}Endpoints`]: [{ matchExpressions: namespaceExpressions }],\n toPorts: ports,\n },\n ]\n }\n\n // otherwise, we match on selectors and namespaces\n const selectors = rule.selectors.map(selector => {\n const rawSelector = mapSelectorLikeToSelector(selector)\n\n return output(rawSelector).apply(rawSelector => {\n const expressions = map(rawSelector.matchExpressions ?? [], expression => ({\n key: `k8s:${expression.key}`,\n operator: expression.operator,\n values: expression.values,\n }))\n\n return {\n matchLabels: mapKeys(rawSelector.matchLabels ?? {}, key => `k8s:${key}`),\n matchExpressions: [...expressions, ...namespaceExpressions],\n }\n })\n })\n\n return [\n {\n [`${prefix}Endpoints`]: selectors,\n toPorts: ports,\n },\n ]\n }\n\n private static mapPorts(\n ports: NetworkPolicyPort[],\n ): types.input.cilium.v2.CiliumNetworkPolicySpecEgressToPorts | undefined {\n if (ports.length === 0) {\n return\n }\n\n return {\n ports: ports.map(port => {\n if (\"port\" in port) {\n return {\n port: port.port.toString(),\n protocol: port.protocol ?? \"TCP\",\n }\n }\n\n return {\n port: port.range[0].toString(),\n endPort: port.range[1],\n protocol: port.protocol ?? \"TCP\",\n }\n }),\n }\n }\n}\n","{\n \"cilium\": {\n \"repo\": \"https://helm.cilium.io\",\n \"name\": \"cilium\",\n \"version\": \"1.17.1\",\n \"sha256\": \"381de4f8f4c5eace677d3426aa8d896ef8d2318c2bf4d1172c9953345b744471\"\n }\n}\n"],"mappings":";AAAA,SAA8C,cAAc;AAC5D;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAIK;AACP,SAAS,cAAqB;AAC9B,OAAkC;AAClC,SAAS,KAAK,SAAS,YAAY;AAK5B,IAAM,sBAAN,MAAM,6BAA4B,cAAc;AAAA,EAC3C,OACR,MACA,MACA,MACU;AACV,WAAO,IAAI,OAAO,GAAG;AAAA,MACnB;AAAA,MACA;AAAA,QACE,UAAU,YAAY,MAAM,IAAI;AAAA,QAChC,MAAM;AAAA,UACJ,aAAa,KAAK;AAAA,UAClB,kBAAkB,KAAK;AAAA,UACvB,SAAS,qBAAoB,mBAAmB,IAAI;AAAA,UACpD,QAAQ,qBAAoB,kBAAkB,IAAI;AAAA,QACpD;AAAA,MACF;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA,EAEA,OAAe,mBAAmB,MAA2C;AAC3E,QAAI,KAAK,gBAAgB;AACvB,aAAO,CAAC,CAAC,CAAC;AAAA,IACZ;AAEA,WAAO,KAAK,aAAa,QAAQ,UAAQ,qBAAoB,YAAY,QAAQ,IAAI,CAAC;AAAA,EACxF;AAAA,EAEA,OAAe,kBAAkB,MAA2C;AAC1E,QAAI,KAAK,eAAe;AACtB,aAAO,CAAC,CAAC,CAAC;AAAA,IACZ;AAEA,UAAM,aAAqB,CAAC;AAE5B,QAAI,KAAK,oBAAoB;AAC3B,iBAAW,KAAK,EAAE,YAAY,CAAC,gBAAgB,EAAE,CAAC;AAAA,IACpD;AAEA,WAAO,KAAK,YACT,QAAQ,UAAQ,qBAAoB,YAAY,MAAM,IAAI,CAAC,EAC3D,OAAO,UAAU;AAAA,EACtB;AAAA,EAEA,OAAe,YAAY,QAAuB,MAAkC;AAClF,UAAM,OAAO,qBAAoB,SAAS,KAAK,KAAK;AACpD,UAAM,QAAQ,OAAO,CAAC,IAAI,IAAI;AAE9B,WAAO;AAAA,MACL,GAAG,qBAAoB,eAAe,QAAQ,MAAM,KAAK;AAAA,MACzD,GAAG,qBAAoB,gBAAgB,QAAQ,MAAM,KAAK;AAAA,MAC1D,GAAG,qBAAoB,mBAAmB,QAAQ,MAAM,KAAK;AAAA,MAC7D,GAAG,qBAAoB,oBAAoB,QAAQ,MAAM,KAAK;AAAA,MAC9D,GAAI,WAAW,OAAO,qBAAoB,gBAAgB,MAAM,KAAK,IAAI,CAAC;AAAA,IAC5E;AAAA,EACF;AAAA,EAEA,OAAe,eACb,QACA,MACA,OACQ;AACR,QAAI,CAAC,KAAK,KAAK;AACb,aAAO,CAAC;AAAA,IACV;AAEA,WAAO;AAAA,MACL;AAAA,QACE,CAAC,GAAG,MAAM,UAAU,GAAG,CAAC,KAAK;AAAA,QAC7B,SAAS;AAAA,MACX;AAAA,IACF;AAAA,EACF;AAAA,EAEA,OAAe,gBACb,QACA,MACA,OACQ;AACR,QAAI,KAAK,MAAM,WAAW,GAAG;AAC3B,aAAO,CAAC;AAAA,IACV;AAEA,WAAO;AAAA,MACL;AAAA,QACE,CAAC,GAAG,MAAM,MAAM,GAAG,KAAK;AAAA,QACxB,SAAS;AAAA,MACX;AAAA,IACF;AAAA,EACF;AAAA,EAEA,OAAe,gBACb,MACA,OACuD;AACvD,QAAI,KAAK,MAAM,WAAW,GAAG;AAC3B,aAAO,CAAC;AAAA,IACV;AAEA,WAAO;AAAA,MACL;AAAA,QACE,SAAS,KAAK,MAAM,IAAI,UAAQ;AAC9B,iBAAO,KAAK,SAAS,GAAG,IAAI,EAAE,WAAW,KAAK,IAAI,EAAE,cAAc,KAAK;AAAA,QACzE,CAAC;AAAA,QACD,SAAS;AAAA,MACX;AAAA,IACF;AAAA,EACF;AAAA,EAEA,OAAe,mBACb,QACA,MACA,OACQ;AACR,QAAI,KAAK,SAAS,WAAW,GAAG;AAC9B,aAAO,CAAC;AAAA,IACV;AAEA,UAAM,YAAY,KAAK,SAAS,IAAI,aAAW;AAC7C,YAAM,WAAW,0BAA0B,OAAO;AAElD,aAAO,OAAO,QAAQ,EAAE,MAAM,CAAAA,eAAa;AAAA,QACzC,aAAa;AAAA,UACX,GAAG,QAAQA,UAAS,eAAe,CAAC,GAAG,SAAO,OAAO,GAAG,EAAE;AAAA,UAC1D,mCAAmC,QAAQ,SAAS;AAAA,QACtD;AAAA,MACF,EAAE;AAAA,IACJ,CAAC;AAED,WAAO;AAAA,MACL;AAAA,QACE,CAAC,GAAG,MAAM,WAAW,GAAG;AAAA,QACxB,SAAS;AAAA,MACX;AAAA,IACF;AAAA,EACF;AAAA,EAEA,OAAe,2BACb,MACmD;AACnD,QAAI,KAAK,WAAW,WAAW,GAAG;AAChC,aAAO,CAAC;AAAA,IACV;AAEA,WAAO;AAAA;AAAA,MAEL,KAAK;AAAA,MACL,IAAI,+BAA+B;AAAA,MACnC,WAAS;AAAA,QACP;AAAA,UACE,KAAK;AAAA,UACL,UAAU;AAAA,UACV,QAAQ;AAAA,QACV;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EAEA,OAAe,oBACb,QACA,MACA,OACwD;AACxD,UAAM,uBAAuB,qBAAoB,2BAA2B,IAAI;AAEhF,QAAI,KAAK,UAAU,WAAW,GAAG;AAC/B,UAAI,qBAAqB,WAAW,GAAG;AAErC,eAAO,CAAC;AAAA,MACV;AAGA,aAAO;AAAA,QACL;AAAA,UACE,CAAC,GAAG,MAAM,WAAW,GAAG,CAAC,EAAE,kBAAkB,qBAAqB,CAAC;AAAA,UACnE,SAAS;AAAA,QACX;AAAA,MACF;AAAA,IACF;AAGA,UAAM,YAAY,KAAK,UAAU,IAAI,cAAY;AAC/C,YAAM,cAAc,0BAA0B,QAAQ;AAEtD,aAAO,OAAO,WAAW,EAAE,MAAM,CAAAC,iBAAe;AAC9C,cAAM,cAAc,IAAIA,aAAY,oBAAoB,CAAC,GAAG,iBAAe;AAAA,UACzE,KAAK,OAAO,WAAW,GAAG;AAAA,UAC1B,UAAU,WAAW;AAAA,UACrB,QAAQ,WAAW;AAAA,QACrB,EAAE;AAEF,eAAO;AAAA,UACL,aAAa,QAAQA,aAAY,eAAe,CAAC,GAAG,SAAO,OAAO,GAAG,EAAE;AAAA,UACvE,kBAAkB,CAAC,GAAG,aAAa,GAAG,oBAAoB;AAAA,QAC5D;AAAA,MACF,CAAC;AAAA,IACH,CAAC;AAED,WAAO;AAAA,MACL;AAAA,QACE,CAAC,GAAG,MAAM,WAAW,GAAG;AAAA,QACxB,SAAS;AAAA,MACX;AAAA,IACF;AAAA,EACF;AAAA,EAEA,OAAe,SACb,OACwE;AACxE,QAAI,MAAM,WAAW,GAAG;AACtB;AAAA,IACF;AAEA,WAAO;AAAA,MACL,OAAO,MAAM,IAAI,UAAQ;AACvB,YAAI,UAAU,MAAM;AAClB,iBAAO;AAAA,YACL,MAAM,KAAK,KAAK,SAAS;AAAA,YACzB,UAAU,KAAK,YAAY;AAAA,UAC7B;AAAA,QACF;AAEA,eAAO;AAAA,UACL,MAAM,KAAK,MAAM,CAAC,EAAE,SAAS;AAAA,UAC7B,SAAS,KAAK,MAAM,CAAC;AAAA,UACrB,UAAU,KAAK,YAAY;AAAA,QAC7B;AAAA,MACF,CAAC;AAAA,IACH;AAAA,EACF;AACF;;;ACxPE,IAAAC,UAAU;AAAA,EACR,MAAQ;AAAA,EACR,MAAQ;AAAA,EACR,SAAW;AAAA,EACX,QAAU;AACZ;","names":["selector","rawSelector","cilium"]}

package/package.json CHANGED Viewed

@@ -1,44 +1,39 @@
 {
   "name": "@highstate/cilium",
-  "version": "0.7.2",
+  "version": "0.7.3",
   "type": "module",
   "files": [
-    "assets",
-    "dist"
+    "dist",
+    "src"
   ],
-  "module": "dist/index.js",
-  "types": "dist/index.d.ts",
   "exports": {
     ".": {
-      "default": "./dist/index.js",
-      "types": "./dist/index.d.ts"
-    },
-    "./charts.json": {
-      "default": "./assets/charts.json"
+      "types": "./src/index.ts",
+      "default": "./dist/index.js"
     }
   },
   "publishConfig": {
     "access": "public"
   },
   "scripts": {
-    "build": "pkgroll --tsconfig=tsconfig.build.json",
+    "build": "highstate build",
     "update-charts": "../../scripts/update-charts.sh ./assets/charts.json",
     "generate-crds": "./scripts/generate-crds.sh"
   },
   "dependencies": {
-    "@highstate/cilium-crds": "^0.7.2",
-    "@highstate/k8s": "^0.7.2",
-    "@highstate/pulumi": "^0.7.2",
+    "@highstate/cilium-crds": "^0.7.3",
+    "@highstate/k8s": "^0.7.3",
+    "@highstate/pulumi": "^0.7.3",
     "@pulumi/command": "^1.0.2",
     "@pulumi/kubernetes": "^4.18.0",
-    "@pulumi/pulumi": "^3.152.0",
+    "@pulumi/pulumi": "patch:@pulumi/pulumi@npm%3A3.159.0#~/.yarn/patches/@pulumi-pulumi-npm-3.159.0-d07eefce5c.patch",
     "remeda": "^2.21.0"
   },
   "peerDependencies": {
     "@highstate/library": "workspace:^0.4.4"
   },
   "devDependencies": {
-    "pkgroll": "^2.5.1"
+    "@highstate/cli": "^0.7.3"
   },
-  "gitHead": "e177535015e0fa3c74ae8ddc0bc6d31b191d2c54"
+  "gitHead": "5cf7cec27262c8fa1d96f6478833b94841459d64"
 }

package/src/index.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export { CiliumNetworkPolicy } from "./network-policy"
2	+ export { chart } from "./shared"

package/src/network-policy.ts ADDED Viewed

@@ -0,0 +1,250 @@
+import { type ResourceOptions, type Resource, output } from "@highstate/pulumi"
+import {
+  mapMetadata,
+  mapNamespaceLikeToNamespaceName,
+  mapSelectorLikeToSelector,
+  mapServiceToLabelSelector,
+  NetworkPolicy,
+  type NetworkPolicyPort,
+  type NormalizedNetworkPolicyArgs,
+  type NormalizedRuleArgs,
+} from "@highstate/k8s"
+import { cilium, types } from "@highstate/cilium-crds"
+import { types as k8sTypes } from "@pulumi/kubernetes"
+import { map, mapKeys, pipe } from "remeda"
+type Rule = types.input.cilium.v2.CiliumNetworkPolicySpecIngress &
+  types.input.cilium.v2.CiliumNetworkPolicySpecEgress
+export class CiliumNetworkPolicy extends NetworkPolicy {
+  protected create(
+    name: string,
+    args: NormalizedNetworkPolicyArgs,
+    opts?: ResourceOptions,
+  ): Resource {
+    return new cilium.v2.CiliumNetworkPolicy(
+      name,
+      {
+        metadata: mapMetadata(args, name),
+        spec: {
+          description: args.description,
+          endpointSelector: args.podSelector,
+          ingress: CiliumNetworkPolicy.createIngressRules(args),
+          egress: CiliumNetworkPolicy.createEgressRules(args),
+        },
+      },
+      opts,
+    )
+  }
+  private static createIngressRules(args: NormalizedNetworkPolicyArgs): Rule[] {
+    if (args.isolateIngress) {
+      return [{}]
+    }
+    return args.ingressRules.flatMap(rule => CiliumNetworkPolicy.createRules("from", rule))
+  }
+  private static createEgressRules(args: NormalizedNetworkPolicyArgs): Rule[] {
+    if (args.isolateEgress) {
+      return [{}]
+    }
+    const extraRules: Rule[] = []
+    if (args.allowKubeApiServer) {
+      extraRules.push({ toEntities: ["kube-apiserver"] })
+    }
+    return args.egressRules
+      .flatMap(rule => CiliumNetworkPolicy.createRules("to", rule))
+      .concat(extraRules)
+  }
+  private static createRules(prefix: "from" | "to", rule: NormalizedRuleArgs): Rule[] {
+    const port = CiliumNetworkPolicy.mapPorts(rule.ports)
+    const ports = port ? [port] : undefined
+    return [
+      ...CiliumNetworkPolicy.createAllRules(prefix, rule, ports),
+      ...CiliumNetworkPolicy.createCidrRules(prefix, rule, ports),
+      ...CiliumNetworkPolicy.createServiceRules(prefix, rule, ports),
+      ...CiliumNetworkPolicy.createSelectorRules(prefix, rule, ports),
+      ...(prefix === "to" ? CiliumNetworkPolicy.createFqdnRules(rule, ports) : []),
+    ]
+  }
+  private static createAllRules(
+    prefix: "from" | "to",
+    rule: NormalizedRuleArgs,
+    ports: types.input.cilium.v2.CiliumNetworkPolicySpecEgressToPorts[] | undefined,
+  ): Rule[] {
+    if (!rule.all) {
+      return []
+    }
+    return [
+      {
+        [`${prefix}Entities`]: ["all"],
+        toPorts: ports,
+      },
+    ]
+  }
+  private static createCidrRules(
+    prefix: "from" | "to",
+    rule: NormalizedRuleArgs,
+    ports: types.input.cilium.v2.CiliumNetworkPolicySpecEgressToPorts[] | undefined,
+  ): Rule[] {
+    if (rule.cidrs.length === 0) {
+      return []
+    }
+    return [
+      {
+        [`${prefix}CIDR`]: rule.cidrs,
+        toPorts: ports,
+      },
+    ]
+  }
+  private static createFqdnRules(
+    rule: NormalizedRuleArgs,
+    ports: types.input.cilium.v2.CiliumNetworkPolicySpecEgressToPorts[] | undefined,
+  ): types.input.cilium.v2.CiliumNetworkPolicySpecEgress[] {
+    if (rule.fqdns.length === 0) {
+      return []
+    }
+    return [
+      {
+        toFQDNs: rule.fqdns.map(fqdn => {
+          return fqdn.includes("*") ? { matchName: fqdn } : { matchPattern: fqdn }
+        }),
+        toPorts: ports,
+      },
+    ]
+  }
+  private static createServiceRules(
+    prefix: "from" | "to",
+    rule: NormalizedRuleArgs,
+    ports: types.input.cilium.v2.CiliumNetworkPolicySpecEgressToPorts[] | undefined,
+  ): Rule[] {
+    if (rule.services.length === 0) {
+      return []
+    }
+    const selectors = rule.services.map(service => {
+      const selector = mapServiceToLabelSelector(service)
+      return output(selector).apply(selector => ({
+        matchLabels: {
+          ...mapKeys(selector.matchLabels ?? {}, key => `k8s:${key}`),
+          "k8s:io.kubernetes.pod.namespace": service.metadata.namespace,
+        },
+      }))
+    })
+    return [
+      {
+        [`${prefix}Endpoints`]: selectors,
+        toPorts: ports,
+      },
+    ]
+  }
+  private static createNamespaceExpressions(
+    rule: NormalizedRuleArgs,
+  ): k8sTypes.input.meta.v1.LabelSelectorRequirement[] {
+    if (rule.namespaces.length === 0) {
+      return []
+    }
+    return pipe(
+      //
+      rule.namespaces,
+      map(mapNamespaceLikeToNamespaceName),
+      names => [
+        {
+          key: "k8s:io.kubernetes.pod.namespace",
+          operator: "In",
+          values: names,
+        },
+      ],
+    )
+  }
+  private static createSelectorRules(
+    prefix: "from" | "to",
+    rule: NormalizedRuleArgs,
+    ports: types.input.cilium.v2.CiliumNetworkPolicySpecEgressToPorts[] | undefined,
+  ): types.input.cilium.v2.CiliumNetworkPolicySpecIngress[] {
+    const namespaceExpressions = CiliumNetworkPolicy.createNamespaceExpressions(rule)
+    if (rule.selectors.length === 0) {
+      if (namespaceExpressions.length === 0) {
+        // if no selectors and no namespaces are provided, we do not match
+        return []
+      }
+      // if no selectors are provided, we only match on namespaces
+      return [
+        {
+          [`${prefix}Endpoints`]: [{ matchExpressions: namespaceExpressions }],
+          toPorts: ports,
+        },
+      ]
+    }
+    // otherwise, we match on selectors and namespaces
+    const selectors = rule.selectors.map(selector => {
+      const rawSelector = mapSelectorLikeToSelector(selector)
+      return output(rawSelector).apply(rawSelector => {
+        const expressions = map(rawSelector.matchExpressions ?? [], expression => ({
+          key: `k8s:${expression.key}`,
+          operator: expression.operator,
+          values: expression.values,
+        }))
+        return {
+          matchLabels: mapKeys(rawSelector.matchLabels ?? {}, key => `k8s:${key}`),
+          matchExpressions: [...expressions, ...namespaceExpressions],
+        }
+      })
+    })
+    return [
+      {
+        [`${prefix}Endpoints`]: selectors,
+        toPorts: ports,
+      },
+    ]
+  }
+  private static mapPorts(
+    ports: NetworkPolicyPort[],
+  ): types.input.cilium.v2.CiliumNetworkPolicySpecEgressToPorts | undefined {
+    if (ports.length === 0) {
+      return
+    }
+    return {
+      ports: ports.map(port => {
+        if ("port" in port) {
+          return {
+            port: port.port.toString(),
+            protocol: port.protocol ?? "TCP",
+          }
+        }
+        return {
+          port: port.range[0].toString(),
+          endPort: port.range[1],
+          protocol: port.protocol ?? "TCP",
+        }
+      }),
+    }
+  }
+}

package/src/shared.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export { cilium as chart } from "../assets/charts.json"

package/assets/charts.json DELETED Viewed

@@ -1,8 +0,0 @@
-{
-  "cilium": {
-    "repo": "https://helm.cilium.io",
-    "name": "cilium",
-    "version": "1.17.1",
-    "sha256": "381de4f8f4c5eace677d3426aa8d896ef8d2318c2bf4d1172c9953345b744471"
-  }
-}

package/dist/index.d.ts DELETED Viewed

@@ -1,18 +0,0 @@
-import { ResourceOptions, Resource } from '@highstate/pulumi';
-import { NetworkPolicy, NormalizedNetworkPolicyArgs } from '@highstate/k8s';
-declare class CiliumNetworkPolicy extends NetworkPolicy {
-    protected create(name: string, args: NormalizedNetworkPolicyArgs, opts?: ResourceOptions): Resource;
-    private static createIngressRules;
-    private static createEgressRules;
-    private static createRules;
-    private static createAllRules;
-    private static createCidrRules;
-    private static createFqdnRules;
-    private static createServiceRules;
-    private static createNamespaceExpressions;
-    private static createSelectorRules;
-    private static mapPorts;
-}
-export { CiliumNetworkPolicy };