@highstate/k8s 0.14.2 → 0.16.0

package/src/rbac.ts

@@ -10,17 +10,24 @@ import {
   type Output,
   output,
   toPromise,
+  type Unwrap,
 } from "@highstate/pulumi"
 import { KubeConfig } from "@kubernetes/client-node"
 import { core, rbac, type types } from "@pulumi/kubernetes"
 import { map, unique } from "remeda"
 import { stringify } from "yaml"
 import { Secret } from "./secret"
-import { getNamespaceName, getProvider, type NamespaceLike, type ScopedResource } from "./shared"
+import {
+  getNamespaceName,
+  getProvider,
+  NamespacedResource,
+  type NamespaceLike,
+  type Resource,
+} from "./shared"
 
 export type ClusterAccessScopeArgs = {
   /**
-   * The namespace to locate the ServiceAccount in.
+   * The namespace to create the ServiceAccount in.
    */
   namespace: Input<Namespace>
 
@@ -52,35 +59,19 @@ export type ClusterAccessScopeArgs = {
   extraNamespaces?: InputArray<NamespaceLike>
 
   /**
-   * Whether to create `ClusterRoleBinding` to bind the `ServiceAccount` to the `ClusterRole`.
+   * Whether to create `ClusterRoleBinding` instead of `RoleBinding` to allow cluster-wide access.
    *
    * This will allow the `ServiceAccount` to access all namespaces and cluster resources.
    */
   clusterWide?: boolean
-}
-
-export type ClusterAccessScopeForResourcesArgs = {
-  /**
-   * The namespace to locate the `ServiceAccount` in.
-   */
-  namespace: Input<Namespace>
-
-  /**
-   * The verbs to allow on the resources.
-   */
-  verbs: string[]
-
-  /**
-   * The resources to allow verbs on.
-   */
-  resources: InputArray<ScopedResource>
 
   /**
-   * Whether to allow access on the whole collection rather than specific resources.
+   * The extra resources to merge into passed rules.
    *
-   * The provided resources in this case will be used to determine the types and api groups only.
+   * Resources will be merged into rule `resourceNames` if they exactly match rule's `apiGroups` and `resources`.
+   * If rule specifies multiple apiGroups or resources, resources will not be merged into it.
    */
-  collectionAccess?: boolean
+  resources?: InputArray<Resource | k8s.Resource>
 }
 
 export class ClusterAccessScope extends ComponentResource {
@@ -111,12 +102,15 @@ export class ClusterAccessScope extends ComponentResource {
         name,
         {
           metadata: {
-            name: interpolate`highstate.${namespaceName}.${name}`,
+            name: interpolate`hs.${namespaceName}.${name}`,
             annotations: {
               "kubernetes.io/description": interpolate`Created by Highstate for the ServiceAccount "${name}" in the namespace "${namespaceName}".`,
             },
           },
-          rules: normalizeInputs(args.rule, args.rules),
+          rules: output({
+            rules: normalizeInputs(args.rule, args.rules),
+            resources: args.resources ?? [],
+          }).apply(({ rules, resources }) => mergeResources(rules, resources)),
         },
         { provider },
       )
@@ -143,14 +137,36 @@ export class ClusterAccessScope extends ComponentResource {
         )
       }
 
-      if (args.allowOriginNamespace ?? true) {
-        createRoleBinding(namespaceName)
+      if (args.clusterWide) {
+        new rbac.v1.ClusterRoleBinding(
+          name,
+          {
+            metadata: { name },
+            roleRef: {
+              kind: "ClusterRole",
+              name: clusterRole.metadata.name,
+              apiGroup: "rbac.authorization.k8s.io",
+            },
+            subjects: [
+              {
+                kind: "ServiceAccount",
+                name: serviceAccount.metadata.name,
+                namespace: namespaceName,
+              },
+            ],
+          },
+          { provider },
+        )
+      } else {
+        if (args.allowOriginNamespace !== false) {
+          createRoleBinding(namespaceName)
+        }
+
+        output(args.extraNamespaces ?? [])
+          .apply(map(getNamespaceName))
+          .apply(map(createRoleBinding))
       }
 
-      output(args.extraNamespaces ?? [])
-        .apply(map(getNamespaceName))
-        .apply(map(createRoleBinding))
-
       return { serviceAccount, kubeconfig: cluster.kubeconfig }
     })
 
@@ -193,81 +209,43 @@ export class ClusterAccessScope extends ComponentResource {
       }
     })
   }
+}
 
-  /**
-   * Creates `ClusterAccessScope` for the given resources with the specified verbs.
-   *
-   * All resources must belong to the same namespace in the same cluster.
-   *
-   * @param name The name of the resource and the ServiceAccount.
-   * @param resources The resources to create access scope for.
-   * @param verbs The verbs to allow on the resources.
-   */
-  static async forResources(
-    name: string,
-    args: ClusterAccessScopeForResourcesArgs,
-    opts?: ComponentResourceOptions,
-  ): Promise<ClusterAccessScope> {
-    const resolved = await toPromise(
-      output(args.resources).apply(resources =>
-        resources.map(r => ({
-          namespaceId: r.namespace.metadata.uid,
-          namespace: r.namespace,
-          metadata: r.metadata,
-          apiVersion: r.apiVersion,
-          kind: r.kind,
-        })),
-      ),
+async function mergeResources(
+  rules: Unwrap<types.input.rbac.v1.PolicyRule>[],
+  resources: (Resource | k8s.Resource)[],
+): Promise<types.input.rbac.v1.PolicyRule[]> {
+  for (const resource of resources) {
+    const entity = await toPromise(
+      resource instanceof NamespacedResource ? resource.entity : resource,
     )
 
-    if (resolved.length === 0) {
-      throw new Error("No resources provided to forResources.")
-    }
+    const apiGroup = entity.apiVersion.includes("/") // e.g., "apps/v1"
+      ? entity.apiVersion.split("/")[0]
+      : ""
 
-    if (unique(resolved.map(r => r.namespaceId)).length > 1) {
-      throw new Error("All resources must belong to the same namespace.")
-    }
-
-    const saNamespaceId = await toPromise(output(args.namespace).metadata.uid)
-
-    if (resolved[0].namespaceId !== saNamespaceId) {
-      throw new Error("The resources must belong to the same namespace as the ServiceAccount.")
-    }
+    const resourceCollection = `${entity.kind.toLowerCase()}s`
 
-    if (args.collectionAccess) {
-      // when collection access is requested, we only need to know the types and api groups
-      const uniqueTypes = unique(resolved.map(r => `${r.apiVersion}::${r.kind}`))
+    const matchingRule = rules.find(rule => {
+      const apiGroupsMatch = rule.apiGroups?.length === 1 && rule.apiGroups[0] === apiGroup
+      const resourcesMatch =
+        rule.resources?.length === 1 && rule.resources[0] === resourceCollection
 
-      return new ClusterAccessScope(
-        name,
-        {
-          namespace: args.namespace,
-          rules: uniqueTypes.map(t => {
-            const [apiVersion, kind] = t.split("::")
+      return apiGroupsMatch && resourcesMatch
+    })
 
-            return {
-              apiGroups: apiVersion === "v1" ? [""] : [apiVersion.split("/")[0]],
-              resources: [`${kind.toLowerCase()}s`],
-              verbs: args.verbs,
-            }
-          }),
-        },
-        opts,
-      )
+    if (!matchingRule) {
+      continue
     }
 
-    return new ClusterAccessScope(
-      name,
-      {
-        namespace: args.namespace,
-        rules: resolved.map(r => ({
-          apiGroups: r.apiVersion === "v1" ? [""] : [r.apiVersion.split("/")[0]],
-          resources: [r.kind.toLowerCase() + (r.metadata?.name ? "s" : "")],
-          resourceNames: r.metadata?.name ? [r.metadata.name] : undefined,
-          verbs: args.verbs,
-        })),
-      },
-      opts,
+    matchingRule.resourceNames = await toPromise(
+      unique([
+        //
+        ...(matchingRule.resourceNames ?? []),
+        entity.metadata.name,
+      ]),
     )
   }
+
+  return rules
 }

package/src/scripting/bundle.ts

@@ -1,7 +1,7 @@
 import type { network } from "@highstate/library"
 import type { ContainerEnvironment, ContainerVolumeMount, WorkloadVolume } from "../container"
 import type { ScopedResourceArgs } from "../shared"
-import { parseL34Endpoint } from "@highstate/common"
+import { parseEndpoint } from "@highstate/common"
 import { text, trimIndentation } from "@highstate/contract"
 import { type InputArray, normalize } from "@highstate/pulumi"
 import {
@@ -76,7 +76,7 @@ export class ScriptBundle extends ComponentResource {
   /**
    * The list of endpoints that the script is allowed to access.
    */
-  readonly allowedEndpoints: Output<network.L34Endpoint[]>
+  readonly allowedEndpoints: Output<network.L3Endpoint[]>
 
   constructor(name: string, args: ScriptBundleArgs, opts?: ComponentResourceOptions) {
     super("highstate:k8s:ScriptBundle", name, args, opts)
@@ -113,7 +113,7 @@ export class ScriptBundle extends ComponentResource {
           allowedEndpoints.push("tcp://registry.npmjs.org:443")
         }
 
-        return allowedEndpoints.map(parseL34Endpoint)
+        return allowedEndpoints.map(endpoint => parseEndpoint(endpoint))
       },
     )
 

package/src/scripting/environment.ts

@@ -1,4 +1,4 @@
-import type { InputL34Endpoint } from "@highstate/common"
+import type { InputEndpoint } from "@highstate/common"
 import type { Input, InputArray, InputRecord } from "@highstate/pulumi"
 import type { ContainerEnvironment, ContainerVolumeMount, WorkloadVolume } from "../container"
 
@@ -35,7 +35,7 @@ export type DistributionEnvironment = {
    *
    * Will be used to generate a network policy.
    */
-  allowedEndpoints?: InputArray<InputL34Endpoint>
+  allowedEndpoints?: InputArray<InputEndpoint>
 }
 
 export type ScriptProgram = () => unknown
@@ -78,7 +78,7 @@ export type ScriptEnvironment = {
    *
    * Will be used to generate a network policy.
    */
-  allowedEndpoints?: InputArray<InputL34Endpoint>
+  allowedEndpoints?: InputArray<InputEndpoint>
 }
 
 export type ResolvedScriptEnvironment = Omit<Required<ScriptEnvironment>, ScriptDistribution> & {

package/src/secret.ts

@@ -11,7 +11,7 @@ import {
   output,
 } from "@pulumi/pulumi"
 import { Namespace } from "./namespace"
-import { getProvider, mapMetadata, ScopedResource, type ScopedResourceArgs } from "./shared"
+import { getProvider, mapMetadata, NamespacedResource, type ScopedResourceArgs } from "./shared"
 
 export type SecretArgs = ScopedResourceArgs &
   Omit<types.input.core.v1.Secret, "kind" | "metadata" | "apiVersion">
@@ -20,23 +20,24 @@ export type CreateOrGetSecretArgs = SecretArgs & {
   /**
    * The secret entity to patch/retrieve.
    */
-  existing: Input<k8s.ScopedResource> | undefined
+  existing: Input<k8s.NamespacedResource> | undefined
 }
 
 /**
  * Represents a Kubernetes Secret resource with metadata and data.
  */
-export abstract class Secret extends ScopedResource {
+export abstract class Secret extends NamespacedResource {
+  static apiVersion = "v1"
+  static kind = "Secret"
+
   protected constructor(
     type: string,
     name: string,
     args: Inputs,
     opts: ComponentResourceOptions | undefined,
 
-    apiVersion: Output<string>,
-    kind: Output<string>,
-    namespace: Output<Namespace>,
     metadata: Output<types.output.meta.v1.ObjectMeta>,
+    namespace: Output<Namespace>,
 
     /**
      * The data of the underlying Kubernetes secret.
@@ -48,19 +49,14 @@ export abstract class Secret extends ScopedResource {
      */
     readonly stringData: Output<Record<string, string>>,
   ) {
-    super(type, name, args, opts, apiVersion, kind, namespace, metadata)
+    super(type, name, args, opts, metadata, namespace)
   }
 
   /**
    * The Highstate secret entity.
    */
-  get entity(): Output<k8s.ScopedResource> {
-    return output({
-      type: "secret",
-      clusterId: this.cluster.id,
-      clusterName: this.cluster.name,
-      metadata: this.metadata,
-    })
+  get entity(): Output<k8s.Secret> {
+    return output(this.entityBase)
   }
 
   /**
@@ -165,7 +161,7 @@ export abstract class Secret extends ScopedResource {
    * @param entity The entity to get the secret for.
    * @param cluster The cluster where the secret is located.
    */
-  static for(entity: k8s.ScopedResource, cluster: Input<k8s.Cluster>): Secret {
+  static for(entity: k8s.NamespacedResource, cluster: Input<k8s.Cluster>): Secret {
     return getOrCreate(
       Secret.secretCache,
       `${entity.clusterName}.${entity.metadata.namespace}.${entity.metadata.name}.${entity.clusterId}`,
@@ -190,7 +186,7 @@ export abstract class Secret extends ScopedResource {
    * @param cluster The cluster where the secret is located.
    */
   static async forAsync(
-    entity: Input<k8s.ScopedResource>,
+    entity: Input<k8s.NamespacedResource>,
     cluster: Input<k8s.Cluster>,
   ): Promise<Secret> {
     const resolvedEntity = await toPromise(entity)
@@ -223,10 +219,8 @@ class CreatedSecret extends Secret {
       name,
       args,
       opts,
-      secret.apiVersion,
-      secret.kind,
-      output(args.namespace),
       secret.metadata,
+      output(args.namespace),
       secret.data,
       secret.stringData,
     )
@@ -258,10 +252,8 @@ class SecretPatch extends Secret {
       name,
       args,
       opts,
-      secret.apiVersion,
-      secret.kind,
-      output(args.namespace),
       secret.metadata,
+      output(args.namespace),
       secret.data,
       secret.stringData,
     )
@@ -287,11 +279,8 @@ class WrappedSecret extends Secret {
       name,
       args,
       opts,
-
-      output(args.secret).apiVersion,
-      output(args.secret).kind,
-      output(args.namespace),
       output(args.secret).metadata,
+      output(args.namespace),
       output(args.secret).data,
       output(args.secret).stringData,
     )
@@ -335,11 +324,8 @@ class ExternalSecret extends Secret {
       name,
       args,
       opts,
-
-      secret.apiVersion,
-      secret.kind,
-      output(args.namespace),
       secret.metadata,
+      output(args.namespace),
       secret.data,
       secret.stringData,
     )