@highstate/k8s 0.15.0 → 0.16.0

package/src/impl/gateway-route.ts

@@ -1,10 +1,5 @@
 import type { Secret } from "../secret"
-import {
-  filterEndpoints,
-  type GatewayRouteSpec,
-  gatewayRouteMediator,
-  type TlsCertificate,
-} from "@highstate/common"
+import { type GatewayRouteSpec, gatewayRouteMediator, type TlsCertificate } from "@highstate/common"
 import { k8s, type network } from "@highstate/library"
 import { type ComponentResourceOptions, type Input, toPromise } from "@highstate/pulumi"
 import { core } from "@pulumi/kubernetes"
@@ -279,13 +274,10 @@ async function createServiceFromEndpoints(
     throw new Error(`Gateway route "${name}" has no endpoints to expose.`)
   }
 
-  const hostnameEndpoints = filterEndpoints(endpoints, undefined, ["hostname"])
-  const ipEndpoints = filterEndpoints(endpoints, undefined, ["ipv4", "ipv6"])
+  const hostnameEndpoints = endpoints.filter(endpoint => endpoint.type === "hostname")
+  const ipEndpoints = endpoints.filter(endpoint => endpoint.type !== "hostname")
 
-  if (
-    hostnameEndpoints.length > 0 &&
-    hostnameEndpoints[0].visibility > ipEndpoints[0]?.visibility
-  ) {
+  if (hostnameEndpoints.length > 0) {
     const hostnamePortInfos: ServicePortInfo[] = []
     for (const endpoint of hostnameEndpoints) {
       hostnamePortInfos.push(toServicePortInfoFromEndpoint(endpoint))
@@ -326,7 +318,7 @@ async function createServiceFromEndpoints(
     {
       metadata: mapMetadata({ namespace }, endpointsName),
       subsets: ipEndpoints.map(endpoint => ({
-        addresses: [{ ip: endpoint.address }],
+        addresses: [{ ip: endpoint.address.value }],
         ports: [l4EndpointToServicePort(endpoint)],
       })),
     },

package/src/job.ts

@@ -36,25 +36,26 @@ export type CreateOrGetJobArgs = JobArgs & {
   /**
    * The job entity to patch/retrieve.
    */
-  existing: Input<k8s.ScopedResource> | undefined
+  existing: Input<k8s.NamespacedResource> | undefined
 }
 
 /**
  * Represents a Kubernetes Job resource with metadata and spec.
  */
 export abstract class Job extends Workload {
+  static apiVersion = "batch/v1"
+  static kind = "Job"
+
   protected constructor(
     type: string,
     name: string,
     args: Inputs,
     opts: ComponentResourceOptions | undefined,
 
-    apiVersion: Output<string>,
-    kind: Output<string>,
+    metadata: Output<types.output.meta.v1.ObjectMeta>,
+    namespace: Output<Namespace>,
     terminalArgs: Output<Unwrap<WorkloadTerminalArgs>>,
     containers: Output<Container[]>,
-    namespace: Output<Namespace>,
-    metadata: Output<types.output.meta.v1.ObjectMeta>,
     networkPolicy: Output<NetworkPolicy | undefined>,
 
     /**
@@ -72,12 +73,10 @@ export abstract class Job extends Workload {
       name,
       args,
       opts,
-      apiVersion,
-      kind,
+      metadata,
+      namespace,
       terminalArgs,
       containers,
-      namespace,
-      metadata,
       spec.template,
       networkPolicy,
     )
@@ -90,13 +89,8 @@ export abstract class Job extends Workload {
   /**
    * The Highstate job entity.
    */
-  get entity(): Output<k8s.ScopedResource> {
-    return output({
-      type: "job",
-      clusterId: this.cluster.id,
-      clusterName: this.cluster.name,
-      metadata: this.metadata,
-    })
+  get entity(): Output<k8s.Job> {
+    return output(this.entityBase)
   }
 
   protected getTerminalMeta(): Output<UnitTerminal["meta"]> {
@@ -203,7 +197,7 @@ export abstract class Job extends Workload {
    * @param entity The entity to get the job for.
    * @param cluster The cluster where the job is located.
    */
-  static for(entity: k8s.ScopedResource, cluster: Input<k8s.Cluster>): Job {
+  static for(entity: k8s.NamespacedResource, cluster: Input<k8s.Cluster>): Job {
     return getOrCreate(
       Job.jobCache,
       `${entity.clusterName}.${entity.metadata.namespace}.${entity.metadata.name}.${entity.clusterId}`,
@@ -228,7 +222,7 @@ export abstract class Job extends Workload {
    * @param cluster The cluster where the job is located.
    */
   static async forAsync(
-    entity: Input<k8s.ScopedResource>,
+    entity: Input<k8s.NamespacedResource>,
     cluster: Input<k8s.Cluster>,
   ): Promise<Job> {
     const resolvedEntity = await toPromise(entity)
@@ -277,15 +271,11 @@ class CreatedJob extends Job {
       name,
       args,
       opts,
-
-      job.apiVersion,
-      job.kind,
+      job.metadata,
+      output(args.namespace),
       output(args.terminal ?? {}),
       containers,
-      output(args.namespace),
-      job.metadata,
       networkPolicy,
-
       job.spec,
       job.status,
     )
@@ -323,15 +313,11 @@ class JobPatch extends Job {
       name,
       args,
       opts,
-
-      job.apiVersion,
-      job.kind,
+      job.metadata,
+      output(args.namespace),
       output(args.terminal ?? {}),
       containers,
-      output(args.namespace),
-      job.metadata,
       networkPolicy,
-
       job.spec,
       job.status,
     )
@@ -369,12 +355,10 @@ class WrappedJob extends Job {
       args,
       opts,
 
-      output(args.job).apiVersion,
-      output(args.job).kind,
+      output(args.job).metadata,
+      output(args.namespace),
       output(args.terminal ?? {}),
       output([]),
-      output(args.namespace),
-      output(args.job).metadata,
       output(undefined),
 
       output(args.job).spec,
@@ -411,12 +395,10 @@ class ExternalJob extends Job {
       args,
       opts,
 
-      job.apiVersion,
-      job.kind,
+      job.metadata,
+      output(args.namespace),
       output({}),
       output([]),
-      output(args.namespace),
-      job.metadata,
       output(undefined),
 
       job.spec,

package/src/namespace.ts

@@ -3,7 +3,6 @@ import { getOrCreate } from "@highstate/contract"
 import { toPromise } from "@highstate/pulumi"
 import { core, type types } from "@pulumi/kubernetes"
 import {
-  ComponentResource,
   type ComponentResourceOptions,
   type Input,
   type Inputs,
@@ -11,7 +10,13 @@ import {
   output,
   type Unwrap,
 } from "@pulumi/pulumi"
-import { getProvider, mapMetadata, type ScopedResourceArgs, validateCluster } from "./shared"
+import {
+  getProvider,
+  mapMetadata,
+  Resource,
+  type ScopedResourceArgs,
+  validateCluster,
+} from "./shared"
 
 export type NamespaceArgs = Omit<ScopedResourceArgs, "namespace"> & {
   /**
@@ -31,7 +36,7 @@ export type CreateOrGetNamespaceArgs = NamespaceArgs & {
    *
    * If not provided, the namespace will be created, otherwise it will be retrieved/patched.
    */
-  resource?: Input<k8s.ScopedResource>
+  resource?: Input<k8s.NamespacedResource>
 
   /**
    * The namespace entity to patch/retrieve.
@@ -39,22 +44,18 @@ export type CreateOrGetNamespaceArgs = NamespaceArgs & {
   existing?: Input<k8s.Namespace> | undefined
 }
 
-export abstract class Namespace extends ComponentResource {
+export abstract class Namespace extends Resource {
+  static readonly apiVersion = "v1"
+  static readonly kind = "Namespace"
+
   constructor(
     type: string,
     name: string,
     args: Inputs,
     opts: ComponentResourceOptions | undefined,
 
-    /**
-     * The cluster where the namespace is created.
-     */
-    readonly cluster: Output<k8s.Cluster>,
-
-    /*
-     * The metadata of the underlying Kubernetes namespace.
-     */
-    readonly metadata: Output<types.output.meta.v1.ObjectMeta>,
+    cluster: Output<k8s.Cluster>,
+    metadata: Output<types.output.meta.v1.ObjectMeta>,
 
     /**
      * The spec of the underlying Kubernetes namespace.
@@ -66,19 +67,14 @@ export abstract class Namespace extends ComponentResource {
      */
     readonly status: Output<types.output.core.v1.NamespaceStatus>,
   ) {
-    super(type, name, args, opts)
+    super(type, name, args, opts, cluster, metadata)
   }
 
   /**
    * The Highstate namespace entity.
    */
   get entity(): Output<k8s.Namespace> {
-    return output({
-      type: "namespace",
-      clusterId: this.cluster.id,
-      clusterName: this.cluster.name,
-      metadata: this.metadata,
-    })
+    return output(this.entityBase) as Output<k8s.Namespace>
   }
 
   /**
@@ -236,7 +232,7 @@ export abstract class Namespace extends ComponentResource {
    * @param resource The resource to get the namespace for.
    * @param cluster The cluster where the namespace is located.
    */
-  static forResource(resource: k8s.ScopedResource, cluster: Input<k8s.Cluster>): Namespace {
+  static forResource(resource: k8s.NamespacedResource, cluster: Input<k8s.Cluster>): Namespace {
     return getOrCreate(
       Namespace.namespaceCache,
       `${resource.clusterName}.${resource.metadata.namespace}.${resource.clusterId}`,
@@ -257,7 +253,7 @@ export abstract class Namespace extends ComponentResource {
    * @param cluster The cluster where the namespace is located.
    */
   static async forResourceAsync(
-    resource: Input<k8s.ScopedResource>,
+    resource: Input<k8s.NamespacedResource>,
     cluster: Input<k8s.Cluster>,
   ): Promise<Namespace> {
     const resolvedResource = await toPromise(resource)

package/src/network-policy.ts

@@ -1,11 +1,12 @@
 import type { k8s, network } from "@highstate/library"
 import type { Namespace } from "./namespace"
 import {
+  addressToCidr,
+  endpointToString,
   ImplementationMediator,
-  type InputL34Endpoint,
+  type InputEndpoint,
   l3EndpointToCidr,
-  l34EndpointToString,
-  parseL34Endpoint,
+  parseEndpoint,
 } from "@highstate/common"
 import { z } from "@highstate/contract"
 import {
@@ -22,7 +23,7 @@ import {
   type Unwrap,
 } from "@highstate/pulumi"
 import { type core, networking, type types } from "@pulumi/kubernetes"
-import { flat, groupBy, merge, mergeDeep, uniqueBy } from "remeda"
+import { flat, groupBy, isNonNullish, merge, mergeDeep, uniqueBy } from "remeda"
 import { requireBestEndpoint } from "./network"
 import { isEndpointFromCluster, mapServiceToLabelSelector } from "./service"
 import {
@@ -90,7 +91,7 @@ export type IngressRuleArgs = {
    * If a single endpoint also has a port/protocol/service metadata,
    * it will produce separate rule for it with them and ORed with the rest of the rules.
    */
-  fromEndpoint?: Input<InputL34Endpoint>
+  fromEndpoint?: Input<InputEndpoint>
 
   /**
    * The list of allowed L3 or L4 endpoints for incoming traffic.
@@ -102,7 +103,7 @@ export type IngressRuleArgs = {
    * If a single endpoint also has a port/protocol/service metadata,
    * it will produce separate rule for it with them and ORed with the rest of the rules.
    */
-  fromEndpoints?: InputArray<InputL34Endpoint>
+  fromEndpoints?: InputArray<InputEndpoint>
 
   /**
    * The service to allow traffic from.
@@ -219,7 +220,7 @@ export type EgressRuleArgs = {
    * If a single endpoint also has a port/protocol/service metadata,
    * it will produce separate rule for it with them and ORed with the rest of the rules.
    */
-  toEndpoint?: Input<InputL34Endpoint>
+  toEndpoint?: Input<InputEndpoint>
 
   /**
    * The list of allowed L3 or L4 endpoints for outgoing traffic.
@@ -231,7 +232,7 @@ export type EgressRuleArgs = {
    * If a single endpoint also has a port/protocol/service metadata,
    * it will produce separate rule for it with them and ORed with the rest of the rules.
    */
-  toEndpoints?: InputArray<InputL34Endpoint>
+  toEndpoints?: InputArray<InputEndpoint>
 
   /**
    * The service to allow traffic to.
@@ -443,7 +444,7 @@ export class NetworkPolicy extends ComponentResource {
 
         ingressRules: ingressRules.flatMap(rule => {
           const endpoints = normalize(rule?.fromEndpoint, rule?.fromEndpoints)
-          const parsedEndpoints = endpoints.map(parseL34Endpoint)
+          const parsedEndpoints = endpoints.map(endpoint => parseEndpoint(endpoint))
 
           const endpointsNamespaces = groupBy(parsedEndpoints, endpoint => {
             const namespace = isEndpointFromCluster(endpoint, cluster)
@@ -481,7 +482,7 @@ export class NetworkPolicy extends ComponentResource {
         egressRules: egressRules
           .flatMap(rule => {
             const endpoints = normalize(rule?.toEndpoint, rule?.toEndpoints)
-            const parsedEndpoints = endpoints.map(parseL34Endpoint)
+            const parsedEndpoints = endpoints.map(endpoint => parseEndpoint(endpoint))
 
             const endpointsByPortsAnsNamespaces = groupBy(parsedEndpoints, endpoint => {
               const namespace = isEndpointFromCluster(endpoint, cluster)
@@ -490,7 +491,9 @@ export class NetworkPolicy extends ComponentResource {
 
               const port = isEndpointFromCluster(endpoint, cluster)
                 ? endpoint.metadata["k8s.service"].targetPort
-                : endpoint.port
+                : endpoint.level !== 3
+                  ? endpoint.port
+                  : undefined
 
               return `${port ?? "0"}:${namespace}`
             })
@@ -554,30 +557,24 @@ export class NetworkPolicy extends ComponentResource {
     )
   }
 
-  private static mapCidrFromEndpoint(
-    this: void,
-    result: network.L3Endpoint & { type: "ipv4" | "ipv6" },
-  ): string {
-    if (result.type === "ipv4") {
-      return `${result.address}/32`
-    }
-
-    return `${result.address}/128`
-  }
-
   private static getRuleFromEndpoint(
     port: number | string | undefined,
-    endpoints: network.L34Endpoint[],
+    endpoints: network.L3Endpoint[],
     cluster: k8s.Cluster,
   ): NormalizedRuleArgs {
     const ports: NetworkPolicyPort[] = port
-      ? [{ port, protocol: endpoints[0].protocol?.toUpperCase() }]
+      ? [
+          {
+            port,
+            protocol: endpoints[0].level !== 3 ? endpoints[0].protocol?.toUpperCase() : undefined,
+          },
+        ]
       : []
 
     const cidrs = endpoints
       .filter(endpoint => !isEndpointFromCluster(endpoint, cluster))
-      .filter(endpoint => endpoint.type === "ipv4" || endpoint.type === "ipv6")
-      .map(NetworkPolicy.mapCidrFromEndpoint)
+      .map(endpoint => (endpoint.address ? addressToCidr(endpoint.address) : null))
+      .filter(isNonNullish)
 
     const fqdns = endpoints
       .filter(endpoint => endpoint.type === "hostname")
@@ -784,11 +781,11 @@ export class NetworkPolicy extends ComponentResource {
    */
   static async allowEgressToEndpoint(
     namespace: Input<Namespace>,
-    endpoint: InputL34Endpoint,
+    endpoint: InputEndpoint,
     opts?: ResourceOptions,
   ): Promise<NetworkPolicy> {
-    const parsedEndpoint = parseL34Endpoint(endpoint)
-    const endpointStr = l34EndpointToString(parsedEndpoint).replace(/:/g, "-")
+    const parsedEndpoint = parseEndpoint(endpoint)
+    const endpointStr = endpointToString(parsedEndpoint).replace(/:/g, "-")
     const nsName = await toPromise(output(namespace).metadata.name)
     const cluster = await toPromise(output(namespace).cluster)
 
@@ -796,7 +793,7 @@ export class NetworkPolicy extends ComponentResource {
       `allow-egress-to-${endpointStr}.${cluster.name}.${nsName}.${cluster.id}`,
       {
         namespace,
-        description: `Allow egress traffic to "${l34EndpointToString(parsedEndpoint)}" from the namespace.`,
+        description: `Allow egress traffic to "${endpointToString(parsedEndpoint)}" from the namespace.`,
         egressRule: { toEndpoint: endpoint },
       },
       opts,
@@ -814,12 +811,16 @@ export class NetworkPolicy extends ComponentResource {
    */
   static async allowEgressToBestEndpoint(
     namespace: Input<Namespace>,
-    endpoints: InputArray<InputL34Endpoint>,
+    endpoints: InputArray<InputEndpoint>,
     opts?: ResourceOptions,
   ): Promise<NetworkPolicy> {
     const cluster = await toPromise(output(namespace).cluster)
     const resolvedEndpoints = await toPromise(output(endpoints))
-    const bestEndpoint = requireBestEndpoint(resolvedEndpoints.map(parseL34Endpoint), cluster)
+
+    const bestEndpoint = requireBestEndpoint(
+      resolvedEndpoints.map(endpoint => parseEndpoint(endpoint)),
+      cluster,
+    )
 
     return await NetworkPolicy.allowEgressToEndpoint(namespace, bestEndpoint, opts)
   }
@@ -835,11 +836,11 @@ export class NetworkPolicy extends ComponentResource {
    */
   static async allowIngressFromEndpoint(
     namespace: Input<Namespace>,
-    endpoint: InputL34Endpoint,
+    endpoint: InputEndpoint,
     opts?: ResourceOptions,
   ): Promise<NetworkPolicy> {
-    const parsedEndpoint = parseL34Endpoint(endpoint)
-    const endpointStr = l34EndpointToString(parsedEndpoint).replace(/:/g, "-")
+    const parsedEndpoint = parseEndpoint(endpoint)
+    const endpointStr = endpointToString(parsedEndpoint).replace(/:/g, "-")
     const nsName = await toPromise(output(namespace).metadata.name)
     const cluster = await toPromise(output(namespace).cluster)
 
@@ -847,7 +848,7 @@ export class NetworkPolicy extends ComponentResource {
       `allow-ingress-from-${endpointStr}.${cluster.name}.${nsName}.${cluster.id}`,
       {
         namespace,
-        description: interpolate`Allow ingress traffic from "${l34EndpointToString(parsedEndpoint)}" to the namespace.`,
+        description: interpolate`Allow ingress traffic from "${endpointToString(parsedEndpoint)}" to the namespace.`,
         ingressRule: { fromEndpoint: endpoint },
       },
       opts,

package/src/network.ts

@@ -1,8 +1,7 @@
 import type { k8s, network } from "@highstate/library"
-import { filterEndpoints } from "@highstate/common"
 import { isEndpointFromCluster } from "./service"
 
-export function getBestEndpoint<TEndpoint extends network.L34Endpoint>(
+export function getBestEndpoint<TEndpoint extends network.L3Endpoint>(
   endpoints: TEndpoint[],
   cluster?: k8s.Cluster,
 ): TEndpoint | undefined {
@@ -14,20 +13,29 @@ export function getBestEndpoint<TEndpoint extends network.L34Endpoint>(
     return endpoints[0]
   }
 
-  if (!cluster) {
-    return filterEndpoints(endpoints)[0]
-  }
+  // try to find an endpoint from the same cluster and access it via internal endpoint
+  if (cluster) {
+    const clusterEndpoint = endpoints.find(
+      endpoint =>
+        isEndpointFromCluster(endpoint, cluster) && endpoint.metadata["k8s.service"].isInternal,
+    )
 
-  const clusterEndpoint = endpoints.find(endpoint => isEndpointFromCluster(endpoint, cluster))
+    if (clusterEndpoint) {
+      return clusterEndpoint
+    }
+  }
 
-  if (clusterEndpoint) {
-    return clusterEndpoint
+  // if there is no internal endpoint, try to find any public endpoint
+  const publicEndpoint = endpoints.find(endpoint => endpoint.metadata["iana.scope"] === "global")
+  if (publicEndpoint) {
+    return publicEndpoint
   }
 
-  return filterEndpoints(endpoints)[0]
+  // otherwise, return the first one
+  return endpoints[0]
 }
 
-export function requireBestEndpoint<TEndpoint extends network.L34Endpoint>(
+export function requireBestEndpoint<TEndpoint extends network.L3Endpoint>(
   endpoints: TEndpoint[],
   cluster: k8s.Cluster,
 ): TEndpoint {

package/src/pvc.ts

@@ -17,7 +17,7 @@ import {
   commonExtraArgs,
   getProvider,
   mapMetadata,
-  ScopedResource,
+  NamespacedResource,
   type ScopedResourceArgs,
 } from "./shared"
 
@@ -43,17 +43,18 @@ const extraPersistentVolumeClaimArgs = [...commonExtraArgs, "size"] as const
 /**
  * Represents a Kubernetes PersistentVolumeClaim resource with metadata and spec.
  */
-export abstract class PersistentVolumeClaim extends ScopedResource {
+export abstract class PersistentVolumeClaim extends NamespacedResource {
+  static apiVersion = "v1"
+  static kind = "PersistentVolumeClaim"
+
   protected constructor(
     type: string,
     name: string,
     args: Inputs,
     opts: ComponentResourceOptions | undefined,
 
-    apiVersion: Output<string>,
-    kind: Output<string>,
-    namespace: Output<Namespace>,
     metadata: Output<types.output.meta.v1.ObjectMeta>,
+    namespace: Output<Namespace>,
 
     /**
      * The spec of the underlying Kubernetes PVC.
@@ -65,19 +66,14 @@ export abstract class PersistentVolumeClaim extends ScopedResource {
      */
     readonly status: Output<types.output.core.v1.PersistentVolumeClaimStatus>,
   ) {
-    super(type, name, args, opts, apiVersion, kind, namespace, metadata)
+    super(type, name, args, opts, metadata, namespace)
   }
 
   /**
    * The Highstate PVC entity.
    */
   get entity(): Output<k8s.PersistentVolumeClaim> {
-    return output({
-      type: "persistent-volume-claim",
-      clusterId: this.cluster.id,
-      clusterName: this.cluster.name,
-      metadata: this.metadata,
-    })
+    return output(this.entityBase)
   }
 
   /**
@@ -256,11 +252,8 @@ class CreatedPersistentVolumeClaim extends PersistentVolumeClaim {
       name,
       args,
       opts,
-
-      pvc.apiVersion,
-      pvc.kind,
-      output(args.namespace),
       pvc.metadata,
+      output(args.namespace),
       pvc.spec,
       pvc.status,
     )
@@ -301,11 +294,8 @@ class PersistentVolumeClaimPatch extends PersistentVolumeClaim {
       name,
       args,
       opts,
-
-      pvc.apiVersion,
-      pvc.kind,
-      output(args.namespace),
       pvc.metadata,
+      output(args.namespace),
       pvc.spec,
       pvc.status,
     )
@@ -335,11 +325,8 @@ class WrappedPersistentVolumeClaim extends PersistentVolumeClaim {
       name,
       args,
       opts,
-
-      output(args.pvc).apiVersion,
-      output(args.pvc).kind,
-      output(args.namespace),
       output(args.pvc).metadata,
+      output(args.namespace),
       output(args.pvc).spec,
       output(args.pvc).status,
     )
@@ -377,11 +364,8 @@ class ExternalPersistentVolumeClaim extends PersistentVolumeClaim {
       name,
       args,
       opts,
-
-      pvc.apiVersion,
-      pvc.kind,
-      output(args.namespace),
       pvc.metadata,
+      output(args.namespace),
       pvc.spec,
       pvc.status,
     )