@highstate/k8s 0.18.0 → 0.20.0

package/dist/{chunk-P2VOUU7E.js → chunk-SZKOAHNX.js}

@@ -1,13 +1,13 @@
-import { isEndpointFromCluster, mapServiceToLabelSelector, Service, mapContainerPortToServicePort } from './chunk-TWBMG6TD.js';
-import { Secret } from './chunk-4G6LLC2X.js';
-import { commonExtraArgs, NamespacedResource, Namespace, mapMetadata, getProvider, mapSelectorLikeToSelector, getProviderAsync, mapNamespaceNameToSelector, getNamespaceName, images_exports } from './chunk-OBDQONMV.js';
+import { isEndpointFromCluster, mapServiceToLabelSelector, Service, mapContainerPortToServicePort } from './chunk-OG2OPX7B.js';
+import { commonExtraArgs, NamespacedResource, Namespace, mapMetadata, getProvider, Secret, mapSelectorLikeToSelector, getProviderAsync, mapNamespaceNameToSelector, getNamespaceName, images_exports, getClusterKubeconfigContent } from './chunk-TOLFVF4S.js';
 import { z, getOrCreate, trimIndentation } from '@highstate/contract';
-import { ComponentResource, toPromise, output as output$1, interpolate as interpolate$1, normalize, normalizeInputs, fileFromString } from '@highstate/pulumi';
+import { k8s } from '@highstate/library';
+import { ComponentResource, makeEntityOutput, output, toPromise, interpolate, normalize, normalizeInputs, makeFileOutput } from '@highstate/pulumi';
 import { core, networking } from '@pulumi/kubernetes';
-import { output, interpolate } from '@pulumi/pulumi';
 import { deepmerge } from 'deepmerge-ts';
-import { omit, concat, map, groupBy, isNonNullish, mergeDeep, uniqueBy, flat, merge, filter, unique } from 'remeda';
+import { omit, concat, map, groupBy, isNonNullish, mergeDeep, uniqueBy, flat, merge, unique, filter } from 'remeda';
 import { ImplementationMediator, parseEndpoint, addressToCidr, endpointToString, l3EndpointToCidr, AccessPointRoute, mergeEndpoints } from '@highstate/common';
+import { output as output$1, interpolate as interpolate$1 } from '@pulumi/pulumi';
 import { sha256 } from 'crypto-hash';
 
 var ConfigMap = class _ConfigMap extends NamespacedResource {
@@ -21,7 +21,16 @@ var ConfigMap = class _ConfigMap extends NamespacedResource {
    * The Highstate config map entity.
    */
   get entity() {
-    return output(this.entityBase);
+    return makeEntityOutput({
+      entity: k8s.configMapEntity,
+      identity: this.metadata.uid,
+      meta: {
+        title: this.metadata.name
+      },
+      value: {
+        ...this.entityBase
+      }
+    });
   }
   /**
    * Creates a new config map.
@@ -224,7 +233,16 @@ var PersistentVolumeClaim = class _PersistentVolumeClaim extends NamespacedResou
    * The Highstate PVC entity.
    */
   get entity() {
-    return output$1(this.entityBase);
+    return makeEntityOutput({
+      entity: k8s.persistentVolumeClaimEntity,
+      identity: this.metadata.uid,
+      meta: {
+        title: this.metadata.name
+      },
+      value: {
+        ...this.entityBase
+      }
+    });
   }
   /**
    * Creates a new PVC.
@@ -243,7 +261,7 @@ var PersistentVolumeClaim = class _PersistentVolumeClaim extends NamespacedResou
     if (args.existing) {
       return new PersistentVolumeClaimPatch(name, {
         ...args,
-        name: output$1(args.existing).metadata.name
+        name: output(args.existing).metadata.name
       });
     }
     return new CreatedPersistentVolumeClaim(name, args, opts);
@@ -257,7 +275,7 @@ var PersistentVolumeClaim = class _PersistentVolumeClaim extends NamespacedResou
    */
   static async createOrGet(name, args, opts) {
     if (args.existing) {
-      return await _PersistentVolumeClaim.forAsync(args.existing, output$1(args.namespace).cluster);
+      return await _PersistentVolumeClaim.forAsync(args.existing, output(args.namespace).cluster);
     }
     return new CreatedPersistentVolumeClaim(name, args, opts);
   }
@@ -329,12 +347,12 @@ var PersistentVolumeClaim = class _PersistentVolumeClaim extends NamespacedResou
 };
 var CreatedPersistentVolumeClaim = class extends PersistentVolumeClaim {
   constructor(name, args, opts) {
-    const pvc = output$1(args.namespace).cluster.apply((cluster) => {
+    const pvc = output(args.namespace).cluster.apply((cluster) => {
       return new core.v1.PersistentVolumeClaim(
         name,
         {
           metadata: mapMetadata(args, name),
-          spec: output$1(args).apply((args2) => {
+          spec: output(args).apply((args2) => {
             return deepmerge(
               {
                 accessModes: ["ReadWriteOnce"],
@@ -361,7 +379,7 @@ var CreatedPersistentVolumeClaim = class extends PersistentVolumeClaim {
       args,
       opts,
       pvc.metadata,
-      output$1(args.namespace),
+      output(args.namespace),
       pvc.spec,
       pvc.status
     );
@@ -369,12 +387,12 @@ var CreatedPersistentVolumeClaim = class extends PersistentVolumeClaim {
 };
 var PersistentVolumeClaimPatch = class extends PersistentVolumeClaim {
   constructor(name, args, opts) {
-    const pvc = output$1(args.namespace).cluster.apply((cluster) => {
+    const pvc = output(args.namespace).cluster.apply((cluster) => {
       return new core.v1.PersistentVolumeClaimPatch(
         name,
         {
           metadata: mapMetadata(args, name),
-          spec: output$1(args).apply((args2) => {
+          spec: output(args).apply((args2) => {
             return deepmerge(
               {
                 accessModes: ["ReadWriteOnce"],
@@ -401,7 +419,7 @@ var PersistentVolumeClaimPatch = class extends PersistentVolumeClaim {
       args,
       opts,
       pvc.metadata,
-      output$1(args.namespace),
+      output(args.namespace),
       pvc.spec,
       pvc.status
     );
@@ -414,19 +432,19 @@ var WrappedPersistentVolumeClaim = class extends PersistentVolumeClaim {
       name,
       args,
       opts,
-      output$1(args.pvc).metadata,
-      output$1(args.namespace),
-      output$1(args.pvc).spec,
-      output$1(args.pvc).status
+      output(args.pvc).metadata,
+      output(args.namespace),
+      output(args.pvc).spec,
+      output(args.pvc).status
     );
   }
 };
 var ExternalPersistentVolumeClaim = class extends PersistentVolumeClaim {
   constructor(name, args, opts) {
-    const pvc = output$1(args.namespace).cluster.apply((cluster) => {
+    const pvc = output(args.namespace).cluster.apply((cluster) => {
       return core.v1.PersistentVolumeClaim.get(
         name,
-        interpolate$1`${output$1(args.namespace).metadata.name}/${args.name}`,
+        interpolate`${output(args.namespace).metadata.name}/${args.name}`,
         { ...opts, parent: this, provider: getProvider(cluster) }
       );
     });
@@ -436,7 +454,7 @@ var ExternalPersistentVolumeClaim = class extends PersistentVolumeClaim {
       args,
       opts,
       pvc.metadata,
-      output$1(args.namespace),
+      output(args.namespace),
       pvc.spec,
       pvc.status
     );
@@ -543,7 +561,7 @@ function mapVolumeMount(volumeMount) {
     return omit(
       {
         ...volumeMount,
-        name: output$1(volumeMount.volume).apply(mapWorkloadVolume).apply((volume) => output$1(volume.name))
+        name: output(volumeMount.volume).apply(mapWorkloadVolume).apply((volume) => output(volume.name))
       },
       ["volume"]
     );
@@ -554,14 +572,14 @@ function mapVolumeMount(volumeMount) {
   };
 }
 function mapEnvironmentSource(envFrom) {
-  if (envFrom instanceof core.v1.ConfigMap) {
+  if (envFrom instanceof core.v1.ConfigMap || envFrom instanceof ConfigMap) {
     return {
       configMapRef: {
         name: envFrom.metadata.name
       }
     };
   }
-  if (envFrom instanceof core.v1.Secret) {
+  if (envFrom instanceof core.v1.Secret || envFrom instanceof Secret) {
     return {
       secretRef: {
         name: envFrom.metadata.name
@@ -640,7 +658,7 @@ function getWorkloadVolumeResourceUuid(volume) {
   if (core.v1.Secret.isInstance(volume)) {
     return volume.metadata.uid;
   }
-  return output$1(void 0);
+  return output(void 0);
 }
 
 // src/network.ts
@@ -684,7 +702,7 @@ var NetworkPolicy = class _NetworkPolicy extends ComponentResource {
   networkPolicy;
   constructor(name, args, opts) {
     super("k8s:network-policy", name, args, opts);
-    const normalizedArgs = output$1(args).apply(async (args2) => {
+    const normalizedArgs = output(args).apply(async (args2) => {
       const ingressRules = normalize(args2.ingressRule, args2.ingressRules);
       const egressRules = normalize(args2.egressRule, args2.egressRules);
       const cluster = await toPromise(args2.namespace.cluster);
@@ -774,7 +792,7 @@ var NetworkPolicy = class _NetworkPolicy extends ComponentResource {
         }).concat(extraEgressRules)
       };
     });
-    this.networkPolicy = output$1(
+    this.networkPolicy = output(
       normalizedArgs.apply(async (args2) => {
         const cluster = args2.cluster;
         if (cluster.networkPolicyImplRef) {
@@ -786,7 +804,7 @@ var NetworkPolicy = class _NetworkPolicy extends ComponentResource {
         const nativePolicy = new NativeNetworkPolicy(name, args2, {
           ...opts,
           parent: this,
-          provider: await getProviderAsync(output$1(args2.namespace).cluster)
+          provider: await getProviderAsync(output(args2.namespace).cluster)
         });
         return nativePolicy.networkPolicy;
       })
@@ -827,8 +845,8 @@ var NetworkPolicy = class _NetworkPolicy extends ComponentResource {
    * @param opts Optional resource options.
    */
   static async isolateNamespace(namespace, opts) {
-    const name = await toPromise(output$1(namespace).metadata.name);
-    const cluster = await toPromise(output$1(namespace).cluster);
+    const name = await toPromise(output(namespace).metadata.name);
+    const cluster = await toPromise(output(namespace).cluster);
     return new _NetworkPolicy(
       `isolate-namespace.${cluster.name}.${name}.${cluster.id}`,
       {
@@ -849,8 +867,8 @@ var NetworkPolicy = class _NetworkPolicy extends ComponentResource {
    * @param opts Optional resource options.
    */
   static async allowInsideNamespace(namespace, opts) {
-    const nsName = await toPromise(output$1(namespace).metadata.name);
-    const cluster = await toPromise(output$1(namespace).cluster);
+    const nsName = await toPromise(output(namespace).metadata.name);
+    const cluster = await toPromise(output(namespace).cluster);
     return new _NetworkPolicy(
       `allow-inside-namespace.${cluster.name}.${nsName}.${cluster.id}`,
       {
@@ -871,8 +889,8 @@ var NetworkPolicy = class _NetworkPolicy extends ComponentResource {
    * @param opts Optional resource options.
    */
   static async allowKubeApiServer(namespace, opts) {
-    const nsName = await toPromise(output$1(namespace).metadata.name);
-    const cluster = await toPromise(output$1(namespace).cluster);
+    const nsName = await toPromise(output(namespace).metadata.name);
+    const cluster = await toPromise(output(namespace).cluster);
     return new _NetworkPolicy(
       `allow-kube-api-server.${cluster.name}.${nsName}.${cluster.id}`,
       {
@@ -892,8 +910,8 @@ var NetworkPolicy = class _NetworkPolicy extends ComponentResource {
    * @param opts Optional resource options.
    */
   static async allowKubeDns(namespace, opts) {
-    const nsName = await toPromise(output$1(namespace).metadata.name);
-    const cluster = await toPromise(output$1(namespace).cluster);
+    const nsName = await toPromise(output(namespace).metadata.name);
+    const cluster = await toPromise(output(namespace).cluster);
     return new _NetworkPolicy(
       `allow-kube-dns.${cluster.name}.${nsName}.${cluster.id}`,
       {
@@ -913,8 +931,8 @@ var NetworkPolicy = class _NetworkPolicy extends ComponentResource {
    * @param opts Optional resource options.
    */
   static async allowAllEgress(namespace, opts) {
-    const nsName = await toPromise(output$1(namespace).metadata.name);
-    const cluster = await toPromise(output$1(namespace).cluster);
+    const nsName = await toPromise(output(namespace).metadata.name);
+    const cluster = await toPromise(output(namespace).cluster);
     return new _NetworkPolicy(
       `allow-all-egress.${cluster.name}.${nsName}.${cluster.id}`,
       {
@@ -934,8 +952,8 @@ var NetworkPolicy = class _NetworkPolicy extends ComponentResource {
    * @param opts Optional resource options.
    */
   static async allowAllIngress(namespace, opts) {
-    const nsName = await toPromise(output$1(namespace).metadata.name);
-    const cluster = await toPromise(output$1(namespace).cluster);
+    const nsName = await toPromise(output(namespace).metadata.name);
+    const cluster = await toPromise(output(namespace).cluster);
     return new _NetworkPolicy(
       `allow-all-ingress.${cluster.name}.${nsName}.${cluster.id}`,
       {
@@ -958,8 +976,8 @@ var NetworkPolicy = class _NetworkPolicy extends ComponentResource {
   static async allowEgressToEndpoint(namespace, endpoint, opts) {
     const parsedEndpoint = parseEndpoint(endpoint);
     const endpointStr = endpointToString(parsedEndpoint).replace(/:/g, "-");
-    const nsName = await toPromise(output$1(namespace).metadata.name);
-    const cluster = await toPromise(output$1(namespace).cluster);
+    const nsName = await toPromise(output(namespace).metadata.name);
+    const cluster = await toPromise(output(namespace).cluster);
     return new _NetworkPolicy(
       `allow-egress-to-${endpointStr}.${cluster.name}.${nsName}.${cluster.id}`,
       {
@@ -980,8 +998,8 @@ var NetworkPolicy = class _NetworkPolicy extends ComponentResource {
    * @param opts Optional resource options.
    */
   static async allowEgressToBestEndpoint(namespace, endpoints, opts) {
-    const cluster = await toPromise(output$1(namespace).cluster);
-    const resolvedEndpoints = await toPromise(output$1(endpoints));
+    const cluster = await toPromise(output(namespace).cluster);
+    const resolvedEndpoints = await toPromise(output(endpoints));
     const bestEndpoint = requireBestEndpoint(
       resolvedEndpoints.map((endpoint) => parseEndpoint(endpoint)),
       cluster
@@ -1000,13 +1018,13 @@ var NetworkPolicy = class _NetworkPolicy extends ComponentResource {
   static async allowIngressFromEndpoint(namespace, endpoint, opts) {
     const parsedEndpoint = parseEndpoint(endpoint);
     const endpointStr = endpointToString(parsedEndpoint).replace(/:/g, "-");
-    const nsName = await toPromise(output$1(namespace).metadata.name);
-    const cluster = await toPromise(output$1(namespace).cluster);
+    const nsName = await toPromise(output(namespace).metadata.name);
+    const cluster = await toPromise(output(namespace).cluster);
     return new _NetworkPolicy(
       `allow-ingress-from-${endpointStr}.${cluster.name}.${nsName}.${cluster.id}`,
       {
         namespace,
-        description: interpolate$1`Allow ingress traffic from "${endpointToString(parsedEndpoint)}" to the namespace.`,
+        description: interpolate`Allow ingress traffic from "${endpointToString(parsedEndpoint)}" to the namespace.`,
         ingressRule: { fromEndpoint: endpoint }
       },
       opts
@@ -1179,7 +1197,40 @@ var podSpecDefaults = {
   automountServiceAccountToken: false
 };
 var workloadExtraArgs = [...commonExtraArgs, "container", "containers"];
-var exposableWorkloadExtraArgs = [
+function filterPatchOwnedContainersInTemplate(template, ownedTemplate) {
+  const ownedContainerNames = unique(
+    (ownedTemplate.spec?.containers ?? []).map((container) => container.name).filter(isNonNullish)
+  );
+  const ownedInitContainerNames = unique(
+    (ownedTemplate.spec?.initContainers ?? []).map((container) => container.name).filter(isNonNullish)
+  );
+  const filterByOwnedNames = (source, ownedNames) => {
+    if (!source || source.length === 0 || ownedNames.length === 0) {
+      return void 0;
+    }
+    const filtered = source.filter(
+      (container) => container.name ? ownedNames.includes(container.name) : false
+    );
+    return filtered.length > 0 ? filtered : void 0;
+  };
+  const containers = filterByOwnedNames(template.spec?.containers, ownedContainerNames);
+  const initContainers = filterByOwnedNames(template.spec?.initContainers, ownedInitContainerNames);
+  const {
+    containers: _containers,
+    initContainers: _initContainers,
+    ...restSpec
+  } = template.spec ?? {};
+  const spec = {
+    ...restSpec,
+    ...containers ? { containers } : {},
+    ...initContainers ? { initContainers } : {}
+  };
+  return {
+    ...template,
+    spec
+  };
+}
+var workloadServiceExtraArgs = [
   ...workloadExtraArgs,
   "service",
   "route",
@@ -1187,11 +1238,11 @@ var exposableWorkloadExtraArgs = [
 ];
 function getWorkloadComponents(name, args, parent, opts, isForPatch) {
   const labels = isForPatch ? void 0 : { "app.kubernetes.io/name": name };
-  const containers = output(args).apply((args2) => normalize(args2.container, args2.containers));
-  const initContainers = output(args).apply(
+  const containers = output$1(args).apply((args2) => normalize(args2.container, args2.containers));
+  const initContainers = output$1(args).apply(
     (args2) => normalize(args2.initContainer, args2.initContainers)
   );
-  const rawVolumes = output({ containers, initContainers }).apply(
+  const rawVolumes = output$1({ containers, initContainers }).apply(
     ({ containers: containers2, initContainers: initContainers2 }) => {
       const containerVolumes = [...containers2, ...initContainers2].flatMap(
         (container) => normalize(container.volume, container.volumes)
@@ -1201,14 +1252,14 @@ function getWorkloadComponents(name, args, parent, opts, isForPatch) {
           return "volume" in volumeMount ? volumeMount.volume : void 0;
         }).filter(Boolean);
       });
-      return output([...containerVolumes, ...containerVolumeMounts]);
+      return output$1([...containerVolumes, ...containerVolumeMounts]);
     }
   );
   const volumes = rawVolumes.apply((rawVolumes2) => {
-    return output(rawVolumes2.map(mapWorkloadVolume)).apply(uniqueBy((volume) => volume.name));
+    return output$1(rawVolumes2.map(mapWorkloadVolume)).apply(uniqueBy((volume) => volume.name));
   });
-  const podSpec = output({
-    cluster: output(args.namespace).cluster,
+  const podSpec = output$1({
+    cluster: output$1(args.namespace).cluster,
     containers,
     initContainers,
     volumes
@@ -1224,7 +1275,7 @@ function getWorkloadComponents(name, args, parent, opts, isForPatch) {
       ...podSpecDefaults
     };
     if (containers2.some((container) => container.enableTun) && cluster.quirks?.tunDevicePolicy?.type !== "plugin") {
-      spec.volumes = output(spec.volumes).apply((volumes3) => [
+      spec.volumes = output$1(spec.volumes).apply((volumes3) => [
         ...volumes3 ?? [],
         {
           name: "tun-device",
@@ -1237,9 +1288,9 @@ function getWorkloadComponents(name, args, parent, opts, isForPatch) {
     return spec;
   });
   const dependencyHash = rawVolumes.apply((rawVolumes2) => {
-    return output(rawVolumes2.map(getWorkloadVolumeResourceUuid)).apply(filter(isNonNullish)).apply(unique()).apply((ids) => sha256(ids.join(",")));
+    return output$1(rawVolumes2.map(getWorkloadVolumeResourceUuid)).apply(filter(isNonNullish)).apply(unique()).apply((ids) => sha256(ids.join(",")));
   });
-  const podTemplate = output({ podSpec, dependencyHash }).apply(({ podSpec: podSpec2, dependencyHash: dependencyHash2 }) => {
+  const podTemplate = output$1({ podSpec, dependencyHash }).apply(({ podSpec: podSpec2, dependencyHash: dependencyHash2 }) => {
     return {
       metadata: {
         labels,
@@ -1252,15 +1303,15 @@ function getWorkloadComponents(name, args, parent, opts, isForPatch) {
       spec: podSpec2
     };
   });
-  const networkPolicy = output({ containers }).apply(({ containers: containers2 }) => {
+  const networkPolicy = output$1({ containers }).apply(({ containers: containers2 }) => {
     if (isForPatch) {
-      return output(void 0);
+      return output$1(void 0);
     }
     const allowedEndpoints = containers2.flatMap((container) => container.allowedEndpoints ?? []);
     if (allowedEndpoints.length === 0 && !args.networkPolicy) {
-      return output(void 0);
+      return output$1(void 0);
     }
-    return output(
+    return output$1(
       new NetworkPolicy(
         name,
         {
@@ -1268,7 +1319,7 @@ function getWorkloadComponents(name, args, parent, opts, isForPatch) {
           selector: labels,
           description: `Network policy for "${name}"`,
           ...args.networkPolicy,
-          egressRules: output(args.networkPolicy?.egressRules).apply((egressRules) => [
+          egressRules: output$1(args.networkPolicy?.egressRules).apply((egressRules) => [
             ...egressRules ?? [],
             ...allowedEndpoints.length > 0 ? [{ toEndpoints: allowedEndpoints }] : []
           ])
@@ -1279,9 +1330,9 @@ function getWorkloadComponents(name, args, parent, opts, isForPatch) {
   });
   return { labels, containers, volumes, podSpec, podTemplate, networkPolicy };
 }
-function getExposableWorkloadComponents(name, args, parent, opts, isForPatch) {
+function getWorkloadServiceComponents(name, args, parent, opts, isForPatch) {
   const { labels, containers, volumes, podSpec, podTemplate, networkPolicy } = getWorkloadComponents(name, args, parent, opts, isForPatch);
-  const service = output({
+  const service = output$1({
     existing: args.existing,
     serviceArgs: args.service,
     containers
@@ -1290,7 +1341,7 @@ function getExposableWorkloadComponents(name, args, parent, opts, isForPatch) {
       return void 0;
     }
     if (existing?.service) {
-      return Service.for(existing.service, output(args.namespace).cluster);
+      return Service.for(existing.service, output$1(args.namespace).cluster);
     }
     if (existing) {
       return void 0;
@@ -1306,41 +1357,160 @@ function getExposableWorkloadComponents(name, args, parent, opts, isForPatch) {
       )
     });
   });
-  const routes = output({
+  const routes = output$1({
     routesArgs: normalizeInputs(args.route, args.routes),
     service,
-    namespace: output(args.namespace)
-  }).apply(({ routesArgs, service: service2, namespace }) => {
+    namespace: output$1(args.namespace)
+  }).apply(async ({ routesArgs, service: service2, namespace }) => {
     if (!routesArgs.length || !service2) {
       return [];
     }
     if (args.existing) {
       return [];
     }
-    return routesArgs.map((routeArgs, index) => {
-      return new AccessPointRoute(`${name}.${index}`, {
-        ...routeArgs,
-        endpoints: service2.endpoints,
-        // pass the native data to the route to allow implementation to use it
-        gatewayNativeData: service2,
-        tlsCertificateNativeData: namespace
-      });
-    });
+    const serviceEndpoints = await toPromise(service2.endpoints);
+    const servicePorts = await toPromise(service2.spec.ports);
+    const resolveServiceEndpoints = async (servicePort, routeName) => {
+      if (serviceEndpoints.length === 0) {
+        throw new Error(`No endpoints found for workload service in route "${routeName}"`);
+      }
+      let resolvedServicePort;
+      if (servicePort != null) {
+        const requestedServicePort = await toPromise(servicePort);
+        if (typeof requestedServicePort === "string") {
+          const namedPort = servicePorts?.find((port) => port.name === requestedServicePort);
+          if (!namedPort) {
+            throw new Error(
+              `Named port "${requestedServicePort}" not found for workload service in route "${routeName}"`
+            );
+          }
+          resolvedServicePort = namedPort.port;
+        } else {
+          resolvedServicePort = requestedServicePort;
+        }
+      } else {
+        resolvedServicePort = serviceEndpoints[0]?.port;
+      }
+      if (resolvedServicePort == null) {
+        throw new Error(
+          `Unable to resolve service port for workload service in route "${routeName}"`
+        );
+      }
+      const filteredEndpoints = serviceEndpoints.filter(
+        (endpoint) => endpoint.port === resolvedServicePort
+      );
+      if (filteredEndpoints.length === 0) {
+        throw new Error(
+          `No endpoints with port ${resolvedServicePort} found for workload service in route "${routeName}"`
+        );
+      }
+      return filteredEndpoints;
+    };
+    return await Promise.all(
+      routesArgs.map(async (routeArgs, index) => {
+        const routeName = `${name}.${index}`;
+        const routeRules = await toPromise(routeArgs.rules);
+        const routeRuleValues = Object.values(routeRules ?? {});
+        const needsDefaultBackend = routeRuleValues.length === 0 || routeRuleValues.some((rule) => rule.servicePort == null);
+        const defaultServiceEndpoints = needsDefaultBackend ? await resolveServiceEndpoints(routeArgs.servicePort, routeName) : void 0;
+        const resolvedRules = routeRules ? await Promise.all(
+          Object.entries(routeRules).map(async ([ruleName, rule]) => {
+            const ruleServiceEndpoints = await resolveServiceEndpoints(
+              rule.servicePort ?? routeArgs.servicePort,
+              `${routeName}:${ruleName}`
+            );
+            return [
+              ruleName,
+              {
+                ...omit(rule, ["servicePort"]),
+                backend: {
+                  endpoints: ruleServiceEndpoints
+                }
+              }
+            ];
+          })
+        ) : void 0;
+        const resolvedRulesInput = resolvedRules ? Object.fromEntries(resolvedRules) : void 0;
+        return new AccessPointRoute(routeName, {
+          ...omit(routeArgs, ["servicePort", "rules"]),
+          ...defaultServiceEndpoints ? {
+            backend: {
+              endpoints: defaultServiceEndpoints
+            }
+          } : {},
+          rules: resolvedRulesInput,
+          metadata: {
+            ...routeArgs.metadata ?? {},
+            "k8s.namespace": namespace
+          }
+        });
+      })
+    );
   });
   return { labels, containers, volumes, podSpec, podTemplate, networkPolicy, service, routes };
 }
 var Workload = class extends NamespacedResource {
-  constructor(type, name, args, opts, metadata, namespace, terminalArgs, containers, podTemplate, networkPolicy) {
+  constructor(type, name, args, opts, metadata, namespace, terminalArgs, containers, podTemplate, networkPolicy, _service = output$1(void 0), routes = output$1([])) {
     super(type, name, args, opts, metadata, namespace);
     this.name = name;
     this.terminalArgs = terminalArgs;
     this.containers = containers;
     this.podTemplate = podTemplate;
     this.networkPolicy = networkPolicy;
+    this._service = _service;
+    this.routes = routes;
   }
-  // biome-ignore lint/correctness/noUnusedPrivateClassMembers: for pulumi which for some reason tries to copy all properties
   set terminal(_value) {
   }
+  set logsTerminal(_value) {
+  }
+  // biome-ignore lint/correctness/noUnusedPrivateClassMembers: for pulumi which for some reason tries to copy all properties
+  set terminals(_value) {
+  }
+  // biome-ignore lint/correctness/noUnusedPrivateClassMembers: for pulumi which for some reason tries to copy all properties
+  set optionalService(_value) {
+  }
+  // biome-ignore lint/correctness/noUnusedPrivateClassMembers: for pulumi which for some reason tries to copy all properties
+  set service(_value) {
+  }
+  // biome-ignore lint/correctness/noUnusedPrivateClassMembers: for pulumi which for some reason tries to copy all properties
+  set selector(_value) {
+  }
+  /**
+   * The service associated with the workload.
+   */
+  get optionalService() {
+    return this._service;
+  }
+  /**
+   * The service associated with the workload.
+   *
+   * Will throw an error if the service is not available.
+   */
+  get service() {
+    return this._service.apply((service) => {
+      if (!service) {
+        throw new Error(`The service of the workload "${this.name}" is not available.`);
+      }
+      return service;
+    });
+  }
+  /**
+   * The merged and deduplicated L3 endpoints of all routes.
+   */
+  get endpoints() {
+    return this.routes.apply(
+      (routes) => output$1(routes.map((route) => route.route.endpoints)).apply((endpoints) => flat(endpoints)).apply(mergeEndpoints)
+    );
+  }
+  /**
+   * The selector matching pods created from this workload's template labels.
+   */
+  get selector() {
+    return this.podTemplate.apply((template) => ({
+      matchLabels: template.metadata?.labels
+    }));
+  }
   /**
    * The instance terminal to interact with the workload's pods.
    */
@@ -1350,17 +1520,21 @@ var Workload = class extends NamespacedResource {
     const podLabelSelector = this.templateMetadata.apply((meta) => meta.labels ?? {}).apply(
       (labels) => Object.entries(labels).map(([key, value]) => `${key}=${value}`).join(",")
     );
-    return output({
+    return output$1({
       name: this.metadata.name,
       meta: this.getTerminalMeta(),
       spec: {
         image: images_exports["terminal-kubectl"].image,
         command: ["bash", "/welcome.sh"],
         files: {
-          "/kubeconfig": fileFromString("kubeconfig", this.cluster.kubeconfig, { isSecret: true }),
-          "/welcome.sh": fileFromString(
-            "welcome.sh",
-            interpolate`
+          "/kubeconfig": makeFileOutput({
+            name: "kubeconfig",
+            content: getClusterKubeconfigContent(this.cluster),
+            isSecret: true
+          }),
+          "/welcome.sh": makeFileOutput({
+            name: "welcome.sh",
+            content: interpolate$1`
               #!/bin/bash
               set -euo pipefail
 
@@ -1405,7 +1579,7 @@ var Workload = class extends NamespacedResource {
               # execute into the selected pod
               exec kubectl exec -it -n "$NAMESPACE" "$SELECTED_POD" -c "$CONTAINER_NAME" -- "$SHELL"
             `.apply(trimIndentation)
-          )
+          })
         },
         env: {
           KUBECONFIG: "/kubeconfig"
@@ -1413,6 +1587,91 @@ var Workload = class extends NamespacedResource {
       }
     });
   }
+  /**
+   * The instance terminal to view the workload's logs.
+   */
+  get logsTerminal() {
+    const containerName = this.podTemplate.spec.containers.apply((containers) => containers[0].name);
+    const podLabelSelector = this.templateMetadata.apply((meta) => meta.labels ?? {}).apply(
+      (labels) => Object.entries(labels).map(([key, value]) => `${key}=${value}`).join(",")
+    );
+    return output$1({
+      name: interpolate$1`${this.metadata.name}.logs`,
+      meta: output$1(this.getTerminalMeta()).apply((meta) => ({
+        ...meta,
+        title: `${meta.title} Logs`,
+        globalTitle: `${meta.globalTitle} | Logs`,
+        description: `The logs of ${meta.title.toLowerCase()}.`
+      })),
+      spec: {
+        image: images_exports["terminal-kubectl"].image,
+        command: ["bash", "/welcome.sh"],
+        files: {
+          "/kubeconfig": makeFileOutput({
+            name: "kubeconfig",
+            content: getClusterKubeconfigContent(this.cluster),
+            isSecret: true
+          }),
+          "/welcome.sh": makeFileOutput({
+            name: "welcome.sh",
+            content: interpolate$1`
+              #!/bin/bash
+              set -euo pipefail
+
+              NAMESPACE="${this.metadata.namespace}"
+              RESOURCE_TYPE="${this.kind.toLowerCase()}"
+              RESOURCE_NAME="${this.metadata.name}"
+              CONTAINER_NAME="${containerName}"
+              LABEL_SELECTOR="${podLabelSelector}"
+
+              echo "Connecting to logs of $RESOURCE_TYPE \"$RESOURCE_NAME\" in namespace \"$NAMESPACE\""
+
+              # get all pods for this workload
+              PODS=$(kubectl get pods -n "$NAMESPACE" -l "$LABEL_SELECTOR" -o jsonpath='{.items[*].metadata.name}' 2>/dev/null || echo "")
+
+              if [ -z "$PODS" ]; then
+                echo "No pods found"
+                exit 1
+              fi
+
+              # convert space-separated string to array
+              read -ra POD_ARRAY <<< "$PODS"
+
+              if [ \${#POD_ARRAY[@]} -eq 1 ]; then
+                # single pod found, connect directly
+                SELECTED_POD="\${POD_ARRAY[0]}"
+                echo "Found single pod: $SELECTED_POD"
+              else
+                # multiple pods found, use fzf for selection
+                echo "Found \${#POD_ARRAY[@]} pods. Please select one."
+
+                SELECTED_POD=$(printf '%s\n' "\${POD_ARRAY[@]}" | fzf --prompt="Select pod: " --height 10 --border --info=inline)
+
+                if [ -z "$SELECTED_POD" ]; then
+                  echo "No pod selected"
+                  exit 1
+                fi
+
+                echo "Selected pod: $SELECTED_POD"
+              fi
+
+              # stream logs for the selected pod
+              exec kubectl logs -f -n "$NAMESPACE" "$SELECTED_POD" -c "$CONTAINER_NAME"
+            `.apply(trimIndentation)
+          })
+        },
+        env: {
+          KUBECONFIG: "/kubeconfig"
+        }
+      }
+    });
+  }
+  /**
+   * The instance terminals to interact with the workload's pods and view its logs.
+   */
+  get terminals() {
+    return [this.logsTerminal, this.terminal];
+  }
   /**
    * Creates a terminal with a custom command.
    *
@@ -1421,32 +1680,34 @@ var Workload = class extends NamespacedResource {
    * @param spec Additional spec options for the terminal.
    */
   createTerminal(name, meta, command, spec) {
-    const containerName = output(this.containers).apply((containers) => {
-      return containers[0]?.name ?? this.name;
-    });
-    return output({
+    const containerName = this.podTemplate.spec.containers.apply((containers) => containers[0].name);
+    return output$1({
       name,
-      meta: output(this.getTerminalMeta()).apply((currentMeta) => ({
+      meta: output$1(this.getTerminalMeta()).apply((currentMeta) => ({
         ...currentMeta,
         ...meta
       })),
       spec: {
         image: images_exports["terminal-kubectl"].image,
-        command: output(command).apply((command2) => [
+        command: output$1(command).apply((command2) => [
           "exec",
           "kubectl",
           "exec",
           "-it",
           "-n",
           this.metadata.namespace,
-          `${this.kind.toLowerCase()}/${this.metadata.name}`,
+          interpolate$1`${this.kind.toLowerCase()}/${this.metadata.name}`,
           "-c",
           containerName,
           "--",
           ...command2
         ]),
         files: {
-          "/kubeconfig": fileFromString("kubeconfig", this.cluster.kubeconfig, { isSecret: true }),
+          "/kubeconfig": makeFileOutput({
+            name: "kubeconfig",
+            content: getClusterKubeconfigContent(this.cluster),
+            isSecret: true
+          }),
           ...spec?.files
         },
         env: {
@@ -1460,167 +1721,84 @@ var Workload = class extends NamespacedResource {
    * Creates a generic workload or patches the existing one.
    */
   static createOrPatchGeneric(name, args, opts) {
-    return output(args).apply(async (args2) => {
+    return output$1(args).apply(async (args2) => {
       if (args2.existing?.kind === "Deployment") {
-        const { Deployment } = await import('./deployment-O2LJ5WR5.js');
+        const { Deployment } = await import('./deployment-T35TUOL2.js');
         return Deployment.patch(
           name,
           {
             ...deepmerge(args2, args2.deployment),
             name: args2.existing.metadata.name,
-            namespace: Namespace.forResourceAsync(args2.existing, output(args2.namespace).cluster)
+            namespace: Namespace.forResourceAsync(args2.existing, output$1(args2.namespace).cluster)
           },
           opts
         );
       }
       if (args2.existing?.kind === "StatefulSet") {
-        const { StatefulSet } = await import('./stateful-set-VJYKTQ72.js');
+        const { StatefulSet } = await import('./stateful-set-LUIRHQJY.js');
         return StatefulSet.patch(
           name,
           {
             ...deepmerge(args2, args2.statefulSet),
             name: args2.existing.metadata.name,
-            namespace: Namespace.forResourceAsync(args2.existing, output(args2.namespace).cluster)
+            namespace: Namespace.forResourceAsync(args2.existing, output$1(args2.namespace).cluster)
           },
           opts
         );
       }
       if (args2.existing?.kind === "Job") {
-        const { Job } = await import('./job-SYME6Y43.js');
+        const { Job } = await import('./job-PE4AKOHB.js');
         return Job.patch(
           name,
           {
             ...deepmerge(args2, args2.job),
             name: args2.existing.metadata.name,
-            namespace: Namespace.forResourceAsync(args2.existing, output(args2.namespace).cluster)
+            namespace: Namespace.forResourceAsync(args2.existing, output$1(args2.namespace).cluster)
           },
           opts
         );
       }
       if (args2.existing?.kind === "CronJob") {
-        const { CronJob } = await import('./cron-job-NX4HD4FI.js');
+        const { CronJob } = await import('./cron-job-RKB2HYTO.js');
         return CronJob.patch(
           name,
           {
             ...deepmerge(args2, args2.cronJob),
             name: args2.existing.metadata.name,
-            namespace: Namespace.forResourceAsync(args2.existing, output(args2.namespace).cluster)
+            namespace: Namespace.forResourceAsync(args2.existing, output$1(args2.namespace).cluster)
           },
           opts
         );
       }
       if (args2.defaultType === "Deployment") {
-        const { Deployment } = await import('./deployment-O2LJ5WR5.js');
-        return Deployment.create(name, deepmerge(args2, args2.deployment), opts);
+        const { Deployment } = await import('./deployment-T35TUOL2.js');
+        const deploymentArgs = deepmerge(
+          omit(args2, ["defaultType", "existing", "deployment", "statefulSet", "job", "cronJob"]),
+          args2.deployment ?? {}
+        );
+        return Deployment.create(name, deploymentArgs, opts);
       }
       if (args2.defaultType === "StatefulSet") {
-        const { StatefulSet } = await import('./stateful-set-VJYKTQ72.js');
-        return StatefulSet.create(name, deepmerge(args2, args2.statefulSet), opts);
+        const { StatefulSet } = await import('./stateful-set-LUIRHQJY.js');
+        const statefulSetArgs = deepmerge(
+          omit(args2, ["defaultType", "existing", "deployment", "statefulSet", "job", "cronJob"]),
+          args2.statefulSet ?? {}
+        );
+        return StatefulSet.create(name, statefulSetArgs, opts);
       }
       if (args2.defaultType === "Job") {
-        const { Job } = await import('./job-SYME6Y43.js');
+        const { Job } = await import('./job-PE4AKOHB.js');
         return Job.create(name, deepmerge(args2, args2.job), opts);
       }
       if (args2.defaultType === "CronJob") {
-        const { CronJob } = await import('./cron-job-NX4HD4FI.js');
+        const { CronJob } = await import('./cron-job-RKB2HYTO.js');
         return CronJob.create(name, deepmerge(args2, args2.cronJob), opts);
       }
       throw new Error(`Unknown workload type: ${args2.defaultType}`);
     });
   }
 };
-var ExposableWorkload = class extends Workload {
-  constructor(type, name, args, opts, metadata, namespace, terminalArgs, containers, podTemplate, networkPolicy, _service, routes) {
-    super(
-      type,
-      name,
-      args,
-      opts,
-      metadata,
-      namespace,
-      terminalArgs,
-      containers,
-      podTemplate,
-      networkPolicy
-    );
-    this._service = _service;
-    this.routes = routes;
-  }
-  // biome-ignore lint/correctness/noUnusedPrivateClassMembers: for pulumi which for some reason tries to copy all properties
-  set optionalService(_value) {
-  }
-  // biome-ignore lint/correctness/noUnusedPrivateClassMembers: for pulumi which for some reason tries to copy all properties
-  set service(_value) {
-  }
-  /**
-   * The service associated with the workload.
-   */
-  get optionalService() {
-    return this._service;
-  }
-  /**
-   * The service associated with the workload.
-   *
-   * Will throw an error if the service is not available.
-   */
-  get service() {
-    return this._service.apply((service) => {
-      if (!service) {
-        throw new Error(`The service of the workload "${this.name}" is not available.`);
-      }
-      return service;
-    });
-  }
-  /**
-   * The merged and deduplicated L3 endpoints of all routes.
-   */
-  get endpoints() {
-    return this.routes.apply(
-      (routes) => output(routes.map((route) => route.route.endpoints)).apply((endpoints) => flat(endpoints)).apply(mergeEndpoints)
-    );
-  }
-  /**
-   * Creates a generic exposable workload or patches the existing one.
-   */
-  static createOrPatchGeneric(name, args, opts) {
-    return output(args).apply(async (args2) => {
-      if (args2.existing?.kind === "Deployment") {
-        const { Deployment } = await import('./deployment-O2LJ5WR5.js');
-        return Deployment.patch(
-          name,
-          {
-            ...deepmerge(args2, args2.deployment),
-            name: args2.existing.metadata.name,
-            namespace: Namespace.forResourceAsync(args2.existing, output(args2.namespace).cluster)
-          },
-          opts
-        );
-      }
-      if (args2.existing?.kind === "StatefulSet") {
-        const { StatefulSet } = await import('./stateful-set-VJYKTQ72.js');
-        return StatefulSet.patch(
-          name,
-          {
-            ...deepmerge(args2, args2.statefulSet),
-            name: args2.existing.metadata.name,
-            namespace: Namespace.forResourceAsync(args2.existing, output(args2.namespace).cluster)
-          },
-          opts
-        );
-      }
-      if (args2.defaultType === "Deployment") {
-        const { Deployment } = await import('./deployment-O2LJ5WR5.js');
-        return Deployment.create(name, deepmerge(args2, args2.deployment), opts);
-      }
-      if (args2.defaultType === "StatefulSet") {
-        const { StatefulSet } = await import('./stateful-set-VJYKTQ72.js');
-        return StatefulSet.create(name, deepmerge(args2, args2.statefulSet), opts);
-      }
-      throw new Error(`Unknown workload type: ${args2.defaultType}`);
-    });
-  }
-};
 
-export { ConfigMap, ExposableWorkload, NativeNetworkPolicy, NetworkPolicy, PersistentVolumeClaim, Workload, exposableWorkloadExtraArgs, getAutoVolumeName, getBestEndpoint, getExposableWorkloadComponents, getFallbackContainerName, getWorkloadComponents, getWorkloadVolumeResourceUuid, mapContainerEnvironment, mapContainerToRaw, mapEnvironmentSource, mapVolumeMount, mapWorkloadVolume, networkPolicyMediator, podSpecDefaults, requireBestEndpoint, workloadExtraArgs };
-//# sourceMappingURL=chunk-P2VOUU7E.js.map
-//# sourceMappingURL=chunk-P2VOUU7E.js.map
+export { ConfigMap, NativeNetworkPolicy, NetworkPolicy, PersistentVolumeClaim, Workload, filterPatchOwnedContainersInTemplate, getAutoVolumeName, getBestEndpoint, getFallbackContainerName, getWorkloadComponents, getWorkloadServiceComponents, getWorkloadVolumeResourceUuid, mapContainerEnvironment, mapContainerToRaw, mapEnvironmentSource, mapVolumeMount, mapWorkloadVolume, networkPolicyMediator, podSpecDefaults, requireBestEndpoint, workloadExtraArgs, workloadServiceExtraArgs };
+//# sourceMappingURL=chunk-SZKOAHNX.js.map
+//# sourceMappingURL=chunk-SZKOAHNX.js.map