@highstate/k8s 0.18.0 → 0.20.0

package/dist/chunk-TOLFVF4S.js

@@ -0,0 +1,889 @@
+import { __export } from './chunk-PZYGZSN5.js';
+import { getOrCreate } from '@highstate/contract';
+import { common, k8s } from '@highstate/library';
+import { secret, toPromise, output, ComponentResource, normalizeInputs, interpolate, makeEntity, makeEntityOutput } from '@highstate/pulumi';
+import { Provider, core, rbac } from '@pulumi/kubernetes';
+import { output as output$1 } from '@pulumi/pulumi';
+import { KubeConfig } from '@kubernetes/client-node';
+import { map, unique } from 'remeda';
+
+// assets/images.json
+var images_exports = {};
+__export(images_exports, {
+  alpine: () => alpine,
+  default: () => images_default,
+  "terminal-kubectl": () => terminal_kubectl,
+  ubuntu: () => ubuntu,
+  "worker.k8s-monitor": () => worker_k8s_monitor
+});
+var terminal_kubectl = {
+  name: "ghcr.io/highstate-io/highstate/terminal.kubectl",
+  tag: "latest",
+  image: "ghcr.io/highstate-io/highstate/terminal.kubectl:latest@sha256:31cf095ec6acc0b3a5088c92483d88dc1e2e7dd7fcbf2ec8de29a0171debd8aa"
+};
+var worker_k8s_monitor = {
+  name: "ghcr.io/highstate-io/highstate/worker.k8s-monitor",
+  tag: "debug",
+  image: "ghcr.io/highstate-io/highstate/worker.k8s-monitor:debug@sha256:808eccda739d1e963d345a92612f3ca64ecf64de71a6010daa0e1fffbfc7aa5c"
+};
+var alpine = {
+  name: "alpine",
+  tag: "latest",
+  image: "alpine:latest@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659"
+};
+var ubuntu = {
+  name: "ubuntu",
+  tag: "latest",
+  image: "ubuntu:latest@sha256:84e77dee7d1bc93fb029a45e3c6cb9d8aa4831ccfcc7103d36e876938d28895b"
+};
+var images_default = {
+  "terminal-kubectl": terminal_kubectl,
+  "worker.k8s-monitor": worker_k8s_monitor,
+  alpine,
+  ubuntu
+};
+var providers = /* @__PURE__ */ new Map();
+function getProvider(cluster) {
+  const name = `${cluster.name}.${cluster.connectionId}`;
+  const existing = providers.get(name);
+  if (existing) {
+    return existing;
+  }
+  if (cluster.kubeconfig.content.type !== "embedded-secret") {
+    throw new Error("Only embedded secrets are supported for cluster kubeconfig for now");
+  }
+  const provider = new Provider(name, {
+    kubeconfig: secret(cluster.kubeconfig.content.value.value)
+  });
+  providers.set(name, provider);
+  return provider;
+}
+async function getProviderAsync(cluster) {
+  const resolvedCluster = await toPromise(cluster);
+  return getProvider(resolvedCluster);
+}
+function getEmbeddedSecretFileContent(file) {
+  return output(file).apply((file2) => {
+    if (file2.content.type !== "embedded-secret") {
+      throw new Error("Only embedded-secret file contents are supported for kubeconfig for now");
+    }
+    return file2.content.value.value;
+  });
+}
+function getClusterKubeconfigContent(cluster) {
+  return output(cluster).apply((cluster2) => {
+    if (cluster2.kubeconfig.content.type !== "embedded-secret") {
+      throw new Error(
+        "Only embedded-secret file contents are supported for cluster kubeconfig for now"
+      );
+    }
+    return cluster2.kubeconfig.content.value.value;
+  });
+}
+var commonExtraArgs = ["name", "namespace", "metadata"];
+function mapMetadata(args, fallbackName) {
+  return output(args.metadata).apply(
+    (metadata) => output({
+      ...metadata,
+      name: args.name ?? metadata?.name ?? fallbackName,
+      namespace: metadata?.namespace ?? (args.namespace ? output(args.namespace).metadata.name : void 0)
+    })
+  );
+}
+function mapSelectorLikeToSelector(selector) {
+  if ("matchLabels" in selector || "matchExpressions" in selector) {
+    return selector;
+  }
+  return {
+    matchLabels: selector
+  };
+}
+function getNamespaceName(namespace) {
+  if (Namespace.isInstance(namespace)) {
+    return namespace.metadata.name;
+  }
+  if (core.v1.Namespace.isInstance(namespace)) {
+    return namespace.metadata.name;
+  }
+  return output(namespace);
+}
+function mapNamespaceNameToSelector(namespace) {
+  return {
+    matchLabels: {
+      "kubernetes.io/metadata.name": namespace
+    }
+  };
+}
+function validateCluster(entity, cluster) {
+  return output({ entity, cluster }).apply(({ entity: entity2, cluster: cluster2 }) => {
+    if (entity2.clusterId !== cluster2.id) {
+      throw new Error(
+        `Cluster mismatch for ${entity2.kind} "${entity2.metadata.name}": "${entity2.clusterId}" != "${cluster2.id}"`
+      );
+    }
+    return cluster2;
+  });
+}
+var Resource = class extends ComponentResource {
+  constructor(type, name, args, opts, cluster, metadata) {
+    super(type, name, args, opts);
+    this.cluster = cluster;
+    this.metadata = metadata;
+  }
+  /**
+   * The Kubernetes API version (e.g., "v1", "apps/v1", "batch/v1").
+   */
+  static apiVersion;
+  /**
+   * The Kubernetes kind (e.g., "ConfigMap", "Deployment", "CronJob").
+   */
+  static kind;
+  /**
+   * Whether the resource is namespaced.
+   */
+  static isNamespaced = false;
+  /**
+   * The Kubernetes API version (e.g., "v1", "apps/v1", "batch/v1").
+   */
+  get apiVersion() {
+    return this.constructor.apiVersion;
+  }
+  /**
+   * The Kubernetes kind (e.g., "ConfigMap", "Deployment", "CronJob").
+   */
+  get kind() {
+    return this.constructor.kind;
+  }
+  get isNamespaced() {
+    return this.constructor.isNamespaced;
+  }
+  get entityBase() {
+    return {
+      clusterId: this.cluster.id,
+      clusterName: this.cluster.name,
+      apiVersion: this.apiVersion,
+      kind: this.kind,
+      isNamespaced: false,
+      metadata: this.metadata
+    };
+  }
+};
+var NamespacedResource = class extends Resource {
+  constructor(type, name, args, opts, metadata, namespace) {
+    super(type, name, args, opts, namespace.cluster, metadata);
+    this.namespace = namespace;
+  }
+  static isNamespaced = true;
+  get entityBase() {
+    return {
+      clusterId: this.cluster.id,
+      clusterName: this.cluster.name,
+      apiVersion: this.apiVersion,
+      kind: this.kind,
+      isNamespaced: true,
+      metadata: this.metadata
+    };
+  }
+};
+
+// src/rbac.ts
+var ClusterAccessScope = class extends ComponentResource {
+  /**
+   * The cluster entity with the reduced access.
+   */
+  cluster;
+  constructor(name, args, opts) {
+    super("highstate:k8s:ClusterAccessScope", name, args, opts);
+    const { serviceAccount, kubeconfig } = output(args.namespace).cluster.apply((cluster) => {
+      const provider = getProvider(cluster);
+      const namespaceName = output(args.namespace).metadata.name;
+      const serviceAccount2 = new core.v1.ServiceAccount(
+        name,
+        {
+          metadata: {
+            name,
+            namespace: namespaceName
+          }
+        },
+        { provider }
+      );
+      const clusterRole = new rbac.v1.ClusterRole(
+        name,
+        {
+          metadata: {
+            name: interpolate`hs.${namespaceName}.${name}`,
+            annotations: {
+              "kubernetes.io/description": interpolate`Created by Highstate for the ServiceAccount "${name}" in the namespace "${namespaceName}".`
+            }
+          },
+          rules: output({
+            rules: normalizeInputs(args.rule, args.rules),
+            resources: args.resources ?? []
+          }).apply(({ rules, resources }) => mergeResources(rules, resources))
+        },
+        { provider }
+      );
+      const createRoleBinding = (namespace) => {
+        return new rbac.v1.RoleBinding(
+          name,
+          {
+            metadata: { name, namespace },
+            roleRef: {
+              kind: "ClusterRole",
+              name: clusterRole.metadata.name,
+              apiGroup: "rbac.authorization.k8s.io"
+            },
+            subjects: [
+              {
+                kind: "ServiceAccount",
+                name: serviceAccount2.metadata.name,
+                namespace: namespaceName
+              }
+            ]
+          },
+          { provider }
+        );
+      };
+      if (args.clusterWide) {
+        new rbac.v1.ClusterRoleBinding(
+          name,
+          {
+            metadata: { name },
+            roleRef: {
+              kind: "ClusterRole",
+              name: clusterRole.metadata.name,
+              apiGroup: "rbac.authorization.k8s.io"
+            },
+            subjects: [
+              {
+                kind: "ServiceAccount",
+                name: serviceAccount2.metadata.name,
+                namespace: namespaceName
+              }
+            ]
+          },
+          { provider }
+        );
+      } else {
+        if (args.allowOriginNamespace !== false) {
+          createRoleBinding(namespaceName);
+        }
+        output(args.extraNamespaces ?? []).apply(map(getNamespaceName)).apply(map(createRoleBinding));
+      }
+      return { serviceAccount: serviceAccount2, kubeconfig: cluster.kubeconfig };
+    });
+    const accessTokenSecret = Secret.create(`${name}-token`, {
+      namespace: args.namespace,
+      type: "kubernetes.io/service-account-token",
+      metadata: {
+        annotations: {
+          "kubernetes.io/service-account.name": serviceAccount.metadata.name
+        }
+      }
+    });
+    this.cluster = output({
+      cluster: output(args.namespace).cluster,
+      kubeconfig,
+      newToken: accessTokenSecret.getValue("token"),
+      serviceAccount: serviceAccount.metadata.name,
+      serviceAccountId: serviceAccount.metadata.uid
+    }).apply(({ cluster, kubeconfig: kubeconfig2, newToken, serviceAccount: serviceAccount2, serviceAccountId }) => {
+      if (kubeconfig2.content.type !== "embedded-secret") {
+        throw new Error("Only embedded secrets are supported for cluster kubeconfig for now");
+      }
+      const config = new KubeConfig();
+      config.loadFromString(kubeconfig2.content.value.value);
+      config.users = [];
+      config.contexts = [];
+      config.addUser({ name: serviceAccount2, token: newToken });
+      config.addContext({
+        name: config.clusters[0].name,
+        cluster: config.clusters[0].name,
+        user: serviceAccount2
+      });
+      config.setCurrentContext(config.clusters[0].name);
+      return {
+        ...cluster,
+        connectionId: serviceAccountId,
+        kubeconfig: makeEntity({
+          entity: common.fileEntity,
+          identity: `${serviceAccountId}:kubeconfig`,
+          meta: {
+            title: `kubeconfig for SA ${serviceAccount2}`
+          },
+          value: {
+            content: {
+              type: "embedded-secret",
+              value: config.exportConfig()
+            },
+            meta: {
+              name: "kubeconfig",
+              contentType: "text/yaml",
+              mode: 384
+            }
+          }
+        })
+      };
+    });
+  }
+};
+async function mergeResources(rules, resources) {
+  for (const resource of resources) {
+    const entity = await toPromise(
+      resource instanceof NamespacedResource ? resource.entity : resource
+    );
+    const apiGroup = entity.apiVersion.includes("/") ? entity.apiVersion.split("/")[0] : "";
+    const resourceCollection = `${entity.kind.toLowerCase()}s`;
+    const matchingRule = rules.find((rule) => {
+      const apiGroupsMatch = rule.apiGroups?.length === 1 && rule.apiGroups[0] === apiGroup;
+      const resourcesMatch = rule.resources?.length === 1 && rule.resources[0] === resourceCollection;
+      return apiGroupsMatch && resourcesMatch;
+    });
+    if (!matchingRule) {
+      continue;
+    }
+    matchingRule.resourceNames = await toPromise(
+      unique([
+        //
+        ...matchingRule.resourceNames ?? [],
+        entity.metadata.name
+      ])
+    );
+  }
+  return rules;
+}
+
+// src/namespace.ts
+var Namespace = class _Namespace extends Resource {
+  constructor(type, name, args, opts, cluster, metadata, spec, status) {
+    super(type, name, args, opts, cluster, metadata);
+    this.spec = spec;
+    this.status = status;
+  }
+  static apiVersion = "v1";
+  static kind = "Namespace";
+  /**
+   * The cluster entity authorized to port-forward into the namespace.
+   *
+   * Only created for namespaces created with `create` or `createOrGet` methods, not for wrapped or external namespaces.
+   */
+  portForwardCluster;
+  /**
+   * The Highstate namespace entity.
+   */
+  get entity() {
+    return makeEntityOutput({
+      entity: k8s.namespaceEntity,
+      identity: this.metadata.uid,
+      meta: {
+        title: this.metadata.name
+      },
+      value: {
+        ...this.entityBase
+      }
+    });
+  }
+  /**
+   * Creates a new namespace.
+   */
+  static create(name, args, opts) {
+    return new CreatedNamespace(name, args, opts);
+  }
+  /**
+   * Wraps an existing Kubernetes namespace.
+   */
+  static wrap(name, args, opts) {
+    return new WrappedNamespace(name, args, opts);
+  }
+  /**
+   * Creates a new namespace or gets an existing one.
+   *
+   * @param name The name of the resource. May not be the same as the namespace name. Will not be used when existing namespace is retrieved.
+   * @param args The arguments to create or get the namespace with.
+   * @param opts Optional resource options.
+   */
+  static async createOrGet(name, args, opts) {
+    if (args.resource) {
+      return await _Namespace.forResourceAsync(args.resource, args.cluster);
+    }
+    if (args.existing) {
+      return await _Namespace.forAsync(args.existing, args.cluster);
+    }
+    return new CreatedNamespace(name, args, opts);
+  }
+  /**
+   * Creates a new namespace or patches an existing one.
+   *
+   * @param name The name of the resource. May not be the same as the namespace name.
+   * @param args The arguments to create or patch the namespace with.
+   * @param opts Optional resource options.
+   */
+  static createOrPatch(name, args, opts) {
+    if (args.resource) {
+      return new NamespacePatch(name, {
+        ...args,
+        name: output$1(args.resource).metadata.namespace,
+        cluster: validateCluster(args.resource, args.cluster)
+      });
+    }
+    if (args.existing) {
+      return new NamespacePatch(name, {
+        ...args,
+        name: output$1(args.existing).metadata.name,
+        cluster: validateCluster(args.existing, args.cluster)
+      });
+    }
+    return new CreatedNamespace(name, args, opts);
+  }
+  /**
+   * Patches an existing namespace.
+   *
+   * Will throw an error if the namespace does not exist.
+   *
+   * @param name The name of the resource. May not be the same as the namespace name.
+   * @param args The arguments to patch the namespace with.
+   * @param opts Optional resource options.
+   */
+  static patch(name, args, opts) {
+    return new NamespacePatch(name, args, opts);
+  }
+  /**
+   * Gets an existing namespace.
+   *
+   * Will throw an error if the namespace does not exist.
+   *
+   * @param name The name of the resource. May not be the same as the namespace name.
+   * @param args The arguments to get the namespace with.
+   * @param opts Optional resource options.
+   */
+  static get(name, args, opts) {
+    return new ExternalNamespace(name, args, opts);
+  }
+  static namespaceCache = /* @__PURE__ */ new Map();
+  /**
+   * Gets an existing namespace for a given entity.
+   * Prefer this method over `get` when possible.
+   *
+   * It automatically names the resource with the following format: `{clusterName}.{namespace}.{clusterId}`.
+   *
+   * This method it idempotent and will return the same instance for the same entity.
+   *
+   * @param entity The entity to get the namespace for.
+   * @param cluster The cluster where the namespace is located.
+   */
+  static for(entity, cluster) {
+    return getOrCreate(
+      _Namespace.namespaceCache,
+      `${entity.clusterName}.${entity.metadata.name}.${entity.clusterId}`,
+      (name) => {
+        return _Namespace.get(name, {
+          name: entity.metadata.name,
+          cluster: validateCluster(entity, cluster)
+        });
+      }
+    );
+  }
+  /**
+   * Gets an existing namespace for a given entity.
+   * Prefer this method over `get` when possible.
+   *
+   * @param entity The entity to get the namespace for.
+   * @param cluster The cluster where the namespace is located.
+   */
+  static async forAsync(entity, cluster) {
+    const resolvedEntity = await toPromise(entity);
+    return _Namespace.for(resolvedEntity, cluster);
+  }
+  /**
+   * Gets an existing namespace where the provided resource is located.
+   * Prefer this method over `get` when possible.
+   *
+   * It automatically names the resource with the following format: `{clusterName}.{namespace}.{clusterId}`.
+   *
+   * This method it idempotent and will return the same instance for the same resource.
+   *
+   * @param resource The resource to get the namespace for.
+   * @param cluster The cluster where the namespace is located.
+   */
+  static forResource(resource, cluster) {
+    return getOrCreate(
+      _Namespace.namespaceCache,
+      `${resource.clusterName}.${resource.metadata.namespace}.${resource.clusterId}`,
+      (name) => {
+        return _Namespace.get(name, {
+          name: resource.metadata.namespace,
+          cluster: validateCluster(resource, cluster)
+        });
+      }
+    );
+  }
+  /**
+   * Gets an existing namespace for a given entity.
+   * Prefer this method over `get` when possible.
+   *
+   * @param resource The resource to get the namespace for.
+   * @param cluster The cluster where the namespace is located.
+   */
+  static async forResourceAsync(resource, cluster) {
+    const resolvedResource = await toPromise(resource);
+    return _Namespace.forResource(resolvedResource, cluster);
+  }
+};
+function mapNamespaceMetadata(args, fallbackName) {
+  return mapMetadata(args, fallbackName).apply((metadata) => {
+    if (args.privileged) {
+      metadata.labels = {
+        ...metadata.labels,
+        "pod-security.kubernetes.io/enforce": "privileged"
+      };
+    }
+    return metadata;
+  });
+}
+var CreatedNamespace = class extends Namespace {
+  constructor(name, args, opts) {
+    const namespace = output$1(args.cluster).apply((cluster) => {
+      return new core.v1.Namespace(
+        name,
+        { metadata: mapNamespaceMetadata(args, name) },
+        { ...opts, parent: this, provider: getProvider(cluster) }
+      );
+    });
+    super(
+      "highstate:k8s:Namespace",
+      name,
+      args,
+      opts,
+      output$1(args.cluster),
+      namespace.metadata,
+      namespace.spec,
+      namespace.status
+    );
+    const scope = new ClusterAccessScope(
+      `${name}-port-forward`,
+      {
+        namespace: this,
+        rules: [
+          {
+            apiGroups: [""],
+            resources: ["services"],
+            verbs: ["get"]
+          },
+          {
+            apiGroups: [""],
+            resources: ["pods"],
+            verbs: ["get", "list"]
+          },
+          {
+            apiGroups: [""],
+            resources: ["pods/portforward"],
+            verbs: ["create"]
+          }
+        ]
+      },
+      { parent: this }
+    );
+    this.portForwardCluster = scope.cluster;
+  }
+};
+var NamespacePatch = class extends Namespace {
+  constructor(name, args, opts) {
+    const namespace = output$1(args.cluster).apply((cluster) => {
+      return new core.v1.NamespacePatch(
+        name,
+        { metadata: mapNamespaceMetadata(args, name) },
+        { ...opts, parent: this, provider: getProvider(cluster) }
+      );
+    });
+    super(
+      "highstate:k8s:NamespacePatch",
+      name,
+      args,
+      opts,
+      output$1(args.cluster),
+      namespace.metadata,
+      namespace.spec,
+      namespace.status
+    );
+  }
+};
+var ExternalNamespace = class extends Namespace {
+  constructor(name, args, opts) {
+    const namespace = output$1(args.cluster).apply((cluster) => {
+      return core.v1.Namespace.get(name, args.name, {
+        ...opts,
+        parent: this,
+        provider: getProvider(cluster)
+      });
+    });
+    super(
+      "highstate:k8s:ExternalNamespace",
+      name,
+      args,
+      opts,
+      output$1(args.cluster),
+      namespace.metadata,
+      namespace.spec,
+      namespace.status
+    );
+  }
+};
+var WrappedNamespace = class extends Namespace {
+  constructor(name, args, opts) {
+    super(
+      "highstate:k8s:WrappedNamespace",
+      name,
+      args,
+      opts,
+      output$1(args.cluster),
+      output$1(args.namespace).metadata,
+      output$1(args.namespace).spec,
+      output$1(args.namespace).status
+    );
+  }
+};
+
+// src/secret.ts
+var Secret = class _Secret extends NamespacedResource {
+  constructor(type, name, args, opts, metadata, namespace, data, stringData) {
+    super(type, name, args, opts, metadata, namespace);
+    this.data = data;
+    this.stringData = stringData;
+  }
+  static apiVersion = "v1";
+  static kind = "Secret";
+  /**
+   * The Highstate secret entity.
+   */
+  get entity() {
+    return makeEntityOutput({
+      entity: k8s.secretEntity,
+      identity: this.metadata.uid,
+      meta: {
+        title: this.metadata.name
+      },
+      value: {
+        ...this.entityBase
+      }
+    });
+  }
+  /**
+   * Gets the value of the secret field by the given key in `data`.
+   *
+   * Automatically decodes the base64 value.
+   *
+   * @param key The key of the secret.
+   * @returns The value of the secret.
+   */
+  getValue(key) {
+    return this.data[key].apply((value) => Buffer.from(value, "base64").toString());
+  }
+  /**
+   * Creates a new secret.
+   */
+  static create(name, args, opts) {
+    return new CreatedSecret(name, args, opts);
+  }
+  /**
+   * Creates a new secret or patches an existing one.
+   *
+   * @param name The name of the resource. May not be the same as the secret name.
+   * @param args The arguments to create or patch the secret with.
+   * @param opts Optional resource options.
+   */
+  static createOrPatch(name, args, opts) {
+    if (args.existing) {
+      return new SecretPatch(name, {
+        ...args,
+        name: output(args.existing).metadata.name
+      });
+    }
+    return new CreatedSecret(name, args, opts);
+  }
+  /**
+   * Creates a new secret or gets an existing one.
+   *
+   * @param name The name of the resource. May not be the same as the secret name. Will not be used when existing secret is retrieved.
+   * @param args The arguments to create or get the secret with.
+   * @param opts Optional resource options.
+   */
+  static async createOrGet(name, args, opts) {
+    if (args.existing) {
+      return await _Secret.forAsync(args.existing, output(args.namespace).cluster);
+    }
+    return new CreatedSecret(name, args, opts);
+  }
+  /**
+   * Patches an existing secret.
+   *
+   * Will throw an error if the secret does not exist.
+   *
+   * @param name The name of the resource. May not be the same as the secret name.
+   * @param args The arguments to patch the secret with.
+   * @param opts Optional resource options.
+   */
+  static patch(name, args, opts) {
+    return new SecretPatch(name, args, opts);
+  }
+  /**
+   * Wraps an existing Kubernetes secret.
+   */
+  static wrap(name, args, opts) {
+    return new WrappedSecret(name, args, opts);
+  }
+  /**
+   * Gets an existing secret.
+   *
+   * Will throw an error if the secret does not exist.
+   */
+  static get(name, args, opts) {
+    return new ExternalSecret(name, args, opts);
+  }
+  static secretCache = /* @__PURE__ */ new Map();
+  /**
+   * Gets an existing secret for a given entity.
+   * Prefer this method over `get` when possible.
+   *
+   * It automatically names the resource with the following format: `{clusterName}.{namespace}.{name}.{clusterId}`.
+   *
+   * This method is idempotent and will return the same instance for the same entity.
+   *
+   * @param entity The entity to get the secret for.
+   * @param cluster The cluster where the secret is located.
+   */
+  static for(entity, cluster) {
+    return getOrCreate(
+      _Secret.secretCache,
+      `${entity.clusterName}.${entity.metadata.namespace}.${entity.metadata.name}.${entity.clusterId}`,
+      (name) => {
+        return _Secret.get(name, {
+          name: entity.metadata.name,
+          namespace: Namespace.forResource(entity, cluster)
+        });
+      }
+    );
+  }
+  /**
+   * Gets an existing secret for a given entity.
+   * Prefer this method over `get` when possible.
+   *
+   * It automatically names the resource with the following format: `{clusterName}.{namespace}.{name}.{clusterId}`.
+   *
+   * This method is idempotent and will return the same instance for the same entity.
+   *
+   * @param entity The entity to get the secret for.
+   * @param cluster The cluster where the secret is located.
+   */
+  static async forAsync(entity, cluster) {
+    const resolvedEntity = await toPromise(entity);
+    return _Secret.for(resolvedEntity, cluster);
+  }
+};
+var CreatedSecret = class extends Secret {
+  constructor(name, args, opts) {
+    const secret2 = output(args.namespace).cluster.apply((cluster) => {
+      return new core.v1.Secret(
+        name,
+        {
+          metadata: mapMetadata(args, name),
+          data: args.data,
+          stringData: args.stringData,
+          type: args.type,
+          immutable: args.immutable
+        },
+        {
+          ...opts,
+          parent: this,
+          provider: getProvider(cluster)
+        }
+      );
+    });
+    super(
+      "highstate:k8s:Secret",
+      name,
+      args,
+      opts,
+      secret2.metadata,
+      output(args.namespace),
+      secret2.data,
+      secret2.stringData
+    );
+  }
+};
+var SecretPatch = class extends Secret {
+  constructor(name, args, opts) {
+    const secret2 = output(args.namespace).cluster.apply((cluster) => {
+      return new core.v1.SecretPatch(
+        name,
+        {
+          metadata: mapMetadata(args, name),
+          data: args.data,
+          stringData: args.stringData,
+          type: args.type,
+          immutable: args.immutable
+        },
+        {
+          ...opts,
+          parent: this,
+          provider: getProvider(cluster)
+        }
+      );
+    });
+    super(
+      "highstate:k8s:SecretPatch",
+      name,
+      args,
+      opts,
+      secret2.metadata,
+      output(args.namespace),
+      secret2.data,
+      secret2.stringData
+    );
+  }
+};
+var WrappedSecret = class extends Secret {
+  constructor(name, args, opts) {
+    super(
+      "highstate:k8s:WrappedSecret",
+      name,
+      args,
+      opts,
+      output(args.secret).metadata,
+      output(args.namespace),
+      output(args.secret).data,
+      output(args.secret).stringData
+    );
+  }
+};
+var ExternalSecret = class extends Secret {
+  constructor(name, args, opts) {
+    const secret2 = output(args.namespace).cluster.apply(async (cluster) => {
+      const secret3 = core.v1.Secret.get(
+        name,
+        interpolate`${output(args.namespace).metadata.name}/${args.name}`,
+        { ...opts, parent: this, provider: getProvider(cluster) }
+      );
+      const namespace = await toPromise(output(args.namespace).metadata.name);
+      const resolvedName = await toPromise(args.name);
+      const metadata = await toPromise(secret3.metadata);
+      if (!metadata) {
+        throw new Error(`Secret ${resolvedName} in namespace ${namespace} not found`);
+      }
+      return secret3;
+    });
+    super(
+      "highstate:k8s:ExternalSecret",
+      name,
+      args,
+      opts,
+      secret2.metadata,
+      output(args.namespace),
+      secret2.data,
+      secret2.stringData
+    );
+  }
+};
+
+export { ClusterAccessScope, Namespace, NamespacedResource, Resource, Secret, commonExtraArgs, getClusterKubeconfigContent, getEmbeddedSecretFileContent, getNamespaceName, getProvider, getProviderAsync, images_exports, mapMetadata, mapNamespaceNameToSelector, mapSelectorLikeToSelector, validateCluster };
+//# sourceMappingURL=chunk-TOLFVF4S.js.map
+//# sourceMappingURL=chunk-TOLFVF4S.js.map