npm - @highstate/k8s - Versions diffs - 0.19.1 → 0.20.0 - Mend

@highstate/k8s 0.19.1 → 0.20.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (105) hide show

package/dist/{chunk-FE4SHRAJ.js → chunk-23X5SXQG.js} +22 -7
package/dist/chunk-23X5SXQG.js.map +1 -0
package/dist/{chunk-LGHFSXNT.js → chunk-ADHZK6V2.js} +14 -10
package/dist/chunk-ADHZK6V2.js.map +1 -0
package/dist/{chunk-VCXWCZ43.js → chunk-BTAEFJ5N.js} +27 -15
package/dist/chunk-BTAEFJ5N.js.map +1 -0
package/dist/{chunk-BR2CLUUD.js → chunk-IXE3OKB4.js} +27 -8
package/dist/chunk-IXE3OKB4.js.map +1 -0
package/dist/{chunk-TWBMG6TD.js → chunk-OG2OPX7B.js} +30 -12
package/dist/chunk-OG2OPX7B.js.map +1 -0
package/dist/{chunk-DCUMJSO6.js → chunk-P26SQ2ZB.js} +17 -51
package/dist/chunk-P26SQ2ZB.js.map +1 -0
package/dist/{chunk-MIC2BHGS.js → chunk-PG27ZY2H.js} +25 -7
package/dist/chunk-PG27ZY2H.js.map +1 -0
package/dist/chunk-PZYGZSN5.js +54 -0
package/dist/{chunk-PZ5AY32C.js.map → chunk-PZYGZSN5.js.map} +1 -1
package/dist/{chunk-YIJUVPU2.js → chunk-S77TE7UC.js} +27 -15
package/dist/chunk-S77TE7UC.js.map +1 -0
package/dist/{chunk-P2VOUU7E.js → chunk-SZKOAHNX.js} +383 -205
package/dist/chunk-SZKOAHNX.js.map +1 -0
package/dist/chunk-TOLFVF4S.js +889 -0
package/dist/chunk-TOLFVF4S.js.map +1 -0
package/dist/{chunk-RVB4WWZZ.js → chunk-TVKT3ZYX.js} +174 -18
package/dist/chunk-TVKT3ZYX.js.map +1 -0
package/dist/cron-job-RKB2HYTO.js +7 -0
package/dist/{cron-job-NX4HD4FI.js.map → cron-job-RKB2HYTO.js.map} +1 -1
package/dist/deployment-T35TUOL2.js +7 -0
package/dist/{deployment-O2LJ5WR5.js.map → deployment-T35TUOL2.js.map} +1 -1
package/dist/highstate.manifest.json +3 -2
package/dist/impl/dynamic-endpoint-resolver.js +90 -0
package/dist/impl/dynamic-endpoint-resolver.js.map +1 -0
package/dist/impl/gateway-route.js +159 -62
package/dist/impl/gateway-route.js.map +1 -1
package/dist/impl/tls-certificate.js +6 -5
package/dist/impl/tls-certificate.js.map +1 -1
package/dist/index.js +106 -23
package/dist/index.js.map +1 -1
package/dist/job-PE4AKOHB.js +7 -0
package/dist/job-PE4AKOHB.js.map +1 -0
package/dist/stateful-set-LUIRHQJY.js +7 -0
package/dist/{stateful-set-VJYKTQ72.js.map → stateful-set-LUIRHQJY.js.map} +1 -1
package/dist/units/cert-manager/index.js +7 -8
package/dist/units/cert-manager/index.js.map +1 -1
package/dist/units/cluster-patch/index.js +6 -6
package/dist/units/cluster-patch/index.js.map +1 -1
package/dist/units/dns01-issuer/index.js +52 -15
package/dist/units/dns01-issuer/index.js.map +1 -1
package/dist/units/existing-cluster/index.js +39 -18
package/dist/units/existing-cluster/index.js.map +1 -1
package/dist/units/gateway-api/index.js +2 -2
package/dist/units/reduced-access-cluster/index.js +8 -8
package/dist/units/reduced-access-cluster/index.js.map +1 -1
package/package.json +9 -7
package/src/cluster.ts +12 -8
package/src/config-map.ts +15 -5
package/src/container.ts +4 -2
package/src/cron-job.ts +25 -4
package/src/deployment.ts +32 -17
package/src/gateway/backend.ts +3 -3
package/src/gateway/gateway.ts +12 -56
package/src/helm.ts +354 -22
package/src/impl/dynamic-endpoint-resolver.ts +109 -0
package/src/impl/gateway-route.ts +231 -57
package/src/impl/tls-certificate.ts +8 -3
package/src/index.ts +1 -0
package/src/job.ts +23 -5
package/src/kubectl.ts +166 -0
package/src/namespace.ts +47 -3
package/src/network-policy.ts +1 -1
package/src/pvc.ts +12 -2
package/src/rbac.ts +28 -5
package/src/scripting/environment.ts +3 -2
package/src/secret.ts +15 -5
package/src/service.ts +28 -6
package/src/shared.ts +30 -2
package/src/stateful-set.ts +32 -17
package/src/tls.ts +31 -5
package/src/units/cluster-patch/index.ts +5 -5
package/src/units/dns01-issuer/index.ts +56 -12
package/src/units/existing-cluster/index.ts +36 -15
package/src/units/reduced-access-cluster/index.ts +6 -3
package/src/worker.ts +4 -2
package/src/workload.ts +453 -213
package/dist/chunk-4G6LLC2X.js +0 -240
package/dist/chunk-4G6LLC2X.js.map +0 -1
package/dist/chunk-BR2CLUUD.js.map +0 -1
package/dist/chunk-DCUMJSO6.js.map +0 -1
package/dist/chunk-FE4SHRAJ.js.map +0 -1
package/dist/chunk-KMLRI5UZ.js +0 -155
package/dist/chunk-KMLRI5UZ.js.map +0 -1
package/dist/chunk-LGHFSXNT.js.map +0 -1
package/dist/chunk-MIC2BHGS.js.map +0 -1
package/dist/chunk-OBDQONMV.js +0 -401
package/dist/chunk-OBDQONMV.js.map +0 -1
package/dist/chunk-P2VOUU7E.js.map +0 -1
package/dist/chunk-PZ5AY32C.js +0 -9
package/dist/chunk-RVB4WWZZ.js.map +0 -1
package/dist/chunk-TWBMG6TD.js.map +0 -1
package/dist/chunk-VCXWCZ43.js.map +0 -1
package/dist/chunk-YIJUVPU2.js.map +0 -1
package/dist/cron-job-NX4HD4FI.js +0 -8
package/dist/deployment-O2LJ5WR5.js +0 -8
package/dist/job-SYME6Y43.js +0 -8
package/dist/job-SYME6Y43.js.map +0 -1
package/dist/stateful-set-VJYKTQ72.js +0 -8

package/src/impl/gateway-route.ts CHANGED Viewed

@@ -1,23 +1,20 @@
 import type { Secret } from "../secret"
-import { type GatewayRouteSpec, gatewayRouteMediator, type TlsCertificate } from "@highstate/common"
-import { k8s, type network } from "@highstate/library"
+import { gatewayRouteMediator, type TlsCertificate } from "@highstate/common"
+import { type common, k8s, type network } from "@highstate/library"
 import { type ComponentResourceOptions, type Input, toPromise } from "@highstate/pulumi"
 import { core } from "@pulumi/kubernetes"
 import { Gateway, HttpRoute, TcpRoute, UdpRoute } from "../gateway"
 import { Namespace } from "../namespace"
-import { l4EndpointToServicePort, Service } from "../service"
+import { isEndpointFromCluster, l4EndpointToServicePort, Service } from "../service"
 import { getProvider, mapMetadata } from "../shared"
 import { Certificate } from "../tls"
 export const createGatewayRoute = gatewayRouteMediator.implement(
   k8s.gatewayDataSchema,
-  async ({ name, spec, opts }, data) => {
-    const namespace =
-      spec.nativeData instanceof Service
-        ? await toPromise(spec.nativeData.namespace)
-        : Namespace.for(data.namespace, data.cluster)
+  async ({ name, args: spec, opts }, data) => {
+    const namespace = resolveRouteNamespace(spec, data)
-    const certSecret = await getCertificateSecret(name, namespace, spec.tlsCertificate)
+    const certSecret = await getCertificateSecret(name, namespace, spec.certificate)
     const certificateRef = certSecret
       ? {
@@ -27,7 +24,9 @@ export const createGatewayRoute = gatewayRouteMediator.implement(
         }
       : undefined
-    if (spec.type === "http") {
+    const routeProtocol = resolveRouteProtocol(spec)
+    if (routeProtocol === "http") {
       return await createHttpGatewayRoute({
         name,
         spec,
@@ -38,25 +37,48 @@ export const createGatewayRoute = gatewayRouteMediator.implement(
       })
     }
-    const protocol = spec.type === "tcp" ? "TCP" : "UDP"
     return await createL4GatewayRoute({
       name,
       spec,
       opts,
       data,
       namespace,
-      protocol,
+      protocol: routeProtocol === "tcp" ? "TCP" : "UDP",
     })
   },
 )
-type HttpGatewayRouteSpec = Extract<GatewayRouteSpec, { type: "http" }>
-type L4GatewayRouteSpec = Extract<GatewayRouteSpec, { type: "tcp" | "udp" }>
+type GatewayRouteRuleSpec = {
+  type: "http" | "tcp" | "udp"
+  paths: string[]
+  backends: {
+    endpoints: network.L4Endpoint[]
+    weight?: number
+  }[]
+}
+function resolveRouteNamespace(spec: GatewayRouteSpec, data: k8s.GatewayData): Namespace {
+  const metadataNamespace = spec.metadata["k8s.namespace"]
+  if (metadataNamespace instanceof Namespace) {
+    return metadataNamespace
+  }
+  return Namespace.for(data.namespace, data.cluster)
+}
+type GatewayRouteSpec = {
+  gateway: common.Gateway
+  metadata: Record<string, unknown>
+  fqdns: string[]
+  certificate?: TlsCertificate
+  port?: number
+  rules: Record<string, GatewayRouteRuleSpec>
+}
 type CreateHttpGatewayRouteArgs = {
   name: string
-  spec: HttpGatewayRouteSpec
+  spec: GatewayRouteSpec
   opts: ComponentResourceOptions | undefined
   data: k8s.GatewayData
   namespace: Namespace
@@ -77,17 +99,16 @@ async function createHttpGatewayRoute({
   namespace,
   certificateRef,
 }: CreateHttpGatewayRouteArgs) {
-  const backendService =
-    spec.nativeData instanceof Service
-      ? spec.nativeData
-      : (await createServiceFromEndpoints(name, namespace, spec.endpoints, data.cluster, opts))
-          .service
+  const listenerPort = spec.port ?? (certificateRef ? data.httpsPort : data.httpPort)
+  const listenerProtocol = certificateRef ? "HTTPS" : "HTTP"
+  const listenerHostname = spec.fqdns[0]
   const listeners = [
     {
-      name: "https",
-      port: data.httpsPort,
-      protocol: "HTTPS",
+      name: `${listenerProtocol.toLowerCase()}-${listenerPort}`,
+      port: listenerPort,
+      protocol: listenerProtocol,
+      hostname: listenerHostname,
       tls: {
         mode: "Terminate",
         certificateRefs: certificateRef ? [certificateRef] : undefined,
@@ -95,9 +116,9 @@ async function createHttpGatewayRoute({
     },
   ]
-  const gateway = await Gateway.createOnce(
+  const gateway = Gateway.create(
+    name,
     {
-      name: data.className,
       namespace,
       gatewayClassName: data.className,
       listeners,
@@ -105,13 +126,50 @@ async function createHttpGatewayRoute({
     opts,
   )
+  const ruleSpecs = Object.values(spec.rules)
+  const rules = await Promise.all(
+    ruleSpecs.map(async (ruleSpec, ruleIndex) => {
+      const backendRefs = await Promise.all(
+        ruleSpec.backends.map(async (backend, backendIndex) => {
+          const backendData = await resolveBackendFromEndpoints({
+            routeName: name,
+            backendName: `${ruleIndex}-${backendIndex}`,
+            endpoints: backend.endpoints,
+            namespace,
+            cluster: data.cluster,
+            opts,
+          })
+          const backendPort = await selectBackendPort({
+            ports: backendData.ports,
+            protocol: "TCP",
+            targetPort: backendData.preferredTargetPort,
+            serviceName: backendData.serviceName,
+            routeName: name,
+          })
+          return {
+            name: backendData.serviceName,
+            namespace: backendData.serviceNamespace,
+            port: backendPort.port,
+          }
+        }),
+      )
+      return {
+        matches: ruleSpec.paths,
+        backends: backendRefs,
+      }
+    }),
+  )
   const httpRoute = new HttpRoute(
     name,
     {
       gateway,
-      rule: {
-        backend: backendService,
-      },
+      hostnames: spec.fqdns,
+      rules,
     },
     opts,
   )
@@ -124,7 +182,7 @@ async function createHttpGatewayRoute({
 type CreateL4GatewayRouteArgs = {
   name: string
-  spec: L4GatewayRouteSpec
+  spec: GatewayRouteSpec
   opts: ComponentResourceOptions | undefined
   data: k8s.GatewayData
   namespace: Namespace
@@ -139,21 +197,28 @@ async function createL4GatewayRoute({
   namespace,
   protocol,
 }: CreateL4GatewayRouteArgs) {
-  const serviceData =
-    spec.nativeData instanceof Service
-      ? {
-          service: spec.nativeData,
-          ports: await getServicePorts(spec.nativeData),
-        }
-      : await createServiceFromEndpoints(name, namespace, spec.endpoints, data.cluster, opts)
+  const backends = Object.values(spec.rules).flatMap(rule => rule.backends)
+  if (backends.length === 0) {
+    throw new Error(`Gateway route "${name}" has no backends to expose.`)
+  }
-  const serviceName = await toPromise(serviceData.service.metadata.name)
+  const firstBackend = backends[0]
+  const backendData = await resolveBackendFromEndpoints({
+    routeName: name,
+    backendName: "0",
+    endpoints: firstBackend.endpoints,
+    namespace,
+    cluster: data.cluster,
+    opts,
+  })
   const backendPort = await selectBackendPort({
-    ports: serviceData.ports,
+    ports: backendData.ports,
     protocol,
-    targetPort: spec.targetPort,
-    serviceName,
+    targetPort: backendData.preferredTargetPort,
+    serviceName: backendData.serviceName,
     routeName: name,
   })
@@ -166,9 +231,13 @@ async function createL4GatewayRoute({
   const listenerName = `${protocol.toLowerCase()}-${listenerPort}`
-  const gateway = await Gateway.createOnce(
+  const gatewayName = name
+  const gatewayResourceName = name
+  const gateway = Gateway.create(
+    gatewayResourceName,
     {
-      name: data.className,
+      name: gatewayName,
       namespace,
       gatewayClassName: data.className,
       listeners: [
@@ -182,19 +251,11 @@ async function createL4GatewayRoute({
     opts,
   )
-  const backendRef = serviceData.service.metadata.apply(metadata => {
-    if (!metadata?.name) {
-      throw new Error(
-        `Service "${serviceName}" referenced by gateway route "${name}" does not have a name.`,
-      )
-    }
-    return {
-      name: metadata.name,
-      namespace: metadata.namespace,
-      port: backendPort.port,
-    }
-  })
+  const backendRef = {
+    name: backendData.serviceName,
+    namespace: backendData.serviceNamespace,
+    port: backendPort.port,
+  }
   const routeOpts = { ...opts, parent: gateway }
@@ -254,6 +315,119 @@ async function getCertificateSecret(
   )
 }
+function resolveRouteProtocol(spec: GatewayRouteSpec): GatewayRouteRuleSpec["type"] {
+  const rules = Object.values(spec.rules)
+  if (rules.length === 0) {
+    throw new Error("Gateway route must contain at least one rule")
+  }
+  const type = rules[0].type
+  if (rules.some(rule => rule.type !== type)) {
+    throw new Error("Gateway route rules must use the same protocol type")
+  }
+  return type
+}
+async function resolveBackendFromEndpoints({
+  routeName,
+  backendName,
+  endpoints,
+  namespace,
+  cluster,
+  opts,
+}: {
+  routeName: string
+  backendName: string
+  endpoints: network.L4Endpoint[]
+  namespace: Namespace
+  cluster: k8s.Cluster
+  opts: ComponentResourceOptions | undefined
+}): Promise<{
+  serviceName: string
+  serviceNamespace: string
+  ports: ServicePortInfo[]
+  preferredTargetPort?: number | string
+}> {
+  const serviceMeta = getServiceMetadataFromEndpoints(endpoints, cluster)
+  if (serviceMeta) {
+    const metadataPorts: ServicePortInfo[] = endpoints.map(endpoint => ({
+      name: typeof serviceMeta.targetPort === "string" ? serviceMeta.targetPort : undefined,
+      port: endpoint.port,
+      protocol: endpoint.protocol.toUpperCase() as "TCP" | "UDP",
+      targetPort: serviceMeta.targetPort,
+    }))
+    return {
+      serviceName: serviceMeta.name,
+      serviceNamespace: serviceMeta.namespace,
+      ports: metadataPorts,
+      preferredTargetPort: serviceMeta.targetPort,
+    }
+  }
+  const syntheticService = await createServiceFromEndpoints(
+    `${routeName}-${backendName}`,
+    namespace,
+    endpoints,
+    cluster,
+    opts,
+  )
+  const syntheticServiceName = await toPromise(syntheticService.service.metadata.name)
+  const syntheticServiceNamespace = await toPromise(syntheticService.service.metadata.namespace)
+  if (!syntheticServiceNamespace) {
+    throw new Error(
+      `Synthetic backend service "${syntheticServiceName}" for gateway route "${routeName}" has no namespace.`,
+    )
+  }
+  return {
+    serviceName: syntheticServiceName,
+    serviceNamespace: syntheticServiceNamespace,
+    ports: syntheticService.ports,
+  }
+}
+function getServiceMetadataFromEndpoints(
+  endpoints: network.L4Endpoint[],
+  cluster: k8s.Cluster,
+):
+  | {
+      name: string
+      namespace: string
+      targetPort?: number | string
+    }
+  | undefined {
+  const serviceEndpoints = endpoints.filter(endpoint => isEndpointFromCluster(endpoint, cluster))
+  if (serviceEndpoints.length === 0 || serviceEndpoints.length !== endpoints.length) {
+    return undefined
+  }
+  const first = serviceEndpoints[0].metadata["k8s.service"]
+  if (
+    serviceEndpoints.some(
+      endpoint =>
+        endpoint.metadata["k8s.service"].name !== first.name ||
+        endpoint.metadata["k8s.service"].namespace !== first.namespace,
+    )
+  ) {
+    return undefined
+  }
+  return {
+    name: first.name,
+    namespace: first.namespace,
+    targetPort: first.targetPort,
+  }
+}
 type ServicePortInfo = {
   name: string | undefined
   port: number
@@ -331,7 +505,7 @@ async function createServiceFromEndpoints(
   }
 }
-async function getServicePorts(service: Service): Promise<ServicePortInfo[]> {
+async function _getServicePorts(service: Service): Promise<ServicePortInfo[]> {
   const spec = await toPromise(service.spec)
   const ports = spec.ports ?? []

package/src/impl/tls-certificate.ts CHANGED Viewed

@@ -9,10 +9,15 @@ export const createCertificate = tlsCertificateMediator.implement(
   ({ name, spec, opts }, data) => {
     const provider = getProvider(data.cluster)
+    const metadata = spec.metadata as Record<string, unknown> | undefined
+    const metadataNamespace = metadata?.["k8s.namespace"]
     const namespace =
-      spec.nativeData instanceof Namespace
-        ? spec.nativeData
-        : Namespace.get("cert-manager", { name: "cert-manager", cluster: data.cluster })
+      metadataNamespace instanceof Namespace
+        ? metadataNamespace
+        : metadataNamespace
+          ? Namespace.for(metadataNamespace as k8s.Namespace, data.cluster)
+          : Namespace.get("cert-manager", { name: "cert-manager", cluster: data.cluster })
     return Certificate.create(
       name,

package/src/index.ts CHANGED Viewed

@@ -7,6 +7,7 @@ export * from "./dns01-solver"
 export * from "./gateway"
 export * from "./helm"
 export * from "./job"
+export * from "./kubectl"
 export * from "./namespace"
 export * from "./network"
 export * from "./network-policy"

package/src/job.ts CHANGED Viewed

@@ -1,12 +1,13 @@
-import type { k8s } from "@highstate/library"
 import type { Container } from "./container"
 import type { NetworkPolicy } from "./network-policy"
 import { getOrCreate, type UnitTerminal } from "@highstate/contract"
+import { k8s } from "@highstate/library"
 import {
   type ComponentResourceOptions,
   type Input,
   type Inputs,
   interpolate,
+  makeEntityOutput,
   type Output,
   output,
   toPromise,
@@ -18,6 +19,7 @@ import { omit } from "remeda"
 import { Namespace } from "./namespace"
 import { commonExtraArgs, getProvider, mapMetadata, type ScopedResourceArgs } from "./shared"
 import {
+  filterPatchOwnedContainersInTemplate,
   getWorkloadComponents,
   Workload,
   type WorkloadArgs,
@@ -90,7 +92,17 @@ export abstract class Job extends Workload {
    * The Highstate job entity.
    */
   get entity(): Output<k8s.Job> {
-    return output(this.entityBase)
+    return makeEntityOutput({
+      entity: k8s.jobEntity,
+      identity: this.metadata.uid,
+      meta: {
+        title: this.metadata.name,
+      },
+      value: {
+        ...this.entityBase,
+        spec: this.spec,
+      },
+    })
   }
   protected getTerminalMeta(): Output<UnitTerminal["meta"]> {
@@ -298,10 +310,16 @@ class JobPatch extends Job {
         {
           metadata: mapMetadata(args, name),
           spec: output({ args, podTemplate }).apply(({ args, podTemplate }) => {
-            return deepmerge(
+            const spec = deepmerge(
               { template: podTemplate } satisfies types.input.batch.v1.JobSpec,
-              omit(args, jobExtraArgs) as types.input.batch.v1.JobSpec,
-            )
+              omit(args, jobExtraArgs),
+            ) as Unwrap<types.input.batch.v1.JobSpec>
+            if (spec.template) {
+              spec.template = filterPatchOwnedContainersInTemplate(spec.template, podTemplate)
+            }
+            return spec
           }),
         },
         { ...opts, parent: this, provider: getProvider(cluster) },

package/src/kubectl.ts ADDED Viewed

@@ -0,0 +1,166 @@
+import type { k8s } from "@highstate/library"
+import type { InputOrArray } from "@highstate/pulumi"
+import type { Namespace } from "./namespace"
+import type { Workload } from "./workload"
+import { Command, MaterializedFile } from "@highstate/common"
+import {
+  ComponentResource,
+  type ComponentResourceOptions,
+  type Input,
+  type Output,
+  output,
+} from "@pulumi/pulumi"
+import { images } from "./shared"
+export type KubeCommandArgs = {
+  /**
+   * The kubernetes cluster to run the command against.
+   */
+  cluster: Input<k8s.Cluster>
+  /**
+   * The namespace to run the command in, if any.
+   */
+  namespace?: Input<string>
+  /**
+   * The create command to run.
+   */
+  create: InputOrArray<string>
+  /**
+   * The update command to run.
+   */
+  update?: InputOrArray<string>
+  /**
+   * The delete command to run.
+   */
+  delete?: InputOrArray<string>
+}
+export type NamespaceKubeCommandArgs = Omit<KubeCommandArgs, "cluster" | "namespace"> & {
+  /**
+   * The namespace to run the command in.
+   */
+  namespace: Input<Namespace>
+}
+export type ExecKubeCommandArgs = Omit<KubeCommandArgs, "cluster" | "namespace"> & {
+  /**
+   * The workload to exec into.
+   */
+  workload: Input<Workload>
+}
+function createCommand(command: string | string[]): string {
+  if (Array.isArray(command)) {
+    return command.join(" ")
+  }
+  return command
+}
+function buildKubeCommand(
+  command: InputOrArray<string>,
+  namespace?: Input<string>,
+): Output<string> {
+  if (namespace) {
+    return output([command, namespace]).apply(
+      ([cmd, ns]) => `kubectl -n ${ns} ${createCommand(cmd)}`,
+    )
+  }
+  return output(command).apply(cmd => `kubectl ${createCommand(cmd)}`)
+}
+function buildWorkloadExecCommand(
+  command: InputOrArray<string>,
+  workload: Input<Workload>,
+): Output<string> {
+  return output({
+    command,
+    kind: output(workload).kind,
+    name: output(workload).metadata.name,
+  }).apply(({ command, kind, name }) => {
+    const type = kind.toLowerCase()
+    return `exec -it ${type}/${name} -- ${createCommand(command)}`
+  })
+}
+export class KubeCommand extends ComponentResource {
+  /**
+   * The underlying command that will be executed when this unit is invoked.
+   */
+  readonly command: Output<Command>
+  /**
+   * The standard output of the command.
+   */
+  readonly stdout: Output<string>
+  /**
+   * The standard error of the command.
+   */
+  readonly stderr: Output<string>
+  constructor(name: string, args: KubeCommandArgs, opts?: ComponentResourceOptions) {
+    super("highstate:k8s:KubeCommand", name, args, opts)
+    this.command = output(args.cluster).apply(cluster => {
+      const kubeconfig = MaterializedFile.for(cluster.kubeconfig)
+      return new Command(`kubectl-${name}`, {
+        host: "local",
+        create: buildKubeCommand(args.create, args.namespace),
+        update: args.update ? buildKubeCommand(args.update, args.namespace) : undefined,
+        delete: args.delete ? buildKubeCommand(args.delete, args.namespace) : undefined,
+        files: [kubeconfig],
+        image: images["terminal-kubectl"].image,
+        containerShell: "bash",
+        environment: {
+          KUBECONFIG: kubeconfig.path,
+        },
+      })
+    })
+    this.stdout = this.command.stdout
+    this.stderr = this.command.stderr
+  }
+  static forNamespace(
+    name: string,
+    args: NamespaceKubeCommandArgs,
+    opts?: ComponentResourceOptions,
+  ): KubeCommand {
+    return new KubeCommand(
+      name,
+      {
+        cluster: output(args.namespace).cluster,
+        create: args.create,
+        update: args.update,
+        delete: args.delete,
+        namespace: output(args.namespace).metadata.name,
+      },
+      opts,
+    )
+  }
+  static execInto(
+    name: string,
+    args: ExecKubeCommandArgs,
+    opts?: ComponentResourceOptions,
+  ): KubeCommand {
+    return KubeCommand.forNamespace(
+      name,
+      {
+        namespace: output(args.workload).namespace,
+        create: buildWorkloadExecCommand(args.create, args.workload),
+        update: args.update ? buildWorkloadExecCommand(args.update, args.workload) : undefined,
+        delete: args.delete ? buildWorkloadExecCommand(args.delete, args.workload) : undefined,
+      },
+      opts,
+    )
+  }
+}