@highstate/k8s 0.19.1 → 0.20.0

package/src/namespace.ts

@@ -1,6 +1,6 @@
-import type { k8s } from "@highstate/library"
 import { getOrCreate } from "@highstate/contract"
-import { toPromise } from "@highstate/pulumi"
+import { k8s } from "@highstate/library"
+import { makeEntityOutput, toPromise } from "@highstate/pulumi"
 import { core, type types } from "@pulumi/kubernetes"
 import {
   type ComponentResourceOptions,
@@ -10,6 +10,7 @@ import {
   output,
   type Unwrap,
 } from "@pulumi/pulumi"
+import { ClusterAccessScope } from "./rbac"
 import {
   getProvider,
   mapMetadata,
@@ -48,6 +49,13 @@ export abstract class Namespace extends Resource {
   static readonly apiVersion = "v1"
   static readonly kind = "Namespace"
 
+  /**
+   * The cluster entity authorized to port-forward into the namespace.
+   *
+   * Only created for namespaces created with `create` or `createOrGet` methods, not for wrapped or external namespaces.
+   */
+  portForwardCluster?: Output<k8s.Cluster>
+
   constructor(
     type: string,
     name: string,
@@ -74,7 +82,16 @@ export abstract class Namespace extends Resource {
    * The Highstate namespace entity.
    */
   get entity(): Output<k8s.Namespace> {
-    return output(this.entityBase) as Output<k8s.Namespace>
+    return makeEntityOutput({
+      entity: k8s.namespaceEntity,
+      identity: this.metadata.uid,
+      meta: {
+        title: this.metadata.name,
+      },
+      value: {
+        ...this.entityBase,
+      },
+    })
   }
 
   /**
@@ -298,6 +315,33 @@ class CreatedNamespace extends Namespace {
       namespace.spec,
       namespace.status,
     )
+
+    const scope = new ClusterAccessScope(
+      `${name}-port-forward`,
+      {
+        namespace: this,
+        rules: [
+          {
+            apiGroups: [""],
+            resources: ["services"],
+            verbs: ["get"],
+          },
+          {
+            apiGroups: [""],
+            resources: ["pods"],
+            verbs: ["get", "list"],
+          },
+          {
+            apiGroups: [""],
+            resources: ["pods/portforward"],
+            verbs: ["create"],
+          },
+        ],
+      },
+      { parent: this },
+    )
+
+    this.portForwardCluster = scope.cluster
   }
 }
 

package/src/network-policy.ts

@@ -360,7 +360,7 @@ export type NetworkPolicyArgs = ScopedResourceArgs & {
    * The pod selector for this network policy.
    * If not provided, it will select all pods in the namespace.
    */
-  selector?: SelectorLike
+  selector?: Input<SelectorLike>
 
   /**
    * The rule for incoming traffic.

package/src/pvc.ts

@@ -1,10 +1,11 @@
-import type { k8s } from "@highstate/library"
 import { getOrCreate } from "@highstate/contract"
+import { k8s } from "@highstate/library"
 import {
   type ComponentResourceOptions,
   type Input,
   type Inputs,
   interpolate,
+  makeEntityOutput,
   type Output,
   output,
   toPromise,
@@ -73,7 +74,16 @@ export abstract class PersistentVolumeClaim extends NamespacedResource {
    * The Highstate PVC entity.
    */
   get entity(): Output<k8s.PersistentVolumeClaim> {
-    return output(this.entityBase)
+    return makeEntityOutput({
+      entity: k8s.persistentVolumeClaimEntity,
+      identity: this.metadata.uid,
+      meta: {
+        title: this.metadata.name,
+      },
+      value: {
+        ...this.entityBase,
+      },
+    })
   }
 
   /**

package/src/rbac.ts

@@ -1,11 +1,12 @@
-import type { k8s } from "@highstate/library"
 import type { Namespace } from "./namespace"
+import { common, type k8s } from "@highstate/library"
 import {
   ComponentResource,
   type ComponentResourceOptions,
   type Input,
   type InputArray,
   interpolate,
+  makeEntity,
   normalizeInputs,
   type Output,
   output,
@@ -15,7 +16,6 @@ import {
 import { KubeConfig } from "@kubernetes/client-node"
 import { core, rbac, type types } from "@pulumi/kubernetes"
 import { map, unique } from "remeda"
-import { stringify } from "yaml"
 import { Secret } from "./secret"
 import {
   getNamespaceName,
@@ -185,9 +185,14 @@ export class ClusterAccessScope extends ComponentResource {
       kubeconfig,
       newToken: accessTokenSecret.getValue("token"),
       serviceAccount: serviceAccount.metadata.name,
-    }).apply(({ cluster, kubeconfig, newToken, serviceAccount }) => {
+      serviceAccountId: serviceAccount.metadata.uid,
+    }).apply(({ cluster, kubeconfig, newToken, serviceAccount, serviceAccountId }) => {
+      if (kubeconfig.content.type !== "embedded-secret") {
+        throw new Error("Only embedded secrets are supported for cluster kubeconfig for now")
+      }
+
       const config = new KubeConfig()
-      config.loadFromString(kubeconfig)
+      config.loadFromString(kubeconfig.content.value.value)
 
       // clear all existing contexts and users
       config.users = []
@@ -205,7 +210,25 @@ export class ClusterAccessScope extends ComponentResource {
 
       return {
         ...cluster,
-        kubeconfig: stringify(JSON.parse(config.exportConfig())),
+        connectionId: serviceAccountId,
+        kubeconfig: makeEntity({
+          entity: common.fileEntity,
+          identity: `${serviceAccountId}:kubeconfig`,
+          meta: {
+            title: `kubeconfig for SA ${serviceAccount}`,
+          },
+          value: {
+            content: {
+              type: "embedded-secret",
+              value: config.exportConfig(),
+            },
+            meta: {
+              name: "kubeconfig",
+              contentType: "text/yaml",
+              mode: 0o600,
+            },
+          },
+        }),
       }
     })
   }

package/src/scripting/environment.ts

@@ -1,6 +1,7 @@
 import type { InputEndpoint } from "@highstate/common"
 import type { Input, InputArray, InputRecord } from "@highstate/pulumi"
 import type { ContainerEnvironment, ContainerVolumeMount, WorkloadVolume } from "../container"
+import { images } from ".."
 
 export type ScriptDistribution = "alpine" | "ubuntu"
 
@@ -94,7 +95,7 @@ const emptyDistributionEnvironment = {
 export const emptyScriptEnvironment: ResolvedScriptEnvironment = {
   alpine: {
     ...emptyDistributionEnvironment,
-    image: "alpine@sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c",
+    image: images.alpine.image,
     allowedEndpoints: [
       //
       "tcp://dl-cdn.alpinelinux.org:443",
@@ -104,7 +105,7 @@ export const emptyScriptEnvironment: ResolvedScriptEnvironment = {
 
   ubuntu: {
     ...emptyDistributionEnvironment,
-    image: "ubuntu@sha256:72297848456d5d37d1262630108ab308d3e9ec7ed1c3286a32fe09856619a782",
+    image: images.ubuntu.image,
     allowedEndpoints: [
       //
       "tcp://archive.ubuntu.com:80",

package/src/secret.ts

@@ -1,15 +1,16 @@
-import type { k8s } from "@highstate/library"
 import { getOrCreate } from "@highstate/contract"
-import { toPromise } from "@highstate/pulumi"
-import { core, type types } from "@pulumi/kubernetes"
+import { k8s } from "@highstate/library"
 import {
   type ComponentResourceOptions,
   type Input,
   type Inputs,
   interpolate,
+  makeEntityOutput,
   type Output,
   output,
-} from "@pulumi/pulumi"
+  toPromise,
+} from "@highstate/pulumi"
+import { core, type types } from "@pulumi/kubernetes"
 import { Namespace } from "./namespace"
 import { getProvider, mapMetadata, NamespacedResource, type ScopedResourceArgs } from "./shared"
 
@@ -56,7 +57,16 @@ export abstract class Secret extends NamespacedResource {
    * The Highstate secret entity.
    */
   get entity(): Output<k8s.Secret> {
-    return output(this.entityBase)
+    return makeEntityOutput({
+      entity: k8s.secretEntity,
+      identity: this.metadata.uid,
+      meta: {
+        title: this.metadata.name,
+      },
+      value: {
+        ...this.entityBase,
+      },
+    })
   }
 
   /**

package/src/service.ts

@@ -6,12 +6,13 @@ import {
   parseL4Protocol,
 } from "@highstate/common"
 import { check, getOrCreate } from "@highstate/contract"
-import { k8s, type network } from "@highstate/library"
+import { type ImplementationReference, k8s, type network } from "@highstate/library"
 import {
   type ComponentResourceOptions,
   type Input,
   type Inputs,
   interpolate,
+  makeEntityOutput,
   normalize,
   type Output,
   output,
@@ -101,9 +102,16 @@ export abstract class Service extends NamespacedResource {
    * The Highstate service entity.
    */
   get entity(): Output<k8s.Service> {
-    return output({
-      ...this.entityBase,
-      endpoints: this.endpoints,
+    return makeEntityOutput({
+      entity: k8s.serviceEntity,
+      identity: this.metadata.uid,
+      meta: {
+        title: this.metadata.name,
+      },
+      value: {
+        ...this.entityBase,
+        endpoints: this.endpoints,
+      },
     })
   }
 
@@ -230,6 +238,8 @@ export abstract class Service extends NamespacedResource {
 
   /**
    * Returns the endpoints of the service including both internal and external endpoints.
+   *
+   * Also includes an `implRef` for port-forwarding if the namespace was created with port-forwarding enabled.
    */
   get endpoints(): Output<k8s.ServiceEndpoint[]> {
     return output({
@@ -237,7 +247,8 @@ export abstract class Service extends NamespacedResource {
       metadata: this.metadata,
       spec: this.spec,
       status: this.status,
-    }).apply(({ cluster, metadata, spec, status }) => {
+      portForwardCluster: this.namespace.portForwardCluster,
+    }).apply(({ cluster, metadata, spec, status, portForwardCluster }) => {
       function createMetadata(isInternal: boolean): k8s.EndpointServiceMetadata {
         return {
           "k8s.service": {
@@ -252,6 +263,15 @@ export abstract class Service extends NamespacedResource {
         }
       }
 
+      const implRef: ImplementationReference | undefined = portForwardCluster
+        ? {
+            package: "@highstate/k8s",
+            data: {
+              cluster: portForwardCluster,
+            },
+          }
+        : undefined
+
       const internalHosts = spec.clusterIPs.length
         ? [...spec.clusterIPs, `${metadata.name}.${metadata.namespace}.svc.cluster.local`]
         : []
@@ -263,6 +283,7 @@ export abstract class Service extends NamespacedResource {
             parseEndpoint,
             endpoint => l3EndpointToL4(endpoint, port.port, parseL4Protocol(port.protocol)),
             endpoint => addEndpointMetadata(endpoint, createMetadata(true)),
+            endpoint => (implRef ? { ...endpoint, implRef } : endpoint),
           ),
         ),
       )
@@ -282,8 +303,9 @@ export abstract class Service extends NamespacedResource {
           pipe(
             ip,
             parseEndpoint,
-            endpoint => l3EndpointToL4(endpoint, port.port, parseL4Protocol(port.protocol)),
+            endpoint => l3EndpointToL4(endpoint, port.nodePort, parseL4Protocol(port.protocol)),
             endpoint => addEndpointMetadata(endpoint, createMetadata(false)),
+            endpoint => (implRef ? { ...endpoint, implRef } : endpoint),
           ),
         ),
       )

package/src/shared.ts

@@ -1,5 +1,5 @@
 import type { PartialKeys } from "@highstate/contract"
-import type { k8s } from "@highstate/library"
+import type { common, k8s } from "@highstate/library"
 import {
   ComponentResource,
   type ComponentResourceOptions,
@@ -24,7 +24,13 @@ export function getProvider(cluster: k8s.Cluster): Provider {
     return existing
   }
 
-  const provider = new Provider(name, { kubeconfig: secret(cluster.kubeconfig) })
+  if (cluster.kubeconfig.content.type !== "embedded-secret") {
+    throw new Error("Only embedded secrets are supported for cluster kubeconfig for now")
+  }
+
+  const provider = new Provider(name, {
+    kubeconfig: secret(cluster.kubeconfig.content.value.value),
+  })
   providers.set(name, provider)
 
   return provider
@@ -36,6 +42,28 @@ export async function getProviderAsync(cluster: Input<k8s.Cluster>): Promise<Pro
   return getProvider(resolvedCluster)
 }
 
+export function getEmbeddedSecretFileContent(file: Input<common.File>): Output<string> {
+  return output(file).apply(file => {
+    if (file.content.type !== "embedded-secret") {
+      throw new Error("Only embedded-secret file contents are supported for kubeconfig for now")
+    }
+
+    return file.content.value.value
+  })
+}
+
+export function getClusterKubeconfigContent(cluster: Input<k8s.Cluster>): Output<string> {
+  return output(cluster).apply(cluster => {
+    if (cluster.kubeconfig.content.type !== "embedded-secret") {
+      throw new Error(
+        "Only embedded-secret file contents are supported for cluster kubeconfig for now",
+      )
+    }
+
+    return cluster.kubeconfig.content.value.value
+  })
+}
+
 export type NamespaceLike = core.v1.Namespace | Namespace | string
 
 export type ScopedResourceArgs = {

package/src/stateful-set.ts

@@ -1,14 +1,15 @@
 import type { AccessPointRoute } from "@highstate/common"
-import type { k8s } from "@highstate/library"
 import type { Container } from "./container"
 import type { NetworkPolicy } from "./network-policy"
 import type { Service } from "./service"
 import { getOrCreate, type UnitTerminal } from "@highstate/contract"
+import { k8s } from "@highstate/library"
 import {
   type ComponentResourceOptions,
   type Input,
   type Inputs,
   interpolate,
+  makeEntityOutput,
   type Output,
   output,
   toPromise,
@@ -20,14 +21,15 @@ import { omit } from "remeda"
 import { Namespace } from "./namespace"
 import { getProvider, mapMetadata } from "./shared"
 import {
-  ExposableWorkload,
-  type ExposableWorkloadArgs,
-  exposableWorkloadExtraArgs,
-  getExposableWorkloadComponents,
+  filterPatchOwnedContainersInTemplate,
+  getWorkloadServiceComponents,
+  Workload,
+  type WorkloadServiceArgs,
   type WorkloadTerminalArgs,
+  workloadServiceExtraArgs,
 } from "./workload"
 
-export type StatefulSetArgs = Omit<ExposableWorkloadArgs, "existing"> &
+export type StatefulSetArgs = Omit<WorkloadServiceArgs, "existing"> &
   Omit<Partial<types.input.apps.v1.StatefulSetSpec>, "template"> & {
     template?: {
       metadata?: types.input.meta.v1.ObjectMeta
@@ -42,7 +44,7 @@ export type CreateOrGetStatefulSetArgs = StatefulSetArgs & {
   existing: Input<k8s.StatefulSet> | undefined
 }
 
-export abstract class StatefulSet extends ExposableWorkload {
+export abstract class StatefulSet extends Workload {
   static apiVersion = "apps/v1"
   static kind = "StatefulSet"
 
@@ -95,10 +97,17 @@ export abstract class StatefulSet extends ExposableWorkload {
    * The Highstate stateful set entity.
    */
   get entity(): Output<k8s.StatefulSet> {
-    return output({
-      ...this.entityBase,
-      service: this.service.entity,
-      endpoints: this.service.endpoints,
+    return makeEntityOutput({
+      entity: k8s.statefulSetEntity,
+      identity: this.metadata.uid,
+      meta: {
+        title: this.metadata.name,
+      },
+      value: {
+        ...this.entityBase,
+        service: this.service.entity,
+        spec: this.spec,
+      },
     })
   }
 
@@ -250,7 +259,7 @@ export abstract class StatefulSet extends ExposableWorkload {
 class CreatedStatefulSet extends StatefulSet {
   constructor(name: string, args: StatefulSetArgs, opts?: ComponentResourceOptions) {
     const { labels, podTemplate, networkPolicy, containers, service, routes } =
-      getExposableWorkloadComponents(
+      getWorkloadServiceComponents(
         name,
         {
           ...args,
@@ -275,7 +284,7 @@ class CreatedStatefulSet extends StatefulSet {
                   template: podTemplate,
                   selector: { matchLabels: labels },
                 },
-                omit(args, exposableWorkloadExtraArgs),
+                omit(args, workloadServiceExtraArgs),
               ) as types.input.apps.v1.StatefulSetSpec
             },
           ),
@@ -312,7 +321,7 @@ class CreatedStatefulSet extends StatefulSet {
 class StatefulSetPatch extends StatefulSet {
   constructor(name: string, args: StatefulSetArgs, opts?: ComponentResourceOptions) {
     const { podTemplate, networkPolicy, containers, service, routes } =
-      getExposableWorkloadComponents(name, args, () => this, opts, true)
+      getWorkloadServiceComponents(name, args, () => this, opts, true)
 
     const statefulSet = output(args.namespace).cluster.apply(cluster => {
       return new apps.v1.StatefulSetPatch(
@@ -320,10 +329,16 @@ class StatefulSetPatch extends StatefulSet {
         {
           metadata: mapMetadata(args, name),
           spec: output({ args, podTemplate }).apply(({ args, podTemplate }) => {
-            return deepmerge(
+            const spec = deepmerge(
               { template: podTemplate },
-              omit(args, exposableWorkloadExtraArgs),
-            ) as types.input.apps.v1.StatefulSetSpec
+              omit(args, workloadServiceExtraArgs),
+            ) as Unwrap<types.input.apps.v1.StatefulSetSpec>
+
+            if (spec.template) {
+              spec.template = filterPatchOwnedContainersInTemplate(spec.template, podTemplate)
+            }
+
+            return spec
           }),
         },
         {

package/src/tls.ts

@@ -1,12 +1,13 @@
-import type { k8s } from "@highstate/library"
 import type { types } from "@pulumi/kubernetes"
 import { cert_manager, type types as cmTypes } from "@highstate/cert-manager"
 import { getOrCreate } from "@highstate/contract"
+import { k8s } from "@highstate/library"
 import {
   type ComponentResourceOptions,
   type Input,
   type Inputs,
   interpolate,
+  makeEntityOutput,
   type Output,
   output,
   toPromise,
@@ -31,6 +32,22 @@ export type CreateOrGetCertificateArgs = CertificateArgs & {
   existing: Input<k8s.Certificate> | undefined
 }
 
+const certManagerCertificateWaitFor = "condition=Ready"
+
+function mapCertificateMetadata(
+  args: CertificateArgs,
+  fallbackName: string,
+): Output<types.input.meta.v1.ObjectMeta> {
+  return mapMetadata(args, fallbackName).apply(metadata => ({
+    ...metadata,
+    annotations: {
+      ...metadata.annotations,
+      "pulumi.com/waitFor":
+        metadata.annotations?.["pulumi.com/waitFor"] ?? certManagerCertificateWaitFor,
+    },
+  }))
+}
+
 /**
  * Represents a cert-manager Certificate resource with metadata and secret.
  */
@@ -65,8 +82,17 @@ export abstract class Certificate extends NamespacedResource {
   /**
    * The Highstate certificate entity.
    */
-  get entity(): Output<k8s.NamespacedResource> {
-    return output(this.entityBase)
+  get entity(): Output<k8s.Certificate> {
+    return makeEntityOutput({
+      entity: k8s.certificateEntity,
+      identity: this.metadata.uid,
+      meta: {
+        title: this.metadata.name,
+      },
+      value: {
+        ...this.entityBase,
+      },
+    })
   }
 
   /**
@@ -228,7 +254,7 @@ class CreatedCertificate extends Certificate {
       return new cert_manager.v1.Certificate(
         name,
         {
-          metadata: mapMetadata(args, name),
+          metadata: mapCertificateMetadata(args, name),
           spec: omit(args, commonExtraArgs),
         },
         { ...opts, parent: this, provider: getProvider(cluster) },
@@ -255,7 +281,7 @@ class CertificatePatch extends Certificate {
       return new cert_manager.v1.CertificatePatch(
         name,
         {
-          metadata: mapMetadata(args, name),
+          metadata: mapCertificateMetadata(args, name),
           spec: omit(args, commonExtraArgs),
         },
         { ...opts, parent: this, provider: getProvider(cluster) },

package/src/units/cluster-patch/index.ts

@@ -5,18 +5,18 @@ import { forUnit, toPromise } from "@highstate/pulumi"
 const { args, inputs, outputs } = forUnit(k8s.clusterPatch)
 
 const cluster = await toPromise(inputs.k8sCluster)
-const endpoints = await parseEndpoints(args.endpoints, inputs.endpoints, 3)
-const apiEndpoints = await parseEndpoints(args.apiEndpoints, inputs.apiEndpoints, 4)
+const endpoints = parseEndpoints([...args.endpoints, ...inputs.endpoints], 3)
+const apiEndpoints = parseEndpoints([...args.apiEndpoints, ...inputs.apiEndpoints], 4)
 
 const newEndpoints = endpoints.length > 0 ? endpoints : cluster.endpoints
 const newApiEndpoints = apiEndpoints.length > 0 ? apiEndpoints : cluster.apiEndpoints
 
 export default outputs({
-  k8sCluster: inputs.k8sCluster.apply(k8sCluster => ({
-    ...k8sCluster,
+  k8sCluster: {
+    ...inputs.k8sCluster,
     endpoints: newEndpoints,
     apiEndpoints: newApiEndpoints,
-  })),
+  },
 
   $statusFields: {
     endpoints: endpoints.map(l3EndpointToString),