@highstate/k8s 0.19.1 → 0.21.1

package/src/namespace.ts

@@ -1,6 +1,6 @@
-import type { k8s } from "@highstate/library"
 import { getOrCreate } from "@highstate/contract"
-import { toPromise } from "@highstate/pulumi"
+import { k8s } from "@highstate/library"
+import { makeEntityOutput, toPromise } from "@highstate/pulumi"
 import { core, type types } from "@pulumi/kubernetes"
 import {
   type ComponentResourceOptions,
@@ -10,6 +10,7 @@ import {
   output,
   type Unwrap,
 } from "@pulumi/pulumi"
+import { ClusterAccessScope } from "./rbac"
 import {
   getProvider,
   mapMetadata,
@@ -48,6 +49,13 @@ export abstract class Namespace extends Resource {
   static readonly apiVersion = "v1"
   static readonly kind = "Namespace"
 
+  /**
+   * The cluster entity authorized to port-forward into the namespace.
+   *
+   * Only created for namespaces created with `create` or `createOrGet` methods, not for wrapped or external namespaces.
+   */
+  portForwardCluster?: Output<k8s.Cluster>
+
   constructor(
     type: string,
     name: string,
@@ -74,7 +82,16 @@ export abstract class Namespace extends Resource {
    * The Highstate namespace entity.
    */
   get entity(): Output<k8s.Namespace> {
-    return output(this.entityBase) as Output<k8s.Namespace>
+    return makeEntityOutput({
+      entity: k8s.namespaceEntity,
+      identity: this.metadata.uid,
+      meta: {
+        title: this.metadata.name,
+      },
+      value: {
+        ...this.entityBase,
+      },
+    })
   }
 
   /**
@@ -298,6 +315,33 @@ class CreatedNamespace extends Namespace {
       namespace.spec,
       namespace.status,
     )
+
+    const scope = new ClusterAccessScope(
+      `${name}-port-forward`,
+      {
+        namespace: this,
+        rules: [
+          {
+            apiGroups: [""],
+            resources: ["services"],
+            verbs: ["get"],
+          },
+          {
+            apiGroups: [""],
+            resources: ["pods"],
+            verbs: ["get", "list"],
+          },
+          {
+            apiGroups: [""],
+            resources: ["pods/portforward"],
+            verbs: ["create"],
+          },
+        ],
+      },
+      { parent: this },
+    )
+
+    this.portForwardCluster = scope.cluster
   }
 }
 

package/src/network-policy.ts

@@ -360,7 +360,7 @@ export type NetworkPolicyArgs = ScopedResourceArgs & {
    * The pod selector for this network policy.
    * If not provided, it will select all pods in the namespace.
    */
-  selector?: SelectorLike
+  selector?: Input<SelectorLike>
 
   /**
    * The rule for incoming traffic.

package/src/pvc.ts

@@ -1,10 +1,11 @@
-import type { k8s } from "@highstate/library"
 import { getOrCreate } from "@highstate/contract"
+import { k8s } from "@highstate/library"
 import {
   type ComponentResourceOptions,
   type Input,
   type Inputs,
   interpolate,
+  makeEntityOutput,
   type Output,
   output,
   toPromise,
@@ -73,7 +74,16 @@ export abstract class PersistentVolumeClaim extends NamespacedResource {
    * The Highstate PVC entity.
    */
   get entity(): Output<k8s.PersistentVolumeClaim> {
-    return output(this.entityBase)
+    return makeEntityOutput({
+      entity: k8s.persistentVolumeClaimEntity,
+      identity: this.metadata.uid,
+      meta: {
+        title: this.metadata.name,
+      },
+      value: {
+        ...this.entityBase,
+      },
+    })
   }
 
   /**

package/src/rbac.ts

@@ -1,11 +1,12 @@
-import type { k8s } from "@highstate/library"
 import type { Namespace } from "./namespace"
+import { common, type k8s } from "@highstate/library"
 import {
   ComponentResource,
   type ComponentResourceOptions,
   type Input,
   type InputArray,
   interpolate,
+  makeEntity,
   normalizeInputs,
   type Output,
   output,
@@ -15,7 +16,6 @@ import {
 import { KubeConfig } from "@kubernetes/client-node"
 import { core, rbac, type types } from "@pulumi/kubernetes"
 import { map, unique } from "remeda"
-import { stringify } from "yaml"
 import { Secret } from "./secret"
 import {
   getNamespaceName,
@@ -185,9 +185,14 @@ export class ClusterAccessScope extends ComponentResource {
       kubeconfig,
       newToken: accessTokenSecret.getValue("token"),
       serviceAccount: serviceAccount.metadata.name,
-    }).apply(({ cluster, kubeconfig, newToken, serviceAccount }) => {
+      serviceAccountId: serviceAccount.metadata.uid,
+    }).apply(({ cluster, kubeconfig, newToken, serviceAccount, serviceAccountId }) => {
+      if (kubeconfig.content.type !== "embedded-secret") {
+        throw new Error("Only embedded secrets are supported for cluster kubeconfig for now")
+      }
+
       const config = new KubeConfig()
-      config.loadFromString(kubeconfig)
+      config.loadFromString(kubeconfig.content.value.value)
 
       // clear all existing contexts and users
       config.users = []
@@ -205,7 +210,25 @@ export class ClusterAccessScope extends ComponentResource {
 
       return {
         ...cluster,
-        kubeconfig: stringify(JSON.parse(config.exportConfig())),
+        connectionId: serviceAccountId,
+        kubeconfig: makeEntity({
+          entity: common.fileEntity,
+          identity: `${serviceAccountId}:kubeconfig`,
+          meta: {
+            title: `kubeconfig for SA ${serviceAccount}`,
+          },
+          value: {
+            content: {
+              type: "embedded-secret",
+              value: config.exportConfig(),
+            },
+            meta: {
+              name: "kubeconfig",
+              contentType: "text/yaml",
+              mode: 0o600,
+            },
+          },
+        }),
       }
     })
   }

package/src/scripting/bundle.ts

@@ -12,14 +12,10 @@ import {
   output,
   type Unwrap,
 } from "@pulumi/pulumi"
-import { serializeFunction } from "@pulumi/pulumi/runtime/index.js"
 import { deepmerge } from "deepmerge-ts"
-import { readPackageJSON } from "pkg-types"
-import { mapValues, omitBy } from "remeda"
 import { ConfigMap } from "../config-map"
 import {
   emptyScriptEnvironment,
-  functionScriptImages,
   type ResolvedScriptEnvironment,
   type ScriptDistribution,
   type ScriptEnvironment,
@@ -87,35 +83,19 @@ export class ScriptBundle extends ComponentResource {
       Unwrap<ResolvedScriptEnvironment>
     >
 
-    const hasFunctionScripts = scriptEnvironment.apply(scriptEnvironment => {
-      return Object.values(scriptEnvironment.files).some(file => typeof file === "function")
-    })
-
     this.distribution = args.distribution
     this.environment = scriptEnvironment.environment
 
-    this.image = hasFunctionScripts.apply(hasFunctionScripts =>
-      output(
-        hasFunctionScripts
-          ? functionScriptImages[args.distribution]
-          : scriptEnvironment[args.distribution].image,
-      ),
-    )
+    this.image = scriptEnvironment[args.distribution].image
 
-    this.allowedEndpoints = output({ scriptEnvironment, hasFunctionScripts }).apply(
-      ({ scriptEnvironment, hasFunctionScripts }) => {
-        const allowedEndpoints = [
-          ...scriptEnvironment.allowedEndpoints,
-          ...scriptEnvironment[args.distribution].allowedEndpoints,
-        ]
-
-        if (hasFunctionScripts) {
-          allowedEndpoints.push("tcp://registry.npmjs.org:443")
-        }
+    this.allowedEndpoints = scriptEnvironment.apply(scriptEnvironment => {
+      const allowedEndpoints = [
+        ...scriptEnvironment.allowedEndpoints,
+        ...scriptEnvironment[args.distribution].allowedEndpoints,
+      ]
 
-        return allowedEndpoints.map(endpoint => parseEndpoint(endpoint))
-      },
-    )
+      return allowedEndpoints.map(endpoint => parseEndpoint(endpoint))
+    })
 
     this.configMap = output({ scriptEnvironment, args }).apply(({ scriptEnvironment, args }) => {
       return ConfigMap.create(
@@ -129,49 +109,32 @@ export class ScriptBundle extends ComponentResource {
       )
     })
 
-    this.volumes = output({ hasFunctionScripts, volumes: scriptEnvironment.volumes }).apply(
-      ({ hasFunctionScripts, volumes }) => {
-        return [
-          ...volumes,
-          {
-            name: this.configMap.metadata.name,
+    this.volumes = scriptEnvironment.volumes.apply(volumes => {
+      return [
+        ...volumes,
+        {
+          name: this.configMap.metadata.name,
 
-            configMap: {
-              name: this.configMap.metadata.name,
-              defaultMode: 0o550, // read and execute permissions
-            },
+          configMap: {
+            name: this.configMap.metadata.name,
+            defaultMode: 0o550, // read and execute permissions
           },
-          ...(hasFunctionScripts ? [{ name: "node-modules", emptyDir: {} }] : []),
-        ]
-      },
-    )
+        },
+      ]
+    })
 
-    this.volumeMounts = output({
-      hasFunctionScripts,
-      volumeMounts: scriptEnvironment.volumeMounts,
-    }).apply(({ hasFunctionScripts, volumeMounts }) => {
+    this.volumeMounts = scriptEnvironment.volumeMounts.apply(volumeMounts => {
       return [
         ...volumeMounts,
         {
           volume: this.configMap,
           mountPath: "/scripts",
         },
-        ...(hasFunctionScripts
-          ? [{ name: "node-modules", mountPath: "/scripts/node_modules" }]
-          : []),
       ]
     })
   }
 }
 
-function stripWorkspacePrefix(value: string): string {
-  if (value.startsWith("workspace:")) {
-    return value.replace("workspace:", "")
-  }
-
-  return value
-}
-
 async function createScriptData(
   distribution: ScriptDistribution,
   environment: Unwrap<ResolvedScriptEnvironment>,
@@ -182,48 +145,8 @@ async function createScriptData(
   const distributionEnvironment = environment[distribution]
   const setupScripts = { ...environment.setupScripts }
 
-  let hasFunctionScripts = false
-
   for (const key in environment.files) {
-    if (typeof environment.files[key] === "function") {
-      const serialized = await serializeFunction(environment.files[key])
-
-      scriptData[key] = text`
-        #!/usr/local/bin/bun
-        
-        ${serialized.text}
-
-        exports.${serialized.exportName}()
-      `
-
-      hasFunctionScripts = true
-    } else {
-      scriptData[key] = environment.files[key]
-    }
-  }
-
-  if (hasFunctionScripts) {
-    const packageJson = await readPackageJSON()
-
-    packageJson.dependencies = omitBy(
-      mapValues(packageJson.dependencies ?? {}, stripWorkspacePrefix),
-      (_, key) => key.startsWith("@highstate/"),
-    )
-
-    packageJson.devDependencies = omitBy(
-      mapValues(packageJson.devDependencies ?? {}, stripWorkspacePrefix),
-      (_, key) => key.startsWith("@highstate/"),
-    )
-
-    scriptData["package.json"] = JSON.stringify(packageJson, null, 2)
-
-    setupScripts["resolve-dependencies.sh"] = text`
-      #!/usr/local/bin/bun
-      set -e
-
-      cd /scripts
-      bun install --production
-    `
+    scriptData[key] = environment.files[key]
   }
 
   if (distributionEnvironment.preInstallPackages.length > 0) {

package/src/scripting/environment.ts

@@ -1,6 +1,7 @@
 import type { InputEndpoint } from "@highstate/common"
 import type { Input, InputArray, InputRecord } from "@highstate/pulumi"
 import type { ContainerEnvironment, ContainerVolumeMount, WorkloadVolume } from "../container"
+import images from "../../assets/images.json"
 
 export type ScriptDistribution = "alpine" | "ubuntu"
 
@@ -38,8 +39,6 @@ export type DistributionEnvironment = {
   allowedEndpoints?: InputArray<InputEndpoint>
 }
 
-export type ScriptProgram = () => unknown
-
 export type ScriptEnvironment = {
   [distribution in ScriptDistribution]?: DistributionEnvironment
 } & {
@@ -56,7 +55,7 @@ export type ScriptEnvironment = {
   /**
    * The arbitrary files available in the environment including scripts.
    */
-  files?: InputRecord<string | ScriptProgram>
+  files?: InputRecord<string>
 
   /**
    * The volumes that should be defined in the environment.
@@ -94,7 +93,7 @@ const emptyDistributionEnvironment = {
 export const emptyScriptEnvironment: ResolvedScriptEnvironment = {
   alpine: {
     ...emptyDistributionEnvironment,
-    image: "alpine@sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c",
+    image: images.alpine.image,
     allowedEndpoints: [
       //
       "tcp://dl-cdn.alpinelinux.org:443",
@@ -104,7 +103,7 @@ export const emptyScriptEnvironment: ResolvedScriptEnvironment = {
 
   ubuntu: {
     ...emptyDistributionEnvironment,
-    image: "ubuntu@sha256:72297848456d5d37d1262630108ab308d3e9ec7ed1c3286a32fe09856619a782",
+    image: images.ubuntu.image,
     allowedEndpoints: [
       //
       "tcp://archive.ubuntu.com:80",
@@ -122,8 +121,3 @@ export const emptyScriptEnvironment: ResolvedScriptEnvironment = {
   environment: {},
   allowedEndpoints: [],
 }
-
-export const functionScriptImages: Record<ScriptDistribution, string> = {
-  alpine: "oven/bun@sha256:6b14922b0885c3890cdb0b396090af1da486ba941df5ee94391eef64f7113c61",
-  ubuntu: "oven/bun@sha256:66b431441dc4c36d7e8164bfc61e6348ec1d7ce2862fc3a29f5dc9856e8205e4",
-}

package/src/secret.ts

@@ -1,15 +1,16 @@
-import type { k8s } from "@highstate/library"
 import { getOrCreate } from "@highstate/contract"
-import { toPromise } from "@highstate/pulumi"
-import { core, type types } from "@pulumi/kubernetes"
+import { k8s } from "@highstate/library"
 import {
   type ComponentResourceOptions,
   type Input,
   type Inputs,
   interpolate,
+  makeEntityOutput,
   type Output,
   output,
-} from "@pulumi/pulumi"
+  toPromise,
+} from "@highstate/pulumi"
+import { core, type types } from "@pulumi/kubernetes"
 import { Namespace } from "./namespace"
 import { getProvider, mapMetadata, NamespacedResource, type ScopedResourceArgs } from "./shared"
 
@@ -56,7 +57,16 @@ export abstract class Secret extends NamespacedResource {
    * The Highstate secret entity.
    */
   get entity(): Output<k8s.Secret> {
-    return output(this.entityBase)
+    return makeEntityOutput({
+      entity: k8s.secretEntity,
+      identity: this.metadata.uid,
+      meta: {
+        title: this.metadata.name,
+      },
+      value: {
+        ...this.entityBase,
+      },
+    })
   }
 
   /**

package/src/service.ts

@@ -6,12 +6,13 @@ import {
   parseL4Protocol,
 } from "@highstate/common"
 import { check, getOrCreate } from "@highstate/contract"
-import { k8s, type network } from "@highstate/library"
+import { type ImplementationReference, k8s, type network } from "@highstate/library"
 import {
   type ComponentResourceOptions,
   type Input,
   type Inputs,
   interpolate,
+  makeEntityOutput,
   normalize,
   type Output,
   output,
@@ -101,9 +102,16 @@ export abstract class Service extends NamespacedResource {
    * The Highstate service entity.
    */
   get entity(): Output<k8s.Service> {
-    return output({
-      ...this.entityBase,
-      endpoints: this.endpoints,
+    return makeEntityOutput({
+      entity: k8s.serviceEntity,
+      identity: this.metadata.uid,
+      meta: {
+        title: this.metadata.name,
+      },
+      value: {
+        ...this.entityBase,
+        endpoints: this.endpoints,
+      },
     })
   }
 
@@ -230,6 +238,8 @@ export abstract class Service extends NamespacedResource {
 
   /**
    * Returns the endpoints of the service including both internal and external endpoints.
+   *
+   * Also includes an `implRef` for port-forwarding if the namespace was created with port-forwarding enabled.
    */
   get endpoints(): Output<k8s.ServiceEndpoint[]> {
     return output({
@@ -237,7 +247,8 @@ export abstract class Service extends NamespacedResource {
       metadata: this.metadata,
       spec: this.spec,
       status: this.status,
-    }).apply(({ cluster, metadata, spec, status }) => {
+      portForwardCluster: this.namespace.portForwardCluster,
+    }).apply(({ cluster, metadata, spec, status, portForwardCluster }) => {
       function createMetadata(isInternal: boolean): k8s.EndpointServiceMetadata {
         return {
           "k8s.service": {
@@ -252,6 +263,15 @@ export abstract class Service extends NamespacedResource {
         }
       }
 
+      const implRef: ImplementationReference | undefined = portForwardCluster
+        ? {
+            package: "@highstate/k8s",
+            data: {
+              cluster: portForwardCluster,
+            },
+          }
+        : undefined
+
       const internalHosts = spec.clusterIPs.length
         ? [...spec.clusterIPs, `${metadata.name}.${metadata.namespace}.svc.cluster.local`]
         : []
@@ -263,6 +283,7 @@ export abstract class Service extends NamespacedResource {
             parseEndpoint,
             endpoint => l3EndpointToL4(endpoint, port.port, parseL4Protocol(port.protocol)),
             endpoint => addEndpointMetadata(endpoint, createMetadata(true)),
+            endpoint => (implRef ? { ...endpoint, implRef } : endpoint),
           ),
         ),
       )
@@ -282,8 +303,9 @@ export abstract class Service extends NamespacedResource {
           pipe(
             ip,
             parseEndpoint,
-            endpoint => l3EndpointToL4(endpoint, port.port, parseL4Protocol(port.protocol)),
+            endpoint => l3EndpointToL4(endpoint, port.nodePort, parseL4Protocol(port.protocol)),
             endpoint => addEndpointMetadata(endpoint, createMetadata(false)),
+            endpoint => (implRef ? { ...endpoint, implRef } : endpoint),
           ),
         ),
       )

package/src/shared.ts

@@ -1,5 +1,5 @@
 import type { PartialKeys } from "@highstate/contract"
-import type { k8s } from "@highstate/library"
+import type { common, k8s } from "@highstate/library"
 import {
   ComponentResource,
   type ComponentResourceOptions,
@@ -12,7 +12,7 @@ import {
   type Unwrap,
 } from "@highstate/pulumi"
 import { core, Provider, type types } from "@pulumi/kubernetes"
-import * as images from "../assets/images.json"
+import images from "../assets/images.json"
 import { Namespace } from "./namespace"
 
 const providers = new Map<`${string}.${string}`, Provider>()
@@ -24,7 +24,13 @@ export function getProvider(cluster: k8s.Cluster): Provider {
     return existing
   }
 
-  const provider = new Provider(name, { kubeconfig: secret(cluster.kubeconfig) })
+  if (cluster.kubeconfig.content.type !== "embedded-secret") {
+    throw new Error("Only embedded secrets are supported for cluster kubeconfig for now")
+  }
+
+  const provider = new Provider(name, {
+    kubeconfig: secret(cluster.kubeconfig.content.value.value),
+  })
   providers.set(name, provider)
 
   return provider
@@ -36,6 +42,28 @@ export async function getProviderAsync(cluster: Input<k8s.Cluster>): Promise<Pro
   return getProvider(resolvedCluster)
 }
 
+export function getEmbeddedSecretFileContent(file: Input<common.File>): Output<string> {
+  return output(file).apply(file => {
+    if (file.content.type !== "embedded-secret") {
+      throw new Error("Only embedded-secret file contents are supported for kubeconfig for now")
+    }
+
+    return file.content.value.value
+  })
+}
+
+export function getClusterKubeconfigContent(cluster: Input<k8s.Cluster>): Output<string> {
+  return output(cluster).apply(cluster => {
+    if (cluster.kubeconfig.content.type !== "embedded-secret") {
+      throw new Error(
+        "Only embedded-secret file contents are supported for cluster kubeconfig for now",
+      )
+    }
+
+    return cluster.kubeconfig.content.value.value
+  })
+}
+
 export type NamespaceLike = core.v1.Namespace | Namespace | string
 
 export type ScopedResourceArgs = {