@highstate/k8s 0.19.1 → 0.21.1

package/src/stateful-set.ts

@@ -1,14 +1,15 @@
 import type { AccessPointRoute } from "@highstate/common"
-import type { k8s } from "@highstate/library"
 import type { Container } from "./container"
 import type { NetworkPolicy } from "./network-policy"
 import type { Service } from "./service"
 import { getOrCreate, type UnitTerminal } from "@highstate/contract"
+import { k8s } from "@highstate/library"
 import {
   type ComponentResourceOptions,
   type Input,
   type Inputs,
   interpolate,
+  makeEntityOutput,
   type Output,
   output,
   toPromise,
@@ -20,14 +21,15 @@ import { omit } from "remeda"
 import { Namespace } from "./namespace"
 import { getProvider, mapMetadata } from "./shared"
 import {
-  ExposableWorkload,
-  type ExposableWorkloadArgs,
-  exposableWorkloadExtraArgs,
-  getExposableWorkloadComponents,
+  filterPatchOwnedContainersInTemplate,
+  getWorkloadServiceComponents,
+  Workload,
+  type WorkloadServiceArgs,
   type WorkloadTerminalArgs,
+  workloadServiceExtraArgs,
 } from "./workload"
 
-export type StatefulSetArgs = Omit<ExposableWorkloadArgs, "existing"> &
+export type StatefulSetArgs = Omit<WorkloadServiceArgs, "existing"> &
   Omit<Partial<types.input.apps.v1.StatefulSetSpec>, "template"> & {
     template?: {
       metadata?: types.input.meta.v1.ObjectMeta
@@ -42,7 +44,7 @@ export type CreateOrGetStatefulSetArgs = StatefulSetArgs & {
   existing: Input<k8s.StatefulSet> | undefined
 }
 
-export abstract class StatefulSet extends ExposableWorkload {
+export abstract class StatefulSet extends Workload {
   static apiVersion = "apps/v1"
   static kind = "StatefulSet"
 
@@ -95,10 +97,17 @@ export abstract class StatefulSet extends ExposableWorkload {
    * The Highstate stateful set entity.
    */
   get entity(): Output<k8s.StatefulSet> {
-    return output({
-      ...this.entityBase,
-      service: this.service.entity,
-      endpoints: this.service.endpoints,
+    return makeEntityOutput({
+      entity: k8s.statefulSetEntity,
+      identity: this.metadata.uid,
+      meta: {
+        title: this.metadata.name,
+      },
+      value: {
+        ...this.entityBase,
+        service: this.service.entity,
+        spec: this.spec,
+      },
     })
   }
 
@@ -250,7 +259,7 @@ export abstract class StatefulSet extends ExposableWorkload {
 class CreatedStatefulSet extends StatefulSet {
   constructor(name: string, args: StatefulSetArgs, opts?: ComponentResourceOptions) {
     const { labels, podTemplate, networkPolicy, containers, service, routes } =
-      getExposableWorkloadComponents(
+      getWorkloadServiceComponents(
         name,
         {
           ...args,
@@ -275,7 +284,7 @@ class CreatedStatefulSet extends StatefulSet {
                   template: podTemplate,
                   selector: { matchLabels: labels },
                 },
-                omit(args, exposableWorkloadExtraArgs),
+                omit(args, workloadServiceExtraArgs),
               ) as types.input.apps.v1.StatefulSetSpec
             },
           ),
@@ -312,7 +321,7 @@ class CreatedStatefulSet extends StatefulSet {
 class StatefulSetPatch extends StatefulSet {
   constructor(name: string, args: StatefulSetArgs, opts?: ComponentResourceOptions) {
     const { podTemplate, networkPolicy, containers, service, routes } =
-      getExposableWorkloadComponents(name, args, () => this, opts, true)
+      getWorkloadServiceComponents(name, args, () => this, opts, true)
 
     const statefulSet = output(args.namespace).cluster.apply(cluster => {
       return new apps.v1.StatefulSetPatch(
@@ -320,10 +329,16 @@ class StatefulSetPatch extends StatefulSet {
         {
           metadata: mapMetadata(args, name),
           spec: output({ args, podTemplate }).apply(({ args, podTemplate }) => {
-            return deepmerge(
+            const spec = deepmerge(
               { template: podTemplate },
-              omit(args, exposableWorkloadExtraArgs),
-            ) as types.input.apps.v1.StatefulSetSpec
+              omit(args, workloadServiceExtraArgs),
+            ) as Unwrap<types.input.apps.v1.StatefulSetSpec>
+
+            if (spec.template) {
+              spec.template = filterPatchOwnedContainersInTemplate(spec.template, podTemplate)
+            }
+
+            return spec
           }),
         },
         {
@@ -334,6 +349,22 @@ class StatefulSetPatch extends StatefulSet {
       )
     })
 
+    const filteredSpec = output({ spec: statefulSet.spec, podTemplate }).apply(
+      ({ spec, podTemplate }) => {
+        if (!spec.template) {
+          return spec
+        }
+
+        return {
+          ...spec,
+          template: filterPatchOwnedContainersInTemplate(
+            spec.template as Unwrap<types.input.core.v1.PodTemplateSpec>,
+            podTemplate,
+          ) as types.output.core.v1.PodTemplateSpec,
+        }
+      },
+    ) as Output<types.output.apps.v1.StatefulSetSpec>
+
     super(
       "highstate:k8s:StatefulSetPatch",
       name,
@@ -349,7 +380,7 @@ class StatefulSetPatch extends StatefulSet {
       service,
       routes,
 
-      statefulSet.spec,
+      filteredSpec,
       statefulSet.status,
     )
   }

package/src/tls.ts

@@ -1,12 +1,13 @@
-import type { k8s } from "@highstate/library"
 import type { types } from "@pulumi/kubernetes"
 import { cert_manager, type types as cmTypes } from "@highstate/cert-manager"
 import { getOrCreate } from "@highstate/contract"
+import { k8s } from "@highstate/library"
 import {
   type ComponentResourceOptions,
   type Input,
   type Inputs,
   interpolate,
+  makeEntityOutput,
   type Output,
   output,
   toPromise,
@@ -31,6 +32,22 @@ export type CreateOrGetCertificateArgs = CertificateArgs & {
   existing: Input<k8s.Certificate> | undefined
 }
 
+const certManagerCertificateWaitFor = "condition=Ready"
+
+function mapCertificateMetadata(
+  args: CertificateArgs,
+  fallbackName: string,
+): Output<types.input.meta.v1.ObjectMeta> {
+  return mapMetadata(args, fallbackName).apply(metadata => ({
+    ...metadata,
+    annotations: {
+      ...metadata.annotations,
+      "pulumi.com/waitFor":
+        metadata.annotations?.["pulumi.com/waitFor"] ?? certManagerCertificateWaitFor,
+    },
+  }))
+}
+
 /**
  * Represents a cert-manager Certificate resource with metadata and secret.
  */
@@ -65,8 +82,17 @@ export abstract class Certificate extends NamespacedResource {
   /**
    * The Highstate certificate entity.
    */
-  get entity(): Output<k8s.NamespacedResource> {
-    return output(this.entityBase)
+  get entity(): Output<k8s.Certificate> {
+    return makeEntityOutput({
+      entity: k8s.certificateEntity,
+      identity: this.metadata.uid,
+      meta: {
+        title: this.metadata.name,
+      },
+      value: {
+        ...this.entityBase,
+      },
+    })
   }
 
   /**
@@ -228,7 +254,7 @@ class CreatedCertificate extends Certificate {
       return new cert_manager.v1.Certificate(
         name,
         {
-          metadata: mapMetadata(args, name),
+          metadata: mapCertificateMetadata(args, name),
           spec: omit(args, commonExtraArgs),
         },
         { ...opts, parent: this, provider: getProvider(cluster) },
@@ -255,7 +281,7 @@ class CertificatePatch extends Certificate {
       return new cert_manager.v1.CertificatePatch(
         name,
         {
-          metadata: mapMetadata(args, name),
+          metadata: mapCertificateMetadata(args, name),
           spec: omit(args, commonExtraArgs),
         },
         { ...opts, parent: this, provider: getProvider(cluster) },

package/src/units/cluster-patch/index.ts

@@ -5,18 +5,18 @@ import { forUnit, toPromise } from "@highstate/pulumi"
 const { args, inputs, outputs } = forUnit(k8s.clusterPatch)
 
 const cluster = await toPromise(inputs.k8sCluster)
-const endpoints = await parseEndpoints(args.endpoints, inputs.endpoints, 3)
-const apiEndpoints = await parseEndpoints(args.apiEndpoints, inputs.apiEndpoints, 4)
+const endpoints = parseEndpoints([...args.endpoints, ...inputs.endpoints], 3)
+const apiEndpoints = parseEndpoints([...args.apiEndpoints, ...inputs.apiEndpoints], 4)
 
 const newEndpoints = endpoints.length > 0 ? endpoints : cluster.endpoints
 const newApiEndpoints = apiEndpoints.length > 0 ? apiEndpoints : cluster.apiEndpoints
 
 export default outputs({
-  k8sCluster: inputs.k8sCluster.apply(k8sCluster => ({
-    ...k8sCluster,
+  k8sCluster: {
+    ...inputs.k8sCluster,
     endpoints: newEndpoints,
     apiEndpoints: newApiEndpoints,
-  })),
+  },
 
   $statusFields: {
     endpoints: endpoints.map(l3EndpointToString),

package/src/units/dns01-issuer/index.ts

@@ -1,11 +1,12 @@
 import { cert_manager } from "@highstate/cert-manager"
-import { k8s } from "@highstate/library"
-import { forUnit } from "@highstate/pulumi"
+import { common, k8s } from "@highstate/library"
+import { forUnit, makeEntityOutput } from "@highstate/pulumi"
 import { dns01SolverMediator } from "../../dns01-solver"
 import { Namespace } from "../../namespace"
+import { Secret } from "../../secret"
 import { getProviderAsync } from "../../shared"
 
-const { name, inputs, outputs } = forUnit(k8s.dns01TlsIssuer)
+const { name, args, secrets, inputs, outputs } = forUnit(k8s.dns01TlsIssuer)
 
 const provider = await getProviderAsync(inputs.k8sCluster)
 
@@ -14,6 +15,33 @@ const certManagerNs = Namespace.get("cert-manager", {
   cluster: inputs.k8sCluster,
 })
 
+let eabSecret: Secret | undefined
+
+if (args.acmeServer.type === "zerossl") {
+  if (!secrets.eabKeyId || !secrets.eabKeySecret) {
+    throw new Error("EAB key ID and secret are required for ZeroSSL ACME server")
+  }
+
+  eabSecret = Secret.create(`${name}-eab`, {
+    namespace: certManagerNs,
+    stringData: {
+      keyId: secrets.eabKeyId,
+      keySecret: secrets.eabKeySecret,
+    },
+  })
+}
+
+const getAcmeServer = () => {
+  switch (args.acmeServer.type) {
+    case "zerossl":
+      return "https://acme.zerossl.com/v2/DV90"
+    case "letsencrypt":
+      return "https://acme-v02.api.letsencrypt.org/directory"
+    case "custom":
+      return args.acmeServer.url
+  }
+}
+
 new cert_manager.v1.ClusterIssuer(
   name,
   {
@@ -22,7 +50,7 @@ new cert_manager.v1.ClusterIssuer(
     },
     spec: {
       acme: {
-        server: "https://acme-v02.api.letsencrypt.org/directory",
+        server: getAcmeServer(),
         solvers: [
           {
             dns01: dns01SolverMediator.callOutput(inputs.dnsProvider.implRef, {
@@ -34,6 +62,15 @@ new cert_manager.v1.ClusterIssuer(
         privateKeySecretRef: {
           name,
         },
+        externalAccountBinding: eabSecret
+          ? {
+              keyID: eabSecret.stringData.keyId,
+              keySecretRef: {
+                name: eabSecret.metadata.name,
+                key: "keySecret",
+              },
+            }
+          : undefined,
       },
     },
   },
@@ -41,16 +78,23 @@ new cert_manager.v1.ClusterIssuer(
 )
 
 export default outputs({
-  tlsIssuer: {
-    zones: inputs.dnsProvider.zones,
-    implRef: {
-      package: "@highstate/k8s",
-      data: {
-        clusterIssuerName: name,
-        cluster: inputs.k8sCluster,
+  tlsIssuer: makeEntityOutput({
+    entity: common.tlsIssuerEntity,
+    identity: `${name}:tls-issuer`,
+    meta: {
+      title: name,
+    },
+    value: {
+      zones: inputs.dnsProvider.zones,
+      implRef: {
+        package: "@highstate/k8s",
+        data: {
+          clusterIssuerName: name,
+          cluster: inputs.k8sCluster,
+        },
       },
     },
-  },
+  }),
 
   $statusFields: {
     zones: inputs.dnsProvider.zones,

package/src/units/existing-cluster/index.ts

@@ -7,8 +7,8 @@ import {
   parseEndpoint,
   parseEndpoints,
 } from "@highstate/common"
-import { type ImplementationReference, k8s } from "@highstate/library"
-import { forUnit, secret, toPromise } from "@highstate/pulumi"
+import { common, type ImplementationReference, k8s } from "@highstate/library"
+import { forUnit, makeEntityOutput, toPromise } from "@highstate/pulumi"
 import { AppsV1Api, KubeConfig } from "@kubernetes/client-node"
 import { core, Provider } from "@pulumi/kubernetes"
 import { createK8sTerminal, detectExternalIps } from "../../cluster"
@@ -47,7 +47,7 @@ if (args.autoDetectExternalIps) {
 }
 
 // calculate endpoints
-let endpoints = await parseEndpoints(args.endpoints, inputs.endpoints)
+let endpoints = parseEndpoints([...args.endpoints, ...inputs.endpoints])
 
 if (args.useExternalIpsAsEndpoints) {
   const ipEndpoints = externalIps.map(ip => parseEndpoint(ip))
@@ -55,7 +55,7 @@ if (args.useExternalIpsAsEndpoints) {
 }
 
 // calculate api endpoints
-let apiEndpoints = await parseEndpoints(args.apiEndpoints, inputs.endpoints, 4)
+let apiEndpoints = parseEndpoints([...args.apiEndpoints, ...inputs.endpoints], 4)
 
 if (args.useKubeconfigApiEndpoint) {
   const configEndpoint = parseEndpoint(kubeConfig.clusters[0].server.replace("https://", ""), 4)
@@ -65,17 +65,38 @@ if (args.useKubeconfigApiEndpoint) {
 const kubeSystem = core.v1.Namespace.get("kube-system", "kube-system", { provider })
 
 export default outputs({
-  k8sCluster: {
-    id: kubeSystem.metadata.uid,
-    connectionId: kubeSystem.metadata.uid,
-    name,
-    networkPolicyImplRef,
-    externalIps,
-    endpoints,
-    apiEndpoints,
-    quirks: args.quirks,
-    kubeconfig: secret(kubeconfigContent),
-  },
+  k8sCluster: makeEntityOutput({
+    entity: k8s.clusterEntity,
+    identity: kubeSystem.metadata.uid,
+    value: {
+      id: kubeSystem.metadata.uid,
+      connectionId: kubeSystem.metadata.uid,
+      name,
+      networkPolicyImplRef,
+      externalIps,
+      endpoints,
+      apiEndpoints,
+      quirks: args.quirks,
+      kubeconfig: makeEntityOutput({
+        entity: common.fileEntity,
+        identity: `${name}:kubeconfig`,
+        meta: {
+          title: "Kubeconfig",
+        },
+        value: {
+          content: {
+            type: "embedded-secret",
+            value: kubeconfigContent,
+          },
+          meta: {
+            name: "kubeconfig",
+            contentType: "text/yaml",
+            mode: 0o600,
+          },
+        },
+      }),
+    },
+  }),
 
   $terminals: [createK8sTerminal(kubeconfigContent)],
 

package/src/units/reduced-access-cluster/index.ts

@@ -1,10 +1,11 @@
 import { text, trimIndentation } from "@highstate/contract"
 import { k8s } from "@highstate/library"
-import { fileFromString, forUnit, interpolate, output, secret, toPromise } from "@highstate/pulumi"
+import { forUnit, interpolate, makeFileOutput, output, secret, toPromise } from "@highstate/pulumi"
 import { join } from "remeda"
 import { createK8sTerminal } from "../../cluster"
 import { Namespace } from "../../namespace"
 import { ClusterAccessScope } from "../../rbac"
+import { getClusterKubeconfigContent } from "../../shared"
 
 const { args, inputs, outputs } = forUnit(k8s.reducedAccessCluster)
 
@@ -34,7 +35,7 @@ const resourceLines = await toPromise(
 export default outputs({
   k8sCluster: accessScope.cluster,
 
-  $terminals: [createK8sTerminal(accessScope.cluster.kubeconfig)],
+  $terminals: [createK8sTerminal(secret(getClusterKubeconfigContent(accessScope.cluster)))],
 
   $pages: {
     index: {
@@ -58,7 +59,9 @@ export default outputs({
         },
         {
           type: "file",
-          file: fileFromString("kubeconfig", accessScope.cluster.kubeconfig, {
+          file: makeFileOutput({
+            name: "kubeconfig",
+            content: secret(getClusterKubeconfigContent(accessScope.cluster)),
             contentType: "text/yaml",
             isSecret: true,
           }),

package/src/worker.ts

@@ -4,7 +4,7 @@ import type { DeepInput, Input, InputArray, Unwrap } from "@highstate/pulumi"
 import type { Namespace } from "./namespace"
 import { type Output, output } from "@pulumi/pulumi"
 import { ClusterAccessScope } from "./rbac"
-import { images, type NamespacedResource } from "./shared"
+import { getClusterKubeconfigContent, images, type NamespacedResource } from "./shared"
 
 export async function createMonitorWorker(
   namespace: Input<Namespace>,
@@ -12,6 +12,8 @@ export async function createMonitorWorker(
 ): Promise<Output<Unwrap<UnitWorker>>> {
   const scope = new ClusterAccessScope("monitor", {
     rule: {
+      apiGroups: ["", "apps"],
+      resources: ["deployments", "statefulsets", "services", "pods"],
       verbs: ["get", "list", "watch"],
     },
 
@@ -24,7 +26,7 @@ export async function createMonitorWorker(
     image: images["worker.k8s-monitor"].image,
 
     params: {
-      kubeconfig: scope.cluster.kubeconfig,
+      kubeconfig: getClusterKubeconfigContent(scope.cluster),
       resources: output(resources).apply(resources => resources.map(r => r.entity)),
     } satisfies DeepInput<k8s.MonitorWorkerParams>,
   })