@highstate/k8s 0.19.1 → 0.21.1

package/dist/chunk-h1b79v66.js

@@ -0,0 +1,1425 @@
+// @bun
+import {
+  Service,
+  isEndpointFromCluster,
+  mapContainerPortToServicePort,
+  mapServiceToLabelSelector
+} from "./chunk-k4w9zpn5.js";
+import {
+  Namespace,
+  NamespacedResource,
+  Secret,
+  commonExtraArgs,
+  getClusterKubeconfigContent,
+  getNamespaceName,
+  getProvider,
+  getProviderAsync,
+  images_default,
+  mapMetadata,
+  mapNamespaceNameToSelector,
+  mapSelectorLikeToSelector
+} from "./chunk-facs31cb.js";
+import {
+  __require
+} from "./chunk-b05q6fm2.js";
+
+// src/config-map.ts
+import { getOrCreate } from "@highstate/contract";
+import { k8s } from "@highstate/library";
+import {
+  interpolate,
+  makeEntityOutput,
+  output,
+  toPromise
+} from "@highstate/pulumi";
+import { core } from "@pulumi/kubernetes";
+class ConfigMap extends NamespacedResource {
+  data;
+  static apiVersion = "v1";
+  static kind = "ConfigMap";
+  constructor(type, name, args, opts, metadata, namespace, data) {
+    super(type, name, args, opts, metadata, namespace);
+    this.data = data;
+  }
+  get entity() {
+    return makeEntityOutput({
+      entity: k8s.configMapEntity,
+      identity: this.metadata.uid,
+      meta: {
+        title: this.metadata.name
+      },
+      value: {
+        ...this.entityBase
+      }
+    });
+  }
+  static create(name, args, opts) {
+    return new CreatedConfigMap(name, args, opts);
+  }
+  static createOrPatch(name, args, opts) {
+    if (args.existing) {
+      return new ConfigMapPatch(name, {
+        ...args,
+        name: output(args.existing).metadata.name
+      });
+    }
+    return new CreatedConfigMap(name, args, opts);
+  }
+  static async createOrGet(name, args, opts) {
+    if (args.existing) {
+      return await ConfigMap.forAsync(args.existing, output(args.namespace).cluster);
+    }
+    return new CreatedConfigMap(name, args, opts);
+  }
+  static patch(name, args, opts) {
+    return new ConfigMapPatch(name, args, opts);
+  }
+  static wrap(name, args, opts) {
+    return new WrappedConfigMap(name, args, opts);
+  }
+  static get(name, args, opts) {
+    return new ExternalConfigMap(name, args, opts);
+  }
+  static configMapCache = new Map;
+  static for(entity, cluster) {
+    return getOrCreate(ConfigMap.configMapCache, `${entity.clusterName}.${entity.metadata.namespace}.${entity.metadata.name}.${entity.clusterId}`, (name) => {
+      return ConfigMap.get(name, {
+        name: entity.metadata.name,
+        namespace: Namespace.forResource(entity, cluster)
+      });
+    });
+  }
+  static async forAsync(entity, cluster) {
+    const resolvedEntity = await toPromise(entity);
+    return ConfigMap.for(resolvedEntity, cluster);
+  }
+}
+
+class CreatedConfigMap extends ConfigMap {
+  constructor(name, args, opts) {
+    const configMap = output(args.namespace).cluster.apply((cluster) => {
+      return new core.v1.ConfigMap(name, {
+        metadata: mapMetadata(args, name),
+        data: args.data
+      }, {
+        ...opts,
+        parent: this,
+        provider: getProvider(cluster)
+      });
+    });
+    super("highstate:k8s:ConfigMap", name, args, opts, configMap.metadata, output(args.namespace), configMap.data);
+  }
+}
+
+class ConfigMapPatch extends ConfigMap {
+  constructor(name, args, opts) {
+    const configMap = output(args.namespace).cluster.apply((cluster) => {
+      return new core.v1.ConfigMapPatch(name, {
+        metadata: mapMetadata(args, name),
+        data: args.data
+      }, {
+        ...opts,
+        parent: this,
+        provider: getProvider(cluster)
+      });
+    });
+    super("highstate:k8s:ConfigMapPatch", name, args, opts, configMap.metadata, output(args.namespace), configMap.data);
+  }
+}
+
+class WrappedConfigMap extends ConfigMap {
+  constructor(name, args, opts) {
+    super("highstate:k8s:WrappedConfigMap", name, args, opts, output(args.configMap).metadata, output(args.namespace), output(args.configMap).data);
+  }
+}
+
+class ExternalConfigMap extends ConfigMap {
+  constructor(name, args, opts) {
+    const configMap = output(args.namespace).cluster.apply((cluster) => {
+      return core.v1.ConfigMap.get(name, interpolate`${output(args.namespace).metadata.name}/${args.name}`, { ...opts, parent: this, provider: getProvider(cluster) });
+    });
+    super("highstate:k8s:ExternalConfigMap", name, args, opts, configMap.metadata, output(args.namespace), configMap.data);
+  }
+}
+
+// src/pvc.ts
+import { getOrCreate as getOrCreate2 } from "@highstate/contract";
+import { k8s as k8s2 } from "@highstate/library";
+import {
+  interpolate as interpolate2,
+  makeEntityOutput as makeEntityOutput2,
+  output as output2,
+  toPromise as toPromise2
+} from "@highstate/pulumi";
+import { core as core2 } from "@pulumi/kubernetes";
+import { deepmerge } from "deepmerge-ts";
+import { omit } from "remeda";
+var extraPersistentVolumeClaimArgs = [...commonExtraArgs, "size"];
+
+class PersistentVolumeClaim extends NamespacedResource {
+  spec;
+  status;
+  static apiVersion = "v1";
+  static kind = "PersistentVolumeClaim";
+  constructor(type, name, args, opts, metadata, namespace, spec, status) {
+    super(type, name, args, opts, metadata, namespace);
+    this.spec = spec;
+    this.status = status;
+  }
+  get entity() {
+    return makeEntityOutput2({
+      entity: k8s2.persistentVolumeClaimEntity,
+      identity: this.metadata.uid,
+      meta: {
+        title: this.metadata.name
+      },
+      value: {
+        ...this.entityBase
+      }
+    });
+  }
+  static create(name, args, opts) {
+    return new CreatedPersistentVolumeClaim(name, args, opts);
+  }
+  static createOrPatch(name, args, opts) {
+    if (args.existing) {
+      return new PersistentVolumeClaimPatch(name, {
+        ...args,
+        name: output2(args.existing).metadata.name
+      });
+    }
+    return new CreatedPersistentVolumeClaim(name, args, opts);
+  }
+  static async createOrGet(name, args, opts) {
+    if (args.existing) {
+      return await PersistentVolumeClaim.forAsync(args.existing, output2(args.namespace).cluster);
+    }
+    return new CreatedPersistentVolumeClaim(name, args, opts);
+  }
+  static patch(name, args, opts) {
+    return new PersistentVolumeClaimPatch(name, args, opts);
+  }
+  static wrap(name, args, opts) {
+    return new WrappedPersistentVolumeClaim(name, args, opts);
+  }
+  static get(name, args, opts) {
+    return new ExternalPersistentVolumeClaim(name, args, opts);
+  }
+  static pvcCache = new Map;
+  static for(entity, cluster) {
+    return getOrCreate2(PersistentVolumeClaim.pvcCache, `${entity.clusterName}.${entity.metadata.namespace}.${entity.metadata.name}.${entity.clusterId}`, (name) => {
+      return PersistentVolumeClaim.get(name, {
+        name: entity.metadata.name,
+        namespace: Namespace.forResource(entity, cluster)
+      });
+    });
+  }
+  static async forAsync(entity, cluster) {
+    const resolvedEntity = await toPromise2(entity);
+    return PersistentVolumeClaim.for(resolvedEntity, cluster);
+  }
+}
+
+class CreatedPersistentVolumeClaim extends PersistentVolumeClaim {
+  constructor(name, args, opts) {
+    const pvc = output2(args.namespace).cluster.apply((cluster) => {
+      return new core2.v1.PersistentVolumeClaim(name, {
+        metadata: mapMetadata(args, name),
+        spec: output2(args).apply((args2) => {
+          return deepmerge({
+            accessModes: ["ReadWriteOnce"],
+            resources: {
+              requests: {
+                storage: args2.size ?? "100Mi"
+              }
+            }
+          }, omit(args2, extraPersistentVolumeClaimArgs));
+        })
+      }, {
+        ...opts,
+        parent: this,
+        provider: getProvider(cluster)
+      });
+    });
+    super("highstate:k8s:PersistentVolumeClaim", name, args, opts, pvc.metadata, output2(args.namespace), pvc.spec, pvc.status);
+  }
+}
+
+class PersistentVolumeClaimPatch extends PersistentVolumeClaim {
+  constructor(name, args, opts) {
+    const pvc = output2(args.namespace).cluster.apply((cluster) => {
+      return new core2.v1.PersistentVolumeClaimPatch(name, {
+        metadata: mapMetadata(args, name),
+        spec: output2(args).apply((args2) => {
+          return deepmerge({
+            accessModes: ["ReadWriteOnce"],
+            resources: {
+              requests: {
+                storage: args2.size ?? "100Mi"
+              }
+            }
+          }, omit(args2, extraPersistentVolumeClaimArgs));
+        })
+      }, {
+        ...opts,
+        parent: this,
+        provider: getProvider(cluster)
+      });
+    });
+    super("highstate:k8s:PersistentVolumeClaimPatch", name, args, opts, pvc.metadata, output2(args.namespace), pvc.spec, pvc.status);
+  }
+}
+
+class WrappedPersistentVolumeClaim extends PersistentVolumeClaim {
+  constructor(name, args, opts) {
+    super("highstate:k8s:WrappedPersistentVolumeClaim", name, args, opts, output2(args.pvc).metadata, output2(args.namespace), output2(args.pvc).spec, output2(args.pvc).status);
+  }
+}
+
+class ExternalPersistentVolumeClaim extends PersistentVolumeClaim {
+  constructor(name, args, opts) {
+    const pvc = output2(args.namespace).cluster.apply((cluster) => {
+      return core2.v1.PersistentVolumeClaim.get(name, interpolate2`${output2(args.namespace).metadata.name}/${args.name}`, { ...opts, parent: this, provider: getProvider(cluster) });
+    });
+    super("highstate:k8s:ExternalPersistentVolumeClaim", name, args, opts, pvc.metadata, output2(args.namespace), pvc.spec, pvc.status);
+  }
+}
+function getAutoVolumeName(workloadName, index) {
+  if (index === 0) {
+    return `${workloadName}-data`;
+  }
+  return `${workloadName}-data-${index}`;
+}
+
+// src/container.ts
+import {
+  normalize,
+  output as output3
+} from "@highstate/pulumi";
+import { core as core3 } from "@pulumi/kubernetes";
+import { concat, map, omit as omit2 } from "remeda";
+var containerExtraArgs = [
+  "port",
+  "volumeMount",
+  "volume",
+  "environment",
+  "environmentSource",
+  "environmentSources"
+];
+function getFallbackContainerName(name, index) {
+  if (index === 0) {
+    return name;
+  }
+  return `${name}-${index}`;
+}
+function mapContainerToRaw(container, cluster, fallbackName) {
+  const containerName = container.name ?? fallbackName;
+  const spec = {
+    ...omit2(container, containerExtraArgs),
+    name: containerName,
+    ports: normalize(container.port, container.ports),
+    volumeMounts: map(normalize(container.volumeMount, container.volumeMounts), mapVolumeMount),
+    env: concat(container.environment ? mapContainerEnvironment(container.environment) : [], container.env ?? []),
+    envFrom: concat(map(normalize(container.environmentSource, container.environmentSources), mapEnvironmentSource), container.envFrom ?? [])
+  };
+  if (container.enableTun) {
+    spec.securityContext ??= {};
+    spec.securityContext.capabilities ??= {};
+    spec.securityContext.capabilities.add = ["NET_ADMIN"];
+    if (cluster.quirks?.tunDevicePolicy?.type === "plugin") {
+      spec.resources ??= {};
+      spec.resources.limits ??= {};
+      spec.resources.limits[cluster.quirks.tunDevicePolicy.resourceName] = cluster.quirks.tunDevicePolicy.resourceValue;
+    } else {
+      spec.volumeMounts ??= [];
+      spec.volumeMounts.push({
+        name: "tun-device",
+        mountPath: "/dev/net/tun",
+        readOnly: false
+      });
+    }
+  }
+  return spec;
+}
+function mapContainerEnvironment(environment) {
+  const envVars = [];
+  for (const [name, value] of Object.entries(environment)) {
+    if (!value) {
+      continue;
+    }
+    if (typeof value === "string") {
+      envVars.push({ name, value });
+      continue;
+    }
+    if ("secret" in value) {
+      envVars.push({
+        name,
+        valueFrom: {
+          secretKeyRef: {
+            name: value.secret.metadata.name,
+            key: value.key
+          }
+        }
+      });
+      continue;
+    }
+    if ("configMap" in value) {
+      envVars.push({
+        name,
+        valueFrom: {
+          configMapKeyRef: {
+            name: value.configMap.metadata.name,
+            key: value.key
+          }
+        }
+      });
+      continue;
+    }
+    envVars.push({ name, valueFrom: value });
+  }
+  return envVars;
+}
+function mapVolumeMount(volumeMount) {
+  if ("volume" in volumeMount) {
+    return omit2({
+      ...volumeMount,
+      name: output3(volumeMount.volume).apply(mapWorkloadVolume).apply((volume) => output3(volume.name))
+    }, ["volume"]);
+  }
+  return {
+    ...volumeMount,
+    name: volumeMount.name
+  };
+}
+function mapEnvironmentSource(envFrom) {
+  if (envFrom instanceof core3.v1.ConfigMap || envFrom instanceof ConfigMap) {
+    return {
+      configMapRef: {
+        name: envFrom.metadata.name
+      }
+    };
+  }
+  if (envFrom instanceof core3.v1.Secret || envFrom instanceof Secret) {
+    return {
+      secretRef: {
+        name: envFrom.metadata.name
+      }
+    };
+  }
+  return envFrom;
+}
+function mapWorkloadVolume(volume) {
+  if (volume instanceof PersistentVolumeClaim) {
+    return {
+      name: volume.metadata.name,
+      persistentVolumeClaim: {
+        claimName: volume.metadata.name
+      }
+    };
+  }
+  if (volume instanceof Secret) {
+    return {
+      name: volume.metadata.name,
+      secret: {
+        secretName: volume.metadata.name
+      }
+    };
+  }
+  if (volume instanceof ConfigMap) {
+    return {
+      name: volume.metadata.name,
+      configMap: {
+        name: volume.metadata.name
+      }
+    };
+  }
+  if (core3.v1.PersistentVolumeClaim.isInstance(volume)) {
+    return {
+      name: volume.metadata.name,
+      persistentVolumeClaim: {
+        claimName: volume.metadata.name
+      }
+    };
+  }
+  if (core3.v1.ConfigMap.isInstance(volume)) {
+    return {
+      name: volume.metadata.name,
+      configMap: {
+        name: volume.metadata.name
+      }
+    };
+  }
+  if (core3.v1.Secret.isInstance(volume)) {
+    return {
+      name: volume.metadata.name,
+      secret: {
+        secretName: volume.metadata.name
+      }
+    };
+  }
+  return volume;
+}
+function getWorkloadVolumeResourceUuid(volume) {
+  if (volume instanceof PersistentVolumeClaim) {
+    return volume.metadata.uid;
+  }
+  if (volume instanceof Secret) {
+    return volume.metadata.uid;
+  }
+  if (volume instanceof ConfigMap) {
+    return volume.metadata.uid;
+  }
+  if (core3.v1.PersistentVolumeClaim.isInstance(volume)) {
+    return volume.metadata.uid;
+  }
+  if (core3.v1.ConfigMap.isInstance(volume)) {
+    return volume.metadata.uid;
+  }
+  if (core3.v1.Secret.isInstance(volume)) {
+    return volume.metadata.uid;
+  }
+  return output3(undefined);
+}
+
+// src/network.ts
+function getBestEndpoint(endpoints, cluster) {
+  if (!endpoints.length) {
+    return;
+  }
+  if (endpoints.length === 1) {
+    return endpoints[0];
+  }
+  if (cluster) {
+    const clusterEndpoint = endpoints.find((endpoint) => isEndpointFromCluster(endpoint, cluster) && endpoint.metadata["k8s.service"].isInternal);
+    if (clusterEndpoint) {
+      return clusterEndpoint;
+    }
+  }
+  const publicEndpoint = endpoints.find((endpoint) => endpoint.metadata["iana.scope"] === "global");
+  if (publicEndpoint) {
+    return publicEndpoint;
+  }
+  return endpoints[0];
+}
+function requireBestEndpoint(endpoints, cluster) {
+  const endpoint = getBestEndpoint(endpoints, cluster);
+  if (!endpoint) {
+    throw new Error(`No best endpoint found for cluster "${cluster.name}" (${cluster.id})`);
+  }
+  return endpoint;
+}
+
+// src/network-policy.ts
+import {
+  addressToCidr,
+  endpointToString,
+  ImplementationMediator,
+  l3EndpointToCidr,
+  parseEndpoint
+} from "@highstate/common";
+import { z } from "@highstate/contract";
+import {
+  ComponentResource,
+  interpolate as interpolate3,
+  normalize as normalize2,
+  output as output4,
+  toPromise as toPromise3
+} from "@highstate/pulumi";
+import { networking } from "@pulumi/kubernetes";
+import { flat, groupBy, isNonNullish, merge, mergeDeep, uniqueBy } from "remeda";
+var networkPolicyMediator = new ImplementationMediator("network-policy", z.object({ name: z.string(), args: z.custom() }), z.instanceof(ComponentResource));
+
+class NetworkPolicy extends ComponentResource {
+  networkPolicy;
+  constructor(name, args, opts) {
+    super("k8s:network-policy", name, args, opts);
+    const normalizedArgs = output4(args).apply(async (args2) => {
+      const ingressRules = normalize2(args2.ingressRule, args2.ingressRules);
+      const egressRules = normalize2(args2.egressRule, args2.egressRules);
+      const cluster = await toPromise3(args2.namespace.cluster);
+      const extraEgressRules = [];
+      if (args2.allowKubeDns) {
+        extraEgressRules.push({
+          namespaces: ["kube-system"],
+          namespaceSelectors: [],
+          selectors: [{ matchLabels: { "k8s-app": "kube-dns" } }],
+          ports: [{ port: 53, protocol: "UDP" }],
+          all: false,
+          clusterPods: false,
+          cidrs: [],
+          fqdns: [],
+          services: []
+        });
+      }
+      return {
+        ...args2,
+        podSelector: args2.selector ? mapSelectorLikeToSelector(args2.selector) : {},
+        cluster,
+        isolateEgress: args2.isolateEgress ?? false,
+        isolateIngress: args2.isolateIngress ?? false,
+        allowKubeApiServer: args2.allowKubeApiServer ?? false,
+        ingressRules: ingressRules.flatMap((rule) => {
+          const endpoints = normalize2(rule?.fromEndpoint, rule?.fromEndpoints);
+          const parsedEndpoints = endpoints.map((endpoint) => parseEndpoint(endpoint));
+          const endpointsNamespaces = groupBy(parsedEndpoints, (endpoint) => {
+            const namespace = isEndpointFromCluster(endpoint, cluster) ? endpoint.metadata["k8s.service"].namespace : "";
+            return namespace;
+          });
+          const l3OnlyRule = endpointsNamespaces[""] ? NetworkPolicy.getRuleFromEndpoint(undefined, endpointsNamespaces[""], cluster) : undefined;
+          const otherRules = Object.entries(endpointsNamespaces).filter(([key]) => key !== "").map(([, endpoints2]) => {
+            return NetworkPolicy.getRuleFromEndpoint(undefined, endpoints2, cluster);
+          });
+          return [
+            {
+              all: rule.fromAll ?? false,
+              clusterPods: rule.fromClusterPods ?? false,
+              cidrs: normalize2(rule.fromCidr, rule.fromCidrs).concat(l3OnlyRule?.cidrs ?? []),
+              fqdns: [],
+              services: normalize2(rule.fromService, rule.fromServices),
+              namespaces: normalize2(rule.fromNamespace, rule.fromNamespaces),
+              namespaceSelectors: normalize2(rule.fromNamespaceSelector, rule.fromNamespaceSelectors),
+              selectors: normalize2(rule.fromSelector, rule.fromSelectors),
+              ports: normalize2(rule.toPort, rule.toPorts)
+            },
+            ...otherRules
+          ].filter((rule2) => !NetworkPolicy.isEmptyRule(rule2));
+        }),
+        egressRules: egressRules.flatMap((rule) => {
+          const endpoints = normalize2(rule?.toEndpoint, rule?.toEndpoints);
+          const parsedEndpoints = endpoints.map((endpoint) => parseEndpoint(endpoint));
+          const endpointsByPortsAnsNamespaces = groupBy(parsedEndpoints, (endpoint) => {
+            const namespace = isEndpointFromCluster(endpoint, cluster) ? endpoint.metadata["k8s.service"].namespace : "";
+            const port = isEndpointFromCluster(endpoint, cluster) ? endpoint.metadata["k8s.service"].targetPort : endpoint.level !== 3 ? endpoint.port : undefined;
+            return `${port ?? "0"}:${namespace}`;
+          });
+          const l3OnlyRule = endpointsByPortsAnsNamespaces["0:"] ? NetworkPolicy.getRuleFromEndpoint(undefined, endpointsByPortsAnsNamespaces["0:"], cluster) : undefined;
+          const otherRules = Object.entries(endpointsByPortsAnsNamespaces).filter(([key]) => key !== "0:").map(([key, endpoints2]) => {
+            const [port] = key.split(":");
+            const portNumber = parseInt(port, 10);
+            const portValue = Number.isNaN(portNumber) ? port : portNumber;
+            return NetworkPolicy.getRuleFromEndpoint(portValue, endpoints2, cluster);
+          });
+          return [
+            {
+              all: rule.toAll ?? false,
+              clusterPods: rule.toClusterPods ?? false,
+              cidrs: normalize2(rule.toCidr, rule.toCidrs).concat(l3OnlyRule?.cidrs ?? []),
+              fqdns: normalize2(rule.toFqdn, rule.toFqdns).concat(l3OnlyRule?.fqdns ?? []),
+              services: normalize2(rule.toService, rule.toServices),
+              namespaces: normalize2(rule.toNamespace, rule.toNamespaces),
+              namespaceSelectors: normalize2(rule.toNamespaceSelector, rule.toNamespaceSelectors),
+              selectors: normalize2(rule.toSelector, rule.toSelectors),
+              ports: normalize2(rule.toPort, rule.toPorts)
+            },
+            ...otherRules
+          ].filter((rule2) => !NetworkPolicy.isEmptyRule(rule2));
+        }).concat(extraEgressRules)
+      };
+    });
+    this.networkPolicy = output4(normalizedArgs.apply(async (args2) => {
+      const cluster = args2.cluster;
+      if (cluster.networkPolicyImplRef) {
+        return networkPolicyMediator.call(cluster.networkPolicyImplRef, {
+          name,
+          args: args2
+        });
+      }
+      const nativePolicy = new NativeNetworkPolicy(name, args2, {
+        ...opts,
+        parent: this,
+        provider: await getProviderAsync(output4(args2.namespace).cluster)
+      });
+      return nativePolicy.networkPolicy;
+    }));
+  }
+  static getRuleFromEndpoint(port, endpoints, cluster) {
+    const ports = port ? [
+      {
+        port,
+        protocol: endpoints[0].level !== 3 ? endpoints[0].protocol?.toUpperCase() : undefined
+      }
+    ] : [];
+    const cidrs = endpoints.filter((endpoint) => !isEndpointFromCluster(endpoint, cluster)).map((endpoint) => endpoint.address ? addressToCidr(endpoint.address) : null).filter(isNonNullish);
+    const fqdns = endpoints.filter((endpoint) => endpoint.type === "hostname").map((endpoint) => endpoint.hostname);
+    const selectors = endpoints.filter((endpoint) => isEndpointFromCluster(endpoint, cluster)).map((endpoint) => endpoint.metadata["k8s.service"].selector);
+    const namespace = endpoints.filter((endpoint) => isEndpointFromCluster(endpoint, cluster)).map((endpoint) => endpoint.metadata["k8s.service"].namespace)[0];
+    return {
+      all: false,
+      clusterPods: false,
+      cidrs,
+      fqdns,
+      services: [],
+      namespaces: namespace ? [namespace] : [],
+      namespaceSelectors: [],
+      selectors,
+      ports
+    };
+  }
+  static isEmptyRule(rule) {
+    return !rule.all && !rule.clusterPods && rule.cidrs.length === 0 && rule.fqdns.length === 0 && rule.services.length === 0 && rule.namespaces.length === 0 && rule.namespaceSelectors.length === 0 && rule.selectors.length === 0 && rule.ports.length === 0;
+  }
+  static async isolateNamespace(namespace, opts) {
+    const name = await toPromise3(output4(namespace).metadata.name);
+    const cluster = await toPromise3(output4(namespace).cluster);
+    return new NetworkPolicy(`isolate-namespace.${cluster.name}.${name}.${cluster.id}`, {
+      namespace,
+      description: "By default, deny all traffic to/from the namespace.",
+      isolateEgress: true,
+      isolateIngress: true
+    }, opts);
+  }
+  static async allowInsideNamespace(namespace, opts) {
+    const nsName = await toPromise3(output4(namespace).metadata.name);
+    const cluster = await toPromise3(output4(namespace).cluster);
+    return new NetworkPolicy(`allow-inside-namespace.${cluster.name}.${nsName}.${cluster.id}`, {
+      namespace,
+      description: "Allow all traffic inside the namespace.",
+      ingressRule: { fromNamespace: namespace },
+      egressRule: { toNamespace: namespace }
+    }, opts);
+  }
+  static async allowKubeApiServer(namespace, opts) {
+    const nsName = await toPromise3(output4(namespace).metadata.name);
+    const cluster = await toPromise3(output4(namespace).cluster);
+    return new NetworkPolicy(`allow-kube-api-server.${cluster.name}.${nsName}.${cluster.id}`, {
+      namespace,
+      description: "Allow all traffic to the Kubernetes API server from the namespace.",
+      allowKubeApiServer: true
+    }, opts);
+  }
+  static async allowKubeDns(namespace, opts) {
+    const nsName = await toPromise3(output4(namespace).metadata.name);
+    const cluster = await toPromise3(output4(namespace).cluster);
+    return new NetworkPolicy(`allow-kube-dns.${cluster.name}.${nsName}.${cluster.id}`, {
+      namespace,
+      description: "Allow all traffic to the Kubernetes DNS server from the namespace.",
+      allowKubeDns: true
+    }, opts);
+  }
+  static async allowAllEgress(namespace, opts) {
+    const nsName = await toPromise3(output4(namespace).metadata.name);
+    const cluster = await toPromise3(output4(namespace).cluster);
+    return new NetworkPolicy(`allow-all-egress.${cluster.name}.${nsName}.${cluster.id}`, {
+      namespace,
+      description: "Allow all egress traffic from the namespace.",
+      egressRule: { toAll: true }
+    }, opts);
+  }
+  static async allowAllIngress(namespace, opts) {
+    const nsName = await toPromise3(output4(namespace).metadata.name);
+    const cluster = await toPromise3(output4(namespace).cluster);
+    return new NetworkPolicy(`allow-all-ingress.${cluster.name}.${nsName}.${cluster.id}`, {
+      namespace,
+      description: "Allow all ingress traffic to the namespace.",
+      ingressRule: { fromAll: true }
+    }, opts);
+  }
+  static async allowEgressToEndpoint(namespace, endpoint, opts) {
+    const parsedEndpoint = parseEndpoint(endpoint);
+    const endpointStr = endpointToString(parsedEndpoint).replace(/:/g, "-");
+    const nsName = await toPromise3(output4(namespace).metadata.name);
+    const cluster = await toPromise3(output4(namespace).cluster);
+    return new NetworkPolicy(`allow-egress-to-${endpointStr}.${cluster.name}.${nsName}.${cluster.id}`, {
+      namespace,
+      description: `Allow egress traffic to "${endpointToString(parsedEndpoint)}" from the namespace.`,
+      egressRule: { toEndpoint: endpoint }
+    }, opts);
+  }
+  static async allowEgressToBestEndpoint(namespace, endpoints, opts) {
+    const cluster = await toPromise3(output4(namespace).cluster);
+    const resolvedEndpoints = await toPromise3(output4(endpoints));
+    const bestEndpoint = requireBestEndpoint(resolvedEndpoints.map((endpoint) => parseEndpoint(endpoint)), cluster);
+    return await NetworkPolicy.allowEgressToEndpoint(namespace, bestEndpoint, opts);
+  }
+  static async allowIngressFromEndpoint(namespace, endpoint, opts) {
+    const parsedEndpoint = parseEndpoint(endpoint);
+    const endpointStr = endpointToString(parsedEndpoint).replace(/:/g, "-");
+    const nsName = await toPromise3(output4(namespace).metadata.name);
+    const cluster = await toPromise3(output4(namespace).cluster);
+    return new NetworkPolicy(`allow-ingress-from-${endpointStr}.${cluster.name}.${nsName}.${cluster.id}`, {
+      namespace,
+      description: interpolate3`Allow ingress traffic from "${endpointToString(parsedEndpoint)}" to the namespace.`,
+      ingressRule: { fromEndpoint: endpoint }
+    }, opts);
+  }
+}
+
+class NativeNetworkPolicy extends ComponentResource {
+  networkPolicy;
+  constructor(name, args, opts) {
+    super("k8s:native-network-policy", name, args, opts);
+    const ingress = NativeNetworkPolicy.createIngressRules(args);
+    const egress = NativeNetworkPolicy.createEgressRules(args);
+    const policyTypes = [];
+    if (ingress.length > 0 || args.isolateIngress) {
+      policyTypes.push("Ingress");
+    }
+    if (egress.length > 0 || args.isolateEgress) {
+      policyTypes.push("Egress");
+    }
+    this.networkPolicy = new networking.v1.NetworkPolicy(name, {
+      metadata: mergeDeep(mapMetadata(args, name), {
+        annotations: args.description ? { "kubernetes.io/description": args.description } : undefined
+      }),
+      spec: {
+        podSelector: args.podSelector,
+        ingress,
+        egress,
+        policyTypes
+      }
+    }, { ...opts, parent: this });
+  }
+  static fallbackIpBlock = {
+    cidr: "0.0.0.0/0",
+    except: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+  };
+  static fallbackDnsRule = {
+    to: [
+      {
+        namespaceSelector: { matchLabels: { "kubernetes.io/metadata.name": "kube-system" } },
+        podSelector: { matchLabels: { "k8s-app": "kube-dns" } }
+      }
+    ],
+    ports: [{ port: 53, protocol: "UDP" }]
+  };
+  static createIngressRules(args) {
+    return uniqueBy(args.ingressRules.map((rule) => ({
+      from: rule.all ? [] : rule.clusterPods ? [{ namespaceSelector: {} }] : NativeNetworkPolicy.createRulePeers(rule),
+      ports: NativeNetworkPolicy.mapPorts(rule.ports)
+    })), (rule) => JSON.stringify(rule));
+  }
+  static createEgressRules(args) {
+    const extraRules = [];
+    const needKubeDns = args.egressRules.some((rule) => rule.fqdns.length > 0);
+    if (needKubeDns) {
+      extraRules.push(NativeNetworkPolicy.fallbackDnsRule);
+    }
+    const needFallback = args.egressRules.some((rule) => rule.fqdns.some((fqdn) => !fqdn.endsWith(".cluster.local")));
+    if (needFallback) {
+      extraRules.push({ to: [{ ipBlock: NativeNetworkPolicy.fallbackIpBlock }] });
+    }
+    if (args.allowKubeApiServer) {
+      const { quirks, apiEndpoints } = args.cluster;
+      if (quirks?.fallbackKubeApiAccess) {
+        extraRules.push({
+          to: [{ ipBlock: { cidr: `${quirks?.fallbackKubeApiAccess.serverIp}/32` } }],
+          ports: [{ port: quirks?.fallbackKubeApiAccess.serverPort, protocol: "TCP" }]
+        });
+      } else {
+        const rules = apiEndpoints.filter((endpoint) => endpoint.type !== "hostname").map((endpoint) => ({
+          to: [{ ipBlock: { cidr: l3EndpointToCidr(endpoint) } }],
+          ports: [{ port: endpoint.port, protocol: "TCP" }]
+        }));
+        extraRules.push(...rules);
+      }
+    }
+    return uniqueBy(args.egressRules.map((rule) => {
+      return {
+        to: rule.all ? [] : rule.clusterPods ? [{ namespaceSelector: {} }] : NativeNetworkPolicy.createRulePeers(rule),
+        ports: NativeNetworkPolicy.mapPorts(rule.ports)
+      };
+    }).filter((rule) => rule.to !== undefined).concat(extraRules), (rule) => JSON.stringify(rule));
+  }
+  static createRulePeers(args) {
+    const peers = uniqueBy([
+      ...NativeNetworkPolicy.createCidrPeers(args),
+      ...NativeNetworkPolicy.createServicePeers(args),
+      ...NativeNetworkPolicy.createSelectorPeers(args)
+    ], (peer) => JSON.stringify(peer));
+    return peers.length > 0 ? peers : undefined;
+  }
+  static createCidrPeers(args) {
+    return args.cidrs.map((cidr) => ({ ipBlock: { cidr } }));
+  }
+  static createServicePeers(args) {
+    return args.services.map((service) => {
+      const selector = mapServiceToLabelSelector(service);
+      return {
+        namespaceSelector: mapNamespaceNameToSelector(service.metadata.namespace),
+        podSelector: selector
+      };
+    });
+  }
+  static createSelectorPeers(args) {
+    const selectorPeers = args.selectors.map((selector) => ({
+      podSelector: mapSelectorLikeToSelector(selector)
+    }));
+    const namespacePeers = [
+      ...args.namespaces.map(NativeNetworkPolicy.createNamespacePeer),
+      ...args.namespaceSelectors.map(NativeNetworkPolicy.createNamespaceSelectorPeer)
+    ];
+    if (namespacePeers.length === 0) {
+      return selectorPeers;
+    }
+    if (selectorPeers.length === 0) {
+      return namespacePeers;
+    }
+    return flat(selectorPeers.map((selectorPeer) => {
+      return namespacePeers.map((namespacePeer) => merge(selectorPeer, namespacePeer));
+    }));
+  }
+  static createNamespacePeer(namespace) {
+    const namespaceName = getNamespaceName(namespace);
+    const namespaceSelector = mapNamespaceNameToSelector(namespaceName);
+    return { namespaceSelector };
+  }
+  static createNamespaceSelectorPeer(selector) {
+    return {
+      namespaceSelector: mapSelectorLikeToSelector(selector)
+    };
+  }
+  static mapPorts(ports) {
+    return ports.map((port) => {
+      if ("port" in port) {
+        return {
+          port: port.port,
+          protocol: port.protocol ?? "TCP"
+        };
+      }
+      return {
+        port: port.range[0],
+        endPort: port.range[1],
+        protocol: port.protocol ?? "TCP"
+      };
+    });
+  }
+}
+
+// src/pod.ts
+var podSpecDefaults = {
+  automountServiceAccountToken: false
+};
+
+// src/workload.ts
+import {
+  AccessPointRoute,
+  mergeEndpoints
+} from "@highstate/common";
+import { trimIndentation } from "@highstate/contract";
+import {
+  makeFileOutput,
+  normalize as normalize3,
+  normalizeInputs,
+  toPromise as toPromise4
+} from "@highstate/pulumi";
+import {
+  interpolate as interpolate4,
+  output as output5
+} from "@pulumi/pulumi";
+import { sha256 } from "crypto-hash";
+import { deepmerge as deepmerge2 } from "deepmerge-ts";
+import { filter, flat as flat2, isNonNullish as isNonNullish2, omit as omit3, unique, uniqueBy as uniqueBy2 } from "remeda";
+var workloadExtraArgs = [...commonExtraArgs, "container", "containers"];
+function filterPatchOwnedContainersInTemplate(template, ownedTemplate) {
+  const ownedContainerNames = unique((ownedTemplate.spec?.containers ?? []).map((container) => container.name).filter(isNonNullish2));
+  const ownedInitContainerNames = unique((ownedTemplate.spec?.initContainers ?? []).map((container) => container.name).filter(isNonNullish2));
+  const filterByOwnedNames = (source, ownedNames) => {
+    if (!source || source.length === 0 || ownedNames.length === 0) {
+      return;
+    }
+    const filtered = source.filter((container) => container.name ? ownedNames.includes(container.name) : false);
+    return filtered.length > 0 ? filtered : undefined;
+  };
+  const containers = filterByOwnedNames(template.spec?.containers, ownedContainerNames);
+  const initContainers = filterByOwnedNames(template.spec?.initContainers, ownedInitContainerNames);
+  const {
+    containers: _containers,
+    initContainers: _initContainers,
+    ...restSpec
+  } = template.spec ?? {};
+  const spec = {
+    ...restSpec,
+    ...containers ? { containers } : {},
+    ...initContainers ? { initContainers } : {}
+  };
+  return {
+    ...template,
+    spec
+  };
+}
+var workloadServiceExtraArgs = [
+  ...workloadExtraArgs,
+  "service",
+  "route",
+  "routes"
+];
+var genericWorkloadExtraArgs = [
+  "defaultType",
+  "existing",
+  "deployment",
+  "statefulSet",
+  "job",
+  "cronJob"
+];
+function getWorkloadComponents(name, args, parent, opts, isForPatch) {
+  const labels = isForPatch ? undefined : { "app.kubernetes.io/name": name };
+  const containers = output5(args).apply((args2) => normalize3(args2.container, args2.containers));
+  const initContainers = output5(args).apply((args2) => normalize3(args2.initContainer, args2.initContainers));
+  const rawVolumes = output5({ containers, initContainers }).apply(({ containers: containers2, initContainers: initContainers2 }) => {
+    const containerVolumes = [...containers2, ...initContainers2].flatMap((container) => normalize3(container.volume, container.volumes));
+    const containerVolumeMounts = containers2.flatMap((container) => {
+      return normalize3(container.volumeMount, container.volumeMounts).map((volumeMount) => {
+        return "volume" in volumeMount ? volumeMount.volume : undefined;
+      }).filter(Boolean);
+    });
+    return output5([...containerVolumes, ...containerVolumeMounts]);
+  });
+  const volumes = rawVolumes.apply((rawVolumes2) => {
+    return output5(rawVolumes2.map(mapWorkloadVolume)).apply(uniqueBy2((volume) => volume.name));
+  });
+  const podSpec = output5({
+    cluster: output5(args.namespace).cluster,
+    containers,
+    initContainers,
+    volumes
+  }).apply(({ cluster, containers: containers2, initContainers: initContainers2, volumes: volumes2 }) => {
+    const spec = {
+      volumes: volumes2,
+      containers: containers2.map((container, index) => mapContainerToRaw(container, cluster, getFallbackContainerName(name, index))),
+      initContainers: initContainers2.map((container, index) => mapContainerToRaw(container, cluster, getFallbackContainerName(`init-${name}`, index))),
+      ...podSpecDefaults
+    };
+    if (containers2.some((container) => container.enableTun) && cluster.quirks?.tunDevicePolicy?.type !== "plugin") {
+      spec.volumes = output5(spec.volumes).apply((volumes3) => [
+        ...volumes3 ?? [],
+        {
+          name: "tun-device",
+          hostPath: {
+            path: "/dev/net/tun"
+          }
+        }
+      ]);
+    }
+    return spec;
+  });
+  const dependencyHash = rawVolumes.apply((rawVolumes2) => {
+    return output5(rawVolumes2.map(getWorkloadVolumeResourceUuid)).apply(filter(isNonNullish2)).apply(unique()).apply((ids) => sha256(ids.join(",")));
+  });
+  const podTemplate = output5({ podSpec, dependencyHash }).apply(({ podSpec: podSpec2, dependencyHash: dependencyHash2 }) => {
+    return {
+      metadata: {
+        labels,
+        annotations: {
+          [`highstate.io/dependency-hash-${dependencyHash2.slice(32)}`]: "1"
+        }
+      },
+      spec: podSpec2
+    };
+  });
+  const networkPolicy = output5({ containers }).apply(({ containers: containers2 }) => {
+    if (isForPatch) {
+      return output5(undefined);
+    }
+    const allowedEndpoints = containers2.flatMap((container) => container.allowedEndpoints ?? []);
+    if (allowedEndpoints.length === 0 && !args.networkPolicy) {
+      return output5(undefined);
+    }
+    return output5(new NetworkPolicy(name, {
+      namespace: args.namespace,
+      selector: labels,
+      description: `Network policy for "${name}"`,
+      ...args.networkPolicy,
+      egressRules: output5(args.networkPolicy?.egressRules).apply((egressRules) => [
+        ...egressRules ?? [],
+        ...allowedEndpoints.length > 0 ? [{ toEndpoints: allowedEndpoints }] : []
+      ])
+    }, { ...opts, parent: parent() }));
+  });
+  return { labels, containers, volumes, podSpec, podTemplate, networkPolicy };
+}
+function getWorkloadServiceComponents(name, args, parent, opts, isForPatch) {
+  const { labels, containers, volumes, podSpec, podTemplate, networkPolicy } = getWorkloadComponents(name, args, parent, opts, isForPatch);
+  const service = output5({
+    existing: args.existing,
+    serviceArgs: args.service,
+    containers
+  }).apply(({ existing, serviceArgs, containers: containers2 }) => {
+    if (!args.service && !args.route && !args.routes) {
+      return;
+    }
+    if (existing?.service) {
+      return Service.for(existing.service, output5(args.namespace).cluster);
+    }
+    if (existing) {
+      return;
+    }
+    const ports = containers2.flatMap((container) => normalize3(container.port, container.ports));
+    return Service.create(name, {
+      ...serviceArgs,
+      selector: labels,
+      namespace: args.namespace,
+      ports: !serviceArgs?.port && !serviceArgs?.ports ? ports.map(mapContainerPortToServicePort) : serviceArgs?.ports
+    });
+  });
+  const routes = output5({
+    routesArgs: normalizeInputs(args.route, args.routes),
+    service,
+    namespace: output5(args.namespace)
+  }).apply(async ({ routesArgs, service: service2, namespace }) => {
+    if (!routesArgs.length || !service2) {
+      return [];
+    }
+    if (args.existing) {
+      return [];
+    }
+    const serviceEndpoints = await toPromise4(service2.endpoints);
+    const servicePorts = await toPromise4(service2.spec.ports);
+    const resolveServiceEndpoints = async (servicePort, routeName) => {
+      if (serviceEndpoints.length === 0) {
+        throw new Error(`No endpoints found for workload service in route "${routeName}"`);
+      }
+      let resolvedServicePort;
+      if (servicePort != null) {
+        const requestedServicePort = await toPromise4(servicePort);
+        if (typeof requestedServicePort === "string") {
+          const namedPort = servicePorts?.find((port) => port.name === requestedServicePort);
+          if (!namedPort) {
+            throw new Error(`Named port "${requestedServicePort}" not found for workload service in route "${routeName}"`);
+          }
+          resolvedServicePort = namedPort.port;
+        } else {
+          resolvedServicePort = requestedServicePort;
+        }
+      } else {
+        resolvedServicePort = serviceEndpoints[0]?.port;
+      }
+      if (resolvedServicePort == null) {
+        throw new Error(`Unable to resolve service port for workload service in route "${routeName}"`);
+      }
+      const filteredEndpoints = serviceEndpoints.filter((endpoint) => endpoint.port === resolvedServicePort);
+      if (filteredEndpoints.length === 0) {
+        throw new Error(`No endpoints with port ${resolvedServicePort} found for workload service in route "${routeName}"`);
+      }
+      return filteredEndpoints;
+    };
+    return await Promise.all(routesArgs.map(async (routeArgs, index) => {
+      const routeName = `${name}.${index}`;
+      const routeRules = await toPromise4(routeArgs.rules);
+      const routeRuleValues = Object.values(routeRules ?? {});
+      const needsDefaultBackend = routeRuleValues.length === 0 || routeRuleValues.some((rule) => rule.servicePort == null);
+      const defaultServiceEndpoints = needsDefaultBackend ? await resolveServiceEndpoints(routeArgs.servicePort, routeName) : undefined;
+      const resolvedRules = routeRules ? await Promise.all(Object.entries(routeRules).map(async ([ruleName, rule]) => {
+        const ruleServiceEndpoints = await resolveServiceEndpoints(rule.servicePort ?? routeArgs.servicePort, `${routeName}:${ruleName}`);
+        return [
+          ruleName,
+          {
+            ...omit3(rule, ["servicePort"]),
+            backend: {
+              endpoints: ruleServiceEndpoints
+            }
+          }
+        ];
+      })) : undefined;
+      const resolvedRulesInput = resolvedRules ? Object.fromEntries(resolvedRules) : undefined;
+      return new AccessPointRoute(routeName, {
+        ...omit3(routeArgs, ["servicePort", "rules"]),
+        ...defaultServiceEndpoints ? {
+          backend: {
+            endpoints: defaultServiceEndpoints
+          }
+        } : {},
+        rules: resolvedRulesInput,
+        metadata: {
+          ...routeArgs.metadata ?? {},
+          "k8s.namespace": namespace
+        }
+      });
+    }));
+  });
+  return { labels, containers, volumes, podSpec, podTemplate, networkPolicy, service, routes };
+}
+
+class Workload extends NamespacedResource {
+  name;
+  terminalArgs;
+  containers;
+  podTemplate;
+  networkPolicy;
+  _service;
+  routes;
+  constructor(type, name, args, opts, metadata, namespace, terminalArgs, containers, podTemplate, networkPolicy, _service = output5(undefined), routes = output5([])) {
+    super(type, name, args, opts, metadata, namespace);
+    this.name = name;
+    this.terminalArgs = terminalArgs;
+    this.containers = containers;
+    this.podTemplate = podTemplate;
+    this.networkPolicy = networkPolicy;
+    this._service = _service;
+    this.routes = routes;
+  }
+  set terminal(_value) {}
+  set logsTerminal(_value) {}
+  set terminals(_value) {}
+  set optionalService(_value) {}
+  set service(_value) {}
+  set selector(_value) {}
+  get optionalService() {
+    return this._service;
+  }
+  get service() {
+    return this._service.apply((service) => {
+      if (!service) {
+        throw new Error(`The service of the workload "${this.name}" is not available.`);
+      }
+      return service;
+    });
+  }
+  get endpoints() {
+    return this.routes.apply((routes) => output5(routes.map((route) => route.route.endpoints)).apply((endpoints) => flat2(endpoints)).apply(mergeEndpoints));
+  }
+  get selector() {
+    return this.podTemplate.apply((template) => ({
+      matchLabels: template.metadata?.labels
+    }));
+  }
+  get terminal() {
+    const containerName = this.podTemplate.spec.containers.apply((containers) => containers[0].name);
+    const shell = this.terminalArgs.apply((args) => args.shell ?? "bash");
+    const podLabelSelector = this.templateMetadata.apply((meta) => meta.labels ?? {}).apply((labels) => Object.entries(labels).map(([key, value]) => `${key}=${value}`).join(","));
+    return output5({
+      name: this.metadata.name,
+      meta: this.getTerminalMeta(),
+      spec: {
+        image: images_default["terminal-kubectl"].image,
+        command: ["bash", "/welcome.sh"],
+        files: {
+          "/kubeconfig": makeFileOutput({
+            name: "kubeconfig",
+            content: getClusterKubeconfigContent(this.cluster),
+            isSecret: true
+          }),
+          "/welcome.sh": makeFileOutput({
+            name: "welcome.sh",
+            content: interpolate4`
+              #!/bin/bash
+              set -euo pipefail
+
+              NAMESPACE="${this.metadata.namespace}"
+              RESOURCE_TYPE="${this.kind.toLowerCase()}"
+              RESOURCE_NAME="${this.metadata.name}"
+              CONTAINER_NAME="${containerName}"
+              SHELL="${shell}"
+              LABEL_SELECTOR="${podLabelSelector}"
+
+              echo "Connecting to $RESOURCE_TYPE \\"$RESOURCE_NAME\\" in namespace \\"$NAMESPACE\\""
+
+              # get all pods for this workload
+              PODS=$(kubectl get pods -n "$NAMESPACE" -l "$LABEL_SELECTOR" -o jsonpath='{.items[*].metadata.name}' 2>/dev/null || echo "")
+
+              if [ -z "$PODS" ]; then
+                echo "No pods found"
+                exit 1
+              fi
+
+              # convert space-separated string to array
+              read -ra POD_ARRAY <<< "$PODS"
+
+              if [ \${#POD_ARRAY[@]} -eq 1 ]; then
+                # single pod found, connect directly
+                SELECTED_POD="\${POD_ARRAY[0]}"
+                echo "Found single pod: $SELECTED_POD"
+              else
+                # multiple pods found, use fzf for selection
+                echo "Found \${#POD_ARRAY[@]} pods. Please select one."
+                
+                SELECTED_POD=$(printf '%s\n' "\${POD_ARRAY[@]}" | fzf --prompt="Select pod: " --height 10 --border --info=inline)
+                
+                if [ -z "$SELECTED_POD" ]; then
+                  echo "No pod selected"
+                  exit 1
+                fi
+                
+                echo "Selected pod: $SELECTED_POD"
+              fi
+
+              # execute into the selected pod
+              exec kubectl exec -it -n "$NAMESPACE" "$SELECTED_POD" -c "$CONTAINER_NAME" -- "$SHELL"
+            `.apply(trimIndentation)
+          })
+        },
+        env: {
+          KUBECONFIG: "/kubeconfig"
+        }
+      }
+    });
+  }
+  get logsTerminal() {
+    const containerName = this.podTemplate.spec.containers.apply((containers) => containers[0].name);
+    const podLabelSelector = this.templateMetadata.apply((meta) => meta.labels ?? {}).apply((labels) => Object.entries(labels).map(([key, value]) => `${key}=${value}`).join(","));
+    return output5({
+      name: interpolate4`${this.metadata.name}.logs`,
+      meta: output5(this.getTerminalMeta()).apply((meta) => ({
+        ...meta,
+        title: `${meta.title} Logs`,
+        globalTitle: `${meta.globalTitle} | Logs`,
+        description: `The logs of ${meta.title.toLowerCase()}.`
+      })),
+      spec: {
+        image: images_default["terminal-kubectl"].image,
+        command: ["bash", "/welcome.sh"],
+        files: {
+          "/kubeconfig": makeFileOutput({
+            name: "kubeconfig",
+            content: getClusterKubeconfigContent(this.cluster),
+            isSecret: true
+          }),
+          "/welcome.sh": makeFileOutput({
+            name: "welcome.sh",
+            content: interpolate4`
+              #!/bin/bash
+              set -euo pipefail
+
+              NAMESPACE="${this.metadata.namespace}"
+              RESOURCE_TYPE="${this.kind.toLowerCase()}"
+              RESOURCE_NAME="${this.metadata.name}"
+              CONTAINER_NAME="${containerName}"
+              LABEL_SELECTOR="${podLabelSelector}"
+
+              echo "Connecting to logs of $RESOURCE_TYPE \"$RESOURCE_NAME\" in namespace \"$NAMESPACE\""
+
+              # get all pods for this workload
+              PODS=$(kubectl get pods -n "$NAMESPACE" -l "$LABEL_SELECTOR" -o jsonpath='{.items[*].metadata.name}' 2>/dev/null || echo "")
+
+              if [ -z "$PODS" ]; then
+                echo "No pods found"
+                exit 1
+              fi
+
+              # convert space-separated string to array
+              read -ra POD_ARRAY <<< "$PODS"
+
+              if [ \${#POD_ARRAY[@]} -eq 1 ]; then
+                # single pod found, connect directly
+                SELECTED_POD="\${POD_ARRAY[0]}"
+                echo "Found single pod: $SELECTED_POD"
+              else
+                # multiple pods found, use fzf for selection
+                echo "Found \${#POD_ARRAY[@]} pods. Please select one."
+
+                SELECTED_POD=$(printf '%s\n' "\${POD_ARRAY[@]}" | fzf --prompt="Select pod: " --height 10 --border --info=inline)
+
+                if [ -z "$SELECTED_POD" ]; then
+                  echo "No pod selected"
+                  exit 1
+                fi
+
+                echo "Selected pod: $SELECTED_POD"
+              fi
+
+              # stream logs for the selected pod
+              exec kubectl logs -f -n "$NAMESPACE" "$SELECTED_POD" -c "$CONTAINER_NAME"
+            `.apply(trimIndentation)
+          })
+        },
+        env: {
+          KUBECONFIG: "/kubeconfig"
+        }
+      }
+    });
+  }
+  get terminals() {
+    return [this.logsTerminal, this.terminal];
+  }
+  createTerminal(name, meta, command, spec) {
+    const containerName = this.podTemplate.spec.containers.apply((containers) => containers[0].name);
+    return output5({
+      name,
+      meta: output5(this.getTerminalMeta()).apply((currentMeta) => ({
+        ...currentMeta,
+        ...meta
+      })),
+      spec: {
+        image: images_default["terminal-kubectl"].image,
+        command: output5(command).apply((command2) => [
+          "exec",
+          "kubectl",
+          "exec",
+          "-it",
+          "-n",
+          this.metadata.namespace,
+          interpolate4`${this.kind.toLowerCase()}/${this.metadata.name}`,
+          "-c",
+          containerName,
+          "--",
+          ...command2
+        ]),
+        files: {
+          "/kubeconfig": makeFileOutput({
+            name: "kubeconfig",
+            content: getClusterKubeconfigContent(this.cluster),
+            isSecret: true
+          }),
+          ...spec?.files
+        },
+        env: {
+          KUBECONFIG: "/kubeconfig",
+          ...spec?.env
+        }
+      }
+    });
+  }
+  static createOrPatchGeneric(name, args, opts) {
+    return output5(args).apply(async (args2) => {
+      const baseArgs = omit3(args2, genericWorkloadExtraArgs);
+      if (args2.existing?.kind === "Deployment") {
+        const { Deployment } = await import("./chunk-aame3x1b.js");
+        const deploymentArgs = deepmerge2(baseArgs, args2.deployment ?? {});
+        return Deployment.patch(name, {
+          ...deploymentArgs,
+          name: args2.existing.metadata.name,
+          namespace: Namespace.forResourceAsync(args2.existing, output5(args2.namespace).cluster)
+        }, opts);
+      }
+      if (args2.existing?.kind === "StatefulSet") {
+        const { StatefulSet } = await import("./chunk-23vn2rdc.js");
+        const statefulSetArgs = deepmerge2(baseArgs, args2.statefulSet ?? {});
+        return StatefulSet.patch(name, {
+          ...statefulSetArgs,
+          name: args2.existing.metadata.name,
+          namespace: Namespace.forResourceAsync(args2.existing, output5(args2.namespace).cluster)
+        }, opts);
+      }
+      if (args2.existing?.kind === "Job") {
+        const { Job } = await import("./chunk-2pfx13ay.js");
+        const jobArgs = deepmerge2(baseArgs, args2.job ?? {});
+        return Job.patch(name, {
+          ...jobArgs,
+          name: args2.existing.metadata.name,
+          namespace: Namespace.forResourceAsync(args2.existing, output5(args2.namespace).cluster)
+        }, opts);
+      }
+      if (args2.existing?.kind === "CronJob") {
+        const { CronJob } = await import("./chunk-bmvc9d2d.js");
+        const cronJobArgs = deepmerge2(baseArgs, args2.cronJob ?? {});
+        return CronJob.patch(name, {
+          ...cronJobArgs,
+          name: args2.existing.metadata.name,
+          namespace: Namespace.forResourceAsync(args2.existing, output5(args2.namespace).cluster)
+        }, opts);
+      }
+      if (args2.defaultType === "Deployment") {
+        const { Deployment } = await import("./chunk-aame3x1b.js");
+        const deploymentArgs = deepmerge2(baseArgs, args2.deployment ?? {});
+        return Deployment.create(name, deploymentArgs, opts);
+      }
+      if (args2.defaultType === "StatefulSet") {
+        const { StatefulSet } = await import("./chunk-23vn2rdc.js");
+        const statefulSetArgs = deepmerge2(baseArgs, args2.statefulSet ?? {});
+        return StatefulSet.create(name, statefulSetArgs, opts);
+      }
+      if (args2.defaultType === "Job") {
+        const { Job } = await import("./chunk-2pfx13ay.js");
+        const jobArgs = deepmerge2(baseArgs, args2.job ?? {});
+        return Job.create(name, jobArgs, opts);
+      }
+      if (args2.defaultType === "CronJob") {
+        const { CronJob } = await import("./chunk-bmvc9d2d.js");
+        const cronJobArgs = deepmerge2(baseArgs, args2.cronJob ?? {});
+        return CronJob.create(name, cronJobArgs, opts);
+      }
+      throw new Error(`Unknown workload type: ${args2.defaultType}`);
+    });
+  }
+}
+
+export { ConfigMap, PersistentVolumeClaim, getAutoVolumeName, getFallbackContainerName, mapContainerToRaw, mapContainerEnvironment, mapVolumeMount, mapEnvironmentSource, mapWorkloadVolume, getWorkloadVolumeResourceUuid, getBestEndpoint, requireBestEndpoint, networkPolicyMediator, NetworkPolicy, NativeNetworkPolicy, podSpecDefaults, workloadExtraArgs, filterPatchOwnedContainersInTemplate, workloadServiceExtraArgs, getWorkloadComponents, getWorkloadServiceComponents, Workload };