@highstate/k8s 0.19.1 → 0.21.1

package/dist/units/dns01-issuer/index.js

@@ -1,57 +1,97 @@
-import { dns01SolverMediator } from '../../chunk-HH2JJELM.js';
-import { getProviderAsync, Namespace } from '../../chunk-OBDQONMV.js';
-import '../../chunk-PZ5AY32C.js';
-import { cert_manager } from '@highstate/cert-manager';
-import { k8s } from '@highstate/library';
-import { forUnit } from '@highstate/pulumi';
+// @bun
+import {
+  dns01SolverMediator
+} from "../../chunk-de82bbp2.js";
+import {
+  Namespace,
+  Secret,
+  getProviderAsync
+} from "../../chunk-facs31cb.js";
+import"../../chunk-b05q6fm2.js";
 
-var { name, inputs, outputs } = forUnit(k8s.dns01TlsIssuer);
+// src/units/dns01-issuer/index.ts
+import { cert_manager } from "@highstate/cert-manager";
+import { common, k8s } from "@highstate/library";
+import { forUnit, makeEntityOutput } from "@highstate/pulumi";
+var { name, args, secrets, inputs, outputs } = forUnit(k8s.dns01TlsIssuer);
 var provider = await getProviderAsync(inputs.k8sCluster);
 var certManagerNs = Namespace.get("cert-manager", {
   name: "cert-manager",
   cluster: inputs.k8sCluster
 });
-new cert_manager.v1.ClusterIssuer(
-  name,
-  {
-    metadata: {
-      name
-    },
-    spec: {
-      acme: {
-        server: "https://acme-v02.api.letsencrypt.org/directory",
-        solvers: [
-          {
-            dns01: dns01SolverMediator.callOutput(inputs.dnsProvider.implRef, {
-              namespace: certManagerNs
-            }),
-            selector: { dnsZones: inputs.dnsProvider.zones }
-          }
-        ],
-        privateKeySecretRef: {
-          name
-        }
-      }
+var eabSecret;
+if (args.acmeServer.type === "zerossl") {
+  if (!secrets.eabKeyId || !secrets.eabKeySecret) {
+    throw new Error("EAB key ID and secret are required for ZeroSSL ACME server");
+  }
+  eabSecret = Secret.create(`${name}-eab`, {
+    namespace: certManagerNs,
+    stringData: {
+      keyId: secrets.eabKeyId,
+      keySecret: secrets.eabKeySecret
     }
+  });
+}
+var getAcmeServer = () => {
+  switch (args.acmeServer.type) {
+    case "zerossl":
+      return "https://acme.zerossl.com/v2/DV90";
+    case "letsencrypt":
+      return "https://acme-v02.api.letsencrypt.org/directory";
+    case "custom":
+      return args.acmeServer.url;
+  }
+};
+new cert_manager.v1.ClusterIssuer(name, {
+  metadata: {
+    name
   },
-  { provider }
-);
+  spec: {
+    acme: {
+      server: getAcmeServer(),
+      solvers: [
+        {
+          dns01: dns01SolverMediator.callOutput(inputs.dnsProvider.implRef, {
+            namespace: certManagerNs
+          }),
+          selector: { dnsZones: inputs.dnsProvider.zones }
+        }
+      ],
+      privateKeySecretRef: {
+        name
+      },
+      externalAccountBinding: eabSecret ? {
+        keyID: eabSecret.stringData.keyId,
+        keySecretRef: {
+          name: eabSecret.metadata.name,
+          key: "keySecret"
+        }
+      } : undefined
+    }
+  }
+}, { provider });
 var dns01_issuer_default = outputs({
-  tlsIssuer: {
-    zones: inputs.dnsProvider.zones,
-    implRef: {
-      package: "@highstate/k8s",
-      data: {
-        clusterIssuerName: name,
-        cluster: inputs.k8sCluster
+  tlsIssuer: makeEntityOutput({
+    entity: common.tlsIssuerEntity,
+    identity: `${name}:tls-issuer`,
+    meta: {
+      title: name
+    },
+    value: {
+      zones: inputs.dnsProvider.zones,
+      implRef: {
+        package: "@highstate/k8s",
+        data: {
+          clusterIssuerName: name,
+          cluster: inputs.k8sCluster
+        }
       }
     }
-  },
+  }),
   $statusFields: {
     zones: inputs.dnsProvider.zones
   }
 });
-
-export { dns01_issuer_default as default };
-//# sourceMappingURL=index.js.map
-//# sourceMappingURL=index.js.map
+export {
+  dns01_issuer_default as default
+};

package/dist/units/existing-cluster/index.js

@@ -1,17 +1,30 @@
-import { detectExternalIps, createK8sTerminal } from '../../chunk-LGHFSXNT.js';
-import '../../chunk-OBDQONMV.js';
-import '../../chunk-PZ5AY32C.js';
-import { parseAddress, mergeAddresses, parseEndpoints, parseEndpoint, mergeEndpoints, l4EndpointToString, l3EndpointToString } from '@highstate/common';
-import { k8s } from '@highstate/library';
-import { forUnit, toPromise, secret } from '@highstate/pulumi';
-import { KubeConfig, AppsV1Api } from '@kubernetes/client-node';
-import { Provider, core } from '@pulumi/kubernetes';
+// @bun
+import {
+  createK8sTerminal,
+  detectExternalIps
+} from "../../chunk-9hs97f1q.js";
+import"../../chunk-facs31cb.js";
+import"../../chunk-b05q6fm2.js";
 
+// src/units/existing-cluster/index.ts
+import {
+  l3EndpointToString,
+  l4EndpointToString,
+  mergeAddresses,
+  mergeEndpoints,
+  parseAddress,
+  parseEndpoint,
+  parseEndpoints
+} from "@highstate/common";
+import { common, k8s } from "@highstate/library";
+import { forUnit, makeEntityOutput, toPromise } from "@highstate/pulumi";
+import { AppsV1Api, KubeConfig } from "@kubernetes/client-node";
+import { core, Provider } from "@pulumi/kubernetes";
 var { name, args, inputs, secrets, outputs } = forUnit(k8s.existingCluster);
 var kubeconfigContent = await toPromise(secrets.kubeconfig.apply(JSON.stringify));
 var provider = new Provider(name, { kubeconfig: kubeconfigContent });
 var networkPolicyImplRef;
-var kubeConfig = new KubeConfig();
+var kubeConfig = new KubeConfig;
 kubeConfig.loadFromString(kubeconfigContent);
 var appsApi = kubeConfig.makeApiClient(AppsV1Api);
 var hasCilium = await appsApi.readNamespacedDaemonSet({ name: "cilium", namespace: "kube-system" }).then(() => true).catch(() => false);
@@ -26,29 +39,50 @@ if (args.autoDetectExternalIps) {
   const detectedIps = await detectExternalIps(kubeConfig, args.internalIpsPolicy);
   externalIps = mergeAddresses([...externalIps, ...detectedIps]);
 }
-var endpoints = await parseEndpoints(args.endpoints, inputs.endpoints);
+var endpoints = parseEndpoints([...args.endpoints, ...inputs.endpoints]);
 if (args.useExternalIpsAsEndpoints) {
   const ipEndpoints = externalIps.map((ip) => parseEndpoint(ip));
   endpoints = mergeEndpoints([...endpoints, ...ipEndpoints]);
 }
-var apiEndpoints = await parseEndpoints(args.apiEndpoints, inputs.endpoints, 4);
+var apiEndpoints = parseEndpoints([...args.apiEndpoints, ...inputs.endpoints], 4);
 if (args.useKubeconfigApiEndpoint) {
   const configEndpoint = parseEndpoint(kubeConfig.clusters[0].server.replace("https://", ""), 4);
   apiEndpoints = mergeEndpoints([configEndpoint, ...apiEndpoints]);
 }
 var kubeSystem = core.v1.Namespace.get("kube-system", "kube-system", { provider });
 var existing_cluster_default = outputs({
-  k8sCluster: {
-    id: kubeSystem.metadata.uid,
-    connectionId: kubeSystem.metadata.uid,
-    name,
-    networkPolicyImplRef,
-    externalIps,
-    endpoints,
-    apiEndpoints,
-    quirks: args.quirks,
-    kubeconfig: secret(kubeconfigContent)
-  },
+  k8sCluster: makeEntityOutput({
+    entity: k8s.clusterEntity,
+    identity: kubeSystem.metadata.uid,
+    value: {
+      id: kubeSystem.metadata.uid,
+      connectionId: kubeSystem.metadata.uid,
+      name,
+      networkPolicyImplRef,
+      externalIps,
+      endpoints,
+      apiEndpoints,
+      quirks: args.quirks,
+      kubeconfig: makeEntityOutput({
+        entity: common.fileEntity,
+        identity: `${name}:kubeconfig`,
+        meta: {
+          title: "Kubeconfig"
+        },
+        value: {
+          content: {
+            type: "embedded-secret",
+            value: kubeconfigContent
+          },
+          meta: {
+            name: "kubeconfig",
+            contentType: "text/yaml",
+            mode: 384
+          }
+        }
+      })
+    }
+  }),
   $terminals: [createK8sTerminal(kubeconfigContent)],
   $statusFields: {
     clusterId: kubeSystem.metadata.uid,
@@ -56,7 +90,6 @@ var existing_cluster_default = outputs({
     apiEndpoints: apiEndpoints.map(l4EndpointToString)
   }
 });
-
-export { existing_cluster_default as default };
-//# sourceMappingURL=index.js.map
-//# sourceMappingURL=index.js.map
+export {
+  existing_cluster_default as default
+};

package/dist/units/gateway-api/index.js

@@ -1,22 +1,21 @@
-import { getProviderAsync } from '../../chunk-OBDQONMV.js';
-import '../../chunk-PZ5AY32C.js';
-import { k8s } from '@highstate/library';
-import { forUnit } from '@highstate/pulumi';
-import { yaml } from '@pulumi/kubernetes';
+// @bun
+import {
+  getProviderAsync
+} from "../../chunk-facs31cb.js";
+import"../../chunk-b05q6fm2.js";
 
+// src/units/gateway-api/index.ts
+import { k8s } from "@highstate/library";
+import { forUnit } from "@highstate/pulumi";
+import { yaml } from "@pulumi/kubernetes";
 var { inputs, outputs } = forUnit(k8s.gatewayApi);
 var provider = await getProviderAsync(inputs.k8sCluster);
-new yaml.v2.ConfigFile(
-  "gateway-api",
-  {
-    file: "https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/experimental-install.yaml"
-  },
-  { provider }
-);
+new yaml.v2.ConfigFile("gateway-api", {
+  file: "https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/experimental-install.yaml"
+}, { provider });
 var gateway_api_default = outputs({
   k8sCluster: inputs.k8sCluster
 });
-
-export { gateway_api_default as default };
-//# sourceMappingURL=index.js.map
-//# sourceMappingURL=index.js.map
+export {
+  gateway_api_default as default
+};

package/dist/units/reduced-access-cluster/index.js

@@ -1,35 +1,32 @@
-import { ClusterAccessScope } from '../../chunk-KMLRI5UZ.js';
-import { createK8sTerminal } from '../../chunk-LGHFSXNT.js';
-import '../../chunk-4G6LLC2X.js';
-import { Namespace } from '../../chunk-OBDQONMV.js';
-import '../../chunk-PZ5AY32C.js';
-import { text, trimIndentation } from '@highstate/contract';
-import { k8s } from '@highstate/library';
-import { forUnit, toPromise, output, interpolate, fileFromString, secret } from '@highstate/pulumi';
-import { join } from 'remeda';
+// @bun
+import {
+  createK8sTerminal
+} from "../../chunk-9hs97f1q.js";
+import {
+  ClusterAccessScope,
+  Namespace,
+  getClusterKubeconfigContent
+} from "../../chunk-facs31cb.js";
+import"../../chunk-b05q6fm2.js";
 
+// src/units/reduced-access-cluster/index.ts
+import { text, trimIndentation } from "@highstate/contract";
+import { k8s } from "@highstate/library";
+import { forUnit, interpolate, makeFileOutput, output, secret, toPromise } from "@highstate/pulumi";
+import { join } from "remeda";
 var { args, inputs, outputs } = forUnit(k8s.reducedAccessCluster);
 var resolvedInputs = await toPromise(inputs);
-var accessScope = new ClusterAccessScope(
-  "scope",
-  {
-    namespace: Namespace.for(resolvedInputs.namespace, inputs.k8sCluster),
-    extraNamespaces: resolvedInputs.extraNamespaces.map((ns) => Namespace.for(ns, inputs.k8sCluster)),
-    rules: args.rules,
-    resources: resolvedInputs.resources
-  },
-  {}
-);
-var resourceLines = await toPromise(
-  output(
-    resolvedInputs.resources.map(
-      (r) => r.isNamespaced ? interpolate`- ${r.kind} "${r.metadata.namespace}/${r.metadata.name}"` : interpolate`- ${r.kind} "${r.metadata.name}"`
-    )
-  ).apply(join("\n"))
-);
+var accessScope = new ClusterAccessScope("scope", {
+  namespace: Namespace.for(resolvedInputs.namespace, inputs.k8sCluster),
+  extraNamespaces: resolvedInputs.extraNamespaces.map((ns) => Namespace.for(ns, inputs.k8sCluster)),
+  rules: args.rules,
+  resources: resolvedInputs.resources
+}, {});
+var resourceLines = await toPromise(output(resolvedInputs.resources.map((r) => r.isNamespaced ? interpolate`- ${r.kind} "${r.metadata.namespace}/${r.metadata.name}"` : interpolate`- ${r.kind} "${r.metadata.name}"`)).apply(join(`
+`)));
 var reduced_access_cluster_default = outputs({
   k8sCluster: accessScope.cluster,
-  $terminals: [createK8sTerminal(accessScope.cluster.kubeconfig)],
+  $terminals: [createK8sTerminal(secret(getClusterKubeconfigContent(accessScope.cluster)))],
   $pages: {
     index: {
       meta: {
@@ -52,22 +49,22 @@ var reduced_access_cluster_default = outputs({
         },
         {
           type: "file",
-          file: fileFromString("kubeconfig", accessScope.cluster.kubeconfig, {
+          file: makeFileOutput({
+            name: "kubeconfig",
+            content: secret(getClusterKubeconfigContent(accessScope.cluster)),
             contentType: "text/yaml",
             isSecret: true
           })
         },
         {
           type: "markdown",
-          content: secret(
-            interpolate`
+          content: secret(interpolate`
               You can also copy the following content of the kubeconfig file:
 
               \`\`\`yaml
               ${accessScope.cluster.kubeconfig}
               \`\`\`
-            `.apply(trimIndentation)
-          )
+            `.apply(trimIndentation))
         },
         {
           type: "markdown",
@@ -77,7 +74,6 @@ var reduced_access_cluster_default = outputs({
     }
   }
 });
-
-export { reduced_access_cluster_default as default };
-//# sourceMappingURL=index.js.map
-//# sourceMappingURL=index.js.map
+export {
+  reduced_access_cluster_default as default
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@highstate/k8s",
-  "version": "0.19.1",
+  "version": "0.21.1",
   "type": "module",
   "files": [
     "dist",
@@ -49,6 +49,7 @@
     "./units/existing-cluster": "./dist/units/existing-cluster/index.js",
     "./units/gateway-api": "./dist/units/gateway-api/index.js",
     "./units/reduced-access-cluster": "./dist/units/reduced-access-cluster/index.js",
+    "./impl/dynamic-endpoint-resolver": "./dist/impl/dynamic-endpoint-resolver.js",
     "./impl/gateway-route": "./dist/impl/gateway-route.js",
     "./impl/tls-certificate": "./dist/impl/tls-certificate.js"
   },
@@ -60,41 +61,42 @@
       "stdlib"
     ]
   },
+  "scripts": {
+    "build": "highstate build",
+    "update-charts": "../../../scripts/update-charts.sh ./assets/charts.json",
+    "update-images": "../../../scripts/update-images.sh ./assets/images.json",
+    "generate-crds": "./scripts/generate-crds.sh",
+    "typecheck": "tsgo --noEmit --skipLibCheck",
+    "biome": "biome check --write --unsafe --error-on-warnings",
+    "biome:check": "biome check --error-on-warnings"
+  },
   "dependencies": {
+    "@highstate/cert-manager": "0.20.0",
+    "@highstate/common": "0.20.0",
+    "@highstate/contract": "0.20.0",
+    "@highstate/gateway-api": "0.20.0",
+    "@highstate/library": "0.20.0",
+    "@highstate/pulumi": "0.20.0",
     "@kubernetes/client-node": "^1.1.0",
     "@pulumi/command": "^1.0.2",
     "@pulumi/kubernetes": "^4.18.0",
-    "@pulumi/pulumi": "3.198.0",
+    "@pulumi/pulumi": "3.232.0",
     "crypto-hash": "^3.1.0",
     "deepmerge-ts": "^7.1.5",
     "glob": "^11.0.1",
     "nano-spawn": "^0.2.0",
+    "get-port-please": "^3.1.2",
     "pkg-types": "^2.1.0",
     "remeda": "^2.21.0",
-    "yaml": "^2.8.1",
-    "@highstate/cert-manager": "0.14.0",
-    "@highstate/gateway-api": "0.14.0",
-    "@highstate/contract": "0.19.1",
-    "@highstate/pulumi": "0.19.1",
-    "@highstate/common": "0.19.1",
-    "@highstate/library": "0.19.1"
+    "yaml": "^2.8.1"
   },
   "devDependencies": {
     "@biomejs/biome": "2.2.0",
+    "@highstate/cli": "0.20.0",
     "@typescript/native-preview": "^7.0.0-dev.20250920.1",
-    "type-fest": "^4.41.0",
-    "@highstate/cli": "0.19.1"
+    "type-fest": "^4.41.0"
   },
   "repository": {
     "url": "https://github.com/highstate-io/highstate"
-  },
-  "scripts": {
-    "build": "highstate build",
-    "update-charts": "../../../scripts/update-charts.sh ./assets/charts.json",
-    "update-images": "../../../scripts/update-images.sh ./assets/images.json",
-    "generate-crds": "./scripts/generate-crds.sh",
-    "typecheck": "tsgo --noEmit --skipLibCheck",
-    "biome": "biome check --write --unsafe --error-on-warnings",
-    "biome:check": "biome check --error-on-warnings"
   }
-}
+}

package/src/cluster.ts

@@ -1,7 +1,7 @@
 import type { k8s, network } from "@highstate/library"
 import { isPrivateAddress, parseAddress } from "@highstate/common"
 import { text, type UnitTerminal } from "@highstate/contract"
-import { fileFromString, type Input, type Output, output } from "@highstate/pulumi"
+import { type Input, makeFileOutput, type Output, output } from "@highstate/pulumi"
 import { CoreV1Api, type KubeConfig } from "@kubernetes/client-node"
 import { images } from "./shared"
 
@@ -54,20 +54,24 @@ export function createK8sTerminal(kubeconfig: Input<string>): Output<UnitTermina
       command: ["bash", "/welcome.sh"],
 
       files: {
-        "/kubeconfig": fileFromString("kubeconfig", kubeconfig, { isSecret: true }),
-
-        "/welcome.sh": fileFromString(
-          "welcome.sh",
-          text`
+        "/kubeconfig": makeFileOutput({
+          name: "kubeconfig",
+          content: kubeconfig,
+          isSecret: true,
+        }),
+
+        "/welcome.sh": makeFileOutput({
+          name: "welcome.sh",
+          content: text`
             echo "Connecting to the cluster..."
             kubectl cluster-info
 
-            echo "Use 'kubectl' and 'helm' to manage the cluster."
+            echo "Use 'kubectl', 'helm' or 'k9s' to manage the cluster."
             echo
 
             exec bash
           `,
-        ),
+        }),
       },
 
       env: {

package/src/config-map.ts

@@ -1,15 +1,16 @@
-import type { k8s } from "@highstate/library"
 import { getOrCreate } from "@highstate/contract"
-import { toPromise } from "@highstate/pulumi"
-import { core, type types } from "@pulumi/kubernetes"
+import { k8s } from "@highstate/library"
 import {
   type ComponentResourceOptions,
   type Input,
   type Inputs,
   interpolate,
+  makeEntityOutput,
   type Output,
   output,
-} from "@pulumi/pulumi"
+  toPromise,
+} from "@highstate/pulumi"
+import { core, type types } from "@pulumi/kubernetes"
 import { Namespace } from "./namespace"
 import { getProvider, mapMetadata, NamespacedResource, type ScopedResourceArgs } from "./shared"
 
@@ -51,7 +52,16 @@ export abstract class ConfigMap extends NamespacedResource {
    * The Highstate config map entity.
    */
   get entity(): Output<k8s.ConfigMap> {
-    return output(this.entityBase)
+    return makeEntityOutput({
+      entity: k8s.configMapEntity,
+      identity: this.metadata.uid,
+      meta: {
+        title: this.metadata.name,
+      },
+      value: {
+        ...this.entityBase,
+      },
+    })
   }
 
   /**

package/src/container.ts

@@ -120,6 +120,8 @@ export type ContainerEnvironmentSource =
   | types.input.core.v1.EnvFromSource
   | core.v1.ConfigMap
   | core.v1.Secret
+  | ConfigMap
+  | Secret
 
 export type ContainerVolumeMount =
   | types.input.core.v1.VolumeMount
@@ -268,7 +270,7 @@ export function mapVolumeMount(volumeMount: ContainerVolumeMount): types.input.c
 export function mapEnvironmentSource(
   envFrom: ContainerEnvironmentSource,
 ): types.input.core.v1.EnvFromSource {
-  if (envFrom instanceof core.v1.ConfigMap) {
+  if (envFrom instanceof core.v1.ConfigMap || envFrom instanceof ConfigMap) {
     return {
       configMapRef: {
         name: envFrom.metadata.name,
@@ -276,7 +278,7 @@ export function mapEnvironmentSource(
     }
   }
 
-  if (envFrom instanceof core.v1.Secret) {
+  if (envFrom instanceof core.v1.Secret || envFrom instanceof Secret) {
     return {
       secretRef: {
         name: envFrom.metadata.name,