@highstate/k8s 0.20.0 → 0.21.1

package/dist/chunk-aame3x1b.js

@@ -0,0 +1,11 @@
+// @bun
+import {
+  Deployment
+} from "./chunk-7kgjgcft.js";
+import"./chunk-h1b79v66.js";
+import"./chunk-k4w9zpn5.js";
+import"./chunk-facs31cb.js";
+import"./chunk-b05q6fm2.js";
+export {
+  Deployment
+};

package/dist/chunk-b05q6fm2.js

@@ -0,0 +1,37 @@
+// @bun
+var __require = import.meta.require;
+var __using = (stack, value, async) => {
+  if (value != null) {
+    if (typeof value !== "object" && typeof value !== "function")
+      throw TypeError('Object expected to be assigned to "using" declaration');
+    let dispose;
+    if (async)
+      dispose = value[Symbol.asyncDispose];
+    if (dispose === undefined)
+      dispose = value[Symbol.dispose];
+    if (typeof dispose !== "function")
+      throw TypeError("Object not disposable");
+    stack.push([async, dispose, value]);
+  } else if (async) {
+    stack.push([async]);
+  }
+  return value;
+};
+var __callDispose = (stack, error, hasError) => {
+  let fail = (e) => error = hasError ? new SuppressedError(e, error, "An error was suppressed during disposal") : (hasError = true, e), next = (it) => {
+    while (it = stack.pop()) {
+      try {
+        var result = it[1] && it[1].call(it[2]);
+        if (it[0])
+          return Promise.resolve(result).then(next, (e) => (fail(e), next()));
+      } catch (e) {
+        fail(e);
+      }
+    }
+    if (hasError)
+      throw error;
+  };
+  return next();
+};
+
+export { __require, __using, __callDispose };

package/dist/chunk-bmvc9d2d.js

@@ -0,0 +1,11 @@
+// @bun
+import {
+  CronJob
+} from "./chunk-tpfyj6fe.js";
+import"./chunk-h1b79v66.js";
+import"./chunk-k4w9zpn5.js";
+import"./chunk-facs31cb.js";
+import"./chunk-b05q6fm2.js";
+export {
+  CronJob
+};

package/dist/chunk-de82bbp2.js

@@ -0,0 +1,7 @@
+// @bun
+// src/dns01-solver.ts
+import { ImplementationMediator } from "@highstate/common";
+import { z } from "@highstate/contract";
+var dns01SolverMediator = new ImplementationMediator("dns01-solver", z.object({ namespace: z.custom() }), z.custom());
+
+export { dns01SolverMediator };

package/dist/chunk-facs31cb.js

@@ -0,0 +1,624 @@
+// @bun
+// assets/images.json
+var images_default = {
+  "terminal-kubectl": {
+    name: "ghcr.io/highstate-io/highstate/terminal.kubectl",
+    tag: "latest",
+    image: "ghcr.io/highstate-io/highstate/terminal.kubectl:latest@sha256:cc0a15d9960422d77f4a8e2c8bff1161d171565e0fe81b5827f02a9bdac7bcd8"
+  },
+  "worker.k8s-monitor": {
+    name: "ghcr.io/highstate-io/highstate/worker.k8s-monitor",
+    tag: "latest",
+    image: "ghcr.io/highstate-io/highstate/worker.k8s-monitor:latest@sha256:5acae35c3163a75b83ee574e7274eb7692dfd3c7f615deceede9b44bc1e475f9"
+  },
+  alpine: {
+    name: "alpine",
+    tag: "latest",
+    image: "alpine:latest@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11"
+  },
+  ubuntu: {
+    name: "ubuntu",
+    tag: "latest",
+    image: "ubuntu:latest@sha256:c4a8d5503dfb2a3eb8ab5f807da5bc69a85730fb49b5cfca2330194ebcc41c7b"
+  }
+};
+
+// src/secret.ts
+import { getOrCreate as getOrCreate2 } from "@highstate/contract";
+import { k8s as k8s2 } from "@highstate/library";
+import {
+  interpolate as interpolate2,
+  makeEntityOutput as makeEntityOutput2,
+  output as output4,
+  toPromise as toPromise4
+} from "@highstate/pulumi";
+import { core as core4 } from "@pulumi/kubernetes";
+
+// src/namespace.ts
+import { getOrCreate } from "@highstate/contract";
+import { k8s } from "@highstate/library";
+import { makeEntityOutput, toPromise as toPromise3 } from "@highstate/pulumi";
+import { core as core3 } from "@pulumi/kubernetes";
+import {
+  output as output3
+} from "@pulumi/pulumi";
+
+// src/rbac.ts
+import { common } from "@highstate/library";
+import {
+  ComponentResource as ComponentResource2,
+  interpolate,
+  makeEntity,
+  normalizeInputs,
+  output as output2,
+  toPromise as toPromise2
+} from "@highstate/pulumi";
+import { KubeConfig } from "@kubernetes/client-node";
+import { core as core2, rbac } from "@pulumi/kubernetes";
+import { map, unique } from "remeda";
+
+// src/shared.ts
+import {
+  ComponentResource,
+  output,
+  secret,
+  toPromise
+} from "@highstate/pulumi";
+import { core, Provider } from "@pulumi/kubernetes";
+var providers = new Map;
+function getProvider(cluster) {
+  const name = `${cluster.name}.${cluster.connectionId}`;
+  const existing = providers.get(name);
+  if (existing) {
+    return existing;
+  }
+  if (cluster.kubeconfig.content.type !== "embedded-secret") {
+    throw new Error("Only embedded secrets are supported for cluster kubeconfig for now");
+  }
+  const provider = new Provider(name, {
+    kubeconfig: secret(cluster.kubeconfig.content.value.value)
+  });
+  providers.set(name, provider);
+  return provider;
+}
+async function getProviderAsync(cluster) {
+  const resolvedCluster = await toPromise(cluster);
+  return getProvider(resolvedCluster);
+}
+function getEmbeddedSecretFileContent(file) {
+  return output(file).apply((file2) => {
+    if (file2.content.type !== "embedded-secret") {
+      throw new Error("Only embedded-secret file contents are supported for kubeconfig for now");
+    }
+    return file2.content.value.value;
+  });
+}
+function getClusterKubeconfigContent(cluster) {
+  return output(cluster).apply((cluster2) => {
+    if (cluster2.kubeconfig.content.type !== "embedded-secret") {
+      throw new Error("Only embedded-secret file contents are supported for cluster kubeconfig for now");
+    }
+    return cluster2.kubeconfig.content.value.value;
+  });
+}
+var commonExtraArgs = ["name", "namespace", "metadata"];
+function mapMetadata(args, fallbackName) {
+  return output(args.metadata).apply((metadata) => output({
+    ...metadata,
+    name: args.name ?? metadata?.name ?? fallbackName,
+    namespace: metadata?.namespace ?? (args.namespace ? output(args.namespace).metadata.name : undefined)
+  }));
+}
+function mapSelectorLikeToSelector(selector) {
+  if ("matchLabels" in selector || "matchExpressions" in selector) {
+    return selector;
+  }
+  return {
+    matchLabels: selector
+  };
+}
+function getNamespaceName(namespace) {
+  if (Namespace.isInstance(namespace)) {
+    return namespace.metadata.name;
+  }
+  if (core.v1.Namespace.isInstance(namespace)) {
+    return namespace.metadata.name;
+  }
+  return output(namespace);
+}
+function mapNamespaceNameToSelector(namespace) {
+  return {
+    matchLabels: {
+      "kubernetes.io/metadata.name": namespace
+    }
+  };
+}
+function validateCluster(entity, cluster) {
+  return output({ entity, cluster }).apply(({ entity: entity2, cluster: cluster2 }) => {
+    if (entity2.clusterId !== cluster2.id) {
+      throw new Error(`Cluster mismatch for ${entity2.kind} "${entity2.metadata.name}": "${entity2.clusterId}" != "${cluster2.id}"`);
+    }
+    return cluster2;
+  });
+}
+class Resource extends ComponentResource {
+  cluster;
+  metadata;
+  static apiVersion;
+  static kind;
+  static isNamespaced = false;
+  constructor(type, name, args, opts, cluster, metadata) {
+    super(type, name, args, opts);
+    this.cluster = cluster;
+    this.metadata = metadata;
+  }
+  get apiVersion() {
+    return this.constructor.apiVersion;
+  }
+  get kind() {
+    return this.constructor.kind;
+  }
+  get isNamespaced() {
+    return this.constructor.isNamespaced;
+  }
+  get entityBase() {
+    return {
+      clusterId: this.cluster.id,
+      clusterName: this.cluster.name,
+      apiVersion: this.apiVersion,
+      kind: this.kind,
+      isNamespaced: false,
+      metadata: this.metadata
+    };
+  }
+}
+
+class NamespacedResource extends Resource {
+  namespace;
+  static isNamespaced = true;
+  constructor(type, name, args, opts, metadata, namespace) {
+    super(type, name, args, opts, namespace.cluster, metadata);
+    this.namespace = namespace;
+  }
+  get entityBase() {
+    return {
+      clusterId: this.cluster.id,
+      clusterName: this.cluster.name,
+      apiVersion: this.apiVersion,
+      kind: this.kind,
+      isNamespaced: true,
+      metadata: this.metadata
+    };
+  }
+}
+
+// src/rbac.ts
+class ClusterAccessScope extends ComponentResource2 {
+  cluster;
+  constructor(name, args, opts) {
+    super("highstate:k8s:ClusterAccessScope", name, args, opts);
+    const { serviceAccount, kubeconfig } = output2(args.namespace).cluster.apply((cluster) => {
+      const provider = getProvider(cluster);
+      const namespaceName = output2(args.namespace).metadata.name;
+      const serviceAccount2 = new core2.v1.ServiceAccount(name, {
+        metadata: {
+          name,
+          namespace: namespaceName
+        }
+      }, { provider });
+      const clusterRole = new rbac.v1.ClusterRole(name, {
+        metadata: {
+          name: interpolate`hs.${namespaceName}.${name}`,
+          annotations: {
+            "kubernetes.io/description": interpolate`Created by Highstate for the ServiceAccount "${name}" in the namespace "${namespaceName}".`
+          }
+        },
+        rules: output2({
+          rules: normalizeInputs(args.rule, args.rules),
+          resources: args.resources ?? []
+        }).apply(({ rules, resources }) => mergeResources(rules, resources))
+      }, { provider });
+      const createRoleBinding = (namespace) => {
+        return new rbac.v1.RoleBinding(name, {
+          metadata: { name, namespace },
+          roleRef: {
+            kind: "ClusterRole",
+            name: clusterRole.metadata.name,
+            apiGroup: "rbac.authorization.k8s.io"
+          },
+          subjects: [
+            {
+              kind: "ServiceAccount",
+              name: serviceAccount2.metadata.name,
+              namespace: namespaceName
+            }
+          ]
+        }, { provider });
+      };
+      if (args.clusterWide) {
+        new rbac.v1.ClusterRoleBinding(name, {
+          metadata: { name },
+          roleRef: {
+            kind: "ClusterRole",
+            name: clusterRole.metadata.name,
+            apiGroup: "rbac.authorization.k8s.io"
+          },
+          subjects: [
+            {
+              kind: "ServiceAccount",
+              name: serviceAccount2.metadata.name,
+              namespace: namespaceName
+            }
+          ]
+        }, { provider });
+      } else {
+        if (args.allowOriginNamespace !== false) {
+          createRoleBinding(namespaceName);
+        }
+        output2(args.extraNamespaces ?? []).apply(map(getNamespaceName)).apply(map(createRoleBinding));
+      }
+      return { serviceAccount: serviceAccount2, kubeconfig: cluster.kubeconfig };
+    });
+    const accessTokenSecret = Secret.create(`${name}-token`, {
+      namespace: args.namespace,
+      type: "kubernetes.io/service-account-token",
+      metadata: {
+        annotations: {
+          "kubernetes.io/service-account.name": serviceAccount.metadata.name
+        }
+      }
+    });
+    this.cluster = output2({
+      cluster: output2(args.namespace).cluster,
+      kubeconfig,
+      newToken: accessTokenSecret.getValue("token"),
+      serviceAccount: serviceAccount.metadata.name,
+      serviceAccountId: serviceAccount.metadata.uid
+    }).apply(({ cluster, kubeconfig: kubeconfig2, newToken, serviceAccount: serviceAccount2, serviceAccountId }) => {
+      if (kubeconfig2.content.type !== "embedded-secret") {
+        throw new Error("Only embedded secrets are supported for cluster kubeconfig for now");
+      }
+      const config = new KubeConfig;
+      config.loadFromString(kubeconfig2.content.value.value);
+      config.users = [];
+      config.contexts = [];
+      config.addUser({ name: serviceAccount2, token: newToken });
+      config.addContext({
+        name: config.clusters[0].name,
+        cluster: config.clusters[0].name,
+        user: serviceAccount2
+      });
+      config.setCurrentContext(config.clusters[0].name);
+      return {
+        ...cluster,
+        connectionId: serviceAccountId,
+        kubeconfig: makeEntity({
+          entity: common.fileEntity,
+          identity: `${serviceAccountId}:kubeconfig`,
+          meta: {
+            title: `kubeconfig for SA ${serviceAccount2}`
+          },
+          value: {
+            content: {
+              type: "embedded-secret",
+              value: config.exportConfig()
+            },
+            meta: {
+              name: "kubeconfig",
+              contentType: "text/yaml",
+              mode: 384
+            }
+          }
+        })
+      };
+    });
+  }
+}
+async function mergeResources(rules, resources) {
+  for (const resource of resources) {
+    const entity = await toPromise2(resource instanceof NamespacedResource ? resource.entity : resource);
+    const apiGroup = entity.apiVersion.includes("/") ? entity.apiVersion.split("/")[0] : "";
+    const resourceCollection = `${entity.kind.toLowerCase()}s`;
+    const matchingRule = rules.find((rule) => {
+      const apiGroupsMatch = rule.apiGroups?.length === 1 && rule.apiGroups[0] === apiGroup;
+      const resourcesMatch = rule.resources?.length === 1 && rule.resources[0] === resourceCollection;
+      return apiGroupsMatch && resourcesMatch;
+    });
+    if (!matchingRule) {
+      continue;
+    }
+    matchingRule.resourceNames = await toPromise2(unique([
+      ...matchingRule.resourceNames ?? [],
+      entity.metadata.name
+    ]));
+  }
+  return rules;
+}
+
+// src/namespace.ts
+class Namespace extends Resource {
+  spec;
+  status;
+  static apiVersion = "v1";
+  static kind = "Namespace";
+  portForwardCluster;
+  constructor(type, name, args, opts, cluster, metadata, spec, status) {
+    super(type, name, args, opts, cluster, metadata);
+    this.spec = spec;
+    this.status = status;
+  }
+  get entity() {
+    return makeEntityOutput({
+      entity: k8s.namespaceEntity,
+      identity: this.metadata.uid,
+      meta: {
+        title: this.metadata.name
+      },
+      value: {
+        ...this.entityBase
+      }
+    });
+  }
+  static create(name, args, opts) {
+    return new CreatedNamespace(name, args, opts);
+  }
+  static wrap(name, args, opts) {
+    return new WrappedNamespace(name, args, opts);
+  }
+  static async createOrGet(name, args, opts) {
+    if (args.resource) {
+      return await Namespace.forResourceAsync(args.resource, args.cluster);
+    }
+    if (args.existing) {
+      return await Namespace.forAsync(args.existing, args.cluster);
+    }
+    return new CreatedNamespace(name, args, opts);
+  }
+  static createOrPatch(name, args, opts) {
+    if (args.resource) {
+      return new NamespacePatch(name, {
+        ...args,
+        name: output3(args.resource).metadata.namespace,
+        cluster: validateCluster(args.resource, args.cluster)
+      });
+    }
+    if (args.existing) {
+      return new NamespacePatch(name, {
+        ...args,
+        name: output3(args.existing).metadata.name,
+        cluster: validateCluster(args.existing, args.cluster)
+      });
+    }
+    return new CreatedNamespace(name, args, opts);
+  }
+  static patch(name, args, opts) {
+    return new NamespacePatch(name, args, opts);
+  }
+  static get(name, args, opts) {
+    return new ExternalNamespace(name, args, opts);
+  }
+  static namespaceCache = new Map;
+  static for(entity, cluster) {
+    return getOrCreate(Namespace.namespaceCache, `${entity.clusterName}.${entity.metadata.name}.${entity.clusterId}`, (name) => {
+      return Namespace.get(name, {
+        name: entity.metadata.name,
+        cluster: validateCluster(entity, cluster)
+      });
+    });
+  }
+  static async forAsync(entity, cluster) {
+    const resolvedEntity = await toPromise3(entity);
+    return Namespace.for(resolvedEntity, cluster);
+  }
+  static forResource(resource, cluster) {
+    return getOrCreate(Namespace.namespaceCache, `${resource.clusterName}.${resource.metadata.namespace}.${resource.clusterId}`, (name) => {
+      return Namespace.get(name, {
+        name: resource.metadata.namespace,
+        cluster: validateCluster(resource, cluster)
+      });
+    });
+  }
+  static async forResourceAsync(resource, cluster) {
+    const resolvedResource = await toPromise3(resource);
+    return Namespace.forResource(resolvedResource, cluster);
+  }
+}
+function mapNamespaceMetadata(args, fallbackName) {
+  return mapMetadata(args, fallbackName).apply((metadata) => {
+    if (args.privileged) {
+      metadata.labels = {
+        ...metadata.labels,
+        "pod-security.kubernetes.io/enforce": "privileged"
+      };
+    }
+    return metadata;
+  });
+}
+
+class CreatedNamespace extends Namespace {
+  constructor(name, args, opts) {
+    const namespace = output3(args.cluster).apply((cluster) => {
+      return new core3.v1.Namespace(name, { metadata: mapNamespaceMetadata(args, name) }, { ...opts, parent: this, provider: getProvider(cluster) });
+    });
+    super("highstate:k8s:Namespace", name, args, opts, output3(args.cluster), namespace.metadata, namespace.spec, namespace.status);
+    const scope = new ClusterAccessScope(`${name}-port-forward`, {
+      namespace: this,
+      rules: [
+        {
+          apiGroups: [""],
+          resources: ["services"],
+          verbs: ["get"]
+        },
+        {
+          apiGroups: [""],
+          resources: ["pods"],
+          verbs: ["get", "list"]
+        },
+        {
+          apiGroups: [""],
+          resources: ["pods/portforward"],
+          verbs: ["create"]
+        }
+      ]
+    }, { parent: this });
+    this.portForwardCluster = scope.cluster;
+  }
+}
+
+class NamespacePatch extends Namespace {
+  constructor(name, args, opts) {
+    const namespace = output3(args.cluster).apply((cluster) => {
+      return new core3.v1.NamespacePatch(name, { metadata: mapNamespaceMetadata(args, name) }, { ...opts, parent: this, provider: getProvider(cluster) });
+    });
+    super("highstate:k8s:NamespacePatch", name, args, opts, output3(args.cluster), namespace.metadata, namespace.spec, namespace.status);
+  }
+}
+
+class ExternalNamespace extends Namespace {
+  constructor(name, args, opts) {
+    const namespace = output3(args.cluster).apply((cluster) => {
+      return core3.v1.Namespace.get(name, args.name, {
+        ...opts,
+        parent: this,
+        provider: getProvider(cluster)
+      });
+    });
+    super("highstate:k8s:ExternalNamespace", name, args, opts, output3(args.cluster), namespace.metadata, namespace.spec, namespace.status);
+  }
+}
+
+class WrappedNamespace extends Namespace {
+  constructor(name, args, opts) {
+    super("highstate:k8s:WrappedNamespace", name, args, opts, output3(args.cluster), output3(args.namespace).metadata, output3(args.namespace).spec, output3(args.namespace).status);
+  }
+}
+
+// src/secret.ts
+class Secret extends NamespacedResource {
+  data;
+  stringData;
+  static apiVersion = "v1";
+  static kind = "Secret";
+  constructor(type, name, args, opts, metadata, namespace, data, stringData) {
+    super(type, name, args, opts, metadata, namespace);
+    this.data = data;
+    this.stringData = stringData;
+  }
+  get entity() {
+    return makeEntityOutput2({
+      entity: k8s2.secretEntity,
+      identity: this.metadata.uid,
+      meta: {
+        title: this.metadata.name
+      },
+      value: {
+        ...this.entityBase
+      }
+    });
+  }
+  getValue(key) {
+    return this.data[key].apply((value) => Buffer.from(value, "base64").toString());
+  }
+  static create(name, args, opts) {
+    return new CreatedSecret(name, args, opts);
+  }
+  static createOrPatch(name, args, opts) {
+    if (args.existing) {
+      return new SecretPatch(name, {
+        ...args,
+        name: output4(args.existing).metadata.name
+      });
+    }
+    return new CreatedSecret(name, args, opts);
+  }
+  static async createOrGet(name, args, opts) {
+    if (args.existing) {
+      return await Secret.forAsync(args.existing, output4(args.namespace).cluster);
+    }
+    return new CreatedSecret(name, args, opts);
+  }
+  static patch(name, args, opts) {
+    return new SecretPatch(name, args, opts);
+  }
+  static wrap(name, args, opts) {
+    return new WrappedSecret(name, args, opts);
+  }
+  static get(name, args, opts) {
+    return new ExternalSecret(name, args, opts);
+  }
+  static secretCache = new Map;
+  static for(entity, cluster) {
+    return getOrCreate2(Secret.secretCache, `${entity.clusterName}.${entity.metadata.namespace}.${entity.metadata.name}.${entity.clusterId}`, (name) => {
+      return Secret.get(name, {
+        name: entity.metadata.name,
+        namespace: Namespace.forResource(entity, cluster)
+      });
+    });
+  }
+  static async forAsync(entity, cluster) {
+    const resolvedEntity = await toPromise4(entity);
+    return Secret.for(resolvedEntity, cluster);
+  }
+}
+
+class CreatedSecret extends Secret {
+  constructor(name, args, opts) {
+    const secret2 = output4(args.namespace).cluster.apply((cluster) => {
+      return new core4.v1.Secret(name, {
+        metadata: mapMetadata(args, name),
+        data: args.data,
+        stringData: args.stringData,
+        type: args.type,
+        immutable: args.immutable
+      }, {
+        ...opts,
+        parent: this,
+        provider: getProvider(cluster)
+      });
+    });
+    super("highstate:k8s:Secret", name, args, opts, secret2.metadata, output4(args.namespace), secret2.data, secret2.stringData);
+  }
+}
+
+class SecretPatch extends Secret {
+  constructor(name, args, opts) {
+    const secret2 = output4(args.namespace).cluster.apply((cluster) => {
+      return new core4.v1.SecretPatch(name, {
+        metadata: mapMetadata(args, name),
+        data: args.data,
+        stringData: args.stringData,
+        type: args.type,
+        immutable: args.immutable
+      }, {
+        ...opts,
+        parent: this,
+        provider: getProvider(cluster)
+      });
+    });
+    super("highstate:k8s:SecretPatch", name, args, opts, secret2.metadata, output4(args.namespace), secret2.data, secret2.stringData);
+  }
+}
+
+class WrappedSecret extends Secret {
+  constructor(name, args, opts) {
+    super("highstate:k8s:WrappedSecret", name, args, opts, output4(args.secret).metadata, output4(args.namespace), output4(args.secret).data, output4(args.secret).stringData);
+  }
+}
+
+class ExternalSecret extends Secret {
+  constructor(name, args, opts) {
+    const secret2 = output4(args.namespace).cluster.apply(async (cluster) => {
+      const secret3 = core4.v1.Secret.get(name, interpolate2`${output4(args.namespace).metadata.name}/${args.name}`, { ...opts, parent: this, provider: getProvider(cluster) });
+      const namespace = await toPromise4(output4(args.namespace).metadata.name);
+      const resolvedName = await toPromise4(args.name);
+      const metadata = await toPromise4(secret3.metadata);
+      if (!metadata) {
+        throw new Error(`Secret ${resolvedName} in namespace ${namespace} not found`);
+      }
+      return secret3;
+    });
+    super("highstate:k8s:ExternalSecret", name, args, opts, secret2.metadata, output4(args.namespace), secret2.data, secret2.stringData);
+  }
+}
+
+export { images_default, Secret, ClusterAccessScope, Namespace, getProvider, getProviderAsync, getEmbeddedSecretFileContent, getClusterKubeconfigContent, commonExtraArgs, mapMetadata, mapSelectorLikeToSelector, getNamespaceName, mapNamespaceNameToSelector, validateCluster, Resource, NamespacedResource };