@highstate/k8s 0.20.0 → 0.21.1

package/dist/units/dns01-issuer/index.js

@@ -1,10 +1,18 @@
-import { dns01SolverMediator } from '../../chunk-HH2JJELM.js';
-import { getProviderAsync, Namespace, Secret } from '../../chunk-TOLFVF4S.js';
-import '../../chunk-PZYGZSN5.js';
-import { cert_manager } from '@highstate/cert-manager';
-import { k8s, common } from '@highstate/library';
-import { forUnit, makeEntityOutput } from '@highstate/pulumi';
+// @bun
+import {
+  dns01SolverMediator
+} from "../../chunk-de82bbp2.js";
+import {
+  Namespace,
+  Secret,
+  getProviderAsync
+} from "../../chunk-facs31cb.js";
+import"../../chunk-b05q6fm2.js";
 
+// src/units/dns01-issuer/index.ts
+import { cert_manager } from "@highstate/cert-manager";
+import { common, k8s } from "@highstate/library";
+import { forUnit, makeEntityOutput } from "@highstate/pulumi";
 var { name, args, secrets, inputs, outputs } = forUnit(k8s.dns01TlsIssuer);
 var provider = await getProviderAsync(inputs.k8sCluster);
 var certManagerNs = Namespace.get("cert-manager", {
@@ -34,38 +42,34 @@ var getAcmeServer = () => {
       return args.acmeServer.url;
   }
 };
-new cert_manager.v1.ClusterIssuer(
-  name,
-  {
-    metadata: {
-      name
-    },
-    spec: {
-      acme: {
-        server: getAcmeServer(),
-        solvers: [
-          {
-            dns01: dns01SolverMediator.callOutput(inputs.dnsProvider.implRef, {
-              namespace: certManagerNs
-            }),
-            selector: { dnsZones: inputs.dnsProvider.zones }
-          }
-        ],
-        privateKeySecretRef: {
-          name
-        },
-        externalAccountBinding: eabSecret ? {
-          keyID: eabSecret.stringData.keyId,
-          keySecretRef: {
-            name: eabSecret.metadata.name,
-            key: "keySecret"
-          }
-        } : void 0
-      }
-    }
+new cert_manager.v1.ClusterIssuer(name, {
+  metadata: {
+    name
   },
-  { provider }
-);
+  spec: {
+    acme: {
+      server: getAcmeServer(),
+      solvers: [
+        {
+          dns01: dns01SolverMediator.callOutput(inputs.dnsProvider.implRef, {
+            namespace: certManagerNs
+          }),
+          selector: { dnsZones: inputs.dnsProvider.zones }
+        }
+      ],
+      privateKeySecretRef: {
+        name
+      },
+      externalAccountBinding: eabSecret ? {
+        keyID: eabSecret.stringData.keyId,
+        keySecretRef: {
+          name: eabSecret.metadata.name,
+          key: "keySecret"
+        }
+      } : undefined
+    }
+  }
+}, { provider });
 var dns01_issuer_default = outputs({
   tlsIssuer: makeEntityOutput({
     entity: common.tlsIssuerEntity,
@@ -88,7 +92,6 @@ var dns01_issuer_default = outputs({
     zones: inputs.dnsProvider.zones
   }
 });
-
-export { dns01_issuer_default as default };
-//# sourceMappingURL=index.js.map
-//# sourceMappingURL=index.js.map
+export {
+  dns01_issuer_default as default
+};

package/dist/units/existing-cluster/index.js

@@ -1,17 +1,30 @@
-import { detectExternalIps, createK8sTerminal } from '../../chunk-ADHZK6V2.js';
-import '../../chunk-TOLFVF4S.js';
-import '../../chunk-PZYGZSN5.js';
-import { parseAddress, mergeAddresses, parseEndpoints, parseEndpoint, mergeEndpoints, l4EndpointToString, l3EndpointToString } from '@highstate/common';
-import { k8s, common } from '@highstate/library';
-import { forUnit, toPromise, makeEntityOutput } from '@highstate/pulumi';
-import { KubeConfig, AppsV1Api } from '@kubernetes/client-node';
-import { Provider, core } from '@pulumi/kubernetes';
+// @bun
+import {
+  createK8sTerminal,
+  detectExternalIps
+} from "../../chunk-9hs97f1q.js";
+import"../../chunk-facs31cb.js";
+import"../../chunk-b05q6fm2.js";
 
+// src/units/existing-cluster/index.ts
+import {
+  l3EndpointToString,
+  l4EndpointToString,
+  mergeAddresses,
+  mergeEndpoints,
+  parseAddress,
+  parseEndpoint,
+  parseEndpoints
+} from "@highstate/common";
+import { common, k8s } from "@highstate/library";
+import { forUnit, makeEntityOutput, toPromise } from "@highstate/pulumi";
+import { AppsV1Api, KubeConfig } from "@kubernetes/client-node";
+import { core, Provider } from "@pulumi/kubernetes";
 var { name, args, inputs, secrets, outputs } = forUnit(k8s.existingCluster);
 var kubeconfigContent = await toPromise(secrets.kubeconfig.apply(JSON.stringify));
 var provider = new Provider(name, { kubeconfig: kubeconfigContent });
 var networkPolicyImplRef;
-var kubeConfig = new KubeConfig();
+var kubeConfig = new KubeConfig;
 kubeConfig.loadFromString(kubeconfigContent);
 var appsApi = kubeConfig.makeApiClient(AppsV1Api);
 var hasCilium = await appsApi.readNamespacedDaemonSet({ name: "cilium", namespace: "kube-system" }).then(() => true).catch(() => false);
@@ -77,7 +90,6 @@ var existing_cluster_default = outputs({
     apiEndpoints: apiEndpoints.map(l4EndpointToString)
   }
 });
-
-export { existing_cluster_default as default };
-//# sourceMappingURL=index.js.map
-//# sourceMappingURL=index.js.map
+export {
+  existing_cluster_default as default
+};

package/dist/units/gateway-api/index.js

@@ -1,22 +1,21 @@
-import { getProviderAsync } from '../../chunk-TOLFVF4S.js';
-import '../../chunk-PZYGZSN5.js';
-import { k8s } from '@highstate/library';
-import { forUnit } from '@highstate/pulumi';
-import { yaml } from '@pulumi/kubernetes';
+// @bun
+import {
+  getProviderAsync
+} from "../../chunk-facs31cb.js";
+import"../../chunk-b05q6fm2.js";
 
+// src/units/gateway-api/index.ts
+import { k8s } from "@highstate/library";
+import { forUnit } from "@highstate/pulumi";
+import { yaml } from "@pulumi/kubernetes";
 var { inputs, outputs } = forUnit(k8s.gatewayApi);
 var provider = await getProviderAsync(inputs.k8sCluster);
-new yaml.v2.ConfigFile(
-  "gateway-api",
-  {
-    file: "https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/experimental-install.yaml"
-  },
-  { provider }
-);
+new yaml.v2.ConfigFile("gateway-api", {
+  file: "https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/experimental-install.yaml"
+}, { provider });
 var gateway_api_default = outputs({
   k8sCluster: inputs.k8sCluster
 });
-
-export { gateway_api_default as default };
-//# sourceMappingURL=index.js.map
-//# sourceMappingURL=index.js.map
+export {
+  gateway_api_default as default
+};

package/dist/units/reduced-access-cluster/index.js

@@ -1,30 +1,29 @@
-import { createK8sTerminal } from '../../chunk-ADHZK6V2.js';
-import { ClusterAccessScope, Namespace, getClusterKubeconfigContent } from '../../chunk-TOLFVF4S.js';
-import '../../chunk-PZYGZSN5.js';
-import { text, trimIndentation } from '@highstate/contract';
-import { k8s } from '@highstate/library';
-import { forUnit, toPromise, output, interpolate, makeFileOutput, secret } from '@highstate/pulumi';
-import { join } from 'remeda';
+// @bun
+import {
+  createK8sTerminal
+} from "../../chunk-9hs97f1q.js";
+import {
+  ClusterAccessScope,
+  Namespace,
+  getClusterKubeconfigContent
+} from "../../chunk-facs31cb.js";
+import"../../chunk-b05q6fm2.js";
 
+// src/units/reduced-access-cluster/index.ts
+import { text, trimIndentation } from "@highstate/contract";
+import { k8s } from "@highstate/library";
+import { forUnit, interpolate, makeFileOutput, output, secret, toPromise } from "@highstate/pulumi";
+import { join } from "remeda";
 var { args, inputs, outputs } = forUnit(k8s.reducedAccessCluster);
 var resolvedInputs = await toPromise(inputs);
-var accessScope = new ClusterAccessScope(
-  "scope",
-  {
-    namespace: Namespace.for(resolvedInputs.namespace, inputs.k8sCluster),
-    extraNamespaces: resolvedInputs.extraNamespaces.map((ns) => Namespace.for(ns, inputs.k8sCluster)),
-    rules: args.rules,
-    resources: resolvedInputs.resources
-  },
-  {}
-);
-var resourceLines = await toPromise(
-  output(
-    resolvedInputs.resources.map(
-      (r) => r.isNamespaced ? interpolate`- ${r.kind} "${r.metadata.namespace}/${r.metadata.name}"` : interpolate`- ${r.kind} "${r.metadata.name}"`
-    )
-  ).apply(join("\n"))
-);
+var accessScope = new ClusterAccessScope("scope", {
+  namespace: Namespace.for(resolvedInputs.namespace, inputs.k8sCluster),
+  extraNamespaces: resolvedInputs.extraNamespaces.map((ns) => Namespace.for(ns, inputs.k8sCluster)),
+  rules: args.rules,
+  resources: resolvedInputs.resources
+}, {});
+var resourceLines = await toPromise(output(resolvedInputs.resources.map((r) => r.isNamespaced ? interpolate`- ${r.kind} "${r.metadata.namespace}/${r.metadata.name}"` : interpolate`- ${r.kind} "${r.metadata.name}"`)).apply(join(`
+`)));
 var reduced_access_cluster_default = outputs({
   k8sCluster: accessScope.cluster,
   $terminals: [createK8sTerminal(secret(getClusterKubeconfigContent(accessScope.cluster)))],
@@ -59,15 +58,13 @@ var reduced_access_cluster_default = outputs({
         },
         {
           type: "markdown",
-          content: secret(
-            interpolate`
+          content: secret(interpolate`
               You can also copy the following content of the kubeconfig file:
 
               \`\`\`yaml
               ${accessScope.cluster.kubeconfig}
               \`\`\`
-            `.apply(trimIndentation)
-          )
+            `.apply(trimIndentation))
         },
         {
           type: "markdown",
@@ -77,7 +74,6 @@ var reduced_access_cluster_default = outputs({
     }
   }
 });
-
-export { reduced_access_cluster_default as default };
-//# sourceMappingURL=index.js.map
-//# sourceMappingURL=index.js.map
+export {
+  reduced_access_cluster_default as default
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@highstate/k8s",
-  "version": "0.20.0",
+  "version": "0.21.1",
   "type": "module",
   "files": [
     "dist",
@@ -61,11 +61,26 @@
       "stdlib"
     ]
   },
+  "scripts": {
+    "build": "highstate build",
+    "update-charts": "../../../scripts/update-charts.sh ./assets/charts.json",
+    "update-images": "../../../scripts/update-images.sh ./assets/images.json",
+    "generate-crds": "./scripts/generate-crds.sh",
+    "typecheck": "tsgo --noEmit --skipLibCheck",
+    "biome": "biome check --write --unsafe --error-on-warnings",
+    "biome:check": "biome check --error-on-warnings"
+  },
   "dependencies": {
+    "@highstate/cert-manager": "0.20.0",
+    "@highstate/common": "0.20.0",
+    "@highstate/contract": "0.20.0",
+    "@highstate/gateway-api": "0.20.0",
+    "@highstate/library": "0.20.0",
+    "@highstate/pulumi": "0.20.0",
     "@kubernetes/client-node": "^1.1.0",
     "@pulumi/command": "^1.0.2",
     "@pulumi/kubernetes": "^4.18.0",
-    "@pulumi/pulumi": "3.220.0",
+    "@pulumi/pulumi": "3.232.0",
     "crypto-hash": "^3.1.0",
     "deepmerge-ts": "^7.1.5",
     "glob": "^11.0.1",
@@ -73,30 +88,15 @@
     "get-port-please": "^3.1.2",
     "pkg-types": "^2.1.0",
     "remeda": "^2.21.0",
-    "yaml": "^2.8.1",
-    "@highstate/cert-manager": "0.14.0",
-    "@highstate/common": "0.20.0",
-    "@highstate/contract": "0.20.0",
-    "@highstate/gateway-api": "0.14.0",
-    "@highstate/library": "0.20.0",
-    "@highstate/pulumi": "0.20.0"
+    "yaml": "^2.8.1"
   },
   "devDependencies": {
     "@biomejs/biome": "2.2.0",
+    "@highstate/cli": "0.20.0",
     "@typescript/native-preview": "^7.0.0-dev.20250920.1",
-    "type-fest": "^4.41.0",
-    "@highstate/cli": "0.20.0"
+    "type-fest": "^4.41.0"
   },
   "repository": {
     "url": "https://github.com/highstate-io/highstate"
-  },
-  "scripts": {
-    "build": "highstate build",
-    "update-charts": "../../../scripts/update-charts.sh ./assets/charts.json",
-    "update-images": "../../../scripts/update-images.sh ./assets/images.json",
-    "generate-crds": "./scripts/generate-crds.sh",
-    "typecheck": "tsgo --noEmit --skipLibCheck",
-    "biome": "biome check --write --unsafe --error-on-warnings",
-    "biome:check": "biome check --error-on-warnings"
   }
-}
+}

package/src/cron-job.ts

@@ -355,6 +355,31 @@ class CronJobPatch extends CronJob {
       )
     })
 
+    const filteredSpec = output({ spec: cronJob.spec, podTemplate }).apply(
+      ({ spec, podTemplate }) => {
+        const template = spec.jobTemplate?.spec?.template
+        if (!template) {
+          return spec
+        }
+
+        const filteredTemplate = filterPatchOwnedContainersInTemplate(
+          template as Unwrap<types.input.core.v1.PodTemplateSpec>,
+          podTemplate,
+        ) as types.output.core.v1.PodTemplateSpec
+
+        return {
+          ...spec,
+          jobTemplate: {
+            ...spec.jobTemplate,
+            spec: {
+              ...spec.jobTemplate.spec,
+              template: filteredTemplate,
+            },
+          },
+        }
+      },
+    ) as Output<types.output.batch.v1.CronJobSpec>
+
     super(
       "highstate:k8s:CronJobPatch",
       name,
@@ -365,7 +390,7 @@ class CronJobPatch extends CronJob {
       output(args.terminal ?? {}),
       containers,
       networkPolicy,
-      cronJob.spec,
+      filteredSpec,
       cronJob.status,
     )
   }

package/src/deployment.ts

@@ -332,6 +332,22 @@ class DeploymentPatch extends Deployment {
       )
     })
 
+    const filteredSpec = output({ spec: deployment.spec, podTemplate }).apply(
+      ({ spec, podTemplate }) => {
+        if (!spec.template) {
+          return spec
+        }
+
+        return {
+          ...spec,
+          template: filterPatchOwnedContainersInTemplate(
+            spec.template as Unwrap<types.input.core.v1.PodTemplateSpec>,
+            podTemplate,
+          ) as types.output.core.v1.PodTemplateSpec,
+        }
+      },
+    ) as Output<types.output.apps.v1.DeploymentSpec>
+
     super(
       "highstate:k8s:DeploymentPatch",
       name,
@@ -347,7 +363,7 @@ class DeploymentPatch extends Deployment {
       service,
       routes,
 
-      deployment.spec,
+      filteredSpec,
       deployment.status,
     )
   }

package/src/job.ts

@@ -326,6 +326,20 @@ class JobPatch extends Job {
       )
     })
 
+    const filteredSpec = output({ spec: job.spec, podTemplate }).apply(({ spec, podTemplate }) => {
+      if (!spec.template) {
+        return spec
+      }
+
+      return {
+        ...spec,
+        template: filterPatchOwnedContainersInTemplate(
+          spec.template as Unwrap<types.input.core.v1.PodTemplateSpec>,
+          podTemplate,
+        ) as types.output.core.v1.PodTemplateSpec,
+      }
+    }) as Output<types.output.batch.v1.JobSpec>
+
     super(
       "highstate:k8s:JobPatch",
       name,
@@ -336,7 +350,7 @@ class JobPatch extends Job {
       output(args.terminal ?? {}),
       containers,
       networkPolicy,
-      job.spec,
+      filteredSpec,
       job.status,
     )
 

package/src/scripting/bundle.ts

@@ -12,14 +12,10 @@ import {
   output,
   type Unwrap,
 } from "@pulumi/pulumi"
-import { serializeFunction } from "@pulumi/pulumi/runtime/index.js"
 import { deepmerge } from "deepmerge-ts"
-import { readPackageJSON } from "pkg-types"
-import { mapValues, omitBy } from "remeda"
 import { ConfigMap } from "../config-map"
 import {
   emptyScriptEnvironment,
-  functionScriptImages,
   type ResolvedScriptEnvironment,
   type ScriptDistribution,
   type ScriptEnvironment,
@@ -87,35 +83,19 @@ export class ScriptBundle extends ComponentResource {
       Unwrap<ResolvedScriptEnvironment>
     >
 
-    const hasFunctionScripts = scriptEnvironment.apply(scriptEnvironment => {
-      return Object.values(scriptEnvironment.files).some(file => typeof file === "function")
-    })
-
     this.distribution = args.distribution
     this.environment = scriptEnvironment.environment
 
-    this.image = hasFunctionScripts.apply(hasFunctionScripts =>
-      output(
-        hasFunctionScripts
-          ? functionScriptImages[args.distribution]
-          : scriptEnvironment[args.distribution].image,
-      ),
-    )
+    this.image = scriptEnvironment[args.distribution].image
 
-    this.allowedEndpoints = output({ scriptEnvironment, hasFunctionScripts }).apply(
-      ({ scriptEnvironment, hasFunctionScripts }) => {
-        const allowedEndpoints = [
-          ...scriptEnvironment.allowedEndpoints,
-          ...scriptEnvironment[args.distribution].allowedEndpoints,
-        ]
-
-        if (hasFunctionScripts) {
-          allowedEndpoints.push("tcp://registry.npmjs.org:443")
-        }
+    this.allowedEndpoints = scriptEnvironment.apply(scriptEnvironment => {
+      const allowedEndpoints = [
+        ...scriptEnvironment.allowedEndpoints,
+        ...scriptEnvironment[args.distribution].allowedEndpoints,
+      ]
 
-        return allowedEndpoints.map(endpoint => parseEndpoint(endpoint))
-      },
-    )
+      return allowedEndpoints.map(endpoint => parseEndpoint(endpoint))
+    })
 
     this.configMap = output({ scriptEnvironment, args }).apply(({ scriptEnvironment, args }) => {
       return ConfigMap.create(
@@ -129,49 +109,32 @@ export class ScriptBundle extends ComponentResource {
       )
     })
 
-    this.volumes = output({ hasFunctionScripts, volumes: scriptEnvironment.volumes }).apply(
-      ({ hasFunctionScripts, volumes }) => {
-        return [
-          ...volumes,
-          {
-            name: this.configMap.metadata.name,
+    this.volumes = scriptEnvironment.volumes.apply(volumes => {
+      return [
+        ...volumes,
+        {
+          name: this.configMap.metadata.name,
 
-            configMap: {
-              name: this.configMap.metadata.name,
-              defaultMode: 0o550, // read and execute permissions
-            },
+          configMap: {
+            name: this.configMap.metadata.name,
+            defaultMode: 0o550, // read and execute permissions
           },
-          ...(hasFunctionScripts ? [{ name: "node-modules", emptyDir: {} }] : []),
-        ]
-      },
-    )
+        },
+      ]
+    })
 
-    this.volumeMounts = output({
-      hasFunctionScripts,
-      volumeMounts: scriptEnvironment.volumeMounts,
-    }).apply(({ hasFunctionScripts, volumeMounts }) => {
+    this.volumeMounts = scriptEnvironment.volumeMounts.apply(volumeMounts => {
       return [
         ...volumeMounts,
         {
           volume: this.configMap,
           mountPath: "/scripts",
         },
-        ...(hasFunctionScripts
-          ? [{ name: "node-modules", mountPath: "/scripts/node_modules" }]
-          : []),
       ]
     })
   }
 }
 
-function stripWorkspacePrefix(value: string): string {
-  if (value.startsWith("workspace:")) {
-    return value.replace("workspace:", "")
-  }
-
-  return value
-}
-
 async function createScriptData(
   distribution: ScriptDistribution,
   environment: Unwrap<ResolvedScriptEnvironment>,
@@ -182,48 +145,8 @@ async function createScriptData(
   const distributionEnvironment = environment[distribution]
   const setupScripts = { ...environment.setupScripts }
 
-  let hasFunctionScripts = false
-
   for (const key in environment.files) {
-    if (typeof environment.files[key] === "function") {
-      const serialized = await serializeFunction(environment.files[key])
-
-      scriptData[key] = text`
-        #!/usr/local/bin/bun
-        
-        ${serialized.text}
-
-        exports.${serialized.exportName}()
-      `
-
-      hasFunctionScripts = true
-    } else {
-      scriptData[key] = environment.files[key]
-    }
-  }
-
-  if (hasFunctionScripts) {
-    const packageJson = await readPackageJSON()
-
-    packageJson.dependencies = omitBy(
-      mapValues(packageJson.dependencies ?? {}, stripWorkspacePrefix),
-      (_, key) => key.startsWith("@highstate/"),
-    )
-
-    packageJson.devDependencies = omitBy(
-      mapValues(packageJson.devDependencies ?? {}, stripWorkspacePrefix),
-      (_, key) => key.startsWith("@highstate/"),
-    )
-
-    scriptData["package.json"] = JSON.stringify(packageJson, null, 2)
-
-    setupScripts["resolve-dependencies.sh"] = text`
-      #!/usr/local/bin/bun
-      set -e
-
-      cd /scripts
-      bun install --production
-    `
+    scriptData[key] = environment.files[key]
   }
 
   if (distributionEnvironment.preInstallPackages.length > 0) {

package/src/scripting/environment.ts

@@ -1,7 +1,7 @@
 import type { InputEndpoint } from "@highstate/common"
 import type { Input, InputArray, InputRecord } from "@highstate/pulumi"
 import type { ContainerEnvironment, ContainerVolumeMount, WorkloadVolume } from "../container"
-import { images } from ".."
+import images from "../../assets/images.json"
 
 export type ScriptDistribution = "alpine" | "ubuntu"
 
@@ -39,8 +39,6 @@ export type DistributionEnvironment = {
   allowedEndpoints?: InputArray<InputEndpoint>
 }
 
-export type ScriptProgram = () => unknown
-
 export type ScriptEnvironment = {
   [distribution in ScriptDistribution]?: DistributionEnvironment
 } & {
@@ -57,7 +55,7 @@ export type ScriptEnvironment = {
   /**
    * The arbitrary files available in the environment including scripts.
    */
-  files?: InputRecord<string | ScriptProgram>
+  files?: InputRecord<string>
 
   /**
    * The volumes that should be defined in the environment.
@@ -123,8 +121,3 @@ export const emptyScriptEnvironment: ResolvedScriptEnvironment = {
   environment: {},
   allowedEndpoints: [],
 }
-
-export const functionScriptImages: Record<ScriptDistribution, string> = {
-  alpine: "oven/bun@sha256:6b14922b0885c3890cdb0b396090af1da486ba941df5ee94391eef64f7113c61",
-  ubuntu: "oven/bun@sha256:66b431441dc4c36d7e8164bfc61e6348ec1d7ce2862fc3a29f5dc9856e8205e4",
-}

package/src/shared.ts

@@ -12,7 +12,7 @@ import {
   type Unwrap,
 } from "@highstate/pulumi"
 import { core, Provider, type types } from "@pulumi/kubernetes"
-import * as images from "../assets/images.json"
+import images from "../assets/images.json"
 import { Namespace } from "./namespace"
 
 const providers = new Map<`${string}.${string}`, Provider>()