@highstate/k8s 0.7.0 → 0.7.1

package/dist/index.js

@@ -1,14 +1,16 @@
-import { m as mapMetadata, c as commonExtraArgs, a as mapSelectorLikeToSelector, b as mapNamespaceNameToSelector, d as mapNamespaceLikeToNamespaceName } from './shared-r5jBysdR.js';
-export { f as createNamespace, e as createProvider } from './shared-r5jBysdR.js';
-import { normalize, output, ComponentResource, toPromise, apply } from '@highstate/pulumi';
+import { m as mapMetadata, c as commonExtraArgs, v as verifyProvider, r as resourceIdToString, a as mapSelectorLikeToSelector, b as mapNamespaceNameToSelector, d as mapNamespaceLikeToNamespaceName, g as getAppDisplayName, e as getAppName } from './shared-Clzbl5K-.js';
+export { h as createNamespace, f as createProvider, i as getNamespace } from './shared-Clzbl5K-.js';
+import { ComponentResource, output, normalize, toPromise, apply } from '@highstate/pulumi';
 import { core, apps, networking, batch } from '@pulumi/kubernetes';
-import { concat, map, omit, mergeDeep, capitalize, flat, merge, pipe } from 'remeda';
-import { S as Service, m as mapContainerPortToServicePort, H as HttpRoute, a as mapServiceToLabelSelector } from './helm-BV9UE-B8.js';
-export { C as Chart, R as RenderedChart, c as getChartService, b as getChartServiceOutput, g as getServiceHost, r as resolveHelmChart } from './helm-BV9UE-B8.js';
+import { omit, concat, map, uniqueBy, capitalize, mergeDeep, flat, merge, pipe } from 'remeda';
+import { deepmerge } from 'deepmerge-ts';
+import { output as output$1, ComponentResource as ComponentResource$1 } from '@pulumi/pulumi';
+import { S as Service, m as mapContainerPortToServicePort, H as HttpRoute, a as mapServiceToLabelSelector } from './helm-wPTgVV1N.js';
+export { C as Chart, R as RenderedChart, b as getChartService, g as getChartServiceOutput, r as resolveHelmChart } from './helm-wPTgVV1N.js';
+import { parseDomain, ParseResultType } from 'parse-domain';
+import '@highstate/library';
 import { DnsRecord } from '@highstate/common';
 import { gateway } from '@highstate/gateway-api';
-import { ComponentResource as ComponentResource$1, output as output$1 } from '@pulumi/pulumi';
-import { deepmerge } from 'deepmerge-ts';
 import { trimIndentation, text } from '@highstate/contract';
 import 'path';
 import 'node:fs/promises';
@@ -17,6 +19,95 @@ import 'crypto-hash';
 import '@pulumi/command';
 import 'glob';
 
+const extraPersistentVolumeClaimArgs = [...commonExtraArgs, "size", "cluster"];
+class PersistentVolumeClaim extends ComponentResource {
+  constructor(type, name, args, opts, clusterInfo, metadata, spec, status) {
+    super(type, name, args, opts);
+    this.clusterInfo = clusterInfo;
+    this.metadata = metadata;
+    this.spec = spec;
+    this.status = status;
+  }
+  /**
+   * The Highstate service entity.
+   */
+  get entity() {
+    return output({
+      type: "k8s.persistent-volume-claim",
+      clusterInfo: this.clusterInfo,
+      metadata: this.metadata
+    });
+  }
+  static create(name, args, opts) {
+    return new CreatedPersistentVolumeClaim(name, args, opts);
+  }
+  static of(name, entity, opts) {
+    return new ExternalPersistentVolumeClaim(
+      name,
+      output(entity).metadata,
+      output(entity).clusterInfo,
+      opts
+    );
+  }
+}
+class CreatedPersistentVolumeClaim extends PersistentVolumeClaim {
+  constructor(name, args, opts) {
+    const pvc = output(args).apply((args2) => {
+      return new core.v1.PersistentVolumeClaim(
+        name,
+        {
+          metadata: mapMetadata(args2, name),
+          spec: deepmerge(
+            {
+              accessModes: ["ReadWriteOnce"],
+              resources: {
+                requests: {
+                  storage: args2.size ?? "100Mi"
+                }
+              }
+            },
+            omit(args2, extraPersistentVolumeClaimArgs)
+          )
+        },
+        opts
+      );
+    });
+    super(
+      "k8s:PersistentVolumeClaim",
+      name,
+      args,
+      opts,
+      output(args.cluster).info,
+      pvc.metadata,
+      pvc.spec,
+      pvc.status
+    );
+  }
+}
+class ExternalPersistentVolumeClaim extends PersistentVolumeClaim {
+  constructor(name, id, clusterInfo, opts) {
+    const pvc = output(id).apply(async (id2) => {
+      await verifyProvider(opts.provider, this.clusterInfo);
+      return core.v1.PersistentVolumeClaim.get(
+        //
+        name,
+        resourceIdToString(id2),
+        { parent: this, provider: opts.provider }
+      );
+    });
+    super(
+      "highstate:k8s:ExternalPersistentVolumeClaim",
+      name,
+      { id, clusterInfo },
+      opts,
+      output(clusterInfo),
+      pvc.metadata,
+      pvc.spec,
+      pvc.status
+    );
+  }
+}
+
 const containerExtraArgs = [
   "port",
   "volumeMount",
@@ -25,10 +116,11 @@ const containerExtraArgs = [
   "environmentSource",
   "environmentSources"
 ];
-function mapContainerToRaw(fallbackName, container) {
+function mapContainerToRaw(container, fallbackName) {
+  const containerName = container.name ?? fallbackName;
   return {
     ...omit(container, containerExtraArgs),
-    name: container.name ?? fallbackName,
+    name: containerName,
     ports: normalize(container.port, container.ports),
     volumeMounts: map(normalize(container.volumeMount, container.volumeMounts), mapVolumeMount),
     env: concat(
@@ -92,7 +184,10 @@ function mapVolumeMount(volumeMount) {
       ["volume"]
     );
   }
-  return volumeMount;
+  return {
+    ...volumeMount,
+    name: volumeMount.name
+  };
 }
 function mapEnvironmentSource(envFrom) {
   if (envFrom instanceof core.v1.ConfigMap) {
@@ -112,6 +207,14 @@ function mapEnvironmentSource(envFrom) {
   return envFrom;
 }
 function mapWorkloadVolume(volume) {
+  if (volume instanceof PersistentVolumeClaim) {
+    return {
+      name: volume.metadata.name,
+      persistentVolumeClaim: {
+        claimName: volume.metadata.name
+      }
+    };
+  }
   if (volume instanceof core.v1.PersistentVolumeClaim) {
     return {
       name: volume.metadata.name,
@@ -139,177 +242,272 @@ function mapWorkloadVolume(volume) {
   return volume;
 }
 
-const deploymentExtraArgs = [
-  ...commonExtraArgs,
-  "container",
-  "containers",
-  "service",
-  "httpRoute"
-];
+const workloadExtraArgs = [...commonExtraArgs, "container", "containers"];
+const publicWorkloadExtraArgs = [...workloadExtraArgs, "service", "httpRoute"];
+function getWorkloadComponents(name, args) {
+  const labels = {
+    "app.kubernetes.io/name": name
+  };
+  const containers = output$1(args).apply((args2) => normalize(args2.container, args2.containers));
+  const volumes = containers.apply((containers2) => {
+    const containerVolumes = containers2.flatMap((container) => normalize(container.volume, container.volumes)).map(mapWorkloadVolume);
+    const containerVolumeMounts = containers2.flatMap((container) => {
+      return normalize(container.volumeMount, container.volumeMounts).map((volumeMount) => {
+        return "volume" in volumeMount ? volumeMount.volume : void 0;
+      }).filter(Boolean);
+    }).map(mapWorkloadVolume);
+    return uniqueBy([...containerVolumes, ...containerVolumeMounts], (volume) => volume.name);
+  });
+  return { labels, containers, volumes };
+}
+function getPublicWorkloadComponents(name, args, parent, opts) {
+  const { labels, containers, volumes } = getWorkloadComponents(name, args);
+  const service = output$1({ args, containers }).apply(({ args: args2, containers: containers2 }) => {
+    if (!args2.service && !args2.httpRoute) {
+      return void 0;
+    }
+    if (args2.patch?.service) {
+      return Service.of(name, args2.patch.service, { parent: parent(), ...opts });
+    }
+    if (args2.patch) {
+      return void 0;
+    }
+    const ports = containers2.flatMap((container) => normalize(container.port, container.ports));
+    return Service.create(
+      name,
+      {
+        ...args2.service,
+        selector: labels,
+        cluster: args2.cluster,
+        namespace: args2.namespace,
+        ports: (
+          // allow to completely override the ports
+          !args2.service?.port && !args2.service?.ports ? ports.map(mapContainerPortToServicePort) : args2.service?.ports
+        )
+      },
+      { parent: parent(), ...opts }
+    );
+  });
+  const httpRoute = output$1({
+    args,
+    service
+  }).apply(({ args: args2, service: service2 }) => {
+    if (!args2.httpRoute || !service2) {
+      return void 0;
+    }
+    if (args2.patch) {
+      return void 0;
+    }
+    return new HttpRoute(
+      name,
+      {
+        ...args2.httpRoute,
+        rule: {
+          backend: service2
+        }
+      },
+      { parent: parent(), ...opts }
+    );
+  });
+  return { labels, containers, volumes, service, httpRoute };
+}
+
 class Deployment extends ComponentResource {
+  constructor(type, name, args, opts, clusterInfo, metadata, spec, status, _service, _httpRoute, resources) {
+    super(type, name, args, opts);
+    this.clusterInfo = clusterInfo;
+    this.metadata = metadata;
+    this.spec = spec;
+    this.status = status;
+    this._service = _service;
+    this._httpRoute = _httpRoute;
+    this.resources = resources;
+  }
   /**
-   * The underlying Kubernetes deployment.
+   * The Highstate deployment entity.
    */
-  deployment;
+  get entity() {
+    return output({
+      type: "k8s.deployment",
+      clusterInfo: this.clusterInfo,
+      metadata: this.metadata,
+      spec: this.spec,
+      service: this._service.apply((service) => service?.entity)
+    });
+  }
   /**
    * The service associated with the deployment.
    */
-  service;
+  get service() {
+    return this._service.apply((service) => {
+      if (!service) {
+        throw new Error("The service is not available.");
+      }
+      return service;
+    });
+  }
   /**
    * The HTTP route associated with the deployment.
    */
-  httpRoute;
+  get httpRoute() {
+    return this._httpRoute.apply((httpRoute) => {
+      if (!httpRoute) {
+        throw new Error("The HTTP route is not available.");
+      }
+      return httpRoute;
+    });
+  }
+  static create(name, args, opts) {
+    return new CreatedDeployment(name, args, opts);
+  }
+}
+class CreatedDeployment extends Deployment {
   constructor(name, args, opts) {
-    super("highstate:k8s:Deployment", name, args, opts);
-    const labels = {
-      "app.kubernetes.io/name": name
-    };
-    this.deployment = output(args).apply((args2) => {
-      const containers = normalize(args2.container, args2.containers);
-      return new apps.v1.Deployment(
-        name,
-        {
-          metadata: mapMetadata(args2, name),
-          spec: mergeDeep(
-            {
-              template: {
-                metadata: {
-                  labels
+    const { labels, containers, volumes, service, httpRoute } = getPublicWorkloadComponents(
+      name,
+      args,
+      () => this,
+      opts
+    );
+    const deployment = output({ args, containers, volumes }).apply(
+      async ({ args: args2, containers: containers2, volumes: volumes2 }) => {
+        await verifyProvider(opts.provider, args2.cluster.info);
+        return new (args2.patch ? apps.v1.DeploymentPatch : apps.v1.Deployment)(
+          name,
+          {
+            metadata: mapMetadata(args2.patch?.metadata ?? args2, name),
+            spec: deepmerge(
+              {
+                template: {
+                  metadata: {
+                    labels
+                  },
+                  spec: {
+                    containers: containers2.map((container) => mapContainerToRaw(container, name)),
+                    volumes: volumes2
+                  }
                 },
-                spec: {
-                  containers: containers.map((container) => mapContainerToRaw(name, container)),
-                  volumes: containers.flatMap((container) => normalize(container.volume, container.volumes)).map(mapWorkloadVolume)
+                selector: {
+                  matchLabels: labels
                 }
               },
-              selector: {
-                matchLabels: labels
-              }
-            },
-            omit(args2, deploymentExtraArgs)
-          )
-        },
-        {
-          ...opts,
-          parent: this
-        }
-      );
-    });
-    this.service = output({
-      args: args.service,
-      httpRouteArgs: args.httpRoute,
-      namespace: this.deployment.metadata.namespace,
-      containers: this.deployment.spec.template.spec.containers
-    }).apply(({ args: args2, httpRouteArgs, namespace, containers }) => {
-      if (!args2 && !httpRouteArgs) {
-        return void 0;
-      }
-      const ports = containers.flatMap((container) => container.ports ?? []);
-      return new Service(
-        args2?.name ?? name,
-        {
-          ...args2,
-          namespace,
-          ports: (
-            // allow to completely override the ports
-            !args2?.port && !args2?.ports ? ports.map(mapContainerPortToServicePort) : args2?.ports
-          ),
-          selector: labels
-        },
-        {
-          ...opts,
-          parent: this
-        }
-      );
-    });
-    this.httpRoute = output({
-      args: args.httpRoute,
-      service: this.service
-    }).apply(({ args: args2, service }) => {
-      if (!args2 || !service) {
-        return void 0;
-      }
-      return new HttpRoute(
-        name,
-        {
-          ...args2,
-          rule: {
-            backend: service.service
-          }
-        },
-        { ...opts, parent: this }
-      );
-    });
-    this.registerOutputs({
-      deployment: this.deployment,
-      service: this.service
-    });
-  }
-  getRequiredService() {
-    return this.service.apply((service) => {
-      if (!service) {
-        throw new Error("The service is not available for this deployment.");
+              omit(args2, publicWorkloadExtraArgs)
+            )
+          },
+          { parent: this, ...opts }
+        );
       }
-      return service;
-    });
+    );
+    super(
+      "highstate:k8s:Deployment",
+      name,
+      args,
+      opts,
+      output(args.cluster).info,
+      deployment.metadata,
+      deployment.spec,
+      deployment.status,
+      service,
+      httpRoute,
+      [deployment]
+    );
   }
 }
 
-function mapPersistentVolumeClaimToRaw(args) {
-  return {
-    metadata: mapMetadata(args),
-    spec: args
-  };
-}
-
 class StatefulSet extends ComponentResource {
+  constructor(type, name, args, opts, clusterInfo, metadata, spec, status, _service, _httpRoute) {
+    super(type, name, args, opts);
+    this.clusterInfo = clusterInfo;
+    this.metadata = metadata;
+    this.spec = spec;
+    this.status = status;
+    this._service = _service;
+    this._httpRoute = _httpRoute;
+  }
   /**
-   * The underlying Kubernetes stateful set.
+   * The Highstate stateful set entity.
    */
-  statefulSet;
+  get entity() {
+    return output({
+      type: "k8s.stateful-set",
+      clusterInfo: this.clusterInfo,
+      metadata: this.metadata,
+      service: this.service.entity
+    });
+  }
   /**
    * The service associated with the stateful set.
    */
-  service;
-  constructor(name, args, opts) {
-    super("highstate:k8s:StatefulSet", name, args, opts);
-    const labels = {
-      "app.kubernetes.io/name": name
-    };
-    this.service = output(args.service).apply((service) => {
-      return new Service(
-        service?.name ?? name,
-        {
-          ...service,
-          clusterIP: "None"
-        },
-        { ...opts, parent: this }
-      );
-    });
-    this.statefulSet = output(args).apply((args2) => {
-      return new apps.v1.StatefulSet(name, {
-        metadata: mapMetadata(args2),
-        spec: mergeDeep(args2, {
-          serviceName: this.service.service.metadata.name,
-          template: {
-            metadata: {
-              labels
-            },
-            spec: {
-              containers: normalize(args2.container, args2.containers).map((container) => mapContainerToRaw(name, container))
-            }
-          },
-          selector: {
-            matchLabels: labels
-          },
-          volumeClaimTemplates: normalize(args2.volumeClaim, args2.volumeClaims).map(mapPersistentVolumeClaimToRaw)
-        })
-      });
+  get service() {
+    return this._service.apply((service) => {
+      if (!service) {
+        throw new Error("The service is not available.");
+      }
+      return service;
     });
-    this.registerOutputs({
-      statefulSet: this.statefulSet,
-      service: this.service
+  }
+  /**
+   * The HTTP route associated with the stateful set.
+   */
+  get httpRoute() {
+    return this._httpRoute.apply((httpRoute) => {
+      if (!httpRoute) {
+        throw new Error("The HTTP route is not available.");
+      }
+      return httpRoute;
     });
   }
+  static create(name, args, opts) {
+    return new CreatedStatefulSet(name, args, opts);
+  }
+}
+class CreatedStatefulSet extends StatefulSet {
+  constructor(name, args, opts) {
+    const { containers, volumes, labels, service, httpRoute } = getPublicWorkloadComponents(
+      name,
+      args,
+      () => this,
+      opts
+    );
+    const statefulSet = output({ args, containers, volumes, service }).apply(
+      async ({ args: args2, containers: containers2, volumes: volumes2, service: service2 }) => {
+        await verifyProvider(opts.provider, args2.cluster?.info);
+        return new (args2.patch ? apps.v1.StatefulSetPatch : apps.v1.StatefulSet)(
+          name,
+          {
+            metadata: mapMetadata(args2.patch?.metadata ?? args2, name),
+            spec: deepmerge(
+              {
+                serviceName: service2?.metadata.name || name,
+                template: {
+                  metadata: !args2.patch ? { labels } : void 0,
+                  spec: {
+                    containers: containers2.map((container) => mapContainerToRaw(container, name)),
+                    volumes: volumes2
+                  }
+                },
+                selector: !args2.patch ? { matchLabels: labels } : void 0
+              },
+              omit(args2, publicWorkloadExtraArgs)
+            )
+          },
+          { parent: this, ...opts }
+        );
+      }
+    );
+    super(
+      "highstate:k8s:StatefulSet",
+      name,
+      args,
+      opts,
+      output(args.cluster).info,
+      statefulSet.metadata,
+      statefulSet.spec,
+      statefulSet.status,
+      service,
+      httpRoute
+    );
+  }
 }
 
 class NetworkPolicy extends ComponentResource {
@@ -322,11 +520,28 @@ class NetworkPolicy extends ComponentResource {
     const normalizedArgs = output(args).apply((args2) => {
       const ingressRules = normalize(args2.ingressRule, args2.ingressRules);
       const egressRules = normalize(args2.egressRule, args2.egressRules);
+      const endpoints = normalize(args2.egressRule?.toEndpoint, args2.egressRule?.toEndpoints);
+      const parsedEndpoints = endpoints.map((endpoint) => parseDomain(endpoint));
+      const cidrsFromEndpoints = parsedEndpoints.filter((result) => result.type === ParseResultType.Ip).map((result) => NetworkPolicy.mapCidrFromEndpoint(result));
+      const fqdnsFromEndpoints = parsedEndpoints.filter((result) => result.type !== ParseResultType.Invalid).map((result) => result.hostname);
+      const extraEgressRules = [];
+      if (args2.allowKubeDns) {
+        extraEgressRules.push({
+          namespaces: ["kube-system"],
+          selectors: [{ matchLabels: { "k8s-app": "kube-dns" } }],
+          ports: [{ port: 53, protocol: "UDP" }],
+          all: false,
+          cidrs: [],
+          fqdns: [],
+          services: []
+        });
+      }
       return {
         ...args2,
         podSelector: args2.selector ? mapSelectorLikeToSelector(args2.selector) : {},
         isolateEgress: args2.isolateEgress ?? false,
         isolateIngress: args2.isolateIngress ?? false,
+        allowKubeApiServer: args2.allowKubeApiServer ?? false,
         ingressRules: ingressRules.map((rule) => ({
           all: rule.fromAll ?? false,
           cidrs: normalize(rule.fromCidr, rule.fromCidrs),
@@ -336,15 +551,17 @@ class NetworkPolicy extends ComponentResource {
           selectors: normalize(rule.fromSelector, rule.fromSelectors),
           ports: normalize(rule.toPort, rule.toPorts)
         })),
-        egressRules: egressRules.map((rule) => ({
-          all: rule.toAll ?? false,
-          cidrs: normalize(rule.toCidr, rule.toCidrs),
-          fqdns: normalize(rule.toFqdn, rule.toFqdns),
-          services: normalize(rule.toService, rule.toServices),
-          namespaces: normalize(rule.toNamespace, rule.toNamespaces),
-          selectors: normalize(rule.toSelector, rule.toSelectors),
-          ports: normalize(rule.toPort, rule.toPorts)
-        }))
+        egressRules: egressRules.map((rule) => {
+          return {
+            all: rule.toAll ?? false,
+            cidrs: normalize(rule.toCidr, rule.toCidrs).concat(cidrsFromEndpoints),
+            fqdns: normalize(rule.toFqdn, rule.toFqdns).concat(fqdnsFromEndpoints),
+            services: normalize(rule.toService, rule.toServices),
+            namespaces: normalize(rule.toNamespace, rule.toNamespaces),
+            selectors: normalize(rule.toSelector, rule.toSelectors),
+            ports: normalize(rule.toPort, rule.toPorts)
+          };
+        }).concat(extraEgressRules)
       };
     });
     this.networkPolicy = normalizedArgs.apply((args2) => {
@@ -354,9 +571,16 @@ class NetworkPolicy extends ComponentResource {
     });
     this.registerOutputs({ networkPolicy: this.networkPolicy });
   }
+  static mapCidrFromEndpoint(result) {
+    if (result.ipVersion === 4) {
+      return `${result.hostname}/32`;
+    }
+    return `${result.hostname}/128`;
+  }
+  static supportedCNIs = ["cilium"];
   static create(name, args, opts) {
     return output(args).apply(async (args2) => {
-      if (!args2.cni || args2.cni === "unknown") {
+      if (!args2.cni || !NetworkPolicy.supportedCNIs.includes(args2.cni)) {
         return new NativeNetworkPolicy(name, args2, opts);
       }
       const implName = `${capitalize(args2.cni)}NetworkPolicy`;
@@ -368,6 +592,56 @@ class NetworkPolicy extends ComponentResource {
       return new implClass(name, args2, opts);
     });
   }
+  static allowInsideNamespace(namespace, k8sCluster, opts) {
+    return NetworkPolicy.create(
+      "allow-inside-namespace",
+      {
+        namespace,
+        cni: output(k8sCluster).info.cni,
+        description: "Allow all traffic inside the namespace.",
+        selector: {},
+        ingressRule: { fromNamespace: namespace },
+        egressRule: { toNamespace: namespace }
+      },
+      opts
+    );
+  }
+  static allowKubeApiServer(namespace, k8sCluster, opts) {
+    return NetworkPolicy.create(
+      "allow-kube-api-server",
+      {
+        namespace,
+        cni: output(k8sCluster).info.cni,
+        description: "Allow all traffic to the Kubernetes API server from the namespace.",
+        allowKubeApiServer: true
+      },
+      opts
+    );
+  }
+  static allowKubeDns(namespace, k8sCluster, opts) {
+    return NetworkPolicy.create(
+      "allow-kube-dns",
+      {
+        namespace,
+        cni: output(k8sCluster).info.cni,
+        description: "Allow all traffic to the Kubernetes DNS server from the namespace.",
+        allowKubeDns: true
+      },
+      opts
+    );
+  }
+  static allowAllEgress(namespace, k8sCluster, opts) {
+    return NetworkPolicy.create(
+      "allow-all-egress",
+      {
+        namespace,
+        cni: output(k8sCluster).info.cni,
+        description: "Allow all egress traffic from the namespace.",
+        egressRule: { toAll: true }
+      },
+      opts
+    );
+  }
 }
 class NativeNetworkPolicy extends NetworkPolicy {
   create(name, args, opts) {
@@ -411,10 +685,16 @@ class NativeNetworkPolicy extends NetworkPolicy {
     if (needFallback) {
       return [{ to: [{ ipBlock: NativeNetworkPolicy.fallbackIpBlock }] }];
     }
-    return args.egressRules.map((rule) => ({
-      to: rule.all ? void 0 : NativeNetworkPolicy.createRulePeers(rule),
-      ports: NativeNetworkPolicy.mapPorts(rule.ports)
-    }));
+    const extraRules = [];
+    if (args.allowKubeApiServer) {
+      extraRules.push({ to: [{ ipBlock: { cidr: "10.96.0.1" } }] });
+    }
+    return args.egressRules.map((rule) => {
+      return {
+        to: rule.all ? void 0 : NativeNetworkPolicy.createRulePeers(rule),
+        ports: NativeNetworkPolicy.mapPorts(rule.ports)
+      };
+    }).concat(extraRules);
   }
   static createRulePeers(args) {
     return [
@@ -475,28 +755,80 @@ class NativeNetworkPolicy extends NetworkPolicy {
 }
 
 function useAccessPoint(args) {
-  const result = output(args).apply((args2) => {
-    const gateway2 = createGateway({
-      ...args2,
-      annotations: {
-        "cert-manager.io/cluster-issuer": args2.accessPoint.tlsIssuer.clusterIssuerName
-      },
-      gateway: args2.accessPoint.gateway
-    });
-    const dnsRecord = DnsRecord.create(args2.fqdn, {
-      provider: args2.accessPoint.dnsProvider,
-      type: "A",
-      value: args2.accessPoint.gateway.ip
-    });
-    return output({
-      gateway: gateway2,
-      dnsRecord
-    });
-  });
+  const result = output({ args, namespaceName: output(args.namespace).metadata.name }).apply(
+    ({ args: args2, namespaceName }) => {
+      const gateway2 = createGateway({
+        ...args2,
+        annotations: {
+          "cert-manager.io/cluster-issuer": args2.accessPoint.tlsIssuer.clusterIssuerName
+        },
+        gateway: args2.accessPoint.gateway
+      });
+      const dnsRecords = normalize(args2.fqdn, args2.fqdns).map((fqdn) => {
+        return DnsRecord.create(fqdn, {
+          provider: args2.accessPoint.dnsProvider,
+          type: "A",
+          value: args2.accessPoint.gateway.ip
+        });
+      });
+      const networkPolicies = [];
+      if (args2.accessPoint.gateway.service) {
+        const displayName = getAppDisplayName(args2.accessPoint.gateway.service.metadata);
+        networkPolicies.push(
+          NetworkPolicy.create(
+            `allow-ingress-from-${getAppName(args2.accessPoint.gateway.service.metadata)}`,
+            {
+              cni: args2.accessPoint.gateway.service.clusterInfo.cni,
+              namespace: args2.namespace,
+              description: `Allow ingress traffic from the gateway "${displayName}".`,
+              ingressRule: {
+                fromNamespace: args2.accessPoint.gateway.service.metadata.namespace,
+                fromSelector: args2.accessPoint.gateway.service.spec.selector
+              }
+            },
+            { provider: args2.provider }
+          ),
+          NetworkPolicy.create(
+            `allow-egress-to-${namespaceName}`,
+            {
+              cni: args2.accessPoint.gateway.service.clusterInfo.cni,
+              namespace: args2.accessPoint.gateway.service.metadata.namespace,
+              selector: args2.accessPoint.gateway.service.spec.selector,
+              description: `Allow egress traffic to the namespace "${namespaceName}".`,
+              egressRule: {
+                toNamespace: args2.namespace
+              }
+            },
+            { provider: args2.provider }
+          )
+        );
+      }
+      return output({
+        gateway: gateway2,
+        dnsRecords,
+        networkPolicies
+      });
+    }
+  );
   return toPromise(result);
 }
+function useStandardAcessPoint(appName, namespace, args, inputs, provider) {
+  return useAccessPoint({
+    name: appName,
+    namespace,
+    fqdn: args.fqdn,
+    accessPoint: inputs.accessPoint,
+    clusterInfo: inputs.k8sCluster.info,
+    provider
+  });
+}
 function createGateway(args) {
   return output(args).apply((args2) => {
+    if (args2.clusterInfo.id !== args2.gateway.clusterInfo.id) {
+      throw new Error(
+        "The provided Kubernetes cluster is different from the one where the gateway controller is deployed."
+      );
+    }
     return new gateway.v1.Gateway(
       args2.name,
       {
@@ -507,18 +839,19 @@ function createGateway(args) {
         },
         spec: {
           gatewayClassName: output(args2.gateway).gatewayClassName,
-          listeners: [
-            {
-              name: "https",
+          listeners: normalize(args2.fqdn, args2.fqdns).map((fqdn) => {
+            const normalizedName = fqdn.replace(/\*/g, "wildcard");
+            return {
+              name: `https-${normalizedName}`,
               port: output(args2.gateway).httpsListenerPort,
               protocol: "HTTPS",
-              hostname: args2.fqdn,
+              hostname: fqdn,
               tls: {
                 mode: "Terminate",
-                certificateRefs: [{ name: args2.fqdn }]
+                certificateRefs: [{ name: normalizedName }]
               }
-            }
-          ]
+            };
+          })
         }
       },
       { provider: args2.provider, deletedWith: args2.namespace }
@@ -748,7 +1081,7 @@ class Job extends ComponentResource {
             {
               template: {
                 spec: {
-                  containers: containers.map((container) => mapContainerToRaw(name, container)),
+                  containers: containers.map((container) => mapContainerToRaw(container, name)),
                   volumes: containers.flatMap((container) => normalize(container.volume, container.volumes)).map(mapWorkloadVolume),
                   restartPolicy: "Never"
                 }
@@ -784,7 +1117,7 @@ class CronJob extends ComponentResource {
                 spec: {
                   template: {
                     spec: {
-                      containers: containers.map((container) => mapContainerToRaw(name, container)),
+                      containers: containers.map((container) => mapContainerToRaw(container, name)),
                       volumes: containers.flatMap((container) => normalize(container.volume, container.volumes)).map(mapWorkloadVolume)
                     }
                   }
@@ -802,4 +1135,4 @@ class CronJob extends ComponentResource {
   }
 }
 
-export { CronJob, Deployment, HttpRoute, Job, NetworkPolicy, ScriptBundle, Service, StatefulSet, createScriptContainer, mapContainerPortToServicePort, mapMetadata, mapNamespaceLikeToNamespaceName, mapNamespaceNameToSelector, mapSelectorLikeToSelector, mapServiceToLabelSelector, useAccessPoint };
+export { CronJob, Deployment, HttpRoute, Job, NetworkPolicy, PersistentVolumeClaim, ScriptBundle, Service, StatefulSet, createScriptContainer, getAppDisplayName, getAppName, mapContainerPortToServicePort, mapMetadata, mapNamespaceLikeToNamespaceName, mapNamespaceNameToSelector, mapSelectorLikeToSelector, mapServiceToLabelSelector, useAccessPoint, useStandardAcessPoint };