@highstate/k8s 0.9.13 → 0.9.15

package/dist/chunk-WEKIQRCZ.js

@@ -1,792 +0,0 @@
-import {
-  commonExtraArgs,
-  getProvider,
-  mapMetadata,
-  mapNamespaceLikeToNamespaceName,
-  mapNamespaceNameToSelector,
-  mapSelectorLikeToSelector,
-  resourceIdToString
-} from "./chunk-Y3LZSX7I.js";
-
-// src/service.ts
-import { core } from "@pulumi/kubernetes";
-import {
-  ComponentResource,
-  normalize,
-  output
-} from "@highstate/pulumi";
-import { omit, uniqueBy } from "remeda";
-import { deepmerge } from "deepmerge-ts";
-import { filterEndpoints, l4EndpointToString, parseL3Endpoint } from "@highstate/common";
-var serviceExtraArgs = [...commonExtraArgs, "port", "ports", "external"];
-function hasServiceMetadata(endpoint) {
-  return endpoint.metadata?.k8sService !== void 0;
-}
-function getServiceMetadata(endpoint) {
-  return endpoint.metadata?.k8sService;
-}
-function withServiceMetadata(endpoint, metadata) {
-  return {
-    ...endpoint,
-    metadata: {
-      ...endpoint.metadata,
-      k8sService: metadata
-    }
-  };
-}
-function isFromCluster(endpoint, cluster) {
-  return getServiceMetadata(endpoint)?.clusterId === cluster.id;
-}
-var Service = class extends ComponentResource {
-  constructor(type, name, args, opts, cluster, metadata, spec, status) {
-    super(type, name, args, opts);
-    this.cluster = cluster;
-    this.metadata = metadata;
-    this.spec = spec;
-    this.status = status;
-  }
-  /**
-   * The Highstate service entity.
-   */
-  get entity() {
-    return output({
-      type: "k8s.service",
-      clusterId: this.cluster.id,
-      metadata: this.metadata,
-      endpoints: this.endpoints
-    });
-  }
-  static create(name, args, opts) {
-    return new CreatedService(name, args, opts);
-  }
-  static wrap(name, service, cluster, opts) {
-    return new WrappedService(name, service, cluster, opts);
-  }
-  static get(name, id, cluster, opts) {
-    return new ExternalService(name, id, cluster, opts);
-  }
-  static of(name, entity, cluster, opts) {
-    return new ExternalService(
-      name,
-      output(entity).metadata,
-      output({ cluster, entity }).apply(({ cluster: cluster2, entity: entity2 }) => {
-        if (cluster2.id !== entity2.clusterId) {
-          throw new Error(
-            `Cluster mismatch when wrapping service "${name}": "${cluster2.id}" != "${entity2.clusterId}"`
-          );
-        }
-        return cluster2;
-      }),
-      opts
-    );
-  }
-  /**
-   * Returns the endpoints of the service applying the given filter.
-   *
-   * If no filter is specified, the default behavior of `filterEndpoints` is used.
-   *
-   * @param filter If specified, the endpoints are filtered based on the given filter.
-   * @returns The endpoints of the service.
-   */
-  filterEndpoints(filter) {
-    return output({ endpoints: this.endpoints }).apply(({ endpoints }) => {
-      return filterEndpoints(endpoints, filter);
-    });
-  }
-  /**
-   * Returns the endpoints of the service including both internal and external endpoints.
-   */
-  get endpoints() {
-    return output({
-      cluster: this.cluster,
-      metadata: this.metadata,
-      spec: this.spec,
-      status: this.status
-    }).apply(({ cluster, metadata, spec, status }) => {
-      const endpointMetadata = {
-        k8sService: {
-          clusterId: cluster.id,
-          name: metadata.name,
-          namespace: metadata.namespace,
-          selector: spec.selector,
-          targetPort: spec.ports[0].targetPort ?? spec.ports[0].port
-        }
-      };
-      const clusterIpEndpoints = spec.clusterIPs?.map((ip) => ({
-        ...parseL3Endpoint(ip),
-        visibility: "internal",
-        port: spec.ports[0].port,
-        protocol: spec.ports[0].protocol?.toLowerCase(),
-        metadata: endpointMetadata
-      }));
-      if (clusterIpEndpoints.length > 0) {
-        clusterIpEndpoints.unshift({
-          type: "hostname",
-          visibility: "internal",
-          hostname: `${metadata.name}.${metadata.namespace}.svc.cluster.local`,
-          port: spec.ports[0].port,
-          protocol: spec.ports[0].protocol?.toLowerCase(),
-          metadata: endpointMetadata
-        });
-      }
-      const nodePortEndpoints = spec.type === "NodePort" ? cluster.endpoints.map((endpoint) => ({
-        ...endpoint,
-        port: spec.ports[0].nodePort,
-        protocol: spec.ports[0].protocol?.toLowerCase(),
-        metadata: endpointMetadata
-      })) : [];
-      const loadBalancerEndpoints = spec.type === "LoadBalancer" ? status.loadBalancer?.ingress?.map((endpoint) => ({
-        ...parseL3Endpoint(endpoint.ip ?? endpoint.hostname),
-        port: spec.ports[0].port,
-        protocol: spec.ports[0].protocol?.toLowerCase(),
-        metadata: endpointMetadata
-      })) : [];
-      return uniqueBy(
-        [
-          ...clusterIpEndpoints ?? [],
-          ...loadBalancerEndpoints ?? [],
-          ...nodePortEndpoints ?? []
-        ],
-        (endpoint) => l4EndpointToString(endpoint)
-      );
-    });
-  }
-};
-var CreatedService = class extends Service {
-  constructor(name, args, opts) {
-    const service = output(args).apply((args2) => {
-      return new core.v1.Service(
-        name,
-        {
-          metadata: mapMetadata(args2, name),
-          spec: deepmerge(
-            {
-              ports: normalize(args2.port, args2.ports),
-              externalIPs: args2.external ? args2.externalIPs ?? args2.cluster.externalIps : args2.cluster.externalIps,
-              type: getServiceType(args2, args2.cluster)
-            },
-            omit(args2, serviceExtraArgs)
-          )
-        },
-        { parent: this, ...opts }
-      );
-    });
-    super(
-      "highstate:k8s:Service",
-      name,
-      args,
-      opts,
-      output(args.cluster),
-      service.metadata,
-      service.spec,
-      service.status
-    );
-  }
-};
-var WrappedService = class extends Service {
-  constructor(name, service, cluster, opts) {
-    super(
-      "highstate:k8s:WrappedService",
-      name,
-      { service, clusterInfo: cluster },
-      opts,
-      output(cluster),
-      output(service).metadata,
-      output(service).spec,
-      output(service).status
-    );
-  }
-};
-var ExternalService = class extends Service {
-  constructor(name, id, cluster, opts) {
-    const service = output(id).apply((id2) => {
-      return core.v1.Service.get(
-        //
-        name,
-        resourceIdToString(id2),
-        { ...opts, parent: this }
-      );
-    });
-    super(
-      "highstate:k8s:ExternalService",
-      name,
-      { id, cluster },
-      opts,
-      output(cluster),
-      service.metadata,
-      service.spec,
-      service.status
-    );
-  }
-};
-function mapContainerPortToServicePort(port) {
-  return {
-    name: port.name,
-    port: port.containerPort,
-    targetPort: port.containerPort,
-    protocol: port.protocol
-  };
-}
-function mapServiceToLabelSelector(service) {
-  return {
-    matchLabels: service.spec.selector
-  };
-}
-function getServiceType(service, cluster) {
-  if (service?.type) {
-    return service.type;
-  }
-  if (!service?.external) {
-    return "ClusterIP";
-  }
-  return cluster.quirks?.externalServiceType === "LoadBalancer" ? "LoadBalancer" : "NodePort";
-}
-
-// src/gateway/http-route.ts
-import {
-  ComponentResource as ComponentResource2,
-  normalize as normalize2,
-  output as output3
-} from "@highstate/pulumi";
-import { gateway } from "@highstate/gateway-api";
-import { map, pipe } from "remeda";
-
-// src/gateway/backend.ts
-import "@pulumi/kubernetes";
-import { output as output2 } from "@highstate/pulumi";
-function resolveBackendRef(ref) {
-  if (Service.isInstance(ref)) {
-    return output2({
-      name: ref.metadata.name,
-      namespace: ref.metadata.namespace,
-      port: ref.spec.ports[0].port
-    });
-  }
-  if ("service" in ref) {
-    const service = output2(ref.service);
-    return output2({
-      name: service.metadata.name,
-      namespace: service.metadata.namespace,
-      port: ref.port
-    });
-  }
-  return output2({
-    name: ref.name,
-    namespace: ref.namespace,
-    port: ref.port
-  });
-}
-
-// src/gateway/http-route.ts
-var HttpRoute = class extends ComponentResource2 {
-  /**
-   * The underlying Kubernetes resource.
-   */
-  route;
-  constructor(name, args, opts) {
-    super("highstate:k8s:HttpRoute", name, args, opts);
-    this.route = output3({
-      args,
-      gatewayNamespace: output3(args.gateway).metadata.namespace
-    }).apply(async ({ args: args2, gatewayNamespace }) => {
-      return new gateway.v1.HTTPRoute(
-        name,
-        {
-          metadata: mapMetadata(
-            {
-              ...args2,
-              namespace: gatewayNamespace
-            },
-            name
-          ),
-          spec: {
-            hostnames: normalize2(args2.hostname, args2.hostnames),
-            parentRefs: [
-              {
-                name: args2.gateway.metadata.name
-              }
-            ],
-            rules: normalize2(args2.rule, args2.rules).map((rule) => ({
-              timeouts: rule.timeouts,
-              matches: pipe(
-                normalize2(rule.match, rule.matches),
-                map(mapHttpRouteRuleMatch),
-                addDefaultPathMatch
-              ),
-              filters: normalize2(rule.filter, rule.filters),
-              backendRefs: rule.backend ? [resolveBackendRef(rule.backend)] : void 0
-            }))
-          }
-        },
-        {
-          ...opts,
-          parent: this,
-          provider: await getProvider(args2.cluster)
-        }
-      );
-    });
-  }
-};
-function addDefaultPathMatch(matches) {
-  return matches.length ? matches : [{ path: { type: "PathPrefix", value: "/" } }];
-}
-function mapHttpRouteRuleMatch(match) {
-  if (typeof match === "string") {
-    return { path: { type: "PathPrefix", value: match } };
-  }
-  return match;
-}
-
-// src/network.ts
-import { filterEndpoints as filterEndpoints2 } from "@highstate/common";
-function getBestEndpoint(endpoints, cluster) {
-  if (!endpoints.length) {
-    return void 0;
-  }
-  if (endpoints.length === 1) {
-    return endpoints[0];
-  }
-  if (!cluster) {
-    return filterEndpoints2(endpoints)[0];
-  }
-  const clusterEndpoint = endpoints.find((endpoint) => isFromCluster(endpoint, cluster));
-  if (clusterEndpoint) {
-    return clusterEndpoint;
-  }
-  return filterEndpoints2(endpoints)[0];
-}
-function requireBestEndpoint(endpoints, cluster) {
-  const endpoint = getBestEndpoint(endpoints, cluster);
-  if (!endpoint) {
-    throw new Error(`No best endpoint found for cluster "${cluster.name}" (${cluster.id})`);
-  }
-  return endpoint;
-}
-
-// src/network-policy.ts
-import { networking } from "@pulumi/kubernetes";
-import {
-  ComponentResource as ComponentResource3,
-  interpolate,
-  normalize as normalize3,
-  output as output4
-} from "@highstate/pulumi";
-import { capitalize, flat, groupBy, merge, mergeDeep, uniqueBy as uniqueBy2 } from "remeda";
-import "@highstate/library";
-import {
-  l34EndpointToString,
-  l3EndpointToCidr,
-  parseL34Endpoint
-} from "@highstate/common";
-var NetworkPolicy = class _NetworkPolicy extends ComponentResource3 {
-  /**
-   * The underlying network policy resource.
-   */
-  networkPolicy;
-  constructor(name, args, opts) {
-    super("k8s:network-policy", name, args, opts);
-    const normalizedArgs = output4(args).apply((args2) => {
-      const ingressRules = normalize3(args2.ingressRule, args2.ingressRules);
-      const egressRules = normalize3(args2.egressRule, args2.egressRules);
-      const extraEgressRules = [];
-      if (args2.allowKubeDns) {
-        extraEgressRules.push({
-          namespaces: ["kube-system"],
-          selectors: [{ matchLabels: { "k8s-app": "kube-dns" } }],
-          ports: [{ port: 53, protocol: "UDP" }],
-          all: false,
-          cidrs: [],
-          fqdns: [],
-          services: []
-        });
-      }
-      return {
-        ...args2,
-        podSelector: args2.selector ? mapSelectorLikeToSelector(args2.selector) : {},
-        isolateEgress: args2.isolateEgress ?? false,
-        isolateIngress: args2.isolateIngress ?? false,
-        allowKubeApiServer: args2.allowKubeApiServer ?? false,
-        ingressRules: ingressRules.flatMap((rule) => {
-          const endpoints = normalize3(
-            args2.ingressRule?.fromEndpoint,
-            args2.ingressRule?.fromEndpoints
-          );
-          const parsedEndpoints = endpoints.map(parseL34Endpoint);
-          const endpointsNamespaces = groupBy(parsedEndpoints, (endpoint) => {
-            const namespace = isFromCluster(endpoint, args2.cluster) ? endpoint.metadata.k8sService.namespace : "";
-            return namespace;
-          });
-          const l3OnlyRule = endpointsNamespaces[""] ? _NetworkPolicy.getRuleFromEndpoint(void 0, endpointsNamespaces[""], args2.cluster) : void 0;
-          const otherRules = Object.entries(endpointsNamespaces).filter(([key]) => key !== "").map(([, endpoints2]) => {
-            return _NetworkPolicy.getRuleFromEndpoint(void 0, endpoints2, args2.cluster);
-          });
-          return [
-            {
-              all: rule.fromAll ?? false,
-              cidrs: normalize3(rule.fromCidr, rule.fromCidrs).concat(l3OnlyRule?.cidrs ?? []),
-              fqdns: [],
-              services: normalize3(rule.fromService, rule.fromServices),
-              namespaces: normalize3(rule.fromNamespace, rule.fromNamespaces),
-              selectors: normalize3(rule.fromSelector, rule.fromSelectors),
-              ports: normalize3(rule.toPort, rule.toPorts)
-            },
-            ...otherRules
-          ].filter((rule2) => !_NetworkPolicy.isEmptyRule(rule2));
-        }),
-        egressRules: egressRules.flatMap((rule) => {
-          const endpoints = normalize3(args2.egressRule?.toEndpoint, args2.egressRule?.toEndpoints);
-          const parsedEndpoints = endpoints.map(parseL34Endpoint);
-          const endpointsByPortsAnsNamespaces = groupBy(parsedEndpoints, (endpoint) => {
-            const namespace = isFromCluster(endpoint, args2.cluster) ? endpoint.metadata.k8sService.namespace : "";
-            const port = isFromCluster(endpoint, args2.cluster) ? endpoint.metadata.k8sService.targetPort : endpoint.port;
-            return `${port ?? "0"}:${namespace}`;
-          });
-          const l3OnlyRule = endpointsByPortsAnsNamespaces["0:"] ? _NetworkPolicy.getRuleFromEndpoint(
-            void 0,
-            endpointsByPortsAnsNamespaces["0:"],
-            args2.cluster
-          ) : void 0;
-          const otherRules = Object.entries(endpointsByPortsAnsNamespaces).filter(([key]) => key !== "0:").map(([key, endpoints2]) => {
-            const [port] = key.split(":");
-            const portNumber = parseInt(port, 10);
-            const portValue = isNaN(portNumber) ? port : portNumber;
-            return _NetworkPolicy.getRuleFromEndpoint(portValue, endpoints2, args2.cluster);
-          });
-          return [
-            {
-              all: rule.toAll ?? false,
-              cidrs: normalize3(rule.toCidr, rule.toCidrs).concat(l3OnlyRule?.cidrs ?? []),
-              fqdns: normalize3(rule.toFqdn, rule.toFqdns).concat(l3OnlyRule?.fqdns ?? []),
-              services: normalize3(rule.toService, rule.toServices),
-              namespaces: normalize3(rule.toNamespace, rule.toNamespaces),
-              selectors: normalize3(rule.toSelector, rule.toSelectors),
-              ports: normalize3(rule.toPort, rule.toPorts)
-            },
-            ...otherRules
-          ].filter((rule2) => !_NetworkPolicy.isEmptyRule(rule2));
-        }).concat(extraEgressRules)
-      };
-    });
-    this.networkPolicy = output4(
-      normalizedArgs.apply(async (args2) => {
-        return output4(
-          this.create(name, args2, {
-            ...opts,
-            parent: this,
-            provider: await getProvider(args2.cluster)
-          })
-        );
-      })
-    );
-  }
-  static mapCidrFromEndpoint(result) {
-    if (result.type === "ipv4") {
-      return `${result.address}/32`;
-    }
-    return `${result.address}/128`;
-  }
-  static getRuleFromEndpoint(port, endpoints, cluster) {
-    const ports = port ? [{ port, protocol: endpoints[0].protocol?.toUpperCase() }] : [];
-    const cidrs = endpoints.filter((endpoint) => !isFromCluster(endpoint, cluster)).filter((endpoint) => endpoint.type === "ipv4" || endpoint.type === "ipv6").map(_NetworkPolicy.mapCidrFromEndpoint);
-    const fqdns = endpoints.filter((endpoint) => endpoint.type === "hostname").map((endpoint) => endpoint.hostname);
-    const selectors = endpoints.filter((endpoint) => isFromCluster(endpoint, cluster)).map((endpoint) => endpoint.metadata.k8sService.selector);
-    const namespace = endpoints.filter((endpoint) => isFromCluster(endpoint, cluster)).map((endpoint) => getServiceMetadata(endpoint)?.namespace)[0];
-    return {
-      all: false,
-      cidrs,
-      fqdns,
-      services: [],
-      namespaces: namespace ? [namespace] : [],
-      selectors,
-      ports
-    };
-  }
-  static isEmptyRule(rule) {
-    return !rule.all && rule.cidrs.length === 0 && rule.fqdns.length === 0 && rule.services.length === 0 && rule.namespaces.length === 0 && rule.selectors.length === 0 && rule.ports.length === 0;
-  }
-  static create(name, args, opts) {
-    return output4(args).apply(async (args2) => {
-      const cni = args2.cluster.cni;
-      if (cni === "other") {
-        return new NativeNetworkPolicy(name, args2, opts);
-      }
-      const implName = `${capitalize(cni)}NetworkPolicy`;
-      const implModule = await import(`@highstate/${cni}`);
-      const implClass = implModule[implName];
-      if (!implClass) {
-        throw new Error(`No implementation found for ${cni}`);
-      }
-      return new implClass(name, args2, opts);
-    });
-  }
-  static isolate(namespace, cluster, opts) {
-    return _NetworkPolicy.create(
-      "isolate",
-      {
-        namespace,
-        cluster,
-        description: "By default, deny all traffic to/from the namespace.",
-        isolateEgress: true,
-        isolateIngress: true
-      },
-      opts
-    );
-  }
-  static allowInsideNamespace(namespace, cluster, opts) {
-    return _NetworkPolicy.create(
-      "allow-inside-namespace",
-      {
-        namespace,
-        cluster,
-        description: "Allow all traffic inside the namespace.",
-        selector: {},
-        ingressRule: { fromNamespace: namespace },
-        egressRule: { toNamespace: namespace }
-      },
-      opts
-    );
-  }
-  static allowKubeApiServer(namespace, cluster, opts) {
-    return _NetworkPolicy.create(
-      "allow-kube-api-server",
-      {
-        namespace,
-        cluster,
-        description: "Allow all traffic to the Kubernetes API server from the namespace.",
-        allowKubeApiServer: true
-      },
-      opts
-    );
-  }
-  static allowKubeDns(namespace, cluster, opts) {
-    return _NetworkPolicy.create(
-      "allow-kube-dns",
-      {
-        namespace,
-        cluster,
-        description: "Allow all traffic to the Kubernetes DNS server from the namespace.",
-        allowKubeDns: true
-      },
-      opts
-    );
-  }
-  static allowAllEgress(namespace, cluster, opts) {
-    return _NetworkPolicy.create(
-      "allow-all-egress",
-      {
-        namespace,
-        cluster,
-        description: "Allow all egress traffic from the namespace.",
-        egressRule: { toAll: true }
-      },
-      opts
-    );
-  }
-  static allowAllIngress(namespace, cluster, opts) {
-    return _NetworkPolicy.create(
-      "allow-all-ingress",
-      {
-        namespace,
-        cluster,
-        description: "Allow all ingress traffic to the namespace.",
-        ingressRule: { fromAll: true }
-      },
-      opts
-    );
-  }
-  static allowEgressToEndpoint(endpoint, namespace, cluster, opts) {
-    const parsedEndpoint = parseL34Endpoint(endpoint);
-    return _NetworkPolicy.create(
-      `allow-egress-to-${l34EndpointToString(parsedEndpoint).replace(":", "-")}`,
-      {
-        namespace,
-        cluster,
-        description: interpolate`Allow egress traffic to "${l34EndpointToString(parsedEndpoint)}" from the namespace.`,
-        egressRule: { toEndpoint: endpoint }
-      },
-      opts
-    );
-  }
-  static allowEgressToBestEndpoint(endpoints, namespace, cluster, opts) {
-    return output4({ endpoints, cluster }).apply(({ endpoints: endpoints2, cluster: cluster2 }) => {
-      const bestEndpoint = requireBestEndpoint(endpoints2.map(parseL34Endpoint), cluster2);
-      return _NetworkPolicy.allowEgressToEndpoint(bestEndpoint, namespace, cluster2, opts);
-    });
-  }
-  static allowIngressFromEndpoint(endpoint, namespace, cluster, opts) {
-    const parsedEndpoint = parseL34Endpoint(endpoint);
-    return _NetworkPolicy.create(
-      `allow-ingress-from-${l34EndpointToString(parsedEndpoint)}`,
-      {
-        namespace,
-        cluster,
-        description: interpolate`Allow ingress traffic from "${l34EndpointToString(parsedEndpoint)}" to the namespace.`,
-        ingressRule: { fromEndpoint: endpoint }
-      },
-      opts
-    );
-  }
-};
-var NativeNetworkPolicy = class _NativeNetworkPolicy extends NetworkPolicy {
-  create(name, args, opts) {
-    const ingress = _NativeNetworkPolicy.createIngressRules(args);
-    const egress = _NativeNetworkPolicy.createEgressRules(args);
-    const policyTypes = [];
-    if (ingress.length > 0 || args.isolateIngress) {
-      policyTypes.push("Ingress");
-    }
-    if (egress.length > 0 || args.isolateEgress) {
-      policyTypes.push("Egress");
-    }
-    return new networking.v1.NetworkPolicy(
-      name,
-      {
-        metadata: mergeDeep(mapMetadata(args, name), {
-          annotations: args.description ? { "kubernetes.io/description": args.description } : void 0
-        }),
-        spec: {
-          podSelector: args.podSelector,
-          ingress,
-          egress,
-          policyTypes
-        }
-      },
-      opts
-    );
-  }
-  static fallbackIpBlock = {
-    cidr: "0.0.0.0/0",
-    except: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
-  };
-  static fallbackDnsRule = {
-    to: [
-      {
-        namespaceSelector: { matchLabels: { "kubernetes.io/metadata.name": "kube-system" } },
-        podSelector: { matchLabels: { "k8s-app": "kube-dns" } }
-      }
-    ],
-    ports: [{ port: 53, protocol: "UDP" }]
-  };
-  static createIngressRules(args) {
-    return uniqueBy2(
-      args.ingressRules.map((rule) => ({
-        from: rule.all ? [] : _NativeNetworkPolicy.createRulePeers(rule),
-        ports: _NativeNetworkPolicy.mapPorts(rule.ports)
-      })),
-      (rule) => JSON.stringify(rule)
-    );
-  }
-  static createEgressRules(args) {
-    const extraRules = [];
-    const needKubeDns = args.egressRules.some((rule) => rule.fqdns.length > 0);
-    if (needKubeDns) {
-      extraRules.push(_NativeNetworkPolicy.fallbackDnsRule);
-    }
-    const needFallback = args.egressRules.some(
-      (rule) => rule.fqdns.some((fqdn) => !fqdn.endsWith(".cluster.local"))
-    );
-    if (needFallback) {
-      extraRules.push({ to: [{ ipBlock: _NativeNetworkPolicy.fallbackIpBlock }] });
-    }
-    if (args.allowKubeApiServer) {
-      const { quirks, apiEndpoints } = args.cluster;
-      if (quirks?.fallbackKubeApiAccess) {
-        extraRules.push({
-          to: [{ ipBlock: { cidr: `${quirks?.fallbackKubeApiAccess.serverIp}/32` } }],
-          ports: [{ port: quirks?.fallbackKubeApiAccess.serverPort, protocol: "TCP" }]
-        });
-      } else {
-        const rules = apiEndpoints.filter((endpoint) => endpoint.type !== "hostname").map((endpoint) => ({
-          to: [{ ipBlock: { cidr: l3EndpointToCidr(endpoint) } }],
-          ports: [{ port: endpoint.port, protocol: "TCP" }]
-        }));
-        extraRules.push(...rules);
-      }
-    }
-    return uniqueBy2(
-      args.egressRules.map((rule) => {
-        return {
-          to: rule.all ? [] : _NativeNetworkPolicy.createRulePeers(rule),
-          ports: _NativeNetworkPolicy.mapPorts(rule.ports)
-        };
-      }).filter((rule) => rule.to !== void 0).concat(extraRules),
-      (rule) => JSON.stringify(rule)
-    );
-  }
-  static createRulePeers(args) {
-    const peers = uniqueBy2(
-      [
-        ..._NativeNetworkPolicy.createCidrPeers(args),
-        ..._NativeNetworkPolicy.createServicePeers(args),
-        ..._NativeNetworkPolicy.createSelectorPeers(args)
-      ],
-      (peer) => JSON.stringify(peer)
-    );
-    return peers.length > 0 ? peers : void 0;
-  }
-  static createCidrPeers(args) {
-    return args.cidrs.map((cidr) => ({ ipBlock: { cidr } }));
-  }
-  static createServicePeers(args) {
-    return args.services.map((service) => {
-      const selector = mapServiceToLabelSelector(service);
-      return {
-        namespaceSelector: mapNamespaceNameToSelector(service.metadata.namespace),
-        podSelector: selector
-      };
-    });
-  }
-  static createSelectorPeers(args) {
-    const selectorPeers = args.selectors.map((selector) => ({
-      podSelector: mapSelectorLikeToSelector(selector)
-    }));
-    const namespacePeers = args.namespaces.map(_NativeNetworkPolicy.createNamespacePeer);
-    if (namespacePeers.length === 0) {
-      return selectorPeers;
-    }
-    if (selectorPeers.length === 0) {
-      return namespacePeers;
-    }
-    return flat(
-      selectorPeers.map((selectorPeer) => {
-        return namespacePeers.map((namespacePeer) => merge(selectorPeer, namespacePeer));
-      })
-    );
-  }
-  static createNamespacePeer(namespace) {
-    const namespaceName = mapNamespaceLikeToNamespaceName(namespace);
-    const namespaceSelector = mapNamespaceNameToSelector(namespaceName);
-    return { namespaceSelector };
-  }
-  static mapPorts(ports) {
-    return ports.map((port) => {
-      if ("port" in port) {
-        return {
-          port: port.port,
-          protocol: port.protocol ?? "TCP"
-        };
-      }
-      return {
-        port: port.range[0],
-        endPort: port.range[1],
-        protocol: port.protocol ?? "TCP"
-      };
-    });
-  }
-};
-
-export {
-  hasServiceMetadata,
-  getServiceMetadata,
-  withServiceMetadata,
-  isFromCluster,
-  Service,
-  mapContainerPortToServicePort,
-  mapServiceToLabelSelector,
-  getServiceType,
-  HttpRoute,
-  getBestEndpoint,
-  requireBestEndpoint,
-  NetworkPolicy
-};
-//# sourceMappingURL=chunk-WEKIQRCZ.js.map