@highstate/k8s 0.9.14 → 0.9.15

package/dist/chunk-P2UABKGA.js

@@ -0,0 +1,1664 @@
+import {
+  commonExtraArgs,
+  getProvider,
+  images_exports,
+  mapMetadata,
+  mapNamespaceLikeToNamespaceName,
+  mapNamespaceNameToSelector,
+  mapSelectorLikeToSelector,
+  resourceIdToString,
+  withPatchName
+} from "./chunk-YUMBUWA4.js";
+
+// src/service.ts
+import { core } from "@pulumi/kubernetes";
+import {
+  ComponentResource,
+  normalize,
+  output
+} from "@highstate/pulumi";
+import { omit, uniqueBy } from "remeda";
+import { deepmerge } from "deepmerge-ts";
+import { filterEndpoints, l4EndpointToString, parseL3Endpoint } from "@highstate/common";
+var serviceExtraArgs = [...commonExtraArgs, "port", "ports", "external"];
+function hasServiceMetadata(endpoint) {
+  return endpoint.metadata?.k8sService !== void 0;
+}
+function getServiceMetadata(endpoint) {
+  return endpoint.metadata?.k8sService;
+}
+function withServiceMetadata(endpoint, metadata) {
+  return {
+    ...endpoint,
+    metadata: {
+      ...endpoint.metadata,
+      k8sService: metadata
+    }
+  };
+}
+function isFromCluster(endpoint, cluster) {
+  return getServiceMetadata(endpoint)?.clusterId === cluster.id;
+}
+var Service = class extends ComponentResource {
+  constructor(type, name, args, opts, cluster, metadata, spec, status) {
+    super(type, name, args, opts);
+    this.cluster = cluster;
+    this.metadata = metadata;
+    this.spec = spec;
+    this.status = status;
+  }
+  /**
+   * The Highstate service entity.
+   */
+  get entity() {
+    return output({
+      type: "k8s.service",
+      clusterId: this.cluster.id,
+      metadata: this.metadata,
+      endpoints: this.endpoints
+    });
+  }
+  static create(name, args, opts) {
+    return new CreatedService(name, args, opts);
+  }
+  static wrap(name, service, cluster, opts) {
+    return new WrappedService(name, service, cluster, opts);
+  }
+  static get(name, id, cluster, opts) {
+    return new ExternalService(name, id, cluster, opts);
+  }
+  static of(name, entity, cluster, opts) {
+    return new ExternalService(
+      name,
+      output(entity).metadata,
+      output({ cluster, entity }).apply(({ cluster: cluster2, entity: entity2 }) => {
+        if (cluster2.id !== entity2.clusterId) {
+          throw new Error(
+            `Cluster mismatch when wrapping service "${name}": "${cluster2.id}" != "${entity2.clusterId}"`
+          );
+        }
+        return cluster2;
+      }),
+      opts
+    );
+  }
+  /**
+   * Returns the endpoints of the service applying the given filter.
+   *
+   * If no filter is specified, the default behavior of `filterEndpoints` is used.
+   *
+   * @param filter If specified, the endpoints are filtered based on the given filter.
+   * @returns The endpoints of the service.
+   */
+  filterEndpoints(filter2) {
+    return output({ endpoints: this.endpoints }).apply(({ endpoints }) => {
+      return filterEndpoints(endpoints, filter2);
+    });
+  }
+  /**
+   * Returns the endpoints of the service including both internal and external endpoints.
+   */
+  get endpoints() {
+    return output({
+      cluster: this.cluster,
+      metadata: this.metadata,
+      spec: this.spec,
+      status: this.status
+    }).apply(({ cluster, metadata, spec, status }) => {
+      const endpointMetadata = {
+        k8sService: {
+          clusterId: cluster.id,
+          name: metadata.name,
+          namespace: metadata.namespace,
+          selector: spec.selector,
+          targetPort: spec.ports[0].targetPort ?? spec.ports[0].port
+        }
+      };
+      const clusterIpEndpoints = spec.clusterIPs?.map((ip) => ({
+        ...parseL3Endpoint(ip),
+        visibility: "internal",
+        port: spec.ports[0].port,
+        protocol: spec.ports[0].protocol?.toLowerCase(),
+        metadata: endpointMetadata
+      }));
+      if (clusterIpEndpoints.length > 0) {
+        clusterIpEndpoints.unshift({
+          type: "hostname",
+          visibility: "internal",
+          hostname: `${metadata.name}.${metadata.namespace}.svc.cluster.local`,
+          port: spec.ports[0].port,
+          protocol: spec.ports[0].protocol?.toLowerCase(),
+          metadata: endpointMetadata
+        });
+      }
+      const nodePortEndpoints = spec.type === "NodePort" ? cluster.endpoints.map((endpoint) => ({
+        ...endpoint,
+        port: spec.ports[0].nodePort,
+        protocol: spec.ports[0].protocol?.toLowerCase(),
+        metadata: endpointMetadata
+      })) : [];
+      const loadBalancerEndpoints = spec.type === "LoadBalancer" ? status.loadBalancer?.ingress?.map((endpoint) => ({
+        ...parseL3Endpoint(endpoint.ip ?? endpoint.hostname),
+        port: spec.ports[0].port,
+        protocol: spec.ports[0].protocol?.toLowerCase(),
+        metadata: endpointMetadata
+      })) : [];
+      return uniqueBy(
+        [
+          ...clusterIpEndpoints ?? [],
+          ...loadBalancerEndpoints ?? [],
+          ...nodePortEndpoints ?? []
+        ],
+        (endpoint) => l4EndpointToString(endpoint)
+      );
+    });
+  }
+};
+var CreatedService = class extends Service {
+  constructor(name, args, opts) {
+    const service = output(args).apply((args2) => {
+      return new core.v1.Service(
+        name,
+        {
+          metadata: mapMetadata(args2, name),
+          spec: deepmerge(
+            {
+              ports: normalize(args2.port, args2.ports),
+              externalIPs: args2.external ? args2.externalIPs ?? args2.cluster.externalIps : args2.cluster.externalIps,
+              type: getServiceType(args2, args2.cluster)
+            },
+            omit(args2, serviceExtraArgs)
+          )
+        },
+        { parent: this, ...opts }
+      );
+    });
+    super(
+      "highstate:k8s:Service",
+      name,
+      args,
+      opts,
+      output(args.cluster),
+      service.metadata,
+      service.spec,
+      service.status
+    );
+  }
+};
+var WrappedService = class extends Service {
+  constructor(name, service, cluster, opts) {
+    super(
+      "highstate:k8s:WrappedService",
+      name,
+      { service, clusterInfo: cluster },
+      opts,
+      output(cluster),
+      output(service).metadata,
+      output(service).spec,
+      output(service).status
+    );
+  }
+};
+var ExternalService = class extends Service {
+  constructor(name, id, cluster, opts) {
+    const service = output(id).apply((id2) => {
+      return core.v1.Service.get(
+        //
+        name,
+        resourceIdToString(id2),
+        { ...opts, parent: this }
+      );
+    });
+    super(
+      "highstate:k8s:ExternalService",
+      name,
+      { id, cluster },
+      opts,
+      output(cluster),
+      service.metadata,
+      service.spec,
+      service.status
+    );
+  }
+};
+function mapContainerPortToServicePort(port) {
+  return {
+    name: port.name,
+    port: port.containerPort,
+    targetPort: port.containerPort,
+    protocol: port.protocol
+  };
+}
+function mapServiceToLabelSelector(service) {
+  return {
+    matchLabels: service.spec.selector
+  };
+}
+function getServiceType(service, cluster) {
+  if (service?.type) {
+    return service.type;
+  }
+  if (!service?.external) {
+    return "ClusterIP";
+  }
+  return cluster.quirks?.externalServiceType === "LoadBalancer" ? "LoadBalancer" : "NodePort";
+}
+
+// src/gateway/http-route.ts
+import {
+  ComponentResource as ComponentResource2,
+  normalize as normalize2,
+  output as output3
+} from "@highstate/pulumi";
+import { gateway } from "@highstate/gateway-api";
+import { map, pipe } from "remeda";
+
+// src/gateway/backend.ts
+import "@pulumi/kubernetes";
+import { output as output2 } from "@highstate/pulumi";
+function resolveBackendRef(ref) {
+  if (Service.isInstance(ref)) {
+    return output2({
+      name: ref.metadata.name,
+      namespace: ref.metadata.namespace,
+      port: ref.spec.ports[0].port
+    });
+  }
+  if ("service" in ref) {
+    const service = output2(ref.service);
+    return output2({
+      name: service.metadata.name,
+      namespace: service.metadata.namespace,
+      port: ref.port
+    });
+  }
+  return output2({
+    name: ref.name,
+    namespace: ref.namespace,
+    port: ref.port
+  });
+}
+
+// src/gateway/http-route.ts
+var HttpRoute = class extends ComponentResource2 {
+  /**
+   * The underlying Kubernetes resource.
+   */
+  route;
+  constructor(name, args, opts) {
+    super("highstate:k8s:HttpRoute", name, args, opts);
+    this.route = output3({
+      args,
+      gatewayNamespace: output3(args.gateway).metadata.namespace
+    }).apply(async ({ args: args2, gatewayNamespace }) => {
+      return new gateway.v1.HTTPRoute(
+        name,
+        {
+          metadata: mapMetadata(
+            {
+              ...args2,
+              namespace: gatewayNamespace
+            },
+            name
+          ),
+          spec: {
+            hostnames: normalize2(args2.hostname, args2.hostnames),
+            parentRefs: [
+              {
+                name: args2.gateway.metadata.name
+              }
+            ],
+            rules: normalize2(args2.rule, args2.rules).map((rule) => ({
+              timeouts: rule.timeouts,
+              matches: pipe(
+                normalize2(rule.match, rule.matches),
+                map(mapHttpRouteRuleMatch),
+                addDefaultPathMatch
+              ),
+              filters: normalize2(rule.filter, rule.filters),
+              backendRefs: rule.backend ? [resolveBackendRef(rule.backend)] : void 0
+            }))
+          }
+        },
+        {
+          ...opts,
+          parent: this,
+          provider: await getProvider(args2.cluster)
+        }
+      );
+    });
+  }
+};
+function addDefaultPathMatch(matches) {
+  return matches.length ? matches : [{ path: { type: "PathPrefix", value: "/" } }];
+}
+function mapHttpRouteRuleMatch(match) {
+  if (typeof match === "string") {
+    return { path: { type: "PathPrefix", value: match } };
+  }
+  return match;
+}
+
+// src/pvc.ts
+import { core as core3 } from "@pulumi/kubernetes";
+import {
+  ComponentResource as ComponentResource3,
+  output as output4
+} from "@highstate/pulumi";
+import { deepmerge as deepmerge2 } from "deepmerge-ts";
+import { omit as omit2 } from "remeda";
+var extraPersistentVolumeClaimArgs = [...commonExtraArgs, "size"];
+var PersistentVolumeClaim = class extends ComponentResource3 {
+  constructor(type, name, args, opts, cluster, metadata, spec, status) {
+    super(type, name, args, opts);
+    this.cluster = cluster;
+    this.metadata = metadata;
+    this.spec = spec;
+    this.status = status;
+  }
+  /**
+   * The Highstate PVC entity.
+   */
+  get entity() {
+    return output4({
+      type: "k8s.persistent-volume-claim",
+      clusterId: this.cluster.id,
+      metadata: this.metadata
+    });
+  }
+  static create(name, args, opts) {
+    return new CreatedPersistentVolumeClaim(name, args, opts);
+  }
+  static of(name, entity, cluster, opts) {
+    return new ExternalPersistentVolumeClaim(name, output4(entity).metadata, cluster, opts);
+  }
+  static createOrGet(name, args, opts) {
+    if (!args.existing) {
+      return new CreatedPersistentVolumeClaim(name, args, opts);
+    }
+    return new ExternalPersistentVolumeClaim(
+      name,
+      output4(args.existing).metadata,
+      args.cluster,
+      opts
+    );
+  }
+};
+var CreatedPersistentVolumeClaim = class extends PersistentVolumeClaim {
+  constructor(name, args, opts) {
+    const pvc = output4(args).apply(async (args2) => {
+      return new core3.v1.PersistentVolumeClaim(
+        name,
+        {
+          metadata: mapMetadata(args2, name),
+          spec: deepmerge2(
+            {
+              accessModes: ["ReadWriteOnce"],
+              resources: {
+                requests: {
+                  storage: args2.size ?? "100Mi"
+                }
+              }
+            },
+            omit2(args2, extraPersistentVolumeClaimArgs)
+          )
+        },
+        {
+          ...opts,
+          parent: this,
+          provider: await getProvider(args2.cluster)
+        }
+      );
+    });
+    super(
+      "k8s:PersistentVolumeClaim",
+      name,
+      args,
+      opts,
+      output4(args.cluster),
+      pvc.metadata,
+      pvc.spec,
+      pvc.status
+    );
+  }
+};
+var ExternalPersistentVolumeClaim = class extends PersistentVolumeClaim {
+  constructor(name, id, cluster, opts) {
+    const pvc = output4(id).apply(async (id2) => {
+      return core3.v1.PersistentVolumeClaim.get(
+        //
+        name,
+        resourceIdToString(id2),
+        {
+          ...opts,
+          parent: this,
+          provider: await getProvider(cluster)
+        }
+      );
+    });
+    super(
+      "highstate:k8s:ExternalPersistentVolumeClaim",
+      name,
+      { id, cluster },
+      opts,
+      output4(cluster),
+      pvc.metadata,
+      pvc.spec,
+      pvc.status
+    );
+  }
+};
+
+// src/secret.ts
+import { core as core4 } from "@pulumi/kubernetes";
+import {
+  ComponentResource as ComponentResource4,
+  output as output5
+} from "@pulumi/pulumi";
+var Secret = class extends ComponentResource4 {
+  constructor(type, name, args, opts, cluster, metadata, data, stringData) {
+    super(type, name, args, opts);
+    this.cluster = cluster;
+    this.metadata = metadata;
+    this.data = data;
+    this.stringData = stringData;
+  }
+  /**
+   * Creates a new secret.
+   */
+  static create(name, args, opts) {
+    return new CreatedSecret(name, args, opts);
+  }
+  /**
+   * Creates a new secret or patches an existing one.
+   *
+   * Will throw an error if the secret does not exist when `args.resource` is provided.
+   */
+  static createOrPatch(name, args, opts) {
+    if (!args.existing) {
+      return new CreatedSecret(name, args, opts);
+    }
+    return new SecretPatch(
+      name,
+      {
+        ...args,
+        name: withPatchName("secret", args.existing, args.cluster),
+        namespace: output5(args.existing).metadata.namespace
+      },
+      opts
+    );
+  }
+  /**
+   * Gets an existing secret.
+   *
+   * Will throw an error if the secret does not exist.
+   */
+  static get(name, id, cluster, opts) {
+    return new ExternalSecret(name, id, cluster, opts);
+  }
+};
+var CreatedSecret = class extends Secret {
+  constructor(name, args, opts) {
+    const secret = output5(args).apply(async (args2) => {
+      return new core4.v1.Secret(
+        name,
+        {
+          metadata: mapMetadata(args2, name),
+          data: args2.data,
+          stringData: args2.stringData,
+          type: args2.type,
+          immutable: args2.immutable
+        },
+        {
+          ...opts,
+          parent: this,
+          provider: await getProvider(args2.cluster)
+        }
+      );
+    });
+    super(
+      "highstate:k8s:Secret",
+      name,
+      args,
+      opts,
+      output5(args.cluster),
+      secret.metadata,
+      secret.data,
+      secret.stringData
+    );
+  }
+};
+var SecretPatch = class extends Secret {
+  constructor(name, args, opts) {
+    const secret = output5(args).apply(async (args2) => {
+      return new core4.v1.SecretPatch(
+        name,
+        {
+          metadata: mapMetadata(args2, name),
+          data: args2.data,
+          stringData: args2.stringData,
+          type: args2.type,
+          immutable: args2.immutable
+        },
+        {
+          ...opts,
+          parent: this,
+          provider: await getProvider(args2.cluster)
+        }
+      );
+    });
+    super(
+      "highstate:k8s:SecretPatch",
+      name,
+      args,
+      opts,
+      output5(args.cluster),
+      secret.metadata,
+      secret.data,
+      secret.stringData
+    );
+  }
+};
+var ExternalSecret = class extends Secret {
+  constructor(name, id, cluster, opts) {
+    const secret = output5(id).apply(async (realName) => {
+      return core4.v1.Secret.get(
+        //
+        name,
+        realName,
+        {
+          ...opts,
+          parent: this,
+          provider: await getProvider(cluster)
+        }
+      );
+    });
+    super(
+      "highstate:k8s:ExternalSecret",
+      name,
+      { id, cluster },
+      opts,
+      output5(cluster),
+      secret.metadata,
+      secret.data,
+      secret.stringData
+    );
+  }
+};
+
+// src/config-map.ts
+import { core as core5 } from "@pulumi/kubernetes";
+import {
+  ComponentResource as ComponentResource5,
+  output as output6
+} from "@pulumi/pulumi";
+var ConfigMap = class extends ComponentResource5 {
+  constructor(type, name, args, opts, cluster, metadata, data) {
+    super(type, name, args, opts);
+    this.cluster = cluster;
+    this.metadata = metadata;
+    this.data = data;
+  }
+  /**
+   * Creates a new config map.
+   */
+  static create(name, args, opts) {
+    return new CreatedConfigMap(name, args, opts);
+  }
+  /**
+   * Creates a new config map or patches an existing one.
+   *
+   * Will throw an error if the config map does not exist when `args.resource` is provided.
+   */
+  static createOrPatch(name, args, opts) {
+    if (!args.existing) {
+      return new CreatedConfigMap(name, args, opts);
+    }
+    return new ConfigMapPatch(
+      name,
+      {
+        ...args,
+        name: withPatchName("configmap", args.existing, args.cluster),
+        namespace: output6(args.existing).metadata.namespace
+      },
+      opts
+    );
+  }
+  /**
+   * Gets an existing config map.
+   *
+   * Will throw an error if the config map does not exist.
+   */
+  static get(name, id, cluster, opts) {
+    return new ExternalConfigMap(name, id, cluster, opts);
+  }
+};
+var CreatedConfigMap = class extends ConfigMap {
+  constructor(name, args, opts) {
+    const configMap = output6(args).apply(async (args2) => {
+      return new core5.v1.ConfigMap(
+        name,
+        {
+          metadata: mapMetadata(args2, name),
+          data: args2.data
+        },
+        {
+          ...opts,
+          parent: this,
+          provider: await getProvider(args2.cluster)
+        }
+      );
+    });
+    super(
+      "highstate:k8s:ConfigMap",
+      name,
+      args,
+      opts,
+      output6(args.cluster),
+      configMap.metadata,
+      configMap.data
+    );
+  }
+};
+var ConfigMapPatch = class extends ConfigMap {
+  constructor(name, args, opts) {
+    const configMap = output6(args).apply(async (args2) => {
+      return new core5.v1.ConfigMapPatch(
+        name,
+        {
+          metadata: mapMetadata(args2, name),
+          data: args2.data
+        },
+        {
+          ...opts,
+          parent: this,
+          provider: await getProvider(args2.cluster)
+        }
+      );
+    });
+    super(
+      "highstate:k8s:ConfigMapPatch",
+      name,
+      args,
+      opts,
+      output6(args.cluster),
+      configMap.metadata,
+      configMap.data
+    );
+  }
+};
+var ExternalConfigMap = class extends ConfigMap {
+  constructor(name, id, cluster, opts) {
+    const configMap = output6(id).apply(async (realName) => {
+      return core5.v1.ConfigMap.get(name, realName, {
+        ...opts,
+        parent: this,
+        provider: await getProvider(cluster)
+      });
+    });
+    super(
+      "highstate:k8s:ExternalConfigMap",
+      name,
+      { id, cluster },
+      opts,
+      output6(cluster),
+      configMap.metadata,
+      configMap.data
+    );
+  }
+};
+
+// src/container.ts
+import { core as core6 } from "@pulumi/kubernetes";
+import {
+  normalize as normalize3,
+  output as output7
+} from "@highstate/pulumi";
+import { concat, map as map2, omit as omit3 } from "remeda";
+var containerExtraArgs = [
+  "port",
+  "volumeMount",
+  "volume",
+  "environment",
+  "environmentSource",
+  "environmentSources"
+];
+function mapContainerToRaw(container, cluster, fallbackName) {
+  const containerName = container.name ?? fallbackName;
+  const spec = {
+    ...omit3(container, containerExtraArgs),
+    name: containerName,
+    ports: normalize3(container.port, container.ports),
+    volumeMounts: map2(normalize3(container.volumeMount, container.volumeMounts), mapVolumeMount),
+    env: concat(
+      container.environment ? mapContainerEnvironment(container.environment) : [],
+      container.env ?? []
+    ),
+    envFrom: concat(
+      map2(
+        normalize3(container.environmentSource, container.environmentSources),
+        mapEnvironmentSource
+      ),
+      container.envFrom ?? []
+    )
+  };
+  if (container.enableTun) {
+    spec.securityContext ??= {};
+    spec.securityContext.capabilities ??= {};
+    spec.securityContext.capabilities.add = ["NET_ADMIN"];
+    if (cluster.quirks?.tunDevicePolicy?.type === "plugin") {
+      spec.resources ??= {};
+      spec.resources.limits ??= {};
+      spec.resources.limits[cluster.quirks.tunDevicePolicy.resourceName] = cluster.quirks.tunDevicePolicy.resourceValue;
+    } else {
+      spec.volumeMounts ??= [];
+      spec.volumeMounts.push({
+        name: "tun-device",
+        mountPath: "/dev/net/tun",
+        readOnly: false
+      });
+    }
+  }
+  return spec;
+}
+function mapContainerEnvironment(environment) {
+  const envVars = [];
+  for (const [name, value] of Object.entries(environment)) {
+    if (!value) {
+      continue;
+    }
+    if (typeof value === "string") {
+      envVars.push({ name, value });
+      continue;
+    }
+    if ("secret" in value) {
+      envVars.push({
+        name,
+        valueFrom: {
+          secretKeyRef: {
+            name: value.secret.metadata.name,
+            key: value.key
+          }
+        }
+      });
+      continue;
+    }
+    if ("configMap" in value) {
+      envVars.push({
+        name,
+        valueFrom: {
+          configMapKeyRef: {
+            name: value.configMap.metadata.name,
+            key: value.key
+          }
+        }
+      });
+      continue;
+    }
+    envVars.push({ name, valueFrom: value });
+  }
+  return envVars;
+}
+function mapVolumeMount(volumeMount) {
+  if ("volume" in volumeMount) {
+    return omit3(
+      {
+        ...volumeMount,
+        name: output7(volumeMount.volume).apply(mapWorkloadVolume).apply((volume) => output7(volume.name))
+      },
+      ["volume"]
+    );
+  }
+  return {
+    ...volumeMount,
+    name: volumeMount.name
+  };
+}
+function mapEnvironmentSource(envFrom) {
+  if (envFrom instanceof core6.v1.ConfigMap) {
+    return {
+      configMapRef: {
+        name: envFrom.metadata.name
+      }
+    };
+  }
+  if (envFrom instanceof core6.v1.Secret) {
+    return {
+      secretRef: {
+        name: envFrom.metadata.name
+      }
+    };
+  }
+  return envFrom;
+}
+function mapWorkloadVolume(volume) {
+  if (volume instanceof PersistentVolumeClaim) {
+    return {
+      name: volume.metadata.name,
+      persistentVolumeClaim: {
+        claimName: volume.metadata.name
+      }
+    };
+  }
+  if (volume instanceof Secret) {
+    return {
+      name: volume.metadata.name,
+      secret: {
+        secretName: volume.metadata.name
+      }
+    };
+  }
+  if (volume instanceof ConfigMap) {
+    return {
+      name: volume.metadata.name,
+      configMap: {
+        name: volume.metadata.name
+      }
+    };
+  }
+  if (core6.v1.PersistentVolumeClaim.isInstance(volume)) {
+    return {
+      name: volume.metadata.name,
+      persistentVolumeClaim: {
+        claimName: volume.metadata.name
+      }
+    };
+  }
+  if (core6.v1.ConfigMap.isInstance(volume)) {
+    return {
+      name: volume.metadata.name,
+      configMap: {
+        name: volume.metadata.name
+      }
+    };
+  }
+  if (core6.v1.Secret.isInstance(volume)) {
+    return {
+      name: volume.metadata.name,
+      secret: {
+        secretName: volume.metadata.name
+      }
+    };
+  }
+  return volume;
+}
+function getWorkloadVolumeResourceUuid(volume) {
+  if (volume instanceof PersistentVolumeClaim) {
+    return volume.metadata.uid;
+  }
+  if (volume instanceof Secret) {
+    return volume.metadata.uid;
+  }
+  if (volume instanceof ConfigMap) {
+    return volume.metadata.uid;
+  }
+  if (core6.v1.PersistentVolumeClaim.isInstance(volume)) {
+    return volume.metadata.uid;
+  }
+  if (core6.v1.ConfigMap.isInstance(volume)) {
+    return volume.metadata.uid;
+  }
+  if (core6.v1.Secret.isInstance(volume)) {
+    return volume.metadata.uid;
+  }
+  return output7(void 0);
+}
+
+// src/network.ts
+import { filterEndpoints as filterEndpoints2 } from "@highstate/common";
+function getBestEndpoint(endpoints, cluster) {
+  if (!endpoints.length) {
+    return void 0;
+  }
+  if (endpoints.length === 1) {
+    return endpoints[0];
+  }
+  if (!cluster) {
+    return filterEndpoints2(endpoints)[0];
+  }
+  const clusterEndpoint = endpoints.find((endpoint) => isFromCluster(endpoint, cluster));
+  if (clusterEndpoint) {
+    return clusterEndpoint;
+  }
+  return filterEndpoints2(endpoints)[0];
+}
+function requireBestEndpoint(endpoints, cluster) {
+  const endpoint = getBestEndpoint(endpoints, cluster);
+  if (!endpoint) {
+    throw new Error(`No best endpoint found for cluster "${cluster.name}" (${cluster.id})`);
+  }
+  return endpoint;
+}
+
+// src/network-policy.ts
+import { networking } from "@pulumi/kubernetes";
+import {
+  ComponentResource as ComponentResource6,
+  interpolate,
+  normalize as normalize4,
+  output as output8
+} from "@highstate/pulumi";
+import { capitalize, flat, groupBy, merge, mergeDeep, uniqueBy as uniqueBy2 } from "remeda";
+import "@highstate/library";
+import {
+  l34EndpointToString,
+  l3EndpointToCidr,
+  parseL34Endpoint
+} from "@highstate/common";
+var NetworkPolicy = class _NetworkPolicy extends ComponentResource6 {
+  /**
+   * The underlying network policy resource.
+   */
+  networkPolicy;
+  constructor(name, args, opts) {
+    super("k8s:network-policy", name, args, opts);
+    const normalizedArgs = output8(args).apply((args2) => {
+      const ingressRules = normalize4(args2.ingressRule, args2.ingressRules);
+      const egressRules = normalize4(args2.egressRule, args2.egressRules);
+      const extraEgressRules = [];
+      if (args2.allowKubeDns) {
+        extraEgressRules.push({
+          namespaces: ["kube-system"],
+          selectors: [{ matchLabels: { "k8s-app": "kube-dns" } }],
+          ports: [{ port: 53, protocol: "UDP" }],
+          all: false,
+          cidrs: [],
+          fqdns: [],
+          services: []
+        });
+      }
+      return {
+        ...args2,
+        podSelector: args2.selector ? mapSelectorLikeToSelector(args2.selector) : {},
+        isolateEgress: args2.isolateEgress ?? false,
+        isolateIngress: args2.isolateIngress ?? false,
+        allowKubeApiServer: args2.allowKubeApiServer ?? false,
+        ingressRules: ingressRules.flatMap((rule) => {
+          const endpoints = normalize4(rule?.fromEndpoint, rule?.fromEndpoints);
+          const parsedEndpoints = endpoints.map(parseL34Endpoint);
+          const endpointsNamespaces = groupBy(parsedEndpoints, (endpoint) => {
+            const namespace = isFromCluster(endpoint, args2.cluster) ? endpoint.metadata.k8sService.namespace : "";
+            return namespace;
+          });
+          const l3OnlyRule = endpointsNamespaces[""] ? _NetworkPolicy.getRuleFromEndpoint(void 0, endpointsNamespaces[""], args2.cluster) : void 0;
+          const otherRules = Object.entries(endpointsNamespaces).filter(([key]) => key !== "").map(([, endpoints2]) => {
+            return _NetworkPolicy.getRuleFromEndpoint(void 0, endpoints2, args2.cluster);
+          });
+          return [
+            {
+              all: rule.fromAll ?? false,
+              cidrs: normalize4(rule.fromCidr, rule.fromCidrs).concat(l3OnlyRule?.cidrs ?? []),
+              fqdns: [],
+              services: normalize4(rule.fromService, rule.fromServices),
+              namespaces: normalize4(rule.fromNamespace, rule.fromNamespaces),
+              selectors: normalize4(rule.fromSelector, rule.fromSelectors),
+              ports: normalize4(rule.toPort, rule.toPorts)
+            },
+            ...otherRules
+          ].filter((rule2) => !_NetworkPolicy.isEmptyRule(rule2));
+        }),
+        egressRules: egressRules.flatMap((rule) => {
+          const endpoints = normalize4(rule?.toEndpoint, rule?.toEndpoints);
+          const parsedEndpoints = endpoints.map(parseL34Endpoint);
+          const endpointsByPortsAnsNamespaces = groupBy(parsedEndpoints, (endpoint) => {
+            const namespace = isFromCluster(endpoint, args2.cluster) ? endpoint.metadata.k8sService.namespace : "";
+            const port = isFromCluster(endpoint, args2.cluster) ? endpoint.metadata.k8sService.targetPort : endpoint.port;
+            return `${port ?? "0"}:${namespace}`;
+          });
+          const l3OnlyRule = endpointsByPortsAnsNamespaces["0:"] ? _NetworkPolicy.getRuleFromEndpoint(
+            void 0,
+            endpointsByPortsAnsNamespaces["0:"],
+            args2.cluster
+          ) : void 0;
+          const otherRules = Object.entries(endpointsByPortsAnsNamespaces).filter(([key]) => key !== "0:").map(([key, endpoints2]) => {
+            const [port] = key.split(":");
+            const portNumber = parseInt(port, 10);
+            const portValue = isNaN(portNumber) ? port : portNumber;
+            return _NetworkPolicy.getRuleFromEndpoint(portValue, endpoints2, args2.cluster);
+          });
+          return [
+            {
+              all: rule.toAll ?? false,
+              cidrs: normalize4(rule.toCidr, rule.toCidrs).concat(l3OnlyRule?.cidrs ?? []),
+              fqdns: normalize4(rule.toFqdn, rule.toFqdns).concat(l3OnlyRule?.fqdns ?? []),
+              services: normalize4(rule.toService, rule.toServices),
+              namespaces: normalize4(rule.toNamespace, rule.toNamespaces),
+              selectors: normalize4(rule.toSelector, rule.toSelectors),
+              ports: normalize4(rule.toPort, rule.toPorts)
+            },
+            ...otherRules
+          ].filter((rule2) => !_NetworkPolicy.isEmptyRule(rule2));
+        }).concat(extraEgressRules)
+      };
+    });
+    this.networkPolicy = output8(
+      normalizedArgs.apply(async (args2) => {
+        return output8(
+          this.create(name, args2, {
+            ...opts,
+            parent: this,
+            provider: await getProvider(args2.cluster)
+          })
+        );
+      })
+    );
+  }
+  static mapCidrFromEndpoint(result) {
+    if (result.type === "ipv4") {
+      return `${result.address}/32`;
+    }
+    return `${result.address}/128`;
+  }
+  static getRuleFromEndpoint(port, endpoints, cluster) {
+    const ports = port ? [{ port, protocol: endpoints[0].protocol?.toUpperCase() }] : [];
+    const cidrs = endpoints.filter((endpoint) => !isFromCluster(endpoint, cluster)).filter((endpoint) => endpoint.type === "ipv4" || endpoint.type === "ipv6").map(_NetworkPolicy.mapCidrFromEndpoint);
+    const fqdns = endpoints.filter((endpoint) => endpoint.type === "hostname").map((endpoint) => endpoint.hostname);
+    const selectors = endpoints.filter((endpoint) => isFromCluster(endpoint, cluster)).map((endpoint) => endpoint.metadata.k8sService.selector);
+    const namespace = endpoints.filter((endpoint) => isFromCluster(endpoint, cluster)).map((endpoint) => getServiceMetadata(endpoint)?.namespace)[0];
+    return {
+      all: false,
+      cidrs,
+      fqdns,
+      services: [],
+      namespaces: namespace ? [namespace] : [],
+      selectors,
+      ports
+    };
+  }
+  static isEmptyRule(rule) {
+    return !rule.all && rule.cidrs.length === 0 && rule.fqdns.length === 0 && rule.services.length === 0 && rule.namespaces.length === 0 && rule.selectors.length === 0 && rule.ports.length === 0;
+  }
+  static create(name, args, opts) {
+    return output8(args).apply(async (args2) => {
+      const cni = args2.cluster.cni;
+      if (cni === "other") {
+        return new NativeNetworkPolicy(name, args2, opts);
+      }
+      const implName = `${capitalize(cni)}NetworkPolicy`;
+      const implModule = await import(`@highstate/${cni}`);
+      const implClass = implModule[implName];
+      if (!implClass) {
+        throw new Error(`No implementation found for ${cni}`);
+      }
+      return new implClass(name, args2, opts);
+    });
+  }
+  static isolate(namespace, cluster, opts) {
+    return _NetworkPolicy.create(
+      "isolate",
+      {
+        namespace,
+        cluster,
+        description: "By default, deny all traffic to/from the namespace.",
+        isolateEgress: true,
+        isolateIngress: true
+      },
+      opts
+    );
+  }
+  static allowInsideNamespace(namespace, cluster, opts) {
+    return _NetworkPolicy.create(
+      "allow-inside-namespace",
+      {
+        namespace,
+        cluster,
+        description: "Allow all traffic inside the namespace.",
+        selector: {},
+        ingressRule: { fromNamespace: namespace },
+        egressRule: { toNamespace: namespace }
+      },
+      opts
+    );
+  }
+  static allowKubeApiServer(namespace, cluster, opts) {
+    return _NetworkPolicy.create(
+      "allow-kube-api-server",
+      {
+        namespace,
+        cluster,
+        description: "Allow all traffic to the Kubernetes API server from the namespace.",
+        allowKubeApiServer: true
+      },
+      opts
+    );
+  }
+  static allowKubeDns(namespace, cluster, opts) {
+    return _NetworkPolicy.create(
+      "allow-kube-dns",
+      {
+        namespace,
+        cluster,
+        description: "Allow all traffic to the Kubernetes DNS server from the namespace.",
+        allowKubeDns: true
+      },
+      opts
+    );
+  }
+  static allowAllEgress(namespace, cluster, opts) {
+    return _NetworkPolicy.create(
+      "allow-all-egress",
+      {
+        namespace,
+        cluster,
+        description: "Allow all egress traffic from the namespace.",
+        egressRule: { toAll: true }
+      },
+      opts
+    );
+  }
+  static allowAllIngress(namespace, cluster, opts) {
+    return _NetworkPolicy.create(
+      "allow-all-ingress",
+      {
+        namespace,
+        cluster,
+        description: "Allow all ingress traffic to the namespace.",
+        ingressRule: { fromAll: true }
+      },
+      opts
+    );
+  }
+  static allowEgressToEndpoint(endpoint, namespace, cluster, opts) {
+    const parsedEndpoint = parseL34Endpoint(endpoint);
+    return _NetworkPolicy.create(
+      `allow-egress-to-${l34EndpointToString(parsedEndpoint).replace(":", "-")}`,
+      {
+        namespace,
+        cluster,
+        description: interpolate`Allow egress traffic to "${l34EndpointToString(parsedEndpoint)}" from the namespace.`,
+        egressRule: { toEndpoint: endpoint }
+      },
+      opts
+    );
+  }
+  static allowEgressToBestEndpoint(endpoints, namespace, cluster, opts) {
+    return output8({ endpoints, cluster }).apply(({ endpoints: endpoints2, cluster: cluster2 }) => {
+      const bestEndpoint = requireBestEndpoint(endpoints2.map(parseL34Endpoint), cluster2);
+      return _NetworkPolicy.allowEgressToEndpoint(bestEndpoint, namespace, cluster2, opts);
+    });
+  }
+  static allowIngressFromEndpoint(endpoint, namespace, cluster, opts) {
+    const parsedEndpoint = parseL34Endpoint(endpoint);
+    return _NetworkPolicy.create(
+      `allow-ingress-from-${l34EndpointToString(parsedEndpoint)}`,
+      {
+        namespace,
+        cluster,
+        description: interpolate`Allow ingress traffic from "${l34EndpointToString(parsedEndpoint)}" to the namespace.`,
+        ingressRule: { fromEndpoint: endpoint }
+      },
+      opts
+    );
+  }
+};
+var NativeNetworkPolicy = class _NativeNetworkPolicy extends NetworkPolicy {
+  create(name, args, opts) {
+    const ingress = _NativeNetworkPolicy.createIngressRules(args);
+    const egress = _NativeNetworkPolicy.createEgressRules(args);
+    const policyTypes = [];
+    if (ingress.length > 0 || args.isolateIngress) {
+      policyTypes.push("Ingress");
+    }
+    if (egress.length > 0 || args.isolateEgress) {
+      policyTypes.push("Egress");
+    }
+    return new networking.v1.NetworkPolicy(
+      name,
+      {
+        metadata: mergeDeep(mapMetadata(args, name), {
+          annotations: args.description ? { "kubernetes.io/description": args.description } : void 0
+        }),
+        spec: {
+          podSelector: args.podSelector,
+          ingress,
+          egress,
+          policyTypes
+        }
+      },
+      opts
+    );
+  }
+  static fallbackIpBlock = {
+    cidr: "0.0.0.0/0",
+    except: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+  };
+  static fallbackDnsRule = {
+    to: [
+      {
+        namespaceSelector: { matchLabels: { "kubernetes.io/metadata.name": "kube-system" } },
+        podSelector: { matchLabels: { "k8s-app": "kube-dns" } }
+      }
+    ],
+    ports: [{ port: 53, protocol: "UDP" }]
+  };
+  static createIngressRules(args) {
+    return uniqueBy2(
+      args.ingressRules.map((rule) => ({
+        from: rule.all ? [] : _NativeNetworkPolicy.createRulePeers(rule),
+        ports: _NativeNetworkPolicy.mapPorts(rule.ports)
+      })),
+      (rule) => JSON.stringify(rule)
+    );
+  }
+  static createEgressRules(args) {
+    const extraRules = [];
+    const needKubeDns = args.egressRules.some((rule) => rule.fqdns.length > 0);
+    if (needKubeDns) {
+      extraRules.push(_NativeNetworkPolicy.fallbackDnsRule);
+    }
+    const needFallback = args.egressRules.some(
+      (rule) => rule.fqdns.some((fqdn) => !fqdn.endsWith(".cluster.local"))
+    );
+    if (needFallback) {
+      extraRules.push({ to: [{ ipBlock: _NativeNetworkPolicy.fallbackIpBlock }] });
+    }
+    if (args.allowKubeApiServer) {
+      const { quirks, apiEndpoints } = args.cluster;
+      if (quirks?.fallbackKubeApiAccess) {
+        extraRules.push({
+          to: [{ ipBlock: { cidr: `${quirks?.fallbackKubeApiAccess.serverIp}/32` } }],
+          ports: [{ port: quirks?.fallbackKubeApiAccess.serverPort, protocol: "TCP" }]
+        });
+      } else {
+        const rules = apiEndpoints.filter((endpoint) => endpoint.type !== "hostname").map((endpoint) => ({
+          to: [{ ipBlock: { cidr: l3EndpointToCidr(endpoint) } }],
+          ports: [{ port: endpoint.port, protocol: "TCP" }]
+        }));
+        extraRules.push(...rules);
+      }
+    }
+    return uniqueBy2(
+      args.egressRules.map((rule) => {
+        return {
+          to: rule.all ? [] : _NativeNetworkPolicy.createRulePeers(rule),
+          ports: _NativeNetworkPolicy.mapPorts(rule.ports)
+        };
+      }).filter((rule) => rule.to !== void 0).concat(extraRules),
+      (rule) => JSON.stringify(rule)
+    );
+  }
+  static createRulePeers(args) {
+    const peers = uniqueBy2(
+      [
+        ..._NativeNetworkPolicy.createCidrPeers(args),
+        ..._NativeNetworkPolicy.createServicePeers(args),
+        ..._NativeNetworkPolicy.createSelectorPeers(args)
+      ],
+      (peer) => JSON.stringify(peer)
+    );
+    return peers.length > 0 ? peers : void 0;
+  }
+  static createCidrPeers(args) {
+    return args.cidrs.map((cidr) => ({ ipBlock: { cidr } }));
+  }
+  static createServicePeers(args) {
+    return args.services.map((service) => {
+      const selector = mapServiceToLabelSelector(service);
+      return {
+        namespaceSelector: mapNamespaceNameToSelector(service.metadata.namespace),
+        podSelector: selector
+      };
+    });
+  }
+  static createSelectorPeers(args) {
+    const selectorPeers = args.selectors.map((selector) => ({
+      podSelector: mapSelectorLikeToSelector(selector)
+    }));
+    const namespacePeers = args.namespaces.map(_NativeNetworkPolicy.createNamespacePeer);
+    if (namespacePeers.length === 0) {
+      return selectorPeers;
+    }
+    if (selectorPeers.length === 0) {
+      return namespacePeers;
+    }
+    return flat(
+      selectorPeers.map((selectorPeer) => {
+        return namespacePeers.map((namespacePeer) => merge(selectorPeer, namespacePeer));
+      })
+    );
+  }
+  static createNamespacePeer(namespace) {
+    const namespaceName = mapNamespaceLikeToNamespaceName(namespace);
+    const namespaceSelector = mapNamespaceNameToSelector(namespaceName);
+    return { namespaceSelector };
+  }
+  static mapPorts(ports) {
+    return ports.map((port) => {
+      if ("port" in port) {
+        return {
+          port: port.port,
+          protocol: port.protocol ?? "TCP"
+        };
+      }
+      return {
+        port: port.range[0],
+        endPort: port.range[1],
+        protocol: port.protocol ?? "TCP"
+      };
+    });
+  }
+};
+
+// src/workload.ts
+import {
+  normalize as normalize5
+} from "@highstate/pulumi";
+import {
+  ComponentResource as ComponentResource7,
+  interpolate as interpolate2,
+  output as output9
+} from "@pulumi/pulumi";
+import { filter, isNonNullish, unique, uniqueBy as uniqueBy3 } from "remeda";
+import { deepmerge as deepmerge3 } from "deepmerge-ts";
+import { sha256 } from "crypto-hash";
+
+// src/pod.ts
+var podSpecDefaults = {
+  automountServiceAccountToken: false
+};
+
+// src/workload.ts
+var workloadExtraArgs = [...commonExtraArgs, "container", "containers"];
+var exposableWorkloadExtraArgs = [...workloadExtraArgs, "service", "httpRoute"];
+function getWorkloadComponents(name, args, parent, opts) {
+  const labels = {
+    "app.kubernetes.io/name": name
+  };
+  const containers = output9(args).apply((args2) => normalize5(args2.container, args2.containers));
+  const rawVolumes = containers.apply((containers2) => {
+    const containerVolumes = containers2.flatMap(
+      (container) => normalize5(container.volume, container.volumes)
+    );
+    const containerVolumeMounts = containers2.flatMap((container) => {
+      return normalize5(container.volumeMount, container.volumeMounts).map((volumeMount) => {
+        return "volume" in volumeMount ? volumeMount.volume : void 0;
+      }).filter(Boolean);
+    });
+    return output9([...containerVolumes, ...containerVolumeMounts]);
+  });
+  const volumes = rawVolumes.apply((rawVolumes2) => {
+    return output9(rawVolumes2.map(mapWorkloadVolume)).apply(uniqueBy3((volume) => volume.name));
+  });
+  const podSpec = output9({ args, containers, volumes }).apply(({ args: args2, containers: containers2, volumes: volumes2 }) => {
+    const spec = {
+      volumes: volumes2,
+      containers: containers2.map((container) => mapContainerToRaw(container, args2.cluster, name)),
+      ...podSpecDefaults
+    };
+    if (containers2.some((container) => container.enableTun) && args2.cluster.quirks?.tunDevicePolicy?.type !== "plugin") {
+      spec.volumes = output9(spec.volumes).apply((volumes3) => [
+        ...volumes3 ?? [],
+        {
+          name: "tun-device",
+          hostPath: {
+            path: "/dev/net/tun"
+          }
+        }
+      ]);
+    }
+    return spec;
+  });
+  const dependencyHash = rawVolumes.apply((rawVolumes2) => {
+    return output9(rawVolumes2.map(getWorkloadVolumeResourceUuid)).apply(filter(isNonNullish)).apply(unique()).apply((ids) => sha256(ids.join(",")));
+  });
+  const podTemplate = output9({ podSpec, dependencyHash }).apply(({ podSpec: podSpec2, dependencyHash: dependencyHash2 }) => {
+    return {
+      metadata: {
+        labels,
+        annotations: {
+          "highstate.io/dependency-hash": dependencyHash2
+        }
+      },
+      spec: podSpec2
+    };
+  });
+  const networkPolicy = output9({ args, containers }).apply(({ args: args2, containers: containers2 }) => {
+    const allowedEndpoints = containers2.flatMap((container) => container.allowedEndpoints ?? []);
+    if (allowedEndpoints.length === 0 && !args2.networkPolicy) {
+      return output9(void 0);
+    }
+    return NetworkPolicy.create(
+      name,
+      {
+        cluster: args2.cluster,
+        namespace: args2.namespace,
+        selector: labels,
+        ...args2.networkPolicy,
+        egressRules: [
+          ...args2.networkPolicy?.egressRules ?? [],
+          ...allowedEndpoints.length > 0 ? [{ toEndpoints: allowedEndpoints }] : []
+        ]
+      },
+      { ...opts, parent: parent() }
+    );
+  });
+  return { labels, containers, volumes, podSpec, podTemplate, networkPolicy };
+}
+function getExposableWorkloadComponents(name, args, parent, opts) {
+  const { labels, containers, volumes, podSpec, podTemplate, networkPolicy } = getWorkloadComponents(name, args, parent, opts);
+  const service = output9({ args, containers }).apply(async ({ args: args2, containers: containers2 }) => {
+    if (!args2.service && !args2.httpRoute) {
+      return void 0;
+    }
+    if (args2.existing?.service) {
+      return Service.of(name, args2.existing.service, args2.cluster, { ...opts, parent: parent() });
+    }
+    if (args2.existing) {
+      return void 0;
+    }
+    const ports = containers2.flatMap((container) => normalize5(container.port, container.ports));
+    return Service.create(
+      name,
+      {
+        ...args2.service,
+        selector: labels,
+        cluster: args2.cluster,
+        namespace: args2.namespace,
+        ports: (
+          // allow to completely override the ports
+          !args2.service?.port && !args2.service?.ports ? ports.map(mapContainerPortToServicePort) : args2.service?.ports
+        )
+      },
+      {
+        ...opts,
+        parent: parent(),
+        provider: await getProvider(args2.cluster)
+      }
+    );
+  });
+  const httpRoute = output9({
+    args,
+    service
+  }).apply(async ({ args: args2, service: service2 }) => {
+    if (!args2.httpRoute || !service2) {
+      return void 0;
+    }
+    if (args2.existing) {
+      return void 0;
+    }
+    return new HttpRoute(
+      name,
+      {
+        ...args2.httpRoute,
+        cluster: args2.cluster,
+        rule: {
+          backend: service2
+        }
+      },
+      {
+        ...opts,
+        parent: parent(),
+        provider: await getProvider(args2.cluster)
+      }
+    );
+  });
+  return { labels, containers, volumes, podSpec, podTemplate, networkPolicy, service, httpRoute };
+}
+var Workload = class _Workload extends ComponentResource7 {
+  constructor(type, name, args, opts, resourceType, cluster, metadata, networkPolicy) {
+    super(type, name, args, opts);
+    this.name = name;
+    this.args = args;
+    this.resourceType = resourceType;
+    this.cluster = cluster;
+    this.metadata = metadata;
+    this.networkPolicy = networkPolicy;
+  }
+  /**
+   * The instance terminal to interact with the deployment.
+   */
+  get terminal() {
+    const containerName = output9(this.args).apply((args) => {
+      const containers = normalize5(args.container, args.containers);
+      return containers[0]?.name ?? this.name;
+    });
+    return output9({
+      name: this.metadata.name,
+      title: interpolate2`${_Workload.getResourceDisplayType(this.resourceType)} (${this.metadata.name})`,
+      description: "Connect to the container of the workload",
+      icon: "devicon:kubernetes",
+      image: images_exports["terminal-kubectl"].image,
+      command: [
+        "exec",
+        "kubectl",
+        "exec",
+        "-it",
+        "-n",
+        this.metadata.namespace,
+        interpolate2`${this.resourceType}/${this.metadata.name}`,
+        "-c",
+        containerName,
+        "--",
+        this.args.terminalShell ?? "bash"
+      ],
+      files: {
+        "/kubeconfig": this.cluster.kubeconfig
+      },
+      env: {
+        KUBECONFIG: "/kubeconfig"
+      }
+    });
+  }
+  static getResourceDisplayType(resourceType) {
+    switch (resourceType) {
+      case "deployment":
+        return "Deployment";
+      case "statefulset":
+        return "StatefulSet";
+      case "daemonset":
+        return "DaemonSet";
+      default:
+        return resourceType.charAt(0).toUpperCase() + resourceType.slice(1);
+    }
+  }
+};
+var ExposableWorkload = class extends Workload {
+  constructor(type, name, args, opts, resourceType, cluster, metadata, networkPolicy, _service, _httpRoute) {
+    super(type, name, args, opts, resourceType, cluster, metadata, networkPolicy);
+    this.name = name;
+    this._service = _service;
+    this._httpRoute = _httpRoute;
+  }
+  /**
+   * The service associated with the workload.
+   */
+  get optionalService() {
+    return this._service;
+  }
+  /**
+   * The HTTP route associated with the workload.
+   */
+  get optionalHttpRoute() {
+    return this._httpRoute;
+  }
+  /**
+   * The service associated with the workload.
+   *
+   * Will throw an error if the service is not available.
+   */
+  get service() {
+    return this._service.apply((service) => {
+      if (!service) {
+        throw new Error(`The service of the workload "${this.name}" is not available.`);
+      }
+      return service;
+    });
+  }
+  /**
+   * The HTTP route associated with the workload.
+   *
+   * Will throw an error if the HTTP route is not available.
+   */
+  get httpRoute() {
+    return this._httpRoute.apply((httpRoute) => {
+      if (!httpRoute) {
+        throw new Error(`The HTTP route of the workload "${this.name}" is not available.`);
+      }
+      return httpRoute;
+    });
+  }
+  /**
+   * Creates a generic workload or patches the existing one.
+   */
+  static createOrPatchGeneric(name, args, opts) {
+    return output9(args).apply(async (args2) => {
+      if (args2.existing?.type === "k8s.deployment") {
+        const { Deployment } = await import("./deployment-KOZNZXJA.js");
+        return Deployment.patch(
+          name,
+          {
+            ...deepmerge3(args2, args2.deployment),
+            name: args2.existing.metadata.name,
+            namespace: args2.existing.metadata.namespace
+          },
+          opts
+        );
+      }
+      if (args2.existing?.type === "k8s.stateful-set") {
+        const { StatefulSet } = await import("./stateful-set-H5BR3H5D.js");
+        return StatefulSet.patch(
+          name,
+          {
+            ...deepmerge3(args2, args2.statefulSet),
+            name: args2.existing.metadata.name,
+            namespace: args2.existing.metadata.namespace
+          },
+          opts
+        );
+      }
+      if (args2.type === "Deployment") {
+        const { Deployment } = await import("./deployment-KOZNZXJA.js");
+        return Deployment.create(name, deepmerge3(args2, args2.deployment), opts);
+      }
+      if (args2.type === "StatefulSet") {
+        const { StatefulSet } = await import("./stateful-set-H5BR3H5D.js");
+        return StatefulSet.create(name, deepmerge3(args2, args2.statefulSet), opts);
+      }
+      throw new Error(`Unknown workload type: ${args2.type}`);
+    });
+  }
+};
+
+export {
+  hasServiceMetadata,
+  getServiceMetadata,
+  withServiceMetadata,
+  isFromCluster,
+  Service,
+  mapContainerPortToServicePort,
+  mapServiceToLabelSelector,
+  getServiceType,
+  HttpRoute,
+  PersistentVolumeClaim,
+  Secret,
+  ConfigMap,
+  getBestEndpoint,
+  requireBestEndpoint,
+  NetworkPolicy,
+  exposableWorkloadExtraArgs,
+  getWorkloadComponents,
+  getExposableWorkloadComponents,
+  Workload,
+  ExposableWorkload
+};
+//# sourceMappingURL=chunk-P2UABKGA.js.map