@highstate/k8s 0.9.16 → 0.9.19

package/src/helm.ts

@@ -1,26 +1,33 @@
-import type { k8s } from "@highstate/library"
-import type { Workload } from "./workload"
-import { resolve } from "node:path"
+import type { UnitTerminal } from "@highstate/contract"
+import type { Namespace } from "./namespace"
+import type { Workload, WorkloadTerminalArgs } from "./workload"
 import { mkdir, readFile, unlink } from "node:fs/promises"
-import { normalize, toPromise, type InputMap, type InstanceTerminal } from "@highstate/pulumi"
-import { apps, core, helm, types } from "@pulumi/kubernetes"
+import { resolve } from "node:path"
+import { AccessPointRoute, type AccessPointRouteArgs } from "@highstate/common"
+import {
+  type InputArray,
+  type InputRecord,
+  normalize,
+  normalizeInputs,
+  toPromise,
+} from "@highstate/pulumi"
+import { local } from "@pulumi/command"
+import { apps, core, helm, type types } from "@pulumi/kubernetes"
 import {
   ComponentResource,
-  output,
   type ComponentResourceOptions,
   type Input,
   type Output,
+  output,
 } from "@pulumi/pulumi"
-import spawn from "nano-spawn"
 import { sha256 } from "crypto-hash"
-import { omit } from "remeda"
-import { local } from "@pulumi/command"
 import { glob } from "glob"
+import spawn from "nano-spawn"
+import { isNonNullish, omit } from "remeda"
+import { Deployment } from "./deployment"
 import { NetworkPolicy, type NetworkPolicyArgs } from "./network-policy"
-import { HttpRoute, type HttpRouteArgs } from "./gateway"
-import { getProvider, mapNamespaceLikeToNamespaceName, type NamespaceLike } from "./shared"
 import { getServiceType, Service, type ServiceArgs } from "./service"
-import { Deployment } from "./deployment"
+import { getNamespaceName, getProvider, type NamespaceLike } from "./shared"
 import { StatefulSet } from "./stateful-set"
 
 export type ChartArgs = Omit<
@@ -30,7 +37,7 @@ export type ChartArgs = Omit<
   /**
    * The namespace to deploy the chart into.
    */
-  namespace?: Input<NamespaceLike>
+  namespace: Input<Namespace>
 
   /**
    * The custom name of the primary service exposed by the chart.
@@ -52,14 +59,21 @@ export type ChartArgs = Omit<
   chart: ChartManifest
 
   /**
-   * The cluster to create the resource in.
+   * The args for the terminal to use.
+   *
+   * Will be applied to all workloads created by the chart.
+   */
+  terminal?: Input<WorkloadTerminalArgs>
+
+  /**
+   * The configuration for the access point route to create.
    */
-  cluster: Input<k8s.Cluster>
+  route?: Input<Omit<AccessPointRouteArgs, "endpoints" | "customData">>
 
   /**
-   * The http route args to bind the service to.
+   * The configuration for the access point routes to create.
    */
-  httpRoute?: Input<Omit<HttpRouteArgs, "cluster">>
+  routes?: InputArray<Omit<AccessPointRouteArgs, "endpoints" | "customData">>
 
   /**
    * The network policy to apply to the chart.
@@ -79,9 +93,9 @@ export class Chart extends ComponentResource {
   public readonly chart: Output<helm.v4.Chart>
 
   /**
-   * The HTTP route associated with the deployment.
+   * The access point routes created for the chart.
    */
-  public readonly httpRoute: Output<HttpRoute | undefined>
+  public readonly routes: Output<AccessPointRoute[]>
 
   /**
    * The network policies applied to the chart.
@@ -101,10 +115,10 @@ export class Chart extends ComponentResource {
     super("highstate:k8s:Chart", name, args, opts)
 
     const namespace = output(args.namespace).apply(namespace =>
-      output(namespace ? mapNamespaceLikeToNamespaceName(namespace) : "default"),
+      output(namespace ? getNamespaceName(namespace) : "default"),
     )
 
-    this.chart = output({ args, namespace }).apply(async ({ args, namespace }) => {
+    this.chart = output(args.namespace).cluster.apply(cluster => {
       return new helm.v4.Chart(
         name,
         omit(
@@ -113,17 +127,19 @@ export class Chart extends ComponentResource {
             chart: resolveHelmChart(args.chart),
             namespace,
           },
-          ["httpRoute"],
+          ["route", "routes"],
         ),
         {
           ...opts,
           parent: this,
-          provider: await getProvider(args.cluster),
+          provider: getProvider(cluster),
 
           transforms: [
             ...(opts?.transforms ?? []),
 
-            resourceArgs => {
+            async resourceArgs => {
+              const namespace = await toPromise(output(args.namespace).metadata.name)
+
               const serviceName = args.serviceName ?? name
               const expectedName = `${name}:${namespace}/${serviceName}`
 
@@ -140,10 +156,10 @@ export class Chart extends ComponentResource {
                       ...spec,
                       ...(args.service ?? {}),
 
-                      type: getServiceType(args.service, args.cluster),
+                      type: getServiceType(args.service, cluster),
 
                       externalIPs:
-                        args.service?.externalIPs ?? args.cluster.externalIps ?? spec.externalIPs,
+                        args.service?.externalIPs ?? cluster.externalIps ?? spec.externalIPs,
                     },
                   },
                   opts: resourceArgs.opts,
@@ -157,21 +173,27 @@ export class Chart extends ComponentResource {
       )
     })
 
-    this.httpRoute = output(args.httpRoute).apply(httpRoute => {
-      if (!httpRoute) {
-        return undefined
+    this.routes = output(normalizeInputs(args.route, args.routes)).apply(async routes => {
+      if (routes.length === 0) {
+        return []
       }
 
-      return new HttpRoute(
-        name,
-        {
-          ...httpRoute,
-          cluster: args.cluster,
-          rule: {
-            backend: this.service,
-          },
-        },
-        { ...opts, parent: this },
+      return await Promise.all(
+        routes.map(async route => {
+          return new AccessPointRoute(
+            name,
+            {
+              ...route,
+
+              endpoints: this.service.endpoints,
+
+              // pass the native data to the route to allow implementation to use it
+              gatewayNativeData: await toPromise(this.service),
+              tlsCertificateNativeData: await toPromise(args.namespace),
+            },
+            { ...opts, parent: this },
+          )
+        }),
       )
     })
 
@@ -180,13 +202,12 @@ export class Chart extends ComponentResource {
 
       return output(
         policies.map(policy => {
-          return NetworkPolicy.create(
+          return new NetworkPolicy(
             name,
             {
               ...policy,
-
-              cluster: args.cluster,
               namespace: args.namespace,
+              description: `Network policy for Helm chart "${name}"`,
             },
             { ...opts, parent: this },
           )
@@ -201,19 +222,32 @@ export class Chart extends ComponentResource {
             .map(resource => {
               if (apps.v1.Deployment.isInstance(resource)) {
                 return resource.metadata.name.apply(name => {
-                  return Deployment.wrap(name, resource, this.args.cluster, this.opts)
+                  return Deployment.wrap(
+                    name,
+                    { namespace: args.namespace, deployment: resource, terminal: args.terminal },
+                    this.opts,
+                  )
                 })
               }
 
               if (apps.v1.StatefulSet.isInstance(resource)) {
                 return resource.metadata.name.apply(name => {
-                  return StatefulSet.wrap(name, resource, this.args.cluster, this.opts)
+                  return StatefulSet.wrap(
+                    name,
+                    {
+                      namespace: args.namespace,
+                      statefulSet: resource,
+                      service: this.getServiceOutput(name),
+                      terminal: args.terminal,
+                    },
+                    this.opts,
+                  )
                 })
               }
 
               return undefined
             })
-            .filter(workload => workload !== undefined) as Output<Workload>[]
+            .filter(isNonNullish)
         }),
       )
     })
@@ -223,7 +257,7 @@ export class Chart extends ComponentResource {
     return this.getServiceOutput(undefined)
   }
 
-  get terminals(): Output<InstanceTerminal[]> {
+  get terminals(): Output<UnitTerminal[]> {
     return this.workloads.apply(workloads => output(workloads.map(workload => workload.terminal)))
   }
 
@@ -241,10 +275,8 @@ export class Chart extends ComponentResource {
       const service = getChartServiceOutput(chart, resolvedName)
 
       const wrappedService = Service.wrap(
-        //
         resolvedName,
-        service,
-        args.cluster,
+        { namespace: args.namespace, service },
         { ...this.opts, parent: this },
       )
 
@@ -272,7 +304,7 @@ export type RenderedChartArgs = {
   /**
    * The values to pass to the chart.
    */
-  values?: InputMap<string>
+  values?: InputRecord<string>
 }
 
 export class RenderedChart extends ComponentResource {
@@ -302,9 +334,7 @@ export class RenderedChart extends ComponentResource {
             "template",
             resolveHelmChart(args.chart),
 
-            ...(args.namespace
-              ? ["--namespace", mapNamespaceLikeToNamespaceName(args.namespace)]
-              : []),
+            ...(args.namespace ? ["--namespace", getNamespaceName(args.namespace)] : []),
 
             ...values,
           ]).apply(command => command.join(" ")),

package/src/impl/gateway-route.ts

@@ -0,0 +1,155 @@
+import type { Secret } from "../secret"
+import { filterEndpoints, gatewayRouteMediator, type TlsCertificate } from "@highstate/common"
+import { k8s } from "@highstate/library"
+import { type Input, toPromise } from "@highstate/pulumi"
+import { core } from "@pulumi/kubernetes"
+import { Gateway, HttpRoute } from "../gateway"
+import { Namespace } from "../namespace"
+import { l4EndpointToServicePort, Service } from "../service"
+import { getProvider, mapMetadata } from "../shared"
+import { Certificate } from "../tls"
+
+export const createGatewayRoute = gatewayRouteMediator.implement(
+  k8s.gatewayDataSchema,
+  async ({ name, spec, opts }, data) => {
+    const namespace =
+      spec.nativeData instanceof Service
+        ? await toPromise(spec.nativeData.namespace)
+        : Namespace.for(data.namespace, data.cluster)
+
+    const certSecret = await getCertificateSecret(name, namespace, spec.tlsCertificate)
+
+    const certificateRef = certSecret
+      ? {
+          kind: "Secret",
+          group: "",
+          name: certSecret.metadata.name,
+        }
+      : undefined
+
+    const gateway = await Gateway.createOnce(
+      {
+        name,
+        namespace,
+        gatewayClassName: data.className,
+        listeners: [
+          {
+            name: "https",
+            port: data.httpsPort,
+            protocol: "HTTPS",
+            tls: {
+              mode: "Terminate",
+              certificateRefs: certificateRef ? [certificateRef] : undefined,
+            },
+          },
+        ],
+      },
+      opts,
+    )
+
+    // 1. short path - just create an HTTP route backed by a service
+    if (spec.nativeData instanceof Service) {
+      const httpRoute = new HttpRoute(
+        name,
+        {
+          gateway,
+          rule: { backend: spec.nativeData },
+        },
+        opts,
+      )
+
+      return {
+        resource: httpRoute,
+        endpoints: await toPromise(gateway.endpoints),
+      }
+    }
+
+    // 2. long path - create a virtual service with provided endpoints
+    const endpoints = await toPromise(spec.endpoints)
+    const hostnameEndpoints = filterEndpoints(endpoints, undefined, ["hostname"])
+    const ipEndpoints = filterEndpoints(endpoints, undefined, ["ipv4", "ipv6"])
+
+    let service: Service
+
+    if (
+      hostnameEndpoints.length > 0 &&
+      hostnameEndpoints[0].visibility > ipEndpoints[0]?.visibility
+    ) {
+      // if the hostname endpoints are more visible, create a service for the first hostname with ExternalName
+      service = Service.create(`hs-backend-${name}`, {
+        namespace,
+        type: "ExternalName",
+        externalName: hostnameEndpoints[0].hostname,
+        ports: hostnameEndpoints.map(l4EndpointToServicePort),
+      })
+    } else {
+      // otherwise, create a headless service and populate it with IPs
+      service = Service.create(`hs-backend-${name}`, {
+        namespace,
+        type: "ClusterIP",
+        ports: ipEndpoints.map(l4EndpointToServicePort),
+      })
+
+      const endpointsName = `hs-backend-${name}`
+
+      new core.v1.Endpoints(
+        endpointsName,
+        {
+          metadata: mapMetadata({ namespace }, endpointsName),
+          subsets: ipEndpoints.map(endpoint => ({
+            addresses: [{ ip: endpoint.address }],
+            ports: [l4EndpointToServicePort(endpoint)],
+          })),
+        },
+        { ...opts, provider: getProvider(data.cluster), parent: service },
+      )
+    }
+
+    const httpRoute = new HttpRoute(
+      name,
+      {
+        gateway,
+        rule: {
+          backend: service,
+        },
+      },
+      opts,
+    )
+
+    return {
+      resource: httpRoute,
+      endpoints: await toPromise(gateway.endpoints),
+    }
+  },
+)
+
+async function getCertificateSecret(
+  _name: string,
+  namespace: Namespace,
+  tlsCertificate: Input<TlsCertificate | undefined> | undefined,
+): Promise<Secret | undefined> {
+  const resolvedCertificate = await toPromise(tlsCertificate)
+  if (!resolvedCertificate) {
+    return undefined
+  }
+
+  const resource = await toPromise(resolvedCertificate.resource)
+
+  if (resource instanceof Certificate) {
+    const certNamespace = await toPromise(resource.namespace.metadata.name)
+    const certClusterId = await toPromise(resource.namespace.cluster.id)
+
+    const targetNamespace = await toPromise(namespace.metadata.name)
+    const targetClusterId = await toPromise(namespace.cluster.id)
+
+    if (certNamespace === targetNamespace && certClusterId === targetClusterId) {
+      // 1. short path - same namespace and cluster, just return the secret
+      return await toPromise(resource.secret)
+    }
+  }
+
+  // 2. long path - create a new secret in the target namespace with the certificate data
+  throw new Error(
+    "Not implemented: copying certificate secret across namespaces/clusters/different systems",
+  )
+}

package/src/impl/tls-certificate.ts

@@ -0,0 +1,33 @@
+import { tlsCertificateMediator } from "@highstate/common"
+import { k8s } from "@highstate/library"
+import { getProvider } from "../shared"
+import { Namespace } from "../namespace"
+import { Certificate } from "../tls"
+
+export const createCertificate = tlsCertificateMediator.implement(
+  k8s.tlsIssuerDataSchema,
+  ({ name, spec, opts }, data) => {
+    const provider = getProvider(data.cluster)
+
+    const namespace =
+      spec.nativeData instanceof Namespace
+        ? spec.nativeData
+        : Namespace.get("cert-manager", { name: "cert-manager", cluster: data.cluster })
+
+    return Certificate.create(
+      name,
+      {
+        namespace,
+
+        commonName: spec.commonName,
+        dnsNames: spec.dnsNames,
+        issuerRef: {
+          name: data.clusterIssuerName,
+          kind: "ClusterIssuer",
+        },
+        secretName: `hs.certificate.${name}`,
+      },
+      { ...opts, provider },
+    )
+  },
+)

package/src/index.ts

@@ -1,67 +1,22 @@
-export {
-  getProvider,
-  mapMetadata,
-  mapNamespaceLikeToNamespaceName,
-  mapNamespaceNameToSelector,
-  mapSelectorLikeToSelector,
-  type CommonArgs,
-  type NamespaceLike,
-  type SelectorLike,
-} from "./shared"
-export { type DeploymentArgs, Deployment } from "./deployment"
-export {
-  type ServiceArgs,
-  type ServiceEndpointMetadata,
-  Service,
-  mapContainerPortToServicePort,
-  mapServiceToLabelSelector,
-  hasServiceMetadata,
-  getServiceMetadata,
-  withServiceMetadata,
-  isFromCluster,
-} from "./service"
-export { type SecretArgs, type CreateOrPatchSecretArgs, Secret } from "./secret"
-export { type ConfigMapArgs, type CreateOrPatchConfigMapArgs, ConfigMap } from "./config-map"
-export { type StatefulSetArgs, StatefulSet } from "./stateful-set"
-export {
-  type NetworkPolicyArgs,
-  type NormalizedNetworkPolicyArgs,
-  type NormalizedRuleArgs,
-  type NetworkPolicyPort,
-  NetworkPolicy,
-} from "./network-policy"
-export { useAccessPoint, useStandardAcessPoint } from "./access-point"
-export {
-  type ScriptBundleArgs,
-  type ScriptContainer,
-  type ScriptEnvironment,
-  type ScriptDistribution,
-  ScriptBundle,
-  createScriptContainer,
-} from "./scripting"
-export { type JobArgs, Job } from "./job"
-export { type CronJobArgs, CronJob } from "./cron-job"
-export {
-  type Container,
-  type ContainerEnvironment,
-  type ContainerEnvironmentSource,
-  type ContainerEnvironmentVariable,
-  type ContainerVolumeMount,
-  type WorkloadVolume,
-} from "./container"
-export {
-  type ChartArgs,
-  type ChartManifest,
-  type RenderedChartArgs,
-  Chart,
-  RenderedChart,
-  getChartServiceOutput,
-  getChartService,
-  resolveHelmChart,
-} from "./helm"
-export { type HttpRouteArgs, HttpRoute } from "./gateway"
-export { type PersistentVolumeClaimArgs, PersistentVolumeClaim } from "./pvc"
-export { detectExternalIps, createK8sTerminal } from "./cluster"
-export { getBestEndpoint, requireBestEndpoint } from "./network"
-export { Workload, ExposableWorkload } from "./workload"
-export { type NamespaceArgs, type CreateOrPatchNamespaceArgs, Namespace } from "./namespace"
+export * from "./cluster"
+export * from "./config-map"
+export * from "./container"
+export * from "./cron-job"
+export * from "./deployment"
+export * from "./dns01-solver"
+export * from "./gateway"
+export * from "./helm"
+export * from "./job"
+export * from "./namespace"
+export * from "./network"
+export * from "./network-policy"
+export * from "./pod"
+export * from "./pvc"
+export * from "./rbac"
+export * from "./scripting"
+export * from "./secret"
+export * from "./service"
+export * from "./shared"
+export * from "./stateful-set"
+export * from "./worker"
+export * from "./workload"