@highstate/k8s 0.9.16 → 0.9.19

package/src/pvc.ts

@@ -1,26 +1,27 @@
 import type { k8s } from "@highstate/library"
 import { core, type types } from "@pulumi/kubernetes"
 import {
-  ComponentResource,
-  Output,
+  interpolate,
+  type Output,
   output,
   type ComponentResourceOptions,
-  type CustomResourceOptions,
   type Input,
   type Inputs,
 } from "@highstate/pulumi"
+import { toPromise } from "@highstate/pulumi"
 import { deepmerge } from "deepmerge-ts"
 import { omit } from "remeda"
+import { getOrCreate } from "@highstate/contract"
 import {
   commonExtraArgs,
   getProvider,
   mapMetadata,
-  resourceIdToString,
-  type CommonArgs,
-  type ResourceId,
+  type ScopedResourceArgs,
+  ScopedResource,
 } from "./shared"
+import { Namespace } from "./namespace"
 
-export type PersistentVolumeClaimArgs = CommonArgs &
+export type PersistentVolumeClaimArgs = ScopedResourceArgs &
   types.input.core.v1.PersistentVolumeClaimSpec & {
     /**
      * The size of the volume to request.
@@ -31,27 +32,28 @@ export type PersistentVolumeClaimArgs = CommonArgs &
   }
 
 export type CreateOrGetPersistentVolumeClaimArgs = PersistentVolumeClaimArgs & {
+  /**
+   * The PVC entity to patch/retrieve.
+   */
   existing: Input<k8s.PersistentVolumeClaim> | undefined
 }
 
 const extraPersistentVolumeClaimArgs = [...commonExtraArgs, "size"] as const
 
-export abstract class PersistentVolumeClaim extends ComponentResource {
+/**
+ * Represents a Kubernetes PersistentVolumeClaim resource with metadata and spec.
+ */
+export abstract class PersistentVolumeClaim extends ScopedResource {
   protected constructor(
     type: string,
     name: string,
     args: Inputs,
-    opts: ComponentResourceOptions,
+    opts: ComponentResourceOptions | undefined,
 
-    /**
-     * The cluster where the PVC is created.
-     */
-    readonly cluster: Output<k8s.Cluster>,
-
-    /**
-     * The metadata of the underlying Kubernetes PVC.
-     */
-    readonly metadata: Output<types.output.meta.v1.ObjectMeta>,
+    apiVersion: Output<string>,
+    kind: Output<string>,
+    namespace: Output<Namespace>,
+    metadata: Output<types.output.meta.v1.ObjectMeta>,
 
     /**
      * The spec of the underlying Kubernetes PVC.
@@ -63,7 +65,7 @@ export abstract class PersistentVolumeClaim extends ComponentResource {
      */
     readonly status: Output<types.output.core.v1.PersistentVolumeClaimStatus>,
   ) {
-    super(type, name, args, opts)
+    super(type, name, args, opts, apiVersion, kind, namespace, metadata)
   }
 
   /**
@@ -71,81 +73,238 @@ export abstract class PersistentVolumeClaim extends ComponentResource {
    */
   get entity(): Output<k8s.PersistentVolumeClaim> {
     return output({
-      type: "k8s.persistent-volume-claim",
+      type: "persistent-volume-claim",
       clusterId: this.cluster.id,
+      clusterName: this.cluster.name,
       metadata: this.metadata,
     })
   }
 
+  /**
+   * Creates a new PVC.
+   */
   static create(
     name: string,
     args: PersistentVolumeClaimArgs,
-    opts: ComponentResourceOptions,
+    opts?: ComponentResourceOptions,
   ): PersistentVolumeClaim {
     return new CreatedPersistentVolumeClaim(name, args, opts)
   }
 
-  static of(
+  /**
+   * Creates a new PVC or patches an existing one.
+   *
+   * @param name The name of the resource. May not be the same as the PVC name.
+   * @param args The arguments to create or patch the PVC with.
+   * @param opts Optional resource options.
+   */
+  static createOrPatch(
     name: string,
-    entity: Input<k8s.PersistentVolumeClaim>,
-    cluster: Input<k8s.Cluster>,
-    opts: ComponentResourceOptions,
+    args: CreateOrGetPersistentVolumeClaimArgs,
+    opts?: ComponentResourceOptions,
   ): PersistentVolumeClaim {
-    return new ExternalPersistentVolumeClaim(name, output(entity).metadata, cluster, opts)
+    if (args.existing) {
+      return new PersistentVolumeClaimPatch(name, {
+        ...args,
+        name: output(args.existing).metadata.name,
+      })
+    }
+
+    return new CreatedPersistentVolumeClaim(name, args, opts)
   }
 
-  static createOrGet(
+  /**
+   * Creates a new PVC or gets an existing one.
+   *
+   * @param name The name of the resource. May not be the same as the PVC name. Will not be used when existing PVC is retrieved.
+   * @param args The arguments to create or get the PVC with.
+   * @param opts Optional resource options.
+   */
+  static async createOrGet(
     name: string,
     args: CreateOrGetPersistentVolumeClaimArgs,
-    opts: ComponentResourceOptions,
-  ): PersistentVolumeClaim {
-    if (!args.existing) {
-      return new CreatedPersistentVolumeClaim(name, args, opts)
+    opts?: ComponentResourceOptions,
+  ): Promise<PersistentVolumeClaim> {
+    if (args.existing) {
+      return await PersistentVolumeClaim.forAsync(args.existing, output(args.namespace).cluster)
     }
 
-    return new ExternalPersistentVolumeClaim(
+    return new CreatedPersistentVolumeClaim(name, args, opts)
+  }
+
+  /**
+   * Patches an existing PVC.
+   *
+   * Will throw an error if the PVC does not exist.
+   *
+   * @param name The name of the resource. May not be the same as the PVC name.
+   * @param args The arguments to patch the PVC with.
+   * @param opts Optional resource options.
+   */
+  static patch(
+    name: string,
+    args: PersistentVolumeClaimArgs,
+    opts?: ComponentResourceOptions,
+  ): PersistentVolumeClaim {
+    return new PersistentVolumeClaimPatch(name, args, opts)
+  }
+
+  /**
+   * Wraps an existing Kubernetes PVC.
+   */
+  static wrap(
+    name: string,
+    args: WrappedPersistentVolumeClaimArgs,
+    opts?: ComponentResourceOptions,
+  ): PersistentVolumeClaim {
+    return new WrappedPersistentVolumeClaim(name, args, opts)
+  }
+
+  /**
+   * Gets an existing PVC.
+   *
+   * Will throw an error if the PVC does not exist.
+   */
+  static get(
+    name: string,
+    args: ExternalPersistentVolumeClaimArgs,
+    opts?: ComponentResourceOptions,
+  ): PersistentVolumeClaim {
+    return new ExternalPersistentVolumeClaim(name, args, opts)
+  }
+
+  private static readonly pvcCache = new Map<string, PersistentVolumeClaim>()
+
+  /**
+   * Gets an existing PVC for a given entity.
+   * Prefer this method over `get` when possible.
+   *
+   * It automatically names the resource with the following format: `{clusterName}.{namespace}.{name}.{clusterId}`.
+   *
+   * This method is idempotent and will return the same instance for the same entity.
+   *
+   * @param entity The entity to get the PVC for.
+   * @param cluster The cluster where the PVC is located.
+   */
+  static for(
+    entity: k8s.PersistentVolumeClaim,
+    cluster: Input<k8s.Cluster>,
+  ): PersistentVolumeClaim {
+    return getOrCreate(
+      PersistentVolumeClaim.pvcCache,
+      `${entity.clusterName}.${entity.metadata.namespace}.${entity.metadata.name}.${entity.clusterId}`,
+      name => {
+        return PersistentVolumeClaim.get(name, {
+          name: entity.metadata.name,
+          namespace: Namespace.forResource(entity, cluster),
+        })
+      },
+    )
+  }
+
+  /**
+   * Gets an existing PVC for a given entity.
+   * Prefer this method over `get` when possible.
+   *
+   * It automatically names the resource with the following format: `{clusterName}.{namespace}.{name}.{clusterId}`.
+   *
+   * This method is idempotent and will return the same instance for the same entity.
+   *
+   * @param entity The entity to get the PVC for.
+   * @param cluster The cluster where the PVC is located.
+   */
+  static async forAsync(
+    entity: Input<k8s.PersistentVolumeClaim>,
+    cluster: Input<k8s.Cluster>,
+  ): Promise<PersistentVolumeClaim> {
+    const resolvedEntity = await toPromise(entity)
+    return PersistentVolumeClaim.for(resolvedEntity, cluster)
+  }
+}
+
+class CreatedPersistentVolumeClaim extends PersistentVolumeClaim {
+  constructor(name: string, args: PersistentVolumeClaimArgs, opts?: ComponentResourceOptions) {
+    const pvc = output(args.namespace).cluster.apply(cluster => {
+      return new core.v1.PersistentVolumeClaim(
+        name,
+        {
+          metadata: mapMetadata(args, name),
+          spec: output(args).apply(args => {
+            return deepmerge(
+              {
+                accessModes: ["ReadWriteOnce"],
+                resources: {
+                  requests: {
+                    storage: args.size ?? "100Mi",
+                  },
+                },
+              } satisfies types.input.core.v1.PersistentVolumeClaimSpec,
+              omit(args, extraPersistentVolumeClaimArgs),
+            )
+          }),
+        },
+        {
+          ...opts,
+          parent: this,
+          provider: getProvider(cluster),
+        },
+      )
+    })
+
+    super(
+      "highstate:k8s:PersistentVolumeClaim",
       name,
-      output(args.existing).metadata,
-      args.cluster,
+      args,
       opts,
+
+      pvc.apiVersion,
+      pvc.kind,
+      output(args.namespace),
+      pvc.metadata,
+      pvc.spec,
+      pvc.status,
     )
   }
 }
 
-export class CreatedPersistentVolumeClaim extends PersistentVolumeClaim {
-  constructor(name: string, args: PersistentVolumeClaimArgs, opts: CustomResourceOptions) {
-    const pvc = output(args).apply(async args => {
-      return new core.v1.PersistentVolumeClaim(
+class PersistentVolumeClaimPatch extends PersistentVolumeClaim {
+  constructor(name: string, args: PersistentVolumeClaimArgs, opts?: ComponentResourceOptions) {
+    const pvc = output(args.namespace).cluster.apply(cluster => {
+      return new core.v1.PersistentVolumeClaimPatch(
         name,
         {
           metadata: mapMetadata(args, name),
-          spec: deepmerge(
-            {
-              accessModes: ["ReadWriteOnce"],
-              resources: {
-                requests: {
-                  storage: args.size ?? "100Mi",
+          spec: output(args).apply(args => {
+            return deepmerge(
+              {
+                accessModes: ["ReadWriteOnce"],
+                resources: {
+                  requests: {
+                    storage: args.size ?? "100Mi",
+                  },
                 },
-              },
-            } satisfies types.input.core.v1.PersistentVolumeClaimSpec,
-            omit(args, extraPersistentVolumeClaimArgs),
-          ),
+              } satisfies types.input.core.v1.PersistentVolumeClaimSpec,
+              omit(args, extraPersistentVolumeClaimArgs),
+            )
+          }),
         },
         {
           ...opts,
           parent: this,
-          provider: await getProvider(args.cluster),
+          provider: getProvider(cluster),
         },
       )
     })
 
     super(
-      "k8s:PersistentVolumeClaim",
+      "highstate:k8s:PersistentVolumeClaimPatch",
       name,
       args,
       opts,
 
-      output(args.cluster),
+      pvc.apiVersion,
+      pvc.kind,
+      output(args.namespace),
       pvc.metadata,
       pvc.spec,
       pvc.status,
@@ -153,33 +312,75 @@ export class CreatedPersistentVolumeClaim extends PersistentVolumeClaim {
   }
 }
 
-export class ExternalPersistentVolumeClaim extends PersistentVolumeClaim {
+export type WrappedPersistentVolumeClaimArgs = {
+  /**
+   * The underlying Kubernetes PVC to wrap.
+   */
+  pvc: Input<core.v1.PersistentVolumeClaim>
+
+  /**
+   * The namespace where the PVC is located.
+   */
+  namespace: Input<Namespace>
+}
+
+class WrappedPersistentVolumeClaim extends PersistentVolumeClaim {
+  constructor(
+    name: string,
+    args: WrappedPersistentVolumeClaimArgs,
+    opts?: ComponentResourceOptions,
+  ) {
+    super(
+      "highstate:k8s:WrappedPersistentVolumeClaim",
+      name,
+      args,
+      opts,
+
+      output(args.pvc).apiVersion,
+      output(args.pvc).kind,
+      output(args.namespace),
+      output(args.pvc).metadata,
+      output(args.pvc).spec,
+      output(args.pvc).status,
+    )
+  }
+}
+
+export type ExternalPersistentVolumeClaimArgs = {
+  /**
+   * The name of the PVC to get.
+   */
+  name: Input<string>
+
+  /**
+   * The namespace where the PVC is located.
+   */
+  namespace: Input<Namespace>
+}
+
+class ExternalPersistentVolumeClaim extends PersistentVolumeClaim {
   constructor(
     name: string,
-    id: Input<ResourceId>,
-    cluster: Input<k8s.Cluster>,
-    opts: ComponentResourceOptions,
+    args: ExternalPersistentVolumeClaimArgs,
+    opts?: ComponentResourceOptions,
   ) {
-    const pvc = output(id).apply(async id => {
+    const pvc = output(args.namespace).cluster.apply(cluster => {
       return core.v1.PersistentVolumeClaim.get(
-        //
         name,
-        resourceIdToString(id),
-        {
-          ...opts,
-          parent: this,
-          provider: await getProvider(cluster),
-        },
+        interpolate`${output(args.namespace).metadata.name}/${args.name}`,
+        { ...opts, parent: this, provider: getProvider(cluster) },
       )
     })
 
     super(
       "highstate:k8s:ExternalPersistentVolumeClaim",
       name,
-      { id, cluster },
+      args,
       opts,
 
-      output(cluster),
+      pvc.apiVersion,
+      pvc.kind,
+      output(args.namespace),
       pvc.metadata,
       pvc.spec,
       pvc.status,

package/src/rbac.ts

@@ -0,0 +1,218 @@
+import type { k8s } from "@highstate/library"
+import type { Namespace } from "./namespace"
+import {
+  ComponentResource,
+  type ComponentResourceOptions,
+  type Input,
+  type InputArray,
+  interpolate,
+  normalizeInputs,
+  type Output,
+  output,
+  toPromise,
+} from "@highstate/pulumi"
+import { KubeConfig } from "@kubernetes/client-node"
+import { core, rbac, type types } from "@pulumi/kubernetes"
+import { map, unique } from "remeda"
+import { Secret } from "./secret"
+import { getNamespaceName, getProvider, type NamespaceLike, type ScopedResource } from "./shared"
+
+export type ClusterAccessScopeArgs = {
+  /**
+   * The namespace to locate the ServiceAccount in.
+   */
+  namespace: Input<Namespace>
+
+  /**
+   * The RBAC rule to apply to the `ServiceAccount`.
+   *
+   * It will be used to create ClusterRole.
+   */
+  rule?: Input<types.input.rbac.v1.PolicyRule>
+
+  /**
+   * The RBAC rules to apply to the `ServiceAccount`.
+   *
+   * It will be used to create `ClusterRole`.
+   */
+  rules?: InputArray<types.input.rbac.v1.PolicyRule>
+
+  /**
+   * Whether to allow the `ServiceAccount` to access resources in the namespace where it is created.
+   *
+   * By default, it is set to `true`.
+   */
+  allowOriginNamespace?: boolean
+
+  /**
+   * The extra namespaces to bind to the `ClusterRole` and allow `ServiceAccount` to access them
+   * with specified `rules`.
+   */
+  extraNamespaces?: InputArray<NamespaceLike>
+
+  /**
+   * Whether to create `ClusterRoleBinding` to bind the `ServiceAccount` to the `ClusterRole`.
+   *
+   * This will allow the `ServiceAccount` to access all namespaces and cluster resources.
+   */
+  clusterWide?: boolean
+}
+
+export class ClusterAccessScope extends ComponentResource {
+  /**
+   * The cluster entity with the reduced access.
+   */
+  readonly cluster: Output<k8s.Cluster>
+
+  constructor(name: string, args: ClusterAccessScopeArgs, opts?: ComponentResourceOptions) {
+    super("highstate:k8s:ClusterAccessScope", name, args, opts)
+
+    const { serviceAccount, kubeconfig } = output(args.namespace).cluster.apply(cluster => {
+      const provider = getProvider(cluster)
+      const namespaceName = output(args.namespace).metadata.name
+
+      const serviceAccount = new core.v1.ServiceAccount(
+        name,
+        {
+          metadata: {
+            name,
+            namespace: namespaceName,
+          },
+        },
+        { provider },
+      )
+
+      const clusterRole = new rbac.v1.ClusterRole(
+        name,
+        {
+          metadata: {
+            name: interpolate`highstate.${namespaceName}.${name}`,
+            annotations: {
+              "kubernetes.io/description": interpolate`Created by Highstate for the ServiceAccount "${name}" in the namespace "${namespaceName}".`,
+            },
+          },
+          rules: normalizeInputs(args.rule, args.rules),
+        },
+        { provider },
+      )
+
+      const createRoleBinding = (namespace: Input<string>) => {
+        return new rbac.v1.RoleBinding(
+          name,
+          {
+            metadata: { name, namespace },
+            roleRef: {
+              kind: "ClusterRole",
+              name: clusterRole.metadata.name,
+              apiGroup: "rbac.authorization.k8s.io",
+            },
+            subjects: [
+              {
+                kind: "ServiceAccount",
+                name: serviceAccount.metadata.name,
+                namespace: namespaceName,
+              },
+            ],
+          },
+          { provider },
+        )
+      }
+
+      if (args.allowOriginNamespace ?? true) {
+        createRoleBinding(namespaceName)
+      }
+
+      output(args.extraNamespaces ?? [])
+        .apply(map(getNamespaceName))
+        .apply(map(createRoleBinding))
+
+      return { serviceAccount, kubeconfig: cluster.kubeconfig }
+    })
+
+    const accessTokenSecret = Secret.create(`${name}-token`, {
+      namespace: args.namespace,
+      type: "kubernetes.io/service-account-token",
+      metadata: {
+        annotations: {
+          "kubernetes.io/service-account.name": serviceAccount.metadata.name,
+        },
+      },
+    })
+
+    this.cluster = output({
+      cluster: output(args.namespace).cluster,
+      kubeconfig,
+      newToken: accessTokenSecret.getValue("token"),
+      serviceAccount: serviceAccount.metadata.name,
+    }).apply(({ cluster, kubeconfig, newToken, serviceAccount }) => {
+      const config = new KubeConfig()
+      config.loadFromString(kubeconfig)
+
+      // clear all existing contexts and users
+      config.users = []
+      config.contexts = []
+
+      config.addUser({ name: serviceAccount, token: newToken })
+
+      config.addContext({
+        name: config.clusters[0].name,
+        cluster: config.clusters[0].name,
+        user: serviceAccount,
+      })
+
+      config.setCurrentContext(config.clusters[0].name)
+
+      return {
+        ...cluster,
+        kubeconfig: config.exportConfig(),
+      }
+    })
+  }
+
+  /**
+   * Creates `ClusterAccessScope` for the given resources with the specified verbs.
+   *
+   * All resources must belong to the same namespace in the same cluster.
+   *
+   * @param name The name of the resource and the ServiceAccount.
+   * @param resources The resources to create access scope for.
+   * @param verbs The verbs to allow on the resources.
+   */
+  static async forResources(
+    name: string,
+    resources: InputArray<ScopedResource>,
+    verbs: string[],
+  ): Promise<ClusterAccessScope> {
+    const resolved = await toPromise(
+      output(resources).apply(resources =>
+        resources.map(r => ({
+          namespaceId: r.namespace.metadata.uid,
+          namespace: r.namespace,
+          metadata: r.metadata,
+          apiVersion: r.apiVersion,
+          kind: r.kind,
+        })),
+      ),
+    )
+
+    if (resolved.length === 0) {
+      throw new Error("No resources provided to forResources.")
+    }
+
+    // verify all resources belong to the same namespace
+    if (unique(resolved.map(r => r.namespaceId)).length !== 1) {
+      throw new Error("All resources must belong to the same namespace.")
+    }
+
+    return new ClusterAccessScope(name, {
+      namespace: resolved[0].namespace,
+      rules: resolved.map(r => ({
+        apiGroups: r.apiVersion === "v1" ? [""] : [r.apiVersion.split("/")[0]],
+        resources: [r.kind.toLowerCase() + (r.metadata?.name ? "s" : "")],
+        // TODO: critical
+        // resourceNames: r.metadata?.name ? [r.metadata.name] : undefined,
+        verbs,
+      })),
+    })
+  }
+}