@highstate/k8s 0.9.16 → 0.9.19

package/src/tls.ts

@@ -0,0 +1,344 @@
+import type { k8s } from "@highstate/library"
+import type { types } from "@pulumi/kubernetes"
+import { cert_manager, type types as cmTypes } from "@highstate/cert-manager"
+import { getOrCreate } from "@highstate/contract"
+import {
+  ComponentResource,
+  type ComponentResourceOptions,
+  type Input,
+  type Inputs,
+  interpolate,
+  type Output,
+  output,
+  toPromise,
+} from "@highstate/pulumi"
+import { omit } from "remeda"
+import { Namespace } from "./namespace"
+import { Secret } from "./secret"
+import { commonExtraArgs, getProvider, mapMetadata, type ScopedResourceArgs } from "./shared"
+
+export type CertificateArgs = ScopedResourceArgs & cmTypes.input.cert_manager.v1.CertificateSpec
+
+export type CreateOrGetCertificateArgs = CertificateArgs & {
+  /**
+   * The certificate entity to patch/retrieve.
+   */
+  existing: Input<k8s.Certificate> | undefined
+}
+
+/**
+ * Represents a cert-manager Certificate resource with metadata and secret.
+ */
+export abstract class Certificate extends ComponentResource {
+  protected constructor(
+    type: string,
+    private readonly name: string,
+    args: Inputs,
+    opts: ComponentResourceOptions | undefined,
+
+    /**
+     * The namespace where the certificate is located.
+     */
+    readonly namespace: Output<Namespace>,
+
+    /**
+     * The metadata of the underlying cert-manager certificate.
+     */
+    readonly metadata: Output<types.output.meta.v1.ObjectMeta>,
+
+    /**
+     * The spec of the underlying cert-manager certificate.
+     */
+    readonly spec: Output<cmTypes.output.cert_manager.v1.CertificateSpec>,
+
+    /**
+     * The status of the underlying cert-manager certificate.
+     */
+    readonly status: Output<cmTypes.output.cert_manager.v1.CertificateStatus>,
+  ) {
+    super(type, name, args, opts)
+  }
+
+  /**
+   * The cluster where the certificate is located.
+   */
+  get cluster(): Output<k8s.Cluster> {
+    return this.namespace.cluster
+  }
+
+  /**
+   * The Highstate certificate entity.
+   */
+  get entity(): Output<k8s.ScopedResource> {
+    return output({
+      type: "certificate",
+      clusterId: this.cluster.id,
+      clusterName: this.cluster.name,
+      metadata: this.metadata,
+    })
+  }
+
+  /**
+   * The secret containing the certificate data.
+   */
+  get secret(): Output<Secret> {
+    return output({
+      secretName: this.spec.apply(spec => spec.secretName),
+      namespace: this.namespace,
+    }).apply(({ secretName, namespace }) => {
+      return Secret.get(`${this.name}.secret`, {
+        name: secretName,
+        namespace,
+      })
+    })
+  }
+
+  /**
+   * Creates a new certificate.
+   */
+  static create(name: string, args: CertificateArgs, opts?: ComponentResourceOptions): Certificate {
+    return new CreatedCertificate(name, args, opts)
+  }
+
+  /**
+   * Creates a new certificate or patches an existing one.
+   *
+   * @param name The name of the resource. May not be the same as the certificate name.
+   * @param args The arguments to create or patch the certificate with.
+   * @param opts Optional resource options.
+   */
+  static createOrPatch(
+    name: string,
+    args: CreateOrGetCertificateArgs,
+    opts?: ComponentResourceOptions,
+  ): Certificate {
+    if (args.existing) {
+      return new CertificatePatch(name, {
+        ...args,
+        name: output(args.existing).metadata.name,
+        namespace: Namespace.forResourceAsync(args.existing, output(args.namespace).cluster),
+      })
+    }
+
+    return new CreatedCertificate(name, args, opts)
+  }
+
+  /**
+   * Creates a new certificate or gets an existing one.
+   *
+   * @param name The name of the resource. May not be the same as the certificate name. Will not be used when existing certificate is retrieved.
+   * @param args The arguments to create or get the certificate with.
+   * @param opts Optional resource options.
+   */
+  static async createOrGet(
+    name: string,
+    args: CreateOrGetCertificateArgs,
+    opts?: ComponentResourceOptions,
+  ): Promise<Certificate> {
+    if (args.existing) {
+      return await Certificate.forAsync(args.existing, output(args.namespace).cluster)
+    }
+
+    return new CreatedCertificate(name, args, opts)
+  }
+
+  /**
+   * Patches an existing certificate.
+   *
+   * Will throw an error if the certificate does not exist.
+   *
+   * @param name The name of the resource. May not be the same as the certificate name.
+   * @param args The arguments to patch the certificate with.
+   * @param opts Optional resource options.
+   */
+  static patch(name: string, args: CertificateArgs, opts?: ComponentResourceOptions): Certificate {
+    return new CertificatePatch(name, args, opts)
+  }
+
+  /**
+   * Wraps an existing cert-manager certificate.
+   */
+  static wrap(
+    name: string,
+    args: WrappedCertificateArgs,
+    opts?: ComponentResourceOptions,
+  ): Certificate {
+    return new WrappedCertificate(name, args, opts)
+  }
+
+  /**
+   * Gets an existing certificate.
+   *
+   * Will throw an error if the certificate does not exist.
+   */
+  static get(
+    name: string,
+    args: ExternalCertificateArgs,
+    opts?: ComponentResourceOptions,
+  ): Certificate {
+    return new ExternalCertificate(name, args, opts)
+  }
+
+  private static readonly certificateCache = new Map<string, Certificate>()
+
+  /**
+   * Gets an existing certificate for a given entity.
+   * Prefer this method over `get` when possible.
+   *
+   * It automatically names the resource with the following format: `{clusterName}.{namespace}.{name}.{clusterId}`.
+   *
+   * This method is idempotent and will return the same instance for the same entity.
+   *
+   * @param entity The entity to get the certificate for.
+   * @param cluster The cluster where the certificate is located.
+   */
+  static for(entity: k8s.Certificate, cluster: Input<k8s.Cluster>): Certificate {
+    return getOrCreate(
+      Certificate.certificateCache,
+      `${entity.clusterName}.${entity.metadata.namespace}.${entity.metadata.name}.${entity.clusterId}`,
+      name => {
+        return Certificate.get(name, {
+          name: entity.metadata.name,
+          namespace: Namespace.forResourceAsync(entity, cluster),
+        })
+      },
+    )
+  }
+
+  /**
+   * Gets an existing certificate for a given entity.
+   * Prefer this method over `get` when possible.
+   *
+   * It automatically names the resource with the following format: `{clusterName}.{namespace}.{name}.{clusterId}`.
+   *
+   * This method is idempotent and will return the same instance for the same entity.
+   *
+   * @param entity The entity to get the certificate for.
+   * @param cluster The cluster where the certificate is located.
+   */
+  static async forAsync(
+    entity: Input<k8s.Certificate>,
+    cluster: Input<k8s.Cluster>,
+  ): Promise<Certificate> {
+    const resolvedEntity = await toPromise(entity)
+    return Certificate.for(resolvedEntity, output(cluster))
+  }
+}
+
+class CreatedCertificate extends Certificate {
+  constructor(name: string, args: CertificateArgs, opts?: ComponentResourceOptions) {
+    const certificate = output(args.namespace).cluster.apply(cluster => {
+      return new cert_manager.v1.Certificate(
+        name,
+        {
+          metadata: mapMetadata(args, name),
+          spec: omit(args, commonExtraArgs),
+        },
+        { ...opts, parent: this, provider: getProvider(cluster) },
+      )
+    })
+
+    super(
+      "highstate:k8s:Certificate",
+      name,
+      args,
+      opts,
+
+      output(args.namespace),
+      certificate.metadata as Output<types.output.meta.v1.ObjectMeta>,
+      certificate.spec,
+      certificate.status,
+    )
+  }
+}
+
+class CertificatePatch extends Certificate {
+  constructor(name: string, args: CertificateArgs, opts?: ComponentResourceOptions) {
+    const certificate = output(args.namespace).cluster.apply(cluster => {
+      return new cert_manager.v1.CertificatePatch(
+        name,
+        {
+          metadata: mapMetadata(args, name),
+          spec: omit(args, commonExtraArgs),
+        },
+        { ...opts, parent: this, provider: getProvider(cluster) },
+      )
+    })
+
+    super(
+      "highstate:k8s:CertificatePatch",
+      name,
+      args,
+      opts,
+
+      output(args.namespace),
+      certificate.metadata as Output<types.output.meta.v1.ObjectMeta>,
+      certificate.spec,
+      certificate.status,
+    )
+  }
+}
+
+export type WrappedCertificateArgs = {
+  /**
+   * The underlying cert-manager certificate to wrap.
+   */
+  certificate: Input<cert_manager.v1.Certificate>
+
+  /**
+   * The namespace where the certificate is located.
+   */
+  namespace: Input<Namespace>
+}
+
+class WrappedCertificate extends Certificate {
+  constructor(name: string, args: WrappedCertificateArgs, opts?: ComponentResourceOptions) {
+    super(
+      "highstate:k8s:WrappedCertificate",
+      name,
+      args,
+      opts,
+
+      output(args.namespace),
+      output(args.certificate).metadata as Output<types.output.meta.v1.ObjectMeta>,
+      output(args.certificate).spec,
+      output(args.certificate).status,
+    )
+  }
+}
+
+export type ExternalCertificateArgs = {
+  /**
+   * The name of the certificate to get.
+   */
+  name: Input<string>
+
+  /**
+   * The namespace of the certificate to get.
+   */
+  namespace: Input<Namespace>
+}
+
+class ExternalCertificate extends Certificate {
+  constructor(name: string, args: ExternalCertificateArgs, opts?: ComponentResourceOptions) {
+    const certificate = output(args.namespace).cluster.apply(cluster => {
+      return cert_manager.v1.Certificate.get(
+        name,
+        interpolate`${output(args.namespace).metadata.name}/${args.name}`,
+        { ...opts, parent: this, provider: getProvider(cluster) },
+      )
+    })
+
+    super(
+      "highstate:k8s:ExternalCertificate",
+      name,
+      args,
+      opts,
+
+      output(args.namespace),
+      certificate.metadata as Output<types.output.meta.v1.ObjectMeta>,
+      certificate.spec,
+      certificate.status,
+    )
+  }
+}

package/src/units/cert-manager/index.ts

@@ -4,12 +4,11 @@ import { Chart } from "../../helm"
 import charts from "../../../assets/charts.json"
 import { Namespace } from "../../namespace"
 
-const { inputs, outputs } = forUnit(k8s.certManager)
+const { args, inputs, outputs } = forUnit(k8s.certManager)
 
 const namespace = Namespace.create("cert-manager", { cluster: inputs.k8sCluster })
 
 new Chart("cert-manager", {
-  cluster: inputs.k8sCluster,
   namespace,
 
   chart: charts["cert-manager"],
@@ -22,7 +21,7 @@ new Chart("cert-manager", {
     config: {
       apiVersion: "controller.config.cert-manager.io/v1alpha1",
       kind: "ControllerConfiguration",
-      enableGatewayAPI: true,
+      enableGatewayAPI: args.enableGatewayApi,
     },
   },
 })

package/src/units/dns01-issuer/index.ts

@@ -1,12 +1,18 @@
 import { k8s } from "@highstate/library"
-import { forUnit, unsecret } from "@highstate/pulumi"
+import { forUnit } from "@highstate/pulumi"
 import { cert_manager } from "@highstate/cert-manager"
-import { getProvider } from "../../shared"
-import { createDns01Solver } from "./solver"
+import { getProviderAsync } from "../../shared"
+import { dns01SolverMediator } from "../../dns01-solver"
+import { Namespace } from "../../namespace"
 
 const { name, inputs, outputs } = forUnit(k8s.dns01TlsIssuer)
 
-const provider = await getProvider(inputs.k8sCluster)
+const provider = await getProviderAsync(inputs.k8sCluster)
+
+const certManagerNs = Namespace.get("cert-manager", {
+  name: "cert-manager",
+  cluster: inputs.k8sCluster,
+})
 
 new cert_manager.v1.ClusterIssuer(
   name,
@@ -17,14 +23,14 @@ new cert_manager.v1.ClusterIssuer(
     spec: {
       acme: {
         server: "https://acme-v02.api.letsencrypt.org/directory",
-        solvers: inputs.dnsProviders.apply(dnsProviders =>
-          dnsProviders.map(dnsProvider => {
-            return {
-              dns01: createDns01Solver(dnsProvider, provider),
-              selector: { dnsZones: [dnsProvider.domain] },
-            }
-          }),
-        ),
+        solvers: [
+          {
+            dns01: dns01SolverMediator.callOutput(inputs.dnsProvider.implRef, {
+              namespace: certManagerNs,
+            }),
+            selector: { dnsZones: [inputs.dnsProvider.domain] },
+          },
+        ],
         privateKeySecretRef: {
           name,
         },
@@ -35,8 +41,18 @@ new cert_manager.v1.ClusterIssuer(
 )
 
 export default outputs({
+  $statusFields: {
+    domain: inputs.dnsProvider.domain,
+  },
+
   tlsIssuer: {
-    clusterId: unsecret(inputs.k8sCluster.id),
-    clusterIssuerName: name,
+    domain: inputs.dnsProvider.domain,
+    implRef: {
+      package: "@highstate/k8s",
+      data: {
+        clusterIssuerName: name,
+        cluster: inputs.k8sCluster,
+      },
+    },
   },
 })

package/src/units/existing-cluster/index.ts

@@ -1,4 +1,4 @@
-import { k8s } from "@highstate/library"
+import { k8s, type ImplementationReference } from "@highstate/library"
 import { forUnit, secret, toPromise } from "@highstate/pulumi"
 import { core, Provider } from "@pulumi/kubernetes"
 import { KubeConfig, AppsV1Api } from "@kubernetes/client-node"
@@ -16,20 +16,23 @@ const kubeconfigContent = await toPromise(secrets.kubeconfig.apply(JSON.stringif
 
 const provider = new Provider(name, { kubeconfig: kubeconfigContent })
 
-let cni: k8s.CNI = "other"
+let networkPolicyImplRef: ImplementationReference | undefined
 
 const kubeConfig = new KubeConfig()
 kubeConfig.loadFromString(kubeconfigContent)
 
 const appsApi = kubeConfig.makeApiClient(AppsV1Api)
 
-const isCilium = await appsApi
+const hasCilium = await appsApi
   .readNamespacedDaemonSet({ name: "cilium", namespace: "kube-system" })
   .then(() => true)
   .catch(() => false)
 
-if (isCilium) {
-  cni = "cilium"
+if (hasCilium) {
+  networkPolicyImplRef = {
+    package: "@highstate/cilium",
+    data: {},
+  }
 }
 
 const externalIps =
@@ -43,8 +46,9 @@ const kubeSystem = core.v1.Namespace.get("kube-system", "kube-system", { provide
 export default outputs({
   k8sCluster: {
     id: kubeSystem.metadata.uid,
+    connectionId: kubeSystem.metadata.uid,
     name,
-    cni,
+    networkPolicyImplRef,
     externalIps,
     endpoints,
     apiEndpoints,
@@ -59,7 +63,6 @@ export default outputs({
 
   $statusFields: {
     clusterId: kubeSystem.metadata.uid,
-    cni,
     endpoints: endpoints.map(l3EndpointToString),
     apiEndpoints: apiEndpoints.map(l4EndpointToString),
   },

package/src/units/gateway-api/index.ts

@@ -1,11 +1,11 @@
 import { k8s } from "@highstate/library"
 import { forUnit } from "@highstate/pulumi"
 import { yaml } from "@pulumi/kubernetes"
-import { getProvider } from "../../shared"
+import { getProviderAsync } from "../../shared"
 
 const { inputs, outputs } = forUnit(k8s.gatewayApi)
 
-const provider = await getProvider(inputs.k8sCluster)
+const provider = await getProviderAsync(inputs.k8sCluster)
 
 new yaml.v2.ConfigFile(
   "gateway-api",

package/src/worker.ts

@@ -0,0 +1,26 @@
+import type { UnitWorker } from "@highstate/contract"
+import type { k8s } from "@highstate/library"
+import type { DeepInput, InputArray, Unwrap } from "@highstate/pulumi"
+import { type Output, output } from "@pulumi/pulumi"
+import { ClusterAccessScope } from "./rbac"
+import { images, type ScopedResource } from "./shared"
+
+export async function createMonitorWorker(
+  resources: InputArray<ScopedResource>,
+): Promise<Output<Unwrap<UnitWorker>>> {
+  const scope = await ClusterAccessScope.forResources("monitor", resources, [
+    "get",
+    "list",
+    "watch",
+  ])
+
+  return output({
+    name: "monitor",
+    image: images["worker-k8s-monitor"].image,
+
+    params: {
+      kubeconfig: scope.cluster.kubeconfig,
+      resources: output(resources).apply(resources => resources.map(r => r.entity)),
+    } satisfies DeepInput<k8s.MonitorWorkerParams>,
+  })
+}