@highstate/k8s 0.9.16 → 0.9.19

package/dist/chunk-SBC3TUIN.js

@@ -0,0 +1,1513 @@
+import { isEndpointFromCluster, mapServiceToLabelSelector, Service, mapContainerPortToServicePort } from './chunk-SI7X6N46.js';
+import { Secret } from './chunk-IMTXUK2U.js';
+import { commonExtraArgs, ScopedResource, Namespace, mapMetadata, getProvider, mapSelectorLikeToSelector, getProviderAsync, mapNamespaceNameToSelector, getNamespaceName, images_exports } from './chunk-WGMJCZSK.js';
+import { z, getOrCreate, trimIndentation } from '@highstate/contract';
+import { ComponentResource, toPromise, output as output$1, interpolate as interpolate$1, normalize, normalizeInputs, fileFromString } from '@highstate/pulumi';
+import { core, networking } from '@pulumi/kubernetes';
+import { output, interpolate } from '@pulumi/pulumi';
+import { deepmerge } from 'deepmerge-ts';
+import { omit, concat, map, groupBy, mergeDeep, uniqueBy, flat, merge, filter, isNonNullish, unique } from 'remeda';
+import { ImplementationMediator, filterEndpoints, parseL34Endpoint, l34EndpointToString, l3EndpointToCidr, AccessPointRoute } from '@highstate/common';
+import { sha256 } from 'crypto-hash';
+
+var ConfigMap = class _ConfigMap extends ScopedResource {
+  constructor(type, name, args, opts, apiVersion, kind, namespace, metadata, data) {
+    super(type, name, args, opts, apiVersion, kind, namespace, metadata);
+    this.data = data;
+  }
+  /**
+   * The Highstate config map entity.
+   */
+  get entity() {
+    return output({
+      type: "config-map",
+      clusterId: this.cluster.id,
+      clusterName: this.cluster.name,
+      metadata: this.metadata
+    });
+  }
+  /**
+   * Creates a new config map.
+   */
+  static create(name, args, opts) {
+    return new CreatedConfigMap(name, args, opts);
+  }
+  /**
+   * Creates a new config map or patches an existing one.
+   *
+   * @param name The name of the resource. May not be the same as the config map name.
+   * @param args The arguments to create or patch the config map with.
+   * @param opts Optional resource options.
+   */
+  static createOrPatch(name, args, opts) {
+    if (args.existing) {
+      return new ConfigMapPatch(name, {
+        ...args,
+        name: output(args.existing).metadata.name
+      });
+    }
+    return new CreatedConfigMap(name, args, opts);
+  }
+  /**
+   * Creates a new config map or gets an existing one.
+   *
+   * @param name The name of the resource. May not be the same as the config map name. Will not be used when existing config map is retrieved.
+   * @param args The arguments to create or get the config map with.
+   * @param opts Optional resource options.
+   */
+  static async createOrGet(name, args, opts) {
+    if (args.existing) {
+      return await _ConfigMap.forAsync(args.existing, output(args.namespace).cluster);
+    }
+    return new CreatedConfigMap(name, args, opts);
+  }
+  /**
+   * Patches an existing config map.
+   *
+   * Will throw an error if the config map does not exist.
+   *
+   * @param name The name of the resource. May not be the same as the config map name.
+   * @param args The arguments to patch the config map with.
+   * @param opts Optional resource options.
+   */
+  static patch(name, args, opts) {
+    return new ConfigMapPatch(name, args, opts);
+  }
+  /**
+   * Wraps an existing Kubernetes config map.
+   */
+  static wrap(name, args, opts) {
+    return new WrappedConfigMap(name, args, opts);
+  }
+  /**
+   * Gets an existing config map.
+   *
+   * Will throw an error if the config map does not exist.
+   */
+  static get(name, args, opts) {
+    return new ExternalConfigMap(name, args, opts);
+  }
+  static configMapCache = /* @__PURE__ */ new Map();
+  /**
+   * Gets an existing config map for a given entity.
+   * Prefer this method over `get` when possible.
+   *
+   * It automatically names the resource with the following format: `{clusterName}.{namespace}.{name}.{clusterId}`.
+   *
+   * This method is idempotent and will return the same instance for the same entity.
+   *
+   * @param entity The entity to get the config map for.
+   * @param cluster The cluster where the config map is located.
+   */
+  static for(entity, cluster) {
+    return getOrCreate(
+      _ConfigMap.configMapCache,
+      `${entity.clusterName}.${entity.metadata.namespace}.${entity.metadata.name}.${entity.clusterId}`,
+      (name) => {
+        return _ConfigMap.get(name, {
+          name: entity.metadata.name,
+          namespace: Namespace.forResource(entity, cluster)
+        });
+      }
+    );
+  }
+  /**
+   * Gets an existing config map for a given entity.
+   * Prefer this method over `get` when possible.
+   *
+   * It automatically names the resource with the following format: `{clusterName}.{namespace}.{name}.{clusterId}`.
+   *
+   * This method is idempotent and will return the same instance for the same entity.
+   *
+   * @param entity The entity to get the config map for.
+   * @param cluster The cluster where the config map is located.
+   */
+  static async forAsync(entity, cluster) {
+    const resolvedEntity = await toPromise(entity);
+    return _ConfigMap.for(resolvedEntity, cluster);
+  }
+};
+var CreatedConfigMap = class extends ConfigMap {
+  constructor(name, args, opts) {
+    const configMap = output(args.namespace).cluster.apply((cluster) => {
+      return new core.v1.ConfigMap(
+        name,
+        {
+          metadata: mapMetadata(args, name),
+          data: args.data
+        },
+        {
+          ...opts,
+          parent: this,
+          provider: getProvider(cluster)
+        }
+      );
+    });
+    super(
+      "highstate:k8s:ConfigMap",
+      name,
+      args,
+      opts,
+      configMap.apiVersion,
+      configMap.kind,
+      output(args.namespace),
+      configMap.metadata,
+      configMap.data
+    );
+  }
+};
+var ConfigMapPatch = class extends ConfigMap {
+  constructor(name, args, opts) {
+    const configMap = output(args.namespace).cluster.apply((cluster) => {
+      return new core.v1.ConfigMapPatch(
+        name,
+        {
+          metadata: mapMetadata(args, name),
+          data: args.data
+        },
+        {
+          ...opts,
+          parent: this,
+          provider: getProvider(cluster)
+        }
+      );
+    });
+    super(
+      "highstate:k8s:ConfigMapPatch",
+      name,
+      args,
+      opts,
+      configMap.apiVersion,
+      configMap.kind,
+      output(args.namespace),
+      configMap.metadata,
+      configMap.data
+    );
+  }
+};
+var WrappedConfigMap = class extends ConfigMap {
+  constructor(name, args, opts) {
+    super(
+      "highstate:k8s:WrappedConfigMap",
+      name,
+      args,
+      opts,
+      output(args.configMap).apiVersion,
+      output(args.configMap).kind,
+      output(args.namespace),
+      output(args.configMap).metadata,
+      output(args.configMap).data
+    );
+  }
+};
+var ExternalConfigMap = class extends ConfigMap {
+  constructor(name, args, opts) {
+    const configMap = output(args.namespace).cluster.apply((cluster) => {
+      return core.v1.ConfigMap.get(
+        name,
+        interpolate`${output(args.namespace).metadata.name}/${args.name}`,
+        { ...opts, parent: this, provider: getProvider(cluster) }
+      );
+    });
+    super(
+      "highstate:k8s:ExternalConfigMap",
+      name,
+      args,
+      opts,
+      configMap.apiVersion,
+      configMap.kind,
+      output(args.namespace),
+      configMap.metadata,
+      configMap.data
+    );
+  }
+};
+var extraPersistentVolumeClaimArgs = [...commonExtraArgs, "size"];
+var PersistentVolumeClaim = class _PersistentVolumeClaim extends ScopedResource {
+  constructor(type, name, args, opts, apiVersion, kind, namespace, metadata, spec, status) {
+    super(type, name, args, opts, apiVersion, kind, namespace, metadata);
+    this.spec = spec;
+    this.status = status;
+  }
+  /**
+   * The Highstate PVC entity.
+   */
+  get entity() {
+    return output$1({
+      type: "persistent-volume-claim",
+      clusterId: this.cluster.id,
+      clusterName: this.cluster.name,
+      metadata: this.metadata
+    });
+  }
+  /**
+   * Creates a new PVC.
+   */
+  static create(name, args, opts) {
+    return new CreatedPersistentVolumeClaim(name, args, opts);
+  }
+  /**
+   * Creates a new PVC or patches an existing one.
+   *
+   * @param name The name of the resource. May not be the same as the PVC name.
+   * @param args The arguments to create or patch the PVC with.
+   * @param opts Optional resource options.
+   */
+  static createOrPatch(name, args, opts) {
+    if (args.existing) {
+      return new PersistentVolumeClaimPatch(name, {
+        ...args,
+        name: output$1(args.existing).metadata.name
+      });
+    }
+    return new CreatedPersistentVolumeClaim(name, args, opts);
+  }
+  /**
+   * Creates a new PVC or gets an existing one.
+   *
+   * @param name The name of the resource. May not be the same as the PVC name. Will not be used when existing PVC is retrieved.
+   * @param args The arguments to create or get the PVC with.
+   * @param opts Optional resource options.
+   */
+  static async createOrGet(name, args, opts) {
+    if (args.existing) {
+      return await _PersistentVolumeClaim.forAsync(args.existing, output$1(args.namespace).cluster);
+    }
+    return new CreatedPersistentVolumeClaim(name, args, opts);
+  }
+  /**
+   * Patches an existing PVC.
+   *
+   * Will throw an error if the PVC does not exist.
+   *
+   * @param name The name of the resource. May not be the same as the PVC name.
+   * @param args The arguments to patch the PVC with.
+   * @param opts Optional resource options.
+   */
+  static patch(name, args, opts) {
+    return new PersistentVolumeClaimPatch(name, args, opts);
+  }
+  /**
+   * Wraps an existing Kubernetes PVC.
+   */
+  static wrap(name, args, opts) {
+    return new WrappedPersistentVolumeClaim(name, args, opts);
+  }
+  /**
+   * Gets an existing PVC.
+   *
+   * Will throw an error if the PVC does not exist.
+   */
+  static get(name, args, opts) {
+    return new ExternalPersistentVolumeClaim(name, args, opts);
+  }
+  static pvcCache = /* @__PURE__ */ new Map();
+  /**
+   * Gets an existing PVC for a given entity.
+   * Prefer this method over `get` when possible.
+   *
+   * It automatically names the resource with the following format: `{clusterName}.{namespace}.{name}.{clusterId}`.
+   *
+   * This method is idempotent and will return the same instance for the same entity.
+   *
+   * @param entity The entity to get the PVC for.
+   * @param cluster The cluster where the PVC is located.
+   */
+  static for(entity, cluster) {
+    return getOrCreate(
+      _PersistentVolumeClaim.pvcCache,
+      `${entity.clusterName}.${entity.metadata.namespace}.${entity.metadata.name}.${entity.clusterId}`,
+      (name) => {
+        return _PersistentVolumeClaim.get(name, {
+          name: entity.metadata.name,
+          namespace: Namespace.forResource(entity, cluster)
+        });
+      }
+    );
+  }
+  /**
+   * Gets an existing PVC for a given entity.
+   * Prefer this method over `get` when possible.
+   *
+   * It automatically names the resource with the following format: `{clusterName}.{namespace}.{name}.{clusterId}`.
+   *
+   * This method is idempotent and will return the same instance for the same entity.
+   *
+   * @param entity The entity to get the PVC for.
+   * @param cluster The cluster where the PVC is located.
+   */
+  static async forAsync(entity, cluster) {
+    const resolvedEntity = await toPromise(entity);
+    return _PersistentVolumeClaim.for(resolvedEntity, cluster);
+  }
+};
+var CreatedPersistentVolumeClaim = class extends PersistentVolumeClaim {
+  constructor(name, args, opts) {
+    const pvc = output$1(args.namespace).cluster.apply((cluster) => {
+      return new core.v1.PersistentVolumeClaim(
+        name,
+        {
+          metadata: mapMetadata(args, name),
+          spec: output$1(args).apply((args2) => {
+            return deepmerge(
+              {
+                accessModes: ["ReadWriteOnce"],
+                resources: {
+                  requests: {
+                    storage: args2.size ?? "100Mi"
+                  }
+                }
+              },
+              omit(args2, extraPersistentVolumeClaimArgs)
+            );
+          })
+        },
+        {
+          ...opts,
+          parent: this,
+          provider: getProvider(cluster)
+        }
+      );
+    });
+    super(
+      "highstate:k8s:PersistentVolumeClaim",
+      name,
+      args,
+      opts,
+      pvc.apiVersion,
+      pvc.kind,
+      output$1(args.namespace),
+      pvc.metadata,
+      pvc.spec,
+      pvc.status
+    );
+  }
+};
+var PersistentVolumeClaimPatch = class extends PersistentVolumeClaim {
+  constructor(name, args, opts) {
+    const pvc = output$1(args.namespace).cluster.apply((cluster) => {
+      return new core.v1.PersistentVolumeClaimPatch(
+        name,
+        {
+          metadata: mapMetadata(args, name),
+          spec: output$1(args).apply((args2) => {
+            return deepmerge(
+              {
+                accessModes: ["ReadWriteOnce"],
+                resources: {
+                  requests: {
+                    storage: args2.size ?? "100Mi"
+                  }
+                }
+              },
+              omit(args2, extraPersistentVolumeClaimArgs)
+            );
+          })
+        },
+        {
+          ...opts,
+          parent: this,
+          provider: getProvider(cluster)
+        }
+      );
+    });
+    super(
+      "highstate:k8s:PersistentVolumeClaimPatch",
+      name,
+      args,
+      opts,
+      pvc.apiVersion,
+      pvc.kind,
+      output$1(args.namespace),
+      pvc.metadata,
+      pvc.spec,
+      pvc.status
+    );
+  }
+};
+var WrappedPersistentVolumeClaim = class extends PersistentVolumeClaim {
+  constructor(name, args, opts) {
+    super(
+      "highstate:k8s:WrappedPersistentVolumeClaim",
+      name,
+      args,
+      opts,
+      output$1(args.pvc).apiVersion,
+      output$1(args.pvc).kind,
+      output$1(args.namespace),
+      output$1(args.pvc).metadata,
+      output$1(args.pvc).spec,
+      output$1(args.pvc).status
+    );
+  }
+};
+var ExternalPersistentVolumeClaim = class extends PersistentVolumeClaim {
+  constructor(name, args, opts) {
+    const pvc = output$1(args.namespace).cluster.apply((cluster) => {
+      return core.v1.PersistentVolumeClaim.get(
+        name,
+        interpolate$1`${output$1(args.namespace).metadata.name}/${args.name}`,
+        { ...opts, parent: this, provider: getProvider(cluster) }
+      );
+    });
+    super(
+      "highstate:k8s:ExternalPersistentVolumeClaim",
+      name,
+      args,
+      opts,
+      pvc.apiVersion,
+      pvc.kind,
+      output$1(args.namespace),
+      pvc.metadata,
+      pvc.spec,
+      pvc.status
+    );
+  }
+};
+function getAutoVolumeName(workloadName, index) {
+  if (index === 0) {
+    return `${workloadName}-data`;
+  }
+  return `${workloadName}-data-${index}`;
+}
+var containerExtraArgs = [
+  "port",
+  "volumeMount",
+  "volume",
+  "environment",
+  "environmentSource",
+  "environmentSources"
+];
+function mapContainerToRaw(container, cluster, fallbackName) {
+  const containerName = container.name ?? fallbackName;
+  const spec = {
+    ...omit(container, containerExtraArgs),
+    name: containerName,
+    ports: normalize(container.port, container.ports),
+    volumeMounts: map(normalize(container.volumeMount, container.volumeMounts), mapVolumeMount),
+    env: concat(
+      container.environment ? mapContainerEnvironment(container.environment) : [],
+      container.env ?? []
+    ),
+    envFrom: concat(
+      map(
+        normalize(container.environmentSource, container.environmentSources),
+        mapEnvironmentSource
+      ),
+      container.envFrom ?? []
+    )
+  };
+  if (container.enableTun) {
+    spec.securityContext ??= {};
+    spec.securityContext.capabilities ??= {};
+    spec.securityContext.capabilities.add = ["NET_ADMIN"];
+    if (cluster.quirks?.tunDevicePolicy?.type === "plugin") {
+      spec.resources ??= {};
+      spec.resources.limits ??= {};
+      spec.resources.limits[cluster.quirks.tunDevicePolicy.resourceName] = cluster.quirks.tunDevicePolicy.resourceValue;
+    } else {
+      spec.volumeMounts ??= [];
+      spec.volumeMounts.push({
+        name: "tun-device",
+        mountPath: "/dev/net/tun",
+        readOnly: false
+      });
+    }
+  }
+  return spec;
+}
+function mapContainerEnvironment(environment) {
+  const envVars = [];
+  for (const [name, value] of Object.entries(environment)) {
+    if (!value) {
+      continue;
+    }
+    if (typeof value === "string") {
+      envVars.push({ name, value });
+      continue;
+    }
+    if ("secret" in value) {
+      envVars.push({
+        name,
+        valueFrom: {
+          secretKeyRef: {
+            name: value.secret.metadata.name,
+            key: value.key
+          }
+        }
+      });
+      continue;
+    }
+    if ("configMap" in value) {
+      envVars.push({
+        name,
+        valueFrom: {
+          configMapKeyRef: {
+            name: value.configMap.metadata.name,
+            key: value.key
+          }
+        }
+      });
+      continue;
+    }
+    envVars.push({ name, valueFrom: value });
+  }
+  return envVars;
+}
+function mapVolumeMount(volumeMount) {
+  if ("volume" in volumeMount) {
+    return omit(
+      {
+        ...volumeMount,
+        name: output$1(volumeMount.volume).apply(mapWorkloadVolume).apply((volume) => output$1(volume.name))
+      },
+      ["volume"]
+    );
+  }
+  return {
+    ...volumeMount,
+    name: volumeMount.name
+  };
+}
+function mapEnvironmentSource(envFrom) {
+  if (envFrom instanceof core.v1.ConfigMap) {
+    return {
+      configMapRef: {
+        name: envFrom.metadata.name
+      }
+    };
+  }
+  if (envFrom instanceof core.v1.Secret) {
+    return {
+      secretRef: {
+        name: envFrom.metadata.name
+      }
+    };
+  }
+  return envFrom;
+}
+function mapWorkloadVolume(volume) {
+  if (volume instanceof PersistentVolumeClaim) {
+    return {
+      name: volume.metadata.name,
+      persistentVolumeClaim: {
+        claimName: volume.metadata.name
+      }
+    };
+  }
+  if (volume instanceof Secret) {
+    return {
+      name: volume.metadata.name,
+      secret: {
+        secretName: volume.metadata.name
+      }
+    };
+  }
+  if (volume instanceof ConfigMap) {
+    return {
+      name: volume.metadata.name,
+      configMap: {
+        name: volume.metadata.name
+      }
+    };
+  }
+  if (core.v1.PersistentVolumeClaim.isInstance(volume)) {
+    return {
+      name: volume.metadata.name,
+      persistentVolumeClaim: {
+        claimName: volume.metadata.name
+      }
+    };
+  }
+  if (core.v1.ConfigMap.isInstance(volume)) {
+    return {
+      name: volume.metadata.name,
+      configMap: {
+        name: volume.metadata.name
+      }
+    };
+  }
+  if (core.v1.Secret.isInstance(volume)) {
+    return {
+      name: volume.metadata.name,
+      secret: {
+        secretName: volume.metadata.name
+      }
+    };
+  }
+  return volume;
+}
+function getWorkloadVolumeResourceUuid(volume) {
+  if (volume instanceof PersistentVolumeClaim) {
+    return volume.metadata.uid;
+  }
+  if (volume instanceof Secret) {
+    return volume.metadata.uid;
+  }
+  if (volume instanceof ConfigMap) {
+    return volume.metadata.uid;
+  }
+  if (core.v1.PersistentVolumeClaim.isInstance(volume)) {
+    return volume.metadata.uid;
+  }
+  if (core.v1.ConfigMap.isInstance(volume)) {
+    return volume.metadata.uid;
+  }
+  if (core.v1.Secret.isInstance(volume)) {
+    return volume.metadata.uid;
+  }
+  return output$1(void 0);
+}
+function getBestEndpoint(endpoints, cluster) {
+  if (!endpoints.length) {
+    return void 0;
+  }
+  if (endpoints.length === 1) {
+    return endpoints[0];
+  }
+  if (!cluster) {
+    return filterEndpoints(endpoints)[0];
+  }
+  const clusterEndpoint = endpoints.find((endpoint) => isEndpointFromCluster(endpoint, cluster));
+  if (clusterEndpoint) {
+    return clusterEndpoint;
+  }
+  return filterEndpoints(endpoints)[0];
+}
+function requireBestEndpoint(endpoints, cluster) {
+  const endpoint = getBestEndpoint(endpoints, cluster);
+  if (!endpoint) {
+    throw new Error(`No best endpoint found for cluster "${cluster.name}" (${cluster.id})`);
+  }
+  return endpoint;
+}
+var networkPolicyMediator = new ImplementationMediator(
+  "network-policy",
+  z.object({ name: z.string(), args: z.custom() }),
+  z.instanceof(ComponentResource)
+);
+var NetworkPolicy = class _NetworkPolicy extends ComponentResource {
+  /**
+   * The underlying network policy resource.
+   */
+  networkPolicy;
+  constructor(name, args, opts) {
+    super("k8s:network-policy", name, args, opts);
+    const normalizedArgs = output$1(args).apply(async (args2) => {
+      const ingressRules = normalize(args2.ingressRule, args2.ingressRules);
+      const egressRules = normalize(args2.egressRule, args2.egressRules);
+      const cluster = await toPromise(args2.namespace.cluster);
+      const extraEgressRules = [];
+      if (args2.allowKubeDns) {
+        extraEgressRules.push({
+          namespaces: ["kube-system"],
+          selectors: [{ matchLabels: { "k8s-app": "kube-dns" } }],
+          ports: [{ port: 53, protocol: "UDP" }],
+          all: false,
+          cidrs: [],
+          fqdns: [],
+          services: []
+        });
+      }
+      return {
+        ...args2,
+        podSelector: args2.selector ? mapSelectorLikeToSelector(args2.selector) : {},
+        cluster,
+        isolateEgress: args2.isolateEgress ?? false,
+        isolateIngress: args2.isolateIngress ?? false,
+        allowKubeApiServer: args2.allowKubeApiServer ?? false,
+        ingressRules: ingressRules.flatMap((rule) => {
+          const endpoints = normalize(rule?.fromEndpoint, rule?.fromEndpoints);
+          const parsedEndpoints = endpoints.map(parseL34Endpoint);
+          const endpointsNamespaces = groupBy(parsedEndpoints, (endpoint) => {
+            const namespace = isEndpointFromCluster(endpoint, cluster) ? endpoint.metadata["k8s.service"].namespace : "";
+            return namespace;
+          });
+          const l3OnlyRule = endpointsNamespaces[""] ? _NetworkPolicy.getRuleFromEndpoint(void 0, endpointsNamespaces[""], cluster) : void 0;
+          const otherRules = Object.entries(endpointsNamespaces).filter(([key]) => key !== "").map(([, endpoints2]) => {
+            return _NetworkPolicy.getRuleFromEndpoint(void 0, endpoints2, cluster);
+          });
+          return [
+            {
+              all: rule.fromAll ?? false,
+              cidrs: normalize(rule.fromCidr, rule.fromCidrs).concat(l3OnlyRule?.cidrs ?? []),
+              fqdns: [],
+              services: normalize(rule.fromService, rule.fromServices),
+              namespaces: normalize(rule.fromNamespace, rule.fromNamespaces),
+              selectors: normalize(rule.fromSelector, rule.fromSelectors),
+              ports: normalize(rule.toPort, rule.toPorts)
+            },
+            ...otherRules
+          ].filter((rule2) => !_NetworkPolicy.isEmptyRule(rule2));
+        }),
+        egressRules: egressRules.flatMap((rule) => {
+          const endpoints = normalize(rule?.toEndpoint, rule?.toEndpoints);
+          const parsedEndpoints = endpoints.map(parseL34Endpoint);
+          const endpointsByPortsAnsNamespaces = groupBy(parsedEndpoints, (endpoint) => {
+            const namespace = isEndpointFromCluster(endpoint, cluster) ? endpoint.metadata["k8s.service"].namespace : "";
+            const port = isEndpointFromCluster(endpoint, cluster) ? endpoint.metadata["k8s.service"].targetPort : endpoint.port;
+            return `${port ?? "0"}:${namespace}`;
+          });
+          const l3OnlyRule = endpointsByPortsAnsNamespaces["0:"] ? _NetworkPolicy.getRuleFromEndpoint(
+            void 0,
+            endpointsByPortsAnsNamespaces["0:"],
+            cluster
+          ) : void 0;
+          const otherRules = Object.entries(endpointsByPortsAnsNamespaces).filter(([key]) => key !== "0:").map(([key, endpoints2]) => {
+            const [port] = key.split(":");
+            const portNumber = parseInt(port, 10);
+            const portValue = Number.isNaN(portNumber) ? port : portNumber;
+            return _NetworkPolicy.getRuleFromEndpoint(portValue, endpoints2, cluster);
+          });
+          return [
+            {
+              all: rule.toAll ?? false,
+              cidrs: normalize(rule.toCidr, rule.toCidrs).concat(l3OnlyRule?.cidrs ?? []),
+              fqdns: normalize(rule.toFqdn, rule.toFqdns).concat(l3OnlyRule?.fqdns ?? []),
+              services: normalize(rule.toService, rule.toServices),
+              namespaces: normalize(rule.toNamespace, rule.toNamespaces),
+              selectors: normalize(rule.toSelector, rule.toSelectors),
+              ports: normalize(rule.toPort, rule.toPorts)
+            },
+            ...otherRules
+          ].filter((rule2) => !_NetworkPolicy.isEmptyRule(rule2));
+        }).concat(extraEgressRules)
+      };
+    });
+    this.networkPolicy = output$1(
+      normalizedArgs.apply(async (args2) => {
+        const cluster = args2.cluster;
+        if (cluster.networkPolicyImplRef) {
+          return networkPolicyMediator.call(cluster.networkPolicyImplRef, {
+            name,
+            args: args2
+          });
+        }
+        const nativePolicy = new NativeNetworkPolicy(name, args2, {
+          ...opts,
+          parent: this,
+          provider: await getProviderAsync(output$1(args2.namespace).cluster)
+        });
+        return nativePolicy.networkPolicy;
+      })
+    );
+  }
+  static mapCidrFromEndpoint(result) {
+    if (result.type === "ipv4") {
+      return `${result.address}/32`;
+    }
+    return `${result.address}/128`;
+  }
+  static getRuleFromEndpoint(port, endpoints, cluster) {
+    const ports = port ? [{ port, protocol: endpoints[0].protocol?.toUpperCase() }] : [];
+    const cidrs = endpoints.filter((endpoint) => !isEndpointFromCluster(endpoint, cluster)).filter((endpoint) => endpoint.type === "ipv4" || endpoint.type === "ipv6").map(_NetworkPolicy.mapCidrFromEndpoint);
+    const fqdns = endpoints.filter((endpoint) => endpoint.type === "hostname").map((endpoint) => endpoint.hostname);
+    const selectors = endpoints.filter((endpoint) => isEndpointFromCluster(endpoint, cluster)).map((endpoint) => endpoint.metadata["k8s.service"].selector);
+    const namespace = endpoints.filter((endpoint) => isEndpointFromCluster(endpoint, cluster)).map((endpoint) => endpoint.metadata["k8s.service"].namespace)[0];
+    return {
+      all: false,
+      cidrs,
+      fqdns,
+      services: [],
+      namespaces: namespace ? [namespace] : [],
+      selectors,
+      ports
+    };
+  }
+  static isEmptyRule(rule) {
+    return !rule.all && rule.cidrs.length === 0 && rule.fqdns.length === 0 && rule.services.length === 0 && rule.namespaces.length === 0 && rule.selectors.length === 0 && rule.ports.length === 0;
+  }
+  /**
+   * Creates network policy to isolate the namespace by denying all traffic to/from it.
+   *
+   * Automatically names the policy as: `isolate-namespace.{clusterName}.{namespace}.{clusterId}`.
+   *
+   * @param namespace The namespace to isolate.
+   * @param opts Optional resource options.
+   */
+  static async isolateNamespace(namespace, opts) {
+    const name = await toPromise(output$1(namespace).metadata.name);
+    const cluster = await toPromise(output$1(namespace).cluster);
+    return new _NetworkPolicy(
+      `isolate-namespace.${cluster.name}.${name}.${cluster.id}`,
+      {
+        namespace,
+        description: "By default, deny all traffic to/from the namespace.",
+        isolateEgress: true,
+        isolateIngress: true
+      },
+      opts
+    );
+  }
+  /**
+   * Creates network policy to allow all traffic inside the namespace (pod to pod within same namespace).
+   *
+   * Automatically names the policy as: `allow-inside-namespace.{clusterName}.{namespace}.{clusterId}`.
+   *
+   * @param namespace The namespace to create the policy in.
+   * @param opts Optional resource options.
+   */
+  static async allowInsideNamespace(namespace, opts) {
+    const nsName = await toPromise(output$1(namespace).metadata.name);
+    const cluster = await toPromise(output$1(namespace).cluster);
+    return new _NetworkPolicy(
+      `allow-inside-namespace.${cluster.name}.${nsName}.${cluster.id}`,
+      {
+        namespace,
+        description: "Allow all traffic inside the namespace.",
+        ingressRule: { fromNamespace: namespace },
+        egressRule: { toNamespace: namespace }
+      },
+      opts
+    );
+  }
+  /**
+   * Creates network policy to allow traffic from the namespace to the Kubernetes API server.
+   *
+   * Automatically names the policy as: `allow-kube-api-server.{clusterName}.{namespace}.{clusterId}`.
+   *
+   * @param namespace The namespace to create the policy in.
+   * @param opts Optional resource options.
+   */
+  static async allowKubeApiServer(namespace, opts) {
+    const nsName = await toPromise(output$1(namespace).metadata.name);
+    const cluster = await toPromise(output$1(namespace).cluster);
+    return new _NetworkPolicy(
+      `allow-kube-api-server.${cluster.name}.${nsName}.${cluster.id}`,
+      {
+        namespace,
+        description: "Allow all traffic to the Kubernetes API server from the namespace.",
+        allowKubeApiServer: true
+      },
+      opts
+    );
+  }
+  /**
+   * Creates network policy to allow egress DNS traffic (UDP 53) required for name resolution.
+   *
+   * Automatically names the policy as: `allow-kube-dns.{clusterName}.{namespace}.{clusterId}`.
+   *
+   * @param namespace The namespace to create the policy in.
+   * @param opts Optional resource options.
+   */
+  static async allowKubeDns(namespace, opts) {
+    const nsName = await toPromise(output$1(namespace).metadata.name);
+    const cluster = await toPromise(output$1(namespace).cluster);
+    return new _NetworkPolicy(
+      `allow-kube-dns.${cluster.name}.${nsName}.${cluster.id}`,
+      {
+        namespace,
+        description: "Allow all traffic to the Kubernetes DNS server from the namespace.",
+        allowKubeDns: true
+      },
+      opts
+    );
+  }
+  /**
+   * Creates network policy to allow all egress traffic from the namespace.
+   *
+   * Automatically names the policy as: `allow-all-egress.{clusterName}.{namespace}.{clusterId}`.
+   *
+   * @param namespace The namespace to create the policy in.
+   * @param opts Optional resource options.
+   */
+  static async allowAllEgress(namespace, opts) {
+    const nsName = await toPromise(output$1(namespace).metadata.name);
+    const cluster = await toPromise(output$1(namespace).cluster);
+    return new _NetworkPolicy(
+      `allow-all-egress.${cluster.name}.${nsName}.${cluster.id}`,
+      {
+        namespace,
+        description: "Allow all egress traffic from the namespace.",
+        egressRule: { toAll: true }
+      },
+      opts
+    );
+  }
+  /**
+   * Creates network policy to allow all ingress traffic to the namespace.
+   *
+   * Automatically names the policy as: `allow-all-ingress.{clusterName}.{namespace}.{clusterId}`.
+   *
+   * @param namespace The namespace to create the policy in.
+   * @param opts Optional resource options.
+   */
+  static async allowAllIngress(namespace, opts) {
+    const nsName = await toPromise(output$1(namespace).metadata.name);
+    const cluster = await toPromise(output$1(namespace).cluster);
+    return new _NetworkPolicy(
+      `allow-all-ingress.${cluster.name}.${nsName}.${cluster.id}`,
+      {
+        namespace,
+        description: "Allow all ingress traffic to the namespace.",
+        ingressRule: { fromAll: true }
+      },
+      opts
+    );
+  }
+  /**
+   * Creates network policy to allow egress traffic to a specific L3/L4 endpoint.
+   *
+   * Automatically names the policy as: `allow-egress-to-<endpoint>.{clusterName}.{namespace}.{clusterId}`.
+   *
+   * @param namespace The namespace to create the policy in.
+   * @param endpoint The endpoint to allow egress to.
+   * @param opts Optional resource options.
+   */
+  static async allowEgressToEndpoint(namespace, endpoint, opts) {
+    const parsedEndpoint = parseL34Endpoint(endpoint);
+    const endpointStr = l34EndpointToString(parsedEndpoint).replace(/:/g, "-");
+    const nsName = await toPromise(output$1(namespace).metadata.name);
+    const cluster = await toPromise(output$1(namespace).cluster);
+    return new _NetworkPolicy(
+      `allow-egress-to-${endpointStr}.${cluster.name}.${nsName}.${cluster.id}`,
+      {
+        namespace,
+        description: `Allow egress traffic to "${l34EndpointToString(parsedEndpoint)}" from the namespace.`,
+        egressRule: { toEndpoint: endpoint }
+      },
+      opts
+    );
+  }
+  /**
+   * Creates network policy to allow egress traffic to the best endpoint among provided candidates.
+   *
+   * Automatically names the policy as: `allow-egress-to-<bestEndpoint>.{clusterName}.{namespace}.{clusterId}`.
+   *
+   * @param namespace The namespace to create the policy in.
+   * @param endpoints The candidate endpoints to select from.
+   * @param opts Optional resource options.
+   */
+  static async allowEgressToBestEndpoint(namespace, endpoints, opts) {
+    const cluster = await toPromise(output$1(namespace).cluster);
+    const resolvedEndpoints = await toPromise(output$1(endpoints));
+    const bestEndpoint = requireBestEndpoint(resolvedEndpoints.map(parseL34Endpoint), cluster);
+    return await _NetworkPolicy.allowEgressToEndpoint(namespace, bestEndpoint, opts);
+  }
+  /**
+   * Creates network policy to allow ingress traffic from a specific L3/L4 endpoint.
+   *
+   * Automatically names the policy as: `allow-ingress-from-<endpoint>.{clusterName}.{namespace}.{clusterId}`.
+   *
+   * @param namespace The namespace to create the policy in.
+   * @param endpoint The endpoint to allow ingress from.
+   * @param opts Optional resource options.
+   */
+  static async allowIngressFromEndpoint(namespace, endpoint, opts) {
+    const parsedEndpoint = parseL34Endpoint(endpoint);
+    const endpointStr = l34EndpointToString(parsedEndpoint).replace(/:/g, "-");
+    const nsName = await toPromise(output$1(namespace).metadata.name);
+    const cluster = await toPromise(output$1(namespace).cluster);
+    return new _NetworkPolicy(
+      `allow-ingress-from-${endpointStr}.${cluster.name}.${nsName}.${cluster.id}`,
+      {
+        namespace,
+        description: interpolate$1`Allow ingress traffic from "${l34EndpointToString(parsedEndpoint)}" to the namespace.`,
+        ingressRule: { fromEndpoint: endpoint }
+      },
+      opts
+    );
+  }
+};
+var NativeNetworkPolicy = class _NativeNetworkPolicy extends ComponentResource {
+  /**
+   * The underlying native network policy resource.
+   */
+  networkPolicy;
+  constructor(name, args, opts) {
+    super("k8s:native-network-policy", name, args, opts);
+    const ingress = _NativeNetworkPolicy.createIngressRules(args);
+    const egress = _NativeNetworkPolicy.createEgressRules(args);
+    const policyTypes = [];
+    if (ingress.length > 0 || args.isolateIngress) {
+      policyTypes.push("Ingress");
+    }
+    if (egress.length > 0 || args.isolateEgress) {
+      policyTypes.push("Egress");
+    }
+    this.networkPolicy = new networking.v1.NetworkPolicy(
+      name,
+      {
+        metadata: mergeDeep(mapMetadata(args, name), {
+          annotations: args.description ? { "kubernetes.io/description": args.description } : void 0
+        }),
+        spec: {
+          podSelector: args.podSelector,
+          ingress,
+          egress,
+          policyTypes
+        }
+      },
+      { ...opts, parent: this }
+    );
+  }
+  static fallbackIpBlock = {
+    cidr: "0.0.0.0/0",
+    except: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+  };
+  static fallbackDnsRule = {
+    to: [
+      {
+        namespaceSelector: { matchLabels: { "kubernetes.io/metadata.name": "kube-system" } },
+        podSelector: { matchLabels: { "k8s-app": "kube-dns" } }
+      }
+    ],
+    ports: [{ port: 53, protocol: "UDP" }]
+  };
+  static createIngressRules(args) {
+    return uniqueBy(
+      args.ingressRules.map((rule) => ({
+        from: rule.all ? [] : _NativeNetworkPolicy.createRulePeers(rule),
+        ports: _NativeNetworkPolicy.mapPorts(rule.ports)
+      })),
+      (rule) => JSON.stringify(rule)
+    );
+  }
+  static createEgressRules(args) {
+    const extraRules = [];
+    const needKubeDns = args.egressRules.some((rule) => rule.fqdns.length > 0);
+    if (needKubeDns) {
+      extraRules.push(_NativeNetworkPolicy.fallbackDnsRule);
+    }
+    const needFallback = args.egressRules.some(
+      (rule) => rule.fqdns.some((fqdn) => !fqdn.endsWith(".cluster.local"))
+    );
+    if (needFallback) {
+      extraRules.push({ to: [{ ipBlock: _NativeNetworkPolicy.fallbackIpBlock }] });
+    }
+    if (args.allowKubeApiServer) {
+      const { quirks, apiEndpoints } = args.cluster;
+      if (quirks?.fallbackKubeApiAccess) {
+        extraRules.push({
+          to: [{ ipBlock: { cidr: `${quirks?.fallbackKubeApiAccess.serverIp}/32` } }],
+          ports: [{ port: quirks?.fallbackKubeApiAccess.serverPort, protocol: "TCP" }]
+        });
+      } else {
+        const rules = apiEndpoints.filter((endpoint) => endpoint.type !== "hostname").map((endpoint) => ({
+          to: [{ ipBlock: { cidr: l3EndpointToCidr(endpoint) } }],
+          ports: [{ port: endpoint.port, protocol: "TCP" }]
+        }));
+        extraRules.push(...rules);
+      }
+    }
+    return uniqueBy(
+      args.egressRules.map((rule) => {
+        return {
+          to: rule.all ? [] : _NativeNetworkPolicy.createRulePeers(rule),
+          ports: _NativeNetworkPolicy.mapPorts(rule.ports)
+        };
+      }).filter((rule) => rule.to !== void 0).concat(extraRules),
+      (rule) => JSON.stringify(rule)
+    );
+  }
+  static createRulePeers(args) {
+    const peers = uniqueBy(
+      [
+        ..._NativeNetworkPolicy.createCidrPeers(args),
+        ..._NativeNetworkPolicy.createServicePeers(args),
+        ..._NativeNetworkPolicy.createSelectorPeers(args)
+      ],
+      (peer) => JSON.stringify(peer)
+    );
+    return peers.length > 0 ? peers : void 0;
+  }
+  static createCidrPeers(args) {
+    return args.cidrs.map((cidr) => ({ ipBlock: { cidr } }));
+  }
+  static createServicePeers(args) {
+    return args.services.map((service) => {
+      const selector = mapServiceToLabelSelector(service);
+      return {
+        namespaceSelector: mapNamespaceNameToSelector(service.metadata.namespace),
+        podSelector: selector
+      };
+    });
+  }
+  static createSelectorPeers(args) {
+    const selectorPeers = args.selectors.map((selector) => ({
+      podSelector: mapSelectorLikeToSelector(selector)
+    }));
+    const namespacePeers = args.namespaces.map(_NativeNetworkPolicy.createNamespacePeer);
+    if (namespacePeers.length === 0) {
+      return selectorPeers;
+    }
+    if (selectorPeers.length === 0) {
+      return namespacePeers;
+    }
+    return flat(
+      selectorPeers.map((selectorPeer) => {
+        return namespacePeers.map((namespacePeer) => merge(selectorPeer, namespacePeer));
+      })
+    );
+  }
+  static createNamespacePeer(namespace) {
+    const namespaceName = getNamespaceName(namespace);
+    const namespaceSelector = mapNamespaceNameToSelector(namespaceName);
+    return { namespaceSelector };
+  }
+  static mapPorts(ports) {
+    return ports.map((port) => {
+      if ("port" in port) {
+        return {
+          port: port.port,
+          protocol: port.protocol ?? "TCP"
+        };
+      }
+      return {
+        port: port.range[0],
+        endPort: port.range[1],
+        protocol: port.protocol ?? "TCP"
+      };
+    });
+  }
+};
+
+// src/pod.ts
+var podSpecDefaults = {
+  automountServiceAccountToken: false
+};
+var workloadExtraArgs = [...commonExtraArgs, "container", "containers"];
+var exposableWorkloadExtraArgs = [
+  ...workloadExtraArgs,
+  "service",
+  "route",
+  "routes"
+];
+function getWorkloadComponents(name, args, parent, opts) {
+  const labels = {
+    "app.kubernetes.io/name": name
+  };
+  const containers = output(args).apply((args2) => normalize(args2.container, args2.containers));
+  const rawVolumes = containers.apply((containers2) => {
+    const containerVolumes = containers2.flatMap(
+      (container) => normalize(container.volume, container.volumes)
+    );
+    const containerVolumeMounts = containers2.flatMap((container) => {
+      return normalize(container.volumeMount, container.volumeMounts).map((volumeMount) => {
+        return "volume" in volumeMount ? volumeMount.volume : void 0;
+      }).filter(Boolean);
+    });
+    return output([...containerVolumes, ...containerVolumeMounts]);
+  });
+  const volumes = rawVolumes.apply((rawVolumes2) => {
+    return output(rawVolumes2.map(mapWorkloadVolume)).apply(uniqueBy((volume) => volume.name));
+  });
+  const podSpec = output({
+    cluster: output(args.namespace).cluster,
+    containers,
+    volumes
+  }).apply(({ cluster, containers: containers2, volumes: volumes2 }) => {
+    const spec = {
+      volumes: volumes2,
+      containers: containers2.map((container) => mapContainerToRaw(container, cluster, name)),
+      ...podSpecDefaults
+    };
+    if (containers2.some((container) => container.enableTun) && cluster.quirks?.tunDevicePolicy?.type !== "plugin") {
+      spec.volumes = output(spec.volumes).apply((volumes3) => [
+        ...volumes3 ?? [],
+        {
+          name: "tun-device",
+          hostPath: {
+            path: "/dev/net/tun"
+          }
+        }
+      ]);
+    }
+    return spec;
+  });
+  const dependencyHash = rawVolumes.apply((rawVolumes2) => {
+    return output(rawVolumes2.map(getWorkloadVolumeResourceUuid)).apply(filter(isNonNullish)).apply(unique()).apply((ids) => sha256(ids.join(",")));
+  });
+  const podTemplate = output({ podSpec, dependencyHash }).apply(({ podSpec: podSpec2, dependencyHash: dependencyHash2 }) => {
+    return {
+      metadata: {
+        labels,
+        annotations: {
+          // to trigger a redeployment when the volumes change
+          "highstate.io/dependency-hash": dependencyHash2
+        }
+      },
+      spec: podSpec2
+    };
+  });
+  const networkPolicy = output({ containers }).apply(({ containers: containers2 }) => {
+    const allowedEndpoints = containers2.flatMap((container) => container.allowedEndpoints ?? []);
+    if (allowedEndpoints.length === 0 && !args.networkPolicy) {
+      return output(void 0);
+    }
+    return output(
+      new NetworkPolicy(
+        name,
+        {
+          namespace: args.namespace,
+          selector: labels,
+          description: `Network policy for "${name}"`,
+          ...args.networkPolicy,
+          egressRules: output(args.networkPolicy?.egressRules).apply((egressRules) => [
+            ...egressRules ?? [],
+            ...allowedEndpoints.length > 0 ? [{ toEndpoints: allowedEndpoints }] : []
+          ])
+        },
+        { ...opts, parent: parent() }
+      )
+    );
+  });
+  return { labels, containers, volumes, podSpec, podTemplate, networkPolicy };
+}
+function getExposableWorkloadComponents(name, args, parent, opts) {
+  const { labels, containers, volumes, podSpec, podTemplate, networkPolicy } = getWorkloadComponents(name, args, parent, opts);
+  const service = output({
+    existing: args.existing,
+    serviceArgs: args.service,
+    containers
+  }).apply(({ existing, serviceArgs, containers: containers2 }) => {
+    if (!args.service && !args.route) {
+      return void 0;
+    }
+    if (existing?.service) {
+      return Service.for(existing.service, output(args.namespace).cluster);
+    }
+    if (existing) {
+      return void 0;
+    }
+    const ports = containers2.flatMap((container) => normalize(container.port, container.ports));
+    return Service.create(name, {
+      ...serviceArgs,
+      selector: labels,
+      namespace: args.namespace,
+      ports: (
+        // allow to completely override the ports
+        !serviceArgs?.port && !serviceArgs?.ports ? ports.map(mapContainerPortToServicePort) : serviceArgs?.ports
+      )
+    });
+  });
+  const routes = output({
+    routesArgs: normalizeInputs(args.route, args.routes),
+    service,
+    namespace: output(args.namespace)
+  }).apply(({ routesArgs, service: service2, namespace }) => {
+    if (!routesArgs.length || !service2) {
+      return [];
+    }
+    if (args.existing) {
+      return [];
+    }
+    return routesArgs.map((routeArgs) => {
+      return new AccessPointRoute(name, {
+        ...routeArgs,
+        endpoints: service2.endpoints,
+        // pass the native data to the route to allow implementation to use it
+        gatewayNativeData: service2,
+        tlsCertificateNativeData: namespace
+      });
+    });
+  });
+  return { labels, containers, volumes, podSpec, podTemplate, networkPolicy, service, routes };
+}
+var Workload = class extends ScopedResource {
+  constructor(type, name, args, opts, apiVersion, kind, terminalArgs, containers, namespace, metadata, networkPolicy) {
+    super(type, name, args, opts, apiVersion, kind, namespace, metadata);
+    this.name = name;
+    this.terminalArgs = terminalArgs;
+    this.containers = containers;
+    this.networkPolicy = networkPolicy;
+  }
+  /**
+   * The instance terminal to interact with the deployment.
+   */
+  get terminal() {
+    const containerName = output(this.containers).apply((containers) => {
+      return containers[0]?.name ?? this.name;
+    });
+    const shell = this.terminalArgs.apply((args) => args.shell ?? "bash");
+    const workloadLabelQuery = output(this.metadata).apply((meta) => meta.labels ?? {}).apply(
+      (labels) => Object.entries(labels).map(([key, value]) => `${key}=${value}`).join(",")
+    );
+    return output({
+      name: this.metadata.name,
+      meta: this.getTerminalMeta(),
+      spec: {
+        image: images_exports["terminal-kubectl"].image,
+        command: ["bash", "/welcome.sh"],
+        files: {
+          "/kubeconfig": fileFromString("kubeconfig", this.cluster.kubeconfig, { isSecret: true }),
+          "/welcome.sh": fileFromString(
+            "welcome.sh",
+            interpolate`
+              #!/bin/bash
+              set -euo pipefail
+
+              NAMESPACE="${this.metadata.namespace}"
+              RESOURCE_TYPE="${this.kind.apply((k) => k.toLowerCase())}"
+              RESOURCE_NAME="${this.metadata.name}"
+              CONTAINER_NAME="${containerName}"
+              SHELL="${shell}"
+
+              echo "Connecting to $RESOURCE_TYPE \\"$RESOURCE_NAME\\" in namespace \\"$NAMESPACE\\""
+
+              # get all pods for this workload
+              PODS=$(kubectl get pods -n "$NAMESPACE" -l "${workloadLabelQuery}" -o jsonpath='{.items[*].metadata.name}' 2>/dev/null || echo "")
+
+              if [ -z "$PODS" ]; then
+                echo "No pods found"
+                exit 1
+              fi
+
+              # convert space-separated string to array
+              read -ra POD_ARRAY <<< "$PODS"
+
+              if [ \${#POD_ARRAY[@]} -eq 1 ]; then
+                # single pod found, connect directly
+                SELECTED_POD="\${POD_ARRAY[0]}"
+                echo "Found single pod: $SELECTED_POD"
+              else
+                # multiple pods found, use fzf for selection
+                echo "Found \${#POD_ARRAY[@]} pods. Please select one."
+                
+                SELECTED_POD=$(printf '%s\n' "\${POD_ARRAY[@]}" | fzf --prompt="Select pod: " --height 10 --border --info=inline)
+                
+                if [ -z "$SELECTED_POD" ]; then
+                  echo "No pod selected"
+                  exit 1
+                fi
+                
+                echo "Selected pod: $SELECTED_POD"
+              fi
+
+              # execute into the selected pod
+              exec kubectl exec -it -n "$NAMESPACE" "$SELECTED_POD" -c "$CONTAINER_NAME" -- "$SHELL"
+            `.apply(trimIndentation)
+          )
+        },
+        env: {
+          KUBECONFIG: "/kubeconfig"
+        }
+      }
+    });
+  }
+  /**
+   * Creates a terminal with a custom command.
+   *
+   * @param meta The metadata for the terminal.
+   * @param command The command to run in the terminal.
+   * @param spec Additional spec options for the terminal.
+   */
+  createTerminal(name, meta, command, spec) {
+    const containerName = output(this.containers).apply((containers) => {
+      return containers[0]?.name ?? this.name;
+    });
+    return output({
+      name,
+      meta: output(this.getTerminalMeta()).apply((currentMeta) => ({
+        ...currentMeta,
+        ...meta
+      })),
+      spec: {
+        image: images_exports["terminal-kubectl"].image,
+        command: output(command).apply((command2) => [
+          "exec",
+          "kubectl",
+          "exec",
+          "-it",
+          "-n",
+          this.metadata.namespace,
+          interpolate`${this.kind.apply((k) => k.toLowerCase())}/${this.metadata.name}`,
+          "-c",
+          containerName,
+          "--",
+          ...command2
+        ]),
+        files: {
+          "/kubeconfig": fileFromString("kubeconfig", this.cluster.kubeconfig, { isSecret: true }),
+          ...spec?.files
+        },
+        env: {
+          KUBECONFIG: "/kubeconfig",
+          ...spec?.env
+        }
+      }
+    });
+  }
+};
+var ExposableWorkload = class extends Workload {
+  constructor(type, name, args, opts, apiVersion, kind, terminalArgs, containers, namespace, metadata, networkPolicy, _service, routes) {
+    super(
+      type,
+      name,
+      args,
+      opts,
+      apiVersion,
+      kind,
+      terminalArgs,
+      containers,
+      namespace,
+      metadata,
+      networkPolicy
+    );
+    this._service = _service;
+    this.routes = routes;
+  }
+  /**
+   * The service associated with the workload.
+   */
+  get optionalService() {
+    return this._service;
+  }
+  /**
+   * The service associated with the workload.
+   *
+   * Will throw an error if the service is not available.
+   */
+  get service() {
+    return this._service.apply((service) => {
+      if (!service) {
+        throw new Error(`The service of the workload "${this.name}" is not available.`);
+      }
+      return service;
+    });
+  }
+  /**
+   * Creates a generic workload or patches the existing one.
+   */
+  static createOrPatchGeneric(name, args, opts) {
+    return output(args).apply(async (args2) => {
+      if (args2.existing?.type === "deployment") {
+        const { Deployment } = await import('./deployment-752P6JIT.js');
+        return Deployment.patch(
+          name,
+          {
+            ...deepmerge(args2, args2.deployment),
+            name: args2.existing.metadata.name,
+            namespace: Namespace.forResourceAsync(args2.existing, output(args2.namespace).cluster)
+          },
+          opts
+        );
+      }
+      if (args2.existing?.type === "stateful-set") {
+        const { StatefulSet } = await import('./stateful-set-N64YVKR7.js');
+        return StatefulSet.patch(
+          name,
+          {
+            ...deepmerge(args2, args2.statefulSet),
+            name: args2.existing.metadata.name,
+            namespace: Namespace.forResourceAsync(args2.existing, output(args2.namespace).cluster)
+          },
+          opts
+        );
+      }
+      if (args2.type === "Deployment") {
+        const { Deployment } = await import('./deployment-752P6JIT.js');
+        return Deployment.create(name, deepmerge(args2, args2.deployment), opts);
+      }
+      if (args2.type === "StatefulSet") {
+        const { StatefulSet } = await import('./stateful-set-N64YVKR7.js');
+        return StatefulSet.create(name, deepmerge(args2, args2.statefulSet), opts);
+      }
+      throw new Error(`Unknown workload type: ${args2.type}`);
+    });
+  }
+};
+
+export { ConfigMap, ExposableWorkload, NativeNetworkPolicy, NetworkPolicy, PersistentVolumeClaim, Workload, exposableWorkloadExtraArgs, getAutoVolumeName, getBestEndpoint, getExposableWorkloadComponents, getWorkloadComponents, getWorkloadVolumeResourceUuid, mapContainerEnvironment, mapContainerToRaw, mapEnvironmentSource, mapVolumeMount, mapWorkloadVolume, networkPolicyMediator, podSpecDefaults, requireBestEndpoint, workloadExtraArgs };
+//# sourceMappingURL=chunk-SBC3TUIN.js.map
+//# sourceMappingURL=chunk-SBC3TUIN.js.map