@highstate/k8s 0.9.16 → 0.9.19

package/dist/index.js

@@ -1,132 +1,738 @@
-export { Chart, RenderedChart, getChartService, getChartServiceOutput, resolveHelmChart } from './chunk-OFFSHGC6.js';
-export { StatefulSet } from './chunk-TZHOUJRC.js';
-export { Deployment } from './chunk-YWRJ4EZM.js';
-import { NetworkPolicy, isFromCluster, ConfigMap, getWorkloadComponents } from './chunk-BBIY3KUN.js';
-export { ConfigMap, ExposableWorkload, HttpRoute, NetworkPolicy, PersistentVolumeClaim, Secret, Service, Workload, getBestEndpoint, getServiceMetadata, hasServiceMetadata, isFromCluster, mapContainerPortToServicePort, mapServiceToLabelSelector, requireBestEndpoint, withServiceMetadata } from './chunk-BBIY3KUN.js';
-export { createK8sTerminal, detectExternalIps } from './chunk-5C2BJGES.js';
-import { commonExtraArgs, getProvider, mapNamespaceLikeToNamespaceName, mapMetadata } from './chunk-5TLC5BXR.js';
-export { Namespace, getProvider, mapMetadata, mapNamespaceLikeToNamespaceName, mapNamespaceNameToSelector, mapSelectorLikeToSelector } from './chunk-5TLC5BXR.js';
+export { Chart, RenderedChart, getChartService, getChartServiceOutput, resolveHelmChart } from './chunk-4JGXGN2L.js';
+export { Deployment } from './chunk-JYNXQ3I3.js';
+export { StatefulSet } from './chunk-A3XGSDIW.js';
+import { Workload, getWorkloadComponents, ConfigMap } from './chunk-SBC3TUIN.js';
+export { ConfigMap, ExposableWorkload, NativeNetworkPolicy, NetworkPolicy, PersistentVolumeClaim, Workload, exposableWorkloadExtraArgs, getAutoVolumeName, getBestEndpoint, getExposableWorkloadComponents, getWorkloadComponents, getWorkloadVolumeResourceUuid, mapContainerEnvironment, mapContainerToRaw, mapEnvironmentSource, mapVolumeMount, mapWorkloadVolume, networkPolicyMediator, podSpecDefaults, requireBestEndpoint, workloadExtraArgs } from './chunk-SBC3TUIN.js';
+export { dns01SolverMediator } from './chunk-2EEHJZPD.js';
+export { createK8sTerminal, detectExternalIps } from './chunk-KDD6XUWM.js';
+export { Gateway, HttpRoute, mapHttpRouteRuleMatch, resolveBackendRef } from './chunk-NXSYCA3V.js';
+export { Service, getServiceType, isEndpointFromCluster, l4EndpointToServicePort, mapContainerPortToServicePort, mapServiceToLabelSelector } from './chunk-SI7X6N46.js';
+import { Secret } from './chunk-IMTXUK2U.js';
+export { Secret } from './chunk-IMTXUK2U.js';
+import { commonExtraArgs, Namespace, mapMetadata, getProvider, getNamespaceName, images_exports } from './chunk-WGMJCZSK.js';
+export { Namespace, ScopedResource, commonExtraArgs, getNamespaceName, getProvider, getProviderAsync, images_exports as images, mapMetadata, mapNamespaceNameToSelector, mapSelectorLikeToSelector, validateCluster } from './chunk-WGMJCZSK.js';
 import './chunk-PZ5AY32C.js';
-import { DnsRecordSet, filterEndpoints, l3EndpointToString, parseL34Endpoint } from '@highstate/common';
-import { gateway } from '@highstate/gateway-api';
-import { output, normalize, toPromise, apply, ComponentResource as ComponentResource$1 } from '@highstate/pulumi';
-import { ComponentResource, output as output$1 } from '@pulumi/pulumi';
-import { pipe, omitBy, mapValues, merge, mergeDeep, omit } from 'remeda';
+import { getOrCreate, text, trimIndentation } from '@highstate/contract';
+import { output, interpolate, toPromise, ComponentResource, normalizeInputs, normalize } from '@highstate/pulumi';
+import { batch, core, rbac } from '@pulumi/kubernetes';
 import { deepmerge } from 'deepmerge-ts';
+import { omit, map, unique, omitBy, mapValues, merge } from 'remeda';
+import { KubeConfig } from '@kubernetes/client-node';
+import { ComponentResource as ComponentResource$1, output as output$1 } from '@pulumi/pulumi';
 import { readPackageJSON } from 'pkg-types';
-import { text, trimIndentation } from '@highstate/contract';
+import { parseL34Endpoint } from '@highstate/common';
 import { serializeFunction } from '@pulumi/pulumi/runtime/index.js';
-import { batch } from '@pulumi/kubernetes';
 
-function useAccessPoint(args) {
-  const result = output({ args, namespaceName: output(args.namespace).metadata.name }).apply(
-    ({ args: args2, namespaceName }) => {
-      if (args2.accessPoint.clusterId !== args2.cluster.id) {
-        throw new Error(
-          "The provided Kubernetes cluster is different from the one where the access point is deployed."
-        );
+var CronJob = class _CronJob extends Workload {
+  constructor(type, name, args, opts, apiVersion, kind, terminalArgs, containers, namespace, metadata, networkPolicy, spec, status) {
+    super(
+      type,
+      name,
+      args,
+      opts,
+      apiVersion,
+      kind,
+      terminalArgs,
+      containers,
+      namespace,
+      metadata,
+      networkPolicy
+    );
+    this.spec = spec;
+    this.status = status;
+  }
+  /**
+   * The Highstate cron job entity.
+   */
+  get entity() {
+    return output({
+      type: "cron-job",
+      clusterId: this.cluster.id,
+      clusterName: this.cluster.name,
+      metadata: this.metadata
+    });
+  }
+  getTerminalMeta() {
+    return output({
+      title: "CronJob",
+      globalTitle: interpolate`CronJob | ${this.metadata.name}`,
+      description: "The shell inside the cron job.",
+      icon: "devicon:kubernetes"
+    });
+  }
+  get resourceType() {
+    return "cronjob";
+  }
+  /**
+   * Creates a new cron job.
+   */
+  static create(name, args, opts) {
+    return new CreatedCronJob(name, args, opts);
+  }
+  /**
+   * Creates a new cron job or patches an existing one.
+   *
+   * @param name The name of the resource. May not be the same as the cron job name.
+   * @param args The arguments to create or patch the cron job with.
+   * @param opts Optional resource options.
+   */
+  static createOrPatch(name, args, opts) {
+    if (args.existing) {
+      return new CronJobPatch(name, {
+        ...args,
+        name: output(args.existing).metadata.name,
+        namespace: Namespace.forResourceAsync(args.existing, output(args.namespace).cluster)
+      });
+    }
+    return new CreatedCronJob(name, args, opts);
+  }
+  /**
+   * Creates a new cron job or gets an existing one.
+   *
+   * @param name The name of the resource. May not be the same as the cron job name. Will not be used when existing cron job is retrieved.
+   * @param args The arguments to create or get the cron job with.
+   * @param opts Optional resource options.
+   */
+  static async createOrGet(name, args, opts) {
+    if (args.existing) {
+      return await _CronJob.forAsync(args.existing, output(args.namespace).cluster);
+    }
+    return new CreatedCronJob(name, args, opts);
+  }
+  /**
+   * Patches an existing cron job.
+   *
+   * Will throw an error if the cron job does not exist.
+   *
+   * @param name The name of the resource. May not be the same as the cron job name.
+   * @param args The arguments to patch the cron job with.
+   * @param opts Optional resource options.
+   */
+  static patch(name, args, opts) {
+    return new CronJobPatch(name, args, opts);
+  }
+  /**
+   * Wraps an existing Kubernetes cron job.
+   */
+  static wrap(name, args, opts) {
+    return new WrappedCronJob(name, args, opts);
+  }
+  /**
+   * Gets an existing cron job.
+   *
+   * Will throw an error if the cron job does not exist.
+   */
+  static get(name, args, opts) {
+    return new ExternalCronJob(name, args, opts);
+  }
+  static cronJobCache = /* @__PURE__ */ new Map();
+  /**
+   * Gets an existing cron job for a given entity.
+   * Prefer this method over `get` when possible.
+   *
+   * It automatically names the resource with the following format: `{clusterName}.{namespace}.{name}.{clusterId}`.
+   *
+   * This method is idempotent and will return the same instance for the same entity.
+   *
+   * @param entity The entity to get the cron job for.
+   * @param cluster The cluster where the cron job is located.
+   */
+  static for(entity, cluster) {
+    return getOrCreate(
+      _CronJob.cronJobCache,
+      `${entity.clusterName}.${entity.metadata.namespace}.${entity.metadata.name}.${entity.clusterId}`,
+      (name) => {
+        return _CronJob.get(name, {
+          name: entity.metadata.name,
+          namespace: Namespace.forResource(entity, cluster)
+        });
       }
-      const gateway2 = createGateway({
-        ...args2,
-        annotations: {
-          "cert-manager.io/cluster-issuer": args2.accessPoint.tlsIssuer.clusterIssuerName
+    );
+  }
+  /**
+   * Gets an existing cron job for a given entity.
+   * Prefer this method over `get` when possible.
+   *
+   * It automatically names the resource with the following format: `{clusterName}.{namespace}.{name}.{clusterId}`.
+   *
+   * This method is idempotent and will return the same instance for the same entity.
+   *
+   * @param entity The entity to get the cron job for.
+   * @param cluster The cluster where the cron job is located.
+   */
+  static async forAsync(entity, cluster) {
+    const resolvedEntity = await toPromise(entity);
+    return _CronJob.for(resolvedEntity, cluster);
+  }
+};
+var cronJobExtraArgs = [...commonExtraArgs, "container", "containers"];
+var CreatedCronJob = class extends CronJob {
+  constructor(name, args, opts) {
+    const { podTemplate, containers, networkPolicy } = getWorkloadComponents(
+      name,
+      args,
+      () => this,
+      opts
+    );
+    const cronJob = output(args.namespace).cluster.apply((cluster) => {
+      return new batch.v1.CronJob(
+        name,
+        {
+          metadata: mapMetadata(args, name),
+          spec: output({ args, podTemplate }).apply(({ args: args2, podTemplate: podTemplate2 }) => {
+            return deepmerge(
+              {
+                jobTemplate: {
+                  spec: {
+                    template: deepmerge(
+                      {
+                        spec: {
+                          restartPolicy: "Never"
+                        }
+                      },
+                      podTemplate2
+                    )
+                  }
+                },
+                schedule: args2.schedule
+              },
+              omit(args2, cronJobExtraArgs)
+            );
+          })
+        },
+        {
+          ...opts,
+          parent: this,
+          provider: getProvider(cluster)
+        }
+      );
+    });
+    super(
+      "highstate:k8s:CronJob",
+      name,
+      args,
+      opts,
+      cronJob.apiVersion,
+      cronJob.kind,
+      output(args.terminal ?? {}),
+      containers,
+      output(args.namespace),
+      cronJob.metadata,
+      networkPolicy,
+      cronJob.spec,
+      cronJob.status
+    );
+  }
+};
+var CronJobPatch = class extends CronJob {
+  constructor(name, args, opts) {
+    const { podTemplate, containers, networkPolicy } = getWorkloadComponents(
+      name,
+      args,
+      () => this,
+      opts
+    );
+    const cronJob = output(args.namespace).cluster.apply((cluster) => {
+      return new batch.v1.CronJobPatch(
+        name,
+        {
+          metadata: mapMetadata(args, name),
+          spec: output({ args, podTemplate }).apply(({ args: args2, podTemplate: podTemplate2 }) => {
+            return deepmerge(
+              {
+                jobTemplate: {
+                  spec: {
+                    template: podTemplate2
+                  }
+                },
+                schedule: args2.schedule
+              },
+              omit(args2, cronJobExtraArgs)
+            );
+          })
         },
-        gateway: args2.accessPoint.gateway
+        {
+          ...opts,
+          parent: this,
+          provider: getProvider(cluster)
+        }
+      );
+    });
+    super(
+      "highstate:k8s:CronJobPatch",
+      name,
+      args,
+      opts,
+      cronJob.apiVersion,
+      cronJob.kind,
+      output(args.terminal ?? {}),
+      containers,
+      output(args.namespace),
+      cronJob.metadata,
+      networkPolicy,
+      cronJob.spec,
+      cronJob.status
+    );
+  }
+};
+var WrappedCronJob = class extends CronJob {
+  constructor(name, args, opts) {
+    super(
+      "highstate:k8s:WrappedCronJob",
+      name,
+      args,
+      opts,
+      output(args.cronJob).apiVersion,
+      output(args.cronJob).kind,
+      output(args.terminal ?? {}),
+      output([]),
+      output(args.namespace),
+      output(args.cronJob).metadata,
+      output(void 0),
+      output(args.cronJob).spec,
+      output(args.cronJob).status
+    );
+  }
+};
+var ExternalCronJob = class extends CronJob {
+  constructor(name, args, opts) {
+    const cronJob = output(args.namespace).cluster.apply((cluster) => {
+      return batch.v1.CronJob.get(
+        name,
+        interpolate`${output(args.namespace).metadata.name}/${args.name}`,
+        { ...opts, parent: this, provider: getProvider(cluster) }
+      );
+    });
+    super(
+      "highstate:k8s:ExternalCronJob",
+      name,
+      args,
+      opts,
+      cronJob.apiVersion,
+      cronJob.kind,
+      output({}),
+      output([]),
+      output(args.namespace),
+      cronJob.metadata,
+      output(void 0),
+      cronJob.spec,
+      cronJob.status
+    );
+  }
+};
+var Job = class _Job extends Workload {
+  constructor(type, name, args, opts, apiVersion, kind, terminalArgs, containers, namespace, metadata, networkPolicy, spec, status) {
+    super(
+      type,
+      name,
+      args,
+      opts,
+      apiVersion,
+      kind,
+      terminalArgs,
+      containers,
+      namespace,
+      metadata,
+      networkPolicy
+    );
+    this.spec = spec;
+    this.status = status;
+  }
+  /**
+   * The Highstate job entity.
+   */
+  get entity() {
+    return output({
+      type: "job",
+      clusterId: this.cluster.id,
+      clusterName: this.cluster.name,
+      metadata: this.metadata
+    });
+  }
+  getTerminalMeta() {
+    return output({
+      title: "Job",
+      globalTitle: interpolate`Job | ${this.metadata.name}`,
+      description: "The shell inside the job.",
+      icon: "devicon:kubernetes"
+    });
+  }
+  get resourceType() {
+    return "job";
+  }
+  /**
+   * Creates a new job.
+   */
+  static create(name, args, opts) {
+    return new CreatedJob(name, args, opts);
+  }
+  /**
+   * Creates a new job or patches an existing one.
+   *
+   * @param name The name of the resource. May not be the same as the job name.
+   * @param args The arguments to create or patch the job with.
+   * @param opts Optional resource options.
+   */
+  static createOrPatch(name, args, opts) {
+    if (args.existing) {
+      return new JobPatch(name, {
+        ...args,
+        name: output(args.existing).metadata.name,
+        namespace: Namespace.forResourceAsync(args.existing, output(args.namespace).cluster)
       });
-      const dnsRecordSets = normalize(args2.fqdn, args2.fqdns).flatMap((fqdn) => {
-        return DnsRecordSet.create(fqdn, {
-          providers: args2.accessPoint.dnsProviders,
-          values: filterEndpoints(
-            args2.accessPoint.gateway.endpoints.filter((endpoint) => endpoint.type !== "hostname")
-          )
+    }
+    return new CreatedJob(name, args, opts);
+  }
+  /**
+   * Creates a new job or gets an existing one.
+   *
+   * @param name The name of the resource. May not be the same as the job name. Will not be used when existing job is retrieved.
+   * @param args The arguments to create or get the job with.
+   * @param opts Optional resource options.
+   */
+  static async createOrGet(name, args, opts) {
+    if (args.existing) {
+      return await _Job.forAsync(args.existing, output(args.namespace).cluster);
+    }
+    return new CreatedJob(name, args, opts);
+  }
+  /**
+   * Patches an existing job.
+   *
+   * Will throw an error if the job does not exist.
+   *
+   * @param name The name of the resource. May not be the same as the job name.
+   * @param args The arguments to patch the job with.
+   * @param opts Optional resource options.
+   */
+  static patch(name, args, opts) {
+    return new JobPatch(name, args, opts);
+  }
+  /**
+   * Wraps an existing Kubernetes job.
+   */
+  static wrap(name, args, opts) {
+    return new WrappedJob(name, args, opts);
+  }
+  /**
+   * Gets an existing job.
+   *
+   * Will throw an error if the job does not exist.
+   */
+  static get(name, args, opts) {
+    return new ExternalJob(name, args, opts);
+  }
+  static jobCache = /* @__PURE__ */ new Map();
+  /**
+   * Gets an existing job for a given entity.
+   * Prefer this method over `get` when possible.
+   *
+   * It automatically names the resource with the following format: `{clusterName}.{namespace}.{name}.{clusterId}`.
+   *
+   * This method is idempotent and will return the same instance for the same entity.
+   *
+   * @param entity The entity to get the job for.
+   * @param cluster The cluster where the job is located.
+   */
+  static for(entity, cluster) {
+    return getOrCreate(
+      _Job.jobCache,
+      `${entity.clusterName}.${entity.metadata.namespace}.${entity.metadata.name}.${entity.clusterId}`,
+      (name) => {
+        return _Job.get(name, {
+          name: entity.metadata.name,
+          namespace: Namespace.forResource(entity, cluster)
         });
-      });
-      const networkPolicies = [
-        NetworkPolicy.create(
-          `allow-ingress-from-${l3EndpointToString(args2.accessPoint.gateway.endpoints[0])}`,
-          {
-            namespace: args2.namespace,
-            cluster: args2.cluster,
-            description: `Allow ingress traffic from the gateway at "${l3EndpointToString(args2.accessPoint.gateway.endpoints[0])}".`,
-            ingressRule: {
-              fromEndpoints: args2.accessPoint.gateway.endpoints
+      }
+    );
+  }
+  /**
+   * Gets an existing job for a given entity.
+   * Prefer this method over `get` when possible.
+   *
+   * It automatically names the resource with the following format: `{clusterName}.{namespace}.{name}.{clusterId}`.
+   *
+   * This method is idempotent and will return the same instance for the same entity.
+   *
+   * @param entity The entity to get the job for.
+   * @param cluster The cluster where the job is located.
+   */
+  static async forAsync(entity, cluster) {
+    const resolvedEntity = await toPromise(entity);
+    return _Job.for(resolvedEntity, cluster);
+  }
+};
+var jobExtraArgs = [...commonExtraArgs, "container", "containers"];
+var CreatedJob = class extends Job {
+  constructor(name, args, opts) {
+    const { podTemplate, containers, networkPolicy } = getWorkloadComponents(
+      name,
+      args,
+      () => this,
+      opts
+    );
+    const job = output(args.namespace).cluster.apply((cluster) => {
+      return new batch.v1.Job(
+        name,
+        {
+          metadata: mapMetadata(args, name),
+          spec: output({ args, podTemplate }).apply(({ args: args2, podTemplate: podTemplate2 }) => {
+            return deepmerge(
+              {
+                template: deepmerge(
+                  {
+                    spec: {
+                      restartPolicy: "Never"
+                    }
+                  },
+                  podTemplate2
+                )
+              },
+              omit(args2, jobExtraArgs)
+            );
+          })
+        },
+        { ...opts, parent: this, provider: getProvider(cluster) }
+      );
+    });
+    super(
+      "highstate:k8s:Job",
+      name,
+      args,
+      opts,
+      job.apiVersion,
+      job.kind,
+      output(args.terminal ?? {}),
+      containers,
+      output(args.namespace),
+      job.metadata,
+      networkPolicy,
+      job.spec,
+      job.status
+    );
+  }
+};
+var JobPatch = class extends Job {
+  constructor(name, args, opts) {
+    const { podTemplate, containers, networkPolicy } = getWorkloadComponents(
+      name,
+      args,
+      () => this,
+      opts
+    );
+    const job = output(args.namespace).cluster.apply((cluster) => {
+      return new batch.v1.JobPatch(
+        name,
+        {
+          metadata: mapMetadata(args, name),
+          spec: output({ args, podTemplate }).apply(({ args: args2, podTemplate: podTemplate2 }) => {
+            return deepmerge(
+              { template: podTemplate2 },
+              omit(args2, jobExtraArgs)
+            );
+          })
+        },
+        { ...opts, parent: this, provider: getProvider(cluster) }
+      );
+    });
+    super(
+      "highstate:k8s:JobPatch",
+      name,
+      args,
+      opts,
+      job.apiVersion,
+      job.kind,
+      output(args.terminal ?? {}),
+      containers,
+      output(args.namespace),
+      job.metadata,
+      networkPolicy,
+      job.spec,
+      job.status
+    );
+    this.registerOutputs({
+      metadata: this.metadata,
+      spec: this.spec,
+      status: this.status
+    });
+  }
+};
+var WrappedJob = class extends Job {
+  constructor(name, args, opts) {
+    super(
+      "highstate:k8s:WrappedJob",
+      name,
+      args,
+      opts,
+      output(args.job).apiVersion,
+      output(args.job).kind,
+      output(args.terminal ?? {}),
+      output([]),
+      output(args.namespace),
+      output(args.job).metadata,
+      output(void 0),
+      output(args.job).spec,
+      output(args.job).status
+    );
+  }
+};
+var ExternalJob = class extends Job {
+  constructor(name, args, opts) {
+    const job = output(args.namespace).cluster.apply((cluster) => {
+      return batch.v1.Job.get(
+        name,
+        interpolate`${output(args.namespace).metadata.name}/${args.name}`,
+        { ...opts, parent: this, provider: getProvider(cluster) }
+      );
+    });
+    super(
+      "highstate:k8s:ExternalJob",
+      name,
+      args,
+      opts,
+      job.apiVersion,
+      job.kind,
+      output({}),
+      output([]),
+      output(args.namespace),
+      job.metadata,
+      output(void 0),
+      job.spec,
+      job.status
+    );
+  }
+};
+var ClusterAccessScope = class _ClusterAccessScope extends ComponentResource {
+  /**
+   * The cluster entity with the reduced access.
+   */
+  cluster;
+  constructor(name, args, opts) {
+    super("highstate:k8s:ClusterAccessScope", name, args, opts);
+    const { serviceAccount, kubeconfig } = output(args.namespace).cluster.apply((cluster) => {
+      const provider = getProvider(cluster);
+      const namespaceName = output(args.namespace).metadata.name;
+      const serviceAccount2 = new core.v1.ServiceAccount(
+        name,
+        {
+          metadata: {
+            name,
+            namespace: namespaceName
+          }
+        },
+        { provider }
+      );
+      const clusterRole = new rbac.v1.ClusterRole(
+        name,
+        {
+          metadata: {
+            name: interpolate`highstate.${namespaceName}.${name}`,
+            annotations: {
+              "kubernetes.io/description": interpolate`Created by Highstate for the ServiceAccount "${name}" in the namespace "${namespaceName}".`
             }
           },
-          { provider: args2.provider }
-        )
-      ];
-      if (isFromCluster(args2.accessPoint.gateway.endpoints[0], args2.cluster)) {
-        networkPolicies.push(
-          NetworkPolicy.create(
-            `allow-egress-to-${namespaceName}`,
-            {
-              namespace: args2.accessPoint.gateway.endpoints[0].metadata.k8sService.namespace,
-              cluster: args2.cluster,
-              selector: args2.accessPoint.gateway.endpoints[0].metadata.k8sService.selector,
-              description: `Allow egress traffic to the namespace "${namespaceName}".`,
-              egressRule: {
-                toNamespace: args2.namespace
-              }
+          rules: normalizeInputs(args.rule, args.rules)
+        },
+        { provider }
+      );
+      const createRoleBinding = (namespace) => {
+        return new rbac.v1.RoleBinding(
+          name,
+          {
+            metadata: { name, namespace },
+            roleRef: {
+              kind: "ClusterRole",
+              name: clusterRole.metadata.name,
+              apiGroup: "rbac.authorization.k8s.io"
             },
-            { provider: args2.provider }
-          )
+            subjects: [
+              {
+                kind: "ServiceAccount",
+                name: serviceAccount2.metadata.name,
+                namespace: namespaceName
+              }
+            ]
+          },
+          { provider }
         );
+      };
+      if (args.allowOriginNamespace ?? true) {
+        createRoleBinding(namespaceName);
+      }
+      output(args.extraNamespaces ?? []).apply(map(getNamespaceName)).apply(map(createRoleBinding));
+      return { serviceAccount: serviceAccount2, kubeconfig: cluster.kubeconfig };
+    });
+    const accessTokenSecret = Secret.create(`${name}-token`, {
+      namespace: args.namespace,
+      type: "kubernetes.io/service-account-token",
+      metadata: {
+        annotations: {
+          "kubernetes.io/service-account.name": serviceAccount.metadata.name
+        }
       }
-      return output({
-        gateway: gateway2,
-        dnsRecordSets,
-        networkPolicies
+    });
+    this.cluster = output({
+      cluster: output(args.namespace).cluster,
+      kubeconfig,
+      newToken: accessTokenSecret.getValue("token"),
+      serviceAccount: serviceAccount.metadata.name
+    }).apply(({ cluster, kubeconfig: kubeconfig2, newToken, serviceAccount: serviceAccount2 }) => {
+      const config = new KubeConfig();
+      config.loadFromString(kubeconfig2);
+      config.users = [];
+      config.contexts = [];
+      config.addUser({ name: serviceAccount2, token: newToken });
+      config.addContext({
+        name: config.clusters[0].name,
+        cluster: config.clusters[0].name,
+        user: serviceAccount2
       });
+      config.setCurrentContext(config.clusters[0].name);
+      return {
+        ...cluster,
+        kubeconfig: config.exportConfig()
+      };
+    });
+  }
+  /**
+   * Creates `ClusterAccessScope` for the given resources with the specified verbs.
+   *
+   * All resources must belong to the same namespace in the same cluster.
+   *
+   * @param name The name of the resource and the ServiceAccount.
+   * @param resources The resources to create access scope for.
+   * @param verbs The verbs to allow on the resources.
+   */
+  static async forResources(name, resources, verbs) {
+    const resolved = await toPromise(
+      output(resources).apply(
+        (resources2) => resources2.map((r) => ({
+          namespaceId: r.namespace.metadata.uid,
+          namespace: r.namespace,
+          metadata: r.metadata,
+          apiVersion: r.apiVersion,
+          kind: r.kind
+        }))
+      )
+    );
+    if (resolved.length === 0) {
+      throw new Error("No resources provided to forResources.");
     }
-  );
-  return toPromise(result);
-}
-async function useStandardAcessPoint(namespace, args, inputs) {
-  return await useAccessPoint({
-    name: args.appName,
-    namespace,
-    fqdn: args.fqdn,
-    accessPoint: inputs.accessPoint,
-    cluster: inputs.k8sCluster,
-    provider: await getProvider(inputs.k8sCluster)
-  });
-}
-function createGateway(args) {
-  return output(args).apply((args2) => {
-    if (args2.cluster.id !== args2.gateway.clusterId) {
-      throw new Error(
-        "The provided Kubernetes cluster is different from the one where the gateway controller is deployed."
-      );
+    if (unique(resolved.map((r) => r.namespaceId)).length !== 1) {
+      throw new Error("All resources must belong to the same namespace.");
     }
-    return new gateway.v1.Gateway(
-      args2.name,
-      {
-        metadata: {
-          name: args2.name,
-          namespace: mapNamespaceLikeToNamespaceName(args2.namespace),
-          annotations: args2.annotations
-        },
-        spec: {
-          gatewayClassName: output(args2.gateway).gatewayClassName,
-          listeners: normalize(args2.fqdn, args2.fqdns).map((fqdn) => {
-            const normalizedName = fqdn.replace(/\*/g, "wildcard");
-            return {
-              name: `https-${normalizedName}`,
-              port: output(args2.gateway).httpsListenerPort,
-              protocol: "HTTPS",
-              hostname: fqdn,
-              tls: {
-                mode: "Terminate",
-                certificateRefs: [{ name: normalizedName }]
-              }
-            };
-          })
-        }
-      },
-      { provider: args2.provider, deletedWith: args2.namespace }
-    );
-  });
-}
+    return new _ClusterAccessScope(name, {
+      namespace: resolved[0].namespace,
+      rules: resolved.map((r) => ({
+        apiGroups: r.apiVersion === "v1" ? [""] : [r.apiVersion.split("/")[0]],
+        resources: [r.kind.toLowerCase() + (r.metadata?.name ? "s" : "")],
+        // TODO: critical
+        // resourceNames: r.metadata?.name ? [r.metadata.name] : undefined,
+        verbs
+      }))
+    });
+  }
+};
 
 // src/scripting/environment.ts
 var emptyDistributionEnvironment = {
@@ -169,7 +775,7 @@ var functionScriptImages = {
 };
 
 // src/scripting/bundle.ts
-var ScriptBundle = class extends ComponentResource {
+var ScriptBundle = class extends ComponentResource$1 {
   /**
    * The config map containing the scripts.
    */
@@ -200,11 +806,7 @@ var ScriptBundle = class extends ComponentResource {
   allowedEndpoints;
   constructor(name, args, opts) {
     super("highstate:k8s:ScriptBundle", name, args, opts);
-    const scriptEnvironment = pipe(
-      output$1(args),
-      apply((args2) => normalize(args2.environment, args2.environments)),
-      apply((args2) => deepmerge(emptyScriptEnvironment, ...args2))
-    );
+    const scriptEnvironment = output$1(args).apply((args2) => normalize(args2.environment, args2.environments)).apply((args2) => deepmerge(emptyScriptEnvironment, ...args2));
     const hasFunctionScripts = scriptEnvironment.apply((scriptEnvironment2) => {
       return Object.values(scriptEnvironment2.files).some((file) => typeof file === "function");
     });
@@ -231,7 +833,6 @@ var ScriptBundle = class extends ComponentResource {
       return ConfigMap.create(
         name,
         {
-          cluster: args2.cluster,
           namespace: args2.namespace,
           data: createScriptData(this.distribution, scriptEnvironment2)
         },
@@ -267,15 +868,6 @@ var ScriptBundle = class extends ComponentResource {
         ...hasFunctionScripts2 ? [{ name: "node-modules", mountPath: "/scripts/node_modules" }] : []
       ];
     });
-    this.registerOutputs({
-      configMap: this.configMap,
-      volumes: this.volumes,
-      volumeMounts: this.volumeMounts,
-      environment: this.environment,
-      distribution: this.distribution,
-      allowedEndpoints: this.allowedEndpoints,
-      image: this.image
-    });
   }
 };
 function stripWorkspacePrefix(value) {
@@ -441,86 +1033,22 @@ function createScriptContainer(options) {
     };
   });
 }
-var jobExtraArgs = [...commonExtraArgs, "container", "containers"];
-var Job = class extends ComponentResource$1 {
-  /**
-   * The underlying Kubernetes job.
-   */
-  job;
-  constructor(name, args, opts) {
-    super("highstate:k8s:Job", name, args, opts);
-    const { podTemplate } = getWorkloadComponents(name, args, () => this, opts);
-    this.job = output({ args, podTemplate }).apply(async ({ args: args2, podTemplate: podTemplate2 }) => {
-      return new batch.v1.Job(
-        name,
-        {
-          metadata: mapMetadata(args2, name),
-          spec: mergeDeep(
-            {
-              template: mergeDeep(
-                {
-                  spec: {
-                    restartPolicy: "Never"
-                  }
-                },
-                podTemplate2
-              )
-            },
-            omit(args2, jobExtraArgs)
-          )
-        },
-        {
-          ...opts,
-          parent: this,
-          provider: await getProvider(args2.cluster)
-        }
-      );
-    });
-  }
-};
-var cronJobExtraArgs = [...commonExtraArgs, "container", "containers"];
-var CronJob = class extends ComponentResource$1 {
-  /**
-   * The underlying Kubernetes job.
-   */
-  cronJob;
-  constructor(name, args, opts) {
-    super("highstate:k8s:CronJob", name, args, opts);
-    const { podTemplate } = getWorkloadComponents(name, args, () => this, opts);
-    this.cronJob = output({ args, podTemplate }).apply(async ({ args: args2, podTemplate: podTemplate2 }) => {
-      return new batch.v1.CronJob(
-        name,
-        {
-          metadata: mapMetadata(args2, name),
-          spec: mergeDeep(
-            {
-              jobTemplate: {
-                spec: {
-                  template: mergeDeep(
-                    {
-                      spec: {
-                        restartPolicy: "Never"
-                      }
-                    },
-                    podTemplate2
-                  )
-                }
-              },
-              schedule: args2.schedule
-            },
-            omit(args2, cronJobExtraArgs)
-          )
-        },
-        {
-          ...opts,
-          parent: this,
-          provider: await getProvider(args2.cluster)
-        }
-      );
-    });
-  }
-};
+async function createMonitorWorker(resources) {
+  const scope = await ClusterAccessScope.forResources("monitor", resources, [
+    "get",
+    "list",
+    "watch"
+  ]);
+  return output$1({
+    name: "monitor",
+    image: images_exports["worker-k8s-monitor"].image,
+    params: {
+      kubeconfig: scope.cluster.kubeconfig,
+      resources: output$1(resources).apply((resources2) => resources2.map((r) => r.entity))
+    }
+  });
+}
 
-export { CronJob, Job, ScriptBundle, createScriptContainer, useAccessPoint, useStandardAcessPoint };
+export { ClusterAccessScope, CronJob, Job, ScriptBundle, createMonitorWorker, createScriptContainer, emptyScriptEnvironment, functionScriptImages };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map