@highstate/k8s 0.9.18 → 0.9.20

package/src/network-policy.ts

@@ -1,9 +1,11 @@
-import { networking, types, type core } from "@pulumi/kubernetes"
+import type { Namespace } from "./namespace"
+import { networking, type types, type core } from "@pulumi/kubernetes"
 import {
   ComponentResource,
   interpolate,
   normalize,
   output,
+  toPromise,
   type Input,
   type InputArray,
   type Output,
@@ -11,25 +13,27 @@ import {
   type ResourceOptions,
   type Unwrap,
 } from "@highstate/pulumi"
-import { capitalize, flat, groupBy, merge, mergeDeep, uniqueBy } from "remeda"
-import { k8s, network } from "@highstate/library"
+import { flat, groupBy, merge, mergeDeep, uniqueBy } from "remeda"
+import type { k8s, network } from "@highstate/library"
 import {
   l34EndpointToString,
   l3EndpointToCidr,
   parseL34Endpoint,
   type InputL34Endpoint,
+  ImplementationMediator,
 } from "@highstate/common"
+import { z } from "@highstate/contract"
 import {
-  getProvider,
+  getProviderAsync,
   mapMetadata,
-  mapNamespaceLikeToNamespaceName,
+  getNamespaceName,
   mapNamespaceNameToSelector,
   mapSelectorLikeToSelector,
-  type CommonArgs,
+  type ScopedResourceArgs,
   type NamespaceLike,
   type SelectorLike,
 } from "./shared"
-import { getServiceMetadata, isFromCluster, mapServiceToLabelSelector } from "./service"
+import { isEndpointFromCluster, mapServiceToLabelSelector } from "./service"
 import { requireBestEndpoint } from "./network"
 
 export type NetworkPolicyPort = {
@@ -295,7 +299,7 @@ export type EgressRuleArgs = {
   toPorts?: InputArray<NetworkPolicyPort>
 }
 
-export type NetworkPolicyArgs = CommonArgs & {
+export type NetworkPolicyArgs = ScopedResourceArgs & {
   /**
    * The description of this network policy.
    */
@@ -350,11 +354,6 @@ export type NetworkPolicyArgs = CommonArgs & {
    * By default, `false`.
    */
   allowKubeDns?: Input<boolean>
-
-  /**
-   * The cluster to create the network policy in.
-   */
-  cluster: Input<k8s.Cluster>
 }
 
 export type NormalizedRuleArgs = {
@@ -379,6 +378,7 @@ export type NormalizedNetworkPolicyArgs = Omit<
   | "allowKubeApiServer"
   | "allowKubeDNS"
 > & {
+  cluster: k8s.Cluster
   podSelector: Unwrap<types.input.meta.v1.LabelSelector>
 
   isolateIngress: boolean
@@ -390,24 +390,31 @@ export type NormalizedNetworkPolicyArgs = Omit<
   egressRules: NormalizedRuleArgs[]
 }
 
+export const networkPolicyMediator = new ImplementationMediator(
+  "network-policy",
+  z.object({ name: z.string(), args: z.custom<NormalizedNetworkPolicyArgs>() }),
+  z.instanceof(ComponentResource),
+)
+
 /**
- * The abstract resource for creating network policies.
- * Will use different resources depending on the environment.
+ * The resource for creating network policies.
+ * Will use different resources depending on the cluster configuration.
  *
  * Note: In the worst case, it will create native `NetworkPolicy` resources and ignore some features like L7 rules.
  */
-export abstract class NetworkPolicy extends ComponentResource {
+export class NetworkPolicy extends ComponentResource {
   /**
    * The underlying network policy resource.
    */
   public readonly networkPolicy: Output<Resource>
 
-  protected constructor(name: string, args: Unwrap<NetworkPolicyArgs>, opts?: ResourceOptions) {
+  constructor(name: string, args: NetworkPolicyArgs, opts?: ResourceOptions) {
     super("k8s:network-policy", name, args, opts)
 
-    const normalizedArgs = output(args).apply(args => {
+    const normalizedArgs = output(args).apply(async args => {
       const ingressRules = normalize(args.ingressRule, args.ingressRules)
       const egressRules = normalize(args.egressRule, args.egressRules)
+      const cluster = await toPromise(args.namespace.cluster)
 
       const extraEgressRules: NormalizedRuleArgs[] = []
 
@@ -427,6 +434,7 @@ export abstract class NetworkPolicy extends ComponentResource {
         ...args,
 
         podSelector: args.selector ? mapSelectorLikeToSelector(args.selector) : {},
+        cluster,
 
         isolateEgress: args.isolateEgress ?? false,
         isolateIngress: args.isolateIngress ?? false,
@@ -438,21 +446,21 @@ export abstract class NetworkPolicy extends ComponentResource {
           const parsedEndpoints = endpoints.map(parseL34Endpoint)
 
           const endpointsNamespaces = groupBy(parsedEndpoints, endpoint => {
-            const namespace = isFromCluster(endpoint, args.cluster)
-              ? endpoint.metadata.k8sService.namespace
+            const namespace = isEndpointFromCluster(endpoint, cluster)
+              ? endpoint.metadata["k8s.service"].namespace
               : ""
 
             return namespace
           })
 
           const l3OnlyRule = endpointsNamespaces[""]
-            ? NetworkPolicy.getRuleFromEndpoint(undefined, endpointsNamespaces[""], args.cluster)
+            ? NetworkPolicy.getRuleFromEndpoint(undefined, endpointsNamespaces[""], cluster)
             : undefined
 
           const otherRules = Object.entries(endpointsNamespaces)
             .filter(([key]) => key !== "")
             .map(([, endpoints]) => {
-              return NetworkPolicy.getRuleFromEndpoint(undefined, endpoints, args.cluster)
+              return NetworkPolicy.getRuleFromEndpoint(undefined, endpoints, cluster)
             })
 
           return [
@@ -476,12 +484,12 @@ export abstract class NetworkPolicy extends ComponentResource {
             const parsedEndpoints = endpoints.map(parseL34Endpoint)
 
             const endpointsByPortsAnsNamespaces = groupBy(parsedEndpoints, endpoint => {
-              const namespace = isFromCluster(endpoint, args.cluster)
-                ? endpoint.metadata.k8sService.namespace
+              const namespace = isEndpointFromCluster(endpoint, cluster)
+                ? endpoint.metadata["k8s.service"].namespace
                 : ""
 
-              const port = isFromCluster(endpoint, args.cluster)
-                ? endpoint.metadata.k8sService.targetPort
+              const port = isEndpointFromCluster(endpoint, cluster)
+                ? endpoint.metadata["k8s.service"].targetPort
                 : endpoint.port
 
               return `${port ?? "0"}:${namespace}`
@@ -491,7 +499,7 @@ export abstract class NetworkPolicy extends ComponentResource {
               ? NetworkPolicy.getRuleFromEndpoint(
                   undefined,
                   endpointsByPortsAnsNamespaces["0:"],
-                  args.cluster,
+                  cluster,
                 )
               : undefined
 
@@ -500,9 +508,9 @@ export abstract class NetworkPolicy extends ComponentResource {
               .map(([key, endpoints]) => {
                 const [port] = key.split(":")
                 const portNumber = parseInt(port, 10)
-                const portValue = isNaN(portNumber) ? port : portNumber
+                const portValue = Number.isNaN(portNumber) ? port : portNumber
 
-                return NetworkPolicy.getRuleFromEndpoint(portValue, endpoints, args.cluster)
+                return NetworkPolicy.getRuleFromEndpoint(portValue, endpoints, cluster)
               })
 
             return [
@@ -525,13 +533,23 @@ export abstract class NetworkPolicy extends ComponentResource {
 
     this.networkPolicy = output(
       normalizedArgs.apply(async args => {
-        return output(
-          this.create(name, args as NormalizedNetworkPolicyArgs, {
-            ...opts,
-            parent: this,
-            provider: await getProvider(args.cluster),
-          }),
-        )
+        const cluster = args.cluster
+
+        // Check if cluster has a custom network policy implementation
+        if (cluster.networkPolicyImplRef) {
+          return networkPolicyMediator.call(cluster.networkPolicyImplRef, {
+            name,
+            args: args as NormalizedNetworkPolicyArgs,
+          })
+        }
+
+        // Fallback to native network policy
+        const nativePolicy = new NativeNetworkPolicy(name, args as NormalizedNetworkPolicyArgs, {
+          ...opts,
+          parent: this,
+          provider: await getProviderAsync(output(args.namespace).cluster),
+        })
+        return nativePolicy.networkPolicy
       }),
     )
   }
@@ -557,7 +575,7 @@ export abstract class NetworkPolicy extends ComponentResource {
       : []
 
     const cidrs = endpoints
-      .filter(endpoint => !isFromCluster(endpoint, cluster))
+      .filter(endpoint => !isEndpointFromCluster(endpoint, cluster))
       .filter(endpoint => endpoint.type === "ipv4" || endpoint.type === "ipv6")
       .map(NetworkPolicy.mapCidrFromEndpoint)
 
@@ -566,12 +584,12 @@ export abstract class NetworkPolicy extends ComponentResource {
       .map(endpoint => endpoint.hostname)
 
     const selectors = endpoints
-      .filter(endpoint => isFromCluster(endpoint, cluster))
-      .map(endpoint => endpoint.metadata.k8sService.selector)
+      .filter(endpoint => isEndpointFromCluster(endpoint, cluster))
+      .map(endpoint => endpoint.metadata["k8s.service"].selector)
 
     const namespace = endpoints
-      .filter(endpoint => isFromCluster(endpoint, cluster))
-      .map(endpoint => getServiceMetadata(endpoint)?.namespace)[0]
+      .filter(endpoint => isEndpointFromCluster(endpoint, cluster))
+      .map(endpoint => endpoint.metadata["k8s.service"].namespace)[0]
 
     return {
       all: false,
@@ -596,52 +614,25 @@ export abstract class NetworkPolicy extends ComponentResource {
     )
   }
 
-  protected abstract create(
-    name: string,
-    args: NormalizedNetworkPolicyArgs,
-    opts?: ResourceOptions,
-  ): Input<Resource>
-
-  static create(
-    name: string,
-    args: NetworkPolicyArgs,
+  /**
+   * Creates network policy to isolate the namespace by denying all traffic to/from it.
+   *
+   * Automatically names the policy as: `isolate-namespace.{clusterName}.{namespace}.{clusterId}`.
+   *
+   * @param namespace The namespace to isolate.
+   * @param opts Optional resource options.
+   */
+  static async isolateNamespace(
+    namespace: Input<Namespace>,
     opts?: ResourceOptions,
-  ): Output<NetworkPolicy> {
-    return output(args).apply(async args => {
-      const cni = args.cluster.cni
-
-      if (cni === "other") {
-        return new NativeNetworkPolicy(name, args, opts)
-      }
-
-      const implName = `${capitalize(cni)}NetworkPolicy`
-      const implModule = (await import(`@highstate/${cni}`)) as Record<string, unknown>
-
-      type NetworkPolicyFactory = new (
-        name: string,
-        args: Unwrap<NetworkPolicyArgs>,
-        opts?: ResourceOptions,
-      ) => NetworkPolicy
-
-      const implClass = implModule[implName] as NetworkPolicyFactory | undefined
-      if (!implClass) {
-        throw new Error(`No implementation found for ${cni}`)
-      }
+  ): Promise<NetworkPolicy> {
+    const name = await toPromise(output(namespace).metadata.name)
+    const cluster = await toPromise(output(namespace).cluster)
 
-      return new implClass(name, args, opts)
-    })
-  }
-
-  static isolate(
-    namespace: Input<NamespaceLike>,
-    cluster: Input<k8s.Cluster>,
-    opts?: ResourceOptions,
-  ) {
-    return NetworkPolicy.create(
-      "isolate",
+    return new NetworkPolicy(
+      `isolate-namespace.${cluster.name}.${name}.${cluster.id}`,
       {
         namespace,
-        cluster,
 
         description: "By default, deny all traffic to/from the namespace.",
 
@@ -652,20 +643,26 @@ export abstract class NetworkPolicy extends ComponentResource {
     )
   }
 
-  static allowInsideNamespace(
-    namespace: Input<NamespaceLike>,
-    cluster: Input<k8s.Cluster>,
+  /**
+   * Creates network policy to allow all traffic inside the namespace (pod to pod within same namespace).
+   *
+   * Automatically names the policy as: `allow-inside-namespace.{clusterName}.{namespace}.{clusterId}`.
+   *
+   * @param namespace The namespace to create the policy in.
+   * @param opts Optional resource options.
+   */
+  static async allowInsideNamespace(
+    namespace: Input<Namespace>,
     opts?: ResourceOptions,
-  ): Output<NetworkPolicy> {
-    return NetworkPolicy.create(
-      "allow-inside-namespace",
+  ): Promise<NetworkPolicy> {
+    const nsName = await toPromise(output(namespace).metadata.name)
+    const cluster = await toPromise(output(namespace).cluster)
+
+    return new NetworkPolicy(
+      `allow-inside-namespace.${cluster.name}.${nsName}.${cluster.id}`,
       {
         namespace,
-        cluster,
-
         description: "Allow all traffic inside the namespace.",
-        selector: {},
-
         ingressRule: { fromNamespace: namespace },
         egressRule: { toNamespace: namespace },
       },
@@ -673,133 +670,184 @@ export abstract class NetworkPolicy extends ComponentResource {
     )
   }
 
-  static allowKubeApiServer(
-    namespace: Input<NamespaceLike>,
-    cluster: Input<k8s.Cluster>,
+  /**
+   * Creates network policy to allow traffic from the namespace to the Kubernetes API server.
+   *
+   * Automatically names the policy as: `allow-kube-api-server.{clusterName}.{namespace}.{clusterId}`.
+   *
+   * @param namespace The namespace to create the policy in.
+   * @param opts Optional resource options.
+   */
+  static async allowKubeApiServer(
+    namespace: Input<Namespace>,
     opts?: ResourceOptions,
-  ): Output<NetworkPolicy> {
-    return NetworkPolicy.create(
-      "allow-kube-api-server",
+  ): Promise<NetworkPolicy> {
+    const nsName = await toPromise(output(namespace).metadata.name)
+    const cluster = await toPromise(output(namespace).cluster)
+
+    return new NetworkPolicy(
+      `allow-kube-api-server.${cluster.name}.${nsName}.${cluster.id}`,
       {
         namespace,
-        cluster,
-
         description: "Allow all traffic to the Kubernetes API server from the namespace.",
-
         allowKubeApiServer: true,
       },
       opts,
     )
   }
 
-  static allowKubeDns(
-    namespace: Input<NamespaceLike>,
-    cluster: Input<k8s.Cluster>,
+  /**
+   * Creates network policy to allow egress DNS traffic (UDP 53) required for name resolution.
+   *
+   * Automatically names the policy as: `allow-kube-dns.{clusterName}.{namespace}.{clusterId}`.
+   *
+   * @param namespace The namespace to create the policy in.
+   * @param opts Optional resource options.
+   */
+  static async allowKubeDns(
+    namespace: Input<Namespace>,
     opts?: ResourceOptions,
-  ): Output<NetworkPolicy> {
-    return NetworkPolicy.create(
-      "allow-kube-dns",
+  ): Promise<NetworkPolicy> {
+    const nsName = await toPromise(output(namespace).metadata.name)
+    const cluster = await toPromise(output(namespace).cluster)
+
+    return new NetworkPolicy(
+      `allow-kube-dns.${cluster.name}.${nsName}.${cluster.id}`,
       {
         namespace,
-        cluster,
-
         description: "Allow all traffic to the Kubernetes DNS server from the namespace.",
-
         allowKubeDns: true,
       },
       opts,
     )
   }
 
-  static allowAllEgress(
-    namespace: Input<NamespaceLike>,
-    cluster: Input<k8s.Cluster>,
+  /**
+   * Creates network policy to allow all egress traffic from the namespace.
+   *
+   * Automatically names the policy as: `allow-all-egress.{clusterName}.{namespace}.{clusterId}`.
+   *
+   * @param namespace The namespace to create the policy in.
+   * @param opts Optional resource options.
+   */
+  static async allowAllEgress(
+    namespace: Input<Namespace>,
     opts?: ResourceOptions,
-  ): Output<NetworkPolicy> {
-    return NetworkPolicy.create(
-      "allow-all-egress",
+  ): Promise<NetworkPolicy> {
+    const nsName = await toPromise(output(namespace).metadata.name)
+    const cluster = await toPromise(output(namespace).cluster)
+
+    return new NetworkPolicy(
+      `allow-all-egress.${cluster.name}.${nsName}.${cluster.id}`,
       {
         namespace,
-        cluster,
-
         description: "Allow all egress traffic from the namespace.",
-
         egressRule: { toAll: true },
       },
       opts,
     )
   }
 
-  static allowAllIngress(
-    namespace: Input<NamespaceLike>,
-    cluster: Input<k8s.Cluster>,
+  /**
+   * Creates network policy to allow all ingress traffic to the namespace.
+   *
+   * Automatically names the policy as: `allow-all-ingress.{clusterName}.{namespace}.{clusterId}`.
+   *
+   * @param namespace The namespace to create the policy in.
+   * @param opts Optional resource options.
+   */
+  static async allowAllIngress(
+    namespace: Input<Namespace>,
     opts?: ResourceOptions,
-  ): Output<NetworkPolicy> {
-    return NetworkPolicy.create(
-      "allow-all-ingress",
+  ): Promise<NetworkPolicy> {
+    const nsName = await toPromise(output(namespace).metadata.name)
+    const cluster = await toPromise(output(namespace).cluster)
+    return new NetworkPolicy(
+      `allow-all-ingress.${cluster.name}.${nsName}.${cluster.id}`,
       {
         namespace,
-        cluster,
-
         description: "Allow all ingress traffic to the namespace.",
-
         ingressRule: { fromAll: true },
       },
       opts,
     )
   }
 
-  static allowEgressToEndpoint(
+  /**
+   * Creates network policy to allow egress traffic to a specific L3/L4 endpoint.
+   *
+   * Automatically names the policy as: `allow-egress-to-<endpoint>.{clusterName}.{namespace}.{clusterId}`.
+   *
+   * @param namespace The namespace to create the policy in.
+   * @param endpoint The endpoint to allow egress to.
+   * @param opts Optional resource options.
+   */
+  static async allowEgressToEndpoint(
+    namespace: Input<Namespace>,
     endpoint: InputL34Endpoint,
-    namespace: Input<NamespaceLike>,
-    cluster: Input<k8s.Cluster>,
     opts?: ResourceOptions,
-  ): Output<NetworkPolicy> {
+  ): Promise<NetworkPolicy> {
     const parsedEndpoint = parseL34Endpoint(endpoint)
+    const endpointStr = l34EndpointToString(parsedEndpoint).replace(/:/g, "-")
+    const nsName = await toPromise(output(namespace).metadata.name)
+    const cluster = await toPromise(output(namespace).cluster)
 
-    return NetworkPolicy.create(
-      `allow-egress-to-${l34EndpointToString(parsedEndpoint).replace(":", "-")}`,
+    return new NetworkPolicy(
+      `allow-egress-to-${endpointStr}.${cluster.name}.${nsName}.${cluster.id}`,
       {
         namespace,
-        cluster,
-
-        description: interpolate`Allow egress traffic to "${l34EndpointToString(parsedEndpoint)}" from the namespace.`,
-
+        description: `Allow egress traffic to "${l34EndpointToString(parsedEndpoint)}" from the namespace.`,
         egressRule: { toEndpoint: endpoint },
       },
       opts,
     )
   }
 
-  static allowEgressToBestEndpoint(
+  /**
+   * Creates network policy to allow egress traffic to the best endpoint among provided candidates.
+   *
+   * Automatically names the policy as: `allow-egress-to-<bestEndpoint>.{clusterName}.{namespace}.{clusterId}`.
+   *
+   * @param namespace The namespace to create the policy in.
+   * @param endpoints The candidate endpoints to select from.
+   * @param opts Optional resource options.
+   */
+  static async allowEgressToBestEndpoint(
+    namespace: Input<Namespace>,
     endpoints: InputArray<InputL34Endpoint>,
-    namespace: Input<NamespaceLike>,
-    cluster: Input<k8s.Cluster>,
     opts?: ResourceOptions,
-  ): Output<NetworkPolicy> {
-    return output({ endpoints, cluster }).apply(({ endpoints, cluster }) => {
-      const bestEndpoint = requireBestEndpoint(endpoints.map(parseL34Endpoint), cluster)
+  ): Promise<NetworkPolicy> {
+    const cluster = await toPromise(output(namespace).cluster)
+    const resolvedEndpoints = await toPromise(output(endpoints))
+    const bestEndpoint = requireBestEndpoint(resolvedEndpoints.map(parseL34Endpoint), cluster)
 
-      return NetworkPolicy.allowEgressToEndpoint(bestEndpoint, namespace, cluster, opts)
-    })
+    return await NetworkPolicy.allowEgressToEndpoint(namespace, bestEndpoint, opts)
   }
 
-  static allowIngressFromEndpoint(
+  /**
+   * Creates network policy to allow ingress traffic from a specific L3/L4 endpoint.
+   *
+   * Automatically names the policy as: `allow-ingress-from-<endpoint>.{clusterName}.{namespace}.{clusterId}`.
+   *
+   * @param namespace The namespace to create the policy in.
+   * @param endpoint The endpoint to allow ingress from.
+   * @param opts Optional resource options.
+   */
+  static async allowIngressFromEndpoint(
+    namespace: Input<Namespace>,
     endpoint: InputL34Endpoint,
-    namespace: Input<NamespaceLike>,
-    cluster: Input<k8s.Cluster>,
     opts?: ResourceOptions,
-  ): Output<NetworkPolicy> {
+  ): Promise<NetworkPolicy> {
     const parsedEndpoint = parseL34Endpoint(endpoint)
+    const endpointStr = l34EndpointToString(parsedEndpoint).replace(/:/g, "-")
+    const nsName = await toPromise(output(namespace).metadata.name)
+    const cluster = await toPromise(output(namespace).cluster)
 
-    return NetworkPolicy.create(
-      `allow-ingress-from-${l34EndpointToString(parsedEndpoint)}`,
+    return new NetworkPolicy(
+      `allow-ingress-from-${endpointStr}.${cluster.name}.${nsName}.${cluster.id}`,
       {
         namespace,
-        cluster,
-
         description: interpolate`Allow ingress traffic from "${l34EndpointToString(parsedEndpoint)}" to the namespace.`,
-
         ingressRule: { fromEndpoint: endpoint },
       },
       opts,
@@ -807,12 +855,15 @@ export abstract class NetworkPolicy extends ComponentResource {
   }
 }
 
-export class NativeNetworkPolicy extends NetworkPolicy {
-  protected create(
-    name: string,
-    args: NormalizedNetworkPolicyArgs,
-    opts?: ResourceOptions,
-  ): Resource {
+export class NativeNetworkPolicy extends ComponentResource {
+  /**
+   * The underlying native network policy resource.
+   */
+  public readonly networkPolicy: Resource
+
+  constructor(name: string, args: NormalizedNetworkPolicyArgs, opts?: ResourceOptions) {
+    super("k8s:native-network-policy", name, args, opts)
+
     const ingress = NativeNetworkPolicy.createIngressRules(args)
     const egress = NativeNetworkPolicy.createEgressRules(args)
 
@@ -826,7 +877,7 @@ export class NativeNetworkPolicy extends NetworkPolicy {
       policyTypes.push("Egress")
     }
 
-    return new networking.v1.NetworkPolicy(
+    this.networkPolicy = new networking.v1.NetworkPolicy(
       name,
       {
         metadata: mergeDeep(mapMetadata(args, name), {
@@ -841,7 +892,7 @@ export class NativeNetworkPolicy extends NetworkPolicy {
           policyTypes,
         },
       },
-      opts,
+      { ...opts, parent: this },
     )
   }
 
@@ -992,7 +1043,7 @@ export class NativeNetworkPolicy extends NetworkPolicy {
     this: void,
     namespace: NamespaceLike,
   ): types.input.networking.v1.NetworkPolicyPeer {
-    const namespaceName = mapNamespaceLikeToNamespaceName(namespace)
+    const namespaceName = getNamespaceName(namespace)
     const namespaceSelector = mapNamespaceNameToSelector(namespaceName)
 
     return { namespaceSelector }

package/src/network.ts

@@ -1,6 +1,6 @@
 import type { k8s, network } from "@highstate/library"
 import { filterEndpoints } from "@highstate/common"
-import { isFromCluster } from "./service"
+import { isEndpointFromCluster } from "./service"
 
 export function getBestEndpoint<TEndpoint extends network.L34Endpoint>(
   endpoints: TEndpoint[],
@@ -18,7 +18,7 @@ export function getBestEndpoint<TEndpoint extends network.L34Endpoint>(
     return filterEndpoints(endpoints)[0]
   }
 
-  const clusterEndpoint = endpoints.find(endpoint => isFromCluster(endpoint, cluster))
+  const clusterEndpoint = endpoints.find(endpoint => isEndpointFromCluster(endpoint, cluster))
 
   if (clusterEndpoint) {
     return clusterEndpoint