@highstate/k8s 0.9.3 → 0.9.5

package/src/pvc.ts

@@ -13,9 +13,9 @@ import { deepmerge } from "deepmerge-ts"
 import { omit } from "remeda"
 import {
   commonExtraArgs,
+  getProvider,
   mapMetadata,
   resourceIdToString,
-  verifyProvider,
   type CommonArgs,
   type ResourceId,
 } from "./shared"
@@ -28,14 +28,13 @@ export type PersistentVolumeClaimArgs = CommonArgs &
      * By default, the size is set to "100Mi".
      */
     size?: string
-
-    /**
-     * The cluster to create the resource in.
-     */
-    cluster: Input<k8s.Cluster>
   }
 
-const extraPersistentVolumeClaimArgs = [...commonExtraArgs, "size", "cluster"] as const
+export type CreateOrGetPersistentVolumeClaimArgs = PersistentVolumeClaimArgs & {
+  existing: Input<k8s.PersistentVolumeClaim> | undefined
+}
+
+const extraPersistentVolumeClaimArgs = [...commonExtraArgs, "size"] as const
 
 export abstract class PersistentVolumeClaim extends ComponentResource {
   protected constructor(
@@ -45,22 +44,22 @@ export abstract class PersistentVolumeClaim extends ComponentResource {
     opts: ComponentResourceOptions,
 
     /**
-     * The cluster info associated with the pvc.
+     * The cluster where the PVC is created.
      */
-    readonly clusterInfo: Output<k8s.ClusterInfo>,
+    readonly cluster: Output<k8s.Cluster>,
 
     /**
-     * The metadata of the underlying Kubernetes pvc.
+     * The metadata of the underlying Kubernetes PVC.
      */
     readonly metadata: Output<types.output.meta.v1.ObjectMeta>,
 
     /**
-     * The spec of the underlying Kubernetes pvc.
+     * The spec of the underlying Kubernetes PVC.
      */
     readonly spec: Output<types.output.core.v1.PersistentVolumeClaimSpec>,
 
     /**
-     * The status of the underlying Kubernetes pvc.
+     * The status of the underlying Kubernetes PVC.
      */
     readonly status: Output<types.output.core.v1.PersistentVolumeClaimStatus>,
   ) {
@@ -68,12 +67,12 @@ export abstract class PersistentVolumeClaim extends ComponentResource {
   }
 
   /**
-   * The Highstate service entity.
+   * The Highstate PVC entity.
    */
   get entity(): Output<k8s.PersistentVolumeClaim> {
     return output({
       type: "k8s.persistent-volume-claim",
-      clusterInfo: this.clusterInfo,
+      clusterId: this.cluster.id,
       metadata: this.metadata,
     })
   }
@@ -89,12 +88,25 @@ export abstract class PersistentVolumeClaim extends ComponentResource {
   static of(
     name: string,
     entity: Input<k8s.PersistentVolumeClaim>,
+    cluster: Input<k8s.Cluster>,
+    opts: ComponentResourceOptions,
+  ): PersistentVolumeClaim {
+    return new ExternalPersistentVolumeClaim(name, output(entity).metadata, cluster, opts)
+  }
+
+  static createOrGet(
+    name: string,
+    args: CreateOrGetPersistentVolumeClaimArgs,
     opts: ComponentResourceOptions,
   ): PersistentVolumeClaim {
+    if (!args.existing) {
+      return new CreatedPersistentVolumeClaim(name, args, opts)
+    }
+
     return new ExternalPersistentVolumeClaim(
       name,
-      output(entity).metadata,
-      output(entity).clusterInfo,
+      output(args.existing).metadata,
+      args.cluster,
       opts,
     )
   }
@@ -102,7 +114,7 @@ export abstract class PersistentVolumeClaim extends ComponentResource {
 
 export class CreatedPersistentVolumeClaim extends PersistentVolumeClaim {
   constructor(name: string, args: PersistentVolumeClaimArgs, opts: CustomResourceOptions) {
-    const pvc = output(args).apply(args => {
+    const pvc = output(args).apply(async args => {
       return new core.v1.PersistentVolumeClaim(
         name,
         {
@@ -119,7 +131,11 @@ export class CreatedPersistentVolumeClaim extends PersistentVolumeClaim {
             omit(args, extraPersistentVolumeClaimArgs),
           ),
         },
-        opts,
+        {
+          ...opts,
+          parent: this,
+          provider: await getProvider(args.cluster),
+        },
       )
     })
 
@@ -129,7 +145,7 @@ export class CreatedPersistentVolumeClaim extends PersistentVolumeClaim {
       args,
       opts,
 
-      output(args.cluster).info,
+      output(args.cluster),
       pvc.metadata,
       pvc.spec,
       pvc.status,
@@ -141,27 +157,29 @@ export class ExternalPersistentVolumeClaim extends PersistentVolumeClaim {
   constructor(
     name: string,
     id: Input<ResourceId>,
-    clusterInfo: Input<k8s.ClusterInfo>,
+    cluster: Input<k8s.Cluster>,
     opts: ComponentResourceOptions,
   ) {
     const pvc = output(id).apply(async id => {
-      await verifyProvider(opts.provider, this.clusterInfo)
-
       return core.v1.PersistentVolumeClaim.get(
         //
         name,
         resourceIdToString(id),
-        { parent: this, provider: opts.provider },
+        {
+          ...opts,
+          parent: this,
+          provider: await getProvider(cluster),
+        },
       )
     })
 
     super(
       "highstate:k8s:ExternalPersistentVolumeClaim",
       name,
-      { id, clusterInfo },
+      { id, cluster },
       opts,
 
-      output(clusterInfo),
+      output(cluster),
       pvc.metadata,
       pvc.spec,
       pvc.status,

package/src/scripting/bundle.ts

@@ -1,4 +1,5 @@
 import type { ContainerEnvironment, ContainerVolumeMount, WorkloadVolume } from "../container"
+import type { network } from "@highstate/library"
 import { core } from "@pulumi/kubernetes"
 import { apply, normalize, type InputArray } from "@highstate/pulumi"
 import {
@@ -9,12 +10,16 @@ import {
   type Output,
   type Unwrap,
 } from "@pulumi/pulumi"
-import { pipe } from "remeda"
+import { mapValues, omitBy, pipe } from "remeda"
 import { deepmerge } from "deepmerge-ts"
+import { readPackageJSON } from "pkg-types"
 import { text, trimIndentation } from "@highstate/contract"
+import { parseL34Endpoint } from "@highstate/common"
+import { serializeFunction } from "@pulumi/pulumi/runtime/index.js"
 import { mapMetadata, type CommonArgs } from "../shared"
 import {
   emptyScriptEnvironment,
+  functionScriptImages,
   type ResolvedScriptEnvironment,
   type ScriptDistribution,
   type ScriptEnvironment,
@@ -58,11 +63,21 @@ export class ScriptBundle extends ComponentResource {
    */
   readonly environment: Output<ContainerEnvironment>
 
+  /**
+   * The image to use for the scripts.
+   */
+  readonly image: Output<string>
+
   /**
    * The distribution to use for the scripts.
    */
   readonly distribution: ScriptDistribution
 
+  /**
+   * The list of endpoints that the script is allowed to access.
+   */
+  readonly allowedEndpoints: Output<network.L34Endpoint[]>
+
   constructor(name: string, args: ScriptBundleArgs, opts?: ComponentResourceOptions) {
     super("highstate:k8s:ScriptBundle", name, args, opts)
 
@@ -72,9 +87,36 @@ export class ScriptBundle extends ComponentResource {
       apply(args => deepmerge(emptyScriptEnvironment, ...args)),
     ) as Output<Unwrap<ResolvedScriptEnvironment>>
 
+    const hasFunctionScripts = scriptEnvironment.apply(scriptEnvironment => {
+      return Object.values(scriptEnvironment.files).some(file => typeof file === "function")
+    })
+
     this.distribution = args.distribution
     this.environment = scriptEnvironment.environment
 
+    this.image = hasFunctionScripts.apply(hasFunctionScripts =>
+      output(
+        hasFunctionScripts
+          ? functionScriptImages[args.distribution]
+          : scriptEnvironment[args.distribution].image,
+      ),
+    )
+
+    this.allowedEndpoints = output({ scriptEnvironment, hasFunctionScripts }).apply(
+      ({ scriptEnvironment, hasFunctionScripts }) => {
+        const allowedEndpoints = [
+          ...scriptEnvironment.allowedEndpoints,
+          ...scriptEnvironment[args.distribution].allowedEndpoints,
+        ]
+
+        if (hasFunctionScripts) {
+          allowedEndpoints.push("tcp://registry.npmjs.org:443")
+        }
+
+        return allowedEndpoints.map(parseL34Endpoint)
+      },
+    )
+
     this.configMap = output({ scriptEnvironment, args }).apply(({ scriptEnvironment, args }) => {
       return new core.v1.ConfigMap(
         name,
@@ -86,27 +128,36 @@ export class ScriptBundle extends ComponentResource {
       )
     })
 
-    this.volumes = scriptEnvironment.volumes.apply(volumes => {
-      return [
-        ...volumes,
-        {
-          name: this.configMap.metadata.name,
-
-          configMap: {
+    this.volumes = output({ hasFunctionScripts, volumes: scriptEnvironment.volumes }).apply(
+      ({ hasFunctionScripts, volumes }) => {
+        return [
+          ...volumes,
+          {
             name: this.configMap.metadata.name,
-            defaultMode: 0o550, // read and execute permissions
+
+            configMap: {
+              name: this.configMap.metadata.name,
+              defaultMode: 0o550, // read and execute permissions
+            },
           },
-        },
-      ]
-    })
+          ...(hasFunctionScripts ? [{ name: "node-modules", emptyDir: {} }] : []),
+        ]
+      },
+    )
 
-    this.volumeMounts = scriptEnvironment.volumeMounts.apply(volumeMounts => {
+    this.volumeMounts = output({
+      hasFunctionScripts,
+      volumeMounts: scriptEnvironment.volumeMounts,
+    }).apply(({ hasFunctionScripts, volumeMounts }) => {
       return [
         ...volumeMounts,
         {
           volume: this.configMap,
           mountPath: "/scripts",
         },
+        ...(hasFunctionScripts
+          ? [{ name: "node-modules", mountPath: "/scripts/node_modules" }]
+          : []),
       ]
     })
 
@@ -115,18 +166,74 @@ export class ScriptBundle extends ComponentResource {
       volumes: this.volumes,
       volumeMounts: this.volumeMounts,
       environment: this.environment,
+      distribution: this.distribution,
+      allowedEndpoints: this.allowedEndpoints,
+      image: this.image,
     })
   }
 }
 
-function createScriptData(
+function stripWorkspacePrefix(value: string): string {
+  if (value.startsWith("workspace:")) {
+    return value.replace("workspace:", "")
+  }
+
+  return value
+}
+
+async function createScriptData(
   distribution: ScriptDistribution,
   environment: Unwrap<ResolvedScriptEnvironment>,
-): Record<string, string> {
+): Promise<Record<string, string>> {
   const scriptData: Record<string, string> = {}
   const actions: string[] = []
 
   const distributionEnvironment = environment[distribution]
+  const setupScripts = { ...environment.setupScripts }
+
+  let hasFunctionScripts = false
+
+  for (const key in environment.files) {
+    if (typeof environment.files[key] === "function") {
+      const serialized = await serializeFunction(environment.files[key])
+
+      scriptData[key] = text`
+        #!/usr/local/bin/bun
+        
+        ${serialized.text}
+
+        exports.${serialized.exportName}()
+      `
+
+      hasFunctionScripts = true
+    } else {
+      scriptData[key] = environment.files[key]
+    }
+  }
+
+  if (hasFunctionScripts) {
+    const packageJson = await readPackageJSON()
+
+    packageJson.dependencies = omitBy(
+      mapValues(packageJson.dependencies ?? {}, stripWorkspacePrefix),
+      (_, key) => key.startsWith("@highstate/"),
+    )
+
+    packageJson.devDependencies = omitBy(
+      mapValues(packageJson.devDependencies ?? {}, stripWorkspacePrefix),
+      (_, key) => key.startsWith("@highstate/"),
+    )
+
+    scriptData["package.json"] = JSON.stringify(packageJson, null, 2)
+
+    setupScripts["resolve-dependencies.sh"] = text`
+      #!/usr/local/bin/bun
+      set -e
+
+      cd /scripts
+      bun install --production
+    `
+  }
 
   if (distributionEnvironment.preInstallPackages.length > 0) {
     scriptData["pre-install-packages.sh"] = getInstallPackagesScript(
@@ -166,9 +273,9 @@ function createScriptData(
     `)
   }
 
-  if (Object.keys(environment.setupScripts).length > 0) {
-    for (const key in environment.setupScripts) {
-      scriptData[`setup-${key}`] = environment.setupScripts[key]
+  if (Object.keys(setupScripts).length > 0) {
+    for (const key in setupScripts) {
+      scriptData[`setup-${key}`] = setupScripts[key]
 
       actions.push(`
         echo "+ Running setup script '${key}'..."
@@ -201,10 +308,6 @@ function createScriptData(
     `)
   }
 
-  for (const key in environment.scripts) {
-    scriptData[key] = environment.scripts[key]
-  }
-
   scriptData["entrypoint.sh"] = trimIndentation(`
     #!/bin/sh
     set -e

package/src/scripting/container.ts

@@ -1,9 +1,9 @@
 import type { Container } from "../container"
 import type { ScriptBundle } from "./bundle"
-import { Output, output, type Input } from "@pulumi/pulumi"
 import { merge } from "remeda"
+import { Output, output, type Input } from "@pulumi/pulumi"
 
-export interface ScriptContainer extends Container {
+export type ScriptContainer = Container & {
   /**
    * The script bundle to use.
    */
@@ -24,21 +24,26 @@ export interface ScriptContainer extends Container {
  * @returns The container spec.
  */
 export function createScriptContainer(options: ScriptContainer): Output<Container> {
-  return output(options).apply(options => {
-    const image =
-      options.bundle.distribution === "alpine"
-        ? "alpine@sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c"
-        : "ubuntu@sha256:72297848456d5d37d1262630108ab308d3e9ec7ed1c3286a32fe09856619a782"
+  const bundle = output(options.bundle)
 
+  return output({
+    options,
+    image: bundle.image,
+    volumeMounts: bundle.volumeMounts,
+    volumes: bundle.volumes,
+    environment: bundle.environment,
+    allowedEndpoints: bundle.allowedEndpoints,
+  }).apply(({ options, image, volumeMounts, volumes, environment, allowedEndpoints }) => {
     return {
       image,
       command: ["/scripts/entrypoint.sh", `/scripts/${options.main}`],
 
       ...options,
 
-      volumeMounts: merge(options.bundle.volumeMounts, options.volumeMounts),
-      volumes: merge(options.bundle.volumes, options.volumes),
-      environment: merge(options.bundle.environment, options.environment),
-    }
+      volumeMounts: [...volumeMounts, ...(options.volumeMounts ?? [])],
+      volumes: [...volumes, ...(options.volumes ?? [])],
+      environment: merge(environment, options.environment),
+      allowedEndpoints: [...allowedEndpoints, ...(options.allowedEndpoints ?? [])],
+    } as Container
   })
 }

package/src/scripting/environment.ts

@@ -1,9 +1,15 @@
 import type { Input, InputArray, InputMap } from "@highstate/pulumi"
 import type { ContainerEnvironment, ContainerVolumeMount, WorkloadVolume } from "../container"
+import type { InputL34Endpoint } from "@highstate/common"
 
 export type ScriptDistribution = "alpine" | "ubuntu"
 
 export type DistributionEnvironment = {
+  /**
+   * The image that should be used for the distribution.
+   */
+  image?: Input<string>
+
   /**
    * The utility packages that should be installed before running "preInstallScripts".
    *
@@ -21,8 +27,19 @@ export type DistributionEnvironment = {
    * The packages that are available in the environment.
    */
   packages?: InputArray<string>
+
+  /**
+   * The endpoint which the script is allowed to access scoped to the distribution.
+   *
+   * Typically, this is used to allow access to the package manager.
+   *
+   * Will be used to generate a network policy.
+   */
+  allowedEndpoints?: InputArray<InputL34Endpoint>
 }
 
+export type ScriptProgram = () => unknown
+
 export type ScriptEnvironment = {
   [distribution in ScriptDistribution]?: DistributionEnvironment
 } & {
@@ -37,9 +54,9 @@ export type ScriptEnvironment = {
   cleanupScripts?: InputMap<string>
 
   /**
-   * The arbitrary scripts available in the environment.
+   * The arbitrary files available in the environment including scripts.
    */
-  scripts?: InputMap<string>
+  files?: InputMap<string | ScriptProgram>
 
   /**
    * The volumes that should be defined in the environment.
@@ -55,25 +72,58 @@ export type ScriptEnvironment = {
    * The environment variables that should be defined in the environment.
    */
   environment?: Input<ContainerEnvironment>
+
+  /**
+   * The endpoint which the script is allowed to access.
+   *
+   * Will be used to generate a network policy.
+   */
+  allowedEndpoints?: InputArray<InputL34Endpoint>
 }
 
 export type ResolvedScriptEnvironment = Omit<Required<ScriptEnvironment>, ScriptDistribution> & {
   [distribution in ScriptDistribution]: Required<DistributionEnvironment>
 }
 
-const emptyDistributionEnvironment: Required<DistributionEnvironment> = {
+const emptyDistributionEnvironment = {
   preInstallPackages: [],
   preInstallScripts: {},
   packages: [],
 }
 
 export const emptyScriptEnvironment: ResolvedScriptEnvironment = {
-  alpine: emptyDistributionEnvironment,
-  ubuntu: emptyDistributionEnvironment,
+  alpine: {
+    ...emptyDistributionEnvironment,
+    image: "alpine@sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c",
+    allowedEndpoints: [
+      //
+      "tcp://dl-cdn.alpinelinux.org:443",
+      "tcp://dl-cdn.alpinelinux.org:80",
+    ],
+  },
+
+  ubuntu: {
+    ...emptyDistributionEnvironment,
+    image: "ubuntu@sha256:72297848456d5d37d1262630108ab308d3e9ec7ed1c3286a32fe09856619a782",
+    allowedEndpoints: [
+      //
+      "tcp://archive.ubuntu.com:80",
+      "tcp://archive.ubuntu.com:443",
+      "tcp://security.ubuntu.com:80",
+      "tcp://security.ubuntu.com:443",
+    ],
+  },
+
   setupScripts: {},
   cleanupScripts: {},
-  scripts: {},
+  files: {},
   volumes: [],
   volumeMounts: [],
   environment: {},
+  allowedEndpoints: [],
+}
+
+export const functionScriptImages: Record<ScriptDistribution, string> = {
+  alpine: "oven/bun@sha256:6b14922b0885c3890cdb0b396090af1da486ba941df5ee94391eef64f7113c61",
+  ubuntu: "oven/bun@sha256:66b431441dc4c36d7e8164bfc61e6348ec1d7ce2862fc3a29f5dc9856e8205e4",
 }