@highstate/k8s 0.9.3 → 0.9.5

package/dist/units/existing-cluster/index.js

@@ -8,10 +8,16 @@ import { k8s } from "@highstate/library";
 import { forUnit, secret, toPromise } from "@highstate/pulumi";
 import { core, Provider } from "@pulumi/kubernetes";
 import { KubeConfig, AppsV1Api } from "@kubernetes/client-node";
+import {
+  l3EndpointToString,
+  l4EndpointToString,
+  parseL3Endpoint,
+  parseL4Endpoint
+} from "@highstate/common";
 var { name, args, secrets, outputs } = forUnit(k8s.existingCluster);
 var kubeconfigContent = await toPromise(secrets.kubeconfig.apply(JSON.stringify));
 var provider = new Provider(name, { kubeconfig: kubeconfigContent });
-var cni;
+var cni = "other";
 var kubeConfig = new KubeConfig();
 kubeConfig.loadFromString(kubeconfigContent);
 var appsApi = kubeConfig.makeApiClient(AppsV1Api);
@@ -19,27 +25,29 @@ var isCilium = await appsApi.readNamespacedDaemonSet({ name: "cilium", namespace
 if (isCilium) {
   cni = "cilium";
 }
-var externalIps = await detectExternalIps(kubeConfig, args.internalIpsPolicy);
+var externalIps = args.externalIps ?? await detectExternalIps(kubeConfig, args.internalIpsPolicy);
+var endpoints = externalIps.map(parseL3Endpoint);
+var apiEndpoints = [parseL4Endpoint(kubeConfig.clusters[0].server.replace("https://", ""))];
 var kubeSystem = core.v1.Namespace.get("kube-system", "kube-system", { provider });
 var existing_cluster_default = outputs({
-  cluster: {
-    info: {
-      id: kubeSystem.metadata.uid,
-      name,
-      cni,
-      externalIps,
-      tunDevicePolicy: args.tunDevicePolicy
-    },
+  k8sCluster: {
+    id: kubeSystem.metadata.uid,
+    name,
+    cni,
+    externalIps,
+    endpoints,
+    apiEndpoints,
+    quirks: args.quirks,
     kubeconfig: secret(kubeconfigContent)
   },
+  endpoints,
+  apiEndpoints,
   $terminals: [createK8sTerminal(kubeconfigContent)],
   $status: {
     clusterId: kubeSystem.metadata.uid,
-    cni: cni ?? "unknown",
-    externalIps: {
-      value: externalIps.join(", "),
-      complementaryTo: "externalIps"
-    }
+    cni,
+    endpoints: endpoints.map(l3EndpointToString),
+    apiEndpoints: apiEndpoints.map(l4EndpointToString)
   }
 });
 export {

package/dist/units/existing-cluster/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../src/units/existing-cluster/index.ts"],"sourcesContent":["import { k8s } from \"@highstate/library\"\nimport { forUnit, secret, toPromise } from \"@highstate/pulumi\"\nimport { core, Provider } from \"@pulumi/kubernetes\"\nimport { KubeConfig, AppsV1Api } from \"@kubernetes/client-node\"\nimport { createK8sTerminal, detectExternalIps } from \"../../cluster\"\n\nconst { name, args, secrets, outputs } = forUnit(k8s.existingCluster)\n\nconst kubeconfigContent = await toPromise(secrets.kubeconfig.apply(JSON.stringify))\n\nconst provider = new Provider(name, { kubeconfig: kubeconfigContent })\n\nlet cni: string | undefined\n\nconst kubeConfig = new KubeConfig()\nkubeConfig.loadFromString(kubeconfigContent)\n\nconst appsApi = kubeConfig.makeApiClient(AppsV1Api)\n\nconst isCilium = await appsApi\n  .readNamespacedDaemonSet({ name: \"cilium\", namespace: \"kube-system\" })\n  .then(() => true)\n  .catch(() => false)\n\nif (isCilium) {\n  cni = \"cilium\"\n}\n\nconst externalIps = await detectExternalIps(kubeConfig, args.internalIpsPolicy)\n\nconst kubeSystem = core.v1.Namespace.get(\"kube-system\", \"kube-system\", { provider })\n\nexport default outputs({\n  cluster: {\n    info: {\n      id: kubeSystem.metadata.uid,\n      name,\n      cni,\n      externalIps,\n      tunDevicePolicy: args.tunDevicePolicy,\n    },\n    kubeconfig: secret(kubeconfigContent),\n  },\n\n  $terminals: [createK8sTerminal(kubeconfigContent)],\n\n  $status: {\n    clusterId: kubeSystem.metadata.uid,\n    cni: cni ?? \"unknown\",\n    externalIps: {\n      value: externalIps.join(\", \"),\n      complementaryTo: \"externalIps\",\n    },\n  },\n})\n"],"mappings":";;;;;;AAAA,SAAS,WAAW;AACpB,SAAS,SAAS,QAAQ,iBAAiB;AAC3C,SAAS,MAAM,gBAAgB;AAC/B,SAAS,YAAY,iBAAiB;AAGtC,IAAM,EAAE,MAAM,MAAM,SAAS,QAAQ,IAAI,QAAQ,IAAI,eAAe;AAEpE,IAAM,oBAAoB,MAAM,UAAU,QAAQ,WAAW,MAAM,KAAK,SAAS,CAAC;AAElF,IAAM,WAAW,IAAI,SAAS,MAAM,EAAE,YAAY,kBAAkB,CAAC;AAErE,IAAI;AAEJ,IAAM,aAAa,IAAI,WAAW;AAClC,WAAW,eAAe,iBAAiB;AAE3C,IAAM,UAAU,WAAW,cAAc,SAAS;AAElD,IAAM,WAAW,MAAM,QACpB,wBAAwB,EAAE,MAAM,UAAU,WAAW,cAAc,CAAC,EACpE,KAAK,MAAM,IAAI,EACf,MAAM,MAAM,KAAK;AAEpB,IAAI,UAAU;AACZ,QAAM;AACR;AAEA,IAAM,cAAc,MAAM,kBAAkB,YAAY,KAAK,iBAAiB;AAE9E,IAAM,aAAa,KAAK,GAAG,UAAU,IAAI,eAAe,eAAe,EAAE,SAAS,CAAC;AAEnF,IAAO,2BAAQ,QAAQ;AAAA,EACrB,SAAS;AAAA,IACP,MAAM;AAAA,MACJ,IAAI,WAAW,SAAS;AAAA,MACxB;AAAA,MACA;AAAA,MACA;AAAA,MACA,iBAAiB,KAAK;AAAA,IACxB;AAAA,IACA,YAAY,OAAO,iBAAiB;AAAA,EACtC;AAAA,EAEA,YAAY,CAAC,kBAAkB,iBAAiB,CAAC;AAAA,EAEjD,SAAS;AAAA,IACP,WAAW,WAAW,SAAS;AAAA,IAC/B,KAAK,OAAO;AAAA,IACZ,aAAa;AAAA,MACX,OAAO,YAAY,KAAK,IAAI;AAAA,MAC5B,iBAAiB;AAAA,IACnB;AAAA,EACF;AACF,CAAC;","names":[]}
+{"version":3,"sources":["../../../src/units/existing-cluster/index.ts"],"sourcesContent":["import { k8s } from \"@highstate/library\"\nimport { forUnit, secret, toPromise } from \"@highstate/pulumi\"\nimport { core, Provider } from \"@pulumi/kubernetes\"\nimport { KubeConfig, AppsV1Api } from \"@kubernetes/client-node\"\nimport {\n  l3EndpointToString,\n  l4EndpointToString,\n  parseL3Endpoint,\n  parseL4Endpoint,\n} from \"@highstate/common\"\nimport { createK8sTerminal, detectExternalIps } from \"../../cluster\"\n\nconst { name, args, secrets, outputs } = forUnit(k8s.existingCluster)\n\nconst kubeconfigContent = await toPromise(secrets.kubeconfig.apply(JSON.stringify))\n\nconst provider = new Provider(name, { kubeconfig: kubeconfigContent })\n\nlet cni: k8s.CNI = \"other\"\n\nconst kubeConfig = new KubeConfig()\nkubeConfig.loadFromString(kubeconfigContent)\n\nconst appsApi = kubeConfig.makeApiClient(AppsV1Api)\n\nconst isCilium = await appsApi\n  .readNamespacedDaemonSet({ name: \"cilium\", namespace: \"kube-system\" })\n  .then(() => true)\n  .catch(() => false)\n\nif (isCilium) {\n  cni = \"cilium\"\n}\n\nconst externalIps =\n  args.externalIps ?? (await detectExternalIps(kubeConfig, args.internalIpsPolicy))\n\nconst endpoints = externalIps.map(parseL3Endpoint)\nconst apiEndpoints = [parseL4Endpoint(kubeConfig.clusters[0].server.replace(\"https://\", \"\"))]\n\nconst kubeSystem = core.v1.Namespace.get(\"kube-system\", \"kube-system\", { provider })\n\nexport default outputs({\n  k8sCluster: {\n    id: kubeSystem.metadata.uid,\n    name,\n    cni,\n    externalIps,\n    endpoints,\n    apiEndpoints,\n    quirks: args.quirks,\n    kubeconfig: secret(kubeconfigContent),\n  },\n\n  endpoints,\n  apiEndpoints,\n\n  $terminals: [createK8sTerminal(kubeconfigContent)],\n\n  $status: {\n    clusterId: kubeSystem.metadata.uid,\n    cni,\n    endpoints: endpoints.map(l3EndpointToString),\n    apiEndpoints: apiEndpoints.map(l4EndpointToString),\n  },\n})\n"],"mappings":";;;;;;AAAA,SAAS,WAAW;AACpB,SAAS,SAAS,QAAQ,iBAAiB;AAC3C,SAAS,MAAM,gBAAgB;AAC/B,SAAS,YAAY,iBAAiB;AACtC;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAGP,IAAM,EAAE,MAAM,MAAM,SAAS,QAAQ,IAAI,QAAQ,IAAI,eAAe;AAEpE,IAAM,oBAAoB,MAAM,UAAU,QAAQ,WAAW,MAAM,KAAK,SAAS,CAAC;AAElF,IAAM,WAAW,IAAI,SAAS,MAAM,EAAE,YAAY,kBAAkB,CAAC;AAErE,IAAI,MAAe;AAEnB,IAAM,aAAa,IAAI,WAAW;AAClC,WAAW,eAAe,iBAAiB;AAE3C,IAAM,UAAU,WAAW,cAAc,SAAS;AAElD,IAAM,WAAW,MAAM,QACpB,wBAAwB,EAAE,MAAM,UAAU,WAAW,cAAc,CAAC,EACpE,KAAK,MAAM,IAAI,EACf,MAAM,MAAM,KAAK;AAEpB,IAAI,UAAU;AACZ,QAAM;AACR;AAEA,IAAM,cACJ,KAAK,eAAgB,MAAM,kBAAkB,YAAY,KAAK,iBAAiB;AAEjF,IAAM,YAAY,YAAY,IAAI,eAAe;AACjD,IAAM,eAAe,CAAC,gBAAgB,WAAW,SAAS,CAAC,EAAE,OAAO,QAAQ,YAAY,EAAE,CAAC,CAAC;AAE5F,IAAM,aAAa,KAAK,GAAG,UAAU,IAAI,eAAe,eAAe,EAAE,SAAS,CAAC;AAEnF,IAAO,2BAAQ,QAAQ;AAAA,EACrB,YAAY;AAAA,IACV,IAAI,WAAW,SAAS;AAAA,IACxB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,QAAQ,KAAK;AAAA,IACb,YAAY,OAAO,iBAAiB;AAAA,EACtC;AAAA,EAEA;AAAA,EACA;AAAA,EAEA,YAAY,CAAC,kBAAkB,iBAAiB,CAAC;AAAA,EAEjD,SAAS;AAAA,IACP,WAAW,WAAW,SAAS;AAAA,IAC/B;AAAA,IACA,WAAW,UAAU,IAAI,kBAAkB;AAAA,IAC3C,cAAc,aAAa,IAAI,kBAAkB;AAAA,EACnD;AACF,CAAC;","names":[]}

package/dist/units/gateway-api/index.js

@@ -1,6 +1,6 @@
 import {
   getProvider
-} from "../../chunk-T5Z2M4JE.js";
+} from "../../chunk-FKNHHKOL.js";
 
 // src/units/gateway-api/index.ts
 import { k8s } from "@highstate/library";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@highstate/k8s",
-  "version": "0.9.3",
+  "version": "0.9.5",
   "type": "module",
   "files": [
     "dist",
@@ -13,6 +13,8 @@
     },
     "./units/access-point": "./dist/units/access-point/index.js",
     "./units/cert-manager": "./dist/units/cert-manager/index.js",
+    "./units/cluster-patch": "./dist/units/cluster-patch/index.js",
+    "./units/cluster-dns": "./dist/units/cluster-dns/index.js",
     "./units/dns01-issuer": "./dist/units/dns01-issuer/index.js",
     "./units/existing-cluster": "./dist/units/existing-cluster/index.js",
     "./units/gateway-api": "./dist/units/gateway-api/index.js"
@@ -26,12 +28,12 @@
     "generate-crds": "./scripts/generate-crds.sh"
   },
   "dependencies": {
-    "@highstate/cert-manager": "^0.9.3",
-    "@highstate/common": "^0.9.3",
-    "@highstate/contract": "^0.9.3",
-    "@highstate/gateway-api": "^0.9.3",
-    "@highstate/library": "^0.9.3",
-    "@highstate/pulumi": "^0.9.3",
+    "@highstate/cert-manager": "^0.9.5",
+    "@highstate/common": "^0.9.5",
+    "@highstate/contract": "^0.9.5",
+    "@highstate/gateway-api": "^0.9.5",
+    "@highstate/library": "^0.9.5",
+    "@highstate/pulumi": "^0.9.5",
     "@kubernetes/client-node": "^1.1.0",
     "@pulumi/command": "^1.0.2",
     "@pulumi/kubernetes": "^4.18.0",
@@ -40,11 +42,11 @@
     "deepmerge-ts": "^7.1.5",
     "glob": "^11.0.1",
     "nano-spawn": "^0.2.0",
-    "parse-domain": "^8.2.2",
+    "pkg-types": "^2.1.0",
     "remeda": "^2.21.0"
   },
   "devDependencies": {
-    "@highstate/cli": "^0.9.3"
+    "@highstate/cli": "^0.9.5"
   },
-  "gitHead": "cdd2bb1d9001ba4a39f64087eb29af6f50d82bec"
+  "gitHead": "93fa1e8b1189a5232055c852fd79a684d8b80444"
 }

package/src/access-point.ts

@@ -1,6 +1,7 @@
 import type { k8s } from "@highstate/library"
-import type { core, Provider } from "@pulumi/kubernetes"
-import { DnsRecord } from "@highstate/common"
+import type { Provider } from "@pulumi/kubernetes"
+import type { Namespace } from "./namespace"
+import { DnsRecordSet, filterEndpoints, l3EndpointToString } from "@highstate/common"
 import { gateway } from "@highstate/gateway-api"
 import {
   normalize,
@@ -11,7 +12,8 @@ import {
   type InputArray,
 } from "@highstate/pulumi"
 import { NetworkPolicy } from "./network-policy"
-import { getAppDisplayName, getAppName, mapNamespaceLikeToNamespaceName } from "./shared"
+import { getProvider, mapNamespaceLikeToNamespaceName } from "./shared"
+import { isFromCluster } from "./service"
 
 export type UseAccessPointResult = {
   /**
@@ -20,9 +22,9 @@ export type UseAccessPointResult = {
   gateway: gateway.v1.Gateway
 
   /**
-   * The DNS record associated created according to the access point and gateway.
+   * The DNS record sets associated created according to the access point and gateway.
    */
-  dnsRecords: DnsRecord[]
+  dnsRecordSets: DnsRecordSet[]
 
   /**
    * The network policies associated with the access point.
@@ -37,6 +39,12 @@ export type UseAccessPointArgs = Omit<CreateGatewayArgs, "gateway"> & {
 export function useAccessPoint(args: UseAccessPointArgs): Promise<UseAccessPointResult> {
   const result = output({ args, namespaceName: output(args.namespace).metadata.name }).apply(
     ({ args, namespaceName }) => {
+      if (args.accessPoint.clusterId !== args.cluster.id) {
+        throw new Error(
+          "The provided Kubernetes cluster is different from the one where the access point is deployed.",
+        )
+      }
+
       const gateway = createGateway({
         ...args,
         annotations: {
@@ -45,43 +53,41 @@ export function useAccessPoint(args: UseAccessPointArgs): Promise<UseAccessPoint
         gateway: args.accessPoint.gateway,
       })
 
-      const dnsRecords = normalize(args.fqdn, args.fqdns).flatMap(fqdn => {
-        return DnsRecord.createSet(fqdn, {
+      const dnsRecordSets = normalize(args.fqdn, args.fqdns).flatMap(fqdn => {
+        return DnsRecordSet.create(fqdn, {
           providers: args.accessPoint.dnsProviders,
-          type: "A",
-          value: args.accessPoint.gateway.ip,
+          values: filterEndpoints(
+            args.accessPoint.gateway.endpoints.filter(endpoint => endpoint.type !== "hostname"),
+          ),
         })
       })
 
-      const networkPolicies: Output<NetworkPolicy>[] = []
-
-      if (args.accessPoint.gateway.service) {
-        const displayName = getAppDisplayName(args.accessPoint.gateway.service.metadata)
-
-        networkPolicies.push(
-          NetworkPolicy.create(
-            `allow-ingress-from-${getAppName(args.accessPoint.gateway.service.metadata)}`,
-            {
-              namespace: args.namespace,
-              cluster: args.cluster,
+      const networkPolicies: Output<NetworkPolicy>[] = [
+        NetworkPolicy.create(
+          `allow-ingress-from-${l3EndpointToString(args.accessPoint.gateway.endpoints[0])}`,
+          {
+            namespace: args.namespace,
+            cluster: args.cluster,
 
-              description: `Allow ingress traffic from the gateway "${displayName}".`,
+            description: `Allow ingress traffic from the gateway at "${l3EndpointToString(args.accessPoint.gateway.endpoints[0])}".`,
 
-              ingressRule: {
-                fromNamespace: args.accessPoint.gateway.service.metadata.namespace,
-                fromSelector: args.accessPoint.gateway.service.spec.selector,
-              },
+            ingressRule: {
+              fromEndpoints: args.accessPoint.gateway.endpoints,
             },
-            { provider: args.provider },
-          ),
+          },
+          { provider: args.provider },
+        ),
+      ]
 
+      if (isFromCluster(args.accessPoint.gateway.endpoints[0], args.cluster)) {
+        networkPolicies.push(
           NetworkPolicy.create(
             `allow-egress-to-${namespaceName}`,
             {
-              namespace: args.accessPoint.gateway.service.metadata.namespace,
+              namespace: args.accessPoint.gateway.endpoints[0].metadata.k8sService.namespace,
               cluster: args.cluster,
 
-              selector: args.accessPoint.gateway.service.spec.selector,
+              selector: args.accessPoint.gateway.endpoints[0].metadata.k8sService.selector,
 
               description: `Allow egress traffic to the namespace "${namespaceName}".`,
 
@@ -96,7 +102,7 @@ export function useAccessPoint(args: UseAccessPointArgs): Promise<UseAccessPoint
 
       return output({
         gateway,
-        dnsRecords: output(dnsRecords).apply(records => records.flat()),
+        dnsRecordSets,
         networkPolicies,
       })
     },
@@ -106,6 +112,7 @@ export function useAccessPoint(args: UseAccessPointArgs): Promise<UseAccessPoint
 }
 
 export type StandardAccessPointArgs = {
+  appName: string
   fqdn: string
 }
 
@@ -114,28 +121,26 @@ export type StandardAccessPointInputs = {
   k8sCluster: Output<k8s.Cluster>
 }
 
-export function useStandardAcessPoint(
-  appName: string,
-  namespace: core.v1.Namespace,
+export async function useStandardAcessPoint(
+  namespace: Namespace,
   args: StandardAccessPointArgs,
   inputs: StandardAccessPointInputs,
-  provider: Provider,
 ): Promise<UseAccessPointResult> {
-  return useAccessPoint({
-    name: appName,
+  return await useAccessPoint({
+    name: args.appName,
     namespace,
 
     fqdn: args.fqdn,
 
     accessPoint: inputs.accessPoint,
     cluster: inputs.k8sCluster,
-    provider,
+    provider: await getProvider(inputs.k8sCluster),
   })
 }
 
 export type CreateGatewayArgs = {
   name: string
-  namespace: Input<core.v1.Namespace>
+  namespace: Input<Namespace>
   annotations?: Input<Record<string, string>>
 
   fqdn?: Input<string>
@@ -148,7 +153,7 @@ export type CreateGatewayArgs = {
 
 export function createGateway(args: CreateGatewayArgs): Output<gateway.v1.Gateway> {
   return output(args).apply(args => {
-    if (args.cluster.info.id !== args.gateway.clusterInfo.id) {
+    if (args.cluster.id !== args.gateway.clusterId) {
       throw new Error(
         "The provided Kubernetes cluster is different from the one where the gateway controller is deployed.",
       )

package/src/container.ts

@@ -1,8 +1,10 @@
 import type { PartialKeys } from "@highstate/contract"
+import type { k8s, network } from "@highstate/library"
 import { core, type types } from "@pulumi/kubernetes"
 import { normalize, output, type Input, type InputArray, type Unwrap } from "@highstate/pulumi"
 import { concat, map, omit } from "remeda"
 import { PersistentVolumeClaim } from "./pvc"
+import { Secret } from "./secret"
 
 export type Container = Omit<PartialKeys<types.input.core.v1.Container, "name">, "volumeMounts"> & {
   /**
@@ -51,6 +53,20 @@ export type Container = Omit<PartialKeys<types.input.core.v1.Container, "name">,
    * It is like the `envFrom` property, but more convenient to use.
    */
   environmentSources?: InputArray<ContainerEnvironmentSource>
+
+  /**
+   * The list of endpoints that the container is allowed to access.
+   *
+   * This is used to generate a network policy.
+   */
+  allowedEndpoints?: InputArray<network.L34Endpoint>
+
+  /**
+   * Enable the TUN device in the container.
+   *
+   * All necessary security context settings will be applied to the container.
+   */
+  enableTun?: Input<boolean>
 }
 
 const containerExtraArgs = [
@@ -73,7 +89,7 @@ export type ContainerEnvironmentVariable =
       /**
        * The secret to select from.
        */
-      secret: Input<core.v1.Secret>
+      secret: Input<core.v1.Secret | Secret>
 
       /**
        * The key of the secret to select from.
@@ -110,16 +126,18 @@ export type WorkloadVolume =
   | types.input.core.v1.Volume
   | core.v1.PersistentVolumeClaim
   | PersistentVolumeClaim
+  | Secret
   | core.v1.ConfigMap
   | core.v1.Secret
 
 export function mapContainerToRaw(
   container: Unwrap<Container>,
+  cluster: k8s.Cluster,
   fallbackName: string,
 ): types.input.core.v1.Container {
   const containerName = container.name ?? fallbackName
 
-  return {
+  const spec = {
     ...omit(container, containerExtraArgs),
 
     name: containerName,
@@ -139,7 +157,29 @@ export function mapContainerToRaw(
       ),
       container.envFrom ?? [],
     ),
+  } as Unwrap<types.input.core.v1.Container>
+
+  if (container.enableTun) {
+    spec.securityContext ??= {}
+    spec.securityContext.capabilities ??= {}
+    spec.securityContext.capabilities.add = ["NET_ADMIN"]
+
+    if (cluster.quirks?.tunDevicePolicy?.type === "plugin") {
+      spec.resources ??= {}
+      spec.resources.limits ??= {}
+      spec.resources.limits[cluster.quirks.tunDevicePolicy.resourceName] =
+        cluster.quirks.tunDevicePolicy.resourceValue
+    } else {
+      spec.volumeMounts ??= []
+      spec.volumeMounts.push({
+        name: "tun-device",
+        mountPath: "/dev/net/tun",
+        readOnly: false,
+      })
+    }
   }
+
+  return spec
 }
 
 export function mapContainerEnvironment(
@@ -240,7 +280,16 @@ export function mapWorkloadVolume(volume: WorkloadVolume) {
     }
   }
 
-  if (volume instanceof core.v1.PersistentVolumeClaim) {
+  if (volume instanceof Secret) {
+    return {
+      name: volume.metadata.name,
+      secret: {
+        secretName: volume.metadata.name,
+      },
+    }
+  }
+
+  if (core.v1.PersistentVolumeClaim.isInstance(volume)) {
     return {
       name: volume.metadata.name,
       persistentVolumeClaim: {
@@ -249,7 +298,7 @@ export function mapWorkloadVolume(volume: WorkloadVolume) {
     }
   }
 
-  if (volume instanceof core.v1.ConfigMap) {
+  if (core.v1.ConfigMap.isInstance(volume)) {
     return {
       name: volume.metadata.name,
       configMap: {
@@ -258,7 +307,7 @@ export function mapWorkloadVolume(volume: WorkloadVolume) {
     }
   }
 
-  if (volume instanceof core.v1.Secret) {
+  if (core.v1.Secret.isInstance(volume)) {
     return {
       name: volume.metadata.name,
       secret: {

package/src/cron-job.ts

@@ -1,22 +1,12 @@
 import type { RequiredKeys } from "@highstate/contract"
 import { batch, type types } from "@pulumi/kubernetes"
-import {
-  ComponentResource,
-  normalize,
-  Output,
-  output,
-  type ComponentResourceOptions,
-  type Input,
-  type InputArray,
-} from "@highstate/pulumi"
+import { ComponentResource, Output, output, type ComponentResourceOptions } from "@highstate/pulumi"
 import { mergeDeep, omit } from "remeda"
-import { mapContainerToRaw, mapWorkloadVolume, type Container } from "./container"
-import { commonExtraArgs, mapMetadata, type CommonArgs } from "./shared"
+import { commonExtraArgs, getProvider, mapMetadata } from "./shared"
+import { getWorkloadComponents, type WorkloadArgs } from "./workload"
 
-export type CronJobArgs = CommonArgs & {
-  container?: Input<Container>
-  containers?: InputArray<Container>
-} & Omit<RequiredKeys<Partial<types.input.batch.v1.CronJobSpec>, "schedule">, "jobTemplate"> & {
+export type CronJobArgs = WorkloadArgs &
+  Omit<RequiredKeys<Partial<types.input.batch.v1.CronJobSpec>, "schedule">, "jobTemplate"> & {
     jobTemplate?: {
       metadata?: types.input.meta.v1.ObjectMeta
       spec?: Omit<types.input.batch.v1.JobSpec, "template"> & {
@@ -36,12 +26,12 @@ export class CronJob extends ComponentResource {
    */
   public readonly cronJob: Output<batch.v1.CronJob>
 
-  constructor(name: string, args: CronJobArgs, opts?: ComponentResourceOptions) {
+  constructor(name: string, args: CronJobArgs, opts: ComponentResourceOptions) {
     super("highstate:k8s:CronJob", name, args, opts)
 
-    this.cronJob = output(args).apply(args => {
-      const containers = normalize(args.container, args.containers)
+    const { podTemplate } = getWorkloadComponents(name, args, () => this, opts)
 
+    this.cronJob = output({ args, podTemplate }).apply(async ({ args, podTemplate }) => {
       return new batch.v1.CronJob(
         name,
         {
@@ -51,15 +41,7 @@ export class CronJob extends ComponentResource {
             {
               jobTemplate: {
                 spec: {
-                  template: {
-                    spec: {
-                      containers: containers.map(container => mapContainerToRaw(container, name)),
-
-                      volumes: containers
-                        .flatMap(container => normalize(container.volume, container.volumes))
-                        .map(mapWorkloadVolume),
-                    },
-                  },
+                  template: podTemplate,
                 },
               },
 
@@ -68,10 +50,12 @@ export class CronJob extends ComponentResource {
             omit(args, cronJobExtraArgs) as types.input.batch.v1.CronJobSpec,
           ),
         },
-        { parent: this, ...opts },
+        {
+          ...opts,
+          parent: this,
+          provider: await getProvider(args.cluster),
+        },
       )
     })
-
-    this.registerOutputs({ cronJob: this.cronJob })
   }
 }