@highstate/k8s 0.9.31 → 0.9.33

package/src/gateway/udp-route.ts

@@ -0,0 +1,87 @@
+import type { Gateway } from "./gateway"
+import { gateway, type types } from "@highstate/gateway-api"
+import {
+  ComponentResource,
+  type ComponentResourceOptions,
+  type Input,
+  type InputArray,
+  normalizeInputsAndMap,
+  type Output,
+  output,
+} from "@highstate/pulumi"
+import { getProvider, mapMetadata, type ScopedResourceArgs } from "../shared"
+import { type BackendRef, resolveBackendRef } from "./backend"
+
+export type UdpRouteArgs = Omit<ScopedResourceArgs, "namespace"> & {
+  /**
+   * The gateway to associate with the route.
+   */
+  gateway: Input<Gateway>
+
+  /**
+   * The name of the listener to attach the route to.
+   */
+  listenerName: Input<string>
+
+  /**
+   * The backend reference handled by the route.
+   */
+  backend?: Input<BackendRef>
+
+  /**
+   * The backend references handled by the route.
+   */
+  backends?: InputArray<BackendRef>
+}
+
+export class UdpRoute extends ComponentResource {
+  /**
+   * The underlying Kubernetes resource.
+   */
+  public readonly route: Output<gateway.v1alpha2.UDPRoute>
+
+  constructor(name: string, args: UdpRouteArgs, opts?: ComponentResourceOptions) {
+    super("highstate:k8s:UdpRoute", name, args, opts)
+
+    const gatewayOutput = output(args.gateway)
+
+    const parentRefs = output({
+      gateway: gatewayOutput,
+      listenerName: args.listenerName,
+    }).apply(
+      ({ gateway, listenerName }) =>
+        [
+          {
+            group: "gateway.networking.k8s.io",
+            kind: "Gateway",
+            name: gateway.metadata.name,
+            namespace: gateway.namespace.metadata.name,
+            sectionName: listenerName,
+          },
+        ] satisfies types.input.gateway.v1alpha2.UDPRouteSpecParentRefs[],
+    )
+
+    const backendRefs = normalizeInputsAndMap(args.backend, args.backends, resolveBackendRef)
+
+    this.route = gatewayOutput.cluster.apply(cluster => {
+      return new gateway.v1alpha2.UDPRoute(
+        name,
+        {
+          metadata: mapMetadata(args, name).apply(metadata => ({
+            ...metadata,
+            namespace: gatewayOutput.namespace.metadata.name,
+          })),
+          spec: {
+            parentRefs,
+            rules: [
+              {
+                backendRefs,
+              },
+            ],
+          } satisfies types.input.gateway.v1alpha2.UDPRouteSpec,
+        },
+        { ...opts, parent: this, provider: getProvider(cluster) },
+      )
+    })
+  }
+}

package/src/impl/gateway-route.ts

@@ -1,9 +1,14 @@
 import type { Secret } from "../secret"
-import { filterEndpoints, gatewayRouteMediator, type TlsCertificate } from "@highstate/common"
-import { k8s } from "@highstate/library"
-import { type Input, toPromise } from "@highstate/pulumi"
+import {
+  filterEndpoints,
+  type GatewayRouteSpec,
+  gatewayRouteMediator,
+  type TlsCertificate,
+} from "@highstate/common"
+import { k8s, type network } from "@highstate/library"
+import { type ComponentResourceOptions, type Input, toPromise } from "@highstate/pulumi"
 import { core } from "@pulumi/kubernetes"
-import { Gateway, HttpRoute } from "../gateway"
+import { Gateway, HttpRoute, TcpRoute, UdpRoute } from "../gateway"
 import { Namespace } from "../namespace"
 import { l4EndpointToServicePort, Service } from "../service"
 import { getProvider, mapMetadata } from "../shared"
@@ -21,107 +26,209 @@ export const createGatewayRoute = gatewayRouteMediator.implement(
 
     const certificateRef = certSecret
       ? {
-          kind: "Secret",
-          group: "",
+          kind: "Secret" as const,
+          group: "" as const,
           name: certSecret.metadata.name,
         }
       : undefined
 
-    const gateway = await Gateway.createOnce(
-      {
+    if (spec.type === "http") {
+      return await createHttpGatewayRoute({
         name,
+        spec,
+        opts,
+        data,
         namespace,
-        gatewayClassName: data.className,
-        listeners: [
-          {
-            name: "https",
-            port: data.httpsPort,
-            protocol: "HTTPS",
-            tls: {
-              mode: "Terminate",
-              certificateRefs: certificateRef ? [certificateRef] : undefined,
-            },
-          },
-        ],
-      },
+        certificateRef,
+      })
+    }
+
+    const protocol = spec.type === "tcp" ? "TCP" : "UDP"
+
+    return await createL4GatewayRoute({
+      name,
+      spec,
       opts,
-    )
+      data,
+      namespace,
+      protocol,
+    })
+  },
+)
 
-    // 1. short path - just create an HTTP route backed by a service
-    if (spec.nativeData instanceof Service) {
-      const httpRoute = new HttpRoute(
-        name,
-        {
-          gateway,
-          rule: { backend: spec.nativeData },
-        },
-        opts,
-      )
+type HttpGatewayRouteSpec = Extract<GatewayRouteSpec, { type: "http" }>
+type L4GatewayRouteSpec = Extract<GatewayRouteSpec, { type: "tcp" | "udp" }>
 
-      return {
-        resource: httpRoute,
-        endpoints: await toPromise(gateway.endpoints),
+type CreateHttpGatewayRouteArgs = {
+  name: string
+  spec: HttpGatewayRouteSpec
+  opts: ComponentResourceOptions | undefined
+  data: k8s.GatewayData
+  namespace: Namespace
+  certificateRef:
+    | {
+        kind: "Secret"
+        group: ""
+        name: Input<string>
       }
-    }
+    | undefined
+}
 
-    // 2. long path - create a virtual service with provided endpoints
-    const endpoints = await toPromise(spec.endpoints)
-    const hostnameEndpoints = filterEndpoints(endpoints, undefined, ["hostname"])
-    const ipEndpoints = filterEndpoints(endpoints, undefined, ["ipv4", "ipv6"])
+async function createHttpGatewayRoute({
+  name,
+  spec,
+  opts,
+  data,
+  namespace,
+  certificateRef,
+}: CreateHttpGatewayRouteArgs) {
+  const backendService =
+    spec.nativeData instanceof Service
+      ? spec.nativeData
+      : (await createServiceFromEndpoints(name, namespace, spec.endpoints, data.cluster, opts))
+          .service
 
-    let service: Service
+  const listeners = [
+    {
+      name: "https",
+      port: data.httpsPort,
+      protocol: "HTTPS",
+      tls: {
+        mode: "Terminate",
+        certificateRefs: certificateRef ? [certificateRef] : undefined,
+      },
+    },
+  ]
 
-    if (
-      hostnameEndpoints.length > 0 &&
-      hostnameEndpoints[0].visibility > ipEndpoints[0]?.visibility
-    ) {
-      // if the hostname endpoints are more visible, create a service for the first hostname with ExternalName
-      service = Service.create(`hs-backend-${name}`, {
-        namespace,
-        type: "ExternalName",
-        externalName: hostnameEndpoints[0].hostname,
-        ports: hostnameEndpoints.map(l4EndpointToServicePort),
-      })
-    } else {
-      // otherwise, create a headless service and populate it with IPs
-      service = Service.create(`hs-backend-${name}`, {
-        namespace,
-        type: "ClusterIP",
-        ports: ipEndpoints.map(l4EndpointToServicePort),
-      })
+  const gateway = await Gateway.createOnce(
+    {
+      name: data.className,
+      namespace,
+      gatewayClassName: data.className,
+      listeners,
+    },
+    opts,
+  )
+
+  const httpRoute = new HttpRoute(
+    name,
+    {
+      gateway,
+      rule: {
+        backend: backendService,
+      },
+    },
+    opts,
+  )
+
+  return {
+    resource: httpRoute,
+    endpoints: await toPromise(gateway.endpoints),
+  }
+}
+
+type CreateL4GatewayRouteArgs = {
+  name: string
+  spec: L4GatewayRouteSpec
+  opts: ComponentResourceOptions | undefined
+  data: k8s.GatewayData
+  namespace: Namespace
+  protocol: "TCP" | "UDP"
+}
+
+async function createL4GatewayRoute({
+  name,
+  spec,
+  opts,
+  data,
+  namespace,
+  protocol,
+}: CreateL4GatewayRouteArgs) {
+  const serviceData =
+    spec.nativeData instanceof Service
+      ? {
+          service: spec.nativeData,
+          ports: await getServicePorts(spec.nativeData),
+        }
+      : await createServiceFromEndpoints(name, namespace, spec.endpoints, data.cluster, opts)
+
+  const serviceName = await toPromise(serviceData.service.metadata.name)
+
+  const backendPort = await selectBackendPort({
+    ports: serviceData.ports,
+    protocol,
+    targetPort: spec.targetPort,
+    serviceName,
+    routeName: name,
+  })
 
-      const endpointsName = `hs-backend-${name}`
+  const listenerPort = await resolveListenerPort({
+    requestedPort: spec.port,
+    backendPort,
+    protocol,
+    routeName: name,
+  })
 
-      new core.v1.Endpoints(
-        endpointsName,
+  const listenerName = `${protocol.toLowerCase()}-${listenerPort}`
+
+  const gateway = await Gateway.createOnce(
+    {
+      name: data.className,
+      namespace,
+      gatewayClassName: data.className,
+      listeners: [
         {
-          metadata: mapMetadata({ namespace }, endpointsName),
-          subsets: ipEndpoints.map(endpoint => ({
-            addresses: [{ ip: endpoint.address }],
-            ports: [l4EndpointToServicePort(endpoint)],
-          })),
+          name: listenerName,
+          port: listenerPort,
+          protocol,
         },
-        { ...opts, provider: getProvider(data.cluster), parent: service },
+      ],
+    },
+    opts,
+  )
+
+  const backendRef = serviceData.service.metadata.apply(metadata => {
+    if (!metadata?.name) {
+      throw new Error(
+        `Service "${serviceName}" referenced by gateway route "${name}" does not have a name.`,
       )
     }
 
-    const httpRoute = new HttpRoute(
-      name,
-      {
-        gateway,
-        rule: {
-          backend: service,
-        },
-      },
-      opts,
-    )
-
     return {
-      resource: httpRoute,
-      endpoints: await toPromise(gateway.endpoints),
+      name: metadata.name,
+      namespace: metadata.namespace,
+      port: backendPort.port,
     }
-  },
-)
+  })
+
+  const routeOpts = { ...opts, parent: gateway }
+
+  const route =
+    protocol === "TCP"
+      ? new TcpRoute(
+          name,
+          {
+            gateway,
+            listenerName,
+            backend: backendRef,
+          },
+          routeOpts,
+        )
+      : new UdpRoute(
+          name,
+          {
+            gateway,
+            listenerName,
+            backend: backendRef,
+          },
+          routeOpts,
+        )
+
+  return {
+    resource: route,
+    endpoints: await toPromise(gateway.endpoints),
+  }
+}
 
 async function getCertificateSecret(
   _name: string,
@@ -143,13 +250,239 @@ async function getCertificateSecret(
     const targetClusterId = await toPromise(namespace.cluster.id)
 
     if (certNamespace === targetNamespace && certClusterId === targetClusterId) {
-      // 1. short path - same namespace and cluster, just return the secret
       return await toPromise(resource.secret)
     }
   }
 
-  // 2. long path - create a new secret in the target namespace with the certificate data
   throw new Error(
     "Not implemented: copying certificate secret across namespaces/clusters/different systems",
   )
 }
+
+type ServicePortInfo = {
+  name: string | undefined
+  port: number
+  protocol: "TCP" | "UDP"
+  targetPort?: number | string
+}
+
+async function createServiceFromEndpoints(
+  name: string,
+  namespace: Namespace,
+  endpointsInput: Input<network.L4Endpoint[]>,
+  cluster: k8s.Cluster,
+  opts: ComponentResourceOptions | undefined,
+): Promise<{ service: Service; ports: ServicePortInfo[] }> {
+  const endpoints = await toPromise(endpointsInput)
+
+  if (!endpoints.length) {
+    throw new Error(`Gateway route "${name}" has no endpoints to expose.`)
+  }
+
+  const hostnameEndpoints = filterEndpoints(endpoints, undefined, ["hostname"])
+  const ipEndpoints = filterEndpoints(endpoints, undefined, ["ipv4", "ipv6"])
+
+  if (
+    hostnameEndpoints.length > 0 &&
+    hostnameEndpoints[0].visibility > ipEndpoints[0]?.visibility
+  ) {
+    const hostnamePortInfos: ServicePortInfo[] = []
+    for (const endpoint of hostnameEndpoints) {
+      hostnamePortInfos.push(toServicePortInfoFromEndpoint(endpoint))
+    }
+
+    const service = Service.create(`hs-backend-${name}`, {
+      namespace,
+      type: "ExternalName",
+      externalName: hostnameEndpoints[0].hostname,
+      ports: hostnameEndpoints.map(l4EndpointToServicePort),
+    })
+
+    return {
+      service,
+      ports: hostnamePortInfos,
+    }
+  }
+
+  if (ipEndpoints.length === 0) {
+    throw new Error(`Gateway route "${name}" requires at least one IP endpoint.`)
+  }
+
+  const ipPortInfos: ServicePortInfo[] = []
+  for (const endpoint of ipEndpoints) {
+    ipPortInfos.push(toServicePortInfoFromEndpoint(endpoint))
+  }
+
+  const service = Service.create(`hs-backend-${name}`, {
+    namespace,
+    type: "ClusterIP",
+    ports: ipEndpoints.map(l4EndpointToServicePort),
+  })
+
+  const endpointsName = `hs-backend-${name}`
+
+  new core.v1.Endpoints(
+    endpointsName,
+    {
+      metadata: mapMetadata({ namespace }, endpointsName),
+      subsets: ipEndpoints.map(endpoint => ({
+        addresses: [{ ip: endpoint.address }],
+        ports: [l4EndpointToServicePort(endpoint)],
+      })),
+    },
+    { ...opts, provider: getProvider(cluster), parent: service },
+  )
+
+  return {
+    service,
+    ports: ipPortInfos,
+  }
+}
+
+async function getServicePorts(service: Service): Promise<ServicePortInfo[]> {
+  const spec = await toPromise(service.spec)
+  const ports = spec.ports ?? []
+
+  const result: ServicePortInfo[] = []
+
+  for (const port of ports) {
+    const value = port.port
+    const protocol = (port.protocol ?? "TCP").toUpperCase()
+
+    if (value === undefined || (protocol !== "TCP" && protocol !== "UDP")) {
+      continue
+    }
+
+    result.push({
+      name: port.name ?? undefined,
+      port: value,
+      protocol: protocol as "TCP" | "UDP",
+      targetPort: port.targetPort as number | string | undefined,
+    })
+  }
+
+  return result
+}
+
+function toServicePortInfoFromEndpoint(endpoint: network.L4Endpoint): ServicePortInfo {
+  return {
+    name: undefined,
+    port: endpoint.port,
+    protocol: endpoint.protocol.toUpperCase() as "TCP" | "UDP",
+    targetPort: endpoint.port,
+  }
+}
+
+async function selectBackendPort({
+  ports,
+  protocol,
+  targetPort,
+  serviceName,
+  routeName,
+}: {
+  ports: ServicePortInfo[]
+  protocol: "TCP" | "UDP"
+  targetPort: Input<string | number | undefined> | undefined
+  serviceName: string
+  routeName: string
+}): Promise<ServicePortInfo> {
+  const candidates = ports.filter(port => port.protocol === protocol)
+
+  if (candidates.length === 0) {
+    throw new Error(
+      `Service "${serviceName}" does not expose any ${protocol} ports required by gateway route "${routeName}".`,
+    )
+  }
+
+  if (!targetPort) {
+    return candidates[0]
+  }
+
+  const resolvedTarget = await toPromise(targetPort)
+
+  if (resolvedTarget === undefined || resolvedTarget === null) {
+    return candidates[0]
+  }
+
+  if (typeof resolvedTarget === "number") {
+    const match = candidates.find(candidate => {
+      if (candidate.port === resolvedTarget) {
+        return true
+      }
+
+      if (typeof candidate.targetPort === "number") {
+        return candidate.targetPort === resolvedTarget
+      }
+
+      return false
+    })
+
+    if (match) {
+      return match
+    }
+
+    throw new Error(
+      `Gateway route "${routeName}" requested target port ${resolvedTarget}, but service "${serviceName}" does not expose it for ${protocol} backends.`,
+    )
+  }
+
+  const targetString = String(resolvedTarget)
+
+  const match = candidates.find(candidate => {
+    if (candidate.name === targetString) {
+      return true
+    }
+
+    if (typeof candidate.targetPort === "string") {
+      return candidate.targetPort === targetString
+    }
+
+    return false
+  })
+
+  if (match) {
+    return match
+  }
+
+  throw new Error(
+    `Gateway route "${routeName}" requested target port "${targetString}", but service "${serviceName}" does not expose it for ${protocol} backends.`,
+  )
+}
+
+async function resolveListenerPort({
+  requestedPort,
+  backendPort,
+  protocol,
+  routeName,
+}: {
+  requestedPort: Input<number | undefined> | undefined
+  backendPort: ServicePortInfo
+  protocol: "TCP" | "UDP"
+  routeName: string
+}): Promise<number> {
+  if (!requestedPort) {
+    return backendPort.port
+  }
+
+  const resolved = await toPromise(requestedPort)
+
+  if (resolved === undefined || resolved === null) {
+    return backendPort.port
+  }
+
+  if (!Number.isInteger(resolved)) {
+    throw new Error(
+      `Gateway route "${routeName}" must use integer listener ports for ${protocol.toLowerCase()} traffic.`,
+    )
+  }
+
+  const port = Number(resolved)
+
+  if (port < 1 || port > 65535) {
+    throw new Error(
+      `Gateway route "${routeName}" specified listener port ${port}, which is outside the valid range 1-65535.`,
+    )
+  }
+
+  return port
+}

package/src/impl/tls-certificate.ts

@@ -25,7 +25,7 @@ export const createCertificate = tlsCertificateMediator.implement(
           name: data.clusterIssuerName,
           kind: "ClusterIssuer",
         },
-        secretName: `hs.certificate.${name}`,
+        secretName: `hs-certificate-${name}`,
       },
       { ...opts, provider },
     )

package/src/index.ts

@@ -18,5 +18,6 @@ export * from "./secret"
 export * from "./service"
 export * from "./shared"
 export * from "./stateful-set"
+export * from "./tls"
 export * from "./worker"
 export * from "./workload"

package/src/job.ts

@@ -82,6 +82,10 @@ export abstract class Job extends Workload {
     )
   }
 
+  protected override get templateMetadata(): Output<types.output.meta.v1.ObjectMeta> {
+    return this.spec.template.metadata
+  }
+
   /**
    * The Highstate job entity.
    */

package/src/stateful-set.ts

@@ -87,6 +87,10 @@ export abstract class StatefulSet extends ExposableWorkload {
     )
   }
 
+  protected override get templateMetadata(): Output<types.output.meta.v1.ObjectMeta> {
+    return this.spec.template.metadata
+  }
+
   /**
    * The Highstate stateful set entity.
    */

package/src/tls.ts

@@ -30,6 +30,8 @@ export type CreateOrGetCertificateArgs = CertificateArgs & {
  * Represents a cert-manager Certificate resource with metadata and secret.
  */
 export abstract class Certificate extends ComponentResource {
+  private _secret?: Output<Secret>
+
   protected constructor(
     type: string,
     private readonly name: string,
@@ -82,7 +84,11 @@ export abstract class Certificate extends ComponentResource {
    * The secret containing the certificate data.
    */
   get secret(): Output<Secret> {
-    return output({
+    if (this._secret) {
+      return this._secret
+    }
+
+    this._secret = output({
       secretName: this.spec.apply(spec => spec.secretName),
       namespace: this.namespace,
     }).apply(({ secretName, namespace }) => {
@@ -91,6 +97,8 @@ export abstract class Certificate extends ComponentResource {
         namespace,
       })
     })
+
+    return this._secret
   }
 
   /**