@highstate/k8s 0.9.4 → 0.9.5

package/src/units/existing-cluster/index.ts

@@ -2,6 +2,12 @@ import { k8s } from "@highstate/library"
 import { forUnit, secret, toPromise } from "@highstate/pulumi"
 import { core, Provider } from "@pulumi/kubernetes"
 import { KubeConfig, AppsV1Api } from "@kubernetes/client-node"
+import {
+  l3EndpointToString,
+  l4EndpointToString,
+  parseL3Endpoint,
+  parseL4Endpoint,
+} from "@highstate/common"
 import { createK8sTerminal, detectExternalIps } from "../../cluster"
 
 const { name, args, secrets, outputs } = forUnit(k8s.existingCluster)
@@ -10,7 +16,7 @@ const kubeconfigContent = await toPromise(secrets.kubeconfig.apply(JSON.stringif
 
 const provider = new Provider(name, { kubeconfig: kubeconfigContent })
 
-let cni: string | undefined
+let cni: k8s.CNI = "other"
 
 const kubeConfig = new KubeConfig()
 kubeConfig.loadFromString(kubeconfigContent)
@@ -29,28 +35,32 @@ if (isCilium) {
 const externalIps =
   args.externalIps ?? (await detectExternalIps(kubeConfig, args.internalIpsPolicy))
 
+const endpoints = externalIps.map(parseL3Endpoint)
+const apiEndpoints = [parseL4Endpoint(kubeConfig.clusters[0].server.replace("https://", ""))]
+
 const kubeSystem = core.v1.Namespace.get("kube-system", "kube-system", { provider })
 
 export default outputs({
-  cluster: {
-    info: {
-      id: kubeSystem.metadata.uid,
-      name,
-      cni,
-      externalIps,
-      tunDevicePolicy: args.tunDevicePolicy,
-    },
+  k8sCluster: {
+    id: kubeSystem.metadata.uid,
+    name,
+    cni,
+    externalIps,
+    endpoints,
+    apiEndpoints,
+    quirks: args.quirks,
     kubeconfig: secret(kubeconfigContent),
   },
 
+  endpoints,
+  apiEndpoints,
+
   $terminals: [createK8sTerminal(kubeconfigContent)],
 
   $status: {
     clusterId: kubeSystem.metadata.uid,
-    cni: cni ?? "unknown",
-    externalIps: {
-      value: externalIps.join(", "),
-      complementaryTo: "externalIps",
-    },
+    cni,
+    endpoints: endpoints.map(l3EndpointToString),
+    apiEndpoints: apiEndpoints.map(l4EndpointToString),
   },
 })

package/src/workload.ts

@@ -1,9 +1,24 @@
-import type { types } from "@pulumi/kubernetes"
 import type { k8s } from "@highstate/library"
-import { normalize, type ComponentResourceOptions, type InputArray } from "@highstate/pulumi"
-import { ComponentResource, output, type Input, type Output } from "@pulumi/pulumi"
+import type { DeploymentArgs } from "./deployment"
+import type { StatefulSetArgs } from "./stateful-set"
+import type { types } from "@pulumi/kubernetes"
+import {
+  normalize,
+  type ComponentResourceOptions,
+  type InputArray,
+  type InstanceTerminal,
+} from "@highstate/pulumi"
+import {
+  ComponentResource,
+  interpolate,
+  Output,
+  output,
+  type CustomResourceOptions,
+  type Input,
+} from "@pulumi/pulumi"
 import { uniqueBy } from "remeda"
-import { commonExtraArgs, type CommonArgs } from "./shared"
+import { deepmerge } from "deepmerge-ts"
+import { commonExtraArgs, getProvider, type CommonArgs } from "./shared"
 import { mapContainerPortToServicePort, Service, type ServiceArgs } from "./service"
 import { HttpRoute, type HttpRouteArgs } from "./gateway"
 import {
@@ -12,54 +27,77 @@ import {
   type Container,
   type WorkloadVolume,
 } from "./container"
+import { NetworkPolicy } from "./network-policy"
+import { podSpecDefaults } from "./pod"
 
 export type WorkloadArgs = CommonArgs & {
   container?: Input<Container>
   containers?: InputArray<Container>
 
   /**
-   * The cluster to create the resource in.
+   * The shell to use in the terminal.
+   *
+   * By default, `bash` is used.
    */
-  cluster: Input<k8s.Cluster>
+  terminalShell?: string
 }
 
 export const workloadExtraArgs = [...commonExtraArgs, "container", "containers"] as const
 
-export class WorkloadBase<TArgs extends WorkloadArgs> extends ComponentResource {
-  protected readonly containers: Output<types.input.core.v1.Container[]>
-  protected readonly volumes: Output<types.input.core.v1.Volume[]>
+export type ExposableWorkloadArgs = WorkloadArgs & {
+  service?: Input<Omit<ServiceArgs, "cluster" | "namespace">>
+  httpRoute?: Input<Omit<HttpRouteArgs, "cluster" | "namespace">>
 
-  constructor(type: string, name: string, args: TArgs, opts: ComponentResourceOptions | undefined) {
-    super(type, name, args, opts)
+  /**
+   * The existing workload to patch.
+   */
+  existing?: Input<k8s.ExposableWorkload>
+}
 
-    const containers = output(args).apply(args => normalize(args.container, args.containers))
+export const exposableWorkloadExtraArgs = [...workloadExtraArgs, "service", "httpRoute"] as const
 
-    this.containers = containers.apply(containers =>
-      containers.map(container => mapContainerToRaw(container, name)),
-    )
+export type ExposableWorkloadType = "Deployment" | "StatefulSet"
 
-    this.volumes = containers.apply(containers =>
-      containers
-        .flatMap(container => normalize(container.volume, container.volumes))
-        .map(mapWorkloadVolume),
-    )
-  }
-}
+export type GenericExposableWorkloadArgs = Omit<ExposableWorkloadArgs, "existing"> & {
+  /**
+   * The type of workload to create.
+   *
+   * Will be ignored if the `existing` argument is provided.
+   */
+  type: ExposableWorkloadType
 
-export type PublicWorkloadArgs = WorkloadArgs & {
-  service?: Input<Omit<ServiceArgs, "cluster" | "namespace">>
-  httpRoute?: Input<Omit<HttpRouteArgs, "cluster" | "namespace">>
-  patch?: Input<k8s.Deployment | k8s.StatefulSet>
-} & Partial<types.input.apps.v1.StatefulSetSpec>
+  /**
+   * The existing workload to patch.
+   */
+  existing: Input<k8s.ExposableWorkload | undefined>
+
+  /**
+   * The args specific to the "Deployment" workload type.
+   *
+   * Will be ignored for other workload types.
+   */
+  deployment?: Input<DeploymentArgs>
 
-export const publicWorkloadExtraArgs = [...workloadExtraArgs, "service", "httpRoute"] as const
+  /**
+   * The args specific to the "StatefulSet" workload type.
+   *
+   * Will be ignored for other workload types.
+   */
+  statefulSet?: Input<StatefulSetArgs>
+}
 
-export function getWorkloadComponents(name: string, args: WorkloadArgs) {
+export function getWorkloadComponents(
+  name: string,
+  args: WorkloadArgs,
+  parent: () => ComponentResource,
+  opts: ComponentResourceOptions | undefined,
+) {
   const labels = {
     "app.kubernetes.io/name": name,
   }
 
   const containers = output(args).apply(args => normalize(args.container, args.containers))
+
   const volumes = containers.apply(containers => {
     const containerVolumes = containers
       .flatMap(container => normalize(container.volume, container.volumes))
@@ -75,30 +113,87 @@ export function getWorkloadComponents(name: string, args: WorkloadArgs) {
       })
       .map(mapWorkloadVolume)
 
-    return uniqueBy([...containerVolumes, ...containerVolumeMounts], volume => volume.name)
+    return output([...containerVolumes, ...containerVolumeMounts]).apply(
+      uniqueBy(volume => volume.name),
+    )
+  })
+
+  const podSpec = output({ args, containers, volumes }).apply(({ args, containers, volumes }) => {
+    const spec = {
+      volumes,
+      containers: containers.map(container => mapContainerToRaw(container, args.cluster, name)),
+      ...podSpecDefaults,
+    } satisfies types.input.core.v1.PodSpec
+
+    if (
+      containers.some(container => container.enableTun) &&
+      args.cluster.quirks?.tunDevicePolicy?.type !== "plugin"
+    ) {
+      spec.volumes = output(spec.volumes).apply(volumes => [
+        ...(volumes ?? []),
+        {
+          name: "tun-device",
+          hostPath: {
+            path: "/dev/net/tun",
+          },
+        },
+      ])
+    }
+
+    return spec
   })
 
-  return { labels, containers, volumes }
+  const podTemplate = podSpec.apply(podSpec => {
+    return {
+      metadata: { labels },
+      spec: podSpec,
+    } satisfies types.input.core.v1.PodTemplateSpec
+  })
+
+  const networkPolicy = containers.apply(containers => {
+    const allowedEndpoints = containers.flatMap(container => container.allowedEndpoints ?? [])
+
+    if (allowedEndpoints.length === 0) {
+      return undefined
+    }
+
+    return NetworkPolicy.create(
+      name,
+      {
+        cluster: args.cluster,
+        namespace: args.namespace,
+        selector: labels,
+
+        egressRule: {
+          toEndpoints: allowedEndpoints,
+        },
+      },
+      { ...opts, parent: parent() },
+    )
+  }) as Output<NetworkPolicy | undefined>
+
+  return { labels, containers, volumes, podSpec, podTemplate, networkPolicy }
 }
 
-export function getPublicWorkloadComponents(
+export function getExposableWorkloadComponents(
   name: string,
-  args: PublicWorkloadArgs,
+  args: ExposableWorkloadArgs,
   parent: () => ComponentResource,
-  opts: ComponentResourceOptions,
+  opts: ComponentResourceOptions | undefined,
 ) {
-  const { labels, containers, volumes } = getWorkloadComponents(name, args)
+  const { labels, containers, volumes, podSpec, podTemplate, networkPolicy } =
+    getWorkloadComponents(name, args, parent, opts)
 
-  const service = output({ args, containers }).apply(({ args, containers }) => {
+  const service = output({ args, containers }).apply(async ({ args, containers }) => {
     if (!args.service && !args.httpRoute) {
       return undefined
     }
 
-    if (args.patch?.service) {
-      return Service.of(name, args.patch.service, { parent: parent(), ...opts })
+    if (args.existing?.service) {
+      return Service.of(name, args.existing.service, args.cluster, { ...opts, parent: parent() })
     }
 
-    if (args.patch) {
+    if (args.existing) {
       return undefined
     }
 
@@ -118,19 +213,23 @@ export function getPublicWorkloadComponents(
             ? ports.map(mapContainerPortToServicePort)
             : args.service?.ports,
       },
-      { parent: parent(), ...opts },
+      {
+        ...opts,
+        parent: parent(),
+        provider: await getProvider(args.cluster),
+      },
     )
   })
 
   const httpRoute = output({
     args,
     service,
-  }).apply(({ args, service }) => {
+  }).apply(async ({ args, service }) => {
     if (!args.httpRoute || !service) {
       return undefined
     }
 
-    if (args.patch) {
+    if (args.existing) {
       return undefined
     }
 
@@ -138,13 +237,212 @@ export function getPublicWorkloadComponents(
       name,
       {
         ...args.httpRoute,
+        cluster: args.cluster,
         rule: {
           backend: service,
         },
       },
-      { parent: parent(), ...opts },
+      {
+        ...opts,
+        parent: parent(),
+        provider: await getProvider(args.cluster),
+      },
     )
   })
 
-  return { labels, containers, volumes, service, httpRoute }
+  return { labels, containers, volumes, podSpec, podTemplate, networkPolicy, service, httpRoute }
+}
+
+export abstract class Workload extends ComponentResource {
+  protected constructor(
+    type: string,
+    protected readonly name: string,
+    private readonly args: WorkloadArgs,
+    opts: ComponentResourceOptions | undefined,
+
+    protected readonly resourceType: string,
+
+    /**
+     * The cluster where the workload is created.
+     */
+    readonly cluster: Output<k8s.Cluster>,
+
+    /**
+     * The metadata of the underlying Kubernetes workload.
+     */
+    readonly metadata: Output<types.output.meta.v1.ObjectMeta>,
+
+    /**
+     * The network policy associated with the workload.
+     *
+     * Will be created if one or more containers have `allowedEndpoints` defined.
+     */
+    readonly networkPolicy: Output<NetworkPolicy | undefined>,
+  ) {
+    super(type, name, args, opts)
+  }
+
+  /**
+   * The instance terminal to interact with the deployment.
+   */
+  get terminal(): Output<InstanceTerminal> {
+    const containerName = output(this.args).apply(args => {
+      const containers = normalize(args.container, args.containers)
+
+      return containers[0]?.name ?? this.name
+    })
+
+    return output({
+      name: this.metadata.name,
+      title: this.metadata.name,
+      image: "ghcr.io/exeteres/highstate/terminal-kubectl",
+      command: [
+        "exec",
+        "kubectl",
+        "exec",
+        "-it",
+        "-n",
+        this.metadata.namespace,
+        interpolate`${this.resourceType}/${this.metadata.name}`,
+        "-c",
+        containerName,
+        "--",
+        this.args.terminalShell ?? "bash",
+      ],
+      files: {
+        "/kubeconfig": this.cluster.kubeconfig,
+      },
+      env: {
+        KUBECONFIG: "/kubeconfig",
+      },
+    })
+  }
+}
+
+export abstract class ExposableWorkload extends Workload {
+  protected constructor(
+    type: string,
+    protected readonly name: string,
+    args: ExposableWorkloadArgs,
+    opts: ComponentResourceOptions | undefined,
+
+    resourceType: string,
+    cluster: Output<k8s.Cluster>,
+    metadata: Output<types.output.meta.v1.ObjectMeta>,
+    networkPolicy: Output<NetworkPolicy | undefined>,
+
+    protected readonly _service: Output<Service | undefined>,
+    protected readonly _httpRoute: Output<HttpRoute | undefined>,
+  ) {
+    super(type, name, args, opts, resourceType, cluster, metadata, networkPolicy)
+  }
+
+  /**
+   * The service associated with the workload.
+   */
+  get optionalService(): Output<Service | undefined> {
+    return this._service
+  }
+
+  /**
+   * The HTTP route associated with the workload.
+   */
+  get optionalHttpRoute(): Output<HttpRoute | undefined> {
+    return this._httpRoute
+  }
+
+  /**
+   * The service associated with the workload.
+   *
+   * Will throw an error if the service is not available.
+   */
+  get service(): Output<Service> {
+    return this._service.apply(service => {
+      if (!service) {
+        throw new Error(`The service of the workload "${this.name}" is not available.`)
+      }
+
+      return service
+    })
+  }
+
+  /**
+   * The HTTP route associated with the workload.
+   *
+   * Will throw an error if the HTTP route is not available.
+   */
+  get httpRoute(): Output<HttpRoute> {
+    return this._httpRoute.apply(httpRoute => {
+      if (!httpRoute) {
+        throw new Error(`The HTTP route of the workload "${this.name}" is not available.`)
+      }
+
+      return httpRoute
+    })
+  }
+
+  /**
+   * The entity of the workload.
+   */
+  abstract get entity(): Output<k8s.ExposableWorkload>
+
+  /**
+   * The sped of the underlying Kubernetes workload.
+   */
+  abstract get spec(): Output<
+    types.output.apps.v1.DeploymentSpec | types.output.apps.v1.StatefulSetSpec
+  >
+
+  /**
+   * Creates a generic workload or patches the existing one.
+   */
+  static createOrPatchGeneric(
+    name: string,
+    args: GenericExposableWorkloadArgs,
+    opts?: CustomResourceOptions,
+  ): Output<ExposableWorkload> {
+    return output(args).apply(async args => {
+      if (args.existing?.type === "k8s.deployment") {
+        const { Deployment } = await import("./deployment")
+
+        return Deployment.patch(
+          name,
+          {
+            ...deepmerge(args, args.deployment),
+            name: args.existing.metadata.name,
+            namespace: args.existing.metadata.namespace,
+          },
+          opts,
+        )
+      }
+
+      if (args.existing?.type === "k8s.stateful-set") {
+        const { StatefulSet } = await import("./stateful-set")
+
+        return StatefulSet.patch(
+          name,
+          {
+            ...deepmerge(args, args.statefulSet),
+            name: args.existing.metadata.name,
+            namespace: args.existing.metadata.namespace,
+          },
+          opts,
+        )
+      }
+
+      if (args.type === "Deployment") {
+        const { Deployment } = await import("./deployment")
+
+        return Deployment.create(name, deepmerge(args, args.deployment), opts)
+      }
+
+      if (args.type === "StatefulSet") {
+        const { StatefulSet } = await import("./stateful-set")
+
+        return StatefulSet.create(name, deepmerge(args, args.statefulSet), opts)
+      }
+
+      throw new Error(`Unknown workload type: ${args.type as string}`)
+    })
+  }
 }