npm - @highstate/k8s - Versions diffs - 0.9.4 → 0.9.5 - Mend

@highstate/k8s 0.9.4 → 0.9.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (63) hide show

package/dist/chunk-DQSCJM5S.js +183 -0
package/dist/chunk-DQSCJM5S.js.map +1 -0
package/dist/chunk-FKNHHKOL.js +260 -0
package/dist/chunk-FKNHHKOL.js.map +1 -0
package/dist/chunk-HW3NS3MC.js +347 -0
package/dist/chunk-HW3NS3MC.js.map +1 -0
package/dist/chunk-OQ7UXASD.js +193 -0
package/dist/chunk-OQ7UXASD.js.map +1 -0
package/dist/chunk-QGHMLKTW.js +1123 -0
package/dist/chunk-QGHMLKTW.js.map +1 -0
package/dist/chunk-UNVSWG6D.js +214 -0
package/dist/chunk-UNVSWG6D.js.map +1 -0
package/dist/deployment-ZP3ASKPT.js +10 -0
package/dist/deployment-ZP3ASKPT.js.map +1 -0
package/dist/highstate.manifest.json +8 -6
package/dist/index.js +291 -954
package/dist/index.js.map +1 -1
package/dist/stateful-set-2AH7RAF7.js +10 -0
package/dist/stateful-set-2AH7RAF7.js.map +1 -0
package/dist/units/access-point/index.js +6 -1
package/dist/units/access-point/index.js.map +1 -1
package/dist/units/cert-manager/index.js +19 -24
package/dist/units/cert-manager/index.js.map +1 -1
package/dist/units/cluster-dns/index.js +36 -0
package/dist/units/cluster-dns/index.js.map +1 -0
package/dist/units/cluster-patch/index.js +34 -0
package/dist/units/cluster-patch/index.js.map +1 -0
package/dist/units/dns01-issuer/index.js +2 -2
package/dist/units/dns01-issuer/index.js.map +1 -1
package/dist/units/existing-cluster/index.js +22 -14
package/dist/units/existing-cluster/index.js.map +1 -1
package/dist/units/gateway-api/index.js +1 -1
package/package.json +12 -10
package/src/access-point.ts +44 -39
package/src/container.ts +54 -5
package/src/cron-job.ts +14 -30
package/src/deployment.ts +170 -127
package/src/gateway/http-route.ts +7 -5
package/src/helm.ts +57 -8
package/src/index.ts +11 -4
package/src/job.ts +14 -32
package/src/namespace.ts +241 -0
package/src/network-policy.ts +371 -87
package/src/network.ts +41 -0
package/src/pvc.ts +43 -25
package/src/scripting/bundle.ts +125 -22
package/src/scripting/container.ts +16 -11
package/src/scripting/environment.ts +56 -6
package/src/secret.ts +195 -0
package/src/service.ts +209 -89
package/src/shared.ts +42 -51
package/src/stateful-set.ts +193 -88
package/src/units/access-point/index.ts +8 -1
package/src/units/cert-manager/index.ts +15 -20
package/src/units/cluster-dns/index.ts +37 -0
package/src/units/cluster-patch/index.ts +35 -0
package/src/units/dns01-issuer/index.ts +1 -1
package/src/units/existing-cluster/index.ts +24 -14
package/src/workload.ts +342 -44
package/dist/chunk-K4WKJ4L5.js +0 -455
package/dist/chunk-K4WKJ4L5.js.map +0 -1
package/dist/chunk-T5Z2M4JE.js +0 -103
package/dist/chunk-T5Z2M4JE.js.map +0 -1

package/dist/chunk-QGHMLKTW.js ADDED Viewed

@@ -0,0 +1,1123 @@
+import {
+  HttpRoute,
+  Service,
+  getServiceMetadata,
+  isFromCluster,
+  mapContainerPortToServicePort,
+  mapServiceToLabelSelector
+} from "./chunk-HW3NS3MC.js";
+import {
+  commonExtraArgs,
+  getProvider,
+  mapMetadata,
+  mapNamespaceLikeToNamespaceName,
+  mapNamespaceNameToSelector,
+  mapSelectorLikeToSelector,
+  resourceIdToString,
+  withPatchName
+} from "./chunk-FKNHHKOL.js";
+// src/pvc.ts
+import { core } from "@pulumi/kubernetes";
+import {
+  ComponentResource,
+  output
+} from "@highstate/pulumi";
+import { deepmerge } from "deepmerge-ts";
+import { omit } from "remeda";
+var extraPersistentVolumeClaimArgs = [...commonExtraArgs, "size"];
+var PersistentVolumeClaim = class extends ComponentResource {
+  constructor(type, name, args, opts, cluster, metadata, spec, status) {
+    super(type, name, args, opts);
+    this.cluster = cluster;
+    this.metadata = metadata;
+    this.spec = spec;
+    this.status = status;
+  }
+  /**
+   * The Highstate PVC entity.
+   */
+  get entity() {
+    return output({
+      type: "k8s.persistent-volume-claim",
+      clusterId: this.cluster.id,
+      metadata: this.metadata
+    });
+  }
+  static create(name, args, opts) {
+    return new CreatedPersistentVolumeClaim(name, args, opts);
+  }
+  static of(name, entity, cluster, opts) {
+    return new ExternalPersistentVolumeClaim(name, output(entity).metadata, cluster, opts);
+  }
+  static createOrGet(name, args, opts) {
+    if (!args.existing) {
+      return new CreatedPersistentVolumeClaim(name, args, opts);
+    }
+    return new ExternalPersistentVolumeClaim(
+      name,
+      output(args.existing).metadata,
+      args.cluster,
+      opts
+    );
+  }
+};
+var CreatedPersistentVolumeClaim = class extends PersistentVolumeClaim {
+  constructor(name, args, opts) {
+    const pvc = output(args).apply(async (args2) => {
+      return new core.v1.PersistentVolumeClaim(
+        name,
+        {
+          metadata: mapMetadata(args2, name),
+          spec: deepmerge(
+            {
+              accessModes: ["ReadWriteOnce"],
+              resources: {
+                requests: {
+                  storage: args2.size ?? "100Mi"
+                }
+              }
+            },
+            omit(args2, extraPersistentVolumeClaimArgs)
+          )
+        },
+        {
+          ...opts,
+          parent: this,
+          provider: await getProvider(args2.cluster)
+        }
+      );
+    });
+    super(
+      "k8s:PersistentVolumeClaim",
+      name,
+      args,
+      opts,
+      output(args.cluster),
+      pvc.metadata,
+      pvc.spec,
+      pvc.status
+    );
+  }
+};
+var ExternalPersistentVolumeClaim = class extends PersistentVolumeClaim {
+  constructor(name, id, cluster, opts) {
+    const pvc = output(id).apply(async (id2) => {
+      return core.v1.PersistentVolumeClaim.get(
+        //
+        name,
+        resourceIdToString(id2),
+        {
+          ...opts,
+          parent: this,
+          provider: await getProvider(cluster)
+        }
+      );
+    });
+    super(
+      "highstate:k8s:ExternalPersistentVolumeClaim",
+      name,
+      { id, cluster },
+      opts,
+      output(cluster),
+      pvc.metadata,
+      pvc.spec,
+      pvc.status
+    );
+  }
+};
+// src/secret.ts
+import { core as core2 } from "@pulumi/kubernetes";
+import {
+  ComponentResource as ComponentResource2,
+  output as output2
+} from "@pulumi/pulumi";
+var Secret = class extends ComponentResource2 {
+  constructor(type, name, args, opts, cluster, metadata, data, stringData) {
+    super(type, name, args, opts);
+    this.cluster = cluster;
+    this.metadata = metadata;
+    this.data = data;
+    this.stringData = stringData;
+  }
+  /**
+   * Creates a new secret.
+   */
+  static create(name, args, opts) {
+    return new CreatedSecret(name, args, opts);
+  }
+  /**
+   * Creates a new secret or patches an existing one.
+   *
+   * Will throw an error if the secret does not exist when `args.resource` is provided.
+   */
+  static createOrPatch(name, args, opts) {
+    if (!args.existing) {
+      return new CreatedSecret(name, args, opts);
+    }
+    return new SecretPatch(
+      name,
+      {
+        ...args,
+        name: withPatchName("secret", args.existing, args.cluster),
+        namespace: output2(args.existing).metadata.namespace
+      },
+      opts
+    );
+  }
+  /**
+   * Gets an existing secret.
+   *
+   * Will throw an error if the secret does not exist.
+   */
+  static get(name, id, cluster, opts) {
+    return new ExternalSecret(name, id, cluster, opts);
+  }
+};
+var CreatedSecret = class extends Secret {
+  constructor(name, args, opts) {
+    const secret = output2(args).apply(async (args2) => {
+      return new core2.v1.Secret(
+        name,
+        {
+          metadata: mapMetadata(args2, name),
+          data: args2.data,
+          stringData: args2.stringData
+        },
+        {
+          ...opts,
+          parent: this,
+          provider: await getProvider(args2.cluster)
+        }
+      );
+    });
+    super(
+      "highstate:k8s:Secret",
+      name,
+      args,
+      opts,
+      output2(args.cluster),
+      secret.metadata,
+      secret.data,
+      secret.stringData
+    );
+  }
+};
+var SecretPatch = class extends Secret {
+  constructor(name, args, opts) {
+    const secret = output2(args).apply(async (args2) => {
+      return new core2.v1.SecretPatch(
+        name,
+        {
+          metadata: mapMetadata(args2, name),
+          data: args2.data,
+          stringData: args2.stringData
+        },
+        {
+          ...opts,
+          parent: this,
+          provider: await getProvider(args2.cluster)
+        }
+      );
+    });
+    super(
+      "highstate:k8s:SecretPatch",
+      name,
+      args,
+      opts,
+      output2(args.cluster),
+      secret.metadata,
+      secret.data,
+      secret.stringData
+    );
+  }
+};
+var ExternalSecret = class extends Secret {
+  constructor(name, id, cluster, opts) {
+    const secret = output2(id).apply(async (realName) => {
+      return core2.v1.Secret.get(
+        //
+        name,
+        realName,
+        {
+          ...opts,
+          parent: this,
+          provider: await getProvider(cluster)
+        }
+      );
+    });
+    super(
+      "highstate:k8s:ExternalSecret",
+      name,
+      { id, cluster },
+      opts,
+      output2(cluster),
+      secret.metadata,
+      secret.data,
+      secret.stringData
+    );
+  }
+};
+// src/container.ts
+import { core as core3 } from "@pulumi/kubernetes";
+import { normalize, output as output3 } from "@highstate/pulumi";
+import { concat, map, omit as omit2 } from "remeda";
+var containerExtraArgs = [
+  "port",
+  "volumeMount",
+  "volume",
+  "environment",
+  "environmentSource",
+  "environmentSources"
+];
+function mapContainerToRaw(container, cluster, fallbackName) {
+  const containerName = container.name ?? fallbackName;
+  const spec = {
+    ...omit2(container, containerExtraArgs),
+    name: containerName,
+    ports: normalize(container.port, container.ports),
+    volumeMounts: map(normalize(container.volumeMount, container.volumeMounts), mapVolumeMount),
+    env: concat(
+      container.environment ? mapContainerEnvironment(container.environment) : [],
+      container.env ?? []
+    ),
+    envFrom: concat(
+      map(
+        normalize(container.environmentSource, container.environmentSources),
+        mapEnvironmentSource
+      ),
+      container.envFrom ?? []
+    )
+  };
+  if (container.enableTun) {
+    spec.securityContext ??= {};
+    spec.securityContext.capabilities ??= {};
+    spec.securityContext.capabilities.add = ["NET_ADMIN"];
+    if (cluster.quirks?.tunDevicePolicy?.type === "plugin") {
+      spec.resources ??= {};
+      spec.resources.limits ??= {};
+      spec.resources.limits[cluster.quirks.tunDevicePolicy.resourceName] = cluster.quirks.tunDevicePolicy.resourceValue;
+    } else {
+      spec.volumeMounts ??= [];
+      spec.volumeMounts.push({
+        name: "tun-device",
+        mountPath: "/dev/net/tun",
+        readOnly: false
+      });
+    }
+  }
+  return spec;
+}
+function mapContainerEnvironment(environment) {
+  const envVars = [];
+  for (const [name, value] of Object.entries(environment)) {
+    if (!value) {
+      continue;
+    }
+    if (typeof value === "string") {
+      envVars.push({ name, value });
+      continue;
+    }
+    if ("secret" in value) {
+      envVars.push({
+        name,
+        valueFrom: {
+          secretKeyRef: {
+            name: value.secret.metadata.name,
+            key: value.key
+          }
+        }
+      });
+      continue;
+    }
+    if ("configMap" in value) {
+      envVars.push({
+        name,
+        valueFrom: {
+          configMapKeyRef: {
+            name: value.configMap.metadata.name,
+            key: value.key
+          }
+        }
+      });
+      continue;
+    }
+    envVars.push({ name, valueFrom: value });
+  }
+  return envVars;
+}
+function mapVolumeMount(volumeMount) {
+  if ("volume" in volumeMount) {
+    return omit2(
+      {
+        ...volumeMount,
+        name: output3(volumeMount.volume).apply(mapWorkloadVolume).apply((volume) => output3(volume.name))
+      },
+      ["volume"]
+    );
+  }
+  return {
+    ...volumeMount,
+    name: volumeMount.name
+  };
+}
+function mapEnvironmentSource(envFrom) {
+  if (envFrom instanceof core3.v1.ConfigMap) {
+    return {
+      configMapRef: {
+        name: envFrom.metadata.name
+      }
+    };
+  }
+  if (envFrom instanceof core3.v1.Secret) {
+    return {
+      secretRef: {
+        name: envFrom.metadata.name
+      }
+    };
+  }
+  return envFrom;
+}
+function mapWorkloadVolume(volume) {
+  if (volume instanceof PersistentVolumeClaim) {
+    return {
+      name: volume.metadata.name,
+      persistentVolumeClaim: {
+        claimName: volume.metadata.name
+      }
+    };
+  }
+  if (volume instanceof Secret) {
+    return {
+      name: volume.metadata.name,
+      secret: {
+        secretName: volume.metadata.name
+      }
+    };
+  }
+  if (core3.v1.PersistentVolumeClaim.isInstance(volume)) {
+    return {
+      name: volume.metadata.name,
+      persistentVolumeClaim: {
+        claimName: volume.metadata.name
+      }
+    };
+  }
+  if (core3.v1.ConfigMap.isInstance(volume)) {
+    return {
+      name: volume.metadata.name,
+      configMap: {
+        name: volume.metadata.name
+      }
+    };
+  }
+  if (core3.v1.Secret.isInstance(volume)) {
+    return {
+      name: volume.metadata.name,
+      secret: {
+        secretName: volume.metadata.name
+      }
+    };
+  }
+  return volume;
+}
+// src/network-policy.ts
+import { networking } from "@pulumi/kubernetes";
+import {
+  ComponentResource as ComponentResource3,
+  interpolate,
+  normalize as normalize2,
+  output as output4
+} from "@highstate/pulumi";
+import { capitalize, flat, groupBy, merge, mergeDeep, uniqueBy } from "remeda";
+import "@highstate/library";
+import {
+  l34EndpointToString,
+  l3EndpointToCidr,
+  parseL34Endpoint
+} from "@highstate/common";
+var NetworkPolicy = class _NetworkPolicy extends ComponentResource3 {
+  /**
+   * The underlying network policy resource.
+   */
+  networkPolicy;
+  constructor(name, args, opts) {
+    super("k8s:network-policy", name, args, opts);
+    const normalizedArgs = output4(args).apply((args2) => {
+      const ingressRules = normalize2(args2.ingressRule, args2.ingressRules);
+      const egressRules = normalize2(args2.egressRule, args2.egressRules);
+      const extraEgressRules = [];
+      if (args2.allowKubeDns) {
+        extraEgressRules.push({
+          namespaces: ["kube-system"],
+          selectors: [{ matchLabels: { "k8s-app": "kube-dns" } }],
+          ports: [{ port: 53, protocol: "UDP" }],
+          all: false,
+          cidrs: [],
+          fqdns: [],
+          services: []
+        });
+      }
+      return {
+        ...args2,
+        podSelector: args2.selector ? mapSelectorLikeToSelector(args2.selector) : {},
+        isolateEgress: args2.isolateEgress ?? false,
+        isolateIngress: args2.isolateIngress ?? false,
+        allowKubeApiServer: args2.allowKubeApiServer ?? false,
+        ingressRules: ingressRules.flatMap((rule) => {
+          const endpoints = normalize2(
+            args2.ingressRule?.fromEndpoint,
+            args2.ingressRule?.fromEndpoints
+          );
+          const parsedEndpoints = endpoints.map(parseL34Endpoint);
+          const endpointsByPortsAndNamespaces = groupBy(parsedEndpoints, (endpoint) => {
+            const namespace = isFromCluster(endpoint, args2.cluster) ? endpoint.metadata.k8sService.namespace : "";
+            const port = isFromCluster(endpoint, args2.cluster) ? endpoint.metadata.k8sService.targetPort : endpoint.port;
+            return `${port ?? "0"}:${namespace}`;
+          });
+          const l3OnlyRule = endpointsByPortsAndNamespaces["0:"] ? _NetworkPolicy.getRuleFromEndpoint(
+            void 0,
+            endpointsByPortsAndNamespaces["0:"],
+            args2.cluster
+          ) : void 0;
+          const otherRules = Object.entries(endpointsByPortsAndNamespaces).filter(([key]) => key !== "0:").map(([key, endpoints2]) => {
+            const [port] = key.split(":");
+            const portNumber = parseInt(port, 10);
+            const portValue = isNaN(portNumber) ? port : portNumber;
+            return _NetworkPolicy.getRuleFromEndpoint(portValue, endpoints2, args2.cluster);
+          });
+          return [
+            {
+              all: rule.fromAll ?? false,
+              cidrs: normalize2(rule.fromCidr, rule.fromCidrs).concat(l3OnlyRule?.cidrs ?? []),
+              fqdns: [],
+              services: normalize2(rule.fromService, rule.fromServices),
+              namespaces: normalize2(rule.fromNamespace, rule.fromNamespaces),
+              selectors: normalize2(rule.fromSelector, rule.fromSelectors),
+              ports: normalize2(rule.toPort, rule.toPorts)
+            },
+            ...otherRules
+          ].filter((rule2) => !_NetworkPolicy.isEmptyRule(rule2));
+        }),
+        egressRules: egressRules.flatMap((rule) => {
+          const endpoints = normalize2(args2.egressRule?.toEndpoint, args2.egressRule?.toEndpoints);
+          const parsedEndpoints = endpoints.map(parseL34Endpoint);
+          const endpointsByPortsAnsNamespaces = groupBy(parsedEndpoints, (endpoint) => {
+            const namespace = isFromCluster(endpoint, args2.cluster) ? endpoint.metadata.k8sService.namespace : "";
+            const port = isFromCluster(endpoint, args2.cluster) ? endpoint.metadata.k8sService.targetPort : endpoint.port;
+            return `${port ?? "0"}:${namespace}`;
+          });
+          const l3OnlyRule = endpointsByPortsAnsNamespaces["0:"] ? _NetworkPolicy.getRuleFromEndpoint(
+            void 0,
+            endpointsByPortsAnsNamespaces["0:"],
+            args2.cluster
+          ) : void 0;
+          const otherRules = Object.entries(endpointsByPortsAnsNamespaces).filter(([key]) => key !== "0:").map(([key, endpoints2]) => {
+            const [port] = key.split(":");
+            const portNumber = parseInt(port, 10);
+            const portValue = isNaN(portNumber) ? port : portNumber;
+            return _NetworkPolicy.getRuleFromEndpoint(portValue, endpoints2, args2.cluster);
+          });
+          return [
+            {
+              all: rule.toAll ?? false,
+              cidrs: normalize2(rule.toCidr, rule.toCidrs).concat(l3OnlyRule?.cidrs ?? []),
+              fqdns: normalize2(rule.toFqdn, rule.toFqdns).concat(l3OnlyRule?.fqdns ?? []),
+              services: normalize2(rule.toService, rule.toServices),
+              namespaces: normalize2(rule.toNamespace, rule.toNamespaces),
+              selectors: normalize2(rule.toSelector, rule.toSelectors),
+              ports: normalize2(rule.toPort, rule.toPorts)
+            },
+            ...otherRules
+          ].filter((rule2) => !_NetworkPolicy.isEmptyRule(rule2));
+        }).concat(extraEgressRules)
+      };
+    });
+    this.networkPolicy = output4(
+      normalizedArgs.apply(async (args2) => {
+        return output4(
+          this.create(name, args2, {
+            ...opts,
+            parent: this,
+            provider: await getProvider(args2.cluster)
+          })
+        );
+      })
+    );
+  }
+  static mapCidrFromEndpoint(result) {
+    if (result.type === "ipv4") {
+      return `${result.address}/32`;
+    }
+    return `${result.address}/128`;
+  }
+  static getRuleFromEndpoint(port, endpoints, cluster) {
+    const ports = port ? [{ port, protocol: endpoints[0].protocol?.toUpperCase() }] : [];
+    const cidrs = endpoints.filter((endpoint) => !isFromCluster(endpoint, cluster)).filter((endpoint) => endpoint.type === "ipv4" || endpoint.type === "ipv6").map(_NetworkPolicy.mapCidrFromEndpoint);
+    const fqdns = endpoints.filter((endpoint) => endpoint.type === "hostname").map((endpoint) => endpoint.hostname);
+    const selectors = endpoints.filter((endpoint) => isFromCluster(endpoint, cluster)).map((endpoint) => endpoint.metadata.k8sService.selector);
+    const namespace = endpoints.filter((endpoint) => isFromCluster(endpoint, cluster)).map((endpoint) => getServiceMetadata(endpoint)?.namespace)[0];
+    return {
+      all: false,
+      cidrs,
+      fqdns,
+      services: [],
+      namespaces: namespace ? [namespace] : [],
+      selectors,
+      ports
+    };
+  }
+  static isEmptyRule(rule) {
+    return !rule.all && rule.cidrs.length === 0 && rule.fqdns.length === 0 && rule.services.length === 0 && rule.namespaces.length === 0 && rule.selectors.length === 0 && rule.ports.length === 0;
+  }
+  static create(name, args, opts) {
+    return output4(args).apply(async (args2) => {
+      const cni = args2.cluster.cni;
+      if (cni === "other") {
+        return new NativeNetworkPolicy(name, args2, opts);
+      }
+      const implName = `${capitalize(cni)}NetworkPolicy`;
+      const implModule = await import(`@highstate/${cni}`);
+      const implClass = implModule[implName];
+      if (!implClass) {
+        throw new Error(`No implementation found for ${cni}`);
+      }
+      return new implClass(name, args2, opts);
+    });
+  }
+  static isolate(namespace, cluster, opts) {
+    return _NetworkPolicy.create(
+      "isolate",
+      {
+        namespace,
+        cluster,
+        description: "By default, deny all traffic to/from the namespace.",
+        isolateEgress: true,
+        isolateIngress: true
+      },
+      opts
+    );
+  }
+  static allowInsideNamespace(namespace, cluster, opts) {
+    return _NetworkPolicy.create(
+      "allow-inside-namespace",
+      {
+        namespace,
+        cluster,
+        description: "Allow all traffic inside the namespace.",
+        selector: {},
+        ingressRule: { fromNamespace: namespace },
+        egressRule: { toNamespace: namespace }
+      },
+      opts
+    );
+  }
+  static allowKubeApiServer(namespace, cluster, opts) {
+    return _NetworkPolicy.create(
+      "allow-kube-api-server",
+      {
+        namespace,
+        cluster,
+        description: "Allow all traffic to the Kubernetes API server from the namespace.",
+        allowKubeApiServer: true
+      },
+      opts
+    );
+  }
+  static allowKubeDns(namespace, cluster, opts) {
+    return _NetworkPolicy.create(
+      "allow-kube-dns",
+      {
+        namespace,
+        cluster,
+        description: "Allow all traffic to the Kubernetes DNS server from the namespace.",
+        allowKubeDns: true
+      },
+      opts
+    );
+  }
+  static allowAllEgress(namespace, cluster, opts) {
+    return _NetworkPolicy.create(
+      "allow-all-egress",
+      {
+        namespace,
+        cluster,
+        description: "Allow all egress traffic from the namespace.",
+        egressRule: { toAll: true }
+      },
+      opts
+    );
+  }
+  static allowAllIngress(namespace, cluster, opts) {
+    return _NetworkPolicy.create(
+      "allow-all-ingress",
+      {
+        namespace,
+        cluster,
+        description: "Allow all ingress traffic to the namespace.",
+        ingressRule: { fromAll: true }
+      },
+      opts
+    );
+  }
+  static allowEgressToEndpoint(endpoint, namespace, cluster, opts) {
+    const parsedEndpoint = parseL34Endpoint(endpoint);
+    return _NetworkPolicy.create(
+      `allow-egress-to-${l34EndpointToString(parsedEndpoint)}`,
+      {
+        namespace,
+        cluster,
+        description: interpolate`Allow egress traffic to "${l34EndpointToString(parsedEndpoint)}" from the namespace.`,
+        egressRule: { toEndpoint: endpoint }
+      },
+      opts
+    );
+  }
+  static allowIngressFromEndpoint(endpoint, namespace, cluster, opts) {
+    const parsedEndpoint = parseL34Endpoint(endpoint);
+    return _NetworkPolicy.create(
+      `allow-ingress-from-${l34EndpointToString(parsedEndpoint)}`,
+      {
+        namespace,
+        cluster,
+        description: interpolate`Allow ingress traffic from "${l34EndpointToString(parsedEndpoint)}" to the namespace.`,
+        ingressRule: { fromEndpoint: endpoint }
+      },
+      opts
+    );
+  }
+};
+var NativeNetworkPolicy = class _NativeNetworkPolicy extends NetworkPolicy {
+  create(name, args, opts) {
+    const ingress = _NativeNetworkPolicy.createIngressRules(args);
+    const egress = _NativeNetworkPolicy.createEgressRules(args);
+    const policyTypes = [];
+    if (ingress.length > 0 || args.isolateIngress) {
+      policyTypes.push("Ingress");
+    }
+    if (egress.length > 0 || args.isolateEgress) {
+      policyTypes.push("Egress");
+    }
+    return new networking.v1.NetworkPolicy(
+      name,
+      {
+        metadata: mergeDeep(mapMetadata(args, name), {
+          annotations: args.description ? { "kubernetes.io/description": args.description } : void 0
+        }),
+        spec: {
+          podSelector: args.podSelector,
+          ingress,
+          egress,
+          policyTypes
+        }
+      },
+      opts
+    );
+  }
+  static fallbackIpBlock = {
+    cidr: "0.0.0.0/0",
+    except: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+  };
+  static fallbackDnsRule = {
+    to: [
+      {
+        namespaceSelector: { matchLabels: { "kubernetes.io/metadata.name": "kube-system" } },
+        podSelector: { matchLabels: { "k8s-app": "kube-dns" } }
+      }
+    ],
+    ports: [{ port: 53, protocol: "UDP" }]
+  };
+  static createIngressRules(args) {
+    return uniqueBy(
+      args.ingressRules.map((rule) => ({
+        from: rule.all ? [] : _NativeNetworkPolicy.createRulePeers(rule),
+        ports: _NativeNetworkPolicy.mapPorts(rule.ports)
+      })),
+      (rule) => JSON.stringify(rule)
+    );
+  }
+  static createEgressRules(args) {
+    const extraRules = [];
+    const needKubeDns = args.egressRules.some((rule) => rule.fqdns.length > 0);
+    if (needKubeDns) {
+      extraRules.push(_NativeNetworkPolicy.fallbackDnsRule);
+    }
+    const needFallback = args.egressRules.some(
+      (rule) => rule.fqdns.some((fqdn) => !fqdn.endsWith(".cluster.local"))
+    );
+    if (needFallback) {
+      extraRules.push({ to: [{ ipBlock: _NativeNetworkPolicy.fallbackIpBlock }] });
+    }
+    if (args.allowKubeApiServer) {
+      const { quirks, apiEndpoints } = args.cluster;
+      if (quirks?.fallbackKubeApiAccess) {
+        extraRules.push({
+          to: [{ ipBlock: { cidr: `${quirks?.fallbackKubeApiAccess.serverIp}/32` } }],
+          ports: [{ port: quirks?.fallbackKubeApiAccess.serverPort, protocol: "TCP" }]
+        });
+      } else {
+        const rules = apiEndpoints.filter((endpoint) => endpoint.type !== "hostname").map((endpoint) => ({
+          to: [{ ipBlock: { cidr: l3EndpointToCidr(endpoint) } }],
+          ports: [{ port: endpoint.port, protocol: "TCP" }]
+        }));
+        extraRules.push(...rules);
+      }
+    }
+    return uniqueBy(
+      args.egressRules.map((rule) => {
+        return {
+          to: rule.all ? [] : _NativeNetworkPolicy.createRulePeers(rule),
+          ports: _NativeNetworkPolicy.mapPorts(rule.ports)
+        };
+      }).filter((rule) => rule.to !== void 0).concat(extraRules),
+      (rule) => JSON.stringify(rule)
+    );
+  }
+  static createRulePeers(args) {
+    const peers = uniqueBy(
+      [
+        ..._NativeNetworkPolicy.createCidrPeers(args),
+        ..._NativeNetworkPolicy.createServicePeers(args),
+        ..._NativeNetworkPolicy.createSelectorPeers(args)
+      ],
+      (peer) => JSON.stringify(peer)
+    );
+    return peers.length > 0 ? peers : void 0;
+  }
+  static createCidrPeers(args) {
+    return args.cidrs.map((cidr) => ({ ipBlock: { cidr } }));
+  }
+  static createServicePeers(args) {
+    return args.services.map((service) => {
+      const selector = mapServiceToLabelSelector(service);
+      return {
+        namespaceSelector: mapNamespaceNameToSelector(service.metadata.namespace),
+        podSelector: selector
+      };
+    });
+  }
+  static createSelectorPeers(args) {
+    const selectorPeers = args.selectors.map((selector) => ({
+      podSelector: mapSelectorLikeToSelector(selector)
+    }));
+    const namespacePeers = args.namespaces.map(_NativeNetworkPolicy.createNamespacePeer);
+    if (namespacePeers.length === 0) {
+      return selectorPeers;
+    }
+    if (selectorPeers.length === 0) {
+      return namespacePeers;
+    }
+    return flat(
+      selectorPeers.map((selectorPeer) => {
+        return namespacePeers.map((namespacePeer) => merge(selectorPeer, namespacePeer));
+      })
+    );
+  }
+  static createNamespacePeer(namespace) {
+    const namespaceName = mapNamespaceLikeToNamespaceName(namespace);
+    const namespaceSelector = mapNamespaceNameToSelector(namespaceName);
+    return { namespaceSelector };
+  }
+  static mapPorts(ports) {
+    return ports.map((port) => {
+      if ("port" in port) {
+        return {
+          port: port.port,
+          protocol: port.protocol ?? "TCP"
+        };
+      }
+      return {
+        port: port.range[0],
+        endPort: port.range[1],
+        protocol: port.protocol ?? "TCP"
+      };
+    });
+  }
+};
+// src/workload.ts
+import {
+  normalize as normalize3
+} from "@highstate/pulumi";
+import {
+  ComponentResource as ComponentResource4,
+  interpolate as interpolate2,
+  output as output5
+} from "@pulumi/pulumi";
+import { uniqueBy as uniqueBy2 } from "remeda";
+import { deepmerge as deepmerge2 } from "deepmerge-ts";
+// src/pod.ts
+var podSpecDefaults = {
+  automountServiceAccountToken: false
+};
+// src/workload.ts
+var workloadExtraArgs = [...commonExtraArgs, "container", "containers"];
+var exposableWorkloadExtraArgs = [...workloadExtraArgs, "service", "httpRoute"];
+function getWorkloadComponents(name, args, parent, opts) {
+  const labels = {
+    "app.kubernetes.io/name": name
+  };
+  const containers = output5(args).apply((args2) => normalize3(args2.container, args2.containers));
+  const volumes = containers.apply((containers2) => {
+    const containerVolumes = containers2.flatMap((container) => normalize3(container.volume, container.volumes)).map(mapWorkloadVolume);
+    const containerVolumeMounts = containers2.flatMap((container) => {
+      return normalize3(container.volumeMount, container.volumeMounts).map((volumeMount) => {
+        return "volume" in volumeMount ? volumeMount.volume : void 0;
+      }).filter(Boolean);
+    }).map(mapWorkloadVolume);
+    return output5([...containerVolumes, ...containerVolumeMounts]).apply(
+      uniqueBy2((volume) => volume.name)
+    );
+  });
+  const podSpec = output5({ args, containers, volumes }).apply(({ args: args2, containers: containers2, volumes: volumes2 }) => {
+    const spec = {
+      volumes: volumes2,
+      containers: containers2.map((container) => mapContainerToRaw(container, args2.cluster, name)),
+      ...podSpecDefaults
+    };
+    if (containers2.some((container) => container.enableTun) && args2.cluster.quirks?.tunDevicePolicy?.type !== "plugin") {
+      spec.volumes = output5(spec.volumes).apply((volumes3) => [
+        ...volumes3 ?? [],
+        {
+          name: "tun-device",
+          hostPath: {
+            path: "/dev/net/tun"
+          }
+        }
+      ]);
+    }
+    return spec;
+  });
+  const podTemplate = podSpec.apply((podSpec2) => {
+    return {
+      metadata: { labels },
+      spec: podSpec2
+    };
+  });
+  const networkPolicy = containers.apply((containers2) => {
+    const allowedEndpoints = containers2.flatMap((container) => container.allowedEndpoints ?? []);
+    if (allowedEndpoints.length === 0) {
+      return void 0;
+    }
+    return NetworkPolicy.create(
+      name,
+      {
+        cluster: args.cluster,
+        namespace: args.namespace,
+        selector: labels,
+        egressRule: {
+          toEndpoints: allowedEndpoints
+        }
+      },
+      { ...opts, parent: parent() }
+    );
+  });
+  return { labels, containers, volumes, podSpec, podTemplate, networkPolicy };
+}
+function getExposableWorkloadComponents(name, args, parent, opts) {
+  const { labels, containers, volumes, podSpec, podTemplate, networkPolicy } = getWorkloadComponents(name, args, parent, opts);
+  const service = output5({ args, containers }).apply(async ({ args: args2, containers: containers2 }) => {
+    if (!args2.service && !args2.httpRoute) {
+      return void 0;
+    }
+    if (args2.existing?.service) {
+      return Service.of(name, args2.existing.service, args2.cluster, { ...opts, parent: parent() });
+    }
+    if (args2.existing) {
+      return void 0;
+    }
+    const ports = containers2.flatMap((container) => normalize3(container.port, container.ports));
+    return Service.create(
+      name,
+      {
+        ...args2.service,
+        selector: labels,
+        cluster: args2.cluster,
+        namespace: args2.namespace,
+        ports: (
+          // allow to completely override the ports
+          !args2.service?.port && !args2.service?.ports ? ports.map(mapContainerPortToServicePort) : args2.service?.ports
+        )
+      },
+      {
+        ...opts,
+        parent: parent(),
+        provider: await getProvider(args2.cluster)
+      }
+    );
+  });
+  const httpRoute = output5({
+    args,
+    service
+  }).apply(async ({ args: args2, service: service2 }) => {
+    if (!args2.httpRoute || !service2) {
+      return void 0;
+    }
+    if (args2.existing) {
+      return void 0;
+    }
+    return new HttpRoute(
+      name,
+      {
+        ...args2.httpRoute,
+        cluster: args2.cluster,
+        rule: {
+          backend: service2
+        }
+      },
+      {
+        ...opts,
+        parent: parent(),
+        provider: await getProvider(args2.cluster)
+      }
+    );
+  });
+  return { labels, containers, volumes, podSpec, podTemplate, networkPolicy, service, httpRoute };
+}
+var Workload = class extends ComponentResource4 {
+  constructor(type, name, args, opts, resourceType, cluster, metadata, networkPolicy) {
+    super(type, name, args, opts);
+    this.name = name;
+    this.args = args;
+    this.resourceType = resourceType;
+    this.cluster = cluster;
+    this.metadata = metadata;
+    this.networkPolicy = networkPolicy;
+  }
+  /**
+   * The instance terminal to interact with the deployment.
+   */
+  get terminal() {
+    const containerName = output5(this.args).apply((args) => {
+      const containers = normalize3(args.container, args.containers);
+      return containers[0]?.name ?? this.name;
+    });
+    return output5({
+      name: this.metadata.name,
+      title: this.metadata.name,
+      image: "ghcr.io/exeteres/highstate/terminal-kubectl",
+      command: [
+        "exec",
+        "kubectl",
+        "exec",
+        "-it",
+        "-n",
+        this.metadata.namespace,
+        interpolate2`${this.resourceType}/${this.metadata.name}`,
+        "-c",
+        containerName,
+        "--",
+        this.args.terminalShell ?? "bash"
+      ],
+      files: {
+        "/kubeconfig": this.cluster.kubeconfig
+      },
+      env: {
+        KUBECONFIG: "/kubeconfig"
+      }
+    });
+  }
+};
+var ExposableWorkload = class extends Workload {
+  constructor(type, name, args, opts, resourceType, cluster, metadata, networkPolicy, _service, _httpRoute) {
+    super(type, name, args, opts, resourceType, cluster, metadata, networkPolicy);
+    this.name = name;
+    this._service = _service;
+    this._httpRoute = _httpRoute;
+  }
+  /**
+   * The service associated with the workload.
+   */
+  get optionalService() {
+    return this._service;
+  }
+  /**
+   * The HTTP route associated with the workload.
+   */
+  get optionalHttpRoute() {
+    return this._httpRoute;
+  }
+  /**
+   * The service associated with the workload.
+   *
+   * Will throw an error if the service is not available.
+   */
+  get service() {
+    return this._service.apply((service) => {
+      if (!service) {
+        throw new Error(`The service of the workload "${this.name}" is not available.`);
+      }
+      return service;
+    });
+  }
+  /**
+   * The HTTP route associated with the workload.
+   *
+   * Will throw an error if the HTTP route is not available.
+   */
+  get httpRoute() {
+    return this._httpRoute.apply((httpRoute) => {
+      if (!httpRoute) {
+        throw new Error(`The HTTP route of the workload "${this.name}" is not available.`);
+      }
+      return httpRoute;
+    });
+  }
+  /**
+   * Creates a generic workload or patches the existing one.
+   */
+  static createOrPatchGeneric(name, args, opts) {
+    return output5(args).apply(async (args2) => {
+      if (args2.existing?.type === "k8s.deployment") {
+        const { Deployment } = await import("./deployment-ZP3ASKPT.js");
+        return Deployment.patch(
+          name,
+          {
+            ...deepmerge2(args2, args2.deployment),
+            name: args2.existing.metadata.name,
+            namespace: args2.existing.metadata.namespace
+          },
+          opts
+        );
+      }
+      if (args2.existing?.type === "k8s.stateful-set") {
+        const { StatefulSet } = await import("./stateful-set-2AH7RAF7.js");
+        return StatefulSet.patch(
+          name,
+          {
+            ...deepmerge2(args2, args2.statefulSet),
+            name: args2.existing.metadata.name,
+            namespace: args2.existing.metadata.namespace
+          },
+          opts
+        );
+      }
+      if (args2.type === "Deployment") {
+        const { Deployment } = await import("./deployment-ZP3ASKPT.js");
+        return Deployment.create(name, deepmerge2(args2, args2.deployment), opts);
+      }
+      if (args2.type === "StatefulSet") {
+        const { StatefulSet } = await import("./stateful-set-2AH7RAF7.js");
+        return StatefulSet.create(name, deepmerge2(args2, args2.statefulSet), opts);
+      }
+      throw new Error(`Unknown workload type: ${args2.type}`);
+    });
+  }
+};
+export {
+  PersistentVolumeClaim,
+  Secret,
+  NetworkPolicy,
+  exposableWorkloadExtraArgs,
+  getWorkloadComponents,
+  getExposableWorkloadComponents,
+  Workload,
+  ExposableWorkload
+};
+//# sourceMappingURL=chunk-QGHMLKTW.js.map