@highstate/k8s 0.9.4 → 0.9.6

package/dist/index.js

@@ -1,861 +1,66 @@
+import {
+  StatefulSet
+} from "./chunk-OQ7UXASD.js";
+import {
+  Deployment
+} from "./chunk-DQSCJM5S.js";
+import {
+  ExposableWorkload,
+  NetworkPolicy,
+  PersistentVolumeClaim,
+  Secret,
+  Workload,
+  getWorkloadComponents
+} from "./chunk-QGHMLKTW.js";
 import {
   Chart,
-  HttpRoute,
   RenderedChart,
-  Service,
   getChartService,
   getChartServiceOutput,
+  resolveHelmChart
+} from "./chunk-UNVSWG6D.js";
+import {
+  HttpRoute,
+  Service,
+  getServiceMetadata,
+  hasServiceMetadata,
+  isFromCluster,
   mapContainerPortToServicePort,
   mapServiceToLabelSelector,
-  resolveHelmChart
-} from "./chunk-K4WKJ4L5.js";
+  withServiceMetadata
+} from "./chunk-HW3NS3MC.js";
 import {
   createK8sTerminal,
   detectExternalIps
 } from "./chunk-QLQ3QVGT.js";
 import {
+  Namespace,
   commonExtraArgs,
-  createNamespace,
   getAppDisplayName,
   getAppName,
-  getNamespace,
   getProvider,
   mapMetadata,
   mapNamespaceLikeToNamespaceName,
   mapNamespaceNameToSelector,
-  mapSelectorLikeToSelector,
-  resourceIdToString,
-  verifyProvider
-} from "./chunk-T5Z2M4JE.js";
-
-// src/deployment.ts
-import {
-  output as output4,
-  ComponentResource as ComponentResource3,
-  interpolate
-} from "@highstate/pulumi";
-import { apps } from "@pulumi/kubernetes";
-import { omit as omit3 } from "remeda";
-import { deepmerge as deepmerge2 } from "deepmerge-ts";
-import { trimIndentation } from "@highstate/contract";
-
-// src/container.ts
-import { core as core2 } from "@pulumi/kubernetes";
-import { normalize, output as output2 } from "@highstate/pulumi";
-import { concat, map, omit as omit2 } from "remeda";
-
-// src/pvc.ts
-import { core } from "@pulumi/kubernetes";
-import {
-  ComponentResource,
-  output
-} from "@highstate/pulumi";
-import { deepmerge } from "deepmerge-ts";
-import { omit } from "remeda";
-var extraPersistentVolumeClaimArgs = [...commonExtraArgs, "size", "cluster"];
-var PersistentVolumeClaim = class extends ComponentResource {
-  constructor(type, name, args, opts, clusterInfo, metadata, spec, status) {
-    super(type, name, args, opts);
-    this.clusterInfo = clusterInfo;
-    this.metadata = metadata;
-    this.spec = spec;
-    this.status = status;
-  }
-  /**
-   * The Highstate service entity.
-   */
-  get entity() {
-    return output({
-      type: "k8s.persistent-volume-claim",
-      clusterInfo: this.clusterInfo,
-      metadata: this.metadata
-    });
-  }
-  static create(name, args, opts) {
-    return new CreatedPersistentVolumeClaim(name, args, opts);
-  }
-  static of(name, entity, opts) {
-    return new ExternalPersistentVolumeClaim(
-      name,
-      output(entity).metadata,
-      output(entity).clusterInfo,
-      opts
-    );
-  }
-};
-var CreatedPersistentVolumeClaim = class extends PersistentVolumeClaim {
-  constructor(name, args, opts) {
-    const pvc = output(args).apply((args2) => {
-      return new core.v1.PersistentVolumeClaim(
-        name,
-        {
-          metadata: mapMetadata(args2, name),
-          spec: deepmerge(
-            {
-              accessModes: ["ReadWriteOnce"],
-              resources: {
-                requests: {
-                  storage: args2.size ?? "100Mi"
-                }
-              }
-            },
-            omit(args2, extraPersistentVolumeClaimArgs)
-          )
-        },
-        opts
-      );
-    });
-    super(
-      "k8s:PersistentVolumeClaim",
-      name,
-      args,
-      opts,
-      output(args.cluster).info,
-      pvc.metadata,
-      pvc.spec,
-      pvc.status
-    );
-  }
-};
-var ExternalPersistentVolumeClaim = class extends PersistentVolumeClaim {
-  constructor(name, id, clusterInfo, opts) {
-    const pvc = output(id).apply(async (id2) => {
-      await verifyProvider(opts.provider, this.clusterInfo);
-      return core.v1.PersistentVolumeClaim.get(
-        //
-        name,
-        resourceIdToString(id2),
-        { parent: this, provider: opts.provider }
-      );
-    });
-    super(
-      "highstate:k8s:ExternalPersistentVolumeClaim",
-      name,
-      { id, clusterInfo },
-      opts,
-      output(clusterInfo),
-      pvc.metadata,
-      pvc.spec,
-      pvc.status
-    );
-  }
-};
-
-// src/container.ts
-var containerExtraArgs = [
-  "port",
-  "volumeMount",
-  "volume",
-  "environment",
-  "environmentSource",
-  "environmentSources"
-];
-function mapContainerToRaw(container, fallbackName) {
-  const containerName = container.name ?? fallbackName;
-  return {
-    ...omit2(container, containerExtraArgs),
-    name: containerName,
-    ports: normalize(container.port, container.ports),
-    volumeMounts: map(normalize(container.volumeMount, container.volumeMounts), mapVolumeMount),
-    env: concat(
-      container.environment ? mapContainerEnvironment(container.environment) : [],
-      container.env ?? []
-    ),
-    envFrom: concat(
-      map(
-        normalize(container.environmentSource, container.environmentSources),
-        mapEnvironmentSource
-      ),
-      container.envFrom ?? []
-    )
-  };
-}
-function mapContainerEnvironment(environment) {
-  const envVars = [];
-  for (const [name, value] of Object.entries(environment)) {
-    if (!value) {
-      continue;
-    }
-    if (typeof value === "string") {
-      envVars.push({ name, value });
-      continue;
-    }
-    if ("secret" in value) {
-      envVars.push({
-        name,
-        valueFrom: {
-          secretKeyRef: {
-            name: value.secret.metadata.name,
-            key: value.key
-          }
-        }
-      });
-      continue;
-    }
-    if ("configMap" in value) {
-      envVars.push({
-        name,
-        valueFrom: {
-          configMapKeyRef: {
-            name: value.configMap.metadata.name,
-            key: value.key
-          }
-        }
-      });
-      continue;
-    }
-    envVars.push({ name, valueFrom: value });
-  }
-  return envVars;
-}
-function mapVolumeMount(volumeMount) {
-  if ("volume" in volumeMount) {
-    return omit2(
-      {
-        ...volumeMount,
-        name: output2(volumeMount.volume).apply(mapWorkloadVolume).apply((volume) => output2(volume.name))
-      },
-      ["volume"]
-    );
-  }
-  return {
-    ...volumeMount,
-    name: volumeMount.name
-  };
-}
-function mapEnvironmentSource(envFrom) {
-  if (envFrom instanceof core2.v1.ConfigMap) {
-    return {
-      configMapRef: {
-        name: envFrom.metadata.name
-      }
-    };
-  }
-  if (envFrom instanceof core2.v1.Secret) {
-    return {
-      secretRef: {
-        name: envFrom.metadata.name
-      }
-    };
-  }
-  return envFrom;
-}
-function mapWorkloadVolume(volume) {
-  if (volume instanceof PersistentVolumeClaim) {
-    return {
-      name: volume.metadata.name,
-      persistentVolumeClaim: {
-        claimName: volume.metadata.name
-      }
-    };
-  }
-  if (volume instanceof core2.v1.PersistentVolumeClaim) {
-    return {
-      name: volume.metadata.name,
-      persistentVolumeClaim: {
-        claimName: volume.metadata.name
-      }
-    };
-  }
-  if (volume instanceof core2.v1.ConfigMap) {
-    return {
-      name: volume.metadata.name,
-      configMap: {
-        name: volume.metadata.name
-      }
-    };
-  }
-  if (volume instanceof core2.v1.Secret) {
-    return {
-      name: volume.metadata.name,
-      secret: {
-        secretName: volume.metadata.name
-      }
-    };
-  }
-  return volume;
-}
-
-// src/workload.ts
-import { normalize as normalize2 } from "@highstate/pulumi";
-import { ComponentResource as ComponentResource2, output as output3 } from "@pulumi/pulumi";
-import { uniqueBy } from "remeda";
-var workloadExtraArgs = [...commonExtraArgs, "container", "containers"];
-var publicWorkloadExtraArgs = [...workloadExtraArgs, "service", "httpRoute"];
-function getWorkloadComponents(name, args) {
-  const labels = {
-    "app.kubernetes.io/name": name
-  };
-  const containers = output3(args).apply((args2) => normalize2(args2.container, args2.containers));
-  const volumes = containers.apply((containers2) => {
-    const containerVolumes = containers2.flatMap((container) => normalize2(container.volume, container.volumes)).map(mapWorkloadVolume);
-    const containerVolumeMounts = containers2.flatMap((container) => {
-      return normalize2(container.volumeMount, container.volumeMounts).map((volumeMount) => {
-        return "volume" in volumeMount ? volumeMount.volume : void 0;
-      }).filter(Boolean);
-    }).map(mapWorkloadVolume);
-    return uniqueBy([...containerVolumes, ...containerVolumeMounts], (volume) => volume.name);
-  });
-  return { labels, containers, volumes };
-}
-function getPublicWorkloadComponents(name, args, parent, opts) {
-  const { labels, containers, volumes } = getWorkloadComponents(name, args);
-  const service = output3({ args, containers }).apply(({ args: args2, containers: containers2 }) => {
-    if (!args2.service && !args2.httpRoute) {
-      return void 0;
-    }
-    if (args2.patch?.service) {
-      return Service.of(name, args2.patch.service, { parent: parent(), ...opts });
-    }
-    if (args2.patch) {
-      return void 0;
-    }
-    const ports = containers2.flatMap((container) => normalize2(container.port, container.ports));
-    return Service.create(
-      name,
-      {
-        ...args2.service,
-        selector: labels,
-        cluster: args2.cluster,
-        namespace: args2.namespace,
-        ports: (
-          // allow to completely override the ports
-          !args2.service?.port && !args2.service?.ports ? ports.map(mapContainerPortToServicePort) : args2.service?.ports
-        )
-      },
-      { parent: parent(), ...opts }
-    );
-  });
-  const httpRoute = output3({
-    args,
-    service
-  }).apply(({ args: args2, service: service2 }) => {
-    if (!args2.httpRoute || !service2) {
-      return void 0;
-    }
-    if (args2.patch) {
-      return void 0;
-    }
-    return new HttpRoute(
-      name,
-      {
-        ...args2.httpRoute,
-        rule: {
-          backend: service2
-        }
-      },
-      { parent: parent(), ...opts }
-    );
-  });
-  return { labels, containers, volumes, service, httpRoute };
-}
-
-// src/deployment.ts
-var Deployment = class extends ComponentResource3 {
-  constructor(type, name, args, opts, cluster, metadata, spec, status, _service, _httpRoute, resources) {
-    super(type, name, args, opts);
-    this.args = args;
-    this.cluster = cluster;
-    this.metadata = metadata;
-    this.spec = spec;
-    this.status = status;
-    this._service = _service;
-    this._httpRoute = _httpRoute;
-    this.resources = resources;
-  }
-  /**
-   * The Highstate deployment entity.
-   */
-  get entity() {
-    return output4({
-      type: "k8s.deployment",
-      clusterInfo: this.cluster.info,
-      metadata: this.metadata,
-      spec: this.spec,
-      service: this._service.apply((service) => service?.entity)
-    });
-  }
-  get optionalService() {
-    return this._service;
-  }
-  /**
-   * The service associated with the deployment.
-   */
-  get service() {
-    return this._service.apply((service) => {
-      if (!service) {
-        throw new Error("The service is not available.");
-      }
-      return service;
-    });
-  }
-  /**
-   * The HTTP route associated with the deployment.
-   */
-  get httpRoute() {
-    return this._httpRoute.apply((httpRoute) => {
-      if (!httpRoute) {
-        throw new Error("The HTTP route is not available.");
-      }
-      return httpRoute;
-    });
-  }
-  /**
-   * The instance terminal to interact with the deployment.
-   */
-  get terminal() {
-    return output4({
-      name: this.metadata.name,
-      title: this.metadata.name,
-      image: "ghcr.io/exeteres/highstate/terminal-kubectl",
-      command: ["script", "-q", "-c", "/enter-container.sh", "/dev/null"],
-      files: {
-        "/kubeconfig": this.cluster.kubeconfig,
-        "/enter-container.sh": {
-          mode: 493,
-          content: interpolate`
-            #!/bin/bash
-
-            exec kubectl exec -it -n ${this.metadata.namespace} deployment/${this.metadata.name} -- ${this.args.terminalShell ?? "bash"}
-          `.apply(trimIndentation)
-        }
-      },
-      env: {
-        KUBECONFIG: "/kubeconfig"
-      }
-    });
-  }
-  static create(name, args, opts) {
-    return new CreatedDeployment(name, args, opts);
-  }
-};
-var CreatedDeployment = class extends Deployment {
-  constructor(name, args, opts) {
-    const { labels, containers, volumes, service, httpRoute } = getPublicWorkloadComponents(
-      name,
-      args,
-      () => this,
-      opts
-    );
-    const deployment = output4({ args, containers, volumes }).apply(
-      async ({ args: args2, containers: containers2, volumes: volumes2 }) => {
-        await verifyProvider(opts.provider, args2.cluster.info);
-        return new (args2.patch ? apps.v1.DeploymentPatch : apps.v1.Deployment)(
-          name,
-          {
-            metadata: mapMetadata(args2.patch?.metadata ?? args2, name),
-            spec: deepmerge2(
-              {
-                template: {
-                  metadata: !args2.patch ? { labels } : void 0,
-                  spec: {
-                    containers: containers2.map((container) => mapContainerToRaw(container, name)),
-                    volumes: volumes2
-                  }
-                },
-                selector: !args2.patch ? { matchLabels: labels } : void 0
-              },
-              omit3(args2, publicWorkloadExtraArgs)
-            )
-          },
-          { parent: this, ...opts }
-        );
-      }
-    );
-    super(
-      "highstate:k8s:Deployment",
-      name,
-      args,
-      opts,
-      output4(args.cluster),
-      deployment.metadata,
-      deployment.spec,
-      deployment.status,
-      service,
-      httpRoute,
-      [deployment]
-    );
-  }
-};
-
-// src/stateful-set.ts
-import {
-  output as output5,
-  ComponentResource as ComponentResource4
-} from "@highstate/pulumi";
-import { apps as apps2 } from "@pulumi/kubernetes";
-import { omit as omit4 } from "remeda";
-import { deepmerge as deepmerge3 } from "deepmerge-ts";
-var StatefulSet = class extends ComponentResource4 {
-  constructor(type, name, args, opts, clusterInfo, metadata, spec, status, _service, _httpRoute) {
-    super(type, name, args, opts);
-    this.clusterInfo = clusterInfo;
-    this.metadata = metadata;
-    this.spec = spec;
-    this.status = status;
-    this._service = _service;
-    this._httpRoute = _httpRoute;
-  }
-  /**
-   * The Highstate stateful set entity.
-   */
-  get entity() {
-    return output5({
-      type: "k8s.stateful-set",
-      clusterInfo: this.clusterInfo,
-      metadata: this.metadata,
-      service: this.service.entity
-    });
-  }
-  get optionalService() {
-    return this._service;
-  }
-  /**
-   * The service associated with the stateful set.
-   */
-  get service() {
-    return this._service.apply((service) => {
-      if (!service) {
-        throw new Error("The service is not available.");
-      }
-      return service;
-    });
-  }
-  /**
-   * The HTTP route associated with the stateful set.
-   */
-  get httpRoute() {
-    return this._httpRoute.apply((httpRoute) => {
-      if (!httpRoute) {
-        throw new Error("The HTTP route is not available.");
-      }
-      return httpRoute;
-    });
-  }
-  static create(name, args, opts) {
-    return new CreatedStatefulSet(name, args, opts);
-  }
-};
-var CreatedStatefulSet = class extends StatefulSet {
-  constructor(name, args, opts) {
-    const { containers, volumes, labels, service, httpRoute } = getPublicWorkloadComponents(
-      name,
-      args,
-      () => this,
-      opts
-    );
-    const statefulSet = output5({ args, containers, volumes, service }).apply(
-      async ({ args: args2, containers: containers2, volumes: volumes2, service: service2 }) => {
-        await verifyProvider(opts.provider, args2.cluster?.info);
-        return new (args2.patch ? apps2.v1.StatefulSetPatch : apps2.v1.StatefulSet)(
-          name,
-          {
-            metadata: mapMetadata(args2.patch?.metadata ?? args2, name),
-            spec: deepmerge3(
-              {
-                serviceName: service2?.metadata.name || name,
-                template: {
-                  metadata: !args2.patch ? { labels } : void 0,
-                  spec: {
-                    containers: containers2.map((container) => mapContainerToRaw(container, name)),
-                    volumes: volumes2
-                  }
-                },
-                selector: !args2.patch ? { matchLabels: labels } : void 0
-              },
-              omit4(args2, publicWorkloadExtraArgs)
-            )
-          },
-          { parent: this, ...opts }
-        );
-      }
-    );
-    super(
-      "highstate:k8s:StatefulSet",
-      name,
-      args,
-      opts,
-      output5(args.cluster).info,
-      statefulSet.metadata,
-      statefulSet.spec,
-      statefulSet.status,
-      service,
-      httpRoute
-    );
-  }
-};
-
-// src/network-policy.ts
-import { networking } from "@pulumi/kubernetes";
-import {
-  ComponentResource as ComponentResource5,
-  normalize as normalize3,
-  output as output6
-} from "@highstate/pulumi";
-import { capitalize, flat, merge, mergeDeep } from "remeda";
-import { parseDomain, ParseResultType } from "parse-domain";
-import "@highstate/library";
-var NetworkPolicy = class _NetworkPolicy extends ComponentResource5 {
-  /**
-   * The underlying network policy resource.
-   */
-  networkPolicy;
-  constructor(name, args, opts) {
-    super("k8s:network-policy", name, args, opts);
-    const normalizedArgs = output6(args).apply((args2) => {
-      const ingressRules = normalize3(args2.ingressRule, args2.ingressRules);
-      const egressRules = normalize3(args2.egressRule, args2.egressRules);
-      const endpoints = normalize3(args2.egressRule?.toEndpoint, args2.egressRule?.toEndpoints);
-      const parsedEndpoints = endpoints.map((endpoint) => parseDomain(endpoint));
-      const cidrsFromEndpoints = parsedEndpoints.filter((result) => result.type === ParseResultType.Ip).map((result) => _NetworkPolicy.mapCidrFromEndpoint(result));
-      const fqdnsFromEndpoints = parsedEndpoints.filter((result) => result.type !== ParseResultType.Invalid).map((result) => result.hostname);
-      const extraEgressRules = [];
-      if (args2.allowKubeDns) {
-        extraEgressRules.push({
-          namespaces: ["kube-system"],
-          selectors: [{ matchLabels: { "k8s-app": "kube-dns" } }],
-          ports: [{ port: 53, protocol: "UDP" }],
-          all: false,
-          cidrs: [],
-          fqdns: [],
-          services: []
-        });
-      }
-      return {
-        ...args2,
-        podSelector: args2.selector ? mapSelectorLikeToSelector(args2.selector) : {},
-        isolateEgress: args2.isolateEgress ?? false,
-        isolateIngress: args2.isolateIngress ?? false,
-        allowKubeApiServer: args2.allowKubeApiServer ?? false,
-        ingressRules: ingressRules.map((rule) => ({
-          all: rule.fromAll ?? false,
-          cidrs: normalize3(rule.fromCidr, rule.fromCidrs),
-          fqdns: [],
-          services: normalize3(rule.fromService, rule.fromServices),
-          namespaces: normalize3(rule.fromNamespace, rule.fromNamespaces),
-          selectors: normalize3(rule.fromSelector, rule.fromSelectors),
-          ports: normalize3(rule.toPort, rule.toPorts)
-        })),
-        egressRules: egressRules.map((rule) => {
-          return {
-            all: rule.toAll ?? false,
-            cidrs: normalize3(rule.toCidr, rule.toCidrs).concat(cidrsFromEndpoints),
-            fqdns: normalize3(rule.toFqdn, rule.toFqdns).concat(fqdnsFromEndpoints),
-            services: normalize3(rule.toService, rule.toServices),
-            namespaces: normalize3(rule.toNamespace, rule.toNamespaces),
-            selectors: normalize3(rule.toSelector, rule.toSelectors),
-            ports: normalize3(rule.toPort, rule.toPorts)
-          };
-        }).concat(extraEgressRules)
-      };
-    });
-    this.networkPolicy = normalizedArgs.apply((args2) => {
-      return output6(
-        this.create(name, args2, { ...opts, parent: this })
-      );
-    });
-    this.registerOutputs({ networkPolicy: this.networkPolicy });
-  }
-  static mapCidrFromEndpoint(result) {
-    if (result.ipVersion === 4) {
-      return `${result.hostname}/32`;
-    }
-    return `${result.hostname}/128`;
-  }
-  static supportedCNIs = ["cilium"];
-  static create(name, args, opts) {
-    return output6(args).apply(async (args2) => {
-      const cni = args2.cluster.info.cni;
-      if (!cni || !_NetworkPolicy.supportedCNIs.includes(cni)) {
-        return new NativeNetworkPolicy(name, args2, opts);
-      }
-      const implName = `${capitalize(cni)}NetworkPolicy`;
-      const implModule = await import(`@highstate/${cni}`);
-      const implClass = implModule[implName];
-      if (!implClass) {
-        throw new Error(`No implementation found for ${cni}`);
-      }
-      return new implClass(name, args2, opts);
-    });
-  }
-  static allowInsideNamespace(namespace, cluster, opts) {
-    return _NetworkPolicy.create(
-      "allow-inside-namespace",
-      {
-        namespace,
-        cluster,
-        description: "Allow all traffic inside the namespace.",
-        selector: {},
-        ingressRule: { fromNamespace: namespace },
-        egressRule: { toNamespace: namespace }
-      },
-      opts
-    );
-  }
-  static allowKubeApiServer(namespace, cluster, opts) {
-    return _NetworkPolicy.create(
-      "allow-kube-api-server",
-      {
-        namespace,
-        cluster,
-        description: "Allow all traffic to the Kubernetes API server from the namespace.",
-        allowKubeApiServer: true
-      },
-      opts
-    );
-  }
-  static allowKubeDns(namespace, cluster, opts) {
-    return _NetworkPolicy.create(
-      "allow-kube-dns",
-      {
-        namespace,
-        cluster,
-        description: "Allow all traffic to the Kubernetes DNS server from the namespace.",
-        allowKubeDns: true
-      },
-      opts
-    );
-  }
-  static allowAllEgress(namespace, cluster, opts) {
-    return _NetworkPolicy.create(
-      "allow-all-egress",
-      {
-        namespace,
-        cluster,
-        description: "Allow all egress traffic from the namespace.",
-        egressRule: { toAll: true }
-      },
-      opts
-    );
-  }
-};
-var NativeNetworkPolicy = class _NativeNetworkPolicy extends NetworkPolicy {
-  create(name, args, opts) {
-    const ingress = _NativeNetworkPolicy.createIngressRules(args);
-    const egress = _NativeNetworkPolicy.createEgressRules(args);
-    const policyTypes = [];
-    if (ingress.length > 0 || args.isolateIngress) {
-      policyTypes.push("Ingress");
-    }
-    if (egress.length > 0 || args.isolateEgress) {
-      policyTypes.push("Egress");
-    }
-    return new networking.v1.NetworkPolicy(
-      name,
-      {
-        metadata: mergeDeep(mapMetadata(args, name), {
-          annotations: args.description ? { "kubernetes.io/description": args.description } : void 0
-        }),
-        spec: {
-          podSelector: args.podSelector,
-          ingress,
-          egress,
-          policyTypes
-        }
-      },
-      opts
-    );
-  }
-  static fallbackIpBlock = {
-    cidr: "0.0.0.0/0",
-    except: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
-  };
-  static createIngressRules(args) {
-    return args.ingressRules.map((rule) => ({
-      from: rule.all ? void 0 : _NativeNetworkPolicy.createRulePeers(rule),
-      ports: _NativeNetworkPolicy.mapPorts(rule.ports)
-    }));
-  }
-  static createEgressRules(args) {
-    const needFallback = args.egressRules.some((rule) => rule.fqdns.length > 0);
-    if (needFallback) {
-      return [{ to: [{ ipBlock: _NativeNetworkPolicy.fallbackIpBlock }] }];
-    }
-    const extraRules = [];
-    if (args.allowKubeApiServer) {
-      const apiServerIp = args.cluster.info.kubeApiServerIp ?? "10.96.0.1";
-      const apiServerPort = args.cluster.info.kubeApiServerPort ?? 443;
-      extraRules.push({
-        to: [{ ipBlock: { cidr: `${apiServerIp}/32` } }],
-        ports: [{ port: apiServerPort, protocol: "TCP" }]
-      });
-    }
-    return args.egressRules.map((rule) => {
-      return {
-        to: rule.all ? void 0 : _NativeNetworkPolicy.createRulePeers(rule),
-        ports: _NativeNetworkPolicy.mapPorts(rule.ports)
-      };
-    }).concat(extraRules);
-  }
-  static createRulePeers(args) {
-    return [
-      ..._NativeNetworkPolicy.createCidrPeers(args),
-      ..._NativeNetworkPolicy.createServicePeers(args),
-      ..._NativeNetworkPolicy.createSelectorPeers(args)
-    ];
-  }
-  static createCidrPeers(args) {
-    return args.cidrs.map((cidr) => ({ ipBlock: { cidr } }));
-  }
-  static createServicePeers(args) {
-    return args.services.map((service) => {
-      const selector = mapServiceToLabelSelector(service);
-      return {
-        namespaceSelector: mapNamespaceNameToSelector(service.metadata.namespace),
-        podSelector: selector
-      };
-    });
-  }
-  static createSelectorPeers(args) {
-    const selectorPeers = args.selectors.map((selector) => ({
-      podSelector: mapSelectorLikeToSelector(selector)
-    }));
-    const namespacePeers = args.namespaces.map(_NativeNetworkPolicy.createNamespacePeer);
-    if (namespacePeers.length === 0) {
-      return selectorPeers;
-    }
-    if (selectorPeers.length === 0) {
-      return namespacePeers;
-    }
-    return flat(
-      selectorPeers.map((selectorPeer) => {
-        return namespacePeers.map((namespacePeer) => merge(selectorPeer, namespacePeer));
-      })
-    );
-  }
-  static createNamespacePeer(namespace) {
-    const namespaceName = mapNamespaceLikeToNamespaceName(namespace);
-    const namespaceSelector = mapNamespaceNameToSelector(namespaceName);
-    return { namespaceSelector };
-  }
-  static mapPorts(ports) {
-    return ports.map((port) => {
-      if ("port" in port) {
-        return {
-          port: port.port,
-          protocol: port.protocol ?? "TCP"
-        };
-      }
-      return {
-        port: port.range[0],
-        endPort: port.range[1],
-        protocol: port.protocol ?? "TCP"
-      };
-    });
-  }
-};
+  mapSelectorLikeToSelector
+} from "./chunk-FKNHHKOL.js";
 
 // src/access-point.ts
-import { DnsRecord } from "@highstate/common";
+import { DnsRecordSet, filterEndpoints, l3EndpointToString } from "@highstate/common";
 import { gateway } from "@highstate/gateway-api";
 import {
-  normalize as normalize4,
-  output as output7,
+  normalize,
+  output,
   toPromise
 } from "@highstate/pulumi";
 function useAccessPoint(args) {
-  const result = output7({ args, namespaceName: output7(args.namespace).metadata.name }).apply(
+  const result = output({ args, namespaceName: output(args.namespace).metadata.name }).apply(
     ({ args: args2, namespaceName }) => {
+      if (args2.accessPoint.clusterId !== args2.cluster.id) {
+        throw new Error(
+          "The provided Kubernetes cluster is different from the one where the access point is deployed."
+        );
+      }
       const gateway2 = createGateway({
         ...args2,
         annotations: {
@@ -863,36 +68,36 @@ function useAccessPoint(args) {
         },
         gateway: args2.accessPoint.gateway
       });
-      const dnsRecords = normalize4(args2.fqdn, args2.fqdns).flatMap((fqdn) => {
-        return DnsRecord.createSet(fqdn, {
+      const dnsRecordSets = normalize(args2.fqdn, args2.fqdns).flatMap((fqdn) => {
+        return DnsRecordSet.create(fqdn, {
           providers: args2.accessPoint.dnsProviders,
-          type: "A",
-          value: args2.accessPoint.gateway.ip
+          values: filterEndpoints(
+            args2.accessPoint.gateway.endpoints.filter((endpoint) => endpoint.type !== "hostname")
+          )
         });
       });
-      const networkPolicies = [];
-      if (args2.accessPoint.gateway.service) {
-        const displayName = getAppDisplayName(args2.accessPoint.gateway.service.metadata);
+      const networkPolicies = [
+        NetworkPolicy.create(
+          `allow-ingress-from-${l3EndpointToString(args2.accessPoint.gateway.endpoints[0])}`,
+          {
+            namespace: args2.namespace,
+            cluster: args2.cluster,
+            description: `Allow ingress traffic from the gateway at "${l3EndpointToString(args2.accessPoint.gateway.endpoints[0])}".`,
+            ingressRule: {
+              fromEndpoints: args2.accessPoint.gateway.endpoints
+            }
+          },
+          { provider: args2.provider }
+        )
+      ];
+      if (isFromCluster(args2.accessPoint.gateway.endpoints[0], args2.cluster)) {
         networkPolicies.push(
-          NetworkPolicy.create(
-            `allow-ingress-from-${getAppName(args2.accessPoint.gateway.service.metadata)}`,
-            {
-              namespace: args2.namespace,
-              cluster: args2.cluster,
-              description: `Allow ingress traffic from the gateway "${displayName}".`,
-              ingressRule: {
-                fromNamespace: args2.accessPoint.gateway.service.metadata.namespace,
-                fromSelector: args2.accessPoint.gateway.service.spec.selector
-              }
-            },
-            { provider: args2.provider }
-          ),
           NetworkPolicy.create(
             `allow-egress-to-${namespaceName}`,
             {
-              namespace: args2.accessPoint.gateway.service.metadata.namespace,
+              namespace: args2.accessPoint.gateway.endpoints[0].metadata.k8sService.namespace,
               cluster: args2.cluster,
-              selector: args2.accessPoint.gateway.service.spec.selector,
+              selector: args2.accessPoint.gateway.endpoints[0].metadata.k8sService.selector,
               description: `Allow egress traffic to the namespace "${namespaceName}".`,
               egressRule: {
                 toNamespace: args2.namespace
@@ -902,28 +107,28 @@ function useAccessPoint(args) {
           )
         );
       }
-      return output7({
+      return output({
         gateway: gateway2,
-        dnsRecords: output7(dnsRecords).apply((records) => records.flat()),
+        dnsRecordSets,
         networkPolicies
       });
     }
   );
   return toPromise(result);
 }
-function useStandardAcessPoint(appName, namespace, args, inputs, provider) {
-  return useAccessPoint({
-    name: appName,
+async function useStandardAcessPoint(namespace, args, inputs) {
+  return await useAccessPoint({
+    name: args.appName,
     namespace,
     fqdn: args.fqdn,
     accessPoint: inputs.accessPoint,
     cluster: inputs.k8sCluster,
-    provider
+    provider: await getProvider(inputs.k8sCluster)
   });
 }
 function createGateway(args) {
-  return output7(args).apply((args2) => {
-    if (args2.cluster.info.id !== args2.gateway.clusterInfo.id) {
+  return output(args).apply((args2) => {
+    if (args2.cluster.id !== args2.gateway.clusterId) {
       throw new Error(
         "The provided Kubernetes cluster is different from the one where the gateway controller is deployed."
       );
@@ -937,12 +142,12 @@ function createGateway(args) {
           annotations: args2.annotations
         },
         spec: {
-          gatewayClassName: output7(args2.gateway).gatewayClassName,
-          listeners: normalize4(args2.fqdn, args2.fqdns).map((fqdn) => {
+          gatewayClassName: output(args2.gateway).gatewayClassName,
+          listeners: normalize(args2.fqdn, args2.fqdns).map((fqdn) => {
             const normalizedName = fqdn.replace(/\*/g, "wildcard");
             return {
               name: `https-${normalizedName}`,
-              port: output7(args2.gateway).httpsListenerPort,
+              port: output(args2.gateway).httpsListenerPort,
               protocol: "HTTPS",
               hostname: fqdn,
               tls: {
@@ -959,15 +164,18 @@ function createGateway(args) {
 }
 
 // src/scripting/bundle.ts
-import { core as core3 } from "@pulumi/kubernetes";
-import { apply, normalize as normalize5 } from "@highstate/pulumi";
+import { core } from "@pulumi/kubernetes";
+import { apply, normalize as normalize2 } from "@highstate/pulumi";
 import {
-  ComponentResource as ComponentResource6,
-  output as output8
+  ComponentResource,
+  output as output2
 } from "@pulumi/pulumi";
-import { pipe } from "remeda";
-import { deepmerge as deepmerge4 } from "deepmerge-ts";
-import { text, trimIndentation as trimIndentation2 } from "@highstate/contract";
+import { mapValues, omitBy, pipe } from "remeda";
+import { deepmerge } from "deepmerge-ts";
+import { readPackageJSON } from "pkg-types";
+import { text, trimIndentation } from "@highstate/contract";
+import { parseL34Endpoint } from "@highstate/common";
+import { serializeFunction } from "@pulumi/pulumi/runtime/index.js";
 
 // src/scripting/environment.ts
 var emptyDistributionEnvironment = {
@@ -976,18 +184,41 @@ var emptyDistributionEnvironment = {
   packages: []
 };
 var emptyScriptEnvironment = {
-  alpine: emptyDistributionEnvironment,
-  ubuntu: emptyDistributionEnvironment,
+  alpine: {
+    ...emptyDistributionEnvironment,
+    image: "alpine@sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c",
+    allowedEndpoints: [
+      //
+      "tcp://dl-cdn.alpinelinux.org:443",
+      "tcp://dl-cdn.alpinelinux.org:80"
+    ]
+  },
+  ubuntu: {
+    ...emptyDistributionEnvironment,
+    image: "ubuntu@sha256:72297848456d5d37d1262630108ab308d3e9ec7ed1c3286a32fe09856619a782",
+    allowedEndpoints: [
+      //
+      "tcp://archive.ubuntu.com:80",
+      "tcp://archive.ubuntu.com:443",
+      "tcp://security.ubuntu.com:80",
+      "tcp://security.ubuntu.com:443"
+    ]
+  },
   setupScripts: {},
   cleanupScripts: {},
-  scripts: {},
+  files: {},
   volumes: [],
   volumeMounts: [],
-  environment: {}
+  environment: {},
+  allowedEndpoints: []
+};
+var functionScriptImages = {
+  alpine: "oven/bun@sha256:6b14922b0885c3890cdb0b396090af1da486ba941df5ee94391eef64f7113c61",
+  ubuntu: "oven/bun@sha256:66b431441dc4c36d7e8164bfc61e6348ec1d7ce2862fc3a29f5dc9856e8205e4"
 };
 
 // src/scripting/bundle.ts
-var ScriptBundle = class extends ComponentResource6 {
+var ScriptBundle = class extends ComponentResource {
   /**
    * The config map containing the scripts.
    */
@@ -1004,21 +235,49 @@ var ScriptBundle = class extends ComponentResource6 {
    * The environment variables that should be defined in the container.
    */
   environment;
+  /**
+   * The image to use for the scripts.
+   */
+  image;
   /**
    * The distribution to use for the scripts.
    */
   distribution;
+  /**
+   * The list of endpoints that the script is allowed to access.
+   */
+  allowedEndpoints;
   constructor(name, args, opts) {
     super("highstate:k8s:ScriptBundle", name, args, opts);
     const scriptEnvironment = pipe(
-      output8(args),
-      apply((args2) => normalize5(args2.environment, args2.environments)),
-      apply((args2) => deepmerge4(emptyScriptEnvironment, ...args2))
+      output2(args),
+      apply((args2) => normalize2(args2.environment, args2.environments)),
+      apply((args2) => deepmerge(emptyScriptEnvironment, ...args2))
     );
+    const hasFunctionScripts = scriptEnvironment.apply((scriptEnvironment2) => {
+      return Object.values(scriptEnvironment2.files).some((file) => typeof file === "function");
+    });
     this.distribution = args.distribution;
     this.environment = scriptEnvironment.environment;
-    this.configMap = output8({ scriptEnvironment, args }).apply(({ scriptEnvironment: scriptEnvironment2, args: args2 }) => {
-      return new core3.v1.ConfigMap(
+    this.image = hasFunctionScripts.apply(
+      (hasFunctionScripts2) => output2(
+        hasFunctionScripts2 ? functionScriptImages[args.distribution] : scriptEnvironment[args.distribution].image
+      )
+    );
+    this.allowedEndpoints = output2({ scriptEnvironment, hasFunctionScripts }).apply(
+      ({ scriptEnvironment: scriptEnvironment2, hasFunctionScripts: hasFunctionScripts2 }) => {
+        const allowedEndpoints = [
+          ...scriptEnvironment2.allowedEndpoints,
+          ...scriptEnvironment2[args.distribution].allowedEndpoints
+        ];
+        if (hasFunctionScripts2) {
+          allowedEndpoints.push("tcp://registry.npmjs.org:443");
+        }
+        return allowedEndpoints.map(parseL34Endpoint);
+      }
+    );
+    this.configMap = output2({ scriptEnvironment, args }).apply(({ scriptEnvironment: scriptEnvironment2, args: args2 }) => {
+      return new core.v1.ConfigMap(
         name,
         {
           metadata: mapMetadata(args2, name),
@@ -1027,40 +286,92 @@ var ScriptBundle = class extends ComponentResource6 {
         { ...opts, parent: this }
       );
     });
-    this.volumes = scriptEnvironment.volumes.apply((volumes) => {
-      return [
-        ...volumes,
-        {
-          name: this.configMap.metadata.name,
-          configMap: {
+    this.volumes = output2({ hasFunctionScripts, volumes: scriptEnvironment.volumes }).apply(
+      ({ hasFunctionScripts: hasFunctionScripts2, volumes }) => {
+        return [
+          ...volumes,
+          {
             name: this.configMap.metadata.name,
-            defaultMode: 360
-            // read and execute permissions
-          }
-        }
-      ];
-    });
-    this.volumeMounts = scriptEnvironment.volumeMounts.apply((volumeMounts) => {
+            configMap: {
+              name: this.configMap.metadata.name,
+              defaultMode: 360
+              // read and execute permissions
+            }
+          },
+          ...hasFunctionScripts2 ? [{ name: "node-modules", emptyDir: {} }] : []
+        ];
+      }
+    );
+    this.volumeMounts = output2({
+      hasFunctionScripts,
+      volumeMounts: scriptEnvironment.volumeMounts
+    }).apply(({ hasFunctionScripts: hasFunctionScripts2, volumeMounts }) => {
       return [
         ...volumeMounts,
         {
           volume: this.configMap,
           mountPath: "/scripts"
-        }
+        },
+        ...hasFunctionScripts2 ? [{ name: "node-modules", mountPath: "/scripts/node_modules" }] : []
       ];
     });
     this.registerOutputs({
       configMap: this.configMap,
       volumes: this.volumes,
       volumeMounts: this.volumeMounts,
-      environment: this.environment
+      environment: this.environment,
+      distribution: this.distribution,
+      allowedEndpoints: this.allowedEndpoints,
+      image: this.image
     });
   }
 };
-function createScriptData(distribution, environment) {
+function stripWorkspacePrefix(value) {
+  if (value.startsWith("workspace:")) {
+    return value.replace("workspace:", "");
+  }
+  return value;
+}
+async function createScriptData(distribution, environment) {
   const scriptData = {};
   const actions = [];
   const distributionEnvironment = environment[distribution];
+  const setupScripts = { ...environment.setupScripts };
+  let hasFunctionScripts = false;
+  for (const key in environment.files) {
+    if (typeof environment.files[key] === "function") {
+      const serialized = await serializeFunction(environment.files[key]);
+      scriptData[key] = text`
+        #!/usr/local/bin/bun
+        
+        ${serialized.text}
+
+        exports.${serialized.exportName}()
+      `;
+      hasFunctionScripts = true;
+    } else {
+      scriptData[key] = environment.files[key];
+    }
+  }
+  if (hasFunctionScripts) {
+    const packageJson = await readPackageJSON();
+    packageJson.dependencies = omitBy(
+      mapValues(packageJson.dependencies ?? {}, stripWorkspacePrefix),
+      (_, key) => key.startsWith("@highstate/")
+    );
+    packageJson.devDependencies = omitBy(
+      mapValues(packageJson.devDependencies ?? {}, stripWorkspacePrefix),
+      (_, key) => key.startsWith("@highstate/")
+    );
+    scriptData["package.json"] = JSON.stringify(packageJson, null, 2);
+    setupScripts["resolve-dependencies.sh"] = text`
+      #!/usr/local/bin/bun
+      set -e
+
+      cd /scripts
+      bun install --production
+    `;
+  }
   if (distributionEnvironment.preInstallPackages.length > 0) {
     scriptData["pre-install-packages.sh"] = getInstallPackagesScript(
       distribution,
@@ -1093,9 +404,9 @@ function createScriptData(distribution, environment) {
       echo "+ Packages installed successfully"
     `);
   }
-  if (Object.keys(environment.setupScripts).length > 0) {
-    for (const key in environment.setupScripts) {
-      scriptData[`setup-${key}`] = environment.setupScripts[key];
+  if (Object.keys(setupScripts).length > 0) {
+    for (const key in setupScripts) {
+      scriptData[`setup-${key}`] = setupScripts[key];
       actions.push(`
         echo "+ Running setup script '${key}'..."
         /scripts/setup-${key}
@@ -1122,10 +433,7 @@ function createScriptData(distribution, environment) {
       trap cleanup SIGTERM
     `);
   }
-  for (const key in environment.scripts) {
-    scriptData[key] = environment.scripts[key];
-  }
-  scriptData["entrypoint.sh"] = trimIndentation2(`
+  scriptData["entrypoint.sh"] = trimIndentation(`
     #!/bin/sh
     set -e
 
@@ -1162,139 +470,168 @@ function getInstallPackagesScript(distribution, packages) {
 }
 
 // src/scripting/container.ts
-import { output as output9 } from "@pulumi/pulumi";
-import { merge as merge2 } from "remeda";
+import { merge } from "remeda";
+import { output as output3 } from "@pulumi/pulumi";
 function createScriptContainer(options) {
-  return output9(options).apply((options2) => {
-    const image = options2.bundle.distribution === "alpine" ? "alpine@sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c" : "ubuntu@sha256:72297848456d5d37d1262630108ab308d3e9ec7ed1c3286a32fe09856619a782";
+  const bundle = output3(options.bundle);
+  return output3({
+    options,
+    image: bundle.image,
+    volumeMounts: bundle.volumeMounts,
+    volumes: bundle.volumes,
+    environment: bundle.environment,
+    allowedEndpoints: bundle.allowedEndpoints
+  }).apply(({ options: options2, image, volumeMounts, volumes, environment, allowedEndpoints }) => {
     return {
       image,
       command: ["/scripts/entrypoint.sh", `/scripts/${options2.main}`],
       ...options2,
-      volumeMounts: merge2(options2.bundle.volumeMounts, options2.volumeMounts),
-      volumes: merge2(options2.bundle.volumes, options2.volumes),
-      environment: merge2(options2.bundle.environment, options2.environment)
+      volumeMounts: [...volumeMounts, ...options2.volumeMounts ?? []],
+      volumes: [...volumes, ...options2.volumes ?? []],
+      environment: merge(environment, options2.environment),
+      allowedEndpoints: [...allowedEndpoints, ...options2.allowedEndpoints ?? []]
     };
   });
 }
 
 // src/job.ts
 import { batch } from "@pulumi/kubernetes";
-import {
-  ComponentResource as ComponentResource7,
-  normalize as normalize6,
-  output as output10
-} from "@highstate/pulumi";
-import { mergeDeep as mergeDeep2, omit as omit5 } from "remeda";
+import { ComponentResource as ComponentResource2, output as output4 } from "@highstate/pulumi";
+import { mergeDeep, omit } from "remeda";
 var jobExtraArgs = [...commonExtraArgs, "container", "containers"];
-var Job = class extends ComponentResource7 {
+var Job = class extends ComponentResource2 {
   /**
    * The underlying Kubernetes job.
    */
   job;
   constructor(name, args, opts) {
     super("highstate:k8s:Job", name, args, opts);
-    this.job = output10(args).apply((args2) => {
-      const containers = normalize6(args2.container, args2.containers);
+    const { podTemplate } = getWorkloadComponents(name, args, () => this, opts);
+    this.job = output4({ args, podTemplate }).apply(async ({ args: args2, podTemplate: podTemplate2 }) => {
       return new batch.v1.Job(
         name,
         {
           metadata: mapMetadata(args2, name),
-          spec: mergeDeep2(
+          spec: mergeDeep(
             {
-              template: {
-                spec: {
-                  containers: containers.map((container) => mapContainerToRaw(container, name)),
-                  volumes: containers.flatMap((container) => normalize6(container.volume, container.volumes)).map(mapWorkloadVolume),
-                  restartPolicy: "Never"
-                }
-              }
+              template: podTemplate2
             },
-            omit5(args2, jobExtraArgs)
+            omit(args2, jobExtraArgs)
           )
         },
-        { parent: this, ...opts }
+        {
+          ...opts,
+          parent: this,
+          provider: await getProvider(args2.cluster)
+        }
       );
     });
-    this.registerOutputs({ job: this.job });
   }
 };
 
 // src/cron-job.ts
 import { batch as batch2 } from "@pulumi/kubernetes";
-import {
-  ComponentResource as ComponentResource8,
-  normalize as normalize7,
-  output as output11
-} from "@highstate/pulumi";
-import { mergeDeep as mergeDeep3, omit as omit6 } from "remeda";
+import { ComponentResource as ComponentResource3, output as output5 } from "@highstate/pulumi";
+import { mergeDeep as mergeDeep2, omit as omit2 } from "remeda";
 var cronJobExtraArgs = [...commonExtraArgs, "container", "containers"];
-var CronJob = class extends ComponentResource8 {
+var CronJob = class extends ComponentResource3 {
   /**
    * The underlying Kubernetes job.
    */
   cronJob;
   constructor(name, args, opts) {
     super("highstate:k8s:CronJob", name, args, opts);
-    this.cronJob = output11(args).apply((args2) => {
-      const containers = normalize7(args2.container, args2.containers);
+    const { podTemplate } = getWorkloadComponents(name, args, () => this, opts);
+    this.cronJob = output5({ args, podTemplate }).apply(async ({ args: args2, podTemplate: podTemplate2 }) => {
       return new batch2.v1.CronJob(
         name,
         {
           metadata: mapMetadata(args2, name),
-          spec: mergeDeep3(
+          spec: mergeDeep2(
             {
               jobTemplate: {
                 spec: {
-                  template: {
-                    spec: {
-                      containers: containers.map((container) => mapContainerToRaw(container, name)),
-                      volumes: containers.flatMap((container) => normalize7(container.volume, container.volumes)).map(mapWorkloadVolume)
-                    }
-                  }
+                  template: podTemplate2
                 }
               },
               schedule: args2.schedule
             },
-            omit6(args2, cronJobExtraArgs)
+            omit2(args2, cronJobExtraArgs)
           )
         },
-        { parent: this, ...opts }
+        {
+          ...opts,
+          parent: this,
+          provider: await getProvider(args2.cluster)
+        }
       );
     });
-    this.registerOutputs({ cronJob: this.cronJob });
   }
 };
+
+// src/network.ts
+import { filterEndpoints as filterEndpoints2 } from "@highstate/common";
+function getBestEndpoint(endpoints, cluster) {
+  if (!endpoints.length) {
+    return void 0;
+  }
+  if (endpoints.length === 1) {
+    return endpoints[0];
+  }
+  if (!cluster) {
+    return filterEndpoints2(endpoints)[0];
+  }
+  const clusterEndpoint = endpoints.find((endpoint) => isFromCluster(endpoint, cluster));
+  if (clusterEndpoint) {
+    return clusterEndpoint;
+  }
+  return filterEndpoints2(endpoints)[0];
+}
+function requireBestEndpoint(endpoints, cluster) {
+  const endpoint = getBestEndpoint(endpoints, cluster);
+  if (!endpoint) {
+    throw new Error(`No best endpoint found for cluster "${cluster.name}" (${cluster.id})`);
+  }
+  return endpoint;
+}
 export {
   Chart,
   CronJob,
   Deployment,
+  ExposableWorkload,
   HttpRoute,
   Job,
+  Namespace,
   NetworkPolicy,
   PersistentVolumeClaim,
   RenderedChart,
   ScriptBundle,
+  Secret,
   Service,
   StatefulSet,
+  Workload,
   createK8sTerminal,
-  createNamespace,
-  getProvider as createProvider,
   createScriptContainer,
   detectExternalIps,
   getAppDisplayName,
   getAppName,
+  getBestEndpoint,
   getChartService,
   getChartServiceOutput,
-  getNamespace,
+  getProvider,
+  getServiceMetadata,
+  hasServiceMetadata,
+  isFromCluster,
   mapContainerPortToServicePort,
   mapMetadata,
   mapNamespaceLikeToNamespaceName,
   mapNamespaceNameToSelector,
   mapSelectorLikeToSelector,
   mapServiceToLabelSelector,
+  requireBestEndpoint,
   resolveHelmChart,
   useAccessPoint,
-  useStandardAcessPoint
+  useStandardAcessPoint,
+  withServiceMetadata
 };
 //# sourceMappingURL=index.js.map