npm - @highstate/k8s - Versions diffs - 0.9.4 → 0.9.6 - Mend

@highstate/k8s 0.9.4 → 0.9.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (63) hide show

package/dist/chunk-DQSCJM5S.js +183 -0
package/dist/chunk-DQSCJM5S.js.map +1 -0
package/dist/chunk-FKNHHKOL.js +260 -0
package/dist/chunk-FKNHHKOL.js.map +1 -0
package/dist/chunk-HW3NS3MC.js +347 -0
package/dist/chunk-HW3NS3MC.js.map +1 -0
package/dist/chunk-OQ7UXASD.js +193 -0
package/dist/chunk-OQ7UXASD.js.map +1 -0
package/dist/chunk-QGHMLKTW.js +1123 -0
package/dist/chunk-QGHMLKTW.js.map +1 -0
package/dist/chunk-UNVSWG6D.js +214 -0
package/dist/chunk-UNVSWG6D.js.map +1 -0
package/dist/deployment-ZP3ASKPT.js +10 -0
package/dist/deployment-ZP3ASKPT.js.map +1 -0
package/dist/highstate.manifest.json +8 -6
package/dist/index.js +291 -954
package/dist/index.js.map +1 -1
package/dist/stateful-set-2AH7RAF7.js +10 -0
package/dist/stateful-set-2AH7RAF7.js.map +1 -0
package/dist/units/access-point/index.js +6 -1
package/dist/units/access-point/index.js.map +1 -1
package/dist/units/cert-manager/index.js +19 -24
package/dist/units/cert-manager/index.js.map +1 -1
package/dist/units/cluster-dns/index.js +36 -0
package/dist/units/cluster-dns/index.js.map +1 -0
package/dist/units/cluster-patch/index.js +34 -0
package/dist/units/cluster-patch/index.js.map +1 -0
package/dist/units/dns01-issuer/index.js +2 -2
package/dist/units/dns01-issuer/index.js.map +1 -1
package/dist/units/existing-cluster/index.js +22 -14
package/dist/units/existing-cluster/index.js.map +1 -1
package/dist/units/gateway-api/index.js +1 -1
package/package.json +12 -10
package/src/access-point.ts +44 -39
package/src/container.ts +54 -5
package/src/cron-job.ts +14 -30
package/src/deployment.ts +170 -127
package/src/gateway/http-route.ts +7 -5
package/src/helm.ts +57 -8
package/src/index.ts +11 -4
package/src/job.ts +14 -32
package/src/namespace.ts +241 -0
package/src/network-policy.ts +371 -87
package/src/network.ts +41 -0
package/src/pvc.ts +43 -25
package/src/scripting/bundle.ts +125 -22
package/src/scripting/container.ts +16 -11
package/src/scripting/environment.ts +56 -6
package/src/secret.ts +195 -0
package/src/service.ts +209 -89
package/src/shared.ts +42 -51
package/src/stateful-set.ts +193 -88
package/src/units/access-point/index.ts +8 -1
package/src/units/cert-manager/index.ts +15 -20
package/src/units/cluster-dns/index.ts +37 -0
package/src/units/cluster-patch/index.ts +35 -0
package/src/units/dns01-issuer/index.ts +1 -1
package/src/units/existing-cluster/index.ts +24 -14
package/src/workload.ts +342 -44
package/dist/chunk-K4WKJ4L5.js +0 -455
package/dist/chunk-K4WKJ4L5.js.map +0 -1
package/dist/chunk-T5Z2M4JE.js +0 -103
package/dist/chunk-T5Z2M4JE.js.map +0 -1

package/dist/units/existing-cluster/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../../../src/units/existing-cluster/index.ts"],"sourcesContent":["import { k8s } from \"@highstate/library\"\nimport { forUnit, secret, toPromise } from \"@highstate/pulumi\"\nimport { core, Provider } from \"@pulumi/kubernetes\"\nimport { KubeConfig, AppsV1Api } from \"@kubernetes/client-node\"\nimport { createK8sTerminal, detectExternalIps } from \"../../cluster\"\n\nconst { name, args, secrets, outputs } = forUnit(k8s.existingCluster)\n\nconst kubeconfigContent = await toPromise(secrets.kubeconfig.apply(JSON.stringify))\n\nconst provider = new Provider(name, { kubeconfig: kubeconfigContent })\n\nlet cni: ~~string~~ \| ~~undefined~~\n\nconst kubeConfig = new KubeConfig()\nkubeConfig.loadFromString(kubeconfigContent)\n\nconst appsApi = kubeConfig.makeApiClient(AppsV1Api)\n\nconst isCilium = await appsApi\n .readNamespacedDaemonSet({ name: \"cilium\", namespace: \"kube-system\" })\n .then(() => true)\n .catch(() => false)\n\nif (isCilium) {\n cni = \"cilium\"\n}\n\nconst externalIps =\n args.externalIps ?? (await detectExternalIps(kubeConfig, args.internalIpsPolicy))\n\nconst kubeSystem = core.v1.Namespace.get(\"kube-system\", \"kube-system\", { provider })\n\nexport default outputs({\n ~~cluster~~: {\n ~~info: {\n~~ id: kubeSystem.metadata.uid,\n name,\n cni,\n externalIps,\n ~~tunDevicePolicy~~: args.~~tunDevicePolicy~~,\n ~~},\n~~ kubeconfig: secret(kubeconfigContent),\n },\n\n $terminals: [createK8sTerminal(kubeconfigContent)],\n\n $status: {\n clusterId: kubeSystem.metadata.uid,\n cni~~: cni ?? \"unknown\"~~,\n ~~externalIps~~: ~~{\n value: externalIps~~.~~join~~(~~\", \"~~),\n ~~complementaryTo~~: ~~\"externalIps\"~~,\n ~~},\n~~ },\n})\n"],"mappings":";;;;;;AAAA,SAAS,WAAW;AACpB,SAAS,SAAS,QAAQ,iBAAiB;AAC3C,SAAS,MAAM,gBAAgB;AAC/B,SAAS,YAAY,iBAAiB;~~AAGtC~~,IAAM,EAAE,MAAM,MAAM,SAAS,QAAQ,IAAI,QAAQ,IAAI,eAAe;AAEpE,IAAM,oBAAoB,MAAM,UAAU,QAAQ,WAAW,MAAM,KAAK,SAAS,CAAC;AAElF,IAAM,WAAW,IAAI,SAAS,MAAM,EAAE,YAAY,kBAAkB,CAAC;AAErE,IAAI;~~AAEJ~~,IAAM,aAAa,IAAI,WAAW;AAClC,WAAW,eAAe,iBAAiB;AAE3C,IAAM,UAAU,WAAW,cAAc,SAAS;AAElD,IAAM,WAAW,MAAM,QACpB,wBAAwB,EAAE,MAAM,UAAU,WAAW,cAAc,CAAC,EACpE,KAAK,MAAM,IAAI,EACf,MAAM,MAAM,KAAK;AAEpB,IAAI,UAAU;AACZ,QAAM;AACR;AAEA,IAAM,cACJ,KAAK,eAAgB,MAAM,kBAAkB,YAAY,KAAK,iBAAiB;AAEjF,IAAM,aAAa,KAAK,GAAG,UAAU,IAAI,eAAe,eAAe,EAAE,SAAS,CAAC;AAEnF,IAAO,2BAAQ,QAAQ;AAAA,EACrB,~~SAAS~~;AAAA,~~IACP~~,~~MAAM;AAAA,MACJ,~~IAAI,WAAW,SAAS;AAAA,~~MACxB~~;AAAA,~~MACA~~;AAAA,~~MACA~~;AAAA,~~MACA,iBAAiB,KAAK~~;AAAA,~~IACxB~~;AAAA,IACA,YAAY,OAAO,iBAAiB;AAAA,EACtC;AAAA,EAEA,YAAY,CAAC,kBAAkB,iBAAiB,CAAC;AAAA,EAEjD,SAAS;AAAA,IACP,WAAW,WAAW,SAAS;AAAA,IAC/B~~,KAAK,OAAO~~;AAAA,~~IACZ~~,~~aAAa~~;AAAA,~~MACX~~,~~OAAO~~,~~YAAY~~,~~KAAK,~~IAAI~~;AAAA~~,~~MAC5B,iBAAiB~~;AAAA,~~IACnB~~;~~AAAA,EACF;~~AACF,CAAC;","names":[]}
1	+ {"version":3,"sources":["../../../src/units/existing-cluster/index.ts"],"sourcesContent":["import { k8s } from \"@highstate/library\"\nimport { forUnit, secret, toPromise } from \"@highstate/pulumi\"\nimport { core, Provider } from \"@pulumi/kubernetes\"\nimport { KubeConfig, AppsV1Api } from \"@kubernetes/client-node\"\nimport {\n l3EndpointToString,\n l4EndpointToString,\n parseL3Endpoint,\n parseL4Endpoint,\n} from \"@highstate/common\"\nimport { createK8sTerminal, detectExternalIps } from \"../../cluster\"\n\nconst { name, args, secrets, outputs } = forUnit(k8s.existingCluster)\n\nconst kubeconfigContent = await toPromise(secrets.kubeconfig.apply(JSON.stringify))\n\nconst provider = new Provider(name, { kubeconfig: kubeconfigContent })\n\nlet cni: k8s.CNI = \"other\"\n\nconst kubeConfig = new KubeConfig()\nkubeConfig.loadFromString(kubeconfigContent)\n\nconst appsApi = kubeConfig.makeApiClient(AppsV1Api)\n\nconst isCilium = await appsApi\n .readNamespacedDaemonSet({ name: \"cilium\", namespace: \"kube-system\" })\n .then(() => true)\n .catch(() => false)\n\nif (isCilium) {\n cni = \"cilium\"\n}\n\nconst externalIps =\n args.externalIps ?? (await detectExternalIps(kubeConfig, args.internalIpsPolicy))\n\nconst endpoints = externalIps.map(parseL3Endpoint)\nconst apiEndpoints = [parseL4Endpoint(kubeConfig.clusters[0].server.replace(\"https://\", \"\"))]\n\nconst kubeSystem = core.v1.Namespace.get(\"kube-system\", \"kube-system\", { provider })\n\nexport default outputs({\n k8sCluster: {\n id: kubeSystem.metadata.uid,\n name,\n cni,\n externalIps,\n endpoints,\n apiEndpoints,\n quirks: args.quirks,\n kubeconfig: secret(kubeconfigContent),\n },\n\n endpoints,\n apiEndpoints,\n\n $terminals: [createK8sTerminal(kubeconfigContent)],\n\n $status: {\n clusterId: kubeSystem.metadata.uid,\n cni,\n endpoints: endpoints.map(l3EndpointToString),\n apiEndpoints: apiEndpoints.map(l4EndpointToString),\n },\n})\n"],"mappings":";;;;;;AAAA,SAAS,WAAW;AACpB,SAAS,SAAS,QAAQ,iBAAiB;AAC3C,SAAS,MAAM,gBAAgB;AAC/B,SAAS,YAAY,iBAAiB;AACtC;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAGP,IAAM,EAAE,MAAM,MAAM,SAAS,QAAQ,IAAI,QAAQ,IAAI,eAAe;AAEpE,IAAM,oBAAoB,MAAM,UAAU,QAAQ,WAAW,MAAM,KAAK,SAAS,CAAC;AAElF,IAAM,WAAW,IAAI,SAAS,MAAM,EAAE,YAAY,kBAAkB,CAAC;AAErE,IAAI,MAAe;AAEnB,IAAM,aAAa,IAAI,WAAW;AAClC,WAAW,eAAe,iBAAiB;AAE3C,IAAM,UAAU,WAAW,cAAc,SAAS;AAElD,IAAM,WAAW,MAAM,QACpB,wBAAwB,EAAE,MAAM,UAAU,WAAW,cAAc,CAAC,EACpE,KAAK,MAAM,IAAI,EACf,MAAM,MAAM,KAAK;AAEpB,IAAI,UAAU;AACZ,QAAM;AACR;AAEA,IAAM,cACJ,KAAK,eAAgB,MAAM,kBAAkB,YAAY,KAAK,iBAAiB;AAEjF,IAAM,YAAY,YAAY,IAAI,eAAe;AACjD,IAAM,eAAe,CAAC,gBAAgB,WAAW,SAAS,CAAC,EAAE,OAAO,QAAQ,YAAY,EAAE,CAAC,CAAC;AAE5F,IAAM,aAAa,KAAK,GAAG,UAAU,IAAI,eAAe,eAAe,EAAE,SAAS,CAAC;AAEnF,IAAO,2BAAQ,QAAQ;AAAA,EACrB,YAAY;AAAA,IACV,IAAI,WAAW,SAAS;AAAA,IACxB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,QAAQ,KAAK;AAAA,IACb,YAAY,OAAO,iBAAiB;AAAA,EACtC;AAAA,EAEA;AAAA,EACA;AAAA,EAEA,YAAY,CAAC,kBAAkB,iBAAiB,CAAC;AAAA,EAEjD,SAAS;AAAA,IACP,WAAW,WAAW,SAAS;AAAA,IAC/B;AAAA,IACA,WAAW,UAAU,IAAI,kBAAkB;AAAA,IAC3C,cAAc,aAAa,IAAI,kBAAkB;AAAA,EACnD;AACF,CAAC;","names":[]}

package/dist/units/gateway-api/index.js CHANGED Viewed

@@ -1,6 +1,6 @@
 import {
   getProvider
-} from "../../chunk-T5Z2M4JE.js";
+} from "../../chunk-FKNHHKOL.js";
 // src/units/gateway-api/index.ts
 import { k8s } from "@highstate/library";

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@highstate/k8s",
-  "version": "0.9.4",
+  "version": "0.9.6",
   "type": "module",
   "files": [
     "dist",
@@ -13,6 +13,8 @@
     },
     "./units/access-point": "./dist/units/access-point/index.js",
     "./units/cert-manager": "./dist/units/cert-manager/index.js",
+    "./units/cluster-patch": "./dist/units/cluster-patch/index.js",
+    "./units/cluster-dns": "./dist/units/cluster-dns/index.js",
     "./units/dns01-issuer": "./dist/units/dns01-issuer/index.js",
     "./units/existing-cluster": "./dist/units/existing-cluster/index.js",
     "./units/gateway-api": "./dist/units/gateway-api/index.js"
@@ -26,12 +28,12 @@
     "generate-crds": "./scripts/generate-crds.sh"
   },
   "dependencies": {
-    "@highstate/cert-manager": "^0.9.4",
-    "@highstate/common": "^0.9.4",
-    "@highstate/contract": "^0.9.4",
-    "@highstate/gateway-api": "^0.9.4",
-    "@highstate/library": "^0.9.4",
-    "@highstate/pulumi": "^0.9.4",
+    "@highstate/cert-manager": "^0.9.6",
+    "@highstate/common": "^0.9.6",
+    "@highstate/contract": "^0.9.6",
+    "@highstate/gateway-api": "^0.9.6",
+    "@highstate/library": "^0.9.6",
+    "@highstate/pulumi": "^0.9.6",
     "@kubernetes/client-node": "^1.1.0",
     "@pulumi/command": "^1.0.2",
     "@pulumi/kubernetes": "^4.18.0",
@@ -40,11 +42,11 @@
     "deepmerge-ts": "^7.1.5",
     "glob": "^11.0.1",
     "nano-spawn": "^0.2.0",
-    "parse-domain": "^8.2.2",
+    "pkg-types": "^2.1.0",
     "remeda": "^2.21.0"
   },
   "devDependencies": {
-    "@highstate/cli": "^0.9.4"
+    "@highstate/cli": "^0.9.6"
   },
-  "gitHead": "021af8cde467823881e2dc82ccb606c9617772ea"
+  "gitHead": "3c7e8883ef6cbc3e3f7c2c5529115767aae5c96a"
 }

package/src/access-point.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import type { k8s } from "@highstate/library"
-import type { core, Provider } from "@pulumi/kubernetes"
-import { DnsRecord } from "@highstate/common"
+import type { Provider } from "@pulumi/kubernetes"
+import type { Namespace } from "./namespace"
+import { DnsRecordSet, filterEndpoints, l3EndpointToString } from "@highstate/common"
 import { gateway } from "@highstate/gateway-api"
 import {
   normalize,
@@ -11,7 +12,8 @@ import {
   type InputArray,
 } from "@highstate/pulumi"
 import { NetworkPolicy } from "./network-policy"
-import { getAppDisplayName, getAppName, mapNamespaceLikeToNamespaceName } from "./shared"
+import { getProvider, mapNamespaceLikeToNamespaceName } from "./shared"
+import { isFromCluster } from "./service"
 export type UseAccessPointResult = {
   /**
@@ -20,9 +22,9 @@ export type UseAccessPointResult = {
   gateway: gateway.v1.Gateway
   /**
-   * The DNS record associated created according to the access point and gateway.
+   * The DNS record sets associated created according to the access point and gateway.
    */
-  dnsRecords: DnsRecord[]
+  dnsRecordSets: DnsRecordSet[]
   /**
    * The network policies associated with the access point.
@@ -37,6 +39,12 @@ export type UseAccessPointArgs = Omit<CreateGatewayArgs, "gateway"> & {
 export function useAccessPoint(args: UseAccessPointArgs): Promise<UseAccessPointResult> {
   const result = output({ args, namespaceName: output(args.namespace).metadata.name }).apply(
     ({ args, namespaceName }) => {
+      if (args.accessPoint.clusterId !== args.cluster.id) {
+        throw new Error(
+          "The provided Kubernetes cluster is different from the one where the access point is deployed.",
+        )
+      }
       const gateway = createGateway({
         ...args,
         annotations: {
@@ -45,43 +53,41 @@ export function useAccessPoint(args: UseAccessPointArgs): Promise<UseAccessPoint
         gateway: args.accessPoint.gateway,
       })
-      const dnsRecords = normalize(args.fqdn, args.fqdns).flatMap(fqdn => {
-        return DnsRecord.createSet(fqdn, {
+      const dnsRecordSets = normalize(args.fqdn, args.fqdns).flatMap(fqdn => {
+        return DnsRecordSet.create(fqdn, {
           providers: args.accessPoint.dnsProviders,
-          type: "A",
-          value: args.accessPoint.gateway.ip,
+          values: filterEndpoints(
+            args.accessPoint.gateway.endpoints.filter(endpoint => endpoint.type !== "hostname"),
+          ),
         })
       })
-      const networkPolicies: Output<NetworkPolicy>[] = []
-      if (args.accessPoint.gateway.service) {
-        const displayName = getAppDisplayName(args.accessPoint.gateway.service.metadata)
-        networkPolicies.push(
-          NetworkPolicy.create(
-            `allow-ingress-from-${getAppName(args.accessPoint.gateway.service.metadata)}`,
-            {
-              namespace: args.namespace,
-              cluster: args.cluster,
+      const networkPolicies: Output<NetworkPolicy>[] = [
+        NetworkPolicy.create(
+          `allow-ingress-from-${l3EndpointToString(args.accessPoint.gateway.endpoints[0])}`,
+          {
+            namespace: args.namespace,
+            cluster: args.cluster,
-              description: `Allow ingress traffic from the gateway "${displayName}".`,
+            description: `Allow ingress traffic from the gateway at "${l3EndpointToString(args.accessPoint.gateway.endpoints[0])}".`,
-              ingressRule: {
-                fromNamespace: args.accessPoint.gateway.service.metadata.namespace,
-                fromSelector: args.accessPoint.gateway.service.spec.selector,
-              },
+            ingressRule: {
+              fromEndpoints: args.accessPoint.gateway.endpoints,
             },
-            { provider: args.provider },
-          ),
+          },
+          { provider: args.provider },
+        ),
+      ]
+      if (isFromCluster(args.accessPoint.gateway.endpoints[0], args.cluster)) {
+        networkPolicies.push(
           NetworkPolicy.create(
             `allow-egress-to-${namespaceName}`,
             {
-              namespace: args.accessPoint.gateway.service.metadata.namespace,
+              namespace: args.accessPoint.gateway.endpoints[0].metadata.k8sService.namespace,
               cluster: args.cluster,
-              selector: args.accessPoint.gateway.service.spec.selector,
+              selector: args.accessPoint.gateway.endpoints[0].metadata.k8sService.selector,
               description: `Allow egress traffic to the namespace "${namespaceName}".`,
@@ -96,7 +102,7 @@ export function useAccessPoint(args: UseAccessPointArgs): Promise<UseAccessPoint
       return output({
         gateway,
-        dnsRecords: output(dnsRecords).apply(records => records.flat()),
+        dnsRecordSets,
         networkPolicies,
       })
     },
@@ -106,6 +112,7 @@ export function useAccessPoint(args: UseAccessPointArgs): Promise<UseAccessPoint
 }
 export type StandardAccessPointArgs = {
+  appName: string
   fqdn: string
 }
@@ -114,28 +121,26 @@ export type StandardAccessPointInputs = {
   k8sCluster: Output<k8s.Cluster>
 }
-export function useStandardAcessPoint(
-  appName: string,
-  namespace: core.v1.Namespace,
+export async function useStandardAcessPoint(
+  namespace: Namespace,
   args: StandardAccessPointArgs,
   inputs: StandardAccessPointInputs,
-  provider: Provider,
 ): Promise<UseAccessPointResult> {
-  return useAccessPoint({
-    name: appName,
+  return await useAccessPoint({
+    name: args.appName,
     namespace,
     fqdn: args.fqdn,
     accessPoint: inputs.accessPoint,
     cluster: inputs.k8sCluster,
-    provider,
+    provider: await getProvider(inputs.k8sCluster),
   })
 }
 export type CreateGatewayArgs = {
   name: string
-  namespace: Input<core.v1.Namespace>
+  namespace: Input<Namespace>
   annotations?: Input<Record<string, string>>
   fqdn?: Input<string>
@@ -148,7 +153,7 @@ export type CreateGatewayArgs = {
 export function createGateway(args: CreateGatewayArgs): Output<gateway.v1.Gateway> {
   return output(args).apply(args => {
-    if (args.cluster.info.id !== args.gateway.clusterInfo.id) {
+    if (args.cluster.id !== args.gateway.clusterId) {
       throw new Error(
         "The provided Kubernetes cluster is different from the one where the gateway controller is deployed.",
       )

package/src/container.ts CHANGED Viewed

@@ -1,8 +1,10 @@
 import type { PartialKeys } from "@highstate/contract"
+import type { k8s, network } from "@highstate/library"
 import { core, type types } from "@pulumi/kubernetes"
 import { normalize, output, type Input, type InputArray, type Unwrap } from "@highstate/pulumi"
 import { concat, map, omit } from "remeda"
 import { PersistentVolumeClaim } from "./pvc"
+import { Secret } from "./secret"
 export type Container = Omit<PartialKeys<types.input.core.v1.Container, "name">, "volumeMounts"> & {
   /**
@@ -51,6 +53,20 @@ export type Container = Omit<PartialKeys<types.input.core.v1.Container, "name">,
    * It is like the `envFrom` property, but more convenient to use.
    */
   environmentSources?: InputArray<ContainerEnvironmentSource>
+  /**
+   * The list of endpoints that the container is allowed to access.
+   *
+   * This is used to generate a network policy.
+   */
+  allowedEndpoints?: InputArray<network.L34Endpoint>
+  /**
+   * Enable the TUN device in the container.
+   *
+   * All necessary security context settings will be applied to the container.
+   */
+  enableTun?: Input<boolean>
 }
 const containerExtraArgs = [
@@ -73,7 +89,7 @@ export type ContainerEnvironmentVariable =
       /**
        * The secret to select from.
        */
-      secret: Input<core.v1.Secret>
+      secret: Input<core.v1.Secret | Secret>
       /**
        * The key of the secret to select from.
@@ -110,16 +126,18 @@ export type WorkloadVolume =
   | types.input.core.v1.Volume
   | core.v1.PersistentVolumeClaim
   | PersistentVolumeClaim
+  | Secret
   | core.v1.ConfigMap
   | core.v1.Secret
 export function mapContainerToRaw(
   container: Unwrap<Container>,
+  cluster: k8s.Cluster,
   fallbackName: string,
 ): types.input.core.v1.Container {
   const containerName = container.name ?? fallbackName
-  return {
+  const spec = {
     ...omit(container, containerExtraArgs),
     name: containerName,
@@ -139,7 +157,29 @@ export function mapContainerToRaw(
       ),
       container.envFrom ?? [],
     ),
+  } as Unwrap<types.input.core.v1.Container>
+  if (container.enableTun) {
+    spec.securityContext ??= {}
+    spec.securityContext.capabilities ??= {}
+    spec.securityContext.capabilities.add = ["NET_ADMIN"]
+    if (cluster.quirks?.tunDevicePolicy?.type === "plugin") {
+      spec.resources ??= {}
+      spec.resources.limits ??= {}
+      spec.resources.limits[cluster.quirks.tunDevicePolicy.resourceName] =
+        cluster.quirks.tunDevicePolicy.resourceValue
+    } else {
+      spec.volumeMounts ??= []
+      spec.volumeMounts.push({
+        name: "tun-device",
+        mountPath: "/dev/net/tun",
+        readOnly: false,
+      })
+    }
   }
+  return spec
 }
 export function mapContainerEnvironment(
@@ -240,7 +280,16 @@ export function mapWorkloadVolume(volume: WorkloadVolume) {
     }
   }
-  if (volume instanceof core.v1.PersistentVolumeClaim) {
+  if (volume instanceof Secret) {
+    return {
+      name: volume.metadata.name,
+      secret: {
+        secretName: volume.metadata.name,
+      },
+    }
+  }
+  if (core.v1.PersistentVolumeClaim.isInstance(volume)) {
     return {
       name: volume.metadata.name,
       persistentVolumeClaim: {
@@ -249,7 +298,7 @@ export function mapWorkloadVolume(volume: WorkloadVolume) {
     }
   }
-  if (volume instanceof core.v1.ConfigMap) {
+  if (core.v1.ConfigMap.isInstance(volume)) {
     return {
       name: volume.metadata.name,
       configMap: {
@@ -258,7 +307,7 @@ export function mapWorkloadVolume(volume: WorkloadVolume) {
     }
   }
-  if (volume instanceof core.v1.Secret) {
+  if (core.v1.Secret.isInstance(volume)) {
     return {
       name: volume.metadata.name,
       secret: {

package/src/cron-job.ts CHANGED Viewed

@@ -1,22 +1,12 @@
 import type { RequiredKeys } from "@highstate/contract"
 import { batch, type types } from "@pulumi/kubernetes"
-import {
-  ComponentResource,
-  normalize,
-  Output,
-  output,
-  type ComponentResourceOptions,
-  type Input,
-  type InputArray,
-} from "@highstate/pulumi"
+import { ComponentResource, Output, output, type ComponentResourceOptions } from "@highstate/pulumi"
 import { mergeDeep, omit } from "remeda"
-import { mapContainerToRaw, mapWorkloadVolume, type Container } from "./container"
-import { commonExtraArgs, mapMetadata, type CommonArgs } from "./shared"
+import { commonExtraArgs, getProvider, mapMetadata } from "./shared"
+import { getWorkloadComponents, type WorkloadArgs } from "./workload"
-export type CronJobArgs = CommonArgs & {
-  container?: Input<Container>
-  containers?: InputArray<Container>
-} & Omit<RequiredKeys<Partial<types.input.batch.v1.CronJobSpec>, "schedule">, "jobTemplate"> & {
+export type CronJobArgs = WorkloadArgs &
+  Omit<RequiredKeys<Partial<types.input.batch.v1.CronJobSpec>, "schedule">, "jobTemplate"> & {
     jobTemplate?: {
       metadata?: types.input.meta.v1.ObjectMeta
       spec?: Omit<types.input.batch.v1.JobSpec, "template"> & {
@@ -36,12 +26,12 @@ export class CronJob extends ComponentResource {
    */
   public readonly cronJob: Output<batch.v1.CronJob>
-  constructor(name: string, args: CronJobArgs, opts?: ComponentResourceOptions) {
+  constructor(name: string, args: CronJobArgs, opts: ComponentResourceOptions) {
     super("highstate:k8s:CronJob", name, args, opts)
-    this.cronJob = output(args).apply(args => {
-      const containers = normalize(args.container, args.containers)
+    const { podTemplate } = getWorkloadComponents(name, args, () => this, opts)
+    this.cronJob = output({ args, podTemplate }).apply(async ({ args, podTemplate }) => {
       return new batch.v1.CronJob(
         name,
         {
@@ -51,15 +41,7 @@ export class CronJob extends ComponentResource {
             {
               jobTemplate: {
                 spec: {
-                  template: {
-                    spec: {
-                      containers: containers.map(container => mapContainerToRaw(container, name)),
-                      volumes: containers
-                        .flatMap(container => normalize(container.volume, container.volumes))
-                        .map(mapWorkloadVolume),
-                    },
-                  },
+                  template: podTemplate,
                 },
               },
@@ -68,10 +50,12 @@ export class CronJob extends ComponentResource {
             omit(args, cronJobExtraArgs) as types.input.batch.v1.CronJobSpec,
           ),
         },
-        { parent: this, ...opts },
+        {
+          ...opts,
+          parent: this,
+          provider: await getProvider(args.cluster),
+        },
       )
     })
-    this.registerOutputs({ cronJob: this.cronJob })
   }
 }