@highstate/k8s 0.9.7 → 0.9.9

package/dist/chunk-OP75IMU7.js

@@ -0,0 +1,766 @@
+import {
+  commonExtraArgs,
+  getProvider,
+  mapMetadata,
+  mapNamespaceLikeToNamespaceName,
+  mapNamespaceNameToSelector,
+  mapSelectorLikeToSelector,
+  resourceIdToString
+} from "./chunk-HTQP2NB4.js";
+
+// src/service.ts
+import { core } from "@pulumi/kubernetes";
+import {
+  ComponentResource,
+  normalize,
+  output
+} from "@highstate/pulumi";
+import { omit, uniqueBy } from "remeda";
+import { deepmerge } from "deepmerge-ts";
+import { filterEndpoints, l4EndpointToString, parseL3Endpoint } from "@highstate/common";
+var serviceExtraArgs = [...commonExtraArgs, "port", "ports", "external"];
+function hasServiceMetadata(endpoint) {
+  return endpoint.metadata?.k8sService !== void 0;
+}
+function getServiceMetadata(endpoint) {
+  return endpoint.metadata?.k8sService;
+}
+function withServiceMetadata(endpoint, metadata) {
+  return {
+    ...endpoint,
+    metadata: {
+      ...endpoint.metadata,
+      k8sService: metadata
+    }
+  };
+}
+function isFromCluster(endpoint, cluster) {
+  return getServiceMetadata(endpoint)?.clusterId === cluster.id;
+}
+var Service = class extends ComponentResource {
+  constructor(type, name, args, opts, cluster, metadata, spec, status) {
+    super(type, name, args, opts);
+    this.cluster = cluster;
+    this.metadata = metadata;
+    this.spec = spec;
+    this.status = status;
+  }
+  /**
+   * The Highstate service entity.
+   */
+  get entity() {
+    return output({
+      type: "k8s.service",
+      clusterId: this.cluster.id,
+      metadata: this.metadata,
+      endpoints: this.endpoints
+    });
+  }
+  static create(name, args, opts) {
+    return new CreatedService(name, args, opts);
+  }
+  static wrap(name, service, cluster, opts) {
+    return new WrappedService(name, service, cluster, opts);
+  }
+  static external(name, id, cluster, opts) {
+    return new ExternalService(name, id, cluster, opts);
+  }
+  static of(name, entity, cluster, opts) {
+    return new ExternalService(
+      name,
+      output(entity).metadata,
+      output({ cluster, entity }).apply(({ cluster: cluster2, entity: entity2 }) => {
+        if (cluster2.id !== entity2.clusterId) {
+          throw new Error(
+            `Cluster mismatch when wrapping service "${name}": "${cluster2.id}" != "${entity2.clusterId}"`
+          );
+        }
+        return cluster2;
+      }),
+      opts
+    );
+  }
+  /**
+   * Returns the endpoints of the service applying the given filter.
+   *
+   * If no filter is specified, the default behavior of `filterEndpoints` is used.
+   *
+   * @param filter If specified, the endpoints are filtered based on the given filter.
+   * @returns The endpoints of the service.
+   */
+  filterEndpoints(filter) {
+    return output({ endpoints: this.endpoints }).apply(({ endpoints }) => {
+      return filterEndpoints(endpoints, filter);
+    });
+  }
+  /**
+   * Returns the endpoints of the service including both internal and external endpoints.
+   */
+  get endpoints() {
+    return output({
+      cluster: this.cluster,
+      metadata: this.metadata,
+      spec: this.spec,
+      status: this.status
+    }).apply(({ cluster, metadata, spec, status }) => {
+      const endpointMetadata = {
+        k8sService: {
+          clusterId: cluster.id,
+          name: metadata.name,
+          namespace: metadata.namespace,
+          selector: spec.selector,
+          targetPort: spec.ports[0].targetPort ?? spec.ports[0].port
+        }
+      };
+      const clusterIpEndpoints = spec.clusterIPs?.map((ip) => ({
+        ...parseL3Endpoint(ip),
+        visibility: "internal",
+        port: spec.ports[0].port,
+        protocol: spec.ports[0].protocol?.toLowerCase(),
+        metadata: endpointMetadata
+      }));
+      if (clusterIpEndpoints.length > 0) {
+        clusterIpEndpoints.unshift({
+          type: "hostname",
+          visibility: "internal",
+          hostname: `${metadata.name}.${metadata.namespace}.svc.cluster.local`,
+          port: spec.ports[0].port,
+          protocol: spec.ports[0].protocol?.toLowerCase(),
+          metadata: endpointMetadata
+        });
+      }
+      const nodePortEndpoints = spec.type === "NodePort" ? cluster.endpoints.map((endpoint) => ({
+        ...endpoint,
+        port: spec.ports[0].nodePort,
+        protocol: spec.ports[0].protocol?.toLowerCase(),
+        metadata: endpointMetadata
+      })) : [];
+      const loadBalancerEndpoints = spec.type === "LoadBalancer" ? status.loadBalancer?.ingress?.map((endpoint) => ({
+        ...parseL3Endpoint(endpoint.ip ?? endpoint.hostname),
+        port: spec.ports[0].port,
+        protocol: spec.ports[0].protocol?.toLowerCase(),
+        metadata: endpointMetadata
+      })) : [];
+      return uniqueBy(
+        [
+          ...clusterIpEndpoints ?? [],
+          ...loadBalancerEndpoints ?? [],
+          ...nodePortEndpoints ?? []
+        ],
+        (endpoint) => l4EndpointToString(endpoint)
+      );
+    });
+  }
+};
+var CreatedService = class extends Service {
+  constructor(name, args, opts) {
+    const service = output(args).apply((args2) => {
+      return new core.v1.Service(
+        name,
+        {
+          metadata: mapMetadata(args2, name),
+          spec: deepmerge(
+            {
+              ports: normalize(args2.port, args2.ports),
+              externalIPs: args2.external ? args2.externalIPs ?? args2.cluster.externalIps : args2.cluster.externalIps,
+              type: getServiceType(args2, args2.cluster)
+            },
+            omit(args2, serviceExtraArgs)
+          )
+        },
+        { parent: this, ...opts }
+      );
+    });
+    super(
+      "highstate:k8s:Service",
+      name,
+      args,
+      opts,
+      output(args.cluster),
+      service.metadata,
+      service.spec,
+      service.status
+    );
+  }
+};
+var WrappedService = class extends Service {
+  constructor(name, service, cluster, opts) {
+    super(
+      "highstate:k8s:WrappedService",
+      name,
+      { service, clusterInfo: cluster },
+      opts,
+      output(cluster),
+      output(service).metadata,
+      output(service).spec,
+      output(service).status
+    );
+  }
+};
+var ExternalService = class extends Service {
+  constructor(name, id, cluster, opts) {
+    const service = output(id).apply((id2) => {
+      return core.v1.Service.get(
+        //
+        name,
+        resourceIdToString(id2),
+        { ...opts, parent: this }
+      );
+    });
+    super(
+      "highstate:k8s:ExternalService",
+      name,
+      { id, cluster },
+      opts,
+      output(cluster),
+      service.metadata,
+      service.spec,
+      service.status
+    );
+  }
+};
+function mapContainerPortToServicePort(port) {
+  return {
+    name: port.name,
+    port: port.containerPort,
+    targetPort: port.containerPort,
+    protocol: port.protocol
+  };
+}
+function mapServiceToLabelSelector(service) {
+  return {
+    matchLabels: service.spec.selector
+  };
+}
+function getServiceType(service, cluster) {
+  if (service?.type) {
+    return service.type;
+  }
+  if (!service?.external) {
+    return "ClusterIP";
+  }
+  return cluster.quirks?.externalServiceType === "LoadBalancer" ? "LoadBalancer" : "NodePort";
+}
+
+// src/gateway/http-route.ts
+import {
+  ComponentResource as ComponentResource2,
+  normalize as normalize2,
+  output as output3
+} from "@highstate/pulumi";
+import { gateway } from "@highstate/gateway-api";
+import { map, pipe } from "remeda";
+
+// src/gateway/backend.ts
+import "@pulumi/kubernetes";
+import { output as output2 } from "@highstate/pulumi";
+function resolveBackendRef(ref) {
+  if (Service.isInstance(ref)) {
+    return output2({
+      name: ref.metadata.name,
+      namespace: ref.metadata.namespace,
+      port: ref.spec.ports[0].port
+    });
+  }
+  if ("service" in ref) {
+    const service = output2(ref.service);
+    return output2({
+      name: service.metadata.name,
+      namespace: service.metadata.namespace,
+      port: ref.port
+    });
+  }
+  return output2({
+    name: ref.name,
+    namespace: ref.namespace,
+    port: ref.port
+  });
+}
+
+// src/gateway/http-route.ts
+var HttpRoute = class extends ComponentResource2 {
+  /**
+   * The underlying Kubernetes resource.
+   */
+  route;
+  constructor(name, args, opts) {
+    super("highstate:k8s:HttpRoute", name, args, opts);
+    this.route = output3({
+      args,
+      gatewayNamespace: output3(args.gateway).metadata.namespace
+    }).apply(async ({ args: args2, gatewayNamespace }) => {
+      return new gateway.v1.HTTPRoute(
+        name,
+        {
+          metadata: mapMetadata(
+            {
+              ...args2,
+              namespace: gatewayNamespace
+            },
+            name
+          ),
+          spec: {
+            hostnames: normalize2(args2.hostname, args2.hostnames),
+            parentRefs: [
+              {
+                name: args2.gateway.metadata.name
+              }
+            ],
+            rules: normalize2(args2.rule, args2.rules).map((rule) => ({
+              timeouts: rule.timeouts,
+              matches: pipe(
+                normalize2(rule.match, rule.matches),
+                map(mapHttpRouteRuleMatch),
+                addDefaultPathMatch
+              ),
+              filters: normalize2(rule.filter, rule.filters),
+              backendRefs: rule.backend ? [resolveBackendRef(rule.backend)] : void 0
+            }))
+          }
+        },
+        {
+          ...opts,
+          parent: this,
+          provider: await getProvider(args2.cluster)
+        }
+      );
+    });
+  }
+};
+function addDefaultPathMatch(matches) {
+  return matches.length ? matches : [{ path: { type: "PathPrefix", value: "/" } }];
+}
+function mapHttpRouteRuleMatch(match) {
+  if (typeof match === "string") {
+    return { path: { type: "PathPrefix", value: match } };
+  }
+  return match;
+}
+
+// src/network-policy.ts
+import { networking } from "@pulumi/kubernetes";
+import {
+  ComponentResource as ComponentResource3,
+  interpolate,
+  normalize as normalize3,
+  output as output4
+} from "@highstate/pulumi";
+import { capitalize, flat, groupBy, merge, mergeDeep, uniqueBy as uniqueBy2 } from "remeda";
+import "@highstate/library";
+import {
+  l34EndpointToString,
+  l3EndpointToCidr,
+  parseL34Endpoint
+} from "@highstate/common";
+var NetworkPolicy = class _NetworkPolicy extends ComponentResource3 {
+  /**
+   * The underlying network policy resource.
+   */
+  networkPolicy;
+  constructor(name, args, opts) {
+    super("k8s:network-policy", name, args, opts);
+    const normalizedArgs = output4(args).apply((args2) => {
+      const ingressRules = normalize3(args2.ingressRule, args2.ingressRules);
+      const egressRules = normalize3(args2.egressRule, args2.egressRules);
+      const extraEgressRules = [];
+      if (args2.allowKubeDns) {
+        extraEgressRules.push({
+          namespaces: ["kube-system"],
+          selectors: [{ matchLabels: { "k8s-app": "kube-dns" } }],
+          ports: [{ port: 53, protocol: "UDP" }],
+          all: false,
+          cidrs: [],
+          fqdns: [],
+          services: []
+        });
+      }
+      return {
+        ...args2,
+        podSelector: args2.selector ? mapSelectorLikeToSelector(args2.selector) : {},
+        isolateEgress: args2.isolateEgress ?? false,
+        isolateIngress: args2.isolateIngress ?? false,
+        allowKubeApiServer: args2.allowKubeApiServer ?? false,
+        ingressRules: ingressRules.flatMap((rule) => {
+          const endpoints = normalize3(
+            args2.ingressRule?.fromEndpoint,
+            args2.ingressRule?.fromEndpoints
+          );
+          const parsedEndpoints = endpoints.map(parseL34Endpoint);
+          const endpointsByPortsAndNamespaces = groupBy(parsedEndpoints, (endpoint) => {
+            const namespace = isFromCluster(endpoint, args2.cluster) ? endpoint.metadata.k8sService.namespace : "";
+            const port = isFromCluster(endpoint, args2.cluster) ? endpoint.metadata.k8sService.targetPort : endpoint.port;
+            return `${port ?? "0"}:${namespace}`;
+          });
+          const l3OnlyRule = endpointsByPortsAndNamespaces["0:"] ? _NetworkPolicy.getRuleFromEndpoint(
+            void 0,
+            endpointsByPortsAndNamespaces["0:"],
+            args2.cluster
+          ) : void 0;
+          const otherRules = Object.entries(endpointsByPortsAndNamespaces).filter(([key]) => key !== "0:").map(([key, endpoints2]) => {
+            const [port] = key.split(":");
+            const portNumber = parseInt(port, 10);
+            const portValue = isNaN(portNumber) ? port : portNumber;
+            return _NetworkPolicy.getRuleFromEndpoint(portValue, endpoints2, args2.cluster);
+          });
+          return [
+            {
+              all: rule.fromAll ?? false,
+              cidrs: normalize3(rule.fromCidr, rule.fromCidrs).concat(l3OnlyRule?.cidrs ?? []),
+              fqdns: [],
+              services: normalize3(rule.fromService, rule.fromServices),
+              namespaces: normalize3(rule.fromNamespace, rule.fromNamespaces),
+              selectors: normalize3(rule.fromSelector, rule.fromSelectors),
+              ports: normalize3(rule.toPort, rule.toPorts)
+            },
+            ...otherRules
+          ].filter((rule2) => !_NetworkPolicy.isEmptyRule(rule2));
+        }),
+        egressRules: egressRules.flatMap((rule) => {
+          const endpoints = normalize3(args2.egressRule?.toEndpoint, args2.egressRule?.toEndpoints);
+          const parsedEndpoints = endpoints.map(parseL34Endpoint);
+          const endpointsByPortsAnsNamespaces = groupBy(parsedEndpoints, (endpoint) => {
+            const namespace = isFromCluster(endpoint, args2.cluster) ? endpoint.metadata.k8sService.namespace : "";
+            const port = isFromCluster(endpoint, args2.cluster) ? endpoint.metadata.k8sService.targetPort : endpoint.port;
+            return `${port ?? "0"}:${namespace}`;
+          });
+          const l3OnlyRule = endpointsByPortsAnsNamespaces["0:"] ? _NetworkPolicy.getRuleFromEndpoint(
+            void 0,
+            endpointsByPortsAnsNamespaces["0:"],
+            args2.cluster
+          ) : void 0;
+          const otherRules = Object.entries(endpointsByPortsAnsNamespaces).filter(([key]) => key !== "0:").map(([key, endpoints2]) => {
+            const [port] = key.split(":");
+            const portNumber = parseInt(port, 10);
+            const portValue = isNaN(portNumber) ? port : portNumber;
+            return _NetworkPolicy.getRuleFromEndpoint(portValue, endpoints2, args2.cluster);
+          });
+          return [
+            {
+              all: rule.toAll ?? false,
+              cidrs: normalize3(rule.toCidr, rule.toCidrs).concat(l3OnlyRule?.cidrs ?? []),
+              fqdns: normalize3(rule.toFqdn, rule.toFqdns).concat(l3OnlyRule?.fqdns ?? []),
+              services: normalize3(rule.toService, rule.toServices),
+              namespaces: normalize3(rule.toNamespace, rule.toNamespaces),
+              selectors: normalize3(rule.toSelector, rule.toSelectors),
+              ports: normalize3(rule.toPort, rule.toPorts)
+            },
+            ...otherRules
+          ].filter((rule2) => !_NetworkPolicy.isEmptyRule(rule2));
+        }).concat(extraEgressRules)
+      };
+    });
+    this.networkPolicy = output4(
+      normalizedArgs.apply(async (args2) => {
+        return output4(
+          this.create(name, args2, {
+            ...opts,
+            parent: this,
+            provider: await getProvider(args2.cluster)
+          })
+        );
+      })
+    );
+  }
+  static mapCidrFromEndpoint(result) {
+    if (result.type === "ipv4") {
+      return `${result.address}/32`;
+    }
+    return `${result.address}/128`;
+  }
+  static getRuleFromEndpoint(port, endpoints, cluster) {
+    const ports = port ? [{ port, protocol: endpoints[0].protocol?.toUpperCase() }] : [];
+    const cidrs = endpoints.filter((endpoint) => !isFromCluster(endpoint, cluster)).filter((endpoint) => endpoint.type === "ipv4" || endpoint.type === "ipv6").map(_NetworkPolicy.mapCidrFromEndpoint);
+    const fqdns = endpoints.filter((endpoint) => endpoint.type === "hostname").map((endpoint) => endpoint.hostname);
+    const selectors = endpoints.filter((endpoint) => isFromCluster(endpoint, cluster)).map((endpoint) => endpoint.metadata.k8sService.selector);
+    const namespace = endpoints.filter((endpoint) => isFromCluster(endpoint, cluster)).map((endpoint) => getServiceMetadata(endpoint)?.namespace)[0];
+    return {
+      all: false,
+      cidrs,
+      fqdns,
+      services: [],
+      namespaces: namespace ? [namespace] : [],
+      selectors,
+      ports
+    };
+  }
+  static isEmptyRule(rule) {
+    return !rule.all && rule.cidrs.length === 0 && rule.fqdns.length === 0 && rule.services.length === 0 && rule.namespaces.length === 0 && rule.selectors.length === 0 && rule.ports.length === 0;
+  }
+  static create(name, args, opts) {
+    return output4(args).apply(async (args2) => {
+      const cni = args2.cluster.cni;
+      if (cni === "other") {
+        return new NativeNetworkPolicy(name, args2, opts);
+      }
+      const implName = `${capitalize(cni)}NetworkPolicy`;
+      const implModule = await import(`@highstate/${cni}`);
+      const implClass = implModule[implName];
+      if (!implClass) {
+        throw new Error(`No implementation found for ${cni}`);
+      }
+      return new implClass(name, args2, opts);
+    });
+  }
+  static isolate(namespace, cluster, opts) {
+    return _NetworkPolicy.create(
+      "isolate",
+      {
+        namespace,
+        cluster,
+        description: "By default, deny all traffic to/from the namespace.",
+        isolateEgress: true,
+        isolateIngress: true
+      },
+      opts
+    );
+  }
+  static allowInsideNamespace(namespace, cluster, opts) {
+    return _NetworkPolicy.create(
+      "allow-inside-namespace",
+      {
+        namespace,
+        cluster,
+        description: "Allow all traffic inside the namespace.",
+        selector: {},
+        ingressRule: { fromNamespace: namespace },
+        egressRule: { toNamespace: namespace }
+      },
+      opts
+    );
+  }
+  static allowKubeApiServer(namespace, cluster, opts) {
+    return _NetworkPolicy.create(
+      "allow-kube-api-server",
+      {
+        namespace,
+        cluster,
+        description: "Allow all traffic to the Kubernetes API server from the namespace.",
+        allowKubeApiServer: true
+      },
+      opts
+    );
+  }
+  static allowKubeDns(namespace, cluster, opts) {
+    return _NetworkPolicy.create(
+      "allow-kube-dns",
+      {
+        namespace,
+        cluster,
+        description: "Allow all traffic to the Kubernetes DNS server from the namespace.",
+        allowKubeDns: true
+      },
+      opts
+    );
+  }
+  static allowAllEgress(namespace, cluster, opts) {
+    return _NetworkPolicy.create(
+      "allow-all-egress",
+      {
+        namespace,
+        cluster,
+        description: "Allow all egress traffic from the namespace.",
+        egressRule: { toAll: true }
+      },
+      opts
+    );
+  }
+  static allowAllIngress(namespace, cluster, opts) {
+    return _NetworkPolicy.create(
+      "allow-all-ingress",
+      {
+        namespace,
+        cluster,
+        description: "Allow all ingress traffic to the namespace.",
+        ingressRule: { fromAll: true }
+      },
+      opts
+    );
+  }
+  static allowEgressToEndpoint(endpoint, namespace, cluster, opts) {
+    const parsedEndpoint = parseL34Endpoint(endpoint);
+    return _NetworkPolicy.create(
+      `allow-egress-to-${l34EndpointToString(parsedEndpoint)}`,
+      {
+        namespace,
+        cluster,
+        description: interpolate`Allow egress traffic to "${l34EndpointToString(parsedEndpoint)}" from the namespace.`,
+        egressRule: { toEndpoint: endpoint }
+      },
+      opts
+    );
+  }
+  static allowIngressFromEndpoint(endpoint, namespace, cluster, opts) {
+    const parsedEndpoint = parseL34Endpoint(endpoint);
+    return _NetworkPolicy.create(
+      `allow-ingress-from-${l34EndpointToString(parsedEndpoint)}`,
+      {
+        namespace,
+        cluster,
+        description: interpolate`Allow ingress traffic from "${l34EndpointToString(parsedEndpoint)}" to the namespace.`,
+        ingressRule: { fromEndpoint: endpoint }
+      },
+      opts
+    );
+  }
+};
+var NativeNetworkPolicy = class _NativeNetworkPolicy extends NetworkPolicy {
+  create(name, args, opts) {
+    const ingress = _NativeNetworkPolicy.createIngressRules(args);
+    const egress = _NativeNetworkPolicy.createEgressRules(args);
+    const policyTypes = [];
+    if (ingress.length > 0 || args.isolateIngress) {
+      policyTypes.push("Ingress");
+    }
+    if (egress.length > 0 || args.isolateEgress) {
+      policyTypes.push("Egress");
+    }
+    return new networking.v1.NetworkPolicy(
+      name,
+      {
+        metadata: mergeDeep(mapMetadata(args, name), {
+          annotations: args.description ? { "kubernetes.io/description": args.description } : void 0
+        }),
+        spec: {
+          podSelector: args.podSelector,
+          ingress,
+          egress,
+          policyTypes
+        }
+      },
+      opts
+    );
+  }
+  static fallbackIpBlock = {
+    cidr: "0.0.0.0/0",
+    except: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+  };
+  static fallbackDnsRule = {
+    to: [
+      {
+        namespaceSelector: { matchLabels: { "kubernetes.io/metadata.name": "kube-system" } },
+        podSelector: { matchLabels: { "k8s-app": "kube-dns" } }
+      }
+    ],
+    ports: [{ port: 53, protocol: "UDP" }]
+  };
+  static createIngressRules(args) {
+    return uniqueBy2(
+      args.ingressRules.map((rule) => ({
+        from: rule.all ? [] : _NativeNetworkPolicy.createRulePeers(rule),
+        ports: _NativeNetworkPolicy.mapPorts(rule.ports)
+      })),
+      (rule) => JSON.stringify(rule)
+    );
+  }
+  static createEgressRules(args) {
+    const extraRules = [];
+    const needKubeDns = args.egressRules.some((rule) => rule.fqdns.length > 0);
+    if (needKubeDns) {
+      extraRules.push(_NativeNetworkPolicy.fallbackDnsRule);
+    }
+    const needFallback = args.egressRules.some(
+      (rule) => rule.fqdns.some((fqdn) => !fqdn.endsWith(".cluster.local"))
+    );
+    if (needFallback) {
+      extraRules.push({ to: [{ ipBlock: _NativeNetworkPolicy.fallbackIpBlock }] });
+    }
+    if (args.allowKubeApiServer) {
+      const { quirks, apiEndpoints } = args.cluster;
+      if (quirks?.fallbackKubeApiAccess) {
+        extraRules.push({
+          to: [{ ipBlock: { cidr: `${quirks?.fallbackKubeApiAccess.serverIp}/32` } }],
+          ports: [{ port: quirks?.fallbackKubeApiAccess.serverPort, protocol: "TCP" }]
+        });
+      } else {
+        const rules = apiEndpoints.filter((endpoint) => endpoint.type !== "hostname").map((endpoint) => ({
+          to: [{ ipBlock: { cidr: l3EndpointToCidr(endpoint) } }],
+          ports: [{ port: endpoint.port, protocol: "TCP" }]
+        }));
+        extraRules.push(...rules);
+      }
+    }
+    return uniqueBy2(
+      args.egressRules.map((rule) => {
+        return {
+          to: rule.all ? [] : _NativeNetworkPolicy.createRulePeers(rule),
+          ports: _NativeNetworkPolicy.mapPorts(rule.ports)
+        };
+      }).filter((rule) => rule.to !== void 0).concat(extraRules),
+      (rule) => JSON.stringify(rule)
+    );
+  }
+  static createRulePeers(args) {
+    const peers = uniqueBy2(
+      [
+        ..._NativeNetworkPolicy.createCidrPeers(args),
+        ..._NativeNetworkPolicy.createServicePeers(args),
+        ..._NativeNetworkPolicy.createSelectorPeers(args)
+      ],
+      (peer) => JSON.stringify(peer)
+    );
+    return peers.length > 0 ? peers : void 0;
+  }
+  static createCidrPeers(args) {
+    return args.cidrs.map((cidr) => ({ ipBlock: { cidr } }));
+  }
+  static createServicePeers(args) {
+    return args.services.map((service) => {
+      const selector = mapServiceToLabelSelector(service);
+      return {
+        namespaceSelector: mapNamespaceNameToSelector(service.metadata.namespace),
+        podSelector: selector
+      };
+    });
+  }
+  static createSelectorPeers(args) {
+    const selectorPeers = args.selectors.map((selector) => ({
+      podSelector: mapSelectorLikeToSelector(selector)
+    }));
+    const namespacePeers = args.namespaces.map(_NativeNetworkPolicy.createNamespacePeer);
+    if (namespacePeers.length === 0) {
+      return selectorPeers;
+    }
+    if (selectorPeers.length === 0) {
+      return namespacePeers;
+    }
+    return flat(
+      selectorPeers.map((selectorPeer) => {
+        return namespacePeers.map((namespacePeer) => merge(selectorPeer, namespacePeer));
+      })
+    );
+  }
+  static createNamespacePeer(namespace) {
+    const namespaceName = mapNamespaceLikeToNamespaceName(namespace);
+    const namespaceSelector = mapNamespaceNameToSelector(namespaceName);
+    return { namespaceSelector };
+  }
+  static mapPorts(ports) {
+    return ports.map((port) => {
+      if ("port" in port) {
+        return {
+          port: port.port,
+          protocol: port.protocol ?? "TCP"
+        };
+      }
+      return {
+        port: port.range[0],
+        endPort: port.range[1],
+        protocol: port.protocol ?? "TCP"
+      };
+    });
+  }
+};
+
+export {
+  hasServiceMetadata,
+  getServiceMetadata,
+  withServiceMetadata,
+  isFromCluster,
+  Service,
+  mapContainerPortToServicePort,
+  mapServiceToLabelSelector,
+  getServiceType,
+  HttpRoute,
+  NetworkPolicy
+};
+//# sourceMappingURL=chunk-OP75IMU7.js.map