@highstate/library 0.14.2 → 0.16.0

package/src/dns.ts

@@ -1,7 +1,8 @@
 import { defineEntity, defineUnit, z } from "@highstate/contract"
+import { mapValues, pick } from "remeda"
+import { serverEntity } from "./common/server"
 import { implementationReferenceSchema } from "./impl-ref"
-import { endpointFilterSchema, l3EndpointEntity, l4EndpointEntity } from "./network"
-import { arrayPatchModeSchema, prefixKeysWith } from "./utils"
+import { l3EndpointEntity, l4EndpointEntity, networkArgs } from "./network"
 
 export const providerEntity = defineEntity({
   type: "dns.provider.v1",
@@ -13,11 +14,9 @@ export const providerEntity = defineEntity({
     id: z.string(),
 
     /**
-     * The domain apex for which the DNS records will be created.
-     *
-     * If the provider manages multiple domains, the separate provider entity should be created for each domain.
+     * The zones managed by the DNS provider.
      */
-    domain: z.string(),
+    zones: z.string().array(),
 
     /**
      * The reference to the implementation of the DNS provider.
@@ -34,13 +33,26 @@ export const recordSet = defineUnit({
   type: "dns.record-set.v1",
 
   args: {
-    ...createArgs(),
+    /**
+     * The FQDN of the DNS to create.
+     *
+     * If not provided, the name of the unit will be used.
+     */
+    recordName: z.string().optional(),
 
     /**
      * The values of the DNS record.
+     *
+     * Will be parsed as endpoints and merged with provided L3/L4/L7 endpoint inputs.
      */
     values: z.string().array().default([]),
 
+    ...mapValues(
+      //
+      pick(networkArgs, ["endpointFilter"]),
+      arg => ({ ...arg, schema: arg.schema.default(`type != "hostname"`) }),
+    ),
+
     /**
      * The TTL of the DNS record.
      */
@@ -57,6 +69,11 @@ export const recordSet = defineUnit({
      * Available only for public IPs and some DNS providers like Cloudflare.
      */
     proxied: z.boolean().default(false),
+
+    /**
+     * Wait for the DNS record creation/update to be visible at local DNS before continuing.
+     */
+    waitLocal: z.boolean().default(true),
   },
 
   inputs: {
@@ -70,6 +87,15 @@ export const recordSet = defineUnit({
       multiple: true,
     },
 
+    /**
+     * The servers to wait for the DNS records to be visible at before continuing.
+     */
+    waitServers: {
+      entity: serverEntity,
+      required: false,
+      multiple: true,
+    },
+
     /**
      * The L3 endpoints to use as values of the DNS records.
      */
@@ -87,18 +113,44 @@ export const recordSet = defineUnit({
       required: false,
       multiple: true,
     },
+
+    /**
+     * The L7 endpoints to use as values of the DNS records.
+     */
+    l7Endpoints: {
+      entity: l4EndpointEntity,
+      required: false,
+      multiple: true,
+    },
   },
 
   outputs: {
+    /**
+     * The filtered L3 endpoints with all IPs replaced with FQDNs.
+     * The duplicates are removed and metadata is merged.
+     */
     l3Endpoints: {
       entity: l3EndpointEntity,
       multiple: true,
     },
 
+    /**
+     * The filtered L4 endpoints with all IPs replaced with FQDNs.
+     * The duplicates are removed and metadata is merged.
+     */
     l4Endpoints: {
       entity: l4EndpointEntity,
       multiple: true,
     },
+
+    /**
+     * The filtered L7 endpoints with all IPs replaced with FQDNs.
+     * The duplicates are removed and metadata is merged.
+     */
+    l7Endpoints: {
+      entity: l4EndpointEntity,
+      multiple: true,
+    },
   },
 
   meta: {
@@ -115,48 +167,6 @@ export const recordSet = defineUnit({
   },
 })
 
-export function createArgs<TPrefix extends string = "">(prefix?: TPrefix) {
-  return prefixKeysWith(prefix, {
-    /**
-     * The FQDN to register the existing endpoints with.
-     *
-     * Will be inserted at the beginning of the resulting endpoint list.
-     *
-     * Will throw an error if no matching provider is found.
-     */
-    fqdn: z.string().optional(),
-
-    /**
-     * The endpoint filter to filter the endpoints before creating the DNS records.
-     *
-     * Possible values:
-     *
-     * - `public`: only endpoints exposed to the public internet;
-     * - `external`: reachable from outside the system but not public (e.g., LAN, VPC);
-     * - `internal`: reachable only from within the system boundary (e.g., inside a cluster).
-     *
-     * You can select one or more values.
-     *
-     * If no value is provided, the endpoints will be filtered by the most accessible type:
-     *
-     * - if any public endpoints exist, all public endpoints are selected;
-     * - otherwise, if any external endpoints exist, all external endpoints are selected;
-     * - if neither exist, all internal endpoints are selected.
-     */
-    endpointFilter: endpointFilterSchema.default([]),
-
-    /**
-     * The mode to use for patching the existing endpoints.
-     *
-     * - `prepend`: Prepend the FQDN to the existing endpoints. It will make them prioritized.
-     * - `replace`: Replace the existing endpoints with the FQDN. It will ensure that the only the FQDN is used.
-     *
-     * The default is `prepend`.
-     */
-    patchMode: arrayPatchModeSchema.default("prepend"),
-  })
-}
-
 export const inputs = {
   /**
    * The DNS providers to use to create the DNS records.

package/src/k8s/apps/etcd.ts

@@ -0,0 +1,46 @@
+import { defineUnit } from "@highstate/contract"
+import { pick } from "remeda"
+import * as databases from "../../databases"
+import {
+  appName,
+  optionalSharedInputs,
+  sharedArgs,
+  sharedInputs,
+  sharedSecrets,
+  source,
+} from "./shared"
+
+/**
+ * The etcd instance deployed on Kubernetes.
+ */
+export const etcd = defineUnit({
+  type: "k8s.apps.etcd.v1",
+
+  args: {
+    ...appName("etcd"),
+    ...pick(sharedArgs, ["external"]),
+  },
+
+  secrets: {
+    ...pick(sharedSecrets, ["backupKey"]),
+  },
+
+  inputs: {
+    ...pick(sharedInputs, ["k8sCluster"]),
+    ...pick(optionalSharedInputs, ["resticRepo"]),
+  },
+
+  outputs: {
+    etcd: databases.etcdEntity,
+  },
+
+  meta: {
+    title: "etcd",
+    icon: "simple-icons:etcd",
+    iconColor: "#0069ab",
+    secondaryIcon: "mdi:database",
+    category: "Databases",
+  },
+
+  source: source("etcd/app"),
+})

package/src/k8s/apps/index.ts

@@ -1,4 +1,5 @@
 export * from "./code-server"
+export * from "./etcd"
 export * from "./grocy"
 export * from "./hubble"
 export * from "./kubernetes-dashboard"
@@ -22,4 +23,5 @@ export * from "./syncthing"
 export * from "./traefik"
 export * from "./valkey"
 export * from "./vaultwarden"
+export * from "./wg-feed-server"
 export * from "./workload"

package/src/k8s/apps/mariadb.ts

@@ -1,7 +1,6 @@
 import { defineUnit } from "@highstate/contract"
 import { pick } from "remeda"
 import * as databases from "../../databases"
-import { l4EndpointEntity } from "../../network"
 import { serviceEntity } from "../service"
 import {
   appName,
@@ -36,10 +35,6 @@ export const mariadb = defineUnit({
   outputs: {
     mariadb: databases.mariadbEntity,
     service: serviceEntity,
-    endpoints: {
-      entity: l4EndpointEntity,
-      multiple: true,
-    },
   },
 
   meta: {

package/src/k8s/apps/minio.ts

@@ -1,7 +1,6 @@
 import { $secrets, defineUnit, text, z } from "@highstate/contract"
 import { pick } from "remeda"
 import * as databases from "../../databases"
-import { l4EndpointEntity } from "../../network"
 import { serviceEntity } from "../service"
 import { appName, optionalSharedInputs, sharedArgs, sharedInputs, source } from "./shared"
 
@@ -64,10 +63,6 @@ export const minio = defineUnit({
   outputs: {
     s3: databases.s3Entity,
     service: serviceEntity,
-    endpoints: {
-      entity: l4EndpointEntity,
-      multiple: true,
-    },
   },
 
   meta: {

package/src/k8s/apps/mongodb.ts

@@ -1,7 +1,6 @@
 import { defineUnit } from "@highstate/contract"
 import { pick } from "remeda"
 import * as databases from "../../databases"
-import { l4EndpointEntity } from "../../network"
 import { serviceEntity } from "../service"
 import {
   appName,
@@ -37,10 +36,6 @@ export const mongodb = defineUnit({
   outputs: {
     mongodb: databases.mongodbEntity,
     service: serviceEntity,
-    endpoints: {
-      entity: l4EndpointEntity,
-      multiple: true,
-    },
   },
 
   meta: {

package/src/k8s/apps/postgresql.ts

@@ -1,7 +1,6 @@
 import { defineUnit } from "@highstate/contract"
 import { pick } from "remeda"
 import * as databases from "../../databases"
-import { l4EndpointEntity } from "../../network"
 import { serviceEntity } from "../service"
 import {
   appName,
@@ -37,10 +36,6 @@ export const postgresql = defineUnit({
   outputs: {
     postgresql: databases.postgresqlEntity,
     service: serviceEntity,
-    endpoints: {
-      entity: l4EndpointEntity,
-      multiple: true,
-    },
   },
 
   meta: {

package/src/k8s/apps/shared.ts

@@ -12,7 +12,13 @@ import {
 } from "@highstate/contract"
 import { mapValues } from "remeda"
 import { accessPointEntity } from "../../common"
-import { mariadbEntity, mongodbEntity, postgresqlEntity, redisEntity } from "../../databases"
+import {
+  etcdEntity,
+  mariadbEntity,
+  mongodbEntity,
+  postgresqlEntity,
+  redisEntity,
+} from "../../databases"
 import { providerEntity } from "../../dns"
 import { repositoryEntity } from "../../restic"
 import { namespaceEntity, persistentVolumeClaimEntity } from "../resources"
@@ -141,6 +147,9 @@ export const sharedInputs = $inputs({
   redis: {
     entity: redisEntity,
   },
+  etcd: {
+    entity: etcdEntity,
+  },
 })
 
 type ToOptionalInputs<T extends Record<string, FullComponentInputOptions>> = Simplify<{

package/src/k8s/apps/traefik.ts

@@ -13,7 +13,7 @@ export const traefik = defineUnit({
 
   args: {
     ...appName("traefik"),
-    ...pick(sharedArgs, ["external", "replicas", "endpoints"]),
+    ...pick(sharedArgs, ["external", "replicas"]),
 
     /**
      * The name of the class to configure for ingress and gateway resources.
@@ -21,6 +21,21 @@ export const traefik = defineUnit({
      * Defaults to "traefik".
      */
     className: z.string().default("traefik"),
+
+    /**
+     * Whether to create and enable reconciliation for Traefik CRDs.
+     */
+    enableTraefikCrds: z.boolean().default(true),
+
+    /**
+     * Whether to enable reconciliation for Ingress resources and create ingress class.
+     */
+    enableIngressApi: z.boolean().default(true),
+
+    /**
+     * Whether to enable reconciliation for Gateway API resources and create gateway class.
+     */
+    enableGatewayApi: z.boolean().default(false),
   },
 
   inputs: {

package/src/k8s/apps/valkey.ts

@@ -1,7 +1,6 @@
 import { defineUnit } from "@highstate/contract"
 import { pick } from "remeda"
 import { databases } from "../.."
-import { l4EndpointEntity } from "../../network"
 import { serviceEntity } from "../service"
 import {
   appName,
@@ -35,10 +34,6 @@ export const valkey = defineUnit({
   outputs: {
     redis: databases.redisEntity,
     service: serviceEntity,
-    endpoints: {
-      entity: l4EndpointEntity,
-      multiple: true,
-    },
   },
 
   meta: {

package/src/k8s/apps/wg-feed-server.ts

@@ -0,0 +1,34 @@
+import { defineUnit } from "@highstate/contract"
+import { pick } from "remeda"
+import { l4EndpointEntity } from "../../network"
+import { appName, sharedArgs, sharedInputs, source } from "./shared"
+
+/**
+ * The WG Feed Server deployed on Kubernetes.
+ */
+export const wgFeedServer = defineUnit({
+  type: "k8s.apps.wg-feed-server.v1",
+
+  args: {
+    ...appName("wg-feed-server"),
+    ...pick(sharedArgs, ["fqdn"]),
+  },
+
+  inputs: {
+    ...pick(sharedInputs, ["k8sCluster", "accessPoint", "etcd"]),
+  },
+
+  outputs: {
+    endpoint: l4EndpointEntity,
+  },
+
+  meta: {
+    title: "WG Feed Server",
+    icon: "simple-icons:wireguard",
+    iconColor: "#88171a",
+    secondaryIcon: "mdi:broadcast",
+    category: "Wireguard",
+  },
+
+  source: source("wg-feed-server"),
+})

package/src/k8s/reduced-access.ts

@@ -1,10 +1,8 @@
 import { defineUnit, z } from "@highstate/contract"
-import { certificateEntity, namespaceEntity, persistentVolumeClaimEntity } from "./resources"
-import { serviceEntity } from "./service"
+import { namespaceEntity, resourceEntity } from "./resources"
 import { clusterEntity } from "./shared"
-import { deploymentEntity, statefulSetEntity } from "./workload"
 
-const k8sVerbsSchema = z.enum([
+export const accessVerbSchema = z.enum([
   "get",
   "list",
   "watch",
@@ -15,26 +13,34 @@ const k8sVerbsSchema = z.enum([
   "deletecollection",
 ])
 
+export const acessRuleSchema = z.object({
+  apiGroups: z.string().array(),
+  resources: z.string().array(),
+  verbs: accessVerbSchema.array(),
+  resourceNames: z.string().array().default([]),
+})
+
 /**
  * Creates a reduced access cluster with ServiceAccount-based authentication for specific Kubernetes resources.
  */
 export const reducedAccessCluster = defineUnit({
-  type: "k8s.reduced-access-cluster.v0",
+  type: "k8s.reduced-access-cluster.v1",
 
   args: {
     /**
-     * The verbs to allow on the specified resources.
+     * The name of the ServiceAccount to create.
      *
-     * Defaults to read-only access (get, list, watch).
+     * If not provided, will be the same as the unit name.
      */
-    verbs: k8sVerbsSchema.array().default(["get", "list", "watch"]),
+    serviceAccountName: z.string().optional(),
 
     /**
-     * The name of the ServiceAccount to create.
+     * The rules defining the access permissions for the ServiceAccount.
      *
-     * If not provided, will be the same as the unit name.
+     * If rule's `apiGroups` and `resources` exactly match resources from the `resources` input,
+     * their names will be added to the rule's `resourceNames` list.
      */
-    serviceAccountName: z.string().optional(),
+    rules: acessRuleSchema.array().default([]),
   },
 
   inputs: {
@@ -46,55 +52,19 @@ export const reducedAccessCluster = defineUnit({
     namespace: namespaceEntity,
 
     /**
-     * The deployments to grant access to.
-     */
-    deployments: {
-      entity: deploymentEntity,
-      multiple: true,
-      required: false,
-    },
-
-    /**
-     * The stateful sets to grant access to.
-     */
-    statefulSets: {
-      entity: statefulSetEntity,
-      multiple: true,
-      required: false,
-    },
-
-    /**
-     * The services to grant access to.
-     */
-    services: {
-      entity: serviceEntity,
-      multiple: true,
-      required: false,
-    },
-
-    /**
-     * The persistent volume claims to grant access to.
-     */
-    persistentVolumeClaims: {
-      entity: persistentVolumeClaimEntity,
-      multiple: true,
-      required: false,
-    },
-
-    /**
-     * The secrets to grant access to.
+     * The extra namespaces to bind to the ClusterRole and allow ServiceAccount to access them with specified rules.
      */
-    secrets: {
-      entity: certificateEntity,
+    extraNamespaces: {
+      entity: namespaceEntity,
       multiple: true,
       required: false,
     },
 
     /**
-     * The config maps to grant access to.
+     * The resources to which access will be granted.
      */
-    configMaps: {
-      entity: certificateEntity,
+    resources: {
+      entity: resourceEntity,
       multiple: true,
       required: false,
     },