@highstate/library 0.9.26 → 0.9.28

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@highstate/library",
-  "version": "0.9.26",
+  "version": "0.9.28",
   "type": "module",
   "highstate": {
     "type": "library"
@@ -25,14 +25,14 @@
     "biome:check": "biome check --error-on-warnings"
   },
   "dependencies": {
-    "@highstate/contract": "^0.9.26",
+    "@highstate/contract": "^0.9.28",
     "remeda": "^2.21.0"
   },
   "devDependencies": {
     "@biomejs/biome": "2.2.0",
-    "@highstate/cli": "^0.9.26",
+    "@highstate/cli": "^0.9.28",
     "@typescript/native-preview": "^7.0.0-dev.20250920.1",
     "type-fest": "^4.41.0"
   },
-  "gitHead": "64e8a656a17dfcce88727c24969f9a3b73539ac9"
+  "gitHead": "6de09d98fa66e808c42aba7fe65e6e0762945b9b"
 }

package/src/common/access-point.ts

@@ -55,6 +55,11 @@ export const accessPointEntity = defineEntity({
      * The DNS providers used to manage the DNS records for the access point.
      */
     dnsProviders: dns.providerEntity.schema.array(),
+
+    /**
+     * Whether the DNS records created for the access point should be proxied.
+     */
+    proxied: z.boolean().default(false),
   }),
 
   meta: {
@@ -70,6 +75,18 @@ export const accessPointEntity = defineEntity({
 export const accessPoint = defineUnit({
   type: "common.access-point.v1",
 
+  args: {
+    /**
+     * Whether the DNS records created for the access point should be proxied.
+     *
+     * This option is specific to certain DNS providers that support proxying, such as Cloudflare.
+     * When enabled, the DNS records will be proxied through the provider's network, providing additional security and performance benefits.
+     *
+     * Defaults to `false`.
+     */
+    proxied: z.boolean().default(false),
+  },
+
   inputs: {
     gateway: gatewayEntity,
     tlsIssuers: {

package/src/k8s/apps/workload.ts

@@ -1,6 +1,7 @@
 import { defineUnit, z } from "@highstate/contract"
 import { pick } from "remeda"
 import { portSchema } from "../../network"
+import { namespaceEntity } from "../resources"
 import { serviceEntity, serviceTypeSchema } from "../service"
 import { deploymentEntity } from "../workload"
 import { optionalSharedInputs, sharedInputs, source } from "./shared"
@@ -71,6 +72,11 @@ export const workload = defineUnit({
      */
     image: z.string(),
 
+    /**
+     * The command to run in the container.
+     */
+    command: z.array(z.string()).default([]),
+
     /**
      * The port to expose for the workload.
      *
@@ -199,6 +205,7 @@ export const workload = defineUnit({
   },
 
   outputs: {
+    namespace: namespaceEntity,
     deployment: deploymentEntity,
     service: serviceEntity,
   },
@@ -210,5 +217,5 @@ export const workload = defineUnit({
     category: "Kubernetes",
   },
 
-  source: source("deployment"),
+  source: source("workload"),
 })

package/src/k8s/index.ts

@@ -3,6 +3,7 @@ export * from "./cert-manager"
 export * from "./cilium"
 export * from "./gateway"
 export * as obfuscators from "./obfuscators"
+export * from "./reduced-access"
 export * from "./resources"
 export * from "./service"
 export * from "./shared"

package/src/k8s/reduced-access.ts

@@ -0,0 +1,118 @@
+import { defineUnit, z } from "@highstate/contract"
+import { certificateEntity, namespaceEntity, persistentVolumeClaimEntity } from "./resources"
+import { serviceEntity } from "./service"
+import { clusterEntity } from "./shared"
+import { deploymentEntity, statefulSetEntity } from "./workload"
+
+const k8sVerbsSchema = z.enum([
+  "get",
+  "list",
+  "watch",
+  "create",
+  "update",
+  "patch",
+  "delete",
+  "deletecollection",
+])
+
+/**
+ * Creates a reduced access cluster with ServiceAccount-based authentication for specific Kubernetes resources.
+ */
+export const reducedAccessCluster = defineUnit({
+  type: "k8s.reduced-access-cluster.v1",
+
+  args: {
+    /**
+     * The verbs to allow on the specified resources.
+     *
+     * Defaults to read-only access (get, list, watch).
+     */
+    verbs: k8sVerbsSchema.array().default(["get", "list", "watch"]),
+
+    /**
+     * The name of the ServiceAccount to create.
+     *
+     * If not provided, will be the same as the unit name.
+     */
+    serviceAccountName: z.string().optional(),
+  },
+
+  inputs: {
+    k8sCluster: clusterEntity,
+
+    /**
+     * The namespace where the ServiceAccount will be created.
+     */
+    namespace: namespaceEntity,
+
+    /**
+     * The deployments to grant access to.
+     */
+    deployments: {
+      entity: deploymentEntity,
+      multiple: true,
+      required: false,
+    },
+
+    /**
+     * The stateful sets to grant access to.
+     */
+    statefulSets: {
+      entity: statefulSetEntity,
+      multiple: true,
+      required: false,
+    },
+
+    /**
+     * The services to grant access to.
+     */
+    services: {
+      entity: serviceEntity,
+      multiple: true,
+      required: false,
+    },
+
+    /**
+     * The persistent volume claims to grant access to.
+     */
+    persistentVolumeClaims: {
+      entity: persistentVolumeClaimEntity,
+      multiple: true,
+      required: false,
+    },
+
+    /**
+     * The secrets to grant access to.
+     */
+    secrets: {
+      entity: certificateEntity,
+      multiple: true,
+      required: false,
+    },
+
+    /**
+     * The config maps to grant access to.
+     */
+    configMaps: {
+      entity: certificateEntity,
+      multiple: true,
+      required: false,
+    },
+  },
+
+  outputs: {
+    k8sCluster: clusterEntity,
+  },
+
+  meta: {
+    title: "Reduced Access Cluster",
+    icon: "devicon:kubernetes",
+    secondaryIcon: "mdi:shield-lock",
+    category: "Kubernetes",
+  },
+
+  source: {
+    package: "@highstate/k8s",
+    path: "units/reduced-access-cluster",
+  },
+})