@intentius/chant-lexicon-gcp 0.0.22 → 0.1.0

package/src/composites/gke-cluster.ts

@@ -5,9 +5,14 @@
  * workload identity and autoscaling.
  */
 
+import { Composite, mergeDefaults } from "@intentius/chant";
+import { GKECluster, NodePool } from "../generated";
+
 export interface GkeClusterProps {
   /** Cluster name. */
   name: string;
+  /** GCP project ID for workload identity pool. Falls back to GCP_PROJECT_ID env var. */
+  projectId?: string;
   /** GCP region for regional cluster (default: uses GCP.Region). */
   location?: string;
   /** Initial node count per zone (default: 1). */
@@ -22,21 +27,46 @@ export interface GkeClusterProps {
   workloadIdentity?: boolean;
   /** Disk size in GB for nodes (default: 100). */
   diskSizeGb?: number;
+  /** Boot disk type for nodes (default: "pd-standard"). */
+  diskType?: string;
+  /** VPC network name (if omitted, uses default network). */
+  network?: string;
+  /** Subnetwork name for the cluster nodes. */
+  subnetwork?: string;
+  /**
+   * Enable private nodes — nodes have only internal IPs, no external IPs.
+   * Requires Cloud NAT for egress. Keeps master endpoint public so kubectl works from outside.
+   * Requires masterCidr when enabled.
+   */
+  privateNodes?: boolean;
+  /**
+   * CIDR block for the master's private endpoint (e.g. "172.16.0.0/28").
+   * Must be /28, unique per cluster, and not overlap with node/pod CIDRs.
+   * Required when privateNodes is true.
+   */
+  masterCidr?: string;
+  /**
+   * Restrict node pools to specific zones within the region.
+   * Useful when a region has capacity issues in some zones.
+   * E.g. ["us-east4-b"] to use only zone b of us-east4.
+   */
+  nodeLocations?: string[];
   /** GKE release channel (default: "REGULAR"). */
   releaseChannel?: "RAPID" | "REGULAR" | "STABLE";
   /** Additional labels. */
   labels?: Record<string, string>;
   /** Namespace for all resources. */
   namespace?: string;
-}
-
-export interface GkeClusterResult {
-  cluster: Record<string, unknown>;
-  nodePool: Record<string, unknown>;
+  /** Per-member defaults for customizing individual resources. */
+  defaults?: {
+    cluster?: Partial<ConstructorParameters<typeof GKECluster>[0]>;
+    nodePool?: Partial<ConstructorParameters<typeof NodePool>[0]>;
+    defaultPool?: Partial<ConstructorParameters<typeof NodePool>[0]>;
+  };
 }
 
 /**
- * Create a GkeCluster composite — returns prop objects for
+ * Create a GkeCluster composite — returns declarable instances for
  * a ContainerCluster and ContainerNodePool.
  *
  * @example
@@ -50,9 +80,10 @@ export interface GkeClusterResult {
  * });
  * ```
  */
-export function GkeCluster(props: GkeClusterProps): GkeClusterResult {
+export const GkeCluster = Composite<GkeClusterProps>((props) => {
   const {
     name,
+    projectId: rawProjectId,
     location,
     initialNodeCount = 1,
     machineType = "e2-medium",
@@ -60,11 +91,20 @@ export function GkeCluster(props: GkeClusterProps): GkeClusterResult {
     maxNodeCount = 5,
     workloadIdentity = true,
     diskSizeGb = 100,
+    diskType = "pd-standard",
+    network: networkName,
+    subnetwork: subnetworkName,
+    privateNodes = false,
+    masterCidr,
+    nodeLocations,
     releaseChannel = "REGULAR",
     labels: extraLabels = {},
     namespace,
+    defaults: defs,
   } = props;
 
+  const projectId = rawProjectId ?? process.env.GCP_PROJECT_ID ?? "PROJECT_ID";
+
   const commonLabels: Record<string, string> = {
     "app.kubernetes.io/name": name,
     "app.kubernetes.io/managed-by": "chant",
@@ -72,29 +112,47 @@ export function GkeCluster(props: GkeClusterProps): GkeClusterResult {
   };
 
   const clusterSpec: Record<string, unknown> = {
-    initialNodeCount: 1, // Minimal default pool, real nodes in separate pool
-    removeDefaultNodePool: true,
+    // GKE API requires initialNodeCount > 0 even when using a separate
+    // ContainerNodePool. Force pd-standard so the default pool doesn't
+    // consume SSD_TOTAL_GB quota (pd-balanced counts as SSD).
+    initialNodeCount: 1,
+    nodeConfig: {
+      machineType,
+      diskType: "pd-standard",
+      diskSizeGb: 50,
+    },
     releaseChannel: { channel: releaseChannel },
     ...(location && { location }),
+    ...(networkName && { networkRef: { name: networkName } }),
+    ...(subnetworkName && { subnetworkRef: { name: subnetworkName } }),
+    ...(nodeLocations && { nodeLocations }),
+    ...(privateNodes && {
+      privateClusterConfig: {
+        enablePrivateNodes: true,
+        // Keep master endpoint public so kubectl works from outside the VPC.
+        enablePrivateEndpoint: false,
+        ...(masterCidr && { masterIpv4CidrBlock: masterCidr }),
+      },
+    }),
   };
 
   if (workloadIdentity) {
     clusterSpec.workloadIdentityConfig = {
-      workloadPool: `PROJECT_ID.svc.id.goog`,
+      workloadPool: `${projectId}.svc.id.goog`,
     };
   }
 
-  const cluster: Record<string, unknown> = {
+  const cluster = new GKECluster(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
       labels: { ...commonLabels, "app.kubernetes.io/component": "cluster" },
     },
     ...clusterSpec,
-  };
+  } as Record<string, unknown>, defs?.cluster));
 
   const nodePoolName = `${name}-nodes`;
-  const nodePool: Record<string, unknown> = {
+  const nodePool = new NodePool(mergeDefaults({
     metadata: {
       name: nodePoolName,
       ...(namespace && { namespace }),
@@ -109,6 +167,7 @@ export function GkeCluster(props: GkeClusterProps): GkeClusterResult {
     nodeConfig: {
       machineType,
       diskSizeGb,
+      diskType,
       oauthScopes: ["https://www.googleapis.com/auth/cloud-platform"],
       ...(workloadIdentity && {
         workloadMetadataConfig: { mode: "GKE_METADATA" },
@@ -119,7 +178,23 @@ export function GkeCluster(props: GkeClusterProps): GkeClusterResult {
       autoUpgrade: true,
     },
     ...(location && { location }),
-  };
+  } as Record<string, unknown>, defs?.nodePool));
 
-  return { cluster, nodePool };
-}
+  // Adopt and scale the GKE-required default pool to 0.
+  // resourceID maps this K8s resource to the GCP pool named "default-pool".
+  // Config Connector retries until the workload pool has nodes, at which
+  // point GKE accepts the resize-to-zero.
+  const defaultPool = new NodePool(mergeDefaults({
+    metadata: {
+      name: `${name}-default-pool`,
+      ...(namespace && { namespace }),
+      labels: { ...commonLabels, "app.kubernetes.io/component": "default-pool" },
+    },
+    resourceID: "default-pool",
+    clusterRef: { name },
+    nodeCount: 0,
+    ...(location && { location }),
+  } as Record<string, unknown>, defs?.defaultPool));
+
+  return { cluster, nodePool, defaultPool };
+}, "GkeCluster");

package/src/composites/index.ts

@@ -1,20 +1,22 @@
 export { GkeCluster } from "./gke-cluster";
-export type { GkeClusterProps, GkeClusterResult } from "./gke-cluster";
-export { CloudRunService } from "./cloud-run-service";
-export type { CloudRunServiceProps, CloudRunServiceResult } from "./cloud-run-service";
+export type { GkeClusterProps } from "./gke-cluster";
+export { CloudRunServiceComposite } from "./cloud-run-service";
+export type { CloudRunServiceProps } from "./cloud-run-service";
 export { CloudSqlInstance } from "./cloud-sql-instance";
-export type { CloudSqlInstanceProps, CloudSqlInstanceResult } from "./cloud-sql-instance";
+export type { CloudSqlInstanceProps } from "./cloud-sql-instance";
 export { GcsBucket } from "./gcs-bucket";
-export type { GcsBucketProps, GcsBucketResult } from "./gcs-bucket";
+export type { GcsBucketProps } from "./gcs-bucket";
 export { VpcNetwork } from "./vpc-network";
-export type { VpcNetworkProps, VpcNetworkResult, VpcSubnet } from "./vpc-network";
+export type { VpcNetworkProps, VpcSubnet } from "./vpc-network";
 export { PubSubPipeline } from "./pubsub-pipeline";
-export type { PubSubPipelineProps, PubSubPipelineResult } from "./pubsub-pipeline";
+export type { PubSubPipelineProps } from "./pubsub-pipeline";
 export { CloudFunctionWithTrigger } from "./cloud-function";
-export type { CloudFunctionWithTriggerProps, CloudFunctionWithTriggerResult } from "./cloud-function";
+export type { CloudFunctionWithTriggerProps } from "./cloud-function";
 export { PrivateService } from "./private-service";
-export type { PrivateServiceProps, PrivateServiceResult } from "./private-service";
+export type { PrivateServiceProps } from "./private-service";
 export { ManagedCertificate } from "./managed-certificate";
-export type { ManagedCertificateProps, ManagedCertificateResult } from "./managed-certificate";
+export type { ManagedCertificateProps } from "./managed-certificate";
 export { SecureProject } from "./secure-project";
-export type { SecureProjectProps, SecureProjectResult } from "./secure-project";
+export type { SecureProjectProps } from "./secure-project";
+export { MemorystoreRedis } from "./memorystore-redis";
+export type { MemorystoreRedisProps } from "./memorystore-redis";

package/src/composites/managed-certificate.ts

@@ -2,6 +2,9 @@
  * ManagedCertificate composite — ManagedSslCertificate + optional TargetHttpsProxy + UrlMap.
  */
 
+import { Composite, mergeDefaults } from "@intentius/chant";
+import { ManagedSSLCertificate, TargetHTTPSProxy, URLMap } from "../generated";
+
 export interface ManagedCertificateProps {
   /** Certificate name. */
   name: string;
@@ -15,15 +18,15 @@ export interface ManagedCertificateProps {
   labels?: Record<string, string>;
   /** Namespace for all resources. */
   namespace?: string;
+  /** Per-member defaults for customizing individual resources. */
+  defaults?: {
+    certificate?: Partial<ConstructorParameters<typeof ManagedSSLCertificate>[0]>;
+    targetHttpsProxy?: Partial<ConstructorParameters<typeof TargetHTTPSProxy>[0]>;
+    urlMap?: Partial<ConstructorParameters<typeof URLMap>[0]>;
+  };
 }
 
-export interface ManagedCertificateResult {
-  certificate: Record<string, unknown>;
-  targetHttpsProxy?: Record<string, unknown>;
-  urlMap?: Record<string, unknown>;
-}
-
-export function ManagedCertificate(props: ManagedCertificateProps): ManagedCertificateResult {
+export const ManagedCertificate = Composite<ManagedCertificateProps>((props) => {
   const {
     name,
     domains,
@@ -31,6 +34,7 @@ export function ManagedCertificate(props: ManagedCertificateProps): ManagedCerti
     backendServiceName,
     labels: extraLabels = {},
     namespace,
+    defaults: defs,
   } = props;
 
   const commonLabels: Record<string, string> = {
@@ -39,7 +43,7 @@ export function ManagedCertificate(props: ManagedCertificateProps): ManagedCerti
     ...extraLabels,
   };
 
-  const certificate: Record<string, unknown> = {
+  const certificate = new ManagedSSLCertificate(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
@@ -48,12 +52,12 @@ export function ManagedCertificate(props: ManagedCertificateProps): ManagedCerti
     managed: {
       domains,
     },
-  };
+  } as Record<string, unknown>, defs?.certificate));
 
-  const result: ManagedCertificateResult = { certificate };
+  const result: Record<string, any> = { certificate };
 
   if (createProxy && backendServiceName) {
-    result.urlMap = {
+    result.urlMap = new URLMap(mergeDefaults({
       metadata: {
         name: `${name}-url-map`,
         ...(namespace && { namespace }),
@@ -62,9 +66,9 @@ export function ManagedCertificate(props: ManagedCertificateProps): ManagedCerti
       defaultService: {
         backendServiceRef: { name: backendServiceName },
       },
-    };
+    } as Record<string, unknown>, defs?.urlMap));
 
-    result.targetHttpsProxy = {
+    result.targetHttpsProxy = new TargetHTTPSProxy(mergeDefaults({
       metadata: {
         name: `${name}-proxy`,
         ...(namespace && { namespace }),
@@ -72,8 +76,8 @@ export function ManagedCertificate(props: ManagedCertificateProps): ManagedCerti
       },
       urlMapRef: { name: `${name}-url-map` },
       sslCertificates: [{ name }],
-    };
+    } as Record<string, unknown>, defs?.targetHttpsProxy));
   }
 
   return result;
-}
+}, "ManagedCertificate");

package/src/composites/memorystore-redis.ts

@@ -0,0 +1,101 @@
+/**
+ * MemorystoreRedis composite — RedisInstance with purpose-driven defaults.
+ */
+
+import { Composite, mergeDefaults } from "@intentius/chant";
+import { RedisInstance } from "../generated";
+
+export interface MemorystoreRedisProps {
+  /** Instance name. */
+  name: string;
+  /**
+   * Purpose drives the maxmemory-policy default:
+   * - "persistent" → "noeviction" (queues, shared_state must not evict)
+   * - "cache"      → "allkeys-lru" (cache/sessions can evict LRU)
+   */
+  purpose: "persistent" | "cache";
+  /** Memorystore tier (e.g. "BASIC", "STANDARD_HA"). */
+  tier: string;
+  /** Memory size in GB. */
+  memorySizeGb: number;
+  /** GCP region. */
+  region: string;
+  /** authorizedNetworkRef.name — the VPC network to authorize. */
+  networkRef: string;
+  /** Redis version (default: "REDIS_7_0"). */
+  redisVersion?: string;
+  /** Enable AUTH (default: true). */
+  authEnabled?: boolean;
+  /** Namespace for all resources. */
+  namespace?: string;
+  /** Additional labels. */
+  labels?: Record<string, string>;
+  /** Per-member defaults for customizing individual resources. */
+  defaults?: {
+    instance?: Partial<Record<string, unknown>>;
+  };
+}
+
+/**
+ * Create a MemorystoreRedis composite.
+ *
+ * @example
+ * ```ts
+ * import { MemorystoreRedis } from "@intentius/chant-lexicon-gcp";
+ *
+ * const { instance } = MemorystoreRedis({
+ *   name: "my-app-persistent",
+ *   purpose: "persistent",
+ *   tier: "STANDARD_HA",
+ *   memorySizeGb: 5,
+ *   region: "us-central1",
+ *   networkRef: "my-vpc",
+ * });
+ * ```
+ */
+export const MemorystoreRedis = Composite<MemorystoreRedisProps>((props) => {
+  const {
+    name,
+    purpose,
+    tier,
+    memorySizeGb,
+    region,
+    networkRef,
+    redisVersion = "REDIS_7_0",
+    authEnabled = true,
+    namespace,
+    labels: extraLabels = {},
+    defaults: defs,
+  } = props;
+
+  const maxmemoryPolicy = purpose === "persistent" ? "noeviction" : "allkeys-lru";
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const instance = new RedisInstance(mergeDefaults({
+    metadata: {
+      name,
+      ...(namespace && { namespace }),
+      labels: { ...commonLabels, "app.kubernetes.io/component": "cache" },
+    },
+    region,
+    tier,
+    memorySizeGb,
+    authEnabled,
+    redisVersion,
+    connectMode: "PRIVATE_SERVICE_ACCESS",
+    authorizedNetworkRef: { name: networkRef },
+    // TLS disabled: GitLab's redis-rb client requires either no TLS or a custom CA cert
+    // injected via REDIS_SSL_CA_FILE. AUTH (authEnabled: true) provides access control.
+    transitEncryptionMode: "DISABLED",
+    redisConfigs: {
+      "maxmemory-policy": maxmemoryPolicy,
+    },
+  } as Record<string, unknown>, defs?.instance));
+
+  return { instance };
+}, "MemorystoreRedis");

package/src/composites/private-service.ts

@@ -2,6 +2,13 @@
  * PrivateService composite — GlobalAddress + ServiceNetworkingConnection + optional DNS.
  */
 
+import { Composite, mergeDefaults } from "@intentius/chant";
+import {
+  ComputeAddress,
+  ServicenetworkingConnection,
+  DNSManagedZone,
+} from "../generated";
+
 export interface PrivateServiceProps {
   /** Service name. */
   name: string;
@@ -23,15 +30,15 @@ export interface PrivateServiceProps {
   labels?: Record<string, string>;
   /** Namespace for all resources. */
   namespace?: string;
+  /** Per-member defaults for customizing individual resources. */
+  defaults?: {
+    globalAddress?: Partial<ConstructorParameters<typeof ComputeAddress>[0]>;
+    serviceConnection?: Partial<ConstructorParameters<typeof ServicenetworkingConnection>[0]>;
+    dnsZone?: Partial<ConstructorParameters<typeof DNSManagedZone>[0]>;
+  };
 }
 
-export interface PrivateServiceResult {
-  globalAddress: Record<string, unknown>;
-  serviceConnection: Record<string, unknown>;
-  dnsZone?: Record<string, unknown>;
-}
-
-export function PrivateService(props: PrivateServiceProps): PrivateServiceResult {
+export const PrivateService = Composite<PrivateServiceProps>((props) => {
   const {
     name,
     networkName,
@@ -43,6 +50,7 @@ export function PrivateService(props: PrivateServiceProps): PrivateServiceResult
     dnsSuffix = "internal.",
     labels: extraLabels = {},
     namespace,
+    defaults: defs,
   } = props;
 
   const commonLabels: Record<string, string> = {
@@ -51,7 +59,7 @@ export function PrivateService(props: PrivateServiceProps): PrivateServiceResult
     ...extraLabels,
   };
 
-  const globalAddress: Record<string, unknown> = {
+  const globalAddress = new ComputeAddress(mergeDefaults({
     metadata: {
       name: `${name}-address`,
       ...(namespace && { namespace }),
@@ -61,9 +69,9 @@ export function PrivateService(props: PrivateServiceProps): PrivateServiceResult
     purpose,
     prefixLength,
     networkRef: { name: networkName },
-  };
+  } as Record<string, unknown>, defs?.globalAddress));
 
-  const serviceConnection: Record<string, unknown> = {
+  const serviceConnection = new ServicenetworkingConnection(mergeDefaults({
     metadata: {
       name: `${name}-connection`,
       ...(namespace && { namespace }),
@@ -72,12 +80,12 @@ export function PrivateService(props: PrivateServiceProps): PrivateServiceResult
     networkRef: { name: networkName },
     service: "servicenetworking.googleapis.com",
     reservedPeeringRanges: [{ name: `${name}-address` }],
-  };
+  } as Record<string, unknown>, defs?.serviceConnection));
 
-  const result: PrivateServiceResult = { globalAddress, serviceConnection };
+  const result: Record<string, any> = { globalAddress, serviceConnection };
 
   if (enableDns) {
-    result.dnsZone = {
+    result.dnsZone = new DNSManagedZone(mergeDefaults({
       metadata: {
         name: dnsZoneName ?? `${name}-dns`,
         ...(namespace && { namespace }),
@@ -88,8 +96,8 @@ export function PrivateService(props: PrivateServiceProps): PrivateServiceResult
       privateVisibilityConfig: {
         networks: [{ networkRef: { name: networkName } }],
       },
-    };
+    } as Record<string, unknown>, defs?.dnsZone));
   }
 
   return result;
-}
+}, "PrivateService");

package/src/composites/pubsub-pipeline.ts

@@ -2,6 +2,9 @@
  * PubSubPipeline composite — Topic + Subscription + optional DLQ topic + subscriber IAM binding.
  */
 
+import { Composite, mergeDefaults } from "@intentius/chant";
+import { PubSubTopic, PubSubSubscription, IAMPolicyMember } from "../generated";
+
 export interface PubSubPipelineProps {
   /** Pipeline name. */
   name: string;
@@ -19,16 +22,16 @@ export interface PubSubPipelineProps {
   labels?: Record<string, string>;
   /** Namespace for all resources. */
   namespace?: string;
+  /** Per-member defaults for customizing individual resources. */
+  defaults?: {
+    topic?: Partial<ConstructorParameters<typeof PubSubTopic>[0]>;
+    subscription?: Partial<ConstructorParameters<typeof PubSubSubscription>[0]>;
+    deadLetterTopic?: Partial<ConstructorParameters<typeof PubSubTopic>[0]>;
+    subscriberIam?: Partial<ConstructorParameters<typeof IAMPolicyMember>[0]>;
+  };
 }
 
-export interface PubSubPipelineResult {
-  topic: Record<string, unknown>;
-  subscription: Record<string, unknown>;
-  deadLetterTopic?: Record<string, unknown>;
-  subscriberIam?: Record<string, unknown>;
-}
-
-export function PubSubPipeline(props: PubSubPipelineProps): PubSubPipelineResult {
+export const PubSubPipeline = Composite<PubSubPipelineProps>((props) => {
   const {
     name,
     ackDeadlineSeconds = 10,
@@ -38,6 +41,7 @@ export function PubSubPipeline(props: PubSubPipelineProps): PubSubPipelineResult
     subscriberServiceAccount,
     labels: extraLabels = {},
     namespace,
+    defaults: defs,
   } = props;
 
   const commonLabels: Record<string, string> = {
@@ -46,15 +50,15 @@ export function PubSubPipeline(props: PubSubPipelineProps): PubSubPipelineResult
     ...extraLabels,
   };
 
-  const topic: Record<string, unknown> = {
+  const topic = new PubSubTopic(mergeDefaults({
     metadata: {
       name: `${name}-topic`,
       ...(namespace && { namespace }),
       labels: { ...commonLabels, "app.kubernetes.io/component": "topic" },
     },
-  };
+  } as Record<string, unknown>, defs?.topic));
 
-  const subscription: Record<string, unknown> = {
+  const subscriptionProps: Record<string, unknown> = {
     metadata: {
       name: `${name}-subscription`,
       ...(namespace && { namespace }),
@@ -65,24 +69,32 @@ export function PubSubPipeline(props: PubSubPipelineProps): PubSubPipelineResult
     messageRetentionDuration,
   };
 
-  const result: PubSubPipelineResult = { topic, subscription };
+  const result: Record<string, any> = { topic };
 
   if (enableDeadLetterQueue) {
-    result.deadLetterTopic = {
+    result.deadLetterTopic = new PubSubTopic(mergeDefaults({
       metadata: {
         name: `${name}-dlq`,
         ...(namespace && { namespace }),
         labels: { ...commonLabels, "app.kubernetes.io/component": "dead-letter" },
       },
-    };
-    subscription.deadLetterPolicy = {
+    } as Record<string, unknown>, defs?.deadLetterTopic));
+
+    subscriptionProps.deadLetterPolicy = {
       deadLetterTopicRef: { name: `${name}-dlq` },
       maxDeliveryAttempts,
     };
   }
 
+  const subscription = new PubSubSubscription(mergeDefaults(
+    subscriptionProps,
+    defs?.subscription,
+  ));
+
+  result.subscription = subscription;
+
   if (subscriberServiceAccount) {
-    result.subscriberIam = {
+    result.subscriberIam = new IAMPolicyMember(mergeDefaults({
       metadata: {
         name: `${name}-subscriber`,
         ...(namespace && { namespace }),
@@ -95,8 +107,8 @@ export function PubSubPipeline(props: PubSubPipelineProps): PubSubPipelineResult
         kind: "PubSubSubscription",
         name: `${name}-subscription`,
       },
-    };
+    } as Record<string, unknown>, defs?.subscriberIam));
   }
 
   return result;
-}
+}, "PubSubPipeline");