@intentius/chant-lexicon-helm 0.0.16

package/src/composites/helm-batch-job.ts

@@ -0,0 +1,209 @@
+/**
+ * HelmBatchJob composite — Job + optional ServiceAccount + RBAC.
+ *
+ * One-shot batch job pattern with optional RBAC for jobs that need
+ * Kubernetes API access (e.g., data migrations, cluster operations).
+ */
+
+import { values, include, printf, toYaml, If, With } from "../intrinsics";
+
+export interface HelmBatchJobProps {
+  /** Chart and release name. */
+  name: string;
+  /** Default container image repository. */
+  imageRepository?: string;
+  /** Default container image tag. */
+  imageTag?: string;
+  /** Backoff limit for retries. */
+  backoffLimit?: number;
+  /** Number of completions required. */
+  completions?: number;
+  /** Parallelism level. */
+  parallelism?: number;
+  /** Default restart policy. */
+  restartPolicy?: string;
+  /** TTL seconds after job finishes. */
+  ttlSecondsAfterFinished?: number;
+  /** Include ServiceAccount. Default: true. */
+  serviceAccount?: boolean;
+  /** Include RBAC (Role + RoleBinding). Default: false. */
+  rbac?: boolean;
+  /** Pod-level security context defaults. */
+  podSecurityContext?: Record<string, unknown>;
+  /** Container-level security context defaults. */
+  securityContext?: Record<string, unknown>;
+  /** Node selector defaults. */
+  nodeSelector?: Record<string, string>;
+  /** Tolerations defaults. */
+  tolerations?: Array<Record<string, unknown>>;
+  /** Chart appVersion. */
+  appVersion?: string;
+}
+
+export interface HelmBatchJobResult {
+  chart: Record<string, unknown>;
+  values: Record<string, unknown>;
+  job: Record<string, unknown>;
+  serviceAccount?: Record<string, unknown>;
+  role?: Record<string, unknown>;
+  roleBinding?: Record<string, unknown>;
+}
+
+export function HelmBatchJob(props: HelmBatchJobProps): HelmBatchJobResult {
+  const {
+    name,
+    imageRepository = "busybox",
+    imageTag = "latest",
+    backoffLimit = 6,
+    completions = 1,
+    parallelism = 1,
+    restartPolicy = "OnFailure",
+    serviceAccount = true,
+    rbac = false,
+    appVersion = "1.0.0",
+  } = props;
+
+  const chart = {
+    apiVersion: "v2",
+    name,
+    version: "0.1.0",
+    appVersion,
+    type: "application",
+    description: `A Helm chart for ${name} batch job`,
+  };
+
+  const valuesObj: Record<string, unknown> = {
+    image: {
+      repository: imageRepository,
+      tag: imageTag,
+      pullPolicy: "IfNotPresent",
+    },
+    job: {
+      backoffLimit,
+      completions,
+      parallelism,
+    },
+    restartPolicy,
+    command: [],
+    args: [],
+    resources: {},
+  };
+
+  if (props.ttlSecondsAfterFinished !== undefined) {
+    (valuesObj.job as Record<string, unknown>).ttlSecondsAfterFinished = props.ttlSecondsAfterFinished;
+  }
+
+  if (props.podSecurityContext) valuesObj.podSecurityContext = props.podSecurityContext;
+  if (props.securityContext) valuesObj.securityContext = props.securityContext;
+  if (props.nodeSelector) valuesObj.nodeSelector = props.nodeSelector;
+  if (props.tolerations) valuesObj.tolerations = props.tolerations;
+
+  if (serviceAccount) {
+    valuesObj.serviceAccount = {
+      create: true,
+      name: "",
+      annotations: {},
+    };
+  }
+
+  if (rbac) {
+    valuesObj.rbac = {
+      create: true,
+      rules: [],
+    };
+  }
+
+  const containerSpec: Record<string, unknown> = {
+    name,
+    image: printf("%s:%s", values.image.repository, values.image.tag),
+    imagePullPolicy: values.image.pullPolicy,
+    command: values.command,
+    args: values.args,
+    resources: toYaml(values.resources),
+  };
+
+  if (props.securityContext) containerSpec.securityContext = toYaml(values.securityContext);
+
+  const podSpec: Record<string, unknown> = {
+    restartPolicy: values.restartPolicy,
+    containers: [containerSpec],
+  };
+
+  if (props.podSecurityContext) podSpec.securityContext = toYaml(values.podSecurityContext);
+  if (props.nodeSelector) podSpec.nodeSelector = With(values.nodeSelector, toYaml(values.nodeSelector));
+  if (props.tolerations) podSpec.tolerations = With(values.tolerations, toYaml(values.tolerations));
+  if (serviceAccount) podSpec.serviceAccountName = include(`${name}.serviceAccountName`);
+
+  const jobSpec: Record<string, unknown> = {
+    backoffLimit: values.job.backoffLimit,
+    completions: values.job.completions,
+    parallelism: values.job.parallelism,
+    template: {
+      metadata: {
+        labels: include(`${name}.selectorLabels`),
+      },
+      spec: podSpec,
+    },
+  };
+
+  if (props.ttlSecondsAfterFinished !== undefined) {
+    jobSpec.ttlSecondsAfterFinished = values.job.ttlSecondsAfterFinished;
+  }
+
+  const job = {
+    apiVersion: "batch/v1",
+    kind: "Job",
+    metadata: {
+      name: include(`${name}.fullname`),
+      labels: include(`${name}.labels`),
+    },
+    spec: jobSpec,
+  };
+
+  const result: HelmBatchJobResult = { chart, values: valuesObj, job };
+
+  if (serviceAccount) {
+    result.serviceAccount = {
+      apiVersion: "v1",
+      kind: "ServiceAccount",
+      metadata: {
+        name: include(`${name}.serviceAccountName`),
+        labels: include(`${name}.labels`),
+        annotations: toYaml(values.serviceAccount.annotations),
+      },
+    };
+  }
+
+  if (rbac) {
+    result.role = {
+      apiVersion: "rbac.authorization.k8s.io/v1",
+      kind: "Role",
+      metadata: {
+        name: include(`${name}.fullname`),
+        labels: include(`${name}.labels`),
+      },
+      rules: toYaml(values.rbac.rules),
+    };
+
+    result.roleBinding = {
+      apiVersion: "rbac.authorization.k8s.io/v1",
+      kind: "RoleBinding",
+      metadata: {
+        name: include(`${name}.fullname`),
+        labels: include(`${name}.labels`),
+      },
+      roleRef: {
+        apiGroup: "rbac.authorization.k8s.io",
+        kind: "Role",
+        name: include(`${name}.fullname`),
+      },
+      subjects: [{
+        kind: "ServiceAccount",
+        name: include(`${name}.serviceAccountName`),
+        namespace: values.namespace ?? undefined,
+      }],
+    };
+  }
+
+  return result;
+}

package/src/composites/helm-crd-lifecycle.ts

@@ -0,0 +1,184 @@
+/**
+ * HelmCRDLifecycle composite — managed CRD lifecycle via Helm hooks.
+ *
+ * Produces a Job-based CRD installer that runs as a pre-install/pre-upgrade
+ * hook, solving the Helm limitation that CRDs in crds/ are never upgraded
+ * or deleted.
+ */
+
+import { values, include, printf } from "../intrinsics";
+
+export interface HelmCRDLifecycleProps {
+  /** Chart and release name. */
+  name: string;
+  /** Raw CRD YAML content. */
+  crdContent: string;
+  /** kubectl image. Default: "bitnami/kubectl" */
+  kubectlImage?: string;
+  /** kubectl image tag. Default: "latest" */
+  kubectlTag?: string;
+  /** ServiceAccount name for RBAC. */
+  serviceAccountName?: string;
+}
+
+export interface HelmCRDLifecycleResult {
+  chart: Record<string, unknown>;
+  values: Record<string, unknown>;
+  crdInstallJob: Record<string, unknown>;
+  crdConfigMap: Record<string, unknown>;
+  serviceAccount: Record<string, unknown>;
+  clusterRole: Record<string, unknown>;
+  clusterRoleBinding: Record<string, unknown>;
+}
+
+export function HelmCRDLifecycle(props: HelmCRDLifecycleProps): HelmCRDLifecycleResult {
+  const {
+    name,
+    crdContent,
+    kubectlImage = "bitnami/kubectl",
+    kubectlTag = "latest",
+    serviceAccountName,
+  } = props;
+
+  const saName = serviceAccountName ?? `${name}-crd-installer`;
+
+  const chart = {
+    apiVersion: "v2",
+    name,
+    version: "0.1.0",
+    type: "application",
+    description: `CRD lifecycle management for ${name}`,
+  };
+
+  const valuesObj = {
+    crdLifecycle: {
+      enabled: true,
+      kubectl: {
+        image: kubectlImage,
+        tag: kubectlTag,
+      },
+      serviceAccount: {
+        name: saName,
+      },
+    },
+  };
+
+  const hookAnnotations = {
+    "helm.sh/hook": "pre-install,pre-upgrade",
+    "helm.sh/hook-weight": "-5",
+    "helm.sh/hook-delete-policy": "before-hook-creation",
+  };
+
+  const crdConfigMap = {
+    apiVersion: "v1",
+    kind: "ConfigMap",
+    metadata: {
+      name: printf("%s-crd-content", include(`${name}.fullname`)),
+      labels: include(`${name}.labels`),
+      annotations: hookAnnotations,
+    },
+    data: {
+      "crds.yaml": crdContent,
+    },
+  };
+
+  const serviceAccount = {
+    apiVersion: "v1",
+    kind: "ServiceAccount",
+    metadata: {
+      name: values.crdLifecycle.serviceAccount.name,
+      labels: include(`${name}.labels`),
+      annotations: hookAnnotations,
+    },
+  };
+
+  const clusterRole = {
+    apiVersion: "rbac.authorization.k8s.io/v1",
+    kind: "ClusterRole",
+    metadata: {
+      name: printf("%s-crd-installer", include(`${name}.fullname`)),
+      labels: include(`${name}.labels`),
+      annotations: hookAnnotations,
+    },
+    rules: [{
+      apiGroups: ["apiextensions.k8s.io"],
+      resources: ["customresourcedefinitions"],
+      verbs: ["get", "list", "create", "update", "patch"],
+    }],
+  };
+
+  const clusterRoleBinding = {
+    apiVersion: "rbac.authorization.k8s.io/v1",
+    kind: "ClusterRoleBinding",
+    metadata: {
+      name: printf("%s-crd-installer", include(`${name}.fullname`)),
+      labels: include(`${name}.labels`),
+      annotations: hookAnnotations,
+    },
+    roleRef: {
+      apiGroup: "rbac.authorization.k8s.io",
+      kind: "ClusterRole",
+      name: printf("%s-crd-installer", include(`${name}.fullname`)),
+    },
+    subjects: [{
+      kind: "ServiceAccount",
+      name: values.crdLifecycle.serviceAccount.name,
+      namespace: "{{ .Release.Namespace }}",
+    }],
+  };
+
+  const crdInstallJob = {
+    apiVersion: "batch/v1",
+    kind: "Job",
+    metadata: {
+      name: printf("%s-crd-install", include(`${name}.fullname`)),
+      labels: include(`${name}.labels`),
+      annotations: hookAnnotations,
+    },
+    spec: {
+      template: {
+        metadata: {
+          labels: include(`${name}.selectorLabels`),
+        },
+        spec: {
+          serviceAccountName: values.crdLifecycle.serviceAccount.name,
+          restartPolicy: "Never",
+          securityContext: {
+            runAsNonRoot: true,
+            runAsUser: 1000,
+          },
+          containers: [{
+            name: "crd-installer",
+            image: printf("%s:%s", values.crdLifecycle.kubectl.image, values.crdLifecycle.kubectl.tag),
+            command: ["kubectl", "apply", "-f", "/crds/"],
+            securityContext: {
+              readOnlyRootFilesystem: true,
+              allowPrivilegeEscalation: false,
+            },
+            volumeMounts: [{
+              name: "crd-content",
+              mountPath: "/crds",
+              readOnly: true,
+            }],
+          }],
+          volumes: [{
+            name: "crd-content",
+            configMap: {
+              name: printf("%s-crd-content", include(`${name}.fullname`)),
+            },
+          }],
+        },
+      },
+    },
+  };
+
+  return {
+    chart,
+    values: valuesObj,
+    crdInstallJob,
+    crdConfigMap,
+    serviceAccount,
+    clusterRole,
+    clusterRoleBinding,
+  };
+}

package/src/composites/helm-cron-job.ts

@@ -0,0 +1,177 @@
+/**
+ * HelmCronJob composite — CronJob chart.
+ *
+ * Produces a Helm chart for scheduled batch workloads.
+ */
+
+import { values, include, printf, toYaml, With } from "../intrinsics";
+
+export interface HelmCronJobProps {
+  /** Chart and release name. */
+  name: string;
+  /** Default container image repository. */
+  imageRepository?: string;
+  /** Default container image tag. */
+  imageTag?: string;
+  /** Default cron schedule. */
+  schedule?: string;
+  /** Default restart policy. */
+  restartPolicy?: string;
+  /** Chart appVersion. */
+  appVersion?: string;
+  /** Pod-level security context defaults. */
+  podSecurityContext?: Record<string, unknown>;
+  /** Container-level security context defaults. */
+  securityContext?: Record<string, unknown>;
+  /** Node selector defaults. */
+  nodeSelector?: Record<string, string>;
+  /** Tolerations defaults. */
+  tolerations?: Array<Record<string, unknown>>;
+  /** Affinity defaults. */
+  affinity?: Record<string, unknown>;
+  /** Pod annotations defaults. */
+  podAnnotations?: Record<string, string>;
+  /** Concurrency policy. */
+  concurrencyPolicy?: string;
+  /** Number of successful job completions to retain. */
+  successfulJobsHistoryLimit?: number;
+  /** Number of failed job completions to retain. */
+  failedJobsHistoryLimit?: number;
+  /** Backoff limit for job retries. */
+  backoffLimit?: number;
+  /** Include ServiceAccount. Default: false. */
+  serviceAccount?: boolean;
+}
+
+export interface HelmCronJobResult {
+  chart: Record<string, unknown>;
+  values: Record<string, unknown>;
+  cronJob: Record<string, unknown>;
+  serviceAccount?: Record<string, unknown>;
+}
+
+export function HelmCronJob(props: HelmCronJobProps): HelmCronJobResult {
+  const {
+    name,
+    imageRepository = "busybox",
+    imageTag = "latest",
+    schedule = "0 * * * *",
+    restartPolicy = "OnFailure",
+    appVersion = "1.0.0",
+    serviceAccount = false,
+  } = props;
+
+  const chart = {
+    apiVersion: "v2",
+    name,
+    version: "0.1.0",
+    appVersion,
+    type: "application",
+    description: `A Helm chart for ${name} (cron job)`,
+  };
+
+  const valuesObj: Record<string, unknown> = {
+    image: {
+      repository: imageRepository,
+      tag: imageTag,
+      pullPolicy: "IfNotPresent",
+    },
+    schedule,
+    restartPolicy,
+    command: [],
+    args: [],
+    resources: {},
+  };
+
+  if (props.podSecurityContext) valuesObj.podSecurityContext = props.podSecurityContext;
+  if (props.securityContext) valuesObj.securityContext = props.securityContext;
+  if (props.nodeSelector) valuesObj.nodeSelector = props.nodeSelector;
+  if (props.tolerations) valuesObj.tolerations = props.tolerations;
+  if (props.affinity) valuesObj.affinity = props.affinity;
+  if (props.podAnnotations) valuesObj.podAnnotations = props.podAnnotations;
+  if (props.concurrencyPolicy) valuesObj.concurrencyPolicy = props.concurrencyPolicy;
+  if (props.successfulJobsHistoryLimit !== undefined) valuesObj.successfulJobsHistoryLimit = props.successfulJobsHistoryLimit;
+  if (props.failedJobsHistoryLimit !== undefined) valuesObj.failedJobsHistoryLimit = props.failedJobsHistoryLimit;
+  if (props.backoffLimit !== undefined) valuesObj.backoffLimit = props.backoffLimit;
+
+  if (serviceAccount) {
+    valuesObj.serviceAccount = {
+      create: true,
+      name: "",
+      annotations: {},
+    };
+  }
+
+  const containerSpec: Record<string, unknown> = {
+    name,
+    image: printf("%s:%s", values.image.repository, values.image.tag),
+    imagePullPolicy: values.image.pullPolicy,
+    command: values.command,
+    args: values.args,
+    resources: toYaml(values.resources),
+  };
+
+  if (props.securityContext) containerSpec.securityContext = toYaml(values.securityContext);
+
+  const podSpec: Record<string, unknown> = {
+    restartPolicy: values.restartPolicy,
+    containers: [containerSpec],
+  };
+
+  if (props.podSecurityContext) podSpec.securityContext = toYaml(values.podSecurityContext);
+  if (props.nodeSelector) podSpec.nodeSelector = With(values.nodeSelector, toYaml(values.nodeSelector));
+  if (props.tolerations) podSpec.tolerations = With(values.tolerations, toYaml(values.tolerations));
+  if (props.affinity) podSpec.affinity = With(values.affinity, toYaml(values.affinity));
+  if (serviceAccount) podSpec.serviceAccountName = include(`${name}.serviceAccountName`);
+
+  const templateMetadata: Record<string, unknown> = {
+    labels: include(`${name}.selectorLabels`),
+  };
+  if (props.podAnnotations) templateMetadata.annotations = toYaml(values.podAnnotations);
+
+  const jobSpec: Record<string, unknown> = {
+    template: {
+      metadata: templateMetadata,
+      spec: podSpec,
+    },
+  };
+
+  if (props.backoffLimit !== undefined) jobSpec.backoffLimit = values.backoffLimit;
+
+  const cronJobSpec: Record<string, unknown> = {
+    schedule: values.schedule,
+    jobTemplate: {
+      spec: jobSpec,
+    },
+  };
+
+  if (props.concurrencyPolicy) cronJobSpec.concurrencyPolicy = values.concurrencyPolicy;
+  if (props.successfulJobsHistoryLimit !== undefined) cronJobSpec.successfulJobsHistoryLimit = values.successfulJobsHistoryLimit;
+  if (props.failedJobsHistoryLimit !== undefined) cronJobSpec.failedJobsHistoryLimit = values.failedJobsHistoryLimit;
+
+  const cronJob = {
+    apiVersion: "batch/v1",
+    kind: "CronJob",
+    metadata: {
+      name: include(`${name}.fullname`),
+      labels: include(`${name}.labels`),
+    },
+    spec: cronJobSpec,
+  };
+
+  const result: HelmCronJobResult = { chart, values: valuesObj, cronJob };
+
+  if (serviceAccount) {
+    result.serviceAccount = {
+      apiVersion: "v1",
+      kind: "ServiceAccount",
+      metadata: {
+        name: include(`${name}.serviceAccountName`),
+        labels: include(`${name}.labels`),
+        annotations: toYaml(values.serviceAccount.annotations),
+      },
+    };
+  }
+
+  return result;
+}