@intentius/chant-lexicon-k8s 0.0.12 → 0.0.14

package/src/composites/alb-ingress.ts

@@ -0,0 +1,151 @@
+/**
+ * AlbIngress composite — Ingress with AWS Load Balancer Controller annotations.
+ *
+ * @eks Full `alb.ingress.kubernetes.io/*` annotation set including group name
+ * (shared ALB), SSL redirect, subnets, security groups.
+ */
+
+export interface AlbIngressHost {
+  /** Hostname (e.g., "api.example.com"). */
+  hostname: string;
+  /** Path rules for this host. */
+  paths: Array<{
+    path: string;
+    pathType?: string;
+    serviceName: string;
+    servicePort: number;
+  }>;
+}
+
+export interface AlbIngressProps {
+  /** Ingress name — used in metadata and labels. */
+  name: string;
+  /** Host definitions with paths. */
+  hosts: AlbIngressHost[];
+  /** ALB scheme (default: "internet-facing"). */
+  scheme?: "internet-facing" | "internal";
+  /** Target type (default: "ip"). */
+  targetType?: "ip" | "instance";
+  /** ACM certificate ARN for TLS. */
+  certificateArn?: string;
+  /** WAF Web ACL ARN. */
+  wafAclArn?: string;
+  /** Health check path for target group. */
+  healthCheckPath?: string;
+  /** Ingress group name for shared ALB. */
+  groupName?: string;
+  /** Enable HTTP→HTTPS redirect (default: true when certificateArn set). */
+  sslRedirect?: boolean;
+  /** Additional annotations on the Ingress. */
+  annotations?: Record<string, string>;
+  /** Additional labels to apply to all resources. */
+  labels?: Record<string, string>;
+  /** Namespace for all resources. */
+  namespace?: string;
+}
+
+export interface AlbIngressResult {
+  ingress: Record<string, unknown>;
+}
+
+/**
+ * Create an AlbIngress composite — returns prop objects for
+ * an Ingress with AWS ALB Controller annotations.
+ *
+ * @eks
+ * @example
+ * ```ts
+ * import { AlbIngress } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { ingress } = AlbIngress({
+ *   name: "api-ingress",
+ *   hosts: [
+ *     {
+ *       hostname: "api.example.com",
+ *       paths: [{ path: "/", serviceName: "api", servicePort: 80 }],
+ *     },
+ *   ],
+ *   scheme: "internet-facing",
+ *   certificateArn: "arn:aws:acm:us-east-1:123456789012:certificate/abc-123",
+ *   groupName: "shared-alb",
+ * });
+ * ```
+ */
+export function AlbIngress(props: AlbIngressProps): AlbIngressResult {
+  const {
+    name,
+    hosts,
+    scheme = "internet-facing",
+    targetType = "ip",
+    certificateArn,
+    wafAclArn,
+    healthCheckPath,
+    groupName,
+    sslRedirect,
+    annotations: extraAnnotations = {},
+    labels: extraLabels = {},
+    namespace,
+  } = props;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  // Build ALB annotations
+  const annotations: Record<string, string> = {
+    "alb.ingress.kubernetes.io/scheme": scheme,
+    "alb.ingress.kubernetes.io/target-type": targetType,
+    ...extraAnnotations,
+  };
+
+  if (certificateArn) {
+    annotations["alb.ingress.kubernetes.io/certificate-arn"] = certificateArn;
+    annotations["alb.ingress.kubernetes.io/listen-ports"] = '[{"HTTPS":443}]';
+  }
+
+  if (sslRedirect ?? (certificateArn !== undefined)) {
+    annotations["alb.ingress.kubernetes.io/ssl-redirect"] = "443";
+  }
+
+  if (wafAclArn) {
+    annotations["alb.ingress.kubernetes.io/wafv2-acl-arn"] = wafAclArn;
+  }
+
+  if (healthCheckPath) {
+    annotations["alb.ingress.kubernetes.io/healthcheck-path"] = healthCheckPath;
+  }
+
+  if (groupName) {
+    annotations["alb.ingress.kubernetes.io/group.name"] = groupName;
+  }
+
+  const ingressRules = hosts.map((host) => ({
+    host: host.hostname,
+    http: {
+      paths: host.paths.map((p) => ({
+        path: p.path,
+        pathType: p.pathType ?? "Prefix",
+        backend: {
+          service: { name: p.serviceName, port: { number: p.servicePort } },
+        },
+      })),
+    },
+  }));
+
+  const ingressProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      ...(namespace && { namespace }),
+      labels: { ...commonLabels, "app.kubernetes.io/component": "ingress" },
+      annotations,
+    },
+    spec: {
+      ingressClassName: "alb",
+      rules: ingressRules,
+    },
+  };
+
+  return { ingress: ingressProps };
+}

package/src/composites/autoscaled-service.ts

@@ -40,6 +40,24 @@ export interface AutoscaledServiceProps {
   livenessPath?: string;
   /** Readiness probe path (default: "/readyz"). */
   readinessPath?: string;
+  /** Init containers (e.g., migrations, cert setup). */
+  initContainers?: Array<{
+    name: string;
+    image: string;
+    command?: string[];
+    args?: string[];
+  }>;
+  /** Pod security context. */
+  securityContext?: {
+    runAsNonRoot?: boolean;
+    readOnlyRootFilesystem?: boolean;
+    runAsUser?: number;
+    runAsGroup?: number;
+  };
+  /** Termination grace period in seconds. */
+  terminationGracePeriodSeconds?: number;
+  /** Priority class name for pod scheduling. */
+  priorityClassName?: string;
   /** Additional labels to apply to all resources. */
   labels?: Record<string, string>;
   /** Namespace for all resources. */
@@ -89,6 +107,10 @@ export function AutoscaledService(props: AutoscaledServiceProps): AutoscaledServ
     topologySpread = false,
     livenessPath = "/healthz",
     readinessPath = "/readyz",
+    initContainers,
+    securityContext,
+    terminationGracePeriodSeconds,
+    priorityClassName,
     labels: extraLabels = {},
     namespace,
     env,
@@ -156,9 +178,20 @@ export function AutoscaledService(props: AutoscaledServiceProps): AutoscaledServ
                 periodSeconds: 5,
               },
               ...(env && { env }),
+              ...(securityContext && { securityContext }),
             },
           ],
+          ...(initContainers && {
+            initContainers: initContainers.map((ic) => ({
+              name: ic.name,
+              image: ic.image,
+              ...(ic.command && { command: ic.command }),
+              ...(ic.args && { args: ic.args }),
+            })),
+          }),
           ...(topologyConstraints && { topologySpreadConstraints: topologyConstraints }),
+          ...(terminationGracePeriodSeconds !== undefined && { terminationGracePeriodSeconds }),
+          ...(priorityClassName && { priorityClassName }),
         },
       },
     },

package/src/composites/batch-job.ts

@@ -0,0 +1,188 @@
+/**
+ * BatchJob composite — Job + optional RBAC (ServiceAccount + Role + RoleBinding).
+ *
+ * A higher-level construct for one-shot batch jobs (data migrations,
+ * seed tasks, backups). For scheduled workloads, use CronWorkload instead.
+ */
+
+export interface BatchJobProps {
+  /** Job name — used in metadata and labels. */
+  name: string;
+  /** Container image. */
+  image: string;
+  /** Command to run in the container. */
+  command?: string[];
+  /** Arguments to the command. */
+  args?: string[];
+  /** Number of retries before marking the job as failed (default: 6). */
+  backoffLimit?: number;
+  /** Seconds after completion before the job is eligible for GC. */
+  ttlSecondsAfterFinished?: number;
+  /** Number of completions required (default: 1). */
+  completions?: number;
+  /** Number of pods running in parallel (default: 1). */
+  parallelism?: number;
+  /** Restart policy (default: "OnFailure"). */
+  restartPolicy?: string;
+  /** RBAC rules for the service account. Omit for defaults; pass [] to skip RBAC entirely. */
+  rbacRules?: Array<{
+    apiGroups: string[];
+    resources: string[];
+    verbs: string[];
+  }>;
+  /** Additional labels to apply to all resources. */
+  labels?: Record<string, string>;
+  /** Namespace for all resources. */
+  namespace?: string;
+  /** CPU request (default: "100m"). */
+  cpuRequest?: string;
+  /** Memory request (default: "128Mi"). */
+  memoryRequest?: string;
+  /** CPU limit (default: "500m"). */
+  cpuLimit?: string;
+  /** Memory limit (default: "256Mi"). */
+  memoryLimit?: string;
+  /** Environment variables for the container. */
+  env?: Array<{ name: string; value: string }>;
+}
+
+export interface BatchJobResult {
+  job: Record<string, unknown>;
+  serviceAccount?: Record<string, unknown>;
+  role?: Record<string, unknown>;
+  roleBinding?: Record<string, unknown>;
+}
+
+/**
+ * Create a BatchJob composite — returns prop objects for
+ * a Job, and optional ServiceAccount, Role, and RoleBinding.
+ *
+ * @example
+ * ```ts
+ * import { BatchJob } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { job, serviceAccount, role, roleBinding } = BatchJob({
+ *   name: "db-migrate",
+ *   image: "migrate:1.0",
+ *   command: ["python", "manage.py", "migrate"],
+ *   backoffLimit: 3,
+ *   ttlSecondsAfterFinished: 3600,
+ * });
+ * ```
+ */
+export function BatchJob(props: BatchJobProps): BatchJobResult {
+  const {
+    name,
+    image,
+    command,
+    args,
+    backoffLimit = 6,
+    ttlSecondsAfterFinished,
+    completions = 1,
+    parallelism = 1,
+    restartPolicy = "OnFailure",
+    rbacRules,
+    labels: extraLabels = {},
+    namespace,
+    cpuRequest = "100m",
+    memoryRequest = "128Mi",
+    cpuLimit = "500m",
+    memoryLimit = "256Mi",
+    env,
+  } = props;
+
+  const saName = `${name}-sa`;
+  const roleName = `${name}-role`;
+  const bindingName = `${name}-binding`;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  // undefined → default RBAC rules; explicit [] → no RBAC resources
+  const createRbac = rbacRules === undefined || rbacRules.length > 0;
+  const effectiveRbacRules = rbacRules === undefined
+    ? [{ apiGroups: [""], resources: ["pods"], verbs: ["get", "list"] }]
+    : rbacRules;
+
+  const container: Record<string, unknown> = {
+    name,
+    image,
+    ...(command && { command }),
+    ...(args && { args }),
+    resources: {
+      limits: { cpu: cpuLimit, memory: memoryLimit },
+      requests: { cpu: cpuRequest, memory: memoryRequest },
+    },
+    ...(env && { env }),
+  };
+
+  const jobProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      ...(namespace && { namespace }),
+      labels: { ...commonLabels, "app.kubernetes.io/component": "batch" },
+    },
+    spec: {
+      backoffLimit,
+      completions,
+      parallelism,
+      ...(ttlSecondsAfterFinished !== undefined && { ttlSecondsAfterFinished }),
+      template: {
+        metadata: { labels: { "app.kubernetes.io/name": name, ...extraLabels } },
+        spec: {
+          ...(createRbac && { serviceAccountName: saName }),
+          restartPolicy,
+          containers: [container],
+        },
+      },
+    },
+  };
+
+  const result: BatchJobResult = {
+    job: jobProps,
+  };
+
+  if (createRbac) {
+    result.serviceAccount = {
+      metadata: {
+        name: saName,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "batch" },
+      },
+    };
+
+    result.role = {
+      metadata: {
+        name: roleName,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+      },
+      rules: effectiveRbacRules,
+    };
+
+    result.roleBinding = {
+      metadata: {
+        name: bindingName,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+      },
+      roleRef: {
+        apiGroup: "rbac.authorization.k8s.io",
+        kind: "Role",
+        name: roleName,
+      },
+      subjects: [
+        {
+          kind: "ServiceAccount",
+          name: saName,
+          ...(namespace && { namespace }),
+        },
+      ],
+    };
+  }
+
+  return result;
+}