@intentius/chant-lexicon-k8s 0.0.12 → 0.0.14

package/src/composites/fluent-bit-agent.ts

@@ -0,0 +1,215 @@
+/**
+ * FluentBitAgent composite — DaemonSet + RBAC + ConfigMap for Fluent Bit.
+ *
+ * @eks Thin wrapper around the NodeAgent pattern with Fluent Bit defaults
+ * (image, RBAC, CloudWatch output config).
+ */
+
+export interface FluentBitAgentProps {
+  /** Agent name (default: "fluent-bit"). */
+  name?: string;
+  /** Fluent Bit image (default: "public.ecr.aws/aws-observability/aws-for-fluent-bit:stable"). */
+  image?: string;
+  /** CloudWatch log group name. */
+  logGroup: string;
+  /** AWS region. */
+  region: string;
+  /** Cluster name — used as log stream prefix. */
+  clusterName: string;
+  /** Namespace (default: "amazon-cloudwatch"). */
+  namespace?: string;
+  /** Additional labels. */
+  labels?: Record<string, string>;
+  /** CPU request (default: "50m"). */
+  cpuRequest?: string;
+  /** Memory request (default: "64Mi"). */
+  memoryRequest?: string;
+  /** CPU limit (default: "200m"). */
+  cpuLimit?: string;
+  /** Memory limit (default: "128Mi"). */
+  memoryLimit?: string;
+  /** IAM Role ARN for IRSA (adds eks.amazonaws.com/role-arn annotation to ServiceAccount). */
+  iamRoleArn?: string;
+}
+
+export interface FluentBitAgentResult {
+  daemonSet: Record<string, unknown>;
+  serviceAccount: Record<string, unknown>;
+  clusterRole: Record<string, unknown>;
+  clusterRoleBinding: Record<string, unknown>;
+  configMap: Record<string, unknown>;
+}
+
+/**
+ * Create a FluentBitAgent composite — returns prop objects for
+ * a DaemonSet, ServiceAccount, ClusterRole, ClusterRoleBinding, and ConfigMap.
+ *
+ * @eks
+ * @example
+ * ```ts
+ * import { FluentBitAgent } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { daemonSet, serviceAccount, clusterRole, clusterRoleBinding, configMap } = FluentBitAgent({
+ *   logGroup: "/aws/eks/my-cluster/containers",
+ *   region: "us-east-1",
+ *   clusterName: "my-cluster",
+ * });
+ * ```
+ */
+export function FluentBitAgent(props: FluentBitAgentProps): FluentBitAgentResult {
+  const {
+    name = "fluent-bit",
+    image = "public.ecr.aws/aws-observability/aws-for-fluent-bit:stable",
+    logGroup,
+    region,
+    clusterName,
+    namespace = "amazon-cloudwatch",
+    labels: extraLabels = {},
+    cpuRequest = "50m",
+    memoryRequest = "64Mi",
+    cpuLimit = "200m",
+    memoryLimit = "128Mi",
+    iamRoleArn,
+  } = props;
+
+  const saName = `${name}-sa`;
+  const clusterRoleName = `${name}-role`;
+  const bindingName = `${name}-binding`;
+  const configMapName = `${name}-config`;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const fluentBitConfig = `[SERVICE]
+    Flush         5
+    Log_Level     info
+    Daemon        off
+    Parsers_File  parsers.conf
+
+[INPUT]
+    Name              tail
+    Tag               kube.*
+    Path              /var/log/containers/*.log
+    Parser            docker
+    DB                /var/fluent-bit/state/flb_container.db
+    Mem_Buf_Limit     5MB
+    Skip_Long_Lines   On
+    Refresh_Interval  10
+
+[FILTER]
+    Name                kubernetes
+    Match               kube.*
+    Kube_URL            https://kubernetes.default.svc:443
+    Kube_CA_File        /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+    Kube_Token_File     /var/run/secrets/kubernetes.io/serviceaccount/token
+    Merge_Log           On
+    K8S-Logging.Parser  On
+    K8S-Logging.Exclude Off
+
+[OUTPUT]
+    Name                cloudwatch_logs
+    Match               *
+    region              ${region}
+    log_group_name      ${logGroup}
+    log_stream_prefix   ${clusterName}/
+    auto_create_group   true
+`;
+
+  const container: Record<string, unknown> = {
+    name,
+    image,
+    resources: {
+      requests: { cpu: cpuRequest, memory: memoryRequest },
+      limits: { cpu: cpuLimit, memory: memoryLimit },
+    },
+    volumeMounts: [
+      { name: "varlog", mountPath: "/var/log", readOnly: true },
+      { name: "config", mountPath: `/etc/${name}`, readOnly: true },
+      { name: "state", mountPath: "/var/fluent-bit/state" },
+    ],
+  };
+
+  const daemonSetProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      namespace,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "agent" },
+    },
+    spec: {
+      selector: { matchLabels: { "app.kubernetes.io/name": name } },
+      template: {
+        metadata: { labels: { "app.kubernetes.io/name": name, ...extraLabels } },
+        spec: {
+          serviceAccountName: saName,
+          containers: [container],
+          volumes: [
+            { name: "varlog", hostPath: { path: "/var/log" } },
+            { name: "config", configMap: { name: configMapName } },
+            { name: "state", hostPath: { path: `/var/fluent-bit/state/${name}` } },
+          ],
+          tolerations: [{ operator: "Exists" }],
+        },
+      },
+    },
+  };
+
+  const serviceAccountProps: Record<string, unknown> = {
+    metadata: {
+      name: saName,
+      namespace,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "agent" },
+      ...(iamRoleArn ? { annotations: { "eks.amazonaws.com/role-arn": iamRoleArn } } : {}),
+    },
+  };
+
+  const clusterRoleProps: Record<string, unknown> = {
+    metadata: {
+      name: clusterRoleName,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+    },
+    rules: [
+      { apiGroups: [""], resources: ["namespaces", "pods"], verbs: ["get", "list", "watch"] },
+    ],
+  };
+
+  const clusterRoleBindingProps: Record<string, unknown> = {
+    metadata: {
+      name: bindingName,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+    },
+    roleRef: {
+      apiGroup: "rbac.authorization.k8s.io",
+      kind: "ClusterRole",
+      name: clusterRoleName,
+    },
+    subjects: [
+      {
+        kind: "ServiceAccount",
+        name: saName,
+        namespace,
+      },
+    ],
+  };
+
+  const configMapProps: Record<string, unknown> = {
+    metadata: {
+      name: configMapName,
+      namespace,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "config" },
+    },
+    data: {
+      "fluent-bit.conf": fluentBitConfig,
+    },
+  };
+
+  return {
+    daemonSet: daemonSetProps,
+    serviceAccount: serviceAccountProps,
+    clusterRole: clusterRoleProps,
+    clusterRoleBinding: clusterRoleBindingProps,
+    configMap: configMapProps,
+  };
+}

package/src/composites/index.ts

@@ -12,3 +12,31 @@ export { NamespaceEnv } from "./namespace-env";
 export type { NamespaceEnvProps, NamespaceEnvResult } from "./namespace-env";
 export { NodeAgent } from "./node-agent";
 export type { NodeAgentProps, NodeAgentResult } from "./node-agent";
+export { BatchJob } from "./batch-job";
+export type { BatchJobProps, BatchJobResult } from "./batch-job";
+export { SecureIngress } from "./secure-ingress";
+export type { SecureIngressProps, SecureIngressResult } from "./secure-ingress";
+export { ConfiguredApp } from "./configured-app";
+export type { ConfiguredAppProps, ConfiguredAppResult } from "./configured-app";
+export { SidecarApp } from "./sidecar-app";
+export type { SidecarAppProps, SidecarAppResult } from "./sidecar-app";
+export { MonitoredService } from "./monitored-service";
+export type { MonitoredServiceProps, MonitoredServiceResult } from "./monitored-service";
+export { NetworkIsolatedApp } from "./network-isolated-app";
+export type { NetworkIsolatedAppProps, NetworkIsolatedAppResult } from "./network-isolated-app";
+export { IrsaServiceAccount } from "./irsa-service-account";
+export type { IrsaServiceAccountProps, IrsaServiceAccountResult } from "./irsa-service-account";
+export { AlbIngress } from "./alb-ingress";
+export type { AlbIngressProps, AlbIngressResult } from "./alb-ingress";
+export { EbsStorageClass } from "./ebs-storage-class";
+export type { EbsStorageClassProps, EbsStorageClassResult } from "./ebs-storage-class";
+export { EfsStorageClass } from "./efs-storage-class";
+export type { EfsStorageClassProps, EfsStorageClassResult } from "./efs-storage-class";
+export { FluentBitAgent } from "./fluent-bit-agent";
+export type { FluentBitAgentProps, FluentBitAgentResult } from "./fluent-bit-agent";
+export { ExternalDnsAgent } from "./external-dns-agent";
+export type { ExternalDnsAgentProps, ExternalDnsAgentResult } from "./external-dns-agent";
+export { AdotCollector } from "./adot-collector";
+export type { AdotCollectorProps, AdotCollectorResult } from "./adot-collector";
+export { MetricsServer } from "./metrics-server";
+export type { MetricsServerProps, MetricsServerResult } from "./metrics-server";

package/src/composites/irsa-service-account.ts

@@ -0,0 +1,114 @@
+/**
+ * IrsaServiceAccount composite — ServiceAccount + IAM annotation + optional RBAC.
+ *
+ * @eks Creates a ServiceAccount with the `eks.amazonaws.com/role-arn`
+ * annotation for IAM Roles for Service Accounts (IRSA).
+ */
+
+export interface IrsaServiceAccountProps {
+  /** ServiceAccount name — used in metadata and labels. */
+  name: string;
+  /** IAM Role ARN for IRSA annotation. */
+  iamRoleArn: string;
+  /** Optional RBAC rules — if provided, creates Role + RoleBinding. */
+  rbacRules?: Array<{
+    apiGroups: string[];
+    resources: string[];
+    verbs: string[];
+  }>;
+  /** Additional labels to apply to all resources. */
+  labels?: Record<string, string>;
+  /** Namespace for all resources. */
+  namespace?: string;
+}
+
+export interface IrsaServiceAccountResult {
+  serviceAccount: Record<string, unknown>;
+  role?: Record<string, unknown>;
+  roleBinding?: Record<string, unknown>;
+}
+
+/**
+ * Create an IrsaServiceAccount composite — returns prop objects for
+ * a ServiceAccount with IRSA annotation, and optional Role + RoleBinding.
+ *
+ * @eks
+ * @example
+ * ```ts
+ * import { IrsaServiceAccount } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { serviceAccount, role, roleBinding } = IrsaServiceAccount({
+ *   name: "app-sa",
+ *   iamRoleArn: "arn:aws:iam::123456789012:role/my-app-role",
+ *   rbacRules: [
+ *     { apiGroups: [""], resources: ["secrets"], verbs: ["get"] },
+ *   ],
+ * });
+ * ```
+ */
+export function IrsaServiceAccount(props: IrsaServiceAccountProps): IrsaServiceAccountResult {
+  const {
+    name,
+    iamRoleArn,
+    rbacRules,
+    labels: extraLabels = {},
+    namespace,
+  } = props;
+
+  const roleName = `${name}-role`;
+  const bindingName = `${name}-binding`;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const serviceAccountProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      ...(namespace && { namespace }),
+      labels: { ...commonLabels, "app.kubernetes.io/component": "service-account" },
+      annotations: {
+        "eks.amazonaws.com/role-arn": iamRoleArn,
+      },
+    },
+  };
+
+  const result: IrsaServiceAccountResult = {
+    serviceAccount: serviceAccountProps,
+  };
+
+  if (rbacRules && rbacRules.length > 0) {
+    result.role = {
+      metadata: {
+        name: roleName,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+      },
+      rules: rbacRules,
+    };
+
+    result.roleBinding = {
+      metadata: {
+        name: bindingName,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+      },
+      roleRef: {
+        apiGroup: "rbac.authorization.k8s.io",
+        kind: "Role",
+        name: roleName,
+      },
+      subjects: [
+        {
+          kind: "ServiceAccount",
+          name,
+          ...(namespace && { namespace }),
+        },
+      ],
+    };
+  }
+
+  return result;
+}

package/src/composites/metrics-server.ts

@@ -0,0 +1,224 @@
+/**
+ * MetricsServer composite — Deployment + Service + ServiceAccount + RBAC + APIService.
+ *
+ * Deploys metrics-server for HPA pod CPU/memory metrics. metrics-server is not an
+ * EKS managed addon — it needs K8s workloads. Uses in-cluster RBAC only (no IRSA).
+ */
+
+export interface MetricsServerProps {
+  /** Agent name (default: "metrics-server"). */
+  name?: string;
+  /** Container image (default: "registry.k8s.io/metrics-server/metrics-server:v0.7.2"). */
+  image?: string;
+  /** Replicas (default: 1). */
+  replicas?: number;
+  /** Namespace (default: "kube-system"). */
+  namespace?: string;
+  /** Additional labels. */
+  labels?: Record<string, string>;
+}
+
+export interface MetricsServerResult {
+  deployment: Record<string, unknown>;
+  service: Record<string, unknown>;
+  serviceAccount: Record<string, unknown>;
+  clusterRole: Record<string, unknown>;
+  clusterRoleBinding: Record<string, unknown>;
+  /** ClusterRole for aggregated API access. */
+  aggregatedClusterRole: Record<string, unknown>;
+  /** Binding for aggregated API auth-delegator. */
+  authDelegatorBinding: Record<string, unknown>;
+  /** APIService registration for v1beta1.metrics.k8s.io. */
+  apiService: Record<string, unknown>;
+}
+
+/**
+ * Create a MetricsServer composite — returns prop objects for a Deployment,
+ * Service, ServiceAccount, ClusterRoles, ClusterRoleBindings, and APIService.
+ *
+ * @example
+ * ```ts
+ * import { MetricsServer } from "@intentius/chant-lexicon-k8s";
+ *
+ * const ms = MetricsServer({});
+ * ```
+ */
+export function MetricsServer(props: MetricsServerProps): MetricsServerResult {
+  const {
+    name = "metrics-server",
+    image = "registry.k8s.io/metrics-server/metrics-server:v0.7.2",
+    replicas = 1,
+    namespace = "kube-system",
+    labels: extraLabels = {},
+  } = props;
+
+  const saName = `${name}-sa`;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const deployment: Record<string, unknown> = {
+    metadata: {
+      name,
+      namespace,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "metrics" },
+    },
+    spec: {
+      replicas,
+      selector: { matchLabels: { "app.kubernetes.io/name": name } },
+      template: {
+        metadata: { labels: { "app.kubernetes.io/name": name, ...extraLabels } },
+        spec: {
+          serviceAccountName: saName,
+          containers: [
+            {
+              name,
+              image,
+              args: [
+                "--cert-dir=/tmp",
+                "--secure-port=10250",
+                "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
+                "--kubelet-use-node-status-port",
+                "--metric-resolution=15s",
+              ],
+              ports: [{ containerPort: 10250, name: "https", protocol: "TCP" }],
+              resources: {
+                requests: { cpu: "100m", memory: "200Mi" },
+                limits: { cpu: "100m", memory: "200Mi" },
+              },
+              livenessProbe: {
+                httpGet: { path: "/livez", port: 10250, scheme: "HTTPS" },
+                initialDelaySeconds: 0,
+                periodSeconds: 10,
+                failureThreshold: 3,
+              },
+              readinessProbe: {
+                httpGet: { path: "/readyz", port: 10250, scheme: "HTTPS" },
+                initialDelaySeconds: 20,
+                periodSeconds: 10,
+                failureThreshold: 3,
+              },
+              securityContext: {
+                runAsNonRoot: true,
+                readOnlyRootFilesystem: true,
+                allowPrivilegeEscalation: false,
+              },
+              volumeMounts: [{ name: "tmp-dir", mountPath: "/tmp" }],
+            },
+          ],
+          volumes: [{ name: "tmp-dir", emptyDir: {} }],
+          priorityClassName: "system-cluster-critical",
+        },
+      },
+    },
+  };
+
+  const service: Record<string, unknown> = {
+    metadata: {
+      name,
+      namespace,
+      labels: {
+        ...commonLabels,
+        "app.kubernetes.io/component": "metrics",
+        "kubernetes.io/cluster-service": "true",
+        "kubernetes.io/name": "Metrics-server",
+      },
+    },
+    spec: {
+      selector: { "app.kubernetes.io/name": name },
+      ports: [{ port: 443, targetPort: 10250, protocol: "TCP", name: "https" }],
+    },
+  };
+
+  const serviceAccount: Record<string, unknown> = {
+    metadata: {
+      name: saName,
+      namespace,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "metrics" },
+    },
+  };
+
+  const clusterRole: Record<string, unknown> = {
+    metadata: {
+      name: `system:${name}`,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+    },
+    rules: [
+      { apiGroups: [""], resources: ["pods", "nodes", "namespaces"], verbs: ["get", "list", "watch"] },
+      { apiGroups: [""], resources: ["nodes/metrics", "nodes/stats"], verbs: ["get"] },
+    ],
+  };
+
+  const clusterRoleBinding: Record<string, unknown> = {
+    metadata: {
+      name: `system:${name}`,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+    },
+    roleRef: {
+      apiGroup: "rbac.authorization.k8s.io",
+      kind: "ClusterRole",
+      name: `system:${name}`,
+    },
+    subjects: [{ kind: "ServiceAccount", name: saName, namespace }],
+  };
+
+  const aggregatedClusterRole: Record<string, unknown> = {
+    metadata: {
+      name: `system:${name}-aggregated-reader`,
+      labels: {
+        ...commonLabels,
+        "app.kubernetes.io/component": "rbac",
+        "rbac.authorization.k8s.io/aggregate-to-admin": "true",
+        "rbac.authorization.k8s.io/aggregate-to-edit": "true",
+        "rbac.authorization.k8s.io/aggregate-to-view": "true",
+      },
+    },
+    rules: [
+      { apiGroups: ["metrics.k8s.io"], resources: ["pods", "nodes"], verbs: ["get", "list", "watch"] },
+    ],
+  };
+
+  const authDelegatorBinding: Record<string, unknown> = {
+    metadata: {
+      name: `${name}:system:auth-delegator`,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+    },
+    roleRef: {
+      apiGroup: "rbac.authorization.k8s.io",
+      kind: "ClusterRole",
+      name: "system:auth-delegator",
+    },
+    subjects: [{ kind: "ServiceAccount", name: saName, namespace }],
+  };
+
+  const apiService: Record<string, unknown> = {
+    apiVersion: "apiregistration.k8s.io/v1",
+    kind: "APIService",
+    metadata: {
+      name: "v1beta1.metrics.k8s.io",
+      labels: { ...commonLabels, "app.kubernetes.io/component": "metrics" },
+    },
+    spec: {
+      service: { name, namespace },
+      group: "metrics.k8s.io",
+      version: "v1beta1",
+      insecureSkipTLSVerify: true,
+      groupPriorityMinimum: 100,
+      versionPriority: 100,
+    },
+  };
+
+  return {
+    deployment,
+    service,
+    serviceAccount,
+    clusterRole,
+    clusterRoleBinding,
+    aggregatedClusterRole,
+    authDelegatorBinding,
+    apiService,
+  };
+}