@intentius/chant-lexicon-k8s 0.0.13 → 0.0.15

package/src/composites/worker-pool.ts

@@ -5,6 +5,8 @@
  * that need RBAC for secrets/configmaps and optional autoscaling, but no Service.
  */
 
+import type { ContainerSecurityContext } from "./security-context";
+
 export interface WorkerPoolProps {
   /** Worker name — used in metadata and labels. */
   name: string;
@@ -30,6 +32,14 @@ export interface WorkerPoolProps {
     maxReplicas: number;
     targetCPUPercent?: number;
   };
+  /** PodDisruptionBudget minAvailable — if set, creates a PDB. */
+  minAvailable?: number | string;
+  /** Container security context (supports PSS restricted fields). */
+  securityContext?: ContainerSecurityContext;
+  /** Termination grace period in seconds. */
+  terminationGracePeriodSeconds?: number;
+  /** Priority class name for pod scheduling. */
+  priorityClassName?: string;
   /** CPU request (default: "100m"). */
   cpuRequest?: string;
   /** Memory request (default: "128Mi"). */
@@ -53,6 +63,7 @@ export interface WorkerPoolResult {
   roleBinding?: Record<string, unknown>;
   configMap?: Record<string, unknown>;
   hpa?: Record<string, unknown>;
+  pdb?: Record<string, unknown>;
 }
 
 /**
@@ -81,6 +92,10 @@ export function WorkerPool(props: WorkerPoolProps): WorkerPoolResult {
     config,
     rbacRules,
     autoscaling,
+    minAvailable,
+    securityContext,
+    terminationGracePeriodSeconds,
+    priorityClassName,
     cpuRequest = "100m",
     memoryRequest = "128Mi",
     cpuLimit = "500m",
@@ -122,6 +137,14 @@ export function WorkerPool(props: WorkerPoolProps): WorkerPoolResult {
     ...(config && {
       envFrom: [{ configMapRef: { name: configMapName } }],
     }),
+    ...(securityContext && { securityContext }),
+  };
+
+  const podSpec: Record<string, unknown> = {
+    ...(createRbac && { serviceAccountName: saName }),
+    containers: [container],
+    ...(terminationGracePeriodSeconds !== undefined && { terminationGracePeriodSeconds }),
+    ...(priorityClassName && { priorityClassName }),
   };
 
   const deploymentProps: Record<string, unknown> = {
@@ -135,10 +158,7 @@ export function WorkerPool(props: WorkerPoolProps): WorkerPoolResult {
       selector: { matchLabels: { "app.kubernetes.io/name": name } },
       template: {
         metadata: { labels: { "app.kubernetes.io/name": name, ...extraLabels } },
-        spec: {
-          ...(createRbac && { serviceAccountName: saName }),
-          containers: [container],
-        },
+        spec: podSpec,
       },
     },
   };
@@ -197,6 +217,20 @@ export function WorkerPool(props: WorkerPoolProps): WorkerPoolResult {
     };
   }
 
+  if (minAvailable !== undefined) {
+    result.pdb = {
+      metadata: {
+        name,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "disruption-budget" },
+      },
+      spec: {
+        minAvailable,
+        selector: { matchLabels: { "app.kubernetes.io/name": name } },
+      },
+    };
+  }
+
   if (autoscaling) {
     const targetCPUPercent = autoscaling.targetCPUPercent ?? 70;
     result.hpa = {

package/src/composites/workload-identity-sa.ts

@@ -0,0 +1,118 @@
+/**
+ * WorkloadIdentityServiceAccount composite — ServiceAccount + Workload Identity annotation + optional RBAC.
+ *
+ * @aks Creates a ServiceAccount with the `azure.workload.identity/client-id`
+ * annotation and `azure.workload.identity/use: "true"` label for AKS Workload Identity.
+ */
+
+export interface WorkloadIdentityServiceAccountProps {
+  /** ServiceAccount name — used in metadata and labels. */
+  name: string;
+  /** Azure AD application client ID for Workload Identity. */
+  clientId: string;
+  /** Optional RBAC rules — if provided, creates Role + RoleBinding. */
+  rbacRules?: Array<{
+    apiGroups: string[];
+    resources: string[];
+    verbs: string[];
+  }>;
+  /** Additional labels to apply to all resources. */
+  labels?: Record<string, string>;
+  /** Namespace for all resources. */
+  namespace?: string;
+}
+
+export interface WorkloadIdentityServiceAccountResult {
+  serviceAccount: Record<string, unknown>;
+  role?: Record<string, unknown>;
+  roleBinding?: Record<string, unknown>;
+}
+
+/**
+ * Create a WorkloadIdentityServiceAccount composite — returns prop objects for
+ * a ServiceAccount with AKS Workload Identity annotation, and optional Role + RoleBinding.
+ *
+ * @aks
+ * @example
+ * ```ts
+ * import { WorkloadIdentityServiceAccount } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { serviceAccount, role, roleBinding } = WorkloadIdentityServiceAccount({
+ *   name: "app-sa",
+ *   clientId: "00000000-0000-0000-0000-000000000000",
+ *   rbacRules: [
+ *     { apiGroups: [""], resources: ["secrets"], verbs: ["get"] },
+ *   ],
+ * });
+ * ```
+ */
+export function WorkloadIdentityServiceAccount(props: WorkloadIdentityServiceAccountProps): WorkloadIdentityServiceAccountResult {
+  const {
+    name,
+    clientId,
+    rbacRules,
+    labels: extraLabels = {},
+    namespace,
+  } = props;
+
+  const roleName = `${name}-role`;
+  const bindingName = `${name}-binding`;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const serviceAccountProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      ...(namespace && { namespace }),
+      labels: {
+        ...commonLabels,
+        "app.kubernetes.io/component": "service-account",
+        "azure.workload.identity/use": "true",
+      },
+      annotations: {
+        "azure.workload.identity/client-id": clientId,
+      },
+    },
+  };
+
+  const result: WorkloadIdentityServiceAccountResult = {
+    serviceAccount: serviceAccountProps,
+  };
+
+  if (rbacRules && rbacRules.length > 0) {
+    result.role = {
+      metadata: {
+        name: roleName,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+      },
+      rules: rbacRules,
+    };
+
+    result.roleBinding = {
+      metadata: {
+        name: bindingName,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+      },
+      roleRef: {
+        apiGroup: "rbac.authorization.k8s.io",
+        kind: "Role",
+        name: roleName,
+      },
+      subjects: [
+        {
+          kind: "ServiceAccount",
+          name,
+          ...(namespace && { namespace }),
+        },
+      ],
+    };
+  }
+
+  return result;
+}

package/src/composites/workload-identity-service-account.ts

@@ -0,0 +1,116 @@
+/**
+ * WorkloadIdentityServiceAccount composite — ServiceAccount + GKE Workload Identity annotation + optional RBAC.
+ *
+ * @gke Creates a ServiceAccount with the `iam.gke.io/gcp-service-account`
+ * annotation for GKE Workload Identity Federation.
+ */
+
+export interface WorkloadIdentityServiceAccountProps {
+  /** ServiceAccount name — used in metadata and labels. */
+  name: string;
+  /** GCP service account email for Workload Identity annotation. */
+  gcpServiceAccountEmail: string;
+  /** Optional RBAC rules — if provided, creates Role + RoleBinding. */
+  rbacRules?: Array<{
+    apiGroups: string[];
+    resources: string[];
+    verbs: string[];
+  }>;
+  /** Additional labels to apply to all resources. */
+  labels?: Record<string, string>;
+  /** Namespace for all resources. */
+  namespace?: string;
+}
+
+export interface WorkloadIdentityServiceAccountResult {
+  serviceAccount: Record<string, unknown>;
+  role?: Record<string, unknown>;
+  roleBinding?: Record<string, unknown>;
+}
+
+/**
+ * Create a WorkloadIdentityServiceAccount composite — returns prop objects for
+ * a ServiceAccount with GKE Workload Identity annotation, and optional Role + RoleBinding.
+ *
+ * @gke
+ * @example
+ * ```ts
+ * import { WorkloadIdentityServiceAccount } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { serviceAccount, role, roleBinding } = WorkloadIdentityServiceAccount({
+ *   name: "app-sa",
+ *   gcpServiceAccountEmail: "sa@my-project.iam.gserviceaccount.com",
+ *   rbacRules: [
+ *     { apiGroups: [""], resources: ["secrets"], verbs: ["get"] },
+ *   ],
+ * });
+ * ```
+ */
+export function WorkloadIdentityServiceAccount(
+  props: WorkloadIdentityServiceAccountProps,
+): WorkloadIdentityServiceAccountResult {
+  const {
+    name,
+    gcpServiceAccountEmail,
+    rbacRules,
+    labels: extraLabels = {},
+    namespace,
+  } = props;
+
+  const roleName = `${name}-role`;
+  const bindingName = `${name}-binding`;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const serviceAccountProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      ...(namespace && { namespace }),
+      labels: { ...commonLabels, "app.kubernetes.io/component": "service-account" },
+      annotations: {
+        "iam.gke.io/gcp-service-account": gcpServiceAccountEmail,
+      },
+    },
+  };
+
+  const result: WorkloadIdentityServiceAccountResult = {
+    serviceAccount: serviceAccountProps,
+  };
+
+  if (rbacRules && rbacRules.length > 0) {
+    result.role = {
+      metadata: {
+        name: roleName,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+      },
+      rules: rbacRules,
+    };
+
+    result.roleBinding = {
+      metadata: {
+        name: bindingName,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+      },
+      roleRef: {
+        apiGroup: "rbac.authorization.k8s.io",
+        kind: "Role",
+        name: roleName,
+      },
+      subjects: [
+        {
+          kind: "ServiceAccount",
+          name,
+          ...(namespace && { namespace }),
+        },
+      ],
+    };
+  }
+
+  return result;
+}

package/src/index.ts

@@ -16,8 +16,30 @@ export { K8sLabels, K8sAnnotations } from "./variables";
 export * from "./generated/index";
 
 // Composites
-export { WebApp, StatefulApp, CronWorkload, AutoscaledService, WorkerPool, NamespaceEnv, NodeAgent } from "./composites/index";
-export type { WebAppProps, WebAppResult, StatefulAppProps, StatefulAppResult, CronWorkloadProps, CronWorkloadResult, AutoscaledServiceProps, AutoscaledServiceResult, WorkerPoolProps, WorkerPoolResult, NamespaceEnvProps, NamespaceEnvResult, NodeAgentProps, NodeAgentResult } from "./composites/index";
+export {
+  WebApp, StatefulApp, CronWorkload, AutoscaledService, WorkerPool, NamespaceEnv, NodeAgent,
+  BatchJob, SecureIngress, ConfiguredApp, SidecarApp, MonitoredService, NetworkIsolatedApp,
+  IrsaServiceAccount, AlbIngress, EbsStorageClass, EfsStorageClass, FluentBitAgent, ExternalDnsAgent, AdotCollector,
+  MetricsServer, WorkloadIdentityServiceAccount, GcePdStorageClass, FilestoreStorageClass, GkeGateway, ConfigConnectorContext,
+} from "./composites/index";
+export type {
+  WebAppProps, WebAppResult, StatefulAppProps, StatefulAppResult, CronWorkloadProps, CronWorkloadResult,
+  AutoscaledServiceProps, AutoscaledServiceResult, WorkerPoolProps, WorkerPoolResult,
+  NamespaceEnvProps, NamespaceEnvResult, NodeAgentProps, NodeAgentResult,
+  BatchJobProps, BatchJobResult, SecureIngressProps, SecureIngressResult,
+  ConfiguredAppProps, ConfiguredAppResult, SidecarAppProps, SidecarAppResult,
+  MonitoredServiceProps, MonitoredServiceResult, NetworkIsolatedAppProps, NetworkIsolatedAppResult,
+  IrsaServiceAccountProps, IrsaServiceAccountResult, AlbIngressProps, AlbIngressResult,
+  EbsStorageClassProps, EbsStorageClassResult, EfsStorageClassProps, EfsStorageClassResult,
+  FluentBitAgentProps, FluentBitAgentResult, ExternalDnsAgentProps, ExternalDnsAgentResult,
+  AdotCollectorProps, AdotCollectorResult,
+  MetricsServerProps, MetricsServerResult,
+  WorkloadIdentityServiceAccountProps, WorkloadIdentityServiceAccountResult,
+  GcePdStorageClassProps, GcePdStorageClassResult,
+  FilestoreStorageClassProps, FilestoreStorageClassResult,
+  GkeGatewayProps, GkeGatewayResult,
+  ConfigConnectorContextProps, ConfigConnectorContextResult,
+} from "./composites/index";
 
 // RBAC verb constants
 export * from "./actions/index";