@intentius/chant-lexicon-k8s 0.0.13 → 0.0.15

package/src/composites/composites.test.ts

@@ -1,4 +1,5 @@
 import { describe, test, expect, jest } from "bun:test";
+import { emitYAML } from "@intentius/chant/yaml";
 import { WebApp } from "./web-app";
 import { StatefulApp } from "./stateful-app";
 import { CronWorkload } from "./cron-workload";
@@ -6,6 +7,25 @@ import { AutoscaledService } from "./autoscaled-service";
 import { WorkerPool } from "./worker-pool";
 import { NamespaceEnv } from "./namespace-env";
 import { NodeAgent } from "./node-agent";
+import { BatchJob } from "./batch-job";
+import { SecureIngress } from "./secure-ingress";
+import { ConfiguredApp } from "./configured-app";
+import { SidecarApp } from "./sidecar-app";
+import { MonitoredService } from "./monitored-service";
+import { NetworkIsolatedApp } from "./network-isolated-app";
+import { IrsaServiceAccount } from "./irsa-service-account";
+import { AlbIngress } from "./alb-ingress";
+import { EbsStorageClass } from "./ebs-storage-class";
+import { EfsStorageClass } from "./efs-storage-class";
+import { FluentBitAgent } from "./fluent-bit-agent";
+import { ExternalDnsAgent } from "./external-dns-agent";
+import { AdotCollector } from "./adot-collector";
+import { MetricsServer } from "./metrics-server";
+import { WorkloadIdentityServiceAccount } from "./workload-identity-service-account";
+import { GcePdStorageClass } from "./gce-pd-storage-class";
+import { FilestoreStorageClass } from "./filestore-storage-class";
+import { GkeGateway } from "./gke-gateway";
+import { ConfigConnectorContext } from "./config-connector-context";
 
 // ── WebApp ──────────────────────────────────────────────────────────
 
@@ -523,6 +543,63 @@ describe("AutoscaledService", () => {
     expect(podLabels.team).toBe("platform");
     expect(podLabels["app.kubernetes.io/name"]).toBe("api");
   });
+
+  test("serviceAccountName wired into pod spec", () => {
+    const result = AutoscaledService({ ...minProps, serviceAccountName: "my-sa" });
+    const spec = result.deployment.spec as any;
+    expect(spec.template.spec.serviceAccountName).toBe("my-sa");
+  });
+
+  test("no serviceAccountName by default", () => {
+    const result = AutoscaledService(minProps);
+    const spec = result.deployment.spec as any;
+    expect(spec.template.spec.serviceAccountName).toBeUndefined();
+  });
+
+  test("volumes and volumeMounts wired into pod spec", () => {
+    const result = AutoscaledService({
+      ...minProps,
+      volumes: [{ name: "data", emptyDir: {} }],
+      volumeMounts: [{ name: "data", mountPath: "/data" }],
+    });
+    const spec = result.deployment.spec as any;
+    expect(spec.template.spec.volumes).toEqual([{ name: "data", emptyDir: {} }]);
+    expect(spec.template.spec.containers[0].volumeMounts).toEqual([{ name: "data", mountPath: "/data" }]);
+  });
+
+  test("tmpDirs generates emptyDir volumes and mounts", () => {
+    const result = AutoscaledService({
+      ...minProps,
+      tmpDirs: ["/tmp", "/var/cache/nginx"],
+    });
+    const spec = result.deployment.spec as any;
+    expect(spec.template.spec.volumes).toEqual([
+      { name: "tmp-0", emptyDir: {} },
+      { name: "tmp-1", emptyDir: {} },
+    ]);
+    expect(spec.template.spec.containers[0].volumeMounts).toEqual([
+      { name: "tmp-0", mountPath: "/tmp" },
+      { name: "tmp-1", mountPath: "/var/cache/nginx" },
+    ]);
+  });
+
+  test("tmpDirs merges with explicit volumes/volumeMounts", () => {
+    const result = AutoscaledService({
+      ...minProps,
+      volumes: [{ name: "config", configMap: { name: "app-config" } }],
+      volumeMounts: [{ name: "config", mountPath: "/etc/config" }],
+      tmpDirs: ["/tmp"],
+    });
+    const spec = result.deployment.spec as any;
+    expect(spec.template.spec.volumes).toEqual([
+      { name: "config", configMap: { name: "app-config" } },
+      { name: "tmp-0", emptyDir: {} },
+    ]);
+    expect(spec.template.spec.containers[0].volumeMounts).toEqual([
+      { name: "config", mountPath: "/etc/config" },
+      { name: "tmp-0", mountPath: "/tmp" },
+    ]);
+  });
 });
 
 // ── WorkerPool ─────────────────────────────────────────────────────
@@ -1107,3 +1184,1510 @@ describe("NodeAgent", () => {
     expect((result.configMap!.metadata as any).labels["app.kubernetes.io/component"]).toBe("config");
   });
 });
+
+// ── Hardening Additions ─────────────────────────────────────────────
+
+describe("WebApp hardening", () => {
+  test("PDB created when minAvailable set", () => {
+    const result = WebApp({ name: "app", image: "app:1.0", minAvailable: 1 });
+    expect(result.pdb).toBeDefined();
+    const spec = result.pdb!.spec as any;
+    expect(spec.minAvailable).toBe(1);
+    expect(spec.selector.matchLabels["app.kubernetes.io/name"]).toBe("app");
+  });
+
+  test("no PDB by default", () => {
+    const result = WebApp({ name: "app", image: "app:1.0" });
+    expect(result.pdb).toBeUndefined();
+  });
+
+  test("initContainers passed through", () => {
+    const result = WebApp({
+      name: "app",
+      image: "app:1.0",
+      initContainers: [{ name: "migrate", image: "migrate:1.0", command: ["./migrate.sh"] }],
+    });
+    const spec = result.deployment.spec as any;
+    expect(spec.template.spec.initContainers).toHaveLength(1);
+    expect(spec.template.spec.initContainers[0].name).toBe("migrate");
+  });
+
+  test("securityContext passed through", () => {
+    const result = WebApp({
+      name: "app",
+      image: "app:1.0",
+      securityContext: { runAsNonRoot: true, readOnlyRootFilesystem: true },
+    });
+    const spec = result.deployment.spec as any;
+    const container = spec.template.spec.containers[0];
+    expect(container.securityContext.runAsNonRoot).toBe(true);
+  });
+
+  test("securityContext supports PSS restricted fields", () => {
+    const result = WebApp({
+      name: "app",
+      image: "app:1.0",
+      securityContext: {
+        runAsNonRoot: true,
+        readOnlyRootFilesystem: true,
+        allowPrivilegeEscalation: false,
+        capabilities: { drop: ["ALL"] },
+        seccompProfile: { type: "RuntimeDefault" },
+      },
+    });
+    const spec = result.deployment.spec as any;
+    const sc = spec.template.spec.containers[0].securityContext;
+    expect(sc.allowPrivilegeEscalation).toBe(false);
+    expect(sc.capabilities).toEqual({ drop: ["ALL"] });
+    expect(sc.seccompProfile).toEqual({ type: "RuntimeDefault" });
+  });
+
+  test("terminationGracePeriodSeconds set", () => {
+    const result = WebApp({ name: "app", image: "app:1.0", terminationGracePeriodSeconds: 60 });
+    const spec = result.deployment.spec as any;
+    expect(spec.template.spec.terminationGracePeriodSeconds).toBe(60);
+  });
+
+  test("priorityClassName set", () => {
+    const result = WebApp({ name: "app", image: "app:1.0", priorityClassName: "high-priority" });
+    const spec = result.deployment.spec as any;
+    expect(spec.template.spec.priorityClassName).toBe("high-priority");
+  });
+
+  test("multi-path ingress", () => {
+    const result = WebApp({
+      name: "app",
+      image: "app:1.0",
+      ingressHost: "app.example.com",
+      ingressPaths: [
+        { path: "/api", serviceName: "api", servicePort: 8080 },
+        { path: "/web", serviceName: "web", servicePort: 3000 },
+      ],
+    });
+    const spec = result.ingress!.spec as any;
+    expect(spec.rules[0].http.paths).toHaveLength(2);
+    expect(spec.rules[0].http.paths[0].path).toBe("/api");
+    expect(spec.rules[0].http.paths[1].backend.service.name).toBe("web");
+  });
+});
+
+describe("StatefulApp hardening", () => {
+  test("PDB created when minAvailable set", () => {
+    const result = StatefulApp({ name: "db", image: "postgres:16", minAvailable: 1 });
+    expect(result.pdb).toBeDefined();
+    const spec = result.pdb!.spec as any;
+    expect(spec.minAvailable).toBe(1);
+  });
+
+  test("initContainers passed through", () => {
+    const result = StatefulApp({
+      name: "db",
+      image: "postgres:16",
+      initContainers: [{ name: "init", image: "init:1.0" }],
+    });
+    const spec = result.statefulSet.spec as any;
+    expect(spec.template.spec.initContainers).toHaveLength(1);
+  });
+
+  test("securityContext passed through", () => {
+    const result = StatefulApp({
+      name: "db",
+      image: "postgres:16",
+      securityContext: { runAsNonRoot: true },
+    });
+    const spec = result.statefulSet.spec as any;
+    expect(spec.template.spec.containers[0].securityContext.runAsNonRoot).toBe(true);
+  });
+
+  test("securityContext supports PSS restricted fields", () => {
+    const result = StatefulApp({
+      name: "db",
+      image: "postgres:16",
+      securityContext: {
+        runAsNonRoot: true,
+        allowPrivilegeEscalation: false,
+        capabilities: { drop: ["ALL"] },
+        seccompProfile: { type: "RuntimeDefault" },
+      },
+    });
+    const spec = result.statefulSet.spec as any;
+    const sc = spec.template.spec.containers[0].securityContext;
+    expect(sc.allowPrivilegeEscalation).toBe(false);
+    expect(sc.capabilities).toEqual({ drop: ["ALL"] });
+    expect(sc.seccompProfile).toEqual({ type: "RuntimeDefault" });
+  });
+});
+
+describe("WorkerPool hardening", () => {
+  test("PDB created when minAvailable set", () => {
+    const result = WorkerPool({ name: "w", image: "w:1.0", minAvailable: 1 });
+    expect(result.pdb).toBeDefined();
+    const spec = result.pdb!.spec as any;
+    expect(spec.minAvailable).toBe(1);
+  });
+
+  test("securityContext on container", () => {
+    const result = WorkerPool({
+      name: "w",
+      image: "w:1.0",
+      securityContext: { runAsNonRoot: true },
+    });
+    const spec = result.deployment.spec as any;
+    expect(spec.template.spec.containers[0].securityContext.runAsNonRoot).toBe(true);
+  });
+
+  test("securityContext supports PSS restricted fields", () => {
+    const result = WorkerPool({
+      name: "w",
+      image: "w:1.0",
+      securityContext: {
+        runAsNonRoot: true,
+        allowPrivilegeEscalation: false,
+        capabilities: { drop: ["ALL"] },
+        seccompProfile: { type: "RuntimeDefault" },
+      },
+    });
+    const spec = result.deployment.spec as any;
+    const sc = spec.template.spec.containers[0].securityContext;
+    expect(sc.allowPrivilegeEscalation).toBe(false);
+    expect(sc.capabilities).toEqual({ drop: ["ALL"] });
+    expect(sc.seccompProfile).toEqual({ type: "RuntimeDefault" });
+  });
+});
+
+describe("AutoscaledService hardening", () => {
+  const minProps = { name: "api", image: "api:1.0", maxReplicas: 10, cpuRequest: "100m", memoryRequest: "128Mi" };
+
+  test("initContainers passed through", () => {
+    const result = AutoscaledService({
+      ...minProps,
+      initContainers: [{ name: "migrate", image: "m:1.0" }],
+    });
+    const spec = result.deployment.spec as any;
+    expect(spec.template.spec.initContainers).toHaveLength(1);
+  });
+
+  test("securityContext on container", () => {
+    const result = AutoscaledService({
+      ...minProps,
+      securityContext: { runAsNonRoot: true },
+    });
+    const spec = result.deployment.spec as any;
+    expect(spec.template.spec.containers[0].securityContext.runAsNonRoot).toBe(true);
+  });
+
+  test("securityContext supports PSS restricted fields", () => {
+    const result = AutoscaledService({
+      ...minProps,
+      securityContext: {
+        runAsNonRoot: true,
+        allowPrivilegeEscalation: false,
+        capabilities: { drop: ["ALL"] },
+        seccompProfile: { type: "RuntimeDefault" },
+      },
+    });
+    const spec = result.deployment.spec as any;
+    const sc = spec.template.spec.containers[0].securityContext;
+    expect(sc.allowPrivilegeEscalation).toBe(false);
+    expect(sc.capabilities).toEqual({ drop: ["ALL"] });
+    expect(sc.seccompProfile).toEqual({ type: "RuntimeDefault" });
+  });
+
+  test("terminationGracePeriodSeconds set", () => {
+    const result = AutoscaledService({ ...minProps, terminationGracePeriodSeconds: 30 });
+    const spec = result.deployment.spec as any;
+    expect(spec.template.spec.terminationGracePeriodSeconds).toBe(30);
+  });
+});
+
+// ── BatchJob ────────────────────────────────────────────────────────
+
+describe("BatchJob", () => {
+  const minProps = { name: "migrate", image: "migrate:1.0" };
+
+  test("returns job with default RBAC", () => {
+    const result = BatchJob(minProps);
+    expect(result.job).toBeDefined();
+    expect(result.serviceAccount).toBeDefined();
+    expect(result.role).toBeDefined();
+    expect(result.roleBinding).toBeDefined();
+  });
+
+  test("default backoffLimit is 6", () => {
+    const result = BatchJob(minProps);
+    const spec = result.job.spec as any;
+    expect(spec.backoffLimit).toBe(6);
+  });
+
+  test("custom backoffLimit and ttl", () => {
+    const result = BatchJob({ ...minProps, backoffLimit: 3, ttlSecondsAfterFinished: 3600 });
+    const spec = result.job.spec as any;
+    expect(spec.backoffLimit).toBe(3);
+    expect(spec.ttlSecondsAfterFinished).toBe(3600);
+  });
+
+  test("parallelism and completions", () => {
+    const result = BatchJob({ ...minProps, parallelism: 3, completions: 10 });
+    const spec = result.job.spec as any;
+    expect(spec.parallelism).toBe(3);
+    expect(spec.completions).toBe(10);
+  });
+
+  test("rbacRules: [] skips RBAC", () => {
+    const result = BatchJob({ ...minProps, rbacRules: [] });
+    expect(result.serviceAccount).toBeUndefined();
+    expect(result.role).toBeUndefined();
+    expect(result.roleBinding).toBeUndefined();
+  });
+
+  test("command and args passed through", () => {
+    const result = BatchJob({ ...minProps, command: ["python"], args: ["migrate.py"] });
+    const spec = result.job.spec as any;
+    const container = spec.template.spec.containers[0];
+    expect(container.command).toEqual(["python"]);
+    expect(container.args).toEqual(["migrate.py"]);
+  });
+
+  test("namespace propagated", () => {
+    const result = BatchJob({ ...minProps, namespace: "jobs" });
+    expect((result.job.metadata as any).namespace).toBe("jobs");
+    expect((result.serviceAccount!.metadata as any).namespace).toBe("jobs");
+  });
+
+  test("component labels", () => {
+    const result = BatchJob(minProps);
+    expect((result.job.metadata as any).labels["app.kubernetes.io/component"]).toBe("batch");
+    expect((result.role!.metadata as any).labels["app.kubernetes.io/component"]).toBe("rbac");
+  });
+});
+
+// ── SecureIngress ───────────────────────────────────────────────────
+
+describe("SecureIngress", () => {
+  const minProps = {
+    name: "app-ingress",
+    hosts: [{ hostname: "app.example.com", paths: [{ path: "/", serviceName: "app", servicePort: 80 }] }],
+  };
+
+  test("returns ingress without certificate by default", () => {
+    const result = SecureIngress(minProps);
+    expect(result.ingress).toBeDefined();
+    expect(result.certificate).toBeUndefined();
+  });
+
+  test("creates certificate when clusterIssuer set", () => {
+    const result = SecureIngress({ ...minProps, clusterIssuer: "letsencrypt-prod" });
+    expect(result.certificate).toBeDefined();
+    const certSpec = result.certificate!.spec as any;
+    expect(certSpec.issuerRef.name).toBe("letsencrypt-prod");
+    expect(certSpec.dnsNames).toEqual(["app.example.com"]);
+  });
+
+  test("TLS on ingress when clusterIssuer set", () => {
+    const result = SecureIngress({ ...minProps, clusterIssuer: "letsencrypt-prod" });
+    const spec = result.ingress.spec as any;
+    expect(spec.tls).toBeDefined();
+    expect(spec.tls[0].hosts).toEqual(["app.example.com"]);
+  });
+
+  test("multi-host support", () => {
+    const result = SecureIngress({
+      name: "multi",
+      hosts: [
+        { hostname: "api.example.com", paths: [{ path: "/", serviceName: "api", servicePort: 80 }] },
+        { hostname: "admin.example.com", paths: [{ path: "/", serviceName: "admin", servicePort: 80 }] },
+      ],
+      clusterIssuer: "letsencrypt-prod",
+    });
+    const spec = result.ingress.spec as any;
+    expect(spec.rules).toHaveLength(2);
+    const certSpec = result.certificate!.spec as any;
+    expect(certSpec.dnsNames).toHaveLength(2);
+  });
+
+  test("multi-path support", () => {
+    const result = SecureIngress({
+      name: "multi-path",
+      hosts: [{
+        hostname: "app.example.com",
+        paths: [
+          { path: "/api", serviceName: "api", servicePort: 8080 },
+          { path: "/web", serviceName: "web", servicePort: 3000 },
+        ],
+      }],
+    });
+    const spec = result.ingress.spec as any;
+    expect(spec.rules[0].http.paths).toHaveLength(2);
+  });
+
+  test("ingressClassName set", () => {
+    const result = SecureIngress({ ...minProps, ingressClassName: "nginx" });
+    const spec = result.ingress.spec as any;
+    expect(spec.ingressClassName).toBe("nginx");
+  });
+
+  test("cert-manager annotation added", () => {
+    const result = SecureIngress({ ...minProps, clusterIssuer: "letsencrypt-prod" });
+    const meta = result.ingress.metadata as any;
+    expect(meta.annotations["cert-manager.io/cluster-issuer"]).toBe("letsencrypt-prod");
+  });
+});
+
+// ── ConfiguredApp ───────────────────────────────────────────────────
+
+describe("ConfiguredApp", () => {
+  const minProps = { name: "api", image: "api:1.0" };
+
+  test("returns deployment and service", () => {
+    const result = ConfiguredApp(minProps);
+    expect(result.deployment).toBeDefined();
+    expect(result.service).toBeDefined();
+    expect(result.configMap).toBeUndefined();
+  });
+
+  test("creates ConfigMap when configData provided", () => {
+    const result = ConfiguredApp({ ...minProps, configData: { "app.conf": "key=val" }, configMountPath: "/etc/app" });
+    expect(result.configMap).toBeDefined();
+    expect((result.configMap as any).data["app.conf"]).toBe("key=val");
+  });
+
+  test("configMap volume mounted", () => {
+    const result = ConfiguredApp({ ...minProps, configData: { "k": "v" }, configMountPath: "/etc/app" });
+    const spec = result.deployment.spec as any;
+    const container = spec.template.spec.containers[0];
+    expect(container.volumeMounts).toHaveLength(1);
+    expect(container.volumeMounts[0].mountPath).toBe("/etc/app");
+    expect(spec.template.spec.volumes[0].configMap.name).toBe("api-config");
+  });
+
+  test("secret volume mounted", () => {
+    const result = ConfiguredApp({ ...minProps, secretName: "creds", secretMountPath: "/secrets" });
+    const spec = result.deployment.spec as any;
+    const container = spec.template.spec.containers[0];
+    expect(container.volumeMounts[0].mountPath).toBe("/secrets");
+    expect(spec.template.spec.volumes[0].secret.secretName).toBe("creds");
+  });
+
+  test("envFrom with configMapRef and secretRef", () => {
+    const result = ConfiguredApp({
+      ...minProps,
+      envFrom: { configMapRef: "my-config", secretRef: "my-secret" },
+    });
+    const spec = result.deployment.spec as any;
+    const container = spec.template.spec.containers[0];
+    expect(container.envFrom).toHaveLength(2);
+    expect(container.envFrom[0].configMapRef.name).toBe("my-config");
+    expect(container.envFrom[1].secretRef.name).toBe("my-secret");
+  });
+
+  test("initContainers supported", () => {
+    const result = ConfiguredApp({
+      ...minProps,
+      initContainers: [{ name: "init", image: "init:1.0", command: ["sh"] }],
+    });
+    const spec = result.deployment.spec as any;
+    expect(spec.template.spec.initContainers).toHaveLength(1);
+  });
+
+  test("namespace propagated", () => {
+    const result = ConfiguredApp({ ...minProps, namespace: "prod" });
+    expect((result.deployment.metadata as any).namespace).toBe("prod");
+    expect((result.service.metadata as any).namespace).toBe("prod");
+  });
+});
+
+// ── SidecarApp ──────────────────────────────────────────────────────
+
+describe("SidecarApp", () => {
+  const minProps = {
+    name: "api",
+    image: "api:1.0",
+    sidecars: [{ name: "envoy", image: "envoy:v1.28" }],
+  };
+
+  test("returns deployment and service", () => {
+    const result = SidecarApp(minProps);
+    expect(result.deployment).toBeDefined();
+    expect(result.service).toBeDefined();
+  });
+
+  test("has multiple containers", () => {
+    const result = SidecarApp(minProps);
+    const spec = result.deployment.spec as any;
+    expect(spec.template.spec.containers).toHaveLength(2);
+    expect(spec.template.spec.containers[0].name).toBe("api");
+    expect(spec.template.spec.containers[1].name).toBe("envoy");
+  });
+
+  test("sidecar ports passed through", () => {
+    const result = SidecarApp({
+      ...minProps,
+      sidecars: [{ name: "envoy", image: "envoy:v1.28", ports: [{ containerPort: 9901, name: "admin" }] }],
+    });
+    const spec = result.deployment.spec as any;
+    expect(spec.template.spec.containers[1].ports[0].containerPort).toBe(9901);
+  });
+
+  test("initContainers supported", () => {
+    const result = SidecarApp({
+      ...minProps,
+      initContainers: [{ name: "migrate", image: "m:1.0", command: ["./migrate.sh"] }],
+    });
+    const spec = result.deployment.spec as any;
+    expect(spec.template.spec.initContainers).toHaveLength(1);
+  });
+
+  test("sharedVolumes creates volumes", () => {
+    const result = SidecarApp({
+      ...minProps,
+      sharedVolumes: [{ name: "tmp" }, { name: "config", configMapName: "my-config" }],
+    });
+    const spec = result.deployment.spec as any;
+    expect(spec.template.spec.volumes).toHaveLength(2);
+    expect(spec.template.spec.volumes[0].emptyDir).toBeDefined();
+    expect(spec.template.spec.volumes[1].configMap.name).toBe("my-config");
+  });
+
+  test("common labels on all resources", () => {
+    const result = SidecarApp(minProps);
+    expect((result.deployment.metadata as any).labels["app.kubernetes.io/managed-by"]).toBe("chant");
+    expect((result.service.metadata as any).labels["app.kubernetes.io/managed-by"]).toBe("chant");
+  });
+});
+
+// ── MonitoredService ────────────────────────────────────────────────
+
+describe("MonitoredService", () => {
+  const minProps = { name: "api", image: "api:1.0" };
+
+  test("returns deployment, service, serviceMonitor", () => {
+    const result = MonitoredService(minProps);
+    expect(result.deployment).toBeDefined();
+    expect(result.service).toBeDefined();
+    expect(result.serviceMonitor).toBeDefined();
+    expect(result.prometheusRule).toBeUndefined();
+  });
+
+  test("prometheusRule created when alertRules provided", () => {
+    const result = MonitoredService({
+      ...minProps,
+      alertRules: [{ name: "HighError", expr: "rate(errors[5m]) > 0.1", severity: "critical" }],
+    });
+    expect(result.prometheusRule).toBeDefined();
+    const spec = result.prometheusRule!.spec as any;
+    expect(spec.groups[0].rules[0].alert).toBe("HighError");
+    expect(spec.groups[0].rules[0].labels.severity).toBe("critical");
+  });
+
+  test("serviceMonitor has correct selector and endpoint", () => {
+    const result = MonitoredService({ ...minProps, metricsPort: 9090, metricsPath: "/metrics", scrapeInterval: "15s" });
+    const spec = result.serviceMonitor.spec as any;
+    expect(spec.selector.matchLabels["app.kubernetes.io/name"]).toBe("api");
+    expect(spec.endpoints[0].port).toBe("metrics");
+    expect(spec.endpoints[0].path).toBe("/metrics");
+    expect(spec.endpoints[0].interval).toBe("15s");
+  });
+
+  test("separate metrics port on container and service", () => {
+    const result = MonitoredService({ ...minProps, port: 8080, metricsPort: 9090 });
+    const spec = result.deployment.spec as any;
+    const ports = spec.template.spec.containers[0].ports;
+    expect(ports).toHaveLength(2);
+    expect(ports[0].containerPort).toBe(8080);
+    expect(ports[1].containerPort).toBe(9090);
+  });
+
+  test("component labels", () => {
+    const result = MonitoredService({ ...minProps, alertRules: [{ name: "A", expr: "1" }] });
+    expect((result.serviceMonitor.metadata as any).labels["app.kubernetes.io/component"]).toBe("monitoring");
+    expect((result.prometheusRule!.metadata as any).labels["app.kubernetes.io/component"]).toBe("monitoring");
+  });
+});
+
+// ── NetworkIsolatedApp ──────────────────────────────────────────────
+
+describe("NetworkIsolatedApp", () => {
+  const minProps = { name: "api", image: "api:1.0" };
+
+  test("returns deployment, service, networkPolicy", () => {
+    const result = NetworkIsolatedApp(minProps);
+    expect(result.deployment).toBeDefined();
+    expect(result.service).toBeDefined();
+    expect(result.networkPolicy).toBeDefined();
+  });
+
+  test("networkPolicy podSelector matches app", () => {
+    const result = NetworkIsolatedApp(minProps);
+    const spec = result.networkPolicy.spec as any;
+    expect(spec.podSelector.matchLabels["app.kubernetes.io/name"]).toBe("api");
+  });
+
+  test("ingress rules created", () => {
+    const result = NetworkIsolatedApp({
+      ...minProps,
+      allowIngressFrom: [{ podSelector: { "app.kubernetes.io/name": "frontend" } }],
+    });
+    const spec = result.networkPolicy.spec as any;
+    expect(spec.policyTypes).toContain("Ingress");
+    expect(spec.ingress[0].from[0].podSelector.matchLabels["app.kubernetes.io/name"]).toBe("frontend");
+  });
+
+  test("egress rules with ports", () => {
+    const result = NetworkIsolatedApp({
+      ...minProps,
+      allowEgressTo: [{ podSelector: { "app.kubernetes.io/name": "db" }, ports: [{ port: 5432 }] }],
+    });
+    const spec = result.networkPolicy.spec as any;
+    expect(spec.policyTypes).toContain("Egress");
+    expect(spec.egress[0].ports[0].port).toBe(5432);
+  });
+
+  test("namespace propagated", () => {
+    const result = NetworkIsolatedApp({ ...minProps, namespace: "prod" });
+    expect((result.networkPolicy.metadata as any).namespace).toBe("prod");
+  });
+
+  test("component label on networkPolicy", () => {
+    const result = NetworkIsolatedApp(minProps);
+    expect((result.networkPolicy.metadata as any).labels["app.kubernetes.io/component"]).toBe("network-policy");
+  });
+});
+
+// ── IrsaServiceAccount ──────────────────────────────────────────────
+
+describe("IrsaServiceAccount", () => {
+  const minProps = { name: "app-sa", iamRoleArn: "arn:aws:iam::123456789012:role/app-role" };
+
+  test("returns serviceAccount with IRSA annotation", () => {
+    const result = IrsaServiceAccount(minProps);
+    expect(result.serviceAccount).toBeDefined();
+    const meta = result.serviceAccount.metadata as any;
+    expect(meta.annotations["eks.amazonaws.com/role-arn"]).toBe("arn:aws:iam::123456789012:role/app-role");
+  });
+
+  test("no RBAC by default", () => {
+    const result = IrsaServiceAccount(minProps);
+    expect(result.role).toBeUndefined();
+    expect(result.roleBinding).toBeUndefined();
+  });
+
+  test("RBAC created when rules provided", () => {
+    const result = IrsaServiceAccount({
+      ...minProps,
+      rbacRules: [{ apiGroups: [""], resources: ["secrets"], verbs: ["get"] }],
+    });
+    expect(result.role).toBeDefined();
+    expect(result.roleBinding).toBeDefined();
+    const role = result.role as any;
+    expect(role.rules[0].resources).toEqual(["secrets"]);
+  });
+
+  test("namespace propagated", () => {
+    const result = IrsaServiceAccount({ ...minProps, namespace: "prod" });
+    expect((result.serviceAccount.metadata as any).namespace).toBe("prod");
+  });
+
+  test("component labels", () => {
+    const result = IrsaServiceAccount(minProps);
+    expect((result.serviceAccount.metadata as any).labels["app.kubernetes.io/component"]).toBe("service-account");
+  });
+});
+
+// ── AlbIngress ──────────────────────────────────────────────────────
+
+describe("AlbIngress", () => {
+  const minProps = {
+    name: "api-ingress",
+    hosts: [{ hostname: "api.example.com", paths: [{ path: "/", serviceName: "api", servicePort: 80 }] }],
+  };
+
+  test("returns ingress with ALB annotations", () => {
+    const result = AlbIngress(minProps);
+    expect(result.ingress).toBeDefined();
+    const meta = result.ingress.metadata as any;
+    expect(meta.annotations["alb.ingress.kubernetes.io/scheme"]).toBe("internet-facing");
+    expect(meta.annotations["alb.ingress.kubernetes.io/target-type"]).toBe("ip");
+  });
+
+  test("ingressClassName is alb", () => {
+    const result = AlbIngress(minProps);
+    const spec = result.ingress.spec as any;
+    expect(spec.ingressClassName).toBe("alb");
+  });
+
+  test("certificate ARN sets TLS annotations", () => {
+    const result = AlbIngress({ ...minProps, certificateArn: "arn:aws:acm:us-east-1:123:cert/abc" });
+    const meta = result.ingress.metadata as any;
+    expect(meta.annotations["alb.ingress.kubernetes.io/certificate-arn"]).toBe("arn:aws:acm:us-east-1:123:cert/abc");
+    expect(meta.annotations["alb.ingress.kubernetes.io/ssl-redirect"]).toBe("443");
+  });
+
+  test("groupName annotation set", () => {
+    const result = AlbIngress({ ...minProps, groupName: "shared-alb" });
+    const meta = result.ingress.metadata as any;
+    expect(meta.annotations["alb.ingress.kubernetes.io/group.name"]).toBe("shared-alb");
+  });
+
+  test("WAF ACL annotation set", () => {
+    const result = AlbIngress({ ...minProps, wafAclArn: "arn:aws:wafv2:us-east-1:123:regional/webacl/abc" });
+    const meta = result.ingress.metadata as any;
+    expect(meta.annotations["alb.ingress.kubernetes.io/wafv2-acl-arn"]).toBe("arn:aws:wafv2:us-east-1:123:regional/webacl/abc");
+  });
+
+  test("internal scheme", () => {
+    const result = AlbIngress({ ...minProps, scheme: "internal" });
+    const meta = result.ingress.metadata as any;
+    expect(meta.annotations["alb.ingress.kubernetes.io/scheme"]).toBe("internal");
+  });
+
+  test("empty-string certificateArn does NOT set ssl-redirect", () => {
+    const result = AlbIngress({ ...minProps, certificateArn: "" });
+    const meta = result.ingress.metadata as any;
+    expect(meta.annotations["alb.ingress.kubernetes.io/ssl-redirect"]).toBeUndefined();
+    expect(meta.annotations["alb.ingress.kubernetes.io/certificate-arn"]).toBeUndefined();
+  });
+
+  test("explicit sslRedirect: true overrides empty certificateArn", () => {
+    const result = AlbIngress({ ...minProps, certificateArn: "", sslRedirect: true });
+    const meta = result.ingress.metadata as any;
+    expect(meta.annotations["alb.ingress.kubernetes.io/ssl-redirect"]).toBe("443");
+  });
+
+  test("explicit sslRedirect: false suppresses redirect even with cert", () => {
+    const result = AlbIngress({ ...minProps, certificateArn: "arn:aws:acm:us-east-1:123:cert/abc", sslRedirect: false });
+    const meta = result.ingress.metadata as any;
+    expect(meta.annotations["alb.ingress.kubernetes.io/ssl-redirect"]).toBeUndefined();
+  });
+});
+
+// ── EbsStorageClass ─────────────────────────────────────────────────
+
+describe("EbsStorageClass", () => {
+  test("returns storageClass with EBS provisioner", () => {
+    const result = EbsStorageClass({ name: "gp3" });
+    expect(result.storageClass).toBeDefined();
+    expect((result.storageClass as any).provisioner).toBe("ebs.csi.aws.com");
+  });
+
+  test("default type is gp3", () => {
+    const result = EbsStorageClass({ name: "default" });
+    expect((result.storageClass as any).parameters.type).toBe("gp3");
+  });
+
+  test("encryption enabled by default", () => {
+    const result = EbsStorageClass({ name: "enc" });
+    expect((result.storageClass as any).parameters.encrypted).toBe("true");
+  });
+
+  test("custom parameters", () => {
+    const result = EbsStorageClass({ name: "custom", type: "io2", iops: "5000", throughput: "250" });
+    const params = (result.storageClass as any).parameters;
+    expect(params.type).toBe("io2");
+    expect(params.iops).toBe("5000");
+    expect(params.throughput).toBe("250");
+  });
+
+  test("allowVolumeExpansion default true", () => {
+    const result = EbsStorageClass({ name: "exp" });
+    expect((result.storageClass as any).allowVolumeExpansion).toBe(true);
+  });
+
+  test("storageClass is cluster-scoped (no namespace)", () => {
+    const result = EbsStorageClass({ name: "sc" });
+    expect((result.storageClass.metadata as any).namespace).toBeUndefined();
+  });
+
+  test("numeric iops and throughput coerced to strings", () => {
+    const result = EbsStorageClass({ name: "perf", iops: 5000, throughput: 250 });
+    const params = (result.storageClass as any).parameters;
+    expect(params.iops).toBe("5000");
+    expect(params.throughput).toBe("250");
+  });
+
+  test("string iops and throughput passed through", () => {
+    const result = EbsStorageClass({ name: "perf", iops: "3000", throughput: "125" });
+    const params = (result.storageClass as any).parameters;
+    expect(params.iops).toBe("3000");
+    expect(params.throughput).toBe("125");
+  });
+});
+
+// ── EfsStorageClass ─────────────────────────────────────────────────
+
+describe("EfsStorageClass", () => {
+  test("returns storageClass with EFS provisioner", () => {
+    const result = EfsStorageClass({ name: "efs", fileSystemId: "fs-123" });
+    expect((result.storageClass as any).provisioner).toBe("efs.csi.aws.com");
+  });
+
+  test("fileSystemId in parameters", () => {
+    const result = EfsStorageClass({ name: "efs", fileSystemId: "fs-abc" });
+    expect((result.storageClass as any).parameters.fileSystemId).toBe("fs-abc");
+  });
+
+  test("default provisioningMode is efs-ap", () => {
+    const result = EfsStorageClass({ name: "efs", fileSystemId: "fs-123" });
+    expect((result.storageClass as any).parameters.provisioningMode).toBe("efs-ap");
+  });
+});
+
+// ── FluentBitAgent ──────────────────────────────────────────────────
+
+describe("FluentBitAgent", () => {
+  const minProps = { logGroup: "/aws/eks/cluster/containers", region: "us-east-1", clusterName: "cluster" };
+
+  test("returns all 5 resources", () => {
+    const result = FluentBitAgent(minProps);
+    expect(result.daemonSet).toBeDefined();
+    expect(result.serviceAccount).toBeDefined();
+    expect(result.clusterRole).toBeDefined();
+    expect(result.clusterRoleBinding).toBeDefined();
+    expect(result.configMap).toBeDefined();
+  });
+
+  test("default namespace is amazon-cloudwatch", () => {
+    const result = FluentBitAgent(minProps);
+    expect((result.daemonSet.metadata as any).namespace).toBe("amazon-cloudwatch");
+  });
+
+  test("configMap contains fluent-bit config with region", () => {
+    const result = FluentBitAgent(minProps);
+    const data = (result.configMap as any).data;
+    expect(data["fluent-bit.conf"]).toContain("us-east-1");
+    expect(data["fluent-bit.conf"]).toContain("/aws/eks/cluster/containers");
+  });
+
+  test("tolerations for all nodes", () => {
+    const result = FluentBitAgent(minProps);
+    const spec = result.daemonSet.spec as any;
+    expect(spec.template.spec.tolerations).toEqual([{ operator: "Exists" }]);
+  });
+
+  test("clusterRole is cluster-scoped", () => {
+    const result = FluentBitAgent(minProps);
+    expect((result.clusterRole.metadata as any).namespace).toBeUndefined();
+  });
+
+  test("IRSA annotation when iamRoleArn set", () => {
+    const result = FluentBitAgent({ ...minProps, iamRoleArn: "arn:aws:iam::123456789012:role/fb-role" });
+    const meta = result.serviceAccount.metadata as any;
+    expect(meta.annotations["eks.amazonaws.com/role-arn"]).toBe("arn:aws:iam::123456789012:role/fb-role");
+  });
+
+  test("no annotation when iamRoleArn omitted", () => {
+    const result = FluentBitAgent(minProps);
+    const meta = result.serviceAccount.metadata as any;
+    expect(meta.annotations).toBeUndefined();
+  });
+});
+
+// ── ExternalDnsAgent ────────────────────────────────────────────────
+
+describe("ExternalDnsAgent", () => {
+  const minProps = {
+    iamRoleArn: "arn:aws:iam::123456789012:role/external-dns",
+    domainFilters: ["example.com"],
+  };
+
+  test("returns deployment, serviceAccount, clusterRole, clusterRoleBinding", () => {
+    const result = ExternalDnsAgent(minProps);
+    expect(result.deployment).toBeDefined();
+    expect(result.serviceAccount).toBeDefined();
+    expect(result.clusterRole).toBeDefined();
+    expect(result.clusterRoleBinding).toBeDefined();
+  });
+
+  test("IRSA annotation on serviceAccount", () => {
+    const result = ExternalDnsAgent(minProps);
+    const meta = result.serviceAccount.metadata as any;
+    expect(meta.annotations["eks.amazonaws.com/role-arn"]).toBe("arn:aws:iam::123456789012:role/external-dns");
+  });
+
+  test("domain filter in args", () => {
+    const result = ExternalDnsAgent(minProps);
+    const spec = result.deployment.spec as any;
+    const args = spec.template.spec.containers[0].args;
+    expect(args).toContain("--domain-filter=example.com");
+  });
+
+  test("txtOwnerId in args when set", () => {
+    const result = ExternalDnsAgent({ ...minProps, txtOwnerId: "my-cluster" });
+    const spec = result.deployment.spec as any;
+    const args = spec.template.spec.containers[0].args;
+    expect(args).toContain("--txt-owner-id=my-cluster");
+  });
+
+  test("default namespace is kube-system", () => {
+    const result = ExternalDnsAgent(minProps);
+    expect((result.deployment.metadata as any).namespace).toBe("kube-system");
+  });
+
+  test("replicas is 1", () => {
+    const result = ExternalDnsAgent(minProps);
+    const spec = result.deployment.spec as any;
+    expect(spec.replicas).toBe(1);
+  });
+});
+
+// ── AdotCollector ───────────────────────────────────────────────────
+
+describe("AdotCollector", () => {
+  const minProps = { region: "us-east-1", clusterName: "cluster" };
+
+  test("returns all 5 resources", () => {
+    const result = AdotCollector(minProps);
+    expect(result.daemonSet).toBeDefined();
+    expect(result.serviceAccount).toBeDefined();
+    expect(result.clusterRole).toBeDefined();
+    expect(result.clusterRoleBinding).toBeDefined();
+    expect(result.configMap).toBeDefined();
+  });
+
+  test("default namespace is amazon-metrics", () => {
+    const result = AdotCollector(minProps);
+    expect((result.daemonSet.metadata as any).namespace).toBe("amazon-metrics");
+  });
+
+  test("configMap contains ADOT config with region", () => {
+    const result = AdotCollector(minProps);
+    const data = (result.configMap as any).data;
+    expect(data["config.yaml"]).toContain("us-east-1");
+    expect(data["config.yaml"]).toContain("cluster");
+  });
+
+  test("OTLP ports on container", () => {
+    const result = AdotCollector(minProps);
+    const spec = result.daemonSet.spec as any;
+    const ports = spec.template.spec.containers[0].ports;
+    expect(ports).toHaveLength(2);
+    expect(ports[0].containerPort).toBe(4317);
+    expect(ports[1].containerPort).toBe(4318);
+  });
+
+  test("tolerations for all nodes", () => {
+    const result = AdotCollector(minProps);
+    const spec = result.daemonSet.spec as any;
+    expect(spec.template.spec.tolerations).toEqual([{ operator: "Exists" }]);
+  });
+
+  test("custom exporters", () => {
+    const result = AdotCollector({ ...minProps, exporters: ["prometheus"] });
+    const data = (result.configMap as any).data;
+    expect(data["config.yaml"]).toContain("prometheusremotewrite");
+  });
+
+  test("IRSA annotation when iamRoleArn set", () => {
+    const result = AdotCollector({ ...minProps, iamRoleArn: "arn:aws:iam::123456789012:role/adot-role" });
+    const meta = result.serviceAccount.metadata as any;
+    expect(meta.annotations["eks.amazonaws.com/role-arn"]).toBe("arn:aws:iam::123456789012:role/adot-role");
+  });
+
+  test("no annotation when iamRoleArn omitted", () => {
+    const result = AdotCollector(minProps);
+    const meta = result.serviceAccount.metadata as any;
+    expect(meta.annotations).toBeUndefined();
+  });
+});
+
+// ── MetricsServer ──────────────────────────────────────────────────
+
+describe("MetricsServer", () => {
+  test("returns all 8 resources", () => {
+    const result = MetricsServer({});
+    expect(result.deployment).toBeDefined();
+    expect(result.service).toBeDefined();
+    expect(result.serviceAccount).toBeDefined();
+    expect(result.clusterRole).toBeDefined();
+    expect(result.clusterRoleBinding).toBeDefined();
+    expect(result.aggregatedClusterRole).toBeDefined();
+    expect(result.authDelegatorBinding).toBeDefined();
+    expect(result.apiService).toBeDefined();
+  });
+
+  test("default namespace is kube-system", () => {
+    const result = MetricsServer({});
+    expect((result.deployment.metadata as any).namespace).toBe("kube-system");
+    expect((result.service.metadata as any).namespace).toBe("kube-system");
+    expect((result.serviceAccount.metadata as any).namespace).toBe("kube-system");
+  });
+
+  test("service targets port 10250", () => {
+    const result = MetricsServer({});
+    const spec = result.service.spec as any;
+    expect(spec.ports[0].port).toBe(443);
+    expect(spec.ports[0].targetPort).toBe(10250);
+  });
+
+  test("deployment container has correct image and args", () => {
+    const result = MetricsServer({});
+    const spec = result.deployment.spec as any;
+    const container = spec.template.spec.containers[0];
+    expect(container.image).toBe("registry.k8s.io/metrics-server/metrics-server:v0.7.2");
+    expect(container.args).toContain("--secure-port=10250");
+    expect(container.args).toContain("--kubelet-use-node-status-port");
+    expect(container.args).toContain("--metric-resolution=15s");
+  });
+
+  test("clusterRole has nodes/metrics access", () => {
+    const result = MetricsServer({});
+    const rules = result.clusterRole.rules as any[];
+    const nodeMetricsRule = rules.find((r: any) => r.resources?.includes("nodes/metrics"));
+    expect(nodeMetricsRule).toBeDefined();
+  });
+
+  test("apiService references correct service", () => {
+    const result = MetricsServer({});
+    const spec = (result.apiService as any).spec;
+    expect(spec.service.name).toBe("metrics-server");
+    expect(spec.service.namespace).toBe("kube-system");
+    expect(spec.group).toBe("metrics.k8s.io");
+    expect(spec.version).toBe("v1beta1");
+  });
+
+  test("aggregated clusterRole has aggregate labels", () => {
+    const result = MetricsServer({});
+    const labels = (result.aggregatedClusterRole.metadata as any).labels;
+    expect(labels["rbac.authorization.k8s.io/aggregate-to-admin"]).toBe("true");
+    expect(labels["rbac.authorization.k8s.io/aggregate-to-view"]).toBe("true");
+  });
+
+  test("custom image and replicas", () => {
+    const result = MetricsServer({ image: "custom:v1", replicas: 2 });
+    const spec = result.deployment.spec as any;
+    expect(spec.replicas).toBe(2);
+    expect(spec.template.spec.containers[0].image).toBe("custom:v1");
+  });
+});
+
+// ── PSS restricted securityContext passthrough tests ─────────────
+
+const pssSecurityContext = {
+  runAsNonRoot: true,
+  readOnlyRootFilesystem: true,
+  allowPrivilegeEscalation: false,
+  capabilities: { drop: ["ALL"] },
+  seccompProfile: { type: "RuntimeDefault" },
+};
+
+describe("BatchJob securityContext", () => {
+  test("securityContext passed through to container", () => {
+    const result = BatchJob({
+      name: "migrate",
+      image: "migrate:1.0",
+      securityContext: pssSecurityContext,
+    });
+    const spec = result.job.spec as any;
+    const sc = spec.template.spec.containers[0].securityContext;
+    expect(sc.runAsNonRoot).toBe(true);
+    expect(sc.allowPrivilegeEscalation).toBe(false);
+    expect(sc.capabilities).toEqual({ drop: ["ALL"] });
+    expect(sc.seccompProfile).toEqual({ type: "RuntimeDefault" });
+  });
+});
+
+describe("CronWorkload securityContext", () => {
+  test("securityContext passed through to container", () => {
+    const result = CronWorkload({
+      name: "backup",
+      image: "backup:1.0",
+      schedule: "0 2 * * *",
+      securityContext: pssSecurityContext,
+    });
+    const spec = result.cronJob.spec as any;
+    const sc = spec.jobTemplate.spec.template.spec.containers[0].securityContext;
+    expect(sc.runAsNonRoot).toBe(true);
+    expect(sc.allowPrivilegeEscalation).toBe(false);
+    expect(sc.capabilities).toEqual({ drop: ["ALL"] });
+    expect(sc.seccompProfile).toEqual({ type: "RuntimeDefault" });
+  });
+});
+
+describe("NodeAgent securityContext", () => {
+  test("securityContext passed through to container", () => {
+    const result = NodeAgent({
+      name: "agent",
+      image: "agent:1.0",
+      rbacRules: [{ apiGroups: [""], resources: ["pods"], verbs: ["get"] }],
+      securityContext: pssSecurityContext,
+    });
+    const spec = result.daemonSet.spec as any;
+    const sc = spec.template.spec.containers[0].securityContext;
+    expect(sc.runAsNonRoot).toBe(true);
+    expect(sc.allowPrivilegeEscalation).toBe(false);
+    expect(sc.capabilities).toEqual({ drop: ["ALL"] });
+  });
+});
+
+describe("ConfiguredApp securityContext", () => {
+  test("securityContext passed through to container", () => {
+    const result = ConfiguredApp({
+      name: "api",
+      image: "api:1.0",
+      securityContext: pssSecurityContext,
+    });
+    const spec = result.deployment.spec as any;
+    const sc = spec.template.spec.containers[0].securityContext;
+    expect(sc.runAsNonRoot).toBe(true);
+    expect(sc.allowPrivilegeEscalation).toBe(false);
+    expect(sc.capabilities).toEqual({ drop: ["ALL"] });
+    expect(sc.seccompProfile).toEqual({ type: "RuntimeDefault" });
+  });
+});
+
+describe("SidecarApp securityContext", () => {
+  test("securityContext passed through to primary container", () => {
+    const result = SidecarApp({
+      name: "api",
+      image: "api:1.0",
+      sidecars: [{ name: "envoy", image: "envoy:1.0" }],
+      securityContext: pssSecurityContext,
+    });
+    const spec = result.deployment.spec as any;
+    const sc = spec.template.spec.containers[0].securityContext;
+    expect(sc.runAsNonRoot).toBe(true);
+    expect(sc.allowPrivilegeEscalation).toBe(false);
+    expect(sc.capabilities).toEqual({ drop: ["ALL"] });
+    expect(sc.seccompProfile).toEqual({ type: "RuntimeDefault" });
+  });
+});
+
+describe("NetworkIsolatedApp securityContext", () => {
+  test("securityContext passed through to container", () => {
+    const result = NetworkIsolatedApp({
+      name: "api",
+      image: "api:1.0",
+      securityContext: pssSecurityContext,
+    });
+    const spec = result.deployment.spec as any;
+    const sc = spec.template.spec.containers[0].securityContext;
+    expect(sc.runAsNonRoot).toBe(true);
+    expect(sc.allowPrivilegeEscalation).toBe(false);
+    expect(sc.capabilities).toEqual({ drop: ["ALL"] });
+    expect(sc.seccompProfile).toEqual({ type: "RuntimeDefault" });
+  });
+});
+
+describe("MonitoredService securityContext", () => {
+  test("securityContext passed through to container", () => {
+    const result = MonitoredService({
+      name: "api",
+      image: "api:1.0",
+      securityContext: pssSecurityContext,
+    });
+    const spec = result.deployment.spec as any;
+    const sc = spec.template.spec.containers[0].securityContext;
+    expect(sc.runAsNonRoot).toBe(true);
+    expect(sc.allowPrivilegeEscalation).toBe(false);
+    expect(sc.capabilities).toEqual({ drop: ["ALL"] });
+    expect(sc.seccompProfile).toEqual({ type: "RuntimeDefault" });
+  });
+});
+
+// ── Infrastructure composites: hardcoded security defaults ──────
+
+describe("ExternalDnsAgent security defaults", () => {
+  test("container has hardcoded PSS-safe securityContext", () => {
+    const result = ExternalDnsAgent({
+      iamRoleArn: "arn:aws:iam::123456789012:role/test",
+      domainFilters: ["example.com"],
+    });
+    const spec = result.deployment.spec as any;
+    const sc = spec.template.spec.containers[0].securityContext;
+    expect(sc.runAsNonRoot).toBe(true);
+    expect(sc.readOnlyRootFilesystem).toBe(true);
+    expect(sc.allowPrivilegeEscalation).toBe(false);
+  });
+});
+
+describe("FluentBitAgent security defaults", () => {
+  test("container runs as root (needs host log access) with other PSS hardening", () => {
+    const result = FluentBitAgent({
+      logGroup: "/aws/eks/test/containers",
+      region: "us-east-1",
+      clusterName: "test",
+    });
+    const spec = result.daemonSet.spec as any;
+    const sc = spec.template.spec.containers[0].securityContext;
+    expect(sc.runAsUser).toBe(0);
+    expect(sc.runAsNonRoot).toBeUndefined();
+    expect(sc.readOnlyRootFilesystem).toBe(true);
+    expect(sc.allowPrivilegeEscalation).toBe(false);
+  });
+});
+
+describe("AdotCollector security defaults", () => {
+  test("container runs as non-root with explicit UID (ADOT 'aoc' user)", () => {
+    const result = AdotCollector({
+      region: "us-east-1",
+      clusterName: "test",
+    });
+    const spec = result.daemonSet.spec as any;
+    const sc = spec.template.spec.containers[0].securityContext;
+    expect(sc.runAsNonRoot).toBe(true);
+    expect(sc.runAsUser).toBe(10001);
+    expect(sc.readOnlyRootFilesystem).toBe(true);
+    expect(sc.allowPrivilegeEscalation).toBe(false);
+  });
+});
+
+// ── Phase 3B: Composite serialization smoke tests ───────────────
+
+describe("Composite YAML serialization smoke tests", () => {
+  function serializeCompositeProps(props: Record<string, Record<string, unknown>>): string {
+    return Object.values(props)
+      .map((p) => emitYAML(p, 0))
+      .join("\n---\n");
+  }
+
+  test("ExternalDnsAgent serializes to valid YAML", () => {
+    const result = ExternalDnsAgent({
+      iamRoleArn: "arn:aws:iam::123456789012:role/test",
+      domainFilters: ["example.com"],
+    });
+    const yaml = serializeCompositeProps(result as any);
+    expect(yaml).toContain("external-dns");
+    expect(yaml).not.toContain("[object Object]");
+  });
+
+  test("FluentBitAgent serializes multiline config correctly", () => {
+    const result = FluentBitAgent({
+      logGroup: "/aws/eks/test/containers",
+      region: "us-east-1",
+      clusterName: "test",
+    });
+    const yaml = serializeCompositeProps(result as any);
+    // Multiline config should use | block scalar, not flatten
+    expect(yaml).toContain("|");
+    expect(yaml).toContain("[SERVICE]");
+    expect(yaml).toContain("[INPUT]");
+    expect(yaml).not.toContain("\\n");
+  });
+
+  test("AdotCollector serializes multiline config correctly", () => {
+    const result = AdotCollector({
+      region: "us-east-1",
+      clusterName: "test",
+    });
+    const yaml = serializeCompositeProps(result as any);
+    expect(yaml).toContain("|");
+    expect(yaml).toContain("receivers:");
+    expect(yaml).toContain("exporters:");
+    expect(yaml).not.toContain("\\n");
+  });
+
+  test("MetricsServer serializes to valid YAML", () => {
+    const result = MetricsServer({});
+    const yaml = serializeCompositeProps(result as any);
+    expect(yaml).toContain("metrics-server");
+    expect(yaml).not.toContain("[object Object]");
+  });
+});
+
+// ── Phase 4A: MetricsServer RBAC completeness ──────────────────
+
+describe("MetricsServer RBAC completeness", () => {
+  test("clusterRole includes configmaps resource", () => {
+    const result = MetricsServer({});
+    const rules = result.clusterRole.rules as any[];
+    const hasConfigmaps = rules.some((r: any) => r.resources?.includes("configmaps"));
+    expect(hasConfigmaps).toBe(true);
+  });
+});
+
+// ── Phase 4B: AdotCollector command vs args ─────────────────────
+
+describe("AdotCollector command vs args", () => {
+  test("container uses args (not command) for config flag", () => {
+    const result = AdotCollector({
+      region: "us-east-1",
+      clusterName: "test",
+    });
+    const spec = result.daemonSet.spec as any;
+    const container = spec.template.spec.containers[0];
+    // Config flag should be in args, not command
+    expect(container.args).toContain("--config=/etc/adot/config.yaml");
+    expect(container.command).toBeUndefined();
+  });
+});
+
+// ── Phase 4C: AdotCollector pipeline exporter separation ────────
+
+describe("AdotCollector pipeline exporter separation", () => {
+  test("metrics pipeline does NOT include awsxray", () => {
+    const result = AdotCollector({
+      region: "us-east-1",
+      clusterName: "test",
+      exporters: ["cloudwatch", "xray"],
+    });
+    const config = (result.configMap as any).data["config.yaml"] as string;
+    // Extract metrics pipeline exporters line
+    const metricsMatch = config.match(/metrics:\s*\n\s*receivers:.*\n\s*processors:.*\n\s*exporters:\s*\[([^\]]+)\]/);
+    expect(metricsMatch).toBeDefined();
+    const metricsExporters = metricsMatch![1];
+    expect(metricsExporters).not.toContain("awsxray");
+    expect(metricsExporters).toContain("awsemf");
+  });
+
+  test("traces pipeline does NOT include awsemf", () => {
+    const result = AdotCollector({
+      region: "us-east-1",
+      clusterName: "test",
+      exporters: ["cloudwatch", "xray"],
+    });
+    const config = (result.configMap as any).data["config.yaml"] as string;
+    // Extract traces pipeline exporters line
+    const tracesMatch = config.match(/traces:\s*\n\s*receivers:.*\n\s*processors:.*\n\s*exporters:\s*\[([^\]]+)\]/);
+    expect(tracesMatch).toBeDefined();
+    const tracesExporters = tracesMatch![1];
+    expect(tracesExporters).not.toContain("awsemf");
+    expect(tracesExporters).toContain("awsxray");
+  });
+
+  test("cloudwatch-only: traces pipeline falls back to valid default", () => {
+    const result = AdotCollector({
+      region: "us-east-1",
+      clusterName: "test",
+      exporters: ["cloudwatch"],
+    });
+    const config = (result.configMap as any).data["config.yaml"] as string;
+    // Traces pipeline should still have an exporter (fallback to awsxray)
+    const tracesMatch = config.match(/traces:\s*\n\s*receivers:.*\n\s*processors:.*\n\s*exporters:\s*\[([^\]]+)\]/);
+    expect(tracesMatch).toBeDefined();
+    const tracesExporters = tracesMatch![1].trim();
+    expect(tracesExporters.length).toBeGreaterThan(0);
+  });
+});
+
+// ── Phase 4D: AdotCollector config parseable as YAML ────────────
+
+describe("AdotCollector config structure", () => {
+  test("generated config has required top-level sections", () => {
+    const result = AdotCollector({
+      region: "us-east-1",
+      clusterName: "test",
+    });
+    const config = (result.configMap as any).data["config.yaml"] as string;
+    expect(config).toContain("receivers:");
+    expect(config).toContain("exporters:");
+    expect(config).toContain("processors:");
+    expect(config).toContain("service:");
+    expect(config).toContain("pipelines:");
+    expect(config).toContain("metrics:");
+    expect(config).toContain("traces:");
+  });
+});
+
+// ── WorkloadIdentityServiceAccount ──────────────────────────────────
+
+describe("WorkloadIdentityServiceAccount", () => {
+  const minProps = { name: "app-sa", gcpServiceAccountEmail: "sa@my-project.iam.gserviceaccount.com" };
+
+  test("returns serviceAccount with Workload Identity annotation", () => {
+    const result = WorkloadIdentityServiceAccount(minProps);
+    expect(result.serviceAccount).toBeDefined();
+    const meta = result.serviceAccount.metadata as any;
+    expect(meta.annotations["iam.gke.io/gcp-service-account"]).toBe("sa@my-project.iam.gserviceaccount.com");
+  });
+
+  test("no RBAC by default", () => {
+    const result = WorkloadIdentityServiceAccount(minProps);
+    expect(result.role).toBeUndefined();
+    expect(result.roleBinding).toBeUndefined();
+  });
+
+  test("RBAC created when rules provided", () => {
+    const result = WorkloadIdentityServiceAccount({
+      ...minProps,
+      rbacRules: [{ apiGroups: [""], resources: ["secrets"], verbs: ["get"] }],
+    });
+    expect(result.role).toBeDefined();
+    expect(result.roleBinding).toBeDefined();
+    const role = result.role as any;
+    expect(role.rules[0].resources).toEqual(["secrets"]);
+  });
+
+  test("namespace propagated", () => {
+    const result = WorkloadIdentityServiceAccount({ ...minProps, namespace: "prod" });
+    expect((result.serviceAccount.metadata as any).namespace).toBe("prod");
+  });
+
+  test("component labels", () => {
+    const result = WorkloadIdentityServiceAccount(minProps);
+    expect((result.serviceAccount.metadata as any).labels["app.kubernetes.io/component"]).toBe("service-account");
+  });
+});
+
+// ── GcePdStorageClass ───────────────────────────────────────────────
+
+describe("GcePdStorageClass", () => {
+  test("returns storageClass with GCE PD provisioner", () => {
+    const result = GcePdStorageClass({ name: "pd-balanced" });
+    expect(result.storageClass).toBeDefined();
+    expect((result.storageClass as any).provisioner).toBe("pd.csi.storage.gke.io");
+  });
+
+  test("default type is pd-balanced", () => {
+    const result = GcePdStorageClass({ name: "default" });
+    expect((result.storageClass as any).parameters.type).toBe("pd-balanced");
+  });
+
+  test("custom type", () => {
+    const result = GcePdStorageClass({ name: "ssd", type: "pd-ssd" });
+    expect((result.storageClass as any).parameters.type).toBe("pd-ssd");
+  });
+
+  test("regional-pd replication type", () => {
+    const result = GcePdStorageClass({ name: "regional", replicationType: "regional-pd" });
+    expect((result.storageClass as any).parameters["replication-type"]).toBe("regional-pd");
+  });
+
+  test("no replication-type param when none", () => {
+    const result = GcePdStorageClass({ name: "default" });
+    expect((result.storageClass as any).parameters["replication-type"]).toBeUndefined();
+  });
+
+  test("allowVolumeExpansion default true", () => {
+    const result = GcePdStorageClass({ name: "exp" });
+    expect((result.storageClass as any).allowVolumeExpansion).toBe(true);
+  });
+
+  test("storageClass is cluster-scoped (no namespace)", () => {
+    const result = GcePdStorageClass({ name: "sc" });
+    expect((result.storageClass.metadata as any).namespace).toBeUndefined();
+  });
+});
+
+// ── FilestoreStorageClass ───────────────────────────────────────────
+
+describe("FilestoreStorageClass", () => {
+  test("returns storageClass with Filestore provisioner", () => {
+    const result = FilestoreStorageClass({ name: "filestore" });
+    expect((result.storageClass as any).provisioner).toBe("filestore.csi.storage.gke.io");
+  });
+
+  test("default tier is standard", () => {
+    const result = FilestoreStorageClass({ name: "fs" });
+    expect((result.storageClass as any).parameters.tier).toBe("standard");
+  });
+
+  test("custom tier", () => {
+    const result = FilestoreStorageClass({ name: "premium-fs", tier: "premium" });
+    expect((result.storageClass as any).parameters.tier).toBe("premium");
+  });
+
+  test("network parameter set when provided", () => {
+    const result = FilestoreStorageClass({ name: "fs", network: "my-vpc" });
+    expect((result.storageClass as any).parameters.network).toBe("my-vpc");
+  });
+
+  test("no network parameter by default", () => {
+    const result = FilestoreStorageClass({ name: "fs" });
+    expect((result.storageClass as any).parameters.network).toBeUndefined();
+  });
+});
+
+// ── GkeGateway ──────────────────────────────────────────────────────
+
+describe("GkeGateway", () => {
+  const minProps = {
+    name: "api-gateway",
+    hosts: [{ hostname: "api.example.com", paths: [{ path: "/", serviceName: "api", servicePort: 80 }] }],
+  };
+
+  test("returns gateway and httpRoute", () => {
+    const result = GkeGateway(minProps);
+    expect(result.gateway).toBeDefined();
+    expect(result.httpRoute).toBeDefined();
+  });
+
+  test("default gatewayClassName", () => {
+    const result = GkeGateway(minProps);
+    const spec = result.gateway.spec as any;
+    expect(spec.gatewayClassName).toBe("gke-l7-global-external-managed");
+  });
+
+  test("custom gatewayClassName", () => {
+    const result = GkeGateway({ ...minProps, gatewayClassName: "gke-l7-rilb" });
+    const spec = result.gateway.spec as any;
+    expect(spec.gatewayClassName).toBe("gke-l7-rilb");
+  });
+
+  test("HTTP listener when no certificate", () => {
+    const result = GkeGateway(minProps);
+    const spec = result.gateway.spec as any;
+    expect(spec.listeners[0].protocol).toBe("HTTP");
+    expect(spec.listeners[0].port).toBe(80);
+  });
+
+  test("HTTPS listener with certificate", () => {
+    const result = GkeGateway({ ...minProps, certificateName: "api-cert" });
+    const spec = result.gateway.spec as any;
+    expect(spec.listeners[0].protocol).toBe("HTTPS");
+    expect(spec.listeners[0].port).toBe(443);
+    expect(spec.listeners[0].tls.certificateRefs[0].name).toBe("api-cert");
+  });
+
+  test("httpRoute references parent gateway", () => {
+    const result = GkeGateway(minProps);
+    const spec = result.httpRoute.spec as any;
+    expect(spec.parentRefs[0].name).toBe("api-gateway");
+  });
+
+  test("httpRoute has hostnames", () => {
+    const result = GkeGateway(minProps);
+    const spec = result.httpRoute.spec as any;
+    expect(spec.hostnames).toEqual(["api.example.com"]);
+  });
+
+  test("httpRoute rules map to backend services", () => {
+    const result = GkeGateway(minProps);
+    const spec = result.httpRoute.spec as any;
+    expect(spec.rules[0].backendRefs[0].name).toBe("api");
+    expect(spec.rules[0].backendRefs[0].port).toBe(80);
+  });
+
+  test("namespace propagated to both resources", () => {
+    const result = GkeGateway({ ...minProps, namespace: "prod" });
+    expect((result.gateway.metadata as any).namespace).toBe("prod");
+    expect((result.httpRoute.metadata as any).namespace).toBe("prod");
+  });
+});
+
+// ── ConfigConnectorContext ───────────────────────────────────────────
+
+describe("ConfigConnectorContext", () => {
+  const minProps = { googleServiceAccountEmail: "cnrm@my-project.iam.gserviceaccount.com" };
+
+  test("returns context with apiVersion and kind", () => {
+    const result = ConfigConnectorContext(minProps);
+    expect(result.context).toBeDefined();
+    expect((result.context as any).apiVersion).toBe("core.cnrm.cloud.google.com/v1beta1");
+    expect((result.context as any).kind).toBe("ConfigConnectorContext");
+  });
+
+  test("googleServiceAccount in spec", () => {
+    const result = ConfigConnectorContext(minProps);
+    const spec = (result.context as any).spec;
+    expect(spec.googleServiceAccount).toBe("cnrm@my-project.iam.gserviceaccount.com");
+  });
+
+  test("default stateIntoSpec is absent", () => {
+    const result = ConfigConnectorContext(minProps);
+    expect((result.context as any).spec.stateIntoSpec).toBe("absent");
+  });
+
+  test("custom stateIntoSpec", () => {
+    const result = ConfigConnectorContext({ ...minProps, stateIntoSpec: "merge" });
+    expect((result.context as any).spec.stateIntoSpec).toBe("merge");
+  });
+
+  test("default namespace is default", () => {
+    const result = ConfigConnectorContext(minProps);
+    expect((result.context as any).metadata.namespace).toBe("default");
+  });
+
+  test("custom namespace", () => {
+    const result = ConfigConnectorContext({ ...minProps, namespace: "config-connector" });
+    expect((result.context as any).metadata.namespace).toBe("config-connector");
+  });
+});