@intentius/chant-lexicon-k8s 0.0.13 → 0.0.15

package/src/composites/filestore-storage-class.ts

@@ -0,0 +1,79 @@
+/**
+ * FilestoreStorageClass composite — StorageClass for GCP Filestore CSI driver.
+ *
+ * @gke Creates a StorageClass with the `filestore.csi.storage.gke.io` provisioner.
+ * Filestore provides ReadWriteMany access mode (shared across pods/nodes).
+ */
+
+export interface FilestoreStorageClassProps {
+  /** StorageClass name. */
+  name: string;
+  /** Filestore tier (default: "standard"). */
+  tier?: "standard" | "premium" | "enterprise";
+  /** VPC network for the Filestore instance. */
+  network?: string;
+  /** Reclaim policy (default: "Delete"). */
+  reclaimPolicy?: string;
+  /** Volume binding mode (default: "WaitForFirstConsumer"). */
+  volumeBindingMode?: string;
+  /** Additional labels. */
+  labels?: Record<string, string>;
+}
+
+export interface FilestoreStorageClassResult {
+  storageClass: Record<string, unknown>;
+}
+
+/**
+ * Create a FilestoreStorageClass composite — returns prop objects for
+ * a StorageClass with the GCP Filestore CSI provisioner.
+ *
+ * @gke
+ * @example
+ * ```ts
+ * import { FilestoreStorageClass } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { storageClass } = FilestoreStorageClass({
+ *   name: "filestore-standard",
+ *   tier: "standard",
+ *   network: "default",
+ * });
+ * ```
+ */
+export function FilestoreStorageClass(props: FilestoreStorageClassProps): FilestoreStorageClassResult {
+  const {
+    name,
+    tier = "standard",
+    network,
+    reclaimPolicy = "Delete",
+    volumeBindingMode = "WaitForFirstConsumer",
+    labels: extraLabels = {},
+  } = props;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const parameters: Record<string, string> = {
+    tier,
+  };
+
+  if (network) {
+    parameters.network = network;
+  }
+
+  const storageClassProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "storage" },
+    },
+    provisioner: "filestore.csi.storage.gke.io",
+    parameters,
+    reclaimPolicy,
+    volumeBindingMode,
+  };
+
+  return { storageClass: storageClassProps };
+}

package/src/composites/fluent-bit-agent.ts

@@ -0,0 +1,220 @@
+/**
+ * FluentBitAgent composite — DaemonSet + RBAC + ConfigMap for Fluent Bit.
+ *
+ * @eks Thin wrapper around the NodeAgent pattern with Fluent Bit defaults
+ * (image, RBAC, CloudWatch output config).
+ */
+
+export interface FluentBitAgentProps {
+  /** Agent name (default: "fluent-bit"). */
+  name?: string;
+  /** Fluent Bit image (default: "public.ecr.aws/aws-observability/aws-for-fluent-bit:stable"). */
+  image?: string;
+  /** CloudWatch log group name. */
+  logGroup: string;
+  /** AWS region. */
+  region: string;
+  /** Cluster name — used as log stream prefix. */
+  clusterName: string;
+  /** Namespace (default: "amazon-cloudwatch"). */
+  namespace?: string;
+  /** Additional labels. */
+  labels?: Record<string, string>;
+  /** CPU request (default: "50m"). */
+  cpuRequest?: string;
+  /** Memory request (default: "64Mi"). */
+  memoryRequest?: string;
+  /** CPU limit (default: "200m"). */
+  cpuLimit?: string;
+  /** Memory limit (default: "128Mi"). */
+  memoryLimit?: string;
+  /** IAM Role ARN for IRSA (adds eks.amazonaws.com/role-arn annotation to ServiceAccount). */
+  iamRoleArn?: string;
+}
+
+export interface FluentBitAgentResult {
+  daemonSet: Record<string, unknown>;
+  serviceAccount: Record<string, unknown>;
+  clusterRole: Record<string, unknown>;
+  clusterRoleBinding: Record<string, unknown>;
+  configMap: Record<string, unknown>;
+}
+
+/**
+ * Create a FluentBitAgent composite — returns prop objects for
+ * a DaemonSet, ServiceAccount, ClusterRole, ClusterRoleBinding, and ConfigMap.
+ *
+ * @eks
+ * @example
+ * ```ts
+ * import { FluentBitAgent } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { daemonSet, serviceAccount, clusterRole, clusterRoleBinding, configMap } = FluentBitAgent({
+ *   logGroup: "/aws/eks/my-cluster/containers",
+ *   region: "us-east-1",
+ *   clusterName: "my-cluster",
+ * });
+ * ```
+ */
+export function FluentBitAgent(props: FluentBitAgentProps): FluentBitAgentResult {
+  const {
+    name = "fluent-bit",
+    image = "public.ecr.aws/aws-observability/aws-for-fluent-bit:stable",
+    logGroup,
+    region,
+    clusterName,
+    namespace = "amazon-cloudwatch",
+    labels: extraLabels = {},
+    cpuRequest = "50m",
+    memoryRequest = "64Mi",
+    cpuLimit = "200m",
+    memoryLimit = "128Mi",
+    iamRoleArn,
+  } = props;
+
+  const saName = `${name}-sa`;
+  const clusterRoleName = `${name}-role`;
+  const bindingName = `${name}-binding`;
+  const configMapName = `${name}-config`;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const fluentBitConfig = `[SERVICE]
+    Flush         5
+    Log_Level     info
+    Daemon        off
+    Parsers_File  parsers.conf
+
+[INPUT]
+    Name              tail
+    Tag               kube.*
+    Path              /var/log/containers/*.log
+    Parser            docker
+    DB                /var/fluent-bit/state/flb_container.db
+    Mem_Buf_Limit     5MB
+    Skip_Long_Lines   On
+    Refresh_Interval  10
+
+[FILTER]
+    Name                kubernetes
+    Match               kube.*
+    Kube_URL            https://kubernetes.default.svc:443
+    Kube_CA_File        /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+    Kube_Token_File     /var/run/secrets/kubernetes.io/serviceaccount/token
+    Merge_Log           On
+    K8S-Logging.Parser  On
+    K8S-Logging.Exclude Off
+
+[OUTPUT]
+    Name                cloudwatch_logs
+    Match               *
+    region              ${region}
+    log_group_name      ${logGroup}
+    log_stream_prefix   ${clusterName}/
+    auto_create_group   true
+`;
+
+  const container: Record<string, unknown> = {
+    name,
+    image,
+    resources: {
+      requests: { cpu: cpuRequest, memory: memoryRequest },
+      limits: { cpu: cpuLimit, memory: memoryLimit },
+    },
+    volumeMounts: [
+      { name: "varlog", mountPath: "/var/log", readOnly: true },
+      { name: "config", mountPath: `/etc/${name}`, readOnly: true },
+      { name: "state", mountPath: "/var/fluent-bit/state" },
+    ],
+    securityContext: {
+      runAsUser: 0,
+      readOnlyRootFilesystem: true,
+      allowPrivilegeEscalation: false,
+    },
+  };
+
+  const daemonSetProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      namespace,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "agent" },
+    },
+    spec: {
+      selector: { matchLabels: { "app.kubernetes.io/name": name } },
+      template: {
+        metadata: { labels: { "app.kubernetes.io/name": name, ...extraLabels } },
+        spec: {
+          serviceAccountName: saName,
+          containers: [container],
+          volumes: [
+            { name: "varlog", hostPath: { path: "/var/log" } },
+            { name: "config", configMap: { name: configMapName } },
+            { name: "state", hostPath: { path: `/var/fluent-bit/state/${name}` } },
+          ],
+          tolerations: [{ operator: "Exists" }],
+        },
+      },
+    },
+  };
+
+  const serviceAccountProps: Record<string, unknown> = {
+    metadata: {
+      name: saName,
+      namespace,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "agent" },
+      ...(iamRoleArn ? { annotations: { "eks.amazonaws.com/role-arn": iamRoleArn } } : {}),
+    },
+  };
+
+  const clusterRoleProps: Record<string, unknown> = {
+    metadata: {
+      name: clusterRoleName,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+    },
+    rules: [
+      { apiGroups: [""], resources: ["namespaces", "pods"], verbs: ["get", "list", "watch"] },
+    ],
+  };
+
+  const clusterRoleBindingProps: Record<string, unknown> = {
+    metadata: {
+      name: bindingName,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+    },
+    roleRef: {
+      apiGroup: "rbac.authorization.k8s.io",
+      kind: "ClusterRole",
+      name: clusterRoleName,
+    },
+    subjects: [
+      {
+        kind: "ServiceAccount",
+        name: saName,
+        namespace,
+      },
+    ],
+  };
+
+  const configMapProps: Record<string, unknown> = {
+    metadata: {
+      name: configMapName,
+      namespace,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "config" },
+    },
+    data: {
+      "fluent-bit.conf": fluentBitConfig,
+    },
+  };
+
+  return {
+    daemonSet: daemonSetProps,
+    serviceAccount: serviceAccountProps,
+    clusterRole: clusterRoleProps,
+    clusterRoleBinding: clusterRoleBindingProps,
+    configMap: configMapProps,
+  };
+}

package/src/composites/gce-pd-storage-class.ts

@@ -0,0 +1,85 @@
+/**
+ * GcePdStorageClass composite — StorageClass for GCE Persistent Disk CSI driver.
+ *
+ * @gke Creates a StorageClass with the `pd.csi.storage.gke.io` provisioner.
+ */
+
+export interface GcePdStorageClassProps {
+  /** StorageClass name. */
+  name: string;
+  /** PD type (default: "pd-balanced"). */
+  type?: "pd-standard" | "pd-ssd" | "pd-balanced" | "pd-extreme";
+  /** Replication type (default: "none"). */
+  replicationType?: "none" | "regional-pd";
+  /** Filesystem type (default: "ext4"). */
+  fsType?: string;
+  /** Reclaim policy (default: "Delete"). */
+  reclaimPolicy?: string;
+  /** Volume binding mode (default: "WaitForFirstConsumer"). */
+  volumeBindingMode?: string;
+  /** Allow volume expansion (default: true). */
+  allowVolumeExpansion?: boolean;
+  /** Additional labels. */
+  labels?: Record<string, string>;
+}
+
+export interface GcePdStorageClassResult {
+  storageClass: Record<string, unknown>;
+}
+
+/**
+ * Create a GcePdStorageClass composite — returns prop objects for
+ * a StorageClass with the GCE Persistent Disk CSI provisioner.
+ *
+ * @gke
+ * @example
+ * ```ts
+ * import { GcePdStorageClass } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { storageClass } = GcePdStorageClass({
+ *   name: "pd-ssd",
+ *   type: "pd-ssd",
+ * });
+ * ```
+ */
+export function GcePdStorageClass(props: GcePdStorageClassProps): GcePdStorageClassResult {
+  const {
+    name,
+    type = "pd-balanced",
+    replicationType = "none",
+    fsType = "ext4",
+    reclaimPolicy = "Delete",
+    volumeBindingMode = "WaitForFirstConsumer",
+    allowVolumeExpansion = true,
+    labels: extraLabels = {},
+  } = props;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const parameters: Record<string, string> = {
+    type,
+    "csi.storage.k8s.io/fstype": fsType,
+  };
+
+  if (replicationType !== "none") {
+    parameters["replication-type"] = replicationType;
+  }
+
+  const storageClassProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "storage" },
+    },
+    provisioner: "pd.csi.storage.gke.io",
+    parameters,
+    reclaimPolicy,
+    volumeBindingMode,
+    allowVolumeExpansion,
+  };
+
+  return { storageClass: storageClassProps };
+}

package/src/composites/gke-gateway.ts

@@ -0,0 +1,143 @@
+/**
+ * GkeGateway composite — Gateway + HTTPRoute for GKE Gateway API.
+ *
+ * @gke Creates a Gateway with a GKE-specific `gatewayClassName` and
+ * HTTPRoute resources for traffic routing.
+ */
+
+export interface GkeGatewayHost {
+  /** Hostname (e.g., "api.example.com"). */
+  hostname: string;
+  /** Path rules for this host. */
+  paths: Array<{
+    path: string;
+    serviceName: string;
+    servicePort: number;
+  }>;
+}
+
+export interface GkeGatewayProps {
+  /** Gateway name — used in metadata and labels. */
+  name: string;
+  /** GKE gateway class (default: "gke-l7-global-external-managed"). */
+  gatewayClassName?:
+    | "gke-l7-global-external-managed"
+    | "gke-l7-regional-external-managed"
+    | "gke-l7-rilb";
+  /** Host definitions with paths. */
+  hosts: GkeGatewayHost[];
+  /** Google-managed certificate name for TLS. */
+  certificateName?: string;
+  /** Additional labels to apply to all resources. */
+  labels?: Record<string, string>;
+  /** Namespace for all resources. */
+  namespace?: string;
+}
+
+export interface GkeGatewayResult {
+  gateway: Record<string, unknown>;
+  httpRoute: Record<string, unknown>;
+}
+
+/**
+ * Create a GkeGateway composite — returns prop objects for
+ * a Gateway and HTTPRoute with GKE-specific gateway class.
+ *
+ * @gke
+ * @example
+ * ```ts
+ * import { GkeGateway } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { gateway, httpRoute } = GkeGateway({
+ *   name: "api-gateway",
+ *   hosts: [
+ *     {
+ *       hostname: "api.example.com",
+ *       paths: [{ path: "/", serviceName: "api", servicePort: 80 }],
+ *     },
+ *   ],
+ *   certificateName: "api-cert",
+ * });
+ * ```
+ */
+export function GkeGateway(props: GkeGatewayProps): GkeGatewayResult {
+  const {
+    name,
+    gatewayClassName = "gke-l7-global-external-managed",
+    hosts,
+    certificateName,
+    labels: extraLabels = {},
+    namespace,
+  } = props;
+
+  const routeName = `${name}-route`;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  // Build Gateway listeners
+  const listeners: Array<Record<string, unknown>> = [];
+
+  if (certificateName) {
+    listeners.push({
+      name: "https",
+      protocol: "HTTPS",
+      port: 443,
+      tls: {
+        mode: "Terminate",
+        certificateRefs: [{ kind: "ManagedCertificate", name: certificateName }],
+      },
+    });
+  } else {
+    listeners.push({
+      name: "http",
+      protocol: "HTTP",
+      port: 80,
+    });
+  }
+
+  const gatewayProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      ...(namespace && { namespace }),
+      labels: { ...commonLabels, "app.kubernetes.io/component": "gateway" },
+    },
+    spec: {
+      gatewayClassName,
+      listeners,
+    },
+  };
+
+  // Build HTTPRoute rules
+  const hostnames = hosts.map((h) => h.hostname);
+
+  const rules = hosts.flatMap((host) =>
+    host.paths.map((p) => ({
+      matches: [{ path: { type: "PathPrefix", value: p.path } }],
+      backendRefs: [
+        { name: p.serviceName, port: p.servicePort },
+      ],
+    })),
+  );
+
+  const httpRouteProps: Record<string, unknown> = {
+    metadata: {
+      name: routeName,
+      ...(namespace && { namespace }),
+      labels: { ...commonLabels, "app.kubernetes.io/component": "route" },
+    },
+    spec: {
+      parentRefs: [{ name }],
+      hostnames,
+      rules,
+    },
+  };
+
+  return {
+    gateway: gatewayProps,
+    httpRoute: httpRouteProps,
+  };
+}

package/src/composites/index.ts

@@ -1,3 +1,4 @@
+export type { ContainerSecurityContext } from "./security-context";
 export { WebApp } from "./web-app";
 export type { WebAppProps, WebAppResult } from "./web-app";
 export { StatefulApp } from "./stateful-app";
@@ -12,3 +13,49 @@ export { NamespaceEnv } from "./namespace-env";
 export type { NamespaceEnvProps, NamespaceEnvResult } from "./namespace-env";
 export { NodeAgent } from "./node-agent";
 export type { NodeAgentProps, NodeAgentResult } from "./node-agent";
+export { BatchJob } from "./batch-job";
+export type { BatchJobProps, BatchJobResult } from "./batch-job";
+export { SecureIngress } from "./secure-ingress";
+export type { SecureIngressProps, SecureIngressResult } from "./secure-ingress";
+export { ConfiguredApp } from "./configured-app";
+export type { ConfiguredAppProps, ConfiguredAppResult } from "./configured-app";
+export { SidecarApp } from "./sidecar-app";
+export type { SidecarAppProps, SidecarAppResult } from "./sidecar-app";
+export { MonitoredService } from "./monitored-service";
+export type { MonitoredServiceProps, MonitoredServiceResult } from "./monitored-service";
+export { NetworkIsolatedApp } from "./network-isolated-app";
+export type { NetworkIsolatedAppProps, NetworkIsolatedAppResult } from "./network-isolated-app";
+export { IrsaServiceAccount } from "./irsa-service-account";
+export type { IrsaServiceAccountProps, IrsaServiceAccountResult } from "./irsa-service-account";
+export { AlbIngress } from "./alb-ingress";
+export type { AlbIngressProps, AlbIngressResult } from "./alb-ingress";
+export { EbsStorageClass } from "./ebs-storage-class";
+export type { EbsStorageClassProps, EbsStorageClassResult } from "./ebs-storage-class";
+export { EfsStorageClass } from "./efs-storage-class";
+export type { EfsStorageClassProps, EfsStorageClassResult } from "./efs-storage-class";
+export { FluentBitAgent } from "./fluent-bit-agent";
+export type { FluentBitAgentProps, FluentBitAgentResult } from "./fluent-bit-agent";
+export { ExternalDnsAgent } from "./external-dns-agent";
+export type { ExternalDnsAgentProps, ExternalDnsAgentResult } from "./external-dns-agent";
+export { AdotCollector } from "./adot-collector";
+export type { AdotCollectorProps, AdotCollectorResult } from "./adot-collector";
+export { MetricsServer } from "./metrics-server";
+export type { MetricsServerProps, MetricsServerResult } from "./metrics-server";
+export { WorkloadIdentityServiceAccount } from "./workload-identity-service-account";
+export type { WorkloadIdentityServiceAccountProps, WorkloadIdentityServiceAccountResult } from "./workload-identity-service-account";
+export { GcePdStorageClass } from "./gce-pd-storage-class";
+export type { GcePdStorageClassProps, GcePdStorageClassResult } from "./gce-pd-storage-class";
+export { FilestoreStorageClass } from "./filestore-storage-class";
+export type { FilestoreStorageClassProps, FilestoreStorageClassResult } from "./filestore-storage-class";
+export { GkeGateway } from "./gke-gateway";
+export type { GkeGatewayProps, GkeGatewayResult } from "./gke-gateway";
+export { ConfigConnectorContext } from "./config-connector-context";
+export type { ConfigConnectorContextProps, ConfigConnectorContextResult } from "./config-connector-context";
+export { AgicIngress } from "./agic-ingress";
+export type { AgicIngressProps, AgicIngressResult } from "./agic-ingress";
+export { AzureDiskStorageClass } from "./azure-disk-storage-class";
+export type { AzureDiskStorageClassProps, AzureDiskStorageClassResult } from "./azure-disk-storage-class";
+export { AzureFileStorageClass } from "./azure-file-storage-class";
+export type { AzureFileStorageClassProps, AzureFileStorageClassResult } from "./azure-file-storage-class";
+export { AzureMonitorCollector } from "./azure-monitor-collector";
+export type { AzureMonitorCollectorProps, AzureMonitorCollectorResult } from "./azure-monitor-collector";

package/src/composites/irsa-service-account.ts

@@ -0,0 +1,114 @@
+/**
+ * IrsaServiceAccount composite — ServiceAccount + IAM annotation + optional RBAC.
+ *
+ * @eks Creates a ServiceAccount with the `eks.amazonaws.com/role-arn`
+ * annotation for IAM Roles for Service Accounts (IRSA).
+ */
+
+export interface IrsaServiceAccountProps {
+  /** ServiceAccount name — used in metadata and labels. */
+  name: string;
+  /** IAM Role ARN for IRSA annotation. */
+  iamRoleArn: string;
+  /** Optional RBAC rules — if provided, creates Role + RoleBinding. */
+  rbacRules?: Array<{
+    apiGroups: string[];
+    resources: string[];
+    verbs: string[];
+  }>;
+  /** Additional labels to apply to all resources. */
+  labels?: Record<string, string>;
+  /** Namespace for all resources. */
+  namespace?: string;
+}
+
+export interface IrsaServiceAccountResult {
+  serviceAccount: Record<string, unknown>;
+  role?: Record<string, unknown>;
+  roleBinding?: Record<string, unknown>;
+}
+
+/**
+ * Create an IrsaServiceAccount composite — returns prop objects for
+ * a ServiceAccount with IRSA annotation, and optional Role + RoleBinding.
+ *
+ * @eks
+ * @example
+ * ```ts
+ * import { IrsaServiceAccount } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { serviceAccount, role, roleBinding } = IrsaServiceAccount({
+ *   name: "app-sa",
+ *   iamRoleArn: "arn:aws:iam::123456789012:role/my-app-role",
+ *   rbacRules: [
+ *     { apiGroups: [""], resources: ["secrets"], verbs: ["get"] },
+ *   ],
+ * });
+ * ```
+ */
+export function IrsaServiceAccount(props: IrsaServiceAccountProps): IrsaServiceAccountResult {
+  const {
+    name,
+    iamRoleArn,
+    rbacRules,
+    labels: extraLabels = {},
+    namespace,
+  } = props;
+
+  const roleName = `${name}-role`;
+  const bindingName = `${name}-binding`;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const serviceAccountProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      ...(namespace && { namespace }),
+      labels: { ...commonLabels, "app.kubernetes.io/component": "service-account" },
+      annotations: {
+        "eks.amazonaws.com/role-arn": iamRoleArn,
+      },
+    },
+  };
+
+  const result: IrsaServiceAccountResult = {
+    serviceAccount: serviceAccountProps,
+  };
+
+  if (rbacRules && rbacRules.length > 0) {
+    result.role = {
+      metadata: {
+        name: roleName,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+      },
+      rules: rbacRules,
+    };
+
+    result.roleBinding = {
+      metadata: {
+        name: bindingName,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+      },
+      roleRef: {
+        apiGroup: "rbac.authorization.k8s.io",
+        kind: "Role",
+        name: roleName,
+      },
+      subjects: [
+        {
+          kind: "ServiceAccount",
+          name,
+          ...(namespace && { namespace }),
+        },
+      ],
+    };
+  }
+
+  return result;
+}