@intentius/chant-lexicon-k8s 0.0.14 → 0.0.15

package/src/composites/config-connector-context.ts

@@ -0,0 +1,62 @@
+/**
+ * ConfigConnectorContext composite — bootstrap Config Connector per-namespace context.
+ *
+ * @gke Creates a ConfigConnectorContext resource that configures
+ * Config Connector to manage GCP resources in a specific namespace.
+ */
+
+export interface ConfigConnectorContextProps {
+  /** Context name (default: "configconnectorcontext.core.cnrm.cloud.google.com"). */
+  name?: string;
+  /** Google service account email for Config Connector to use. */
+  googleServiceAccountEmail: string;
+  /** Namespace for the context (default: "default"). */
+  namespace?: string;
+  /** Whether to sync status into spec (default: "absent"). */
+  stateIntoSpec?: "absent" | "merge";
+}
+
+export interface ConfigConnectorContextResult {
+  context: Record<string, unknown>;
+}
+
+/**
+ * Create a ConfigConnectorContext composite — returns prop objects for
+ * a ConfigConnectorContext resource.
+ *
+ * @gke
+ * @example
+ * ```ts
+ * import { ConfigConnectorContext } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { context } = ConfigConnectorContext({
+ *   googleServiceAccountEmail: "cnrm@my-project.iam.gserviceaccount.com",
+ *   namespace: "config-connector",
+ * });
+ * ```
+ */
+export function ConfigConnectorContext(
+  props: ConfigConnectorContextProps,
+): ConfigConnectorContextResult {
+  const {
+    name = "configconnectorcontext.core.cnrm.cloud.google.com",
+    googleServiceAccountEmail,
+    namespace = "default",
+    stateIntoSpec = "absent",
+  } = props;
+
+  const contextProps: Record<string, unknown> = {
+    apiVersion: "core.cnrm.cloud.google.com/v1beta1",
+    kind: "ConfigConnectorContext",
+    metadata: {
+      name,
+      namespace,
+    },
+    spec: {
+      googleServiceAccount: googleServiceAccountEmail,
+      stateIntoSpec,
+    },
+  };
+
+  return { context: contextProps };
+}

package/src/composites/configured-app.ts

@@ -6,6 +6,8 @@
  * Volume.fromSecret(), and container.mount() patterns.
  */
 
+import type { ContainerSecurityContext } from "./security-context";
+
 export interface ConfiguredAppProps {
   /** Application name — used in metadata and labels. */
   name: string;
@@ -49,6 +51,8 @@ export interface ConfiguredAppProps {
   namespace?: string;
   /** Environment variables for the container. */
   env?: Array<{ name: string; value: string }>;
+  /** Container security context (supports PSS restricted fields). */
+  securityContext?: ContainerSecurityContext;
 }
 
 export interface ConfiguredAppResult {
@@ -96,6 +100,7 @@ export function ConfiguredApp(props: ConfiguredAppProps): ConfiguredAppResult {
     memoryRequest = "128Mi",
     namespace,
     env,
+    securityContext,
   } = props;
 
   const configMapName = `${name}-config`;
@@ -154,6 +159,7 @@ export function ConfiguredApp(props: ConfiguredAppProps): ConfiguredAppResult {
     ...(env && { env }),
     ...(envFromList.length > 0 && { envFrom: envFromList }),
     ...(volumeMounts.length > 0 && { volumeMounts }),
+    ...(securityContext && { securityContext }),
   };
 
   const podSpec: Record<string, unknown> = {

package/src/composites/cron-workload.ts

@@ -5,6 +5,8 @@
  * proper RBAC permissions.
  */
 
+import type { ContainerSecurityContext } from "./security-context";
+
 export interface CronWorkloadProps {
   /** Workload name — used in metadata and labels. */
   name: string;
@@ -33,6 +35,8 @@ export interface CronWorkloadProps {
   namespace?: string;
   /** Environment variables. */
   env?: Array<{ name: string; value: string }>;
+  /** Container security context (supports PSS restricted fields). */
+  securityContext?: ContainerSecurityContext;
 }
 
 export interface CronWorkloadResult {
@@ -75,6 +79,7 @@ export function CronWorkload(props: CronWorkloadProps): CronWorkloadResult {
     labels: extraLabels = {},
     namespace,
     env,
+    securityContext,
   } = props;
 
   const saName = `${name}-sa`;
@@ -110,6 +115,7 @@ export function CronWorkload(props: CronWorkloadProps): CronWorkloadResult {
                   ...(command && { command }),
                   ...(args && { args }),
                   ...(env && { env }),
+                  ...(securityContext && { securityContext }),
                 },
               ],
             },

package/src/composites/ebs-storage-class.ts

@@ -10,9 +10,9 @@ export interface EbsStorageClassProps {
   /** EBS volume type (default: "gp3"). */
   type?: string;
   /** IOPS for io1/io2/gp3 volumes. */
-  iops?: string;
+  iops?: string | number;
   /** Throughput for gp3 volumes (MiB/s). */
-  throughput?: string;
+  throughput?: string | number;
   /** Enable encryption (default: true). */
   encrypted?: boolean;
   /** KMS key ID for encryption. */
@@ -76,8 +76,8 @@ export function EbsStorageClass(props: EbsStorageClassProps): EbsStorageClassRes
     encrypted: String(encrypted),
   };
 
-  if (iops) parameters.iops = iops;
-  if (throughput) parameters.throughput = throughput;
+  if (iops !== undefined) parameters.iops = String(iops);
+  if (throughput !== undefined) parameters.throughput = String(throughput);
   if (kmsKeyId) parameters.kmsKeyId = kmsKeyId;
 
   const storageClassProps: Record<string, unknown> = {

package/src/composites/external-dns-agent.ts

@@ -110,6 +110,12 @@ export function ExternalDnsAgent(props: ExternalDnsAgentProps): ExternalDnsAgent
                 requests: { cpu: "50m", memory: "64Mi" },
                 limits: { cpu: "100m", memory: "128Mi" },
               },
+              securityContext: {
+                runAsNonRoot: true,
+                runAsUser: 65534,
+                readOnlyRootFilesystem: true,
+                allowPrivilegeEscalation: false,
+              },
             },
           ],
         },

package/src/composites/filestore-storage-class.ts

@@ -0,0 +1,79 @@
+/**
+ * FilestoreStorageClass composite — StorageClass for GCP Filestore CSI driver.
+ *
+ * @gke Creates a StorageClass with the `filestore.csi.storage.gke.io` provisioner.
+ * Filestore provides ReadWriteMany access mode (shared across pods/nodes).
+ */
+
+export interface FilestoreStorageClassProps {
+  /** StorageClass name. */
+  name: string;
+  /** Filestore tier (default: "standard"). */
+  tier?: "standard" | "premium" | "enterprise";
+  /** VPC network for the Filestore instance. */
+  network?: string;
+  /** Reclaim policy (default: "Delete"). */
+  reclaimPolicy?: string;
+  /** Volume binding mode (default: "WaitForFirstConsumer"). */
+  volumeBindingMode?: string;
+  /** Additional labels. */
+  labels?: Record<string, string>;
+}
+
+export interface FilestoreStorageClassResult {
+  storageClass: Record<string, unknown>;
+}
+
+/**
+ * Create a FilestoreStorageClass composite — returns prop objects for
+ * a StorageClass with the GCP Filestore CSI provisioner.
+ *
+ * @gke
+ * @example
+ * ```ts
+ * import { FilestoreStorageClass } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { storageClass } = FilestoreStorageClass({
+ *   name: "filestore-standard",
+ *   tier: "standard",
+ *   network: "default",
+ * });
+ * ```
+ */
+export function FilestoreStorageClass(props: FilestoreStorageClassProps): FilestoreStorageClassResult {
+  const {
+    name,
+    tier = "standard",
+    network,
+    reclaimPolicy = "Delete",
+    volumeBindingMode = "WaitForFirstConsumer",
+    labels: extraLabels = {},
+  } = props;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const parameters: Record<string, string> = {
+    tier,
+  };
+
+  if (network) {
+    parameters.network = network;
+  }
+
+  const storageClassProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "storage" },
+    },
+    provisioner: "filestore.csi.storage.gke.io",
+    parameters,
+    reclaimPolicy,
+    volumeBindingMode,
+  };
+
+  return { storageClass: storageClassProps };
+}

package/src/composites/fluent-bit-agent.ts

@@ -130,6 +130,11 @@ export function FluentBitAgent(props: FluentBitAgentProps): FluentBitAgentResult
       { name: "config", mountPath: `/etc/${name}`, readOnly: true },
       { name: "state", mountPath: "/var/fluent-bit/state" },
     ],
+    securityContext: {
+      runAsUser: 0,
+      readOnlyRootFilesystem: true,
+      allowPrivilegeEscalation: false,
+    },
   };
 
   const daemonSetProps: Record<string, unknown> = {

package/src/composites/gce-pd-storage-class.ts

@@ -0,0 +1,85 @@
+/**
+ * GcePdStorageClass composite — StorageClass for GCE Persistent Disk CSI driver.
+ *
+ * @gke Creates a StorageClass with the `pd.csi.storage.gke.io` provisioner.
+ */
+
+export interface GcePdStorageClassProps {
+  /** StorageClass name. */
+  name: string;
+  /** PD type (default: "pd-balanced"). */
+  type?: "pd-standard" | "pd-ssd" | "pd-balanced" | "pd-extreme";
+  /** Replication type (default: "none"). */
+  replicationType?: "none" | "regional-pd";
+  /** Filesystem type (default: "ext4"). */
+  fsType?: string;
+  /** Reclaim policy (default: "Delete"). */
+  reclaimPolicy?: string;
+  /** Volume binding mode (default: "WaitForFirstConsumer"). */
+  volumeBindingMode?: string;
+  /** Allow volume expansion (default: true). */
+  allowVolumeExpansion?: boolean;
+  /** Additional labels. */
+  labels?: Record<string, string>;
+}
+
+export interface GcePdStorageClassResult {
+  storageClass: Record<string, unknown>;
+}
+
+/**
+ * Create a GcePdStorageClass composite — returns prop objects for
+ * a StorageClass with the GCE Persistent Disk CSI provisioner.
+ *
+ * @gke
+ * @example
+ * ```ts
+ * import { GcePdStorageClass } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { storageClass } = GcePdStorageClass({
+ *   name: "pd-ssd",
+ *   type: "pd-ssd",
+ * });
+ * ```
+ */
+export function GcePdStorageClass(props: GcePdStorageClassProps): GcePdStorageClassResult {
+  const {
+    name,
+    type = "pd-balanced",
+    replicationType = "none",
+    fsType = "ext4",
+    reclaimPolicy = "Delete",
+    volumeBindingMode = "WaitForFirstConsumer",
+    allowVolumeExpansion = true,
+    labels: extraLabels = {},
+  } = props;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const parameters: Record<string, string> = {
+    type,
+    "csi.storage.k8s.io/fstype": fsType,
+  };
+
+  if (replicationType !== "none") {
+    parameters["replication-type"] = replicationType;
+  }
+
+  const storageClassProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "storage" },
+    },
+    provisioner: "pd.csi.storage.gke.io",
+    parameters,
+    reclaimPolicy,
+    volumeBindingMode,
+    allowVolumeExpansion,
+  };
+
+  return { storageClass: storageClassProps };
+}

package/src/composites/gke-gateway.ts

@@ -0,0 +1,143 @@
+/**
+ * GkeGateway composite — Gateway + HTTPRoute for GKE Gateway API.
+ *
+ * @gke Creates a Gateway with a GKE-specific `gatewayClassName` and
+ * HTTPRoute resources for traffic routing.
+ */
+
+export interface GkeGatewayHost {
+  /** Hostname (e.g., "api.example.com"). */
+  hostname: string;
+  /** Path rules for this host. */
+  paths: Array<{
+    path: string;
+    serviceName: string;
+    servicePort: number;
+  }>;
+}
+
+export interface GkeGatewayProps {
+  /** Gateway name — used in metadata and labels. */
+  name: string;
+  /** GKE gateway class (default: "gke-l7-global-external-managed"). */
+  gatewayClassName?:
+    | "gke-l7-global-external-managed"
+    | "gke-l7-regional-external-managed"
+    | "gke-l7-rilb";
+  /** Host definitions with paths. */
+  hosts: GkeGatewayHost[];
+  /** Google-managed certificate name for TLS. */
+  certificateName?: string;
+  /** Additional labels to apply to all resources. */
+  labels?: Record<string, string>;
+  /** Namespace for all resources. */
+  namespace?: string;
+}
+
+export interface GkeGatewayResult {
+  gateway: Record<string, unknown>;
+  httpRoute: Record<string, unknown>;
+}
+
+/**
+ * Create a GkeGateway composite — returns prop objects for
+ * a Gateway and HTTPRoute with GKE-specific gateway class.
+ *
+ * @gke
+ * @example
+ * ```ts
+ * import { GkeGateway } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { gateway, httpRoute } = GkeGateway({
+ *   name: "api-gateway",
+ *   hosts: [
+ *     {
+ *       hostname: "api.example.com",
+ *       paths: [{ path: "/", serviceName: "api", servicePort: 80 }],
+ *     },
+ *   ],
+ *   certificateName: "api-cert",
+ * });
+ * ```
+ */
+export function GkeGateway(props: GkeGatewayProps): GkeGatewayResult {
+  const {
+    name,
+    gatewayClassName = "gke-l7-global-external-managed",
+    hosts,
+    certificateName,
+    labels: extraLabels = {},
+    namespace,
+  } = props;
+
+  const routeName = `${name}-route`;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  // Build Gateway listeners
+  const listeners: Array<Record<string, unknown>> = [];
+
+  if (certificateName) {
+    listeners.push({
+      name: "https",
+      protocol: "HTTPS",
+      port: 443,
+      tls: {
+        mode: "Terminate",
+        certificateRefs: [{ kind: "ManagedCertificate", name: certificateName }],
+      },
+    });
+  } else {
+    listeners.push({
+      name: "http",
+      protocol: "HTTP",
+      port: 80,
+    });
+  }
+
+  const gatewayProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      ...(namespace && { namespace }),
+      labels: { ...commonLabels, "app.kubernetes.io/component": "gateway" },
+    },
+    spec: {
+      gatewayClassName,
+      listeners,
+    },
+  };
+
+  // Build HTTPRoute rules
+  const hostnames = hosts.map((h) => h.hostname);
+
+  const rules = hosts.flatMap((host) =>
+    host.paths.map((p) => ({
+      matches: [{ path: { type: "PathPrefix", value: p.path } }],
+      backendRefs: [
+        { name: p.serviceName, port: p.servicePort },
+      ],
+    })),
+  );
+
+  const httpRouteProps: Record<string, unknown> = {
+    metadata: {
+      name: routeName,
+      ...(namespace && { namespace }),
+      labels: { ...commonLabels, "app.kubernetes.io/component": "route" },
+    },
+    spec: {
+      parentRefs: [{ name }],
+      hostnames,
+      rules,
+    },
+  };
+
+  return {
+    gateway: gatewayProps,
+    httpRoute: httpRouteProps,
+  };
+}

package/src/composites/index.ts

@@ -1,3 +1,4 @@
+export type { ContainerSecurityContext } from "./security-context";
 export { WebApp } from "./web-app";
 export type { WebAppProps, WebAppResult } from "./web-app";
 export { StatefulApp } from "./stateful-app";
@@ -40,3 +41,21 @@ export { AdotCollector } from "./adot-collector";
 export type { AdotCollectorProps, AdotCollectorResult } from "./adot-collector";
 export { MetricsServer } from "./metrics-server";
 export type { MetricsServerProps, MetricsServerResult } from "./metrics-server";
+export { WorkloadIdentityServiceAccount } from "./workload-identity-service-account";
+export type { WorkloadIdentityServiceAccountProps, WorkloadIdentityServiceAccountResult } from "./workload-identity-service-account";
+export { GcePdStorageClass } from "./gce-pd-storage-class";
+export type { GcePdStorageClassProps, GcePdStorageClassResult } from "./gce-pd-storage-class";
+export { FilestoreStorageClass } from "./filestore-storage-class";
+export type { FilestoreStorageClassProps, FilestoreStorageClassResult } from "./filestore-storage-class";
+export { GkeGateway } from "./gke-gateway";
+export type { GkeGatewayProps, GkeGatewayResult } from "./gke-gateway";
+export { ConfigConnectorContext } from "./config-connector-context";
+export type { ConfigConnectorContextProps, ConfigConnectorContextResult } from "./config-connector-context";
+export { AgicIngress } from "./agic-ingress";
+export type { AgicIngressProps, AgicIngressResult } from "./agic-ingress";
+export { AzureDiskStorageClass } from "./azure-disk-storage-class";
+export type { AzureDiskStorageClassProps, AzureDiskStorageClassResult } from "./azure-disk-storage-class";
+export { AzureFileStorageClass } from "./azure-file-storage-class";
+export type { AzureFileStorageClassProps, AzureFileStorageClassResult } from "./azure-file-storage-class";
+export { AzureMonitorCollector } from "./azure-monitor-collector";
+export type { AzureMonitorCollectorProps, AzureMonitorCollectorResult } from "./azure-monitor-collector";

package/src/composites/metrics-server.ts

@@ -147,7 +147,7 @@ export function MetricsServer(props: MetricsServerProps): MetricsServerResult {
       labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
     },
     rules: [
-      { apiGroups: [""], resources: ["pods", "nodes", "namespaces"], verbs: ["get", "list", "watch"] },
+      { apiGroups: [""], resources: ["pods", "nodes", "namespaces", "configmaps"], verbs: ["get", "list", "watch"] },
       { apiGroups: [""], resources: ["nodes/metrics", "nodes/stats"], verbs: ["get"] },
     ],
   };

package/src/composites/monitored-service.ts

@@ -6,6 +6,8 @@
  * as raw objects that can be serialized alongside native K8s resources.
  */
 
+import type { ContainerSecurityContext } from "./security-context";
+
 export interface AlertRule {
   /** Alert name. */
   name: string;
@@ -50,6 +52,8 @@ export interface MonitoredServiceProps {
   namespace?: string;
   /** Environment variables for the container. */
   env?: Array<{ name: string; value: string }>;
+  /** Container security context (supports PSS restricted fields). */
+  securityContext?: ContainerSecurityContext;
 }
 
 export interface MonitoredServiceResult {
@@ -95,6 +99,7 @@ export function MonitoredService(props: MonitoredServiceProps): MonitoredService
     memoryRequest = "128Mi",
     namespace,
     env,
+    securityContext,
   } = props;
 
   const commonLabels: Record<string, string> = {
@@ -132,6 +137,7 @@ export function MonitoredService(props: MonitoredServiceProps): MonitoredService
                 requests: { cpu: cpuRequest, memory: memoryRequest },
               },
               ...(env && { env }),
+              ...(securityContext && { securityContext }),
             },
           ],
         },

package/src/composites/network-isolated-app.ts

@@ -5,6 +5,8 @@
  * Creates fine-grained ingress/egress policies for a single application.
  */
 
+import type { ContainerSecurityContext } from "./security-context";
+
 export interface NetworkPolicyPeer {
   /** Pod selector for the peer. */
   podSelector?: Record<string, string>;
@@ -44,6 +46,8 @@ export interface NetworkIsolatedAppProps {
   namespace?: string;
   /** Environment variables for the container. */
   env?: Array<{ name: string; value: string }>;
+  /** Container security context (supports PSS restricted fields). */
+  securityContext?: ContainerSecurityContext;
 }
 
 export interface NetworkIsolatedAppResult {
@@ -88,6 +92,7 @@ export function NetworkIsolatedApp(props: NetworkIsolatedAppProps): NetworkIsola
     memoryRequest = "128Mi",
     namespace,
     env,
+    securityContext,
   } = props;
 
   const commonLabels: Record<string, string> = {
@@ -118,6 +123,7 @@ export function NetworkIsolatedApp(props: NetworkIsolatedAppProps): NetworkIsola
                 requests: { cpu: cpuRequest, memory: memoryRequest },
               },
               ...(env && { env }),
+              ...(securityContext && { securityContext }),
             },
           ],
         },

package/src/composites/node-agent.ts

@@ -5,6 +5,8 @@
  * security scanners) that need cluster-wide RBAC and tolerations.
  */
 
+import type { ContainerSecurityContext } from "./security-context";
+
 export interface NodeAgentProps {
   /** Agent name — used in metadata and labels. */
   name: string;
@@ -43,6 +45,8 @@ export interface NodeAgentProps {
   memoryLimit?: string;
   /** Environment variables for the container. */
   env?: Array<{ name: string; value: string }>;
+  /** Container security context (supports PSS restricted fields). */
+  securityContext?: ContainerSecurityContext;
 }
 
 export interface NodeAgentResult {
@@ -87,6 +91,7 @@ export function NodeAgent(props: NodeAgentProps): NodeAgentResult {
     memoryLimit = "128Mi",
     labels: extraLabels = {},
     env,
+    securityContext,
   } = props;
 
   const saName = `${name}-sa`;
@@ -139,6 +144,7 @@ export function NodeAgent(props: NodeAgentProps): NodeAgentResult {
     },
     ...(env && { env }),
     ...(volumeMounts.length > 0 && { volumeMounts }),
+    ...(securityContext && { securityContext }),
   };
 
   const podSpec: Record<string, unknown> = {

package/src/composites/security-context.ts

@@ -0,0 +1,10 @@
+/** Container-level security context — covers PSS restricted requirements. */
+export interface ContainerSecurityContext {
+  runAsNonRoot?: boolean;
+  readOnlyRootFilesystem?: boolean;
+  runAsUser?: number;
+  runAsGroup?: number;
+  allowPrivilegeEscalation?: boolean;
+  capabilities?: { add?: string[]; drop?: string[] };
+  seccompProfile?: { type: string; localhostProfile?: string };
+}

package/src/composites/sidecar-app.ts

@@ -5,6 +5,8 @@
  * DB migration init). Supports shared volumes between containers.
  */
 
+import type { ContainerSecurityContext } from "./security-context";
+
 export interface SidecarContainer {
   /** Sidecar container name. */
   name: string;
@@ -70,6 +72,8 @@ export interface SidecarAppProps {
   namespace?: string;
   /** Environment variables for the primary container. */
   env?: Array<{ name: string; value: string }>;
+  /** Container security context for the primary container (supports PSS restricted fields). */
+  securityContext?: ContainerSecurityContext;
 }
 
 export interface SidecarAppResult {
@@ -115,6 +119,7 @@ export function SidecarApp(props: SidecarAppProps): SidecarAppResult {
     memoryRequest = "128Mi",
     namespace,
     env,
+    securityContext,
   } = props;
 
   const commonLabels: Record<string, string> = {
@@ -133,6 +138,7 @@ export function SidecarApp(props: SidecarAppProps): SidecarAppResult {
       requests: { cpu: cpuRequest, memory: memoryRequest },
     },
     ...(env && { env }),
+    ...(securityContext && { securityContext }),
   };
 
   // Sidecar containers