@intentius/chant-lexicon-k8s 0.0.14 → 0.0.15

package/src/composites/stateful-app.ts

@@ -5,6 +5,8 @@
  * like databases, caches, and message queues.
  */
 
+import type { ContainerSecurityContext } from "./security-context";
+
 export interface StatefulAppProps {
   /** Application name — used in metadata and labels. */
   name: string;
@@ -29,13 +31,8 @@ export interface StatefulAppProps {
     command?: string[];
     args?: string[];
   }>;
-  /** Pod security context. */
-  securityContext?: {
-    runAsNonRoot?: boolean;
-    readOnlyRootFilesystem?: boolean;
-    runAsUser?: number;
-    runAsGroup?: number;
-  };
+  /** Container security context (supports PSS restricted fields). */
+  securityContext?: ContainerSecurityContext;
   /** Termination grace period in seconds. */
   terminationGracePeriodSeconds?: number;
   /** Priority class name for pod scheduling. */

package/src/composites/web-app.ts

@@ -5,6 +5,8 @@
  * with common defaults (health probes, resource limits, labels).
  */
 
+import type { ContainerSecurityContext } from "./security-context";
+
 export interface WebAppProps {
   /** Application name — used in metadata and labels. */
   name: string;
@@ -34,13 +36,8 @@ export interface WebAppProps {
     command?: string[];
     args?: string[];
   }>;
-  /** Pod security context — safe defaults when enabled. */
-  securityContext?: {
-    runAsNonRoot?: boolean;
-    readOnlyRootFilesystem?: boolean;
-    runAsUser?: number;
-    runAsGroup?: number;
-  };
+  /** Container security context (supports PSS restricted fields). */
+  securityContext?: ContainerSecurityContext;
   /** Termination grace period in seconds. */
   terminationGracePeriodSeconds?: number;
   /** Priority class name for pod scheduling. */

package/src/composites/worker-pool.ts

@@ -5,6 +5,8 @@
  * that need RBAC for secrets/configmaps and optional autoscaling, but no Service.
  */
 
+import type { ContainerSecurityContext } from "./security-context";
+
 export interface WorkerPoolProps {
   /** Worker name — used in metadata and labels. */
   name: string;
@@ -32,13 +34,8 @@ export interface WorkerPoolProps {
   };
   /** PodDisruptionBudget minAvailable — if set, creates a PDB. */
   minAvailable?: number | string;
-  /** Pod security context. */
-  securityContext?: {
-    runAsNonRoot?: boolean;
-    readOnlyRootFilesystem?: boolean;
-    runAsUser?: number;
-    runAsGroup?: number;
-  };
+  /** Container security context (supports PSS restricted fields). */
+  securityContext?: ContainerSecurityContext;
   /** Termination grace period in seconds. */
   terminationGracePeriodSeconds?: number;
   /** Priority class name for pod scheduling. */

package/src/composites/workload-identity-sa.ts

@@ -0,0 +1,118 @@
+/**
+ * WorkloadIdentityServiceAccount composite — ServiceAccount + Workload Identity annotation + optional RBAC.
+ *
+ * @aks Creates a ServiceAccount with the `azure.workload.identity/client-id`
+ * annotation and `azure.workload.identity/use: "true"` label for AKS Workload Identity.
+ */
+
+export interface WorkloadIdentityServiceAccountProps {
+  /** ServiceAccount name — used in metadata and labels. */
+  name: string;
+  /** Azure AD application client ID for Workload Identity. */
+  clientId: string;
+  /** Optional RBAC rules — if provided, creates Role + RoleBinding. */
+  rbacRules?: Array<{
+    apiGroups: string[];
+    resources: string[];
+    verbs: string[];
+  }>;
+  /** Additional labels to apply to all resources. */
+  labels?: Record<string, string>;
+  /** Namespace for all resources. */
+  namespace?: string;
+}
+
+export interface WorkloadIdentityServiceAccountResult {
+  serviceAccount: Record<string, unknown>;
+  role?: Record<string, unknown>;
+  roleBinding?: Record<string, unknown>;
+}
+
+/**
+ * Create a WorkloadIdentityServiceAccount composite — returns prop objects for
+ * a ServiceAccount with AKS Workload Identity annotation, and optional Role + RoleBinding.
+ *
+ * @aks
+ * @example
+ * ```ts
+ * import { WorkloadIdentityServiceAccount } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { serviceAccount, role, roleBinding } = WorkloadIdentityServiceAccount({
+ *   name: "app-sa",
+ *   clientId: "00000000-0000-0000-0000-000000000000",
+ *   rbacRules: [
+ *     { apiGroups: [""], resources: ["secrets"], verbs: ["get"] },
+ *   ],
+ * });
+ * ```
+ */
+export function WorkloadIdentityServiceAccount(props: WorkloadIdentityServiceAccountProps): WorkloadIdentityServiceAccountResult {
+  const {
+    name,
+    clientId,
+    rbacRules,
+    labels: extraLabels = {},
+    namespace,
+  } = props;
+
+  const roleName = `${name}-role`;
+  const bindingName = `${name}-binding`;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const serviceAccountProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      ...(namespace && { namespace }),
+      labels: {
+        ...commonLabels,
+        "app.kubernetes.io/component": "service-account",
+        "azure.workload.identity/use": "true",
+      },
+      annotations: {
+        "azure.workload.identity/client-id": clientId,
+      },
+    },
+  };
+
+  const result: WorkloadIdentityServiceAccountResult = {
+    serviceAccount: serviceAccountProps,
+  };
+
+  if (rbacRules && rbacRules.length > 0) {
+    result.role = {
+      metadata: {
+        name: roleName,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+      },
+      rules: rbacRules,
+    };
+
+    result.roleBinding = {
+      metadata: {
+        name: bindingName,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+      },
+      roleRef: {
+        apiGroup: "rbac.authorization.k8s.io",
+        kind: "Role",
+        name: roleName,
+      },
+      subjects: [
+        {
+          kind: "ServiceAccount",
+          name,
+          ...(namespace && { namespace }),
+        },
+      ],
+    };
+  }
+
+  return result;
+}

package/src/composites/workload-identity-service-account.ts

@@ -0,0 +1,116 @@
+/**
+ * WorkloadIdentityServiceAccount composite — ServiceAccount + GKE Workload Identity annotation + optional RBAC.
+ *
+ * @gke Creates a ServiceAccount with the `iam.gke.io/gcp-service-account`
+ * annotation for GKE Workload Identity Federation.
+ */
+
+export interface WorkloadIdentityServiceAccountProps {
+  /** ServiceAccount name — used in metadata and labels. */
+  name: string;
+  /** GCP service account email for Workload Identity annotation. */
+  gcpServiceAccountEmail: string;
+  /** Optional RBAC rules — if provided, creates Role + RoleBinding. */
+  rbacRules?: Array<{
+    apiGroups: string[];
+    resources: string[];
+    verbs: string[];
+  }>;
+  /** Additional labels to apply to all resources. */
+  labels?: Record<string, string>;
+  /** Namespace for all resources. */
+  namespace?: string;
+}
+
+export interface WorkloadIdentityServiceAccountResult {
+  serviceAccount: Record<string, unknown>;
+  role?: Record<string, unknown>;
+  roleBinding?: Record<string, unknown>;
+}
+
+/**
+ * Create a WorkloadIdentityServiceAccount composite — returns prop objects for
+ * a ServiceAccount with GKE Workload Identity annotation, and optional Role + RoleBinding.
+ *
+ * @gke
+ * @example
+ * ```ts
+ * import { WorkloadIdentityServiceAccount } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { serviceAccount, role, roleBinding } = WorkloadIdentityServiceAccount({
+ *   name: "app-sa",
+ *   gcpServiceAccountEmail: "sa@my-project.iam.gserviceaccount.com",
+ *   rbacRules: [
+ *     { apiGroups: [""], resources: ["secrets"], verbs: ["get"] },
+ *   ],
+ * });
+ * ```
+ */
+export function WorkloadIdentityServiceAccount(
+  props: WorkloadIdentityServiceAccountProps,
+): WorkloadIdentityServiceAccountResult {
+  const {
+    name,
+    gcpServiceAccountEmail,
+    rbacRules,
+    labels: extraLabels = {},
+    namespace,
+  } = props;
+
+  const roleName = `${name}-role`;
+  const bindingName = `${name}-binding`;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const serviceAccountProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      ...(namespace && { namespace }),
+      labels: { ...commonLabels, "app.kubernetes.io/component": "service-account" },
+      annotations: {
+        "iam.gke.io/gcp-service-account": gcpServiceAccountEmail,
+      },
+    },
+  };
+
+  const result: WorkloadIdentityServiceAccountResult = {
+    serviceAccount: serviceAccountProps,
+  };
+
+  if (rbacRules && rbacRules.length > 0) {
+    result.role = {
+      metadata: {
+        name: roleName,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+      },
+      rules: rbacRules,
+    };
+
+    result.roleBinding = {
+      metadata: {
+        name: bindingName,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+      },
+      roleRef: {
+        apiGroup: "rbac.authorization.k8s.io",
+        kind: "Role",
+        name: roleName,
+      },
+      subjects: [
+        {
+          kind: "ServiceAccount",
+          name,
+          ...(namespace && { namespace }),
+        },
+      ],
+    };
+  }
+
+  return result;
+}

package/src/index.ts

@@ -20,7 +20,7 @@ export {
   WebApp, StatefulApp, CronWorkload, AutoscaledService, WorkerPool, NamespaceEnv, NodeAgent,
   BatchJob, SecureIngress, ConfiguredApp, SidecarApp, MonitoredService, NetworkIsolatedApp,
   IrsaServiceAccount, AlbIngress, EbsStorageClass, EfsStorageClass, FluentBitAgent, ExternalDnsAgent, AdotCollector,
-  MetricsServer,
+  MetricsServer, WorkloadIdentityServiceAccount, GcePdStorageClass, FilestoreStorageClass, GkeGateway, ConfigConnectorContext,
 } from "./composites/index";
 export type {
   WebAppProps, WebAppResult, StatefulAppProps, StatefulAppResult, CronWorkloadProps, CronWorkloadResult,
@@ -34,6 +34,11 @@ export type {
   FluentBitAgentProps, FluentBitAgentResult, ExternalDnsAgentProps, ExternalDnsAgentResult,
   AdotCollectorProps, AdotCollectorResult,
   MetricsServerProps, MetricsServerResult,
+  WorkloadIdentityServiceAccountProps, WorkloadIdentityServiceAccountResult,
+  GcePdStorageClassProps, GcePdStorageClassResult,
+  FilestoreStorageClassProps, FilestoreStorageClassResult,
+  GkeGatewayProps, GkeGatewayResult,
+  ConfigConnectorContextProps, ConfigConnectorContextResult,
 } from "./composites/index";
 
 // RBAC verb constants