@intentius/chant-lexicon-k8s 0.0.14 → 0.0.16

package/src/composites/agic-ingress.ts

@@ -0,0 +1,148 @@
+/**
+ * AgicIngress composite — Ingress with Azure Application Gateway Ingress Controller annotations.
+ *
+ * @aks Full `appgw.ingress.kubernetes.io/*` annotation set including SSL redirect,
+ * WAF policy, backend path prefix, and cookie-based affinity.
+ */
+
+export interface AgicIngressHost {
+  /** Hostname (e.g., "api.example.com"). */
+  hostname: string;
+  /** Path rules for this host. */
+  paths: Array<{
+    path: string;
+    pathType?: string;
+    serviceName: string;
+    servicePort: number;
+  }>;
+}
+
+export interface AgicIngressProps {
+  /** Ingress name — used in metadata and labels. */
+  name: string;
+  /** Host definitions with paths. */
+  hosts: AgicIngressHost[];
+  /** Azure Key Vault certificate URI or secret name for TLS. */
+  certificateArn?: string;
+  /** WAF policy resource ID. */
+  wafPolicyId?: string;
+  /** Health check path for backend. */
+  healthCheckPath?: string;
+  /** Enable HTTP->HTTPS redirect (default: true when certificateArn set). */
+  sslRedirect?: boolean;
+  /** Backend path prefix override. */
+  backendPathPrefix?: string;
+  /** Enable cookie-based affinity (default: false). */
+  cookieAffinity?: boolean;
+  /** Additional annotations on the Ingress. */
+  annotations?: Record<string, string>;
+  /** Additional labels to apply to all resources. */
+  labels?: Record<string, string>;
+  /** Namespace for all resources. */
+  namespace?: string;
+}
+
+export interface AgicIngressResult {
+  ingress: Record<string, unknown>;
+}
+
+/**
+ * Create an AgicIngress composite — returns prop objects for
+ * an Ingress with Azure Application Gateway Ingress Controller annotations.
+ *
+ * @aks
+ * @example
+ * ```ts
+ * import { AgicIngress } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { ingress } = AgicIngress({
+ *   name: "api-ingress",
+ *   hosts: [
+ *     {
+ *       hostname: "api.example.com",
+ *       paths: [{ path: "/", serviceName: "api", servicePort: 80 }],
+ *     },
+ *   ],
+ *   certificateArn: "keyvault-secret-name",
+ *   wafPolicyId: "/subscriptions/.../Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/my-waf",
+ * });
+ * ```
+ */
+export function AgicIngress(props: AgicIngressProps): AgicIngressResult {
+  const {
+    name,
+    hosts,
+    certificateArn,
+    wafPolicyId,
+    healthCheckPath,
+    sslRedirect,
+    backendPathPrefix,
+    cookieAffinity = false,
+    annotations: extraAnnotations = {},
+    labels: extraLabels = {},
+    namespace,
+  } = props;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  // Build AGIC annotations
+  const annotations: Record<string, string> = {
+    "kubernetes.io/ingress.class": "azure/application-gateway",
+    ...extraAnnotations,
+  };
+
+  if (sslRedirect ?? (certificateArn !== undefined)) {
+    annotations["appgw.ingress.kubernetes.io/ssl-redirect"] = "true";
+  }
+
+  if (certificateArn) {
+    annotations["appgw.ingress.kubernetes.io/appgw-ssl-certificate"] = certificateArn;
+  }
+
+  if (wafPolicyId) {
+    annotations["appgw.ingress.kubernetes.io/waf-policy-for-path"] = wafPolicyId;
+  }
+
+  if (healthCheckPath) {
+    annotations["appgw.ingress.kubernetes.io/health-probe-path"] = healthCheckPath;
+  }
+
+  if (backendPathPrefix) {
+    annotations["appgw.ingress.kubernetes.io/backend-path-prefix"] = backendPathPrefix;
+  }
+
+  if (cookieAffinity) {
+    annotations["appgw.ingress.kubernetes.io/cookie-based-affinity"] = "true";
+  }
+
+  const ingressRules = hosts.map((host) => ({
+    host: host.hostname,
+    http: {
+      paths: host.paths.map((p) => ({
+        path: p.path,
+        pathType: p.pathType ?? "Prefix",
+        backend: {
+          service: { name: p.serviceName, port: { number: p.servicePort } },
+        },
+      })),
+    },
+  }));
+
+  const ingressProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      ...(namespace && { namespace }),
+      labels: { ...commonLabels, "app.kubernetes.io/component": "ingress" },
+      annotations,
+    },
+    spec: {
+      rules: ingressRules,
+    },
+  };
+
+  return { ingress: ingressProps };
+}

package/src/composites/aks-external-dns-agent.ts

@@ -0,0 +1,199 @@
+/**
+ * AksExternalDnsAgent composite — Deployment + ServiceAccount + ClusterRole + ClusterRoleBinding.
+ *
+ * @aks Like ExternalDnsAgent but uses --provider=azure and AKS Workload Identity
+ * instead of IRSA for Azure DNS management.
+ */
+
+export interface AksExternalDnsAgentProps {
+  /** Azure managed identity client ID for Workload Identity. */
+  clientId: string;
+  /** Azure resource group containing the DNS zone. */
+  resourceGroup: string;
+  /** Azure subscription ID. */
+  subscriptionId: string;
+  /** Azure tenant ID. */
+  tenantId: string;
+  /** Domain filters — only manage DNS records for these domains. */
+  domainFilters: string[];
+  /** TXT record owner ID for identifying managed records. */
+  txtOwnerId?: string;
+  /** Source of DNS records (default: "ingress"). */
+  source?: string;
+  /** Agent name (default: "external-dns"). */
+  name?: string;
+  /** Container image (default: "registry.k8s.io/external-dns/external-dns:v0.14.0"). */
+  image?: string;
+  /** Namespace (default: "kube-system"). */
+  namespace?: string;
+  /** Additional labels. */
+  labels?: Record<string, string>;
+}
+
+export interface AksExternalDnsAgentResult {
+  deployment: Record<string, unknown>;
+  serviceAccount: Record<string, unknown>;
+  clusterRole: Record<string, unknown>;
+  clusterRoleBinding: Record<string, unknown>;
+}
+
+/**
+ * Create an AksExternalDnsAgent composite — returns prop objects for
+ * a Deployment, ServiceAccount (with AKS Workload Identity), ClusterRole, and ClusterRoleBinding.
+ *
+ * @aks
+ * @example
+ * ```ts
+ * import { AksExternalDnsAgent } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { deployment, serviceAccount, clusterRole, clusterRoleBinding } = AksExternalDnsAgent({
+ *   clientId: "00000000-0000-0000-0000-000000000000",
+ *   resourceGroup: "my-rg",
+ *   subscriptionId: "00000000-0000-0000-0000-000000000000",
+ *   tenantId: "00000000-0000-0000-0000-000000000000",
+ *   domainFilters: ["example.com"],
+ *   txtOwnerId: "my-cluster",
+ * });
+ * ```
+ */
+export function AksExternalDnsAgent(props: AksExternalDnsAgentProps): AksExternalDnsAgentResult {
+  const {
+    clientId,
+    resourceGroup,
+    subscriptionId,
+    tenantId,
+    domainFilters,
+    txtOwnerId,
+    source = "ingress",
+    name = "external-dns",
+    image = "registry.k8s.io/external-dns/external-dns:v0.14.0",
+    namespace = "kube-system",
+    labels: extraLabels = {},
+  } = props;
+
+  const saName = `${name}-sa`;
+  const clusterRoleName = `${name}-role`;
+  const bindingName = `${name}-binding`;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const args: string[] = [
+    `--source=${source}`,
+    "--provider=azure",
+    `--azure-resource-group=${resourceGroup}`,
+    `--azure-subscription-id=${subscriptionId}`,
+    "--policy=upsert-only",
+    "--registry=txt",
+  ];
+
+  for (const domain of domainFilters) {
+    args.push(`--domain-filter=${domain}`);
+  }
+
+  if (txtOwnerId) {
+    args.push(`--txt-owner-id=${txtOwnerId}`);
+  }
+
+  const deploymentProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      namespace,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "dns" },
+    },
+    spec: {
+      replicas: 1,
+      selector: { matchLabels: { "app.kubernetes.io/name": name } },
+      template: {
+        metadata: {
+          labels: {
+            "app.kubernetes.io/name": name,
+            "azure.workload.identity/use": "true",
+            ...extraLabels,
+          },
+        },
+        spec: {
+          serviceAccountName: saName,
+          containers: [
+            {
+              name,
+              image,
+              args,
+              env: [
+                { name: "AZURE_TENANT_ID", value: tenantId },
+                { name: "AZURE_SUBSCRIPTION_ID", value: subscriptionId },
+                { name: "AZURE_RESOURCE_GROUP", value: resourceGroup },
+              ],
+              resources: {
+                requests: { cpu: "50m", memory: "64Mi" },
+                limits: { cpu: "100m", memory: "128Mi" },
+              },
+              securityContext: {
+                runAsNonRoot: true,
+                runAsUser: 65534,
+                readOnlyRootFilesystem: true,
+                allowPrivilegeEscalation: false,
+              },
+            },
+          ],
+        },
+      },
+    },
+  };
+
+  const serviceAccountProps: Record<string, unknown> = {
+    metadata: {
+      name: saName,
+      namespace,
+      labels: {
+        ...commonLabels,
+        "app.kubernetes.io/component": "dns",
+        "azure.workload.identity/use": "true",
+      },
+      annotations: {
+        "azure.workload.identity/client-id": clientId,
+      },
+    },
+  };
+
+  const clusterRoleProps: Record<string, unknown> = {
+    metadata: {
+      name: clusterRoleName,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+    },
+    rules: [
+      { apiGroups: [""], resources: ["services", "endpoints", "pods"], verbs: ["get", "watch", "list"] },
+      { apiGroups: ["extensions", "networking.k8s.io"], resources: ["ingresses"], verbs: ["get", "watch", "list"] },
+      { apiGroups: [""], resources: ["nodes"], verbs: ["list", "watch"] },
+    ],
+  };
+
+  const clusterRoleBindingProps: Record<string, unknown> = {
+    metadata: {
+      name: bindingName,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+    },
+    roleRef: {
+      apiGroup: "rbac.authorization.k8s.io",
+      kind: "ClusterRole",
+      name: clusterRoleName,
+    },
+    subjects: [
+      {
+        kind: "ServiceAccount",
+        name: saName,
+        namespace,
+      },
+    ],
+  };
+
+  return {
+    deployment: deploymentProps,
+    serviceAccount: serviceAccountProps,
+    clusterRole: clusterRoleProps,
+    clusterRoleBinding: clusterRoleBindingProps,
+  };
+}

package/src/composites/alb-ingress.ts

@@ -13,6 +13,7 @@ export interface AlbIngressHost {
     path: string;
     pathType?: string;
     serviceName: string;
+    /** Port on the Kubernetes Service (not the container port). */
     servicePort: number;
   }>;
 }
@@ -105,7 +106,7 @@ export function AlbIngress(props: AlbIngressProps): AlbIngressResult {
     annotations["alb.ingress.kubernetes.io/listen-ports"] = '[{"HTTPS":443}]';
   }
 
-  if (sslRedirect ?? (certificateArn !== undefined)) {
+  if (sslRedirect ?? !!certificateArn) {
     annotations["alb.ingress.kubernetes.io/ssl-redirect"] = "443";
   }
 

package/src/composites/autoscaled-service.ts

@@ -6,6 +6,8 @@
  * PDB selectors match pod labels, and resource requests are set.
  */
 
+import type { ContainerSecurityContext } from "./security-context";
+
 export interface AutoscaledServiceProps {
   /** Application name — used in metadata and labels. */
   name: string;
@@ -47,13 +49,8 @@ export interface AutoscaledServiceProps {
     command?: string[];
     args?: string[];
   }>;
-  /** Pod security context. */
-  securityContext?: {
-    runAsNonRoot?: boolean;
-    readOnlyRootFilesystem?: boolean;
-    runAsUser?: number;
-    runAsGroup?: number;
-  };
+  /** Container security context (supports PSS restricted fields). */
+  securityContext?: ContainerSecurityContext;
   /** Termination grace period in seconds. */
   terminationGracePeriodSeconds?: number;
   /** Priority class name for pod scheduling. */
@@ -64,6 +61,14 @@ export interface AutoscaledServiceProps {
   namespace?: string;
   /** Environment variables for the container. */
   env?: Array<{ name: string; value: string }>;
+  /** Service account name for the pod. */
+  serviceAccountName?: string;
+  /** Volumes to attach to the pod. */
+  volumes?: Array<Record<string, unknown>>;
+  /** Volume mounts for the primary container. */
+  volumeMounts?: Array<Record<string, unknown>>;
+  /** Convenience: auto-generate emptyDir volumes + mounts for writable temp dirs (e.g. ["/tmp", "/var/cache/nginx"]). */
+  tmpDirs?: string[];
 }
 
 export interface AutoscaledServiceResult {
@@ -114,6 +119,10 @@ export function AutoscaledService(props: AutoscaledServiceProps): AutoscaledServ
     labels: extraLabels = {},
     namespace,
     env,
+    serviceAccountName,
+    volumes: explicitVolumes = [],
+    volumeMounts: explicitMounts = [],
+    tmpDirs = [],
   } = props;
 
   const commonLabels: Record<string, string> = {
@@ -137,6 +146,12 @@ export function AutoscaledService(props: AutoscaledServiceProps): AutoscaledServ
     }];
   })();
 
+  // Generate emptyDir volumes/mounts from tmpDirs, then merge with explicit
+  const tmpVolumes = tmpDirs.map((_, i) => ({ name: `tmp-${i}`, emptyDir: {} }));
+  const tmpMounts = tmpDirs.map((dir, i) => ({ name: `tmp-${i}`, mountPath: dir }));
+  const allVolumes = [...explicitVolumes, ...tmpVolumes];
+  const allMounts = [...explicitMounts, ...tmpMounts];
+
   const resources: Record<string, unknown> = {
     requests: { cpu: cpuRequest, memory: memoryRequest },
     ...(cpuLimit || memoryLimit
@@ -179,6 +194,7 @@ export function AutoscaledService(props: AutoscaledServiceProps): AutoscaledServ
               },
               ...(env && { env }),
               ...(securityContext && { securityContext }),
+              ...(allMounts.length > 0 && { volumeMounts: allMounts }),
             },
           ],
           ...(initContainers && {
@@ -192,6 +208,8 @@ export function AutoscaledService(props: AutoscaledServiceProps): AutoscaledServ
           ...(topologyConstraints && { topologySpreadConstraints: topologyConstraints }),
           ...(terminationGracePeriodSeconds !== undefined && { terminationGracePeriodSeconds }),
           ...(priorityClassName && { priorityClassName }),
+          ...(serviceAccountName && { serviceAccountName }),
+          ...(allVolumes.length > 0 && { volumes: allVolumes }),
         },
       },
     },

package/src/composites/azure-disk-storage-class.ts

@@ -0,0 +1,82 @@
+/**
+ * AzureDiskStorageClass composite — StorageClass for Azure Disk CSI driver.
+ *
+ * @aks Creates a StorageClass with the `disk.csi.azure.com` provisioner.
+ */
+
+export interface AzureDiskStorageClassProps {
+  /** StorageClass name. */
+  name: string;
+  /** Azure Disk SKU name (default: "Premium_LRS"). */
+  skuName?: string;
+  /** OS disk caching mode (default: "ReadOnly"). */
+  cachingMode?: string;
+  /** Network access policy (default: "AllowAll"). */
+  networkAccessPolicy?: string;
+  /** Reclaim policy (default: "Delete"). */
+  reclaimPolicy?: string;
+  /** Volume binding mode (default: "WaitForFirstConsumer"). */
+  volumeBindingMode?: string;
+  /** Allow volume expansion (default: true). */
+  allowVolumeExpansion?: boolean;
+  /** Additional labels. */
+  labels?: Record<string, string>;
+}
+
+export interface AzureDiskStorageClassResult {
+  storageClass: Record<string, unknown>;
+}
+
+/**
+ * Create an AzureDiskStorageClass composite — returns prop objects for
+ * a StorageClass with the Azure Disk CSI provisioner.
+ *
+ * @aks
+ * @example
+ * ```ts
+ * import { AzureDiskStorageClass } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { storageClass } = AzureDiskStorageClass({
+ *   name: "premium-disk",
+ *   skuName: "Premium_LRS",
+ * });
+ * ```
+ */
+export function AzureDiskStorageClass(props: AzureDiskStorageClassProps): AzureDiskStorageClassResult {
+  const {
+    name,
+    skuName = "Premium_LRS",
+    cachingMode = "ReadOnly",
+    networkAccessPolicy = "AllowAll",
+    reclaimPolicy = "Delete",
+    volumeBindingMode = "WaitForFirstConsumer",
+    allowVolumeExpansion = true,
+    labels: extraLabels = {},
+  } = props;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const parameters: Record<string, string> = {
+    skuName,
+    cachingMode,
+    networkAccessPolicy,
+  };
+
+  const storageClassProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "storage" },
+    },
+    provisioner: "disk.csi.azure.com",
+    parameters,
+    reclaimPolicy,
+    volumeBindingMode,
+    allowVolumeExpansion,
+  };
+
+  return { storageClass: storageClassProps };
+}

package/src/composites/azure-file-storage-class.ts

@@ -0,0 +1,77 @@
+/**
+ * AzureFileStorageClass composite — StorageClass for Azure Files CSI driver.
+ *
+ * @aks Creates a StorageClass with the `file.csi.azure.com` provisioner.
+ * Azure Files provides ReadWriteMany access mode (shared across pods/nodes).
+ */
+
+export interface AzureFileStorageClassProps {
+  /** StorageClass name. */
+  name: string;
+  /** Azure Files SKU name (default: "Premium_LRS"). */
+  skuName?: string;
+  /** Protocol for Azure Files (default: "smb"). */
+  protocol?: string;
+  /** Specific Azure file share name (optional; dynamically provisioned if omitted). */
+  shareName?: string;
+  /** Reclaim policy (default: "Delete"). */
+  reclaimPolicy?: string;
+  /** Additional labels. */
+  labels?: Record<string, string>;
+}
+
+export interface AzureFileStorageClassResult {
+  storageClass: Record<string, unknown>;
+}
+
+/**
+ * Create an AzureFileStorageClass composite — returns prop objects for
+ * a StorageClass with the Azure Files CSI provisioner.
+ *
+ * @aks
+ * @example
+ * ```ts
+ * import { AzureFileStorageClass } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { storageClass } = AzureFileStorageClass({
+ *   name: "azure-files-shared",
+ *   skuName: "Premium_LRS",
+ *   protocol: "nfs",
+ * });
+ * ```
+ */
+export function AzureFileStorageClass(props: AzureFileStorageClassProps): AzureFileStorageClassResult {
+  const {
+    name,
+    skuName = "Premium_LRS",
+    protocol = "smb",
+    shareName,
+    reclaimPolicy = "Delete",
+    labels: extraLabels = {},
+  } = props;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const parameters: Record<string, string> = {
+    skuName,
+    protocol,
+  };
+
+  if (shareName) parameters.shareName = shareName;
+
+  const storageClassProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "storage" },
+    },
+    provisioner: "file.csi.azure.com",
+    parameters,
+    reclaimPolicy,
+  };
+
+  return { storageClass: storageClassProps };
+}