@intentius/chant-lexicon-k8s 0.0.14 → 0.0.16

package/src/composites/composites.test.ts

@@ -1,4 +1,5 @@
 import { describe, test, expect, jest } from "bun:test";
+import { emitYAML } from "@intentius/chant/yaml";
 import { WebApp } from "./web-app";
 import { StatefulApp } from "./stateful-app";
 import { CronWorkload } from "./cron-workload";
@@ -14,12 +15,18 @@ import { MonitoredService } from "./monitored-service";
 import { NetworkIsolatedApp } from "./network-isolated-app";
 import { IrsaServiceAccount } from "./irsa-service-account";
 import { AlbIngress } from "./alb-ingress";
+import { GceIngress } from "./gce-ingress";
 import { EbsStorageClass } from "./ebs-storage-class";
 import { EfsStorageClass } from "./efs-storage-class";
 import { FluentBitAgent } from "./fluent-bit-agent";
 import { ExternalDnsAgent } from "./external-dns-agent";
 import { AdotCollector } from "./adot-collector";
 import { MetricsServer } from "./metrics-server";
+import { WorkloadIdentityServiceAccount } from "./workload-identity-service-account";
+import { GcePdStorageClass } from "./gce-pd-storage-class";
+import { FilestoreStorageClass } from "./filestore-storage-class";
+import { GkeGateway } from "./gke-gateway";
+import { ConfigConnectorContext } from "./config-connector-context";
 
 // ── WebApp ──────────────────────────────────────────────────────────
 
@@ -537,6 +544,63 @@ describe("AutoscaledService", () => {
     expect(podLabels.team).toBe("platform");
     expect(podLabels["app.kubernetes.io/name"]).toBe("api");
   });
+
+  test("serviceAccountName wired into pod spec", () => {
+    const result = AutoscaledService({ ...minProps, serviceAccountName: "my-sa" });
+    const spec = result.deployment.spec as any;
+    expect(spec.template.spec.serviceAccountName).toBe("my-sa");
+  });
+
+  test("no serviceAccountName by default", () => {
+    const result = AutoscaledService(minProps);
+    const spec = result.deployment.spec as any;
+    expect(spec.template.spec.serviceAccountName).toBeUndefined();
+  });
+
+  test("volumes and volumeMounts wired into pod spec", () => {
+    const result = AutoscaledService({
+      ...minProps,
+      volumes: [{ name: "data", emptyDir: {} }],
+      volumeMounts: [{ name: "data", mountPath: "/data" }],
+    });
+    const spec = result.deployment.spec as any;
+    expect(spec.template.spec.volumes).toEqual([{ name: "data", emptyDir: {} }]);
+    expect(spec.template.spec.containers[0].volumeMounts).toEqual([{ name: "data", mountPath: "/data" }]);
+  });
+
+  test("tmpDirs generates emptyDir volumes and mounts", () => {
+    const result = AutoscaledService({
+      ...minProps,
+      tmpDirs: ["/tmp", "/var/cache/nginx"],
+    });
+    const spec = result.deployment.spec as any;
+    expect(spec.template.spec.volumes).toEqual([
+      { name: "tmp-0", emptyDir: {} },
+      { name: "tmp-1", emptyDir: {} },
+    ]);
+    expect(spec.template.spec.containers[0].volumeMounts).toEqual([
+      { name: "tmp-0", mountPath: "/tmp" },
+      { name: "tmp-1", mountPath: "/var/cache/nginx" },
+    ]);
+  });
+
+  test("tmpDirs merges with explicit volumes/volumeMounts", () => {
+    const result = AutoscaledService({
+      ...minProps,
+      volumes: [{ name: "config", configMap: { name: "app-config" } }],
+      volumeMounts: [{ name: "config", mountPath: "/etc/config" }],
+      tmpDirs: ["/tmp"],
+    });
+    const spec = result.deployment.spec as any;
+    expect(spec.template.spec.volumes).toEqual([
+      { name: "config", configMap: { name: "app-config" } },
+      { name: "tmp-0", emptyDir: {} },
+    ]);
+    expect(spec.template.spec.containers[0].volumeMounts).toEqual([
+      { name: "config", mountPath: "/etc/config" },
+      { name: "tmp-0", mountPath: "/tmp" },
+    ]);
+  });
 });
 
 // ── WorkerPool ─────────────────────────────────────────────────────
@@ -1160,6 +1224,25 @@ describe("WebApp hardening", () => {
     expect(container.securityContext.runAsNonRoot).toBe(true);
   });
 
+  test("securityContext supports PSS restricted fields", () => {
+    const result = WebApp({
+      name: "app",
+      image: "app:1.0",
+      securityContext: {
+        runAsNonRoot: true,
+        readOnlyRootFilesystem: true,
+        allowPrivilegeEscalation: false,
+        capabilities: { drop: ["ALL"] },
+        seccompProfile: { type: "RuntimeDefault" },
+      },
+    });
+    const spec = result.deployment.spec as any;
+    const sc = spec.template.spec.containers[0].securityContext;
+    expect(sc.allowPrivilegeEscalation).toBe(false);
+    expect(sc.capabilities).toEqual({ drop: ["ALL"] });
+    expect(sc.seccompProfile).toEqual({ type: "RuntimeDefault" });
+  });
+
   test("terminationGracePeriodSeconds set", () => {
     const result = WebApp({ name: "app", image: "app:1.0", terminationGracePeriodSeconds: 60 });
     const spec = result.deployment.spec as any;
@@ -1216,6 +1299,24 @@ describe("StatefulApp hardening", () => {
     const spec = result.statefulSet.spec as any;
     expect(spec.template.spec.containers[0].securityContext.runAsNonRoot).toBe(true);
   });
+
+  test("securityContext supports PSS restricted fields", () => {
+    const result = StatefulApp({
+      name: "db",
+      image: "postgres:16",
+      securityContext: {
+        runAsNonRoot: true,
+        allowPrivilegeEscalation: false,
+        capabilities: { drop: ["ALL"] },
+        seccompProfile: { type: "RuntimeDefault" },
+      },
+    });
+    const spec = result.statefulSet.spec as any;
+    const sc = spec.template.spec.containers[0].securityContext;
+    expect(sc.allowPrivilegeEscalation).toBe(false);
+    expect(sc.capabilities).toEqual({ drop: ["ALL"] });
+    expect(sc.seccompProfile).toEqual({ type: "RuntimeDefault" });
+  });
 });
 
 describe("WorkerPool hardening", () => {
@@ -1235,6 +1336,24 @@ describe("WorkerPool hardening", () => {
     const spec = result.deployment.spec as any;
     expect(spec.template.spec.containers[0].securityContext.runAsNonRoot).toBe(true);
   });
+
+  test("securityContext supports PSS restricted fields", () => {
+    const result = WorkerPool({
+      name: "w",
+      image: "w:1.0",
+      securityContext: {
+        runAsNonRoot: true,
+        allowPrivilegeEscalation: false,
+        capabilities: { drop: ["ALL"] },
+        seccompProfile: { type: "RuntimeDefault" },
+      },
+    });
+    const spec = result.deployment.spec as any;
+    const sc = spec.template.spec.containers[0].securityContext;
+    expect(sc.allowPrivilegeEscalation).toBe(false);
+    expect(sc.capabilities).toEqual({ drop: ["ALL"] });
+    expect(sc.seccompProfile).toEqual({ type: "RuntimeDefault" });
+  });
 });
 
 describe("AutoscaledService hardening", () => {
@@ -1258,6 +1377,23 @@ describe("AutoscaledService hardening", () => {
     expect(spec.template.spec.containers[0].securityContext.runAsNonRoot).toBe(true);
   });
 
+  test("securityContext supports PSS restricted fields", () => {
+    const result = AutoscaledService({
+      ...minProps,
+      securityContext: {
+        runAsNonRoot: true,
+        allowPrivilegeEscalation: false,
+        capabilities: { drop: ["ALL"] },
+        seccompProfile: { type: "RuntimeDefault" },
+      },
+    });
+    const spec = result.deployment.spec as any;
+    const sc = spec.template.spec.containers[0].securityContext;
+    expect(sc.allowPrivilegeEscalation).toBe(false);
+    expect(sc.capabilities).toEqual({ drop: ["ALL"] });
+    expect(sc.seccompProfile).toEqual({ type: "RuntimeDefault" });
+  });
+
   test("terminationGracePeriodSeconds set", () => {
     const result = AutoscaledService({ ...minProps, terminationGracePeriodSeconds: 30 });
     const spec = result.deployment.spec as any;
@@ -1704,6 +1840,98 @@ describe("AlbIngress", () => {
     const meta = result.ingress.metadata as any;
     expect(meta.annotations["alb.ingress.kubernetes.io/scheme"]).toBe("internal");
   });
+
+  test("empty-string certificateArn does NOT set ssl-redirect", () => {
+    const result = AlbIngress({ ...minProps, certificateArn: "" });
+    const meta = result.ingress.metadata as any;
+    expect(meta.annotations["alb.ingress.kubernetes.io/ssl-redirect"]).toBeUndefined();
+    expect(meta.annotations["alb.ingress.kubernetes.io/certificate-arn"]).toBeUndefined();
+  });
+
+  test("explicit sslRedirect: true overrides empty certificateArn", () => {
+    const result = AlbIngress({ ...minProps, certificateArn: "", sslRedirect: true });
+    const meta = result.ingress.metadata as any;
+    expect(meta.annotations["alb.ingress.kubernetes.io/ssl-redirect"]).toBe("443");
+  });
+
+  test("explicit sslRedirect: false suppresses redirect even with cert", () => {
+    const result = AlbIngress({ ...minProps, certificateArn: "arn:aws:acm:us-east-1:123:cert/abc", sslRedirect: false });
+    const meta = result.ingress.metadata as any;
+    expect(meta.annotations["alb.ingress.kubernetes.io/ssl-redirect"]).toBeUndefined();
+  });
+});
+
+// ── GceIngress ──────────────────────────────────────────────────────
+
+describe("GceIngress", () => {
+  const minProps = {
+    name: "api-ingress",
+    hosts: [{ hostname: "api.example.com", paths: [{ path: "/", serviceName: "api", servicePort: 80 }] }],
+  };
+
+  test("returns ingress with GCE annotations", () => {
+    const result = GceIngress(minProps);
+    expect(result.ingress).toBeDefined();
+    const meta = result.ingress.metadata as any;
+    expect(meta.annotations["kubernetes.io/ingress.class"]).toBe("gce");
+  });
+
+  test("static IP annotation set", () => {
+    const result = GceIngress({ ...minProps, staticIpName: "microservice-ip" });
+    const meta = result.ingress.metadata as any;
+    expect(meta.annotations["kubernetes.io/ingress.global-static-ip-name"]).toBe("microservice-ip");
+  });
+
+  test("managed certificate annotation set", () => {
+    const result = GceIngress({ ...minProps, managedCertificate: "api-cert" });
+    const meta = result.ingress.metadata as any;
+    expect(meta.annotations["networking.gke.io/managed-certificates"]).toBe("api-cert");
+  });
+
+  test("frontendConfig annotation set", () => {
+    const result = GceIngress({ ...minProps, frontendConfig: "my-frontend" });
+    const meta = result.ingress.metadata as any;
+    expect(meta.annotations["networking.gke.io/v1beta1.FrontendConfig"]).toBe("my-frontend");
+  });
+
+  test("managedCertificate sets default FrontendConfig for ssl redirect", () => {
+    const result = GceIngress({ ...minProps, managedCertificate: "api-cert" });
+    const meta = result.ingress.metadata as any;
+    expect(meta.annotations["networking.gke.io/v1beta1.FrontendConfig"]).toBe("api-ingress-frontend-config");
+  });
+
+  test("explicit sslRedirect: false suppresses FrontendConfig even with cert", () => {
+    const result = GceIngress({ ...minProps, managedCertificate: "api-cert", sslRedirect: false });
+    const meta = result.ingress.metadata as any;
+    expect(meta.annotations["networking.gke.io/v1beta1.FrontendConfig"]).toBeUndefined();
+  });
+
+  test("explicit sslRedirect: true sets default FrontendConfig without cert", () => {
+    const result = GceIngress({ ...minProps, sslRedirect: true });
+    const meta = result.ingress.metadata as any;
+    expect(meta.annotations["networking.gke.io/v1beta1.FrontendConfig"]).toBe("api-ingress-frontend-config");
+  });
+
+  test("namespace is set when provided", () => {
+    const result = GceIngress({ ...minProps, namespace: "production" });
+    const meta = result.ingress.metadata as any;
+    expect(meta.namespace).toBe("production");
+  });
+
+  test("host rules are mapped correctly", () => {
+    const result = GceIngress(minProps);
+    const spec = result.ingress.spec as any;
+    expect(spec.rules).toHaveLength(1);
+    expect(spec.rules[0].host).toBe("api.example.com");
+    expect(spec.rules[0].http.paths[0].backend.service.name).toBe("api");
+  });
+
+  test("labels include component: ingress", () => {
+    const result = GceIngress(minProps);
+    const meta = result.ingress.metadata as any;
+    expect(meta.labels["app.kubernetes.io/component"]).toBe("ingress");
+    expect(meta.labels["app.kubernetes.io/managed-by"]).toBe("chant");
+  });
 });
 
 // ── EbsStorageClass ─────────────────────────────────────────────────
@@ -1742,6 +1970,20 @@ describe("EbsStorageClass", () => {
     const result = EbsStorageClass({ name: "sc" });
     expect((result.storageClass.metadata as any).namespace).toBeUndefined();
   });
+
+  test("numeric iops and throughput coerced to strings", () => {
+    const result = EbsStorageClass({ name: "perf", iops: 5000, throughput: 250 });
+    const params = (result.storageClass as any).parameters;
+    expect(params.iops).toBe("5000");
+    expect(params.throughput).toBe("250");
+  });
+
+  test("string iops and throughput passed through", () => {
+    const result = EbsStorageClass({ name: "perf", iops: "3000", throughput: "125" });
+    const params = (result.storageClass as any).parameters;
+    expect(params.iops).toBe("3000");
+    expect(params.throughput).toBe("125");
+  });
 });
 
 // ── EfsStorageClass ─────────────────────────────────────────────────
@@ -1990,3 +2232,821 @@ describe("MetricsServer", () => {
     expect(spec.template.spec.containers[0].image).toBe("custom:v1");
   });
 });
+
+// ── PSS restricted securityContext passthrough tests ─────────────
+
+const pssSecurityContext = {
+  runAsNonRoot: true,
+  readOnlyRootFilesystem: true,
+  allowPrivilegeEscalation: false,
+  capabilities: { drop: ["ALL"] },
+  seccompProfile: { type: "RuntimeDefault" },
+};
+
+describe("BatchJob securityContext", () => {
+  test("securityContext passed through to container", () => {
+    const result = BatchJob({
+      name: "migrate",
+      image: "migrate:1.0",
+      securityContext: pssSecurityContext,
+    });
+    const spec = result.job.spec as any;
+    const sc = spec.template.spec.containers[0].securityContext;
+    expect(sc.runAsNonRoot).toBe(true);
+    expect(sc.allowPrivilegeEscalation).toBe(false);
+    expect(sc.capabilities).toEqual({ drop: ["ALL"] });
+    expect(sc.seccompProfile).toEqual({ type: "RuntimeDefault" });
+  });
+});
+
+describe("CronWorkload securityContext", () => {
+  test("securityContext passed through to container", () => {
+    const result = CronWorkload({
+      name: "backup",
+      image: "backup:1.0",
+      schedule: "0 2 * * *",
+      securityContext: pssSecurityContext,
+    });
+    const spec = result.cronJob.spec as any;
+    const sc = spec.jobTemplate.spec.template.spec.containers[0].securityContext;
+    expect(sc.runAsNonRoot).toBe(true);
+    expect(sc.allowPrivilegeEscalation).toBe(false);
+    expect(sc.capabilities).toEqual({ drop: ["ALL"] });
+    expect(sc.seccompProfile).toEqual({ type: "RuntimeDefault" });
+  });
+});
+
+describe("NodeAgent securityContext", () => {
+  test("securityContext passed through to container", () => {
+    const result = NodeAgent({
+      name: "agent",
+      image: "agent:1.0",
+      rbacRules: [{ apiGroups: [""], resources: ["pods"], verbs: ["get"] }],
+      securityContext: pssSecurityContext,
+    });
+    const spec = result.daemonSet.spec as any;
+    const sc = spec.template.spec.containers[0].securityContext;
+    expect(sc.runAsNonRoot).toBe(true);
+    expect(sc.allowPrivilegeEscalation).toBe(false);
+    expect(sc.capabilities).toEqual({ drop: ["ALL"] });
+  });
+});
+
+describe("ConfiguredApp securityContext", () => {
+  test("securityContext passed through to container", () => {
+    const result = ConfiguredApp({
+      name: "api",
+      image: "api:1.0",
+      securityContext: pssSecurityContext,
+    });
+    const spec = result.deployment.spec as any;
+    const sc = spec.template.spec.containers[0].securityContext;
+    expect(sc.runAsNonRoot).toBe(true);
+    expect(sc.allowPrivilegeEscalation).toBe(false);
+    expect(sc.capabilities).toEqual({ drop: ["ALL"] });
+    expect(sc.seccompProfile).toEqual({ type: "RuntimeDefault" });
+  });
+});
+
+describe("SidecarApp securityContext", () => {
+  test("securityContext passed through to primary container", () => {
+    const result = SidecarApp({
+      name: "api",
+      image: "api:1.0",
+      sidecars: [{ name: "envoy", image: "envoy:1.0" }],
+      securityContext: pssSecurityContext,
+    });
+    const spec = result.deployment.spec as any;
+    const sc = spec.template.spec.containers[0].securityContext;
+    expect(sc.runAsNonRoot).toBe(true);
+    expect(sc.allowPrivilegeEscalation).toBe(false);
+    expect(sc.capabilities).toEqual({ drop: ["ALL"] });
+    expect(sc.seccompProfile).toEqual({ type: "RuntimeDefault" });
+  });
+});
+
+describe("NetworkIsolatedApp securityContext", () => {
+  test("securityContext passed through to container", () => {
+    const result = NetworkIsolatedApp({
+      name: "api",
+      image: "api:1.0",
+      securityContext: pssSecurityContext,
+    });
+    const spec = result.deployment.spec as any;
+    const sc = spec.template.spec.containers[0].securityContext;
+    expect(sc.runAsNonRoot).toBe(true);
+    expect(sc.allowPrivilegeEscalation).toBe(false);
+    expect(sc.capabilities).toEqual({ drop: ["ALL"] });
+    expect(sc.seccompProfile).toEqual({ type: "RuntimeDefault" });
+  });
+});
+
+describe("MonitoredService securityContext", () => {
+  test("securityContext passed through to container", () => {
+    const result = MonitoredService({
+      name: "api",
+      image: "api:1.0",
+      securityContext: pssSecurityContext,
+    });
+    const spec = result.deployment.spec as any;
+    const sc = spec.template.spec.containers[0].securityContext;
+    expect(sc.runAsNonRoot).toBe(true);
+    expect(sc.allowPrivilegeEscalation).toBe(false);
+    expect(sc.capabilities).toEqual({ drop: ["ALL"] });
+    expect(sc.seccompProfile).toEqual({ type: "RuntimeDefault" });
+  });
+});
+
+// ── Infrastructure composites: hardcoded security defaults ──────
+
+describe("ExternalDnsAgent security defaults", () => {
+  test("container has hardcoded PSS-safe securityContext", () => {
+    const result = ExternalDnsAgent({
+      iamRoleArn: "arn:aws:iam::123456789012:role/test",
+      domainFilters: ["example.com"],
+    });
+    const spec = result.deployment.spec as any;
+    const sc = spec.template.spec.containers[0].securityContext;
+    expect(sc.runAsNonRoot).toBe(true);
+    expect(sc.readOnlyRootFilesystem).toBe(true);
+    expect(sc.allowPrivilegeEscalation).toBe(false);
+  });
+});
+
+describe("FluentBitAgent security defaults", () => {
+  test("container runs as root (needs host log access) with other PSS hardening", () => {
+    const result = FluentBitAgent({
+      logGroup: "/aws/eks/test/containers",
+      region: "us-east-1",
+      clusterName: "test",
+    });
+    const spec = result.daemonSet.spec as any;
+    const sc = spec.template.spec.containers[0].securityContext;
+    expect(sc.runAsUser).toBe(0);
+    expect(sc.runAsNonRoot).toBeUndefined();
+    expect(sc.readOnlyRootFilesystem).toBe(true);
+    expect(sc.allowPrivilegeEscalation).toBe(false);
+  });
+});
+
+describe("AdotCollector security defaults", () => {
+  test("container runs as non-root with explicit UID (ADOT 'aoc' user)", () => {
+    const result = AdotCollector({
+      region: "us-east-1",
+      clusterName: "test",
+    });
+    const spec = result.daemonSet.spec as any;
+    const sc = spec.template.spec.containers[0].securityContext;
+    expect(sc.runAsNonRoot).toBe(true);
+    expect(sc.runAsUser).toBe(10001);
+    expect(sc.readOnlyRootFilesystem).toBe(true);
+    expect(sc.allowPrivilegeEscalation).toBe(false);
+  });
+});
+
+// ── Phase 3B: Composite serialization smoke tests ───────────────
+
+describe("Composite YAML serialization smoke tests", () => {
+  function serializeCompositeProps(props: Record<string, Record<string, unknown>>): string {
+    return Object.values(props)
+      .map((p) => emitYAML(p, 0))
+      .join("\n---\n");
+  }
+
+  test("ExternalDnsAgent serializes to valid YAML", () => {
+    const result = ExternalDnsAgent({
+      iamRoleArn: "arn:aws:iam::123456789012:role/test",
+      domainFilters: ["example.com"],
+    });
+    const yaml = serializeCompositeProps(result as any);
+    expect(yaml).toContain("external-dns");
+    expect(yaml).not.toContain("[object Object]");
+  });
+
+  test("FluentBitAgent serializes multiline config correctly", () => {
+    const result = FluentBitAgent({
+      logGroup: "/aws/eks/test/containers",
+      region: "us-east-1",
+      clusterName: "test",
+    });
+    const yaml = serializeCompositeProps(result as any);
+    // Multiline config should use | block scalar, not flatten
+    expect(yaml).toContain("|");
+    expect(yaml).toContain("[SERVICE]");
+    expect(yaml).toContain("[INPUT]");
+    expect(yaml).not.toContain("\\n");
+  });
+
+  test("AdotCollector serializes multiline config correctly", () => {
+    const result = AdotCollector({
+      region: "us-east-1",
+      clusterName: "test",
+    });
+    const yaml = serializeCompositeProps(result as any);
+    expect(yaml).toContain("|");
+    expect(yaml).toContain("receivers:");
+    expect(yaml).toContain("exporters:");
+    expect(yaml).not.toContain("\\n");
+  });
+
+  test("MetricsServer serializes to valid YAML", () => {
+    const result = MetricsServer({});
+    const yaml = serializeCompositeProps(result as any);
+    expect(yaml).toContain("metrics-server");
+    expect(yaml).not.toContain("[object Object]");
+  });
+});
+
+// ── Phase 4A: MetricsServer RBAC completeness ──────────────────
+
+describe("MetricsServer RBAC completeness", () => {
+  test("clusterRole includes configmaps resource", () => {
+    const result = MetricsServer({});
+    const rules = result.clusterRole.rules as any[];
+    const hasConfigmaps = rules.some((r: any) => r.resources?.includes("configmaps"));
+    expect(hasConfigmaps).toBe(true);
+  });
+});
+
+// ── Phase 4B: AdotCollector command vs args ─────────────────────
+
+describe("AdotCollector command vs args", () => {
+  test("container uses args (not command) for config flag", () => {
+    const result = AdotCollector({
+      region: "us-east-1",
+      clusterName: "test",
+    });
+    const spec = result.daemonSet.spec as any;
+    const container = spec.template.spec.containers[0];
+    // Config flag should be in args, not command
+    expect(container.args).toContain("--config=/etc/adot/config.yaml");
+    expect(container.command).toBeUndefined();
+  });
+});
+
+// ── Phase 4C: AdotCollector pipeline exporter separation ────────
+
+describe("AdotCollector pipeline exporter separation", () => {
+  test("metrics pipeline does NOT include awsxray", () => {
+    const result = AdotCollector({
+      region: "us-east-1",
+      clusterName: "test",
+      exporters: ["cloudwatch", "xray"],
+    });
+    const config = (result.configMap as any).data["config.yaml"] as string;
+    // Extract metrics pipeline exporters line
+    const metricsMatch = config.match(/metrics:\s*\n\s*receivers:.*\n\s*processors:.*\n\s*exporters:\s*\[([^\]]+)\]/);
+    expect(metricsMatch).toBeDefined();
+    const metricsExporters = metricsMatch![1];
+    expect(metricsExporters).not.toContain("awsxray");
+    expect(metricsExporters).toContain("awsemf");
+  });
+
+  test("traces pipeline does NOT include awsemf", () => {
+    const result = AdotCollector({
+      region: "us-east-1",
+      clusterName: "test",
+      exporters: ["cloudwatch", "xray"],
+    });
+    const config = (result.configMap as any).data["config.yaml"] as string;
+    // Extract traces pipeline exporters line
+    const tracesMatch = config.match(/traces:\s*\n\s*receivers:.*\n\s*processors:.*\n\s*exporters:\s*\[([^\]]+)\]/);
+    expect(tracesMatch).toBeDefined();
+    const tracesExporters = tracesMatch![1];
+    expect(tracesExporters).not.toContain("awsemf");
+    expect(tracesExporters).toContain("awsxray");
+  });
+
+  test("cloudwatch-only: traces pipeline falls back to valid default", () => {
+    const result = AdotCollector({
+      region: "us-east-1",
+      clusterName: "test",
+      exporters: ["cloudwatch"],
+    });
+    const config = (result.configMap as any).data["config.yaml"] as string;
+    // Traces pipeline should still have an exporter (fallback to awsxray)
+    const tracesMatch = config.match(/traces:\s*\n\s*receivers:.*\n\s*processors:.*\n\s*exporters:\s*\[([^\]]+)\]/);
+    expect(tracesMatch).toBeDefined();
+    const tracesExporters = tracesMatch![1].trim();
+    expect(tracesExporters.length).toBeGreaterThan(0);
+  });
+});
+
+// ── Phase 4D: AdotCollector config parseable as YAML ────────────
+
+describe("AdotCollector config structure", () => {
+  test("generated config has required top-level sections", () => {
+    const result = AdotCollector({
+      region: "us-east-1",
+      clusterName: "test",
+    });
+    const config = (result.configMap as any).data["config.yaml"] as string;
+    expect(config).toContain("receivers:");
+    expect(config).toContain("exporters:");
+    expect(config).toContain("processors:");
+    expect(config).toContain("service:");
+    expect(config).toContain("pipelines:");
+    expect(config).toContain("metrics:");
+    expect(config).toContain("traces:");
+  });
+});
+
+// ── WorkloadIdentityServiceAccount ──────────────────────────────────
+
+describe("WorkloadIdentityServiceAccount", () => {
+  const minProps = { name: "app-sa", gcpServiceAccountEmail: "sa@my-project.iam.gserviceaccount.com" };
+
+  test("returns serviceAccount with Workload Identity annotation", () => {
+    const result = WorkloadIdentityServiceAccount(minProps);
+    expect(result.serviceAccount).toBeDefined();
+    const meta = result.serviceAccount.metadata as any;
+    expect(meta.annotations["iam.gke.io/gcp-service-account"]).toBe("sa@my-project.iam.gserviceaccount.com");
+  });
+
+  test("no RBAC by default", () => {
+    const result = WorkloadIdentityServiceAccount(minProps);
+    expect(result.role).toBeUndefined();
+    expect(result.roleBinding).toBeUndefined();
+  });
+
+  test("RBAC created when rules provided", () => {
+    const result = WorkloadIdentityServiceAccount({
+      ...minProps,
+      rbacRules: [{ apiGroups: [""], resources: ["secrets"], verbs: ["get"] }],
+    });
+    expect(result.role).toBeDefined();
+    expect(result.roleBinding).toBeDefined();
+    const role = result.role as any;
+    expect(role.rules[0].resources).toEqual(["secrets"]);
+  });
+
+  test("namespace propagated", () => {
+    const result = WorkloadIdentityServiceAccount({ ...minProps, namespace: "prod" });
+    expect((result.serviceAccount.metadata as any).namespace).toBe("prod");
+  });
+
+  test("component labels", () => {
+    const result = WorkloadIdentityServiceAccount(minProps);
+    expect((result.serviceAccount.metadata as any).labels["app.kubernetes.io/component"]).toBe("service-account");
+  });
+});
+
+// ── GcePdStorageClass ───────────────────────────────────────────────
+
+describe("GcePdStorageClass", () => {
+  test("returns storageClass with GCE PD provisioner", () => {
+    const result = GcePdStorageClass({ name: "pd-balanced" });
+    expect(result.storageClass).toBeDefined();
+    expect((result.storageClass as any).provisioner).toBe("pd.csi.storage.gke.io");
+  });
+
+  test("default type is pd-balanced", () => {
+    const result = GcePdStorageClass({ name: "default" });
+    expect((result.storageClass as any).parameters.type).toBe("pd-balanced");
+  });
+
+  test("custom type", () => {
+    const result = GcePdStorageClass({ name: "ssd", type: "pd-ssd" });
+    expect((result.storageClass as any).parameters.type).toBe("pd-ssd");
+  });
+
+  test("regional-pd replication type", () => {
+    const result = GcePdStorageClass({ name: "regional", replicationType: "regional-pd" });
+    expect((result.storageClass as any).parameters["replication-type"]).toBe("regional-pd");
+  });
+
+  test("no replication-type param when none", () => {
+    const result = GcePdStorageClass({ name: "default" });
+    expect((result.storageClass as any).parameters["replication-type"]).toBeUndefined();
+  });
+
+  test("allowVolumeExpansion default true", () => {
+    const result = GcePdStorageClass({ name: "exp" });
+    expect((result.storageClass as any).allowVolumeExpansion).toBe(true);
+  });
+
+  test("storageClass is cluster-scoped (no namespace)", () => {
+    const result = GcePdStorageClass({ name: "sc" });
+    expect((result.storageClass.metadata as any).namespace).toBeUndefined();
+  });
+});
+
+// ── FilestoreStorageClass ───────────────────────────────────────────
+
+describe("FilestoreStorageClass", () => {
+  test("returns storageClass with Filestore provisioner", () => {
+    const result = FilestoreStorageClass({ name: "filestore" });
+    expect((result.storageClass as any).provisioner).toBe("filestore.csi.storage.gke.io");
+  });
+
+  test("default tier is standard", () => {
+    const result = FilestoreStorageClass({ name: "fs" });
+    expect((result.storageClass as any).parameters.tier).toBe("standard");
+  });
+
+  test("custom tier", () => {
+    const result = FilestoreStorageClass({ name: "premium-fs", tier: "premium" });
+    expect((result.storageClass as any).parameters.tier).toBe("premium");
+  });
+
+  test("network parameter set when provided", () => {
+    const result = FilestoreStorageClass({ name: "fs", network: "my-vpc" });
+    expect((result.storageClass as any).parameters.network).toBe("my-vpc");
+  });
+
+  test("no network parameter by default", () => {
+    const result = FilestoreStorageClass({ name: "fs" });
+    expect((result.storageClass as any).parameters.network).toBeUndefined();
+  });
+});
+
+// ── GkeGateway ──────────────────────────────────────────────────────
+
+describe("GkeGateway", () => {
+  const minProps = {
+    name: "api-gateway",
+    hosts: [{ hostname: "api.example.com", paths: [{ path: "/", serviceName: "api", servicePort: 80 }] }],
+  };
+
+  test("returns gateway and httpRoute", () => {
+    const result = GkeGateway(minProps);
+    expect(result.gateway).toBeDefined();
+    expect(result.httpRoute).toBeDefined();
+  });
+
+  test("default gatewayClassName", () => {
+    const result = GkeGateway(minProps);
+    const spec = result.gateway.spec as any;
+    expect(spec.gatewayClassName).toBe("gke-l7-global-external-managed");
+  });
+
+  test("custom gatewayClassName", () => {
+    const result = GkeGateway({ ...minProps, gatewayClassName: "gke-l7-rilb" });
+    const spec = result.gateway.spec as any;
+    expect(spec.gatewayClassName).toBe("gke-l7-rilb");
+  });
+
+  test("HTTP listener when no certificate", () => {
+    const result = GkeGateway(minProps);
+    const spec = result.gateway.spec as any;
+    expect(spec.listeners[0].protocol).toBe("HTTP");
+    expect(spec.listeners[0].port).toBe(80);
+  });
+
+  test("HTTPS listener with certificate", () => {
+    const result = GkeGateway({ ...minProps, certificateName: "api-cert" });
+    const spec = result.gateway.spec as any;
+    expect(spec.listeners[0].protocol).toBe("HTTPS");
+    expect(spec.listeners[0].port).toBe(443);
+    expect(spec.listeners[0].tls.certificateRefs[0].name).toBe("api-cert");
+  });
+
+  test("httpRoute references parent gateway", () => {
+    const result = GkeGateway(minProps);
+    const spec = result.httpRoute.spec as any;
+    expect(spec.parentRefs[0].name).toBe("api-gateway");
+  });
+
+  test("httpRoute has hostnames", () => {
+    const result = GkeGateway(minProps);
+    const spec = result.httpRoute.spec as any;
+    expect(spec.hostnames).toEqual(["api.example.com"]);
+  });
+
+  test("httpRoute rules map to backend services", () => {
+    const result = GkeGateway(minProps);
+    const spec = result.httpRoute.spec as any;
+    expect(spec.rules[0].backendRefs[0].name).toBe("api");
+    expect(spec.rules[0].backendRefs[0].port).toBe(80);
+  });
+
+  test("namespace propagated to both resources", () => {
+    const result = GkeGateway({ ...minProps, namespace: "prod" });
+    expect((result.gateway.metadata as any).namespace).toBe("prod");
+    expect((result.httpRoute.metadata as any).namespace).toBe("prod");
+  });
+});
+
+// ── ConfigConnectorContext ───────────────────────────────────────────
+
+describe("ConfigConnectorContext", () => {
+  const minProps = { googleServiceAccountEmail: "cnrm@my-project.iam.gserviceaccount.com" };
+
+  test("returns context with apiVersion and kind", () => {
+    const result = ConfigConnectorContext(minProps);
+    expect(result.context).toBeDefined();
+    expect((result.context as any).apiVersion).toBe("core.cnrm.cloud.google.com/v1beta1");
+    expect((result.context as any).kind).toBe("ConfigConnectorContext");
+  });
+
+  test("googleServiceAccount in spec", () => {
+    const result = ConfigConnectorContext(minProps);
+    const spec = (result.context as any).spec;
+    expect(spec.googleServiceAccount).toBe("cnrm@my-project.iam.gserviceaccount.com");
+  });
+
+  test("default stateIntoSpec is absent", () => {
+    const result = ConfigConnectorContext(minProps);
+    expect((result.context as any).spec.stateIntoSpec).toBe("absent");
+  });
+
+  test("custom stateIntoSpec", () => {
+    const result = ConfigConnectorContext({ ...minProps, stateIntoSpec: "merge" });
+    expect((result.context as any).spec.stateIntoSpec).toBe("merge");
+  });
+
+  test("default namespace is default", () => {
+    const result = ConfigConnectorContext(minProps);
+    expect((result.context as any).metadata.namespace).toBe("default");
+  });
+
+  test("custom namespace", () => {
+    const result = ConfigConnectorContext({ ...minProps, namespace: "config-connector" });
+    expect((result.context as any).metadata.namespace).toBe("config-connector");
+  });
+});
+
+// ── GkeFluentBitAgent ────────────────────────────────────────────────
+
+describe("GkeFluentBitAgent", () => {
+  const { GkeFluentBitAgent } = require("./gke-fluent-bit-agent");
+
+  const minProps = {
+    clusterName: "test-cluster",
+    projectId: "test-project",
+    gcpServiceAccountEmail: "fluent-bit@test-project.iam.gserviceaccount.com",
+  };
+
+  test("returns all expected resources", () => {
+    const result = GkeFluentBitAgent(minProps);
+    expect(result.daemonSet).toBeDefined();
+    expect(result.serviceAccount).toBeDefined();
+    expect(result.clusterRole).toBeDefined();
+    expect(result.clusterRoleBinding).toBeDefined();
+    expect(result.configMap).toBeDefined();
+  });
+
+  test("SA has GKE Workload Identity annotation", () => {
+    const result = GkeFluentBitAgent(minProps);
+    const meta = result.serviceAccount.metadata as any;
+    expect(meta.annotations["iam.gke.io/gcp-service-account"]).toBe(
+      "fluent-bit@test-project.iam.gserviceaccount.com",
+    );
+  });
+
+  test("SA has no annotation when gcpServiceAccountEmail omitted", () => {
+    const result = GkeFluentBitAgent({
+      clusterName: "test-cluster",
+      projectId: "test-project",
+    });
+    const meta = result.serviceAccount.metadata as any;
+    expect(meta.annotations).toBeUndefined();
+  });
+
+  test("configMap uses stackdriver output", () => {
+    const result = GkeFluentBitAgent(minProps);
+    const data = result.configMap.data as any;
+    expect(data["fluent-bit.conf"]).toContain("stackdriver");
+    expect(data["fluent-bit.conf"]).toContain("test-cluster");
+  });
+
+  test("default namespace is gke-logging", () => {
+    const result = GkeFluentBitAgent(minProps);
+    expect((result.daemonSet.metadata as any).namespace).toBe("gke-logging");
+    expect((result.serviceAccount.metadata as any).namespace).toBe("gke-logging");
+  });
+
+  test("common labels on all resources", () => {
+    const result = GkeFluentBitAgent(minProps);
+    for (const resource of [result.daemonSet, result.serviceAccount, result.clusterRole, result.clusterRoleBinding, result.configMap]) {
+      expect((resource.metadata as any).labels["app.kubernetes.io/managed-by"]).toBe("chant");
+    }
+  });
+
+  test("DaemonSet mounts host log directory", () => {
+    const result = GkeFluentBitAgent(minProps);
+    const spec = (result.daemonSet as any).spec.template.spec;
+    const varlog = spec.volumes.find((v: any) => v.name === "varlog");
+    expect(varlog.hostPath.path).toBe("/var/log");
+  });
+
+  test("container runs as root for log access", () => {
+    const result = GkeFluentBitAgent(minProps);
+    const container = (result.daemonSet as any).spec.template.spec.containers[0];
+    expect(container.securityContext.runAsUser).toBe(0);
+    expect(container.securityContext.readOnlyRootFilesystem).toBe(true);
+  });
+});
+
+// ── GkeOtelCollector ─────────────────────────────────────────────────
+
+describe("GkeOtelCollector", () => {
+  const { GkeOtelCollector } = require("./gke-otel-collector");
+
+  const minProps = {
+    clusterName: "test-cluster",
+    projectId: "test-project",
+    gcpServiceAccountEmail: "otel@test-project.iam.gserviceaccount.com",
+  };
+
+  test("returns all expected resources", () => {
+    const result = GkeOtelCollector(minProps);
+    expect(result.daemonSet).toBeDefined();
+    expect(result.serviceAccount).toBeDefined();
+    expect(result.clusterRole).toBeDefined();
+    expect(result.clusterRoleBinding).toBeDefined();
+    expect(result.configMap).toBeDefined();
+  });
+
+  test("SA has GKE Workload Identity annotation", () => {
+    const result = GkeOtelCollector(minProps);
+    const meta = result.serviceAccount.metadata as any;
+    expect(meta.annotations["iam.gke.io/gcp-service-account"]).toBe(
+      "otel@test-project.iam.gserviceaccount.com",
+    );
+  });
+
+  test("SA has no annotation when gcpServiceAccountEmail omitted", () => {
+    const result = GkeOtelCollector({
+      clusterName: "test-cluster",
+      projectId: "test-project",
+    });
+    const meta = result.serviceAccount.metadata as any;
+    expect(meta.annotations).toBeUndefined();
+  });
+
+  test("configMap uses googlecloud exporter", () => {
+    const result = GkeOtelCollector(minProps);
+    const data = result.configMap.data as any;
+    expect(data["config.yaml"]).toContain("googlecloud");
+    expect(data["config.yaml"]).toContain("test-project");
+  });
+
+  test("default namespace is gke-monitoring", () => {
+    const result = GkeOtelCollector(minProps);
+    expect((result.daemonSet.metadata as any).namespace).toBe("gke-monitoring");
+  });
+
+  test("container exposes OTLP ports", () => {
+    const result = GkeOtelCollector(minProps);
+    const container = (result.daemonSet as any).spec.template.spec.containers[0];
+    const ports = container.ports.map((p: any) => p.containerPort);
+    expect(ports).toContain(4317);
+    expect(ports).toContain(4318);
+  });
+
+  test("container runs as non-root", () => {
+    const result = GkeOtelCollector(minProps);
+    const container = (result.daemonSet as any).spec.template.spec.containers[0];
+    expect(container.securityContext.runAsNonRoot).toBe(true);
+    expect(container.securityContext.runAsUser).toBe(10001);
+  });
+
+  test("common labels on all resources", () => {
+    const result = GkeOtelCollector(minProps);
+    for (const resource of [result.daemonSet, result.serviceAccount, result.clusterRole, result.clusterRoleBinding, result.configMap]) {
+      expect((resource.metadata as any).labels["app.kubernetes.io/managed-by"]).toBe("chant");
+    }
+  });
+});
+
+// ── GkeExternalDnsAgent ──────────────────────────────────────────────
+
+describe("GkeExternalDnsAgent", () => {
+  const { GkeExternalDnsAgent } = require("./gke-external-dns-agent");
+
+  const minProps = {
+    gcpServiceAccountEmail: "external-dns@test-project.iam.gserviceaccount.com",
+    gcpProjectId: "test-project",
+    domainFilters: ["example.com"],
+  };
+
+  test("returns all expected resources", () => {
+    const result = GkeExternalDnsAgent(minProps);
+    expect(result.deployment).toBeDefined();
+    expect(result.serviceAccount).toBeDefined();
+    expect(result.clusterRole).toBeDefined();
+    expect(result.clusterRoleBinding).toBeDefined();
+  });
+
+  test("SA has GKE Workload Identity annotation", () => {
+    const result = GkeExternalDnsAgent(minProps);
+    const meta = result.serviceAccount.metadata as any;
+    expect(meta.annotations["iam.gke.io/gcp-service-account"]).toBe(
+      "external-dns@test-project.iam.gserviceaccount.com",
+    );
+  });
+
+  test("uses google provider", () => {
+    const result = GkeExternalDnsAgent(minProps);
+    const container = (result.deployment as any).spec.template.spec.containers[0];
+    expect(container.args).toContain("--provider=google");
+  });
+
+  test("passes google-project arg", () => {
+    const result = GkeExternalDnsAgent(minProps);
+    const container = (result.deployment as any).spec.template.spec.containers[0];
+    expect(container.args).toContain("--google-project=test-project");
+  });
+
+  test("domain filters are applied", () => {
+    const result = GkeExternalDnsAgent(minProps);
+    const container = (result.deployment as any).spec.template.spec.containers[0];
+    expect(container.args).toContain("--domain-filter=example.com");
+  });
+
+  test("txtOwnerId is applied when set", () => {
+    const result = GkeExternalDnsAgent({ ...minProps, txtOwnerId: "my-cluster" });
+    const container = (result.deployment as any).spec.template.spec.containers[0];
+    expect(container.args).toContain("--txt-owner-id=my-cluster");
+  });
+
+  test("default namespace is kube-system", () => {
+    const result = GkeExternalDnsAgent(minProps);
+    expect((result.deployment.metadata as any).namespace).toBe("kube-system");
+  });
+
+  test("container runs as non-root", () => {
+    const result = GkeExternalDnsAgent(minProps);
+    const container = (result.deployment as any).spec.template.spec.containers[0];
+    expect(container.securityContext.runAsNonRoot).toBe(true);
+    expect(container.securityContext.runAsUser).toBe(65534);
+  });
+});
+
+// ── AksExternalDnsAgent ──────────────────────────────────────────────
+
+describe("AksExternalDnsAgent", () => {
+  const { AksExternalDnsAgent } = require("./aks-external-dns-agent");
+
+  const minProps = {
+    clientId: "00000000-0000-0000-0000-000000000000",
+    resourceGroup: "test-rg",
+    subscriptionId: "11111111-1111-1111-1111-111111111111",
+    tenantId: "22222222-2222-2222-2222-222222222222",
+    domainFilters: ["example.com"],
+  };
+
+  test("returns all expected resources", () => {
+    const result = AksExternalDnsAgent(minProps);
+    expect(result.deployment).toBeDefined();
+    expect(result.serviceAccount).toBeDefined();
+    expect(result.clusterRole).toBeDefined();
+    expect(result.clusterRoleBinding).toBeDefined();
+  });
+
+  test("SA has AKS Workload Identity annotation and label", () => {
+    const result = AksExternalDnsAgent(minProps);
+    const meta = result.serviceAccount.metadata as any;
+    expect(meta.annotations["azure.workload.identity/client-id"]).toBe(
+      "00000000-0000-0000-0000-000000000000",
+    );
+    expect(meta.labels["azure.workload.identity/use"]).toBe("true");
+  });
+
+  test("uses azure provider", () => {
+    const result = AksExternalDnsAgent(minProps);
+    const container = (result.deployment as any).spec.template.spec.containers[0];
+    expect(container.args).toContain("--provider=azure");
+  });
+
+  test("passes azure resource group and subscription", () => {
+    const result = AksExternalDnsAgent(minProps);
+    const container = (result.deployment as any).spec.template.spec.containers[0];
+    expect(container.args).toContain("--azure-resource-group=test-rg");
+    expect(container.args).toContain("--azure-subscription-id=11111111-1111-1111-1111-111111111111");
+  });
+
+  test("container has Azure env vars", () => {
+    const result = AksExternalDnsAgent(minProps);
+    const container = (result.deployment as any).spec.template.spec.containers[0];
+    const envMap = Object.fromEntries(container.env.map((e: any) => [e.name, e.value]));
+    expect(envMap.AZURE_TENANT_ID).toBe("22222222-2222-2222-2222-222222222222");
+    expect(envMap.AZURE_SUBSCRIPTION_ID).toBe("11111111-1111-1111-1111-111111111111");
+    expect(envMap.AZURE_RESOURCE_GROUP).toBe("test-rg");
+  });
+
+  test("pod labels include workload identity use label", () => {
+    const result = AksExternalDnsAgent(minProps);
+    const podLabels = (result.deployment as any).spec.template.metadata.labels;
+    expect(podLabels["azure.workload.identity/use"]).toBe("true");
+  });
+
+  test("domain filters are applied", () => {
+    const result = AksExternalDnsAgent(minProps);
+    const container = (result.deployment as any).spec.template.spec.containers[0];
+    expect(container.args).toContain("--domain-filter=example.com");
+  });
+
+  test("default namespace is kube-system", () => {
+    const result = AksExternalDnsAgent(minProps);
+    expect((result.deployment.metadata as any).namespace).toBe("kube-system");
+  });
+
+  test("container runs as non-root", () => {
+    const result = AksExternalDnsAgent(minProps);
+    const container = (result.deployment as any).spec.template.spec.containers[0];
+    expect(container.securityContext.runAsNonRoot).toBe(true);
+    expect(container.securityContext.runAsUser).toBe(65534);
+  });
+});