@intentius/chant-lexicon-k8s 0.0.14 → 0.0.16

package/src/composites/config-connector-context.ts

@@ -0,0 +1,62 @@
+/**
+ * ConfigConnectorContext composite — bootstrap Config Connector per-namespace context.
+ *
+ * @gke Creates a ConfigConnectorContext resource that configures
+ * Config Connector to manage GCP resources in a specific namespace.
+ */
+
+export interface ConfigConnectorContextProps {
+  /** Context name (default: "configconnectorcontext.core.cnrm.cloud.google.com"). */
+  name?: string;
+  /** Google service account email for Config Connector to use. */
+  googleServiceAccountEmail: string;
+  /** Namespace for the context (default: "default"). */
+  namespace?: string;
+  /** Whether to sync status into spec (default: "absent"). */
+  stateIntoSpec?: "absent" | "merge";
+}
+
+export interface ConfigConnectorContextResult {
+  context: Record<string, unknown>;
+}
+
+/**
+ * Create a ConfigConnectorContext composite — returns prop objects for
+ * a ConfigConnectorContext resource.
+ *
+ * @gke
+ * @example
+ * ```ts
+ * import { ConfigConnectorContext } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { context } = ConfigConnectorContext({
+ *   googleServiceAccountEmail: "cnrm@my-project.iam.gserviceaccount.com",
+ *   namespace: "config-connector",
+ * });
+ * ```
+ */
+export function ConfigConnectorContext(
+  props: ConfigConnectorContextProps,
+): ConfigConnectorContextResult {
+  const {
+    name = "configconnectorcontext.core.cnrm.cloud.google.com",
+    googleServiceAccountEmail,
+    namespace = "default",
+    stateIntoSpec = "absent",
+  } = props;
+
+  const contextProps: Record<string, unknown> = {
+    apiVersion: "core.cnrm.cloud.google.com/v1beta1",
+    kind: "ConfigConnectorContext",
+    metadata: {
+      name,
+      namespace,
+    },
+    spec: {
+      googleServiceAccount: googleServiceAccountEmail,
+      stateIntoSpec,
+    },
+  };
+
+  return { context: contextProps };
+}

package/src/composites/configured-app.ts

@@ -6,6 +6,8 @@
  * Volume.fromSecret(), and container.mount() patterns.
  */
 
+import type { ContainerSecurityContext } from "./security-context";
+
 export interface ConfiguredAppProps {
   /** Application name — used in metadata and labels. */
   name: string;
@@ -49,6 +51,8 @@ export interface ConfiguredAppProps {
   namespace?: string;
   /** Environment variables for the container. */
   env?: Array<{ name: string; value: string }>;
+  /** Container security context (supports PSS restricted fields). */
+  securityContext?: ContainerSecurityContext;
 }
 
 export interface ConfiguredAppResult {
@@ -96,6 +100,7 @@ export function ConfiguredApp(props: ConfiguredAppProps): ConfiguredAppResult {
     memoryRequest = "128Mi",
     namespace,
     env,
+    securityContext,
   } = props;
 
   const configMapName = `${name}-config`;
@@ -154,6 +159,7 @@ export function ConfiguredApp(props: ConfiguredAppProps): ConfiguredAppResult {
     ...(env && { env }),
     ...(envFromList.length > 0 && { envFrom: envFromList }),
     ...(volumeMounts.length > 0 && { volumeMounts }),
+    ...(securityContext && { securityContext }),
   };
 
   const podSpec: Record<string, unknown> = {

package/src/composites/cron-workload.ts

@@ -5,6 +5,8 @@
  * proper RBAC permissions.
  */
 
+import type { ContainerSecurityContext } from "./security-context";
+
 export interface CronWorkloadProps {
   /** Workload name — used in metadata and labels. */
   name: string;
@@ -33,6 +35,8 @@ export interface CronWorkloadProps {
   namespace?: string;
   /** Environment variables. */
   env?: Array<{ name: string; value: string }>;
+  /** Container security context (supports PSS restricted fields). */
+  securityContext?: ContainerSecurityContext;
 }
 
 export interface CronWorkloadResult {
@@ -75,6 +79,7 @@ export function CronWorkload(props: CronWorkloadProps): CronWorkloadResult {
     labels: extraLabels = {},
     namespace,
     env,
+    securityContext,
   } = props;
 
   const saName = `${name}-sa`;
@@ -110,6 +115,7 @@ export function CronWorkload(props: CronWorkloadProps): CronWorkloadResult {
                   ...(command && { command }),
                   ...(args && { args }),
                   ...(env && { env }),
+                  ...(securityContext && { securityContext }),
                 },
               ],
             },

package/src/composites/ebs-storage-class.ts

@@ -10,9 +10,9 @@ export interface EbsStorageClassProps {
   /** EBS volume type (default: "gp3"). */
   type?: string;
   /** IOPS for io1/io2/gp3 volumes. */
-  iops?: string;
+  iops?: string | number;
   /** Throughput for gp3 volumes (MiB/s). */
-  throughput?: string;
+  throughput?: string | number;
   /** Enable encryption (default: true). */
   encrypted?: boolean;
   /** KMS key ID for encryption. */
@@ -76,8 +76,8 @@ export function EbsStorageClass(props: EbsStorageClassProps): EbsStorageClassRes
     encrypted: String(encrypted),
   };
 
-  if (iops) parameters.iops = iops;
-  if (throughput) parameters.throughput = throughput;
+  if (iops !== undefined) parameters.iops = String(iops);
+  if (throughput !== undefined) parameters.throughput = String(throughput);
   if (kmsKeyId) parameters.kmsKeyId = kmsKeyId;
 
   const storageClassProps: Record<string, unknown> = {

package/src/composites/external-dns-agent.ts

@@ -110,6 +110,12 @@ export function ExternalDnsAgent(props: ExternalDnsAgentProps): ExternalDnsAgent
                 requests: { cpu: "50m", memory: "64Mi" },
                 limits: { cpu: "100m", memory: "128Mi" },
               },
+              securityContext: {
+                runAsNonRoot: true,
+                runAsUser: 65534,
+                readOnlyRootFilesystem: true,
+                allowPrivilegeEscalation: false,
+              },
             },
           ],
         },

package/src/composites/filestore-storage-class.ts

@@ -0,0 +1,79 @@
+/**
+ * FilestoreStorageClass composite — StorageClass for GCP Filestore CSI driver.
+ *
+ * @gke Creates a StorageClass with the `filestore.csi.storage.gke.io` provisioner.
+ * Filestore provides ReadWriteMany access mode (shared across pods/nodes).
+ */
+
+export interface FilestoreStorageClassProps {
+  /** StorageClass name. */
+  name: string;
+  /** Filestore tier (default: "standard"). */
+  tier?: "standard" | "premium" | "enterprise";
+  /** VPC network for the Filestore instance. */
+  network?: string;
+  /** Reclaim policy (default: "Delete"). */
+  reclaimPolicy?: string;
+  /** Volume binding mode (default: "WaitForFirstConsumer"). */
+  volumeBindingMode?: string;
+  /** Additional labels. */
+  labels?: Record<string, string>;
+}
+
+export interface FilestoreStorageClassResult {
+  storageClass: Record<string, unknown>;
+}
+
+/**
+ * Create a FilestoreStorageClass composite — returns prop objects for
+ * a StorageClass with the GCP Filestore CSI provisioner.
+ *
+ * @gke
+ * @example
+ * ```ts
+ * import { FilestoreStorageClass } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { storageClass } = FilestoreStorageClass({
+ *   name: "filestore-standard",
+ *   tier: "standard",
+ *   network: "default",
+ * });
+ * ```
+ */
+export function FilestoreStorageClass(props: FilestoreStorageClassProps): FilestoreStorageClassResult {
+  const {
+    name,
+    tier = "standard",
+    network,
+    reclaimPolicy = "Delete",
+    volumeBindingMode = "WaitForFirstConsumer",
+    labels: extraLabels = {},
+  } = props;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const parameters: Record<string, string> = {
+    tier,
+  };
+
+  if (network) {
+    parameters.network = network;
+  }
+
+  const storageClassProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "storage" },
+    },
+    provisioner: "filestore.csi.storage.gke.io",
+    parameters,
+    reclaimPolicy,
+    volumeBindingMode,
+  };
+
+  return { storageClass: storageClassProps };
+}

package/src/composites/fluent-bit-agent.ts

@@ -130,6 +130,11 @@ export function FluentBitAgent(props: FluentBitAgentProps): FluentBitAgentResult
       { name: "config", mountPath: `/etc/${name}`, readOnly: true },
       { name: "state", mountPath: "/var/fluent-bit/state" },
     ],
+    securityContext: {
+      runAsUser: 0,
+      readOnlyRootFilesystem: true,
+      allowPrivilegeEscalation: false,
+    },
   };
 
   const daemonSetProps: Record<string, unknown> = {

package/src/composites/gce-ingress.ts

@@ -0,0 +1,143 @@
+/**
+ * GceIngress composite — Ingress with GCE Ingress Controller annotations.
+ *
+ * @gke Full `kubernetes.io/ingress.*` and `networking.gke.io/*` annotation set
+ * including static IP, managed certificates, and FrontendConfig.
+ */
+
+export interface GceIngressHost {
+  /** Hostname (e.g., "api.example.com"). */
+  hostname: string;
+  /** Path rules for this host. */
+  paths: Array<{
+    path: string;
+    pathType?: string;
+    serviceName: string;
+    /** Port on the Kubernetes Service (not the container port). */
+    servicePort: number;
+  }>;
+}
+
+export interface GceIngressProps {
+  /** Ingress name — used in metadata and labels. */
+  name: string;
+  /** Host definitions with paths. */
+  hosts: GceIngressHost[];
+  /** Global static IP name reserved in GCP (sets `kubernetes.io/ingress.global-static-ip-name`). */
+  staticIpName?: string;
+  /** GKE managed certificate name (sets `networking.gke.io/managed-certificates`). */
+  managedCertificate?: string;
+  /** FrontendConfig name for SSL policy / redirects (sets `networking.gke.io/v1beta1.FrontendConfig`). */
+  frontendConfig?: string;
+  /** Health check path for backend (sets `cloud.google.com/backend-config` is NOT handled here — use BackendConfig CRD). */
+  healthCheckPath?: string;
+  /** Enable HTTP->HTTPS redirect (default: true when managedCertificate set). */
+  sslRedirect?: boolean;
+  /** Additional annotations on the Ingress. */
+  annotations?: Record<string, string>;
+  /** Additional labels to apply to all resources. */
+  labels?: Record<string, string>;
+  /** Namespace for all resources. */
+  namespace?: string;
+}
+
+export interface GceIngressResult {
+  ingress: Record<string, unknown>;
+}
+
+/**
+ * Create a GceIngress composite — returns prop objects for
+ * an Ingress with GCE Ingress Controller annotations.
+ *
+ * @gke
+ * @example
+ * ```ts
+ * import { GceIngress } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { ingress } = GceIngress({
+ *   name: "api-ingress",
+ *   hosts: [
+ *     {
+ *       hostname: "api.example.com",
+ *       paths: [{ path: "/", serviceName: "api", servicePort: 80 }],
+ *     },
+ *   ],
+ *   staticIpName: "microservice-ip",
+ *   managedCertificate: "api-cert",
+ * });
+ * ```
+ */
+export function GceIngress(props: GceIngressProps): GceIngressResult {
+  const {
+    name,
+    hosts,
+    staticIpName,
+    managedCertificate,
+    frontendConfig,
+    healthCheckPath,
+    sslRedirect,
+    annotations: extraAnnotations = {},
+    labels: extraLabels = {},
+    namespace,
+  } = props;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  // Build GCE annotations
+  const annotations: Record<string, string> = {
+    "kubernetes.io/ingress.class": "gce",
+    ...extraAnnotations,
+  };
+
+  if (staticIpName) {
+    annotations["kubernetes.io/ingress.global-static-ip-name"] = staticIpName;
+  }
+
+  if (managedCertificate) {
+    annotations["networking.gke.io/managed-certificates"] = managedCertificate;
+  }
+
+  if (frontendConfig) {
+    annotations["networking.gke.io/v1beta1.FrontendConfig"] = frontendConfig;
+  }
+
+  if (sslRedirect ?? !!managedCertificate) {
+    annotations["networking.gke.io/v1beta1.FrontendConfig"] =
+      annotations["networking.gke.io/v1beta1.FrontendConfig"] ?? `${name}-frontend-config`;
+  }
+
+  if (healthCheckPath) {
+    annotations["cloud.google.com/neg"] = '{"ingress": true}';
+  }
+
+  const ingressRules = hosts.map((host) => ({
+    host: host.hostname,
+    http: {
+      paths: host.paths.map((p) => ({
+        path: p.path,
+        pathType: p.pathType ?? "Prefix",
+        backend: {
+          service: { name: p.serviceName, port: { number: p.servicePort } },
+        },
+      })),
+    },
+  }));
+
+  const ingressProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      ...(namespace && { namespace }),
+      labels: { ...commonLabels, "app.kubernetes.io/component": "ingress" },
+      annotations,
+    },
+    spec: {
+      rules: ingressRules,
+    },
+  };
+
+  return { ingress: ingressProps };
+}

package/src/composites/gce-pd-storage-class.ts

@@ -0,0 +1,85 @@
+/**
+ * GcePdStorageClass composite — StorageClass for GCE Persistent Disk CSI driver.
+ *
+ * @gke Creates a StorageClass with the `pd.csi.storage.gke.io` provisioner.
+ */
+
+export interface GcePdStorageClassProps {
+  /** StorageClass name. */
+  name: string;
+  /** PD type (default: "pd-balanced"). */
+  type?: "pd-standard" | "pd-ssd" | "pd-balanced" | "pd-extreme";
+  /** Replication type (default: "none"). */
+  replicationType?: "none" | "regional-pd";
+  /** Filesystem type (default: "ext4"). */
+  fsType?: string;
+  /** Reclaim policy (default: "Delete"). */
+  reclaimPolicy?: string;
+  /** Volume binding mode (default: "WaitForFirstConsumer"). */
+  volumeBindingMode?: string;
+  /** Allow volume expansion (default: true). */
+  allowVolumeExpansion?: boolean;
+  /** Additional labels. */
+  labels?: Record<string, string>;
+}
+
+export interface GcePdStorageClassResult {
+  storageClass: Record<string, unknown>;
+}
+
+/**
+ * Create a GcePdStorageClass composite — returns prop objects for
+ * a StorageClass with the GCE Persistent Disk CSI provisioner.
+ *
+ * @gke
+ * @example
+ * ```ts
+ * import { GcePdStorageClass } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { storageClass } = GcePdStorageClass({
+ *   name: "pd-ssd",
+ *   type: "pd-ssd",
+ * });
+ * ```
+ */
+export function GcePdStorageClass(props: GcePdStorageClassProps): GcePdStorageClassResult {
+  const {
+    name,
+    type = "pd-balanced",
+    replicationType = "none",
+    fsType = "ext4",
+    reclaimPolicy = "Delete",
+    volumeBindingMode = "WaitForFirstConsumer",
+    allowVolumeExpansion = true,
+    labels: extraLabels = {},
+  } = props;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const parameters: Record<string, string> = {
+    type,
+    "csi.storage.k8s.io/fstype": fsType,
+  };
+
+  if (replicationType !== "none") {
+    parameters["replication-type"] = replicationType;
+  }
+
+  const storageClassProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "storage" },
+    },
+    provisioner: "pd.csi.storage.gke.io",
+    parameters,
+    reclaimPolicy,
+    volumeBindingMode,
+    allowVolumeExpansion,
+  };
+
+  return { storageClass: storageClassProps };
+}

package/src/composites/gke-external-dns-agent.ts

@@ -0,0 +1,175 @@
+/**
+ * GkeExternalDnsAgent composite — Deployment + ServiceAccount + ClusterRole + ClusterRoleBinding.
+ *
+ * @gke Like ExternalDnsAgent but uses --provider=google and GKE Workload Identity
+ * instead of IRSA for Cloud DNS management.
+ */
+
+export interface GkeExternalDnsAgentProps {
+  /** GCP service account email for Workload Identity (needs Cloud DNS permissions). */
+  gcpServiceAccountEmail: string;
+  /** GCP project ID. */
+  gcpProjectId: string;
+  /** Domain filters — only manage DNS records for these domains. */
+  domainFilters: string[];
+  /** TXT record owner ID for identifying managed records. */
+  txtOwnerId?: string;
+  /** Source of DNS records (default: "ingress"). */
+  source?: string;
+  /** Agent name (default: "external-dns"). */
+  name?: string;
+  /** Container image (default: "registry.k8s.io/external-dns/external-dns:v0.14.0"). */
+  image?: string;
+  /** Namespace (default: "kube-system"). */
+  namespace?: string;
+  /** Additional labels. */
+  labels?: Record<string, string>;
+}
+
+export interface GkeExternalDnsAgentResult {
+  deployment: Record<string, unknown>;
+  serviceAccount: Record<string, unknown>;
+  clusterRole: Record<string, unknown>;
+  clusterRoleBinding: Record<string, unknown>;
+}
+
+/**
+ * Create a GkeExternalDnsAgent composite — returns prop objects for
+ * a Deployment, ServiceAccount (with Workload Identity), ClusterRole, and ClusterRoleBinding.
+ *
+ * @gke
+ * @example
+ * ```ts
+ * import { GkeExternalDnsAgent } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { deployment, serviceAccount, clusterRole, clusterRoleBinding } = GkeExternalDnsAgent({
+ *   gcpServiceAccountEmail: "external-dns@my-project.iam.gserviceaccount.com",
+ *   gcpProjectId: "my-project",
+ *   domainFilters: ["example.com"],
+ *   txtOwnerId: "my-cluster",
+ * });
+ * ```
+ */
+export function GkeExternalDnsAgent(props: GkeExternalDnsAgentProps): GkeExternalDnsAgentResult {
+  const {
+    gcpServiceAccountEmail,
+    gcpProjectId,
+    domainFilters,
+    txtOwnerId,
+    source = "ingress",
+    name = "external-dns",
+    image = "registry.k8s.io/external-dns/external-dns:v0.14.0",
+    namespace = "kube-system",
+    labels: extraLabels = {},
+  } = props;
+
+  const saName = `${name}-sa`;
+  const clusterRoleName = `${name}-role`;
+  const bindingName = `${name}-binding`;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const args: string[] = [
+    `--source=${source}`,
+    "--provider=google",
+    `--google-project=${gcpProjectId}`,
+    "--policy=upsert-only",
+    "--registry=txt",
+  ];
+
+  for (const domain of domainFilters) {
+    args.push(`--domain-filter=${domain}`);
+  }
+
+  if (txtOwnerId) {
+    args.push(`--txt-owner-id=${txtOwnerId}`);
+  }
+
+  const deploymentProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      namespace,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "dns" },
+    },
+    spec: {
+      replicas: 1,
+      selector: { matchLabels: { "app.kubernetes.io/name": name } },
+      template: {
+        metadata: { labels: { "app.kubernetes.io/name": name, ...extraLabels } },
+        spec: {
+          serviceAccountName: saName,
+          containers: [
+            {
+              name,
+              image,
+              args,
+              resources: {
+                requests: { cpu: "50m", memory: "64Mi" },
+                limits: { cpu: "100m", memory: "128Mi" },
+              },
+              securityContext: {
+                runAsNonRoot: true,
+                runAsUser: 65534,
+                readOnlyRootFilesystem: true,
+                allowPrivilegeEscalation: false,
+              },
+            },
+          ],
+        },
+      },
+    },
+  };
+
+  const serviceAccountProps: Record<string, unknown> = {
+    metadata: {
+      name: saName,
+      namespace,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "dns" },
+      annotations: {
+        "iam.gke.io/gcp-service-account": gcpServiceAccountEmail,
+      },
+    },
+  };
+
+  const clusterRoleProps: Record<string, unknown> = {
+    metadata: {
+      name: clusterRoleName,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+    },
+    rules: [
+      { apiGroups: [""], resources: ["services", "endpoints", "pods"], verbs: ["get", "watch", "list"] },
+      { apiGroups: ["extensions", "networking.k8s.io"], resources: ["ingresses"], verbs: ["get", "watch", "list"] },
+      { apiGroups: [""], resources: ["nodes"], verbs: ["list", "watch"] },
+    ],
+  };
+
+  const clusterRoleBindingProps: Record<string, unknown> = {
+    metadata: {
+      name: bindingName,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+    },
+    roleRef: {
+      apiGroup: "rbac.authorization.k8s.io",
+      kind: "ClusterRole",
+      name: clusterRoleName,
+    },
+    subjects: [
+      {
+        kind: "ServiceAccount",
+        name: saName,
+        namespace,
+      },
+    ],
+  };
+
+  return {
+    deployment: deploymentProps,
+    serviceAccount: serviceAccountProps,
+    clusterRole: clusterRoleProps,
+    clusterRoleBinding: clusterRoleBindingProps,
+  };
+}