@intentius/chant-lexicon-k8s 0.0.14 → 0.0.16

package/src/composites/network-isolated-app.ts

@@ -5,6 +5,8 @@
  * Creates fine-grained ingress/egress policies for a single application.
  */
 
+import type { ContainerSecurityContext } from "./security-context";
+
 export interface NetworkPolicyPeer {
   /** Pod selector for the peer. */
   podSelector?: Record<string, string>;
@@ -44,6 +46,8 @@ export interface NetworkIsolatedAppProps {
   namespace?: string;
   /** Environment variables for the container. */
   env?: Array<{ name: string; value: string }>;
+  /** Container security context (supports PSS restricted fields). */
+  securityContext?: ContainerSecurityContext;
 }
 
 export interface NetworkIsolatedAppResult {
@@ -88,6 +92,7 @@ export function NetworkIsolatedApp(props: NetworkIsolatedAppProps): NetworkIsola
     memoryRequest = "128Mi",
     namespace,
     env,
+    securityContext,
   } = props;
 
   const commonLabels: Record<string, string> = {
@@ -118,6 +123,7 @@ export function NetworkIsolatedApp(props: NetworkIsolatedAppProps): NetworkIsola
                 requests: { cpu: cpuRequest, memory: memoryRequest },
               },
               ...(env && { env }),
+              ...(securityContext && { securityContext }),
             },
           ],
         },

package/src/composites/node-agent.ts

@@ -5,6 +5,8 @@
  * security scanners) that need cluster-wide RBAC and tolerations.
  */
 
+import type { ContainerSecurityContext } from "./security-context";
+
 export interface NodeAgentProps {
   /** Agent name — used in metadata and labels. */
   name: string;
@@ -43,6 +45,8 @@ export interface NodeAgentProps {
   memoryLimit?: string;
   /** Environment variables for the container. */
   env?: Array<{ name: string; value: string }>;
+  /** Container security context (supports PSS restricted fields). */
+  securityContext?: ContainerSecurityContext;
 }
 
 export interface NodeAgentResult {
@@ -87,6 +91,7 @@ export function NodeAgent(props: NodeAgentProps): NodeAgentResult {
     memoryLimit = "128Mi",
     labels: extraLabels = {},
     env,
+    securityContext,
   } = props;
 
   const saName = `${name}-sa`;
@@ -139,6 +144,7 @@ export function NodeAgent(props: NodeAgentProps): NodeAgentResult {
     },
     ...(env && { env }),
     ...(volumeMounts.length > 0 && { volumeMounts }),
+    ...(securityContext && { securityContext }),
   };
 
   const podSpec: Record<string, unknown> = {

package/src/composites/security-context.ts

@@ -0,0 +1,10 @@
+/** Container-level security context — covers PSS restricted requirements. */
+export interface ContainerSecurityContext {
+  runAsNonRoot?: boolean;
+  readOnlyRootFilesystem?: boolean;
+  runAsUser?: number;
+  runAsGroup?: number;
+  allowPrivilegeEscalation?: boolean;
+  capabilities?: { add?: string[]; drop?: string[] };
+  seccompProfile?: { type: string; localhostProfile?: string };
+}

package/src/composites/sidecar-app.ts

@@ -5,6 +5,8 @@
  * DB migration init). Supports shared volumes between containers.
  */
 
+import type { ContainerSecurityContext } from "./security-context";
+
 export interface SidecarContainer {
   /** Sidecar container name. */
   name: string;
@@ -70,6 +72,8 @@ export interface SidecarAppProps {
   namespace?: string;
   /** Environment variables for the primary container. */
   env?: Array<{ name: string; value: string }>;
+  /** Container security context for the primary container (supports PSS restricted fields). */
+  securityContext?: ContainerSecurityContext;
 }
 
 export interface SidecarAppResult {
@@ -115,6 +119,7 @@ export function SidecarApp(props: SidecarAppProps): SidecarAppResult {
     memoryRequest = "128Mi",
     namespace,
     env,
+    securityContext,
   } = props;
 
   const commonLabels: Record<string, string> = {
@@ -133,6 +138,7 @@ export function SidecarApp(props: SidecarAppProps): SidecarAppResult {
       requests: { cpu: cpuRequest, memory: memoryRequest },
     },
     ...(env && { env }),
+    ...(securityContext && { securityContext }),
   };
 
   // Sidecar containers

package/src/composites/stateful-app.ts

@@ -5,6 +5,8 @@
  * like databases, caches, and message queues.
  */
 
+import type { ContainerSecurityContext } from "./security-context";
+
 export interface StatefulAppProps {
   /** Application name — used in metadata and labels. */
   name: string;
@@ -29,13 +31,8 @@ export interface StatefulAppProps {
     command?: string[];
     args?: string[];
   }>;
-  /** Pod security context. */
-  securityContext?: {
-    runAsNonRoot?: boolean;
-    readOnlyRootFilesystem?: boolean;
-    runAsUser?: number;
-    runAsGroup?: number;
-  };
+  /** Container security context (supports PSS restricted fields). */
+  securityContext?: ContainerSecurityContext;
   /** Termination grace period in seconds. */
   terminationGracePeriodSeconds?: number;
   /** Priority class name for pod scheduling. */

package/src/composites/web-app.ts

@@ -5,6 +5,8 @@
  * with common defaults (health probes, resource limits, labels).
  */
 
+import type { ContainerSecurityContext } from "./security-context";
+
 export interface WebAppProps {
   /** Application name — used in metadata and labels. */
   name: string;
@@ -34,13 +36,8 @@ export interface WebAppProps {
     command?: string[];
     args?: string[];
   }>;
-  /** Pod security context — safe defaults when enabled. */
-  securityContext?: {
-    runAsNonRoot?: boolean;
-    readOnlyRootFilesystem?: boolean;
-    runAsUser?: number;
-    runAsGroup?: number;
-  };
+  /** Container security context (supports PSS restricted fields). */
+  securityContext?: ContainerSecurityContext;
   /** Termination grace period in seconds. */
   terminationGracePeriodSeconds?: number;
   /** Priority class name for pod scheduling. */

package/src/composites/worker-pool.ts

@@ -5,6 +5,8 @@
  * that need RBAC for secrets/configmaps and optional autoscaling, but no Service.
  */
 
+import type { ContainerSecurityContext } from "./security-context";
+
 export interface WorkerPoolProps {
   /** Worker name — used in metadata and labels. */
   name: string;
@@ -32,13 +34,8 @@ export interface WorkerPoolProps {
   };
   /** PodDisruptionBudget minAvailable — if set, creates a PDB. */
   minAvailable?: number | string;
-  /** Pod security context. */
-  securityContext?: {
-    runAsNonRoot?: boolean;
-    readOnlyRootFilesystem?: boolean;
-    runAsUser?: number;
-    runAsGroup?: number;
-  };
+  /** Container security context (supports PSS restricted fields). */
+  securityContext?: ContainerSecurityContext;
   /** Termination grace period in seconds. */
   terminationGracePeriodSeconds?: number;
   /** Priority class name for pod scheduling. */

package/src/composites/workload-identity-sa.ts

@@ -0,0 +1,118 @@
+/**
+ * WorkloadIdentityServiceAccount composite — ServiceAccount + Workload Identity annotation + optional RBAC.
+ *
+ * @aks Creates a ServiceAccount with the `azure.workload.identity/client-id`
+ * annotation and `azure.workload.identity/use: "true"` label for AKS Workload Identity.
+ */
+
+export interface WorkloadIdentityServiceAccountProps {
+  /** ServiceAccount name — used in metadata and labels. */
+  name: string;
+  /** Azure AD application client ID for Workload Identity. */
+  clientId: string;
+  /** Optional RBAC rules — if provided, creates Role + RoleBinding. */
+  rbacRules?: Array<{
+    apiGroups: string[];
+    resources: string[];
+    verbs: string[];
+  }>;
+  /** Additional labels to apply to all resources. */
+  labels?: Record<string, string>;
+  /** Namespace for all resources. */
+  namespace?: string;
+}
+
+export interface WorkloadIdentityServiceAccountResult {
+  serviceAccount: Record<string, unknown>;
+  role?: Record<string, unknown>;
+  roleBinding?: Record<string, unknown>;
+}
+
+/**
+ * Create a WorkloadIdentityServiceAccount composite — returns prop objects for
+ * a ServiceAccount with AKS Workload Identity annotation, and optional Role + RoleBinding.
+ *
+ * @aks
+ * @example
+ * ```ts
+ * import { WorkloadIdentityServiceAccount } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { serviceAccount, role, roleBinding } = WorkloadIdentityServiceAccount({
+ *   name: "app-sa",
+ *   clientId: "00000000-0000-0000-0000-000000000000",
+ *   rbacRules: [
+ *     { apiGroups: [""], resources: ["secrets"], verbs: ["get"] },
+ *   ],
+ * });
+ * ```
+ */
+export function WorkloadIdentityServiceAccount(props: WorkloadIdentityServiceAccountProps): WorkloadIdentityServiceAccountResult {
+  const {
+    name,
+    clientId,
+    rbacRules,
+    labels: extraLabels = {},
+    namespace,
+  } = props;
+
+  const roleName = `${name}-role`;
+  const bindingName = `${name}-binding`;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const serviceAccountProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      ...(namespace && { namespace }),
+      labels: {
+        ...commonLabels,
+        "app.kubernetes.io/component": "service-account",
+        "azure.workload.identity/use": "true",
+      },
+      annotations: {
+        "azure.workload.identity/client-id": clientId,
+      },
+    },
+  };
+
+  const result: WorkloadIdentityServiceAccountResult = {
+    serviceAccount: serviceAccountProps,
+  };
+
+  if (rbacRules && rbacRules.length > 0) {
+    result.role = {
+      metadata: {
+        name: roleName,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+      },
+      rules: rbacRules,
+    };
+
+    result.roleBinding = {
+      metadata: {
+        name: bindingName,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+      },
+      roleRef: {
+        apiGroup: "rbac.authorization.k8s.io",
+        kind: "Role",
+        name: roleName,
+      },
+      subjects: [
+        {
+          kind: "ServiceAccount",
+          name,
+          ...(namespace && { namespace }),
+        },
+      ],
+    };
+  }
+
+  return result;
+}

package/src/composites/workload-identity-service-account.ts

@@ -0,0 +1,116 @@
+/**
+ * WorkloadIdentityServiceAccount composite — ServiceAccount + GKE Workload Identity annotation + optional RBAC.
+ *
+ * @gke Creates a ServiceAccount with the `iam.gke.io/gcp-service-account`
+ * annotation for GKE Workload Identity Federation.
+ */
+
+export interface WorkloadIdentityServiceAccountProps {
+  /** ServiceAccount name — used in metadata and labels. */
+  name: string;
+  /** GCP service account email for Workload Identity annotation. */
+  gcpServiceAccountEmail: string;
+  /** Optional RBAC rules — if provided, creates Role + RoleBinding. */
+  rbacRules?: Array<{
+    apiGroups: string[];
+    resources: string[];
+    verbs: string[];
+  }>;
+  /** Additional labels to apply to all resources. */
+  labels?: Record<string, string>;
+  /** Namespace for all resources. */
+  namespace?: string;
+}
+
+export interface WorkloadIdentityServiceAccountResult {
+  serviceAccount: Record<string, unknown>;
+  role?: Record<string, unknown>;
+  roleBinding?: Record<string, unknown>;
+}
+
+/**
+ * Create a WorkloadIdentityServiceAccount composite — returns prop objects for
+ * a ServiceAccount with GKE Workload Identity annotation, and optional Role + RoleBinding.
+ *
+ * @gke
+ * @example
+ * ```ts
+ * import { WorkloadIdentityServiceAccount } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { serviceAccount, role, roleBinding } = WorkloadIdentityServiceAccount({
+ *   name: "app-sa",
+ *   gcpServiceAccountEmail: "sa@my-project.iam.gserviceaccount.com",
+ *   rbacRules: [
+ *     { apiGroups: [""], resources: ["secrets"], verbs: ["get"] },
+ *   ],
+ * });
+ * ```
+ */
+export function WorkloadIdentityServiceAccount(
+  props: WorkloadIdentityServiceAccountProps,
+): WorkloadIdentityServiceAccountResult {
+  const {
+    name,
+    gcpServiceAccountEmail,
+    rbacRules,
+    labels: extraLabels = {},
+    namespace,
+  } = props;
+
+  const roleName = `${name}-role`;
+  const bindingName = `${name}-binding`;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const serviceAccountProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      ...(namespace && { namespace }),
+      labels: { ...commonLabels, "app.kubernetes.io/component": "service-account" },
+      annotations: {
+        "iam.gke.io/gcp-service-account": gcpServiceAccountEmail,
+      },
+    },
+  };
+
+  const result: WorkloadIdentityServiceAccountResult = {
+    serviceAccount: serviceAccountProps,
+  };
+
+  if (rbacRules && rbacRules.length > 0) {
+    result.role = {
+      metadata: {
+        name: roleName,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+      },
+      rules: rbacRules,
+    };
+
+    result.roleBinding = {
+      metadata: {
+        name: bindingName,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+      },
+      roleRef: {
+        apiGroup: "rbac.authorization.k8s.io",
+        kind: "Role",
+        name: roleName,
+      },
+      subjects: [
+        {
+          kind: "ServiceAccount",
+          name,
+          ...(namespace && { namespace }),
+        },
+      ],
+    };
+  }
+
+  return result;
+}

package/src/index.ts

@@ -20,7 +20,11 @@ export {
   WebApp, StatefulApp, CronWorkload, AutoscaledService, WorkerPool, NamespaceEnv, NodeAgent,
   BatchJob, SecureIngress, ConfiguredApp, SidecarApp, MonitoredService, NetworkIsolatedApp,
   IrsaServiceAccount, AlbIngress, EbsStorageClass, EfsStorageClass, FluentBitAgent, ExternalDnsAgent, AdotCollector,
-  MetricsServer,
+  MetricsServer, WorkloadIdentityServiceAccount, GcePdStorageClass, FilestoreStorageClass, GkeGateway, ConfigConnectorContext,
+  GceIngress,
+  AgicIngress, AzureDiskStorageClass, AzureFileStorageClass, AzureMonitorCollector,
+  AksWorkloadIdentityServiceAccount,
+  GkeFluentBitAgent, GkeOtelCollector, GkeExternalDnsAgent, AksExternalDnsAgent,
 } from "./composites/index";
 export type {
   WebAppProps, WebAppResult, StatefulAppProps, StatefulAppResult, CronWorkloadProps, CronWorkloadResult,
@@ -34,6 +38,21 @@ export type {
   FluentBitAgentProps, FluentBitAgentResult, ExternalDnsAgentProps, ExternalDnsAgentResult,
   AdotCollectorProps, AdotCollectorResult,
   MetricsServerProps, MetricsServerResult,
+  WorkloadIdentityServiceAccountProps, WorkloadIdentityServiceAccountResult,
+  GcePdStorageClassProps, GcePdStorageClassResult,
+  FilestoreStorageClassProps, FilestoreStorageClassResult,
+  GkeGatewayProps, GkeGatewayResult,
+  ConfigConnectorContextProps, ConfigConnectorContextResult,
+  GceIngressProps, GceIngressResult,
+  AgicIngressProps, AgicIngressResult,
+  AzureDiskStorageClassProps, AzureDiskStorageClassResult,
+  AzureFileStorageClassProps, AzureFileStorageClassResult,
+  AzureMonitorCollectorProps, AzureMonitorCollectorResult,
+  AksWorkloadIdentityServiceAccountProps, AksWorkloadIdentityServiceAccountResult,
+  GkeFluentBitAgentProps, GkeFluentBitAgentResult,
+  GkeOtelCollectorProps, GkeOtelCollectorResult,
+  GkeExternalDnsAgentProps, GkeExternalDnsAgentResult,
+  AksExternalDnsAgentProps, AksExternalDnsAgentResult,
 } from "./composites/index";
 
 // RBAC verb constants