@intentius/chant-lexicon-k8s 0.0.15 → 0.0.16

package/dist/integrity.json

@@ -1,9 +1,11 @@
 {
   "algorithm": "xxhash64",
   "artifacts": {
-    "manifest.json": "490e9ca9417db298",
+    "manifest.json": "12a8a5033319b618",
     "meta.json": "1ce194f36f9b5f90",
     "types/index.d.ts": "beec4cc869064186",
+    "rules/missing-resource-limits.ts": "a6f776d2ff477948",
+    "rules/latest-image-tag.ts": "eb48e8d61e4ca84e",
     "rules/hardcoded-namespace.ts": "54b216c71018e101",
     "rules/wk8201.ts": "4dbbd20e21b5fa04",
     "rules/wk8204.ts": "9244d6fdd6d2f7d",
@@ -30,8 +32,7 @@
     "rules/k8s-helpers.ts": "53a6d3bfbedb2852",
     "rules/wk8207.ts": "6f2bc621d530afa2",
     "skills/chant-k8s.md": "c7db82c3ba37c78",
-    "skills/chant-k8s-eks.md": "f79f31f058c7f2ed",
     "skills/chant-k8s-patterns.md": "c5151ed799145c4b"
   },
-  "composite": "2a6c7f09f87d9a38"
+  "composite": "592308cdbd70d2ee"
 }

package/dist/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "k8s",
-  "version": "0.0.15",
+  "version": "0.0.16",
   "chantVersion": ">=0.1.0",
   "namespace": "K8s",
   "intrinsics": [],

package/dist/rules/latest-image-tag.ts

@@ -0,0 +1,121 @@
+import type { LintRule, LintDiagnostic, LintContext } from "@intentius/chant/lint/rule";
+import * as ts from "typescript";
+
+/**
+ * WK8002: Latest Image Tag
+ *
+ * Detects when a K8s workload resource uses the `:latest` image tag or no tag
+ * at all in a container image string literal. Untagged or `:latest` images are
+ * non-deterministic and can cause unexpected rollouts.
+ *
+ * Bad:  new Deployment({ spec: { template: { spec: { containers: [{ image: "nginx:latest" }] } } } })
+ * Bad:  new Deployment({ spec: { template: { spec: { containers: [{ image: "nginx" }] } } } })
+ * Good: new Deployment({ spec: { template: { spec: { containers: [{ image: "nginx:1.25" }] } } } })
+ */
+
+const WORKLOAD_KINDS = new Set([
+  "Deployment",
+  "StatefulSet",
+  "DaemonSet",
+  "CronJob",
+  "Job",
+  "ReplicaSet",
+  "Pod",
+]);
+
+/**
+ * Returns true if the string looks like a container image reference that is
+ * either untagged or using `:latest`.
+ *
+ * A string is considered a container image if it:
+ * - Contains at least one alphabetic character
+ * - Does not contain spaces
+ * - Is not a simple keyword like "true", "false", etc.
+ */
+function isProblematicImage(value: string): boolean {
+  if (!value || value.includes(" ") || value.length === 0) return false;
+
+  // Skip values that are clearly not images
+  const nonImagePatterns = [
+    /^(true|false|null|undefined|yes|no)$/i,
+    /^\d+$/, // pure numbers
+    /^[.\/]/, // relative/absolute paths without image-like structure
+  ];
+  for (const pat of nonImagePatterns) {
+    if (pat.test(value)) return false;
+  }
+
+  // Check for :latest explicitly
+  if (value.endsWith(":latest")) return true;
+
+  // Check for untagged image: no colon at all, but looks like an image name
+  // Images contain alphanumeric chars and may have / for registry prefix
+  // Must have at least one alpha char and match image naming conventions
+  if (!value.includes(":") && !value.includes("@") && /^[a-zA-Z0-9._\-\/]+$/.test(value) && /[a-zA-Z]/.test(value)) {
+    return true;
+  }
+
+  return false;
+}
+
+export const latestImageTagRule: LintRule = {
+  id: "WK8002",
+  severity: "warning",
+  category: "security",
+  description:
+    "Detects :latest or untagged container images — use explicit version tags for reproducibility",
+
+  check(context: LintContext): LintDiagnostic[] {
+    const { sourceFile } = context;
+    const diagnostics: LintDiagnostic[] = [];
+
+    function isInsideWorkloadConstructor(node: ts.Node): boolean {
+      let current: ts.Node | undefined = node.parent;
+      while (current) {
+        if (
+          ts.isNewExpression(current) &&
+          ts.isIdentifier(current.expression) &&
+          WORKLOAD_KINDS.has(current.expression.text)
+        ) {
+          return true;
+        }
+        current = current.parent;
+      }
+      return false;
+    }
+
+    function visit(node: ts.Node): void {
+      // Look for property assignments like `image: "nginx:latest"` or `image: "nginx"`
+      if (
+        ts.isPropertyAssignment(node) &&
+        ts.isIdentifier(node.name) &&
+        node.name.text === "image" &&
+        ts.isStringLiteral(node.initializer) &&
+        isInsideWorkloadConstructor(node)
+      ) {
+        const value = node.initializer.text;
+        if (isProblematicImage(value)) {
+          const { line, character } =
+            sourceFile.getLineAndCharacterOfPosition(
+              node.initializer.getStart(),
+            );
+          const isLatest = value.endsWith(":latest");
+          diagnostics.push({
+            file: sourceFile.fileName,
+            line: line + 1,
+            column: character + 1,
+            ruleId: "WK8002",
+            severity: "warning",
+            message: isLatest
+              ? `Container image "${value}" uses the :latest tag. Pin to a specific version for reproducibility.`
+              : `Container image "${value}" has no tag. Pin to a specific version for reproducibility.`,
+          });
+        }
+      }
+      ts.forEachChild(node, visit);
+    }
+
+    visit(sourceFile);
+    return diagnostics;
+  },
+};

package/dist/rules/missing-resource-limits.ts

@@ -0,0 +1,111 @@
+import type { LintRule, LintDiagnostic, LintContext } from "@intentius/chant/lint/rule";
+import * as ts from "typescript";
+
+/**
+ * WK8003: Missing Resource Limits
+ *
+ * Detects when a container in a Deployment/StatefulSet spec doesn't have
+ * resource limits or requests. Without resource limits, a container can
+ * consume unbounded cluster resources and cause noisy-neighbour issues.
+ *
+ * Bad:  new Deployment({ spec: { template: { spec: { containers: [{ name: "app", image: "app:1.0" }] } } } })
+ * Good: new Deployment({ spec: { template: { spec: { containers: [{ name: "app", image: "app:1.0", resources: { limits: { cpu: "500m", memory: "256Mi" } } }] } } } })
+ */
+
+const WORKLOAD_KINDS = new Set([
+  "Deployment",
+  "StatefulSet",
+  "DaemonSet",
+  "CronJob",
+  "Job",
+  "ReplicaSet",
+]);
+
+export const missingResourceLimitsRule: LintRule = {
+  id: "WK8003",
+  severity: "warning",
+  category: "correctness",
+  description:
+    "Detects containers without resource limits/requests — always set resource constraints",
+
+  check(context: LintContext): LintDiagnostic[] {
+    const { sourceFile } = context;
+    const diagnostics: LintDiagnostic[] = [];
+
+    function isInsideWorkloadConstructor(node: ts.Node): boolean {
+      let current: ts.Node | undefined = node.parent;
+      while (current) {
+        if (
+          ts.isNewExpression(current) &&
+          ts.isIdentifier(current.expression) &&
+          WORKLOAD_KINDS.has(current.expression.text)
+        ) {
+          return true;
+        }
+        current = current.parent;
+      }
+      return false;
+    }
+
+    function objectLiteralHasProperty(
+      obj: ts.ObjectLiteralExpression,
+      name: string,
+    ): boolean {
+      return obj.properties.some(
+        (p) =>
+          ts.isPropertyAssignment(p) &&
+          ts.isIdentifier(p.name) &&
+          p.name.text === name,
+      );
+    }
+
+    function visit(node: ts.Node): void {
+      // Look for object literals inside arrays that represent container specs.
+      // A container object literal typically has "name" and "image" properties.
+      // We flag it if it lacks a "resources" property.
+      if (
+        ts.isObjectLiteralExpression(node) &&
+        isInsideWorkloadConstructor(node)
+      ) {
+        const hasName = objectLiteralHasProperty(node, "name");
+        const hasImage = objectLiteralHasProperty(node, "image");
+        const hasResources = objectLiteralHasProperty(node, "resources");
+
+        if (hasName && hasImage && !hasResources) {
+          // Confirm we're inside an array literal (containers array)
+          if (node.parent && ts.isArrayLiteralExpression(node.parent)) {
+            const { line, character } =
+              sourceFile.getLineAndCharacterOfPosition(node.getStart());
+
+            // Try to extract the container name for a better message
+            let containerName = "unknown";
+            for (const prop of node.properties) {
+              if (
+                ts.isPropertyAssignment(prop) &&
+                ts.isIdentifier(prop.name) &&
+                prop.name.text === "name" &&
+                ts.isStringLiteral(prop.initializer)
+              ) {
+                containerName = prop.initializer.text;
+                break;
+              }
+            }
+
+            diagnostics.push({
+              file: sourceFile.fileName,
+              line: line + 1,
+              column: character + 1,
+              ruleId: "WK8003",
+              severity: "warning",
+              message: `Container "${containerName}" is missing resource limits/requests. Set resources.limits and resources.requests to prevent unbounded resource consumption.`,
+            });
+          }
+        }
+      }
+      ts.forEachChild(node, visit);
+    }
+
+    visit(sourceFile);
+    return diagnostics;
+  },
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@intentius/chant-lexicon-k8s",
-  "version": "0.0.15",
+  "version": "0.0.16",
   "license": "Apache-2.0",
   "type": "module",
   "files": [

package/src/composites/agic-ingress.ts

@@ -140,7 +140,6 @@ export function AgicIngress(props: AgicIngressProps): AgicIngressResult {
       annotations,
     },
     spec: {
-      ingressClassName: "azure/application-gateway",
       rules: ingressRules,
     },
   };

package/src/composites/aks-external-dns-agent.ts

@@ -0,0 +1,199 @@
+/**
+ * AksExternalDnsAgent composite — Deployment + ServiceAccount + ClusterRole + ClusterRoleBinding.
+ *
+ * @aks Like ExternalDnsAgent but uses --provider=azure and AKS Workload Identity
+ * instead of IRSA for Azure DNS management.
+ */
+
+export interface AksExternalDnsAgentProps {
+  /** Azure managed identity client ID for Workload Identity. */
+  clientId: string;
+  /** Azure resource group containing the DNS zone. */
+  resourceGroup: string;
+  /** Azure subscription ID. */
+  subscriptionId: string;
+  /** Azure tenant ID. */
+  tenantId: string;
+  /** Domain filters — only manage DNS records for these domains. */
+  domainFilters: string[];
+  /** TXT record owner ID for identifying managed records. */
+  txtOwnerId?: string;
+  /** Source of DNS records (default: "ingress"). */
+  source?: string;
+  /** Agent name (default: "external-dns"). */
+  name?: string;
+  /** Container image (default: "registry.k8s.io/external-dns/external-dns:v0.14.0"). */
+  image?: string;
+  /** Namespace (default: "kube-system"). */
+  namespace?: string;
+  /** Additional labels. */
+  labels?: Record<string, string>;
+}
+
+export interface AksExternalDnsAgentResult {
+  deployment: Record<string, unknown>;
+  serviceAccount: Record<string, unknown>;
+  clusterRole: Record<string, unknown>;
+  clusterRoleBinding: Record<string, unknown>;
+}
+
+/**
+ * Create an AksExternalDnsAgent composite — returns prop objects for
+ * a Deployment, ServiceAccount (with AKS Workload Identity), ClusterRole, and ClusterRoleBinding.
+ *
+ * @aks
+ * @example
+ * ```ts
+ * import { AksExternalDnsAgent } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { deployment, serviceAccount, clusterRole, clusterRoleBinding } = AksExternalDnsAgent({
+ *   clientId: "00000000-0000-0000-0000-000000000000",
+ *   resourceGroup: "my-rg",
+ *   subscriptionId: "00000000-0000-0000-0000-000000000000",
+ *   tenantId: "00000000-0000-0000-0000-000000000000",
+ *   domainFilters: ["example.com"],
+ *   txtOwnerId: "my-cluster",
+ * });
+ * ```
+ */
+export function AksExternalDnsAgent(props: AksExternalDnsAgentProps): AksExternalDnsAgentResult {
+  const {
+    clientId,
+    resourceGroup,
+    subscriptionId,
+    tenantId,
+    domainFilters,
+    txtOwnerId,
+    source = "ingress",
+    name = "external-dns",
+    image = "registry.k8s.io/external-dns/external-dns:v0.14.0",
+    namespace = "kube-system",
+    labels: extraLabels = {},
+  } = props;
+
+  const saName = `${name}-sa`;
+  const clusterRoleName = `${name}-role`;
+  const bindingName = `${name}-binding`;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const args: string[] = [
+    `--source=${source}`,
+    "--provider=azure",
+    `--azure-resource-group=${resourceGroup}`,
+    `--azure-subscription-id=${subscriptionId}`,
+    "--policy=upsert-only",
+    "--registry=txt",
+  ];
+
+  for (const domain of domainFilters) {
+    args.push(`--domain-filter=${domain}`);
+  }
+
+  if (txtOwnerId) {
+    args.push(`--txt-owner-id=${txtOwnerId}`);
+  }
+
+  const deploymentProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      namespace,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "dns" },
+    },
+    spec: {
+      replicas: 1,
+      selector: { matchLabels: { "app.kubernetes.io/name": name } },
+      template: {
+        metadata: {
+          labels: {
+            "app.kubernetes.io/name": name,
+            "azure.workload.identity/use": "true",
+            ...extraLabels,
+          },
+        },
+        spec: {
+          serviceAccountName: saName,
+          containers: [
+            {
+              name,
+              image,
+              args,
+              env: [
+                { name: "AZURE_TENANT_ID", value: tenantId },
+                { name: "AZURE_SUBSCRIPTION_ID", value: subscriptionId },
+                { name: "AZURE_RESOURCE_GROUP", value: resourceGroup },
+              ],
+              resources: {
+                requests: { cpu: "50m", memory: "64Mi" },
+                limits: { cpu: "100m", memory: "128Mi" },
+              },
+              securityContext: {
+                runAsNonRoot: true,
+                runAsUser: 65534,
+                readOnlyRootFilesystem: true,
+                allowPrivilegeEscalation: false,
+              },
+            },
+          ],
+        },
+      },
+    },
+  };
+
+  const serviceAccountProps: Record<string, unknown> = {
+    metadata: {
+      name: saName,
+      namespace,
+      labels: {
+        ...commonLabels,
+        "app.kubernetes.io/component": "dns",
+        "azure.workload.identity/use": "true",
+      },
+      annotations: {
+        "azure.workload.identity/client-id": clientId,
+      },
+    },
+  };
+
+  const clusterRoleProps: Record<string, unknown> = {
+    metadata: {
+      name: clusterRoleName,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+    },
+    rules: [
+      { apiGroups: [""], resources: ["services", "endpoints", "pods"], verbs: ["get", "watch", "list"] },
+      { apiGroups: ["extensions", "networking.k8s.io"], resources: ["ingresses"], verbs: ["get", "watch", "list"] },
+      { apiGroups: [""], resources: ["nodes"], verbs: ["list", "watch"] },
+    ],
+  };
+
+  const clusterRoleBindingProps: Record<string, unknown> = {
+    metadata: {
+      name: bindingName,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+    },
+    roleRef: {
+      apiGroup: "rbac.authorization.k8s.io",
+      kind: "ClusterRole",
+      name: clusterRoleName,
+    },
+    subjects: [
+      {
+        kind: "ServiceAccount",
+        name: saName,
+        namespace,
+      },
+    ],
+  };
+
+  return {
+    deployment: deploymentProps,
+    serviceAccount: serviceAccountProps,
+    clusterRole: clusterRoleProps,
+    clusterRoleBinding: clusterRoleBindingProps,
+  };
+}

package/src/composites/azure-monitor-collector.ts

@@ -12,7 +12,7 @@ export interface AzureMonitorCollectorProps {
   clusterName: string;
   /** Agent name (default: "azure-monitor-collector"). */
   name?: string;
-  /** Collector image (default: "mcr.microsoft.com/azuremonitor/containerinsights/ciprod:latest"). */
+  /** Collector image (default: "mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.35"). */
   image?: string;
   /** Namespace (default: "azure-monitor"). */
   namespace?: string;
@@ -58,7 +58,7 @@ export function AzureMonitorCollector(props: AzureMonitorCollectorProps): AzureM
     workspaceId,
     clusterName,
     name = "azure-monitor-collector",
-    image = "mcr.microsoft.com/azuremonitor/containerinsights/ciprod:latest",
+    image = "mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.35",
     namespace = "azure-monitor",
     labels: extraLabels = {},
     cpuRequest = "100m",