@intentius/chant-lexicon-k8s 0.0.15 → 0.0.16

package/src/composites/gke-fluent-bit-agent.ts

@@ -0,0 +1,219 @@
+/**
+ * GkeFluentBitAgent composite — DaemonSet + RBAC + ConfigMap for Fluent Bit on GKE.
+ *
+ * @gke Like FluentBitAgent but targets Cloud Logging via the stackdriver
+ * output plugin and uses GKE Workload Identity instead of IRSA.
+ */
+
+export interface GkeFluentBitAgentProps {
+  /** GKE cluster name — used as log stream prefix. */
+  clusterName: string;
+  /** GCP project ID. */
+  projectId: string;
+  /** GCP service account email for Workload Identity. */
+  gcpServiceAccountEmail?: string;
+  /** Agent name (default: "fluent-bit"). */
+  name?: string;
+  /** Fluent Bit image (default: "fluent/fluent-bit:latest"). */
+  image?: string;
+  /** Namespace (default: "gke-logging"). */
+  namespace?: string;
+  /** Additional labels. */
+  labels?: Record<string, string>;
+  /** CPU request (default: "50m"). */
+  cpuRequest?: string;
+  /** Memory request (default: "64Mi"). */
+  memoryRequest?: string;
+  /** CPU limit (default: "200m"). */
+  cpuLimit?: string;
+  /** Memory limit (default: "128Mi"). */
+  memoryLimit?: string;
+}
+
+export interface GkeFluentBitAgentResult {
+  daemonSet: Record<string, unknown>;
+  serviceAccount: Record<string, unknown>;
+  clusterRole: Record<string, unknown>;
+  clusterRoleBinding: Record<string, unknown>;
+  configMap: Record<string, unknown>;
+}
+
+/**
+ * Create a GkeFluentBitAgent composite — returns prop objects for
+ * a DaemonSet, ServiceAccount, ClusterRole, ClusterRoleBinding, and ConfigMap.
+ *
+ * @gke
+ * @example
+ * ```ts
+ * import { GkeFluentBitAgent } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { daemonSet, serviceAccount, clusterRole, clusterRoleBinding, configMap } = GkeFluentBitAgent({
+ *   clusterName: "my-cluster",
+ *   projectId: "my-project",
+ *   gcpServiceAccountEmail: "fluent-bit@my-project.iam.gserviceaccount.com",
+ * });
+ * ```
+ */
+export function GkeFluentBitAgent(props: GkeFluentBitAgentProps): GkeFluentBitAgentResult {
+  const {
+    clusterName,
+    projectId,
+    gcpServiceAccountEmail,
+    name = "fluent-bit",
+    image = "fluent/fluent-bit:latest",
+    namespace = "gke-logging",
+    labels: extraLabels = {},
+    cpuRequest = "50m",
+    memoryRequest = "64Mi",
+    cpuLimit = "200m",
+    memoryLimit = "128Mi",
+  } = props;
+
+  const saName = `${name}-sa`;
+  const clusterRoleName = `${name}-role`;
+  const bindingName = `${name}-binding`;
+  const configMapName = `${name}-config`;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const fluentBitConfig = `[SERVICE]
+    Flush         5
+    Log_Level     info
+    Daemon        off
+    Parsers_File  parsers.conf
+
+[INPUT]
+    Name              tail
+    Tag               kube.*
+    Path              /var/log/containers/*.log
+    Parser            docker
+    DB                /var/fluent-bit/state/flb_container.db
+    Mem_Buf_Limit     5MB
+    Skip_Long_Lines   On
+    Refresh_Interval  10
+
+[FILTER]
+    Name                kubernetes
+    Match               kube.*
+    Kube_URL            https://kubernetes.default.svc:443
+    Kube_CA_File        /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+    Kube_Token_File     /var/run/secrets/kubernetes.io/serviceaccount/token
+    Merge_Log           On
+    K8S-Logging.Parser  On
+    K8S-Logging.Exclude Off
+
+[OUTPUT]
+    Name                stackdriver
+    Match               *
+    google_service_credentials /var/run/secrets/kubernetes.io/serviceaccount/token
+    resource            k8s_container
+    k8s_cluster_name    ${clusterName}
+    k8s_cluster_location ${projectId}
+`;
+
+  const container: Record<string, unknown> = {
+    name,
+    image,
+    resources: {
+      requests: { cpu: cpuRequest, memory: memoryRequest },
+      limits: { cpu: cpuLimit, memory: memoryLimit },
+    },
+    volumeMounts: [
+      { name: "varlog", mountPath: "/var/log", readOnly: true },
+      { name: "config", mountPath: `/etc/${name}`, readOnly: true },
+      { name: "state", mountPath: "/var/fluent-bit/state" },
+    ],
+    securityContext: {
+      runAsUser: 0,
+      readOnlyRootFilesystem: true,
+      allowPrivilegeEscalation: false,
+    },
+  };
+
+  const daemonSetProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      namespace,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "agent" },
+    },
+    spec: {
+      selector: { matchLabels: { "app.kubernetes.io/name": name } },
+      template: {
+        metadata: { labels: { "app.kubernetes.io/name": name, ...extraLabels } },
+        spec: {
+          serviceAccountName: saName,
+          containers: [container],
+          volumes: [
+            { name: "varlog", hostPath: { path: "/var/log" } },
+            { name: "config", configMap: { name: configMapName } },
+            { name: "state", hostPath: { path: `/var/fluent-bit/state/${name}` } },
+          ],
+          tolerations: [{ operator: "Exists" }],
+        },
+      },
+    },
+  };
+
+  const serviceAccountProps: Record<string, unknown> = {
+    metadata: {
+      name: saName,
+      namespace,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "agent" },
+      ...(gcpServiceAccountEmail
+        ? { annotations: { "iam.gke.io/gcp-service-account": gcpServiceAccountEmail } }
+        : {}),
+    },
+  };
+
+  const clusterRoleProps: Record<string, unknown> = {
+    metadata: {
+      name: clusterRoleName,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+    },
+    rules: [
+      { apiGroups: [""], resources: ["namespaces", "pods"], verbs: ["get", "list", "watch"] },
+    ],
+  };
+
+  const clusterRoleBindingProps: Record<string, unknown> = {
+    metadata: {
+      name: bindingName,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+    },
+    roleRef: {
+      apiGroup: "rbac.authorization.k8s.io",
+      kind: "ClusterRole",
+      name: clusterRoleName,
+    },
+    subjects: [
+      {
+        kind: "ServiceAccount",
+        name: saName,
+        namespace,
+      },
+    ],
+  };
+
+  const configMapProps: Record<string, unknown> = {
+    metadata: {
+      name: configMapName,
+      namespace,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "config" },
+    },
+    data: {
+      "fluent-bit.conf": fluentBitConfig,
+    },
+  };
+
+  return {
+    daemonSet: daemonSetProps,
+    serviceAccount: serviceAccountProps,
+    clusterRole: clusterRoleProps,
+    clusterRoleBinding: clusterRoleBindingProps,
+    configMap: configMapProps,
+  };
+}

package/src/composites/gke-otel-collector.ts

@@ -0,0 +1,229 @@
+/**
+ * GkeOtelCollector composite — DaemonSet + RBAC + ConfigMap for OpenTelemetry on GKE.
+ *
+ * @gke Like AdotCollector but targets Cloud Trace + Cloud Monitoring via the
+ * googlecloud exporter and uses GKE Workload Identity instead of IRSA.
+ */
+
+export interface GkeOtelCollectorProps {
+  /** GKE cluster name. */
+  clusterName: string;
+  /** GCP project ID. */
+  projectId: string;
+  /** GCP service account email for Workload Identity. */
+  gcpServiceAccountEmail?: string;
+  /** Agent name (default: "gke-otel-collector"). */
+  name?: string;
+  /** OTel Collector image (default: "otel/opentelemetry-collector-contrib:latest"). */
+  image?: string;
+  /** Namespace (default: "gke-monitoring"). */
+  namespace?: string;
+  /** Additional labels. */
+  labels?: Record<string, string>;
+  /** CPU request (default: "100m"). */
+  cpuRequest?: string;
+  /** Memory request (default: "256Mi"). */
+  memoryRequest?: string;
+  /** CPU limit (default: "500m"). */
+  cpuLimit?: string;
+  /** Memory limit (default: "512Mi"). */
+  memoryLimit?: string;
+}
+
+export interface GkeOtelCollectorResult {
+  daemonSet: Record<string, unknown>;
+  serviceAccount: Record<string, unknown>;
+  clusterRole: Record<string, unknown>;
+  clusterRoleBinding: Record<string, unknown>;
+  configMap: Record<string, unknown>;
+}
+
+/**
+ * Create a GkeOtelCollector composite — returns prop objects for
+ * a DaemonSet, ServiceAccount, ClusterRole, ClusterRoleBinding, and ConfigMap.
+ *
+ * @gke
+ * @example
+ * ```ts
+ * import { GkeOtelCollector } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { daemonSet, serviceAccount, clusterRole, clusterRoleBinding, configMap } = GkeOtelCollector({
+ *   clusterName: "my-cluster",
+ *   projectId: "my-project",
+ *   gcpServiceAccountEmail: "otel@my-project.iam.gserviceaccount.com",
+ * });
+ * ```
+ */
+export function GkeOtelCollector(props: GkeOtelCollectorProps): GkeOtelCollectorResult {
+  const {
+    clusterName,
+    projectId,
+    gcpServiceAccountEmail,
+    name = "gke-otel-collector",
+    image = "otel/opentelemetry-collector-contrib:latest",
+    namespace = "gke-monitoring",
+    labels: extraLabels = {},
+    cpuRequest = "100m",
+    memoryRequest = "256Mi",
+    cpuLimit = "500m",
+    memoryLimit = "512Mi",
+  } = props;
+
+  const saName = `${name}-sa`;
+  const clusterRoleName = `${name}-role`;
+  const bindingName = `${name}-binding`;
+  const configMapName = `${name}-config`;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const otelConfig = `receivers:
+  otlp:
+    protocols:
+      grpc:
+        endpoint: 0.0.0.0:4317
+      http:
+        endpoint: 0.0.0.0:4318
+
+processors:
+  batch:
+    timeout: 30s
+    send_batch_size: 8192
+  resourcedetection:
+    detectors: [gcp]
+    timeout: 10s
+
+exporters:
+  googlecloud:
+    project: ${projectId}
+    metric:
+      prefix: custom.googleapis.com/${clusterName}
+    trace:
+      attribute_mappings:
+        - key: service.name
+          replacement: g.co/r/service/name
+
+service:
+  pipelines:
+    metrics:
+      receivers: [otlp]
+      processors: [batch, resourcedetection]
+      exporters: [googlecloud]
+    traces:
+      receivers: [otlp]
+      processors: [batch, resourcedetection]
+      exporters: [googlecloud]
+`;
+
+  const container: Record<string, unknown> = {
+    name,
+    image,
+    args: ["--config=/etc/otel/config.yaml"],
+    ports: [
+      { containerPort: 4317, name: "otlp-grpc" },
+      { containerPort: 4318, name: "otlp-http" },
+    ],
+    resources: {
+      requests: { cpu: cpuRequest, memory: memoryRequest },
+      limits: { cpu: cpuLimit, memory: memoryLimit },
+    },
+    volumeMounts: [
+      { name: "config", mountPath: "/etc/otel", readOnly: true },
+    ],
+    securityContext: {
+      runAsNonRoot: true,
+      runAsUser: 10001,
+      readOnlyRootFilesystem: true,
+      allowPrivilegeEscalation: false,
+    },
+  };
+
+  const daemonSetProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      namespace,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "agent" },
+    },
+    spec: {
+      selector: { matchLabels: { "app.kubernetes.io/name": name } },
+      template: {
+        metadata: { labels: { "app.kubernetes.io/name": name, ...extraLabels } },
+        spec: {
+          serviceAccountName: saName,
+          containers: [container],
+          volumes: [
+            { name: "config", configMap: { name: configMapName } },
+          ],
+          tolerations: [{ operator: "Exists" }],
+        },
+      },
+    },
+  };
+
+  const serviceAccountProps: Record<string, unknown> = {
+    metadata: {
+      name: saName,
+      namespace,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "agent" },
+      ...(gcpServiceAccountEmail
+        ? { annotations: { "iam.gke.io/gcp-service-account": gcpServiceAccountEmail } }
+        : {}),
+    },
+  };
+
+  const clusterRoleProps: Record<string, unknown> = {
+    metadata: {
+      name: clusterRoleName,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+    },
+    rules: [
+      { apiGroups: [""], resources: ["pods", "nodes", "endpoints"], verbs: ["get", "list", "watch"] },
+      { apiGroups: ["apps"], resources: ["replicasets"], verbs: ["get", "list", "watch"] },
+      { apiGroups: ["batch"], resources: ["jobs"], verbs: ["get", "list", "watch"] },
+      { apiGroups: [""], resources: ["nodes/proxy"], verbs: ["get"] },
+      { apiGroups: [""], resources: ["nodes/stats", "configmaps", "events"], verbs: ["create", "get"] },
+      { apiGroups: [""], resources: ["configmaps"], verbs: ["get", "update", "create"], resourceNames: ["otel-container-insight-clusterleader"] },
+    ],
+  };
+
+  const clusterRoleBindingProps: Record<string, unknown> = {
+    metadata: {
+      name: bindingName,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
+    },
+    roleRef: {
+      apiGroup: "rbac.authorization.k8s.io",
+      kind: "ClusterRole",
+      name: clusterRoleName,
+    },
+    subjects: [
+      {
+        kind: "ServiceAccount",
+        name: saName,
+        namespace,
+      },
+    ],
+  };
+
+  const configMapProps: Record<string, unknown> = {
+    metadata: {
+      name: configMapName,
+      namespace,
+      labels: { ...commonLabels, "app.kubernetes.io/component": "config" },
+    },
+    data: {
+      "config.yaml": otelConfig,
+    },
+  };
+
+  return {
+    daemonSet: daemonSetProps,
+    serviceAccount: serviceAccountProps,
+    clusterRole: clusterRoleProps,
+    clusterRoleBinding: clusterRoleBindingProps,
+    configMap: configMapProps,
+  };
+}

package/src/composites/index.ts

@@ -51,6 +51,8 @@ export { GkeGateway } from "./gke-gateway";
 export type { GkeGatewayProps, GkeGatewayResult } from "./gke-gateway";
 export { ConfigConnectorContext } from "./config-connector-context";
 export type { ConfigConnectorContextProps, ConfigConnectorContextResult } from "./config-connector-context";
+export { GceIngress } from "./gce-ingress";
+export type { GceIngressProps, GceIngressResult } from "./gce-ingress";
 export { AgicIngress } from "./agic-ingress";
 export type { AgicIngressProps, AgicIngressResult } from "./agic-ingress";
 export { AzureDiskStorageClass } from "./azure-disk-storage-class";
@@ -59,3 +61,13 @@ export { AzureFileStorageClass } from "./azure-file-storage-class";
 export type { AzureFileStorageClassProps, AzureFileStorageClassResult } from "./azure-file-storage-class";
 export { AzureMonitorCollector } from "./azure-monitor-collector";
 export type { AzureMonitorCollectorProps, AzureMonitorCollectorResult } from "./azure-monitor-collector";
+export { WorkloadIdentityServiceAccount as AksWorkloadIdentityServiceAccount } from "./workload-identity-sa";
+export type { WorkloadIdentityServiceAccountProps as AksWorkloadIdentityServiceAccountProps, WorkloadIdentityServiceAccountResult as AksWorkloadIdentityServiceAccountResult } from "./workload-identity-sa";
+export { GkeFluentBitAgent } from "./gke-fluent-bit-agent";
+export type { GkeFluentBitAgentProps, GkeFluentBitAgentResult } from "./gke-fluent-bit-agent";
+export { GkeOtelCollector } from "./gke-otel-collector";
+export type { GkeOtelCollectorProps, GkeOtelCollectorResult } from "./gke-otel-collector";
+export { GkeExternalDnsAgent } from "./gke-external-dns-agent";
+export type { GkeExternalDnsAgentProps, GkeExternalDnsAgentResult } from "./gke-external-dns-agent";
+export { AksExternalDnsAgent } from "./aks-external-dns-agent";
+export type { AksExternalDnsAgentProps, AksExternalDnsAgentResult } from "./aks-external-dns-agent";

package/src/index.ts

@@ -21,6 +21,10 @@ export {
   BatchJob, SecureIngress, ConfiguredApp, SidecarApp, MonitoredService, NetworkIsolatedApp,
   IrsaServiceAccount, AlbIngress, EbsStorageClass, EfsStorageClass, FluentBitAgent, ExternalDnsAgent, AdotCollector,
   MetricsServer, WorkloadIdentityServiceAccount, GcePdStorageClass, FilestoreStorageClass, GkeGateway, ConfigConnectorContext,
+  GceIngress,
+  AgicIngress, AzureDiskStorageClass, AzureFileStorageClass, AzureMonitorCollector,
+  AksWorkloadIdentityServiceAccount,
+  GkeFluentBitAgent, GkeOtelCollector, GkeExternalDnsAgent, AksExternalDnsAgent,
 } from "./composites/index";
 export type {
   WebAppProps, WebAppResult, StatefulAppProps, StatefulAppResult, CronWorkloadProps, CronWorkloadResult,
@@ -39,6 +43,16 @@ export type {
   FilestoreStorageClassProps, FilestoreStorageClassResult,
   GkeGatewayProps, GkeGatewayResult,
   ConfigConnectorContextProps, ConfigConnectorContextResult,
+  GceIngressProps, GceIngressResult,
+  AgicIngressProps, AgicIngressResult,
+  AzureDiskStorageClassProps, AzureDiskStorageClassResult,
+  AzureFileStorageClassProps, AzureFileStorageClassResult,
+  AzureMonitorCollectorProps, AzureMonitorCollectorResult,
+  AksWorkloadIdentityServiceAccountProps, AksWorkloadIdentityServiceAccountResult,
+  GkeFluentBitAgentProps, GkeFluentBitAgentResult,
+  GkeOtelCollectorProps, GkeOtelCollectorResult,
+  GkeExternalDnsAgentProps, GkeExternalDnsAgentResult,
+  AksExternalDnsAgentProps, AksExternalDnsAgentResult,
 } from "./composites/index";
 
 // RBAC verb constants

package/src/lint/rules/latest-image-tag.ts

@@ -0,0 +1,121 @@
+import type { LintRule, LintDiagnostic, LintContext } from "@intentius/chant/lint/rule";
+import * as ts from "typescript";
+
+/**
+ * WK8002: Latest Image Tag
+ *
+ * Detects when a K8s workload resource uses the `:latest` image tag or no tag
+ * at all in a container image string literal. Untagged or `:latest` images are
+ * non-deterministic and can cause unexpected rollouts.
+ *
+ * Bad:  new Deployment({ spec: { template: { spec: { containers: [{ image: "nginx:latest" }] } } } })
+ * Bad:  new Deployment({ spec: { template: { spec: { containers: [{ image: "nginx" }] } } } })
+ * Good: new Deployment({ spec: { template: { spec: { containers: [{ image: "nginx:1.25" }] } } } })
+ */
+
+const WORKLOAD_KINDS = new Set([
+  "Deployment",
+  "StatefulSet",
+  "DaemonSet",
+  "CronJob",
+  "Job",
+  "ReplicaSet",
+  "Pod",
+]);
+
+/**
+ * Returns true if the string looks like a container image reference that is
+ * either untagged or using `:latest`.
+ *
+ * A string is considered a container image if it:
+ * - Contains at least one alphabetic character
+ * - Does not contain spaces
+ * - Is not a simple keyword like "true", "false", etc.
+ */
+function isProblematicImage(value: string): boolean {
+  if (!value || value.includes(" ") || value.length === 0) return false;
+
+  // Skip values that are clearly not images
+  const nonImagePatterns = [
+    /^(true|false|null|undefined|yes|no)$/i,
+    /^\d+$/, // pure numbers
+    /^[.\/]/, // relative/absolute paths without image-like structure
+  ];
+  for (const pat of nonImagePatterns) {
+    if (pat.test(value)) return false;
+  }
+
+  // Check for :latest explicitly
+  if (value.endsWith(":latest")) return true;
+
+  // Check for untagged image: no colon at all, but looks like an image name
+  // Images contain alphanumeric chars and may have / for registry prefix
+  // Must have at least one alpha char and match image naming conventions
+  if (!value.includes(":") && !value.includes("@") && /^[a-zA-Z0-9._\-\/]+$/.test(value) && /[a-zA-Z]/.test(value)) {
+    return true;
+  }
+
+  return false;
+}
+
+export const latestImageTagRule: LintRule = {
+  id: "WK8002",
+  severity: "warning",
+  category: "security",
+  description:
+    "Detects :latest or untagged container images — use explicit version tags for reproducibility",
+
+  check(context: LintContext): LintDiagnostic[] {
+    const { sourceFile } = context;
+    const diagnostics: LintDiagnostic[] = [];
+
+    function isInsideWorkloadConstructor(node: ts.Node): boolean {
+      let current: ts.Node | undefined = node.parent;
+      while (current) {
+        if (
+          ts.isNewExpression(current) &&
+          ts.isIdentifier(current.expression) &&
+          WORKLOAD_KINDS.has(current.expression.text)
+        ) {
+          return true;
+        }
+        current = current.parent;
+      }
+      return false;
+    }
+
+    function visit(node: ts.Node): void {
+      // Look for property assignments like `image: "nginx:latest"` or `image: "nginx"`
+      if (
+        ts.isPropertyAssignment(node) &&
+        ts.isIdentifier(node.name) &&
+        node.name.text === "image" &&
+        ts.isStringLiteral(node.initializer) &&
+        isInsideWorkloadConstructor(node)
+      ) {
+        const value = node.initializer.text;
+        if (isProblematicImage(value)) {
+          const { line, character } =
+            sourceFile.getLineAndCharacterOfPosition(
+              node.initializer.getStart(),
+            );
+          const isLatest = value.endsWith(":latest");
+          diagnostics.push({
+            file: sourceFile.fileName,
+            line: line + 1,
+            column: character + 1,
+            ruleId: "WK8002",
+            severity: "warning",
+            message: isLatest
+              ? `Container image "${value}" uses the :latest tag. Pin to a specific version for reproducibility.`
+              : `Container image "${value}" has no tag. Pin to a specific version for reproducibility.`,
+          });
+        }
+      }
+      ts.forEachChild(node, visit);
+    }
+
+    visit(sourceFile);
+    return diagnostics;
+  },
+};