@intentius/chant-lexicon-k8s 0.0.22 → 0.1.0
- package/dist/integrity.json +9 -4
- package/dist/manifest.json +1 -1
- package/dist/skills/chant-k8s-aks.md +146 -0
- package/{src/skills/kubernetes-patterns.md → dist/skills/chant-k8s-deployment-strategies.md} +1 -1
- package/dist/skills/chant-k8s-eks.md +156 -0
- package/dist/skills/chant-k8s-gke.md +246 -0
- package/{src/skills/kubernetes-security.md → dist/skills/chant-k8s-security.md} +1 -1
- package/dist/skills/chant-k8s.md +65 -2
- package/package.json +5 -4
- package/src/composites/adot-collector.ts +34 -22
- package/src/composites/agic-ingress.ts +14 -6
- package/src/composites/aks-external-dns-agent.ts +29 -18
- package/src/composites/alb-ingress.ts +14 -6
- package/src/composites/autoscaled-service.ts +25 -20
- package/src/composites/azure-disk-storage-class.ts +14 -6
- package/src/composites/azure-file-storage-class.ts +14 -6
- package/src/composites/azure-monitor-collector.ts +34 -22
- package/src/composites/batch-job.ts +25 -17
- package/src/composites/cockroachdb-cluster.ts +164 -58
- package/src/composites/composites.test.ts +371 -365
- package/src/composites/config-connector-context.ts +18 -11
- package/src/composites/configured-app.ts +21 -15
- package/src/composites/cron-workload.ts +25 -20
- package/src/composites/ebs-storage-class.ts +14 -6
- package/src/composites/efs-storage-class.ts +14 -6
- package/src/composites/external-dns-agent.ts +26 -20
- package/src/composites/filestore-storage-class.ts +14 -6
- package/src/composites/fluent-bit-agent.ts +30 -24
- package/src/composites/gce-ingress.ts +14 -6
- package/src/composites/gce-pd-storage-class.ts +14 -6
- package/src/composites/gke-external-dns-agent.ts +34 -21
- package/src/composites/gke-fluent-bit-agent.ts +34 -22
- package/src/composites/gke-gateway.ts +19 -12
- package/src/composites/gke-otel-collector.ts +34 -22
- package/src/composites/irsa-service-account.ts +22 -14
- package/src/composites/metrics-server.ts +41 -26
- package/src/composites/monitored-service.ts +26 -19
- package/src/composites/namespace-env.ts +26 -17
- package/src/composites/network-isolated-app.ts +21 -16
- package/src/composites/node-agent.ts +33 -22
- package/src/composites/secure-ingress.ts +19 -11
- package/src/composites/sidecar-app.ts +17 -12
- package/src/composites/stateful-app.ts +21 -12
- package/src/composites/web-app.ts +25 -21
- package/src/composites/worker-pool.ts +40 -26
- package/src/composites/workload-identity-sa.ts +22 -14
- package/src/composites/workload-identity-service-account.ts +22 -16
- package/src/plugin.ts +40 -614
- package/src/serializer.ts +7 -0
- package/src/skills/chant-k8s-deployment-strategies.md +183 -0
- package/src/skills/chant-k8s-gke.md +56 -1
- package/src/skills/chant-k8s-patterns.md +245 -0
- package/src/skills/chant-k8s-security.md +237 -0
- package/src/skills/chant-k8s.md +305 -0
|
@@ -5,6 +5,11 @@
|
|
|
5
5
|
* that need RBAC for secrets/configmaps and optional autoscaling, but no Service.
|
|
6
6
|
*/
|
|
7
7
|
|
|
8
|
+
import { Composite, mergeDefaults } from "@intentius/chant";
|
|
9
|
+
import {
|
|
10
|
+
Deployment, ServiceAccount, Role, RoleBinding,
|
|
11
|
+
ConfigMap, HorizontalPodAutoscaler, PodDisruptionBudget,
|
|
12
|
+
} from "../generated";
|
|
8
13
|
import type { ContainerSecurityContext } from "./security-context";
|
|
9
14
|
|
|
10
15
|
export interface WorkerPoolProps {
|
|
@@ -54,16 +59,26 @@ export interface WorkerPoolProps {
|
|
|
54
59
|
namespace?: string;
|
|
55
60
|
/** Environment variables for the container. */
|
|
56
61
|
env?: Array<{ name: string; value: string }>;
|
|
62
|
+
/** Per-member defaults for fine-grained overrides. */
|
|
63
|
+
defaults?: {
|
|
64
|
+
deployment?: Partial<Record<string, unknown>>;
|
|
65
|
+
serviceAccount?: Partial<Record<string, unknown>>;
|
|
66
|
+
role?: Partial<Record<string, unknown>>;
|
|
67
|
+
roleBinding?: Partial<Record<string, unknown>>;
|
|
68
|
+
configMap?: Partial<Record<string, unknown>>;
|
|
69
|
+
hpa?: Partial<Record<string, unknown>>;
|
|
70
|
+
pdb?: Partial<Record<string, unknown>>;
|
|
71
|
+
};
|
|
57
72
|
}
|
|
58
73
|
|
|
59
74
|
export interface WorkerPoolResult {
|
|
60
|
-
deployment:
|
|
61
|
-
serviceAccount?:
|
|
62
|
-
role?:
|
|
63
|
-
roleBinding?:
|
|
64
|
-
configMap?:
|
|
65
|
-
hpa?:
|
|
66
|
-
pdb?:
|
|
75
|
+
deployment: InstanceType<typeof Deployment>;
|
|
76
|
+
serviceAccount?: InstanceType<typeof ServiceAccount>;
|
|
77
|
+
role?: InstanceType<typeof Role>;
|
|
78
|
+
roleBinding?: InstanceType<typeof RoleBinding>;
|
|
79
|
+
configMap?: InstanceType<typeof ConfigMap>;
|
|
80
|
+
hpa?: InstanceType<typeof HorizontalPodAutoscaler>;
|
|
81
|
+
pdb?: InstanceType<typeof PodDisruptionBudget>;
|
|
67
82
|
}
|
|
68
83
|
|
|
69
84
|
/**
|
|
@@ -82,7 +97,7 @@ export interface WorkerPoolResult {
|
|
|
82
97
|
* });
|
|
83
98
|
* ```
|
|
84
99
|
*/
|
|
85
|
-
export
|
|
100
|
+
export const WorkerPool = Composite<WorkerPoolProps>((props) => {
|
|
86
101
|
const {
|
|
87
102
|
name,
|
|
88
103
|
image,
|
|
@@ -103,6 +118,7 @@ export function WorkerPool(props: WorkerPoolProps): WorkerPoolResult {
|
|
|
103
118
|
labels: extraLabels = {},
|
|
104
119
|
namespace,
|
|
105
120
|
env,
|
|
121
|
+
defaults: defs,
|
|
106
122
|
} = props;
|
|
107
123
|
|
|
108
124
|
const saName = `${name}-sa`;
|
|
@@ -147,7 +163,7 @@ export function WorkerPool(props: WorkerPoolProps): WorkerPoolResult {
|
|
|
147
163
|
...(priorityClassName && { priorityClassName }),
|
|
148
164
|
};
|
|
149
165
|
|
|
150
|
-
const
|
|
166
|
+
const deployment = new Deployment(mergeDefaults({
|
|
151
167
|
metadata: {
|
|
152
168
|
name,
|
|
153
169
|
...(namespace && { namespace }),
|
|
@@ -161,31 +177,29 @@ export function WorkerPool(props: WorkerPoolProps): WorkerPoolResult {
|
|
|
161
177
|
spec: podSpec,
|
|
162
178
|
},
|
|
163
179
|
},
|
|
164
|
-
};
|
|
180
|
+
}, defs?.deployment));
|
|
165
181
|
|
|
166
|
-
const result:
|
|
167
|
-
deployment: deploymentProps,
|
|
168
|
-
};
|
|
182
|
+
const result: Record<string, any> = { deployment };
|
|
169
183
|
|
|
170
184
|
if (createRbac) {
|
|
171
|
-
result.serviceAccount = {
|
|
185
|
+
result.serviceAccount = new ServiceAccount(mergeDefaults({
|
|
172
186
|
metadata: {
|
|
173
187
|
name: saName,
|
|
174
188
|
...(namespace && { namespace }),
|
|
175
189
|
labels: { ...commonLabels, "app.kubernetes.io/component": "worker" },
|
|
176
190
|
},
|
|
177
|
-
};
|
|
191
|
+
}, defs?.serviceAccount));
|
|
178
192
|
|
|
179
|
-
result.role = {
|
|
193
|
+
result.role = new Role(mergeDefaults({
|
|
180
194
|
metadata: {
|
|
181
195
|
name: roleName,
|
|
182
196
|
...(namespace && { namespace }),
|
|
183
197
|
labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
|
|
184
198
|
},
|
|
185
199
|
rules: effectiveRbacRules,
|
|
186
|
-
};
|
|
200
|
+
}, defs?.role));
|
|
187
201
|
|
|
188
|
-
result.roleBinding = {
|
|
202
|
+
result.roleBinding = new RoleBinding(mergeDefaults({
|
|
189
203
|
metadata: {
|
|
190
204
|
name: bindingName,
|
|
191
205
|
...(namespace && { namespace }),
|
|
@@ -203,22 +217,22 @@ export function WorkerPool(props: WorkerPoolProps): WorkerPoolResult {
|
|
|
203
217
|
...(namespace && { namespace }),
|
|
204
218
|
},
|
|
205
219
|
],
|
|
206
|
-
};
|
|
220
|
+
}, defs?.roleBinding));
|
|
207
221
|
}
|
|
208
222
|
|
|
209
223
|
if (config) {
|
|
210
|
-
result.configMap = {
|
|
224
|
+
result.configMap = new ConfigMap(mergeDefaults({
|
|
211
225
|
metadata: {
|
|
212
226
|
name: configMapName,
|
|
213
227
|
...(namespace && { namespace }),
|
|
214
228
|
labels: { ...commonLabels, "app.kubernetes.io/component": "config" },
|
|
215
229
|
},
|
|
216
230
|
data: config,
|
|
217
|
-
};
|
|
231
|
+
}, defs?.configMap));
|
|
218
232
|
}
|
|
219
233
|
|
|
220
234
|
if (minAvailable !== undefined) {
|
|
221
|
-
result.pdb = {
|
|
235
|
+
result.pdb = new PodDisruptionBudget(mergeDefaults({
|
|
222
236
|
metadata: {
|
|
223
237
|
name,
|
|
224
238
|
...(namespace && { namespace }),
|
|
@@ -228,12 +242,12 @@ export function WorkerPool(props: WorkerPoolProps): WorkerPoolResult {
|
|
|
228
242
|
minAvailable,
|
|
229
243
|
selector: { matchLabels: { "app.kubernetes.io/name": name } },
|
|
230
244
|
},
|
|
231
|
-
};
|
|
245
|
+
}, defs?.pdb));
|
|
232
246
|
}
|
|
233
247
|
|
|
234
248
|
if (autoscaling) {
|
|
235
249
|
const targetCPUPercent = autoscaling.targetCPUPercent ?? 70;
|
|
236
|
-
result.hpa = {
|
|
250
|
+
result.hpa = new HorizontalPodAutoscaler(mergeDefaults({
|
|
237
251
|
metadata: {
|
|
238
252
|
name,
|
|
239
253
|
...(namespace && { namespace }),
|
|
@@ -257,8 +271,8 @@ export function WorkerPool(props: WorkerPoolProps): WorkerPoolResult {
|
|
|
257
271
|
},
|
|
258
272
|
],
|
|
259
273
|
},
|
|
260
|
-
};
|
|
274
|
+
}, defs?.hpa));
|
|
261
275
|
}
|
|
262
276
|
|
|
263
277
|
return result;
|
|
264
|
-
}
|
|
278
|
+
}, "WorkerPool");
|
|
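Review bot: `const result: Record<string, any> = { deployment };` (new line 182) drops the `WorkerPoolResult` type that the interface above still declares, so the later assignments to `result.serviceAccount`, `result.role`, `result.pdb` and the returned object are no longer checked against it; `const result: WorkerPoolResult = { deployment };` type-checks as written, since every other member of the interface is optional. The same `Record<string, any>` replacement appears in the two WorkloadIdentityServiceAccount sections below (new lines 92 and 88). If `Composite` infers its return type from the callback, the `any` also leaks into the public type of `WorkerPool`, which this hunk does not let me confirm. The composite body starts at new line 100 in an earlier hunk of this file.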
@@ -5,6 +5,9 @@
|
|
|
5
5
|
* annotation and `azure.workload.identity/use: "true"` label for AKS Workload Identity.
|
|
6
6
|
*/
|
|
7
7
|
|
|
8
|
+
import { Composite, mergeDefaults } from "@intentius/chant";
|
|
9
|
+
import { ServiceAccount, Role, RoleBinding } from "../generated";
|
|
10
|
+
|
|
8
11
|
export interface WorkloadIdentityServiceAccountProps {
|
|
9
12
|
/** ServiceAccount name — used in metadata and labels. */
|
|
10
13
|
name: string;
|
|
@@ -20,12 +23,18 @@ export interface WorkloadIdentityServiceAccountProps {
|
|
|
20
23
|
labels?: Record<string, string>;
|
|
21
24
|
/** Namespace for all resources. */
|
|
22
25
|
namespace?: string;
|
|
26
|
+
/** Per-member defaults for fine-grained overrides. */
|
|
27
|
+
defaults?: {
|
|
28
|
+
serviceAccount?: Partial<Record<string, unknown>>;
|
|
29
|
+
role?: Partial<Record<string, unknown>>;
|
|
30
|
+
roleBinding?: Partial<Record<string, unknown>>;
|
|
31
|
+
};
|
|
23
32
|
}
|
|
24
33
|
|
|
25
34
|
export interface WorkloadIdentityServiceAccountResult {
|
|
26
|
-
serviceAccount:
|
|
27
|
-
role?:
|
|
28
|
-
roleBinding?:
|
|
35
|
+
serviceAccount: InstanceType<typeof ServiceAccount>;
|
|
36
|
+
role?: InstanceType<typeof Role>;
|
|
37
|
+
roleBinding?: InstanceType<typeof RoleBinding>;
|
|
29
38
|
}
|
|
30
39
|
|
|
31
40
|
/**
|
|
@@ -46,13 +55,14 @@ export interface WorkloadIdentityServiceAccountResult {
|
|
|
46
55
|
* });
|
|
47
56
|
* ```
|
|
48
57
|
*/
|
|
49
|
-
export
|
|
58
|
+
export const WorkloadIdentityServiceAccount = Composite<WorkloadIdentityServiceAccountProps>((props) => {
|
|
50
59
|
const {
|
|
51
60
|
name,
|
|
52
61
|
clientId,
|
|
53
62
|
rbacRules,
|
|
54
63
|
labels: extraLabels = {},
|
|
55
64
|
namespace,
|
|
65
|
+
defaults: defs,
|
|
56
66
|
} = props;
|
|
57
67
|
|
|
58
68
|
const roleName = `${name}-role`;
|
|
@@ -64,7 +74,7 @@ export function WorkloadIdentityServiceAccount(props: WorkloadIdentityServiceAcc
|
|
|
64
74
|
...extraLabels,
|
|
65
75
|
};
|
|
66
76
|
|
|
67
|
-
const
|
|
77
|
+
const serviceAccount = new ServiceAccount(mergeDefaults({
|
|
68
78
|
metadata: {
|
|
69
79
|
name,
|
|
70
80
|
...(namespace && { namespace }),
|
|
@@ -77,23 +87,21 @@ export function WorkloadIdentityServiceAccount(props: WorkloadIdentityServiceAcc
|
|
|
77
87
|
"azure.workload.identity/client-id": clientId,
|
|
78
88
|
},
|
|
79
89
|
},
|
|
80
|
-
};
|
|
90
|
+
}, defs?.serviceAccount));
|
|
81
91
|
|
|
82
|
-
const result:
|
|
83
|
-
serviceAccount: serviceAccountProps,
|
|
84
|
-
};
|
|
92
|
+
const result: Record<string, any> = { serviceAccount };
|
|
85
93
|
|
|
86
94
|
if (rbacRules && rbacRules.length > 0) {
|
|
87
|
-
result.role = {
|
|
95
|
+
result.role = new Role(mergeDefaults({
|
|
88
96
|
metadata: {
|
|
89
97
|
name: roleName,
|
|
90
98
|
...(namespace && { namespace }),
|
|
91
99
|
labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
|
|
92
100
|
},
|
|
93
101
|
rules: rbacRules,
|
|
94
|
-
};
|
|
102
|
+
}, defs?.role));
|
|
95
103
|
|
|
96
|
-
result.roleBinding = {
|
|
104
|
+
result.roleBinding = new RoleBinding(mergeDefaults({
|
|
97
105
|
metadata: {
|
|
98
106
|
name: bindingName,
|
|
99
107
|
...(namespace && { namespace }),
|
|
@@ -111,8 +119,8 @@ export function WorkloadIdentityServiceAccount(props: WorkloadIdentityServiceAcc
|
|
|
111
119
|
...(namespace && { namespace }),
|
|
112
120
|
},
|
|
113
121
|
],
|
|
114
|
-
};
|
|
122
|
+
}, defs?.roleBinding));
|
|
115
123
|
}
|
|
116
124
|
|
|
117
125
|
return result;
|
|
118
|
-
}
|
|
126
|
+
}, "WorkloadIdentityServiceAccount");
|
|
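Review bot: `new ServiceAccount(mergeDefaults({ … }, defs?.serviceAccount))` (new lines 77–90) merges a caller-supplied `Partial<Record<string, unknown>>` into the object that carries the `azure.workload.identity/client-id` annotation, and nothing in the hunk shows which argument `mergeDefaults` lets win; if the second one takes precedence, a `defaults.serviceAccount` containing `metadata.annotations` replaces the identity binding, and a `defaults.role` containing `rules` replaces the RBAC rules, with no type error because the override type accepts arbitrary keys. Please state the precedence on the `defaults` field, e.g. `/** Per-member defaults merged into each generated resource; keys here take precedence over (or are overridden by — confirm) the composite's own values, including identity annotations and RBAC rules. */`, and consider typing each member against the generated resource's props type instead of `Record<string, unknown>` so unknown keys are rejected at compile time. The same pattern is in the GKE variant below (`iam.gke.io/gcp-service-account`, new line 83) and in WorkerPool above, where `defaults.deployment` reaches the pod spec.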
@@ -5,6 +5,9 @@
|
|
|
5
5
|
* annotation for GKE Workload Identity Federation.
|
|
6
6
|
*/
|
|
7
7
|
|
|
8
|
+
import { Composite, mergeDefaults } from "@intentius/chant";
|
|
9
|
+
import { ServiceAccount, Role, RoleBinding } from "../generated";
|
|
10
|
+
|
|
8
11
|
export interface WorkloadIdentityServiceAccountProps {
|
|
9
12
|
/** ServiceAccount name — used in metadata and labels. */
|
|
10
13
|
name: string;
|
|
@@ -20,12 +23,18 @@ export interface WorkloadIdentityServiceAccountProps {
|
|
|
20
23
|
labels?: Record<string, string>;
|
|
21
24
|
/** Namespace for all resources. */
|
|
22
25
|
namespace?: string;
|
|
26
|
+
/** Per-member defaults for fine-grained overrides. */
|
|
27
|
+
defaults?: {
|
|
28
|
+
serviceAccount?: Partial<Record<string, unknown>>;
|
|
29
|
+
role?: Partial<Record<string, unknown>>;
|
|
30
|
+
roleBinding?: Partial<Record<string, unknown>>;
|
|
31
|
+
};
|
|
23
32
|
}
|
|
24
33
|
|
|
25
34
|
export interface WorkloadIdentityServiceAccountResult {
|
|
26
|
-
serviceAccount:
|
|
27
|
-
role?:
|
|
28
|
-
roleBinding?:
|
|
35
|
+
serviceAccount: InstanceType<typeof ServiceAccount>;
|
|
36
|
+
role?: InstanceType<typeof Role>;
|
|
37
|
+
roleBinding?: InstanceType<typeof RoleBinding>;
|
|
29
38
|
}
|
|
30
39
|
|
|
31
40
|
/**
|
|
@@ -46,15 +55,14 @@ export interface WorkloadIdentityServiceAccountResult {
|
|
|
46
55
|
* });
|
|
47
56
|
* ```
|
|
48
57
|
*/
|
|
49
|
-
export
|
|
50
|
-
props: WorkloadIdentityServiceAccountProps,
|
|
51
|
-
): WorkloadIdentityServiceAccountResult {
|
|
58
|
+
export const WorkloadIdentityServiceAccount = Composite<WorkloadIdentityServiceAccountProps>((props) => {
|
|
52
59
|
const {
|
|
53
60
|
name,
|
|
54
61
|
gcpServiceAccountEmail,
|
|
55
62
|
rbacRules,
|
|
56
63
|
labels: extraLabels = {},
|
|
57
64
|
namespace,
|
|
65
|
+
defaults: defs,
|
|
58
66
|
} = props;
|
|
59
67
|
|
|
60
68
|
const roleName = `${name}-role`;
|
|
@@ -66,7 +74,7 @@ export function WorkloadIdentityServiceAccount(
|
|
|
66
74
|
...extraLabels,
|
|
67
75
|
};
|
|
68
76
|
|
|
69
|
-
const
|
|
77
|
+
const serviceAccount = new ServiceAccount(mergeDefaults({
|
|
70
78
|
metadata: {
|
|
71
79
|
name,
|
|
72
80
|
...(namespace && { namespace }),
|
|
@@ -75,23 +83,21 @@ export function WorkloadIdentityServiceAccount(
|
|
|
75
83
|
"iam.gke.io/gcp-service-account": gcpServiceAccountEmail,
|
|
76
84
|
},
|
|
77
85
|
},
|
|
78
|
-
};
|
|
86
|
+
}, defs?.serviceAccount));
|
|
79
87
|
|
|
80
|
-
const result:
|
|
81
|
-
serviceAccount: serviceAccountProps,
|
|
82
|
-
};
|
|
88
|
+
const result: Record<string, any> = { serviceAccount };
|
|
83
89
|
|
|
84
90
|
if (rbacRules && rbacRules.length > 0) {
|
|
85
|
-
result.role = {
|
|
91
|
+
result.role = new Role(mergeDefaults({
|
|
86
92
|
metadata: {
|
|
87
93
|
name: roleName,
|
|
88
94
|
...(namespace && { namespace }),
|
|
89
95
|
labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
|
|
90
96
|
},
|
|
91
97
|
rules: rbacRules,
|
|
92
|
-
};
|
|
98
|
+
}, defs?.role));
|
|
93
99
|
|
|
94
|
-
result.roleBinding = {
|
|
100
|
+
result.roleBinding = new RoleBinding(mergeDefaults({
|
|
95
101
|
metadata: {
|
|
96
102
|
name: bindingName,
|
|
97
103
|
...(namespace && { namespace }),
|
|
@@ -109,8 +115,8 @@ export function WorkloadIdentityServiceAccount(
|
|
|
109
115
|
...(namespace && { namespace }),
|
|
110
116
|
},
|
|
111
117
|
],
|
|
112
|
-
};
|
|
118
|
+
}, defs?.roleBinding));
|
|
113
119
|
}
|
|
114
120
|
|
|
115
121
|
return result;
|
|
116
|
-
}
|
|
122
|
+
}, "WorkloadIdentityServiceAccount");
|