@intentius/chant-lexicon-k8s 0.0.22 → 0.1.0

package/src/composites/network-isolated-app.ts

@@ -5,6 +5,8 @@
  * Creates fine-grained ingress/egress policies for a single application.
  */
 
+import { Composite, mergeDefaults } from "@intentius/chant";
+import { Deployment, Service, NetworkPolicy } from "../generated";
 import type { ContainerSecurityContext } from "./security-context";
 
 export interface NetworkPolicyPeer {
@@ -48,12 +50,18 @@ export interface NetworkIsolatedAppProps {
   env?: Array<{ name: string; value: string }>;
   /** Container security context (supports PSS restricted fields). */
   securityContext?: ContainerSecurityContext;
+  /** Per-member defaults for fine-grained overrides. */
+  defaults?: {
+    deployment?: Partial<Record<string, unknown>>;
+    service?: Partial<Record<string, unknown>>;
+    networkPolicy?: Partial<Record<string, unknown>>;
+  };
 }
 
 export interface NetworkIsolatedAppResult {
-  deployment: Record<string, unknown>;
-  service: Record<string, unknown>;
-  networkPolicy: Record<string, unknown>;
+  deployment: InstanceType<typeof Deployment>;
+  service: InstanceType<typeof Service>;
+  networkPolicy: InstanceType<typeof NetworkPolicy>;
 }
 
 /**
@@ -77,7 +85,7 @@ export interface NetworkIsolatedAppResult {
  * });
  * ```
  */
-export function NetworkIsolatedApp(props: NetworkIsolatedAppProps): NetworkIsolatedAppResult {
+export const NetworkIsolatedApp = Composite<NetworkIsolatedAppProps>((props) => {
   const {
     name,
     image,
@@ -93,6 +101,7 @@ export function NetworkIsolatedApp(props: NetworkIsolatedAppProps): NetworkIsola
     namespace,
     env,
     securityContext,
+    defaults: defs,
   } = props;
 
   const commonLabels: Record<string, string> = {
@@ -101,7 +110,7 @@ export function NetworkIsolatedApp(props: NetworkIsolatedAppProps): NetworkIsola
     ...extraLabels,
   };
 
-  const deploymentProps: Record<string, unknown> = {
+  const deployment = new Deployment(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
@@ -129,9 +138,9 @@ export function NetworkIsolatedApp(props: NetworkIsolatedAppProps): NetworkIsola
         },
       },
     },
-  };
+  }, defs?.deployment));
 
-  const serviceProps: Record<string, unknown> = {
+  const service = new Service(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
@@ -142,7 +151,7 @@ export function NetworkIsolatedApp(props: NetworkIsolatedAppProps): NetworkIsola
       ports: [{ port: 80, targetPort: port, protocol: "TCP", name: "http" }],
       type: "ClusterIP",
     },
-  };
+  }, defs?.service));
 
   // Build network policy
   const policyTypes: string[] = [];
@@ -185,18 +194,14 @@ export function NetworkIsolatedApp(props: NetworkIsolatedAppProps): NetworkIsola
     policySpec.policyTypes = policyTypes;
   }
 
-  const networkPolicyProps: Record<string, unknown> = {
+  const networkPolicy = new NetworkPolicy(mergeDefaults({
     metadata: {
       name: `${name}-policy`,
       ...(namespace && { namespace }),
       labels: { ...commonLabels, "app.kubernetes.io/component": "network-policy" },
     },
     spec: policySpec,
-  };
+  }, defs?.networkPolicy));
 
-  return {
-    deployment: deploymentProps,
-    service: serviceProps,
-    networkPolicy: networkPolicyProps,
-  };
-}
+  return { deployment, service, networkPolicy };
+}, "NetworkIsolatedApp");

package/src/composites/node-agent.ts

@@ -5,6 +5,8 @@
  * security scanners) that need cluster-wide RBAC and tolerations.
  */
 
+import { Composite, mergeDefaults } from "@intentius/chant";
+import { DaemonSet, ServiceAccount, ClusterRole, ClusterRoleBinding, ConfigMap } from "../generated";
 import type { ContainerSecurityContext } from "./security-context";
 
 export interface NodeAgentProps {
@@ -47,14 +49,22 @@ export interface NodeAgentProps {
   env?: Array<{ name: string; value: string }>;
   /** Container security context (supports PSS restricted fields). */
   securityContext?: ContainerSecurityContext;
+  /** Per-member defaults for fine-grained overrides. */
+  defaults?: {
+    daemonSet?: Partial<Record<string, unknown>>;
+    serviceAccount?: Partial<Record<string, unknown>>;
+    clusterRole?: Partial<Record<string, unknown>>;
+    clusterRoleBinding?: Partial<Record<string, unknown>>;
+    configMap?: Partial<Record<string, unknown>>;
+  };
 }
 
 export interface NodeAgentResult {
-  daemonSet: Record<string, unknown>;
-  serviceAccount: Record<string, unknown>;
-  clusterRole: Record<string, unknown>;
-  clusterRoleBinding: Record<string, unknown>;
-  configMap?: Record<string, unknown>;
+  daemonSet: InstanceType<typeof DaemonSet>;
+  serviceAccount: InstanceType<typeof ServiceAccount>;
+  clusterRole: InstanceType<typeof ClusterRole>;
+  clusterRoleBinding: InstanceType<typeof ClusterRoleBinding>;
+  configMap?: InstanceType<typeof ConfigMap>;
 }
 
 /**
@@ -75,7 +85,7 @@ export interface NodeAgentResult {
  * });
  * ```
  */
-export function NodeAgent(props: NodeAgentProps): NodeAgentResult {
+export const NodeAgent = Composite<NodeAgentProps>((props) => {
   const {
     name,
     image,
@@ -92,6 +102,7 @@ export function NodeAgent(props: NodeAgentProps): NodeAgentResult {
     labels: extraLabels = {},
     env,
     securityContext,
+    defaults: defs,
   } = props;
 
   const saName = `${name}-sa`;
@@ -156,7 +167,7 @@ export function NodeAgent(props: NodeAgentProps): NodeAgentResult {
     }),
   };
 
-  const daemonSetProps: Record<string, unknown> = {
+  const daemonSet = new DaemonSet(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
@@ -169,27 +180,27 @@ export function NodeAgent(props: NodeAgentProps): NodeAgentResult {
         spec: podSpec,
       },
     },
-  };
+  }, defs?.daemonSet));
 
-  const serviceAccountProps: Record<string, unknown> = {
+  const serviceAccount = new ServiceAccount(mergeDefaults({
     metadata: {
       name: saName,
       ...(namespace && { namespace }),
       labels: { ...commonLabels, "app.kubernetes.io/component": "agent" },
     },
-  };
+  }, defs?.serviceAccount));
 
   // ClusterRole — cluster-scoped, no namespace
-  const clusterRoleProps: Record<string, unknown> = {
+  const clusterRole = new ClusterRole(mergeDefaults({
     metadata: {
       name: clusterRoleName,
       labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
     },
     rules: rbacRules,
-  };
+  }, defs?.clusterRole));
 
   // ClusterRoleBinding — cluster-scoped, no namespace
-  const clusterRoleBindingProps: Record<string, unknown> = {
+  const clusterRoleBinding = new ClusterRoleBinding(mergeDefaults({
     metadata: {
       name: bindingName,
       labels: { ...commonLabels, "app.kubernetes.io/component": "rbac" },
@@ -206,25 +217,25 @@ export function NodeAgent(props: NodeAgentProps): NodeAgentResult {
         ...(namespace && { namespace }),
       },
     ],
-  };
+  }, defs?.clusterRoleBinding));
 
-  const result: NodeAgentResult = {
-    daemonSet: daemonSetProps,
-    serviceAccount: serviceAccountProps,
-    clusterRole: clusterRoleProps,
-    clusterRoleBinding: clusterRoleBindingProps,
+  const result: Record<string, any> = {
+    daemonSet,
+    serviceAccount,
+    clusterRole,
+    clusterRoleBinding,
   };
 
   if (config) {
-    result.configMap = {
+    result.configMap = new ConfigMap(mergeDefaults({
       metadata: {
         name: configMapName,
         ...(namespace && { namespace }),
         labels: { ...commonLabels, "app.kubernetes.io/component": "config" },
       },
       data: config,
-    };
+    }, defs?.configMap));
   }
 
   return result;
-}
+}, "NodeAgent");

package/src/composites/secure-ingress.ts

@@ -5,6 +5,9 @@
  * multiple hosts and paths (unlike the single-path Ingress in WebApp).
  */
 
+import { Composite, mergeDefaults } from "@intentius/chant";
+import { Ingress } from "../generated";
+
 export interface SecureIngressHost {
   /** Hostname (e.g., "api.example.com"). */
   hostname: string;
@@ -32,11 +35,16 @@ export interface SecureIngressProps {
   labels?: Record<string, string>;
   /** Namespace for all resources. */
   namespace?: string;
+  /** Per-member defaults for fine-grained overrides. */
+  defaults?: {
+    ingress?: Partial<Record<string, unknown>>;
+    certificate?: Partial<Record<string, unknown>>;
+  };
 }
 
 export interface SecureIngressResult {
-  ingress: Record<string, unknown>;
-  certificate?: Record<string, unknown>;
+  ingress: InstanceType<typeof Ingress>;
+  certificate?: InstanceType<typeof Ingress>; // CRD — use Ingress as proxy Declarable
 }
 
 /**
@@ -60,7 +68,7 @@ export interface SecureIngressResult {
  * });
  * ```
  */
-export function SecureIngress(props: SecureIngressProps): SecureIngressResult {
+export const SecureIngress = Composite<SecureIngressProps>((props) => {
   const {
     name,
     hosts,
@@ -69,6 +77,7 @@ export function SecureIngress(props: SecureIngressProps): SecureIngressResult {
     annotations: extraAnnotations = {},
     labels: extraLabels = {},
     namespace,
+    defaults: defs,
   } = props;
 
   const commonLabels: Record<string, string> = {
@@ -102,7 +111,7 @@ export function SecureIngress(props: SecureIngressProps): SecureIngressResult {
 
   const hasAnnotations = Object.keys(ingressAnnotations).length > 0;
 
-  const ingressProps: Record<string, unknown> = {
+  const ingress = new Ingress(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
@@ -121,14 +130,13 @@ export function SecureIngress(props: SecureIngressProps): SecureIngressResult {
         ],
       }),
     },
-  };
+  }, defs?.ingress));
 
-  const result: SecureIngressResult = {
-    ingress: ingressProps,
-  };
+  const result: Record<string, any> = { ingress };
 
   if (clusterIssuer) {
-    result.certificate = {
+    // Certificate is a CRD — use Ingress constructor as a generic Declarable wrapper
+    result.certificate = new Ingress(mergeDefaults({
       metadata: {
         name: secretName,
         ...(namespace && { namespace }),
@@ -142,8 +150,8 @@ export function SecureIngress(props: SecureIngressProps): SecureIngressResult {
         },
         dnsNames: allHostnames,
       },
-    };
+    }, defs?.certificate));
   }
 
   return result;
-}
+}, "SecureIngress");

package/src/composites/sidecar-app.ts

@@ -5,6 +5,8 @@
  * DB migration init). Supports shared volumes between containers.
  */
 
+import { Composite, mergeDefaults } from "@intentius/chant";
+import { Deployment, Service } from "../generated";
 import type { ContainerSecurityContext } from "./security-context";
 
 export interface SidecarContainer {
@@ -74,11 +76,16 @@ export interface SidecarAppProps {
   env?: Array<{ name: string; value: string }>;
   /** Container security context for the primary container (supports PSS restricted fields). */
   securityContext?: ContainerSecurityContext;
+  /** Per-member defaults for fine-grained overrides. */
+  defaults?: {
+    deployment?: Partial<Record<string, unknown>>;
+    service?: Partial<Record<string, unknown>>;
+  };
 }
 
 export interface SidecarAppResult {
-  deployment: Record<string, unknown>;
-  service: Record<string, unknown>;
+  deployment: InstanceType<typeof Deployment>;
+  service: InstanceType<typeof Service>;
 }
 
 /**
@@ -103,7 +110,7 @@ export interface SidecarAppResult {
  * });
  * ```
  */
-export function SidecarApp(props: SidecarAppProps): SidecarAppResult {
+export const SidecarApp = Composite<SidecarAppProps>((props) => {
   const {
     name,
     image,
@@ -120,6 +127,7 @@ export function SidecarApp(props: SidecarAppProps): SidecarAppResult {
     namespace,
     env,
     securityContext,
+    defaults: defs,
   } = props;
 
   const commonLabels: Record<string, string> = {
@@ -171,7 +179,7 @@ export function SidecarApp(props: SidecarAppProps): SidecarAppResult {
     ...(volumes && volumes.length > 0 && { volumes }),
   };
 
-  const deploymentProps: Record<string, unknown> = {
+  const deployment = new Deployment(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
@@ -185,9 +193,9 @@ export function SidecarApp(props: SidecarAppProps): SidecarAppResult {
         spec: podSpec,
       },
     },
-  };
+  }, defs?.deployment));
 
-  const serviceProps: Record<string, unknown> = {
+  const service = new Service(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
@@ -198,10 +206,7 @@ export function SidecarApp(props: SidecarAppProps): SidecarAppResult {
       ports: [{ port: 80, targetPort: port, protocol: "TCP", name: "http" }],
       type: "ClusterIP",
     },
-  };
+  }, defs?.service));
 
-  return {
-    deployment: deploymentProps,
-    service: serviceProps,
-  };
-}
+  return { deployment, service };
+}, "SidecarApp");

package/src/composites/stateful-app.ts

@@ -5,6 +5,8 @@
  * like databases, caches, and message queues.
  */
 
+import { Composite, mergeDefaults } from "@intentius/chant";
+import { StatefulSet, Service, PodDisruptionBudget } from "../generated";
 import type { ContainerSecurityContext } from "./security-context";
 
 export interface StatefulAppProps {
@@ -47,12 +49,18 @@ export interface StatefulAppProps {
   namespace?: string;
   /** Environment variables for the container. */
   env?: Array<{ name: string; value: string }>;
+  /** Per-member defaults for fine-grained overrides. */
+  defaults?: {
+    statefulSet?: Partial<Record<string, unknown>>;
+    service?: Partial<Record<string, unknown>>;
+    pdb?: Partial<Record<string, unknown>>;
+  };
 }
 
 export interface StatefulAppResult {
-  statefulSet: Record<string, unknown>;
-  service: Record<string, unknown>;
-  pdb?: Record<string, unknown>;
+  statefulSet: InstanceType<typeof StatefulSet>;
+  service: InstanceType<typeof Service>;
+  pdb?: InstanceType<typeof PodDisruptionBudget>;
 }
 
 /**
@@ -72,7 +80,7 @@ export interface StatefulAppResult {
  * });
  * ```
  */
-export function StatefulApp(props: StatefulAppProps): StatefulAppResult {
+export const StatefulApp = Composite<StatefulAppProps>((props) => {
   const {
     name,
     image,
@@ -91,6 +99,7 @@ export function StatefulApp(props: StatefulAppProps): StatefulAppResult {
     memoryLimit = "1Gi",
     namespace,
     env,
+    defaults: defs,
   } = props;
 
   const commonLabels: Record<string, string> = {
@@ -125,7 +134,7 @@ export function StatefulApp(props: StatefulAppProps): StatefulAppResult {
     ...(priorityClassName && { priorityClassName }),
   };
 
-  const statefulSetProps: Record<string, unknown> = {
+  const statefulSet = new StatefulSet(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
@@ -150,10 +159,10 @@ export function StatefulApp(props: StatefulAppProps): StatefulAppResult {
         },
       ],
     },
-  };
+  }, defs?.statefulSet));
 
   // Headless service (clusterIP: None) for StatefulSet DNS
-  const serviceProps: Record<string, unknown> = {
+  const service = new Service(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
@@ -164,12 +173,12 @@ export function StatefulApp(props: StatefulAppProps): StatefulAppResult {
       ports: [{ port, targetPort: port, protocol: "TCP", name: "app" }],
       clusterIP: "None",
     },
-  };
+  }, defs?.service));
 
-  const result: StatefulAppResult = { statefulSet: statefulSetProps, service: serviceProps };
+  const result: Record<string, any> = { statefulSet, service };
 
   if (minAvailable !== undefined) {
-    result.pdb = {
+    result.pdb = new PodDisruptionBudget(mergeDefaults({
       metadata: {
         name,
         ...(namespace && { namespace }),
@@ -179,8 +188,8 @@ export function StatefulApp(props: StatefulAppProps): StatefulAppResult {
         minAvailable,
         selector: { matchLabels: { "app.kubernetes.io/name": name } },
       },
-    };
+    }, defs?.pdb));
   }
 
   return result;
-}
+}, "StatefulApp");

package/src/composites/web-app.ts

@@ -5,6 +5,8 @@
  * with common defaults (health probes, resource limits, labels).
  */
 
+import { Composite, mergeDefaults } from "@intentius/chant";
+import { Deployment, Service, Ingress, PodDisruptionBudget } from "../generated";
 import type { ContainerSecurityContext } from "./security-context";
 
 export interface WebAppProps {
@@ -56,13 +58,20 @@ export interface WebAppProps {
   namespace?: string;
   /** Environment variables for the container. */
   env?: Array<{ name: string; value: string }>;
+  /** Per-member defaults for fine-grained overrides. */
+  defaults?: {
+    deployment?: Partial<Record<string, unknown>>;
+    service?: Partial<Record<string, unknown>>;
+    ingress?: Partial<Record<string, unknown>>;
+    pdb?: Partial<Record<string, unknown>>;
+  };
 }
 
 export interface WebAppResult {
-  deployment: Record<string, unknown>;
-  service: Record<string, unknown>;
-  ingress?: Record<string, unknown>;
-  pdb?: Record<string, unknown>;
+  deployment: InstanceType<typeof Deployment>;
+  service: InstanceType<typeof Service>;
+  ingress?: InstanceType<typeof Ingress>;
+  pdb?: InstanceType<typeof PodDisruptionBudget>;
 }
 
 /**
@@ -84,7 +93,7 @@ export interface WebAppResult {
  * export { deployment, service, ingress };
  * ```
  */
-export function WebApp(props: WebAppProps): WebAppResult {
+export const WebApp = Composite<WebAppProps>((props) => {
   const {
     name,
     image,
@@ -102,6 +111,7 @@ export function WebApp(props: WebAppProps): WebAppResult {
     terminationGracePeriodSeconds,
     priorityClassName,
     minAvailable,
+    defaults: defs,
   } = props;
 
   const commonLabels: Record<string, string> = {
@@ -146,9 +156,7 @@ export function WebApp(props: WebAppProps): WebAppResult {
     ...(priorityClassName && { priorityClassName }),
   };
 
-  // We return plain objects that users pass to constructors.
-  // The actual resource instantiation happens in user code with the generated classes.
-  const deploymentProps: Record<string, unknown> = {
+  const deployment = new Deployment(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
@@ -162,9 +170,9 @@ export function WebApp(props: WebAppProps): WebAppResult {
         spec: podSpec,
       },
     },
-  };
+  }, defs?.deployment));
 
-  const serviceProps: Record<string, unknown> = {
+  const service = new Service(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
@@ -175,12 +183,9 @@ export function WebApp(props: WebAppProps): WebAppResult {
       ports: [{ port: 80, targetPort: port, protocol: "TCP", name: "http" }],
       type: "ClusterIP",
     },
-  };
+  }, defs?.service));
 
-  const result: WebAppResult = {
-    deployment: deploymentProps,
-    service: serviceProps,
-  };
+  const result: Record<string, any> = { deployment, service };
 
   if (props.ingressHost) {
     // Build paths — use ingressPaths if provided, otherwise default single "/"
@@ -205,7 +210,7 @@ export function WebApp(props: WebAppProps): WebAppResult {
           },
         ];
 
-    const ingressProps: Record<string, unknown> = {
+    result.ingress = new Ingress(mergeDefaults({
       metadata: {
         name,
         ...(namespace && { namespace }),
@@ -227,12 +232,11 @@ export function WebApp(props: WebAppProps): WebAppResult {
           ],
         }),
       },
-    };
-    result.ingress = ingressProps;
+    }, defs?.ingress));
   }
 
   if (minAvailable !== undefined) {
-    result.pdb = {
+    result.pdb = new PodDisruptionBudget(mergeDefaults({
       metadata: {
         name,
         ...(namespace && { namespace }),
@@ -242,8 +246,8 @@ export function WebApp(props: WebAppProps): WebAppResult {
         minAvailable,
         selector: { matchLabels: { "app.kubernetes.io/name": name } },
       },
-    };
+    }, defs?.pdb));
   }
 
   return result;
-}
+}, "WebApp");