@intentius/chant-lexicon-k8s 0.0.24 → 0.1.4

package/dist/integrity.json

@@ -1,43 +1,46 @@
 {
   "algorithm": "xxhash64",
   "artifacts": {
-    "manifest.json": "65da11d30f270ee5",
-    "meta.json": "1ce194f36f9b5f90",
-    "types/index.d.ts": "beec4cc869064186",
+    "manifest.json": "ba34543f183fd269",
+    "meta.json": "939607658c0e8f4a",
+    "types/index.d.ts": "cbd8853f04c0849c",
+    "rules/hardcoded-namespace.ts": "54b216c71018e101",
     "rules/missing-resource-limits.ts": "a6f776d2ff477948",
     "rules/latest-image-tag.ts": "eb48e8d61e4ca84e",
-    "rules/hardcoded-namespace.ts": "54b216c71018e101",
-    "rules/wk8201.ts": "4dbbd20e21b5fa04",
-    "rules/wk8204.ts": "9244d6fdd6d2f7d",
-    "rules/wk8301.ts": "283265ab0c5b8511",
-    "rules/wk8306.ts": "5338575bfb0f9251",
-    "rules/wk8102.ts": "78d4aac387107b56",
-    "rules/wk8305.ts": "5c4b9482a0f3b91d",
-    "rules/wk8101.ts": "f8ffcf6e5c89076b",
-    "rules/wk8302.ts": "a80d1eab37c0dbe4",
-    "rules/wk8005.ts": "a9a1b93b80f3aa51",
     "rules/wk8209.ts": "820df53f304e0a59",
-    "rules/wk8203.ts": "f5bf17539c0428c5",
-    "rules/wk8104.ts": "94bd75c16b8d50b7",
-    "rules/wk8303.ts": "c545464e2af8fbb9",
-    "rules/wk8103.ts": "e5d6a506d966e312",
-    "rules/wk8205.ts": "d000527c6371a05",
-    "rules/wk8042.ts": "6064c84481ae8551",
-    "rules/wk8006.ts": "6e04f754f79f076e",
-    "rules/wk8041.ts": "4df512c93caaef50",
-    "rules/wk8304.ts": "f51bf894c5a08dbe",
     "rules/wk8202.ts": "6bd950ae2128256c",
     "rules/wk8208.ts": "1133f9e53c174ae9",
+    "rules/k8s-helpers.ts": "4611ed839c0219b5",
+    "rules/wk8302.ts": "a80d1eab37c0dbe4",
+    "rules/wk8205.ts": "d000527c6371a05",
+    "rules/wk8006.ts": "6e04f754f79f076e",
+    "rules/wk8305.ts": "5c4b9482a0f3b91d",
+    "rules/wk8204.ts": "9244d6fdd6d2f7d",
+    "rules/wk8402.ts": "83b420543e246d20",
+    "rules/wk8401.ts": "62d5acc6a674b8ed",
+    "rules/wk8201.ts": "4dbbd20e21b5fa04",
+    "rules/wk8104.ts": "94bd75c16b8d50b7",
+    "rules/wk8101.ts": "f8ffcf6e5c89076b",
     "rules/wk8105.ts": "8dbcfe399f23656a",
-    "rules/k8s-helpers.ts": "53a6d3bfbedb2852",
+    "rules/wk8041.ts": "4df512c93caaef50",
     "rules/wk8207.ts": "6f2bc621d530afa2",
+    "rules/wk8102.ts": "78d4aac387107b56",
+    "rules/wk8005.ts": "a9a1b93b80f3aa51",
+    "rules/wk8301.ts": "283265ab0c5b8511",
+    "rules/wk8304.ts": "f51bf894c5a08dbe",
+    "rules/wk8042.ts": "6064c84481ae8551",
+    "rules/wk8403.ts": "81397f7658d888a",
+    "rules/wk8103.ts": "e5d6a506d966e312",
+    "rules/wk8306.ts": "5338575bfb0f9251",
+    "rules/wk8203.ts": "f5bf17539c0428c5",
+    "rules/wk8303.ts": "c545464e2af8fbb9",
     "skills/chant-k8s.md": "bf3ac0c5bddd5d2a",
     "skills/chant-k8s-patterns.md": "c5151ed799145c4b",
     "skills/chant-k8s-deployment-strategies.md": "74f179e7cdb15ed5",
     "skills/chant-k8s-security.md": "f377edc5fe0a3587",
     "skills/chant-k8s-eks.md": "f79f31f058c7f2ed",
-    "skills/chant-k8s-gke.md": "196b839fc8a6849c",
+    "skills/chant-k8s-gke.md": "2f65ca45aef40c22",
     "skills/chant-k8s-aks.md": "764fa4b1408b618d"
   },
-  "composite": "91eed8e99d4982de"
+  "composite": "71a7bf45b20b1ebd"
 }

package/dist/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "k8s",
-  "version": "0.0.24",
+  "version": "0.1.4",
   "chantVersion": ">=0.1.0",
   "namespace": "K8s",
   "intrinsics": [],

package/dist/meta.json

@@ -46,6 +46,11 @@
     "kind": "property",
     "lexicon": "k8s"
   },
+  "AutoscalerOptions": {
+    "resourceType": "K8s::Ray::RayCluster.autoscalerOptions",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
   "BatchJob": {
     "resourceType": "K8s::Batch::Job",
     "kind": "resource",
@@ -439,6 +444,11 @@
     "apiVersion": "flowcontrol.apiserver.k8s.io/v1",
     "gvkKind": "FlowSchemaList"
   },
+  "GcsFaultToleranceOptions": {
+    "resourceType": "K8s::Ray::RayCluster.gcsFaultToleranceOptions",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
   "HPA": {
     "resourceType": "K8s::Autoscaling::HorizontalPodAutoscaler",
     "kind": "resource",
@@ -456,6 +466,11 @@
     "kind": "property",
     "lexicon": "k8s"
   },
+  "HeadGroupSpec": {
+    "resourceType": "K8s::Ray::RayCluster.headGroupSpec",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
   "HorizontalPodAutoscaler": {
     "resourceType": "K8s::Autoscaling::HorizontalPodAutoscaler",
     "kind": "resource",
@@ -942,6 +957,87 @@
       }
     }
   },
+  "RayCluster": {
+    "resourceType": "K8s::Ray::RayCluster",
+    "kind": "resource",
+    "lexicon": "k8s",
+    "apiVersion": "ray.io/v1",
+    "gvkKind": "RayCluster"
+  },
+  "RayClusterConfig": {
+    "resourceType": "K8s::Ray::RayService.rayClusterConfig",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "RayClusterSpec": {
+    "resourceType": "K8s::Ray::RayJob.rayClusterSpec",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "RayCluster_AutoscalerOptions": {
+    "resourceType": "K8s::Ray::RayCluster.autoscalerOptions",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "RayCluster_GcsFaultToleranceOptions": {
+    "resourceType": "K8s::Ray::RayCluster.gcsFaultToleranceOptions",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "RayCluster_HeadGroupSpec": {
+    "resourceType": "K8s::Ray::RayCluster.headGroupSpec",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "RayCluster_WorkerGroupSpec": {
+    "resourceType": "K8s::Ray::RayCluster.workerGroupSpecs",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "RayJob": {
+    "resourceType": "K8s::Ray::RayJob",
+    "kind": "resource",
+    "lexicon": "k8s",
+    "apiVersion": "ray.io/v1",
+    "gvkKind": "RayJob"
+  },
+  "RayJob_RayClusterSpec": {
+    "resourceType": "K8s::Ray::RayJob.rayClusterSpec",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "RayJob_SubmitterConfig": {
+    "resourceType": "K8s::Ray::RayJob.submitterConfig",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "RayJob_SubmitterPodTemplate": {
+    "resourceType": "K8s::Ray::RayJob.submitterPodTemplate",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "RayService": {
+    "resourceType": "K8s::Ray::RayService",
+    "kind": "resource",
+    "lexicon": "k8s",
+    "apiVersion": "ray.io/v1",
+    "gvkKind": "RayService"
+  },
+  "RayService_RayClusterConfig": {
+    "resourceType": "K8s::Ray::RayService.rayClusterConfig",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "RayService_ServeService": {
+    "resourceType": "K8s::Ray::RayService.serveService",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "RayService_UpgradeStrategy": {
+    "resourceType": "K8s::Ray::RayService.upgradeStrategy",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
   "ReplicaSet": {
     "resourceType": "K8s::Apps::ReplicaSet",
     "kind": "resource",
@@ -1164,6 +1260,11 @@
     "apiVersion": "authorization.k8s.io/v1",
     "gvkKind": "SelfSubjectRulesReview"
   },
+  "ServeService": {
+    "resourceType": "K8s::Ray::RayService.serveService",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
   "Service": {
     "resourceType": "K8s::Core::Service",
     "kind": "resource",
@@ -1281,6 +1382,16 @@
     "apiVersion": "authorization.k8s.io/v1",
     "gvkKind": "SubjectAccessReview"
   },
+  "SubmitterConfig": {
+    "resourceType": "K8s::Ray::RayJob.submitterConfig",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "SubmitterPodTemplate": {
+    "resourceType": "K8s::Ray::RayJob.submitterPodTemplate",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
   "TCPSocketAction": {
     "resourceType": "K8s::Core::TCPSocketAction",
     "kind": "property",
@@ -1323,6 +1434,11 @@
       }
     }
   },
+  "UpgradeStrategy": {
+    "resourceType": "K8s::Ray::RayService.upgradeStrategy",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
   "ValidatingAdmissionPolicy": {
     "resourceType": "K8s::Admissionregistration::ValidatingAdmissionPolicy",
     "kind": "resource",
@@ -1409,5 +1525,10 @@
     "lexicon": "k8s",
     "apiVersion": "v1",
     "gvkKind": "WatchEvent"
+  },
+  "WorkerGroupSpec": {
+    "resourceType": "K8s::Ray::RayCluster.workerGroupSpecs",
+    "kind": "property",
+    "lexicon": "k8s"
   }
 }

package/dist/rules/k8s-helpers.ts

@@ -147,3 +147,42 @@ export const WORKLOAD_KINDS = new Set([
   "Job",
   "CronJob",
 ]);
+
+/**
+ * Parse a Kubernetes memory string to bytes.
+ *
+ * Handles binary suffixes (Ki, Mi, Gi, Ti) and SI suffixes (K, M, G, T).
+ * Returns NaN for unrecognised strings — callers should skip checks on NaN.
+ *
+ * @example
+ * parseMemoryBytes("4Gi")  // 4294967296
+ * parseMemoryBytes("512Mi") // 536870912
+ * parseMemoryBytes("2048") // 2048
+ */
+export function parseMemoryBytes(s: string): number {
+  const m = /^([0-9]+(?:\.[0-9]+)?)(Ki|Mi|Gi|Ti|K|M|G|T)?$/.exec(s.trim());
+  if (!m) return NaN;
+  const n = parseFloat(m[1]);
+  const multipliers: Record<string, number> = {
+    Ki: 1024, Mi: 1024 ** 2, Gi: 1024 ** 3, Ti: 1024 ** 4,
+    K: 1000, M: 1000 ** 2, G: 1000 ** 3, T: 1000 ** 4,
+  };
+  return n * (multipliers[m[2] ?? ""] ?? 1);
+}
+
+/**
+ * Extract the Ray version from an image tag.
+ *
+ * Looks for a semver-style version prefix in the image tag:
+ *   "rayproject/ray:2.40.0"          → "2.40.0"
+ *   "rayproject/ray:2.40.0-py310"    → "2.40.0"
+ *   "us-docker.pkg.dev/.../ray:2.9.3-gpu" → "2.9.3"
+ *   "rayproject/ray:latest"          → undefined
+ *
+ * Returns undefined when no version can be found.
+ */
+export function extractRayVersion(image: string): string | undefined {
+  const tag = image.includes(":") ? image.split(":").pop()! : image;
+  const m = /^([0-9]+\.[0-9]+\.[0-9]+)/.exec(tag);
+  return m ? m[1] : undefined;
+}

package/dist/rules/wk8401.ts

@@ -0,0 +1,98 @@
+/**
+ * WK8401: shmSize exceeds container memory limit
+ *
+ * A RayCluster pod uses an emptyDir volume with medium: Memory for /dev/shm.
+ * Kubernetes counts that memory against the container's memory limit — if the
+ * sizeLimit exceeds the container's memory limit the pod will never schedule
+ * (Kubelet rejects it with "Invalid value … must be less than or equal to memory limit").
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getPrimaryOutput, parseK8sManifests, parseMemoryBytes } from "./k8s-helpers";
+
+export const wk8401: PostSynthCheck = {
+  id: "WK8401",
+  description: "shmSize must not exceed the container memory limit — pod will not schedule if it does",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const yaml = getPrimaryOutput(output);
+      const manifests = parseK8sManifests(yaml);
+
+      for (const manifest of manifests) {
+        if (manifest.kind !== "RayCluster") continue;
+
+        const clusterName = manifest.metadata?.name ?? "RayCluster";
+        const spec = manifest.spec as Record<string, unknown> | undefined;
+        if (!spec) continue;
+
+        const groups: Array<{ label: string; templateSpec: Record<string, unknown> }> = [];
+
+        // Head group
+        const headGroupSpec = spec.headGroupSpec as Record<string, unknown> | undefined;
+        if (headGroupSpec) {
+          const tmpl = headGroupSpec.template as Record<string, unknown> | undefined;
+          const podSpec = tmpl?.spec as Record<string, unknown> | undefined;
+          if (podSpec) groups.push({ label: "head", templateSpec: podSpec });
+        }
+
+        // Worker groups
+        const workerGroupSpecs = spec.workerGroupSpecs as Array<Record<string, unknown>> | undefined;
+        if (Array.isArray(workerGroupSpecs)) {
+          for (const wg of workerGroupSpecs) {
+            const name = (wg.groupName as string | undefined) ?? "worker";
+            const tmpl = wg.template as Record<string, unknown> | undefined;
+            const podSpec = tmpl?.spec as Record<string, unknown> | undefined;
+            if (podSpec) groups.push({ label: `worker "${name}"`, templateSpec: podSpec });
+          }
+        }
+
+        for (const { label, templateSpec } of groups) {
+          // Find the emptyDir Memory volume (dshm)
+          const volumes = templateSpec.volumes as Array<Record<string, unknown>> | undefined;
+          if (!Array.isArray(volumes)) continue;
+
+          for (const vol of volumes) {
+            const emptyDir = vol.emptyDir as Record<string, unknown> | undefined;
+            if (!emptyDir || emptyDir.medium !== "Memory") continue;
+
+            const sizeLimit = emptyDir.sizeLimit as string | undefined;
+            if (!sizeLimit) continue;
+
+            const shmBytes = parseMemoryBytes(sizeLimit);
+            if (isNaN(shmBytes)) continue;
+
+            // Find memory limit from the first container that mounts this volume
+            const containers = templateSpec.containers as Array<Record<string, unknown>> | undefined;
+            if (!Array.isArray(containers)) continue;
+
+            for (const container of containers) {
+              const resources = container.resources as Record<string, unknown> | undefined;
+              const limits = resources?.limits as Record<string, unknown> | undefined;
+              const memLimit = limits?.memory as string | undefined;
+              if (!memLimit) continue;
+
+              const memBytes = parseMemoryBytes(memLimit);
+              if (isNaN(memBytes)) continue;
+
+              if (shmBytes > memBytes) {
+                diagnostics.push({
+                  checkId: "WK8401",
+                  severity: "error",
+                  message: `RayCluster "${clusterName}" ${label}: shmSize "${sizeLimit}" exceeds memory limit "${memLimit}" — pod will not schedule`,
+                  entity: clusterName,
+                  lexicon: "k8s",
+                });
+              }
+              break; // Only check the first container per group
+            }
+          }
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/wk8402.ts

@@ -0,0 +1,43 @@
+/**
+ * WK8402: RayCluster missing spec.rayVersion
+ *
+ * KubeRay uses spec.rayVersion to select the Ray autoscaler sidecar image.
+ * Without it, KubeRay defaults to the "latest" tag — autoscaler and Ray head
+ * may run mismatched versions, leading to silent protocol failures.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getPrimaryOutput, parseK8sManifests } from "./k8s-helpers";
+
+export const wk8402: PostSynthCheck = {
+  id: "WK8402",
+  description: "RayCluster should set spec.rayVersion so KubeRay selects the correct autoscaler image",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const yaml = getPrimaryOutput(output);
+      const manifests = parseK8sManifests(yaml);
+
+      for (const manifest of manifests) {
+        if (manifest.kind !== "RayCluster") continue;
+
+        const name = manifest.metadata?.name ?? "RayCluster";
+        const rayVersion = (manifest.spec as Record<string, unknown> | undefined)?.rayVersion;
+
+        if (!rayVersion) {
+          diagnostics.push({
+            checkId: "WK8402",
+            severity: "warning",
+            message: `RayCluster "${name}" is missing spec.rayVersion — KubeRay autoscaler will pull the "latest" image tag`,
+            entity: name,
+            lexicon: "k8s",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/wk8403.ts

@@ -0,0 +1,60 @@
+/**
+ * WK8403: spec.rayVersion does not match head image tag
+ *
+ * When spec.rayVersion is set but doesn't match the version in the head
+ * container image tag, the KubeRay autoscaler sidecar will run a different
+ * Ray version than the cluster. This can cause gRPC compatibility failures.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getPrimaryOutput, parseK8sManifests, extractRayVersion } from "./k8s-helpers";
+
+export const wk8403: PostSynthCheck = {
+  id: "WK8403",
+  description: "spec.rayVersion should match the Ray version in the head container image tag",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const yaml = getPrimaryOutput(output);
+      const manifests = parseK8sManifests(yaml);
+
+      for (const manifest of manifests) {
+        if (manifest.kind !== "RayCluster") continue;
+
+        const clusterName = manifest.metadata?.name ?? "RayCluster";
+        const spec = manifest.spec as Record<string, unknown> | undefined;
+        if (!spec) continue;
+
+        const rayVersion = spec.rayVersion as string | undefined;
+        if (!rayVersion) continue; // WK8402 covers the missing case
+
+        // Extract version from head container image
+        const headGroupSpec = spec.headGroupSpec as Record<string, unknown> | undefined;
+        const tmpl = headGroupSpec?.template as Record<string, unknown> | undefined;
+        const podSpec = tmpl?.spec as Record<string, unknown> | undefined;
+        const containers = podSpec?.containers as Array<Record<string, unknown>> | undefined;
+        if (!Array.isArray(containers) || containers.length === 0) continue;
+
+        const image = containers[0].image as string | undefined;
+        if (!image) continue;
+
+        const imageVersion = extractRayVersion(image);
+        if (!imageVersion) continue; // Can't determine version from tag
+
+        if (imageVersion !== rayVersion) {
+          diagnostics.push({
+            checkId: "WK8403",
+            severity: "warning",
+            message: `RayCluster "${clusterName}": spec.rayVersion "${rayVersion}" does not match head image tag "${imageVersion}" — autoscaler may run a mismatched Ray version`,
+            entity: clusterName,
+            lexicon: "k8s",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/skills/chant-k8s-gke.md

@@ -206,7 +206,7 @@ import { ConfigConnectorContext } from "@intentius/chant-lexicon-k8s";
 const { context } = ConfigConnectorContext({
   googleServiceAccountEmail: "cc-sa@my-project.iam.gserviceaccount.com",
   namespace: "config-connector",
-  stateIntoSpec: "absent",
+  stateIntoSpec: "Absent",
 });
 ```
 

package/dist/types/index.d.ts

@@ -1244,6 +1244,36 @@ export declare class PVC {
   readonly uid: string;
 }
 
+export declare class RayCluster {
+  constructor(props: {
+    metadata?: Record<string, unknown>;
+    spec?: Record<string, unknown>;
+  });
+  readonly name: string;
+  readonly namespace: string;
+  readonly uid: string;
+}
+
+export declare class RayJob {
+  constructor(props: {
+    metadata?: Record<string, unknown>;
+    spec?: Record<string, unknown>;
+  });
+  readonly name: string;
+  readonly namespace: string;
+  readonly uid: string;
+}
+
+export declare class RayService {
+  constructor(props: {
+    metadata?: Record<string, unknown>;
+    spec?: Record<string, unknown>;
+  });
+  readonly name: string;
+  readonly namespace: string;
+  readonly uid: string;
+}
+
 export declare class ReplicaSet {
   constructor(props: {
     /** If the Labels of a ReplicaSet are empty, they are defaulted to be the same as the Pod(s) that the ReplicaSet manages. Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@intentius/chant-lexicon-k8s",
-  "version": "0.0.24",
+  "version": "0.1.4",
   "description": "Kubernetes lexicon for chant — declarative IaC in TypeScript",
   "license": "Apache-2.0",
   "homepage": "https://intentius.io/chant",
@@ -42,10 +42,13 @@
     "docs": "bun run src/codegen/docs-cli.ts",
     "prepack": "bun run generate && bun run bundle && bun run validate"
   },
-  "dependencies": {
-    "@intentius/chant": "0.0.22"
-  },
   "devDependencies": {
+    "@intentius/chant": "0.1.4",
+    "@types/js-yaml": "^4.0.9",
+    "js-yaml": "^4.1.1",
     "typescript": "^5.9.3"
+  },
+  "peerDependencies": {
+    "@intentius/chant": "^0.1.0"
   }
 }

package/src/codegen/generate.ts

@@ -13,6 +13,8 @@ import {
 } from "@intentius/chant/codegen/generate";
 import { fetchSchemas } from "../spec/fetch";
 import { parseK8sSwagger, k8sShortName, type K8sParseResult } from "../spec/parse";
+import { loadMultipleCRDs } from "../crd/loader";
+import { CRD_SOURCES } from "../crd/crd-sources";
 import { NamingStrategy, propertyTypeName, extractDefName } from "./naming";
 import { generateLexiconJSON } from "./generate-lexicon";
 import { generateTypeScriptDeclarations } from "./generate-typescript";
@@ -54,6 +56,26 @@ export async function generate(opts: K8sGenerateOptions = {}): Promise<GenerateR
 
     createNaming: (results) => new NamingStrategy(results),
 
+    augmentSchemas: async (schemas, _opts, log) => {
+      // Load third-party CRDs and return as extraResults so they are
+      // included in the generated types alongside the core K8s resources.
+      const crdResults: K8sParseResult[] = [];
+      const warnings: Array<{ file: string; error: string }> = [];
+      for (const source of CRD_SOURCES) {
+        try {
+          const parsed = await loadMultipleCRDs([source]);
+          crdResults.push(...parsed);
+          log(`Loaded ${parsed.length} CRD type(s) from ${source.url ?? source.path ?? "cluster"}`);
+        } catch (err) {
+          const msg = err instanceof Error ? err.message : String(err);
+          warnings.push({ file: source.url ?? source.path ?? "cluster", error: msg });
+          log(`Warning: failed to load CRD: ${msg}`);
+        }
+      }
+      log(`Total CRD types loaded: ${crdResults.length}`);
+      return { schemas, extraResults: crdResults, warnings };
+    },
+
     augmentResults: (results, _opts, log) => {
       // Add the remaining results from the single-schema parse
       if (pendingResults.length > 0) {

package/src/composites/cockroachdb-cluster.ts

@@ -66,6 +66,16 @@ export interface CockroachDbClusterProps {
    * E.g. pod "cockroachdb-0" in east advertises "cockroachdb-0.east.crdb.internal".
    */
   advertiseHostDomain?: string;
+  /**
+   * Mount the client certs secret (`${name}-client-certs`) into pods at
+   * `/cockroach/cockroach-client-certs` (default: false).
+   *
+   * Enable for multi-region deployments where `cockroach init`, `cockroach sql`,
+   * and backup schedule setup run inside a pod via `kubectl exec`. The client cert
+   * is separate from the node cert and is NOT included in the node certs secret.
+   * Without this flag you must inject client certs manually (e.g. via /tmp).
+   */
+  mountClientCerts?: boolean;
   /** Additional labels to apply to all resources. */
   labels?: Record<string, string>;
   /** Per-member defaults for fine-grained overrides. */
@@ -142,12 +152,14 @@ export const CockroachDbCluster = Composite<CockroachDbClusterProps>((props) =>
     skipCertGen = false,
     extraCertNodeAddresses = [],
     advertiseHostDomain,
+    mountClientCerts = false,
     labels: extraLabels = {},
     defaults: defs,
   } = props;
 
   const saName = name;
   const certsDir = "/cockroach/cockroach-certs";
+  const clientCertsDir = "/cockroach/cockroach-client-certs";
   const dataDir = "/cockroach/cockroach-data";
 
   const commonLabels: Record<string, string> = {
@@ -302,6 +314,10 @@ export const CockroachDbCluster = Composite<CockroachDbClusterProps>((props) =>
   if (secure) {
     volumes.push({ name: "certs", secret: { secretName: `${name}-node-certs`, defaultMode: 0o400 } });
     volumeMounts.push({ name: "certs", mountPath: certsDir });
+    if (mountClientCerts) {
+      volumes.push({ name: "client-certs", secret: { secretName: `${name}-client-certs`, defaultMode: 0o400 } });
+      volumeMounts.push({ name: "client-certs", mountPath: clientCertsDir });
+    }
   }
 
   const container: Record<string, unknown> = {

package/src/composites/composites.test.ts

@@ -2752,14 +2752,14 @@ describe("ConfigConnectorContext", () => {
     expect(spec.googleServiceAccount).toBe("cnrm@my-project.iam.gserviceaccount.com");
   });
 
-  test("default stateIntoSpec is absent", () => {
+  test("default stateIntoSpec is Absent", () => {
     const result = ConfigConnectorContext(minProps);
-    expect((p(result.context) as any).spec.stateIntoSpec).toBe("absent");
+    expect((p(result.context) as any).spec.stateIntoSpec).toBe("Absent");
   });
 
   test("custom stateIntoSpec", () => {
-    const result = ConfigConnectorContext({ ...minProps, stateIntoSpec: "merge" });
-    expect((p(result.context) as any).spec.stateIntoSpec).toBe("merge");
+    const result = ConfigConnectorContext({ ...minProps, stateIntoSpec: "Merge" });
+    expect((p(result.context) as any).spec.stateIntoSpec).toBe("Merge");
   });
 
   test("default namespace is default", () => {