@intentius/chant-lexicon-k8s 0.1.11 → 0.1.13

package/dist/integrity.json

@@ -1,7 +1,7 @@
 {
   "algorithm": "sha256",
   "artifacts": {
-    "manifest.json": "6de26c6a6dacd8f2231ef7347a2e49c14c486536a8524d288b3d5dafaf57f530",
+    "manifest.json": "f494467144f83651a59a46bbe17430b0b255af80d9cf03a2a2c7d990b896cf89",
     "meta.json": "970c70eb6eea1686f7cb8ce6ceccc46ce2e57d696d344f1dd52460e266f9a56c",
     "types/index.d.ts": "07473e029254345488bc9952585e88bcf18da79d1026cc26744027683f472554",
     "rules/hardcoded-namespace.ts": "ba3f43f2adbffdd87db20a2c45839354ceecda1b9f04f29ae31c4c077dddc7ec",
@@ -42,5 +42,5 @@
     "skills/chant-k8s-gke.md": "8938840bf9ef5ed58d6333fdd773b3dd54ecaf25a9df35e58f7f5c3355d4928f",
     "skills/chant-k8s-aks.md": "e18f0e2b055f72cd7a37deaf258d7027c2d4d3e286e8fd4975b27a1f981a3ad9"
   },
-  "composite": "b9199760d98da9cfac7eeb4fed7e8ecbe5a974861c58e661dfea8ead21773e82"
+  "composite": "638663928c965eceb5de58d6cc9a952e935ec92c6cc767de1278d341e9d6f3bc"
 }

package/dist/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "k8s",
-  "version": "0.1.11",
+  "version": "0.1.13",
   "chantVersion": ">=0.1.0",
   "namespace": "K8s",
   "intrinsics": [],

package/package.json

@@ -1,16 +1,16 @@
 {
   "name": "@intentius/chant-lexicon-k8s",
-  "version": "0.1.11",
+  "version": "0.1.13",
   "description": "Kubernetes lexicon for chant — declarative IaC in TypeScript",
   "license": "Apache-2.0",
   "homepage": "https://intentius.io/chant",
   "repository": {
     "type": "git",
-    "url": "https://github.com/intentius/chant.git",
+    "url": "https://github.com/INTENTIUS/chant.git",
     "directory": "lexicons/k8s"
   },
   "bugs": {
-    "url": "https://github.com/intentius/chant/issues"
+    "url": "https://github.com/INTENTIUS/chant/issues"
   },
   "keywords": [
     "infrastructure-as-code",

package/src/serializer.test.ts

@@ -392,4 +392,50 @@ describe("k8sSerializer", () => {
     expect(kindIdx).toBeLessThan(metaIdx);
     expect(metaIdx).toBeLessThan(specIdx);
   });
+
+  test("CRD-wrapper trick: props.apiVersion/kind override gvk-derived defaults", () => {
+    // The Deployment-as-generic-CRD-wrapper pattern: pass arbitrary
+    // apiVersion + kind in props and the serializer should respect them
+    // (for emitting non-built-in CRDs through chant).
+    const entities = new Map<string, any>();
+    entities.set(
+      "esoStore",
+      mockResource("K8s::Apps::Deployment", {
+        apiVersion: "external-secrets.io/v1beta1",
+        kind: "ClusterSecretStore",
+        metadata: { name: "my-store" },
+        spec: { provider: { gcpsm: { projectID: "my-proj" } } },
+      }),
+    );
+
+    const result = k8sSerializer.serialize(entities);
+    expect(result).toContain("apiVersion: external-secrets.io/v1beta1");
+    expect(result).toContain("kind: ClusterSecretStore");
+    expect(result).not.toContain("apiVersion: apps/v1");
+    expect(result).not.toContain("kind: Deployment");
+  });
+
+  test("RBAC-shaped resources (rules/subjects/roleRef) stay at top level, not pushed under spec", () => {
+    // ClusterRole / Role / RoleBinding / ClusterRoleBinding don't have a
+    // spec field; their data is at the manifest root. When such a resource
+    // arrives via the CRD-wrapper trick (no spec set in props), the
+    // serializer used to dump rules/subjects/roleRef into a synthetic spec
+    // — produced invalid manifests. Now they stay at top level.
+    const entities = new Map<string, any>();
+    entities.set(
+      "viewerRole",
+      mockResource("K8s::Apps::Deployment", {
+        apiVersion: "rbac.authorization.k8s.io/v1",
+        kind: "ClusterRole",
+        metadata: { name: "viewer" },
+        rules: [{ apiGroups: [""], resources: ["pods"], verbs: ["get", "list"] }],
+      }),
+    );
+
+    const result = k8sSerializer.serialize(entities);
+    expect(result).toContain("kind: ClusterRole");
+    expect(result).toMatch(/^rules:/m);
+    // The bug being guarded against: rules ending up under spec.
+    expect(result).not.toMatch(/^spec:\s*\n\s+rules:/m);
+  });
 });

package/src/serializer.ts

@@ -218,6 +218,28 @@ export const k8sSerializer: Serializer = {
 
       manifest.metadata = metadata;
 
+      // Properties that always belong at the manifest root, never inside
+      // spec. apiVersion/kind allow consumers to override the gvk-derived
+      // defaults (the "CRD wrapper" trick used to declare arbitrary K8s
+      // resources via a generic Declarable class). rules/subjects/roleRef
+      // are the top-level fields for RBAC kinds. data/stringData are for
+      // ConfigMap/Secret. binaryData covers ConfigMap binary entries.
+      const TOP_LEVEL_PROPS = new Set([
+        "apiVersion",
+        "kind",
+        "rules",
+        "subjects",
+        "roleRef",
+        "data",
+        "stringData",
+        "binaryData",
+        "type",
+        "immutable",
+        "automountServiceAccountToken",
+        "secrets",
+        "imagePullSecrets",
+      ]);
+
       // The remaining properties go under spec (or directly on the manifest for certain types)
       if (SPECLESS_TYPES.has(gvk.kind)) {
         // These types have their data directly on the manifest (data, stringData, etc.)
@@ -235,10 +257,14 @@ export const k8sSerializer: Serializer = {
           }
         }
       } else {
-        // Place remaining props under spec
+        // Place remaining props under spec — except known top-level fields
+        // (apiVersion/kind for CRD-wrapper overrides; rules/subjects for RBAC).
         const spec: Record<string, unknown> = {};
         for (const [key, value] of Object.entries(props)) {
-          if (key !== "metadata") {
+          if (key === "metadata") continue;
+          if (TOP_LEVEL_PROPS.has(key)) {
+            manifest[key] = value;
+          } else {
             spec[key] = value;
           }
         }