@mizchi/k1c 0.2.0 → 0.4.0

package/README.md

@@ -49,7 +49,9 @@ $ K1C_ACCOUNT_ID=...  CLOUDFLARE_API_TOKEN=... pnpm k1c apply -f manifest.yaml
 | `DNSRecord` (CRD) | DNS records | working |
 | `LogpushJob` (CRD) | Logpush (zone- or account-scoped) | working |
 | `ai` / `browser` / `version_metadata` / `analytics_engine` Worker bindings | annotation- / volume-driven | working |
-| `Ingress` / `CustomHostname` / Zero Trust Access | — | not implemented (see [`TODO.md`](TODO.md)) |
+| `Ingress` (`networking.k8s.io/v1`) | generated router Worker + Custom Domain per literal host (Workers Route per wildcard host) | working |
+| `AccessApplication` (CRD) | Cloudflare Access self-hosted app with inline policies | working |
+| `CustomHostname` | — | not implemented (see [`TODO.md`](TODO.md)) |
 
 See [`docs/resources.md`](docs/resources.md) for the full mapping and limitations,
 and [`TODO.md`](TODO.md) for what's queued.
@@ -137,13 +139,14 @@ Versioning is automated via [release-please](https://github.com/googleapis/relea
 - Conventional Commit messages on `main` (`feat:`, `fix:`, `chore:`, etc.) feed
   into a release PR that bumps `package.json`, updates `CHANGELOG.md`, and
   cuts a Git tag plus a GitHub Release.
-- Merging that release PR triggers `.github/workflows/publish.yml`, which
-  publishes `@mizchi/k1c` to npm via [OIDC trusted publishing](https://docs.npmjs.com/trusted-publishers)
-  (no `NPM_TOKEN` involved) with `--provenance` SLSA attestation.
+- The same `release-please.yml` workflow then runs a `publish` job (gated on
+  `release_created == true`) that publishes `@mizchi/k1c` to npm via
+  [OIDC trusted publishing](https://docs.npmjs.com/trusted-publishers)
+  (no `NPM_TOKEN`) with `--provenance` SLSA attestation.
 
 The npm package must be registered as a trusted publisher on `npmjs.com` once,
-pointing at `mizchi/k1c` + the `publish.yml` workflow. After that the entire
-flow (PR → merge → tag → npm) is hands-off.
+pointing at `mizchi/k1c` + the `release-please.yml` workflow. After that the
+entire flow (PR → merge → tag → npm) is hands-off.
 
 ## License
 

package/dist/cli/main.js

@@ -152,7 +152,27 @@ function isApi404(err) {
     return err.status === 404;
 }
 main().then((code) => process.exit(code), (err) => {
-    process.stderr.write(`fatal: ${err instanceof Error ? err.stack ?? err.message : String(err)}\n`);
+    process.stderr.write(`fatal: ${formatError(err)}\n`);
     process.exit(1);
 });
+function formatError(err) {
+    if (err instanceof Error)
+        return err.stack ?? err.message;
+    // Provider errors are plain objects shaped as { code, recoverable, message, ... };
+    // formatting them through `String(err)` yields "[object Object]" and loses the
+    // useful fields. Render the structured form instead.
+    if (err !== null && typeof err === 'object') {
+        const e = err;
+        if (typeof e.message === 'string') {
+            return typeof e.code === 'string' ? `[${e.code}] ${e.message}` : e.message;
+        }
+        try {
+            return JSON.stringify(err);
+        }
+        catch {
+            return Object.prototype.toString.call(err);
+        }
+    }
+    return String(err);
+}
 //# sourceMappingURL=main.js.map

package/dist/ingress/router-template.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Generates the JavaScript source for a k1c Ingress router Worker.
+ *
+ * The router holds the Ingress routing table inline as a frozen literal and
+ * dispatches each request to the matching backend Worker via a `service`
+ * binding. Host matching supports k8s-style wildcards (`*.example.com`).
+ * Path matching follows k8s Ingress semantics: `Prefix` matches segment-wise
+ * (`/foo` matches `/foo` and `/foo/bar` but not `/foobar`), `Exact` requires
+ * full equality, `ImplementationSpecific` is treated as `Prefix`.
+ */
+export interface RouterRoute {
+    /**
+     * Hostname rule. Either a literal host (`api.example.com`), a wildcard
+     * (`*.example.com`), or null for the catch-all rule (`spec.rules[].host` omitted).
+     */
+    readonly host: string | null;
+    readonly paths: ReadonlyArray<RouterPath>;
+}
+export interface RouterPath {
+    readonly path: string;
+    readonly pathType: 'Prefix' | 'Exact' | 'ImplementationSpecific';
+    /** Binding identifier on `env` (e.g. `b0`, `b1`, ...) referencing the backend Worker. */
+    readonly backendBinding: string;
+}
+export interface RouterTemplateOptions {
+    readonly routes: ReadonlyArray<RouterRoute>;
+    readonly defaultBackend: string | null;
+}
+export declare function generateRouter(opts: RouterTemplateOptions): string;
+//# sourceMappingURL=router-template.d.ts.map

package/dist/ingress/router-template.js

@@ -0,0 +1,50 @@
+/**
+ * Generates the JavaScript source for a k1c Ingress router Worker.
+ *
+ * The router holds the Ingress routing table inline as a frozen literal and
+ * dispatches each request to the matching backend Worker via a `service`
+ * binding. Host matching supports k8s-style wildcards (`*.example.com`).
+ * Path matching follows k8s Ingress semantics: `Prefix` matches segment-wise
+ * (`/foo` matches `/foo` and `/foo/bar` but not `/foobar`), `Exact` requires
+ * full equality, `ImplementationSpecific` is treated as `Prefix`.
+ */
+export function generateRouter(opts) {
+    const tableLiteral = JSON.stringify(opts.routes, null, 2);
+    const defaultLiteral = opts.defaultBackend === null ? 'null' : JSON.stringify(opts.defaultBackend);
+    return `// k1c Ingress router (generated)
+const ROUTES = ${tableLiteral};
+const DEFAULT = ${defaultLiteral};
+
+export default {
+  async fetch(request, env) {
+    const url = new URL(request.url);
+    const host = (request.headers.get('host') ?? url.host).toLowerCase();
+    const path = url.pathname;
+
+    for (const rule of ROUTES) {
+      if (!matchHost(rule.host, host)) continue;
+      for (const p of rule.paths) {
+        if (matchPath(p, path)) return env[p.backendBinding].fetch(request);
+      }
+    }
+    if (DEFAULT !== null) return env[DEFAULT].fetch(request);
+    return new Response('Not Found', { status: 404 });
+  },
+};
+
+function matchHost(rule, host) {
+  if (rule === null) return true;
+  const r = rule.toLowerCase();
+  if (r.startsWith('*.')) return host.endsWith(r.slice(1));
+  return host === r;
+}
+
+function matchPath(p, path) {
+  if (p.pathType === 'Exact') return path === p.path;
+  if (p.path === '/') return true;
+  if (path === p.path) return true;
+  return path.startsWith(p.path + '/');
+}
+`;
+}
+//# sourceMappingURL=router-template.js.map

package/dist/manifest/lower.js

@@ -1,6 +1,7 @@
 import { Buffer } from 'node:buffer';
 import { createHash } from 'node:crypto';
 import { generateDispatcher } from "../canary/dispatcher-template.js";
+import { generateRouter } from "../ingress/router-template.js";
 export class LowerError extends Error {
     constructor(message) {
         super(message);
@@ -29,6 +30,8 @@ export async function lower(resources, options) {
     const jobs = [];
     const dnsRecords = [];
     const logpushJobs = [];
+    const ingresses = [];
+    const accessApplications = [];
     for (const r of resources) {
         const label = labelOf(r);
         switch (r.kind) {
@@ -85,6 +88,12 @@ export async function lower(resources, options) {
             case 'LogpushJob':
                 logpushJobs.push(r);
                 break;
+            case 'Ingress':
+                ingresses.push(r);
+                break;
+            case 'AccessApplication':
+                accessApplications.push(r);
+                break;
         }
     }
     const desired = [];
@@ -144,8 +153,63 @@ export async function lower(resources, options) {
         if (out !== null)
             desired.push(out);
     }
+    for (const ing of ingresses) {
+        for (const out of await lowerIngress(ing, tables, warnings, options)) {
+            desired.push(out);
+        }
+    }
+    for (const app of accessApplications) {
+        desired.push(lowerAccessApplication(app));
+    }
     return { desired, warnings };
 }
+function ruleToWire(rule) {
+    if ('email' in rule)
+        return { email: { email: rule.email.email } };
+    if ('emailDomain' in rule)
+        return { email_domain: { domain: rule.emailDomain.domain } };
+    if ('everyone' in rule)
+        return { everyone: {} };
+    if ('ip' in rule)
+        return { ip: { ip: rule.ip.ip } };
+    if ('country' in rule)
+        return { country: { country_code: rule.country.code } };
+    if ('serviceToken' in rule)
+        return { service_token: { token_id: rule.serviceToken.tokenId } };
+    return { any_valid_service_token: {} };
+}
+function policyToWire(p) {
+    return {
+        name: p.name,
+        decision: p.decision,
+        include: p.include.map(ruleToWire),
+        ...(p.exclude !== undefined ? { exclude: p.exclude.map(ruleToWire) } : {}),
+        ...(p.require !== undefined ? { require: p.require.map(ruleToWire) } : {}),
+        ...(p.sessionDuration !== undefined ? { session_duration: p.sessionDuration } : {}),
+    };
+}
+function lowerAccessApplication(app) {
+    const ns = app.metadata.namespace ?? 'default';
+    const name = app.metadata.name;
+    const properties = {
+        appName: `k1c-${ns}-${name}`,
+        domain: app.spec.domain,
+        ...(app.spec.sessionDuration !== undefined
+            ? { sessionDuration: app.spec.sessionDuration }
+            : {}),
+        ...(app.spec.autoRedirectToIdentity !== undefined
+            ? { autoRedirectToIdentity: app.spec.autoRedirectToIdentity }
+            : {}),
+        ...(app.spec.allowedIdps !== undefined ? { allowedIdps: [...app.spec.allowedIdps] } : {}),
+        policies: app.spec.policies.map(policyToWire),
+    };
+    return {
+        resourceType: 'AccessApplication',
+        ref: refOf(app),
+        label: `${ns}/${name}`,
+        properties,
+    };
+}
 function lowerVectorize(v) {
     const ns = v.metadata.namespace ?? 'default';
     const name = v.metadata.name;
@@ -316,6 +380,150 @@ function lowerService(s, deployments, rollouts, warnings) {
         ],
     };
 }
+async function lowerIngress(ing, tables, warnings, options) {
+    const ns = ing.metadata.namespace ?? 'default';
+    const name = ing.metadata.name;
+    const ref = refOf(ing);
+    const annotations = ing.metadata.annotations ?? {};
+    const zoneId = annotations['cloudflare.com/zone-id'];
+    if (!zoneId) {
+        throw new LowerError(`Ingress ${ns}/${name}: missing required annotation \`cloudflare.com/zone-id\``);
+    }
+    const literalHosts = new Set();
+    const wildcardHosts = new Set();
+    for (const rule of ing.spec.rules) {
+        if (rule.host === undefined)
+            continue;
+        if (rule.host.startsWith('*.')) {
+            wildcardHosts.add(rule.host);
+        }
+        else {
+            literalHosts.add(rule.host);
+        }
+    }
+    if (literalHosts.size === 0 && wildcardHosts.size === 0) {
+        throw new LowerError(`Ingress ${ns}/${name}: at least one rule must specify a host (literal or wildcard) so traffic can be bound to the router`);
+    }
+    // Assign one binding name per unique backend Service.
+    const backendBindings = new Map(); // serviceName -> bindingName
+    const serviceDeps = [];
+    function bindingFor(serviceName) {
+        const existing = backendBindings.get(serviceName);
+        if (existing !== undefined)
+            return existing;
+        const id = `b${backendBindings.size}`;
+        backendBindings.set(serviceName, id);
+        return id;
+    }
+    function resolveBackendScript(serviceName, where) {
+        const target = tables.serviceTargets.get(`${ns}/${serviceName}`);
+        if (target === undefined) {
+            throw new LowerError(`Ingress ${ns}/${name}: backend Service "${serviceName}" referenced by ${where} is not found (or has no matching workload) in namespace "${ns}"`);
+        }
+        pushUnique(serviceDeps, {
+            apiVersion: 'v1',
+            kind: 'Service',
+            namespace: ns,
+            name: serviceName,
+        });
+        return target;
+    }
+    // Pre-walk to collect bindings and validate.
+    const routes = [];
+    for (const rule of ing.spec.rules) {
+        const paths = [...rule.http.paths]
+            .map((p) => ({
+            path: p.path,
+            pathType: p.pathType,
+            backend: p.backend,
+        }))
+            // Longest path first so prefix matching picks the most specific.
+            .sort((a, b) => b.path.length - a.path.length);
+        const routerPaths = paths.map((p) => {
+            const sName = p.backend.service.name;
+            resolveBackendScript(sName, `rule host=${rule.host ?? '<any>'} path=${p.path}`);
+            return {
+                path: p.path,
+                pathType: p.pathType,
+                backendBinding: bindingFor(sName),
+            };
+        });
+        routes.push({ host: rule.host ?? null, paths: routerPaths });
+    }
+    let defaultBackendBinding = null;
+    if (ing.spec.defaultBackend !== undefined) {
+        const sName = ing.spec.defaultBackend.service.name;
+        resolveBackendScript(sName, 'defaultBackend');
+        defaultBackendBinding = bindingFor(sName);
+    }
+    // Build the router Worker.
+    const routerScriptName = `k1c--${ns}--${name}--ingress`;
+    const routerSource = generateRouter({ routes, defaultBackend: defaultBackendBinding });
+    const bindings = [];
+    for (const [serviceName, bindingName] of backendBindings) {
+        const target = tables.serviceTargets.get(`${ns}/${serviceName}`);
+        bindings.push({ type: 'service', name: bindingName, service: target });
+    }
+    const baseProperties = {
+        scriptName: routerScriptName,
+        entrypoint: '<k1c-generated:ingress-router>',
+        entrypointContent: routerSource,
+        compatibilityDate: annotations['cloudflare.com/compatibility-date'] ?? DEFAULT_COMPATIBILITY_DATE,
+        bindings,
+    };
+    const properties = {
+        ...baseProperties,
+        entrypointHash: await hashEntrypoint(baseProperties, options),
+    };
+    const routerRef = { ...ref, name: `${name}--router` };
+    const results = [
+        {
+            resourceType: 'Worker',
+            ref: routerRef,
+            label: `${ns}/${name}--router`,
+            properties,
+            ...(serviceDeps.length > 0 ? { dependsOn: serviceDeps } : {}),
+        },
+    ];
+    // One Custom Domain per literal host, all pointing at the router Worker.
+    const environment = annotations['cloudflare.com/environment'] ?? 'production';
+    for (const host of literalHosts) {
+        const cdRef = { ...ref, name: `${name}--cd--${host}` };
+        results.push({
+            resourceType: 'CustomDomain',
+            ref: cdRef,
+            label: host,
+            properties: {
+                hostname: host,
+                service: routerScriptName,
+                zoneId,
+                environment,
+            },
+            dependsOn: [routerRef],
+        });
+    }
+    // Wildcard hosts cannot be bound via Custom Domain (which takes literal
+    // hostnames only); fall back to a zone-scoped Workers Route at `<host>/*`.
+    // The router Worker already matches the wildcard in-source, so this just
+    // delivers traffic to it.
+    for (const host of wildcardHosts) {
+        const pattern = `${host}/*`;
+        const routeRef = { ...ref, name: `${name}--route--${host}` };
+        const routeProps = {
+            zoneId,
+            pattern,
+            scriptName: routerScriptName,
+        };
+        results.push({
+            resourceType: 'WorkerRoute',
+            ref: routeRef,
+            label: pattern,
+            properties: routeProps,
+            dependsOn: [routerRef],
+        });
+    }
+    return results;
+}
 function findWorkloadBySelector(selector, namespace, deployments, rollouts) {
     for (const d of deployments) {
         if ((d.metadata.namespace ?? 'default') !== namespace)
@@ -838,8 +1046,22 @@ async function buildContainerProperties(kind, ns, name, scriptName, container, t
                 dataset: vol.analyticsEngineRef.dataset,
             });
         }
+        else if (vol.mtlsCertificateRef) {
+            bindings.push({
+                type: 'mtls_certificate',
+                name: mount.mountPath,
+                certificateId: vol.mtlsCertificateRef.certificateId,
+            });
+        }
+        else if (vol.pipelinesRef) {
+            bindings.push({
+                type: 'pipelines',
+                name: mount.mountPath,
+                pipeline: vol.pipelinesRef.pipelineId,
+            });
+        }
         else {
-            throw new LowerError(`${ctxLabel}: volume "${vol.name}" has no recognised reference (r2BucketRef, kvNamespaceRef, serviceRef, hyperdriveRef, d1DatabaseRef, queueRef, vectorizeRef, or analyticsEngineRef)`);
+            throw new LowerError(`${ctxLabel}: volume "${vol.name}" has no recognised reference (r2BucketRef, kvNamespaceRef, serviceRef, hyperdriveRef, d1DatabaseRef, queueRef, vectorizeRef, analyticsEngineRef, mtlsCertificateRef, or pipelinesRef)`);
         }
     }
     // Pod-level annotations for the no-config bindings: AI, Browser Rendering,