UNPKG

kubricate

Version:

A TypeScript framework for building reusable, type-safe Kubernetes infrastructure — without the YAML mess.

github.com/thaitype/kubricate/tree/main/packages/kubricate

thaitype/kubricate

164 lines (163 loc) 5.74 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.SecretInjectionBuilder = void 0; /** * SecretInjectionBuilder provides a fluent API to define how a secret should be injected into a resource. * * @example * injector.secrets('MY_SECRET') * .inject({ kind: 'env', containerIndex: 0 }) * .intoResource('my-deployment'); // Optional */ class SecretInjectionBuilder { stack; secretName; provider; ctx; strategy; resourceIdOverride; /** * The injected name override (used when `.forName(...)` is called). * * This will appear in the final manifest, such as an env var name or volume mount name. * If not provided, the original secretName will be used. */ targetName; constructor(stack, secretName, provider, ctx) { this.stack = stack; this.secretName = secretName; this.provider = provider; this.ctx = ctx; } /** * Override the name to be injected into the target manifest. * * This is useful when the name used inside the resource (e.g., env var name) * should differ from the registered secret name in the SecretManager. * * If not provided, the original secret name will be used. * * Example: * .secrets('MY_SECRET').forName('API_KEY').inject({ kind: 'env' }); * * Output: * - name: API_KEY * valueFrom: * secretKeyRef: * name: secret-application * key: MY_SECRET * * @param name The name to use in the final manifest (e.g., environment variable name). */ forName(name) { this.targetName = name; return this; } inject(kind, strategyOptions) { if (kind === undefined) { // no arguments provided if (this.provider.supportedStrategies.length !== 1) { throw new Error(`[SecretInjectionBuilder] inject() requires a strategy because provider supports multiple strategies: ${this.provider.supportedStrategies.join(', ')}`); } const defaultKind = this.provider.supportedStrategies[0]; this.strategy = this.resolveDefaultStrategy(defaultKind); } else { this.strategy = { kind, ...strategyOptions }; } return this; } /** * Resolves a default injection strategy based on the `kind` supported by the provider. * This allows `.inject()` to be used without arguments when the provider supports exactly one kind. * * Each kind has its own defaults: * - `env` → `{ kind: 'env', containerIndex: 0 }` * - `imagePullSecret` → `{ kind: 'imagePullSecret' }` * - `annotation` → `{ kind: 'annotation' }` * * If the kind is unsupported for defaulting, an error is thrown. */ resolveDefaultStrategy(kind) { let strategy; if (kind === 'env') { strategy = { kind: 'env', containerIndex: 0 }; } else if (kind === 'imagePullSecret') { strategy = { kind: 'imagePullSecret' }; } else if (kind === 'annotation') { strategy = { kind: 'annotation' }; } else { throw new Error(`[SecretInjectionBuilder] inject() with no args is not implemented for kind="${kind}" yet`); } return strategy; } /** * Explicitly define the resource ID that defined in the composer e.g. 'my-deployment', 'my-job' to inject into. */ intoResource(resourceId) { this.resourceIdOverride = resourceId; return this; } /** * Resolve and register the final injection into the stack. * Should be called by SecretsInjectionContext after the injection chain ends. */ resolveInjection() { if (!this.strategy) { throw new Error(`No injection strategy defined for secret: ${this.secretName}`); } // resolve resourceId const resourceId = this.resolveResourceId(); // Get the target path for this injection const path = this.provider.getTargetPath(this.strategy); // Register the injection into the stack this.stack.registerSecretInjection({ provider: this.provider, providerId: this.ctx.providerId, resourceId, path, meta: { secretName: this.secretName, targetName: this.targetName ?? this.secretName } }); } /** * Resolve which resource ID to inject into. * Priority: .intoResource(...) > setDefaultResourceId(...) > infer from provider.targetKind */ resolveResourceId() { // Determine resourceId from override if (this.resourceIdOverride) return this.resourceIdOverride; // Determine resourceId from default if (this.ctx.defaultResourceId) return this.ctx.defaultResourceId; // Auto-resolve resourceId using targetKind // This is the default behavior if no resourceId is provided const kind = this.provider.targetKind; const composer = this.stack.getComposer(); if (!composer) { throw new Error(`[SecretInjectionBuilder] No resource composer found in stack. ` + `Make sure .from(...) is called before using .useSecrets(...)`); } const helperMessage = `Please specify a resourceId explicitly \n` + ` → Use .intoResource(...) to specify a resource ID explicitly,\n` + ` → or call setDefaultResourceId(...) in SecretsInjectionContext.`; const resourceId = composer.findResourceIdsByKind(kind); if (resourceId.length === 0) { throw new Error(`[SecretInjectionBuilder] Could not resolve resourceId from provider.targetKind="${kind}".\n` + helperMessage); } else if (resourceId.length > 1) { throw new Error(`[SecretInjectionBuilder] Multiple resourceIds found for provider.targetKind="${kind}".\n` + helperMessage); } return resourceId[0]; } } exports.SecretInjectionBuilder = SecretInjectionBuilder; //# sourceMappingURL=SecretInjectionBuilder.js.map