fix: Generate correct component files matching existing structure

- AlloyDB Omni: generate dbcluster.yml and user-authentication.yml (not deployment-patch)
- Network Policy: only generate network-policy.yml (not dns-network-policy)
- Autoscaling: generate horizontal-pod-autoscaler.yml (not hpa.yml)
- Workload Identity: generate service-account.yml and secret-store.yml (not patches)
- Update kustomization templates to reference correct files
- Ensures generated components match existing webapp-team-app structure

Author: pinetops

internal/generate/components.go

@@ -70,34 +70,35 @@ func GetComponentAdditionalFiles(cfg *config.AppConfig, componentName string) (m
 	// Define additional files for each component
 	switch componentName {
 	case "database/alloydb-omni":
-		// AlloyDB Omni component files
-		deploymentPatch, err := generateAlloyDBDeploymentPatch(ctx)
+		// AlloyDB Omni component files - only needed for preview environments
+		// These files define the DBCluster CRD for AlloyDB Omni operator
+		dbCluster, err := generateDBCluster(ctx)
 		if err != nil {
 			return nil, err
 		}
-		files["deployment-patch.yml"] = deploymentPatch
+		files["dbcluster.yml"] = dbCluster
 
-	case "networking/gke-network-policy":
-		// Network policy files
-		networkPolicy, err := generateNetworkPolicy(ctx)
+		userAuth, err := generateUserAuthentication(ctx)
 		if err != nil {
 			return nil, err
 		}
-		files["network-policy.yml"] = networkPolicy
+		files["user-authentication.yml"] = userAuth
 
-		dnsPolicy, err := generateDNSNetworkPolicy(ctx)
+	case "networking/gke-network-policy":
+		// Network policy files - single comprehensive policy
+		networkPolicy, err := generateNetworkPolicy(ctx)
 		if err != nil {
 			return nil, err
 		}
-		files["dns-network-policy.yml"] = dnsPolicy
+		files["network-policy.yml"] = networkPolicy
 
 	case "observability/autoscaling":
 		// HPA configuration
 		hpa, err := generateHPA(ctx)
 		if err != nil {
 			return nil, err
 		}
-		files["hpa.yml"] = hpa
+		files["horizontal-pod-autoscaler.yml"] = hpa
 
 		// PodDisruptionBudget configuration
 		pdb, err := generatePDB(ctx)
@@ -107,60 +108,93 @@ func GetComponentAdditionalFiles(cfg *config.AppConfig, componentName string) (m
 		files["pod-disruption-budget.yml"] = pdb
 
 	case "security/workload-identity":
-		// Service account patch
-		saPatch, err := generateServiceAccountPatch(ctx)
+		// Service account with workload identity annotation
+		sa, err := generateServiceAccount(ctx)
 		if err != nil {
 			return nil, err
 		}
-		files["service-account-patch.yml"] = saPatch
+		files["service-account.yml"] = sa
+		
+		// External Secrets Operator SecretStore for Google Secret Manager
+		ss, err := generateSecretStore(ctx)
+		if err != nil {
+			return nil, err
+		}
+		files["secret-store.yml"] = ss
 	}
 
 	return files, nil
 }
 
 // Helper functions to generate specific component files
-func generateAlloyDBDeploymentPatch(ctx componentContext) (string, error) {
-	patch := `apiVersion: apps/v1
-kind: Deployment
+func generateDBCluster(ctx componentContext) (string, error) {
+	cluster := `apiVersion: alloydbomni.dbadmin.goog/v1
+kind: DBCluster
 metadata:
-  name: ${APP_NAME} # from-param: ${APP_NAME}
+  name: alloydb-preview
+  namespace: ${NAMESPACE} # from-param: ${NAMESPACE}
+  labels:
+    app: alloydb-omni
+    component: database
 spec:
-  template:
-    spec:
-      containers:
-      - name: alloydb-omni
-        image: gcr.io/alloydb-omni/alloydbomni:16
-        env:
-        - name: POSTGRES_DB
-          value: ${DATABASE_NAME} # from-param: ${DATABASE_NAME}
-        - name: POSTGRES_USER
-          value: postgres
-        - name: POSTGRES_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: ${APP_NAME}-database-secret # from-param: ${APP_NAME}-database-secret
-              key: password
-        - name: PGDATA
-          value: /var/lib/postgresql/data/pgdata
-        ports:
-        - containerPort: 5432
-          name: postgres
-        volumeMounts:
-        - name: postgres-storage
-          mountPath: /var/lib/postgresql/data
-        - name: dshm
-          mountPath: /dev/shm
-      volumes:
-      - name: postgres-storage
-        emptyDir: {}
-      - name: dshm
-        emptyDir:
-          medium: Memory
-      securityContext:
-        fsGroup: 999
+  databaseVersion: "16.8.0"
+  availability:
+    numberOfStandbys: 0  # Explicitly disable HA for single-instance preview
+    enableStandbyAsReadReplica: false
+  primarySpec:
+    adminUser:
+      passwordRef:
+        name: db-pw-alloydb-preview
+    availabilityOptions:
+      # Single instance configuration - no HA needed for preview
+      livenessProbe: Enabled  # Keep container health checks
+      readinessProbe: Enabled
+    resources:
+      memory: 4Gi
+      cpu: 2
+      disk: 50Gi
+    featureGates:
+      enableSimulatedMaintenanceEvents: false
+`
+	
+	tmpl, err := template.New("dbcluster").Parse(cluster)
+	if err != nil {
+		return "", err
+	}
+	
+	var buf bytes.Buffer
+	if err := tmpl.Execute(&buf, ctx); err != nil {
+		return "", err
+	}
+	
+	return buf.String(), nil
+}
+
+func generateUserAuthentication(ctx componentContext) (string, error) {
+	auth := `apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: alloydb-user-auth
+  namespace: ${NAMESPACE} # from-param: ${NAMESPACE}
+data:
+  pg_hba.conf: |
+    # TYPE  DATABASE        USER            ADDRESS                 METHOD
+    local   all             all                                     trust
+    host    all             all             127.0.0.1/32            trust
+    host    all             all             ::1/128                 trust
+    host    all             all             0.0.0.0/0               md5
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: db-pw-alloydb-preview
+  namespace: ${NAMESPACE} # from-param: ${NAMESPACE}
+type: Opaque
+stringData:
+  password: dev-password-123  # This should be replaced with a secure password
 `
 
-	tmpl, err := template.New("alloydb-patch").Parse(patch)
+	tmpl, err := template.New("user-auth").Parse(auth)
 	if err != nil {
 		return "", err
 	}
@@ -212,91 +246,53 @@ spec:
     ports:
     - protocol: TCP
       port: 80
+  # Allow DNS to node-local DNS cache (GKE uses NodeLocal DNSCache at 169.254.20.10)
+  - to:
+    - ipBlock:
+        cidr: 169.254.20.10/32
+    ports:
+    - protocol: UDP
+      port: 53
     - protocol: TCP
-      port: 443
-  # Allow DNS
+      port: 53
+  # Also allow DNS to kube-system namespace as fallback
   - to:
     - namespaceSelector:
         matchLabels:
           kubernetes.io/metadata.name: kube-system
-    - podSelector:
-        matchLabels:
-          k8s-app: kube-dns
     ports:
     - protocol: UDP
       port: 53
     - protocol: TCP
       port: 53
-  # Allow HTTPS to any destination
+  # Allow HTTPS outbound
   - to:
     - ipBlock:
         cidr: 0.0.0.0/0
     ports:
     - protocol: TCP
       port: 443
-  # Allow database connections to private networks (RFC1918)
+  # Allow database connections to private networks (for AlloyDB, Cloud SQL, etc.)
+  # RFC1918 private address ranges where databases typically reside
   - to:
     - ipBlock:
-        cidr: 10.0.0.0/8
+        cidr: 10.0.0.0/8      # Class A private
     - ipBlock:
-        cidr: 172.16.0.0/12
+        cidr: 172.16.0.0/12   # Class B private
     - ipBlock:
-        cidr: 192.168.0.0/16
+        cidr: 192.168.0.0/16  # Class C private
     ports:
     - protocol: TCP
-      port: 5432
+      port: 5432  # PostgreSQL
     - protocol: TCP
-      port: 3306
-`
-	
-	tmpl, err := template.New("network-policy").Parse(policy)
-	if err != nil {
-		return "", err
-	}
-	
-	var buf bytes.Buffer
-	if err := tmpl.Execute(&buf, ctx); err != nil {
-		return "", err
-	}
-	
-	return buf.String(), nil
-}
-
-func generateDNSNetworkPolicy(ctx componentContext) (string, error) {
-	policy := `apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: ${APP_NAME}-dns-policy # from-param: ${NAME_PREFIX}${APP_NAME}-dns-policy
-  namespace: ${NAMESPACE} # from-param: ${NAMESPACE}
-spec:
-  podSelector:
-    matchLabels:
-      app: ${APP_NAME} # from-param: ${APP_NAME}
-  policyTypes:
-  - Egress
-  egress:
-  # Allow DNS to GKE NodeLocal DNSCache
-  - to:
-    - ipBlock:
-        cidr: 169.254.20.10/32
-    ports:
-    - protocol: UDP
-      port: 53
+      port: 5433  # AlloyDB Auth Proxy
     - protocol: TCP
-      port: 53
-  # Allow DNS to kube-system namespace as fallback
-  - to:
-    - namespaceSelector:
-        matchLabels:
-          kubernetes.io/metadata.name: kube-system
-    ports:
-    - protocol: UDP
-      port: 53
+      port: 3306  # MySQL
     - protocol: TCP
-      port: 53
+      port: 3307  # Cloud SQL MySQL
 `
 
-	tmpl, err := template.New("dns-policy").Parse(policy)
+	tmpl, err := template.New("network-policy").Parse(policy)
 	if err != nil {
 		return "", err
 	}
@@ -309,6 +305,7 @@ spec:
 	return buf.String(), nil
 }
 
+
 func generateHPA(ctx componentContext) (string, error) {
 	hpa := `apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
@@ -395,18 +392,52 @@ spec:
 	return buf.String(), nil
 }
 
-func generateServiceAccountPatch(ctx componentContext) (string, error) {
-	patch := `apiVersion: v1
+func generateServiceAccount(ctx componentContext) (string, error) {
+	sa := `apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: ${APP_NAME} # from-param: ${APP_NAME}
   namespace: ${NAMESPACE} # from-param: ${NAMESPACE}
+  labels:
+    app: ${APP_NAME} # from-param: ${APP_NAME}
+    stage: ${STAGE} # from-param: ${STAGE}
+    boundary: ${BOUNDARY} # from-param: ${BOUNDARY}
   annotations:
-    iam.gke.io/gcp-service-account: ${APP_NAME}-${STAGE}@${PROJECT_ID}.iam.gserviceaccount.com # from-param
-automountServiceAccountToken: true
+    iam.gke.io/gcp-service-account: ${APP_NAME}-k8s@${PROJECT_ID}.iam.gserviceaccount.com # from-param: ${APP_NAME}-k8s@${PROJECT_ID}.iam.gserviceaccount.com
+`
+	
+	tmpl, err := template.New("service-account").Parse(sa)
+	if err != nil {
+		return "", err
+	}
+	
+	var buf bytes.Buffer
+	if err := tmpl.Execute(&buf, ctx); err != nil {
+		return "", err
+	}
+	
+	return buf.String(), nil
+}
+
+func generateSecretStore(ctx componentContext) (string, error) {
+	ss := `apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: ${APP_NAME}-secret-store # from-param: ${APP_NAME}-secret-store
+  namespace: ${NAMESPACE} # from-param: ${NAMESPACE}
+spec:
+  provider:
+    gcpsm:
+      projectID: ${PROJECT_ID} # from-param: ${PROJECT_ID}
+      auth:
+        workloadIdentity:
+          clusterLocation: ${CLUSTER_LOCATION} # from-param: ${CLUSTER_LOCATION}
+          clusterName: ${CLUSTER_NAME} # from-param: ${CLUSTER_NAME}
+          serviceAccountRef:
+            name: ${APP_NAME} # from-param: ${APP_NAME}
 `
 
-	tmpl, err := template.New("sa-patch").Parse(patch)
+	tmpl, err := template.New("secret-store").Parse(ss)
 	if err != nil {
 		return "", err
 	}

internal/generate/templates/components/database-alloydb-omni/kustomization.yml.tmpl

@@ -1,12 +1,12 @@
-# AlloyDB Omni Database Component
-# Adds a PostgreSQL-compatible AlloyDB Omni sidecar container for preview environments
 apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component
 
-resources: []
+resources:
+- dbcluster.yml
+- user-authentication.yml
 
-patches:
-  - path: deployment-patch.yml
-    target:
-      kind: Deployment
-      name: ${APP_NAME} # from-param: ${APP_NAME}
+# This component provides AlloyDB Omni for preview/dev environments
+# Includes:
+# - DBCluster with single instance configuration
+# - UserDefinedAuthentication for pg_hba.conf
+# - Secret for database password

internal/generate/templates/components/networking-gke-network-policy/kustomization.yml.tmpl

@@ -4,5 +4,4 @@ apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component
 
 resources:
-  - network-policy.yml
-  - dns-network-policy.yml
+  - network-policy.yml

internal/generate/templates/components/observability-autoscaling/kustomization.yml.tmpl

@@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component
 
 resources:
-  - hpa.yml
+  - horizontal-pod-autoscaler.yml
   - pod-disruption-budget.yml