pepr 0.0.0-development

package/src/lib/assets/pods.ts

@@ -0,0 +1,353 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { V1EnvVar } from "@kubernetes/client-node";
+import { kind } from "kubernetes-fluent-client";
+import { gzipSync } from "zlib";
+import { secretOverLimit } from "../helpers";
+import { Assets } from ".";
+import { ModuleConfig } from "../module";
+import { Binding } from "../types";
+
+/** Generate the pepr-system namespace */
+export function namespace(namespaceLabels?: Record<string, string>) {
+  if (namespaceLabels) {
+    return {
+      apiVersion: "v1",
+      kind: "Namespace",
+      metadata: {
+        name: "pepr-system",
+        labels: namespaceLabels ?? {},
+      },
+    };
+  } else {
+    return {
+      apiVersion: "v1",
+      kind: "Namespace",
+      metadata: {
+        name: "pepr-system",
+      },
+    };
+  }
+}
+
+export function watcher(assets: Assets, hash: string, buildTimestamp: string) {
+  const { name, image, capabilities, config } = assets;
+
+  let hasSchedule = false;
+
+  // Append the watcher suffix
+  const app = `${name}-watcher`;
+  const bindings: Binding[] = [];
+
+  // Loop through the capabilities and find any Watch Actions
+  for (const capability of capabilities) {
+    if (capability.hasSchedule) {
+      hasSchedule = true;
+    }
+    const watchers = capability.bindings.filter(binding => binding.isWatch);
+    bindings.push(...watchers);
+  }
+
+  // If there are no watchers, don't deploy the watcher
+  if (bindings.length < 1 && !hasSchedule) {
+    return null;
+  }
+
+  return {
+    apiVersion: "apps/v1",
+    kind: "Deployment",
+    metadata: {
+      name: app,
+      namespace: "pepr-system",
+      annotations: {
+        "pepr.dev/description": config.description || "",
+      },
+      labels: {
+        app,
+        "pepr.dev/controller": "watcher",
+        "pepr.dev/uuid": config.uuid,
+      },
+    },
+    spec: {
+      replicas: 1,
+      strategy: {
+        type: "Recreate",
+      },
+      selector: {
+        matchLabels: {
+          app,
+          "pepr.dev/controller": "watcher",
+        },
+      },
+      template: {
+        metadata: {
+          annotations: {
+            buildTimestamp: `${buildTimestamp}`,
+          },
+          labels: {
+            app,
+            "pepr.dev/controller": "watcher",
+          },
+        },
+        spec: {
+          terminationGracePeriodSeconds: 5,
+          serviceAccountName: name,
+          securityContext: {
+            runAsUser: 65532,
+            runAsGroup: 65532,
+            runAsNonRoot: true,
+            fsGroup: 65532,
+          },
+          containers: [
+            {
+              name: "watcher",
+              image,
+              imagePullPolicy: "IfNotPresent",
+              command: ["node", "/app/node_modules/pepr/dist/controller.js", hash],
+              readinessProbe: {
+                httpGet: {
+                  path: "/healthz",
+                  port: 3000,
+                  scheme: "HTTPS",
+                },
+              },
+              livenessProbe: {
+                httpGet: {
+                  path: "/healthz",
+                  port: 3000,
+                  scheme: "HTTPS",
+                },
+              },
+              ports: [
+                {
+                  containerPort: 3000,
+                },
+              ],
+              resources: {
+                requests: {
+                  memory: "64Mi",
+                  cpu: "100m",
+                },
+                limits: {
+                  memory: "256Mi",
+                  cpu: "500m",
+                },
+              },
+              securityContext: {
+                runAsUser: 65532,
+                runAsGroup: 65532,
+                runAsNonRoot: true,
+                allowPrivilegeEscalation: false,
+                capabilities: {
+                  drop: ["ALL"],
+                },
+              },
+              volumeMounts: [
+                {
+                  name: "tls-certs",
+                  mountPath: "/etc/certs",
+                  readOnly: true,
+                },
+                {
+                  name: "module",
+                  mountPath: `/app/load`,
+                  readOnly: true,
+                },
+              ],
+              env: genEnv(config, true),
+            },
+          ],
+          volumes: [
+            {
+              name: "tls-certs",
+              secret: {
+                secretName: `${name}-tls`,
+              },
+            },
+            {
+              name: "module",
+              secret: {
+                secretName: `${name}-module`,
+              },
+            },
+          ],
+        },
+      },
+    },
+  };
+}
+
+export function deployment(assets: Assets, hash: string, buildTimestamp: string): kind.Deployment {
+  const { name, image, config } = assets;
+  const app = name;
+
+  return {
+    apiVersion: "apps/v1",
+    kind: "Deployment",
+    metadata: {
+      name,
+      namespace: "pepr-system",
+      annotations: {
+        "pepr.dev/description": config.description || "",
+      },
+      labels: {
+        app,
+        "pepr.dev/controller": "admission",
+        "pepr.dev/uuid": config.uuid,
+      },
+    },
+    spec: {
+      replicas: 2,
+      selector: {
+        matchLabels: {
+          app,
+          "pepr.dev/controller": "admission",
+        },
+      },
+      template: {
+        metadata: {
+          annotations: {
+            buildTimestamp: `${buildTimestamp}`,
+          },
+          labels: {
+            app,
+            "pepr.dev/controller": "admission",
+          },
+        },
+        spec: {
+          terminationGracePeriodSeconds: 5,
+          priorityClassName: "system-node-critical",
+          serviceAccountName: name,
+          securityContext: {
+            runAsUser: 65532,
+            runAsGroup: 65532,
+            runAsNonRoot: true,
+            fsGroup: 65532,
+          },
+          containers: [
+            {
+              name: "server",
+              image,
+              imagePullPolicy: "IfNotPresent",
+              command: ["node", "/app/node_modules/pepr/dist/controller.js", hash],
+              readinessProbe: {
+                httpGet: {
+                  path: "/healthz",
+                  port: 3000,
+                  scheme: "HTTPS",
+                },
+              },
+              livenessProbe: {
+                httpGet: {
+                  path: "/healthz",
+                  port: 3000,
+                  scheme: "HTTPS",
+                },
+              },
+              ports: [
+                {
+                  containerPort: 3000,
+                },
+              ],
+              resources: {
+                requests: {
+                  memory: "64Mi",
+                  cpu: "100m",
+                },
+                limits: {
+                  memory: "256Mi",
+                  cpu: "500m",
+                },
+              },
+              env: genEnv(config),
+              securityContext: {
+                runAsUser: 65532,
+                runAsGroup: 65532,
+                runAsNonRoot: true,
+                allowPrivilegeEscalation: false,
+                capabilities: {
+                  drop: ["ALL"],
+                },
+              },
+              volumeMounts: [
+                {
+                  name: "tls-certs",
+                  mountPath: "/etc/certs",
+                  readOnly: true,
+                },
+                {
+                  name: "api-token",
+                  mountPath: "/app/api-token",
+                  readOnly: true,
+                },
+                {
+                  name: "module",
+                  mountPath: `/app/load`,
+                  readOnly: true,
+                },
+              ],
+            },
+          ],
+          volumes: [
+            {
+              name: "tls-certs",
+              secret: {
+                secretName: `${name}-tls`,
+              },
+            },
+            {
+              name: "api-token",
+              secret: {
+                secretName: `${name}-api-token`,
+              },
+            },
+            {
+              name: "module",
+              secret: {
+                secretName: `${name}-module`,
+              },
+            },
+          ],
+        },
+      },
+    },
+  };
+}
+
+export function moduleSecret(name: string, data: Buffer, hash: string): kind.Secret {
+  // Compress the data
+  const compressed = gzipSync(data);
+  const path = `module-${hash}.js.gz`;
+  const compressedData = compressed.toString("base64");
+  if (secretOverLimit(compressedData)) {
+    const error = new Error(`Module secret for ${name} is over the 1MB limit`);
+    console.error("Uncaught Exception:", error);
+    process.exit(1);
+  } else {
+    return {
+      apiVersion: "v1",
+      kind: "Secret",
+      metadata: {
+        name: `${name}-module`,
+        namespace: "pepr-system",
+      },
+      type: "Opaque",
+      data: {
+        [path]: compressed.toString("base64"),
+      },
+    };
+  }
+}
+
+function genEnv(config: ModuleConfig, watchMode = false): V1EnvVar[] {
+  const def = {
+    PEPR_WATCH_MODE: watchMode ? "true" : "false",
+    PEPR_PRETTY_LOG: "false",
+    LOG_LEVEL: config.logLevel || "info",
+  };
+  const cfg = config.env || {};
+  const env = Object.entries({ ...def, ...cfg }).map(([name, value]) => ({ name, value }));
+
+  return env;
+}

package/src/lib/assets/rbac.ts

@@ -0,0 +1,111 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { kind } from "kubernetes-fluent-client";
+import { CapabilityExport } from "../types";
+import { createRBACMap } from "../helpers";
+/**
+ * Grants the controller access to cluster resources beyond the mutating webhook.
+ *
+ * @todo: should dynamically generate this based on resources used by the module. will also need to explore how this should work for multiple modules.
+ * @returns
+ */
+export function clusterRole(name: string, capabilities: CapabilityExport[], rbacMode: string = ""): kind.ClusterRole {
+  const rbacMap = createRBACMap(capabilities);
+  return {
+    apiVersion: "rbac.authorization.k8s.io/v1",
+    kind: "ClusterRole",
+    metadata: { name },
+    rules:
+      rbacMode === "scoped"
+        ? [
+            ...Object.keys(rbacMap).map(key => {
+              // let group:string, version:string, kind:string;
+              let group: string;
+              key.split("/").length < 3 ? (group = "") : (group = key.split("/")[0]);
+
+              return {
+                apiGroups: [group],
+                resources: [rbacMap[key].plural],
+                verbs: rbacMap[key].verbs,
+              };
+            }),
+          ]
+        : [
+            {
+              apiGroups: ["*"],
+              resources: ["*"],
+              verbs: ["create", "delete", "get", "list", "patch", "update", "watch"],
+            },
+          ],
+  };
+}
+
+export function clusterRoleBinding(name: string): kind.ClusterRoleBinding {
+  return {
+    apiVersion: "rbac.authorization.k8s.io/v1",
+    kind: "ClusterRoleBinding",
+    metadata: { name },
+    roleRef: {
+      apiGroup: "rbac.authorization.k8s.io",
+      kind: "ClusterRole",
+      name,
+    },
+    subjects: [
+      {
+        kind: "ServiceAccount",
+        name,
+        namespace: "pepr-system",
+      },
+    ],
+  };
+}
+
+export function serviceAccount(name: string): kind.ServiceAccount {
+  return {
+    apiVersion: "v1",
+    kind: "ServiceAccount",
+    metadata: {
+      name,
+      namespace: "pepr-system",
+    },
+  };
+}
+
+export function storeRole(name: string): kind.Role {
+  name = `${name}-store`;
+  return {
+    apiVersion: "rbac.authorization.k8s.io/v1",
+    kind: "Role",
+    metadata: { name, namespace: "pepr-system" },
+    rules: [
+      {
+        apiGroups: ["pepr.dev"],
+        resources: ["peprstores"],
+        resourceNames: [""],
+        verbs: ["create", "get", "patch", "watch"],
+      },
+    ],
+  };
+}
+
+export function storeRoleBinding(name: string): kind.RoleBinding {
+  name = `${name}-store`;
+  return {
+    apiVersion: "rbac.authorization.k8s.io/v1",
+    kind: "RoleBinding",
+    metadata: { name, namespace: "pepr-system" },
+    roleRef: {
+      apiGroup: "rbac.authorization.k8s.io",
+      kind: "Role",
+      name,
+    },
+    subjects: [
+      {
+        kind: "ServiceAccount",
+        name,
+        namespace: "pepr-system",
+      },
+    ],
+  };
+}

package/src/lib/assets/store.ts

@@ -0,0 +1,49 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { kind as k } from "kubernetes-fluent-client";
+
+import { peprStoreGVK } from "../k8s";
+
+export const { group, version, kind } = peprStoreGVK;
+export const singular = kind.toLocaleLowerCase();
+export const plural = `${singular}s`;
+export const name = `${plural}.${group}`;
+
+export const peprStoreCRD: k.CustomResourceDefinition = {
+  apiVersion: "apiextensions.k8s.io/v1",
+  kind: "CustomResourceDefinition",
+  metadata: {
+    name,
+  },
+  spec: {
+    group,
+    versions: [
+      {
+        // typescript doesn't know this is really already set, which is kind of annoying
+        name: version || "v1",
+        served: true,
+        storage: true,
+        schema: {
+          openAPIV3Schema: {
+            type: "object",
+            properties: {
+              data: {
+                type: "object",
+                additionalProperties: {
+                  type: "string",
+                },
+              },
+            },
+          },
+        },
+      },
+    ],
+    scope: "Namespaced",
+    names: {
+      plural,
+      singular,
+      kind,
+    },
+  },
+};

package/src/lib/assets/webhooks.ts

@@ -0,0 +1,147 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import {
+  AdmissionregistrationV1WebhookClientConfig as AdmissionRegnV1WebhookClientCfg,
+  V1LabelSelectorRequirement,
+  V1RuleWithOperations,
+} from "@kubernetes/client-node";
+import { kind } from "kubernetes-fluent-client";
+import { concat, equals, uniqWith } from "ramda";
+
+import { Assets } from ".";
+import { Event } from "../types";
+
+const peprIgnoreLabel: V1LabelSelectorRequirement = {
+  key: "pepr.dev",
+  operator: "NotIn",
+  values: ["ignore"],
+};
+
+const peprIgnoreNamespaces: string[] = ["kube-system", "pepr-system"];
+
+export async function generateWebhookRules(assets: Assets, isMutateWebhook: boolean) {
+  const { config, capabilities } = assets;
+  const rules: V1RuleWithOperations[] = [];
+
+  // Iterate through the capabilities and generate the rules
+  for (const capability of capabilities) {
+    console.info(`Module ${config.uuid} has capability: ${capability.name}`);
+
+    // Read the bindings and generate the rules
+    for (const binding of capability.bindings) {
+      const { event, kind, isMutate, isValidate } = binding;
+
+      // If the module doesn't have a callback for the event, skip it
+      if (isMutateWebhook && !isMutate) {
+        continue;
+      }
+
+      if (!isMutateWebhook && !isValidate) {
+        continue;
+      }
+
+      const operations: string[] = [];
+
+      // CreateOrUpdate is a Pepr-specific event that is translated to Create and Update
+      if (event === Event.CreateOrUpdate) {
+        operations.push(Event.Create, Event.Update);
+      } else {
+        operations.push(event);
+      }
+
+      // Use the plural property if it exists, otherwise use lowercase kind + s
+      const resource = kind.plural || `${kind.kind.toLowerCase()}s`;
+
+      const ruleObject = {
+        apiGroups: [kind.group],
+        apiVersions: [kind.version || "*"],
+        operations,
+        resources: [resource],
+      };
+
+      // If the resource is pods, add ephemeralcontainers as well
+      if (resource === "pods") {
+        ruleObject.resources.push("pods/ephemeralcontainers");
+      }
+
+      // Add the rule to the rules array
+      rules.push(ruleObject);
+    }
+  }
+
+  // Return the rules with duplicates removed
+  return uniqWith(equals, rules);
+}
+
+export async function webhookConfig(
+  assets: Assets,
+  mutateOrValidate: "mutate" | "validate",
+  timeoutSeconds = 10,
+): Promise<kind.MutatingWebhookConfiguration | kind.ValidatingWebhookConfiguration | null> {
+  const ignore = [peprIgnoreLabel];
+
+  const { name, tls, config, apiToken, host } = assets;
+  const ignoreNS = concat(peprIgnoreNamespaces, config.alwaysIgnore.namespaces || []);
+
+  // Add any namespaces to ignore
+  if (ignoreNS) {
+    ignore.push({
+      key: "kubernetes.io/metadata.name",
+      operator: "NotIn",
+      values: ignoreNS,
+    });
+  }
+
+  const clientConfig: AdmissionRegnV1WebhookClientCfg = {
+    caBundle: tls.ca,
+  };
+
+  // The URL must include the API Token
+  const apiPath = `/${mutateOrValidate}/${apiToken}`;
+
+  // If a host is specified, use that with a port of 3000
+  if (host) {
+    clientConfig.url = `https://${host}:3000${apiPath}`;
+  } else {
+    // Otherwise, use the service
+    clientConfig.service = {
+      name: name,
+      namespace: "pepr-system",
+      path: apiPath,
+    };
+  }
+
+  const isMutate = mutateOrValidate === "mutate";
+  const rules = await generateWebhookRules(assets, isMutate);
+
+  // If there are no rules, return null
+  if (rules.length < 1) {
+    return null;
+  }
+
+  return {
+    apiVersion: "admissionregistration.k8s.io/v1",
+    kind: isMutate ? "MutatingWebhookConfiguration" : "ValidatingWebhookConfiguration",
+    metadata: { name },
+    webhooks: [
+      {
+        name: `${name}.pepr.dev`,
+        admissionReviewVersions: ["v1", "v1beta1"],
+        clientConfig,
+        failurePolicy: config.onError === "reject" ? "Fail" : "Ignore",
+        matchPolicy: "Equivalent",
+        timeoutSeconds,
+        namespaceSelector: {
+          matchExpressions: ignore,
+        },
+        objectSelector: {
+          matchExpressions: ignore,
+        },
+        rules,
+        // @todo: track side effects state
+        sideEffects: "None",
+      },
+    ],
+  };
+}