pepr 0.1.21 → 0.1.24

package/README.md

@@ -2,6 +2,14 @@
 
 <img align="right" width="40%" src=".images/pepr.png" />
 
+Pepr is on a mission to save Kubernetes from the tyranny of YAML, intimidating glue code, bash scripts, and other makeshift solutions. As a Kubernetes controller, Pepr empowers you to define Kubernetes transformations using TypeScript, without software development expertise thanks to plain-english configurations. Pepr transforms a patchwork of forks, scripts, overlays, and other chaos into a cohesive, well-structured, and maintainable system. With Pepr, you can seamlessly transition IT ops tribal knowledge into code, simplifying documentation, testing, validation, and coordination of changes for a more predictable outcome.
+
+## Features
+
+- Define a set of Kubernetes transformations/actions as Pepr capabilities.
+- Write capabilities in TypeScript and bundle them for in-cluster processing in [NodeJS](https://nodejs.org/).
+- React to cluster resources by mutating them, creating new Kubernetes resources, or performing arbitrary exec/API operations.
+
 Pepr is an open-source project that helps IT Ops teams of all skill levels manage and modify resources in a Kubernetes (K8s) cluster using TypeScript. Kubernetes simplifies the management of multiple computers working together to run and scale applications. Pepr acts as a smart assistant, automatically changing or validating parts of the system as needed.
 
 TypeScript is used to create Pepr capabilities, benefiting from its error-catching and clean code features, but without requiring specialized software engineering experience or prior Typescript knowledge. Pepr also provides a user-friendly interface for writing commands in plain English in a [Fluent Interface](https://en.wikipedia.org/wiki/Fluent_interface) style.
@@ -10,12 +18,6 @@ Capabilities are logical groupings of actions, which are the atomic units of cha
 
 Imagine Pepr as a smart home system where different devices communicate with each other. Pepr provides instructions, simplifying the management of the smart home. The project enables both expert and novice capability authors to improve management and interactions within the Kubernetes environment, making its features accessible to everyone.
 
-## Features
-
-- Define a set of Kubernetes transformations/actions as Pepr capabilities.
-- Write capabilities in TypeScript and bundle them for in-cluster processing in [NodeJS](https://nodejs.org/).
-- React to cluster resources by mutating them, creating new Kubernetes resources, or performing arbitrary exec/API operations.
-
 ## Concepts
 
 ### Module

package/dist/pepr-cli.js

@@ -7,10 +7,7 @@ var typescript = require('@rollup/plugin-typescript');
 var fs = require('fs');
 var path = require('path');
 var rollup = require('rollup');
-var types = require('./types-672dd6e4.js');
-require('@kubernetes/client-node/dist');
-require('ramda');
-require('fast-json-patch');
+var types = require('./types-1709b44f.js');
 var clientNode = require('@kubernetes/client-node');
 var zlib = require('zlib');
 var forge = require('node-forge');
@@ -21,7 +18,7 @@ var uuid = require('uuid');
 var commander = require('commander');
 var chokidar = require('chokidar');
 
-var version = "0.1.21";
+var version = "0.1.24";
 
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
@@ -118,15 +115,21 @@ function genTLS(name) {
     ]);
     // Generate a new server key pair and create a server certificate signed by the CA
     const serverKeys = forge.pki.rsa.generateKeyPair(2048);
-    const serverCert = genCert(serverKeys, `${name}.pepr-system.svc`, caCert.subject.attributes);
+    const serverCert = genCert(serverKeys, name, caCert.subject.attributes);
     // Sign both certificates with the CA private key
     caCert.sign(caKeys.privateKey, forge.md.sha256.create());
     serverCert.sign(caKeys.privateKey, forge.md.sha256.create());
-    // Convert the keys and certificates to PEM format and Base64-encode them
-    const ca = Buffer.from(forge.pki.certificateToPem(caCert)).toString("base64");
-    const key = Buffer.from(forge.pki.privateKeyToPem(serverKeys.privateKey)).toString("base64");
-    const crt = Buffer.from(forge.pki.certificateToPem(serverCert)).toString("base64");
-    return { ca, key, crt };
+    // Convert the keys and certificates to PEM format
+    const pem = {
+        ca: forge.pki.certificateToPem(caCert),
+        crt: forge.pki.certificateToPem(serverCert),
+        key: forge.pki.privateKeyToPem(serverKeys.privateKey),
+    };
+    // Base64-encode the PEM strings
+    const ca = Buffer.from(pem.ca).toString("base64");
+    const key = Buffer.from(pem.key).toString("base64");
+    const crt = Buffer.from(pem.crt).toString("base64");
+    return { ca, key, crt, pem };
 }
 function genCert(key, name, issuer) {
     const crt = forge.pki.createCertificate();
@@ -159,12 +162,16 @@ const peprIgnore = {
     values: ["ignore"],
 };
 class Webhook {
-    constructor(config) {
+    get tls() {
+        return this._tls;
+    }
+    constructor(config, host) {
         this.config = config;
+        this.host = host;
         this.name = `pepr-${config.uuid}`;
         this.image = `ghcr.io/defenseunicorns/pepr/controller:${config.version}`;
         // Generate the ephemeral tls things
-        this.tls = genTLS(this.name);
+        this._tls = genTLS(this.host || `${this.name}.pepr-system.svc`);
     }
     /** Generate the pepr-system namespace */
     namespace() {
@@ -235,8 +242,8 @@ class Webhook {
             },
             type: "kubernetes.io/tls",
             data: {
-                "tls.crt": this.tls.crt,
-                "tls.key": this.tls.key,
+                "tls.crt": this._tls.crt,
+                "tls.key": this._tls.key,
             },
         };
     }
@@ -251,6 +258,21 @@ class Webhook {
                 values: this.config.alwaysIgnore.namespaces,
             });
         }
+        const clientConfig = {
+            caBundle: this._tls.ca,
+        };
+        // If a host is specified, use that with a port of 3000
+        if (this.host) {
+            clientConfig.url = `https://${this.host}:3000/mutate`;
+        }
+        else {
+            // Otherwise, use the service
+            clientConfig.service = {
+                name: this.name,
+                namespace: "pepr-system",
+                path: "/mutate",
+            };
+        }
         return {
             apiVersion: "admissionregistration.k8s.io/v1",
             kind: "MutatingWebhookConfiguration",
@@ -259,14 +281,7 @@ class Webhook {
                 {
                     name: `${name}.pepr.dev`,
                     admissionReviewVersions: ["v1", "v1beta1"],
-                    clientConfig: {
-                        caBundle: this.tls.ca,
-                        service: {
-                            name: this.name,
-                            namespace: "pepr-system",
-                            path: "/mutate",
-                        },
-                    },
+                    clientConfig,
                     failurePolicy: "Ignore",
                     matchPolicy: "Equivalent",
                     timeoutSeconds: 15,
@@ -351,6 +366,11 @@ class Webhook {
                                         mountPath: "/etc/certs",
                                         readOnly: true,
                                     },
+                                    {
+                                        name: "module",
+                                        mountPath: "/app/module.js.gz",
+                                        readOnly: true,
+                                    },
                                 ],
                             },
                         ],
@@ -361,12 +381,56 @@ class Webhook {
                                     secretName: `${this.name}-tls`,
                                 },
                             },
+                            {
+                                name: "module",
+                                secret: {
+                                    secretName: `${this.name}-module`,
+                                },
+                            },
                         ],
                     },
                 },
             },
         };
     }
+    /** Only permit the  */
+    networkPolicy() {
+        return {
+            apiVersion: "networking.k8s.io/v1",
+            kind: "NetworkPolicy",
+            metadata: {
+                name: this.name,
+                namespace: "pepr-system",
+            },
+            spec: {
+                podSelector: {
+                    matchLabels: {
+                        app: this.name,
+                    },
+                },
+                policyTypes: ["Ingress"],
+                ingress: [
+                    {
+                        from: [
+                            {
+                                namespaceSelector: {
+                                    matchLabels: {
+                                        "kubernetes.io/metadata.name": "kube-system",
+                                    },
+                                },
+                            },
+                        ],
+                        ports: [
+                            {
+                                protocol: "TCP",
+                                port: 443,
+                            },
+                        ],
+                    },
+                ],
+            },
+        };
+    }
     service() {
         return {
             apiVersion: "v1",
@@ -433,6 +497,7 @@ class Webhook {
     allYaml(code) {
         const resources = [
             this.namespace(),
+            this.networkPolicy(),
             this.clusterRole(),
             this.clusterRoleBinding(),
             this.serviceAccount(),
@@ -446,7 +511,7 @@ class Webhook {
         return resources.map(r => clientNode.dumpYaml(r, { noRefs: true })).join("---\n");
     }
     async deploy(code) {
-        types.Log.info("Establishing connection to Kubernetes");
+        types.logger.info("Establishing connection to Kubernetes");
         const namespace = "pepr-system";
         // Deploy the resources using the k8s API
         const kubeConfig = new clientNode.KubeConfig();
@@ -455,106 +520,121 @@ class Webhook {
         const rbacApi = kubeConfig.makeApiClient(clientNode.RbacAuthorizationV1Api);
         const appsApi = kubeConfig.makeApiClient(clientNode.AppsV1Api);
         const admissionApi = kubeConfig.makeApiClient(clientNode.AdmissionregistrationV1Api);
+        const networkApi = kubeConfig.makeApiClient(clientNode.NetworkingV1Api);
         const ns = this.namespace();
         try {
-            types.Log.info("Checking for namespace");
+            types.logger.info("Checking for namespace");
             await coreV1Api.readNamespace(namespace);
         }
         catch (e) {
-            types.Log.debug(e.body);
-            types.Log.info("Creating namespace");
+            types.logger.debug(e.body);
+            types.logger.info("Creating namespace");
             await coreV1Api.createNamespace(ns);
         }
+        const netpol = this.networkPolicy();
+        try {
+            types.logger.info("Checking for network policy");
+            await networkApi.readNamespacedNetworkPolicy(netpol.metadata.name, namespace);
+        }
+        catch (e) {
+            types.logger.debug(e.body);
+            types.logger.info("Creating network policy");
+            await networkApi.createNamespacedNetworkPolicy(namespace, netpol);
+        }
         const wh = this.mutatingWebhook();
         try {
-            types.Log.info("Creating mutating webhook");
+            types.logger.info("Creating mutating webhook");
             await admissionApi.createMutatingWebhookConfiguration(wh);
         }
         catch (e) {
-            types.Log.debug(e.body);
-            types.Log.info("Removing and re-creating mutating webhook");
+            types.logger.debug(e.body);
+            types.logger.info("Removing and re-creating mutating webhook");
             await admissionApi.deleteMutatingWebhookConfiguration(wh.metadata.name);
             await admissionApi.createMutatingWebhookConfiguration(wh);
         }
         const crb = this.clusterRoleBinding();
         try {
-            types.Log.info("Creating cluster role binding");
+            types.logger.info("Creating cluster role binding");
             await rbacApi.createClusterRoleBinding(crb);
         }
         catch (e) {
-            types.Log.debug(e.body);
-            types.Log.info("Removing and re-creating cluster role binding");
+            types.logger.debug(e.body);
+            types.logger.info("Removing and re-creating cluster role binding");
             await rbacApi.deleteClusterRoleBinding(crb.metadata.name);
             await rbacApi.createClusterRoleBinding(crb);
         }
         const cr = this.clusterRole();
         try {
-            types.Log.info("Creating cluster role");
+            types.logger.info("Creating cluster role");
             await rbacApi.createClusterRole(cr);
         }
         catch (e) {
-            types.Log.debug(e.body);
-            types.Log.info("Removing and re-creating  the cluster role");
+            types.logger.debug(e.body);
+            types.logger.info("Removing and re-creating  the cluster role");
             try {
                 await rbacApi.deleteClusterRole(cr.metadata.name);
                 await rbacApi.createClusterRole(cr);
             }
             catch (e) {
-                types.Log.debug(e.body);
+                types.logger.debug(e.body);
             }
         }
         const sa = this.serviceAccount();
         try {
-            types.Log.info("Creating service account");
+            types.logger.info("Creating service account");
             await coreV1Api.createNamespacedServiceAccount(namespace, sa);
         }
         catch (e) {
-            types.Log.debug(e.body);
-            types.Log.info("Removing and re-creating service account");
+            types.logger.debug(e.body);
+            types.logger.info("Removing and re-creating service account");
             await coreV1Api.deleteNamespacedServiceAccount(sa.metadata.name, namespace);
             await coreV1Api.createNamespacedServiceAccount(namespace, sa);
         }
+        // If a host is specified, we don't need to deploy the rest of the resources
+        if (this.host) {
+            return;
+        }
         const mod = this.moduleSecret(code);
         try {
-            types.Log.info("Creating module secret");
+            types.logger.info("Creating module secret");
             await coreV1Api.createNamespacedSecret(namespace, mod);
         }
         catch (e) {
-            types.Log.debug(e.body);
-            types.Log.info("Removing and re-creating module secret");
+            types.logger.debug(e.body);
+            types.logger.info("Removing and re-creating module secret");
             await coreV1Api.deleteNamespacedSecret(mod.metadata.name, namespace);
             await coreV1Api.createNamespacedSecret(namespace, mod);
         }
         const svc = this.service();
         try {
-            types.Log.info("Creating service");
+            types.logger.info("Creating service");
             await coreV1Api.createNamespacedService(namespace, svc);
         }
         catch (e) {
-            types.Log.debug(e.body);
-            types.Log.info("Removing and re-creating service");
+            types.logger.debug(e.body);
+            types.logger.info("Removing and re-creating service");
             await coreV1Api.deleteNamespacedService(svc.metadata.name, namespace);
             await coreV1Api.createNamespacedService(namespace, svc);
         }
         const tls = this.tlsSecret();
         try {
-            types.Log.info("Creating TLS secret");
+            types.logger.info("Creating TLS secret");
             await coreV1Api.createNamespacedSecret(namespace, tls);
         }
         catch (e) {
-            types.Log.debug(e.body);
-            types.Log.info("Removing and re-creating TLS secret");
+            types.logger.debug(e.body);
+            types.logger.info("Removing and re-creating TLS secret");
             await coreV1Api.deleteNamespacedSecret(tls.metadata.name, namespace);
             await coreV1Api.createNamespacedSecret(namespace, tls);
         }
         const dep = this.deployment();
         try {
-            types.Log.info("Creating deployment");
+            types.logger.info("Creating deployment");
             await appsApi.createNamespacedDeployment(namespace, dep);
         }
         catch (e) {
-            types.Log.debug(e.body);
-            types.Log.info("Removing and re-creating deployment");
+            types.logger.debug(e.body);
+            types.logger.info("Removing and re-creating deployment");
             await appsApi.deleteNamespacedDeployment(dep.metadata.name, namespace);
             await appsApi.createNamespacedDeployment(namespace, dep);
         }
@@ -584,8 +664,8 @@ function build (program) {
         const zarf = webhook.zarfYaml(yamlFile);
         await fs.promises.writeFile(yamlPath, yaml);
         await fs.promises.writeFile(zarfPath, zarf);
-        types.Log.debug(`Module compiled successfully at ${path$1}`);
-        types.Log.info(`K8s resource for the module saved to ${yamlPath}`);
+        types.logger.debug(`Module compiled successfully at ${path$1}`);
+        types.logger.info(`K8s resource for the module saved to ${yamlPath}`);
     });
 }
 const externalLibs = [
@@ -644,8 +724,8 @@ async function buildModule(moduleDir) {
     }
     catch (e) {
         // On any other error, exit with a non-zero exit code
-        types.Log.debug(e);
-        types.Log.error(e.message);
+        types.logger.debug(e);
+        types.logger.error(e.message);
         process.exit(1);
     }
 }
@@ -698,10 +778,51 @@ function deploy (program) {
         }
         try {
             await webhook.deploy(code);
-            types.Log.info(`Module deployed successfully`);
+            types.logger.info(`Module deployed successfully`);
         }
         catch (e) {
-            types.Log.error(`Error deploying module: ${e}`);
+            types.logger.error(`Error deploying module: ${e}`);
+            process.exit(1);
+        }
+    });
+}
+
+// SPDX-License-Identifier: Apache-2.0
+function dev (program) {
+    program
+        .command("dev")
+        .description("Setup a local webhook development environment")
+        .option("-d, --dir [directory]", "Pepr module directory", ".")
+        .option("-h, --host [host]", "Host to listen on", "host.docker.internal")
+        .action(async (opts) => {
+        // Prompt the user to confirm
+        const confirm = await prompt.prompt({
+            type: "confirm",
+            name: "confirm",
+            message: "This will remove and redeploy the module. Continue?",
+        });
+        // Exit if the user doesn't confirm
+        if (!confirm.confirm) {
+            process.exit(0);
+        }
+        // Build the module
+        const { cfg, path } = await buildModule(opts.dir);
+        // Read the compiled module code
+        const code = await fs.promises.readFile(path, { encoding: "utf-8" });
+        // Generate a secret for the module
+        const webhook = new Webhook({
+            ...cfg.pepr,
+            description: cfg.description,
+        }, opts.host);
+        // Write the TLS cert and key to disk
+        await fs.promises.writeFile("insecure-tls.crt", webhook.tls.pem.crt);
+        await fs.promises.writeFile("insecure-tls.key", webhook.tls.pem.key);
+        try {
+            await webhook.deploy(code);
+            types.logger.info(`Module deployed successfully`);
+        }
+        catch (e) {
+            types.logger.error(`Error deploying module: ${e}`);
             process.exit(1);
         }
     });
@@ -1027,11 +1148,7 @@ function walkthrough() {
             },
         ],
     };
-    return prompt([
-        askName,
-        askDescription,
-        askErrorBehavior,
-    ]);
+    return prompt([askName, askDescription, askErrorBehavior]);
 }
 async function confirm(dirName, packageJSON, peprTSPath) {
     console.log(`
@@ -1090,8 +1207,8 @@ function init (program) {
                 console.log(`Open VSCode or your editor of choice in ${dirName} to get started!`);
             }
             catch (e) {
-                types.Log.debug(e);
-                types.Log.error(e.message);
+                types.logger.debug(e);
+                types.logger.error(e.message);
                 process.exit(1);
             }
         }
@@ -1104,7 +1221,7 @@ class RootCmd extends commander.Command {
         const cmd = new commander.Command(name);
         cmd.option("-l, --log-level [level]", "Log level: debug, info, warn, error", "info");
         cmd.hook("preAction", run => {
-            types.Log.SetLogLevel(run.opts().logLevel);
+            types.logger.SetLogLevel(run.opts().logLevel);
         });
         return cmd;
     }
@@ -1119,15 +1236,15 @@ function test (program) {
         .option("-d, --dir [directory]", "Pepr module directory", ".")
         .option("-w, --watch", "Watch for changes and re-run the test")
         .action(async (opts) => {
-        types.Log.info("Test Module");
+        types.logger.info("Test Module");
         await buildAndTest(opts.dir);
         if (opts.watch) {
             const moduleFiles = path.resolve(opts.dir, "**", "*.ts");
             const watcher = chokidar.watch(moduleFiles);
             watcher.on("ready", () => {
-                types.Log.info(`Watching for changes in ${moduleFiles}`);
+                types.logger.info(`Watching for changes in ${moduleFiles}`);
                 watcher.on("all", async (event, path) => {
-                    types.Log.debug({ event, path }, "File changed");
+                    types.logger.debug({ event, path }, "File changed");
                     await buildAndTest(opts.dir);
                 });
             });
@@ -1136,15 +1253,15 @@ function test (program) {
 }
 async function buildAndTest(dir) {
     const { path } = await buildModule(dir);
-    types.Log.info(`Module built successfully at ${path}`);
+    types.logger.info(`Module built successfully at ${path}`);
     try {
         const { stdout, stderr } = await exec(`node ${path}`);
         console.log(stdout);
         console.log(stderr);
     }
     catch (e) {
-        types.Log.debug(e);
-        types.Log.error(`Error running module: ${e}`);
+        types.logger.debug(e);
+        types.logger.error(`Error running module: ${e}`);
         process.exit(1);
     }
 }
@@ -1165,4 +1282,5 @@ build(program);
 capability(program);
 test(program);
 deploy(program);
+dev(program);
 program.parse();

package/dist/pepr-core.js

@@ -1,8 +1,8 @@
 #!/usr/bin/env node
 'use strict';
 
-var types = require('./types-672dd6e4.js');
 var dist = require('@kubernetes/client-node/dist');
+var types = require('./types-1709b44f.js');
 var R = require('ramda');
 var fastJsonPatch = require('fast-json-patch');
 
@@ -501,6 +501,16 @@ function modelToGroupVersionKind(key) {
     return gvkMap[key];
 }
 
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+var Operation;
+(function (Operation) {
+    Operation["CREATE"] = "CREATE";
+    Operation["UPDATE"] = "UPDATE";
+    Operation["DELETE"] = "DELETE";
+    Operation["CONNECT"] = "CONNECT";
+})(Operation || (Operation = {}));
+
 // SPDX-License-Identifier: Apache-2.0
 /**
  * A capability is a unit of functionality that can be registered with the Pepr runtime.
@@ -553,10 +563,10 @@ class Capability {
                 callback: () => null,
             };
             const prefix = `${this._name}: ${model.name}`;
-            types.Log.info(`Binding created`, prefix);
+            types.logger.info(`Binding created`, prefix);
             const Then = (cb) => {
-                types.Log.info(`Binding action created`, prefix);
-                types.Log.debug(cb.toString(), prefix);
+                types.logger.info(`Binding action created`, prefix);
+                types.logger.debug(cb.toString(), prefix);
                 // Push the binding to the list of bindings for this capability as a new BindingAction
                 // with the callback function to preserve
                 this._bindings.push({
@@ -572,22 +582,22 @@ class Capability {
                 return { Then };
             };
             function InNamespace(...namespaces) {
-                types.Log.debug(`Add namespaces filter ${namespaces}`, prefix);
+                types.logger.debug(`Add namespaces filter ${namespaces}`, prefix);
                 binding.filters.namespaces.push(...namespaces);
                 return { WithLabel, WithAnnotation, WithName, Then, ThenSet };
             }
             function WithName(name) {
-                types.Log.debug(`Add name filter ${name}`, prefix);
+                types.logger.debug(`Add name filter ${name}`, prefix);
                 binding.filters.name = name;
                 return { WithLabel, WithAnnotation, Then, ThenSet };
             }
             function WithLabel(key, value = "") {
-                types.Log.debug(`Add label filter ${key}=${value}`, prefix);
+                types.logger.debug(`Add label filter ${key}=${value}`, prefix);
                 binding.filters.labels[key] = value;
                 return { WithLabel, WithAnnotation, Then, ThenSet };
             }
             const WithAnnotation = (key, value = "") => {
-                types.Log.debug(`Add annotation filter ${key}=${value}`, prefix);
+                types.logger.debug(`Add annotation filter ${key}=${value}`, prefix);
                 binding.filters.annotations[key] = value;
                 return { WithLabel, WithAnnotation, Then, ThenSet };
             };
@@ -612,11 +622,54 @@ class Capability {
         this._name = cfg.name;
         this._description = cfg.description;
         this._namespaces = cfg.namespaces;
-        types.Log.info(`Capability ${this._name} registered`);
-        types.Log.debug(cfg);
+        types.logger.info(`Capability ${this._name} registered`);
+        types.logger.debug(cfg);
     }
 }
 
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * shouldSkipRequest determines if a request should be skipped based on the binding filters.
+ *
+ * @param binding the capability action binding
+ * @param req the incoming request
+ * @returns
+ */
+function shouldSkipRequest(binding, req) {
+    const { group, kind, version } = binding.kind;
+    const { namespaces, labels, annotations } = binding.filters;
+    const { metadata } = req.object;
+    if (kind !== req.kind.kind) {
+        types.logger.debug(`${req.kind.kind} does not match ${kind}`);
+        return true;
+    }
+    if (group && group !== req.kind.group) {
+        types.logger.debug(`${req.kind.group} does not match ${group}`);
+        return true;
+    }
+    if (version && version !== req.kind.version) {
+        types.logger.debug(`${req.kind.version} does not match ${version}`);
+        return true;
+    }
+    if (namespaces.length && !namespaces.includes(req.namespace || "")) {
+        types.logger.debug(`${req.namespace} is not in ${namespaces}`);
+        return true;
+    }
+    for (const [key, value] of Object.entries(labels)) {
+        if (metadata?.labels?.[key] !== value) {
+            types.logger.debug(`${metadata?.labels?.[key]} does not match ${value}`);
+            return true;
+        }
+    }
+    for (const [key, value] of Object.entries(annotations)) {
+        if (metadata?.annotations?.[key] !== value) {
+            types.logger.debug(`${metadata?.annotations?.[key]} does not match ${value}`);
+            return true;
+        }
+    }
+    return false;
+}
+
 // SPDX-License-Identifier: Apache-2.0
 /**
  * The RequestWrapper class provides methods to modify Kubernetes objects in the context
@@ -733,49 +786,6 @@ class RequestWrapper {
     }
 }
 
-// SPDX-License-Identifier: Apache-2.0
-/**
- * shouldSkipRequest determines if a request should be skipped based on the binding filters.
- *
- * @param binding the capability action binding
- * @param req the incoming request
- * @returns
- */
-function shouldSkipRequest(binding, req) {
-    const { group, kind, version } = binding.kind;
-    const { namespaces, labels, annotations } = binding.filters;
-    const { metadata } = req.object;
-    if (kind !== req.kind.kind) {
-        types.Log.debug(`${req.kind.kind} does not match ${kind}`);
-        return true;
-    }
-    if (group && group !== req.kind.group) {
-        types.Log.debug(`${req.kind.group} does not match ${group}`);
-        return true;
-    }
-    if (version && version !== req.kind.version) {
-        types.Log.debug(`${req.kind.version} does not match ${version}`);
-        return true;
-    }
-    if (namespaces.length && !namespaces.includes(req.namespace || "")) {
-        types.Log.debug(`${req.namespace} is not in ${namespaces}`);
-        return true;
-    }
-    for (const [key, value] of Object.entries(labels)) {
-        if (metadata?.labels?.[key] !== value) {
-            types.Log.debug(`${metadata?.labels?.[key]} does not match ${value}`);
-            return true;
-        }
-    }
-    for (const [key, value] of Object.entries(annotations)) {
-        if (metadata?.annotations?.[key] !== value) {
-            types.Log.debug(`${metadata?.annotations?.[key]} does not match ${value}`);
-            return true;
-        }
-    }
-    return false;
-}
-
 // SPDX-License-Identifier: Apache-2.0
 function processor(config, capabilities, req) {
     const wrapped = new RequestWrapper(req);
@@ -785,16 +795,16 @@ function processor(config, capabilities, req) {
         warnings: [],
         allowed: false,
     };
-    types.Log.info(`Processing '${req.uid}' for '${req.kind.kind}' '${req.name}'`);
+    types.logger.info(`Processing '${req.uid}' for '${req.kind.kind}' '${req.name}'`);
     for (const { name, bindings } of capabilities) {
         const prefix = `${req.uid} ${req.name}: ${name}`;
-        types.Log.info(`Processing capability ${name}`, prefix);
+        types.logger.info(`Processing capability ${name}`, prefix);
         for (const action of bindings) {
             // Continue to the next action without doing anything if this one should be skipped
             if (shouldSkipRequest(action, req)) {
                 continue;
             }
-            types.Log.info(`Processing matched action ${action.kind.kind}`, prefix);
+            types.logger.info(`Processing matched action ${action.kind.kind}`, prefix);
             // Add annotations to the request to indicate that the capability started processing
             // this will allow tracking of failed mutations that were permitted to continue
             const { metadata } = wrapped.Raw;
@@ -811,12 +821,12 @@ function processor(config, capabilities, req) {
                 response.warnings.push(`Action failed: ${e}`);
                 // If errors are not allowed, note the failure in the Reponse
                 if (config.onError) {
-                    types.Log.error(`Action failed: ${e}`, prefix);
+                    types.logger.error(`Action failed: ${e}`, prefix);
                     response.result = "Pepr module configured to reject on error";
                     return response;
                 }
                 else {
-                    types.Log.warn(`Action failed: ${e}`, prefix);
+                    types.logger.warn(`Action failed: ${e}`, prefix);
                     metadata.annotations[identifier] = "warning";
                 }
             }
@@ -834,7 +844,7 @@ function processor(config, capabilities, req) {
     if (response.warnings.length < 1) {
         delete response.warnings;
     }
-    types.Log.debug(patches);
+    types.logger.debug(patches);
     return response;
 }
 
@@ -859,7 +869,7 @@ class PeprModule {
         this._state = [];
         this._kinds = [];
         this.Register = (capability) => {
-            types.Log.info(`Registering capability ${capability.name}`);
+            types.logger.info(`Registering capability ${capability.name}`);
             // Add the kinds to the list of kinds (ignoring duplicates for now)
             this._kinds = capability.bindings.map(({ kind }) => kind);
             // Add the capability to the state
@@ -873,26 +883,7 @@ class PeprModule {
     }
 }
 
-Object.defineProperty(exports, 'ErrorBehavior', {
-    enumerable: true,
-    get: function () { return types.ErrorBehavior; }
-});
-Object.defineProperty(exports, 'Event', {
-    enumerable: true,
-    get: function () { return types.Event; }
-});
-Object.defineProperty(exports, 'HookPhase', {
-    enumerable: true,
-    get: function () { return types.HookPhase; }
-});
-exports.Log = types.Log;
-Object.defineProperty(exports, 'Operation', {
-    enumerable: true,
-    get: function () { return types.Operation; }
-});
+exports.Log = types.logger;
 exports.Capability = Capability;
 exports.PeprModule = PeprModule;
-exports.RequestWrapper = RequestWrapper;
 exports.a = upstream;
-exports.gvkMap = gvkMap;
-exports.modelToGroupVersionKind = modelToGroupVersionKind;

package/dist/{types-672dd6e4.js → types-1709b44f.js}

@@ -116,17 +116,7 @@ class Logger {
         return color + text + ConsoleColors.Reset;
     }
 }
-var Log = new Logger(LogLevel.info);
-
-// SPDX-License-Identifier: Apache-2.0
-// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
-exports.Operation = void 0;
-(function (Operation) {
-    Operation["CREATE"] = "CREATE";
-    Operation["UPDATE"] = "UPDATE";
-    Operation["DELETE"] = "DELETE";
-    Operation["CONNECT"] = "CONNECT";
-})(exports.Operation || (exports.Operation = {}));
+var logger = new Logger(LogLevel.info);
 
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
@@ -160,4 +150,4 @@ exports.Event = void 0;
     Event["CreateOrUpdate"] = "createOrUpdate";
 })(exports.Event || (exports.Event = {}));
 
-exports.Log = Log;
+exports.logger = logger;

package/index.ts

@@ -1,2 +1,7 @@
-export * from "./src/lib";
-export * from "./src/lib/k8s";
+import { Capability } from './src/lib/capability';
+import { a } from './src/lib/k8s';
+import Log from './src/lib/logger';
+import { PeprModule } from './src/lib/module';
+
+export { a, PeprModule, Capability, Log };
+

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pepr",
-  "version": "0.1.21",
+  "version": "0.1.24",
   "description": "Kubernetes application engine",
   "author": "Defense Unicorns",
   "homepage": "https://github.com/defenseunicorns/pepr",
@@ -29,7 +29,10 @@
     "prettier": "npx prettier src --check",
     "prettier:fix": "npm run prettier -- --write",
     "prepublishOnly": "rm -fr dist/* && npm run lint:fix && npm run prettier:fix && npm run test && npm run build",
-    "e2e-dev": "npm run build && docker buildx build --tag pepr:dev . && k3d image import pepr:dev && node dist/pepr-cli.js deploy -f -i pepr:dev"
+    "e2e-dev-setup": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev",
+    "e2e-dev": "npm run build && docker buildx build --tag pepr:dev . && k3d image import pepr:dev -c pepr-dev && node dist/pepr-cli.js deploy -f -i pepr:dev",
+    "prestart": "ts-node src/cli dev",
+    "start": "chokidar 'src/**/*.ts' -c 'SSL_KEY_PATH=insecure-tls.key SSL_CERT_PATH=insecure-tls.crt ts-node src/controller/index.ts' --initial --silent"
   },
   "dependencies": {
     "@kubernetes/client-node": "^0.18.1",
@@ -59,6 +62,7 @@
     "@typescript-eslint/eslint-plugin": "^5.57.0",
     "@typescript-eslint/parser": "^5.57.0",
     "ava": "^5.2.0",
+    "chokidar-cli": "^3.0.0",
     "eslint": "^8.37.0",
     "ts-node": "^10.9.1",
     "tsconfig-paths": "^4.1.2"

package/src/lib/k8s/tls.ts

@@ -6,6 +6,11 @@ export interface TLSOut {
   ca: string;
   crt: string;
   key: string;
+  pem: {
+    ca: string;
+    crt: string;
+    key: string;
+  };
 }
 
 /**
@@ -36,18 +41,25 @@ export function genTLS(name: string): TLSOut {
 
   // Generate a new server key pair and create a server certificate signed by the CA
   const serverKeys = forge.pki.rsa.generateKeyPair(2048);
-  const serverCert = genCert(serverKeys, `${name}.pepr-system.svc`, caCert.subject.attributes);
+  const serverCert = genCert(serverKeys, name, caCert.subject.attributes);
 
   // Sign both certificates with the CA private key
   caCert.sign(caKeys.privateKey, forge.md.sha256.create());
   serverCert.sign(caKeys.privateKey, forge.md.sha256.create());
 
-  // Convert the keys and certificates to PEM format and Base64-encode them
-  const ca = Buffer.from(forge.pki.certificateToPem(caCert)).toString("base64");
-  const key = Buffer.from(forge.pki.privateKeyToPem(serverKeys.privateKey)).toString("base64");
-  const crt = Buffer.from(forge.pki.certificateToPem(serverCert)).toString("base64");
+  // Convert the keys and certificates to PEM format
+  const pem = {
+    ca: forge.pki.certificateToPem(caCert),
+    crt: forge.pki.certificateToPem(serverCert),
+    key: forge.pki.privateKeyToPem(serverKeys.privateKey),
+  };
 
-  return { ca, key, crt };
+  // Base64-encode the PEM strings
+  const ca = Buffer.from(pem.ca).toString("base64");
+  const key = Buffer.from(pem.key).toString("base64");
+  const crt = Buffer.from(pem.crt).toString("base64");
+
+  return { ca, key, crt, pem };
 }
 
 function genCert(key: forge.pki.rsa.KeyPair, name: string, issuer: forge.pki.CertificateField[]) {

package/src/lib/k8s/webhook.ts

@@ -3,9 +3,11 @@
 
 import {
   AdmissionregistrationV1Api,
+  AdmissionregistrationV1WebhookClientConfig,
   AppsV1Api,
   CoreV1Api,
   KubeConfig,
+  NetworkingV1Api,
   RbacAuthorizationV1Api,
   V1ClusterRole,
   V1ClusterRoleBinding,
@@ -13,13 +15,14 @@ import {
   V1LabelSelectorRequirement,
   V1MutatingWebhookConfiguration,
   V1Namespace,
+  V1NetworkPolicy,
   V1Secret,
   V1Service,
   V1ServiceAccount,
   dumpYaml,
 } from "@kubernetes/client-node";
 import { gzipSync } from "zlib";
-import logger from "../logger";
+import Log from "../logger";
 import { ModuleConfig } from "../types";
 import { TLSOut, genTLS } from "./tls";
 
@@ -31,17 +34,21 @@ const peprIgnore: V1LabelSelectorRequirement = {
 
 export class Webhook {
   private name: string;
-  private tls: TLSOut;
+  private _tls: TLSOut;
 
   public image: string;
 
-  constructor(private readonly config: ModuleConfig) {
+  public get tls(): TLSOut {
+    return this._tls;
+  }
+
+  constructor(private readonly config: ModuleConfig, private readonly host?: string) {
     this.name = `pepr-${config.uuid}`;
 
     this.image = `ghcr.io/defenseunicorns/pepr/controller:${config.version}`;
 
     // Generate the ephemeral tls things
-    this.tls = genTLS(this.name);
+    this._tls = genTLS(this.host || `${this.name}.pepr-system.svc`);
   }
 
   /** Generate the pepr-system namespace */
@@ -117,8 +124,8 @@ export class Webhook {
       },
       type: "kubernetes.io/tls",
       data: {
-        "tls.crt": this.tls.crt,
-        "tls.key": this.tls.key,
+        "tls.crt": this._tls.crt,
+        "tls.key": this._tls.key,
       },
     };
   }
@@ -136,6 +143,22 @@ export class Webhook {
       });
     }
 
+    const clientConfig: AdmissionregistrationV1WebhookClientConfig = {
+      caBundle: this._tls.ca,
+    };
+
+    // If a host is specified, use that with a port of 3000
+    if (this.host) {
+      clientConfig.url = `https://${this.host}:3000/mutate`;
+    } else {
+      // Otherwise, use the service
+      clientConfig.service = {
+        name: this.name,
+        namespace: "pepr-system",
+        path: "/mutate",
+      };
+    }
+
     return {
       apiVersion: "admissionregistration.k8s.io/v1",
       kind: "MutatingWebhookConfiguration",
@@ -144,14 +167,7 @@ export class Webhook {
         {
           name: `${name}.pepr.dev`,
           admissionReviewVersions: ["v1", "v1beta1"],
-          clientConfig: {
-            caBundle: this.tls.ca,
-            service: {
-              name: this.name,
-              namespace: "pepr-system",
-              path: "/mutate",
-            },
-          },
+          clientConfig,
           failurePolicy: "Ignore",
           matchPolicy: "Equivalent",
           timeoutSeconds: 15,
@@ -237,6 +253,11 @@ export class Webhook {
                     mountPath: "/etc/certs",
                     readOnly: true,
                   },
+                  {
+                    name: "module",
+                    mountPath: "/app/module.js.gz",
+                    readOnly: true,
+                  },
                 ],
               },
             ],
@@ -247,6 +268,12 @@ export class Webhook {
                   secretName: `${this.name}-tls`,
                 },
               },
+              {
+                name: "module",
+                secret: {
+                  secretName: `${this.name}-module`,
+                },
+              },
             ],
           },
         },
@@ -254,6 +281,45 @@ export class Webhook {
     };
   }
 
+  /** Only permit the  */
+  networkPolicy(): V1NetworkPolicy {
+    return {
+      apiVersion: "networking.k8s.io/v1",
+      kind: "NetworkPolicy",
+      metadata: {
+        name: this.name,
+        namespace: "pepr-system",
+      },
+      spec: {
+        podSelector: {
+          matchLabels: {
+            app: this.name,
+          },
+        },
+        policyTypes: ["Ingress"],
+        ingress: [
+          {
+            from: [
+              {
+                namespaceSelector: {
+                  matchLabels: {
+                    "kubernetes.io/metadata.name": "kube-system",
+                  },
+                },
+              },
+            ],
+            ports: [
+              {
+                protocol: "TCP",
+                port: 443,
+              },
+            ],
+          },
+        ],
+      },
+    };
+  }
+
   service(): V1Service {
     return {
       apiVersion: "v1",
@@ -324,6 +390,7 @@ export class Webhook {
   allYaml(code: string) {
     const resources = [
       this.namespace(),
+      this.networkPolicy(),
       this.clusterRole(),
       this.clusterRoleBinding(),
       this.serviceAccount(),
@@ -339,7 +406,7 @@ export class Webhook {
   }
 
   async deploy(code: string) {
-    logger.info("Establishing connection to Kubernetes");
+    Log.info("Establishing connection to Kubernetes");
 
     const namespace = "pepr-system";
 
@@ -351,105 +418,121 @@ export class Webhook {
     const rbacApi = kubeConfig.makeApiClient(RbacAuthorizationV1Api);
     const appsApi = kubeConfig.makeApiClient(AppsV1Api);
     const admissionApi = kubeConfig.makeApiClient(AdmissionregistrationV1Api);
+    const networkApi = kubeConfig.makeApiClient(NetworkingV1Api);
 
     const ns = this.namespace();
     try {
-      logger.info("Checking for namespace");
+      Log.info("Checking for namespace");
       await coreV1Api.readNamespace(namespace);
     } catch (e) {
-      logger.debug(e.body);
-      logger.info("Creating namespace");
+      Log.debug(e.body);
+      Log.info("Creating namespace");
       await coreV1Api.createNamespace(ns);
     }
 
+    const netpol = this.networkPolicy();
+    try {
+      Log.info("Checking for network policy");
+      await networkApi.readNamespacedNetworkPolicy(netpol.metadata.name, namespace);
+    } catch (e) {
+      Log.debug(e.body);
+      Log.info("Creating network policy");
+      await networkApi.createNamespacedNetworkPolicy(namespace, netpol);
+    }
+
     const wh = this.mutatingWebhook();
     try {
-      logger.info("Creating mutating webhook");
+      Log.info("Creating mutating webhook");
       await admissionApi.createMutatingWebhookConfiguration(wh);
     } catch (e) {
-      logger.debug(e.body);
-      logger.info("Removing and re-creating mutating webhook");
+      Log.debug(e.body);
+      Log.info("Removing and re-creating mutating webhook");
       await admissionApi.deleteMutatingWebhookConfiguration(wh.metadata.name);
       await admissionApi.createMutatingWebhookConfiguration(wh);
     }
 
     const crb = this.clusterRoleBinding();
     try {
-      logger.info("Creating cluster role binding");
+      Log.info("Creating cluster role binding");
       await rbacApi.createClusterRoleBinding(crb);
     } catch (e) {
-      logger.debug(e.body);
-      logger.info("Removing and re-creating cluster role binding");
+      Log.debug(e.body);
+      Log.info("Removing and re-creating cluster role binding");
       await rbacApi.deleteClusterRoleBinding(crb.metadata.name);
       await rbacApi.createClusterRoleBinding(crb);
     }
 
     const cr = this.clusterRole();
     try {
-      logger.info("Creating cluster role");
+      Log.info("Creating cluster role");
       await rbacApi.createClusterRole(cr);
     } catch (e) {
-      logger.debug(e.body);
-      logger.info("Removing and re-creating  the cluster role");
+      Log.debug(e.body);
+      Log.info("Removing and re-creating  the cluster role");
       try {
         await rbacApi.deleteClusterRole(cr.metadata.name);
         await rbacApi.createClusterRole(cr);
       } catch (e) {
-        logger.debug(e.body);
+        Log.debug(e.body);
       }
     }
 
     const sa = this.serviceAccount();
     try {
-      logger.info("Creating service account");
+      Log.info("Creating service account");
       await coreV1Api.createNamespacedServiceAccount(namespace, sa);
     } catch (e) {
-      logger.debug(e.body);
-      logger.info("Removing and re-creating service account");
+      Log.debug(e.body);
+      Log.info("Removing and re-creating service account");
       await coreV1Api.deleteNamespacedServiceAccount(sa.metadata.name, namespace);
       await coreV1Api.createNamespacedServiceAccount(namespace, sa);
     }
 
+    // If a host is specified, we don't need to deploy the rest of the resources
+    if (this.host) {
+      return;
+    }
+
     const mod = this.moduleSecret(code);
     try {
-      logger.info("Creating module secret");
+      Log.info("Creating module secret");
       await coreV1Api.createNamespacedSecret(namespace, mod);
     } catch (e) {
-      logger.debug(e.body);
-      logger.info("Removing and re-creating module secret");
+      Log.debug(e.body);
+      Log.info("Removing and re-creating module secret");
       await coreV1Api.deleteNamespacedSecret(mod.metadata.name, namespace);
       await coreV1Api.createNamespacedSecret(namespace, mod);
     }
 
     const svc = this.service();
     try {
-      logger.info("Creating service");
+      Log.info("Creating service");
       await coreV1Api.createNamespacedService(namespace, svc);
     } catch (e) {
-      logger.debug(e.body);
-      logger.info("Removing and re-creating service");
+      Log.debug(e.body);
+      Log.info("Removing and re-creating service");
       await coreV1Api.deleteNamespacedService(svc.metadata.name, namespace);
       await coreV1Api.createNamespacedService(namespace, svc);
     }
 
     const tls = this.tlsSecret();
     try {
-      logger.info("Creating TLS secret");
+      Log.info("Creating TLS secret");
       await coreV1Api.createNamespacedSecret(namespace, tls);
     } catch (e) {
-      logger.debug(e.body);
-      logger.info("Removing and re-creating TLS secret");
+      Log.debug(e.body);
+      Log.info("Removing and re-creating TLS secret");
       await coreV1Api.deleteNamespacedSecret(tls.metadata.name, namespace);
       await coreV1Api.createNamespacedSecret(namespace, tls);
     }
 
     const dep = this.deployment();
     try {
-      logger.info("Creating deployment");
+      Log.info("Creating deployment");
       await appsApi.createNamespacedDeployment(namespace, dep);
     } catch (e) {
-      logger.debug(e.body);
-      logger.info("Removing and re-creating deployment");
+      Log.debug(e.body);
+      Log.info("Removing and re-creating deployment");
       await appsApi.deleteNamespacedDeployment(dep.metadata.name, namespace);
       await appsApi.createNamespacedDeployment(namespace, dep);
     }

package/src/lib/index.ts

@@ -1,10 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
-
-import logger from "./logger";
-
-export { logger as Log };
-export * from "./capability";
-export * from "./request";
-export * from "./module";
-export * from "./types";