pepr 0.1.25 → 0.1.27

package/dist/pepr-cli.js

@@ -13,12 +13,12 @@ var zlib = require('zlib');
 var forge = require('node-forge');
 var prompt = require('prompts');
 var child_process = require('child_process');
+var chokidar = require('chokidar');
 var util = require('util');
 var uuid = require('uuid');
 var commander = require('commander');
-var chokidar = require('chokidar');
 
-var version = "0.1.25";
+var version = "0.1.27";
 
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
@@ -806,9 +806,9 @@ function dev (program) {
             process.exit(0);
         }
         // Build the module
-        const { cfg, path } = await buildModule(opts.dir);
+        const { cfg, path: path$1 } = await buildModule(opts.dir);
         // Read the compiled module code
-        const code = await fs.promises.readFile(path, { encoding: "utf-8" });
+        const code = await fs.promises.readFile(path$1, { encoding: "utf-8" });
         // Generate a secret for the module
         const webhook = new Webhook({
             ...cfg.pepr,
@@ -820,6 +820,25 @@ function dev (program) {
         try {
             await webhook.deploy(code);
             types.logger.info(`Module deployed successfully`);
+            const moduleFiles = path.resolve(opts.dir, "**", "*.ts");
+            const watcher = chokidar.watch(moduleFiles);
+            const peprTS = path.resolve(opts.dir, "pepr.ts");
+            let program;
+            // Run the module once to start the server
+            runDev(peprTS);
+            // Watch for changes
+            watcher.on("ready", () => {
+                types.logger.info(`Watching for changes in ${moduleFiles}`);
+                watcher.on("all", async (event, path) => {
+                    types.logger.debug({ event, path }, "File changed");
+                    // Kill the running process
+                    if (program) {
+                        program.kill("SIGKILL");
+                    }
+                    // Start the process again
+                    program = runDev(peprTS);
+                });
+            });
         }
         catch (e) {
             types.logger.error(`Error deploying module: ${e}`);
@@ -827,6 +846,28 @@ function dev (program) {
         }
     });
 }
+function runDev(path) {
+    try {
+        const program = child_process.spawn("./node_modules/.bin/ts-node", [path], {
+            env: {
+                ...process.env,
+                SSL_KEY_PATH: "insecure-tls.key",
+                SSL_CERT_PATH: "insecure-tls.crt",
+            },
+        });
+        program.stdout.on("data", data => console.log(data.toString()));
+        program.stderr.on("data", data => console.error(data.toString()));
+        program.on("close", code => {
+            types.logger.info(`Process exited with code ${code}`);
+        });
+        return program;
+    }
+    catch (e) {
+        types.logger.debug(e);
+        types.logger.error(`Error running module: ${e}`);
+        process.exit(1);
+    }
+}
 
 // SPDX-License-Identifier: Apache-2.0
 /**
@@ -883,28 +924,18 @@ function genPeprTS() {
         path: "pepr.ts",
         data: `import { PeprModule } from "pepr";
 import cfg from "./package.json";
-// import { HelloPepr } from "./capabilities/hello-pepr";
-
-// This initializes the Pepr module with the configuration from package.json
-export const { ProcessRequest, Register } = new PeprModule(cfg);
+import { HelloPepr } from "./capabilities/hello-pepr";
 
 /**
- * Each Pepr Capability is registered with the module using the Register function.
- * This will be automatically generated by the Pepr CLI when creating a new capability:
- * \`pepr new <capability name>\`
- *
- * Example:
- * import { Capability1 } from "./capabilities/capability1";
- * import { Capability2  } from "./capabilities/capability2";
- *
- * Capability1(Register);
- * Capability2(Register);
- *
- * Uncomment the line below and the import above to use the hello-pepr demo capability
+ * This is the main entrypoint for the Pepr module. It is the file that is run when the module is started.
+ * This is where you register your configurations and capabilities with the module.
  */
+new PeprModule(cfg, [
+  // "HelloPepr" is a demo capability that is included with Pepr. You can remove it if you want.
+  HelloPepr,
 
-// HelloPepr(Register);
-    
+  // Your additional capabilities go here
+]);    
 `,
     };
 }
@@ -1009,14 +1040,15 @@ const capabilityHelloPeprTS = {
     path: "hello-pepr.ts",
     data: `import { Capability, a } from "pepr";
 
-const { Register, When } = new Capability({
+export const HelloPepr = new Capability({
   name: "hello-pepr",
   description: "A simple example capability to show how things work.",
   namespaces: ["pepr-demo"],
 });
 
-export { Register as HelloPepr };
-
+// Use the 'When' function to create a new Capability Action
+const { When } = HelloPepr;
+  
 /**
  * This is a single Capability Action. They can be in the same file or put imported from other files.
  * In this exmaple, when a ConfigMap is created with the name \`example-1\`, then add a label and annotation.
@@ -1079,27 +1111,26 @@ When(a.ConfigMap)
 const capabilitySnippet = {
     path: "pepr.code-snippets",
     data: `{
-    "Create a new Pepr capability": {
-      "prefix": "create pepr capability",
-      "body": [
-        "import { Capability, a } from 'pepr';",
-        "",
-        "const { Register, When } = new Capability({",
-        "\tname: '$\{TM_FILENAME_BASE}',",
-        "\tdescription: '$\{1:A brief description of this capability.}',",
-        "\tnamespaces: [$\{2:}],",
-        "});",
-        "",
-        "// Export the capability so it can be imported in the pepr.ts file.",
-        "export { Register as $\{TM_FILENAME_BASE/(.*)/$\{1:/pascalcase}/} };",
-        "",
-        "// When(a.<Kind>).Is<Event>().Then(change => change.<changes>",
-        "When($\{3:})"
-      ],
-      "description": "Creates a new Pepr capability with a specified description, and optional namespaces, and adds a When statement for the specified value."
-    }
+  "Create a new Pepr capability": {
+    "prefix": "create pepr capability",
+    "body": [
+      "import { Capability, a } from 'pepr';",
+      "",
+      "export const $\{TM_FILENAME_BASE/(.*)/$\{1:/pascalcase}/} = new Capability({",
+      "\\tname: '$\{TM_FILENAME_BASE}',",
+      "\\tdescription: '$\{1:A brief description of this capability.}',",
+      "\\tnamespaces: [$\{2:}],",
+      "});",
+      "",
+      "// Use the 'When' function to create a new Capability Action",
+      "const { When } = $\{TM_FILENAME_BASE/(.*)/$\{1:/pascalcase}/};",
+      "",
+      "// When(a.<Kind>).Is<Event>().Then(change => change.<changes>",
+      "When($\{3:})"
+    ],
+    "description": "Creates a new Pepr capability with a specified description, and optional namespaces, and adds a When statement for the specified value."
   }
-  `,
+}`,
 };
 
 // SPDX-License-Identifier: Apache-2.0

package/dist/pepr-core.js

@@ -4,6 +4,9 @@
 var dist = require('@kubernetes/client-node/dist');
 var types = require('./types-1709b44f.js');
 var R = require('ramda');
+var express = require('express');
+var fs = require('fs');
+var https = require('https');
 var fastJsonPatch = require('fast-json-patch');
 
 function _interopNamespaceDefault(e) {
@@ -39,7 +42,6 @@ var upstream = /*#__PURE__*/Object.freeze({
     CustomResourceDefinition: dist.V1CustomResourceDefinition,
     DaemonSet: dist.V1DaemonSet,
     Deployment: dist.V1Deployment,
-    Endpoint: dist.V1Endpoint,
     EndpointSlice: dist.V1EndpointSlice,
     HorizontalPodAutoscaler: dist.V1HorizontalPodAutoscaler,
     Ingress: dist.V1Ingress,
@@ -535,13 +537,6 @@ class Capability {
         // Currently everything is considered a mutation
         this._mutateOrValidate = types.HookPhase.mutate;
         this._bindings = [];
-        /**
-         * The Register method is used to register a capability with the Pepr runtime. This method is
-         * called in the order that the capabilities should be executed.
-         *
-         * @param callback the state register method to call, passing the capability as an argument
-         */
-        this.Register = (register) => register(this);
         /**
          * The When method is used to register a capability action to be executed when a Kubernetes resource is
          * processed by Pepr. The action will be executed if the resource matches the specified kind and any
@@ -640,19 +635,16 @@ function shouldSkipRequest(binding, req) {
     const { namespaces, labels, annotations } = binding.filters;
     const { metadata } = req.object;
     if (kind !== req.kind.kind) {
-        types.logger.debug(`${req.kind.kind} does not match ${kind}`);
         return true;
     }
     if (group && group !== req.kind.group) {
-        types.logger.debug(`${req.kind.group} does not match ${group}`);
         return true;
     }
     if (version && version !== req.kind.version) {
-        types.logger.debug(`${req.kind.version} does not match ${version}`);
         return true;
     }
     if (namespaces.length && !namespaces.includes(req.namespace || "")) {
-        types.logger.debug(`${req.namespace} is not in ${namespaces}`);
+        types.logger.debug("Namespace does not match");
         return true;
     }
     for (const [key, value] of Object.entries(labels)) {
@@ -848,38 +840,106 @@ function processor(config, capabilities, req) {
     return response;
 }
 
+// SPDX-License-Identifier: Apache-2.0
+// Load SSL certificate and key
+const options = {
+    key: fs.readFileSync(process.env.SSL_KEY_PATH || "/etc/certs/tls.key"),
+    cert: fs.readFileSync(process.env.SSL_CERT_PATH || "/etc/certs/tls.crt"),
+};
+class Controller {
+    constructor(config, capabilities) {
+        this.config = config;
+        this.capabilities = capabilities;
+        this.app = express();
+        /** Start the webhook server */
+        this.startServer = (port) => {
+            // Create HTTPS server
+            https.createServer(options, this.app).listen(port, () => {
+                console.log(`Server listening on port ${port}`);
+            });
+        };
+        this.logger = (req, res, next) => {
+            const startTime = Date.now();
+            res.on("finish", () => {
+                const now = new Date().toISOString();
+                const elapsedTime = Date.now() - startTime;
+                const message = `[${now}] ${req.method} ${req.originalUrl} - ${res.statusCode} - ${elapsedTime} ms\n`;
+                res.statusCode >= 400 ? console.error(message) : console.info(message);
+            });
+            next();
+        };
+        this.healthz = (req, res) => {
+            try {
+                res.send("OK");
+            }
+            catch (err) {
+                console.error(err);
+                res.status(500).send("Internal Server Error");
+            }
+        };
+        this.mutate = (req, res) => {
+            try {
+                const name = req.body?.request?.name || "";
+                const namespace = req.body?.request?.namespace || "";
+                const gvk = req.body?.request?.kind || { group: "", version: "", kind: "" };
+                console.log(`Mutate request: ${gvk.group}/${gvk.version}/${gvk.kind}`);
+                name && console.log(`                ${namespace}/${name}\n`);
+                // @todo: make this actually do something
+                const response = processor(this.config, this.capabilities, req.body.request);
+                console.debug(response);
+                // Send a no prob bob response
+                res.send({
+                    apiVersion: "admission.k8s.io/v1",
+                    kind: "AdmissionReview",
+                    response: {
+                        uid: req.body.request.uid,
+                        allowed: true,
+                    },
+                });
+            }
+            catch (err) {
+                console.error(err);
+                res.status(500).send("Internal Server Error");
+            }
+        };
+        // Middleware for logging requests
+        this.app.use(this.logger);
+        // Middleware for parsing JSON
+        this.app.use(express.json());
+        // Health check endpoint
+        this.app.get("/healthz", this.healthz);
+        // Mutate endpoint
+        this.app.post("/mutate", this.mutate);
+    }
+}
+
 // SPDX-License-Identifier: Apache-2.0
 const alwaysIgnore = {
     namespaces: ["kube-system", "pepr-system"],
     labels: [{ "pepr.dev": "ignore" }],
 };
 class PeprModule {
-    get kinds() {
-        return this._kinds;
-    }
-    get UUID() {
-        return this._config.uuid;
-    }
     /**
      * Create a new Pepr runtime
      *
      * @param config The configuration for the Pepr runtime
      */
-    constructor({ description, pepr }) {
-        this._state = [];
-        this._kinds = [];
-        this.Register = (capability) => {
-            types.logger.info(`Registering capability ${capability.name}`);
-            // Add the kinds to the list of kinds (ignoring duplicates for now)
-            this._kinds = capability.bindings.map(({ kind }) => kind);
-            // Add the capability to the state
-            this._state.push(capability);
-        };
-        this.ProcessRequest = (req) => {
-            return processor(this._config, this._state, req);
-        };
-        pepr.description = description;
-        this._config = R.mergeDeepWith(R.concat, pepr, alwaysIgnore);
+    constructor({ description, pepr }, capabilities = [], deferStart = false) {
+        const config = R.mergeDeepWith(R.concat, pepr, alwaysIgnore);
+        config.description = description;
+        this._controller = new Controller(config, capabilities);
+        if (!deferStart) {
+            this.start();
+        }
+    }
+    /**
+     * Start the Pepr runtime manually.
+     * Normally this is called automatically when the Pepr module is instantiated, but can be called manually if `deferStart` is set to `true` in the constructor.
+     *
+     * @param port
+     */
+    start(port = 3000) {
+        this._controller.startServer(port);
     }
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pepr",
-  "version": "0.1.25",
+  "version": "0.1.27",
   "description": "Kubernetes application engine",
   "author": "Defense Unicorns",
   "homepage": "https://github.com/defenseunicorns/pepr",
@@ -41,7 +41,6 @@
     "@rollup/plugin-node-resolve": "^15.0.1",
     "@rollup/plugin-typescript": "^11.0.0",
     "@types/ramda": "^0.28.23",
-    "body-parser": "^1.20.2",
     "chokidar": "^3.5.3",
     "commander": "^10.0.0",
     "express": "^4.18.2",

package/tsconfig.json

@@ -1,6 +1,8 @@
 {
   "compilerOptions": {
     "baseUrl": ".",
+    "declaration": true,
+    "declarationDir": "dist",
     "esModuleInterop": true,
     "lib": ["ES2020"],
     "moduleResolution": "node",

package/CODEOWNERS

@@ -1,6 +0,0 @@
-* @jeff-mccoy @bdw617
-
-# Additional privileged files
-/CODEOWNERS @jeff-mccoy @runyontr
-/cosign.pub @jeff-mccoy @runyontr
-/LICENSE @jeff-mccoy @runyontr

package/index.ts

@@ -1,7 +0,0 @@
-import { Capability } from './src/lib/capability';
-import { a } from './src/lib/k8s';
-import Log from './src/lib/logger';
-import { PeprModule } from './src/lib/module';
-
-export { a, PeprModule, Capability, Log };
-

package/src/lib/capability.ts

@@ -1,158 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
-
-import { modelToGroupVersionKind } from "./k8s";
-import logger from "./logger";
-import {
-  BindToAction,
-  Binding,
-  BindingFilter,
-  BindingWithName,
-  CapabilityAction,
-  CapabilityCfg,
-  DeepPartial,
-  Event,
-  GenericClass,
-  HookPhase,
-  WhenSelector,
-} from "./types";
-
-/**
- * A capability is a unit of functionality that can be registered with the Pepr runtime.
- */
-export class Capability implements CapabilityCfg {
-  private _name: string;
-  private _description: string;
-  private _namespaces?: string[] | undefined;
-
-  // Currently everything is considered a mutation
-  private _mutateOrValidate = HookPhase.mutate;
-
-  private _bindings: Binding[] = [];
-
-  get bindings(): Binding[] {
-    return this._bindings;
-  }
-
-  get name() {
-    return this._name;
-  }
-
-  get description() {
-    return this._description;
-  }
-
-  get namespaces() {
-    return this._namespaces || [];
-  }
-
-  get mutateOrValidate() {
-    return this._mutateOrValidate;
-  }
-
-  constructor(cfg: CapabilityCfg) {
-    this._name = cfg.name;
-    this._description = cfg.description;
-    this._namespaces = cfg.namespaces;
-    logger.info(`Capability ${this._name} registered`);
-    logger.debug(cfg);
-  }
-
-  /**
-   * The Register method is used to register a capability with the Pepr runtime. This method is
-   * called in the order that the capabilities should be executed.
-   *
-   * @param callback the state register method to call, passing the capability as an argument
-   */
-  Register = (register: (capability: Capability) => void) => register(this);
-
-  /**
-   * The When method is used to register a capability action to be executed when a Kubernetes resource is
-   * processed by Pepr. The action will be executed if the resource matches the specified kind and any
-   * filters that are applied.
-   *
-   * @param model if using a custom KubernetesObject not available in `a.*`, specify the GroupVersionKind
-   * @returns
-   */
-  When = <T extends GenericClass>(model: T): WhenSelector<T> => {
-    const binding: Binding = {
-      // If the kind is not specified, use the default KubernetesObject
-      kind: modelToGroupVersionKind(model.name),
-      filters: {
-        name: "",
-        namespaces: [],
-        labels: {},
-        annotations: {},
-      },
-      callback: () => null,
-    };
-
-    const prefix = `${this._name}: ${model.name}`;
-
-    logger.info(`Binding created`, prefix);
-
-    const Then = (cb: CapabilityAction<T>): BindToAction<T> => {
-      logger.info(`Binding action created`, prefix);
-      logger.debug(cb.toString(), prefix);
-      // Push the binding to the list of bindings for this capability as a new BindingAction
-      // with the callback function to preserve
-      this._bindings.push({
-        ...binding,
-        callback: cb,
-      });
-
-      // Now only allow adding actions to the same binding
-      return { Then };
-    };
-
-    const ThenSet = (merge: DeepPartial<InstanceType<T>>): BindToAction<T> => {
-      // Add the new action to the binding
-      Then(req => req.Merge(merge));
-
-      return { Then };
-    };
-
-    function InNamespace(...namespaces: string[]): BindingWithName<T> {
-      logger.debug(`Add namespaces filter ${namespaces}`, prefix);
-      binding.filters.namespaces.push(...namespaces);
-      return { WithLabel, WithAnnotation, WithName, Then, ThenSet };
-    }
-
-    function WithName(name: string): BindingFilter<T> {
-      logger.debug(`Add name filter ${name}`, prefix);
-      binding.filters.name = name;
-      return { WithLabel, WithAnnotation, Then, ThenSet };
-    }
-
-    function WithLabel(key: string, value = ""): BindingFilter<T> {
-      logger.debug(`Add label filter ${key}=${value}`, prefix);
-      binding.filters.labels[key] = value;
-      return { WithLabel, WithAnnotation, Then, ThenSet };
-    }
-
-    const WithAnnotation = (key: string, value = ""): BindingFilter<T> => {
-      logger.debug(`Add annotation filter ${key}=${value}`, prefix);
-      binding.filters.annotations[key] = value;
-      return { WithLabel, WithAnnotation, Then, ThenSet };
-    };
-
-    const bindEvent = (event: Event) => {
-      binding.event = event;
-      return {
-        InNamespace,
-        Then,
-        ThenSet,
-        WithAnnotation,
-        WithLabel,
-        WithName,
-      };
-    };
-
-    return {
-      IsCreatedOrUpdated: () => bindEvent(Event.CreateOrUpdate),
-      IsCreated: () => bindEvent(Event.Create),
-      IsUpdated: () => bindEvent(Event.Update),
-      IsDeleted: () => bindEvent(Event.Delete),
-    };
-  };
-}

package/src/lib/filter.ts

@@ -1,55 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
-
-import { Request } from "./k8s";
-import logger from "./logger";
-import { Binding } from "./types";
-
-/**
- * shouldSkipRequest determines if a request should be skipped based on the binding filters.
- *
- * @param binding the capability action binding
- * @param req the incoming request
- * @returns
- */
-export function shouldSkipRequest(binding: Binding, req: Request) {
-  const { group, kind, version } = binding.kind;
-  const { namespaces, labels, annotations } = binding.filters;
-  const { metadata } = req.object;
-
-  if (kind !== req.kind.kind) {
-    logger.debug(`${req.kind.kind} does not match ${kind}`);
-    return true;
-  }
-
-  if (group && group !== req.kind.group) {
-    logger.debug(`${req.kind.group} does not match ${group}`);
-    return true;
-  }
-
-  if (version && version !== req.kind.version) {
-    logger.debug(`${req.kind.version} does not match ${version}`);
-    return true;
-  }
-
-  if (namespaces.length && !namespaces.includes(req.namespace || "")) {
-    logger.debug(`${req.namespace} is not in ${namespaces}`);
-    return true;
-  }
-
-  for (const [key, value] of Object.entries(labels)) {
-    if (metadata?.labels?.[key] !== value) {
-      logger.debug(`${metadata?.labels?.[key]} does not match ${value}`);
-      return true;
-    }
-  }
-
-  for (const [key, value] of Object.entries(annotations)) {
-    if (metadata?.annotations?.[key] !== value) {
-      logger.debug(`${metadata?.annotations?.[key]} does not match ${value}`);
-      return true;
-    }
-  }
-
-  return false;
-}

package/src/lib/k8s/index.ts

@@ -1,10 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
-
-// Export kinds as a single object
-import * as kind from "./upstream";
-export { kind as a };
-
-export { modelToGroupVersionKind, gvkMap } from "./kinds";
-
-export * from "./types";