pepr 0.1.26 → 0.1.28

package/dist/src/cli/init/utils.js

@@ -0,0 +1,50 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+import { promises as fs } from "fs";
+/**
+ * Sanitize a user input name to be used as a pepr module directory name
+ *
+ * @param name the user input name
+ * @returns the sanitized name
+ */
+export function sanitizeName(name) {
+    // Replace any characters outside of [^a-z0-9-] with "-"
+    let sanitized = name.toLowerCase().replace(/[^a-z0-9-]+/gi, "-");
+    // Remove any leading or trailing hyphens
+    sanitized = sanitized.replace(/^-+|-+$/g, "");
+    // Replace multiple hyphens with a single hyphen
+    sanitized = sanitized.replace(/--+/g, "-");
+    return sanitized;
+}
+/**
+ * Creates a directory and throws an error if it already exists
+ *
+ * @param dir - The directory to create
+ */
+export async function createDir(dir) {
+    try {
+        await fs.mkdir(dir);
+    }
+    catch (err) {
+        // The directory already exists
+        if (err.code === "EEXIST") {
+            throw new Error(`Directory ${dir} already exists`);
+        }
+        else {
+            throw err;
+        }
+    }
+}
+/**
+ * Write data to a file on disk
+ * @param path - The path to the file
+ * @param data - The data to write
+ * @returns A promise that resolves when the file has been written
+ */
+export function write(path, data) {
+    // If the data is not a string, stringify it
+    if (typeof data !== "string") {
+        data = JSON.stringify(data, null, 2);
+    }
+    return fs.writeFile(path, data);
+}

package/dist/src/cli/init/walkthrough.d.ts

@@ -0,0 +1,7 @@
+import { Answers } from "prompts";
+export type InitOptions = Answers<"name" | "description" | "errorBehavior">;
+export declare function walkthrough(): Promise<InitOptions>;
+export declare function confirm(dirName: string, packageJSON: {
+    path: string;
+    print: string;
+}, peprTSPath: string): Promise<any>;

package/dist/src/cli/init/walkthrough.js

@@ -0,0 +1,76 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+import { promises as fs } from "fs";
+import prompt from "prompts";
+import { ErrorBehavior } from "../../lib/types";
+import { gitIgnore, prettierRC, readme, tsConfig } from "./templates";
+import { sanitizeName } from "./utils";
+export function walkthrough() {
+    const askName = {
+        type: "text",
+        name: "name",
+        message: "Enter a name for the new Pepr module. This will create a new directory based on the name.\n",
+        validate: async (val) => {
+            try {
+                const name = sanitizeName(val);
+                await fs.access(name, fs.constants.F_OK);
+                return "A directory with this name already exists";
+            }
+            catch (e) {
+                return val.length > 2 || "The name must be at least 3 characters long";
+            }
+        },
+    };
+    const askDescription = {
+        type: "text",
+        name: "description",
+        message: "(Recommended) Enter a description for the new Pepr module.\n",
+    };
+    const askErrorBehavior = {
+        type: "select",
+        name: "errorBehavior",
+        validate: val => ErrorBehavior[val],
+        message: "How do you want Pepr to handle errors encountered during K8s operations?",
+        choices: [
+            {
+                title: "Ignore",
+                value: ErrorBehavior.ignore,
+                description: "Pepr will continue processing and generate an entry in the Pepr Controller log.",
+                selected: true,
+            },
+            {
+                title: "Log an audit event",
+                value: ErrorBehavior.audit,
+                description: "Pepr will continue processing and generate an entry in the Pepr Controller log as well as an audit event in the cluster.",
+            },
+            {
+                title: "Reject the operation",
+                value: ErrorBehavior.reject,
+                description: "Pepr will reject the operation and return an error to the client.",
+            },
+        ],
+    };
+    return prompt([askName, askDescription, askErrorBehavior]);
+}
+export async function confirm(dirName, packageJSON, peprTSPath) {
+    console.log(`
+  To be generated:
+
+    \x1b[1m${dirName}\x1b[0m
+    ├── \x1b[1m${gitIgnore.path}\x1b[0m
+    ├── \x1b[1m${prettierRC.path}\x1b[0m
+    ├── \x1b[1mcapabilties\x1b[0m
+    |   └── \x1b[1mhello-pepr.ts\x1b[0m     
+    ├── \x1b[1m${packageJSON.path}\x1b[0m
+${packageJSON.print.replace(/^/gm, "    │   ")}
+    ├── \x1b[1m${peprTSPath}\x1b[0m
+    ├── \x1b[1m${readme.path}\x1b[0m
+    └── \x1b[1m${tsConfig.path}\x1b[0m
+      `);
+    const confirm = await prompt({
+        type: "confirm",
+        name: "confirm",
+        message: "Create the new Pepr module?",
+    });
+    return confirm.confirm;
+}

package/dist/src/cli/root.d.ts

@@ -0,0 +1,4 @@
+import { Command } from "commander";
+export declare class RootCmd extends Command {
+    createCommand(name: string): Command;
+}

package/dist/src/cli/root.js

@@ -0,0 +1,14 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+import { Command } from "commander";
+import Log from "../lib/logger";
+export class RootCmd extends Command {
+    createCommand(name) {
+        const cmd = new Command(name);
+        cmd.option("-l, --log-level [level]", "Log level: debug, info, warn, error", "info");
+        cmd.hook("preAction", run => {
+            Log.SetLogLevel(run.opts().logLevel);
+        });
+        return cmd;
+    }
+}

package/dist/src/cli/test.d.ts

@@ -0,0 +1,2 @@
+import { RootCmd } from "./root";
+export default function (program: RootCmd): void;

package/dist/src/cli/test.js

@@ -0,0 +1,45 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+import { exec as execCallback } from "child_process";
+import { watch } from "chokidar";
+import { resolve } from "path";
+import { promisify } from "util";
+import Log from "../lib/logger";
+import { buildModule } from "./build";
+const exec = promisify(execCallback);
+export default function (program) {
+    program
+        .command("test")
+        .description("Test a Pepr Module locally")
+        .option("-d, --dir [directory]", "Pepr module directory", ".")
+        .option("-w, --watch", "Watch for changes and re-run the test")
+        .action(async (opts) => {
+        Log.info("Test Module");
+        await buildAndTest(opts.dir);
+        if (opts.watch) {
+            const moduleFiles = resolve(opts.dir, "**", "*.ts");
+            const watcher = watch(moduleFiles);
+            watcher.on("ready", () => {
+                Log.info(`Watching for changes in ${moduleFiles}`);
+                watcher.on("all", async (event, path) => {
+                    Log.debug({ event, path }, "File changed");
+                    await buildAndTest(opts.dir);
+                });
+            });
+        }
+    });
+}
+async function buildAndTest(dir) {
+    const { path } = await buildModule(dir);
+    Log.info(`Module built successfully at ${path}`);
+    try {
+        const { stdout, stderr } = await exec(`node ${path}`);
+        console.log(stdout);
+        console.log(stderr);
+    }
+    catch (e) {
+        Log.debug(e);
+        Log.error(`Error running module: ${e}`);
+        process.exit(1);
+    }
+}

package/dist/src/lib/capability.d.ts

@@ -0,0 +1,26 @@
+import { Binding, CapabilityCfg, GenericClass, HookPhase, WhenSelector } from "./types";
+/**
+ * A capability is a unit of functionality that can be registered with the Pepr runtime.
+ */
+export declare class Capability implements CapabilityCfg {
+    private _name;
+    private _description;
+    private _namespaces?;
+    private _mutateOrValidate;
+    private _bindings;
+    get bindings(): Binding[];
+    get name(): string;
+    get description(): string;
+    get namespaces(): string[];
+    get mutateOrValidate(): HookPhase;
+    constructor(cfg: CapabilityCfg);
+    /**
+     * The When method is used to register a capability action to be executed when a Kubernetes resource is
+     * processed by Pepr. The action will be executed if the resource matches the specified kind and any
+     * filters that are applied.
+     *
+     * @param model if using a custom KubernetesObject not available in `a.*`, specify the GroupVersionKind
+     * @returns
+     */
+    When: <T extends GenericClass>(model: T) => WhenSelector<T>;
+}

package/dist/src/lib/capability.js

@@ -0,0 +1,112 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+import { modelToGroupVersionKind } from "./k8s";
+import logger from "./logger";
+import { Event, HookPhase, } from "./types";
+/**
+ * A capability is a unit of functionality that can be registered with the Pepr runtime.
+ */
+export class Capability {
+    get bindings() {
+        return this._bindings;
+    }
+    get name() {
+        return this._name;
+    }
+    get description() {
+        return this._description;
+    }
+    get namespaces() {
+        return this._namespaces || [];
+    }
+    get mutateOrValidate() {
+        return this._mutateOrValidate;
+    }
+    constructor(cfg) {
+        // Currently everything is considered a mutation
+        this._mutateOrValidate = HookPhase.mutate;
+        this._bindings = [];
+        /**
+         * The When method is used to register a capability action to be executed when a Kubernetes resource is
+         * processed by Pepr. The action will be executed if the resource matches the specified kind and any
+         * filters that are applied.
+         *
+         * @param model if using a custom KubernetesObject not available in `a.*`, specify the GroupVersionKind
+         * @returns
+         */
+        this.When = (model) => {
+            const binding = {
+                // If the kind is not specified, use the default KubernetesObject
+                kind: modelToGroupVersionKind(model.name),
+                filters: {
+                    name: "",
+                    namespaces: [],
+                    labels: {},
+                    annotations: {},
+                },
+                callback: () => null,
+            };
+            const prefix = `${this._name}: ${model.name}`;
+            logger.info(`Binding created`, prefix);
+            const Then = (cb) => {
+                logger.info(`Binding action created`, prefix);
+                logger.debug(cb.toString(), prefix);
+                // Push the binding to the list of bindings for this capability as a new BindingAction
+                // with the callback function to preserve
+                this._bindings.push({
+                    ...binding,
+                    callback: cb,
+                });
+                // Now only allow adding actions to the same binding
+                return { Then };
+            };
+            const ThenSet = (merge) => {
+                // Add the new action to the binding
+                Then(req => req.Merge(merge));
+                return { Then };
+            };
+            function InNamespace(...namespaces) {
+                logger.debug(`Add namespaces filter ${namespaces}`, prefix);
+                binding.filters.namespaces.push(...namespaces);
+                return { WithLabel, WithAnnotation, WithName, Then, ThenSet };
+            }
+            function WithName(name) {
+                logger.debug(`Add name filter ${name}`, prefix);
+                binding.filters.name = name;
+                return { WithLabel, WithAnnotation, Then, ThenSet };
+            }
+            function WithLabel(key, value = "") {
+                logger.debug(`Add label filter ${key}=${value}`, prefix);
+                binding.filters.labels[key] = value;
+                return { WithLabel, WithAnnotation, Then, ThenSet };
+            }
+            const WithAnnotation = (key, value = "") => {
+                logger.debug(`Add annotation filter ${key}=${value}`, prefix);
+                binding.filters.annotations[key] = value;
+                return { WithLabel, WithAnnotation, Then, ThenSet };
+            };
+            const bindEvent = (event) => {
+                binding.event = event;
+                return {
+                    InNamespace,
+                    Then,
+                    ThenSet,
+                    WithAnnotation,
+                    WithLabel,
+                    WithName,
+                };
+            };
+            return {
+                IsCreatedOrUpdated: () => bindEvent(Event.CreateOrUpdate),
+                IsCreated: () => bindEvent(Event.Create),
+                IsUpdated: () => bindEvent(Event.Update),
+                IsDeleted: () => bindEvent(Event.Delete),
+            };
+        };
+        this._name = cfg.name;
+        this._description = cfg.description;
+        this._namespaces = cfg.namespaces;
+        logger.info(`Capability ${this._name} registered`);
+        logger.debug(cfg);
+    }
+}

package/dist/src/lib/controller.d.ts

@@ -0,0 +1,13 @@
+import { ModuleConfig } from "./types";
+import { Capability } from "./capability";
+export declare class Controller {
+    private readonly config;
+    private readonly capabilities;
+    private readonly app;
+    constructor(config: ModuleConfig, capabilities: Capability[]);
+    /** Start the webhook server */
+    startServer: (port: number) => void;
+    private logger;
+    private healthz;
+    private mutate;
+}

package/dist/src/lib/controller.js

@@ -0,0 +1,77 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+import express from "express";
+import fs from "fs";
+import https from "https";
+import { processor } from "./processor";
+// Load SSL certificate and key
+const options = {
+    key: fs.readFileSync(process.env.SSL_KEY_PATH || "/etc/certs/tls.key"),
+    cert: fs.readFileSync(process.env.SSL_CERT_PATH || "/etc/certs/tls.crt"),
+};
+export class Controller {
+    constructor(config, capabilities) {
+        this.config = config;
+        this.capabilities = capabilities;
+        this.app = express();
+        /** Start the webhook server */
+        this.startServer = (port) => {
+            // Create HTTPS server
+            https.createServer(options, this.app).listen(port, () => {
+                console.log(`Server listening on port ${port}`);
+            });
+        };
+        this.logger = (req, res, next) => {
+            const startTime = Date.now();
+            res.on("finish", () => {
+                const now = new Date().toISOString();
+                const elapsedTime = Date.now() - startTime;
+                const message = `[${now}] ${req.method} ${req.originalUrl} - ${res.statusCode} - ${elapsedTime} ms\n`;
+                res.statusCode >= 400 ? console.error(message) : console.info(message);
+            });
+            next();
+        };
+        this.healthz = (req, res) => {
+            try {
+                res.send("OK");
+            }
+            catch (err) {
+                console.error(err);
+                res.status(500).send("Internal Server Error");
+            }
+        };
+        this.mutate = (req, res) => {
+            try {
+                const name = req.body?.request?.name || "";
+                const namespace = req.body?.request?.namespace || "";
+                const gvk = req.body?.request?.kind || { group: "", version: "", kind: "" };
+                console.log(`Mutate request: ${gvk.group}/${gvk.version}/${gvk.kind}`);
+                name && console.log(`                ${namespace}/${name}\n`);
+                // @todo: make this actually do something
+                const response = processor(this.config, this.capabilities, req.body.request);
+                console.debug(response);
+                // Send a no prob bob response
+                res.send({
+                    apiVersion: "admission.k8s.io/v1",
+                    kind: "AdmissionReview",
+                    response: {
+                        uid: req.body.request.uid,
+                        allowed: true,
+                    },
+                });
+            }
+            catch (err) {
+                console.error(err);
+                res.status(500).send("Internal Server Error");
+            }
+        };
+        // Middleware for logging requests
+        this.app.use(this.logger);
+        // Middleware for parsing JSON
+        this.app.use(express.json());
+        // Health check endpoint
+        this.app.get("/healthz", this.healthz);
+        // Mutate endpoint
+        this.app.post("/mutate", this.mutate);
+    }
+}

package/dist/src/lib/filter.d.ts

@@ -0,0 +1,10 @@
+import { Request } from "./k8s";
+import { Binding } from "./types";
+/**
+ * shouldSkipRequest determines if a request should be skipped based on the binding filters.
+ *
+ * @param binding the capability action binding
+ * @param req the incoming request
+ * @returns
+ */
+export declare function shouldSkipRequest(binding: Binding, req: Request): boolean;

package/dist/src/lib/filter.js

@@ -0,0 +1,41 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+import logger from "./logger";
+/**
+ * shouldSkipRequest determines if a request should be skipped based on the binding filters.
+ *
+ * @param binding the capability action binding
+ * @param req the incoming request
+ * @returns
+ */
+export function shouldSkipRequest(binding, req) {
+    const { group, kind, version } = binding.kind;
+    const { namespaces, labels, annotations } = binding.filters;
+    const { metadata } = req.object;
+    if (kind !== req.kind.kind) {
+        return true;
+    }
+    if (group && group !== req.kind.group) {
+        return true;
+    }
+    if (version && version !== req.kind.version) {
+        return true;
+    }
+    if (namespaces.length && !namespaces.includes(req.namespace || "")) {
+        logger.debug("Namespace does not match");
+        return true;
+    }
+    for (const [key, value] of Object.entries(labels)) {
+        if (metadata?.labels?.[key] !== value) {
+            logger.debug(`${metadata?.labels?.[key]} does not match ${value}`);
+            return true;
+        }
+    }
+    for (const [key, value] of Object.entries(annotations)) {
+        if (metadata?.annotations?.[key] !== value) {
+            logger.debug(`${metadata?.annotations?.[key]} does not match ${value}`);
+            return true;
+        }
+    }
+    return false;
+}

package/dist/src/lib/k8s/index.d.ts

@@ -0,0 +1,4 @@
+import * as kind from "./upstream";
+export { kind as a };
+export { modelToGroupVersionKind, gvkMap } from "./kinds";
+export * from "./types";

package/{src/lib/k8s/index.ts → dist/src/lib/k8s/index.js}

@@ -1,10 +1,7 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
-
 // Export kinds as a single object
 import * as kind from "./upstream";
 export { kind as a };
-
 export { modelToGroupVersionKind, gvkMap } from "./kinds";
-
 export * from "./types";

package/dist/src/lib/k8s/kinds.d.ts

@@ -0,0 +1,3 @@
+import { GroupVersionKind } from "./types";
+export declare const gvkMap: Record<string, GroupVersionKind>;
+export declare function modelToGroupVersionKind(key: string): GroupVersionKind;