pepr 0.1.27 → 0.1.28

package/dist/src/lib/k8s/webhook.d.ts

@@ -0,0 +1,33 @@
+import { V1ClusterRole, V1ClusterRoleBinding, V1Deployment, V1MutatingWebhookConfiguration, V1Namespace, V1NetworkPolicy, V1Secret, V1Service, V1ServiceAccount } from "@kubernetes/client-node";
+import { ModuleConfig } from "../types";
+import { TLSOut } from "./tls";
+export declare class Webhook {
+    private readonly config;
+    private readonly host?;
+    private name;
+    private _tls;
+    image: string;
+    get tls(): TLSOut;
+    constructor(config: ModuleConfig, host?: string);
+    /** Generate the pepr-system namespace */
+    namespace(): V1Namespace;
+    /**
+     * Grants the controller access to cluster resources beyond the mutating webhook.
+     *
+     * @todo: should dynamically generate this based on resources used by the module. will also need to explore how this should work for multiple modules.
+     * @returns
+     */
+    clusterRole(): V1ClusterRole;
+    clusterRoleBinding(): V1ClusterRoleBinding;
+    serviceAccount(): V1ServiceAccount;
+    tlsSecret(): V1Secret;
+    mutatingWebhook(): V1MutatingWebhookConfiguration;
+    deployment(): V1Deployment;
+    /** Only permit the  */
+    networkPolicy(): V1NetworkPolicy;
+    service(): V1Service;
+    moduleSecret(data: string): V1Secret;
+    zarfYaml(path: string): string;
+    allYaml(code: string): string;
+    deploy(code: string): Promise<void>;
+}

package/dist/src/lib/k8s/webhook.js

@@ -0,0 +1,490 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+import { AdmissionregistrationV1Api, AppsV1Api, CoreV1Api, KubeConfig, NetworkingV1Api, RbacAuthorizationV1Api, dumpYaml, } from "@kubernetes/client-node";
+import { gzipSync } from "zlib";
+import Log from "../logger";
+import { genTLS } from "./tls";
+const peprIgnore = {
+    key: "pepr.dev",
+    operator: "NotIn",
+    values: ["ignore"],
+};
+export class Webhook {
+    get tls() {
+        return this._tls;
+    }
+    constructor(config, host) {
+        this.config = config;
+        this.host = host;
+        this.name = `pepr-${config.uuid}`;
+        this.image = `ghcr.io/defenseunicorns/pepr/controller:${config.version}`;
+        // Generate the ephemeral tls things
+        this._tls = genTLS(this.host || `${this.name}.pepr-system.svc`);
+    }
+    /** Generate the pepr-system namespace */
+    namespace() {
+        return {
+            apiVersion: "v1",
+            kind: "Namespace",
+            metadata: { name: "pepr-system" },
+        };
+    }
+    /**
+     * Grants the controller access to cluster resources beyond the mutating webhook.
+     *
+     * @todo: should dynamically generate this based on resources used by the module. will also need to explore how this should work for multiple modules.
+     * @returns
+     */
+    clusterRole() {
+        return {
+            apiVersion: "rbac.authorization.k8s.io/v1",
+            kind: "ClusterRole",
+            metadata: { name: this.name },
+            rules: [
+                {
+                    // @todo: make this configurable
+                    apiGroups: ["*"],
+                    resources: ["*"],
+                    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"],
+                },
+            ],
+        };
+    }
+    clusterRoleBinding() {
+        const name = this.name;
+        return {
+            apiVersion: "rbac.authorization.k8s.io/v1",
+            kind: "ClusterRoleBinding",
+            metadata: { name },
+            roleRef: {
+                apiGroup: "rbac.authorization.k8s.io",
+                kind: "ClusterRole",
+                name,
+            },
+            subjects: [
+                {
+                    kind: "ServiceAccount",
+                    name,
+                    namespace: "pepr-system",
+                },
+            ],
+        };
+    }
+    serviceAccount() {
+        return {
+            apiVersion: "v1",
+            kind: "ServiceAccount",
+            metadata: {
+                name: this.name,
+                namespace: "pepr-system",
+            },
+        };
+    }
+    tlsSecret() {
+        return {
+            apiVersion: "v1",
+            kind: "Secret",
+            metadata: {
+                name: `${this.name}-tls`,
+                namespace: "pepr-system",
+            },
+            type: "kubernetes.io/tls",
+            data: {
+                "tls.crt": this._tls.crt,
+                "tls.key": this._tls.key,
+            },
+        };
+    }
+    mutatingWebhook() {
+        const { name } = this;
+        const ignore = [peprIgnore];
+        // Add any namespaces to ignore
+        if (this.config.alwaysIgnore.namespaces.length > 0) {
+            ignore.push({
+                key: "kubernetes.io/metadata.name",
+                operator: "NotIn",
+                values: this.config.alwaysIgnore.namespaces,
+            });
+        }
+        const clientConfig = {
+            caBundle: this._tls.ca,
+        };
+        // If a host is specified, use that with a port of 3000
+        if (this.host) {
+            clientConfig.url = `https://${this.host}:3000/mutate`;
+        }
+        else {
+            // Otherwise, use the service
+            clientConfig.service = {
+                name: this.name,
+                namespace: "pepr-system",
+                path: "/mutate",
+            };
+        }
+        return {
+            apiVersion: "admissionregistration.k8s.io/v1",
+            kind: "MutatingWebhookConfiguration",
+            metadata: { name },
+            webhooks: [
+                {
+                    name: `${name}.pepr.dev`,
+                    admissionReviewVersions: ["v1", "v1beta1"],
+                    clientConfig,
+                    failurePolicy: "Ignore",
+                    matchPolicy: "Equivalent",
+                    timeoutSeconds: 15,
+                    namespaceSelector: {
+                        matchExpressions: ignore,
+                    },
+                    objectSelector: {
+                        matchExpressions: ignore,
+                    },
+                    // @todo: make this configurable
+                    rules: [
+                        {
+                            apiGroups: ["*"],
+                            apiVersions: ["*"],
+                            operations: ["CREATE", "UPDATE", "DELETE"],
+                            resources: ["*/*"],
+                        },
+                    ],
+                    // @todo: track side effects state
+                    sideEffects: "None",
+                },
+            ],
+        };
+    }
+    deployment() {
+        return {
+            apiVersion: "apps/v1",
+            kind: "Deployment",
+            metadata: {
+                name: this.name,
+                namespace: "pepr-system",
+                labels: {
+                    app: this.name,
+                },
+            },
+            spec: {
+                replicas: 2,
+                selector: {
+                    matchLabels: {
+                        app: this.name,
+                    },
+                },
+                template: {
+                    metadata: {
+                        labels: {
+                            app: this.name,
+                        },
+                    },
+                    spec: {
+                        priorityClassName: "system-node-critical",
+                        serviceAccountName: this.name,
+                        containers: [
+                            {
+                                name: "server",
+                                image: this.image,
+                                imagePullPolicy: "IfNotPresent",
+                                livenessProbe: {
+                                    httpGet: {
+                                        path: "/healthz",
+                                        port: 3000,
+                                        scheme: "HTTPS",
+                                    },
+                                },
+                                ports: [
+                                    {
+                                        containerPort: 3000,
+                                    },
+                                ],
+                                resources: {
+                                    requests: {
+                                        memory: "64Mi",
+                                        cpu: "100m",
+                                    },
+                                    limits: {
+                                        memory: "256Mi",
+                                        cpu: "500m",
+                                    },
+                                },
+                                volumeMounts: [
+                                    {
+                                        name: "tls-certs",
+                                        mountPath: "/etc/certs",
+                                        readOnly: true,
+                                    },
+                                    {
+                                        name: "module",
+                                        mountPath: "/app/module.js.gz",
+                                        readOnly: true,
+                                    },
+                                ],
+                            },
+                        ],
+                        volumes: [
+                            {
+                                name: "tls-certs",
+                                secret: {
+                                    secretName: `${this.name}-tls`,
+                                },
+                            },
+                            {
+                                name: "module",
+                                secret: {
+                                    secretName: `${this.name}-module`,
+                                },
+                            },
+                        ],
+                    },
+                },
+            },
+        };
+    }
+    /** Only permit the  */
+    networkPolicy() {
+        return {
+            apiVersion: "networking.k8s.io/v1",
+            kind: "NetworkPolicy",
+            metadata: {
+                name: this.name,
+                namespace: "pepr-system",
+            },
+            spec: {
+                podSelector: {
+                    matchLabels: {
+                        app: this.name,
+                    },
+                },
+                policyTypes: ["Ingress"],
+                ingress: [
+                    {
+                        from: [
+                            {
+                                namespaceSelector: {
+                                    matchLabels: {
+                                        "kubernetes.io/metadata.name": "kube-system",
+                                    },
+                                },
+                            },
+                        ],
+                        ports: [
+                            {
+                                protocol: "TCP",
+                                port: 443,
+                            },
+                        ],
+                    },
+                ],
+            },
+        };
+    }
+    service() {
+        return {
+            apiVersion: "v1",
+            kind: "Service",
+            metadata: {
+                name: this.name,
+                namespace: "pepr-system",
+            },
+            spec: {
+                selector: {
+                    app: this.name,
+                },
+                ports: [
+                    {
+                        port: 443,
+                        targetPort: 3000,
+                    },
+                ],
+            },
+        };
+    }
+    moduleSecret(data) {
+        // Compress the data
+        const compressed = gzipSync(data);
+        return {
+            apiVersion: "v1",
+            kind: "Secret",
+            metadata: {
+                name: `${this.name}-module`,
+                namespace: "pepr-system",
+            },
+            type: "Opaque",
+            data: {
+                module: compressed.toString("base64"),
+            },
+        };
+    }
+    zarfYaml(path) {
+        const zarfCfg = {
+            kind: "ZarfPackageConfig",
+            metadata: {
+                name: this.name,
+                description: `Pepr Module: ${this.config.description}`,
+                url: "https://github.com/defenseunicorns/pepr",
+                version: this.config.version,
+            },
+            components: [
+                {
+                    name: "module",
+                    required: true,
+                    manifests: [
+                        {
+                            name: "module",
+                            namespace: "pepr-system",
+                            files: [path],
+                        },
+                    ],
+                    images: [this.image],
+                },
+            ],
+        };
+        return dumpYaml(zarfCfg, { noRefs: true });
+    }
+    allYaml(code) {
+        const resources = [
+            this.namespace(),
+            this.networkPolicy(),
+            this.clusterRole(),
+            this.clusterRoleBinding(),
+            this.serviceAccount(),
+            this.tlsSecret(),
+            this.mutatingWebhook(),
+            this.deployment(),
+            this.service(),
+            this.moduleSecret(code),
+        ];
+        // Convert the resources to a single YAML string
+        return resources.map(r => dumpYaml(r, { noRefs: true })).join("---\n");
+    }
+    async deploy(code) {
+        Log.info("Establishing connection to Kubernetes");
+        const namespace = "pepr-system";
+        // Deploy the resources using the k8s API
+        const kubeConfig = new KubeConfig();
+        kubeConfig.loadFromDefault();
+        const coreV1Api = kubeConfig.makeApiClient(CoreV1Api);
+        const rbacApi = kubeConfig.makeApiClient(RbacAuthorizationV1Api);
+        const appsApi = kubeConfig.makeApiClient(AppsV1Api);
+        const admissionApi = kubeConfig.makeApiClient(AdmissionregistrationV1Api);
+        const networkApi = kubeConfig.makeApiClient(NetworkingV1Api);
+        const ns = this.namespace();
+        try {
+            Log.info("Checking for namespace");
+            await coreV1Api.readNamespace(namespace);
+        }
+        catch (e) {
+            Log.debug(e.body);
+            Log.info("Creating namespace");
+            await coreV1Api.createNamespace(ns);
+        }
+        const netpol = this.networkPolicy();
+        try {
+            Log.info("Checking for network policy");
+            await networkApi.readNamespacedNetworkPolicy(netpol.metadata.name, namespace);
+        }
+        catch (e) {
+            Log.debug(e.body);
+            Log.info("Creating network policy");
+            await networkApi.createNamespacedNetworkPolicy(namespace, netpol);
+        }
+        const wh = this.mutatingWebhook();
+        try {
+            Log.info("Creating mutating webhook");
+            await admissionApi.createMutatingWebhookConfiguration(wh);
+        }
+        catch (e) {
+            Log.debug(e.body);
+            Log.info("Removing and re-creating mutating webhook");
+            await admissionApi.deleteMutatingWebhookConfiguration(wh.metadata.name);
+            await admissionApi.createMutatingWebhookConfiguration(wh);
+        }
+        const crb = this.clusterRoleBinding();
+        try {
+            Log.info("Creating cluster role binding");
+            await rbacApi.createClusterRoleBinding(crb);
+        }
+        catch (e) {
+            Log.debug(e.body);
+            Log.info("Removing and re-creating cluster role binding");
+            await rbacApi.deleteClusterRoleBinding(crb.metadata.name);
+            await rbacApi.createClusterRoleBinding(crb);
+        }
+        const cr = this.clusterRole();
+        try {
+            Log.info("Creating cluster role");
+            await rbacApi.createClusterRole(cr);
+        }
+        catch (e) {
+            Log.debug(e.body);
+            Log.info("Removing and re-creating  the cluster role");
+            try {
+                await rbacApi.deleteClusterRole(cr.metadata.name);
+                await rbacApi.createClusterRole(cr);
+            }
+            catch (e) {
+                Log.debug(e.body);
+            }
+        }
+        const sa = this.serviceAccount();
+        try {
+            Log.info("Creating service account");
+            await coreV1Api.createNamespacedServiceAccount(namespace, sa);
+        }
+        catch (e) {
+            Log.debug(e.body);
+            Log.info("Removing and re-creating service account");
+            await coreV1Api.deleteNamespacedServiceAccount(sa.metadata.name, namespace);
+            await coreV1Api.createNamespacedServiceAccount(namespace, sa);
+        }
+        // If a host is specified, we don't need to deploy the rest of the resources
+        if (this.host) {
+            return;
+        }
+        const mod = this.moduleSecret(code);
+        try {
+            Log.info("Creating module secret");
+            await coreV1Api.createNamespacedSecret(namespace, mod);
+        }
+        catch (e) {
+            Log.debug(e.body);
+            Log.info("Removing and re-creating module secret");
+            await coreV1Api.deleteNamespacedSecret(mod.metadata.name, namespace);
+            await coreV1Api.createNamespacedSecret(namespace, mod);
+        }
+        const svc = this.service();
+        try {
+            Log.info("Creating service");
+            await coreV1Api.createNamespacedService(namespace, svc);
+        }
+        catch (e) {
+            Log.debug(e.body);
+            Log.info("Removing and re-creating service");
+            await coreV1Api.deleteNamespacedService(svc.metadata.name, namespace);
+            await coreV1Api.createNamespacedService(namespace, svc);
+        }
+        const tls = this.tlsSecret();
+        try {
+            Log.info("Creating TLS secret");
+            await coreV1Api.createNamespacedSecret(namespace, tls);
+        }
+        catch (e) {
+            Log.debug(e.body);
+            Log.info("Removing and re-creating TLS secret");
+            await coreV1Api.deleteNamespacedSecret(tls.metadata.name, namespace);
+            await coreV1Api.createNamespacedSecret(namespace, tls);
+        }
+        const dep = this.deployment();
+        try {
+            Log.info("Creating deployment");
+            await appsApi.createNamespacedDeployment(namespace, dep);
+        }
+        catch (e) {
+            Log.debug(e.body);
+            Log.info("Removing and re-creating deployment");
+            await appsApi.deleteNamespacedDeployment(dep.metadata.name, namespace);
+            await appsApi.createNamespacedDeployment(namespace, dep);
+        }
+    }
+}

package/dist/src/lib/logger.d.ts

@@ -0,0 +1,54 @@
+/**
+ * Enumeration representing different logging levels.
+ */
+export declare enum LogLevel {
+    debug = 0,
+    info = 1,
+    warn = 2,
+    error = 3
+}
+/**
+ * Simple logger class that logs messages at different log levels.
+ */
+export declare class Logger {
+    private _logLevel;
+    /**
+     * Create a new logger instance.
+     * @param logLevel - The minimum log level to log messages for.
+     */
+    constructor(logLevel: LogLevel);
+    /**
+     * Change the log level of the logger.
+     * @param logLevel - The log level to log the message at.
+     */
+    SetLogLevel(logLevel: string): void;
+    /**
+     * Log a debug message.
+     * @param message - The message to log.
+     */
+    debug<T>(message: T, prefix?: string): void;
+    /**
+     * Log an info message.
+     * @param message - The message to log.
+     */
+    info<T>(message: T, prefix?: string): void;
+    /**
+     * Log a warning message.
+     * @param message - The message to log.
+     */
+    warn<T>(message: T, prefix?: string): void;
+    /**
+     * Log an error message.
+     * @param message - The message to log.
+     */
+    error<T>(message: T, prefix?: string): void;
+    /**
+     * Log a message at the specified log level.
+     * @param logLevel - The log level of the message.
+     * @param message - The message to log.
+     */
+    private log;
+    private colorize;
+}
+declare const _default: Logger;
+export default _default;

package/dist/{types-1709b44f.js → src/lib/logger.js}

@@ -1,12 +1,9 @@
-#!/usr/bin/env node
-'use strict';
-
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 /**
  * Enumeration representing different logging levels.
  */
-var LogLevel;
+export var LogLevel;
 (function (LogLevel) {
     LogLevel[LogLevel["debug"] = 0] = "debug";
     LogLevel[LogLevel["info"] = 1] = "info";
@@ -42,7 +39,7 @@ var ConsoleColors;
 /**
  * Simple logger class that logs messages at different log levels.
  */
-class Logger {
+export class Logger {
     /**
      * Create a new logger instance.
      * @param logLevel - The minimum log level to log messages for.
@@ -116,38 +113,4 @@ class Logger {
         return color + text + ConsoleColors.Reset;
     }
 }
-var logger = new Logger(LogLevel.info);
-
-// SPDX-License-Identifier: Apache-2.0
-// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
-/**
- * The behavior of this module when an error occurs.
- */
-exports.ErrorBehavior = void 0;
-(function (ErrorBehavior) {
-    ErrorBehavior["ignore"] = "ignore";
-    ErrorBehavior["audit"] = "audit";
-    ErrorBehavior["reject"] = "reject";
-})(exports.ErrorBehavior || (exports.ErrorBehavior = {}));
-/**
- * The phase of the Kubernetes admission webhook that the capability is registered for.
- *
- * Currently only `mutate` is supported.
- */
-exports.HookPhase = void 0;
-(function (HookPhase) {
-    HookPhase["mutate"] = "mutate";
-    HookPhase["valdiate"] = "validate";
-})(exports.HookPhase || (exports.HookPhase = {}));
-/**
- * The type of Kubernetes mutating webhook event ethat the capability action is registered for.
- */
-exports.Event = void 0;
-(function (Event) {
-    Event["Create"] = "create";
-    Event["Update"] = "update";
-    Event["Delete"] = "delete";
-    Event["CreateOrUpdate"] = "createOrUpdate";
-})(exports.Event || (exports.Event = {}));
-
-exports.logger = logger;
+export default new Logger(LogLevel.info);

package/dist/src/lib/module.d.ts

@@ -0,0 +1,22 @@
+import { Capability } from "./capability";
+import { ModuleConfig } from "./types";
+export type PackageJSON = {
+    description: string;
+    pepr: ModuleConfig;
+};
+export declare class PeprModule {
+    private _controller;
+    /**
+     * Create a new Pepr runtime
+     *
+     * @param config The configuration for the Pepr runtime
+     */
+    constructor({ description, pepr }: PackageJSON, capabilities?: Capability[], deferStart?: boolean);
+    /**
+     * Start the Pepr runtime manually.
+     * Normally this is called automatically when the Pepr module is instantiated, but can be called manually if `deferStart` is set to `true` in the constructor.
+     *
+     * @param port
+     */
+    start(port?: number): void;
+}

package/dist/src/lib/module.js

@@ -0,0 +1,32 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+import R from "ramda";
+import { Controller } from "./controller";
+const alwaysIgnore = {
+    namespaces: ["kube-system", "pepr-system"],
+    labels: [{ "pepr.dev": "ignore" }],
+};
+export class PeprModule {
+    /**
+     * Create a new Pepr runtime
+     *
+     * @param config The configuration for the Pepr runtime
+     */
+    constructor({ description, pepr }, capabilities = [], deferStart = false) {
+        const config = R.mergeDeepWith(R.concat, pepr, alwaysIgnore);
+        config.description = description;
+        this._controller = new Controller(config, capabilities);
+        if (!deferStart) {
+            this.start();
+        }
+    }
+    /**
+     * Start the Pepr runtime manually.
+     * Normally this is called automatically when the Pepr module is instantiated, but can be called manually if `deferStart` is set to `true` in the constructor.
+     *
+     * @param port
+     */
+    start(port = 3000) {
+        this._controller.startServer(port);
+    }
+}

package/dist/src/lib/processor.d.ts

@@ -0,0 +1,4 @@
+import { Capability } from "./capability";
+import { Request, Response } from "./k8s/types";
+import { ModuleConfig } from "./types";
+export declare function processor(config: ModuleConfig, capabilities: Capability[], req: Request): Response;