pepr 0.12.1 → 0.13.0

package/src/lib/assets/deploy.ts

@@ -0,0 +1,179 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import {
+  AdmissionregistrationV1Api as AdmissionRegV1API,
+  AppsV1Api,
+  CoreV1Api,
+  HttpError,
+  KubeConfig,
+  RbacAuthorizationV1Api,
+} from "@kubernetes/client-node";
+import crypto from "crypto";
+import { promises as fs } from "fs";
+
+import { Assets } from ".";
+import Log from "../logger";
+import { apiTokenSecret, service, tlsSecret } from "./networking";
+import { deployment, moduleSecret, namespace } from "./pods";
+import { clusterRole, clusterRoleBinding, serviceAccount } from "./rbac";
+import { webhookConfig } from "./webhooks";
+
+export async function deploy(assets: Assets, webhookTimeout?: number) {
+  Log.info("Establishing connection to Kubernetes");
+
+  const peprNS = "pepr-system";
+  const { name, host, path } = assets;
+
+  // Deploy the resources using the k8s API
+  const kubeConfig = new KubeConfig();
+  kubeConfig.loadFromDefault();
+
+  const coreV1Api = kubeConfig.makeApiClient(CoreV1Api);
+  const admissionApi = kubeConfig.makeApiClient(AdmissionRegV1API);
+
+  try {
+    Log.info("Checking for namespace");
+    await coreV1Api.readNamespace(peprNS);
+  } catch (e) {
+    Log.debug(e instanceof HttpError ? e.body : e);
+    Log.info("Creating namespace");
+    await coreV1Api.createNamespace(namespace);
+  }
+
+  // Create the mutating webhook configuration if it is needed
+  const mutateWebhook = await webhookConfig(assets, "mutate", webhookTimeout);
+  if (mutateWebhook) {
+    try {
+      Log.info("Creating mutating webhook");
+      await admissionApi.createMutatingWebhookConfiguration(mutateWebhook);
+    } catch (e) {
+      Log.debug(e instanceof HttpError ? e.body : e);
+      Log.info("Removing and re-creating mutating webhook");
+      await admissionApi.deleteMutatingWebhookConfiguration(mutateWebhook.metadata?.name ?? "");
+      await admissionApi.createMutatingWebhookConfiguration(mutateWebhook);
+    }
+  }
+
+  // Create the validating webhook configuration if it is needed
+  const validateWebhook = await webhookConfig(assets, "validate", webhookTimeout);
+  if (validateWebhook) {
+    try {
+      Log.info("Creating validating webhook");
+      await admissionApi.createValidatingWebhookConfiguration(validateWebhook);
+    } catch (e) {
+      Log.debug(e instanceof HttpError ? e.body : e);
+      Log.info("Removing and re-creating validating webhook");
+      await admissionApi.deleteValidatingWebhookConfiguration(validateWebhook.metadata?.name ?? "");
+      await admissionApi.createValidatingWebhookConfiguration(validateWebhook);
+    }
+  }
+
+  // If a host is specified, we don't need to deploy the rest of the resources
+  if (host) {
+    return;
+  }
+
+  if (!path) {
+    throw new Error("No code provided");
+  }
+
+  const code = await fs.readFile(path);
+
+  const hash = crypto.createHash("sha256").update(code).digest("hex");
+
+  const appsApi = kubeConfig.makeApiClient(AppsV1Api);
+  const rbacApi = kubeConfig.makeApiClient(RbacAuthorizationV1Api);
+
+  const crb = clusterRoleBinding(name);
+  try {
+    Log.info("Creating cluster role binding");
+    await rbacApi.createClusterRoleBinding(crb);
+  } catch (e) {
+    Log.debug(e instanceof HttpError ? e.body : e);
+    Log.info("Removing and re-creating cluster role binding");
+    await rbacApi.deleteClusterRoleBinding(crb.metadata?.name ?? "");
+    await rbacApi.createClusterRoleBinding(crb);
+  }
+
+  const cr = clusterRole(name);
+  try {
+    Log.info("Creating cluster role");
+    await rbacApi.createClusterRole(cr);
+  } catch (e) {
+    Log.debug(e instanceof HttpError ? e.body : e);
+    Log.info("Removing and re-creating  the cluster role");
+    try {
+      await rbacApi.deleteClusterRole(cr.metadata?.name ?? "");
+      await rbacApi.createClusterRole(cr);
+    } catch (e) {
+      Log.debug(e instanceof HttpError ? e.body : e);
+    }
+  }
+
+  const sa = serviceAccount(name);
+  try {
+    Log.info("Creating service account");
+    await coreV1Api.createNamespacedServiceAccount(peprNS, sa);
+  } catch (e) {
+    Log.debug(e instanceof HttpError ? e.body : e);
+    Log.info("Removing and re-creating service account");
+    await coreV1Api.deleteNamespacedServiceAccount(sa.metadata?.name ?? "", peprNS);
+    await coreV1Api.createNamespacedServiceAccount(peprNS, sa);
+  }
+
+  const mod = moduleSecret(name, code, hash);
+  try {
+    Log.info("Creating module secret");
+    await coreV1Api.createNamespacedSecret(peprNS, mod);
+  } catch (e) {
+    Log.debug(e instanceof HttpError ? e.body : e);
+    Log.info("Removing and re-creating module secret");
+    await coreV1Api.deleteNamespacedSecret(mod.metadata?.name ?? "", peprNS);
+    await coreV1Api.createNamespacedSecret(peprNS, mod);
+  }
+
+  const svc = service(name);
+  try {
+    Log.info("Creating service");
+    await coreV1Api.createNamespacedService(peprNS, svc);
+  } catch (e) {
+    Log.debug(e instanceof HttpError ? e.body : e);
+    Log.info("Removing and re-creating service");
+    await coreV1Api.deleteNamespacedService(svc.metadata?.name ?? "", peprNS);
+    await coreV1Api.createNamespacedService(peprNS, svc);
+  }
+
+  const tls = tlsSecret(name, assets.tls);
+  try {
+    Log.info("Creating TLS secret");
+    await coreV1Api.createNamespacedSecret(peprNS, tls);
+  } catch (e) {
+    Log.debug(e instanceof HttpError ? e.body : e);
+    Log.info("Removing and re-creating TLS secret");
+    await coreV1Api.deleteNamespacedSecret(tls.metadata?.name ?? "", peprNS);
+    await coreV1Api.createNamespacedSecret(peprNS, tls);
+  }
+
+  const apiToken = apiTokenSecret(name, assets.apiToken);
+  try {
+    Log.info("Creating API token secret");
+    await coreV1Api.createNamespacedSecret(peprNS, apiToken);
+  } catch (e) {
+    Log.debug(e instanceof HttpError ? e.body : e);
+    Log.info("Removing and re-creating API token secret");
+    await coreV1Api.deleteNamespacedSecret(apiToken.metadata?.name ?? "", peprNS);
+    await coreV1Api.createNamespacedSecret(peprNS, apiToken);
+  }
+
+  const dep = deployment(assets, hash);
+  try {
+    Log.info("Creating deployment");
+    await appsApi.createNamespacedDeployment(peprNS, dep);
+  } catch (e) {
+    Log.debug(e instanceof HttpError ? e.body : e);
+    Log.info("Removing and re-creating deployment");
+    await appsApi.deleteNamespacedDeployment(dep.metadata?.name ?? "", peprNS);
+    await appsApi.createNamespacedDeployment(peprNS, dep);
+  }
+}

package/src/lib/assets/index.ts

@@ -0,0 +1,46 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import crypto from "crypto";
+
+import { TLSOut, genTLS } from "../k8s/tls";
+import { ModuleConfig } from "../types";
+import { deploy } from "./deploy";
+import { ModuleCapabilities, loadCapabilities } from "./loader";
+import { allYaml, zarfYaml } from "./yaml";
+
+export class Assets {
+  readonly name: string;
+  readonly tls: TLSOut;
+  readonly apiToken: string;
+  capabilities!: ModuleCapabilities[];
+  image: string;
+
+  constructor(
+    readonly config: ModuleConfig,
+    readonly path: string,
+    readonly host?: string,
+  ) {
+    this.name = `pepr-${config.uuid}`;
+
+    this.image = `ghcr.io/defenseunicorns/pepr/controller:v${config.peprVersion}`;
+
+    // Generate the ephemeral tls things
+    this.tls = genTLS(this.host || `${this.name}.pepr-system.svc`);
+
+    // Generate the api token for the controller / webhook
+    this.apiToken = crypto.randomBytes(32).toString("hex");
+  }
+
+  deploy = async (webhookTimeout?: number) => {
+    this.capabilities = await loadCapabilities(this.path);
+    await deploy(this, webhookTimeout);
+  };
+
+  zarfYaml = (path: string) => zarfYaml(this, path);
+
+  allYaml = async () => {
+    this.capabilities = await loadCapabilities(this.path);
+    return allYaml(this);
+  };
+}

package/src/lib/assets/loader.ts

@@ -0,0 +1,49 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { fork } from "child_process";
+
+import { Binding } from "../types";
+
+// We are receiving javascript so the private fields are now public
+export interface ModuleCapabilities {
+  _name: string;
+  _description: string;
+  _namespaces: string[];
+  _bindings: Binding[];
+}
+
+/**
+ * Read the capabilities from the module by running it in build mode
+ * @param path
+ * @returns
+ */
+export function loadCapabilities(path: string): Promise<ModuleCapabilities[]> {
+  return new Promise((resolve, reject) => {
+    // Fork is needed with the PEPR_MODE env var to ensure the module is loaded in build mode and will send back the capabilities
+    const program = fork(path, {
+      env: {
+        ...process.env,
+        LOG_LEVEL: "warn",
+        PEPR_MODE: "build",
+      },
+    });
+
+    // Wait for the module to send back the capabilities
+    program.on("message", message => {
+      // Cast the message to the ModuleCapabilities type
+      const capabilities = message.valueOf() as ModuleCapabilities[];
+
+      // Iterate through the capabilities and generate the rules
+      for (const capability of capabilities) {
+        console.info(`Registered Pepr Capability "${capability._name}"`);
+      }
+
+      resolve(capabilities);
+    });
+
+    program.on("error", error => {
+      reject(error);
+    });
+  });
+}

package/src/lib/assets/networking.ts

@@ -0,0 +1,58 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { TLSOut } from "../k8s/tls";
+import { Secret, Service } from "../k8s/upstream";
+
+export function apiTokenSecret(name: string, apiToken: string): Secret {
+  return {
+    apiVersion: "v1",
+    kind: "Secret",
+    metadata: {
+      name: `${name}-api-token`,
+      namespace: "pepr-system",
+    },
+    type: "Opaque",
+    data: {
+      value: Buffer.from(apiToken).toString("base64"),
+    },
+  };
+}
+
+export function tlsSecret(name: string, tls: TLSOut): Secret {
+  return {
+    apiVersion: "v1",
+    kind: "Secret",
+    metadata: {
+      name: `${name}-tls`,
+      namespace: "pepr-system",
+    },
+    type: "kubernetes.io/tls",
+    data: {
+      "tls.crt": tls.crt,
+      "tls.key": tls.key,
+    },
+  };
+}
+
+export function service(name: string): Service {
+  return {
+    apiVersion: "v1",
+    kind: "Service",
+    metadata: {
+      name,
+      namespace: "pepr-system",
+    },
+    spec: {
+      selector: {
+        app: name,
+      },
+      ports: [
+        {
+          port: 443,
+          targetPort: 3000,
+        },
+      ],
+    },
+  };
+}

package/src/lib/assets/pods.ts

@@ -0,0 +1,148 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { gzipSync } from "zlib";
+
+import { Assets } from ".";
+import { Deployment, Namespace, Secret } from "../k8s/upstream";
+
+/** Generate the pepr-system namespace */
+export const namespace: Namespace = {
+  apiVersion: "v1",
+  kind: "Namespace",
+  metadata: { name: "pepr-system" },
+};
+
+export function deployment(assets: Assets, hash: string): Deployment {
+  const { name, image } = assets;
+  const app = name;
+
+  return {
+    apiVersion: "apps/v1",
+    kind: "Deployment",
+    metadata: {
+      name,
+      namespace: "pepr-system",
+      labels: {
+        app,
+      },
+    },
+    spec: {
+      replicas: 2,
+      selector: {
+        matchLabels: {
+          app,
+        },
+      },
+      template: {
+        metadata: {
+          labels: {
+            app,
+          },
+        },
+        spec: {
+          priorityClassName: "system-node-critical",
+          serviceAccountName: name,
+          containers: [
+            {
+              name: "server",
+              image,
+              imagePullPolicy: "IfNotPresent",
+              command: ["node", "/app/node_modules/pepr/dist/controller.js", hash],
+              readinessProbe: {
+                httpGet: {
+                  path: "/healthz",
+                  port: 3000,
+                  scheme: "HTTPS",
+                },
+              },
+              livenessProbe: {
+                httpGet: {
+                  path: "/healthz",
+                  port: 3000,
+                  scheme: "HTTPS",
+                },
+              },
+              ports: [
+                {
+                  containerPort: 3000,
+                },
+              ],
+              env: [
+                {
+                  name: "PEPR_PRETTY_LOG",
+                  value: "false",
+                },
+              ],
+              resources: {
+                requests: {
+                  memory: "64Mi",
+                  cpu: "100m",
+                },
+                limits: {
+                  memory: "256Mi",
+                  cpu: "500m",
+                },
+              },
+              volumeMounts: [
+                {
+                  name: "tls-certs",
+                  mountPath: "/etc/certs",
+                  readOnly: true,
+                },
+                {
+                  name: "api-token",
+                  mountPath: "/app/api-token",
+                  readOnly: true,
+                },
+                {
+                  name: "module",
+                  mountPath: `/app/load`,
+                  readOnly: true,
+                },
+              ],
+            },
+          ],
+          volumes: [
+            {
+              name: "tls-certs",
+              secret: {
+                secretName: `${name}-tls`,
+              },
+            },
+            {
+              name: "api-token",
+              secret: {
+                secretName: `${name}-api-token`,
+              },
+            },
+            {
+              name: "module",
+              secret: {
+                secretName: `${name}-module`,
+              },
+            },
+          ],
+        },
+      },
+    },
+  };
+}
+
+export function moduleSecret(name: string, data: Buffer, hash: string): Secret {
+  // Compress the data
+  const compressed = gzipSync(data);
+  const path = `module-${hash}.js.gz`;
+  return {
+    apiVersion: "v1",
+    kind: "Secret",
+    metadata: {
+      name: `${name}-module`,
+      namespace: "pepr-system",
+    },
+    type: "Opaque",
+    data: {
+      [path]: compressed.toString("base64"),
+    },
+  };
+}

package/src/lib/assets/rbac.ts

@@ -0,0 +1,57 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { ClusterRole, ClusterRoleBinding, ServiceAccount } from "../k8s/upstream";
+
+/**
+ * Grants the controller access to cluster resources beyond the mutating webhook.
+ *
+ * @todo: should dynamically generate this based on resources used by the module. will also need to explore how this should work for multiple modules.
+ * @returns
+ */
+export function clusterRole(name: string): ClusterRole {
+  return {
+    apiVersion: "rbac.authorization.k8s.io/v1",
+    kind: "ClusterRole",
+    metadata: { name },
+    rules: [
+      {
+        // @todo: make this configurable
+        apiGroups: ["*"],
+        resources: ["*"],
+        verbs: ["create", "delete", "get", "list", "patch", "update", "watch"],
+      },
+    ],
+  };
+}
+
+export function clusterRoleBinding(name: string): ClusterRoleBinding {
+  return {
+    apiVersion: "rbac.authorization.k8s.io/v1",
+    kind: "ClusterRoleBinding",
+    metadata: { name },
+    roleRef: {
+      apiGroup: "rbac.authorization.k8s.io",
+      kind: "ClusterRole",
+      name,
+    },
+    subjects: [
+      {
+        kind: "ServiceAccount",
+        name,
+        namespace: "pepr-system",
+      },
+    ],
+  };
+}
+
+export function serviceAccount(name: string): ServiceAccount {
+  return {
+    apiVersion: "v1",
+    kind: "ServiceAccount",
+    metadata: {
+      name,
+      namespace: "pepr-system",
+    },
+  };
+}

package/src/lib/assets/webhooks.ts

@@ -0,0 +1,139 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import {
+  AdmissionregistrationV1WebhookClientConfig as AdmissionRegnV1WebhookClientCfg,
+  V1LabelSelectorRequirement,
+  V1RuleWithOperations,
+} from "@kubernetes/client-node";
+import { concat, equals, uniqWith } from "ramda";
+
+import { Assets } from ".";
+import { MutatingWebhookConfiguration, ValidatingWebhookConfiguration } from "../k8s/upstream";
+import { Event } from "../types";
+
+const peprIgnoreLabel: V1LabelSelectorRequirement = {
+  key: "pepr.dev",
+  operator: "NotIn",
+  values: ["ignore"],
+};
+
+const peprIgnoreNamespaces: string[] = ["kube-system", "pepr-system"];
+
+export async function generateWebhookRules(assets: Assets, isMutateWebhook: boolean) {
+  const { config, capabilities } = assets;
+  const rules: V1RuleWithOperations[] = [];
+
+  // Iterate through the capabilities and generate the rules
+  for (const capability of capabilities) {
+    console.info(`Module ${config.uuid} has capability: ${capability._name}`);
+
+    // Read the bindings and generate the rules
+    for (const binding of capability._bindings) {
+      const { event, kind, isMutate, isValidate } = binding;
+
+      // If the module doesn't have a callback for the event, skip it
+      if (isMutateWebhook && !isMutate) {
+        continue;
+      }
+
+      if (!isMutateWebhook && !isValidate) {
+        continue;
+      }
+
+      const operations: string[] = [];
+
+      // CreateOrUpdate is a Pepr-specific event that is translated to Create and Update
+      if (event === Event.CreateOrUpdate) {
+        operations.push(Event.Create, Event.Update);
+      } else {
+        operations.push(event);
+      }
+
+      // Use the plural property if it exists, otherwise use lowercase kind + s
+      const resource = kind.plural || `${kind.kind.toLowerCase()}s`;
+
+      rules.push({
+        apiGroups: [kind.group],
+        apiVersions: [kind.version || "*"],
+        operations,
+        resources: [resource],
+      });
+    }
+  }
+
+  // Return the rules with duplicates removed
+  return uniqWith(equals, rules);
+}
+
+export async function webhookConfig(
+  assets: Assets,
+  mutateOrValidate: "mutate" | "validate",
+  timeoutSeconds = 10,
+): Promise<MutatingWebhookConfiguration | ValidatingWebhookConfiguration | null> {
+  const ignore = [peprIgnoreLabel];
+
+  const { name, tls, config, apiToken, host } = assets;
+  const ignoreNS = concat(peprIgnoreNamespaces, config.alwaysIgnore.namespaces || []);
+
+  // Add any namespaces to ignore
+  if (ignoreNS) {
+    ignore.push({
+      key: "kubernetes.io/metadata.name",
+      operator: "NotIn",
+      values: ignoreNS,
+    });
+  }
+
+  const clientConfig: AdmissionRegnV1WebhookClientCfg = {
+    caBundle: tls.ca,
+  };
+
+  // The URL must include the API Token
+  const apiPath = `/${mutateOrValidate}/${apiToken}`;
+
+  // If a host is specified, use that with a port of 3000
+  if (host) {
+    clientConfig.url = `https://${host}:3000${apiPath}`;
+  } else {
+    // Otherwise, use the service
+    clientConfig.service = {
+      name: name,
+      namespace: "pepr-system",
+      path: apiPath,
+    };
+  }
+
+  const isMutate = mutateOrValidate === "mutate";
+  const rules = await generateWebhookRules(assets, isMutate);
+
+  // If there are no rules, return null
+  if (rules.length < 1) {
+    return null;
+  }
+
+  return {
+    apiVersion: "admissionregistration.k8s.io/v1",
+    kind: isMutate ? "MutatingWebhookConfiguration" : "ValidatingWebhookConfiguration",
+    metadata: { name },
+    webhooks: [
+      {
+        name: `${name}.pepr.dev`,
+        admissionReviewVersions: ["v1", "v1beta1"],
+        clientConfig,
+        failurePolicy: "Ignore",
+        matchPolicy: "Equivalent",
+        timeoutSeconds,
+        namespaceSelector: {
+          matchExpressions: ignore,
+        },
+        objectSelector: {
+          matchExpressions: ignore,
+        },
+        rules,
+        // @todo: track side effects state
+        sideEffects: "None",
+      },
+    ],
+  };
+}