pepr 0.12.2 → 0.13.1

package/src/lib/assets/index.ts

@@ -0,0 +1,53 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import crypto from "crypto";
+
+import { TLSOut, genTLS } from "../k8s/tls";
+import { CapabilityExport, ModuleConfig } from "../types";
+import { deploy } from "./deploy";
+import { loadCapabilities } from "./loader";
+import { allYaml, zarfYaml } from "./yaml";
+
+export class Assets {
+  readonly name: string;
+  readonly tls: TLSOut;
+  readonly apiToken: string;
+  capabilities!: CapabilityExport[];
+  image: string;
+
+  constructor(
+    readonly config: ModuleConfig,
+    readonly path: string,
+    readonly host?: string,
+  ) {
+    // Bind public methods
+    this.deploy = this.deploy.bind(this);
+    this.zarfYaml = this.zarfYaml.bind(this);
+    this.allYaml = this.allYaml.bind(this);
+
+    this.name = `pepr-${config.uuid}`;
+
+    this.image = `ghcr.io/defenseunicorns/pepr/controller:v${config.peprVersion}`;
+
+    // Generate the ephemeral tls things
+    this.tls = genTLS(this.host || `${this.name}.pepr-system.svc`);
+
+    // Generate the api token for the controller / webhook
+    this.apiToken = crypto.randomBytes(32).toString("hex");
+  }
+
+  async deploy(webhookTimeout?: number) {
+    this.capabilities = await loadCapabilities(this.path);
+    await deploy(this, webhookTimeout);
+  }
+
+  zarfYaml(path: string) {
+    return zarfYaml(this, path);
+  }
+
+  async allYaml() {
+    this.capabilities = await loadCapabilities(this.path);
+    return allYaml(this);
+  }
+}

package/src/lib/assets/loader.ts

@@ -0,0 +1,41 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { fork } from "child_process";
+
+import { CapabilityExport } from "../types";
+
+/**
+ * Read the capabilities from the module by running it in build mode
+ * @param path
+ * @returns
+ */
+export function loadCapabilities(path: string): Promise<CapabilityExport[]> {
+  return new Promise((resolve, reject) => {
+    // Fork is needed with the PEPR_MODE env var to ensure the module is loaded in build mode and will send back the capabilities
+    const program = fork(path, {
+      env: {
+        ...process.env,
+        LOG_LEVEL: "warn",
+        PEPR_MODE: "build",
+      },
+    });
+
+    // Wait for the module to send back the capabilities
+    program.on("message", message => {
+      // Cast the message to the ModuleCapabilities type
+      const capabilities = message.valueOf() as CapabilityExport[];
+
+      // Iterate through the capabilities and generate the rules
+      for (const capability of capabilities) {
+        console.info(`Registered Pepr Capability "${capability.name}"`);
+      }
+
+      resolve(capabilities);
+    });
+
+    program.on("error", error => {
+      reject(error);
+    });
+  });
+}

package/src/lib/assets/networking.ts

@@ -0,0 +1,58 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { TLSOut } from "../k8s/tls";
+import { Secret, Service } from "../k8s/upstream";
+
+export function apiTokenSecret(name: string, apiToken: string): Secret {
+  return {
+    apiVersion: "v1",
+    kind: "Secret",
+    metadata: {
+      name: `${name}-api-token`,
+      namespace: "pepr-system",
+    },
+    type: "Opaque",
+    data: {
+      value: Buffer.from(apiToken).toString("base64"),
+    },
+  };
+}
+
+export function tlsSecret(name: string, tls: TLSOut): Secret {
+  return {
+    apiVersion: "v1",
+    kind: "Secret",
+    metadata: {
+      name: `${name}-tls`,
+      namespace: "pepr-system",
+    },
+    type: "kubernetes.io/tls",
+    data: {
+      "tls.crt": tls.crt,
+      "tls.key": tls.key,
+    },
+  };
+}
+
+export function service(name: string): Service {
+  return {
+    apiVersion: "v1",
+    kind: "Service",
+    metadata: {
+      name,
+      namespace: "pepr-system",
+    },
+    spec: {
+      selector: {
+        app: name,
+      },
+      ports: [
+        {
+          port: 443,
+          targetPort: 3000,
+        },
+      ],
+    },
+  };
+}

package/src/lib/assets/pods.ts

@@ -0,0 +1,148 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { gzipSync } from "zlib";
+
+import { Assets } from ".";
+import { Deployment, Namespace, Secret } from "../k8s/upstream";
+
+/** Generate the pepr-system namespace */
+export const namespace: Namespace = {
+  apiVersion: "v1",
+  kind: "Namespace",
+  metadata: { name: "pepr-system" },
+};
+
+export function deployment(assets: Assets, hash: string): Deployment {
+  const { name, image } = assets;
+  const app = name;
+
+  return {
+    apiVersion: "apps/v1",
+    kind: "Deployment",
+    metadata: {
+      name,
+      namespace: "pepr-system",
+      labels: {
+        app,
+      },
+    },
+    spec: {
+      replicas: 2,
+      selector: {
+        matchLabels: {
+          app,
+        },
+      },
+      template: {
+        metadata: {
+          labels: {
+            app,
+          },
+        },
+        spec: {
+          priorityClassName: "system-node-critical",
+          serviceAccountName: name,
+          containers: [
+            {
+              name: "server",
+              image,
+              imagePullPolicy: "IfNotPresent",
+              command: ["node", "/app/node_modules/pepr/dist/controller.js", hash],
+              readinessProbe: {
+                httpGet: {
+                  path: "/healthz",
+                  port: 3000,
+                  scheme: "HTTPS",
+                },
+              },
+              livenessProbe: {
+                httpGet: {
+                  path: "/healthz",
+                  port: 3000,
+                  scheme: "HTTPS",
+                },
+              },
+              ports: [
+                {
+                  containerPort: 3000,
+                },
+              ],
+              env: [
+                {
+                  name: "PEPR_PRETTY_LOG",
+                  value: "false",
+                },
+              ],
+              resources: {
+                requests: {
+                  memory: "64Mi",
+                  cpu: "100m",
+                },
+                limits: {
+                  memory: "256Mi",
+                  cpu: "500m",
+                },
+              },
+              volumeMounts: [
+                {
+                  name: "tls-certs",
+                  mountPath: "/etc/certs",
+                  readOnly: true,
+                },
+                {
+                  name: "api-token",
+                  mountPath: "/app/api-token",
+                  readOnly: true,
+                },
+                {
+                  name: "module",
+                  mountPath: `/app/load`,
+                  readOnly: true,
+                },
+              ],
+            },
+          ],
+          volumes: [
+            {
+              name: "tls-certs",
+              secret: {
+                secretName: `${name}-tls`,
+              },
+            },
+            {
+              name: "api-token",
+              secret: {
+                secretName: `${name}-api-token`,
+              },
+            },
+            {
+              name: "module",
+              secret: {
+                secretName: `${name}-module`,
+              },
+            },
+          ],
+        },
+      },
+    },
+  };
+}
+
+export function moduleSecret(name: string, data: Buffer, hash: string): Secret {
+  // Compress the data
+  const compressed = gzipSync(data);
+  const path = `module-${hash}.js.gz`;
+  return {
+    apiVersion: "v1",
+    kind: "Secret",
+    metadata: {
+      name: `${name}-module`,
+      namespace: "pepr-system",
+    },
+    type: "Opaque",
+    data: {
+      [path]: compressed.toString("base64"),
+    },
+  };
+}

package/src/lib/assets/rbac.ts

@@ -0,0 +1,57 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { ClusterRole, ClusterRoleBinding, ServiceAccount } from "../k8s/upstream";
+
+/**
+ * Grants the controller access to cluster resources beyond the mutating webhook.
+ *
+ * @todo: should dynamically generate this based on resources used by the module. will also need to explore how this should work for multiple modules.
+ * @returns
+ */
+export function clusterRole(name: string): ClusterRole {
+  return {
+    apiVersion: "rbac.authorization.k8s.io/v1",
+    kind: "ClusterRole",
+    metadata: { name },
+    rules: [
+      {
+        // @todo: make this configurable
+        apiGroups: ["*"],
+        resources: ["*"],
+        verbs: ["create", "delete", "get", "list", "patch", "update", "watch"],
+      },
+    ],
+  };
+}
+
+export function clusterRoleBinding(name: string): ClusterRoleBinding {
+  return {
+    apiVersion: "rbac.authorization.k8s.io/v1",
+    kind: "ClusterRoleBinding",
+    metadata: { name },
+    roleRef: {
+      apiGroup: "rbac.authorization.k8s.io",
+      kind: "ClusterRole",
+      name,
+    },
+    subjects: [
+      {
+        kind: "ServiceAccount",
+        name,
+        namespace: "pepr-system",
+      },
+    ],
+  };
+}
+
+export function serviceAccount(name: string): ServiceAccount {
+  return {
+    apiVersion: "v1",
+    kind: "ServiceAccount",
+    metadata: {
+      name,
+      namespace: "pepr-system",
+    },
+  };
+}

package/src/lib/assets/webhooks.ts

@@ -0,0 +1,139 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import {
+  AdmissionregistrationV1WebhookClientConfig as AdmissionRegnV1WebhookClientCfg,
+  V1LabelSelectorRequirement,
+  V1RuleWithOperations,
+} from "@kubernetes/client-node";
+import { concat, equals, uniqWith } from "ramda";
+
+import { Assets } from ".";
+import { MutatingWebhookConfiguration, ValidatingWebhookConfiguration } from "../k8s/upstream";
+import { Event } from "../types";
+
+const peprIgnoreLabel: V1LabelSelectorRequirement = {
+  key: "pepr.dev",
+  operator: "NotIn",
+  values: ["ignore"],
+};
+
+const peprIgnoreNamespaces: string[] = ["kube-system", "pepr-system"];
+
+export async function generateWebhookRules(assets: Assets, isMutateWebhook: boolean) {
+  const { config, capabilities } = assets;
+  const rules: V1RuleWithOperations[] = [];
+
+  // Iterate through the capabilities and generate the rules
+  for (const capability of capabilities) {
+    console.info(`Module ${config.uuid} has capability: ${capability.name}`);
+
+    // Read the bindings and generate the rules
+    for (const binding of capability.bindings) {
+      const { event, kind, isMutate, isValidate } = binding;
+
+      // If the module doesn't have a callback for the event, skip it
+      if (isMutateWebhook && !isMutate) {
+        continue;
+      }
+
+      if (!isMutateWebhook && !isValidate) {
+        continue;
+      }
+
+      const operations: string[] = [];
+
+      // CreateOrUpdate is a Pepr-specific event that is translated to Create and Update
+      if (event === Event.CreateOrUpdate) {
+        operations.push(Event.Create, Event.Update);
+      } else {
+        operations.push(event);
+      }
+
+      // Use the plural property if it exists, otherwise use lowercase kind + s
+      const resource = kind.plural || `${kind.kind.toLowerCase()}s`;
+
+      rules.push({
+        apiGroups: [kind.group],
+        apiVersions: [kind.version || "*"],
+        operations,
+        resources: [resource],
+      });
+    }
+  }
+
+  // Return the rules with duplicates removed
+  return uniqWith(equals, rules);
+}
+
+export async function webhookConfig(
+  assets: Assets,
+  mutateOrValidate: "mutate" | "validate",
+  timeoutSeconds = 10,
+): Promise<MutatingWebhookConfiguration | ValidatingWebhookConfiguration | null> {
+  const ignore = [peprIgnoreLabel];
+
+  const { name, tls, config, apiToken, host } = assets;
+  const ignoreNS = concat(peprIgnoreNamespaces, config.alwaysIgnore.namespaces || []);
+
+  // Add any namespaces to ignore
+  if (ignoreNS) {
+    ignore.push({
+      key: "kubernetes.io/metadata.name",
+      operator: "NotIn",
+      values: ignoreNS,
+    });
+  }
+
+  const clientConfig: AdmissionRegnV1WebhookClientCfg = {
+    caBundle: tls.ca,
+  };
+
+  // The URL must include the API Token
+  const apiPath = `/${mutateOrValidate}/${apiToken}`;
+
+  // If a host is specified, use that with a port of 3000
+  if (host) {
+    clientConfig.url = `https://${host}:3000${apiPath}`;
+  } else {
+    // Otherwise, use the service
+    clientConfig.service = {
+      name: name,
+      namespace: "pepr-system",
+      path: apiPath,
+    };
+  }
+
+  const isMutate = mutateOrValidate === "mutate";
+  const rules = await generateWebhookRules(assets, isMutate);
+
+  // If there are no rules, return null
+  if (rules.length < 1) {
+    return null;
+  }
+
+  return {
+    apiVersion: "admissionregistration.k8s.io/v1",
+    kind: isMutate ? "MutatingWebhookConfiguration" : "ValidatingWebhookConfiguration",
+    metadata: { name },
+    webhooks: [
+      {
+        name: `${name}.pepr.dev`,
+        admissionReviewVersions: ["v1", "v1beta1"],
+        clientConfig,
+        failurePolicy: "Ignore",
+        matchPolicy: "Equivalent",
+        timeoutSeconds,
+        namespaceSelector: {
+          matchExpressions: ignore,
+        },
+        objectSelector: {
+          matchExpressions: ignore,
+        },
+        rules,
+        // @todo: track side effects state
+        sideEffects: "None",
+      },
+    ],
+  };
+}

package/src/lib/assets/yaml.ts

@@ -0,0 +1,75 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { dumpYaml } from "@kubernetes/client-node";
+import crypto from "crypto";
+import { promises as fs } from "fs";
+
+import { Assets } from ".";
+import { apiTokenSecret, service, tlsSecret } from "./networking";
+import { deployment, moduleSecret, namespace } from "./pods";
+import { clusterRole, clusterRoleBinding, serviceAccount } from "./rbac";
+import { webhookConfig } from "./webhooks";
+
+export function zarfYaml({ name, image, config }: Assets, path: string) {
+  const zarfCfg = {
+    kind: "ZarfPackageConfig",
+    metadata: {
+      name,
+      description: `Pepr Module: ${config.description}`,
+      url: "https://github.com/defenseunicorns/pepr",
+      version: `${config.appVersion || "0.0.1"}`,
+    },
+    components: [
+      {
+        name: "module",
+        required: true,
+        manifests: [
+          {
+            name: "module",
+            namespace: "pepr-system",
+            files: [path],
+          },
+        ],
+        images: [image],
+      },
+    ],
+  };
+
+  return dumpYaml(zarfCfg, { noRefs: true });
+}
+
+export async function allYaml(assets: Assets) {
+  const { name, tls, apiToken, path } = assets;
+
+  const code = await fs.readFile(path);
+
+  // Generate a hash of the code
+  const hash = crypto.createHash("sha256").update(code).digest("hex");
+
+  const mutateWebhook = await webhookConfig(assets, "mutate");
+  const validateWebhook = await webhookConfig(assets, "validate");
+
+  const resources = [
+    namespace,
+    clusterRole(name),
+    clusterRoleBinding(name),
+    serviceAccount(name),
+    apiTokenSecret(name, apiToken),
+    tlsSecret(name, tls),
+    deployment(assets, hash),
+    service(name),
+    moduleSecret(name, code, hash),
+  ];
+
+  if (mutateWebhook) {
+    resources.push(mutateWebhook);
+  }
+
+  if (validateWebhook) {
+    resources.push(validateWebhook);
+  }
+
+  // Convert the resources to a single YAML string
+  return resources.map(r => dumpYaml(r, { noRefs: true })).join("---\n");
+}