pepr 0.13.0 → 0.13.1

package/journey/pepr-build.ts

@@ -0,0 +1,69 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { expect, it } from "@jest/globals";
+import { loadYaml } from "@kubernetes/client-node";
+import { execSync } from "child_process";
+import { promises as fs } from "fs";
+import { resolve } from "path";
+
+import { cwd } from "./entrypoint.test";
+
+export function peprBuild() {
+  it("should successfully build the Pepr project", async () => {
+    execSync("npx pepr build", { cwd: cwd, stdio: "inherit" });
+  });
+
+  it("should generate produce the K8s yaml file", async () => {
+    await fs.access(resolve(cwd, "dist", "pepr-module-static-test.yaml"));
+  });
+
+  it("should generate the zarf.yaml f", async () => {
+    await fs.access(resolve(cwd, "dist", "zarf.yaml"));
+    await validateZarfYaml();
+  });
+}
+
+async function validateZarfYaml() {
+  // Get the version of the pepr binary
+  const peprVer = execSync("npx pepr --version", { cwd }).toString().trim();
+
+  // Read the generated yaml files
+  const k8sYaml = await fs.readFile(resolve(cwd, "dist", "pepr-module-static-test.yaml"), "utf8");
+  const zarfYAML = await fs.readFile(resolve(cwd, "dist", "zarf.yaml"), "utf8");
+
+  // The expected image name
+  const expectedImage = `ghcr.io/defenseunicorns/pepr/controller:v${peprVer}`;
+
+  // The expected zarf yaml contents
+  const expectedZarfYaml = {
+    kind: "ZarfPackageConfig",
+    metadata: {
+      name: "pepr-static-test",
+      description: "Pepr Module: A test module for Pepr",
+      url: "https://github.com/defenseunicorns/pepr",
+      version: "0.0.1",
+    },
+    components: [
+      {
+        name: "module",
+        required: true,
+        manifests: [
+          {
+            name: "module",
+            namespace: "pepr-system",
+            files: ["pepr-module-static-test.yaml"],
+          },
+        ],
+        images: [expectedImage],
+      },
+    ],
+  };
+
+  // Check the generated zarf yaml
+  const actualZarfYaml = loadYaml(zarfYAML);
+  expect(actualZarfYaml).toEqual(expectedZarfYaml);
+
+  // Check the generated k8s yaml
+  expect(k8sYaml).toMatch(`image: ${expectedImage}`);
+}

package/journey/pepr-deploy.ts

@@ -0,0 +1,133 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { describe, expect, it } from "@jest/globals";
+import { execSync, spawnSync } from "child_process";
+import { resolve } from "path";
+
+import { cwd } from "./entrypoint.test";
+import { waitForConfigMap, waitForDeploymentReady, waitForNamespace, waitForSecret } from "./k8s";
+
+export function peprDeploy() {
+  it("should deploy the Pepr controller into the test cluster", async () => {
+    execSync("npx pepr deploy -i pepr:dev --confirm", { cwd, stdio: "inherit" });
+
+    // Wait for the deployment to be ready
+    await waitForDeploymentReady("pepr-system", "pepr-static-test");
+  });
+
+  cleanupSamples();
+
+  it("should perform validation of resources applied to the test cluster", testValidate);
+
+  describe("should perform mutation of resources applied to the test cluster", testMutate);
+
+  cleanupSamples();
+}
+
+function cleanupSamples() {
+  try {
+    // Remove the sample yaml for the HelloPepr capability
+    execSync("kubectl delete -f hello-pepr.samples.yaml --ignore-not-found", {
+      cwd: resolve(cwd, "capabilities"),
+      stdio: "inherit",
+    });
+  } catch (e) {
+    // Ignore errors
+  }
+}
+
+async function testValidate() {
+  // Apply the sample yaml for the HelloPepr capability
+  const applyOut = spawnSync("kubectl apply -f hello-pepr.samples.yaml", {
+    shell: true, // Run command in a shell
+    encoding: "utf-8", // Encode result as string
+    cwd: resolve(cwd, "capabilities"),
+  });
+
+  const { stderr, status } = applyOut;
+
+  // Validation should return an error
+  expect(status).toBe(1);
+
+  // Check if the expected lines are in the output
+  const expected = [
+    `Error from server: error when creating "hello-pepr.samples.yaml": `,
+    `admission webhook "pepr-static-test.pepr.dev" denied the request: `,
+    `No evil CM annotations allowed.\n`,
+  ].join("");
+  expect(stderr).toBe(expected);
+}
+
+function testMutate() {
+  it("should mutate the namespace", async () => {
+    // Wait for the namespace to be created
+    const ns = await waitForNamespace("pepr-demo");
+
+    // Check if the namespace has the correct labels and annotations
+    expect(ns.metadata?.labels).toEqual({
+      "keep-me": "please",
+      "kubernetes.io/metadata.name": "pepr-demo",
+    });
+    expect(ns.metadata?.annotations?.["static-test.pepr.dev/hello-pepr"]).toBe("succeeded");
+  });
+
+  it("should mutate example-1", async () => {
+    const cm1 = await waitForConfigMap("pepr-demo", "example-1");
+    expect(cm1.metadata?.annotations?.["static-test.pepr.dev/hello-pepr"]).toBe("succeeded");
+    expect(cm1.metadata?.annotations?.["pepr.dev"]).toBe("annotations-work-too");
+    expect(cm1.metadata?.labels?.["pepr"]).toBe("was-here");
+  });
+
+  it("should mutate example-2", async () => {
+    const cm2 = await waitForConfigMap("pepr-demo", "example-2");
+    expect(cm2.metadata?.annotations?.["static-test.pepr.dev/hello-pepr"]).toBe("succeeded");
+    expect(cm2.metadata?.annotations?.["pepr.dev"]).toBe("annotations-work-too");
+    expect(cm2.metadata?.labels?.["pepr"]).toBe("was-here");
+  });
+
+  it("should mutate example-3", async () => {
+    const cm3 = await waitForConfigMap("pepr-demo", "example-3");
+
+    expect(cm3.metadata?.annotations?.["static-test.pepr.dev/hello-pepr"]).toBe("succeeded");
+    expect(cm3.metadata?.annotations?.["pepr.dev"]).toBe("making-waves");
+    expect(cm3.data).toEqual({ key: "ex-3-val", username: "system:admin" });
+  });
+
+  it("should mutate example-4", async () => {
+    const cm4 = await waitForConfigMap("pepr-demo", "example-4");
+    expect(cm4.metadata?.annotations?.["static-test.pepr.dev/hello-pepr"]).toBe("succeeded");
+    expect(cm4.metadata?.labels?.["pepr.dev/first"]).toBe("true");
+    expect(cm4.metadata?.labels?.["pepr.dev/second"]).toBe("true");
+    expect(cm4.metadata?.labels?.["pepr.dev/third"]).toBe("true");
+  });
+
+  it("should mutate example-4a", async () => {
+    const cm4a = await waitForConfigMap("pepr-demo-2", "example-4a");
+    expect(cm4a.metadata?.annotations?.["static-test.pepr.dev/hello-pepr"]).toBe("succeeded");
+    expect(cm4a.metadata?.labels?.["pepr.dev/first"]).toBe("true");
+    expect(cm4a.metadata?.labels?.["pepr.dev/second"]).toBe("true");
+    expect(cm4a.metadata?.labels?.["pepr.dev/third"]).toBe("true");
+  });
+
+  it("should mutate example-5", async () => {
+    const cm5 = await waitForConfigMap("pepr-demo", "example-5");
+
+    expect(cm5.metadata?.annotations?.["static-test.pepr.dev/hello-pepr"]).toBe("succeeded");
+    expect(cm5.data?.["chuck-says"]).toBeTruthy();
+  });
+
+  it("should mutate secret-1", async () => {
+    const s1 = await waitForSecret("pepr-demo", "secret-1");
+
+    expect(s1.metadata?.annotations?.["static-test.pepr.dev/hello-pepr"]).toBe("succeeded");
+    expect(s1.data?.["example"]).toBe("dW5pY29ybiBtYWdpYyAtIG1vZGlmaWVkIGJ5IFBlcHI=");
+    expect(s1.data?.["magic"]).toBe("Y2hhbmdlLXdpdGhvdXQtZW5jb2Rpbmc=");
+    expect(s1.data?.["binary-data"]).toBe(
+      "iCZQUg8xYucNUqD+8lyl2YcKjYYygvTtiDSEV9b9WKUkxSSLFJTgIWMJ9GcFFYs4T9JCdda51u74jfq8yHzRuEASl60EdTS/NfWgIIFTGqcNRfqMw+vgpyTMmCyJVaJEDFq6AA==",
+    );
+    expect(s1.data?.["ascii-with-white-space"]).toBe(
+      "VGhpcyBpcyBzb21lIHJhbmRvbSB0ZXh0OgoKICAgIC0gd2l0aCBsaW5lIGJyZWFrcwogICAgLSBhbmQgdGFicw==",
+    );
+  });
+}

package/journey/pepr-dev.ts

@@ -0,0 +1,155 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { afterAll, expect, it } from "@jest/globals";
+import { KubeConfig } from "@kubernetes/client-node";
+import { ChildProcessWithoutNullStreams, spawn } from "child_process";
+import { Agent } from "https";
+import { RequestInit } from "node-fetch";
+
+import { fetch } from "../src/lib/fetch";
+import { cwd } from "./entrypoint.test";
+
+const kc = new KubeConfig();
+kc.loadFromDefault();
+
+let expectedLines = [
+  "Establishing connection to Kubernetes",
+  "Capability hello-pepr registered",
+  "Mutate Action configured for CREATE",
+  "Validate Action configured for CREATE",
+  "Server listening on port 3000",
+];
+
+export function peprDev() {
+  let cmd: ChildProcessWithoutNullStreams;
+  let success = false;
+
+  it("should start the Pepr dev server", () => {
+    cmd = spawn("npx", ["pepr", "dev", "--confirm"], { cwd });
+
+    // This command should not exit on its own
+    cmd.on("close", code => {
+      if (!success) {
+        throw new Error(`Command exited with code ${code}`);
+      }
+    });
+
+    // Log stderr
+    cmd.stderr.on("data", data => {
+      if (!success) {
+        console.error(`stderr: ${data}`);
+      }
+    });
+
+    // Reject on error
+    cmd.on("error", error => {
+      if (!success) {
+        throw error;
+      }
+    });
+  });
+
+  it("should be properly configured by the test module", done => {
+    cmd.stdout.on("data", (data: Buffer) => {
+      if (success) {
+        return;
+      }
+
+      // Convert buffer to string
+      const strData = data.toString();
+      console.log(strData);
+
+      // Check if any expected lines are found
+      expectedLines = expectedLines.filter(expectedLine => {
+        // Check if the expected line is found in the output, ignoring whitespace
+        return !strData.replace(/\s+/g, " ").includes(expectedLine);
+      });
+
+      // If all expected lines are found, resolve the promise
+      if (expectedLines.length < 1) {
+        // Abort all further processing
+        success = true;
+
+        // Finish the test
+        done();
+      }
+    });
+  });
+
+  it("should protect the controller endpoint with an API token", async () => {
+    await validateAPIKey();
+  });
+
+  it("should expose Prometheus metrics", async () => {
+    const metrics = await validateMetrics();
+    expect(metrics).toMatch("pepr_Validate");
+    expect(metrics).toMatch("pepr_Mutate");
+    expect(metrics).toMatch("pepr_errors");
+    expect(metrics).toMatch("pepr_alerts");
+  });
+
+  afterAll(() => {
+    // Close or destroy the streams
+    if (cmd.stdin) {
+      cmd.stdin.end();
+    }
+    if (cmd.stdout) {
+      cmd.stdout.destroy();
+    }
+    if (cmd.stderr) {
+      cmd.stderr.destroy();
+    }
+
+    // Remove the event listeners
+    cmd.removeAllListeners("close");
+    cmd.removeAllListeners("error");
+
+    // Kill the process
+    cmd.kill(9);
+  });
+}
+
+async function validateAPIKey() {
+  const base = "https://localhost:3000/mutate/";
+
+  const fetchOpts: RequestInit = {
+    agent: new Agent({
+      // Avoid tls issues for self-signed certs
+      rejectUnauthorized: false,
+    }),
+    method: "POST",
+  };
+
+  // Test api token validation
+  const evilToken = await fetch(`${base}evil-token`, fetchOpts);
+
+  // Test for empty api token
+  const emptyToken = await fetch(base, fetchOpts);
+
+  if (evilToken.status !== 401) {
+    throw new Error("Expected evil token to return 401");
+  }
+
+  if (emptyToken.status !== 404) {
+    throw new Error("Expected empty token to return 404");
+  }
+}
+
+async function validateMetrics() {
+  const metricsEndpoint = "https://localhost:3000/metrics";
+
+  const fetchOpts: RequestInit = {
+    agent: new Agent({
+      // Avoid tls issues for self-signed certs
+      rejectUnauthorized: false,
+    }),
+  };
+  const metricsOk = await fetch<string>(metricsEndpoint, fetchOpts);
+
+  if (metricsOk.status !== 200) {
+    throw new Error("Expected metrics ok to return a 200");
+  }
+
+  return metricsOk.data;
+}

package/journey/pepr-format.ts

@@ -0,0 +1,13 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { it } from "@jest/globals";
+import { execSync } from "child_process";
+
+import { cwd } from "./entrypoint.test";
+
+export function peprFormat() {
+  it("should format the Pepr project", () => {
+    execSync("npx pepr format", { cwd, stdio: "inherit" });
+  });
+}

package/journey/pepr-init.ts

@@ -0,0 +1,12 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { it } from "@jest/globals";
+import { execSync } from "child_process";
+
+export function peprInit() {
+  it("should create a new Pepr project", () => {
+    const peprAlias = "file:pepr-0.0.0-development.tgz";
+    execSync(`TEST_MODE=true npx --yes ${peprAlias} init`, { stdio: "inherit" });
+  });
+}

package/package.json

@@ -9,19 +9,20 @@
   "engines": {
     "node": ">=18.0.0"
   },
-  "version": "0.13.0",
+  "version": "0.13.1",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {
-    "prebuild": "rm -fr dist/* && node hack/build-template-data.js",
+    "gen-data-json": "node hack/build-template-data.js",
+    "prebuild": "rm -fr dist/* && npm run gen-data-json",
     "build": "tsc && node build.mjs",
-    "test": "npm run test:unit && npm run test:e2e",
-    "test:unit": "npm run build && tsc -p tsconfig.tests.json && ava dist/**/*.test.js",
-    "test:e2e": "npm run test:e2e:k3d && npm run test:e2e:build && npm run test:e2e:image && npm run test:e2e:run",
-    "test:e2e:k3d": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0'",
-    "test:e2e:build": "npm run build && npm pack",
-    "test:e2e:image": "docker buildx build --tag pepr:dev . && k3d image import pepr:dev -c pepr-dev",
-    "test:e2e:run": "ava hack/e2e.test.mjs --sequential --timeout=2m",
+    "test": "npm run test:unit && npm run test:journey",
+    "test:unit": "npm run gen-data-json && jest src --coverage",
+    "test:journey": "npm run test:journey:k3d && npm run test:journey:build && npm run test:journey:image && npm run test:journey:run",
+    "test:journey:k3d": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0'",
+    "test:journey:build": "npm run build && npm pack",
+    "test:journey:image": "docker buildx build --tag pepr:dev . && k3d image import pepr:dev -c pepr-dev",
+    "test:journey:run": "jest journey/entrypoint.test.ts",
     "format:check": "eslint src && prettier src --check",
     "format:fix": "eslint src --fix && prettier src --write"
   },
@@ -37,6 +38,7 @@
     "ramda": "0.29.0"
   },
   "devDependencies": {
+    "@jest/globals": "29.6.4",
     "@types/eslint": "8.44.2",
     "@types/express": "4.17.17",
     "@types/node": "18.x.x",
@@ -45,24 +47,21 @@
     "@types/prettier": "3.0.0",
     "@types/prompts": "2.4.4",
     "@types/ramda": "0.29.3",
-    "@types/uuid": "9.0.2",
-    "ava": "5.3.1",
-    "nock": "13.3.2"
+    "@types/uuid": "9.0.3",
+    "jest": "29.6.4",
+    "nock": "13.3.3",
+    "ts-jest": "29.1.1"
   },
   "peerDependencies": {
-    "@typescript-eslint/eslint-plugin": "6.4.0",
-    "@typescript-eslint/parser": "6.4.0",
+    "@typescript-eslint/eslint-plugin": "6.5.0",
+    "@typescript-eslint/parser": "6.5.0",
     "commander": "11.0.0",
     "esbuild": "0.19.2",
-    "eslint": "8.47.0",
+    "eslint": "8.48.0",
     "node-forge": "1.3.1",
-    "prettier": "3.0.1",
+    "prettier": "3.0.3",
     "prompts": "2.4.2",
-    "typescript": "5.1.6",
+    "typescript": "5.2.2",
     "uuid": "9.0.0"
-  },
-  "ava": {
-    "failFast": true,
-    "verbose": true
   }
 }

package/src/lib/assets/index.ts

@@ -4,16 +4,16 @@
 import crypto from "crypto";
 
 import { TLSOut, genTLS } from "../k8s/tls";
-import { ModuleConfig } from "../types";
+import { CapabilityExport, ModuleConfig } from "../types";
 import { deploy } from "./deploy";
-import { ModuleCapabilities, loadCapabilities } from "./loader";
+import { loadCapabilities } from "./loader";
 import { allYaml, zarfYaml } from "./yaml";
 
 export class Assets {
   readonly name: string;
   readonly tls: TLSOut;
   readonly apiToken: string;
-  capabilities!: ModuleCapabilities[];
+  capabilities!: CapabilityExport[];
   image: string;
 
   constructor(
@@ -21,6 +21,11 @@ export class Assets {
     readonly path: string,
     readonly host?: string,
   ) {
+    // Bind public methods
+    this.deploy = this.deploy.bind(this);
+    this.zarfYaml = this.zarfYaml.bind(this);
+    this.allYaml = this.allYaml.bind(this);
+
     this.name = `pepr-${config.uuid}`;
 
     this.image = `ghcr.io/defenseunicorns/pepr/controller:v${config.peprVersion}`;
@@ -32,15 +37,17 @@ export class Assets {
     this.apiToken = crypto.randomBytes(32).toString("hex");
   }
 
-  deploy = async (webhookTimeout?: number) => {
+  async deploy(webhookTimeout?: number) {
     this.capabilities = await loadCapabilities(this.path);
     await deploy(this, webhookTimeout);
-  };
+  }
 
-  zarfYaml = (path: string) => zarfYaml(this, path);
+  zarfYaml(path: string) {
+    return zarfYaml(this, path);
+  }
 
-  allYaml = async () => {
+  async allYaml() {
     this.capabilities = await loadCapabilities(this.path);
     return allYaml(this);
-  };
+  }
 }

package/src/lib/assets/loader.ts

@@ -3,22 +3,14 @@
 
 import { fork } from "child_process";
 
-import { Binding } from "../types";
-
-// We are receiving javascript so the private fields are now public
-export interface ModuleCapabilities {
-  _name: string;
-  _description: string;
-  _namespaces: string[];
-  _bindings: Binding[];
-}
+import { CapabilityExport } from "../types";
 
 /**
  * Read the capabilities from the module by running it in build mode
  * @param path
  * @returns
  */
-export function loadCapabilities(path: string): Promise<ModuleCapabilities[]> {
+export function loadCapabilities(path: string): Promise<CapabilityExport[]> {
   return new Promise((resolve, reject) => {
     // Fork is needed with the PEPR_MODE env var to ensure the module is loaded in build mode and will send back the capabilities
     const program = fork(path, {
@@ -32,11 +24,11 @@ export function loadCapabilities(path: string): Promise<ModuleCapabilities[]> {
     // Wait for the module to send back the capabilities
     program.on("message", message => {
       // Cast the message to the ModuleCapabilities type
-      const capabilities = message.valueOf() as ModuleCapabilities[];
+      const capabilities = message.valueOf() as CapabilityExport[];
 
       // Iterate through the capabilities and generate the rules
       for (const capability of capabilities) {
-        console.info(`Registered Pepr Capability "${capability._name}"`);
+        console.info(`Registered Pepr Capability "${capability.name}"`);
       }
 
       resolve(capabilities);

package/src/lib/assets/webhooks.ts

@@ -26,10 +26,10 @@ export async function generateWebhookRules(assets: Assets, isMutateWebhook: bool
 
   // Iterate through the capabilities and generate the rules
   for (const capability of capabilities) {
-    console.info(`Module ${config.uuid} has capability: ${capability._name}`);
+    console.info(`Module ${config.uuid} has capability: ${capability.name}`);
 
     // Read the bindings and generate the rules
-    for (const binding of capability._bindings) {
+    for (const binding of capability.bindings) {
       const { event, kind, isMutate, isValidate } = binding;
 
       // If the module doesn't have a callback for the event, skip it