pepr 0.13.0 → 0.13.1

package/src/lib/module.ts

@@ -5,8 +5,9 @@ import { clone } from "ramda";
 
 import { Capability } from "./capability";
 import { Controller } from "./controller";
+import { ValidateError } from "./errors";
 import { MutateResponse, Request, ValidateResponse } from "./k8s/types";
-import { ModuleConfig } from "./types";
+import { CapabilityExport, ModuleConfig } from "./types";
 
 export type PackageJSON = {
   description: string;
@@ -24,33 +25,46 @@ export type PeprModuleOptions = {
 };
 
 export class PeprModule {
-  private _controller!: Controller;
+  #controller!: Controller;
 
   /**
    * Create a new Pepr runtime
    *
    * @param config The configuration for the Pepr runtime
    * @param capabilities The capabilities to be loaded into the Pepr runtime
-   * @param _deferStart (optional) If set to `true`, the Pepr runtime will not be started automatically. This can be used to start the Pepr runtime manually with `start()`.
+   * @param opts Options for the Pepr runtime
    */
   constructor({ description, pepr }: PackageJSON, capabilities: Capability[] = [], opts: PeprModuleOptions = {}) {
     const config: ModuleConfig = clone(pepr);
     config.description = description;
 
     // Need to validate at runtime since TS gets sad about parsing the package.json
-    const validOnErrors = ["ignore", "warn", "fail"];
-    if (!validOnErrors.includes(config.onError || "")) {
-      throw new Error(`Invalid onErrors value: ${config.onError}`);
-    }
+    ValidateError(config.onError);
+
+    // Bind public methods
+    this.start = this.start.bind(this);
 
     // Handle build mode
     if (process.env.PEPR_MODE === "build" && process.send) {
+      const exportedCapabilities: CapabilityExport[] = [];
+
       // Send capability map to parent process
-      process.send(capabilities);
+      for (const capability of capabilities) {
+        // Convert the capability to a capability config
+        exportedCapabilities.push({
+          name: capability.name,
+          description: capability.description,
+          namespaces: capability.namespaces,
+          bindings: capability.bindings,
+        });
+      }
+
+      process.send(exportedCapabilities);
+
       return;
     }
 
-    this._controller = new Controller(config, capabilities, opts.beforeHook, opts.afterHook);
+    this.#controller = new Controller(config, capabilities, opts.beforeHook, opts.afterHook);
 
     // Stop processing if deferStart is set to true
     if (opts.deferStart) {
@@ -67,6 +81,6 @@ export class PeprModule {
    * @param port
    */
   start(port = 3000) {
-    this._controller.startServer(port);
+    this.#controller.startServer(port);
   }
 }

package/src/lib/mutate-processor.ts

@@ -4,6 +4,7 @@
 import jsonPatch from "fast-json-patch";
 
 import { Capability } from "./capability";
+import { Errors } from "./errors";
 import { shouldSkipRequest } from "./filter";
 import { MutateResponse, Request } from "./k8s/types";
 import { Secret } from "./k8s/upstream";
@@ -91,13 +92,14 @@ export async function mutateProcessor(
         response.warnings.push(`Action failed: ${e}`);
 
         switch (config.onError) {
-          case "reject":
+          case Errors.reject:
             Log.error(actionMetadata, `Action failed: ${e}`);
             response.result = "Pepr module configured to reject on error";
             return response;
 
-          case "audit":
-            // @todo: implement audit logging
+          case Errors.audit:
+            response.auditAnnotations = response.auditAnnotations || {};
+            response.auditAnnotations[Date.now()] = e;
             break;
         }
       }

package/src/lib/mutate-request.ts

@@ -11,10 +11,12 @@ import { DeepPartial } from "./types";
  * of a mutating webhook request.
  */
 export class PeprMutateRequest<T extends KubernetesObject> {
-  public Raw: T;
+  Raw: T;
+
+  #input: Request<T>;
 
   get PermitSideEffects() {
-    return !this._input.dryRun;
+    return !this.#input.dryRun;
   }
 
   /**
@@ -22,7 +24,7 @@ export class PeprMutateRequest<T extends KubernetesObject> {
    * @returns true if the request is a dry run, false otherwise.
    */
   get IsDryRun() {
-    return this._input.dryRun;
+    return this.#input.dryRun;
   }
 
   /**
@@ -30,7 +32,7 @@ export class PeprMutateRequest<T extends KubernetesObject> {
    * @returns The old Kubernetes resource object or null if not available.
    */
   get OldResource() {
-    return this._input.oldObject;
+    return this.#input.oldObject;
   }
 
   /**
@@ -38,20 +40,31 @@ export class PeprMutateRequest<T extends KubernetesObject> {
    * @returns The request object containing the Kubernetes resource.
    */
   get Request() {
-    return this._input;
+    return this.#input;
   }
 
   /**
    * Creates a new instance of the action class.
    * @param input - The request object containing the Kubernetes resource to modify.
    */
-  constructor(private _input: Request<T>) {
+  constructor(input: Request<T>) {
+    this.#input = input;
+
+    // Bind public methods
+    this.Merge = this.Merge.bind(this);
+    this.SetLabel = this.SetLabel.bind(this);
+    this.SetAnnotation = this.SetAnnotation.bind(this);
+    this.RemoveLabel = this.RemoveLabel.bind(this);
+    this.RemoveAnnotation = this.RemoveAnnotation.bind(this);
+    this.HasLabel = this.HasLabel.bind(this);
+    this.HasAnnotation = this.HasAnnotation.bind(this);
+
     // If this is a DELETE operation, use the oldObject instead
-    if (_input.operation.toUpperCase() === Operation.DELETE) {
-      this.Raw = clone(_input.oldObject as T);
+    if (input.operation.toUpperCase() === Operation.DELETE) {
+      this.Raw = clone(input.oldObject as T);
     } else {
       // Otherwise, use the incoming object
-      this.Raw = clone(_input.object);
+      this.Raw = clone(input.object);
     }
 
     if (!this.Raw) {

package/src/lib/types.ts

@@ -10,16 +10,6 @@ export type PackageJSON = {
   pepr: ModuleConfig;
 };
 
-/**
- * The phase of the Kubernetes admission webhook that the capability is registered for.
- *
- * Currently only `mutate` is supported.
- */
-export enum HookPhase {
-  mutate = "mutate",
-  validate = "validate",
-}
-
 /**
  * Recursively make all properties in T optional.
  */
@@ -54,6 +44,10 @@ export interface CapabilityCfg {
   namespaces?: string[];
 }
 
+export interface CapabilityExport extends CapabilityCfg {
+  bindings: Binding[];
+}
+
 export type ModuleSigning = {
   /**
    * Specifies the signing policy.

package/src/lib/validate-processor.ts

@@ -4,7 +4,9 @@
 import { Capability } from "./capability";
 import { shouldSkipRequest } from "./filter";
 import { Request, ValidateResponse } from "./k8s/types";
+import { Secret } from "./k8s/upstream";
 import Log from "./logger";
+import { convertFromBase64Map } from "./utils";
 import { PeprValidateRequest } from "./validate-request";
 
 export async function validateProcessor(
@@ -18,6 +20,12 @@ export async function validateProcessor(
     allowed: true, // Assume it's allowed until a validation check fails
   };
 
+  // If the resource is a secret, decode the data
+  const isSecret = req.kind.version == "v1" && req.kind.kind == "Secret";
+  if (isSecret) {
+    convertFromBase64Map(wrapped.Raw as unknown as Secret);
+  }
+
   Log.info(reqMetadata, `Processing validation request`);
 
   for (const { name, bindings } of capabilities) {

package/src/lib/validate-request.ts

@@ -1,6 +1,8 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
+/* eslint-disable class-methods-use-this */
+
 import { clone } from "ramda";
 import { KubernetesObject, Operation, Request } from "./k8s/types";
 import { ValidateResponse } from "./types";
@@ -10,14 +12,16 @@ import { ValidateResponse } from "./types";
  * of a mutating webhook request.
  */
 export class PeprValidateRequest<T extends KubernetesObject> {
-  public Raw: T;
+  Raw: T;
+
+  #input: Request<T>;
 
   /**
    * Provides access to the old resource in the request if available.
    * @returns The old Kubernetes resource object or null if not available.
    */
   get OldResource() {
-    return this._input.oldObject;
+    return this.#input.oldObject;
   }
 
   /**
@@ -25,20 +29,28 @@ export class PeprValidateRequest<T extends KubernetesObject> {
    * @returns The request object containing the Kubernetes resource.
    */
   get Request() {
-    return this._input;
+    return this.#input;
   }
 
   /**
    * Creates a new instance of the Action class.
    * @param input - The request object containing the Kubernetes resource to modify.
    */
-  constructor(protected _input: Request<T>) {
+  constructor(input: Request<T>) {
+    this.#input = input;
+
+    // Bind public methods to this instance
+    this.HasLabel = this.HasLabel.bind(this);
+    this.HasAnnotation = this.HasAnnotation.bind(this);
+    this.Approve = this.Approve.bind(this);
+    this.Deny = this.Deny.bind(this);
+
     // If this is a DELETE operation, use the oldObject instead
-    if (_input.operation.toUpperCase() === Operation.DELETE) {
-      this.Raw = clone(_input.oldObject as T);
+    if (input.operation.toUpperCase() === Operation.DELETE) {
+      this.Raw = clone(input.oldObject as T);
     } else {
       // Otherwise, use the incoming object
-      this.Raw = clone(_input.object);
+      this.Raw = clone(input.object);
     }
 
     if (!this.Raw) {