pepr 0.13.3 → 0.14.0

package/src/lib/assets/deploy.ts

@@ -1,179 +1,121 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-import {
-  AdmissionregistrationV1Api as AdmissionRegV1API,
-  AppsV1Api,
-  CoreV1Api,
-  HttpError,
-  KubeConfig,
-  RbacAuthorizationV1Api,
-} from "@kubernetes/client-node";
 import crypto from "crypto";
 import { promises as fs } from "fs";
+import { K8s, kind } from "kubernetes-fluent-client";
 
 import { Assets } from ".";
 import Log from "../logger";
-import { apiTokenSecret, service, tlsSecret } from "./networking";
-import { deployment, moduleSecret, namespace } from "./pods";
-import { clusterRole, clusterRoleBinding, serviceAccount } from "./rbac";
+import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking";
+import { deployment, moduleSecret, namespace, watcher } from "./pods";
+import { clusterRole, clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";
+import { peprStoreCRD } from "./store";
 import { webhookConfig } from "./webhooks";
 
 export async function deploy(assets: Assets, webhookTimeout?: number) {
   Log.info("Establishing connection to Kubernetes");
 
-  const peprNS = "pepr-system";
   const { name, host, path } = assets;
 
-  // Deploy the resources using the k8s API
-  const kubeConfig = new KubeConfig();
-  kubeConfig.loadFromDefault();
-
-  const coreV1Api = kubeConfig.makeApiClient(CoreV1Api);
-  const admissionApi = kubeConfig.makeApiClient(AdmissionRegV1API);
-
-  try {
-    Log.info("Checking for namespace");
-    await coreV1Api.readNamespace(peprNS);
-  } catch (e) {
-    Log.debug(e instanceof HttpError ? e.body : e);
-    Log.info("Creating namespace");
-    await coreV1Api.createNamespace(namespace);
-  }
+  Log.info("Applying pepr-system namespace");
+  await K8s(kind.Namespace).Apply(namespace);
 
   // Create the mutating webhook configuration if it is needed
   const mutateWebhook = await webhookConfig(assets, "mutate", webhookTimeout);
   if (mutateWebhook) {
-    try {
-      Log.info("Creating mutating webhook");
-      await admissionApi.createMutatingWebhookConfiguration(mutateWebhook);
-    } catch (e) {
-      Log.debug(e instanceof HttpError ? e.body : e);
-      Log.info("Removing and re-creating mutating webhook");
-      await admissionApi.deleteMutatingWebhookConfiguration(mutateWebhook.metadata?.name ?? "");
-      await admissionApi.createMutatingWebhookConfiguration(mutateWebhook);
-    }
+    Log.info("Applying mutating webhook");
+    await K8s(kind.MutatingWebhookConfiguration).Apply(mutateWebhook);
+  } else {
+    Log.info("Mutating webhook not needed, removing if it exists");
+    await K8s(kind.MutatingWebhookConfiguration).Delete(name);
   }
 
   // Create the validating webhook configuration if it is needed
   const validateWebhook = await webhookConfig(assets, "validate", webhookTimeout);
   if (validateWebhook) {
-    try {
-      Log.info("Creating validating webhook");
-      await admissionApi.createValidatingWebhookConfiguration(validateWebhook);
-    } catch (e) {
-      Log.debug(e instanceof HttpError ? e.body : e);
-      Log.info("Removing and re-creating validating webhook");
-      await admissionApi.deleteValidatingWebhookConfiguration(validateWebhook.metadata?.name ?? "");
-      await admissionApi.createValidatingWebhookConfiguration(validateWebhook);
-    }
+    Log.info("Applying validating webhook");
+    await K8s(kind.ValidatingWebhookConfiguration).Apply(validateWebhook);
+  } else {
+    Log.info("Validating webhook not needed, removing if it exists");
+    await K8s(kind.ValidatingWebhookConfiguration).Delete(name);
   }
 
+  Log.info("Applying the Pepr Store CRD if it doesn't exist");
+  await K8s(kind.CustomResourceDefinition).Apply(peprStoreCRD);
+
   // If a host is specified, we don't need to deploy the rest of the resources
   if (host) {
     return;
   }
 
-  if (!path) {
-    throw new Error("No code provided");
-  }
-
   const code = await fs.readFile(path);
-
   const hash = crypto.createHash("sha256").update(code).digest("hex");
 
-  const appsApi = kubeConfig.makeApiClient(AppsV1Api);
-  const rbacApi = kubeConfig.makeApiClient(RbacAuthorizationV1Api);
+  if (code.length < 1) {
+    throw new Error("No code provided");
+  }
+
+  await setupRBAC(name);
+  await setupController(assets, code, hash);
+  await setupWatcher(assets, hash);
+}
 
+async function setupRBAC(name: string) {
+  Log.info("Applying cluster role binding");
   const crb = clusterRoleBinding(name);
-  try {
-    Log.info("Creating cluster role binding");
-    await rbacApi.createClusterRoleBinding(crb);
-  } catch (e) {
-    Log.debug(e instanceof HttpError ? e.body : e);
-    Log.info("Removing and re-creating cluster role binding");
-    await rbacApi.deleteClusterRoleBinding(crb.metadata?.name ?? "");
-    await rbacApi.createClusterRoleBinding(crb);
-  }
+  await K8s(kind.ClusterRoleBinding).Apply(crb);
 
+  Log.info("Applying cluster role");
   const cr = clusterRole(name);
-  try {
-    Log.info("Creating cluster role");
-    await rbacApi.createClusterRole(cr);
-  } catch (e) {
-    Log.debug(e instanceof HttpError ? e.body : e);
-    Log.info("Removing and re-creating  the cluster role");
-    try {
-      await rbacApi.deleteClusterRole(cr.metadata?.name ?? "");
-      await rbacApi.createClusterRole(cr);
-    } catch (e) {
-      Log.debug(e instanceof HttpError ? e.body : e);
-    }
-  }
+  await K8s(kind.ClusterRole).Apply(cr);
 
+  Log.info("Applying service account");
   const sa = serviceAccount(name);
-  try {
-    Log.info("Creating service account");
-    await coreV1Api.createNamespacedServiceAccount(peprNS, sa);
-  } catch (e) {
-    Log.debug(e instanceof HttpError ? e.body : e);
-    Log.info("Removing and re-creating service account");
-    await coreV1Api.deleteNamespacedServiceAccount(sa.metadata?.name ?? "", peprNS);
-    await coreV1Api.createNamespacedServiceAccount(peprNS, sa);
-  }
+  await K8s(kind.ServiceAccount).Apply(sa);
 
+  Log.info("Applying store role");
+  const role = storeRole(name);
+  await K8s(kind.Role).Apply(role);
+
+  Log.info("Applying store role binding");
+  const roleBinding = storeRoleBinding(name);
+  await K8s(kind.RoleBinding).Apply(roleBinding);
+}
+
+async function setupController(assets: Assets, code: Buffer, hash: string) {
+  const { name } = assets;
+
+  Log.info("Applying module secret");
   const mod = moduleSecret(name, code, hash);
-  try {
-    Log.info("Creating module secret");
-    await coreV1Api.createNamespacedSecret(peprNS, mod);
-  } catch (e) {
-    Log.debug(e instanceof HttpError ? e.body : e);
-    Log.info("Removing and re-creating module secret");
-    await coreV1Api.deleteNamespacedSecret(mod.metadata?.name ?? "", peprNS);
-    await coreV1Api.createNamespacedSecret(peprNS, mod);
-  }
+  await K8s(kind.Secret).Apply(mod);
 
+  Log.info("Applying controller service");
   const svc = service(name);
-  try {
-    Log.info("Creating service");
-    await coreV1Api.createNamespacedService(peprNS, svc);
-  } catch (e) {
-    Log.debug(e instanceof HttpError ? e.body : e);
-    Log.info("Removing and re-creating service");
-    await coreV1Api.deleteNamespacedService(svc.metadata?.name ?? "", peprNS);
-    await coreV1Api.createNamespacedService(peprNS, svc);
-  }
+  await K8s(kind.Service).Apply(svc);
 
+  Log.info("Applying TLS secret");
   const tls = tlsSecret(name, assets.tls);
-  try {
-    Log.info("Creating TLS secret");
-    await coreV1Api.createNamespacedSecret(peprNS, tls);
-  } catch (e) {
-    Log.debug(e instanceof HttpError ? e.body : e);
-    Log.info("Removing and re-creating TLS secret");
-    await coreV1Api.deleteNamespacedSecret(tls.metadata?.name ?? "", peprNS);
-    await coreV1Api.createNamespacedSecret(peprNS, tls);
-  }
+  await K8s(kind.Secret).Apply(tls);
 
+  Log.info("Applying API token secret");
   const apiToken = apiTokenSecret(name, assets.apiToken);
-  try {
-    Log.info("Creating API token secret");
-    await coreV1Api.createNamespacedSecret(peprNS, apiToken);
-  } catch (e) {
-    Log.debug(e instanceof HttpError ? e.body : e);
-    Log.info("Removing and re-creating API token secret");
-    await coreV1Api.deleteNamespacedSecret(apiToken.metadata?.name ?? "", peprNS);
-    await coreV1Api.createNamespacedSecret(peprNS, apiToken);
-  }
+  await K8s(kind.Secret).Apply(apiToken);
 
+  Log.info("Applying deployment");
   const dep = deployment(assets, hash);
-  try {
-    Log.info("Creating deployment");
-    await appsApi.createNamespacedDeployment(peprNS, dep);
-  } catch (e) {
-    Log.debug(e instanceof HttpError ? e.body : e);
-    Log.info("Removing and re-creating deployment");
-    await appsApi.deleteNamespacedDeployment(dep.metadata?.name ?? "", peprNS);
-    await appsApi.createNamespacedDeployment(peprNS, dep);
+  await K8s(kind.Deployment).Apply(dep);
+}
+
+async function setupWatcher(assets: Assets, hash: string) {
+  // If the module has a watcher, deploy it
+  const watchDeployment = watcher(assets, hash);
+  if (watchDeployment) {
+    Log.info("Applying watcher deployment");
+    await K8s(kind.Deployment).Apply(watchDeployment);
+
+    Log.info("Applying watcher service");
+    const watchSvc = watcherService(assets.name);
+    await K8s(kind.Service).Apply(watchSvc);
   }
 }

package/src/lib/assets/destroy.ts

@@ -0,0 +1,33 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { K8s, kind } from "kubernetes-fluent-client";
+
+import Log from "../logger";
+import { peprStoreCRD } from "./store";
+
+export async function destroyModule(name: string) {
+  const namespace = "pepr-system";
+
+  Log.info("Destroying Pepr module");
+
+  await Promise.all([
+    K8s(kind.MutatingWebhookConfiguration).Delete(name),
+    K8s(kind.ValidatingWebhookConfiguration).Delete(name),
+
+    K8s(kind.CustomResourceDefinition).Delete(peprStoreCRD),
+    K8s(kind.ClusterRoleBinding).Delete(name),
+    K8s(kind.ClusterRole).Delete(name),
+    K8s(kind.ServiceAccount, { namespace }).Delete(name),
+    K8s(kind.Role, { namespace }).Delete(name),
+    K8s(kind.RoleBinding, { namespace }).Delete(`${name}-store`),
+
+    K8s(kind.Secret, { namespace }).Delete(`${name}-module`),
+    K8s(kind.Service, { namespace }).Delete(name),
+    K8s(kind.Secret, { namespace }).Delete(`${name}-tls`),
+    K8s(kind.Secret, { namespace }).Delete(`${name}-api-token`),
+    K8s(kind.Deployment, { namespace }).Delete(name),
+    K8s(kind.Deployment, { namespace }).Delete(`${name}-watcher`),
+    K8s(kind.Service, { namespace }).Delete(`${name}-watcher`),
+  ]);
+}

package/src/lib/assets/index.ts

@@ -3,8 +3,9 @@
 
 import crypto from "crypto";
 
-import { TLSOut, genTLS } from "../k8s/tls";
-import { CapabilityExport, ModuleConfig } from "../types";
+import { ModuleConfig } from "../module";
+import { TLSOut, genTLS } from "../tls";
+import { CapabilityExport } from "../types";
 import { deploy } from "./deploy";
 import { loadCapabilities } from "./loader";
 import { allYaml, zarfYaml } from "./yaml";
@@ -21,11 +22,6 @@ export class Assets {
     readonly path: string,
     readonly host?: string,
   ) {
-    // Bind public methods
-    this.deploy = this.deploy.bind(this);
-    this.zarfYaml = this.zarfYaml.bind(this);
-    this.allYaml = this.allYaml.bind(this);
-
     this.name = `pepr-${config.uuid}`;
 
     this.image = `ghcr.io/defenseunicorns/pepr/controller:v${config.peprVersion}`;
@@ -37,17 +33,15 @@ export class Assets {
     this.apiToken = crypto.randomBytes(32).toString("hex");
   }
 
-  async deploy(webhookTimeout?: number) {
+  deploy = async (webhookTimeout?: number) => {
     this.capabilities = await loadCapabilities(this.path);
     await deploy(this, webhookTimeout);
-  }
+  };
 
-  zarfYaml(path: string) {
-    return zarfYaml(this, path);
-  }
+  zarfYaml = (path: string) => zarfYaml(this, path);
 
-  async allYaml() {
+  allYaml = async () => {
     this.capabilities = await loadCapabilities(this.path);
     return allYaml(this);
-  }
+  };
 }

package/src/lib/assets/networking.ts

@@ -1,10 +1,11 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-import { TLSOut } from "../k8s/tls";
-import { Secret, Service } from "../k8s/upstream";
+import { kind } from "kubernetes-fluent-client";
 
-export function apiTokenSecret(name: string, apiToken: string): Secret {
+import { TLSOut } from "../tls";
+
+export function apiTokenSecret(name: string, apiToken: string): kind.Secret {
   return {
     apiVersion: "v1",
     kind: "Secret",
@@ -19,7 +20,7 @@ export function apiTokenSecret(name: string, apiToken: string): Secret {
   };
 }
 
-export function tlsSecret(name: string, tls: TLSOut): Secret {
+export function tlsSecret(name: string, tls: TLSOut): kind.Secret {
   return {
     apiVersion: "v1",
     kind: "Secret",
@@ -35,7 +36,7 @@ export function tlsSecret(name: string, tls: TLSOut): Secret {
   };
 }
 
-export function service(name: string): Service {
+export function service(name: string): kind.Service {
   return {
     apiVersion: "v1",
     kind: "Service",
@@ -56,3 +57,25 @@ export function service(name: string): Service {
     },
   };
 }
+
+export function watcherService(name: string): kind.Service {
+  return {
+    apiVersion: "v1",
+    kind: "Service",
+    metadata: {
+      name: `${name}-watcher`,
+      namespace: "pepr-system",
+    },
+    spec: {
+      selector: {
+        app: `${name}-watcher`,
+      },
+      ports: [
+        {
+          port: 443,
+          targetPort: 3000,
+        },
+      ],
+    },
+  };
+}

package/src/lib/assets/pods.ts

@@ -1,20 +1,141 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
+import { kind } from "kubernetes-fluent-client";
 import { gzipSync } from "zlib";
 
 import { Assets } from ".";
-import { Deployment, Namespace, Secret } from "../k8s/upstream";
+import { Binding } from "../types";
 
 /** Generate the pepr-system namespace */
-export const namespace: Namespace = {
+export const namespace: kind.Namespace = {
   apiVersion: "v1",
   kind: "Namespace",
   metadata: { name: "pepr-system" },
 };
 
-export function deployment(assets: Assets, hash: string): Deployment {
-  const { name, image } = assets;
+export function watcher(assets: Assets, hash: string) {
+  const { name, image, capabilities, config } = assets;
+
+  // Append the watcher suffix
+  const app = `${name}-watcher`;
+  const bindings: Binding[] = [];
+
+  // Loop through the capabilities and find any Watch Actions
+  for (const capability of capabilities) {
+    const watchers = capability.bindings.filter(binding => binding.isWatch);
+    bindings.push(...watchers);
+  }
+
+  // If there are no watchers, don't deploy the watcher
+  if (bindings.length < 1) {
+    return null;
+  }
+
+  return {
+    apiVersion: "apps/v1",
+    kind: "Deployment",
+    metadata: {
+      name: app,
+      namespace: "pepr-system",
+      labels: {
+        app,
+      },
+    },
+    spec: {
+      replicas: 1,
+      strategy: {
+        type: "Recreate",
+      },
+      selector: {
+        matchLabels: {
+          app,
+        },
+      },
+      template: {
+        metadata: {
+          labels: {
+            app,
+          },
+        },
+        spec: {
+          serviceAccountName: name,
+          containers: [
+            {
+              name: "watcher",
+              image,
+              imagePullPolicy: "IfNotPresent",
+              command: ["node", "/app/node_modules/pepr/dist/controller.js", hash],
+              readinessProbe: {
+                httpGet: {
+                  path: "/healthz",
+                  port: 3000,
+                  scheme: "HTTPS",
+                },
+              },
+              livenessProbe: {
+                httpGet: {
+                  path: "/healthz",
+                  port: 3000,
+                  scheme: "HTTPS",
+                },
+              },
+              ports: [
+                {
+                  containerPort: 3000,
+                },
+              ],
+              resources: {
+                requests: {
+                  memory: "64Mi",
+                  cpu: "100m",
+                },
+                limits: {
+                  memory: "256Mi",
+                  cpu: "500m",
+                },
+              },
+              volumeMounts: [
+                {
+                  name: "tls-certs",
+                  mountPath: "/etc/certs",
+                  readOnly: true,
+                },
+                {
+                  name: "module",
+                  mountPath: `/app/load`,
+                  readOnly: true,
+                },
+              ],
+              env: [
+                { name: "PEPR_WATCH_MODE", value: "true" },
+                { name: "PEPR_PRETTY_LOG", value: "false" },
+                { name: "LOG_LEVEL", value: config.logLevel || "debug" },
+              ],
+            },
+          ],
+          volumes: [
+            {
+              name: "tls-certs",
+              secret: {
+                secretName: `${name}-tls`,
+              },
+            },
+            {
+              name: "module",
+              secret: {
+                secretName: `${name}-module`,
+              },
+            },
+          ],
+        },
+      },
+    },
+  };
+}
+
+export function deployment(assets: Assets, hash: string): kind.Deployment {
+  const { name, image, config } = assets;
   const app = name;
 
   return {
@@ -68,12 +189,6 @@ export function deployment(assets: Assets, hash: string): Deployment {
                   containerPort: 3000,
                 },
               ],
-              env: [
-                {
-                  name: "PEPR_PRETTY_LOG",
-                  value: "false",
-                },
-              ],
               resources: {
                 requests: {
                   memory: "64Mi",
@@ -84,6 +199,10 @@ export function deployment(assets: Assets, hash: string): Deployment {
                   cpu: "500m",
                 },
               },
+              env: [
+                { name: "PEPR_PRETTY_LOG", value: "false" },
+                { name: "LOG_LEVEL", value: config.logLevel || "debug" },
+              ],
               volumeMounts: [
                 {
                   name: "tls-certs",
@@ -129,7 +248,7 @@ export function deployment(assets: Assets, hash: string): Deployment {
   };
 }
 
-export function moduleSecret(name: string, data: Buffer, hash: string): Secret {
+export function moduleSecret(name: string, data: Buffer, hash: string): kind.Secret {
   // Compress the data
   const compressed = gzipSync(data);
   const path = `module-${hash}.js.gz`;

package/src/lib/assets/rbac.ts

@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-import { ClusterRole, ClusterRoleBinding, ServiceAccount } from "../k8s/upstream";
+import { kind } from "kubernetes-fluent-client";
 
 /**
  * Grants the controller access to cluster resources beyond the mutating webhook.
@@ -9,7 +9,7 @@ import { ClusterRole, ClusterRoleBinding, ServiceAccount } from "../k8s/upstream
  * @todo: should dynamically generate this based on resources used by the module. will also need to explore how this should work for multiple modules.
  * @returns
  */
-export function clusterRole(name: string): ClusterRole {
+export function clusterRole(name: string): kind.ClusterRole {
   return {
     apiVersion: "rbac.authorization.k8s.io/v1",
     kind: "ClusterRole",
@@ -25,7 +25,7 @@ export function clusterRole(name: string): ClusterRole {
   };
 }
 
-export function clusterRoleBinding(name: string): ClusterRoleBinding {
+export function clusterRoleBinding(name: string): kind.ClusterRoleBinding {
   return {
     apiVersion: "rbac.authorization.k8s.io/v1",
     kind: "ClusterRoleBinding",
@@ -45,7 +45,7 @@ export function clusterRoleBinding(name: string): ClusterRoleBinding {
   };
 }
 
-export function serviceAccount(name: string): ServiceAccount {
+export function serviceAccount(name: string): kind.ServiceAccount {
   return {
     apiVersion: "v1",
     kind: "ServiceAccount",
@@ -55,3 +55,41 @@ export function serviceAccount(name: string): ServiceAccount {
     },
   };
 }
+
+export function storeRole(name: string): kind.Role {
+  name = `${name}-store`;
+  return {
+    apiVersion: "rbac.authorization.k8s.io/v1",
+    kind: "Role",
+    metadata: { name, namespace: "pepr-system" },
+    rules: [
+      {
+        apiGroups: ["pepr.dev/*"],
+        resources: ["peprstores"],
+        resourceNames: [""],
+        verbs: ["create", "get", "patch", "watch"],
+      },
+    ],
+  };
+}
+
+export function storeRoleBinding(name: string): kind.RoleBinding {
+  name = `${name}-store`;
+  return {
+    apiVersion: "rbac.authorization.k8s.io/v1",
+    kind: "RoleBinding",
+    metadata: { name, namespace: "pepr-system" },
+    roleRef: {
+      apiGroup: "rbac.authorization.k8s.io",
+      kind: "Role",
+      name,
+    },
+    subjects: [
+      {
+        kind: "ServiceAccount",
+        name,
+        namespace: "pepr-system",
+      },
+    ],
+  };
+}

package/src/lib/assets/store.ts

@@ -0,0 +1,49 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { kind as k } from "kubernetes-fluent-client";
+
+import { peprStoreGVK } from "../k8s";
+
+export const { group, version, kind } = peprStoreGVK;
+export const singular = kind.toLocaleLowerCase();
+export const plural = `${singular}s`;
+export const name = `${plural}.${group}`;
+
+export const peprStoreCRD: k.CustomResourceDefinition = {
+  apiVersion: "apiextensions.k8s.io/v1",
+  kind: "CustomResourceDefinition",
+  metadata: {
+    name,
+  },
+  spec: {
+    group,
+    versions: [
+      {
+        // typescript doesn't know this is really already set, which is kind of annoying
+        name: version || "v1",
+        served: true,
+        storage: true,
+        schema: {
+          openAPIV3Schema: {
+            type: "object",
+            properties: {
+              data: {
+                type: "object",
+                additionalProperties: {
+                  type: "string",
+                },
+              },
+            },
+          },
+        },
+      },
+    ],
+    scope: "Namespaced",
+    names: {
+      plural,
+      singular,
+      kind,
+    },
+  },
+};