pepr 0.2.10 → 0.3.0-rc0

package/src/lib/capability.ts

@@ -0,0 +1,158 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { GroupVersionKind, modelToGroupVersionKind } from "./k8s";
+import logger from "./logger";
+import {
+  BindToAction,
+  Binding,
+  BindingFilter,
+  BindingWithName,
+  CapabilityAction,
+  CapabilityCfg,
+  DeepPartial,
+  Event,
+  GenericClass,
+  HookPhase,
+  WhenSelector,
+} from "./types";
+
+/**
+ * A capability is a unit of functionality that can be registered with the Pepr runtime.
+ */
+export class Capability implements CapabilityCfg {
+  private _name: string;
+  private _description: string;
+  private _namespaces?: string[] | undefined;
+
+  // Currently everything is considered a mutation
+  private _mutateOrValidate = HookPhase.mutate;
+
+  private _bindings: Binding[] = [];
+
+  get bindings(): Binding[] {
+    return this._bindings;
+  }
+
+  get name() {
+    return this._name;
+  }
+
+  get description() {
+    return this._description;
+  }
+
+  get namespaces() {
+    return this._namespaces || [];
+  }
+
+  get mutateOrValidate() {
+    return this._mutateOrValidate;
+  }
+
+  constructor(cfg: CapabilityCfg) {
+    this._name = cfg.name;
+    this._description = cfg.description;
+    this._namespaces = cfg.namespaces;
+    logger.info(`Capability ${this._name} registered`);
+    logger.debug(cfg);
+  }
+
+  /**
+   * The When method is used to register a capability action to be executed when a Kubernetes resource is
+   * processed by Pepr. The action will be executed if the resource matches the specified kind and any
+   * filters that are applied.
+   *
+   * @param model the KubernetesObject model to match
+   * @param kind if using a custom KubernetesObject not available in `a.*`, specify the GroupVersionKind
+   * @returns
+   */
+  When = <T extends GenericClass>(model: T, kind?: GroupVersionKind): WhenSelector<T> => {
+    const matchedKind = modelToGroupVersionKind(model.name);
+
+    // If the kind is not specified and the model is not a KubernetesObject, throw an error
+    if (!matchedKind && !kind) {
+      throw new Error(`Kind not specified for ${model.name}`);
+    }
+
+    const binding: Binding = {
+      // If the kind is not specified, use the matched kind from the model
+      kind: kind || matchedKind,
+      filters: {
+        name: "",
+        namespaces: [],
+        labels: {},
+        annotations: {},
+      },
+      callback: () => undefined,
+    };
+
+    const prefix = `${this._name}: ${model.name}`;
+
+    logger.info(`Binding created`, prefix);
+
+    const Then = (cb: CapabilityAction<T>): BindToAction<T> => {
+      logger.info(`Binding action created`, prefix);
+      logger.debug(cb.toString(), prefix);
+      // Push the binding to the list of bindings for this capability as a new BindingAction
+      // with the callback function to preserve
+      this._bindings.push({
+        ...binding,
+        callback: cb,
+      });
+
+      // Now only allow adding actions to the same binding
+      return { Then };
+    };
+
+    const ThenSet = (merge: DeepPartial<InstanceType<T>>): BindToAction<T> => {
+      // Add the new action to the binding
+      Then(req => req.Merge(merge));
+
+      return { Then };
+    };
+
+    function InNamespace(...namespaces: string[]): BindingWithName<T> {
+      logger.debug(`Add namespaces filter ${namespaces}`, prefix);
+      binding.filters.namespaces.push(...namespaces);
+      return { WithLabel, WithAnnotation, WithName, Then, ThenSet };
+    }
+
+    function WithName(name: string): BindingFilter<T> {
+      logger.debug(`Add name filter ${name}`, prefix);
+      binding.filters.name = name;
+      return { WithLabel, WithAnnotation, Then, ThenSet };
+    }
+
+    function WithLabel(key: string, value = ""): BindingFilter<T> {
+      logger.debug(`Add label filter ${key}=${value}`, prefix);
+      binding.filters.labels[key] = value;
+      return { WithLabel, WithAnnotation, Then, ThenSet };
+    }
+
+    const WithAnnotation = (key: string, value = ""): BindingFilter<T> => {
+      logger.debug(`Add annotation filter ${key}=${value}`, prefix);
+      binding.filters.annotations[key] = value;
+      return { WithLabel, WithAnnotation, Then, ThenSet };
+    };
+
+    const bindEvent = (event: Event) => {
+      binding.event = event;
+      return {
+        InNamespace,
+        Then,
+        ThenSet,
+        WithAnnotation,
+        WithLabel,
+        WithName,
+      };
+    };
+
+    return {
+      IsCreatedOrUpdated: () => bindEvent(Event.CreateOrUpdate),
+      IsCreated: () => bindEvent(Event.Create),
+      IsUpdated: () => bindEvent(Event.Update),
+      IsDeleted: () => bindEvent(Event.Delete),
+    };
+  };
+}

package/src/lib/controller.ts

@@ -0,0 +1,127 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import express from "express";
+import fs from "fs";
+import https from "https";
+import { Capability } from "./capability";
+import { Request, Response } from "./k8s/types";
+import { processor } from "./processor";
+import { ModuleConfig } from "./types";
+
+// Load SSL certificate and key
+const options = {
+  key: fs.readFileSync(process.env.SSL_KEY_PATH || "/etc/certs/tls.key"),
+  cert: fs.readFileSync(process.env.SSL_CERT_PATH || "/etc/certs/tls.crt"),
+};
+
+export class Controller {
+  private readonly app = express();
+  private running = false;
+
+  constructor(
+    private readonly config: ModuleConfig,
+    private readonly capabilities: Capability[],
+    private readonly beforeHook?: (req: Request) => void,
+    private readonly afterHook?: (res: Response) => void
+  ) {
+    // Middleware for logging requests
+    this.app.use(this.logger);
+
+    // Middleware for parsing JSON
+    this.app.use(express.json());
+
+    // Health check endpoint
+    this.app.get("/healthz", this.healthz);
+
+    // Mutate endpoint
+    this.app.post("/mutate", this.mutate);
+
+    if (beforeHook) {
+      console.info(`Using beforeHook: ${beforeHook}`);
+    }
+
+    if (afterHook) {
+      console.info(`Using afterHook: ${afterHook}`);
+    }
+  }
+
+  /** Start the webhook server */
+  public startServer = (port: number) => {
+    if (this.running) {
+      throw new Error("Cannot start Pepr module: Pepr module was not instantiated with deferStart=true");
+    }
+
+    // Create HTTPS server
+    const server = https.createServer(options, this.app).listen(port, () => {
+      console.log(`Server listening on port ${port}`);
+      // Track that the server is running
+      this.running = true;
+    });
+
+    // Listen for the SIGTERM signal and gracefully close the server
+    process.on("SIGTERM", () => {
+      console.log("Received SIGTERM, closing server");
+      server.close(() => {
+        console.log("Server closed");
+        process.exit(0);
+      });
+    });
+  };
+
+  private logger = (req: express.Request, res: express.Response, next: express.NextFunction) => {
+    const startTime = Date.now();
+
+    res.on("finish", () => {
+      const now = new Date().toISOString();
+      const elapsedTime = Date.now() - startTime;
+      const message = `[${now}] ${req.method} ${req.originalUrl} - ${res.statusCode} - ${elapsedTime} ms\n`;
+
+      res.statusCode >= 400 ? console.error(message) : console.info(message);
+    });
+
+    next();
+  };
+
+  private healthz = (req: express.Request, res: express.Response) => {
+    try {
+      res.send("OK");
+    } catch (err) {
+      console.error(err);
+      res.status(500).send("Internal Server Error");
+    }
+  };
+
+  private mutate = async (req: express.Request, res: express.Response) => {
+    try {
+      // Run the before hook if it exists
+      this.beforeHook && this.beforeHook(req.body?.request || {});
+
+      const name = req.body?.request?.name || "";
+      const namespace = req.body?.request?.namespace || "";
+      const gvk = req.body?.request?.kind || { group: "", version: "", kind: "" };
+
+      console.log(`Mutate request: ${gvk.group}/${gvk.version}/${gvk.kind}`);
+      name && console.log(`                ${namespace}/${name}\n`);
+
+      // Process the request
+      const response = await processor(this.config, this.capabilities, req.body.request);
+
+      // Run the after hook if it exists
+      this.afterHook && this.afterHook(response);
+
+      // Log the response
+      console.debug(response);
+
+      // Send a no prob bob response
+      res.send({
+        apiVersion: "admission.k8s.io/v1",
+        kind: "AdmissionReview",
+        response,
+      });
+    } catch (err) {
+      console.error(err);
+      res.status(500).send("Internal Server Error");
+    }
+  };
+}

package/src/lib/fetch.test.ts

@@ -0,0 +1,115 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+// fetch.test.ts
+
+import test from "ava";
+import { StatusCodes } from "http-status-codes";
+import nock from "nock";
+import { RequestInit } from "node-fetch";
+import { fetch } from "./fetch";
+
+test.beforeEach(() => {
+  nock("https://jsonplaceholder.typicode.com")
+    .get("/todos/1")
+    .reply(200, {
+      userId: 1,
+      id: 1,
+      title: "Example title",
+      completed: false,
+    })
+    .post("/todos", {
+      title: "test todo",
+      userId: 1,
+      completed: false,
+    })
+    .reply(200, (uri, requestBody) => requestBody)
+    .get("/todos/empty-null")
+    .reply(200, undefined)
+    .get("/todos/empty-string")
+    .reply(200, "")
+    .get("/todos/empty-object")
+    .reply(200, {})
+    .get("/todos/invalid")
+    .replyWithError("Something bad happened");
+});
+
+test("fetch: should return without type data", async t => {
+  const url = "https://jsonplaceholder.typicode.com/todos/1";
+  const { data, ok } = await fetch<{ title: string }>(url);
+  t.is(ok, true);
+  t.is(data["title"], "Example title");
+});
+
+test("fetch: should return parsed JSON response as a specific type", async t => {
+  interface Todo {
+    userId: number;
+    id: number;
+    title: string;
+    completed: boolean;
+  }
+
+  const url = "https://jsonplaceholder.typicode.com/todos/1";
+  const { data, ok } = await fetch<Todo>(url);
+  t.is(ok, true);
+  t.is(data.id, 1);
+  t.is(typeof data.title, "string");
+  t.is(typeof data.completed, "boolean");
+});
+
+test("fetch: should handle additional request options", async t => {
+  const url = "https://jsonplaceholder.typicode.com/todos";
+  const requestOptions: RequestInit = {
+    method: "POST",
+    body: JSON.stringify({
+      title: "test todo",
+      userId: 1,
+      completed: false,
+    }),
+    headers: {
+      "Content-type": "application/json; charset=UTF-8",
+    },
+  };
+
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  const { data, ok } = await fetch<any>(url, requestOptions);
+  t.is(ok, true);
+  t.is(data["title"], "test todo");
+  t.is(data["userId"], 1);
+  t.is(data["completed"], false);
+});
+
+test("fetch: should handle empty (null) responses", async t => {
+  const url = "https://jsonplaceholder.typicode.com/todos/empty-null";
+  const resp = await fetch(url);
+
+  t.is(resp.data, "");
+  t.is(resp.ok, true);
+  t.is(resp.status, StatusCodes.OK);
+});
+
+test("fetch: should handle empty (string) responses", async t => {
+  const url = "https://jsonplaceholder.typicode.com/todos/empty-string";
+  const resp = await fetch(url);
+
+  t.is(resp.data, "");
+  t.is(resp.ok, true);
+  t.is(resp.status, StatusCodes.OK);
+});
+
+test("fetch: should handle empty (object) responses", async t => {
+  const url = "https://jsonplaceholder.typicode.com/todos/empty-object";
+  const resp = await fetch(url);
+
+  t.deepEqual(resp.data, {});
+  t.is(resp.ok, true);
+  t.is(resp.status, StatusCodes.OK);
+});
+
+test("fetch: should handle failed requests without throwing an error", async t => {
+  const url = "https://jsonplaceholder.typicode.com/todos/invalid";
+  const resp = await fetch(url);
+
+  t.is(resp.data, undefined);
+  t.is(resp.ok, false);
+  t.is(resp.status, StatusCodes.BAD_REQUEST);
+});

package/src/lib/fetch.ts

@@ -0,0 +1,75 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { StatusCodes } from "http-status-codes";
+import f, { FetchError, RequestInfo, RequestInit } from "node-fetch";
+import logger from "./logger";
+export { f as fetchRaw };
+
+export type FetchResponse<T> = {
+  data: T;
+  ok: boolean;
+  status: number;
+  statusText: string;
+};
+
+/**
+ * Perform an async HTTP call and return the parsed JSON response, optionally
+ * as a specific type.
+ *
+ * @example
+ * ```ts
+ * fetch<string[]>("https://example.com/api/foo");
+ * ```
+ *
+ * @param url The URL or Request object to fetch
+ * @param init Additional options for the request
+ * @returns
+ */
+export async function fetch<T>(url: URL | RequestInfo, init?: RequestInit): Promise<FetchResponse<T>> {
+  let data = undefined as unknown as T;
+  try {
+    logger.debug(`Fetching ${url}`);
+
+    const resp = await f(url, init);
+    const contentType = resp.headers.get("content-type") || "";
+
+    if (resp.ok) {
+      // Parse the response as JSON if the content type is JSON
+      if (contentType.includes("application/json")) {
+        data = await resp.json();
+      } else {
+        // Otherwise, return however the response was read
+        data = (await resp.text()) as unknown as T;
+      }
+    }
+
+    return {
+      data,
+      ok: resp.ok,
+      status: resp.status,
+      statusText: resp.statusText,
+    };
+  } catch (e) {
+    if (e instanceof FetchError) {
+      logger.debug(`Fetch failed: ${e instanceof Error ? e.message : e}`);
+
+      // Parse the error code from the FetchError or default to 400 (Bad Request)
+      const status = parseInt(e.code || "400");
+
+      return {
+        data,
+        ok: false,
+        status,
+        statusText: e.message,
+      };
+    }
+
+    return {
+      data,
+      ok: false,
+      status: StatusCodes.BAD_REQUEST,
+      statusText: "Unknown error",
+    };
+  }
+}

package/src/lib/filter.test.ts

@@ -0,0 +1,231 @@
+import test from "ava";
+import { POD1 } from "../../fixtures/loader";
+import { shouldSkipRequest } from "./filter";
+import { gvkMap } from "./k8s";
+
+const callback = () => undefined;
+
+test("should reject when name does not match", t => {
+  const binding = {
+    kind: gvkMap.V1Pod,
+    filters: {
+      name: "bleh",
+      namespaces: [],
+      labels: {},
+      annotations: {},
+    },
+    callback,
+  };
+  const pod = POD1();
+
+  t.true(shouldSkipRequest(binding, pod));
+});
+
+test("should reject when kind does not match", t => {
+  const binding = {
+    kind: gvkMap.V1ConfigMap,
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {},
+      annotations: {},
+    },
+    callback,
+  };
+  const pod = POD1();
+
+  t.true(shouldSkipRequest(binding, pod));
+});
+
+test("should reject when group does not match", t => {
+  const binding = {
+    kind: gvkMap.V1CronJob,
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {},
+      annotations: {},
+    },
+    callback,
+  };
+  const pod = POD1();
+
+  t.true(shouldSkipRequest(binding, pod));
+});
+
+test("should reject when version does not match", t => {
+  const binding = {
+    kind: {
+      group: "",
+      version: "v2",
+      kind: "Pod",
+    },
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {},
+      annotations: {},
+    },
+    callback,
+  };
+  const pod = POD1();
+
+  t.true(shouldSkipRequest(binding, pod));
+});
+
+test("should allow when group, version, and kind match", t => {
+  const binding = {
+    kind: gvkMap.V1Pod,
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {},
+      annotations: {},
+    },
+    callback,
+  };
+  const pod = POD1();
+
+  t.false(shouldSkipRequest(binding, pod));
+});
+
+test("should allow when kind match and others are empty", t => {
+  const binding = {
+    kind: {
+      group: "",
+      version: "",
+      kind: "Pod",
+    },
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {},
+      annotations: {},
+    },
+    callback,
+  };
+  const pod = POD1();
+
+  t.false(shouldSkipRequest(binding, pod));
+});
+
+test("should reject when namespace does not match", t => {
+  const binding = {
+    kind: gvkMap.V1Pod,
+    filters: {
+      name: "",
+      namespaces: ["bleh"],
+      labels: {},
+      annotations: {},
+    },
+    callback,
+  };
+  const pod = POD1();
+
+  t.true(shouldSkipRequest(binding, pod));
+});
+
+test("should allow when namespace is match", t => {
+  const binding = {
+    kind: gvkMap.V1Pod,
+    filters: {
+      name: "",
+      namespaces: ["default", "unicorn", "things"],
+      labels: {},
+      annotations: {},
+    },
+    callback,
+  };
+  const pod = POD1();
+
+  t.false(shouldSkipRequest(binding, pod));
+});
+
+test("should reject when label does not match", t => {
+  const binding = {
+    kind: gvkMap.V1Pod,
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {
+        foo: "bar",
+      },
+      annotations: {},
+    },
+    callback,
+  };
+  const pod = POD1();
+
+  t.true(shouldSkipRequest(binding, pod));
+});
+
+test("should allow when label is match", t => {
+  const binding = {
+    kind: gvkMap.V1Pod,
+    filters: {
+      name: "",
+
+      namespaces: [],
+      labels: {
+        foo: "bar",
+        test: "test1",
+      },
+      annotations: {},
+    },
+    callback,
+  };
+
+  const pod = POD1();
+  pod.object.metadata = pod.object.metadata || {};
+  pod.object.metadata.labels = {
+    foo: "bar",
+    test: "test1",
+    test2: "test2",
+  };
+
+  t.false(shouldSkipRequest(binding, pod));
+});
+
+test("should reject when annotation does not match", t => {
+  const binding = {
+    kind: gvkMap.V1Pod,
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {},
+      annotations: {
+        foo: "bar",
+      },
+    },
+    callback,
+  };
+  const pod = POD1();
+
+  t.true(shouldSkipRequest(binding, pod));
+});
+
+test("should allow when annotation is match", t => {
+  const binding = {
+    kind: gvkMap.V1Pod,
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {},
+      annotations: {
+        foo: "bar",
+        test: "test1",
+      },
+    },
+    callback,
+  };
+
+  const pod = POD1();
+  pod.object.metadata = pod.object.metadata || {};
+  pod.object.metadata.annotations = {
+    foo: "bar",
+    test: "test1",
+    test2: "test2",
+  };
+
+  t.false(shouldSkipRequest(binding, pod));
+});