pepr 0.24.0 → 0.25.0

package/src/lib/assets/pods.ts

@@ -4,7 +4,7 @@
 import { V1EnvVar } from "@kubernetes/client-node";
 import { kind } from "kubernetes-fluent-client";
 import { gzipSync } from "zlib";
-
+import { secretOverLimit } from "../helpers";
 import { Assets } from ".";
 import { ModuleConfig } from "../module";
 import { Binding } from "../types";
@@ -45,9 +45,13 @@ export function watcher(assets: Assets, hash: string) {
     metadata: {
       name: app,
       namespace: "pepr-system",
+      annotations: {
+        "pepr.dev/description": config.description || "",
+      },
       labels: {
         app,
         "pepr.dev/controller": "watcher",
+        "pepr.dev/uuid": config.uuid,
       },
     },
     spec: {
@@ -168,9 +172,13 @@ export function deployment(assets: Assets, hash: string): kind.Deployment {
     metadata: {
       name,
       namespace: "pepr-system",
+      annotations: {
+        "pepr.dev/description": config.description || "",
+      },
       labels: {
         app,
         "pepr.dev/controller": "admission",
+        "pepr.dev/uuid": config.uuid,
       },
     },
     spec: {
@@ -294,18 +302,25 @@ export function moduleSecret(name: string, data: Buffer, hash: string): kind.Sec
   // Compress the data
   const compressed = gzipSync(data);
   const path = `module-${hash}.js.gz`;
-  return {
-    apiVersion: "v1",
-    kind: "Secret",
-    metadata: {
-      name: `${name}-module`,
-      namespace: "pepr-system",
-    },
-    type: "Opaque",
-    data: {
-      [path]: compressed.toString("base64"),
-    },
-  };
+  const compressedData = compressed.toString("base64");
+  if (secretOverLimit(compressedData)) {
+    const error = new Error(`Module secret for ${name} is over the 1MB limit`);
+    console.error("Uncaught Exception:", error);
+    process.exit(1);
+  } else {
+    return {
+      apiVersion: "v1",
+      kind: "Secret",
+      metadata: {
+        name: `${name}-module`,
+        namespace: "pepr-system",
+      },
+      type: "Opaque",
+      data: {
+        [path]: compressed.toString("base64"),
+      },
+    };
+  }
 }
 
 function genEnv(config: ModuleConfig, watchMode = false): V1EnvVar[] {

package/src/lib/assets/yaml.ts

@@ -48,8 +48,8 @@ export async function allYaml(assets: Assets, rbacMode: string) {
   // Generate a hash of the code
   const hash = crypto.createHash("sha256").update(code).digest("hex");
 
-  const mutateWebhook = await webhookConfig(assets, "mutate");
-  const validateWebhook = await webhookConfig(assets, "validate");
+  const mutateWebhook = await webhookConfig(assets, "mutate", assets.config.webhookTimeout);
+  const validateWebhook = await webhookConfig(assets, "validate", assets.config.webhookTimeout);
   const watchDeployment = watcher(assets, hash);
 
   const resources = [

package/src/lib/capability.ts

@@ -203,7 +203,7 @@ export class Capability implements CapabilityExport {
 
     const bindings = this.#bindings;
     const prefix = `${this.#name}: ${model.name}`;
-    const commonChain = { WithLabel, WithAnnotation, Mutate, Validate, Watch };
+    const commonChain = { WithLabel, WithAnnotation, Mutate, Validate, Watch, Reconcile };
     const isNotEmpty = (value: object) => Object.keys(value).length > 0;
     const log = (message: string, cbString: string) => {
       const filteredObj = pickBy(isNotEmpty, binding.filters);
@@ -226,7 +226,7 @@ export class Capability implements CapabilityExport {
         });
       }
 
-      return { Watch };
+      return { Watch, Reconcile };
     }
 
     function Mutate(mutateCallback: MutateAction<T>): MutateActionChain<T> {
@@ -243,7 +243,7 @@ export class Capability implements CapabilityExport {
       }
 
       // Now only allow adding actions to the same binding
-      return { Watch, Validate };
+      return { Watch, Validate, Reconcile };
     }
 
     function Watch(watchCallback: WatchAction<T>) {
@@ -258,6 +258,19 @@ export class Capability implements CapabilityExport {
       }
     }
 
+    function Reconcile(watchCallback: WatchAction<T>) {
+      if (registerWatch) {
+        log("Reconcile Action", watchCallback.toString());
+
+        bindings.push({
+          ...binding,
+          isWatch: true,
+          isQueue: true,
+          watchCallback,
+        });
+      }
+    }
+
     function InNamespace(...namespaces: string[]): BindingWithName<T> {
       Log.debug(`Add namespaces filter ${namespaces}`, prefix);
       binding.filters.namespaces.push(...namespaces);

package/src/lib/helpers.ts

@@ -5,6 +5,7 @@ import { K8s, kind } from "kubernetes-fluent-client";
 import Log from "./logger";
 import { CapabilityExport } from "./types";
 import { promises as fs } from "fs";
+import commander from "commander";
 
 type RBACMap = {
   [key: string]: {
@@ -161,3 +162,26 @@ export async function namespaceDeploymentsReady(namespace: string = "pepr-system
   }
   Log.info(`All ${namespace} deployments are ready`);
 }
+
+// check if secret is over the size limit
+export function secretOverLimit(str: string): boolean {
+  const encoder = new TextEncoder();
+  const encoded = encoder.encode(str);
+  const sizeInBytes = encoded.length;
+  const oneMiBInBytes = 1048576;
+  return sizeInBytes > oneMiBInBytes;
+}
+
+/* eslint-disable @typescript-eslint/no-unused-vars */
+export const parseTimeout = (value: string, previous: unknown): number => {
+  const parsedValue = parseInt(value, 10);
+  const floatValue = parseFloat(value);
+  if (isNaN(parsedValue)) {
+    throw new commander.InvalidArgumentError("Not a number.");
+  } else if (parsedValue !== floatValue) {
+    throw new commander.InvalidArgumentError("Value must be an integer.");
+  } else if (parsedValue < 1 || parsedValue > 30) {
+    throw new commander.InvalidArgumentError("Number must be between 1 and 30.");
+  }
+  return parsedValue;
+};

package/src/lib/module.ts

@@ -23,6 +23,8 @@ export type ModuleConfig = {
   uuid: string;
   /** A description of the Pepr module and what it does. */
   description?: string;
+  /** The webhookTimeout */
+  webhookTimeout?: number;
   /** Reject K8s resource AdmissionRequests on error. */
   onError?: string;
   /** Configure global exclusions that will never be processed by Pepr. */

package/src/lib/queue.ts

@@ -0,0 +1,77 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+import { KubernetesObject } from "@kubernetes/client-node";
+import Log from "./logger";
+
+type QueueItem<K extends KubernetesObject> = {
+  item: K;
+  resolve: (value: void | PromiseLike<void>) => void;
+  reject: (reason?: string) => void;
+};
+
+/**
+ * Queue is a FIFO queue for reconciling
+ */
+export class Queue<K extends KubernetesObject> {
+  #queue: QueueItem<K>[] = [];
+  #pendingPromise = false;
+  #reconcile?: (...args: unknown[]) => Promise<void>;
+
+  constructor() {
+    this.#reconcile = async () => await new Promise(resolve => resolve());
+  }
+
+  setReconcile(reconcile: (...args: unknown[]) => Promise<void>) {
+    this.#reconcile = reconcile;
+  }
+  /**
+   * Enqueue adds an item to the queue and returns a promise that resolves when the item is
+   * reconciled.
+   *
+   * @param item The object to reconcile
+   * @returns A promise that resolves when the object is reconciled
+   */
+  enqueue(item: K) {
+    Log.debug(`Enqueueing ${item.metadata!.namespace}/${item.metadata!.name}`);
+    return new Promise<void>((resolve, reject) => {
+      this.#queue.push({ item, resolve, reject });
+      return this.#dequeue();
+    });
+  }
+
+  /**
+   * Dequeue reconciles the next item in the queue
+   *
+   * @returns A promise that resolves when the webapp is reconciled
+   */
+  async #dequeue() {
+    // If there is a pending promise, do nothing
+    if (this.#pendingPromise) return false;
+
+    // Take the next element from the queue
+    const element = this.#queue.shift();
+
+    // If there is no element, do nothing
+    if (!element) return false;
+
+    try {
+      // Set the pending promise flag to avoid concurrent reconciliations
+      this.#pendingPromise = true;
+
+      // Reconcile the webapp
+      if (this.#reconcile) {
+        await this.#reconcile(element.item);
+      }
+
+      element.resolve();
+    } catch (e) {
+      element.reject(e);
+    } finally {
+      // Reset the pending promise flag
+      this.#pendingPromise = false;
+
+      // After the element is reconciled, dequeue the next element
+      await this.#dequeue();
+    }
+  }
+}

package/src/lib/types.ts

@@ -72,6 +72,7 @@ export type Binding = {
   isMutate?: boolean;
   isValidate?: boolean;
   isWatch?: boolean;
+  isQueue?: boolean;
   readonly model: GenericClass;
   readonly kind: GroupVersionKind;
   readonly filters: {
@@ -159,6 +160,19 @@ export type ValidateActionChain<T extends GenericClass> = {
    * @returns
    */
   Watch: (action: WatchAction<T, InstanceType<T>>) => void;
+
+  /**
+   * Establish a reconcile for the specified resource. The callback function will be executed after the admission controller has
+   * processed the resource and the request has been persisted to the cluster.
+   *
+   * **Beta Function**: This method is still in early testing and edge cases may still exist.
+   *
+   * @since 0.14.0
+   *
+   * @param action
+   * @returns
+   */
+  Reconcile: (action: WatchAction<T, InstanceType<T>>) => void;
 };
 
 export type MutateActionChain<T extends GenericClass> = ValidateActionChain<T> & {

package/src/lib/watch-processor.ts

@@ -4,11 +4,13 @@
 import { createHash } from "crypto";
 import { K8s, WatchCfg, WatchEvent } from "kubernetes-fluent-client";
 import { WatchPhase } from "kubernetes-fluent-client/dist/fluent/types";
-
+import { Queue } from "./queue";
 import { Capability } from "./capability";
 import { PeprStore } from "./k8s";
 import Log from "./logger";
 import { Binding, Event } from "./types";
+import { Watcher } from "kubernetes-fluent-client/dist/fluent/watch";
+import { GenericClass } from "kubernetes-fluent-client";
 
 // Track if the store has been updated
 let storeUpdates = false;
@@ -80,21 +82,42 @@ async function runBinding(binding: Binding) {
     retryDelaySec: 5,
   };
 
-  // Watch the resource
-  const watcher = K8s(binding.model, binding.filters).Watch(async (obj, type) => {
-    Log.debug(obj, `Watch event ${type} received`);
-
-    // If the type matches the phase, call the watch callback
-    if (phaseMatch.includes(type)) {
-      try {
-        // Perform the watch callback
-        await binding.watchCallback?.(obj, type);
-      } catch (e) {
-        // Errors in the watch callback should not crash the controller
-        Log.error(e, "Error executing watch callback");
+  let watcher: Watcher<GenericClass>;
+  if (binding.isQueue) {
+    const queue = new Queue();
+    // Watch the resource
+    watcher = K8s(binding.model, binding.filters).Watch(async (obj, type) => {
+      Log.debug(obj, `Watch event ${type} received`);
+
+      // If the type matches the phase, call the watch callback
+      if (phaseMatch.includes(type)) {
+        try {
+          queue.setReconcile(async () => await binding.watchCallback?.(obj, type));
+          // Enqueue the object for reconciliation through callback
+          await queue.enqueue(obj);
+        } catch (e) {
+          // Errors in the watch callback should not crash the controller
+          Log.error(e, "Error executing watch callback");
+        }
       }
-    }
-  }, watchCfg);
+    }, watchCfg);
+  } else {
+    // Watch the resource
+    watcher = K8s(binding.model, binding.filters).Watch(async (obj, type) => {
+      Log.debug(obj, `Watch event ${type} received`);
+
+      // If the type matches the phase, call the watch callback
+      if (phaseMatch.includes(type)) {
+        try {
+          // Perform the watch callback
+          await binding.watchCallback?.(obj, type);
+        } catch (e) {
+          // Errors in the watch callback should not crash the controller
+          Log.error(e, "Error executing watch callback");
+        }
+      }
+    }, watchCfg);
+  }
 
   // Create a unique cache ID for this watch binding in case multiple bindings are watching the same resource
   const cacheSuffix = createHash("sha224").update(binding.watchCallback!.toString()).digest("hex").substring(0, 5);