pepr 0.24.1 → 0.26.0

package/src/lib/assets/deploy.ts

@@ -20,7 +20,7 @@ export async function deploy(assets: Assets, force: boolean, webhookTimeout?: nu
   const { name, host, path } = assets;
 
   Log.info("Applying pepr-system namespace");
-  await K8s(kind.Namespace).Apply(namespace);
+  await K8s(kind.Namespace).Apply(namespace(assets.config.customLabels?.namespace));
 
   // Create the mutating webhook configuration if it is needed
   const mutateWebhook = await webhookConfig(assets, "mutate", webhookTimeout);

package/src/lib/assets/pods.ts

@@ -4,17 +4,22 @@
 import { V1EnvVar } from "@kubernetes/client-node";
 import { kind } from "kubernetes-fluent-client";
 import { gzipSync } from "zlib";
-
+import { secretOverLimit } from "../helpers";
 import { Assets } from ".";
 import { ModuleConfig } from "../module";
 import { Binding } from "../types";
 
 /** Generate the pepr-system namespace */
-export const namespace: kind.Namespace = {
-  apiVersion: "v1",
-  kind: "Namespace",
-  metadata: { name: "pepr-system" },
-};
+export function namespace(namespaceLabels?: Record<string, string>) {
+  return {
+    apiVersion: "v1",
+    kind: "Namespace",
+    metadata: {
+      name: "pepr-system",
+      labels: namespaceLabels ?? {},
+    },
+  };
+}
 
 export function watcher(assets: Assets, hash: string) {
   const { name, image, capabilities, config } = assets;
@@ -45,9 +50,13 @@ export function watcher(assets: Assets, hash: string) {
     metadata: {
       name: app,
       namespace: "pepr-system",
+      annotations: {
+        "pepr.dev/description": config.description || "",
+      },
       labels: {
         app,
         "pepr.dev/controller": "watcher",
+        "pepr.dev/uuid": config.uuid,
       },
     },
     spec: {
@@ -168,9 +177,13 @@ export function deployment(assets: Assets, hash: string): kind.Deployment {
     metadata: {
       name,
       namespace: "pepr-system",
+      annotations: {
+        "pepr.dev/description": config.description || "",
+      },
       labels: {
         app,
         "pepr.dev/controller": "admission",
+        "pepr.dev/uuid": config.uuid,
       },
     },
     spec: {
@@ -294,18 +307,25 @@ export function moduleSecret(name: string, data: Buffer, hash: string): kind.Sec
   // Compress the data
   const compressed = gzipSync(data);
   const path = `module-${hash}.js.gz`;
-  return {
-    apiVersion: "v1",
-    kind: "Secret",
-    metadata: {
-      name: `${name}-module`,
-      namespace: "pepr-system",
-    },
-    type: "Opaque",
-    data: {
-      [path]: compressed.toString("base64"),
-    },
-  };
+  const compressedData = compressed.toString("base64");
+  if (secretOverLimit(compressedData)) {
+    const error = new Error(`Module secret for ${name} is over the 1MB limit`);
+    console.error("Uncaught Exception:", error);
+    process.exit(1);
+  } else {
+    return {
+      apiVersion: "v1",
+      kind: "Secret",
+      metadata: {
+        name: `${name}-module`,
+        namespace: "pepr-system",
+      },
+      type: "Opaque",
+      data: {
+        [path]: compressed.toString("base64"),
+      },
+    };
+  }
 }
 
 function genEnv(config: ModuleConfig, watchMode = false): V1EnvVar[] {

package/src/lib/assets/yaml.ts

@@ -10,7 +10,6 @@ import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking
 import { deployment, moduleSecret, namespace, watcher } from "./pods";
 import { clusterRole, clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";
 import { webhookConfig } from "./webhooks";
-import { peprStoreCRD } from "./store";
 
 export function zarfYaml({ name, image, config }: Assets, path: string) {
   const zarfCfg = {
@@ -48,12 +47,12 @@ export async function allYaml(assets: Assets, rbacMode: string) {
   // Generate a hash of the code
   const hash = crypto.createHash("sha256").update(code).digest("hex");
 
-  const mutateWebhook = await webhookConfig(assets, "mutate");
-  const validateWebhook = await webhookConfig(assets, "validate");
+  const mutateWebhook = await webhookConfig(assets, "mutate", assets.config.webhookTimeout);
+  const validateWebhook = await webhookConfig(assets, "validate", assets.config.webhookTimeout);
   const watchDeployment = watcher(assets, hash);
 
   const resources = [
-    namespace,
+    namespace(assets.config.customLabels?.namespace),
     clusterRole(name, assets.capabilities, rbacMode),
     clusterRoleBinding(name),
     serviceAccount(name),
@@ -63,7 +62,6 @@ export async function allYaml(assets: Assets, rbacMode: string) {
     service(name),
     watcherService(name),
     moduleSecret(name, code, hash),
-    peprStoreCRD,
     storeRole(name),
     storeRoleBinding(name),
   ];

package/src/lib/capability.ts

@@ -203,7 +203,7 @@ export class Capability implements CapabilityExport {
 
     const bindings = this.#bindings;
     const prefix = `${this.#name}: ${model.name}`;
-    const commonChain = { WithLabel, WithAnnotation, Mutate, Validate, Watch };
+    const commonChain = { WithLabel, WithAnnotation, Mutate, Validate, Watch, Reconcile };
     const isNotEmpty = (value: object) => Object.keys(value).length > 0;
     const log = (message: string, cbString: string) => {
       const filteredObj = pickBy(isNotEmpty, binding.filters);
@@ -226,7 +226,7 @@ export class Capability implements CapabilityExport {
         });
       }
 
-      return { Watch };
+      return { Watch, Reconcile };
     }
 
     function Mutate(mutateCallback: MutateAction<T>): MutateActionChain<T> {
@@ -243,7 +243,7 @@ export class Capability implements CapabilityExport {
       }
 
       // Now only allow adding actions to the same binding
-      return { Watch, Validate };
+      return { Watch, Validate, Reconcile };
     }
 
     function Watch(watchCallback: WatchAction<T>) {
@@ -258,6 +258,19 @@ export class Capability implements CapabilityExport {
       }
     }
 
+    function Reconcile(watchCallback: WatchAction<T>) {
+      if (registerWatch) {
+        log("Reconcile Action", watchCallback.toString());
+
+        bindings.push({
+          ...binding,
+          isWatch: true,
+          isQueue: true,
+          watchCallback,
+        });
+      }
+    }
+
     function InNamespace(...namespaces: string[]): BindingWithName<T> {
       Log.debug(`Add namespaces filter ${namespaces}`, prefix);
       binding.filters.namespaces.push(...namespaces);

package/src/lib/controller/index.ts

@@ -249,16 +249,23 @@ export class Controller {
             response: kubeAdmissionResponse,
           });
         } else {
-          kubeAdmissionResponse = {
-            uid: responseList[0].uid,
-            allowed: responseList.filter(r => !r.allowed).length === 0,
-            status: {
-              message: (responseList as ValidateResponse[])
-                .filter(rl => !rl.allowed)
-                .map(curr => curr.status?.message)
-                .join("; "),
-            },
-          };
+          kubeAdmissionResponse =
+            responseList.length === 0
+              ? {
+                  uid: request.uid,
+                  allowed: true,
+                  status: { message: "no in-scope validations -- allowed!" },
+                }
+              : {
+                  uid: responseList[0].uid,
+                  allowed: responseList.filter(r => !r.allowed).length === 0,
+                  status: {
+                    message: (responseList as ValidateResponse[])
+                      .filter(rl => !rl.allowed)
+                      .map(curr => curr.status?.message)
+                      .join("; "),
+                  },
+                };
           res.send({
             apiVersion: "admission.k8s.io/v1",
             kind: "AdmissionReview",

package/src/lib/helpers.ts

@@ -5,6 +5,7 @@ import { K8s, kind } from "kubernetes-fluent-client";
 import Log from "./logger";
 import { CapabilityExport } from "./types";
 import { promises as fs } from "fs";
+import commander from "commander";
 
 type RBACMap = {
   [key: string]: {
@@ -161,3 +162,26 @@ export async function namespaceDeploymentsReady(namespace: string = "pepr-system
   }
   Log.info(`All ${namespace} deployments are ready`);
 }
+
+// check if secret is over the size limit
+export function secretOverLimit(str: string): boolean {
+  const encoder = new TextEncoder();
+  const encoded = encoder.encode(str);
+  const sizeInBytes = encoded.length;
+  const oneMiBInBytes = 1048576;
+  return sizeInBytes > oneMiBInBytes;
+}
+
+/* eslint-disable @typescript-eslint/no-unused-vars */
+export const parseTimeout = (value: string, previous: unknown): number => {
+  const parsedValue = parseInt(value, 10);
+  const floatValue = parseFloat(value);
+  if (isNaN(parsedValue)) {
+    throw new commander.InvalidArgumentError("Not a number.");
+  } else if (parsedValue !== floatValue) {
+    throw new commander.InvalidArgumentError("Value must be an integer.");
+  } else if (parsedValue < 1 || parsedValue > 30) {
+    throw new commander.InvalidArgumentError("Number must be between 1 and 30.");
+  }
+  return parsedValue;
+};

package/src/lib/module.ts

@@ -1,8 +1,6 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
-
 import { clone } from "ramda";
-
 import { Capability } from "./capability";
 import { Controller } from "./controller";
 import { ValidateError } from "./errors";
@@ -11,6 +9,10 @@ import { CapabilityExport } from "./types";
 import { setupWatch } from "./watch-processor";
 import { Log } from "../lib";
 
+/** Custom Labels Type for package.json */
+export interface CustomLabels {
+  namespace?: Record<string, string>;
+}
 /** Global configuration for the Pepr runtime. */
 export type ModuleConfig = {
   /** The user-defined name for the module */
@@ -23,6 +25,8 @@ export type ModuleConfig = {
   uuid: string;
   /** A description of the Pepr module and what it does. */
   description?: string;
+  /** The webhookTimeout */
+  webhookTimeout?: number;
   /** Reject K8s resource AdmissionRequests on error. */
   onError?: string;
   /** Configure global exclusions that will never be processed by Pepr. */
@@ -31,6 +35,8 @@ export type ModuleConfig = {
   logLevel?: string;
   /** Propagate env variables to in-cluster controllers */
   env?: Record<string, string>;
+  /** Custom Labels for Kubernetes Objects */
+  customLabels?: CustomLabels;
 };
 
 export type PackageJSON = {

package/src/lib/queue.ts

@@ -0,0 +1,77 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+import { KubernetesObject } from "@kubernetes/client-node";
+import Log from "./logger";
+
+type QueueItem<K extends KubernetesObject> = {
+  item: K;
+  resolve: (value: void | PromiseLike<void>) => void;
+  reject: (reason?: string) => void;
+};
+
+/**
+ * Queue is a FIFO queue for reconciling
+ */
+export class Queue<K extends KubernetesObject> {
+  #queue: QueueItem<K>[] = [];
+  #pendingPromise = false;
+  #reconcile?: (...args: unknown[]) => Promise<void>;
+
+  constructor() {
+    this.#reconcile = async () => await new Promise(resolve => resolve());
+  }
+
+  setReconcile(reconcile: (...args: unknown[]) => Promise<void>) {
+    this.#reconcile = reconcile;
+  }
+  /**
+   * Enqueue adds an item to the queue and returns a promise that resolves when the item is
+   * reconciled.
+   *
+   * @param item The object to reconcile
+   * @returns A promise that resolves when the object is reconciled
+   */
+  enqueue(item: K) {
+    Log.debug(`Enqueueing ${item.metadata!.namespace}/${item.metadata!.name}`);
+    return new Promise<void>((resolve, reject) => {
+      this.#queue.push({ item, resolve, reject });
+      return this.#dequeue();
+    });
+  }
+
+  /**
+   * Dequeue reconciles the next item in the queue
+   *
+   * @returns A promise that resolves when the webapp is reconciled
+   */
+  async #dequeue() {
+    // If there is a pending promise, do nothing
+    if (this.#pendingPromise) return false;
+
+    // Take the next element from the queue
+    const element = this.#queue.shift();
+
+    // If there is no element, do nothing
+    if (!element) return false;
+
+    try {
+      // Set the pending promise flag to avoid concurrent reconciliations
+      this.#pendingPromise = true;
+
+      // Reconcile the webapp
+      if (this.#reconcile) {
+        await this.#reconcile(element.item);
+      }
+
+      element.resolve();
+    } catch (e) {
+      element.reject(e);
+    } finally {
+      // Reset the pending promise flag
+      this.#pendingPromise = false;
+
+      // After the element is reconciled, dequeue the next element
+      await this.#dequeue();
+    }
+  }
+}

package/src/lib/types.ts

@@ -72,6 +72,7 @@ export type Binding = {
   isMutate?: boolean;
   isValidate?: boolean;
   isWatch?: boolean;
+  isQueue?: boolean;
   readonly model: GenericClass;
   readonly kind: GroupVersionKind;
   readonly filters: {
@@ -159,6 +160,19 @@ export type ValidateActionChain<T extends GenericClass> = {
    * @returns
    */
   Watch: (action: WatchAction<T, InstanceType<T>>) => void;
+
+  /**
+   * Establish a reconcile for the specified resource. The callback function will be executed after the admission controller has
+   * processed the resource and the request has been persisted to the cluster.
+   *
+   * **Beta Function**: This method is still in early testing and edge cases may still exist.
+   *
+   * @since 0.14.0
+   *
+   * @param action
+   * @returns
+   */
+  Reconcile: (action: WatchAction<T, InstanceType<T>>) => void;
 };
 
 export type MutateActionChain<T extends GenericClass> = ValidateActionChain<T> & {

package/src/lib/watch-processor.ts

@@ -4,11 +4,13 @@
 import { createHash } from "crypto";
 import { K8s, WatchCfg, WatchEvent } from "kubernetes-fluent-client";
 import { WatchPhase } from "kubernetes-fluent-client/dist/fluent/types";
-
+import { Queue } from "./queue";
 import { Capability } from "./capability";
 import { PeprStore } from "./k8s";
 import Log from "./logger";
 import { Binding, Event } from "./types";
+import { Watcher } from "kubernetes-fluent-client/dist/fluent/watch";
+import { GenericClass } from "kubernetes-fluent-client";
 
 // Track if the store has been updated
 let storeUpdates = false;
@@ -80,21 +82,42 @@ async function runBinding(binding: Binding) {
     retryDelaySec: 5,
   };
 
-  // Watch the resource
-  const watcher = K8s(binding.model, binding.filters).Watch(async (obj, type) => {
-    Log.debug(obj, `Watch event ${type} received`);
-
-    // If the type matches the phase, call the watch callback
-    if (phaseMatch.includes(type)) {
-      try {
-        // Perform the watch callback
-        await binding.watchCallback?.(obj, type);
-      } catch (e) {
-        // Errors in the watch callback should not crash the controller
-        Log.error(e, "Error executing watch callback");
+  let watcher: Watcher<GenericClass>;
+  if (binding.isQueue) {
+    const queue = new Queue();
+    // Watch the resource
+    watcher = K8s(binding.model, binding.filters).Watch(async (obj, type) => {
+      Log.debug(obj, `Watch event ${type} received`);
+
+      // If the type matches the phase, call the watch callback
+      if (phaseMatch.includes(type)) {
+        try {
+          queue.setReconcile(async () => await binding.watchCallback?.(obj, type));
+          // Enqueue the object for reconciliation through callback
+          await queue.enqueue(obj);
+        } catch (e) {
+          // Errors in the watch callback should not crash the controller
+          Log.error(e, "Error executing watch callback");
+        }
       }
-    }
-  }, watchCfg);
+    }, watchCfg);
+  } else {
+    // Watch the resource
+    watcher = K8s(binding.model, binding.filters).Watch(async (obj, type) => {
+      Log.debug(obj, `Watch event ${type} received`);
+
+      // If the type matches the phase, call the watch callback
+      if (phaseMatch.includes(type)) {
+        try {
+          // Perform the watch callback
+          await binding.watchCallback?.(obj, type);
+        } catch (e) {
+          // Errors in the watch callback should not crash the controller
+          Log.error(e, "Error executing watch callback");
+        }
+      }
+    }, watchCfg);
+  }
 
   // Create a unique cache ID for this watch binding in case multiple bindings are watching the same resource
   const cacheSuffix = createHash("sha224").update(binding.watchCallback!.toString()).digest("hex").substring(0, 5);

package/src/runtime/controller.ts

@@ -7,9 +7,10 @@ import { fork } from "child_process";
 import crypto from "crypto";
 import fs from "fs";
 import { gunzipSync } from "zlib";
-
+import { K8s, kind } from "kubernetes-fluent-client";
 import Log from "../lib/logger";
 import { packageJSON } from "../templates/data.json";
+import { peprStoreCRD } from "../lib/assets/store";
 
 const { version } = packageJSON;
 
@@ -67,5 +68,12 @@ Log.info(`Pepr Controller (v${version})`);
 
 const hash = process.argv[2];
 
-validateHash(hash);
-runModule(hash);
+const startup = async () => {
+  Log.info("Applying the Pepr Store CRD if it doesn't exist");
+  await K8s(kind.CustomResourceDefinition).Apply(peprStoreCRD, { force: true });
+
+  validateHash(hash);
+  runModule(hash);
+};
+
+startup().catch(err => Log.error(err));

package/src/templates/package.json

@@ -5,8 +5,11 @@
     "name": "Development Module",
     "uuid": "20e17cf6-a2e4-46b2-b626-75d88d96c88b",
     "description": "Development module for pepr",
-    "onError": "ignore",
+    "onError": "reject",
     "logLevel": "debug",
+    "customLabels": {
+      "namespace": {}
+    },
     "alwaysIgnore": {
       "namespaces": [],
       "labels": []