pepr 0.27.0 → 0.28.0

package/package.json

@@ -9,7 +9,7 @@
   "engines": {
     "node": ">=18.0.0"
   },
-  "version": "0.27.0",
+  "version": "0.28.0",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {
@@ -19,7 +19,7 @@
     "test": "npm run test:unit && npm run test:journey",
     "test:unit": "npm run gen-data-json && jest src --coverage --detectOpenHandles --coverageDirectory=./coverage",
     "test:journey": "npm run test:journey:k3d && npm run test:journey:build && npm run test:journey:image && npm run test:journey:run",
-    "test:journey:prep": "git clone https://github.com/defenseunicorns/pepr-upgrade-test.git",
+    "test:journey:prep": "if [ ! -d ./pepr-upgrade-test ]; then git clone https://github.com/defenseunicorns/pepr-upgrade-test.git ; fi",
     "test:journey-wasm": "npm run test:journey:k3d && npm run test:journey:build && npm run test:journey:image && npm run test:journey:run-wasm",
     "test:journey:k3d": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0' --wait && kubectl rollout status deployment -n kube-system",
     "test:journey:build": "npm run build && npm pack",
@@ -31,20 +31,20 @@
     "format:fix": "eslint src --fix && prettier src --write"
   },
   "dependencies": {
-    "@types/ramda": "0.29.10",
-    "express": "4.18.2",
+    "@types/ramda": "0.29.11",
+    "express": "4.18.3",
     "fast-json-patch": "3.1.1",
-    "kubernetes-fluent-client": "2.2.1",
+    "kubernetes-fluent-client": "2.2.2",
     "pino": "8.19.0",
     "pino-pretty": "10.3.1",
     "prom-client": "15.1.0",
     "ramda": "0.29.1"
   },
   "devDependencies": {
-    "@commitlint/cli": "19.0.1",
-    "@commitlint/config-conventional": "19.0.0",
+    "@commitlint/cli": "19.0.3",
+    "@commitlint/config-conventional": "19.0.3",
     "@jest/globals": "29.7.0",
-    "@types/eslint": "8.56.4",
+    "@types/eslint": "8.56.5",
     "@types/express": "4.17.21",
     "@types/node": "18.x.x",
     "@types/node-forge": "1.3.11",

package/src/cli.ts

@@ -14,6 +14,7 @@ import uuid from "./cli/uuid";
 import { version } from "./cli/init/templates";
 import { RootCmd } from "./cli/root";
 import update from "./cli/update";
+import kfc from "./cli/kfc";
 
 if (process.env.npm_lifecycle_event !== "npx") {
   console.warn("Pepr should be run via `npx pepr <command>` instead of `pepr <command>`.");
@@ -43,4 +44,5 @@ update(program);
 format(program);
 monitor(program);
 uuid(program);
+kfc(program);
 program.parse();

package/src/lib/helpers.ts

@@ -1,11 +1,11 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-import { K8s, kind } from "kubernetes-fluent-client";
+import { K8s, KubernetesObject, kind } from "kubernetes-fluent-client";
 import Log from "./logger";
 import { CapabilityExport } from "./types";
 import { promises as fs } from "fs";
-import commander from "commander";
+import { Binding } from "./types";
 
 type RBACMap = {
   [key: string]: {
@@ -14,6 +14,96 @@ type RBACMap = {
   };
 };
 
+// check for overlap with labels and annotations between bindings and kubernetes objects
+export function checkOverlap(record1: Record<string, string>, record2: Record<string, string>) {
+  if (Object.keys(record1).length === 0) {
+    return true;
+  }
+  for (const key in record1) {
+    if (
+      Object.prototype.hasOwnProperty.call(record1, key) &&
+      Object.prototype.hasOwnProperty.call(record2, key) &&
+      record1[key] === record2[key]
+    ) {
+      return true;
+    }
+  }
+  return false;
+}
+
+/**
+ * Decide to run callback after the event comes back from API Server
+ **/
+export const filterMatcher = (
+  binding: Partial<Binding>,
+  obj: Partial<KubernetesObject>,
+  capabilityNamespaces: string[],
+): string => {
+  // binding kind is namespace with a InNamespace filter
+  if (binding.kind && binding.kind.kind === "Namespace" && binding.filters && binding.filters.namespaces.length !== 0) {
+    return `Ignoring Watch Callback: Cannot use a namespace filter in a namespace object.`;
+  }
+
+  if (typeof obj === "object" && obj !== null && "metadata" in obj && obj.metadata !== undefined && binding.filters) {
+    // binding labels and object labels dont match
+    if (obj.metadata.labels && !checkOverlap(binding.filters.labels, obj.metadata.labels)) {
+      return `Ignoring Watch Callback: No overlap between binding and object labels. Binding labels ${JSON.stringify(
+        binding.filters.labels,
+      )}, Object Labels ${JSON.stringify(obj.metadata.labels)}.`;
+    }
+
+    // binding annotations and object annotations dont match
+    if (obj.metadata.annotations && !checkOverlap(binding.filters.annotations, obj.metadata.annotations)) {
+      return `Ignoring Watch Callback: No overlap between binding and object annotations. Binding annotations ${JSON.stringify(
+        binding.filters.annotations,
+      )}, Object annotations ${JSON.stringify(obj.metadata.annotations)}.`;
+    }
+  }
+
+  // Check object is in the capability namespace
+  if (
+    Array.isArray(capabilityNamespaces) &&
+    capabilityNamespaces.length > 0 &&
+    obj.metadata &&
+    obj.metadata.namespace &&
+    !capabilityNamespaces.includes(obj.metadata.namespace)
+  ) {
+    return `Ignoring Watch Callback: Object is not in the capability namespace. Capability namespaces: ${capabilityNamespaces.join(
+      ", ",
+    )}, Object namespace: ${obj.metadata.namespace}.`;
+  }
+
+  // chceck every filter namespace is a capability namespace
+  if (
+    Array.isArray(capabilityNamespaces) &&
+    capabilityNamespaces.length > 0 &&
+    binding.filters &&
+    Array.isArray(binding.filters.namespaces) &&
+    binding.filters.namespaces.length > 0 &&
+    !binding.filters.namespaces.every(ns => capabilityNamespaces.includes(ns))
+  ) {
+    return `Ignoring Watch Callback: Binding namespace is not part of capability namespaces. Capability namespaces: ${capabilityNamespaces.join(
+      ", ",
+    )}, Binding namespaces: ${binding.filters.namespaces.join(", ")}.`;
+  }
+
+  // filter namespace is not the same of object namespace
+  if (
+    binding.filters &&
+    Array.isArray(binding.filters.namespaces) &&
+    binding.filters.namespaces.length > 0 &&
+    obj.metadata &&
+    obj.metadata.namespace &&
+    !binding.filters.namespaces.includes(obj.metadata.namespace)
+  ) {
+    return `Ignoring Watch Callback: Binding namespace and object namespace are not the same. Binding namespaces: ${binding.filters.namespaces.join(
+      ", ",
+    )}, Object namespace: ${obj.metadata.namespace}.`;
+  }
+
+  // no problems
+  return "";
+};
 export const addVerbIfNotExists = (verbs: string[], verb: string) => {
   if (!verbs.includes(verb)) {
     verbs.push(verb);
@@ -177,11 +267,11 @@ export const parseTimeout = (value: string, previous: unknown): number => {
   const parsedValue = parseInt(value, 10);
   const floatValue = parseFloat(value);
   if (isNaN(parsedValue)) {
-    throw new commander.InvalidArgumentError("Not a number.");
+    throw new Error("Not a number.");
   } else if (parsedValue !== floatValue) {
-    throw new commander.InvalidArgumentError("Value must be an integer.");
+    throw new Error("Value must be an integer.");
   } else if (parsedValue < 1 || parsedValue > 30) {
-    throw new commander.InvalidArgumentError("Number must be between 1 and 30.");
+    throw new Error("Number must be between 1 and 30.");
   }
   return parsedValue;
 };

package/src/lib/k8s.ts

@@ -166,15 +166,4 @@ export type WebhookIgnore = {
    * Note: `kube-system` and `pepr-system` are always ignored.
    */
   namespaces?: string[];
-  /**
-   * List of Kubernetes labels to always ignore.
-   * Any resources with these labels will be ignored by Pepr.
-   *
-   * The example below will ignore any resources with the label `my-label=ulta-secret`:
-   * ```
-   * alwaysIgnore:
-   *   labels: [{ "my-label": "ultra-secret" }]
-   * ```
-   */
-  labels?: Record<string, string>[];
 };

package/src/lib/module.ts

@@ -15,8 +15,6 @@ export interface CustomLabels {
 }
 /** Global configuration for the Pepr runtime. */
 export type ModuleConfig = {
-  /** The user-defined name for the module */
-  name: string;
   /** The Pepr version this module uses */
   peprVersion?: string;
   /** The user-defined version of the module */

package/src/lib/watch-processor.ts

@@ -11,6 +11,7 @@ import Log from "./logger";
 import { Binding, Event } from "./types";
 import { Watcher } from "kubernetes-fluent-client/dist/fluent/watch";
 import { GenericClass } from "kubernetes-fluent-client";
+import { filterMatcher } from "./helpers";
 
 // Track if the store has been updated
 let storeUpdates = false;
@@ -58,13 +59,14 @@ export async function setupStore(uuid: string) {
 export async function setupWatch(uuid: string, capabilities: Capability[]) {
   await setupStore(uuid);
 
-  capabilities
-    .flatMap(c => c.bindings)
-    .filter(binding => binding.isWatch)
-    .forEach(runBinding);
+  capabilities.map(capability =>
+    capability.bindings
+      .filter(binding => binding.isWatch)
+      .forEach(bindingElement => runBinding(bindingElement, capability.namespaces)),
+  );
 }
 
-async function runBinding(binding: Binding) {
+async function runBinding(binding: Binding, capabilityNamespaces: string[]) {
   // Map the event to the watch phase
   const eventToPhaseMap = {
     [Event.Create]: [WatchPhase.Added],
@@ -92,9 +94,14 @@ async function runBinding(binding: Binding) {
       // If the type matches the phase, call the watch callback
       if (phaseMatch.includes(type)) {
         try {
-          queue.setReconcile(async () => await binding.watchCallback?.(obj, type));
-          // Enqueue the object for reconciliation through callback
-          await queue.enqueue(obj);
+          const filterMatch = filterMatcher(binding, obj, capabilityNamespaces);
+          if (filterMatch === "") {
+            queue.setReconcile(async () => await binding.watchCallback?.(obj, type));
+            // Enqueue the object for reconciliation through callback
+            await queue.enqueue(obj);
+          } else {
+            Log.debug(filterMatch);
+          }
         } catch (e) {
           // Errors in the watch callback should not crash the controller
           Log.error(e, "Error executing watch callback");
@@ -109,8 +116,12 @@ async function runBinding(binding: Binding) {
       // If the type matches the phase, call the watch callback
       if (phaseMatch.includes(type)) {
         try {
-          // Perform the watch callback
-          await binding.watchCallback?.(obj, type);
+          const filterMatch = filterMatcher(binding, obj, capabilityNamespaces);
+          if (filterMatch === "") {
+            await binding.watchCallback?.(obj, type);
+          } else {
+            Log.debug(filterMatch);
+          }
         } catch (e) {
           // Errors in the watch callback should not crash the controller
           Log.error(e, "Error executing watch callback");

package/src/templates/package.json

@@ -13,8 +13,7 @@
       }
     },
     "alwaysIgnore": {
-      "namespaces": [],
-      "labels": []
+      "namespaces": []
     },
     "includedFiles": []
   }