pepr 0.27.0 → 0.28.1

package/package.json

@@ -9,7 +9,7 @@
   "engines": {
     "node": ">=18.0.0"
   },
-  "version": "0.27.0",
+  "version": "0.28.1",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {
@@ -19,7 +19,7 @@
     "test": "npm run test:unit && npm run test:journey",
     "test:unit": "npm run gen-data-json && jest src --coverage --detectOpenHandles --coverageDirectory=./coverage",
     "test:journey": "npm run test:journey:k3d && npm run test:journey:build && npm run test:journey:image && npm run test:journey:run",
-    "test:journey:prep": "git clone https://github.com/defenseunicorns/pepr-upgrade-test.git",
+    "test:journey:prep": "if [ ! -d ./pepr-upgrade-test ]; then git clone https://github.com/defenseunicorns/pepr-upgrade-test.git ; fi",
     "test:journey-wasm": "npm run test:journey:k3d && npm run test:journey:build && npm run test:journey:image && npm run test:journey:run-wasm",
     "test:journey:k3d": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0' --wait && kubectl rollout status deployment -n kube-system",
     "test:journey:build": "npm run build && npm pack",
@@ -31,20 +31,20 @@
     "format:fix": "eslint src --fix && prettier src --write"
   },
   "dependencies": {
-    "@types/ramda": "0.29.10",
-    "express": "4.18.2",
+    "@types/ramda": "0.29.11",
+    "express": "4.18.3",
     "fast-json-patch": "3.1.1",
-    "kubernetes-fluent-client": "2.2.1",
+    "kubernetes-fluent-client": "2.2.3",
     "pino": "8.19.0",
     "pino-pretty": "10.3.1",
     "prom-client": "15.1.0",
     "ramda": "0.29.1"
   },
   "devDependencies": {
-    "@commitlint/cli": "19.0.1",
-    "@commitlint/config-conventional": "19.0.0",
+    "@commitlint/cli": "19.1.0",
+    "@commitlint/config-conventional": "19.1.0",
     "@jest/globals": "29.7.0",
-    "@types/eslint": "8.56.4",
+    "@types/eslint": "8.56.5",
     "@types/express": "4.17.21",
     "@types/node": "18.x.x",
     "@types/node-forge": "1.3.11",

package/src/cli.ts

@@ -14,6 +14,7 @@ import uuid from "./cli/uuid";
 import { version } from "./cli/init/templates";
 import { RootCmd } from "./cli/root";
 import update from "./cli/update";
+import kfc from "./cli/kfc";
 
 if (process.env.npm_lifecycle_event !== "npx") {
   console.warn("Pepr should be run via `npx pepr <command>` instead of `pepr <command>`.");
@@ -43,4 +44,5 @@ update(program);
 format(program);
 monitor(program);
 uuid(program);
+kfc(program);
 program.parse();

package/src/lib/assets/helm.ts

@@ -74,6 +74,7 @@ export function watcherDeployTemplate(buildTimestamp: string) {
               app: {{ .Values.uuid }}-watcher
               pepr.dev/controller: watcher
           spec:
+            terminationGracePeriodSeconds: {{ .Values.watcher.terminationGracePeriodSeconds }}
             serviceAccountName: {{ .Values.uuid }}
             securityContext:
               {{- toYaml .Values.admission.securityContext | nindent 8 }}
@@ -145,6 +146,7 @@ export function admissionDeployTemplate(buildTimestamp: string) {
               app: {{ .Values.uuid }}
               pepr.dev/controller: admission
           spec:
+            terminationGracePeriodSeconds: {{ .Values.admission.terminationGracePeriodSeconds }}
             priorityClassName: system-node-critical
             serviceAccountName: {{ .Values.uuid }}
             securityContext:

package/src/lib/assets/pods.ts

@@ -91,6 +91,7 @@ export function watcher(assets: Assets, hash: string, buildTimestamp: string) {
           },
         },
         spec: {
+          terminationGracePeriodSeconds: 5,
           serviceAccountName: name,
           securityContext: {
             runAsUser: 65532,
@@ -215,6 +216,7 @@ export function deployment(assets: Assets, hash: string, buildTimestamp: string)
           },
         },
         spec: {
+          terminationGracePeriodSeconds: 5,
           priorityClassName: "system-node-critical",
           serviceAccountName: name,
           securityContext: {

package/src/lib/assets/yaml.ts

@@ -26,14 +26,13 @@ export async function overridesFile({ hash, name, image, config, apiToken }: Ass
     },
     uuid: name,
     admission: {
+      terminationGracePeriodSeconds: 5,
       failurePolicy: config.onError === "reject" ? "Fail" : "Ignore",
       webhookTimeout: config.webhookTimeout,
       env: [
         { name: "PEPR_WATCH_MODE", value: "false" },
         { name: "PEPR_PRETTY_LOG", value: "false" },
         { name: "LOG_LEVEL", value: "debug" },
-        process.env.PEPR_MODE === "dev" && { name: "MY_CUSTOM_VAR", value: "example-value" },
-        process.env.PEPR_MODE === "dev" && { name: "ZARF_VAR", value: "###ZARF_VAR_THING###" },
       ],
       image,
       annotations: {
@@ -74,12 +73,11 @@ export async function overridesFile({ hash, name, image, config, apiToken }: Ass
       affinity: {},
     },
     watcher: {
+      terminationGracePeriodSeconds: 5,
       env: [
         { name: "PEPR_WATCH_MODE", value: "true" },
         { name: "PEPR_PRETTY_LOG", value: "false" },
         { name: "LOG_LEVEL", value: "debug" },
-        process.env.PEPR_MODE === "dev" && { name: "MY_CUSTOM_VAR", value: "example-value" },
-        process.env.PEPR_MODE === "dev" && { name: "ZARF_VAR", value: "###ZARF_VAR_THING###" },
       ],
       image,
       annotations: {
@@ -120,6 +118,12 @@ export async function overridesFile({ hash, name, image, config, apiToken }: Ass
       affinity: {},
     },
   };
+  if (process.env.PEPR_MODE === "dev") {
+    overrides.admission.env.push({ name: "ZARF_VAR", value: "###ZARF_VAR_THING###" });
+    overrides.watcher.env.push({ name: "ZARF_VAR", value: "###ZARF_VAR_THING###" });
+    overrides.admission.env.push({ name: "MY_CUSTOM_VAR", value: "example-value" });
+    overrides.watcher.env.push({ name: "MY_CUSTOM_VAR", value: "example-value" });
+  }
 
   await fs.writeFile(path, dumpYaml(overrides, { noRefs: true, forceQuotes: true }));
 }

package/src/lib/controller/index.ts

@@ -32,13 +32,13 @@ export class Controller {
   readonly #config: ModuleConfig;
   readonly #capabilities: Capability[];
   readonly #beforeHook?: (req: AdmissionRequest) => void;
-  readonly #afterHook?: (res: MutateResponse) => void;
+  readonly #afterHook?: (res: MutateResponse | ValidateResponse) => void;
 
   constructor(
     config: ModuleConfig,
     capabilities: Capability[],
     beforeHook?: (req: AdmissionRequest) => void,
-    afterHook?: (res: MutateResponse) => void,
+    afterHook?: (res: MutateResponse | ValidateResponse) => void,
     onReady?: () => void,
   ) {
     this.#config = config;

package/src/lib/controller/store.ts

@@ -112,7 +112,7 @@ export class PeprControllerStore {
 
     // Debounce the update to 1 second to avoid multiple rapid calls
     clearTimeout(this.#sendDebounce);
-    this.#sendDebounce = setTimeout(debounced, debounceBackoff);
+    this.#sendDebounce = setTimeout(debounced, this.#onReady ? 0 : debounceBackoff);
   };
 
   #send = (capabilityName: string) => {

package/src/lib/helpers.ts

@@ -1,11 +1,11 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-import { K8s, kind } from "kubernetes-fluent-client";
+import { K8s, KubernetesObject, kind } from "kubernetes-fluent-client";
 import Log from "./logger";
 import { CapabilityExport } from "./types";
 import { promises as fs } from "fs";
-import commander from "commander";
+import { Binding } from "./types";
 
 type RBACMap = {
   [key: string]: {
@@ -14,6 +14,96 @@ type RBACMap = {
   };
 };
 
+// check for overlap with labels and annotations between bindings and kubernetes objects
+export function checkOverlap(record1: Record<string, string>, record2: Record<string, string>) {
+  if (Object.keys(record1).length === 0) {
+    return true;
+  }
+  for (const key in record1) {
+    if (
+      Object.prototype.hasOwnProperty.call(record1, key) &&
+      Object.prototype.hasOwnProperty.call(record2, key) &&
+      record1[key] === record2[key]
+    ) {
+      return true;
+    }
+  }
+  return false;
+}
+
+/**
+ * Decide to run callback after the event comes back from API Server
+ **/
+export const filterMatcher = (
+  binding: Partial<Binding>,
+  obj: Partial<KubernetesObject>,
+  capabilityNamespaces: string[],
+): string => {
+  // binding kind is namespace with a InNamespace filter
+  if (binding.kind && binding.kind.kind === "Namespace" && binding.filters && binding.filters.namespaces.length !== 0) {
+    return `Ignoring Watch Callback: Cannot use a namespace filter in a namespace object.`;
+  }
+
+  if (typeof obj === "object" && obj !== null && "metadata" in obj && obj.metadata !== undefined && binding.filters) {
+    // binding labels and object labels dont match
+    if (obj.metadata.labels && !checkOverlap(binding.filters.labels, obj.metadata.labels)) {
+      return `Ignoring Watch Callback: No overlap between binding and object labels. Binding labels ${JSON.stringify(
+        binding.filters.labels,
+      )}, Object Labels ${JSON.stringify(obj.metadata.labels)}.`;
+    }
+
+    // binding annotations and object annotations dont match
+    if (obj.metadata.annotations && !checkOverlap(binding.filters.annotations, obj.metadata.annotations)) {
+      return `Ignoring Watch Callback: No overlap between binding and object annotations. Binding annotations ${JSON.stringify(
+        binding.filters.annotations,
+      )}, Object annotations ${JSON.stringify(obj.metadata.annotations)}.`;
+    }
+  }
+
+  // Check object is in the capability namespace
+  if (
+    Array.isArray(capabilityNamespaces) &&
+    capabilityNamespaces.length > 0 &&
+    obj.metadata &&
+    obj.metadata.namespace &&
+    !capabilityNamespaces.includes(obj.metadata.namespace)
+  ) {
+    return `Ignoring Watch Callback: Object is not in the capability namespace. Capability namespaces: ${capabilityNamespaces.join(
+      ", ",
+    )}, Object namespace: ${obj.metadata.namespace}.`;
+  }
+
+  // chceck every filter namespace is a capability namespace
+  if (
+    Array.isArray(capabilityNamespaces) &&
+    capabilityNamespaces.length > 0 &&
+    binding.filters &&
+    Array.isArray(binding.filters.namespaces) &&
+    binding.filters.namespaces.length > 0 &&
+    !binding.filters.namespaces.every(ns => capabilityNamespaces.includes(ns))
+  ) {
+    return `Ignoring Watch Callback: Binding namespace is not part of capability namespaces. Capability namespaces: ${capabilityNamespaces.join(
+      ", ",
+    )}, Binding namespaces: ${binding.filters.namespaces.join(", ")}.`;
+  }
+
+  // filter namespace is not the same of object namespace
+  if (
+    binding.filters &&
+    Array.isArray(binding.filters.namespaces) &&
+    binding.filters.namespaces.length > 0 &&
+    obj.metadata &&
+    obj.metadata.namespace &&
+    !binding.filters.namespaces.includes(obj.metadata.namespace)
+  ) {
+    return `Ignoring Watch Callback: Binding namespace and object namespace are not the same. Binding namespaces: ${binding.filters.namespaces.join(
+      ", ",
+    )}, Object namespace: ${obj.metadata.namespace}.`;
+  }
+
+  // no problems
+  return "";
+};
 export const addVerbIfNotExists = (verbs: string[], verb: string) => {
   if (!verbs.includes(verb)) {
     verbs.push(verb);
@@ -99,7 +189,7 @@ export function generateWatchNamespaceError(
   if (bindingAndCapabilityNSConflict(bindingNamespaces, capabilityNamespaces)) {
     err += `Binding uses namespace not governed by capability: bindingNamespaces: [${bindingNamespaces.join(
       ", ",
-    )}] capabilityNamespaces:$[${capabilityNamespaces.join(", ")}].`;
+    )}] capabilityNamespaces: [${capabilityNamespaces.join(", ")}].`;
   }
 
   // add a space if there is a period in the middle of the string
@@ -177,11 +267,11 @@ export const parseTimeout = (value: string, previous: unknown): number => {
   const parsedValue = parseInt(value, 10);
   const floatValue = parseFloat(value);
   if (isNaN(parsedValue)) {
-    throw new commander.InvalidArgumentError("Not a number.");
+    throw new Error("Not a number.");
   } else if (parsedValue !== floatValue) {
-    throw new commander.InvalidArgumentError("Value must be an integer.");
+    throw new Error("Value must be an integer.");
   } else if (parsedValue < 1 || parsedValue > 30) {
-    throw new commander.InvalidArgumentError("Number must be between 1 and 30.");
+    throw new Error("Number must be between 1 and 30.");
   }
   return parsedValue;
 };

package/src/lib/k8s.ts

@@ -166,15 +166,4 @@ export type WebhookIgnore = {
    * Note: `kube-system` and `pepr-system` are always ignored.
    */
   namespaces?: string[];
-  /**
-   * List of Kubernetes labels to always ignore.
-   * Any resources with these labels will be ignored by Pepr.
-   *
-   * The example below will ignore any resources with the label `my-label=ulta-secret`:
-   * ```
-   * alwaysIgnore:
-   *   labels: [{ "my-label": "ultra-secret" }]
-   * ```
-   */
-  labels?: Record<string, string>[];
 };

package/src/lib/module.ts

@@ -15,8 +15,6 @@ export interface CustomLabels {
 }
 /** Global configuration for the Pepr runtime. */
 export type ModuleConfig = {
-  /** The user-defined name for the module */
-  name: string;
   /** The Pepr version this module uses */
   peprVersion?: string;
   /** The user-defined version of the module */
@@ -109,10 +107,12 @@ export class PeprModule {
     this.#controller = new Controller(config, capabilities, opts.beforeHook, opts.afterHook, () => {
       // Wait for the controller to be ready before setting up watches
       if (isWatchMode() || isDevMode()) {
-        setupWatch(config.uuid, capabilities).catch(e => {
+        try {
+          setupWatch(capabilities);
+        } catch (e) {
           Log.error(e, "Error setting up watch");
           process.exit(1);
-        });
+        }
       }
     });
 

package/src/lib/watch-processor.ts

@@ -6,65 +6,23 @@ import { K8s, WatchCfg, WatchEvent } from "kubernetes-fluent-client";
 import { WatchPhase } from "kubernetes-fluent-client/dist/fluent/types";
 import { Queue } from "./queue";
 import { Capability } from "./capability";
-import { PeprStore } from "./k8s";
 import Log from "./logger";
 import { Binding, Event } from "./types";
 import { Watcher } from "kubernetes-fluent-client/dist/fluent/watch";
 import { GenericClass } from "kubernetes-fluent-client";
-
-// Track if the store has been updated
-let storeUpdates = false;
+import { filterMatcher } from "./helpers";
 
 const store: Record<string, string> = {};
 
-export async function setupStore(uuid: string) {
-  const name = `pepr-${uuid}-watch`;
-  const namespace = "pepr-system";
-
-  try {
-    // Try to read the watch store if it exists
-    const k8sStore = await K8s(PeprStore).InNamespace(namespace).Get(name);
-
-    // Iterate over the store and add the values to the local store
-    Object.entries(k8sStore.data).forEach(([key, value]) => {
-      store[key] = value;
-    });
-  } catch (e) {
-    // A store not existing is expected behavior on the first run
-    Log.debug(e, "Watch store does not exist yet");
-  }
-
-  // Update the store every 10 seconds if there are changes
-  setInterval(() => {
-    if (storeUpdates) {
-      K8s(PeprStore)
-        .Apply({
-          metadata: {
-            name,
-            namespace,
-          },
-          data: store,
-        })
-        // Reset the store updates flag
-        .then(() => (storeUpdates = false))
-        // Log the error if the store update fails, but don't reset the store updates flag
-        .catch(e => {
-          Log.error(e, "Error updating watch store");
-        });
-    }
-  }, 10 * 1000);
+export function setupWatch(capabilities: Capability[]) {
+  capabilities.map(capability =>
+    capability.bindings
+      .filter(binding => binding.isWatch)
+      .forEach(bindingElement => runBinding(bindingElement, capability.namespaces)),
+  );
 }
 
-export async function setupWatch(uuid: string, capabilities: Capability[]) {
-  await setupStore(uuid);
-
-  capabilities
-    .flatMap(c => c.bindings)
-    .filter(binding => binding.isWatch)
-    .forEach(runBinding);
-}
-
-async function runBinding(binding: Binding) {
+async function runBinding(binding: Binding, capabilityNamespaces: string[]) {
   // Map the event to the watch phase
   const eventToPhaseMap = {
     [Event.Create]: [WatchPhase.Added],
@@ -92,9 +50,14 @@ async function runBinding(binding: Binding) {
       // If the type matches the phase, call the watch callback
       if (phaseMatch.includes(type)) {
         try {
-          queue.setReconcile(async () => await binding.watchCallback?.(obj, type));
-          // Enqueue the object for reconciliation through callback
-          await queue.enqueue(obj);
+          const filterMatch = filterMatcher(binding, obj, capabilityNamespaces);
+          if (filterMatch === "") {
+            queue.setReconcile(async () => await binding.watchCallback?.(obj, type));
+            // Enqueue the object for reconciliation through callback
+            await queue.enqueue(obj);
+          } else {
+            Log.debug(filterMatch);
+          }
         } catch (e) {
           // Errors in the watch callback should not crash the controller
           Log.error(e, "Error executing watch callback");
@@ -109,8 +72,12 @@ async function runBinding(binding: Binding) {
       // If the type matches the phase, call the watch callback
       if (phaseMatch.includes(type)) {
         try {
-          // Perform the watch callback
-          await binding.watchCallback?.(obj, type);
+          const filterMatch = filterMatcher(binding, obj, capabilityNamespaces);
+          if (filterMatch === "") {
+            await binding.watchCallback?.(obj, type);
+          } else {
+            Log.debug(filterMatch);
+          }
         } catch (e) {
           // Errors in the watch callback should not crash the controller
           Log.error(e, "Error executing watch callback");
@@ -123,16 +90,6 @@ async function runBinding(binding: Binding) {
   const cacheSuffix = createHash("sha224").update(binding.watchCallback!.toString()).digest("hex").substring(0, 5);
   const cacheID = [watcher.getCacheID(), cacheSuffix].join("-");
 
-  // Track the resource version in the local store
-  watcher.events.on(WatchEvent.RESOURCE_VERSION, version => {
-    Log.debug(`Received watch cache: ${cacheID}:${version}`);
-    if (store[cacheID] !== version) {
-      Log.debug(`Updating watch cache: ${cacheID}: ${store[cacheID]} => ${version}`);
-      store[cacheID] = version;
-      storeUpdates = true;
-    }
-  });
-
   // If failure continues, log and exit
   watcher.events.on(WatchEvent.GIVE_UP, err => {
     Log.error(err, "Watch failed after 5 attempts, giving up");

package/src/templates/package.json

@@ -13,8 +13,7 @@
       }
     },
     "alwaysIgnore": {
-      "namespaces": [],
-      "labels": []
+      "namespaces": []
     },
     "includedFiles": []
   }