pepr 0.28.0 → 0.28.2

package/package.json

@@ -9,7 +9,7 @@
   "engines": {
     "node": ">=18.0.0"
   },
-  "version": "0.28.0",
+  "version": "0.28.2",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {
@@ -34,15 +34,15 @@
     "@types/ramda": "0.29.11",
     "express": "4.18.3",
     "fast-json-patch": "3.1.1",
-    "kubernetes-fluent-client": "2.2.2",
+    "kubernetes-fluent-client": "2.2.3",
     "pino": "8.19.0",
     "pino-pretty": "10.3.1",
     "prom-client": "15.1.0",
     "ramda": "0.29.1"
   },
   "devDependencies": {
-    "@commitlint/cli": "19.0.3",
-    "@commitlint/config-conventional": "19.0.3",
+    "@commitlint/cli": "19.1.0",
+    "@commitlint/config-conventional": "19.1.0",
     "@jest/globals": "29.7.0",
     "@types/eslint": "8.56.5",
     "@types/express": "4.17.21",

package/src/lib/assets/helm.ts

@@ -74,6 +74,7 @@ export function watcherDeployTemplate(buildTimestamp: string) {
               app: {{ .Values.uuid }}-watcher
               pepr.dev/controller: watcher
           spec:
+            terminationGracePeriodSeconds: {{ .Values.watcher.terminationGracePeriodSeconds }}
             serviceAccountName: {{ .Values.uuid }}
             securityContext:
               {{- toYaml .Values.admission.securityContext | nindent 8 }}
@@ -145,6 +146,7 @@ export function admissionDeployTemplate(buildTimestamp: string) {
               app: {{ .Values.uuid }}
               pepr.dev/controller: admission
           spec:
+            terminationGracePeriodSeconds: {{ .Values.admission.terminationGracePeriodSeconds }}
             priorityClassName: system-node-critical
             serviceAccountName: {{ .Values.uuid }}
             securityContext:

package/src/lib/assets/pods.ts

@@ -91,6 +91,7 @@ export function watcher(assets: Assets, hash: string, buildTimestamp: string) {
           },
         },
         spec: {
+          terminationGracePeriodSeconds: 5,
           serviceAccountName: name,
           securityContext: {
             runAsUser: 65532,
@@ -215,6 +216,7 @@ export function deployment(assets: Assets, hash: string, buildTimestamp: string)
           },
         },
         spec: {
+          terminationGracePeriodSeconds: 5,
           priorityClassName: "system-node-critical",
           serviceAccountName: name,
           securityContext: {

package/src/lib/assets/yaml.ts

@@ -26,14 +26,13 @@ export async function overridesFile({ hash, name, image, config, apiToken }: Ass
     },
     uuid: name,
     admission: {
+      terminationGracePeriodSeconds: 5,
       failurePolicy: config.onError === "reject" ? "Fail" : "Ignore",
       webhookTimeout: config.webhookTimeout,
       env: [
         { name: "PEPR_WATCH_MODE", value: "false" },
         { name: "PEPR_PRETTY_LOG", value: "false" },
         { name: "LOG_LEVEL", value: "debug" },
-        process.env.PEPR_MODE === "dev" && { name: "MY_CUSTOM_VAR", value: "example-value" },
-        process.env.PEPR_MODE === "dev" && { name: "ZARF_VAR", value: "###ZARF_VAR_THING###" },
       ],
       image,
       annotations: {
@@ -74,12 +73,11 @@ export async function overridesFile({ hash, name, image, config, apiToken }: Ass
       affinity: {},
     },
     watcher: {
+      terminationGracePeriodSeconds: 5,
       env: [
         { name: "PEPR_WATCH_MODE", value: "true" },
         { name: "PEPR_PRETTY_LOG", value: "false" },
         { name: "LOG_LEVEL", value: "debug" },
-        process.env.PEPR_MODE === "dev" && { name: "MY_CUSTOM_VAR", value: "example-value" },
-        process.env.PEPR_MODE === "dev" && { name: "ZARF_VAR", value: "###ZARF_VAR_THING###" },
       ],
       image,
       annotations: {
@@ -120,6 +118,12 @@ export async function overridesFile({ hash, name, image, config, apiToken }: Ass
       affinity: {},
     },
   };
+  if (process.env.PEPR_MODE === "dev") {
+    overrides.admission.env.push({ name: "ZARF_VAR", value: "###ZARF_VAR_THING###" });
+    overrides.watcher.env.push({ name: "ZARF_VAR", value: "###ZARF_VAR_THING###" });
+    overrides.admission.env.push({ name: "MY_CUSTOM_VAR", value: "example-value" });
+    overrides.watcher.env.push({ name: "MY_CUSTOM_VAR", value: "example-value" });
+  }
 
   await fs.writeFile(path, dumpYaml(overrides, { noRefs: true, forceQuotes: true }));
 }

package/src/lib/controller/index.ts

@@ -32,13 +32,13 @@ export class Controller {
   readonly #config: ModuleConfig;
   readonly #capabilities: Capability[];
   readonly #beforeHook?: (req: AdmissionRequest) => void;
-  readonly #afterHook?: (res: MutateResponse) => void;
+  readonly #afterHook?: (res: MutateResponse | ValidateResponse) => void;
 
   constructor(
     config: ModuleConfig,
     capabilities: Capability[],
     beforeHook?: (req: AdmissionRequest) => void,
-    afterHook?: (res: MutateResponse) => void,
+    afterHook?: (res: MutateResponse | ValidateResponse) => void,
     onReady?: () => void,
   ) {
     this.#config = config;

package/src/lib/controller/store.ts

@@ -112,7 +112,7 @@ export class PeprControllerStore {
 
     // Debounce the update to 1 second to avoid multiple rapid calls
     clearTimeout(this.#sendDebounce);
-    this.#sendDebounce = setTimeout(debounced, debounceBackoff);
+    this.#sendDebounce = setTimeout(debounced, this.#onReady ? 0 : debounceBackoff);
   };
 
   #send = (capabilityName: string) => {

package/src/lib/filter.ts

@@ -51,7 +51,22 @@ export function shouldSkipRequest(binding: Binding, req: AdmissionRequest, capab
     (combinedNamespaces.length && !combinedNamespaces.includes(req.namespace || "")) ||
     (!namespaces.includes(req.namespace || "") && capabilityNamespaces.length !== 0 && namespaces.length !== 0)
   ) {
-    logger.debug("Namespace does not match");
+    let type = "";
+    let label = "";
+
+    if (binding.isMutate) {
+      type = "Mutate";
+      label = binding.mutateCallback!.name;
+    } else if (binding.isValidate) {
+      type = "Validate";
+      label = binding.validateCallback!.name;
+    } else if (binding.isWatch) {
+      type = "Watch";
+      label = binding.watchCallback!.name;
+    }
+
+    logger.debug(`${type} binding (${label}) does not match request namespace "${req.namespace}"`);
+
     return true;
   }
 

package/src/lib/helpers.ts

@@ -15,20 +15,33 @@ type RBACMap = {
 };
 
 // check for overlap with labels and annotations between bindings and kubernetes objects
-export function checkOverlap(record1: Record<string, string>, record2: Record<string, string>) {
-  if (Object.keys(record1).length === 0) {
+export function checkOverlap(bindingFilters: Record<string, string>, objectFilters: Record<string, string>): boolean {
+  // True if labels/annotations are empty
+  if (Object.keys(bindingFilters).length === 0) {
     return true;
   }
-  for (const key in record1) {
-    if (
-      Object.prototype.hasOwnProperty.call(record1, key) &&
-      Object.prototype.hasOwnProperty.call(record2, key) &&
-      record1[key] === record2[key]
-    ) {
-      return true;
+
+  let matchCount = 0;
+
+  for (const key in bindingFilters) {
+    // object must have label/annotation
+    if (Object.prototype.hasOwnProperty.call(objectFilters, key)) {
+      const val1 = bindingFilters[key];
+      const val2 = objectFilters[key];
+
+      // If bindingFilter has empty value for this key, only need to ensure objectFilter has this key
+      if (val1 === "" && key in objectFilters) {
+        matchCount++;
+      }
+      // If bindingFilter has a value, it must match the value in objectFilter
+      else if (val1 !== "" && val1 === val2) {
+        matchCount++;
+      }
     }
   }
-  return false;
+
+  // For single-key objects in bindingFilter or matching all keys in multiple-keys scenario
+  return matchCount === Object.keys(bindingFilters).length;
 }
 
 /**
@@ -189,7 +202,7 @@ export function generateWatchNamespaceError(
   if (bindingAndCapabilityNSConflict(bindingNamespaces, capabilityNamespaces)) {
     err += `Binding uses namespace not governed by capability: bindingNamespaces: [${bindingNamespaces.join(
       ", ",
-    )}] capabilityNamespaces:$[${capabilityNamespaces.join(", ")}].`;
+    )}] capabilityNamespaces: [${capabilityNamespaces.join(", ")}].`;
   }
 
   // add a space if there is a period in the middle of the string

package/src/lib/module.ts

@@ -107,10 +107,12 @@ export class PeprModule {
     this.#controller = new Controller(config, capabilities, opts.beforeHook, opts.afterHook, () => {
       // Wait for the controller to be ready before setting up watches
       if (isWatchMode() || isDevMode()) {
-        setupWatch(config.uuid, capabilities).catch(e => {
+        try {
+          setupWatch(capabilities);
+        } catch (e) {
           Log.error(e, "Error setting up watch");
           process.exit(1);
-        });
+        }
       }
     });
 

package/src/lib/mutate-processor.ts

@@ -55,7 +55,7 @@ export async function mutateProcessor(
       }
 
       const label = action.mutateCallback.name;
-      Log.info(actionMetadata, `Processing matched action ${label}`);
+      Log.info(actionMetadata, `Processing mutation action (${label})`);
 
       matchedAction = true;
 
@@ -79,7 +79,7 @@ export async function mutateProcessor(
         // Run the action
         await action.mutateCallback(wrapped);
 
-        Log.info(actionMetadata, `Action succeeded`);
+        Log.info(actionMetadata, `Mutation action succeeded (${label})`);
 
         // Add annotations to the request to indicate that the capability succeeded
         updateStatus("succeeded");

package/src/lib/validate-processor.ts

@@ -46,7 +46,7 @@ export async function validateProcessor(
       }
 
       const label = action.validateCallback.name;
-      Log.info(actionMetadata, `Processing matched action ${label}`);
+      Log.info(actionMetadata, `Processing validation action (${label})`);
 
       try {
         // Run the validation callback, if it fails set allowed to false
@@ -61,7 +61,7 @@ export async function validateProcessor(
           };
         }
 
-        Log.info(actionMetadata, `Validation Action completed: ${resp.allowed ? "allowed" : "denied"}`);
+        Log.info(actionMetadata, `Validation action complete (${label}): ${resp.allowed ? "allowed" : "denied"}`);
       } catch (e) {
         // If any validation throws an error, note the failure in the Response
         Log.error(actionMetadata, `Action failed: ${JSON.stringify(e)}`);

package/src/lib/watch-processor.ts

@@ -6,59 +6,15 @@ import { K8s, WatchCfg, WatchEvent } from "kubernetes-fluent-client";
 import { WatchPhase } from "kubernetes-fluent-client/dist/fluent/types";
 import { Queue } from "./queue";
 import { Capability } from "./capability";
-import { PeprStore } from "./k8s";
 import Log from "./logger";
 import { Binding, Event } from "./types";
 import { Watcher } from "kubernetes-fluent-client/dist/fluent/watch";
 import { GenericClass } from "kubernetes-fluent-client";
 import { filterMatcher } from "./helpers";
 
-// Track if the store has been updated
-let storeUpdates = false;
-
 const store: Record<string, string> = {};
 
-export async function setupStore(uuid: string) {
-  const name = `pepr-${uuid}-watch`;
-  const namespace = "pepr-system";
-
-  try {
-    // Try to read the watch store if it exists
-    const k8sStore = await K8s(PeprStore).InNamespace(namespace).Get(name);
-
-    // Iterate over the store and add the values to the local store
-    Object.entries(k8sStore.data).forEach(([key, value]) => {
-      store[key] = value;
-    });
-  } catch (e) {
-    // A store not existing is expected behavior on the first run
-    Log.debug(e, "Watch store does not exist yet");
-  }
-
-  // Update the store every 10 seconds if there are changes
-  setInterval(() => {
-    if (storeUpdates) {
-      K8s(PeprStore)
-        .Apply({
-          metadata: {
-            name,
-            namespace,
-          },
-          data: store,
-        })
-        // Reset the store updates flag
-        .then(() => (storeUpdates = false))
-        // Log the error if the store update fails, but don't reset the store updates flag
-        .catch(e => {
-          Log.error(e, "Error updating watch store");
-        });
-    }
-  }, 10 * 1000);
-}
-
-export async function setupWatch(uuid: string, capabilities: Capability[]) {
-  await setupStore(uuid);
-
+export function setupWatch(capabilities: Capability[]) {
   capabilities.map(capability =>
     capability.bindings
       .filter(binding => binding.isWatch)
@@ -134,16 +90,6 @@ async function runBinding(binding: Binding, capabilityNamespaces: string[]) {
   const cacheSuffix = createHash("sha224").update(binding.watchCallback!.toString()).digest("hex").substring(0, 5);
   const cacheID = [watcher.getCacheID(), cacheSuffix].join("-");
 
-  // Track the resource version in the local store
-  watcher.events.on(WatchEvent.RESOURCE_VERSION, version => {
-    Log.debug(`Received watch cache: ${cacheID}:${version}`);
-    if (store[cacheID] !== version) {
-      Log.debug(`Updating watch cache: ${cacheID}: ${store[cacheID]} => ${version}`);
-      store[cacheID] = version;
-      storeUpdates = true;
-    }
-  });
-
   // If failure continues, log and exit
   watcher.events.on(WatchEvent.GIVE_UP, err => {
     Log.error(err, "Watch failed after 5 attempts, giving up");