pepr 0.28.4 → 0.28.6

package/package.json

@@ -9,7 +9,7 @@
   "engines": {
     "node": ">=18.0.0"
   },
-  "version": "0.28.4",
+  "version": "0.28.6",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {
@@ -32,19 +32,19 @@
   },
   "dependencies": {
     "@types/ramda": "0.29.11",
-    "express": "4.18.3",
+    "express": "4.19.1",
     "fast-json-patch": "3.1.1",
-    "kubernetes-fluent-client": "2.2.3",
+    "kubernetes-fluent-client": "2.3.0",
     "pino": "8.19.0",
-    "pino-pretty": "10.3.1",
+    "pino-pretty": "11.0.0",
     "prom-client": "15.1.0",
     "ramda": "0.29.1"
   },
   "devDependencies": {
-    "@commitlint/cli": "19.2.0",
+    "@commitlint/cli": "19.2.1",
     "@commitlint/config-conventional": "19.1.0",
     "@jest/globals": "29.7.0",
-    "@types/eslint": "8.56.5",
+    "@types/eslint": "8.56.6",
     "@types/express": "4.17.21",
     "@types/node": "18.x.x",
     "@types/node-forge": "1.3.11",

package/src/lib/assets/pods.ts

@@ -344,7 +344,7 @@ function genEnv(config: ModuleConfig, watchMode = false): V1EnvVar[] {
   const def = {
     PEPR_WATCH_MODE: watchMode ? "true" : "false",
     PEPR_PRETTY_LOG: "false",
-    LOG_LEVEL: config.logLevel || "debug",
+    LOG_LEVEL: config.logLevel || "info",
   };
   const cfg = config.env || {};
   const env = Object.entries({ ...def, ...cfg }).map(([name, value]) => ({ name, value }));

package/src/lib/assets/yaml.ts

@@ -32,7 +32,7 @@ export async function overridesFile({ hash, name, image, config, apiToken }: Ass
       env: [
         { name: "PEPR_WATCH_MODE", value: "false" },
         { name: "PEPR_PRETTY_LOG", value: "false" },
-        { name: "LOG_LEVEL", value: "debug" },
+        { name: "LOG_LEVEL", value: "info" },
       ],
       image,
       annotations: {
@@ -77,7 +77,7 @@ export async function overridesFile({ hash, name, image, config, apiToken }: Ass
       env: [
         { name: "PEPR_WATCH_MODE", value: "true" },
         { name: "PEPR_PRETTY_LOG", value: "false" },
-        { name: "LOG_LEVEL", value: "debug" },
+        { name: "LOG_LEVEL", value: "info" },
       ],
       image,
       annotations: {

package/src/lib/controller/index.ts

@@ -235,7 +235,7 @@ export class Controller {
         responseList.map(res => {
           this.#afterHook && this.#afterHook(res);
           // Log the response
-          Log.debug({ ...reqMetadata, res }, "Check response");
+          Log.info({ ...reqMetadata, res }, "Check response");
         });
 
         let kubeAdmissionResponse: ValidateResponse[] | MutateResponse | ResponseItem;

package/src/lib/helpers.ts

@@ -1,11 +1,10 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
+import { promises as fs } from "fs";
 import { K8s, KubernetesObject, kind } from "kubernetes-fluent-client";
 import Log from "./logger";
-import { CapabilityExport } from "./types";
-import { promises as fs } from "fs";
-import { Binding } from "./types";
+import { Binding, CapabilityExport } from "./types";
 
 type RBACMap = {
   [key: string]: {
@@ -47,11 +46,11 @@ export function checkOverlap(bindingFilters: Record<string, string>, objectFilte
 /**
  * Decide to run callback after the event comes back from API Server
  **/
-export const filterMatcher = (
+export function filterNoMatchReason(
   binding: Partial<Binding>,
   obj: Partial<KubernetesObject>,
   capabilityNamespaces: string[],
-): string => {
+): string {
   // binding kind is namespace with a InNamespace filter
   if (binding.kind && binding.kind.kind === "Namespace" && binding.filters && binding.filters.namespaces.length !== 0) {
     return `Ignoring Watch Callback: Cannot use a namespace filter in a namespace object.`;
@@ -116,14 +115,15 @@ export const filterMatcher = (
 
   // no problems
   return "";
-};
-export const addVerbIfNotExists = (verbs: string[], verb: string) => {
+}
+
+export function addVerbIfNotExists(verbs: string[], verb: string) {
   if (!verbs.includes(verb)) {
     verbs.push(verb);
   }
-};
+}
 
-export const createRBACMap = (capabilities: CapabilityExport[]): RBACMap => {
+export function createRBACMap(capabilities: CapabilityExport[]): RBACMap {
   return capabilities.reduce((acc: RBACMap, capability: CapabilityExport) => {
     capability.bindings.forEach(binding => {
       const key = `${binding.kind.group}/${binding.kind.version}/${binding.kind.kind}`;
@@ -148,7 +148,7 @@ export const createRBACMap = (capabilities: CapabilityExport[]): RBACMap => {
 
     return acc;
   }, {});
-};
+}
 
 export async function createDirectoryIfNotExists(path: string) {
   try {

package/src/lib/queue.ts

@@ -1,10 +1,12 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 import { KubernetesObject } from "@kubernetes/client-node";
+import { WatchPhase } from "kubernetes-fluent-client/dist/fluent/types";
 import Log from "./logger";
 
 type QueueItem<K extends KubernetesObject> = {
   item: K;
+  type: WatchPhase;
   resolve: (value: void | PromiseLike<void>) => void;
   reject: (reason?: string) => void;
 };
@@ -15,15 +17,16 @@ type QueueItem<K extends KubernetesObject> = {
 export class Queue<K extends KubernetesObject> {
   #queue: QueueItem<K>[] = [];
   #pendingPromise = false;
-  #reconcile?: (...args: unknown[]) => Promise<void>;
+  #reconcile?: (obj: KubernetesObject, type: WatchPhase) => Promise<void>;
 
   constructor() {
     this.#reconcile = async () => await new Promise(resolve => resolve());
   }
 
-  setReconcile(reconcile: (...args: unknown[]) => Promise<void>) {
+  setReconcile(reconcile: (obj: KubernetesObject, type: WatchPhase) => Promise<void>) {
     this.#reconcile = reconcile;
   }
+
   /**
    * Enqueue adds an item to the queue and returns a promise that resolves when the item is
    * reconciled.
@@ -31,10 +34,10 @@ export class Queue<K extends KubernetesObject> {
    * @param item The object to reconcile
    * @returns A promise that resolves when the object is reconciled
    */
-  enqueue(item: K) {
+  enqueue(item: K, type: WatchPhase) {
     Log.debug(`Enqueueing ${item.metadata!.namespace}/${item.metadata!.name}`);
     return new Promise<void>((resolve, reject) => {
-      this.#queue.push({ item, resolve, reject });
+      this.#queue.push({ item, type, resolve, reject });
       return this.#dequeue();
     });
   }
@@ -46,28 +49,37 @@ export class Queue<K extends KubernetesObject> {
    */
   async #dequeue() {
     // If there is a pending promise, do nothing
-    if (this.#pendingPromise) return false;
+    if (this.#pendingPromise) {
+      Log.debug("Pending promise, not dequeuing");
+      return false;
+    }
 
     // Take the next element from the queue
     const element = this.#queue.shift();
 
     // If there is no element, do nothing
-    if (!element) return false;
+    if (!element) {
+      Log.debug("No element, not dequeuing");
+      return false;
+    }
 
     try {
       // Set the pending promise flag to avoid concurrent reconciliations
       this.#pendingPromise = true;
 
-      // Reconcile the webapp
+      // Reconcile the element
       if (this.#reconcile) {
-        await this.#reconcile(element.item);
+        Log.debug(`Reconciling ${element.item.metadata!.name}`);
+        await this.#reconcile(element.item, element.type);
       }
 
       element.resolve();
     } catch (e) {
+      Log.debug(`Error reconciling ${element.item.metadata!.name}`, { error: e });
       element.reject(e);
     } finally {
       // Reset the pending promise flag
+      Log.debug("Resetting pending promise and dequeuing");
       this.#pendingPromise = false;
 
       // After the element is reconciled, dequeue the next element

package/src/lib/watch-processor.ts

@@ -1,19 +1,33 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
-
-import { createHash } from "crypto";
-import { K8s, WatchCfg, WatchEvent } from "kubernetes-fluent-client";
+import { K8s, KubernetesObject, WatchCfg, WatchEvent } from "kubernetes-fluent-client";
 import { WatchPhase } from "kubernetes-fluent-client/dist/fluent/types";
-import { Queue } from "./queue";
 import { Capability } from "./capability";
+import { filterNoMatchReason } from "./helpers";
 import Log from "./logger";
+import { Queue } from "./queue";
 import { Binding, Event } from "./types";
-import { Watcher } from "kubernetes-fluent-client/dist/fluent/watch";
-import { GenericClass } from "kubernetes-fluent-client";
-import { filterMatcher } from "./helpers";
 
-const store: Record<string, string> = {};
+// Watch configuration
+const watchCfg: WatchCfg = {
+  retryMax: 5,
+  retryDelaySec: 5,
+};
 
+// Map the event to the watch phase
+const eventToPhaseMap = {
+  [Event.Create]: [WatchPhase.Added],
+  [Event.Update]: [WatchPhase.Modified],
+  [Event.CreateOrUpdate]: [WatchPhase.Added, WatchPhase.Modified],
+  [Event.Delete]: [WatchPhase.Deleted],
+  [Event.Any]: [WatchPhase.Added, WatchPhase.Modified, WatchPhase.Deleted],
+};
+
+/**
+ * Entrypoint for setting up watches for all capabilities
+ *
+ * @param capabilities The capabilities to load watches for
+ */
 export function setupWatch(capabilities: Capability[]) {
   capabilities.map(capability =>
     capability.bindings
@@ -22,73 +36,50 @@ export function setupWatch(capabilities: Capability[]) {
   );
 }
 
+/**
+ * Setup a watch for a binding
+ *
+ * @param binding the binding to watch
+ * @param capabilityNamespaces list of namespaces to filter on
+ */
 async function runBinding(binding: Binding, capabilityNamespaces: string[]) {
-  // Map the event to the watch phase
-  const eventToPhaseMap = {
-    [Event.Create]: [WatchPhase.Added],
-    [Event.Update]: [WatchPhase.Modified],
-    [Event.CreateOrUpdate]: [WatchPhase.Added, WatchPhase.Modified],
-    [Event.Delete]: [WatchPhase.Deleted],
-    [Event.Any]: [WatchPhase.Added, WatchPhase.Modified, WatchPhase.Deleted],
-  };
-
-  // Get the phases to match, default to any
+  // Get the phases to match, fallback to any
   const phaseMatch: WatchPhase[] = eventToPhaseMap[binding.event] || eventToPhaseMap[Event.Any];
 
-  const watchCfg: WatchCfg = {
-    retryMax: 5,
-    retryDelaySec: 5,
-  };
-
-  let watcher: Watcher<GenericClass>;
-  if (binding.isQueue) {
-    const queue = new Queue();
-    // Watch the resource
-    watcher = K8s(binding.model, binding.filters).Watch(async (obj, type) => {
-      Log.debug(obj, `Watch event ${type} received`);
-
-      // If the type matches the phase, call the watch callback
-      if (phaseMatch.includes(type)) {
-        try {
-          const filterMatch = filterMatcher(binding, obj, capabilityNamespaces);
-          if (filterMatch === "") {
-            queue.setReconcile(async () => await binding.watchCallback?.(obj, type));
-            // Enqueue the object for reconciliation through callback
-            await queue.enqueue(obj);
-          } else {
-            Log.debug(filterMatch);
-          }
-        } catch (e) {
-          // Errors in the watch callback should not crash the controller
-          Log.error(e, "Error executing watch callback");
+  // The watch callback is run when an object is received or dequeued
+  const watchCallback = async (obj: KubernetesObject, type: WatchPhase) => {
+    // First, filter the object based on the phase
+    if (phaseMatch.includes(type)) {
+      try {
+        // Then, check if the object matches the filter
+        const filterMatch = filterNoMatchReason(binding, obj, capabilityNamespaces);
+        if (filterMatch === "") {
+          await binding.watchCallback?.(obj, type);
+        } else {
+          Log.debug(filterMatch);
         }
+      } catch (e) {
+        // Errors in the watch callback should not crash the controller
+        Log.error(e, "Error executing watch callback");
       }
-    }, watchCfg);
-  } else {
-    // Watch the resource
-    watcher = K8s(binding.model, binding.filters).Watch(async (obj, type) => {
-      Log.debug(obj, `Watch event ${type} received`);
+    }
+  };
 
-      // If the type matches the phase, call the watch callback
-      if (phaseMatch.includes(type)) {
-        try {
-          const filterMatch = filterMatcher(binding, obj, capabilityNamespaces);
-          if (filterMatch === "") {
-            await binding.watchCallback?.(obj, type);
-          } else {
-            Log.debug(filterMatch);
-          }
-        } catch (e) {
-          // Errors in the watch callback should not crash the controller
-          Log.error(e, "Error executing watch callback");
-        }
-      }
-    }, watchCfg);
-  }
+  const queue = new Queue();
+  queue.setReconcile(watchCallback);
 
-  // Create a unique cache ID for this watch binding in case multiple bindings are watching the same resource
-  const cacheSuffix = createHash("sha224").update(binding.watchCallback!.toString()).digest("hex").substring(0, 5);
-  const cacheID = [watcher.getCacheID(), cacheSuffix].join("-");
+  // Setup the resource watch
+  const watcher = K8s(binding.model, binding.filters).Watch(async (obj, type) => {
+    Log.debug(obj, `Watch event ${type} received`);
+
+    // If the binding is a queue, enqueue the object
+    if (binding.isQueue) {
+      await queue.enqueue(obj, type);
+    } else {
+      // Otherwise, run the watch callback directly
+      await watchCallback(obj, type);
+    }
+  }, watchCfg);
 
   // If failure continues, log and exit
   watcher.events.on(WatchEvent.GIVE_UP, err => {
@@ -98,12 +89,6 @@ async function runBinding(binding: Binding, capabilityNamespaces: string[]) {
 
   // Start the watch
   try {
-    const resourceVersion = store[cacheID];
-    if (resourceVersion) {
-      Log.debug(`Starting watch ${binding.model.name} from version ${resourceVersion}`);
-      watcher.resourceVersion = resourceVersion;
-    }
-
     await watcher.start();
   } catch (err) {
     Log.error(err, "Error starting watch");