pepr 0.28.7 → 0.29.0

package/dist/sdk/sdk.d.ts

@@ -0,0 +1,38 @@
+import { PeprValidateRequest } from "../lib/validate-request";
+import { PeprMutateRequest } from "../lib/mutate-request";
+import { a } from "../lib";
+import { V1OwnerReference } from "@kubernetes/client-node";
+import { GenericKind } from "kubernetes-fluent-client";
+import { kind } from "kubernetes-fluent-client";
+/**
+ * Returns all containers in a pod
+ * @param request the request/pod to get the containers from
+ * @param containerType the type of container to get
+ * @returns the list of containers in the pod
+ */
+export declare function containers(request: PeprValidateRequest<a.Pod> | PeprMutateRequest<a.Pod>, containerType?: "containers" | "initContainers" | "ephemeralContainers"): import("@kubernetes/client-node").V1Container[];
+/**
+ * Write a K8s event for a CRD
+ *
+ * @param cr The custom resource to write the event for
+ * @param event The event to write, should contain a human-readable message for the event
+ * @param eventType The type of event to write, for example "Warning"
+ * @param eventReason The reason for the event, for example "ReconciliationFailed"
+ * @param reportingComponent The component that is reporting the event, for example "uds.dev/operator"
+ * @param reportingInstance The instance of the component that is reporting the event, for example process.env.HOSTNAME
+ */
+export declare function writeEvent(cr: GenericKind, event: Partial<kind.CoreEvent>, eventType: string, eventReason: string, reportingComponent: string, reportingInstance: string): Promise<void>;
+/**
+ * Get the owner reference for a custom resource
+ * @param cr the custom resource to get the owner reference for
+ * @returns the owner reference for the custom resource
+ */
+export declare function getOwnerRefFrom(cr: GenericKind): V1OwnerReference[];
+/**
+ * Sanitize a resource name to make it a valid Kubernetes resource name.
+ *
+ * @param name the name of the resource to sanitize
+ * @returns the sanitized resource name
+ */
+export declare function sanitizeResourceName(name: string): string;
+//# sourceMappingURL=sdk.d.ts.map

package/dist/sdk/sdk.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sdk.d.ts","sourceRoot":"","sources":["../../src/sdk/sdk.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,CAAC,EAAE,MAAM,QAAQ,CAAC;AAC3B,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AACvD,OAAO,EAAO,IAAI,EAAE,MAAM,0BAA0B,CAAC;AAGrD;;;;;GAKG;AACH,wBAAgB,UAAU,CACxB,OAAO,EAAE,mBAAmB,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,iBAAiB,CAAC,CAAC,CAAC,GAAG,CAAC,EAC9D,aAAa,CAAC,EAAE,YAAY,GAAG,gBAAgB,GAAG,qBAAqB,mDAgBxE;AAED;;;;;;;;;GASG;AACH,wBAAsB,UAAU,CAC9B,EAAE,EAAE,WAAW,EACf,KAAK,EAAE,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,EAC9B,SAAS,EAAE,MAAM,EACjB,WAAW,EAAE,MAAM,EACnB,kBAAkB,EAAE,MAAM,EAC1B,iBAAiB,EAAE,MAAM,iBAwB1B;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,EAAE,EAAE,WAAW,GAAG,gBAAgB,EAAE,CAWnE;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,UAYhD"}

package/package.json

@@ -9,13 +9,14 @@
   "engines": {
     "node": ">=18.0.0"
   },
-  "version": "0.28.7",
+  "version": "0.29.0",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {
     "gen-data-json": "node hack/build-template-data.js",
     "prebuild": "rm -fr dist/* && npm run gen-data-json",
     "build": "tsc && node build.mjs",
+    "build:image": "npm run build && docker buildx build --tag pepr:dev .",
     "test": "npm run test:unit && npm run test:journey",
     "test:unit": "npm run gen-data-json && jest src --coverage --detectOpenHandles --coverageDirectory=./coverage",
     "test:journey": "npm run test:journey:k3d && npm run test:journey:build && npm run test:journey:image && npm run test:journey:run",
@@ -31,7 +32,7 @@
     "format:fix": "eslint src --fix && prettier src --write"
   },
   "dependencies": {
-    "@types/ramda": "0.29.11",
+    "@types/ramda": "0.29.12",
     "express": "4.19.2",
     "fast-json-patch": "3.1.1",
     "kubernetes-fluent-client": "2.3.0",
@@ -44,7 +45,7 @@
     "@commitlint/cli": "19.2.1",
     "@commitlint/config-conventional": "19.1.0",
     "@jest/globals": "29.7.0",
-    "@types/eslint": "8.56.6",
+    "@types/eslint": "8.56.7",
     "@types/express": "4.17.21",
     "@types/node": "18.x.x",
     "@types/node-forge": "1.3.11",

package/src/lib/capability.ts

@@ -50,7 +50,7 @@ export class Capability implements CapabilityExport {
     const { name, every, unit, run, startTime, completions } = schedule;
     this.hasSchedule = true;
 
-    if (process.env.PEPR_WATCH_MODE === "true") {
+    if (process.env.PEPR_WATCH_MODE === "true" || process.env.PEPR_MODE === "dev") {
       // Only create/watch schedule store if necessary
 
       // Create a new schedule

package/src/lib/helpers.ts

@@ -6,6 +6,17 @@ import { K8s, KubernetesObject, kind } from "kubernetes-fluent-client";
 import Log from "./logger";
 import { Binding, CapabilityExport } from "./types";
 
+export class ValidationError extends Error {}
+
+export function validateHash(expectedHash: string): void {
+  // Require the hash to be a valid SHA-256 hash (64 characters, hexadecimal)
+  const sha256Regex = /^[a-f0-9]{64}$/i;
+  if (!expectedHash || !sha256Regex.test(expectedHash)) {
+    Log.error(`Invalid hash. Expected a valid SHA-256 hash, got ${expectedHash}`);
+    throw new ValidationError("Invalid hash");
+  }
+}
+
 type RBACMap = {
   [key: string]: {
     verbs: string[];

package/src/lib.ts

@@ -7,7 +7,7 @@ import { PeprModule } from "./lib/module";
 import { PeprMutateRequest } from "./lib/mutate-request";
 import * as PeprUtils from "./lib/utils";
 import { PeprValidateRequest } from "./lib/validate-request";
-import { containers } from "./lib/module-helpers";
+import * as sdk from "./sdk/sdk";
 
 export {
   Capability,
@@ -23,5 +23,5 @@ export {
   fetch,
   fetchStatus,
   kind,
-  containers,
+  sdk,
 };

package/src/runtime/controller.ts

@@ -11,17 +11,9 @@ import { K8s, kind } from "kubernetes-fluent-client";
 import Log from "../lib/logger";
 import { packageJSON } from "../templates/data.json";
 import { peprStoreCRD } from "../lib/assets/store";
-
+import { validateHash } from "../lib/helpers";
 const { version } = packageJSON;
 
-function validateHash(expectedHash: string) {
-  // Require the hash to be 64 characters long
-  if (!expectedHash || expectedHash.length !== 64) {
-    Log.error("Invalid hash");
-    process.exit(1);
-  }
-}
-
 function runModule(expectedHash: string) {
   const gzPath = `/app/load/module-${expectedHash}.js.gz`;
   const jsPath = `/app/module-${expectedHash}.js`;
@@ -31,8 +23,7 @@ function runModule(expectedHash: string) {
 
   // Check if the path is a valid file
   if (!fs.existsSync(gzPath)) {
-    Log.error(`File not found: ${gzPath}`);
-    process.exit(1);
+    throw new Error(`File not found: ${gzPath}`);
   }
 
   try {
@@ -46,9 +37,10 @@ function runModule(expectedHash: string) {
     const actualHash = crypto.createHash("sha256").update(code).digest("hex");
 
     // If the hash doesn't match, exit
-    if (expectedHash !== actualHash) {
-      Log.error(`File hash does not match, expected ${expectedHash} but got ${actualHash}`);
-      process.exit(1);
+    // This is a timing safe comparison to prevent timing attacks
+    // https://en.wikipedia.org/wiki/Timing_attack
+    if (!crypto.timingSafeEqual(Buffer.from(expectedHash, "hex"), Buffer.from(actualHash, "hex"))) {
+      throw new Error(`File hash does not match, expected ${expectedHash} but got ${actualHash}`);
     }
 
     Log.info(`File hash matches, running module`);
@@ -59,8 +51,7 @@ function runModule(expectedHash: string) {
     // Run the module
     fork(jsPath);
   } catch (e) {
-    Log.error(`Failed to decompress module: ${e}`);
-    process.exit(1);
+    throw new Error(`Failed to decompress module: ${e}`);
   }
 }
 
@@ -69,11 +60,16 @@ Log.info(`Pepr Controller (v${version})`);
 const hash = process.argv[2];
 
 const startup = async () => {
-  Log.info("Applying the Pepr Store CRD if it doesn't exist");
-  await K8s(kind.CustomResourceDefinition).Apply(peprStoreCRD, { force: true });
+  try {
+    Log.info("Applying the Pepr Store CRD if it doesn't exist");
+    await K8s(kind.CustomResourceDefinition).Apply(peprStoreCRD, { force: true });
 
-  validateHash(hash);
-  runModule(hash);
+    validateHash(hash);
+    runModule(hash);
+  } catch (err) {
+    Log.error(err);
+    process.exit(1);
+  }
 };
 
 startup().catch(err => Log.error(err));

package/src/sdk/sdk.ts

@@ -0,0 +1,116 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { PeprValidateRequest } from "../lib/validate-request";
+import { PeprMutateRequest } from "../lib/mutate-request";
+import { a } from "../lib";
+import { V1OwnerReference } from "@kubernetes/client-node";
+import { GenericKind } from "kubernetes-fluent-client";
+import { K8s, kind } from "kubernetes-fluent-client";
+import Log from "../lib/logger";
+
+/**
+ * Returns all containers in a pod
+ * @param request the request/pod to get the containers from
+ * @param containerType the type of container to get
+ * @returns the list of containers in the pod
+ */
+export function containers(
+  request: PeprValidateRequest<a.Pod> | PeprMutateRequest<a.Pod>,
+  containerType?: "containers" | "initContainers" | "ephemeralContainers",
+) {
+  const containers = request.Raw.spec?.containers || [];
+  const initContainers = request.Raw.spec?.initContainers || [];
+  const ephemeralContainers = request.Raw.spec?.ephemeralContainers || [];
+
+  if (containerType === "containers") {
+    return containers;
+  }
+  if (containerType === "initContainers") {
+    return initContainers;
+  }
+  if (containerType === "ephemeralContainers") {
+    return ephemeralContainers;
+  }
+  return [...containers, ...initContainers, ...ephemeralContainers];
+}
+
+/**
+ * Write a K8s event for a CRD
+ *
+ * @param cr The custom resource to write the event for
+ * @param event The event to write, should contain a human-readable message for the event
+ * @param eventType The type of event to write, for example "Warning"
+ * @param eventReason The reason for the event, for example "ReconciliationFailed"
+ * @param reportingComponent The component that is reporting the event, for example "uds.dev/operator"
+ * @param reportingInstance The instance of the component that is reporting the event, for example process.env.HOSTNAME
+ */
+export async function writeEvent(
+  cr: GenericKind,
+  event: Partial<kind.CoreEvent>,
+  eventType: string,
+  eventReason: string,
+  reportingComponent: string,
+  reportingInstance: string,
+) {
+  Log.debug(cr.metadata, `Writing event: ${event.message}`);
+
+  await K8s(kind.CoreEvent).Create({
+    type: eventType,
+    reason: eventReason,
+    ...event,
+    // Fixed values
+    metadata: {
+      namespace: cr.metadata!.namespace,
+      generateName: cr.metadata!.name,
+    },
+    involvedObject: {
+      apiVersion: cr.apiVersion,
+      kind: cr.kind,
+      name: cr.metadata!.name,
+      namespace: cr.metadata!.namespace,
+      uid: cr.metadata!.uid,
+    },
+    firstTimestamp: new Date(),
+    reportingComponent: reportingComponent,
+    reportingInstance: reportingInstance,
+  });
+}
+
+/**
+ * Get the owner reference for a custom resource
+ * @param cr the custom resource to get the owner reference for
+ * @returns the owner reference for the custom resource
+ */
+export function getOwnerRefFrom(cr: GenericKind): V1OwnerReference[] {
+  const { name, uid } = cr.metadata!;
+
+  return [
+    {
+      apiVersion: cr.apiVersion!,
+      kind: cr.kind!,
+      uid: uid!,
+      name: name!,
+    },
+  ];
+}
+
+/**
+ * Sanitize a resource name to make it a valid Kubernetes resource name.
+ *
+ * @param name the name of the resource to sanitize
+ * @returns the sanitized resource name
+ */
+export function sanitizeResourceName(name: string) {
+  return (
+    name
+      // The name must be lowercase
+      .toLowerCase()
+      // Replace sequences of non-alphanumeric characters with a single '-'
+      .replace(/[^a-z0-9]+/g, "-")
+      // Truncate the name to 250 characters
+      .slice(0, 250)
+      // Remove leading and trailing non-letter characters
+      .replace(/^[^a-z]+|[^a-z]+$/g, "")
+  );
+}

package/dist/lib/module-helpers.d.ts

@@ -1,5 +0,0 @@
-import { PeprValidateRequest } from "./validate-request";
-import { PeprMutateRequest } from "./mutate-request";
-import { a } from "../lib";
-export declare function containers(request: PeprValidateRequest<a.Pod> | PeprMutateRequest<a.Pod>, containerType?: "containers" | "initContainers" | "ephemeralContainers"): import("@kubernetes/client-node").V1Container[];
-//# sourceMappingURL=module-helpers.d.ts.map

package/dist/lib/module-helpers.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"module-helpers.d.ts","sourceRoot":"","sources":["../../src/lib/module-helpers.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,CAAC,EAAE,MAAM,QAAQ,CAAC;AAG3B,wBAAgB,UAAU,CACxB,OAAO,EAAE,mBAAmB,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,iBAAiB,CAAC,CAAC,CAAC,GAAG,CAAC,EAC9D,aAAa,CAAC,EAAE,YAAY,GAAG,gBAAgB,GAAG,qBAAqB,mDAgBxE"}

package/src/lib/module-helpers.ts

@@ -1,27 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
-
-import { PeprValidateRequest } from "./validate-request";
-import { PeprMutateRequest } from "./mutate-request";
-import { a } from "../lib";
-
-// Returns all containers in the pod
-export function containers(
-  request: PeprValidateRequest<a.Pod> | PeprMutateRequest<a.Pod>,
-  containerType?: "containers" | "initContainers" | "ephemeralContainers",
-) {
-  const containers = request.Raw.spec?.containers || [];
-  const initContainers = request.Raw.spec?.initContainers || [];
-  const ephemeralContainers = request.Raw.spec?.ephemeralContainers || [];
-
-  if (containerType === "containers") {
-    return containers;
-  }
-  if (containerType === "initContainers") {
-    return initContainers;
-  }
-  if (containerType === "ephemeralContainers") {
-    return ephemeralContainers;
-  }
-  return [...containers, ...initContainers, ...ephemeralContainers];
-}