pepr 0.31.0 → 0.32.0

package/package.json

@@ -9,7 +9,7 @@
   "engines": {
     "node": ">=18.0.0"
   },
-  "version": "0.31.0",
+  "version": "0.32.0",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {
@@ -35,11 +35,11 @@
     "@types/ramda": "0.30.0",
     "express": "4.19.2",
     "fast-json-patch": "3.1.1",
-    "kubernetes-fluent-client": "2.5.1",
-    "pino": "9.1.0",
-    "pino-pretty": "11.0.0",
+    "kubernetes-fluent-client": "2.6.1",
+    "pino": "9.2.0",
+    "pino-pretty": "11.2.0",
     "prom-client": "15.1.2",
-    "ramda": "0.30.0"
+    "ramda": "0.30.1"
   },
   "devDependencies": {
     "@commitlint/cli": "19.3.0",
@@ -53,7 +53,7 @@
     "@types/uuid": "9.0.8",
     "jest": "29.7.0",
     "nock": "13.5.4",
-    "ts-jest": "29.1.2"
+    "ts-jest": "29.1.4"
   },
   "peerDependencies": {
     "@typescript-eslint/eslint-plugin": "6.15.0",

package/src/lib/assets/helm.ts

@@ -70,6 +70,9 @@ export function watcherDeployTemplate(buildTimestamp: string) {
           metadata:
             annotations: 
               buildTimestamp: "${buildTimestamp}"
+              {{- if .Values.watcher.podAnnotations }}
+              {{- toYaml .Values.watcher.podAnnotations | nindent 8 }}
+              {{- end }}
             labels:
               app: {{ .Values.uuid }}-watcher
               pepr.dev/controller: watcher
@@ -111,6 +114,9 @@ export function watcherDeployTemplate(buildTimestamp: string) {
                   - name: module
                     mountPath: /app/load
                     readOnly: true
+                  {{- if .Values.watcher.extraVolumeMounts }}
+                  {{- toYaml .Values.watcher.extraVolumeMounts | nindent 12 }}
+                  {{- end }}
             volumes:
               - name: tls-certs
                 secret:
@@ -118,6 +124,9 @@ export function watcherDeployTemplate(buildTimestamp: string) {
               - name: module
                 secret:
                   secretName: {{ .Values.uuid }}-module
+              {{- if .Values.watcher.extraVolumes }}
+              {{- toYaml .Values.watcher.extraVolumes | nindent 8 }}
+              {{- end }}
     `;
 }
 
@@ -142,6 +151,9 @@ export function admissionDeployTemplate(buildTimestamp: string) {
           metadata:
             annotations:
               buildTimestamp: "${buildTimestamp}"
+              {{- if .Values.admission.podAnnotations }}
+              {{- toYaml .Values.admission.podAnnotations | nindent 8 }}
+              {{- end }}
             labels:
               app: {{ .Values.uuid }}
               pepr.dev/controller: admission
@@ -187,6 +199,9 @@ export function admissionDeployTemplate(buildTimestamp: string) {
                   - name: module
                     mountPath: /app/load
                     readOnly: true
+                  {{- if .Values.admission.extraVolumeMounts }}
+                  {{- toYaml .Values.admission.extraVolumeMounts | nindent 12 }}
+                  {{- end }}
             volumes:
               - name: tls-certs
                 secret:
@@ -197,5 +212,8 @@ export function admissionDeployTemplate(buildTimestamp: string) {
               - name: module
                 secret:
                   secretName: {{ .Values.uuid }}-module  
+              {{- if .Values.admission.extraVolumes }}
+              {{- toYaml .Values.admission.extraVolumes | nindent 8 }}
+              {{- end }}
     `;
 }

package/src/lib/assets/index.ts

@@ -9,7 +9,7 @@ import { CapabilityExport } from "../types";
 import { WebhookIgnore } from "../k8s";
 import { deploy } from "./deploy";
 import { loadCapabilities } from "./loader";
-import { allYaml, zarfYaml, overridesFile } from "./yaml";
+import { allYaml, zarfYaml, overridesFile, zarfYamlChart } from "./yaml";
 import { namespaceComplianceValidator, replaceString } from "../helpers";
 import { createDirectoryIfNotExists, dedent } from "../helpers";
 import { resolve } from "path";
@@ -59,6 +59,8 @@ export class Assets {
 
   zarfYaml = (path: string) => zarfYaml(this, path);
 
+  zarfYamlChart = (path: string) => zarfYamlChart(this, path);
+
   allYaml = async (rbacMode: string) => {
     this.capabilities = await loadCapabilities(this.path);
     // give error if namespaces are not respected

package/src/lib/assets/yaml.ts

@@ -68,8 +68,11 @@ export async function overridesFile({ hash, name, image, config, apiToken }: Ass
           drop: ["ALL"],
         },
       },
+      podAnnotations: {},
       nodeSelector: {},
       tolerations: [],
+      extraVolumeMounts: [],
+      extraVolumes: [],
       affinity: {},
     },
     watcher: {
@@ -115,7 +118,10 @@ export async function overridesFile({ hash, name, image, config, apiToken }: Ass
       },
       nodeSelector: {},
       tolerations: [],
+      extraVolumeMounts: [],
+      extraVolumes: [],
       affinity: {},
+      podAnnotations: {},
     },
   };
   if (process.env.PEPR_MODE === "dev") {
@@ -155,6 +161,35 @@ export function zarfYaml({ name, image, config }: Assets, path: string) {
   return dumpYaml(zarfCfg, { noRefs: true });
 }
 
+export function zarfYamlChart({ name, image, config }: Assets, path: string) {
+  const zarfCfg = {
+    kind: "ZarfPackageConfig",
+    metadata: {
+      name,
+      description: `Pepr Module: ${config.description}`,
+      url: "https://github.com/defenseunicorns/pepr",
+      version: `${config.appVersion || "0.0.1"}`,
+    },
+    components: [
+      {
+        name: "module",
+        required: true,
+        charts: [
+          {
+            name: "module",
+            namespace: "pepr-system",
+            version: `${config.appVersion || "0.0.1"}`,
+            localPath: path,
+          },
+        ],
+        images: [image],
+      },
+    ],
+  };
+
+  return dumpYaml(zarfCfg, { noRefs: true });
+}
+
 export async function allYaml(assets: Assets, rbacMode: string) {
   const { name, tls, apiToken, path } = assets;
 

package/src/lib/controller/index.ts

@@ -182,7 +182,7 @@ export class Controller {
     try {
       res.send(await this.#metricsCollector.getMetrics());
     } catch (err) {
-      Log.error(err);
+      Log.error(err, `Error getting metrics`);
       res.status(500).send("Internal Server Error");
     }
   };
@@ -277,7 +277,7 @@ export class Controller {
 
         this.#metricsCollector.observeEnd(startTime, admissionKind);
       } catch (err) {
-        Log.error(err);
+        Log.error(err, `Error processing ${admissionKind} request`);
         res.status(500).send("Internal Server Error");
         this.#metricsCollector.error();
       }
@@ -319,7 +319,7 @@ export class Controller {
     try {
       res.send("OK");
     } catch (err) {
-      Log.error(err);
+      Log.error(err, `Error processing health check`);
       res.status(500).send("Internal Server Error");
     }
   }

package/src/lib/controller/store.ts

@@ -167,9 +167,13 @@ export class PeprControllerStore {
       } catch (err) {
         Log.error(err, "Pepr store update failure");
 
-        // On failure to update, re-add the operations to the cache to be retried
-        for (const idx of indexes) {
-          sendCache[idx] = payload[Number(idx)];
+        if (err.status === 422) {
+          Object.keys(sendCache).forEach(key => delete sendCache[key]);
+        } else {
+          // On failure to update, re-add the operations to the cache to be retried
+          for (const idx of indexes) {
+            sendCache[idx] = payload[Number(idx)];
+          }
         }
       }
     };

package/src/lib/mutate-processor.ts

@@ -84,22 +84,33 @@ export async function mutateProcessor(
         // Add annotations to the request to indicate that the capability succeeded
         updateStatus("succeeded");
       } catch (e) {
-        Log.warn(actionMetadata, `Action failed: ${e}`);
         updateStatus("warning");
-
-        // Annoying ts false positive
         response.warnings = response.warnings || [];
-        response.warnings.push(`Action failed: ${e}`);
+
+        let errorMessage = "";
+
+        try {
+          if (e.message && e.message !== "[object Object]") {
+            errorMessage = e.message;
+          } else {
+            throw new Error("An error occurred in the mutate action.");
+          }
+        } catch (e) {
+          errorMessage = "An error occurred with the mutate action.";
+        }
+
+        Log.error(actionMetadata, `Action failed: ${errorMessage}`);
+        response.warnings.push(`Action failed: ${errorMessage}`);
 
         switch (config.onError) {
           case Errors.reject:
-            Log.error(actionMetadata, `Action failed: ${e}`);
+            Log.error(actionMetadata, `Action failed: ${errorMessage}`);
             response.result = "Pepr module configured to reject on error";
             return response;
 
           case Errors.audit:
             response.auditAnnotations = response.auditAnnotations || {};
-            response.auditAnnotations[Date.now()] = e;
+            response.auditAnnotations[Date.now()] = `Action failed: ${errorMessage}`;
             break;
         }
       }

package/src/lib/watch-processor.ts

@@ -15,7 +15,6 @@ const watchCfg: WatchCfg = {
   resyncIntervalSec: process.env.PEPR_RESYNCINTERVALSECONDS
     ? parseInt(process.env.PEPR_RESYNCINTERVALSECONDS, 10)
     : 300,
-  allowWatchBookmarks: process.env.PEPR_ALLOWWATCHBOOKMARKS === "false" ? false : true,
 };
 
 // Map the event to the watch phase
@@ -95,14 +94,7 @@ async function runBinding(binding: Binding, capabilityNamespaces: string[]) {
 
   watcher.events.on(WatchEvent.CONNECT, url => logEvent(WatchEvent.CONNECT, url));
 
-  watcher.events.on(WatchEvent.BOOKMARK, obj =>
-    logEvent(WatchEvent.BOOKMARK, "Changes up to the given resourceVersion have been sent", obj),
-  );
-
   watcher.events.on(WatchEvent.DATA_ERROR, err => logEvent(WatchEvent.DATA_ERROR, err.message));
-  watcher.events.on(WatchEvent.RESOURCE_VERSION, resourceVersion =>
-    logEvent(WatchEvent.RESOURCE_VERSION, `${resourceVersion}`),
-  );
   watcher.events.on(WatchEvent.RECONNECT, (err, retryCount) =>
     logEvent(WatchEvent.RECONNECT, err ? `Reconnecting after ${retryCount} attempts` : ""),
   );
@@ -110,9 +102,9 @@ async function runBinding(binding: Binding, capabilityNamespaces: string[]) {
   watcher.events.on(WatchEvent.GIVE_UP, err => logEvent(WatchEvent.GIVE_UP, err.message));
   watcher.events.on(WatchEvent.ABORT, err => logEvent(WatchEvent.ABORT, err.message));
   watcher.events.on(WatchEvent.OLD_RESOURCE_VERSION, err => logEvent(WatchEvent.OLD_RESOURCE_VERSION, err));
-  watcher.events.on(WatchEvent.RESYNC, err => logEvent(WatchEvent.RESYNC, err.message));
   watcher.events.on(WatchEvent.NETWORK_ERROR, err => logEvent(WatchEvent.NETWORK_ERROR, err.message));
-
+  watcher.events.on(WatchEvent.LIST_ERROR, err => logEvent(WatchEvent.LIST_ERROR, err.message));
+  watcher.events.on(WatchEvent.LIST, list => logEvent(WatchEvent.LIST, JSON.stringify(list, undefined, 2)));
   // Start the watch
   try {
     await watcher.start();

package/src/runtime/controller.ts

@@ -67,9 +67,9 @@ const startup = async () => {
     validateHash(hash);
     runModule(hash);
   } catch (err) {
-    Log.error(err);
+    Log.error(err, `Error starting Pepr Store CRD`);
     process.exit(1);
   }
 };
 
-startup().catch(err => Log.error(err));
+startup().catch(err => Log.error(err, `Error starting Pepr Controller`));

package/dist/cli.d.ts

@@ -1,3 +0,0 @@
-#!/usr/bin/env node
-export {};
-//# sourceMappingURL=cli.d.ts.map

package/dist/lib/assets/deploy.d.ts

@@ -1,3 +0,0 @@
-import { Assets } from ".";
-export declare function deploy(assets: Assets, force: boolean, webhookTimeout?: number): Promise<void>;
-//# sourceMappingURL=deploy.d.ts.map

package/dist/lib/assets/destroy.d.ts

@@ -1,2 +0,0 @@
-export declare function destroyModule(name: string): Promise<void>;
-//# sourceMappingURL=destroy.d.ts.map

package/dist/lib/assets/helm.d.ts

@@ -1,5 +0,0 @@
-export declare function nsTemplate(): string;
-export declare function chartYaml(name: string, description?: string): string;
-export declare function watcherDeployTemplate(buildTimestamp: string): string;
-export declare function admissionDeployTemplate(buildTimestamp: string): string;
-//# sourceMappingURL=helm.d.ts.map

package/dist/lib/assets/index.d.ts

@@ -1,24 +0,0 @@
-import { ModuleConfig } from "../module";
-import { TLSOut } from "../tls";
-import { CapabilityExport } from "../types";
-import { WebhookIgnore } from "../k8s";
-export declare class Assets {
-    readonly config: ModuleConfig;
-    readonly path: string;
-    readonly host?: string | undefined;
-    readonly name: string;
-    readonly tls: TLSOut;
-    readonly apiToken: string;
-    readonly alwaysIgnore: WebhookIgnore;
-    capabilities: CapabilityExport[];
-    image: string;
-    buildTimestamp: string;
-    hash: string;
-    constructor(config: ModuleConfig, path: string, host?: string | undefined);
-    setHash: (hash: string) => void;
-    deploy: (force: boolean, webhookTimeout?: number) => Promise<void>;
-    zarfYaml: (path: string) => string;
-    allYaml: (rbacMode: string) => Promise<string>;
-    generateHelmChart: (basePath: string) => Promise<void>;
-}
-//# sourceMappingURL=index.d.ts.map

package/dist/lib/assets/loader.d.ts

@@ -1,8 +0,0 @@
-import { CapabilityExport } from "../types";
-/**
- * Read the capabilities from the module by running it in build mode
- * @param path
- * @returns
- */
-export declare function loadCapabilities(path: string): Promise<CapabilityExport[]>;
-//# sourceMappingURL=loader.d.ts.map

package/dist/lib/assets/networking.d.ts

@@ -1,7 +0,0 @@
-import { kind } from "kubernetes-fluent-client";
-import { TLSOut } from "../tls";
-export declare function apiTokenSecret(name: string, apiToken: string): kind.Secret;
-export declare function tlsSecret(name: string, tls: TLSOut): kind.Secret;
-export declare function service(name: string): kind.Service;
-export declare function watcherService(name: string): kind.Service;
-//# sourceMappingURL=networking.d.ts.map

package/dist/lib/assets/pods.d.ts

@@ -1,126 +0,0 @@
-/// <reference types="node" />
-import { V1EnvVar } from "@kubernetes/client-node";
-import { kind } from "kubernetes-fluent-client";
-import { Assets } from ".";
-/** Generate the pepr-system namespace */
-export declare function namespace(namespaceLabels?: Record<string, string>): {
-    apiVersion: string;
-    kind: string;
-    metadata: {
-        name: string;
-        labels: Record<string, string>;
-    };
-} | {
-    apiVersion: string;
-    kind: string;
-    metadata: {
-        name: string;
-        labels?: undefined;
-    };
-};
-export declare function watcher(assets: Assets, hash: string, buildTimestamp: string): {
-    apiVersion: string;
-    kind: string;
-    metadata: {
-        name: string;
-        namespace: string;
-        annotations: {
-            "pepr.dev/description": string;
-        };
-        labels: {
-            app: string;
-            "pepr.dev/controller": string;
-            "pepr.dev/uuid": string;
-        };
-    };
-    spec: {
-        replicas: number;
-        strategy: {
-            type: string;
-        };
-        selector: {
-            matchLabels: {
-                app: string;
-                "pepr.dev/controller": string;
-            };
-        };
-        template: {
-            metadata: {
-                annotations: {
-                    buildTimestamp: string;
-                };
-                labels: {
-                    app: string;
-                    "pepr.dev/controller": string;
-                };
-            };
-            spec: {
-                terminationGracePeriodSeconds: number;
-                serviceAccountName: string;
-                securityContext: {
-                    runAsUser: number;
-                    runAsGroup: number;
-                    runAsNonRoot: boolean;
-                    fsGroup: number;
-                };
-                containers: {
-                    name: string;
-                    image: string;
-                    imagePullPolicy: string;
-                    command: string[];
-                    readinessProbe: {
-                        httpGet: {
-                            path: string;
-                            port: number;
-                            scheme: string;
-                        };
-                    };
-                    livenessProbe: {
-                        httpGet: {
-                            path: string;
-                            port: number;
-                            scheme: string;
-                        };
-                    };
-                    ports: {
-                        containerPort: number;
-                    }[];
-                    resources: {
-                        requests: {
-                            memory: string;
-                            cpu: string;
-                        };
-                        limits: {
-                            memory: string;
-                            cpu: string;
-                        };
-                    };
-                    securityContext: {
-                        runAsUser: number;
-                        runAsGroup: number;
-                        runAsNonRoot: boolean;
-                        allowPrivilegeEscalation: boolean;
-                        capabilities: {
-                            drop: string[];
-                        };
-                    };
-                    volumeMounts: {
-                        name: string;
-                        mountPath: string;
-                        readOnly: boolean;
-                    }[];
-                    env: V1EnvVar[];
-                }[];
-                volumes: {
-                    name: string;
-                    secret: {
-                        secretName: string;
-                    };
-                }[];
-            };
-        };
-    };
-} | null;
-export declare function deployment(assets: Assets, hash: string, buildTimestamp: string): kind.Deployment;
-export declare function moduleSecret(name: string, data: Buffer, hash: string): kind.Secret;
-//# sourceMappingURL=pods.d.ts.map

package/dist/lib/assets/rbac.d.ts

@@ -1,14 +0,0 @@
-import { kind } from "kubernetes-fluent-client";
-import { CapabilityExport } from "../types";
-/**
- * Grants the controller access to cluster resources beyond the mutating webhook.
- *
- * @todo: should dynamically generate this based on resources used by the module. will also need to explore how this should work for multiple modules.
- * @returns
- */
-export declare function clusterRole(name: string, capabilities: CapabilityExport[], rbacMode?: string): kind.ClusterRole;
-export declare function clusterRoleBinding(name: string): kind.ClusterRoleBinding;
-export declare function serviceAccount(name: string): kind.ServiceAccount;
-export declare function storeRole(name: string): kind.Role;
-export declare function storeRoleBinding(name: string): kind.RoleBinding;
-//# sourceMappingURL=rbac.d.ts.map

package/dist/lib/assets/store.d.ts

@@ -1,7 +0,0 @@
-import { kind as k } from "kubernetes-fluent-client";
-export declare const group: string, version: string, kind: string;
-export declare const singular: string;
-export declare const plural: string;
-export declare const name: string;
-export declare const peprStoreCRD: k.CustomResourceDefinition;
-//# sourceMappingURL=store.d.ts.map

package/dist/lib/assets/webhooks.d.ts

@@ -1,6 +0,0 @@
-import { V1RuleWithOperations } from "@kubernetes/client-node";
-import { kind } from "kubernetes-fluent-client";
-import { Assets } from ".";
-export declare function generateWebhookRules(assets: Assets, isMutateWebhook: boolean): Promise<V1RuleWithOperations[]>;
-export declare function webhookConfig(assets: Assets, mutateOrValidate: "mutate" | "validate", timeoutSeconds?: number): Promise<kind.MutatingWebhookConfiguration | kind.ValidatingWebhookConfiguration | null>;
-//# sourceMappingURL=webhooks.d.ts.map

package/dist/lib/assets/yaml.d.ts

@@ -1,5 +0,0 @@
-import { Assets } from ".";
-export declare function overridesFile({ hash, name, image, config, apiToken }: Assets, path: string): Promise<void>;
-export declare function zarfYaml({ name, image, config }: Assets, path: string): string;
-export declare function allYaml(assets: Assets, rbacMode: string): Promise<string>;
-//# sourceMappingURL=yaml.d.ts.map

package/dist/lib/capability.d.ts

@@ -1,66 +0,0 @@
-import { GenericClass, GroupVersionKind } from "kubernetes-fluent-client";
-import { PeprStore, Storage } from "./storage";
-import { Schedule } from "./schedule";
-import { Binding, CapabilityCfg, CapabilityExport, WhenSelector } from "./types";
-/**
- * A capability is a unit of functionality that can be registered with the Pepr runtime.
- */
-export declare class Capability implements CapabilityExport {
-    #private;
-    hasSchedule: boolean;
-    /**
-     * Run code on a schedule with the capability.
-     *
-     * @param schedule The schedule to run the code on
-     * @returns
-     */
-    OnSchedule: (schedule: Schedule) => void;
-    /**
-     * Store is a key-value data store that can be used to persist data that should be shared
-     * between requests. Each capability has its own store, and the data is persisted in Kubernetes
-     * in the `pepr-system` namespace.
-     *
-     * Note: You should only access the store from within an action.
-     */
-    Store: PeprStore;
-    /**
-     * ScheduleStore is a key-value data store used to persist schedule data that should be shared
-     * between intervals. Each Schedule shares store, and the data is persisted in Kubernetes
-     * in the `pepr-system` namespace.
-     *
-     * Note: There is no direct access to schedule store
-     */
-    ScheduleStore: PeprStore;
-    get bindings(): Binding[];
-    get name(): string;
-    get description(): string;
-    get namespaces(): string[];
-    constructor(cfg: CapabilityCfg);
-    /**
-     * Register the store with the capability. This is called automatically by the Pepr controller.
-     *
-     * @param store
-     */
-    registerScheduleStore: () => {
-        scheduleStore: Storage;
-    };
-    /**
-     * Register the store with the capability. This is called automatically by the Pepr controller.
-     *
-     * @param store
-     */
-    registerStore: () => {
-        store: Storage;
-    };
-    /**
-     * The When method is used to register a action to be executed when a Kubernetes resource is
-     * processed by Pepr. The action will be executed if the resource matches the specified kind and any
-     * filters that are applied.
-     *
-     * @param model the KubernetesObject model to match
-     * @param kind if using a custom KubernetesObject not available in `a.*`, specify the GroupVersionKind
-     * @returns
-     */
-    When: <T extends GenericClass>(model: T, kind?: GroupVersionKind) => WhenSelector<T>;
-}
-//# sourceMappingURL=capability.d.ts.map

package/dist/lib/controller/index.d.ts

@@ -1,10 +0,0 @@
-import { Capability } from "../capability";
-import { MutateResponse, AdmissionRequest, ValidateResponse } from "../k8s";
-import { ModuleConfig } from "../module";
-export declare class Controller {
-    #private;
-    constructor(config: ModuleConfig, capabilities: Capability[], beforeHook?: (req: AdmissionRequest) => void, afterHook?: (res: MutateResponse | ValidateResponse) => void, onReady?: () => void);
-    /** Start the webhook server */
-    startServer: (port: number) => void;
-}
-//# sourceMappingURL=index.d.ts.map

package/dist/lib/controller/store.d.ts

@@ -1,7 +0,0 @@
-import { Capability } from "../capability";
-export declare const debounceBackoff = 5000;
-export declare class PeprControllerStore {
-    #private;
-    constructor(capabilities: Capability[], name: string, onReady?: () => void);
-}
-//# sourceMappingURL=store.d.ts.map

package/dist/lib/errors.d.ts

@@ -1,12 +0,0 @@
-export declare const Errors: {
-    audit: string;
-    ignore: string;
-    reject: string;
-};
-export declare const ErrorList: string[];
-/**
- * Validate the error or throw an error
- * @param error
- */
-export declare function ValidateError(error?: string): void;
-//# sourceMappingURL=errors.d.ts.map

package/dist/lib/filter.d.ts

@@ -1,11 +0,0 @@
-import { AdmissionRequest } from "./k8s";
-import { Binding } from "./types";
-/**
- * shouldSkipRequest determines if a request should be skipped based on the binding filters.
- *
- * @param binding the action binding
- * @param req the incoming request
- * @returns
- */
-export declare function shouldSkipRequest(binding: Binding, req: AdmissionRequest, capabilityNamespaces: string[]): boolean;
-//# sourceMappingURL=filter.d.ts.map