pepr 0.32.7 → 0.34.0

package/src/lib/assets/yaml.ts

@@ -4,13 +4,12 @@
 import { dumpYaml } from "@kubernetes/client-node";
 import crypto from "crypto";
 import { promises as fs } from "fs";
-
 import { Assets } from ".";
 import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking";
 import { deployment, moduleSecret, namespace, watcher } from "./pods";
 import { clusterRole, clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";
 import { webhookConfig } from "./webhooks";
-
+import { genEnv } from "./pods";
 // Helm Chart overrides file (values.yaml) generated from assets
 export async function overridesFile({ hash, name, image, config, apiToken }: Assets, path: string) {
   const overrides = {
@@ -29,11 +28,8 @@ export async function overridesFile({ hash, name, image, config, apiToken }: Ass
       terminationGracePeriodSeconds: 5,
       failurePolicy: config.onError === "reject" ? "Fail" : "Ignore",
       webhookTimeout: config.webhookTimeout,
-      env: [
-        { name: "PEPR_WATCH_MODE", value: "false" },
-        { name: "PEPR_PRETTY_LOG", value: "false" },
-        { name: "LOG_LEVEL", value: "info" },
-      ],
+      env: genEnv(config, false, true),
+      envFrom: [],
       image,
       annotations: {
         "pepr.dev/description": `${config.description}` || "",
@@ -74,14 +70,16 @@ export async function overridesFile({ hash, name, image, config, apiToken }: Ass
       extraVolumeMounts: [],
       extraVolumes: [],
       affinity: {},
+      serviceMonitor: {
+        enabled: false,
+        labels: {},
+        annotations: {},
+      },
     },
     watcher: {
       terminationGracePeriodSeconds: 5,
-      env: [
-        { name: "PEPR_WATCH_MODE", value: "true" },
-        { name: "PEPR_PRETTY_LOG", value: "false" },
-        { name: "LOG_LEVEL", value: "info" },
-      ],
+      env: genEnv(config, true, true),
+      envFrom: [],
       image,
       annotations: {
         "pepr.dev/description": `${config.description}` || "",
@@ -122,14 +120,13 @@ export async function overridesFile({ hash, name, image, config, apiToken }: Ass
       extraVolumes: [],
       affinity: {},
       podAnnotations: {},
+      serviceMonitor: {
+        enabled: false,
+        labels: {},
+        annotations: {},
+      },
     },
   };
-  if (process.env.PEPR_MODE === "dev") {
-    overrides.admission.env.push({ name: "ZARF_VAR", value: "###ZARF_VAR_THING###" });
-    overrides.watcher.env.push({ name: "ZARF_VAR", value: "###ZARF_VAR_THING###" });
-    overrides.admission.env.push({ name: "MY_CUSTOM_VAR", value: "example-value" });
-    overrides.watcher.env.push({ name: "MY_CUSTOM_VAR", value: "example-value" });
-  }
 
   await fs.writeFile(path, dumpYaml(overrides, { noRefs: true, forceQuotes: true }));
 }

package/src/lib/controller/index.ts

@@ -8,7 +8,7 @@ import https from "https";
 import { Capability } from "../capability";
 import { MutateResponse, AdmissionRequest, ValidateResponse } from "../k8s";
 import Log from "../logger";
-import { MetricsCollector } from "../metrics";
+import { metricsCollector, MetricsCollector } from "../metrics";
 import { ModuleConfig, isWatchMode } from "../module";
 import { mutateProcessor } from "../mutate-processor";
 import { validateProcessor } from "../validate-processor";
@@ -20,7 +20,7 @@ export class Controller {
   #running = false;
 
   // Metrics collector
-  #metricsCollector = new MetricsCollector("pepr");
+  #metricsCollector = metricsCollector;
 
   // The token used to authenticate requests
   #token = "";

package/src/lib/controller/store.ts

@@ -61,8 +61,8 @@ export class PeprControllerStore {
         K8s(PeprStore)
           .InNamespace(namespace)
           .Get(this.#name)
-          // If the get succeeds, setup the watch
-          .then(this.#setupWatch)
+          // If the get succeeds, migrate and setup the watch
+          .then(async (store: PeprStore) => await this.#migrateAndSetupWatch(store))
           // Otherwise, create the resource
           .catch(this.#createStoreResource),
       Math.random() * 3000,
@@ -74,6 +74,91 @@ export class PeprControllerStore {
     watcher.start().catch(e => Log.error(e, "Error starting Pepr store watch"));
   };
 
+  #migrateAndSetupWatch = async (store: PeprStore) => {
+    Log.debug(store, "Pepr Store migration");
+    const data: DataStore = store.data || {};
+    const migrateCache: Record<string, Operation> = {};
+
+    // Send the cached updates to the cluster
+    const flushCache = async () => {
+      const indexes = Object.keys(migrateCache);
+      const payload = Object.values(migrateCache);
+
+      // Loop over each key in the cache and delete it to avoid collisions with other sender calls
+      for (const idx of indexes) {
+        delete migrateCache[idx];
+      }
+
+      try {
+        // Send the patch to the cluster
+        await K8s(PeprStore, { namespace, name: this.#name }).Patch(payload);
+      } catch (err) {
+        Log.error(err, "Pepr store update failure");
+
+        if (err.status === 422) {
+          Object.keys(migrateCache).forEach(key => delete migrateCache[key]);
+        } else {
+          // On failure to update, re-add the operations to the cache to be retried
+          for (const idx of indexes) {
+            migrateCache[idx] = payload[Number(idx)];
+          }
+        }
+      }
+    };
+
+    const fillCache = (name: string, op: DataOp, key: string[], val?: string) => {
+      if (op === "add") {
+        // adjust the path for the capability
+        const path = `/data/${name}-v2-${key}`;
+        const value = val || "";
+        const cacheIdx = [op, path, value].join(":");
+
+        // Add the operation to the cache
+        migrateCache[cacheIdx] = { op, path, value };
+
+        return;
+      }
+
+      if (op === "remove") {
+        if (key.length < 1) {
+          throw new Error(`Key is required for REMOVE operation`);
+        }
+
+        for (const k of key) {
+          const path = `/data/${name}-${k}`;
+          const cacheIdx = [op, path].join(":");
+
+          // Add the operation to the cache
+          migrateCache[cacheIdx] = { op, path };
+        }
+
+        return;
+      }
+
+      // If we get here, the operation is not supported
+      throw new Error(`Unsupported operation: ${op}`);
+    };
+
+    for (const name of Object.keys(this.#stores)) {
+      // Get the prefix offset for the keys
+      const offset = `${name}-`.length;
+
+      // Loop over each key in the store
+      for (const key of Object.keys(data)) {
+        // Match on the capability name as a prefix for non v2 keys
+        if (startsWith(name, key) && !startsWith(`${name}-v2`, key)) {
+          // populate migrate cache
+          fillCache(name, "remove", [key.slice(offset)], data[key]);
+          fillCache(name, "add", [key.slice(offset)], data[key]);
+        }
+      }
+
+      // await K8s(PeprStore, { namespace, name: this.#name }).Patch(payload);
+    }
+    await flushCache();
+    this.#setupWatch();
+  };
+
   #receive = (store: PeprStore) => {
     Log.debug(store, "Pepr Store update");
 
@@ -121,6 +206,7 @@ export class PeprControllerStore {
     // Load the sendCache with patch operations
     const fillCache = (op: DataOp, key: string[], val?: string) => {
       if (op === "add") {
+        // adjust the path for the capability
         const path = `/data/${capabilityName}-${key}`;
         const value = val || "";
         const cacheIdx = [op, path, value].join(":");

package/src/lib/errors.test.ts

@@ -0,0 +1,85 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { expect, test, describe } from "@jest/globals";
+import * as fc from "fast-check";
+import { Errors, ErrorList, ValidateError } from "./errors";
+
+describe("ValidateError Fuzz Testing", () => {
+  test("should only accept predefined error values", () => {
+    fc.assert(
+      fc.property(fc.string(), error => {
+        if (ErrorList.includes(error)) {
+          expect(() => ValidateError(error)).not.toThrow();
+        } else {
+          expect(() => ValidateError(error)).toThrow(
+            `Invalid error: ${error}. Must be one of: ${ErrorList.join(", ")}`,
+          );
+        }
+      }),
+      { verbose: true },
+    );
+  });
+});
+describe("ValidateError Fake Data Testing", () => {
+  test("should correctly handle typical fake error data", () => {
+    const fakeErrors = ["error", "failure", "null", "undefined", "exception"];
+    fakeErrors.forEach(fakeError => {
+      if (ErrorList.includes(fakeError)) {
+        expect(() => ValidateError(fakeError)).not.toThrow();
+      } else {
+        expect(() => ValidateError(fakeError)).toThrow(
+          `Invalid error: ${fakeError}. Must be one of: ${ErrorList.join(", ")}`,
+        );
+      }
+    });
+  });
+});
+describe("ValidateError Property-Based Testing", () => {
+  test("should only validate errors that are part of the ErrorList", () => {
+    fc.assert(
+      fc.property(fc.constantFrom(...ErrorList), validError => {
+        expect(() => ValidateError(validError)).not.toThrow();
+      }),
+      { verbose: true },
+    );
+
+    fc.assert(
+      fc.property(
+        fc.string().filter(e => !ErrorList.includes(e)),
+        invalidError => {
+          expect(() => ValidateError(invalidError)).toThrow(
+            `Invalid error: ${invalidError}. Must be one of: ${ErrorList.join(", ")}`,
+          );
+        },
+      ),
+      { verbose: true },
+    );
+  });
+});
+
+test("Errors object should have correct properties", () => {
+  expect(Errors).toEqual({
+    audit: "audit",
+    ignore: "ignore",
+    reject: "reject",
+  });
+});
+
+test("ErrorList should contain correct values", () => {
+  expect(ErrorList).toEqual(["audit", "ignore", "reject"]);
+});
+
+test("ValidateError should not throw an error for valid errors", () => {
+  expect(() => {
+    ValidateError("audit");
+    ValidateError("ignore");
+    ValidateError("reject");
+  }).not.toThrow();
+});
+
+test("ValidateError should throw an error for invalid errors", () => {
+  expect(() => ValidateError("invalidError")).toThrowError({
+    message: "Invalid error: invalidError. Must be one of: audit, ignore, reject",
+  });
+});

package/src/lib/filter.test.ts

@@ -0,0 +1,384 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { expect, test, describe } from "@jest/globals";
+import { kind, modelToGroupVersionKind } from "kubernetes-fluent-client";
+import * as fc from "fast-check";
+import { CreatePod, DeletePod } from "../fixtures/loader";
+import { shouldSkipRequest } from "./filter";
+import { Event, Binding } from "./types";
+import { AdmissionRequest } from "./k8s";
+
+const callback = () => undefined;
+
+const podKind = modelToGroupVersionKind(kind.Pod.name);
+
+describe("Fuzzing shouldSkipRequest", () => {
+  test("should handle random inputs without crashing", () => {
+    fc.assert(
+      fc.property(
+        fc.record({
+          event: fc.constantFrom("CREATE", "UPDATE", "DELETE", "ANY"),
+          kind: fc.record({
+            group: fc.string(),
+            version: fc.string(),
+            kind: fc.string(),
+          }),
+          filters: fc.record({
+            name: fc.string(),
+            namespaces: fc.array(fc.string()),
+            labels: fc.dictionary(fc.string(), fc.string()),
+            annotations: fc.dictionary(fc.string(), fc.string()),
+          }),
+        }),
+        fc.record({
+          operation: fc.string(),
+          uid: fc.string(),
+          name: fc.string(),
+          namespace: fc.string(),
+          kind: fc.record({
+            group: fc.string(),
+            version: fc.string(),
+            kind: fc.string(),
+          }),
+        }),
+        fc.array(fc.string()),
+        (binding, req, capabilityNamespaces) => {
+          expect(() =>
+            shouldSkipRequest(binding as Binding, req as AdmissionRequest, capabilityNamespaces),
+          ).not.toThrow();
+        },
+      ),
+      { numRuns: 100 },
+    );
+  });
+});
+describe("Property-Based Testing shouldSkipRequest", () => {
+  test("should only skip requests that do not match the binding criteria", () => {
+    fc.assert(
+      fc.property(
+        fc.record({
+          event: fc.constantFrom("CREATE", "UPDATE", "DELETE", "ANY"),
+          kind: fc.record({
+            group: fc.string(),
+            version: fc.string(),
+            kind: fc.string(),
+          }),
+          filters: fc.record({
+            name: fc.string(),
+            namespaces: fc.array(fc.string()),
+            labels: fc.dictionary(fc.string(), fc.string()),
+            annotations: fc.dictionary(fc.string(), fc.string()),
+          }),
+        }),
+        fc.record({
+          operation: fc.string(),
+          uid: fc.string(),
+          name: fc.string(),
+          namespace: fc.string(),
+          kind: fc.record({
+            group: fc.string(),
+            version: fc.string(),
+            kind: fc.string(),
+          }),
+        }),
+        fc.array(fc.string()),
+        (binding, req, capabilityNamespaces) => {
+          const shouldSkip = shouldSkipRequest(binding as Binding, req as AdmissionRequest, capabilityNamespaces);
+          expect(typeof shouldSkip).toBe("boolean");
+        },
+      ),
+      { numRuns: 100 },
+    );
+  });
+});
+
+test("should reject when name does not match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "bleh",
+      namespaces: [],
+      labels: {},
+      annotations: {},
+    },
+    callback,
+  };
+  const pod = CreatePod();
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+});
+
+test("should reject when kind does not match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: modelToGroupVersionKind(kind.CronJob.name),
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {},
+      annotations: {},
+    },
+    callback,
+  };
+  const pod = CreatePod();
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+});
+
+test("should reject when group does not match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: modelToGroupVersionKind(kind.CronJob.name),
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {},
+      annotations: {},
+    },
+    callback,
+  };
+  const pod = CreatePod();
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+});
+
+test("should reject when version does not match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: {
+      group: "",
+      version: "v2",
+      kind: "Pod",
+    },
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {},
+      annotations: {},
+    },
+    callback,
+  };
+  const pod = CreatePod();
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+});
+
+test("should allow when group, version, and kind match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {},
+      annotations: {},
+    },
+    callback,
+  };
+  const pod = CreatePod();
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+});
+
+test("should allow when kind match and others are empty", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: {
+      group: "",
+      version: "",
+      kind: "Pod",
+    },
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {},
+      annotations: {},
+    },
+    callback,
+  };
+  const pod = CreatePod();
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+});
+
+test("should reject when teh capability namespace does not match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {},
+      annotations: {},
+    },
+    callback,
+  };
+  const pod = CreatePod();
+
+  expect(shouldSkipRequest(binding, pod, ["bleh", "bleh2"])).toBe(true);
+});
+
+test("should reject when namespace does not match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: ["bleh"],
+      labels: {},
+      annotations: {},
+    },
+    callback,
+  };
+  const pod = CreatePod();
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+});
+
+test("should allow when namespace is match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: ["default", "unicorn", "things"],
+      labels: {},
+      annotations: {},
+    },
+    callback,
+  };
+  const pod = CreatePod();
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+});
+
+test("should reject when label does not match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {
+        foo: "bar",
+      },
+      annotations: {},
+    },
+    callback,
+  };
+  const pod = CreatePod();
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+});
+
+test("should allow when label is match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+
+      namespaces: [],
+      labels: {
+        foo: "bar",
+        test: "test1",
+      },
+      annotations: {},
+    },
+    callback,
+  };
+
+  const pod = CreatePod();
+  pod.object.metadata = pod.object.metadata || {};
+  pod.object.metadata.labels = {
+    foo: "bar",
+    test: "test1",
+    test2: "test2",
+  };
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+});
+
+test("should reject when annotation does not match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {},
+      annotations: {
+        foo: "bar",
+      },
+    },
+    callback,
+  };
+  const pod = CreatePod();
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+});
+
+test("should allow when annotation is match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {},
+      annotations: {
+        foo: "bar",
+        test: "test1",
+      },
+    },
+    callback,
+  };
+
+  const pod = CreatePod();
+  pod.object.metadata = pod.object.metadata || {};
+  pod.object.metadata.annotations = {
+    foo: "bar",
+    test: "test1",
+    test2: "test2",
+  };
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+});
+
+test("should use `oldObject` when the operation is `DELETE`", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Delete,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {
+        "app.kubernetes.io/name": "cool-name-podinfo",
+      },
+      annotations: {
+        "prometheus.io/scrape": "true",
+      },
+    },
+    callback,
+  };
+
+  const pod = DeletePod();
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+});