pepr 0.33.0 → 0.34.0

package/src/lib/assets/yaml.ts

@@ -9,21 +9,9 @@ import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking
 import { deployment, moduleSecret, namespace, watcher } from "./pods";
 import { clusterRole, clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";
 import { webhookConfig } from "./webhooks";
-import { mergePkgJSONEnv, envMapToArray } from "../helpers";
-
+import { genEnv } from "./pods";
 // Helm Chart overrides file (values.yaml) generated from assets
 export async function overridesFile({ hash, name, image, config, apiToken }: Assets, path: string) {
-  const pkgJSONAdmissionEnv = {
-    PEPR_WATCH_MODE: "false",
-    PEPR_PRETTY_LOG: "false",
-    LOG_LEVEL: "info",
-  };
-  const pkgJSONWatchEnv = {
-    PEPR_WATCH_MODE: "true",
-    PEPR_PRETTY_LOG: "false",
-    LOG_LEVEL: "info",
-  };
-
   const overrides = {
     secrets: {
       apiToken: Buffer.from(apiToken).toString("base64"),
@@ -40,7 +28,8 @@ export async function overridesFile({ hash, name, image, config, apiToken }: Ass
       terminationGracePeriodSeconds: 5,
       failurePolicy: config.onError === "reject" ? "Fail" : "Ignore",
       webhookTimeout: config.webhookTimeout,
-      env: envMapToArray(mergePkgJSONEnv(pkgJSONAdmissionEnv, config.env)),
+      env: genEnv(config, false, true),
+      envFrom: [],
       image,
       annotations: {
         "pepr.dev/description": `${config.description}` || "",
@@ -81,10 +70,16 @@ export async function overridesFile({ hash, name, image, config, apiToken }: Ass
       extraVolumeMounts: [],
       extraVolumes: [],
       affinity: {},
+      serviceMonitor: {
+        enabled: false,
+        labels: {},
+        annotations: {},
+      },
     },
     watcher: {
       terminationGracePeriodSeconds: 5,
-      env: envMapToArray(mergePkgJSONEnv(pkgJSONWatchEnv, config.env)),
+      env: genEnv(config, true, true),
+      envFrom: [],
       image,
       annotations: {
         "pepr.dev/description": `${config.description}` || "",
@@ -125,6 +120,11 @@ export async function overridesFile({ hash, name, image, config, apiToken }: Ass
       extraVolumes: [],
       affinity: {},
       podAnnotations: {},
+      serviceMonitor: {
+        enabled: false,
+        labels: {},
+        annotations: {},
+      },
     },
   };
 

package/src/lib/controller/index.ts

@@ -8,7 +8,7 @@ import https from "https";
 import { Capability } from "../capability";
 import { MutateResponse, AdmissionRequest, ValidateResponse } from "../k8s";
 import Log from "../logger";
-import { MetricsCollector } from "../metrics";
+import { metricsCollector, MetricsCollector } from "../metrics";
 import { ModuleConfig, isWatchMode } from "../module";
 import { mutateProcessor } from "../mutate-processor";
 import { validateProcessor } from "../validate-processor";
@@ -20,7 +20,7 @@ export class Controller {
   #running = false;
 
   // Metrics collector
-  #metricsCollector = new MetricsCollector("pepr");
+  #metricsCollector = metricsCollector;
 
   // The token used to authenticate requests
   #token = "";

package/src/lib/errors.test.ts

@@ -0,0 +1,85 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { expect, test, describe } from "@jest/globals";
+import * as fc from "fast-check";
+import { Errors, ErrorList, ValidateError } from "./errors";
+
+describe("ValidateError Fuzz Testing", () => {
+  test("should only accept predefined error values", () => {
+    fc.assert(
+      fc.property(fc.string(), error => {
+        if (ErrorList.includes(error)) {
+          expect(() => ValidateError(error)).not.toThrow();
+        } else {
+          expect(() => ValidateError(error)).toThrow(
+            `Invalid error: ${error}. Must be one of: ${ErrorList.join(", ")}`,
+          );
+        }
+      }),
+      { verbose: true },
+    );
+  });
+});
+describe("ValidateError Fake Data Testing", () => {
+  test("should correctly handle typical fake error data", () => {
+    const fakeErrors = ["error", "failure", "null", "undefined", "exception"];
+    fakeErrors.forEach(fakeError => {
+      if (ErrorList.includes(fakeError)) {
+        expect(() => ValidateError(fakeError)).not.toThrow();
+      } else {
+        expect(() => ValidateError(fakeError)).toThrow(
+          `Invalid error: ${fakeError}. Must be one of: ${ErrorList.join(", ")}`,
+        );
+      }
+    });
+  });
+});
+describe("ValidateError Property-Based Testing", () => {
+  test("should only validate errors that are part of the ErrorList", () => {
+    fc.assert(
+      fc.property(fc.constantFrom(...ErrorList), validError => {
+        expect(() => ValidateError(validError)).not.toThrow();
+      }),
+      { verbose: true },
+    );
+
+    fc.assert(
+      fc.property(
+        fc.string().filter(e => !ErrorList.includes(e)),
+        invalidError => {
+          expect(() => ValidateError(invalidError)).toThrow(
+            `Invalid error: ${invalidError}. Must be one of: ${ErrorList.join(", ")}`,
+          );
+        },
+      ),
+      { verbose: true },
+    );
+  });
+});
+
+test("Errors object should have correct properties", () => {
+  expect(Errors).toEqual({
+    audit: "audit",
+    ignore: "ignore",
+    reject: "reject",
+  });
+});
+
+test("ErrorList should contain correct values", () => {
+  expect(ErrorList).toEqual(["audit", "ignore", "reject"]);
+});
+
+test("ValidateError should not throw an error for valid errors", () => {
+  expect(() => {
+    ValidateError("audit");
+    ValidateError("ignore");
+    ValidateError("reject");
+  }).not.toThrow();
+});
+
+test("ValidateError should throw an error for invalid errors", () => {
+  expect(() => ValidateError("invalidError")).toThrowError({
+    message: "Invalid error: invalidError. Must be one of: audit, ignore, reject",
+  });
+});

package/src/lib/filter.test.ts

@@ -0,0 +1,384 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { expect, test, describe } from "@jest/globals";
+import { kind, modelToGroupVersionKind } from "kubernetes-fluent-client";
+import * as fc from "fast-check";
+import { CreatePod, DeletePod } from "../fixtures/loader";
+import { shouldSkipRequest } from "./filter";
+import { Event, Binding } from "./types";
+import { AdmissionRequest } from "./k8s";
+
+const callback = () => undefined;
+
+const podKind = modelToGroupVersionKind(kind.Pod.name);
+
+describe("Fuzzing shouldSkipRequest", () => {
+  test("should handle random inputs without crashing", () => {
+    fc.assert(
+      fc.property(
+        fc.record({
+          event: fc.constantFrom("CREATE", "UPDATE", "DELETE", "ANY"),
+          kind: fc.record({
+            group: fc.string(),
+            version: fc.string(),
+            kind: fc.string(),
+          }),
+          filters: fc.record({
+            name: fc.string(),
+            namespaces: fc.array(fc.string()),
+            labels: fc.dictionary(fc.string(), fc.string()),
+            annotations: fc.dictionary(fc.string(), fc.string()),
+          }),
+        }),
+        fc.record({
+          operation: fc.string(),
+          uid: fc.string(),
+          name: fc.string(),
+          namespace: fc.string(),
+          kind: fc.record({
+            group: fc.string(),
+            version: fc.string(),
+            kind: fc.string(),
+          }),
+        }),
+        fc.array(fc.string()),
+        (binding, req, capabilityNamespaces) => {
+          expect(() =>
+            shouldSkipRequest(binding as Binding, req as AdmissionRequest, capabilityNamespaces),
+          ).not.toThrow();
+        },
+      ),
+      { numRuns: 100 },
+    );
+  });
+});
+describe("Property-Based Testing shouldSkipRequest", () => {
+  test("should only skip requests that do not match the binding criteria", () => {
+    fc.assert(
+      fc.property(
+        fc.record({
+          event: fc.constantFrom("CREATE", "UPDATE", "DELETE", "ANY"),
+          kind: fc.record({
+            group: fc.string(),
+            version: fc.string(),
+            kind: fc.string(),
+          }),
+          filters: fc.record({
+            name: fc.string(),
+            namespaces: fc.array(fc.string()),
+            labels: fc.dictionary(fc.string(), fc.string()),
+            annotations: fc.dictionary(fc.string(), fc.string()),
+          }),
+        }),
+        fc.record({
+          operation: fc.string(),
+          uid: fc.string(),
+          name: fc.string(),
+          namespace: fc.string(),
+          kind: fc.record({
+            group: fc.string(),
+            version: fc.string(),
+            kind: fc.string(),
+          }),
+        }),
+        fc.array(fc.string()),
+        (binding, req, capabilityNamespaces) => {
+          const shouldSkip = shouldSkipRequest(binding as Binding, req as AdmissionRequest, capabilityNamespaces);
+          expect(typeof shouldSkip).toBe("boolean");
+        },
+      ),
+      { numRuns: 100 },
+    );
+  });
+});
+
+test("should reject when name does not match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "bleh",
+      namespaces: [],
+      labels: {},
+      annotations: {},
+    },
+    callback,
+  };
+  const pod = CreatePod();
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+});
+
+test("should reject when kind does not match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: modelToGroupVersionKind(kind.CronJob.name),
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {},
+      annotations: {},
+    },
+    callback,
+  };
+  const pod = CreatePod();
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+});
+
+test("should reject when group does not match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: modelToGroupVersionKind(kind.CronJob.name),
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {},
+      annotations: {},
+    },
+    callback,
+  };
+  const pod = CreatePod();
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+});
+
+test("should reject when version does not match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: {
+      group: "",
+      version: "v2",
+      kind: "Pod",
+    },
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {},
+      annotations: {},
+    },
+    callback,
+  };
+  const pod = CreatePod();
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+});
+
+test("should allow when group, version, and kind match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {},
+      annotations: {},
+    },
+    callback,
+  };
+  const pod = CreatePod();
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+});
+
+test("should allow when kind match and others are empty", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: {
+      group: "",
+      version: "",
+      kind: "Pod",
+    },
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {},
+      annotations: {},
+    },
+    callback,
+  };
+  const pod = CreatePod();
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+});
+
+test("should reject when teh capability namespace does not match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {},
+      annotations: {},
+    },
+    callback,
+  };
+  const pod = CreatePod();
+
+  expect(shouldSkipRequest(binding, pod, ["bleh", "bleh2"])).toBe(true);
+});
+
+test("should reject when namespace does not match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: ["bleh"],
+      labels: {},
+      annotations: {},
+    },
+    callback,
+  };
+  const pod = CreatePod();
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+});
+
+test("should allow when namespace is match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: ["default", "unicorn", "things"],
+      labels: {},
+      annotations: {},
+    },
+    callback,
+  };
+  const pod = CreatePod();
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+});
+
+test("should reject when label does not match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {
+        foo: "bar",
+      },
+      annotations: {},
+    },
+    callback,
+  };
+  const pod = CreatePod();
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+});
+
+test("should allow when label is match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+
+      namespaces: [],
+      labels: {
+        foo: "bar",
+        test: "test1",
+      },
+      annotations: {},
+    },
+    callback,
+  };
+
+  const pod = CreatePod();
+  pod.object.metadata = pod.object.metadata || {};
+  pod.object.metadata.labels = {
+    foo: "bar",
+    test: "test1",
+    test2: "test2",
+  };
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+});
+
+test("should reject when annotation does not match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {},
+      annotations: {
+        foo: "bar",
+      },
+    },
+    callback,
+  };
+  const pod = CreatePod();
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+});
+
+test("should allow when annotation is match", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {},
+      annotations: {
+        foo: "bar",
+        test: "test1",
+      },
+    },
+    callback,
+  };
+
+  const pod = CreatePod();
+  pod.object.metadata = pod.object.metadata || {};
+  pod.object.metadata.annotations = {
+    foo: "bar",
+    test: "test1",
+    test2: "test2",
+  };
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+});
+
+test("should use `oldObject` when the operation is `DELETE`", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Delete,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {
+        "app.kubernetes.io/name": "cool-name-podinfo",
+      },
+      annotations: {
+        "prometheus.io/scrape": "true",
+      },
+    },
+    callback,
+  };
+
+  const pod = DeletePod();
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+});