pepr 0.33.0 → 0.34.1

package/src/lib/assets/helm.ts

@@ -105,6 +105,10 @@ export function watcherDeployTemplate(buildTimestamp: string) {
                   {{- toYaml .Values.watcher.resources | nindent 12 }}
                 env:
                   {{- toYaml .Values.watcher.env | nindent 12 }}
+                  - name: PEPR_WATCH_MODE
+                    value: "true"
+                envFrom:
+                  {{- toYaml .Values.watcher.envFrom | nindent 12 }}
                 securityContext:
                   {{- toYaml .Values.watcher.containerSecurityContext | nindent 12 }}
                 volumeMounts:
@@ -187,6 +191,10 @@ export function admissionDeployTemplate(buildTimestamp: string) {
                   {{- toYaml .Values.admission.resources | nindent 12 }}
                 env:
                   {{- toYaml .Values.admission.env | nindent 12 }}
+                  - name: PEPR_WATCH_MODE
+                    value: "false"
+                envFrom:
+                  {{- toYaml .Values.admission.envFrom | nindent 12 }}
                 securityContext:
                   {{- toYaml .Values.admission.containerSecurityContext | nindent 12 }}
                 volumeMounts:
@@ -217,3 +225,30 @@ export function admissionDeployTemplate(buildTimestamp: string) {
               {{- end }}
     `;
 }
+
+export function serviceMonitorTemplate(name: string) {
+  return `
+      {{- if .Values.${name}.serviceMonitor.enabled }}
+      apiVersion: monitoring.coreos.com/v1
+      kind: ServiceMonitor
+      metadata:
+        name: ${name}
+        annotations:
+          {{- toYaml .Values.${name}.serviceMonitor.annotations | nindent 4 }}
+        labels:
+          {{- toYaml .Values.${name}.serviceMonitor.labels | nindent 4 }}
+      spec:
+        selector:
+          matchLabels:
+            pepr.dev/controller: ${name}
+        namespaceSelector:
+          matchNames:
+            - pepr-system
+        endpoints:
+          - targetPort: 3000
+            scheme: https
+            tlsConfig:
+              insecureSkipVerify: true
+      {{- end }}
+    `;
+}

package/src/lib/assets/index.ts

@@ -13,7 +13,7 @@ import { allYaml, zarfYaml, overridesFile, zarfYamlChart } from "./yaml";
 import { namespaceComplianceValidator, replaceString } from "../helpers";
 import { createDirectoryIfNotExists, dedent } from "../helpers";
 import { resolve } from "path";
-import { chartYaml, nsTemplate, admissionDeployTemplate, watcherDeployTemplate } from "./helm";
+import { chartYaml, nsTemplate, admissionDeployTemplate, watcherDeployTemplate, serviceMonitorTemplate } from "./helm";
 import { promises as fs } from "fs";
 import { webhookConfig } from "./webhooks";
 import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking";
@@ -82,7 +82,9 @@ export class Assets {
     const mutationWebhookPath = resolve(CHAR_TEMPLATES_DIR, `mutation-webhook.yaml`);
     const validationWebhookPath = resolve(CHAR_TEMPLATES_DIR, `validation-webhook.yaml`);
     const admissionDeployPath = resolve(CHAR_TEMPLATES_DIR, `admission-deployment.yaml`);
+    const admissionServiceMonitorPath = resolve(CHAR_TEMPLATES_DIR, `admission-service-monitor.yaml`);
     const watcherDeployPath = resolve(CHAR_TEMPLATES_DIR, `watcher-deployment.yaml`);
+    const watcherServiceMonitorPath = resolve(CHAR_TEMPLATES_DIR, `watcher-service-monitor.yaml`);
     const tlsSecretPath = resolve(CHAR_TEMPLATES_DIR, `tls-secret.yaml`);
     const apiTokenSecretPath = resolve(CHAR_TEMPLATES_DIR, `api-token-secret.yaml`);
     const moduleSecretPath = resolve(CHAR_TEMPLATES_DIR, `module-secret.yaml`);
@@ -134,6 +136,7 @@ export class Assets {
 
       if (validateWebhook || mutateWebhook) {
         await fs.writeFile(admissionDeployPath, dedent(admissionDeployTemplate(this.buildTimestamp)));
+        await fs.writeFile(admissionServiceMonitorPath, dedent(serviceMonitorTemplate("admission")));
       }
 
       if (mutateWebhook) {
@@ -166,6 +169,7 @@ export class Assets {
 
       if (watchDeployment) {
         await fs.writeFile(watcherDeployPath, dedent(watcherDeployTemplate(this.buildTimestamp)));
+        await fs.writeFile(watcherServiceMonitorPath, dedent(serviceMonitorTemplate("watcher")));
       }
     } catch (err) {
       console.error(`Error generating helm chart: ${err.message}`);

package/src/lib/assets/pods.test.ts

@@ -0,0 +1,553 @@
+import { namespace, watcher, deployment, moduleSecret, genEnv } from "./pods";
+import { expect, describe, test, jest, afterEach } from "@jest/globals";
+import { Assets } from ".";
+import { ModuleConfig } from "../module";
+import { gzipSync } from "zlib";
+
+jest.mock("zlib");
+
+const assets: Assets = JSON.parse(`{
+  "config": {
+    "uuid": "static-test",
+    "onError": "ignore",
+    "webhookTimeout": 10,
+    "customLabels": {
+      "namespace": {
+        "pepr.dev": ""
+      }
+    },
+    "alwaysIgnore": {
+      "namespaces": []
+    },
+    "includedFiles": [],
+    "env": {
+      "MY_CUSTOM_VAR": "example-value",
+      "ZARF_VAR": "###ZARF_VAR_THING###"
+    },
+    "peprVersion": "0.0.0-development",
+    "appVersion": "0.0.1",
+    "description": "A test module for Pepr"
+  },
+  "path": "/Users/cmwylie19/pepr/pepr-test-module/dist/pepr-static-test.js",
+  "name": "pepr-static-test",
+  "tls": {
+    "ca": "",
+    "key": "",
+    "crt": "",
+    "pem": {
+      "ca": "",
+      "crt": "",
+      "key": ""
+    }
+  },
+  "apiToken": "db5eb6d40e3744fcc2d7863c8f56ce24aaa94ff32cf22918700bdb9369e6d426",
+  "alwaysIgnore": {
+    "namespaces": []
+  },
+  "capabilities": [
+    {
+      "name": "hello-pepr",
+      "description": "A simple example capability to show how things work.",
+      "namespaces": [
+        "pepr-demo",
+        "pepr-demo-2"
+      ],
+      "bindings": [
+        {
+          "kind": {
+            "kind": "Namespace",
+            "version": "v1",
+            "group": ""
+          },
+          "event": "CREATE",
+          "filters": {
+            "name": "",
+            "namespaces": [],
+            "labels": {},
+            "annotations": {}
+          },
+          "isMutate": true
+        },
+        {
+          "kind": {
+            "kind": "Namespace",
+            "version": "v1",
+            "group": ""
+          },
+          "event": "CREATE",
+          "filters": {
+            "name": "pepr-demo-2",
+            "namespaces": [],
+            "labels": {},
+            "annotations": {}
+          },
+          "isWatch": true
+        },
+        {
+          "kind": {
+            "kind": "ConfigMap",
+            "version": "v1",
+            "group": ""
+          },
+          "event": "CREATE",
+          "filters": {
+            "name": "example-1",
+            "namespaces": [],
+            "labels": {},
+            "annotations": {}
+          },
+          "isMutate": true
+        },
+        {
+          "kind": {
+            "kind": "ConfigMap",
+            "version": "v1",
+            "group": ""
+          },
+          "event": "CREATE",
+          "filters": {
+            "name": "example-2",
+            "namespaces": [],
+            "labels": {},
+            "annotations": {}
+          },
+          "isMutate": true
+        },
+        {
+          "kind": {
+            "kind": "ConfigMap",
+            "version": "v1",
+            "group": ""
+          },
+          "event": "CREATE",
+          "filters": {
+            "name": "example-2",
+            "namespaces": [],
+            "labels": {},
+            "annotations": {}
+          },
+          "isValidate": true
+        },
+        {
+          "kind": {
+            "kind": "ConfigMap",
+            "version": "v1",
+            "group": ""
+          },
+          "event": "CREATE",
+          "filters": {
+            "name": "example-2",
+            "namespaces": [],
+            "labels": {},
+            "annotations": {}
+          },
+          "isWatch": true
+        },
+        {
+          "kind": {
+            "kind": "ConfigMap",
+            "version": "v1",
+            "group": ""
+          },
+          "event": "CREATE",
+          "filters": {
+            "name": "",
+            "namespaces": [],
+            "labels": {},
+            "annotations": {}
+          },
+          "isValidate": true
+        },
+        {
+          "kind": {
+            "kind": "ConfigMap",
+            "version": "v1",
+            "group": ""
+          },
+          "event": "CREATEORUPDATE",
+          "filters": {
+            "name": "",
+            "namespaces": [],
+            "labels": {
+              "change": "by-label"
+            },
+            "annotations": {}
+          },
+          "isMutate": true
+        },
+        {
+          "kind": {
+            "kind": "ConfigMap",
+            "version": "v1",
+            "group": ""
+          },
+          "event": "DELETE",
+          "filters": {
+            "name": "",
+            "namespaces": [],
+            "labels": {
+              "change": "by-label"
+            },
+            "annotations": {}
+          },
+          "isValidate": true
+        },
+        {
+          "kind": {
+            "kind": "ConfigMap",
+            "version": "v1",
+            "group": ""
+          },
+          "event": "CREATE",
+          "filters": {
+            "name": "example-4",
+            "namespaces": [],
+            "labels": {},
+            "annotations": {}
+          },
+          "isMutate": true
+        },
+        {
+          "kind": {
+            "kind": "ConfigMap",
+            "version": "v1",
+            "group": ""
+          },
+          "event": "CREATE",
+          "filters": {
+            "name": "example-4a",
+            "namespaces": [
+              "pepr-demo-2"
+            ],
+            "labels": {},
+            "annotations": {}
+          },
+          "isMutate": true
+        },
+        {
+          "kind": {
+            "kind": "ConfigMap",
+            "version": "v1",
+            "group": ""
+          },
+          "event": "CREATE",
+          "filters": {
+            "name": "",
+            "namespaces": [],
+            "labels": {
+              "chuck-norris": ""
+            },
+            "annotations": {}
+          },
+          "isMutate": true
+        },
+        {
+          "kind": {
+            "kind": "Secret",
+            "version": "v1",
+            "group": ""
+          },
+          "event": "CREATE",
+          "filters": {
+            "name": "secret-1",
+            "namespaces": [],
+            "labels": {},
+            "annotations": {}
+          },
+          "isMutate": true
+        },
+        {
+          "kind": {
+            "group": "pepr.dev",
+            "version": "v1",
+            "kind": "Unicorn"
+          },
+          "event": "CREATE",
+          "filters": {
+            "name": "example-1",
+            "namespaces": [],
+            "labels": {},
+            "annotations": {}
+          },
+          "isMutate": true
+        },
+        {
+          "kind": {
+            "group": "pepr.dev",
+            "version": "v1",
+            "kind": "Unicorn"
+          },
+          "event": "CREATE",
+          "filters": {
+            "name": "example-2",
+            "namespaces": [],
+            "labels": {},
+            "annotations": {}
+          },
+          "isMutate": true
+        }
+      ],
+      "hasSchedule": false
+    }
+  ],
+  "image": "ghcr.io/defenseunicorns/pepr/controller:v0.0.0-development",
+  "buildTimestamp": "1721936569867",
+  "hash": "e303205079a4445946f6eacde9ec4800534653f85aca6f84539d0f7158a22569"
+}`);
+describe("namespace function", () => {
+  test("should create a namespace object without labels if none are provided", () => {
+    const result = namespace();
+    expect(result).toEqual({
+      apiVersion: "v1",
+      kind: "Namespace",
+      metadata: {
+        name: "pepr-system",
+      },
+    });
+    const result1 = namespace({ one: "two" });
+    expect(result1).toEqual({
+      apiVersion: "v1",
+      kind: "Namespace",
+      metadata: {
+        name: "pepr-system",
+        labels: {
+          one: "two",
+        },
+      },
+    });
+  });
+
+  test("should create a namespace object with empty labels if an empty object is provided", () => {
+    const result = namespace({});
+    expect(result.metadata.labels).toEqual({});
+  });
+
+  test("should create a namespace object with provided labels", () => {
+    const labels = { "pepr.dev/controller": "admission", "istio-injection": "enabled" };
+    const result = namespace(labels);
+    expect(result.metadata.labels).toEqual(labels);
+  });
+});
+
+describe("watcher function", () => {
+  test("watcher with bindings", () => {
+    const result = watcher(assets, "test-hash", "test-timestamp");
+
+    expect(result).toBeTruthy();
+    expect(result!.metadata!.name).toBe("pepr-static-test-watcher");
+  });
+
+  test("watcher without bindings", () => {
+    assets.capabilities = [];
+    const result = watcher(assets, "test-hash", "test-timestamp");
+
+    expect(result).toBeNull();
+  });
+});
+describe("deployment function", () => {
+  test("deployment", () => {
+    const result = deployment(assets, "test-hash", "test-timestamp");
+
+    expect(result).toBeTruthy();
+    expect(result!.metadata!.name).toBe("pepr-static-test");
+  });
+});
+describe("moduleSecret function", () => {
+  afterEach(() => {
+    jest.resetAllMocks();
+  });
+
+  test("moduleSecret within limit", () => {
+    const name = "test";
+    const data = Buffer.from("test data");
+    const hash = "test-hash";
+    const compressedData = Buffer.from("compressed data").toString("base64");
+
+    // Mock the return value of gzipSync
+    (gzipSync as jest.Mock).mockReturnValue(Buffer.from(compressedData));
+    // eslint-disable-next-line @typescript-eslint/no-var-requires
+    jest.spyOn(require("../helpers"), "secretOverLimit").mockReturnValue(false);
+
+    const result = moduleSecret(name, data, hash);
+
+    expect(result).toEqual({
+      apiVersion: "v1",
+      kind: "Secret",
+      metadata: {
+        name: "test-module",
+        namespace: "pepr-system",
+      },
+      type: "Opaque",
+      data: {
+        [`module-${hash}.js.gz`]: "WTI5dGNISmxjM05sWkNCa1lYUmg=",
+      },
+    });
+  });
+
+  test("moduleSecret over limit", () => {
+    const name = "test";
+    const data = Buffer.from("test data");
+    const hash = "test-hash";
+
+    // Mock the return value of gzipSync
+    (gzipSync as jest.Mock).mockReturnValue(data);
+    // eslint-disable-next-line @typescript-eslint/no-var-requires
+    jest.spyOn(require("../helpers"), "secretOverLimit").mockReturnValue(true);
+
+    const consoleErrorMock = jest.spyOn(console, "error").mockImplementation(() => {});
+    const processExitMock = jest.spyOn(process, "exit").mockImplementation(() => {
+      throw new Error("process.exit");
+    });
+
+    expect(() => moduleSecret(name, data, hash)).toThrow("process.exit");
+
+    expect(consoleErrorMock).toHaveBeenCalledWith(
+      "Uncaught Exception:",
+      new Error(`Module secret for ${name} is over the 1MB limit`),
+    );
+
+    consoleErrorMock.mockRestore();
+    processExitMock.mockRestore();
+  });
+});
+
+describe("genEnv", () => {
+  test("generates default environment variables without watch mode", () => {
+    const config: ModuleConfig = {
+      uuid: "12345",
+      alwaysIgnore: {
+        namespaces: [],
+      },
+    };
+
+    const expectedEnv = [
+      { name: "PEPR_WATCH_MODE", value: "false" },
+      { name: "PEPR_PRETTY_LOG", value: "false" },
+      { name: "LOG_LEVEL", value: "info" },
+    ];
+
+    const result = genEnv(config);
+
+    expect(result).toEqual(expectedEnv);
+  });
+
+  test("generates default environment variables with watch mode", () => {
+    const config: ModuleConfig = {
+      uuid: "12345",
+      alwaysIgnore: {
+        namespaces: [],
+      },
+    };
+
+    const expectedEnv = [
+      { name: "PEPR_WATCH_MODE", value: "true" },
+      { name: "PEPR_PRETTY_LOG", value: "false" },
+      { name: "LOG_LEVEL", value: "info" },
+    ];
+
+    const result = genEnv(config, true);
+
+    expect(result).toEqual(expectedEnv);
+  });
+
+  test("overrides default environment variables with config.env", () => {
+    const config: ModuleConfig = {
+      uuid: "12345",
+      logLevel: "debug",
+      env: {
+        CUSTOM_ENV_VAR: "custom_value",
+      },
+      alwaysIgnore: {
+        namespaces: [],
+      },
+    };
+
+    const expectedEnv = [
+      { name: "PEPR_WATCH_MODE", value: "false" },
+      { name: "PEPR_PRETTY_LOG", value: "false" },
+      { name: "LOG_LEVEL", value: "debug" },
+      { name: "CUSTOM_ENV_VAR", value: "custom_value" },
+    ];
+
+    const result = genEnv(config);
+
+    expect(result).toEqual(expectedEnv);
+  });
+
+  test("handles empty config.env correctly", () => {
+    const config: ModuleConfig = {
+      uuid: "12345",
+      logLevel: "error",
+      env: {},
+      alwaysIgnore: {
+        namespaces: [],
+      },
+    };
+
+    const expectedEnv = [
+      { name: "PEPR_WATCH_MODE", value: "false" },
+      { name: "PEPR_PRETTY_LOG", value: "false" },
+      { name: "LOG_LEVEL", value: "error" },
+    ];
+
+    const result = genEnv(config);
+
+    expect(result).toEqual(expectedEnv);
+  });
+
+  test("should not be able to override PEPR_WATCH_MODE in package.json pepr env", () => {
+    const config: ModuleConfig = {
+      uuid: "12345",
+      logLevel: "error",
+      env: {
+        PEPR_WATCH_MODE: "false",
+      },
+      alwaysIgnore: {
+        namespaces: [],
+      },
+    };
+
+    const result = genEnv(config, true);
+    const watchMode = result.filter(env => env.name === "PEPR_WATCH_MODE")[0];
+    expect(watchMode.value).toEqual("true");
+  });
+
+  test("handles no config.env correctly", () => {
+    const config: ModuleConfig = {
+      uuid: "12345",
+      logLevel: "error",
+      alwaysIgnore: {
+        namespaces: [],
+      },
+    };
+
+    const expectedEnv = [
+      { name: "PEPR_WATCH_MODE", value: "false" },
+      { name: "PEPR_PRETTY_LOG", value: "false" },
+      { name: "LOG_LEVEL", value: "error" },
+    ];
+
+    const result = genEnv(config);
+
+    expect(result).toEqual(expectedEnv);
+  });
+
+  test("handles ignoreWatchMode for helm chart", () => {
+    const config: ModuleConfig = {
+      uuid: "12345",
+      logLevel: "error",
+      alwaysIgnore: {
+        namespaces: [],
+      },
+    };
+
+    const expectedEnv = [
+      { name: "PEPR_PRETTY_LOG", value: "false" },
+      { name: "LOG_LEVEL", value: "error" },
+    ];
+
+    const result = genEnv(config, false, true);
+
+    expect(result).toEqual(expectedEnv);
+  });
+});

package/src/lib/assets/pods.ts

@@ -357,14 +357,22 @@ export function moduleSecret(name: string, data: Buffer, hash: string): kind.Sec
   }
 }
 
-function genEnv(config: ModuleConfig, watchMode = false): V1EnvVar[] {
-  const def = {
-    PEPR_WATCH_MODE: watchMode ? "true" : "false",
+export function genEnv(config: ModuleConfig, watchMode = false, ignoreWatchMode = false): V1EnvVar[] {
+  const noWatchDef = {
     PEPR_PRETTY_LOG: "false",
     LOG_LEVEL: config.logLevel || "info",
   };
-  const cfg = config.env || {};
-  const env = Object.entries({ ...def, ...cfg }).map(([name, value]) => ({ name, value }));
 
-  return env;
+  const def = {
+    PEPR_WATCH_MODE: watchMode ? "true" : "false",
+    ...noWatchDef,
+  };
+
+  if (config.env && config.env["PEPR_WATCH_MODE"]) {
+    delete config.env["PEPR_WATCH_MODE"];
+  }
+  const cfg = config.env || {};
+  return ignoreWatchMode
+    ? Object.entries({ ...noWatchDef, ...cfg }).map(([name, value]) => ({ name, value }))
+    : Object.entries({ ...def, ...cfg }).map(([name, value]) => ({ name, value }));
 }