pepr 0.34.1 → 0.36.0

package/dist/sdk/sdk.d.ts

@@ -24,10 +24,12 @@ export declare function containers(request: PeprValidateRequest<a.Pod> | PeprMut
 export declare function writeEvent(cr: GenericKind, event: Partial<kind.CoreEvent>, eventType: string, eventReason: string, reportingComponent: string, reportingInstance: string): Promise<void>;
 /**
  * Get the owner reference for a custom resource
- * @param cr the custom resource to get the owner reference for
- * @returns the owner reference for the custom resource
+ * @param customResource the custom resource to get the owner reference for
+ * @param blockOwnerDeletion if true, AND if the owner has the "foregroundDeletion" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed.
+ * @param controller if true, this reference points to the managing controller.
+ * @returns the owner reference array for the custom resource
  */
-export declare function getOwnerRefFrom(cr: GenericKind): V1OwnerReference[];
+export declare function getOwnerRefFrom(customResource: GenericKind, blockOwnerDeletion?: boolean, controller?: boolean): V1OwnerReference[];
 /**
  * Sanitize a resource name to make it a valid Kubernetes resource name.
  *

package/dist/sdk/sdk.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sdk.d.ts","sourceRoot":"","sources":["../../src/sdk/sdk.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,CAAC,EAAE,MAAM,QAAQ,CAAC;AAC3B,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AACvD,OAAO,EAAO,IAAI,EAAE,MAAM,0BAA0B,CAAC;AAGrD;;;;;GAKG;AACH,wBAAgB,UAAU,CACxB,OAAO,EAAE,mBAAmB,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,iBAAiB,CAAC,CAAC,CAAC,GAAG,CAAC,EAC9D,aAAa,CAAC,EAAE,YAAY,GAAG,gBAAgB,GAAG,qBAAqB,mDAgBxE;AAED;;;;;;;;;GASG;AACH,wBAAsB,UAAU,CAC9B,EAAE,EAAE,WAAW,EACf,KAAK,EAAE,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,EAC9B,SAAS,EAAE,MAAM,EACjB,WAAW,EAAE,MAAM,EACnB,kBAAkB,EAAE,MAAM,EAC1B,iBAAiB,EAAE,MAAM,iBAwB1B;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,EAAE,EAAE,WAAW,GAAG,gBAAgB,EAAE,CAWnE;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,UAYhD"}
+{"version":3,"file":"sdk.d.ts","sourceRoot":"","sources":["../../src/sdk/sdk.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,CAAC,EAAE,MAAM,QAAQ,CAAC;AAC3B,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AACvD,OAAO,EAAO,IAAI,EAAE,MAAM,0BAA0B,CAAC;AAGrD;;;;;GAKG;AACH,wBAAgB,UAAU,CACxB,OAAO,EAAE,mBAAmB,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,iBAAiB,CAAC,CAAC,CAAC,GAAG,CAAC,EAC9D,aAAa,CAAC,EAAE,YAAY,GAAG,gBAAgB,GAAG,qBAAqB,mDAgBxE;AAED;;;;;;;;;GASG;AACH,wBAAsB,UAAU,CAC9B,EAAE,EAAE,WAAW,EACf,KAAK,EAAE,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,EAC9B,SAAS,EAAE,MAAM,EACjB,WAAW,EAAE,MAAM,EACnB,kBAAkB,EAAE,MAAM,EAC1B,iBAAiB,EAAE,MAAM,iBAwB1B;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,cAAc,EAAE,WAAW,EAC3B,kBAAkB,CAAC,EAAE,OAAO,EAC5B,UAAU,CAAC,EAAE,OAAO,GACnB,gBAAgB,EAAE,CAcpB;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,UAYhD"}

package/package.json

@@ -13,7 +13,7 @@
     "/dist",
     "/src"
   ],
-  "version": "0.34.1",
+  "version": "0.36.0",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {
@@ -38,22 +38,22 @@
     "format:fix": "eslint src --fix && prettier src --write"
   },
   "dependencies": {
-    "@types/ramda": "0.30.1",
-    "express": "4.19.2",
+    "@types/ramda": "0.30.2",
+    "express": "4.21.0",
     "fast-json-patch": "3.1.1",
     "json-pointer": "^0.6.2",
-    "kubernetes-fluent-client": "3.0.1",
-    "pino": "9.3.2",
+    "kubernetes-fluent-client": "3.0.3",
+    "pino": "9.4.0",
     "pino-pretty": "11.2.2",
     "prom-client": "15.1.3",
     "ramda": "0.30.1"
   },
   "devDependencies": {
-    "@commitlint/cli": "19.4.0",
-    "@commitlint/config-conventional": "19.2.2",
+    "@commitlint/cli": "19.5.0",
+    "@commitlint/config-conventional": "19.5.0",
     "@fast-check/jest": "^2.0.1",
     "@jest/globals": "29.7.0",
-    "@types/eslint": "9.6.0",
+    "@types/eslint": "9.6.1",
     "@types/express": "4.17.21",
     "@types/json-pointer": "^1.0.34",
     "@types/node": "22.x.x",
@@ -63,8 +63,8 @@
     "fast-check": "^3.19.0",
     "jest": "29.7.0",
     "js-yaml": "^4.1.0",
-    "nock": "13.5.4",
-    "ts-jest": "29.2.4"
+    "nock": "^13.5.4",
+    "ts-jest": "29.2.5"
   },
   "peerDependencies": {
     "@typescript-eslint/eslint-plugin": "7.18.0",

package/src/cli/init/templates.ts

@@ -58,6 +58,7 @@ export function genPkgJSON(opts: InitOptions, pgkVerOverride?: string) {
     },
     dependencies: {
       pepr: pgkVerOverride || version,
+      nock: "13.5.4",
     },
     devDependencies: {
       typescript,

package/src/lib/assets/helm.ts

@@ -90,15 +90,9 @@ export function watcherDeployTemplate(buildTimestamp: string) {
                   - /app/node_modules/pepr/dist/controller.js
                   - {{ .Values.hash }}
                 readinessProbe:
-                  httpGet:
-                    path: /healthz
-                    port: 3000
-                    scheme: HTTPS
+                  {{- toYaml .Values.watcher.readinessProbe | nindent 12 }}
                 livenessProbe:
-                  httpGet:
-                    path: /healthz
-                    port: 3000
-                    scheme: HTTPS
+                  {{- toYaml .Values.watcher.livenessProbe | nindent 12 }}
                 ports:
                   - containerPort: 3000
                 resources:
@@ -176,15 +170,9 @@ export function admissionDeployTemplate(buildTimestamp: string) {
                   - /app/node_modules/pepr/dist/controller.js
                   - {{ .Values.hash }}
                 readinessProbe:
-                  httpGet:
-                    path: /healthz
-                    port: 3000
-                    scheme: HTTPS
+                  {{- toYaml .Values.admission.readinessProbe | nindent 12 }}
                 livenessProbe:
-                  httpGet:
-                    path: /healthz
-                    port: 3000
-                    scheme: HTTPS
+                  {{- toYaml .Values.admission.livenessProbe | nindent 12 }}
                 ports:
                   - containerPort: 3000
                 resources:

package/src/lib/assets/pods.ts

@@ -111,6 +111,7 @@ export function watcher(assets: Assets, hash: string, buildTimestamp: string, im
                   port: 3000,
                   scheme: "HTTPS",
                 },
+                initialDelaySeconds: 10,
               },
               livenessProbe: {
                 httpGet: {
@@ -118,6 +119,7 @@ export function watcher(assets: Assets, hash: string, buildTimestamp: string, im
                   port: 3000,
                   scheme: "HTTPS",
                 },
+                initialDelaySeconds: 10,
               },
               ports: [
                 {
@@ -248,6 +250,7 @@ export function deployment(
                   port: 3000,
                   scheme: "HTTPS",
                 },
+                initialDelaySeconds: 10,
               },
               livenessProbe: {
                 httpGet: {
@@ -255,6 +258,7 @@ export function deployment(
                   port: 3000,
                   scheme: "HTTPS",
                 },
+                initialDelaySeconds: 10,
               },
               ports: [
                 {

package/src/lib/assets/yaml.ts

@@ -45,6 +45,22 @@ export async function overridesFile({ hash, name, image, config, apiToken }: Ass
         runAsNonRoot: true,
         fsGroup: 65532,
       },
+      readinessProbe: {
+        httpGet: {
+          path: "/healthz",
+          port: 3000,
+          scheme: "HTTPS",
+        },
+        initialDelaySeconds: 10,
+      },
+      livenessProbe: {
+        httpGet: {
+          path: "/healthz",
+          port: 3000,
+          scheme: "HTTPS",
+        },
+        initialDelaySeconds: 10,
+      },
       resources: {
         requests: {
           memory: "64Mi",
@@ -95,6 +111,22 @@ export async function overridesFile({ hash, name, image, config, apiToken }: Ass
         runAsNonRoot: true,
         fsGroup: 65532,
       },
+      readinessProbe: {
+        httpGet: {
+          path: "/healthz",
+          port: 3000,
+          scheme: "HTTPS",
+        },
+        initialDelaySeconds: 10,
+      },
+      livenessProbe: {
+        httpGet: {
+          path: "/healthz",
+          port: 3000,
+          scheme: "HTTPS",
+        },
+        initialDelaySeconds: 10,
+      },
       resources: {
         requests: {
           memory: "64Mi",

package/src/lib/capability.ts

@@ -198,12 +198,13 @@ export class Capability implements CapabilityExport {
         namespaces: [],
         labels: {},
         annotations: {},
+        deletionTimestamp: false,
       },
     };
 
     const bindings = this.#bindings;
     const prefix = `${this.#name}: ${model.name}`;
-    const commonChain = { WithLabel, WithAnnotation, Mutate, Validate, Watch, Reconcile };
+    const commonChain = { WithLabel, WithAnnotation, WithDeletionTimestamp, Mutate, Validate, Watch, Reconcile };
     const isNotEmpty = (value: object) => Object.keys(value).length > 0;
     const log = (message: string, cbString: string) => {
       const filteredObj = pickBy(isNotEmpty, binding.filters);
@@ -277,6 +278,12 @@ export class Capability implements CapabilityExport {
       return { ...commonChain, WithName };
     }
 
+    function WithDeletionTimestamp(): BindingFilter<T> {
+      Log.debug("Add deletionTimestamp filter");
+      binding.filters.deletionTimestamp = true;
+      return commonChain;
+    }
+
     function WithName(name: string): BindingFilter<T> {
       Log.debug(`Add name filter ${name}`, prefix);
       binding.filters.name = name;
@@ -301,6 +308,7 @@ export class Capability implements CapabilityExport {
         ...commonChain,
         InNamespace,
         WithName,
+        WithDeletionTimestamp,
       };
     }
 

package/src/lib/filter.test.ts

@@ -29,6 +29,7 @@ describe("Fuzzing shouldSkipRequest", () => {
             namespaces: fc.array(fc.string()),
             labels: fc.dictionary(fc.string(), fc.string()),
             annotations: fc.dictionary(fc.string(), fc.string()),
+            deletionTimestamp: fc.boolean(),
           }),
         }),
         fc.record({
@@ -41,6 +42,11 @@ describe("Fuzzing shouldSkipRequest", () => {
             version: fc.string(),
             kind: fc.string(),
           }),
+          object: fc.record({
+            metadata: fc.record({
+              deletionTimestamp: fc.option(fc.date()),
+            }),
+          }),
         }),
         fc.array(fc.string()),
         (binding, req, capabilityNamespaces) => {
@@ -69,6 +75,7 @@ describe("Property-Based Testing shouldSkipRequest", () => {
             namespaces: fc.array(fc.string()),
             labels: fc.dictionary(fc.string(), fc.string()),
             annotations: fc.dictionary(fc.string(), fc.string()),
+            deletionTimestamp: fc.boolean(),
           }),
         }),
         fc.record({
@@ -81,6 +88,11 @@ describe("Property-Based Testing shouldSkipRequest", () => {
             version: fc.string(),
             kind: fc.string(),
           }),
+          object: fc.record({
+            metadata: fc.record({
+              deletionTimestamp: fc.option(fc.date()),
+            }),
+          }),
         }),
         fc.array(fc.string()),
         (binding, req, capabilityNamespaces) => {
@@ -103,6 +115,7 @@ test("should reject when name does not match", () => {
       namespaces: [],
       labels: {},
       annotations: {},
+      deletionTimestamp: false,
     },
     callback,
   };
@@ -121,6 +134,7 @@ test("should reject when kind does not match", () => {
       namespaces: [],
       labels: {},
       annotations: {},
+      deletionTimestamp: false,
     },
     callback,
   };
@@ -139,6 +153,7 @@ test("should reject when group does not match", () => {
       namespaces: [],
       labels: {},
       annotations: {},
+      deletionTimestamp: false,
     },
     callback,
   };
@@ -161,6 +176,7 @@ test("should reject when version does not match", () => {
       namespaces: [],
       labels: {},
       annotations: {},
+      deletionTimestamp: false,
     },
     callback,
   };
@@ -179,6 +195,7 @@ test("should allow when group, version, and kind match", () => {
       namespaces: [],
       labels: {},
       annotations: {},
+      deletionTimestamp: false,
     },
     callback,
   };
@@ -201,6 +218,7 @@ test("should allow when kind match and others are empty", () => {
       namespaces: [],
       labels: {},
       annotations: {},
+      deletionTimestamp: false,
     },
     callback,
   };
@@ -219,6 +237,7 @@ test("should reject when teh capability namespace does not match", () => {
       namespaces: [],
       labels: {},
       annotations: {},
+      deletionTimestamp: false,
     },
     callback,
   };
@@ -237,6 +256,7 @@ test("should reject when namespace does not match", () => {
       namespaces: ["bleh"],
       labels: {},
       annotations: {},
+      deletionTimestamp: false,
     },
     callback,
   };
@@ -255,6 +275,7 @@ test("should allow when namespace is match", () => {
       namespaces: ["default", "unicorn", "things"],
       labels: {},
       annotations: {},
+      deletionTimestamp: false,
     },
     callback,
   };
@@ -275,6 +296,7 @@ test("should reject when label does not match", () => {
         foo: "bar",
       },
       annotations: {},
+      deletionTimestamp: false,
     },
     callback,
   };
@@ -290,7 +312,7 @@ test("should allow when label is match", () => {
     kind: podKind,
     filters: {
       name: "",
-
+      deletionTimestamp: false,
       namespaces: [],
       labels: {
         foo: "bar",
@@ -324,6 +346,7 @@ test("should reject when annotation does not match", () => {
       annotations: {
         foo: "bar",
       },
+      deletionTimestamp: false,
     },
     callback,
   };
@@ -345,6 +368,7 @@ test("should allow when annotation is match", () => {
         foo: "bar",
         test: "test1",
       },
+      deletionTimestamp: false,
     },
     callback,
   };
@@ -368,6 +392,7 @@ test("should use `oldObject` when the operation is `DELETE`", () => {
     filters: {
       name: "",
       namespaces: [],
+      deletionTimestamp: false,
       labels: {
         "app.kubernetes.io/name": "cool-name-podinfo",
       },
@@ -382,3 +407,62 @@ test("should use `oldObject` when the operation is `DELETE`", () => {
 
   expect(shouldSkipRequest(binding, pod, [])).toBe(false);
 });
+
+test("should skip processing when deletionTimestamp is not present on pod", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {},
+      annotations: {
+        foo: "bar",
+        test: "test1",
+      },
+      deletionTimestamp: true,
+    },
+    callback,
+  };
+
+  const pod = CreatePod();
+  pod.object.metadata = pod.object.metadata || {};
+  pod.object.metadata.annotations = {
+    foo: "bar",
+    test: "test1",
+    test2: "test2",
+  };
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+});
+
+test("should processing when deletionTimestamp is not present on pod", () => {
+  const binding = {
+    model: kind.Pod,
+    event: Event.Any,
+    kind: podKind,
+    filters: {
+      name: "",
+      namespaces: [],
+      labels: {},
+      annotations: {
+        foo: "bar",
+        test: "test1",
+      },
+      deletionTimestamp: true,
+    },
+    callback,
+  };
+
+  const pod = CreatePod();
+  pod.object.metadata = pod.object.metadata || {};
+  pod.object.metadata!.deletionTimestamp = new Date("2021-09-01T00:00:00Z");
+  pod.object.metadata.annotations = {
+    foo: "bar",
+    test: "test1",
+    test2: "test2",
+  };
+
+  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+});

package/src/lib/filter.ts

@@ -22,6 +22,15 @@ export function shouldSkipRequest(binding: Binding, req: AdmissionRequest, capab
   const { metadata } = srcObject || {};
   const combinedNamespaces = [...namespaces, ...capabilityNamespaces];
 
+  // Delete bindings do not work through admission with DeletionTimestamp
+  if (binding.event.includes(Event.Delete) && binding.filters?.deletionTimestamp) {
+    return true;
+  }
+
+  // Test for deletionTimestamp
+  if (binding.filters?.deletionTimestamp && !req.object.metadata?.deletionTimestamp) {
+    return true;
+  }
   // Test for matching operation
   if (!binding.event.includes(operation) && !binding.event.includes(Event.Any)) {
     return true;

package/src/lib/helpers.test.ts

@@ -1056,6 +1056,40 @@ describe("filterMatcher", () => {
     expect(result).toEqual("Ignoring Watch Callback: Cannot use a namespace filter in a namespace object.");
   });
 
+  test("return deletionTimestamp error when there is no deletionTimestamp in the object", () => {
+    const binding = {
+      filters: { deletionTimestamp: true },
+    };
+    const obj = {
+      metadata: {},
+    };
+    const capabilityNamespaces: string[] = [];
+    const result = filterNoMatchReason(
+      binding as unknown as Partial<Binding>,
+      obj as unknown as Partial<KubernetesObject>,
+      capabilityNamespaces,
+    );
+    expect(result).toEqual("Ignoring Watch Callback: Object does not have a deletion timestamp.");
+  });
+
+  test("return no deletionTimestamp error when there is a deletionTimestamp in the object", () => {
+    const binding = {
+      filters: { deletionTimestamp: true },
+    };
+    const obj = {
+      metadata: {
+        deletionTimestamp: "2021-01-01T00:00:00Z",
+      },
+    };
+    const capabilityNamespaces: string[] = [];
+    const result = filterNoMatchReason(
+      binding as unknown as Partial<Binding>,
+      obj as unknown as Partial<KubernetesObject>,
+      capabilityNamespaces,
+    );
+    expect(result).not.toEqual("Ignoring Watch Callback: Object does not have a deletion timestamp.");
+  });
+
   test("returns label overlap error when there is no overlap between binding and object labels", () => {
     const binding = {
       filters: { labels: { key: "value" } },

package/src/lib/helpers.ts

@@ -73,6 +73,11 @@ export function filterNoMatchReason(
   obj: Partial<KubernetesObject>,
   capabilityNamespaces: string[],
 ): string {
+  // binding deletionTimestamp filter and object deletionTimestamp dont match
+  if (binding.filters?.deletionTimestamp && !obj.metadata?.deletionTimestamp) {
+    return `Ignoring Watch Callback: Object does not have a deletion timestamp.`;
+  }
+
   // binding kind is namespace with a InNamespace filter
   if (binding.kind && binding.kind.kind === "Namespace" && binding.filters && binding.filters.namespaces.length !== 0) {
     return `Ignoring Watch Callback: Cannot use a namespace filter in a namespace object.`;