pepr 0.35.0 → 0.37.0

package/src/lib/helpers.ts

@@ -6,6 +6,39 @@ import { K8s, KubernetesObject, kind } from "kubernetes-fluent-client";
 import Log from "./logger";
 import { Binding, CapabilityExport } from "./types";
 import { sanitizeResourceName } from "../sdk/sdk";
+import {
+  carriedAnnotations,
+  carriedLabels,
+  carriedName,
+  carriedNamespace,
+  carriesIgnoredNamespace,
+  definedAnnotations,
+  definedLabels,
+  definedName,
+  definedNameRegex,
+  definedNamespaces,
+  definedNamespaceRegexes,
+  misboundNamespace,
+  mismatchedAnnotations,
+  mismatchedDeletionTimestamp,
+  mismatchedLabels,
+  mismatchedName,
+  mismatchedNameRegex,
+  mismatchedNamespace,
+  mismatchedNamespaceRegex,
+  unbindableNamespaces,
+  uncarryableNamespace,
+} from "./adjudicators";
+
+export function matchesRegex(pattern: string, testString: string): boolean {
+  // edge-case
+  if (!pattern) {
+    return false;
+  }
+
+  const regex = new RegExp(pattern);
+  return regex.test(testString);
+}
 
 export class ValidationError extends Error {}
 
@@ -35,36 +68,6 @@ type RBACMap = {
   };
 };
 
-// check for overlap with labels and annotations between bindings and kubernetes objects
-export function checkOverlap(bindingFilters: Record<string, string>, objectFilters: Record<string, string>): boolean {
-  // True if labels/annotations are empty
-  if (Object.keys(bindingFilters).length === 0) {
-    return true;
-  }
-
-  let matchCount = 0;
-
-  for (const key in bindingFilters) {
-    // object must have label/annotation
-    if (Object.prototype.hasOwnProperty.call(objectFilters, key)) {
-      const val1 = bindingFilters[key];
-      const val2 = objectFilters[key];
-
-      // If bindingFilter has empty value for this key, only need to ensure objectFilter has this key
-      if (val1 === "" && key in objectFilters) {
-        matchCount++;
-      }
-      // If bindingFilter has a value, it must match the value in objectFilter
-      else if (val1 !== "" && val1 === val2) {
-        matchCount++;
-      }
-    }
-  }
-
-  // For single-key objects in bindingFilter or matching all keys in multiple-keys scenario
-  return matchCount === Object.keys(bindingFilters).length;
-}
-
 /**
  * Decide to run callback after the event comes back from API Server
  **/
@@ -72,71 +75,72 @@ export function filterNoMatchReason(
   binding: Partial<Binding>,
   obj: Partial<KubernetesObject>,
   capabilityNamespaces: string[],
+  ignoredNamespaces?: string[],
 ): string {
-  // binding kind is namespace with a InNamespace filter
-  if (binding.kind && binding.kind.kind === "Namespace" && binding.filters && binding.filters.namespaces.length !== 0) {
-    return `Ignoring Watch Callback: Cannot use a namespace filter in a namespace object.`;
-  }
-
-  if (typeof obj === "object" && obj !== null && "metadata" in obj && obj.metadata !== undefined && binding.filters) {
-    // binding labels and object labels dont match
-    if (obj.metadata.labels && !checkOverlap(binding.filters.labels, obj.metadata.labels)) {
-      return `Ignoring Watch Callback: No overlap between binding and object labels. Binding labels ${JSON.stringify(
-        binding.filters.labels,
-      )}, Object Labels ${JSON.stringify(obj.metadata.labels)}.`;
-    }
-
-    // binding annotations and object annotations dont match
-    if (obj.metadata.annotations && !checkOverlap(binding.filters.annotations, obj.metadata.annotations)) {
-      return `Ignoring Watch Callback: No overlap between binding and object annotations. Binding annotations ${JSON.stringify(
-        binding.filters.annotations,
-      )}, Object annotations ${JSON.stringify(obj.metadata.annotations)}.`;
-    }
-  }
-
-  // Check object is in the capability namespace
-  if (
-    Array.isArray(capabilityNamespaces) &&
-    capabilityNamespaces.length > 0 &&
-    obj.metadata &&
-    obj.metadata.namespace &&
-    !capabilityNamespaces.includes(obj.metadata.namespace)
-  ) {
-    return `Ignoring Watch Callback: Object is not in the capability namespace. Capability namespaces: ${capabilityNamespaces.join(
-      ", ",
-    )}, Object namespace: ${obj.metadata.namespace}.`;
-  }
-
-  // chceck every filter namespace is a capability namespace
-  if (
-    Array.isArray(capabilityNamespaces) &&
-    capabilityNamespaces.length > 0 &&
-    binding.filters &&
-    Array.isArray(binding.filters.namespaces) &&
-    binding.filters.namespaces.length > 0 &&
-    !binding.filters.namespaces.every(ns => capabilityNamespaces.includes(ns))
-  ) {
-    return `Ignoring Watch Callback: Binding namespace is not part of capability namespaces. Capability namespaces: ${capabilityNamespaces.join(
-      ", ",
-    )}, Binding namespaces: ${binding.filters.namespaces.join(", ")}.`;
-  }
-
-  // filter namespace is not the same of object namespace
-  if (
-    binding.filters &&
-    Array.isArray(binding.filters.namespaces) &&
-    binding.filters.namespaces.length > 0 &&
-    obj.metadata &&
-    obj.metadata.namespace &&
-    !binding.filters.namespaces.includes(obj.metadata.namespace)
-  ) {
-    return `Ignoring Watch Callback: Binding namespace and object namespace are not the same. Binding namespaces: ${binding.filters.namespaces.join(
-      ", ",
-    )}, Object namespace: ${obj.metadata.namespace}.`;
-  }
-
-  // no problems
-  return "";
+  const prefix = "Ignoring Watch Callback:";
+
+  // prettier-ignore
+  return (
+    mismatchedDeletionTimestamp(binding, obj) ?
+      `${prefix} Binding defines deletionTimestamp but Object does not carry it.` :
+
+    mismatchedName(binding, obj) ?
+      `${prefix} Binding defines name '${definedName(binding)}' but Object carries '${carriedName(obj)}'.` :
+
+    misboundNamespace(binding) ?
+      `${prefix} Cannot use namespace filter on a namespace object.` :
+
+    mismatchedLabels(binding, obj) ?
+      (
+        `${prefix} Binding defines labels '${JSON.stringify(definedLabels(binding))}' ` +
+        `but Object carries '${JSON.stringify(carriedLabels(obj))}'.`
+      ) :
+
+    mismatchedAnnotations(binding, obj) ?
+      (
+        `${prefix} Binding defines annotations '${JSON.stringify(definedAnnotations(binding))}' ` +
+        `but Object carries '${JSON.stringify(carriedAnnotations(obj))}'.`
+      ) :
+
+    uncarryableNamespace(capabilityNamespaces, obj) ?
+      (
+        `${prefix} Object carries namespace '${carriedNamespace(obj)}' ` +
+        `but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.`
+      ) :
+
+    unbindableNamespaces(capabilityNamespaces, binding) ?
+      (
+        `${prefix} Binding defines namespaces ${JSON.stringify(definedNamespaces(binding))} ` +
+        `but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.`
+      ) :
+
+    mismatchedNamespace(binding, obj) ?
+      (
+        `${prefix} Binding defines namespaces '${JSON.stringify(definedNamespaces(binding))}' ` +
+        `but Object carries '${carriedNamespace(obj)}'.`
+      ) :
+
+    mismatchedNamespaceRegex(binding, obj) ?
+      (
+        `${prefix} Binding defines namespace regexes ` +
+        `'${JSON.stringify(definedNamespaceRegexes(binding))}' ` +
+        `but Object carries '${carriedNamespace(obj)}'.`
+      ) :
+
+    mismatchedNameRegex(binding, obj) ?
+      (
+        `${prefix} Binding defines name regex '${definedNameRegex(binding)}' ` +
+        `but Object carries '${carriedName(obj)}'.`
+      ) :
+
+    carriesIgnoredNamespace(ignoredNamespaces, obj) ?
+      (
+        `${prefix} Object carries namespace '${carriedNamespace(obj)}' ` +
+        `but ignored namespaces include '${JSON.stringify(ignoredNamespaces)}'.`
+      ) :
+
+    ""
+  );
 }
 
 export function addVerbIfNotExists(verbs: string[], verb: string) {
@@ -239,7 +243,8 @@ export function generateWatchNamespaceError(
 // namespaceComplianceValidator ensures that capability bindinds respect ignored and capability namespaces
 export function namespaceComplianceValidator(capability: CapabilityExport, ignoredNamespaces?: string[]) {
   const { namespaces: capabilityNamespaces, bindings, name } = capability;
-  const bindingNamespaces = bindings.flatMap(binding => binding.filters.namespaces);
+  const bindingNamespaces = bindings.flatMap((binding: Binding) => binding.filters.namespaces);
+  const bindingRegexNamespaces = bindings.flatMap((binding: Binding) => binding.filters.regexNamespaces || []);
 
   const namespaceError = generateWatchNamespaceError(
     ignoredNamespaces ? ignoredNamespaces : [],
@@ -251,6 +256,47 @@ export function namespaceComplianceValidator(capability: CapabilityExport, ignor
       `Error in ${name} capability. A binding violates namespace rules. Please check ignoredNamespaces and capability namespaces: ${namespaceError}`,
     );
   }
+
+  // Ensure that each regexNamespace matches a capabilityNamespace
+
+  if (
+    bindingRegexNamespaces &&
+    bindingRegexNamespaces.length > 0 &&
+    capabilityNamespaces &&
+    capabilityNamespaces.length > 0
+  ) {
+    for (const regexNamespace of bindingRegexNamespaces) {
+      let matches = false;
+      for (const capabilityNamespace of capabilityNamespaces) {
+        if (regexNamespace !== "" && matchesRegex(regexNamespace, capabilityNamespace)) {
+          matches = true;
+          break;
+        }
+      }
+      if (!matches) {
+        throw new Error(
+          `Ignoring Watch Callback: Object namespace does not match any capability namespace with regex ${regexNamespace}.`,
+        );
+      }
+    }
+  }
+  // ensure regexNamespaces do not match ignored ns
+  if (
+    bindingRegexNamespaces &&
+    bindingRegexNamespaces.length > 0 &&
+    ignoredNamespaces &&
+    ignoredNamespaces.length > 0
+  ) {
+    for (const regexNamespace of bindingRegexNamespaces) {
+      for (const ignoredNS of ignoredNamespaces) {
+        if (matchesRegex(regexNamespace, ignoredNS)) {
+          throw new Error(
+            `Ignoring Watch Callback: Regex namespace: ${regexNamespace}, is an ignored namespace: ${ignoredNS}.`,
+          );
+        }
+      }
+    }
+  }
 }
 
 // check to see if all replicas are ready for all deployments in the pepr-system namespace

package/src/lib/k8s.ts

@@ -3,6 +3,7 @@
 
 import { GenericKind, GroupVersionKind, KubernetesObject, RegisterKind } from "kubernetes-fluent-client";
 
+// DEPRECATED: Use Operation in types.ts instead
 export enum Operation {
   CREATE = "CREATE",
   UPDATE = "UPDATE",
@@ -27,6 +28,7 @@ export const peprStoreGVK = {
 
 RegisterKind(PeprStore, peprStoreGVK);
 
+// DEPRECATED: Use Operation in types.ts instead
 /**
  * GroupVersionResource unambiguously identifies a resource. It doesn't anonymously include GroupVersion
  * to avoid automatic coercion. It doesn't use a GroupVersion to avoid custom marshalling
@@ -37,6 +39,8 @@ export interface GroupVersionResource {
   readonly resource: string;
 }
 
+// DEPRECATED: Use Operation in types.ts instead
+
 /**
  * A Kubernetes admission request to be processed by a capability.
  */

package/src/lib/module.ts

@@ -4,8 +4,8 @@ import { clone } from "ramda";
 import { Capability } from "./capability";
 import { Controller } from "./controller";
 import { ValidateError } from "./errors";
-import { AdmissionRequest, MutateResponse, ValidateResponse, WebhookIgnore } from "./k8s";
-import { CapabilityExport } from "./types";
+import { MutateResponse, ValidateResponse, WebhookIgnore } from "./k8s";
+import { CapabilityExport, AdmissionRequest } from "./types";
 import { setupWatch } from "./watch-processor";
 import { Log } from "../lib";
 
@@ -108,7 +108,7 @@ export class PeprModule {
       // Wait for the controller to be ready before setting up watches
       if (isWatchMode() || isDevMode()) {
         try {
-          setupWatch(capabilities);
+          setupWatch(capabilities, pepr?.alwaysIgnore?.namespaces);
         } catch (e) {
           Log.error(e, "Error setting up watch");
           process.exit(1);

package/src/lib/mutate-processor.ts

@@ -7,7 +7,8 @@ import { kind } from "kubernetes-fluent-client";
 import { Capability } from "./capability";
 import { Errors } from "./errors";
 import { shouldSkipRequest } from "./filter";
-import { MutateResponse, AdmissionRequest } from "./k8s";
+import { MutateResponse } from "./k8s";
+import { AdmissionRequest } from "./types";
 import Log from "./logger";
 import { ModuleConfig } from "./module";
 import { PeprMutateRequest } from "./mutate-request";
@@ -42,7 +43,6 @@ export async function mutateProcessor(
 
   for (const { name, bindings, namespaces } of capabilities) {
     const actionMetadata = { ...reqMetadata, name };
-
     for (const action of bindings) {
       // Skip this action if it's not a mutate action
       if (!action.mutateCallback) {
@@ -50,13 +50,12 @@ export async function mutateProcessor(
       }
 
       // Continue to the next action without doing anything if this one should be skipped
-      if (shouldSkipRequest(action, req, namespaces)) {
+      if (shouldSkipRequest(action, req, namespaces, config?.alwaysIgnore?.namespaces)) {
         continue;
       }
 
       const label = action.mutateCallback.name;
       Log.info(actionMetadata, `Processing mutation action (${label})`);
-
       matchedAction = true;
 
       // Add annotations to the request to indicate that the capability started processing
@@ -79,6 +78,7 @@ export async function mutateProcessor(
         // Run the action
         await action.mutateCallback(wrapped);
 
+        // Log on success
         Log.info(actionMetadata, `Mutation action succeeded (${label})`);
 
         // Add annotations to the request to indicate that the capability succeeded
@@ -99,6 +99,7 @@ export async function mutateProcessor(
           errorMessage = "An error occurred with the mutate action.";
         }
 
+        // Log on failure
         Log.error(actionMetadata, `Action failed: ${errorMessage}`);
         response.warnings.push(`Action failed: ${errorMessage}`);
 

package/src/lib/mutate-request.test.ts

@@ -3,8 +3,7 @@
 
 import { beforeEach, describe, expect, it } from "@jest/globals";
 import { KubernetesObject } from "kubernetes-fluent-client";
-
-import { Operation, AdmissionRequest } from "./k8s";
+import { Operation, AdmissionRequest } from "./types";
 import { PeprMutateRequest } from "./mutate-request";
 
 describe("PeprMutateRequest", () => {

package/src/lib/mutate-request.ts

@@ -3,9 +3,7 @@
 
 import { KubernetesObject } from "kubernetes-fluent-client";
 import { clone, mergeDeepRight } from "ramda";
-
-import { AdmissionRequest, Operation } from "./k8s";
-import { DeepPartial } from "./types";
+import { Operation, AdmissionRequest, DeepPartial } from "./types";
 
 /**
  * The RequestWrapper class provides methods to modify Kubernetes objects in the context

package/src/lib/queue.test.ts

@@ -1,58 +1,152 @@
-import { beforeEach, describe, expect, jest, test } from "@jest/globals";
-import { KubernetesObject } from "@kubernetes/client-node";
+import { afterEach, describe, expect, jest, it } from "@jest/globals";
 import { WatchPhase } from "kubernetes-fluent-client/dist/fluent/types";
 import { Queue } from "./queue";
 
+import Log from "./logger";
+jest.mock("./logger");
+
 describe("Queue", () => {
-  let queue: Queue<KubernetesObject>;
+  afterEach(() => {
+    jest.resetAllMocks();
+  });
+
+  it("is uniquely identifiable", () => {
+    const name = "kind/namespace";
+    const queue = new Queue(name);
+
+    const label = queue.label();
+
+    expect(label).toEqual(
+      expect.objectContaining({
+        // given name of queue
+        name,
+
+        // unique, generated value (to disambiguate similarly-named queues)
+        // <epoch timestamp (ms)>-<4 char hex>
+        uid: expect.stringMatching(/[0-9]{13}-[0-9a-f]{4}/),
+      }),
+    );
+  });
+
+  it("exposes runtime stats", async () => {
+    const name = "kind/namespace";
+    const queue = new Queue(name);
+
+    expect(queue.stats()).toEqual(
+      expect.objectContaining({
+        queue: queue.label(),
+        stats: { length: 0 },
+      }),
+    );
+
+    const kubeObj = { metadata: { name: "test-nm", namespace: "test-ns" } };
+    const watchCb = () =>
+      new Promise<void>(res => {
+        setTimeout(res, 100);
+      });
+
+    await Promise.all([
+      queue.enqueue(kubeObj, WatchPhase.Added, watchCb),
+      queue.enqueue(kubeObj, WatchPhase.Added, watchCb),
+      queue.enqueue(kubeObj, WatchPhase.Added, watchCb),
+      queue.enqueue(kubeObj, WatchPhase.Added, watchCb),
+    ]);
+
+    const logDebug = Log.debug as jest.Mock;
+    const stats = logDebug.mock.calls
+      .flat()
+      .map(m => JSON.stringify(m))
+      .filter(m => m.includes('"stats":'));
 
-  beforeEach(() => {
-    queue = new Queue();
+    [
+      '"length":1', // 1st entry runs near-immediately, so queue won't fill
+      '"length":1', // afterward, queue fills & unfills as callbacks process
+      '"length":2',
+      '"length":3',
+      '"length":3',
+      '"length":2',
+      '"length":1',
+      '"length":0',
+    ].map((exp, idx) => {
+      expect(stats[idx]).toEqual(expect.stringContaining(exp));
+    });
   });
 
-  test("enqueue should add a pod to the queue and return a promise", async () => {
-    const pod = {
-      metadata: { name: "test-pod", namespace: "test-pod" },
-    };
-    const promise = queue.enqueue(pod, WatchPhase.Added);
+  it("resolves when an enqueued event dequeues without error", async () => {
+    const name = "kind/namespace";
+    const queue = new Queue(name);
+
+    const kubeObj = { metadata: { name: "test-nm", namespace: "test-ns" } };
+    const watchCb = () =>
+      new Promise<void>(res => {
+        setTimeout(res, 10);
+      });
+
+    const promise = queue.enqueue(kubeObj, WatchPhase.Added, watchCb);
     expect(promise).toBeInstanceOf(Promise);
-    await promise;
+
+    await expect(promise).resolves.not.toThrow();
   });
 
-  test("dequeue should process pods in FIFO order", async () => {
-    const mockPod = {
-      metadata: { name: "test-pod", namespace: "test-namespace" },
-    };
-    const mockPod2 = {
-      metadata: { name: "test-pod-2", namespace: "test-namespace-2" },
-    };
-
-    // Enqueue two packages
-    const promise1 = queue.enqueue(mockPod, WatchPhase.Added);
-    const promise2 = queue.enqueue(mockPod2, WatchPhase.Modified);
-
-    // Wait for both promises to resolve
-    await promise1;
-    await promise2;
+  it("rejects when an enqueued event dequeues with error", async () => {
+    const name = "kind/namespace";
+    const queue = new Queue(name);
+
+    const kubeObj = { metadata: { name: "test-nm", namespace: "test-ns" } };
+    const watchCb = () =>
+      new Promise<void>((_, reject) => {
+        setTimeout(() => {
+          reject("oof");
+        }, 10);
+      });
+
+    const promise = queue.enqueue(kubeObj, WatchPhase.Added, watchCb);
+    expect(promise).toBeInstanceOf(Promise);
+
+    await expect(promise).rejects.toBe("oof");
   });
 
-  test("dequeue should handle errors in pod processing", async () => {
-    const mockPod = {
-      metadata: { name: "test-pod", namespace: "test-namespace" },
-    };
-    const error = new Error("reconciliation failed");
-    jest.spyOn(queue, "setReconcile").mockRejectedValueOnce(error as never);
-
-    try {
-      await queue.enqueue(mockPod, WatchPhase.Added);
-    } catch (e) {
-      expect(e).toBe(error);
-    }
-
-    // Ensure that the queue is ready to process the next pod
-    const mockPod2 = {
-      metadata: { name: "test-pod-2", namespace: "test-namespace-2" },
-    };
-    await queue.enqueue(mockPod2, WatchPhase.Modified);
+  it("processes events in FIFO order", async () => {
+    const name = "kind/namespace";
+    const queue = new Queue(name);
+
+    const kubeObj = { metadata: { name: "test-nm", namespace: "test-ns" } };
+    const watchA = () =>
+      new Promise<void>(resolve => {
+        setTimeout(() => {
+          Log.info("watchA");
+          resolve();
+        }, 15);
+      });
+    const watchB = () =>
+      new Promise<void>(resolve => {
+        setTimeout(() => {
+          Log.info("watchB");
+          resolve();
+        }, 10);
+      });
+    const watchC = () =>
+      new Promise<void>(resolve => {
+        setTimeout(() => {
+          Log.info("watchC");
+          resolve();
+        }, 5);
+      });
+
+    await Promise.all([
+      queue.enqueue(kubeObj, WatchPhase.Added, watchA),
+      queue.enqueue(kubeObj, WatchPhase.Added, watchB),
+      queue.enqueue(kubeObj, WatchPhase.Added, watchC),
+    ]);
+
+    const logInfo = Log.info as jest.Mock;
+    const calls = logInfo.mock.calls
+      .flat()
+      .map(m => JSON.stringify(m))
+      .filter(m => /"watch[ABC]"/.test(m));
+
+    ['"watchA"', '"watchB"', '"watchC"'].map((exp, idx) => {
+      expect(calls[idx]).toEqual(expect.stringContaining(exp));
+    });
   });
 });