pepr 0.37.2 → 0.38.0

package/package.json

@@ -13,7 +13,7 @@
     "/dist",
     "/src"
   ],
-  "version": "0.37.2",
+  "version": "0.38.0",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {
@@ -39,12 +39,12 @@
   },
   "dependencies": {
     "@types/ramda": "0.30.2",
-    "express": "4.21.0",
+    "express": "4.21.1",
     "fast-json-patch": "3.1.1",
     "json-pointer": "^0.6.2",
-    "kubernetes-fluent-client": "3.0.4",
-    "pino": "9.4.0",
-    "pino-pretty": "11.2.2",
+    "kubernetes-fluent-client": "3.1.1",
+    "pino": "9.5.0",
+    "pino-pretty": "11.3.0",
     "prom-client": "15.1.3",
     "ramda": "0.30.1"
   },

package/src/cli/build.ts

@@ -138,7 +138,7 @@ export default function (program: RootCmd) {
       );
 
       // If registry is set to Iron Bank, use Iron Bank image
-      if (opts?.registry == "Iron Bank") {
+      if (opts?.registry === "Iron Bank") {
         console.info(
           `\n\tThis command assumes the latest release. Pepr's Iron Bank image release cycle is dictated by renovate and is typically released a few days after the GitHub release.\n\tAs an alternative you may consider custom --custom-image to target a specific image and version.`,
         );

package/src/fixtures/loader.ts

@@ -1,6 +1,6 @@
 import { kind } from "kubernetes-fluent-client";
 
-import { AdmissionRequest } from "../lib/k8s";
+import { AdmissionRequest } from "../lib/types";
 import createPod from "./data/create-pod.json";
 import deletePod from "./data/delete-pod.json";
 

package/src/lib/capability.test.ts

@@ -6,7 +6,7 @@ import { V1Pod } from "@kubernetes/client-node";
 import { expect, describe, jest, beforeEach, it } from "@jest/globals";
 import { PeprMutateRequest } from "./mutate-request";
 import { PeprValidateRequest } from "./validate-request";
-import { Operation, AdmissionRequest } from "./k8s";
+import { Operation, AdmissionRequest } from "./types";
 import { WatchPhase } from "kubernetes-fluent-client/dist/fluent/types";
 import { Event } from "./types";
 import { GenericClass } from "kubernetes-fluent-client";

package/src/lib/controller/index.ts

@@ -6,14 +6,14 @@ import fs from "fs";
 import https from "https";
 
 import { Capability } from "../capability";
-import { MutateResponse, AdmissionRequest, ValidateResponse } from "../k8s";
+import { MutateResponse, ValidateResponse } from "../k8s";
 import Log from "../logger";
 import { metricsCollector, MetricsCollector } from "../metrics";
 import { ModuleConfig, isWatchMode } from "../module";
 import { mutateProcessor } from "../mutate-processor";
 import { validateProcessor } from "../validate-processor";
 import { PeprControllerStore } from "./store";
-import { ResponseItem } from "../types";
+import { ResponseItem, AdmissionRequest } from "../types";
 
 if (!process.env.PEPR_NODE_WARNINGS) {
   process.removeAllListeners("warning");

package/src/lib/k8s.ts

@@ -1,15 +1,7 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-import { GenericKind, GroupVersionKind, KubernetesObject, RegisterKind } from "kubernetes-fluent-client";
-
-// DEPRECATED: Use Operation in types.ts instead
-export enum Operation {
-  CREATE = "CREATE",
-  UPDATE = "UPDATE",
-  DELETE = "DELETE",
-  CONNECT = "CONNECT",
-}
+import { GenericKind, RegisterKind } from "kubernetes-fluent-client";
 
 /**
  * PeprStore for internal use by Pepr. This is used to store arbitrary data in the cluster.
@@ -28,99 +20,6 @@ export const peprStoreGVK = {
 
 RegisterKind(PeprStore, peprStoreGVK);
 
-// DEPRECATED: Use Operation in types.ts instead
-/**
- * GroupVersionResource unambiguously identifies a resource. It doesn't anonymously include GroupVersion
- * to avoid automatic coercion. It doesn't use a GroupVersion to avoid custom marshalling
- */
-export interface GroupVersionResource {
-  readonly group: string;
-  readonly version: string;
-  readonly resource: string;
-}
-
-// DEPRECATED: Use Operation in types.ts instead
-
-/**
- * A Kubernetes admission request to be processed by a capability.
- */
-export interface AdmissionRequest<T = KubernetesObject> {
-  /** UID is an identifier for the individual request/response. */
-  readonly uid: string;
-
-  /** Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale) */
-  readonly kind: GroupVersionKind;
-
-  /** Resource is the fully-qualified resource being requested (for example, v1.pods) */
-  readonly resource: GroupVersionResource;
-
-  /** SubResource is the sub-resource being requested, if any (for example, "status" or "scale") */
-  readonly subResource?: string;
-
-  /** RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). */
-  readonly requestKind?: GroupVersionKind;
-
-  /** RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). */
-  readonly requestResource?: GroupVersionResource;
-
-  /** RequestSubResource is the sub-resource of the original API request, if any (for example, "status" or "scale"). */
-  readonly requestSubResource?: string;
-
-  /**
-   * Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and
-   * rely on the server to generate the name. If that is the case, this method will return the empty string.
-   */
-  readonly name: string;
-
-  /** Namespace is the namespace associated with the request (if any). */
-  readonly namespace?: string;
-
-  /**
-   * Operation is the operation being performed. This may be different than the operation
-   * requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
-   */
-  readonly operation: Operation;
-
-  /** UserInfo is information about the requesting user */
-  readonly userInfo: {
-    /** The name that uniquely identifies this user among all active users. */
-    username?: string;
-
-    /**
-     * A unique value that identifies this user across time. If this user is deleted
-     * and another user by the same name is added, they will have different UIDs.
-     */
-    uid?: string;
-
-    /** The names of groups this user is a part of. */
-    groups?: string[];
-
-    /** Any additional information provided by the authenticator. */
-    extra?: {
-      [key: string]: string[];
-    };
-  };
-
-  /** Object is the object from the incoming request prior to default values being applied */
-  readonly object: T;
-
-  /** OldObject is the existing object. Only populated for UPDATE or DELETE requests. */
-  readonly oldObject?: T;
-
-  /** DryRun indicates that modifications will definitely not be persisted for this request. Defaults to false. */
-  readonly dryRun?: boolean;
-
-  /**
-   * Options contains the options for the operation being performed.
-   * e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
-   * different than the options the caller provided. e.g. for a patch request the performed
-   * Operation might be a CREATE, in which case the Options will a
-   * `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
-   */
-  // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  readonly options?: any;
-}
-
 export interface MutateResponse {
   /** UID is an identifier for the individual request/response. This must be copied over from the corresponding AdmissionRequest. */
   uid: string;

package/src/lib/mutate-processor.ts

@@ -34,7 +34,7 @@ export async function mutateProcessor(
   let skipDecode: string[] = [];
 
   // If the resource is a secret, decode the data
-  const isSecret = req.kind.version == "v1" && req.kind.kind == "Secret";
+  const isSecret = req.kind.version === "v1" && req.kind.kind === "Secret";
   if (isSecret) {
     skipDecode = convertFromBase64Map(wrapped.Raw as unknown as kind.Secret);
   }
@@ -64,7 +64,7 @@ export async function mutateProcessor(
       // this will allow tracking of failed mutations that were permitted to continue
       const updateStatus = (status: string) => {
         // Only update the status if the request is a CREATE or UPDATE (we don't use CONNECT)
-        if (req.operation == "DELETE") {
+        if (req.operation === "DELETE") {
           return;
         }
 
@@ -130,7 +130,7 @@ export async function mutateProcessor(
   }
 
   // delete operations can't be mutate, just return before the transformation
-  if (req.operation == "DELETE") {
+  if (req.operation === "DELETE") {
     return response;
   }
 

package/src/lib/utils.ts

@@ -30,7 +30,7 @@ export function convertFromBase64Map(obj: { data?: Record<string, string> }) {
 
   obj.data = obj.data ?? {};
   for (const key in obj.data) {
-    if (obj.data[key] == undefined) {
+    if (obj.data[key] === undefined) {
       obj.data[key] = "";
     } else {
       const decoded = base64Decode(obj.data[key]);

package/src/lib/validate-processor.ts

@@ -22,7 +22,7 @@ export async function validateProcessor(
   const response: ValidateResponse[] = [];
 
   // If the resource is a secret, decode the data
-  const isSecret = req.kind.version == "v1" && req.kind.kind == "Secret";
+  const isSecret = req.kind.version === "v1" && req.kind.kind === "Secret";
   if (isSecret) {
     convertFromBase64Map(wrapped.Raw as unknown as kind.Secret);
   }

package/src/lib/watch-processor.test.ts

@@ -26,7 +26,6 @@ jest.mock("./metrics", () => ({
     incRetryCount: jest.fn(),
   },
 }));
-
 describe("WatchProcessor", () => {
   const mockStart = jest.fn();
   const mockK8s = jest.mocked(K8s);

package/src/lib/watch-processor.ts

@@ -49,6 +49,7 @@ export function getOrCreateQueue(obj: KubernetesObject) {
 
 // Watch configuration
 const watchCfg: WatchCfg = {
+  useHTTP2: process.env.PEPR_HTTP2_WATCH === "true",
   resyncFailureMax: process.env.PEPR_RESYNC_FAILURE_MAX ? parseInt(process.env.PEPR_RESYNC_FAILURE_MAX, 10) : 5,
   resyncDelaySec: process.env.PEPR_RESYNC_DELAY_SECONDS ? parseInt(process.env.PEPR_RESYNC_DELAY_SECONDS, 10) : 5,
   lastSeenLimitSeconds: process.env.PEPR_LAST_SEEN_LIMIT_SECONDS