pepr 0.38.3 → 0.39.0

package/src/cli/monitor.ts

@@ -49,43 +49,41 @@ export default function (program: RootCmd) {
 
         for (const line of lines) {
           // Check for `"msg":"Hello Pepr"`
-          if (line.includes(respMsg)) {
-            try {
-              const payload = JSON.parse(line.trim());
-              const isMutate = payload.res.patchType || payload.res.warnings;
-
-              const name = `${payload.namespace}${payload.name}`;
-              const uid = payload.res.uid;
-
-              if (isMutate) {
-                const plainPatch =
-                  payload.res?.patch !== undefined && payload.res?.patch !== null
-                    ? atob(payload.res.patch)
-                    : "";
-
-                const patch = plainPatch !== "" && JSON.stringify(JSON.parse(plainPatch), null, 2);
-                const patchType = payload.res.patchType || payload.res.warnings || "";
-                const allowOrDeny = payload.res.allowed ? "🔀" : "🚫";
-                console.log(`\n${allowOrDeny}  MUTATE     ${name} (${uid})`);
-                if (patchType.length > 0) {
-                  console.log(`\n\u001b[1;34m${patch}\u001b[0m`);
-                }
-              } else {
-                const failures = Array.isArray(payload.res) ? payload.res : [payload.res];
-
-                const filteredFailures = failures
-                  .filter((r: ResponseItem) => !r.allowed)
-                  .map((r: ResponseItem) => r.status.message);
-                if (filteredFailures.length > 0) {
-                  console.log(`\n❌  VALIDATE   ${name} (${uid})`);
-                  console.log(`\u001b[1;31m${filteredFailures}\u001b[0m`);
-                } else {
-                  console.log(`\n✅  VALIDATE   ${name} (${uid})`);
-                }
-              }
-            } catch {
-              // Do nothing
+          if (!line.includes(respMsg)) continue;
+          try {
+            const payload = JSON.parse(line.trim());
+            const isMutate = payload.res.patchType || payload.res.warnings;
+
+            const name = `${payload.namespace}${payload.name}`;
+            const uid = payload.res.uid;
+
+            if (isMutate) {
+              const plainPatch =
+                payload.res?.patch !== undefined && payload.res?.patch !== null
+                  ? atob(payload.res.patch)
+                  : "";
+
+              const patch = plainPatch !== "" && JSON.stringify(JSON.parse(plainPatch), null, 2);
+              const patchType = payload.res.patchType || payload.res.warnings || "";
+              const allowOrDeny = payload.res.allowed ? "🔀" : "🚫";
+              console.log(`\n${allowOrDeny}  MUTATE     ${name} (${uid})`);
+              patchType.length > 0 && console.log(`\n\u001b[1;34m${patch}\u001b[0m`);
+            } else {
+              const failures = Array.isArray(payload.res) ? payload.res : [payload.res];
+
+              const filteredFailures = failures
+                .filter((r: ResponseItem) => !r.allowed)
+                .map((r: ResponseItem) => r.status.message);
+
+              console.log(
+                `\n${filteredFailures.length > 0 ? "❌" : "✅"}  VALIDATE   ${name} (${uid})`,
+              );
+              console.log(
+                filteredFailures.length > 0 ? `\u001b[1;31m${filteredFailures}\u001b[0m` : "",
+              );
             }
+          } catch {
+            // Do nothing
           }
         }
       });

package/src/lib/assets/deploy.ts

@@ -4,6 +4,7 @@
 import crypto from "crypto";
 import { promises as fs } from "fs";
 import { K8s, kind } from "kubernetes-fluent-client";
+import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
 
 import { Assets } from ".";
 import Log from "../logger";
@@ -84,18 +85,25 @@ export async function deploy(assets: Assets, force: boolean, webhookTimeout?: nu
     throw new Error("No code provided");
   }
 
-  await setupRBAC(name, assets.capabilities, force);
+  await setupRBAC(name, assets.capabilities, force, assets.config);
   await setupController(assets, code, hash, force);
   await setupWatcher(assets, hash, force);
 }
 
-async function setupRBAC(name: string, capabilities: CapabilityExport[], force: boolean) {
+async function setupRBAC(
+  name: string,
+  capabilities: CapabilityExport[],
+  force: boolean,
+  config: { rbacMode?: string; rbac?: PolicyRule[] },
+) {
+  const { rbacMode, rbac } = config;
+
   Log.info("Applying cluster role binding");
   const crb = clusterRoleBinding(name);
   await K8s(kind.ClusterRoleBinding).Apply(crb, { force });
 
   Log.info("Applying cluster role");
-  const cr = clusterRole(name, capabilities);
+  const cr = clusterRole(name, capabilities, rbacMode, rbac);
   await K8s(kind.ClusterRole).Apply(cr, { force });
 
   Log.info("Applying service account");
@@ -135,6 +143,7 @@ async function setupController(assets: Assets, code: Buffer, hash: string, force
   await K8s(kind.Deployment).Apply(dep, { force });
 }
 
+// Setup the watcher deployment and service
 async function setupWatcher(assets: Assets, hash: string, force: boolean) {
   // If the module has a watcher, deploy it
   const watchDeployment = watcher(assets, hash, assets.buildTimestamp);

package/src/lib/assets/helm.ts

@@ -1,6 +1,20 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
+export function clusterRoleTemplate() {
+  return `
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole
+    metadata:
+      name: {{ .Values.uuid }}
+      namespace: pepr-system
+    rules: 
+      {{- if .Values.rbac }}
+      {{- toYaml .Values.rbac | nindent 2 }}
+      {{- end }}
+  `;
+}
+
 export function nsTemplate() {
   return `
     apiVersion: v1

package/src/lib/assets/index.ts

@@ -13,13 +13,20 @@ import { allYaml, zarfYaml, overridesFile, zarfYamlChart } from "./yaml";
 import { namespaceComplianceValidator, replaceString } from "../helpers";
 import { createDirectoryIfNotExists, dedent } from "../helpers";
 import { resolve } from "path";
-import { chartYaml, nsTemplate, admissionDeployTemplate, watcherDeployTemplate, serviceMonitorTemplate } from "./helm";
+import {
+  chartYaml,
+  nsTemplate,
+  admissionDeployTemplate,
+  watcherDeployTemplate,
+  clusterRoleTemplate,
+  serviceMonitorTemplate,
+} from "./helm";
 import { promises as fs } from "fs";
 import { webhookConfig } from "./webhooks";
 import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking";
 import { watcher, moduleSecret } from "./pods";
 
-import { clusterRole, clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";
+import { clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";
 export class Assets {
   readonly name: string;
   readonly tls: TLSOut;
@@ -61,14 +68,14 @@ export class Assets {
 
   zarfYamlChart = (path: string) => zarfYamlChart(this, path);
 
-  allYaml = async (rbacMode: string, imagePullSecret?: string) => {
+  allYaml = async (imagePullSecret?: string) => {
     this.capabilities = await loadCapabilities(this.path);
     // give error if namespaces are not respected
     for (const capability of this.capabilities) {
       namespaceComplianceValidator(capability, this.alwaysIgnore?.namespaces);
     }
 
-    return allYaml(this, rbacMode, imagePullSecret);
+    return allYaml(this, imagePullSecret);
   };
 
   generateHelmChart = async (basePath: string) => {
@@ -123,10 +130,7 @@ export class Assets {
       await fs.writeFile(moduleSecretPath, dumpYaml(moduleSecret(this.name, code, this.hash), { noRefs: true }));
       await fs.writeFile(storeRolePath, dumpYaml(storeRole(this.name), { noRefs: true }));
       await fs.writeFile(storeRoleBindingPath, dumpYaml(storeRoleBinding(this.name), { noRefs: true }));
-      await fs.writeFile(
-        clusterRolePath,
-        dumpYaml(clusterRole(this.name, this.capabilities, "rbac"), { noRefs: true }),
-      );
+      await fs.writeFile(clusterRolePath, dedent(clusterRoleTemplate()));
       await fs.writeFile(clusterRoleBindingPath, dumpYaml(clusterRoleBinding(this.name), { noRefs: true }));
       await fs.writeFile(serviceAccountPath, dumpYaml(serviceAccount(this.name), { noRefs: true }));
 

package/src/lib/assets/rbac.ts

@@ -2,35 +2,63 @@
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
 import { kind } from "kubernetes-fluent-client";
+import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
 import { CapabilityExport } from "../types";
 import { createRBACMap } from "../helpers";
+
 /**
- * Grants the controller access to cluster resources beyond the mutating webhook.
+ * Creates a Kubernetes ClusterRole based on capabilities and optional custom RBAC rules.
  *
- * @todo: should dynamically generate this based on resources used by the module. will also need to explore how this should work for multiple modules.
- * @returns
+ * @param {string} name - The name of the ClusterRole.
+ * @param {CapabilityExport[]} capabilities - Array of capabilities defining RBAC rules.
+ * @param {string} [rbacMode=""] - The RBAC mode; if "scoped", generates scoped rules, otherwise uses wildcard rules.
+ * @returns {kind.ClusterRole} - A Kubernetes ClusterRole object.
  */
-export function clusterRole(name: string, capabilities: CapabilityExport[], rbacMode: string = ""): kind.ClusterRole {
+export function clusterRole(
+  name: string,
+  capabilities: CapabilityExport[],
+  rbacMode: string = "admin",
+  customRbac: PolicyRule[] | undefined,
+): kind.ClusterRole {
+  // Create the RBAC map from capabilities
   const rbacMap = createRBACMap(capabilities);
+
+  // Generate scoped rules from rbacMap
+  const scopedRules = Object.keys(rbacMap).map(key => {
+    let group: string;
+    key.split("/").length < 3 ? (group = "") : (group = key.split("/")[0]);
+
+    return {
+      apiGroups: [group],
+      resources: [rbacMap[key].plural],
+      verbs: rbacMap[key].verbs,
+    };
+  });
+
+  // Merge and deduplicate custom RBAC and scoped rules
+  const mergedRBAC = [...(Array.isArray(customRbac) ? customRbac : []), ...scopedRules];
+  const deduper: Record<string, PolicyRule & { verbs: string[] }> = {};
+
+  mergedRBAC.forEach(rule => {
+    const key = `${rule.apiGroups}/${rule.resources}`;
+    if (deduper[key]) {
+      // Deduplicate verbs
+      deduper[key].verbs = Array.from(new Set([...deduper[key].verbs, ...rule.verbs]));
+    } else {
+      deduper[key] = { ...rule, verbs: rule.verbs || [] };
+    }
+  });
+
+  // Convert deduplicated RBAC rules back to an array
+  const deduplicatedRules = Object.values(deduper);
+
   return {
     apiVersion: "rbac.authorization.k8s.io/v1",
     kind: "ClusterRole",
     metadata: { name },
     rules:
       rbacMode === "scoped"
-        ? [
-            ...Object.keys(rbacMap).map(key => {
-              // let group:string, version:string, kind:string;
-              let group: string;
-              key.split("/").length < 3 ? (group = "") : (group = key.split("/")[0]);
-
-              return {
-                apiGroups: [group],
-                resources: [rbacMap[key].plural],
-                verbs: rbacMap[key].verbs,
-              };
-            }),
-          ]
+        ? deduplicatedRules
         : [
             {
               apiGroups: ["*"],
@@ -41,6 +69,12 @@ export function clusterRole(name: string, capabilities: CapabilityExport[], rbac
   };
 }
 
+/**
+ * Creates a Kubernetes ClusterRoleBinding for a specified ClusterRole.
+ *
+ * @param {string} name - The name of the ClusterRole to bind.
+ * @returns {kind.ClusterRoleBinding} - A Kubernetes ClusterRoleBinding object.
+ */
 export function clusterRoleBinding(name: string): kind.ClusterRoleBinding {
   return {
     apiVersion: "rbac.authorization.k8s.io/v1",
@@ -61,6 +95,12 @@ export function clusterRoleBinding(name: string): kind.ClusterRoleBinding {
   };
 }
 
+/**
+ * Creates a Kubernetes ServiceAccount with the specified name.
+ *
+ * @param {string} name - The name of the ServiceAccount.
+ * @returns {kind.ServiceAccount} - A Kubernetes ServiceAccount object.
+ */
 export function serviceAccount(name: string): kind.ServiceAccount {
   return {
     apiVersion: "v1",
@@ -72,6 +112,12 @@ export function serviceAccount(name: string): kind.ServiceAccount {
   };
 }
 
+/**
+ * Creates a Kubernetes Role for managing peprstores in a specified namespace.
+ *
+ * @param {string} name - The base name of the Role.
+ * @returns {kind.Role} - A Kubernetes Role object for peprstores.
+ */
 export function storeRole(name: string): kind.Role {
   name = `${name}-store`;
   return {
@@ -89,6 +135,12 @@ export function storeRole(name: string): kind.Role {
   };
 }
 
+/**
+ * Creates a Kubernetes RoleBinding for a specified Role in the pepr-system namespace.
+ *
+ * @param {string} name - The base name of the Role to bind.
+ * @returns {kind.RoleBinding} - A Kubernetes RoleBinding object.
+ */
 export function storeRoleBinding(name: string): kind.RoleBinding {
   name = `${name}-store`;
   return {

package/src/lib/assets/webhooks.ts

@@ -10,7 +10,7 @@ import { kind } from "kubernetes-fluent-client";
 import { concat, equals, uniqWith } from "ramda";
 
 import { Assets } from ".";
-import { Event } from "../types";
+import { Event } from "../enums";
 
 const peprIgnoreLabel: V1LabelSelectorRequirement = {
   key: "pepr.dev",

package/src/lib/assets/yaml.ts

@@ -10,9 +10,13 @@ import { deployment, moduleSecret, namespace, watcher } from "./pods";
 import { clusterRole, clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";
 import { webhookConfig } from "./webhooks";
 import { genEnv } from "./pods";
+
 // Helm Chart overrides file (values.yaml) generated from assets
-export async function overridesFile({ hash, name, image, config, apiToken }: Assets, path: string) {
+export async function overridesFile({ hash, name, image, config, apiToken, capabilities }: Assets, path: string) {
+  const rbacOverrides = clusterRole(name, capabilities, config.rbacMode, config.rbac).rules;
+
   const overrides = {
+    rbac: rbacOverrides,
     secrets: {
       apiToken: Buffer.from(apiToken).toString("base64"),
     },
@@ -219,8 +223,8 @@ export function zarfYamlChart({ name, image, config }: Assets, path: string) {
   return dumpYaml(zarfCfg, { noRefs: true });
 }
 
-export async function allYaml(assets: Assets, rbacMode: string, imagePullSecret?: string) {
-  const { name, tls, apiToken, path } = assets;
+export async function allYaml(assets: Assets, imagePullSecret?: string) {
+  const { name, tls, apiToken, path, config } = assets;
   const code = await fs.readFile(path);
 
   // Generate a hash of the code
@@ -232,7 +236,7 @@ export async function allYaml(assets: Assets, rbacMode: string, imagePullSecret?
 
   const resources = [
     namespace(assets.config.customLabels?.namespace),
-    clusterRole(name, assets.capabilities, rbacMode),
+    clusterRole(name, assets.capabilities, config.rbacMode, config.rbac),
     clusterRoleBinding(name),
     serviceAccount(name),
     apiTokenSecret(name, apiToken),

package/src/lib/capability.ts

@@ -1,3 +1,4 @@
+/* eslint-disable max-statements */
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
@@ -7,13 +8,13 @@ import Log from "./logger";
 import { isBuildMode, isDevMode, isWatchMode } from "./module";
 import { PeprStore, Storage } from "./storage";
 import { OnSchedule, Schedule } from "./schedule";
+import { Event } from "./enums";
 import {
   Binding,
   BindingFilter,
   BindingWithName,
   CapabilityCfg,
   CapabilityExport,
-  Event,
   MutateAction,
   MutateActionChain,
   ValidateAction,
@@ -139,10 +140,8 @@ export class Capability implements CapabilityExport {
 
   /**
    * Register the store with the capability. This is called automatically by the Pepr controller.
-   *
-   * @param store
    */
-  registerScheduleStore = () => {
+  registerScheduleStore = (): Storage => {
     Log.info(`Registering schedule store for ${this.#name}`);
 
     if (this.#scheduleRegistered) {
@@ -152,9 +151,7 @@ export class Capability implements CapabilityExport {
     this.#scheduleRegistered = true;
 
     // Pass back any ready callback to the controller
-    return {
-      scheduleStore: this.#scheduleStore,
-    };
+    return this.#scheduleStore;
   };
 
   /**
@@ -162,7 +159,7 @@ export class Capability implements CapabilityExport {
    *
    * @param store
    */
-  registerStore = () => {
+  registerStore = (): Storage => {
     Log.info(`Registering store for ${this.#name}`);
 
     if (this.#registered) {
@@ -172,9 +169,7 @@ export class Capability implements CapabilityExport {
     this.#registered = true;
 
     // Pass back any ready callback to the controller
-    return {
-      store: this.#store,
-    };
+    return this.#store;
   };
 
   /**
@@ -337,7 +332,7 @@ export class Capability implements CapabilityExport {
           event: Event.Update,
           finalizeCallback: async (update: InstanceType<T>, logger = aliasLogger) => {
             Log.info(`Executing finalize action with alias: ${binding.alias || "no alias provided"}`);
-            await finalizeCallback(update, logger);
+            return await finalizeCallback(update, logger);
           },
         };
         bindings.push(watchBinding);

package/src/lib/controller/index.ts

@@ -12,7 +12,7 @@ import { metricsCollector, MetricsCollector } from "../metrics";
 import { ModuleConfig, isWatchMode } from "../module";
 import { mutateProcessor } from "../mutate-processor";
 import { validateProcessor } from "../validate-processor";
-import { PeprControllerStore } from "./store";
+import { StoreController } from "./store";
 import { ResponseItem, AdmissionRequest } from "../types";
 
 if (!process.env.PEPR_NODE_WARNINGS) {
@@ -48,12 +48,12 @@ export class Controller {
     this.#capabilities = capabilities;
 
     // Initialize the Pepr store for each capability
-    new PeprControllerStore(capabilities, `pepr-${config.uuid}-store`, () => {
+    new StoreController(capabilities, `pepr-${config.uuid}-store`, () => {
       this.#bindEndpoints();
       onReady && onReady();
       Log.info("✅ Controller startup complete");
       // Initialize the schedule store for each capability
-      new PeprControllerStore(capabilities, `pepr-${config.uuid}-schedule`, () => {
+      new StoreController(capabilities, `pepr-${config.uuid}-schedule`, () => {
         Log.info("✅ Scheduling processed");
       });
     });