pepr 0.38.3 → 0.39.1

package/src/lib/helpers.ts

@@ -28,7 +28,7 @@ import {
   mismatchedNamespaceRegex,
   unbindableNamespaces,
   uncarryableNamespace,
-} from "./adjudicators";
+} from "./filter/adjudicators";
 
 export function matchesRegex(pattern: string, testString: string): boolean {
   // edge-case
@@ -61,7 +61,7 @@ export function validateHash(expectedHash: string): void {
   }
 }
 
-type RBACMap = {
+export type RBACMap = {
   [key: string]: {
     verbs: string[];
     plural: string;
@@ -170,6 +170,14 @@ export function createRBACMap(capabilities: CapabilityExport[]): RBACMap {
           plural: binding.kind.plural || `${binding.kind.kind.toLowerCase()}s`,
         };
       }
+
+      // Add finalizer rbac
+      if (binding.isFinalize) {
+        acc[key] = {
+          verbs: ["patch"],
+          plural: binding.kind.plural || `${binding.kind.kind.toLowerCase()}s`,
+        };
+      }
     });
 
     return acc;
@@ -267,12 +275,9 @@ export function namespaceComplianceValidator(capability: CapabilityExport, ignor
   ) {
     for (const regexNamespace of bindingRegexNamespaces) {
       let matches = false;
-      for (const capabilityNamespace of capabilityNamespaces) {
-        if (regexNamespace !== "" && matchesRegex(regexNamespace, capabilityNamespace)) {
-          matches = true;
-          break;
-        }
-      }
+      matches =
+        regexNamespace !== "" &&
+        capabilityNamespaces.some(capabilityNamespace => matchesRegex(regexNamespace, capabilityNamespace));
       if (!matches) {
         throw new Error(
           `Ignoring Watch Callback: Object namespace does not match any capability namespace with regex ${regexNamespace}.`,
@@ -288,12 +293,11 @@ export function namespaceComplianceValidator(capability: CapabilityExport, ignor
     ignoredNamespaces.length > 0
   ) {
     for (const regexNamespace of bindingRegexNamespaces) {
-      for (const ignoredNS of ignoredNamespaces) {
-        if (matchesRegex(regexNamespace, ignoredNS)) {
-          throw new Error(
-            `Ignoring Watch Callback: Regex namespace: ${regexNamespace}, is an ignored namespace: ${ignoredNS}.`,
-          );
-        }
+      const matchedNS = ignoredNamespaces.find(ignoredNS => matchesRegex(regexNamespace, ignoredNS));
+      if (matchedNS) {
+        throw new Error(
+          `Ignoring Watch Callback: Regex namespace: ${regexNamespace}, is an ignored namespace: ${matchedNS}.`,
+        );
       }
     }
   }
@@ -381,7 +385,7 @@ export function dedent(file: string) {
 }
 
 export function replaceString(str: string, stringA: string, stringB: string) {
-  //eslint-disable-next-line
+  // eslint-disable-next-line no-useless-escape
   const escapedStringA = stringA.replace(/[-\/\\^$*+?.()|[\]{}]/g, "\\$&");
   const regExp = new RegExp(escapedStringA, "g");
   return str.replace(regExp, stringB);

package/src/lib/k8s.ts

@@ -6,7 +6,7 @@ import { GenericKind, RegisterKind } from "kubernetes-fluent-client";
 /**
  * PeprStore for internal use by Pepr. This is used to store arbitrary data in the cluster.
  */
-export class PeprStore extends GenericKind {
+export class Store extends GenericKind {
   declare data: {
     [key: string]: string;
   };
@@ -18,7 +18,7 @@ export const peprStoreGVK = {
   group: "pepr.dev",
 };
 
-RegisterKind(PeprStore, peprStoreGVK);
+RegisterKind(Store, peprStoreGVK);
 
 export interface MutateResponse {
   /** UID is an identifier for the individual request/response. This must be copied over from the corresponding AdmissionRequest. */

package/src/lib/logger.ts

@@ -1,9 +1,12 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
+import { Operation } from "fast-json-patch";
 import { pino, stdTimeFunctions } from "pino";
+import { Store } from "./k8s";
 
 const isPrettyLog = process.env.PEPR_PRETTY_LOGS === "true";
+const redactedValue = "**redacted**";
 
 const pretty = {
   target: "pino-pretty",
@@ -24,4 +27,42 @@ const Log = pino({
 if (process.env.LOG_LEVEL) {
   Log.level = process.env.LOG_LEVEL;
 }
+
+export function redactedStore(store: Store): Store {
+  const redacted = process.env.PEPR_STORE_REDACT_VALUES === "true";
+  return {
+    ...store,
+    data: Object.keys(store.data).reduce((acc: Record<string, string>, key: string) => {
+      acc[key] = redacted ? redactedValue : store.data[key];
+      return acc;
+    }, {}),
+  };
+}
+
+export function redactedPatch(patch: Record<string, Operation> = {}): Record<string, Operation> {
+  const redacted = process.env.PEPR_STORE_REDACT_VALUES === "true";
+
+  if (!redacted) {
+    return patch;
+  }
+
+  const redactedCache: Record<string, Operation> = {};
+
+  Object.entries(patch).forEach(([key, operation]) => {
+    const isRedacted = key.includes(":");
+    const targetKey = isRedacted ? `${key.substring(0, key.lastIndexOf(":"))}:**redacted**` : key;
+
+    const redactedOperation = isRedacted
+      ? {
+          ...operation,
+          ...(Object.hasOwn(operation, "value") ? { value: redactedValue } : {}),
+        }
+      : operation;
+
+    redactedCache[targetKey] = redactedOperation;
+  });
+
+  return redactedCache;
+}
+
 export default Log;

package/src/lib/metrics.ts

@@ -173,7 +173,9 @@ export class MetricsCollector {
 
     if (maxCacheMissWindows !== undefined && this.#cacheMissWindows.size >= maxCacheMissWindows) {
       const firstKey = this.#cacheMissWindows.keys().next().value;
-      this.#cacheMissWindows.delete(firstKey);
+      if (firstKey !== undefined) {
+        this.#cacheMissWindows.delete(firstKey);
+      }
       this.#gauges.get(this.#getMetricName(this.#metricNames.cacheMiss))?.remove({ window: firstKey });
     }
   };

package/src/lib/module.ts

@@ -8,6 +8,7 @@ import { MutateResponse, ValidateResponse, WebhookIgnore } from "./k8s";
 import { CapabilityExport, AdmissionRequest } from "./types";
 import { setupWatch } from "./watch-processor";
 import { Log } from "../lib";
+import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
 
 /** Custom Labels Type for package.json */
 export interface CustomLabels {
@@ -35,6 +36,10 @@ export type ModuleConfig = {
   env?: Record<string, string>;
   /** Custom Labels for Kubernetes Objects */
   customLabels?: CustomLabels;
+  /** Custom RBAC rules */
+  rbac?: PolicyRule[];
+  /** The RBAC mode; if "scoped", generates scoped rules, otherwise uses wildcard rules. */
+  rbacMode?: string;
 };
 
 export type PackageJSON = {

package/src/lib/mutate-processor.ts

@@ -6,7 +6,7 @@ import { kind } from "kubernetes-fluent-client";
 
 import { Capability } from "./capability";
 import { Errors } from "./errors";
-import { shouldSkipRequest } from "./filter";
+import { shouldSkipRequest } from "./filter/filter";
 import { MutateResponse } from "./k8s";
 import { AdmissionRequest } from "./types";
 import Log from "./logger";
@@ -89,17 +89,7 @@ export async function mutateProcessor(
         updateStatus("warning");
         response.warnings = response.warnings || [];
 
-        let errorMessage = "";
-
-        try {
-          if (e.message && e.message !== "[object Object]") {
-            errorMessage = e.message;
-          } else {
-            throw new Error("An error occurred in the mutate action.");
-          }
-        } catch (e) {
-          errorMessage = "An error occurred with the mutate action.";
-        }
+        const errorMessage = logMutateErrorMessage(e);
 
         // Log on failure
         Log.error(actionMetadata, `Action failed: ${errorMessage}`);
@@ -161,3 +151,15 @@ export async function mutateProcessor(
 
   return response;
 }
+
+const logMutateErrorMessage = (e: Error): string => {
+  try {
+    if (e.message && e.message !== "[object Object]") {
+      return e.message;
+    } else {
+      throw new Error("An error occurred in the mutate action.");
+    }
+  } catch (e) {
+    return "An error occurred with the mutate action.";
+  }
+};

package/src/lib/mutate-request.ts

@@ -1,54 +1,34 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
+import { AdmissionRequest, DeepPartial } from "./types";
+import { Operation } from "./enums";
 import { KubernetesObject } from "kubernetes-fluent-client";
 import { clone, mergeDeepRight } from "ramda";
-import { Operation, AdmissionRequest, DeepPartial } from "./types";
 
-/**
- * The RequestWrapper class provides methods to modify Kubernetes objects in the context
- * of a mutating webhook request.
- */
+// PeprMutateRequest class for mutation request handling
 export class PeprMutateRequest<T extends KubernetesObject> {
   Raw: T;
-
   #input: AdmissionRequest<T>;
 
   get PermitSideEffects() {
     return !this.#input.dryRun;
   }
 
-  /**
-   * Indicates whether the request is a dry run.
-   * @returns true if the request is a dry run, false otherwise.
-   */
   get IsDryRun() {
     return this.#input.dryRun;
   }
 
-  /**
-   * Provides access to the old resource in the request if available.
-   * @returns The old Kubernetes resource object or null if not available.
-   */
   get OldResource() {
     return this.#input.oldObject;
   }
 
-  /**
-   * Provides access to the request object.
-   * @returns The request object containing the Kubernetes resource.
-   */
   get Request() {
     return this.#input;
   }
 
-  /**
-   * Creates a new instance of the action class.
-   * @param input - The request object containing the Kubernetes resource to modify.
-   */
   constructor(input: AdmissionRequest<T>) {
     this.#input = input;
-
     // If this is a DELETE operation, use the oldObject instead
     if (input.operation.toUpperCase() === Operation.DELETE) {
       this.Raw = clone(input.oldObject as T);
@@ -58,93 +38,48 @@ export class PeprMutateRequest<T extends KubernetesObject> {
     }
 
     if (!this.Raw) {
-      throw new Error("unable to load the request object into PeprRequest.RawP");
+      throw new Error("Unable to load the request object into PeprRequest.Raw");
     }
   }
 
-  /**
-   * Deep merges the provided object with the current resource.
-   *
-   * @param obj - The object to merge with the current resource.
-   */
   Merge = (obj: DeepPartial<T>) => {
     this.Raw = mergeDeepRight(this.Raw, obj) as unknown as T;
   };
 
-  /**
-   * Updates a label on the Kubernetes resource.
-   * @param key - The key of the label to update.
-   * @param value - The value of the label.
-   * @returns The current action instance for method chaining.
-   */
   SetLabel = (key: string, value: string) => {
     const ref = this.Raw;
-
     ref.metadata = ref.metadata ?? {};
     ref.metadata.labels = ref.metadata.labels ?? {};
     ref.metadata.labels[key] = value;
-
     return this;
   };
 
-  /**
-   * Updates an annotation on the Kubernetes resource.
-   * @param key - The key of the annotation to update.
-   * @param value - The value of the annotation.
-   * @returns The current action instance for method chaining.
-   */
   SetAnnotation = (key: string, value: string) => {
     const ref = this.Raw;
-
     ref.metadata = ref.metadata ?? {};
     ref.metadata.annotations = ref.metadata.annotations ?? {};
     ref.metadata.annotations[key] = value;
-
     return this;
   };
 
-  /**
-   * Removes a label from the Kubernetes resource.
-   * @param key - The key of the label to remove.
-   * @returns The current Action instance for method chaining.
-   */
   RemoveLabel = (key: string) => {
     if (this.Raw.metadata?.labels?.[key]) {
       delete this.Raw.metadata.labels[key];
     }
-
     return this;
   };
 
-  /**
-   * Removes an annotation from the Kubernetes resource.
-   * @param key - The key of the annotation to remove.
-   * @returns The current Action instance for method chaining.
-   */
   RemoveAnnotation = (key: string) => {
     if (this.Raw.metadata?.annotations?.[key]) {
       delete this.Raw.metadata.annotations[key];
     }
-
     return this;
   };
 
-  /**
-   * Check if a label exists on the Kubernetes resource.
-   *
-   * @param key the label key to check
-   * @returns
-   */
   HasLabel = (key: string) => {
     return this.Raw.metadata?.labels?.[key] !== undefined;
   };
 
-  /**
-   * Check if an annotation exists on the Kubernetes resource.
-   *
-   * @param key the annotation key to check
-   * @returns
-   */
   HasAnnotation = (key: string) => {
     return this.Raw.metadata?.annotations?.[key] !== undefined;
   };

package/src/lib/types.ts

@@ -2,20 +2,13 @@
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
 import { GenericClass, GroupVersionKind, KubernetesObject } from "kubernetes-fluent-client";
-
+import { Event, Operation } from "./enums";
 import { WatchPhase } from "kubernetes-fluent-client/dist/fluent/types";
-
+import { Logger } from "pino";
 import { PeprMutateRequest } from "./mutate-request";
 import { PeprValidateRequest } from "./validate-request";
+import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
 
-import { Logger } from "pino";
-
-export enum Operation {
-  CREATE = "CREATE",
-  UPDATE = "UPDATE",
-  DELETE = "DELETE",
-  CONNECT = "CONNECT",
-}
 /**
  * Specifically for deploying images with a private registry
  */
@@ -40,23 +33,6 @@ export interface ResponseItem {
     message: string;
   };
 }
-/**
- * Recursively make all properties in T optional.
- */
-export type DeepPartial<T> = {
-  [P in keyof T]?: T[P] extends object ? DeepPartial<T[P]> : T[P];
-};
-
-/**
- * The type of Kubernetes mutating webhook event that the action is registered for.
- */
-export enum Event {
-  Create = "CREATE",
-  Update = "UPDATE",
-  Delete = "DELETE",
-  CreateOrUpdate = "CREATEORUPDATE",
-  Any = "*",
-}
 
 export interface CapabilityCfg {
   /**
@@ -77,6 +53,7 @@ export interface CapabilityCfg {
 export interface CapabilityExport extends CapabilityCfg {
   bindings: Binding[];
   hasSchedule: boolean;
+  rbac?: PolicyRule[];
 }
 
 export type WhenSelector<T extends GenericClass> = {
@@ -267,7 +244,7 @@ export type ValidateActionResponse = {
 export type FinalizeAction<T extends GenericClass, K extends KubernetesObject = InstanceType<T>> = (
   update: K,
   logger?: Logger,
-) => Promise<void> | void;
+) => Promise<boolean | void> | boolean | void;
 
 export type FinalizeActionChain<T extends GenericClass> = {
   /**
@@ -373,3 +350,7 @@ export interface GroupVersionResource {
   readonly version: string;
   readonly resource: string;
 }
+// DeepPartial utility type for deep optional properties
+export type DeepPartial<T> = {
+  [P in keyof T]?: T[P] extends object ? DeepPartial<T[P]> : T[P];
+};

package/src/lib/validate-processor.ts

@@ -4,7 +4,7 @@
 import { kind } from "kubernetes-fluent-client";
 
 import { Capability } from "./capability";
-import { shouldSkipRequest } from "./filter";
+import { shouldSkipRequest } from "./filter/filter";
 import { ValidateResponse } from "./k8s";
 import { AdmissionRequest } from "./types";
 import Log from "./logger";

package/src/lib/validate-request.ts

@@ -6,8 +6,9 @@
 import { KubernetesObject } from "kubernetes-fluent-client";
 
 import { clone } from "ramda";
-import { AdmissionRequest, Operation } from "./types";
+import { AdmissionRequest } from "./types";
 import { ValidateActionResponse } from "./types";
+import { Operation } from "./enums";
 
 /**
  * The RequestWrapper class provides methods to modify Kubernetes objects in the context

package/src/lib/watch-processor.ts

@@ -7,7 +7,8 @@ import { filterNoMatchReason } from "./helpers";
 import { removeFinalizer } from "./finalizer";
 import Log from "./logger";
 import { Queue } from "./queue";
-import { Binding, Event } from "./types";
+import { Binding } from "./types";
+import { Event } from "./enums";
 import { metricsCollector } from "./metrics";
 
 // stores Queue instances
@@ -49,7 +50,7 @@ export function getOrCreateQueue(obj: KubernetesObject) {
 
 // Watch configuration
 const watchCfg: WatchCfg = {
-  useHTTP2: process.env.PEPR_HTTP2_WATCH === "true",
+  useLegacyWatch: process.env.PEPR_USE_LEGACY_WATCH === "true",
   resyncFailureMax: process.env.PEPR_RESYNC_FAILURE_MAX ? parseInt(process.env.PEPR_RESYNC_FAILURE_MAX, 10) : 5,
   resyncDelaySec: process.env.PEPR_RESYNC_DELAY_SECONDS ? parseInt(process.env.PEPR_RESYNC_DELAY_SECONDS, 10) : 5,
   lastSeenLimitSeconds: process.env.PEPR_LAST_SEEN_LIMIT_SECONDS
@@ -95,29 +96,20 @@ async function runBinding(binding: Binding, capabilityNamespaces: string[], igno
   // The watch callback is run when an object is received or dequeued
   Log.debug({ watchCfg }, "Effective WatchConfig");
 
-  const watchCallback = async (obj: KubernetesObject, phase: WatchPhase) => {
+  const watchCallback = async (kubernetesObject: KubernetesObject, phase: WatchPhase) => {
     // First, filter the object based on the phase
     if (phaseMatch.includes(phase)) {
       try {
         // Then, check if the object matches the filter
-        const filterMatch = filterNoMatchReason(binding, obj, capabilityNamespaces, ignoredNamespaces);
-        if (filterMatch === "") {
-          if (binding.isFinalize) {
-            if (!obj.metadata?.deletionTimestamp) {
-              return;
-            }
-            try {
-              await binding.finalizeCallback?.(obj);
-
-              // irrespective of callback success / failure, remove pepr finalizer
-            } finally {
-              await removeFinalizer(binding, obj);
-            }
-          } else {
-            await binding.watchCallback?.(obj, phase);
-          }
-        } else {
+        const filterMatch = filterNoMatchReason(binding, kubernetesObject, capabilityNamespaces, ignoredNamespaces);
+        if (filterMatch !== "") {
           Log.debug(filterMatch);
+          return;
+        }
+        if (binding.isFinalize) {
+          await handleFinalizerRemoval(kubernetesObject);
+        } else {
+          await binding.watchCallback?.(kubernetesObject, phase);
         }
       } catch (e) {
         // Errors in the watch callback should not crash the controller
@@ -126,6 +118,28 @@ async function runBinding(binding: Binding, capabilityNamespaces: string[], igno
     }
   };
 
+  const handleFinalizerRemoval = async (kubernetesObject: KubernetesObject) => {
+    if (!kubernetesObject.metadata?.deletionTimestamp) {
+      return;
+    }
+    let shouldRemoveFinalizer: boolean | void | undefined = true;
+    try {
+      shouldRemoveFinalizer = await binding.finalizeCallback?.(kubernetesObject);
+
+      // if not opt'ed out of / if in error state, remove pepr finalizer
+    } finally {
+      const peprFinal = "pepr.dev/finalizer";
+      const meta = kubernetesObject.metadata!;
+      const resource = `${meta.namespace || "ClusterScoped"}/${meta.name}`;
+
+      // [ true, void, undefined ] SHOULD remove finalizer
+      // [ false ] should NOT remove finalizer
+      shouldRemoveFinalizer === false
+        ? Log.debug({ obj: kubernetesObject }, `Skipping removal of finalizer '${peprFinal}' from '${resource}'`)
+        : await removeFinalizer(binding, kubernetesObject);
+    }
+  };
+
   // Setup the resource watch
   const watcher = K8s(binding.model, binding.filters).Watch(async (obj, phase) => {
     Log.debug(obj, `Watch event ${phase} received`);