pepr 0.38.3 → 0.39.1

package/src/lib/controller/store.ts

@@ -6,15 +6,15 @@ import { K8s } from "kubernetes-fluent-client";
 import { startsWith } from "ramda";
 
 import { Capability } from "../capability";
-import { PeprStore } from "../k8s";
-import Log from "../logger";
+import { Store } from "../k8s";
+import Log, { redactedPatch, redactedStore } from "../logger";
 import { DataOp, DataSender, DataStore, Storage } from "../storage";
+import { fillStoreCache, sendUpdatesAndFlushCache } from "./storeCache";
 
-const redactedValue = "**redacted**";
 const namespace = "pepr-system";
 export const debounceBackoff = 5000;
 
-export class PeprControllerStore {
+export class StoreController {
   #name: string;
   #stores: Record<string, Storage> = {};
   #sendDebounce: NodeJS.Timeout | undefined;
@@ -23,124 +23,53 @@ export class PeprControllerStore {
   constructor(capabilities: Capability[], name: string, onReady?: () => void) {
     this.#onReady = onReady;
 
-    // Setup Pepr State bindings
     this.#name = name;
 
+    const setStorageInstance = (registrationFunction: () => Storage, name: string) => {
+      const scheduleStore = registrationFunction();
+
+      // Bind the store sender to the capability
+      scheduleStore.registerSender(this.#send(name));
+
+      // Store the storage instance
+      this.#stores[name] = scheduleStore;
+    };
+
     if (name.includes("schedule")) {
       // Establish the store for each capability
       for (const { name, registerScheduleStore, hasSchedule } of capabilities) {
-        // Guard Clause to exit  early
-        if (hasSchedule !== true) {
-          continue;
+        if (hasSchedule === true) {
+          // Register the scheduleStore with the capability
+          setStorageInstance(registerScheduleStore, name);
         }
-        // Register the scheduleStore with the capability
-        const { scheduleStore } = registerScheduleStore();
-
-        // Bind the store sender to the capability
-        scheduleStore.registerSender(this.#send(name));
-
-        // Store the storage instance
-        this.#stores[name] = scheduleStore;
       }
     } else {
       // Establish the store for each capability
       for (const { name, registerStore } of capabilities) {
-        // Register the store with the capability
-        const { store } = registerStore();
-
-        // Bind the store sender to the capability
-        store.registerSender(this.#send(name));
-
-        // Store the storage instance
-        this.#stores[name] = store;
+        setStorageInstance(registerStore, name);
       }
     }
 
-    // Add a jitter to the Store creation to avoid collisions
     setTimeout(
       () =>
-        K8s(PeprStore)
+        K8s(Store)
           .InNamespace(namespace)
           .Get(this.#name)
-          // If the get succeeds, migrate and setup the watch
-          .then(async (store: PeprStore) => await this.#migrateAndSetupWatch(store))
-          // Otherwise, create the resource
+          .then(async (store: Store) => await this.#migrateAndSetupWatch(store))
           .catch(this.#createStoreResource),
-      Math.random() * 3000,
+      Math.random() * 3000, // Add a jitter to the Store creation to avoid collisions
     );
   }
 
   #setupWatch = () => {
-    const watcher = K8s(PeprStore, { name: this.#name, namespace }).Watch(this.#receive);
+    const watcher = K8s(Store, { name: this.#name, namespace }).Watch(this.#receive);
     watcher.start().catch(e => Log.error(e, "Error starting Pepr store watch"));
   };
 
-  #migrateAndSetupWatch = async (store: PeprStore) => {
+  #migrateAndSetupWatch = async (store: Store) => {
     Log.debug(redactedStore(store), "Pepr Store migration");
     const data: DataStore = store.data || {};
-    const migrateCache: Record<string, Operation> = {};
-
-    // Send the cached updates to the cluster
-    const flushCache = async () => {
-      const indexes = Object.keys(migrateCache);
-      const payload = Object.values(migrateCache);
-
-      // Loop over each key in the cache and delete it to avoid collisions with other sender calls
-      for (const idx of indexes) {
-        delete migrateCache[idx];
-      }
-
-      try {
-        // Send the patch to the cluster
-        if (payload.length > 0) {
-          await K8s(PeprStore, { namespace, name: this.#name }).Patch(payload);
-        }
-      } catch (err) {
-        Log.error(err, "Pepr store update failure");
-
-        if (err.status === 422) {
-          Object.keys(migrateCache).forEach(key => delete migrateCache[key]);
-        } else {
-          // On failure to update, re-add the operations to the cache to be retried
-          for (const idx of indexes) {
-            migrateCache[idx] = payload[Number(idx)];
-          }
-        }
-      }
-    };
-
-    const fillCache = (name: string, op: DataOp, key: string[], val?: string) => {
-      if (op === "add") {
-        // adjust the path for the capability
-        const path = `/data/${name}-v2-${key}`;
-        const value = val || "";
-        const cacheIdx = [op, path, value].join(":");
-
-        // Add the operation to the cache
-        migrateCache[cacheIdx] = { op, path, value };
-
-        return;
-      }
-
-      if (op === "remove") {
-        if (key.length < 1) {
-          throw new Error(`Key is required for REMOVE operation`);
-        }
-
-        for (const k of key) {
-          const path = `/data/${name}-${k}`;
-          const cacheIdx = [op, path].join(":");
-
-          // Add the operation to the cache
-          migrateCache[cacheIdx] = { op, path };
-        }
-
-        return;
-      }
-
-      // If we get here, the operation is not supported
-      throw new Error(`Unsupported operation: ${op}`);
-    };
+    let storeCache: Record<string, Operation> = {};
 
     for (const name of Object.keys(this.#stores)) {
       // Get the prefix offset for the keys
@@ -151,16 +80,23 @@ export class PeprControllerStore {
         // Match on the capability name as a prefix for non v2 keys
         if (startsWith(name, key) && !startsWith(`${name}-v2`, key)) {
           // populate migrate cache
-          fillCache(name, "remove", [key.slice(offset)], data[key]);
-          fillCache(name, "add", [key.slice(offset)], data[key]);
+          storeCache = fillStoreCache(storeCache, name, "remove", {
+            key: [key.slice(offset)],
+            value: data[key],
+          });
+          storeCache = fillStoreCache(storeCache, name, "add", {
+            key: [key.slice(offset)],
+            value: data[key],
+            version: "v2",
+          });
         }
       }
     }
-    await flushCache();
+    storeCache = await sendUpdatesAndFlushCache(storeCache, namespace, this.#name);
     this.#setupWatch();
   };
 
-  #receive = (store: PeprStore) => {
+  #receive = (store: Store) => {
     Log.debug(redactedStore(store), "Pepr Store update");
 
     // Wrap the update in a debounced function
@@ -202,81 +138,18 @@ export class PeprControllerStore {
   };
 
   #send = (capabilityName: string) => {
-    const sendCache: Record<string, Operation> = {};
-
-    // Load the sendCache with patch operations
-    const fillCache = (op: DataOp, key: string[], val?: string) => {
-      if (op === "add") {
-        // adjust the path for the capability
-        const path = `/data/${capabilityName}-${key}`;
-        const value = val || "";
-        const cacheIdx = [op, path, value].join(":");
-
-        // Add the operation to the cache
-        sendCache[cacheIdx] = { op, path, value };
-
-        return;
-      }
-
-      if (op === "remove") {
-        if (key.length < 1) {
-          throw new Error(`Key is required for REMOVE operation`);
-        }
-
-        for (const k of key) {
-          const path = `/data/${capabilityName}-${k}`;
-          const cacheIdx = [op, path].join(":");
-
-          // Add the operation to the cache
-          sendCache[cacheIdx] = { op, path };
-        }
-
-        return;
-      }
-
-      // If we get here, the operation is not supported
-      throw new Error(`Unsupported operation: ${op}`);
-    };
-
-    // Send the cached updates to the cluster
-    const flushCache = async () => {
-      const indexes = Object.keys(sendCache);
-      const payload = Object.values(sendCache);
-
-      // Loop over each key in the cache and delete it to avoid collisions with other sender calls
-      for (const idx of indexes) {
-        delete sendCache[idx];
-      }
-
-      try {
-        // Send the patch to the cluster
-        if (payload.length > 0) {
-          await K8s(PeprStore, { namespace, name: this.#name }).Patch(payload);
-        }
-      } catch (err) {
-        Log.error(err, "Pepr store update failure");
-
-        if (err.status === 422) {
-          Object.keys(sendCache).forEach(key => delete sendCache[key]);
-        } else {
-          // On failure to update, re-add the operations to the cache to be retried
-          for (const idx of indexes) {
-            sendCache[idx] = payload[Number(idx)];
-          }
-        }
-      }
-    };
+    let storeCache: Record<string, Operation> = {};
 
     // Create a sender function for the capability to add/remove data from the store
-    const sender: DataSender = async (op: DataOp, key: string[], val?: string) => {
-      fillCache(op, key, val);
+    const sender: DataSender = async (op: DataOp, key: string[], value?: string) => {
+      storeCache = fillStoreCache(storeCache, capabilityName, op, { key, value });
     };
 
     // Send any cached updates every debounceBackoff milliseconds
     setInterval(() => {
-      if (Object.keys(sendCache).length > 0) {
-        Log.debug(redactedPatch(sendCache), "Sending updates to Pepr store");
-        void flushCache();
+      if (Object.keys(storeCache).length > 0) {
+        Log.debug(redactedPatch(storeCache), "Sending updates to Pepr store");
+        void sendUpdatesAndFlushCache(storeCache, namespace, this.#name);
       }
     }, debounceBackoff);
 
@@ -288,7 +161,7 @@ export class PeprControllerStore {
     Log.debug(e);
 
     try {
-      await K8s(PeprStore).Apply({
+      await K8s(Store).Apply({
         metadata: {
           name: this.#name,
           namespace,
@@ -306,36 +179,3 @@ export class PeprControllerStore {
     }
   };
 }
-
-export function redactedStore(store: PeprStore): PeprStore {
-  const redacted = process.env.PEPR_STORE_REDACT_VALUES === "true";
-  return {
-    ...store,
-    data: Object.keys(store.data).reduce((acc: Record<string, string>, key: string) => {
-      acc[key] = redacted ? redactedValue : store.data[key];
-      return acc;
-    }, {}),
-  };
-}
-
-export function redactedPatch(patch: Record<string, Operation> = {}): Record<string, Operation> {
-  const redacted = process.env.PEPR_STORE_REDACT_VALUES === "true";
-
-  if (!redacted) {
-    return patch;
-  }
-
-  const redactedCache: Record<string, Operation> = {};
-
-  Object.keys(patch).forEach(key => {
-    const operation = patch[key];
-    const redactedKey = key.includes(":") ? key.substring(0, key.lastIndexOf(":")) + ":**redacted**" : key;
-    const redactedOperation: Operation = {
-      ...operation,
-      ...("value" in operation ? { value: "**redacted**" } : {}),
-    };
-    redactedCache[redactedKey] = redactedOperation;
-  });
-
-  return redactedCache;
-}

package/src/lib/controller/storeCache.ts

@@ -0,0 +1,63 @@
+import { DataOp } from "../storage";
+import Log from "../logger";
+import { K8s } from "kubernetes-fluent-client";
+import { Store } from "../k8s";
+import { StatusCodes } from "http-status-codes";
+import { Operation } from "fast-json-patch";
+
+export const sendUpdatesAndFlushCache = async (cache: Record<string, Operation>, namespace: string, name: string) => {
+  const indexes = Object.keys(cache);
+  const payload = Object.values(cache);
+
+  try {
+    if (payload.length > 0) {
+      await K8s(Store, { namespace, name }).Patch(payload); // Send patch to cluster
+      Object.keys(cache).forEach(key => delete cache[key]);
+    }
+  } catch (err) {
+    Log.error(err, "Pepr store update failure");
+
+    if (err.status === StatusCodes.UNPROCESSABLE_ENTITY) {
+      Object.keys(cache).forEach(key => delete cache[key]);
+    } else {
+      indexes.forEach(index => {
+        cache[index] = payload[Number(index)]; // On failure to update, re-add the operations to the cache to be retried
+      });
+    }
+  }
+  return cache;
+};
+
+type CacheItem = {
+  key: string[];
+  value?: string;
+  version?: string;
+};
+
+export const fillStoreCache = (
+  cache: Record<string, Operation>,
+  capabilityName: string,
+  op: DataOp,
+  cacheItem: CacheItem,
+): Record<string, Operation> => {
+  const path = [`/data/${capabilityName}`, cacheItem.version, cacheItem.key] // adjust the path, see ADR-0008
+    .filter(str => str !== "" && str !== undefined)
+    .join("-");
+  if (op === "add") {
+    const value = cacheItem.value || "";
+    const cacheIdx = [op, path, value].join(":");
+
+    // Add the operation to the cache
+    cache[cacheIdx] = { op, path, value };
+  } else if (op === "remove") {
+    if (cacheItem.key.length < 1) {
+      throw new Error(`Key is required for REMOVE operation`);
+    }
+    const cacheIndex = [op, path].join(":");
+    // Add the operation to the cache
+    cache[cacheIndex] = { op, path };
+  } else {
+    throw new Error(`Unsupported operation: ${op}`);
+  }
+  return cache;
+};

package/src/lib/enums.ts

@@ -0,0 +1,21 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+// Operation type for mutation operations
+export enum Operation {
+  CREATE = "CREATE",
+  UPDATE = "UPDATE",
+  DELETE = "DELETE",
+  CONNECT = "CONNECT",
+}
+
+/**
+ * The type of Kubernetes mutating webhook event that the action is registered for.
+ */
+export enum Event {
+  Create = "CREATE",
+  Update = "UPDATE",
+  Delete = "DELETE",
+  CreateOrUpdate = "CREATEORUPDATE",
+  Any = "*",
+}

package/src/lib/{adjudicators.ts → filter/adjudicators.ts}

@@ -1,7 +1,8 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-import { Event, Operation } from "./types";
+import { Event, Operation } from "../enums";
+import { AdmissionRequest } from "../../lib/types";
 import {
   __,
   allPass,
@@ -18,6 +19,7 @@ import {
   nthArg,
   pipe,
 } from "ramda";
+import { KubernetesObject } from "kubernetes-fluent-client";
 
 /*
   Naming scheme:
@@ -29,34 +31,52 @@ import {
 /*
   AdmissionRequest collectors
 */
-export const declaredOperation = pipe(request => request?.operation, defaultTo(""));
-export const declaredGroup = pipe(request => request?.kind?.group, defaultTo(""));
-export const declaredVersion = pipe(request => request?.kind?.version, defaultTo(""));
-export const declaredKind = pipe(request => request?.kind?.kind, defaultTo(""));
-export const declaredUid = pipe(request => request?.uid, defaultTo(""));
+export const declaredOperation = pipe(
+  (request: AdmissionRequest<KubernetesObject>): Operation => request?.operation,
+  defaultTo(""),
+);
+export const declaredGroup = pipe(
+  (request: AdmissionRequest<KubernetesObject>): string => request?.kind?.group,
+  defaultTo(""),
+);
+export const declaredVersion = pipe(
+  (request: AdmissionRequest<KubernetesObject>): string | undefined => request?.kind?.version,
+  defaultTo(""),
+);
+export const declaredKind = pipe(
+  (request: AdmissionRequest<KubernetesObject>): string => request?.kind?.kind,
+  defaultTo(""),
+);
+export const declaredUid = pipe((request: AdmissionRequest<KubernetesObject>): string => request?.uid, defaultTo(""));
 
 /*
   KubernetesObject collectors
 */
-export const carriesDeletionTimestamp = pipe(obj => !!obj.metadata?.deletionTimestamp, defaultTo(false));
+export const carriesDeletionTimestamp = pipe(
+  kubernetesObject => !!kubernetesObject.metadata?.deletionTimestamp,
+  defaultTo(false),
+);
 export const missingDeletionTimestamp = complement(carriesDeletionTimestamp);
 
-export const carriedName = pipe(obj => obj?.metadata?.name, defaultTo(""));
+export const carriedKind = pipe(kubernetesObject => kubernetesObject?.metadata?.kind, defaultTo("not set"));
+export const carriedVersion = pipe(kubernetesObject => kubernetesObject?.metadata?.version, defaultTo("not set"));
+export const carriedName = pipe(kubernetesObject => kubernetesObject?.metadata?.name, defaultTo(""));
 export const carriesName = pipe(carriedName, equals(""), not);
 export const missingName = complement(carriesName);
 
-export const carriedNamespace = pipe(obj => obj?.metadata?.namespace, defaultTo(""));
+export const carriedNamespace = pipe(kubernetesObject => kubernetesObject?.metadata?.namespace, defaultTo(""));
 export const carriesNamespace = pipe(carriedNamespace, equals(""), not);
 
-export const carriedAnnotations = pipe(obj => obj?.metadata?.annotations, defaultTo({}));
+export const carriedAnnotations = pipe(kubernetesObject => kubernetesObject?.metadata?.annotations, defaultTo({}));
 export const carriesAnnotations = pipe(carriedAnnotations, equals({}), not);
 
-export const carriedLabels = pipe(obj => obj?.metadata?.labels, defaultTo({}));
+export const carriedLabels = pipe(kubernetesObject => kubernetesObject?.metadata?.labels, defaultTo({}));
 export const carriesLabels = pipe(carriedLabels, equals({}), not);
 
 /*
   Binding collectors
 */
+
 export const definesDeletionTimestamp = pipe(binding => binding?.filters?.deletionTimestamp, defaultTo(false));
 export const ignoresDeletionTimestamp = complement(definesDeletionTimestamp);
 
@@ -112,7 +132,7 @@ export const definedCallback = pipe(binding => {
     null
   );
 });
-export const definedCallbackName = pipe(definedCallback, defaultTo({ name: "" }), cb => cb.name);
+export const definedCallbackName = pipe(definedCallback, defaultTo({ name: "" }), callback => callback.name);
 
 /*
   post-collection comparitors
@@ -124,32 +144,32 @@ export const mismatchedDeletionTimestamp = allPass([
 
 export const mismatchedName = allPass([
   pipe(nthArg(0), definesName),
-  pipe((bnd, obj) => definedName(bnd) !== carriedName(obj)),
+  pipe((binding, kubernetesObject) => definedName(binding) !== carriedName(kubernetesObject)),
 ]);
 
 export const mismatchedNameRegex = allPass([
   pipe(nthArg(0), definesNameRegex),
-  pipe((bnd, obj) => new RegExp(definedNameRegex(bnd)).test(carriedName(obj)), not),
+  pipe((binding, kubernetesObject) => new RegExp(definedNameRegex(binding)).test(carriedName(kubernetesObject)), not),
 ]);
 
 export const bindsToKind = curry(
-  allPass([pipe(nthArg(0), definedKind, equals(""), not), pipe((bnd, knd) => definedKind(bnd) === knd)]),
+  allPass([pipe(nthArg(0), definedKind, equals(""), not), pipe((binding, kind) => definedKind(binding) === kind)]),
 );
 export const bindsToNamespace = curry(pipe(bindsToKind(__, "Namespace")));
 export const misboundNamespace = allPass([bindsToNamespace, definesNamespaces]);
 
 export const mismatchedNamespace = allPass([
   pipe(nthArg(0), definesNamespaces),
-  pipe((bnd, obj) => definedNamespaces(bnd).includes(carriedNamespace(obj)), not),
+  pipe((binding, kubernetesObject) => definedNamespaces(binding).includes(carriedNamespace(kubernetesObject)), not),
 ]);
 
 export const mismatchedNamespaceRegex = allPass([
   pipe(nthArg(0), definesNamespaceRegexes),
-  pipe((bnd, obj) =>
+  pipe((binding, kubernetesObject) =>
     pipe(
-      any((rex: string) => new RegExp(rex).test(carriedNamespace(obj))),
+      any((regEx: string) => new RegExp(regEx).test(carriedNamespace(kubernetesObject))),
       not,
-    )(definedNamespaceRegexes(bnd)),
+    )(definedNamespaceRegexes(binding)),
   ),
 ]);
 
@@ -158,18 +178,18 @@ export const metasMismatch = pipe(
     const result = { defined, carried, unalike: {} };
 
     result.unalike = Object.entries(result.defined)
-      .map(([key, val]) => {
+      .map(([key, value]) => {
         const keyMissing = !Object.hasOwn(result.carried, key);
-        const noValue = !val;
+        const noValue = !value;
         const valMissing = !result.carried[key];
         const valDiffers = result.carried[key] !== result.defined[key];
 
         // prettier-ignore
         return (
-          keyMissing ? { [key]: val } :
+          keyMissing ? { [key]: value } :
           noValue ? {} :
-          valMissing ? { [key]: val } :
-          valDiffers ? { [key]: val } :
+          valMissing ? { [key]: value } :
+          valDiffers ? { [key]: value } :
           {}
         )
       })
@@ -182,38 +202,43 @@ export const metasMismatch = pipe(
 
 export const mismatchedAnnotations = allPass([
   pipe(nthArg(0), definesAnnotations),
-  pipe((bnd, obj) => metasMismatch(definedAnnotations(bnd), carriedAnnotations(obj))),
+  pipe((binding, kubernetesObject) => metasMismatch(definedAnnotations(binding), carriedAnnotations(kubernetesObject))),
 ]);
 
 export const mismatchedLabels = allPass([
   pipe(nthArg(0), definesLabels),
-  pipe((bnd, obj) => metasMismatch(definedLabels(bnd), carriedLabels(obj))),
+  pipe((binding, kubernetesObject) => metasMismatch(definedLabels(binding), carriedLabels(kubernetesObject))),
 ]);
 
 export const uncarryableNamespace = allPass([
   pipe(nthArg(0), length, gt(__, 0)),
   pipe(nthArg(1), carriesNamespace),
-  pipe((nss, obj) => nss.includes(carriedNamespace(obj)), not),
+  pipe((namespaceSelector, kubernetesObject) => namespaceSelector.includes(carriedNamespace(kubernetesObject)), not),
 ]);
 
 export const carriesIgnoredNamespace = allPass([
   pipe(nthArg(0), length, gt(__, 0)),
   pipe(nthArg(1), carriesNamespace),
-  pipe((nss, obj) => nss.includes(carriedNamespace(obj))),
+  pipe((namespaceSelector, kubernetesObject) => namespaceSelector.includes(carriedNamespace(kubernetesObject))),
 ]);
 
 export const unbindableNamespaces = allPass([
   pipe(nthArg(0), length, gt(__, 0)),
   pipe(nthArg(1), definesNamespaces),
-  pipe((nss, bnd) => difference(definedNamespaces(bnd), nss), length, equals(0), not),
+  pipe(
+    (namespaceSelector, binding) => difference(definedNamespaces(binding), namespaceSelector),
+    length,
+    equals(0),
+    not,
+  ),
 ]);
 
 export const misboundDeleteWithDeletionTimestamp = allPass([definesDelete, definesDeletionTimestamp]);
 
 export const operationMatchesEvent = anyPass([
   pipe(nthArg(1), equals(Event.Any)),
-  pipe((op, evt) => op === evt),
-  pipe((op, evt) => (op ? evt.includes(op) : false)),
+  pipe((operation, event) => operation === event),
+  pipe((operation, event) => (operation ? event.includes(operation) : false)),
 ]);
 
 export const mismatchedEvent = pipe(

package/src/lib/{filter.ts → filter/filter.ts}

@@ -1,7 +1,8 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-import { AdmissionRequest, Binding, Operation } from "./types";
+import { AdmissionRequest, Binding } from "../types";
+import { Operation } from "../enums";
 import {
   carriesIgnoredNamespace,
   carriedName,
@@ -56,7 +57,7 @@ export function shouldSkipRequest(
 
   // prettier-ignore
   return (
-    misboundDeleteWithDeletionTimestamp(binding) ? 
+    misboundDeleteWithDeletionTimestamp(binding) ?
       `${prefix} Cannot use deletionTimestamp filter on a DELETE operation.` :
 
     mismatchedDeletionTimestamp(binding, obj) ?

package/src/lib/finalizer.ts

@@ -4,7 +4,7 @@
 import { K8s, KubernetesObject, RegisterKind } from "kubernetes-fluent-client";
 import Log from "./logger";
 import { Binding, DeepPartial } from "./types";
-import { Operation } from "./types";
+import { Operation } from "./enums";
 import { PeprMutateRequest } from "./mutate-request";
 
 export function addFinalizer<K extends KubernetesObject>(request: PeprMutateRequest<K>) {