pepr 0.42.0 → 0.42.2

package/dist/lib/queue.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"queue.d.ts","sourceRoot":"","sources":["../../src/lib/queue.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,UAAU,EAAE,MAAM,4CAA4C,CAAC;AAIxE,KAAK,aAAa,GAAG,CAAC,GAAG,EAAE,gBAAgB,EAAE,KAAK,EAAE,UAAU,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;AAUjF;;GAEG;AACH,qBAAa,KAAK,CAAC,CAAC,SAAS,gBAAgB;;gBAM/B,IAAI,EAAE,MAAM;IAKxB,KAAK;;;;IAIL,KAAK;;;;;;;;;IASL;;;;;;;;OAQG;IACH,OAAO,CAAC,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa;CAsE7D"}

package/dist/lib/schedule.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"schedule.d.ts","sourceRoot":"","sources":["../../src/lib/schedule.ts"],"names":[],"mappings":";AAGA,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAEtC,MAAM,MAAM,IAAI,GAAG,SAAS,GAAG,QAAQ,GAAG,QAAQ,GAAG,SAAS,GAAG,OAAO,GAAG,MAAM,CAAC;AAElF,MAAM,WAAW,QAAQ;IACvB;;OAEG;IACH,IAAI,EAAE,MAAM,CAAC;IACb;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;IACd;;OAEG;IACH,IAAI,EAAE,IAAI,CAAC;IACX;;OAEG;IACH,GAAG,EAAE,MAAM,IAAI,CAAC;IAChB;;OAEG;IACH,SAAS,CAAC,EAAE,IAAI,GAAG,SAAS,CAAC;IAE7B;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IACjC;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC,OAAO,CAAC;CAC7B;AAED,qBAAa,UAAW,YAAW,QAAQ;IACzC,UAAU,EAAE,MAAM,CAAC,OAAO,GAAG,IAAI,CAAQ;IACzC,KAAK,EAAE,SAAS,GAAG,SAAS,CAAC;IAC7B,IAAI,EAAG,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,IAAI,CAAC;IACX,GAAG,EAAG,MAAM,IAAI,CAAC;IACjB,SAAS,CAAC,EAAE,IAAI,GAAG,SAAS,CAAC;IAC7B,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7B,aAAa,EAAE,IAAI,GAAG,SAAS,CAAC;gBAEpB,QAAQ,EAAE,QAAQ;IAQ9B,QAAQ,CAAC,KAAK,EAAE,SAAS,GAAG,IAAI;IAIhC,aAAa,IAAI,IAAI;IAKrB;;;OAGG;IACH,UAAU,IAAI,IAAI;IAUlB;;;OAGG;IACH,WAAW,IAAI,IAAI;IAUnB;;OAEG;IACH,WAAW,IAAI,IAAI;IAmBnB;;OAEG;IACH,aAAa,IAAI,IAAI;IAwBrB;;OAEG;IACH,KAAK,IAAI,IAAI;IAgBb;;OAEG;IACH,IAAI,IAAI,IAAI;CAOb"}

package/dist/lib/storage.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../../src/lib/storage.ts"],"names":[],"mappings":"AAKA,MAAM,MAAM,MAAM,GAAG,KAAK,GAAG,QAAQ,CAAC;AACtC,MAAM,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AAC/C,MAAM,MAAM,UAAU,GAAG,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,KAAK,CAAC,EAAE,MAAM,KAAK,IAAI,CAAC;AAC9E,MAAM,MAAM,YAAY,GAAG,CAAC,IAAI,EAAE,SAAS,KAAK,IAAI,CAAC;AACrD,MAAM,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC;AAKrC,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAE9C;AAED,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAEvD;AAED,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAEjD;AACD,MAAM,WAAW,SAAS;IACxB;;OAEG;IACH,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;IACpC;;OAEG;IACH,KAAK,IAAI,IAAI,CAAC;IACd;;OAEG;IACH,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B;;OAEG;IACH,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IAE1C;;;;;OAKG;IACH,SAAS,CAAC,QAAQ,EAAE,YAAY,GAAG,WAAW,CAAC;IAE/C;;OAEG;IACH,OAAO,CAAC,QAAQ,EAAE,YAAY,GAAG,IAAI,CAAC;IAEtC;;;OAGG;IACH,cAAc,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE1D;;;OAGG;IACH,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC/C;AAED;;;;GAIG;AAEH,qBAAa,OAAQ,YAAW,SAAS;;IAOvC,cAAc,SAAU,UAAU,KAAG,IAAI,CAEvC;IAEF,OAAO,SAAU,SAAS,KAAG,IAAI,CAU/B;IAEF,OAAO,QAAS,MAAM,KAAG,MAAM,GAAG,IAAI,CAMpC;IAEF,KAAK,QAAO,IAAI,CAMd;IAEF,UAAU,QAAS,MAAM,KAAG,IAAI,CAE9B;IAEF,OAAO,QAAS,MAAM,SAAS,MAAM,KAAG,IAAI,CAE1C;IAEF;;;;;;;OAOG;IACH,cAAc,QAAS,MAAM,SAAS,MAAM,KAAG,QAAQ,IAAI,CAAC,CAiB1D;IAEF;;;;;;OAMG;IACH,iBAAiB,QAAS,MAAM,KAAG,QAAQ,IAAI,CAAC,CAgB9C;IAEF,SAAS,eAAgB,YAAY,KAAG,CAAC,MAAM,IAAI,CAAC,CAIlD;IAEF,OAAO,aAAc,YAAY,KAAG,IAAI,CAEtC;IAEF;;;OAGG;IACH,WAAW,QAAS,MAAM,KAAG,IAAI,CAE/B;CAqBH"}

package/dist/lib/validate-processor.d.ts

@@ -1,6 +0,0 @@
-import { Capability } from "./capability";
-import { ValidateResponse } from "./k8s";
-import { AdmissionRequest } from "./types";
-import { ModuleConfig } from "./module";
-export declare function validateProcessor(config: ModuleConfig, capabilities: Capability[], req: AdmissionRequest, reqMetadata: Record<string, string>): Promise<ValidateResponse[]>;
-//# sourceMappingURL=validate-processor.d.ts.map

package/dist/lib/validate-processor.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"validate-processor.d.ts","sourceRoot":"","sources":["../../src/lib/validate-processor.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAE1C,OAAO,EAAE,gBAAgB,EAAE,MAAM,OAAO,CAAC;AACzC,OAAO,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC;AAI3C,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAExC,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,YAAY,EACpB,YAAY,EAAE,UAAU,EAAE,EAC1B,GAAG,EAAE,gBAAgB,EACrB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAClC,OAAO,CAAC,gBAAgB,EAAE,CAAC,CAiE7B"}

package/dist/lib/watch-processor.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"watch-processor.d.ts","sourceRoot":"","sources":["../../src/lib/watch-processor.ts"],"names":[],"mappings":"AAEA,OAAO,EAAO,gBAAgB,EAAY,UAAU,EAAE,MAAM,0BAA0B,CAAC;AAEvF,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAI1C,OAAO,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAQhC;;;;;GAKG;AACH,wBAAgB,QAAQ,CAAC,GAAG,EAAE,gBAAgB,UAkB7C;AAED,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,gBAAgB,2BAMrD;AAuBD;;;;GAIG;AACH,wBAAgB,UAAU,CAAC,YAAY,EAAE,UAAU,EAAE,EAAE,iBAAiB,CAAC,EAAE,MAAM,EAAE,QAMlF;AA+GD,wBAAgB,QAAQ,CAAC,KAAK,EAAE,UAAU,EAAE,OAAO,GAAE,MAAW,EAAE,GAAG,CAAC,EAAE,gBAAgB,QAOvF"}

package/src/lib/mutate-processor.ts

@@ -1,165 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
-
-import jsonPatch from "fast-json-patch";
-import { kind } from "kubernetes-fluent-client";
-
-import { Capability } from "./capability";
-import { Errors } from "./errors";
-import { shouldSkipRequest } from "./filter/filter";
-import { MutateResponse } from "./k8s";
-import { AdmissionRequest } from "./types";
-import Log from "./telemetry/logger";
-import { ModuleConfig } from "./module";
-import { PeprMutateRequest } from "./mutate-request";
-import { base64Encode, convertFromBase64Map, convertToBase64Map } from "./utils";
-
-export async function mutateProcessor(
-  config: ModuleConfig,
-  capabilities: Capability[],
-  req: AdmissionRequest,
-  reqMetadata: Record<string, string>,
-): Promise<MutateResponse> {
-  const wrapped = new PeprMutateRequest(req);
-  const response: MutateResponse = {
-    uid: req.uid,
-    warnings: [],
-    allowed: false,
-  };
-
-  // Track whether any capability matched the request
-  let matchedAction = false;
-
-  // Track data fields that should be skipped during decoding
-  let skipDecode: string[] = [];
-
-  // If the resource is a secret, decode the data
-  const isSecret = req.kind.version === "v1" && req.kind.kind === "Secret";
-  if (isSecret) {
-    skipDecode = convertFromBase64Map(wrapped.Raw as unknown as kind.Secret);
-  }
-
-  Log.info(reqMetadata, `Processing request`);
-
-  for (const { name, bindings, namespaces } of capabilities) {
-    const actionMetadata = { ...reqMetadata, name };
-    for (const action of bindings) {
-      // Skip this action if it's not a mutate action
-      if (!action.mutateCallback) {
-        continue;
-      }
-
-      // Continue to the next action without doing anything if this one should be skipped
-      const shouldSkip = shouldSkipRequest(action, req, namespaces, config?.alwaysIgnore?.namespaces);
-      if (shouldSkip !== "") {
-        Log.debug(shouldSkip);
-        continue;
-      }
-
-      const label = action.mutateCallback.name;
-      Log.info(actionMetadata, `Processing mutation action (${label})`);
-      matchedAction = true;
-
-      // Add annotations to the request to indicate that the capability started processing
-      // this will allow tracking of failed mutations that were permitted to continue
-      const updateStatus = (status: string) => {
-        // Only update the status if the request is a CREATE or UPDATE (we don't use CONNECT)
-        if (req.operation === "DELETE") {
-          return;
-        }
-
-        const identifier = `${config.uuid}.pepr.dev/${name}`;
-        wrapped.Raw.metadata = wrapped.Raw.metadata || {};
-        wrapped.Raw.metadata.annotations = wrapped.Raw.metadata.annotations || {};
-        wrapped.Raw.metadata.annotations[identifier] = status;
-      };
-
-      updateStatus("started");
-
-      try {
-        // Run the action
-        await action.mutateCallback(wrapped);
-
-        // Log on success
-        Log.info(actionMetadata, `Mutation action succeeded (${label})`);
-
-        // Add annotations to the request to indicate that the capability succeeded
-        updateStatus("succeeded");
-      } catch (e) {
-        updateStatus("warning");
-        response.warnings = response.warnings || [];
-
-        const errorMessage = logMutateErrorMessage(e);
-
-        // Log on failure
-        Log.error(actionMetadata, `Action failed: ${errorMessage}`);
-        response.warnings.push(`Action failed: ${errorMessage}`);
-
-        switch (config.onError) {
-          case Errors.reject:
-            Log.error(actionMetadata, `Action failed: ${errorMessage}`);
-            response.result = "Pepr module configured to reject on error";
-            return response;
-
-          case Errors.audit:
-            response.auditAnnotations = response.auditAnnotations || {};
-            response.auditAnnotations[Date.now()] = `Action failed: ${errorMessage}`;
-            break;
-        }
-      }
-    }
-  }
-
-  // If we've made it this far, the request is allowed
-  response.allowed = true;
-
-  // If no capability matched the request, exit early
-  if (!matchedAction) {
-    Log.info(reqMetadata, `No matching actions found`);
-    return response;
-  }
-
-  // delete operations can't be mutate, just return before the transformation
-  if (req.operation === "DELETE") {
-    return response;
-  }
-
-  const transformed = wrapped.Raw;
-
-  // Post-process the Secret requests to convert it back to the original format
-  if (isSecret) {
-    convertToBase64Map(transformed as unknown as kind.Secret, skipDecode);
-  }
-
-  // Compare the original request to the modified request to get the patches
-  const patches = jsonPatch.compare(req.object, transformed);
-
-  // Only add the patch if there are patches to apply
-  if (patches.length > 0) {
-    response.patchType = "JSONPatch";
-    // Webhook must be base64-encoded
-    // https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#response
-    response.patch = base64Encode(JSON.stringify(patches));
-  }
-
-  // Remove the warnings array if it's empty
-  if (response.warnings && response.warnings.length < 1) {
-    delete response.warnings;
-  }
-
-  Log.debug({ ...reqMetadata, patches }, `Patches generated`);
-
-  return response;
-}
-
-const logMutateErrorMessage = (e: Error): string => {
-  try {
-    if (e.message && e.message !== "[object Object]") {
-      return e.message;
-    } else {
-      throw new Error("An error occurred in the mutate action.");
-    }
-  } catch (e) {
-    return "An error occurred with the mutate action.";
-  }
-};

package/src/lib/validate-processor.ts

@@ -1,85 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
-
-import { kind } from "kubernetes-fluent-client";
-
-import { Capability } from "./capability";
-import { shouldSkipRequest } from "./filter/filter";
-import { ValidateResponse } from "./k8s";
-import { AdmissionRequest } from "./types";
-import Log from "./telemetry/logger";
-import { convertFromBase64Map } from "./utils";
-import { PeprValidateRequest } from "./validate-request";
-import { ModuleConfig } from "./module";
-
-export async function validateProcessor(
-  config: ModuleConfig,
-  capabilities: Capability[],
-  req: AdmissionRequest,
-  reqMetadata: Record<string, string>,
-): Promise<ValidateResponse[]> {
-  const wrapped = new PeprValidateRequest(req);
-  const response: ValidateResponse[] = [];
-
-  // If the resource is a secret, decode the data
-  const isSecret = req.kind.version === "v1" && req.kind.kind === "Secret";
-  if (isSecret) {
-    convertFromBase64Map(wrapped.Raw as unknown as kind.Secret);
-  }
-
-  Log.info(reqMetadata, `Processing validation request`);
-
-  for (const { name, bindings, namespaces } of capabilities) {
-    const actionMetadata = { ...reqMetadata, name };
-
-    for (const action of bindings) {
-      // Skip this action if it's not a validation action
-      if (!action.validateCallback) {
-        continue;
-      }
-
-      const localResponse: ValidateResponse = {
-        uid: req.uid,
-        allowed: true, // Assume it's allowed until a validation check fails
-      };
-
-      // Continue to the next action without doing anything if this one should be skipped
-      const shouldSkip = shouldSkipRequest(action, req, namespaces, config?.alwaysIgnore?.namespaces);
-      if (shouldSkip !== "") {
-        Log.debug(shouldSkip);
-        continue;
-      }
-
-      const label = action.validateCallback.name;
-      Log.info(actionMetadata, `Processing validation action (${label})`);
-
-      try {
-        // Run the validation callback, if it fails set allowed to false
-        const resp = await action.validateCallback(wrapped);
-        localResponse.allowed = resp.allowed;
-
-        // If the validation callback returned a status code or message, set it in the Response
-        if (resp.statusCode || resp.statusMessage) {
-          localResponse.status = {
-            code: resp.statusCode || 400,
-            message: resp.statusMessage || `Validation failed for ${name}`,
-          };
-        }
-
-        Log.info(actionMetadata, `Validation action complete (${label}): ${resp.allowed ? "allowed" : "denied"}`);
-      } catch (e) {
-        // If any validation throws an error, note the failure in the Response
-        Log.error(actionMetadata, `Action failed: ${JSON.stringify(e)}`);
-        localResponse.allowed = false;
-        localResponse.status = {
-          code: 500,
-          message: `Action failed with error: ${JSON.stringify(e)}`,
-        };
-        return [localResponse];
-      }
-      response.push(localResponse);
-    }
-  }
-
-  return response;
-}