pepr 0.42.1 → 0.42.2

package/dist/sdk/heredoc.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"heredoc.d.ts","sourceRoot":"","sources":["../../src/sdk/heredoc.ts"],"names":[],"mappings":"AAGA,wBAAgB,OAAO,CAAC,OAAO,EAAE,oBAAoB,EAAE,GAAG,MAAM,EAAE,MAAM,EAAE,UAgCzE"}
+{"version":3,"file":"heredoc.d.ts","sourceRoot":"","sources":["../../src/sdk/heredoc.ts"],"names":[],"mappings":"AAGA,wBAAgB,OAAO,CAAC,OAAO,EAAE,oBAAoB,EAAE,GAAG,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,CAgClF"}

package/package.json

@@ -15,7 +15,7 @@
     "!src/**/*.test.ts",
     "!dist/**/*.test.d.ts*"
   ],
-  "version": "0.42.1",
+  "version": "0.42.2",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {
@@ -47,14 +47,14 @@
     "http-status-codes": "^2.3.0",
     "json-pointer": "^0.6.2",
     "kubernetes-fluent-client": "3.3.7",
-    "pino": "9.5.0",
+    "pino": "9.6.0",
     "pino-pretty": "13.0.0",
     "prom-client": "15.1.3",
     "ramda": "0.30.1",
     "sigstore": "3.0.0"
   },
   "devDependencies": {
-    "@commitlint/cli": "19.6.0",
+    "@commitlint/cli": "19.6.1",
     "@commitlint/config-conventional": "19.6.0",
     "@fast-check/jest": "^2.0.1",
     "@jest/globals": "29.7.0",
@@ -73,16 +73,16 @@
     "undici": "^7.0.1"
   },
   "peerDependencies": {
-    "@types/prompts": "2.4.9",
     "@typescript-eslint/eslint-plugin": "7.18.0",
     "@typescript-eslint/parser": "7.18.0",
-    "commander": "12.1.0",
-    "esbuild": "0.23.0",
+    "@types/prompts": "2.4.9",
     "eslint": "8.57.0",
+    "commander": "12.1.0",
+    "esbuild": "0.24.0",
     "node-forge": "1.3.1",
-    "prettier": "3.3.3",
+    "prettier": "3.4.2",
     "prompts": "2.4.2",
-    "typescript": "5.3.3",
-    "uuid": "10.0.0"
+    "typescript": "^5.3.3",
+    "uuid": "11.0.3"
   }
 }

package/src/cli/deploy.ts

@@ -12,7 +12,88 @@ import { sanitizeName } from "./init/utils";
 import { deployImagePullSecret } from "../lib/assets/deploy";
 import { namespaceDeploymentsReady } from "../lib/deploymentChecks";
 
-export default function (program: RootCmd) {
+export interface ImagePullSecretDetails {
+  pullSecret?: string;
+  dockerServer?: string;
+  dockerUsername?: string;
+  dockerEmail?: string;
+  dockerPassword?: string;
+}
+
+export function validateImagePullSecretDetails(details: ImagePullSecretDetails): {
+  valid: boolean;
+  error?: string;
+} {
+  if (!details.pullSecret) {
+    return { valid: true };
+  }
+
+  // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-subdomain-names
+  if (details.pullSecret !== sanitizeName(details.pullSecret)) {
+    return {
+      valid: false,
+      error: `Invalid --pullSecret. Must be valid name as defined in RFC 1123.`,
+    };
+  }
+
+  const missing: string[] = [];
+  if (!details.dockerEmail) {
+    missing.push("--docker-email");
+  }
+  if (!details.dockerServer) {
+    missing.push("--docker-server");
+  }
+  if (!details.dockerUsername) {
+    missing.push("--docker-username");
+  }
+  if (!details.dockerPassword) {
+    missing.push("--docker-password");
+  }
+
+  if (missing.length > 0) {
+    return {
+      valid: false,
+      error: `Error: Must provide ${missing.join(", ")} when providing --pullSecret`,
+    };
+  }
+
+  return { valid: true };
+}
+
+export type ValidatedImagePullSecretDetails = Required<ImagePullSecretDetails>;
+
+function generateImagePullSecret(details: ValidatedImagePullSecretDetails): ImagePullSecret {
+  const auth = Buffer.from(`${details.dockerUsername}:${details.dockerPassword}`).toString(
+    "base64",
+  );
+  return {
+    auths: {
+      [details.dockerServer]: {
+        username: details.dockerUsername,
+        password: details.dockerPassword,
+        email: details.dockerEmail,
+        auth,
+      },
+    },
+  };
+}
+
+export async function getUserConfirmation(opts: { confirm: boolean }): Promise<boolean> {
+  if (opts.confirm) {
+    return true;
+  }
+
+  // Prompt the user to confirm
+  const confirm = await prompt({
+    type: "confirm",
+    name: "confirm",
+    message: "This will remove and redeploy the module. Continue?",
+  });
+
+  return confirm.confirm ? true : false;
+}
+
+export default function (program: RootCmd): void {
   program
     .command("deploy")
     .description("Deploy a Pepr Module")
@@ -25,85 +106,43 @@ export default function (program: RootCmd) {
     .option("--docker-password <password>", "Password for Docker registry")
     .option("--force", "Force deploy the module, override manager field")
     .action(async opts => {
-      let imagePullSecret: ImagePullSecret | undefined;
-
-      if (
-        opts.pullSecret &&
-        opts.pullSecret.length > 0 &&
-        (!opts.dockerServer || !opts.dockerUsername || !opts.dockerEmail || !opts.dockerPassword)
-      ) {
-        console.error(
-          "Error: Must provide docker server, username, email, and password when providing pull secret",
-        );
+      const valResp = validateImagePullSecretDetails(opts);
+      if (!valResp.valid) {
+        console.error(valResp.error);
         process.exit(1);
-      } else if (opts.pullSecret && opts.pullSecret !== sanitizeName(opts.pullSecret)) {
-        // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-subdomain-names
-        console.error(
-          "Invalid imagePullSecret name. Please provide a valid name as defined in RFC 1123.",
-        );
-        process.exit(1);
-      } else if (opts.pullSecret) {
-        imagePullSecret = {
-          auths: {
-            [opts.dockerServer]: {
-              username: opts.dockerUsername,
-              password: opts.dockerPassword,
-              email: opts.dockerEmail,
-              auth: Buffer.from(`${opts.dockerUsername}:${opts.dockerPassword}`).toString("base64"),
-            },
-          },
-        };
-
-        await deployImagePullSecret(imagePullSecret, opts.pullSecret);
+      }
+
+      if (opts.pullSecret) {
+        await deployImagePullSecret(generateImagePullSecret(opts), opts.pullSecret);
         return;
       }
 
-      if (!opts.confirm) {
-        // Prompt the user to confirm
-        const confirm = await prompt({
-          type: "confirm",
-          name: "confirm",
-          message: "This will remove and redeploy the module. Continue?",
-        });
-
-        // Exit if the user doesn't confirm
-        if (!confirm.confirm) {
-          process.exit(0);
-        }
+      (await getUserConfirmation(opts)) || process.exit(0);
+
+      const builtModule = await buildModule();
+      if (!builtModule) {
+        return;
       }
 
-      // Build the module
-      const buildModuleResult = await buildModule();
-      if (buildModuleResult?.cfg && buildModuleResult?.path) {
-        const { cfg, path } = buildModuleResult;
-
-        // Generate a secret for the module
-        const webhook = new Assets(
-          {
-            ...cfg.pepr,
-            description: cfg.description,
-          },
-          path,
-        );
-
-        if (opts.image) {
-          webhook.image = opts.image;
-        }
-
-        // Identify conf'd webhookTimeout to give to deploy call
-        const timeout = cfg.pepr.webhookTimeout ? cfg.pepr.webhookTimeout : 10;
-
-        try {
-          await webhook.deploy(opts.force, timeout);
-          // wait for capabilities to be loaded and test names
-          validateCapabilityNames(webhook.capabilities);
-          // Wait for the pepr-system resources to be fully up
-          await namespaceDeploymentsReady();
-          console.info(`✅ Module deployed successfully`);
-        } catch (e) {
-          console.error(`Error deploying module:`, e);
-          process.exit(1);
-        }
+      // Generate a secret for the module
+      const webhook = new Assets(
+        { ...builtModule.cfg.pepr, description: builtModule.cfg.description },
+        builtModule.path,
+      );
+      webhook.image = opts.image ?? webhook.image;
+
+      try {
+        await webhook.deploy(opts.force, builtModule.cfg.pepr.webhookTimeout ?? 10);
+
+        // wait for capabilities to be loaded and test names
+        validateCapabilityNames(webhook.capabilities);
+
+        // Wait for the pepr-system resources to be fully up
+        await namespaceDeploymentsReady();
+        console.info(`✅ Module deployed successfully`);
+      } catch (e) {
+        console.error(`Error deploying module:`, e);
+        process.exit(1);
       }
     });
 }

package/src/cli/dev.ts

@@ -10,7 +10,7 @@ import { buildModule, loadModule } from "./build";
 import { RootCmd } from "./root";
 import { K8s, kind } from "kubernetes-fluent-client";
 import { Store } from "../lib/k8s";
-export default function (program: RootCmd) {
+export default function (program: RootCmd): void {
   program
     .command("dev")
     .description("Setup a local webhook development environment")
@@ -55,7 +55,7 @@ export default function (program: RootCmd) {
         const store = `pepr-${cfg.pepr.uuid}-store`;
 
         // Run the processed javascript file
-        const runFork = async () => {
+        const runFork = async (): Promise<void> => {
           console.info(`Running module ${path}`);
 
           // Deploy the webhook with a 30 second timeout for debugging, don't force

package/src/cli/format.helpers.ts

@@ -0,0 +1,27 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { ESLint } from "eslint";
+import { promises as fs } from "fs";
+import { format, resolveConfig } from "prettier";
+
+export async function formatWithPrettier(
+  results: ESLint.LintResult[],
+  validateOnly: boolean,
+): Promise<boolean> {
+  let hasFailure = false;
+  for (const { filePath } of results) {
+    const content = await fs.readFile(filePath, "utf8");
+    const cfg = await resolveConfig(filePath);
+    const formatted = await format(content, { filepath: filePath, ...cfg });
+
+    // If in validate-only mode, check if the file is formatted correctly
+    if (validateOnly && formatted !== content) {
+      hasFailure = true;
+      console.error(`File ${filePath} is not formatted correctly`);
+    } else {
+      await fs.writeFile(filePath, formatted);
+    }
+  }
+  return hasFailure;
+}

package/src/cli/format.ts

@@ -2,12 +2,11 @@
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
 import { ESLint } from "eslint";
-import { promises as fs } from "fs";
-import { format, resolveConfig } from "prettier";
+import { formatWithPrettier } from "./format.helpers";
 
 import { RootCmd } from "./root";
 
-export default function (program: RootCmd) {
+export default function (program: RootCmd): void {
   program
     .command("format")
     .description("Lint and format this Pepr module")
@@ -28,7 +27,7 @@ export default function (program: RootCmd) {
  * @param validateOnly
  * @returns success
  */
-export async function peprFormat(validateOnly: boolean) {
+export async function peprFormat(validateOnly: boolean): Promise<boolean> {
   {
     try {
       const eslint = new ESLint();
@@ -56,20 +55,7 @@ export async function peprFormat(validateOnly: boolean) {
         await ESLint.outputFixes(results);
       }
 
-      // Format with Prettier
-      for (const { filePath } of results) {
-        const content = await fs.readFile(filePath, "utf8");
-        const cfg = await resolveConfig(filePath);
-        const formatted = await format(content, { filepath: filePath, ...cfg });
-
-        // If in validate-only mode, check if the file is formatted correctly
-        if (validateOnly && formatted !== content) {
-          hasFailure = true;
-          console.error(`File ${filePath} is not formatted correctly`);
-        } else {
-          await fs.writeFile(filePath, formatted);
-        }
-      }
+      hasFailure = await formatWithPrettier(results, validateOnly);
 
       return !hasFailure;
     } catch (e) {

package/src/cli/init/enums.ts

@@ -0,0 +1,9 @@
+export enum RbacMode {
+  SCOPED = "scoped",
+  ADMIN = "admin",
+}
+export enum OnError {
+  AUDIT = "audit",
+  IGNORE = "ignore",
+  REJECT = "reject",
+}

package/src/cli/init/index.ts

@@ -21,9 +21,10 @@ import {
 } from "./templates";
 import { createDir, sanitizeName, write } from "./utils";
 import { confirm, PromptOptions, walkthrough } from "./walkthrough";
-import { ErrorList, Errors } from "../../lib/errors";
+import { ErrorList } from "../../lib/errors";
+import { OnError } from "./enums";
 
-export default function (program: RootCmd) {
+export default function (program: RootCmd): void {
   let response = {} as PromptOptions;
   let pkgOverride = "";
   program
@@ -33,7 +34,7 @@ export default function (program: RootCmd) {
     .option("--description <string>", "Explain the purpose of the new module.")
     .option("--name <string>", "Set the name of the new module.")
     .option("--skip-post-init", "Skip npm install, git init, and VSCode launch.")
-    .option(`--errorBehavior <${ErrorList.join("|")}>`, "Set an errorBehavior.", Errors.reject)
+    .option(`--errorBehavior <${ErrorList.join("|")}>`, "Set an errorBehavior.", OnError.REJECT)
     .hook("preAction", async thisCommand => {
       // TODO: Overrides for testing. Don't be so gross with Node CLI testing
       // TODO: See pepr/#1140

package/src/cli/init/templates.ts

@@ -14,10 +14,38 @@ import settingsJSON from "../../templates/settings.json";
 import tsConfigJSON from "../../templates/tsconfig.module.json";
 import { sanitizeName } from "./utils";
 import { InitOptions } from "../types";
+import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
+import { OnError, RbacMode } from "./enums";
 
 export const { dependencies, devDependencies, peerDependencies, scripts, version } = packageJSON;
 
-export function genPkgJSON(opts: InitOptions, pgkVerOverride?: string) {
+type peprPackageJSON = {
+  data: {
+    name: string;
+    version: string;
+    description: string;
+    keywords: string[];
+    engines: { node: string };
+    pepr: {
+      uuid: string;
+      onError: OnError;
+      webhookTimeout: number;
+      customLabels: { namespace: Record<string, string> };
+      alwaysIgnore: { namespaces: string[] };
+      includedFiles: string[];
+      env: object;
+      rbac?: PolicyRule[];
+      rbacMode?: RbacMode;
+    };
+    scripts: { "k3d-setup": string };
+    dependencies: { pepr: string; undici: string };
+    devDependencies: { typescript: string };
+  };
+  path: string;
+  print: string;
+};
+
+export function genPkgJSON(opts: InitOptions, pgkVerOverride?: string): peprPackageJSON {
   // Generate a random UUID for the module based on the module name
   const uuid = uuidv5(opts.name, uuidv4());
   // Generate a name for the module based on the module name
@@ -72,7 +100,7 @@ export function genPkgJSON(opts: InitOptions, pgkVerOverride?: string) {
   };
 }
 
-export function genPeprTS() {
+export function genPeprTS(): { path: string; data: string } {
   return {
     path: "pepr.ts",
     data: peprTS,

package/src/cli/init/utils.ts

@@ -9,7 +9,7 @@ import { promises as fs } from "fs";
  * @param name the user input name
  * @returns the sanitized name
  */
-export function sanitizeName(name: string) {
+export function sanitizeName(name: string): string {
   if (typeof name !== "string") {
     throw TypeError(
       `sanitizeName() was called with a non-string value. The value is: ${name} of type ${typeof name}`,
@@ -32,7 +32,7 @@ export function sanitizeName(name: string) {
  *
  * @param dir - The directory to create
  */
-export async function createDir(dir: string) {
+export async function createDir(dir: string): Promise<void> {
   try {
     await fs.mkdir(dir);
   } catch (err) {
@@ -51,7 +51,7 @@ export async function createDir(dir: string) {
  * @param data - The data to write
  * @returns A promise that resolves when the file has been written
  */
-export function write(path: string, data: unknown) {
+export function write(path: string, data: unknown): Promise<void> {
   // If the data is not a string, stringify it
   if (typeof data !== "string") {
     data = JSON.stringify(data, null, 2);

package/src/cli/init/walkthrough.ts

@@ -4,14 +4,15 @@
 import { promises as fs } from "fs";
 import prompt, { Answers, PromptObject } from "prompts";
 
-import { ErrorList, Errors } from "../../lib/errors";
 import { eslint, gitignore, prettier, readme, tsConfig } from "./templates";
 import { sanitizeName } from "./utils";
+import { OnError } from "./enums";
+import { ErrorList } from "../../lib/errors";
 
 export type PromptOptions = {
   name: string;
   description: string;
-  errorBehavior: "audit" | "ignore" | "reject";
+  errorBehavior: OnError;
 };
 
 export type PartialPromptOptions = Partial<PromptOptions>;
@@ -70,9 +71,7 @@ async function setDescription(description?: string): Promise<Answers<string>> {
   return prompt([askDescription]);
 }
 
-export async function setErrorBehavior(
-  errorBehavior?: "audit" | "ignore" | "reject",
-): Promise<Answers<string>> {
+export async function setErrorBehavior(errorBehavior?: OnError): Promise<Answers<string>> {
   const askErrorBehavior: PromptObject = {
     type: "select",
     name: "errorBehavior",
@@ -80,20 +79,20 @@ export async function setErrorBehavior(
     choices: [
       {
         title: "Reject the operation",
-        value: Errors.reject,
+        value: OnError.REJECT,
         description:
           "In the event that Pepr is down or other module errors occur, the operation will not be allowed to continue. (Recommended for production.)",
       },
       {
         title: "Ignore",
-        value: Errors.ignore,
+        value: OnError.IGNORE,
         description:
           "In the event that Pepr is down or other module errors occur, an entry will be generated in the Pepr Controller Log and the operation will be allowed to continue. (Recommended for development, not for production.)",
         selected: true,
       },
       {
         title: "Log an audit event",
-        value: Errors.audit,
+        value: OnError.AUDIT,
         description:
           "Pepr will continue processing and generate an entry in the Pepr Controller log as well as an audit event in the cluster.",
       },

package/src/cli/kfc.ts

@@ -6,7 +6,7 @@ import prompt from "prompts";
 
 import { RootCmd } from "./root";
 
-export default function (program: RootCmd) {
+export default function (program: RootCmd): void {
   program
     .command("kfc [args...]")
     .description("Execute Kubernetes Fluent Client commands")

package/src/cli/root.ts

@@ -5,7 +5,7 @@ import { Command } from "commander";
 
 export class RootCmd extends Command {
   // eslint-disable-next-line class-methods-use-this
-  createCommand(name: string) {
+  createCommand(name: string): Command {
     const cmd = new Command(name);
     return cmd;
   }

package/src/cli/update.ts

@@ -17,7 +17,7 @@ import {
 import { write } from "./init/utils";
 import { RootCmd } from "./root";
 
-export default function (program: RootCmd) {
+export default function (program: RootCmd): void {
   program
     .command("update")
     .description("Update this Pepr module. Not recommended for prod as it may change files.")

package/src/cli/uuid.ts

@@ -5,7 +5,7 @@ import { KubernetesListObject } from "@kubernetes/client-node";
 import { K8s, kind } from "kubernetes-fluent-client";
 import { RootCmd } from "./root";
 
-export default function (program: RootCmd) {
+export default function (program: RootCmd): void {
   program
     .command("uuid [uuid]")
     .description("Module UUID(s) currently deployed in the cluster")

package/src/fixtures/loader.ts

@@ -14,11 +14,11 @@ export function AdmissionRequestCreatePod() {
   return cloneObject<kind.Pod>(admissionRequestCreatePod);
 }
 
-export function AdmissionRequestDeletePod() {
+export function AdmissionRequestDeletePod(): AdmissionRequest<kind.Pod> {
   return cloneObject<kind.Pod>(admissionRequestDeletePod);
 }
 
-export function AdmissionRequestCreateClusterRole() {
+export function AdmissionRequestCreateClusterRole(): AdmissionRequest<kind.ClusterRole> {
   return cloneObject<kind.ClusterRole>(admissionRequestCreateClusterRole);
 }
 

package/src/lib/assets/deploy.ts

@@ -15,7 +15,7 @@ import { peprStoreCRD } from "./store";
 import { webhookConfig } from "./webhooks";
 import { CapabilityExport, ImagePullSecret } from "../types";
 
-export async function deployImagePullSecret(imagePullSecret: ImagePullSecret, name: string) {
+export async function deployImagePullSecret(imagePullSecret: ImagePullSecret, name: string): Promise<void> {
   try {
     await K8s(kind.Namespace).Get("pepr-system");
   } catch {
@@ -42,7 +42,7 @@ export async function deployImagePullSecret(imagePullSecret: ImagePullSecret, na
     Log.error(e);
   }
 }
-export async function deploy(assets: Assets, force: boolean, webhookTimeout?: number) {
+export async function deploy(assets: Assets, force: boolean, webhookTimeout?: number): Promise<void> {
   Log.info("Establishing connection to Kubernetes");
 
   const { name, host, path } = assets;
@@ -95,7 +95,7 @@ async function setupRBAC(
   capabilities: CapabilityExport[],
   force: boolean,
   config: { rbacMode?: string; rbac?: PolicyRule[] },
-) {
+): Promise<void> {
   const { rbacMode, rbac } = config;
 
   Log.info("Applying cluster role binding");
@@ -119,7 +119,7 @@ async function setupRBAC(
   await K8s(kind.RoleBinding).Apply(roleBinding, { force });
 }
 
-async function setupController(assets: Assets, code: Buffer, hash: string, force: boolean) {
+async function setupController(assets: Assets, code: Buffer, hash: string, force: boolean): Promise<void> {
   const { name } = assets;
 
   Log.info("Applying module secret");
@@ -144,7 +144,7 @@ async function setupController(assets: Assets, code: Buffer, hash: string, force
 }
 
 // Setup the watcher deployment and service
-async function setupWatcher(assets: Assets, hash: string, force: boolean) {
+async function setupWatcher(assets: Assets, hash: string, force: boolean): Promise<void> {
   // If the module has a watcher, deploy it
   const watchDeployment = getWatcher(assets, hash, assets.buildTimestamp);
   if (watchDeployment) {

package/src/lib/assets/index.ts

@@ -4,7 +4,7 @@
 import crypto from "crypto";
 import { dumpYaml } from "@kubernetes/client-node";
 import { kind } from "kubernetes-fluent-client";
-import { ModuleConfig } from "../module";
+import { ModuleConfig } from "../core/module";
 import { TLSOut, genTLS } from "../tls";
 import { CapabilityExport } from "../types";
 import { WebhookIgnore } from "../k8s";

package/src/lib/assets/pods.ts

@@ -6,7 +6,7 @@ import { kind } from "kubernetes-fluent-client";
 import { gzipSync } from "zlib";
 import { secretOverLimit } from "../helpers";
 import { Assets } from ".";
-import { ModuleConfig } from "../module";
+import { ModuleConfig } from "../core/module";
 import { Binding } from "../types";
 
 /** Generate the pepr-system namespace */