pepr 0.42.1 → 0.42.2

package/src/lib/assets/webhooks.ts

@@ -11,6 +11,7 @@ import { concat, equals, uniqWith } from "ramda";
 
 import { Assets } from ".";
 import { Event } from "../enums";
+import { Binding } from "../types";
 
 const peprIgnoreLabel: V1LabelSelectorRequirement = {
   key: "pepr.dev",
@@ -20,57 +21,41 @@ const peprIgnoreLabel: V1LabelSelectorRequirement = {
 
 const peprIgnoreNamespaces: string[] = ["kube-system", "pepr-system"];
 
+const validateRule = (binding: Binding, isMutateWebhook: boolean): V1RuleWithOperations | undefined => {
+  const { event, kind, isMutate, isValidate } = binding;
+
+  // Skip invalid bindings based on webhook type
+  if ((isMutateWebhook && !isMutate) || (!isMutateWebhook && !isValidate)) {
+    return undefined;
+  }
+
+  // Translate event to operations
+  const operations = event === Event.CREATE_OR_UPDATE ? [Event.CREATE, Event.UPDATE] : [event];
+
+  // Use the plural property if it exists, otherwise use lowercase kind + s
+  const resource = kind.plural || `${kind.kind.toLowerCase()}s`;
+
+  const ruleObject: V1RuleWithOperations = {
+    apiGroups: [kind.group],
+    apiVersions: [kind.version || "*"],
+    operations,
+    resources: [resource, ...(resource === "pods" ? ["pods/ephemeralcontainers"] : [])],
+  };
+
+  return ruleObject;
+};
+
 export async function generateWebhookRules(assets: Assets, isMutateWebhook: boolean): Promise<V1RuleWithOperations[]> {
   const { config, capabilities } = assets;
-  const rules: V1RuleWithOperations[] = [];
 
-  // Iterate through the capabilities and generate the rules
-  for (const capability of capabilities) {
+  const rules = capabilities.flatMap(capability => {
     console.info(`Module ${config.uuid} has capability: ${capability.name}`);
 
-    // Read the bindings and generate the rules
-    for (const binding of capability.bindings) {
-      const { event, kind, isMutate, isValidate } = binding;
-
-      // If the module doesn't have a callback for the event, skip it
-      if (isMutateWebhook && !isMutate) {
-        continue;
-      }
-
-      if (!isMutateWebhook && !isValidate) {
-        continue;
-      }
-
-      const operations: string[] = [];
-
-      // CreateOrUpdate is a Pepr-specific event that is translated to Create and Update
-      if (event === Event.CREATE_OR_UPDATE) {
-        operations.push(Event.CREATE, Event.UPDATE);
-      } else {
-        operations.push(event);
-      }
-
-      // Use the plural property if it exists, otherwise use lowercase kind + s
-      const resource = kind.plural || `${kind.kind.toLowerCase()}s`;
-
-      const ruleObject = {
-        apiGroups: [kind.group],
-        apiVersions: [kind.version || "*"],
-        operations,
-        resources: [resource],
-      };
-
-      // If the resource is pods, add ephemeralcontainers as well
-      if (resource === "pods") {
-        ruleObject.resources.push("pods/ephemeralcontainers");
-      }
-
-      // Add the rule to the rules array
-      rules.push(ruleObject);
-    }
-  }
+    return capability.bindings
+      .map(binding => validateRule(binding, isMutateWebhook))
+      .filter((rule): rule is V1RuleWithOperations => !!rule);
+  });
 
-  // Return the rules with duplicates removed
   return uniqWith(equals, rules);
 }
 

package/src/lib/controller/index.ts

@@ -5,13 +5,13 @@ import express, { NextFunction } from "express";
 import fs from "fs";
 import https from "https";
 
-import { Capability } from "../capability";
+import { Capability } from "../core/capability";
 import { MutateResponse, ValidateResponse } from "../k8s";
 import Log from "../telemetry/logger";
 import { metricsCollector, MetricsCollector } from "../telemetry/metrics";
-import { ModuleConfig, isWatchMode } from "../module";
-import { mutateProcessor } from "../mutate-processor";
-import { validateProcessor } from "../validate-processor";
+import { ModuleConfig, isWatchMode } from "../core/module";
+import { mutateProcessor } from "../processors/mutate-processor";
+import { validateProcessor } from "../processors/validate-processor";
 import { StoreController } from "./store";
 import { AdmissionRequest } from "../types";
 import { karForMutate, karForValidate, KubeAdmissionReview } from "./index.util";

package/src/lib/controller/store.ts

@@ -5,10 +5,10 @@ import { Operation } from "fast-json-patch";
 import { K8s } from "kubernetes-fluent-client";
 import { startsWith } from "ramda";
 
-import { Capability } from "../capability";
+import { Capability } from "../core/capability";
 import { Store } from "../k8s";
 import Log, { redactedPatch, redactedStore } from "../telemetry/logger";
-import { DataOp, DataSender, DataStore, Storage } from "../storage";
+import { DataOp, DataSender, DataStore, Storage } from "../core/storage";
 import { fillStoreCache, sendUpdatesAndFlushCache } from "./storeCache";
 
 const namespace = "pepr-system";

package/src/lib/controller/storeCache.ts

@@ -1,11 +1,15 @@
-import { DataOp } from "../storage";
+import { DataOp } from "../core/storage";
 import Log from "../telemetry/logger";
 import { K8s } from "kubernetes-fluent-client";
 import { Store } from "../k8s";
 import { StatusCodes } from "http-status-codes";
 import { Operation } from "fast-json-patch";
 
-export const sendUpdatesAndFlushCache = async (cache: Record<string, Operation>, namespace: string, name: string) => {
+export const sendUpdatesAndFlushCache = async (
+  cache: Record<string, Operation>,
+  namespace: string,
+  name: string,
+): Promise<Record<string, Operation>> => {
   const indexes = Object.keys(cache);
   const payload = Object.values(cache);
 

package/src/lib/{capability.ts → core/capability.ts}

@@ -3,11 +3,11 @@
 
 import { GenericClass, GroupVersionKind, modelToGroupVersionKind } from "kubernetes-fluent-client";
 import { pickBy } from "ramda";
-import Log from "./telemetry/logger";
+import Log from "../telemetry/logger";
 import { isBuildMode, isDevMode, isWatchMode } from "./module";
 import { PeprStore, Storage } from "./storage";
 import { OnSchedule, Schedule } from "./schedule";
-import { Event } from "./enums";
+import { Event } from "../enums";
 import {
   Binding,
   BindingFilter,
@@ -22,8 +22,8 @@ import {
   FinalizeAction,
   FinalizeActionChain,
   WhenSelector,
-} from "./types";
-import { addFinalizer } from "./finalizer";
+} from "../types";
+import { addFinalizer } from "../finalizer";
 
 const registerAdmission = isBuildMode() || !isWatchMode();
 const registerWatch = isBuildMode() || isWatchMode() || isDevMode();

package/src/lib/{module.ts → core/module.ts}

@@ -2,12 +2,12 @@
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 import { clone } from "ramda";
 import { Capability } from "./capability";
-import { Controller } from "./controller";
-import { ValidateError } from "./errors";
-import { MutateResponse, ValidateResponse, WebhookIgnore } from "./k8s";
-import { CapabilityExport, AdmissionRequest } from "./types";
-import { setupWatch } from "./watch-processor";
-import { Log } from "../lib";
+import { Controller } from "../controller";
+import { ValidateError } from "../errors";
+import { MutateResponse, ValidateResponse, WebhookIgnore } from "../k8s";
+import { CapabilityExport, AdmissionRequest } from "../types";
+import { setupWatch } from "../processors/watch-processor";
+import { Log } from "../../lib";
 import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
 
 /** Custom Labels Type for package.json */
@@ -58,12 +58,12 @@ export type PeprModuleOptions = {
 };
 
 // Track if this is a watch mode controller
-export const isWatchMode = () => process.env.PEPR_WATCH_MODE === "true";
+export const isWatchMode = (): boolean => process.env.PEPR_WATCH_MODE === "true";
 
 // Track if Pepr is running in build mode
-export const isBuildMode = () => process.env.PEPR_MODE === "build";
+export const isBuildMode = (): boolean => process.env.PEPR_MODE === "build";
 
-export const isDevMode = () => process.env.PEPR_MODE === "dev";
+export const isDevMode = (): boolean => process.env.PEPR_MODE === "dev";
 
 export class PeprModule {
   #controller!: Controller;
@@ -135,7 +135,7 @@ export class PeprModule {
    *
    * @param port
    */
-  start = (port = 3000) => {
+  start = (port = 3000): void => {
     this.#controller.startServer(port);
   };
 }

package/src/lib/{queue.ts → core/queue.ts}

@@ -3,7 +3,7 @@
 import { KubernetesObject } from "@kubernetes/client-node";
 import { WatchPhase } from "kubernetes-fluent-client/dist/fluent/types";
 import { randomBytes } from "node:crypto";
-import Log from "./telemetry/logger";
+import Log from "../telemetry/logger";
 
 type WatchCallback = (obj: KubernetesObject, phase: WatchPhase) => Promise<void>;
 

package/src/lib/deploymentChecks.ts

@@ -4,7 +4,7 @@ import { K8s, kind } from "kubernetes-fluent-client";
 import Log from "./telemetry/logger";
 
 // returns true if all deployments are ready, false otherwise
-export async function checkDeploymentStatus(namespace: string) {
+export async function checkDeploymentStatus(namespace: string): Promise<boolean> {
   const deployments = await K8s(kind.Deployment).InNamespace(namespace).Get();
   let status = false;
   let readyCount = 0;
@@ -29,7 +29,7 @@ export async function checkDeploymentStatus(namespace: string) {
 }
 
 // wait for all deployments in the pepr-system namespace to be ready
-export async function namespaceDeploymentsReady(namespace: string = "pepr-system") {
+export async function namespaceDeploymentsReady(namespace: string = "pepr-system"): Promise<true | undefined> {
   Log.info(`Checking ${namespace} deployments status...`);
   let ready = false;
   while (!ready) {

package/src/lib/errors.ts

@@ -1,19 +1,14 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-export const Errors = {
-  audit: "audit",
-  ignore: "ignore",
-  reject: "reject",
-};
-
-export const ErrorList = Object.values(Errors);
+import { OnError } from "../cli/init/enums";
 
+export const ErrorList = Object.values(OnError) as string[];
 /**
  * Validate the error or throw an error
  * @param error
  */
-export function ValidateError(error = "") {
+export function ValidateError(error: string = ""): void {
   if (!ErrorList.includes(error)) {
     throw new Error(`Invalid error: ${error}. Must be one of: ${ErrorList.join(", ")}`);
   }

package/src/lib/filesystemService.ts

@@ -3,7 +3,7 @@
 
 import { promises } from "fs";
 
-export async function createDirectoryIfNotExists(path: string) {
+export async function createDirectoryIfNotExists(path: string): Promise<void> {
   try {
     await promises.access(path);
   } catch (error) {

package/src/lib/filter/adjudicators/adjudicators.ts

@@ -2,7 +2,7 @@
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
 import { Event, Operation } from "../../enums";
-import { AdmissionRequest, Binding } from "../../types";
+import { AdmissionRequest, Binding, FinalizeAction, WatchLogAction, MutateAction, ValidateAction } from "../../types";
 import {
   __,
   allPass,
@@ -19,7 +19,7 @@ import {
   nthArg,
   pipe,
 } from "ramda";
-import { KubernetesObject } from "kubernetes-fluent-client";
+import { GenericClass, KubernetesObject } from "kubernetes-fluent-client";
 
 /*
   Naming scheme:
@@ -77,6 +77,7 @@ export const carriedNamespace = pipe(
   (kubernetesObject: KubernetesObject): string | undefined => kubernetesObject?.metadata?.namespace,
   defaultTo(""),
 );
+
 export const carriesNamespace = pipe(carriedNamespace, equals(""), not);
 
 export const carriedAnnotations = pipe(
@@ -144,7 +145,7 @@ export const definesVersion = pipe(definedVersion, equals(""), not);
 export const definedKind = pipe((binding): string => binding?.kind?.kind, defaultTo(""));
 export const definesKind = pipe(definedKind, equals(""), not);
 
-export const definedCategory = (binding: Partial<Binding>) => {
+export const definedCategory = (binding: Partial<Binding>): string => {
   // Ordering matters, finalize is a "watch"
   // prettier-ignore
   return binding.isFinalize ? "Finalize" :
@@ -153,8 +154,15 @@ export const definedCategory = (binding: Partial<Binding>) => {
     binding.isValidate ? "Validate" :
     "";
 };
-
-export const definedCallback = (binding: Partial<Binding>) => {
+export type DefinedCallbackReturnType =
+  | FinalizeAction<GenericClass, InstanceType<GenericClass>>
+  | WatchLogAction<GenericClass, InstanceType<GenericClass>>
+  | MutateAction<GenericClass, InstanceType<GenericClass>>
+  | ValidateAction<GenericClass, InstanceType<GenericClass>>
+  | null
+  | undefined;
+
+export const definedCallback = (binding: Partial<Binding>): DefinedCallbackReturnType => {
   // Ordering matters, finalize is a "watch"
   // prettier-ignore
   return binding.isFinalize ? binding.finalizeCallback :
@@ -241,10 +249,21 @@ export const mismatchedLabels = allPass([
   pipe((binding, kubernetesObject) => metasMismatch(definedLabels(binding), carriedLabels(kubernetesObject))),
 ]);
 
+/*
+ * If the object does not have a namespace, and it is not a namespace,
+ * then we must return false because it cannot be uncarryable
+ */
 export const uncarryableNamespace = allPass([
   pipe(nthArg(0), length, gt(__, 0)),
-  pipe(nthArg(1), carriesNamespace),
-  pipe((namespaceSelector, kubernetesObject) => namespaceSelector.includes(carriedNamespace(kubernetesObject)), not),
+  pipe((namespaceSelector, kubernetesObject) => {
+    if (kubernetesObject?.kind === "Namespace") {
+      return namespaceSelector.includes(kubernetesObject?.metadata?.name);
+    }
+    if (carriesNamespace(kubernetesObject)) {
+      return namespaceSelector.includes(carriedNamespace(kubernetesObject));
+    }
+    return true;
+  }, not),
 ]);
 
 export const missingCarriableNamespace = allPass([
@@ -256,10 +275,22 @@ export const missingCarriableNamespace = allPass([
   ),
 ]);
 
+/*
+ * If the object does not have a namespace, and it is not a namespace,
+ * then we must return false because it cannot be ignored
+ */
 export const carriesIgnoredNamespace = allPass([
   pipe(nthArg(0), length, gt(__, 0)),
-  pipe(nthArg(1), carriesNamespace),
-  pipe((namespaceSelector, kubernetesObject) => namespaceSelector.includes(carriedNamespace(kubernetesObject))),
+  pipe((namespaceSelector, kubernetesObject) => {
+    if (kubernetesObject?.kind === "Namespace") {
+      return namespaceSelector.includes(kubernetesObject?.metadata?.name);
+    }
+    if (carriesNamespace(kubernetesObject)) {
+      return namespaceSelector.includes(carriedNamespace(kubernetesObject));
+    }
+
+    return false;
+  }),
 ]);
 
 export const unbindableNamespaces = allPass([