pepr 0.42.3 → 0.44.0-nightly.0

package/package.json

@@ -15,18 +15,21 @@
     "!src/**/*.test.ts",
     "!dist/**/*.test.d.ts*"
   ],
-  "version": "0.42.3",
+  "version": "0.44.0-nightly.0",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {
     "ci": "npm ci",
     "gen-data-json": "node hack/build-template-data.js",
     "prebuild": "rm -fr dist/* && npm run gen-data-json",
-    "version": "node scripts/set-version.js",
     "build": "tsc && node build.mjs && npm pack",
     "build:image": "npm run build && docker buildx build --output type=docker --tag pepr:dev .",
+    "set:version": "node scripts/set-version.js",
     "test": "npm run test:unit && npm run test:journey",
     "test:unit": "npm run gen-data-json && jest src --coverage --detectOpenHandles --coverageDirectory=./coverage --testPathIgnorePatterns='cosign.e2e.test.ts'",
+    "test:integration": "npm run test:integration:prep && npm run test:integration:run",
+    "test:integration:prep": "./integration/prep.sh",
+    "test:integration:run": "jest --maxWorkers=4 integration",
     "test:journey": "npm run test:journey:k3d && npm run build && npm run test:journey:image && npm run test:journey:run",
     "test:journey:prep": "if [ ! -d ./pepr-upgrade-test ]; then git clone https://github.com/defenseunicorns/pepr-upgrade-test.git ; fi",
     "test:journey-wasm": "npm run test:journey:k3d && npm run build && npm run test:journey:image && npm run test:journey:run-wasm",
@@ -46,7 +49,7 @@
     "follow-redirects": "1.15.9",
     "http-status-codes": "^2.3.0",
     "json-pointer": "^0.6.2",
-    "kubernetes-fluent-client": "3.3.7",
+    "kubernetes-fluent-client": "3.3.8",
     "pino": "9.6.0",
     "pino-pretty": "13.0.0",
     "prom-client": "15.1.3",
@@ -85,4 +88,4 @@
     "typescript": "^5.3.3",
     "uuid": "11.0.3"
   }
-}
+}

package/src/cli/build.helpers.ts

@@ -8,6 +8,37 @@ import { BuildOptions, BuildResult, context, BuildContext } from "esbuild";
 import { Assets } from "../lib/assets/assets";
 import { resolve } from "path";
 import { promises as fs } from "fs";
+import { generateAllYaml } from "../lib/assets/yaml/generateAllYaml";
+import { webhookConfigGenerator } from "../lib/assets/webhooks";
+import { generateZarfYamlGeneric } from "../lib/assets/yaml/generateZarfYaml";
+
+interface ImageOptions {
+  customImage?: string;
+  registryInfo?: string;
+  peprVersion?: string;
+  registry?: string;
+}
+/**
+ * Assign image string
+ * @param imageOptions CLI options for image
+ * @returns image string
+ */
+export function assignImage(imageOptions: ImageOptions): string {
+  const { customImage, registryInfo, peprVersion, registry } = imageOptions;
+  if (customImage) {
+    return customImage;
+  }
+
+  if (registryInfo) {
+    return `${registryInfo}/custom-pepr-controller:${peprVersion}`;
+  }
+
+  if (registry) {
+    return checkIronBankImage(registry, "", peprVersion!);
+  }
+
+  return "";
+}
 
 export type Reloader = (opts: BuildResult<BuildOptions>) => void | Promise<void>;
 /**
@@ -89,24 +120,6 @@ export function validImagePullSecret(imagePullSecretName: string): void {
   }
 }
 
-/**
- * Constraint to majke sure customImage and registry are not both used
- * @param customImage
- * @param registry
- * @returns
- */
-export function handleCustomImage(customImage: string, registry: string): string {
-  let defaultImage = "";
-  if (customImage) {
-    if (registry) {
-      console.error(`Custom Image and registry cannot be used together.`);
-      process.exit(1);
-    }
-    defaultImage = customImage;
-  }
-  return defaultImage;
-}
-
 /**
  * Creates and pushes a custom image for WASM or any other included files
  * @param includedFiles
@@ -129,19 +142,6 @@ export async function handleCustomImageBuild(
   }
 }
 
-/**
- * Disables embedding of deployment files into output module
- * @param embed
- * @param path
- * @returns
- */
-export function handleEmbedding(embed: boolean, path: string): void {
-  if (!embed) {
-    console.info(`✅ Module built successfully at ${path}`);
-    return;
-  }
-}
-
 /**
  * Check if the capability names are valid
  * @param capabilities The capabilities to check
@@ -191,18 +191,18 @@ export async function generateYamlAndWriteToDisk(obj: {
   const yamlFile = `pepr-module-${uuid}.yaml`;
   const chartPath = `${uuid}-chart`;
   const yamlPath = resolve(outputDir, yamlFile);
-  const yaml = await assets.allYaml(imagePullSecret);
+  const yaml = await assets.allYaml(generateAllYaml, imagePullSecret);
   const zarfPath = resolve(outputDir, "zarf.yaml");
 
   let localZarf = "";
   if (zarf === "chart") {
-    localZarf = assets.zarfYamlChart(chartPath);
+    localZarf = assets.zarfYamlChart(generateZarfYamlGeneric, chartPath);
   } else {
-    localZarf = assets.zarfYaml(yamlFile);
+    localZarf = assets.zarfYaml(generateZarfYamlGeneric, yamlFile);
   }
   await fs.writeFile(yamlPath, yaml);
   await fs.writeFile(zarfPath, localZarf);
 
-  await assets.generateHelmChart(outputDir);
+  await assets.generateHelmChart(webhookConfigGenerator, outputDir);
   console.info(`✅ K8s resource for the module saved to ${yamlPath}`);
 }

package/src/cli/build.ts

@@ -2,7 +2,7 @@
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
 import { execFileSync } from "child_process";
-import { BuildOptions, BuildResult, analyzeMetafile } from "esbuild";
+import { BuildContext, BuildOptions, BuildResult, analyzeMetafile } from "esbuild";
 import { promises as fs } from "fs";
 import { basename, dirname, extname, resolve } from "path";
 import { Assets } from "../lib/assets/assets";
@@ -11,15 +11,14 @@ import { RootCmd } from "./root";
 import { Option } from "commander";
 import { parseTimeout } from "../lib/helpers";
 import { peprFormat } from "./format";
+import { ModuleConfig } from "../lib/core/module";
 import {
   watchForChanges,
   determineRbacMode,
-  handleEmbedding,
+  assignImage,
   handleCustomOutputDir,
   handleValidCapabilityNames,
-  handleCustomImage,
   handleCustomImageBuild,
-  checkIronBankImage,
   validImagePullSecret,
   generateYamlAndWriteToDisk,
 } from "./build.helpers";
@@ -27,6 +26,43 @@ import {
 const peprTS = "pepr.ts";
 let outputDir: string = "dist";
 export type Reloader = (opts: BuildResult<BuildOptions>) => void | Promise<void>;
+export type PeprNestedFields = Pick<
+  ModuleConfig,
+  | "uuid"
+  | "onError"
+  | "webhookTimeout"
+  | "customLabels"
+  | "alwaysIgnore"
+  | "env"
+  | "rbac"
+  | "rbacMode"
+> & {
+  peprVersion: string;
+};
+
+export type PeprConfig = Omit<ModuleConfig, keyof PeprNestedFields> & {
+  pepr: PeprNestedFields & {
+    includedFiles: string[];
+  };
+  description: string;
+  version: string;
+};
+
+type LoadModuleReturn = {
+  cfg: PeprConfig;
+  entryPointPath: string;
+  modulePath: string;
+  name: string;
+  path: string;
+  uuid: string;
+};
+
+type BuildModuleReturn = {
+  ctx: BuildContext<BuildOptions>;
+  path: string;
+  cfg: PeprConfig;
+  uuid: string;
+};
 
 export default function (program: RootCmd): void {
   program
@@ -37,34 +73,44 @@ export default function (program: RootCmd): void {
       "-n, --no-embed",
       "Disables embedding of deployment files into output module.  Useful when creating library modules intended solely for reuse/distribution via NPM.",
     )
-    .option(
-      "-i, --custom-image <custom-image>",
-      "Custom Image: Use custom image for Admission and Watch Deployments.",
+    .addOption(
+      new Option(
+        "-i, --custom-image <custom-image>",
+        "Specify a custom image (including version) for Admission and Watch Deployments. Example: 'docker.io/username/custom-pepr-controller:v1.0.0'",
+      ).conflicts(["version", "registryInfo", "registry"]),
     )
-    .option(
-      "-r, --registry-info [<registry>/<username>]",
-      "Registry Info: Image registry and username. Note: You must be signed into the registry",
+    .addOption(
+      new Option(
+        "-r, --registry-info [<registry>/<username>]",
+        "Provide the image registry and username for building and pushing a custom WASM container. Requires authentication. Builds and pushes 'registry/username/custom-pepr-controller:<current-version>'.",
+      ).conflicts(["customImage", "version", "registry"]),
     )
+
     .option("-o, --output-dir <output directory>", "Define where to place build output")
     .option(
       "--timeout <timeout>",
       "How long the API server should wait for a webhook to respond before treating the call as a failure",
       parseTimeout,
     )
-    .option(
-      "-v, --version <version>. Example: '0.27.3'",
-      "The version of the Pepr image to use in the deployment manifests.",
+    .addOption(
+      new Option(
+        "-v, --version <version>",
+        "The version of the Pepr image to use in the deployment manifests. Example: '0.27.3'.",
+      ).conflicts(["customImage", "registryInfo"]),
     )
     .option(
       "--withPullSecret <imagePullSecret>",
       "Image Pull Secret: Use image pull secret for controller Deployment.",
+      "",
     )
 
     .addOption(
       new Option(
         "--registry <GitHub|Iron Bank>",
         "Container registry: Choose container registry for deployment manifests. Can't be used with --custom-image.",
-      ).choices(["GitHub", "Iron Bank"]),
+      )
+        .conflicts(["customImage", "registryInfo"])
+        .choices(["GitHub", "Iron Bank"]),
     )
 
     .addOption(
@@ -86,64 +132,70 @@ export default function (program: RootCmd): void {
 
       // Build the module
       const buildModuleResult = await buildModule(undefined, opts.entryPoint, opts.embed);
-      if (buildModuleResult?.cfg && buildModuleResult.path && buildModuleResult.uuid) {
-        const { cfg, path, uuid } = buildModuleResult;
-        // Files to include in controller image for WASM support
-        const { includedFiles } = cfg.pepr;
-
-        let image = handleCustomImage(opts.customImage, opts.registry);
-
-        // Check if there is a custom timeout defined
-        if (opts.timeout !== undefined) {
-          cfg.pepr.webhookTimeout = opts.timeout;
-        }
-
-        if (opts.registryInfo !== undefined) {
-          console.info(`Including ${includedFiles.length} files in controller image.`);
-
-          // for journey test to make sure the image is built
-          image = `${opts.registryInfo}/custom-pepr-controller:${cfg.pepr.peprVersion}`;
-
-          // only actually build/push if there are files to include
-          await handleCustomImageBuild(includedFiles, cfg.pepr.peprVersion, cfg.description, image);
-        }
-
-        // If building without embedding, exit after building
-        handleEmbedding(opts.embed, path);
-
-        // set the image version if provided
-        opts.version ? (cfg.pepr.peprVersion = opts.version) : null;
-
-        // Generate a secret for the module
-        const assets = new Assets(
-          {
-            ...cfg.pepr,
-            appVersion: cfg.version,
-            description: cfg.description,
-            // Can override the rbacMode with the CLI option
-            rbacMode: determineRbacMode(opts, cfg),
-          },
-          path,
-        );
 
-        // If registry is set to Iron Bank, use Iron Bank image
-        image = checkIronBankImage(opts.registry, image, cfg.pepr.peprVersion);
+      const { cfg, path, uuid } = buildModuleResult!;
+      const image = assignImage({
+        customImage: opts.customImage,
+        registryInfo: opts.registryInfo,
+        peprVersion: cfg.pepr.peprVersion,
+        registry: opts.registry,
+      });
+
+      // Check if there is a custom timeout defined
+      if (opts.timeout !== undefined) {
+        cfg.pepr.webhookTimeout = opts.timeout;
+      }
 
-        // if image is a custom image, use that instead of the default
-        image !== "" ? (assets.image = image) : null;
+      if (opts.registryInfo !== undefined) {
+        console.info(`Including ${cfg.pepr.includedFiles.length} files in controller image.`);
+        // for journey test to make sure the image is built
 
-        // Ensure imagePullSecret is valid
-        validImagePullSecret(opts.withPullSecret);
+        // only actually build/push if there are files to include
+        await handleCustomImageBuild(
+          cfg.pepr.includedFiles,
+          cfg.pepr.peprVersion,
+          cfg.description,
+          image,
+        );
+      }
 
-        handleValidCapabilityNames(assets.capabilities);
-        await generateYamlAndWriteToDisk({
-          uuid,
-          outputDir,
-          imagePullSecret: opts.withPullSecret,
-          zarf: opts.zarf,
-          assets,
-        });
+      // If building without embedding, exit after building
+      if (!opts.embed) {
+        console.info(`✅ Module built successfully at ${path}`);
+        return;
       }
+      // set the image version if provided
+      opts.version ? (cfg.pepr.peprVersion = opts.version) : null;
+
+      // Generate a secret for the module
+      const assets = new Assets(
+        {
+          ...cfg.pepr,
+          appVersion: cfg.version,
+          description: cfg.description,
+          alwaysIgnore: {
+            namespaces: cfg.pepr.alwaysIgnore?.namespaces,
+          },
+          // Can override the rbacMode with the CLI option
+          rbacMode: determineRbacMode(opts, cfg),
+        },
+        path,
+        opts.withPullSecret === "" ? [] : [opts.withPullSecret],
+      );
+
+      image !== "" ? (assets.image = image) : null;
+
+      // Ensure imagePullSecret is valid
+      validImagePullSecret(opts.withPullSecret);
+
+      handleValidCapabilityNames(assets.capabilities);
+      await generateYamlAndWriteToDisk({
+        uuid,
+        outputDir,
+        imagePullSecret: opts.withPullSecret,
+        zarf: opts.zarf,
+        assets,
+      });
     });
 }
 
@@ -156,7 +208,7 @@ externalLibs.push("pepr");
 // Add the kubernetes client to the list of external libraries as it is pulled in by kubernetes-fluent-client
 externalLibs.push("@kubernetes/client-node");
 
-export async function loadModule(entryPoint = peprTS) {
+export async function loadModule(entryPoint = peprTS): Promise<LoadModuleReturn> {
   // Resolve path to the module / files
   const entryPointPath = resolve(".", entryPoint);
   const modulePath = dirname(entryPointPath);
@@ -197,7 +249,11 @@ export async function loadModule(entryPoint = peprTS) {
   };
 }
 
-export async function buildModule(reloader?: Reloader, entryPoint = peprTS, embed = true) {
+export async function buildModule(
+  reloader?: Reloader,
+  entryPoint = peprTS,
+  embed = true,
+): Promise<BuildModuleReturn | void> {
   try {
     const { cfg, modulePath, path, uuid } = await loadModule(entryPoint);
 
@@ -314,7 +370,7 @@ function handleModuleBuildError(e: BuildModuleResult): void {
   }
 }
 
-export async function checkFormat() {
+export async function checkFormat(): Promise<void> {
   const validFormat = await peprFormat(true);
 
   if (!validFormat) {

package/src/cli/deploy.ts

@@ -4,13 +4,13 @@
 import prompt from "prompts";
 
 import { Assets } from "../lib/assets/assets";
-import { buildModule } from "./build";
-import { RootCmd } from "./root";
-import { validateCapabilityNames } from "../lib/helpers";
 import { ImagePullSecret } from "../lib/types";
-import { sanitizeName } from "./init/utils";
-import { deployImagePullSecret } from "../lib/assets/deploy";
+import { RootCmd } from "./root";
+import { buildModule } from "./build";
+import { deployImagePullSecret, deployWebhook } from "../lib/assets/deploy";
 import { namespaceDeploymentsReady } from "../lib/deploymentChecks";
+import { sanitizeName } from "./init/utils";
+import { validateCapabilityNames } from "../lib/helpers";
 
 export interface ImagePullSecretDetails {
   pullSecret?: string;
@@ -128,11 +128,12 @@ export default function (program: RootCmd): void {
       const webhook = new Assets(
         { ...builtModule.cfg.pepr, description: builtModule.cfg.description },
         builtModule.path,
+        [],
       );
       webhook.image = opts.image ?? webhook.image;
 
       try {
-        await webhook.deploy(opts.force, builtModule.cfg.pepr.webhookTimeout ?? 10);
+        await webhook.deploy(deployWebhook, opts.force, builtModule.cfg.pepr.webhookTimeout ?? 10);
 
         // wait for capabilities to be loaded and test names
         validateCapabilityNames(webhook.capabilities);

package/src/cli/dev.ts

@@ -1,15 +1,17 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-import { ChildProcess, fork } from "child_process";
-import { promises as fs } from "fs";
 import prompt from "prompts";
-import { validateCapabilityNames } from "../lib/helpers";
 import { Assets } from "../lib/assets/assets";
-import { buildModule, loadModule } from "./build";
-import { RootCmd } from "./root";
+import { ChildProcess, fork } from "child_process";
 import { K8s, kind } from "kubernetes-fluent-client";
+import { RootCmd } from "./root";
 import { Store } from "../lib/k8s";
+import { buildModule, loadModule } from "./build";
+import { deployWebhook } from "../lib/assets/deploy";
+import { promises as fs } from "fs";
+import { validateCapabilityNames } from "../lib/helpers";
+
 export default function (program: RootCmd): void {
   program
     .command("dev")
@@ -41,6 +43,7 @@ export default function (program: RootCmd): void {
           description: cfg.description,
         },
         path,
+        [],
         opts.host,
       );
 
@@ -59,7 +62,7 @@ export default function (program: RootCmd): void {
           console.info(`Running module ${path}`);
 
           // Deploy the webhook with a 30 second timeout for debugging, don't force
-          await webhook.deploy(false, 30);
+          await webhook.deploy(deployWebhook, false, 30);
 
           try {
             // wait for capabilities to be loaded and test names

package/src/cli/init/templates.ts

@@ -6,16 +6,17 @@ import { inspect } from "util";
 import { v4 as uuidv4, v5 as uuidv5 } from "uuid";
 
 import eslintJSON from "../../templates/.eslintrc.template.json";
+import peprSnippetsJSON from "../../templates/pepr.code-snippets.json";
 import prettierJSON from "../../templates/.prettierrc.json";
 import samplesJSON from "../../templates/capabilities/hello-pepr.samples.json";
-import { gitIgnore, helloPeprTS, packageJSON, peprTS, readmeMd } from "../../templates/data.json";
-import peprSnippetsJSON from "../../templates/pepr.code-snippets.json";
 import settingsJSON from "../../templates/settings.json";
 import tsConfigJSON from "../../templates/tsconfig.module.json";
-import { sanitizeName } from "./utils";
+import { CustomLabels } from "../../lib/core/module";
 import { InitOptions } from "../types";
-import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
 import { OnError, RbacMode } from "./enums";
+import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
+import { gitIgnore, helloPeprTS, packageJSON, peprTS, readmeMd } from "../../templates/data.json";
+import { sanitizeName } from "./utils";
 
 export const { dependencies, devDependencies, peerDependencies, scripts, version } = packageJSON;
 
@@ -30,7 +31,7 @@ type peprPackageJSON = {
       uuid: string;
       onError: OnError;
       webhookTimeout: number;
-      customLabels: { namespace: Record<string, string> };
+      customLabels: CustomLabels;
       alwaysIgnore: { namespaces: string[] };
       includedFiles: string[];
       env: object;

package/src/fixtures/loader.ts

@@ -6,11 +6,11 @@ import admissionRequestDeletePod from "./data/admission-delete-pod.json";
 import admissionRequestCreateClusterRole from "./data/admission-create-clusterrole.json";
 import admissionRequestCreateDeployment from "./data/admission-create-deployment.json";
 
-export function AdmissionRequestCreateDeployment() {
+export function AdmissionRequestCreateDeployment(): AdmissionRequest<kind.Deployment> {
   return cloneObject<kind.Deployment>(admissionRequestCreateDeployment);
 }
 
-export function AdmissionRequestCreatePod() {
+export function AdmissionRequestCreatePod(): AdmissionRequest<kind.Pod> {
   return cloneObject<kind.Pod>(admissionRequestCreatePod);
 }