pepr 0.43.0 → 0.44.0-nightly.1

package/package.json

@@ -15,16 +15,16 @@
     "!src/**/*.test.ts",
     "!dist/**/*.test.d.ts*"
   ],
-  "version": "0.43.0",
+  "version": "0.44.0-nightly.1",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {
     "ci": "npm ci",
     "gen-data-json": "node hack/build-template-data.js",
     "prebuild": "rm -fr dist/* && npm run gen-data-json",
-    "version": "node scripts/set-version.js",
     "build": "tsc && node build.mjs && npm pack",
     "build:image": "npm run build && docker buildx build --output type=docker --tag pepr:dev .",
+    "set:version": "node scripts/set-version.js",
     "test": "npm run test:unit && npm run test:journey",
     "test:unit": "npm run gen-data-json && jest src --coverage --detectOpenHandles --coverageDirectory=./coverage --testPathIgnorePatterns='cosign.e2e.test.ts'",
     "test:integration": "npm run test:integration:prep && npm run test:integration:run",
@@ -88,4 +88,4 @@
     "typescript": "^5.3.3",
     "uuid": "11.0.3"
   }
-}
+}

package/src/cli/build.helpers.ts

@@ -12,6 +12,34 @@ import { generateAllYaml } from "../lib/assets/yaml/generateAllYaml";
 import { webhookConfigGenerator } from "../lib/assets/webhooks";
 import { generateZarfYamlGeneric } from "../lib/assets/yaml/generateZarfYaml";
 
+interface ImageOptions {
+  customImage?: string;
+  registryInfo?: string;
+  peprVersion?: string;
+  registry?: string;
+}
+/**
+ * Assign image string
+ * @param imageOptions CLI options for image
+ * @returns image string
+ */
+export function assignImage(imageOptions: ImageOptions): string {
+  const { customImage, registryInfo, peprVersion, registry } = imageOptions;
+  if (customImage) {
+    return customImage;
+  }
+
+  if (registryInfo) {
+    return `${registryInfo}/custom-pepr-controller:${peprVersion}`;
+  }
+
+  if (registry) {
+    return checkIronBankImage(registry, "", peprVersion!);
+  }
+
+  return "";
+}
+
 export type Reloader = (opts: BuildResult<BuildOptions>) => void | Promise<void>;
 /**
  * Determine the RBAC mode based on the CLI options and the module's config
@@ -114,19 +142,6 @@ export async function handleCustomImageBuild(
   }
 }
 
-/**
- * Disables embedding of deployment files into output module
- * @param embed
- * @param path
- * @returns
- */
-export function handleEmbedding(embed: boolean, path: string): void {
-  if (!embed) {
-    console.info(`✅ Module built successfully at ${path}`);
-    return;
-  }
-}
-
 /**
  * Check if the capability names are valid
  * @param capabilities The capabilities to check

package/src/cli/build.ts

@@ -11,23 +11,21 @@ import { RootCmd } from "./root";
 import { Option } from "commander";
 import { parseTimeout } from "../lib/helpers";
 import { peprFormat } from "./format";
+import { ModuleConfig } from "../lib/core/module";
 import {
   watchForChanges,
   determineRbacMode,
-  handleEmbedding,
+  assignImage,
   handleCustomOutputDir,
   handleValidCapabilityNames,
   handleCustomImageBuild,
-  checkIronBankImage,
   validImagePullSecret,
   generateYamlAndWriteToDisk,
 } from "./build.helpers";
-import { ModuleConfig } from "../lib/core/module";
 
 const peprTS = "pepr.ts";
 let outputDir: string = "dist";
 export type Reloader = (opts: BuildResult<BuildOptions>) => void | Promise<void>;
-
 export type PeprNestedFields = Pick<
   ModuleConfig,
   | "uuid"
@@ -64,7 +62,7 @@ type BuildModuleReturn = {
   path: string;
   cfg: PeprConfig;
   uuid: string;
-} | void;
+};
 
 export default function (program: RootCmd): void {
   program
@@ -134,68 +132,70 @@ export default function (program: RootCmd): void {
 
       // Build the module
       const buildModuleResult = await buildModule(undefined, opts.entryPoint, opts.embed);
-      if (buildModuleResult?.cfg && buildModuleResult.path && buildModuleResult.uuid) {
-        const { cfg, path, uuid } = buildModuleResult;
-        // Files to include in controller image for WASM support
-        const { includedFiles } = cfg.pepr;
-
-        let image = opts.customImage || "";
-
-        // Check if there is a custom timeout defined
-        if (opts.timeout !== undefined) {
-          cfg.pepr.webhookTimeout = opts.timeout;
-        }
-
-        if (opts.registryInfo !== undefined) {
-          console.info(`Including ${includedFiles.length} files in controller image.`);
-
-          // for journey test to make sure the image is built
-          image = `${opts.registryInfo}/custom-pepr-controller:${cfg.pepr.peprVersion}`;
-
-          // only actually build/push if there are files to include
-          await handleCustomImageBuild(includedFiles, cfg.pepr.peprVersion, cfg.description, image);
-        }
-
-        // If building without embedding, exit after building
-        handleEmbedding(opts.embed, path);
-
-        // set the image version if provided
-        opts.version ? (cfg.pepr.peprVersion = opts.version) : null;
-
-        // Generate a secret for the module
-        const assets = new Assets(
-          {
-            ...cfg.pepr,
-            appVersion: cfg.version,
-            description: cfg.description,
-            alwaysIgnore: {
-              namespaces: cfg.pepr.alwaysIgnore?.namespaces,
-            },
-            // Can override the rbacMode with the CLI option
-            rbacMode: determineRbacMode(opts, cfg),
-          },
-          path,
-          opts.withPullSecret === "" ? [] : [opts.withPullSecret],
-        );
 
-        // If registry is set to Iron Bank, use Iron Bank image
-        image = checkIronBankImage(opts.registry, image, cfg.pepr.peprVersion);
+      const { cfg, path, uuid } = buildModuleResult!;
+      const image = assignImage({
+        customImage: opts.customImage,
+        registryInfo: opts.registryInfo,
+        peprVersion: cfg.pepr.peprVersion,
+        registry: opts.registry,
+      });
+
+      // Check if there is a custom timeout defined
+      if (opts.timeout !== undefined) {
+        cfg.pepr.webhookTimeout = opts.timeout;
+      }
 
-        // if image is a custom image, use that instead of the default
-        image !== "" ? (assets.image = image) : null;
+      if (opts.registryInfo !== undefined) {
+        console.info(`Including ${cfg.pepr.includedFiles.length} files in controller image.`);
+        // for journey test to make sure the image is built
 
-        // Ensure imagePullSecret is valid
-        validImagePullSecret(opts.withPullSecret);
+        // only actually build/push if there are files to include
+        await handleCustomImageBuild(
+          cfg.pepr.includedFiles,
+          cfg.pepr.peprVersion,
+          cfg.description,
+          image,
+        );
+      }
 
-        handleValidCapabilityNames(assets.capabilities);
-        await generateYamlAndWriteToDisk({
-          uuid,
-          outputDir,
-          imagePullSecret: opts.withPullSecret,
-          zarf: opts.zarf,
-          assets,
-        });
+      // If building without embedding, exit after building
+      if (!opts.embed) {
+        console.info(`✅ Module built successfully at ${path}`);
+        return;
       }
+      // set the image version if provided
+      opts.version ? (cfg.pepr.peprVersion = opts.version) : null;
+
+      // Generate a secret for the module
+      const assets = new Assets(
+        {
+          ...cfg.pepr,
+          appVersion: cfg.version,
+          description: cfg.description,
+          alwaysIgnore: {
+            namespaces: cfg.pepr.alwaysIgnore?.namespaces,
+          },
+          // Can override the rbacMode with the CLI option
+          rbacMode: determineRbacMode(opts, cfg),
+        },
+        path,
+        opts.withPullSecret === "" ? [] : [opts.withPullSecret],
+      );
+
+      image !== "" ? (assets.image = image) : null;
+
+      // Ensure imagePullSecret is valid
+      validImagePullSecret(opts.withPullSecret);
+
+      handleValidCapabilityNames(assets.capabilities);
+      await generateYamlAndWriteToDisk({
+        uuid,
+        outputDir,
+        imagePullSecret: opts.withPullSecret,
+        zarf: opts.zarf,
+        assets,
+      });
     });
 }
 
@@ -253,7 +253,7 @@ export async function buildModule(
   reloader?: Reloader,
   entryPoint = peprTS,
   embed = true,
-): Promise<BuildModuleReturn> {
+): Promise<BuildModuleReturn | void> {
   try {
     const { cfg, modulePath, path, uuid } = await loadModule(entryPoint);
 

package/src/cli/dev.ts

@@ -11,6 +11,7 @@ import { buildModule, loadModule } from "./build";
 import { deployWebhook } from "../lib/assets/deploy";
 import { promises as fs } from "fs";
 import { validateCapabilityNames } from "../lib/helpers";
+
 export default function (program: RootCmd): void {
   program
     .command("dev")
@@ -42,6 +43,7 @@ export default function (program: RootCmd): void {
           description: cfg.description,
         },
         path,
+        [],
         opts.host,
       );
 

package/src/cli/init/templates.ts

@@ -6,16 +6,17 @@ import { inspect } from "util";
 import { v4 as uuidv4, v5 as uuidv5 } from "uuid";
 
 import eslintJSON from "../../templates/.eslintrc.template.json";
+import peprSnippetsJSON from "../../templates/pepr.code-snippets.json";
 import prettierJSON from "../../templates/.prettierrc.json";
 import samplesJSON from "../../templates/capabilities/hello-pepr.samples.json";
-import { gitIgnore, helloPeprTS, packageJSON, peprTS, readmeMd } from "../../templates/data.json";
-import peprSnippetsJSON from "../../templates/pepr.code-snippets.json";
 import settingsJSON from "../../templates/settings.json";
 import tsConfigJSON from "../../templates/tsconfig.module.json";
-import { sanitizeName } from "./utils";
+import { CustomLabels } from "../../lib/core/module";
 import { InitOptions } from "../types";
-import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
 import { OnError, RbacMode } from "./enums";
+import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
+import { gitIgnore, helloPeprTS, packageJSON, peprTS, readmeMd } from "../../templates/data.json";
+import { sanitizeName } from "./utils";
 
 export const { dependencies, devDependencies, peerDependencies, scripts, version } = packageJSON;
 
@@ -30,7 +31,7 @@ type peprPackageJSON = {
       uuid: string;
       onError: OnError;
       webhookTimeout: number;
-      customLabels: { namespace: Record<string, string> };
+      customLabels: CustomLabels;
       alwaysIgnore: { namespaces: string[] };
       includedFiles: string[];
       env: object;

package/src/lib/core/module.ts

@@ -12,37 +12,41 @@ import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
 import { resolveIgnoreNamespaces } from "../assets/webhooks";
 
 /** Custom Labels Type for package.json */
-export interface CustomLabels {
-  namespace?: Record<string, string>;
-}
-/** Global configuration for the Pepr runtime. */
-export type ModuleConfig = {
+
+export type CustomLabels = { namespace: Record<string, string> } | Record<string, never>;
+
+/** Configuration that MAY be set a Pepr module's package.json. */
+export type ModuleConfigOptions = {
   /** The Pepr version this module uses */
-  peprVersion?: string;
+  peprVersion: string;
   /** The user-defined version of the module */
-  appVersion?: string;
-  /** A unique identifier for this Pepr module. This is automatically generated by Pepr. */
-  uuid: string;
+  appVersion: string;
   /** A description of the Pepr module and what it does. */
-  description?: string;
+  description: string;
   /** The webhookTimeout */
-  webhookTimeout?: number;
+  webhookTimeout: number;
   /** Reject K8s resource AdmissionRequests on error. */
-  onError?: string;
-  /** Configure global exclusions that will never be processed by Pepr. */
-  alwaysIgnore: WebhookIgnore;
+  onError: string;
   /** Define the log level for the in-cluster controllers */
-  logLevel?: string;
+  logLevel: string;
   /** Propagate env variables to in-cluster controllers */
-  env?: Record<string, string>;
-  /** Custom Labels for Kubernetes Objects */
-  customLabels?: CustomLabels;
+  env: Record<string, string>;
   /** Custom RBAC rules */
-  rbac?: PolicyRule[];
+  rbac: PolicyRule[];
   /** The RBAC mode; if "scoped", generates scoped rules, otherwise uses wildcard rules. */
-  rbacMode?: string;
+  rbacMode: string;
+  /** Custom Labels for Kubernetes Objects */
+  customLabels: CustomLabels;
 };
 
+/** Global configuration for the Pepr runtime. */
+export type ModuleConfig = {
+  /** A unique identifier for this Pepr module. This is automatically generated by Pepr. */
+  uuid: string;
+  /** Configure global exclusions that will never be processed by Pepr. */
+  alwaysIgnore: WebhookIgnore;
+} & Partial<ModuleConfigOptions>;
+
 export type PackageJSON = {
   description: string;
   pepr: ModuleConfig;

package/src/lib/processors/mutate-processor.ts

@@ -4,7 +4,7 @@
 import jsonPatch from "fast-json-patch";
 import { kind, KubernetesObject } from "kubernetes-fluent-client";
 import { clone } from "ramda";
-
+import { MeasureWebhookTimeout } from "../telemetry/webhookTimeouts";
 import { Capability } from "../core/capability";
 import { shouldSkipRequest } from "../filter/filter";
 import { MutateResponse } from "../k8s";
@@ -15,7 +15,8 @@ import { PeprMutateRequest } from "../mutate-request";
 import { base64Encode, convertFromBase64Map, convertToBase64Map } from "../utils";
 import { OnError } from "../../cli/init/enums";
 import { resolveIgnoreNamespaces } from "../assets/webhooks";
-
+import { Operation } from "fast-json-patch";
+import { WebhookType } from "../enums";
 export interface Bindable {
   req: AdmissionRequest;
   config: ModuleConfig;
@@ -139,6 +140,8 @@ export async function mutateProcessor(
   req: AdmissionRequest,
   reqMetadata: Record<string, string>,
 ): Promise<MutateResponse> {
+  const webhookTimer = new MeasureWebhookTimeout(WebhookType.MUTATE);
+  webhookTimer.start(config.webhookTimeout);
   let response: MutateResponse = {
     uid: req.uid,
     warnings: [],
@@ -207,6 +210,14 @@ export async function mutateProcessor(
   // Compare the original request to the modified request to get the patches
   const patches = jsonPatch.compare(req.object, transformed);
 
+  updateResponsePatchAndWarnings(patches, response);
+
+  Log.debug({ ...reqMetadata, patches }, `Patches generated`);
+  webhookTimer.stop();
+  return response;
+}
+
+export function updateResponsePatchAndWarnings(patches: Operation[], response: MutateResponse): void {
   // Only add the patch if there are patches to apply
   if (patches.length > 0) {
     response.patchType = "JSONPatch";
@@ -219,8 +230,4 @@ export async function mutateProcessor(
   if (response.warnings && response.warnings.length < 1) {
     delete response.warnings;
   }
-
-  Log.debug({ ...reqMetadata, patches }, `Patches generated`);
-
-  return response;
 }

package/src/lib/processors/validate-processor.ts

@@ -11,6 +11,8 @@ import { convertFromBase64Map } from "../utils";
 import { PeprValidateRequest } from "../validate-request";
 import { ModuleConfig } from "../core/module";
 import { resolveIgnoreNamespaces } from "../assets/webhooks";
+import { MeasureWebhookTimeout } from "../telemetry/webhookTimeouts";
+import { WebhookType } from "../enums";
 
 export async function processRequest(
   binding: Binding,
@@ -58,12 +60,13 @@ export async function validateProcessor(
   req: AdmissionRequest,
   reqMetadata: Record<string, string>,
 ): Promise<ValidateResponse[]> {
+  const webhookTimer = new MeasureWebhookTimeout(WebhookType.VALIDATE);
+  webhookTimer.start(config.webhookTimeout);
   const wrapped = new PeprValidateRequest(req);
   const response: ValidateResponse[] = [];
 
   // If the resource is a secret, decode the data
-  const isSecret = req.kind.version === "v1" && req.kind.kind === "Secret";
-  if (isSecret) {
+  if (req.kind.version === "v1" && req.kind.kind === "Secret") {
     convertFromBase64Map(wrapped.Raw as unknown as kind.Secret);
   }
 
@@ -94,6 +97,6 @@ export async function validateProcessor(
       response.push(resp);
     }
   }
-
+  webhookTimer.stop();
   return response;
 }

package/src/lib/telemetry/timeUtils.ts

@@ -0,0 +1 @@
+export const getNow = (): number => performance.now();

package/src/lib/telemetry/webhookTimeouts.ts

@@ -0,0 +1,34 @@
+import { metricsCollector } from "./metrics";
+import { getNow } from "./timeUtils";
+import Log from "./logger";
+import { WebhookType } from "../enums";
+export class MeasureWebhookTimeout {
+  #startTime: number | null = null;
+  #webhookType: string;
+  timeout: number = 0;
+
+  constructor(webhookType: WebhookType) {
+    this.#webhookType = webhookType;
+    metricsCollector.addCounter(`${webhookType}_timeouts`, `Number of ${webhookType} webhook timeouts`);
+  }
+
+  start(timeout: number = 10): void {
+    this.#startTime = getNow();
+    this.timeout = timeout;
+    Log.info(`Starting timer at ${this.#startTime}`);
+  }
+
+  stop(): void {
+    if (this.#startTime === null) {
+      throw new Error("Timer was not started before calling stop.");
+    }
+
+    const elapsedTime = getNow() - this.#startTime;
+    Log.info(`Webhook ${this.#startTime} took ${elapsedTime}ms`);
+    this.#startTime = null;
+
+    if (elapsedTime > this.timeout) {
+      metricsCollector.incCounter(`${this.#webhookType}_timeouts`);
+    }
+  }
+}