pepr 0.44.0 → 0.45.0-nightly.1

package/package.json

@@ -15,27 +15,26 @@
     "!src/**/*.test.ts",
     "!dist/**/*.test.d.ts*"
   ],
-  "version": "0.44.0",
+  "version": "0.45.0-nightly.1",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {
     "ci": "npm ci",
     "gen-data-json": "node hack/build-template-data.js",
     "prebuild": "rm -fr dist/* && npm run gen-data-json",
-    "version": "node scripts/set-version.js",
     "build": "tsc && node build.mjs && npm pack",
     "build:image": "npm run build && docker buildx build --output type=docker --tag pepr:dev .",
+    "set:version": "node scripts/set-version.js",
     "test": "npm run test:unit && npm run test:journey",
     "test:unit": "npm run gen-data-json && jest src --coverage --detectOpenHandles --coverageDirectory=./coverage --testPathIgnorePatterns='cosign.e2e.test.ts'",
     "test:integration": "npm run test:integration:prep && npm run test:integration:run",
     "test:integration:prep": "./integration/prep.sh",
     "test:integration:run": "jest --maxWorkers=4 integration",
     "test:journey": "npm run test:journey:k3d && npm run build && npm run test:journey:image && npm run test:journey:run",
-    "test:journey:prep": "if [ ! -d ./pepr-upgrade-test ]; then git clone https://github.com/defenseunicorns/pepr-upgrade-test.git ; fi",
     "test:journey-wasm": "npm run test:journey:k3d && npm run build && npm run test:journey:image && npm run test:journey:run-wasm",
     "test:journey:k3d": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0' --wait && kubectl rollout status deployment -n kube-system",
     "test:journey:image": "docker buildx build --output type=docker --tag pepr:dev . && k3d image import pepr:dev -c pepr-dev",
-    "test:journey:run": "jest --detectOpenHandles journey/entrypoint.test.ts && npm run test:journey:prep && npm run test:journey:upgrade",
+    "test:journey:run": "jest --detectOpenHandles journey/entrypoint.test.ts && npm run test:journey:upgrade",
     "test:journey:run-wasm": "jest --detectOpenHandles journey/entrypoint-wasm.test.ts",
     "test:journey:upgrade": "npm run test:journey:k3d && npm run test:journey:image && jest --detectOpenHandles journey/pepr-upgrade.test.ts",
     "format:check": "eslint src && prettier src --check",
@@ -57,8 +56,8 @@
     "sigstore": "3.0.0"
   },
   "devDependencies": {
-    "@commitlint/cli": "19.6.1",
-    "@commitlint/config-conventional": "19.6.0",
+    "@commitlint/cli": "19.7.1",
+    "@commitlint/config-conventional": "19.7.1",
     "@fast-check/jest": "^2.0.1",
     "@jest/globals": "29.7.0",
     "@types/eslint": "9.6.1",
@@ -72,20 +71,24 @@
     "husky": "^9.1.6",
     "jest": "29.7.0",
     "js-yaml": "^4.1.0",
+    "shellcheck": "^3.0.0",
     "ts-jest": "29.2.5",
     "undici": "^7.0.1"
   },
+  "overrides": {
+    "glob": "^9.0.0"
+  },
   "peerDependencies": {
-    "@typescript-eslint/eslint-plugin": "7.18.0",
-    "@typescript-eslint/parser": "7.18.0",
     "@types/prompts": "2.4.9",
+    "@typescript-eslint/eslint-plugin": "8.23.0",
+    "@typescript-eslint/parser": "8.23.0",
+    "commander": "13.1.0",
+    "esbuild": "0.24.2",
     "eslint": "8.57.0",
-    "commander": "12.1.0",
-    "esbuild": "0.24.0",
     "node-forge": "1.3.1",
     "prettier": "3.4.2",
     "prompts": "2.4.2",
-    "typescript": "^5.3.3",
-    "uuid": "11.0.3"
+    "typescript": "5.7.3",
+    "uuid": "11.0.5"
   }
-}
+}

package/src/cli/build.helpers.ts

@@ -12,6 +12,34 @@ import { generateAllYaml } from "../lib/assets/yaml/generateAllYaml";
 import { webhookConfigGenerator } from "../lib/assets/webhooks";
 import { generateZarfYamlGeneric } from "../lib/assets/yaml/generateZarfYaml";
 
+interface ImageOptions {
+  customImage?: string;
+  registryInfo?: string;
+  peprVersion?: string;
+  registry?: string;
+}
+/**
+ * Assign image string
+ * @param imageOptions CLI options for image
+ * @returns image string
+ */
+export function assignImage(imageOptions: ImageOptions): string {
+  const { customImage, registryInfo, peprVersion, registry } = imageOptions;
+  if (customImage) {
+    return customImage;
+  }
+
+  if (registryInfo) {
+    return `${registryInfo}/custom-pepr-controller:${peprVersion}`;
+  }
+
+  if (registry) {
+    return checkIronBankImage(registry, "", peprVersion!);
+  }
+
+  return "";
+}
+
 export type Reloader = (opts: BuildResult<BuildOptions>) => void | Promise<void>;
 /**
  * Determine the RBAC mode based on the CLI options and the module's config
@@ -114,19 +142,6 @@ export async function handleCustomImageBuild(
   }
 }
 
-/**
- * Disables embedding of deployment files into output module
- * @param embed
- * @param path
- * @returns
- */
-export function handleEmbedding(embed: boolean, path: string): void {
-  if (!embed) {
-    console.info(`✅ Module built successfully at ${path}`);
-    return;
-  }
-}
-
 /**
  * Check if the capability names are valid
  * @param capabilities The capabilities to check

package/src/cli/build.ts

@@ -11,23 +11,21 @@ import { RootCmd } from "./root";
 import { Option } from "commander";
 import { parseTimeout } from "../lib/helpers";
 import { peprFormat } from "./format";
+import { ModuleConfig } from "../lib/types";
 import {
   watchForChanges,
   determineRbacMode,
-  handleEmbedding,
+  assignImage,
   handleCustomOutputDir,
   handleValidCapabilityNames,
   handleCustomImageBuild,
-  checkIronBankImage,
   validImagePullSecret,
   generateYamlAndWriteToDisk,
 } from "./build.helpers";
-import { ModuleConfig } from "../lib/core/module";
 
 const peprTS = "pepr.ts";
 let outputDir: string = "dist";
 export type Reloader = (opts: BuildResult<BuildOptions>) => void | Promise<void>;
-
 export type PeprNestedFields = Pick<
   ModuleConfig,
   | "uuid"
@@ -64,7 +62,7 @@ type BuildModuleReturn = {
   path: string;
   cfg: PeprConfig;
   uuid: string;
-} | void;
+};
 
 export default function (program: RootCmd): void {
   program
@@ -97,7 +95,7 @@ export default function (program: RootCmd): void {
     .addOption(
       new Option(
         "-v, --version <version>",
-        "The version of the Pepr image to use in the deployment manifests. Example: '0.27.3'.",
+        "DEPRECATED: The version of the Pepr image to use in the deployment manifests. Example: '0.27.3'.",
       ).conflicts(["customImage", "registryInfo"]),
     )
     .option(
@@ -134,68 +132,70 @@ export default function (program: RootCmd): void {
 
       // Build the module
       const buildModuleResult = await buildModule(undefined, opts.entryPoint, opts.embed);
-      if (buildModuleResult?.cfg && buildModuleResult.path && buildModuleResult.uuid) {
-        const { cfg, path, uuid } = buildModuleResult;
-        // Files to include in controller image for WASM support
-        const { includedFiles } = cfg.pepr;
-
-        let image = opts.customImage || "";
-
-        // Check if there is a custom timeout defined
-        if (opts.timeout !== undefined) {
-          cfg.pepr.webhookTimeout = opts.timeout;
-        }
-
-        if (opts.registryInfo !== undefined) {
-          console.info(`Including ${includedFiles.length} files in controller image.`);
-
-          // for journey test to make sure the image is built
-          image = `${opts.registryInfo}/custom-pepr-controller:${cfg.pepr.peprVersion}`;
-
-          // only actually build/push if there are files to include
-          await handleCustomImageBuild(includedFiles, cfg.pepr.peprVersion, cfg.description, image);
-        }
-
-        // If building without embedding, exit after building
-        handleEmbedding(opts.embed, path);
-
-        // set the image version if provided
-        opts.version ? (cfg.pepr.peprVersion = opts.version) : null;
-
-        // Generate a secret for the module
-        const assets = new Assets(
-          {
-            ...cfg.pepr,
-            appVersion: cfg.version,
-            description: cfg.description,
-            alwaysIgnore: {
-              namespaces: cfg.pepr.alwaysIgnore?.namespaces,
-            },
-            // Can override the rbacMode with the CLI option
-            rbacMode: determineRbacMode(opts, cfg),
-          },
-          path,
-          opts.withPullSecret === "" ? [] : [opts.withPullSecret],
-        );
 
-        // If registry is set to Iron Bank, use Iron Bank image
-        image = checkIronBankImage(opts.registry, image, cfg.pepr.peprVersion);
+      const { cfg, path, uuid } = buildModuleResult!;
+      const image = assignImage({
+        customImage: opts.customImage,
+        registryInfo: opts.registryInfo,
+        peprVersion: cfg.pepr.peprVersion,
+        registry: opts.registry,
+      });
+
+      // Check if there is a custom timeout defined
+      if (opts.timeout !== undefined) {
+        cfg.pepr.webhookTimeout = opts.timeout;
+      }
 
-        // if image is a custom image, use that instead of the default
-        image !== "" ? (assets.image = image) : null;
+      if (opts.registryInfo !== undefined) {
+        console.info(`Including ${cfg.pepr.includedFiles.length} files in controller image.`);
+        // for journey test to make sure the image is built
 
-        // Ensure imagePullSecret is valid
-        validImagePullSecret(opts.withPullSecret);
+        // only actually build/push if there are files to include
+        await handleCustomImageBuild(
+          cfg.pepr.includedFiles,
+          cfg.pepr.peprVersion,
+          cfg.description,
+          image,
+        );
+      }
 
-        handleValidCapabilityNames(assets.capabilities);
-        await generateYamlAndWriteToDisk({
-          uuid,
-          outputDir,
-          imagePullSecret: opts.withPullSecret,
-          zarf: opts.zarf,
-          assets,
-        });
+      // If building without embedding, exit after building
+      if (!opts.embed) {
+        console.info(`✅ Module built successfully at ${path}`);
+        return;
       }
+      // set the image version if provided -- DEPRECATED
+      if (opts.version) cfg.pepr.peprVersion = opts.version;
+
+      // Generate a secret for the module
+      const assets = new Assets(
+        {
+          ...cfg.pepr,
+          appVersion: cfg.version,
+          description: cfg.description,
+          alwaysIgnore: {
+            namespaces: cfg.pepr.alwaysIgnore?.namespaces,
+          },
+          // Can override the rbacMode with the CLI option
+          rbacMode: determineRbacMode(opts, cfg),
+        },
+        path,
+        opts.withPullSecret === "" ? [] : [opts.withPullSecret],
+      );
+
+      if (image !== "") assets.image = image;
+
+      // Ensure imagePullSecret is valid
+      validImagePullSecret(opts.withPullSecret);
+
+      handleValidCapabilityNames(assets.capabilities);
+      await generateYamlAndWriteToDisk({
+        uuid,
+        outputDir,
+        imagePullSecret: opts.withPullSecret,
+        zarf: opts.zarf,
+        assets,
+      });
     });
 }
 
@@ -218,7 +218,7 @@ export async function loadModule(entryPoint = peprTS): Promise<LoadModuleReturn>
   try {
     await fs.access(cfgPath);
     await fs.access(entryPointPath);
-  } catch (e) {
+  } catch {
     console.error(
       `Could not find ${cfgPath} or ${entryPointPath} in the current directory. Please run this command from the root of your module's directory.`,
     );
@@ -253,7 +253,7 @@ export async function buildModule(
   reloader?: Reloader,
   entryPoint = peprTS,
   embed = true,
-): Promise<BuildModuleReturn> {
+): Promise<BuildModuleReturn | void> {
   try {
     const { cfg, modulePath, path, uuid } = await loadModule(entryPoint);
 

package/src/cli/deploy.ts

@@ -93,6 +93,35 @@ export async function getUserConfirmation(opts: { confirm: boolean }): Promise<b
   return confirm.confirm ? true : false;
 }
 
+async function buildAndDeployModule(image: string, force: boolean): Promise<void> {
+  const builtModule = await buildModule();
+  if (!builtModule) {
+    return;
+  }
+
+  // Generate a secret for the module
+  const webhook = new Assets(
+    { ...builtModule.cfg.pepr, description: builtModule.cfg.description },
+    builtModule.path,
+    [],
+  );
+  webhook.image = image ?? webhook.image;
+
+  try {
+    await webhook.deploy(deployWebhook, force, builtModule.cfg.pepr.webhookTimeout ?? 10);
+
+    // wait for capabilities to be loaded and test names
+    validateCapabilityNames(webhook.capabilities);
+
+    // Wait for the pepr-system resources to be fully up
+    await namespaceDeploymentsReady();
+    console.info(`✅ Module deployed successfully`);
+  } catch (e) {
+    console.error(`Error deploying module:`, e);
+    process.exit(1);
+  }
+}
+
 export default function (program: RootCmd): void {
   program
     .command("deploy")
@@ -117,33 +146,10 @@ export default function (program: RootCmd): void {
         return;
       }
 
-      (await getUserConfirmation(opts)) || process.exit(0);
-
-      const builtModule = await buildModule();
-      if (!builtModule) {
-        return;
+      if (!(await getUserConfirmation(opts))) {
+        process.exit(0);
       }
 
-      // Generate a secret for the module
-      const webhook = new Assets(
-        { ...builtModule.cfg.pepr, description: builtModule.cfg.description },
-        builtModule.path,
-        [],
-      );
-      webhook.image = opts.image ?? webhook.image;
-
-      try {
-        await webhook.deploy(deployWebhook, opts.force, builtModule.cfg.pepr.webhookTimeout ?? 10);
-
-        // wait for capabilities to be loaded and test names
-        validateCapabilityNames(webhook.capabilities);
-
-        // Wait for the pepr-system resources to be fully up
-        await namespaceDeploymentsReady();
-        console.info(`✅ Module deployed successfully`);
-      } catch (e) {
-        console.error(`Error deploying module:`, e);
-        process.exit(1);
-      }
+      await buildAndDeployModule(opts.image, opts.force);
     });
 }

package/src/cli/init/index.ts

@@ -107,7 +107,7 @@ const doPostInitActions = (dirName: string): void => {
     execSync("code .", {
       stdio: "inherit",
     });
-  } catch (e) {
-    // vscode not found, do nothing
+  } catch {
+    console.warn("VSCode was not found, IDE will not automatically open.");
   }
 };

package/src/cli/init/templates.ts

@@ -6,16 +6,17 @@ import { inspect } from "util";
 import { v4 as uuidv4, v5 as uuidv5 } from "uuid";
 
 import eslintJSON from "../../templates/.eslintrc.template.json";
+import peprSnippetsJSON from "../../templates/pepr.code-snippets.json";
 import prettierJSON from "../../templates/.prettierrc.json";
 import samplesJSON from "../../templates/capabilities/hello-pepr.samples.json";
-import { gitIgnore, helloPeprTS, packageJSON, peprTS, readmeMd } from "../../templates/data.json";
-import peprSnippetsJSON from "../../templates/pepr.code-snippets.json";
 import settingsJSON from "../../templates/settings.json";
 import tsConfigJSON from "../../templates/tsconfig.module.json";
-import { sanitizeName } from "./utils";
+import { CustomLabels } from "../../lib/types";
 import { InitOptions } from "../types";
-import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
 import { OnError, RbacMode } from "./enums";
+import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
+import { gitIgnore, helloPeprTS, packageJSON, peprTS, readmeMd } from "../../templates/data.json";
+import { sanitizeName } from "./utils";
 
 export const { dependencies, devDependencies, peerDependencies, scripts, version } = packageJSON;
 
@@ -30,7 +31,7 @@ type peprPackageJSON = {
       uuid: string;
       onError: OnError;
       webhookTimeout: number;
-      customLabels: { namespace: Record<string, string> };
+      customLabels: CustomLabels;
       alwaysIgnore: { namespaces: string[] };
       includedFiles: string[];
       env: object;

package/src/cli/init/walkthrough.ts

@@ -38,7 +38,7 @@ export async function setName(name?: string): Promise<Answers<string>> {
         await fs.access(name, fs.constants.F_OK);
 
         return "A directory with this name already exists";
-      } catch (e) {
+      } catch {
         return val.length > 2 || "The name must be at least 3 characters long";
       }
     },

package/src/lib/assets/assets.ts

@@ -1,6 +1,6 @@
 import crypto from "crypto";
 import { CapabilityExport } from "../types";
-import { ModuleConfig } from "../core/module";
+import { ModuleConfig } from "../types";
 import { TLSOut, genTLS } from "../tls";
 import { WebhookIgnore } from "../k8s";
 import {
@@ -81,7 +81,7 @@ export class Assets {
 
   allYaml = async (
     yamlGenerationFunction: (
-      assyts: Assets,
+      assets: Assets,
       deployments: { default: V1Deployment; watch: V1Deployment | null },
     ) => Promise<string>,
     imagePullSecret?: string,

package/src/lib/assets/index.ts

@@ -5,14 +5,13 @@ import { dumpYaml } from "@kubernetes/client-node";
 import { kind } from "kubernetes-fluent-client";
 import { replaceString } from "../helpers";
 import { resolve } from "path";
-import { ModuleConfig } from "../core/module";
+import { ModuleConfig } from "../types";
 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 export function toYaml(obj: any): string {
   return dumpYaml(obj, { noRefs: true });
 }
 
-// Unit Test Me!!
 export function createWebhookYaml(
   name: string,
   config: ModuleConfig,

package/src/lib/assets/pods.ts

@@ -6,7 +6,7 @@ import { kind } from "kubernetes-fluent-client";
 import { gzipSync } from "zlib";
 import { secretOverLimit } from "../helpers";
 import { Assets } from "./assets";
-import { ModuleConfig } from "../core/module";
+import { ModuleConfig } from "../types";
 import { Binding } from "../types";
 
 /** Generate the pepr-system namespace */

package/src/lib/assets/rbac.ts

@@ -24,8 +24,7 @@ export function clusterRole(
   const rbacMap = createRBACMap(capabilities);
   // Generate scoped rules from rbacMap
   const scopedRules = Object.keys(rbacMap).map(key => {
-    let group: string;
-    key.split("/").length < 3 ? (group = "") : (group = key.split("/")[0]);
+    const group: string = key.split("/").length < 3 ? "" : key.split("/")[0];
 
     return {
       apiGroups: [group],

package/src/lib/assets/webhooks.ts

@@ -15,7 +15,7 @@ import { Binding } from "../types";
 
 export const peprIgnoreNamespaces: string[] = ["kube-system", "pepr-system"];
 
-const validateRule = (binding: Binding, isMutateWebhook: boolean): V1RuleWithOperations | undefined => {
+export const validateRule = (binding: Binding, isMutateWebhook: boolean): V1RuleWithOperations | undefined => {
   const { event, kind, isMutate, isValidate } = binding;
 
   // Skip invalid bindings based on webhook type

package/src/lib/assets/yaml/overridesFile.ts

@@ -1,21 +1,19 @@
 import { genEnv } from "../pods";
-import { ModuleConfig } from "../../core/module";
+import { ModuleConfig } from "../../types";
 import { CapabilityExport } from "../../types";
 import { dumpYaml } from "@kubernetes/client-node";
 import { clusterRole } from "../rbac";
 import { promises as fs } from "fs";
 
-type CommonOverrideValues = {
+type ChartOverrides = {
   apiToken: string;
   capabilities: CapabilityExport[];
   config: ModuleConfig;
   hash: string;
   name: string;
-};
-
-type ChartOverrides = CommonOverrideValues & {
   image: string;
 };
+
 // Helm Chart overrides file (values.yaml) generated from assets
 export async function overridesFile(
   { hash, name, image, config, apiToken, capabilities }: ChartOverrides,
@@ -34,7 +32,7 @@ export async function overridesFile(
     hash,
     namespace: {
       annotations: {},
-      labels: {
+      labels: config.customLabels?.namespace ?? {
         "pepr.dev": "",
       },
     },

package/src/lib/controller/index.ts

@@ -9,13 +9,20 @@ import { Capability } from "../core/capability";
 import { MutateResponse, ValidateResponse } from "../k8s";
 import Log from "../telemetry/logger";
 import { metricsCollector, MetricsCollector } from "../telemetry/metrics";
-import { ModuleConfig, isWatchMode } from "../core/module";
+import { isWatchMode } from "../core/envChecks";
+import { ModuleConfig } from "../types";
 import { mutateProcessor } from "../processors/mutate-processor";
 import { validateProcessor } from "../processors/validate-processor";
 import { StoreController } from "./store";
 import { AdmissionRequest } from "../types";
 import { karForMutate, karForValidate, KubeAdmissionReview } from "./index.util";
 
+export interface ControllerHooks {
+  beforeHook?: (req: AdmissionRequest) => void;
+  afterHook?: (res: MutateResponse | ValidateResponse) => void;
+  onReady?: () => void;
+}
+
 if (!process.env.PEPR_NODE_WARNINGS) {
   process.removeAllListeners("warning");
 }
@@ -39,20 +46,17 @@ export class Controller {
   readonly #beforeHook?: (req: AdmissionRequest) => void;
   readonly #afterHook?: (res: MutateResponse | ValidateResponse) => void;
 
-  constructor(
-    config: ModuleConfig,
-    capabilities: Capability[],
-    beforeHook?: (req: AdmissionRequest) => void,
-    afterHook?: (res: MutateResponse | ValidateResponse) => void,
-    onReady?: () => void,
-  ) {
+  constructor(config: ModuleConfig, capabilities: Capability[], hooks: ControllerHooks = {}) {
+    const { beforeHook, afterHook, onReady } = hooks;
     this.#config = config;
     this.#capabilities = capabilities;
 
     // Initialize the Pepr store for each capability
     new StoreController(capabilities, `pepr-${config.uuid}-store`, () => {
       this.#bindEndpoints();
-      onReady && onReady();
+      if (typeof onReady === "function") {
+        onReady();
+      }
       Log.info("✅ Controller startup complete");
       // Initialize the schedule store for each capability
       new StoreController(capabilities, `pepr-${config.uuid}-schedule`, () => {
@@ -223,7 +227,9 @@ export class Controller {
         Log.debug({ ...reqMetadata, request }, "Incoming request body");
 
         // Run the before hook if it exists
-        this.#beforeHook && this.#beforeHook(request || {});
+        if (typeof this.#beforeHook === "function") {
+          this.#beforeHook(request || {});
+        }
 
         // Process the request
         const response: MutateResponse | ValidateResponse[] =
@@ -233,7 +239,9 @@ export class Controller {
 
         // Run the after hook if it exists
         [response].flat().map(res => {
-          this.#afterHook && this.#afterHook(res);
+          if (typeof this.#afterHook === "function") {
+            this.#afterHook(res);
+          }
           Log.info({ ...reqMetadata, res }, "Check response");
         });
 

package/src/lib/core/capability.ts

@@ -4,7 +4,7 @@
 import { GenericClass, GroupVersionKind, modelToGroupVersionKind } from "kubernetes-fluent-client";
 import { pickBy } from "ramda";
 import Log from "../telemetry/logger";
-import { isBuildMode, isDevMode, isWatchMode } from "./module";
+import { isBuildMode, isDevMode, isWatchMode } from "./envChecks";
 import { PeprStore, Storage } from "./storage";
 import { OnSchedule, Schedule } from "./schedule";
 import { Event } from "../enums";

package/src/lib/core/envChecks.ts

@@ -0,0 +1,6 @@
+export const isWatchMode = (): boolean => process.env.PEPR_WATCH_MODE === "true";
+// Track if Pepr is running in build mode
+
+export const isBuildMode = (): boolean => process.env.PEPR_MODE === "build";
+
+export const isDevMode = (): boolean => process.env.PEPR_MODE === "dev";