pepr 0.44.0 → 0.45.0

package/package.json

@@ -15,16 +15,16 @@
     "!src/**/*.test.ts",
     "!dist/**/*.test.d.ts*"
   ],
-  "version": "0.44.0",
+  "version": "0.45.0",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {
     "ci": "npm ci",
     "gen-data-json": "node hack/build-template-data.js",
     "prebuild": "rm -fr dist/* && npm run gen-data-json",
-    "version": "node scripts/set-version.js",
     "build": "tsc && node build.mjs && npm pack",
     "build:image": "npm run build && docker buildx build --output type=docker --tag pepr:dev .",
+    "set:version": "node scripts/set-version.js",
     "test": "npm run test:unit && npm run test:journey",
     "test:unit": "npm run gen-data-json && jest src --coverage --detectOpenHandles --coverageDirectory=./coverage --testPathIgnorePatterns='cosign.e2e.test.ts'",
     "test:integration": "npm run test:integration:prep && npm run test:integration:run",
@@ -57,8 +57,8 @@
     "sigstore": "3.0.0"
   },
   "devDependencies": {
-    "@commitlint/cli": "19.6.1",
-    "@commitlint/config-conventional": "19.6.0",
+    "@commitlint/cli": "19.7.1",
+    "@commitlint/config-conventional": "19.7.1",
     "@fast-check/jest": "^2.0.1",
     "@jest/globals": "29.7.0",
     "@types/eslint": "9.6.1",
@@ -72,20 +72,24 @@
     "husky": "^9.1.6",
     "jest": "29.7.0",
     "js-yaml": "^4.1.0",
+    "shellcheck": "^3.0.0",
     "ts-jest": "29.2.5",
     "undici": "^7.0.1"
   },
+  "overrides": {
+    "glob": "^9.0.0"
+  },
   "peerDependencies": {
-    "@typescript-eslint/eslint-plugin": "7.18.0",
-    "@typescript-eslint/parser": "7.18.0",
     "@types/prompts": "2.4.9",
+    "@typescript-eslint/eslint-plugin": "8.23.0",
+    "@typescript-eslint/parser": "8.23.0",
+    "commander": "13.1.0",
+    "esbuild": "0.24.2",
     "eslint": "8.57.0",
-    "commander": "12.1.0",
-    "esbuild": "0.24.0",
     "node-forge": "1.3.1",
     "prettier": "3.4.2",
     "prompts": "2.4.2",
-    "typescript": "^5.3.3",
-    "uuid": "11.0.3"
+    "typescript": "5.7.3",
+    "uuid": "11.0.5"
   }
 }

package/src/cli/build.helpers.ts

@@ -12,6 +12,34 @@ import { generateAllYaml } from "../lib/assets/yaml/generateAllYaml";
 import { webhookConfigGenerator } from "../lib/assets/webhooks";
 import { generateZarfYamlGeneric } from "../lib/assets/yaml/generateZarfYaml";
 
+interface ImageOptions {
+  customImage?: string;
+  registryInfo?: string;
+  peprVersion?: string;
+  registry?: string;
+}
+/**
+ * Assign image string
+ * @param imageOptions CLI options for image
+ * @returns image string
+ */
+export function assignImage(imageOptions: ImageOptions): string {
+  const { customImage, registryInfo, peprVersion, registry } = imageOptions;
+  if (customImage) {
+    return customImage;
+  }
+
+  if (registryInfo) {
+    return `${registryInfo}/custom-pepr-controller:${peprVersion}`;
+  }
+
+  if (registry) {
+    return checkIronBankImage(registry, "", peprVersion!);
+  }
+
+  return "";
+}
+
 export type Reloader = (opts: BuildResult<BuildOptions>) => void | Promise<void>;
 /**
  * Determine the RBAC mode based on the CLI options and the module's config
@@ -114,19 +142,6 @@ export async function handleCustomImageBuild(
   }
 }
 
-/**
- * Disables embedding of deployment files into output module
- * @param embed
- * @param path
- * @returns
- */
-export function handleEmbedding(embed: boolean, path: string): void {
-  if (!embed) {
-    console.info(`✅ Module built successfully at ${path}`);
-    return;
-  }
-}
-
 /**
  * Check if the capability names are valid
  * @param capabilities The capabilities to check

package/src/cli/build.ts

@@ -11,23 +11,21 @@ import { RootCmd } from "./root";
 import { Option } from "commander";
 import { parseTimeout } from "../lib/helpers";
 import { peprFormat } from "./format";
+import { ModuleConfig } from "../lib/core/module";
 import {
   watchForChanges,
   determineRbacMode,
-  handleEmbedding,
+  assignImage,
   handleCustomOutputDir,
   handleValidCapabilityNames,
   handleCustomImageBuild,
-  checkIronBankImage,
   validImagePullSecret,
   generateYamlAndWriteToDisk,
 } from "./build.helpers";
-import { ModuleConfig } from "../lib/core/module";
 
 const peprTS = "pepr.ts";
 let outputDir: string = "dist";
 export type Reloader = (opts: BuildResult<BuildOptions>) => void | Promise<void>;
-
 export type PeprNestedFields = Pick<
   ModuleConfig,
   | "uuid"
@@ -64,7 +62,7 @@ type BuildModuleReturn = {
   path: string;
   cfg: PeprConfig;
   uuid: string;
-} | void;
+};
 
 export default function (program: RootCmd): void {
   program
@@ -134,68 +132,70 @@ export default function (program: RootCmd): void {
 
       // Build the module
       const buildModuleResult = await buildModule(undefined, opts.entryPoint, opts.embed);
-      if (buildModuleResult?.cfg && buildModuleResult.path && buildModuleResult.uuid) {
-        const { cfg, path, uuid } = buildModuleResult;
-        // Files to include in controller image for WASM support
-        const { includedFiles } = cfg.pepr;
-
-        let image = opts.customImage || "";
-
-        // Check if there is a custom timeout defined
-        if (opts.timeout !== undefined) {
-          cfg.pepr.webhookTimeout = opts.timeout;
-        }
-
-        if (opts.registryInfo !== undefined) {
-          console.info(`Including ${includedFiles.length} files in controller image.`);
-
-          // for journey test to make sure the image is built
-          image = `${opts.registryInfo}/custom-pepr-controller:${cfg.pepr.peprVersion}`;
-
-          // only actually build/push if there are files to include
-          await handleCustomImageBuild(includedFiles, cfg.pepr.peprVersion, cfg.description, image);
-        }
-
-        // If building without embedding, exit after building
-        handleEmbedding(opts.embed, path);
-
-        // set the image version if provided
-        opts.version ? (cfg.pepr.peprVersion = opts.version) : null;
-
-        // Generate a secret for the module
-        const assets = new Assets(
-          {
-            ...cfg.pepr,
-            appVersion: cfg.version,
-            description: cfg.description,
-            alwaysIgnore: {
-              namespaces: cfg.pepr.alwaysIgnore?.namespaces,
-            },
-            // Can override the rbacMode with the CLI option
-            rbacMode: determineRbacMode(opts, cfg),
-          },
-          path,
-          opts.withPullSecret === "" ? [] : [opts.withPullSecret],
-        );
 
-        // If registry is set to Iron Bank, use Iron Bank image
-        image = checkIronBankImage(opts.registry, image, cfg.pepr.peprVersion);
+      const { cfg, path, uuid } = buildModuleResult!;
+      const image = assignImage({
+        customImage: opts.customImage,
+        registryInfo: opts.registryInfo,
+        peprVersion: cfg.pepr.peprVersion,
+        registry: opts.registry,
+      });
+
+      // Check if there is a custom timeout defined
+      if (opts.timeout !== undefined) {
+        cfg.pepr.webhookTimeout = opts.timeout;
+      }
 
-        // if image is a custom image, use that instead of the default
-        image !== "" ? (assets.image = image) : null;
+      if (opts.registryInfo !== undefined) {
+        console.info(`Including ${cfg.pepr.includedFiles.length} files in controller image.`);
+        // for journey test to make sure the image is built
 
-        // Ensure imagePullSecret is valid
-        validImagePullSecret(opts.withPullSecret);
+        // only actually build/push if there are files to include
+        await handleCustomImageBuild(
+          cfg.pepr.includedFiles,
+          cfg.pepr.peprVersion,
+          cfg.description,
+          image,
+        );
+      }
 
-        handleValidCapabilityNames(assets.capabilities);
-        await generateYamlAndWriteToDisk({
-          uuid,
-          outputDir,
-          imagePullSecret: opts.withPullSecret,
-          zarf: opts.zarf,
-          assets,
-        });
+      // If building without embedding, exit after building
+      if (!opts.embed) {
+        console.info(`✅ Module built successfully at ${path}`);
+        return;
       }
+      // set the image version if provided
+      if (opts.version) cfg.pepr.peprVersion = opts.version;
+
+      // Generate a secret for the module
+      const assets = new Assets(
+        {
+          ...cfg.pepr,
+          appVersion: cfg.version,
+          description: cfg.description,
+          alwaysIgnore: {
+            namespaces: cfg.pepr.alwaysIgnore?.namespaces,
+          },
+          // Can override the rbacMode with the CLI option
+          rbacMode: determineRbacMode(opts, cfg),
+        },
+        path,
+        opts.withPullSecret === "" ? [] : [opts.withPullSecret],
+      );
+
+      if (image !== "") assets.image = image;
+
+      // Ensure imagePullSecret is valid
+      validImagePullSecret(opts.withPullSecret);
+
+      handleValidCapabilityNames(assets.capabilities);
+      await generateYamlAndWriteToDisk({
+        uuid,
+        outputDir,
+        imagePullSecret: opts.withPullSecret,
+        zarf: opts.zarf,
+        assets,
+      });
     });
 }
 
@@ -218,7 +218,7 @@ export async function loadModule(entryPoint = peprTS): Promise<LoadModuleReturn>
   try {
     await fs.access(cfgPath);
     await fs.access(entryPointPath);
-  } catch (e) {
+  } catch {
     console.error(
       `Could not find ${cfgPath} or ${entryPointPath} in the current directory. Please run this command from the root of your module's directory.`,
     );
@@ -253,7 +253,7 @@ export async function buildModule(
   reloader?: Reloader,
   entryPoint = peprTS,
   embed = true,
-): Promise<BuildModuleReturn> {
+): Promise<BuildModuleReturn | void> {
   try {
     const { cfg, modulePath, path, uuid } = await loadModule(entryPoint);
 

package/src/cli/deploy.ts

@@ -93,6 +93,35 @@ export async function getUserConfirmation(opts: { confirm: boolean }): Promise<b
   return confirm.confirm ? true : false;
 }
 
+async function buildAndDeployModule(image: string, force: boolean): Promise<void> {
+  const builtModule = await buildModule();
+  if (!builtModule) {
+    return;
+  }
+
+  // Generate a secret for the module
+  const webhook = new Assets(
+    { ...builtModule.cfg.pepr, description: builtModule.cfg.description },
+    builtModule.path,
+    [],
+  );
+  webhook.image = image ?? webhook.image;
+
+  try {
+    await webhook.deploy(deployWebhook, force, builtModule.cfg.pepr.webhookTimeout ?? 10);
+
+    // wait for capabilities to be loaded and test names
+    validateCapabilityNames(webhook.capabilities);
+
+    // Wait for the pepr-system resources to be fully up
+    await namespaceDeploymentsReady();
+    console.info(`✅ Module deployed successfully`);
+  } catch (e) {
+    console.error(`Error deploying module:`, e);
+    process.exit(1);
+  }
+}
+
 export default function (program: RootCmd): void {
   program
     .command("deploy")
@@ -117,33 +146,10 @@ export default function (program: RootCmd): void {
         return;
       }
 
-      (await getUserConfirmation(opts)) || process.exit(0);
-
-      const builtModule = await buildModule();
-      if (!builtModule) {
-        return;
+      if (!(await getUserConfirmation(opts))) {
+        process.exit(0);
       }
 
-      // Generate a secret for the module
-      const webhook = new Assets(
-        { ...builtModule.cfg.pepr, description: builtModule.cfg.description },
-        builtModule.path,
-        [],
-      );
-      webhook.image = opts.image ?? webhook.image;
-
-      try {
-        await webhook.deploy(deployWebhook, opts.force, builtModule.cfg.pepr.webhookTimeout ?? 10);
-
-        // wait for capabilities to be loaded and test names
-        validateCapabilityNames(webhook.capabilities);
-
-        // Wait for the pepr-system resources to be fully up
-        await namespaceDeploymentsReady();
-        console.info(`✅ Module deployed successfully`);
-      } catch (e) {
-        console.error(`Error deploying module:`, e);
-        process.exit(1);
-      }
+      await buildAndDeployModule(opts.image, opts.force);
     });
 }

package/src/cli/init/index.ts

@@ -107,7 +107,7 @@ const doPostInitActions = (dirName: string): void => {
     execSync("code .", {
       stdio: "inherit",
     });
-  } catch (e) {
-    // vscode not found, do nothing
+  } catch {
+    console.warn("VSCode was not found, IDE will not automatically open.");
   }
 };

package/src/cli/init/templates.ts

@@ -6,16 +6,17 @@ import { inspect } from "util";
 import { v4 as uuidv4, v5 as uuidv5 } from "uuid";
 
 import eslintJSON from "../../templates/.eslintrc.template.json";
+import peprSnippetsJSON from "../../templates/pepr.code-snippets.json";
 import prettierJSON from "../../templates/.prettierrc.json";
 import samplesJSON from "../../templates/capabilities/hello-pepr.samples.json";
-import { gitIgnore, helloPeprTS, packageJSON, peprTS, readmeMd } from "../../templates/data.json";
-import peprSnippetsJSON from "../../templates/pepr.code-snippets.json";
 import settingsJSON from "../../templates/settings.json";
 import tsConfigJSON from "../../templates/tsconfig.module.json";
-import { sanitizeName } from "./utils";
+import { CustomLabels } from "../../lib/core/module";
 import { InitOptions } from "../types";
-import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
 import { OnError, RbacMode } from "./enums";
+import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
+import { gitIgnore, helloPeprTS, packageJSON, peprTS, readmeMd } from "../../templates/data.json";
+import { sanitizeName } from "./utils";
 
 export const { dependencies, devDependencies, peerDependencies, scripts, version } = packageJSON;
 
@@ -30,7 +31,7 @@ type peprPackageJSON = {
       uuid: string;
       onError: OnError;
       webhookTimeout: number;
-      customLabels: { namespace: Record<string, string> };
+      customLabels: CustomLabels;
       alwaysIgnore: { namespaces: string[] };
       includedFiles: string[];
       env: object;

package/src/cli/init/walkthrough.ts

@@ -38,7 +38,7 @@ export async function setName(name?: string): Promise<Answers<string>> {
         await fs.access(name, fs.constants.F_OK);
 
         return "A directory with this name already exists";
-      } catch (e) {
+      } catch {
         return val.length > 2 || "The name must be at least 3 characters long";
       }
     },

package/src/lib/assets/rbac.ts

@@ -24,8 +24,7 @@ export function clusterRole(
   const rbacMap = createRBACMap(capabilities);
   // Generate scoped rules from rbacMap
   const scopedRules = Object.keys(rbacMap).map(key => {
-    let group: string;
-    key.split("/").length < 3 ? (group = "") : (group = key.split("/")[0]);
+    const group: string = key.split("/").length < 3 ? "" : key.split("/")[0];
 
     return {
       apiGroups: [group],

package/src/lib/assets/webhooks.ts

@@ -15,7 +15,7 @@ import { Binding } from "../types";
 
 export const peprIgnoreNamespaces: string[] = ["kube-system", "pepr-system"];
 
-const validateRule = (binding: Binding, isMutateWebhook: boolean): V1RuleWithOperations | undefined => {
+export const validateRule = (binding: Binding, isMutateWebhook: boolean): V1RuleWithOperations | undefined => {
   const { event, kind, isMutate, isValidate } = binding;
 
   // Skip invalid bindings based on webhook type

package/src/lib/assets/yaml/overridesFile.ts

@@ -5,17 +5,15 @@ import { dumpYaml } from "@kubernetes/client-node";
 import { clusterRole } from "../rbac";
 import { promises as fs } from "fs";
 
-type CommonOverrideValues = {
+type ChartOverrides = {
   apiToken: string;
   capabilities: CapabilityExport[];
   config: ModuleConfig;
   hash: string;
   name: string;
-};
-
-type ChartOverrides = CommonOverrideValues & {
   image: string;
 };
+
 // Helm Chart overrides file (values.yaml) generated from assets
 export async function overridesFile(
   { hash, name, image, config, apiToken, capabilities }: ChartOverrides,
@@ -34,7 +32,7 @@ export async function overridesFile(
     hash,
     namespace: {
       annotations: {},
-      labels: {
+      labels: config.customLabels?.namespace ?? {
         "pepr.dev": "",
       },
     },

package/src/lib/controller/index.ts

@@ -16,6 +16,12 @@ import { StoreController } from "./store";
 import { AdmissionRequest } from "../types";
 import { karForMutate, karForValidate, KubeAdmissionReview } from "./index.util";
 
+export interface ControllerHooks {
+  beforeHook?: (req: AdmissionRequest) => void;
+  afterHook?: (res: MutateResponse | ValidateResponse) => void;
+  onReady?: () => void;
+}
+
 if (!process.env.PEPR_NODE_WARNINGS) {
   process.removeAllListeners("warning");
 }
@@ -39,20 +45,17 @@ export class Controller {
   readonly #beforeHook?: (req: AdmissionRequest) => void;
   readonly #afterHook?: (res: MutateResponse | ValidateResponse) => void;
 
-  constructor(
-    config: ModuleConfig,
-    capabilities: Capability[],
-    beforeHook?: (req: AdmissionRequest) => void,
-    afterHook?: (res: MutateResponse | ValidateResponse) => void,
-    onReady?: () => void,
-  ) {
+  constructor(config: ModuleConfig, capabilities: Capability[], hooks: ControllerHooks = {}) {
+    const { beforeHook, afterHook, onReady } = hooks;
     this.#config = config;
     this.#capabilities = capabilities;
 
     // Initialize the Pepr store for each capability
     new StoreController(capabilities, `pepr-${config.uuid}-store`, () => {
       this.#bindEndpoints();
-      onReady && onReady();
+      if (typeof onReady === "function") {
+        onReady();
+      }
       Log.info("✅ Controller startup complete");
       // Initialize the schedule store for each capability
       new StoreController(capabilities, `pepr-${config.uuid}-schedule`, () => {
@@ -223,7 +226,9 @@ export class Controller {
         Log.debug({ ...reqMetadata, request }, "Incoming request body");
 
         // Run the before hook if it exists
-        this.#beforeHook && this.#beforeHook(request || {});
+        if (typeof this.#beforeHook === "function") {
+          this.#beforeHook(request || {});
+        }
 
         // Process the request
         const response: MutateResponse | ValidateResponse[] =
@@ -233,7 +238,9 @@ export class Controller {
 
         // Run the after hook if it exists
         [response].flat().map(res => {
-          this.#afterHook && this.#afterHook(res);
+          if (typeof this.#afterHook === "function") {
+            this.#afterHook(res);
+          }
           Log.info({ ...reqMetadata, res }, "Check response");
         });
 

package/src/lib/core/module.ts

@@ -2,7 +2,7 @@
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 import { clone } from "ramda";
 import { Capability } from "./capability";
-import { Controller } from "../controller";
+import { Controller, ControllerHooks } from "../controller";
 import { ValidateError } from "../errors";
 import { MutateResponse, ValidateResponse, WebhookIgnore } from "../k8s";
 import { CapabilityExport, AdmissionRequest } from "../types";
@@ -12,37 +12,41 @@ import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
 import { resolveIgnoreNamespaces } from "../assets/webhooks";
 
 /** Custom Labels Type for package.json */
-export interface CustomLabels {
-  namespace?: Record<string, string>;
-}
-/** Global configuration for the Pepr runtime. */
-export type ModuleConfig = {
+
+export type CustomLabels = { namespace: Record<string, string> } | Record<string, never>;
+
+/** Configuration that MAY be set a Pepr module's package.json. */
+export type ModuleConfigOptions = {
   /** The Pepr version this module uses */
-  peprVersion?: string;
+  peprVersion: string;
   /** The user-defined version of the module */
-  appVersion?: string;
-  /** A unique identifier for this Pepr module. This is automatically generated by Pepr. */
-  uuid: string;
+  appVersion: string;
   /** A description of the Pepr module and what it does. */
-  description?: string;
+  description: string;
   /** The webhookTimeout */
-  webhookTimeout?: number;
+  webhookTimeout: number;
   /** Reject K8s resource AdmissionRequests on error. */
-  onError?: string;
-  /** Configure global exclusions that will never be processed by Pepr. */
-  alwaysIgnore: WebhookIgnore;
+  onError: string;
   /** Define the log level for the in-cluster controllers */
-  logLevel?: string;
+  logLevel: string;
   /** Propagate env variables to in-cluster controllers */
-  env?: Record<string, string>;
-  /** Custom Labels for Kubernetes Objects */
-  customLabels?: CustomLabels;
+  env: Record<string, string>;
   /** Custom RBAC rules */
-  rbac?: PolicyRule[];
+  rbac: PolicyRule[];
   /** The RBAC mode; if "scoped", generates scoped rules, otherwise uses wildcard rules. */
-  rbacMode?: string;
+  rbacMode: string;
+  /** Custom Labels for Kubernetes Objects */
+  customLabels: CustomLabels;
 };
 
+/** Global configuration for the Pepr runtime. */
+export type ModuleConfig = {
+  /** A unique identifier for this Pepr module. This is automatically generated by Pepr. */
+  uuid: string;
+  /** Configure global exclusions that will never be processed by Pepr. */
+  alwaysIgnore: WebhookIgnore;
+} & Partial<ModuleConfigOptions>;
+
 export type PackageJSON = {
   description: string;
   pepr: ModuleConfig;
@@ -110,17 +114,23 @@ export class PeprModule {
       return;
     }
 
-    this.#controller = new Controller(config, capabilities, opts.beforeHook, opts.afterHook, () => {
-      // Wait for the controller to be ready before setting up watches
-      if (isWatchMode() || isDevMode()) {
-        try {
-          setupWatch(capabilities, resolveIgnoreNamespaces(pepr?.alwaysIgnore?.namespaces));
-        } catch (e) {
-          Log.error(e, "Error setting up watch");
-          process.exit(1);
+    const controllerHooks: ControllerHooks = {
+      beforeHook: opts.beforeHook,
+      afterHook: opts.afterHook,
+      onReady: (): void => {
+        // Wait for the controller to be ready before setting up watches
+        if (isWatchMode() || isDevMode()) {
+          try {
+            setupWatch(capabilities, resolveIgnoreNamespaces(pepr?.alwaysIgnore?.namespaces));
+          } catch (e) {
+            Log.error(e, "Error setting up watch");
+            process.exit(1);
+          }
         }
-      }
-    });
+      },
+    };
+
+    this.#controller = new Controller(config, capabilities, controllerHooks);
 
     // Stop processing if deferStart is set to true
     if (opts.deferStart) {

package/src/lib/core/schedule.ts

@@ -91,7 +91,7 @@ export class OnSchedule implements Schedule {
       lastTimestamp: new Date(),
       name: this.name,
     };
-    this.store && this.store.setItem(this.name, JSON.stringify(schedule));
+    if (this.store) this.store.setItem(this.name, JSON.stringify(schedule));
   }
 
   /**
@@ -170,6 +170,6 @@ export class OnSchedule implements Schedule {
       clearInterval(this.intervalId);
       this.intervalId = null;
     }
-    this.store && this.store.removeItem(this.name);
+    if (this.store) this.store.removeItem(this.name);
   }
 }

package/src/lib/core/storage.ts

@@ -110,11 +110,12 @@ export class Storage implements PeprStore {
   };
 
   clear = (): void => {
-    Object.keys(this.#store).length > 0 &&
+    if (Object.keys(this.#store).length > 0) {
       this.#dispatchUpdate(
         "remove",
         Object.keys(this.#store).map(key => pointer.escape(key)),
       );
+    }
   };
 
   removeItem = (key: string): void => {