pepr 0.45.1 → 0.46.0-nightly.1

package/package.json

@@ -15,7 +15,7 @@
     "!src/**/*.test.ts",
     "!dist/**/*.test.d.ts*"
   ],
-  "version": "0.45.1",
+  "version": "0.46.0-nightly.1",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {
@@ -24,6 +24,7 @@
     "prebuild": "rm -fr dist/* && npm run gen-data-json",
     "build": "tsc && node build.mjs && npm pack",
     "build:image": "npm run build && docker buildx build --output type=docker --tag pepr:dev .",
+    "build:image:unicorn": "npm run build && docker buildx build -f Dockerfile.unicorn --output type=docker --tag pepr:dev .",
     "set:version": "node scripts/set-version.js",
     "test": "npm run test:unit && npm run test:journey && npm run test:journey-wasm",
     "test:unit": "npm run gen-data-json && jest src --coverage --detectOpenHandles --coverageDirectory=./coverage --testPathIgnorePatterns='cosign.e2e.test.ts'",
@@ -31,9 +32,12 @@
     "test:integration:prep": "./integration/prep.sh",
     "test:integration:run": "jest --maxWorkers=4 integration",
     "test:journey": "npm run test:journey:k3d && npm run build && npm run test:journey:image && npm run test:journey:run",
+    "test:journey:unicorn": "npm run test:journey:k3d && npm run build && npm run test:journey:image:unicorn && npm run test:journey:run",
     "test:journey-wasm": "npm run test:journey:k3d && npm run build && npm run test:journey:image && npm run test:journey:run-wasm",
+    "test:journey-wasm:unicorn": "npm run test:journey:k3d && npm run build && npm run test:journey:image:unicorn && npm run test:journey:run-wasm",
     "test:journey:k3d": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0' --wait && kubectl rollout status deployment -n kube-system",
     "test:journey:image": "docker buildx build --output type=docker --tag pepr:dev . && k3d image import pepr:dev -c pepr-dev",
+    "test:journey:image:unicorn": "docker buildx build -f Dockerfile.unicorn --output type=docker --tag pepr:dev . && k3d image import pepr:dev -c pepr-dev",
     "test:journey:run": "jest --detectOpenHandles journey/entrypoint.test.ts && npm run test:journey:upgrade",
     "test:journey:run-wasm": "jest --detectOpenHandles journey/entrypoint-wasm.test.ts",
     "test:journey:upgrade": "npm run test:journey:k3d && npm run test:journey:image && jest --detectOpenHandles journey/pepr-upgrade.test.ts",
@@ -76,7 +80,8 @@
     "undici": "^7.0.1"
   },
   "overrides": {
-    "glob": "^9.0.0"
+    "glob": "^9.0.0",
+    "jsonpath-plus": "^10.3.0"
   },
   "peerDependencies": {
     "@types/prompts": "2.4.9",
@@ -91,4 +96,4 @@
     "typescript": "5.7.3",
     "uuid": "11.0.5"
   }
-}
+}

package/src/cli/build.helpers.ts

@@ -94,7 +94,7 @@ export async function handleCustomOutputDir(outputDir: string): Promise<string>
  * Check if the image is from Iron Bank and return the correct image
  * @param registry The registry of the image
  * @param image The image to check
- * @param peprVersion The version of the PEPR controller
+ * @param peprVersion The version of the Pepr controller
  * @returns The image string
  * @example
  */

package/src/cli/build.ts

@@ -77,13 +77,13 @@ export default function (program: RootCmd): void {
       new Option(
         "-i, --custom-image <custom-image>",
         "Specify a custom image (including version) for Admission and Watch Deployments. Example: 'docker.io/username/custom-pepr-controller:v1.0.0'",
-      ).conflicts(["version", "registryInfo", "registry"]),
+      ).conflicts(["registryInfo", "registry"]),
     )
     .addOption(
       new Option(
         "-r, --registry-info [<registry>/<username>]",
         "Provide the image registry and username for building and pushing a custom WASM container. Requires authentication. Builds and pushes 'registry/username/custom-pepr-controller:<current-version>'.",
-      ).conflicts(["customImage", "version", "registry"]),
+      ).conflicts(["customImage", "registry"]),
     )
 
     .option("-o, --output-dir <output directory>", "Define where to place build output")
@@ -92,12 +92,6 @@ export default function (program: RootCmd): void {
       "How long the API server should wait for a webhook to respond before treating the call as a failure",
       parseTimeout,
     )
-    .addOption(
-      new Option(
-        "-v, --version <version>",
-        "DEPRECATED: The version of the Pepr image to use in the deployment manifests. Example: '0.27.3'.",
-      ).conflicts(["customImage", "registryInfo"]),
-    )
     .option(
       "--withPullSecret <imagePullSecret>",
       "Image Pull Secret: Use image pull secret for controller Deployment.",
@@ -164,8 +158,6 @@ export default function (program: RootCmd): void {
         console.info(`✅ Module built successfully at ${path}`);
         return;
       }
-      // set the image version if provided -- DEPRECATED
-      if (opts.version) cfg.pepr.peprVersion = opts.version;
 
       // Generate a secret for the module
       const assets = new Assets(

package/src/cli/dev.ts

@@ -77,7 +77,7 @@ export default function (program: RootCmd): void {
               ...process.env,
               LOG_LEVEL: "debug",
               PEPR_MODE: "dev",
-              PEPR_API_TOKEN: webhook.apiToken,
+              PEPR_API_PATH: webhook.apiPath,
               PEPR_PRETTY_LOGS: "true",
               SSL_KEY_PATH: "insecure-tls.key",
               SSL_CERT_PATH: "insecure-tls.crt",

package/src/lib/assets/assets.ts

@@ -24,13 +24,13 @@ import { loadCapabilities } from "./loader";
 import { namespaceComplianceValidator, dedent } from "../helpers";
 import { promises as fs } from "fs";
 import { storeRole, storeRoleBinding, clusterRoleBinding, serviceAccount } from "./rbac";
-import { watcherService, service, tlsSecret, apiTokenSecret } from "./networking";
+import { watcherService, service, tlsSecret, apiPathSecret } from "./networking";
 import { WebhookType } from "../enums";
 
 export class Assets {
   readonly name: string;
   readonly tls: TLSOut;
-  readonly apiToken: string;
+  readonly apiPath: string;
   readonly config: ModuleConfig;
   readonly path: string;
   readonly alwaysIgnore!: WebhookIgnore;
@@ -53,8 +53,8 @@ export class Assets {
     // Generate the ephemeral tls things
     this.tls = genTLS(host || `${this.name}.pepr-system.svc`);
 
-    // Generate the api token for the controller / webhook
-    this.apiToken = crypto.randomBytes(32).toString("hex");
+    // Generate the api path for the controller / webhook
+    this.apiPath = crypto.randomBytes(32).toString("hex");
   }
 
   async deploy(
@@ -149,7 +149,7 @@ export class Assets {
         [helm.files.watcherServiceYaml, (): string => toYaml(watcherService(this.name))],
         [helm.files.admissionServiceYaml, (): string => toYaml(service(this.name))],
         [helm.files.tlsSecretYaml, (): string => toYaml(tlsSecret(this.name, this.tls))],
-        [helm.files.apiTokenSecretYaml, (): string => toYaml(apiTokenSecret(this.name, this.apiToken))],
+        [helm.files.apiPathSecretYaml, (): string => toYaml(apiPathSecret(this.name, this.apiPath))],
         [helm.files.storeRoleYaml, (): string => toYaml(storeRole(this.name))],
         [helm.files.storeRoleBindingYaml, (): string => toYaml(storeRoleBinding(this.name))],
         [helm.files.clusterRoleYaml, (): string => dedent(clusterRoleTemplate())],
@@ -164,7 +164,7 @@ export class Assets {
         name: this.name,
         image: this.image,
         config: this.config,
-        apiToken: this.apiToken,
+        apiPath: this.apiPath,
         capabilities: this.capabilities,
       };
       await overridesFile(overrideData, helm.files.valuesYaml, this.imagePullSecrets);

package/src/lib/assets/deploy.ts

@@ -8,7 +8,7 @@ import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
 
 import { Assets } from "./assets";
 import Log from "../telemetry/logger";
-import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking";
+import { apiPathSecret, service, tlsSecret, watcherService } from "./networking";
 import { getDeployment, getModuleSecret, getNamespace, getWatcher } from "./pods";
 import { clusterRole, clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";
 import { peprStoreCRD } from "./store";
@@ -136,9 +136,9 @@ async function setupController(assets: Assets, code: Buffer, hash: string, force
   const tls = tlsSecret(name, assets.tls);
   await K8s(kind.Secret).Apply(tls, { force });
 
-  Log.info("Applying API token secret");
-  const apiToken = apiTokenSecret(name, assets.apiToken);
-  await K8s(kind.Secret).Apply(apiToken, { force });
+  Log.info("Applying API path secret");
+  const apiPath = apiPathSecret(name, assets.apiPath);
+  await K8s(kind.Secret).Apply(apiPath, { force });
 
   Log.info("Applying deployment");
   const dep = getDeployment(assets, hash, assets.buildTimestamp);

package/src/lib/assets/destroy.ts

@@ -25,7 +25,7 @@ export async function destroyModule(name: string): Promise<void> {
     K8s(kind.Secret, { namespace }).Delete(`${name}-module`),
     K8s(kind.Service, { namespace }).Delete(name),
     K8s(kind.Secret, { namespace }).Delete(`${name}-tls`),
-    K8s(kind.Secret, { namespace }).Delete(`${name}-api-token`),
+    K8s(kind.Secret, { namespace }).Delete(`${name}-api-path`),
     K8s(kind.Deployment, { namespace }).Delete(name),
     K8s(kind.Deployment, { namespace }).Delete(`${name}-watcher`),
     K8s(kind.Service, { namespace }).Delete(`${name}-watcher`),

package/src/lib/assets/helm.ts

@@ -221,8 +221,8 @@ export function admissionDeployTemplate(buildTimestamp: string): string {
                   - name: tls-certs
                     mountPath: /etc/certs
                     readOnly: true
-                  - name: api-token
-                    mountPath: /app/api-token
+                  - name: api-path
+                    mountPath: /app/api-path
                     readOnly: true
                   - name: module
                     mountPath: /app/load
@@ -234,9 +234,9 @@ export function admissionDeployTemplate(buildTimestamp: string): string {
               - name: tls-certs
                 secret:
                   secretName: {{ .Values.uuid }}-tls
-              - name: api-token
+              - name: api-path
                 secret:
-                  secretName: {{ .Values.uuid }}-api-token
+                  secretName: {{ .Values.uuid }}-api-path
               - name: module
                 secret:
                   secretName: {{ .Values.uuid }}-module  

package/src/lib/assets/index.ts

@@ -80,7 +80,7 @@ export function helmLayout(basePath: string, unique: string): Record<string, Rec
     watcherDeploymentYaml: `${helm.dirs.tmpls}/watcher-deployment.yaml`,
     watcherServiceMonitorYaml: `${helm.dirs.tmpls}/watcher-service-monitor.yaml`,
     tlsSecretYaml: `${helm.dirs.tmpls}/tls-secret.yaml`,
-    apiTokenSecretYaml: `${helm.dirs.tmpls}/api-token-secret.yaml`,
+    apiPathSecretYaml: `${helm.dirs.tmpls}/api-path-secret.yaml`,
     moduleSecretYaml: `${helm.dirs.tmpls}/module-secret.yaml`,
     storeRoleYaml: `${helm.dirs.tmpls}/store-role.yaml`,
     storeRoleBindingYaml: `${helm.dirs.tmpls}/store-role-binding.yaml`,

package/src/lib/assets/networking.ts

@@ -5,17 +5,17 @@ import { kind } from "kubernetes-fluent-client";
 
 import { TLSOut } from "../tls";
 
-export function apiTokenSecret(name: string, apiToken: string): kind.Secret {
+export function apiPathSecret(name: string, apiPath: string): kind.Secret {
   return {
     apiVersion: "v1",
     kind: "Secret",
     metadata: {
-      name: `${name}-api-token`,
+      name: `${name}-api-path`,
       namespace: "pepr-system",
     },
     type: "Opaque",
     data: {
-      value: Buffer.from(apiToken).toString("base64"),
+      value: Buffer.from(apiPath).toString("base64"),
     },
   };
 }

package/src/lib/assets/pods.ts

@@ -297,8 +297,8 @@ export function getDeployment(
                   readOnly: true,
                 },
                 {
-                  name: "api-token",
-                  mountPath: "/app/api-token",
+                  name: "api-path",
+                  mountPath: "/app/api-path",
                   readOnly: true,
                 },
                 {
@@ -317,9 +317,9 @@ export function getDeployment(
               },
             },
             {
-              name: "api-token",
+              name: "api-path",
               secret: {
-                secretName: `${name}-api-token`,
+                secretName: `${name}-api-path`,
               },
             },
             {

package/src/lib/assets/webhooks.ts

@@ -75,7 +75,7 @@ export async function webhookConfigGenerator(
 ): Promise<kind.MutatingWebhookConfiguration | kind.ValidatingWebhookConfiguration | null> {
   const ignore: V1LabelSelectorRequirement[] = [];
 
-  const { name, tls, config, apiToken, host } = assets;
+  const { name, tls, config, apiPath, host } = assets;
   const ignoreNS = concat(peprIgnoreNamespaces, resolveIgnoreNamespaces(config?.alwaysIgnore?.namespaces));
 
   // Add any namespaces to ignore
@@ -91,18 +91,18 @@ export async function webhookConfigGenerator(
     caBundle: tls.ca,
   };
 
-  // The URL must include the API Token
-  const apiPath = `/${mutateOrValidate}/${apiToken}`;
+  // The URL must include the API Path
+  const fullApiPath = `/${mutateOrValidate}/${apiPath}`;
 
   // If a host is specified, use that with a port of 3000
   if (host) {
-    clientConfig.url = `https://${host}:3000${apiPath}`;
+    clientConfig.url = `https://${host}:3000${fullApiPath}`;
   } else {
     // Otherwise, use the service
     clientConfig.service = {
       name: name,
       namespace: "pepr-system",
-      path: apiPath,
+      path: fullApiPath,
     };
   }
 

package/src/lib/assets/yaml/generateAllYaml.ts

@@ -4,7 +4,7 @@
 import crypto from "crypto";
 import { Assets } from "../assets";
 import { WebhookType } from "../../enums";
-import { apiTokenSecret, service, tlsSecret, watcherService } from "../networking";
+import { apiPathSecret, service, tlsSecret, watcherService } from "../networking";
 import { clusterRole, clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "../rbac";
 import { dumpYaml, V1Deployment } from "@kubernetes/client-node";
 import { getModuleSecret, getNamespace } from "../pods";
@@ -14,7 +14,7 @@ import { webhookConfigGenerator } from "../webhooks";
 type deployments = { default: V1Deployment; watch: V1Deployment | null };
 
 export async function generateAllYaml(assets: Assets, deployments: deployments): Promise<string> {
-  const { name, tls, apiToken, path, config } = assets;
+  const { name, tls, apiPath, path, config } = assets;
   const code = await fs.readFile(path);
   const hash = crypto.createHash("sha256").update(code).digest("hex");
 
@@ -23,7 +23,7 @@ export async function generateAllYaml(assets: Assets, deployments: deployments):
     clusterRole(name, assets.capabilities, config.rbacMode, config.rbac),
     clusterRoleBinding(name),
     serviceAccount(name),
-    apiTokenSecret(name, apiToken),
+    apiPathSecret(name, apiPath),
     tlsSecret(name, tls),
     deployments.default,
     service(name),

package/src/lib/assets/yaml/overridesFile.ts

@@ -6,7 +6,7 @@ import { clusterRole } from "../rbac";
 import { promises as fs } from "fs";
 
 type ChartOverrides = {
-  apiToken: string;
+  apiPath: string;
   capabilities: CapabilityExport[];
   config: ModuleConfig;
   hash: string;
@@ -16,7 +16,7 @@ type ChartOverrides = {
 
 // Helm Chart overrides file (values.yaml) generated from assets
 export async function overridesFile(
-  { hash, name, image, config, apiToken, capabilities }: ChartOverrides,
+  { hash, name, image, config, apiPath, capabilities }: ChartOverrides,
   path: string,
   imagePullSecrets: string[],
 ): Promise<void> {
@@ -27,7 +27,7 @@ export async function overridesFile(
     additionalIgnoredNamespaces: [],
     rbac: rbacOverrides,
     secrets: {
-      apiToken: Buffer.from(apiToken).toString("base64"),
+      apiPath: Buffer.from(apiPath).toString("base64"),
     },
     hash,
     namespace: {

package/src/lib/controller/index.ts

@@ -34,8 +34,8 @@ export class Controller {
   // Metrics collector
   #metricsCollector = metricsCollector;
 
-  // The token used to authenticate requests
-  #token = "";
+  // The path used to authenticate requests
+  #path = "";
 
   // The express app instance
   readonly #app = express();
@@ -93,14 +93,14 @@ export class Controller {
       cert: fs.readFileSync(process.env.SSL_CERT_PATH || "/etc/certs/tls.crt"),
     };
 
-    // Get the API token if not in watch mode
+    // Get the API path if not in watch mode
     if (!isWatchMode()) {
-      // Get the API token from the environment variable or the mounted secret
-      this.#token = process.env.PEPR_API_TOKEN || fs.readFileSync("/app/api-token/value").toString().trim();
-      Log.info(`Using API token: ${this.#token}`);
+      // Get the API path from the environment variable or the mounted secret
+      this.#path = process.env.PEPR_API_PATH || fs.readFileSync("/app/api-path/value").toString().trim();
+      Log.info(`Using API path: ${this.#path}`);
 
-      if (!this.#token) {
-        throw new Error("API token not found");
+      if (!this.#path) {
+        throw new Error("API path not found");
       }
     }
 
@@ -149,35 +149,35 @@ export class Controller {
     }
 
     // Require auth for webhook endpoints
-    this.#app.use(["/mutate/:token", "/validate/:token"], this.#validateToken);
+    this.#app.use(["/mutate/:path", "/validate/:path"], this.#validatepath);
 
     // Mutate endpoint
-    this.#app.post("/mutate/:token", this.#admissionReq("Mutate"));
+    this.#app.post("/mutate/:path", this.#admissionReq("Mutate"));
 
     // Validate endpoint
-    this.#app.post("/validate/:token", this.#admissionReq("Validate"));
+    this.#app.post("/validate/:path", this.#admissionReq("Validate"));
   };
 
   /**
-   * Validate the token in the request path
+   * Validate the path in the request path
    *
    * @param req The incoming request
    * @param res The outgoing response
    * @param next The next middleware function
    * @returns
    */
-  #validateToken = (req: express.Request, res: express.Response, next: NextFunction): void => {
-    // Validate the token
-    const { token } = req.params;
-    if (token !== this.#token) {
-      const err = `Unauthorized: invalid token '${token.replace(/[^\w]/g, "_")}'`;
+  #validatepath = (req: express.Request, res: express.Response, next: NextFunction): void => {
+    // Validate the path
+    const { path } = req.params;
+    if (path !== this.#path) {
+      const err = `Unauthorized: invalid path '${path.replace(/[^\w]/g, "_")}'`;
       Log.info(err);
       res.status(401).send(err);
       this.#metricsCollector.alert();
       return;
     }
 
-    // Token is valid, continue
+    // path is valid, continue
     next();
   };
 

package/src/lib/telemetry/metrics.ts

@@ -54,7 +54,7 @@ export class MetricsCollector {
     this.#registry = new Registry();
     this.#prefix = prefix;
     this.addCounter(this.#metricNames.errors, "Mutation/Validate errors encountered");
-    this.addCounter(this.#metricNames.alerts, "Mutation/Validate bad api token received");
+    this.addCounter(this.#metricNames.alerts, "Mutation/Validate bad api path received");
     this.addSummary(this.#metricNames.mutate, "Mutation operation summary");
     this.addSummary(this.#metricNames.validate, "Validation operation summary");
     this.addGauge(this.#metricNames.cacheMiss, "Number of cache misses per window", ["window"]);