pepr 0.46.2-nightly.0 → 0.46.2-nightly.2

package/src/lib/processors/watch-processor.ts

@@ -4,7 +4,13 @@ import Log from "../telemetry/logger";
 import { Binding } from "../types";
 import { Capability } from "../core/capability";
 import { Event } from "../enums";
-import { K8s, KubernetesObject, WatchCfg, WatchEvent, GenericClass } from "kubernetes-fluent-client";
+import {
+  K8s,
+  KubernetesObject,
+  WatchCfg,
+  WatchEvent,
+  GenericClass,
+} from "kubernetes-fluent-client";
 import { Queue } from "../core/queue";
 import { WatchPhase, WatcherType } from "kubernetes-fluent-client/dist/fluent/types";
 import { KubernetesListObject } from "kubernetes-fluent-client/dist/types";
@@ -51,8 +57,12 @@ export function getOrCreateQueue(obj: KubernetesObject): Queue<KubernetesObject>
 
 // Watch configuration
 const watchCfg: WatchCfg = {
-  resyncFailureMax: process.env.PEPR_RESYNC_FAILURE_MAX ? parseInt(process.env.PEPR_RESYNC_FAILURE_MAX, 10) : 5,
-  resyncDelaySec: process.env.PEPR_RESYNC_DELAY_SECONDS ? parseInt(process.env.PEPR_RESYNC_DELAY_SECONDS, 10) : 5,
+  resyncFailureMax: process.env.PEPR_RESYNC_FAILURE_MAX
+    ? parseInt(process.env.PEPR_RESYNC_FAILURE_MAX, 10)
+    : 5,
+  resyncDelaySec: process.env.PEPR_RESYNC_DELAY_SECONDS
+    ? parseInt(process.env.PEPR_RESYNC_DELAY_SECONDS, 10)
+    : 5,
   lastSeenLimitSeconds: process.env.PEPR_LAST_SEEN_LIMIT_SECONDS
     ? parseInt(process.env.PEPR_LAST_SEEN_LIMIT_SECONDS, 10)
     : 300,
@@ -79,7 +89,9 @@ export function setupWatch(capabilities: Capability[], ignoredNamespaces?: strin
   capabilities.map(capability =>
     capability.bindings
       .filter(binding => binding.isWatch)
-      .forEach(bindingElement => runBinding(bindingElement, capability.namespaces, ignoredNamespaces)),
+      .forEach(bindingElement =>
+        runBinding(bindingElement, capability.namespaces, ignoredNamespaces),
+      ),
   );
 }
 
@@ -100,12 +112,20 @@ async function runBinding(
   // The watch callback is run when an object is received or dequeued
   Log.debug({ watchCfg }, "Effective WatchConfig");
 
-  const watchCallback = async (kubernetesObject: KubernetesObject, phase: WatchPhase): Promise<void> => {
+  const watchCallback = async (
+    kubernetesObject: KubernetesObject,
+    phase: WatchPhase,
+  ): Promise<void> => {
     // First, filter the object based on the phase
     if (phaseMatch.includes(phase)) {
       try {
         // Then, check if the object matches the filter
-        const filterMatch = filterNoMatchReason(binding, kubernetesObject, capabilityNamespaces, ignoredNamespaces);
+        const filterMatch = filterNoMatchReason(
+          binding,
+          kubernetesObject,
+          capabilityNamespaces,
+          ignoredNamespaces,
+        );
         if (filterMatch !== "") {
           Log.debug(filterMatch);
           return;
@@ -139,7 +159,10 @@ async function runBinding(
       // [ true, void, undefined ] SHOULD remove finalizer
       // [ false ] should NOT remove finalizer
       if (shouldRemoveFinalizer === false) {
-        Log.debug({ obj: kubernetesObject }, `Skipping removal of finalizer '${peprFinal}' from '${resource}'`);
+        Log.debug(
+          { obj: kubernetesObject },
+          `Skipping removal of finalizer '${peprFinal}' from '${resource}'`,
+        );
       } else {
         await removeFinalizer(binding, kubernetesObject);
       }
@@ -147,16 +170,19 @@ async function runBinding(
   };
 
   // Setup the resource watch
-  const watcher = K8s(binding.model, { ...binding.filters, kindOverride: binding.kind }).Watch(async (obj, phase) => {
-    Log.debug(obj, `Watch event ${phase} received`);
-
-    if (binding.isQueue) {
-      const queue = getOrCreateQueue(obj);
-      await queue.enqueue(obj, phase, watchCallback);
-    } else {
-      await watchCallback(obj, phase);
-    }
-  }, watchCfg);
+  const watcher = K8s(binding.model, { ...binding.filters, kindOverride: binding.kind }).Watch(
+    async (obj, phase) => {
+      Log.debug(obj, `Watch event ${phase} received`);
+
+      if (binding.isQueue) {
+        const queue = getOrCreateQueue(obj);
+        await queue.enqueue(obj, phase, watchCallback);
+      } else {
+        await watchCallback(obj, phase);
+      }
+    },
+    watchCfg,
+  );
 
   // Register event handlers
   registerWatchEventHandlers(watcher, logEvent, metricsCollector);
@@ -214,10 +240,14 @@ export function registerWatchEventHandlers(
     [WatchEvent.CONNECT]: url => logEvent(WatchEvent.CONNECT, url),
     [WatchEvent.DATA_ERROR]: err => logEvent(WatchEvent.DATA_ERROR, err.message),
     [WatchEvent.RECONNECT]: retryCount =>
-      logEvent(WatchEvent.RECONNECT, `Reconnecting after ${retryCount} attempt${retryCount === 1 ? "" : "s"}`),
+      logEvent(
+        WatchEvent.RECONNECT,
+        `Reconnecting after ${retryCount} attempt${retryCount === 1 ? "" : "s"}`,
+      ),
     [WatchEvent.RECONNECT_PENDING]: () => logEvent(WatchEvent.RECONNECT_PENDING),
     [WatchEvent.ABORT]: err => logEvent(WatchEvent.ABORT, err.message),
-    [WatchEvent.OLD_RESOURCE_VERSION]: errMessage => logEvent(WatchEvent.OLD_RESOURCE_VERSION, errMessage),
+    [WatchEvent.OLD_RESOURCE_VERSION]: errMessage =>
+      logEvent(WatchEvent.OLD_RESOURCE_VERSION, errMessage),
     [WatchEvent.NETWORK_ERROR]: err => logEvent(WatchEvent.NETWORK_ERROR, err.message),
     [WatchEvent.LIST_ERROR]: err => logEvent(WatchEvent.LIST_ERROR, err.message),
     [WatchEvent.LIST]: list => logEvent(WatchEvent.LIST, JSON.stringify(list, undefined, 2)),

package/src/lib/telemetry/metrics.ts

@@ -56,7 +56,9 @@ export class MetricsCollector {
     this.addSummary(this.#metricNames.mutate, "Mutation operation summary");
     this.addSummary(this.#metricNames.validate, "Validation operation summary");
     this.addGauge(this.#metricNames.cacheMiss, "Number of cache misses per window", ["window"]);
-    this.addGauge(this.#metricNames.resyncFailureCount, "Number of failures per resync operation", ["count"]);
+    this.addGauge(this.#metricNames.resyncFailureCount, "Number of failures per resync operation", [
+      "count",
+    ]);
   }
 
   #getMetricName = (name: string): string => `${this.#prefix}_${name}`;
@@ -173,7 +175,9 @@ export class MetricsCollector {
       if (firstKey !== undefined) {
         this.#cacheMissWindows.delete(firstKey);
       }
-      this.#gauges.get(this.#getMetricName(this.#metricNames.cacheMiss))?.remove({ window: firstKey });
+      this.#gauges
+        .get(this.#getMetricName(this.#metricNames.cacheMiss))
+        ?.remove({ window: firstKey });
     }
   };
 }

package/src/lib/telemetry/webhookTimeouts.ts

@@ -9,7 +9,10 @@ export class MeasureWebhookTimeout {
 
   constructor(webhookType: WebhookType) {
     this.#webhookType = webhookType;
-    metricsCollector.addCounter(`${webhookType}_timeouts`, `Number of ${webhookType} webhook timeouts`);
+    metricsCollector.addCounter(
+      `${webhookType}_timeouts`,
+      `Number of ${webhookType} webhook timeouts`,
+    );
   }
 
   start(timeout: number = 10): void {

package/src/templates/.prettierrc.json

@@ -4,10 +4,11 @@
   "bracketSpacing": true,
   "embeddedLanguageFormatting": "auto",
   "insertPragma": false,
-  "printWidth": 80,
+  "printWidth": 100,
   "quoteProps": "as-needed",
   "requirePragma": false,
   "semi": true,
   "tabWidth": 2,
-  "useTabs": false
+  "useTabs": false,
+  "vueIndentScriptAndStyle": false
 }

package/src/templates/capabilities/hello-pepr.ts

@@ -89,9 +89,7 @@ When(a.ConfigMap)
   .IsCreated()
   .WithName("example-1")
   .Mutate(request => {
-    request
-      .SetLabel("pepr", "was-here")
-      .SetAnnotation("pepr.dev", "annotations-work-too");
+    request.SetLabel("pepr", "was-here").SetAnnotation("pepr.dev", "annotations-work-too");
 
     // Use the Store to persist data between requests and Pepr controller pods
     Store.setItem("example-1", "was-here");
@@ -228,11 +226,7 @@ function example4Cb(cm: PeprMutateRequest<a.ConfigMap>) {
  * Note because the Capability defines namespaces, the namespace specified here must be one of those.
  * Alternatively, you can remove the namespace from the Capability definition and specify it here.
  */
-When(a.ConfigMap)
-  .IsCreated()
-  .InNamespace("pepr-demo-2")
-  .WithName("example-4a")
-  .Mutate(example4Cb);
+When(a.ConfigMap).IsCreated().InNamespace("pepr-demo-2").WithName("example-4a").Mutate(example4Cb);
 
 /**
  * ---------------------------------------------------------------------------------------------------

package/dist/src/sdk/cosign.d.ts

@@ -1,18 +0,0 @@
-export declare enum MediaTypeDockerV2 {
-    Manifest = "application/vnd.docker.distribution.manifest.v2+json"
-}
-export declare enum MediaTypeOciV1 {
-    Manifest = "application/vnd.oci.image.manifest.v1+json",
-    Index = "application/vnd.oci.image.index.v1+json"
-}
-export declare function head(rawUrl: string, mediaType: string, optsParam?: Record<string, any>): Promise<any>;
-export declare function get(rawUrl: string, mediaType: string, optsParam?: Record<string, any>): Promise<any>;
-export declare function download(rawUrl: string, localPath: string, optsParam?: Record<string, any>): Promise<void>;
-/**
- * Returns all containers in a pod
- * @param {string} iref image reference
- * @param {array} pubkeys list of paths to node crypto code signing pubkeys
- * @returns {boolean} whether the iref was signed by a key in the pubkeys
- */
-export declare function verifyImage(iref: string, pubkeys: string[], tlsCrts?: string[]): Promise<boolean>;
-//# sourceMappingURL=cosign.d.ts.map

package/dist/src/sdk/cosign.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"cosign.d.ts","sourceRoot":"","sources":["../../../src/sdk/cosign.ts"],"names":[],"mappings":"AAWA,oBAAY,iBAAiB;IAC3B,QAAQ,yDAAyD;CAClE;AAED,oBAAY,cAAc;IACxB,QAAQ,+CAA+C;IACvD,KAAK,4CAA4C;CAClD;AAGD,wBAAsB,IAAI,CACxB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,EACjB,SAAS,GAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAM,GAClC,OAAO,CAAC,GAAG,CAAC,CAwCd;AAGD,wBAAsB,GAAG,CACvB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,EACjB,SAAS,GAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAM,GAClC,OAAO,CAAC,GAAG,CAAC,CAmDd;AAGD,wBAAsB,QAAQ,CAC5B,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,EACjB,SAAS,GAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAM,GAClC,OAAO,CAAC,IAAI,CAAC,CA8Cf;AAMD;;;;;GAKG;AACH,wBAAsB,WAAW,CAC/B,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EAAE,EACjB,OAAO,CAAC,EAAE,MAAM,EAAE,GACjB,OAAO,CAAC,OAAO,CAAC,CAsIlB"}

package/src/lib/.prettierrc

@@ -1,14 +0,0 @@
-{
-  "arrowParens": "avoid",
-  "bracketSameLine": false,
-  "bracketSpacing": true,
-  "embeddedLanguageFormatting": "auto",
-  "insertPragma": false,
-  "printWidth": 120,
-  "quoteProps": "as-needed",
-  "requirePragma": false,
-  "semi": true,
-  "useTabs": false,
-  "vueIndentScriptAndStyle": false,
-  "tabWidth": 2
-}

package/src/sdk/cosign.ts

@@ -1,327 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
-
-import { https } from "follow-redirects";
-import { readFile, unlink } from "node:fs/promises";
-import { createWriteStream } from "node:fs";
-import * as crypto from "node:crypto";
-import { PublicKeyDetails, TrustedRoot } from "@sigstore/protobuf-specs";
-import { bundleFromJSON } from "@sigstore/bundle";
-import { toSignedEntity, toTrustMaterial, Verifier } from "@sigstore/verify";
-
-export enum MediaTypeDockerV2 {
-  Manifest = "application/vnd.docker.distribution.manifest.v2+json",
-}
-
-export enum MediaTypeOciV1 {
-  Manifest = "application/vnd.oci.image.manifest.v1+json",
-  Index = "application/vnd.oci.image.index.v1+json",
-}
-
-/* eslint-disable  @typescript-eslint/no-explicit-any */
-export async function head(
-  rawUrl: string,
-  mediaType: string,
-  optsParam: Record<string, any> = {},
-): Promise<any> {
-  const url = new URL(rawUrl);
-
-  return new Promise((resolve, reject) => {
-    const opts = {
-      protocol: url.protocol,
-      hostname: url.hostname,
-      port: url.port,
-      path: url.pathname,
-      method: "HEAD",
-      headers: { Accept: mediaType },
-      ...optsParam,
-    };
-
-    https
-      .request(opts, resp => {
-        const { statusCode } = resp;
-
-        let error;
-        if (!statusCode?.toString().startsWith("2") && !statusCode?.toString().startsWith("3")) {
-          reject(new Error(`err: status code: ${statusCode}: expected 2xx|3xx`));
-          error = true;
-        }
-
-        if (error) {
-          resp.resume();
-          return;
-        }
-
-        resp.setEncoding("utf8");
-
-        resp.on("data", () => {});
-
-        resp.on("end", () => {
-          resolve(resp.headers);
-        });
-      })
-      .on("error", e => reject(e))
-      .end();
-  });
-}
-
-/* eslint-disable  @typescript-eslint/no-explicit-any */
-export async function get(
-  rawUrl: string,
-  mediaType: string,
-  optsParam: Record<string, any> = {},
-): Promise<any> {
-  const url = new URL(rawUrl);
-
-  return new Promise((resolve, reject) => {
-    const opts = {
-      protocol: url.protocol,
-      hostname: url.hostname,
-      port: url.port,
-      path: url.pathname,
-      method: "GET",
-      headers: {
-        "User-Agent": "node",
-        Accept: mediaType,
-      },
-      ...optsParam,
-    };
-
-    https
-      .request(opts, resp => {
-        const { statusCode } = resp;
-
-        let error;
-
-        if (!statusCode?.toString().startsWith("2") && !statusCode?.toString().startsWith("3")) {
-          console.log(resp.headers);
-          reject(new Error(`err: status code: ${statusCode}: expected 2xx`));
-          error = true;
-        }
-
-        if (error) {
-          resp.resume();
-          return;
-        }
-
-        resp.setEncoding("utf8");
-
-        let raw = "";
-        resp.on("data", chunk => {
-          raw += chunk;
-        });
-        resp.on("end", () => {
-          try {
-            resolve({ head: resp.headers, body: raw });
-          } catch (e) {
-            reject(e);
-          }
-        });
-      })
-      .on("error", e => reject(e))
-      .end();
-  });
-}
-
-/* eslint-disable  @typescript-eslint/no-explicit-any */
-export async function download(
-  rawUrl: string,
-  localPath: string,
-  optsParam: Record<string, any> = {},
-): Promise<void> {
-  const url = new URL(rawUrl);
-
-  return new Promise((resolve, reject) => {
-    const opts = {
-      protocol: url.protocol,
-      hostname: url.hostname,
-      port: url.port,
-      path: url.pathname,
-      method: "GET",
-      headers: {
-        "User-Agent": "node",
-        Accept: "application/octet-stream",
-      },
-      ...optsParam,
-    };
-
-    https
-      .request(opts, resp => {
-        const { statusCode } = resp;
-
-        let error;
-
-        if (!statusCode?.toString().startsWith("2") && !statusCode?.toString().startsWith("3")) {
-          console.log(resp.headers);
-          reject(new Error(`err: status code: ${statusCode}: expected 2xx`));
-          error = true;
-        }
-
-        if (error) {
-          resp.resume();
-          return;
-        }
-
-        const ws = createWriteStream(localPath).on("finish", () => {
-          ws.close(() => resolve());
-        });
-
-        resp.pipe(ws);
-      })
-      .on("error", async err => {
-        await unlink(localPath);
-        reject(err);
-      })
-      .end();
-  });
-}
-
-//
-// TODO: should support using certs too
-//
-
-/**
- * Returns all containers in a pod
- * @param {string} iref image reference
- * @param {array} pubkeys list of paths to node crypto code signing pubkeys
- * @returns {boolean} whether the iref was signed by a key in the pubkeys
- */
-export async function verifyImage(
-  iref: string,
-  pubkeys: string[],
-  tlsCrts?: string[],
-): Promise<boolean> {
-  const X: Record<string, any> = {};
-
-  // <host---> / <image----------------------->
-  //           / <name---------------> : <tag->
-  // docker.io / library / hello-world : latest
-  //
-  // <host> / <image------------------------------------->
-  //        / <name------------------------------> : <tag>
-  // ttl.sh / 5dad3c9b-7ccc-4115-be27-c9244e7c0e06 : 2000m
-
-  X.iref = {};
-  X.iref.raw = iref;
-  X.iref.host = iref.split("/")[0];
-  X.iref.image = iref.replace(`${X.iref.host}/`, "");
-  X.iref.tag = X.iref.image.split(":").at(-1);
-  X.iref.name = X.iref.image.replace(`:${X.iref.tag}`, "");
-
-  X.manifest = {
-    url: `https://${X.iref.host}/v2/${X.iref.name}/manifests/${X.iref.tag}`,
-  };
-
-  const supportsMediaType = async (url: string, mediaType: string): Promise<boolean> => {
-    return (await head(url, mediaType, { ca: tlsCrts }))["content-type"] === mediaType;
-  };
-
-  const canOciV1Manifest = async (manifestUrl: string): Promise<boolean> => {
-    return supportsMediaType(manifestUrl, MediaTypeOciV1.Manifest);
-  };
-
-  const canDockerV2Manifest = async (manifestUrl: string): Promise<boolean> => {
-    return supportsMediaType(manifestUrl, MediaTypeDockerV2.Manifest);
-  };
-
-  // prettier-ignore
-  const manifestResp =
-    await canOciV1Manifest(X.manifest.url) ? await get(X.manifest.url, MediaTypeOciV1.Manifest, {ca: tlsCrts}) :
-    await canDockerV2Manifest(X.manifest.url) ? await get(X.manifest.url, MediaTypeDockerV2.Manifest, {ca: tlsCrts}) :
-    (():never => { throw "Can't pull image manifest with supported MediaType." })();
-  X.manifest.content = manifestResp.body;
-
-  X.manifest.digest = `sha256:${crypto
-    .createHash("sha256")
-    .update(X.manifest.content)
-    .digest("hex")
-    .toString()}`;
-
-  X.sig = {};
-  X.sig.tag = `${X.manifest.digest.replace(":", "-")}.sig`;
-  X.sig.triangulated = `${X.iref.host}/${X.iref.name}:${X.sig.tag}`;
-  X.sig.url = `https://${X.iref.host}/v2/${X.iref.name}/manifests/${X.sig.tag}`;
-
-  const sigManifestResp = await get(X.sig.url, MediaTypeOciV1.Manifest, { ca: tlsCrts });
-  X.sig.manifest = sigManifestResp.body;
-
-  const cosignSigLayer = JSON.parse(X.sig.manifest).layers.filter((f: any) =>
-    Object.hasOwn(f?.annotations, "dev.cosignproject.cosign/signature"),
-  )[0];
-
-  X.sig.blob = {};
-  X.sig.blob.digest = cosignSigLayer.digest;
-  X.sig.blob.signature = cosignSigLayer.annotations["dev.cosignproject.cosign/signature"];
-  X.sig.blob.url = `https://${X.iref.host}/v2/${X.iref.name}/blobs/${X.sig.blob.digest}`;
-
-  const sigBlobResp = await get(X.sig.blob.url, "application/octet-stream", { ca: tlsCrts });
-  X.sig.blob.content = sigBlobResp.body;
-
-  let verified = false;
-
-  for (const pubkey of pubkeys) {
-    // https://github.com/sigstore/sigstore-js/blob/main/packages/verify/src/__tests__/verifier.test.ts
-    const pubKeyRaw = await readFile(`${pubkey}`, { encoding: "utf8" });
-    const pubKey = crypto.createPublicKey({
-      key: pubKeyRaw,
-      format: "pem",
-      encoding: "utf-8",
-    });
-
-    const trustedRoot = {
-      tlogs: [],
-      ctlogs: [],
-      timestampAuthorities: [],
-      certificateAuthorities: [],
-    } as unknown as TrustedRoot;
-
-    const keys = {
-      hint: {
-        rawBytes: pubKey.export({ type: "spki", format: "der" }),
-        keyDetails: PublicKeyDetails.PKIX_ECDSA_P256_SHA_256,
-      },
-    };
-    const trustMaterial = toTrustMaterial(trustedRoot, keys);
-
-    const subject = new Verifier(trustMaterial, {
-      ctlogThreshold: 0,
-      tlogThreshold: 0,
-      tsaThreshold: 0,
-    });
-
-    const bundle = bundleFromJSON({
-      mediaType: "application/vnd.dev.sigstore.bundle+json;version=0.1",
-      verificationMaterial: {
-        publicKey: {
-          hint: "hint",
-        },
-        tlogEntries: [],
-        timestampVerificationData: {
-          rfc3161Timestamps: [],
-        },
-      },
-      messageSignature: {
-        messageDigest: {
-          algorithm: "SHA2_256",
-          digest: crypto.createHash("sha256").update(X.sig.blob.content).digest().toString(),
-        },
-        signature: X.sig.blob.signature,
-      },
-    });
-
-    const signedEntity = toSignedEntity(bundle, Buffer.from(X.sig.blob.content));
-
-    try {
-      subject.verify(signedEntity);
-      verified = true;
-      break;
-    } catch (e) {
-      if (e.message.includes("signature verification failed")) {
-        continue;
-      }
-      throw e;
-    }
-  }
-
-  return verified;
-}