pepr 0.46.3 → 0.47.0

package/package.json

@@ -13,9 +13,10 @@
     "/dist",
     "/src",
     "!src/**/*.test.ts",
+    "!src/fixtures/**",
     "!dist/**/*.test.d.ts*"
   ],
-  "version": "0.46.3",
+  "version": "0.47.0",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {
@@ -27,32 +28,33 @@
     "build:image:unicorn": "npm run build && docker buildx build --output type=docker --tag pepr:dev $(node scripts/read-unicorn-build-args.mjs) .",
     "set:version": "node scripts/set-version.js",
     "test": "npm run test:unit && npm run test:journey && npm run test:journey-wasm",
-    "test:unit": "npm run gen-data-json && jest src --coverage --detectOpenHandles --coverageDirectory=./coverage --testPathIgnorePatterns='cosign.e2e.test.ts'",
+    "test:artifacts": "npm run build && jest src/build-artifact.test.ts",
     "test:integration": "npm run test:integration:prep && npm run test:integration:run",
     "test:integration:prep": "./integration/prep.sh",
     "test:integration:run": "jest --maxWorkers=4 integration",
     "test:journey": "npm run test:journey:k3d && npm run build && npm run test:journey:image && npm run test:journey:run",
-    "test:journey:unicorn": "npm run test:journey:k3d && npm run build && npm run test:journey:image:unicorn && npm run test:journey:run",
     "test:journey-wasm": "npm run test:journey:k3d && npm run build && npm run test:journey:image && npm run test:journey:run-wasm",
     "test:journey-wasm:unicorn": "npm run test:journey:k3d && npm run build && npm run test:journey:image:unicorn && npm run test:journey:run-wasm",
-    "test:journey:k3d": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0' --wait && kubectl rollout status deployment -n kube-system",
     "test:journey:image": "docker buildx build --output type=docker --tag pepr:dev . && k3d image import pepr:dev -c pepr-dev",
     "test:journey:image:unicorn": "docker buildx build --output type=docker --tag pepr:dev $(node scripts/read-unicorn-build-args.mjs) . && k3d image import pepr:dev -c pepr-dev",
+    "test:journey:k3d": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0' --wait && kubectl rollout status deployment -n kube-system",
     "test:journey:run": "jest --detectOpenHandles journey/entrypoint.test.ts && npm run test:journey:upgrade",
     "test:journey:run-wasm": "jest --detectOpenHandles journey/entrypoint-wasm.test.ts",
+    "test:journey:unicorn": "npm run test:journey:k3d && npm run build && npm run test:journey:image:unicorn && npm run test:journey:run",
     "test:journey:upgrade": "npm run test:journey:k3d && npm run test:journey:image && jest --detectOpenHandles journey/pepr-upgrade.test.ts",
+    "test:unit": "npm run gen-data-json && jest src --coverage --detectOpenHandles --coverageDirectory=./coverage --testPathIgnorePatterns='build-artifact.test.ts'",
     "format:check": "eslint src && prettier --config .prettierrc src --check",
     "format:fix": "eslint src --fix && prettier --config .prettierrc src --write",
     "prepare": "if [ \"$NODE_ENV\" != 'production' ]; then husky; fi"
   },
   "dependencies": {
     "@types/ramda": "0.30.2",
-    "express": "4.21.2",
+    "express": "5.1.0",
     "fast-json-patch": "3.1.1",
     "heredoc": "^1.3.1",
     "http-status-codes": "^2.3.0",
     "json-pointer": "^0.6.2",
-    "kubernetes-fluent-client": "3.4.5",
+    "kubernetes-fluent-client": "3.4.6",
     "pino": "9.6.0",
     "pino-pretty": "13.0.0",
     "prom-client": "15.1.3",
@@ -76,7 +78,7 @@
     "jest": "29.7.0",
     "js-yaml": "^4.1.0",
     "shellcheck": "^3.0.0",
-    "ts-jest": "29.2.6",
+    "ts-jest": "29.3.1",
     "undici": "^7.0.1"
   },
   "overrides": {

package/src/cli/build.helpers.ts

@@ -11,6 +11,7 @@ import { promises as fs } from "fs";
 import { generateAllYaml } from "../lib/assets/yaml/generateAllYaml";
 import { webhookConfigGenerator } from "../lib/assets/webhooks";
 import { generateZarfYamlGeneric } from "../lib/assets/yaml/generateZarfYaml";
+import { getDeployment, getModuleSecret, getWatcher } from "../lib/assets/pods";
 
 interface ImageOptions {
   customImage?: string;
@@ -191,7 +192,7 @@ export async function generateYamlAndWriteToDisk(obj: {
   const yamlFile = `pepr-module-${uuid}.yaml`;
   const chartPath = `${uuid}-chart`;
   const yamlPath = resolve(outputDir, yamlFile);
-  const yaml = await assets.allYaml(generateAllYaml, imagePullSecret);
+  const yaml = await assets.allYaml(generateAllYaml, getDeployment, getWatcher, imagePullSecret);
   const zarfPath = resolve(outputDir, "zarf.yaml");
 
   let localZarf = "";
@@ -203,6 +204,6 @@ export async function generateYamlAndWriteToDisk(obj: {
   await fs.writeFile(yamlPath, yaml);
   await fs.writeFile(zarfPath, localZarf);
 
-  await assets.generateHelmChart(webhookConfigGenerator, outputDir);
+  await assets.generateHelmChart(webhookConfigGenerator, getWatcher, getModuleSecret, outputDir);
   console.info(`✅ K8s resource for the module saved to ${yamlPath}`);
 }

package/src/cli/init/index.ts

@@ -23,7 +23,6 @@ import {
 import { createDir, sanitizeName, write } from "./utils";
 import { confirm, PromptOptions, walkthrough } from "./walkthrough";
 import { ErrorList } from "../../lib/errors";
-import { OnError } from "./enums";
 
 export default function (program: RootCmd): void {
   let response = {} as PromptOptions;
@@ -35,12 +34,30 @@ export default function (program: RootCmd): void {
     .option("--description <string>", "Explain the purpose of the new module.")
     .option("--name <string>", "Set the name of the new module.")
     .option("--skip-post-init", "Skip npm install, git init, and VSCode launch.")
-    .option(`--errorBehavior <${ErrorList.join("|")}>`, "Set an errorBehavior.", OnError.REJECT)
+    .option(`--errorBehavior <${ErrorList.join("|")}>`, "Set an errorBehavior.")
+    .option(
+      "--uuid [string]",
+      "Unique identifier for your module with a max length of 32 characters.",
+      (uuid: string): string => {
+        const uuidLengthLimit = 36;
+        // length of generated uuid
+        if (uuid.length > uuidLengthLimit) {
+          throw new Error("The UUID must be 36 characters or fewer.");
+        }
+        return uuid.toLocaleLowerCase();
+      },
+    )
     .hook("preAction", async thisCommand => {
       // TODO: Overrides for testing. Don't be so gross with Node CLI testing
       // TODO: See pepr/#1140
       if (process.env.TEST_MODE === "true") {
-        prompts.inject(["pepr-test-module", "A test module for Pepr", "ignore", "y"]);
+        prompts.inject([
+          "pepr-test-module",
+          "A test module for Pepr",
+          "ignore",
+          "static-test",
+          "y",
+        ]);
         pkgOverride = "file:../pepr-0.0.0-development.tgz";
         response = await walkthrough();
       } else {

package/src/cli/init/templates.ts

@@ -3,7 +3,7 @@
 
 import { dumpYaml } from "@kubernetes/client-node";
 import { inspect } from "util";
-import { v4 as uuidv4, v5 as uuidv5 } from "uuid";
+import { v4 as uuidv4 } from "uuid";
 
 import eslintJSON from "../../templates/.eslintrc.template.json";
 import peprSnippetsJSON from "../../templates/pepr.code-snippets.json";
@@ -47,8 +47,8 @@ export type peprPackageJSON = {
 };
 
 export function genPkgJSON(opts: InitOptions, pgkVerOverride?: string): peprPackageJSON {
-  // Generate a random UUID for the module based on the module name
-  const uuid = uuidv5(opts.name, uuidv4());
+  // Generate a random UUID for the module based on the module name if it is not provided
+  const uuid = !opts.uuid ? uuidv4() : opts.uuid;
   // Generate a name for the module based on the module name
   const name = sanitizeName(opts.name);
   // Make typescript a dev dependency

package/src/cli/init/walkthrough.ts

@@ -13,6 +13,7 @@ export type PromptOptions = {
   name: string;
   description: string;
   errorBehavior: OnError;
+  uuid: string;
 };
 
 export type PartialPromptOptions = Partial<PromptOptions>;
@@ -22,10 +23,29 @@ export async function walkthrough(opts?: PartialPromptOptions): Promise<PromptOp
     ...(await setName(opts?.name)),
     ...(await setDescription(opts?.description)),
     ...(await setErrorBehavior(opts?.errorBehavior)),
+    ...(await setUUID(opts?.uuid)),
   };
   return result as PromptOptions;
 }
+async function setUUID(uuid?: string): Promise<Answers<string>> {
+  const askUUID: PromptObject = {
+    type: "text",
+    name: "uuid",
+    message: "Enter a unique identifier for the new Pepr module.\n",
+    validate: (val: string) => {
+      const uuidLengthLimit = 36;
+      return (
+        val.length <= uuidLengthLimit || `The UUID must be ${uuidLengthLimit} characters or fewer.`
+      );
+    },
+  };
 
+  if (uuid !== undefined) {
+    return { uuid };
+  }
+
+  return prompt([askUUID]);
+}
 export async function setName(name?: string): Promise<Answers<string>> {
   const askName: PromptObject = {
     type: "text",

package/src/cli/types.ts

@@ -1,3 +1,3 @@
 import { Answers } from "prompts";
 
-export type InitOptions = Answers<"name" | "description" | "errorBehavior">;
+export type InitOptions = Answers<"name" | "description" | "errorBehavior" | "uuid">;

package/src/lib/assets/assets.ts

@@ -18,7 +18,6 @@ import {
 } from "@kubernetes/client-node/dist/gen";
 import { createDirectoryIfNotExists } from "../filesystemService";
 import { overridesFile } from "./yaml/overridesFile";
-import { getDeployment, getModuleSecret, getWatcher } from "./pods";
 import { helmLayout, createWebhookYaml, toYaml } from "./index";
 import { loadCapabilities } from "./loader";
 import { namespaceComplianceValidator, dedent } from "../helpers";
@@ -26,6 +25,7 @@ import { promises as fs } from "fs";
 import { storeRole, storeRoleBinding, clusterRoleBinding, serviceAccount } from "./rbac";
 import { watcherService, service, tlsSecret, apiPathSecret } from "./networking";
 import { WebhookType } from "../enums";
+import { kind } from "kubernetes-fluent-client";
 
 export class Assets {
   readonly name: string;
@@ -84,6 +84,18 @@ export class Assets {
       assets: Assets,
       deployments: { default: V1Deployment; watch: V1Deployment | null },
     ) => Promise<string>,
+    getDeploymentFunction: (
+      assets: Assets,
+      hash: string,
+      buildTimestamp: string,
+      imagePullSecret?: string,
+    ) => kind.Deployment,
+    getWatcherFunction: (
+      assets: Assets,
+      hash: string,
+      buildTimestamp: string,
+      imagePullSecret?: string,
+    ) => kind.Deployment | null,
     imagePullSecret?: string,
   ): Promise<string> => {
     this.capabilities = await loadCapabilities(this.path);
@@ -97,8 +109,8 @@ export class Assets {
     const moduleHash = crypto.createHash("sha256").update(code).digest("hex");
 
     const deployments = {
-      default: getDeployment(this, moduleHash, this.buildTimestamp, imagePullSecret),
-      watch: getWatcher(this, moduleHash, this.buildTimestamp, imagePullSecret),
+      default: getDeploymentFunction(this, moduleHash, this.buildTimestamp, imagePullSecret),
+      watch: getWatcherFunction(this, moduleHash, this.buildTimestamp, imagePullSecret),
     };
 
     return yamlGenerationFunction(this, deployments);
@@ -141,6 +153,13 @@ export class Assets {
       mutateOrValidate: WebhookType,
       timeoutSeconds: number | undefined,
     ) => Promise<V1MutatingWebhookConfiguration | V1ValidatingWebhookConfiguration | null>,
+    getWatcherFunction: (
+      assets: Assets,
+      hash: string,
+      buildTimestamp: string,
+      imagePullSecret?: string,
+    ) => kind.Deployment | null,
+    getModuleSecretFunction: (name: string, data: Buffer, hash: string) => kind.Secret,
     basePath: string,
   ): Promise<void> => {
     const helm = helmLayout(basePath, this.config.uuid);
@@ -175,7 +194,7 @@ export class Assets {
         [helm.files.serviceAccountYaml, (): string => toYaml(serviceAccount(this.name))],
         [
           helm.files.moduleSecretYaml,
-          (): string => toYaml(getModuleSecret(this.name, code, moduleHash)),
+          (): string => toYaml(getModuleSecretFunction(this.name, code, moduleHash)),
         ],
       ];
       await Promise.all(pairs.map(async ([file, content]) => await fs.writeFile(file, content())));
@@ -205,7 +224,7 @@ export class Assets {
 
       await this.writeWebhookFiles(webhooks.validate, webhooks.mutate, helm);
 
-      const watchDeployment = getWatcher(this, moduleHash, this.buildTimestamp);
+      const watchDeployment = getWatcherFunction(this, moduleHash, this.buildTimestamp);
       if (watchDeployment) {
         await fs.writeFile(
           helm.files.watcherDeploymentYaml,

package/src/lib/assets/envrionment.ts

@@ -0,0 +1,26 @@
+import { V1EnvVar } from "@kubernetes/client-node";
+import { ModuleConfig } from "../types";
+
+export function genEnv(
+  config: ModuleConfig,
+  watchMode = false,
+  ignoreWatchMode = false,
+): V1EnvVar[] {
+  const noWatchDef = {
+    PEPR_PRETTY_LOG: "false",
+    LOG_LEVEL: config.logLevel || "info",
+  };
+
+  const def = {
+    PEPR_WATCH_MODE: watchMode ? "true" : "false",
+    ...noWatchDef,
+  };
+
+  if (config.env && config.env["PEPR_WATCH_MODE"]) {
+    delete config.env["PEPR_WATCH_MODE"];
+  }
+  const cfg = config.env || {};
+  return ignoreWatchMode
+    ? Object.entries({ ...noWatchDef, ...cfg }).map(([name, value]) => ({ name, value }))
+    : Object.entries({ ...def, ...cfg }).map(([name, value]) => ({ name, value }));
+}

package/src/lib/assets/pods.ts

@@ -1,13 +1,13 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-import { KubernetesObject, V1EnvVar } from "@kubernetes/client-node";
+import { KubernetesObject } from "@kubernetes/client-node";
 import { kind } from "kubernetes-fluent-client";
 import { gzipSync } from "zlib";
 import { secretOverLimit } from "../helpers";
 import { Assets } from "./assets";
-import { ModuleConfig } from "../types";
 import { Binding } from "../types";
+import { genEnv } from "./envrionment";
 
 /** Generate the pepr-system namespace */
 export function getNamespace(namespaceLabels?: Record<string, string>): KubernetesObject {
@@ -365,27 +365,3 @@ export function getModuleSecret(name: string, data: Buffer, hash: string): kind.
     };
   }
 }
-
-export function genEnv(
-  config: ModuleConfig,
-  watchMode = false,
-  ignoreWatchMode = false,
-): V1EnvVar[] {
-  const noWatchDef = {
-    PEPR_PRETTY_LOG: "false",
-    LOG_LEVEL: config.logLevel || "info",
-  };
-
-  const def = {
-    PEPR_WATCH_MODE: watchMode ? "true" : "false",
-    ...noWatchDef,
-  };
-
-  if (config.env && config.env["PEPR_WATCH_MODE"]) {
-    delete config.env["PEPR_WATCH_MODE"];
-  }
-  const cfg = config.env || {};
-  return ignoreWatchMode
-    ? Object.entries({ ...noWatchDef, ...cfg }).map(([name, value]) => ({ name, value }))
-    : Object.entries({ ...def, ...cfg }).map(([name, value]) => ({ name, value }));
-}

package/src/lib/assets/yaml/overridesFile.ts

@@ -1,6 +1,5 @@
-import { genEnv } from "../pods";
-import { ModuleConfig } from "../../types";
-import { CapabilityExport } from "../../types";
+import { genEnv } from "../envrionment";
+import { CapabilityExport, ModuleConfig } from "../../types";
 import { dumpYaml } from "@kubernetes/client-node";
 import { clusterRole } from "../rbac";
 import { promises as fs } from "fs";

package/src/lib/filter/adjudication.ts

@@ -0,0 +1,196 @@
+import { KubernetesObject } from "kubernetes-fluent-client";
+import { AdmissionRequest } from "../common-types";
+import { Binding } from "../types";
+import {
+  declaredOperation,
+  declaredGroup,
+  declaredVersion,
+  declaredKind,
+} from "./adjudicators/admissionRequest";
+import {
+  definedEvent,
+  definedName,
+  definedGroup,
+  definedVersion,
+  definedKind,
+  definedNamespaces,
+  definedLabels,
+  definedAnnotations,
+  definedNamespaceRegexes,
+  definedNameRegex,
+} from "./adjudicators/binding";
+import {
+  carriedName,
+  carriedNamespace,
+  carriedLabels,
+  carriedAnnotations,
+} from "./adjudicators/kubernetesObject";
+import {
+  mismatchedDeletionTimestamp,
+  mismatchedEvent,
+  mismatchedName,
+  mismatchedGroup,
+  mismatchedVersion,
+  mismatchedKind,
+  mismatchedNamespace,
+  mismatchedLabels,
+  mismatchedAnnotations,
+  mismatchedNamespaceRegex,
+  mismatchedNameRegex,
+} from "./adjudicators/mismatch";
+import {
+  misboundNamespace,
+  misboundDeleteWithDeletionTimestamp,
+  unbindableNamespaces,
+  uncarryableNamespace,
+  carriesIgnoredNamespace,
+  missingCarriableNamespace,
+} from "./adjudicators/postCollection";
+import { AdjudicationResult } from "../types";
+
+export function adjudicateMisboundNamespace(binding: Binding): AdjudicationResult {
+  return misboundNamespace(binding) ? "Cannot use namespace filter on a namespace object." : null;
+}
+
+export function adjudicateMisboundDeleteWithDeletionTimestamp(
+  binding: Binding,
+): AdjudicationResult {
+  return misboundDeleteWithDeletionTimestamp(binding)
+    ? "Cannot use deletionTimestamp filter on a DELETE operation."
+    : null;
+}
+
+export function adjudicateMismatchedDeletionTimestamp(
+  binding: Binding,
+  obj: KubernetesObject,
+): AdjudicationResult {
+  return mismatchedDeletionTimestamp(binding, obj)
+    ? "Binding defines deletionTimestamp but Object does not carry it."
+    : null;
+}
+
+export function adjudicateMismatchedEvent(
+  binding: Binding,
+  req: AdmissionRequest,
+): AdjudicationResult {
+  return mismatchedEvent(binding, req)
+    ? `Binding defines event '${definedEvent(binding)}' but Request declares '${declaredOperation(req)}'.`
+    : null;
+}
+
+export function adjudicateMismatchedName(
+  binding: Binding,
+  obj: KubernetesObject,
+): AdjudicationResult {
+  return mismatchedName(binding, obj)
+    ? `Binding defines name '${definedName(binding)}' but Object carries '${carriedName(obj)}'.`
+    : null;
+}
+
+export function adjudicateMismatchedGroup(
+  binding: Binding,
+  req: AdmissionRequest,
+): AdjudicationResult {
+  return mismatchedGroup(binding, req)
+    ? `Binding defines group '${definedGroup(binding)}' but Request declares '${declaredGroup(req)}'.`
+    : null;
+}
+
+export function adjudicateMismatchedVersion(
+  binding: Binding,
+  req: AdmissionRequest,
+): AdjudicationResult {
+  return mismatchedVersion(binding, req)
+    ? `Binding defines version '${definedVersion(binding)}' but Request declares '${declaredVersion(req)}'.`
+    : null;
+}
+
+export function adjudicateMismatchedKind(
+  binding: Binding,
+  req: AdmissionRequest,
+): AdjudicationResult {
+  return mismatchedKind(binding, req)
+    ? `Binding defines kind '${definedKind(binding)}' but Request declares '${declaredKind(req)}'.`
+    : null;
+}
+
+export function adjudicateUnbindableNamespaces(
+  capabilityNamespaces: string[],
+  binding: Binding,
+): AdjudicationResult {
+  return unbindableNamespaces(capabilityNamespaces, binding)
+    ? `Binding defines namespaces ${JSON.stringify(definedNamespaces(binding))} but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.`
+    : null;
+}
+
+export function adjudicateUncarryableNamespace(
+  capabilityNamespaces: string[],
+  obj: KubernetesObject,
+): AdjudicationResult {
+  return uncarryableNamespace(capabilityNamespaces, obj)
+    ? `Object carries namespace '${obj.kind && obj.kind === "Namespace" ? obj.metadata?.name : carriedNamespace(obj)}' but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.`
+    : null;
+}
+
+export function adjudicateMismatchedNamespace(
+  binding: Binding,
+  obj: KubernetesObject,
+): AdjudicationResult {
+  return mismatchedNamespace(binding, obj)
+    ? `Binding defines namespaces '${JSON.stringify(definedNamespaces(binding))}' but Object carries '${carriedNamespace(obj)}'.`
+    : null;
+}
+
+export function adjudicateMismatchedLabels(
+  binding: Binding,
+  obj: KubernetesObject,
+): AdjudicationResult {
+  return mismatchedLabels(binding, obj)
+    ? `Binding defines labels '${JSON.stringify(definedLabels(binding))}' but Object carries '${JSON.stringify(carriedLabels(obj))}'.`
+    : null;
+}
+
+export function adjudicateMismatchedAnnotations(
+  binding: Binding,
+  obj: KubernetesObject,
+): AdjudicationResult {
+  return mismatchedAnnotations(binding, obj)
+    ? `Binding defines annotations '${JSON.stringify(definedAnnotations(binding))}' but Object carries '${JSON.stringify(carriedAnnotations(obj))}'.`
+    : null;
+}
+
+export function adjudicateMismatchedNamespaceRegex(
+  binding: Binding,
+  obj: KubernetesObject,
+): AdjudicationResult {
+  return mismatchedNamespaceRegex(binding, obj)
+    ? `Binding defines namespace regexes '${JSON.stringify(definedNamespaceRegexes(binding))}' but Object carries '${carriedNamespace(obj)}'.`
+    : null;
+}
+
+export function adjudicateMismatchedNameRegex(
+  binding: Binding,
+  obj: KubernetesObject,
+): AdjudicationResult {
+  return mismatchedNameRegex(binding, obj)
+    ? `Binding defines name regex '${definedNameRegex(binding)}' but Object carries '${carriedName(obj)}'.`
+    : null;
+}
+
+export function adjudicateCarriesIgnoredNamespace(
+  ignoredNamespaces: string[] | undefined,
+  obj: KubernetesObject,
+): AdjudicationResult {
+  return carriesIgnoredNamespace(ignoredNamespaces, obj)
+    ? `Object carries namespace '${obj.kind && obj.kind === "Namespace" ? obj.metadata?.name : carriedNamespace(obj)}' but ignored namespaces include '${JSON.stringify(ignoredNamespaces)}'.`
+    : null;
+}
+
+export function adjudicateMissingCarriableNamespace(
+  capabilityNamespaces: string[],
+  obj: KubernetesObject,
+): AdjudicationResult {
+  return missingCarriableNamespace(capabilityNamespaces, obj)
+    ? `Object does not carry a namespace but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.`
+    : null;
+}