pepr 0.49.0-nightly.4 → 0.49.0-nightly.6

package/dist/sdk/sdk.d.ts

@@ -38,6 +38,8 @@ export declare function getOwnerRefFrom(customResource: GenericKind, blockOwnerD
  *
  * @param name the name of the resource to sanitize
  * @returns the sanitized resource name
+ *
+ * https://kubernetes.io/docs/concepts/overview/working-with-objects/names/
  */
 export declare function sanitizeResourceName(name: string): string;
 //# sourceMappingURL=sdk.d.ts.map

package/dist/sdk/sdk.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sdk.d.ts","sourceRoot":"","sources":["../../src/sdk/sdk.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACxE,OAAO,EAAE,WAAW,EAAO,IAAI,EAAE,MAAM,0BAA0B,CAAC;AAElE;;;;;GAKG;AACH,wBAAgB,UAAU,CACxB,OAAO,EAAE,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,iBAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,EACpE,aAAa,CAAC,EAAE,YAAY,GAAG,gBAAgB,GAAG,qBAAqB,GACtE,WAAW,EAAE,CAef;AAED;;;;;;;;;GASG;AAEH,wBAAsB,UAAU,CAC9B,EAAE,EAAE,WAAW,EACf,KAAK,EAAE,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,EAC9B,OAAO,EAAE;IACP,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,iBAAiB,EAAE,MAAM,CAAC;CAC3B,GACA,OAAO,CAAC,IAAI,CAAC,CAuBf;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,cAAc,EAAE,WAAW,EAC3B,kBAAkB,CAAC,EAAE,OAAO,EAC5B,UAAU,CAAC,EAAE,OAAO,GACnB,gBAAgB,EAAE,CAcpB;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAYzD"}
+{"version":3,"file":"sdk.d.ts","sourceRoot":"","sources":["../../src/sdk/sdk.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACxE,OAAO,EAAE,WAAW,EAAO,IAAI,EAAE,MAAM,0BAA0B,CAAC;AAElE;;;;;GAKG;AACH,wBAAgB,UAAU,CACxB,OAAO,EAAE,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,iBAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,EACpE,aAAa,CAAC,EAAE,YAAY,GAAG,gBAAgB,GAAG,qBAAqB,GACtE,WAAW,EAAE,CAef;AAED;;;;;;;;;GASG;AAEH,wBAAsB,UAAU,CAC9B,EAAE,EAAE,WAAW,EACf,KAAK,EAAE,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,EAC9B,OAAO,EAAE;IACP,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,iBAAiB,EAAE,MAAM,CAAC;CAC3B,GACA,OAAO,CAAC,IAAI,CAAC,CAuBf;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,cAAc,EAAE,WAAW,EAC3B,kBAAkB,CAAC,EAAE,OAAO,EAC5B,UAAU,CAAC,EAAE,OAAO,GACnB,gBAAgB,EAAE,CAcpB;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAazD"}

package/package.json

@@ -17,7 +17,7 @@
     "!dist/**/*.test.d.ts*",
     "!src/cli/docs/**"
   ],
-  "version": "0.49.0-nightly.4",
+  "version": "0.49.0-nightly.6",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {
@@ -30,6 +30,7 @@
     "set:version": "node scripts/set-version.js",
     "test": "npm run test:unit && npm run test:journey && npm run test:journey-wasm",
     "test:artifacts": "npm run build && jest src/build-artifact.test.ts",
+    "test:docs": "jest --verbose src/cli/docs/*.test.ts",
     "test:integration": "npm run test:integration:prep && npm run test:integration:run",
     "test:integration:prep": "./integration/prep.sh",
     "test:integration:run": "jest --maxWorkers=4 integration",
@@ -43,7 +44,7 @@
     "test:journey:run-wasm": "jest --detectOpenHandles journey/entrypoint-wasm.test.ts",
     "test:journey:unicorn": "npm run test:journey:k3d && npm run test:journey:image:unicorn && npm run test:journey:run",
     "test:journey:upgrade": "npm run test:journey:k3d && npm run test:journey:image && jest --detectOpenHandles journey/pepr-upgrade.test.ts",
-    "test:unit": "npm run gen-data-json && jest src --coverage --detectOpenHandles --coverageDirectory=./coverage --testPathIgnorePatterns='build-artifact.test.ts'",
+    "test:unit": "npm run gen-data-json && jest src --coverage --detectOpenHandles --coverageDirectory=./coverage --testPathIgnorePatterns=\"build-artifact.test.ts|src/cli/docs/.*\\.test\\.ts\"",
     "format:check": "eslint src && prettier --config .prettierrc src --check",
     "format:fix": "eslint src --fix && prettier --config .prettierrc src --write",
     "prepare": "if [ \"$NODE_ENV\" != 'production' ]; then husky; fi"

package/src/cli/build.ts

@@ -71,7 +71,7 @@ export default function (program: RootCmd): void {
     .option("-e, --entry-point [file]", "Specify the entry point file to build with.", peprTS)
     .option(
       "-n, --no-embed",
-      "Disables embedding of deployment files into output module.  Useful when creating library modules intended solely for reuse/distribution via NPM.",
+      "Disables embedding of deployment files into output module. Useful when creating library modules intended solely for reuse/distribution via NPM.",
     )
     .addOption(
       new Option(

package/src/cli/deploy.ts

@@ -11,7 +11,8 @@ import { deployImagePullSecret, deployWebhook } from "../lib/assets/deploy";
 import { namespaceDeploymentsReady } from "../lib/deploymentChecks";
 import { sanitizeName } from "./init/utils";
 import { validateCapabilityNames } from "../lib/helpers";
-
+import { namespaceComplianceValidator } from "../lib/helpers";
+import { loadCapabilities } from "../lib/assets/loader";
 export interface ImagePullSecretDetails {
   pullSecret?: string;
   dockerServer?: string;
@@ -106,7 +107,16 @@ async function buildAndDeployModule(image: string, force: boolean): Promise<void
     [],
   );
   webhook.image = image ?? webhook.image;
-
+  const capabilities = await loadCapabilities(webhook.path);
+  for (const capability of capabilities) {
+    namespaceComplianceValidator(capability, webhook.alwaysIgnore?.namespaces);
+    namespaceComplianceValidator(
+      capability,
+      webhook.config.admission?.alwaysIgnore?.namespaces,
+      false,
+    );
+    namespaceComplianceValidator(capability, webhook.config.watch?.alwaysIgnore?.namespaces, true);
+  }
   try {
     await webhook.deploy(deployWebhook, force, builtModule.cfg.pepr.webhookTimeout ?? 10);
 

package/src/cli/format.ts

@@ -10,7 +10,7 @@ export default function (program: RootCmd): void {
   program
     .command("format")
     .description("Lint and format this Pepr module")
-    .option("-v, --validate-only", "Do not modify files, only validate formatting")
+    .option("-v, --validate-only", "Do not modify files, only validate formatting.")
     .action(async opts => {
       const success = await peprFormat(opts.validateOnly);
 

package/src/cli/init/templates.ts

@@ -33,6 +33,8 @@ export type peprPackageJSON = {
       webhookTimeout: number;
       customLabels: CustomLabels;
       alwaysIgnore: { namespaces: string[] };
+      admission: { alwaysIgnore: { namespaces: string[] } };
+      watch: { alwaysIgnore: { namespaces: string[] } };
       includedFiles: string[];
       env: object;
       rbac?: PolicyRule[];
@@ -79,6 +81,16 @@ export function genPkgJSON(opts: InitOptions, pgkVerOverride?: string): peprPack
       alwaysIgnore: {
         namespaces: [],
       },
+      admission: {
+        alwaysIgnore: {
+          namespaces: [],
+        },
+      },
+      watch: {
+        alwaysIgnore: {
+          namespaces: [],
+        },
+      },
       includedFiles: [],
       env: pgkVerOverride ? testEnv : {},
     },

package/src/lib/assets/assets.ts

@@ -101,7 +101,14 @@ export class Assets {
     this.capabilities = await loadCapabilities(this.path);
     // give error if namespaces are not respected
     for (const capability of this.capabilities) {
+      // until deployment, Pepr does not distinguish between watch and admission
       namespaceComplianceValidator(capability, this.alwaysIgnore?.namespaces);
+      namespaceComplianceValidator(
+        capability,
+        this.config.admission?.alwaysIgnore?.namespaces,
+        false,
+      );
+      namespaceComplianceValidator(capability, this.config.watch?.alwaysIgnore?.namespaces, true);
     }
 
     const code = await fs.readFile(this.path);

package/src/lib/assets/ignoredNamespaces.ts

@@ -0,0 +1,17 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+export function resolveIgnoreNamespaces(ignoredNSConfig: string[] = []): string[] {
+  const ignoredNSEnv = process.env.PEPR_ADDITIONAL_IGNORED_NAMESPACES;
+  if (!ignoredNSEnv) {
+    return ignoredNSConfig;
+  }
+
+  const namespaces = ignoredNSEnv.split(",").map(ns => ns.trim());
+
+  // add alwaysIgnore.namespaces to the list
+  if (ignoredNSConfig) {
+    namespaces.push(...ignoredNSConfig);
+  }
+  return namespaces.filter(ns => ns.length > 0);
+}

package/src/lib/assets/webhooks.ts

@@ -8,7 +8,7 @@ import {
 } from "@kubernetes/client-node";
 import { kind } from "kubernetes-fluent-client";
 import { concat, equals, uniqWith } from "ramda";
-
+import { resolveIgnoreNamespaces } from "./ignoredNamespaces";
 import { Assets } from "./assets";
 import { Event, WebhookType } from "../enums";
 import { Binding } from "../types";
@@ -42,21 +42,6 @@ export const validateRule = (
   return ruleObject;
 };
 
-export function resolveIgnoreNamespaces(ignoredNSConfig: string[] = []): string[] {
-  const ignoredNSEnv = process.env.PEPR_ADDITIONAL_IGNORED_NAMESPACES;
-  if (!ignoredNSEnv) {
-    return ignoredNSConfig;
-  }
-
-  const namespaces = ignoredNSEnv.split(",").map(ns => ns.trim());
-
-  // add alwaysIgnore.namespaces to the list
-  if (ignoredNSConfig) {
-    namespaces.push(...ignoredNSConfig);
-  }
-  return namespaces.filter(ns => ns.length > 0);
-}
-
 export async function generateWebhookRules(
   assets: Assets,
   isMutateWebhook: boolean,
@@ -84,7 +69,11 @@ export async function webhookConfigGenerator(
   const { name, tls, config, apiPath, host } = assets;
   const ignoreNS = concat(
     peprIgnoreNamespaces,
-    resolveIgnoreNamespaces(config?.alwaysIgnore?.namespaces),
+    resolveIgnoreNamespaces(
+      config?.alwaysIgnore?.namespaces?.length
+        ? config?.alwaysIgnore?.namespaces
+        : config?.admission?.alwaysIgnore?.namespaces,
+    ),
   );
 
   // Add any namespaces to ignore

package/src/lib/assets/yaml/overridesFile.ts

@@ -3,7 +3,7 @@ import { CapabilityExport, ModuleConfig } from "../../types";
 import { dumpYaml } from "@kubernetes/client-node";
 import { clusterRole } from "../rbac";
 import { promises as fs } from "fs";
-
+import { resolveIgnoreNamespaces } from "../ignoredNamespaces";
 export type ChartOverrides = {
   apiPath: string;
   capabilities: CapabilityExport[];
@@ -23,7 +23,11 @@ export async function overridesFile(
 
   const overrides = {
     imagePullSecrets,
-    additionalIgnoredNamespaces: [],
+    additionalIgnoredNamespaces: resolveIgnoreNamespaces(
+      config?.alwaysIgnore?.namespaces?.length
+        ? config?.alwaysIgnore?.namespaces
+        : config?.admission?.alwaysIgnore?.namespaces,
+    ),
     rbac: rbacOverrides,
     secrets: {
       apiPath: Buffer.from(apiPath).toString("base64"),

package/src/lib/controller/createHooks.ts

@@ -1,5 +1,5 @@
 import { ControllerHooks } from ".";
-import { resolveIgnoreNamespaces } from "../assets/webhooks";
+import { resolveIgnoreNamespaces } from "../assets/ignoredNamespaces";
 import { Capability } from "../core/capability";
 import { isWatchMode, isDevMode } from "../core/envChecks";
 import { setupWatch } from "../processors/watch-processor";

package/src/lib/core/module.ts

@@ -60,7 +60,9 @@ export class PeprModule {
     const controllerHooks = createControllerHooks(
       opts,
       capabilities,
-      pepr?.alwaysIgnore?.namespaces,
+      pepr?.alwaysIgnore?.namespaces?.length
+        ? pepr.alwaysIgnore.namespaces
+        : config?.watch?.alwaysIgnore?.namespaces,
     );
 
     this.#controller = new Controller(config, capabilities, controllerHooks);

package/src/lib/helpers.ts

@@ -138,20 +138,30 @@ export function generateWatchNamespaceError(
 export function namespaceComplianceValidator(
   capability: CapabilityExport,
   ignoredNamespaces?: string[],
+  watch?: boolean,
 ): void {
   const { namespaces: capabilityNamespaces, bindings, name } = capability;
-  const bindingNamespaces: string[] = bindings.flatMap(
-    (binding: Binding) => binding.filters.namespaces,
+
+  const shouldInclude = (binding: Binding): boolean => {
+    if (watch === true) return !!binding.isWatch;
+    if (watch === false) return !!binding.isMutate;
+    return true;
+  };
+
+  const bindingNamespaces: string[] = bindings.flatMap(binding =>
+    shouldInclude(binding) ? binding.filters.namespaces || [] : [],
   );
-  const bindingRegexNamespaces: string[] = bindings.flatMap(
-    (binding: Binding) => binding.filters.regexNamespaces || [],
+
+  const bindingRegexNamespaces: string[] = bindings.flatMap(binding =>
+    shouldInclude(binding) ? binding.filters.regexNamespaces || [] : [],
   );
 
   const namespaceError = generateWatchNamespaceError(
-    ignoredNamespaces ? ignoredNamespaces : [],
+    ignoredNamespaces ?? [],
     bindingNamespaces,
-    capabilityNamespaces ? capabilityNamespaces : [],
+    capabilityNamespaces ?? [],
   );
+
   if (namespaceError !== "") {
     throw new Error(
       `Error in ${name} capability. A binding violates namespace rules. Please check ignoredNamespaces and capability namespaces: ${namespaceError}`,

package/src/lib/processors/mutate-processor.ts

@@ -13,7 +13,7 @@ import { ModuleConfig } from "../types";
 import { PeprMutateRequest } from "../mutate-request";
 import { base64Encode } from "../utils";
 import { OnError } from "../../cli/init/enums";
-import { resolveIgnoreNamespaces } from "../assets/webhooks";
+import { resolveIgnoreNamespaces } from "../assets/ignoredNamespaces";
 import { Operation } from "fast-json-patch";
 import { WebhookType } from "../enums";
 
@@ -149,7 +149,11 @@ export async function mutateProcessor(
         bind.binding,
         bind.req,
         bind.namespaces,
-        resolveIgnoreNamespaces(bind.config?.alwaysIgnore?.namespaces),
+        resolveIgnoreNamespaces(
+          bind?.config?.alwaysIgnore?.namespaces?.length
+            ? bind.config?.alwaysIgnore?.namespaces
+            : bind.config?.admission?.alwaysIgnore?.namespaces,
+        ),
       );
       if (shouldSkip !== "") {
         Log.debug(shouldSkip);

package/src/lib/processors/validate-processor.ts

@@ -10,7 +10,7 @@ import Log from "../telemetry/logger";
 import { convertFromBase64Map } from "../utils";
 import { PeprValidateRequest } from "../validate-request";
 import { ModuleConfig } from "../types";
-import { resolveIgnoreNamespaces } from "../assets/webhooks";
+import { resolveIgnoreNamespaces } from "../assets/ignoredNamespaces";
 import { MeasureWebhookTimeout } from "../telemetry/webhookTimeouts";
 import { WebhookType } from "../enums";
 import { AdmissionRequest } from "../common-types";
@@ -95,7 +95,11 @@ export async function validateProcessor(
         binding,
         req,
         namespaces,
-        resolveIgnoreNamespaces(config?.alwaysIgnore?.namespaces),
+        resolveIgnoreNamespaces(
+          config?.alwaysIgnore?.namespaces?.length
+            ? config?.alwaysIgnore?.namespaces
+            : config?.admission?.alwaysIgnore?.namespaces,
+        ),
       );
       if (shouldSkip !== "") {
         Log.debug(shouldSkip);

package/src/lib/types.ts

@@ -292,6 +292,14 @@ export type ModuleConfig = {
   uuid: string;
   /** Configure global exclusions that will never be processed by Pepr. */
   alwaysIgnore: WebhookIgnore;
+  /** admission specific ignore */
+  admission?: {
+    alwaysIgnore: WebhookIgnore;
+  };
+  /** watch specific ignore */
+  watch?: {
+    alwaysIgnore: WebhookIgnore;
+  };
 } & Partial<ModuleConfigOptions>;
 
 export type PackageJSON = {

package/src/sdk/sdk.ts

@@ -109,17 +109,20 @@ export function getOwnerRefFrom(
  *
  * @param name the name of the resource to sanitize
  * @returns the sanitized resource name
+ *
+ * https://kubernetes.io/docs/concepts/overview/working-with-objects/names/
  */
 export function sanitizeResourceName(name: string): string {
   return (
     name
-      // The name must be lowercase
       .toLowerCase()
-      // Replace sequences of non-alphanumeric characters with a single '-'
-      .replace(/[^a-z0-9]+/g, "-")
-      // Truncate the name to 250 characters
-      .slice(0, 250)
-      // Remove leading and trailing non-letter characters
-      .replace(/^[^a-z]+|[^a-z]+$/g, "")
+      // Replace invalid characters (anything not a-z, 0-9, or '-') with '-'
+      .replace(/[^a-z0-9-]+/g, "-")
+      // Trim to 63 characters (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#rfc-1035-label-names)
+      .slice(0, 63)
+      // Remove leading non-alphanumeric characters
+      .replace(/^[^a-z0-9]+/, "")
+      // Remove trailing non-alphanumeric characters
+      .replace(/[^a-z0-9]+$/, "")
   );
 }

package/src/templates/package.json

@@ -15,6 +15,16 @@
     "alwaysIgnore": {
       "namespaces": []
     },
+    "admission": {
+      "alwaysIgnore": {
+        "namespaces": []
+      }
+    },
+    "watcher": {
+      "alwaysIgnore": {
+        "namespaces": []
+      }
+    },
     "includedFiles": []
   }
 }