pepr 0.51.6-nightly.4 → 0.51.6-nightly.6

package/src/lib/assets/assets.ts

@@ -8,6 +8,7 @@ import {
   namespaceTemplate,
   clusterRoleTemplate,
   admissionDeployTemplate,
+  serviceTemplate,
   serviceMonitorTemplate,
   watcherDeployTemplate,
 } from "./helm";
@@ -23,10 +24,39 @@ import { loadCapabilities } from "./loader";
 import { namespaceComplianceValidator, dedent } from "../helpers";
 import { promises as fs } from "fs";
 import { storeRole, storeRoleBinding, clusterRoleBinding, serviceAccount } from "./rbac";
-import { watcherService, service, tlsSecret, apiPathSecret } from "./networking";
+import { tlsSecret, apiPathSecret } from "./networking";
 import { WebhookType } from "../enums";
 import { kind } from "kubernetes-fluent-client";
 
+export function norWatchOrAdmission(capabilities: CapabilityExport[]): boolean {
+  return !isAdmission(capabilities) && !isWatcher(capabilities);
+}
+export function isAdmission(capabilities: CapabilityExport[]): boolean {
+  for (const capability of capabilities) {
+    const admissionBindings = capability.bindings.filter(
+      binding => binding.isFinalize || binding.isMutate || binding.isValidate,
+    );
+    if (admissionBindings.length > 0) {
+      return true;
+    }
+  }
+  return false;
+}
+export function isWatcher(capabilities: CapabilityExport[]): boolean {
+  for (const capability of capabilities) {
+    if (capability.hasSchedule) {
+      return true;
+    }
+    const watcherBindings = capability.bindings.filter(
+      binding => binding.isFinalize || binding.isWatch || binding.isQueue,
+    );
+    if (watcherBindings.length > 0) {
+      return true;
+    }
+  }
+  return false;
+}
+
 export class Assets {
   readonly name: string;
   readonly tls: TLSOut;
@@ -82,20 +112,25 @@ export class Assets {
   allYaml = async (
     yamlGenerationFunction: (
       assets: Assets,
-      deployments: { default: V1Deployment; watch: V1Deployment | null },
+      deployments: { admission: V1Deployment | null; watch: V1Deployment | null },
+      services: { admission: kind.Service | null; watch: kind.Service | null },
     ) => Promise<string>,
-    getDeploymentFunction: (
-      assets: Assets,
-      hash: string,
-      buildTimestamp: string,
-      imagePullSecret?: string,
-    ) => kind.Deployment,
-    getWatcherFunction: (
-      assets: Assets,
-      hash: string,
-      buildTimestamp: string,
-      imagePullSecret?: string,
-    ) => kind.Deployment | null,
+    getControllerManifests: {
+      getDeploymentFunction: (
+        assets: Assets,
+        hash: string,
+        buildTimestamp: string,
+        imagePullSecret?: string,
+      ) => kind.Deployment | null;
+      getWatcherFunction: (
+        assets: Assets,
+        hash: string,
+        buildTimestamp: string,
+        imagePullSecret?: string,
+      ) => kind.Deployment | null;
+      getServiceFunction: (name: string, assets: Assets) => kind.Service | null;
+      getWatcherServiceFunction: (name: string, assets: Assets) => kind.Service | null;
+    },
     imagePullSecret?: string,
   ): Promise<string> => {
     this.capabilities = await loadCapabilities(this.path);
@@ -116,11 +151,26 @@ export class Assets {
     const moduleHash = crypto.createHash("sha256").update(code).digest("hex");
 
     const deployments = {
-      default: getDeploymentFunction(this, moduleHash, this.buildTimestamp, imagePullSecret),
-      watch: getWatcherFunction(this, moduleHash, this.buildTimestamp, imagePullSecret),
+      admission: getControllerManifests.getDeploymentFunction(
+        this,
+        moduleHash,
+        this.buildTimestamp,
+        imagePullSecret,
+      ),
+      watch: getControllerManifests.getWatcherFunction(
+        this,
+        moduleHash,
+        this.buildTimestamp,
+        imagePullSecret,
+      ),
     };
 
-    return yamlGenerationFunction(this, deployments);
+    const services = {
+      admission: getControllerManifests.getServiceFunction(this.name, this),
+      watch: getControllerManifests.getWatcherServiceFunction(this.name, this),
+    };
+
+    return yamlGenerationFunction(this, deployments, services);
   };
 
   writeWebhookFiles = async (
@@ -131,7 +181,7 @@ export class Assets {
     if (validateWebhook || mutateWebhook) {
       await fs.writeFile(
         helm.files.admissionDeploymentYaml,
-        dedent(admissionDeployTemplate(this.buildTimestamp)),
+        dedent(admissionDeployTemplate(this.buildTimestamp, "admission")),
       );
       await fs.writeFile(
         helm.files.admissionServiceMonitorYaml,
@@ -194,8 +244,14 @@ export class Assets {
           (): string => dedent(chartYaml(this.config.uuid, this.config.description || "")),
         ],
         [helm.files.namespaceYaml, (): string => dedent(namespaceTemplate())],
-        [helm.files.watcherServiceYaml, (): string => toYaml(watcherService(this.name))],
-        [helm.files.admissionServiceYaml, (): string => toYaml(service(this.name))],
+        [
+          helm.files.watcherServiceYaml,
+          (): string => dedent(serviceTemplate(this.name, "watcher")),
+        ],
+        [
+          helm.files.admissionServiceYaml,
+          (): string => dedent(serviceTemplate(this.name, "admission")),
+        ],
         [helm.files.tlsSecretYaml, (): string => toYaml(tlsSecret(this.name, this.tls))],
         [
           helm.files.apiPathSecretYaml,
@@ -221,7 +277,10 @@ export class Assets {
         apiPath: this.apiPath,
         capabilities: this.capabilities,
       };
-      await overridesFile(overrideData, helm.files.valuesYaml, this.imagePullSecrets);
+      await overridesFile(overrideData, helm.files.valuesYaml, this.imagePullSecrets, {
+        admission: isAdmission(this.capabilities) || norWatchOrAdmission(this.capabilities),
+        watcher: isWatcher(this.capabilities),
+      });
 
       const webhooks = {
         mutate: await webhookGeneratorFunction(
@@ -242,7 +301,7 @@ export class Assets {
       if (watchDeployment) {
         await fs.writeFile(
           helm.files.watcherDeploymentYaml,
-          dedent(watcherDeployTemplate(this.buildTimestamp)),
+          dedent(watcherDeployTemplate(this.buildTimestamp, "watcher")),
         );
         await fs.writeFile(
           helm.files.watcherServiceMonitorYaml,

package/src/lib/assets/deploy.ts

@@ -6,10 +6,17 @@ import { promises as fs } from "fs";
 import { K8s, kind } from "kubernetes-fluent-client";
 import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
 
-import { Assets } from "./assets";
+import { Assets, isAdmission, norWatchOrAdmission } from "./assets";
 import Log from "../telemetry/logger";
-import { apiPathSecret, service, tlsSecret, watcherService } from "./networking";
-import { getDeployment, getModuleSecret, getNamespace, getWatcher } from "./pods";
+import { apiPathSecret, tlsSecret } from "./networking";
+import {
+  getDeployment,
+  service,
+  watcherService,
+  getModuleSecret,
+  getNamespace,
+  getWatcher,
+} from "./k8sObjects";
 import {
   clusterRole,
   clusterRoleBinding,
@@ -148,9 +155,19 @@ async function setupController(
   const mod = getModuleSecret(name, code, hash);
   await K8s(kind.Secret).Apply(mod, { force });
 
-  Log.info("Applying controller service");
-  const svc = service(name);
-  await K8s(kind.Service).Apply(svc, { force });
+  if (isAdmission(assets.capabilities) || norWatchOrAdmission(assets.capabilities)) {
+    const svc = service(name, assets);
+    if (svc) {
+      Log.info("Applying controller service");
+      await K8s(kind.Service).Apply(svc, { force });
+    }
+
+    const dep = getDeployment(assets, hash, assets.buildTimestamp);
+    if (dep) {
+      Log.info("Applying deployment");
+      await K8s(kind.Deployment).Apply(dep, { force });
+    }
+  }
 
   Log.info("Applying TLS secret");
   const tls = tlsSecret(name, assets.tls);
@@ -159,10 +176,6 @@ async function setupController(
   Log.info("Applying API path secret");
   const apiPath = apiPathSecret(name, assets.apiPath);
   await K8s(kind.Secret).Apply(apiPath, { force });
-
-  Log.info("Applying deployment");
-  const dep = getDeployment(assets, hash, assets.buildTimestamp);
-  await K8s(kind.Deployment).Apply(dep, { force });
 }
 
 // Setup the watcher deployment and service
@@ -172,9 +185,10 @@ async function setupWatcher(assets: Assets, hash: string, force: boolean): Promi
   if (watchDeployment) {
     Log.info("Applying watcher deployment");
     await K8s(kind.Deployment).Apply(watchDeployment, { force });
-
+  }
+  const watchSvc = watcherService(assets.name, assets);
+  if (watchSvc) {
     Log.info("Applying watcher service");
-    const watchSvc = watcherService(assets.name);
     await K8s(kind.Service).Apply(watchSvc, { force });
   }
 }

package/src/lib/assets/helm.ts

@@ -1,6 +1,8 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
+type ControllerType = "admission" | "watcher";
+
 export function clusterRoleTemplate(): string {
   return `
     apiVersion: rbac.authorization.k8s.io/v1
@@ -61,8 +63,9 @@ export function chartYaml(name: string, description?: string): string {
 `;
 }
 
-export function watcherDeployTemplate(buildTimestamp: string): string {
+export function watcherDeployTemplate(buildTimestamp: string, type: ControllerType): string {
   return `
+      {{- if .Values.${type}.enabled }}
       apiVersion: apps/v1
       kind: Deployment
       metadata:
@@ -154,11 +157,13 @@ export function watcherDeployTemplate(buildTimestamp: string): string {
               {{- if .Values.watcher.extraVolumes }}
               {{- toYaml .Values.watcher.extraVolumes | nindent 8 }}
               {{- end }}
+      {{- end }}
     `;
 }
 
-export function admissionDeployTemplate(buildTimestamp: string): string {
+export function admissionDeployTemplate(buildTimestamp: string, type: ControllerType): string {
   return `
+      {{- if .Values.${type}.enabled }}
       apiVersion: apps/v1
       kind: Deployment
       metadata:
@@ -270,9 +275,10 @@ export function admissionDeployTemplate(buildTimestamp: string): string {
               {{- if .Values.admission.extraVolumes }}
               {{- toYaml .Values.admission.extraVolumes | nindent 8 }}
               {{- end }}
+      {{- end }}
     `;
 }
-type ControllerType = "admission" | "watcher";
+
 export function serviceMonitorTemplate(name: string, type: ControllerType): string {
   return `
       {{- if .Values.${type}.serviceMonitor.enabled }}
@@ -300,3 +306,25 @@ export function serviceMonitorTemplate(name: string, type: ControllerType): stri
       {{- end }}
     `;
 }
+
+export function serviceTemplate(name: string, type: ControllerType): string {
+  const svcName = type === "admission" ? name : `${name}-${type}`;
+  return `
+      {{- if .Values.${type}.enabled }}
+      apiVersion: v1
+      kind: Service
+      metadata:
+        name: ${svcName}
+        namespace: pepr-system
+        labels:
+          pepr.dev/controller: ${type}
+      spec:
+        selector:
+          app: ${svcName}
+          pepr.dev/controller: ${type}
+        ports:
+        - port: 443
+          targetPort: 3000
+      {{- end }}
+    `;
+}

package/src/lib/assets/{pods.ts → k8sObjects.ts}

@@ -5,9 +5,8 @@ import { KubernetesObject } from "@kubernetes/client-node";
 import { kind } from "kubernetes-fluent-client";
 import { gzipSync } from "zlib";
 import { secretOverLimit } from "../helpers";
-import { Assets } from "./assets";
-import { Binding } from "../types";
-import { genEnv } from "./envrionment";
+import { Assets, isAdmission, isWatcher, norWatchOrAdmission } from "./assets";
+import { genEnv } from "./environment";
 
 /** Generate the pepr-system namespace */
 export function getNamespace(namespaceLabels?: Record<string, string>): KubernetesObject {
@@ -37,27 +36,13 @@ export function getWatcher(
   buildTimestamp: string,
   imagePullSecret?: string,
 ): kind.Deployment | null {
-  const { name, image, capabilities, config } = assets;
-
-  let hasSchedule = false;
-
-  // Append the watcher suffix
-  const app = `${name}-watcher`;
-  const bindings: Binding[] = [];
-
-  // Loop through the capabilities and find any Watch Actions
-  for (const capability of capabilities) {
-    if (capability.hasSchedule) {
-      hasSchedule = true;
-    }
-    const watchers = capability.bindings.filter(binding => binding.isWatch);
-    bindings.push(...watchers);
-  }
+  const { name, image, config } = assets;
 
-  // If there are no watchers, don't deploy the watcher
-  if (bindings.length < 1 && !hasSchedule) {
+  if (!isWatcher(assets.capabilities)) {
     return null;
   }
+  // Append the watcher suffix
+  const app = `${name}-watcher`;
 
   const deploy: kind.Deployment = {
     apiVersion: "apps/v1",
@@ -196,10 +181,14 @@ export function getDeployment(
   hash: string,
   buildTimestamp: string,
   imagePullSecret?: string,
-): kind.Deployment {
+): kind.Deployment | null {
   const { name, image, config } = assets;
   const app = name;
 
+  if (!isAdmission(assets.capabilities) && !norWatchOrAdmission(assets.capabilities)) {
+    return null;
+  }
+
   const deploy: kind.Deployment = {
     apiVersion: "apps/v1",
     kind: "Deployment",
@@ -364,3 +353,61 @@ export function getModuleSecret(name: string, data: Buffer, hash: string): kind.
     };
   }
 }
+
+export function service(name: string, assets: Assets): kind.Service | null {
+  if (!isAdmission(assets.capabilities) && !norWatchOrAdmission(assets.capabilities)) {
+    return null;
+  }
+  return {
+    apiVersion: "v1",
+    kind: "Service",
+    metadata: {
+      name,
+      namespace: "pepr-system",
+      labels: {
+        "pepr.dev/controller": "admission",
+      },
+    },
+    spec: {
+      selector: {
+        app: name,
+        "pepr.dev/controller": "admission",
+      },
+      ports: [
+        {
+          port: 443,
+          targetPort: 3000,
+        },
+      ],
+    },
+  };
+}
+
+export function watcherService(name: string, assets: Assets): kind.Service | null {
+  if (!isWatcher(assets.capabilities)) {
+    return null;
+  }
+  return {
+    apiVersion: "v1",
+    kind: "Service",
+    metadata: {
+      name: `${name}-watcher`,
+      namespace: "pepr-system",
+      labels: {
+        "pepr.dev/controller": "watcher",
+      },
+    },
+    spec: {
+      selector: {
+        app: `${name}-watcher`,
+        "pepr.dev/controller": "watcher",
+      },
+      ports: [
+        {
+          port: 443,
+          targetPort: 3000,
+        },
+      ],
+    },
+  };
+}

package/src/lib/assets/networking.ts

@@ -35,55 +35,3 @@ export function tlsSecret(name: string, tls: TLSOut): kind.Secret {
     },
   };
 }
-
-export function service(name: string): kind.Service {
-  return {
-    apiVersion: "v1",
-    kind: "Service",
-    metadata: {
-      name,
-      namespace: "pepr-system",
-      labels: {
-        "pepr.dev/controller": "admission",
-      },
-    },
-    spec: {
-      selector: {
-        app: name,
-        "pepr.dev/controller": "admission",
-      },
-      ports: [
-        {
-          port: 443,
-          targetPort: 3000,
-        },
-      ],
-    },
-  };
-}
-
-export function watcherService(name: string): kind.Service {
-  return {
-    apiVersion: "v1",
-    kind: "Service",
-    metadata: {
-      name: `${name}-watcher`,
-      namespace: "pepr-system",
-      labels: {
-        "pepr.dev/controller": "watcher",
-      },
-    },
-    spec: {
-      selector: {
-        app: `${name}-watcher`,
-        "pepr.dev/controller": "watcher",
-      },
-      ports: [
-        {
-          port: 443,
-          targetPort: 3000,
-        },
-      ],
-    },
-  };
-}

package/src/lib/assets/yaml/generateAllYaml.ts

@@ -4,7 +4,7 @@
 import crypto from "crypto";
 import { Assets } from "../assets";
 import { WebhookType } from "../../enums";
-import { apiPathSecret, service, tlsSecret, watcherService } from "../networking";
+import { apiPathSecret, tlsSecret } from "../networking";
 import {
   clusterRole,
   clusterRoleBinding,
@@ -12,33 +12,60 @@ import {
   storeRole,
   storeRoleBinding,
 } from "../rbac";
-import { dumpYaml, V1Deployment } from "@kubernetes/client-node";
-import { getModuleSecret, getNamespace } from "../pods";
+import { dumpYaml, V1Deployment, V1Service, KubernetesObject } from "@kubernetes/client-node";
+import { getModuleSecret, getNamespace } from "../k8sObjects";
 import { promises as fs } from "fs";
 import { webhookConfigGenerator } from "../webhooks";
 
-type deployments = { default: V1Deployment; watch: V1Deployment | null };
+type deployments = { admission: V1Deployment | null; watch: V1Deployment | null };
+type services = {
+  admission: V1Service | null;
+  watch: V1Service | null;
+};
 
-export async function generateAllYaml(assets: Assets, deployments: deployments): Promise<string> {
+export function pushControllerManifests(
+  resources: KubernetesObject[],
+  deployments: deployments,
+  services: services,
+): KubernetesObject[] {
+  if (deployments.watch) {
+    resources.push(deployments.watch);
+  }
+  if (deployments.admission) {
+    resources.push(deployments.admission);
+  }
+  if (services.admission) {
+    resources.push(services.admission);
+  }
+  if (services.watch) {
+    resources.push(services.watch);
+  }
+  return resources;
+}
+
+export async function generateAllYaml(
+  assets: Assets,
+  deployments: deployments,
+  services: services,
+): Promise<string> {
   const { name, tls, apiPath, path, config } = assets;
   const code = await fs.readFile(path);
   const hash = crypto.createHash("sha256").update(code).digest("hex");
 
-  const resources = [
+  let resources = [
     getNamespace(assets.config.customLabels?.namespace),
     clusterRole(name, assets.capabilities, config.rbacMode, config.rbac),
     clusterRoleBinding(name),
     serviceAccount(name),
     apiPathSecret(name, apiPath),
     tlsSecret(name, tls),
-    deployments.default,
-    service(name),
-    watcherService(name),
     getModuleSecret(name, code, hash),
     storeRole(name),
     storeRoleBinding(name),
   ];
 
+  resources = pushControllerManifests(resources, deployments, services);
+
   const webhooks = {
     mutate: await webhookConfigGenerator(assets, WebhookType.MUTATE, assets.config.webhookTimeout),
     validate: await webhookConfigGenerator(
@@ -48,8 +75,8 @@ export async function generateAllYaml(assets: Assets, deployments: deployments):
     ),
   };
 
-  // Add webhooks and watch deployment if they exist
-  const additionalResources = [webhooks.mutate, webhooks.validate, deployments.watch].filter(
+  // Add webhooks if they exist
+  const additionalResources = [webhooks.mutate, webhooks.validate].filter(
     resource => resource !== null && resource !== undefined,
   );
 

package/src/lib/assets/yaml/overridesFile.ts

@@ -1,4 +1,4 @@
-import { genEnv } from "../envrionment";
+import { genEnv } from "../environment";
 import { CapabilityExport, ModuleConfig } from "../../types";
 import { dumpYaml } from "@kubernetes/client-node";
 import { clusterRole } from "../rbac";
@@ -18,6 +18,7 @@ export async function overridesFile(
   { hash, name, image, config, apiPath, capabilities }: ChartOverrides,
   path: string,
   imagePullSecrets: string[],
+  controllerType: { admission: boolean; watcher: boolean } = { admission: true, watcher: true },
 ): Promise<void> {
   const rbacOverrides = clusterRole(name, capabilities, config.rbacMode, config.rbac).rules;
 
@@ -41,6 +42,7 @@ export async function overridesFile(
     },
     uuid: name,
     admission: {
+      enabled: controllerType.admission === true ? true : false,
       antiAffinity: false,
       terminationGracePeriodSeconds: 5,
       failurePolicy: config.onError === "reject" ? "Fail" : "Ignore",
@@ -110,6 +112,7 @@ export async function overridesFile(
       },
     },
     watcher: {
+      enabled: controllerType.watcher === true ? true : false,
       terminationGracePeriodSeconds: 5,
       env: genEnv(config, true, true),
       envFrom: [],

package/src/templates/tsconfig.module.json

@@ -6,8 +6,8 @@
     "emitDeclarationOnly": true,
     "esModuleInterop": true,
     "lib": ["ES2022"],
-    "module": "CommonJS",
-    "moduleResolution": "node",
+    "module": "NodeNext",
+    "moduleResolution": "NodeNext",
     "outDir": "dist",
     "resolveJsonModule": true,
     "rootDir": ".",

package/dist/lib/assets/envrionment.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"envrionment.d.ts","sourceRoot":"","sources":["../../../src/lib/assets/envrionment.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAExC,wBAAgB,MAAM,CACpB,MAAM,EAAE,YAAY,EACpB,SAAS,UAAQ,EACjB,eAAe,UAAQ,GACtB,QAAQ,EAAE,CAkBZ"}

package/dist/lib/assets/pods.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"pods.d.ts","sourceRoot":"","sources":["../../../src/lib/assets/pods.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,IAAI,EAAE,MAAM,0BAA0B,CAAC;AAGhD,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAC;AAIlC,yCAAyC;AACzC,wBAAgB,YAAY,CAAC,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,gBAAgB,CAmBvF;AAED,wBAAgB,UAAU,CACxB,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,cAAc,EAAE,MAAM,EACtB,eAAe,CAAC,EAAE,MAAM,GACvB,IAAI,CAAC,UAAU,GAAG,IAAI,CAyJxB;AAED,wBAAgB,aAAa,CAC3B,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,cAAc,EAAE,MAAM,EACtB,eAAe,CAAC,EAAE,MAAM,GACvB,IAAI,CAAC,UAAU,CA+IjB;AAED,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC,MAAM,CAsBrF"}