pepr 0.52.3 → 0.53.0-nightly.1

package/src/lib/assets/assets.ts

@@ -27,7 +27,7 @@ import { storeRole, storeRoleBinding, clusterRoleBinding, serviceAccount } from
 import { tlsSecret, apiPathSecret } from "./networking";
 import { WebhookType } from "../enums";
 import { kind } from "kubernetes-fluent-client";
-
+import Log from "../telemetry/logger";
 export function norWatchOrAdmission(capabilities: CapabilityExport[]): boolean {
   return !isAdmission(capabilities) && !isWatcher(capabilities);
 }
@@ -134,6 +134,10 @@ export class Assets {
     imagePullSecret?: string,
   ): Promise<string> => {
     this.capabilities = await loadCapabilities(this.path);
+    this.capabilities.flatMap(capability => {
+      Log.info(`Module ${this.config.uuid} has capability: ${capability.name}`);
+      Log.info(`Registered Pepr Capability "${capability.name}"`);
+    });
     // give error if namespaces are not respected
     for (const capability of this.capabilities) {
       // until deployment, Pepr does not distinguish between watch and admission

package/src/lib/assets/k8sObjects.ts

@@ -85,9 +85,9 @@ export function getWatcher(
           serviceAccountName: name,
           securityContext: {
             runAsUser: image.includes("private") ? 1000 : 65532,
-            runAsGroup: 65532,
+            runAsGroup: image.includes("private") ? 1000 : 65532,
             runAsNonRoot: true,
-            fsGroup: 65532,
+            fsGroup: image.includes("private") ? 1000 : 65532,
           },
           containers: [
             {
@@ -128,7 +128,7 @@ export function getWatcher(
               },
               securityContext: {
                 runAsUser: image.includes("private") ? 1000 : 65532,
-                runAsGroup: 65532,
+                runAsGroup: image.includes("private") ? 1000 : 65532,
                 runAsNonRoot: true,
                 allowPrivilegeEscalation: false,
                 capabilities: {
@@ -228,9 +228,9 @@ export function getDeployment(
           serviceAccountName: name,
           securityContext: {
             runAsUser: image.includes("private") ? 1000 : 65532,
-            runAsGroup: 65532,
+            runAsGroup: image.includes("private") ? 1000 : 65532,
             runAsNonRoot: true,
-            fsGroup: 65532,
+            fsGroup: image.includes("private") ? 1000 : 65532,
           },
           containers: [
             {
@@ -272,7 +272,7 @@ export function getDeployment(
               env: genEnv(config),
               securityContext: {
                 runAsUser: image.includes("private") ? 1000 : 65532,
-                runAsGroup: 65532,
+                runAsGroup: image.includes("private") ? 1000 : 65532,
                 runAsNonRoot: true,
                 allowPrivilegeEscalation: false,
                 capabilities: {

package/src/lib/assets/loader.ts

@@ -26,12 +26,6 @@ export function loadCapabilities(path: string): Promise<CapabilityExport[]> {
     program.on("message", message => {
       // Cast the message to the ModuleCapabilities type
       const capabilities = message.valueOf() as CapabilityExport[];
-
-      // Iterate through the capabilities and generate the rules
-      for (const capability of capabilities) {
-        console.debug(`Registered Pepr Capability "${capability.name}"`);
-      }
-
       resolve(capabilities);
     });
 

package/src/lib/assets/webhooks.ts

@@ -5,6 +5,8 @@ import {
   AdmissionregistrationV1WebhookClientConfig as AdmissionRegnV1WebhookClientCfg,
   V1LabelSelectorRequirement,
   V1RuleWithOperations,
+  V1MutatingWebhookConfiguration,
+  V1ValidatingWebhookConfiguration,
 } from "@kubernetes/client-node";
 import { kind } from "kubernetes-fluent-client";
 import { concat, equals, uniqWith } from "ramda";
@@ -12,7 +14,6 @@ import { resolveIgnoreNamespaces } from "./ignoredNamespaces";
 import { Assets } from "./assets";
 import { Event, WebhookType } from "../enums";
 import { Binding } from "../types";
-import Log from "../telemetry/logger";
 
 export const peprIgnoreNamespaces: string[] = ["kube-system", "pepr-system"];
 
@@ -47,15 +48,13 @@ export async function generateWebhookRules(
   assets: Assets,
   isMutateWebhook: boolean,
 ): Promise<V1RuleWithOperations[]> {
-  const { config, capabilities } = assets;
+  const { capabilities } = assets;
 
-  const rules = capabilities.flatMap(capability => {
-    Log.info(`Module ${config.uuid} has capability: ${capability.name}`);
-
-    return capability.bindings
+  const rules = capabilities.flatMap(capability =>
+    capability.bindings
       .map(binding => validateRule(binding, isMutateWebhook))
-      .filter((rule): rule is V1RuleWithOperations => !!rule);
-  });
+      .filter((rule): rule is V1RuleWithOperations => !!rule),
+  );
 
   return uniqWith(equals, rules);
 }
@@ -113,7 +112,7 @@ export async function webhookConfigGenerator(
     return null;
   }
 
-  return {
+  const webhookConfig = {
     apiVersion: "admissionregistration.k8s.io/v1",
     kind: isMutate ? "MutatingWebhookConfiguration" : "ValidatingWebhookConfiguration",
     metadata: { name },
@@ -134,4 +133,54 @@ export async function webhookConfigGenerator(
       },
     ],
   };
+
+  // If additional webhooks are specified, add them to the config
+  if (config.additionalWebhooks) {
+    return configureAdditionalWebhooks(webhookConfig, config.additionalWebhooks);
+  }
+
+  return webhookConfig;
+}
+
+export function configureAdditionalWebhooks(
+  webhookConfig: V1MutatingWebhookConfiguration | V1ValidatingWebhookConfiguration,
+  additionalWebhooks: {
+    failurePolicy: "Fail" | "Ignore";
+    namespace: string;
+  }[],
+): V1MutatingWebhookConfiguration | V1ValidatingWebhookConfiguration {
+  if (!additionalWebhooks || additionalWebhooks.length === 0) {
+    return webhookConfig;
+  }
+  // set the ignored namespace to the additional webhook namespaces
+  const webhooks = webhookConfig.webhooks ?? [];
+  if (webhooks.length === 0) {
+    return webhookConfig;
+  }
+  const expr = webhooks[0]!.namespaceSelector!.matchExpressions![0]!;
+  expr.values!.push(...additionalWebhooks.map(w => w.namespace));
+
+  additionalWebhooks.forEach(additionalWebhook => {
+    webhooks.push({
+      name: `${webhookConfig.metadata!.name}-${additionalWebhook.namespace}.pepr.dev`,
+      admissionReviewVersions: ["v1", "v1beta1"],
+      clientConfig: webhooks[0]!.clientConfig,
+      failurePolicy: additionalWebhook.failurePolicy,
+      matchPolicy: "Equivalent",
+      timeoutSeconds: webhooks[0]!.timeoutSeconds,
+      namespaceSelector: {
+        matchExpressions: [
+          {
+            key: "kubernetes.io/metadata.name",
+            operator: "In",
+            values: [additionalWebhook.namespace],
+          },
+        ],
+      },
+      rules: webhooks[0].rules,
+      sideEffects: "None",
+    });
+  });
+
+  return webhookConfig;
 }

package/src/lib/assets/yaml/overridesFile.ts

@@ -4,6 +4,8 @@ import { dumpYaml } from "@kubernetes/client-node";
 import { clusterRole } from "../rbac";
 import { promises as fs } from "fs";
 import { resolveIgnoreNamespaces } from "../ignoredNamespaces";
+import { quicktype, InputData, jsonInputForTargetLanguage } from "quicktype-core";
+
 export type ChartOverrides = {
   apiPath: string;
   capabilities: CapabilityExport[];
@@ -60,9 +62,9 @@ export async function overridesFile(
       },
       securityContext: {
         runAsUser: image.includes("private") ? 1000 : 65532,
-        runAsGroup: 65532,
+        runAsGroup: image.includes("private") ? 1000 : 65532,
         runAsNonRoot: true,
-        fsGroup: 65532,
+        fsGroup: image.includes("private") ? 1000 : 65532,
       },
       readinessProbe: {
         httpGet: {
@@ -92,7 +94,7 @@ export async function overridesFile(
       },
       containerSecurityContext: {
         runAsUser: image.includes("private") ? 1000 : 65532,
-        runAsGroup: 65532,
+        runAsGroup: image.includes("private") ? 1000 : 65532,
         runAsNonRoot: true,
         allowPrivilegeEscalation: false,
         capabilities: {
@@ -128,9 +130,9 @@ export async function overridesFile(
       },
       securityContext: {
         runAsUser: image.includes("private") ? 1000 : 65532,
-        runAsGroup: 65532,
+        runAsGroup: image.includes("private") ? 1000 : 65532,
         runAsNonRoot: true,
-        fsGroup: 65532,
+        fsGroup: image.includes("private") ? 1000 : 65532,
       },
       readinessProbe: {
         httpGet: {
@@ -160,7 +162,7 @@ export async function overridesFile(
       },
       containerSecurityContext: {
         runAsUser: image.includes("private") ? 1000 : 65532,
-        runAsGroup: 65532,
+        runAsGroup: image.includes("private") ? 1000 : 65532,
         runAsNonRoot: true,
         allowPrivilegeEscalation: false,
         capabilities: {
@@ -181,6 +183,26 @@ export async function overridesFile(
       },
     },
   };
-
+  /** write values.schema.yaml */
+  await writeSchemaYamlFromObject(JSON.stringify(overrides, null, 2), path);
   await fs.writeFile(path, dumpYaml(overrides, { noRefs: true, forceQuotes: true }));
 }
+
+export async function writeSchemaYamlFromObject(
+  valuesString: string,
+  valuesFilePath: string,
+): Promise<void> {
+  const schemaPath = valuesFilePath.replace(/\.yaml$/, ".schema.json");
+  const jsonInput = jsonInputForTargetLanguage("schema");
+  await jsonInput.addSource({ name: "Values", samples: [valuesString] });
+
+  const inputData = new InputData();
+  inputData.addInput(jsonInput);
+
+  const { lines } = await quicktype({ inputData, lang: "schema" });
+
+  const schemaJson = lines.join("\n");
+  const schemaObj = JSON.parse(schemaJson);
+
+  await fs.writeFile(schemaPath, JSON.stringify(schemaObj, null, 2), "utf8");
+}

package/src/lib/controller/index.ts

@@ -50,6 +50,7 @@ export class Controller {
     const { beforeHook, afterHook, onReady } = hooks;
     this.#config = config;
     this.#capabilities = capabilities;
+    Log.info({ config }, "Controller configuration");
 
     // Initialize the Pepr store for each capability
     new StoreController(capabilities, `pepr-${config.uuid}-store`, () => {

package/src/lib/types.ts

@@ -296,6 +296,13 @@ export type ModuleConfig = {
   watch?: {
     alwaysIgnore: WebhookIgnore;
   };
+  /** Additional webhooks config to be used by the module */
+  additionalWebhooks?: [
+    {
+      failurePolicy: "Fail" | "Ignore";
+      namespace: string;
+    },
+  ];
 } & Partial<ModuleConfigOptions>;
 
 export type PackageJSON = {

package/dist/cli/deploy.d.ts

@@ -1,21 +0,0 @@
-import { CapabilityExport } from "../lib/types";
-import { Assets } from "../lib/assets/assets";
-import { Command } from "commander";
-interface ImagePullSecretDetails {
-    pullSecret?: string;
-    dockerServer?: string;
-    dockerUsername?: string;
-    dockerEmail?: string;
-    dockerPassword?: string;
-}
-export declare function validateImagePullSecretDetails(details: ImagePullSecretDetails): {
-    valid: boolean;
-    error?: string;
-};
-export declare function getUserConfirmation(opts: {
-    yes: boolean;
-}): Promise<boolean>;
-export default function (program: Command): void;
-export declare function validateNamespaces(capability: CapabilityExport, webhook: Assets): void;
-export {};
-//# sourceMappingURL=deploy.d.ts.map

package/dist/cli/deploy.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"deploy.d.ts","sourceRoot":"","sources":["../../src/cli/deploy.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAE9C,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AASpC,UAAU,sBAAsB;IAC9B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,wBAAgB,8BAA8B,CAAC,OAAO,EAAE,sBAAsB,GAAG;IAC/E,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAmCA;AAoBD,wBAAsB,mBAAmB,CAAC,IAAI,EAAE;IAAE,GAAG,EAAE,OAAO,CAAA;CAAE,GAAG,OAAO,CAAC,OAAO,CAAC,CAalF;AAkCD,MAAM,CAAC,OAAO,WAAW,OAAO,EAAE,OAAO,GAAG,IAAI,CA8B/C;AAED,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,gBAAgB,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI,CAQtF"}

package/src/cli/deploy.ts

@@ -1,170 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
-
-import prompt from "prompts";
-import { CapabilityExport } from "../lib/types";
-import { Assets } from "../lib/assets/assets";
-import { ImagePullSecret } from "../lib/types";
-import { Command } from "commander";
-import { buildModule } from "./build/buildModule";
-import { deployImagePullSecret, deployWebhook } from "../lib/assets/deploy";
-import { namespaceDeploymentsReady } from "../lib/deploymentChecks";
-import { sanitizeName } from "./init/utils";
-import { validateCapabilityNames } from "../lib/helpers";
-import { namespaceComplianceValidator } from "../lib/helpers";
-import { loadCapabilities } from "../lib/assets/loader";
-
-interface ImagePullSecretDetails {
-  pullSecret?: string;
-  dockerServer?: string;
-  dockerUsername?: string;
-  dockerEmail?: string;
-  dockerPassword?: string;
-}
-
-export function validateImagePullSecretDetails(details: ImagePullSecretDetails): {
-  valid: boolean;
-  error?: string;
-} {
-  if (!details.pullSecret) {
-    return { valid: true };
-  }
-
-  // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-subdomain-names
-  if (details.pullSecret !== sanitizeName(details.pullSecret)) {
-    return {
-      valid: false,
-      error: `Invalid --pullSecret. Must be valid name as defined in RFC 1123.`,
-    };
-  }
-
-  const missing: string[] = [];
-  if (!details.dockerEmail) {
-    missing.push("--docker-email");
-  }
-  if (!details.dockerServer) {
-    missing.push("--docker-server");
-  }
-  if (!details.dockerUsername) {
-    missing.push("--docker-username");
-  }
-  if (!details.dockerPassword) {
-    missing.push("--docker-password");
-  }
-
-  if (missing.length > 0) {
-    return {
-      valid: false,
-      error: `Error: Must provide ${missing.join(", ")} when providing --pull-secret`,
-    };
-  }
-
-  return { valid: true };
-}
-
-type ValidatedImagePullSecretDetails = Required<ImagePullSecretDetails>;
-
-function generateImagePullSecret(details: ValidatedImagePullSecretDetails): ImagePullSecret {
-  const auth = Buffer.from(`${details.dockerUsername}:${details.dockerPassword}`).toString(
-    "base64",
-  );
-  return {
-    auths: {
-      [details.dockerServer]: {
-        username: details.dockerUsername,
-        password: details.dockerPassword,
-        email: details.dockerEmail,
-        auth,
-      },
-    },
-  };
-}
-
-export async function getUserConfirmation(opts: { yes: boolean }): Promise<boolean> {
-  if (opts.yes) {
-    return true;
-  }
-
-  // Prompt the user to confirm
-  const confirmation = await prompt({
-    type: "confirm",
-    name: "yes",
-    message: "This will remove and redeploy the module. Continue?",
-  });
-
-  return confirmation.yes ? true : false;
-}
-
-async function buildAndDeployModule(image: string, force: boolean): Promise<void> {
-  const builtModule = await buildModule("dist");
-  if (!builtModule) {
-    return;
-  }
-
-  // Generate a secret for the module
-  const webhook = new Assets(
-    { ...builtModule.cfg.pepr, description: builtModule.cfg.description },
-    builtModule.path,
-    [],
-  );
-  webhook.image = image ?? webhook.image;
-  const capabilities = await loadCapabilities(webhook.path);
-  for (const capability of capabilities) {
-    validateNamespaces(capability, webhook);
-  }
-  try {
-    await webhook.deploy(deployWebhook, force, builtModule.cfg.pepr.webhookTimeout ?? 10);
-
-    // wait for capabilities to be loaded and test names
-    validateCapabilityNames(webhook.capabilities);
-
-    // Wait for the pepr-system resources to be fully up
-    await namespaceDeploymentsReady();
-    console.info(`✅ Module deployed successfully`);
-  } catch (e) {
-    console.error(`Error deploying module:`, e);
-    process.exit(1);
-  }
-}
-
-export default function (program: Command): void {
-  program
-    .command("deploy")
-    .description("Deploy a Pepr Module")
-    .option("-E, --docker-email <email>", "Email for Docker registry.")
-    .option("-P, --docker-password <password>", "Password for Docker registry.")
-    .option("-S, --docker-server <server>", "Docker server address.")
-    .option("-U, --docker-username <username>", "Docker registry username.")
-    .option("-f, --force", "Force deploy the module, override manager field.")
-    .option("-i, --image <image>", "Override the image tag.")
-    .option("-p, --pull-secret <name>", "Deploy imagePullSecret for Controller private registry.")
-    .option("-y, --yes", "Skip confirmation prompts.")
-    .action(async opts => {
-      const valResp = validateImagePullSecretDetails(opts);
-      if (!valResp.valid) {
-        console.error(valResp.error);
-        process.exit(1);
-      }
-
-      if (opts.pullSecret) {
-        await deployImagePullSecret(generateImagePullSecret(opts), opts.pullSecret);
-        return;
-      }
-
-      if (!(await getUserConfirmation(opts))) {
-        process.exit(0);
-      }
-
-      await buildAndDeployModule(opts.image, opts.force);
-    });
-}
-
-export function validateNamespaces(capability: CapabilityExport, webhook: Assets): void {
-  namespaceComplianceValidator(capability, webhook.alwaysIgnore?.namespaces);
-  namespaceComplianceValidator(
-    capability,
-    webhook.config.admission?.alwaysIgnore?.namespaces,
-    false,
-  );
-  namespaceComplianceValidator(capability, webhook.config.watch?.alwaysIgnore?.namespaces, true);
-}