pepr 0.55.6-nightly.0 → 0.55.6-nightly.10

package/package.json

@@ -16,7 +16,7 @@
     "!src/fixtures/**",
     "!dist/**/*.test.d.ts*"
   ],
-  "version": "0.55.6-nightly.0",
+  "version": "0.55.6-nightly.10",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {
@@ -51,7 +51,7 @@
   "dependencies": {
     "@types/ramda": "0.31.1",
     "command-line-args": "^6.0.1",
-    "commander": "14.0.1",
+    "commander": "14.0.2",
     "express": "5.1.0",
     "fast-json-patch": "3.1.1",
     "heredoc": "^1.3.1",
@@ -68,14 +68,13 @@
   "devDependencies": {
     "@commitlint/cli": "20.1.0",
     "@commitlint/config-conventional": "20.0.0",
-    "@fast-check/vitest": "^0.2.1",
     "@semantic-release/commit-analyzer": "^13.0.1",
     "@semantic-release/git": "^10.0.1",
     "@semantic-release/npm": "^13.0.0",
     "@semantic-release/release-notes-generator": "^14.1.0",
     "@types/command-line-args": "^5.2.3",
     "@types/eslint": "9.6.1",
-    "@types/express": "5.0.3",
+    "@types/express": "5.0.5",
     "@types/json-pointer": "^1.0.34",
     "@types/json-schema": "^7.0.15",
     "@types/node": "24.x.x",
@@ -83,7 +82,7 @@
     "@types/readable-stream": "^4.0.21",
     "@types/urijs": "^1.19.25",
     "@types/ws": "^8.18.1",
-    "@vitest/coverage-v8": "^3.2.3",
+    "@vitest/coverage-v8": "^4.0.4",
     "fast-check": "^4.0.0",
     "globals": "^16.0.0",
     "husky": "^9.1.6",
@@ -91,7 +90,7 @@
     "shellcheck": "^4.1.0",
     "tsx": "^4.20.3",
     "undici": "^7.0.1",
-    "vitest": "^3.2.3"
+    "vitest": "^4.0.4"
   },
   "overrides": {
     "glob": "^9.0.0"

package/src/lib/assets/ignoredNamespaces.ts

@@ -1,5 +1,14 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+import { ModuleConfig } from "../types";
+
+export function getIgnoreNamespaces(config?: ModuleConfig): string[] {
+  const fromConfig = config?.alwaysIgnore?.namespaces?.length
+    ? config.alwaysIgnore.namespaces
+    : config?.admission?.alwaysIgnore?.namespaces;
+
+  return resolveIgnoreNamespaces(fromConfig);
+}
 
 export function resolveIgnoreNamespaces(ignoredNSConfig: string[] = []): string[] {
   const ignoredNSEnv = process.env.PEPR_ADDITIONAL_IGNORED_NAMESPACES;

package/src/lib/assets/webhooks.ts

@@ -10,7 +10,7 @@ import {
 } from "@kubernetes/client-node";
 import { kind } from "kubernetes-fluent-client";
 import { concat, equals, uniqWith } from "ramda";
-import { resolveIgnoreNamespaces } from "./ignoredNamespaces";
+import { getIgnoreNamespaces } from "./ignoredNamespaces";
 import { Assets } from "./assets";
 import { Event, WebhookType } from "../enums";
 import { Binding, AdditionalWebhook } from "../types";
@@ -46,9 +46,10 @@ export const validateRule = (
 
 export async function generateWebhookRules(
   assets: Assets,
-  isMutateWebhook: boolean,
+  webhookType: WebhookType,
 ): Promise<V1RuleWithOperations[]> {
   const { capabilities } = assets;
+  const isMutateWebhook = webhookType === WebhookType.MUTATE;
 
   const rules = capabilities.flatMap(capability =>
     capability.bindings
@@ -61,20 +62,13 @@ export async function generateWebhookRules(
 
 export async function webhookConfigGenerator(
   assets: Assets,
-  mutateOrValidate: WebhookType,
+  webhookType: WebhookType,
   timeoutSeconds = 10,
 ): Promise<kind.MutatingWebhookConfiguration | kind.ValidatingWebhookConfiguration | null> {
   const ignore: V1LabelSelectorRequirement[] = [];
 
   const { name, tls, config, apiPath, host } = assets;
-  const ignoreNS = concat(
-    peprIgnoreNamespaces,
-    resolveIgnoreNamespaces(
-      config?.alwaysIgnore?.namespaces?.length
-        ? config?.alwaysIgnore?.namespaces
-        : config?.admission?.alwaysIgnore?.namespaces,
-    ),
-  );
+  const ignoreNS = concat(peprIgnoreNamespaces, getIgnoreNamespaces(config));
 
   // Add any namespaces to ignore
   if (ignoreNS) {
@@ -90,7 +84,7 @@ export async function webhookConfigGenerator(
   };
 
   // The URL must include the API Path
-  const fullApiPath = `/${mutateOrValidate}/${apiPath}`;
+  const fullApiPath = `/${webhookType}/${apiPath}`;
 
   // If a host is specified, use that with a port of 3000
   if (host) {
@@ -104,8 +98,7 @@ export async function webhookConfigGenerator(
     };
   }
 
-  const isMutate = mutateOrValidate === WebhookType.MUTATE;
-  const rules = await generateWebhookRules(assets, isMutate);
+  const rules = await generateWebhookRules(assets, webhookType);
 
   // If there are no rules, return null
   if (rules.length < 1) {
@@ -114,7 +107,10 @@ export async function webhookConfigGenerator(
 
   const webhookConfig = {
     apiVersion: "admissionregistration.k8s.io/v1",
-    kind: isMutate ? "MutatingWebhookConfiguration" : "ValidatingWebhookConfiguration",
+    kind:
+      webhookType === WebhookType.MUTATE
+        ? "MutatingWebhookConfiguration"
+        : "ValidatingWebhookConfiguration",
     metadata: { name },
     webhooks: [
       {

package/src/lib/assets/yaml/overridesFile.ts

@@ -3,7 +3,7 @@ import { CapabilityExport, ModuleConfig } from "../../types";
 import { dumpYaml } from "@kubernetes/client-node";
 import { clusterRole } from "../rbac";
 import { promises as fs } from "fs";
-import { resolveIgnoreNamespaces } from "../ignoredNamespaces";
+import { getIgnoreNamespaces } from "../ignoredNamespaces";
 import { quicktype, InputData, jsonInputForTargetLanguage } from "quicktype-core";
 
 export type ChartOverrides = {
@@ -14,6 +14,33 @@ export type ChartOverrides = {
   name: string;
   image: string;
 };
+type Probes = {
+  readinessProbe: {
+    httpGet: { path: string; port: number; scheme: "HTTPS" };
+    initialDelaySeconds: number;
+  };
+  livenessProbe: {
+    httpGet: { path: string; port: number; scheme: "HTTPS" };
+    initialDelaySeconds: number;
+  };
+};
+type Resources = {
+  requests: { memory: string; cpu: string };
+  limits: { memory: string; cpu: string };
+};
+type PodSecurityContext = {
+  runAsUser: number;
+  runAsGroup: number;
+  runAsNonRoot: true;
+  fsGroup: number;
+};
+type ContainerSecurityContext = {
+  runAsUser: number;
+  runAsGroup: number;
+  runAsNonRoot: true;
+  allowPrivilegeEscalation: false;
+  capabilities: { drop: ["ALL"] };
+};
 
 // Helm Chart overrides file (values.yaml) generated from assets
 export async function overridesFile(
@@ -26,25 +53,14 @@ export async function overridesFile(
 
   const overrides = {
     imagePullSecrets,
-    additionalIgnoredNamespaces: resolveIgnoreNamespaces(
-      config?.alwaysIgnore?.namespaces?.length
-        ? config?.alwaysIgnore?.namespaces
-        : config?.admission?.alwaysIgnore?.namespaces,
-    ),
+    additionalIgnoredNamespaces: getIgnoreNamespaces(config),
     rbac: rbacOverrides,
-    secrets: {
-      apiPath: Buffer.from(apiPath).toString("base64"),
-    },
+    secrets: { apiPath: Buffer.from(apiPath).toString("base64") },
     hash,
-    namespace: {
-      annotations: {},
-      labels: config.customLabels?.namespace ?? {
-        "pepr.dev": "",
-      },
-    },
+    namespace: namespaceBlock(config),
     uuid: name,
     admission: {
-      enabled: controllerType.admission === true ? true : false,
+      enabled: controllerType.admission === true,
       antiAffinity: false,
       terminationGracePeriodSeconds: 5,
       failurePolicy: config.onError === "reject" ? "Fail" : "Ignore",
@@ -52,55 +68,12 @@ export async function overridesFile(
       env: genEnv(config, false, true),
       envFrom: [],
       image,
-      annotations: {
-        "pepr.dev/description": `${config.description}` || "",
-      },
-      labels: {
-        app: name,
-        "pepr.dev/controller": "admission",
-        "pepr.dev/uuid": config.uuid,
-      },
-      securityContext: {
-        runAsUser: image.includes("private") ? 1000 : 65532,
-        runAsGroup: image.includes("private") ? 1000 : 65532,
-        runAsNonRoot: true,
-        fsGroup: image.includes("private") ? 1000 : 65532,
-      },
-      readinessProbe: {
-        httpGet: {
-          path: "/healthz",
-          port: 3000,
-          scheme: "HTTPS",
-        },
-        initialDelaySeconds: 10,
-      },
-      livenessProbe: {
-        httpGet: {
-          path: "/healthz",
-          port: 3000,
-          scheme: "HTTPS",
-        },
-        initialDelaySeconds: 10,
-      },
-      resources: {
-        requests: {
-          memory: "256Mi",
-          cpu: "200m",
-        },
-        limits: {
-          memory: "512Mi",
-          cpu: "500m",
-        },
-      },
-      containerSecurityContext: {
-        runAsUser: image.includes("private") ? 1000 : 65532,
-        runAsGroup: image.includes("private") ? 1000 : 65532,
-        runAsNonRoot: true,
-        allowPrivilegeEscalation: false,
-        capabilities: {
-          drop: ["ALL"],
-        },
-      },
+      annotations: controllerAnnotations(config.description),
+      labels: controllerLabels(name, config.uuid, "admission"),
+      securityContext: podSecurityContext(image),
+      ...commonProbes(),
+      resources: commonResources(),
+      containerSecurityContext: containerSecurityContext(image),
       podAnnotations: {},
       podLabels: {},
       nodeSelector: {},
@@ -115,60 +88,17 @@ export async function overridesFile(
       },
     },
     watcher: {
-      enabled: controllerType.watcher === true ? true : false,
+      enabled: controllerType.watcher === true,
       terminationGracePeriodSeconds: 5,
       env: genEnv(config, true, true),
       envFrom: [],
       image,
-      annotations: {
-        "pepr.dev/description": `${config.description}` || "",
-      },
-      labels: {
-        app: `${name}-watcher`,
-        "pepr.dev/controller": "watcher",
-        "pepr.dev/uuid": config.uuid,
-      },
-      securityContext: {
-        runAsUser: image.includes("private") ? 1000 : 65532,
-        runAsGroup: image.includes("private") ? 1000 : 65532,
-        runAsNonRoot: true,
-        fsGroup: image.includes("private") ? 1000 : 65532,
-      },
-      readinessProbe: {
-        httpGet: {
-          path: "/healthz",
-          port: 3000,
-          scheme: "HTTPS",
-        },
-        initialDelaySeconds: 10,
-      },
-      livenessProbe: {
-        httpGet: {
-          path: "/healthz",
-          port: 3000,
-          scheme: "HTTPS",
-        },
-        initialDelaySeconds: 10,
-      },
-      resources: {
-        requests: {
-          memory: "256Mi",
-          cpu: "200m",
-        },
-        limits: {
-          memory: "512Mi",
-          cpu: "500m",
-        },
-      },
-      containerSecurityContext: {
-        runAsUser: image.includes("private") ? 1000 : 65532,
-        runAsGroup: image.includes("private") ? 1000 : 65532,
-        runAsNonRoot: true,
-        allowPrivilegeEscalation: false,
-        capabilities: {
-          drop: ["ALL"],
-        },
-      },
+      annotations: controllerAnnotations(config.description),
+      labels: controllerLabels(name, config.uuid, "watcher"),
+      securityContext: podSecurityContext(image),
+      ...commonProbes(),
+      resources: commonResources(),
+      containerSecurityContext: containerSecurityContext(image),
       nodeSelector: {},
       tolerations: [],
       extraVolumeMounts: [],
@@ -183,7 +113,6 @@ export async function overridesFile(
       },
     },
   };
-  /** write values.schema.yaml */
   await writeSchemaYamlFromObject(JSON.stringify(overrides, null, 2), path);
   await fs.writeFile(path, dumpYaml(overrides, { noRefs: true, forceQuotes: true }));
 }
@@ -206,3 +135,75 @@ export async function writeSchemaYamlFromObject(
 
   await fs.writeFile(schemaPath, JSON.stringify(schemaObj, null, 2), "utf8");
 }
+
+function runIdsForImage(image: string): { uid: number; gid: number; fsGroup: number } {
+  const id = image.includes("private") ? 1000 : 65532;
+  return { uid: id, gid: id, fsGroup: id };
+}
+
+function commonProbes(): Probes {
+  return {
+    readinessProbe: {
+      httpGet: { path: "/healthz", port: 3000, scheme: "HTTPS" },
+      initialDelaySeconds: 10,
+    },
+    livenessProbe: {
+      httpGet: { path: "/healthz", port: 3000, scheme: "HTTPS" },
+      initialDelaySeconds: 10,
+    },
+  };
+}
+
+function commonResources(): Resources {
+  return {
+    requests: { memory: "256Mi", cpu: "200m" },
+    limits: { memory: "512Mi", cpu: "500m" },
+  };
+}
+
+function podSecurityContext(image: string): PodSecurityContext {
+  const ids = runIdsForImage(image);
+  return {
+    runAsUser: ids.uid,
+    runAsGroup: ids.gid,
+    runAsNonRoot: true,
+    fsGroup: ids.fsGroup,
+  };
+}
+
+function containerSecurityContext(image: string): ContainerSecurityContext {
+  const ids = runIdsForImage(image);
+  return {
+    runAsUser: ids.uid,
+    runAsGroup: ids.gid,
+    runAsNonRoot: true,
+    allowPrivilegeEscalation: false,
+    capabilities: { drop: ["ALL"] },
+  };
+}
+
+function controllerLabels(
+  name: string,
+  uuid: string,
+  kind: "admission" | "watcher",
+): Record<string, string> {
+  return {
+    app: kind === "admission" ? name : `${name}-watcher`,
+    "pepr.dev/controller": kind,
+    "pepr.dev/uuid": uuid,
+  };
+}
+
+function controllerAnnotations(description?: string): Record<string, string> {
+  return { "pepr.dev/description": `${description ?? ""}` };
+}
+
+function namespaceBlock(config: ModuleConfig): {
+  annotations: Record<string, string>;
+  labels: Record<string, string>;
+} {
+  return {
+    annotations: {},
+    labels: config.customLabels?.namespace ?? { "pepr.dev": "" },
+  };
+}

package/src/lib/controller/index.ts

@@ -17,6 +17,7 @@ import { StoreController } from "./store";
 import { karForMutate, karForValidate, KubeAdmissionReview } from "./index.util";
 import { AdmissionRequest } from "../common-types";
 import { featureFlagStore } from "../features/store";
+import { GroupVersionKind } from "kubernetes-fluent-client";
 
 export interface ControllerHooks {
   beforeHook?: (req: AdmissionRequest) => void;
@@ -228,11 +229,7 @@ export class Controller {
         // Get the request from the body or create an empty request
         const request: AdmissionRequest = req.body?.request || ({} as AdmissionRequest);
 
-        const { name, namespace, gvk } = {
-          name: request?.name ? `/${request.name}` : "",
-          namespace: request?.namespace || "",
-          gvk: request?.kind || { group: "", version: "", kind: "" },
-        };
+        const { name, namespace, gvk } = getRequestValues(request);
 
         const reqMetadata = { uid: request.uid, namespace, name };
         Log.info(
@@ -322,3 +319,15 @@ export class Controller {
     }
   }
 }
+
+function getRequestValues(request: AdmissionRequest): {
+  name: string;
+  namespace: string;
+  gvk: GroupVersionKind;
+} {
+  return {
+    name: request?.name ? `/${request.name}` : "",
+    namespace: request?.namespace || "",
+    gvk: request?.kind || { group: "", version: "", kind: "" },
+  };
+}

package/src/lib/core/capability.ts

@@ -180,6 +180,9 @@ export class Capability implements CapabilityExport {
    * @param kind if using a custom KubernetesObject not available in `a.*`, specify the GroupVersionKind
    * @returns
    */
+  // This method intentionally defines a fluent, closure-based DSL for chaining capability actions.
+  // Multiple inline helper functions are required to preserve runtime behavior and readability.
+  // eslint-disable-next-line max-statements
   When = <T extends GenericClass>(model: T, kind?: GroupVersionKind): WhenSelector<T> => {
     const matchedKind = modelToGroupVersionKind(model.name);
 

package/src/lib/core/module.ts

@@ -4,82 +4,87 @@ import { clone } from "ramda";
 import { Capability } from "./capability";
 import { Controller } from "../controller";
 import { ValidateError } from "../errors";
-import { CapabilityExport } from "../types";
+import { CapabilityExport, PackageJSON, PeprModuleOptions, ModuleConfig } from "../types";
 import { isBuildMode } from "./envChecks";
-import { PackageJSON, PeprModuleOptions, ModuleConfig } from "../types";
 import { createControllerHooks } from "../controller/createHooks";
 
 export class PeprModule {
   #controller!: Controller;
 
   /**
-   * Create a new Pepr runtime
+   * Initialize a new Pepr runtime module.
    *
-   * @param config The configuration for the Pepr runtime
-   * @param capabilities The capabilities to be loaded into the Pepr runtime
-   * @param opts Options for the Pepr runtime
+   * @param pkg The package.json data containing Pepr configuration.
+   * @param capabilities The list of capabilities to load.
+   * @param opts Options for the Pepr runtime settings (e.g., deferStart).
    */
+
   constructor(
     { description, pepr }: PackageJSON,
     capabilities: Capability[] = [],
     opts: PeprModuleOptions = {},
   ) {
-    const config: ModuleConfig = clone(pepr);
-    config.description = description;
+    const config = PeprModule.#initializeConfig(description, pepr);
+    PeprModule.#validateConfig(config);
 
-    // Need to validate at runtime since TS gets sad about parsing the package.json
-    ValidateError(config.onError);
-
-    // Handle build mode
     if (isBuildMode()) {
-      // Fail if process.send is not defined
-      if (!process.send) {
-        throw new Error("process.send is not defined");
-      }
-
-      const exportedCapabilities: CapabilityExport[] = [];
-
-      // Send capability map to parent process
-      for (const capability of capabilities) {
-        // Convert the capability to a capability config
-        exportedCapabilities.push({
-          name: capability.name,
-          description: capability.description,
-          namespaces: capability.namespaces,
-          bindings: capability.bindings,
-          hasSchedule: capability.hasSchedule,
-        });
-      }
+      PeprModule.#handleBuildMode(capabilities);
+      return;
+    }
 
-      // Send the capabilities back to the parent process
-      process.send(exportedCapabilities);
+    const controllerHooks = PeprModule.#createHooks(opts, capabilities, pepr, config);
+    this.#controller = new Controller(config, capabilities, controllerHooks);
 
-      return;
+    if (!opts.deferStart) {
+      this.start();
     }
+  }
 
-    const controllerHooks = createControllerHooks(
-      opts,
-      capabilities,
-      pepr?.alwaysIgnore?.namespaces?.length
-        ? pepr.alwaysIgnore.namespaces
-        : config?.watch?.alwaysIgnore?.namespaces,
-    );
+  static #initializeConfig(description: string, pepr: PackageJSON["pepr"]): ModuleConfig {
+    const config: ModuleConfig = clone(pepr);
+    config.description = description;
+    return config;
+  }
 
-    this.#controller = new Controller(config, capabilities, controllerHooks);
+  static #validateConfig(config: ModuleConfig): void {
+    ValidateError(config.onError);
+  }
 
-    // Stop processing if deferStart is set to true
-    if (opts.deferStart) {
-      return;
+  static #handleBuildMode(capabilities: Capability[]): void {
+    if (!process.send) {
+      throw new Error("process.send is not defined");
     }
 
-    this.start();
+    const exportedCapabilities: CapabilityExport[] = capabilities.map(cap => ({
+      name: cap.name,
+      description: cap.description,
+      namespaces: cap.namespaces,
+      bindings: cap.bindings,
+      hasSchedule: cap.hasSchedule,
+    }));
+
+    process.send(exportedCapabilities);
   }
 
+  static #createHooks(
+    opts: PeprModuleOptions,
+    capabilities: Capability[],
+    pepr: PackageJSON["pepr"],
+    config: ModuleConfig,
+  ): ReturnType<typeof createControllerHooks> {
+    const ignored = pepr?.alwaysIgnore?.namespaces?.length
+      ? pepr.alwaysIgnore.namespaces
+      : config?.watch?.alwaysIgnore?.namespaces;
+
+    return createControllerHooks(opts, capabilities, ignored);
+  }
   /**
-   * Start the Pepr runtime manually.
-   * Normally this is called automatically when the Pepr module is instantiated, but can be called manually if `deferStart` is set to `true` in the constructor.
+   * Starts the Pepr runtime manually.
+   *
+   * Normally this is called automatically when the Pepr module is instantiated,
+   * but it can be invoked manually if `deferStart` is set to `true` in the constructor.
    *
-   * @param port
+   * @param port - The port number to start the server on (default: 3000).
    */
   start = (port = 3000): void => {
     this.#controller.startServer(port);

package/src/lib/processors/mutate-processor.ts

@@ -13,7 +13,7 @@ import { ModuleConfig } from "../types";
 import { PeprMutateRequest } from "../mutate-request";
 import { base64Encode } from "../utils";
 import { OnError } from "../../cli/init/enums";
-import { resolveIgnoreNamespaces } from "../assets/ignoredNamespaces";
+import { getIgnoreNamespaces } from "../assets/ignoredNamespaces";
 import { Operation } from "fast-json-patch";
 import { WebhookType } from "../enums";
 
@@ -149,11 +149,7 @@ export async function mutateProcessor(
         bind.binding,
         bind.req,
         bind.namespaces,
-        resolveIgnoreNamespaces(
-          bind?.config?.alwaysIgnore?.namespaces?.length
-            ? bind.config?.alwaysIgnore?.namespaces
-            : bind.config?.admission?.alwaysIgnore?.namespaces,
-        ),
+        getIgnoreNamespaces(config),
       );
       if (shouldSkip !== "") {
         Log.debug(shouldSkip);

package/src/lib/processors/validate-processor.ts

@@ -10,7 +10,7 @@ import Log from "../telemetry/logger";
 import { convertFromBase64Map } from "../utils";
 import { PeprValidateRequest } from "../validate-request";
 import { ModuleConfig } from "../types";
-import { resolveIgnoreNamespaces } from "../assets/ignoredNamespaces";
+import { getIgnoreNamespaces } from "../assets/ignoredNamespaces";
 import { MeasureWebhookTimeout } from "../telemetry/webhookTimeouts";
 import { WebhookType } from "../enums";
 import { AdmissionRequest } from "../common-types";
@@ -93,16 +93,7 @@ export async function validateProcessor(
       }
 
       // Continue to the next action without doing anything if this one should be skipped
-      const shouldSkip = shouldSkipRequest(
-        binding,
-        req,
-        namespaces,
-        resolveIgnoreNamespaces(
-          config?.alwaysIgnore?.namespaces?.length
-            ? config?.alwaysIgnore?.namespaces
-            : config?.admission?.alwaysIgnore?.namespaces,
-        ),
-      );
+      const shouldSkip = shouldSkipRequest(binding, req, namespaces, getIgnoreNamespaces(config));
       if (shouldSkip !== "") {
         Log.debug(shouldSkip);
         continue;

package/src/lib/processors/watch-processor.ts

@@ -89,7 +89,7 @@ const eventToPhaseMap = {
 export function setupWatch(capabilities: Capability[], ignoredNamespaces?: string[]): void {
   for (const capability of capabilities) {
     for (const binding of capability.bindings.filter(b => b.isWatch)) {
-      runBinding(binding, capability.namespaces, ignoredNamespaces);
+      void runBinding(binding, capability.namespaces, ignoredNamespaces);
     }
   }
 }