pepr 0.6.0 → 0.7.0

package/src/lib/k8s/webhook.ts

@@ -2,8 +2,8 @@
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
 import {
-  AdmissionregistrationV1Api,
-  AdmissionregistrationV1WebhookClientConfig,
+  AdmissionregistrationV1Api as AdmissionRegV1API,
+  AdmissionregistrationV1WebhookClientConfig as AdmissionRegnV1WebhookClientCfg,
   AppsV1Api,
   CoreV1Api,
   HttpError,
@@ -17,15 +17,20 @@ import {
   V1MutatingWebhookConfiguration,
   V1Namespace,
   V1NetworkPolicy,
+  V1RuleWithOperations,
   V1Secret,
   V1Service,
   V1ServiceAccount,
   dumpYaml,
 } from "@kubernetes/client-node";
+import { fork } from "child_process";
 import crypto from "crypto";
+import { promises as fs } from "fs";
+import { equals, uniqWith } from "ramda";
 import { gzipSync } from "zlib";
+
 import Log from "../logger";
-import { ModuleConfig } from "../types";
+import { Binding, Event, HookPhase, ModuleConfig } from "../types";
 import { TLSOut, genTLS } from "./tls";
 
 const peprIgnore: V1LabelSelectorRequirement = {
@@ -132,7 +137,95 @@ export class Webhook {
     };
   }
 
-  mutatingWebhook(timeoutSeconds = 10): V1MutatingWebhookConfiguration {
+  generateWebhookRules(path: string): Promise<V1RuleWithOperations[]> {
+    return new Promise((resolve, reject) => {
+      const rules: V1RuleWithOperations[] = [];
+
+      // Add a default rule that allows all resources as a fallback
+      const defaultRule = {
+        apiGroups: ["*"],
+        apiVersions: ["*"],
+        operations: ["CREATE", "UPDATE", "DELETE"],
+        resources: ["*/*"],
+      };
+
+      // Fork is needed with the PEPR_MODE env var to ensure the module is loaded in build mode and will send back the capabilities
+      const program = fork(path, {
+        env: {
+          ...process.env,
+          LOG_LEVEL: "warn",
+          PEPR_MODE: "build",
+        },
+      });
+
+      // We are receiving javscript so the private fields are now public
+      interface ModuleCapabilities {
+        capabilities: {
+          _name: string;
+          _description: string;
+          _namespaces: string[];
+          _mutateOrValidate: HookPhase;
+          _bindings: Binding[];
+        }[];
+      }
+
+      // Wait for the module to send back the capabilities
+      program.on("message", message => {
+        // Cast the message to the ModuleCapabilities type
+        const { capabilities } = message.valueOf() as ModuleCapabilities;
+
+        for (const capability of capabilities) {
+          Log.info(`Module ${this.config.uuid} has capability: ${capability._name}`);
+
+          const { _bindings } = capability;
+
+          // Read the bindings and generate the rules
+          for (const binding of _bindings) {
+            const { event, kind } = binding;
+
+            const operations: string[] = [];
+
+            // CreateOrUpdate is a Pepr-specific event that is translated to Create and Update
+            if (event === Event.CreateOrUpdate) {
+              operations.push(Event.Create, Event.Update);
+            } else {
+              operations.push(event);
+            }
+
+            // Use the plural property if it exists, otherwise use lowercase kind + s
+            const resource = kind.plural || `${kind.kind.toLowerCase()}s`;
+
+            rules.push({
+              apiGroups: [kind.group],
+              apiVersions: [kind.version || "*"],
+              operations,
+              resources: [resource],
+            });
+          }
+        }
+      });
+
+      program.on("exit", code => {
+        if (code !== 0) {
+          reject(new Error(`Child process exited with code ${code}`));
+        } else {
+          // If there are no rules, add a catch-all
+          if (rules.length < 1) {
+            resolve([defaultRule]);
+          } else {
+            const reducedRules = uniqWith(equals, rules);
+            resolve(reducedRules);
+          }
+        }
+      });
+
+      program.on("error", error => {
+        reject(error);
+      });
+    });
+  }
+
+  async mutatingWebhook(path: string, timeoutSeconds = 10): Promise<V1MutatingWebhookConfiguration> {
     const { name } = this;
     const ignore = [peprIgnore];
 
@@ -145,7 +238,7 @@ export class Webhook {
       });
     }
 
-    const clientConfig: AdmissionregistrationV1WebhookClientConfig = {
+    const clientConfig: AdmissionRegnV1WebhookClientCfg = {
       caBundle: this._tls.ca,
     };
 
@@ -161,6 +254,8 @@ export class Webhook {
       };
     }
 
+    const rules = await this.generateWebhookRules(path);
+
     return {
       apiVersion: "admissionregistration.k8s.io/v1",
       kind: "MutatingWebhookConfiguration",
@@ -179,15 +274,7 @@ export class Webhook {
           objectSelector: {
             matchExpressions: ignore,
           },
-          // @todo: make this configurable
-          rules: [
-            {
-              apiGroups: ["*"],
-              apiVersions: ["*"],
-              operations: ["CREATE", "UPDATE", "DELETE"],
-              resources: ["*/*"],
-            },
-          ],
+          rules,
           // @todo: track side effects state
           sideEffects: "None",
         },
@@ -390,10 +477,14 @@ export class Webhook {
     return dumpYaml(zarfCfg, { noRefs: true });
   }
 
-  allYaml(code: Buffer) {
+  async allYaml(path: string) {
+    const code = await fs.readFile(path);
+
     // Generate a hash of the code
     const hash = crypto.createHash("sha256").update(code).digest("hex");
 
+    const webhook = await this.mutatingWebhook(path);
+
     const resources = [
       this.namespace(),
       this.networkPolicy(),
@@ -401,7 +492,7 @@ export class Webhook {
       this.clusterRoleBinding(),
       this.serviceAccount(),
       this.tlsSecret(),
-      this.mutatingWebhook(),
+      webhook,
       this.deployment(hash),
       this.service(),
       this.moduleSecret(code, hash),
@@ -411,7 +502,7 @@ export class Webhook {
     return resources.map(r => dumpYaml(r, { noRefs: true })).join("---\n");
   }
 
-  async deploy(code?: Buffer, webhookTimeout?: number) {
+  async deploy(path: string, webhookTimeout?: number) {
     Log.info("Establishing connection to Kubernetes");
 
     const namespace = "pepr-system";
@@ -421,10 +512,7 @@ export class Webhook {
     kubeConfig.loadFromDefault();
 
     const coreV1Api = kubeConfig.makeApiClient(CoreV1Api);
-    const rbacApi = kubeConfig.makeApiClient(RbacAuthorizationV1Api);
-    const appsApi = kubeConfig.makeApiClient(AppsV1Api);
-    const admissionApi = kubeConfig.makeApiClient(AdmissionregistrationV1Api);
-    const networkApi = kubeConfig.makeApiClient(NetworkingV1Api);
+    const admissionApi = kubeConfig.makeApiClient(AdmissionRegV1API);
 
     const ns = this.namespace();
     try {
@@ -436,7 +524,7 @@ export class Webhook {
       await coreV1Api.createNamespace(ns);
     }
 
-    const wh = this.mutatingWebhook(webhookTimeout);
+    const wh = await this.mutatingWebhook(path, webhookTimeout);
     try {
       Log.info("Creating mutating webhook");
       await admissionApi.createMutatingWebhookConfiguration(wh);
@@ -452,20 +540,26 @@ export class Webhook {
       return;
     }
 
-    if (!code) {
+    if (!path) {
       throw new Error("No code provided");
     }
 
+    const code = await fs.readFile(path);
+
     const hash = crypto.createHash("sha256").update(code).digest("hex");
 
-    const netpol = this.networkPolicy();
+    const appsApi = kubeConfig.makeApiClient(AppsV1Api);
+    const rbacApi = kubeConfig.makeApiClient(RbacAuthorizationV1Api);
+    const networkApi = kubeConfig.makeApiClient(NetworkingV1Api);
+
+    const networkPolicy = this.networkPolicy();
     try {
       Log.info("Checking for network policy");
-      await networkApi.readNamespacedNetworkPolicy(netpol.metadata?.name ?? "", namespace);
+      await networkApi.readNamespacedNetworkPolicy(networkPolicy.metadata?.name ?? "", namespace);
     } catch (e) {
       Log.debug(e instanceof HttpError ? e.body : e);
       Log.info("Creating network policy");
-      await networkApi.createNamespacedNetworkPolicy(namespace, netpol);
+      await networkApi.createNamespacedNetworkPolicy(namespace, networkPolicy);
     }
 
     const crb = this.clusterRoleBinding();

package/src/lib/module.ts

@@ -29,7 +29,7 @@ export type PeprModuleOptions = {
 };
 
 export class PeprModule {
-  private _controller: Controller;
+  private _controller!: Controller;
 
   /**
    * Create a new Pepr runtime
@@ -42,6 +42,12 @@ export class PeprModule {
     const config: ModuleConfig = mergeDeepWith(concat, pepr, alwaysIgnore);
     config.description = description;
 
+    // Handle build mode
+    if (process.env.PEPR_MODE === "build") {
+      process.send?.({ capabilities });
+      return;
+    }
+
     this._controller = new Controller(config, capabilities, opts.beforeHook, opts.afterHook);
 
     // Stop processing if deferStart is set to true

package/src/lib/processor.ts

@@ -7,11 +7,17 @@ import { Capability } from "./capability";
 import { shouldSkipRequest } from "./filter";
 import { Request, Response } from "./k8s/types";
 import { Secret } from "./k8s/upstream";
-import logger from "./logger";
-import { PeprRequest, convertToBase64Map } from "./request";
+import Log from "./logger";
+import { PeprRequest } from "./request";
 import { ModuleConfig } from "./types";
-
-export async function processor(config: ModuleConfig, capabilities: Capability[], req: Request): Promise<Response> {
+import { convertFromBase64Map, convertToBase64Map } from "./utils";
+
+export async function processor(
+  config: ModuleConfig,
+  capabilities: Capability[],
+  req: Request,
+  parentPrefix: string
+): Promise<Response> {
   const wrapped = new PeprRequest(req);
   const response: Response = {
     uid: req.uid,
@@ -19,11 +25,22 @@ export async function processor(config: ModuleConfig, capabilities: Capability[]
     allowed: false,
   };
 
-  logger.info(`Processing '${req.uid}' for '${req.kind.kind}' '${req.name}'`);
+  // Track whether any capability matched the request
+  let matchedCapabilityAction = false;
+
+  // Track data fields that should be skipped during decoding
+  let skipDecode: string[] = [];
+
+  // If the resource is a secret, decode the data
+  const isSecret = req.kind.version == "v1" && req.kind.kind == "Secret";
+  if (isSecret) {
+    skipDecode = convertFromBase64Map(wrapped.Raw as unknown as Secret);
+  }
+
+  Log.info(`Processing request`, parentPrefix);
 
   for (const { name, bindings } of capabilities) {
-    const prefix = `${req.uid} ${req.name}: ${name}`;
-    logger.info(`Processing capability ${name}`, prefix);
+    const prefix = `${parentPrefix} ${name}:`;
 
     for (const action of bindings) {
       // Continue to the next action without doing anything if this one should be skipped
@@ -31,7 +48,10 @@ export async function processor(config: ModuleConfig, capabilities: Capability[]
         continue;
       }
 
-      logger.info(`Processing matched action ${action.kind.kind}`, prefix);
+      const label = action.callback.name;
+      Log.info(`Processing matched action ${label}`, prefix);
+
+      matchedCapabilityAction = true;
 
       // Add annotations to the request to indicate that the capability started processing
       // this will allow tracking of failed mutations that were permitted to continue
@@ -53,7 +73,7 @@ export async function processor(config: ModuleConfig, capabilities: Capability[]
         // Run the action
         await action.callback(wrapped);
 
-        logger.info(`Action succeeded`, prefix);
+        Log.info(`Action succeeded`, prefix);
 
         // Add annotations to the request to indicate that the capability succeeded
         updateStatus("succeeded");
@@ -64,11 +84,11 @@ export async function processor(config: ModuleConfig, capabilities: Capability[]
 
         // If errors are not allowed, note the failure in the Response
         if (config.onError) {
-          logger.error(`Action failed: ${e}`, prefix);
+          Log.error(`Action failed: ${e}`, prefix);
           response.result = "Pepr module configured to reject on error";
           return response;
         } else {
-          logger.warn(`Action failed: ${e}`, prefix);
+          Log.warn(`Action failed: ${e}`, prefix);
           updateStatus("warning");
         }
       }
@@ -78,11 +98,17 @@ export async function processor(config: ModuleConfig, capabilities: Capability[]
   // If we've made it this far, the request is allowed
   response.allowed = true;
 
+  // If no capability matched the request, exit early
+  if (!matchedCapabilityAction) {
+    Log.info(`No matching capability action found`, parentPrefix);
+    return response;
+  }
+
   const transformed = wrapped.Raw;
 
   // Post-process the Secret requests to convert it back to the original format
-  if (req.kind.version == "v1" && req.kind.kind == "Secret") {
-    convertToBase64Map(transformed as unknown as Secret);
+  if (isSecret) {
+    convertToBase64Map(transformed as unknown as Secret, skipDecode);
   }
 
   // Compare the original request to the modified request to get the patches
@@ -101,7 +127,7 @@ export async function processor(config: ModuleConfig, capabilities: Capability[]
     delete response.warnings;
   }
 
-  logger.debug(patches);
+  Log.debug(patches, parentPrefix);
 
   return response;
 }

package/src/lib/request.ts

@@ -4,7 +4,6 @@
 import { clone, mergeDeepRight } from "ramda";
 
 import { KubernetesObject, Request } from "./k8s/types";
-import { Secret } from "./k8s/upstream";
 import { DeepPartial } from "./types";
 
 /**
@@ -49,11 +48,6 @@ export class PeprRequest<T extends KubernetesObject> {
   constructor(private _input: Request<T>) {
     // Deep clone the object to prevent mutation of the original object
     this.Raw = clone(_input.object);
-
-    // If the resource is a secret, decode the data
-    if (_input.kind.version == "v1" && _input.kind.kind == "Secret") {
-      convertFromBase64Map(this.Raw as unknown as Secret);
-    }
   }
 
   /**
@@ -141,17 +135,3 @@ export class PeprRequest<T extends KubernetesObject> {
     return this.Raw?.metadata?.annotations?.[key] !== undefined;
   }
 }
-
-export function convertToBase64Map(obj: { data?: Record<string, string> }) {
-  obj.data = obj.data ?? {};
-  for (const key in obj.data) {
-    obj.data[key] = Buffer.from(obj.data[key]).toString("base64");
-  }
-}
-
-export function convertFromBase64Map(obj: { data?: Record<string, string> }) {
-  obj.data = obj.data ?? {};
-  for (const key in obj.data) {
-    obj.data[key] = Buffer.from(obj.data[key], "base64").toString("utf-8");
-  }
-}

package/src/lib/types.ts

@@ -44,6 +44,7 @@ export enum Event {
   Update = "UPDATE",
   Delete = "DELETE",
   CreateOrUpdate = "CREATEORUPDATE",
+  Any = "*",
 }
 
 export interface CapabilityCfg {
@@ -123,7 +124,7 @@ export type WhenSelector<T extends GenericClass> = {
 };
 
 export type Binding = {
-  event?: Event;
+  event: Event;
   readonly kind: GroupVersionKind;
   readonly filters: {
     name: string;

package/src/lib/utils.ts

@@ -0,0 +1,55 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import Log from "./logger";
+
+/** Test if a string is ascii or not */
+export const isAscii = /^[\s\x20-\x7E]*$/;
+
+/**
+ * Encode all ascii values in a map to base64
+ * @param obj The object to encode
+ * @param skip A list of keys to skip encoding
+ */
+export function convertToBase64Map(obj: { data?: Record<string, string> }, skip: string[]) {
+  obj.data = obj.data ?? {};
+  for (const key in obj.data) {
+    const value = obj.data[key];
+    // Only encode ascii values
+    obj.data[key] = skip.includes(key) ? value : base64Encode(value);
+  }
+}
+
+/**
+ * Decode all ascii values in a map from base64 to utf-8
+ * @param obj The object to decode
+ * @returns A list of keys that were skipped
+ */
+export function convertFromBase64Map(obj: { data?: Record<string, string> }) {
+  const skip: string[] = [];
+
+  obj.data = obj.data ?? {};
+  for (const key in obj.data) {
+    const decoded = base64Decode(obj.data[key]);
+    if (isAscii.test(decoded)) {
+      // Only decode ascii values
+      obj.data[key] = decoded;
+    } else {
+      skip.push(key);
+    }
+  }
+
+  Log.debug(`Non-ascii data detected in keys: ${skip}, skipping automatic base64 decoding`);
+
+  return skip;
+}
+
+/** Decode a base64 string */
+export function base64Decode(data: string) {
+  return Buffer.from(data, "base64").toString("utf-8");
+}
+
+/** Encode a string to base64 */
+export function base64Encode(data: string) {
+  return Buffer.from(data).toString("base64");
+}

package/src/lib.ts

@@ -7,6 +7,7 @@ import { RegisterKind, a } from "./lib/k8s/index";
 import Log from "./lib/logger";
 import { PeprModule } from "./lib/module";
 import { PeprRequest } from "./lib/request";
+import * as PeprUtils from "./lib/utils";
 
 // Import type information for external packages
 import type * as KubernetesClientNode from "@kubernetes/client-node";
@@ -17,6 +18,7 @@ export {
   /** PeprModule is used to setup a complete Pepr Module: `new PeprModule(cfg, {...capabilities})` */
   PeprModule,
   PeprRequest,
+  PeprUtils,
   RegisterKind,
   Capability,
   Log,