pepr 0.6.1 → 0.7.0

package/src/lib/k8s/webhook.ts

@@ -2,8 +2,8 @@
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
 import {
-  AdmissionregistrationV1Api,
-  AdmissionregistrationV1WebhookClientConfig,
+  AdmissionregistrationV1Api as AdmissionRegV1API,
+  AdmissionregistrationV1WebhookClientConfig as AdmissionRegnV1WebhookClientCfg,
   AppsV1Api,
   CoreV1Api,
   HttpError,
@@ -17,15 +17,20 @@ import {
   V1MutatingWebhookConfiguration,
   V1Namespace,
   V1NetworkPolicy,
+  V1RuleWithOperations,
   V1Secret,
   V1Service,
   V1ServiceAccount,
   dumpYaml,
 } from "@kubernetes/client-node";
+import { fork } from "child_process";
 import crypto from "crypto";
+import { promises as fs } from "fs";
+import { equals, uniqWith } from "ramda";
 import { gzipSync } from "zlib";
+
 import Log from "../logger";
-import { ModuleConfig } from "../types";
+import { Binding, Event, HookPhase, ModuleConfig } from "../types";
 import { TLSOut, genTLS } from "./tls";
 
 const peprIgnore: V1LabelSelectorRequirement = {
@@ -132,7 +137,95 @@ export class Webhook {
     };
   }
 
-  mutatingWebhook(timeoutSeconds = 10): V1MutatingWebhookConfiguration {
+  generateWebhookRules(path: string): Promise<V1RuleWithOperations[]> {
+    return new Promise((resolve, reject) => {
+      const rules: V1RuleWithOperations[] = [];
+
+      // Add a default rule that allows all resources as a fallback
+      const defaultRule = {
+        apiGroups: ["*"],
+        apiVersions: ["*"],
+        operations: ["CREATE", "UPDATE", "DELETE"],
+        resources: ["*/*"],
+      };
+
+      // Fork is needed with the PEPR_MODE env var to ensure the module is loaded in build mode and will send back the capabilities
+      const program = fork(path, {
+        env: {
+          ...process.env,
+          LOG_LEVEL: "warn",
+          PEPR_MODE: "build",
+        },
+      });
+
+      // We are receiving javscript so the private fields are now public
+      interface ModuleCapabilities {
+        capabilities: {
+          _name: string;
+          _description: string;
+          _namespaces: string[];
+          _mutateOrValidate: HookPhase;
+          _bindings: Binding[];
+        }[];
+      }
+
+      // Wait for the module to send back the capabilities
+      program.on("message", message => {
+        // Cast the message to the ModuleCapabilities type
+        const { capabilities } = message.valueOf() as ModuleCapabilities;
+
+        for (const capability of capabilities) {
+          Log.info(`Module ${this.config.uuid} has capability: ${capability._name}`);
+
+          const { _bindings } = capability;
+
+          // Read the bindings and generate the rules
+          for (const binding of _bindings) {
+            const { event, kind } = binding;
+
+            const operations: string[] = [];
+
+            // CreateOrUpdate is a Pepr-specific event that is translated to Create and Update
+            if (event === Event.CreateOrUpdate) {
+              operations.push(Event.Create, Event.Update);
+            } else {
+              operations.push(event);
+            }
+
+            // Use the plural property if it exists, otherwise use lowercase kind + s
+            const resource = kind.plural || `${kind.kind.toLowerCase()}s`;
+
+            rules.push({
+              apiGroups: [kind.group],
+              apiVersions: [kind.version || "*"],
+              operations,
+              resources: [resource],
+            });
+          }
+        }
+      });
+
+      program.on("exit", code => {
+        if (code !== 0) {
+          reject(new Error(`Child process exited with code ${code}`));
+        } else {
+          // If there are no rules, add a catch-all
+          if (rules.length < 1) {
+            resolve([defaultRule]);
+          } else {
+            const reducedRules = uniqWith(equals, rules);
+            resolve(reducedRules);
+          }
+        }
+      });
+
+      program.on("error", error => {
+        reject(error);
+      });
+    });
+  }
+
+  async mutatingWebhook(path: string, timeoutSeconds = 10): Promise<V1MutatingWebhookConfiguration> {
     const { name } = this;
     const ignore = [peprIgnore];
 
@@ -145,7 +238,7 @@ export class Webhook {
       });
     }
 
-    const clientConfig: AdmissionregistrationV1WebhookClientConfig = {
+    const clientConfig: AdmissionRegnV1WebhookClientCfg = {
       caBundle: this._tls.ca,
     };
 
@@ -161,6 +254,8 @@ export class Webhook {
       };
     }
 
+    const rules = await this.generateWebhookRules(path);
+
     return {
       apiVersion: "admissionregistration.k8s.io/v1",
       kind: "MutatingWebhookConfiguration",
@@ -179,15 +274,7 @@ export class Webhook {
           objectSelector: {
             matchExpressions: ignore,
           },
-          // @todo: make this configurable
-          rules: [
-            {
-              apiGroups: ["*"],
-              apiVersions: ["*"],
-              operations: ["CREATE", "UPDATE", "DELETE"],
-              resources: ["*/*"],
-            },
-          ],
+          rules,
           // @todo: track side effects state
           sideEffects: "None",
         },
@@ -390,10 +477,14 @@ export class Webhook {
     return dumpYaml(zarfCfg, { noRefs: true });
   }
 
-  allYaml(code: Buffer) {
+  async allYaml(path: string) {
+    const code = await fs.readFile(path);
+
     // Generate a hash of the code
     const hash = crypto.createHash("sha256").update(code).digest("hex");
 
+    const webhook = await this.mutatingWebhook(path);
+
     const resources = [
       this.namespace(),
       this.networkPolicy(),
@@ -401,7 +492,7 @@ export class Webhook {
       this.clusterRoleBinding(),
       this.serviceAccount(),
       this.tlsSecret(),
-      this.mutatingWebhook(),
+      webhook,
       this.deployment(hash),
       this.service(),
       this.moduleSecret(code, hash),
@@ -411,7 +502,7 @@ export class Webhook {
     return resources.map(r => dumpYaml(r, { noRefs: true })).join("---\n");
   }
 
-  async deploy(code?: Buffer, webhookTimeout?: number) {
+  async deploy(path: string, webhookTimeout?: number) {
     Log.info("Establishing connection to Kubernetes");
 
     const namespace = "pepr-system";
@@ -421,10 +512,7 @@ export class Webhook {
     kubeConfig.loadFromDefault();
 
     const coreV1Api = kubeConfig.makeApiClient(CoreV1Api);
-    const rbacApi = kubeConfig.makeApiClient(RbacAuthorizationV1Api);
-    const appsApi = kubeConfig.makeApiClient(AppsV1Api);
-    const admissionApi = kubeConfig.makeApiClient(AdmissionregistrationV1Api);
-    const networkApi = kubeConfig.makeApiClient(NetworkingV1Api);
+    const admissionApi = kubeConfig.makeApiClient(AdmissionRegV1API);
 
     const ns = this.namespace();
     try {
@@ -436,7 +524,7 @@ export class Webhook {
       await coreV1Api.createNamespace(ns);
     }
 
-    const wh = this.mutatingWebhook(webhookTimeout);
+    const wh = await this.mutatingWebhook(path, webhookTimeout);
     try {
       Log.info("Creating mutating webhook");
       await admissionApi.createMutatingWebhookConfiguration(wh);
@@ -452,20 +540,26 @@ export class Webhook {
       return;
     }
 
-    if (!code) {
+    if (!path) {
       throw new Error("No code provided");
     }
 
+    const code = await fs.readFile(path);
+
     const hash = crypto.createHash("sha256").update(code).digest("hex");
 
-    const netpol = this.networkPolicy();
+    const appsApi = kubeConfig.makeApiClient(AppsV1Api);
+    const rbacApi = kubeConfig.makeApiClient(RbacAuthorizationV1Api);
+    const networkApi = kubeConfig.makeApiClient(NetworkingV1Api);
+
+    const networkPolicy = this.networkPolicy();
     try {
       Log.info("Checking for network policy");
-      await networkApi.readNamespacedNetworkPolicy(netpol.metadata?.name ?? "", namespace);
+      await networkApi.readNamespacedNetworkPolicy(networkPolicy.metadata?.name ?? "", namespace);
     } catch (e) {
       Log.debug(e instanceof HttpError ? e.body : e);
       Log.info("Creating network policy");
-      await networkApi.createNamespacedNetworkPolicy(namespace, netpol);
+      await networkApi.createNamespacedNetworkPolicy(namespace, networkPolicy);
     }
 
     const crb = this.clusterRoleBinding();

package/src/lib/module.ts

@@ -29,7 +29,7 @@ export type PeprModuleOptions = {
 };
 
 export class PeprModule {
-  private _controller: Controller;
+  private _controller!: Controller;
 
   /**
    * Create a new Pepr runtime
@@ -42,6 +42,12 @@ export class PeprModule {
     const config: ModuleConfig = mergeDeepWith(concat, pepr, alwaysIgnore);
     config.description = description;
 
+    // Handle build mode
+    if (process.env.PEPR_MODE === "build") {
+      process.send?.({ capabilities });
+      return;
+    }
+
     this._controller = new Controller(config, capabilities, opts.beforeHook, opts.afterHook);
 
     // Stop processing if deferStart is set to true

package/src/lib/types.ts

@@ -44,6 +44,7 @@ export enum Event {
   Update = "UPDATE",
   Delete = "DELETE",
   CreateOrUpdate = "CREATEORUPDATE",
+  Any = "*",
 }
 
 export interface CapabilityCfg {
@@ -123,7 +124,7 @@ export type WhenSelector<T extends GenericClass> = {
 };
 
 export type Binding = {
-  event?: Event;
+  event: Event;
   readonly kind: GroupVersionKind;
   readonly filters: {
     name: string;