pepr 0.6.1 → 0.7.1

package/package.json

@@ -9,7 +9,7 @@
   "engines": {
     "node": ">=18.0.0"
   },
-  "version": "0.6.1",
+  "version": "0.7.1",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {
@@ -34,14 +34,14 @@
     "ramda": "0.29.0"
   },
   "devDependencies": {
-    "@types/eslint": "8.40.0",
+    "@types/eslint": "8.40.2",
     "@types/express": "4.17.17",
     "@types/node-fetch": "2.6.4",
     "@types/node-forge": "1.3.2",
     "@types/prettier": "2.7.3",
     "@types/prompts": "2.4.4",
     "@types/ramda": "0.29.2",
-    "@types/uuid": "9.0.1",
+    "@types/uuid": "9.0.2",
     "ava": "5.3.0",
     "nock": "13.3.1"
   },

package/src/cli.ts

@@ -12,6 +12,7 @@ import init from "./cli/init/index";
 import { version } from "./cli/init/templates";
 import { RootCmd } from "./cli/root";
 import update from "./cli/update";
+import { Log } from "./lib";
 
 const program = new RootCmd();
 
@@ -22,6 +23,10 @@ program
     if (program.args.length < 1) {
       console.log(banner);
       program.help();
+    } else {
+      Log.error(`Invalid command '${program.args.join(" ")}'\n`);
+      program.outputHelp();
+      process.exitCode = 1;
     }
   });
 

package/src/lib/capability.ts

@@ -79,6 +79,7 @@ export class Capability implements CapabilityCfg {
     const binding: Binding = {
       // If the kind is not specified, use the matched kind from the model
       kind: kind || matchedKind,
+      event: Event.Any,
       filters: {
         name: "",
         namespaces: [],

package/src/lib/controller.ts

@@ -10,12 +10,6 @@ import { processor } from "./processor";
 import { ModuleConfig } from "./types";
 import Log from "./logger";
 
-// Load SSL certificate and key
-const options = {
-  key: fs.readFileSync(process.env.SSL_KEY_PATH || "/etc/certs/tls.key"),
-  cert: fs.readFileSync(process.env.SSL_CERT_PATH || "/etc/certs/tls.crt"),
-};
-
 export class Controller {
   private readonly app = express();
   private running = false;
@@ -53,6 +47,12 @@ export class Controller {
       throw new Error("Cannot start Pepr module: Pepr module was not instantiated with deferStart=true");
     }
 
+    // Load SSL certificate and key
+    const options = {
+      key: fs.readFileSync(process.env.SSL_KEY_PATH || "/etc/certs/tls.key"),
+      cert: fs.readFileSync(process.env.SSL_CERT_PATH || "/etc/certs/tls.crt"),
+    };
+
     // Create HTTPS server
     const server = https.createServer(options, this.app).listen(port);
 
@@ -66,7 +66,9 @@ export class Controller {
     // Handle EADDRINUSE errors
     server.on("error", (e: { code: string }) => {
       if (e.code === "EADDRINUSE") {
-        console.log("Address in use, retrying...");
+        console.log(
+          `Address in use, retrying in 2 seconds. If this persists, ensure ${port} is not in use, e.g. "lsof -i :${port}"`
+        );
         setTimeout(() => {
           server.close();
           server.listen(port);

package/src/lib/filter.ts

@@ -3,7 +3,7 @@
 
 import { Request } from "./k8s/types";
 import logger from "./logger";
-import { Binding } from "./types";
+import { Binding, Event } from "./types";
 
 /**
  * shouldSkipRequest determines if a request should be skipped based on the binding filters.
@@ -18,7 +18,7 @@ export function shouldSkipRequest(binding: Binding, req: Request) {
   const { metadata } = req.object || {};
 
   // Test for matching operation
-  if (binding.event && !binding.event.includes(req.operation)) {
+  if (!binding.event.includes(req.operation) && !binding.event.includes(Event.Any)) {
     return true;
   }
 

package/src/lib/k8s/kinds.ts

@@ -25,6 +25,7 @@ export const gvkMap: Record<string, GroupVersionKind> = {
     kind: "Endpoints",
     version: "v1",
     group: "",
+    plural: "endpoints",
   },
 
   /**
@@ -386,6 +387,7 @@ export const gvkMap: Record<string, GroupVersionKind> = {
     kind: "Ingress",
     version: "v1",
     group: "networking.k8s.io",
+    plural: "ingresses",
   },
 
   /**

package/src/lib/k8s/types.ts

@@ -44,6 +44,8 @@ export interface GroupVersionKind {
   readonly kind: string;
   readonly group: string;
   readonly version?: string;
+  /** Optional, override the plural name for use in Webhook rules generation */
+  readonly plural?: string;
 }
 
 /**

package/src/lib/k8s/webhook.ts

@@ -2,8 +2,8 @@
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
 import {
-  AdmissionregistrationV1Api,
-  AdmissionregistrationV1WebhookClientConfig,
+  AdmissionregistrationV1Api as AdmissionRegV1API,
+  AdmissionregistrationV1WebhookClientConfig as AdmissionRegnV1WebhookClientCfg,
   AppsV1Api,
   CoreV1Api,
   HttpError,
@@ -17,15 +17,20 @@ import {
   V1MutatingWebhookConfiguration,
   V1Namespace,
   V1NetworkPolicy,
+  V1RuleWithOperations,
   V1Secret,
   V1Service,
   V1ServiceAccount,
   dumpYaml,
 } from "@kubernetes/client-node";
+import { fork } from "child_process";
 import crypto from "crypto";
+import { promises as fs } from "fs";
+import { equals, uniqWith } from "ramda";
 import { gzipSync } from "zlib";
+
 import Log from "../logger";
-import { ModuleConfig } from "../types";
+import { Binding, Event, HookPhase, ModuleConfig } from "../types";
 import { TLSOut, genTLS } from "./tls";
 
 const peprIgnore: V1LabelSelectorRequirement = {
@@ -132,7 +137,95 @@ export class Webhook {
     };
   }
 
-  mutatingWebhook(timeoutSeconds = 10): V1MutatingWebhookConfiguration {
+  generateWebhookRules(path: string): Promise<V1RuleWithOperations[]> {
+    return new Promise((resolve, reject) => {
+      const rules: V1RuleWithOperations[] = [];
+
+      // Add a default rule that allows all resources as a fallback
+      const defaultRule = {
+        apiGroups: ["*"],
+        apiVersions: ["*"],
+        operations: ["CREATE", "UPDATE", "DELETE"],
+        resources: ["*/*"],
+      };
+
+      // Fork is needed with the PEPR_MODE env var to ensure the module is loaded in build mode and will send back the capabilities
+      const program = fork(path, {
+        env: {
+          ...process.env,
+          LOG_LEVEL: "warn",
+          PEPR_MODE: "build",
+        },
+      });
+
+      // We are receiving javscript so the private fields are now public
+      interface ModuleCapabilities {
+        capabilities: {
+          _name: string;
+          _description: string;
+          _namespaces: string[];
+          _mutateOrValidate: HookPhase;
+          _bindings: Binding[];
+        }[];
+      }
+
+      // Wait for the module to send back the capabilities
+      program.on("message", message => {
+        // Cast the message to the ModuleCapabilities type
+        const { capabilities } = message.valueOf() as ModuleCapabilities;
+
+        for (const capability of capabilities) {
+          Log.info(`Module ${this.config.uuid} has capability: ${capability._name}`);
+
+          const { _bindings } = capability;
+
+          // Read the bindings and generate the rules
+          for (const binding of _bindings) {
+            const { event, kind } = binding;
+
+            const operations: string[] = [];
+
+            // CreateOrUpdate is a Pepr-specific event that is translated to Create and Update
+            if (event === Event.CreateOrUpdate) {
+              operations.push(Event.Create, Event.Update);
+            } else {
+              operations.push(event);
+            }
+
+            // Use the plural property if it exists, otherwise use lowercase kind + s
+            const resource = kind.plural || `${kind.kind.toLowerCase()}s`;
+
+            rules.push({
+              apiGroups: [kind.group],
+              apiVersions: [kind.version || "*"],
+              operations,
+              resources: [resource],
+            });
+          }
+        }
+      });
+
+      program.on("exit", code => {
+        if (code !== 0) {
+          reject(new Error(`Child process exited with code ${code}`));
+        } else {
+          // If there are no rules, add a catch-all
+          if (rules.length < 1) {
+            resolve([defaultRule]);
+          } else {
+            const reducedRules = uniqWith(equals, rules);
+            resolve(reducedRules);
+          }
+        }
+      });
+
+      program.on("error", error => {
+        reject(error);
+      });
+    });
+  }
+
+  async mutatingWebhook(path: string, timeoutSeconds = 10): Promise<V1MutatingWebhookConfiguration> {
     const { name } = this;
     const ignore = [peprIgnore];
 
@@ -145,7 +238,7 @@ export class Webhook {
       });
     }
 
-    const clientConfig: AdmissionregistrationV1WebhookClientConfig = {
+    const clientConfig: AdmissionRegnV1WebhookClientCfg = {
       caBundle: this._tls.ca,
     };
 
@@ -161,6 +254,8 @@ export class Webhook {
       };
     }
 
+    const rules = await this.generateWebhookRules(path);
+
     return {
       apiVersion: "admissionregistration.k8s.io/v1",
       kind: "MutatingWebhookConfiguration",
@@ -179,15 +274,7 @@ export class Webhook {
           objectSelector: {
             matchExpressions: ignore,
           },
-          // @todo: make this configurable
-          rules: [
-            {
-              apiGroups: ["*"],
-              apiVersions: ["*"],
-              operations: ["CREATE", "UPDATE", "DELETE"],
-              resources: ["*/*"],
-            },
-          ],
+          rules,
           // @todo: track side effects state
           sideEffects: "None",
         },
@@ -390,10 +477,14 @@ export class Webhook {
     return dumpYaml(zarfCfg, { noRefs: true });
   }
 
-  allYaml(code: Buffer) {
+  async allYaml(path: string) {
+    const code = await fs.readFile(path);
+
     // Generate a hash of the code
     const hash = crypto.createHash("sha256").update(code).digest("hex");
 
+    const webhook = await this.mutatingWebhook(path);
+
     const resources = [
       this.namespace(),
       this.networkPolicy(),
@@ -401,7 +492,7 @@ export class Webhook {
       this.clusterRoleBinding(),
       this.serviceAccount(),
       this.tlsSecret(),
-      this.mutatingWebhook(),
+      webhook,
       this.deployment(hash),
       this.service(),
       this.moduleSecret(code, hash),
@@ -411,7 +502,7 @@ export class Webhook {
     return resources.map(r => dumpYaml(r, { noRefs: true })).join("---\n");
   }
 
-  async deploy(code?: Buffer, webhookTimeout?: number) {
+  async deploy(path: string, webhookTimeout?: number) {
     Log.info("Establishing connection to Kubernetes");
 
     const namespace = "pepr-system";
@@ -421,10 +512,7 @@ export class Webhook {
     kubeConfig.loadFromDefault();
 
     const coreV1Api = kubeConfig.makeApiClient(CoreV1Api);
-    const rbacApi = kubeConfig.makeApiClient(RbacAuthorizationV1Api);
-    const appsApi = kubeConfig.makeApiClient(AppsV1Api);
-    const admissionApi = kubeConfig.makeApiClient(AdmissionregistrationV1Api);
-    const networkApi = kubeConfig.makeApiClient(NetworkingV1Api);
+    const admissionApi = kubeConfig.makeApiClient(AdmissionRegV1API);
 
     const ns = this.namespace();
     try {
@@ -436,7 +524,7 @@ export class Webhook {
       await coreV1Api.createNamespace(ns);
     }
 
-    const wh = this.mutatingWebhook(webhookTimeout);
+    const wh = await this.mutatingWebhook(path, webhookTimeout);
     try {
       Log.info("Creating mutating webhook");
       await admissionApi.createMutatingWebhookConfiguration(wh);
@@ -452,20 +540,26 @@ export class Webhook {
       return;
     }
 
-    if (!code) {
+    if (!path) {
       throw new Error("No code provided");
     }
 
+    const code = await fs.readFile(path);
+
     const hash = crypto.createHash("sha256").update(code).digest("hex");
 
-    const netpol = this.networkPolicy();
+    const appsApi = kubeConfig.makeApiClient(AppsV1Api);
+    const rbacApi = kubeConfig.makeApiClient(RbacAuthorizationV1Api);
+    const networkApi = kubeConfig.makeApiClient(NetworkingV1Api);
+
+    const networkPolicy = this.networkPolicy();
     try {
       Log.info("Checking for network policy");
-      await networkApi.readNamespacedNetworkPolicy(netpol.metadata?.name ?? "", namespace);
+      await networkApi.readNamespacedNetworkPolicy(networkPolicy.metadata?.name ?? "", namespace);
     } catch (e) {
       Log.debug(e instanceof HttpError ? e.body : e);
       Log.info("Creating network policy");
-      await networkApi.createNamespacedNetworkPolicy(namespace, netpol);
+      await networkApi.createNamespacedNetworkPolicy(namespace, networkPolicy);
     }
 
     const crb = this.clusterRoleBinding();

package/src/lib/module.ts

@@ -29,7 +29,7 @@ export type PeprModuleOptions = {
 };
 
 export class PeprModule {
-  private _controller: Controller;
+  private _controller!: Controller;
 
   /**
    * Create a new Pepr runtime
@@ -42,6 +42,12 @@ export class PeprModule {
     const config: ModuleConfig = mergeDeepWith(concat, pepr, alwaysIgnore);
     config.description = description;
 
+    // Handle build mode
+    if (process.env.PEPR_MODE === "build") {
+      process.send?.({ capabilities });
+      return;
+    }
+
     this._controller = new Controller(config, capabilities, opts.beforeHook, opts.afterHook);
 
     // Stop processing if deferStart is set to true

package/src/lib/types.ts

@@ -44,6 +44,7 @@ export enum Event {
   Update = "UPDATE",
   Delete = "DELETE",
   CreateOrUpdate = "CREATEORUPDATE",
+  Any = "*",
 }
 
 export interface CapabilityCfg {
@@ -123,7 +124,7 @@ export type WhenSelector<T extends GenericClass> = {
 };
 
 export type Binding = {
-  event?: Event;
+  event: Event;
   readonly kind: GroupVersionKind;
   readonly filters: {
     name: string;