Merge branch 'main' into 1147

defenseunicorns · Sep 20, 2024 · f829a66 · f829a66
2 parents 74bca7f + 8dd111e
commit f829a66
Show file tree

Hide file tree

Showing 22 changed files with 570 additions and 27 deletions.
diff --git a/.github/workflows/cli-tests.yml b/.github/workflows/cli-tests.yml
@@ -27,7 +27,7 @@ jobs:
         run: echo "PEPR=${GITHUB_WORKSPACE}/pepr" >> "$GITHUB_ENV"
 
       - name: setup node
-        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
         with:
           node-version: 20
           cache-dependency-path: pepr

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -40,17 +40,17 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
+        uses: github/codeql-action/init@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
         with:
           languages: ${{ matrix.language }}
 
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
+        uses: github/codeql-action/autobuild@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
+        uses: github/codeql-action/analyze@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
         with:
           category: "/language:${{matrix.language}}"
 
diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
@@ -19,7 +19,7 @@ jobs:
           fetch-depth: 0
 
       - name: Setup Node.js
-        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
 
       - name: Install commitlint
         run: npm install --save-dev @commitlint/{config-conventional,cli}

diff --git a/.github/workflows/node.js.yml b/.github/workflows/node.js.yml
@@ -15,7 +15,7 @@ jobs:
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Use Node.js latest
-        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
         with:
           node-version: latest
           cache: "npm"
@@ -30,7 +30,7 @@ jobs:
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
         with:
           node-version: ${{ matrix.node-version }}
           cache: "npm"
@@ -46,7 +46,7 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Use Node.js latest
-        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
         with:
           node-version: latest
           cache: "npm"

diff --git a/.github/workflows/pepr-excellent-examples.yml b/.github/workflows/pepr-excellent-examples.yml
@@ -30,7 +30,7 @@ jobs:
         run: echo "PEPR=${GITHUB_WORKSPACE}/pepr" >> "$GITHUB_ENV"
 
       - name: setup node
-        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
         with:
           node-version: 20
           cache: "npm"
@@ -91,7 +91,7 @@ jobs:
         run: echo "PEXEX=${GITHUB_WORKSPACE}/pepr-excellent-examples" >> "$GITHUB_ENV"
 
       - name: setup node
-        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
         with:
           node-version: 20
           cache: "npm"
@@ -146,7 +146,7 @@ jobs:
         run: echo "PEXEX=${GITHUB_WORKSPACE}/pepr-excellent-examples" >> "$GITHUB_ENV"
 
       - name: setup node
-        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
         with:
           node-version: 20
           cache: "npm"

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -27,7 +27,7 @@ jobs:
       - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
 
       - name: Use Node.js 20
-        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
         with:
           node-version: 20
           registry-url: "https://registry.npmjs.org"
@@ -67,7 +67,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Set up Node registry authentication
-        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
         with:
           node-version: 20
           registry-url: "https://registry.npmjs.org"

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -60,6 +60,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@8214744c546c1e5c8f03dde8fab3a7353211988d # v2.2.4
+        uses: github/codeql-action/upload-sarif@294a9d92911152fe08befb9ec03e240add280cb3 # v2.2.4
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/soak.yaml b/.github/workflows/soak.yaml
@@ -69,7 +69,7 @@ jobs:
         run: echo "PEPR=${GITHUB_WORKSPACE}/pepr" >> "$GITHUB_ENV"
 
       - name: setup node
-        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
         with:
           node-version: 20
           cache: "npm"

diff --git a/.github/workflows/uds.yml b/.github/workflows/uds.yml
@@ -0,0 +1,122 @@
+name: UDS - Smoke Test
+
+permissions: read-all
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 4 * * *' # 12AM EST/9PM PST
+
+jobs:
+  pepr-build:
+    name: pepr build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
+      - name: clone pepr
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          repository: defenseunicorns/pepr
+          path: pepr
+
+      - name: "set env: PEPR"
+        run: echo "PEPR=${GITHUB_WORKSPACE}/pepr" >> "$GITHUB_ENV"
+
+      - name: setup node
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
+        with:
+          node-version: 20
+          cache: "npm"
+          cache-dependency-path: pepr
+
+      - name: install pepr deps
+        run: |
+          cd "$PEPR"
+          npm ci
+
+      - name: build pepr image
+        run: |
+          cd "$PEPR"
+          npm run build:image
+
+      - name: tar pepr image
+        run: |
+          PEPR_TAR="${GITHUB_WORKSPACE}/pepr-img.tar"
+          echo "PEPR_TAR=${PEPR_TAR}" >> "$GITHUB_ENV"
+          docker image save --output "$PEPR_TAR" pepr:dev
+
+      - name: upload image tar artifact
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        with:
+          name: pepr-img.tar
+          path: pepr-img.tar
+          retention-days: 1
+
+  uds-run:
+    name: uds run
+    runs-on: ubuntu-latest
+    needs:
+      - pepr-build
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
+      - name: "install k3d"
+        run: "curl -s https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | bash"
+        shell: bash
+
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          repository: defenseunicorns/uds-core
+          path: uds-core
+
+      - name: "set env: UDS_CORE"
+        run: echo "UDS_CORE=${GITHUB_WORKSPACE}/uds-core" >> "$GITHUB_ENV"
+
+      - name: setup node
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
+        with:
+          node-version: 20
+          cache: "npm"
+          cache-dependency-path: uds-core
+
+      - name: install uds cli
+        run: |
+          LATEST_URL="https://api.github.com/repos/defenseunicorns/uds-cli/releases/latest"
+          REMOTE_URL=$(
+            curl --silent "$LATEST_URL" \
+              | grep 'browser_download_url.*_Linux_amd64"' \
+              | cut -d : -f 2,3 \
+              | tr -d \" \
+              | tr -d " "
+          )
+          BINS="$HOME/.local/bin"
+          mkdir -p "$BINS"
+          UDS_CLI="$BINS/uds"
+          curl --location --output "$UDS_CLI" "$REMOTE_URL"
+          chmod +x "$UDS_CLI"
+
+          uds version
+
+      - name: dowload image tar artifact
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: pepr-img.tar
+          path: ${{ github.workspace }}
+
+      - name: "set env: PEPR_IMG"
+        run: echo "PEPR_IMG=${GITHUB_WORKSPACE}/pepr-img.tar" >> "$GITHUB_ENV"
+
+      - name: import docker image from pepr tar
+        run: |
+          docker image load --input "$PEPR_IMG"
+
+      - name: uds run
+        run: |
+          cd "$UDS_CORE"
+          PEPR_CUSTOM_IMAGE="pepr:dev" uds run slim-dev
diff --git a/.github/workflows/vulnerability-scan.yaml b/.github/workflows/vulnerability-scan.yaml
@@ -17,7 +17,7 @@ jobs:
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Use Node.js latest
-        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
         with:
           node-version: 20
           cache: "npm"

diff --git a/Dockerfile b/Dockerfile
@@ -6,7 +6,7 @@
 # Any other changes to Dockerfile should be reflected in Publish
 
 # crane digest cgr.dev/chainguard/node-lts:latest-dev
-FROM cgr.dev/chainguard/node:latest-dev@sha256:31749fcbb39ad3f428992758958075d6bc3bfc1e4138e8ea7458483fddb44efb AS build
+FROM cgr.dev/chainguard/node:latest-dev@sha256:22e112faf22403b8af3d15a6c0d910345636f4e317c950973823041b86d74ea8 AS build
 
 WORKDIR /app
 
@@ -38,7 +38,7 @@ RUN npm run build && \
 ##### DELIVER #####
 
 # crane digest cgr.dev/chainguard/node-lts:latest
-FROM cgr.dev/chainguard/node:latest@sha256:9b39ee31665469c51b76516cf08d46380797bcd7e8418cb1f16e5fad7b6f6c48
+FROM cgr.dev/chainguard/node:latest@sha256:7d2170d090ad459647aff186ae85f79520832a35310d71ab2882719623921619
 
 WORKDIR /app
 

diff --git a/docs/030_user-guide/030_actions/050_finalize.md b/docs/030_user-guide/030_actions/050_finalize.md
@@ -0,0 +1,11 @@
+# Finalize
+
+A specialized combination of Pepr's [Mutate](./010_mutate.md) & [Watch](./040_watch.md) functionalities that allow a module author to run logic while Kubernetes is [Finalizing](https://kubernetes.io/docs/concepts/overview/working-with-objects/finalizers/) a resource (i.e. cleaning up related resources _after_ a deleteion request has been accepted).
+
+This method will:
+
+1. Inject a finalizer into the `metadata.finalizers` field of the requested resource during the mutation phase of the admission.
+
+1. Watch appropriate resource lifecycle events & invoke the given callback.
+
+1. Remove the injected finalizer from the `metadata.finalizers` field of the requested resource.
diff --git a/docs/030_user-guide/030_actions/README.md b/docs/030_user-guide/030_actions/README.md
@@ -6,7 +6,7 @@ An action is a discrete set of behaviors defined in a single function that acts
 
 For example, an action could be responsible for adding a specific label to a Kubernetes resource, or for modifying a specific field in a resource's metadata. Actions can be grouped together within a Capability to provide a more comprehensive set of operations that can be performed on Kubernetes resources.
 
-Actions are `Mutate()`, `Validate()`, `Watch()`, or `Reconcile()`. Both Mutate and Validate actions run during the admission controller lifecycle, while Watch and Reconcile actions run in a separate controller that tracks changes to resources, including existing resources.
+Actions are `Mutate()`, `Validate()`, `Watch()`, `Reconcile()`, and `Finalize()`. Both Mutate and Validate actions run during the admission controller lifecycle, while Watch and Reconcile actions run in a separate controller that tracks changes to resources, including existing resource; the Finalize action spans both the admission & afterward.
 
 Let's look at some example actions that are included in the `HelloPepr` capability that is created for you when you [`npx pepr init`](./010_pepr-cli.md#pepr-init):
 

diff --git a/package.json b/package.json
@@ -22,15 +22,15 @@
     "prebuild": "rm -fr dist/* && npm run gen-data-json",
     "version": "node scripts/set-version.js",
     "build": "tsc && node build.mjs",
-    "build:image": "npm run build && docker buildx build --tag pepr:dev .",
+    "build:image": "npm run build && docker buildx build --output type=docker --tag pepr:dev .",
     "test": "npm run test:unit && npm run test:journey",
     "test:unit": "npm run gen-data-json && jest src --coverage --detectOpenHandles --coverageDirectory=./coverage",
     "test:journey": "npm run test:journey:k3d && npm run test:journey:build && npm run test:journey:image && npm run test:journey:run",
     "test:journey:prep": "if [ ! -d ./pepr-upgrade-test ]; then git clone https://github.com/defenseunicorns/pepr-upgrade-test.git ; fi",
     "test:journey-wasm": "npm run test:journey:k3d && npm run test:journey:build && npm run test:journey:image && npm run test:journey:run-wasm",
     "test:journey:k3d": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0' --wait && kubectl rollout status deployment -n kube-system",
     "test:journey:build": "npm run build && npm pack",
-    "test:journey:image": "docker buildx build --tag pepr:dev . && k3d image import pepr:dev -c pepr-dev",
+    "test:journey:image": "docker buildx build --output type=docker --tag pepr:dev . && k3d image import pepr:dev -c pepr-dev",
     "test:journey:run": "jest --detectOpenHandles journey/entrypoint.test.ts && npm run test:journey:prep && npm run test:journey:upgrade",
     "test:journey:run-wasm": "jest --detectOpenHandles journey/entrypoint-wasm.test.ts",
     "test:journey:upgrade": "npm run test:journey:k3d && npm run test:journey:image && jest --detectOpenHandles journey/pepr-upgrade.test.ts",

diff --git a/src/lib/capability.ts b/src/lib/capability.ts
@@ -20,8 +20,11 @@ import {
   MutateActionChain,
   ValidateAction,
   ValidateActionChain,
+  FinalizeAction,
+  FinalizeActionChain,
   WhenSelector,
 } from "./types";
+import { addFinalizer } from "./finalizer";
 
 const registerAdmission = isBuildMode() || !isWatchMode();
 const registerWatch = isBuildMode() || isWatchMode() || isDevMode();
@@ -247,7 +250,7 @@ export class Capability implements CapabilityExport {
       return { Watch, Validate, Reconcile };
     }
 
-    function Watch(watchCallback: WatchAction<T>) {
+    function Watch(watchCallback: WatchAction<T>): FinalizeActionChain<T> {
       if (registerWatch) {
         log("Watch Action", watchCallback.toString());
 
@@ -257,9 +260,11 @@ export class Capability implements CapabilityExport {
           watchCallback,
         });
       }
+
+      return { Finalize };
     }
 
-    function Reconcile(watchCallback: WatchAction<T>) {
+    function Reconcile(watchCallback: WatchAction<T>): FinalizeActionChain<T> {
       if (registerWatch) {
         log("Reconcile Action", watchCallback.toString());
 
@@ -270,6 +275,38 @@ export class Capability implements CapabilityExport {
           watchCallback,
         });
       }
+
+      return { Finalize };
+    }
+
+    function Finalize(finalizeCallback: FinalizeAction<T>) {
+      log("Finalize Action", finalizeCallback.toString());
+
+      // add binding to inject pepr finalizer during admission (Mutate)
+      if (registerAdmission) {
+        const mutateBinding = {
+          ...binding,
+          isMutate: true,
+          isFinalize: true,
+          event: Event.Any,
+          mutateCallback: addFinalizer,
+        };
+        bindings.push(mutateBinding);
+      }
+
+      // add binding to process finalizer callback / remove pepr finalizer (Watch)
+      if (registerWatch) {
+        const watchBinding = {
+          ...binding,
+          isWatch: true,
+          isFinalize: true,
+          event: Event.Update,
+          finalizeCallback,
+        };
+        bindings.push(watchBinding);
+      }
+
+      return { Finalize };
     }
 
     function InNamespace(...namespaces: string[]): BindingWithName<T> {