From b69b58d43f45f8c79dc09cf9579178bd991c98ea Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 10 Dec 2024 22:27:48 +0000
Subject: [PATCH 1/3] chore: bump trufflesecurity/trufflehog from 3.85.0 to 3.86.0 (#1559)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bumps [trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog) from 3.85.0 to 3.86.0.
Release notes

Sourced from trufflesecurity/trufflehog's releases.

v3.86.0

Full Changelog: https://github.com/trufflesecurity/trufflehog/compare/v3.85.0...v3.86.0

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=trufflesecurity/trufflehog&package-manager=github_actions&previous-version=3.85.0&new-version=3.86.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

---
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/secret-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml index 5bf94cf77..da2e4771a 100644 --- a/.github/workflows/secret-scan.yml +++ b/.github/workflows/secret-scan.yml @@ -23,6 +23,6 @@ jobs: with: fetch-depth: 0 - name: Default Secret Scanning - uses: trufflesecurity/trufflehog@710d09ba85a0b34cea5592f3a42aae7db5d1a279 # main + uses: trufflesecurity/trufflehog@f726d02330dbcec836fa17f79fa7711fdb3a5cc8 # main with: extra_args: --debug --no-verification # Warn on potential violations From 94b5833cd8e5427da472763846f4d1290b318744 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 10 Dec 2024 22:27:50 +0000 Subject: [PATCH 2/3] chore: bump github/codeql-action from 3.27.6 to 3.27.7 (#1558) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.27.6 to 3.27.7.
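Review bot: in the secret-scan.yml hunk the trailing annotation on the new `uses:` line still reads `# main`, although the PR title pins 3.85.0 to 3.86.0. A SHA pin is only auditable when the comment names the release tag the SHA resolves to, so change it to `# v3.86.0` and confirm that `f726d02330dbcec836fa17f79fa7711fdb3a5cc8` is the commit behind that tag rather than an arbitrary commit on `main`. The unchanged context line `extra_args: --debug --no-verification` predates this change, but note that it turns off verification of detected credentials, so findings will include unverified matches; worth confirming that is the intended trade-off for this workflow.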
Release notes

Sourced from github/codeql-action's releases.

v3.27.7

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

Note that the only difference between v2 and v3 of the CodeQL Action is the node version they support, with v3 running on node 20 while we continue to release v2 to support running on node 16. For example 3.22.11 was the first v3 release and is functionally identical to 2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

3.27.7 - 10 Dec 2024

  • We are rolling out a change in December 2024 that will extract the CodeQL bundle directly to the toolcache to improve performance. #2631
  • Update default CodeQL bundle version to 2.20.0. #2636

See the full CHANGELOG.md for more information.

Changelog

Sourced from github/codeql-action's changelog.

[UNRELEASED]

No user facing changes.

3.27.7 - 10 Dec 2024

  • We are rolling out a change in December 2024 that will extract the CodeQL bundle directly to the toolcache to improve performance. #2631
  • Update default CodeQL bundle version to 2.20.0. #2636

3.27.6 - 03 Dec 2024

  • Update default CodeQL bundle version to 2.19.4. #2626

3.27.5 - 19 Nov 2024

No user facing changes.

3.27.4 - 14 Nov 2024

No user facing changes.

3.27.3 - 12 Nov 2024

No user facing changes.

3.27.2 - 12 Nov 2024

  • Fixed an issue where setting up the CodeQL tools would sometimes fail with the message "Invalid value 'undefined' for header 'authorization'". #2590

3.27.1 - 08 Nov 2024

  • The CodeQL Action now downloads bundles compressed using Zstandard on GitHub Enterprise Server when using Linux or macOS runners. This speeds up the installation of the CodeQL tools. This feature is already available to GitHub.com users. #2573
  • Update default CodeQL bundle version to 2.19.3. #2576

3.27.0 - 22 Oct 2024

  • Bump the minimum CodeQL bundle version to 2.14.6. #2549
  • Fix an issue where the upload-sarif Action would fail with "upload-sarif post-action step failed: Input required and not supplied: token" when called in a composite Action that had a different set of inputs to the ones expected by the upload-sarif Action. #2557
  • Update default CodeQL bundle version to 2.19.2. #2552

3.26.13 - 14 Oct 2024

No user facing changes.

... (truncated)

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github/codeql-action&package-manager=github_actions&previous-version=3.27.6&new-version=3.27.7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

---
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecard.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 1f0352c52..271b0d75a 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -44,17 +44,17 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6 + uses: github/codeql-action/init@babb554ede22fd5605947329c4d04d8e7a0b8155 # v3.27.7 with: languages: ${{ matrix.language }} # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6 + uses: github/codeql-action/autobuild@babb554ede22fd5605947329c4d04d8e7a0b8155 # v3.27.7 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6 + uses: github/codeql-action/analyze@babb554ede22fd5605947329c4d04d8e7a0b8155 # v3.27.7 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 7b95c5405..89f460138 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -60,6 +60,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v2.2.4 + uses: github/codeql-action/upload-sarif@babb554ede22fd5605947329c4d04d8e7a0b8155 # v2.2.4 with: sarif_file: results.sarif From a7989f79d35aca0e83e6303bd662ddbf7254c44c Mon Sep 17 00:00:00 2001 
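Review bot: in the scorecard.yml hunk the version comment on the `upload-sarif` line is left as `# v2.2.4` while the SHA advances to `babb554ede22fd5605947329c4d04d8e7a0b8155`, the same commit the codeql.yml hunk labels `# v3.27.7`. The stale comment misdocuments the pin and will keep drifting on every bump; change it to `# v3.27.7` so all four `uses:` lines for github/codeql-action carry the same tag.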
From: Sam Mayer Date: Wed, 11 Dec 2024 08:13:48 -0600 Subject: [PATCH 3/3] chore: add return types to untyped functions (#1560) ## Description Adds typing to untyped functions End to End Test: (See [Pepr Excellent Examples](https://github.com/defenseunicorns/pepr-excellent-examples)) ## Related Issue Fixes #1551 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Checklist before merging - [x] Unit, [Journey](https://github.com/defenseunicorns/pepr/tree/main/journey), [E2E Tests](https://github.com/defenseunicorns/pepr-excellent-examples), [docs](https://github.com/defenseunicorns/pepr/tree/main/docs), [adr](https://github.com/defenseunicorns/pepr/tree/main/adr) added or updated as needed - [x] [Contributor Guide Steps](https://docs.pepr.dev/main/contribute/#submitting-a-pull-request) followed --- src/lib/assets/deploy.ts | 12 ++++++------ src/lib/assets/destroy.ts | 2 +- src/lib/assets/helm.test.ts | 10 ++++++++-- src/lib/assets/helm.ts | 12 ++++++------ src/lib/assets/index.ts | 10 +++++----- src/lib/assets/pods.test.ts | 24 ++++++++++++------------ src/lib/assets/pods.ts | 15 ++++++++++----- src/lib/assets/webhooks.ts | 2 +- src/lib/assets/yaml.ts | 21 ++++++++++++--------- 9 files changed, 61 insertions(+), 47 deletions(-) diff --git a/src/lib/assets/deploy.ts b/src/lib/assets/deploy.ts index 3f933b482..884d07988 100644 --- a/src/lib/assets/deploy.ts +++ b/src/lib/assets/deploy.ts 
@@ -9,7 +9,7 @@ import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node"; import { Assets } from "."; import Log from "../telemetry/logger"; import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking"; -import { deployment, moduleSecret, namespace, watcher } from "./pods"; +import { getDeployment, getModuleSecret, getNamespace, getWatcher } from "./pods"; import { clusterRole, clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac"; import { peprStoreCRD } from "./store"; import { webhookConfig } from "./webhooks"; @@ -19,7 +19,7 @@ export async function deployImagePullSecret(imagePullSecret: ImagePullSecret, na try { await K8s(kind.Namespace).Get("pepr-system"); } catch { - await K8s(kind.Namespace).Apply(namespace()); + await K8s(kind.Namespace).Apply(getNamespace()); } try { @@ -48,7 +48,7 @@ export async function deploy(assets: Assets, force: boolean, webhookTimeout?: nu const { name, host, path } = assets; Log.info("Applying pepr-system namespace"); - await K8s(kind.Namespace).Apply(namespace(assets.config.customLabels?.namespace)); + await K8s(kind.Namespace).Apply(getNamespace(assets.config.customLabels?.namespace)); // Create the mutating webhook configuration if it is needed const mutateWebhook = await webhookConfig(assets, "mutate", webhookTimeout); @@ -123,7 +123,7 @@ async function setupController(assets: Assets, code: Buffer, hash: string, force const { name } = assets; Log.info("Applying module secret"); - const mod = moduleSecret(name, code, hash); + const mod = getModuleSecret(name, code, hash); await K8s(kind.Secret).Apply(mod, { force }); Log.info("Applying controller service"); 
@@ -139,14 +139,14 @@ async function setupController(assets: Assets, code: Buffer, hash: string, force await K8s(kind.Secret).Apply(apiToken, { force }); Log.info("Applying deployment"); - const dep = deployment(assets, hash, assets.buildTimestamp); + const dep = getDeployment(assets, hash, assets.buildTimestamp); await K8s(kind.Deployment).Apply(dep, { force }); } // Setup the watcher deployment and service async function setupWatcher(assets: Assets, hash: string, force: boolean) { // If the module has a watcher, deploy it - const watchDeployment = watcher(assets, hash, assets.buildTimestamp); + const watchDeployment = getWatcher(assets, hash, assets.buildTimestamp); if (watchDeployment) { Log.info("Applying watcher deployment"); await K8s(kind.Deployment).Apply(watchDeployment, { force }); diff --git a/src/lib/assets/destroy.ts b/src/lib/assets/destroy.ts index 6d4a80960..e528e70ff 100644 --- a/src/lib/assets/destroy.ts +++ b/src/lib/assets/destroy.ts @@ -6,7 +6,7 @@ import { K8s, kind } from "kubernetes-fluent-client"; import Log from "../telemetry/logger"; import { peprStoreCRD } from "./store"; -export async function destroyModule(name: string) { +export async function destroyModule(name: string): Promise { const namespace = "pepr-system"; Log.info("Destroying Pepr module"); diff --git a/src/lib/assets/helm.test.ts b/src/lib/assets/helm.test.ts index 172cbcf41..386982e8d 100644 --- a/src/lib/assets/helm.test.ts +++ b/src/lib/assets/helm.test.ts 
@@ -1,12 +1,18 @@ // SPDX-License-Identifier: Apache-2.0 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors -import { nsTemplate, chartYaml, watcherDeployTemplate, admissionDeployTemplate, serviceMonitorTemplate } from "./helm"; +import { + namespaceTemplate, + chartYaml, + watcherDeployTemplate, + admissionDeployTemplate, + serviceMonitorTemplate, +} from "./helm"; import { expect, describe, test } from "@jest/globals"; describe("Kubernetes Template Generators", () => { describe("nsTemplate", () => { test("should generate a Namespace template correctly", () => { - const result = nsTemplate(); + const result = namespaceTemplate(); expect(result).toContain("apiVersion: v1"); expect(result).toContain("kind: Namespace"); expect(result).toContain("name: pepr-system"); diff --git a/src/lib/assets/helm.ts b/src/lib/assets/helm.ts index 3f7124aa2..2b65f368a 100644 --- a/src/lib/assets/helm.ts +++ b/src/lib/assets/helm.ts @@ -1,7 +1,7 @@ // SPDX-License-Identifier: Apache-2.0 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors -export function clusterRoleTemplate() { +export function clusterRoleTemplate(): string { return ` apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -15,7 +15,7 @@ export function clusterRoleTemplate() { `; } -export function nsTemplate() { +export function namespaceTemplate(): string { return ` apiVersion: v1 kind: Namespace @@ -32,7 +32,7 @@ export function nsTemplate() { `; } -export function chartYaml(name: string, description?: string) { +export function chartYaml(name: string, description?: string): string { return ` apiVersion: v2 name: ${name} @@ -61,7 +61,7 @@ export function chartYaml(name: string, description?: string) { `; } -export function watcherDeployTemplate(buildTimestamp: string) { +export function watcherDeployTemplate(buildTimestamp: string): string { return ` apiVersion: apps/v1 kind: Deployment 
@@ -142,7 +142,7 @@ export function watcherDeployTemplate(buildTimestamp: string) { `; } -export function admissionDeployTemplate(buildTimestamp: string) { +export function admissionDeployTemplate(buildTimestamp: string): string { return ` apiVersion: apps/v1 kind: Deployment @@ -228,7 +228,7 @@ export function admissionDeployTemplate(buildTimestamp: string) { `; } -export function serviceMonitorTemplate(name: string) { +export function serviceMonitorTemplate(name: string): string { return ` {{- if .Values.${name}.serviceMonitor.enabled }} apiVersion: monitoring.coreos.com/v1 diff --git a/src/lib/assets/index.ts b/src/lib/assets/index.ts index 78d0947d8..b72df1254 100644 --- a/src/lib/assets/index.ts +++ b/src/lib/assets/index.ts @@ -16,7 +16,7 @@ import { dedent } from "../helpers"; import { resolve } from "path"; import { chartYaml, - nsTemplate, + namespaceTemplate, admissionDeployTemplate, watcherDeployTemplate, clusterRoleTemplate, @@ -25,7 +25,7 @@ import { import { promises as fs } from "fs"; import { webhookConfig } from "./webhooks"; import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking"; -import { watcher, moduleSecret } from "./pods"; +import { getWatcher, getModuleSecret } from "./pods"; import { clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac"; import { createDirectoryIfNotExists } from "../filesystemService"; @@ -157,7 +157,7 @@ export class Assets { const pairs: [string, () => string][] = [ [helm.files.chartYaml, (): string => dedent(chartYaml(this.config.uuid, this.config.description || ""))], - [helm.files.namespaceYaml, (): string => dedent(nsTemplate())], + [helm.files.namespaceYaml, (): string => dedent(namespaceTemplate())], [helm.files.watcherServiceYaml, (): string => toYaml(watcherService(this.name))], [helm.files.admissionServiceYaml, (): string => toYaml(service(this.name))], [helm.files.tlsSecretYaml, (): string => toYaml(tlsSecret(this.name, this.tls))], 
@@ -167,7 +167,7 @@ export class Assets { [helm.files.clusterRoleYaml, (): string => dedent(clusterRoleTemplate())], [helm.files.clusterRoleBindingYaml, (): string => toYaml(clusterRoleBinding(this.name))], [helm.files.serviceAccountYaml, (): string => toYaml(serviceAccount(this.name))], - [helm.files.moduleSecretYaml, (): string => toYaml(moduleSecret(this.name, code, this.hash))], + [helm.files.moduleSecretYaml, (): string => toYaml(getModuleSecret(this.name, code, this.hash))], ]; await Promise.all(pairs.map(async ([file, content]) => await fs.writeFile(file, content()))); @@ -191,7 +191,7 @@ export class Assets { await fs.writeFile(helm.files.validationWebhookYaml, createWebhookYaml(this, validateWebhook)); } - const watchDeployment = watcher(this, this.hash, this.buildTimestamp); + const watchDeployment = getWatcher(this, this.hash, this.buildTimestamp); if (watchDeployment) { await fs.writeFile(helm.files.watcherDeploymentYaml, dedent(watcherDeployTemplate(this.buildTimestamp))); await fs.writeFile(helm.files.watcherServiceMonitorYaml, dedent(serviceMonitorTemplate("watcher"))); diff --git a/src/lib/assets/pods.test.ts b/src/lib/assets/pods.test.ts index a21b4882e..aba42161c 100644 --- a/src/lib/assets/pods.test.ts +++ b/src/lib/assets/pods.test.ts @@ -1,4 +1,4 @@ -import { namespace, watcher, deployment, moduleSecret, genEnv } from "./pods"; +import { getNamespace, getWatcher, getDeployment, getModuleSecret, genEnv } from "./pods"; import { expect, describe, test, jest, afterEach } from "@jest/globals"; import { Assets } from "."; import { ModuleConfig } from "../module"; @@ -296,7 +296,7 @@ const assets: Assets = JSON.parse(`{ }`); describe("namespace function", () => { test("should create a namespace object without labels if none are provided", () => { - const result = namespace(); + const result = getNamespace(); expect(result).toEqual({ apiVersion: "v1", kind: "Namespace", 
@@ -304,7 +304,7 @@ describe("namespace function", () => { name: "pepr-system", }, }); - const result1 = namespace({ one: "two" }); + const result1 = getNamespace({ one: "two" }); expect(result1).toEqual({ apiVersion: "v1", kind: "Namespace", @@ -318,20 +318,20 @@ describe("namespace function", () => { }); test("should create a namespace object with empty labels if an empty object is provided", () => { - const result = namespace({}); - expect(result.metadata.labels).toEqual({}); + const result = getNamespace({}); + expect(result.metadata?.labels).toEqual({}); }); test("should create a namespace object with provided labels", () => { const labels = { "pepr.dev/controller": "admission", "istio-injection": "enabled" }; - const result = namespace(labels); - expect(result.metadata.labels).toEqual(labels); + const result = getNamespace(labels); + expect(result.metadata?.labels).toEqual(labels); }); }); describe("watcher function", () => { test("watcher with bindings", () => { - const result = watcher(assets, "test-hash", "test-timestamp"); + const result = getWatcher(assets, "test-hash", "test-timestamp"); expect(result).toBeTruthy(); expect(result!.metadata!.name).toBe("pepr-static-test-watcher"); @@ -339,14 +339,14 @@ describe("watcher function", () => { test("watcher without bindings", () => { assets.capabilities = []; - const result = watcher(assets, "test-hash", "test-timestamp"); + const result = getWatcher(assets, "test-hash", "test-timestamp"); expect(result).toBeNull(); }); }); describe("deployment function", () => { test("deployment", () => { - const result = deployment(assets, "test-hash", "test-timestamp"); + const result = getDeployment(assets, "test-hash", "test-timestamp"); expect(result).toBeTruthy(); expect(result!.metadata!.name).toBe("pepr-static-test"); 
@@ -368,7 +368,7 @@ describe("moduleSecret function", () => { // eslint-disable-next-line @typescript-eslint/no-var-requires jest.spyOn(require("../helpers"), "secretOverLimit").mockReturnValue(false); - const result = moduleSecret(name, data, hash); + const result = getModuleSecret(name, data, hash); expect(result).toEqual({ apiVersion: "v1", @@ -399,7 +399,7 @@ describe("moduleSecret function", () => { throw new Error("process.exit"); }); - expect(() => moduleSecret(name, data, hash)).toThrow("process.exit"); + expect(() => getModuleSecret(name, data, hash)).toThrow("process.exit"); expect(consoleErrorMock).toHaveBeenCalledWith( "Uncaught Exception:", diff --git a/src/lib/assets/pods.ts b/src/lib/assets/pods.ts index 803127b8f..247d95cbb 100644 --- a/src/lib/assets/pods.ts +++ b/src/lib/assets/pods.ts @@ -1,7 +1,7 @@ // SPDX-License-Identifier: Apache-2.0 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors -import { V1EnvVar } from "@kubernetes/client-node"; +import { KubernetesObject, V1EnvVar } from "@kubernetes/client-node"; import { kind } from "kubernetes-fluent-client"; import { gzipSync } from "zlib"; import { secretOverLimit } from "../helpers"; @@ -10,7 +10,7 @@ import { ModuleConfig } from "../module"; import { Binding } from "../types"; /** Generate the pepr-system namespace */ -export function namespace(namespaceLabels?: Record) { +export function getNamespace(namespaceLabels?: Record): KubernetesObject { if (namespaceLabels) { return { apiVersion: "v1", @@ -31,7 +31,12 @@ export function namespace(namespaceLabels?: Record) { } } -export function watcher(assets: Assets, hash: string, buildTimestamp: string, imagePullSecret?: string) { +export function getWatcher( + assets: Assets, + hash: string, + buildTimestamp: string, + imagePullSecret?: string, +): kind.Deployment | null { const { name, image, capabilities, config } = assets; let hasSchedule = false; 
@@ -186,7 +191,7 @@ export function watcher(assets: Assets, hash: string, buildTimestamp: string, im return deploy; } -export function deployment( +export function getDeployment( assets: Assets, hash: string, buildTimestamp: string, @@ -336,7 +341,7 @@ export function deployment( return deploy; } -export function moduleSecret(name: string, data: Buffer, hash: string): kind.Secret { +export function getModuleSecret(name: string, data: Buffer, hash: string): kind.Secret { // Compress the data const compressed = gzipSync(data); const path = `module-${hash}.js.gz`; diff --git a/src/lib/assets/webhooks.ts b/src/lib/assets/webhooks.ts index 3d8d45915..3a3187340 100644 --- a/src/lib/assets/webhooks.ts +++ b/src/lib/assets/webhooks.ts @@ -20,7 +20,7 @@ const peprIgnoreLabel: V1LabelSelectorRequirement = { const peprIgnoreNamespaces: string[] = ["kube-system", "pepr-system"]; -export async function generateWebhookRules(assets: Assets, isMutateWebhook: boolean) { +export async function generateWebhookRules(assets: Assets, isMutateWebhook: boolean): Promise { const { config, capabilities } = assets; const rules: V1RuleWithOperations[] = []; diff --git a/src/lib/assets/yaml.ts b/src/lib/assets/yaml.ts index e1faffc0a..2a66a4a7f 100644 --- a/src/lib/assets/yaml.ts +++ b/src/lib/assets/yaml.ts 
@@ -6,13 +6,16 @@ import crypto from "crypto"; import { promises as fs } from "fs"; import { Assets } from "."; import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking"; -import { deployment, moduleSecret, namespace, watcher } from "./pods"; +import { getDeployment, getModuleSecret, getNamespace, getWatcher } from "./pods"; import { clusterRole, clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac"; import { webhookConfig } from "./webhooks"; import { genEnv } from "./pods"; // Helm Chart overrides file (values.yaml) generated from assets -export async function overridesFile({ hash, name, image, config, apiToken, capabilities }: Assets, path: string) { +export async function overridesFile( + { hash, name, image, config, apiToken, capabilities }: Assets, + path: string, +): Promise { const rbacOverrides = clusterRole(name, capabilities, config.rbacMode, config.rbac).rules; const overrides = { @@ -166,7 +169,7 @@ export async function overridesFile({ hash, name, image, config, apiToken, capab await fs.writeFile(path, dumpYaml(overrides, { noRefs: true, forceQuotes: true })); } -export function zarfYaml({ name, image, config }: Assets, path: string) { +export function zarfYaml({ name, image, config }: Assets, path: string): string { const zarfCfg = { kind: "ZarfPackageConfig", metadata: { @@ -194,7 +197,7 @@ export function zarfYaml({ name, image, config }: Assets, path: string) { return dumpYaml(zarfCfg, { noRefs: true }); } -export function zarfYamlChart({ name, image, config }: Assets, path: string) { +export function zarfYamlChart({ name, image, config }: Assets, path: string): string { const zarfCfg = { kind: "ZarfPackageConfig", metadata: { 
@@ -223,7 +226,7 @@ export function zarfYamlChart({ name, image, config }: Assets, path: string) { return dumpYaml(zarfCfg, { noRefs: true }); } -export async function allYaml(assets: Assets, imagePullSecret?: string) { +export async function allYaml(assets: Assets, imagePullSecret?: string): Promise { const { name, tls, apiToken, path, config } = assets; const code = await fs.readFile(path); @@ -232,19 +235,19 @@ export async function allYaml(assets: Assets, imagePullSecret?: string) { const mutateWebhook = await webhookConfig(assets, "mutate", assets.config.webhookTimeout); const validateWebhook = await webhookConfig(assets, "validate", assets.config.webhookTimeout); - const watchDeployment = watcher(assets, assets.hash, assets.buildTimestamp, imagePullSecret); + const watchDeployment = getWatcher(assets, assets.hash, assets.buildTimestamp, imagePullSecret); const resources = [ - namespace(assets.config.customLabels?.namespace), + getNamespace(assets.config.customLabels?.namespace), clusterRole(name, assets.capabilities, config.rbacMode, config.rbac), clusterRoleBinding(name), serviceAccount(name), apiTokenSecret(name, apiToken), tlsSecret(name, tls), - deployment(assets, assets.hash, assets.buildTimestamp, imagePullSecret), + getDeployment(assets, assets.hash, assets.buildTimestamp, imagePullSecret), service(name), watcherService(name), - moduleSecret(name, code, assets.hash), + getModuleSecret(name, code, assets.hash), storeRole(name), storeRoleBinding(name), ];
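Review bot: in the deploy.ts hunk at `@@ -139,14 +139,14 @@`, `async function setupWatcher(assets: Assets, hash: string, force: boolean) {` is still left without a return type, and the hunk header shows `setupController` in the same state, even though the stated purpose of this PR is to add return types to untyped functions. Annotate both as `: Promise<void>` so the file is consistent with the exported functions that were typed.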
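Review bot: in the destroy.ts hunk the new signature reads `destroyModule(name: string): Promise` with no type argument, which TypeScript treats as `Promise<any>` and which defeats the point of the annotation; it should be `Promise<void>`. The same bare `Promise` appears on `overridesFile` and `allYaml` in the yaml.ts hunks. If the angle brackets were dropped only by the rendering of this page, please confirm the committed source actually carries `Promise<void>` (and a concrete type for `allYaml`); if not, add them.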
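Review bot: in the webhooks.ts hunk `generateWebhookRules(assets: Assets, isMutateWebhook: boolean): Promise` also lacks its type argument; the body visible in the context lines builds `const rules: V1RuleWithOperations[] = [];`, so the annotation should be `Promise<V1RuleWithOperations[]>`. Callers that feed these rules into the webhook configuration get a real compile-time check only once the element type is stated.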
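Review bot: in the pods.ts hunk at `@@ -10,7 +10,7 @@`, `getNamespace(namespaceLabels?: Record): KubernetesObject` needs the parameter typed as `Record<string, string>` (bare `Record` does not compile), and `KubernetesObject` is looser than the object the function builds, which is why the pods.test.ts hunk had to change `result.metadata.labels` to `result.metadata?.labels`. Since `kind` from `kubernetes-fluent-client` is already imported in this file, returning `kind.Namespace` keeps the precise shape and lets the tests keep their non-optional access.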
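Review bot: the helm.ts hunk renames the exported `nsTemplate` to `namespaceTemplate`, and the pods.ts hunks rename `namespace`, `watcher`, `deployment` and `moduleSecret` to their `get*` forms, but the PR description only says "Adds typing to untyped functions". Renaming public exports of `./helm` and `./pods` is a breaking change for anyone importing them; list the renames in the description and, if these modules are consumed outside this repo, consider keeping the old names as deprecated aliases for one release.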
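Review bot: in the helm.test.ts hunk the block label `describe("nsTemplate", () => {` is left as an unchanged context line while the function under test is now `namespaceTemplate()`; update the label so test output names the function that actually exists. The same applies to the pods.test.ts hunks, where `describe("namespace function"`, `describe("watcher function"`, `describe("deployment function"` and `describe("moduleSecret function"` still carry the pre-rename names of `getNamespace`, `getWatcher`, `getDeployment` and `getModuleSecret`.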