Merge branch 'main' into 1485

defenseunicorns · Dec 11, 2024 · b27cf24 · b27cf24
2 parents 071a687 + 0e50003
commit b27cf24
Show file tree

Hide file tree

Showing 17 changed files with 621 additions and 208 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -44,17 +44,17 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
+        uses: github/codeql-action/init@babb554ede22fd5605947329c4d04d8e7a0b8155 # v3.27.7
         with:
           languages: ${{ matrix.language }}
 
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
+        uses: github/codeql-action/autobuild@babb554ede22fd5605947329c4d04d8e7a0b8155 # v3.27.7
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
+        uses: github/codeql-action/analyze@babb554ede22fd5605947329c4d04d8e7a0b8155 # v3.27.7
         with:
           category: "/language:${{matrix.language}}"
 
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -60,6 +60,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v2.2.4
+        uses: github/codeql-action/upload-sarif@babb554ede22fd5605947329c4d04d8e7a0b8155 # v2.2.4
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
@@ -23,6 +23,6 @@ jobs:
       with:
         fetch-depth: 0
     - name: Default Secret Scanning
-      uses: trufflesecurity/trufflehog@710d09ba85a0b34cea5592f3a42aae7db5d1a279 # main
+      uses: trufflesecurity/trufflehog@f726d02330dbcec836fa17f79fa7711fdb3a5cc8 # main
       with:
         extra_args: --debug --no-verification # Warn on potential violations
diff --git a/src/cli/build.helpers.ts b/src/cli/build.helpers.ts
@@ -1,3 +1,15 @@
+import { createDirectoryIfNotExists } from "../lib/filesystemService";
+import { sanitizeResourceName } from "../sdk/sdk";
+import { createDockerfile } from "../lib/included-files";
+import { execSync } from "child_process";
+import { CapabilityExport } from "../lib/types";
+import { validateCapabilityNames } from "../lib/helpers";
+import { BuildOptions, BuildResult, context, BuildContext } from "esbuild";
+import { Assets } from "../lib/assets";
+import { resolve } from "path";
+import { promises as fs } from "fs";
+
+export type Reloader = (opts: BuildResult<BuildOptions>) => void | Promise<void>;
 /**
  * Determine the RBAC mode based on the CLI options and the module's config
  * @param opts CLI options
@@ -26,3 +38,171 @@ export function determineRbacMode(
   // if nothing is defined return admin, else return scoped
   return cfg.pepr.rbacMode || "admin";
 }
+
+/**
+ * Handle the custom output directory
+ * @param outputDir the desired output directory
+ * @returns The desired output directory or the default one
+ */
+
+export async function handleCustomOutputDir(outputDir: string): Promise<string> {
+  const defaultOutputDir = "dist";
+  if (outputDir) {
+    try {
+      await createDirectoryIfNotExists(outputDir);
+      return outputDir;
+    } catch (error) {
+      console.error(`Error creating output directory: ${error.message}`);
+      process.exit(1);
+    }
+  }
+  return defaultOutputDir;
+}
+
+/**
+ * Check if the image is from Iron Bank and return the correct image
+ * @param registry The registry of the image
+ * @param image The image to check
+ * @param peprVersion The version of the PEPR controller
+ * @returns The image string
+ * @example
+ */
+export function checkIronBankImage(registry: string, image: string, peprVersion: string): string {
+  return registry === "Iron Bank"
+    ? `registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller:v${peprVersion}`
+    : image;
+}
+
+/**
+ * Check if the image pull secret is a valid Kubernetes name
+ * @param imagePullSecret
+ * @returns boolean
+ */
+export function validImagePullSecret(imagePullSecretName: string): void {
+  if (imagePullSecretName) {
+    const error = "Invalid imagePullSecret. Please provide a valid name as defined in RFC 1123.";
+    if (sanitizeResourceName(imagePullSecretName) !== imagePullSecretName) {
+      // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-subdomain-names
+      console.error(error);
+      process.exit(1);
+    }
+  }
+}
+
+/**
+ * Constraint to majke sure customImage and registry are not both used
+ * @param customImage
+ * @param registry
+ * @returns
+ */
+export function handleCustomImage(customImage: string, registry: string): string {
+  let defaultImage = "";
+  if (customImage) {
+    if (registry) {
+      console.error(`Custom Image and registry cannot be used together.`);
+      process.exit(1);
+    }
+    defaultImage = customImage;
+  }
+  return defaultImage;
+}
+
+/**
+ * Creates and pushes a custom image for WASM or any other included files
+ * @param includedFiles
+ * @param peprVersion
+ * @param description
+ * @param image
+ */
+export async function handleCustomImageBuild(
+  includedFiles: string[],
+  peprVersion: string,
+  description: string,
+  image: string,
+): Promise<void> {
+  if (includedFiles.length > 0) {
+    await createDockerfile(peprVersion, description, includedFiles);
+    execSync(`docker build --tag ${image} -f Dockerfile.controller .`, {
+      stdio: "inherit",
+    });
+    execSync(`docker push ${image}`, { stdio: "inherit" });
+  }
+}
+
+/**
+ * Disables embedding of deployment files into output module
+ * @param embed
+ * @param path
+ * @returns
+ */
+export function handleEmbedding(embed: boolean, path: string): void {
+  if (!embed) {
+    console.info(`✅ Module built successfully at ${path}`);
+    return;
+  }
+}
+
+/**
+ * Check if the capability names are valid
+ * @param capabilities The capabilities to check
+ */
+export function handleValidCapabilityNames(capabilities: CapabilityExport[]): void {
+  try {
+    // wait for capabilities to be loaded and test names
+    validateCapabilityNames(capabilities);
+  } catch (e) {
+    console.error(`Error loading capability:`, e);
+    process.exit(1);
+  }
+}
+
+/**
+ * Watch for changes in the module
+ * @param ctxCfg The build options
+ * @param reloader The reloader function
+ * @returns The build context
+ */
+export async function watchForChanges(
+  ctxCfg: BuildOptions,
+  reloader: Reloader | undefined,
+): Promise<BuildContext<BuildOptions>> {
+  const ctx = await context(ctxCfg);
+
+  // If the reloader function is defined, watch the module for changes
+  if (reloader) {
+    await ctx.watch();
+  } else {
+    // Otherwise, just build the module once
+    await ctx.rebuild();
+    await ctx.dispose();
+  }
+
+  return ctx;
+}
+
+export async function generateYamlAndWriteToDisk(obj: {
+  uuid: string;
+  imagePullSecret: string;
+  outputDir: string;
+  assets: Assets;
+  zarf: string;
+}): Promise<void> {
+  const { uuid, imagePullSecret, outputDir, assets, zarf } = obj;
+  const yamlFile = `pepr-module-${uuid}.yaml`;
+  const chartPath = `${uuid}-chart`;
+  const yamlPath = resolve(outputDir, yamlFile);
+  const yaml = await assets.allYaml(imagePullSecret);
+  const zarfPath = resolve(outputDir, "zarf.yaml");
+
+  let localZarf = "";
+  if (zarf === "chart") {
+    localZarf = assets.zarfYamlChart(chartPath);
+  } else {
+    localZarf = assets.zarfYaml(yamlFile);
+  }
+  await fs.writeFile(yamlPath, yaml);
+  await fs.writeFile(zarfPath, localZarf);
+
+  await assets.generateHelmChart(outputDir);
+  console.info(`✅ K8s resource for the module saved to ${yamlPath}`);
+}