diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index c4207bdc1..313371402 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -57,6 +57,8 @@ jobs: HUGO_NEW=$(realpath "$WORK/hugo.yaml") CONT_OLD=$(realpath "$SITE/content/en") CONT_NEW=$(realpath "$WORK/content/en") + STAT_OLD=$(realpath "$SITE/static") + STAT_NEW=$(realpath "$WORK/static") rm "$HUGO_OLD" cp "$HUGO_NEW" "$HUGO_OLD" @@ -64,6 +66,9 @@ jobs: rm --recursive --force "$CONT_OLD" cp --recursive "$CONT_NEW" "$CONT_OLD" + rm --recursive --force "$STAT_OLD" + cp --recursive "$STAT_NEW" "$STAT_OLD" + cd "$DOCS" git config user.name "docs.yml" git config user.email "<>" diff --git a/site/content/en/v0.22.0/OnSchedule.md b/site/content/en/v0.22.0/OnSchedule.md deleted file mode 100644 index c663f24d9..000000000 --- a/site/content/en/v0.22.0/OnSchedule.md +++ /dev/null @@ -1,85 +0,0 @@ ---- -title: OnSchedule -weight: ---- - - -The `OnSchedule` feature allows you to schedule and automate the execution of specific code at predefined intervals or schedules. This feature is designed to simplify recurring tasks and can serve as an alternative to traditional CronJobs. This code is designed to be run at the top level on a Capability, not within a function like `When`. - -> **Note -** To use this feature in dev mode you MUST set `PEPR_WATCH_MODE="true"`. This is because the scheduler only runs on the watch controller and the watch controller is not started by default in dev mode. - -For example: `PEPR_WATCH_MODE="true" npx pepr dev` - -## Best Practices - -`OnSchedule` is designed for targeting intervals equal to or larger than 30 seconds due to the storage mechanism used to archive schedule info. - -## Usage - -Create a recurring task execution by calling the OnSchedule function with the following parameters: - -**name** - The unique name of the schedule. - -**every** - An integer that represents the frequency of the schedule in number of _units_. - -**unit** - A string specifying the time unit for the schedule (e.g., `seconds`, `minute`, `minutes`, `hour`, `hours`). - -**startTime** - (Optional) A UTC timestamp indicating when the schedule should start. All date times must be provided in GMT. If not specified the schedule will start when the schedule store reports ready. - -**run** - A function that contains the code you want to execute on the defined schedule. - -**completions** - (Optional) An integer indicating the maximum number of times the schedule should run to completion. If not specified the schedule will run indefinitely. - - -## Examples - -Update a ConfigMap every 30 seconds: - -```typescript -OnSchedule({ - name: "hello-interval", - every: 30, - unit: "seconds", - run: async () => { - Log.info("Wait 30 seconds and create/update a ConfigMap"); - - try { - await K8s(kind.ConfigMap).Apply({ - metadata: { - name: "last-updated", - namespace: "default", - }, - data: { - count: `${new Date()}`, - }, - }); - - } catch (error) { - Log.error(error, "Failed to apply ConfigMap using server-side apply."); - } - }, - }); -``` - -Refresh an AWSToken every 24 hours, with a delayed start of 30 seconds, running a total of 3 times: - -```typescript - -OnSchedule({ - name: "refresh-aws-token", - every: 24, - unit: "hours", - startTime: new Date(new Date().getTime() + 1000 * 30), - run: async () => { - await RefreshAWSToken(); - }, - completions: 3, -}); -``` - -## Advantages - -- Simplifies scheduling recurring tasks without the need for complex CronJob configurations. -- Provides flexibility to define schedules in a human-readable format. -- Allows you to execute code with precision at specified intervals. -- Supports limiting the number of schedule completions for finite tasks. diff --git a/site/content/en/v0.22.0/_index.md b/site/content/en/v0.22.0/_index.md deleted file mode 100644 index 6fd0fa420..000000000 --- a/site/content/en/v0.22.0/_index.md +++ /dev/null @@ -1,157 +0,0 @@ ---- -title: v0.22.0 -cascade: - type: docs -aliases: [] ---- -# Pepr - -[![Pepr Documentation](https://img.shields.io/badge/docs--d25ba1)](./README/) -[![Npm package license](https://badgen.net/npm/license/pepr)](https://npmjs.com/package/pepr) -[![Known Vulnerabilities](https://snyk.io/test/npm/pepr/badge.svg)](https://snyk.io/advisor/npm-package/pepr) -[![Npm package version](https://badgen.net/npm/v/pepr)](https://npmjs.com/package/pepr) -[![Npm package total downloads](https://badgen.net/npm/dt/pepr)](https://npmjs.com/package/pepr) - -#### **_Type safe Kubernetes middleware for humans_** - - - -Pepr is on a mission to save Kubernetes from the tyranny of YAML, intimidating glue code, bash scripts, and other makeshift solutions. As a Kubernetes controller, Pepr empowers you to define Kubernetes transformations using TypeScript, without software development expertise thanks to plain-english configurations. Pepr transforms a patchwork of forks, scripts, overlays, and other chaos into a cohesive, well-structured, and maintainable system. With Pepr, you can seamlessly transition IT ops tribal knowledge into code, simplifying documentation, testing, validation, and coordination of changes for a more predictable outcome. - -#### _Note: Pepr is still in active development so breaking changes may occur, but will be documented in release notes._ - -## Features - -- Zero-config K8s webhook mutations and validations -- Automatic leader-elected K8s resource watching -- Lightweight async key-value store backed by K8s for stateful operations with the [Pepr Store](./store/) -- Human-readable fluent API for generating [Pepr Capabilities](#capability) -- A fluent API for creating/modifying/watching and server-side applying K8s resources via [Kubernetes Fluent Client](https://github.com/defenseunicorns/kubernetes-fluent-client) -- Generate new K8s resources based off of cluster resource changes -- Perform other exec/API calls based off of cluster resources changes or any other arbitrary schedule -- Out of the box airgap support with [Zarf](https://zarf.dev) -- Entire NPM ecosystem available for advanced operations -- Realtime K8s debugging system for testing/reacting to cluster changes -- Controller network isolation and tamper-resistent module execution -- Least-privilege [RBAC](https://github.com/defenseunicorns/pepr/blob/main/docs/rbac/) generation -- AMD64 and ARM64 support - -## Example Pepr Action - -This quick sample shows how to react to a ConfigMap being created or updated in the cluster. It adds a label and annotation to the ConfigMap and adds some data to the ConfigMap. It also creates a Validating Webhook to make sure the "pepr" label still exists. Finally, after the ConfigMap is created, it logs a message to the Pepr controller and creates or updates a separate ConfigMap with the [kubernetes-fluent-client](https://github.com/defenseunicorns/kubernetes-fluent-client) using server-side apply. For more details see [actions](./actions/) section. - -```ts -When(a.ConfigMap) - .IsCreatedOrUpdated() - .InNamespace("pepr-demo") - .WithLabel("unicorn", "rainbow") - // Create a Mutate Action for the ConfigMap - .Mutate(request => { - // Add a label and annotation to the ConfigMap - request.SetLabel("pepr", "was-here").SetAnnotation("pepr.dev", "annotations-work-too"); - - // Add some data to the ConfigMap - request.Raw.data["doug-says"] = "Pepr is awesome!"; - - // Log a message to the Pepr controller logs - Log.info("A 🦄 ConfigMap was created or updated:"); - }) - // Create a Validate Action for the ConfigMap - .Validate(request => { - // Validate the ConfigMap has a specific label - if (request.HasLabel("pepr")) { - return request.Approve(); - } - - // Reject the ConfigMap if it doesn't have the label - return request.Deny("ConfigMap must have a unicorn label"); - }) - // Watch behaves like controller-runtime's Manager.Watch() - .Watch(async (cm, phase) => { - Log.info(cm, `ConfigMap was ${phase}.`); - - // Apply a ConfigMap using K8s server-side apply (will create or update) - await K8s(kind.ConfigMap).Apply({ - metadata: { - name: "pepr-ssa-demo", - namespace: "pepr-demo-2", - }, - data: { - uid: cm.metadata.uid, - }, - }); - }); -``` - -## Prerequisites - -- [Node.js](https://nodejs.org/en/) v18.0.0+ (even-numbered releases only) - - To ensure compatability and optimal performance, it is recommended to use even-numbered releases of Node.js as they are stable releases and receive long-term support for three years. Odd-numbered releases are experimental and may not be supported by certain libraries utilized in Pepr. - -- [npm](https://www.npmjs.com/) v10.1.0+ - -- Recommended (optional) tools: - - [Visual Studio Code](https://code.visualstudio.com/) for inline debugging and [Pepr Capabilities](#capability) creation. - - A Kubernetes cluster for `npx pepr dev`. Pepr modules include `npm run k3d-setup` if you want to test locally with [K3d](https://k3d.io/) and [Docker](https://www.docker.com/). - -## Wow too many words! tl;dr; - -```bash -# Create a new Pepr Module -npx pepr init - -# If you already have a Kind or K3d cluster you want to use, skip this step -npm run k3d-setup - -# Start playing with Pepr now -# If using another local K8s distro instead of k3d, run `npx pepr dev --host host.docker.internal` -npx pepr dev -kubectl apply -f capabilities/hello-pepr.samples.yaml - -# Be amazed and ⭐️ this repo -``` - - - -## Concepts - -### Module - -A module is the top-level collection of capabilities. It is a single, complete TypeScript project that includes an entry point to load all the configuration and capabilities, along with their actions. During the Pepr build process, each module produces a unique Kubernetes MutatingWebhookConfiguration and ValidatingWebhookConfiguration, along with a secret containing the transpiled and compressed TypeScript code. The webhooks and secret are deployed into the Kubernetes cluster with their own isolated controller. - -See [Module](./module/) for more details. - -### Capability - -A capability is set of related actions that work together to achieve a specific transformation or operation on Kubernetes resources. Capabilities are user-defined and can include one or more actions. They are defined within a Pepr module and can be used in both MutatingWebhookConfigurations and ValidatingWebhookConfigurations. A Capability can have a specific scope, such as mutating or validating, and can be reused in multiple Pepr modules. - -See [Capabilities](./capabilities/) for more details. - -### Action - -Action is a discrete set of behaviors defined in a single function that acts on a given Kubernetes GroupVersionKind (GVK) passed in from Kubernetes. Actions are the atomic operations that are performed on Kubernetes resources by Pepr. - -For example, an action could be responsible for adding a specific label to a Kubernetes resource, or for modifying a specific field in a resource's metadata. Actions can be grouped together within a Capability to provide a more comprehensive set of operations that can be performed on Kubernetes resources. - -There are both `Mutate()` and `Validate()` Actions that can be used to modify or validate Kubernetes resources within the admission controller lifecycle. There is also a `Watch()` Action that can be used to watch for changes to Kubernetes resources that already exist. - -See [actions](./actions/) for more details. - -## Logical Pepr Flow - -![Arch Diagram](./_images/pepr-arch.svg) -[Source Diagram](_images/pepr-arch.svg) - -## TypeScript - -[TypeScript](https://www.typescriptlang.org/) is a strongly typed, object-oriented programming language built on top of JavaScript. It provides optional static typing and a rich type system, allowing developers to write more robust code. TypeScript is transpiled to JavaScript, enabling it to run in any environment that supports JavaScript. Pepr allows you to use JavaScript or TypeScript to write capabilities, but TypeScript is recommended for its type safety and rich type system. You can learn more about TypeScript [here](https://www.typescriptlang.org/docs/handbook/typescript-from-scratch.html). - -## Community - -To join our channel go to [Kubernetes Slack](https://communityinviter.com/apps/kubernetes/community) and join the `#pepr` channel. - - - - - -Made with [contrib.rocks](https://contrib.rocks). diff --git a/site/content/en/v0.22.0/actions.md b/site/content/en/v0.22.0/actions.md deleted file mode 100644 index 52b76cc44..000000000 --- a/site/content/en/v0.22.0/actions.md +++ /dev/null @@ -1,74 +0,0 @@ ---- -title: Actions -weight: ---- - - -An action is a discrete set of behaviors defined in a single function that acts on a given Kubernetes GroupVersionKind (GVK) passed in during the admission controller lifecycle. Actions are the atomic operations that are performed on Kubernetes resources by Pepr. - -For example, an action could be responsible for adding a specific label to a Kubernetes resource, or for modifying a specific field in a resource's metadata. Actions can be grouped together within a Capability to provide a more comprehensive set of operations that can be performed on Kubernetes resources. - -Actions are `Mutate()`, `Validate()`, or `Watch()`. Both Mutate and Validate actions run during the admission controller lifecycle, while Watch actions run in a separate controller that tracks changes to resources, including existing resources. - -Let's look at some example actions that are included in the `HelloPepr` capability that is created for you when you [`pepr init`](../cli#pepr-init): - ---- - -In this first example, Pepr is adding a label and annotation to a ConfigMap with tne name `example-1` when it is created. Comments are added to each line to explain in more detail what is happening. - -```ts -// When(a.) filters which GroupVersionKind (GVK) this action should act on. -When(a.ConfigMap) - // This limits the action to only act on new resources. - .IsCreated() - // This limits the action to only act on resources with the name "example-1". - .WithName("example-1") - // Mutate() is where we define the actual behavior of this action. - .Mutate(request => { - // The request object is a wrapper around the K8s resource that Pepr is acting on. - request - // Here we are adding a label to the ConfigMap. - .SetLabel("pepr", "was-here") - // And here we are adding an annotation. - .SetAnnotation("pepr.dev", "annotations-work-too"); - - // Note that we are not returning anything here. This is because Pepr is tracking the changes in each action automatically. - }); -``` - ---- - -In this example, a Validate action rejects any ConfigMap in the `pepr-demo` namespace that has no data. - -```ts -When(a.ConfigMap) - .IsCreated() - .InNamespace("pepr-demo") - // Validate() is where we define the actual behavior of this action. - .Validate(request => { - // If data exists, approve the request. - if (request.Raw.data) { - return request.Approve(); - } - - // Otherwise, reject the request with a message and optional code. - return request.Deny("ConfigMap must have data"); - }); -``` - ---- - -In this example, a Watch action on the name and phase of any ConfigMap.Watch actions run in a separate controller that tracks changes to resources, including existing resources so that you can react to changes in real-time. It is important to note that Watch actions are not run during the admission controller lifecycle, so they cannot be used to modify or validate resources. They also may run multiple times for the same resource, so it is important to make sure that your Watch actions are idempotent. In a future release, Pepr will provide a better way to control when a Watch action is run to avoid this issue. - -```ts -When(a.ConfigMap) - // Watch() is where we define the actual behavior of this action. - .Watch((cm, phase) => { - Log.info(cm, `ConfigMap ${cm.metadata.name} was ${phase}`); - }); -``` - -``` -There are many more examples in the `HelloPepr` capability that you can use as a reference when creating your own actions. Note that each time you run [`pepr update`](../cli#pepr-update), Pepr will automatically update the `HelloPepr` capability with the latest examples and best practices for you to reference and test directly in your Pepr Module. -``` - diff --git a/site/content/en/v0.22.0/capabilities.md b/site/content/en/v0.22.0/capabilities.md deleted file mode 100644 index 22862ad13..000000000 --- a/site/content/en/v0.22.0/capabilities.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -title: Capabilities -weight: ---- - - -A capability is set of related [actions](../actions/) that work together to achieve a specific transformation or operation on Kubernetes resources. Capabilities are user-defined and can include one or more actions. They are defined within a Pepr module and can be used in both MutatingWebhookConfigurations and ValidatingWebhookConfigurations. A Capability can have a specific scope, such as mutating or validating, and can be reused in multiple Pepr modules. - -When you [`pepr init`](../cli#pepr-init), a `capabilities` directory is created for you. This directory is where you will define your capabilities. You can create as many capabilities as you need, and each capability can contain one or more actions. Pepr also automatically creates a `HelloPepr` capability with a number of example actions to help you get started. - -## Creating a Capability - -Defining a new capability can be done via a [VSCode Snippet](https://code.visualstudio.com/docs/editor/userdefinedsnippets) generated during [`pepr init`](../cli#pepr-init). - -1. Create a new file in the `capabilities` directory with the name of your capability. For example, `capabilities/my-capability.ts`. - -1. Open the new file in VSCode and type `create` in the file. A suggestion should prompt you to generate the content from there. - - - -_If you prefer not to use VSCode, you can also modify or copy the `HelloPepr` capability to meet your needs instead._ - - -## Reusable Capabilities - -Pepr has an NPM org managed by Defense Unicorns, `@pepr`, where capabilities are published for reuse in other Pepr Modules. You can find a list of published capabilities [here](https://www.npmjs.com/search?q=@pepr). - -You also can publish your own Pepr capabilities to NPM and import them. A couple of things you'll want to be aware of when publishing your own capabilities: - -- Reuseable capability versions should use the format `0.x.x` or `0.12.x` as examples to determine compatibility with other reusable capabilities. Before `1.x.x`, we recommend binding to `0.x.x` if you can for maximum compatibility. - -- `pepr.ts` will still be used for local development, but you'll also need to publish an `index.ts` that exports your capabilities. When you build & publish the capability to NPM, you can use `npx pepr build -e index.ts` to generate the code needed for reuse by other Pepr modules. - -- See [Pepr Istio](https://github.com/defenseunicorns/pepr-istio) for an example of a reusable capability. diff --git a/site/content/en/v0.22.0/cli.md b/site/content/en/v0.22.0/cli.md deleted file mode 100644 index 7edef9724..000000000 --- a/site/content/en/v0.22.0/cli.md +++ /dev/null @@ -1,81 +0,0 @@ ---- -title: Pepr CLI -weight: ---- - - -## `pepr init` - -Initialize a new Pepr Module. - -**Options:** - -- `-l, --log-level [level]` - Log level: debug, info, warn, error (default: "info") -- `--skip-post-init` - Skip npm install, git init and VSCode launch - ---- - -## `pepr update` - -Update the current Pepr Module to the latest SDK version and update the global Pepr CLI to the same version. - -**Options:** - -- `-l, --log-level [level]` - Log level: debug, info, warn, error (default: "info") -- `--skip-template-update` - Skip updating the template files - ---- - -## `pepr dev` - -Connect a local cluster to a local version of the Pepr Controller to do real-time debugging of your module. Note -the `pepr dev` assumes a K3d cluster is running by default. If you are working with Kind or another docker-based -K8s distro, you will need to pass the `--host host.docker.internal` option to `pepr dev`. If working with a remote -cluster you will have to give Pepr a host path to your machine that is reachable from the K8s cluster. - -**Options:** - -- `-l, --log-level [level]` - Log level: debug, info, warn, error (default: "info") -- `-h, --host [host]` - Host to listen on (default: "host.k3d.internal") -- `--confirm` - Skip confirmation prompt - ---- - -## `pepr deploy` - -Deploy the current module into a Kubernetes cluster, useful for CI systems. Not recommended for production use. - -**Options:** - -- `-l, --log-level [level]` - Log level: debug, info, warn, error (default: "info") -- `-i, --image [image]` - Override the image tag -- `--confirm` - Skip confirmation prompt - ---- - -## pepr monitor - -Monitor Validations for a given Pepr Module. - -Usage: -```bash -npx pepr monitor [options] -``` - -**Options:** -- `-l, --log-level [level]` - Log level: debug, info, warn, error (default: "info") -- `-h, --help` - Display help for command - ---- -## `pepr build` - -Create a [zarf.yaml](https://zarf.dev) and K8s manifest for the current module. This includes everything needed to deploy Pepr and the current module into production environments. - -**Options:** - -- `-l, --log-level [level]` - Log level: debug, info, warn, error (default: "info") -- `-e, --entry-point [file]` - Specify the entry point file to build with. (default: "pepr.ts") -- `-n, --no-embed` - Disables embedding of deployment files into output module. Useful when creating library modules intended solely for reuse/distribution via NPM -- `-r, --registry-info [/]` - Registry Info: Image registry and username. Note: You must be signed into the registry -- `-o, --output-dir [output directory]` - Define where to place build output -- `--rbac-mode [admin|scoped]` - Rbac Mode: admin, scoped (default: admin) (choices: "admin", "scoped", default: "admin") diff --git a/site/content/en/v0.22.0/customresources.md b/site/content/en/v0.22.0/customresources.md deleted file mode 100644 index c78a93178..000000000 --- a/site/content/en/v0.22.0/customresources.md +++ /dev/null @@ -1,165 +0,0 @@ ---- -title: Importing Custom Resources -weight: ---- - - - -The [Kubernetes Fluent Client](https://github.com/defenseunicorns/kubernetes-fluent-client) supports the creation of TypeScript typings directly from Kubernetes Custom Resource Definitions (CRDs). The files it generates can be directly incorporated into Pepr capabilities and provide a way to work with strongly-typed CRDs. - -For example (below), Istio CRDs can be imported and used as though they were intrinsic Kubernetes resources. - - -## Generating TypeScript Types from CRDs - -Using the kubernetes-fluent-client to produce a new type looks like this: - -```bash -npx kubernetes-fluent-client crd [source] [directory] -``` - -The `crd` command expects a `[source]`, which can be a URL or local file containing the `CustomResourceDefinition(s)`, and a `[directory]` where the generated code will live. - -The following example creates types for the Istio CRDs: - -```bash -user@workstation$ npx kubernetes-fluent-client crd https://raw.githubusercontent.com/istio/istio/master/manifests/charts/base/crds/crd-all.gen.yaml crds - -Attempting to load https://raw.githubusercontent.com/istio/istio/master/manifests/charts/base/crds/crd-all.gen.yaml as a URL - -- Generating extensions.istio.io/v1alpha1 types for WasmPlugin -- Generating networking.istio.io/v1alpha3 types for DestinationRule -- Generating networking.istio.io/v1beta1 types for DestinationRule -- Generating networking.istio.io/v1alpha3 types for EnvoyFilter -- Generating networking.istio.io/v1alpha3 types for Gateway -- Generating networking.istio.io/v1beta1 types for Gateway -- Generating networking.istio.io/v1beta1 types for ProxyConfig -- Generating networking.istio.io/v1alpha3 types for ServiceEntry -- Generating networking.istio.io/v1beta1 types for ServiceEntry -- Generating networking.istio.io/v1alpha3 types for Sidecar -- Generating networking.istio.io/v1beta1 types for Sidecar -- Generating networking.istio.io/v1alpha3 types for VirtualService -- Generating networking.istio.io/v1beta1 types for VirtualService -- Generating networking.istio.io/v1alpha3 types for WorkloadEntry -- Generating networking.istio.io/v1beta1 types for WorkloadEntry -- Generating networking.istio.io/v1alpha3 types for WorkloadGroup -- Generating networking.istio.io/v1beta1 types for WorkloadGroup -- Generating security.istio.io/v1 types for AuthorizationPolicy -- Generating security.istio.io/v1beta1 types for AuthorizationPolicy -- Generating security.istio.io/v1beta1 types for PeerAuthentication -- Generating security.istio.io/v1 types for RequestAuthentication -- Generating security.istio.io/v1beta1 types for RequestAuthentication -- Generating telemetry.istio.io/v1alpha1 types for Telemetry - -✅ Generated 23 files in the istio directory -``` - -Observe that the `kubernetes-fluent-client` has produced the TypeScript types within the `crds` directory. These types can now be utilized in the Pepr module. - -```typescript -user@workstation$ cat crds/proxyconfig-v1beta1.ts -// This file is auto-generated by kubernetes-fluent-client, do not edit manually - -import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; - -export class ProxyConfig extends GenericKind { - /** - * Provides configuration for individual workloads. See more details at: - * https://istio.io/docs/reference/config/networking/proxy-config.html - */ - spec?: Spec; - status?: { [key: string]: any }; -} - -/** - * Provides configuration for individual workloads. See more details at: - * https://istio.io/docs/reference/config/networking/proxy-config.html - */ -export interface Spec { - /** - * The number of worker threads to run. - */ - concurrency?: number; - /** - * Additional environment variables for the proxy. - */ - environmentVariables?: { [key: string]: string }; - /** - * Specifies the details of the proxy image. - */ - image?: Image; - /** - * Optional. - */ - selector?: Selector; -} - -/** - * Specifies the details of the proxy image. - */ -export interface Image { - /** - * The image type of the image. - */ - imageType?: string; -} - -/** - * Optional. - */ -export interface Selector { - /** - * One or more labels that indicate a specific set of pods/VMs on which a policy should be - * applied. - */ - matchLabels?: { [key: string]: string }; -} - -RegisterKind(ProxyConfig, { - group: "networking.istio.io", - version: "v1beta1", - kind: "ProxyConfig", -}); -``` - -## Using new types - -The generated types can be imported into Pepr directly, _there is no additional logic needed to make them to work_. - -```typescript -import { Capability, K8s, Log, a, kind } from "pepr"; - -import { Gateway } from "../crds/gateway-v1beta1"; -import { - PurpleDestination, - VirtualService, -} from "../crds/virtualservice-v1beta1"; - -export const IstioVirtualService = new Capability({ - name: "istio-virtual-service", - description: "Generate Istio VirtualService resources", -}); - -// Use the 'When' function to create a new action -const { When, Store } = IstioVirtualService; - -// Define the configuration keys -enum config { - Gateway = "uds/istio-gateway", - Host = "uds/istio-host", - Port = "uds/istio-port", - Domain = "uds/istio-domain", -} - -// Define the valid gateway names -const validGateway = ["admin", "tenant", "passthrough"]; - -// Watch Gateways to get the HTTPS domain for each gateway -When(Gateway) - .IsCreatedOrUpdated() - .WithLabel(config.Domain) - .Watch(vs => { - // Store the domain for the gateway - Store.setItem(vs.metadata.name, vs.metadata.labels[config.Domain]); - }); -``` diff --git a/site/content/en/v0.22.0/metrics.md b/site/content/en/v0.22.0/metrics.md deleted file mode 100644 index e91699726..000000000 --- a/site/content/en/v0.22.0/metrics.md +++ /dev/null @@ -1,113 +0,0 @@ ---- -title: /metrics Endpoint Documentation -weight: ---- - - -The `/metrics` endpoint provides metrics for the application that are collected via the `MetricsCollector` class. It uses the `prom-client` library and performance hooks from Node.js to gather and expose the metrics data in a format that can be scraped by Prometheus. - -## Metrics Exposed - -The `MetricsCollector` exposes the following metrics: - -- `pepr_errors`: A counter that increments when an error event occurs in the application. -- `pepr_alerts`: A counter that increments when an alert event is triggered in the application. -- `pepr_Mutate`: A summary that provides the observed durations of mutation events in the application. -- `pepr_Validate`: A summary that provides the observed durations of validation events in the application. - -## API Details - -**Method:** GET - -**URL:** `/metrics` - -**Response Type:** text/plain - -**Status Codes:** -- 200 OK: On success, returns the current metrics from the application. - -**Response Body:** -The response body is a plain text representation of the metrics data, according to the Prometheus exposition formats. It includes the metrics mentioned above. - -## Examples - -### Request - -```plaintext -GET /metrics -``` - -### Response -```plaintext - `# HELP pepr_errors Mutation/Validate errors encountered - # TYPE pepr_errors counter - pepr_errors 5 - - # HELP pepr_alerts Mutation/Validate bad api token received - # TYPE pepr_alerts counter - pepr_alerts 10 - - # HELP pepr_Mutate Mutation operation summary - # TYPE pepr_Mutate summary - pepr_Mutate{quantile="0.01"} 100.60707900021225 - pepr_Mutate{quantile="0.05"} 100.60707900021225 - pepr_Mutate{quantile="0.5"} 100.60707900021225 - pepr_Mutate{quantile="0.9"} 100.60707900021225 - pepr_Mutate{quantile="0.95"} 100.60707900021225 - pepr_Mutate{quantile="0.99"} 100.60707900021225 - pepr_Mutate{quantile="0.999"} 100.60707900021225 - pepr_Mutate_sum 100.60707900021225 - pepr_Mutate_count 1 - - # HELP pepr_Validate Validation operation summary - # TYPE pepr_Validate summary - pepr_Validate{quantile="0.01"} 201.19413900002837 - pepr_Validate{quantile="0.05"} 201.19413900002837 - pepr_Validate{quantile="0.5"} 201.2137690000236 - pepr_Validate{quantile="0.9"} 201.23339900001884 - pepr_Validate{quantile="0.95"} 201.23339900001884 - pepr_Validate{quantile="0.99"} 201.23339900001884 - pepr_Validate{quantile="0.999"} 201.23339900001884 - pepr_Validate_sum 402.4275380000472 - pepr_Validate_count 2 -``` - -## Prometheus Operator - -If using the Prometheus Operator, the following `ServiceMonitor` example manifests can be used to scrape the `/metrics` endpoint for the `admission` and `watcher` controllers. - -```yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: admission -spec: - selector: - matchLabels: - pepr.dev/controller: admission - namespaceSelector: - matchNames: - - pepr-system - endpoints: - - targetPort: 3000 - scheme: https - tlsConfig: - insecureSkipVerify: true ---- -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: watcher -spec: - selector: - matchLabels: - pepr.dev/controller: watcher - namespaceSelector: - matchNames: - - pepr-system - endpoints: - - targetPort: 3000 - scheme: https - tlsConfig: - insecureSkipVerify: true -``` diff --git a/site/content/en/v0.22.0/module.md b/site/content/en/v0.22.0/module.md deleted file mode 100644 index 9cc1204be..000000000 --- a/site/content/en/v0.22.0/module.md +++ /dev/null @@ -1,94 +0,0 @@ ---- -title: Pepr Module -weight: ---- - - -Each Pepr Module is it's own Typescript project, produced by [`pepr init`](../cli#pepr-init). Typically a module is maintained by a unique group or system. For example, a module for internal [Zarf](https://zarf.dev/) mutations would be different from a module for [Big Bang](https://p1.dso.mil/products/big-bang). An important idea with modules is that they are _wholly independent of one another_. This means that 2 different modules can be on completely different versions of Pepr and any other dependencies; their only interaction is through the standard K8s interfaces like any other webhook or controller. - -## Module development lifecycle - -1. **Create the module**: - - Use [`pepr init`](../cli#pepr-init) to generate a new module. - -1. **Quickly validate system setup**: - - Every new module includes a sample Pepr Capability called `HelloPepr`. By default, - this capability is deployed and monitoring the `pepr-demo` namespace. There is a sample - yaml also included you can use to see Pepr in your cluster. Here's the quick steps to do - that after `pepr init`: - - ```bash - # cd to the newly-created Pepr module folder - cd my-module-name - - # If you don't already have a local K8s cluster, you can set one up with k3d - npm run k3d-setup - - # Launch pepr dev mode - # If using another local K8s distro instead of k3d, use `pepr dev --host host.docker.internal` - pepr dev - - # From another terminal, apply the sample yaml - kubectl apply -f capabilities/hello-pepr.samples.yaml - - # Verify the configmaps were transformed using kubectl, k9s or another tool - ``` - -1. **Create your custom Pepr Capabilities** - - Now that you have confirmed Pepr is working, you can now create new [capabilities](../capabilities/). You'll also want to disable the `HelloPepr` capability in your module (`pepr.ts`) before pushing to production. You can disable by commenting out or deleting the `HelloPepr` variable below: - - ```typescript - new PeprModule(cfg, [ - // Remove or comment the line below to disable the HelloPepr capability - HelloPepr, - - // Your additional capabilities go here - ]); - ``` - - _Note: if you also delete the `capabilities/hello-pepr.ts` file, it will be added again on the next [`pepr update`](../cli#pepr-update) so you have the latest examples usages from the Pepr SDK. Therefore, it is sufficient to remove the entry from your `pepr.ts` module - config._ - -1. **Build and deploy the Pepr Module** - - Most of the time, you'll likely be iterating on a module with `pepr dev` for real-time feedback and validation Once you are ready to move beyond the local dev environment, Pepr provides deployment and build tools you can use. - - `pepr deploy` - you can use this command to build your module and deploy it into any K8s cluster your current `kubecontext` has access to. This setup is ideal for CI systems during testing, but is not recommended for production use. See [`pepr deploy`](../cli#pepr-deploy) for more info. - -## Advanced Module Configuration - -By default, when you run `pepr init`, the module is not configured with any additional options. Currently, there are 3 options you can configure: - -- `deferStart` - if set to `true`, the module will not start automatically. You will need to call `start()` manually. This is useful if you want to do some additional setup before the module controller starts. You can also use this to change the default port that the controller listens on. - -- `beforeHook` - an optional callback that will be called before every request is processed. This is useful if you want to do some additional logging or validation before the request is processed. - -- `afterHook` - an optional callback that will be called after every request is processed. This is useful if you want to do some additional logging or validation after the request is processed. - -You can configure each of these by modifying the `pepr.ts` file in your module. Here's an example of how you would configure each of these options: - -```typescript -const module = new PeprModule( - cfg, - [ - // Your capabilities go here - ], - { - deferStart: true, - - beforeHook: req => { - // Any actions you want to perform before the request is processed, including modifying the request. - }, - - afterHook: res => { - // Any actions you want to perform after the request is processed, including modifying the response. - }, - } -); - -// Do any additional setup before starting the controller -module.start(); -``` diff --git a/site/content/en/v0.22.0/rbac.md b/site/content/en/v0.22.0/rbac.md deleted file mode 100644 index 004eccf89..000000000 --- a/site/content/en/v0.22.0/rbac.md +++ /dev/null @@ -1,152 +0,0 @@ ---- -title: RBAC Modes -weight: ---- - - -During the build phase of Pepr (`npx pepr build --rbac-mode [admin|scoped]`), you have the option to specify the desired RBAC mode through specific flags. This allows fine-tuning the level of access granted based on requirements and preferences. - -## Modes - -**admin** - -```bash -npx pepr build --rbac-mode admin -``` - -**Description:** The service account is given cluster-admin permissions, granting it full, unrestricted access across the entire cluster. This can be useful for administrative tasks where broad permissions are necessary. However, use this mode with caution, as it can pose security risks if misused. This is the default mode. - -**scoped** - -```bash -npx pepr build --rbac-mode scoped -``` - -**Description:** The service account is provided just enough permissions to perform its required tasks, and no more. This mode is recommended for most use cases as it limits potential attack vectors and aligns with best practices in security. _The admission controller's primary mutating or validating action doesn't require a ClusterRole (as the request is not persisted or executed while passing through admission control), if you have a use case where the admission controller's logic involves reading other Kubernetes resources or taking additional actions beyond just validating, mutating, or watching the incoming request, appropriate RBAC settings should be reflected in the ClusterRole. See how in [Updating the ClusterRole](#updating-the-clusterrole)._ - -## Debugging RBAC Issues - -If encountering unexpected behaviors in Pepr while running in scoped mode, check to see if they are related to RBAC. - -1. Check Deployment logs for RBAC errors: - -```bash -kubectl logs -n pepr-system -l app | jq - -# example output -{ - "level": 50, - "time": 1697983053758, - "pid": 16, - "hostname": "pepr-static-test-watcher-745d65857d-pndg7", - "data": { - "kind": "Status", - "apiVersion": "v1", - "metadata": {}, - "status": "Failure", - "message": "configmaps \"pepr-ssa-demo\" is forbidden: User \"system:serviceaccount:pepr-system:pepr-static-test\" cannot patch resource \"configmaps\" in API group \"\" in the namespace \"pepr-demo-2\"", - "reason": "Forbidden", - "details": { - "name": "pepr-ssa-demo", - "kind": "configmaps" - }, - "code": 403 - }, - "ok": false, - "status": 403, - "statusText": "Forbidden", - "msg": "Dooes the ServiceAccount permissions to CREATE and PATCH this ConfigMap?" -} -``` - -2. Verify ServiceAccount Permissions with `kubectl auth can-i` - -```bash -SA=$(kubectl get deploy -n pepr-system -o=jsonpath='{range .items[0]}{.spec.template.spec.serviceAccountName}{"\n"}{end}') - -# Can i create configmaps as the service account in pepr-demo-2? -kubectl auth can-i create cm --as=system:serviceaccount:pepr-system:$SA -n pepr-demo-2 - -# example output: no -``` - -3. Describe the ClusterRole - -```bash -SA=$(kubectl get deploy -n pepr-system -o=jsonpath='{range .items[0]}{.spec.template.spec.serviceAccountName}{"\n"}{end}') - -kubectl describe clusterrole $SA - -# example output: -Name: pepr-static-test -Labels: -Annotations: -PolicyRule: - Resources Non-Resource URLs Resource Names Verbs - --------- ----------------- -------------- ----- - peprstores.pepr.dev [] [] [create delete get list patch update watch] - configmaps [] [] [watch] - namespaces [] [] [watch] -``` - -## Updating the ClusterRole - -As discussed in the [Modes](#modes) section, the admission controller's primary mutating or validating action doesn't require a ClusterRole (as the request is not persisted or executed while passing through admission control), if you have a use case where the admission controller's logic involves reading other Kubernetes resources or taking additional actions beyond just validating, mutating, or watching the incoming request, appropriate RBAC settings should be reflected in the ClusterRole. - -Step 1: Figure out the desired permissions. (`kubectl create clusterrole --help` is a good place to start figuring out the syntax) - -```bash - kubectl create clusterrole configMapApplier --verb=create,patch --resource=configmap --dry-run=client -oyaml - - # example output -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: configMapApplier -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - patch -``` - -Step 2: Update the ClusterRole in the `dist` folder. - -```yaml -... -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: pepr-static-test -rules: - - apiGroups: - - pepr.dev - resources: - - peprstores - verbs: - - create - - get - - patch - - watch - - apiGroups: - - '' - resources: - - namespaces - verbs: - - watch - - apiGroups: - - '' - resources: - - configmaps - verbs: - - watch - - create # New - - patch # New -... -``` - -Step 3: Apply the updated configuration diff --git a/site/content/en/v0.22.0/store.md b/site/content/en/v0.22.0/store.md deleted file mode 100644 index 2f975cb49..000000000 --- a/site/content/en/v0.22.0/store.md +++ /dev/null @@ -1,47 +0,0 @@ ---- -title: Pepr Store A Lightweight Key-Value Store for Pepr Modules -weight: ---- - - -The nature of admission controllers and general watch operations (the `Mutate`, `Validate` and `Watch` actions in Pepr) make some types of complex and long-running operations difficult. There are also times when you need to share data between different actions. While you could manually create your own K8s resources and manage their cleanup, this can be very hard to track and keep performant at scale. - -The Pepr Store solves this by exposing a simple, [Web Storage API](https://developer.mozilla.org/en-US/docs/Web/API/Storage)-compatible mechanism for use within capabilities. Additionally, as Pepr runs multiple replicas of the admission controller along with a watch controller, the Pepr Store provides a unique way to share data between these different instances automatically. - -Each Pepr Capability has a `Store` instance that can be used to get, set and delete data as well as subscribe to any changes to the Store. Behind the scenes, all capability store instances in a single Pepr Module are stored within a single CRD in the cluster. This CRD is automatically created when the Pepr Module is deployed. Care is taken to make the read and write operations as efficient as possible by using K8s watches, batch processing and patch operations for writes. - -## Key Features - -- **Asynchronous Key-Value Store**: Provides an asynchronous interface for storing small amounts of data, making it ideal for sharing information between various actions and capabilities. -- **Web Storage API Compatibility**: The store's API is aligned with the standard [Web Storage API](https://developer.mozilla.org/en-US/docs/Web/API/Storage), simplifying the learning curve. -- **Real-time Updates**: The `.subscribe()` and `onReady()` methods enable real-time updates, allowing you to react to changes in the data store instantaneously. - -- **Automatic CRD Management**: Each Pepr Module has its data stored within a single Custom Resource Definition (CRD) that is automatically created upon deployment. -- **Efficient Operations**: Pepr Store uses Kubernetes watches, batch processing, and patch operations to make read and write operations as efficient as possible. - -## Quick Start - -```typescript -// Example usage for Pepr Store -Store.setItem("example-1", "was-here"); -Store.setItem("example-1-data", JSON.stringify(request.Raw.data)); -Store.onReady(data => { - Log.info(data, "Pepr Store Ready"); -}); -const unsubscribe = Store.subscribe(data => { - Log.info(data, "Pepr Store Updated"); - unsubscribe(); -}); -``` - -## API Reference - -### Methods - -- `getItem(key: string)`: Retrieves a value by its key. Returns `null` if the key doesn't exist. -- `setItem(key: string, value: string)`: Sets a value for a given key. Creates a new key-value pair if the key doesn't exist. -- `setItemAndWait(key: string, value: string)`: Sets a value for a given key. Creates a new key-value pair if the key doesn't exist. Returns a promise when the new key and value show up in the store. Should only be used on a `Watch` to avoid [timeouts](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#timeouts). -- `removeItem(key: string)`: Deletes a key-value pair by its key. -- `clear()`: Clears all key-value pairs from the store. -- `subscribe(listener: DataReceiver)`: Subscribes to store updates. -- `onReady(callback: DataReceiver)`: Executes a callback when the store is ready. diff --git a/site/content/en/v0.22.0/webassembly.md b/site/content/en/v0.22.0/webassembly.md deleted file mode 100644 index b36671e82..000000000 --- a/site/content/en/v0.22.0/webassembly.md +++ /dev/null @@ -1,188 +0,0 @@ ---- -title: WASM Support Running WebAssembly in Pepr Guide -weight: ---- - - -Pepr fully supports WebAssembly. Depending on the language used to generate the WASM, certain files can be too large to fit into a `Secret` or `ConfigMap`. Due to this limitation, users have the ability to incorporate `*.wasm` and any other essential files during the build phase, which are then embedded into the Pepr Controller container. This is achieved through adding an array of files to the `includedFiles` section under `pepr` in the `package.json`. - -> **NOTE -** In order to instantiate the WebAsembly module in TypeScript, you need the WebAssembly type. This is accomplished through add the "DOM" to the `lib` array in the `compilerOptions` section of the `tsconfig.json`. Ex: `"lib": ["ES2022", "DOM"]`. Be aware that adding the DOM will add a lot of extra types to your project and your developer experience will be impacted in terms of the intellisense. - - -## High-Level Overview - -WASM support is achieved through adding files as layers atop the Pepr controller image, these files are then able to be read by the individual capabilities. The key components of WASM support are: - -- Add files to the **base** of the Pepr module. -- Reference the files in the `includedFiles` section of the `pepr` block of the `package.json` -- Run `npx pepr build` with the `-r ` option specifying registry info. Ex: `npx pepr build -r docker.io/cmwylie19` -- Pepr builds and pushes a custom image that is used in the `Deployment`. - -## Using WASM Support - -### Creating a WASM Module in Go - -Create a simple Go function that you want to call from your Pepr module - -```go -package main - -import ( - "fmt" - "syscall/js" -) - -func concats(this js.Value, args []js.Value) interface{} { - fmt.Println("PeprWASM!") - stringOne := args[0].String() - stringTwo := args[1].String() - return fmt.Sprintf("%s%s", stringOne, stringTwo) -} - -func main() { - done := make(chan struct{}, 0) - js.Global().Set("concats", js.FuncOf(concats)) - <-done -} -``` - -Compile it to a wasm target and move it to your Pepr module - -```bash -GOOS=js GOARCH=wasm go build -o main.wasm -cp main.wasm $YOUR_PEPR_MODULE/ -``` - -Copy the `wasm_exec.js` from `GOROOT` to your Pepr Module - -```bash -cp "$(go env GOROOT)/misc/wasm/wasm_exec.js" $YOUR_PEPR_MODULE/ -``` - -Update the polyfill to add `globalThis.crypto` in the `wasm_exec.js` since we are not running in the browser. This is needed directly under: `(() => {` - - -```javascript -// Initialize the polyfill -if (typeof globalThis.crypto === 'undefined') { - globalThis.crypto = { - getRandomValues: (array) => { - for (let i = 0; i < array.length; i++) { - array[i] = Math.floor(Math.random() * 256); - } - }, - }; -} -``` - - -### Configure Pepr to use WASM - -After adding the files to the root of the Pepr module, reference those files in the `package.json`: - -```json -{ - "name": "pepr-test-module", - "version": "0.0.1", - "description": "A test module for Pepr", - "keywords": [ - "pepr", - "k8s", - "policy-engine", - "pepr-module", - "security" - ], - "engines": { - "node": ">=18.0.0" - }, - "pepr": { - "name": "pepr-test-module", - "uuid": "static-test", - "onError": "ignore", - "alwaysIgnore": { - "namespaces": [], - "labels": [] - }, - "includedFiles":[ - "main.wasm", - "wasm_exec.js" - ] - }, - ... -} -``` - -Update the `tsconfig.json` to add "DOM" to the `compilerOptions` lib: - -```json -{ - "compilerOptions": { - "allowSyntheticDefaultImports": true, - "declaration": true, - "declarationMap": true, - "emitDeclarationOnly": true, - "esModuleInterop": true, - "lib": [ - "ES2022", - "DOM" // <- Add this - ], - "module": "CommonJS", - "moduleResolution": "node", - "outDir": "dist", - "resolveJsonModule": true, - "rootDir": ".", - "strict": false, - "target": "ES2022", - "useUnknownInCatchVariables": false - }, - "include": [ - "**/*.ts" - ] -} -``` - -### Call WASM functions from TypeScript - -Import the `wasm_exec.js` in the `pepr.ts` - -```javascript -import "./wasm_exec.js"; -``` - -Create a helper function to load the wasm file in a capability and call it during an event of your choice - -```typescript -async function callWASM(a,b) { - const go = new globalThis.Go(); - - const wasmData = readFileSync("main.wasm"); - var concated: string; - - await WebAssembly.instantiate(wasmData, go.importObject).then(wasmModule => { - go.run(wasmModule.instance); - - concated = global.concats(a,b); - }); - return concated; -} - -When(a.Pod) -.IsCreated() -.Mutate(async pod => { - try { - let label_value = await callWASM("loves","wasm") - pod.SetLabel("pepr",label_value) - } - catch(err) { - Log.error(err); - } -}); -``` - -### Run Pepr Build - -Build your Pepr module with the registry specified. - -```bash -npx pepr build -r docker.io/defenseunicorns -``` diff --git a/site/content/en/v0.22.1/OnSchedule.md b/site/content/en/v0.22.1/OnSchedule.md deleted file mode 100644 index c663f24d9..000000000 --- a/site/content/en/v0.22.1/OnSchedule.md +++ /dev/null @@ -1,85 +0,0 @@ ---- -title: OnSchedule -weight: ---- - - -The `OnSchedule` feature allows you to schedule and automate the execution of specific code at predefined intervals or schedules. This feature is designed to simplify recurring tasks and can serve as an alternative to traditional CronJobs. This code is designed to be run at the top level on a Capability, not within a function like `When`. - -> **Note -** To use this feature in dev mode you MUST set `PEPR_WATCH_MODE="true"`. This is because the scheduler only runs on the watch controller and the watch controller is not started by default in dev mode. - -For example: `PEPR_WATCH_MODE="true" npx pepr dev` - -## Best Practices - -`OnSchedule` is designed for targeting intervals equal to or larger than 30 seconds due to the storage mechanism used to archive schedule info. - -## Usage - -Create a recurring task execution by calling the OnSchedule function with the following parameters: - -**name** - The unique name of the schedule. - -**every** - An integer that represents the frequency of the schedule in number of _units_. - -**unit** - A string specifying the time unit for the schedule (e.g., `seconds`, `minute`, `minutes`, `hour`, `hours`). - -**startTime** - (Optional) A UTC timestamp indicating when the schedule should start. All date times must be provided in GMT. If not specified the schedule will start when the schedule store reports ready. - -**run** - A function that contains the code you want to execute on the defined schedule. - -**completions** - (Optional) An integer indicating the maximum number of times the schedule should run to completion. If not specified the schedule will run indefinitely. - - -## Examples - -Update a ConfigMap every 30 seconds: - -```typescript -OnSchedule({ - name: "hello-interval", - every: 30, - unit: "seconds", - run: async () => { - Log.info("Wait 30 seconds and create/update a ConfigMap"); - - try { - await K8s(kind.ConfigMap).Apply({ - metadata: { - name: "last-updated", - namespace: "default", - }, - data: { - count: `${new Date()}`, - }, - }); - - } catch (error) { - Log.error(error, "Failed to apply ConfigMap using server-side apply."); - } - }, - }); -``` - -Refresh an AWSToken every 24 hours, with a delayed start of 30 seconds, running a total of 3 times: - -```typescript - -OnSchedule({ - name: "refresh-aws-token", - every: 24, - unit: "hours", - startTime: new Date(new Date().getTime() + 1000 * 30), - run: async () => { - await RefreshAWSToken(); - }, - completions: 3, -}); -``` - -## Advantages - -- Simplifies scheduling recurring tasks without the need for complex CronJob configurations. -- Provides flexibility to define schedules in a human-readable format. -- Allows you to execute code with precision at specified intervals. -- Supports limiting the number of schedule completions for finite tasks. diff --git a/site/content/en/v0.22.1/_index.md b/site/content/en/v0.22.1/_index.md deleted file mode 100644 index eb7ab70c6..000000000 --- a/site/content/en/v0.22.1/_index.md +++ /dev/null @@ -1,157 +0,0 @@ ---- -title: v0.22.1 -cascade: - type: docs -aliases: [] ---- -# Pepr - -[![Pepr Documentation](https://img.shields.io/badge/docs--d25ba1)](./README/) -[![Npm package license](https://badgen.net/npm/license/pepr)](https://npmjs.com/package/pepr) -[![Known Vulnerabilities](https://snyk.io/test/npm/pepr/badge.svg)](https://snyk.io/advisor/npm-package/pepr) -[![Npm package version](https://badgen.net/npm/v/pepr)](https://npmjs.com/package/pepr) -[![Npm package total downloads](https://badgen.net/npm/dt/pepr)](https://npmjs.com/package/pepr) - -#### **_Type safe Kubernetes middleware for humans_** - - - -Pepr is on a mission to save Kubernetes from the tyranny of YAML, intimidating glue code, bash scripts, and other makeshift solutions. As a Kubernetes controller, Pepr empowers you to define Kubernetes transformations using TypeScript, without software development expertise thanks to plain-english configurations. Pepr transforms a patchwork of forks, scripts, overlays, and other chaos into a cohesive, well-structured, and maintainable system. With Pepr, you can seamlessly transition IT ops tribal knowledge into code, simplifying documentation, testing, validation, and coordination of changes for a more predictable outcome. - -#### _Note: Pepr is still in active development so breaking changes may occur, but will be documented in release notes._ - -## Features - -- Zero-config K8s webhook mutations and validations -- Automatic leader-elected K8s resource watching -- Lightweight async key-value store backed by K8s for stateful operations with the [Pepr Store](./store/) -- Human-readable fluent API for generating [Pepr Capabilities](#capability) -- A fluent API for creating/modifying/watching and server-side applying K8s resources via [Kubernetes Fluent Client](https://github.com/defenseunicorns/kubernetes-fluent-client) -- Generate new K8s resources based off of cluster resource changes -- Perform other exec/API calls based off of cluster resources changes or any other arbitrary schedule -- Out of the box airgap support with [Zarf](https://zarf.dev) -- Entire NPM ecosystem available for advanced operations -- Realtime K8s debugging system for testing/reacting to cluster changes -- Controller network isolation and tamper-resistent module execution -- Least-privilege [RBAC](https://github.com/defenseunicorns/pepr/blob/main/docs/rbac/) generation -- AMD64 and ARM64 support - -## Example Pepr Action - -This quick sample shows how to react to a ConfigMap being created or updated in the cluster. It adds a label and annotation to the ConfigMap and adds some data to the ConfigMap. It also creates a Validating Webhook to make sure the "pepr" label still exists. Finally, after the ConfigMap is created, it logs a message to the Pepr controller and creates or updates a separate ConfigMap with the [kubernetes-fluent-client](https://github.com/defenseunicorns/kubernetes-fluent-client) using server-side apply. For more details see [actions](./actions/) section. - -```ts -When(a.ConfigMap) - .IsCreatedOrUpdated() - .InNamespace("pepr-demo") - .WithLabel("unicorn", "rainbow") - // Create a Mutate Action for the ConfigMap - .Mutate(request => { - // Add a label and annotation to the ConfigMap - request.SetLabel("pepr", "was-here").SetAnnotation("pepr.dev", "annotations-work-too"); - - // Add some data to the ConfigMap - request.Raw.data["doug-says"] = "Pepr is awesome!"; - - // Log a message to the Pepr controller logs - Log.info("A 🦄 ConfigMap was created or updated:"); - }) - // Create a Validate Action for the ConfigMap - .Validate(request => { - // Validate the ConfigMap has a specific label - if (request.HasLabel("pepr")) { - return request.Approve(); - } - - // Reject the ConfigMap if it doesn't have the label - return request.Deny("ConfigMap must have a unicorn label"); - }) - // Watch behaves like controller-runtime's Manager.Watch() - .Watch(async (cm, phase) => { - Log.info(cm, `ConfigMap was ${phase}.`); - - // Apply a ConfigMap using K8s server-side apply (will create or update) - await K8s(kind.ConfigMap).Apply({ - metadata: { - name: "pepr-ssa-demo", - namespace: "pepr-demo-2", - }, - data: { - uid: cm.metadata.uid, - }, - }); - }); -``` - -## Prerequisites - -- [Node.js](https://nodejs.org/en/) v18.0.0+ (even-numbered releases only) - - To ensure compatability and optimal performance, it is recommended to use even-numbered releases of Node.js as they are stable releases and receive long-term support for three years. Odd-numbered releases are experimental and may not be supported by certain libraries utilized in Pepr. - -- [npm](https://www.npmjs.com/) v10.1.0+ - -- Recommended (optional) tools: - - [Visual Studio Code](https://code.visualstudio.com/) for inline debugging and [Pepr Capabilities](#capability) creation. - - A Kubernetes cluster for `npx pepr dev`. Pepr modules include `npm run k3d-setup` if you want to test locally with [K3d](https://k3d.io/) and [Docker](https://www.docker.com/). - -## Wow too many words! tl;dr; - -```bash -# Create a new Pepr Module -npx pepr init - -# If you already have a Kind or K3d cluster you want to use, skip this step -npm run k3d-setup - -# Start playing with Pepr now -# If using another local K8s distro instead of k3d, run `npx pepr dev --host host.docker.internal` -npx pepr dev -kubectl apply -f capabilities/hello-pepr.samples.yaml - -# Be amazed and ⭐️ this repo -``` - - - -## Concepts - -### Module - -A module is the top-level collection of capabilities. It is a single, complete TypeScript project that includes an entry point to load all the configuration and capabilities, along with their actions. During the Pepr build process, each module produces a unique Kubernetes MutatingWebhookConfiguration and ValidatingWebhookConfiguration, along with a secret containing the transpiled and compressed TypeScript code. The webhooks and secret are deployed into the Kubernetes cluster with their own isolated controller. - -See [Module](./module/) for more details. - -### Capability - -A capability is set of related actions that work together to achieve a specific transformation or operation on Kubernetes resources. Capabilities are user-defined and can include one or more actions. They are defined within a Pepr module and can be used in both MutatingWebhookConfigurations and ValidatingWebhookConfigurations. A Capability can have a specific scope, such as mutating or validating, and can be reused in multiple Pepr modules. - -See [Capabilities](./capabilities/) for more details. - -### Action - -Action is a discrete set of behaviors defined in a single function that acts on a given Kubernetes GroupVersionKind (GVK) passed in from Kubernetes. Actions are the atomic operations that are performed on Kubernetes resources by Pepr. - -For example, an action could be responsible for adding a specific label to a Kubernetes resource, or for modifying a specific field in a resource's metadata. Actions can be grouped together within a Capability to provide a more comprehensive set of operations that can be performed on Kubernetes resources. - -There are both `Mutate()` and `Validate()` Actions that can be used to modify or validate Kubernetes resources within the admission controller lifecycle. There is also a `Watch()` Action that can be used to watch for changes to Kubernetes resources that already exist. - -See [actions](./actions/) for more details. - -## Logical Pepr Flow - -![Arch Diagram](./_images/pepr-arch.svg) -[Source Diagram](_images/pepr-arch.svg) - -## TypeScript - -[TypeScript](https://www.typescriptlang.org/) is a strongly typed, object-oriented programming language built on top of JavaScript. It provides optional static typing and a rich type system, allowing developers to write more robust code. TypeScript is transpiled to JavaScript, enabling it to run in any environment that supports JavaScript. Pepr allows you to use JavaScript or TypeScript to write capabilities, but TypeScript is recommended for its type safety and rich type system. You can learn more about TypeScript [here](https://www.typescriptlang.org/docs/handbook/typescript-from-scratch.html). - -## Community - -To join our channel go to [Kubernetes Slack](https://communityinviter.com/apps/kubernetes/community) and join the `#pepr` channel. - - - - - -Made with [contrib.rocks](https://contrib.rocks). diff --git a/site/content/en/v0.22.1/actions.md b/site/content/en/v0.22.1/actions.md deleted file mode 100644 index 52b76cc44..000000000 --- a/site/content/en/v0.22.1/actions.md +++ /dev/null @@ -1,74 +0,0 @@ ---- -title: Actions -weight: ---- - - -An action is a discrete set of behaviors defined in a single function that acts on a given Kubernetes GroupVersionKind (GVK) passed in during the admission controller lifecycle. Actions are the atomic operations that are performed on Kubernetes resources by Pepr. - -For example, an action could be responsible for adding a specific label to a Kubernetes resource, or for modifying a specific field in a resource's metadata. Actions can be grouped together within a Capability to provide a more comprehensive set of operations that can be performed on Kubernetes resources. - -Actions are `Mutate()`, `Validate()`, or `Watch()`. Both Mutate and Validate actions run during the admission controller lifecycle, while Watch actions run in a separate controller that tracks changes to resources, including existing resources. - -Let's look at some example actions that are included in the `HelloPepr` capability that is created for you when you [`pepr init`](../cli#pepr-init): - ---- - -In this first example, Pepr is adding a label and annotation to a ConfigMap with tne name `example-1` when it is created. Comments are added to each line to explain in more detail what is happening. - -```ts -// When(a.) filters which GroupVersionKind (GVK) this action should act on. -When(a.ConfigMap) - // This limits the action to only act on new resources. - .IsCreated() - // This limits the action to only act on resources with the name "example-1". - .WithName("example-1") - // Mutate() is where we define the actual behavior of this action. - .Mutate(request => { - // The request object is a wrapper around the K8s resource that Pepr is acting on. - request - // Here we are adding a label to the ConfigMap. - .SetLabel("pepr", "was-here") - // And here we are adding an annotation. - .SetAnnotation("pepr.dev", "annotations-work-too"); - - // Note that we are not returning anything here. This is because Pepr is tracking the changes in each action automatically. - }); -``` - ---- - -In this example, a Validate action rejects any ConfigMap in the `pepr-demo` namespace that has no data. - -```ts -When(a.ConfigMap) - .IsCreated() - .InNamespace("pepr-demo") - // Validate() is where we define the actual behavior of this action. - .Validate(request => { - // If data exists, approve the request. - if (request.Raw.data) { - return request.Approve(); - } - - // Otherwise, reject the request with a message and optional code. - return request.Deny("ConfigMap must have data"); - }); -``` - ---- - -In this example, a Watch action on the name and phase of any ConfigMap.Watch actions run in a separate controller that tracks changes to resources, including existing resources so that you can react to changes in real-time. It is important to note that Watch actions are not run during the admission controller lifecycle, so they cannot be used to modify or validate resources. They also may run multiple times for the same resource, so it is important to make sure that your Watch actions are idempotent. In a future release, Pepr will provide a better way to control when a Watch action is run to avoid this issue. - -```ts -When(a.ConfigMap) - // Watch() is where we define the actual behavior of this action. - .Watch((cm, phase) => { - Log.info(cm, `ConfigMap ${cm.metadata.name} was ${phase}`); - }); -``` - -``` -There are many more examples in the `HelloPepr` capability that you can use as a reference when creating your own actions. Note that each time you run [`pepr update`](../cli#pepr-update), Pepr will automatically update the `HelloPepr` capability with the latest examples and best practices for you to reference and test directly in your Pepr Module. -``` - diff --git a/site/content/en/v0.22.1/capabilities.md b/site/content/en/v0.22.1/capabilities.md deleted file mode 100644 index 22862ad13..000000000 --- a/site/content/en/v0.22.1/capabilities.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -title: Capabilities -weight: ---- - - -A capability is set of related [actions](../actions/) that work together to achieve a specific transformation or operation on Kubernetes resources. Capabilities are user-defined and can include one or more actions. They are defined within a Pepr module and can be used in both MutatingWebhookConfigurations and ValidatingWebhookConfigurations. A Capability can have a specific scope, such as mutating or validating, and can be reused in multiple Pepr modules. - -When you [`pepr init`](../cli#pepr-init), a `capabilities` directory is created for you. This directory is where you will define your capabilities. You can create as many capabilities as you need, and each capability can contain one or more actions. Pepr also automatically creates a `HelloPepr` capability with a number of example actions to help you get started. - -## Creating a Capability - -Defining a new capability can be done via a [VSCode Snippet](https://code.visualstudio.com/docs/editor/userdefinedsnippets) generated during [`pepr init`](../cli#pepr-init). - -1. Create a new file in the `capabilities` directory with the name of your capability. For example, `capabilities/my-capability.ts`. - -1. Open the new file in VSCode and type `create` in the file. A suggestion should prompt you to generate the content from there. - - - -_If you prefer not to use VSCode, you can also modify or copy the `HelloPepr` capability to meet your needs instead._ - - -## Reusable Capabilities - -Pepr has an NPM org managed by Defense Unicorns, `@pepr`, where capabilities are published for reuse in other Pepr Modules. You can find a list of published capabilities [here](https://www.npmjs.com/search?q=@pepr). - -You also can publish your own Pepr capabilities to NPM and import them. A couple of things you'll want to be aware of when publishing your own capabilities: - -- Reuseable capability versions should use the format `0.x.x` or `0.12.x` as examples to determine compatibility with other reusable capabilities. Before `1.x.x`, we recommend binding to `0.x.x` if you can for maximum compatibility. - -- `pepr.ts` will still be used for local development, but you'll also need to publish an `index.ts` that exports your capabilities. When you build & publish the capability to NPM, you can use `npx pepr build -e index.ts` to generate the code needed for reuse by other Pepr modules. - -- See [Pepr Istio](https://github.com/defenseunicorns/pepr-istio) for an example of a reusable capability. diff --git a/site/content/en/v0.22.1/cli.md b/site/content/en/v0.22.1/cli.md deleted file mode 100644 index 7edef9724..000000000 --- a/site/content/en/v0.22.1/cli.md +++ /dev/null @@ -1,81 +0,0 @@ ---- -title: Pepr CLI -weight: ---- - - -## `pepr init` - -Initialize a new Pepr Module. - -**Options:** - -- `-l, --log-level [level]` - Log level: debug, info, warn, error (default: "info") -- `--skip-post-init` - Skip npm install, git init and VSCode launch - ---- - -## `pepr update` - -Update the current Pepr Module to the latest SDK version and update the global Pepr CLI to the same version. - -**Options:** - -- `-l, --log-level [level]` - Log level: debug, info, warn, error (default: "info") -- `--skip-template-update` - Skip updating the template files - ---- - -## `pepr dev` - -Connect a local cluster to a local version of the Pepr Controller to do real-time debugging of your module. Note -the `pepr dev` assumes a K3d cluster is running by default. If you are working with Kind or another docker-based -K8s distro, you will need to pass the `--host host.docker.internal` option to `pepr dev`. If working with a remote -cluster you will have to give Pepr a host path to your machine that is reachable from the K8s cluster. - -**Options:** - -- `-l, --log-level [level]` - Log level: debug, info, warn, error (default: "info") -- `-h, --host [host]` - Host to listen on (default: "host.k3d.internal") -- `--confirm` - Skip confirmation prompt - ---- - -## `pepr deploy` - -Deploy the current module into a Kubernetes cluster, useful for CI systems. Not recommended for production use. - -**Options:** - -- `-l, --log-level [level]` - Log level: debug, info, warn, error (default: "info") -- `-i, --image [image]` - Override the image tag -- `--confirm` - Skip confirmation prompt - ---- - -## pepr monitor - -Monitor Validations for a given Pepr Module. - -Usage: -```bash -npx pepr monitor [options] -``` - -**Options:** -- `-l, --log-level [level]` - Log level: debug, info, warn, error (default: "info") -- `-h, --help` - Display help for command - ---- -## `pepr build` - -Create a [zarf.yaml](https://zarf.dev) and K8s manifest for the current module. This includes everything needed to deploy Pepr and the current module into production environments. - -**Options:** - -- `-l, --log-level [level]` - Log level: debug, info, warn, error (default: "info") -- `-e, --entry-point [file]` - Specify the entry point file to build with. (default: "pepr.ts") -- `-n, --no-embed` - Disables embedding of deployment files into output module. Useful when creating library modules intended solely for reuse/distribution via NPM -- `-r, --registry-info [/]` - Registry Info: Image registry and username. Note: You must be signed into the registry -- `-o, --output-dir [output directory]` - Define where to place build output -- `--rbac-mode [admin|scoped]` - Rbac Mode: admin, scoped (default: admin) (choices: "admin", "scoped", default: "admin") diff --git a/site/content/en/v0.22.1/customresources.md b/site/content/en/v0.22.1/customresources.md deleted file mode 100644 index c78a93178..000000000 --- a/site/content/en/v0.22.1/customresources.md +++ /dev/null @@ -1,165 +0,0 @@ ---- -title: Importing Custom Resources -weight: ---- - - - -The [Kubernetes Fluent Client](https://github.com/defenseunicorns/kubernetes-fluent-client) supports the creation of TypeScript typings directly from Kubernetes Custom Resource Definitions (CRDs). The files it generates can be directly incorporated into Pepr capabilities and provide a way to work with strongly-typed CRDs. - -For example (below), Istio CRDs can be imported and used as though they were intrinsic Kubernetes resources. - - -## Generating TypeScript Types from CRDs - -Using the kubernetes-fluent-client to produce a new type looks like this: - -```bash -npx kubernetes-fluent-client crd [source] [directory] -``` - -The `crd` command expects a `[source]`, which can be a URL or local file containing the `CustomResourceDefinition(s)`, and a `[directory]` where the generated code will live. - -The following example creates types for the Istio CRDs: - -```bash -user@workstation$ npx kubernetes-fluent-client crd https://raw.githubusercontent.com/istio/istio/master/manifests/charts/base/crds/crd-all.gen.yaml crds - -Attempting to load https://raw.githubusercontent.com/istio/istio/master/manifests/charts/base/crds/crd-all.gen.yaml as a URL - -- Generating extensions.istio.io/v1alpha1 types for WasmPlugin -- Generating networking.istio.io/v1alpha3 types for DestinationRule -- Generating networking.istio.io/v1beta1 types for DestinationRule -- Generating networking.istio.io/v1alpha3 types for EnvoyFilter -- Generating networking.istio.io/v1alpha3 types for Gateway -- Generating networking.istio.io/v1beta1 types for Gateway -- Generating networking.istio.io/v1beta1 types for ProxyConfig -- Generating networking.istio.io/v1alpha3 types for ServiceEntry -- Generating networking.istio.io/v1beta1 types for ServiceEntry -- Generating networking.istio.io/v1alpha3 types for Sidecar -- Generating networking.istio.io/v1beta1 types for Sidecar -- Generating networking.istio.io/v1alpha3 types for VirtualService -- Generating networking.istio.io/v1beta1 types for VirtualService -- Generating networking.istio.io/v1alpha3 types for WorkloadEntry -- Generating networking.istio.io/v1beta1 types for WorkloadEntry -- Generating networking.istio.io/v1alpha3 types for WorkloadGroup -- Generating networking.istio.io/v1beta1 types for WorkloadGroup -- Generating security.istio.io/v1 types for AuthorizationPolicy -- Generating security.istio.io/v1beta1 types for AuthorizationPolicy -- Generating security.istio.io/v1beta1 types for PeerAuthentication -- Generating security.istio.io/v1 types for RequestAuthentication -- Generating security.istio.io/v1beta1 types for RequestAuthentication -- Generating telemetry.istio.io/v1alpha1 types for Telemetry - -✅ Generated 23 files in the istio directory -``` - -Observe that the `kubernetes-fluent-client` has produced the TypeScript types within the `crds` directory. These types can now be utilized in the Pepr module. - -```typescript -user@workstation$ cat crds/proxyconfig-v1beta1.ts -// This file is auto-generated by kubernetes-fluent-client, do not edit manually - -import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; - -export class ProxyConfig extends GenericKind { - /** - * Provides configuration for individual workloads. See more details at: - * https://istio.io/docs/reference/config/networking/proxy-config.html - */ - spec?: Spec; - status?: { [key: string]: any }; -} - -/** - * Provides configuration for individual workloads. See more details at: - * https://istio.io/docs/reference/config/networking/proxy-config.html - */ -export interface Spec { - /** - * The number of worker threads to run. - */ - concurrency?: number; - /** - * Additional environment variables for the proxy. - */ - environmentVariables?: { [key: string]: string }; - /** - * Specifies the details of the proxy image. - */ - image?: Image; - /** - * Optional. - */ - selector?: Selector; -} - -/** - * Specifies the details of the proxy image. - */ -export interface Image { - /** - * The image type of the image. - */ - imageType?: string; -} - -/** - * Optional. - */ -export interface Selector { - /** - * One or more labels that indicate a specific set of pods/VMs on which a policy should be - * applied. - */ - matchLabels?: { [key: string]: string }; -} - -RegisterKind(ProxyConfig, { - group: "networking.istio.io", - version: "v1beta1", - kind: "ProxyConfig", -}); -``` - -## Using new types - -The generated types can be imported into Pepr directly, _there is no additional logic needed to make them to work_. - -```typescript -import { Capability, K8s, Log, a, kind } from "pepr"; - -import { Gateway } from "../crds/gateway-v1beta1"; -import { - PurpleDestination, - VirtualService, -} from "../crds/virtualservice-v1beta1"; - -export const IstioVirtualService = new Capability({ - name: "istio-virtual-service", - description: "Generate Istio VirtualService resources", -}); - -// Use the 'When' function to create a new action -const { When, Store } = IstioVirtualService; - -// Define the configuration keys -enum config { - Gateway = "uds/istio-gateway", - Host = "uds/istio-host", - Port = "uds/istio-port", - Domain = "uds/istio-domain", -} - -// Define the valid gateway names -const validGateway = ["admin", "tenant", "passthrough"]; - -// Watch Gateways to get the HTTPS domain for each gateway -When(Gateway) - .IsCreatedOrUpdated() - .WithLabel(config.Domain) - .Watch(vs => { - // Store the domain for the gateway - Store.setItem(vs.metadata.name, vs.metadata.labels[config.Domain]); - }); -``` diff --git a/site/content/en/v0.22.1/metrics.md b/site/content/en/v0.22.1/metrics.md deleted file mode 100644 index e91699726..000000000 --- a/site/content/en/v0.22.1/metrics.md +++ /dev/null @@ -1,113 +0,0 @@ ---- -title: /metrics Endpoint Documentation -weight: ---- - - -The `/metrics` endpoint provides metrics for the application that are collected via the `MetricsCollector` class. It uses the `prom-client` library and performance hooks from Node.js to gather and expose the metrics data in a format that can be scraped by Prometheus. - -## Metrics Exposed - -The `MetricsCollector` exposes the following metrics: - -- `pepr_errors`: A counter that increments when an error event occurs in the application. -- `pepr_alerts`: A counter that increments when an alert event is triggered in the application. -- `pepr_Mutate`: A summary that provides the observed durations of mutation events in the application. -- `pepr_Validate`: A summary that provides the observed durations of validation events in the application. - -## API Details - -**Method:** GET - -**URL:** `/metrics` - -**Response Type:** text/plain - -**Status Codes:** -- 200 OK: On success, returns the current metrics from the application. - -**Response Body:** -The response body is a plain text representation of the metrics data, according to the Prometheus exposition formats. It includes the metrics mentioned above. - -## Examples - -### Request - -```plaintext -GET /metrics -``` - -### Response -```plaintext - `# HELP pepr_errors Mutation/Validate errors encountered - # TYPE pepr_errors counter - pepr_errors 5 - - # HELP pepr_alerts Mutation/Validate bad api token received - # TYPE pepr_alerts counter - pepr_alerts 10 - - # HELP pepr_Mutate Mutation operation summary - # TYPE pepr_Mutate summary - pepr_Mutate{quantile="0.01"} 100.60707900021225 - pepr_Mutate{quantile="0.05"} 100.60707900021225 - pepr_Mutate{quantile="0.5"} 100.60707900021225 - pepr_Mutate{quantile="0.9"} 100.60707900021225 - pepr_Mutate{quantile="0.95"} 100.60707900021225 - pepr_Mutate{quantile="0.99"} 100.60707900021225 - pepr_Mutate{quantile="0.999"} 100.60707900021225 - pepr_Mutate_sum 100.60707900021225 - pepr_Mutate_count 1 - - # HELP pepr_Validate Validation operation summary - # TYPE pepr_Validate summary - pepr_Validate{quantile="0.01"} 201.19413900002837 - pepr_Validate{quantile="0.05"} 201.19413900002837 - pepr_Validate{quantile="0.5"} 201.2137690000236 - pepr_Validate{quantile="0.9"} 201.23339900001884 - pepr_Validate{quantile="0.95"} 201.23339900001884 - pepr_Validate{quantile="0.99"} 201.23339900001884 - pepr_Validate{quantile="0.999"} 201.23339900001884 - pepr_Validate_sum 402.4275380000472 - pepr_Validate_count 2 -``` - -## Prometheus Operator - -If using the Prometheus Operator, the following `ServiceMonitor` example manifests can be used to scrape the `/metrics` endpoint for the `admission` and `watcher` controllers. - -```yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: admission -spec: - selector: - matchLabels: - pepr.dev/controller: admission - namespaceSelector: - matchNames: - - pepr-system - endpoints: - - targetPort: 3000 - scheme: https - tlsConfig: - insecureSkipVerify: true ---- -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: watcher -spec: - selector: - matchLabels: - pepr.dev/controller: watcher - namespaceSelector: - matchNames: - - pepr-system - endpoints: - - targetPort: 3000 - scheme: https - tlsConfig: - insecureSkipVerify: true -``` diff --git a/site/content/en/v0.22.1/module.md b/site/content/en/v0.22.1/module.md deleted file mode 100644 index 9cc1204be..000000000 --- a/site/content/en/v0.22.1/module.md +++ /dev/null @@ -1,94 +0,0 @@ ---- -title: Pepr Module -weight: ---- - - -Each Pepr Module is it's own Typescript project, produced by [`pepr init`](../cli#pepr-init). Typically a module is maintained by a unique group or system. For example, a module for internal [Zarf](https://zarf.dev/) mutations would be different from a module for [Big Bang](https://p1.dso.mil/products/big-bang). An important idea with modules is that they are _wholly independent of one another_. This means that 2 different modules can be on completely different versions of Pepr and any other dependencies; their only interaction is through the standard K8s interfaces like any other webhook or controller. - -## Module development lifecycle - -1. **Create the module**: - - Use [`pepr init`](../cli#pepr-init) to generate a new module. - -1. **Quickly validate system setup**: - - Every new module includes a sample Pepr Capability called `HelloPepr`. By default, - this capability is deployed and monitoring the `pepr-demo` namespace. There is a sample - yaml also included you can use to see Pepr in your cluster. Here's the quick steps to do - that after `pepr init`: - - ```bash - # cd to the newly-created Pepr module folder - cd my-module-name - - # If you don't already have a local K8s cluster, you can set one up with k3d - npm run k3d-setup - - # Launch pepr dev mode - # If using another local K8s distro instead of k3d, use `pepr dev --host host.docker.internal` - pepr dev - - # From another terminal, apply the sample yaml - kubectl apply -f capabilities/hello-pepr.samples.yaml - - # Verify the configmaps were transformed using kubectl, k9s or another tool - ``` - -1. **Create your custom Pepr Capabilities** - - Now that you have confirmed Pepr is working, you can now create new [capabilities](../capabilities/). You'll also want to disable the `HelloPepr` capability in your module (`pepr.ts`) before pushing to production. You can disable by commenting out or deleting the `HelloPepr` variable below: - - ```typescript - new PeprModule(cfg, [ - // Remove or comment the line below to disable the HelloPepr capability - HelloPepr, - - // Your additional capabilities go here - ]); - ``` - - _Note: if you also delete the `capabilities/hello-pepr.ts` file, it will be added again on the next [`pepr update`](../cli#pepr-update) so you have the latest examples usages from the Pepr SDK. Therefore, it is sufficient to remove the entry from your `pepr.ts` module - config._ - -1. **Build and deploy the Pepr Module** - - Most of the time, you'll likely be iterating on a module with `pepr dev` for real-time feedback and validation Once you are ready to move beyond the local dev environment, Pepr provides deployment and build tools you can use. - - `pepr deploy` - you can use this command to build your module and deploy it into any K8s cluster your current `kubecontext` has access to. This setup is ideal for CI systems during testing, but is not recommended for production use. See [`pepr deploy`](../cli#pepr-deploy) for more info. - -## Advanced Module Configuration - -By default, when you run `pepr init`, the module is not configured with any additional options. Currently, there are 3 options you can configure: - -- `deferStart` - if set to `true`, the module will not start automatically. You will need to call `start()` manually. This is useful if you want to do some additional setup before the module controller starts. You can also use this to change the default port that the controller listens on. - -- `beforeHook` - an optional callback that will be called before every request is processed. This is useful if you want to do some additional logging or validation before the request is processed. - -- `afterHook` - an optional callback that will be called after every request is processed. This is useful if you want to do some additional logging or validation after the request is processed. - -You can configure each of these by modifying the `pepr.ts` file in your module. Here's an example of how you would configure each of these options: - -```typescript -const module = new PeprModule( - cfg, - [ - // Your capabilities go here - ], - { - deferStart: true, - - beforeHook: req => { - // Any actions you want to perform before the request is processed, including modifying the request. - }, - - afterHook: res => { - // Any actions you want to perform after the request is processed, including modifying the response. - }, - } -); - -// Do any additional setup before starting the controller -module.start(); -``` diff --git a/site/content/en/v0.22.1/rbac.md b/site/content/en/v0.22.1/rbac.md deleted file mode 100644 index 004eccf89..000000000 --- a/site/content/en/v0.22.1/rbac.md +++ /dev/null @@ -1,152 +0,0 @@ ---- -title: RBAC Modes -weight: ---- - - -During the build phase of Pepr (`npx pepr build --rbac-mode [admin|scoped]`), you have the option to specify the desired RBAC mode through specific flags. This allows fine-tuning the level of access granted based on requirements and preferences. - -## Modes - -**admin** - -```bash -npx pepr build --rbac-mode admin -``` - -**Description:** The service account is given cluster-admin permissions, granting it full, unrestricted access across the entire cluster. This can be useful for administrative tasks where broad permissions are necessary. However, use this mode with caution, as it can pose security risks if misused. This is the default mode. - -**scoped** - -```bash -npx pepr build --rbac-mode scoped -``` - -**Description:** The service account is provided just enough permissions to perform its required tasks, and no more. This mode is recommended for most use cases as it limits potential attack vectors and aligns with best practices in security. _The admission controller's primary mutating or validating action doesn't require a ClusterRole (as the request is not persisted or executed while passing through admission control), if you have a use case where the admission controller's logic involves reading other Kubernetes resources or taking additional actions beyond just validating, mutating, or watching the incoming request, appropriate RBAC settings should be reflected in the ClusterRole. See how in [Updating the ClusterRole](#updating-the-clusterrole)._ - -## Debugging RBAC Issues - -If encountering unexpected behaviors in Pepr while running in scoped mode, check to see if they are related to RBAC. - -1. Check Deployment logs for RBAC errors: - -```bash -kubectl logs -n pepr-system -l app | jq - -# example output -{ - "level": 50, - "time": 1697983053758, - "pid": 16, - "hostname": "pepr-static-test-watcher-745d65857d-pndg7", - "data": { - "kind": "Status", - "apiVersion": "v1", - "metadata": {}, - "status": "Failure", - "message": "configmaps \"pepr-ssa-demo\" is forbidden: User \"system:serviceaccount:pepr-system:pepr-static-test\" cannot patch resource \"configmaps\" in API group \"\" in the namespace \"pepr-demo-2\"", - "reason": "Forbidden", - "details": { - "name": "pepr-ssa-demo", - "kind": "configmaps" - }, - "code": 403 - }, - "ok": false, - "status": 403, - "statusText": "Forbidden", - "msg": "Dooes the ServiceAccount permissions to CREATE and PATCH this ConfigMap?" -} -``` - -2. Verify ServiceAccount Permissions with `kubectl auth can-i` - -```bash -SA=$(kubectl get deploy -n pepr-system -o=jsonpath='{range .items[0]}{.spec.template.spec.serviceAccountName}{"\n"}{end}') - -# Can i create configmaps as the service account in pepr-demo-2? -kubectl auth can-i create cm --as=system:serviceaccount:pepr-system:$SA -n pepr-demo-2 - -# example output: no -``` - -3. Describe the ClusterRole - -```bash -SA=$(kubectl get deploy -n pepr-system -o=jsonpath='{range .items[0]}{.spec.template.spec.serviceAccountName}{"\n"}{end}') - -kubectl describe clusterrole $SA - -# example output: -Name: pepr-static-test -Labels: -Annotations: -PolicyRule: - Resources Non-Resource URLs Resource Names Verbs - --------- ----------------- -------------- ----- - peprstores.pepr.dev [] [] [create delete get list patch update watch] - configmaps [] [] [watch] - namespaces [] [] [watch] -``` - -## Updating the ClusterRole - -As discussed in the [Modes](#modes) section, the admission controller's primary mutating or validating action doesn't require a ClusterRole (as the request is not persisted or executed while passing through admission control), if you have a use case where the admission controller's logic involves reading other Kubernetes resources or taking additional actions beyond just validating, mutating, or watching the incoming request, appropriate RBAC settings should be reflected in the ClusterRole. - -Step 1: Figure out the desired permissions. (`kubectl create clusterrole --help` is a good place to start figuring out the syntax) - -```bash - kubectl create clusterrole configMapApplier --verb=create,patch --resource=configmap --dry-run=client -oyaml - - # example output -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: configMapApplier -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - patch -``` - -Step 2: Update the ClusterRole in the `dist` folder. - -```yaml -... -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: pepr-static-test -rules: - - apiGroups: - - pepr.dev - resources: - - peprstores - verbs: - - create - - get - - patch - - watch - - apiGroups: - - '' - resources: - - namespaces - verbs: - - watch - - apiGroups: - - '' - resources: - - configmaps - verbs: - - watch - - create # New - - patch # New -... -``` - -Step 3: Apply the updated configuration diff --git a/site/content/en/v0.22.1/store.md b/site/content/en/v0.22.1/store.md deleted file mode 100644 index 2f975cb49..000000000 --- a/site/content/en/v0.22.1/store.md +++ /dev/null @@ -1,47 +0,0 @@ ---- -title: Pepr Store A Lightweight Key-Value Store for Pepr Modules -weight: ---- - - -The nature of admission controllers and general watch operations (the `Mutate`, `Validate` and `Watch` actions in Pepr) make some types of complex and long-running operations difficult. There are also times when you need to share data between different actions. While you could manually create your own K8s resources and manage their cleanup, this can be very hard to track and keep performant at scale. - -The Pepr Store solves this by exposing a simple, [Web Storage API](https://developer.mozilla.org/en-US/docs/Web/API/Storage)-compatible mechanism for use within capabilities. Additionally, as Pepr runs multiple replicas of the admission controller along with a watch controller, the Pepr Store provides a unique way to share data between these different instances automatically. - -Each Pepr Capability has a `Store` instance that can be used to get, set and delete data as well as subscribe to any changes to the Store. Behind the scenes, all capability store instances in a single Pepr Module are stored within a single CRD in the cluster. This CRD is automatically created when the Pepr Module is deployed. Care is taken to make the read and write operations as efficient as possible by using K8s watches, batch processing and patch operations for writes. - -## Key Features - -- **Asynchronous Key-Value Store**: Provides an asynchronous interface for storing small amounts of data, making it ideal for sharing information between various actions and capabilities. -- **Web Storage API Compatibility**: The store's API is aligned with the standard [Web Storage API](https://developer.mozilla.org/en-US/docs/Web/API/Storage), simplifying the learning curve. -- **Real-time Updates**: The `.subscribe()` and `onReady()` methods enable real-time updates, allowing you to react to changes in the data store instantaneously. - -- **Automatic CRD Management**: Each Pepr Module has its data stored within a single Custom Resource Definition (CRD) that is automatically created upon deployment. -- **Efficient Operations**: Pepr Store uses Kubernetes watches, batch processing, and patch operations to make read and write operations as efficient as possible. - -## Quick Start - -```typescript -// Example usage for Pepr Store -Store.setItem("example-1", "was-here"); -Store.setItem("example-1-data", JSON.stringify(request.Raw.data)); -Store.onReady(data => { - Log.info(data, "Pepr Store Ready"); -}); -const unsubscribe = Store.subscribe(data => { - Log.info(data, "Pepr Store Updated"); - unsubscribe(); -}); -``` - -## API Reference - -### Methods - -- `getItem(key: string)`: Retrieves a value by its key. Returns `null` if the key doesn't exist. -- `setItem(key: string, value: string)`: Sets a value for a given key. Creates a new key-value pair if the key doesn't exist. -- `setItemAndWait(key: string, value: string)`: Sets a value for a given key. Creates a new key-value pair if the key doesn't exist. Returns a promise when the new key and value show up in the store. Should only be used on a `Watch` to avoid [timeouts](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#timeouts). -- `removeItem(key: string)`: Deletes a key-value pair by its key. -- `clear()`: Clears all key-value pairs from the store. -- `subscribe(listener: DataReceiver)`: Subscribes to store updates. -- `onReady(callback: DataReceiver)`: Executes a callback when the store is ready. diff --git a/site/content/en/v0.22.1/webassembly.md b/site/content/en/v0.22.1/webassembly.md deleted file mode 100644 index b36671e82..000000000 --- a/site/content/en/v0.22.1/webassembly.md +++ /dev/null @@ -1,188 +0,0 @@ ---- -title: WASM Support Running WebAssembly in Pepr Guide -weight: ---- - - -Pepr fully supports WebAssembly. Depending on the language used to generate the WASM, certain files can be too large to fit into a `Secret` or `ConfigMap`. Due to this limitation, users have the ability to incorporate `*.wasm` and any other essential files during the build phase, which are then embedded into the Pepr Controller container. This is achieved through adding an array of files to the `includedFiles` section under `pepr` in the `package.json`. - -> **NOTE -** In order to instantiate the WebAsembly module in TypeScript, you need the WebAssembly type. This is accomplished through add the "DOM" to the `lib` array in the `compilerOptions` section of the `tsconfig.json`. Ex: `"lib": ["ES2022", "DOM"]`. Be aware that adding the DOM will add a lot of extra types to your project and your developer experience will be impacted in terms of the intellisense. - - -## High-Level Overview - -WASM support is achieved through adding files as layers atop the Pepr controller image, these files are then able to be read by the individual capabilities. The key components of WASM support are: - -- Add files to the **base** of the Pepr module. -- Reference the files in the `includedFiles` section of the `pepr` block of the `package.json` -- Run `npx pepr build` with the `-r ` option specifying registry info. Ex: `npx pepr build -r docker.io/cmwylie19` -- Pepr builds and pushes a custom image that is used in the `Deployment`. - -## Using WASM Support - -### Creating a WASM Module in Go - -Create a simple Go function that you want to call from your Pepr module - -```go -package main - -import ( - "fmt" - "syscall/js" -) - -func concats(this js.Value, args []js.Value) interface{} { - fmt.Println("PeprWASM!") - stringOne := args[0].String() - stringTwo := args[1].String() - return fmt.Sprintf("%s%s", stringOne, stringTwo) -} - -func main() { - done := make(chan struct{}, 0) - js.Global().Set("concats", js.FuncOf(concats)) - <-done -} -``` - -Compile it to a wasm target and move it to your Pepr module - -```bash -GOOS=js GOARCH=wasm go build -o main.wasm -cp main.wasm $YOUR_PEPR_MODULE/ -``` - -Copy the `wasm_exec.js` from `GOROOT` to your Pepr Module - -```bash -cp "$(go env GOROOT)/misc/wasm/wasm_exec.js" $YOUR_PEPR_MODULE/ -``` - -Update the polyfill to add `globalThis.crypto` in the `wasm_exec.js` since we are not running in the browser. This is needed directly under: `(() => {` - - -```javascript -// Initialize the polyfill -if (typeof globalThis.crypto === 'undefined') { - globalThis.crypto = { - getRandomValues: (array) => { - for (let i = 0; i < array.length; i++) { - array[i] = Math.floor(Math.random() * 256); - } - }, - }; -} -``` - - -### Configure Pepr to use WASM - -After adding the files to the root of the Pepr module, reference those files in the `package.json`: - -```json -{ - "name": "pepr-test-module", - "version": "0.0.1", - "description": "A test module for Pepr", - "keywords": [ - "pepr", - "k8s", - "policy-engine", - "pepr-module", - "security" - ], - "engines": { - "node": ">=18.0.0" - }, - "pepr": { - "name": "pepr-test-module", - "uuid": "static-test", - "onError": "ignore", - "alwaysIgnore": { - "namespaces": [], - "labels": [] - }, - "includedFiles":[ - "main.wasm", - "wasm_exec.js" - ] - }, - ... -} -``` - -Update the `tsconfig.json` to add "DOM" to the `compilerOptions` lib: - -```json -{ - "compilerOptions": { - "allowSyntheticDefaultImports": true, - "declaration": true, - "declarationMap": true, - "emitDeclarationOnly": true, - "esModuleInterop": true, - "lib": [ - "ES2022", - "DOM" // <- Add this - ], - "module": "CommonJS", - "moduleResolution": "node", - "outDir": "dist", - "resolveJsonModule": true, - "rootDir": ".", - "strict": false, - "target": "ES2022", - "useUnknownInCatchVariables": false - }, - "include": [ - "**/*.ts" - ] -} -``` - -### Call WASM functions from TypeScript - -Import the `wasm_exec.js` in the `pepr.ts` - -```javascript -import "./wasm_exec.js"; -``` - -Create a helper function to load the wasm file in a capability and call it during an event of your choice - -```typescript -async function callWASM(a,b) { - const go = new globalThis.Go(); - - const wasmData = readFileSync("main.wasm"); - var concated: string; - - await WebAssembly.instantiate(wasmData, go.importObject).then(wasmModule => { - go.run(wasmModule.instance); - - concated = global.concats(a,b); - }); - return concated; -} - -When(a.Pod) -.IsCreated() -.Mutate(async pod => { - try { - let label_value = await callWASM("loves","wasm") - pod.SetLabel("pepr",label_value) - } - catch(err) { - Log.error(err); - } -}); -``` - -### Run Pepr Build - -Build your Pepr module with the registry specified. - -```bash -npx pepr build -r docker.io/defenseunicorns -``` diff --git a/site/content/en/v0.22.2/OnSchedule.md b/site/content/en/v0.22.2/OnSchedule.md deleted file mode 100644 index c663f24d9..000000000 --- a/site/content/en/v0.22.2/OnSchedule.md +++ /dev/null @@ -1,85 +0,0 @@ ---- -title: OnSchedule -weight: ---- - - -The `OnSchedule` feature allows you to schedule and automate the execution of specific code at predefined intervals or schedules. This feature is designed to simplify recurring tasks and can serve as an alternative to traditional CronJobs. This code is designed to be run at the top level on a Capability, not within a function like `When`. - -> **Note -** To use this feature in dev mode you MUST set `PEPR_WATCH_MODE="true"`. This is because the scheduler only runs on the watch controller and the watch controller is not started by default in dev mode. - -For example: `PEPR_WATCH_MODE="true" npx pepr dev` - -## Best Practices - -`OnSchedule` is designed for targeting intervals equal to or larger than 30 seconds due to the storage mechanism used to archive schedule info. - -## Usage - -Create a recurring task execution by calling the OnSchedule function with the following parameters: - -**name** - The unique name of the schedule. - -**every** - An integer that represents the frequency of the schedule in number of _units_. - -**unit** - A string specifying the time unit for the schedule (e.g., `seconds`, `minute`, `minutes`, `hour`, `hours`). - -**startTime** - (Optional) A UTC timestamp indicating when the schedule should start. All date times must be provided in GMT. If not specified the schedule will start when the schedule store reports ready. - -**run** - A function that contains the code you want to execute on the defined schedule. - -**completions** - (Optional) An integer indicating the maximum number of times the schedule should run to completion. If not specified the schedule will run indefinitely. - - -## Examples - -Update a ConfigMap every 30 seconds: - -```typescript -OnSchedule({ - name: "hello-interval", - every: 30, - unit: "seconds", - run: async () => { - Log.info("Wait 30 seconds and create/update a ConfigMap"); - - try { - await K8s(kind.ConfigMap).Apply({ - metadata: { - name: "last-updated", - namespace: "default", - }, - data: { - count: `${new Date()}`, - }, - }); - - } catch (error) { - Log.error(error, "Failed to apply ConfigMap using server-side apply."); - } - }, - }); -``` - -Refresh an AWSToken every 24 hours, with a delayed start of 30 seconds, running a total of 3 times: - -```typescript - -OnSchedule({ - name: "refresh-aws-token", - every: 24, - unit: "hours", - startTime: new Date(new Date().getTime() + 1000 * 30), - run: async () => { - await RefreshAWSToken(); - }, - completions: 3, -}); -``` - -## Advantages - -- Simplifies scheduling recurring tasks without the need for complex CronJob configurations. -- Provides flexibility to define schedules in a human-readable format. -- Allows you to execute code with precision at specified intervals. -- Supports limiting the number of schedule completions for finite tasks. diff --git a/site/content/en/v0.22.2/_index.md b/site/content/en/v0.22.2/_index.md deleted file mode 100644 index 8a2608bd7..000000000 --- a/site/content/en/v0.22.2/_index.md +++ /dev/null @@ -1,157 +0,0 @@ ---- -title: v0.22.2 -cascade: - type: docs -aliases: ["/current/"] ---- -# Pepr - -[![Pepr Documentation](https://img.shields.io/badge/docs--d25ba1)](./README/) -[![Npm package license](https://badgen.net/npm/license/pepr)](https://npmjs.com/package/pepr) -[![Known Vulnerabilities](https://snyk.io/test/npm/pepr/badge.svg)](https://snyk.io/advisor/npm-package/pepr) -[![Npm package version](https://badgen.net/npm/v/pepr)](https://npmjs.com/package/pepr) -[![Npm package total downloads](https://badgen.net/npm/dt/pepr)](https://npmjs.com/package/pepr) - -#### **_Type safe Kubernetes middleware for humans_** - - - -Pepr is on a mission to save Kubernetes from the tyranny of YAML, intimidating glue code, bash scripts, and other makeshift solutions. As a Kubernetes controller, Pepr empowers you to define Kubernetes transformations using TypeScript, without software development expertise thanks to plain-english configurations. Pepr transforms a patchwork of forks, scripts, overlays, and other chaos into a cohesive, well-structured, and maintainable system. With Pepr, you can seamlessly transition IT ops tribal knowledge into code, simplifying documentation, testing, validation, and coordination of changes for a more predictable outcome. - -#### _Note: Pepr is still in active development so breaking changes may occur, but will be documented in release notes._ - -## Features - -- Zero-config K8s webhook mutations and validations -- Automatic leader-elected K8s resource watching -- Lightweight async key-value store backed by K8s for stateful operations with the [Pepr Store](./store/) -- Human-readable fluent API for generating [Pepr Capabilities](#capability) -- A fluent API for creating/modifying/watching and server-side applying K8s resources via [Kubernetes Fluent Client](https://github.com/defenseunicorns/kubernetes-fluent-client) -- Generate new K8s resources based off of cluster resource changes -- Perform other exec/API calls based off of cluster resources changes or any other arbitrary schedule -- Out of the box airgap support with [Zarf](https://zarf.dev) -- Entire NPM ecosystem available for advanced operations -- Realtime K8s debugging system for testing/reacting to cluster changes -- Controller network isolation and tamper-resistent module execution -- Least-privilege [RBAC](https://github.com/defenseunicorns/pepr/blob/main/docs/rbac/) generation -- AMD64 and ARM64 support - -## Example Pepr Action - -This quick sample shows how to react to a ConfigMap being created or updated in the cluster. It adds a label and annotation to the ConfigMap and adds some data to the ConfigMap. It also creates a Validating Webhook to make sure the "pepr" label still exists. Finally, after the ConfigMap is created, it logs a message to the Pepr controller and creates or updates a separate ConfigMap with the [kubernetes-fluent-client](https://github.com/defenseunicorns/kubernetes-fluent-client) using server-side apply. For more details see [actions](./actions/) section. - -```ts -When(a.ConfigMap) - .IsCreatedOrUpdated() - .InNamespace("pepr-demo") - .WithLabel("unicorn", "rainbow") - // Create a Mutate Action for the ConfigMap - .Mutate(request => { - // Add a label and annotation to the ConfigMap - request.SetLabel("pepr", "was-here").SetAnnotation("pepr.dev", "annotations-work-too"); - - // Add some data to the ConfigMap - request.Raw.data["doug-says"] = "Pepr is awesome!"; - - // Log a message to the Pepr controller logs - Log.info("A 🦄 ConfigMap was created or updated:"); - }) - // Create a Validate Action for the ConfigMap - .Validate(request => { - // Validate the ConfigMap has a specific label - if (request.HasLabel("pepr")) { - return request.Approve(); - } - - // Reject the ConfigMap if it doesn't have the label - return request.Deny("ConfigMap must have a unicorn label"); - }) - // Watch behaves like controller-runtime's Manager.Watch() - .Watch(async (cm, phase) => { - Log.info(cm, `ConfigMap was ${phase}.`); - - // Apply a ConfigMap using K8s server-side apply (will create or update) - await K8s(kind.ConfigMap).Apply({ - metadata: { - name: "pepr-ssa-demo", - namespace: "pepr-demo-2", - }, - data: { - uid: cm.metadata.uid, - }, - }); - }); -``` - -## Prerequisites - -- [Node.js](https://nodejs.org/en/) v18.0.0+ (even-numbered releases only) - - To ensure compatability and optimal performance, it is recommended to use even-numbered releases of Node.js as they are stable releases and receive long-term support for three years. Odd-numbered releases are experimental and may not be supported by certain libraries utilized in Pepr. - -- [npm](https://www.npmjs.com/) v10.1.0+ - -- Recommended (optional) tools: - - [Visual Studio Code](https://code.visualstudio.com/) for inline debugging and [Pepr Capabilities](#capability) creation. - - A Kubernetes cluster for `npx pepr dev`. Pepr modules include `npm run k3d-setup` if you want to test locally with [K3d](https://k3d.io/) and [Docker](https://www.docker.com/). - -## Wow too many words! tl;dr; - -```bash -# Create a new Pepr Module -npx pepr init - -# If you already have a Kind or K3d cluster you want to use, skip this step -npm run k3d-setup - -# Start playing with Pepr now -# If using another local K8s distro instead of k3d, run `npx pepr dev --host host.docker.internal` -npx pepr dev -kubectl apply -f capabilities/hello-pepr.samples.yaml - -# Be amazed and ⭐️ this repo -``` - - - -## Concepts - -### Module - -A module is the top-level collection of capabilities. It is a single, complete TypeScript project that includes an entry point to load all the configuration and capabilities, along with their actions. During the Pepr build process, each module produces a unique Kubernetes MutatingWebhookConfiguration and ValidatingWebhookConfiguration, along with a secret containing the transpiled and compressed TypeScript code. The webhooks and secret are deployed into the Kubernetes cluster with their own isolated controller. - -See [Module](./module/) for more details. - -### Capability - -A capability is set of related actions that work together to achieve a specific transformation or operation on Kubernetes resources. Capabilities are user-defined and can include one or more actions. They are defined within a Pepr module and can be used in both MutatingWebhookConfigurations and ValidatingWebhookConfigurations. A Capability can have a specific scope, such as mutating or validating, and can be reused in multiple Pepr modules. - -See [Capabilities](./capabilities/) for more details. - -### Action - -Action is a discrete set of behaviors defined in a single function that acts on a given Kubernetes GroupVersionKind (GVK) passed in from Kubernetes. Actions are the atomic operations that are performed on Kubernetes resources by Pepr. - -For example, an action could be responsible for adding a specific label to a Kubernetes resource, or for modifying a specific field in a resource's metadata. Actions can be grouped together within a Capability to provide a more comprehensive set of operations that can be performed on Kubernetes resources. - -There are both `Mutate()` and `Validate()` Actions that can be used to modify or validate Kubernetes resources within the admission controller lifecycle. There is also a `Watch()` Action that can be used to watch for changes to Kubernetes resources that already exist. - -See [actions](./actions/) for more details. - -## Logical Pepr Flow - -![Arch Diagram](./_images/pepr-arch.svg) -[Source Diagram](_images/pepr-arch.svg) - -## TypeScript - -[TypeScript](https://www.typescriptlang.org/) is a strongly typed, object-oriented programming language built on top of JavaScript. It provides optional static typing and a rich type system, allowing developers to write more robust code. TypeScript is transpiled to JavaScript, enabling it to run in any environment that supports JavaScript. Pepr allows you to use JavaScript or TypeScript to write capabilities, but TypeScript is recommended for its type safety and rich type system. You can learn more about TypeScript [here](https://www.typescriptlang.org/docs/handbook/typescript-from-scratch.html). - -## Community - -To join our channel go to [Kubernetes Slack](https://communityinviter.com/apps/kubernetes/community) and join the `#pepr` channel. - - - - - -Made with [contrib.rocks](https://contrib.rocks). diff --git a/site/content/en/v0.22.2/actions.md b/site/content/en/v0.22.2/actions.md deleted file mode 100644 index 52b76cc44..000000000 --- a/site/content/en/v0.22.2/actions.md +++ /dev/null @@ -1,74 +0,0 @@ ---- -title: Actions -weight: ---- - - -An action is a discrete set of behaviors defined in a single function that acts on a given Kubernetes GroupVersionKind (GVK) passed in during the admission controller lifecycle. Actions are the atomic operations that are performed on Kubernetes resources by Pepr. - -For example, an action could be responsible for adding a specific label to a Kubernetes resource, or for modifying a specific field in a resource's metadata. Actions can be grouped together within a Capability to provide a more comprehensive set of operations that can be performed on Kubernetes resources. - -Actions are `Mutate()`, `Validate()`, or `Watch()`. Both Mutate and Validate actions run during the admission controller lifecycle, while Watch actions run in a separate controller that tracks changes to resources, including existing resources. - -Let's look at some example actions that are included in the `HelloPepr` capability that is created for you when you [`pepr init`](../cli#pepr-init): - ---- - -In this first example, Pepr is adding a label and annotation to a ConfigMap with tne name `example-1` when it is created. Comments are added to each line to explain in more detail what is happening. - -```ts -// When(a.) filters which GroupVersionKind (GVK) this action should act on. -When(a.ConfigMap) - // This limits the action to only act on new resources. - .IsCreated() - // This limits the action to only act on resources with the name "example-1". - .WithName("example-1") - // Mutate() is where we define the actual behavior of this action. - .Mutate(request => { - // The request object is a wrapper around the K8s resource that Pepr is acting on. - request - // Here we are adding a label to the ConfigMap. - .SetLabel("pepr", "was-here") - // And here we are adding an annotation. - .SetAnnotation("pepr.dev", "annotations-work-too"); - - // Note that we are not returning anything here. This is because Pepr is tracking the changes in each action automatically. - }); -``` - ---- - -In this example, a Validate action rejects any ConfigMap in the `pepr-demo` namespace that has no data. - -```ts -When(a.ConfigMap) - .IsCreated() - .InNamespace("pepr-demo") - // Validate() is where we define the actual behavior of this action. - .Validate(request => { - // If data exists, approve the request. - if (request.Raw.data) { - return request.Approve(); - } - - // Otherwise, reject the request with a message and optional code. - return request.Deny("ConfigMap must have data"); - }); -``` - ---- - -In this example, a Watch action on the name and phase of any ConfigMap.Watch actions run in a separate controller that tracks changes to resources, including existing resources so that you can react to changes in real-time. It is important to note that Watch actions are not run during the admission controller lifecycle, so they cannot be used to modify or validate resources. They also may run multiple times for the same resource, so it is important to make sure that your Watch actions are idempotent. In a future release, Pepr will provide a better way to control when a Watch action is run to avoid this issue. - -```ts -When(a.ConfigMap) - // Watch() is where we define the actual behavior of this action. - .Watch((cm, phase) => { - Log.info(cm, `ConfigMap ${cm.metadata.name} was ${phase}`); - }); -``` - -``` -There are many more examples in the `HelloPepr` capability that you can use as a reference when creating your own actions. Note that each time you run [`pepr update`](../cli#pepr-update), Pepr will automatically update the `HelloPepr` capability with the latest examples and best practices for you to reference and test directly in your Pepr Module. -``` - diff --git a/site/content/en/v0.22.2/capabilities.md b/site/content/en/v0.22.2/capabilities.md deleted file mode 100644 index 22862ad13..000000000 --- a/site/content/en/v0.22.2/capabilities.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -title: Capabilities -weight: ---- - - -A capability is set of related [actions](../actions/) that work together to achieve a specific transformation or operation on Kubernetes resources. Capabilities are user-defined and can include one or more actions. They are defined within a Pepr module and can be used in both MutatingWebhookConfigurations and ValidatingWebhookConfigurations. A Capability can have a specific scope, such as mutating or validating, and can be reused in multiple Pepr modules. - -When you [`pepr init`](../cli#pepr-init), a `capabilities` directory is created for you. This directory is where you will define your capabilities. You can create as many capabilities as you need, and each capability can contain one or more actions. Pepr also automatically creates a `HelloPepr` capability with a number of example actions to help you get started. - -## Creating a Capability - -Defining a new capability can be done via a [VSCode Snippet](https://code.visualstudio.com/docs/editor/userdefinedsnippets) generated during [`pepr init`](../cli#pepr-init). - -1. Create a new file in the `capabilities` directory with the name of your capability. For example, `capabilities/my-capability.ts`. - -1. Open the new file in VSCode and type `create` in the file. A suggestion should prompt you to generate the content from there. - - - -_If you prefer not to use VSCode, you can also modify or copy the `HelloPepr` capability to meet your needs instead._ - - -## Reusable Capabilities - -Pepr has an NPM org managed by Defense Unicorns, `@pepr`, where capabilities are published for reuse in other Pepr Modules. You can find a list of published capabilities [here](https://www.npmjs.com/search?q=@pepr). - -You also can publish your own Pepr capabilities to NPM and import them. A couple of things you'll want to be aware of when publishing your own capabilities: - -- Reuseable capability versions should use the format `0.x.x` or `0.12.x` as examples to determine compatibility with other reusable capabilities. Before `1.x.x`, we recommend binding to `0.x.x` if you can for maximum compatibility. - -- `pepr.ts` will still be used for local development, but you'll also need to publish an `index.ts` that exports your capabilities. When you build & publish the capability to NPM, you can use `npx pepr build -e index.ts` to generate the code needed for reuse by other Pepr modules. - -- See [Pepr Istio](https://github.com/defenseunicorns/pepr-istio) for an example of a reusable capability. diff --git a/site/content/en/v0.22.2/cli.md b/site/content/en/v0.22.2/cli.md deleted file mode 100644 index 7edef9724..000000000 --- a/site/content/en/v0.22.2/cli.md +++ /dev/null @@ -1,81 +0,0 @@ ---- -title: Pepr CLI -weight: ---- - - -## `pepr init` - -Initialize a new Pepr Module. - -**Options:** - -- `-l, --log-level [level]` - Log level: debug, info, warn, error (default: "info") -- `--skip-post-init` - Skip npm install, git init and VSCode launch - ---- - -## `pepr update` - -Update the current Pepr Module to the latest SDK version and update the global Pepr CLI to the same version. - -**Options:** - -- `-l, --log-level [level]` - Log level: debug, info, warn, error (default: "info") -- `--skip-template-update` - Skip updating the template files - ---- - -## `pepr dev` - -Connect a local cluster to a local version of the Pepr Controller to do real-time debugging of your module. Note -the `pepr dev` assumes a K3d cluster is running by default. If you are working with Kind or another docker-based -K8s distro, you will need to pass the `--host host.docker.internal` option to `pepr dev`. If working with a remote -cluster you will have to give Pepr a host path to your machine that is reachable from the K8s cluster. - -**Options:** - -- `-l, --log-level [level]` - Log level: debug, info, warn, error (default: "info") -- `-h, --host [host]` - Host to listen on (default: "host.k3d.internal") -- `--confirm` - Skip confirmation prompt - ---- - -## `pepr deploy` - -Deploy the current module into a Kubernetes cluster, useful for CI systems. Not recommended for production use. - -**Options:** - -- `-l, --log-level [level]` - Log level: debug, info, warn, error (default: "info") -- `-i, --image [image]` - Override the image tag -- `--confirm` - Skip confirmation prompt - ---- - -## pepr monitor - -Monitor Validations for a given Pepr Module. - -Usage: -```bash -npx pepr monitor [options] -``` - -**Options:** -- `-l, --log-level [level]` - Log level: debug, info, warn, error (default: "info") -- `-h, --help` - Display help for command - ---- -## `pepr build` - -Create a [zarf.yaml](https://zarf.dev) and K8s manifest for the current module. This includes everything needed to deploy Pepr and the current module into production environments. - -**Options:** - -- `-l, --log-level [level]` - Log level: debug, info, warn, error (default: "info") -- `-e, --entry-point [file]` - Specify the entry point file to build with. (default: "pepr.ts") -- `-n, --no-embed` - Disables embedding of deployment files into output module. Useful when creating library modules intended solely for reuse/distribution via NPM -- `-r, --registry-info [/]` - Registry Info: Image registry and username. Note: You must be signed into the registry -- `-o, --output-dir [output directory]` - Define where to place build output -- `--rbac-mode [admin|scoped]` - Rbac Mode: admin, scoped (default: admin) (choices: "admin", "scoped", default: "admin") diff --git a/site/content/en/v0.22.2/customresources.md b/site/content/en/v0.22.2/customresources.md deleted file mode 100644 index c78a93178..000000000 --- a/site/content/en/v0.22.2/customresources.md +++ /dev/null @@ -1,165 +0,0 @@ ---- -title: Importing Custom Resources -weight: ---- - - - -The [Kubernetes Fluent Client](https://github.com/defenseunicorns/kubernetes-fluent-client) supports the creation of TypeScript typings directly from Kubernetes Custom Resource Definitions (CRDs). The files it generates can be directly incorporated into Pepr capabilities and provide a way to work with strongly-typed CRDs. - -For example (below), Istio CRDs can be imported and used as though they were intrinsic Kubernetes resources. - - -## Generating TypeScript Types from CRDs - -Using the kubernetes-fluent-client to produce a new type looks like this: - -```bash -npx kubernetes-fluent-client crd [source] [directory] -``` - -The `crd` command expects a `[source]`, which can be a URL or local file containing the `CustomResourceDefinition(s)`, and a `[directory]` where the generated code will live. - -The following example creates types for the Istio CRDs: - -```bash -user@workstation$ npx kubernetes-fluent-client crd https://raw.githubusercontent.com/istio/istio/master/manifests/charts/base/crds/crd-all.gen.yaml crds - -Attempting to load https://raw.githubusercontent.com/istio/istio/master/manifests/charts/base/crds/crd-all.gen.yaml as a URL - -- Generating extensions.istio.io/v1alpha1 types for WasmPlugin -- Generating networking.istio.io/v1alpha3 types for DestinationRule -- Generating networking.istio.io/v1beta1 types for DestinationRule -- Generating networking.istio.io/v1alpha3 types for EnvoyFilter -- Generating networking.istio.io/v1alpha3 types for Gateway -- Generating networking.istio.io/v1beta1 types for Gateway -- Generating networking.istio.io/v1beta1 types for ProxyConfig -- Generating networking.istio.io/v1alpha3 types for ServiceEntry -- Generating networking.istio.io/v1beta1 types for ServiceEntry -- Generating networking.istio.io/v1alpha3 types for Sidecar -- Generating networking.istio.io/v1beta1 types for Sidecar -- Generating networking.istio.io/v1alpha3 types for VirtualService -- Generating networking.istio.io/v1beta1 types for VirtualService -- Generating networking.istio.io/v1alpha3 types for WorkloadEntry -- Generating networking.istio.io/v1beta1 types for WorkloadEntry -- Generating networking.istio.io/v1alpha3 types for WorkloadGroup -- Generating networking.istio.io/v1beta1 types for WorkloadGroup -- Generating security.istio.io/v1 types for AuthorizationPolicy -- Generating security.istio.io/v1beta1 types for AuthorizationPolicy -- Generating security.istio.io/v1beta1 types for PeerAuthentication -- Generating security.istio.io/v1 types for RequestAuthentication -- Generating security.istio.io/v1beta1 types for RequestAuthentication -- Generating telemetry.istio.io/v1alpha1 types for Telemetry - -✅ Generated 23 files in the istio directory -``` - -Observe that the `kubernetes-fluent-client` has produced the TypeScript types within the `crds` directory. These types can now be utilized in the Pepr module. - -```typescript -user@workstation$ cat crds/proxyconfig-v1beta1.ts -// This file is auto-generated by kubernetes-fluent-client, do not edit manually - -import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; - -export class ProxyConfig extends GenericKind { - /** - * Provides configuration for individual workloads. See more details at: - * https://istio.io/docs/reference/config/networking/proxy-config.html - */ - spec?: Spec; - status?: { [key: string]: any }; -} - -/** - * Provides configuration for individual workloads. See more details at: - * https://istio.io/docs/reference/config/networking/proxy-config.html - */ -export interface Spec { - /** - * The number of worker threads to run. - */ - concurrency?: number; - /** - * Additional environment variables for the proxy. - */ - environmentVariables?: { [key: string]: string }; - /** - * Specifies the details of the proxy image. - */ - image?: Image; - /** - * Optional. - */ - selector?: Selector; -} - -/** - * Specifies the details of the proxy image. - */ -export interface Image { - /** - * The image type of the image. - */ - imageType?: string; -} - -/** - * Optional. - */ -export interface Selector { - /** - * One or more labels that indicate a specific set of pods/VMs on which a policy should be - * applied. - */ - matchLabels?: { [key: string]: string }; -} - -RegisterKind(ProxyConfig, { - group: "networking.istio.io", - version: "v1beta1", - kind: "ProxyConfig", -}); -``` - -## Using new types - -The generated types can be imported into Pepr directly, _there is no additional logic needed to make them to work_. - -```typescript -import { Capability, K8s, Log, a, kind } from "pepr"; - -import { Gateway } from "../crds/gateway-v1beta1"; -import { - PurpleDestination, - VirtualService, -} from "../crds/virtualservice-v1beta1"; - -export const IstioVirtualService = new Capability({ - name: "istio-virtual-service", - description: "Generate Istio VirtualService resources", -}); - -// Use the 'When' function to create a new action -const { When, Store } = IstioVirtualService; - -// Define the configuration keys -enum config { - Gateway = "uds/istio-gateway", - Host = "uds/istio-host", - Port = "uds/istio-port", - Domain = "uds/istio-domain", -} - -// Define the valid gateway names -const validGateway = ["admin", "tenant", "passthrough"]; - -// Watch Gateways to get the HTTPS domain for each gateway -When(Gateway) - .IsCreatedOrUpdated() - .WithLabel(config.Domain) - .Watch(vs => { - // Store the domain for the gateway - Store.setItem(vs.metadata.name, vs.metadata.labels[config.Domain]); - }); -``` diff --git a/site/content/en/v0.22.2/metrics.md b/site/content/en/v0.22.2/metrics.md deleted file mode 100644 index e91699726..000000000 --- a/site/content/en/v0.22.2/metrics.md +++ /dev/null @@ -1,113 +0,0 @@ ---- -title: /metrics Endpoint Documentation -weight: ---- - - -The `/metrics` endpoint provides metrics for the application that are collected via the `MetricsCollector` class. It uses the `prom-client` library and performance hooks from Node.js to gather and expose the metrics data in a format that can be scraped by Prometheus. - -## Metrics Exposed - -The `MetricsCollector` exposes the following metrics: - -- `pepr_errors`: A counter that increments when an error event occurs in the application. -- `pepr_alerts`: A counter that increments when an alert event is triggered in the application. -- `pepr_Mutate`: A summary that provides the observed durations of mutation events in the application. -- `pepr_Validate`: A summary that provides the observed durations of validation events in the application. - -## API Details - -**Method:** GET - -**URL:** `/metrics` - -**Response Type:** text/plain - -**Status Codes:** -- 200 OK: On success, returns the current metrics from the application. - -**Response Body:** -The response body is a plain text representation of the metrics data, according to the Prometheus exposition formats. It includes the metrics mentioned above. - -## Examples - -### Request - -```plaintext -GET /metrics -``` - -### Response -```plaintext - `# HELP pepr_errors Mutation/Validate errors encountered - # TYPE pepr_errors counter - pepr_errors 5 - - # HELP pepr_alerts Mutation/Validate bad api token received - # TYPE pepr_alerts counter - pepr_alerts 10 - - # HELP pepr_Mutate Mutation operation summary - # TYPE pepr_Mutate summary - pepr_Mutate{quantile="0.01"} 100.60707900021225 - pepr_Mutate{quantile="0.05"} 100.60707900021225 - pepr_Mutate{quantile="0.5"} 100.60707900021225 - pepr_Mutate{quantile="0.9"} 100.60707900021225 - pepr_Mutate{quantile="0.95"} 100.60707900021225 - pepr_Mutate{quantile="0.99"} 100.60707900021225 - pepr_Mutate{quantile="0.999"} 100.60707900021225 - pepr_Mutate_sum 100.60707900021225 - pepr_Mutate_count 1 - - # HELP pepr_Validate Validation operation summary - # TYPE pepr_Validate summary - pepr_Validate{quantile="0.01"} 201.19413900002837 - pepr_Validate{quantile="0.05"} 201.19413900002837 - pepr_Validate{quantile="0.5"} 201.2137690000236 - pepr_Validate{quantile="0.9"} 201.23339900001884 - pepr_Validate{quantile="0.95"} 201.23339900001884 - pepr_Validate{quantile="0.99"} 201.23339900001884 - pepr_Validate{quantile="0.999"} 201.23339900001884 - pepr_Validate_sum 402.4275380000472 - pepr_Validate_count 2 -``` - -## Prometheus Operator - -If using the Prometheus Operator, the following `ServiceMonitor` example manifests can be used to scrape the `/metrics` endpoint for the `admission` and `watcher` controllers. - -```yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: admission -spec: - selector: - matchLabels: - pepr.dev/controller: admission - namespaceSelector: - matchNames: - - pepr-system - endpoints: - - targetPort: 3000 - scheme: https - tlsConfig: - insecureSkipVerify: true ---- -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: watcher -spec: - selector: - matchLabels: - pepr.dev/controller: watcher - namespaceSelector: - matchNames: - - pepr-system - endpoints: - - targetPort: 3000 - scheme: https - tlsConfig: - insecureSkipVerify: true -``` diff --git a/site/content/en/v0.22.2/module.md b/site/content/en/v0.22.2/module.md deleted file mode 100644 index 9cc1204be..000000000 --- a/site/content/en/v0.22.2/module.md +++ /dev/null @@ -1,94 +0,0 @@ ---- -title: Pepr Module -weight: ---- - - -Each Pepr Module is it's own Typescript project, produced by [`pepr init`](../cli#pepr-init). Typically a module is maintained by a unique group or system. For example, a module for internal [Zarf](https://zarf.dev/) mutations would be different from a module for [Big Bang](https://p1.dso.mil/products/big-bang). An important idea with modules is that they are _wholly independent of one another_. This means that 2 different modules can be on completely different versions of Pepr and any other dependencies; their only interaction is through the standard K8s interfaces like any other webhook or controller. - -## Module development lifecycle - -1. **Create the module**: - - Use [`pepr init`](../cli#pepr-init) to generate a new module. - -1. **Quickly validate system setup**: - - Every new module includes a sample Pepr Capability called `HelloPepr`. By default, - this capability is deployed and monitoring the `pepr-demo` namespace. There is a sample - yaml also included you can use to see Pepr in your cluster. Here's the quick steps to do - that after `pepr init`: - - ```bash - # cd to the newly-created Pepr module folder - cd my-module-name - - # If you don't already have a local K8s cluster, you can set one up with k3d - npm run k3d-setup - - # Launch pepr dev mode - # If using another local K8s distro instead of k3d, use `pepr dev --host host.docker.internal` - pepr dev - - # From another terminal, apply the sample yaml - kubectl apply -f capabilities/hello-pepr.samples.yaml - - # Verify the configmaps were transformed using kubectl, k9s or another tool - ``` - -1. **Create your custom Pepr Capabilities** - - Now that you have confirmed Pepr is working, you can now create new [capabilities](../capabilities/). You'll also want to disable the `HelloPepr` capability in your module (`pepr.ts`) before pushing to production. You can disable by commenting out or deleting the `HelloPepr` variable below: - - ```typescript - new PeprModule(cfg, [ - // Remove or comment the line below to disable the HelloPepr capability - HelloPepr, - - // Your additional capabilities go here - ]); - ``` - - _Note: if you also delete the `capabilities/hello-pepr.ts` file, it will be added again on the next [`pepr update`](../cli#pepr-update) so you have the latest examples usages from the Pepr SDK. Therefore, it is sufficient to remove the entry from your `pepr.ts` module - config._ - -1. **Build and deploy the Pepr Module** - - Most of the time, you'll likely be iterating on a module with `pepr dev` for real-time feedback and validation Once you are ready to move beyond the local dev environment, Pepr provides deployment and build tools you can use. - - `pepr deploy` - you can use this command to build your module and deploy it into any K8s cluster your current `kubecontext` has access to. This setup is ideal for CI systems during testing, but is not recommended for production use. See [`pepr deploy`](../cli#pepr-deploy) for more info. - -## Advanced Module Configuration - -By default, when you run `pepr init`, the module is not configured with any additional options. Currently, there are 3 options you can configure: - -- `deferStart` - if set to `true`, the module will not start automatically. You will need to call `start()` manually. This is useful if you want to do some additional setup before the module controller starts. You can also use this to change the default port that the controller listens on. - -- `beforeHook` - an optional callback that will be called before every request is processed. This is useful if you want to do some additional logging or validation before the request is processed. - -- `afterHook` - an optional callback that will be called after every request is processed. This is useful if you want to do some additional logging or validation after the request is processed. - -You can configure each of these by modifying the `pepr.ts` file in your module. Here's an example of how you would configure each of these options: - -```typescript -const module = new PeprModule( - cfg, - [ - // Your capabilities go here - ], - { - deferStart: true, - - beforeHook: req => { - // Any actions you want to perform before the request is processed, including modifying the request. - }, - - afterHook: res => { - // Any actions you want to perform after the request is processed, including modifying the response. - }, - } -); - -// Do any additional setup before starting the controller -module.start(); -``` diff --git a/site/content/en/v0.22.2/rbac.md b/site/content/en/v0.22.2/rbac.md deleted file mode 100644 index 004eccf89..000000000 --- a/site/content/en/v0.22.2/rbac.md +++ /dev/null @@ -1,152 +0,0 @@ ---- -title: RBAC Modes -weight: ---- - - -During the build phase of Pepr (`npx pepr build --rbac-mode [admin|scoped]`), you have the option to specify the desired RBAC mode through specific flags. This allows fine-tuning the level of access granted based on requirements and preferences. - -## Modes - -**admin** - -```bash -npx pepr build --rbac-mode admin -``` - -**Description:** The service account is given cluster-admin permissions, granting it full, unrestricted access across the entire cluster. This can be useful for administrative tasks where broad permissions are necessary. However, use this mode with caution, as it can pose security risks if misused. This is the default mode. - -**scoped** - -```bash -npx pepr build --rbac-mode scoped -``` - -**Description:** The service account is provided just enough permissions to perform its required tasks, and no more. This mode is recommended for most use cases as it limits potential attack vectors and aligns with best practices in security. _The admission controller's primary mutating or validating action doesn't require a ClusterRole (as the request is not persisted or executed while passing through admission control), if you have a use case where the admission controller's logic involves reading other Kubernetes resources or taking additional actions beyond just validating, mutating, or watching the incoming request, appropriate RBAC settings should be reflected in the ClusterRole. See how in [Updating the ClusterRole](#updating-the-clusterrole)._ - -## Debugging RBAC Issues - -If encountering unexpected behaviors in Pepr while running in scoped mode, check to see if they are related to RBAC. - -1. Check Deployment logs for RBAC errors: - -```bash -kubectl logs -n pepr-system -l app | jq - -# example output -{ - "level": 50, - "time": 1697983053758, - "pid": 16, - "hostname": "pepr-static-test-watcher-745d65857d-pndg7", - "data": { - "kind": "Status", - "apiVersion": "v1", - "metadata": {}, - "status": "Failure", - "message": "configmaps \"pepr-ssa-demo\" is forbidden: User \"system:serviceaccount:pepr-system:pepr-static-test\" cannot patch resource \"configmaps\" in API group \"\" in the namespace \"pepr-demo-2\"", - "reason": "Forbidden", - "details": { - "name": "pepr-ssa-demo", - "kind": "configmaps" - }, - "code": 403 - }, - "ok": false, - "status": 403, - "statusText": "Forbidden", - "msg": "Dooes the ServiceAccount permissions to CREATE and PATCH this ConfigMap?" -} -``` - -2. Verify ServiceAccount Permissions with `kubectl auth can-i` - -```bash -SA=$(kubectl get deploy -n pepr-system -o=jsonpath='{range .items[0]}{.spec.template.spec.serviceAccountName}{"\n"}{end}') - -# Can i create configmaps as the service account in pepr-demo-2? -kubectl auth can-i create cm --as=system:serviceaccount:pepr-system:$SA -n pepr-demo-2 - -# example output: no -``` - -3. Describe the ClusterRole - -```bash -SA=$(kubectl get deploy -n pepr-system -o=jsonpath='{range .items[0]}{.spec.template.spec.serviceAccountName}{"\n"}{end}') - -kubectl describe clusterrole $SA - -# example output: -Name: pepr-static-test -Labels: -Annotations: -PolicyRule: - Resources Non-Resource URLs Resource Names Verbs - --------- ----------------- -------------- ----- - peprstores.pepr.dev [] [] [create delete get list patch update watch] - configmaps [] [] [watch] - namespaces [] [] [watch] -``` - -## Updating the ClusterRole - -As discussed in the [Modes](#modes) section, the admission controller's primary mutating or validating action doesn't require a ClusterRole (as the request is not persisted or executed while passing through admission control), if you have a use case where the admission controller's logic involves reading other Kubernetes resources or taking additional actions beyond just validating, mutating, or watching the incoming request, appropriate RBAC settings should be reflected in the ClusterRole. - -Step 1: Figure out the desired permissions. (`kubectl create clusterrole --help` is a good place to start figuring out the syntax) - -```bash - kubectl create clusterrole configMapApplier --verb=create,patch --resource=configmap --dry-run=client -oyaml - - # example output -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: configMapApplier -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - patch -``` - -Step 2: Update the ClusterRole in the `dist` folder. - -```yaml -... -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: pepr-static-test -rules: - - apiGroups: - - pepr.dev - resources: - - peprstores - verbs: - - create - - get - - patch - - watch - - apiGroups: - - '' - resources: - - namespaces - verbs: - - watch - - apiGroups: - - '' - resources: - - configmaps - verbs: - - watch - - create # New - - patch # New -... -``` - -Step 3: Apply the updated configuration diff --git a/site/content/en/v0.22.2/store.md b/site/content/en/v0.22.2/store.md deleted file mode 100644 index 2f975cb49..000000000 --- a/site/content/en/v0.22.2/store.md +++ /dev/null @@ -1,47 +0,0 @@ ---- -title: Pepr Store A Lightweight Key-Value Store for Pepr Modules -weight: ---- - - -The nature of admission controllers and general watch operations (the `Mutate`, `Validate` and `Watch` actions in Pepr) make some types of complex and long-running operations difficult. There are also times when you need to share data between different actions. While you could manually create your own K8s resources and manage their cleanup, this can be very hard to track and keep performant at scale. - -The Pepr Store solves this by exposing a simple, [Web Storage API](https://developer.mozilla.org/en-US/docs/Web/API/Storage)-compatible mechanism for use within capabilities. Additionally, as Pepr runs multiple replicas of the admission controller along with a watch controller, the Pepr Store provides a unique way to share data between these different instances automatically. - -Each Pepr Capability has a `Store` instance that can be used to get, set and delete data as well as subscribe to any changes to the Store. Behind the scenes, all capability store instances in a single Pepr Module are stored within a single CRD in the cluster. This CRD is automatically created when the Pepr Module is deployed. Care is taken to make the read and write operations as efficient as possible by using K8s watches, batch processing and patch operations for writes. - -## Key Features - -- **Asynchronous Key-Value Store**: Provides an asynchronous interface for storing small amounts of data, making it ideal for sharing information between various actions and capabilities. -- **Web Storage API Compatibility**: The store's API is aligned with the standard [Web Storage API](https://developer.mozilla.org/en-US/docs/Web/API/Storage), simplifying the learning curve. -- **Real-time Updates**: The `.subscribe()` and `onReady()` methods enable real-time updates, allowing you to react to changes in the data store instantaneously. - -- **Automatic CRD Management**: Each Pepr Module has its data stored within a single Custom Resource Definition (CRD) that is automatically created upon deployment. -- **Efficient Operations**: Pepr Store uses Kubernetes watches, batch processing, and patch operations to make read and write operations as efficient as possible. - -## Quick Start - -```typescript -// Example usage for Pepr Store -Store.setItem("example-1", "was-here"); -Store.setItem("example-1-data", JSON.stringify(request.Raw.data)); -Store.onReady(data => { - Log.info(data, "Pepr Store Ready"); -}); -const unsubscribe = Store.subscribe(data => { - Log.info(data, "Pepr Store Updated"); - unsubscribe(); -}); -``` - -## API Reference - -### Methods - -- `getItem(key: string)`: Retrieves a value by its key. Returns `null` if the key doesn't exist. -- `setItem(key: string, value: string)`: Sets a value for a given key. Creates a new key-value pair if the key doesn't exist. -- `setItemAndWait(key: string, value: string)`: Sets a value for a given key. Creates a new key-value pair if the key doesn't exist. Returns a promise when the new key and value show up in the store. Should only be used on a `Watch` to avoid [timeouts](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#timeouts). -- `removeItem(key: string)`: Deletes a key-value pair by its key. -- `clear()`: Clears all key-value pairs from the store. -- `subscribe(listener: DataReceiver)`: Subscribes to store updates. -- `onReady(callback: DataReceiver)`: Executes a callback when the store is ready. diff --git a/site/content/en/v0.22.2/webassembly.md b/site/content/en/v0.22.2/webassembly.md deleted file mode 100644 index b36671e82..000000000 --- a/site/content/en/v0.22.2/webassembly.md +++ /dev/null @@ -1,188 +0,0 @@ ---- -title: WASM Support Running WebAssembly in Pepr Guide -weight: ---- - - -Pepr fully supports WebAssembly. Depending on the language used to generate the WASM, certain files can be too large to fit into a `Secret` or `ConfigMap`. Due to this limitation, users have the ability to incorporate `*.wasm` and any other essential files during the build phase, which are then embedded into the Pepr Controller container. This is achieved through adding an array of files to the `includedFiles` section under `pepr` in the `package.json`. - -> **NOTE -** In order to instantiate the WebAsembly module in TypeScript, you need the WebAssembly type. This is accomplished through add the "DOM" to the `lib` array in the `compilerOptions` section of the `tsconfig.json`. Ex: `"lib": ["ES2022", "DOM"]`. Be aware that adding the DOM will add a lot of extra types to your project and your developer experience will be impacted in terms of the intellisense. - - -## High-Level Overview - -WASM support is achieved through adding files as layers atop the Pepr controller image, these files are then able to be read by the individual capabilities. The key components of WASM support are: - -- Add files to the **base** of the Pepr module. -- Reference the files in the `includedFiles` section of the `pepr` block of the `package.json` -- Run `npx pepr build` with the `-r ` option specifying registry info. Ex: `npx pepr build -r docker.io/cmwylie19` -- Pepr builds and pushes a custom image that is used in the `Deployment`. - -## Using WASM Support - -### Creating a WASM Module in Go - -Create a simple Go function that you want to call from your Pepr module - -```go -package main - -import ( - "fmt" - "syscall/js" -) - -func concats(this js.Value, args []js.Value) interface{} { - fmt.Println("PeprWASM!") - stringOne := args[0].String() - stringTwo := args[1].String() - return fmt.Sprintf("%s%s", stringOne, stringTwo) -} - -func main() { - done := make(chan struct{}, 0) - js.Global().Set("concats", js.FuncOf(concats)) - <-done -} -``` - -Compile it to a wasm target and move it to your Pepr module - -```bash -GOOS=js GOARCH=wasm go build -o main.wasm -cp main.wasm $YOUR_PEPR_MODULE/ -``` - -Copy the `wasm_exec.js` from `GOROOT` to your Pepr Module - -```bash -cp "$(go env GOROOT)/misc/wasm/wasm_exec.js" $YOUR_PEPR_MODULE/ -``` - -Update the polyfill to add `globalThis.crypto` in the `wasm_exec.js` since we are not running in the browser. This is needed directly under: `(() => {` - - -```javascript -// Initialize the polyfill -if (typeof globalThis.crypto === 'undefined') { - globalThis.crypto = { - getRandomValues: (array) => { - for (let i = 0; i < array.length; i++) { - array[i] = Math.floor(Math.random() * 256); - } - }, - }; -} -``` - - -### Configure Pepr to use WASM - -After adding the files to the root of the Pepr module, reference those files in the `package.json`: - -```json -{ - "name": "pepr-test-module", - "version": "0.0.1", - "description": "A test module for Pepr", - "keywords": [ - "pepr", - "k8s", - "policy-engine", - "pepr-module", - "security" - ], - "engines": { - "node": ">=18.0.0" - }, - "pepr": { - "name": "pepr-test-module", - "uuid": "static-test", - "onError": "ignore", - "alwaysIgnore": { - "namespaces": [], - "labels": [] - }, - "includedFiles":[ - "main.wasm", - "wasm_exec.js" - ] - }, - ... -} -``` - -Update the `tsconfig.json` to add "DOM" to the `compilerOptions` lib: - -```json -{ - "compilerOptions": { - "allowSyntheticDefaultImports": true, - "declaration": true, - "declarationMap": true, - "emitDeclarationOnly": true, - "esModuleInterop": true, - "lib": [ - "ES2022", - "DOM" // <- Add this - ], - "module": "CommonJS", - "moduleResolution": "node", - "outDir": "dist", - "resolveJsonModule": true, - "rootDir": ".", - "strict": false, - "target": "ES2022", - "useUnknownInCatchVariables": false - }, - "include": [ - "**/*.ts" - ] -} -``` - -### Call WASM functions from TypeScript - -Import the `wasm_exec.js` in the `pepr.ts` - -```javascript -import "./wasm_exec.js"; -``` - -Create a helper function to load the wasm file in a capability and call it during an event of your choice - -```typescript -async function callWASM(a,b) { - const go = new globalThis.Go(); - - const wasmData = readFileSync("main.wasm"); - var concated: string; - - await WebAssembly.instantiate(wasmData, go.importObject).then(wasmModule => { - go.run(wasmModule.instance); - - concated = global.concats(a,b); - }); - return concated; -} - -When(a.Pod) -.IsCreated() -.Mutate(async pod => { - try { - let label_value = await callWASM("loves","wasm") - pod.SetLabel("pepr",label_value) - } - catch(err) { - Log.error(err); - } -}); -``` - -### Run Pepr Build - -Build your Pepr module with the registry specified. - -```bash -npx pepr build -r docker.io/defenseunicorns -``` diff --git a/site/content/en/v0.22.3-alpha/OnSchedule.md b/site/content/en/v0.22.3-alpha/OnSchedule.md deleted file mode 100644 index c663f24d9..000000000 --- a/site/content/en/v0.22.3-alpha/OnSchedule.md +++ /dev/null @@ -1,85 +0,0 @@ ---- -title: OnSchedule -weight: ---- - - -The `OnSchedule` feature allows you to schedule and automate the execution of specific code at predefined intervals or schedules. This feature is designed to simplify recurring tasks and can serve as an alternative to traditional CronJobs. This code is designed to be run at the top level on a Capability, not within a function like `When`. - -> **Note -** To use this feature in dev mode you MUST set `PEPR_WATCH_MODE="true"`. This is because the scheduler only runs on the watch controller and the watch controller is not started by default in dev mode. - -For example: `PEPR_WATCH_MODE="true" npx pepr dev` - -## Best Practices - -`OnSchedule` is designed for targeting intervals equal to or larger than 30 seconds due to the storage mechanism used to archive schedule info. - -## Usage - -Create a recurring task execution by calling the OnSchedule function with the following parameters: - -**name** - The unique name of the schedule. - -**every** - An integer that represents the frequency of the schedule in number of _units_. - -**unit** - A string specifying the time unit for the schedule (e.g., `seconds`, `minute`, `minutes`, `hour`, `hours`). - -**startTime** - (Optional) A UTC timestamp indicating when the schedule should start. All date times must be provided in GMT. If not specified the schedule will start when the schedule store reports ready. - -**run** - A function that contains the code you want to execute on the defined schedule. - -**completions** - (Optional) An integer indicating the maximum number of times the schedule should run to completion. If not specified the schedule will run indefinitely. - - -## Examples - -Update a ConfigMap every 30 seconds: - -```typescript -OnSchedule({ - name: "hello-interval", - every: 30, - unit: "seconds", - run: async () => { - Log.info("Wait 30 seconds and create/update a ConfigMap"); - - try { - await K8s(kind.ConfigMap).Apply({ - metadata: { - name: "last-updated", - namespace: "default", - }, - data: { - count: `${new Date()}`, - }, - }); - - } catch (error) { - Log.error(error, "Failed to apply ConfigMap using server-side apply."); - } - }, - }); -``` - -Refresh an AWSToken every 24 hours, with a delayed start of 30 seconds, running a total of 3 times: - -```typescript - -OnSchedule({ - name: "refresh-aws-token", - every: 24, - unit: "hours", - startTime: new Date(new Date().getTime() + 1000 * 30), - run: async () => { - await RefreshAWSToken(); - }, - completions: 3, -}); -``` - -## Advantages - -- Simplifies scheduling recurring tasks without the need for complex CronJob configurations. -- Provides flexibility to define schedules in a human-readable format. -- Allows you to execute code with precision at specified intervals. -- Supports limiting the number of schedule completions for finite tasks. diff --git a/site/content/en/v0.22.3-alpha/_index.md b/site/content/en/v0.22.3-alpha/_index.md deleted file mode 100644 index c4c658408..000000000 --- a/site/content/en/v0.22.3-alpha/_index.md +++ /dev/null @@ -1,157 +0,0 @@ ---- -title: v0.22.3-alpha -cascade: - type: docs -aliases: [] ---- -# Pepr - -[![Pepr Documentation](https://img.shields.io/badge/docs--d25ba1)](./README/) -[![Npm package license](https://badgen.net/npm/license/pepr)](https://npmjs.com/package/pepr) -[![Known Vulnerabilities](https://snyk.io/test/npm/pepr/badge.svg)](https://snyk.io/advisor/npm-package/pepr) -[![Npm package version](https://badgen.net/npm/v/pepr)](https://npmjs.com/package/pepr) -[![Npm package total downloads](https://badgen.net/npm/dt/pepr)](https://npmjs.com/package/pepr) - -#### **_Type safe Kubernetes middleware for humans_** - - - -Pepr is on a mission to save Kubernetes from the tyranny of YAML, intimidating glue code, bash scripts, and other makeshift solutions. As a Kubernetes controller, Pepr empowers you to define Kubernetes transformations using TypeScript, without software development expertise thanks to plain-english configurations. Pepr transforms a patchwork of forks, scripts, overlays, and other chaos into a cohesive, well-structured, and maintainable system. With Pepr, you can seamlessly transition IT ops tribal knowledge into code, simplifying documentation, testing, validation, and coordination of changes for a more predictable outcome. - -#### _Note: Pepr is still in active development so breaking changes may occur, but will be documented in release notes._ - -## Features - -- Zero-config K8s webhook mutations and validations -- Automatic leader-elected K8s resource watching -- Lightweight async key-value store backed by K8s for stateful operations with the [Pepr Store](./store/) -- Human-readable fluent API for generating [Pepr Capabilities](#capability) -- A fluent API for creating/modifying/watching and server-side applying K8s resources via [Kubernetes Fluent Client](https://github.com/defenseunicorns/kubernetes-fluent-client) -- Generate new K8s resources based off of cluster resource changes -- Perform other exec/API calls based off of cluster resources changes or any other arbitrary schedule -- Out of the box airgap support with [Zarf](https://zarf.dev) -- Entire NPM ecosystem available for advanced operations -- Realtime K8s debugging system for testing/reacting to cluster changes -- Controller network isolation and tamper-resistent module execution -- Least-privilege [RBAC](https://github.com/defenseunicorns/pepr/blob/main/docs/rbac/) generation -- AMD64 and ARM64 support - -## Example Pepr Action - -This quick sample shows how to react to a ConfigMap being created or updated in the cluster. It adds a label and annotation to the ConfigMap and adds some data to the ConfigMap. It also creates a Validating Webhook to make sure the "pepr" label still exists. Finally, after the ConfigMap is created, it logs a message to the Pepr controller and creates or updates a separate ConfigMap with the [kubernetes-fluent-client](https://github.com/defenseunicorns/kubernetes-fluent-client) using server-side apply. For more details see [actions](./actions/) section. - -```ts -When(a.ConfigMap) - .IsCreatedOrUpdated() - .InNamespace("pepr-demo") - .WithLabel("unicorn", "rainbow") - // Create a Mutate Action for the ConfigMap - .Mutate(request => { - // Add a label and annotation to the ConfigMap - request.SetLabel("pepr", "was-here").SetAnnotation("pepr.dev", "annotations-work-too"); - - // Add some data to the ConfigMap - request.Raw.data["doug-says"] = "Pepr is awesome!"; - - // Log a message to the Pepr controller logs - Log.info("A 🦄 ConfigMap was created or updated:"); - }) - // Create a Validate Action for the ConfigMap - .Validate(request => { - // Validate the ConfigMap has a specific label - if (request.HasLabel("pepr")) { - return request.Approve(); - } - - // Reject the ConfigMap if it doesn't have the label - return request.Deny("ConfigMap must have a unicorn label"); - }) - // Watch behaves like controller-runtime's Manager.Watch() - .Watch(async (cm, phase) => { - Log.info(cm, `ConfigMap was ${phase}.`); - - // Apply a ConfigMap using K8s server-side apply (will create or update) - await K8s(kind.ConfigMap).Apply({ - metadata: { - name: "pepr-ssa-demo", - namespace: "pepr-demo-2", - }, - data: { - uid: cm.metadata.uid, - }, - }); - }); -``` - -## Prerequisites - -- [Node.js](https://nodejs.org/en/) v18.0.0+ (even-numbered releases only) - - To ensure compatability and optimal performance, it is recommended to use even-numbered releases of Node.js as they are stable releases and receive long-term support for three years. Odd-numbered releases are experimental and may not be supported by certain libraries utilized in Pepr. - -- [npm](https://www.npmjs.com/) v10.1.0+ - -- Recommended (optional) tools: - - [Visual Studio Code](https://code.visualstudio.com/) for inline debugging and [Pepr Capabilities](#capability) creation. - - A Kubernetes cluster for `npx pepr dev`. Pepr modules include `npm run k3d-setup` if you want to test locally with [K3d](https://k3d.io/) and [Docker](https://www.docker.com/). - -## Wow too many words! tl;dr; - -```bash -# Create a new Pepr Module -npx pepr init - -# If you already have a Kind or K3d cluster you want to use, skip this step -npm run k3d-setup - -# Start playing with Pepr now -# If using another local K8s distro instead of k3d, run `npx pepr dev --host host.docker.internal` -npx pepr dev -kubectl apply -f capabilities/hello-pepr.samples.yaml - -# Be amazed and ⭐️ this repo -``` - - - -## Concepts - -### Module - -A module is the top-level collection of capabilities. It is a single, complete TypeScript project that includes an entry point to load all the configuration and capabilities, along with their actions. During the Pepr build process, each module produces a unique Kubernetes MutatingWebhookConfiguration and ValidatingWebhookConfiguration, along with a secret containing the transpiled and compressed TypeScript code. The webhooks and secret are deployed into the Kubernetes cluster with their own isolated controller. - -See [Module](./module/) for more details. - -### Capability - -A capability is set of related actions that work together to achieve a specific transformation or operation on Kubernetes resources. Capabilities are user-defined and can include one or more actions. They are defined within a Pepr module and can be used in both MutatingWebhookConfigurations and ValidatingWebhookConfigurations. A Capability can have a specific scope, such as mutating or validating, and can be reused in multiple Pepr modules. - -See [Capabilities](./capabilities/) for more details. - -### Action - -Action is a discrete set of behaviors defined in a single function that acts on a given Kubernetes GroupVersionKind (GVK) passed in from Kubernetes. Actions are the atomic operations that are performed on Kubernetes resources by Pepr. - -For example, an action could be responsible for adding a specific label to a Kubernetes resource, or for modifying a specific field in a resource's metadata. Actions can be grouped together within a Capability to provide a more comprehensive set of operations that can be performed on Kubernetes resources. - -There are both `Mutate()` and `Validate()` Actions that can be used to modify or validate Kubernetes resources within the admission controller lifecycle. There is also a `Watch()` Action that can be used to watch for changes to Kubernetes resources that already exist. - -See [actions](./actions/) for more details. - -## Logical Pepr Flow - -![Arch Diagram](./_images/pepr-arch.svg) -[Source Diagram](_images/pepr-arch.svg) - -## TypeScript - -[TypeScript](https://www.typescriptlang.org/) is a strongly typed, object-oriented programming language built on top of JavaScript. It provides optional static typing and a rich type system, allowing developers to write more robust code. TypeScript is transpiled to JavaScript, enabling it to run in any environment that supports JavaScript. Pepr allows you to use JavaScript or TypeScript to write capabilities, but TypeScript is recommended for its type safety and rich type system. You can learn more about TypeScript [here](https://www.typescriptlang.org/docs/handbook/typescript-from-scratch.html). - -## Community - -To join our channel go to [Kubernetes Slack](https://communityinviter.com/apps/kubernetes/community) and join the `#pepr` channel. - - - - - -Made with [contrib.rocks](https://contrib.rocks). diff --git a/site/content/en/v0.22.3-alpha/actions.md b/site/content/en/v0.22.3-alpha/actions.md deleted file mode 100644 index 52b76cc44..000000000 --- a/site/content/en/v0.22.3-alpha/actions.md +++ /dev/null @@ -1,74 +0,0 @@ ---- -title: Actions -weight: ---- - - -An action is a discrete set of behaviors defined in a single function that acts on a given Kubernetes GroupVersionKind (GVK) passed in during the admission controller lifecycle. Actions are the atomic operations that are performed on Kubernetes resources by Pepr. - -For example, an action could be responsible for adding a specific label to a Kubernetes resource, or for modifying a specific field in a resource's metadata. Actions can be grouped together within a Capability to provide a more comprehensive set of operations that can be performed on Kubernetes resources. - -Actions are `Mutate()`, `Validate()`, or `Watch()`. Both Mutate and Validate actions run during the admission controller lifecycle, while Watch actions run in a separate controller that tracks changes to resources, including existing resources. - -Let's look at some example actions that are included in the `HelloPepr` capability that is created for you when you [`pepr init`](../cli#pepr-init): - ---- - -In this first example, Pepr is adding a label and annotation to a ConfigMap with tne name `example-1` when it is created. Comments are added to each line to explain in more detail what is happening. - -```ts -// When(a.) filters which GroupVersionKind (GVK) this action should act on. -When(a.ConfigMap) - // This limits the action to only act on new resources. - .IsCreated() - // This limits the action to only act on resources with the name "example-1". - .WithName("example-1") - // Mutate() is where we define the actual behavior of this action. - .Mutate(request => { - // The request object is a wrapper around the K8s resource that Pepr is acting on. - request - // Here we are adding a label to the ConfigMap. - .SetLabel("pepr", "was-here") - // And here we are adding an annotation. - .SetAnnotation("pepr.dev", "annotations-work-too"); - - // Note that we are not returning anything here. This is because Pepr is tracking the changes in each action automatically. - }); -``` - ---- - -In this example, a Validate action rejects any ConfigMap in the `pepr-demo` namespace that has no data. - -```ts -When(a.ConfigMap) - .IsCreated() - .InNamespace("pepr-demo") - // Validate() is where we define the actual behavior of this action. - .Validate(request => { - // If data exists, approve the request. - if (request.Raw.data) { - return request.Approve(); - } - - // Otherwise, reject the request with a message and optional code. - return request.Deny("ConfigMap must have data"); - }); -``` - ---- - -In this example, a Watch action on the name and phase of any ConfigMap.Watch actions run in a separate controller that tracks changes to resources, including existing resources so that you can react to changes in real-time. It is important to note that Watch actions are not run during the admission controller lifecycle, so they cannot be used to modify or validate resources. They also may run multiple times for the same resource, so it is important to make sure that your Watch actions are idempotent. In a future release, Pepr will provide a better way to control when a Watch action is run to avoid this issue. - -```ts -When(a.ConfigMap) - // Watch() is where we define the actual behavior of this action. - .Watch((cm, phase) => { - Log.info(cm, `ConfigMap ${cm.metadata.name} was ${phase}`); - }); -``` - -``` -There are many more examples in the `HelloPepr` capability that you can use as a reference when creating your own actions. Note that each time you run [`pepr update`](../cli#pepr-update), Pepr will automatically update the `HelloPepr` capability with the latest examples and best practices for you to reference and test directly in your Pepr Module. -``` - diff --git a/site/content/en/v0.22.3-alpha/capabilities.md b/site/content/en/v0.22.3-alpha/capabilities.md deleted file mode 100644 index 22862ad13..000000000 --- a/site/content/en/v0.22.3-alpha/capabilities.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -title: Capabilities -weight: ---- - - -A capability is set of related [actions](../actions/) that work together to achieve a specific transformation or operation on Kubernetes resources. Capabilities are user-defined and can include one or more actions. They are defined within a Pepr module and can be used in both MutatingWebhookConfigurations and ValidatingWebhookConfigurations. A Capability can have a specific scope, such as mutating or validating, and can be reused in multiple Pepr modules. - -When you [`pepr init`](../cli#pepr-init), a `capabilities` directory is created for you. This directory is where you will define your capabilities. You can create as many capabilities as you need, and each capability can contain one or more actions. Pepr also automatically creates a `HelloPepr` capability with a number of example actions to help you get started. - -## Creating a Capability - -Defining a new capability can be done via a [VSCode Snippet](https://code.visualstudio.com/docs/editor/userdefinedsnippets) generated during [`pepr init`](../cli#pepr-init). - -1. Create a new file in the `capabilities` directory with the name of your capability. For example, `capabilities/my-capability.ts`. - -1. Open the new file in VSCode and type `create` in the file. A suggestion should prompt you to generate the content from there. - - - -_If you prefer not to use VSCode, you can also modify or copy the `HelloPepr` capability to meet your needs instead._ - - -## Reusable Capabilities - -Pepr has an NPM org managed by Defense Unicorns, `@pepr`, where capabilities are published for reuse in other Pepr Modules. You can find a list of published capabilities [here](https://www.npmjs.com/search?q=@pepr). - -You also can publish your own Pepr capabilities to NPM and import them. A couple of things you'll want to be aware of when publishing your own capabilities: - -- Reuseable capability versions should use the format `0.x.x` or `0.12.x` as examples to determine compatibility with other reusable capabilities. Before `1.x.x`, we recommend binding to `0.x.x` if you can for maximum compatibility. - -- `pepr.ts` will still be used for local development, but you'll also need to publish an `index.ts` that exports your capabilities. When you build & publish the capability to NPM, you can use `npx pepr build -e index.ts` to generate the code needed for reuse by other Pepr modules. - -- See [Pepr Istio](https://github.com/defenseunicorns/pepr-istio) for an example of a reusable capability. diff --git a/site/content/en/v0.22.3-alpha/cli.md b/site/content/en/v0.22.3-alpha/cli.md deleted file mode 100644 index 7edef9724..000000000 --- a/site/content/en/v0.22.3-alpha/cli.md +++ /dev/null @@ -1,81 +0,0 @@ ---- -title: Pepr CLI -weight: ---- - - -## `pepr init` - -Initialize a new Pepr Module. - -**Options:** - -- `-l, --log-level [level]` - Log level: debug, info, warn, error (default: "info") -- `--skip-post-init` - Skip npm install, git init and VSCode launch - ---- - -## `pepr update` - -Update the current Pepr Module to the latest SDK version and update the global Pepr CLI to the same version. - -**Options:** - -- `-l, --log-level [level]` - Log level: debug, info, warn, error (default: "info") -- `--skip-template-update` - Skip updating the template files - ---- - -## `pepr dev` - -Connect a local cluster to a local version of the Pepr Controller to do real-time debugging of your module. Note -the `pepr dev` assumes a K3d cluster is running by default. If you are working with Kind or another docker-based -K8s distro, you will need to pass the `--host host.docker.internal` option to `pepr dev`. If working with a remote -cluster you will have to give Pepr a host path to your machine that is reachable from the K8s cluster. - -**Options:** - -- `-l, --log-level [level]` - Log level: debug, info, warn, error (default: "info") -- `-h, --host [host]` - Host to listen on (default: "host.k3d.internal") -- `--confirm` - Skip confirmation prompt - ---- - -## `pepr deploy` - -Deploy the current module into a Kubernetes cluster, useful for CI systems. Not recommended for production use. - -**Options:** - -- `-l, --log-level [level]` - Log level: debug, info, warn, error (default: "info") -- `-i, --image [image]` - Override the image tag -- `--confirm` - Skip confirmation prompt - ---- - -## pepr monitor - -Monitor Validations for a given Pepr Module. - -Usage: -```bash -npx pepr monitor [options] -``` - -**Options:** -- `-l, --log-level [level]` - Log level: debug, info, warn, error (default: "info") -- `-h, --help` - Display help for command - ---- -## `pepr build` - -Create a [zarf.yaml](https://zarf.dev) and K8s manifest for the current module. This includes everything needed to deploy Pepr and the current module into production environments. - -**Options:** - -- `-l, --log-level [level]` - Log level: debug, info, warn, error (default: "info") -- `-e, --entry-point [file]` - Specify the entry point file to build with. (default: "pepr.ts") -- `-n, --no-embed` - Disables embedding of deployment files into output module. Useful when creating library modules intended solely for reuse/distribution via NPM -- `-r, --registry-info [/]` - Registry Info: Image registry and username. Note: You must be signed into the registry -- `-o, --output-dir [output directory]` - Define where to place build output -- `--rbac-mode [admin|scoped]` - Rbac Mode: admin, scoped (default: admin) (choices: "admin", "scoped", default: "admin") diff --git a/site/content/en/v0.22.3-alpha/customresources.md b/site/content/en/v0.22.3-alpha/customresources.md deleted file mode 100644 index c78a93178..000000000 --- a/site/content/en/v0.22.3-alpha/customresources.md +++ /dev/null @@ -1,165 +0,0 @@ ---- -title: Importing Custom Resources -weight: ---- - - - -The [Kubernetes Fluent Client](https://github.com/defenseunicorns/kubernetes-fluent-client) supports the creation of TypeScript typings directly from Kubernetes Custom Resource Definitions (CRDs). The files it generates can be directly incorporated into Pepr capabilities and provide a way to work with strongly-typed CRDs. - -For example (below), Istio CRDs can be imported and used as though they were intrinsic Kubernetes resources. - - -## Generating TypeScript Types from CRDs - -Using the kubernetes-fluent-client to produce a new type looks like this: - -```bash -npx kubernetes-fluent-client crd [source] [directory] -``` - -The `crd` command expects a `[source]`, which can be a URL or local file containing the `CustomResourceDefinition(s)`, and a `[directory]` where the generated code will live. - -The following example creates types for the Istio CRDs: - -```bash -user@workstation$ npx kubernetes-fluent-client crd https://raw.githubusercontent.com/istio/istio/master/manifests/charts/base/crds/crd-all.gen.yaml crds - -Attempting to load https://raw.githubusercontent.com/istio/istio/master/manifests/charts/base/crds/crd-all.gen.yaml as a URL - -- Generating extensions.istio.io/v1alpha1 types for WasmPlugin -- Generating networking.istio.io/v1alpha3 types for DestinationRule -- Generating networking.istio.io/v1beta1 types for DestinationRule -- Generating networking.istio.io/v1alpha3 types for EnvoyFilter -- Generating networking.istio.io/v1alpha3 types for Gateway -- Generating networking.istio.io/v1beta1 types for Gateway -- Generating networking.istio.io/v1beta1 types for ProxyConfig -- Generating networking.istio.io/v1alpha3 types for ServiceEntry -- Generating networking.istio.io/v1beta1 types for ServiceEntry -- Generating networking.istio.io/v1alpha3 types for Sidecar -- Generating networking.istio.io/v1beta1 types for Sidecar -- Generating networking.istio.io/v1alpha3 types for VirtualService -- Generating networking.istio.io/v1beta1 types for VirtualService -- Generating networking.istio.io/v1alpha3 types for WorkloadEntry -- Generating networking.istio.io/v1beta1 types for WorkloadEntry -- Generating networking.istio.io/v1alpha3 types for WorkloadGroup -- Generating networking.istio.io/v1beta1 types for WorkloadGroup -- Generating security.istio.io/v1 types for AuthorizationPolicy -- Generating security.istio.io/v1beta1 types for AuthorizationPolicy -- Generating security.istio.io/v1beta1 types for PeerAuthentication -- Generating security.istio.io/v1 types for RequestAuthentication -- Generating security.istio.io/v1beta1 types for RequestAuthentication -- Generating telemetry.istio.io/v1alpha1 types for Telemetry - -✅ Generated 23 files in the istio directory -``` - -Observe that the `kubernetes-fluent-client` has produced the TypeScript types within the `crds` directory. These types can now be utilized in the Pepr module. - -```typescript -user@workstation$ cat crds/proxyconfig-v1beta1.ts -// This file is auto-generated by kubernetes-fluent-client, do not edit manually - -import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; - -export class ProxyConfig extends GenericKind { - /** - * Provides configuration for individual workloads. See more details at: - * https://istio.io/docs/reference/config/networking/proxy-config.html - */ - spec?: Spec; - status?: { [key: string]: any }; -} - -/** - * Provides configuration for individual workloads. See more details at: - * https://istio.io/docs/reference/config/networking/proxy-config.html - */ -export interface Spec { - /** - * The number of worker threads to run. - */ - concurrency?: number; - /** - * Additional environment variables for the proxy. - */ - environmentVariables?: { [key: string]: string }; - /** - * Specifies the details of the proxy image. - */ - image?: Image; - /** - * Optional. - */ - selector?: Selector; -} - -/** - * Specifies the details of the proxy image. - */ -export interface Image { - /** - * The image type of the image. - */ - imageType?: string; -} - -/** - * Optional. - */ -export interface Selector { - /** - * One or more labels that indicate a specific set of pods/VMs on which a policy should be - * applied. - */ - matchLabels?: { [key: string]: string }; -} - -RegisterKind(ProxyConfig, { - group: "networking.istio.io", - version: "v1beta1", - kind: "ProxyConfig", -}); -``` - -## Using new types - -The generated types can be imported into Pepr directly, _there is no additional logic needed to make them to work_. - -```typescript -import { Capability, K8s, Log, a, kind } from "pepr"; - -import { Gateway } from "../crds/gateway-v1beta1"; -import { - PurpleDestination, - VirtualService, -} from "../crds/virtualservice-v1beta1"; - -export const IstioVirtualService = new Capability({ - name: "istio-virtual-service", - description: "Generate Istio VirtualService resources", -}); - -// Use the 'When' function to create a new action -const { When, Store } = IstioVirtualService; - -// Define the configuration keys -enum config { - Gateway = "uds/istio-gateway", - Host = "uds/istio-host", - Port = "uds/istio-port", - Domain = "uds/istio-domain", -} - -// Define the valid gateway names -const validGateway = ["admin", "tenant", "passthrough"]; - -// Watch Gateways to get the HTTPS domain for each gateway -When(Gateway) - .IsCreatedOrUpdated() - .WithLabel(config.Domain) - .Watch(vs => { - // Store the domain for the gateway - Store.setItem(vs.metadata.name, vs.metadata.labels[config.Domain]); - }); -``` diff --git a/site/content/en/v0.22.3-alpha/metrics.md b/site/content/en/v0.22.3-alpha/metrics.md deleted file mode 100644 index e91699726..000000000 --- a/site/content/en/v0.22.3-alpha/metrics.md +++ /dev/null @@ -1,113 +0,0 @@ ---- -title: /metrics Endpoint Documentation -weight: ---- - - -The `/metrics` endpoint provides metrics for the application that are collected via the `MetricsCollector` class. It uses the `prom-client` library and performance hooks from Node.js to gather and expose the metrics data in a format that can be scraped by Prometheus. - -## Metrics Exposed - -The `MetricsCollector` exposes the following metrics: - -- `pepr_errors`: A counter that increments when an error event occurs in the application. -- `pepr_alerts`: A counter that increments when an alert event is triggered in the application. -- `pepr_Mutate`: A summary that provides the observed durations of mutation events in the application. -- `pepr_Validate`: A summary that provides the observed durations of validation events in the application. - -## API Details - -**Method:** GET - -**URL:** `/metrics` - -**Response Type:** text/plain - -**Status Codes:** -- 200 OK: On success, returns the current metrics from the application. - -**Response Body:** -The response body is a plain text representation of the metrics data, according to the Prometheus exposition formats. It includes the metrics mentioned above. - -## Examples - -### Request - -```plaintext -GET /metrics -``` - -### Response -```plaintext - `# HELP pepr_errors Mutation/Validate errors encountered - # TYPE pepr_errors counter - pepr_errors 5 - - # HELP pepr_alerts Mutation/Validate bad api token received - # TYPE pepr_alerts counter - pepr_alerts 10 - - # HELP pepr_Mutate Mutation operation summary - # TYPE pepr_Mutate summary - pepr_Mutate{quantile="0.01"} 100.60707900021225 - pepr_Mutate{quantile="0.05"} 100.60707900021225 - pepr_Mutate{quantile="0.5"} 100.60707900021225 - pepr_Mutate{quantile="0.9"} 100.60707900021225 - pepr_Mutate{quantile="0.95"} 100.60707900021225 - pepr_Mutate{quantile="0.99"} 100.60707900021225 - pepr_Mutate{quantile="0.999"} 100.60707900021225 - pepr_Mutate_sum 100.60707900021225 - pepr_Mutate_count 1 - - # HELP pepr_Validate Validation operation summary - # TYPE pepr_Validate summary - pepr_Validate{quantile="0.01"} 201.19413900002837 - pepr_Validate{quantile="0.05"} 201.19413900002837 - pepr_Validate{quantile="0.5"} 201.2137690000236 - pepr_Validate{quantile="0.9"} 201.23339900001884 - pepr_Validate{quantile="0.95"} 201.23339900001884 - pepr_Validate{quantile="0.99"} 201.23339900001884 - pepr_Validate{quantile="0.999"} 201.23339900001884 - pepr_Validate_sum 402.4275380000472 - pepr_Validate_count 2 -``` - -## Prometheus Operator - -If using the Prometheus Operator, the following `ServiceMonitor` example manifests can be used to scrape the `/metrics` endpoint for the `admission` and `watcher` controllers. - -```yaml -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: admission -spec: - selector: - matchLabels: - pepr.dev/controller: admission - namespaceSelector: - matchNames: - - pepr-system - endpoints: - - targetPort: 3000 - scheme: https - tlsConfig: - insecureSkipVerify: true ---- -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: watcher -spec: - selector: - matchLabels: - pepr.dev/controller: watcher - namespaceSelector: - matchNames: - - pepr-system - endpoints: - - targetPort: 3000 - scheme: https - tlsConfig: - insecureSkipVerify: true -``` diff --git a/site/content/en/v0.22.3-alpha/module.md b/site/content/en/v0.22.3-alpha/module.md deleted file mode 100644 index 9cc1204be..000000000 --- a/site/content/en/v0.22.3-alpha/module.md +++ /dev/null @@ -1,94 +0,0 @@ ---- -title: Pepr Module -weight: ---- - - -Each Pepr Module is it's own Typescript project, produced by [`pepr init`](../cli#pepr-init). Typically a module is maintained by a unique group or system. For example, a module for internal [Zarf](https://zarf.dev/) mutations would be different from a module for [Big Bang](https://p1.dso.mil/products/big-bang). An important idea with modules is that they are _wholly independent of one another_. This means that 2 different modules can be on completely different versions of Pepr and any other dependencies; their only interaction is through the standard K8s interfaces like any other webhook or controller. - -## Module development lifecycle - -1. **Create the module**: - - Use [`pepr init`](../cli#pepr-init) to generate a new module. - -1. **Quickly validate system setup**: - - Every new module includes a sample Pepr Capability called `HelloPepr`. By default, - this capability is deployed and monitoring the `pepr-demo` namespace. There is a sample - yaml also included you can use to see Pepr in your cluster. Here's the quick steps to do - that after `pepr init`: - - ```bash - # cd to the newly-created Pepr module folder - cd my-module-name - - # If you don't already have a local K8s cluster, you can set one up with k3d - npm run k3d-setup - - # Launch pepr dev mode - # If using another local K8s distro instead of k3d, use `pepr dev --host host.docker.internal` - pepr dev - - # From another terminal, apply the sample yaml - kubectl apply -f capabilities/hello-pepr.samples.yaml - - # Verify the configmaps were transformed using kubectl, k9s or another tool - ``` - -1. **Create your custom Pepr Capabilities** - - Now that you have confirmed Pepr is working, you can now create new [capabilities](../capabilities/). You'll also want to disable the `HelloPepr` capability in your module (`pepr.ts`) before pushing to production. You can disable by commenting out or deleting the `HelloPepr` variable below: - - ```typescript - new PeprModule(cfg, [ - // Remove or comment the line below to disable the HelloPepr capability - HelloPepr, - - // Your additional capabilities go here - ]); - ``` - - _Note: if you also delete the `capabilities/hello-pepr.ts` file, it will be added again on the next [`pepr update`](../cli#pepr-update) so you have the latest examples usages from the Pepr SDK. Therefore, it is sufficient to remove the entry from your `pepr.ts` module - config._ - -1. **Build and deploy the Pepr Module** - - Most of the time, you'll likely be iterating on a module with `pepr dev` for real-time feedback and validation Once you are ready to move beyond the local dev environment, Pepr provides deployment and build tools you can use. - - `pepr deploy` - you can use this command to build your module and deploy it into any K8s cluster your current `kubecontext` has access to. This setup is ideal for CI systems during testing, but is not recommended for production use. See [`pepr deploy`](../cli#pepr-deploy) for more info. - -## Advanced Module Configuration - -By default, when you run `pepr init`, the module is not configured with any additional options. Currently, there are 3 options you can configure: - -- `deferStart` - if set to `true`, the module will not start automatically. You will need to call `start()` manually. This is useful if you want to do some additional setup before the module controller starts. You can also use this to change the default port that the controller listens on. - -- `beforeHook` - an optional callback that will be called before every request is processed. This is useful if you want to do some additional logging or validation before the request is processed. - -- `afterHook` - an optional callback that will be called after every request is processed. This is useful if you want to do some additional logging or validation after the request is processed. - -You can configure each of these by modifying the `pepr.ts` file in your module. Here's an example of how you would configure each of these options: - -```typescript -const module = new PeprModule( - cfg, - [ - // Your capabilities go here - ], - { - deferStart: true, - - beforeHook: req => { - // Any actions you want to perform before the request is processed, including modifying the request. - }, - - afterHook: res => { - // Any actions you want to perform after the request is processed, including modifying the response. - }, - } -); - -// Do any additional setup before starting the controller -module.start(); -``` diff --git a/site/content/en/v0.22.3-alpha/rbac.md b/site/content/en/v0.22.3-alpha/rbac.md deleted file mode 100644 index 004eccf89..000000000 --- a/site/content/en/v0.22.3-alpha/rbac.md +++ /dev/null @@ -1,152 +0,0 @@ ---- -title: RBAC Modes -weight: ---- - - -During the build phase of Pepr (`npx pepr build --rbac-mode [admin|scoped]`), you have the option to specify the desired RBAC mode through specific flags. This allows fine-tuning the level of access granted based on requirements and preferences. - -## Modes - -**admin** - -```bash -npx pepr build --rbac-mode admin -``` - -**Description:** The service account is given cluster-admin permissions, granting it full, unrestricted access across the entire cluster. This can be useful for administrative tasks where broad permissions are necessary. However, use this mode with caution, as it can pose security risks if misused. This is the default mode. - -**scoped** - -```bash -npx pepr build --rbac-mode scoped -``` - -**Description:** The service account is provided just enough permissions to perform its required tasks, and no more. This mode is recommended for most use cases as it limits potential attack vectors and aligns with best practices in security. _The admission controller's primary mutating or validating action doesn't require a ClusterRole (as the request is not persisted or executed while passing through admission control), if you have a use case where the admission controller's logic involves reading other Kubernetes resources or taking additional actions beyond just validating, mutating, or watching the incoming request, appropriate RBAC settings should be reflected in the ClusterRole. See how in [Updating the ClusterRole](#updating-the-clusterrole)._ - -## Debugging RBAC Issues - -If encountering unexpected behaviors in Pepr while running in scoped mode, check to see if they are related to RBAC. - -1. Check Deployment logs for RBAC errors: - -```bash -kubectl logs -n pepr-system -l app | jq - -# example output -{ - "level": 50, - "time": 1697983053758, - "pid": 16, - "hostname": "pepr-static-test-watcher-745d65857d-pndg7", - "data": { - "kind": "Status", - "apiVersion": "v1", - "metadata": {}, - "status": "Failure", - "message": "configmaps \"pepr-ssa-demo\" is forbidden: User \"system:serviceaccount:pepr-system:pepr-static-test\" cannot patch resource \"configmaps\" in API group \"\" in the namespace \"pepr-demo-2\"", - "reason": "Forbidden", - "details": { - "name": "pepr-ssa-demo", - "kind": "configmaps" - }, - "code": 403 - }, - "ok": false, - "status": 403, - "statusText": "Forbidden", - "msg": "Dooes the ServiceAccount permissions to CREATE and PATCH this ConfigMap?" -} -``` - -2. Verify ServiceAccount Permissions with `kubectl auth can-i` - -```bash -SA=$(kubectl get deploy -n pepr-system -o=jsonpath='{range .items[0]}{.spec.template.spec.serviceAccountName}{"\n"}{end}') - -# Can i create configmaps as the service account in pepr-demo-2? -kubectl auth can-i create cm --as=system:serviceaccount:pepr-system:$SA -n pepr-demo-2 - -# example output: no -``` - -3. Describe the ClusterRole - -```bash -SA=$(kubectl get deploy -n pepr-system -o=jsonpath='{range .items[0]}{.spec.template.spec.serviceAccountName}{"\n"}{end}') - -kubectl describe clusterrole $SA - -# example output: -Name: pepr-static-test -Labels: -Annotations: -PolicyRule: - Resources Non-Resource URLs Resource Names Verbs - --------- ----------------- -------------- ----- - peprstores.pepr.dev [] [] [create delete get list patch update watch] - configmaps [] [] [watch] - namespaces [] [] [watch] -``` - -## Updating the ClusterRole - -As discussed in the [Modes](#modes) section, the admission controller's primary mutating or validating action doesn't require a ClusterRole (as the request is not persisted or executed while passing through admission control), if you have a use case where the admission controller's logic involves reading other Kubernetes resources or taking additional actions beyond just validating, mutating, or watching the incoming request, appropriate RBAC settings should be reflected in the ClusterRole. - -Step 1: Figure out the desired permissions. (`kubectl create clusterrole --help` is a good place to start figuring out the syntax) - -```bash - kubectl create clusterrole configMapApplier --verb=create,patch --resource=configmap --dry-run=client -oyaml - - # example output -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: configMapApplier -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - patch -``` - -Step 2: Update the ClusterRole in the `dist` folder. - -```yaml -... -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: pepr-static-test -rules: - - apiGroups: - - pepr.dev - resources: - - peprstores - verbs: - - create - - get - - patch - - watch - - apiGroups: - - '' - resources: - - namespaces - verbs: - - watch - - apiGroups: - - '' - resources: - - configmaps - verbs: - - watch - - create # New - - patch # New -... -``` - -Step 3: Apply the updated configuration diff --git a/site/content/en/v0.22.3-alpha/store.md b/site/content/en/v0.22.3-alpha/store.md deleted file mode 100644 index 2f975cb49..000000000 --- a/site/content/en/v0.22.3-alpha/store.md +++ /dev/null @@ -1,47 +0,0 @@ ---- -title: Pepr Store A Lightweight Key-Value Store for Pepr Modules -weight: ---- - - -The nature of admission controllers and general watch operations (the `Mutate`, `Validate` and `Watch` actions in Pepr) make some types of complex and long-running operations difficult. There are also times when you need to share data between different actions. While you could manually create your own K8s resources and manage their cleanup, this can be very hard to track and keep performant at scale. - -The Pepr Store solves this by exposing a simple, [Web Storage API](https://developer.mozilla.org/en-US/docs/Web/API/Storage)-compatible mechanism for use within capabilities. Additionally, as Pepr runs multiple replicas of the admission controller along with a watch controller, the Pepr Store provides a unique way to share data between these different instances automatically. - -Each Pepr Capability has a `Store` instance that can be used to get, set and delete data as well as subscribe to any changes to the Store. Behind the scenes, all capability store instances in a single Pepr Module are stored within a single CRD in the cluster. This CRD is automatically created when the Pepr Module is deployed. Care is taken to make the read and write operations as efficient as possible by using K8s watches, batch processing and patch operations for writes. - -## Key Features - -- **Asynchronous Key-Value Store**: Provides an asynchronous interface for storing small amounts of data, making it ideal for sharing information between various actions and capabilities. -- **Web Storage API Compatibility**: The store's API is aligned with the standard [Web Storage API](https://developer.mozilla.org/en-US/docs/Web/API/Storage), simplifying the learning curve. -- **Real-time Updates**: The `.subscribe()` and `onReady()` methods enable real-time updates, allowing you to react to changes in the data store instantaneously. - -- **Automatic CRD Management**: Each Pepr Module has its data stored within a single Custom Resource Definition (CRD) that is automatically created upon deployment. -- **Efficient Operations**: Pepr Store uses Kubernetes watches, batch processing, and patch operations to make read and write operations as efficient as possible. - -## Quick Start - -```typescript -// Example usage for Pepr Store -Store.setItem("example-1", "was-here"); -Store.setItem("example-1-data", JSON.stringify(request.Raw.data)); -Store.onReady(data => { - Log.info(data, "Pepr Store Ready"); -}); -const unsubscribe = Store.subscribe(data => { - Log.info(data, "Pepr Store Updated"); - unsubscribe(); -}); -``` - -## API Reference - -### Methods - -- `getItem(key: string)`: Retrieves a value by its key. Returns `null` if the key doesn't exist. -- `setItem(key: string, value: string)`: Sets a value for a given key. Creates a new key-value pair if the key doesn't exist. -- `setItemAndWait(key: string, value: string)`: Sets a value for a given key. Creates a new key-value pair if the key doesn't exist. Returns a promise when the new key and value show up in the store. Should only be used on a `Watch` to avoid [timeouts](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#timeouts). -- `removeItem(key: string)`: Deletes a key-value pair by its key. -- `clear()`: Clears all key-value pairs from the store. -- `subscribe(listener: DataReceiver)`: Subscribes to store updates. -- `onReady(callback: DataReceiver)`: Executes a callback when the store is ready. diff --git a/site/content/en/v0.22.3-alpha/webassembly.md b/site/content/en/v0.22.3-alpha/webassembly.md deleted file mode 100644 index b36671e82..000000000 --- a/site/content/en/v0.22.3-alpha/webassembly.md +++ /dev/null @@ -1,188 +0,0 @@ ---- -title: WASM Support Running WebAssembly in Pepr Guide -weight: ---- - - -Pepr fully supports WebAssembly. Depending on the language used to generate the WASM, certain files can be too large to fit into a `Secret` or `ConfigMap`. Due to this limitation, users have the ability to incorporate `*.wasm` and any other essential files during the build phase, which are then embedded into the Pepr Controller container. This is achieved through adding an array of files to the `includedFiles` section under `pepr` in the `package.json`. - -> **NOTE -** In order to instantiate the WebAsembly module in TypeScript, you need the WebAssembly type. This is accomplished through add the "DOM" to the `lib` array in the `compilerOptions` section of the `tsconfig.json`. Ex: `"lib": ["ES2022", "DOM"]`. Be aware that adding the DOM will add a lot of extra types to your project and your developer experience will be impacted in terms of the intellisense. - - -## High-Level Overview - -WASM support is achieved through adding files as layers atop the Pepr controller image, these files are then able to be read by the individual capabilities. The key components of WASM support are: - -- Add files to the **base** of the Pepr module. -- Reference the files in the `includedFiles` section of the `pepr` block of the `package.json` -- Run `npx pepr build` with the `-r ` option specifying registry info. Ex: `npx pepr build -r docker.io/cmwylie19` -- Pepr builds and pushes a custom image that is used in the `Deployment`. - -## Using WASM Support - -### Creating a WASM Module in Go - -Create a simple Go function that you want to call from your Pepr module - -```go -package main - -import ( - "fmt" - "syscall/js" -) - -func concats(this js.Value, args []js.Value) interface{} { - fmt.Println("PeprWASM!") - stringOne := args[0].String() - stringTwo := args[1].String() - return fmt.Sprintf("%s%s", stringOne, stringTwo) -} - -func main() { - done := make(chan struct{}, 0) - js.Global().Set("concats", js.FuncOf(concats)) - <-done -} -``` - -Compile it to a wasm target and move it to your Pepr module - -```bash -GOOS=js GOARCH=wasm go build -o main.wasm -cp main.wasm $YOUR_PEPR_MODULE/ -``` - -Copy the `wasm_exec.js` from `GOROOT` to your Pepr Module - -```bash -cp "$(go env GOROOT)/misc/wasm/wasm_exec.js" $YOUR_PEPR_MODULE/ -``` - -Update the polyfill to add `globalThis.crypto` in the `wasm_exec.js` since we are not running in the browser. This is needed directly under: `(() => {` - - -```javascript -// Initialize the polyfill -if (typeof globalThis.crypto === 'undefined') { - globalThis.crypto = { - getRandomValues: (array) => { - for (let i = 0; i < array.length; i++) { - array[i] = Math.floor(Math.random() * 256); - } - }, - }; -} -``` - - -### Configure Pepr to use WASM - -After adding the files to the root of the Pepr module, reference those files in the `package.json`: - -```json -{ - "name": "pepr-test-module", - "version": "0.0.1", - "description": "A test module for Pepr", - "keywords": [ - "pepr", - "k8s", - "policy-engine", - "pepr-module", - "security" - ], - "engines": { - "node": ">=18.0.0" - }, - "pepr": { - "name": "pepr-test-module", - "uuid": "static-test", - "onError": "ignore", - "alwaysIgnore": { - "namespaces": [], - "labels": [] - }, - "includedFiles":[ - "main.wasm", - "wasm_exec.js" - ] - }, - ... -} -``` - -Update the `tsconfig.json` to add "DOM" to the `compilerOptions` lib: - -```json -{ - "compilerOptions": { - "allowSyntheticDefaultImports": true, - "declaration": true, - "declarationMap": true, - "emitDeclarationOnly": true, - "esModuleInterop": true, - "lib": [ - "ES2022", - "DOM" // <- Add this - ], - "module": "CommonJS", - "moduleResolution": "node", - "outDir": "dist", - "resolveJsonModule": true, - "rootDir": ".", - "strict": false, - "target": "ES2022", - "useUnknownInCatchVariables": false - }, - "include": [ - "**/*.ts" - ] -} -``` - -### Call WASM functions from TypeScript - -Import the `wasm_exec.js` in the `pepr.ts` - -```javascript -import "./wasm_exec.js"; -``` - -Create a helper function to load the wasm file in a capability and call it during an event of your choice - -```typescript -async function callWASM(a,b) { - const go = new globalThis.Go(); - - const wasmData = readFileSync("main.wasm"); - var concated: string; - - await WebAssembly.instantiate(wasmData, go.importObject).then(wasmModule => { - go.run(wasmModule.instance); - - concated = global.concats(a,b); - }); - return concated; -} - -When(a.Pod) -.IsCreated() -.Mutate(async pod => { - try { - let label_value = await callWASM("loves","wasm") - pod.SetLabel("pepr",label_value) - } - catch(err) { - Log.error(err); - } -}); -``` - -### Run Pepr Build - -Build your Pepr module with the registry specified. - -```bash -npx pepr build -r docker.io/defenseunicorns -```