defenseunicorns · Dec 5, 2023 · Dec 5, 2023 · Dec 5, 2023 · Dec 6, 2023 · Dec 6, 2023
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,4 +1,4 @@
-name: Version Releaes
+name: Version Release
 
 on:
   release:

diff --git a/docs/cli.md b/docs/cli.md
@@ -49,6 +49,20 @@ Deploy the current module into a Kubernetes cluster, useful for CI systems. Not
 
 ---
 
+## pepr monitor
+
+Monitor Validations for a given Pepr Module.
+
+Usage: 
+```bash
+npx pepr monitor [options] <module-uuid>
+```
+
+**Options:**
+- `-l, --log-level [level]` - Log level: debug, info, warn, error (default: "info")
+- `-h, --help` - Display help for command
+
+---
 ## `pepr build`
 
 Create a [zarf.yaml](https://zarf.dev) and K8s manifest for the current module. This includes everything needed to deploy Pepr and the current module into production environments.
@@ -60,4 +74,4 @@ Create a [zarf.yaml](https://zarf.dev) and K8s manifest for the current module.
 - `-n, --no-embed` - Disables embedding of deployment files into output module. Useful when creating library modules intended solely for reuse/distribution via NPM
 - `-r, --registry-info [<registry>/<username>]` - Registry Info: Image registry and username. Note: You must be signed into the registry
 - `-o, --output-dir [output directory]` - Define where to place build output
-- `--rbac-mode [admin|scoped]` - Rbac Mode: admin, scoped (default: admin) (choices: "admin", "scoped", default: "admin")
+- `--rbac-mode [admin|scoped]` - Rbac Mode: admin, scoped (default: admin) (choices: "admin", "scoped", default: "admin")
diff --git a/src/cli.ts b/src/cli.ts
@@ -8,6 +8,7 @@ import build from "./cli/build";
 import deploy from "./cli/deploy";
 import dev from "./cli/dev";
 import format from "./cli/format";
+import monitor from "./cli/monitor";
 import init from "./cli/init/index";
 import { version } from "./cli/init/templates";
 import { RootCmd } from "./cli/root";
@@ -39,5 +40,6 @@ deploy(program);
 dev(program);
 update(program);
 format(program);
+monitor(program);
 
 program.parse();
diff --git a/src/cli/monitor.ts b/src/cli/monitor.ts
@@ -0,0 +1,87 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { Log as K8sLog, KubeConfig } from "@kubernetes/client-node";
+import { K8s, kind } from "kubernetes-fluent-client";
+import stream from "stream";
+import { ResponseItem } from "../lib/types";
+import { RootCmd } from "./root";
+
+export default function (program: RootCmd) {
+  program
+    .command("monitor <module-uuid>")
+    .description("Monitor a Pepr Module")
+    .action(async uuid => {
+      if (!uuid) {
+        console.error("Module UUID is required");
+        process.exit(1);
+      }
+
+      // Get the logs for the `app=pepr-${module}` pod selector
+      const pods = await K8s(kind.Pod)
+        .InNamespace("pepr-system")
+        .WithLabel("app", `pepr-${uuid}`)
+        .Get();
+
+      const podNames = pods.items.flatMap(pod => pod.metadata!.name) as string[];
+
+      if (podNames.length < 1) {
+        console.error(`No pods found for module ${uuid}`);
+        process.exit(1);
+      }
+
+      const kc = new KubeConfig();
+      kc.loadFromDefault();
+
+      const log = new K8sLog(kc);
+
+      const logStream = new stream.PassThrough();
+
+      logStream.on("data", chunk => {
+        const respMsg = `"msg":"Check response"`;
+        // Split the chunk into lines
+        const lines = chunk.toString().split("\n");
+
+        for (const line of lines) {
+          // Check for `"msg":"Hello Pepr"`
+          if (line.includes(respMsg)) {
+            try {
+              const payload = JSON.parse(line);
+              const isMutate = payload.res.patchType || payload.res.warnings;
+
+              const name = `${payload.namespace}${payload.name}`;
+              const uid = payload.uid;
+
+              if (isMutate) {
+                const allowOrDeny = payload.res.allowed ? "✅" : "❌";
+                console.log(`\n${allowOrDeny}  MUTATE     ${name} (${uid})`);
+              } else {
+                const failures = Array.isArray(payload.res) ? payload.res : [payload.res];
+
+                const filteredFailures = failures
+                  .filter((r: ResponseItem) => !r.allowed)
+                  .map((r: ResponseItem) => r.status.message);
+                // console.log(`${name} (${uid}) | VALIDATE | ${allow ? "ALLOW" : "DENY"}`);
+                if (filteredFailures.length > 0) {
+                  console.log(`\n❌  VALIDATE   ${name} (${uid})`);
+                  console.debug(filteredFailures);
+                } else {
+                  console.log(`\n✅  VALIDATE   ${name} (${uid})`);
+                }
+              }
+            } catch {
+              console.warn(`\nIGNORED - Unable to parse line: ${line}.`);
+            }
+          }
+        }
+      });
+
+      for (const podName of podNames) {
+        await log.log("pepr-system", podName, "server", logStream, {
+          follow: true,
+          pretty: false,
+          timestamps: false,
+        });
+      }
+    });
+}
diff --git a/src/lib.ts b/src/lib.ts
@@ -7,6 +7,7 @@ import { PeprModule } from "./lib/module";
 import { PeprMutateRequest } from "./lib/mutate-request";
 import * as PeprUtils from "./lib/utils";
 import { PeprValidateRequest } from "./lib/validate-request";
+import { containers } from "./lib/module-helpers";
 
 export {
   Capability,
@@ -22,4 +23,5 @@ export {
   fetch,
   fetchStatus,
   kind,
+  containers,
 };
diff --git a/src/lib/assets/index.ts b/src/lib/assets/index.ts
@@ -6,15 +6,19 @@ import crypto from "crypto";
 import { ModuleConfig } from "../module";
 import { TLSOut, genTLS } from "../tls";
 import { CapabilityExport } from "../types";
+import { WebhookIgnore } from "../k8s";
 import { deploy } from "./deploy";
 import { loadCapabilities } from "./loader";
 import { allYaml, zarfYaml } from "./yaml";
+import { namespaceComplianceValidator } from "../helpers";
 
 export class Assets {
   readonly name: string;
   readonly tls: TLSOut;
   readonly apiToken: string;
+  readonly alwaysIgnore!: WebhookIgnore;
   capabilities!: CapabilityExport[];
+
   image: string;
 
   constructor(
@@ -23,7 +27,7 @@ export class Assets {
     readonly host?: string,
   ) {
     this.name = `pepr-${config.uuid}`;
-
+    this.alwaysIgnore = config.alwaysIgnore;
     this.image = `ghcr.io/defenseunicorns/pepr/controller:v${config.peprVersion}`;
 
     // Generate the ephemeral tls things
@@ -42,6 +46,11 @@ export class Assets {
 
   allYaml = async (rbacMode: string) => {
     this.capabilities = await loadCapabilities(this.path);
+    // give error if namespaces are not respected
+    for (const capability of this.capabilities) {
+      namespaceComplianceValidator(capability, this.alwaysIgnore.namespaces);
+    }
+
     return allYaml(this, rbacMode);
   };
 }
diff --git a/src/lib/controller/index.ts b/src/lib/controller/index.ts
@@ -13,6 +13,7 @@ import { ModuleConfig, isWatchMode } from "../module";
 import { mutateProcessor } from "../mutate-processor";
 import { validateProcessor } from "../validate-processor";
 import { PeprControllerStore } from "./store";
+import { ResponseItem } from "../types";
 
 export class Controller {
   // Track whether the server is running
@@ -233,34 +234,40 @@ export class Controller {
         const responseList: ValidateResponse[] | MutateResponse[] = Array.isArray(response) ? response : [response];
         responseList.map(res => {
           this.#afterHook && this.#afterHook(res);
+          // Log the response
+          Log.debug({ ...reqMetadata, res }, "Check response");
         });
 
-        // Log the response
-        Log.debug({ ...reqMetadata, response }, "Outgoing response");
+        let kubeAdmissionResponse: ValidateResponse[] | MutateResponse | ResponseItem;
 
         if (admissionKind === "Mutate") {
+          kubeAdmissionResponse = response;
+          Log.debug({ ...reqMetadata, response }, "Outgoing response");
           res.send({
             apiVersion: "admission.k8s.io/v1",
             kind: "AdmissionReview",
-            response,
+            response: kubeAdmissionResponse,
           });
         } else {
+          kubeAdmissionResponse = {
+            uid: responseList[0].uid,
+            allowed: responseList.filter(r => !r.allowed).length === 0,
+            status: {
+              message: (responseList as ValidateResponse[])
+                .filter(rl => !rl.allowed)
+                .map(curr => curr.status?.message)
+                .join("; "),
+            },
+          };
           res.send({
             apiVersion: "admission.k8s.io/v1",
             kind: "AdmissionReview",
-            response: {
-              uid: responseList[0].uid,
-              allowed: responseList.filter(r => !r.allowed).length === 0,
-              status: {
-                message: (responseList as ValidateResponse[])
-                  .filter(rl => !rl.allowed)
-                  .map(curr => curr.status?.message)
-                  .join("; "),
-              },
-            },
+            response: kubeAdmissionResponse,
           });
         }
 
+        Log.debug({ ...reqMetadata, kubeAdmissionResponse }, "Outgoing response");
+
         this.#metricsCollector.observeEnd(startTime, admissionKind);
       } catch (err) {
         Log.error(err);

diff --git a/src/lib/controller/store.ts b/src/lib/controller/store.ts
@@ -31,7 +31,7 @@ export class PeprControllerStore {
       for (const { name, registerScheduleStore, hasSchedule } of capabilities) {
         // Guard Clause to exit  early
         if (hasSchedule !== true) {
-          return;
+          continue;
         }
         // Register the scheduleStore with the capability
         const { scheduleStore } = registerScheduleStore();