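import { GenericClass, GroupVersionKind, KubernetesObject } from "kubernetes-fluent-client";
import { Event } from "./enums";
import { WatchPhase } from "kubernetes-fluent-client/dist/fluent/shared-types";
import { Logger } from "pino";
import { PeprMutateRequest } from "./mutate-request";
import { PeprValidateRequest } from "./validate-request";
import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
import { WebhookIgnore, MutateResponse, ValidateResponse } from "./k8s";
import { AdmissionRequest, ValidateActionResponse } from "./common-types";

// NOTE(review): the type-argument lists below (`<T extends GenericClass>`, `Record<string, string>`,
// `Partial<ModuleConfigOptions>`, ...) were reconstructed from truncated remnants such as
// `MutateAction>` and `Record;`. Verify them against the package's own types.d.ts.

/**
 * Specifically for deploying images with a private registry.
 *
 * `auths` is keyed by registry server; each entry carries the credentials for that registry.
 * Every field except `email` is credential material, so keep instances out of logs, error
 * messages and committed files.
 */
export interface ImagePullSecret {
  auths: {
    [server: string]: {
      username: string;
      password: string;
      email: string;
      // NOTE(review): presumably the base64-encoded `username:password` pair, as in a Docker
      // config JSON document. That is an encoding, not encryption. Confirm.
      auth: string;
    };
  };
}

/**
 * Specifically for parsing logs in monitor mode.
 */
export interface ResponseItem {
  uid?: string;
  /** Whether the logged admission response allowed the request. */
  allowed: boolean;
  status: {
    message: string;
  };
}

export interface CapabilityCfg {
  /**
   * The name of the capability. This should be unique.
   */
  name: string;
  /**
   * A description of the capability and what it does.
   */
  description: string;
  /**
   * List of namespaces that this capability applies to, if empty, applies to all namespaces (cluster-wide).
   * This does not supersede the `alwaysIgnore` global configuration.
   *
   * Leaving this unset therefore widens the capability to every namespace; list namespaces
   * explicitly when the capability is only meant for some of them.
   */
  namespaces?: string[];
}

export interface CapabilityExport extends CapabilityCfg {
  /** Bindings registered by the capability. */
  bindings: Binding[];
  hasSchedule: boolean;
  /** Optional RBAC policy rules carried with the capability. */
  rbac?: PolicyRule[];
}

export type WhenSelector<T extends GenericClass> = {
  /** Register an action to be executed when a Kubernetes resource is created or updated. */
  IsCreatedOrUpdated: () => BindingAll<T>;
  /** Register an action to be executed when a Kubernetes resource is created. */
  IsCreated: () => BindingAll<T>;
  /** Register an action to be executed when a Kubernetes resource is updated. */
  IsUpdated: () => BindingAll<T>;
  /** Register an action to be executed when a Kubernetes resource is deleted. */
  IsDeleted: () => BindingAll<T>;
};

/** Filter values collected by the `With*` / `In*` builder methods for one binding. */
export type Filters = {
  annotations: Record<string, string>;
  deletionTimestamp: boolean;
  labels: Record<string, string>;
  name: string;
  namespaces: string[];
  // The builder methods accept RegExp values, but the patterns are held here as strings.
  regexName: string;
  regexNamespaces: string[];
};

/** One registered action: the event and resource kind it targets, its filters and its callbacks. */
export type Binding = {
  event: Event;
  isMutate?: boolean;
  isValidate?: boolean;
  isWatch?: boolean;
  isQueue?: boolean;
  isFinalize?: boolean;
  readonly model: GenericClass;
  readonly kind: GroupVersionKind;
  readonly filters: Filters;
  alias?: string;
  readonly mutateCallback?: MutateAction<GenericClass, InstanceType<GenericClass>>;
  readonly validateCallback?: ValidateAction<GenericClass, InstanceType<GenericClass>>;
  readonly watchCallback?: WatchLogAction<GenericClass, InstanceType<GenericClass>>;
  readonly finalizeCallback?: FinalizeAction<GenericClass, InstanceType<GenericClass>>;
};

export type BindingFilter<T extends GenericClass> = CommonActionChain<T> & {
  /**
   * Only apply the action if the resource has the specified label. If no value is specified, the label must exist.
   * Note multiple calls to this method will result in an AND condition. e.g.
   *
   * ```ts
   * When(a.Deployment)
   *   .IsCreated()
   *   .WithLabel("foo", "bar")
   *   .WithLabel("baz", "qux")
   *   .Mutate(...)
   * ```
   *
   * Will only apply the action if the resource has both the `foo=bar` and `baz=qux` labels.
   *
   * A resource that lacks the label is skipped by the action, so a label filter on a
   * `Validate` action leaves unlabelled resources unchecked.
   *
   * @param key Label key that must be present on the resource.
   * @param value Optional value the label must carry.
   */
  WithLabel: (key: string, value?: string) => BindingFilter<T>;
  /**
   * Only apply the action if the resource has the specified annotation. If no value is specified, the annotation must exist.
   * Note multiple calls to this method will result in an AND condition. e.g.
   *
   * ```ts
   * When(a.Deployment)
   *   .IsCreated()
   *   .WithAnnotation("foo", "bar")
   *   .WithAnnotation("baz", "qux")
   *   .Mutate(...)
   * ```
   *
   * Will only apply the action if the resource has both the `foo=bar` and `baz=qux` annotations.
   *
   * @param key Annotation key that must be present on the resource.
   * @param value Optional value the annotation must carry.
   */
  WithAnnotation: (key: string, value?: string) => BindingFilter<T>;
  /** Only apply the action if the resource has a deletionTimestamp. */
  WithDeletionTimestamp: () => BindingFilter<T>;
};

export type BindingWithName<T extends GenericClass> = BindingFilter<T> & {
  /** Only apply the action if the resource name matches the specified name. */
  WithName: (name: string) => BindingFilter<T>;
  /**
   * Only apply the action if the resource name matches the specified regex name.
   *
   * NOTE(review): whether the pattern is applied anchored is not visible in this file. Write
   * `^...$` explicitly when an exact match is intended, so a partial match cannot widen or
   * narrow the set of resources a policy covers.
   */
  WithNameRegex: (name: RegExp) => BindingFilter<T>;
};

export type BindingAll<T extends GenericClass> = BindingWithName<T> & {
  /** Only apply the action if the resource is in one of the specified namespaces. */
  InNamespace: (...namespaces: string[]) => BindingWithName<T>;
  /**
   * Only apply the action if the resource is in one of the specified regex namespaces.
   * The anchoring caveat on `WithNameRegex` applies to these patterns as well.
   */
  InNamespaceRegex: (...namespaces: RegExp[]) => BindingWithName<T>;
};

// The chain types fix the order in which actions can be registered:
// Mutate -> Validate -> Watch/Reconcile -> Finalize. Each step returns a type that only
// exposes the later steps.
export type CommonActionChain<T extends GenericClass> = MutateActionChain<T> & {
  /**
   * Create a new MUTATE action with the specified callback function and previously specified
   * filters.
   *
   * @since 0.13.0
   *
   * @param action The action to be executed when the Kubernetes resource is processed by the AdmissionController.
   */
  Mutate: (action: MutateAction<T, InstanceType<T>>) => MutateActionChain<T>;
  /** Attach an alias to the binding and continue the filter chain. */
  Alias: (alias: string) => BindingFilter<T>;
};

export type ValidateActionChain<T extends GenericClass> = {
  /**
   * Establish a watcher for the specified resource. The callback function will be executed after the admission controller has
   * processed the resource and the request has been persisted to the cluster.
   *
   * Because the callback runs after persistence it cannot reject a resource; use `Validate`
   * for anything that must be enforced at admission time.
   *
   * **Beta Function**: This method is still in early testing and edge cases may still exist.
   *
   * @since 0.14.0
   *
   * @param action Callback that receives the resource, the watch phase and an optional logger.
   * @returns A chain on which `Finalize` can be registered.
   */
  Watch: (action: WatchLogAction<T, InstanceType<T>>) => FinalizeActionChain<T>;
  /**
   * Establish a reconcile for the specified resource. The callback function will be executed after the admission controller has
   * processed the resource and the request has been persisted to the cluster.
   *
   * As with `Watch`, the callback runs after persistence and cannot reject a resource.
   * NOTE(review): how `Reconcile` differs from `Watch` at runtime is not visible in this file. Confirm.
   *
   * **Beta Function**: This method is still in early testing and edge cases may still exist.
   *
   * @since 0.14.0
   *
   * @param action Callback that receives the resource, the watch phase and an optional logger.
   * @returns A chain on which `Finalize` can be registered.
   */
  Reconcile: (action: WatchLogAction<T, InstanceType<T>>) => FinalizeActionChain<T>;
};

export type MutateActionChain<T extends GenericClass> = ValidateActionChain<T> & {
  /**
   * Create a new VALIDATE action with the specified callback function and previously specified
   * filters. Return the `request.Approve()` or `request.Deny()` methods to approve or deny the request:
   *
   * @since 0.13.0
   *
   * @example
   * ```ts
   * When(a.Deployment)
   *   .IsCreated()
   *   .Validate(request => {
   *     if (request.HasLabel("foo")) {
   *       return request.Approve();
   *     }
   *
   *     return request.Deny("Deployment must have label foo");
   *   });
   * ```
   *
   * @param action The action to be executed when the Kubernetes resource is processed by the AdmissionController.
   */
  Validate: (action: ValidateAction<T, InstanceType<T>>) => ValidateActionChain<T>;
};

/** Callback for a MUTATE action; may be synchronous or asynchronous and may return the request. */
export type MutateAction<T extends GenericClass, K extends KubernetesObject = InstanceType<T>> = (
  req: PeprMutateRequest<K>,
  logger?: Logger,
) => Promise<void> | void | Promise<PeprMutateRequest<K>> | PeprMutateRequest<K>;

/** Callback for a VALIDATE action; must produce a `ValidateActionResponse`, directly or via a promise. */
export type ValidateAction<T extends GenericClass, K extends KubernetesObject = InstanceType<T>> = (
  req: PeprValidateRequest<K>,
  logger?: Logger,
) => Promise<ValidateActionResponse> | ValidateActionResponse;

/** Callback for `Watch` / `Reconcile`; receives the resource and the watch phase. */
export type WatchLogAction<T extends GenericClass, K extends KubernetesObject = InstanceType<T>> = (
  update: K,
  phase: WatchPhase,
  logger?: Logger,
) => Promise<void> | void;

/**
 * Callback for `Finalize`.
 *
 * NOTE(review): the meaning of the optional boolean result is not visible in this file
 * (presumably it controls whether the finalizer is released). Confirm.
 */
export type FinalizeAction<T extends GenericClass, K extends KubernetesObject = InstanceType<T>> = (
  update: K,
  logger?: Logger,
) => Promise<boolean | void> | boolean | void;

export type FinalizeActionChain<T extends GenericClass> = {
  /**
   * Establish a finalizer for the specified resource. The callback given will be executed by the watch
   * controller after it has received notification of an update adding a deletionTimestamp.
   *
   * **Beta Function**: This method is still in early testing and edge cases may still exist.
   *
   * @since 0.35.0
   *
   * @param action Callback that receives the resource being deleted and an optional logger.
   * @returns Nothing; `Finalize` ends the chain.
   */
  Finalize: (action: FinalizeAction<T, InstanceType<T>>) => void;
};

/** Custom Labels Type for package.json */
export type CustomLabels =
  | {
      namespace: Record<string, string>;
    }
  | Record<string, never>;

/** Configuration that MAY be set in a Pepr module's package.json. */
export type ModuleConfigOptions = {
  /** The Pepr version this module uses */
  peprVersion: string;
  /** The user-defined version of the module */
  appVersion: string;
  /** A description of the Pepr module and what it does. */
  description: string;
  /**
   * The webhookTimeout
   *
   * NOTE(review): the unit is not stated here (presumably seconds). Confirm.
   */
  webhookTimeout: number;
  /**
   * Reject K8s resource AdmissionRequests on error.
   *
   * This setting decides whether the module fails closed or fails open when it errors. The
   * type is a bare `string`, so a misspelled value is not caught by the compiler; check how
   * the controller treats unrecognised values before relying on it to fail closed.
   */
  onError: string;
  /** Define the log level for the in-cluster controllers */
  logLevel: string;
  /**
   * Propagate env variables to in-cluster controllers
   *
   * These values are set in package.json in plain text; keep credentials out of them.
   */
  env: Record<string, string>;
  /** Custom RBAC rules */
  rbac: PolicyRule[];
  /**
   * The RBAC mode; if "scoped", generates scoped rules, otherwise uses wildcard rules.
   *
   * Per that description only the exact value "scoped" yields scoped rules. Any other string,
   * including a typo, yields wildcard rules, so set it deliberately when least privilege matters.
   */
  rbacMode: string;
  /** Custom Labels for Kubernetes Objects */
  customLabels: CustomLabels;
};

export type AdditionalWebhook = {
  // NOTE(review): presumably forwarded to the Kubernetes webhook `failurePolicy`
  // (`Fail` / `Ignore`). Confirm. `Ignore` admits requests when the webhook cannot be reached.
  failurePolicy: string;
  namespace: string;
};

/** Global configuration for the Pepr runtime. */
export type ModuleConfig = {
  /** A unique identifier for this Pepr module. This is automatically generated by Pepr. */
  uuid: string;
  /**
   * Configure global exclusions that will never be processed by Pepr.
   *
   * Anything matched here bypasses every mutate, validate and watch action in the module,
   * so keep the exclusions as narrow as possible and review changes to them.
   */
  alwaysIgnore: WebhookIgnore;
  /** admission specific ignore */
  admission?: {
    alwaysIgnore: WebhookIgnore;
  };
  /** watch specific ignore */
  watch?: {
    alwaysIgnore: WebhookIgnore;
  };
  /** Additional webhooks config to be used by the module */
  additionalWebhooks?: AdditionalWebhook[];
} & Partial<ModuleConfigOptions>;

export type PackageJSON = {
  description: string;
  pepr: ModuleConfig;
};

export type PeprModuleOptions = {
  // NOTE(review): presumably postpones starting the module's controller. Confirm.
  deferStart?: boolean;
  /**
   * A user-defined callback to pre-process or intercept a Pepr request from K8s immediately before it is processed
   *
   * The hook receives the raw `AdmissionRequest`, which can include the full object under
   * admission (Secret contents, for instance); avoid logging it wholesale.
   */
  beforeHook?: (req: AdmissionRequest) => void;
  /** A user-defined callback to post-process or intercept a Pepr response just before it is returned to K8s */
  afterHook?: (res: MutateResponse | ValidateResponse) => void;
};

// NOTE(review): which of the two forms (`string` or `null`) means "no objection" is not
// visible in this file. Confirm against the code that produces it.
export type AdjudicationResult = string | null;
//# sourceMappingURL=types.d.ts.map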