From c3534396cf63890db26ac4a17217e538f9030e15 Mon Sep 17 00:00:00 2001 From: Case Wylie Date: Tue, 7 Jan 2025 12:27:56 -0500 Subject: [PATCH 1/7] chore: need unit tests Signed-off-by: Case Wylie --- src/lib/assets/index.ts | 69 ++++++++++++++++++++++++++++++++++------- src/lib/assets/yaml.ts | 1 + 2 files changed, 59 insertions(+), 11 deletions(-) diff --git a/src/lib/assets/index.ts b/src/lib/assets/index.ts index 827a448e1..79f906c0d 100644 --- a/src/lib/assets/index.ts +++ b/src/lib/assets/index.ts @@ -35,20 +35,67 @@ function toYaml(obj: any): string { return dumpYaml(obj, { noRefs: true }); } -function createWebhookYaml( +// Create a unit test for this function +export function removeIgnoredNamespacesFromWebhook( + webhookConfiguration: kind.MutatingWebhookConfiguration | kind.ValidatingWebhookConfiguration, +): kind.MutatingWebhookConfiguration | kind.ValidatingWebhookConfiguration { + if ( + webhookConfiguration.webhooks && + webhookConfiguration.webhooks[0] && + webhookConfiguration.webhooks[0].namespaceSelector && + webhookConfiguration.webhooks[0].namespaceSelector.matchExpressions && + webhookConfiguration.webhooks[0].namespaceSelector.matchExpressions[1] + ) { + webhookConfiguration.webhooks[0].namespaceSelector.matchExpressions[1].values = []; + } + if ( + webhookConfiguration.webhooks && + webhookConfiguration.webhooks[0] && + webhookConfiguration.webhooks[0].objectSelector && + webhookConfiguration.webhooks[0].objectSelector.matchExpressions && + webhookConfiguration.webhooks[0].objectSelector.matchExpressions[1] + ) { + webhookConfiguration.webhooks[0].objectSelector.matchExpressions[1].values = []; + } + return webhookConfiguration; +} + +// Create a unit test for this function +export function createWebhookYaml( assets: Assets, webhookConfiguration: kind.MutatingWebhookConfiguration | kind.ValidatingWebhookConfiguration, ): string { - const yaml = toYaml(webhookConfiguration); - return replaceString( - replaceString( - replaceString(yaml, assets.name, "{{ .Values.uuid }}"), - assets.config.onError === "reject" ? "Fail" : "Ignore", - "{{ .Values.admission.failurePolicy }}", - ), - `${assets.config.webhookTimeout}` || "10", - "{{ .Values.admission.webhookTimeout }}", - ); + const yaml = toYaml(removeIgnoredNamespacesFromWebhook(webhookConfiguration)); + const replacements = [ + { search: assets.name, replace: "{{ .Values.uuid }}" }, + { + search: assets.config.onError === "reject" ? "Fail" : "Ignore", + replace: "{{ .Values.admission.failurePolicy }}", + }, + { + search: `${assets.config.webhookTimeout}` || "10", + replace: "{{ .Values.admission.webhookTimeout }}", + }, + { + search: ` + - key: kubernetes.io/metadata.name + operator: NotIn + values: [] +`, + replace: ` + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - kube-system + - pepr-system + {{- range .Values.additionalIgnoredNamespaces }} + - {{ . }} + {{- end }} +`, + }, + ]; + + return replacements.reduce((updatedYaml, { search, replace }) => replaceString(updatedYaml, search, replace), yaml); } function helmLayout(basePath: string, unique: string): Record> { diff --git a/src/lib/assets/yaml.ts b/src/lib/assets/yaml.ts index 2a66a4a7f..30a908de2 100644 --- a/src/lib/assets/yaml.ts +++ b/src/lib/assets/yaml.ts @@ -19,6 +19,7 @@ export async function overridesFile( const rbacOverrides = clusterRole(name, capabilities, config.rbacMode, config.rbac).rules; const overrides = { + additionalIgnoredNamespaces: config.alwaysIgnore.namespaces || [], rbac: rbacOverrides, secrets: { apiToken: Buffer.from(apiToken).toString("base64"), From 74920c3f8c80d4010bd1e49c067bb3e28f692136 Mon Sep 17 00:00:00 2001 From: Case Wylie Date: Wed, 8 Jan 2025 08:40:40 -0500 Subject: [PATCH 2/7] chore: helm templated parts Signed-off-by: Case Wylie --- src/lib/assets/helm.ts | 8 ++++++++ src/lib/assets/index.ts | 6 ++++-- src/lib/assets/webhooks.ts | 1 + src/lib/assets/yaml.ts | 2 +- 4 files changed, 14 insertions(+), 3 deletions(-) diff --git a/src/lib/assets/helm.ts b/src/lib/assets/helm.ts index 2b65f368a..58ad0f585 100644 --- a/src/lib/assets/helm.ts +++ b/src/lib/assets/helm.ts @@ -115,6 +115,10 @@ export function watcherDeployTemplate(buildTimestamp: string): string { {{- toYaml .Values.watcher.env | nindent 12 }} - name: PEPR_WATCH_MODE value: "true" + {{- if .Values.additionalIgnoredNamespaces }} + - name: PEPR_IGNORED_NAMESPACES + value: "{{ join ", " .Values.additionalIgnoredNamespaces }}" + {{- end }} envFrom: {{- toYaml .Values.watcher.envFrom | nindent 12 }} securityContext: @@ -195,6 +199,10 @@ export function admissionDeployTemplate(buildTimestamp: string): string { {{- toYaml .Values.admission.env | nindent 12 }} - name: PEPR_WATCH_MODE value: "false" + {{- if .Values.additionalIgnoredNamespaces }} + - name: PEPR_IGNORED_NAMESPACES + value: "{{ join ", " .Values.additionalIgnoredNamespaces }}" + {{- end }} envFrom: {{- toYaml .Values.admission.envFrom | nindent 12 }} securityContext: diff --git a/src/lib/assets/index.ts b/src/lib/assets/index.ts index 79f906c0d..8c33be78d 100644 --- a/src/lib/assets/index.ts +++ b/src/lib/assets/index.ts @@ -65,7 +65,7 @@ export function createWebhookYaml( assets: Assets, webhookConfiguration: kind.MutatingWebhookConfiguration | kind.ValidatingWebhookConfiguration, ): string { - const yaml = toYaml(removeIgnoredNamespacesFromWebhook(webhookConfiguration)); + const yaml = toYaml(webhookConfiguration); const replacements = [ { search: assets.name, replace: "{{ .Values.uuid }}" }, { @@ -80,7 +80,9 @@ export function createWebhookYaml( search: ` - key: kubernetes.io/metadata.name operator: NotIn - values: [] + values: + - kube-system + - pepr-system `, replace: ` - key: kubernetes.io/metadata.name diff --git a/src/lib/assets/webhooks.ts b/src/lib/assets/webhooks.ts index 4ac1025d7..e0c565ce8 100644 --- a/src/lib/assets/webhooks.ts +++ b/src/lib/assets/webhooks.ts @@ -19,6 +19,7 @@ const peprIgnoreLabel: V1LabelSelectorRequirement = { values: ["ignore"], }; +// Order matters for helm template, kube-system, then pepr-system const peprIgnoreNamespaces: string[] = ["kube-system", "pepr-system"]; const validateRule = (binding: Binding, isMutateWebhook: boolean): V1RuleWithOperations | undefined => { diff --git a/src/lib/assets/yaml.ts b/src/lib/assets/yaml.ts index 30a908de2..76d4c962f 100644 --- a/src/lib/assets/yaml.ts +++ b/src/lib/assets/yaml.ts @@ -19,7 +19,7 @@ export async function overridesFile( const rbacOverrides = clusterRole(name, capabilities, config.rbacMode, config.rbac).rules; const overrides = { - additionalIgnoredNamespaces: config.alwaysIgnore.namespaces || [], + additionalIgnoredNamespaces: [], rbac: rbacOverrides, secrets: { apiToken: Buffer.from(apiToken).toString("base64"), From 0a9051de36b16eae34a9a25176c6f7849ad8cb0a Mon Sep 17 00:00:00 2001 From: Case Wylie Date: Wed, 8 Jan 2025 08:51:01 -0500 Subject: [PATCH 3/7] chore: remove unneeded function Signed-off-by: Case Wylie --- src/lib/assets/index.ts | 26 -------------------------- 1 file changed, 26 deletions(-) diff --git a/src/lib/assets/index.ts b/src/lib/assets/index.ts index 8c33be78d..8fb8dbdc5 100644 --- a/src/lib/assets/index.ts +++ b/src/lib/assets/index.ts @@ -35,32 +35,6 @@ function toYaml(obj: any): string { return dumpYaml(obj, { noRefs: true }); } -// Create a unit test for this function -export function removeIgnoredNamespacesFromWebhook( - webhookConfiguration: kind.MutatingWebhookConfiguration | kind.ValidatingWebhookConfiguration, -): kind.MutatingWebhookConfiguration | kind.ValidatingWebhookConfiguration { - if ( - webhookConfiguration.webhooks && - webhookConfiguration.webhooks[0] && - webhookConfiguration.webhooks[0].namespaceSelector && - webhookConfiguration.webhooks[0].namespaceSelector.matchExpressions && - webhookConfiguration.webhooks[0].namespaceSelector.matchExpressions[1] - ) { - webhookConfiguration.webhooks[0].namespaceSelector.matchExpressions[1].values = []; - } - if ( - webhookConfiguration.webhooks && - webhookConfiguration.webhooks[0] && - webhookConfiguration.webhooks[0].objectSelector && - webhookConfiguration.webhooks[0].objectSelector.matchExpressions && - webhookConfiguration.webhooks[0].objectSelector.matchExpressions[1] - ) { - webhookConfiguration.webhooks[0].objectSelector.matchExpressions[1].values = []; - } - return webhookConfiguration; -} - -// Create a unit test for this function export function createWebhookYaml( assets: Assets, webhookConfiguration: kind.MutatingWebhookConfiguration | kind.ValidatingWebhookConfiguration, From fb69b89ab61196516e12fb57c0331a6cebe38839 Mon Sep 17 00:00:00 2001 From: Case Wylie Date: Wed, 8 Jan 2025 09:14:07 -0500 Subject: [PATCH 4/7] chore: updates - now read env Signed-off-by: Case Wylie --- HOLD.txt | 1 + src/lib/assets/helm.ts | 4 ++-- src/lib/assets/index.ts | 10 ++++++---- 3 files changed, 9 insertions(+), 6 deletions(-) create mode 100644 HOLD.txt diff --git a/HOLD.txt b/HOLD.txt new file mode 100644 index 000000000..d5e61eb67 --- /dev/null +++ b/HOLD.txt @@ -0,0 +1 @@ +Ignoring Watch Callback: Object carries namespace '' but ignored namespaces include '["pepr-demo-2"]'. diff --git a/src/lib/assets/helm.ts b/src/lib/assets/helm.ts index 58ad0f585..e73574f9f 100644 --- a/src/lib/assets/helm.ts +++ b/src/lib/assets/helm.ts @@ -116,7 +116,7 @@ export function watcherDeployTemplate(buildTimestamp: string): string { - name: PEPR_WATCH_MODE value: "true" {{- if .Values.additionalIgnoredNamespaces }} - - name: PEPR_IGNORED_NAMESPACES + - name: PEPR_ADDITIONAL_IGNORED_NAMESPACES value: "{{ join ", " .Values.additionalIgnoredNamespaces }}" {{- end }} envFrom: @@ -200,7 +200,7 @@ export function admissionDeployTemplate(buildTimestamp: string): string { - name: PEPR_WATCH_MODE value: "false" {{- if .Values.additionalIgnoredNamespaces }} - - name: PEPR_IGNORED_NAMESPACES + - name: PEPR_ADDITIONAL_IGNORED_NAMESPACES value: "{{ join ", " .Values.additionalIgnoredNamespaces }}" {{- end }} envFrom: diff --git a/src/lib/assets/index.ts b/src/lib/assets/index.ts index 7af66410e..c91a98432 100644 --- a/src/lib/assets/index.ts +++ b/src/lib/assets/index.ts @@ -12,19 +12,21 @@ export function toYaml(obj: any): string { return dumpYaml(obj, { noRefs: true }); } +// Unit Test Me!! export function createWebhookYaml( - assets: Assets, + name: string, + config: ModuleConfig, webhookConfiguration: kind.MutatingWebhookConfiguration | kind.ValidatingWebhookConfiguration, ): string { const yaml = toYaml(webhookConfiguration); const replacements = [ - { search: assets.name, replace: "{{ .Values.uuid }}" }, + { search: name, replace: "{{ .Values.uuid }}" }, { - search: assets.config.onError === "reject" ? "Fail" : "Ignore", + search: config.onError === "reject" ? "Fail" : "Ignore", replace: "{{ .Values.admission.failurePolicy }}", }, { - search: `${assets.config.webhookTimeout}` || "10", + search: `${config.webhookTimeout}` || "10", replace: "{{ .Values.admission.webhookTimeout }}", }, { From 3a74d7bc8c4a49109e7b9c514a7909cfa191a32f Mon Sep 17 00:00:00 2001 From: Case Wylie Date: Wed, 8 Jan 2025 09:14:25 -0500 Subject: [PATCH 5/7] chore: updates - now read env Signed-off-by: Case Wylie --- HOLD.txt | 1 - 1 file changed, 1 deletion(-) delete mode 100644 HOLD.txt diff --git a/HOLD.txt b/HOLD.txt deleted file mode 100644 index d5e61eb67..000000000 --- a/HOLD.txt +++ /dev/null @@ -1 +0,0 @@ -Ignoring Watch Callback: Object carries namespace '' but ignored namespaces include '["pepr-demo-2"]'. From e9f213a0868c0dc68adddc8bf19600a956caa38c Mon Sep 17 00:00:00 2001 From: Case Wylie Date: Wed, 8 Jan 2025 12:03:09 -0500 Subject: [PATCH 6/7] chore: finish up Signed-off-by: Case Wylie --- src/lib/assets/index.test.ts | 61 ++++++++++++++++++++++++ src/lib/assets/webhooks.test.ts | 22 +++++++++ src/lib/assets/webhooks.ts | 18 ++++++- src/lib/core/module.ts | 3 +- src/lib/processors/mutate-processor.ts | 3 +- src/lib/processors/validate-processor.ts | 8 +++- 6 files changed, 111 insertions(+), 4 deletions(-) create mode 100644 src/lib/assets/index.test.ts create mode 100644 src/lib/assets/webhooks.test.ts diff --git a/src/lib/assets/index.test.ts b/src/lib/assets/index.test.ts new file mode 100644 index 000000000..0d21faf53 --- /dev/null +++ b/src/lib/assets/index.test.ts @@ -0,0 +1,61 @@ +// SPDX-License-Identifier: Apache-2.0 +// SPDX-FileCopyrightText: 2023-Present The Pepr Authors +import { it, describe, expect } from "@jest/globals"; +import { createWebhookYaml } from "./index"; +import { kind } from "kubernetes-fluent-client"; + +describe("createWebhookYaml", () => { + const webhookConfiguration = new kind.MutatingWebhookConfiguration(); + webhookConfiguration.apiVersion = "admissionregistration.k8s.io/v1"; + webhookConfiguration.kind = "MutatingWebhookConfiguration"; + webhookConfiguration.metadata = { name: "pepr-static-test" }; + webhookConfiguration.webhooks = [ + { + name: "pepr-static-test.pepr.dev", + admissionReviewVersions: ["v1", "v1beta1"], + clientConfig: { + caBundle: "", + service: { + name: "pepr-static-test", + namespace: "pepr-system", + path: "", + }, + }, + failurePolicy: "Fail", + matchPolicy: "Equivalent", + timeoutSeconds: 15, + namespaceSelector: { + matchExpressions: [ + { + key: "kubernetes.io/metadata.name", + operator: "NotIn", + values: ["kube-system", "pepr-system", "something"], + }, + ], + }, + sideEffects: "None", + }, + ]; + + const moduleConfig = { + onError: "reject", + webhookTimeout: 15, + uuid: "some-uuid", + alwaysIgnore: { + namespaces: ["kube-system", "pepr-system"], + }, + }; + + it("replaces placeholders in the YAML correctly", () => { + const result = createWebhookYaml("pepr-static-test", moduleConfig, webhookConfiguration); + console.log(result); + expect(result).toContain("{{ .Values.uuid }}"); + expect(result).toContain("{{ .Values.admission.failurePolicy }}"); + expect(result).toContain("{{ .Values.admission.webhookTimeout }}"); + expect(result).toContain("- pepr-system"); + expect(result).toContain("- kube-system"); + expect(result).toContain("{{- range .Values.additionalIgnoredNamespaces }}"); + expect(result).toContain("{{ . }}"); + expect(result).toContain("{{- end }}"); + }); +}); diff --git a/src/lib/assets/webhooks.test.ts b/src/lib/assets/webhooks.test.ts new file mode 100644 index 000000000..83491493b --- /dev/null +++ b/src/lib/assets/webhooks.test.ts @@ -0,0 +1,22 @@ +// SPDX-License-Identifier: Apache-2.0 +// SPDX-FileCopyrightText: 2023-Present The Pepr Authors +import { it, describe, expect } from "@jest/globals"; +import { resolveIgnoreNamespaces } from "./webhooks"; + +describe("resolveIgnoreNamespaces", () => { + it("should default to empty array ig config is empty", () => { + const result = resolveIgnoreNamespaces(); + expect(result).toEqual([]); + }); + + it("should return the config ignore namespaces if not provided PEPR_ADDITIONAL_IGNORED_NAMESPACES is not provided", () => { + const result = resolveIgnoreNamespaces(["payments", "istio-system"]); + expect(result).toEqual(["payments", "istio-system"]); + }); + + it("should include additionalIgnoredNamespaces when PEPR_ADDITIONAL_IGNORED_NAMESPACES is provided", () => { + process.env.PEPR_ADDITIONAL_IGNORED_NAMESPACES = "uds, project-fox"; + const result = resolveIgnoreNamespaces(["zarf", "lula"]); + expect(result).toEqual(["uds", "project-fox", "zarf", "lula"]); + }); +}); diff --git a/src/lib/assets/webhooks.ts b/src/lib/assets/webhooks.ts index a96ede649..e750a6361 100644 --- a/src/lib/assets/webhooks.ts +++ b/src/lib/assets/webhooks.ts @@ -13,6 +13,7 @@ import { Assets } from "./assets"; import { Event } from "../enums"; import { Binding } from "../types"; +// Order matters for helm template - must be kube-system, then pepr-system const peprIgnoreNamespaces: string[] = ["kube-system", "pepr-system"]; const validateRule = (binding: Binding, isMutateWebhook: boolean): V1RuleWithOperations | undefined => { @@ -39,6 +40,21 @@ const validateRule = (binding: Binding, isMutateWebhook: boolean): V1RuleWithOpe return ruleObject; }; +export function resolveIgnoreNamespaces(ignoredNSConfig: string[] = []): string[] { + const ignoredNSEnv = process.env.PEPR_ADDITIONAL_IGNORED_NAMESPACES; + if (!ignoredNSEnv) { + return ignoredNSConfig; + } + + const namespaces = ignoredNSEnv.split(",").map(ns => ns.trim()); + + // add alwaysIgnore.namespaces to the list + if (ignoredNSConfig) { + namespaces.push(...ignoredNSConfig); + } + return namespaces.filter(ns => ns.length > 0); +} + export async function generateWebhookRules(assets: Assets, isMutateWebhook: boolean): Promise { const { config, capabilities } = assets; @@ -61,7 +77,7 @@ export async function webhookConfig( const ignore: V1LabelSelectorRequirement[] = []; const { name, tls, config, apiToken, host } = assets; - const ignoreNS = concat(peprIgnoreNamespaces, config?.alwaysIgnore?.namespaces || []); + const ignoreNS = concat(peprIgnoreNamespaces, resolveIgnoreNamespaces(config?.alwaysIgnore?.namespaces)); // Add any namespaces to ignore if (ignoreNS) { diff --git a/src/lib/core/module.ts b/src/lib/core/module.ts index 427261a55..dde53af81 100644 --- a/src/lib/core/module.ts +++ b/src/lib/core/module.ts @@ -9,6 +9,7 @@ import { CapabilityExport, AdmissionRequest } from "../types"; import { setupWatch } from "../processors/watch-processor"; import { Log } from "../../lib"; import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node"; +import { resolveIgnoreNamespaces } from "../assets/webhooks"; /** Custom Labels Type for package.json */ export interface CustomLabels { @@ -113,7 +114,7 @@ export class PeprModule { // Wait for the controller to be ready before setting up watches if (isWatchMode() || isDevMode()) { try { - setupWatch(capabilities, pepr?.alwaysIgnore?.namespaces); + setupWatch(capabilities, resolveIgnoreNamespaces(pepr?.alwaysIgnore?.namespaces)); } catch (e) { Log.error(e, "Error setting up watch"); process.exit(1); diff --git a/src/lib/processors/mutate-processor.ts b/src/lib/processors/mutate-processor.ts index bf1ad044c..5cc9f52a0 100644 --- a/src/lib/processors/mutate-processor.ts +++ b/src/lib/processors/mutate-processor.ts @@ -14,6 +14,7 @@ import { ModuleConfig } from "../core/module"; import { PeprMutateRequest } from "../mutate-request"; import { base64Encode, convertFromBase64Map, convertToBase64Map } from "../utils"; import { OnError } from "../../cli/init/enums"; +import { resolveIgnoreNamespaces } from "../assets/webhooks"; export interface Bindable { req: AdmissionRequest; @@ -169,7 +170,7 @@ export async function mutateProcessor( bind.binding, bind.req, bind.namespaces, - bind.config?.alwaysIgnore?.namespaces, + resolveIgnoreNamespaces(bind.config?.alwaysIgnore?.namespaces), ); if (shouldSkip !== "") { Log.debug(shouldSkip); diff --git a/src/lib/processors/validate-processor.ts b/src/lib/processors/validate-processor.ts index ebb98efb9..1fbd7372f 100644 --- a/src/lib/processors/validate-processor.ts +++ b/src/lib/processors/validate-processor.ts @@ -10,6 +10,7 @@ import Log from "../telemetry/logger"; import { convertFromBase64Map } from "../utils"; import { PeprValidateRequest } from "../validate-request"; import { ModuleConfig } from "../core/module"; +import { resolveIgnoreNamespaces } from "../assets/webhooks"; export async function processRequest( binding: Binding, @@ -78,7 +79,12 @@ export async function validateProcessor( } // Continue to the next action without doing anything if this one should be skipped - const shouldSkip = shouldSkipRequest(binding, req, namespaces, config?.alwaysIgnore?.namespaces); + const shouldSkip = shouldSkipRequest( + binding, + req, + namespaces, + resolveIgnoreNamespaces(config?.alwaysIgnore?.namespaces), + ); if (shouldSkip !== "") { Log.debug(shouldSkip); continue; From 2e28cf6910602b509e54d5daa46557826a1e5ccd Mon Sep 17 00:00:00 2001 From: Case Wylie Date: Wed, 8 Jan 2025 13:19:28 -0500 Subject: [PATCH 7/7] chore: updates from review Signed-off-by: Case Wylie --- docs/030_user-guide/120_customization.md | 1 + src/lib/assets/webhooks.test.ts | 10 +++++++++- src/lib/assets/webhooks.ts | 3 +-- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/docs/030_user-guide/120_customization.md b/docs/030_user-guide/120_customization.md index e8576f98c..94126c679 100644 --- a/docs/030_user-guide/120_customization.md +++ b/docs/030_user-guide/120_customization.md @@ -86,6 +86,7 @@ Below are the available Helm override configurations after you have built your P | Parameter | Description | Example Values | |---------------------------------|-------------------------------------------|------------------------------------------------| +| `additionalIgnoredNamespaces` | Namespaces to ignore in addition to alwaysIgnore.namespaces from Pepr config in `package.json`. | `- pepr-playground` | | `secrets.apiToken` | Kube API-Server Token. | `Buffer.from(apiToken).toString("base64")` | | `hash` | Unique hash for deployment. Do not change.| `` | | `namespace.annotations` | Namespace annotations | `{}` | diff --git a/src/lib/assets/webhooks.test.ts b/src/lib/assets/webhooks.test.ts index 83491493b..5872d98be 100644 --- a/src/lib/assets/webhooks.test.ts +++ b/src/lib/assets/webhooks.test.ts @@ -1,7 +1,15 @@ // SPDX-License-Identifier: Apache-2.0 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors import { it, describe, expect } from "@jest/globals"; -import { resolveIgnoreNamespaces } from "./webhooks"; +import { resolveIgnoreNamespaces, peprIgnoreNamespaces } from "./webhooks"; + +describe("peprIgnoreNamespaces", () => { + it("should have order of kube-system, then pepr-system for the helm templating", () => { + expect(peprIgnoreNamespaces).toEqual(["kube-system", "pepr-system"]); + expect(peprIgnoreNamespaces[0]).toEqual("kube-system"); + expect(peprIgnoreNamespaces[1]).toEqual("pepr-system"); + }); +}); describe("resolveIgnoreNamespaces", () => { it("should default to empty array ig config is empty", () => { diff --git a/src/lib/assets/webhooks.ts b/src/lib/assets/webhooks.ts index e750a6361..1443293dd 100644 --- a/src/lib/assets/webhooks.ts +++ b/src/lib/assets/webhooks.ts @@ -13,8 +13,7 @@ import { Assets } from "./assets"; import { Event } from "../enums"; import { Binding } from "../types"; -// Order matters for helm template - must be kube-system, then pepr-system -const peprIgnoreNamespaces: string[] = ["kube-system", "pepr-system"]; +export const peprIgnoreNamespaces: string[] = ["kube-system", "pepr-system"]; const validateRule = (binding: Binding, isMutateWebhook: boolean): V1RuleWithOperations | undefined => { const { event, kind, isMutate, isValidate } = binding;