chore: address pr comments

Signed-off-by: Case Wylie <cmwylie19@defenseunicorns.com>

docs/030_user-guide/120_customization.md

@@ -127,13 +127,13 @@ Below are the available configurations through `package.json`.
 |------------------|----------------------------------------|---------------------------------|
 | `uuid`           | Unique identifier for the module       | `hub-operator`                  |
 | `onError`        | Behavior of the webhook failure policy | `reject`, `ignore`              |
-| `rbacMode`       | Configures module to build binding RBAC with principal of least privilege | `scoped`, `admin` |
 | `webhookTimeout` | Webhook timeout in seconds             | `1` - `30`                      |
 | `customLabels`   | Custom labels for namespaces           | `{namespace: {}}`               |
-| `alwaysIgnore`   | Conditions to always ignore            | `{namespaces: []}`  |
+| `alwaysIgnore`   | Conditions to always ignore            | `{namespaces: []}`              |
 | `includedFiles`  | For working with WebAssembly           | ["main.wasm", "wasm_exec.js"]   |
 | `env`            | Environment variables for the container| `{LOG_LEVEL: "warn"}`           |
-| `rbac`          | Custom RBAC rules                    | `{"rbac": [{"apiGroups": ["<apiGroups>"], "resources": ["<resources>"], "verbs": ["<verbs>"]}]}` |
+| `rbac`           | Custom RBAC rules (requires building with `rbacMode: scoped`)            | `{"rbac": [{"apiGroups": ["<apiGroups>"], "resources": ["<resources>"], "verbs": ["<verbs>"]}]}` |
+| `rbacMode`       | Configures module to build binding RBAC with principal of least privilege | `scoped`, `admin` |
 
 These tables provide a comprehensive overview of the fields available for customization within the Helm overrides and the `package.json` file. Modify these according to your deployment requirements.
 

jest.config.json

@@ -3,5 +3,6 @@
   "testEnvironment": "node",
   "collectCoverage": true,
   "coverageReporters": ["json", "lcov", "text", "clover"],
+  "coveragePathIgnorePatterns": ["<rootDir>/src/cli/"],
   "forceExit": true
 }

journey/entrypoint-wasm.test.ts

@@ -1,16 +1,32 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-import {  describe, jest } from "@jest/globals";
-
+import { beforeAll, describe, jest } from "@jest/globals";
+import { promises as fs } from "fs";
 import { peprBuild } from "./pepr-build-wasm";
-
+import { resolve } from "path";
+import { cwd } from "./entrypoint.test";
 
 // Unmock unit test things
 jest.deepUnmock("pino");
 
-
 // Allow 5 minutes for the tests to run
 jest.setTimeout(1000 * 60 * 5);
+export const outputDir = "dist/pepr-test-module/child/folder";
+beforeAll(async () => {
+  await fs.mkdir(outputDir, { recursive: true });
+  await addScopedRbacMode();
+});
+describe(
+  "Journey: `npx pepr build -r gchr.io/defenseunicorns -o dist/pepr-test-module/child/folder`",
+  peprBuild,
+);
 
-describe("Journey: `npx pepr build -r gchr.io/defenseunicorns --rbac-mode scoped -o dist/pepr-test-module/child/folder`", peprBuild);
+// Set rbacMode in the Pepr Module Config and write it back to disk
+async function addScopedRbacMode() {
+  const packageJson = await fs.readFile(resolve(cwd, "package.json"), "utf8");
+  const packageJsonObj = JSON.parse(packageJson);
+  console.log(JSON.stringify(packageJsonObj.pepr));
+  packageJsonObj.pepr.rbacMode = "scoped";
+  await fs.writeFile(resolve(cwd, "package.json"), JSON.stringify(packageJsonObj, null, 2));
+}

journey/pepr-build-wasm.ts

@@ -8,17 +8,10 @@ import { promises as fs } from "fs";
 import { resolve } from "path";
 import yaml from "js-yaml";
 import { cwd } from "./entrypoint.test";
+import { outputDir } from "./entrypoint-wasm.test";
 
-// test npx pepr build -o dst
-const outputDir = "dist/pepr-test-module/child/folder";
 export function peprBuild() {
-  it("should build artifacts in the dst folder", async () => {
-    await fs.mkdir(outputDir, { recursive: true });
-  });
-
   it("should successfully build the Pepr project with arguments and rbacMode scoped", async () => {
-    // Set rbacMode in the Pepr Module Config of the package.json.
-    await addScopedRbacMode();
     execSync(`npx pepr build -r gchr.io/defenseunicorns -o ${outputDir}`, {
       cwd: cwd,
       stdio: "inherit",
@@ -84,15 +77,6 @@ async function validateZarfYaml() {
   expect(actualZarfYaml).toEqual(expectedZarfYaml);
 }
 
-// Set rbacMode in the Pepr Module Config and write it back to disk
-async function addScopedRbacMode() {
-  const packageJson = await fs.readFile(resolve(cwd, "package.json"), "utf8");
-  const packageJsonObj = JSON.parse(packageJson);
-  console.log(JSON.stringify(packageJsonObj.pepr));
-  packageJsonObj.pepr.rbacMode = "scoped";
-  await fs.writeFile(resolve(cwd, "package.json"), JSON.stringify(packageJsonObj, null, 2));
-}
-
 async function validateClusterRoleYaml(validateChart: boolean = false) {
   // Read the generated yaml files
   const k8sYaml = await fs.readFile(

src/cli/build.ts

@@ -11,14 +11,9 @@ import { dependencies, version } from "./init/templates";
 import { RootCmd } from "./root";
 import { peprFormat } from "./format";
 import { Option } from "commander";
-import {
-  createDirectoryIfNotExists,
-  validateCapabilityNames,
-  parseTimeout,
-  determineRbacMode,
-} from "../lib/helpers";
+import { createDirectoryIfNotExists, validateCapabilityNames, parseTimeout } from "../lib/helpers";
 import { sanitizeResourceName } from "../sdk/sdk";
-
+import { determineRbacMode } from "../lib/cli-helpers/build";
 const peprTS = "pepr.ts";
 let outputDir: string = "dist";
 export type Reloader = (opts: BuildResult<BuildOptions>) => void | Promise<void>;

src/lib/cli-helpers/build.test.ts

@@ -0,0 +1,36 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { determineRbacMode } from "./build";
+
+import { expect, describe, test } from "@jest/globals";
+
+describe("determineRbacMode", () => {
+  test("should allow CLI options to overwrite module config", () => {
+    const opts = { rbacMode: "admin" };
+    const cfg = { pepr: { rbacMode: "scoped" } };
+    const result = determineRbacMode(opts, cfg);
+    expect(result).toBe("admin");
+  });
+
+  test('should return "admin" when cfg.pepr.rbacMode is provided and not "scoped"', () => {
+    const opts = {};
+    const cfg = { pepr: { rbacMode: "admin" } };
+    const result = determineRbacMode(opts, cfg);
+    expect(result).toBe("admin");
+  });
+
+  test('should return "scoped" when cfg.pepr.rbacMode is "scoped"', () => {
+    const opts = {};
+    const cfg = { pepr: { rbacMode: "scoped" } };
+    const result = determineRbacMode(opts, cfg);
+    expect(result).toBe("scoped");
+  });
+
+  test("should default to admin when neither option is provided", () => {
+    const opts = {};
+    const cfg = { pepr: {} };
+    const result = determineRbacMode(opts, cfg);
+    expect(result).toBe("admin");
+  });
+});

src/lib/cli-helpers/build.ts

@@ -0,0 +1,15 @@
+// determineRbacMode determines the RBAC mode to use based on the cli and the module's config
+export function determineRbacMode(opts: { rbacMode?: string }, cfg: { pepr: { rbacMode?: string } }): string {
+  // CLI overrides the module's config
+  if (opts.rbacMode) {
+    return opts.rbacMode;
+  }
+
+  // if rbacMode is defined and not scoped, return admin
+  if (cfg.pepr.rbacMode && cfg.pepr.rbacMode !== "scoped") {
+    return "admin";
+  }
+
+  // if nothing is defined return admin, else return scoped
+  return cfg.pepr.rbacMode || "admin";
+}

src/lib/helpers.test.ts

@@ -23,7 +23,6 @@ import {
   validateHash,
   validateCapabilityNames,
   ValidationError,
-  determineRbacMode,
 } from "./helpers";
 import { sanitizeResourceName } from "../sdk/sdk";
 import * as fc from "fast-check";
@@ -1485,33 +1484,3 @@ describe("matchesRegex", () => {
     expect(result).toBe(false);
   });
 });
-
-describe("determineRbacMode", () => {
-  test("should allow CLI options to overwrite module config", () => {
-    const opts = { rbacMode: "admin" };
-    const cfg = { pepr: { rbacMode: "scoped" } };
-    const result = determineRbacMode(opts, cfg);
-    expect(result).toBe("admin");
-  });
-
-  test('should return "admin" when cfg.pepr.rbacMode is provided and not "scoped"', () => {
-    const opts = {};
-    const cfg = { pepr: { rbacMode: "admin" } };
-    const result = determineRbacMode(opts, cfg);
-    expect(result).toBe("admin");
-  });
-
-  test('should return "scoped" when cfg.pepr.rbacMode is "scoped"', () => {
-    const opts = {};
-    const cfg = { pepr: { rbacMode: "scoped" } };
-    const result = determineRbacMode(opts, cfg);
-    expect(result).toBe("scoped");
-  });
-
-  test("should default to admin when neither option is provided", () => {
-    const opts = {};
-    const cfg = { pepr: {} };
-    const result = determineRbacMode(opts, cfg);
-    expect(result).toBe("admin");
-  });
-});

src/lib/helpers.ts

@@ -394,19 +394,3 @@ export function replaceString(str: string, stringA: string, stringB: string) {
   const regExp = new RegExp(escapedStringA, "g");
   return str.replace(regExp, stringB);
 }
-
-// determineRbacMode determines the RBAC mode to use based on the cli and the module's config
-export function determineRbacMode(opts: { rbacMode?: string }, cfg: { pepr: { rbacMode?: string } }): string {
-  // CLI overrides the module's config
-  if (opts.rbacMode) {
-    return opts.rbacMode;
-  }
-
-  // if rbacMode is defined and not scoped, return admin
-  if (cfg.pepr.rbacMode && cfg.pepr.rbacMode !== "scoped") {
-    return "admin";
-  }
-
-  // if nothing is defined return admin, else return scoped
-  return cfg.pepr.rbacMode || "admin";
-}