Customization

This document outlines how to customize the build output through Helm overrides and package.json configurations.

Redact Store Values from Logs

By default, store values are displayed in logs. To redact them, set the PEPR_STORE_REDACT_VALUES environment variable to true in the package.json file or directly on the Watcher or Admission Deployment. The default value is undefined.

{
  "env": {
    "PEPR_STORE_REDACT_VALUES": "true"
  }
}

Display Node Warnings

You can display warnings in the logs by setting the PEPR_NODE_WARNINGS environment variable to true in the package.json file or directly on the Watcher or Admission Deployment. The default value is undefined.

{
  "env": {
    "PEPR_NODE_WARNINGS": "true"
  }
}

Customizing Log Format

The log format can be customized by setting the PINO_TIME_STAMP environment variable in the package.json file or directly on the Watcher or Admission Deployment. The default value is a partial JSON timestamp string representation of the time. If set to iso, the timestamp is displayed in an ISO format.

Caution: attempting to format time in-process will significantly impact logging performance.

{
  "env": {
    "PINO_TIME_STAMP": "iso"
  }
}

With ISO:

{"level":30,"time":"2024-05-14T14:26:03.788Z","pid":16,"hostname":"pepr-static-test-7f4d54b6cc-9lxm6","method":"GET","url":"/healthz","status":200,"duration":"1 ms"}

Default (without):

{"level":30,"time":"1715696764106","pid":16,"hostname":"pepr-static-test-watcher-559d94447f-xkq2h","method":"GET","url":"/healthz","status":200,"duration":"1 ms"}
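Because in-process formatting slows logging, the timestamp can instead be converted where the logs are consumed. The following is an added example, not part of Pepr or of the original page; the function name normalizePeprLogTime is hypothetical. It accepts both formats shown above and returns the entry with an ISO timestamp.

```javascript
// Added example, not part of Pepr: convert the "time" field downstream of the logger.
function normalizePeprLogTime(line) {
  let entry;
  try {
    entry = JSON.parse(line);
  } catch {
    return null; // not a JSON log line
  }
  if (entry === null || typeof entry !== "object") return null;
  const raw = entry.time;
  // Default format: epoch milliseconds emitted as a string of digits.
  // With PINO_TIME_STAMP=iso the value is already an ISO string.
  const ms = /^\d+$/.test(String(raw)) ? Number(raw) : Date.parse(raw);
  // Reject missing, unparseable or out-of-range timestamps.
  if (!Number.isFinite(ms) || Math.abs(ms) > 8.64e15) return null;
  return { ...entry, time: new Date(ms).toISOString() };
}

// The two sample log lines shown on this page.
const isoLine = '{"level":30,"time":"2024-05-14T14:26:03.788Z","pid":16,"hostname":"pepr-static-test-7f4d54b6cc-9lxm6","method":"GET","url":"/healthz","status":200,"duration":"1 ms"}';
const defaultLine = '{"level":30,"time":"1715696764106","pid":16,"hostname":"pepr-static-test-watcher-559d94447f-xkq2h","method":"GET","url":"/healthz","status":200,"duration":"1 ms"}';

for (const line of [isoLine, defaultLine, "not json"]) {
  const entry = normalizePeprLogTime(line);
  console.log(entry ? entry.time : "skipped");
}
```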

Customizing Watch Configuration

The Watch configuration is the part of the Pepr module that lets you watch for specific resources in the Kubernetes cluster. It can be customized through specific environment variables of the Watcher Deployment, which can be set in the field in the package.json or in the helm values.yaml file.

| Field | Description | Example Values |
| --- | --- | --- |
| PEPR_RESYNC_FAILURE_MAX | The maximum number of times to fail on a resync interval before re-establishing the watch URL and doing a relist. | default: "5" |
| PEPR_RETRY_DELAY_SECONDS | The delay between retries in seconds. | default: "10" |
| PEPR_LAST_SEEN_LIMIT_SECONDS | Max seconds to go without receiving a watch event before re-establishing the watch | default: "300" (5 mins) |
| PEPR_RELIST_INTERVAL_SECONDS | Amount of seconds to wait before a relist of the watched resources | default: "600" (10 mins) |

Configuring Reconcile

The Reconcile Action allows you to maintain ordering of resource updates processed by a Pepr controller. The Reconcile configuration can be customized via an environment variable on the Watcher Deployment, which can be set in the package.json or in the helm values.yaml file.

| Field | Description | Example Values |
| --- | --- | --- |
| PEPR_RECONCILE_STRATEGY | How Pepr should order resource updates being Reconcile()’d. | default: "kind" |

| Available Options | Description |
| --- | --- |
| kind | separate queues of events for Reconcile()’d resources of a kind |
| kindNs | separate queues of events for Reconcile()’d resources of a kind, within a namespace |
| kindNsName | separate queues of events for Reconcile()’d resources of a kind, within a namespace, per name |
| global | a single queue of events for all Reconcile()’d resources |

Customizing with Helm

Below are the available Helm override configurations after you have built your Pepr module that you can put in the values.yaml.

Helm Overrides Table

| Parameter | Description | Example Values |
| --- | --- | --- |
| secrets.apiToken | Kube API-Server Token. | Buffer.from(apiToken).toString("base64") |
| hash | Unique hash for deployment. Do not change. | <your_hash> |
| namespace.annotations | Namespace annotations | {} |
| namespace.labels | Namespace labels | {"pepr.dev": ""} |
| uuid | Unique identifier for the module | hub-operator |
| admission.* | Admission controller configurations | Various, see subparameters below |
| watcher.* | Watcher configurations | Various, see subparameters below |

Admission and Watcher Subparameters

| Subparameter | Description |
| --- | --- |
| failurePolicy | Webhook failure policy [Ignore, Fail] |
| webhookTimeout | Timeout seconds for webhooks [1 - 30] |
| env | Container environment variables |
| image | Container image |
| annotations | Deployment annotations |
| labels | Deployment labels |
| securityContext | Pod security context |
| readinessProbe | Pod readiness probe definition |
| livenessProbe | Pod liveness probe definition |
| resources | Resource limits |
| containerSecurityContext | Container’s security context |
| nodeSelector | Node selection constraints |
| tolerations | Tolerations to taints |
| affinity | Node scheduling options |
| terminationGracePeriodSeconds | Optional duration in seconds the pod needs to terminate gracefully |

Note: Replace * within admission.* or watcher.* to apply settings specific to the desired subparameter (e.g. admission.failurePolicy).

Customizing with package.json

Below are the available configurations through package.json.

package.json Configurations Table

| Field | Description | Example Values |
| --- | --- | --- |
| uuid | Unique identifier for the module | hub-operator |
| onError | Behavior of the webhook failure policy | audit, ignore, reject |
| webhookTimeout | Webhook timeout in seconds | 1 - 30 |
| customLabels | Custom labels for namespaces | {namespace: {}} |
| alwaysIgnore | Conditions to always ignore | {namespaces: []} |
| includedFiles | For working with WebAssembly | ["main.wasm", "wasm_exec.js"] |
| env | Environment variables for the container | {LOG_LEVEL: "warn"} |
| rbac | Custom RBAC rules (requires building with rbacMode: scoped) | {"rbac": [{"apiGroups": ["<apiGroups>"], "resources": ["<resources>"], "verbs": ["<verbs>"]}]} |
| rbacMode | Configures module to build binding RBAC with principle of least privilege | scoped, admin |

These tables provide a comprehensive overview of the fields available for customization within the Helm overrides and the package.json file. Modify these according to your deployment requirements.

Example Custom RBAC Rules

The following example demonstrates how to add custom RBAC rules to the Pepr module.

{
  "pepr": {
    "rbac": [
      {
        "apiGroups": ["pepr.dev"],
        "resources": ["customresources"],
        "verbs": ["get", "list"]
      },
      {
        "apiGroups": ["apps"],
        "resources": ["deployments"],
        "verbs": ["create", "delete"]
      }
    ]
  }
}
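A pre-build check can catch package.json settings that fall outside the values listed in the tables above, or that weaken the scoped RBAC and log redaction options. The following is an added example, not Pepr's own code or part of the original page: the function lintPeprConfig is hypothetical, it assumes env sits beside rbac under the pepr key and that webhookTimeout is a JSON number, and the wildcard check is an added least-privilege policy rather than a Pepr rule.

```javascript
// Added example, not Pepr's own code: lint the "pepr" block of a package.json.
const ALLOWED = { onError: ["audit", "ignore", "reject"], rbacMode: ["scoped", "admin"] };
const STRATEGIES = ["kind", "kindNs", "kindNsName", "global"];
const NUMERIC_ENV = ["PEPR_RESYNC_FAILURE_MAX", "PEPR_RETRY_DELAY_SECONDS",
  "PEPR_LAST_SEEN_LIMIT_SECONDS", "PEPR_RELIST_INTERVAL_SECONDS"];

function lintPeprConfig(pkg) {
  const pepr = (pkg && pkg.pepr) || {};
  const env = pepr.env || {}; // assumption: env sits beside rbac under "pepr"
  const findings = [];
  for (const [field, values] of Object.entries(ALLOWED)) {
    if (field in pepr && !values.includes(pepr[field]))
      findings.push(`${field}: "${pepr[field]}" is not one of ${values.join(", ")}`);
  }
  const timeout = pepr.webhookTimeout; // assumption: stored as a JSON number
  if (timeout !== undefined && !(Number.isInteger(timeout) && timeout >= 1 && timeout <= 30))
    findings.push("webhookTimeout: must be an integer from 1 to 30");
  if (env.PEPR_STORE_REDACT_VALUES !== "true")
    findings.push('env.PEPR_STORE_REDACT_VALUES: not "true", store values appear in logs');
  const strategy = env.PEPR_RECONCILE_STRATEGY;
  if (strategy !== undefined && !STRATEGIES.includes(strategy))
    findings.push(`env.PEPR_RECONCILE_STRATEGY: "${strategy}" is not a listed option`);
  for (const name of NUMERIC_ENV) {
    if (name in env && !/^\d+$/.test(String(env[name])))
      findings.push(`env.${name}: expected a string of digits`);
  }
  const rules = pepr.rbac || [];
  if (rules.length > 0 && pepr.rbacMode !== "scoped")
    findings.push('rbac: custom rules require rbacMode "scoped"');
  rules.forEach((rule, i) => {
    for (const key of ["apiGroups", "resources", "verbs"]) {
      const list = rule[key];
      if (!Array.isArray(list) || list.length === 0)
        findings.push(`rbac[${i}].${key}: must be a non-empty array`);
      else if (list.includes("*")) // added policy check, not a Pepr rule
        findings.push(`rbac[${i}].${key}: wildcard "*" is broader than least privilege`);
    }
  });
  return findings;
}

// Constructed sample: this page's RBAC rules, with one verb list widened to "*".
const samplePackageJson = { pepr: {
  onError: "reject", webhookTimeout: 45, rbacMode: "admin",
  env: { PEPR_RETRY_DELAY_SECONDS: "ten" },
  rbac: [{ apiGroups: ["pepr.dev"], resources: ["customresources"], verbs: ["get", "list"] },
    { apiGroups: ["apps"], resources: ["deployments"], verbs: ["*"] }],
} };
console.log(lintPeprConfig(samplePackageJson).join("\n"));
```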