pepr 0.0.0-development

package/src/lib/assets/deploy.ts

@@ -0,0 +1,122 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import crypto from "crypto";
+import { promises as fs } from "fs";
+import { K8s, kind } from "kubernetes-fluent-client";
+
+import { Assets } from ".";
+import Log from "../logger";
+import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking";
+import { deployment, moduleSecret, namespace, watcher } from "./pods";
+import { clusterRole, clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";
+import { peprStoreCRD } from "./store";
+import { webhookConfig } from "./webhooks";
+import { CapabilityExport } from "../types";
+
+export async function deploy(assets: Assets, force: boolean, webhookTimeout?: number) {
+  Log.info("Establishing connection to Kubernetes");
+
+  const { name, host, path } = assets;
+
+  Log.info("Applying pepr-system namespace");
+  await K8s(kind.Namespace).Apply(namespace(assets.config.customLabels?.namespace));
+
+  // Create the mutating webhook configuration if it is needed
+  const mutateWebhook = await webhookConfig(assets, "mutate", webhookTimeout);
+  if (mutateWebhook) {
+    Log.info("Applying mutating webhook");
+    await K8s(kind.MutatingWebhookConfiguration).Apply(mutateWebhook, { force });
+  } else {
+    Log.info("Mutating webhook not needed, removing if it exists");
+    await K8s(kind.MutatingWebhookConfiguration).Delete(name);
+  }
+
+  // Create the validating webhook configuration if it is needed
+  const validateWebhook = await webhookConfig(assets, "validate", webhookTimeout);
+  if (validateWebhook) {
+    Log.info("Applying validating webhook");
+    await K8s(kind.ValidatingWebhookConfiguration).Apply(validateWebhook, { force });
+  } else {
+    Log.info("Validating webhook not needed, removing if it exists");
+    await K8s(kind.ValidatingWebhookConfiguration).Delete(name);
+  }
+
+  Log.info("Applying the Pepr Store CRD if it doesn't exist");
+  await K8s(kind.CustomResourceDefinition).Apply(peprStoreCRD, { force });
+
+  // If a host is specified, we don't need to deploy the rest of the resources
+  if (host) {
+    return;
+  }
+
+  const code = await fs.readFile(path);
+  const hash = crypto.createHash("sha256").update(code).digest("hex");
+
+  if (code.length < 1) {
+    throw new Error("No code provided");
+  }
+
+  await setupRBAC(name, assets.capabilities, force);
+  await setupController(assets, code, hash, force);
+  await setupWatcher(assets, hash, force);
+}
+
+async function setupRBAC(name: string, capabilities: CapabilityExport[], force: boolean) {
+  Log.info("Applying cluster role binding");
+  const crb = clusterRoleBinding(name);
+  await K8s(kind.ClusterRoleBinding).Apply(crb, { force });
+
+  Log.info("Applying cluster role");
+  const cr = clusterRole(name, capabilities);
+  await K8s(kind.ClusterRole).Apply(cr, { force });
+
+  Log.info("Applying service account");
+  const sa = serviceAccount(name);
+  await K8s(kind.ServiceAccount).Apply(sa, { force });
+
+  Log.info("Applying store role");
+  const role = storeRole(name);
+  await K8s(kind.Role).Apply(role, { force });
+
+  Log.info("Applying store role binding");
+  const roleBinding = storeRoleBinding(name);
+  await K8s(kind.RoleBinding).Apply(roleBinding, { force });
+}
+
+async function setupController(assets: Assets, code: Buffer, hash: string, force: boolean) {
+  const { name } = assets;
+
+  Log.info("Applying module secret");
+  const mod = moduleSecret(name, code, hash);
+  await K8s(kind.Secret).Apply(mod, { force });
+
+  Log.info("Applying controller service");
+  const svc = service(name);
+  await K8s(kind.Service).Apply(svc, { force });
+
+  Log.info("Applying TLS secret");
+  const tls = tlsSecret(name, assets.tls);
+  await K8s(kind.Secret).Apply(tls, { force });
+
+  Log.info("Applying API token secret");
+  const apiToken = apiTokenSecret(name, assets.apiToken);
+  await K8s(kind.Secret).Apply(apiToken, { force });
+
+  Log.info("Applying deployment");
+  const dep = deployment(assets, hash, assets.buildTimestamp);
+  await K8s(kind.Deployment).Apply(dep, { force });
+}
+
+async function setupWatcher(assets: Assets, hash: string, force: boolean) {
+  // If the module has a watcher, deploy it
+  const watchDeployment = watcher(assets, hash, assets.buildTimestamp);
+  if (watchDeployment) {
+    Log.info("Applying watcher deployment");
+    await K8s(kind.Deployment).Apply(watchDeployment, { force });
+
+    Log.info("Applying watcher service");
+    const watchSvc = watcherService(assets.name);
+    await K8s(kind.Service).Apply(watchSvc, { force });
+  }
+}

package/src/lib/assets/destroy.ts

@@ -0,0 +1,33 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { K8s, kind } from "kubernetes-fluent-client";
+
+import Log from "../logger";
+import { peprStoreCRD } from "./store";
+
+export async function destroyModule(name: string) {
+  const namespace = "pepr-system";
+
+  Log.info("Destroying Pepr module");
+
+  await Promise.all([
+    K8s(kind.MutatingWebhookConfiguration).Delete(name),
+    K8s(kind.ValidatingWebhookConfiguration).Delete(name),
+
+    K8s(kind.CustomResourceDefinition).Delete(peprStoreCRD),
+    K8s(kind.ClusterRoleBinding).Delete(name),
+    K8s(kind.ClusterRole).Delete(name),
+    K8s(kind.ServiceAccount, { namespace }).Delete(name),
+    K8s(kind.Role, { namespace }).Delete(name),
+    K8s(kind.RoleBinding, { namespace }).Delete(`${name}-store`),
+
+    K8s(kind.Secret, { namespace }).Delete(`${name}-module`),
+    K8s(kind.Service, { namespace }).Delete(name),
+    K8s(kind.Secret, { namespace }).Delete(`${name}-tls`),
+    K8s(kind.Secret, { namespace }).Delete(`${name}-api-token`),
+    K8s(kind.Deployment, { namespace }).Delete(name),
+    K8s(kind.Deployment, { namespace }).Delete(`${name}-watcher`),
+    K8s(kind.Service, { namespace }).Delete(`${name}-watcher`),
+  ]);
+}

package/src/lib/assets/helm.ts

@@ -0,0 +1,219 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+export function nsTemplate() {
+  return `
+    apiVersion: v1
+    kind: Namespace
+    metadata:
+        name: pepr-system
+        {{- if .Values.namespace.annotations }}
+        annotations:
+            {{- toYaml .Values.namespace.annotations | nindent 6 }}
+        {{- end }}
+        {{- if .Values.namespace.labels }}
+        labels:
+            {{- toYaml .Values.namespace.labels | nindent 6 }}
+        {{- end }}
+    `;
+}
+
+export function chartYaml(name: string, description?: string) {
+  return `
+    apiVersion: v2
+    name: ${name}
+    description: ${description || ""}
+
+    # A chart can be either an 'application' or a 'library' chart.
+    #
+    # Application charts are a collection of templates that can be packaged into versioned archives
+    # to be deployed.
+    #
+    # Library charts provide useful utilities or functions for the chart developer. They're included as
+    # a dependency of application charts to inject those utilities and functions into the rendering
+    # pipeline. Library charts do not define any templates and therefore cannot be deployed.
+    type: application
+
+    # This is the chart version. This version number should be incremented each time you make changes
+    # to the chart and its templates, including the app version.
+    # Versions are expected to follow Semantic Versioning (https://semver.org/)
+    version: 0.1.0
+
+    # This is the version number of the application being deployed. This version number should be
+    # incremented each time you make changes to the application. Versions are not expected to
+    # follow Semantic Versioning. They should reflect the version the application is using.
+    # It is recommended to use it with quotes.
+    appVersion: "1.16.0"
+`;
+}
+
+export function watcherDeployTemplate(buildTimestamp: string) {
+  return `
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: {{ .Values.uuid }}-watcher
+        namespace: pepr-system
+        annotations:
+          {{- toYaml .Values.watcher.annotations | nindent 4 }}
+        labels:
+          {{- toYaml .Values.watcher.labels | nindent 4 }}
+      spec:
+        replicas: 1
+        strategy:
+          type: Recreate
+        selector:
+          matchLabels:
+            app: {{ .Values.uuid }}-watcher
+            pepr.dev/controller: watcher
+        template:
+          metadata:
+            annotations: 
+              buildTimestamp: "${buildTimestamp}"
+              {{- if .Values.watcher.podAnnotations }}
+              {{- toYaml .Values.watcher.podAnnotations | nindent 8 }}
+              {{- end }}
+            labels:
+              app: {{ .Values.uuid }}-watcher
+              pepr.dev/controller: watcher
+          spec:
+            terminationGracePeriodSeconds: {{ .Values.watcher.terminationGracePeriodSeconds }}
+            serviceAccountName: {{ .Values.uuid }}
+            securityContext:
+              {{- toYaml .Values.admission.securityContext | nindent 8 }}
+            containers:
+              - name: watcher
+                image: {{ .Values.watcher.image }}
+                imagePullPolicy: IfNotPresent
+                command:
+                  - node
+                  - /app/node_modules/pepr/dist/controller.js
+                  - {{ .Values.hash }}
+                readinessProbe:
+                  httpGet:
+                    path: /healthz
+                    port: 3000
+                    scheme: HTTPS
+                livenessProbe:
+                  httpGet:
+                    path: /healthz
+                    port: 3000
+                    scheme: HTTPS
+                ports:
+                  - containerPort: 3000
+                resources:
+                  {{- toYaml .Values.watcher.resources | nindent 12 }}
+                env:
+                  {{- toYaml .Values.watcher.env | nindent 12 }}
+                securityContext:
+                  {{- toYaml .Values.watcher.containerSecurityContext | nindent 12 }}
+                volumeMounts:
+                  - name: tls-certs
+                    mountPath: /etc/certs
+                    readOnly: true
+                  - name: module
+                    mountPath: /app/load
+                    readOnly: true
+                  {{- if .Values.watcher.extraVolumeMounts }}
+                  {{- toYaml .Values.watcher.extraVolumeMounts | nindent 12 }}
+                  {{- end }}
+            volumes:
+              - name: tls-certs
+                secret:
+                  secretName: {{ .Values.uuid }}-tls
+              - name: module
+                secret:
+                  secretName: {{ .Values.uuid }}-module
+              {{- if .Values.watcher.extraVolumes }}
+              {{- toYaml .Values.watcher.extraVolumes | nindent 8 }}
+              {{- end }}
+    `;
+}
+
+export function admissionDeployTemplate(buildTimestamp: string) {
+  return `
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: {{ .Values.uuid }}
+        namespace: pepr-system
+        annotations:
+          {{- toYaml .Values.admission.annotations | nindent 4 }}
+        labels:
+          {{- toYaml .Values.admission.labels | nindent 4 }}
+      spec:
+        replicas: 2
+        selector:
+          matchLabels:
+            app: {{ .Values.uuid }}
+            pepr.dev/controller: admission
+        template:
+          metadata:
+            annotations:
+              buildTimestamp: "${buildTimestamp}"
+              {{- if .Values.admission.podAnnotations }}
+              {{- toYaml .Values.admission.podAnnotations | nindent 8 }}
+              {{- end }}
+            labels:
+              app: {{ .Values.uuid }}
+              pepr.dev/controller: admission
+          spec:
+            terminationGracePeriodSeconds: {{ .Values.admission.terminationGracePeriodSeconds }}
+            priorityClassName: system-node-critical
+            serviceAccountName: {{ .Values.uuid }}
+            securityContext:
+              {{- toYaml .Values.admission.securityContext | nindent 8 }}
+            containers:
+              - name: server
+                image: {{ .Values.admission.image }}
+                imagePullPolicy: IfNotPresent
+                command:
+                  - node
+                  - /app/node_modules/pepr/dist/controller.js
+                  - {{ .Values.hash }}
+                readinessProbe:
+                  httpGet:
+                    path: /healthz
+                    port: 3000
+                    scheme: HTTPS
+                livenessProbe:
+                  httpGet:
+                    path: /healthz
+                    port: 3000
+                    scheme: HTTPS
+                ports:
+                  - containerPort: 3000
+                resources:
+                  {{- toYaml .Values.admission.resources | nindent 12 }}
+                env:
+                  {{- toYaml .Values.admission.env | nindent 12 }}
+                securityContext:
+                  {{- toYaml .Values.admission.containerSecurityContext | nindent 12 }}
+                volumeMounts:
+                  - name: tls-certs
+                    mountPath: /etc/certs
+                    readOnly: true
+                  - name: api-token
+                    mountPath: /app/api-token
+                    readOnly: true
+                  - name: module
+                    mountPath: /app/load
+                    readOnly: true
+                  {{- if .Values.admission.extraVolumeMounts }}
+                  {{- toYaml .Values.admission.extraVolumeMounts | nindent 12 }}
+                  {{- end }}
+            volumes:
+              - name: tls-certs
+                secret:
+                  secretName: {{ .Values.uuid }}-tls
+              - name: api-token
+                secret:
+                  secretName: {{ .Values.uuid }}-api-token
+              - name: module
+                secret:
+                  secretName: {{ .Values.uuid }}-module  
+              {{- if .Values.admission.extraVolumes }}
+              {{- toYaml .Values.admission.extraVolumes | nindent 8 }}
+              {{- end }}
+    `;
+}

package/src/lib/assets/index.ts

@@ -0,0 +1,175 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import crypto from "crypto";
+import { dumpYaml } from "@kubernetes/client-node";
+import { ModuleConfig } from "../module";
+import { TLSOut, genTLS } from "../tls";
+import { CapabilityExport } from "../types";
+import { WebhookIgnore } from "../k8s";
+import { deploy } from "./deploy";
+import { loadCapabilities } from "./loader";
+import { allYaml, zarfYaml, overridesFile, zarfYamlChart } from "./yaml";
+import { namespaceComplianceValidator, replaceString } from "../helpers";
+import { createDirectoryIfNotExists, dedent } from "../helpers";
+import { resolve } from "path";
+import { chartYaml, nsTemplate, admissionDeployTemplate, watcherDeployTemplate } from "./helm";
+import { promises as fs } from "fs";
+import { webhookConfig } from "./webhooks";
+import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking";
+import { watcher, moduleSecret } from "./pods";
+
+import { clusterRole, clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";
+export class Assets {
+  readonly name: string;
+  readonly tls: TLSOut;
+  readonly apiToken: string;
+  readonly alwaysIgnore!: WebhookIgnore;
+  capabilities!: CapabilityExport[];
+
+  image: string;
+  buildTimestamp: string;
+  hash: string;
+
+  constructor(
+    readonly config: ModuleConfig,
+    readonly path: string,
+    readonly host?: string,
+  ) {
+    this.name = `pepr-${config.uuid}`;
+    this.buildTimestamp = `${Date.now()}`;
+    this.alwaysIgnore = config.alwaysIgnore;
+    this.image = `ghcr.io/defenseunicorns/pepr/controller:v${config.peprVersion}`;
+    this.hash = "";
+    // Generate the ephemeral tls things
+    this.tls = genTLS(this.host || `${this.name}.pepr-system.svc`);
+
+    // Generate the api token for the controller / webhook
+    this.apiToken = crypto.randomBytes(32).toString("hex");
+  }
+
+  setHash = (hash: string) => {
+    this.hash = hash;
+  };
+
+  deploy = async (force: boolean, webhookTimeout?: number) => {
+    this.capabilities = await loadCapabilities(this.path);
+    await deploy(this, force, webhookTimeout);
+  };
+
+  zarfYaml = (path: string) => zarfYaml(this, path);
+
+  zarfYamlChart = (path: string) => zarfYamlChart(this, path);
+
+  allYaml = async (rbacMode: string) => {
+    this.capabilities = await loadCapabilities(this.path);
+    // give error if namespaces are not respected
+    for (const capability of this.capabilities) {
+      namespaceComplianceValidator(capability, this.alwaysIgnore.namespaces);
+    }
+
+    return allYaml(this, rbacMode);
+  };
+
+  generateHelmChart = async (basePath: string) => {
+    const CHART_DIR = `${basePath}/${this.config.uuid}-chart`;
+    const CHAR_TEMPLATES_DIR = `${CHART_DIR}/templates`;
+    const valuesPath = resolve(CHART_DIR, `values.yaml`);
+    const chartPath = resolve(CHART_DIR, `Chart.yaml`);
+    const nsPath = resolve(CHAR_TEMPLATES_DIR, `namespace.yaml`);
+    const watcherSVCPath = resolve(CHAR_TEMPLATES_DIR, `watcher-service.yaml`);
+    const admissionSVCPath = resolve(CHAR_TEMPLATES_DIR, `admission-service.yaml`);
+    const mutationWebhookPath = resolve(CHAR_TEMPLATES_DIR, `mutation-webhook.yaml`);
+    const validationWebhookPath = resolve(CHAR_TEMPLATES_DIR, `validation-webhook.yaml`);
+    const admissionDeployPath = resolve(CHAR_TEMPLATES_DIR, `admission-deployment.yaml`);
+    const watcherDeployPath = resolve(CHAR_TEMPLATES_DIR, `watcher-deployment.yaml`);
+    const tlsSecretPath = resolve(CHAR_TEMPLATES_DIR, `tls-secret.yaml`);
+    const apiTokenSecretPath = resolve(CHAR_TEMPLATES_DIR, `api-token-secret.yaml`);
+    const moduleSecretPath = resolve(CHAR_TEMPLATES_DIR, `module-secret.yaml`);
+    const storeRolePath = resolve(CHAR_TEMPLATES_DIR, `store-role.yaml`);
+    const storeRoleBindingPath = resolve(CHAR_TEMPLATES_DIR, `store-role-binding.yaml`);
+    const clusterRolePath = resolve(CHAR_TEMPLATES_DIR, `cluster-role.yaml`);
+    const clusterRoleBindingPath = resolve(CHAR_TEMPLATES_DIR, `cluster-role-binding.yaml`);
+    const serviceAccountPath = resolve(CHAR_TEMPLATES_DIR, `service-account.yaml`);
+
+    // create helm chart
+    try {
+      // create chart dir
+      await createDirectoryIfNotExists(CHART_DIR);
+
+      // create charts dir
+      await createDirectoryIfNotExists(`${CHART_DIR}/charts`);
+
+      // create templates dir
+      await createDirectoryIfNotExists(`${CHAR_TEMPLATES_DIR}`);
+
+      // create values file
+      await overridesFile(this, valuesPath);
+
+      // create the chart.yaml
+      await fs.writeFile(chartPath, dedent(chartYaml(this.config.uuid, this.config.description || "")));
+
+      // create the namespace.yaml in templates
+      await fs.writeFile(nsPath, dedent(nsTemplate()));
+
+      const code = await fs.readFile(this.path);
+
+      await fs.writeFile(watcherSVCPath, dumpYaml(watcherService(this.name), { noRefs: true }));
+      await fs.writeFile(admissionSVCPath, dumpYaml(service(this.name), { noRefs: true }));
+      await fs.writeFile(tlsSecretPath, dumpYaml(tlsSecret(this.name, this.tls), { noRefs: true }));
+      await fs.writeFile(apiTokenSecretPath, dumpYaml(apiTokenSecret(this.name, this.apiToken), { noRefs: true }));
+      await fs.writeFile(moduleSecretPath, dumpYaml(moduleSecret(this.name, code, this.hash), { noRefs: true }));
+      await fs.writeFile(storeRolePath, dumpYaml(storeRole(this.name), { noRefs: true }));
+      await fs.writeFile(storeRoleBindingPath, dumpYaml(storeRoleBinding(this.name), { noRefs: true }));
+      await fs.writeFile(
+        clusterRolePath,
+        dumpYaml(clusterRole(this.name, this.capabilities, "rbac"), { noRefs: true }),
+      );
+      await fs.writeFile(clusterRoleBindingPath, dumpYaml(clusterRoleBinding(this.name), { noRefs: true }));
+      await fs.writeFile(serviceAccountPath, dumpYaml(serviceAccount(this.name), { noRefs: true }));
+
+      const mutateWebhook = await webhookConfig(this, "mutate", this.config.webhookTimeout);
+      const validateWebhook = await webhookConfig(this, "validate", this.config.webhookTimeout);
+      const watchDeployment = watcher(this, this.hash, this.buildTimestamp);
+
+      if (validateWebhook || mutateWebhook) {
+        await fs.writeFile(admissionDeployPath, dedent(admissionDeployTemplate(this.buildTimestamp)));
+      }
+
+      if (mutateWebhook) {
+        const yamlMutateWebhook = dumpYaml(mutateWebhook, { noRefs: true });
+        const mutateWebhookTemplate = replaceString(
+          replaceString(
+            replaceString(yamlMutateWebhook, this.name, "{{ .Values.uuid }}"),
+            this.config.onError === "reject" ? "Fail" : "Ignore",
+            "{{ .Values.admission.failurePolicy }}",
+          ),
+          `${this.config.webhookTimeout}` || "10",
+          "{{ .Values.admission.webhookTimeout }}",
+        );
+        await fs.writeFile(mutationWebhookPath, mutateWebhookTemplate);
+      }
+
+      if (validateWebhook) {
+        const yamlValidateWebhook = dumpYaml(validateWebhook, { noRefs: true });
+        const validateWebhookTemplate = replaceString(
+          replaceString(
+            replaceString(yamlValidateWebhook, this.name, "{{ .Values.uuid }}"),
+            this.config.onError === "reject" ? "Fail" : "Ignore",
+            "{{ .Values.admission.failurePolicy }}",
+          ),
+          `${this.config.webhookTimeout}` || "10",
+          "{{ .Values.admission.webhookTimeout }}",
+        );
+        await fs.writeFile(validationWebhookPath, validateWebhookTemplate);
+      }
+
+      if (watchDeployment) {
+        await fs.writeFile(watcherDeployPath, dedent(watcherDeployTemplate(this.buildTimestamp)));
+      }
+    } catch (err) {
+      console.error(`Error generating helm chart: ${err.message}`);
+      process.exit(1);
+    }
+  };
+}

package/src/lib/assets/loader.ts

@@ -0,0 +1,41 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { fork } from "child_process";
+
+import { CapabilityExport } from "../types";
+
+/**
+ * Read the capabilities from the module by running it in build mode
+ * @param path
+ * @returns
+ */
+export function loadCapabilities(path: string): Promise<CapabilityExport[]> {
+  return new Promise((resolve, reject) => {
+    // Fork is needed with the PEPR_MODE env var to ensure the module is loaded in build mode and will send back the capabilities
+    const program = fork(path, {
+      env: {
+        ...process.env,
+        LOG_LEVEL: "warn",
+        PEPR_MODE: "build",
+      },
+    });
+
+    // Wait for the module to send back the capabilities
+    program.on("message", message => {
+      // Cast the message to the ModuleCapabilities type
+      const capabilities = message.valueOf() as CapabilityExport[];
+
+      // Iterate through the capabilities and generate the rules
+      for (const capability of capabilities) {
+        console.info(`Registered Pepr Capability "${capability.name}"`);
+      }
+
+      resolve(capabilities);
+    });
+
+    program.on("error", error => {
+      reject(error);
+    });
+  });
+}

package/src/lib/assets/networking.ts

@@ -0,0 +1,89 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { kind } from "kubernetes-fluent-client";
+
+import { TLSOut } from "../tls";
+
+export function apiTokenSecret(name: string, apiToken: string): kind.Secret {
+  return {
+    apiVersion: "v1",
+    kind: "Secret",
+    metadata: {
+      name: `${name}-api-token`,
+      namespace: "pepr-system",
+    },
+    type: "Opaque",
+    data: {
+      value: Buffer.from(apiToken).toString("base64"),
+    },
+  };
+}
+
+export function tlsSecret(name: string, tls: TLSOut): kind.Secret {
+  return {
+    apiVersion: "v1",
+    kind: "Secret",
+    metadata: {
+      name: `${name}-tls`,
+      namespace: "pepr-system",
+    },
+    type: "kubernetes.io/tls",
+    data: {
+      "tls.crt": tls.crt,
+      "tls.key": tls.key,
+    },
+  };
+}
+
+export function service(name: string): kind.Service {
+  return {
+    apiVersion: "v1",
+    kind: "Service",
+    metadata: {
+      name,
+      namespace: "pepr-system",
+      labels: {
+        "pepr.dev/controller": "admission",
+      },
+    },
+    spec: {
+      selector: {
+        app: name,
+        "pepr.dev/controller": "admission",
+      },
+      ports: [
+        {
+          port: 443,
+          targetPort: 3000,
+        },
+      ],
+    },
+  };
+}
+
+export function watcherService(name: string): kind.Service {
+  return {
+    apiVersion: "v1",
+    kind: "Service",
+    metadata: {
+      name: `${name}-watcher`,
+      namespace: "pepr-system",
+      labels: {
+        "pepr.dev/controller": "watcher",
+      },
+    },
+    spec: {
+      selector: {
+        app: `${name}-watcher`,
+        "pepr.dev/controller": "watcher",
+      },
+      ports: [
+        {
+          port: 443,
+          targetPort: 3000,
+        },
+      ],
+    },
+  };
+}