pepr 0.1.27 → 0.1.28

package/dist/{pepr-cli.js → src/cli/banner.js}

@@ -1,28 +1,6 @@
-#!/usr/bin/env node
-'use strict';
-
-var json = require('@rollup/plugin-json');
-var nodeResolve = require('@rollup/plugin-node-resolve');
-var typescript = require('@rollup/plugin-typescript');
-var fs = require('fs');
-var path = require('path');
-var rollup = require('rollup');
-var types = require('./types-1709b44f.js');
-var clientNode = require('@kubernetes/client-node');
-var zlib = require('zlib');
-var forge = require('node-forge');
-var prompt = require('prompts');
-var child_process = require('child_process');
-var chokidar = require('chokidar');
-var util = require('util');
-var uuid = require('uuid');
-var commander = require('commander');
-
-var version = "0.1.27";
-
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
-const banner = `                                                                                                                                            
+export const banner = `                                                                                                                                            
                                                                                                                                                 
                                                                                                                                                 
                                                                                                                                                 
@@ -87,1231 +65,3 @@ const banner = `    [38;5;
                                                                                                                                                 
                                                                                                                                                 
     `;
-
-const caName = "Pepr Ephemeral CA";
-/**
- * Generates a self-signed CA and server certificate with Subject Alternative Names (SANs) for the K8s webhook.
- *
- * @param {string} name - The name to use for the server certificate's Common Name and SAN DNS entry.
- * @returns {TLSOut} - An object containing the Base64-encoded CA, server certificate, and server private key.
- */
-function genTLS(name) {
-    // Generate a new CA key pair and create a self-signed CA certificate
-    const caKeys = forge.pki.rsa.generateKeyPair(2048);
-    const caCert = genCert(caKeys, caName, [{ name: "commonName", value: caName }]);
-    caCert.setExtensions([
-        {
-            name: "basicConstraints",
-            cA: true,
-        },
-        {
-            name: "keyUsage",
-            keyCertSign: true,
-            digitalSignature: true,
-            nonRepudiation: true,
-            keyEncipherment: true,
-            dataEncipherment: true,
-        },
-    ]);
-    // Generate a new server key pair and create a server certificate signed by the CA
-    const serverKeys = forge.pki.rsa.generateKeyPair(2048);
-    const serverCert = genCert(serverKeys, name, caCert.subject.attributes);
-    // Sign both certificates with the CA private key
-    caCert.sign(caKeys.privateKey, forge.md.sha256.create());
-    serverCert.sign(caKeys.privateKey, forge.md.sha256.create());
-    // Convert the keys and certificates to PEM format
-    const pem = {
-        ca: forge.pki.certificateToPem(caCert),
-        crt: forge.pki.certificateToPem(serverCert),
-        key: forge.pki.privateKeyToPem(serverKeys.privateKey),
-    };
-    // Base64-encode the PEM strings
-    const ca = Buffer.from(pem.ca).toString("base64");
-    const key = Buffer.from(pem.key).toString("base64");
-    const crt = Buffer.from(pem.crt).toString("base64");
-    return { ca, key, crt, pem };
-}
-function genCert(key, name, issuer) {
-    const crt = forge.pki.createCertificate();
-    crt.publicKey = key.publicKey;
-    crt.serialNumber = "01";
-    crt.validity.notBefore = new Date();
-    crt.validity.notAfter = new Date();
-    crt.validity.notAfter.setFullYear(crt.validity.notBefore.getFullYear() + 1);
-    // Add SANs to the server certificate
-    crt.setExtensions([
-        {
-            name: "subjectAltName",
-            altNames: [
-                {
-                    type: 2,
-                    value: name,
-                },
-            ],
-        },
-    ]);
-    // Set the server certificate's issuer to the CA
-    crt.setIssuer(issuer);
-    return crt;
-}
-
-// SPDX-License-Identifier: Apache-2.0
-const peprIgnore = {
-    key: "pepr.dev",
-    operator: "NotIn",
-    values: ["ignore"],
-};
-class Webhook {
-    get tls() {
-        return this._tls;
-    }
-    constructor(config, host) {
-        this.config = config;
-        this.host = host;
-        this.name = `pepr-${config.uuid}`;
-        this.image = `ghcr.io/defenseunicorns/pepr/controller:${config.version}`;
-        // Generate the ephemeral tls things
-        this._tls = genTLS(this.host || `${this.name}.pepr-system.svc`);
-    }
-    /** Generate the pepr-system namespace */
-    namespace() {
-        return {
-            apiVersion: "v1",
-            kind: "Namespace",
-            metadata: { name: "pepr-system" },
-        };
-    }
-    /**
-     * Grants the controller access to cluster resources beyond the mutating webhook.
-     *
-     * @todo: should dynamically generate this based on resources used by the module. will also need to explore how this should work for multiple modules.
-     * @returns
-     */
-    clusterRole() {
-        return {
-            apiVersion: "rbac.authorization.k8s.io/v1",
-            kind: "ClusterRole",
-            metadata: { name: this.name },
-            rules: [
-                {
-                    // @todo: make this configurable
-                    apiGroups: ["*"],
-                    resources: ["*"],
-                    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"],
-                },
-            ],
-        };
-    }
-    clusterRoleBinding() {
-        const name = this.name;
-        return {
-            apiVersion: "rbac.authorization.k8s.io/v1",
-            kind: "ClusterRoleBinding",
-            metadata: { name },
-            roleRef: {
-                apiGroup: "rbac.authorization.k8s.io",
-                kind: "ClusterRole",
-                name,
-            },
-            subjects: [
-                {
-                    kind: "ServiceAccount",
-                    name,
-                    namespace: "pepr-system",
-                },
-            ],
-        };
-    }
-    serviceAccount() {
-        return {
-            apiVersion: "v1",
-            kind: "ServiceAccount",
-            metadata: {
-                name: this.name,
-                namespace: "pepr-system",
-            },
-        };
-    }
-    tlsSecret() {
-        return {
-            apiVersion: "v1",
-            kind: "Secret",
-            metadata: {
-                name: `${this.name}-tls`,
-                namespace: "pepr-system",
-            },
-            type: "kubernetes.io/tls",
-            data: {
-                "tls.crt": this._tls.crt,
-                "tls.key": this._tls.key,
-            },
-        };
-    }
-    mutatingWebhook() {
-        const { name } = this;
-        const ignore = [peprIgnore];
-        // Add any namespaces to ignore
-        if (this.config.alwaysIgnore.namespaces.length > 0) {
-            ignore.push({
-                key: "kubernetes.io/metadata.name",
-                operator: "NotIn",
-                values: this.config.alwaysIgnore.namespaces,
-            });
-        }
-        const clientConfig = {
-            caBundle: this._tls.ca,
-        };
-        // If a host is specified, use that with a port of 3000
-        if (this.host) {
-            clientConfig.url = `https://${this.host}:3000/mutate`;
-        }
-        else {
-            // Otherwise, use the service
-            clientConfig.service = {
-                name: this.name,
-                namespace: "pepr-system",
-                path: "/mutate",
-            };
-        }
-        return {
-            apiVersion: "admissionregistration.k8s.io/v1",
-            kind: "MutatingWebhookConfiguration",
-            metadata: { name },
-            webhooks: [
-                {
-                    name: `${name}.pepr.dev`,
-                    admissionReviewVersions: ["v1", "v1beta1"],
-                    clientConfig,
-                    failurePolicy: "Ignore",
-                    matchPolicy: "Equivalent",
-                    timeoutSeconds: 15,
-                    namespaceSelector: {
-                        matchExpressions: ignore,
-                    },
-                    objectSelector: {
-                        matchExpressions: ignore,
-                    },
-                    // @todo: make this configurable
-                    rules: [
-                        {
-                            apiGroups: ["*"],
-                            apiVersions: ["*"],
-                            operations: ["CREATE", "UPDATE", "DELETE"],
-                            resources: ["*/*"],
-                        },
-                    ],
-                    // @todo: track side effects state
-                    sideEffects: "None",
-                },
-            ],
-        };
-    }
-    deployment() {
-        return {
-            apiVersion: "apps/v1",
-            kind: "Deployment",
-            metadata: {
-                name: this.name,
-                namespace: "pepr-system",
-                labels: {
-                    app: this.name,
-                },
-            },
-            spec: {
-                replicas: 2,
-                selector: {
-                    matchLabels: {
-                        app: this.name,
-                    },
-                },
-                template: {
-                    metadata: {
-                        labels: {
-                            app: this.name,
-                        },
-                    },
-                    spec: {
-                        priorityClassName: "system-node-critical",
-                        serviceAccountName: this.name,
-                        containers: [
-                            {
-                                name: "server",
-                                image: this.image,
-                                imagePullPolicy: "IfNotPresent",
-                                livenessProbe: {
-                                    httpGet: {
-                                        path: "/healthz",
-                                        port: 3000,
-                                        scheme: "HTTPS",
-                                    },
-                                },
-                                ports: [
-                                    {
-                                        containerPort: 3000,
-                                    },
-                                ],
-                                resources: {
-                                    requests: {
-                                        memory: "64Mi",
-                                        cpu: "100m",
-                                    },
-                                    limits: {
-                                        memory: "256Mi",
-                                        cpu: "500m",
-                                    },
-                                },
-                                volumeMounts: [
-                                    {
-                                        name: "tls-certs",
-                                        mountPath: "/etc/certs",
-                                        readOnly: true,
-                                    },
-                                    {
-                                        name: "module",
-                                        mountPath: "/app/module.js.gz",
-                                        readOnly: true,
-                                    },
-                                ],
-                            },
-                        ],
-                        volumes: [
-                            {
-                                name: "tls-certs",
-                                secret: {
-                                    secretName: `${this.name}-tls`,
-                                },
-                            },
-                            {
-                                name: "module",
-                                secret: {
-                                    secretName: `${this.name}-module`,
-                                },
-                            },
-                        ],
-                    },
-                },
-            },
-        };
-    }
-    /** Only permit the  */
-    networkPolicy() {
-        return {
-            apiVersion: "networking.k8s.io/v1",
-            kind: "NetworkPolicy",
-            metadata: {
-                name: this.name,
-                namespace: "pepr-system",
-            },
-            spec: {
-                podSelector: {
-                    matchLabels: {
-                        app: this.name,
-                    },
-                },
-                policyTypes: ["Ingress"],
-                ingress: [
-                    {
-                        from: [
-                            {
-                                namespaceSelector: {
-                                    matchLabels: {
-                                        "kubernetes.io/metadata.name": "kube-system",
-                                    },
-                                },
-                            },
-                        ],
-                        ports: [
-                            {
-                                protocol: "TCP",
-                                port: 443,
-                            },
-                        ],
-                    },
-                ],
-            },
-        };
-    }
-    service() {
-        return {
-            apiVersion: "v1",
-            kind: "Service",
-            metadata: {
-                name: this.name,
-                namespace: "pepr-system",
-            },
-            spec: {
-                selector: {
-                    app: this.name,
-                },
-                ports: [
-                    {
-                        port: 443,
-                        targetPort: 3000,
-                    },
-                ],
-            },
-        };
-    }
-    moduleSecret(data) {
-        // Compress the data
-        const compressed = zlib.gzipSync(data);
-        return {
-            apiVersion: "v1",
-            kind: "Secret",
-            metadata: {
-                name: `${this.name}-module`,
-                namespace: "pepr-system",
-            },
-            type: "Opaque",
-            data: {
-                module: compressed.toString("base64"),
-            },
-        };
-    }
-    zarfYaml(path) {
-        const zarfCfg = {
-            kind: "ZarfPackageConfig",
-            metadata: {
-                name: this.name,
-                description: `Pepr Module: ${this.config.description}`,
-                url: "https://github.com/defenseunicorns/pepr",
-                version: this.config.version,
-            },
-            components: [
-                {
-                    name: "module",
-                    required: true,
-                    manifests: [
-                        {
-                            name: "module",
-                            namespace: "pepr-system",
-                            files: [path],
-                        },
-                    ],
-                    images: [this.image],
-                },
-            ],
-        };
-        return clientNode.dumpYaml(zarfCfg, { noRefs: true });
-    }
-    allYaml(code) {
-        const resources = [
-            this.namespace(),
-            this.networkPolicy(),
-            this.clusterRole(),
-            this.clusterRoleBinding(),
-            this.serviceAccount(),
-            this.tlsSecret(),
-            this.mutatingWebhook(),
-            this.deployment(),
-            this.service(),
-            this.moduleSecret(code),
-        ];
-        // Convert the resources to a single YAML string
-        return resources.map(r => clientNode.dumpYaml(r, { noRefs: true })).join("---\n");
-    }
-    async deploy(code) {
-        types.logger.info("Establishing connection to Kubernetes");
-        const namespace = "pepr-system";
-        // Deploy the resources using the k8s API
-        const kubeConfig = new clientNode.KubeConfig();
-        kubeConfig.loadFromDefault();
-        const coreV1Api = kubeConfig.makeApiClient(clientNode.CoreV1Api);
-        const rbacApi = kubeConfig.makeApiClient(clientNode.RbacAuthorizationV1Api);
-        const appsApi = kubeConfig.makeApiClient(clientNode.AppsV1Api);
-        const admissionApi = kubeConfig.makeApiClient(clientNode.AdmissionregistrationV1Api);
-        const networkApi = kubeConfig.makeApiClient(clientNode.NetworkingV1Api);
-        const ns = this.namespace();
-        try {
-            types.logger.info("Checking for namespace");
-            await coreV1Api.readNamespace(namespace);
-        }
-        catch (e) {
-            types.logger.debug(e.body);
-            types.logger.info("Creating namespace");
-            await coreV1Api.createNamespace(ns);
-        }
-        const netpol = this.networkPolicy();
-        try {
-            types.logger.info("Checking for network policy");
-            await networkApi.readNamespacedNetworkPolicy(netpol.metadata.name, namespace);
-        }
-        catch (e) {
-            types.logger.debug(e.body);
-            types.logger.info("Creating network policy");
-            await networkApi.createNamespacedNetworkPolicy(namespace, netpol);
-        }
-        const wh = this.mutatingWebhook();
-        try {
-            types.logger.info("Creating mutating webhook");
-            await admissionApi.createMutatingWebhookConfiguration(wh);
-        }
-        catch (e) {
-            types.logger.debug(e.body);
-            types.logger.info("Removing and re-creating mutating webhook");
-            await admissionApi.deleteMutatingWebhookConfiguration(wh.metadata.name);
-            await admissionApi.createMutatingWebhookConfiguration(wh);
-        }
-        const crb = this.clusterRoleBinding();
-        try {
-            types.logger.info("Creating cluster role binding");
-            await rbacApi.createClusterRoleBinding(crb);
-        }
-        catch (e) {
-            types.logger.debug(e.body);
-            types.logger.info("Removing and re-creating cluster role binding");
-            await rbacApi.deleteClusterRoleBinding(crb.metadata.name);
-            await rbacApi.createClusterRoleBinding(crb);
-        }
-        const cr = this.clusterRole();
-        try {
-            types.logger.info("Creating cluster role");
-            await rbacApi.createClusterRole(cr);
-        }
-        catch (e) {
-            types.logger.debug(e.body);
-            types.logger.info("Removing and re-creating  the cluster role");
-            try {
-                await rbacApi.deleteClusterRole(cr.metadata.name);
-                await rbacApi.createClusterRole(cr);
-            }
-            catch (e) {
-                types.logger.debug(e.body);
-            }
-        }
-        const sa = this.serviceAccount();
-        try {
-            types.logger.info("Creating service account");
-            await coreV1Api.createNamespacedServiceAccount(namespace, sa);
-        }
-        catch (e) {
-            types.logger.debug(e.body);
-            types.logger.info("Removing and re-creating service account");
-            await coreV1Api.deleteNamespacedServiceAccount(sa.metadata.name, namespace);
-            await coreV1Api.createNamespacedServiceAccount(namespace, sa);
-        }
-        // If a host is specified, we don't need to deploy the rest of the resources
-        if (this.host) {
-            return;
-        }
-        const mod = this.moduleSecret(code);
-        try {
-            types.logger.info("Creating module secret");
-            await coreV1Api.createNamespacedSecret(namespace, mod);
-        }
-        catch (e) {
-            types.logger.debug(e.body);
-            types.logger.info("Removing and re-creating module secret");
-            await coreV1Api.deleteNamespacedSecret(mod.metadata.name, namespace);
-            await coreV1Api.createNamespacedSecret(namespace, mod);
-        }
-        const svc = this.service();
-        try {
-            types.logger.info("Creating service");
-            await coreV1Api.createNamespacedService(namespace, svc);
-        }
-        catch (e) {
-            types.logger.debug(e.body);
-            types.logger.info("Removing and re-creating service");
-            await coreV1Api.deleteNamespacedService(svc.metadata.name, namespace);
-            await coreV1Api.createNamespacedService(namespace, svc);
-        }
-        const tls = this.tlsSecret();
-        try {
-            types.logger.info("Creating TLS secret");
-            await coreV1Api.createNamespacedSecret(namespace, tls);
-        }
-        catch (e) {
-            types.logger.debug(e.body);
-            types.logger.info("Removing and re-creating TLS secret");
-            await coreV1Api.deleteNamespacedSecret(tls.metadata.name, namespace);
-            await coreV1Api.createNamespacedSecret(namespace, tls);
-        }
-        const dep = this.deployment();
-        try {
-            types.logger.info("Creating deployment");
-            await appsApi.createNamespacedDeployment(namespace, dep);
-        }
-        catch (e) {
-            types.logger.debug(e.body);
-            types.logger.info("Removing and re-creating deployment");
-            await appsApi.deleteNamespacedDeployment(dep.metadata.name, namespace);
-            await appsApi.createNamespacedDeployment(namespace, dep);
-        }
-    }
-}
-
-// SPDX-License-Identifier: Apache-2.0
-function build (program) {
-    program
-        .command("build")
-        .description("Build a Pepr Module for deployment")
-        .option("-d, --dir [directory]", "Pepr module directory", ".")
-        .action(async (opts) => {
-        // Build the module
-        const { cfg, path: path$1, uuid } = await buildModule(opts.dir);
-        // Read the compiled module code
-        const code = await fs.promises.readFile(path$1, { encoding: "utf-8" });
-        // Generate a secret for the module
-        const webhook = new Webhook({
-            ...cfg.pepr,
-            description: cfg.description,
-        });
-        const yamlFile = `pepr-module-${uuid}.yaml`;
-        const yamlPath = path.resolve("dist", yamlFile);
-        const yaml = webhook.allYaml(code);
-        const zarfPath = path.resolve("dist", "zarf.yaml");
-        const zarf = webhook.zarfYaml(yamlFile);
-        await fs.promises.writeFile(yamlPath, yaml);
-        await fs.promises.writeFile(zarfPath, zarf);
-        types.logger.debug(`Module compiled successfully at ${path$1}`);
-        types.logger.info(`K8s resource for the module saved to ${yamlPath}`);
-    });
-}
-const externalLibs = [
-    /@kubernetes\/client-node(\/.*)?/,
-    "commander",
-    "express",
-    "fast-json-patch",
-    "pepr",
-    "ramda",
-];
-async function buildModule(moduleDir) {
-    try {
-        // Resolve the path to the module's package.json file
-        const cfgPath = path.resolve(moduleDir, "package.json");
-        const input = path.resolve(moduleDir, "pepr.ts");
-        // Read the module's UUID from the package.json filel
-        const moduleText = await fs.promises.readFile(cfgPath, { encoding: "utf-8" });
-        const cfg = JSON.parse(moduleText);
-        const { uuid } = cfg.pepr;
-        const name = `pepr-${uuid}.js`;
-        // Exit if the module's UUID could not be found
-        if (!uuid) {
-            throw new Error("Could not load the uuid in package.json");
-        }
-        const plugins = [
-            nodeResolve({
-                preferBuiltins: true,
-            }),
-            json(),
-            typescript({
-                tsconfig: "./tsconfig.json",
-                declaration: false,
-                removeComments: true,
-                sourceMap: false,
-                include: ["**/*.ts", "node_modules/pepr/**/*.ts"],
-            }),
-        ];
-        // Build the module using Rollup
-        const bundle = await rollup.rollup({
-            plugins,
-            external: externalLibs,
-            treeshake: true,
-            input,
-        });
-        // Write the module to the dist directory
-        await bundle.write({
-            dir: "dist",
-            format: "cjs",
-            entryFileNames: name,
-        });
-        return {
-            path: path.resolve("dist", name),
-            cfg,
-            uuid,
-        };
-    }
-    catch (e) {
-        // On any other error, exit with a non-zero exit code
-        types.logger.debug(e);
-        types.logger.error(e.message);
-        process.exit(1);
-    }
-}
-
-// SPDX-License-Identifier: Apache-2.0
-// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
-function capability (program) {
-    program
-        .command("new")
-        .description("Create a new Pepr Capability")
-        .option("-d, --dir [directory]", "Pepr module directory", ".")
-        .action(() => {
-        // TODO: Create a new capability
-        console.log("new");
-    });
-}
-
-// SPDX-License-Identifier: Apache-2.0
-function deploy (program) {
-    program
-        .command("deploy")
-        .description("Deploy a Pepr Module")
-        .option("-d, --dir [directory]", "Pepr module directory", ".")
-        .option("-i, --image [image]", "Override the image tag")
-        .option("-f, --force", "Force redeployment")
-        .action(async (opts) => {
-        if (!opts.force) {
-            // Prompt the user to confirm
-            const confirm = await prompt.prompt({
-                type: "confirm",
-                name: "confirm",
-                message: "This will remove and redeploy the module. Continue?",
-            });
-            // Exit if the user doesn't confirm
-            if (!confirm.confirm) {
-                process.exit(0);
-            }
-        }
-        // Build the module
-        const { cfg, path } = await buildModule(opts.dir);
-        // Read the compiled module code
-        const code = await fs.promises.readFile(path, { encoding: "utf-8" });
-        // Generate a secret for the module
-        const webhook = new Webhook({
-            ...cfg.pepr,
-            description: cfg.description,
-        });
-        if (opts.image) {
-            webhook.image = opts.image;
-        }
-        try {
-            await webhook.deploy(code);
-            types.logger.info(`Module deployed successfully`);
-        }
-        catch (e) {
-            types.logger.error(`Error deploying module: ${e}`);
-            process.exit(1);
-        }
-    });
-}
-
-// SPDX-License-Identifier: Apache-2.0
-function dev (program) {
-    program
-        .command("dev")
-        .description("Setup a local webhook development environment")
-        .option("-d, --dir [directory]", "Pepr module directory", ".")
-        .option("-h, --host [host]", "Host to listen on", "host.docker.internal")
-        .action(async (opts) => {
-        // Prompt the user to confirm
-        const confirm = await prompt.prompt({
-            type: "confirm",
-            name: "confirm",
-            message: "This will remove and redeploy the module. Continue?",
-        });
-        // Exit if the user doesn't confirm
-        if (!confirm.confirm) {
-            process.exit(0);
-        }
-        // Build the module
-        const { cfg, path: path$1 } = await buildModule(opts.dir);
-        // Read the compiled module code
-        const code = await fs.promises.readFile(path$1, { encoding: "utf-8" });
-        // Generate a secret for the module
-        const webhook = new Webhook({
-            ...cfg.pepr,
-            description: cfg.description,
-        }, opts.host);
-        // Write the TLS cert and key to disk
-        await fs.promises.writeFile("insecure-tls.crt", webhook.tls.pem.crt);
-        await fs.promises.writeFile("insecure-tls.key", webhook.tls.pem.key);
-        try {
-            await webhook.deploy(code);
-            types.logger.info(`Module deployed successfully`);
-            const moduleFiles = path.resolve(opts.dir, "**", "*.ts");
-            const watcher = chokidar.watch(moduleFiles);
-            const peprTS = path.resolve(opts.dir, "pepr.ts");
-            let program;
-            // Run the module once to start the server
-            runDev(peprTS);
-            // Watch for changes
-            watcher.on("ready", () => {
-                types.logger.info(`Watching for changes in ${moduleFiles}`);
-                watcher.on("all", async (event, path) => {
-                    types.logger.debug({ event, path }, "File changed");
-                    // Kill the running process
-                    if (program) {
-                        program.kill("SIGKILL");
-                    }
-                    // Start the process again
-                    program = runDev(peprTS);
-                });
-            });
-        }
-        catch (e) {
-            types.logger.error(`Error deploying module: ${e}`);
-            process.exit(1);
-        }
-    });
-}
-function runDev(path) {
-    try {
-        const program = child_process.spawn("./node_modules/.bin/ts-node", [path], {
-            env: {
-                ...process.env,
-                SSL_KEY_PATH: "insecure-tls.key",
-                SSL_CERT_PATH: "insecure-tls.crt",
-            },
-        });
-        program.stdout.on("data", data => console.log(data.toString()));
-        program.stderr.on("data", data => console.error(data.toString()));
-        program.on("close", code => {
-            types.logger.info(`Process exited with code ${code}`);
-        });
-        return program;
-    }
-    catch (e) {
-        types.logger.debug(e);
-        types.logger.error(`Error running module: ${e}`);
-        process.exit(1);
-    }
-}
-
-// SPDX-License-Identifier: Apache-2.0
-/**
- * Sanitize a user input name to be used as a pepr module directory name
- *
- * @param name the user input name
- * @returns the sanitized name
- */
-function sanitizeName(name) {
-    // Replace any characters outside of [^a-z0-9-] with "-"
-    let sanitized = name.toLowerCase().replace(/[^a-z0-9-]+/gi, "-");
-    // Remove any leading or trailing hyphens
-    sanitized = sanitized.replace(/^-+|-+$/g, "");
-    // Replace multiple hyphens with a single hyphen
-    sanitized = sanitized.replace(/--+/g, "-");
-    return sanitized;
-}
-/**
- * Creates a directory and throws an error if it already exists
- *
- * @param dir - The directory to create
- */
-async function createDir(dir) {
-    try {
-        await fs.promises.mkdir(dir);
-    }
-    catch (err) {
-        // The directory already exists
-        if (err.code === "EEXIST") {
-            throw new Error(`Directory ${dir} already exists`);
-        }
-        else {
-            throw err;
-        }
-    }
-}
-/**
- * Write data to a file on disk
- * @param path - The path to the file
- * @param data - The data to write
- * @returns A promise that resolves when the file has been written
- */
-function write(path, data) {
-    // If the data is not a string, stringify it
-    if (typeof data !== "string") {
-        data = JSON.stringify(data, null, 2);
-    }
-    return fs.promises.writeFile(path, data);
-}
-
-// SPDX-License-Identifier: Apache-2.0
-function genPeprTS() {
-    return {
-        path: "pepr.ts",
-        data: `import { PeprModule } from "pepr";
-import cfg from "./package.json";
-import { HelloPepr } from "./capabilities/hello-pepr";
-
-/**
- * This is the main entrypoint for the Pepr module. It is the file that is run when the module is started.
- * This is where you register your configurations and capabilities with the module.
- */
-new PeprModule(cfg, [
-  // "HelloPepr" is a demo capability that is included with Pepr. You can remove it if you want.
-  HelloPepr,
-
-  // Your additional capabilities go here
-]);    
-`,
-    };
-}
-function genPkgJSON(opts) {
-    // Generate a random UUID for the module based on the module name
-    const uuid$1 = uuid.v5(opts.name, uuid.v4());
-    // Generate a name for the module based on the module name
-    const name = sanitizeName(opts.name);
-    const data = {
-        name,
-        version: "0.0.1",
-        description: opts.description,
-        keywords: ["pepr", "k8s", "policy-engine", "pepr-module", "security"],
-        pepr: {
-            name: opts.name.trim(),
-            version,
-            uuid: uuid$1,
-            onError: opts.errorBehavior,
-            alwaysIgnore: {
-                namespaces: [],
-                labels: [],
-            },
-        },
-        scripts: {
-            build: "pepr build",
-            start: "pepr test",
-        },
-        dependencies: {
-            pepr: `^${version}`,
-        },
-    };
-    return {
-        data,
-        path: "package.json",
-        print: util.inspect(data, false, 5, true),
-    };
-}
-const tsConfig = {
-    path: "tsconfig.json",
-    data: {
-        compilerOptions: {
-            esModuleInterop: true,
-            lib: ["ES2020"],
-            moduleResolution: "node",
-            resolveJsonModule: true,
-            rootDir: ".",
-            strict: false,
-            target: "ES2020",
-        },
-        include: ["**/*.ts", "node_modules/pepr/**/*.ts"],
-    },
-};
-const gitIgnore = {
-    path: ".gitignore",
-    data: `# Ignore node_modules
-  node_modules
-  dist
-`,
-};
-const prettierRC = {
-    path: ".prettierrc",
-    data: {
-        arrowParens: "avoid",
-        bracketSameLine: false,
-        bracketSpacing: true,
-        embeddedLanguageFormatting: "auto",
-        insertPragma: false,
-        printWidth: 80,
-        quoteProps: "as-needed",
-        requirePragma: false,
-        semi: true,
-        tabWidth: 2,
-        useTabs: false,
-    },
-};
-const readme = {
-    path: "README.md",
-    data: `# Pepr Module
-
-This is a Pepr module. It is a module that can be used with the [Pepr]() framework.
-
-The \`capabilities\` directory contains all the capabilities for this module. By default, 
-a capability is a single typescript file in the format of \`capability-name.ts\` that is 
-imported in the root \`pepr.ts\` file as \`import { HelloPepr } from "./capabilities/hello-pepr";\`. 
-Because this is typescript, you can organize this however you choose, e.g. creating a sub-folder 
-per-capability or common logic in shared files or folders.
-
-Example Structure:
-
-\`\`\`
-Module Root
-├── package.json
-├── pepr.ts
-└── capabilities
-    ├── example-one.ts
-    ├── example-three.ts
-    └── example-two.ts
-\`\`\`
-`,
-};
-const capabilityHelloPeprTS = {
-    path: "hello-pepr.ts",
-    data: `import { Capability, a } from "pepr";
-
-export const HelloPepr = new Capability({
-  name: "hello-pepr",
-  description: "A simple example capability to show how things work.",
-  namespaces: ["pepr-demo"],
-});
-
-// Use the 'When' function to create a new Capability Action
-const { When } = HelloPepr;
-  
-/**
- * This is a single Capability Action. They can be in the same file or put imported from other files.
- * In this exmaple, when a ConfigMap is created with the name \`example-1\`, then add a label and annotation.
- *
- * Equivelant to manually running:
- * \`kubectl label configmap example-1 pepr=was-here\`
- * \`kubectl annotate configmap example-1 pepr.dev=annotations-work-too\`
- */
-When(a.ConfigMap)
-  .IsCreated()
-  .WithName("example-1")
-  .Then(request =>
-    request
-      .SetLabel("pepr", "was-here")
-      .SetAnnotation("pepr.dev", "annotations-work-too")
-  );
-
-/**
- * This Capabiility Action does the exact same changes for example-2, except this time it uses the \`.ThenSet()\` feature.
- * You can stack multiple \`.Then()\` calls, but only a single \`.ThenSet()\`
- */
-When(a.ConfigMap)
-  .IsCreated()
-  .WithName("example-2")
-  .ThenSet({
-    metadata: {
-      labels: {
-        pepr: "was-here",
-      },
-      annotations: {
-        "pepr.dev": "annotations-work-too",
-      },
-    },
-  });
-
-/**
- * This Capability Action combines different styles. Unlike the previous actions, this one will look for any ConfigMap
- * in the \`pepr-demo\` namespace that has the label \`change=by-label\`. Note that all conditions added such as \`WithName()\`,
- * \`WithLabel()\`, \`InNamespace()\`, are ANDs so all conditions must be true for the request to be procssed.
- */
-When(a.ConfigMap)
-  .IsCreated()
-  .WithLabel("change", "by-label")
-  .Then(request => {
-    // The K8s object e are going to mutate
-    const cm = request.Raw;
-
-    // Get the username and uid of the K8s reuest
-    const { username, uid } = request.Request.userInfo;
-
-    // Store some data about the request in the configmap
-    cm.data["username"] = username;
-    cm.data["uid"] = uid;
-
-    // You can still mix other ways of making changes too
-    request.SetAnnotation("pepr.dev", "making-waves");
-  });    
-`,
-};
-const capabilitySnippet = {
-    path: "pepr.code-snippets",
-    data: `{
-  "Create a new Pepr capability": {
-    "prefix": "create pepr capability",
-    "body": [
-      "import { Capability, a } from 'pepr';",
-      "",
-      "export const $\{TM_FILENAME_BASE/(.*)/$\{1:/pascalcase}/} = new Capability({",
-      "\\tname: '$\{TM_FILENAME_BASE}',",
-      "\\tdescription: '$\{1:A brief description of this capability.}',",
-      "\\tnamespaces: [$\{2:}],",
-      "});",
-      "",
-      "// Use the 'When' function to create a new Capability Action",
-      "const { When } = $\{TM_FILENAME_BASE/(.*)/$\{1:/pascalcase}/};",
-      "",
-      "// When(a.<Kind>).Is<Event>().Then(change => change.<changes>",
-      "When($\{3:})"
-    ],
-    "description": "Creates a new Pepr capability with a specified description, and optional namespaces, and adds a When statement for the specified value."
-  }
-}`,
-};
-
-// SPDX-License-Identifier: Apache-2.0
-function walkthrough() {
-    const askName = {
-        type: "text",
-        name: "name",
-        message: "Enter a name for the new Pepr module. This will create a new directory based on the name.\n",
-        validate: async (val) => {
-            try {
-                const name = sanitizeName(val);
-                await fs.promises.access(name, fs.promises.constants.F_OK);
-                return "A directory with this name already exists";
-            }
-            catch (e) {
-                return val.length > 2 || "The name must be at least 3 characters long";
-            }
-        },
-    };
-    const askDescription = {
-        type: "text",
-        name: "description",
-        message: "(Recommended) Enter a description for the new Pepr module.\n",
-    };
-    const askErrorBehavior = {
-        type: "select",
-        name: "errorBehavior",
-        validate: val => types.ErrorBehavior[val],
-        message: "How do you want Pepr to handle errors encountered during K8s operations?",
-        choices: [
-            {
-                title: "Ignore",
-                value: types.ErrorBehavior.ignore,
-                description: "Pepr will continue processing and generate an entry in the Pepr Controller log.",
-                selected: true,
-            },
-            {
-                title: "Log an audit event",
-                value: types.ErrorBehavior.audit,
-                description: "Pepr will continue processing and generate an entry in the Pepr Controller log as well as an audit event in the cluster.",
-            },
-            {
-                title: "Reject the operation",
-                value: types.ErrorBehavior.reject,
-                description: "Pepr will reject the operation and return an error to the client.",
-            },
-        ],
-    };
-    return prompt([askName, askDescription, askErrorBehavior]);
-}
-async function confirm(dirName, packageJSON, peprTSPath) {
-    console.log(`
-  To be generated:
-
-    \x1b[1m${dirName}\x1b[0m
-    ├── \x1b[1m${gitIgnore.path}\x1b[0m
-    ├── \x1b[1m${prettierRC.path}\x1b[0m
-    ├── \x1b[1mcapabilties\x1b[0m
-    |   └── \x1b[1mhello-pepr.ts\x1b[0m     
-    ├── \x1b[1m${packageJSON.path}\x1b[0m
-${packageJSON.print.replace(/^/gm, "    │   ")}
-    ├── \x1b[1m${peprTSPath}\x1b[0m
-    ├── \x1b[1m${readme.path}\x1b[0m
-    └── \x1b[1m${tsConfig.path}\x1b[0m
-      `);
-    const confirm = await prompt({
-        type: "confirm",
-        name: "confirm",
-        message: "Create the new Pepr module?",
-    });
-    return confirm.confirm;
-}
-
-// SPDX-License-Identifier: Apache-2.0
-function init (program) {
-    program
-        .command("init")
-        .description("Initialize a new Pepr Module")
-        .action(async () => {
-        const response = await walkthrough();
-        const dirName = sanitizeName(response.name);
-        const packageJSON = genPkgJSON(response);
-        const peprTS = genPeprTS();
-        const confirmed = await confirm(dirName, packageJSON, peprTS.path);
-        if (confirmed) {
-            console.log("Creating new Pepr module...");
-            try {
-                await createDir(dirName);
-                await createDir(path.resolve(dirName, ".vscode"));
-                await createDir(path.resolve(dirName, "capabilities"));
-                await write(path.resolve(dirName, gitIgnore.path), gitIgnore.data);
-                await write(path.resolve(dirName, prettierRC.path), prettierRC.data);
-                await write(path.resolve(dirName, packageJSON.path), packageJSON.data);
-                await write(path.resolve(dirName, readme.path), readme.data);
-                await write(path.resolve(dirName, tsConfig.path), tsConfig.data);
-                await write(path.resolve(dirName, peprTS.path), peprTS.data);
-                await write(path.resolve(dirName, ".vscode", capabilitySnippet.path), capabilitySnippet.data);
-                await write(path.resolve(dirName, "capabilities", capabilityHelloPeprTS.path), capabilityHelloPeprTS.data);
-                // run npm install from the new directory
-                process.chdir(dirName);
-                child_process.execSync("npm install", {
-                    stdio: "inherit",
-                });
-                console.log(`New Pepr module created at ${dirName}`);
-                console.log(`Open VSCode or your editor of choice in ${dirName} to get started!`);
-            }
-            catch (e) {
-                types.logger.debug(e);
-                types.logger.error(e.message);
-                process.exit(1);
-            }
-        }
-    });
-}
-
-// SPDX-License-Identifier: Apache-2.0
-class RootCmd extends commander.Command {
-    createCommand(name) {
-        const cmd = new commander.Command(name);
-        cmd.option("-l, --log-level [level]", "Log level: debug, info, warn, error", "info");
-        cmd.hook("preAction", run => {
-            types.logger.SetLogLevel(run.opts().logLevel);
-        });
-        return cmd;
-    }
-}
-
-// SPDX-License-Identifier: Apache-2.0
-const exec = util.promisify(child_process.exec);
-function test (program) {
-    program
-        .command("test")
-        .description("Test a Pepr Module locally")
-        .option("-d, --dir [directory]", "Pepr module directory", ".")
-        .option("-w, --watch", "Watch for changes and re-run the test")
-        .action(async (opts) => {
-        types.logger.info("Test Module");
-        await buildAndTest(opts.dir);
-        if (opts.watch) {
-            const moduleFiles = path.resolve(opts.dir, "**", "*.ts");
-            const watcher = chokidar.watch(moduleFiles);
-            watcher.on("ready", () => {
-                types.logger.info(`Watching for changes in ${moduleFiles}`);
-                watcher.on("all", async (event, path) => {
-                    types.logger.debug({ event, path }, "File changed");
-                    await buildAndTest(opts.dir);
-                });
-            });
-        }
-    });
-}
-async function buildAndTest(dir) {
-    const { path } = await buildModule(dir);
-    types.logger.info(`Module built successfully at ${path}`);
-    try {
-        const { stdout, stderr } = await exec(`node ${path}`);
-        console.log(stdout);
-        console.log(stderr);
-    }
-    catch (e) {
-        types.logger.debug(e);
-        types.logger.error(`Error running module: ${e}`);
-        process.exit(1);
-    }
-}
-
-// SPDX-License-Identifier: Apache-2.0
-const program = new RootCmd();
-program
-    .version(version)
-    .description(`Pepr Kubernetes Thingy (v${version})`)
-    .action(() => {
-    if (program.args.length < 1) {
-        console.log(banner);
-        program.help();
-    }
-});
-init(program);
-build(program);
-capability(program);
-test(program);
-deploy(program);
-dev(program);
-program.parse();