pepr 0.1.27 → 0.1.28

package/dist/src/lib/k8s/kinds.js

@@ -0,0 +1,427 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+export const gvkMap = {
+    /**
+     * Represents a K8s ConfigMap resource.
+     * ConfigMap holds configuration data for pods to consume.
+     * @see {@link https://kubernetes.io/docs/concepts/configuration/configmap/}
+     */
+    V1ConfigMap: {
+        kind: "ConfigMap",
+        version: "v1",
+        group: "",
+    },
+    /**
+     * Represents a K8s Endpoints resource.
+     * Endpoints expose a service's IP addresses and ports to other resources.
+     * @see {@link https://kubernetes.io/docs/concepts/services-networking/service/#endpoints}
+     */
+    V1Endpoint: {
+        kind: "Endpoints",
+        version: "v1",
+        group: "",
+    },
+    /**
+     * Represents a K8s LimitRange resource.
+     * LimitRange enforces constraints on the resource consumption of objects in a namespace.
+     * @see {@link https://kubernetes.io/docs/concepts/policy/limit-range/}
+     */
+    V1LimitRange: {
+        kind: "LimitRange",
+        version: "v1",
+        group: "",
+    },
+    /**
+     * Represents a K8s Namespace resource.
+     * Namespace is a way to divide cluster resources between multiple users.
+     * @see {@link https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/}
+     */
+    V1Namespace: {
+        kind: "Namespace",
+        version: "v1",
+        group: "",
+    },
+    /**
+     * Represents a K8s Node resource.
+     * Node is a worker machine in Kubernetes.
+     * @see {@link https://kubernetes.io/docs/concepts/architecture/nodes/}
+     */
+    V1Node: {
+        kind: "Node",
+        version: "v1",
+        group: "",
+    },
+    /**
+     * Represents a K8s PersistentVolumeClaim resource.
+     * PersistentVolumeClaim is a user's request for and claim to a persistent volume.
+     * @see {@link https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims}
+     */
+    V1PersistentVolumeClaim: {
+        kind: "PersistentVolumeClaim",
+        version: "v1",
+        group: "",
+    },
+    /**
+     * Represents a K8s PersistentVolume resource.
+     * PersistentVolume is a piece of storage in the cluster that has been provisioned by an administrator.
+     * @see {@link https://kubernetes.io/docs/concepts/storage/persistent-volumes/}
+     */
+    V1PersistentVolume: {
+        kind: "PersistentVolume",
+        version: "v1",
+        group: "",
+    },
+    /**
+     * Represents a K8s Pod resource.
+     * Pod is the smallest and simplest unit in the Kubernetes object model.
+     * @see {@link https://kubernetes.io/docs/concepts/workloads/pods/}
+     */
+    V1Pod: {
+        kind: "Pod",
+        version: "v1",
+        group: "",
+    },
+    /**
+     * Represents a K8s PodTemplate resource.
+     * PodTemplate is an object that describes the pod that will be created from a higher level abstraction.
+     * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/#pod-template}
+     */
+    V1PodTemplate: {
+        kind: "PodTemplate",
+        version: "v1",
+        group: "",
+    },
+    /**
+     * Represents a K8s ReplicationController resource.
+     * ReplicationController ensures that a specified number of pod replicas are running at any given time.
+     * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/}
+     */
+    V1ReplicationController: {
+        kind: "ReplicationController",
+        version: "v1",
+        group: "",
+    },
+    /**
+     * Represents a K8s ResourceQuota resource.
+     * ResourceQuota provides constraints that limit resource consumption per namespace.
+     * @see {@link https://kubernetes.io/docs/concepts/policy/resource-quotas/}
+     */
+    V1ResourceQuota: {
+        kind: "ResourceQuota",
+        version: "v1",
+        group: "",
+    },
+    /**
+     * Represents a K8s Secret resource.
+     * Secret holds secret data of a certain type.
+     * @see {@link https://kubernetes.io/docs/concepts/configuration/secret/}
+     */
+    V1Secret: {
+        kind: "Secret",
+        version: "v1",
+        group: "",
+    },
+    /**
+     * Represents a K8s ServiceAccount resource.
+     * ServiceAccount is an identity that processes in a pod can use to access the Kubernetes API.
+     * @see {@link https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/}
+     */
+    V1ServiceAccount: {
+        kind: "ServiceAccount",
+        version: "v1",
+        group: "",
+    },
+    /**
+     * Represents a K8s Service resource.
+     * Service is an abstraction which defines a logical set of Pods and a policy by which to access them.
+     * @see {@link https://kubernetes.io/docs/concepts/services-networking/service/}
+     */
+    V1Service: {
+        kind: "Service",
+        version: "v1",
+        group: "",
+    },
+    /**
+     * Represents a K8s MutatingWebhookConfiguration resource.
+     * MutatingWebhookConfiguration configures a mutating admission webhook.
+     * @see {@link https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#configure-admission-webhooks-on-the-fly}
+     */
+    V1MutatingWebhookConfiguration: {
+        kind: "MutatingWebhookConfiguration",
+        version: "v1",
+        group: "admissionregistration.k8s.io",
+    },
+    /**
+     * Represents a K8s ValidatingWebhookConfiguration resource.
+     * ValidatingWebhookConfiguration configures a validating admission webhook.
+     * @see {@link https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#configure-admission-webhooks-on-the-fly}
+     */
+    V1ValidatingWebhookConfiguration: {
+        kind: "ValidatingWebhookConfiguration",
+        version: "v1",
+        group: "admissionregistration.k8s.io",
+    },
+    /**
+     * Represents a K8s CustomResourceDefinition resource.
+     * CustomResourceDefinition is a custom resource in a Kubernetes cluster.
+     * @see {@link https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/}
+     */
+    V1CustomResourceDefinition: {
+        kind: "CustomResourceDefinition",
+        version: "v1",
+        group: "apiextensions.k8s.io",
+    },
+    /**
+     * Represents a K8s APIService resource.
+     * APIService represents a server for a particular API version and group.
+     * @see {@link https://kubernetes.io/docs/tasks/access-kubernetes-api/setup-extension-api-server/}
+     */
+    V1APIService: {
+        kind: "APIService",
+        version: "v1",
+        group: "apiregistration.k8s.io",
+    },
+    /**
+     * Represents a K8s ControllerRevision resource.
+     * ControllerRevision is used to manage the history of a StatefulSet or DaemonSet.
+     * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#revision-history}
+     */
+    V1ControllerRevision: {
+        kind: "ControllerRevision",
+        version: "v1",
+        group: "apps",
+    },
+    /**
+     * Represents a K8s DaemonSet resource.
+     * DaemonSet ensures that all (or some) nodes run a copy of a Pod.
+     * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/}
+     */
+    V1DaemonSet: {
+        kind: "DaemonSet",
+        version: "v1",
+        group: "apps",
+    },
+    /**
+     * Represents a K8s Deployment resource.
+     * Deployment provides declarative updates for Pods and ReplicaSets.
+     * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/deployment/}
+     */
+    V1Deployment: {
+        kind: "Deployment",
+        version: "v1",
+        group: "apps",
+    },
+    /**
+     * Represents a K8s ReplicaSet resource.
+     * ReplicaSet ensures that a specified number of pod replicas are running at any given time.
+     * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/}
+     */
+    V1ReplicaSet: {
+        kind: "ReplicaSet",
+        version: "v1",
+        group: "apps",
+    },
+    /**
+     * Represents a K8s StatefulSet resource.
+     * StatefulSet is used to manage stateful applications.
+     * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/}
+     */
+    V1StatefulSet: {
+        kind: "StatefulSet",
+        version: "v1",
+        group: "apps",
+    },
+    /**
+     * Represents a K8s TokenReview resource.
+     * TokenReview attempts to authenticate a token to a known user.
+     * @see {@link https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#tokenreview-v1-authentication-k8s-io}
+     */
+    V1TokenReview: {
+        kind: "TokenReview",
+        version: "v1",
+        group: "authentication.k8s.io",
+    },
+    /**
+     * Represents a K8s LocalSubjectAccessReview resource.
+     * LocalSubjectAccessReview checks whether a specific user can perform a specific action in a specific namespace.
+     * @see {@link https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#localsubjectaccessreview-v1-authorization-k8s-io}
+     */
+    V1LocalSubjectAccessReview: {
+        kind: "LocalSubjectAccessReview",
+        version: "v1",
+        group: "authorization.k8s.io",
+    },
+    /**
+     * Represents a K8s SelfSubjectAccessReview resource.
+     * SelfSubjectAccessReview checks whether the current user can perform a specific action.
+     * @see {@link https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#selfsubjectaccessreview-v1-authorization-k8s-io}
+     */
+    V1SelfSubjectAccessReview: {
+        kind: "SelfSubjectAccessReview",
+        version: "v1",
+        group: "authorization.k8s.io",
+    },
+    /**
+     * Represents a K8s SelfSubjectRulesReview resource.
+     * SelfSubjectRulesReview lists the permissions a specific user has within a namespace.
+     * @see {@link https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#selfsubjectrulesreview-v1-authorization-k8s-io}
+     */
+    V1SelfSubjectRulesReview: {
+        kind: "SelfSubjectRulesReview",
+        version: "v1",
+        group: "authorization.k8s.io",
+    },
+    /**
+     * Represents a K8s SubjectAccessReview resource.
+     * SubjectAccessReview checks whether a specific user can perform a specific action.
+     * @see {@link https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#subjectaccessreview-v1-authorization-k8s-io}
+     */
+    V1SubjectAccessReview: {
+        kind: "SubjectAccessReview",
+        version: "v1",
+        group: "authorization.k8s.io",
+    },
+    /**
+     * Represents a K8s HorizontalPodAutoscaler resource.
+     * HorizontalPodAutoscaler automatically scales the number of Pods in a replication controller, deployment, or replica set.
+     * @see {@link https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/}
+     */
+    V1HorizontalPodAutoscaler: {
+        kind: "HorizontalPodAutoscaler",
+        version: "v2",
+        group: "autoscaling",
+    },
+    /**
+     * Represents a K8s CronJob resource.
+     * CronJob manages time-based jobs, specifically those that run periodically and complete after a successful execution.
+     * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/}
+     */
+    V1CronJob: {
+        kind: "CronJob",
+        version: "v1",
+        group: "batch",
+    },
+    /**
+     * Represents a K8s Job resource.
+     * Job represents the configuration of a single job.
+     * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/job/}
+     */
+    V1Job: {
+        kind: "Job",
+        version: "v1",
+        group: "batch",
+    },
+    /**
+     * Represents a K8s CertificateSigningRequest resource.
+     * CertificateSigningRequest represents a certificate signing request.
+     * @see {@link https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/}
+     */
+    V1CertificateSigningRequest: {
+        kind: "CertificateSigningRequest",
+        version: "v1",
+        group: "certificates.k8s.io",
+    },
+    /**
+     * Represents a K8s EndpointSlice resource.
+     * EndpointSlice represents a scalable set of network endpoints for a Kubernetes Service.
+     * @see {@link https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/}
+     */
+    V1EndpointSlice: {
+        kind: "EndpointSlice",
+        version: "v1",
+        group: "discovery.k8s.io",
+    },
+    /**
+     * Represents a K8s IngressClass resource.
+     * IngressClass represents the class of the Ingress, referenced by the Ingress spec.
+     * @see {@link https://kubernetes.io/docs/concepts/services-networking/ingress/}
+     */
+    V1IngressClass: {
+        kind: "IngressClass",
+        version: "v1",
+        group: "networking.k8s.io",
+    },
+    /**
+     * Represents a K8s Ingress resource.
+     * Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster.
+     * @see {@link https://kubernetes.io/docs/concepts/services-networking/ingress/}
+     */
+    V1Ingress: {
+        kind: "Ingress",
+        version: "v1",
+        group: "networking.k8s.io",
+    },
+    /**
+     * Represents a K8s NetworkPolicy resource.
+     * NetworkPolicy defines a set of rules for how pods communicate with each other.
+     * @see {@link https://kubernetes.io/docs/concepts/services-networking/network-policies/}
+     */
+    V1NetworkPolicy: {
+        kind: "NetworkPolicy",
+        version: "v1",
+        group: "networking.k8s.io",
+    },
+    /**
+     * Represents a K8s RuntimeClass resource.
+     * RuntimeClass is a cluster-scoped resource that surfaces container runtime properties to the control plane.
+     * @see {@link https://kubernetes.io/docs/concepts/containers/runtime-class/}
+     */
+    V1RuntimeClass: {
+        kind: "RuntimeClass",
+        version: "v1",
+        group: "node.k8s.io",
+    },
+    /**
+     * Represents a K8s PodDisruptionBudget resource.
+     * PodDisruptionBudget is an API object that limits the number of pods of a replicated application that are down simultaneously.
+     * @see {@link https://kubernetes.io/docs/concepts/workloads/pods/disruptions/}
+     */
+    V1PodDisruptionBudget: {
+        kind: "PodDisruptionBudget",
+        version: "v1",
+        group: "policy",
+    },
+    /**
+     * Represents a K8s VolumeAttachment resource.
+     * VolumeAttachment captures the intent to attach or detach the specified volume to/from the specified node.
+     * @see {@link https://kubernetes.io/docs/concepts/storage/storage-classes/}
+     */
+    V1VolumeAttachment: {
+        kind: "VolumeAttachment",
+        version: "v1",
+        group: "storage.k8s.io",
+    },
+    /**
+     * Represents a K8s CSIDriver resource.
+     * CSIDriver captures information about a Container Storage Interface (CSI) volume driver.
+     * @see {@link https://kubernetes.io/docs/concepts/storage/volumes/}
+     */
+    V1CSIDriver: {
+        kind: "CSIDriver",
+        version: "v1",
+        group: "storage.k8s.io",
+    },
+    /**
+     * Represents a K8s CSIStorageCapacity resource.
+     * CSIStorageCapacity stores the reported storage capacity of a CSI node or storage class.
+     * @see {@link https://kubernetes.io/docs/concepts/storage/csi/}
+     */
+    V1CSIStorageCapacity: {
+        kind: "CSIStorageCapacity",
+        version: "v1",
+        group: "storage.k8s.io",
+    },
+    /**
+     * Represents a K8s StorageClass resource.
+     * StorageClass is a cluster-scoped resource that provides a way for administrators to describe the classes of storage they offer.
+     * @see {@link https://kubernetes.io/docs/concepts/storage/storage-classes/}
+     */
+    V1StorageClass: {
+        kind: "StorageClass",
+        version: "v1",
+        group: "storage.k8s.io",
+    },
+};
+export function modelToGroupVersionKind(key) {
+    return gvkMap[key];
+}

package/dist/src/lib/k8s/tls.d.ts

@@ -0,0 +1,17 @@
+export interface TLSOut {
+    ca: string;
+    crt: string;
+    key: string;
+    pem: {
+        ca: string;
+        crt: string;
+        key: string;
+    };
+}
+/**
+ * Generates a self-signed CA and server certificate with Subject Alternative Names (SANs) for the K8s webhook.
+ *
+ * @param {string} name - The name to use for the server certificate's Common Name and SAN DNS entry.
+ * @returns {TLSOut} - An object containing the Base64-encoded CA, server certificate, and server private key.
+ */
+export declare function genTLS(name: string): TLSOut;

package/dist/src/lib/k8s/tls.js

@@ -0,0 +1,67 @@
+import forge from "node-forge";
+const caName = "Pepr Ephemeral CA";
+/**
+ * Generates a self-signed CA and server certificate with Subject Alternative Names (SANs) for the K8s webhook.
+ *
+ * @param {string} name - The name to use for the server certificate's Common Name and SAN DNS entry.
+ * @returns {TLSOut} - An object containing the Base64-encoded CA, server certificate, and server private key.
+ */
+export function genTLS(name) {
+    // Generate a new CA key pair and create a self-signed CA certificate
+    const caKeys = forge.pki.rsa.generateKeyPair(2048);
+    const caCert = genCert(caKeys, caName, [{ name: "commonName", value: caName }]);
+    caCert.setExtensions([
+        {
+            name: "basicConstraints",
+            cA: true,
+        },
+        {
+            name: "keyUsage",
+            keyCertSign: true,
+            digitalSignature: true,
+            nonRepudiation: true,
+            keyEncipherment: true,
+            dataEncipherment: true,
+        },
+    ]);
+    // Generate a new server key pair and create a server certificate signed by the CA
+    const serverKeys = forge.pki.rsa.generateKeyPair(2048);
+    const serverCert = genCert(serverKeys, name, caCert.subject.attributes);
+    // Sign both certificates with the CA private key
+    caCert.sign(caKeys.privateKey, forge.md.sha256.create());
+    serverCert.sign(caKeys.privateKey, forge.md.sha256.create());
+    // Convert the keys and certificates to PEM format
+    const pem = {
+        ca: forge.pki.certificateToPem(caCert),
+        crt: forge.pki.certificateToPem(serverCert),
+        key: forge.pki.privateKeyToPem(serverKeys.privateKey),
+    };
+    // Base64-encode the PEM strings
+    const ca = Buffer.from(pem.ca).toString("base64");
+    const key = Buffer.from(pem.key).toString("base64");
+    const crt = Buffer.from(pem.crt).toString("base64");
+    return { ca, key, crt, pem };
+}
+function genCert(key, name, issuer) {
+    const crt = forge.pki.createCertificate();
+    crt.publicKey = key.publicKey;
+    crt.serialNumber = "01";
+    crt.validity.notBefore = new Date();
+    crt.validity.notAfter = new Date();
+    crt.validity.notAfter.setFullYear(crt.validity.notBefore.getFullYear() + 1);
+    // Add SANs to the server certificate
+    crt.setExtensions([
+        {
+            name: "subjectAltName",
+            altNames: [
+                {
+                    type: 2,
+                    value: name,
+                },
+            ],
+        },
+    ]);
+    // Set the server certificate's issuer to the CA
+    crt.setIssuer(issuer);
+    return crt;
+}

package/dist/src/lib/k8s/types.d.ts

@@ -0,0 +1,136 @@
+import { V1ListMeta, V1ObjectMeta } from "@kubernetes/client-node";
+export declare enum Operation {
+    CREATE = "CREATE",
+    UPDATE = "UPDATE",
+    DELETE = "DELETE",
+    CONNECT = "CONNECT"
+}
+export interface KubernetesObject {
+    apiVersion?: string;
+    kind?: string;
+    metadata?: V1ObjectMeta;
+}
+export interface KubernetesListObject<T extends KubernetesObject> {
+    apiVersion?: string;
+    kind?: string;
+    metadata?: V1ListMeta;
+    items: T[];
+}
+/**
+ *  GroupVersionKind unambiguously identifies a kind.  It doesn't anonymously include GroupVersion
+ * to avoid automatic coercion.  It doesn't use a GroupVersion to avoid custom marshalling
+ **/
+export interface GroupVersionKind {
+    /** The K8s resource kind, e..g "Pod". */
+    readonly kind: string;
+    readonly group: string;
+    readonly version?: string;
+}
+/**
+ * GroupVersionResource unambiguously identifies a resource.  It doesn't anonymously include GroupVersion
+ * to avoid automatic coercion.  It doesn't use a GroupVersion to avoid custom marshalling
+ */
+export interface GroupVersionResource {
+    readonly group: string;
+    readonly version: string;
+    readonly resource: string;
+}
+/**
+ * A Kubernetes admission request to be processed by a capability.
+ */
+export interface Request<T = KubernetesObject> {
+    /** UID is an identifier for the individual request/response. */
+    readonly uid: string;
+    /** Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale) */
+    readonly kind: GroupVersionKind;
+    /** Resource is the fully-qualified resource being requested (for example, v1.pods) */
+    readonly resource: GroupVersionResource;
+    /** SubResource is the subresource being requested, if any (for example, "status" or "scale") */
+    readonly subResource?: string;
+    /** RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). */
+    readonly requestKind?: GroupVersionKind;
+    /** RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). */
+    readonly requestResource?: GroupVersionResource;
+    /** RequestSubResource is the subresource of the original API request, if any (for example, "status" or "scale"). */
+    readonly requestSubResource?: string;
+    /**
+     * Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and
+     * rely on the server to generate the name. If that is the case, this method will return the empty string.
+     */
+    readonly name: string;
+    /** Namespace is the namespace associated with the request (if any). */
+    readonly namespace?: string;
+    /**
+     * Operation is the operation being performed. This may be different than the operation
+     * requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
+     */
+    readonly operation: Operation;
+    /** UserInfo is information about the requesting user */
+    readonly userInfo: {
+        /** The name that uniquely identifies this user among all active users. */
+        username?: string;
+        /**
+         * A unique value that identifies this user across time. If this user is deleted
+         * and another user by the same name is added, they will have different UIDs.
+         */
+        uid?: string;
+        /** The names of groups this user is a part of. */
+        groups?: string[];
+        /** Any additional information provided by the authenticator. */
+        extra?: {
+            [key: string]: string[];
+        };
+    };
+    /** Object is the object from the incoming request prior to default values being applied */
+    readonly object: T;
+    /** OldObject is the existing object. Only populated for UPDATE requests. */
+    readonly oldObject?: T;
+    /** DryRun indicates that modifications will definitely not be persisted for this request. Defaults to false. */
+    readonly dryRun?: boolean;
+    /**
+     * Options contains the options for the operation being performed.
+     * e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be
+     * different than the options the caller provided. e.g. for a patch request the performed
+     * Operation might be a CREATE, in which case the Options will a
+     * `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
+     */
+    readonly options?: any;
+}
+export interface Response {
+    /** UID is an identifier for the individual request/response. This must be copied over from the corresponding AdmissionRequest. */
+    uid: string;
+    /** Allowed indicates whether or not the admission request was permitted. */
+    allowed: boolean;
+    /** Result contains extra details into why an admission request was denied. This field IS NOT consulted in any way if "Allowed" is "true". */
+    result?: string;
+    /** The patch body. Currently we only support "JSONPatch" which implements RFC 6902. */
+    patch?: string;
+    /** The type of Patch. Currently we only allow "JSONPatch". */
+    patchType?: "JSONPatch";
+    /** AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted). */
+    auditAnnotations?: {
+        [key: string]: string;
+    };
+    /** warnings is a list of warning messages to return to the requesting API client. */
+    warnings?: string[];
+}
+export type WebhookIgnore = {
+    /**
+     * List of Kubernetes namespaces to always ignore.
+     * Any resources in these namespaces will be ignored by Pepr.
+     *
+     * Note: `kube-system` and `pepr-system` are always ignored.
+     */
+    namespaces?: string[];
+    /**
+     * List of Kubernetes labels to always ignore.
+     * Any resources with these labels will be ignored by Pepr.
+     *
+     * The example below will ignore any resources with the label `my-label=ulta-secret`:
+     * ```
+     * alwaysIgnore:
+     *   labels: [{ "my-label": "ultra-secret" }]
+     * ```
+     */
+    labels?: Record<string, string>[];
+};

package/dist/src/lib/k8s/types.js

@@ -0,0 +1,9 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+export var Operation;
+(function (Operation) {
+    Operation["CREATE"] = "CREATE";
+    Operation["UPDATE"] = "UPDATE";
+    Operation["DELETE"] = "DELETE";
+    Operation["CONNECT"] = "CONNECT";
+})(Operation || (Operation = {}));

package/dist/src/lib/k8s/upstream.d.ts

@@ -0,0 +1 @@
+export { V1APIService as APIService, V1CertificateSigningRequest as CertificateSigningRequest, V1ConfigMap as ConfigMap, V1ControllerRevision as ControllerRevision, V1CronJob as CronJob, V1CSIDriver as CSIDriver, V1CSIStorageCapacity as CSIStorageCapacity, V1CustomResourceDefinition as CustomResourceDefinition, V1DaemonSet as DaemonSet, V1Deployment as Deployment, V1EndpointSlice as EndpointSlice, V1HorizontalPodAutoscaler as HorizontalPodAutoscaler, V1Ingress as Ingress, V1IngressClass as IngressClass, V1Job as Job, V1LimitRange as LimitRange, V1LocalSubjectAccessReview as LocalSubjectAccessReview, V1MutatingWebhookConfiguration as MutatingWebhookConfiguration, V1Namespace as Namespace, V1NetworkPolicy as NetworkPolicy, V1Node as Node, V1PersistentVolume as PersistentVolume, V1PersistentVolumeClaim as PersistentVolumeClaim, V1Pod as Pod, V1PodDisruptionBudget as PodDisruptionBudget, V1PodTemplate as PodTemplate, V1ReplicaSet as ReplicaSet, V1ReplicationController as ReplicationController, V1ResourceQuota as ResourceQuota, V1RuntimeClass as RuntimeClass, V1Secret as Secret, V1SelfSubjectAccessReview as SelfSubjectAccessReview, V1SelfSubjectRulesReview as SelfSubjectRulesReview, V1Service as Service, V1ServiceAccount as ServiceAccount, V1StatefulSet as StatefulSet, V1StorageClass as StorageClass, V1SubjectAccessReview as SubjectAccessReview, V1TokenReview as TokenReview, V1ValidatingWebhookConfiguration as ValidatingWebhookConfiguration, V1VolumeAttachment as VolumeAttachment, } from "@kubernetes/client-node/dist";

package/dist/src/lib/k8s/upstream.js

@@ -0,0 +1,3 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+export { V1APIService as APIService, V1CertificateSigningRequest as CertificateSigningRequest, V1ConfigMap as ConfigMap, V1ControllerRevision as ControllerRevision, V1CronJob as CronJob, V1CSIDriver as CSIDriver, V1CSIStorageCapacity as CSIStorageCapacity, V1CustomResourceDefinition as CustomResourceDefinition, V1DaemonSet as DaemonSet, V1Deployment as Deployment, V1EndpointSlice as EndpointSlice, V1HorizontalPodAutoscaler as HorizontalPodAutoscaler, V1Ingress as Ingress, V1IngressClass as IngressClass, V1Job as Job, V1LimitRange as LimitRange, V1LocalSubjectAccessReview as LocalSubjectAccessReview, V1MutatingWebhookConfiguration as MutatingWebhookConfiguration, V1Namespace as Namespace, V1NetworkPolicy as NetworkPolicy, V1Node as Node, V1PersistentVolume as PersistentVolume, V1PersistentVolumeClaim as PersistentVolumeClaim, V1Pod as Pod, V1PodDisruptionBudget as PodDisruptionBudget, V1PodTemplate as PodTemplate, V1ReplicaSet as ReplicaSet, V1ReplicationController as ReplicationController, V1ResourceQuota as ResourceQuota, V1RuntimeClass as RuntimeClass, V1Secret as Secret, V1SelfSubjectAccessReview as SelfSubjectAccessReview, V1SelfSubjectRulesReview as SelfSubjectRulesReview, V1Service as Service, V1ServiceAccount as ServiceAccount, V1StatefulSet as StatefulSet, V1StorageClass as StorageClass, V1SubjectAccessReview as SubjectAccessReview, V1TokenReview as TokenReview, V1ValidatingWebhookConfiguration as ValidatingWebhookConfiguration, V1VolumeAttachment as VolumeAttachment, } from "@kubernetes/client-node/dist";