pepr 0.1.27 → 0.1.29

package/dist/pepr-core.js

@@ -1,949 +0,0 @@
-#!/usr/bin/env node
-'use strict';
-
-var dist = require('@kubernetes/client-node/dist');
-var types = require('./types-1709b44f.js');
-var R = require('ramda');
-var express = require('express');
-var fs = require('fs');
-var https = require('https');
-var fastJsonPatch = require('fast-json-patch');
-
-function _interopNamespaceDefault(e) {
-    var n = Object.create(null);
-    if (e) {
-        Object.keys(e).forEach(function (k) {
-            if (k !== 'default') {
-                var d = Object.getOwnPropertyDescriptor(e, k);
-                Object.defineProperty(n, k, d.get ? d : {
-                    enumerable: true,
-                    get: function () { return e[k]; }
-                });
-            }
-        });
-    }
-    n.default = e;
-    return Object.freeze(n);
-}
-
-var R__namespace = /*#__PURE__*/_interopNamespaceDefault(R);
-
-// SPDX-License-Identifier: Apache-2.0
-
-var upstream = /*#__PURE__*/Object.freeze({
-    __proto__: null,
-    APIService: dist.V1APIService,
-    CSIDriver: dist.V1CSIDriver,
-    CSIStorageCapacity: dist.V1CSIStorageCapacity,
-    CertificateSigningRequest: dist.V1CertificateSigningRequest,
-    ConfigMap: dist.V1ConfigMap,
-    ControllerRevision: dist.V1ControllerRevision,
-    CronJob: dist.V1CronJob,
-    CustomResourceDefinition: dist.V1CustomResourceDefinition,
-    DaemonSet: dist.V1DaemonSet,
-    Deployment: dist.V1Deployment,
-    EndpointSlice: dist.V1EndpointSlice,
-    HorizontalPodAutoscaler: dist.V1HorizontalPodAutoscaler,
-    Ingress: dist.V1Ingress,
-    IngressClass: dist.V1IngressClass,
-    Job: dist.V1Job,
-    LimitRange: dist.V1LimitRange,
-    LocalSubjectAccessReview: dist.V1LocalSubjectAccessReview,
-    MutatingWebhookConfiguration: dist.V1MutatingWebhookConfiguration,
-    Namespace: dist.V1Namespace,
-    NetworkPolicy: dist.V1NetworkPolicy,
-    Node: dist.V1Node,
-    PersistentVolume: dist.V1PersistentVolume,
-    PersistentVolumeClaim: dist.V1PersistentVolumeClaim,
-    Pod: dist.V1Pod,
-    PodDisruptionBudget: dist.V1PodDisruptionBudget,
-    PodTemplate: dist.V1PodTemplate,
-    ReplicaSet: dist.V1ReplicaSet,
-    ReplicationController: dist.V1ReplicationController,
-    ResourceQuota: dist.V1ResourceQuota,
-    RuntimeClass: dist.V1RuntimeClass,
-    Secret: dist.V1Secret,
-    SelfSubjectAccessReview: dist.V1SelfSubjectAccessReview,
-    SelfSubjectRulesReview: dist.V1SelfSubjectRulesReview,
-    Service: dist.V1Service,
-    ServiceAccount: dist.V1ServiceAccount,
-    StatefulSet: dist.V1StatefulSet,
-    StorageClass: dist.V1StorageClass,
-    SubjectAccessReview: dist.V1SubjectAccessReview,
-    TokenReview: dist.V1TokenReview,
-    ValidatingWebhookConfiguration: dist.V1ValidatingWebhookConfiguration,
-    VolumeAttachment: dist.V1VolumeAttachment
-});
-
-// SPDX-License-Identifier: Apache-2.0
-// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
-const gvkMap = {
-    /**
-     * Represents a K8s ConfigMap resource.
-     * ConfigMap holds configuration data for pods to consume.
-     * @see {@link https://kubernetes.io/docs/concepts/configuration/configmap/}
-     */
-    V1ConfigMap: {
-        kind: "ConfigMap",
-        version: "v1",
-        group: "",
-    },
-    /**
-     * Represents a K8s Endpoints resource.
-     * Endpoints expose a service's IP addresses and ports to other resources.
-     * @see {@link https://kubernetes.io/docs/concepts/services-networking/service/#endpoints}
-     */
-    V1Endpoint: {
-        kind: "Endpoints",
-        version: "v1",
-        group: "",
-    },
-    /**
-     * Represents a K8s LimitRange resource.
-     * LimitRange enforces constraints on the resource consumption of objects in a namespace.
-     * @see {@link https://kubernetes.io/docs/concepts/policy/limit-range/}
-     */
-    V1LimitRange: {
-        kind: "LimitRange",
-        version: "v1",
-        group: "",
-    },
-    /**
-     * Represents a K8s Namespace resource.
-     * Namespace is a way to divide cluster resources between multiple users.
-     * @see {@link https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/}
-     */
-    V1Namespace: {
-        kind: "Namespace",
-        version: "v1",
-        group: "",
-    },
-    /**
-     * Represents a K8s Node resource.
-     * Node is a worker machine in Kubernetes.
-     * @see {@link https://kubernetes.io/docs/concepts/architecture/nodes/}
-     */
-    V1Node: {
-        kind: "Node",
-        version: "v1",
-        group: "",
-    },
-    /**
-     * Represents a K8s PersistentVolumeClaim resource.
-     * PersistentVolumeClaim is a user's request for and claim to a persistent volume.
-     * @see {@link https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims}
-     */
-    V1PersistentVolumeClaim: {
-        kind: "PersistentVolumeClaim",
-        version: "v1",
-        group: "",
-    },
-    /**
-     * Represents a K8s PersistentVolume resource.
-     * PersistentVolume is a piece of storage in the cluster that has been provisioned by an administrator.
-     * @see {@link https://kubernetes.io/docs/concepts/storage/persistent-volumes/}
-     */
-    V1PersistentVolume: {
-        kind: "PersistentVolume",
-        version: "v1",
-        group: "",
-    },
-    /**
-     * Represents a K8s Pod resource.
-     * Pod is the smallest and simplest unit in the Kubernetes object model.
-     * @see {@link https://kubernetes.io/docs/concepts/workloads/pods/}
-     */
-    V1Pod: {
-        kind: "Pod",
-        version: "v1",
-        group: "",
-    },
-    /**
-     * Represents a K8s PodTemplate resource.
-     * PodTemplate is an object that describes the pod that will be created from a higher level abstraction.
-     * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/#pod-template}
-     */
-    V1PodTemplate: {
-        kind: "PodTemplate",
-        version: "v1",
-        group: "",
-    },
-    /**
-     * Represents a K8s ReplicationController resource.
-     * ReplicationController ensures that a specified number of pod replicas are running at any given time.
-     * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/}
-     */
-    V1ReplicationController: {
-        kind: "ReplicationController",
-        version: "v1",
-        group: "",
-    },
-    /**
-     * Represents a K8s ResourceQuota resource.
-     * ResourceQuota provides constraints that limit resource consumption per namespace.
-     * @see {@link https://kubernetes.io/docs/concepts/policy/resource-quotas/}
-     */
-    V1ResourceQuota: {
-        kind: "ResourceQuota",
-        version: "v1",
-        group: "",
-    },
-    /**
-     * Represents a K8s Secret resource.
-     * Secret holds secret data of a certain type.
-     * @see {@link https://kubernetes.io/docs/concepts/configuration/secret/}
-     */
-    V1Secret: {
-        kind: "Secret",
-        version: "v1",
-        group: "",
-    },
-    /**
-     * Represents a K8s ServiceAccount resource.
-     * ServiceAccount is an identity that processes in a pod can use to access the Kubernetes API.
-     * @see {@link https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/}
-     */
-    V1ServiceAccount: {
-        kind: "ServiceAccount",
-        version: "v1",
-        group: "",
-    },
-    /**
-     * Represents a K8s Service resource.
-     * Service is an abstraction which defines a logical set of Pods and a policy by which to access them.
-     * @see {@link https://kubernetes.io/docs/concepts/services-networking/service/}
-     */
-    V1Service: {
-        kind: "Service",
-        version: "v1",
-        group: "",
-    },
-    /**
-     * Represents a K8s MutatingWebhookConfiguration resource.
-     * MutatingWebhookConfiguration configures a mutating admission webhook.
-     * @see {@link https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#configure-admission-webhooks-on-the-fly}
-     */
-    V1MutatingWebhookConfiguration: {
-        kind: "MutatingWebhookConfiguration",
-        version: "v1",
-        group: "admissionregistration.k8s.io",
-    },
-    /**
-     * Represents a K8s ValidatingWebhookConfiguration resource.
-     * ValidatingWebhookConfiguration configures a validating admission webhook.
-     * @see {@link https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#configure-admission-webhooks-on-the-fly}
-     */
-    V1ValidatingWebhookConfiguration: {
-        kind: "ValidatingWebhookConfiguration",
-        version: "v1",
-        group: "admissionregistration.k8s.io",
-    },
-    /**
-     * Represents a K8s CustomResourceDefinition resource.
-     * CustomResourceDefinition is a custom resource in a Kubernetes cluster.
-     * @see {@link https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/}
-     */
-    V1CustomResourceDefinition: {
-        kind: "CustomResourceDefinition",
-        version: "v1",
-        group: "apiextensions.k8s.io",
-    },
-    /**
-     * Represents a K8s APIService resource.
-     * APIService represents a server for a particular API version and group.
-     * @see {@link https://kubernetes.io/docs/tasks/access-kubernetes-api/setup-extension-api-server/}
-     */
-    V1APIService: {
-        kind: "APIService",
-        version: "v1",
-        group: "apiregistration.k8s.io",
-    },
-    /**
-     * Represents a K8s ControllerRevision resource.
-     * ControllerRevision is used to manage the history of a StatefulSet or DaemonSet.
-     * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#revision-history}
-     */
-    V1ControllerRevision: {
-        kind: "ControllerRevision",
-        version: "v1",
-        group: "apps",
-    },
-    /**
-     * Represents a K8s DaemonSet resource.
-     * DaemonSet ensures that all (or some) nodes run a copy of a Pod.
-     * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/}
-     */
-    V1DaemonSet: {
-        kind: "DaemonSet",
-        version: "v1",
-        group: "apps",
-    },
-    /**
-     * Represents a K8s Deployment resource.
-     * Deployment provides declarative updates for Pods and ReplicaSets.
-     * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/deployment/}
-     */
-    V1Deployment: {
-        kind: "Deployment",
-        version: "v1",
-        group: "apps",
-    },
-    /**
-     * Represents a K8s ReplicaSet resource.
-     * ReplicaSet ensures that a specified number of pod replicas are running at any given time.
-     * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/}
-     */
-    V1ReplicaSet: {
-        kind: "ReplicaSet",
-        version: "v1",
-        group: "apps",
-    },
-    /**
-     * Represents a K8s StatefulSet resource.
-     * StatefulSet is used to manage stateful applications.
-     * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/}
-     */
-    V1StatefulSet: {
-        kind: "StatefulSet",
-        version: "v1",
-        group: "apps",
-    },
-    /**
-     * Represents a K8s TokenReview resource.
-     * TokenReview attempts to authenticate a token to a known user.
-     * @see {@link https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#tokenreview-v1-authentication-k8s-io}
-     */
-    V1TokenReview: {
-        kind: "TokenReview",
-        version: "v1",
-        group: "authentication.k8s.io",
-    },
-    /**
-     * Represents a K8s LocalSubjectAccessReview resource.
-     * LocalSubjectAccessReview checks whether a specific user can perform a specific action in a specific namespace.
-     * @see {@link https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#localsubjectaccessreview-v1-authorization-k8s-io}
-     */
-    V1LocalSubjectAccessReview: {
-        kind: "LocalSubjectAccessReview",
-        version: "v1",
-        group: "authorization.k8s.io",
-    },
-    /**
-     * Represents a K8s SelfSubjectAccessReview resource.
-     * SelfSubjectAccessReview checks whether the current user can perform a specific action.
-     * @see {@link https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#selfsubjectaccessreview-v1-authorization-k8s-io}
-     */
-    V1SelfSubjectAccessReview: {
-        kind: "SelfSubjectAccessReview",
-        version: "v1",
-        group: "authorization.k8s.io",
-    },
-    /**
-     * Represents a K8s SelfSubjectRulesReview resource.
-     * SelfSubjectRulesReview lists the permissions a specific user has within a namespace.
-     * @see {@link https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#selfsubjectrulesreview-v1-authorization-k8s-io}
-     */
-    V1SelfSubjectRulesReview: {
-        kind: "SelfSubjectRulesReview",
-        version: "v1",
-        group: "authorization.k8s.io",
-    },
-    /**
-     * Represents a K8s SubjectAccessReview resource.
-     * SubjectAccessReview checks whether a specific user can perform a specific action.
-     * @see {@link https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#subjectaccessreview-v1-authorization-k8s-io}
-     */
-    V1SubjectAccessReview: {
-        kind: "SubjectAccessReview",
-        version: "v1",
-        group: "authorization.k8s.io",
-    },
-    /**
-     * Represents a K8s HorizontalPodAutoscaler resource.
-     * HorizontalPodAutoscaler automatically scales the number of Pods in a replication controller, deployment, or replica set.
-     * @see {@link https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/}
-     */
-    V1HorizontalPodAutoscaler: {
-        kind: "HorizontalPodAutoscaler",
-        version: "v2",
-        group: "autoscaling",
-    },
-    /**
-     * Represents a K8s CronJob resource.
-     * CronJob manages time-based jobs, specifically those that run periodically and complete after a successful execution.
-     * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/}
-     */
-    V1CronJob: {
-        kind: "CronJob",
-        version: "v1",
-        group: "batch",
-    },
-    /**
-     * Represents a K8s Job resource.
-     * Job represents the configuration of a single job.
-     * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/job/}
-     */
-    V1Job: {
-        kind: "Job",
-        version: "v1",
-        group: "batch",
-    },
-    /**
-     * Represents a K8s CertificateSigningRequest resource.
-     * CertificateSigningRequest represents a certificate signing request.
-     * @see {@link https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/}
-     */
-    V1CertificateSigningRequest: {
-        kind: "CertificateSigningRequest",
-        version: "v1",
-        group: "certificates.k8s.io",
-    },
-    /**
-     * Represents a K8s EndpointSlice resource.
-     * EndpointSlice represents a scalable set of network endpoints for a Kubernetes Service.
-     * @see {@link https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/}
-     */
-    V1EndpointSlice: {
-        kind: "EndpointSlice",
-        version: "v1",
-        group: "discovery.k8s.io",
-    },
-    /**
-     * Represents a K8s IngressClass resource.
-     * IngressClass represents the class of the Ingress, referenced by the Ingress spec.
-     * @see {@link https://kubernetes.io/docs/concepts/services-networking/ingress/}
-     */
-    V1IngressClass: {
-        kind: "IngressClass",
-        version: "v1",
-        group: "networking.k8s.io",
-    },
-    /**
-     * Represents a K8s Ingress resource.
-     * Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster.
-     * @see {@link https://kubernetes.io/docs/concepts/services-networking/ingress/}
-     */
-    V1Ingress: {
-        kind: "Ingress",
-        version: "v1",
-        group: "networking.k8s.io",
-    },
-    /**
-     * Represents a K8s NetworkPolicy resource.
-     * NetworkPolicy defines a set of rules for how pods communicate with each other.
-     * @see {@link https://kubernetes.io/docs/concepts/services-networking/network-policies/}
-     */
-    V1NetworkPolicy: {
-        kind: "NetworkPolicy",
-        version: "v1",
-        group: "networking.k8s.io",
-    },
-    /**
-     * Represents a K8s RuntimeClass resource.
-     * RuntimeClass is a cluster-scoped resource that surfaces container runtime properties to the control plane.
-     * @see {@link https://kubernetes.io/docs/concepts/containers/runtime-class/}
-     */
-    V1RuntimeClass: {
-        kind: "RuntimeClass",
-        version: "v1",
-        group: "node.k8s.io",
-    },
-    /**
-     * Represents a K8s PodDisruptionBudget resource.
-     * PodDisruptionBudget is an API object that limits the number of pods of a replicated application that are down simultaneously.
-     * @see {@link https://kubernetes.io/docs/concepts/workloads/pods/disruptions/}
-     */
-    V1PodDisruptionBudget: {
-        kind: "PodDisruptionBudget",
-        version: "v1",
-        group: "policy",
-    },
-    /**
-     * Represents a K8s VolumeAttachment resource.
-     * VolumeAttachment captures the intent to attach or detach the specified volume to/from the specified node.
-     * @see {@link https://kubernetes.io/docs/concepts/storage/storage-classes/}
-     */
-    V1VolumeAttachment: {
-        kind: "VolumeAttachment",
-        version: "v1",
-        group: "storage.k8s.io",
-    },
-    /**
-     * Represents a K8s CSIDriver resource.
-     * CSIDriver captures information about a Container Storage Interface (CSI) volume driver.
-     * @see {@link https://kubernetes.io/docs/concepts/storage/volumes/}
-     */
-    V1CSIDriver: {
-        kind: "CSIDriver",
-        version: "v1",
-        group: "storage.k8s.io",
-    },
-    /**
-     * Represents a K8s CSIStorageCapacity resource.
-     * CSIStorageCapacity stores the reported storage capacity of a CSI node or storage class.
-     * @see {@link https://kubernetes.io/docs/concepts/storage/csi/}
-     */
-    V1CSIStorageCapacity: {
-        kind: "CSIStorageCapacity",
-        version: "v1",
-        group: "storage.k8s.io",
-    },
-    /**
-     * Represents a K8s StorageClass resource.
-     * StorageClass is a cluster-scoped resource that provides a way for administrators to describe the classes of storage they offer.
-     * @see {@link https://kubernetes.io/docs/concepts/storage/storage-classes/}
-     */
-    V1StorageClass: {
-        kind: "StorageClass",
-        version: "v1",
-        group: "storage.k8s.io",
-    },
-};
-function modelToGroupVersionKind(key) {
-    return gvkMap[key];
-}
-
-// SPDX-License-Identifier: Apache-2.0
-// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
-var Operation;
-(function (Operation) {
-    Operation["CREATE"] = "CREATE";
-    Operation["UPDATE"] = "UPDATE";
-    Operation["DELETE"] = "DELETE";
-    Operation["CONNECT"] = "CONNECT";
-})(Operation || (Operation = {}));
-
-// SPDX-License-Identifier: Apache-2.0
-/**
- * A capability is a unit of functionality that can be registered with the Pepr runtime.
- */
-class Capability {
-    get bindings() {
-        return this._bindings;
-    }
-    get name() {
-        return this._name;
-    }
-    get description() {
-        return this._description;
-    }
-    get namespaces() {
-        return this._namespaces || [];
-    }
-    get mutateOrValidate() {
-        return this._mutateOrValidate;
-    }
-    constructor(cfg) {
-        // Currently everything is considered a mutation
-        this._mutateOrValidate = types.HookPhase.mutate;
-        this._bindings = [];
-        /**
-         * The When method is used to register a capability action to be executed when a Kubernetes resource is
-         * processed by Pepr. The action will be executed if the resource matches the specified kind and any
-         * filters that are applied.
-         *
-         * @param model if using a custom KubernetesObject not available in `a.*`, specify the GroupVersionKind
-         * @returns
-         */
-        this.When = (model) => {
-            const binding = {
-                // If the kind is not specified, use the default KubernetesObject
-                kind: modelToGroupVersionKind(model.name),
-                filters: {
-                    name: "",
-                    namespaces: [],
-                    labels: {},
-                    annotations: {},
-                },
-                callback: () => null,
-            };
-            const prefix = `${this._name}: ${model.name}`;
-            types.logger.info(`Binding created`, prefix);
-            const Then = (cb) => {
-                types.logger.info(`Binding action created`, prefix);
-                types.logger.debug(cb.toString(), prefix);
-                // Push the binding to the list of bindings for this capability as a new BindingAction
-                // with the callback function to preserve
-                this._bindings.push({
-                    ...binding,
-                    callback: cb,
-                });
-                // Now only allow adding actions to the same binding
-                return { Then };
-            };
-            const ThenSet = (merge) => {
-                // Add the new action to the binding
-                Then(req => req.Merge(merge));
-                return { Then };
-            };
-            function InNamespace(...namespaces) {
-                types.logger.debug(`Add namespaces filter ${namespaces}`, prefix);
-                binding.filters.namespaces.push(...namespaces);
-                return { WithLabel, WithAnnotation, WithName, Then, ThenSet };
-            }
-            function WithName(name) {
-                types.logger.debug(`Add name filter ${name}`, prefix);
-                binding.filters.name = name;
-                return { WithLabel, WithAnnotation, Then, ThenSet };
-            }
-            function WithLabel(key, value = "") {
-                types.logger.debug(`Add label filter ${key}=${value}`, prefix);
-                binding.filters.labels[key] = value;
-                return { WithLabel, WithAnnotation, Then, ThenSet };
-            }
-            const WithAnnotation = (key, value = "") => {
-                types.logger.debug(`Add annotation filter ${key}=${value}`, prefix);
-                binding.filters.annotations[key] = value;
-                return { WithLabel, WithAnnotation, Then, ThenSet };
-            };
-            const bindEvent = (event) => {
-                binding.event = event;
-                return {
-                    InNamespace,
-                    Then,
-                    ThenSet,
-                    WithAnnotation,
-                    WithLabel,
-                    WithName,
-                };
-            };
-            return {
-                IsCreatedOrUpdated: () => bindEvent(types.Event.CreateOrUpdate),
-                IsCreated: () => bindEvent(types.Event.Create),
-                IsUpdated: () => bindEvent(types.Event.Update),
-                IsDeleted: () => bindEvent(types.Event.Delete),
-            };
-        };
-        this._name = cfg.name;
-        this._description = cfg.description;
-        this._namespaces = cfg.namespaces;
-        types.logger.info(`Capability ${this._name} registered`);
-        types.logger.debug(cfg);
-    }
-}
-
-// SPDX-License-Identifier: Apache-2.0
-/**
- * shouldSkipRequest determines if a request should be skipped based on the binding filters.
- *
- * @param binding the capability action binding
- * @param req the incoming request
- * @returns
- */
-function shouldSkipRequest(binding, req) {
-    const { group, kind, version } = binding.kind;
-    const { namespaces, labels, annotations } = binding.filters;
-    const { metadata } = req.object;
-    if (kind !== req.kind.kind) {
-        return true;
-    }
-    if (group && group !== req.kind.group) {
-        return true;
-    }
-    if (version && version !== req.kind.version) {
-        return true;
-    }
-    if (namespaces.length && !namespaces.includes(req.namespace || "")) {
-        types.logger.debug("Namespace does not match");
-        return true;
-    }
-    for (const [key, value] of Object.entries(labels)) {
-        if (metadata?.labels?.[key] !== value) {
-            types.logger.debug(`${metadata?.labels?.[key]} does not match ${value}`);
-            return true;
-        }
-    }
-    for (const [key, value] of Object.entries(annotations)) {
-        if (metadata?.annotations?.[key] !== value) {
-            types.logger.debug(`${metadata?.annotations?.[key]} does not match ${value}`);
-            return true;
-        }
-    }
-    return false;
-}
-
-// SPDX-License-Identifier: Apache-2.0
-/**
- * The RequestWrapper class provides methods to modify Kubernetes objects in the context
- * of a mutating webhook request.
- */
-class RequestWrapper {
-    get PermitSideEffects() {
-        return !this._input.dryRun;
-    }
-    /**
-     * Indicates whether the request is a dry run.
-     * @returns true if the request is a dry run, false otherwise.
-     */
-    get IsDryRun() {
-        return this._input.dryRun;
-    }
-    /**
-     * Provides access to the old resource in the request if available.
-     * @returns The old Kubernetes resource object or null if not available.
-     */
-    get OldResource() {
-        return this._input.oldObject;
-    }
-    /**
-     * Provides access to the request object.
-     * @returns The request object containing the Kubernetes resource.
-     */
-    get Request() {
-        return this._input;
-    }
-    /**
-     * Creates a new instance of the Action class.
-     * @param input - The request object containing the Kubernetes resource to modify.
-     */
-    constructor(input) {
-        // Deep clone the object to prevent mutation of the original object
-        this.Raw = R__namespace.clone(input.object);
-        // Store the input
-        this._input = input;
-    }
-    /**
-     * Deep merges the provided object with the current resource.
-     *
-     * @param obj - The object to merge with the current resource.
-     */
-    Merge(obj) {
-        this.Raw = R__namespace.mergeDeepRight(this.Raw, obj);
-    }
-    /**
-     * Updates a label on the Kubernetes resource.
-     * @param key - The key of the label to update.
-     * @param value - The value of the label.
-     * @returns The current Action instance for method chaining.
-     */
-    SetLabel(key, value) {
-        const ref = this.Raw;
-        ref.metadata = ref.metadata ?? {};
-        ref.metadata.labels = ref.metadata.labels ?? {};
-        ref.metadata.labels[key] = value;
-        return this;
-    }
-    /**
-     * Updates an annotation on the Kubernetes resource.
-     * @param key - The key of the annotation to update.
-     * @param value - The value of the annotation.
-     * @returns The current Action instance for method chaining.
-     */
-    SetAnnotation(key, value) {
-        const ref = this.Raw;
-        ref.metadata = ref.metadata ?? {};
-        ref.metadata.annotations = ref.metadata.annotations ?? {};
-        ref.metadata.annotations[key] = value;
-        return this;
-    }
-    /**
-     * Removes a label from the Kubernetes resource.
-     * @param key - The key of the label to remove.
-     * @returns The current Action instance for method chaining.
-     */
-    RemoveLabel(key) {
-        if (this.Raw.metadata?.labels?.[key]) {
-            delete this.Raw.metadata.labels[key];
-        }
-        return this;
-    }
-    /**
-     * Removes an annotation from the Kubernetes resource.
-     * @param key - The key of the annotation to remove.
-     * @returns The current Action instance for method chaining.
-     */
-    RemoveAnnotation(key) {
-        if (this.Raw.metadata?.annotations?.[key]) {
-            delete this.Raw.metadata.annotations[key];
-        }
-        return this;
-    }
-    /**
-     * Check if a label exists on the Kubernetes resource.
-     *
-     * @param key the label key to check
-     * @returns
-     */
-    HasLabel(key) {
-        return this.Raw?.metadata?.labels?.[key] !== undefined;
-    }
-    /**
-     * Check if an annotation exists on the Kubernetes resource.
-     *
-     * @param key the annotation key to check
-     * @returns
-     */
-    HasAnnotation(key) {
-        return this.Raw?.metadata?.annotations?.[key] !== undefined;
-    }
-}
-
-// SPDX-License-Identifier: Apache-2.0
-function processor(config, capabilities, req) {
-    const wrapped = new RequestWrapper(req);
-    const response = {
-        uid: req.uid,
-        patchType: "JSONPatch",
-        warnings: [],
-        allowed: false,
-    };
-    types.logger.info(`Processing '${req.uid}' for '${req.kind.kind}' '${req.name}'`);
-    for (const { name, bindings } of capabilities) {
-        const prefix = `${req.uid} ${req.name}: ${name}`;
-        types.logger.info(`Processing capability ${name}`, prefix);
-        for (const action of bindings) {
-            // Continue to the next action without doing anything if this one should be skipped
-            if (shouldSkipRequest(action, req)) {
-                continue;
-            }
-            types.logger.info(`Processing matched action ${action.kind.kind}`, prefix);
-            // Add annotations to the request to indicate that the capability started processing
-            // this will allow tracking of failed mutations that were permitted to continue
-            const { metadata } = wrapped.Raw;
-            const identifier = `pepr.dev/${config.uuid}/${name}`;
-            metadata.annotations = metadata.annotations || {};
-            metadata.annotations[identifier] = "started";
-            try {
-                // Run the action
-                action.callback(wrapped);
-                // Add annotations to the request to indicate that the capability succeeded
-                metadata.annotations[identifier] = "succeeded";
-            }
-            catch (e) {
-                response.warnings.push(`Action failed: ${e}`);
-                // If errors are not allowed, note the failure in the Reponse
-                if (config.onError) {
-                    types.logger.error(`Action failed: ${e}`, prefix);
-                    response.result = "Pepr module configured to reject on error";
-                    return response;
-                }
-                else {
-                    types.logger.warn(`Action failed: ${e}`, prefix);
-                    metadata.annotations[identifier] = "warning";
-                }
-            }
-        }
-    }
-    // If we've made it this far, the request is allowed
-    response.allowed = true;
-    // Compare the original request to the modified request to get the patches
-    const patches = fastJsonPatch.compare(req.object, wrapped.Raw);
-    // Only add the patch if there are patches to apply
-    if (patches.length > 0) {
-        response.patch = JSON.stringify(patches);
-    }
-    // Remove the warnings array if it's empty
-    if (response.warnings.length < 1) {
-        delete response.warnings;
-    }
-    types.logger.debug(patches);
-    return response;
-}
-
-// SPDX-License-Identifier: Apache-2.0
-// Load SSL certificate and key
-const options = {
-    key: fs.readFileSync(process.env.SSL_KEY_PATH || "/etc/certs/tls.key"),
-    cert: fs.readFileSync(process.env.SSL_CERT_PATH || "/etc/certs/tls.crt"),
-};
-class Controller {
-    constructor(config, capabilities) {
-        this.config = config;
-        this.capabilities = capabilities;
-        this.app = express();
-        /** Start the webhook server */
-        this.startServer = (port) => {
-            // Create HTTPS server
-            https.createServer(options, this.app).listen(port, () => {
-                console.log(`Server listening on port ${port}`);
-            });
-        };
-        this.logger = (req, res, next) => {
-            const startTime = Date.now();
-            res.on("finish", () => {
-                const now = new Date().toISOString();
-                const elapsedTime = Date.now() - startTime;
-                const message = `[${now}] ${req.method} ${req.originalUrl} - ${res.statusCode} - ${elapsedTime} ms\n`;
-                res.statusCode >= 400 ? console.error(message) : console.info(message);
-            });
-            next();
-        };
-        this.healthz = (req, res) => {
-            try {
-                res.send("OK");
-            }
-            catch (err) {
-                console.error(err);
-                res.status(500).send("Internal Server Error");
-            }
-        };
-        this.mutate = (req, res) => {
-            try {
-                const name = req.body?.request?.name || "";
-                const namespace = req.body?.request?.namespace || "";
-                const gvk = req.body?.request?.kind || { group: "", version: "", kind: "" };
-                console.log(`Mutate request: ${gvk.group}/${gvk.version}/${gvk.kind}`);
-                name && console.log(`                ${namespace}/${name}\n`);
-                // @todo: make this actually do something
-                const response = processor(this.config, this.capabilities, req.body.request);
-                console.debug(response);
-                // Send a no prob bob response
-                res.send({
-                    apiVersion: "admission.k8s.io/v1",
-                    kind: "AdmissionReview",
-                    response: {
-                        uid: req.body.request.uid,
-                        allowed: true,
-                    },
-                });
-            }
-            catch (err) {
-                console.error(err);
-                res.status(500).send("Internal Server Error");
-            }
-        };
-        // Middleware for logging requests
-        this.app.use(this.logger);
-        // Middleware for parsing JSON
-        this.app.use(express.json());
-        // Health check endpoint
-        this.app.get("/healthz", this.healthz);
-        // Mutate endpoint
-        this.app.post("/mutate", this.mutate);
-    }
-}
-
-// SPDX-License-Identifier: Apache-2.0
-const alwaysIgnore = {
-    namespaces: ["kube-system", "pepr-system"],
-    labels: [{ "pepr.dev": "ignore" }],
-};
-class PeprModule {
-    /**
-     * Create a new Pepr runtime
-     *
-     * @param config The configuration for the Pepr runtime
-     */
-    constructor({ description, pepr }, capabilities = [], deferStart = false) {
-        const config = R.mergeDeepWith(R.concat, pepr, alwaysIgnore);
-        config.description = description;
-        this._controller = new Controller(config, capabilities);
-        if (!deferStart) {
-            this.start();
-        }
-    }
-    /**
-     * Start the Pepr runtime manually.
-     * Normally this is called automatically when the Pepr module is instantiated, but can be called manually if `deferStart` is set to `true` in the constructor.
-     *
-     * @param port
-     */
-    start(port = 3000) {
-        this._controller.startServer(port);
-    }
-}
-
-exports.Log = types.logger;
-exports.Capability = Capability;
-exports.PeprModule = PeprModule;
-exports.a = upstream;