pepr 0.12.2 → 0.13.1

package/journey/pepr-build.ts

@@ -0,0 +1,69 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { expect, it } from "@jest/globals";
+import { loadYaml } from "@kubernetes/client-node";
+import { execSync } from "child_process";
+import { promises as fs } from "fs";
+import { resolve } from "path";
+
+import { cwd } from "./entrypoint.test";
+
+export function peprBuild() {
+  it("should successfully build the Pepr project", async () => {
+    execSync("npx pepr build", { cwd: cwd, stdio: "inherit" });
+  });
+
+  it("should generate produce the K8s yaml file", async () => {
+    await fs.access(resolve(cwd, "dist", "pepr-module-static-test.yaml"));
+  });
+
+  it("should generate the zarf.yaml f", async () => {
+    await fs.access(resolve(cwd, "dist", "zarf.yaml"));
+    await validateZarfYaml();
+  });
+}
+
+async function validateZarfYaml() {
+  // Get the version of the pepr binary
+  const peprVer = execSync("npx pepr --version", { cwd }).toString().trim();
+
+  // Read the generated yaml files
+  const k8sYaml = await fs.readFile(resolve(cwd, "dist", "pepr-module-static-test.yaml"), "utf8");
+  const zarfYAML = await fs.readFile(resolve(cwd, "dist", "zarf.yaml"), "utf8");
+
+  // The expected image name
+  const expectedImage = `ghcr.io/defenseunicorns/pepr/controller:v${peprVer}`;
+
+  // The expected zarf yaml contents
+  const expectedZarfYaml = {
+    kind: "ZarfPackageConfig",
+    metadata: {
+      name: "pepr-static-test",
+      description: "Pepr Module: A test module for Pepr",
+      url: "https://github.com/defenseunicorns/pepr",
+      version: "0.0.1",
+    },
+    components: [
+      {
+        name: "module",
+        required: true,
+        manifests: [
+          {
+            name: "module",
+            namespace: "pepr-system",
+            files: ["pepr-module-static-test.yaml"],
+          },
+        ],
+        images: [expectedImage],
+      },
+    ],
+  };
+
+  // Check the generated zarf yaml
+  const actualZarfYaml = loadYaml(zarfYAML);
+  expect(actualZarfYaml).toEqual(expectedZarfYaml);
+
+  // Check the generated k8s yaml
+  expect(k8sYaml).toMatch(`image: ${expectedImage}`);
+}

package/journey/pepr-deploy.ts

@@ -0,0 +1,133 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { describe, expect, it } from "@jest/globals";
+import { execSync, spawnSync } from "child_process";
+import { resolve } from "path";
+
+import { cwd } from "./entrypoint.test";
+import { waitForConfigMap, waitForDeploymentReady, waitForNamespace, waitForSecret } from "./k8s";
+
+export function peprDeploy() {
+  it("should deploy the Pepr controller into the test cluster", async () => {
+    execSync("npx pepr deploy -i pepr:dev --confirm", { cwd, stdio: "inherit" });
+
+    // Wait for the deployment to be ready
+    await waitForDeploymentReady("pepr-system", "pepr-static-test");
+  });
+
+  cleanupSamples();
+
+  it("should perform validation of resources applied to the test cluster", testValidate);
+
+  describe("should perform mutation of resources applied to the test cluster", testMutate);
+
+  cleanupSamples();
+}
+
+function cleanupSamples() {
+  try {
+    // Remove the sample yaml for the HelloPepr capability
+    execSync("kubectl delete -f hello-pepr.samples.yaml --ignore-not-found", {
+      cwd: resolve(cwd, "capabilities"),
+      stdio: "inherit",
+    });
+  } catch (e) {
+    // Ignore errors
+  }
+}
+
+async function testValidate() {
+  // Apply the sample yaml for the HelloPepr capability
+  const applyOut = spawnSync("kubectl apply -f hello-pepr.samples.yaml", {
+    shell: true, // Run command in a shell
+    encoding: "utf-8", // Encode result as string
+    cwd: resolve(cwd, "capabilities"),
+  });
+
+  const { stderr, status } = applyOut;
+
+  // Validation should return an error
+  expect(status).toBe(1);
+
+  // Check if the expected lines are in the output
+  const expected = [
+    `Error from server: error when creating "hello-pepr.samples.yaml": `,
+    `admission webhook "pepr-static-test.pepr.dev" denied the request: `,
+    `No evil CM annotations allowed.\n`,
+  ].join("");
+  expect(stderr).toBe(expected);
+}
+
+function testMutate() {
+  it("should mutate the namespace", async () => {
+    // Wait for the namespace to be created
+    const ns = await waitForNamespace("pepr-demo");
+
+    // Check if the namespace has the correct labels and annotations
+    expect(ns.metadata?.labels).toEqual({
+      "keep-me": "please",
+      "kubernetes.io/metadata.name": "pepr-demo",
+    });
+    expect(ns.metadata?.annotations?.["static-test.pepr.dev/hello-pepr"]).toBe("succeeded");
+  });
+
+  it("should mutate example-1", async () => {
+    const cm1 = await waitForConfigMap("pepr-demo", "example-1");
+    expect(cm1.metadata?.annotations?.["static-test.pepr.dev/hello-pepr"]).toBe("succeeded");
+    expect(cm1.metadata?.annotations?.["pepr.dev"]).toBe("annotations-work-too");
+    expect(cm1.metadata?.labels?.["pepr"]).toBe("was-here");
+  });
+
+  it("should mutate example-2", async () => {
+    const cm2 = await waitForConfigMap("pepr-demo", "example-2");
+    expect(cm2.metadata?.annotations?.["static-test.pepr.dev/hello-pepr"]).toBe("succeeded");
+    expect(cm2.metadata?.annotations?.["pepr.dev"]).toBe("annotations-work-too");
+    expect(cm2.metadata?.labels?.["pepr"]).toBe("was-here");
+  });
+
+  it("should mutate example-3", async () => {
+    const cm3 = await waitForConfigMap("pepr-demo", "example-3");
+
+    expect(cm3.metadata?.annotations?.["static-test.pepr.dev/hello-pepr"]).toBe("succeeded");
+    expect(cm3.metadata?.annotations?.["pepr.dev"]).toBe("making-waves");
+    expect(cm3.data).toEqual({ key: "ex-3-val", username: "system:admin" });
+  });
+
+  it("should mutate example-4", async () => {
+    const cm4 = await waitForConfigMap("pepr-demo", "example-4");
+    expect(cm4.metadata?.annotations?.["static-test.pepr.dev/hello-pepr"]).toBe("succeeded");
+    expect(cm4.metadata?.labels?.["pepr.dev/first"]).toBe("true");
+    expect(cm4.metadata?.labels?.["pepr.dev/second"]).toBe("true");
+    expect(cm4.metadata?.labels?.["pepr.dev/third"]).toBe("true");
+  });
+
+  it("should mutate example-4a", async () => {
+    const cm4a = await waitForConfigMap("pepr-demo-2", "example-4a");
+    expect(cm4a.metadata?.annotations?.["static-test.pepr.dev/hello-pepr"]).toBe("succeeded");
+    expect(cm4a.metadata?.labels?.["pepr.dev/first"]).toBe("true");
+    expect(cm4a.metadata?.labels?.["pepr.dev/second"]).toBe("true");
+    expect(cm4a.metadata?.labels?.["pepr.dev/third"]).toBe("true");
+  });
+
+  it("should mutate example-5", async () => {
+    const cm5 = await waitForConfigMap("pepr-demo", "example-5");
+
+    expect(cm5.metadata?.annotations?.["static-test.pepr.dev/hello-pepr"]).toBe("succeeded");
+    expect(cm5.data?.["chuck-says"]).toBeTruthy();
+  });
+
+  it("should mutate secret-1", async () => {
+    const s1 = await waitForSecret("pepr-demo", "secret-1");
+
+    expect(s1.metadata?.annotations?.["static-test.pepr.dev/hello-pepr"]).toBe("succeeded");
+    expect(s1.data?.["example"]).toBe("dW5pY29ybiBtYWdpYyAtIG1vZGlmaWVkIGJ5IFBlcHI=");
+    expect(s1.data?.["magic"]).toBe("Y2hhbmdlLXdpdGhvdXQtZW5jb2Rpbmc=");
+    expect(s1.data?.["binary-data"]).toBe(
+      "iCZQUg8xYucNUqD+8lyl2YcKjYYygvTtiDSEV9b9WKUkxSSLFJTgIWMJ9GcFFYs4T9JCdda51u74jfq8yHzRuEASl60EdTS/NfWgIIFTGqcNRfqMw+vgpyTMmCyJVaJEDFq6AA==",
+    );
+    expect(s1.data?.["ascii-with-white-space"]).toBe(
+      "VGhpcyBpcyBzb21lIHJhbmRvbSB0ZXh0OgoKICAgIC0gd2l0aCBsaW5lIGJyZWFrcwogICAgLSBhbmQgdGFicw==",
+    );
+  });
+}

package/journey/pepr-dev.ts

@@ -0,0 +1,155 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { afterAll, expect, it } from "@jest/globals";
+import { KubeConfig } from "@kubernetes/client-node";
+import { ChildProcessWithoutNullStreams, spawn } from "child_process";
+import { Agent } from "https";
+import { RequestInit } from "node-fetch";
+
+import { fetch } from "../src/lib/fetch";
+import { cwd } from "./entrypoint.test";
+
+const kc = new KubeConfig();
+kc.loadFromDefault();
+
+let expectedLines = [
+  "Establishing connection to Kubernetes",
+  "Capability hello-pepr registered",
+  "Mutate Action configured for CREATE",
+  "Validate Action configured for CREATE",
+  "Server listening on port 3000",
+];
+
+export function peprDev() {
+  let cmd: ChildProcessWithoutNullStreams;
+  let success = false;
+
+  it("should start the Pepr dev server", () => {
+    cmd = spawn("npx", ["pepr", "dev", "--confirm"], { cwd });
+
+    // This command should not exit on its own
+    cmd.on("close", code => {
+      if (!success) {
+        throw new Error(`Command exited with code ${code}`);
+      }
+    });
+
+    // Log stderr
+    cmd.stderr.on("data", data => {
+      if (!success) {
+        console.error(`stderr: ${data}`);
+      }
+    });
+
+    // Reject on error
+    cmd.on("error", error => {
+      if (!success) {
+        throw error;
+      }
+    });
+  });
+
+  it("should be properly configured by the test module", done => {
+    cmd.stdout.on("data", (data: Buffer) => {
+      if (success) {
+        return;
+      }
+
+      // Convert buffer to string
+      const strData = data.toString();
+      console.log(strData);
+
+      // Check if any expected lines are found
+      expectedLines = expectedLines.filter(expectedLine => {
+        // Check if the expected line is found in the output, ignoring whitespace
+        return !strData.replace(/\s+/g, " ").includes(expectedLine);
+      });
+
+      // If all expected lines are found, resolve the promise
+      if (expectedLines.length < 1) {
+        // Abort all further processing
+        success = true;
+
+        // Finish the test
+        done();
+      }
+    });
+  });
+
+  it("should protect the controller endpoint with an API token", async () => {
+    await validateAPIKey();
+  });
+
+  it("should expose Prometheus metrics", async () => {
+    const metrics = await validateMetrics();
+    expect(metrics).toMatch("pepr_Validate");
+    expect(metrics).toMatch("pepr_Mutate");
+    expect(metrics).toMatch("pepr_errors");
+    expect(metrics).toMatch("pepr_alerts");
+  });
+
+  afterAll(() => {
+    // Close or destroy the streams
+    if (cmd.stdin) {
+      cmd.stdin.end();
+    }
+    if (cmd.stdout) {
+      cmd.stdout.destroy();
+    }
+    if (cmd.stderr) {
+      cmd.stderr.destroy();
+    }
+
+    // Remove the event listeners
+    cmd.removeAllListeners("close");
+    cmd.removeAllListeners("error");
+
+    // Kill the process
+    cmd.kill(9);
+  });
+}
+
+async function validateAPIKey() {
+  const base = "https://localhost:3000/mutate/";
+
+  const fetchOpts: RequestInit = {
+    agent: new Agent({
+      // Avoid tls issues for self-signed certs
+      rejectUnauthorized: false,
+    }),
+    method: "POST",
+  };
+
+  // Test api token validation
+  const evilToken = await fetch(`${base}evil-token`, fetchOpts);
+
+  // Test for empty api token
+  const emptyToken = await fetch(base, fetchOpts);
+
+  if (evilToken.status !== 401) {
+    throw new Error("Expected evil token to return 401");
+  }
+
+  if (emptyToken.status !== 404) {
+    throw new Error("Expected empty token to return 404");
+  }
+}
+
+async function validateMetrics() {
+  const metricsEndpoint = "https://localhost:3000/metrics";
+
+  const fetchOpts: RequestInit = {
+    agent: new Agent({
+      // Avoid tls issues for self-signed certs
+      rejectUnauthorized: false,
+    }),
+  };
+  const metricsOk = await fetch<string>(metricsEndpoint, fetchOpts);
+
+  if (metricsOk.status !== 200) {
+    throw new Error("Expected metrics ok to return a 200");
+  }
+
+  return metricsOk.data;
+}

package/journey/pepr-format.ts

@@ -0,0 +1,13 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { it } from "@jest/globals";
+import { execSync } from "child_process";
+
+import { cwd } from "./entrypoint.test";
+
+export function peprFormat() {
+  it("should format the Pepr project", () => {
+    execSync("npx pepr format", { cwd, stdio: "inherit" });
+  });
+}

package/journey/pepr-init.ts

@@ -0,0 +1,12 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { it } from "@jest/globals";
+import { execSync } from "child_process";
+
+export function peprInit() {
+  it("should create a new Pepr project", () => {
+    const peprAlias = "file:pepr-0.0.0-development.tgz";
+    execSync(`TEST_MODE=true npx --yes ${peprAlias} init`, { stdio: "inherit" });
+  });
+}

package/package.json

@@ -9,19 +9,20 @@
   "engines": {
     "node": ">=18.0.0"
   },
-  "version": "0.12.2",
+  "version": "0.13.1",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {
-    "prebuild": "rm -fr dist/* && node hack/build-template-data.js",
+    "gen-data-json": "node hack/build-template-data.js",
+    "prebuild": "rm -fr dist/* && npm run gen-data-json",
     "build": "tsc && node build.mjs",
-    "test": "npm run test:unit && npm run test:e2e",
-    "test:unit": "npm run build && tsc -p tsconfig.tests.json && ava dist/**/*.test.js",
-    "test:e2e": "npm run test:e2e:k3d && npm run test:e2e:build && npm run test:e2e:image && npm run test:e2e:run",
-    "test:e2e:k3d": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0'",
-    "test:e2e:build": "npm run build && npm pack",
-    "test:e2e:image": "docker buildx build --tag pepr:dev . && k3d image import pepr:dev -c pepr-dev",
-    "test:e2e:run": "ava hack/e2e.test.mjs --sequential --timeout=2m",
+    "test": "npm run test:unit && npm run test:journey",
+    "test:unit": "npm run gen-data-json && jest src --coverage",
+    "test:journey": "npm run test:journey:k3d && npm run test:journey:build && npm run test:journey:image && npm run test:journey:run",
+    "test:journey:k3d": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0'",
+    "test:journey:build": "npm run build && npm pack",
+    "test:journey:image": "docker buildx build --tag pepr:dev . && k3d image import pepr:dev -c pepr-dev",
+    "test:journey:run": "jest journey/entrypoint.test.ts",
     "format:check": "eslint src && prettier src --check",
     "format:fix": "eslint src --fix && prettier src --write"
   },
@@ -30,36 +31,37 @@
     "express": "4.18.2",
     "fast-json-patch": "3.1.1",
     "http-status-codes": "2.2.0",
-    "node-fetch": "2.6.12",
-    "prom-client": "^14.2.0",
+    "node-fetch": "2.7.0",
+    "pino": "8.15.0",
+    "pino-pretty": "10.2.0",
+    "prom-client": "14.2.0",
     "ramda": "0.29.0"
   },
   "devDependencies": {
-    "@types/eslint": "8.44.1",
+    "@jest/globals": "29.6.4",
+    "@types/eslint": "8.44.2",
     "@types/express": "4.17.17",
+    "@types/node": "18.x.x",
     "@types/node-fetch": "2.6.4",
     "@types/node-forge": "1.3.4",
-    "@types/prettier": "2.7.3",
+    "@types/prettier": "3.0.0",
     "@types/prompts": "2.4.4",
     "@types/ramda": "0.29.3",
-    "@types/uuid": "9.0.2",
-    "ava": "5.3.1",
-    "nock": "13.3.2"
+    "@types/uuid": "9.0.3",
+    "jest": "29.6.4",
+    "nock": "13.3.3",
+    "ts-jest": "29.1.1"
   },
   "peerDependencies": {
-    "@typescript-eslint/eslint-plugin": "5.59.7",
-    "@typescript-eslint/parser": "5.59.7",
-    "commander": "10.0.1",
-    "esbuild": "0.17.19",
-    "eslint": "8.41.0",
+    "@typescript-eslint/eslint-plugin": "6.5.0",
+    "@typescript-eslint/parser": "6.5.0",
+    "commander": "11.0.0",
+    "esbuild": "0.19.2",
+    "eslint": "8.48.0",
     "node-forge": "1.3.1",
-    "prettier": "2.8.8",
+    "prettier": "3.0.3",
     "prompts": "2.4.2",
-    "typescript": "5.0.4",
+    "typescript": "5.2.2",
     "uuid": "9.0.0"
-  },
-  "ava": {
-    "failFast": true,
-    "verbose": true
   }
 }

package/src/cli.ts

@@ -12,14 +12,9 @@ import init from "./cli/init/index";
 import { version } from "./cli/init/templates";
 import { RootCmd } from "./cli/root";
 import update from "./cli/update";
-import { Log } from "./lib";
 
 if (process.env.npm_lifecycle_event !== "npx") {
-  Log.error(
-    "Pepr should be run via `npx pepr <command>` instead of `pepr <command>`.",
-    "npx required"
-  );
-  process.exit(1);
+  console.warn("Pepr should be run via `npx pepr <command>` instead of `pepr <command>`.");
 }
 
 const program = new RootCmd();
@@ -32,7 +27,7 @@ program
       console.log(banner);
       program.help();
     } else {
-      Log.error(`Invalid command '${program.args.join(" ")}'\n`);
+      console.error(`Invalid command '${program.args.join(" ")}'\n`);
       program.outputHelp();
       process.exitCode = 1;
     }
@@ -45,8 +40,4 @@ dev(program);
 update(program);
 format(program);
 
-// @todo: finish/re-evaluate these commands
-// test(program);
-// capability(program);
-
 program.parse();

package/src/lib/assets/deploy.ts

@@ -0,0 +1,179 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import {
+  AdmissionregistrationV1Api as AdmissionRegV1API,
+  AppsV1Api,
+  CoreV1Api,
+  HttpError,
+  KubeConfig,
+  RbacAuthorizationV1Api,
+} from "@kubernetes/client-node";
+import crypto from "crypto";
+import { promises as fs } from "fs";
+
+import { Assets } from ".";
+import Log from "../logger";
+import { apiTokenSecret, service, tlsSecret } from "./networking";
+import { deployment, moduleSecret, namespace } from "./pods";
+import { clusterRole, clusterRoleBinding, serviceAccount } from "./rbac";
+import { webhookConfig } from "./webhooks";
+
+export async function deploy(assets: Assets, webhookTimeout?: number) {
+  Log.info("Establishing connection to Kubernetes");
+
+  const peprNS = "pepr-system";
+  const { name, host, path } = assets;
+
+  // Deploy the resources using the k8s API
+  const kubeConfig = new KubeConfig();
+  kubeConfig.loadFromDefault();
+
+  const coreV1Api = kubeConfig.makeApiClient(CoreV1Api);
+  const admissionApi = kubeConfig.makeApiClient(AdmissionRegV1API);
+
+  try {
+    Log.info("Checking for namespace");
+    await coreV1Api.readNamespace(peprNS);
+  } catch (e) {
+    Log.debug(e instanceof HttpError ? e.body : e);
+    Log.info("Creating namespace");
+    await coreV1Api.createNamespace(namespace);
+  }
+
+  // Create the mutating webhook configuration if it is needed
+  const mutateWebhook = await webhookConfig(assets, "mutate", webhookTimeout);
+  if (mutateWebhook) {
+    try {
+      Log.info("Creating mutating webhook");
+      await admissionApi.createMutatingWebhookConfiguration(mutateWebhook);
+    } catch (e) {
+      Log.debug(e instanceof HttpError ? e.body : e);
+      Log.info("Removing and re-creating mutating webhook");
+      await admissionApi.deleteMutatingWebhookConfiguration(mutateWebhook.metadata?.name ?? "");
+      await admissionApi.createMutatingWebhookConfiguration(mutateWebhook);
+    }
+  }
+
+  // Create the validating webhook configuration if it is needed
+  const validateWebhook = await webhookConfig(assets, "validate", webhookTimeout);
+  if (validateWebhook) {
+    try {
+      Log.info("Creating validating webhook");
+      await admissionApi.createValidatingWebhookConfiguration(validateWebhook);
+    } catch (e) {
+      Log.debug(e instanceof HttpError ? e.body : e);
+      Log.info("Removing and re-creating validating webhook");
+      await admissionApi.deleteValidatingWebhookConfiguration(validateWebhook.metadata?.name ?? "");
+      await admissionApi.createValidatingWebhookConfiguration(validateWebhook);
+    }
+  }
+
+  // If a host is specified, we don't need to deploy the rest of the resources
+  if (host) {
+    return;
+  }
+
+  if (!path) {
+    throw new Error("No code provided");
+  }
+
+  const code = await fs.readFile(path);
+
+  const hash = crypto.createHash("sha256").update(code).digest("hex");
+
+  const appsApi = kubeConfig.makeApiClient(AppsV1Api);
+  const rbacApi = kubeConfig.makeApiClient(RbacAuthorizationV1Api);
+
+  const crb = clusterRoleBinding(name);
+  try {
+    Log.info("Creating cluster role binding");
+    await rbacApi.createClusterRoleBinding(crb);
+  } catch (e) {
+    Log.debug(e instanceof HttpError ? e.body : e);
+    Log.info("Removing and re-creating cluster role binding");
+    await rbacApi.deleteClusterRoleBinding(crb.metadata?.name ?? "");
+    await rbacApi.createClusterRoleBinding(crb);
+  }
+
+  const cr = clusterRole(name);
+  try {
+    Log.info("Creating cluster role");
+    await rbacApi.createClusterRole(cr);
+  } catch (e) {
+    Log.debug(e instanceof HttpError ? e.body : e);
+    Log.info("Removing and re-creating  the cluster role");
+    try {
+      await rbacApi.deleteClusterRole(cr.metadata?.name ?? "");
+      await rbacApi.createClusterRole(cr);
+    } catch (e) {
+      Log.debug(e instanceof HttpError ? e.body : e);
+    }
+  }
+
+  const sa = serviceAccount(name);
+  try {
+    Log.info("Creating service account");
+    await coreV1Api.createNamespacedServiceAccount(peprNS, sa);
+  } catch (e) {
+    Log.debug(e instanceof HttpError ? e.body : e);
+    Log.info("Removing and re-creating service account");
+    await coreV1Api.deleteNamespacedServiceAccount(sa.metadata?.name ?? "", peprNS);
+    await coreV1Api.createNamespacedServiceAccount(peprNS, sa);
+  }
+
+  const mod = moduleSecret(name, code, hash);
+  try {
+    Log.info("Creating module secret");
+    await coreV1Api.createNamespacedSecret(peprNS, mod);
+  } catch (e) {
+    Log.debug(e instanceof HttpError ? e.body : e);
+    Log.info("Removing and re-creating module secret");
+    await coreV1Api.deleteNamespacedSecret(mod.metadata?.name ?? "", peprNS);
+    await coreV1Api.createNamespacedSecret(peprNS, mod);
+  }
+
+  const svc = service(name);
+  try {
+    Log.info("Creating service");
+    await coreV1Api.createNamespacedService(peprNS, svc);
+  } catch (e) {
+    Log.debug(e instanceof HttpError ? e.body : e);
+    Log.info("Removing and re-creating service");
+    await coreV1Api.deleteNamespacedService(svc.metadata?.name ?? "", peprNS);
+    await coreV1Api.createNamespacedService(peprNS, svc);
+  }
+
+  const tls = tlsSecret(name, assets.tls);
+  try {
+    Log.info("Creating TLS secret");
+    await coreV1Api.createNamespacedSecret(peprNS, tls);
+  } catch (e) {
+    Log.debug(e instanceof HttpError ? e.body : e);
+    Log.info("Removing and re-creating TLS secret");
+    await coreV1Api.deleteNamespacedSecret(tls.metadata?.name ?? "", peprNS);
+    await coreV1Api.createNamespacedSecret(peprNS, tls);
+  }
+
+  const apiToken = apiTokenSecret(name, assets.apiToken);
+  try {
+    Log.info("Creating API token secret");
+    await coreV1Api.createNamespacedSecret(peprNS, apiToken);
+  } catch (e) {
+    Log.debug(e instanceof HttpError ? e.body : e);
+    Log.info("Removing and re-creating API token secret");
+    await coreV1Api.deleteNamespacedSecret(apiToken.metadata?.name ?? "", peprNS);
+    await coreV1Api.createNamespacedSecret(peprNS, apiToken);
+  }
+
+  const dep = deployment(assets, hash);
+  try {
+    Log.info("Creating deployment");
+    await appsApi.createNamespacedDeployment(peprNS, dep);
+  } catch (e) {
+    Log.debug(e instanceof HttpError ? e.body : e);
+    Log.info("Removing and re-creating deployment");
+    await appsApi.deleteNamespacedDeployment(dep.metadata?.name ?? "", peprNS);
+    await appsApi.createNamespacedDeployment(peprNS, dep);
+  }
+}