pepr 0.13.4 → 0.14.0

package/dist/cli.js

@@ -112,10 +112,10 @@ var import_path = require("path");
 // src/lib/assets/index.ts
 var import_crypto3 = __toESM(require("crypto"));
 
-// src/lib/k8s/tls.ts
+// src/lib/tls.ts
 var import_node_forge = __toESM(require("node-forge"));
 var caName = "Pepr Ephemeral CA";
-function genTLS(name) {
+function genTLS(name2) {
   const caKeys = import_node_forge.default.pki.rsa.generateKeyPair(2048);
   const caCert = genCert(caKeys, caName, [{ name: "commonName", value: caName }]);
   caCert.setExtensions([
@@ -133,7 +133,7 @@ function genTLS(name) {
     }
   ]);
   const serverKeys = import_node_forge.default.pki.rsa.generateKeyPair(2048);
-  const serverCert = genCert(serverKeys, name, caCert.subject.attributes);
+  const serverCert = genCert(serverKeys, name2, caCert.subject.attributes);
   caCert.sign(caKeys.privateKey, import_node_forge.default.md.sha256.create());
   serverCert.sign(caKeys.privateKey, import_node_forge.default.md.sha256.create());
   const pem = {
@@ -146,7 +146,7 @@ function genTLS(name) {
   const crt = Buffer.from(pem.crt).toString("base64");
   return { ca, key, crt, pem };
 }
-function genCert(key, name, issuer) {
+function genCert(key, name2, issuer) {
   const crt = import_node_forge.default.pki.createCertificate();
   crt.publicKey = key.publicKey;
   crt.serialNumber = "01";
@@ -160,7 +160,7 @@ function genCert(key, name, issuer) {
         {
           type: 2,
           // DNS
-          value: name
+          value: name2
         }
       ]
     }
@@ -170,9 +170,9 @@ function genCert(key, name, issuer) {
 }
 
 // src/lib/assets/deploy.ts
-var import_client_node = require("@kubernetes/client-node");
 var import_crypto = __toESM(require("crypto"));
 var import_fs = require("fs");
+var import_kubernetes_fluent_client2 = require("kubernetes-fluent-client");
 
 // src/lib/logger.ts
 var import_pino = require("pino");
@@ -193,12 +193,12 @@ if (process.env.LOG_LEVEL) {
 var logger_default = Log;
 
 // src/lib/assets/networking.ts
-function apiTokenSecret(name, apiToken) {
+function apiTokenSecret(name2, apiToken) {
   return {
     apiVersion: "v1",
     kind: "Secret",
     metadata: {
-      name: `${name}-api-token`,
+      name: `${name2}-api-token`,
       namespace: "pepr-system"
     },
     type: "Opaque",
@@ -207,12 +207,12 @@ function apiTokenSecret(name, apiToken) {
     }
   };
 }
-function tlsSecret(name, tls) {
+function tlsSecret(name2, tls) {
   return {
     apiVersion: "v1",
     kind: "Secret",
     metadata: {
-      name: `${name}-tls`,
+      name: `${name2}-tls`,
       namespace: "pepr-system"
     },
     type: "kubernetes.io/tls",
@@ -222,17 +222,38 @@ function tlsSecret(name, tls) {
     }
   };
 }
-function service(name) {
+function service(name2) {
+  return {
+    apiVersion: "v1",
+    kind: "Service",
+    metadata: {
+      name: name2,
+      namespace: "pepr-system"
+    },
+    spec: {
+      selector: {
+        app: name2
+      },
+      ports: [
+        {
+          port: 443,
+          targetPort: 3e3
+        }
+      ]
+    }
+  };
+}
+function watcherService(name2) {
   return {
     apiVersion: "v1",
     kind: "Service",
     metadata: {
-      name,
+      name: `${name2}-watcher`,
       namespace: "pepr-system"
     },
     spec: {
       selector: {
-        app: name
+        app: `${name2}-watcher`
       },
       ports: [
         {
@@ -251,21 +272,32 @@ var namespace = {
   kind: "Namespace",
   metadata: { name: "pepr-system" }
 };
-function deployment(assets, hash) {
-  const { name, image } = assets;
-  const app = name;
+function watcher(assets, hash) {
+  const { name: name2, image, capabilities, config } = assets;
+  const app = `${name2}-watcher`;
+  const bindings = [];
+  for (const capability of capabilities) {
+    const watchers = capability.bindings.filter((binding) => binding.isWatch);
+    bindings.push(...watchers);
+  }
+  if (bindings.length < 1) {
+    return null;
+  }
   return {
     apiVersion: "apps/v1",
     kind: "Deployment",
     metadata: {
-      name,
+      name: app,
       namespace: "pepr-system",
       labels: {
         app
       }
     },
     spec: {
-      replicas: 2,
+      replicas: 1,
+      strategy: {
+        type: "Recreate"
+      },
       selector: {
         matchLabels: {
           app
@@ -278,11 +310,10 @@ function deployment(assets, hash) {
           }
         },
         spec: {
-          priorityClassName: "system-node-critical",
-          serviceAccountName: name,
+          serviceAccountName: name2,
           containers: [
             {
-              name: "server",
+              name: "watcher",
               image,
               imagePullPolicy: "IfNotPresent",
               command: ["node", "/app/node_modules/pepr/dist/controller.js", hash],
@@ -305,10 +336,106 @@ function deployment(assets, hash) {
                   containerPort: 3e3
                 }
               ],
+              resources: {
+                requests: {
+                  memory: "64Mi",
+                  cpu: "100m"
+                },
+                limits: {
+                  memory: "256Mi",
+                  cpu: "500m"
+                }
+              },
+              volumeMounts: [
+                {
+                  name: "tls-certs",
+                  mountPath: "/etc/certs",
+                  readOnly: true
+                },
+                {
+                  name: "module",
+                  mountPath: `/app/load`,
+                  readOnly: true
+                }
+              ],
               env: [
+                { name: "PEPR_WATCH_MODE", value: "true" },
+                { name: "PEPR_PRETTY_LOG", value: "false" },
+                { name: "LOG_LEVEL", value: config.logLevel || "debug" }
+              ]
+            }
+          ],
+          volumes: [
+            {
+              name: "tls-certs",
+              secret: {
+                secretName: `${name2}-tls`
+              }
+            },
+            {
+              name: "module",
+              secret: {
+                secretName: `${name2}-module`
+              }
+            }
+          ]
+        }
+      }
+    }
+  };
+}
+function deployment(assets, hash) {
+  const { name: name2, image, config } = assets;
+  const app = name2;
+  return {
+    apiVersion: "apps/v1",
+    kind: "Deployment",
+    metadata: {
+      name: name2,
+      namespace: "pepr-system",
+      labels: {
+        app
+      }
+    },
+    spec: {
+      replicas: 2,
+      selector: {
+        matchLabels: {
+          app
+        }
+      },
+      template: {
+        metadata: {
+          labels: {
+            app
+          }
+        },
+        spec: {
+          priorityClassName: "system-node-critical",
+          serviceAccountName: name2,
+          containers: [
+            {
+              name: "server",
+              image,
+              imagePullPolicy: "IfNotPresent",
+              command: ["node", "/app/node_modules/pepr/dist/controller.js", hash],
+              readinessProbe: {
+                httpGet: {
+                  path: "/healthz",
+                  port: 3e3,
+                  scheme: "HTTPS"
+                }
+              },
+              livenessProbe: {
+                httpGet: {
+                  path: "/healthz",
+                  port: 3e3,
+                  scheme: "HTTPS"
+                }
+              },
+              ports: [
                 {
-                  name: "PEPR_PRETTY_LOG",
-                  value: "false"
+                  containerPort: 3e3
                 }
               ],
               resources: {
@@ -321,6 +448,10 @@ function deployment(assets, hash) {
                   cpu: "500m"
                 }
               },
+              env: [
+                { name: "PEPR_PRETTY_LOG", value: "false" },
+                { name: "LOG_LEVEL", value: config.logLevel || "debug" }
+              ],
               volumeMounts: [
                 {
                   name: "tls-certs",
@@ -344,19 +475,19 @@ function deployment(assets, hash) {
             {
               name: "tls-certs",
               secret: {
-                secretName: `${name}-tls`
+                secretName: `${name2}-tls`
               }
             },
             {
               name: "api-token",
               secret: {
-                secretName: `${name}-api-token`
+                secretName: `${name2}-api-token`
               }
             },
             {
               name: "module",
               secret: {
-                secretName: `${name}-module`
+                secretName: `${name2}-module`
               }
             }
           ]
@@ -365,14 +496,14 @@ function deployment(assets, hash) {
     }
   };
 }
-function moduleSecret(name, data, hash) {
+function moduleSecret(name2, data, hash) {
   const compressed = (0, import_zlib.gzipSync)(data);
   const path = `module-${hash}.js.gz`;
   return {
     apiVersion: "v1",
     kind: "Secret",
     metadata: {
-      name: `${name}-module`,
+      name: `${name2}-module`,
       namespace: "pepr-system"
     },
     type: "Opaque",
@@ -383,11 +514,11 @@ function moduleSecret(name, data, hash) {
 }
 
 // src/lib/assets/rbac.ts
-function clusterRole(name) {
+function clusterRole(name2) {
   return {
     apiVersion: "rbac.authorization.k8s.io/v1",
     kind: "ClusterRole",
-    metadata: { name },
+    metadata: { name: name2 },
     rules: [
       {
         // @todo: make this configurable
@@ -398,35 +529,125 @@ function clusterRole(name) {
     ]
   };
 }
-function clusterRoleBinding(name) {
+function clusterRoleBinding(name2) {
   return {
     apiVersion: "rbac.authorization.k8s.io/v1",
     kind: "ClusterRoleBinding",
-    metadata: { name },
+    metadata: { name: name2 },
     roleRef: {
       apiGroup: "rbac.authorization.k8s.io",
       kind: "ClusterRole",
-      name
+      name: name2
     },
     subjects: [
       {
         kind: "ServiceAccount",
-        name,
+        name: name2,
         namespace: "pepr-system"
       }
     ]
   };
 }
-function serviceAccount(name) {
+function serviceAccount(name2) {
   return {
     apiVersion: "v1",
     kind: "ServiceAccount",
     metadata: {
-      name,
+      name: name2,
       namespace: "pepr-system"
     }
   };
 }
+function storeRole(name2) {
+  name2 = `${name2}-store`;
+  return {
+    apiVersion: "rbac.authorization.k8s.io/v1",
+    kind: "Role",
+    metadata: { name: name2, namespace: "pepr-system" },
+    rules: [
+      {
+        apiGroups: ["pepr.dev/*"],
+        resources: ["peprstores"],
+        resourceNames: [""],
+        verbs: ["create", "get", "patch", "watch"]
+      }
+    ]
+  };
+}
+function storeRoleBinding(name2) {
+  name2 = `${name2}-store`;
+  return {
+    apiVersion: "rbac.authorization.k8s.io/v1",
+    kind: "RoleBinding",
+    metadata: { name: name2, namespace: "pepr-system" },
+    roleRef: {
+      apiGroup: "rbac.authorization.k8s.io",
+      kind: "Role",
+      name: name2
+    },
+    subjects: [
+      {
+        kind: "ServiceAccount",
+        name: name2,
+        namespace: "pepr-system"
+      }
+    ]
+  };
+}
+
+// src/lib/k8s.ts
+var import_kubernetes_fluent_client = require("kubernetes-fluent-client");
+var PeprStore = class extends import_kubernetes_fluent_client.GenericKind {
+};
+var peprStoreGVK = {
+  kind: "PeprStore",
+  version: "v1",
+  group: "pepr.dev"
+};
+(0, import_kubernetes_fluent_client.RegisterKind)(PeprStore, peprStoreGVK);
+
+// src/lib/assets/store.ts
+var { group, version, kind } = peprStoreGVK;
+var singular = kind.toLocaleLowerCase();
+var plural = `${singular}s`;
+var name = `${plural}.${group}`;
+var peprStoreCRD = {
+  apiVersion: "apiextensions.k8s.io/v1",
+  kind: "CustomResourceDefinition",
+  metadata: {
+    name
+  },
+  spec: {
+    group,
+    versions: [
+      {
+        // typescript doesn't know this is really already set, which is kind of annoying
+        name: version || "v1",
+        served: true,
+        storage: true,
+        schema: {
+          openAPIV3Schema: {
+            type: "object",
+            properties: {
+              data: {
+                type: "object",
+                additionalProperties: {
+                  type: "string"
+                }
+              }
+            }
+          }
+        }
+      }
+    ],
+    scope: "Namespaced",
+    names: {
+      plural,
+      singular,
+      kind
+    }
+  }
+};
 
 // src/lib/assets/webhooks.ts
 var import_ramda = require("ramda");
@@ -442,7 +663,7 @@ async function generateWebhookRules(assets, isMutateWebhook) {
   for (const capability of capabilities) {
     console.info(`Module ${config.uuid} has capability: ${capability.name}`);
     for (const binding of capability.bindings) {
-      const { event, kind, isMutate, isValidate } = binding;
+      const { event, kind: kind3, isMutate, isValidate } = binding;
       if (isMutateWebhook && !isMutate) {
         continue;
       }
@@ -455,10 +676,10 @@ async function generateWebhookRules(assets, isMutateWebhook) {
       } else {
         operations.push(event);
       }
-      const resource = kind.plural || `${kind.kind.toLowerCase()}s`;
+      const resource = kind3.plural || `${kind3.kind.toLowerCase()}s`;
       rules.push({
-        apiGroups: [kind.group],
-        apiVersions: [kind.version || "*"],
+        apiGroups: [kind3.group],
+        apiVersions: [kind3.version || "*"],
         operations,
         resources: [resource]
       });
@@ -468,7 +689,7 @@ async function generateWebhookRules(assets, isMutateWebhook) {
 }
 async function webhookConfig(assets, mutateOrValidate, timeoutSeconds = 10) {
   const ignore = [peprIgnoreLabel];
-  const { name, tls, config, apiToken, host } = assets;
+  const { name: name2, tls, config, apiToken, host } = assets;
   const ignoreNS = (0, import_ramda.concat)(peprIgnoreNamespaces, config.alwaysIgnore.namespaces || []);
   if (ignoreNS) {
     ignore.push({
@@ -485,7 +706,7 @@ async function webhookConfig(assets, mutateOrValidate, timeoutSeconds = 10) {
     clientConfig.url = `https://${host}:3000${apiPath}`;
   } else {
     clientConfig.service = {
-      name,
+      name: name2,
       namespace: "pepr-system",
       path: apiPath
     };
@@ -498,10 +719,10 @@ async function webhookConfig(assets, mutateOrValidate, timeoutSeconds = 10) {
   return {
     apiVersion: "admissionregistration.k8s.io/v1",
     kind: isMutate ? "MutatingWebhookConfiguration" : "ValidatingWebhookConfiguration",
-    metadata: { name },
+    metadata: { name: name2 },
     webhooks: [
       {
-        name: `${name}.pepr.dev`,
+        name: `${name2}.pepr.dev`,
         admissionReviewVersions: ["v1", "v1beta1"],
         clientConfig,
         failurePolicy: "Ignore",
@@ -524,137 +745,82 @@ async function webhookConfig(assets, mutateOrValidate, timeoutSeconds = 10) {
 // src/lib/assets/deploy.ts
 async function deploy(assets, webhookTimeout) {
   logger_default.info("Establishing connection to Kubernetes");
-  const peprNS = "pepr-system";
-  const { name, host, path } = assets;
-  const kubeConfig = new import_client_node.KubeConfig();
-  kubeConfig.loadFromDefault();
-  const coreV1Api = kubeConfig.makeApiClient(import_client_node.CoreV1Api);
-  const admissionApi = kubeConfig.makeApiClient(import_client_node.AdmissionregistrationV1Api);
-  try {
-    logger_default.info("Checking for namespace");
-    await coreV1Api.readNamespace(peprNS);
-  } catch (e) {
-    logger_default.debug(e instanceof import_client_node.HttpError ? e.body : e);
-    logger_default.info("Creating namespace");
-    await coreV1Api.createNamespace(namespace);
-  }
+  const { name: name2, host, path } = assets;
+  logger_default.info("Applying pepr-system namespace");
+  await (0, import_kubernetes_fluent_client2.K8s)(import_kubernetes_fluent_client2.kind.Namespace).Apply(namespace);
   const mutateWebhook = await webhookConfig(assets, "mutate", webhookTimeout);
   if (mutateWebhook) {
-    try {
-      logger_default.info("Creating mutating webhook");
-      await admissionApi.createMutatingWebhookConfiguration(mutateWebhook);
-    } catch (e) {
-      logger_default.debug(e instanceof import_client_node.HttpError ? e.body : e);
-      logger_default.info("Removing and re-creating mutating webhook");
-      await admissionApi.deleteMutatingWebhookConfiguration(mutateWebhook.metadata?.name ?? "");
-      await admissionApi.createMutatingWebhookConfiguration(mutateWebhook);
-    }
+    logger_default.info("Applying mutating webhook");
+    await (0, import_kubernetes_fluent_client2.K8s)(import_kubernetes_fluent_client2.kind.MutatingWebhookConfiguration).Apply(mutateWebhook);
+  } else {
+    logger_default.info("Mutating webhook not needed, removing if it exists");
+    await (0, import_kubernetes_fluent_client2.K8s)(import_kubernetes_fluent_client2.kind.MutatingWebhookConfiguration).Delete(name2);
   }
   const validateWebhook = await webhookConfig(assets, "validate", webhookTimeout);
   if (validateWebhook) {
-    try {
-      logger_default.info("Creating validating webhook");
-      await admissionApi.createValidatingWebhookConfiguration(validateWebhook);
-    } catch (e) {
-      logger_default.debug(e instanceof import_client_node.HttpError ? e.body : e);
-      logger_default.info("Removing and re-creating validating webhook");
-      await admissionApi.deleteValidatingWebhookConfiguration(validateWebhook.metadata?.name ?? "");
-      await admissionApi.createValidatingWebhookConfiguration(validateWebhook);
-    }
+    logger_default.info("Applying validating webhook");
+    await (0, import_kubernetes_fluent_client2.K8s)(import_kubernetes_fluent_client2.kind.ValidatingWebhookConfiguration).Apply(validateWebhook);
+  } else {
+    logger_default.info("Validating webhook not needed, removing if it exists");
+    await (0, import_kubernetes_fluent_client2.K8s)(import_kubernetes_fluent_client2.kind.ValidatingWebhookConfiguration).Delete(name2);
   }
+  logger_default.info("Applying the Pepr Store CRD if it doesn't exist");
+  await (0, import_kubernetes_fluent_client2.K8s)(import_kubernetes_fluent_client2.kind.CustomResourceDefinition).Apply(peprStoreCRD);
   if (host) {
     return;
   }
-  if (!path) {
-    throw new Error("No code provided");
-  }
   const code = await import_fs.promises.readFile(path);
   const hash = import_crypto.default.createHash("sha256").update(code).digest("hex");
-  const appsApi = kubeConfig.makeApiClient(import_client_node.AppsV1Api);
-  const rbacApi = kubeConfig.makeApiClient(import_client_node.RbacAuthorizationV1Api);
-  const crb = clusterRoleBinding(name);
-  try {
-    logger_default.info("Creating cluster role binding");
-    await rbacApi.createClusterRoleBinding(crb);
-  } catch (e) {
-    logger_default.debug(e instanceof import_client_node.HttpError ? e.body : e);
-    logger_default.info("Removing and re-creating cluster role binding");
-    await rbacApi.deleteClusterRoleBinding(crb.metadata?.name ?? "");
-    await rbacApi.createClusterRoleBinding(crb);
-  }
-  const cr = clusterRole(name);
-  try {
-    logger_default.info("Creating cluster role");
-    await rbacApi.createClusterRole(cr);
-  } catch (e) {
-    logger_default.debug(e instanceof import_client_node.HttpError ? e.body : e);
-    logger_default.info("Removing and re-creating  the cluster role");
-    try {
-      await rbacApi.deleteClusterRole(cr.metadata?.name ?? "");
-      await rbacApi.createClusterRole(cr);
-    } catch (e2) {
-      logger_default.debug(e2 instanceof import_client_node.HttpError ? e2.body : e2);
-    }
-  }
-  const sa = serviceAccount(name);
-  try {
-    logger_default.info("Creating service account");
-    await coreV1Api.createNamespacedServiceAccount(peprNS, sa);
-  } catch (e) {
-    logger_default.debug(e instanceof import_client_node.HttpError ? e.body : e);
-    logger_default.info("Removing and re-creating service account");
-    await coreV1Api.deleteNamespacedServiceAccount(sa.metadata?.name ?? "", peprNS);
-    await coreV1Api.createNamespacedServiceAccount(peprNS, sa);
-  }
-  const mod = moduleSecret(name, code, hash);
-  try {
-    logger_default.info("Creating module secret");
-    await coreV1Api.createNamespacedSecret(peprNS, mod);
-  } catch (e) {
-    logger_default.debug(e instanceof import_client_node.HttpError ? e.body : e);
-    logger_default.info("Removing and re-creating module secret");
-    await coreV1Api.deleteNamespacedSecret(mod.metadata?.name ?? "", peprNS);
-    await coreV1Api.createNamespacedSecret(peprNS, mod);
-  }
-  const svc = service(name);
-  try {
-    logger_default.info("Creating service");
-    await coreV1Api.createNamespacedService(peprNS, svc);
-  } catch (e) {
-    logger_default.debug(e instanceof import_client_node.HttpError ? e.body : e);
-    logger_default.info("Removing and re-creating service");
-    await coreV1Api.deleteNamespacedService(svc.metadata?.name ?? "", peprNS);
-    await coreV1Api.createNamespacedService(peprNS, svc);
-  }
-  const tls = tlsSecret(name, assets.tls);
-  try {
-    logger_default.info("Creating TLS secret");
-    await coreV1Api.createNamespacedSecret(peprNS, tls);
-  } catch (e) {
-    logger_default.debug(e instanceof import_client_node.HttpError ? e.body : e);
-    logger_default.info("Removing and re-creating TLS secret");
-    await coreV1Api.deleteNamespacedSecret(tls.metadata?.name ?? "", peprNS);
-    await coreV1Api.createNamespacedSecret(peprNS, tls);
-  }
-  const apiToken = apiTokenSecret(name, assets.apiToken);
-  try {
-    logger_default.info("Creating API token secret");
-    await coreV1Api.createNamespacedSecret(peprNS, apiToken);
-  } catch (e) {
-    logger_default.debug(e instanceof import_client_node.HttpError ? e.body : e);
-    logger_default.info("Removing and re-creating API token secret");
-    await coreV1Api.deleteNamespacedSecret(apiToken.metadata?.name ?? "", peprNS);
-    await coreV1Api.createNamespacedSecret(peprNS, apiToken);
+  if (code.length < 1) {
+    throw new Error("No code provided");
   }
+  await setupRBAC(name2);
+  await setupController(assets, code, hash);
+  await setupWatcher(assets, hash);
+}
+async function setupRBAC(name2) {
+  logger_default.info("Applying cluster role binding");
+  const crb = clusterRoleBinding(name2);
+  await (0, import_kubernetes_fluent_client2.K8s)(import_kubernetes_fluent_client2.kind.ClusterRoleBinding).Apply(crb);
+  logger_default.info("Applying cluster role");
+  const cr = clusterRole(name2);
+  await (0, import_kubernetes_fluent_client2.K8s)(import_kubernetes_fluent_client2.kind.ClusterRole).Apply(cr);
+  logger_default.info("Applying service account");
+  const sa = serviceAccount(name2);
+  await (0, import_kubernetes_fluent_client2.K8s)(import_kubernetes_fluent_client2.kind.ServiceAccount).Apply(sa);
+  logger_default.info("Applying store role");
+  const role = storeRole(name2);
+  await (0, import_kubernetes_fluent_client2.K8s)(import_kubernetes_fluent_client2.kind.Role).Apply(role);
+  logger_default.info("Applying store role binding");
+  const roleBinding = storeRoleBinding(name2);
+  await (0, import_kubernetes_fluent_client2.K8s)(import_kubernetes_fluent_client2.kind.RoleBinding).Apply(roleBinding);
+}
+async function setupController(assets, code, hash) {
+  const { name: name2 } = assets;
+  logger_default.info("Applying module secret");
+  const mod = moduleSecret(name2, code, hash);
+  await (0, import_kubernetes_fluent_client2.K8s)(import_kubernetes_fluent_client2.kind.Secret).Apply(mod);
+  logger_default.info("Applying controller service");
+  const svc = service(name2);
+  await (0, import_kubernetes_fluent_client2.K8s)(import_kubernetes_fluent_client2.kind.Service).Apply(svc);
+  logger_default.info("Applying TLS secret");
+  const tls = tlsSecret(name2, assets.tls);
+  await (0, import_kubernetes_fluent_client2.K8s)(import_kubernetes_fluent_client2.kind.Secret).Apply(tls);
+  logger_default.info("Applying API token secret");
+  const apiToken = apiTokenSecret(name2, assets.apiToken);
+  await (0, import_kubernetes_fluent_client2.K8s)(import_kubernetes_fluent_client2.kind.Secret).Apply(apiToken);
+  logger_default.info("Applying deployment");
   const dep = deployment(assets, hash);
-  try {
-    logger_default.info("Creating deployment");
-    await appsApi.createNamespacedDeployment(peprNS, dep);
-  } catch (e) {
-    logger_default.debug(e instanceof import_client_node.HttpError ? e.body : e);
-    logger_default.info("Removing and re-creating deployment");
-    await appsApi.deleteNamespacedDeployment(dep.metadata?.name ?? "", peprNS);
-    await appsApi.createNamespacedDeployment(peprNS, dep);
+  await (0, import_kubernetes_fluent_client2.K8s)(import_kubernetes_fluent_client2.kind.Deployment).Apply(dep);
+}
+async function setupWatcher(assets, hash) {
+  const watchDeployment = watcher(assets, hash);
+  if (watchDeployment) {
+    logger_default.info("Applying watcher deployment");
+    await (0, import_kubernetes_fluent_client2.K8s)(import_kubernetes_fluent_client2.kind.Deployment).Apply(watchDeployment);
+    logger_default.info("Applying watcher service");
+    const watchSvc = watcherService(assets.name);
+    await (0, import_kubernetes_fluent_client2.K8s)(import_kubernetes_fluent_client2.kind.Service).Apply(watchSvc);
   }
 }
 
@@ -683,14 +849,14 @@ function loadCapabilities(path) {
 }
 
 // src/lib/assets/yaml.ts
-var import_client_node2 = require("@kubernetes/client-node");
+var import_client_node = require("@kubernetes/client-node");
 var import_crypto2 = __toESM(require("crypto"));
 var import_fs2 = require("fs");
-function zarfYaml({ name, image, config }, path) {
+function zarfYaml({ name: name2, image, config }, path) {
   const zarfCfg = {
     kind: "ZarfPackageConfig",
     metadata: {
-      name,
+      name: name2,
       description: `Pepr Module: ${config.description}`,
       url: "https://github.com/defenseunicorns/pepr",
       version: `${config.appVersion || "0.0.1"}`
@@ -710,24 +876,29 @@ function zarfYaml({ name, image, config }, path) {
       }
     ]
   };
-  return (0, import_client_node2.dumpYaml)(zarfCfg, { noRefs: true });
+  return (0, import_client_node.dumpYaml)(zarfCfg, { noRefs: true });
 }
 async function allYaml(assets) {
-  const { name, tls, apiToken, path } = assets;
+  const { name: name2, tls, apiToken, path } = assets;
   const code = await import_fs2.promises.readFile(path);
   const hash = import_crypto2.default.createHash("sha256").update(code).digest("hex");
   const mutateWebhook = await webhookConfig(assets, "mutate");
   const validateWebhook = await webhookConfig(assets, "validate");
+  const watchDeployment = watcher(assets, hash);
   const resources = [
     namespace,
-    clusterRole(name),
-    clusterRoleBinding(name),
-    serviceAccount(name),
-    apiTokenSecret(name, apiToken),
-    tlsSecret(name, tls),
+    clusterRole(name2),
+    clusterRoleBinding(name2),
+    serviceAccount(name2),
+    apiTokenSecret(name2, apiToken),
+    tlsSecret(name2, tls),
     deployment(assets, hash),
-    service(name),
-    moduleSecret(name, code, hash)
+    service(name2),
+    watcherService(name2),
+    moduleSecret(name2, code, hash),
+    peprStoreCRD,
+    storeRole(name2),
+    storeRoleBinding(name2)
   ];
   if (mutateWebhook) {
     resources.push(mutateWebhook);
@@ -735,7 +906,10 @@ async function allYaml(assets) {
   if (validateWebhook) {
     resources.push(validateWebhook);
   }
-  return resources.map((r) => (0, import_client_node2.dumpYaml)(r, { noRefs: true })).join("---\n");
+  if (watchDeployment) {
+    resources.push(watchDeployment);
+  }
+  return resources.map((r) => (0, import_client_node.dumpYaml)(r, { noRefs: true })).join("---\n");
 }
 
 // src/lib/assets/index.ts
@@ -744,9 +918,6 @@ var Assets = class {
     this.config = config;
     this.path = path;
     this.host = host;
-    this.deploy = this.deploy.bind(this);
-    this.zarfYaml = this.zarfYaml.bind(this);
-    this.allYaml = this.allYaml.bind(this);
     this.name = `pepr-${config.uuid}`;
     this.image = `ghcr.io/defenseunicorns/pepr/controller:v${config.peprVersion}`;
     this.tls = genTLS(this.host || `${this.name}.pepr-system.svc`);
@@ -757,21 +928,19 @@ var Assets = class {
   apiToken;
   capabilities;
   image;
-  async deploy(webhookTimeout) {
+  deploy = async (webhookTimeout) => {
     this.capabilities = await loadCapabilities(this.path);
     await deploy(this, webhookTimeout);
-  }
-  zarfYaml(path) {
-    return zarfYaml(this, path);
-  }
-  async allYaml() {
+  };
+  zarfYaml = (path) => zarfYaml(this, path);
+  allYaml = async () => {
     this.capabilities = await loadCapabilities(this.path);
     return allYaml(this);
-  }
+  };
 };
 
 // src/cli/init/templates.ts
-var import_client_node3 = require("@kubernetes/client-node");
+var import_client_node2 = require("@kubernetes/client-node");
 var import_util = require("util");
 var import_uuid = require("uuid");
 
@@ -976,8 +1145,8 @@ var hello_pepr_samples_default = [
 var gitIgnore = "# Ignore node_modules and Pepr build artifacts\nnode_modules\ndist\ninsecure*\n";
 var readmeMd = '# Pepr Module\n\nThis is a Pepr Module. [Pepr](https://github.com/defenseunicorns/pepr) is a type-safe Kubernetes middleware system.\n\nThe `capabilities` directory contains all the capabilities for this module. By default,\na capability is a single typescript file in the format of `capability-name.ts` that is\nimported in the root `pepr.ts` file as `import { HelloPepr } from "./capabilities/hello-pepr";`.\nBecause this is typescript, you can organize this however you choose, e.g. creating a sub-folder\nper-capability or common logic in shared files or folders.\n\nExample Structure:\n\n```\nModule Root\n\u251C\u2500\u2500 package.json\n\u251C\u2500\u2500 pepr.ts\n\u2514\u2500\u2500 capabilities\n    \u251C\u2500\u2500 example-one.ts\n    \u251C\u2500\u2500 example-three.ts\n    \u2514\u2500\u2500 example-two.ts\n```\n';
 var peprTS = 'import { PeprModule } from "pepr";\n// cfg loads your pepr configuration from package.json\nimport cfg from "./package.json";\n\n// HelloPepr is a demo capability that is included with Pepr. Comment or delete the line below to remove it.\nimport { HelloPepr } from "./capabilities/hello-pepr";\n\n/**\n * This is the main entrypoint for this Pepr module. It is run when the module is started.\n * This is where you register your Pepr configurations and capabilities.\n */\nnew PeprModule(cfg, [\n  // "HelloPepr" is a demo capability that is included with Pepr. Comment or delete the line below to remove it.\n  HelloPepr,\n\n  // Your additional capabilities go here\n]);\n';
-var helloPeprTS = 'import {\n  Capability,\n  Log,\n  PeprMutateRequest,\n  RegisterKind,\n  a,\n  fetch,\n  fetchStatus,\n} from "pepr";\n\n/**\n *  The HelloPepr Capability is an example capability to demonstrate some general concepts of Pepr.\n *  To test this capability you run `pepr dev`and then run the following command:\n *  `kubectl apply -f capabilities/hello-pepr.samples.yaml`\n */\nexport const HelloPepr = new Capability({\n  name: "hello-pepr",\n  description: "A simple example capability to show how things work.",\n  namespaces: ["pepr-demo", "pepr-demo-2"],\n});\n\n// Use the \'When\' function to create a new Action\nconst { When } = HelloPepr;\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (Namespace)                                   *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action removes the label `remove-me` when a Namespace is created.\n * Note we don\'t need to specify the namespace here, because we\'ve already specified\n * it in the Capability definition above.\n */\nWhen(a.Namespace)\n  .IsCreated()\n  .Mutate(ns => ns.RemoveLabel("remove-me"));\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 1)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This is a single action. They can be in the same file or put imported from other files.\n * In this example, when a ConfigMap is created with the name `example-1`, then add a label and annotation.\n *\n * Equivalent to manually running:\n * `kubectl label configmap example-1 pepr=was-here`\n * `kubectl annotate configmap example-1 pepr.dev=annotations-work-too`\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .WithName("example-1")\n  .Mutate(request => {\n    request\n      .SetLabel("pepr", "was-here")\n      .SetAnnotation("pepr.dev", "annotations-work-too");\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate & Validate Actions (CM Example 2)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This combines 2 different types of actions: \'Mutate\', and \'Validate\'. The order\n * of the actions is required, but each action is optional. In this example, when a ConfigMap is created\n * with the name `example-2`, then add a label and annotation and finally validate that the ConfigMap has the label\n * `pepr`.\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .WithName("example-2")\n  .Mutate(request => {\n    // This Mutate Action will mutate the request before it is persisted to the cluster\n\n    // Use `request.Merge()` to merge the new data with the existing data\n    request.Merge({\n      metadata: {\n        labels: {\n          pepr: "was-here",\n        },\n        annotations: {\n          "pepr.dev": "annotations-work-too",\n        },\n      },\n    });\n  })\n  .Validate(request => {\n    // This Validate Action will validate the request before it is persisted to the cluster\n\n    // Approve the request if the ConfigMap has the label \'pepr\'\n    if (request.HasLabel("pepr")) {\n      return request.Approve();\n    }\n\n    // Otherwise, deny the request with an error message (optional)\n    return request.Deny("ConfigMap must have label \'pepr\'");\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 2a)                               *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action shows a simple validation that will deny any ConfigMap that has the\n * annotation `evil`. Note that the `Deny()` function takes an optional second parameter that is a\n * user-defined status code to return.\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .Validate(request => {\n    if (request.HasAnnotation("evil")) {\n      return request.Deny("No evil CM annotations allowed.", 400);\n    }\n\n    return request.Approve();\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 3)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action combines different styles. Unlike the previous actions, this one will look\n * for any ConfigMap in the `pepr-demo` namespace that has the label `change=by-label` during either\n * CREATE or UPDATE. Note that all conditions added such as `WithName()`, `WithLabel()`, `InNamespace()`,\n * are ANDs so all conditions must be true for the request to be processed.\n */\nWhen(a.ConfigMap)\n  .IsCreatedOrUpdated()\n  .WithLabel("change", "by-label")\n  .Mutate(request => {\n    // The K8s object e are going to mutate\n    const cm = request.Raw;\n\n    // Get the username and uid of the K8s request\n    const { username, uid } = request.Request.userInfo;\n\n    // Store some data about the request in the configmap\n    cm.data["username"] = username;\n    cm.data["uid"] = uid;\n\n    // You can still mix other ways of making changes too\n    request.SetAnnotation("pepr.dev", "making-waves");\n  });\n\n// This action validates the label `change=by-label` is deleted\nWhen(a.ConfigMap)\n  .IsDeleted()\n  .WithLabel("change", "by-label")\n  .Validate(request => {\n    // Log and then always approve the request\n    Log.info("CM with label \'change=by-label\' was deleted.");\n    return request.Approve();\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 4)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action show how you can use the `Mutate()` function without an inline function.\n * This is useful if you want to keep your actions small and focused on a single task,\n * or if you want to reuse the same function in multiple actions.\n */\nWhen(a.ConfigMap).IsCreated().WithName("example-4").Mutate(example4Cb);\n\n// This function uses the complete type definition, but is not required.\nfunction example4Cb(cm: PeprMutateRequest<a.ConfigMap>) {\n  cm.SetLabel("pepr.dev/first", "true");\n  cm.SetLabel("pepr.dev/second", "true");\n  cm.SetLabel("pepr.dev/third", "true");\n}\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 4a)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This is the same as Example 4, except this only operates on a CM in the `pepr-demo-2` namespace.\n * Note because the Capability defines namespaces, the namespace specified here must be one of those.\n * Alternatively, you can remove the namespace from the Capability definition and specify it here.\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .InNamespace("pepr-demo-2")\n  .WithName("example-4a")\n  .Mutate(example4Cb);\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 5)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action is a bit more complex. It will look for any ConfigMap in the `pepr-demo`\n * namespace that has the label `chuck-norris` during CREATE. When it finds one, it will fetch a\n * random Chuck Norris joke from the API and add it to the ConfigMap. This is a great example of how\n * you can use Pepr to make changes to your K8s objects based on external data.\n *\n * Note the use of the `async` keyword. This is required for any action that uses `await` or `fetch()`.\n *\n * Also note we are passing a type to the `fetch()` function. This is optional, but it will help you\n * avoid mistakes when working with the data returned from the API. You can also use the `as` keyword to\n * cast the data returned from the API.\n *\n * These are equivalent:\n * ```ts\n * const joke = await fetch<TheChuckNorrisJoke>("https://api.chucknorris.io/jokes/random?category=dev");\n * const joke = await fetch("https://api.chucknorris.io/jokes/random?category=dev") as TheChuckNorrisJoke;\n * ```\n *\n * Alternatively, you can drop the type completely:\n *\n * ```ts\n * fetch("https://api.chucknorris.io/jokes/random?category=dev")\n * ```\n */\ninterface TheChuckNorrisJoke {\n  icon_url: string;\n  id: string;\n  url: string;\n  value: string;\n}\n\nWhen(a.ConfigMap)\n  .IsCreated()\n  .WithLabel("chuck-norris")\n  .Mutate(async change => {\n    // Try/catch is not needed as a response object will always be returned\n    const response = await fetch<TheChuckNorrisJoke>(\n      "https://api.chucknorris.io/jokes/random?category=dev",\n    );\n\n    // Instead, check the `response.ok` field\n    if (response.ok) {\n      // Add the Chuck Norris joke to the configmap\n      change.Raw.data["chuck-says"] = response.data.value;\n      return;\n    }\n\n    // You can also assert on different HTTP response codes\n    if (response.status === fetchStatus.NOT_FOUND) {\n      // Do something else\n      return;\n    }\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (Secret Base64 Handling)                      *\n * ---------------------------------------------------------------------------------------------------\n *\n * The K8s JS client provides incomplete support for base64 encoding/decoding handling for secrets,\n * unlike the GO client. To make this less painful, Pepr automatically handles base64 encoding/decoding\n * secret data before and after the action is executed.\n */\nWhen(a.Secret)\n  .IsCreated()\n  .WithName("secret-1")\n  .Mutate(request => {\n    const secret = request.Raw;\n\n    // This will be encoded at the end of all processing back to base64: "Y2hhbmdlLXdpdGhvdXQtZW5jb2Rpbmc="\n    secret.data.magic = "change-without-encoding";\n\n    // You can modify the data directly, and it will be encoded at the end of all processing\n    secret.data.example += " - modified by Pepr";\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (Untyped Custom Resource)                     *\n * ---------------------------------------------------------------------------------------------------\n *\n * Out of the box, Pepr supports all the standard Kubernetes objects. However, you can also create\n * your own types. This is useful if you are working with an Operator that creates custom resources.\n * There are two ways to do this, the first is to use the `When()` function with a `GenericKind`,\n * the second is to create a new class that extends `GenericKind` and use the `RegisterKind()` function.\n *\n * This example shows how to use the `When()` function with a `GenericKind`. Note that you\n * must specify the `group`, `version`, and `kind` of the object (if applicable). This is how Pepr knows\n * if the action should be triggered or not. Since we are using a `GenericKind`,\n * Pepr will not be able to provide any intellisense for the object, so you will need to refer to the\n * Kubernetes API documentation for the object you are working with.\n *\n * You will need to wait for the CRD in `hello-pepr.samples.yaml` to be created, then you can apply\n *\n * ```yaml\n * apiVersion: pepr.dev/v1\n * kind: Unicorn\n * metadata:\n *   name: example-1\n *   namespace: pepr-demo\n * spec:\n *   message: replace-me\n *   counter: 0\n * ```\n */\nWhen(a.GenericKind, {\n  group: "pepr.dev",\n  version: "v1",\n  kind: "Unicorn",\n})\n  .IsCreated()\n  .WithName("example-1")\n  .Mutate(request => {\n    request.Merge({\n      spec: {\n        message: "Hello Pepr without type data!",\n        counter: Math.random(),\n      },\n    });\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (Typed Custom Resource)                       *\n * ---------------------------------------------------------------------------------------------------\n *\n * This example shows how to use the `RegisterKind()` function to create a new type. This is useful\n * if you are working with an Operator that creates custom resources and you want to have intellisense\n * for the object. Note that you must specify the `group`, `version`, and `kind` of the object (if applicable)\n * as this is how Pepr knows if the action should be triggered or not.\n *\n * Once you register a new Kind with Pepr, you can use the `When()` function with the new Kind. Ideally,\n * you should register custom Kinds at the top of your Capability file or Pepr Module so they are available\n * to all actions, but we are putting it here for demonstration purposes.\n *\n * You will need to wait for the CRD in `hello-pepr.samples.yaml` to be created, then you can apply\n *\n * ```yaml\n * apiVersion: pepr.dev/v1\n * kind: Unicorn\n * metadata:\n *   name: example-2\n *   namespace: pepr-demo\n * spec:\n *   message: replace-me\n *   counter: 0\n * ```*\n */\nclass UnicornKind extends a.GenericKind {\n  spec: {\n    /**\n     * JSDoc comments can be added to explain more details about the field.\n     *\n     * @example\n     * ```ts\n     * request.Raw.spec.message = "Hello Pepr!";\n     * ```\n     * */\n    message: string;\n    counter: number;\n  };\n}\n\nRegisterKind(UnicornKind, {\n  group: "pepr.dev",\n  version: "v1",\n  kind: "Unicorn",\n});\n\nWhen(UnicornKind)\n  .IsCreated()\n  .WithName("example-2")\n  .Mutate(request => {\n    request.Merge({\n      spec: {\n        message: "Hello Pepr with type data!",\n        counter: Math.random(),\n      },\n    });\n  });\n';
-var packageJSON = { name: "pepr", description: "Kubernetes application engine", author: "Defense Unicorns", homepage: "https://github.com/defenseunicorns/pepr", license: "Apache-2.0", bin: "dist/cli.js", repository: "defenseunicorns/pepr", engines: { node: ">=18.0.0" }, version: "0.13.4", main: "dist/lib.js", types: "dist/lib.d.ts", scripts: { "gen-data-json": "node hack/build-template-data.js", prebuild: "rm -fr dist/* && npm run gen-data-json", build: "tsc && node build.mjs", test: "npm run test:unit && npm run test:journey", "test:unit": "npm run gen-data-json && jest src --coverage", "test:journey": "npm run test:journey:k3d && npm run test:journey:build && npm run test:journey:image && npm run test:journey:run", "test:journey:k3d": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0'", "test:journey:build": "npm run build && npm pack", "test:journey:image": "docker buildx build --tag pepr:dev . && k3d image import pepr:dev -c pepr-dev", "test:journey:run": "jest journey/entrypoint.test.ts", "format:check": "eslint src && prettier src --check", "format:fix": "eslint src --fix && prettier src --write" }, dependencies: { "@kubernetes/client-node": "0.19.0", express: "4.18.2", "fast-json-patch": "3.1.1", "http-status-codes": "2.2.0", "node-fetch": "2.7.0", pino: "8.15.1", "pino-pretty": "10.2.0", "prom-client": "14.2.0", ramda: "0.29.0" }, devDependencies: { "@jest/globals": "29.7.0", "@types/eslint": "8.44.2", "@types/express": "4.17.17", "@types/node": "18.x.x", "@types/node-fetch": "2.6.4", "@types/node-forge": "1.3.5", "@types/prettier": "3.0.0", "@types/prompts": "2.4.4", "@types/ramda": "0.29.4", "@types/uuid": "9.0.4", jest: "29.7.0", nock: "13.3.3", "ts-jest": "29.1.1" }, peerDependencies: { "@typescript-eslint/eslint-plugin": "6.5.0", "@typescript-eslint/parser": "6.5.0", commander: "11.0.0", esbuild: "0.19.2", eslint: "8.48.0", "node-forge": "1.3.1", prettier: "3.0.3", prompts: "2.4.2", typescript: "5.2.2", uuid: "9.0.0" } };
+var helloPeprTS = 'import {\n  Capability,\n  K8s,\n  Log,\n  PeprMutateRequest,\n  RegisterKind,\n  a,\n  fetch,\n  fetchStatus,\n  kind,\n} from "pepr";\n\n/**\n *  The HelloPepr Capability is an example capability to demonstrate some general concepts of Pepr.\n *  To test this capability you run `pepr dev`and then run the following command:\n *  `kubectl apply -f capabilities/hello-pepr.samples.yaml`\n */\nexport const HelloPepr = new Capability({\n  name: "hello-pepr",\n  description: "A simple example capability to show how things work.",\n  namespaces: ["pepr-demo", "pepr-demo-2"],\n});\n\n// Use the \'When\' function to create a new action, use \'Store\' to persist data\nconst { When, Store } = HelloPepr;\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (Namespace)                                   *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action removes the label `remove-me` when a Namespace is created.\n * Note we don\'t need to specify the namespace here, because we\'ve already specified\n * it in the Capability definition above.\n */\nWhen(a.Namespace)\n  .IsCreated()\n  .Mutate(ns => ns.RemoveLabel("remove-me"));\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Watch Action with K8s SSA (Namespace)                           *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action watches for the `pepr-demo-2` namespace to be created, then creates a ConfigMap with\n * the name `pepr-ssa-demo` and adds the namespace UID to the ConfigMap data. Because Pepr uses\n * server-side apply for this operation, the ConfigMap will be created or updated if it already exists.\n */\nWhen(a.Namespace)\n  .IsCreated()\n  .WithName("pepr-demo-2")\n  .Watch(async ns => {\n    Log.info("Namespace pepr-demo-2 was created.");\n\n    // You can share data between actions using the Store, including between different types of actions\n    Store.setItem("watch-data", "This data was stored by a Watch Action.");\n\n    // Apply the ConfigMap using K8s server-side apply\n    await K8s(kind.ConfigMap).Apply({\n      metadata: {\n        name: "pepr-ssa-demo",\n        namespace: "pepr-demo-2",\n      },\n      data: {\n        "ns-uid": ns.metadata.uid,\n      },\n    });\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 1)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This is a single action. They can be in the same file or put imported from other files.\n * In this example, when a ConfigMap is created with the name `example-1`, then add a label and annotation.\n *\n * Equivalent to manually running:\n * `kubectl label configmap example-1 pepr=was-here`\n * `kubectl annotate configmap example-1 pepr.dev=annotations-work-too`\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .WithName("example-1")\n  .Mutate(request => {\n    request\n      .SetLabel("pepr", "was-here")\n      .SetAnnotation("pepr.dev", "annotations-work-too");\n\n    // Use the Store to persist data between requests and Pepr controller pods\n    Store.setItem("example-1", "was-here");\n\n    // This data is written asynchronously and can be read back via `Store.getItem()` or `Store.subscribe()`\n    Store.setItem("example-1-data", JSON.stringify(request.Raw.data));\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate & Validate Actions (CM Example 2)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This combines 3 different types of actions: \'Mutate\', \'Validate\', and \'Watch\'. The order\n * of the actions is required, but each action is optional. In this example, when a ConfigMap is created\n * with the name `example-2`, then add a label and annotation, validate that the ConfigMap has the label\n * `pepr`, and log the request.\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .WithName("example-2")\n  .Mutate(request => {\n    // This Mutate Action will mutate the request before it is persisted to the cluster\n\n    // Use `request.Merge()` to merge the new data with the existing data\n    request.Merge({\n      metadata: {\n        labels: {\n          pepr: "was-here",\n        },\n        annotations: {\n          "pepr.dev": "annotations-work-too",\n        },\n      },\n    });\n  })\n  .Validate(request => {\n    // This Validate Action will validate the request before it is persisted to the cluster\n\n    // Approve the request if the ConfigMap has the label \'pepr\'\n    if (request.HasLabel("pepr")) {\n      return request.Approve();\n    }\n\n    // Otherwise, deny the request with an error message (optional)\n    return request.Deny("ConfigMap must have label \'pepr\'");\n  })\n  .Watch((cm, phase) => {\n    // This Watch Action will watch the ConfigMap after it has been persisted to the cluster\n    Log.info(cm, `ConfigMap was ${phase} with the name example-2`);\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 2a)                               *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action shows a simple validation that will deny any ConfigMap that has the\n * annotation `evil`. Note that the `Deny()` function takes an optional second parameter that is a\n * user-defined status code to return.\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .Validate(request => {\n    if (request.HasAnnotation("evil")) {\n      return request.Deny("No evil CM annotations allowed.", 400);\n    }\n\n    return request.Approve();\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 3)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action combines different styles. Unlike the previous actions, this one will look\n * for any ConfigMap in the `pepr-demo` namespace that has the label `change=by-label` during either\n * CREATE or UPDATE. Note that all conditions added such as `WithName()`, `WithLabel()`, `InNamespace()`,\n * are ANDs so all conditions must be true for the request to be processed.\n */\nWhen(a.ConfigMap)\n  .IsCreatedOrUpdated()\n  .WithLabel("change", "by-label")\n  .Mutate(request => {\n    // The K8s object e are going to mutate\n    const cm = request.Raw;\n\n    // Get the username and uid of the K8s request\n    const { username, uid } = request.Request.userInfo;\n\n    // Store some data about the request in the configmap\n    cm.data["username"] = username;\n    cm.data["uid"] = uid;\n\n    // You can still mix other ways of making changes too\n    request.SetAnnotation("pepr.dev", "making-waves");\n  });\n\n// This action validates the label `change=by-label` is deleted\nWhen(a.ConfigMap)\n  .IsDeleted()\n  .WithLabel("change", "by-label")\n  .Validate(request => {\n    // Log and then always approve the request\n    Log.info("CM with label \'change=by-label\' was deleted.");\n    return request.Approve();\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 4)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action show how you can use the `Mutate()` function without an inline function.\n * This is useful if you want to keep your actions small and focused on a single task,\n * or if you want to reuse the same function in multiple actions.\n */\nWhen(a.ConfigMap).IsCreated().WithName("example-4").Mutate(example4Cb);\n\n// This function uses the complete type definition, but is not required.\nfunction example4Cb(cm: PeprMutateRequest<a.ConfigMap>) {\n  cm.SetLabel("pepr.dev/first", "true");\n  cm.SetLabel("pepr.dev/second", "true");\n  cm.SetLabel("pepr.dev/third", "true");\n}\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 4a)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This is the same as Example 4, except this only operates on a CM in the `pepr-demo-2` namespace.\n * Note because the Capability defines namespaces, the namespace specified here must be one of those.\n * Alternatively, you can remove the namespace from the Capability definition and specify it here.\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .InNamespace("pepr-demo-2")\n  .WithName("example-4a")\n  .Mutate(example4Cb);\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 5)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action is a bit more complex. It will look for any ConfigMap in the `pepr-demo`\n * namespace that has the label `chuck-norris` during CREATE. When it finds one, it will fetch a\n * random Chuck Norris joke from the API and add it to the ConfigMap. This is a great example of how\n * you can use Pepr to make changes to your K8s objects based on external data.\n *\n * Note the use of the `async` keyword. This is required for any action that uses `await` or `fetch()`.\n *\n * Also note we are passing a type to the `fetch()` function. This is optional, but it will help you\n * avoid mistakes when working with the data returned from the API. You can also use the `as` keyword to\n * cast the data returned from the API.\n *\n * These are equivalent:\n * ```ts\n * const joke = await fetch<TheChuckNorrisJoke>("https://api.chucknorris.io/jokes/random?category=dev");\n * const joke = await fetch("https://api.chucknorris.io/jokes/random?category=dev") as TheChuckNorrisJoke;\n * ```\n *\n * Alternatively, you can drop the type completely:\n *\n * ```ts\n * fetch("https://api.chucknorris.io/jokes/random?category=dev")\n * ```\n */\ninterface TheChuckNorrisJoke {\n  icon_url: string;\n  id: string;\n  url: string;\n  value: string;\n}\n\nWhen(a.ConfigMap)\n  .IsCreated()\n  .WithLabel("chuck-norris")\n  .Mutate(async change => {\n    // Try/catch is not needed as a response object will always be returned\n    const response = await fetch<TheChuckNorrisJoke>(\n      "https://api.chucknorris.io/jokes/random?category=dev",\n    );\n\n    // Instead, check the `response.ok` field\n    if (response.ok) {\n      // Add the Chuck Norris joke to the configmap\n      change.Raw.data["chuck-says"] = response.data.value;\n      return;\n    }\n\n    // You can also assert on different HTTP response codes\n    if (response.status === fetchStatus.NOT_FOUND) {\n      // Do something else\n      return;\n    }\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (Secret Base64 Handling)                      *\n * ---------------------------------------------------------------------------------------------------\n *\n * The K8s JS client provides incomplete support for base64 encoding/decoding handling for secrets,\n * unlike the GO client. To make this less painful, Pepr automatically handles base64 encoding/decoding\n * secret data before and after the action is executed.\n */\nWhen(a.Secret)\n  .IsCreated()\n  .WithName("secret-1")\n  .Mutate(request => {\n    const secret = request.Raw;\n\n    // This will be encoded at the end of all processing back to base64: "Y2hhbmdlLXdpdGhvdXQtZW5jb2Rpbmc="\n    secret.data.magic = "change-without-encoding";\n\n    // You can modify the data directly, and it will be encoded at the end of all processing\n    secret.data.example += " - modified by Pepr";\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (Untyped Custom Resource)                     *\n * ---------------------------------------------------------------------------------------------------\n *\n * Out of the box, Pepr supports all the standard Kubernetes objects. However, you can also create\n * your own types. This is useful if you are working with an Operator that creates custom resources.\n * There are two ways to do this, the first is to use the `When()` function with a `GenericKind`,\n * the second is to create a new class that extends `GenericKind` and use the `RegisterKind()` function.\n *\n * This example shows how to use the `When()` function with a `GenericKind`. Note that you\n * must specify the `group`, `version`, and `kind` of the object (if applicable). This is how Pepr knows\n * if the action should be triggered or not. Since we are using a `GenericKind`,\n * Pepr will not be able to provide any intellisense for the object, so you will need to refer to the\n * Kubernetes API documentation for the object you are working with.\n *\n * You will need to wait for the CRD in `hello-pepr.samples.yaml` to be created, then you can apply\n *\n * ```yaml\n * apiVersion: pepr.dev/v1\n * kind: Unicorn\n * metadata:\n *   name: example-1\n *   namespace: pepr-demo\n * spec:\n *   message: replace-me\n *   counter: 0\n * ```\n */\nWhen(a.GenericKind, {\n  group: "pepr.dev",\n  version: "v1",\n  kind: "Unicorn",\n})\n  .IsCreated()\n  .WithName("example-1")\n  .Mutate(request => {\n    request.Merge({\n      spec: {\n        message: "Hello Pepr without type data!",\n        counter: Math.random(),\n      },\n    });\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (Typed Custom Resource)                       *\n * ---------------------------------------------------------------------------------------------------\n *\n * This example shows how to use the `RegisterKind()` function to create a new type. This is useful\n * if you are working with an Operator that creates custom resources and you want to have intellisense\n * for the object. Note that you must specify the `group`, `version`, and `kind` of the object (if applicable)\n * as this is how Pepr knows if the action should be triggered or not.\n *\n * Once you register a new Kind with Pepr, you can use the `When()` function with the new Kind. Ideally,\n * you should register custom Kinds at the top of your Capability file or Pepr Module so they are available\n * to all actions, but we are putting it here for demonstration purposes.\n *\n * You will need to wait for the CRD in `hello-pepr.samples.yaml` to be created, then you can apply\n *\n * ```yaml\n * apiVersion: pepr.dev/v1\n * kind: Unicorn\n * metadata:\n *   name: example-2\n *   namespace: pepr-demo\n * spec:\n *   message: replace-me\n *   counter: 0\n * ```*\n */\nclass UnicornKind extends a.GenericKind {\n  spec: {\n    /**\n     * JSDoc comments can be added to explain more details about the field.\n     *\n     * @example\n     * ```ts\n     * request.Raw.spec.message = "Hello Pepr!";\n     * ```\n     * */\n    message: string;\n    counter: number;\n  };\n}\n\nRegisterKind(UnicornKind, {\n  group: "pepr.dev",\n  version: "v1",\n  kind: "Unicorn",\n});\n\nWhen(UnicornKind)\n  .IsCreated()\n  .WithName("example-2")\n  .Mutate(request => {\n    request.Merge({\n      spec: {\n        message: "Hello Pepr with type data!",\n        counter: Math.random(),\n      },\n    });\n  });\n\n/**\n * A callback function that is called once the Pepr Store is fully loaded.\n */\nStore.onReady(data => {\n  Log.info(data, "Pepr Store Ready");\n});\n';
+var packageJSON = { name: "pepr", description: "Kubernetes application engine", author: "Defense Unicorns", homepage: "https://github.com/defenseunicorns/pepr", license: "Apache-2.0", bin: "dist/cli.js", repository: "defenseunicorns/pepr", engines: { node: ">=18.0.0" }, version: "0.14.0", main: "dist/lib.js", types: "dist/lib.d.ts", scripts: { "gen-data-json": "node hack/build-template-data.js", prebuild: "rm -fr dist/* && npm run gen-data-json", build: "tsc && node build.mjs", test: "npm run test:unit && npm run test:journey", "test:unit": "npm run gen-data-json && jest src --coverage", "test:journey": "npm run test:journey:k3d && npm run test:journey:build && npm run test:journey:image && npm run test:journey:run", "test:journey:k3d": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0'", "test:journey:build": "npm run build && npm pack", "test:journey:image": "docker buildx build --tag pepr:dev . && k3d image import pepr:dev -c pepr-dev", "test:journey:run": "jest journey/entrypoint.test.ts", "format:check": "eslint src && prettier src --check", "format:fix": "eslint src --fix && prettier src --write" }, dependencies: { express: "4.18.2", "fast-json-patch": "3.1.1", "kubernetes-fluent-client": "1.4.1", pino: "8.15.3", "pino-pretty": "10.2.0", "prom-client": "14.2.0", ramda: "0.29.0" }, devDependencies: { "@jest/globals": "29.7.0", "@types/eslint": "8.44.3", "@types/express": "4.17.18", "@types/node": "18.x.x", "@types/node-forge": "1.3.6", "@types/prompts": "2.4.5", "@types/ramda": "0.29.5", "@types/uuid": "9.0.4", jest: "29.7.0", nock: "13.3.3", "ts-jest": "29.1.1" }, peerDependencies: { "@typescript-eslint/eslint-plugin": "6.7.3", "@typescript-eslint/parser": "6.7.3", commander: "11.0.0", esbuild: "0.19.4", eslint: "8.50.0", "node-forge": "1.3.1", prettier: "3.0.3", prompts: "2.4.2", typescript: "5.2.2", uuid: "9.0.1" } };
 
 // src/templates/pepr.code-snippets.json
 var pepr_code_snippets_default = {
@@ -1036,8 +1205,8 @@ var tsconfig_module_default = {
 
 // src/cli/init/utils.ts
 var import_fs3 = require("fs");
-function sanitizeName(name) {
-  let sanitized = name.toLowerCase().replace(/[^a-z0-9-]+/gi, "-");
+function sanitizeName(name2) {
+  let sanitized = name2.toLowerCase().replace(/[^a-z0-9-]+/gi, "-");
   sanitized = sanitized.replace(/^-+|-+$/g, "");
   sanitized = sanitized.replace(/--+/g, "-");
   return sanitized;
@@ -1061,13 +1230,13 @@ function write(path, data) {
 }
 
 // src/cli/init/templates.ts
-var { dependencies, devDependencies, peerDependencies, scripts, version } = packageJSON;
+var { dependencies, devDependencies, peerDependencies, scripts, version: version2 } = packageJSON;
 function genPkgJSON(opts, pgkVerOverride) {
   const uuid = (0, import_uuid.v5)(opts.name, (0, import_uuid.v4)());
-  const name = sanitizeName(opts.name);
+  const name2 = sanitizeName(opts.name);
   const { typescript } = peerDependencies;
   const data = {
-    name,
+    name: name2,
     version: "0.0.1",
     description: opts.description,
     keywords: ["pepr", "k8s", "policy-engine", "pepr-module", "security"],
@@ -1087,7 +1256,7 @@ function genPkgJSON(opts, pgkVerOverride) {
       "k3d-setup": scripts["test:journey:k3d"]
     },
     dependencies: {
-      pepr: pgkVerOverride || version
+      pepr: pgkVerOverride || version2
     },
     devDependencies: {
       typescript
@@ -1119,7 +1288,7 @@ var gitignore = {
 };
 var samplesYaml = {
   path: "hello-pepr.samples.yaml",
-  data: hello_pepr_samples_default.map((r) => (0, import_client_node3.dumpYaml)(r, { noRefs: true })).join("---\n")
+  data: hello_pepr_samples_default.map((r) => (0, import_client_node2.dumpYaml)(r, { noRefs: true })).join("---\n")
 };
 var snippet = {
   path: "pepr.code-snippets",
@@ -1230,6 +1399,7 @@ function build_default(program2) {
 }
 var externalLibs = Object.keys(dependencies);
 externalLibs.push("pepr");
+externalLibs.push("@kubernetes/client-node");
 async function loadModule(entryPoint = peprTS2) {
   const cfgPath = (0, import_path.resolve)(".", "package.json");
   const input = (0, import_path.resolve)(".", entryPoint);
@@ -1245,16 +1415,16 @@ async function loadModule(entryPoint = peprTS2) {
   const moduleText = await import_fs5.promises.readFile(cfgPath, { encoding: "utf-8" });
   const cfg = JSON.parse(moduleText);
   const { uuid } = cfg.pepr;
-  const name = `pepr-${uuid}.js`;
-  cfg.pepr.peprVersion = version;
+  const name2 = `pepr-${uuid}.js`;
+  cfg.pepr.peprVersion = version2;
   if (!uuid) {
     throw new Error("Could not load the uuid in package.json");
   }
   return {
     cfg,
     input,
-    name,
-    path: (0, import_path.resolve)("dist", name),
+    name: name2,
+    path: (0, import_path.resolve)("dist", name2),
     uuid
   };
 }
@@ -1419,6 +1589,7 @@ function dev_default(program2) {
           env: {
             ...process.env,
             LOG_LEVEL: "debug",
+            PEPR_MODE: "dev",
             PEPR_API_TOKEN: webhook.apiToken,
             PEPR_PRETTY_LOGS: "true",
             SSL_KEY_PATH: "insecure-tls.key",
@@ -1471,8 +1642,8 @@ function walkthrough() {
     message: "Enter a name for the new Pepr module. This will create a new directory based on the name.\n",
     validate: async (val) => {
       try {
-        const name = sanitizeName(val);
-        await import_fs7.promises.access(name, import_fs7.promises.constants.F_OK);
+        const name2 = sanitizeName(val);
+        await import_fs7.promises.access(name2, import_fs7.promises.constants.F_OK);
         return "A directory with this name already exists";
       } catch (e) {
         return val.length > 2 || "The name must be at least 3 characters long";
@@ -1595,8 +1766,8 @@ function init_default(program2) {
 var import_commander = require("commander");
 var RootCmd = class extends import_commander.Command {
   // eslint-disable-next-line class-methods-use-this
-  createCommand(name) {
-    const cmd = new import_commander.Command(name);
+  createCommand(name2) {
+    const cmd = new import_commander.Command(name2);
     cmd.option("-l, --log-level [level]", "Log level: debug, info, warn, error", "info");
     cmd.hook("preAction", (run) => {
       logger_default.level = run.opts().logLevel;
@@ -1668,7 +1839,7 @@ if (process.env.npm_lifecycle_event !== "npx") {
   console.warn("Pepr should be run via `npx pepr <command>` instead of `pepr <command>`.");
 }
 var program = new RootCmd();
-program.version(version).description(`Pepr (v${version}) - Type safe K8s middleware for humans`).action(() => {
+program.version(version2).description(`Pepr (v${version2}) - Type safe K8s middleware for humans`).action(() => {
   if (program.args.length < 1) {
     console.log(banner);
     program.help();