pepr 0.26.2 → 0.28.0

package/package.json

@@ -9,7 +9,7 @@
   "engines": {
     "node": ">=18.0.0"
   },
-  "version": "0.26.2",
+  "version": "0.28.0",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {
@@ -19,7 +19,7 @@
     "test": "npm run test:unit && npm run test:journey",
     "test:unit": "npm run gen-data-json && jest src --coverage --detectOpenHandles --coverageDirectory=./coverage",
     "test:journey": "npm run test:journey:k3d && npm run test:journey:build && npm run test:journey:image && npm run test:journey:run",
-    "test:journey:prep": "git clone https://github.com/defenseunicorns/pepr-upgrade-test.git",
+    "test:journey:prep": "if [ ! -d ./pepr-upgrade-test ]; then git clone https://github.com/defenseunicorns/pepr-upgrade-test.git ; fi",
     "test:journey-wasm": "npm run test:journey:k3d && npm run test:journey:build && npm run test:journey:image && npm run test:journey:run-wasm",
     "test:journey:k3d": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0' --wait && kubectl rollout status deployment -n kube-system",
     "test:journey:build": "npm run build && npm pack",
@@ -31,27 +31,27 @@
     "format:fix": "eslint src --fix && prettier src --write"
   },
   "dependencies": {
-    "@types/ramda": "0.29.10",
-    "express": "4.18.2",
+    "@types/ramda": "0.29.11",
+    "express": "4.18.3",
     "fast-json-patch": "3.1.1",
-    "kubernetes-fluent-client": "2.2.0",
+    "kubernetes-fluent-client": "2.2.2",
     "pino": "8.19.0",
     "pino-pretty": "10.3.1",
     "prom-client": "15.1.0",
     "ramda": "0.29.1"
   },
   "devDependencies": {
-    "@commitlint/cli": "18.6.1",
-    "@commitlint/config-conventional": "18.6.2",
+    "@commitlint/cli": "19.0.3",
+    "@commitlint/config-conventional": "19.0.3",
     "@jest/globals": "29.7.0",
-    "@types/eslint": "8.56.2",
+    "@types/eslint": "8.56.5",
     "@types/express": "4.17.21",
     "@types/node": "18.x.x",
     "@types/node-forge": "1.3.11",
     "@types/prompts": "2.4.9",
     "@types/uuid": "9.0.8",
     "jest": "29.7.0",
-    "nock": "13.5.3",
+    "nock": "13.5.4",
     "ts-jest": "29.1.2"
   },
   "peerDependencies": {

package/src/cli.ts

@@ -14,6 +14,7 @@ import uuid from "./cli/uuid";
 import { version } from "./cli/init/templates";
 import { RootCmd } from "./cli/root";
 import update from "./cli/update";
+import kfc from "./cli/kfc";
 
 if (process.env.npm_lifecycle_event !== "npx") {
   console.warn("Pepr should be run via `npx pepr <command>` instead of `pepr <command>`.");
@@ -43,4 +44,5 @@ update(program);
 format(program);
 monitor(program);
 uuid(program);
+kfc(program);
 program.parse();

package/src/lib/assets/deploy.ts

@@ -104,13 +104,13 @@ async function setupController(assets: Assets, code: Buffer, hash: string, force
   await K8s(kind.Secret).Apply(apiToken, { force });
 
   Log.info("Applying deployment");
-  const dep = deployment(assets, hash);
+  const dep = deployment(assets, hash, assets.buildTimestamp);
   await K8s(kind.Deployment).Apply(dep, { force });
 }
 
 async function setupWatcher(assets: Assets, hash: string, force: boolean) {
   // If the module has a watcher, deploy it
-  const watchDeployment = watcher(assets, hash);
+  const watchDeployment = watcher(assets, hash, assets.buildTimestamp);
   if (watchDeployment) {
     Log.info("Applying watcher deployment");
     await K8s(kind.Deployment).Apply(watchDeployment, { force });

package/src/lib/assets/helm.ts

@@ -0,0 +1,199 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+export function nsTemplate() {
+  return `
+    apiVersion: v1
+    kind: Namespace
+    metadata:
+        name: pepr-system
+        {{- if .Values.namespace.annotations }}
+        annotations:
+            {{- toYaml .Values.namespace.annotations | nindent 6 }}
+        {{- end }}
+        {{- if .Values.namespace.labels }}
+        labels:
+            {{- toYaml .Values.namespace.labels | nindent 6 }}
+        {{- end }}
+    `;
+}
+
+export function chartYaml(name: string, description?: string) {
+  return `
+    apiVersion: v2
+    name: ${name}
+    description: ${description || ""}
+
+    # A chart can be either an 'application' or a 'library' chart.
+    #
+    # Application charts are a collection of templates that can be packaged into versioned archives
+    # to be deployed.
+    #
+    # Library charts provide useful utilities or functions for the chart developer. They're included as
+    # a dependency of application charts to inject those utilities and functions into the rendering
+    # pipeline. Library charts do not define any templates and therefore cannot be deployed.
+    type: application
+
+    # This is the chart version. This version number should be incremented each time you make changes
+    # to the chart and its templates, including the app version.
+    # Versions are expected to follow Semantic Versioning (https://semver.org/)
+    version: 0.1.0
+
+    # This is the version number of the application being deployed. This version number should be
+    # incremented each time you make changes to the application. Versions are not expected to
+    # follow Semantic Versioning. They should reflect the version the application is using.
+    # It is recommended to use it with quotes.
+    appVersion: "1.16.0"
+`;
+}
+
+export function watcherDeployTemplate(buildTimestamp: string) {
+  return `
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: {{ .Values.uuid }}-watcher
+        namespace: pepr-system
+        annotations:
+          {{- toYaml .Values.watcher.annotations | nindent 4 }}
+        labels:
+          {{- toYaml .Values.watcher.labels | nindent 4 }}
+      spec:
+        replicas: 1
+        strategy:
+          type: Recreate
+        selector:
+          matchLabels:
+            app: {{ .Values.uuid }}-watcher
+            pepr.dev/controller: watcher
+        template:
+          metadata:
+            annotations: 
+              buildTimestamp: "${buildTimestamp}"
+            labels:
+              app: {{ .Values.uuid }}-watcher
+              pepr.dev/controller: watcher
+          spec:
+            serviceAccountName: {{ .Values.uuid }}
+            securityContext:
+              {{- toYaml .Values.admission.securityContext | nindent 8 }}
+            containers:
+              - name: watcher
+                image: {{ .Values.watcher.image }}
+                imagePullPolicy: IfNotPresent
+                command:
+                  - node
+                  - /app/node_modules/pepr/dist/controller.js
+                  - {{ .Values.hash }}
+                readinessProbe:
+                  httpGet:
+                    path: /healthz
+                    port: 3000
+                    scheme: HTTPS
+                livenessProbe:
+                  httpGet:
+                    path: /healthz
+                    port: 3000
+                    scheme: HTTPS
+                ports:
+                  - containerPort: 3000
+                resources:
+                  {{- toYaml .Values.watcher.resources | nindent 12 }}
+                env:
+                  {{- toYaml .Values.watcher.env | nindent 12 }}
+                securityContext:
+                  {{- toYaml .Values.watcher.containerSecurityContext | nindent 12 }}
+                volumeMounts:
+                  - name: tls-certs
+                    mountPath: /etc/certs
+                    readOnly: true
+                  - name: module
+                    mountPath: /app/load
+                    readOnly: true
+            volumes:
+              - name: tls-certs
+                secret:
+                  secretName: {{ .Values.uuid }}-tls
+              - name: module
+                secret:
+                  secretName: {{ .Values.uuid }}-module
+    `;
+}
+
+export function admissionDeployTemplate(buildTimestamp: string) {
+  return `
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: {{ .Values.uuid }}
+        namespace: pepr-system
+        annotations:
+          {{- toYaml .Values.admission.annotations | nindent 4 }}
+        labels:
+          {{- toYaml .Values.admission.labels | nindent 4 }}
+      spec:
+        replicas: 2
+        selector:
+          matchLabels:
+            app: {{ .Values.uuid }}
+            pepr.dev/controller: admission
+        template:
+          metadata:
+            annotations:
+              buildTimestamp: "${buildTimestamp}"
+            labels:
+              app: {{ .Values.uuid }}
+              pepr.dev/controller: admission
+          spec:
+            priorityClassName: system-node-critical
+            serviceAccountName: {{ .Values.uuid }}
+            securityContext:
+              {{- toYaml .Values.admission.securityContext | nindent 8 }}
+            containers:
+              - name: server
+                image: {{ .Values.admission.image }}
+                imagePullPolicy: IfNotPresent
+                command:
+                  - node
+                  - /app/node_modules/pepr/dist/controller.js
+                  - {{ .Values.hash }}
+                readinessProbe:
+                  httpGet:
+                    path: /healthz
+                    port: 3000
+                    scheme: HTTPS
+                livenessProbe:
+                  httpGet:
+                    path: /healthz
+                    port: 3000
+                    scheme: HTTPS
+                ports:
+                  - containerPort: 3000
+                resources:
+                  {{- toYaml .Values.admission.resources | nindent 12 }}
+                env:
+                  {{- toYaml .Values.admission.env | nindent 12 }}
+                securityContext:
+                  {{- toYaml .Values.admission.containerSecurityContext | nindent 12 }}
+                volumeMounts:
+                  - name: tls-certs
+                    mountPath: /etc/certs
+                    readOnly: true
+                  - name: api-token
+                    mountPath: /app/api-token
+                    readOnly: true
+                  - name: module
+                    mountPath: /app/load
+                    readOnly: true
+            volumes:
+              - name: tls-certs
+                secret:
+                  secretName: {{ .Values.uuid }}-tls
+              - name: api-token
+                secret:
+                  secretName: {{ .Values.uuid }}-api-token
+              - name: module
+                secret:
+                  secretName: {{ .Values.uuid }}-module  
+    `;
+}

package/src/lib/assets/index.ts

@@ -2,16 +2,24 @@
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
 import crypto from "crypto";
-
+import { dumpYaml } from "@kubernetes/client-node";
 import { ModuleConfig } from "../module";
 import { TLSOut, genTLS } from "../tls";
 import { CapabilityExport } from "../types";
 import { WebhookIgnore } from "../k8s";
 import { deploy } from "./deploy";
 import { loadCapabilities } from "./loader";
-import { allYaml, zarfYaml } from "./yaml";
-import { namespaceComplianceValidator } from "../helpers";
+import { allYaml, zarfYaml, overridesFile } from "./yaml";
+import { namespaceComplianceValidator, replaceString } from "../helpers";
+import { createDirectoryIfNotExists, dedent } from "../helpers";
+import { resolve } from "path";
+import { chartYaml, nsTemplate, admissionDeployTemplate, watcherDeployTemplate } from "./helm";
+import { promises as fs } from "fs";
+import { webhookConfig } from "./webhooks";
+import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking";
+import { watcher, moduleSecret } from "./pods";
 
+import { clusterRole, clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";
 export class Assets {
   readonly name: string;
   readonly tls: TLSOut;
@@ -20,6 +28,8 @@ export class Assets {
   capabilities!: CapabilityExport[];
 
   image: string;
+  buildTimestamp: string;
+  hash: string;
 
   constructor(
     readonly config: ModuleConfig,
@@ -27,9 +37,10 @@ export class Assets {
     readonly host?: string,
   ) {
     this.name = `pepr-${config.uuid}`;
+    this.buildTimestamp = `${Date.now()}`;
     this.alwaysIgnore = config.alwaysIgnore;
     this.image = `ghcr.io/defenseunicorns/pepr/controller:v${config.peprVersion}`;
-
+    this.hash = "";
     // Generate the ephemeral tls things
     this.tls = genTLS(this.host || `${this.name}.pepr-system.svc`);
 
@@ -37,6 +48,10 @@ export class Assets {
     this.apiToken = crypto.randomBytes(32).toString("hex");
   }
 
+  setHash = (hash: string) => {
+    this.hash = hash;
+  };
+
   deploy = async (force: boolean, webhookTimeout?: number) => {
     this.capabilities = await loadCapabilities(this.path);
     await deploy(this, force, webhookTimeout);
@@ -53,4 +68,106 @@ export class Assets {
 
     return allYaml(this, rbacMode);
   };
+
+  generateHelmChart = async (basePath: string) => {
+    const CHART_DIR = `${basePath}/${this.config.uuid}-chart`;
+    const CHAR_TEMPLATES_DIR = `${CHART_DIR}/templates`;
+    const valuesPath = resolve(CHART_DIR, `values.yaml`);
+    const chartPath = resolve(CHART_DIR, `Chart.yaml`);
+    const nsPath = resolve(CHAR_TEMPLATES_DIR, `namespace.yaml`);
+    const watcherSVCPath = resolve(CHAR_TEMPLATES_DIR, `watcher-service.yaml`);
+    const admissionSVCPath = resolve(CHAR_TEMPLATES_DIR, `admission-service.yaml`);
+    const mutationWebhookPath = resolve(CHAR_TEMPLATES_DIR, `mutation-webhook.yaml`);
+    const validationWebhookPath = resolve(CHAR_TEMPLATES_DIR, `validation-webhook.yaml`);
+    const admissionDeployPath = resolve(CHAR_TEMPLATES_DIR, `admission-deployment.yaml`);
+    const watcherDeployPath = resolve(CHAR_TEMPLATES_DIR, `watcher-deployment.yaml`);
+    const tlsSecretPath = resolve(CHAR_TEMPLATES_DIR, `tls-secret.yaml`);
+    const apiTokenSecretPath = resolve(CHAR_TEMPLATES_DIR, `api-token-secret.yaml`);
+    const moduleSecretPath = resolve(CHAR_TEMPLATES_DIR, `module-secret.yaml`);
+    const storeRolePath = resolve(CHAR_TEMPLATES_DIR, `store-role.yaml`);
+    const storeRoleBindingPath = resolve(CHAR_TEMPLATES_DIR, `store-role-binding.yaml`);
+    const clusterRolePath = resolve(CHAR_TEMPLATES_DIR, `cluster-role.yaml`);
+    const clusterRoleBindingPath = resolve(CHAR_TEMPLATES_DIR, `cluster-role-binding.yaml`);
+    const serviceAccountPath = resolve(CHAR_TEMPLATES_DIR, `service-account.yaml`);
+
+    // create helm chart
+    try {
+      // create chart dir
+      await createDirectoryIfNotExists(CHART_DIR);
+
+      // create charts dir
+      await createDirectoryIfNotExists(`${CHART_DIR}/charts`);
+
+      // create templates dir
+      await createDirectoryIfNotExists(`${CHAR_TEMPLATES_DIR}`);
+
+      // create values file
+      await overridesFile(this, valuesPath);
+
+      // create the chart.yaml
+      await fs.writeFile(chartPath, dedent(chartYaml(this.config.uuid, this.config.description || "")));
+
+      // create the namespace.yaml in templates
+      await fs.writeFile(nsPath, dedent(nsTemplate()));
+
+      const code = await fs.readFile(this.path);
+
+      await fs.writeFile(watcherSVCPath, dumpYaml(watcherService(this.name), { noRefs: true }));
+      await fs.writeFile(admissionSVCPath, dumpYaml(service(this.name), { noRefs: true }));
+      await fs.writeFile(tlsSecretPath, dumpYaml(tlsSecret(this.name, this.tls), { noRefs: true }));
+      await fs.writeFile(apiTokenSecretPath, dumpYaml(apiTokenSecret(this.name, this.apiToken), { noRefs: true }));
+      await fs.writeFile(moduleSecretPath, dumpYaml(moduleSecret(this.name, code, this.hash), { noRefs: true }));
+      await fs.writeFile(storeRolePath, dumpYaml(storeRole(this.name), { noRefs: true }));
+      await fs.writeFile(storeRoleBindingPath, dumpYaml(storeRoleBinding(this.name), { noRefs: true }));
+      await fs.writeFile(
+        clusterRolePath,
+        dumpYaml(clusterRole(this.name, this.capabilities, "rbac"), { noRefs: true }),
+      );
+      await fs.writeFile(clusterRoleBindingPath, dumpYaml(clusterRoleBinding(this.name), { noRefs: true }));
+      await fs.writeFile(serviceAccountPath, dumpYaml(serviceAccount(this.name), { noRefs: true }));
+
+      const mutateWebhook = await webhookConfig(this, "mutate", this.config.webhookTimeout);
+      const validateWebhook = await webhookConfig(this, "validate", this.config.webhookTimeout);
+      const watchDeployment = watcher(this, this.hash, this.buildTimestamp);
+
+      if (validateWebhook || mutateWebhook) {
+        await fs.writeFile(admissionDeployPath, dedent(admissionDeployTemplate(this.buildTimestamp)));
+      }
+
+      if (mutateWebhook) {
+        const yamlMutateWebhook = dumpYaml(mutateWebhook, { noRefs: true });
+        const mutateWebhookTemplate = replaceString(
+          replaceString(
+            replaceString(yamlMutateWebhook, this.name, "{{ .Values.uuid }}"),
+            this.config.onError === "reject" ? "Fail" : "Ignore",
+            "{{ .Values.admission.failurePolicy }}",
+          ),
+          `${this.config.webhookTimeout}` || "10",
+          "{{ .Values.admission.webhookTimeout }}",
+        );
+        await fs.writeFile(mutationWebhookPath, mutateWebhookTemplate);
+      }
+
+      if (validateWebhook) {
+        const yamlValidateWebhook = dumpYaml(validateWebhook, { noRefs: true });
+        const validateWebhookTemplate = replaceString(
+          replaceString(
+            replaceString(yamlValidateWebhook, this.name, "{{ .Values.uuid }}"),
+            this.config.onError === "reject" ? "Fail" : "Ignore",
+            "{{ .Values.admission.failurePolicy }}",
+          ),
+          `${this.config.webhookTimeout}` || "10",
+          "{{ .Values.admission.webhookTimeout }}",
+        );
+        await fs.writeFile(validationWebhookPath, validateWebhookTemplate);
+      }
+
+      if (watchDeployment) {
+        await fs.writeFile(watcherDeployPath, dedent(watcherDeployTemplate(this.buildTimestamp)));
+      }
+    } catch (err) {
+      console.error(`Error generating helm chart: ${err.message}`);
+      process.exit(1);
+    }
+  };
 }

package/src/lib/assets/pods.ts

@@ -11,17 +11,27 @@ import { Binding } from "../types";
 
 /** Generate the pepr-system namespace */
 export function namespace(namespaceLabels?: Record<string, string>) {
-  return {
-    apiVersion: "v1",
-    kind: "Namespace",
-    metadata: {
-      name: "pepr-system",
-      labels: namespaceLabels ?? {},
-    },
-  };
+  if (namespaceLabels) {
+    return {
+      apiVersion: "v1",
+      kind: "Namespace",
+      metadata: {
+        name: "pepr-system",
+        labels: namespaceLabels ?? {},
+      },
+    };
+  } else {
+    return {
+      apiVersion: "v1",
+      kind: "Namespace",
+      metadata: {
+        name: "pepr-system",
+      },
+    };
+  }
 }
 
-export function watcher(assets: Assets, hash: string) {
+export function watcher(assets: Assets, hash: string, buildTimestamp: string) {
   const { name, image, capabilities, config } = assets;
 
   let hasSchedule = false;
@@ -73,7 +83,7 @@ export function watcher(assets: Assets, hash: string) {
       template: {
         metadata: {
           annotations: {
-            buildTimestamp: `${Date.now()}`,
+            buildTimestamp: `${buildTimestamp}`,
           },
           labels: {
             app,
@@ -167,7 +177,7 @@ export function watcher(assets: Assets, hash: string) {
   };
 }
 
-export function deployment(assets: Assets, hash: string): kind.Deployment {
+export function deployment(assets: Assets, hash: string, buildTimestamp: string): kind.Deployment {
   const { name, image, config } = assets;
   const app = name;
 
@@ -197,7 +207,7 @@ export function deployment(assets: Assets, hash: string): kind.Deployment {
       template: {
         metadata: {
           annotations: {
-            buildTimestamp: `${Date.now()}`,
+            buildTimestamp: `${buildTimestamp}`,
           },
           labels: {
             app,

package/src/lib/assets/yaml.ts

@@ -11,6 +11,118 @@ import { deployment, moduleSecret, namespace, watcher } from "./pods";
 import { clusterRole, clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";
 import { webhookConfig } from "./webhooks";
 
+// Helm Chart overrides file (values.yaml) generated from assets
+export async function overridesFile({ hash, name, image, config, apiToken }: Assets, path: string) {
+  const overrides = {
+    secrets: {
+      apiToken: Buffer.from(apiToken).toString("base64"),
+    },
+    hash,
+    namespace: {
+      annotations: {},
+      labels: {
+        "pepr.dev": "",
+      },
+    },
+    uuid: name,
+    admission: {
+      failurePolicy: config.onError === "reject" ? "Fail" : "Ignore",
+      webhookTimeout: config.webhookTimeout,
+      env: [
+        { name: "PEPR_WATCH_MODE", value: "false" },
+        { name: "PEPR_PRETTY_LOG", value: "false" },
+        { name: "LOG_LEVEL", value: "debug" },
+        process.env.PEPR_MODE === "dev" && { name: "MY_CUSTOM_VAR", value: "example-value" },
+        process.env.PEPR_MODE === "dev" && { name: "ZARF_VAR", value: "###ZARF_VAR_THING###" },
+      ],
+      image,
+      annotations: {
+        "pepr.dev/description": `${config.description}` || "",
+      },
+      labels: {
+        app: name,
+        "pepr.dev/controller": "admission",
+        "pepr.dev/uuid": config.uuid,
+      },
+      securityContext: {
+        runAsUser: 65532,
+        runAsGroup: 65532,
+        runAsNonRoot: true,
+        fsGroup: 65532,
+      },
+      resources: {
+        requests: {
+          memory: "64Mi",
+          cpu: "100m",
+        },
+        limits: {
+          memory: "256Mi",
+          cpu: "500m",
+        },
+      },
+      containerSecurityContext: {
+        runAsUser: 65532,
+        runAsGroup: 65532,
+        runAsNonRoot: true,
+        allowPrivilegeEscalation: false,
+        capabilities: {
+          drop: ["ALL"],
+        },
+      },
+      nodeSelector: {},
+      tolerations: [],
+      affinity: {},
+    },
+    watcher: {
+      env: [
+        { name: "PEPR_WATCH_MODE", value: "true" },
+        { name: "PEPR_PRETTY_LOG", value: "false" },
+        { name: "LOG_LEVEL", value: "debug" },
+        process.env.PEPR_MODE === "dev" && { name: "MY_CUSTOM_VAR", value: "example-value" },
+        process.env.PEPR_MODE === "dev" && { name: "ZARF_VAR", value: "###ZARF_VAR_THING###" },
+      ],
+      image,
+      annotations: {
+        "pepr.dev/description": `${config.description}` || "",
+      },
+      labels: {
+        app: `${name}-watcher`,
+        "pepr.dev/controller": "watcher",
+        "pepr.dev/uuid": config.uuid,
+      },
+      securityContext: {
+        runAsUser: 65532,
+        runAsGroup: 65532,
+        runAsNonRoot: true,
+        fsGroup: 65532,
+      },
+      resources: {
+        requests: {
+          memory: "64Mi",
+          cpu: "100m",
+        },
+        limits: {
+          memory: "256Mi",
+          cpu: "500m",
+        },
+      },
+      containerSecurityContext: {
+        runAsUser: 65532,
+        runAsGroup: 65532,
+        runAsNonRoot: true,
+        allowPrivilegeEscalation: false,
+        capabilities: {
+          drop: ["ALL"],
+        },
+      },
+      nodeSelector: {},
+      tolerations: [],
+      affinity: {},
+    },
+  };
+
+  await fs.writeFile(path, dumpYaml(overrides, { noRefs: true, forceQuotes: true }));
+}
 export function zarfYaml({ name, image, config }: Assets, path: string) {
   const zarfCfg = {
     kind: "ZarfPackageConfig",
@@ -45,11 +157,11 @@ export async function allYaml(assets: Assets, rbacMode: string) {
   const code = await fs.readFile(path);
 
   // Generate a hash of the code
-  const hash = crypto.createHash("sha256").update(code).digest("hex");
+  assets.hash = crypto.createHash("sha256").update(code).digest("hex");
 
   const mutateWebhook = await webhookConfig(assets, "mutate", assets.config.webhookTimeout);
   const validateWebhook = await webhookConfig(assets, "validate", assets.config.webhookTimeout);
-  const watchDeployment = watcher(assets, hash);
+  const watchDeployment = watcher(assets, assets.hash, assets.buildTimestamp);
 
   const resources = [
     namespace(assets.config.customLabels?.namespace),
@@ -58,10 +170,10 @@ export async function allYaml(assets: Assets, rbacMode: string) {
     serviceAccount(name),
     apiTokenSecret(name, apiToken),
     tlsSecret(name, tls),
-    deployment(assets, hash),
+    deployment(assets, assets.hash, assets.buildTimestamp),
     service(name),
     watcherService(name),
-    moduleSecret(name, code, hash),
+    moduleSecret(name, code, assets.hash),
     storeRole(name),
     storeRoleBinding(name),
   ];

package/src/lib/filter.ts

@@ -47,7 +47,10 @@ export function shouldSkipRequest(binding: Binding, req: AdmissionRequest, capab
   }
 
   // Test for matching namespaces
-  if (combinedNamespaces.length && !combinedNamespaces.includes(req.namespace || "")) {
+  if (
+    (combinedNamespaces.length && !combinedNamespaces.includes(req.namespace || "")) ||
+    (!namespaces.includes(req.namespace || "") && capabilityNamespaces.length !== 0 && namespaces.length !== 0)
+  ) {
     logger.debug("Namespace does not match");
     return true;
   }