pepr 0.3.1 → 0.4.0

package/dist/lib.js

@@ -0,0 +1,1150 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/lib.ts
+var lib_exports = {};
+__export(lib_exports, {
+  Capability: () => Capability,
+  Log: () => logger_default,
+  PeprModule: () => PeprModule,
+  PeprRequest: () => PeprRequest,
+  RegisterKind: () => RegisterKind,
+  a: () => upstream_exports,
+  fetch: () => fetch,
+  fetchRaw: () => fetchRaw,
+  fetchStatus: () => import_http_status_codes2.StatusCodes,
+  k8s: () => import_client_node2.default,
+  utils: () => utils
+});
+module.exports = __toCommonJS(lib_exports);
+var import_client_node2 = __toESM(require("@kubernetes/client-node"));
+var import_http_status_codes2 = require("http-status-codes");
+var utils = __toESM(require("ramda"));
+
+// src/lib/k8s/upstream.ts
+var upstream_exports = {};
+__export(upstream_exports, {
+  APIService: () => import_client_node.V1APIService,
+  CSIDriver: () => import_client_node.V1CSIDriver,
+  CSIStorageCapacity: () => import_client_node.V1CSIStorageCapacity,
+  CertificateSigningRequest: () => import_client_node.V1CertificateSigningRequest,
+  ConfigMap: () => import_client_node.V1ConfigMap,
+  ControllerRevision: () => import_client_node.V1ControllerRevision,
+  CronJob: () => import_client_node.V1CronJob,
+  CustomResourceDefinition: () => import_client_node.V1CustomResourceDefinition,
+  DaemonSet: () => import_client_node.V1DaemonSet,
+  Deployment: () => import_client_node.V1Deployment,
+  EndpointSlice: () => import_client_node.V1EndpointSlice,
+  GenericKind: () => GenericKind,
+  HorizontalPodAutoscaler: () => import_client_node.V1HorizontalPodAutoscaler,
+  Ingress: () => import_client_node.V1Ingress,
+  IngressClass: () => import_client_node.V1IngressClass,
+  Job: () => import_client_node.V1Job,
+  LimitRange: () => import_client_node.V1LimitRange,
+  LocalSubjectAccessReview: () => import_client_node.V1LocalSubjectAccessReview,
+  MutatingWebhookConfiguration: () => import_client_node.V1MutatingWebhookConfiguration,
+  Namespace: () => import_client_node.V1Namespace,
+  NetworkPolicy: () => import_client_node.V1NetworkPolicy,
+  Node: () => import_client_node.V1Node,
+  PersistentVolume: () => import_client_node.V1PersistentVolume,
+  PersistentVolumeClaim: () => import_client_node.V1PersistentVolumeClaim,
+  Pod: () => import_client_node.V1Pod,
+  PodDisruptionBudget: () => import_client_node.V1PodDisruptionBudget,
+  PodTemplate: () => import_client_node.V1PodTemplate,
+  ReplicaSet: () => import_client_node.V1ReplicaSet,
+  ReplicationController: () => import_client_node.V1ReplicationController,
+  ResourceQuota: () => import_client_node.V1ResourceQuota,
+  RuntimeClass: () => import_client_node.V1RuntimeClass,
+  Secret: () => import_client_node.V1Secret,
+  SelfSubjectAccessReview: () => import_client_node.V1SelfSubjectAccessReview,
+  SelfSubjectRulesReview: () => import_client_node.V1SelfSubjectRulesReview,
+  Service: () => import_client_node.V1Service,
+  ServiceAccount: () => import_client_node.V1ServiceAccount,
+  StatefulSet: () => import_client_node.V1StatefulSet,
+  StorageClass: () => import_client_node.V1StorageClass,
+  SubjectAccessReview: () => import_client_node.V1SubjectAccessReview,
+  TokenReview: () => import_client_node.V1TokenReview,
+  ValidatingWebhookConfiguration: () => import_client_node.V1ValidatingWebhookConfiguration,
+  VolumeAttachment: () => import_client_node.V1VolumeAttachment
+});
+var import_client_node = require("@kubernetes/client-node");
+
+// src/lib/k8s/types.ts
+var GenericKind = class {
+  apiVersion;
+  kind;
+  metadata;
+};
+
+// src/lib/k8s/kinds.ts
+var gvkMap = {
+  /**
+   * Represents a K8s ConfigMap resource.
+   * ConfigMap holds configuration data for pods to consume.
+   * @see {@link https://kubernetes.io/docs/concepts/configuration/configmap/}
+   */
+  V1ConfigMap: {
+    kind: "ConfigMap",
+    version: "v1",
+    group: ""
+  },
+  /**
+   * Represents a K8s Endpoints resource.
+   * Endpoints expose a service's IP addresses and ports to other resources.
+   * @see {@link https://kubernetes.io/docs/concepts/services-networking/service/#endpoints}
+   */
+  V1Endpoint: {
+    kind: "Endpoints",
+    version: "v1",
+    group: ""
+  },
+  /**
+   * Represents a K8s LimitRange resource.
+   * LimitRange enforces constraints on the resource consumption of objects in a namespace.
+   * @see {@link https://kubernetes.io/docs/concepts/policy/limit-range/}
+   */
+  V1LimitRange: {
+    kind: "LimitRange",
+    version: "v1",
+    group: ""
+  },
+  /**
+   * Represents a K8s Namespace resource.
+   * Namespace is a way to divide cluster resources between multiple users.
+   * @see {@link https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/}
+   */
+  V1Namespace: {
+    kind: "Namespace",
+    version: "v1",
+    group: ""
+  },
+  /**
+   * Represents a K8s Node resource.
+   * Node is a worker machine in Kubernetes.
+   * @see {@link https://kubernetes.io/docs/concepts/architecture/nodes/}
+   */
+  V1Node: {
+    kind: "Node",
+    version: "v1",
+    group: ""
+  },
+  /**
+   * Represents a K8s PersistentVolumeClaim resource.
+   * PersistentVolumeClaim is a user's request for and claim to a persistent volume.
+   * @see {@link https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims}
+   */
+  V1PersistentVolumeClaim: {
+    kind: "PersistentVolumeClaim",
+    version: "v1",
+    group: ""
+  },
+  /**
+   * Represents a K8s PersistentVolume resource.
+   * PersistentVolume is a piece of storage in the cluster that has been provisioned by an administrator.
+   * @see {@link https://kubernetes.io/docs/concepts/storage/persistent-volumes/}
+   */
+  V1PersistentVolume: {
+    kind: "PersistentVolume",
+    version: "v1",
+    group: ""
+  },
+  /**
+   * Represents a K8s Pod resource.
+   * Pod is the smallest and simplest unit in the Kubernetes object model.
+   * @see {@link https://kubernetes.io/docs/concepts/workloads/pods/}
+   */
+  V1Pod: {
+    kind: "Pod",
+    version: "v1",
+    group: ""
+  },
+  /**
+   * Represents a K8s PodTemplate resource.
+   * PodTemplate is an object that describes the pod that will be created from a higher level abstraction.
+   * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/#pod-template}
+   */
+  V1PodTemplate: {
+    kind: "PodTemplate",
+    version: "v1",
+    group: ""
+  },
+  /**
+   * Represents a K8s ReplicationController resource.
+   * ReplicationController ensures that a specified number of pod replicas are running at any given time.
+   * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/}
+   */
+  V1ReplicationController: {
+    kind: "ReplicationController",
+    version: "v1",
+    group: ""
+  },
+  /**
+   * Represents a K8s ResourceQuota resource.
+   * ResourceQuota provides constraints that limit resource consumption per namespace.
+   * @see {@link https://kubernetes.io/docs/concepts/policy/resource-quotas/}
+   */
+  V1ResourceQuota: {
+    kind: "ResourceQuota",
+    version: "v1",
+    group: ""
+  },
+  /**
+   * Represents a K8s Secret resource.
+   * Secret holds secret data of a certain type.
+   * @see {@link https://kubernetes.io/docs/concepts/configuration/secret/}
+   */
+  V1Secret: {
+    kind: "Secret",
+    version: "v1",
+    group: ""
+  },
+  /**
+   * Represents a K8s ServiceAccount resource.
+   * ServiceAccount is an identity that processes in a pod can use to access the Kubernetes API.
+   * @see {@link https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/}
+   */
+  V1ServiceAccount: {
+    kind: "ServiceAccount",
+    version: "v1",
+    group: ""
+  },
+  /**
+   * Represents a K8s Service resource.
+   * Service is an abstraction which defines a logical set of Pods and a policy by which to access them.
+   * @see {@link https://kubernetes.io/docs/concepts/services-networking/service/}
+   */
+  V1Service: {
+    kind: "Service",
+    version: "v1",
+    group: ""
+  },
+  /**
+   * Represents a K8s MutatingWebhookConfiguration resource.
+   * MutatingWebhookConfiguration configures a mutating admission webhook.
+   * @see {@link https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#configure-admission-webhooks-on-the-fly}
+   */
+  V1MutatingWebhookConfiguration: {
+    kind: "MutatingWebhookConfiguration",
+    version: "v1",
+    group: "admissionregistration.k8s.io"
+  },
+  /**
+   * Represents a K8s ValidatingWebhookConfiguration resource.
+   * ValidatingWebhookConfiguration configures a validating admission webhook.
+   * @see {@link https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#configure-admission-webhooks-on-the-fly}
+   */
+  V1ValidatingWebhookConfiguration: {
+    kind: "ValidatingWebhookConfiguration",
+    version: "v1",
+    group: "admissionregistration.k8s.io"
+  },
+  /**
+   * Represents a K8s CustomResourceDefinition resource.
+   * CustomResourceDefinition is a custom resource in a Kubernetes cluster.
+   * @see {@link https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/}
+   */
+  V1CustomResourceDefinition: {
+    kind: "CustomResourceDefinition",
+    version: "v1",
+    group: "apiextensions.k8s.io"
+  },
+  /**
+   * Represents a K8s APIService resource.
+   * APIService represents a server for a particular API version and group.
+   * @see {@link https://kubernetes.io/docs/tasks/access-kubernetes-api/setup-extension-api-server/}
+   */
+  V1APIService: {
+    kind: "APIService",
+    version: "v1",
+    group: "apiregistration.k8s.io"
+  },
+  /**
+   * Represents a K8s ControllerRevision resource.
+   * ControllerRevision is used to manage the history of a StatefulSet or DaemonSet.
+   * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#revision-history}
+   */
+  V1ControllerRevision: {
+    kind: "ControllerRevision",
+    version: "v1",
+    group: "apps"
+  },
+  /**
+   * Represents a K8s DaemonSet resource.
+   * DaemonSet ensures that all (or some) nodes run a copy of a Pod.
+   * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/}
+   */
+  V1DaemonSet: {
+    kind: "DaemonSet",
+    version: "v1",
+    group: "apps"
+  },
+  /**
+   * Represents a K8s Deployment resource.
+   * Deployment provides declarative updates for Pods and ReplicaSets.
+   * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/deployment/}
+   */
+  V1Deployment: {
+    kind: "Deployment",
+    version: "v1",
+    group: "apps"
+  },
+  /**
+   * Represents a K8s ReplicaSet resource.
+   * ReplicaSet ensures that a specified number of pod replicas are running at any given time.
+   * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/}
+   */
+  V1ReplicaSet: {
+    kind: "ReplicaSet",
+    version: "v1",
+    group: "apps"
+  },
+  /**
+   * Represents a K8s StatefulSet resource.
+   * StatefulSet is used to manage stateful applications.
+   * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/}
+   */
+  V1StatefulSet: {
+    kind: "StatefulSet",
+    version: "v1",
+    group: "apps"
+  },
+  /**
+   * Represents a K8s TokenReview resource.
+   * TokenReview attempts to authenticate a token to a known user.
+   * @see {@link https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#tokenreview-v1-authentication-k8s-io}
+   */
+  V1TokenReview: {
+    kind: "TokenReview",
+    version: "v1",
+    group: "authentication.k8s.io"
+  },
+  /**
+   * Represents a K8s LocalSubjectAccessReview resource.
+   * LocalSubjectAccessReview checks whether a specific user can perform a specific action in a specific namespace.
+   * @see {@link https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#localsubjectaccessreview-v1-authorization-k8s-io}
+   */
+  V1LocalSubjectAccessReview: {
+    kind: "LocalSubjectAccessReview",
+    version: "v1",
+    group: "authorization.k8s.io"
+  },
+  /**
+   * Represents a K8s SelfSubjectAccessReview resource.
+   * SelfSubjectAccessReview checks whether the current user can perform a specific action.
+   * @see {@link https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#selfsubjectaccessreview-v1-authorization-k8s-io}
+   */
+  V1SelfSubjectAccessReview: {
+    kind: "SelfSubjectAccessReview",
+    version: "v1",
+    group: "authorization.k8s.io"
+  },
+  /**
+   * Represents a K8s SelfSubjectRulesReview resource.
+   * SelfSubjectRulesReview lists the permissions a specific user has within a namespace.
+   * @see {@link https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#selfsubjectrulesreview-v1-authorization-k8s-io}
+   */
+  V1SelfSubjectRulesReview: {
+    kind: "SelfSubjectRulesReview",
+    version: "v1",
+    group: "authorization.k8s.io"
+  },
+  /**
+   * Represents a K8s SubjectAccessReview resource.
+   * SubjectAccessReview checks whether a specific user can perform a specific action.
+   * @see {@link https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#subjectaccessreview-v1-authorization-k8s-io}
+   */
+  V1SubjectAccessReview: {
+    kind: "SubjectAccessReview",
+    version: "v1",
+    group: "authorization.k8s.io"
+  },
+  /**
+   * Represents a K8s HorizontalPodAutoscaler resource.
+   * HorizontalPodAutoscaler automatically scales the number of Pods in a replication controller, deployment, or replica set.
+   * @see {@link https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/}
+   */
+  V1HorizontalPodAutoscaler: {
+    kind: "HorizontalPodAutoscaler",
+    version: "v2",
+    group: "autoscaling"
+  },
+  /**
+   * Represents a K8s CronJob resource.
+   * CronJob manages time-based jobs, specifically those that run periodically and complete after a successful execution.
+   * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/}
+   */
+  V1CronJob: {
+    kind: "CronJob",
+    version: "v1",
+    group: "batch"
+  },
+  /**
+   * Represents a K8s Job resource.
+   * Job represents the configuration of a single job.
+   * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/job/}
+   */
+  V1Job: {
+    kind: "Job",
+    version: "v1",
+    group: "batch"
+  },
+  /**
+   * Represents a K8s CertificateSigningRequest resource.
+   * CertificateSigningRequest represents a certificate signing request.
+   * @see {@link https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/}
+   */
+  V1CertificateSigningRequest: {
+    kind: "CertificateSigningRequest",
+    version: "v1",
+    group: "certificates.k8s.io"
+  },
+  /**
+   * Represents a K8s EndpointSlice resource.
+   * EndpointSlice represents a scalable set of network endpoints for a Kubernetes Service.
+   * @see {@link https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/}
+   */
+  V1EndpointSlice: {
+    kind: "EndpointSlice",
+    version: "v1",
+    group: "discovery.k8s.io"
+  },
+  /**
+   * Represents a K8s IngressClass resource.
+   * IngressClass represents the class of the Ingress, referenced by the Ingress spec.
+   * @see {@link https://kubernetes.io/docs/concepts/services-networking/ingress/}
+   */
+  V1IngressClass: {
+    kind: "IngressClass",
+    version: "v1",
+    group: "networking.k8s.io"
+  },
+  /**
+   * Represents a K8s Ingress resource.
+   * Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster.
+   * @see {@link https://kubernetes.io/docs/concepts/services-networking/ingress/}
+   */
+  V1Ingress: {
+    kind: "Ingress",
+    version: "v1",
+    group: "networking.k8s.io"
+  },
+  /**
+   * Represents a K8s NetworkPolicy resource.
+   * NetworkPolicy defines a set of rules for how pods communicate with each other.
+   * @see {@link https://kubernetes.io/docs/concepts/services-networking/network-policies/}
+   */
+  V1NetworkPolicy: {
+    kind: "NetworkPolicy",
+    version: "v1",
+    group: "networking.k8s.io"
+  },
+  /**
+   * Represents a K8s RuntimeClass resource.
+   * RuntimeClass is a cluster-scoped resource that surfaces container runtime properties to the control plane.
+   * @see {@link https://kubernetes.io/docs/concepts/containers/runtime-class/}
+   */
+  V1RuntimeClass: {
+    kind: "RuntimeClass",
+    version: "v1",
+    group: "node.k8s.io"
+  },
+  /**
+   * Represents a K8s PodDisruptionBudget resource.
+   * PodDisruptionBudget is an API object that limits the number of pods of a replicated application that are down simultaneously.
+   * @see {@link https://kubernetes.io/docs/concepts/workloads/pods/disruptions/}
+   */
+  V1PodDisruptionBudget: {
+    kind: "PodDisruptionBudget",
+    version: "v1",
+    group: "policy"
+  },
+  /**
+   * Represents a K8s VolumeAttachment resource.
+   * VolumeAttachment captures the intent to attach or detach the specified volume to/from the specified node.
+   * @see {@link https://kubernetes.io/docs/concepts/storage/storage-classes/}
+   */
+  V1VolumeAttachment: {
+    kind: "VolumeAttachment",
+    version: "v1",
+    group: "storage.k8s.io"
+  },
+  /**
+   * Represents a K8s CSIDriver resource.
+   * CSIDriver captures information about a Container Storage Interface (CSI) volume driver.
+   * @see {@link https://kubernetes.io/docs/concepts/storage/volumes/}
+   */
+  V1CSIDriver: {
+    kind: "CSIDriver",
+    version: "v1",
+    group: "storage.k8s.io"
+  },
+  /**
+   * Represents a K8s CSIStorageCapacity resource.
+   * CSIStorageCapacity stores the reported storage capacity of a CSI node or storage class.
+   * @see {@link https://kubernetes.io/docs/concepts/storage/csi/}
+   */
+  V1CSIStorageCapacity: {
+    kind: "CSIStorageCapacity",
+    version: "v1",
+    group: "storage.k8s.io"
+  },
+  /**
+   * Represents a K8s StorageClass resource.
+   * StorageClass is a cluster-scoped resource that provides a way for administrators to describe the classes of storage they offer.
+   * @see {@link https://kubernetes.io/docs/concepts/storage/storage-classes/}
+   */
+  V1StorageClass: {
+    kind: "StorageClass",
+    version: "v1",
+    group: "storage.k8s.io"
+  }
+};
+function modelToGroupVersionKind(key) {
+  return gvkMap[key];
+}
+var RegisterKind = (model, groupVersionKind) => {
+  const name = model.name;
+  if (gvkMap[name]) {
+    throw new Error(`GVK ${name} already registered`);
+  }
+  gvkMap[name] = groupVersionKind;
+};
+
+// src/lib/logger.ts
+var LogLevel = /* @__PURE__ */ ((LogLevel2) => {
+  LogLevel2[LogLevel2["debug"] = 0] = "debug";
+  LogLevel2[LogLevel2["info"] = 1] = "info";
+  LogLevel2[LogLevel2["warn"] = 2] = "warn";
+  LogLevel2[LogLevel2["error"] = 3] = "error";
+  return LogLevel2;
+})(LogLevel || {});
+var Logger = class {
+  _logLevel;
+  /**
+   * Create a new logger instance.
+   * @param logLevel - The minimum log level to log messages for.
+   */
+  constructor(logLevel) {
+    this._logLevel = logLevel;
+  }
+  /**
+   * Change the log level of the logger.
+   * @param logLevel - The log level to log the message at.
+   */
+  SetLogLevel(logLevel) {
+    this._logLevel = LogLevel[logLevel];
+    this.debug(`Log level set to ${logLevel}`);
+  }
+  /**
+   * Log a debug message.
+   * @param message - The message to log.
+   */
+  debug(message, prefix) {
+    this.log(0 /* debug */, message, prefix);
+  }
+  /**
+   * Log an info message.
+   * @param message - The message to log.
+   */
+  info(message, prefix) {
+    this.log(1 /* info */, message, prefix);
+  }
+  /**
+   * Log a warning message.
+   * @param message - The message to log.
+   */
+  warn(message, prefix) {
+    this.log(2 /* warn */, message, prefix);
+  }
+  /**
+   * Log an error message.
+   * @param message - The message to log.
+   */
+  error(message, prefix) {
+    this.log(3 /* error */, message, prefix);
+  }
+  /**
+   * Log a message at the specified log level.
+   * @param logLevel - The log level of the message.
+   * @param message - The message to log.
+   */
+  log(logLevel, message, callerPrefix = "") {
+    const color = {
+      [0 /* debug */]: "\x1B[30m" /* FgBlack */,
+      [1 /* info */]: "\x1B[36m" /* FgCyan */,
+      [2 /* warn */]: "\x1B[33m" /* FgYellow */,
+      [3 /* error */]: "\x1B[31m" /* FgRed */
+    };
+    if (logLevel >= this._logLevel) {
+      let prefix = "[" + LogLevel[logLevel] + "]	" + callerPrefix;
+      prefix = this.colorize(prefix, color[logLevel]);
+      if (typeof message !== "string") {
+        console.log(prefix);
+        console.debug("%o", message);
+      } else {
+        console.log(prefix + "	" + message);
+      }
+    }
+  }
+  colorize(text, color) {
+    return color + text + "\x1B[0m" /* Reset */;
+  }
+};
+var Log = new Logger(1 /* info */);
+if (process.env.LOG_LEVEL) {
+  Log.SetLogLevel(process.env.LOG_LEVEL);
+}
+var logger_default = Log;
+
+// src/lib/capability.ts
+var Capability = class {
+  _name;
+  _description;
+  _namespaces;
+  // Currently everything is considered a mutation
+  _mutateOrValidate = "mutate" /* mutate */;
+  _bindings = [];
+  get bindings() {
+    return this._bindings;
+  }
+  get name() {
+    return this._name;
+  }
+  get description() {
+    return this._description;
+  }
+  get namespaces() {
+    return this._namespaces || [];
+  }
+  get mutateOrValidate() {
+    return this._mutateOrValidate;
+  }
+  constructor(cfg) {
+    this._name = cfg.name;
+    this._description = cfg.description;
+    this._namespaces = cfg.namespaces;
+    logger_default.info(`Capability ${this._name} registered`);
+    logger_default.debug(cfg);
+  }
+  /**
+   * The When method is used to register a capability action to be executed when a Kubernetes resource is
+   * processed by Pepr. The action will be executed if the resource matches the specified kind and any
+   * filters that are applied.
+   *
+   * @param model the KubernetesObject model to match
+   * @param kind if using a custom KubernetesObject not available in `a.*`, specify the GroupVersionKind
+   * @returns
+   */
+  When = (model, kind) => {
+    const matchedKind = modelToGroupVersionKind(model.name);
+    if (!matchedKind && !kind) {
+      throw new Error(`Kind not specified for ${model.name}`);
+    }
+    const binding = {
+      // If the kind is not specified, use the matched kind from the model
+      kind: kind || matchedKind,
+      filters: {
+        name: "",
+        namespaces: [],
+        labels: {},
+        annotations: {}
+      },
+      callback: () => void 0
+    };
+    const prefix = `${this._name}: ${model.name}`;
+    logger_default.info(`Binding created`, prefix);
+    const Then = (cb) => {
+      logger_default.info(`Binding action created`, prefix);
+      logger_default.debug(cb.toString(), prefix);
+      this._bindings.push({
+        ...binding,
+        callback: cb
+      });
+      return { Then };
+    };
+    const ThenSet = (merge) => {
+      Then((req) => req.Merge(merge));
+      return { Then };
+    };
+    function InNamespace(...namespaces) {
+      logger_default.debug(`Add namespaces filter ${namespaces}`, prefix);
+      binding.filters.namespaces.push(...namespaces);
+      return { WithLabel, WithAnnotation, WithName, Then, ThenSet };
+    }
+    function WithName(name) {
+      logger_default.debug(`Add name filter ${name}`, prefix);
+      binding.filters.name = name;
+      return { WithLabel, WithAnnotation, Then, ThenSet };
+    }
+    function WithLabel(key, value = "") {
+      logger_default.debug(`Add label filter ${key}=${value}`, prefix);
+      binding.filters.labels[key] = value;
+      return { WithLabel, WithAnnotation, Then, ThenSet };
+    }
+    const WithAnnotation = (key, value = "") => {
+      logger_default.debug(`Add annotation filter ${key}=${value}`, prefix);
+      binding.filters.annotations[key] = value;
+      return { WithLabel, WithAnnotation, Then, ThenSet };
+    };
+    const bindEvent = (event) => {
+      binding.event = event;
+      return {
+        InNamespace,
+        Then,
+        ThenSet,
+        WithAnnotation,
+        WithLabel,
+        WithName
+      };
+    };
+    return {
+      IsCreatedOrUpdated: () => bindEvent("CREATEORUPDATE" /* CreateOrUpdate */),
+      IsCreated: () => bindEvent("CREATE" /* Create */),
+      IsUpdated: () => bindEvent("UPDATE" /* Update */),
+      IsDeleted: () => bindEvent("DELETE" /* Delete */)
+    };
+  };
+};
+
+// src/lib/fetch.ts
+var import_http_status_codes = require("http-status-codes");
+var import_node_fetch = __toESM(require("node-fetch"));
+var fetchRaw = import_node_fetch.default;
+async function fetch(url, init) {
+  let data = void 0;
+  try {
+    logger_default.debug(`Fetching ${url}`);
+    const resp = await fetchRaw(url, init);
+    const contentType = resp.headers.get("content-type") || "";
+    if (resp.ok) {
+      if (contentType.includes("application/json")) {
+        data = await resp.json();
+      } else {
+        data = await resp.text();
+      }
+    }
+    return {
+      data,
+      ok: resp.ok,
+      status: resp.status,
+      statusText: resp.statusText
+    };
+  } catch (e) {
+    if (e instanceof import_node_fetch.FetchError) {
+      logger_default.debug(`Fetch failed: ${e instanceof Error ? e.message : e}`);
+      const status = parseInt(e.code || "400");
+      return {
+        data,
+        ok: false,
+        status,
+        statusText: e.message
+      };
+    }
+    return {
+      data,
+      ok: false,
+      status: import_http_status_codes.StatusCodes.BAD_REQUEST,
+      statusText: "Unknown error"
+    };
+  }
+}
+
+// src/lib/module.ts
+var import_ramda2 = require("ramda");
+
+// src/lib/controller.ts
+var import_express = __toESM(require("express"));
+var import_fs = __toESM(require("fs"));
+var import_https = __toESM(require("https"));
+
+// src/lib/processor.ts
+var import_fast_json_patch = __toESM(require("fast-json-patch"));
+
+// src/lib/filter.ts
+function shouldSkipRequest(binding, req) {
+  const { group, kind, version } = binding.kind || {};
+  const { namespaces, labels, annotations, name } = binding.filters || {};
+  const { metadata } = req.object || {};
+  if (binding.event && !binding.event.includes(req.operation)) {
+    return true;
+  }
+  if (name && name !== req.name) {
+    return true;
+  }
+  if (kind !== req.kind.kind) {
+    return true;
+  }
+  if (group && group !== req.kind.group) {
+    return true;
+  }
+  if (version && version !== req.kind.version) {
+    return true;
+  }
+  if (namespaces.length && !namespaces.includes(req.namespace || "")) {
+    logger_default.debug("Namespace does not match");
+    return true;
+  }
+  for (const [key, value] of Object.entries(labels)) {
+    const testKey = metadata?.labels?.[key];
+    if (!testKey) {
+      logger_default.debug(`Label ${key} does not exist`);
+      return true;
+    }
+    if (value && testKey !== value) {
+      logger_default.debug(`${testKey} does not match ${value}`);
+      return true;
+    }
+  }
+  for (const [key, value] of Object.entries(annotations)) {
+    const testKey = metadata?.annotations?.[key];
+    if (!testKey) {
+      logger_default.debug(`Annotation ${key} does not exist`);
+      return true;
+    }
+    if (value && testKey !== value) {
+      logger_default.debug(`${testKey} does not match ${value}`);
+      return true;
+    }
+  }
+  return false;
+}
+
+// src/lib/request.ts
+var import_ramda = require("ramda");
+var PeprRequest = class {
+  _input;
+  Raw;
+  get PermitSideEffects() {
+    return !this._input.dryRun;
+  }
+  /**
+   * Indicates whether the request is a dry run.
+   * @returns true if the request is a dry run, false otherwise.
+   */
+  get IsDryRun() {
+    return this._input.dryRun;
+  }
+  /**
+   * Provides access to the old resource in the request if available.
+   * @returns The old Kubernetes resource object or null if not available.
+   */
+  get OldResource() {
+    return this._input.oldObject;
+  }
+  /**
+   * Provides access to the request object.
+   * @returns The request object containing the Kubernetes resource.
+   */
+  get Request() {
+    return this._input;
+  }
+  /**
+   * Creates a new instance of the Action class.
+   * @param input - The request object containing the Kubernetes resource to modify.
+   */
+  constructor(input) {
+    this.Raw = (0, import_ramda.clone)(input.object);
+    this._input = input;
+  }
+  /**
+   * Deep merges the provided object with the current resource.
+   *
+   * @param obj - The object to merge with the current resource.
+   */
+  Merge(obj) {
+    this.Raw = (0, import_ramda.mergeDeepRight)(this.Raw, obj);
+  }
+  /**
+   * Updates a label on the Kubernetes resource.
+   * @param key - The key of the label to update.
+   * @param value - The value of the label.
+   * @returns The current Action instance for method chaining.
+   */
+  SetLabel(key, value) {
+    const ref = this.Raw;
+    ref.metadata = ref.metadata ?? {};
+    ref.metadata.labels = ref.metadata.labels ?? {};
+    ref.metadata.labels[key] = value;
+    return this;
+  }
+  /**
+   * Updates an annotation on the Kubernetes resource.
+   * @param key - The key of the annotation to update.
+   * @param value - The value of the annotation.
+   * @returns The current Action instance for method chaining.
+   */
+  SetAnnotation(key, value) {
+    const ref = this.Raw;
+    ref.metadata = ref.metadata ?? {};
+    ref.metadata.annotations = ref.metadata.annotations ?? {};
+    ref.metadata.annotations[key] = value;
+    return this;
+  }
+  /**
+   * Removes a label from the Kubernetes resource.
+   * @param key - The key of the label to remove.
+   * @returns The current Action instance for method chaining.
+   */
+  RemoveLabel(key) {
+    if (this.Raw.metadata?.labels?.[key]) {
+      delete this.Raw.metadata.labels[key];
+    }
+    return this;
+  }
+  /**
+   * Removes an annotation from the Kubernetes resource.
+   * @param key - The key of the annotation to remove.
+   * @returns The current Action instance for method chaining.
+   */
+  RemoveAnnotation(key) {
+    if (this.Raw.metadata?.annotations?.[key]) {
+      delete this.Raw.metadata.annotations[key];
+    }
+    return this;
+  }
+  /**
+   * Check if a label exists on the Kubernetes resource.
+   *
+   * @param key the label key to check
+   * @returns
+   */
+  HasLabel(key) {
+    return this.Raw?.metadata?.labels?.[key] !== void 0;
+  }
+  /**
+   * Check if an annotation exists on the Kubernetes resource.
+   *
+   * @param key the annotation key to check
+   * @returns
+   */
+  HasAnnotation(key) {
+    return this.Raw?.metadata?.annotations?.[key] !== void 0;
+  }
+};
+
+// src/lib/processor.ts
+async function processor(config, capabilities, req) {
+  const wrapped = new PeprRequest(req);
+  const response = {
+    uid: req.uid,
+    warnings: [],
+    allowed: false
+  };
+  logger_default.info(`Processing '${req.uid}' for '${req.kind.kind}' '${req.name}'`);
+  for (const { name, bindings } of capabilities) {
+    const prefix = `${req.uid} ${req.name}: ${name}`;
+    logger_default.info(`Processing capability ${name}`, prefix);
+    for (const action of bindings) {
+      if (shouldSkipRequest(action, req)) {
+        continue;
+      }
+      logger_default.info(`Processing matched action ${action.kind.kind}`, prefix);
+      const updateStatus = (status) => {
+        if (req.operation == "DELETE") {
+          return;
+        }
+        const identifier = `${config.uuid}.pepr.dev/${name}`;
+        wrapped.Raw.metadata = wrapped.Raw.metadata || {};
+        wrapped.Raw.metadata.annotations = wrapped.Raw.metadata.annotations || {};
+        wrapped.Raw.metadata.annotations[identifier] = status;
+      };
+      updateStatus("started");
+      try {
+        await action.callback(wrapped);
+        logger_default.info(`Action succeeded`, prefix);
+        updateStatus("succeeded");
+      } catch (e) {
+        response.warnings = response.warnings || [];
+        response.warnings.push(`Action failed: ${e}`);
+        if (config.onError) {
+          logger_default.error(`Action failed: ${e}`, prefix);
+          response.result = "Pepr module configured to reject on error";
+          return response;
+        } else {
+          logger_default.warn(`Action failed: ${e}`, prefix);
+          updateStatus("warning");
+        }
+      }
+    }
+  }
+  response.allowed = true;
+  const patches = import_fast_json_patch.default.compare(req.object, wrapped.Raw);
+  if (patches.length > 0) {
+    response.patchType = "JSONPatch";
+    response.patch = Buffer.from(JSON.stringify(patches)).toString("base64");
+  }
+  if (response.warnings && response.warnings.length < 1) {
+    delete response.warnings;
+  }
+  logger_default.debug(patches);
+  return response;
+}
+
+// src/lib/controller.ts
+var options = {
+  key: import_fs.default.readFileSync(process.env.SSL_KEY_PATH || "/etc/certs/tls.key"),
+  cert: import_fs.default.readFileSync(process.env.SSL_CERT_PATH || "/etc/certs/tls.crt")
+};
+var Controller = class {
+  constructor(config, capabilities, beforeHook, afterHook) {
+    this.config = config;
+    this.capabilities = capabilities;
+    this.beforeHook = beforeHook;
+    this.afterHook = afterHook;
+    this.app.use(this.logger);
+    this.app.use(import_express.default.json());
+    this.app.get("/healthz", this.healthz);
+    this.app.post("/mutate", this.mutate);
+    if (beforeHook) {
+      console.info(`Using beforeHook: ${beforeHook}`);
+    }
+    if (afterHook) {
+      console.info(`Using afterHook: ${afterHook}`);
+    }
+  }
+  app = (0, import_express.default)();
+  running = false;
+  /** Start the webhook server */
+  startServer = (port) => {
+    if (this.running) {
+      throw new Error("Cannot start Pepr module: Pepr module was not instantiated with deferStart=true");
+    }
+    const server = import_https.default.createServer(options, this.app).listen(port);
+    server.on("listening", () => {
+      console.log(`Server listening on port ${port}`);
+      this.running = true;
+    });
+    server.on("error", (e) => {
+      if (e.code === "EADDRINUSE") {
+        console.log("Address in use, retrying...");
+        setTimeout(() => {
+          server.close();
+          server.listen(port);
+        }, 2e3);
+      }
+    });
+    process.on("SIGTERM", () => {
+      console.log("Received SIGTERM, closing server");
+      server.close(() => {
+        console.log("Server closed");
+        process.exit(0);
+      });
+    });
+  };
+  logger = (req, res, next) => {
+    const startTime = Date.now();
+    res.on("finish", () => {
+      const now = (/* @__PURE__ */ new Date()).toISOString();
+      const elapsedTime = Date.now() - startTime;
+      const message = `[${now}] ${req.method} ${req.originalUrl} - ${res.statusCode} - ${elapsedTime} ms
+`;
+      res.statusCode >= 400 ? console.error(message) : console.info(message);
+    });
+    next();
+  };
+  healthz = (req, res) => {
+    try {
+      res.send("OK");
+    } catch (err) {
+      console.error(err);
+      res.status(500).send("Internal Server Error");
+    }
+  };
+  mutate = async (req, res) => {
+    try {
+      this.beforeHook && this.beforeHook(req.body?.request || {});
+      const name = req.body?.request?.name || "";
+      const namespace = req.body?.request?.namespace || "";
+      const gvk = req.body?.request?.kind || { group: "", version: "", kind: "" };
+      console.log(`Mutate request: ${gvk.group}/${gvk.version}/${gvk.kind}`);
+      name && console.log(`                ${namespace}/${name}
+`);
+      const response = await processor(this.config, this.capabilities, req.body.request);
+      this.afterHook && this.afterHook(response);
+      console.debug(response);
+      res.send({
+        apiVersion: "admission.k8s.io/v1",
+        kind: "AdmissionReview",
+        response
+      });
+    } catch (err) {
+      console.error(err);
+      res.status(500).send("Internal Server Error");
+    }
+  };
+};
+
+// src/lib/module.ts
+var alwaysIgnore = {
+  namespaces: ["kube-system", "pepr-system"],
+  labels: [{ "pepr.dev": "ignore" }]
+};
+var PeprModule = class {
+  _controller;
+  /**
+   * Create a new Pepr runtime
+   *
+   * @param config The configuration for the Pepr runtime
+   * @param capabilities The capabilities to be loaded into the Pepr runtime
+   * @param _deferStart (optional) If set to `true`, the Pepr runtime will not be started automatically. This can be used to start the Pepr runtime manually with `start()`.
+   */
+  constructor({ description, pepr }, capabilities = [], opts = {}) {
+    const config = (0, import_ramda2.mergeDeepWith)(import_ramda2.concat, pepr, alwaysIgnore);
+    config.description = description;
+    this._controller = new Controller(config, capabilities, opts.beforeHook, opts.afterHook);
+    if (opts.deferStart) {
+      return;
+    }
+    this.start();
+  }
+  /**
+   * Start the Pepr runtime manually.
+   * Normally this is called automatically when the Pepr module is instantiated, but can be called manually if `deferStart` is set to `true` in the constructor.
+   *
+   * @param port
+   */
+  start(port = 3e3) {
+    this._controller.startServer(port);
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  Capability,
+  Log,
+  PeprModule,
+  PeprRequest,
+  RegisterKind,
+  a,
+  fetch,
+  fetchRaw,
+  fetchStatus,
+  k8s,
+  utils
+});
+//# sourceMappingURL=lib.js.map