pepr 0.40.1 → 0.42.0

package/dist/sdk/sdk.d.ts

@@ -1,15 +1,14 @@
 import { PeprValidateRequest } from "../lib/validate-request";
 import { PeprMutateRequest } from "../lib/mutate-request";
-import { V1OwnerReference } from "@kubernetes/client-node";
-import { GenericKind } from "kubernetes-fluent-client";
-import { kind } from "kubernetes-fluent-client";
+import { V1OwnerReference, V1Container } from "@kubernetes/client-node";
+import { GenericKind, kind } from "kubernetes-fluent-client";
 /**
  * Returns all containers in a pod
  * @param request the request/pod to get the containers from
  * @param containerType the type of container to get
  * @returns the list of containers in the pod
  */
-export declare function containers(request: PeprValidateRequest<kind.Pod> | PeprMutateRequest<kind.Pod>, containerType?: "containers" | "initContainers" | "ephemeralContainers"): import("@kubernetes/client-node").V1Container[];
+export declare function containers(request: PeprValidateRequest<kind.Pod> | PeprMutateRequest<kind.Pod>, containerType?: "containers" | "initContainers" | "ephemeralContainers"): V1Container[];
 /**
  * Write a K8s event for a CRD
  *

package/dist/sdk/sdk.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sdk.d.ts","sourceRoot":"","sources":["../../src/sdk/sdk.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AACvD,OAAO,EAAO,IAAI,EAAE,MAAM,0BAA0B,CAAC;AAGrD;;;;;GAKG;AACH,wBAAgB,UAAU,CACxB,OAAO,EAAE,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,iBAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,EACpE,aAAa,CAAC,EAAE,YAAY,GAAG,gBAAgB,GAAG,qBAAqB,mDAgBxE;AAED;;;;;;;;;GASG;AACH,wBAAsB,UAAU,CAC9B,EAAE,EAAE,WAAW,EACf,KAAK,EAAE,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,EAC9B,SAAS,EAAE,MAAM,EACjB,WAAW,EAAE,MAAM,EACnB,kBAAkB,EAAE,MAAM,EAC1B,iBAAiB,EAAE,MAAM,iBAwB1B;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,cAAc,EAAE,WAAW,EAC3B,kBAAkB,CAAC,EAAE,OAAO,EAC5B,UAAU,CAAC,EAAE,OAAO,GACnB,gBAAgB,EAAE,CAcpB;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,UAYhD"}
+{"version":3,"file":"sdk.d.ts","sourceRoot":"","sources":["../../src/sdk/sdk.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACxE,OAAO,EAAE,WAAW,EAAO,IAAI,EAAE,MAAM,0BAA0B,CAAC;AAElE;;;;;GAKG;AACH,wBAAgB,UAAU,CACxB,OAAO,EAAE,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,iBAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,EACpE,aAAa,CAAC,EAAE,YAAY,GAAG,gBAAgB,GAAG,qBAAqB,GACtE,WAAW,EAAE,CAef;AAED;;;;;;;;;GASG;AAEH,wBAAsB,UAAU,CAC9B,EAAE,EAAE,WAAW,EACf,KAAK,EAAE,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,EAC9B,SAAS,EAAE,MAAM,EACjB,WAAW,EAAE,MAAM,EACnB,kBAAkB,EAAE,MAAM,EAC1B,iBAAiB,EAAE,MAAM,GACxB,OAAO,CAAC,IAAI,CAAC,CAqBf;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,cAAc,EAAE,WAAW,EAC3B,kBAAkB,CAAC,EAAE,OAAO,EAC5B,UAAU,CAAC,EAAE,OAAO,GACnB,gBAAgB,EAAE,CAcpB;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAYzD"}

package/package.json

@@ -15,7 +15,7 @@
     "!src/**/*.test.ts",
     "!dist/**/*.test.d.ts*"
   ],
-  "version": "0.40.1",
+  "version": "0.42.0",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {
@@ -41,12 +41,12 @@
   },
   "dependencies": {
     "@types/ramda": "0.30.2",
-    "express": "4.21.1",
+    "express": "4.21.2",
     "fast-json-patch": "3.1.1",
     "follow-redirects": "1.15.9",
     "http-status-codes": "^2.3.0",
     "json-pointer": "^0.6.2",
-    "kubernetes-fluent-client": "3.3.4",
+    "kubernetes-fluent-client": "3.3.7",
     "pino": "9.5.0",
     "pino-pretty": "13.0.0",
     "prom-client": "15.1.3",
@@ -69,8 +69,8 @@
     "husky": "^9.1.6",
     "jest": "29.7.0",
     "js-yaml": "^4.1.0",
-    "nock": "^13.5.4",
-    "ts-jest": "29.2.5"
+    "ts-jest": "29.2.5",
+    "undici": "^7.0.1"
   },
   "peerDependencies": {
     "@types/prompts": "2.4.9",

package/src/cli/build.ts

@@ -11,9 +11,10 @@ import { dependencies, version } from "./init/templates";
 import { RootCmd } from "./root";
 import { peprFormat } from "./format";
 import { Option } from "commander";
-import { createDirectoryIfNotExists, validateCapabilityNames, parseTimeout } from "../lib/helpers";
+import { validateCapabilityNames, parseTimeout } from "../lib/helpers";
 import { sanitizeResourceName } from "../sdk/sdk";
 import { determineRbacMode } from "./build.helpers";
+import { createDirectoryIfNotExists } from "../lib/filesystemService";
 const peprTS = "pepr.ts";
 let outputDir: string = "dist";
 export type Reloader = (opts: BuildResult<BuildOptions>) => void | Promise<void>;

package/src/cli/deploy.ts

@@ -6,10 +6,11 @@ import prompt from "prompts";
 import { Assets } from "../lib/assets";
 import { buildModule } from "./build";
 import { RootCmd } from "./root";
-import { validateCapabilityNames, namespaceDeploymentsReady } from "../lib/helpers";
+import { validateCapabilityNames } from "../lib/helpers";
 import { ImagePullSecret } from "../lib/types";
 import { sanitizeName } from "./init/utils";
 import { deployImagePullSecret } from "../lib/assets/deploy";
+import { namespaceDeploymentsReady } from "../lib/deploymentChecks";
 
 export default function (program: RootCmd) {
   program

package/src/cli/init/templates.ts

@@ -58,7 +58,7 @@ export function genPkgJSON(opts: InitOptions, pgkVerOverride?: string) {
     },
     dependencies: {
       pepr: pgkVerOverride || version,
-      nock: "13.5.4",
+      undici: "^7.0.1",
     },
     devDependencies: {
       typescript,

package/src/lib/assets/deploy.ts

@@ -7,7 +7,7 @@ import { K8s, kind } from "kubernetes-fluent-client";
 import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
 
 import { Assets } from ".";
-import Log from "../logger";
+import Log from "../telemetry/logger";
 import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking";
 import { deployment, moduleSecret, namespace, watcher } from "./pods";
 import { clusterRole, clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";

package/src/lib/assets/destroy.ts

@@ -3,7 +3,7 @@
 
 import { K8s, kind } from "kubernetes-fluent-client";
 
-import Log from "../logger";
+import Log from "../telemetry/logger";
 import { peprStoreCRD } from "./store";
 
 export async function destroyModule(name: string) {

package/src/lib/assets/index.ts

@@ -3,6 +3,7 @@
 
 import crypto from "crypto";
 import { dumpYaml } from "@kubernetes/client-node";
+import { kind } from "kubernetes-fluent-client";
 import { ModuleConfig } from "../module";
 import { TLSOut, genTLS } from "../tls";
 import { CapabilityExport } from "../types";
@@ -11,7 +12,7 @@ import { deploy } from "./deploy";
 import { loadCapabilities } from "./loader";
 import { allYaml, zarfYaml, overridesFile, zarfYamlChart } from "./yaml";
 import { namespaceComplianceValidator, replaceString } from "../helpers";
-import { createDirectoryIfNotExists, dedent } from "../helpers";
+import { dedent } from "../helpers";
 import { resolve } from "path";
 import {
   chartYaml,
@@ -27,6 +28,69 @@ import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking
 import { watcher, moduleSecret } from "./pods";
 
 import { clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";
+import { createDirectoryIfNotExists } from "../filesystemService";
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+function toYaml(obj: any): string {
+  return dumpYaml(obj, { noRefs: true });
+}
+
+function createWebhookYaml(
+  assets: Assets,
+  webhookConfiguration: kind.MutatingWebhookConfiguration | kind.ValidatingWebhookConfiguration,
+): string {
+  const yaml = toYaml(webhookConfiguration);
+  return replaceString(
+    replaceString(
+      replaceString(yaml, assets.name, "{{ .Values.uuid }}"),
+      assets.config.onError === "reject" ? "Fail" : "Ignore",
+      "{{ .Values.admission.failurePolicy }}",
+    ),
+    `${assets.config.webhookTimeout}` || "10",
+    "{{ .Values.admission.webhookTimeout }}",
+  );
+}
+
+function helmLayout(basePath: string, unique: string) {
+  const helm: Record<string, Record<string, string>> = {
+    dirs: {
+      chart: resolve(`${basePath}/${unique}-chart`),
+    },
+    files: {},
+  };
+
+  helm.dirs = {
+    ...helm.dirs,
+    charts: `${helm.dirs.chart}/charts`,
+    tmpls: `${helm.dirs.chart}/templates`,
+  };
+
+  helm.files = {
+    ...helm.files,
+    valuesYaml: `${helm.dirs.chart}/values.yaml`,
+    chartYaml: `${helm.dirs.chart}/Chart.yaml`,
+    namespaceYaml: `${helm.dirs.tmpls}/namespace.yaml`,
+    watcherServiceYaml: `${helm.dirs.tmpls}/watcher-service.yaml`,
+    admissionServiceYaml: `${helm.dirs.tmpls}/admission-service.yaml`,
+    mutationWebhookYaml: `${helm.dirs.tmpls}/mutation-webhook.yaml`,
+    validationWebhookYaml: `${helm.dirs.tmpls}/validation-webhook.yaml`,
+    admissionDeploymentYaml: `${helm.dirs.tmpls}/admission-deployment.yaml`,
+    admissionServiceMonitorYaml: `${helm.dirs.tmpls}/admission-service-monitor.yaml`,
+    watcherDeploymentYaml: `${helm.dirs.tmpls}/watcher-deployment.yaml`,
+    watcherServiceMonitorYaml: `${helm.dirs.tmpls}/watcher-service-monitor.yaml`,
+    tlsSecretYaml: `${helm.dirs.tmpls}/tls-secret.yaml`,
+    apiTokenSecretYaml: `${helm.dirs.tmpls}/api-token-secret.yaml`,
+    moduleSecretYaml: `${helm.dirs.tmpls}/module-secret.yaml`,
+    storeRoleYaml: `${helm.dirs.tmpls}/store-role.yaml`,
+    storeRoleBindingYaml: `${helm.dirs.tmpls}/store-role-binding.yaml`,
+    clusterRoleYaml: `${helm.dirs.tmpls}/cluster-role.yaml`,
+    clusterRoleBindingYaml: `${helm.dirs.tmpls}/cluster-role-binding.yaml`,
+    serviceAccountYaml: `${helm.dirs.tmpls}/service-account.yaml`,
+  };
+
+  return helm;
+}
+
 export class Assets {
   readonly name: string;
   readonly tls: TLSOut;
@@ -78,102 +142,59 @@ export class Assets {
     return allYaml(this, imagePullSecret);
   };
 
+  /* eslint max-statements: ["warn", 21] */
   generateHelmChart = async (basePath: string) => {
-    const CHART_DIR = `${basePath}/${this.config.uuid}-chart`;
-    const CHAR_TEMPLATES_DIR = `${CHART_DIR}/templates`;
-    const valuesPath = resolve(CHART_DIR, `values.yaml`);
-    const chartPath = resolve(CHART_DIR, `Chart.yaml`);
-    const nsPath = resolve(CHAR_TEMPLATES_DIR, `namespace.yaml`);
-    const watcherSVCPath = resolve(CHAR_TEMPLATES_DIR, `watcher-service.yaml`);
-    const admissionSVCPath = resolve(CHAR_TEMPLATES_DIR, `admission-service.yaml`);
-    const mutationWebhookPath = resolve(CHAR_TEMPLATES_DIR, `mutation-webhook.yaml`);
-    const validationWebhookPath = resolve(CHAR_TEMPLATES_DIR, `validation-webhook.yaml`);
-    const admissionDeployPath = resolve(CHAR_TEMPLATES_DIR, `admission-deployment.yaml`);
-    const admissionServiceMonitorPath = resolve(CHAR_TEMPLATES_DIR, `admission-service-monitor.yaml`);
-    const watcherDeployPath = resolve(CHAR_TEMPLATES_DIR, `watcher-deployment.yaml`);
-    const watcherServiceMonitorPath = resolve(CHAR_TEMPLATES_DIR, `watcher-service-monitor.yaml`);
-    const tlsSecretPath = resolve(CHAR_TEMPLATES_DIR, `tls-secret.yaml`);
-    const apiTokenSecretPath = resolve(CHAR_TEMPLATES_DIR, `api-token-secret.yaml`);
-    const moduleSecretPath = resolve(CHAR_TEMPLATES_DIR, `module-secret.yaml`);
-    const storeRolePath = resolve(CHAR_TEMPLATES_DIR, `store-role.yaml`);
-    const storeRoleBindingPath = resolve(CHAR_TEMPLATES_DIR, `store-role-binding.yaml`);
-    const clusterRolePath = resolve(CHAR_TEMPLATES_DIR, `cluster-role.yaml`);
-    const clusterRoleBindingPath = resolve(CHAR_TEMPLATES_DIR, `cluster-role-binding.yaml`);
-    const serviceAccountPath = resolve(CHAR_TEMPLATES_DIR, `service-account.yaml`);
-
-    // create helm chart
-    try {
-      // create chart dir
-      await createDirectoryIfNotExists(CHART_DIR);
-
-      // create charts dir
-      await createDirectoryIfNotExists(`${CHART_DIR}/charts`);
-
-      // create templates dir
-      await createDirectoryIfNotExists(`${CHAR_TEMPLATES_DIR}`);
+    const helm = helmLayout(basePath, this.config.uuid);
 
-      // create values file
-      await overridesFile(this, valuesPath);
-
-      // create the chart.yaml
-      await fs.writeFile(chartPath, dedent(chartYaml(this.config.uuid, this.config.description || "")));
-
-      // create the namespace.yaml in templates
-      await fs.writeFile(nsPath, dedent(nsTemplate()));
+    try {
+      await Promise.all(
+        Object.values(helm.dirs)
+          .sort((l, r) => l.split("/").length - r.split("/").length)
+          .map(async dir => await createDirectoryIfNotExists(dir)),
+      );
 
       const code = await fs.readFile(this.path);
 
-      await fs.writeFile(watcherSVCPath, dumpYaml(watcherService(this.name), { noRefs: true }));
-      await fs.writeFile(admissionSVCPath, dumpYaml(service(this.name), { noRefs: true }));
-      await fs.writeFile(tlsSecretPath, dumpYaml(tlsSecret(this.name, this.tls), { noRefs: true }));
-      await fs.writeFile(apiTokenSecretPath, dumpYaml(apiTokenSecret(this.name, this.apiToken), { noRefs: true }));
-      await fs.writeFile(moduleSecretPath, dumpYaml(moduleSecret(this.name, code, this.hash), { noRefs: true }));
-      await fs.writeFile(storeRolePath, dumpYaml(storeRole(this.name), { noRefs: true }));
-      await fs.writeFile(storeRoleBindingPath, dumpYaml(storeRoleBinding(this.name), { noRefs: true }));
-      await fs.writeFile(clusterRolePath, dedent(clusterRoleTemplate()));
-      await fs.writeFile(clusterRoleBindingPath, dumpYaml(clusterRoleBinding(this.name), { noRefs: true }));
-      await fs.writeFile(serviceAccountPath, dumpYaml(serviceAccount(this.name), { noRefs: true }));
-
-      const mutateWebhook = await webhookConfig(this, "mutate", this.config.webhookTimeout);
-      const validateWebhook = await webhookConfig(this, "validate", this.config.webhookTimeout);
-      const watchDeployment = watcher(this, this.hash, this.buildTimestamp);
+      const pairs: [string, () => string][] = [
+        [helm.files.chartYaml, () => dedent(chartYaml(this.config.uuid, this.config.description || ""))],
+        [helm.files.namespaceYaml, () => dedent(nsTemplate())],
+        [helm.files.watcherServiceYaml, () => toYaml(watcherService(this.name))],
+        [helm.files.admissionServiceYaml, () => toYaml(service(this.name))],
+        [helm.files.tlsSecretYaml, () => toYaml(tlsSecret(this.name, this.tls))],
+        [helm.files.apiTokenSecretYaml, () => toYaml(apiTokenSecret(this.name, this.apiToken))],
+        [helm.files.storeRoleYaml, () => toYaml(storeRole(this.name))],
+        [helm.files.storeRoleBindingYaml, () => toYaml(storeRoleBinding(this.name))],
+        [helm.files.clusterRoleYaml, () => dedent(clusterRoleTemplate())],
+        [helm.files.clusterRoleBindingYaml, () => toYaml(clusterRoleBinding(this.name))],
+        [helm.files.serviceAccountYaml, () => toYaml(serviceAccount(this.name))],
+        [helm.files.moduleSecretYaml, () => toYaml(moduleSecret(this.name, code, this.hash))],
+      ];
+      await Promise.all(pairs.map(async ([file, content]) => await fs.writeFile(file, content())));
+
+      await overridesFile(this, helm.files.valuesYaml);
+
+      const [mutateWebhook, validateWebhook] = await Promise.all([
+        webhookConfig(this, "mutate", this.config.webhookTimeout),
+        webhookConfig(this, "validate", this.config.webhookTimeout),
+      ]);
 
       if (validateWebhook || mutateWebhook) {
-        await fs.writeFile(admissionDeployPath, dedent(admissionDeployTemplate(this.buildTimestamp)));
-        await fs.writeFile(admissionServiceMonitorPath, dedent(serviceMonitorTemplate("admission")));
+        await fs.writeFile(helm.files.admissionDeploymentYaml, dedent(admissionDeployTemplate(this.buildTimestamp)));
+        await fs.writeFile(helm.files.admissionServiceMonitorYaml, dedent(serviceMonitorTemplate("admission")));
       }
 
       if (mutateWebhook) {
-        const yamlMutateWebhook = dumpYaml(mutateWebhook, { noRefs: true });
-        const mutateWebhookTemplate = replaceString(
-          replaceString(
-            replaceString(yamlMutateWebhook, this.name, "{{ .Values.uuid }}"),
-            this.config.onError === "reject" ? "Fail" : "Ignore",
-            "{{ .Values.admission.failurePolicy }}",
-          ),
-          `${this.config.webhookTimeout}` || "10",
-          "{{ .Values.admission.webhookTimeout }}",
-        );
-        await fs.writeFile(mutationWebhookPath, mutateWebhookTemplate);
+        await fs.writeFile(helm.files.mutationWebhookYaml, createWebhookYaml(this, mutateWebhook));
       }
 
       if (validateWebhook) {
-        const yamlValidateWebhook = dumpYaml(validateWebhook, { noRefs: true });
-        const validateWebhookTemplate = replaceString(
-          replaceString(
-            replaceString(yamlValidateWebhook, this.name, "{{ .Values.uuid }}"),
-            this.config.onError === "reject" ? "Fail" : "Ignore",
-            "{{ .Values.admission.failurePolicy }}",
-          ),
-          `${this.config.webhookTimeout}` || "10",
-          "{{ .Values.admission.webhookTimeout }}",
-        );
-        await fs.writeFile(validationWebhookPath, validateWebhookTemplate);
+        await fs.writeFile(helm.files.validationWebhookYaml, createWebhookYaml(this, validateWebhook));
       }
 
+      const watchDeployment = watcher(this, this.hash, this.buildTimestamp);
       if (watchDeployment) {
-        await fs.writeFile(watcherDeployPath, dedent(watcherDeployTemplate(this.buildTimestamp)));
-        await fs.writeFile(watcherServiceMonitorPath, dedent(serviceMonitorTemplate("watcher")));
+        await fs.writeFile(helm.files.watcherDeploymentYaml, dedent(watcherDeployTemplate(this.buildTimestamp)));
+        await fs.writeFile(helm.files.watcherServiceMonitorYaml, dedent(serviceMonitorTemplate("watcher")));
       }
     } catch (err) {
       console.error(`Error generating helm chart: ${err.message}`);

package/src/lib/assets/webhooks.ts

@@ -44,8 +44,8 @@ export async function generateWebhookRules(assets: Assets, isMutateWebhook: bool
       const operations: string[] = [];
 
       // CreateOrUpdate is a Pepr-specific event that is translated to Create and Update
-      if (event === Event.CreateOrUpdate) {
-        operations.push(Event.Create, Event.Update);
+      if (event === Event.CREATE_OR_UPDATE) {
+        operations.push(Event.CREATE, Event.UPDATE);
       } else {
         operations.push(event);
       }

package/src/lib/capability.ts

@@ -1,10 +1,9 @@
-/* eslint-disable max-statements */
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
 import { GenericClass, GroupVersionKind, modelToGroupVersionKind } from "kubernetes-fluent-client";
 import { pickBy } from "ramda";
-import Log from "./logger";
+import Log from "./telemetry/logger";
 import { isBuildMode, isDevMode, isWatchMode } from "./module";
 import { PeprStore, Storage } from "./storage";
 import { OnSchedule, Schedule } from "./schedule";
@@ -193,7 +192,7 @@ export class Capability implements CapabilityExport {
       model,
       // If the kind is not specified, use the matched kind from the model
       kind: kind || matchedKind,
-      event: Event.Any,
+      event: Event.ANY,
       filters: {
         name: "",
         namespaces: [],
@@ -317,7 +316,7 @@ export class Capability implements CapabilityExport {
           ...binding,
           isMutate: true,
           isFinalize: true,
-          event: Event.Any,
+          event: Event.ANY,
           mutateCallback: addFinalizer,
         };
         bindings.push(mutateBinding);
@@ -329,7 +328,7 @@ export class Capability implements CapabilityExport {
           ...binding,
           isWatch: true,
           isFinalize: true,
-          event: Event.Update,
+          event: Event.UPDATE,
           finalizeCallback: async (update: InstanceType<T>, logger = aliasLogger) => {
             Log.info(`Executing finalize action with alias: ${binding.alias || "no alias provided"}`);
             return await finalizeCallback(update, logger);
@@ -401,10 +400,10 @@ export class Capability implements CapabilityExport {
     }
 
     return {
-      IsCreatedOrUpdated: () => bindEvent(Event.CreateOrUpdate),
-      IsCreated: () => bindEvent(Event.Create),
-      IsUpdated: () => bindEvent(Event.Update),
-      IsDeleted: () => bindEvent(Event.Delete),
+      IsCreatedOrUpdated: () => bindEvent(Event.CREATE_OR_UPDATE),
+      IsCreated: () => bindEvent(Event.CREATE),
+      IsUpdated: () => bindEvent(Event.UPDATE),
+      IsDeleted: () => bindEvent(Event.DELETE),
     };
   };
 }

package/src/lib/controller/index.ts

@@ -7,17 +7,19 @@ import https from "https";
 
 import { Capability } from "../capability";
 import { MutateResponse, ValidateResponse } from "../k8s";
-import Log from "../logger";
-import { metricsCollector, MetricsCollector } from "../metrics";
+import Log from "../telemetry/logger";
+import { metricsCollector, MetricsCollector } from "../telemetry/metrics";
 import { ModuleConfig, isWatchMode } from "../module";
 import { mutateProcessor } from "../mutate-processor";
 import { validateProcessor } from "../validate-processor";
 import { StoreController } from "./store";
-import { ResponseItem, AdmissionRequest } from "../types";
+import { AdmissionRequest } from "../types";
+import { karForMutate, karForValidate, KubeAdmissionReview } from "./index.util";
 
 if (!process.env.PEPR_NODE_WARNINGS) {
   process.removeAllListeners("warning");
 }
+
 export class Controller {
   // Track whether the server is running
   #running = false;
@@ -183,6 +185,8 @@ export class Controller {
    */
   #metrics = async (req: express.Request, res: express.Response) => {
     try {
+      // https://github.com/prometheus/docs/blob/main/content/docs/instrumenting/exposition_formats.md#basic-info
+      res.set("Content-Type", "text/plain; version=0.0.4");
       res.send(await this.#metricsCollector.getMetrics());
     } catch (err) {
       Log.error(err, `Error getting metrics`);
@@ -206,77 +210,38 @@ export class Controller {
         // Get the request from the body or create an empty request
         const request: AdmissionRequest = req.body?.request || ({} as AdmissionRequest);
 
-        // Run the before hook if it exists
-        this.#beforeHook && this.#beforeHook(request || {});
-
-        // Setup identifiers for logging
-        const name = request?.name ? `/${request.name}` : "";
-        const namespace = request?.namespace || "";
-        const gvk = request?.kind || { group: "", version: "", kind: "" };
-
-        const reqMetadata = {
-          uid: request.uid,
-          namespace,
-          name,
+        const { name, namespace, gvk } = {
+          name: request?.name ? `/${request.name}` : "",
+          namespace: request?.namespace || "",
+          gvk: request?.kind || { group: "", version: "", kind: "" },
         };
 
+        const reqMetadata = { uid: request.uid, namespace, name };
         Log.info({ ...reqMetadata, gvk, operation: request.operation, admissionKind }, "Incoming request");
         Log.debug({ ...reqMetadata, request }, "Incoming request body");
 
-        // Process the request
-        let response: MutateResponse | ValidateResponse[];
+        // Run the before hook if it exists
+        this.#beforeHook && this.#beforeHook(request || {});
 
-        // Call mutate or validate based on the admission kind
-        if (admissionKind === "Mutate") {
-          response = await mutateProcessor(this.#config, this.#capabilities, request, reqMetadata);
-        } else {
-          response = await validateProcessor(this.#config, this.#capabilities, request, reqMetadata);
-        }
+        // Process the request
+        const response: MutateResponse | ValidateResponse[] =
+          admissionKind === "Mutate"
+            ? await mutateProcessor(this.#config, this.#capabilities, request, reqMetadata)
+            : await validateProcessor(this.#config, this.#capabilities, request, reqMetadata);
 
         // Run the after hook if it exists
-        const responseList: ValidateResponse[] | MutateResponse[] = Array.isArray(response) ? response : [response];
-        responseList.map(res => {
+        [response].flat().map(res => {
           this.#afterHook && this.#afterHook(res);
-          // Log the response
           Log.info({ ...reqMetadata, res }, "Check response");
         });
 
-        let kubeAdmissionResponse: ValidateResponse[] | MutateResponse | ResponseItem;
-
-        if (admissionKind === "Mutate") {
-          kubeAdmissionResponse = response;
-          Log.debug({ ...reqMetadata, response }, "Outgoing response");
-          res.send({
-            apiVersion: "admission.k8s.io/v1",
-            kind: "AdmissionReview",
-            response: kubeAdmissionResponse,
-          });
-        } else {
-          kubeAdmissionResponse =
-            responseList.length === 0
-              ? {
-                  uid: request.uid,
-                  allowed: true,
-                  status: { message: "no in-scope validations -- allowed!" },
-                }
-              : {
-                  uid: responseList[0].uid,
-                  allowed: responseList.filter(r => !r.allowed).length === 0,
-                  status: {
-                    message: (responseList as ValidateResponse[])
-                      .filter(rl => !rl.allowed)
-                      .map(curr => curr.status?.message)
-                      .join("; "),
-                  },
-                };
-          res.send({
-            apiVersion: "admission.k8s.io/v1",
-            kind: "AdmissionReview",
-            response: kubeAdmissionResponse,
-          });
-        }
-
-        Log.debug({ ...reqMetadata, kubeAdmissionResponse }, "Outgoing response");
+        const kar: KubeAdmissionReview =
+          admissionKind === "Mutate"
+            ? karForMutate(response as MutateResponse)
+            : karForValidate(request, response as ValidateResponse[]);
+
+        Log.debug({ ...reqMetadata, kubeAdmissionResponse: kar.response }, "Outgoing response");
+        res.send(kar);
 
         this.#metricsCollector.observeEnd(startTime, admissionKind);
       } catch (err) {
@@ -298,6 +263,11 @@ export class Controller {
     const startTime = Date.now();
 
     res.on("finish", () => {
+      const excludedRoutes = ["/healthz", "/metrics"];
+      if (excludedRoutes.includes(req.originalUrl)) {
+        return;
+      }
+
       const elapsedTime = Date.now() - startTime;
       const message = {
         uid: req.body?.request?.uid,

package/src/lib/controller/index.util.ts

@@ -0,0 +1,47 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { MutateResponse, ValidateResponse } from "../k8s";
+import { ResponseItem, AdmissionRequest } from "../types";
+
+export interface KubeAdmissionReview {
+  apiVersion: string;
+  kind: string;
+  response: ValidateResponse[] | MutateResponse | ResponseItem;
+}
+
+export function karForMutate(mr: MutateResponse): KubeAdmissionReview {
+  return {
+    apiVersion: "admission.k8s.io/v1",
+    kind: "AdmissionReview",
+    response: mr,
+  };
+}
+
+export function karForValidate(ar: AdmissionRequest, vr: ValidateResponse[]): KubeAdmissionReview {
+  const isAllowed = vr.filter(r => !r.allowed).length === 0;
+
+  const resp: ValidateResponse =
+    vr.length === 0
+      ? {
+          uid: ar.uid,
+          allowed: true,
+          status: { code: 200, message: "no in-scope validations -- allowed!" },
+        }
+      : {
+          uid: vr[0].uid,
+          allowed: isAllowed,
+          status: {
+            code: isAllowed ? 200 : 422,
+            message: vr
+              .filter(rl => !rl.allowed)
+              .map(curr => curr.status?.message)
+              .join("; "),
+          },
+        };
+  return {
+    apiVersion: "admission.k8s.io/v1",
+    kind: "AdmissionReview",
+    response: resp,
+  };
+}

package/src/lib/controller/store.ts

@@ -7,12 +7,12 @@ import { startsWith } from "ramda";
 
 import { Capability } from "../capability";
 import { Store } from "../k8s";
-import Log, { redactedPatch, redactedStore } from "../logger";
+import Log, { redactedPatch, redactedStore } from "../telemetry/logger";
 import { DataOp, DataSender, DataStore, Storage } from "../storage";
 import { fillStoreCache, sendUpdatesAndFlushCache } from "./storeCache";
 
 const namespace = "pepr-system";
-export const debounceBackoff = 5000;
+export const debounceBackoff = 1000;
 
 export class StoreController {
   #name: string;

package/src/lib/controller/storeCache.ts

@@ -1,5 +1,5 @@
 import { DataOp } from "../storage";
-import Log from "../logger";
+import Log from "../telemetry/logger";
 import { K8s } from "kubernetes-fluent-client";
 import { Store } from "../k8s";
 import { StatusCodes } from "http-status-codes";