pepr 0.40.1 → 0.42.1

package/src/cli/monitor.ts

@@ -1,92 +1,51 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-import { Log as K8sLog, KubeConfig } from "@kubernetes/client-node";
+import { Log as K8sLog, KubeConfig, KubernetesListObject } from "@kubernetes/client-node";
 import { K8s, kind } from "kubernetes-fluent-client";
 import stream from "stream";
 import { ResponseItem } from "../lib/types";
 import { RootCmd } from "./root";
 
-export default function (program: RootCmd) {
+interface LogPayload {
+  namespace: string;
+  name: string;
+  res: {
+    uid: string;
+    allowed?: boolean;
+    patch?: string;
+    patchType?: string;
+    warnings?: string;
+    status?: {
+      message: string;
+    };
+  };
+}
+
+export default function (program: RootCmd): void {
   program
     .command("monitor [module-uuid]")
     .description("Monitor a Pepr Module")
     .action(async uuid => {
-      let labels: string[];
-      let errorMessage: string;
-
-      if (!uuid) {
-        labels = ["pepr.dev/controller", "admission"];
-        errorMessage = `No pods found with admission labels`;
-      } else {
-        labels = ["app", `pepr-${uuid}`];
-        errorMessage = `No pods found for module ${uuid}`;
-      }
+      const { labels, errorMessage } = getLabelsAndErrorMessage(uuid);
 
       // Get the logs for the `app=pepr-${module}` or `pepr.dev/controller=admission` pod selector
-      const pods = await K8s(kind.Pod)
+      const pods: KubernetesListObject<kind.Pod> = await K8s(kind.Pod)
         .InNamespace("pepr-system")
         .WithLabel(labels[0], labels[1])
         .Get();
 
-      const podNames = pods.items.flatMap(pod => pod.metadata!.name) as string[];
+      // Pods will ways have a metadata and name fields
+      const podNames: string[] = pods.items.flatMap(pod => pod.metadata!.name || "");
 
       if (podNames.length < 1) {
         console.error(errorMessage);
         process.exit(1);
       }
 
-      const kc = new KubeConfig();
-      kc.loadFromDefault();
-
-      const log = new K8sLog(kc);
-
-      const logStream = new stream.PassThrough();
-      logStream.on("data", async chunk => {
-        const respMsg = `"msg":"Check response"`;
-        // Split the chunk into lines
-        const lines = await chunk.toString().split("\n");
-
-        for (const line of lines) {
-          // Check for `"msg":"Hello Pepr"`
-          if (!line.includes(respMsg)) continue;
-          try {
-            const payload = JSON.parse(line.trim());
-            const isMutate = payload.res.patchType || payload.res.warnings;
-
-            const name = `${payload.namespace}${payload.name}`;
-            const uid = payload.res.uid;
-
-            if (isMutate) {
-              const plainPatch =
-                payload.res?.patch !== undefined && payload.res?.patch !== null
-                  ? atob(payload.res.patch)
-                  : "";
-
-              const patch = plainPatch !== "" && JSON.stringify(JSON.parse(plainPatch), null, 2);
-              const patchType = payload.res.patchType || payload.res.warnings || "";
-              const allowOrDeny = payload.res.allowed ? "🔀" : "🚫";
-              console.log(`\n${allowOrDeny}  MUTATE     ${name} (${uid})`);
-              patchType.length > 0 && console.log(`\n\u001b[1;34m${patch}\u001b[0m`);
-            } else {
-              const failures = Array.isArray(payload.res) ? payload.res : [payload.res];
-
-              const filteredFailures = failures
-                .filter((r: ResponseItem) => !r.allowed)
-                .map((r: ResponseItem) => r.status.message);
-
-              console.log(
-                `\n${filteredFailures.length > 0 ? "❌" : "✅"}  VALIDATE   ${name} (${uid})`,
-              );
-              console.log(
-                filteredFailures.length > 0 ? `\u001b[1;31m${filteredFailures}\u001b[0m` : "",
-              );
-            }
-          } catch {
-            // Do nothing
-          }
-        }
-      });
+      const log = getK8sLogFromKubeConfig();
+
+      const logStream = createLogStream();
 
       for (const podName of podNames) {
         await log.log("pepr-system", podName, "server", logStream, {
@@ -97,3 +56,87 @@ export default function (program: RootCmd) {
       }
     });
 }
+
+export function getLabelsAndErrorMessage(uuid?: string): {
+  labels: string[];
+  errorMessage: string;
+} {
+  let labels: string[];
+  let errorMessage: string;
+
+  if (!uuid) {
+    labels = ["pepr.dev/controller", "admission"];
+    errorMessage = `No pods found with admission labels`;
+  } else {
+    labels = ["app", `pepr-${uuid}`];
+    errorMessage = `No pods found for module ${uuid}`;
+  }
+
+  return { labels, errorMessage };
+}
+
+export function getK8sLogFromKubeConfig(): K8sLog {
+  const kc = new KubeConfig();
+  kc.loadFromDefault();
+  return new K8sLog(kc);
+}
+
+function createLogStream(): stream.PassThrough {
+  const logStream = new stream.PassThrough();
+
+  logStream.on("data", async chunk => {
+    const lines = chunk.toString().split("\n");
+    const respMsg = `"msg":"Check response"`;
+
+    for (const line of lines) {
+      if (!line.includes(respMsg)) continue;
+      processLogLine(line);
+    }
+  });
+
+  return logStream;
+}
+
+function processLogLine(line: string): void {
+  try {
+    const payload: LogPayload = JSON.parse(line.trim());
+    const isMutate = payload.res.patchType || payload.res.warnings;
+    const name = `${payload.namespace}${payload.name}`;
+    const uid = payload.res.uid;
+
+    if (isMutate) {
+      processMutateLog(payload, name, uid);
+    } else {
+      processValidateLog(payload, name, uid);
+    }
+  } catch {
+    // Do nothing
+  }
+}
+
+export function processMutateLog(payload: LogPayload, name: string, uid: string): void {
+  const plainPatch =
+    payload.res.patch !== undefined && payload.res.patch !== null ? atob(payload.res.patch) : "";
+
+  const patch = plainPatch !== "" && JSON.stringify(JSON.parse(plainPatch), null, 2);
+  const patchType = payload.res.patchType || payload.res.warnings || "";
+  const allowOrDeny = payload.res.allowed ? "🔀" : "🚫";
+
+  console.log(`\n${allowOrDeny}  MUTATE     ${name} (${uid})`);
+  if (patchType.length > 0) {
+    console.log(`\n\u001b[1;34m${patch}\u001b[0m`);
+  }
+}
+
+export function processValidateLog(payload: LogPayload, name: string, uid: string): void {
+  const failures = Array.isArray(payload.res) ? payload.res : [payload.res];
+
+  const filteredFailures = failures
+    .filter((r: ResponseItem) => !r.allowed)
+    .map((r: ResponseItem) => r.status?.message || "");
+
+  console.log(`\n${filteredFailures.length > 0 ? "❌" : "✅"}  VALIDATE   ${name} (${uid})`);
+  if (filteredFailures.length > 0) {
+    console.log(`\u001b[1;31m${filteredFailures}\u001b[0m`);
+  }
+}

package/src/lib/assets/deploy.ts

@@ -7,9 +7,9 @@ import { K8s, kind } from "kubernetes-fluent-client";
 import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
 
 import { Assets } from ".";
-import Log from "../logger";
+import Log from "../telemetry/logger";
 import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking";
-import { deployment, moduleSecret, namespace, watcher } from "./pods";
+import { getDeployment, getModuleSecret, getNamespace, getWatcher } from "./pods";
 import { clusterRole, clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";
 import { peprStoreCRD } from "./store";
 import { webhookConfig } from "./webhooks";
@@ -19,7 +19,7 @@ export async function deployImagePullSecret(imagePullSecret: ImagePullSecret, na
   try {
     await K8s(kind.Namespace).Get("pepr-system");
   } catch {
-    await K8s(kind.Namespace).Apply(namespace());
+    await K8s(kind.Namespace).Apply(getNamespace());
   }
 
   try {
@@ -48,7 +48,7 @@ export async function deploy(assets: Assets, force: boolean, webhookTimeout?: nu
   const { name, host, path } = assets;
 
   Log.info("Applying pepr-system namespace");
-  await K8s(kind.Namespace).Apply(namespace(assets.config.customLabels?.namespace));
+  await K8s(kind.Namespace).Apply(getNamespace(assets.config.customLabels?.namespace));
 
   // Create the mutating webhook configuration if it is needed
   const mutateWebhook = await webhookConfig(assets, "mutate", webhookTimeout);
@@ -123,7 +123,7 @@ async function setupController(assets: Assets, code: Buffer, hash: string, force
   const { name } = assets;
 
   Log.info("Applying module secret");
-  const mod = moduleSecret(name, code, hash);
+  const mod = getModuleSecret(name, code, hash);
   await K8s(kind.Secret).Apply(mod, { force });
 
   Log.info("Applying controller service");
@@ -139,14 +139,14 @@ async function setupController(assets: Assets, code: Buffer, hash: string, force
   await K8s(kind.Secret).Apply(apiToken, { force });
 
   Log.info("Applying deployment");
-  const dep = deployment(assets, hash, assets.buildTimestamp);
+  const dep = getDeployment(assets, hash, assets.buildTimestamp);
   await K8s(kind.Deployment).Apply(dep, { force });
 }
 
 // Setup the watcher deployment and service
 async function setupWatcher(assets: Assets, hash: string, force: boolean) {
   // If the module has a watcher, deploy it
-  const watchDeployment = watcher(assets, hash, assets.buildTimestamp);
+  const watchDeployment = getWatcher(assets, hash, assets.buildTimestamp);
   if (watchDeployment) {
     Log.info("Applying watcher deployment");
     await K8s(kind.Deployment).Apply(watchDeployment, { force });

package/src/lib/assets/destroy.ts

@@ -3,10 +3,10 @@
 
 import { K8s, kind } from "kubernetes-fluent-client";
 
-import Log from "../logger";
+import Log from "../telemetry/logger";
 import { peprStoreCRD } from "./store";
 
-export async function destroyModule(name: string) {
+export async function destroyModule(name: string): Promise<void> {
   const namespace = "pepr-system";
 
   Log.info("Destroying Pepr module");

package/src/lib/assets/helm.ts

@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-export function clusterRoleTemplate() {
+export function clusterRoleTemplate(): string {
   return `
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRole
@@ -15,7 +15,7 @@ export function clusterRoleTemplate() {
   `;
 }
 
-export function nsTemplate() {
+export function namespaceTemplate(): string {
   return `
     apiVersion: v1
     kind: Namespace
@@ -32,7 +32,7 @@ export function nsTemplate() {
     `;
 }
 
-export function chartYaml(name: string, description?: string) {
+export function chartYaml(name: string, description?: string): string {
   return `
     apiVersion: v2
     name: ${name}
@@ -61,7 +61,7 @@ export function chartYaml(name: string, description?: string) {
 `;
 }
 
-export function watcherDeployTemplate(buildTimestamp: string) {
+export function watcherDeployTemplate(buildTimestamp: string): string {
   return `
       apiVersion: apps/v1
       kind: Deployment
@@ -142,7 +142,7 @@ export function watcherDeployTemplate(buildTimestamp: string) {
     `;
 }
 
-export function admissionDeployTemplate(buildTimestamp: string) {
+export function admissionDeployTemplate(buildTimestamp: string): string {
   return `
       apiVersion: apps/v1
       kind: Deployment
@@ -228,7 +228,7 @@ export function admissionDeployTemplate(buildTimestamp: string) {
     `;
 }
 
-export function serviceMonitorTemplate(name: string) {
+export function serviceMonitorTemplate(name: string): string {
   return `
       {{- if .Values.${name}.serviceMonitor.enabled }}
       apiVersion: monitoring.coreos.com/v1

package/src/lib/assets/index.ts

@@ -3,6 +3,7 @@
 
 import crypto from "crypto";
 import { dumpYaml } from "@kubernetes/client-node";
+import { kind } from "kubernetes-fluent-client";
 import { ModuleConfig } from "../module";
 import { TLSOut, genTLS } from "../tls";
 import { CapabilityExport } from "../types";
@@ -11,11 +12,11 @@ import { deploy } from "./deploy";
 import { loadCapabilities } from "./loader";
 import { allYaml, zarfYaml, overridesFile, zarfYamlChart } from "./yaml";
 import { namespaceComplianceValidator, replaceString } from "../helpers";
-import { createDirectoryIfNotExists, dedent } from "../helpers";
+import { dedent } from "../helpers";
 import { resolve } from "path";
 import {
   chartYaml,
-  nsTemplate,
+  namespaceTemplate,
   admissionDeployTemplate,
   watcherDeployTemplate,
   clusterRoleTemplate,
@@ -24,9 +25,72 @@ import {
 import { promises as fs } from "fs";
 import { webhookConfig } from "./webhooks";
 import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking";
-import { watcher, moduleSecret } from "./pods";
+import { getWatcher, getModuleSecret } from "./pods";
 
 import { clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";
+import { createDirectoryIfNotExists } from "../filesystemService";
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+function toYaml(obj: any): string {
+  return dumpYaml(obj, { noRefs: true });
+}
+
+function createWebhookYaml(
+  assets: Assets,
+  webhookConfiguration: kind.MutatingWebhookConfiguration | kind.ValidatingWebhookConfiguration,
+): string {
+  const yaml = toYaml(webhookConfiguration);
+  return replaceString(
+    replaceString(
+      replaceString(yaml, assets.name, "{{ .Values.uuid }}"),
+      assets.config.onError === "reject" ? "Fail" : "Ignore",
+      "{{ .Values.admission.failurePolicy }}",
+    ),
+    `${assets.config.webhookTimeout}` || "10",
+    "{{ .Values.admission.webhookTimeout }}",
+  );
+}
+
+function helmLayout(basePath: string, unique: string): Record<string, Record<string, string>> {
+  const helm: Record<string, Record<string, string>> = {
+    dirs: {
+      chart: resolve(`${basePath}/${unique}-chart`),
+    },
+    files: {},
+  };
+
+  helm.dirs = {
+    ...helm.dirs,
+    charts: `${helm.dirs.chart}/charts`,
+    tmpls: `${helm.dirs.chart}/templates`,
+  };
+
+  helm.files = {
+    ...helm.files,
+    valuesYaml: `${helm.dirs.chart}/values.yaml`,
+    chartYaml: `${helm.dirs.chart}/Chart.yaml`,
+    namespaceYaml: `${helm.dirs.tmpls}/namespace.yaml`,
+    watcherServiceYaml: `${helm.dirs.tmpls}/watcher-service.yaml`,
+    admissionServiceYaml: `${helm.dirs.tmpls}/admission-service.yaml`,
+    mutationWebhookYaml: `${helm.dirs.tmpls}/mutation-webhook.yaml`,
+    validationWebhookYaml: `${helm.dirs.tmpls}/validation-webhook.yaml`,
+    admissionDeploymentYaml: `${helm.dirs.tmpls}/admission-deployment.yaml`,
+    admissionServiceMonitorYaml: `${helm.dirs.tmpls}/admission-service-monitor.yaml`,
+    watcherDeploymentYaml: `${helm.dirs.tmpls}/watcher-deployment.yaml`,
+    watcherServiceMonitorYaml: `${helm.dirs.tmpls}/watcher-service-monitor.yaml`,
+    tlsSecretYaml: `${helm.dirs.tmpls}/tls-secret.yaml`,
+    apiTokenSecretYaml: `${helm.dirs.tmpls}/api-token-secret.yaml`,
+    moduleSecretYaml: `${helm.dirs.tmpls}/module-secret.yaml`,
+    storeRoleYaml: `${helm.dirs.tmpls}/store-role.yaml`,
+    storeRoleBindingYaml: `${helm.dirs.tmpls}/store-role-binding.yaml`,
+    clusterRoleYaml: `${helm.dirs.tmpls}/cluster-role.yaml`,
+    clusterRoleBindingYaml: `${helm.dirs.tmpls}/cluster-role-binding.yaml`,
+    serviceAccountYaml: `${helm.dirs.tmpls}/service-account.yaml`,
+  };
+
+  return helm;
+}
+
 export class Assets {
   readonly name: string;
   readonly tls: TLSOut;
@@ -55,20 +119,20 @@ export class Assets {
     this.apiToken = crypto.randomBytes(32).toString("hex");
   }
 
-  setHash = (hash: string) => {
+  setHash = (hash: string): void => {
     this.hash = hash;
   };
 
-  deploy = async (force: boolean, webhookTimeout?: number) => {
+  deploy = async (force: boolean, webhookTimeout?: number): Promise<void> => {
     this.capabilities = await loadCapabilities(this.path);
     await deploy(this, force, webhookTimeout);
   };
 
-  zarfYaml = (path: string) => zarfYaml(this, path);
+  zarfYaml = (path: string): string => zarfYaml(this, path);
 
-  zarfYamlChart = (path: string) => zarfYamlChart(this, path);
+  zarfYamlChart = (path: string): string => zarfYamlChart(this, path);
 
-  allYaml = async (imagePullSecret?: string) => {
+  allYaml = async (imagePullSecret?: string): Promise<string> => {
     this.capabilities = await loadCapabilities(this.path);
     // give error if namespaces are not respected
     for (const capability of this.capabilities) {
@@ -78,102 +142,59 @@ export class Assets {
     return allYaml(this, imagePullSecret);
   };
 
-  generateHelmChart = async (basePath: string) => {
-    const CHART_DIR = `${basePath}/${this.config.uuid}-chart`;
-    const CHAR_TEMPLATES_DIR = `${CHART_DIR}/templates`;
-    const valuesPath = resolve(CHART_DIR, `values.yaml`);
-    const chartPath = resolve(CHART_DIR, `Chart.yaml`);
-    const nsPath = resolve(CHAR_TEMPLATES_DIR, `namespace.yaml`);
-    const watcherSVCPath = resolve(CHAR_TEMPLATES_DIR, `watcher-service.yaml`);
-    const admissionSVCPath = resolve(CHAR_TEMPLATES_DIR, `admission-service.yaml`);
-    const mutationWebhookPath = resolve(CHAR_TEMPLATES_DIR, `mutation-webhook.yaml`);
-    const validationWebhookPath = resolve(CHAR_TEMPLATES_DIR, `validation-webhook.yaml`);
-    const admissionDeployPath = resolve(CHAR_TEMPLATES_DIR, `admission-deployment.yaml`);
-    const admissionServiceMonitorPath = resolve(CHAR_TEMPLATES_DIR, `admission-service-monitor.yaml`);
-    const watcherDeployPath = resolve(CHAR_TEMPLATES_DIR, `watcher-deployment.yaml`);
-    const watcherServiceMonitorPath = resolve(CHAR_TEMPLATES_DIR, `watcher-service-monitor.yaml`);
-    const tlsSecretPath = resolve(CHAR_TEMPLATES_DIR, `tls-secret.yaml`);
-    const apiTokenSecretPath = resolve(CHAR_TEMPLATES_DIR, `api-token-secret.yaml`);
-    const moduleSecretPath = resolve(CHAR_TEMPLATES_DIR, `module-secret.yaml`);
-    const storeRolePath = resolve(CHAR_TEMPLATES_DIR, `store-role.yaml`);
-    const storeRoleBindingPath = resolve(CHAR_TEMPLATES_DIR, `store-role-binding.yaml`);
-    const clusterRolePath = resolve(CHAR_TEMPLATES_DIR, `cluster-role.yaml`);
-    const clusterRoleBindingPath = resolve(CHAR_TEMPLATES_DIR, `cluster-role-binding.yaml`);
-    const serviceAccountPath = resolve(CHAR_TEMPLATES_DIR, `service-account.yaml`);
-
-    // create helm chart
-    try {
-      // create chart dir
-      await createDirectoryIfNotExists(CHART_DIR);
-
-      // create charts dir
-      await createDirectoryIfNotExists(`${CHART_DIR}/charts`);
+  /* eslint max-statements: ["warn", 21] */
+  generateHelmChart = async (basePath: string): Promise<void> => {
+    const helm = helmLayout(basePath, this.config.uuid);
 
-      // create templates dir
-      await createDirectoryIfNotExists(`${CHAR_TEMPLATES_DIR}`);
-
-      // create values file
-      await overridesFile(this, valuesPath);
-
-      // create the chart.yaml
-      await fs.writeFile(chartPath, dedent(chartYaml(this.config.uuid, this.config.description || "")));
-
-      // create the namespace.yaml in templates
-      await fs.writeFile(nsPath, dedent(nsTemplate()));
+    try {
+      await Promise.all(
+        Object.values(helm.dirs)
+          .sort((l, r) => l.split("/").length - r.split("/").length)
+          .map(async dir => await createDirectoryIfNotExists(dir)),
+      );
 
       const code = await fs.readFile(this.path);
 
-      await fs.writeFile(watcherSVCPath, dumpYaml(watcherService(this.name), { noRefs: true }));
-      await fs.writeFile(admissionSVCPath, dumpYaml(service(this.name), { noRefs: true }));
-      await fs.writeFile(tlsSecretPath, dumpYaml(tlsSecret(this.name, this.tls), { noRefs: true }));
-      await fs.writeFile(apiTokenSecretPath, dumpYaml(apiTokenSecret(this.name, this.apiToken), { noRefs: true }));
-      await fs.writeFile(moduleSecretPath, dumpYaml(moduleSecret(this.name, code, this.hash), { noRefs: true }));
-      await fs.writeFile(storeRolePath, dumpYaml(storeRole(this.name), { noRefs: true }));
-      await fs.writeFile(storeRoleBindingPath, dumpYaml(storeRoleBinding(this.name), { noRefs: true }));
-      await fs.writeFile(clusterRolePath, dedent(clusterRoleTemplate()));
-      await fs.writeFile(clusterRoleBindingPath, dumpYaml(clusterRoleBinding(this.name), { noRefs: true }));
-      await fs.writeFile(serviceAccountPath, dumpYaml(serviceAccount(this.name), { noRefs: true }));
-
-      const mutateWebhook = await webhookConfig(this, "mutate", this.config.webhookTimeout);
-      const validateWebhook = await webhookConfig(this, "validate", this.config.webhookTimeout);
-      const watchDeployment = watcher(this, this.hash, this.buildTimestamp);
+      const pairs: [string, () => string][] = [
+        [helm.files.chartYaml, (): string => dedent(chartYaml(this.config.uuid, this.config.description || ""))],
+        [helm.files.namespaceYaml, (): string => dedent(namespaceTemplate())],
+        [helm.files.watcherServiceYaml, (): string => toYaml(watcherService(this.name))],
+        [helm.files.admissionServiceYaml, (): string => toYaml(service(this.name))],
+        [helm.files.tlsSecretYaml, (): string => toYaml(tlsSecret(this.name, this.tls))],
+        [helm.files.apiTokenSecretYaml, (): string => toYaml(apiTokenSecret(this.name, this.apiToken))],
+        [helm.files.storeRoleYaml, (): string => toYaml(storeRole(this.name))],
+        [helm.files.storeRoleBindingYaml, (): string => toYaml(storeRoleBinding(this.name))],
+        [helm.files.clusterRoleYaml, (): string => dedent(clusterRoleTemplate())],
+        [helm.files.clusterRoleBindingYaml, (): string => toYaml(clusterRoleBinding(this.name))],
+        [helm.files.serviceAccountYaml, (): string => toYaml(serviceAccount(this.name))],
+        [helm.files.moduleSecretYaml, (): string => toYaml(getModuleSecret(this.name, code, this.hash))],
+      ];
+      await Promise.all(pairs.map(async ([file, content]) => await fs.writeFile(file, content())));
+
+      await overridesFile(this, helm.files.valuesYaml);
+
+      const [mutateWebhook, validateWebhook] = await Promise.all([
+        webhookConfig(this, "mutate", this.config.webhookTimeout),
+        webhookConfig(this, "validate", this.config.webhookTimeout),
+      ]);
 
       if (validateWebhook || mutateWebhook) {
-        await fs.writeFile(admissionDeployPath, dedent(admissionDeployTemplate(this.buildTimestamp)));
-        await fs.writeFile(admissionServiceMonitorPath, dedent(serviceMonitorTemplate("admission")));
+        await fs.writeFile(helm.files.admissionDeploymentYaml, dedent(admissionDeployTemplate(this.buildTimestamp)));
+        await fs.writeFile(helm.files.admissionServiceMonitorYaml, dedent(serviceMonitorTemplate("admission")));
       }
 
       if (mutateWebhook) {
-        const yamlMutateWebhook = dumpYaml(mutateWebhook, { noRefs: true });
-        const mutateWebhookTemplate = replaceString(
-          replaceString(
-            replaceString(yamlMutateWebhook, this.name, "{{ .Values.uuid }}"),
-            this.config.onError === "reject" ? "Fail" : "Ignore",
-            "{{ .Values.admission.failurePolicy }}",
-          ),
-          `${this.config.webhookTimeout}` || "10",
-          "{{ .Values.admission.webhookTimeout }}",
-        );
-        await fs.writeFile(mutationWebhookPath, mutateWebhookTemplate);
+        await fs.writeFile(helm.files.mutationWebhookYaml, createWebhookYaml(this, mutateWebhook));
       }
 
       if (validateWebhook) {
-        const yamlValidateWebhook = dumpYaml(validateWebhook, { noRefs: true });
-        const validateWebhookTemplate = replaceString(
-          replaceString(
-            replaceString(yamlValidateWebhook, this.name, "{{ .Values.uuid }}"),
-            this.config.onError === "reject" ? "Fail" : "Ignore",
-            "{{ .Values.admission.failurePolicy }}",
-          ),
-          `${this.config.webhookTimeout}` || "10",
-          "{{ .Values.admission.webhookTimeout }}",
-        );
-        await fs.writeFile(validationWebhookPath, validateWebhookTemplate);
+        await fs.writeFile(helm.files.validationWebhookYaml, createWebhookYaml(this, validateWebhook));
       }
 
+      const watchDeployment = getWatcher(this, this.hash, this.buildTimestamp);
       if (watchDeployment) {
-        await fs.writeFile(watcherDeployPath, dedent(watcherDeployTemplate(this.buildTimestamp)));
-        await fs.writeFile(watcherServiceMonitorPath, dedent(serviceMonitorTemplate("watcher")));
+        await fs.writeFile(helm.files.watcherDeploymentYaml, dedent(watcherDeployTemplate(this.buildTimestamp)));
+        await fs.writeFile(helm.files.watcherServiceMonitorYaml, dedent(serviceMonitorTemplate("watcher")));
       }
     } catch (err) {
       console.error(`Error generating helm chart: ${err.message}`);

package/src/lib/assets/pods.ts

@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-import { V1EnvVar } from "@kubernetes/client-node";
+import { KubernetesObject, V1EnvVar } from "@kubernetes/client-node";
 import { kind } from "kubernetes-fluent-client";
 import { gzipSync } from "zlib";
 import { secretOverLimit } from "../helpers";
@@ -10,7 +10,7 @@ import { ModuleConfig } from "../module";
 import { Binding } from "../types";
 
 /** Generate the pepr-system namespace */
-export function namespace(namespaceLabels?: Record<string, string>) {
+export function getNamespace(namespaceLabels?: Record<string, string>): KubernetesObject {
   if (namespaceLabels) {
     return {
       apiVersion: "v1",
@@ -31,7 +31,12 @@ export function namespace(namespaceLabels?: Record<string, string>) {
   }
 }
 
-export function watcher(assets: Assets, hash: string, buildTimestamp: string, imagePullSecret?: string) {
+export function getWatcher(
+  assets: Assets,
+  hash: string,
+  buildTimestamp: string,
+  imagePullSecret?: string,
+): kind.Deployment | null {
   const { name, image, capabilities, config } = assets;
 
   let hasSchedule = false;
@@ -186,7 +191,7 @@ export function watcher(assets: Assets, hash: string, buildTimestamp: string, im
   return deploy;
 }
 
-export function deployment(
+export function getDeployment(
   assets: Assets,
   hash: string,
   buildTimestamp: string,
@@ -336,7 +341,7 @@ export function deployment(
   return deploy;
 }
 
-export function moduleSecret(name: string, data: Buffer, hash: string): kind.Secret {
+export function getModuleSecret(name: string, data: Buffer, hash: string): kind.Secret {
   // Compress the data
   const compressed = gzipSync(data);
   const path = `module-${hash}.js.gz`;

package/src/lib/assets/webhooks.ts

@@ -20,7 +20,7 @@ const peprIgnoreLabel: V1LabelSelectorRequirement = {
 
 const peprIgnoreNamespaces: string[] = ["kube-system", "pepr-system"];
 
-export async function generateWebhookRules(assets: Assets, isMutateWebhook: boolean) {
+export async function generateWebhookRules(assets: Assets, isMutateWebhook: boolean): Promise<V1RuleWithOperations[]> {
   const { config, capabilities } = assets;
   const rules: V1RuleWithOperations[] = [];
 
@@ -44,8 +44,8 @@ export async function generateWebhookRules(assets: Assets, isMutateWebhook: bool
       const operations: string[] = [];
 
       // CreateOrUpdate is a Pepr-specific event that is translated to Create and Update
-      if (event === Event.CreateOrUpdate) {
-        operations.push(Event.Create, Event.Update);
+      if (event === Event.CREATE_OR_UPDATE) {
+        operations.push(Event.CREATE, Event.UPDATE);
       } else {
         operations.push(event);
       }