pepr 0.42.0 → 0.42.1

package/src/cli/monitor.ts

@@ -1,92 +1,51 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-import { Log as K8sLog, KubeConfig } from "@kubernetes/client-node";
+import { Log as K8sLog, KubeConfig, KubernetesListObject } from "@kubernetes/client-node";
 import { K8s, kind } from "kubernetes-fluent-client";
 import stream from "stream";
 import { ResponseItem } from "../lib/types";
 import { RootCmd } from "./root";
 
-export default function (program: RootCmd) {
+interface LogPayload {
+  namespace: string;
+  name: string;
+  res: {
+    uid: string;
+    allowed?: boolean;
+    patch?: string;
+    patchType?: string;
+    warnings?: string;
+    status?: {
+      message: string;
+    };
+  };
+}
+
+export default function (program: RootCmd): void {
   program
     .command("monitor [module-uuid]")
     .description("Monitor a Pepr Module")
     .action(async uuid => {
-      let labels: string[];
-      let errorMessage: string;
-
-      if (!uuid) {
-        labels = ["pepr.dev/controller", "admission"];
-        errorMessage = `No pods found with admission labels`;
-      } else {
-        labels = ["app", `pepr-${uuid}`];
-        errorMessage = `No pods found for module ${uuid}`;
-      }
+      const { labels, errorMessage } = getLabelsAndErrorMessage(uuid);
 
       // Get the logs for the `app=pepr-${module}` or `pepr.dev/controller=admission` pod selector
-      const pods = await K8s(kind.Pod)
+      const pods: KubernetesListObject<kind.Pod> = await K8s(kind.Pod)
         .InNamespace("pepr-system")
         .WithLabel(labels[0], labels[1])
         .Get();
 
-      const podNames = pods.items.flatMap(pod => pod.metadata!.name) as string[];
+      // Pods will ways have a metadata and name fields
+      const podNames: string[] = pods.items.flatMap(pod => pod.metadata!.name || "");
 
       if (podNames.length < 1) {
         console.error(errorMessage);
         process.exit(1);
       }
 
-      const kc = new KubeConfig();
-      kc.loadFromDefault();
-
-      const log = new K8sLog(kc);
-
-      const logStream = new stream.PassThrough();
-      logStream.on("data", async chunk => {
-        const respMsg = `"msg":"Check response"`;
-        // Split the chunk into lines
-        const lines = await chunk.toString().split("\n");
-
-        for (const line of lines) {
-          // Check for `"msg":"Hello Pepr"`
-          if (!line.includes(respMsg)) continue;
-          try {
-            const payload = JSON.parse(line.trim());
-            const isMutate = payload.res.patchType || payload.res.warnings;
-
-            const name = `${payload.namespace}${payload.name}`;
-            const uid = payload.res.uid;
-
-            if (isMutate) {
-              const plainPatch =
-                payload.res?.patch !== undefined && payload.res?.patch !== null
-                  ? atob(payload.res.patch)
-                  : "";
-
-              const patch = plainPatch !== "" && JSON.stringify(JSON.parse(plainPatch), null, 2);
-              const patchType = payload.res.patchType || payload.res.warnings || "";
-              const allowOrDeny = payload.res.allowed ? "🔀" : "🚫";
-              console.log(`\n${allowOrDeny}  MUTATE     ${name} (${uid})`);
-              patchType.length > 0 && console.log(`\n\u001b[1;34m${patch}\u001b[0m`);
-            } else {
-              const failures = Array.isArray(payload.res) ? payload.res : [payload.res];
-
-              const filteredFailures = failures
-                .filter((r: ResponseItem) => !r.allowed)
-                .map((r: ResponseItem) => r.status.message);
-
-              console.log(
-                `\n${filteredFailures.length > 0 ? "❌" : "✅"}  VALIDATE   ${name} (${uid})`,
-              );
-              console.log(
-                filteredFailures.length > 0 ? `\u001b[1;31m${filteredFailures}\u001b[0m` : "",
-              );
-            }
-          } catch {
-            // Do nothing
-          }
-        }
-      });
+      const log = getK8sLogFromKubeConfig();
+
+      const logStream = createLogStream();
 
       for (const podName of podNames) {
         await log.log("pepr-system", podName, "server", logStream, {
@@ -97,3 +56,87 @@ export default function (program: RootCmd) {
       }
     });
 }
+
+export function getLabelsAndErrorMessage(uuid?: string): {
+  labels: string[];
+  errorMessage: string;
+} {
+  let labels: string[];
+  let errorMessage: string;
+
+  if (!uuid) {
+    labels = ["pepr.dev/controller", "admission"];
+    errorMessage = `No pods found with admission labels`;
+  } else {
+    labels = ["app", `pepr-${uuid}`];
+    errorMessage = `No pods found for module ${uuid}`;
+  }
+
+  return { labels, errorMessage };
+}
+
+export function getK8sLogFromKubeConfig(): K8sLog {
+  const kc = new KubeConfig();
+  kc.loadFromDefault();
+  return new K8sLog(kc);
+}
+
+function createLogStream(): stream.PassThrough {
+  const logStream = new stream.PassThrough();
+
+  logStream.on("data", async chunk => {
+    const lines = chunk.toString().split("\n");
+    const respMsg = `"msg":"Check response"`;
+
+    for (const line of lines) {
+      if (!line.includes(respMsg)) continue;
+      processLogLine(line);
+    }
+  });
+
+  return logStream;
+}
+
+function processLogLine(line: string): void {
+  try {
+    const payload: LogPayload = JSON.parse(line.trim());
+    const isMutate = payload.res.patchType || payload.res.warnings;
+    const name = `${payload.namespace}${payload.name}`;
+    const uid = payload.res.uid;
+
+    if (isMutate) {
+      processMutateLog(payload, name, uid);
+    } else {
+      processValidateLog(payload, name, uid);
+    }
+  } catch {
+    // Do nothing
+  }
+}
+
+export function processMutateLog(payload: LogPayload, name: string, uid: string): void {
+  const plainPatch =
+    payload.res.patch !== undefined && payload.res.patch !== null ? atob(payload.res.patch) : "";
+
+  const patch = plainPatch !== "" && JSON.stringify(JSON.parse(plainPatch), null, 2);
+  const patchType = payload.res.patchType || payload.res.warnings || "";
+  const allowOrDeny = payload.res.allowed ? "🔀" : "🚫";
+
+  console.log(`\n${allowOrDeny}  MUTATE     ${name} (${uid})`);
+  if (patchType.length > 0) {
+    console.log(`\n\u001b[1;34m${patch}\u001b[0m`);
+  }
+}
+
+export function processValidateLog(payload: LogPayload, name: string, uid: string): void {
+  const failures = Array.isArray(payload.res) ? payload.res : [payload.res];
+
+  const filteredFailures = failures
+    .filter((r: ResponseItem) => !r.allowed)
+    .map((r: ResponseItem) => r.status?.message || "");
+
+  console.log(`\n${filteredFailures.length > 0 ? "❌" : "✅"}  VALIDATE   ${name} (${uid})`);
+  if (filteredFailures.length > 0) {
+    console.log(`\u001b[1;31m${filteredFailures}\u001b[0m`);
+  }
+}

package/src/lib/assets/deploy.ts

@@ -9,7 +9,7 @@ import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
 import { Assets } from ".";
 import Log from "../telemetry/logger";
 import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking";
-import { deployment, moduleSecret, namespace, watcher } from "./pods";
+import { getDeployment, getModuleSecret, getNamespace, getWatcher } from "./pods";
 import { clusterRole, clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";
 import { peprStoreCRD } from "./store";
 import { webhookConfig } from "./webhooks";
@@ -19,7 +19,7 @@ export async function deployImagePullSecret(imagePullSecret: ImagePullSecret, na
   try {
     await K8s(kind.Namespace).Get("pepr-system");
   } catch {
-    await K8s(kind.Namespace).Apply(namespace());
+    await K8s(kind.Namespace).Apply(getNamespace());
   }
 
   try {
@@ -48,7 +48,7 @@ export async function deploy(assets: Assets, force: boolean, webhookTimeout?: nu
   const { name, host, path } = assets;
 
   Log.info("Applying pepr-system namespace");
-  await K8s(kind.Namespace).Apply(namespace(assets.config.customLabels?.namespace));
+  await K8s(kind.Namespace).Apply(getNamespace(assets.config.customLabels?.namespace));
 
   // Create the mutating webhook configuration if it is needed
   const mutateWebhook = await webhookConfig(assets, "mutate", webhookTimeout);
@@ -123,7 +123,7 @@ async function setupController(assets: Assets, code: Buffer, hash: string, force
   const { name } = assets;
 
   Log.info("Applying module secret");
-  const mod = moduleSecret(name, code, hash);
+  const mod = getModuleSecret(name, code, hash);
   await K8s(kind.Secret).Apply(mod, { force });
 
   Log.info("Applying controller service");
@@ -139,14 +139,14 @@ async function setupController(assets: Assets, code: Buffer, hash: string, force
   await K8s(kind.Secret).Apply(apiToken, { force });
 
   Log.info("Applying deployment");
-  const dep = deployment(assets, hash, assets.buildTimestamp);
+  const dep = getDeployment(assets, hash, assets.buildTimestamp);
   await K8s(kind.Deployment).Apply(dep, { force });
 }
 
 // Setup the watcher deployment and service
 async function setupWatcher(assets: Assets, hash: string, force: boolean) {
   // If the module has a watcher, deploy it
-  const watchDeployment = watcher(assets, hash, assets.buildTimestamp);
+  const watchDeployment = getWatcher(assets, hash, assets.buildTimestamp);
   if (watchDeployment) {
     Log.info("Applying watcher deployment");
     await K8s(kind.Deployment).Apply(watchDeployment, { force });

package/src/lib/assets/destroy.ts

@@ -6,7 +6,7 @@ import { K8s, kind } from "kubernetes-fluent-client";
 import Log from "../telemetry/logger";
 import { peprStoreCRD } from "./store";
 
-export async function destroyModule(name: string) {
+export async function destroyModule(name: string): Promise<void> {
   const namespace = "pepr-system";
 
   Log.info("Destroying Pepr module");

package/src/lib/assets/helm.ts

@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-export function clusterRoleTemplate() {
+export function clusterRoleTemplate(): string {
   return `
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRole
@@ -15,7 +15,7 @@ export function clusterRoleTemplate() {
   `;
 }
 
-export function nsTemplate() {
+export function namespaceTemplate(): string {
   return `
     apiVersion: v1
     kind: Namespace
@@ -32,7 +32,7 @@ export function nsTemplate() {
     `;
 }
 
-export function chartYaml(name: string, description?: string) {
+export function chartYaml(name: string, description?: string): string {
   return `
     apiVersion: v2
     name: ${name}
@@ -61,7 +61,7 @@ export function chartYaml(name: string, description?: string) {
 `;
 }
 
-export function watcherDeployTemplate(buildTimestamp: string) {
+export function watcherDeployTemplate(buildTimestamp: string): string {
   return `
       apiVersion: apps/v1
       kind: Deployment
@@ -142,7 +142,7 @@ export function watcherDeployTemplate(buildTimestamp: string) {
     `;
 }
 
-export function admissionDeployTemplate(buildTimestamp: string) {
+export function admissionDeployTemplate(buildTimestamp: string): string {
   return `
       apiVersion: apps/v1
       kind: Deployment
@@ -228,7 +228,7 @@ export function admissionDeployTemplate(buildTimestamp: string) {
     `;
 }
 
-export function serviceMonitorTemplate(name: string) {
+export function serviceMonitorTemplate(name: string): string {
   return `
       {{- if .Values.${name}.serviceMonitor.enabled }}
       apiVersion: monitoring.coreos.com/v1

package/src/lib/assets/index.ts

@@ -16,7 +16,7 @@ import { dedent } from "../helpers";
 import { resolve } from "path";
 import {
   chartYaml,
-  nsTemplate,
+  namespaceTemplate,
   admissionDeployTemplate,
   watcherDeployTemplate,
   clusterRoleTemplate,
@@ -25,7 +25,7 @@ import {
 import { promises as fs } from "fs";
 import { webhookConfig } from "./webhooks";
 import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking";
-import { watcher, moduleSecret } from "./pods";
+import { getWatcher, getModuleSecret } from "./pods";
 
 import { clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";
 import { createDirectoryIfNotExists } from "../filesystemService";
@@ -51,7 +51,7 @@ function createWebhookYaml(
   );
 }
 
-function helmLayout(basePath: string, unique: string) {
+function helmLayout(basePath: string, unique: string): Record<string, Record<string, string>> {
   const helm: Record<string, Record<string, string>> = {
     dirs: {
       chart: resolve(`${basePath}/${unique}-chart`),
@@ -119,20 +119,20 @@ export class Assets {
     this.apiToken = crypto.randomBytes(32).toString("hex");
   }
 
-  setHash = (hash: string) => {
+  setHash = (hash: string): void => {
     this.hash = hash;
   };
 
-  deploy = async (force: boolean, webhookTimeout?: number) => {
+  deploy = async (force: boolean, webhookTimeout?: number): Promise<void> => {
     this.capabilities = await loadCapabilities(this.path);
     await deploy(this, force, webhookTimeout);
   };
 
-  zarfYaml = (path: string) => zarfYaml(this, path);
+  zarfYaml = (path: string): string => zarfYaml(this, path);
 
-  zarfYamlChart = (path: string) => zarfYamlChart(this, path);
+  zarfYamlChart = (path: string): string => zarfYamlChart(this, path);
 
-  allYaml = async (imagePullSecret?: string) => {
+  allYaml = async (imagePullSecret?: string): Promise<string> => {
     this.capabilities = await loadCapabilities(this.path);
     // give error if namespaces are not respected
     for (const capability of this.capabilities) {
@@ -143,7 +143,7 @@ export class Assets {
   };
 
   /* eslint max-statements: ["warn", 21] */
-  generateHelmChart = async (basePath: string) => {
+  generateHelmChart = async (basePath: string): Promise<void> => {
     const helm = helmLayout(basePath, this.config.uuid);
 
     try {
@@ -156,18 +156,18 @@ export class Assets {
       const code = await fs.readFile(this.path);
 
       const pairs: [string, () => string][] = [
-        [helm.files.chartYaml, () => dedent(chartYaml(this.config.uuid, this.config.description || ""))],
-        [helm.files.namespaceYaml, () => dedent(nsTemplate())],
-        [helm.files.watcherServiceYaml, () => toYaml(watcherService(this.name))],
-        [helm.files.admissionServiceYaml, () => toYaml(service(this.name))],
-        [helm.files.tlsSecretYaml, () => toYaml(tlsSecret(this.name, this.tls))],
-        [helm.files.apiTokenSecretYaml, () => toYaml(apiTokenSecret(this.name, this.apiToken))],
-        [helm.files.storeRoleYaml, () => toYaml(storeRole(this.name))],
-        [helm.files.storeRoleBindingYaml, () => toYaml(storeRoleBinding(this.name))],
-        [helm.files.clusterRoleYaml, () => dedent(clusterRoleTemplate())],
-        [helm.files.clusterRoleBindingYaml, () => toYaml(clusterRoleBinding(this.name))],
-        [helm.files.serviceAccountYaml, () => toYaml(serviceAccount(this.name))],
-        [helm.files.moduleSecretYaml, () => toYaml(moduleSecret(this.name, code, this.hash))],
+        [helm.files.chartYaml, (): string => dedent(chartYaml(this.config.uuid, this.config.description || ""))],
+        [helm.files.namespaceYaml, (): string => dedent(namespaceTemplate())],
+        [helm.files.watcherServiceYaml, (): string => toYaml(watcherService(this.name))],
+        [helm.files.admissionServiceYaml, (): string => toYaml(service(this.name))],
+        [helm.files.tlsSecretYaml, (): string => toYaml(tlsSecret(this.name, this.tls))],
+        [helm.files.apiTokenSecretYaml, (): string => toYaml(apiTokenSecret(this.name, this.apiToken))],
+        [helm.files.storeRoleYaml, (): string => toYaml(storeRole(this.name))],
+        [helm.files.storeRoleBindingYaml, (): string => toYaml(storeRoleBinding(this.name))],
+        [helm.files.clusterRoleYaml, (): string => dedent(clusterRoleTemplate())],
+        [helm.files.clusterRoleBindingYaml, (): string => toYaml(clusterRoleBinding(this.name))],
+        [helm.files.serviceAccountYaml, (): string => toYaml(serviceAccount(this.name))],
+        [helm.files.moduleSecretYaml, (): string => toYaml(getModuleSecret(this.name, code, this.hash))],
       ];
       await Promise.all(pairs.map(async ([file, content]) => await fs.writeFile(file, content())));
 
@@ -191,7 +191,7 @@ export class Assets {
         await fs.writeFile(helm.files.validationWebhookYaml, createWebhookYaml(this, validateWebhook));
       }
 
-      const watchDeployment = watcher(this, this.hash, this.buildTimestamp);
+      const watchDeployment = getWatcher(this, this.hash, this.buildTimestamp);
       if (watchDeployment) {
         await fs.writeFile(helm.files.watcherDeploymentYaml, dedent(watcherDeployTemplate(this.buildTimestamp)));
         await fs.writeFile(helm.files.watcherServiceMonitorYaml, dedent(serviceMonitorTemplate("watcher")));

package/src/lib/assets/pods.ts

@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-import { V1EnvVar } from "@kubernetes/client-node";
+import { KubernetesObject, V1EnvVar } from "@kubernetes/client-node";
 import { kind } from "kubernetes-fluent-client";
 import { gzipSync } from "zlib";
 import { secretOverLimit } from "../helpers";
@@ -10,7 +10,7 @@ import { ModuleConfig } from "../module";
 import { Binding } from "../types";
 
 /** Generate the pepr-system namespace */
-export function namespace(namespaceLabels?: Record<string, string>) {
+export function getNamespace(namespaceLabels?: Record<string, string>): KubernetesObject {
   if (namespaceLabels) {
     return {
       apiVersion: "v1",
@@ -31,7 +31,12 @@ export function namespace(namespaceLabels?: Record<string, string>) {
   }
 }
 
-export function watcher(assets: Assets, hash: string, buildTimestamp: string, imagePullSecret?: string) {
+export function getWatcher(
+  assets: Assets,
+  hash: string,
+  buildTimestamp: string,
+  imagePullSecret?: string,
+): kind.Deployment | null {
   const { name, image, capabilities, config } = assets;
 
   let hasSchedule = false;
@@ -186,7 +191,7 @@ export function watcher(assets: Assets, hash: string, buildTimestamp: string, im
   return deploy;
 }
 
-export function deployment(
+export function getDeployment(
   assets: Assets,
   hash: string,
   buildTimestamp: string,
@@ -336,7 +341,7 @@ export function deployment(
   return deploy;
 }
 
-export function moduleSecret(name: string, data: Buffer, hash: string): kind.Secret {
+export function getModuleSecret(name: string, data: Buffer, hash: string): kind.Secret {
   // Compress the data
   const compressed = gzipSync(data);
   const path = `module-${hash}.js.gz`;

package/src/lib/assets/webhooks.ts

@@ -20,7 +20,7 @@ const peprIgnoreLabel: V1LabelSelectorRequirement = {
 
 const peprIgnoreNamespaces: string[] = ["kube-system", "pepr-system"];
 
-export async function generateWebhookRules(assets: Assets, isMutateWebhook: boolean) {
+export async function generateWebhookRules(assets: Assets, isMutateWebhook: boolean): Promise<V1RuleWithOperations[]> {
   const { config, capabilities } = assets;
   const rules: V1RuleWithOperations[] = [];
 

package/src/lib/assets/yaml.ts

@@ -6,13 +6,16 @@ import crypto from "crypto";
 import { promises as fs } from "fs";
 import { Assets } from ".";
 import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking";
-import { deployment, moduleSecret, namespace, watcher } from "./pods";
+import { getDeployment, getModuleSecret, getNamespace, getWatcher } from "./pods";
 import { clusterRole, clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";
 import { webhookConfig } from "./webhooks";
 import { genEnv } from "./pods";
 
 // Helm Chart overrides file (values.yaml) generated from assets
-export async function overridesFile({ hash, name, image, config, apiToken, capabilities }: Assets, path: string) {
+export async function overridesFile(
+  { hash, name, image, config, apiToken, capabilities }: Assets,
+  path: string,
+): Promise<void> {
   const rbacOverrides = clusterRole(name, capabilities, config.rbacMode, config.rbac).rules;
 
   const overrides = {
@@ -166,7 +169,7 @@ export async function overridesFile({ hash, name, image, config, apiToken, capab
 
   await fs.writeFile(path, dumpYaml(overrides, { noRefs: true, forceQuotes: true }));
 }
-export function zarfYaml({ name, image, config }: Assets, path: string) {
+export function zarfYaml({ name, image, config }: Assets, path: string): string {
   const zarfCfg = {
     kind: "ZarfPackageConfig",
     metadata: {
@@ -194,7 +197,7 @@ export function zarfYaml({ name, image, config }: Assets, path: string) {
   return dumpYaml(zarfCfg, { noRefs: true });
 }
 
-export function zarfYamlChart({ name, image, config }: Assets, path: string) {
+export function zarfYamlChart({ name, image, config }: Assets, path: string): string {
   const zarfCfg = {
     kind: "ZarfPackageConfig",
     metadata: {
@@ -223,7 +226,7 @@ export function zarfYamlChart({ name, image, config }: Assets, path: string) {
   return dumpYaml(zarfCfg, { noRefs: true });
 }
 
-export async function allYaml(assets: Assets, imagePullSecret?: string) {
+export async function allYaml(assets: Assets, imagePullSecret?: string): Promise<string> {
   const { name, tls, apiToken, path, config } = assets;
   const code = await fs.readFile(path);
 
@@ -232,19 +235,19 @@ export async function allYaml(assets: Assets, imagePullSecret?: string) {
 
   const mutateWebhook = await webhookConfig(assets, "mutate", assets.config.webhookTimeout);
   const validateWebhook = await webhookConfig(assets, "validate", assets.config.webhookTimeout);
-  const watchDeployment = watcher(assets, assets.hash, assets.buildTimestamp, imagePullSecret);
+  const watchDeployment = getWatcher(assets, assets.hash, assets.buildTimestamp, imagePullSecret);
 
   const resources = [
-    namespace(assets.config.customLabels?.namespace),
+    getNamespace(assets.config.customLabels?.namespace),
     clusterRole(name, assets.capabilities, config.rbacMode, config.rbac),
     clusterRoleBinding(name),
     serviceAccount(name),
     apiTokenSecret(name, apiToken),
     tlsSecret(name, tls),
-    deployment(assets, assets.hash, assets.buildTimestamp, imagePullSecret),
+    getDeployment(assets, assets.hash, assets.buildTimestamp, imagePullSecret),
     service(name),
     watcherService(name),
-    moduleSecret(name, code, assets.hash),
+    getModuleSecret(name, code, assets.hash),
     storeRole(name),
     storeRoleBinding(name),
   ];

package/src/lib/capability.ts

@@ -71,7 +71,7 @@ export class Capability implements CapabilityExport {
     }
   };
 
-  public getScheduleStore() {
+  public getScheduleStore(): Storage {
     return this.#scheduleStore;
   }
 
@@ -111,19 +111,19 @@ export class Capability implements CapabilityExport {
     onReady: this.#scheduleStore.onReady,
   };
 
-  get bindings() {
+  get bindings(): Binding[] {
     return this.#bindings;
   }
 
-  get name() {
+  get name(): string {
     return this.#name;
   }
 
-  get description() {
+  get description(): string {
     return this.#description;
   }
 
-  get namespaces() {
+  get namespaces(): string[] {
     return this.#namespaces || [];
   }
 
@@ -207,8 +207,19 @@ export class Capability implements CapabilityExport {
     const bindings = this.#bindings;
     const prefix = `${this.#name}: ${model.name}`;
     const commonChain = { WithLabel, WithAnnotation, WithDeletionTimestamp, Mutate, Validate, Watch, Reconcile, Alias };
-    const isNotEmpty = (value: object) => Object.keys(value).length > 0;
-    const log = (message: string, cbString: string) => {
+
+    type CommonChainType = typeof commonChain;
+    type ExtendedCommonChainType = CommonChainType & {
+      Alias: (alias: string) => CommonChainType;
+      InNamespace: (...namespaces: string[]) => BindingWithName<T>;
+      InNamespaceRegex: (...namespaces: RegExp[]) => BindingWithName<T>;
+      WithName: (name: string) => BindingFilter<T>;
+      WithNameRegex: (regexName: RegExp) => BindingFilter<T>;
+      WithDeletionTimestamp: () => BindingFilter<T>;
+    };
+
+    const isNotEmpty = (value: object): boolean => Object.keys(value).length > 0;
+    const log = (message: string, cbString: string): void => {
       const filteredObj = pickBy(isNotEmpty, binding.filters);
 
       Log.info(`${message} configured for ${binding.event}`, prefix);
@@ -329,7 +340,7 @@ export class Capability implements CapabilityExport {
           isWatch: true,
           isFinalize: true,
           event: Event.UPDATE,
-          finalizeCallback: async (update: InstanceType<T>, logger = aliasLogger) => {
+          finalizeCallback: async (update: InstanceType<T>, logger = aliasLogger): Promise<boolean | void> => {
             Log.info(`Executing finalize action with alias: ${binding.alias || "no alias provided"}`);
             return await finalizeCallback(update, logger);
           },
@@ -380,13 +391,13 @@ export class Capability implements CapabilityExport {
       return commonChain;
     }
 
-    function Alias(alias: string) {
+    function Alias(alias: string): CommonChainType {
       Log.debug(`Adding prefix alias ${alias}`, prefix);
       binding.alias = alias;
       return commonChain;
     }
 
-    function bindEvent(event: Event) {
+    function bindEvent(event: Event): ExtendedCommonChainType {
       binding.event = event;
       return {
         ...commonChain,