pepr 0.42.0 → 0.42.2

package/src/lib/mutate-request.ts

@@ -11,19 +11,19 @@ export class PeprMutateRequest<T extends KubernetesObject> {
   Raw: T;
   #input: AdmissionRequest<T>;
 
-  get PermitSideEffects() {
+  get PermitSideEffects(): boolean {
     return !this.#input.dryRun;
   }
 
-  get IsDryRun() {
+  get IsDryRun(): boolean | undefined {
     return this.#input.dryRun;
   }
 
-  get OldResource() {
+  get OldResource(): KubernetesObject | undefined {
     return this.#input.oldObject;
   }
 
-  get Request() {
+  get Request(): AdmissionRequest<KubernetesObject> {
     return this.#input;
   }
 
@@ -42,11 +42,11 @@ export class PeprMutateRequest<T extends KubernetesObject> {
     }
   }
 
-  Merge = (obj: DeepPartial<T>) => {
+  Merge = (obj: DeepPartial<T>): void => {
     this.Raw = mergeDeepRight(this.Raw, obj) as unknown as T;
   };
 
-  SetLabel = (key: string, value: string) => {
+  SetLabel = (key: string, value: string): this => {
     const ref = this.Raw;
     ref.metadata = ref.metadata ?? {};
     ref.metadata.labels = ref.metadata.labels ?? {};
@@ -54,7 +54,7 @@ export class PeprMutateRequest<T extends KubernetesObject> {
     return this;
   };
 
-  SetAnnotation = (key: string, value: string) => {
+  SetAnnotation = (key: string, value: string): this => {
     const ref = this.Raw;
     ref.metadata = ref.metadata ?? {};
     ref.metadata.annotations = ref.metadata.annotations ?? {};
@@ -62,25 +62,25 @@ export class PeprMutateRequest<T extends KubernetesObject> {
     return this;
   };
 
-  RemoveLabel = (key: string) => {
+  RemoveLabel = (key: string): this => {
     if (this.Raw.metadata?.labels?.[key]) {
       delete this.Raw.metadata.labels[key];
     }
     return this;
   };
 
-  RemoveAnnotation = (key: string) => {
+  RemoveAnnotation = (key: string): this => {
     if (this.Raw.metadata?.annotations?.[key]) {
       delete this.Raw.metadata.annotations[key];
     }
     return this;
   };
 
-  HasLabel = (key: string) => {
+  HasLabel = (key: string): boolean => {
     return this.Raw.metadata?.labels?.[key] !== undefined;
   };
 
-  HasAnnotation = (key: string) => {
+  HasAnnotation = (key: string): boolean => {
     return this.Raw.metadata?.annotations?.[key] !== undefined;
   };
 }

package/src/lib/processors/mutate-processor.ts

@@ -0,0 +1,225 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import jsonPatch from "fast-json-patch";
+import { kind, KubernetesObject } from "kubernetes-fluent-client";
+import { clone } from "ramda";
+
+import { Capability } from "../core/capability";
+import { shouldSkipRequest } from "../filter/filter";
+import { MutateResponse } from "../k8s";
+import { AdmissionRequest, Binding } from "../types";
+import Log from "../telemetry/logger";
+import { ModuleConfig } from "../core/module";
+import { PeprMutateRequest } from "../mutate-request";
+import { base64Encode, convertFromBase64Map, convertToBase64Map } from "../utils";
+import { OnError } from "../../cli/init/enums";
+
+export interface Bindable {
+  req: AdmissionRequest;
+  config: ModuleConfig;
+  name: string;
+  namespaces: string[];
+  binding: Binding;
+  actMeta: Record<string, string>;
+}
+
+export interface Result {
+  wrapped: PeprMutateRequest<KubernetesObject>;
+  response: MutateResponse;
+}
+
+// Add annotations to the request to indicate that the capability started processing
+// this will allow tracking of failed mutations that were permitted to continue
+export function updateStatus(
+  config: ModuleConfig,
+  name: string,
+  wrapped: PeprMutateRequest<KubernetesObject>,
+  status: string,
+): PeprMutateRequest<KubernetesObject> {
+  // Only update the status if the request is a CREATE or UPDATE (we don't use CONNECT)
+  if (wrapped.Request.operation === "DELETE") {
+    return wrapped;
+  }
+  wrapped.SetAnnotation(`${config.uuid}.pepr.dev/${name}`, status);
+
+  return wrapped;
+}
+
+export function logMutateErrorMessage(e: Error): string {
+  try {
+    if (e.message && e.message !== "[object Object]") {
+      return e.message;
+    } else {
+      throw new Error("An error occurred in the mutate action.");
+    }
+  } catch (e) {
+    return "An error occurred with the mutate action.";
+  }
+}
+
+export function decodeData(wrapped: PeprMutateRequest<KubernetesObject>): {
+  skipped: string[];
+  wrapped: PeprMutateRequest<KubernetesObject>;
+} {
+  let skipped: string[] = [];
+
+  const isSecret = wrapped.Request.kind.version === "v1" && wrapped.Request.kind.kind === "Secret";
+  if (isSecret) {
+    // convertFromBase64Map modifies it's arg rather than returing a mod'ed copy (ye olde side-effect special, blerg)
+    skipped = convertFromBase64Map(wrapped.Raw as unknown as kind.Secret);
+  }
+
+  return { skipped, wrapped };
+}
+
+export function reencodeData(wrapped: PeprMutateRequest<KubernetesObject>, skipped: string[]): KubernetesObject {
+  const transformed = clone(wrapped.Raw);
+
+  const isSecret = wrapped.Request.kind.version === "v1" && wrapped.Request.kind.kind === "Secret";
+  if (isSecret) {
+    // convertToBase64Map modifies it's arg rather than returing a mod'ed copy (ye olde side-effect special, blerg)
+    convertToBase64Map(transformed as unknown as kind.Secret, skipped);
+  }
+
+  return transformed;
+}
+
+export async function processRequest(
+  bindable: Bindable,
+  wrapped: PeprMutateRequest<KubernetesObject>,
+  response: MutateResponse,
+): Promise<Result> {
+  const { binding, actMeta, name, config } = bindable;
+
+  const label = binding.mutateCallback!.name;
+  Log.info(actMeta, `Processing mutation action (${label})`);
+
+  wrapped = updateStatus(config, name, wrapped, "started");
+
+  try {
+    // Run the action
+    await binding.mutateCallback!(wrapped);
+
+    // Log on success
+    Log.info(actMeta, `Mutation action succeeded (${label})`);
+
+    // Add annotations to the request to indicate that the capability succeeded
+    wrapped = updateStatus(config, name, wrapped, "succeeded");
+  } catch (e) {
+    wrapped = updateStatus(config, name, wrapped, "warning");
+    response.warnings = response.warnings || [];
+
+    const errorMessage = logMutateErrorMessage(e);
+
+    // Log on failure
+    Log.error(actMeta, `Action failed: ${errorMessage}`);
+    response.warnings.push(`Action failed: ${errorMessage}`);
+
+    switch (config.onError) {
+      case OnError.REJECT:
+        response.result = "Pepr module configured to reject on error";
+        break;
+
+      case OnError.AUDIT:
+        response.auditAnnotations = response.auditAnnotations || {};
+        response.auditAnnotations[Date.now()] = `Action failed: ${errorMessage}`;
+        break;
+    }
+  }
+
+  return { wrapped, response };
+}
+
+/* eslint max-statements: ["warn", 25] */
+export async function mutateProcessor(
+  config: ModuleConfig,
+  capabilities: Capability[],
+  req: AdmissionRequest,
+  reqMetadata: Record<string, string>,
+): Promise<MutateResponse> {
+  let response: MutateResponse = {
+    uid: req.uid,
+    warnings: [],
+    allowed: false,
+  };
+
+  const decoded = decodeData(new PeprMutateRequest(req));
+  let wrapped = decoded.wrapped;
+
+  Log.info(reqMetadata, `Processing request`);
+
+  let bindables: Bindable[] = capabilities.flatMap(capa =>
+    capa.bindings.map(bind => ({
+      req,
+      config,
+      name: capa.name,
+      namespaces: capa.namespaces,
+      binding: bind,
+      actMeta: { ...reqMetadata, name: capa.name },
+    })),
+  );
+
+  bindables = bindables.filter(bind => {
+    if (!bind.binding.mutateCallback) {
+      return false;
+    }
+
+    const shouldSkip = shouldSkipRequest(
+      bind.binding,
+      bind.req,
+      bind.namespaces,
+      bind.config?.alwaysIgnore?.namespaces,
+    );
+    if (shouldSkip !== "") {
+      Log.debug(shouldSkip);
+      return false;
+    }
+
+    return true;
+  });
+
+  for (const bindable of bindables) {
+    ({ wrapped, response } = await processRequest(bindable, wrapped, response));
+    if (config.onError === OnError.REJECT && response?.warnings!.length > 0) {
+      return response;
+    }
+  }
+
+  // If we've made it this far, the request is allowed
+  response.allowed = true;
+
+  // If no capability matched the request, exit early
+  if (bindables.length === 0) {
+    Log.info(reqMetadata, `No matching actions found`);
+    return response;
+  }
+
+  // delete operations can't be mutate, just return before the transformation
+  if (req.operation === "DELETE") {
+    return response;
+  }
+
+  // unskip base64-encoded data fields that were skipDecode'd
+  const transformed = reencodeData(wrapped, decoded.skipped);
+
+  // Compare the original request to the modified request to get the patches
+  const patches = jsonPatch.compare(req.object, transformed);
+
+  // Only add the patch if there are patches to apply
+  if (patches.length > 0) {
+    response.patchType = "JSONPatch";
+    // Webhook must be base64-encoded
+    // https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#response
+    response.patch = base64Encode(JSON.stringify(patches));
+  }
+
+  // Remove the warnings array if it's empty
+  if (response.warnings && response.warnings.length < 1) {
+    delete response.warnings;
+  }
+
+  Log.debug({ ...reqMetadata, patches }, `Patches generated`);
+
+  return response;
+}

package/src/lib/processors/validate-processor.ts

@@ -0,0 +1,93 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { kind, KubernetesObject } from "kubernetes-fluent-client";
+import { Capability } from "../core/capability";
+import { shouldSkipRequest } from "../filter/filter";
+import { ValidateResponse } from "../k8s";
+import { AdmissionRequest, Binding } from "../types";
+import Log from "../telemetry/logger";
+import { convertFromBase64Map } from "../utils";
+import { PeprValidateRequest } from "../validate-request";
+import { ModuleConfig } from "../core/module";
+
+export async function processRequest(
+  binding: Binding,
+  actionMetadata: Record<string, string>,
+  peprValidateRequest: PeprValidateRequest<KubernetesObject>,
+): Promise<ValidateResponse> {
+  const label = binding.validateCallback!.name;
+  Log.info(actionMetadata, `Processing validation action (${label})`);
+
+  const valResp: ValidateResponse = {
+    uid: peprValidateRequest.Request.uid,
+    allowed: true, // Assume it's allowed until a validation check fails
+  };
+
+  try {
+    // Run the validation callback, if it fails set allowed to false
+    const callbackResp = await binding.validateCallback!(peprValidateRequest);
+    valResp.allowed = callbackResp.allowed;
+
+    // If the validation callback returned a status code or message, set it in the Response
+    if (callbackResp.statusCode || callbackResp.statusMessage) {
+      valResp.status = {
+        code: callbackResp.statusCode || 400,
+        message: callbackResp.statusMessage || `Validation failed for ${name}`,
+      };
+    }
+
+    Log.info(actionMetadata, `Validation action complete (${label}): ${callbackResp.allowed ? "allowed" : "denied"}`);
+    return valResp;
+  } catch (e) {
+    // If any validation throws an error, note the failure in the Response
+    Log.error(actionMetadata, `Action failed: ${JSON.stringify(e)}`);
+    valResp.allowed = false;
+    valResp.status = {
+      code: 500,
+      message: `Action failed with error: ${JSON.stringify(e)}`,
+    };
+    return valResp;
+  }
+}
+
+export async function validateProcessor(
+  config: ModuleConfig,
+  capabilities: Capability[],
+  req: AdmissionRequest,
+  reqMetadata: Record<string, string>,
+): Promise<ValidateResponse[]> {
+  const wrapped = new PeprValidateRequest(req);
+  const response: ValidateResponse[] = [];
+
+  // If the resource is a secret, decode the data
+  const isSecret = req.kind.version === "v1" && req.kind.kind === "Secret";
+  if (isSecret) {
+    convertFromBase64Map(wrapped.Raw as unknown as kind.Secret);
+  }
+
+  Log.info(reqMetadata, `Processing validation request`);
+
+  for (const { name, bindings, namespaces } of capabilities) {
+    const actionMetadata = { ...reqMetadata, name };
+
+    for (const binding of bindings) {
+      // Skip this action if it's not a validation action
+      if (!binding.validateCallback) {
+        continue;
+      }
+
+      // Continue to the next action without doing anything if this one should be skipped
+      const shouldSkip = shouldSkipRequest(binding, req, namespaces, config?.alwaysIgnore?.namespaces);
+      if (shouldSkip !== "") {
+        Log.debug(shouldSkip);
+        continue;
+      }
+
+      const resp = await processRequest(binding, actionMetadata, wrapped);
+      response.push(resp);
+    }
+  }
+
+  return response;
+}

package/src/lib/{watch-processor.ts → processors/watch-processor.ts}

@@ -1,15 +1,15 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+import Log from "../telemetry/logger";
+import { Binding } from "../types";
+import { Capability } from "../core/capability";
+import { Event } from "../enums";
 import { K8s, KubernetesObject, WatchCfg, WatchEvent } from "kubernetes-fluent-client";
+import { Queue } from "../core/queue";
 import { WatchPhase } from "kubernetes-fluent-client/dist/fluent/types";
-import { Capability } from "./capability";
-import { filterNoMatchReason } from "./helpers";
-import { removeFinalizer } from "./finalizer";
-import Log from "./telemetry/logger";
-import { Queue } from "./queue";
-import { Binding } from "./types";
-import { Event } from "./enums";
-import { metricsCollector } from "./telemetry/metrics";
+import { filterNoMatchReason } from "../filter/filter";
+import { metricsCollector } from "../telemetry/metrics";
+import { removeFinalizer } from "../finalizer";
 
 // stores Queue instances
 const queues: Record<string, Queue<KubernetesObject>> = {};
@@ -20,7 +20,7 @@ const queues: Record<string, Queue<KubernetesObject>> = {};
  * @param obj The object to derive a key from
  * @returns The key to a Queue in the list of queues
  */
-export function queueKey(obj: KubernetesObject) {
+export function queueKey(obj: KubernetesObject): string {
   const options = ["kind", "kindNs", "kindNsName", "global"];
   const d3fault = "kind";
 
@@ -40,7 +40,7 @@ export function queueKey(obj: KubernetesObject) {
   return lookup[strat];
 }
 
-export function getOrCreateQueue(obj: KubernetesObject) {
+export function getOrCreateQueue(obj: KubernetesObject): Queue<KubernetesObject> {
   const key = queueKey(obj);
   if (!queues[key]) {
     queues[key] = new Queue<KubernetesObject>(key);
@@ -74,7 +74,7 @@ const eventToPhaseMap = {
  *
  * @param capabilities The capabilities to load watches for
  */
-export function setupWatch(capabilities: Capability[], ignoredNamespaces?: string[]) {
+export function setupWatch(capabilities: Capability[], ignoredNamespaces?: string[]): void {
   capabilities.map(capability =>
     capability.bindings
       .filter(binding => binding.isWatch)
@@ -88,14 +88,18 @@ export function setupWatch(capabilities: Capability[], ignoredNamespaces?: strin
  * @param binding the binding to watch
  * @param capabilityNamespaces list of namespaces to filter on
  */
-async function runBinding(binding: Binding, capabilityNamespaces: string[], ignoredNamespaces?: string[]) {
+async function runBinding(
+  binding: Binding,
+  capabilityNamespaces: string[],
+  ignoredNamespaces?: string[],
+): Promise<void> {
   // Get the phases to match, fallback to any
   const phaseMatch: WatchPhase[] = eventToPhaseMap[binding.event] || eventToPhaseMap[Event.ANY];
 
   // The watch callback is run when an object is received or dequeued
   Log.debug({ watchCfg }, "Effective WatchConfig");
 
-  const watchCallback = async (kubernetesObject: KubernetesObject, phase: WatchPhase) => {
+  const watchCallback = async (kubernetesObject: KubernetesObject, phase: WatchPhase): Promise<void> => {
     // First, filter the object based on the phase
     if (phaseMatch.includes(phase)) {
       try {
@@ -117,7 +121,7 @@ async function runBinding(binding: Binding, capabilityNamespaces: string[], igno
     }
   };
 
-  const handleFinalizerRemoval = async (kubernetesObject: KubernetesObject) => {
+  const handleFinalizerRemoval = async (kubernetesObject: KubernetesObject): Promise<void> => {
     if (!kubernetesObject.metadata?.deletionTimestamp) {
       return;
     }
@@ -191,7 +195,7 @@ async function runBinding(binding: Binding, capabilityNamespaces: string[], igno
   }
 }
 
-export function logEvent(event: WatchEvent, message: string = "", obj?: KubernetesObject) {
+export function logEvent(event: WatchEvent, message: string = "", obj?: KubernetesObject): void {
   const logMessage = `Watch event ${event} received${message ? `. ${message}.` : "."}`;
   if (obj) {
     Log.debug(obj, logMessage);

package/src/lib/telemetry/logger.ts

@@ -18,7 +18,9 @@ const pretty = {
 const transport = isPrettyLog ? pretty : undefined;
 // epochTime is the pino default
 const pinoTimeFunction =
-  process.env.PINO_TIME_STAMP === "iso" ? () => stdTimeFunctions.isoTime() : () => stdTimeFunctions.epochTime();
+  process.env.PINO_TIME_STAMP === "iso"
+    ? (): string => stdTimeFunctions.isoTime()
+    : (): string => stdTimeFunctions.epochTime();
 const Log = pino({
   transport,
   timestamp: pinoTimeFunction,

package/src/lib/tls.ts

@@ -62,7 +62,11 @@ export function genTLS(name: string): TLSOut {
   return { ca, key, crt, pem };
 }
 
-function genCert(key: forge.pki.rsa.KeyPair, name: string, issuer: forge.pki.CertificateField[]) {
+function genCert(
+  key: forge.pki.rsa.KeyPair,
+  name: string,
+  issuer: forge.pki.CertificateField[],
+): forge.pki.Certificate {
   const crt = forge.pki.createCertificate();
   crt.publicKey = key.publicKey;
   crt.serialNumber = "01";

package/src/lib/utils.ts

@@ -4,14 +4,14 @@
 import Log from "./telemetry/logger";
 
 /** Test if a string is ascii or not */
-export const isAscii = /^[\s\x20-\x7E]*$/;
+export const isAscii: RegExp = /^[\s\x20-\x7E]*$/;
 
 /**
  * Encode all ascii values in a map to base64
  * @param obj The object to encode
  * @param skip A list of keys to skip encoding
  */
-export function convertToBase64Map(obj: { data?: Record<string, string> }, skip: string[]) {
+export function convertToBase64Map(obj: { data?: Record<string, string> }, skip: string[]): void {
   obj.data = obj.data ?? {};
   for (const key in obj.data) {
     const value = obj.data[key];
@@ -25,7 +25,7 @@ export function convertToBase64Map(obj: { data?: Record<string, string> }, skip:
  * @param obj The object to decode
  * @returns A list of keys that were skipped
  */
-export function convertFromBase64Map(obj: { data?: Record<string, string> }) {
+export function convertFromBase64Map(obj: { data?: Record<string, string> }): string[] {
   const skip: string[] = [];
 
   obj.data = obj.data ?? {};
@@ -47,11 +47,11 @@ export function convertFromBase64Map(obj: { data?: Record<string, string> }) {
 }
 
 /** Decode a base64 string */
-export function base64Decode(data: string) {
+export function base64Decode(data: string): string {
   return Buffer.from(data, "base64").toString("utf-8");
 }
 
 /** Encode a string to base64 */
-export function base64Encode(data: string) {
+export function base64Encode(data: string): string {
   return Buffer.from(data).toString("base64");
 }

package/src/lib/validate-request.ts

@@ -23,7 +23,7 @@ export class PeprValidateRequest<T extends KubernetesObject> {
    * Provides access to the old resource in the request if available.
    * @returns The old Kubernetes resource object or null if not available.
    */
-  get OldResource() {
+  get OldResource(): KubernetesObject | undefined {
     return this.#input.oldObject;
   }
 
@@ -31,7 +31,7 @@ export class PeprValidateRequest<T extends KubernetesObject> {
    * Provides access to the request object.
    * @returns The request object containing the Kubernetes resource.
    */
-  get Request() {
+  get Request(): AdmissionRequest<KubernetesObject> {
     return this.#input;
   }
 
@@ -61,7 +61,7 @@ export class PeprValidateRequest<T extends KubernetesObject> {
    * @param key the label key to check
    * @returns
    */
-  HasLabel = (key: string) => {
+  HasLabel = (key: string): boolean => {
     return this.Raw.metadata?.labels?.[key] !== undefined;
   };
 
@@ -71,7 +71,7 @@ export class PeprValidateRequest<T extends KubernetesObject> {
    * @param key the annotation key to check
    * @returns
    */
-  HasAnnotation = (key: string) => {
+  HasAnnotation = (key: string): boolean => {
     return this.Raw.metadata?.annotations?.[key] !== undefined;
   };
 

package/src/lib.ts

@@ -1,9 +1,9 @@
 import { K8s, RegisterKind, kind as a, fetch, fetchStatus, kind } from "kubernetes-fluent-client";
 import * as R from "ramda";
 
-import { Capability } from "./lib/capability";
+import { Capability } from "./lib/core/capability";
 import Log from "./lib/telemetry/logger";
-import { PeprModule } from "./lib/module";
+import { PeprModule } from "./lib/core/module";
 import { PeprMutateRequest } from "./lib/mutate-request";
 import * as PeprUtils from "./lib/utils";
 import { PeprValidateRequest } from "./lib/validate-request";

package/src/runtime/controller.ts

@@ -14,7 +14,7 @@ import { peprStoreCRD } from "../lib/assets/store";
 import { validateHash } from "../lib/helpers";
 const { version } = packageJSON;
 
-function runModule(expectedHash: string) {
+function runModule(expectedHash: string): void {
   const gzPath = `/app/load/module-${expectedHash}.js.gz`;
   const jsPath = `/app/module-${expectedHash}.js`;
 
@@ -59,7 +59,7 @@ Log.info(`Pepr Controller (v${version})`);
 
 const hash = process.argv[2];
 
-const startup = async () => {
+const startup = async (): Promise<void> => {
   try {
     Log.info("Applying the Pepr Store CRD if it doesn't exist");
     await K8s(kind.CustomResourceDefinition).Apply(peprStoreCRD, { force: true });

package/src/sdk/cosign.ts

@@ -212,15 +212,15 @@ export async function verifyImage(
     url: `https://${X.iref.host}/v2/${X.iref.name}/manifests/${X.iref.tag}`,
   };
 
-  const supportsMediaType = async (url: string, mediaType: string) => {
+  const supportsMediaType = async (url: string, mediaType: string): Promise<boolean> => {
     return (await head(url, mediaType, { ca: tlsCrts }))["content-type"] === mediaType;
   };
 
-  const canOciV1Manifest = async (manifestUrl: string) => {
+  const canOciV1Manifest = async (manifestUrl: string): Promise<boolean> => {
     return supportsMediaType(manifestUrl, MediaTypeOciV1.Manifest);
   };
 
-  const canDockerV2Manifest = async (manifestUrl: string) => {
+  const canDockerV2Manifest = async (manifestUrl: string): Promise<boolean> => {
     return supportsMediaType(manifestUrl, MediaTypeDockerV2.Manifest);
   };
 
@@ -228,7 +228,7 @@ export async function verifyImage(
   const manifestResp =
     await canOciV1Manifest(X.manifest.url) ? await get(X.manifest.url, MediaTypeOciV1.Manifest, {ca: tlsCrts}) :
     await canDockerV2Manifest(X.manifest.url) ? await get(X.manifest.url, MediaTypeDockerV2.Manifest, {ca: tlsCrts}) :
-    (() => { throw "Can't pull image manifest with supported MediaType." })();
+    (():never => { throw "Can't pull image manifest with supported MediaType." })();
   X.manifest.content = manifestResp.body;
 
   X.manifest.digest = `sha256:${crypto

package/src/sdk/heredoc.ts

@@ -1,7 +1,7 @@
 // Refs:
 // - https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals#tagged_templates
 
-export function heredoc(strings: TemplateStringsArray, ...values: string[]) {
+export function heredoc(strings: TemplateStringsArray, ...values: string[]): string {
   // shuffle strings & expression values back together
   const zipped = strings
     .reduce((acc: string[], cur, idx) => {

package/dist/lib/capability.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"capability.d.ts","sourceRoot":"","sources":["../../src/lib/capability.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,gBAAgB,EAA2B,MAAM,0BAA0B,CAAC;AAInG,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC/C,OAAO,EAAc,QAAQ,EAAE,MAAM,YAAY,CAAC;AAElD,OAAO,EACL,OAAO,EAGP,aAAa,EACb,gBAAgB,EAQhB,YAAY,EACb,MAAM,SAAS,CAAC;AAMjB;;GAEG;AACH,qBAAa,UAAW,YAAW,gBAAgB;;IASjD,WAAW,EAAE,OAAO,CAAC;IAErB;;;;;OAKG;IACH,UAAU,EAAE,CAAC,QAAQ,EAAE,QAAQ,KAAK,IAAI,CAqBtC;IAEK,gBAAgB;IAIvB;;;;;;OAMG;IACH,KAAK,EAAE,SAAS,CASd;IAEF;;;;;;OAMG;IACH,aAAa,EAAE,SAAS,CAStB;IAEF,IAAI,QAAQ,cAEX;IAED,IAAI,IAAI,WAEP;IAED,IAAI,WAAW,WAEd;IAED,IAAI,UAAU,aAEb;gBAEW,GAAG,EAAE,aAAa;IAU9B;;OAEG;IACH,qBAAqB,QAAO,OAAO,CAWjC;IAEF;;;;OAIG;IACH,aAAa,QAAO,OAAO,CAWzB;IAEF;;;;;;;;OAQG;IACH,IAAI,4CAA6C,gBAAgB,qBAiO/D;CACH"}

package/dist/lib/module.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"module.d.ts","sourceRoot":"","sources":["../../src/lib/module.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAG1C,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,OAAO,CAAC;AACxE,OAAO,EAAoB,gBAAgB,EAAE,MAAM,SAAS,CAAC;AAG7D,OAAO,EAAE,YAAY,IAAI,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAErE,0CAA0C;AAC1C,MAAM,WAAW,YAAY;IAC3B,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACpC;AACD,iDAAiD;AACjD,MAAM,MAAM,YAAY,GAAG;IACzB,wCAAwC;IACxC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,6CAA6C;IAC7C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,yFAAyF;IACzF,IAAI,EAAE,MAAM,CAAC;IACb,yDAAyD;IACzD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,yBAAyB;IACzB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,sDAAsD;IACtD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,wEAAwE;IACxE,YAAY,EAAE,aAAa,CAAC;IAC5B,0DAA0D;IAC1D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,wDAAwD;IACxD,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,2CAA2C;IAC3C,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,wBAAwB;IACxB,IAAI,CAAC,EAAE,UAAU,EAAE,CAAC;IACpB,yFAAyF;IACzF,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,WAAW,GAAG;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,YAAY,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,iBAAiB,GAAG;IAC9B,UAAU,CAAC,EAAE,OAAO,CAAC;IAErB,qHAAqH;IACrH,UAAU,CAAC,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,IAAI,CAAC;IAE7C,6GAA6G;IAC7G,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,cAAc,GAAG,gBAAgB,KAAK,IAAI,CAAC;CAC9D,CAAC;AAGF,eAAO,MAAM,WAAW,eAA+C,CAAC;AAGxE,eAAO,MAAM,WAAW,eAA0C,CAAC;AAEnE,eAAO,MAAM,SAAS,eAAwC,CAAC;AAE/D,qBAAa,UAAU;;IAGrB;;;;;;OAMG;gBACS,EAAE,WAAW,EAAE,IAAI,EAAE,EAAE,WAAW,EAAE,YAAY,GAAE,UAAU,EAAO,EAAE,IAAI,GAAE,iBAAsB;IAsD7G;;;;;OAKG;IACH,KAAK,0BAEH;CACH"}

package/dist/lib/mutate-processor.d.ts

@@ -1,6 +0,0 @@
-import { Capability } from "./capability";
-import { MutateResponse } from "./k8s";
-import { AdmissionRequest } from "./types";
-import { ModuleConfig } from "./module";
-export declare function mutateProcessor(config: ModuleConfig, capabilities: Capability[], req: AdmissionRequest, reqMetadata: Record<string, string>): Promise<MutateResponse>;
-//# sourceMappingURL=mutate-processor.d.ts.map

package/dist/lib/mutate-processor.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"mutate-processor.d.ts","sourceRoot":"","sources":["../../src/lib/mutate-processor.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAG1C,OAAO,EAAE,cAAc,EAAE,MAAM,OAAO,CAAC;AACvC,OAAO,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC;AAE3C,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAIxC,wBAAsB,eAAe,CACnC,MAAM,EAAE,YAAY,EACpB,YAAY,EAAE,UAAU,EAAE,EAC1B,GAAG,EAAE,gBAAgB,EACrB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAClC,OAAO,CAAC,cAAc,CAAC,CAmIzB"}