pepr 0.42.0 → 0.42.2

package/src/cli/root.ts

@@ -5,7 +5,7 @@ import { Command } from "commander";
 
 export class RootCmd extends Command {
   // eslint-disable-next-line class-methods-use-this
-  createCommand(name: string) {
+  createCommand(name: string): Command {
     const cmd = new Command(name);
     return cmd;
   }

package/src/cli/update.ts

@@ -17,7 +17,7 @@ import {
 import { write } from "./init/utils";
 import { RootCmd } from "./root";
 
-export default function (program: RootCmd) {
+export default function (program: RootCmd): void {
   program
     .command("update")
     .description("Update this Pepr module. Not recommended for prod as it may change files.")

package/src/cli/uuid.ts

@@ -5,7 +5,7 @@ import { KubernetesListObject } from "@kubernetes/client-node";
 import { K8s, kind } from "kubernetes-fluent-client";
 import { RootCmd } from "./root";
 
-export default function (program: RootCmd) {
+export default function (program: RootCmd): void {
   program
     .command("uuid [uuid]")
     .description("Module UUID(s) currently deployed in the cluster")

package/src/fixtures/loader.ts

@@ -14,11 +14,11 @@ export function AdmissionRequestCreatePod() {
   return cloneObject<kind.Pod>(admissionRequestCreatePod);
 }
 
-export function AdmissionRequestDeletePod() {
+export function AdmissionRequestDeletePod(): AdmissionRequest<kind.Pod> {
   return cloneObject<kind.Pod>(admissionRequestDeletePod);
 }
 
-export function AdmissionRequestCreateClusterRole() {
+export function AdmissionRequestCreateClusterRole(): AdmissionRequest<kind.ClusterRole> {
   return cloneObject<kind.ClusterRole>(admissionRequestCreateClusterRole);
 }
 

package/src/lib/assets/deploy.ts

@@ -9,17 +9,17 @@ import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
 import { Assets } from ".";
 import Log from "../telemetry/logger";
 import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking";
-import { deployment, moduleSecret, namespace, watcher } from "./pods";
+import { getDeployment, getModuleSecret, getNamespace, getWatcher } from "./pods";
 import { clusterRole, clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";
 import { peprStoreCRD } from "./store";
 import { webhookConfig } from "./webhooks";
 import { CapabilityExport, ImagePullSecret } from "../types";
 
-export async function deployImagePullSecret(imagePullSecret: ImagePullSecret, name: string) {
+export async function deployImagePullSecret(imagePullSecret: ImagePullSecret, name: string): Promise<void> {
   try {
     await K8s(kind.Namespace).Get("pepr-system");
   } catch {
-    await K8s(kind.Namespace).Apply(namespace());
+    await K8s(kind.Namespace).Apply(getNamespace());
   }
 
   try {
@@ -42,13 +42,13 @@ export async function deployImagePullSecret(imagePullSecret: ImagePullSecret, na
     Log.error(e);
   }
 }
-export async function deploy(assets: Assets, force: boolean, webhookTimeout?: number) {
+export async function deploy(assets: Assets, force: boolean, webhookTimeout?: number): Promise<void> {
   Log.info("Establishing connection to Kubernetes");
 
   const { name, host, path } = assets;
 
   Log.info("Applying pepr-system namespace");
-  await K8s(kind.Namespace).Apply(namespace(assets.config.customLabels?.namespace));
+  await K8s(kind.Namespace).Apply(getNamespace(assets.config.customLabels?.namespace));
 
   // Create the mutating webhook configuration if it is needed
   const mutateWebhook = await webhookConfig(assets, "mutate", webhookTimeout);
@@ -95,7 +95,7 @@ async function setupRBAC(
   capabilities: CapabilityExport[],
   force: boolean,
   config: { rbacMode?: string; rbac?: PolicyRule[] },
-) {
+): Promise<void> {
   const { rbacMode, rbac } = config;
 
   Log.info("Applying cluster role binding");
@@ -119,11 +119,11 @@ async function setupRBAC(
   await K8s(kind.RoleBinding).Apply(roleBinding, { force });
 }
 
-async function setupController(assets: Assets, code: Buffer, hash: string, force: boolean) {
+async function setupController(assets: Assets, code: Buffer, hash: string, force: boolean): Promise<void> {
   const { name } = assets;
 
   Log.info("Applying module secret");
-  const mod = moduleSecret(name, code, hash);
+  const mod = getModuleSecret(name, code, hash);
   await K8s(kind.Secret).Apply(mod, { force });
 
   Log.info("Applying controller service");
@@ -139,14 +139,14 @@ async function setupController(assets: Assets, code: Buffer, hash: string, force
   await K8s(kind.Secret).Apply(apiToken, { force });
 
   Log.info("Applying deployment");
-  const dep = deployment(assets, hash, assets.buildTimestamp);
+  const dep = getDeployment(assets, hash, assets.buildTimestamp);
   await K8s(kind.Deployment).Apply(dep, { force });
 }
 
 // Setup the watcher deployment and service
-async function setupWatcher(assets: Assets, hash: string, force: boolean) {
+async function setupWatcher(assets: Assets, hash: string, force: boolean): Promise<void> {
   // If the module has a watcher, deploy it
-  const watchDeployment = watcher(assets, hash, assets.buildTimestamp);
+  const watchDeployment = getWatcher(assets, hash, assets.buildTimestamp);
   if (watchDeployment) {
     Log.info("Applying watcher deployment");
     await K8s(kind.Deployment).Apply(watchDeployment, { force });

package/src/lib/assets/destroy.ts

@@ -6,7 +6,7 @@ import { K8s, kind } from "kubernetes-fluent-client";
 import Log from "../telemetry/logger";
 import { peprStoreCRD } from "./store";
 
-export async function destroyModule(name: string) {
+export async function destroyModule(name: string): Promise<void> {
   const namespace = "pepr-system";
 
   Log.info("Destroying Pepr module");

package/src/lib/assets/helm.ts

@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-export function clusterRoleTemplate() {
+export function clusterRoleTemplate(): string {
   return `
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRole
@@ -15,7 +15,7 @@ export function clusterRoleTemplate() {
   `;
 }
 
-export function nsTemplate() {
+export function namespaceTemplate(): string {
   return `
     apiVersion: v1
     kind: Namespace
@@ -32,7 +32,7 @@ export function nsTemplate() {
     `;
 }
 
-export function chartYaml(name: string, description?: string) {
+export function chartYaml(name: string, description?: string): string {
   return `
     apiVersion: v2
     name: ${name}
@@ -61,7 +61,7 @@ export function chartYaml(name: string, description?: string) {
 `;
 }
 
-export function watcherDeployTemplate(buildTimestamp: string) {
+export function watcherDeployTemplate(buildTimestamp: string): string {
   return `
       apiVersion: apps/v1
       kind: Deployment
@@ -142,7 +142,7 @@ export function watcherDeployTemplate(buildTimestamp: string) {
     `;
 }
 
-export function admissionDeployTemplate(buildTimestamp: string) {
+export function admissionDeployTemplate(buildTimestamp: string): string {
   return `
       apiVersion: apps/v1
       kind: Deployment
@@ -228,7 +228,7 @@ export function admissionDeployTemplate(buildTimestamp: string) {
     `;
 }
 
-export function serviceMonitorTemplate(name: string) {
+export function serviceMonitorTemplate(name: string): string {
   return `
       {{- if .Values.${name}.serviceMonitor.enabled }}
       apiVersion: monitoring.coreos.com/v1

package/src/lib/assets/index.ts

@@ -4,7 +4,7 @@
 import crypto from "crypto";
 import { dumpYaml } from "@kubernetes/client-node";
 import { kind } from "kubernetes-fluent-client";
-import { ModuleConfig } from "../module";
+import { ModuleConfig } from "../core/module";
 import { TLSOut, genTLS } from "../tls";
 import { CapabilityExport } from "../types";
 import { WebhookIgnore } from "../k8s";
@@ -16,7 +16,7 @@ import { dedent } from "../helpers";
 import { resolve } from "path";
 import {
   chartYaml,
-  nsTemplate,
+  namespaceTemplate,
   admissionDeployTemplate,
   watcherDeployTemplate,
   clusterRoleTemplate,
@@ -25,7 +25,7 @@ import {
 import { promises as fs } from "fs";
 import { webhookConfig } from "./webhooks";
 import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking";
-import { watcher, moduleSecret } from "./pods";
+import { getWatcher, getModuleSecret } from "./pods";
 
 import { clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";
 import { createDirectoryIfNotExists } from "../filesystemService";
@@ -51,7 +51,7 @@ function createWebhookYaml(
   );
 }
 
-function helmLayout(basePath: string, unique: string) {
+function helmLayout(basePath: string, unique: string): Record<string, Record<string, string>> {
   const helm: Record<string, Record<string, string>> = {
     dirs: {
       chart: resolve(`${basePath}/${unique}-chart`),
@@ -119,20 +119,20 @@ export class Assets {
     this.apiToken = crypto.randomBytes(32).toString("hex");
   }
 
-  setHash = (hash: string) => {
+  setHash = (hash: string): void => {
     this.hash = hash;
   };
 
-  deploy = async (force: boolean, webhookTimeout?: number) => {
+  deploy = async (force: boolean, webhookTimeout?: number): Promise<void> => {
     this.capabilities = await loadCapabilities(this.path);
     await deploy(this, force, webhookTimeout);
   };
 
-  zarfYaml = (path: string) => zarfYaml(this, path);
+  zarfYaml = (path: string): string => zarfYaml(this, path);
 
-  zarfYamlChart = (path: string) => zarfYamlChart(this, path);
+  zarfYamlChart = (path: string): string => zarfYamlChart(this, path);
 
-  allYaml = async (imagePullSecret?: string) => {
+  allYaml = async (imagePullSecret?: string): Promise<string> => {
     this.capabilities = await loadCapabilities(this.path);
     // give error if namespaces are not respected
     for (const capability of this.capabilities) {
@@ -143,7 +143,7 @@ export class Assets {
   };
 
   /* eslint max-statements: ["warn", 21] */
-  generateHelmChart = async (basePath: string) => {
+  generateHelmChart = async (basePath: string): Promise<void> => {
     const helm = helmLayout(basePath, this.config.uuid);
 
     try {
@@ -156,18 +156,18 @@ export class Assets {
       const code = await fs.readFile(this.path);
 
       const pairs: [string, () => string][] = [
-        [helm.files.chartYaml, () => dedent(chartYaml(this.config.uuid, this.config.description || ""))],
-        [helm.files.namespaceYaml, () => dedent(nsTemplate())],
-        [helm.files.watcherServiceYaml, () => toYaml(watcherService(this.name))],
-        [helm.files.admissionServiceYaml, () => toYaml(service(this.name))],
-        [helm.files.tlsSecretYaml, () => toYaml(tlsSecret(this.name, this.tls))],
-        [helm.files.apiTokenSecretYaml, () => toYaml(apiTokenSecret(this.name, this.apiToken))],
-        [helm.files.storeRoleYaml, () => toYaml(storeRole(this.name))],
-        [helm.files.storeRoleBindingYaml, () => toYaml(storeRoleBinding(this.name))],
-        [helm.files.clusterRoleYaml, () => dedent(clusterRoleTemplate())],
-        [helm.files.clusterRoleBindingYaml, () => toYaml(clusterRoleBinding(this.name))],
-        [helm.files.serviceAccountYaml, () => toYaml(serviceAccount(this.name))],
-        [helm.files.moduleSecretYaml, () => toYaml(moduleSecret(this.name, code, this.hash))],
+        [helm.files.chartYaml, (): string => dedent(chartYaml(this.config.uuid, this.config.description || ""))],
+        [helm.files.namespaceYaml, (): string => dedent(namespaceTemplate())],
+        [helm.files.watcherServiceYaml, (): string => toYaml(watcherService(this.name))],
+        [helm.files.admissionServiceYaml, (): string => toYaml(service(this.name))],
+        [helm.files.tlsSecretYaml, (): string => toYaml(tlsSecret(this.name, this.tls))],
+        [helm.files.apiTokenSecretYaml, (): string => toYaml(apiTokenSecret(this.name, this.apiToken))],
+        [helm.files.storeRoleYaml, (): string => toYaml(storeRole(this.name))],
+        [helm.files.storeRoleBindingYaml, (): string => toYaml(storeRoleBinding(this.name))],
+        [helm.files.clusterRoleYaml, (): string => dedent(clusterRoleTemplate())],
+        [helm.files.clusterRoleBindingYaml, (): string => toYaml(clusterRoleBinding(this.name))],
+        [helm.files.serviceAccountYaml, (): string => toYaml(serviceAccount(this.name))],
+        [helm.files.moduleSecretYaml, (): string => toYaml(getModuleSecret(this.name, code, this.hash))],
       ];
       await Promise.all(pairs.map(async ([file, content]) => await fs.writeFile(file, content())));
 
@@ -191,7 +191,7 @@ export class Assets {
         await fs.writeFile(helm.files.validationWebhookYaml, createWebhookYaml(this, validateWebhook));
       }
 
-      const watchDeployment = watcher(this, this.hash, this.buildTimestamp);
+      const watchDeployment = getWatcher(this, this.hash, this.buildTimestamp);
       if (watchDeployment) {
         await fs.writeFile(helm.files.watcherDeploymentYaml, dedent(watcherDeployTemplate(this.buildTimestamp)));
         await fs.writeFile(helm.files.watcherServiceMonitorYaml, dedent(serviceMonitorTemplate("watcher")));

package/src/lib/assets/pods.ts

@@ -1,16 +1,16 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-import { V1EnvVar } from "@kubernetes/client-node";
+import { KubernetesObject, V1EnvVar } from "@kubernetes/client-node";
 import { kind } from "kubernetes-fluent-client";
 import { gzipSync } from "zlib";
 import { secretOverLimit } from "../helpers";
 import { Assets } from ".";
-import { ModuleConfig } from "../module";
+import { ModuleConfig } from "../core/module";
 import { Binding } from "../types";
 
 /** Generate the pepr-system namespace */
-export function namespace(namespaceLabels?: Record<string, string>) {
+export function getNamespace(namespaceLabels?: Record<string, string>): KubernetesObject {
   if (namespaceLabels) {
     return {
       apiVersion: "v1",
@@ -31,7 +31,12 @@ export function namespace(namespaceLabels?: Record<string, string>) {
   }
 }
 
-export function watcher(assets: Assets, hash: string, buildTimestamp: string, imagePullSecret?: string) {
+export function getWatcher(
+  assets: Assets,
+  hash: string,
+  buildTimestamp: string,
+  imagePullSecret?: string,
+): kind.Deployment | null {
   const { name, image, capabilities, config } = assets;
 
   let hasSchedule = false;
@@ -186,7 +191,7 @@ export function watcher(assets: Assets, hash: string, buildTimestamp: string, im
   return deploy;
 }
 
-export function deployment(
+export function getDeployment(
   assets: Assets,
   hash: string,
   buildTimestamp: string,
@@ -336,7 +341,7 @@ export function deployment(
   return deploy;
 }
 
-export function moduleSecret(name: string, data: Buffer, hash: string): kind.Secret {
+export function getModuleSecret(name: string, data: Buffer, hash: string): kind.Secret {
   // Compress the data
   const compressed = gzipSync(data);
   const path = `module-${hash}.js.gz`;

package/src/lib/assets/webhooks.ts

@@ -11,6 +11,7 @@ import { concat, equals, uniqWith } from "ramda";
 
 import { Assets } from ".";
 import { Event } from "../enums";
+import { Binding } from "../types";
 
 const peprIgnoreLabel: V1LabelSelectorRequirement = {
   key: "pepr.dev",
@@ -20,57 +21,41 @@ const peprIgnoreLabel: V1LabelSelectorRequirement = {
 
 const peprIgnoreNamespaces: string[] = ["kube-system", "pepr-system"];
 
-export async function generateWebhookRules(assets: Assets, isMutateWebhook: boolean) {
+const validateRule = (binding: Binding, isMutateWebhook: boolean): V1RuleWithOperations | undefined => {
+  const { event, kind, isMutate, isValidate } = binding;
+
+  // Skip invalid bindings based on webhook type
+  if ((isMutateWebhook && !isMutate) || (!isMutateWebhook && !isValidate)) {
+    return undefined;
+  }
+
+  // Translate event to operations
+  const operations = event === Event.CREATE_OR_UPDATE ? [Event.CREATE, Event.UPDATE] : [event];
+
+  // Use the plural property if it exists, otherwise use lowercase kind + s
+  const resource = kind.plural || `${kind.kind.toLowerCase()}s`;
+
+  const ruleObject: V1RuleWithOperations = {
+    apiGroups: [kind.group],
+    apiVersions: [kind.version || "*"],
+    operations,
+    resources: [resource, ...(resource === "pods" ? ["pods/ephemeralcontainers"] : [])],
+  };
+
+  return ruleObject;
+};
+
+export async function generateWebhookRules(assets: Assets, isMutateWebhook: boolean): Promise<V1RuleWithOperations[]> {
   const { config, capabilities } = assets;
-  const rules: V1RuleWithOperations[] = [];
 
-  // Iterate through the capabilities and generate the rules
-  for (const capability of capabilities) {
+  const rules = capabilities.flatMap(capability => {
     console.info(`Module ${config.uuid} has capability: ${capability.name}`);
 
-    // Read the bindings and generate the rules
-    for (const binding of capability.bindings) {
-      const { event, kind, isMutate, isValidate } = binding;
-
-      // If the module doesn't have a callback for the event, skip it
-      if (isMutateWebhook && !isMutate) {
-        continue;
-      }
-
-      if (!isMutateWebhook && !isValidate) {
-        continue;
-      }
-
-      const operations: string[] = [];
-
-      // CreateOrUpdate is a Pepr-specific event that is translated to Create and Update
-      if (event === Event.CREATE_OR_UPDATE) {
-        operations.push(Event.CREATE, Event.UPDATE);
-      } else {
-        operations.push(event);
-      }
-
-      // Use the plural property if it exists, otherwise use lowercase kind + s
-      const resource = kind.plural || `${kind.kind.toLowerCase()}s`;
-
-      const ruleObject = {
-        apiGroups: [kind.group],
-        apiVersions: [kind.version || "*"],
-        operations,
-        resources: [resource],
-      };
-
-      // If the resource is pods, add ephemeralcontainers as well
-      if (resource === "pods") {
-        ruleObject.resources.push("pods/ephemeralcontainers");
-      }
-
-      // Add the rule to the rules array
-      rules.push(ruleObject);
-    }
-  }
+    return capability.bindings
+      .map(binding => validateRule(binding, isMutateWebhook))
+      .filter((rule): rule is V1RuleWithOperations => !!rule);
+  });
 
-  // Return the rules with duplicates removed
   return uniqWith(equals, rules);
 }
 

package/src/lib/assets/yaml.ts

@@ -6,13 +6,16 @@ import crypto from "crypto";
 import { promises as fs } from "fs";
 import { Assets } from ".";
 import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking";
-import { deployment, moduleSecret, namespace, watcher } from "./pods";
+import { getDeployment, getModuleSecret, getNamespace, getWatcher } from "./pods";
 import { clusterRole, clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";
 import { webhookConfig } from "./webhooks";
 import { genEnv } from "./pods";
 
 // Helm Chart overrides file (values.yaml) generated from assets
-export async function overridesFile({ hash, name, image, config, apiToken, capabilities }: Assets, path: string) {
+export async function overridesFile(
+  { hash, name, image, config, apiToken, capabilities }: Assets,
+  path: string,
+): Promise<void> {
   const rbacOverrides = clusterRole(name, capabilities, config.rbacMode, config.rbac).rules;
 
   const overrides = {
@@ -166,7 +169,7 @@ export async function overridesFile({ hash, name, image, config, apiToken, capab
 
   await fs.writeFile(path, dumpYaml(overrides, { noRefs: true, forceQuotes: true }));
 }
-export function zarfYaml({ name, image, config }: Assets, path: string) {
+export function zarfYaml({ name, image, config }: Assets, path: string): string {
   const zarfCfg = {
     kind: "ZarfPackageConfig",
     metadata: {
@@ -194,7 +197,7 @@ export function zarfYaml({ name, image, config }: Assets, path: string) {
   return dumpYaml(zarfCfg, { noRefs: true });
 }
 
-export function zarfYamlChart({ name, image, config }: Assets, path: string) {
+export function zarfYamlChart({ name, image, config }: Assets, path: string): string {
   const zarfCfg = {
     kind: "ZarfPackageConfig",
     metadata: {
@@ -223,7 +226,7 @@ export function zarfYamlChart({ name, image, config }: Assets, path: string) {
   return dumpYaml(zarfCfg, { noRefs: true });
 }
 
-export async function allYaml(assets: Assets, imagePullSecret?: string) {
+export async function allYaml(assets: Assets, imagePullSecret?: string): Promise<string> {
   const { name, tls, apiToken, path, config } = assets;
   const code = await fs.readFile(path);
 
@@ -232,19 +235,19 @@ export async function allYaml(assets: Assets, imagePullSecret?: string) {
 
   const mutateWebhook = await webhookConfig(assets, "mutate", assets.config.webhookTimeout);
   const validateWebhook = await webhookConfig(assets, "validate", assets.config.webhookTimeout);
-  const watchDeployment = watcher(assets, assets.hash, assets.buildTimestamp, imagePullSecret);
+  const watchDeployment = getWatcher(assets, assets.hash, assets.buildTimestamp, imagePullSecret);
 
   const resources = [
-    namespace(assets.config.customLabels?.namespace),
+    getNamespace(assets.config.customLabels?.namespace),
     clusterRole(name, assets.capabilities, config.rbacMode, config.rbac),
     clusterRoleBinding(name),
     serviceAccount(name),
     apiTokenSecret(name, apiToken),
     tlsSecret(name, tls),
-    deployment(assets, assets.hash, assets.buildTimestamp, imagePullSecret),
+    getDeployment(assets, assets.hash, assets.buildTimestamp, imagePullSecret),
     service(name),
     watcherService(name),
-    moduleSecret(name, code, assets.hash),
+    getModuleSecret(name, code, assets.hash),
     storeRole(name),
     storeRoleBinding(name),
   ];

package/src/lib/controller/index.ts

@@ -5,13 +5,13 @@ import express, { NextFunction } from "express";
 import fs from "fs";
 import https from "https";
 
-import { Capability } from "../capability";
+import { Capability } from "../core/capability";
 import { MutateResponse, ValidateResponse } from "../k8s";
 import Log from "../telemetry/logger";
 import { metricsCollector, MetricsCollector } from "../telemetry/metrics";
-import { ModuleConfig, isWatchMode } from "../module";
-import { mutateProcessor } from "../mutate-processor";
-import { validateProcessor } from "../validate-processor";
+import { ModuleConfig, isWatchMode } from "../core/module";
+import { mutateProcessor } from "../processors/mutate-processor";
+import { validateProcessor } from "../processors/validate-processor";
 import { StoreController } from "./store";
 import { AdmissionRequest } from "../types";
 import { karForMutate, karForValidate, KubeAdmissionReview } from "./index.util";
@@ -78,7 +78,7 @@ export class Controller {
   }
 
   /** Start the webhook server */
-  startServer = (port: number) => {
+  startServer = (port: number): void => {
     if (this.#running) {
       throw new Error("Cannot start Pepr module: Pepr module was not instantiated with deferStart=true");
     }
@@ -133,7 +133,7 @@ export class Controller {
     });
   };
 
-  #bindEndpoints = () => {
+  #bindEndpoints = (): void => {
     // Health check endpoint
     this.#app.get("/healthz", Controller.#healthz);
 
@@ -162,7 +162,7 @@ export class Controller {
    * @param next The next middleware function
    * @returns
    */
-  #validateToken = (req: express.Request, res: express.Response, next: NextFunction) => {
+  #validateToken = (req: express.Request, res: express.Response, next: NextFunction): void => {
     // Validate the token
     const { token } = req.params;
     if (token !== this.#token) {
@@ -183,7 +183,7 @@ export class Controller {
    * @param req the incoming request
    * @param res the outgoing response
    */
-  #metrics = async (req: express.Request, res: express.Response) => {
+  #metrics = async (req: express.Request, res: express.Response): Promise<void> => {
     try {
       // https://github.com/prometheus/docs/blob/main/content/docs/instrumenting/exposition_formats.md#basic-info
       res.set("Content-Type", "text/plain; version=0.0.4");
@@ -200,7 +200,9 @@ export class Controller {
    * @param admissionKind the type of admission request
    * @returns the request handler
    */
-  #admissionReq = (admissionKind: "Mutate" | "Validate") => {
+  #admissionReq = (
+    admissionKind: "Mutate" | "Validate",
+  ): ((req: express.Request, res: express.Response) => Promise<void>) => {
     // Create the admission request handler
     return async (req: express.Request, res: express.Response) => {
       // Start the metrics timer
@@ -259,7 +261,7 @@ export class Controller {
    * @param res the outgoing response
    * @param next the next middleware function
    */
-  static #logger(req: express.Request, res: express.Response, next: express.NextFunction) {
+  static #logger(req: express.Request, res: express.Response, next: express.NextFunction): void {
     const startTime = Date.now();
 
     res.on("finish", () => {
@@ -288,7 +290,7 @@ export class Controller {
    * @param req the incoming request
    * @param res the outgoing response
    */
-  static #healthz(req: express.Request, res: express.Response) {
+  static #healthz(req: express.Request, res: express.Response): void {
     try {
       res.send("OK");
     } catch (err) {