pepr 0.42.1 → 0.42.2

package/src/lib/processors/mutate-processor.ts

@@ -0,0 +1,225 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import jsonPatch from "fast-json-patch";
+import { kind, KubernetesObject } from "kubernetes-fluent-client";
+import { clone } from "ramda";
+
+import { Capability } from "../core/capability";
+import { shouldSkipRequest } from "../filter/filter";
+import { MutateResponse } from "../k8s";
+import { AdmissionRequest, Binding } from "../types";
+import Log from "../telemetry/logger";
+import { ModuleConfig } from "../core/module";
+import { PeprMutateRequest } from "../mutate-request";
+import { base64Encode, convertFromBase64Map, convertToBase64Map } from "../utils";
+import { OnError } from "../../cli/init/enums";
+
+export interface Bindable {
+  req: AdmissionRequest;
+  config: ModuleConfig;
+  name: string;
+  namespaces: string[];
+  binding: Binding;
+  actMeta: Record<string, string>;
+}
+
+export interface Result {
+  wrapped: PeprMutateRequest<KubernetesObject>;
+  response: MutateResponse;
+}
+
+// Add annotations to the request to indicate that the capability started processing
+// this will allow tracking of failed mutations that were permitted to continue
+export function updateStatus(
+  config: ModuleConfig,
+  name: string,
+  wrapped: PeprMutateRequest<KubernetesObject>,
+  status: string,
+): PeprMutateRequest<KubernetesObject> {
+  // Only update the status if the request is a CREATE or UPDATE (we don't use CONNECT)
+  if (wrapped.Request.operation === "DELETE") {
+    return wrapped;
+  }
+  wrapped.SetAnnotation(`${config.uuid}.pepr.dev/${name}`, status);
+
+  return wrapped;
+}
+
+export function logMutateErrorMessage(e: Error): string {
+  try {
+    if (e.message && e.message !== "[object Object]") {
+      return e.message;
+    } else {
+      throw new Error("An error occurred in the mutate action.");
+    }
+  } catch (e) {
+    return "An error occurred with the mutate action.";
+  }
+}
+
+export function decodeData(wrapped: PeprMutateRequest<KubernetesObject>): {
+  skipped: string[];
+  wrapped: PeprMutateRequest<KubernetesObject>;
+} {
+  let skipped: string[] = [];
+
+  const isSecret = wrapped.Request.kind.version === "v1" && wrapped.Request.kind.kind === "Secret";
+  if (isSecret) {
+    // convertFromBase64Map modifies it's arg rather than returing a mod'ed copy (ye olde side-effect special, blerg)
+    skipped = convertFromBase64Map(wrapped.Raw as unknown as kind.Secret);
+  }
+
+  return { skipped, wrapped };
+}
+
+export function reencodeData(wrapped: PeprMutateRequest<KubernetesObject>, skipped: string[]): KubernetesObject {
+  const transformed = clone(wrapped.Raw);
+
+  const isSecret = wrapped.Request.kind.version === "v1" && wrapped.Request.kind.kind === "Secret";
+  if (isSecret) {
+    // convertToBase64Map modifies it's arg rather than returing a mod'ed copy (ye olde side-effect special, blerg)
+    convertToBase64Map(transformed as unknown as kind.Secret, skipped);
+  }
+
+  return transformed;
+}
+
+export async function processRequest(
+  bindable: Bindable,
+  wrapped: PeprMutateRequest<KubernetesObject>,
+  response: MutateResponse,
+): Promise<Result> {
+  const { binding, actMeta, name, config } = bindable;
+
+  const label = binding.mutateCallback!.name;
+  Log.info(actMeta, `Processing mutation action (${label})`);
+
+  wrapped = updateStatus(config, name, wrapped, "started");
+
+  try {
+    // Run the action
+    await binding.mutateCallback!(wrapped);
+
+    // Log on success
+    Log.info(actMeta, `Mutation action succeeded (${label})`);
+
+    // Add annotations to the request to indicate that the capability succeeded
+    wrapped = updateStatus(config, name, wrapped, "succeeded");
+  } catch (e) {
+    wrapped = updateStatus(config, name, wrapped, "warning");
+    response.warnings = response.warnings || [];
+
+    const errorMessage = logMutateErrorMessage(e);
+
+    // Log on failure
+    Log.error(actMeta, `Action failed: ${errorMessage}`);
+    response.warnings.push(`Action failed: ${errorMessage}`);
+
+    switch (config.onError) {
+      case OnError.REJECT:
+        response.result = "Pepr module configured to reject on error";
+        break;
+
+      case OnError.AUDIT:
+        response.auditAnnotations = response.auditAnnotations || {};
+        response.auditAnnotations[Date.now()] = `Action failed: ${errorMessage}`;
+        break;
+    }
+  }
+
+  return { wrapped, response };
+}
+
+/* eslint max-statements: ["warn", 25] */
+export async function mutateProcessor(
+  config: ModuleConfig,
+  capabilities: Capability[],
+  req: AdmissionRequest,
+  reqMetadata: Record<string, string>,
+): Promise<MutateResponse> {
+  let response: MutateResponse = {
+    uid: req.uid,
+    warnings: [],
+    allowed: false,
+  };
+
+  const decoded = decodeData(new PeprMutateRequest(req));
+  let wrapped = decoded.wrapped;
+
+  Log.info(reqMetadata, `Processing request`);
+
+  let bindables: Bindable[] = capabilities.flatMap(capa =>
+    capa.bindings.map(bind => ({
+      req,
+      config,
+      name: capa.name,
+      namespaces: capa.namespaces,
+      binding: bind,
+      actMeta: { ...reqMetadata, name: capa.name },
+    })),
+  );
+
+  bindables = bindables.filter(bind => {
+    if (!bind.binding.mutateCallback) {
+      return false;
+    }
+
+    const shouldSkip = shouldSkipRequest(
+      bind.binding,
+      bind.req,
+      bind.namespaces,
+      bind.config?.alwaysIgnore?.namespaces,
+    );
+    if (shouldSkip !== "") {
+      Log.debug(shouldSkip);
+      return false;
+    }
+
+    return true;
+  });
+
+  for (const bindable of bindables) {
+    ({ wrapped, response } = await processRequest(bindable, wrapped, response));
+    if (config.onError === OnError.REJECT && response?.warnings!.length > 0) {
+      return response;
+    }
+  }
+
+  // If we've made it this far, the request is allowed
+  response.allowed = true;
+
+  // If no capability matched the request, exit early
+  if (bindables.length === 0) {
+    Log.info(reqMetadata, `No matching actions found`);
+    return response;
+  }
+
+  // delete operations can't be mutate, just return before the transformation
+  if (req.operation === "DELETE") {
+    return response;
+  }
+
+  // unskip base64-encoded data fields that were skipDecode'd
+  const transformed = reencodeData(wrapped, decoded.skipped);
+
+  // Compare the original request to the modified request to get the patches
+  const patches = jsonPatch.compare(req.object, transformed);
+
+  // Only add the patch if there are patches to apply
+  if (patches.length > 0) {
+    response.patchType = "JSONPatch";
+    // Webhook must be base64-encoded
+    // https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#response
+    response.patch = base64Encode(JSON.stringify(patches));
+  }
+
+  // Remove the warnings array if it's empty
+  if (response.warnings && response.warnings.length < 1) {
+    delete response.warnings;
+  }
+
+  Log.debug({ ...reqMetadata, patches }, `Patches generated`);
+
+  return response;
+}

package/src/lib/{validate-processor.ts → processors/validate-processor.ts}

@@ -2,14 +2,14 @@
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
 import { kind, KubernetesObject } from "kubernetes-fluent-client";
-import { Capability } from "./capability";
-import { shouldSkipRequest } from "./filter/filter";
-import { ValidateResponse } from "./k8s";
-import { AdmissionRequest, Binding } from "./types";
-import Log from "./telemetry/logger";
-import { convertFromBase64Map } from "./utils";
-import { PeprValidateRequest } from "./validate-request";
-import { ModuleConfig } from "./module";
+import { Capability } from "../core/capability";
+import { shouldSkipRequest } from "../filter/filter";
+import { ValidateResponse } from "../k8s";
+import { AdmissionRequest, Binding } from "../types";
+import Log from "../telemetry/logger";
+import { convertFromBase64Map } from "../utils";
+import { PeprValidateRequest } from "../validate-request";
+import { ModuleConfig } from "../core/module";
 
 export async function processRequest(
   binding: Binding,

package/src/lib/{watch-processor.ts → processors/watch-processor.ts}

@@ -1,15 +1,15 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+import Log from "../telemetry/logger";
+import { Binding } from "../types";
+import { Capability } from "../core/capability";
+import { Event } from "../enums";
 import { K8s, KubernetesObject, WatchCfg, WatchEvent } from "kubernetes-fluent-client";
+import { Queue } from "../core/queue";
 import { WatchPhase } from "kubernetes-fluent-client/dist/fluent/types";
-import { Capability } from "./capability";
-import { filterNoMatchReason } from "./helpers";
-import { removeFinalizer } from "./finalizer";
-import Log from "./telemetry/logger";
-import { Queue } from "./queue";
-import { Binding } from "./types";
-import { Event } from "./enums";
-import { metricsCollector } from "./telemetry/metrics";
+import { filterNoMatchReason } from "../filter/filter";
+import { metricsCollector } from "../telemetry/metrics";
+import { removeFinalizer } from "../finalizer";
 
 // stores Queue instances
 const queues: Record<string, Queue<KubernetesObject>> = {};

package/src/lib/telemetry/logger.ts

@@ -18,7 +18,9 @@ const pretty = {
 const transport = isPrettyLog ? pretty : undefined;
 // epochTime is the pino default
 const pinoTimeFunction =
-  process.env.PINO_TIME_STAMP === "iso" ? () => stdTimeFunctions.isoTime() : () => stdTimeFunctions.epochTime();
+  process.env.PINO_TIME_STAMP === "iso"
+    ? (): string => stdTimeFunctions.isoTime()
+    : (): string => stdTimeFunctions.epochTime();
 const Log = pino({
   transport,
   timestamp: pinoTimeFunction,

package/src/lib/tls.ts

@@ -62,7 +62,11 @@ export function genTLS(name: string): TLSOut {
   return { ca, key, crt, pem };
 }
 
-function genCert(key: forge.pki.rsa.KeyPair, name: string, issuer: forge.pki.CertificateField[]) {
+function genCert(
+  key: forge.pki.rsa.KeyPair,
+  name: string,
+  issuer: forge.pki.CertificateField[],
+): forge.pki.Certificate {
   const crt = forge.pki.createCertificate();
   crt.publicKey = key.publicKey;
   crt.serialNumber = "01";

package/src/lib/validate-request.ts

@@ -23,7 +23,7 @@ export class PeprValidateRequest<T extends KubernetesObject> {
    * Provides access to the old resource in the request if available.
    * @returns The old Kubernetes resource object or null if not available.
    */
-  get OldResource() {
+  get OldResource(): KubernetesObject | undefined {
     return this.#input.oldObject;
   }
 
@@ -31,7 +31,7 @@ export class PeprValidateRequest<T extends KubernetesObject> {
    * Provides access to the request object.
    * @returns The request object containing the Kubernetes resource.
    */
-  get Request() {
+  get Request(): AdmissionRequest<KubernetesObject> {
     return this.#input;
   }
 
@@ -61,7 +61,7 @@ export class PeprValidateRequest<T extends KubernetesObject> {
    * @param key the label key to check
    * @returns
    */
-  HasLabel = (key: string) => {
+  HasLabel = (key: string): boolean => {
     return this.Raw.metadata?.labels?.[key] !== undefined;
   };
 
@@ -71,7 +71,7 @@ export class PeprValidateRequest<T extends KubernetesObject> {
    * @param key the annotation key to check
    * @returns
    */
-  HasAnnotation = (key: string) => {
+  HasAnnotation = (key: string): boolean => {
     return this.Raw.metadata?.annotations?.[key] !== undefined;
   };
 

package/src/lib.ts

@@ -1,9 +1,9 @@
 import { K8s, RegisterKind, kind as a, fetch, fetchStatus, kind } from "kubernetes-fluent-client";
 import * as R from "ramda";
 
-import { Capability } from "./lib/capability";
+import { Capability } from "./lib/core/capability";
 import Log from "./lib/telemetry/logger";
-import { PeprModule } from "./lib/module";
+import { PeprModule } from "./lib/core/module";
 import { PeprMutateRequest } from "./lib/mutate-request";
 import * as PeprUtils from "./lib/utils";
 import { PeprValidateRequest } from "./lib/validate-request";

package/src/runtime/controller.ts

@@ -14,7 +14,7 @@ import { peprStoreCRD } from "../lib/assets/store";
 import { validateHash } from "../lib/helpers";
 const { version } = packageJSON;
 
-function runModule(expectedHash: string) {
+function runModule(expectedHash: string): void {
   const gzPath = `/app/load/module-${expectedHash}.js.gz`;
   const jsPath = `/app/module-${expectedHash}.js`;
 
@@ -59,7 +59,7 @@ Log.info(`Pepr Controller (v${version})`);
 
 const hash = process.argv[2];
 
-const startup = async () => {
+const startup = async (): Promise<void> => {
   try {
     Log.info("Applying the Pepr Store CRD if it doesn't exist");
     await K8s(kind.CustomResourceDefinition).Apply(peprStoreCRD, { force: true });

package/src/sdk/heredoc.ts

@@ -1,7 +1,7 @@
 // Refs:
 // - https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals#tagged_templates
 
-export function heredoc(strings: TemplateStringsArray, ...values: string[]) {
+export function heredoc(strings: TemplateStringsArray, ...values: string[]): string {
   // shuffle strings & expression values back together
   const zipped = strings
     .reduce((acc: string[], cur, idx) => {

package/dist/lib/capability.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"capability.d.ts","sourceRoot":"","sources":["../../src/lib/capability.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,gBAAgB,EAA2B,MAAM,0BAA0B,CAAC;AAInG,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC/C,OAAO,EAAc,QAAQ,EAAE,MAAM,YAAY,CAAC;AAElD,OAAO,EACL,OAAO,EAGP,aAAa,EACb,gBAAgB,EAQhB,YAAY,EACb,MAAM,SAAS,CAAC;AAMjB;;GAEG;AACH,qBAAa,UAAW,YAAW,gBAAgB;;IASjD,WAAW,EAAE,OAAO,CAAC;IAErB;;;;;OAKG;IACH,UAAU,EAAE,CAAC,QAAQ,EAAE,QAAQ,KAAK,IAAI,CAqBtC;IAEK,gBAAgB,IAAI,OAAO;IAIlC;;;;;;OAMG;IACH,KAAK,EAAE,SAAS,CASd;IAEF;;;;;;OAMG;IACH,aAAa,EAAE,SAAS,CAStB;IAEF,IAAI,QAAQ,IAAI,OAAO,EAAE,CAExB;IAED,IAAI,IAAI,IAAI,MAAM,CAEjB;IAED,IAAI,WAAW,IAAI,MAAM,CAExB;IAED,IAAI,UAAU,IAAI,MAAM,EAAE,CAEzB;gBAEW,GAAG,EAAE,aAAa;IAU9B;;OAEG;IACH,qBAAqB,QAAO,OAAO,CAWjC;IAEF;;;;OAIG;IACH,aAAa,QAAO,OAAO,CAWzB;IAEF;;;;;;;;OAQG;IACH,IAAI,4CAA6C,gBAAgB,qBA4O/D;CACH"}

package/dist/lib/module.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"module.d.ts","sourceRoot":"","sources":["../../src/lib/module.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAG1C,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,OAAO,CAAC;AACxE,OAAO,EAAoB,gBAAgB,EAAE,MAAM,SAAS,CAAC;AAG7D,OAAO,EAAE,YAAY,IAAI,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAErE,0CAA0C;AAC1C,MAAM,WAAW,YAAY;IAC3B,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACpC;AACD,iDAAiD;AACjD,MAAM,MAAM,YAAY,GAAG;IACzB,wCAAwC;IACxC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,6CAA6C;IAC7C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,yFAAyF;IACzF,IAAI,EAAE,MAAM,CAAC;IACb,yDAAyD;IACzD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,yBAAyB;IACzB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,sDAAsD;IACtD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,wEAAwE;IACxE,YAAY,EAAE,aAAa,CAAC;IAC5B,0DAA0D;IAC1D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,wDAAwD;IACxD,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,2CAA2C;IAC3C,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,wBAAwB;IACxB,IAAI,CAAC,EAAE,UAAU,EAAE,CAAC;IACpB,yFAAyF;IACzF,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,WAAW,GAAG;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,YAAY,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,iBAAiB,GAAG;IAC9B,UAAU,CAAC,EAAE,OAAO,CAAC;IAErB,qHAAqH;IACrH,UAAU,CAAC,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,IAAI,CAAC;IAE7C,6GAA6G;IAC7G,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,cAAc,GAAG,gBAAgB,KAAK,IAAI,CAAC;CAC9D,CAAC;AAGF,eAAO,MAAM,WAAW,eAA+C,CAAC;AAGxE,eAAO,MAAM,WAAW,eAA0C,CAAC;AAEnE,eAAO,MAAM,SAAS,eAAwC,CAAC;AAE/D,qBAAa,UAAU;;IAGrB;;;;;;OAMG;gBACS,EAAE,WAAW,EAAE,IAAI,EAAE,EAAE,WAAW,EAAE,YAAY,GAAE,UAAU,EAAO,EAAE,IAAI,GAAE,iBAAsB;IAsD7G;;;;;OAKG;IACH,KAAK,0BAEH;CACH"}

package/dist/lib/mutate-processor.d.ts

@@ -1,6 +0,0 @@
-import { Capability } from "./capability";
-import { MutateResponse } from "./k8s";
-import { AdmissionRequest } from "./types";
-import { ModuleConfig } from "./module";
-export declare function mutateProcessor(config: ModuleConfig, capabilities: Capability[], req: AdmissionRequest, reqMetadata: Record<string, string>): Promise<MutateResponse>;
-//# sourceMappingURL=mutate-processor.d.ts.map

package/dist/lib/mutate-processor.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"mutate-processor.d.ts","sourceRoot":"","sources":["../../src/lib/mutate-processor.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAG1C,OAAO,EAAE,cAAc,EAAE,MAAM,OAAO,CAAC;AACvC,OAAO,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC;AAE3C,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAIxC,wBAAsB,eAAe,CACnC,MAAM,EAAE,YAAY,EACpB,YAAY,EAAE,UAAU,EAAE,EAC1B,GAAG,EAAE,gBAAgB,EACrB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAClC,OAAO,CAAC,cAAc,CAAC,CAmIzB"}

package/dist/lib/queue.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"queue.d.ts","sourceRoot":"","sources":["../../src/lib/queue.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,UAAU,EAAE,MAAM,4CAA4C,CAAC;AAIxE,KAAK,aAAa,GAAG,CAAC,GAAG,EAAE,gBAAgB,EAAE,KAAK,EAAE,UAAU,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;AAUjF;;GAEG;AACH,qBAAa,KAAK,CAAC,CAAC,SAAS,gBAAgB;;gBAM/B,IAAI,EAAE,MAAM;IAKxB,KAAK,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE;IAItC,KAAK,IAAI;QACP,KAAK,EAAE;YACL,IAAI,EAAE,MAAM,CAAC;YACb,GAAG,EAAE,MAAM,CAAC;SACb,CAAC;QACF,KAAK,EAAE;YACL,MAAM,EAAE,MAAM,CAAC;SAChB,CAAC;KACH;IASD;;;;;;;;OAQG;IACH,OAAO,CAAC,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;CAsE7E"}

package/dist/lib/schedule.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"schedule.d.ts","sourceRoot":"","sources":["../../src/lib/schedule.ts"],"names":[],"mappings":";AAGA,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAEtC,MAAM,MAAM,IAAI,GAAG,SAAS,GAAG,QAAQ,GAAG,QAAQ,GAAG,SAAS,GAAG,OAAO,GAAG,MAAM,CAAC;AAElF,MAAM,WAAW,QAAQ;IACvB;;OAEG;IACH,IAAI,EAAE,MAAM,CAAC;IACb;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;IACd;;OAEG;IACH,IAAI,EAAE,IAAI,CAAC;IACX;;OAEG;IACH,GAAG,EAAE,MAAM,IAAI,CAAC;IAChB;;OAEG;IACH,SAAS,CAAC,EAAE,IAAI,GAAG,SAAS,CAAC;IAE7B;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IACjC;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC,OAAO,CAAC;CAC7B;AAED,qBAAa,UAAW,YAAW,QAAQ;IACzC,UAAU,EAAE,MAAM,CAAC,OAAO,GAAG,IAAI,CAAQ;IACzC,KAAK,EAAE,SAAS,GAAG,SAAS,CAAC;IAC7B,IAAI,EAAG,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,IAAI,CAAC;IACX,GAAG,EAAG,MAAM,IAAI,CAAC;IACjB,SAAS,CAAC,EAAE,IAAI,GAAG,SAAS,CAAC;IAC7B,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7B,aAAa,EAAE,IAAI,GAAG,SAAS,CAAC;gBAEpB,QAAQ,EAAE,QAAQ;IAQ9B,QAAQ,CAAC,KAAK,EAAE,SAAS,GAAG,IAAI;IAIhC,aAAa,IAAI,IAAI;IAKrB;;;OAGG;IACH,UAAU,IAAI,IAAI;IAUlB;;;OAGG;IACH,WAAW,IAAI,IAAI;IAUnB;;OAEG;IACH,WAAW,IAAI,IAAI;IAmBnB;;OAEG;IACH,aAAa,IAAI,IAAI;IAwBrB;;OAEG;IACH,KAAK,IAAI,IAAI;IAgBb;;OAEG;IACH,IAAI,IAAI,IAAI;CAOb"}

package/dist/lib/storage.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../../src/lib/storage.ts"],"names":[],"mappings":"AAKA,MAAM,MAAM,MAAM,GAAG,KAAK,GAAG,QAAQ,CAAC;AACtC,MAAM,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AAC/C,MAAM,MAAM,UAAU,GAAG,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,KAAK,CAAC,EAAE,MAAM,KAAK,IAAI,CAAC;AAC9E,MAAM,MAAM,YAAY,GAAG,CAAC,IAAI,EAAE,SAAS,KAAK,IAAI,CAAC;AACrD,MAAM,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC;AAUrC,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAE9C;AAED,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAEvD;AAED,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAEjD;AACD,MAAM,WAAW,SAAS;IACxB;;OAEG;IACH,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;IACpC;;OAEG;IACH,KAAK,IAAI,IAAI,CAAC;IACd;;OAEG;IACH,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B;;OAEG;IACH,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IAE1C;;;;;OAKG;IACH,SAAS,CAAC,QAAQ,EAAE,YAAY,GAAG,WAAW,CAAC;IAE/C;;OAEG;IACH,OAAO,CAAC,QAAQ,EAAE,YAAY,GAAG,IAAI,CAAC;IAEtC;;;OAGG;IACH,cAAc,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAE5D;;;OAGG;IACH,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACjD;AAED;;;;GAIG;AAEH,qBAAa,OAAQ,YAAW,SAAS;;IAOvC,cAAc,SAAU,UAAU,KAAG,IAAI,CAEvC;IAEF,OAAO,SAAU,SAAS,KAAG,IAAI,CAU/B;IAEF,OAAO,QAAS,MAAM,KAAG,MAAM,GAAG,IAAI,CAMpC;IAEF,KAAK,QAAO,IAAI,CAMd;IAEF,UAAU,QAAS,MAAM,KAAG,IAAI,CAE9B;IAEF,OAAO,QAAS,MAAM,SAAS,MAAM,KAAG,IAAI,CAE1C;IAEF;;;;;;;OAOG;IACH,cAAc,QAAS,MAAM,SAAS,MAAM,KAAG,QAAQ,MAAM,CAAC,CAmB5D;IAEF;;;;;;OAMG;IACH,iBAAiB,QAAS,MAAM,KAAG,QAAQ,MAAM,CAAC,CAkBhD;IAEF,SAAS,eAAgB,YAAY,KAAG,CAAC,MAAM,IAAI,CAAC,CAIlD;IAEF,OAAO,aAAc,YAAY,KAAG,IAAI,CAEtC;IAEF;;;OAGG;IACH,WAAW,QAAS,MAAM,KAAG,IAAI,CAE/B;CAqBH"}

package/dist/lib/validate-processor.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"validate-processor.d.ts","sourceRoot":"","sources":["../../src/lib/validate-processor.ts"],"names":[],"mappings":"AAGA,OAAO,EAAQ,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAE1C,OAAO,EAAE,gBAAgB,EAAE,MAAM,OAAO,CAAC;AACzC,OAAO,EAAE,gBAAgB,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAGpD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAExC,wBAAsB,cAAc,CAClC,OAAO,EAAE,OAAO,EAChB,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EACtC,mBAAmB,EAAE,mBAAmB,CAAC,gBAAgB,CAAC,GACzD,OAAO,CAAC,gBAAgB,CAAC,CAkC3B;AAED,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,YAAY,EACpB,YAAY,EAAE,UAAU,EAAE,EAC1B,GAAG,EAAE,gBAAgB,EACrB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAClC,OAAO,CAAC,gBAAgB,EAAE,CAAC,CAkC7B"}

package/dist/lib/watch-processor.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"watch-processor.d.ts","sourceRoot":"","sources":["../../src/lib/watch-processor.ts"],"names":[],"mappings":"AAEA,OAAO,EAAO,gBAAgB,EAAY,UAAU,EAAE,MAAM,0BAA0B,CAAC;AAEvF,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAI1C,OAAO,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAQhC;;;;;GAKG;AACH,wBAAgB,QAAQ,CAAC,GAAG,EAAE,gBAAgB,GAAG,MAAM,CAkBtD;AAED,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,gBAAgB,GAAG,KAAK,CAAC,gBAAgB,CAAC,CAM/E;AAuBD;;;;GAIG;AACH,wBAAgB,UAAU,CAAC,YAAY,EAAE,UAAU,EAAE,EAAE,iBAAiB,CAAC,EAAE,MAAM,EAAE,GAAG,IAAI,CAMzF;AAmHD,wBAAgB,QAAQ,CAAC,KAAK,EAAE,UAAU,EAAE,OAAO,GAAE,MAAW,EAAE,GAAG,CAAC,EAAE,gBAAgB,GAAG,IAAI,CAO9F"}

package/src/lib/mutate-processor.ts

@@ -1,165 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
-
-import jsonPatch from "fast-json-patch";
-import { kind } from "kubernetes-fluent-client";
-
-import { Capability } from "./capability";
-import { Errors } from "./errors";
-import { shouldSkipRequest } from "./filter/filter";
-import { MutateResponse } from "./k8s";
-import { AdmissionRequest } from "./types";
-import Log from "./telemetry/logger";
-import { ModuleConfig } from "./module";
-import { PeprMutateRequest } from "./mutate-request";
-import { base64Encode, convertFromBase64Map, convertToBase64Map } from "./utils";
-
-export async function mutateProcessor(
-  config: ModuleConfig,
-  capabilities: Capability[],
-  req: AdmissionRequest,
-  reqMetadata: Record<string, string>,
-): Promise<MutateResponse> {
-  const wrapped = new PeprMutateRequest(req);
-  const response: MutateResponse = {
-    uid: req.uid,
-    warnings: [],
-    allowed: false,
-  };
-
-  // Track whether any capability matched the request
-  let matchedAction = false;
-
-  // Track data fields that should be skipped during decoding
-  let skipDecode: string[] = [];
-
-  // If the resource is a secret, decode the data
-  const isSecret = req.kind.version === "v1" && req.kind.kind === "Secret";
-  if (isSecret) {
-    skipDecode = convertFromBase64Map(wrapped.Raw as unknown as kind.Secret);
-  }
-
-  Log.info(reqMetadata, `Processing request`);
-
-  for (const { name, bindings, namespaces } of capabilities) {
-    const actionMetadata = { ...reqMetadata, name };
-    for (const action of bindings) {
-      // Skip this action if it's not a mutate action
-      if (!action.mutateCallback) {
-        continue;
-      }
-
-      // Continue to the next action without doing anything if this one should be skipped
-      const shouldSkip = shouldSkipRequest(action, req, namespaces, config?.alwaysIgnore?.namespaces);
-      if (shouldSkip !== "") {
-        Log.debug(shouldSkip);
-        continue;
-      }
-
-      const label = action.mutateCallback.name;
-      Log.info(actionMetadata, `Processing mutation action (${label})`);
-      matchedAction = true;
-
-      // Add annotations to the request to indicate that the capability started processing
-      // this will allow tracking of failed mutations that were permitted to continue
-      const updateStatus = (status: string) => {
-        // Only update the status if the request is a CREATE or UPDATE (we don't use CONNECT)
-        if (req.operation === "DELETE") {
-          return;
-        }
-
-        const identifier = `${config.uuid}.pepr.dev/${name}`;
-        wrapped.Raw.metadata = wrapped.Raw.metadata || {};
-        wrapped.Raw.metadata.annotations = wrapped.Raw.metadata.annotations || {};
-        wrapped.Raw.metadata.annotations[identifier] = status;
-      };
-
-      updateStatus("started");
-
-      try {
-        // Run the action
-        await action.mutateCallback(wrapped);
-
-        // Log on success
-        Log.info(actionMetadata, `Mutation action succeeded (${label})`);
-
-        // Add annotations to the request to indicate that the capability succeeded
-        updateStatus("succeeded");
-      } catch (e) {
-        updateStatus("warning");
-        response.warnings = response.warnings || [];
-
-        const errorMessage = logMutateErrorMessage(e);
-
-        // Log on failure
-        Log.error(actionMetadata, `Action failed: ${errorMessage}`);
-        response.warnings.push(`Action failed: ${errorMessage}`);
-
-        switch (config.onError) {
-          case Errors.reject:
-            Log.error(actionMetadata, `Action failed: ${errorMessage}`);
-            response.result = "Pepr module configured to reject on error";
-            return response;
-
-          case Errors.audit:
-            response.auditAnnotations = response.auditAnnotations || {};
-            response.auditAnnotations[Date.now()] = `Action failed: ${errorMessage}`;
-            break;
-        }
-      }
-    }
-  }
-
-  // If we've made it this far, the request is allowed
-  response.allowed = true;
-
-  // If no capability matched the request, exit early
-  if (!matchedAction) {
-    Log.info(reqMetadata, `No matching actions found`);
-    return response;
-  }
-
-  // delete operations can't be mutate, just return before the transformation
-  if (req.operation === "DELETE") {
-    return response;
-  }
-
-  const transformed = wrapped.Raw;
-
-  // Post-process the Secret requests to convert it back to the original format
-  if (isSecret) {
-    convertToBase64Map(transformed as unknown as kind.Secret, skipDecode);
-  }
-
-  // Compare the original request to the modified request to get the patches
-  const patches = jsonPatch.compare(req.object, transformed);
-
-  // Only add the patch if there are patches to apply
-  if (patches.length > 0) {
-    response.patchType = "JSONPatch";
-    // Webhook must be base64-encoded
-    // https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#response
-    response.patch = base64Encode(JSON.stringify(patches));
-  }
-
-  // Remove the warnings array if it's empty
-  if (response.warnings && response.warnings.length < 1) {
-    delete response.warnings;
-  }
-
-  Log.debug({ ...reqMetadata, patches }, `Patches generated`);
-
-  return response;
-}
-
-const logMutateErrorMessage = (e: Error): string => {
-  try {
-    if (e.message && e.message !== "[object Object]") {
-      return e.message;
-    } else {
-      throw new Error("An error occurred in the mutate action.");
-    }
-  } catch (e) {
-    return "An error occurred with the mutate action.";
-  }
-};