pepr 0.42.1 → 0.42.3

package/src/lib/assets/assets.ts

@@ -0,0 +1,176 @@
+import crypto from "crypto";
+import { CapabilityExport } from "../types";
+import { ModuleConfig } from "../core/module";
+import { TLSOut, genTLS } from "../tls";
+import { WebhookIgnore } from "../k8s";
+import {
+  chartYaml,
+  namespaceTemplate,
+  clusterRoleTemplate,
+  admissionDeployTemplate,
+  serviceMonitorTemplate,
+  watcherDeployTemplate,
+} from "./helm";
+import { createDirectoryIfNotExists } from "../filesystemService";
+import { deploy } from "./deploy";
+import { getDeployment, getModuleSecret, getWatcher } from "./pods";
+import { helmLayout, createWebhookYaml, toYaml } from "./index";
+import { loadCapabilities } from "./loader";
+import { namespaceComplianceValidator, dedent } from "../helpers";
+import { storeRole, storeRoleBinding, clusterRoleBinding, serviceAccount } from "./rbac";
+import { watcherService, service, tlsSecret, apiTokenSecret } from "./networking";
+import { webhookConfig } from "./webhooks";
+import { generateZarfYaml, generateZarfYamlChart, generateAllYaml, overridesFile } from "./yaml";
+import { promises as fs } from "fs";
+import { V1MutatingWebhookConfiguration, V1ValidatingWebhookConfiguration } from "@kubernetes/client-node/dist/gen";
+
+export class Assets {
+  readonly name: string;
+  readonly tls: TLSOut;
+  readonly apiToken: string;
+  readonly alwaysIgnore!: WebhookIgnore;
+  capabilities!: CapabilityExport[];
+
+  image: string;
+  buildTimestamp: string;
+  hash: string;
+
+  constructor(
+    readonly config: ModuleConfig,
+    readonly path: string,
+    readonly host?: string,
+  ) {
+    this.name = `pepr-${config.uuid}`;
+    this.buildTimestamp = `${Date.now()}`;
+    this.alwaysIgnore = config.alwaysIgnore;
+    this.image = `ghcr.io/defenseunicorns/pepr/controller:v${config.peprVersion}`;
+    this.hash = "";
+    // Generate the ephemeral tls things
+    this.tls = genTLS(this.host || `${this.name}.pepr-system.svc`);
+
+    // Generate the api token for the controller / webhook
+    this.apiToken = crypto.randomBytes(32).toString("hex");
+  }
+
+  setHash = (hash: string): void => {
+    this.hash = hash;
+  };
+
+  deploy = async (force: boolean, webhookTimeout?: number): Promise<void> => {
+    this.capabilities = await loadCapabilities(this.path);
+    await deploy(this, force, webhookTimeout);
+  };
+
+  zarfYaml = (path: string): string => generateZarfYaml(this.name, this.image, this.config, path);
+
+  zarfYamlChart = (path: string): string => generateZarfYamlChart(this.name, this.image, this.config, path);
+
+  allYaml = async (imagePullSecret?: string): Promise<string> => {
+    this.capabilities = await loadCapabilities(this.path);
+    // give error if namespaces are not respected
+    for (const capability of this.capabilities) {
+      namespaceComplianceValidator(capability, this.alwaysIgnore?.namespaces);
+    }
+
+    const webhooks = {
+      mutate: await webhookConfig(this, "mutate", this.config.webhookTimeout),
+      validate: await webhookConfig(this, "validate", this.config.webhookTimeout),
+    };
+
+    const code = await fs.readFile(this.path);
+
+    // Generate a hash of the code
+    this.hash = crypto.createHash("sha256").update(code).digest("hex");
+
+    const deployments = {
+      default: getDeployment(this, this.hash, this.buildTimestamp, imagePullSecret),
+      watch: getWatcher(this, this.hash, this.buildTimestamp, imagePullSecret),
+    };
+
+    const assetsInputs = {
+      apiToken: this.apiToken,
+      capabilities: this.capabilities,
+      config: this.config,
+      hash: this.hash,
+      name: this.name,
+      path: this.path,
+      tls: this.tls,
+    };
+    return generateAllYaml(webhooks, deployments, assetsInputs);
+  };
+
+  writeWebhookFiles = async (
+    validateWebhook: V1MutatingWebhookConfiguration | V1ValidatingWebhookConfiguration | null,
+    mutateWebhook: V1MutatingWebhookConfiguration | V1ValidatingWebhookConfiguration | null,
+    helm: Record<string, Record<string, string>>,
+  ): Promise<void> => {
+    if (validateWebhook || mutateWebhook) {
+      await fs.writeFile(helm.files.admissionDeploymentYaml, dedent(admissionDeployTemplate(this.buildTimestamp)));
+      await fs.writeFile(helm.files.admissionServiceMonitorYaml, dedent(serviceMonitorTemplate("admission")));
+    }
+
+    if (mutateWebhook) {
+      await fs.writeFile(helm.files.mutationWebhookYaml, createWebhookYaml(this.name, this.config, mutateWebhook));
+    }
+
+    if (validateWebhook) {
+      await fs.writeFile(helm.files.validationWebhookYaml, createWebhookYaml(this.name, this.config, validateWebhook));
+    }
+  };
+
+  generateHelmChart = async (basePath: string): Promise<void> => {
+    const helm = helmLayout(basePath, this.config.uuid);
+
+    try {
+      await Promise.all(
+        Object.values(helm.dirs)
+          .sort((l, r) => l.split("/").length - r.split("/").length)
+          .map(async dir => await createDirectoryIfNotExists(dir)),
+      );
+
+      const code = await fs.readFile(this.path);
+
+      const pairs: [string, () => string][] = [
+        [helm.files.chartYaml, (): string => dedent(chartYaml(this.config.uuid, this.config.description || ""))],
+        [helm.files.namespaceYaml, (): string => dedent(namespaceTemplate())],
+        [helm.files.watcherServiceYaml, (): string => toYaml(watcherService(this.name))],
+        [helm.files.admissionServiceYaml, (): string => toYaml(service(this.name))],
+        [helm.files.tlsSecretYaml, (): string => toYaml(tlsSecret(this.name, this.tls))],
+        [helm.files.apiTokenSecretYaml, (): string => toYaml(apiTokenSecret(this.name, this.apiToken))],
+        [helm.files.storeRoleYaml, (): string => toYaml(storeRole(this.name))],
+        [helm.files.storeRoleBindingYaml, (): string => toYaml(storeRoleBinding(this.name))],
+        [helm.files.clusterRoleYaml, (): string => dedent(clusterRoleTemplate())],
+        [helm.files.clusterRoleBindingYaml, (): string => toYaml(clusterRoleBinding(this.name))],
+        [helm.files.serviceAccountYaml, (): string => toYaml(serviceAccount(this.name))],
+        [helm.files.moduleSecretYaml, (): string => toYaml(getModuleSecret(this.name, code, this.hash))],
+      ];
+      await Promise.all(pairs.map(async ([file, content]) => await fs.writeFile(file, content())));
+
+      const overrideData = {
+        hash: this.hash,
+        name: this.name,
+        image: this.image,
+        config: this.config,
+        apiToken: this.apiToken,
+        capabilities: this.capabilities,
+      };
+      await overridesFile(overrideData, helm.files.valuesYaml);
+
+      const [mutateWebhook, validateWebhook] = await Promise.all([
+        webhookConfig(this, "mutate", this.config.webhookTimeout),
+        webhookConfig(this, "validate", this.config.webhookTimeout),
+      ]);
+
+      await this.writeWebhookFiles(validateWebhook, mutateWebhook, helm);
+
+      const watchDeployment = getWatcher(this, this.hash, this.buildTimestamp);
+      if (watchDeployment) {
+        await fs.writeFile(helm.files.watcherDeploymentYaml, dedent(watcherDeployTemplate(this.buildTimestamp)));
+        await fs.writeFile(helm.files.watcherServiceMonitorYaml, dedent(serviceMonitorTemplate("watcher")));
+      }
+    } catch (err) {
+      console.error(`Error generating helm chart: ${err.message}`);
+      process.exit(1);
+    }
+  };
+}

package/src/lib/assets/deploy.ts

@@ -6,7 +6,7 @@ import { promises as fs } from "fs";
 import { K8s, kind } from "kubernetes-fluent-client";
 import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
 
-import { Assets } from ".";
+import { Assets } from "./assets";
 import Log from "../telemetry/logger";
 import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking";
 import { getDeployment, getModuleSecret, getNamespace, getWatcher } from "./pods";
@@ -15,7 +15,7 @@ import { peprStoreCRD } from "./store";
 import { webhookConfig } from "./webhooks";
 import { CapabilityExport, ImagePullSecret } from "../types";
 
-export async function deployImagePullSecret(imagePullSecret: ImagePullSecret, name: string) {
+export async function deployImagePullSecret(imagePullSecret: ImagePullSecret, name: string): Promise<void> {
   try {
     await K8s(kind.Namespace).Get("pepr-system");
   } catch {
@@ -42,7 +42,7 @@ export async function deployImagePullSecret(imagePullSecret: ImagePullSecret, na
     Log.error(e);
   }
 }
-export async function deploy(assets: Assets, force: boolean, webhookTimeout?: number) {
+export async function deploy(assets: Assets, force: boolean, webhookTimeout?: number): Promise<void> {
   Log.info("Establishing connection to Kubernetes");
 
   const { name, host, path } = assets;
@@ -95,7 +95,7 @@ async function setupRBAC(
   capabilities: CapabilityExport[],
   force: boolean,
   config: { rbacMode?: string; rbac?: PolicyRule[] },
-) {
+): Promise<void> {
   const { rbacMode, rbac } = config;
 
   Log.info("Applying cluster role binding");
@@ -119,7 +119,7 @@ async function setupRBAC(
   await K8s(kind.RoleBinding).Apply(roleBinding, { force });
 }
 
-async function setupController(assets: Assets, code: Buffer, hash: string, force: boolean) {
+async function setupController(assets: Assets, code: Buffer, hash: string, force: boolean): Promise<void> {
   const { name } = assets;
 
   Log.info("Applying module secret");
@@ -144,7 +144,7 @@ async function setupController(assets: Assets, code: Buffer, hash: string, force
 }
 
 // Setup the watcher deployment and service
-async function setupWatcher(assets: Assets, hash: string, force: boolean) {
+async function setupWatcher(assets: Assets, hash: string, force: boolean): Promise<void> {
   // If the module has a watcher, deploy it
   const watchDeployment = getWatcher(assets, hash, assets.buildTimestamp);
   if (watchDeployment) {

package/src/lib/assets/index.ts

@@ -1,57 +1,35 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-import crypto from "crypto";
 import { dumpYaml } from "@kubernetes/client-node";
 import { kind } from "kubernetes-fluent-client";
-import { ModuleConfig } from "../module";
-import { TLSOut, genTLS } from "../tls";
-import { CapabilityExport } from "../types";
-import { WebhookIgnore } from "../k8s";
-import { deploy } from "./deploy";
-import { loadCapabilities } from "./loader";
-import { allYaml, zarfYaml, overridesFile, zarfYamlChart } from "./yaml";
-import { namespaceComplianceValidator, replaceString } from "../helpers";
-import { dedent } from "../helpers";
+import { replaceString } from "../helpers";
 import { resolve } from "path";
-import {
-  chartYaml,
-  namespaceTemplate,
-  admissionDeployTemplate,
-  watcherDeployTemplate,
-  clusterRoleTemplate,
-  serviceMonitorTemplate,
-} from "./helm";
-import { promises as fs } from "fs";
-import { webhookConfig } from "./webhooks";
-import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking";
-import { getWatcher, getModuleSecret } from "./pods";
-
-import { clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";
-import { createDirectoryIfNotExists } from "../filesystemService";
+import { ModuleConfig } from "../core/module";
 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
-function toYaml(obj: any): string {
+export function toYaml(obj: any): string {
   return dumpYaml(obj, { noRefs: true });
 }
 
-function createWebhookYaml(
-  assets: Assets,
+export function createWebhookYaml(
+  name: string,
+  config: ModuleConfig,
   webhookConfiguration: kind.MutatingWebhookConfiguration | kind.ValidatingWebhookConfiguration,
 ): string {
   const yaml = toYaml(webhookConfiguration);
   return replaceString(
     replaceString(
-      replaceString(yaml, assets.name, "{{ .Values.uuid }}"),
-      assets.config.onError === "reject" ? "Fail" : "Ignore",
+      replaceString(yaml, name, "{{ .Values.uuid }}"),
+      config.onError === "reject" ? "Fail" : "Ignore",
       "{{ .Values.admission.failurePolicy }}",
     ),
-    `${assets.config.webhookTimeout}` || "10",
+    `${config.webhookTimeout}` || "10",
     "{{ .Values.admission.webhookTimeout }}",
   );
 }
 
-function helmLayout(basePath: string, unique: string): Record<string, Record<string, string>> {
+export function helmLayout(basePath: string, unique: string): Record<string, Record<string, string>> {
   const helm: Record<string, Record<string, string>> = {
     dirs: {
       chart: resolve(`${basePath}/${unique}-chart`),
@@ -90,115 +68,3 @@ function helmLayout(basePath: string, unique: string): Record<string, Record<str
 
   return helm;
 }
-
-export class Assets {
-  readonly name: string;
-  readonly tls: TLSOut;
-  readonly apiToken: string;
-  readonly alwaysIgnore!: WebhookIgnore;
-  capabilities!: CapabilityExport[];
-
-  image: string;
-  buildTimestamp: string;
-  hash: string;
-
-  constructor(
-    readonly config: ModuleConfig,
-    readonly path: string,
-    readonly host?: string,
-  ) {
-    this.name = `pepr-${config.uuid}`;
-    this.buildTimestamp = `${Date.now()}`;
-    this.alwaysIgnore = config.alwaysIgnore;
-    this.image = `ghcr.io/defenseunicorns/pepr/controller:v${config.peprVersion}`;
-    this.hash = "";
-    // Generate the ephemeral tls things
-    this.tls = genTLS(this.host || `${this.name}.pepr-system.svc`);
-
-    // Generate the api token for the controller / webhook
-    this.apiToken = crypto.randomBytes(32).toString("hex");
-  }
-
-  setHash = (hash: string): void => {
-    this.hash = hash;
-  };
-
-  deploy = async (force: boolean, webhookTimeout?: number): Promise<void> => {
-    this.capabilities = await loadCapabilities(this.path);
-    await deploy(this, force, webhookTimeout);
-  };
-
-  zarfYaml = (path: string): string => zarfYaml(this, path);
-
-  zarfYamlChart = (path: string): string => zarfYamlChart(this, path);
-
-  allYaml = async (imagePullSecret?: string): Promise<string> => {
-    this.capabilities = await loadCapabilities(this.path);
-    // give error if namespaces are not respected
-    for (const capability of this.capabilities) {
-      namespaceComplianceValidator(capability, this.alwaysIgnore?.namespaces);
-    }
-
-    return allYaml(this, imagePullSecret);
-  };
-
-  /* eslint max-statements: ["warn", 21] */
-  generateHelmChart = async (basePath: string): Promise<void> => {
-    const helm = helmLayout(basePath, this.config.uuid);
-
-    try {
-      await Promise.all(
-        Object.values(helm.dirs)
-          .sort((l, r) => l.split("/").length - r.split("/").length)
-          .map(async dir => await createDirectoryIfNotExists(dir)),
-      );
-
-      const code = await fs.readFile(this.path);
-
-      const pairs: [string, () => string][] = [
-        [helm.files.chartYaml, (): string => dedent(chartYaml(this.config.uuid, this.config.description || ""))],
-        [helm.files.namespaceYaml, (): string => dedent(namespaceTemplate())],
-        [helm.files.watcherServiceYaml, (): string => toYaml(watcherService(this.name))],
-        [helm.files.admissionServiceYaml, (): string => toYaml(service(this.name))],
-        [helm.files.tlsSecretYaml, (): string => toYaml(tlsSecret(this.name, this.tls))],
-        [helm.files.apiTokenSecretYaml, (): string => toYaml(apiTokenSecret(this.name, this.apiToken))],
-        [helm.files.storeRoleYaml, (): string => toYaml(storeRole(this.name))],
-        [helm.files.storeRoleBindingYaml, (): string => toYaml(storeRoleBinding(this.name))],
-        [helm.files.clusterRoleYaml, (): string => dedent(clusterRoleTemplate())],
-        [helm.files.clusterRoleBindingYaml, (): string => toYaml(clusterRoleBinding(this.name))],
-        [helm.files.serviceAccountYaml, (): string => toYaml(serviceAccount(this.name))],
-        [helm.files.moduleSecretYaml, (): string => toYaml(getModuleSecret(this.name, code, this.hash))],
-      ];
-      await Promise.all(pairs.map(async ([file, content]) => await fs.writeFile(file, content())));
-
-      await overridesFile(this, helm.files.valuesYaml);
-
-      const [mutateWebhook, validateWebhook] = await Promise.all([
-        webhookConfig(this, "mutate", this.config.webhookTimeout),
-        webhookConfig(this, "validate", this.config.webhookTimeout),
-      ]);
-
-      if (validateWebhook || mutateWebhook) {
-        await fs.writeFile(helm.files.admissionDeploymentYaml, dedent(admissionDeployTemplate(this.buildTimestamp)));
-        await fs.writeFile(helm.files.admissionServiceMonitorYaml, dedent(serviceMonitorTemplate("admission")));
-      }
-
-      if (mutateWebhook) {
-        await fs.writeFile(helm.files.mutationWebhookYaml, createWebhookYaml(this, mutateWebhook));
-      }
-
-      if (validateWebhook) {
-        await fs.writeFile(helm.files.validationWebhookYaml, createWebhookYaml(this, validateWebhook));
-      }
-
-      const watchDeployment = getWatcher(this, this.hash, this.buildTimestamp);
-      if (watchDeployment) {
-        await fs.writeFile(helm.files.watcherDeploymentYaml, dedent(watcherDeployTemplate(this.buildTimestamp)));
-        await fs.writeFile(helm.files.watcherServiceMonitorYaml, dedent(serviceMonitorTemplate("watcher")));
-      }
-    } catch (err) {
-      console.error(`Error generating helm chart: ${err.message}`);
-      process.exit(1);
-    }
-  };
-}

package/src/lib/assets/pods.ts

@@ -5,8 +5,8 @@ import { KubernetesObject, V1EnvVar } from "@kubernetes/client-node";
 import { kind } from "kubernetes-fluent-client";
 import { gzipSync } from "zlib";
 import { secretOverLimit } from "../helpers";
-import { Assets } from ".";
-import { ModuleConfig } from "../module";
+import { Assets } from "./assets";
+import { ModuleConfig } from "../core/module";
 import { Binding } from "../types";
 
 /** Generate the pepr-system namespace */

package/src/lib/assets/webhooks.ts

@@ -9,68 +9,47 @@ import {
 import { kind } from "kubernetes-fluent-client";
 import { concat, equals, uniqWith } from "ramda";
 
-import { Assets } from ".";
+import { Assets } from "./assets";
 import { Event } from "../enums";
-
-const peprIgnoreLabel: V1LabelSelectorRequirement = {
-  key: "pepr.dev",
-  operator: "NotIn",
-  values: ["ignore"],
-};
+import { Binding } from "../types";
 
 const peprIgnoreNamespaces: string[] = ["kube-system", "pepr-system"];
 
+const validateRule = (binding: Binding, isMutateWebhook: boolean): V1RuleWithOperations | undefined => {
+  const { event, kind, isMutate, isValidate } = binding;
+
+  // Skip invalid bindings based on webhook type
+  if ((isMutateWebhook && !isMutate) || (!isMutateWebhook && !isValidate)) {
+    return undefined;
+  }
+
+  // Translate event to operations
+  const operations = event === Event.CREATE_OR_UPDATE ? [Event.CREATE, Event.UPDATE] : [event];
+
+  // Use the plural property if it exists, otherwise use lowercase kind + s
+  const resource = kind.plural || `${kind.kind.toLowerCase()}s`;
+
+  const ruleObject: V1RuleWithOperations = {
+    apiGroups: [kind.group],
+    apiVersions: [kind.version || "*"],
+    operations,
+    resources: [resource, ...(resource === "pods" ? ["pods/ephemeralcontainers"] : [])],
+  };
+
+  return ruleObject;
+};
+
 export async function generateWebhookRules(assets: Assets, isMutateWebhook: boolean): Promise<V1RuleWithOperations[]> {
   const { config, capabilities } = assets;
-  const rules: V1RuleWithOperations[] = [];
 
-  // Iterate through the capabilities and generate the rules
-  for (const capability of capabilities) {
+  const rules = capabilities.flatMap(capability => {
     console.info(`Module ${config.uuid} has capability: ${capability.name}`);
 
-    // Read the bindings and generate the rules
-    for (const binding of capability.bindings) {
-      const { event, kind, isMutate, isValidate } = binding;
-
-      // If the module doesn't have a callback for the event, skip it
-      if (isMutateWebhook && !isMutate) {
-        continue;
-      }
-
-      if (!isMutateWebhook && !isValidate) {
-        continue;
-      }
-
-      const operations: string[] = [];
-
-      // CreateOrUpdate is a Pepr-specific event that is translated to Create and Update
-      if (event === Event.CREATE_OR_UPDATE) {
-        operations.push(Event.CREATE, Event.UPDATE);
-      } else {
-        operations.push(event);
-      }
-
-      // Use the plural property if it exists, otherwise use lowercase kind + s
-      const resource = kind.plural || `${kind.kind.toLowerCase()}s`;
-
-      const ruleObject = {
-        apiGroups: [kind.group],
-        apiVersions: [kind.version || "*"],
-        operations,
-        resources: [resource],
-      };
-
-      // If the resource is pods, add ephemeralcontainers as well
-      if (resource === "pods") {
-        ruleObject.resources.push("pods/ephemeralcontainers");
-      }
-
-      // Add the rule to the rules array
-      rules.push(ruleObject);
-    }
-  }
+    return capability.bindings
+      .map(binding => validateRule(binding, isMutateWebhook))
+      .filter((rule): rule is V1RuleWithOperations => !!rule);
+  });
 
-  // Return the rules with duplicates removed
   return uniqWith(equals, rules);
 }
 
@@ -79,7 +58,7 @@ export async function webhookConfig(
   mutateOrValidate: "mutate" | "validate",
   timeoutSeconds = 10,
 ): Promise<kind.MutatingWebhookConfiguration | kind.ValidatingWebhookConfiguration | null> {
-  const ignore = [peprIgnoreLabel];
+  const ignore: V1LabelSelectorRequirement[] = [];
 
   const { name, tls, config, apiToken, host } = assets;
   const ignoreNS = concat(peprIgnoreNamespaces, config?.alwaysIgnore?.namespaces || []);
@@ -135,9 +114,6 @@ export async function webhookConfig(
         namespaceSelector: {
           matchExpressions: ignore,
         },
-        objectSelector: {
-          matchExpressions: ignore,
-        },
         rules,
         // @todo: track side effects state
         sideEffects: "None",

package/src/lib/assets/yaml.ts

@@ -1,19 +1,41 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-import { dumpYaml } from "@kubernetes/client-node";
-import crypto from "crypto";
+import {
+  dumpYaml,
+  V1Deployment,
+  V1MutatingWebhookConfiguration,
+  V1ValidatingWebhookConfiguration,
+} from "@kubernetes/client-node";
 import { promises as fs } from "fs";
-import { Assets } from ".";
 import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking";
-import { getDeployment, getModuleSecret, getNamespace, getWatcher } from "./pods";
+import { getModuleSecret, getNamespace } from "./pods";
 import { clusterRole, clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";
-import { webhookConfig } from "./webhooks";
 import { genEnv } from "./pods";
+import { ModuleConfig } from "../core/module";
+import { CapabilityExport } from "../types";
+import { TLSOut } from "../tls";
+
+type CommonOverrideValues = {
+  apiToken: string;
+  capabilities: CapabilityExport[];
+  config: ModuleConfig;
+  hash: string;
+  name: string;
+};
+
+type ChartOverrides = CommonOverrideValues & {
+  image: string;
+};
+
+type ResourceOverrides = CommonOverrideValues & {
+  path: string;
+  tls: TLSOut;
+};
 
 // Helm Chart overrides file (values.yaml) generated from assets
 export async function overridesFile(
-  { hash, name, image, config, apiToken, capabilities }: Assets,
+  { hash, name, image, config, apiToken, capabilities }: ChartOverrides,
   path: string,
 ): Promise<void> {
   const rbacOverrides = clusterRole(name, capabilities, config.rbacMode, config.rbac).rules;
@@ -169,7 +191,7 @@ export async function overridesFile(
 
   await fs.writeFile(path, dumpYaml(overrides, { noRefs: true, forceQuotes: true }));
 }
-export function zarfYaml({ name, image, config }: Assets, path: string): string {
+export function generateZarfYaml(name: string, image: string, config: ModuleConfig, path: string): string {
   const zarfCfg = {
     kind: "ZarfPackageConfig",
     metadata: {
@@ -197,7 +219,7 @@ export function zarfYaml({ name, image, config }: Assets, path: string): string
   return dumpYaml(zarfCfg, { noRefs: true });
 }
 
-export function zarfYamlChart({ name, image, config }: Assets, path: string): string {
+export function generateZarfYamlChart(name: string, image: string, config: ModuleConfig, path: string): string {
   const zarfCfg = {
     kind: "ZarfPackageConfig",
     metadata: {
@@ -226,16 +248,16 @@ export function zarfYamlChart({ name, image, config }: Assets, path: string): st
   return dumpYaml(zarfCfg, { noRefs: true });
 }
 
-export async function allYaml(assets: Assets, imagePullSecret?: string): Promise<string> {
-  const { name, tls, apiToken, path, config } = assets;
-  const code = await fs.readFile(path);
-
-  // Generate a hash of the code
-  assets.hash = crypto.createHash("sha256").update(code).digest("hex");
+type webhooks = { validate: V1ValidatingWebhookConfiguration | null; mutate: V1MutatingWebhookConfiguration | null };
+type deployments = { default: V1Deployment; watch: V1Deployment | null };
 
-  const mutateWebhook = await webhookConfig(assets, "mutate", assets.config.webhookTimeout);
-  const validateWebhook = await webhookConfig(assets, "validate", assets.config.webhookTimeout);
-  const watchDeployment = getWatcher(assets, assets.hash, assets.buildTimestamp, imagePullSecret);
+export async function generateAllYaml(
+  webhooks: webhooks,
+  deployments: deployments,
+  assets: ResourceOverrides,
+): Promise<string> {
+  const { name, tls, hash, apiToken, path, config } = assets;
+  const code = await fs.readFile(path);
 
   const resources = [
     getNamespace(assets.config.customLabels?.namespace),
@@ -244,24 +266,24 @@ export async function allYaml(assets: Assets, imagePullSecret?: string): Promise
     serviceAccount(name),
     apiTokenSecret(name, apiToken),
     tlsSecret(name, tls),
-    getDeployment(assets, assets.hash, assets.buildTimestamp, imagePullSecret),
+    deployments.default,
     service(name),
     watcherService(name),
-    getModuleSecret(name, code, assets.hash),
+    getModuleSecret(name, code, hash),
     storeRole(name),
     storeRoleBinding(name),
   ];
 
-  if (mutateWebhook) {
-    resources.push(mutateWebhook);
+  if (webhooks.mutate) {
+    resources.push(webhooks.mutate);
   }
 
-  if (validateWebhook) {
-    resources.push(validateWebhook);
+  if (webhooks.validate) {
+    resources.push(webhooks.validate);
   }
 
-  if (watchDeployment) {
-    resources.push(watchDeployment);
+  if (deployments.watch) {
+    resources.push(deployments.watch);
   }
 
   // Convert the resources to a single YAML string