pepr 0.42.2 → 0.43.0

package/dist/cli.js

@@ -91,9 +91,8 @@ var import_esbuild2 = require("esbuild");
 var import_fs9 = require("fs");
 var import_path3 = require("path");
 
-// src/lib/assets/index.ts
-var import_crypto3 = __toESM(require("crypto"));
-var import_client_node2 = require("@kubernetes/client-node");
+// src/lib/assets/assets.ts
+var import_crypto = __toESM(require("crypto"));
 
 // src/lib/tls.ts
 var import_node_forge = __toESM(require("node-forge"));
@@ -152,264 +151,460 @@ function genCert(key, name2, issuer) {
   return crt;
 }
 
-// src/lib/assets/deploy.ts
-var import_crypto = __toESM(require("crypto"));
-var import_fs = require("fs");
-var import_kubernetes_fluent_client3 = require("kubernetes-fluent-client");
-
-// src/lib/telemetry/logger.ts
-var import_pino = require("pino");
-var isPrettyLog = true;
-var pretty = {
-  target: "pino-pretty",
-  options: {
-    colorize: true
-  }
-};
-var transport = isPrettyLog ? pretty : void 0;
-var pinoTimeFunction = process.env.PINO_TIME_STAMP === "iso" ? () => import_pino.stdTimeFunctions.isoTime() : () => import_pino.stdTimeFunctions.epochTime();
-var Log = (0, import_pino.pino)({
-  transport,
-  timestamp: pinoTimeFunction
-});
-if (process.env.LOG_LEVEL) {
-  Log.level = process.env.LOG_LEVEL;
-}
-var logger_default = Log;
-
-// src/lib/assets/networking.ts
-function apiTokenSecret(name2, apiToken) {
-  return {
-    apiVersion: "v1",
-    kind: "Secret",
-    metadata: {
-      name: `${name2}-api-token`,
-      namespace: "pepr-system"
-    },
-    type: "Opaque",
-    data: {
-      value: Buffer.from(apiToken).toString("base64")
-    }
-  };
-}
-function tlsSecret(name2, tls) {
-  return {
-    apiVersion: "v1",
-    kind: "Secret",
-    metadata: {
-      name: `${name2}-tls`,
-      namespace: "pepr-system"
-    },
-    type: "kubernetes.io/tls",
-    data: {
-      "tls.crt": tls.crt,
-      "tls.key": tls.key
-    }
-  };
-}
-function service(name2) {
-  return {
-    apiVersion: "v1",
-    kind: "Service",
-    metadata: {
-      name: name2,
-      namespace: "pepr-system",
-      labels: {
-        "pepr.dev/controller": "admission"
-      }
-    },
-    spec: {
-      selector: {
-        app: name2,
-        "pepr.dev/controller": "admission"
-      },
-      ports: [
-        {
-          port: 443,
-          targetPort: 3e3
-        }
-      ]
-    }
-  };
+// src/lib/assets/helm.ts
+function clusterRoleTemplate() {
+  return `
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole
+    metadata:
+      name: {{ .Values.uuid }}
+      namespace: pepr-system
+    rules: 
+      {{- if .Values.rbac }}
+      {{- toYaml .Values.rbac | nindent 2 }}
+      {{- end }}
+  `;
 }
-function watcherService(name2) {
-  return {
-    apiVersion: "v1",
-    kind: "Service",
-    metadata: {
-      name: `${name2}-watcher`,
-      namespace: "pepr-system",
-      labels: {
-        "pepr.dev/controller": "watcher"
-      }
-    },
-    spec: {
-      selector: {
-        app: `${name2}-watcher`,
-        "pepr.dev/controller": "watcher"
-      },
-      ports: [
-        {
-          port: 443,
-          targetPort: 3e3
-        }
-      ]
-    }
-  };
+function namespaceTemplate() {
+  return `
+    apiVersion: v1
+    kind: Namespace
+    metadata:
+        name: pepr-system
+        {{- if .Values.namespace.annotations }}
+        annotations:
+            {{- toYaml .Values.namespace.annotations | nindent 6 }}
+        {{- end }}
+        {{- if .Values.namespace.labels }}
+        labels:
+            {{- toYaml .Values.namespace.labels | nindent 6 }}
+        {{- end }}
+    `;
 }
+function chartYaml(name2, description) {
+  return `
+    apiVersion: v2
+    name: ${name2}
+    description: ${description || ""}
 
-// src/lib/assets/pods.ts
-var import_zlib = require("zlib");
+    # A chart can be either an 'application' or a 'library' chart.
+    #
+    # Application charts are a collection of templates that can be packaged into versioned archives
+    # to be deployed.
+    #
+    # Library charts provide useful utilities or functions for the chart developer. They're included as
+    # a dependency of application charts to inject those utilities and functions into the rendering
+    # pipeline. Library charts do not define any templates and therefore cannot be deployed.
+    type: application
 
-// src/sdk/sdk.ts
-var import_kubernetes_fluent_client = require("kubernetes-fluent-client");
-function sanitizeResourceName(name2) {
-  return name2.toLowerCase().replace(/[^a-z0-9]+/g, "-").slice(0, 250).replace(/^[^a-z]+|[^a-z]+$/g, "");
-}
+    # This is the chart version. This version number should be incremented each time you make changes
+    # to the chart and its templates, including the app version.
+    # Versions are expected to follow Semantic Versioning (https://semver.org/)
+    version: 0.1.0
 
-// src/lib/helpers.ts
-function matchesRegex(pattern, testString) {
-  return new RegExp(pattern).test(testString);
-}
-var ValidationError = class extends Error {
-};
-function validateCapabilityNames(capabilities) {
-  if (capabilities && capabilities.length > 0) {
-    for (let i = 0; i < capabilities.length; i++) {
-      if (capabilities[i].name !== sanitizeResourceName(capabilities[i].name)) {
-        throw new ValidationError(`Capability name is not a valid Kubernetes resource name: ${capabilities[i].name}`);
-      }
-    }
-  }
-}
-function createRBACMap(capabilities) {
-  return capabilities.reduce((acc, capability) => {
-    capability.bindings.forEach((binding) => {
-      const key = `${binding.kind.group}/${binding.kind.version}/${binding.kind.kind}`;
-      acc["pepr.dev/v1/peprstore"] = {
-        verbs: ["create", "get", "patch", "watch"],
-        plural: "peprstores"
-      };
-      acc["apiextensions.k8s.io/v1/customresourcedefinition"] = {
-        verbs: ["patch", "create"],
-        plural: "customresourcedefinitions"
-      };
-      if (!acc[key] && binding.isWatch) {
-        acc[key] = {
-          verbs: ["watch"],
-          plural: binding.kind.plural || `${binding.kind.kind.toLowerCase()}s`
-        };
-      }
-      if (binding.isFinalize) {
-        acc[key] = {
-          verbs: ["patch"],
-          plural: binding.kind.plural || `${binding.kind.kind.toLowerCase()}s`
-        };
-      }
-    });
-    return acc;
-  }, {});
-}
-function hasEveryOverlap(array1, array2) {
-  if (!Array.isArray(array1) || !Array.isArray(array2)) {
-    return false;
-  }
-  return array1.every((element) => array2.includes(element));
-}
-function hasAnyOverlap(array1, array2) {
-  if (!Array.isArray(array1) || !Array.isArray(array2)) {
-    return false;
-  }
-  return array1.some((element) => array2.includes(element));
-}
-function ignoredNamespaceConflict(ignoreNamespaces, bindingNamespaces) {
-  return hasAnyOverlap(bindingNamespaces, ignoreNamespaces);
-}
-function bindingAndCapabilityNSConflict(bindingNamespaces, capabilityNamespaces) {
-  if (!capabilityNamespaces) {
-    return false;
-  }
-  return capabilityNamespaces.length !== 0 && !hasEveryOverlap(bindingNamespaces, capabilityNamespaces);
-}
-function generateWatchNamespaceError(ignoredNamespaces, bindingNamespaces, capabilityNamespaces) {
-  let err = "";
-  if (ignoredNamespaceConflict(ignoredNamespaces, bindingNamespaces)) {
-    err += `Binding uses a Pepr ignored namespace: ignoredNamespaces: [${ignoredNamespaces.join(
-      ", "
-    )}] bindingNamespaces: [${bindingNamespaces.join(", ")}].`;
-  }
-  if (bindingAndCapabilityNSConflict(bindingNamespaces, capabilityNamespaces)) {
-    err += `Binding uses namespace not governed by capability: bindingNamespaces: [${bindingNamespaces.join(
-      ", "
-    )}] capabilityNamespaces: [${capabilityNamespaces.join(", ")}].`;
-  }
-  return err.replace(/\.([^ ])/g, ". $1");
+    # This is the version number of the application being deployed. This version number should be
+    # incremented each time you make changes to the application. Versions are not expected to
+    # follow Semantic Versioning. They should reflect the version the application is using.
+    # It is recommended to use it with quotes.
+    appVersion: "1.16.0"
+`;
 }
-function namespaceComplianceValidator(capability, ignoredNamespaces) {
-  const { namespaces: capabilityNamespaces, bindings, name: name2 } = capability;
-  const bindingNamespaces = bindings.flatMap((binding) => binding.filters.namespaces);
-  const bindingRegexNamespaces = bindings.flatMap(
-    (binding) => binding.filters.regexNamespaces || []
-  );
-  const namespaceError = generateWatchNamespaceError(
-    ignoredNamespaces ? ignoredNamespaces : [],
-    bindingNamespaces,
-    capabilityNamespaces ? capabilityNamespaces : []
-  );
-  if (namespaceError !== "") {
-    throw new Error(
-      `Error in ${name2} capability. A binding violates namespace rules. Please check ignoredNamespaces and capability namespaces: ${namespaceError}`
-    );
-  }
-  matchRegexToCapababilityNamespace(bindingRegexNamespaces, capabilityNamespaces);
-  checkRegexNamespaces(bindingRegexNamespaces, ignoredNamespaces);
+function watcherDeployTemplate(buildTimestamp) {
+  return `
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: {{ .Values.uuid }}-watcher
+        namespace: pepr-system
+        annotations:
+          {{- toYaml .Values.watcher.annotations | nindent 4 }}
+        labels:
+          {{- toYaml .Values.watcher.labels | nindent 4 }}
+      spec:
+        replicas: 1
+        strategy:
+          type: Recreate
+        selector:
+          matchLabels:
+            app: {{ .Values.uuid }}-watcher
+            pepr.dev/controller: watcher
+        template:
+          metadata:
+            annotations: 
+              buildTimestamp: "${buildTimestamp}"
+              {{- if .Values.watcher.podAnnotations }}
+              {{- toYaml .Values.watcher.podAnnotations | nindent 8 }}
+              {{- end }}
+            labels:
+              app: {{ .Values.uuid }}-watcher
+              pepr.dev/controller: watcher
+          spec:
+            terminationGracePeriodSeconds: {{ .Values.watcher.terminationGracePeriodSeconds }}
+            serviceAccountName: {{ .Values.uuid }}
+            securityContext:
+              {{- toYaml .Values.admission.securityContext | nindent 8 }}
+            containers:
+              - name: watcher
+                image: {{ .Values.watcher.image }}
+                imagePullPolicy: IfNotPresent
+                {{- if gt (len .Values.imagePullSecrets) 0 }}
+                imagePullSecrets:
+                  {{- range .Values.imagePullSecrets }}
+                  - name: {{ . }}
+                  {{- end }}
+                {{- end }}
+                args:
+                  - /app/node_modules/pepr/dist/controller.js
+                  - {{ .Values.hash }}
+                readinessProbe:
+                  {{- toYaml .Values.watcher.readinessProbe | nindent 12 }}
+                livenessProbe:
+                  {{- toYaml .Values.watcher.livenessProbe | nindent 12 }}
+                ports:
+                  - containerPort: 3000
+                resources:
+                  {{- toYaml .Values.watcher.resources | nindent 12 }}
+                env:
+                  {{- toYaml .Values.watcher.env | nindent 12 }}
+                  - name: PEPR_WATCH_MODE
+                    value: "true"
+                  {{- if .Values.additionalIgnoredNamespaces }}
+                  - name: PEPR_ADDITIONAL_IGNORED_NAMESPACES
+                    value: "{{ join ", " .Values.additionalIgnoredNamespaces }}"
+                  {{- end }}
+                envFrom:
+                  {{- toYaml .Values.watcher.envFrom | nindent 12 }}
+                securityContext:
+                  {{- toYaml .Values.watcher.containerSecurityContext | nindent 12 }}
+                volumeMounts:
+                  - name: tls-certs
+                    mountPath: /etc/certs
+                    readOnly: true
+                  - name: module
+                    mountPath: /app/load
+                    readOnly: true
+                  {{- if .Values.watcher.extraVolumeMounts }}
+                  {{- toYaml .Values.watcher.extraVolumeMounts | nindent 12 }}
+                  {{- end }}
+            volumes:
+              - name: tls-certs
+                secret:
+                  secretName: {{ .Values.uuid }}-tls
+              - name: module
+                secret:
+                  secretName: {{ .Values.uuid }}-module
+              {{- if .Values.watcher.extraVolumes }}
+              {{- toYaml .Values.watcher.extraVolumes | nindent 8 }}
+              {{- end }}
+    `;
 }
-var matchRegexToCapababilityNamespace = (bindingRegexNamespaces, capabilityNamespaces) => {
-  if (bindingRegexNamespaces.length > 0 && capabilityNamespaces && capabilityNamespaces.length > 0) {
-    for (const regexNamespace of bindingRegexNamespaces) {
-      let matches = false;
-      matches = regexNamespace !== "" && capabilityNamespaces.some((capabilityNamespace) => matchesRegex(regexNamespace, capabilityNamespace));
-      if (!matches) {
-        throw new Error(
-          `Ignoring Watch Callback: Object namespace does not match any capability namespace with regex ${regexNamespace}.`
-        );
-      }
-    }
-  }
-};
-var checkRegexNamespaces = (bindingRegexNamespaces, ignoredNamespaces) => {
-  if (bindingRegexNamespaces.length > 0 && ignoredNamespaces && ignoredNamespaces.length > 0) {
-    for (const regexNamespace of bindingRegexNamespaces) {
-      const matchedNS = ignoredNamespaces.find((ignoredNS) => matchesRegex(regexNamespace, ignoredNS));
-      if (matchedNS) {
-        throw new Error(
-          `Ignoring Watch Callback: Regex namespace: ${regexNamespace}, is an ignored namespace: ${matchedNS}.`
-        );
-      }
+function admissionDeployTemplate(buildTimestamp) {
+  return `
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: {{ .Values.uuid }}
+        namespace: pepr-system
+        annotations:
+          {{- toYaml .Values.admission.annotations | nindent 4 }}
+        labels:
+          {{- toYaml .Values.admission.labels | nindent 4 }}
+      spec:
+        replicas: 2
+        selector:
+          matchLabels:
+            app: {{ .Values.uuid }}
+            pepr.dev/controller: admission
+        template:
+          metadata:
+            annotations:
+              buildTimestamp: "${buildTimestamp}"
+              {{- if .Values.admission.podAnnotations }}
+              {{- toYaml .Values.admission.podAnnotations | nindent 8 }}
+              {{- end }}
+            labels:
+              app: {{ .Values.uuid }}
+              pepr.dev/controller: admission
+          spec:
+            terminationGracePeriodSeconds: {{ .Values.admission.terminationGracePeriodSeconds }}
+            priorityClassName: system-node-critical
+            serviceAccountName: {{ .Values.uuid }}
+            securityContext:
+              {{- toYaml .Values.admission.securityContext | nindent 8 }}
+            containers:
+              - name: server
+                image: {{ .Values.admission.image }}
+                imagePullPolicy: IfNotPresent
+                {{- if gt (len .Values.imagePullSecrets) 0 }}
+                imagePullSecrets:
+                  {{- range .Values.imagePullSecrets }}
+                  - name: {{ . }}
+                  {{- end }}
+                {{- end }}
+                args:
+                  - /app/node_modules/pepr/dist/controller.js
+                  - {{ .Values.hash }}
+                readinessProbe:
+                  {{- toYaml .Values.admission.readinessProbe | nindent 12 }}
+                livenessProbe:
+                  {{- toYaml .Values.admission.livenessProbe | nindent 12 }}
+                ports:
+                  - containerPort: 3000
+                resources:
+                  {{- toYaml .Values.admission.resources | nindent 12 }}
+                env:
+                  {{- toYaml .Values.admission.env | nindent 12 }}
+                  - name: PEPR_WATCH_MODE
+                    value: "false"
+                  {{- if .Values.additionalIgnoredNamespaces }}
+                  - name: PEPR_ADDITIONAL_IGNORED_NAMESPACES
+                    value: "{{ join ", " .Values.additionalIgnoredNamespaces }}"
+                  {{- end }}
+                envFrom:
+                  {{- toYaml .Values.admission.envFrom | nindent 12 }}
+                securityContext:
+                  {{- toYaml .Values.admission.containerSecurityContext | nindent 12 }}
+                volumeMounts:
+                  - name: tls-certs
+                    mountPath: /etc/certs
+                    readOnly: true
+                  - name: api-token
+                    mountPath: /app/api-token
+                    readOnly: true
+                  - name: module
+                    mountPath: /app/load
+                    readOnly: true
+                  {{- if .Values.admission.extraVolumeMounts }}
+                  {{- toYaml .Values.admission.extraVolumeMounts | nindent 12 }}
+                  {{- end }}
+            volumes:
+              - name: tls-certs
+                secret:
+                  secretName: {{ .Values.uuid }}-tls
+              - name: api-token
+                secret:
+                  secretName: {{ .Values.uuid }}-api-token
+              - name: module
+                secret:
+                  secretName: {{ .Values.uuid }}-module  
+              {{- if .Values.admission.extraVolumes }}
+              {{- toYaml .Values.admission.extraVolumes | nindent 8 }}
+              {{- end }}
+    `;
+}
+function serviceMonitorTemplate(name2) {
+  return `
+      {{- if .Values.${name2}.serviceMonitor.enabled }}
+      apiVersion: monitoring.coreos.com/v1
+      kind: ServiceMonitor
+      metadata:
+        name: ${name2}
+        annotations:
+          {{- toYaml .Values.${name2}.serviceMonitor.annotations | nindent 4 }}
+        labels:
+          {{- toYaml .Values.${name2}.serviceMonitor.labels | nindent 4 }}
+      spec:
+        selector:
+          matchLabels:
+            pepr.dev/controller: ${name2}
+        namespaceSelector:
+          matchNames:
+            - pepr-system
+        endpoints:
+          - targetPort: 3000
+            scheme: https
+            tlsConfig:
+              insecureSkipVerify: true
+      {{- end }}
+    `;
+}
+
+// src/lib/filesystemService.ts
+var import_fs = require("fs");
+async function createDirectoryIfNotExists(path) {
+  try {
+    await import_fs.promises.access(path);
+  } catch (error) {
+    if (error.code === "ENOENT") {
+      await import_fs.promises.mkdir(path, { recursive: true });
+    } else {
+      throw error;
     }
   }
-};
-function secretOverLimit(str) {
-  const encoder = new TextEncoder();
-  const encoded = encoder.encode(str);
-  const sizeInBytes = encoded.length;
-  const oneMiBInBytes = 1048576;
-  return sizeInBytes > oneMiBInBytes;
 }
-var parseTimeout = (value) => {
-  const parsedValue = parseInt(value, 10);
-  const floatValue = parseFloat(value);
-  if (isNaN(parsedValue)) {
-    throw new Error("Not a number.");
-  } else if (parsedValue !== floatValue) {
-    throw new Error("Value must be an integer.");
-  } else if (parsedValue < 1 || parsedValue > 30) {
-    throw new Error("Number must be between 1 and 30.");
+
+// src/lib/assets/pods.ts
+var import_zlib = require("zlib");
+
+// src/lib/telemetry/logger.ts
+var import_pino = require("pino");
+var isPrettyLog = true;
+var pretty = {
+  target: "pino-pretty",
+  options: {
+    colorize: true
   }
-  return parsedValue;
 };
-function dedent(file) {
-  const lines = file.split("\n");
+var transport = isPrettyLog ? pretty : void 0;
+var pinoTimeFunction = process.env.PINO_TIME_STAMP === "iso" ? () => import_pino.stdTimeFunctions.isoTime() : () => import_pino.stdTimeFunctions.epochTime();
+var Log = (0, import_pino.pino)({
+  transport,
+  timestamp: pinoTimeFunction
+});
+if (process.env.LOG_LEVEL) {
+  Log.level = process.env.LOG_LEVEL;
+}
+var logger_default = Log;
+
+// src/sdk/sdk.ts
+var import_kubernetes_fluent_client = require("kubernetes-fluent-client");
+function sanitizeResourceName(name2) {
+  return name2.toLowerCase().replace(/[^a-z0-9]+/g, "-").slice(0, 250).replace(/^[^a-z]+|[^a-z]+$/g, "");
+}
+
+// src/lib/helpers.ts
+function matchesRegex(pattern, testString) {
+  return new RegExp(pattern).test(testString);
+}
+var ValidationError = class extends Error {
+};
+function validateCapabilityNames(capabilities) {
+  if (capabilities && capabilities.length > 0) {
+    for (let i = 0; i < capabilities.length; i++) {
+      if (capabilities[i].name !== sanitizeResourceName(capabilities[i].name)) {
+        throw new ValidationError(`Capability name is not a valid Kubernetes resource name: ${capabilities[i].name}`);
+      }
+    }
+  }
+}
+function createRBACMap(capabilities) {
+  return capabilities.reduce((acc, capability) => {
+    capability.bindings.forEach((binding) => {
+      const key = `${binding.kind.group}/${binding.kind.version}/${binding.kind.kind}`;
+      acc["pepr.dev/v1/peprstore"] = {
+        verbs: ["create", "get", "patch", "watch"],
+        plural: "peprstores"
+      };
+      acc["apiextensions.k8s.io/v1/customresourcedefinition"] = {
+        verbs: ["patch", "create"],
+        plural: "customresourcedefinitions"
+      };
+      if (!acc[key] && binding.isWatch) {
+        acc[key] = {
+          verbs: ["watch"],
+          plural: binding.kind.plural || `${binding.kind.kind.toLowerCase()}s`
+        };
+      }
+      if (binding.isFinalize) {
+        acc[key] = {
+          verbs: ["patch"],
+          plural: binding.kind.plural || `${binding.kind.kind.toLowerCase()}s`
+        };
+      }
+    });
+    return acc;
+  }, {});
+}
+function hasEveryOverlap(array1, array2) {
+  if (!Array.isArray(array1) || !Array.isArray(array2)) {
+    return false;
+  }
+  return array1.every((element) => array2.includes(element));
+}
+function hasAnyOverlap(array1, array2) {
+  if (!Array.isArray(array1) || !Array.isArray(array2)) {
+    return false;
+  }
+  return array1.some((element) => array2.includes(element));
+}
+function ignoredNamespaceConflict(ignoreNamespaces, bindingNamespaces) {
+  return hasAnyOverlap(bindingNamespaces, ignoreNamespaces);
+}
+function bindingAndCapabilityNSConflict(bindingNamespaces, capabilityNamespaces) {
+  if (!capabilityNamespaces) {
+    return false;
+  }
+  return capabilityNamespaces.length !== 0 && !hasEveryOverlap(bindingNamespaces, capabilityNamespaces);
+}
+function generateWatchNamespaceError(ignoredNamespaces, bindingNamespaces, capabilityNamespaces) {
+  let err = "";
+  if (ignoredNamespaceConflict(ignoredNamespaces, bindingNamespaces)) {
+    err += `Binding uses a Pepr ignored namespace: ignoredNamespaces: [${ignoredNamespaces.join(
+      ", "
+    )}] bindingNamespaces: [${bindingNamespaces.join(", ")}].`;
+  }
+  if (bindingAndCapabilityNSConflict(bindingNamespaces, capabilityNamespaces)) {
+    err += `Binding uses namespace not governed by capability: bindingNamespaces: [${bindingNamespaces.join(
+      ", "
+    )}] capabilityNamespaces: [${capabilityNamespaces.join(", ")}].`;
+  }
+  return err.replace(/\.([^ ])/g, ". $1");
+}
+function namespaceComplianceValidator(capability, ignoredNamespaces) {
+  const { namespaces: capabilityNamespaces, bindings, name: name2 } = capability;
+  const bindingNamespaces = bindings.flatMap((binding) => binding.filters.namespaces);
+  const bindingRegexNamespaces = bindings.flatMap(
+    (binding) => binding.filters.regexNamespaces || []
+  );
+  const namespaceError = generateWatchNamespaceError(
+    ignoredNamespaces ? ignoredNamespaces : [],
+    bindingNamespaces,
+    capabilityNamespaces ? capabilityNamespaces : []
+  );
+  if (namespaceError !== "") {
+    throw new Error(
+      `Error in ${name2} capability. A binding violates namespace rules. Please check ignoredNamespaces and capability namespaces: ${namespaceError}`
+    );
+  }
+  matchRegexToCapababilityNamespace(bindingRegexNamespaces, capabilityNamespaces);
+  checkRegexNamespaces(bindingRegexNamespaces, ignoredNamespaces);
+}
+var matchRegexToCapababilityNamespace = (bindingRegexNamespaces, capabilityNamespaces) => {
+  if (bindingRegexNamespaces.length > 0 && capabilityNamespaces && capabilityNamespaces.length > 0) {
+    for (const regexNamespace of bindingRegexNamespaces) {
+      let matches = false;
+      matches = regexNamespace !== "" && capabilityNamespaces.some((capabilityNamespace) => matchesRegex(regexNamespace, capabilityNamespace));
+      if (!matches) {
+        throw new Error(
+          `Ignoring Watch Callback: Object namespace does not match any capability namespace with regex ${regexNamespace}.`
+        );
+      }
+    }
+  }
+};
+var checkRegexNamespaces = (bindingRegexNamespaces, ignoredNamespaces) => {
+  if (bindingRegexNamespaces.length > 0 && ignoredNamespaces && ignoredNamespaces.length > 0) {
+    for (const regexNamespace of bindingRegexNamespaces) {
+      const matchedNS = ignoredNamespaces.find((ignoredNS) => matchesRegex(regexNamespace, ignoredNS));
+      if (matchedNS) {
+        throw new Error(
+          `Ignoring Watch Callback: Regex namespace: ${regexNamespace}, is an ignored namespace: ${matchedNS}.`
+        );
+      }
+    }
+  }
+};
+function secretOverLimit(str) {
+  const encoder = new TextEncoder();
+  const encoded = encoder.encode(str);
+  const sizeInBytes = encoded.length;
+  const oneMiBInBytes = 1048576;
+  return sizeInBytes > oneMiBInBytes;
+}
+var parseTimeout = (value) => {
+  const parsedValue = parseInt(value, 10);
+  const floatValue = parseFloat(value);
+  if (isNaN(parsedValue)) {
+    throw new Error("Not a number.");
+  } else if (parsedValue !== floatValue) {
+    throw new Error("Value must be an integer.");
+  } else if (parsedValue < 1 || parsedValue > 30) {
+    throw new Error("Number must be between 1 and 30.");
+  }
+  return parsedValue;
+};
+function dedent(file) {
+  const lines = file.split("\n");
   if (lines[0].trim() === "") {
     lines.shift();
     file = lines.join("\n");
@@ -464,7 +659,7 @@ function getWatcher(assets, hash, buildTimestamp, imagePullSecret) {
   if (bindings.length < 1 && !hasSchedule) {
     return null;
   }
-  const deploy2 = {
+  const deploy = {
     apiVersion: "apps/v1",
     kind: "Deployment",
     metadata: {
@@ -514,7 +709,7 @@ function getWatcher(assets, hash, buildTimestamp, imagePullSecret) {
               name: "watcher",
               image,
               imagePullPolicy: "IfNotPresent",
-              command: ["node", "/app/node_modules/pepr/dist/controller.js", hash],
+              args: ["/app/node_modules/pepr/dist/controller.js", hash],
               readinessProbe: {
                 httpGet: {
                   path: "/healthz",
@@ -589,14 +784,14 @@ function getWatcher(assets, hash, buildTimestamp, imagePullSecret) {
     }
   };
   if (imagePullSecret) {
-    deploy2.spec.template.spec.imagePullSecrets = [{ name: imagePullSecret }];
+    deploy.spec.template.spec.imagePullSecrets = [{ name: imagePullSecret }];
   }
-  return deploy2;
+  return deploy;
 }
 function getDeployment(assets, hash, buildTimestamp, imagePullSecret) {
   const { name: name2, image, config } = assets;
   const app = name2;
-  const deploy2 = {
+  const deploy = {
     apiVersion: "apps/v1",
     kind: "Deployment",
     metadata: {
@@ -644,7 +839,7 @@ function getDeployment(assets, hash, buildTimestamp, imagePullSecret) {
               name: "server",
               image,
               imagePullPolicy: "IfNotPresent",
-              command: ["node", "/app/node_modules/pepr/dist/controller.js", hash],
+              args: ["/app/node_modules/pepr/dist/controller.js", hash],
               readinessProbe: {
                 httpGet: {
                   path: "/healthz",
@@ -730,9 +925,9 @@ function getDeployment(assets, hash, buildTimestamp, imagePullSecret) {
     }
   };
   if (imagePullSecret) {
-    deploy2.spec.template.spec.imagePullSecrets = [{ name: imagePullSecret }];
+    deploy.spec.template.spec.imagePullSecrets = [{ name: imagePullSecret }];
   }
-  return deploy2;
+  return deploy;
 }
 function getModuleSecret(name2, data, hash) {
   const compressed = (0, import_zlib.gzipSync)(data);
@@ -773,6 +968,9 @@ function genEnv(config, watchMode = false, ignoreWatchMode = false) {
   return ignoreWatchMode ? Object.entries({ ...noWatchDef, ...cfg }).map(([name2, value]) => ({ name: name2, value })) : Object.entries({ ...def, ...cfg }).map(([name2, value]) => ({ name: name2, value }));
 }
 
+// src/lib/assets/yaml/overridesFile.ts
+var import_client_node = require("@kubernetes/client-node");
+
 // src/lib/assets/rbac.ts
 function clusterRole(name2, capabilities, rbacMode = "admin", customRbac) {
   const rbacMap = createRBACMap(capabilities);
@@ -867,897 +1065,422 @@ function storeRoleBinding(name2) {
     },
     subjects: [
       {
-        kind: "ServiceAccount",
-        name: name2,
-        namespace: "pepr-system"
-      }
-    ]
-  };
-}
-
-// src/lib/k8s.ts
-var import_kubernetes_fluent_client2 = require("kubernetes-fluent-client");
-var Store = class extends import_kubernetes_fluent_client2.GenericKind {
-};
-var peprStoreGVK = {
-  kind: "PeprStore",
-  version: "v1",
-  group: "pepr.dev"
-};
-(0, import_kubernetes_fluent_client2.RegisterKind)(Store, peprStoreGVK);
-
-// src/lib/assets/store.ts
-var { group, version, kind: kind2 } = peprStoreGVK;
-var singular = kind2.toLocaleLowerCase();
-var plural = `${singular}s`;
-var name = `${plural}.${group}`;
-var peprStoreCRD = {
-  apiVersion: "apiextensions.k8s.io/v1",
-  kind: "CustomResourceDefinition",
-  metadata: {
-    name
-  },
-  spec: {
-    group,
-    versions: [
-      {
-        // typescript doesn't know this is really already set, which is kind of annoying
-        name: version || "v1",
-        served: true,
-        storage: true,
-        schema: {
-          openAPIV3Schema: {
-            type: "object",
-            properties: {
-              data: {
-                type: "object",
-                additionalProperties: {
-                  type: "string"
-                }
-              }
-            }
-          }
-        }
-      }
-    ],
-    scope: "Namespaced",
-    names: {
-      plural,
-      singular,
-      kind: kind2
-    }
-  }
-};
-
-// src/lib/assets/webhooks.ts
-var import_ramda = require("ramda");
-var peprIgnoreLabel = {
-  key: "pepr.dev",
-  operator: "NotIn",
-  values: ["ignore"]
-};
-var peprIgnoreNamespaces = ["kube-system", "pepr-system"];
-var validateRule = (binding, isMutateWebhook) => {
-  const { event, kind: kind8, isMutate, isValidate } = binding;
-  if (isMutateWebhook && !isMutate || !isMutateWebhook && !isValidate) {
-    return void 0;
-  }
-  const operations = event === "CREATEORUPDATE" /* CREATE_OR_UPDATE */ ? ["CREATE" /* CREATE */, "UPDATE" /* UPDATE */] : [event];
-  const resource = kind8.plural || `${kind8.kind.toLowerCase()}s`;
-  const ruleObject = {
-    apiGroups: [kind8.group],
-    apiVersions: [kind8.version || "*"],
-    operations,
-    resources: [resource, ...resource === "pods" ? ["pods/ephemeralcontainers"] : []]
-  };
-  return ruleObject;
-};
-async function generateWebhookRules(assets, isMutateWebhook) {
-  const { config, capabilities } = assets;
-  const rules = capabilities.flatMap((capability) => {
-    console.info(`Module ${config.uuid} has capability: ${capability.name}`);
-    return capability.bindings.map((binding) => validateRule(binding, isMutateWebhook)).filter((rule) => !!rule);
-  });
-  return (0, import_ramda.uniqWith)(import_ramda.equals, rules);
-}
-async function webhookConfig(assets, mutateOrValidate, timeoutSeconds = 10) {
-  const ignore = [peprIgnoreLabel];
-  const { name: name2, tls, config, apiToken, host } = assets;
-  const ignoreNS = (0, import_ramda.concat)(peprIgnoreNamespaces, config?.alwaysIgnore?.namespaces || []);
-  if (ignoreNS) {
-    ignore.push({
-      key: "kubernetes.io/metadata.name",
-      operator: "NotIn",
-      values: ignoreNS
-    });
-  }
-  const clientConfig = {
-    caBundle: tls.ca
-  };
-  const apiPath = `/${mutateOrValidate}/${apiToken}`;
-  if (host) {
-    clientConfig.url = `https://${host}:3000${apiPath}`;
-  } else {
-    clientConfig.service = {
-      name: name2,
-      namespace: "pepr-system",
-      path: apiPath
-    };
-  }
-  const isMutate = mutateOrValidate === "mutate";
-  const rules = await generateWebhookRules(assets, isMutate);
-  if (rules.length < 1) {
-    return null;
-  }
-  return {
-    apiVersion: "admissionregistration.k8s.io/v1",
-    kind: isMutate ? "MutatingWebhookConfiguration" : "ValidatingWebhookConfiguration",
-    metadata: { name: name2 },
-    webhooks: [
-      {
-        name: `${name2}.pepr.dev`,
-        admissionReviewVersions: ["v1", "v1beta1"],
-        clientConfig,
-        failurePolicy: config.onError === "reject" ? "Fail" : "Ignore",
-        matchPolicy: "Equivalent",
-        timeoutSeconds,
-        namespaceSelector: {
-          matchExpressions: ignore
-        },
-        objectSelector: {
-          matchExpressions: ignore
-        },
-        rules,
-        // @todo: track side effects state
-        sideEffects: "None"
-      }
-    ]
-  };
-}
-
-// src/lib/assets/deploy.ts
-async function deployImagePullSecret(imagePullSecret, name2) {
-  try {
-    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Namespace).Get("pepr-system");
-  } catch {
-    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Namespace).Apply(getNamespace());
-  }
-  try {
-    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Secret).Apply(
-      {
-        apiVersion: "v1",
-        kind: "Secret",
-        metadata: {
-          name: name2,
-          namespace: "pepr-system"
-        },
-        type: "kubernetes.io/dockerconfigjson",
-        data: {
-          ".dockerconfigjson": Buffer.from(JSON.stringify(imagePullSecret)).toString("base64")
-        }
-      },
-      { force: true }
-    );
-  } catch (e) {
-    logger_default.error(e);
-  }
-}
-async function deploy(assets, force, webhookTimeout) {
-  logger_default.info("Establishing connection to Kubernetes");
-  const { name: name2, host, path } = assets;
-  logger_default.info("Applying pepr-system namespace");
-  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Namespace).Apply(getNamespace(assets.config.customLabels?.namespace));
-  const mutateWebhook = await webhookConfig(assets, "mutate", webhookTimeout);
-  if (mutateWebhook) {
-    logger_default.info("Applying mutating webhook");
-    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.MutatingWebhookConfiguration).Apply(mutateWebhook, { force });
-  } else {
-    logger_default.info("Mutating webhook not needed, removing if it exists");
-    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.MutatingWebhookConfiguration).Delete(name2);
-  }
-  const validateWebhook = await webhookConfig(assets, "validate", webhookTimeout);
-  if (validateWebhook) {
-    logger_default.info("Applying validating webhook");
-    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.ValidatingWebhookConfiguration).Apply(validateWebhook, { force });
-  } else {
-    logger_default.info("Validating webhook not needed, removing if it exists");
-    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.ValidatingWebhookConfiguration).Delete(name2);
-  }
-  logger_default.info("Applying the Pepr Store CRD if it doesn't exist");
-  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.CustomResourceDefinition).Apply(peprStoreCRD, { force });
-  if (host) {
-    return;
-  }
-  const code = await import_fs.promises.readFile(path);
-  const hash = import_crypto.default.createHash("sha256").update(code).digest("hex");
-  if (code.length < 1) {
-    throw new Error("No code provided");
-  }
-  await setupRBAC(name2, assets.capabilities, force, assets.config);
-  await setupController(assets, code, hash, force);
-  await setupWatcher(assets, hash, force);
-}
-async function setupRBAC(name2, capabilities, force, config) {
-  const { rbacMode, rbac } = config;
-  logger_default.info("Applying cluster role binding");
-  const crb = clusterRoleBinding(name2);
-  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.ClusterRoleBinding).Apply(crb, { force });
-  logger_default.info("Applying cluster role");
-  const cr = clusterRole(name2, capabilities, rbacMode, rbac);
-  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.ClusterRole).Apply(cr, { force });
-  logger_default.info("Applying service account");
-  const sa = serviceAccount(name2);
-  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.ServiceAccount).Apply(sa, { force });
-  logger_default.info("Applying store role");
-  const role = storeRole(name2);
-  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Role).Apply(role, { force });
-  logger_default.info("Applying store role binding");
-  const roleBinding = storeRoleBinding(name2);
-  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.RoleBinding).Apply(roleBinding, { force });
-}
-async function setupController(assets, code, hash, force) {
-  const { name: name2 } = assets;
-  logger_default.info("Applying module secret");
-  const mod = getModuleSecret(name2, code, hash);
-  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Secret).Apply(mod, { force });
-  logger_default.info("Applying controller service");
-  const svc = service(name2);
-  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Service).Apply(svc, { force });
-  logger_default.info("Applying TLS secret");
-  const tls = tlsSecret(name2, assets.tls);
-  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Secret).Apply(tls, { force });
-  logger_default.info("Applying API token secret");
-  const apiToken = apiTokenSecret(name2, assets.apiToken);
-  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Secret).Apply(apiToken, { force });
-  logger_default.info("Applying deployment");
-  const dep = getDeployment(assets, hash, assets.buildTimestamp);
-  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Deployment).Apply(dep, { force });
-}
-async function setupWatcher(assets, hash, force) {
-  const watchDeployment = getWatcher(assets, hash, assets.buildTimestamp);
-  if (watchDeployment) {
-    logger_default.info("Applying watcher deployment");
-    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Deployment).Apply(watchDeployment, { force });
-    logger_default.info("Applying watcher service");
-    const watchSvc = watcherService(assets.name);
-    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Service).Apply(watchSvc, { force });
-  }
-}
-
-// src/lib/assets/loader.ts
-var import_child_process = require("child_process");
-function loadCapabilities(path) {
-  return new Promise((resolve6, reject) => {
-    const program2 = (0, import_child_process.fork)(path, {
-      env: {
-        ...process.env,
-        LOG_LEVEL: "warn",
-        PEPR_MODE: "build",
-        NODE_OPTIONS: "--disable-warning=DEP0040"
-      }
-    });
-    program2.on("message", (message) => {
-      const capabilities = message.valueOf();
-      for (const capability of capabilities) {
-        console.info(`Registered Pepr Capability "${capability.name}"`);
-      }
-      resolve6(capabilities);
-    });
-    program2.on("error", (error) => {
-      reject(error);
-    });
-  });
-}
-
-// src/lib/assets/yaml.ts
-var import_client_node = require("@kubernetes/client-node");
-var import_crypto2 = __toESM(require("crypto"));
-var import_fs2 = require("fs");
-async function overridesFile({ hash, name: name2, image, config, apiToken, capabilities }, path) {
-  const rbacOverrides = clusterRole(name2, capabilities, config.rbacMode, config.rbac).rules;
-  const overrides = {
-    rbac: rbacOverrides,
-    secrets: {
-      apiToken: Buffer.from(apiToken).toString("base64")
-    },
-    hash,
-    namespace: {
-      annotations: {},
-      labels: {
-        "pepr.dev": ""
-      }
-    },
-    uuid: name2,
-    admission: {
-      terminationGracePeriodSeconds: 5,
-      failurePolicy: config.onError === "reject" ? "Fail" : "Ignore",
-      webhookTimeout: config.webhookTimeout,
-      env: genEnv(config, false, true),
-      envFrom: [],
-      image,
-      annotations: {
-        "pepr.dev/description": `${config.description}` || ""
-      },
-      labels: {
-        app: name2,
-        "pepr.dev/controller": "admission",
-        "pepr.dev/uuid": config.uuid
-      },
-      securityContext: {
-        runAsUser: 65532,
-        runAsGroup: 65532,
-        runAsNonRoot: true,
-        fsGroup: 65532
-      },
-      readinessProbe: {
-        httpGet: {
-          path: "/healthz",
-          port: 3e3,
-          scheme: "HTTPS"
-        },
-        initialDelaySeconds: 10
-      },
-      livenessProbe: {
-        httpGet: {
-          path: "/healthz",
-          port: 3e3,
-          scheme: "HTTPS"
-        },
-        initialDelaySeconds: 10
-      },
-      resources: {
-        requests: {
-          memory: "256Mi",
-          cpu: "200m"
-        },
-        limits: {
-          memory: "512Mi",
-          cpu: "500m"
-        }
-      },
-      containerSecurityContext: {
-        runAsUser: 65532,
-        runAsGroup: 65532,
-        runAsNonRoot: true,
-        allowPrivilegeEscalation: false,
-        capabilities: {
-          drop: ["ALL"]
-        }
-      },
-      podAnnotations: {},
-      nodeSelector: {},
-      tolerations: [],
-      extraVolumeMounts: [],
-      extraVolumes: [],
-      affinity: {},
-      serviceMonitor: {
-        enabled: false,
-        labels: {},
-        annotations: {}
-      }
-    },
-    watcher: {
-      terminationGracePeriodSeconds: 5,
-      env: genEnv(config, true, true),
-      envFrom: [],
-      image,
-      annotations: {
-        "pepr.dev/description": `${config.description}` || ""
-      },
-      labels: {
-        app: `${name2}-watcher`,
-        "pepr.dev/controller": "watcher",
-        "pepr.dev/uuid": config.uuid
-      },
-      securityContext: {
-        runAsUser: 65532,
-        runAsGroup: 65532,
-        runAsNonRoot: true,
-        fsGroup: 65532
-      },
-      readinessProbe: {
-        httpGet: {
-          path: "/healthz",
-          port: 3e3,
-          scheme: "HTTPS"
-        },
-        initialDelaySeconds: 10
-      },
-      livenessProbe: {
-        httpGet: {
-          path: "/healthz",
-          port: 3e3,
-          scheme: "HTTPS"
-        },
-        initialDelaySeconds: 10
-      },
-      resources: {
-        requests: {
-          memory: "256Mi",
-          cpu: "200m"
-        },
-        limits: {
-          memory: "512Mi",
-          cpu: "500m"
-        }
-      },
-      containerSecurityContext: {
-        runAsUser: 65532,
-        runAsGroup: 65532,
-        runAsNonRoot: true,
-        allowPrivilegeEscalation: false,
-        capabilities: {
-          drop: ["ALL"]
-        }
-      },
-      nodeSelector: {},
-      tolerations: [],
-      extraVolumeMounts: [],
-      extraVolumes: [],
-      affinity: {},
-      podAnnotations: {},
-      serviceMonitor: {
-        enabled: false,
-        labels: {},
-        annotations: {}
-      }
-    }
-  };
-  await import_fs2.promises.writeFile(path, (0, import_client_node.dumpYaml)(overrides, { noRefs: true, forceQuotes: true }));
-}
-function zarfYaml({ name: name2, image, config }, path) {
-  const zarfCfg = {
-    kind: "ZarfPackageConfig",
-    metadata: {
-      name: name2,
-      description: `Pepr Module: ${config.description}`,
-      url: "https://github.com/defenseunicorns/pepr",
-      version: `${config.appVersion || "0.0.1"}`
-    },
-    components: [
-      {
-        name: "module",
-        required: true,
-        manifests: [
-          {
-            name: "module",
-            namespace: "pepr-system",
-            files: [path]
-          }
-        ],
-        images: [image]
-      }
-    ]
-  };
-  return (0, import_client_node.dumpYaml)(zarfCfg, { noRefs: true });
-}
-function zarfYamlChart({ name: name2, image, config }, path) {
-  const zarfCfg = {
-    kind: "ZarfPackageConfig",
-    metadata: {
-      name: name2,
-      description: `Pepr Module: ${config.description}`,
-      url: "https://github.com/defenseunicorns/pepr",
-      version: `${config.appVersion || "0.0.1"}`
-    },
-    components: [
-      {
-        name: "module",
-        required: true,
-        charts: [
-          {
-            name: "module",
-            namespace: "pepr-system",
-            version: `${config.appVersion || "0.0.1"}`,
-            localPath: path
-          }
-        ],
-        images: [image]
-      }
-    ]
-  };
-  return (0, import_client_node.dumpYaml)(zarfCfg, { noRefs: true });
-}
-async function allYaml(assets, imagePullSecret) {
-  const { name: name2, tls, apiToken, path, config } = assets;
-  const code = await import_fs2.promises.readFile(path);
-  assets.hash = import_crypto2.default.createHash("sha256").update(code).digest("hex");
-  const mutateWebhook = await webhookConfig(assets, "mutate", assets.config.webhookTimeout);
-  const validateWebhook = await webhookConfig(assets, "validate", assets.config.webhookTimeout);
-  const watchDeployment = getWatcher(assets, assets.hash, assets.buildTimestamp, imagePullSecret);
-  const resources = [
-    getNamespace(assets.config.customLabels?.namespace),
-    clusterRole(name2, assets.capabilities, config.rbacMode, config.rbac),
-    clusterRoleBinding(name2),
-    serviceAccount(name2),
-    apiTokenSecret(name2, apiToken),
-    tlsSecret(name2, tls),
-    getDeployment(assets, assets.hash, assets.buildTimestamp, imagePullSecret),
-    service(name2),
-    watcherService(name2),
-    getModuleSecret(name2, code, assets.hash),
-    storeRole(name2),
-    storeRoleBinding(name2)
-  ];
-  if (mutateWebhook) {
-    resources.push(mutateWebhook);
-  }
-  if (validateWebhook) {
-    resources.push(validateWebhook);
-  }
-  if (watchDeployment) {
-    resources.push(watchDeployment);
-  }
-  return resources.map((r) => (0, import_client_node.dumpYaml)(r, { noRefs: true })).join("---\n");
-}
-
-// src/lib/assets/index.ts
-var import_path = require("path");
-
-// src/lib/assets/helm.ts
-function clusterRoleTemplate() {
-  return `
-    apiVersion: rbac.authorization.k8s.io/v1
-    kind: ClusterRole
-    metadata:
-      name: {{ .Values.uuid }}
-      namespace: pepr-system
-    rules: 
-      {{- if .Values.rbac }}
-      {{- toYaml .Values.rbac | nindent 2 }}
-      {{- end }}
-  `;
-}
-function namespaceTemplate() {
-  return `
-    apiVersion: v1
-    kind: Namespace
-    metadata:
-        name: pepr-system
-        {{- if .Values.namespace.annotations }}
-        annotations:
-            {{- toYaml .Values.namespace.annotations | nindent 6 }}
-        {{- end }}
-        {{- if .Values.namespace.labels }}
-        labels:
-            {{- toYaml .Values.namespace.labels | nindent 6 }}
-        {{- end }}
-    `;
-}
-function chartYaml(name2, description) {
-  return `
-    apiVersion: v2
-    name: ${name2}
-    description: ${description || ""}
-
-    # A chart can be either an 'application' or a 'library' chart.
-    #
-    # Application charts are a collection of templates that can be packaged into versioned archives
-    # to be deployed.
-    #
-    # Library charts provide useful utilities or functions for the chart developer. They're included as
-    # a dependency of application charts to inject those utilities and functions into the rendering
-    # pipeline. Library charts do not define any templates and therefore cannot be deployed.
-    type: application
-
-    # This is the chart version. This version number should be incremented each time you make changes
-    # to the chart and its templates, including the app version.
-    # Versions are expected to follow Semantic Versioning (https://semver.org/)
-    version: 0.1.0
-
-    # This is the version number of the application being deployed. This version number should be
-    # incremented each time you make changes to the application. Versions are not expected to
-    # follow Semantic Versioning. They should reflect the version the application is using.
-    # It is recommended to use it with quotes.
-    appVersion: "1.16.0"
-`;
-}
-function watcherDeployTemplate(buildTimestamp) {
-  return `
-      apiVersion: apps/v1
-      kind: Deployment
-      metadata:
-        name: {{ .Values.uuid }}-watcher
-        namespace: pepr-system
-        annotations:
-          {{- toYaml .Values.watcher.annotations | nindent 4 }}
-        labels:
-          {{- toYaml .Values.watcher.labels | nindent 4 }}
-      spec:
-        replicas: 1
-        strategy:
-          type: Recreate
-        selector:
-          matchLabels:
-            app: {{ .Values.uuid }}-watcher
-            pepr.dev/controller: watcher
-        template:
-          metadata:
-            annotations: 
-              buildTimestamp: "${buildTimestamp}"
-              {{- if .Values.watcher.podAnnotations }}
-              {{- toYaml .Values.watcher.podAnnotations | nindent 8 }}
-              {{- end }}
-            labels:
-              app: {{ .Values.uuid }}-watcher
-              pepr.dev/controller: watcher
-          spec:
-            terminationGracePeriodSeconds: {{ .Values.watcher.terminationGracePeriodSeconds }}
-            serviceAccountName: {{ .Values.uuid }}
-            securityContext:
-              {{- toYaml .Values.admission.securityContext | nindent 8 }}
-            containers:
-              - name: watcher
-                image: {{ .Values.watcher.image }}
-                imagePullPolicy: IfNotPresent
-                command:
-                  - node
-                  - /app/node_modules/pepr/dist/controller.js
-                  - {{ .Values.hash }}
-                readinessProbe:
-                  {{- toYaml .Values.watcher.readinessProbe | nindent 12 }}
-                livenessProbe:
-                  {{- toYaml .Values.watcher.livenessProbe | nindent 12 }}
-                ports:
-                  - containerPort: 3000
-                resources:
-                  {{- toYaml .Values.watcher.resources | nindent 12 }}
-                env:
-                  {{- toYaml .Values.watcher.env | nindent 12 }}
-                  - name: PEPR_WATCH_MODE
-                    value: "true"
-                envFrom:
-                  {{- toYaml .Values.watcher.envFrom | nindent 12 }}
-                securityContext:
-                  {{- toYaml .Values.watcher.containerSecurityContext | nindent 12 }}
-                volumeMounts:
-                  - name: tls-certs
-                    mountPath: /etc/certs
-                    readOnly: true
-                  - name: module
-                    mountPath: /app/load
-                    readOnly: true
-                  {{- if .Values.watcher.extraVolumeMounts }}
-                  {{- toYaml .Values.watcher.extraVolumeMounts | nindent 12 }}
-                  {{- end }}
-            volumes:
-              - name: tls-certs
-                secret:
-                  secretName: {{ .Values.uuid }}-tls
-              - name: module
-                secret:
-                  secretName: {{ .Values.uuid }}-module
-              {{- if .Values.watcher.extraVolumes }}
-              {{- toYaml .Values.watcher.extraVolumes | nindent 8 }}
-              {{- end }}
-    `;
-}
-function admissionDeployTemplate(buildTimestamp) {
-  return `
-      apiVersion: apps/v1
-      kind: Deployment
-      metadata:
-        name: {{ .Values.uuid }}
-        namespace: pepr-system
-        annotations:
-          {{- toYaml .Values.admission.annotations | nindent 4 }}
-        labels:
-          {{- toYaml .Values.admission.labels | nindent 4 }}
-      spec:
-        replicas: 2
-        selector:
-          matchLabels:
-            app: {{ .Values.uuid }}
-            pepr.dev/controller: admission
-        template:
-          metadata:
-            annotations:
-              buildTimestamp: "${buildTimestamp}"
-              {{- if .Values.admission.podAnnotations }}
-              {{- toYaml .Values.admission.podAnnotations | nindent 8 }}
-              {{- end }}
-            labels:
-              app: {{ .Values.uuid }}
-              pepr.dev/controller: admission
-          spec:
-            terminationGracePeriodSeconds: {{ .Values.admission.terminationGracePeriodSeconds }}
-            priorityClassName: system-node-critical
-            serviceAccountName: {{ .Values.uuid }}
-            securityContext:
-              {{- toYaml .Values.admission.securityContext | nindent 8 }}
-            containers:
-              - name: server
-                image: {{ .Values.admission.image }}
-                imagePullPolicy: IfNotPresent
-                command:
-                  - node
-                  - /app/node_modules/pepr/dist/controller.js
-                  - {{ .Values.hash }}
-                readinessProbe:
-                  {{- toYaml .Values.admission.readinessProbe | nindent 12 }}
-                livenessProbe:
-                  {{- toYaml .Values.admission.livenessProbe | nindent 12 }}
-                ports:
-                  - containerPort: 3000
-                resources:
-                  {{- toYaml .Values.admission.resources | nindent 12 }}
-                env:
-                  {{- toYaml .Values.admission.env | nindent 12 }}
-                  - name: PEPR_WATCH_MODE
-                    value: "false"
-                envFrom:
-                  {{- toYaml .Values.admission.envFrom | nindent 12 }}
-                securityContext:
-                  {{- toYaml .Values.admission.containerSecurityContext | nindent 12 }}
-                volumeMounts:
-                  - name: tls-certs
-                    mountPath: /etc/certs
-                    readOnly: true
-                  - name: api-token
-                    mountPath: /app/api-token
-                    readOnly: true
-                  - name: module
-                    mountPath: /app/load
-                    readOnly: true
-                  {{- if .Values.admission.extraVolumeMounts }}
-                  {{- toYaml .Values.admission.extraVolumeMounts | nindent 12 }}
-                  {{- end }}
-            volumes:
-              - name: tls-certs
-                secret:
-                  secretName: {{ .Values.uuid }}-tls
-              - name: api-token
-                secret:
-                  secretName: {{ .Values.uuid }}-api-token
-              - name: module
-                secret:
-                  secretName: {{ .Values.uuid }}-module  
-              {{- if .Values.admission.extraVolumes }}
-              {{- toYaml .Values.admission.extraVolumes | nindent 8 }}
-              {{- end }}
-    `;
-}
-function serviceMonitorTemplate(name2) {
-  return `
-      {{- if .Values.${name2}.serviceMonitor.enabled }}
-      apiVersion: monitoring.coreos.com/v1
-      kind: ServiceMonitor
-      metadata:
-        name: ${name2}
-        annotations:
-          {{- toYaml .Values.${name2}.serviceMonitor.annotations | nindent 4 }}
-        labels:
-          {{- toYaml .Values.${name2}.serviceMonitor.labels | nindent 4 }}
-      spec:
-        selector:
-          matchLabels:
-            pepr.dev/controller: ${name2}
-        namespaceSelector:
-          matchNames:
-            - pepr-system
-        endpoints:
-          - targetPort: 3000
-            scheme: https
-            tlsConfig:
-              insecureSkipVerify: true
-      {{- end }}
-    `;
+        kind: "ServiceAccount",
+        name: name2,
+        namespace: "pepr-system"
+      }
+    ]
+  };
 }
 
-// src/lib/assets/index.ts
-var import_fs4 = require("fs");
-
-// src/lib/filesystemService.ts
-var import_fs3 = require("fs");
-async function createDirectoryIfNotExists(path) {
-  try {
-    await import_fs3.promises.access(path);
-  } catch (error) {
-    if (error.code === "ENOENT") {
-      await import_fs3.promises.mkdir(path, { recursive: true });
-    } else {
-      throw error;
+// src/lib/assets/yaml/overridesFile.ts
+var import_fs2 = require("fs");
+async function overridesFile({ hash, name: name2, image, config, apiToken, capabilities }, path, imagePullSecrets) {
+  const rbacOverrides = clusterRole(name2, capabilities, config.rbacMode, config.rbac).rules;
+  const overrides = {
+    imagePullSecrets,
+    additionalIgnoredNamespaces: [],
+    rbac: rbacOverrides,
+    secrets: {
+      apiToken: Buffer.from(apiToken).toString("base64")
+    },
+    hash,
+    namespace: {
+      annotations: {},
+      labels: {
+        "pepr.dev": ""
+      }
+    },
+    uuid: name2,
+    admission: {
+      terminationGracePeriodSeconds: 5,
+      failurePolicy: config.onError === "reject" ? "Fail" : "Ignore",
+      webhookTimeout: config.webhookTimeout,
+      env: genEnv(config, false, true),
+      envFrom: [],
+      image,
+      annotations: {
+        "pepr.dev/description": `${config.description}` || ""
+      },
+      labels: {
+        app: name2,
+        "pepr.dev/controller": "admission",
+        "pepr.dev/uuid": config.uuid
+      },
+      securityContext: {
+        runAsUser: 65532,
+        runAsGroup: 65532,
+        runAsNonRoot: true,
+        fsGroup: 65532
+      },
+      readinessProbe: {
+        httpGet: {
+          path: "/healthz",
+          port: 3e3,
+          scheme: "HTTPS"
+        },
+        initialDelaySeconds: 10
+      },
+      livenessProbe: {
+        httpGet: {
+          path: "/healthz",
+          port: 3e3,
+          scheme: "HTTPS"
+        },
+        initialDelaySeconds: 10
+      },
+      resources: {
+        requests: {
+          memory: "256Mi",
+          cpu: "200m"
+        },
+        limits: {
+          memory: "512Mi",
+          cpu: "500m"
+        }
+      },
+      containerSecurityContext: {
+        runAsUser: 65532,
+        runAsGroup: 65532,
+        runAsNonRoot: true,
+        allowPrivilegeEscalation: false,
+        capabilities: {
+          drop: ["ALL"]
+        }
+      },
+      podAnnotations: {},
+      nodeSelector: {},
+      tolerations: [],
+      extraVolumeMounts: [],
+      extraVolumes: [],
+      affinity: {},
+      serviceMonitor: {
+        enabled: false,
+        labels: {},
+        annotations: {}
+      }
+    },
+    watcher: {
+      terminationGracePeriodSeconds: 5,
+      env: genEnv(config, true, true),
+      envFrom: [],
+      image,
+      annotations: {
+        "pepr.dev/description": `${config.description}` || ""
+      },
+      labels: {
+        app: `${name2}-watcher`,
+        "pepr.dev/controller": "watcher",
+        "pepr.dev/uuid": config.uuid
+      },
+      securityContext: {
+        runAsUser: 65532,
+        runAsGroup: 65532,
+        runAsNonRoot: true,
+        fsGroup: 65532
+      },
+      readinessProbe: {
+        httpGet: {
+          path: "/healthz",
+          port: 3e3,
+          scheme: "HTTPS"
+        },
+        initialDelaySeconds: 10
+      },
+      livenessProbe: {
+        httpGet: {
+          path: "/healthz",
+          port: 3e3,
+          scheme: "HTTPS"
+        },
+        initialDelaySeconds: 10
+      },
+      resources: {
+        requests: {
+          memory: "256Mi",
+          cpu: "200m"
+        },
+        limits: {
+          memory: "512Mi",
+          cpu: "500m"
+        }
+      },
+      containerSecurityContext: {
+        runAsUser: 65532,
+        runAsGroup: 65532,
+        runAsNonRoot: true,
+        allowPrivilegeEscalation: false,
+        capabilities: {
+          drop: ["ALL"]
+        }
+      },
+      nodeSelector: {},
+      tolerations: [],
+      extraVolumeMounts: [],
+      extraVolumes: [],
+      affinity: {},
+      podAnnotations: {},
+      serviceMonitor: {
+        enabled: false,
+        labels: {},
+        annotations: {}
+      }
     }
-  }
+  };
+  await import_fs2.promises.writeFile(path, (0, import_client_node.dumpYaml)(overrides, { noRefs: true, forceQuotes: true }));
 }
 
 // src/lib/assets/index.ts
+var import_client_node2 = require("@kubernetes/client-node");
+var import_path = require("path");
 function toYaml(obj) {
   return (0, import_client_node2.dumpYaml)(obj, { noRefs: true });
 }
-function createWebhookYaml(assets, webhookConfiguration) {
+function createWebhookYaml(name2, config, webhookConfiguration) {
   const yaml = toYaml(webhookConfiguration);
-  return replaceString(
-    replaceString(
-      replaceString(yaml, assets.name, "{{ .Values.uuid }}"),
-      assets.config.onError === "reject" ? "Fail" : "Ignore",
-      "{{ .Values.admission.failurePolicy }}"
-    ),
-    `${assets.config.webhookTimeout}` || "10",
-    "{{ .Values.admission.webhookTimeout }}"
-  );
+  const replacements = [
+    { search: name2, replace: "{{ .Values.uuid }}" },
+    {
+      search: config.onError === "reject" ? "Fail" : "Ignore",
+      replace: "{{ .Values.admission.failurePolicy }}"
+    },
+    {
+      search: `${config.webhookTimeout}` || "10",
+      replace: "{{ .Values.admission.webhookTimeout }}"
+    },
+    {
+      search: `
+        - key: kubernetes.io/metadata.name
+          operator: NotIn
+          values:
+            - kube-system
+            - pepr-system
+`,
+      replace: `
+        - key: kubernetes.io/metadata.name
+          operator: NotIn
+          values:
+            - kube-system
+            - pepr-system
+            {{- range .Values.additionalIgnoredNamespaces }}
+            - {{ . }}
+            {{- end }}
+`
+    }
+  ];
+  return replacements.reduce((updatedYaml, { search, replace }) => replaceString(updatedYaml, search, replace), yaml);
+}
+function helmLayout(basePath, unique) {
+  const helm = {
+    dirs: {
+      chart: (0, import_path.resolve)(`${basePath}/${unique}-chart`)
+    },
+    files: {}
+  };
+  helm.dirs = {
+    ...helm.dirs,
+    charts: `${helm.dirs.chart}/charts`,
+    tmpls: `${helm.dirs.chart}/templates`
+  };
+  helm.files = {
+    ...helm.files,
+    valuesYaml: `${helm.dirs.chart}/values.yaml`,
+    chartYaml: `${helm.dirs.chart}/Chart.yaml`,
+    namespaceYaml: `${helm.dirs.tmpls}/namespace.yaml`,
+    watcherServiceYaml: `${helm.dirs.tmpls}/watcher-service.yaml`,
+    admissionServiceYaml: `${helm.dirs.tmpls}/admission-service.yaml`,
+    mutationWebhookYaml: `${helm.dirs.tmpls}/mutation-webhook.yaml`,
+    validationWebhookYaml: `${helm.dirs.tmpls}/validation-webhook.yaml`,
+    admissionDeploymentYaml: `${helm.dirs.tmpls}/admission-deployment.yaml`,
+    admissionServiceMonitorYaml: `${helm.dirs.tmpls}/admission-service-monitor.yaml`,
+    watcherDeploymentYaml: `${helm.dirs.tmpls}/watcher-deployment.yaml`,
+    watcherServiceMonitorYaml: `${helm.dirs.tmpls}/watcher-service-monitor.yaml`,
+    tlsSecretYaml: `${helm.dirs.tmpls}/tls-secret.yaml`,
+    apiTokenSecretYaml: `${helm.dirs.tmpls}/api-token-secret.yaml`,
+    moduleSecretYaml: `${helm.dirs.tmpls}/module-secret.yaml`,
+    storeRoleYaml: `${helm.dirs.tmpls}/store-role.yaml`,
+    storeRoleBindingYaml: `${helm.dirs.tmpls}/store-role-binding.yaml`,
+    clusterRoleYaml: `${helm.dirs.tmpls}/cluster-role.yaml`,
+    clusterRoleBindingYaml: `${helm.dirs.tmpls}/cluster-role-binding.yaml`,
+    serviceAccountYaml: `${helm.dirs.tmpls}/service-account.yaml`
+  };
+  return helm;
+}
+
+// src/lib/assets/loader.ts
+var import_child_process = require("child_process");
+function loadCapabilities(path) {
+  return new Promise((resolve6, reject) => {
+    const program2 = (0, import_child_process.fork)(path, {
+      env: {
+        ...process.env,
+        LOG_LEVEL: "warn",
+        PEPR_MODE: "build",
+        NODE_OPTIONS: "--disable-warning=DEP0040"
+      }
+    });
+    program2.on("message", (message) => {
+      const capabilities = message.valueOf();
+      for (const capability of capabilities) {
+        console.info(`Registered Pepr Capability "${capability.name}"`);
+      }
+      resolve6(capabilities);
+    });
+    program2.on("error", (error) => {
+      reject(error);
+    });
+  });
+}
+
+// src/lib/assets/assets.ts
+var import_fs3 = require("fs");
+
+// src/lib/assets/networking.ts
+function apiTokenSecret(name2, apiToken) {
+  return {
+    apiVersion: "v1",
+    kind: "Secret",
+    metadata: {
+      name: `${name2}-api-token`,
+      namespace: "pepr-system"
+    },
+    type: "Opaque",
+    data: {
+      value: Buffer.from(apiToken).toString("base64")
+    }
+  };
 }
-function helmLayout(basePath, unique) {
-  const helm = {
-    dirs: {
-      chart: (0, import_path.resolve)(`${basePath}/${unique}-chart`)
+function tlsSecret(name2, tls) {
+  return {
+    apiVersion: "v1",
+    kind: "Secret",
+    metadata: {
+      name: `${name2}-tls`,
+      namespace: "pepr-system"
     },
-    files: {}
+    type: "kubernetes.io/tls",
+    data: {
+      "tls.crt": tls.crt,
+      "tls.key": tls.key
+    }
   };
-  helm.dirs = {
-    ...helm.dirs,
-    charts: `${helm.dirs.chart}/charts`,
-    tmpls: `${helm.dirs.chart}/templates`
+}
+function service(name2) {
+  return {
+    apiVersion: "v1",
+    kind: "Service",
+    metadata: {
+      name: name2,
+      namespace: "pepr-system",
+      labels: {
+        "pepr.dev/controller": "admission"
+      }
+    },
+    spec: {
+      selector: {
+        app: name2,
+        "pepr.dev/controller": "admission"
+      },
+      ports: [
+        {
+          port: 443,
+          targetPort: 3e3
+        }
+      ]
+    }
   };
-  helm.files = {
-    ...helm.files,
-    valuesYaml: `${helm.dirs.chart}/values.yaml`,
-    chartYaml: `${helm.dirs.chart}/Chart.yaml`,
-    namespaceYaml: `${helm.dirs.tmpls}/namespace.yaml`,
-    watcherServiceYaml: `${helm.dirs.tmpls}/watcher-service.yaml`,
-    admissionServiceYaml: `${helm.dirs.tmpls}/admission-service.yaml`,
-    mutationWebhookYaml: `${helm.dirs.tmpls}/mutation-webhook.yaml`,
-    validationWebhookYaml: `${helm.dirs.tmpls}/validation-webhook.yaml`,
-    admissionDeploymentYaml: `${helm.dirs.tmpls}/admission-deployment.yaml`,
-    admissionServiceMonitorYaml: `${helm.dirs.tmpls}/admission-service-monitor.yaml`,
-    watcherDeploymentYaml: `${helm.dirs.tmpls}/watcher-deployment.yaml`,
-    watcherServiceMonitorYaml: `${helm.dirs.tmpls}/watcher-service-monitor.yaml`,
-    tlsSecretYaml: `${helm.dirs.tmpls}/tls-secret.yaml`,
-    apiTokenSecretYaml: `${helm.dirs.tmpls}/api-token-secret.yaml`,
-    moduleSecretYaml: `${helm.dirs.tmpls}/module-secret.yaml`,
-    storeRoleYaml: `${helm.dirs.tmpls}/store-role.yaml`,
-    storeRoleBindingYaml: `${helm.dirs.tmpls}/store-role-binding.yaml`,
-    clusterRoleYaml: `${helm.dirs.tmpls}/cluster-role.yaml`,
-    clusterRoleBindingYaml: `${helm.dirs.tmpls}/cluster-role-binding.yaml`,
-    serviceAccountYaml: `${helm.dirs.tmpls}/service-account.yaml`
+}
+function watcherService(name2) {
+  return {
+    apiVersion: "v1",
+    kind: "Service",
+    metadata: {
+      name: `${name2}-watcher`,
+      namespace: "pepr-system",
+      labels: {
+        "pepr.dev/controller": "watcher"
+      }
+    },
+    spec: {
+      selector: {
+        app: `${name2}-watcher`,
+        "pepr.dev/controller": "watcher"
+      },
+      ports: [
+        {
+          port: 443,
+          targetPort: 3e3
+        }
+      ]
+    }
   };
-  return helm;
 }
+
+// src/lib/assets/assets.ts
 var Assets = class {
-  constructor(config, path, host) {
-    this.config = config;
-    this.path = path;
-    this.host = host;
-    this.name = `pepr-${config.uuid}`;
-    this.buildTimestamp = `${Date.now()}`;
-    this.alwaysIgnore = config.alwaysIgnore;
-    this.image = `ghcr.io/defenseunicorns/pepr/controller:v${config.peprVersion}`;
-    this.hash = "";
-    this.tls = genTLS(this.host || `${this.name}.pepr-system.svc`);
-    this.apiToken = import_crypto3.default.randomBytes(32).toString("hex");
-  }
   name;
   tls;
   apiToken;
+  config;
+  path;
   alwaysIgnore;
+  imagePullSecrets;
   capabilities;
   image;
   buildTimestamp;
-  hash;
-  setHash = (hash) => {
-    this.hash = hash;
-  };
-  deploy = async (force, webhookTimeout) => {
+  host;
+  constructor(config, path, imagePullSecrets, host) {
+    this.name = `pepr-${config.uuid}`;
+    this.imagePullSecrets = imagePullSecrets;
+    this.buildTimestamp = `${Date.now()}`;
+    this.config = config;
+    this.path = path;
+    this.host = host;
+    this.alwaysIgnore = config.alwaysIgnore;
+    this.image = `ghcr.io/defenseunicorns/pepr/controller:v${config.peprVersion}`;
+    this.tls = genTLS(host || `${this.name}.pepr-system.svc`);
+    this.apiToken = import_crypto.default.randomBytes(32).toString("hex");
+  }
+  async deploy(deployFunction, force, webhookTimeout) {
     this.capabilities = await loadCapabilities(this.path);
-    await deploy(this, force, webhookTimeout);
-  };
-  zarfYaml = (path) => zarfYaml(this, path);
-  zarfYamlChart = (path) => zarfYamlChart(this, path);
-  allYaml = async (imagePullSecret) => {
+    const timeout = typeof webhookTimeout === "number" ? webhookTimeout : 10;
+    await deployFunction(this, force, timeout);
+  }
+  zarfYaml = (zarfYamlGenerator, path) => zarfYamlGenerator(this, path, "manifests");
+  zarfYamlChart = (zarfYamlGenerator, path) => zarfYamlGenerator(this, path, "charts");
+  allYaml = async (yamlGenerationFunction, imagePullSecret) => {
     this.capabilities = await loadCapabilities(this.path);
     for (const capability of this.capabilities) {
       namespaceComplianceValidator(capability, this.alwaysIgnore?.namespaces);
     }
-    return allYaml(this, imagePullSecret);
+    const code = await import_fs3.promises.readFile(this.path);
+    const moduleHash = import_crypto.default.createHash("sha256").update(code).digest("hex");
+    const deployments = {
+      default: getDeployment(this, moduleHash, this.buildTimestamp, imagePullSecret),
+      watch: getWatcher(this, moduleHash, this.buildTimestamp, imagePullSecret)
+    };
+    return yamlGenerationFunction(this, deployments);
+  };
+  writeWebhookFiles = async (validateWebhook, mutateWebhook, helm) => {
+    if (validateWebhook || mutateWebhook) {
+      await import_fs3.promises.writeFile(helm.files.admissionDeploymentYaml, dedent(admissionDeployTemplate(this.buildTimestamp)));
+      await import_fs3.promises.writeFile(helm.files.admissionServiceMonitorYaml, dedent(serviceMonitorTemplate("admission")));
+    }
+    if (mutateWebhook) {
+      await import_fs3.promises.writeFile(helm.files.mutationWebhookYaml, createWebhookYaml(this.name, this.config, mutateWebhook));
+    }
+    if (validateWebhook) {
+      await import_fs3.promises.writeFile(helm.files.validationWebhookYaml, createWebhookYaml(this.name, this.config, validateWebhook));
+    }
   };
-  /* eslint max-statements: ["warn", 21] */
-  generateHelmChart = async (basePath) => {
+  generateHelmChart = async (webhookGeneratorFunction, basePath) => {
     const helm = helmLayout(basePath, this.config.uuid);
     try {
       await Promise.all(
         Object.values(helm.dirs).sort((l, r) => l.split("/").length - r.split("/").length).map(async (dir) => await createDirectoryIfNotExists(dir))
       );
-      const code = await import_fs4.promises.readFile(this.path);
+      const code = await import_fs3.promises.readFile(this.path);
+      const moduleHash = import_crypto.default.createHash("sha256").update(code).digest("hex");
       const pairs = [
         [helm.files.chartYaml, () => dedent(chartYaml(this.config.uuid, this.config.description || ""))],
         [helm.files.namespaceYaml, () => dedent(namespaceTemplate())],
@@ -1770,28 +1493,27 @@ var Assets = class {
         [helm.files.clusterRoleYaml, () => dedent(clusterRoleTemplate())],
         [helm.files.clusterRoleBindingYaml, () => toYaml(clusterRoleBinding(this.name))],
         [helm.files.serviceAccountYaml, () => toYaml(serviceAccount(this.name))],
-        [helm.files.moduleSecretYaml, () => toYaml(getModuleSecret(this.name, code, this.hash))]
+        [helm.files.moduleSecretYaml, () => toYaml(getModuleSecret(this.name, code, moduleHash))]
       ];
-      await Promise.all(pairs.map(async ([file, content]) => await import_fs4.promises.writeFile(file, content())));
-      await overridesFile(this, helm.files.valuesYaml);
-      const [mutateWebhook, validateWebhook] = await Promise.all([
-        webhookConfig(this, "mutate", this.config.webhookTimeout),
-        webhookConfig(this, "validate", this.config.webhookTimeout)
-      ]);
-      if (validateWebhook || mutateWebhook) {
-        await import_fs4.promises.writeFile(helm.files.admissionDeploymentYaml, dedent(admissionDeployTemplate(this.buildTimestamp)));
-        await import_fs4.promises.writeFile(helm.files.admissionServiceMonitorYaml, dedent(serviceMonitorTemplate("admission")));
-      }
-      if (mutateWebhook) {
-        await import_fs4.promises.writeFile(helm.files.mutationWebhookYaml, createWebhookYaml(this, mutateWebhook));
-      }
-      if (validateWebhook) {
-        await import_fs4.promises.writeFile(helm.files.validationWebhookYaml, createWebhookYaml(this, validateWebhook));
-      }
-      const watchDeployment = getWatcher(this, this.hash, this.buildTimestamp);
+      await Promise.all(pairs.map(async ([file, content]) => await import_fs3.promises.writeFile(file, content())));
+      const overrideData = {
+        hash: moduleHash,
+        name: this.name,
+        image: this.image,
+        config: this.config,
+        apiToken: this.apiToken,
+        capabilities: this.capabilities
+      };
+      await overridesFile(overrideData, helm.files.valuesYaml, this.imagePullSecrets);
+      const webhooks = {
+        mutate: await webhookGeneratorFunction(this, "mutate" /* MUTATE */, this.config.webhookTimeout),
+        validate: await webhookGeneratorFunction(this, "validate" /* VALIDATE */, this.config.webhookTimeout)
+      };
+      await this.writeWebhookFiles(webhooks.validate, webhooks.mutate, helm);
+      const watchDeployment = getWatcher(this, moduleHash, this.buildTimestamp);
       if (watchDeployment) {
-        await import_fs4.promises.writeFile(helm.files.watcherDeploymentYaml, dedent(watcherDeployTemplate(this.buildTimestamp)));
-        await import_fs4.promises.writeFile(helm.files.watcherServiceMonitorYaml, dedent(serviceMonitorTemplate("watcher")));
+        await import_fs3.promises.writeFile(helm.files.watcherDeploymentYaml, dedent(watcherDeployTemplate(this.buildTimestamp)));
+        await import_fs3.promises.writeFile(helm.files.watcherServiceMonitorYaml, dedent(serviceMonitorTemplate("watcher")));
       }
     } catch (err) {
       console.error(`Error generating helm chart: ${err.message}`);
@@ -2007,7 +1729,7 @@ var gitIgnore = "# Ignore node_modules and Pepr build artifacts\nnode_modules\nd
 var readmeMd = '# Pepr Module\n\nThis is a Pepr Module. [Pepr](https://github.com/defenseunicorns/pepr) is a type-safe Kubernetes middleware system.\n\nThe `capabilities` directory contains all the capabilities for this module. By default,\na capability is a single typescript file in the format of `capability-name.ts` that is\nimported in the root `pepr.ts` file as `import { HelloPepr } from "./capabilities/hello-pepr";`.\nBecause this is typescript, you can organize this however you choose, e.g. creating a sub-folder\nper-capability or common logic in shared files or folders.\n\nExample Structure:\n\n```\nModule Root\n\u251C\u2500\u2500 package.json\n\u251C\u2500\u2500 pepr.ts\n\u2514\u2500\u2500 capabilities\n    \u251C\u2500\u2500 example-one.ts\n    \u251C\u2500\u2500 example-three.ts\n    \u2514\u2500\u2500 example-two.ts\n```\n';
 var peprTS = 'import { PeprModule } from "pepr";\n// cfg loads your pepr configuration from package.json\nimport cfg from "./package.json";\n\n// HelloPepr is a demo capability that is included with Pepr. Comment or delete the line below to remove it.\nimport { HelloPepr } from "./capabilities/hello-pepr";\n\n/**\n * This is the main entrypoint for this Pepr module. It is run when the module is started.\n * This is where you register your Pepr configurations and capabilities.\n */\nnew PeprModule(cfg, [\n  // "HelloPepr" is a demo capability that is included with Pepr. Comment or delete the line below to remove it.\n  HelloPepr,\n\n  // Your additional capabilities go here\n]);\n';
 var helloPeprTS = 'import {\n  Capability,\n  K8s,\n  Log,\n  PeprMutateRequest,\n  RegisterKind,\n  a,\n  fetch,\n  fetchStatus,\n  kind,\n} from "pepr";\nimport { MockAgent, setGlobalDispatcher } from "undici";\n\n/**\n *  The HelloPepr Capability is an example capability to demonstrate some general concepts of Pepr.\n *  To test this capability you run `pepr dev`and then run the following command:\n *  `kubectl apply -f capabilities/hello-pepr.samples.yaml`\n */\nexport const HelloPepr = new Capability({\n  name: "hello-pepr",\n  description: "A simple example capability to show how things work.",\n  namespaces: ["pepr-demo", "pepr-demo-2"],\n});\n\n// Use the \'When\' function to create a new action, use \'Store\' to persist data\nconst { When, Store } = HelloPepr;\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (Namespace)                                   *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action removes the label `remove-me` when a Namespace is created.\n * Note we don\'t need to specify the namespace here, because we\'ve already specified\n * it in the Capability definition above.\n */\nWhen(a.Namespace)\n  .IsCreated()\n  .Mutate(ns => ns.RemoveLabel("remove-me"));\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Watch Action with K8s SSA (Namespace)                           *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action watches for the `pepr-demo-2` namespace to be created, then creates a ConfigMap with\n * the name `pepr-ssa-demo` and adds the namespace UID to the ConfigMap data. Because Pepr uses\n * server-side apply for this operation, the ConfigMap will be created or updated if it already exists.\n */\nWhen(a.Namespace)\n  .IsCreated()\n  .WithName("pepr-demo-2")\n  .Watch(async ns => {\n    Log.info("Namespace pepr-demo-2 was created.");\n\n    try {\n      // Apply the ConfigMap using K8s server-side apply\n      await K8s(kind.ConfigMap).Apply({\n        metadata: {\n          name: "pepr-ssa-demo",\n          namespace: "pepr-demo-2",\n        },\n        data: {\n          "ns-uid": ns.metadata.uid,\n        },\n      });\n    } catch (error) {\n      // You can use the Log object to log messages to the Pepr controller pod\n      Log.error(error, "Failed to apply ConfigMap using server-side apply.");\n    }\n\n    // You can share data between actions using the Store, including between different types of actions\n    Store.setItem("watch-data", "This data was stored by a Watch Action.");\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 1)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This is a single action. They can be in the same file or put imported from other files.\n * In this example, when a ConfigMap is created with the name `example-1`, then add a label and annotation.\n *\n * Equivalent to manually running:\n * `kubectl label configmap example-1 pepr=was-here`\n * `kubectl annotate configmap example-1 pepr.dev=annotations-work-too`\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .WithName("example-1")\n  .Mutate(request => {\n    request\n      .SetLabel("pepr", "was-here")\n      .SetAnnotation("pepr.dev", "annotations-work-too");\n\n    // Use the Store to persist data between requests and Pepr controller pods\n    Store.setItem("example-1", "was-here");\n\n    // This data is written asynchronously and can be read back via `Store.getItem()` or `Store.subscribe()`\n    Store.setItem("example-1-data", JSON.stringify(request.Raw.data));\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate & Validate Actions (CM Example 2)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This combines 3 different types of actions: \'Mutate\', \'Validate\', and \'Watch\'. The order\n * of the actions is required, but each action is optional. In this example, when a ConfigMap is created\n * with the name `example-2`, then add a label and annotation, validate that the ConfigMap has the label\n * `pepr`, and log the request.\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .WithName("example-2")\n  .Mutate(request => {\n    // This Mutate Action will mutate the request before it is persisted to the cluster\n\n    // Use `request.Merge()` to merge the new data with the existing data\n    request.Merge({\n      metadata: {\n        labels: {\n          pepr: "was-here",\n        },\n        annotations: {\n          "pepr.dev": "annotations-work-too",\n        },\n      },\n    });\n  })\n  .Validate(request => {\n    // This Validate Action will validate the request before it is persisted to the cluster\n\n    // Approve the request if the ConfigMap has the label \'pepr\'\n    if (request.HasLabel("pepr")) {\n      return request.Approve();\n    }\n\n    // Otherwise, deny the request with an error message (optional)\n    return request.Deny("ConfigMap must have label \'pepr\'");\n  })\n  .Watch((cm, phase) => {\n    // This Watch Action will watch the ConfigMap after it has been persisted to the cluster\n    Log.info(cm, `ConfigMap was ${phase} with the name example-2`);\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 2a)                               *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action shows a simple validation that will deny any ConfigMap that has the\n * annotation `evil`. Note that the `Deny()` function takes an optional second parameter that is a\n * user-defined status code to return.\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .Validate(request => {\n    if (request.HasAnnotation("evil")) {\n      return request.Deny("No evil CM annotations allowed.", 400);\n    }\n\n    return request.Approve();\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 3)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action combines different styles. Unlike the previous actions, this one will look\n * for any ConfigMap in the `pepr-demo` namespace that has the label `change=by-label` during either\n * CREATE or UPDATE. Note that all conditions added such as `WithName()`, `WithLabel()`, `InNamespace()`,\n * are ANDs so all conditions must be true for the request to be processed.\n */\nWhen(a.ConfigMap)\n  .IsCreatedOrUpdated()\n  .WithLabel("change", "by-label")\n  .Mutate(request => {\n    // The K8s object e are going to mutate\n    const cm = request.Raw;\n\n    // Get the username and uid of the K8s request\n    const { username, uid } = request.Request.userInfo;\n\n    // Store some data about the request in the configmap\n    cm.data["username"] = username;\n    cm.data["uid"] = uid;\n\n    // You can still mix other ways of making changes too\n    request.SetAnnotation("pepr.dev", "making-waves");\n  });\n\n// This action validates the label `change=by-label` is deleted\nWhen(a.ConfigMap)\n  .IsDeleted()\n  .WithLabel("change", "by-label")\n  .Validate(request => {\n    // Log and then always approve the request\n    Log.info("CM with label \'change=by-label\' was deleted.");\n    return request.Approve();\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 4)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action show how you can use the `Mutate()` function without an inline function.\n * This is useful if you want to keep your actions small and focused on a single task,\n * or if you want to reuse the same function in multiple actions.\n */\nWhen(a.ConfigMap).IsCreated().WithName("example-4").Mutate(example4Cb);\n\n// This function uses the complete type definition, but is not required.\nfunction example4Cb(cm: PeprMutateRequest<a.ConfigMap>) {\n  cm.SetLabel("pepr.dev/first", "true");\n  cm.SetLabel("pepr.dev/second", "true");\n  cm.SetLabel("pepr.dev/third", "true");\n}\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 4a)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This is the same as Example 4, except this only operates on a CM in the `pepr-demo-2` namespace.\n * Note because the Capability defines namespaces, the namespace specified here must be one of those.\n * Alternatively, you can remove the namespace from the Capability definition and specify it here.\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .InNamespace("pepr-demo-2")\n  .WithName("example-4a")\n  .Mutate(example4Cb);\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 5)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action is a bit more complex. It will look for any ConfigMap in the `pepr-demo`\n * namespace that has the label `chuck-norris` during CREATE. When it finds one, it will fetch a\n * random Chuck Norris joke from the API and add it to the ConfigMap. This is a great example of how\n * you can use Pepr to make changes to your K8s objects based on external data.\n *\n * Note the use of the `async` keyword. This is required for any action that uses `await` or `fetch()`.\n *\n * Also note we are passing a type to the `fetch()` function. This is optional, but it will help you\n * avoid mistakes when working with the data returned from the API. You can also use the `as` keyword to\n * cast the data returned from the API.\n *\n * These are equivalent:\n * ```ts\n * const joke = await fetch<TheChuckNorrisJoke>("https://icanhazdadjoke.com/");\n * const joke = await fetch("https://icanhazdadjoke.com/") as TheChuckNorrisJoke;\n * ```\n *\n * Alternatively, you can drop the type completely:\n *\n * ```ts\n * fetch("https://icanhazdadjoke.com")\n * ```\n */\ninterface TheChuckNorrisJoke {\n  id: string;\n  joke: string;\n  status: number;\n}\n\nWhen(a.ConfigMap)\n  .IsCreatedOrUpdated()\n  .WithLabel("chuck-norris")\n  .Mutate(cm => cm.SetLabel("got-jokes", "true"))\n  .Watch(async cm => {\n    const jokeURL = "https://icanhazdadjoke.com";\n\n    const mockAgent: MockAgent = new MockAgent();\n    setGlobalDispatcher(mockAgent);\n    const mockClient = mockAgent.get(jokeURL);\n    mockClient.intercept({ path: "/", method: "GET" }).reply(\n      200,\n      {\n        id: "R7UfaahVfFd",\n        joke: "Funny joke goes here.",\n        status: 200,\n      },\n      {\n        headers: {\n          "Content-Type": "application/json; charset=utf-8",\n        },\n      },\n    );\n\n    // Try/catch is not needed as a response object will always be returned\n    const response = await fetch<TheChuckNorrisJoke>(jokeURL, {\n      headers: {\n        Accept: "application/json",\n      },\n    });\n\n    // Instead, check the `response.ok` field\n    if (response.ok) {\n      const { joke } = response.data;\n      // Add Joke to the Store\n      await Store.setItemAndWait(jokeURL, joke);\n      // Add the Chuck Norris joke to the configmap\n      try {\n        await K8s(kind.ConfigMap).Apply({\n          metadata: {\n            name: cm.metadata.name,\n            namespace: cm.metadata.namespace,\n          },\n          data: {\n            "chuck-says": Store.getItem(jokeURL),\n          },\n        });\n      } catch (error) {\n        Log.error(error, "Failed to apply ConfigMap using server-side apply.", {\n          cm,\n        });\n      }\n    }\n\n    // You can also assert on different HTTP response codes\n    if (response.status === fetchStatus.NOT_FOUND) {\n      // Do something else\n      return;\n    }\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (Secret Base64 Handling)                      *\n * ---------------------------------------------------------------------------------------------------\n *\n * The K8s JS client provides incomplete support for base64 encoding/decoding handling for secrets,\n * unlike the GO client. To make this less painful, Pepr automatically handles base64 encoding/decoding\n * secret data before and after the action is executed.\n */\nWhen(a.Secret)\n  .IsCreated()\n  .WithName("secret-1")\n  .Mutate(request => {\n    const secret = request.Raw;\n\n    // This will be encoded at the end of all processing back to base64: "Y2hhbmdlLXdpdGhvdXQtZW5jb2Rpbmc="\n    secret.data.magic = "change-without-encoding";\n\n    // You can modify the data directly, and it will be encoded at the end of all processing\n    secret.data.example += " - modified by Pepr";\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (Untyped Custom Resource)                     *\n * ---------------------------------------------------------------------------------------------------\n *\n * Out of the box, Pepr supports all the standard Kubernetes objects. However, you can also create\n * your own types. This is useful if you are working with an Operator that creates custom resources.\n * There are two ways to do this, the first is to use the `When()` function with a `GenericKind`,\n * the second is to create a new class that extends `GenericKind` and use the `RegisterKind()` function.\n *\n * This example shows how to use the `When()` function with a `GenericKind`. Note that you\n * must specify the `group`, `version`, and `kind` of the object (if applicable). This is how Pepr knows\n * if the action should be triggered or not. Since we are using a `GenericKind`,\n * Pepr will not be able to provide any intellisense for the object, so you will need to refer to the\n * Kubernetes API documentation for the object you are working with.\n *\n * You will need to wait for the CRD in `hello-pepr.samples.yaml` to be created, then you can apply\n *\n * ```yaml\n * apiVersion: pepr.dev/v1\n * kind: Unicorn\n * metadata:\n *   name: example-1\n *   namespace: pepr-demo\n * spec:\n *   message: replace-me\n *   counter: 0\n * ```\n */\nWhen(a.GenericKind, {\n  group: "pepr.dev",\n  version: "v1",\n  kind: "Unicorn",\n})\n  .IsCreated()\n  .WithName("example-1")\n  .Mutate(request => {\n    request.Merge({\n      spec: {\n        message: "Hello Pepr without type data!",\n        counter: Math.random(),\n      },\n    });\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (Typed Custom Resource)                       *\n * ---------------------------------------------------------------------------------------------------\n *\n * This example shows how to use the `RegisterKind()` function to create a new type. This is useful\n * if you are working with an Operator that creates custom resources and you want to have intellisense\n * for the object. Note that you must specify the `group`, `version`, and `kind` of the object (if applicable)\n * as this is how Pepr knows if the action should be triggered or not.\n *\n * Once you register a new Kind with Pepr, you can use the `When()` function with the new Kind. Ideally,\n * you should register custom Kinds at the top of your Capability file or Pepr Module so they are available\n * to all actions, but we are putting it here for demonstration purposes.\n *\n * You will need to wait for the CRD in `hello-pepr.samples.yaml` to be created, then you can apply\n *\n * ```yaml\n * apiVersion: pepr.dev/v1\n * kind: Unicorn\n * metadata:\n *   name: example-2\n *   namespace: pepr-demo\n * spec:\n *   message: replace-me\n *   counter: 0\n * ```*\n */\nclass UnicornKind extends a.GenericKind {\n  spec: {\n    /**\n     * JSDoc comments can be added to explain more details about the field.\n     *\n     * @example\n     * ```ts\n     * request.Raw.spec.message = "Hello Pepr!";\n     * ```\n     * */\n    message: string;\n    counter: number;\n  };\n}\n\nRegisterKind(UnicornKind, {\n  group: "pepr.dev",\n  version: "v1",\n  kind: "Unicorn",\n});\n\nWhen(UnicornKind)\n  .IsCreated()\n  .WithName("example-2")\n  .Mutate(request => {\n    request.Merge({\n      spec: {\n        message: "Hello Pepr with type data!",\n        counter: Math.random(),\n      },\n    });\n  });\n\n/**\n * A callback function that is called once the Pepr Store is fully loaded.\n */\nStore.onReady(data => {\n  Log.info(data, "Pepr Store Ready");\n});\n';
-var packageJSON = { name: "pepr", description: "Kubernetes application engine", author: "Defense Unicorns", homepage: "https://github.com/defenseunicorns/pepr", license: "Apache-2.0", bin: "dist/cli.js", repository: "defenseunicorns/pepr", engines: { node: ">=18.0.0" }, files: ["/dist", "/src", "!src/**/*.test.ts", "!dist/**/*.test.d.ts*"], version: "0.42.2", main: "dist/lib.js", types: "dist/lib.d.ts", scripts: { ci: "npm ci", "gen-data-json": "node hack/build-template-data.js", prebuild: "rm -fr dist/* && npm run gen-data-json", version: "node scripts/set-version.js", build: "tsc && node build.mjs && npm pack", "build:image": "npm run build && docker buildx build --output type=docker --tag pepr:dev .", test: "npm run test:unit && npm run test:journey", "test:unit": "npm run gen-data-json && jest src --coverage --detectOpenHandles --coverageDirectory=./coverage --testPathIgnorePatterns='cosign.e2e.test.ts'", "test:journey": "npm run test:journey:k3d && npm run build && npm run test:journey:image && npm run test:journey:run", "test:journey:prep": "if [ ! -d ./pepr-upgrade-test ]; then git clone https://github.com/defenseunicorns/pepr-upgrade-test.git ; fi", "test:journey-wasm": "npm run test:journey:k3d && npm run build && npm run test:journey:image && npm run test:journey:run-wasm", "test:journey:k3d": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0' --wait && kubectl rollout status deployment -n kube-system", "test:journey:image": "docker buildx build --output type=docker --tag pepr:dev . && k3d image import pepr:dev -c pepr-dev", "test:journey:run": "jest --detectOpenHandles journey/entrypoint.test.ts && npm run test:journey:prep && npm run test:journey:upgrade", "test:journey:run-wasm": "jest --detectOpenHandles journey/entrypoint-wasm.test.ts", "test:journey:upgrade": "npm run test:journey:k3d && npm run test:journey:image && jest --detectOpenHandles journey/pepr-upgrade.test.ts", "format:check": "eslint src && prettier src --check", "format:fix": "eslint src --fix && prettier src --write", prepare: `if [ "$NODE_ENV" != 'production' ]; then husky; fi` }, dependencies: { "@types/ramda": "0.30.2", express: "4.21.2", "fast-json-patch": "3.1.1", "follow-redirects": "1.15.9", "http-status-codes": "^2.3.0", "json-pointer": "^0.6.2", "kubernetes-fluent-client": "3.3.7", pino: "9.6.0", "pino-pretty": "13.0.0", "prom-client": "15.1.3", ramda: "0.30.1", sigstore: "3.0.0" }, devDependencies: { "@commitlint/cli": "19.6.1", "@commitlint/config-conventional": "19.6.0", "@fast-check/jest": "^2.0.1", "@jest/globals": "29.7.0", "@types/eslint": "9.6.1", "@types/express": "5.0.0", "@types/follow-redirects": "1.14.4", "@types/json-pointer": "^1.0.34", "@types/node": "22.x.x", "@types/node-forge": "1.3.11", "@types/uuid": "10.0.0", "fast-check": "^3.19.0", husky: "^9.1.6", jest: "29.7.0", "js-yaml": "^4.1.0", "ts-jest": "29.2.5", undici: "^7.0.1" }, peerDependencies: { "@typescript-eslint/eslint-plugin": "7.18.0", "@typescript-eslint/parser": "7.18.0", "@types/prompts": "2.4.9", eslint: "8.57.0", commander: "12.1.0", esbuild: "0.24.0", "node-forge": "1.3.1", prettier: "3.4.2", prompts: "2.4.2", typescript: "^5.3.3", uuid: "11.0.3" } };
+var packageJSON = { name: "pepr", description: "Kubernetes application engine", author: "Defense Unicorns", homepage: "https://github.com/defenseunicorns/pepr", license: "Apache-2.0", bin: "dist/cli.js", repository: "defenseunicorns/pepr", engines: { node: ">=18.0.0" }, files: ["/dist", "/src", "!src/**/*.test.ts", "!dist/**/*.test.d.ts*"], version: "0.43.0", main: "dist/lib.js", types: "dist/lib.d.ts", scripts: { ci: "npm ci", "gen-data-json": "node hack/build-template-data.js", prebuild: "rm -fr dist/* && npm run gen-data-json", version: "node scripts/set-version.js", build: "tsc && node build.mjs && npm pack", "build:image": "npm run build && docker buildx build --output type=docker --tag pepr:dev .", test: "npm run test:unit && npm run test:journey", "test:unit": "npm run gen-data-json && jest src --coverage --detectOpenHandles --coverageDirectory=./coverage --testPathIgnorePatterns='cosign.e2e.test.ts'", "test:integration": "npm run test:integration:prep && npm run test:integration:run", "test:integration:prep": "./integration/prep.sh", "test:integration:run": "jest --maxWorkers=4 integration", "test:journey": "npm run test:journey:k3d && npm run build && npm run test:journey:image && npm run test:journey:run", "test:journey:prep": "if [ ! -d ./pepr-upgrade-test ]; then git clone https://github.com/defenseunicorns/pepr-upgrade-test.git ; fi", "test:journey-wasm": "npm run test:journey:k3d && npm run build && npm run test:journey:image && npm run test:journey:run-wasm", "test:journey:k3d": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0' --wait && kubectl rollout status deployment -n kube-system", "test:journey:image": "docker buildx build --output type=docker --tag pepr:dev . && k3d image import pepr:dev -c pepr-dev", "test:journey:run": "jest --detectOpenHandles journey/entrypoint.test.ts && npm run test:journey:prep && npm run test:journey:upgrade", "test:journey:run-wasm": "jest --detectOpenHandles journey/entrypoint-wasm.test.ts", "test:journey:upgrade": "npm run test:journey:k3d && npm run test:journey:image && jest --detectOpenHandles journey/pepr-upgrade.test.ts", "format:check": "eslint src && prettier src --check", "format:fix": "eslint src --fix && prettier src --write", prepare: `if [ "$NODE_ENV" != 'production' ]; then husky; fi` }, dependencies: { "@types/ramda": "0.30.2", express: "4.21.2", "fast-json-patch": "3.1.1", "follow-redirects": "1.15.9", "http-status-codes": "^2.3.0", "json-pointer": "^0.6.2", "kubernetes-fluent-client": "3.3.8", pino: "9.6.0", "pino-pretty": "13.0.0", "prom-client": "15.1.3", ramda: "0.30.1", sigstore: "3.0.0" }, devDependencies: { "@commitlint/cli": "19.6.1", "@commitlint/config-conventional": "19.6.0", "@fast-check/jest": "^2.0.1", "@jest/globals": "29.7.0", "@types/eslint": "9.6.1", "@types/express": "5.0.0", "@types/follow-redirects": "1.14.4", "@types/json-pointer": "^1.0.34", "@types/node": "22.x.x", "@types/node-forge": "1.3.11", "@types/uuid": "10.0.0", "fast-check": "^3.19.0", husky: "^9.1.6", jest: "29.7.0", "js-yaml": "^4.1.0", "ts-jest": "29.2.5", undici: "^7.0.1" }, peerDependencies: { "@typescript-eslint/eslint-plugin": "7.18.0", "@typescript-eslint/parser": "7.18.0", "@types/prompts": "2.4.9", eslint: "8.57.0", commander: "12.1.0", esbuild: "0.24.0", "node-forge": "1.3.1", prettier: "3.4.2", prompts: "2.4.2", typescript: "^5.3.3", uuid: "11.0.3" } };
 
 // src/templates/pepr.code-snippets.json
 var pepr_code_snippets_default = {
@@ -2066,7 +1788,7 @@ var tsconfig_module_default = {
 };
 
 // src/cli/init/utils.ts
-var import_fs5 = require("fs");
+var import_fs4 = require("fs");
 function sanitizeName(name2) {
   if (typeof name2 !== "string") {
     throw TypeError(
@@ -2080,7 +1802,7 @@ function sanitizeName(name2) {
 }
 async function createDir(dir) {
   try {
-    await import_fs5.promises.mkdir(dir);
+    await import_fs4.promises.mkdir(dir);
   } catch (err) {
     if (err && err.code === "EEXIST") {
       throw new Error(`Directory ${dir} already exists`);
@@ -2093,11 +1815,11 @@ function write(path, data) {
   if (typeof data !== "string") {
     data = JSON.stringify(data, null, 2);
   }
-  return import_fs5.promises.writeFile(path, data);
+  return import_fs4.promises.writeFile(path, data);
 }
 
 // src/cli/init/templates.ts
-var { dependencies, devDependencies, peerDependencies, scripts, version: version2 } = packageJSON;
+var { dependencies, devDependencies, peerDependencies, scripts, version } = packageJSON;
 function genPkgJSON(opts, pgkVerOverride) {
   const uuid = (0, import_uuid.v5)(opts.name, (0, import_uuid.v4)());
   const name2 = sanitizeName(opts.name);
@@ -2133,7 +1855,7 @@ function genPkgJSON(opts, pgkVerOverride) {
       "k3d-setup": scripts["test:journey:k3d"]
     },
     dependencies: {
-      pepr: pgkVerOverride || version2,
+      pepr: pgkVerOverride || version,
       undici: "^7.0.1"
     },
     devDependencies: {
@@ -2196,85 +1918,244 @@ var import_commander = require("commander");
 var import_eslint = require("eslint");
 
 // src/cli/format.helpers.ts
-var import_fs6 = require("fs");
+var import_fs5 = require("fs");
 var import_prettier = require("prettier");
 async function formatWithPrettier(results, validateOnly) {
   let hasFailure = false;
   for (const { filePath } of results) {
-    const content = await import_fs6.promises.readFile(filePath, "utf8");
+    const content = await import_fs5.promises.readFile(filePath, "utf8");
     const cfg = await (0, import_prettier.resolveConfig)(filePath);
     const formatted = await (0, import_prettier.format)(content, { filepath: filePath, ...cfg });
     if (validateOnly && formatted !== content) {
       hasFailure = true;
       console.error(`File ${filePath} is not formatted correctly`);
     } else {
-      await import_fs6.promises.writeFile(filePath, formatted);
+      await import_fs5.promises.writeFile(filePath, formatted);
     }
   }
   return hasFailure;
 }
 
-// src/cli/format.ts
-function format_default(program2) {
-  program2.command("format").description("Lint and format this Pepr module").option("-v, --validate-only", "Do not modify files, only validate formatting").action(async (opts) => {
-    const success = await peprFormat(opts.validateOnly);
-    if (success) {
-      console.info("\u2705 Module formatted");
-    } else {
-      process.exit(1);
-    }
-  });
-}
-async function peprFormat(validateOnly) {
-  {
-    try {
-      const eslint2 = new import_eslint.ESLint();
-      const results = await eslint2.lintFiles(["./**/*.ts"]);
-      let hasFailure = false;
-      results.forEach(async (result) => {
-        const errorCount = result.fatalErrorCount + result.errorCount;
-        if (errorCount > 0) {
-          hasFailure = true;
-        }
-      });
-      const formatter = await eslint2.loadFormatter("stylish");
-      const resultText = await formatter.format(results, {});
-      if (resultText) {
-        console.log(resultText);
-      }
-      if (!validateOnly) {
-        await import_eslint.ESLint.outputFixes(results);
-      }
-      hasFailure = await formatWithPrettier(results, validateOnly);
-      return !hasFailure;
-    } catch (e) {
-      console.error(`Error formatting module:`, e);
-      return false;
-    }
-  }
+// src/cli/format.ts
+function format_default(program2) {
+  program2.command("format").description("Lint and format this Pepr module").option("-v, --validate-only", "Do not modify files, only validate formatting").action(async (opts) => {
+    const success = await peprFormat(opts.validateOnly);
+    if (success) {
+      console.info("\u2705 Module formatted");
+    } else {
+      process.exit(1);
+    }
+  });
+}
+async function peprFormat(validateOnly) {
+  {
+    try {
+      const eslint2 = new import_eslint.ESLint();
+      const results = await eslint2.lintFiles(["./**/*.ts"]);
+      let hasFailure = false;
+      results.forEach(async (result) => {
+        const errorCount = result.fatalErrorCount + result.errorCount;
+        if (errorCount > 0) {
+          hasFailure = true;
+        }
+      });
+      const formatter = await eslint2.loadFormatter("stylish");
+      const resultText = await formatter.format(results, {});
+      if (resultText) {
+        console.log(resultText);
+      }
+      if (!validateOnly) {
+        await import_eslint.ESLint.outputFixes(results);
+      }
+      hasFailure = await formatWithPrettier(results, validateOnly);
+      return !hasFailure;
+    } catch (e) {
+      console.error(`Error formatting module:`, e);
+      return false;
+    }
+  }
+}
+
+// src/lib/included-files.ts
+var import_fs6 = require("fs");
+async function createDockerfile(version3, description, includedFiles) {
+  const file = `
+    # Use an official Node.js runtime as the base image
+    FROM ghcr.io/defenseunicorns/pepr/controller:v${version3}
+  
+    LABEL description="${description}"
+    
+    # Add the included files to the image
+    ${includedFiles.map((f) => `ADD ${f} ${f}`).join("\n")}
+  
+    `;
+  await import_fs6.promises.writeFile("Dockerfile.controller", file, { encoding: "utf-8" });
+}
+
+// src/cli/build.helpers.ts
+var import_child_process2 = require("child_process");
+var import_esbuild = require("esbuild");
+var import_path2 = require("path");
+var import_fs8 = require("fs");
+
+// src/lib/assets/yaml/generateAllYaml.ts
+var import_crypto2 = __toESM(require("crypto"));
+var import_client_node4 = require("@kubernetes/client-node");
+var import_fs7 = require("fs");
+
+// src/lib/assets/webhooks.ts
+var import_ramda = require("ramda");
+var peprIgnoreNamespaces = ["kube-system", "pepr-system"];
+var validateRule = (binding, isMutateWebhook) => {
+  const { event, kind: kind8, isMutate, isValidate } = binding;
+  if (isMutateWebhook && !isMutate || !isMutateWebhook && !isValidate) {
+    return void 0;
+  }
+  const operations = event === "CREATEORUPDATE" /* CREATE_OR_UPDATE */ ? ["CREATE" /* CREATE */, "UPDATE" /* UPDATE */] : [event];
+  const resource = kind8.plural || `${kind8.kind.toLowerCase()}s`;
+  const ruleObject = {
+    apiGroups: [kind8.group],
+    apiVersions: [kind8.version || "*"],
+    operations,
+    resources: [resource, ...resource === "pods" ? ["pods/ephemeralcontainers"] : []]
+  };
+  return ruleObject;
+};
+function resolveIgnoreNamespaces(ignoredNSConfig = []) {
+  const ignoredNSEnv = process.env.PEPR_ADDITIONAL_IGNORED_NAMESPACES;
+  if (!ignoredNSEnv) {
+    return ignoredNSConfig;
+  }
+  const namespaces = ignoredNSEnv.split(",").map((ns) => ns.trim());
+  if (ignoredNSConfig) {
+    namespaces.push(...ignoredNSConfig);
+  }
+  return namespaces.filter((ns) => ns.length > 0);
+}
+async function generateWebhookRules(assets, isMutateWebhook) {
+  const { config, capabilities } = assets;
+  const rules = capabilities.flatMap((capability) => {
+    console.info(`Module ${config.uuid} has capability: ${capability.name}`);
+    return capability.bindings.map((binding) => validateRule(binding, isMutateWebhook)).filter((rule) => !!rule);
+  });
+  return (0, import_ramda.uniqWith)(import_ramda.equals, rules);
+}
+async function webhookConfigGenerator(assets, mutateOrValidate, timeoutSeconds = 10) {
+  const ignore = [];
+  const { name: name2, tls, config, apiToken, host } = assets;
+  const ignoreNS = (0, import_ramda.concat)(peprIgnoreNamespaces, resolveIgnoreNamespaces(config?.alwaysIgnore?.namespaces));
+  if (ignoreNS) {
+    ignore.push({
+      key: "kubernetes.io/metadata.name",
+      operator: "NotIn",
+      values: ignoreNS
+    });
+  }
+  const clientConfig = {
+    caBundle: tls.ca
+  };
+  const apiPath = `/${mutateOrValidate}/${apiToken}`;
+  if (host) {
+    clientConfig.url = `https://${host}:3000${apiPath}`;
+  } else {
+    clientConfig.service = {
+      name: name2,
+      namespace: "pepr-system",
+      path: apiPath
+    };
+  }
+  const isMutate = mutateOrValidate === "mutate" /* MUTATE */;
+  const rules = await generateWebhookRules(assets, isMutate);
+  if (rules.length < 1) {
+    return null;
+  }
+  return {
+    apiVersion: "admissionregistration.k8s.io/v1",
+    kind: isMutate ? "MutatingWebhookConfiguration" : "ValidatingWebhookConfiguration",
+    metadata: { name: name2 },
+    webhooks: [
+      {
+        name: `${name2}.pepr.dev`,
+        admissionReviewVersions: ["v1", "v1beta1"],
+        clientConfig,
+        failurePolicy: config.onError === "reject" ? "Fail" : "Ignore",
+        matchPolicy: "Equivalent",
+        timeoutSeconds,
+        namespaceSelector: {
+          matchExpressions: ignore
+        },
+        rules,
+        // @todo: track side effects state
+        sideEffects: "None"
+      }
+    ]
+  };
+}
+
+// src/lib/assets/yaml/generateAllYaml.ts
+async function generateAllYaml(assets, deployments) {
+  const { name: name2, tls, apiToken, path, config } = assets;
+  const code = await import_fs7.promises.readFile(path);
+  const hash = import_crypto2.default.createHash("sha256").update(code).digest("hex");
+  const resources = [
+    getNamespace(assets.config.customLabels?.namespace),
+    clusterRole(name2, assets.capabilities, config.rbacMode, config.rbac),
+    clusterRoleBinding(name2),
+    serviceAccount(name2),
+    apiTokenSecret(name2, apiToken),
+    tlsSecret(name2, tls),
+    deployments.default,
+    service(name2),
+    watcherService(name2),
+    getModuleSecret(name2, code, hash),
+    storeRole(name2),
+    storeRoleBinding(name2)
+  ];
+  const webhooks = {
+    mutate: await webhookConfigGenerator(assets, "mutate" /* MUTATE */, assets.config.webhookTimeout),
+    validate: await webhookConfigGenerator(assets, "validate" /* VALIDATE */, assets.config.webhookTimeout)
+  };
+  const additionalResources = [webhooks.mutate, webhooks.validate, deployments.watch].filter(
+    (resource) => resource !== null && resource !== void 0
+  );
+  resources.push(...additionalResources);
+  return resources.map((resource) => (0, import_client_node4.dumpYaml)(resource, { noRefs: true })).join("---\n");
 }
 
-// src/lib/included-files.ts
-var import_fs7 = require("fs");
-async function createDockerfile(version3, description, includedFiles) {
-  const file = `
-    # Use an official Node.js runtime as the base image
-    FROM ghcr.io/defenseunicorns/pepr/controller:v${version3}
-  
-    LABEL description="${description}"
-    
-    # Add the included files to the image
-    ${includedFiles.map((f) => `ADD ${f} ${f}`).join("\n")}
-  
-    `;
-  await import_fs7.promises.writeFile("Dockerfile.controller", file, { encoding: "utf-8" });
+// src/lib/assets/yaml/generateZarfYaml.ts
+var import_client_node5 = require("@kubernetes/client-node");
+function generateZarfYamlGeneric(assets, path, type) {
+  const manifestSettings = {
+    name: "module",
+    namespace: "pepr-system",
+    files: [path]
+  };
+  const chartSettings = {
+    name: "module",
+    namespace: "pepr-system",
+    version: `${assets.config.appVersion || "0.0.1"}`,
+    localPath: path
+  };
+  const component = {
+    name: "module",
+    required: true,
+    images: [assets.image],
+    [type]: [type === "manifests" ? manifestSettings : chartSettings]
+  };
+  const zarfCfg = {
+    kind: "ZarfPackageConfig",
+    metadata: {
+      name: assets.name,
+      description: `Pepr Module: ${assets.config.description}`,
+      url: "https://github.com/defenseunicorns/pepr",
+      version: `${assets.config.appVersion || "0.0.1"}`
+    },
+    components: [component]
+  };
+  return (0, import_client_node5.dumpYaml)(zarfCfg, { noRefs: true });
 }
 
 // src/cli/build.helpers.ts
-var import_child_process2 = require("child_process");
-var import_esbuild = require("esbuild");
-var import_path2 = require("path");
-var import_fs8 = require("fs");
 function determineRbacMode(opts, cfg) {
   if (opts.rbacMode) {
     return opts.rbacMode;
@@ -2309,17 +2190,6 @@ function validImagePullSecret(imagePullSecretName) {
     }
   }
 }
-function handleCustomImage(customImage, registry) {
-  let defaultImage = "";
-  if (customImage) {
-    if (registry) {
-      console.error(`Custom Image and registry cannot be used together.`);
-      process.exit(1);
-    }
-    defaultImage = customImage;
-  }
-  return defaultImage;
-}
 async function handleCustomImageBuild(includedFiles, peprVersion, description, image) {
   if (includedFiles.length > 0) {
     await createDockerfile(peprVersion, description, includedFiles);
@@ -2358,17 +2228,17 @@ async function generateYamlAndWriteToDisk(obj) {
   const yamlFile = `pepr-module-${uuid}.yaml`;
   const chartPath = `${uuid}-chart`;
   const yamlPath = (0, import_path2.resolve)(outputDir2, yamlFile);
-  const yaml = await assets.allYaml(imagePullSecret);
+  const yaml = await assets.allYaml(generateAllYaml, imagePullSecret);
   const zarfPath = (0, import_path2.resolve)(outputDir2, "zarf.yaml");
   let localZarf = "";
   if (zarf === "chart") {
-    localZarf = assets.zarfYamlChart(chartPath);
+    localZarf = assets.zarfYamlChart(generateZarfYamlGeneric, chartPath);
   } else {
-    localZarf = assets.zarfYaml(yamlFile);
+    localZarf = assets.zarfYaml(generateZarfYamlGeneric, yamlFile);
   }
   await import_fs8.promises.writeFile(yamlPath, yaml);
   await import_fs8.promises.writeFile(zarfPath, localZarf);
-  await assets.generateHelmChart(outputDir2);
+  await assets.generateHelmChart(webhookConfigGenerator, outputDir2);
   console.info(`\u2705 K8s resource for the module saved to ${yamlPath}`);
 }
 
@@ -2379,27 +2249,34 @@ function build_default(program2) {
   program2.command("build").description("Build a Pepr Module for deployment").option("-e, --entry-point [file]", "Specify the entry point file to build with.", peprTS2).option(
     "-n, --no-embed",
     "Disables embedding of deployment files into output module.  Useful when creating library modules intended solely for reuse/distribution via NPM."
-  ).option(
-    "-i, --custom-image <custom-image>",
-    "Custom Image: Use custom image for Admission and Watch Deployments."
-  ).option(
-    "-r, --registry-info [<registry>/<username>]",
-    "Registry Info: Image registry and username. Note: You must be signed into the registry"
+  ).addOption(
+    new import_commander.Option(
+      "-i, --custom-image <custom-image>",
+      "Specify a custom image (including version) for Admission and Watch Deployments. Example: 'docker.io/username/custom-pepr-controller:v1.0.0'"
+    ).conflicts(["version", "registryInfo", "registry"])
+  ).addOption(
+    new import_commander.Option(
+      "-r, --registry-info [<registry>/<username>]",
+      "Provide the image registry and username for building and pushing a custom WASM container. Requires authentication. Builds and pushes 'registry/username/custom-pepr-controller:<current-version>'."
+    ).conflicts(["customImage", "version", "registry"])
   ).option("-o, --output-dir <output directory>", "Define where to place build output").option(
     "--timeout <timeout>",
     "How long the API server should wait for a webhook to respond before treating the call as a failure",
     parseTimeout
-  ).option(
-    "-v, --version <version>. Example: '0.27.3'",
-    "The version of the Pepr image to use in the deployment manifests."
+  ).addOption(
+    new import_commander.Option(
+      "-v, --version <version>",
+      "The version of the Pepr image to use in the deployment manifests. Example: '0.27.3'."
+    ).conflicts(["customImage", "registryInfo"])
   ).option(
     "--withPullSecret <imagePullSecret>",
-    "Image Pull Secret: Use image pull secret for controller Deployment."
+    "Image Pull Secret: Use image pull secret for controller Deployment.",
+    ""
   ).addOption(
     new import_commander.Option(
       "--registry <GitHub|Iron Bank>",
       "Container registry: Choose container registry for deployment manifests. Can't be used with --custom-image."
-    ).choices(["GitHub", "Iron Bank"])
+    ).conflicts(["customImage", "registryInfo"]).choices(["GitHub", "Iron Bank"])
   ).addOption(
     new import_commander.Option(
       "-z, --zarf [manifest|chart]",
@@ -2415,7 +2292,7 @@ function build_default(program2) {
     if (buildModuleResult?.cfg && buildModuleResult.path && buildModuleResult.uuid) {
       const { cfg, path, uuid } = buildModuleResult;
       const { includedFiles } = cfg.pepr;
-      let image = handleCustomImage(opts.customImage, opts.registry);
+      let image = opts.customImage || "";
       if (opts.timeout !== void 0) {
         cfg.pepr.webhookTimeout = opts.timeout;
       }
@@ -2431,10 +2308,14 @@ function build_default(program2) {
           ...cfg.pepr,
           appVersion: cfg.version,
           description: cfg.description,
+          alwaysIgnore: {
+            namespaces: cfg.pepr.alwaysIgnore?.namespaces
+          },
           // Can override the rbacMode with the CLI option
           rbacMode: determineRbacMode(opts, cfg)
         },
-        path
+        path,
+        opts.withPullSecret === "" ? [] : [opts.withPullSecret]
       );
       image = checkIronBankImage(opts.registry, image, cfg.pepr.peprVersion);
       image !== "" ? assets.image = image : null;
@@ -2470,7 +2351,7 @@ async function loadModule(entryPoint = peprTS2) {
   const cfg = JSON.parse(moduleText);
   const { uuid } = cfg.pepr;
   const name2 = `pepr-${uuid}.js`;
-  cfg.pepr.peprVersion = version2;
+  cfg.pepr.peprVersion = version;
   if (!uuid) {
     throw new Error("Could not load the uuid in package.json");
   }
@@ -2576,6 +2457,169 @@ async function checkFormat() {
 // src/cli/deploy.ts
 var import_prompts = __toESM(require("prompts"));
 
+// src/lib/assets/deploy.ts
+var import_crypto3 = __toESM(require("crypto"));
+var import_fs10 = require("fs");
+var import_kubernetes_fluent_client3 = require("kubernetes-fluent-client");
+
+// src/lib/k8s.ts
+var import_kubernetes_fluent_client2 = require("kubernetes-fluent-client");
+var Store = class extends import_kubernetes_fluent_client2.GenericKind {
+};
+var peprStoreGVK = {
+  kind: "PeprStore",
+  version: "v1",
+  group: "pepr.dev"
+};
+(0, import_kubernetes_fluent_client2.RegisterKind)(Store, peprStoreGVK);
+
+// src/lib/assets/store.ts
+var { group, version: version2, kind: kind2 } = peprStoreGVK;
+var singular = kind2.toLocaleLowerCase();
+var plural = `${singular}s`;
+var name = `${plural}.${group}`;
+var peprStoreCRD = {
+  apiVersion: "apiextensions.k8s.io/v1",
+  kind: "CustomResourceDefinition",
+  metadata: {
+    name
+  },
+  spec: {
+    group,
+    versions: [
+      {
+        // typescript doesn't know this is really already set, which is kind of annoying
+        name: version2 || "v1",
+        served: true,
+        storage: true,
+        schema: {
+          openAPIV3Schema: {
+            type: "object",
+            properties: {
+              data: {
+                type: "object",
+                additionalProperties: {
+                  type: "string"
+                }
+              }
+            }
+          }
+        }
+      }
+    ],
+    scope: "Namespaced",
+    names: {
+      plural,
+      singular,
+      kind: kind2
+    }
+  }
+};
+
+// src/lib/assets/deploy.ts
+async function deployImagePullSecret(imagePullSecret, name2) {
+  try {
+    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Namespace).Get("pepr-system");
+  } catch {
+    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Namespace).Apply(getNamespace());
+  }
+  try {
+    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Secret).Apply(
+      {
+        apiVersion: "v1",
+        kind: "Secret",
+        metadata: {
+          name: name2,
+          namespace: "pepr-system"
+        },
+        type: "kubernetes.io/dockerconfigjson",
+        data: {
+          ".dockerconfigjson": Buffer.from(JSON.stringify(imagePullSecret)).toString("base64")
+        }
+      },
+      { force: true }
+    );
+  } catch (e) {
+    logger_default.error(e);
+  }
+}
+async function handleWebhookConfiguration(assets, type, webhookTimeout, force) {
+  const kindMap = {
+    mutate: import_kubernetes_fluent_client3.kind.MutatingWebhookConfiguration,
+    validate: import_kubernetes_fluent_client3.kind.ValidatingWebhookConfiguration
+  };
+  const webhookConfig = await webhookConfigGenerator(assets, type, webhookTimeout);
+  if (webhookConfig) {
+    logger_default.info(`Applying ${type} webhook`);
+    await (0, import_kubernetes_fluent_client3.K8s)(kindMap[type]).Apply(webhookConfig, { force });
+  } else {
+    logger_default.info(`${type.charAt(0).toUpperCase() + type.slice(1)} webhook not needed, removing if it exists`);
+    await (0, import_kubernetes_fluent_client3.K8s)(kindMap[type]).Delete(assets.name);
+  }
+}
+async function deployWebhook(assets, force, webhookTimeout) {
+  logger_default.info("Establishing connection to Kubernetes");
+  logger_default.info("Applying pepr-system namespace");
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Namespace).Apply(getNamespace(assets.config.customLabels?.namespace));
+  await handleWebhookConfiguration(assets, "mutate" /* MUTATE */, webhookTimeout, force);
+  await handleWebhookConfiguration(assets, "validate" /* VALIDATE */, webhookTimeout, force);
+  logger_default.info("Applying the Pepr Store CRD if it doesn't exist");
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.CustomResourceDefinition).Apply(peprStoreCRD, { force });
+  if (assets.host) return;
+  const code = await import_fs10.promises.readFile(assets.path);
+  if (!code.length) throw new Error("No code provided");
+  const hash = import_crypto3.default.createHash("sha256").update(code).digest("hex");
+  await setupRBAC(assets.name, assets.capabilities, force, assets.config);
+  await setupController(assets, code, hash, force);
+  await setupWatcher(assets, hash, force);
+}
+async function setupRBAC(name2, capabilities, force, config) {
+  const { rbacMode, rbac } = config;
+  logger_default.info("Applying cluster role binding");
+  const crb = clusterRoleBinding(name2);
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.ClusterRoleBinding).Apply(crb, { force });
+  logger_default.info("Applying cluster role");
+  const cr = clusterRole(name2, capabilities, rbacMode, rbac);
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.ClusterRole).Apply(cr, { force });
+  logger_default.info("Applying service account");
+  const sa = serviceAccount(name2);
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.ServiceAccount).Apply(sa, { force });
+  logger_default.info("Applying store role");
+  const role = storeRole(name2);
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Role).Apply(role, { force });
+  logger_default.info("Applying store role binding");
+  const roleBinding = storeRoleBinding(name2);
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.RoleBinding).Apply(roleBinding, { force });
+}
+async function setupController(assets, code, hash, force) {
+  const { name: name2 } = assets;
+  logger_default.info("Applying module secret");
+  const mod = getModuleSecret(name2, code, hash);
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Secret).Apply(mod, { force });
+  logger_default.info("Applying controller service");
+  const svc = service(name2);
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Service).Apply(svc, { force });
+  logger_default.info("Applying TLS secret");
+  const tls = tlsSecret(name2, assets.tls);
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Secret).Apply(tls, { force });
+  logger_default.info("Applying API token secret");
+  const apiToken = apiTokenSecret(name2, assets.apiToken);
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Secret).Apply(apiToken, { force });
+  logger_default.info("Applying deployment");
+  const dep = getDeployment(assets, hash, assets.buildTimestamp);
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Deployment).Apply(dep, { force });
+}
+async function setupWatcher(assets, hash, force) {
+  const watchDeployment = getWatcher(assets, hash, assets.buildTimestamp);
+  if (watchDeployment) {
+    logger_default.info("Applying watcher deployment");
+    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Deployment).Apply(watchDeployment, { force });
+    logger_default.info("Applying watcher service");
+    const watchSvc = watcherService(assets.name);
+    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Service).Apply(watchSvc, { force });
+  }
+}
+
 // src/lib/deploymentChecks.ts
 var import_kubernetes_fluent_client4 = require("kubernetes-fluent-client");
 async function checkDeploymentStatus(namespace) {
@@ -2689,11 +2733,12 @@ function deploy_default(program2) {
     }
     const webhook = new Assets(
       { ...builtModule.cfg.pepr, description: builtModule.cfg.description },
-      builtModule.path
+      builtModule.path,
+      []
     );
     webhook.image = opts.image ?? webhook.image;
     try {
-      await webhook.deploy(opts.force, builtModule.cfg.pepr.webhookTimeout ?? 10);
+      await webhook.deploy(deployWebhook, opts.force, builtModule.cfg.pepr.webhookTimeout ?? 10);
       validateCapabilityNames(webhook.capabilities);
       await namespaceDeploymentsReady();
       console.info(`\u2705 Module deployed successfully`);
@@ -2705,10 +2750,10 @@ function deploy_default(program2) {
 }
 
 // src/cli/dev.ts
-var import_child_process4 = require("child_process");
-var import_fs10 = require("fs");
 var import_prompts2 = __toESM(require("prompts"));
+var import_child_process4 = require("child_process");
 var import_kubernetes_fluent_client5 = require("kubernetes-fluent-client");
+var import_fs11 = require("fs");
 function dev_default(program2) {
   program2.command("dev").description("Setup a local webhook development environment").option("-h, --host [host]", "Host to listen on", "host.k3d.internal").option("--confirm", "Skip confirmation prompt").action(async (opts) => {
     if (!opts.confirm) {
@@ -2730,8 +2775,8 @@ function dev_default(program2) {
       path,
       opts.host
     );
-    await import_fs10.promises.writeFile("insecure-tls.crt", webhook.tls.pem.crt);
-    await import_fs10.promises.writeFile("insecure-tls.key", webhook.tls.pem.key);
+    await import_fs11.promises.writeFile("insecure-tls.crt", webhook.tls.pem.crt);
+    await import_fs11.promises.writeFile("insecure-tls.key", webhook.tls.pem.key);
     try {
       let program3;
       const name2 = `pepr-${cfg.pepr.uuid}`;
@@ -2739,7 +2784,7 @@ function dev_default(program2) {
       const store = `pepr-${cfg.pepr.uuid}-store`;
       const runFork = async () => {
         console.info(`Running module ${path}`);
-        await webhook.deploy(false, 30);
+        await webhook.deploy(deployWebhook, false, 30);
         try {
           validateCapabilityNames(webhook.capabilities);
         } catch (e) {
@@ -2790,7 +2835,7 @@ function dev_default(program2) {
 }
 
 // src/cli/monitor.ts
-var import_client_node4 = require("@kubernetes/client-node");
+var import_client_node6 = require("@kubernetes/client-node");
 var import_kubernetes_fluent_client6 = require("kubernetes-fluent-client");
 var import_stream = __toESM(require("stream"));
 function monitor_default(program2) {
@@ -2826,9 +2871,9 @@ function getLabelsAndErrorMessage(uuid) {
   return { labels, errorMessage };
 }
 function getK8sLogFromKubeConfig() {
-  const kc = new import_client_node4.KubeConfig();
+  const kc = new import_client_node6.KubeConfig();
   kc.loadFromDefault();
-  return new import_client_node4.Log(kc);
+  return new import_client_node6.Log(kc);
 }
 function createLogStream() {
   const logStream = new import_stream.default.PassThrough();
@@ -2884,7 +2929,7 @@ var import_path4 = require("path");
 var import_prompts4 = __toESM(require("prompts"));
 
 // src/cli/init/walkthrough.ts
-var import_fs11 = require("fs");
+var import_fs12 = require("fs");
 var import_prompts3 = __toESM(require("prompts"));
 
 // src/cli/init/enums.ts
@@ -2915,7 +2960,7 @@ async function setName(name2) {
     validate: async (val) => {
       try {
         const name3 = sanitizeName(val);
-        await import_fs11.promises.access(name3, import_fs11.promises.constants.F_OK);
+        await import_fs12.promises.access(name3, import_fs12.promises.constants.F_OK);
         return "A directory with this name already exists";
       } catch (e) {
         return val.length > 2 || "The name must be at least 3 characters long";
@@ -3083,9 +3128,9 @@ function uuid_default(program2) {
     } else {
       deployments = await (0, import_kubernetes_fluent_client7.K8s)(import_kubernetes_fluent_client7.kind.Deployment).InNamespace("pepr-system").WithLabel("pepr.dev/uuid", uuid).Get();
     }
-    deployments.items.map((deploy2) => {
-      const uuid2 = deploy2.metadata?.labels?.["pepr.dev/uuid"] || "";
-      const description = deploy2.metadata?.annotations?.["pepr.dev/description"] || "";
+    deployments.items.map((deploy) => {
+      const uuid2 = deploy.metadata?.labels?.["pepr.dev/uuid"] || "";
+      const description = deploy.metadata?.annotations?.["pepr.dev/description"] || "";
       if (uuid2 !== "") {
         uuidTable[uuid2] = description;
       }
@@ -3110,7 +3155,7 @@ var RootCmd = class extends import_commander2.Command {
 
 // src/cli/update.ts
 var import_child_process6 = require("child_process");
-var import_fs12 = __toESM(require("fs"));
+var import_fs13 = __toESM(require("fs"));
 var import_path5 = require("path");
 var import_prompts5 = __toESM(require("prompts"));
 function update_default(program2) {
@@ -3150,12 +3195,12 @@ function update_default(program2) {
         await write((0, import_path5.resolve)(".vscode", snippet.path), snippet.data);
         await write((0, import_path5.resolve)(".vscode", codeSettings.path), codeSettings.data);
         const samplePath = (0, import_path5.resolve)("capabilities", samplesYaml.path);
-        if (import_fs12.default.existsSync(samplePath)) {
-          import_fs12.default.unlinkSync(samplePath);
+        if (import_fs13.default.existsSync(samplePath)) {
+          import_fs13.default.unlinkSync(samplePath);
           await write(samplePath, samplesYaml.data);
         }
         const tsPath = (0, import_path5.resolve)("capabilities", helloPepr.path);
-        if (import_fs12.default.existsSync(tsPath)) {
+        if (import_fs13.default.existsSync(tsPath)) {
           await write(tsPath, helloPepr.data);
         }
       }
@@ -3202,7 +3247,7 @@ var program = new RootCmd();
 if (!process.env.PEPR_NODE_WARNINGS) {
   process.removeAllListeners("warning");
 }
-program.version(version2).description(`Pepr (v${version2}) - Type safe K8s middleware for humans`).action(() => {
+program.version(version).description(`Pepr (v${version}) - Type safe K8s middleware for humans`).action(() => {
   if (program.args.length < 1) {
     console.log(banner);
     program.help();