pepr 0.42.2 → 0.43.0

package/src/lib/assets/helm.ts

@@ -99,8 +99,13 @@ export function watcherDeployTemplate(buildTimestamp: string): string {
               - name: watcher
                 image: {{ .Values.watcher.image }}
                 imagePullPolicy: IfNotPresent
-                command:
-                  - node
+                {{- if gt (len .Values.imagePullSecrets) 0 }}
+                imagePullSecrets:
+                  {{- range .Values.imagePullSecrets }}
+                  - name: {{ . }}
+                  {{- end }}
+                {{- end }}
+                args:
                   - /app/node_modules/pepr/dist/controller.js
                   - {{ .Values.hash }}
                 readinessProbe:
@@ -115,6 +120,10 @@ export function watcherDeployTemplate(buildTimestamp: string): string {
                   {{- toYaml .Values.watcher.env | nindent 12 }}
                   - name: PEPR_WATCH_MODE
                     value: "true"
+                  {{- if .Values.additionalIgnoredNamespaces }}
+                  - name: PEPR_ADDITIONAL_IGNORED_NAMESPACES
+                    value: "{{ join ", " .Values.additionalIgnoredNamespaces }}"
+                  {{- end }}
                 envFrom:
                   {{- toYaml .Values.watcher.envFrom | nindent 12 }}
                 securityContext:
@@ -179,8 +188,13 @@ export function admissionDeployTemplate(buildTimestamp: string): string {
               - name: server
                 image: {{ .Values.admission.image }}
                 imagePullPolicy: IfNotPresent
-                command:
-                  - node
+                {{- if gt (len .Values.imagePullSecrets) 0 }}
+                imagePullSecrets:
+                  {{- range .Values.imagePullSecrets }}
+                  - name: {{ . }}
+                  {{- end }}
+                {{- end }}
+                args:
                   - /app/node_modules/pepr/dist/controller.js
                   - {{ .Values.hash }}
                 readinessProbe:
@@ -195,6 +209,10 @@ export function admissionDeployTemplate(buildTimestamp: string): string {
                   {{- toYaml .Values.admission.env | nindent 12 }}
                   - name: PEPR_WATCH_MODE
                     value: "false"
+                  {{- if .Values.additionalIgnoredNamespaces }}
+                  - name: PEPR_ADDITIONAL_IGNORED_NAMESPACES
+                    value: "{{ join ", " .Values.additionalIgnoredNamespaces }}"
+                  {{- end }}
                 envFrom:
                   {{- toYaml .Values.admission.envFrom | nindent 12 }}
                 securityContext:

package/src/lib/assets/index.ts

@@ -1,57 +1,59 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-import crypto from "crypto";
 import { dumpYaml } from "@kubernetes/client-node";
 import { kind } from "kubernetes-fluent-client";
-import { ModuleConfig } from "../core/module";
-import { TLSOut, genTLS } from "../tls";
-import { CapabilityExport } from "../types";
-import { WebhookIgnore } from "../k8s";
-import { deploy } from "./deploy";
-import { loadCapabilities } from "./loader";
-import { allYaml, zarfYaml, overridesFile, zarfYamlChart } from "./yaml";
-import { namespaceComplianceValidator, replaceString } from "../helpers";
-import { dedent } from "../helpers";
+import { replaceString } from "../helpers";
 import { resolve } from "path";
-import {
-  chartYaml,
-  namespaceTemplate,
-  admissionDeployTemplate,
-  watcherDeployTemplate,
-  clusterRoleTemplate,
-  serviceMonitorTemplate,
-} from "./helm";
-import { promises as fs } from "fs";
-import { webhookConfig } from "./webhooks";
-import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking";
-import { getWatcher, getModuleSecret } from "./pods";
-
-import { clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";
-import { createDirectoryIfNotExists } from "../filesystemService";
+import { ModuleConfig } from "../core/module";
 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
-function toYaml(obj: any): string {
+export function toYaml(obj: any): string {
   return dumpYaml(obj, { noRefs: true });
 }
 
-function createWebhookYaml(
-  assets: Assets,
+// Unit Test Me!!
+export function createWebhookYaml(
+  name: string,
+  config: ModuleConfig,
   webhookConfiguration: kind.MutatingWebhookConfiguration | kind.ValidatingWebhookConfiguration,
 ): string {
   const yaml = toYaml(webhookConfiguration);
-  return replaceString(
-    replaceString(
-      replaceString(yaml, assets.name, "{{ .Values.uuid }}"),
-      assets.config.onError === "reject" ? "Fail" : "Ignore",
-      "{{ .Values.admission.failurePolicy }}",
-    ),
-    `${assets.config.webhookTimeout}` || "10",
-    "{{ .Values.admission.webhookTimeout }}",
-  );
+  const replacements = [
+    { search: name, replace: "{{ .Values.uuid }}" },
+    {
+      search: config.onError === "reject" ? "Fail" : "Ignore",
+      replace: "{{ .Values.admission.failurePolicy }}",
+    },
+    {
+      search: `${config.webhookTimeout}` || "10",
+      replace: "{{ .Values.admission.webhookTimeout }}",
+    },
+    {
+      search: `
+        - key: kubernetes.io/metadata.name
+          operator: NotIn
+          values:
+            - kube-system
+            - pepr-system
+`,
+      replace: `
+        - key: kubernetes.io/metadata.name
+          operator: NotIn
+          values:
+            - kube-system
+            - pepr-system
+            {{- range .Values.additionalIgnoredNamespaces }}
+            - {{ . }}
+            {{- end }}
+`,
+    },
+  ];
+
+  return replacements.reduce((updatedYaml, { search, replace }) => replaceString(updatedYaml, search, replace), yaml);
 }
 
-function helmLayout(basePath: string, unique: string): Record<string, Record<string, string>> {
+export function helmLayout(basePath: string, unique: string): Record<string, Record<string, string>> {
   const helm: Record<string, Record<string, string>> = {
     dirs: {
       chart: resolve(`${basePath}/${unique}-chart`),
@@ -90,115 +92,3 @@ function helmLayout(basePath: string, unique: string): Record<string, Record<str
 
   return helm;
 }
-
-export class Assets {
-  readonly name: string;
-  readonly tls: TLSOut;
-  readonly apiToken: string;
-  readonly alwaysIgnore!: WebhookIgnore;
-  capabilities!: CapabilityExport[];
-
-  image: string;
-  buildTimestamp: string;
-  hash: string;
-
-  constructor(
-    readonly config: ModuleConfig,
-    readonly path: string,
-    readonly host?: string,
-  ) {
-    this.name = `pepr-${config.uuid}`;
-    this.buildTimestamp = `${Date.now()}`;
-    this.alwaysIgnore = config.alwaysIgnore;
-    this.image = `ghcr.io/defenseunicorns/pepr/controller:v${config.peprVersion}`;
-    this.hash = "";
-    // Generate the ephemeral tls things
-    this.tls = genTLS(this.host || `${this.name}.pepr-system.svc`);
-
-    // Generate the api token for the controller / webhook
-    this.apiToken = crypto.randomBytes(32).toString("hex");
-  }
-
-  setHash = (hash: string): void => {
-    this.hash = hash;
-  };
-
-  deploy = async (force: boolean, webhookTimeout?: number): Promise<void> => {
-    this.capabilities = await loadCapabilities(this.path);
-    await deploy(this, force, webhookTimeout);
-  };
-
-  zarfYaml = (path: string): string => zarfYaml(this, path);
-
-  zarfYamlChart = (path: string): string => zarfYamlChart(this, path);
-
-  allYaml = async (imagePullSecret?: string): Promise<string> => {
-    this.capabilities = await loadCapabilities(this.path);
-    // give error if namespaces are not respected
-    for (const capability of this.capabilities) {
-      namespaceComplianceValidator(capability, this.alwaysIgnore?.namespaces);
-    }
-
-    return allYaml(this, imagePullSecret);
-  };
-
-  /* eslint max-statements: ["warn", 21] */
-  generateHelmChart = async (basePath: string): Promise<void> => {
-    const helm = helmLayout(basePath, this.config.uuid);
-
-    try {
-      await Promise.all(
-        Object.values(helm.dirs)
-          .sort((l, r) => l.split("/").length - r.split("/").length)
-          .map(async dir => await createDirectoryIfNotExists(dir)),
-      );
-
-      const code = await fs.readFile(this.path);
-
-      const pairs: [string, () => string][] = [
-        [helm.files.chartYaml, (): string => dedent(chartYaml(this.config.uuid, this.config.description || ""))],
-        [helm.files.namespaceYaml, (): string => dedent(namespaceTemplate())],
-        [helm.files.watcherServiceYaml, (): string => toYaml(watcherService(this.name))],
-        [helm.files.admissionServiceYaml, (): string => toYaml(service(this.name))],
-        [helm.files.tlsSecretYaml, (): string => toYaml(tlsSecret(this.name, this.tls))],
-        [helm.files.apiTokenSecretYaml, (): string => toYaml(apiTokenSecret(this.name, this.apiToken))],
-        [helm.files.storeRoleYaml, (): string => toYaml(storeRole(this.name))],
-        [helm.files.storeRoleBindingYaml, (): string => toYaml(storeRoleBinding(this.name))],
-        [helm.files.clusterRoleYaml, (): string => dedent(clusterRoleTemplate())],
-        [helm.files.clusterRoleBindingYaml, (): string => toYaml(clusterRoleBinding(this.name))],
-        [helm.files.serviceAccountYaml, (): string => toYaml(serviceAccount(this.name))],
-        [helm.files.moduleSecretYaml, (): string => toYaml(getModuleSecret(this.name, code, this.hash))],
-      ];
-      await Promise.all(pairs.map(async ([file, content]) => await fs.writeFile(file, content())));
-
-      await overridesFile(this, helm.files.valuesYaml);
-
-      const [mutateWebhook, validateWebhook] = await Promise.all([
-        webhookConfig(this, "mutate", this.config.webhookTimeout),
-        webhookConfig(this, "validate", this.config.webhookTimeout),
-      ]);
-
-      if (validateWebhook || mutateWebhook) {
-        await fs.writeFile(helm.files.admissionDeploymentYaml, dedent(admissionDeployTemplate(this.buildTimestamp)));
-        await fs.writeFile(helm.files.admissionServiceMonitorYaml, dedent(serviceMonitorTemplate("admission")));
-      }
-
-      if (mutateWebhook) {
-        await fs.writeFile(helm.files.mutationWebhookYaml, createWebhookYaml(this, mutateWebhook));
-      }
-
-      if (validateWebhook) {
-        await fs.writeFile(helm.files.validationWebhookYaml, createWebhookYaml(this, validateWebhook));
-      }
-
-      const watchDeployment = getWatcher(this, this.hash, this.buildTimestamp);
-      if (watchDeployment) {
-        await fs.writeFile(helm.files.watcherDeploymentYaml, dedent(watcherDeployTemplate(this.buildTimestamp)));
-        await fs.writeFile(helm.files.watcherServiceMonitorYaml, dedent(serviceMonitorTemplate("watcher")));
-      }
-    } catch (err) {
-      console.error(`Error generating helm chart: ${err.message}`);
-      process.exit(1);
-    }
-  };
-}

package/src/lib/assets/pods.ts

@@ -5,7 +5,7 @@ import { KubernetesObject, V1EnvVar } from "@kubernetes/client-node";
 import { kind } from "kubernetes-fluent-client";
 import { gzipSync } from "zlib";
 import { secretOverLimit } from "../helpers";
-import { Assets } from ".";
+import { Assets } from "./assets";
 import { ModuleConfig } from "../core/module";
 import { Binding } from "../types";
 
@@ -109,7 +109,7 @@ export function getWatcher(
               name: "watcher",
               image,
               imagePullPolicy: "IfNotPresent",
-              command: ["node", "/app/node_modules/pepr/dist/controller.js", hash],
+              args: ["/app/node_modules/pepr/dist/controller.js", hash],
               readinessProbe: {
                 httpGet: {
                   path: "/healthz",
@@ -248,7 +248,7 @@ export function getDeployment(
               name: "server",
               image,
               imagePullPolicy: "IfNotPresent",
-              command: ["node", "/app/node_modules/pepr/dist/controller.js", hash],
+              args: ["/app/node_modules/pepr/dist/controller.js", hash],
               readinessProbe: {
                 httpGet: {
                   path: "/healthz",

package/src/lib/assets/webhooks.ts

@@ -9,17 +9,11 @@ import {
 import { kind } from "kubernetes-fluent-client";
 import { concat, equals, uniqWith } from "ramda";
 
-import { Assets } from ".";
-import { Event } from "../enums";
+import { Assets } from "./assets";
+import { Event, WebhookType } from "../enums";
 import { Binding } from "../types";
 
-const peprIgnoreLabel: V1LabelSelectorRequirement = {
-  key: "pepr.dev",
-  operator: "NotIn",
-  values: ["ignore"],
-};
-
-const peprIgnoreNamespaces: string[] = ["kube-system", "pepr-system"];
+export const peprIgnoreNamespaces: string[] = ["kube-system", "pepr-system"];
 
 const validateRule = (binding: Binding, isMutateWebhook: boolean): V1RuleWithOperations | undefined => {
   const { event, kind, isMutate, isValidate } = binding;
@@ -45,6 +39,21 @@ const validateRule = (binding: Binding, isMutateWebhook: boolean): V1RuleWithOpe
   return ruleObject;
 };
 
+export function resolveIgnoreNamespaces(ignoredNSConfig: string[] = []): string[] {
+  const ignoredNSEnv = process.env.PEPR_ADDITIONAL_IGNORED_NAMESPACES;
+  if (!ignoredNSEnv) {
+    return ignoredNSConfig;
+  }
+
+  const namespaces = ignoredNSEnv.split(",").map(ns => ns.trim());
+
+  // add alwaysIgnore.namespaces to the list
+  if (ignoredNSConfig) {
+    namespaces.push(...ignoredNSConfig);
+  }
+  return namespaces.filter(ns => ns.length > 0);
+}
+
 export async function generateWebhookRules(assets: Assets, isMutateWebhook: boolean): Promise<V1RuleWithOperations[]> {
   const { config, capabilities } = assets;
 
@@ -59,15 +68,15 @@ export async function generateWebhookRules(assets: Assets, isMutateWebhook: bool
   return uniqWith(equals, rules);
 }
 
-export async function webhookConfig(
+export async function webhookConfigGenerator(
   assets: Assets,
-  mutateOrValidate: "mutate" | "validate",
+  mutateOrValidate: WebhookType,
   timeoutSeconds = 10,
 ): Promise<kind.MutatingWebhookConfiguration | kind.ValidatingWebhookConfiguration | null> {
-  const ignore = [peprIgnoreLabel];
+  const ignore: V1LabelSelectorRequirement[] = [];
 
   const { name, tls, config, apiToken, host } = assets;
-  const ignoreNS = concat(peprIgnoreNamespaces, config?.alwaysIgnore?.namespaces || []);
+  const ignoreNS = concat(peprIgnoreNamespaces, resolveIgnoreNamespaces(config?.alwaysIgnore?.namespaces));
 
   // Add any namespaces to ignore
   if (ignoreNS) {
@@ -97,7 +106,7 @@ export async function webhookConfig(
     };
   }
 
-  const isMutate = mutateOrValidate === "mutate";
+  const isMutate = mutateOrValidate === WebhookType.MUTATE;
   const rules = await generateWebhookRules(assets, isMutate);
 
   // If there are no rules, return null
@@ -120,9 +129,6 @@ export async function webhookConfig(
         namespaceSelector: {
           matchExpressions: ignore,
         },
-        objectSelector: {
-          matchExpressions: ignore,
-        },
         rules,
         // @todo: track side effects state
         sideEffects: "None",

package/src/lib/assets/yaml/generateAllYaml.ts

@@ -0,0 +1,50 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import crypto from "crypto";
+import { Assets } from "../assets";
+import { WebhookType } from "../../enums";
+import { apiTokenSecret, service, tlsSecret, watcherService } from "../networking";
+import { clusterRole, clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "../rbac";
+import { dumpYaml, V1Deployment } from "@kubernetes/client-node";
+import { getModuleSecret, getNamespace } from "../pods";
+import { promises as fs } from "fs";
+import { webhookConfigGenerator } from "../webhooks";
+
+type deployments = { default: V1Deployment; watch: V1Deployment | null };
+
+export async function generateAllYaml(assets: Assets, deployments: deployments): Promise<string> {
+  const { name, tls, apiToken, path, config } = assets;
+  const code = await fs.readFile(path);
+  const hash = crypto.createHash("sha256").update(code).digest("hex");
+
+  const resources = [
+    getNamespace(assets.config.customLabels?.namespace),
+    clusterRole(name, assets.capabilities, config.rbacMode, config.rbac),
+    clusterRoleBinding(name),
+    serviceAccount(name),
+    apiTokenSecret(name, apiToken),
+    tlsSecret(name, tls),
+    deployments.default,
+    service(name),
+    watcherService(name),
+    getModuleSecret(name, code, hash),
+    storeRole(name),
+    storeRoleBinding(name),
+  ];
+
+  const webhooks = {
+    mutate: await webhookConfigGenerator(assets, WebhookType.MUTATE, assets.config.webhookTimeout),
+    validate: await webhookConfigGenerator(assets, WebhookType.VALIDATE, assets.config.webhookTimeout),
+  };
+
+  // Add webhooks and watch deployment if they exist
+  const additionalResources = [webhooks.mutate, webhooks.validate, deployments.watch].filter(
+    resource => resource !== null && resource !== undefined,
+  );
+
+  resources.push(...additionalResources);
+
+  // Convert the resources to a single YAML string
+  return resources.map(resource => dumpYaml(resource, { noRefs: true })).join("---\n");
+}

package/src/lib/assets/yaml/generateZarfYaml.ts

@@ -0,0 +1,38 @@
+import { dumpYaml } from "@kubernetes/client-node";
+import { Assets } from "../assets";
+
+type ConfigType = "manifests" | "charts";
+
+export function generateZarfYamlGeneric(assets: Assets, path: string, type: ConfigType): string {
+  const manifestSettings = {
+    name: "module",
+    namespace: "pepr-system",
+    files: [path],
+  };
+  const chartSettings = {
+    name: "module",
+    namespace: "pepr-system",
+    version: `${assets.config.appVersion || "0.0.1"}`,
+    localPath: path,
+  };
+
+  const component = {
+    name: "module",
+    required: true,
+    images: [assets.image],
+    [type]: [type === "manifests" ? manifestSettings : chartSettings],
+  };
+
+  const zarfCfg = {
+    kind: "ZarfPackageConfig",
+    metadata: {
+      name: assets.name,
+      description: `Pepr Module: ${assets.config.description}`,
+      url: "https://github.com/defenseunicorns/pepr",
+      version: `${assets.config.appVersion || "0.0.1"}`,
+    },
+    components: [component],
+  };
+
+  return dumpYaml(zarfCfg, { noRefs: true });
+}

package/src/lib/assets/{yaml.ts → yaml/overridesFile.ts}

@@ -1,24 +1,32 @@
-// SPDX-License-Identifier: Apache-2.0
-// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
-
+import { genEnv } from "../pods";
+import { ModuleConfig } from "../../core/module";
+import { CapabilityExport } from "../../types";
 import { dumpYaml } from "@kubernetes/client-node";
-import crypto from "crypto";
+import { clusterRole } from "../rbac";
 import { promises as fs } from "fs";
-import { Assets } from ".";
-import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking";
-import { getDeployment, getModuleSecret, getNamespace, getWatcher } from "./pods";
-import { clusterRole, clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";
-import { webhookConfig } from "./webhooks";
-import { genEnv } from "./pods";
 
+type CommonOverrideValues = {
+  apiToken: string;
+  capabilities: CapabilityExport[];
+  config: ModuleConfig;
+  hash: string;
+  name: string;
+};
+
+type ChartOverrides = CommonOverrideValues & {
+  image: string;
+};
 // Helm Chart overrides file (values.yaml) generated from assets
 export async function overridesFile(
-  { hash, name, image, config, apiToken, capabilities }: Assets,
+  { hash, name, image, config, apiToken, capabilities }: ChartOverrides,
   path: string,
+  imagePullSecrets: string[],
 ): Promise<void> {
   const rbacOverrides = clusterRole(name, capabilities, config.rbacMode, config.rbac).rules;
 
   const overrides = {
+    imagePullSecrets,
+    additionalIgnoredNamespaces: [],
     rbac: rbacOverrides,
     secrets: {
       apiToken: Buffer.from(apiToken).toString("base64"),
@@ -169,101 +177,3 @@ export async function overridesFile(
 
   await fs.writeFile(path, dumpYaml(overrides, { noRefs: true, forceQuotes: true }));
 }
-export function zarfYaml({ name, image, config }: Assets, path: string): string {
-  const zarfCfg = {
-    kind: "ZarfPackageConfig",
-    metadata: {
-      name,
-      description: `Pepr Module: ${config.description}`,
-      url: "https://github.com/defenseunicorns/pepr",
-      version: `${config.appVersion || "0.0.1"}`,
-    },
-    components: [
-      {
-        name: "module",
-        required: true,
-        manifests: [
-          {
-            name: "module",
-            namespace: "pepr-system",
-            files: [path],
-          },
-        ],
-        images: [image],
-      },
-    ],
-  };
-
-  return dumpYaml(zarfCfg, { noRefs: true });
-}
-
-export function zarfYamlChart({ name, image, config }: Assets, path: string): string {
-  const zarfCfg = {
-    kind: "ZarfPackageConfig",
-    metadata: {
-      name,
-      description: `Pepr Module: ${config.description}`,
-      url: "https://github.com/defenseunicorns/pepr",
-      version: `${config.appVersion || "0.0.1"}`,
-    },
-    components: [
-      {
-        name: "module",
-        required: true,
-        charts: [
-          {
-            name: "module",
-            namespace: "pepr-system",
-            version: `${config.appVersion || "0.0.1"}`,
-            localPath: path,
-          },
-        ],
-        images: [image],
-      },
-    ],
-  };
-
-  return dumpYaml(zarfCfg, { noRefs: true });
-}
-
-export async function allYaml(assets: Assets, imagePullSecret?: string): Promise<string> {
-  const { name, tls, apiToken, path, config } = assets;
-  const code = await fs.readFile(path);
-
-  // Generate a hash of the code
-  assets.hash = crypto.createHash("sha256").update(code).digest("hex");
-
-  const mutateWebhook = await webhookConfig(assets, "mutate", assets.config.webhookTimeout);
-  const validateWebhook = await webhookConfig(assets, "validate", assets.config.webhookTimeout);
-  const watchDeployment = getWatcher(assets, assets.hash, assets.buildTimestamp, imagePullSecret);
-
-  const resources = [
-    getNamespace(assets.config.customLabels?.namespace),
-    clusterRole(name, assets.capabilities, config.rbacMode, config.rbac),
-    clusterRoleBinding(name),
-    serviceAccount(name),
-    apiTokenSecret(name, apiToken),
-    tlsSecret(name, tls),
-    getDeployment(assets, assets.hash, assets.buildTimestamp, imagePullSecret),
-    service(name),
-    watcherService(name),
-    getModuleSecret(name, code, assets.hash),
-    storeRole(name),
-    storeRoleBinding(name),
-  ];
-
-  if (mutateWebhook) {
-    resources.push(mutateWebhook);
-  }
-
-  if (validateWebhook) {
-    resources.push(validateWebhook);
-  }
-
-  if (watchDeployment) {
-    resources.push(watchDeployment);
-  }
-
-  // Convert the resources to a single YAML string
-  return resources.map(r => dumpYaml(r, { noRefs: true })).join("---\n");
-}

package/src/lib/core/module.ts

@@ -9,6 +9,7 @@ import { CapabilityExport, AdmissionRequest } from "../types";
 import { setupWatch } from "../processors/watch-processor";
 import { Log } from "../../lib";
 import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
+import { resolveIgnoreNamespaces } from "../assets/webhooks";
 
 /** Custom Labels Type for package.json */
 export interface CustomLabels {
@@ -113,7 +114,7 @@ export class PeprModule {
       // Wait for the controller to be ready before setting up watches
       if (isWatchMode() || isDevMode()) {
         try {
-          setupWatch(capabilities, pepr?.alwaysIgnore?.namespaces);
+          setupWatch(capabilities, resolveIgnoreNamespaces(pepr?.alwaysIgnore?.namespaces));
         } catch (e) {
           Log.error(e, "Error setting up watch");
           process.exit(1);

package/src/lib/enums.ts

@@ -19,3 +19,9 @@ export enum Event {
   CREATE_OR_UPDATE = "CREATEORUPDATE",
   ANY = "*",
 }
+
+// Supported webhook types for @kubernetes/client-node's V1MutatingWebhookConfiguration
+export enum WebhookType {
+  MUTATE = "mutate",
+  VALIDATE = "validate",
+}

package/src/lib/processors/mutate-processor.ts

@@ -14,6 +14,7 @@ import { ModuleConfig } from "../core/module";
 import { PeprMutateRequest } from "../mutate-request";
 import { base64Encode, convertFromBase64Map, convertToBase64Map } from "../utils";
 import { OnError } from "../../cli/init/enums";
+import { resolveIgnoreNamespaces } from "../assets/webhooks";
 
 export interface Bindable {
   req: AdmissionRequest;
@@ -169,7 +170,7 @@ export async function mutateProcessor(
       bind.binding,
       bind.req,
       bind.namespaces,
-      bind.config?.alwaysIgnore?.namespaces,
+      resolveIgnoreNamespaces(bind.config?.alwaysIgnore?.namespaces),
     );
     if (shouldSkip !== "") {
       Log.debug(shouldSkip);

package/src/lib/processors/validate-processor.ts

@@ -10,6 +10,7 @@ import Log from "../telemetry/logger";
 import { convertFromBase64Map } from "../utils";
 import { PeprValidateRequest } from "../validate-request";
 import { ModuleConfig } from "../core/module";
+import { resolveIgnoreNamespaces } from "../assets/webhooks";
 
 export async function processRequest(
   binding: Binding,
@@ -78,7 +79,12 @@ export async function validateProcessor(
       }
 
       // Continue to the next action without doing anything if this one should be skipped
-      const shouldSkip = shouldSkipRequest(binding, req, namespaces, config?.alwaysIgnore?.namespaces);
+      const shouldSkip = shouldSkipRequest(
+        binding,
+        req,
+        namespaces,
+        resolveIgnoreNamespaces(config?.alwaysIgnore?.namespaces),
+      );
       if (shouldSkip !== "") {
         Log.debug(shouldSkip);
         continue;