pepr 0.42.3 → 0.44.0

package/package.json

@@ -15,7 +15,7 @@
     "!src/**/*.test.ts",
     "!dist/**/*.test.d.ts*"
   ],
-  "version": "0.42.3",
+  "version": "0.44.0",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {
@@ -27,6 +27,9 @@
     "build:image": "npm run build && docker buildx build --output type=docker --tag pepr:dev .",
     "test": "npm run test:unit && npm run test:journey",
     "test:unit": "npm run gen-data-json && jest src --coverage --detectOpenHandles --coverageDirectory=./coverage --testPathIgnorePatterns='cosign.e2e.test.ts'",
+    "test:integration": "npm run test:integration:prep && npm run test:integration:run",
+    "test:integration:prep": "./integration/prep.sh",
+    "test:integration:run": "jest --maxWorkers=4 integration",
     "test:journey": "npm run test:journey:k3d && npm run build && npm run test:journey:image && npm run test:journey:run",
     "test:journey:prep": "if [ ! -d ./pepr-upgrade-test ]; then git clone https://github.com/defenseunicorns/pepr-upgrade-test.git ; fi",
     "test:journey-wasm": "npm run test:journey:k3d && npm run build && npm run test:journey:image && npm run test:journey:run-wasm",
@@ -46,7 +49,7 @@
     "follow-redirects": "1.15.9",
     "http-status-codes": "^2.3.0",
     "json-pointer": "^0.6.2",
-    "kubernetes-fluent-client": "3.3.7",
+    "kubernetes-fluent-client": "3.3.8",
     "pino": "9.6.0",
     "pino-pretty": "13.0.0",
     "prom-client": "15.1.3",

package/src/cli/build.helpers.ts

@@ -8,6 +8,9 @@ import { BuildOptions, BuildResult, context, BuildContext } from "esbuild";
 import { Assets } from "../lib/assets/assets";
 import { resolve } from "path";
 import { promises as fs } from "fs";
+import { generateAllYaml } from "../lib/assets/yaml/generateAllYaml";
+import { webhookConfigGenerator } from "../lib/assets/webhooks";
+import { generateZarfYamlGeneric } from "../lib/assets/yaml/generateZarfYaml";
 
 export type Reloader = (opts: BuildResult<BuildOptions>) => void | Promise<void>;
 /**
@@ -89,24 +92,6 @@ export function validImagePullSecret(imagePullSecretName: string): void {
   }
 }
 
-/**
- * Constraint to majke sure customImage and registry are not both used
- * @param customImage
- * @param registry
- * @returns
- */
-export function handleCustomImage(customImage: string, registry: string): string {
-  let defaultImage = "";
-  if (customImage) {
-    if (registry) {
-      console.error(`Custom Image and registry cannot be used together.`);
-      process.exit(1);
-    }
-    defaultImage = customImage;
-  }
-  return defaultImage;
-}
-
 /**
  * Creates and pushes a custom image for WASM or any other included files
  * @param includedFiles
@@ -191,18 +176,18 @@ export async function generateYamlAndWriteToDisk(obj: {
   const yamlFile = `pepr-module-${uuid}.yaml`;
   const chartPath = `${uuid}-chart`;
   const yamlPath = resolve(outputDir, yamlFile);
-  const yaml = await assets.allYaml(imagePullSecret);
+  const yaml = await assets.allYaml(generateAllYaml, imagePullSecret);
   const zarfPath = resolve(outputDir, "zarf.yaml");
 
   let localZarf = "";
   if (zarf === "chart") {
-    localZarf = assets.zarfYamlChart(chartPath);
+    localZarf = assets.zarfYamlChart(generateZarfYamlGeneric, chartPath);
   } else {
-    localZarf = assets.zarfYaml(yamlFile);
+    localZarf = assets.zarfYaml(generateZarfYamlGeneric, yamlFile);
   }
   await fs.writeFile(yamlPath, yaml);
   await fs.writeFile(zarfPath, localZarf);
 
-  await assets.generateHelmChart(outputDir);
+  await assets.generateHelmChart(webhookConfigGenerator, outputDir);
   console.info(`✅ K8s resource for the module saved to ${yamlPath}`);
 }

package/src/cli/build.ts

@@ -2,7 +2,7 @@
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
 import { execFileSync } from "child_process";
-import { BuildOptions, BuildResult, analyzeMetafile } from "esbuild";
+import { BuildContext, BuildOptions, BuildResult, analyzeMetafile } from "esbuild";
 import { promises as fs } from "fs";
 import { basename, dirname, extname, resolve } from "path";
 import { Assets } from "../lib/assets/assets";
@@ -17,17 +17,55 @@ import {
   handleEmbedding,
   handleCustomOutputDir,
   handleValidCapabilityNames,
-  handleCustomImage,
   handleCustomImageBuild,
   checkIronBankImage,
   validImagePullSecret,
   generateYamlAndWriteToDisk,
 } from "./build.helpers";
+import { ModuleConfig } from "../lib/core/module";
 
 const peprTS = "pepr.ts";
 let outputDir: string = "dist";
 export type Reloader = (opts: BuildResult<BuildOptions>) => void | Promise<void>;
 
+export type PeprNestedFields = Pick<
+  ModuleConfig,
+  | "uuid"
+  | "onError"
+  | "webhookTimeout"
+  | "customLabels"
+  | "alwaysIgnore"
+  | "env"
+  | "rbac"
+  | "rbacMode"
+> & {
+  peprVersion: string;
+};
+
+export type PeprConfig = Omit<ModuleConfig, keyof PeprNestedFields> & {
+  pepr: PeprNestedFields & {
+    includedFiles: string[];
+  };
+  description: string;
+  version: string;
+};
+
+type LoadModuleReturn = {
+  cfg: PeprConfig;
+  entryPointPath: string;
+  modulePath: string;
+  name: string;
+  path: string;
+  uuid: string;
+};
+
+type BuildModuleReturn = {
+  ctx: BuildContext<BuildOptions>;
+  path: string;
+  cfg: PeprConfig;
+  uuid: string;
+} | void;
+
 export default function (program: RootCmd): void {
   program
     .command("build")
@@ -37,34 +75,44 @@ export default function (program: RootCmd): void {
       "-n, --no-embed",
       "Disables embedding of deployment files into output module.  Useful when creating library modules intended solely for reuse/distribution via NPM.",
     )
-    .option(
-      "-i, --custom-image <custom-image>",
-      "Custom Image: Use custom image for Admission and Watch Deployments.",
+    .addOption(
+      new Option(
+        "-i, --custom-image <custom-image>",
+        "Specify a custom image (including version) for Admission and Watch Deployments. Example: 'docker.io/username/custom-pepr-controller:v1.0.0'",
+      ).conflicts(["version", "registryInfo", "registry"]),
     )
-    .option(
-      "-r, --registry-info [<registry>/<username>]",
-      "Registry Info: Image registry and username. Note: You must be signed into the registry",
+    .addOption(
+      new Option(
+        "-r, --registry-info [<registry>/<username>]",
+        "Provide the image registry and username for building and pushing a custom WASM container. Requires authentication. Builds and pushes 'registry/username/custom-pepr-controller:<current-version>'.",
+      ).conflicts(["customImage", "version", "registry"]),
     )
+
     .option("-o, --output-dir <output directory>", "Define where to place build output")
     .option(
       "--timeout <timeout>",
       "How long the API server should wait for a webhook to respond before treating the call as a failure",
       parseTimeout,
     )
-    .option(
-      "-v, --version <version>. Example: '0.27.3'",
-      "The version of the Pepr image to use in the deployment manifests.",
+    .addOption(
+      new Option(
+        "-v, --version <version>",
+        "The version of the Pepr image to use in the deployment manifests. Example: '0.27.3'.",
+      ).conflicts(["customImage", "registryInfo"]),
     )
     .option(
       "--withPullSecret <imagePullSecret>",
       "Image Pull Secret: Use image pull secret for controller Deployment.",
+      "",
     )
 
     .addOption(
       new Option(
         "--registry <GitHub|Iron Bank>",
         "Container registry: Choose container registry for deployment manifests. Can't be used with --custom-image.",
-      ).choices(["GitHub", "Iron Bank"]),
+      )
+        .conflicts(["customImage", "registryInfo"])
+        .choices(["GitHub", "Iron Bank"]),
     )
 
     .addOption(
@@ -91,7 +139,7 @@ export default function (program: RootCmd): void {
         // Files to include in controller image for WASM support
         const { includedFiles } = cfg.pepr;
 
-        let image = handleCustomImage(opts.customImage, opts.registry);
+        let image = opts.customImage || "";
 
         // Check if there is a custom timeout defined
         if (opts.timeout !== undefined) {
@@ -120,10 +168,14 @@ export default function (program: RootCmd): void {
             ...cfg.pepr,
             appVersion: cfg.version,
             description: cfg.description,
+            alwaysIgnore: {
+              namespaces: cfg.pepr.alwaysIgnore?.namespaces,
+            },
             // Can override the rbacMode with the CLI option
             rbacMode: determineRbacMode(opts, cfg),
           },
           path,
+          opts.withPullSecret === "" ? [] : [opts.withPullSecret],
         );
 
         // If registry is set to Iron Bank, use Iron Bank image
@@ -156,7 +208,7 @@ externalLibs.push("pepr");
 // Add the kubernetes client to the list of external libraries as it is pulled in by kubernetes-fluent-client
 externalLibs.push("@kubernetes/client-node");
 
-export async function loadModule(entryPoint = peprTS) {
+export async function loadModule(entryPoint = peprTS): Promise<LoadModuleReturn> {
   // Resolve path to the module / files
   const entryPointPath = resolve(".", entryPoint);
   const modulePath = dirname(entryPointPath);
@@ -197,7 +249,11 @@ export async function loadModule(entryPoint = peprTS) {
   };
 }
 
-export async function buildModule(reloader?: Reloader, entryPoint = peprTS, embed = true) {
+export async function buildModule(
+  reloader?: Reloader,
+  entryPoint = peprTS,
+  embed = true,
+): Promise<BuildModuleReturn> {
   try {
     const { cfg, modulePath, path, uuid } = await loadModule(entryPoint);
 
@@ -314,7 +370,7 @@ function handleModuleBuildError(e: BuildModuleResult): void {
   }
 }
 
-export async function checkFormat() {
+export async function checkFormat(): Promise<void> {
   const validFormat = await peprFormat(true);
 
   if (!validFormat) {

package/src/cli/deploy.ts

@@ -4,13 +4,13 @@
 import prompt from "prompts";
 
 import { Assets } from "../lib/assets/assets";
-import { buildModule } from "./build";
-import { RootCmd } from "./root";
-import { validateCapabilityNames } from "../lib/helpers";
 import { ImagePullSecret } from "../lib/types";
-import { sanitizeName } from "./init/utils";
-import { deployImagePullSecret } from "../lib/assets/deploy";
+import { RootCmd } from "./root";
+import { buildModule } from "./build";
+import { deployImagePullSecret, deployWebhook } from "../lib/assets/deploy";
 import { namespaceDeploymentsReady } from "../lib/deploymentChecks";
+import { sanitizeName } from "./init/utils";
+import { validateCapabilityNames } from "../lib/helpers";
 
 export interface ImagePullSecretDetails {
   pullSecret?: string;
@@ -128,11 +128,12 @@ export default function (program: RootCmd): void {
       const webhook = new Assets(
         { ...builtModule.cfg.pepr, description: builtModule.cfg.description },
         builtModule.path,
+        [],
       );
       webhook.image = opts.image ?? webhook.image;
 
       try {
-        await webhook.deploy(opts.force, builtModule.cfg.pepr.webhookTimeout ?? 10);
+        await webhook.deploy(deployWebhook, opts.force, builtModule.cfg.pepr.webhookTimeout ?? 10);
 
         // wait for capabilities to be loaded and test names
         validateCapabilityNames(webhook.capabilities);

package/src/cli/dev.ts

@@ -1,15 +1,17 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-import { ChildProcess, fork } from "child_process";
-import { promises as fs } from "fs";
 import prompt from "prompts";
-import { validateCapabilityNames } from "../lib/helpers";
 import { Assets } from "../lib/assets/assets";
-import { buildModule, loadModule } from "./build";
-import { RootCmd } from "./root";
+import { ChildProcess, fork } from "child_process";
 import { K8s, kind } from "kubernetes-fluent-client";
+import { RootCmd } from "./root";
 import { Store } from "../lib/k8s";
+import { buildModule, loadModule } from "./build";
+import { deployWebhook } from "../lib/assets/deploy";
+import { promises as fs } from "fs";
+import { validateCapabilityNames } from "../lib/helpers";
+
 export default function (program: RootCmd): void {
   program
     .command("dev")
@@ -41,6 +43,7 @@ export default function (program: RootCmd): void {
           description: cfg.description,
         },
         path,
+        [],
         opts.host,
       );
 
@@ -59,7 +62,7 @@ export default function (program: RootCmd): void {
           console.info(`Running module ${path}`);
 
           // Deploy the webhook with a 30 second timeout for debugging, don't force
-          await webhook.deploy(false, 30);
+          await webhook.deploy(deployWebhook, false, 30);
 
           try {
             // wait for capabilities to be loaded and test names

package/src/fixtures/loader.ts

@@ -6,11 +6,11 @@ import admissionRequestDeletePod from "./data/admission-delete-pod.json";
 import admissionRequestCreateClusterRole from "./data/admission-create-clusterrole.json";
 import admissionRequestCreateDeployment from "./data/admission-create-deployment.json";
 
-export function AdmissionRequestCreateDeployment() {
+export function AdmissionRequestCreateDeployment(): AdmissionRequest<kind.Deployment> {
   return cloneObject<kind.Deployment>(admissionRequestCreateDeployment);
 }
 
-export function AdmissionRequestCreatePod() {
+export function AdmissionRequestCreatePod(): AdmissionRequest<kind.Pod> {
   return cloneObject<kind.Pod>(admissionRequestCreatePod);
 }
 

package/src/lib/assets/assets.ts

@@ -11,92 +11,97 @@ import {
   serviceMonitorTemplate,
   watcherDeployTemplate,
 } from "./helm";
+import {
+  V1Deployment,
+  V1MutatingWebhookConfiguration,
+  V1ValidatingWebhookConfiguration,
+} from "@kubernetes/client-node/dist/gen";
 import { createDirectoryIfNotExists } from "../filesystemService";
-import { deploy } from "./deploy";
+import { overridesFile } from "./yaml/overridesFile";
 import { getDeployment, getModuleSecret, getWatcher } from "./pods";
 import { helmLayout, createWebhookYaml, toYaml } from "./index";
 import { loadCapabilities } from "./loader";
 import { namespaceComplianceValidator, dedent } from "../helpers";
+import { promises as fs } from "fs";
 import { storeRole, storeRoleBinding, clusterRoleBinding, serviceAccount } from "./rbac";
 import { watcherService, service, tlsSecret, apiTokenSecret } from "./networking";
-import { webhookConfig } from "./webhooks";
-import { generateZarfYaml, generateZarfYamlChart, generateAllYaml, overridesFile } from "./yaml";
-import { promises as fs } from "fs";
-import { V1MutatingWebhookConfiguration, V1ValidatingWebhookConfiguration } from "@kubernetes/client-node/dist/gen";
+import { WebhookType } from "../enums";
 
 export class Assets {
   readonly name: string;
   readonly tls: TLSOut;
   readonly apiToken: string;
+  readonly config: ModuleConfig;
+  readonly path: string;
   readonly alwaysIgnore!: WebhookIgnore;
+  readonly imagePullSecrets: string[];
   capabilities!: CapabilityExport[];
-
   image: string;
   buildTimestamp: string;
-  hash: string;
+  readonly host?: string;
 
-  constructor(
-    readonly config: ModuleConfig,
-    readonly path: string,
-    readonly host?: string,
-  ) {
+  constructor(config: ModuleConfig, path: string, imagePullSecrets: string[], host?: string) {
     this.name = `pepr-${config.uuid}`;
+    this.imagePullSecrets = imagePullSecrets;
     this.buildTimestamp = `${Date.now()}`;
+    this.config = config;
+    this.path = path;
+    this.host = host;
     this.alwaysIgnore = config.alwaysIgnore;
     this.image = `ghcr.io/defenseunicorns/pepr/controller:v${config.peprVersion}`;
-    this.hash = "";
+
     // Generate the ephemeral tls things
-    this.tls = genTLS(this.host || `${this.name}.pepr-system.svc`);
+    this.tls = genTLS(host || `${this.name}.pepr-system.svc`);
 
     // Generate the api token for the controller / webhook
     this.apiToken = crypto.randomBytes(32).toString("hex");
   }
 
-  setHash = (hash: string): void => {
-    this.hash = hash;
-  };
-
-  deploy = async (force: boolean, webhookTimeout?: number): Promise<void> => {
+  async deploy(
+    deployFunction: (assets: Assets, force: boolean, webhookTimeout: number) => Promise<void>,
+    force: boolean,
+    webhookTimeout?: number,
+  ): Promise<void> {
     this.capabilities = await loadCapabilities(this.path);
-    await deploy(this, force, webhookTimeout);
-  };
 
-  zarfYaml = (path: string): string => generateZarfYaml(this.name, this.image, this.config, path);
+    const timeout = typeof webhookTimeout === "number" ? webhookTimeout : 10;
 
-  zarfYamlChart = (path: string): string => generateZarfYamlChart(this.name, this.image, this.config, path);
+    await deployFunction(this, force, timeout);
+  }
 
-  allYaml = async (imagePullSecret?: string): Promise<string> => {
+  zarfYaml = (
+    zarfYamlGenerator: (assets: Assets, path: string, type: "manifests" | "charts") => string,
+    path: string,
+  ): string => zarfYamlGenerator(this, path, "manifests");
+
+  zarfYamlChart = (
+    zarfYamlGenerator: (assets: Assets, path: string, type: "manifests" | "charts") => string,
+    path: string,
+  ): string => zarfYamlGenerator(this, path, "charts");
+
+  allYaml = async (
+    yamlGenerationFunction: (
+      assyts: Assets,
+      deployments: { default: V1Deployment; watch: V1Deployment | null },
+    ) => Promise<string>,
+    imagePullSecret?: string,
+  ): Promise<string> => {
     this.capabilities = await loadCapabilities(this.path);
     // give error if namespaces are not respected
     for (const capability of this.capabilities) {
       namespaceComplianceValidator(capability, this.alwaysIgnore?.namespaces);
     }
 
-    const webhooks = {
-      mutate: await webhookConfig(this, "mutate", this.config.webhookTimeout),
-      validate: await webhookConfig(this, "validate", this.config.webhookTimeout),
-    };
-
     const code = await fs.readFile(this.path);
 
-    // Generate a hash of the code
-    this.hash = crypto.createHash("sha256").update(code).digest("hex");
+    const moduleHash = crypto.createHash("sha256").update(code).digest("hex");
 
     const deployments = {
-      default: getDeployment(this, this.hash, this.buildTimestamp, imagePullSecret),
-      watch: getWatcher(this, this.hash, this.buildTimestamp, imagePullSecret),
+      default: getDeployment(this, moduleHash, this.buildTimestamp, imagePullSecret),
+      watch: getWatcher(this, moduleHash, this.buildTimestamp, imagePullSecret),
     };
 
-    const assetsInputs = {
-      apiToken: this.apiToken,
-      capabilities: this.capabilities,
-      config: this.config,
-      hash: this.hash,
-      name: this.name,
-      path: this.path,
-      tls: this.tls,
-    };
-    return generateAllYaml(webhooks, deployments, assetsInputs);
+    return yamlGenerationFunction(this, deployments);
   };
 
   writeWebhookFiles = async (
@@ -118,7 +123,14 @@ export class Assets {
     }
   };
 
-  generateHelmChart = async (basePath: string): Promise<void> => {
+  generateHelmChart = async (
+    webhookGeneratorFunction: (
+      assets: Assets,
+      mutateOrValidate: WebhookType,
+      timeoutSeconds: number | undefined,
+    ) => Promise<V1MutatingWebhookConfiguration | V1ValidatingWebhookConfiguration | null>,
+    basePath: string,
+  ): Promise<void> => {
     const helm = helmLayout(basePath, this.config.uuid);
 
     try {
@@ -129,6 +141,7 @@ export class Assets {
       );
 
       const code = await fs.readFile(this.path);
+      const moduleHash = crypto.createHash("sha256").update(code).digest("hex");
 
       const pairs: [string, () => string][] = [
         [helm.files.chartYaml, (): string => dedent(chartYaml(this.config.uuid, this.config.description || ""))],
@@ -142,28 +155,28 @@ export class Assets {
         [helm.files.clusterRoleYaml, (): string => dedent(clusterRoleTemplate())],
         [helm.files.clusterRoleBindingYaml, (): string => toYaml(clusterRoleBinding(this.name))],
         [helm.files.serviceAccountYaml, (): string => toYaml(serviceAccount(this.name))],
-        [helm.files.moduleSecretYaml, (): string => toYaml(getModuleSecret(this.name, code, this.hash))],
+        [helm.files.moduleSecretYaml, (): string => toYaml(getModuleSecret(this.name, code, moduleHash))],
       ];
       await Promise.all(pairs.map(async ([file, content]) => await fs.writeFile(file, content())));
 
       const overrideData = {
-        hash: this.hash,
+        hash: moduleHash,
         name: this.name,
         image: this.image,
         config: this.config,
         apiToken: this.apiToken,
         capabilities: this.capabilities,
       };
-      await overridesFile(overrideData, helm.files.valuesYaml);
+      await overridesFile(overrideData, helm.files.valuesYaml, this.imagePullSecrets);
 
-      const [mutateWebhook, validateWebhook] = await Promise.all([
-        webhookConfig(this, "mutate", this.config.webhookTimeout),
-        webhookConfig(this, "validate", this.config.webhookTimeout),
-      ]);
+      const webhooks = {
+        mutate: await webhookGeneratorFunction(this, WebhookType.MUTATE, this.config.webhookTimeout),
+        validate: await webhookGeneratorFunction(this, WebhookType.VALIDATE, this.config.webhookTimeout),
+      };
 
-      await this.writeWebhookFiles(validateWebhook, mutateWebhook, helm);
+      await this.writeWebhookFiles(webhooks.validate, webhooks.mutate, helm);
 
-      const watchDeployment = getWatcher(this, this.hash, this.buildTimestamp);
+      const watchDeployment = getWatcher(this, moduleHash, this.buildTimestamp);
       if (watchDeployment) {
         await fs.writeFile(helm.files.watcherDeploymentYaml, dedent(watcherDeployTemplate(this.buildTimestamp)));
         await fs.writeFile(helm.files.watcherServiceMonitorYaml, dedent(serviceMonitorTemplate("watcher")));

package/src/lib/assets/deploy.ts

@@ -12,8 +12,9 @@ import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking
 import { getDeployment, getModuleSecret, getNamespace, getWatcher } from "./pods";
 import { clusterRole, clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";
 import { peprStoreCRD } from "./store";
-import { webhookConfig } from "./webhooks";
+import { webhookConfigGenerator } from "./webhooks";
 import { CapabilityExport, ImagePullSecret } from "../types";
+import { WebhookType } from "../enums";
 
 export async function deployImagePullSecret(imagePullSecret: ImagePullSecret, name: string): Promise<void> {
   try {
@@ -42,50 +43,51 @@ export async function deployImagePullSecret(imagePullSecret: ImagePullSecret, na
     Log.error(e);
   }
 }
-export async function deploy(assets: Assets, force: boolean, webhookTimeout?: number): Promise<void> {
-  Log.info("Establishing connection to Kubernetes");
 
-  const { name, host, path } = assets;
+async function handleWebhookConfiguration(
+  assets: Assets,
+  type: WebhookType,
+  webhookTimeout: number,
+  force: boolean,
+): Promise<void> {
+  const kindMap = {
+    mutate: kind.MutatingWebhookConfiguration,
+    validate: kind.ValidatingWebhookConfiguration,
+  };
+
+  const webhookConfig = await webhookConfigGenerator(assets, type, webhookTimeout);
+
+  if (webhookConfig) {
+    Log.info(`Applying ${type} webhook`);
+    await K8s(kindMap[type]).Apply(webhookConfig, { force });
+  } else {
+    Log.info(`${type.charAt(0).toUpperCase() + type.slice(1)} webhook not needed, removing if it exists`);
+    await K8s(kindMap[type]).Delete(assets.name);
+  }
+}
+
+export async function deployWebhook(assets: Assets, force: boolean, webhookTimeout: number): Promise<void> {
+  Log.info("Establishing connection to Kubernetes");
 
   Log.info("Applying pepr-system namespace");
   await K8s(kind.Namespace).Apply(getNamespace(assets.config.customLabels?.namespace));
 
   // Create the mutating webhook configuration if it is needed
-  const mutateWebhook = await webhookConfig(assets, "mutate", webhookTimeout);
-  if (mutateWebhook) {
-    Log.info("Applying mutating webhook");
-    await K8s(kind.MutatingWebhookConfiguration).Apply(mutateWebhook, { force });
-  } else {
-    Log.info("Mutating webhook not needed, removing if it exists");
-    await K8s(kind.MutatingWebhookConfiguration).Delete(name);
-  }
+  await handleWebhookConfiguration(assets, WebhookType.MUTATE, webhookTimeout, force);
 
   // Create the validating webhook configuration if it is needed
-  const validateWebhook = await webhookConfig(assets, "validate", webhookTimeout);
-  if (validateWebhook) {
-    Log.info("Applying validating webhook");
-    await K8s(kind.ValidatingWebhookConfiguration).Apply(validateWebhook, { force });
-  } else {
-    Log.info("Validating webhook not needed, removing if it exists");
-    await K8s(kind.ValidatingWebhookConfiguration).Delete(name);
-  }
+  await handleWebhookConfiguration(assets, WebhookType.VALIDATE, webhookTimeout, force);
 
   Log.info("Applying the Pepr Store CRD if it doesn't exist");
   await K8s(kind.CustomResourceDefinition).Apply(peprStoreCRD, { force });
 
-  // If a host is specified, we don't need to deploy the rest of the resources
-  if (host) {
-    return;
-  }
+  if (assets.host) return; // Skip resource deployment if a host is already specified
 
-  const code = await fs.readFile(path);
+  const code = await fs.readFile(assets.path);
+  if (!code.length) throw new Error("No code provided");
   const hash = crypto.createHash("sha256").update(code).digest("hex");
 
-  if (code.length < 1) {
-    throw new Error("No code provided");
-  }
-
-  await setupRBAC(name, assets.capabilities, force, assets.config);
+  await setupRBAC(assets.name, assets.capabilities, force, assets.config);
   await setupController(assets, code, hash, force);
   await setupWatcher(assets, hash, force);
 }