pepr 0.45.0 → 0.45.1-nightly.0

package/dist/sdk/sdk.d.ts

@@ -19,7 +19,12 @@ export declare function containers(request: PeprValidateRequest<kind.Pod> | Pepr
  * @param reportingComponent The component that is reporting the event, for example "uds.dev/operator"
  * @param reportingInstance The instance of the component that is reporting the event, for example process.env.HOSTNAME
  */
-export declare function writeEvent(cr: GenericKind, event: Partial<kind.CoreEvent>, eventType: string, eventReason: string, reportingComponent: string, reportingInstance: string): Promise<void>;
+export declare function writeEvent(cr: GenericKind, event: Partial<kind.CoreEvent>, options: {
+    eventType: string;
+    eventReason: string;
+    reportingComponent: string;
+    reportingInstance: string;
+}): Promise<void>;
 /**
  * Get the owner reference for a custom resource
  * @param customResource the custom resource to get the owner reference for

package/dist/sdk/sdk.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sdk.d.ts","sourceRoot":"","sources":["../../src/sdk/sdk.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACxE,OAAO,EAAE,WAAW,EAAO,IAAI,EAAE,MAAM,0BAA0B,CAAC;AAElE;;;;;GAKG;AACH,wBAAgB,UAAU,CACxB,OAAO,EAAE,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,iBAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,EACpE,aAAa,CAAC,EAAE,YAAY,GAAG,gBAAgB,GAAG,qBAAqB,GACtE,WAAW,EAAE,CAef;AAED;;;;;;;;;GASG;AAEH,wBAAsB,UAAU,CAC9B,EAAE,EAAE,WAAW,EACf,KAAK,EAAE,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,EAC9B,SAAS,EAAE,MAAM,EACjB,WAAW,EAAE,MAAM,EACnB,kBAAkB,EAAE,MAAM,EAC1B,iBAAiB,EAAE,MAAM,GACxB,OAAO,CAAC,IAAI,CAAC,CAqBf;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,cAAc,EAAE,WAAW,EAC3B,kBAAkB,CAAC,EAAE,OAAO,EAC5B,UAAU,CAAC,EAAE,OAAO,GACnB,gBAAgB,EAAE,CAcpB;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAYzD"}
+{"version":3,"file":"sdk.d.ts","sourceRoot":"","sources":["../../src/sdk/sdk.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACxE,OAAO,EAAE,WAAW,EAAO,IAAI,EAAE,MAAM,0BAA0B,CAAC;AAElE;;;;;GAKG;AACH,wBAAgB,UAAU,CACxB,OAAO,EAAE,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,iBAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,EACpE,aAAa,CAAC,EAAE,YAAY,GAAG,gBAAgB,GAAG,qBAAqB,GACtE,WAAW,EAAE,CAef;AAED;;;;;;;;;GASG;AAEH,wBAAsB,UAAU,CAC9B,EAAE,EAAE,WAAW,EACf,KAAK,EAAE,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,EAC9B,OAAO,EAAE;IACP,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,iBAAiB,EAAE,MAAM,CAAC;CAC3B,GACA,OAAO,CAAC,IAAI,CAAC,CAuBf;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,cAAc,EAAE,WAAW,EAC3B,kBAAkB,CAAC,EAAE,OAAO,EAC5B,UAAU,CAAC,EAAE,OAAO,GACnB,gBAAgB,EAAE,CAcpB;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAYzD"}

package/package.json

@@ -15,7 +15,7 @@
     "!src/**/*.test.ts",
     "!dist/**/*.test.d.ts*"
   ],
-  "version": "0.45.0",
+  "version": "0.45.1-nightly.0",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {
@@ -24,18 +24,21 @@
     "prebuild": "rm -fr dist/* && npm run gen-data-json",
     "build": "tsc && node build.mjs && npm pack",
     "build:image": "npm run build && docker buildx build --output type=docker --tag pepr:dev .",
+    "build:image:unicorn": "npm run build && docker buildx build -f Dockerfile.unicorn --output type=docker --tag pepr:dev .",
     "set:version": "node scripts/set-version.js",
-    "test": "npm run test:unit && npm run test:journey",
+    "test": "npm run test:unit && npm run test:journey && npm run test:journey-wasm",
     "test:unit": "npm run gen-data-json && jest src --coverage --detectOpenHandles --coverageDirectory=./coverage --testPathIgnorePatterns='cosign.e2e.test.ts'",
     "test:integration": "npm run test:integration:prep && npm run test:integration:run",
     "test:integration:prep": "./integration/prep.sh",
     "test:integration:run": "jest --maxWorkers=4 integration",
     "test:journey": "npm run test:journey:k3d && npm run build && npm run test:journey:image && npm run test:journey:run",
-    "test:journey:prep": "if [ ! -d ./pepr-upgrade-test ]; then git clone https://github.com/defenseunicorns/pepr-upgrade-test.git ; fi",
+    "test:journey:unicorn": "npm run test:journey:k3d && npm run build && npm run test:journey:image:unicorn && npm run test:journey:run",
     "test:journey-wasm": "npm run test:journey:k3d && npm run build && npm run test:journey:image && npm run test:journey:run-wasm",
+    "test:journey-wasm:unicorn": "npm run test:journey:k3d && npm run build && npm run test:journey:image:unicorn && npm run test:journey:run-wasm",
     "test:journey:k3d": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0' --wait && kubectl rollout status deployment -n kube-system",
     "test:journey:image": "docker buildx build --output type=docker --tag pepr:dev . && k3d image import pepr:dev -c pepr-dev",
-    "test:journey:run": "jest --detectOpenHandles journey/entrypoint.test.ts && npm run test:journey:prep && npm run test:journey:upgrade",
+    "test:journey:image:unicorn": "docker buildx build -f Dockerfile.unicorn --output type=docker --tag pepr:dev . && k3d image import pepr:dev -c pepr-dev",
+    "test:journey:run": "jest --detectOpenHandles journey/entrypoint.test.ts && npm run test:journey:upgrade",
     "test:journey:run-wasm": "jest --detectOpenHandles journey/entrypoint-wasm.test.ts",
     "test:journey:upgrade": "npm run test:journey:k3d && npm run test:journey:image && jest --detectOpenHandles journey/pepr-upgrade.test.ts",
     "format:check": "eslint src && prettier src --check",
@@ -49,12 +52,12 @@
     "follow-redirects": "1.15.9",
     "http-status-codes": "^2.3.0",
     "json-pointer": "^0.6.2",
-    "kubernetes-fluent-client": "3.3.8",
+    "kubernetes-fluent-client": "3.4.0",
     "pino": "9.6.0",
     "pino-pretty": "13.0.0",
     "prom-client": "15.1.3",
     "ramda": "0.30.1",
-    "sigstore": "3.0.0"
+    "sigstore": "3.1.0"
   },
   "devDependencies": {
     "@commitlint/cli": "19.7.1",
@@ -84,7 +87,7 @@
     "@typescript-eslint/eslint-plugin": "8.23.0",
     "@typescript-eslint/parser": "8.23.0",
     "commander": "13.1.0",
-    "esbuild": "0.24.2",
+    "esbuild": "0.25.0",
     "eslint": "8.57.0",
     "node-forge": "1.3.1",
     "prettier": "3.4.2",
@@ -92,4 +95,4 @@
     "typescript": "5.7.3",
     "uuid": "11.0.5"
   }
-}
+}

package/src/cli/build.helpers.ts

@@ -94,7 +94,7 @@ export async function handleCustomOutputDir(outputDir: string): Promise<string>
  * Check if the image is from Iron Bank and return the correct image
  * @param registry The registry of the image
  * @param image The image to check
- * @param peprVersion The version of the PEPR controller
+ * @param peprVersion The version of the Pepr controller
  * @returns The image string
  * @example
  */

package/src/cli/build.ts

@@ -11,7 +11,7 @@ import { RootCmd } from "./root";
 import { Option } from "commander";
 import { parseTimeout } from "../lib/helpers";
 import { peprFormat } from "./format";
-import { ModuleConfig } from "../lib/core/module";
+import { ModuleConfig } from "../lib/types";
 import {
   watchForChanges,
   determineRbacMode,
@@ -77,13 +77,13 @@ export default function (program: RootCmd): void {
       new Option(
         "-i, --custom-image <custom-image>",
         "Specify a custom image (including version) for Admission and Watch Deployments. Example: 'docker.io/username/custom-pepr-controller:v1.0.0'",
-      ).conflicts(["version", "registryInfo", "registry"]),
+      ).conflicts(["registryInfo", "registry"]),
     )
     .addOption(
       new Option(
         "-r, --registry-info [<registry>/<username>]",
         "Provide the image registry and username for building and pushing a custom WASM container. Requires authentication. Builds and pushes 'registry/username/custom-pepr-controller:<current-version>'.",
-      ).conflicts(["customImage", "version", "registry"]),
+      ).conflicts(["customImage", "registry"]),
     )
 
     .option("-o, --output-dir <output directory>", "Define where to place build output")
@@ -92,12 +92,6 @@ export default function (program: RootCmd): void {
       "How long the API server should wait for a webhook to respond before treating the call as a failure",
       parseTimeout,
     )
-    .addOption(
-      new Option(
-        "-v, --version <version>",
-        "The version of the Pepr image to use in the deployment manifests. Example: '0.27.3'.",
-      ).conflicts(["customImage", "registryInfo"]),
-    )
     .option(
       "--withPullSecret <imagePullSecret>",
       "Image Pull Secret: Use image pull secret for controller Deployment.",
@@ -164,8 +158,6 @@ export default function (program: RootCmd): void {
         console.info(`✅ Module built successfully at ${path}`);
         return;
       }
-      // set the image version if provided
-      if (opts.version) cfg.pepr.peprVersion = opts.version;
 
       // Generate a secret for the module
       const assets = new Assets(

package/src/cli/dev.ts

@@ -77,7 +77,7 @@ export default function (program: RootCmd): void {
               ...process.env,
               LOG_LEVEL: "debug",
               PEPR_MODE: "dev",
-              PEPR_API_TOKEN: webhook.apiToken,
+              PEPR_API_PATH: webhook.apiPath,
               PEPR_PRETTY_LOGS: "true",
               SSL_KEY_PATH: "insecure-tls.key",
               SSL_CERT_PATH: "insecure-tls.crt",

package/src/cli/init/templates.ts

@@ -11,7 +11,7 @@ import prettierJSON from "../../templates/.prettierrc.json";
 import samplesJSON from "../../templates/capabilities/hello-pepr.samples.json";
 import settingsJSON from "../../templates/settings.json";
 import tsConfigJSON from "../../templates/tsconfig.module.json";
-import { CustomLabels } from "../../lib/core/module";
+import { CustomLabels } from "../../lib/types";
 import { InitOptions } from "../types";
 import { OnError, RbacMode } from "./enums";
 import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";

package/src/lib/assets/assets.ts

@@ -1,6 +1,6 @@
 import crypto from "crypto";
 import { CapabilityExport } from "../types";
-import { ModuleConfig } from "../core/module";
+import { ModuleConfig } from "../types";
 import { TLSOut, genTLS } from "../tls";
 import { WebhookIgnore } from "../k8s";
 import {
@@ -24,13 +24,13 @@ import { loadCapabilities } from "./loader";
 import { namespaceComplianceValidator, dedent } from "../helpers";
 import { promises as fs } from "fs";
 import { storeRole, storeRoleBinding, clusterRoleBinding, serviceAccount } from "./rbac";
-import { watcherService, service, tlsSecret, apiTokenSecret } from "./networking";
+import { watcherService, service, tlsSecret, apiPathSecret } from "./networking";
 import { WebhookType } from "../enums";
 
 export class Assets {
   readonly name: string;
   readonly tls: TLSOut;
-  readonly apiToken: string;
+  readonly apiPath: string;
   readonly config: ModuleConfig;
   readonly path: string;
   readonly alwaysIgnore!: WebhookIgnore;
@@ -53,8 +53,8 @@ export class Assets {
     // Generate the ephemeral tls things
     this.tls = genTLS(host || `${this.name}.pepr-system.svc`);
 
-    // Generate the api token for the controller / webhook
-    this.apiToken = crypto.randomBytes(32).toString("hex");
+    // Generate the api path for the controller / webhook
+    this.apiPath = crypto.randomBytes(32).toString("hex");
   }
 
   async deploy(
@@ -81,7 +81,7 @@ export class Assets {
 
   allYaml = async (
     yamlGenerationFunction: (
-      assyts: Assets,
+      assets: Assets,
       deployments: { default: V1Deployment; watch: V1Deployment | null },
     ) => Promise<string>,
     imagePullSecret?: string,
@@ -149,7 +149,7 @@ export class Assets {
         [helm.files.watcherServiceYaml, (): string => toYaml(watcherService(this.name))],
         [helm.files.admissionServiceYaml, (): string => toYaml(service(this.name))],
         [helm.files.tlsSecretYaml, (): string => toYaml(tlsSecret(this.name, this.tls))],
-        [helm.files.apiTokenSecretYaml, (): string => toYaml(apiTokenSecret(this.name, this.apiToken))],
+        [helm.files.apiPathSecretYaml, (): string => toYaml(apiPathSecret(this.name, this.apiPath))],
         [helm.files.storeRoleYaml, (): string => toYaml(storeRole(this.name))],
         [helm.files.storeRoleBindingYaml, (): string => toYaml(storeRoleBinding(this.name))],
         [helm.files.clusterRoleYaml, (): string => dedent(clusterRoleTemplate())],
@@ -164,7 +164,7 @@ export class Assets {
         name: this.name,
         image: this.image,
         config: this.config,
-        apiToken: this.apiToken,
+        apiPath: this.apiPath,
         capabilities: this.capabilities,
       };
       await overridesFile(overrideData, helm.files.valuesYaml, this.imagePullSecrets);

package/src/lib/assets/deploy.ts

@@ -8,7 +8,7 @@ import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
 
 import { Assets } from "./assets";
 import Log from "../telemetry/logger";
-import { apiTokenSecret, service, tlsSecret, watcherService } from "./networking";
+import { apiPathSecret, service, tlsSecret, watcherService } from "./networking";
 import { getDeployment, getModuleSecret, getNamespace, getWatcher } from "./pods";
 import { clusterRole, clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "./rbac";
 import { peprStoreCRD } from "./store";
@@ -136,9 +136,9 @@ async function setupController(assets: Assets, code: Buffer, hash: string, force
   const tls = tlsSecret(name, assets.tls);
   await K8s(kind.Secret).Apply(tls, { force });
 
-  Log.info("Applying API token secret");
-  const apiToken = apiTokenSecret(name, assets.apiToken);
-  await K8s(kind.Secret).Apply(apiToken, { force });
+  Log.info("Applying API path secret");
+  const apiPath = apiPathSecret(name, assets.apiPath);
+  await K8s(kind.Secret).Apply(apiPath, { force });
 
   Log.info("Applying deployment");
   const dep = getDeployment(assets, hash, assets.buildTimestamp);

package/src/lib/assets/destroy.ts

@@ -25,7 +25,7 @@ export async function destroyModule(name: string): Promise<void> {
     K8s(kind.Secret, { namespace }).Delete(`${name}-module`),
     K8s(kind.Service, { namespace }).Delete(name),
     K8s(kind.Secret, { namespace }).Delete(`${name}-tls`),
-    K8s(kind.Secret, { namespace }).Delete(`${name}-api-token`),
+    K8s(kind.Secret, { namespace }).Delete(`${name}-api-path`),
     K8s(kind.Deployment, { namespace }).Delete(name),
     K8s(kind.Deployment, { namespace }).Delete(`${name}-watcher`),
     K8s(kind.Service, { namespace }).Delete(`${name}-watcher`),

package/src/lib/assets/helm.ts

@@ -221,8 +221,8 @@ export function admissionDeployTemplate(buildTimestamp: string): string {
                   - name: tls-certs
                     mountPath: /etc/certs
                     readOnly: true
-                  - name: api-token
-                    mountPath: /app/api-token
+                  - name: api-path
+                    mountPath: /app/api-path
                     readOnly: true
                   - name: module
                     mountPath: /app/load
@@ -234,9 +234,9 @@ export function admissionDeployTemplate(buildTimestamp: string): string {
               - name: tls-certs
                 secret:
                   secretName: {{ .Values.uuid }}-tls
-              - name: api-token
+              - name: api-path
                 secret:
-                  secretName: {{ .Values.uuid }}-api-token
+                  secretName: {{ .Values.uuid }}-api-path
               - name: module
                 secret:
                   secretName: {{ .Values.uuid }}-module  

package/src/lib/assets/index.ts

@@ -5,14 +5,13 @@ import { dumpYaml } from "@kubernetes/client-node";
 import { kind } from "kubernetes-fluent-client";
 import { replaceString } from "../helpers";
 import { resolve } from "path";
-import { ModuleConfig } from "../core/module";
+import { ModuleConfig } from "../types";
 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 export function toYaml(obj: any): string {
   return dumpYaml(obj, { noRefs: true });
 }
 
-// Unit Test Me!!
 export function createWebhookYaml(
   name: string,
   config: ModuleConfig,
@@ -81,7 +80,7 @@ export function helmLayout(basePath: string, unique: string): Record<string, Rec
     watcherDeploymentYaml: `${helm.dirs.tmpls}/watcher-deployment.yaml`,
     watcherServiceMonitorYaml: `${helm.dirs.tmpls}/watcher-service-monitor.yaml`,
     tlsSecretYaml: `${helm.dirs.tmpls}/tls-secret.yaml`,
-    apiTokenSecretYaml: `${helm.dirs.tmpls}/api-token-secret.yaml`,
+    apiPathSecretYaml: `${helm.dirs.tmpls}/api-path-secret.yaml`,
     moduleSecretYaml: `${helm.dirs.tmpls}/module-secret.yaml`,
     storeRoleYaml: `${helm.dirs.tmpls}/store-role.yaml`,
     storeRoleBindingYaml: `${helm.dirs.tmpls}/store-role-binding.yaml`,

package/src/lib/assets/networking.ts

@@ -5,17 +5,17 @@ import { kind } from "kubernetes-fluent-client";
 
 import { TLSOut } from "../tls";
 
-export function apiTokenSecret(name: string, apiToken: string): kind.Secret {
+export function apiPathSecret(name: string, apiPath: string): kind.Secret {
   return {
     apiVersion: "v1",
     kind: "Secret",
     metadata: {
-      name: `${name}-api-token`,
+      name: `${name}-api-path`,
       namespace: "pepr-system",
     },
     type: "Opaque",
     data: {
-      value: Buffer.from(apiToken).toString("base64"),
+      value: Buffer.from(apiPath).toString("base64"),
     },
   };
 }

package/src/lib/assets/pods.ts

@@ -6,7 +6,7 @@ import { kind } from "kubernetes-fluent-client";
 import { gzipSync } from "zlib";
 import { secretOverLimit } from "../helpers";
 import { Assets } from "./assets";
-import { ModuleConfig } from "../core/module";
+import { ModuleConfig } from "../types";
 import { Binding } from "../types";
 
 /** Generate the pepr-system namespace */
@@ -297,8 +297,8 @@ export function getDeployment(
                   readOnly: true,
                 },
                 {
-                  name: "api-token",
-                  mountPath: "/app/api-token",
+                  name: "api-path",
+                  mountPath: "/app/api-path",
                   readOnly: true,
                 },
                 {
@@ -317,9 +317,9 @@ export function getDeployment(
               },
             },
             {
-              name: "api-token",
+              name: "api-path",
               secret: {
-                secretName: `${name}-api-token`,
+                secretName: `${name}-api-path`,
               },
             },
             {

package/src/lib/assets/webhooks.ts

@@ -75,7 +75,7 @@ export async function webhookConfigGenerator(
 ): Promise<kind.MutatingWebhookConfiguration | kind.ValidatingWebhookConfiguration | null> {
   const ignore: V1LabelSelectorRequirement[] = [];
 
-  const { name, tls, config, apiToken, host } = assets;
+  const { name, tls, config, apiPath, host } = assets;
   const ignoreNS = concat(peprIgnoreNamespaces, resolveIgnoreNamespaces(config?.alwaysIgnore?.namespaces));
 
   // Add any namespaces to ignore
@@ -91,18 +91,18 @@ export async function webhookConfigGenerator(
     caBundle: tls.ca,
   };
 
-  // The URL must include the API Token
-  const apiPath = `/${mutateOrValidate}/${apiToken}`;
+  // The URL must include the API Path
+  const fullApiPath = `/${mutateOrValidate}/${apiPath}`;
 
   // If a host is specified, use that with a port of 3000
   if (host) {
-    clientConfig.url = `https://${host}:3000${apiPath}`;
+    clientConfig.url = `https://${host}:3000${fullApiPath}`;
   } else {
     // Otherwise, use the service
     clientConfig.service = {
       name: name,
       namespace: "pepr-system",
-      path: apiPath,
+      path: fullApiPath,
     };
   }
 

package/src/lib/assets/yaml/generateAllYaml.ts

@@ -4,7 +4,7 @@
 import crypto from "crypto";
 import { Assets } from "../assets";
 import { WebhookType } from "../../enums";
-import { apiTokenSecret, service, tlsSecret, watcherService } from "../networking";
+import { apiPathSecret, service, tlsSecret, watcherService } from "../networking";
 import { clusterRole, clusterRoleBinding, serviceAccount, storeRole, storeRoleBinding } from "../rbac";
 import { dumpYaml, V1Deployment } from "@kubernetes/client-node";
 import { getModuleSecret, getNamespace } from "../pods";
@@ -14,7 +14,7 @@ import { webhookConfigGenerator } from "../webhooks";
 type deployments = { default: V1Deployment; watch: V1Deployment | null };
 
 export async function generateAllYaml(assets: Assets, deployments: deployments): Promise<string> {
-  const { name, tls, apiToken, path, config } = assets;
+  const { name, tls, apiPath, path, config } = assets;
   const code = await fs.readFile(path);
   const hash = crypto.createHash("sha256").update(code).digest("hex");
 
@@ -23,7 +23,7 @@ export async function generateAllYaml(assets: Assets, deployments: deployments):
     clusterRole(name, assets.capabilities, config.rbacMode, config.rbac),
     clusterRoleBinding(name),
     serviceAccount(name),
-    apiTokenSecret(name, apiToken),
+    apiPathSecret(name, apiPath),
     tlsSecret(name, tls),
     deployments.default,
     service(name),

package/src/lib/assets/yaml/overridesFile.ts

@@ -1,12 +1,12 @@
 import { genEnv } from "../pods";
-import { ModuleConfig } from "../../core/module";
+import { ModuleConfig } from "../../types";
 import { CapabilityExport } from "../../types";
 import { dumpYaml } from "@kubernetes/client-node";
 import { clusterRole } from "../rbac";
 import { promises as fs } from "fs";
 
 type ChartOverrides = {
-  apiToken: string;
+  apiPath: string;
   capabilities: CapabilityExport[];
   config: ModuleConfig;
   hash: string;
@@ -16,7 +16,7 @@ type ChartOverrides = {
 
 // Helm Chart overrides file (values.yaml) generated from assets
 export async function overridesFile(
-  { hash, name, image, config, apiToken, capabilities }: ChartOverrides,
+  { hash, name, image, config, apiPath, capabilities }: ChartOverrides,
   path: string,
   imagePullSecrets: string[],
 ): Promise<void> {
@@ -27,7 +27,7 @@ export async function overridesFile(
     additionalIgnoredNamespaces: [],
     rbac: rbacOverrides,
     secrets: {
-      apiToken: Buffer.from(apiToken).toString("base64"),
+      apiPath: Buffer.from(apiPath).toString("base64"),
     },
     hash,
     namespace: {

package/src/lib/controller/index.ts

@@ -9,7 +9,8 @@ import { Capability } from "../core/capability";
 import { MutateResponse, ValidateResponse } from "../k8s";
 import Log from "../telemetry/logger";
 import { metricsCollector, MetricsCollector } from "../telemetry/metrics";
-import { ModuleConfig, isWatchMode } from "../core/module";
+import { isWatchMode } from "../core/envChecks";
+import { ModuleConfig } from "../types";
 import { mutateProcessor } from "../processors/mutate-processor";
 import { validateProcessor } from "../processors/validate-processor";
 import { StoreController } from "./store";
@@ -33,8 +34,8 @@ export class Controller {
   // Metrics collector
   #metricsCollector = metricsCollector;
 
-  // The token used to authenticate requests
-  #token = "";
+  // The path used to authenticate requests
+  #path = "";
 
   // The express app instance
   readonly #app = express();
@@ -92,14 +93,14 @@ export class Controller {
       cert: fs.readFileSync(process.env.SSL_CERT_PATH || "/etc/certs/tls.crt"),
     };
 
-    // Get the API token if not in watch mode
+    // Get the API path if not in watch mode
     if (!isWatchMode()) {
-      // Get the API token from the environment variable or the mounted secret
-      this.#token = process.env.PEPR_API_TOKEN || fs.readFileSync("/app/api-token/value").toString().trim();
-      Log.info(`Using API token: ${this.#token}`);
+      // Get the API path from the environment variable or the mounted secret
+      this.#path = process.env.PEPR_API_PATH || fs.readFileSync("/app/api-path/value").toString().trim();
+      Log.info(`Using API path: ${this.#path}`);
 
-      if (!this.#token) {
-        throw new Error("API token not found");
+      if (!this.#path) {
+        throw new Error("API path not found");
       }
     }
 
@@ -148,35 +149,35 @@ export class Controller {
     }
 
     // Require auth for webhook endpoints
-    this.#app.use(["/mutate/:token", "/validate/:token"], this.#validateToken);
+    this.#app.use(["/mutate/:path", "/validate/:path"], this.#validatepath);
 
     // Mutate endpoint
-    this.#app.post("/mutate/:token", this.#admissionReq("Mutate"));
+    this.#app.post("/mutate/:path", this.#admissionReq("Mutate"));
 
     // Validate endpoint
-    this.#app.post("/validate/:token", this.#admissionReq("Validate"));
+    this.#app.post("/validate/:path", this.#admissionReq("Validate"));
   };
 
   /**
-   * Validate the token in the request path
+   * Validate the path in the request path
    *
    * @param req The incoming request
    * @param res The outgoing response
    * @param next The next middleware function
    * @returns
    */
-  #validateToken = (req: express.Request, res: express.Response, next: NextFunction): void => {
-    // Validate the token
-    const { token } = req.params;
-    if (token !== this.#token) {
-      const err = `Unauthorized: invalid token '${token.replace(/[^\w]/g, "_")}'`;
+  #validatepath = (req: express.Request, res: express.Response, next: NextFunction): void => {
+    // Validate the path
+    const { path } = req.params;
+    if (path !== this.#path) {
+      const err = `Unauthorized: invalid path '${path.replace(/[^\w]/g, "_")}'`;
       Log.info(err);
       res.status(401).send(err);
       this.#metricsCollector.alert();
       return;
     }
 
-    // Token is valid, continue
+    // path is valid, continue
     next();
   };
 

package/src/lib/core/capability.ts

@@ -4,7 +4,7 @@
 import { GenericClass, GroupVersionKind, modelToGroupVersionKind } from "kubernetes-fluent-client";
 import { pickBy } from "ramda";
 import Log from "../telemetry/logger";
-import { isBuildMode, isDevMode, isWatchMode } from "./module";
+import { isBuildMode, isDevMode, isWatchMode } from "./envChecks";
 import { PeprStore, Storage } from "./storage";
 import { OnSchedule, Schedule } from "./schedule";
 import { Event } from "../enums";

package/src/lib/core/envChecks.ts

@@ -0,0 +1,6 @@
+export const isWatchMode = (): boolean => process.env.PEPR_WATCH_MODE === "true";
+// Track if Pepr is running in build mode
+
+export const isBuildMode = (): boolean => process.env.PEPR_MODE === "build";
+
+export const isDevMode = (): boolean => process.env.PEPR_MODE === "dev";

package/src/lib/core/module.ts

@@ -4,71 +4,12 @@ import { clone } from "ramda";
 import { Capability } from "./capability";
 import { Controller, ControllerHooks } from "../controller";
 import { ValidateError } from "../errors";
-import { MutateResponse, ValidateResponse, WebhookIgnore } from "../k8s";
-import { CapabilityExport, AdmissionRequest } from "../types";
+import { CapabilityExport } from "../types";
 import { setupWatch } from "../processors/watch-processor";
 import { Log } from "../../lib";
-import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
 import { resolveIgnoreNamespaces } from "../assets/webhooks";
-
-/** Custom Labels Type for package.json */
-
-export type CustomLabels = { namespace: Record<string, string> } | Record<string, never>;
-
-/** Configuration that MAY be set a Pepr module's package.json. */
-export type ModuleConfigOptions = {
-  /** The Pepr version this module uses */
-  peprVersion: string;
-  /** The user-defined version of the module */
-  appVersion: string;
-  /** A description of the Pepr module and what it does. */
-  description: string;
-  /** The webhookTimeout */
-  webhookTimeout: number;
-  /** Reject K8s resource AdmissionRequests on error. */
-  onError: string;
-  /** Define the log level for the in-cluster controllers */
-  logLevel: string;
-  /** Propagate env variables to in-cluster controllers */
-  env: Record<string, string>;
-  /** Custom RBAC rules */
-  rbac: PolicyRule[];
-  /** The RBAC mode; if "scoped", generates scoped rules, otherwise uses wildcard rules. */
-  rbacMode: string;
-  /** Custom Labels for Kubernetes Objects */
-  customLabels: CustomLabels;
-};
-
-/** Global configuration for the Pepr runtime. */
-export type ModuleConfig = {
-  /** A unique identifier for this Pepr module. This is automatically generated by Pepr. */
-  uuid: string;
-  /** Configure global exclusions that will never be processed by Pepr. */
-  alwaysIgnore: WebhookIgnore;
-} & Partial<ModuleConfigOptions>;
-
-export type PackageJSON = {
-  description: string;
-  pepr: ModuleConfig;
-};
-
-export type PeprModuleOptions = {
-  deferStart?: boolean;
-
-  /** A user-defined callback to pre-process or intercept a Pepr request from K8s immediately before it is processed */
-  beforeHook?: (req: AdmissionRequest) => void;
-
-  /** A user-defined callback to post-process or intercept a Pepr response just before it is returned to K8s */
-  afterHook?: (res: MutateResponse | ValidateResponse) => void;
-};
-
-// Track if this is a watch mode controller
-export const isWatchMode = (): boolean => process.env.PEPR_WATCH_MODE === "true";
-
-// Track if Pepr is running in build mode
-export const isBuildMode = (): boolean => process.env.PEPR_MODE === "build";
-
-export const isDevMode = (): boolean => process.env.PEPR_MODE === "dev";
+import { isBuildMode, isDevMode, isWatchMode } from "./envChecks";
+import { PackageJSON, PeprModuleOptions, ModuleConfig } from "../types";
 
 export class PeprModule {
   #controller!: Controller;