Kubewarden admission controller single helm chart #1745
Open
jvanz wants to merge 22 commits into
21ee575 to 866d668
Move all controller-specific Helm templates from the top-level templates/ directory into a templates/controller/ subdirectory. This restructuring prepares the chart for the upcoming merge of the kubewarden-crds and kubewarden-defaults charts, which will each get their own subdirectory under templates/. The webhook service name is now derived from the release name through a dedicated webhookServiceName helper, replacing the previously hardcoded value. All helm unit test references have been updated to reflect the new template paths.
Assisted-by: Claude Code
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

Bring all Kubewarden CRD templates and the OpenReports dependency chart into the kubewarden-controller chart. This is part of merging the three separate Helm charts into one unified chart. The CRD templates include all five Kubewarden policy CRDs plus the PolicyReport and ClusterPolicyReport CRDs. The OpenReports chart is added as a conditional dependency controlled by the reportCRDs.installOpenReportsCRDs value.
Assisted-by: Claude Code
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

Remove the standalone kubewarden-crds Helm chart. Its CRD templates and OpenReports dependency have been integrated into the unified kubewarden-controller chart in the previous commit.
Assisted-by: Claude Code
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

Introduce a new DefaultsApplierReconciler that watches a ConfigMap and applies default Kubewarden resources (PolicyServer, recommended policies) to the cluster. This replaces the old approach of having a separate kubewarden-defaults Helm chart manage these resources directly. The reconciler decodes YAML from ConfigMap data keys, creates or patches the corresponding resources with ownership labels, and automatically cleans up stale managed resources when they are removed from the ConfigMap.
Assisted-by: Claude Code
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

Add the defaults templates and related helper functions to the kubewarden-controller chart. The defaults are now delivered through a ConfigMap that gets reconciled by the DefaultsApplierReconciler added in the previous commit. The templates include the PolicyServer definition, recommended security policies (privilege escalation, capabilities, host namespaces, host paths, pod privileges, user/group), and the PolicyServer RBAC resources.
Assisted-by: Claude Code
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

Remove the standalone kubewarden-defaults Helm chart. Its templates have been integrated into the unified kubewarden-controller chart through a ConfigMap-based approach, and its values have been merged into the controller chart configuration.
Assisted-by: Claude Code
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

Bump the chart version to 6.0.0-alpha.1 and appVersion to v2.0.0-alpha.1 to reflect the major restructuring. Remove the auto-install annotation for kubewarden-crds since CRDs are now managed within this chart. Merge values, schema, and questions from the former kubewarden-crds and kubewarden-defaults charts into the unified configuration. This includes the reportCRDs, policyServer, and recommendedPolicies sections. The README has been rewritten to document the unified chart and provide migration guidance.
Assisted-by: Claude Code
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

Adapt all build tooling, development environment, and test infrastructure for the single-chart deployment model. The Makefile now generates CRDs and RBAC into the new template subdirectories and runs helm-unittest against the unified chart only. The Tiltfile deploys a single Helm release instead of separate installs for CRDs, controller, and defaults. All shell scripts have been updated to reference the unified chart paths. The e2e tests install a single Helm release with policyServer configuration. The controller test suite loads CRDs programmatically from the chart templates and sets up the DefaultsApplierReconciler. Go module dependencies have been updated accordingly.
Assisted-by: Claude Code
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

Replace typed ObjectList with extractItems type-switch by UnstructuredList for generic resource listing in cleanupStale. Remove the .yaml key suffix filter from ConfigMap data iteration since keys are now bare names. Rewrite tests to use factory builders and sigs.k8s.io/yaml for YAML serialization instead of inline string literals, use DeleteAllOf for cleanup, and replace time.Sleep with Consistently.
Assisted-by: Claude Code
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

The pre-delete job was using -A (all namespaces) for kubectl delete of managed defaults resources. Scope it to the release namespace with -n to avoid deleting resources from other installations.
Assisted-by: Claude Code
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

…templates
When the kubewarden-defaults chart templates were migrated into the unified chart as ConfigMap-embedded YAML, several pieces were lost: standard Kubernetes labels (app.kubernetes.io/part-of, component, managed-by), additionalAnnotations passthrough, correct PolicyServer affinity resolution via policyServer.affinity, the crdVersion values field, and the CREATE-only operation constraint on the allow-privilege-escalation policy. This restores all of them to match the behavior of the old chart.
Assisted-by: Claude Code
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

Wrap individual policy checks inside an outer if .Values.recommendedPolicies.enabled block instead of repeating the and condition on every entry. No behavior change.
Assisted-by: Claude Code
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

The unified chart NOTES.txt was missing content from the old kubewarden-crds and kubewarden-defaults charts. Add CRD listing, PolicyServer confirmation, recommended policies summary, monitor mode note, and documentation links so users see all relevant information after a single helm install.
Assisted-by: Claude Code
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

Verify labels, annotations, affinity precedence, crdVersion usage, operations constraints, and the recommendedPolicies.enabled gate on the defaults ConfigMap.
Assisted-by: Claude Code
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

Remove trailing blank line flagged by goimports and rename cap parameter to policy to avoid shadowing the predeclared cap identifier.
Assisted-by: Claude Code
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

The repeated "policies.kubewarden.io" string in cleanupStale triggered a goconst lint violation. Move it to constants.KubewardenPoliciesGroup and reference that from the GVK list.
Assisted-by: Claude Code
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

Assisted-by: Claude Code
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

The unified chart changed the deployment name to kubewarden-kubewarden-controller and moved the default PolicyServer into the defaults ConfigMap instead of rendering it directly. Update the k8s_resource references, add report CRDs to the kubewarden-crds group, point restart_policy_server at the controller dependency, and suppress the unused policy-server image warning since Tilt cannot see the dynamically created PolicyServer.
Assisted-by: Claude Code
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>
491d128 to eee75e3
Pull request overview
This PR consolidates the Kubewarden installation into a single “unified” Helm chart (per RFC 0026), moving CRDs and default resources into the kubewarden-controller chart and adding a controller-side “defaults applier” reconciler to materialize default PolicyServer / recommended policies from a ConfigMap. It also updates local dev tooling, CI helper scripts, and e2e/integration tests to use the unified chart flow, while removing the legacy kubewarden-crds and kubewarden-defaults charts.
Changes:
- Replace the multi-chart install flow with a unified `charts/kubewarden-controller` chart that contains CRDs, controller manifests, and "defaults" rendering via a ConfigMap.
- Add `DefaultsApplierReconciler` to apply/cleanup default Kubewarden resources from a watched ConfigMap; extend integration tests accordingly.
- Update Tilt + scripts + e2e harness to install/upgrade only the unified chart; remove legacy chart files and related script logic.
Reviewed changes
Copilot reviewed 79 out of 96 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| Tiltfile | Switch Tilt install flow to the unified chart and adjust deps/resource naming. |
| scripts/validate-hauler-manifest.sh | Update hauler validation to reflect unified chart ownership; adjust chart dependency checks. |
| scripts/test-sigstore-e2e.sh | Update sigstore e2e install/upgrade flow to use the unified chart. |
| scripts/charts-generate-changelog-files.sh | Stop generating changelogs for removed legacy charts. |
| scripts/charts-extract-images.sh | Include all chart dirs with values.yaml now that legacy CRD chart filtering is obsolete. |
| scripts/charts-check-common-values.sh | Remove common-values checks for the deleted defaults chart. |
| Makefile | Generate CRDs/RBAC into the unified chart layout and add CRD keep annotations. |
| internal/controller/utils_test.go | Minor test type modernization (any). |
| internal/controller/suite_test.go | Load CRDs from the unified chart path and register the defaults applier reconciler for envtest. |
| internal/controller/defaults_applier.go | Add new controller reconciler that applies default resources from a ConfigMap and cleans up stale managed resources. |
| internal/controller/defaults_applier_test.go | Add envtest coverage for defaults application, updates, cleanup, and malformed entries. |
| internal/constants/constants.go | Add constants for defaults ConfigMap name and managed-by label keys/values. |
| cmd/controller/main.go | Add --defaults-configmap-name flag and register the DefaultsApplierReconciler. |
| api/policies/v1/factories.go | Add WithoutFinalizers() options to factories used by tests. |
| e2e/main_test.go | Update e2e harness to install a single unified chart release and wait on the new deployment name. |
| go.mod | Add direct deps needed by new test code (apiextensions + sigs yaml). |
| go.sum | Prune sums corresponding to removed/pinned versions after module graph changes. |
| .gitignore | Ignore generated/vendored charts directory for a chart path introduced by the new layout. |
| charts/kubewarden-defaults/values.yaml | Remove legacy defaults chart values (chart deleted). |
| charts/kubewarden-defaults/values.schema.json | Remove legacy defaults chart schema (chart deleted). |
| charts/kubewarden-defaults/tests/priorityClassName_test.yaml | Remove legacy defaults chart helm-unittest tests (chart deleted). |
| charts/kubewarden-defaults/tests/namespacedPoliciesCapabilities_test.yaml | Remove legacy defaults chart helm-unittest tests (chart deleted). |
| charts/kubewarden-defaults/tests/host_network_test.yaml | Remove legacy defaults chart helm-unittest tests (chart deleted). |
| charts/kubewarden-defaults/tests/failure_policy_test.yaml | Remove legacy defaults chart helm-unittest tests (chart deleted). |
| charts/kubewarden-defaults/templates/host-path-policy.yaml | Remove legacy defaults chart templates (chart deleted). |
| charts/kubewarden-defaults/templates/host-namespace-policy.yaml | Remove legacy defaults chart templates (chart deleted). |
| charts/kubewarden-defaults/templates/capabilities-policy.yaml | Remove legacy defaults chart templates (chart deleted). |
| charts/kubewarden-defaults/templates/_helpers.tpl | Remove legacy defaults chart helpers (chart deleted). |
| charts/kubewarden-defaults/README.md | Remove legacy defaults chart docs (chart deleted). |
| charts/kubewarden-defaults/questions.yaml | Remove legacy defaults chart Rancher questions (chart deleted). |
| charts/kubewarden-defaults/Chart.yaml | Remove legacy defaults chart metadata (chart deleted). |
| charts/kubewarden-defaults/app-readme.md | Remove legacy defaults chart app readme (chart deleted). |
| charts/kubewarden-defaults/.helmignore | Remove legacy defaults chart helmignore (chart deleted). |
| charts/kubewarden-crds/values.yaml | Remove legacy CRDs chart values (chart deleted). |
| charts/kubewarden-crds/values.schema.json | Remove legacy CRDs chart schema (chart deleted). |
| charts/kubewarden-crds/tests/crds_test.yaml | Remove legacy CRDs chart helm-unittest tests (chart deleted). |
| charts/kubewarden-crds/templates/NOTES.txt | Remove legacy CRDs chart notes (chart deleted). |
| charts/kubewarden-crds/README.md | Remove legacy CRDs chart docs (chart deleted). |
| charts/kubewarden-crds/Chart.yaml | Remove legacy CRDs chart metadata (chart deleted). |
| charts/kubewarden-crds/Chart.lock | Remove legacy CRDs chart lockfile (chart deleted). |
| charts/kubewarden-crds/.helmignore | Remove legacy CRDs chart helmignore (chart deleted). |
| charts/kubewarden-controller/values.yaml | Add unified-chart values for CRD toggles, defaults ConfigMap name, default PolicyServer, and recommended policies. |
| charts/kubewarden-controller/values.schema.json | Extend schema for new unified-chart values (CRDs/defaults/policy server/recommended policies). |
| charts/kubewarden-controller/tests/* | Update helm-unittest templates paths for new layout; add tests for defaults ConfigMap rendering. |
| charts/kubewarden-controller/templates/crds/*.yaml | Add helm.sh/resource-policy: keep to CRDs now shipped in the unified chart. |
| charts/kubewarden-controller/templates/defaults/defaults-configmap.yaml | Add template that renders the defaults ConfigMap containing default resources YAML. |
| charts/kubewarden-controller/templates/defaults/policies/*.tpl | Move/define defaults policy and PolicyServer templates used to populate the defaults ConfigMap. |
| charts/kubewarden-controller/templates/defaults/policy-server-rbac.yaml | Add RBAC objects for the default PolicyServer. |
| charts/kubewarden-controller/templates/controller/* | Restructure controller templates under templates/controller/ and adjust webhook/service naming. |
| charts/kubewarden-controller/templates/_helpers.tpl | Add helper for stable webhook service naming and defaults helpers migrated from removed chart(s). |
| charts/kubewarden-controller/README.md | Rewrite chart README for unified-chart install/migration/uninstall guidance. |
| charts/kubewarden-controller/questions.yaml | Extend Rancher questions for CRD toggles and defaults configuration. |
| charts/kubewarden-controller/charts/openreports-0.2.1.tgz | Vendor openreports dependency as part of unified chart dependencies. |
| charts/kubewarden-controller/Chart.yaml | Bump chart/app versions; add openreports dependency; remove auto-install annotation for legacy CRDs chart. |
| charts/kubewarden-controller/Chart.lock | Update lockfile for added dependency. |
Comment on lines +401 to 406
| echo -e "${GREEN} Installing kubewarden-controller (unified chart)...${NC}" | ||
| helm upgrade --install kubewarden-controller ./charts/kubewarden-controller \ | ||
| -n "$KUBEWARDEN_NAMESPACE" \ | ||
| --set replicas=1 \ | ||
| --set controller.replicas=1 \ | ||
| --wait | ||
|
|
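Review bot: the install command passes both `--set replicas=1` and `--set controller.replicas=1`; only one of these keys can exist in the unified chart's values layout, so the other is either silently ignored or, if charts/kubewarden-controller/values.schema.json rejects unknown properties, fails the install. Keep the key that matches values.yaml and drop the other.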
Comment on lines 412 to 419
| function build_image_flags() { | ||
| # Populates the IMAGE_FLAGS array with helm --set args for a custom | ||
| # policy-server image when POLICY_SERVER_IMAGE is set. | ||
| IMAGE_FLAGS=() | ||
| if [[ -n "${POLICY_SERVER_IMAGE}" ]]; then | ||
| IMAGE_FLAGS+=(--set "policyServer.image.repository=${POLICY_SERVER_IMAGE%:*}") | ||
| IMAGE_FLAGS+=(--set "policyServer.image.tag=${POLICY_SERVER_IMAGE##*:}") | ||
| IMAGE_FLAGS+=(--set "defaults.policyServer.image.repository=${POLICY_SERVER_IMAGE%:*}") | ||
| IMAGE_FLAGS+=(--set "defaults.policyServer.image.tag=${POLICY_SERVER_IMAGE##*:}") | ||
| fi |
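Review bot: `${POLICY_SERVER_IMAGE%:*}` and `${POLICY_SERVER_IMAGE##*:}` assume the reference always ends in `:tag`; an untagged reference yields the whole string for both repository and tag, and a digest reference (`@sha256:...`) splits at the wrong colon. Check the format before splitting (or fail with a clear message), and keep only one of the `policyServer.image.*` / `defaults.policyServer.image.*` prefixes, since the unified chart defines a single values path for the policy-server image.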
Comment on lines +442 to +452
| helm upgrade --install kubewarden-controller ./charts/kubewarden-controller \ | ||
| -n "$KUBEWARDEN_NAMESPACE" \ | ||
| --set policyServer.sigstoreTrustConfig="$SIGSTORE_TRUST_CONFIGMAP" \ | ||
| --set policyServer.verificationConfig="$VERIFICATION_CONFIGMAP" \ | ||
| --set 'policyServer.insecureSources[0]=registry.local:5001' \ | ||
| --set 'policyServer.env[0].name=KUBEWARDEN_LOG_LEVEL' \ | ||
| --set 'policyServer.env[0].value=info' \ | ||
| --set 'policyServer.env[1].name=RUST_BACKTRACE' \ | ||
| --set 'policyServer.env[1].value=1' \ | ||
| --set controller.replicas=1 \ | ||
| --set defaults.enabled=true \ | ||
| --set 'defaults.policyServer.sigstoreTrustConfig'="$SIGSTORE_TRUST_CONFIGMAP" \ | ||
| --set 'defaults.policyServer.verificationConfig'="$VERIFICATION_CONFIGMAP" \ | ||
| --set 'defaults.policyServer.insecureSources[0]=registry.local:5001' \ | ||
| --set 'defaults.policyServer.env[0].name=KUBEWARDEN_LOG_LEVEL' \ | ||
| --set 'defaults.policyServer.env[0].value=info' \ | ||
| --set 'defaults.policyServer.env[1].name=RUST_BACKTRACE' \ | ||
| --set 'defaults.policyServer.env[1].value=1' \ |
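Review bot: every `policyServer.*` setting is repeated under `defaults.policyServer.*` (and the replica count under `controller.replicas`); whichever prefix the unified chart does not define is a dead flag, so the block should shrink to one set of keys matching values.yaml. The quoting is also inconsistent between `--set policyServer.sigstoreTrustConfig="$SIGSTORE_TRUST_CONFIGMAP"` and `--set 'defaults.policyServer.sigstoreTrustConfig'="$SIGSTORE_TRUST_CONFIGMAP"`; pick one form.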
Comment on lines 85 to +88
| # Validate policy-server image | ||
| POLICY_SERVER_CHART_VERSION=$(yq eval '.policyServer.image.tag' "$DEFAULTS_VALUES") | ||
| POLICY_SERVER_CHART_VERSION=$(yq eval '.defaults.policyServer.image.tag' "$CONTROLLER_VALUES") | ||
| POLICY_SERVER_HAULER_VERSION=$(get_hauler_image_version "adm-controller/policy-server") | ||
| compare_version "policy-server" "$POLICY_SERVER_CHART_VERSION" "$POLICY_SERVER_HAULER_VERSION" "$DEFAULTS_VALUES" | ||
| compare_version "policy-server" "$POLICY_SERVER_CHART_VERSION" "$POLICY_SERVER_HAULER_VERSION" "$CONTROLLER_VALUES" |
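Review bot: `yq eval '.defaults.policyServer.image.tag' "$CONTROLLER_VALUES"` prints `null` instead of failing when the path is absent, so a renamed values key makes `compare_version` compare the string `null` against the hauler version rather than aborting. Add a guard such as `[[ "$POLICY_SERVER_CHART_VERSION" != "null" ]] || exit 1` after the lookup, and make sure the path tracks the chart's actual values layout (`policyServer.image.tag` versus `defaults.policyServer.image.tag`).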
Comment on lines 126 to +134
| # Validate allow-privilege-escalation-psp policy | ||
| POLICY_VERSION=$(yq eval '.recommendedPolicies.allowPrivilegeEscalationPolicy.module.tag' "$DEFAULTS_VALUES") | ||
| POLICY_VERSION=$(yq eval '.defaults.recommendedPolicies.allowPrivilegeEscalationPolicy.module.tag' "$CONTROLLER_VALUES") | ||
| HAULER_VERSION=$(get_hauler_image_version "policies/allow-privilege-escalation-psp") | ||
| compare_version "allow-privilege-escalation-psp" "$POLICY_VERSION" "$HAULER_VERSION" "$DEFAULTS_VALUES" | ||
| compare_version "allow-privilege-escalation-psp" "$POLICY_VERSION" "$HAULER_VERSION" "$CONTROLLER_VALUES" | ||
|
|
||
| # Validate capabilities-psp policy | ||
| POLICY_VERSION=$(yq eval '.recommendedPolicies.capabilitiesPolicy.module.tag' "$DEFAULTS_VALUES") | ||
| POLICY_VERSION=$(yq eval '.defaults.recommendedPolicies.capabilitiesPolicy.module.tag' "$CONTROLLER_VALUES") | ||
| HAULER_VERSION=$(get_hauler_image_version "policies/capabilities-psp") | ||
| compare_version "capabilities-psp" "$POLICY_VERSION" "$HAULER_VERSION" "$DEFAULTS_VALUES" | ||
| compare_version "capabilities-psp" "$POLICY_VERSION" "$HAULER_VERSION" "$CONTROLLER_VALUES" |
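Review bot: the two blocks differ only in the policy name and values key, and the remaining recommended policies presumably follow the same pattern; a loop over `name:valuesKey` pairs would remove the copy-paste and give a single place to reject a `null` result from `yq` before `compare_version` runs. The `.defaults.recommendedPolicies.*` path also has to match the final values layout of the unified chart.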
Comment on lines 172 to 175
| # Validate policy-reporter chart (from kubewarden-controller dependencies) | ||
| CHART_VERSION=$(yq eval '.dependencies[0].version' "$CONTROLLER_CHART") | ||
| CHART_VERSION=$(yq eval '.dependencies[] | select(.name == "policy-reporter") | .version' "$CONTROLLER_CHART") | ||
| HAULER_VERSION=$(get_hauler_chart_version "policy-reporter") | ||
| compare_version "policy-reporter chart" "$CHART_VERSION" "$HAULER_VERSION" "$CONTROLLER_CHART dependencies" |
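Review bot: the name-based `select(.name == "policy-reporter")` correctly decouples the lookup from dependency order, but when the dependency is absent `yq` prints nothing and `compare_version` receives an empty `CHART_VERSION`; fail explicitly on an empty result so a missing dependency is reported instead of being compared against the hauler version.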
Comment on lines +118 to +128
| _, err := controllerutil.CreateOrPatch(ctx, r.Client, desired, func() error { | ||
| // Restore the spec from the decoded YAML | ||
| copySpec(desiredCopy, desired) | ||
|
|
||
| // Inject the ownership label | ||
| labels := desired.GetLabels() | ||
| if labels == nil { | ||
| labels = make(map[string]string) | ||
| } | ||
| labels[constants.DefaultsManagedByLabelKey] = constants.DefaultsManagedByLabelValue | ||
| desired.SetLabels(labels) |
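Review bot: the mutate callback restores only `Spec` via `copySpec` and then adds the managed-by label; on an update, `desired` holds the live object's metadata, so labels and annotations carried in the ConfigMap YAML (the app.kubernetes.io/* labels, additionalAnnotations) are applied on the initial create but never re-applied afterwards. Merge `desiredCopy`'s labels and annotations into `desired` in the same callback before setting `constants.DefaultsManagedByLabelKey`.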
Comment on lines +140 to +163
| // copySpec copies the Spec field from src to dst for all supported resource types. | ||
| func copySpec(src, dst client.Object) { | ||
| switch d := dst.(type) { | ||
| case *policiesv1.PolicyServer: | ||
| if s, ok := src.(*policiesv1.PolicyServer); ok { | ||
| d.Spec = s.Spec | ||
| } | ||
| case *policiesv1.ClusterAdmissionPolicy: | ||
| if s, ok := src.(*policiesv1.ClusterAdmissionPolicy); ok { | ||
| d.Spec = s.Spec | ||
| } | ||
| case *policiesv1.AdmissionPolicy: | ||
| if s, ok := src.(*policiesv1.AdmissionPolicy); ok { | ||
| d.Spec = s.Spec | ||
| } | ||
| case *policiesv1.ClusterAdmissionPolicyGroup: | ||
| if s, ok := src.(*policiesv1.ClusterAdmissionPolicyGroup); ok { | ||
| d.Spec = s.Spec | ||
| } | ||
| case *policiesv1.AdmissionPolicyGroup: | ||
| if s, ok := src.(*policiesv1.AdmissionPolicyGroup); ok { | ||
| d.Spec = s.Spec | ||
| } | ||
| } |
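Review bot: `copySpec` has no `default` case, so an object of a type outside the five listed kinds is silently left untouched; on an update its live spec is never reconciled to the ConfigMap content and no error is surfaced. Have `copySpec` return an error from a `default` branch (and from a failed type assertion on `src`) so a stray kind in the ConfigMap is reported instead of being ignored.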
The default PolicyServer is already enabled by default in the unified chart values. Setting it explicitly in the e2e test setup is unnecessary.
Assisted-by: Claude Code
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

The unified chart flattened the values hierarchy: defaults.policyServer.* became policyServer.*, defaults.recommendedPolicies.* became recommendedPolicies.*, and controller.replicas became replicas. The deployment name changed to kubewarden-kubewarden-controller via the fullname template.
Assisted-by: Claude Code
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

With a single helm chart there is no need to iterate over chart directories or validate common values across charts. Simplify the image and policy extraction scripts to operate on the chart path directly, remove the common-values check script and its CI step, and update the Makefile targets.
Assisted-by: Claude Code
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

The hauler manifest still referenced the old kubewarden-crds and kubewarden-defaults charts which no longer exist after merging into a single unified chart. Remove those entries and update the kubewarden-controller chart version to 6.0.0-alpha.1. Also fix the policy-reporter dependency version extraction in the validation script to use a name-based selector instead of a hardcoded array index, since the dependency order changed when openreports became the first entry.
Assisted-by: Claude Code
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>
Description
Single Kubewarden Helm chart following RFC 26 specification.
@kubewarden/kubewarden-developers, I think the easiest way to review this PR is per commit. The Helm charts e2e test will fail until we adapt them to the single helm chart installation process.