Kubewarden admission controller single helm chart

.github/workflows/ci.yml

@@ -424,8 +424,6 @@ jobs:
       # Disable plugin verification until the following issue is addressed https://github.com/helm-unittest/helm-unittest/issues/777
       - name: Install Helm-unittest
         run: helm plugin install https://github.com/helm-unittest/helm-unittest --verify=false
-      - name: Verify common values
-        run: make charts-check-common-values
       - name: helm unit tests
         run: make helm-unittest
 

.gitignore

@@ -46,3 +46,4 @@ fulcio.pem
 rekor.pub
 tsa.pem
 ctfe.pub
+charts/kubewarden-admission-controller/charts/

Makefile

@@ -46,9 +46,7 @@ test-rust:
 
 .PHONY: helm-unittest
 helm-unittest:
-	helm unittest charts/kubewarden-crds --file "tests/**/*_test.yaml"
 	helm unittest charts/kubewarden-controller --file "tests/**/*_test.yaml"
-	helm unittest charts/kubewarden-defaults --file "tests/**/*_test.yaml"
 
 .PHONY: test-e2e
 test-e2e: controller-image audit-scanner-image policy-server-image
@@ -162,13 +160,14 @@ manifests: ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefin
 	$(GO_BUILD_ENV) $(CONTROLLER_GEN) rbac:roleName=kubewarden-controller-manager,fileName=controller-rbac-roles.yaml crd webhook \
 			paths="./api/policies/v1" paths="./api/policies/v1alpha2" \
 			paths="./internal/controller" paths="./cmd/controller" \
-			output:crd:artifacts:config=charts/kubewarden-crds/templates/crds \
-			output:rbac:artifacts:config=charts/kubewarden-controller/templates \
+			output:crd:artifacts:config=charts/kubewarden-controller/templates/crds \
+			output:rbac:artifacts:config=charts/kubewarden-controller/templates/controller \
 			output:webhook:artifacts:config=charts
+	sed -i '/controller-gen.kubebuilder.io\/version:/a\    helm.sh/resource-policy: keep' charts/kubewarden-controller/templates/crds/policies.kubewarden.io_*.yaml
 	echo "# to be merged manually into kubewarden-controller/templates/webhooks.yaml" | cat - charts/manifests.yaml > temp && mv temp charts/manifests.yaml
 	mv charts/manifests.yaml charts/generated-webhooks-manifests.yaml
-	sed -i '/^metadata:/a\  labels:\n    {{- include "kubewarden-controller.labels" . | nindent 4 }}\n  annotations:\n    {{- include "kubewarden-controller.annotations" . | nindent 4 }}' charts/kubewarden-controller/templates/controller-rbac-roles.yaml
-	sed -i 's/  namespace: kubewarden/  namespace: {{ .Release.Namespace }}/' charts/kubewarden-controller/templates/controller-rbac-roles.yaml
+	sed -i '/^metadata:/a\  labels:\n    {{- include "kubewarden-controller.labels" . | nindent 4 }}\n  annotations:\n    {{- include "kubewarden-controller.annotations" . | nindent 4 }}' charts/kubewarden-controller/templates/controller/controller-rbac-roles.yaml
+	sed -i 's/  namespace: kubewarden/  namespace: {{ .Release.Namespace }}/' charts/kubewarden-controller/templates/controller/controller-rbac-roles.yaml
 
 .PHONY: generate-chart
 generate-chart: ## Generate Helm chart values schema.
@@ -178,17 +177,13 @@ generate-chart: ## Generate Helm chart values schema.
 check-generate: generate
 	@./hack/check-for-auto-generated-changes.sh
 
-.PHONY: charts-check-common-values
-charts-check-common-values:
-	@./scripts/charts-check-common-values.sh
-
 .PHONY: charts-generate-images-file
 charts-generate-images-file:
-	@./scripts/charts-extract-images.sh ./charts
+	@./scripts/charts-extract-images.sh ./charts/kubewarden-controller
 
 .PHONY: charts-generate-policies-file
 charts-generate-policies-file:
-	@./scripts/charts-extract-policies.sh ./charts
+	@./scripts/charts-extract-policies.sh ./charts/kubewarden-controller
 
 .PHONY: charts-generate-changelog-files
 charts-generate-changelog-files:

Tiltfile

@@ -1,41 +1,25 @@
 tilt_settings_file = "./tilt-settings.yaml"
 settings = read_yaml(tilt_settings_file)
 
-update_settings(k8s_upsert_timeout_secs=300)
-
 # Create the kubewarden namespace
 # This is required since the helm() function doesn't support the create_namespace flag
 load("ext://namespace", "namespace_create")
 namespace_create("kubewarden")
 
-# Install the CRDs Helm chart first
-crds_yaml = helm(
-    "./charts/kubewarden-crds",
-    name="kubewarden-crds",
-    namespace="kubewarden",
-)
-k8s_yaml(crds_yaml)
-
-# Group all CRDs under a single resource name for dependency tracking
-k8s_resource(
-    new_name='kubewarden-crds',
-    objects=[
-        'policyservers.policies.kubewarden.io:CustomResourceDefinition',
-        'admissionpolicies.policies.kubewarden.io:CustomResourceDefinition',
-        'clusteradmissionpolicies.policies.kubewarden.io:CustomResourceDefinition',
-        'admissionpolicygroups.policies.kubewarden.io:CustomResourceDefinition',
-        'clusteradmissionpolicygroups.policies.kubewarden.io:CustomResourceDefinition',
-    ],
-)
-
+# Install the unified Kubewarden admission controller chart
 registry = settings.get("registry")
 controller_image = settings.get("controller").get("image")
 audit_scanner_image = settings.get("audit-scanner").get("image")
 policy_server_image = settings.get("policy-server").get("image")
 
-kubewarden_controller_yaml = helm(
+update_settings(
+    k8s_upsert_timeout_secs=300,
+    suppress_unused_image_warnings=[registry + "/" + policy_server_image],
+)
+
+kubewarden_yaml = helm(
     "./charts/kubewarden-controller",
-    name="kubewarden-controller",
+    name="kubewarden",
     namespace="kubewarden",
     set=[
         "global.cattle.systemDefaultRegistry=null",
@@ -45,35 +29,36 @@ kubewarden_controller_yaml = helm(
         "podSecurityContext=null",
         "containerSecurityContext=null",
         "auditScanner.image.repository=" + registry + "/" + audit_scanner_image,
-        "auditScanner.logLevel=debug", 
+        "auditScanner.logLevel=debug",
+        "policyServer.enabled=true",
+        "policyServer.image.repository=" + registry + "/" + policy_server_image,
+        "policyServer.env[0].name=KUBEWARDEN_LOG_LEVEL",
+        "policyServer.env[0].value=debug",
     ],
 )
-k8s_yaml(kubewarden_controller_yaml)
+k8s_yaml(kubewarden_yaml)
 
-# Wait for kubewarden-controller deployment to be ready before applying defaults
-# This ensures the webhook is running before PolicyServer resources are created
+# Group all CRDs under a single resource name for dependency tracking
 k8s_resource(
-    'kubewarden-controller:deployment',
-    new_name='kubewarden-controller',
-    resource_deps=['kubewarden-crds'],
-)
-
-kubewarden_defaults_yaml = helm(
-    "./charts/kubewarden-defaults",
-    name="kubewarden-defaults",
-    namespace="kubewarden",
-    set=[
-        "global.cattle.systemDefaultRegistry=null",
-        "policyServer.image.repository=" + registry + "/" + policy_server_image,
-        "policyServer.env[0].name=KUBEWARDEN_LOG_LEVEL",
-        "policyServer.env[0].value=debug",
+    new_name='kubewarden-crds',
+    objects=[
+        'policyservers.policies.kubewarden.io:CustomResourceDefinition',
+        'admissionpolicies.policies.kubewarden.io:CustomResourceDefinition',
+        'clusteradmissionpolicies.policies.kubewarden.io:CustomResourceDefinition',
+        'admissionpolicygroups.policies.kubewarden.io:CustomResourceDefinition',
+        'clusteradmissionpolicygroups.policies.kubewarden.io:CustomResourceDefinition',
+        'clusterreports.openreports.io:CustomResourceDefinition',
+        'reports.openreports.io:CustomResourceDefinition',
+        'clusterpolicyreports.wgpolicyk8s.io:CustomResourceDefinition',
+        'policyreports.wgpolicyk8s.io:CustomResourceDefinition',
     ],
 )
-k8s_yaml(kubewarden_defaults_yaml)
 
+# Wait for controller deployment to be ready
 k8s_resource(
-    'default',
-    resource_deps=['kubewarden-controller', 'policy_server_tilt'],
+    'kubewarden-kubewarden-controller',
+    new_name='kubewarden-controller',
+    resource_deps=['kubewarden-crds'],
 )
 
 # Tell tilt about the image used by the PolicyServer CRD
@@ -174,10 +159,11 @@ docker_build(
 )
 
 # Trigger PolicyServer pod restart by updating annotations when image changes
-# Runs automatically whenever the policy-server image is rebuilt
+# The default PolicyServer is created by the controller from the defaults ConfigMap,
+# so we depend on the controller being ready before patching.
 local_resource(
     "restart_policy_server",
     "kubectl get policyserver default >/dev/null 2>&1 && kubectl patch policyserver default --type=merge -p '{\"spec\":{\"annotations\":{\"restart\":\"'$(date +%s)'\"}}}'  || true",
-    resource_deps=["default"],
+    resource_deps=["kubewarden-controller"],
     trigger_mode=TRIGGER_MODE_AUTO,
 )

api/policies/v1/factories.go

@@ -145,6 +145,7 @@ type ClusterAdmissionPolicyFactory struct {
 	mode                  PolicyMode
 	timeoutSeconds        *int32
 	timeoutEvalSeconds    *int32
+	withoutFinalizers     bool
 }
 
 func NewClusterAdmissionPolicyFactory() *ClusterAdmissionPolicyFactory {
@@ -219,19 +220,28 @@ func (f *ClusterAdmissionPolicyFactory) WithTimeoutEvalSeconds(timeout *int32) *
 	return f
 }
 
+func (f *ClusterAdmissionPolicyFactory) WithoutFinalizers() *ClusterAdmissionPolicyFactory {
+	f.withoutFinalizers = true
+	return f
+}
+
 func (f *ClusterAdmissionPolicyFactory) Build() *ClusterAdmissionPolicy {
+	var finalizers []string
+	if !f.withoutFinalizers {
+		finalizers = []string{
+			// On a real cluster the Kubewarden finalizer is added by our mutating
+			// webhook. This is not running now, hence we have to manually add the finalizer
+			constants.KubewardenFinalizer,
+			// By adding this finalizer automatically, we ensure that when
+			// testing removal of finalizers on deleted objects, that they will
+			// exist at all times
+			integrationTestsFinalizer,
+		}
+	}
 	clusterAdmissionPolicy := ClusterAdmissionPolicy{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: f.name,
-			Finalizers: []string{
-				// On a real cluster the Kubewarden finalizer is added by our mutating
-				// webhook. This is not running now, hence we have to manually add the finalizer
-				constants.KubewardenFinalizer,
-				// By adding this finalizer automatically, we ensure that when
-				// testing removal of finalizers on deleted objects, that they will
-				// exist at all times
-				integrationTestsFinalizer,
-			},
+			Name:       f.name,
+			Finalizers: finalizers,
 		},
 		Spec: ClusterAdmissionPolicySpec{
 			ContextAwareResources: f.contextAwareResources,
@@ -494,6 +504,7 @@ type PolicyServerBuilder struct {
 	webhookPort                    *int32
 	readinessProbePort             *int32
 	metricsPort                    *int32
+	withoutFinalizers              bool
 }
 
 func NewPolicyServerFactory() *PolicyServerBuilder {
@@ -557,19 +568,28 @@ func (f *PolicyServerBuilder) WithMetricsPort(port int32) *PolicyServerBuilder {
 	return f
 }
 
+func (f *PolicyServerBuilder) WithoutFinalizers() *PolicyServerBuilder {
+	f.withoutFinalizers = true
+	return f
+}
+
 func (f *PolicyServerBuilder) Build() *PolicyServer {
+	var finalizers []string
+	if !f.withoutFinalizers {
+		finalizers = []string{
+			// On a real cluster the Kubewarden finalizer is added by our mutating
+			// webhook. This is not running now, hence we have to manually add the finalizer
+			constants.KubewardenFinalizer,
+			// By adding this finalizer automatically, we ensure that when
+			// testing removal of finalizers on deleted objects, that they will
+			// exist at all times
+			integrationTestsFinalizer,
+		}
+	}
 	policyServer := PolicyServer{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: f.name,
-			Finalizers: []string{
-				// On a real cluster the Kubewarden finalizer is added by our mutating
-				// webhook. This is not running now, hence we have to manually add the finalizer
-				constants.KubewardenFinalizer,
-				// By adding this finalizer automatically, we ensure that when
-				// testing removal of finalizers on deleted objects, that they will
-				// exist at all times
-				integrationTestsFinalizer,
-			},
+			Name:       f.name,
+			Finalizers: finalizers,
 		},
 		Spec: PolicyServerSpec{
 			Image:                          policyServerRepository() + ":" + policyServerVersion(),