feat(helm): add hostNetwork and port configuration to charts

The kubewarden-controller chart gains a hostNetwork toggle and a ports
block (webhook, healthProbe, metrics) that feed into both the Deployment
template and the Service definitions, so every port is configurable from
values.yaml rather than hardcoded. A new
"kubewarden-controller.effectiveAffinity" helper injects a required
podAntiAffinity rule that prevents two controller replicas from landing
on the same node when hostNetwork is enabled, avoiding port collisions
on the host interface. When the user supplies their own affinity the
helper uses it verbatim, preserving full operator control.

The kubewarden-defaults chart is extended in the same way: the default
PolicyServer template now passes webhookPort, readinessProbePort, and
metricsPort through to the CRD when set, and its values.yaml documents
the fields with commented-out examples and their defaults. Both charts
include JSON schema additions and Helm unit tests covering the new
values, hostNetwork toggling, anti-affinity injection, and service port
rendering.

Assisted-by: Github Copilot
Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

Author: jvanz

charts/kubewarden-controller/templates/_helpers.tpl

@@ -181,3 +181,42 @@ are configured.
 - {{ .Values.auditScanner.reportCRDsKind }}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Compute the effective affinity for the controller deployment.
+When hostNetwork is enabled, a required podAntiAffinity rule is injected to
+forbid multiple controller pods from being scheduled on the same node, avoiding
+host-port conflicts between controller replicas. The rule matches only
+controller pods using the chart's selector labels.
+
+PolicyServer anti-affinity (same-PS replicas, cross-PS conflicts, and
+controller-PS port overlap) is managed separately by the controller reconciler
+at runtime, not by this helper.
+
+When global.affinity is provided by the user:
+  - podAntiAffinity fully replaces the auto-generated rule.
+  - podAffinity and nodeAffinity are carried through unchanged.
+When hostNetwork is disabled, global.affinity is passed through as-is.
+*/}}
+{{- define "kubewarden-controller.effectiveAffinity" -}}
+{{- if .Values.hostNetwork -}}
+  {{- $matchLabels := (include "kubewarden-controller.selectorLabels" . | fromYaml) -}}
+  {{- $affinityTerm := dict "labelSelector" (dict "matchLabels" $matchLabels) "topologyKey" "kubernetes.io/hostname" -}}
+  {{- $autoAntiAffinity := dict "requiredDuringSchedulingIgnoredDuringExecution" (list $affinityTerm) -}}
+  {{- $affinity := dict "podAntiAffinity" $autoAntiAffinity -}}
+  {{- if .Values.global.affinity -}}
+    {{- if hasKey .Values.global.affinity "podAntiAffinity" -}}
+      {{- $_ := set $affinity "podAntiAffinity" .Values.global.affinity.podAntiAffinity -}}
+    {{- end -}}
+    {{- if hasKey .Values.global.affinity "podAffinity" -}}
+      {{- $_ := set $affinity "podAffinity" .Values.global.affinity.podAffinity -}}
+    {{- end -}}
+    {{- if hasKey .Values.global.affinity "nodeAffinity" -}}
+      {{- $_ := set $affinity "nodeAffinity" .Values.global.affinity.nodeAffinity -}}
+    {{- end -}}
+  {{- end -}}
+  {{- toYaml $affinity -}}
+{{- else if .Values.global.affinity -}}
+  {{- toYaml .Values.global.affinity -}}
+{{- end -}}
+{{- end -}}

charts/kubewarden-controller/templates/deployment.yaml

@@ -32,8 +32,9 @@ spec:
       {{- include "imagePullSecrets" .Values.imagePullSecrets | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "kubewarden-controller.serviceAccountName" . }}
-      {{- if .Values.global.affinity }}
-      affinity: {{ .Values.global.affinity | toYaml | nindent 8 }}
+      {{- $effectiveAffinity := include "kubewarden-controller.effectiveAffinity" . }}
+      {{- if $effectiveAffinity }}
+      affinity: {{ $effectiveAffinity | nindent 8 }}
       {{- end }}
       {{- if .Values.global.tolerations }}
       tolerations: {{ .Values.global.tolerations | toYaml | nindent 8 }}
@@ -45,12 +46,19 @@ spec:
       {{- if .Values.global.priorityClassName }}
       priorityClassName: {{ .Values.global.priorityClassName | toYaml | nindent 8 }}
       {{- end }}
+      {{- if .Values.hostNetwork }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      {{- end }}
       containers:
       - name: controller
         args:
         - --leader-elect
         - --deployments-namespace={{ .Release.Namespace }}
         - --webhook-service-name={{ include "kubewarden-controller.fullname" . }}-webhook-service
+        - --webhook-server-port={{ .Values.ports.webhook }}
+        - --health-probe-bind-address=:{{ .Values.ports.healthProbe }}
+        - --metrics-bind-address=:{{ .Values.ports.metrics }}
         {{- if .Values.alwaysAcceptAdmissionReviewsOnDeploymentsNamespace }}
         - --always-accept-admission-reviews-on-deployments-namespace
         {{- end }}
@@ -62,6 +70,9 @@ spec:
        {{- if $imagePullSecretNames }}
         - --image-pull-secrets={{ $imagePullSecretNames }}
        {{- end }}
+       {{- if .Values.hostNetwork }}
+        - --host-network
+       {{- end }}
        {{- if or .Values.telemetry.metrics .Values.telemetry.tracing }}
        {{- if eq .Values.telemetry.mode "sidecar" }}
         - --enable-otel-sidecar
@@ -117,13 +128,13 @@ spec:
         livenessProbe:
           httpGet:
             path: /healthz
-            port: 8081
+            port: {{ .Values.ports.healthProbe }}
           initialDelaySeconds: 15
           periodSeconds: 20
         readinessProbe:
           httpGet:
             path: /readyz
-            port: 8081
+            port: {{ .Values.ports.healthProbe }}
           initialDelaySeconds: 5
           periodSeconds: 10
         {{- if and .Values.resources .Values.resources.controller }}
@@ -154,7 +165,7 @@ spec:
           readOnly: true
         {{- end }}
         ports:
-        - containerPort: 9443
+        - containerPort: {{ .Values.ports.webhook }}
           name: webhook-server
           protocol: TCP
       volumes:

charts/kubewarden-controller/templates/service.yaml

@@ -13,11 +13,11 @@ spec:
   {{- if .Values.telemetry.metrics }}
   - name: metrics
     port: 8080
-    targetPort: 8080
+    targetPort: {{ .Values.ports.metrics }}
   {{- end}}
   - name: https
     port: 8443
-    targetPort: https
+    targetPort: {{ .Values.ports.webhook }}
   selector:
     {{- include "kubewarden-controller.selectorLabels" . | nindent 4 }}
 ---
@@ -33,6 +33,6 @@ metadata:
 spec:
   ports:
   - port: 443
-    targetPort: 9443
+    targetPort: {{ .Values.ports.webhook }}
   selector:
 {{- include "kubewarden-controller.selectorLabels" . | nindent 4 }}

charts/kubewarden-controller/tests/host_network_test.yaml

@@ -0,0 +1,74 @@
+suite: host-network configuration
+templates:
+  - deployment.yaml
+tests:
+  - it: "should not set hostNetwork and should not pass --host-network flag by default"
+    asserts:
+      - notExists:
+          path: spec.template.spec.hostNetwork
+      - notExists:
+          path: spec.template.spec.dnsPolicy
+      - notContains:
+          path: spec.template.spec.containers[0].args
+          content: "--host-network"
+          any: true
+
+  - it: "should set hostNetwork, dnsPolicy and pass --host-network flag when hostNetwork is true"
+    set:
+      hostNetwork: true
+    asserts:
+      - equal:
+          path: spec.template.spec.hostNetwork
+          value: true
+      - equal:
+          path: spec.template.spec.dnsPolicy
+          value: ClusterFirstWithHostNet
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--host-network"
+
+  - it: "should inject required podAntiAffinity using controller selector labels when hostNetwork is true"
+    set:
+      hostNetwork: true
+    asserts:
+      - equal:
+          path: spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].topologyKey
+          value: kubernetes.io/hostname
+      - equal:
+          path: spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchLabels["app.kubernetes.io/name"]
+          value: kubewarden-controller
+      - exists:
+          path: spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchLabels["app.kubernetes.io/instance"]
+
+  - it: "should not inject podAntiAffinity when hostNetwork is false and no affinity is set"
+    asserts:
+      - notExists:
+          path: spec.template.spec.affinity
+
+  - it: "should use custom ports when overridden in values"
+    set:
+      ports.webhook: 10443
+      ports.healthProbe: 10081
+      ports.metrics: 10088
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].ports[0].containerPort
+          value: 10443
+      - equal:
+          path: spec.template.spec.containers[0].livenessProbe.httpGet.port
+          value: 10081
+      - equal:
+          path: spec.template.spec.containers[0].readinessProbe.httpGet.port
+          value: 10081
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content:
+            --webhook-server-port=10443
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content:
+            --health-probe-bind-address=:10081
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content:
+            --metrics-bind-address=:10088

charts/kubewarden-controller/tests/service_ports_test.yaml

@@ -0,0 +1,75 @@
+suite: service ports configuration
+templates:
+  - service.yaml
+tests:
+  - it: "should use default ports in services"
+    set:
+      telemetry.metrics: true
+    asserts:
+      # Webhook service
+      - equal:
+          path: spec.ports[0].port
+          value: 443
+        documentIndex: 1
+      - equal:
+          path: spec.ports[0].targetPort
+          value: 9443
+        documentIndex: 1
+      # Metrics service - metrics port
+      - equal:
+          path: spec.ports[0].port
+          value: 8080
+        documentIndex: 0
+      - equal:
+          path: spec.ports[0].targetPort
+          value: 8088
+        documentIndex: 0
+      # Metrics service - https port
+      - equal:
+          path: spec.ports[1].port
+          value: 8443
+        documentIndex: 0
+      - equal:
+          path: spec.ports[1].targetPort
+          value: 9443
+        documentIndex: 0
+
+  - it: "should use custom webhook port in both webhook and metrics services"
+    set:
+      ports.webhook: 10443
+      telemetry.metrics: true
+    asserts:
+      # Webhook service
+      - equal:
+          path: spec.ports[0].targetPort
+          value: 10443
+        documentIndex: 1
+      # Metrics service - https port
+      - equal:
+          path: spec.ports[1].targetPort
+          value: 10443
+        documentIndex: 0
+
+  - it: "should use custom metrics port in metrics service"
+    set:
+      ports.metrics: 10088
+      telemetry.metrics: true
+    asserts:
+      # Metrics service - metrics port
+      - equal:
+          path: spec.ports[0].targetPort
+          value: 10088
+        documentIndex: 0
+
+  - it: "should not include metrics port when telemetry is disabled"
+    set:
+      telemetry.metrics: false
+    asserts:
+      - equal:
+          path: spec.ports[0].name
+          value: https
+        documentIndex: 0
+      - equal:
+          path: spec.ports[0].port
+          value: 8443
+        documentIndex: 0

charts/kubewarden-controller/values.schema.json

@@ -108,6 +108,34 @@
         "fullnameOverride": {
             "type": "string"
         },
+        "hostNetwork": {
+            "type": "boolean",
+            "description": "Enables host network mode for the controller pod and all PolicyServer pods. WARNING: increases attack surface."
+        },
+        "ports": {
+            "type": "object",
+            "description": "Network ports used by the controller pod. Override these when hostNetwork is enabled to avoid conflicts with other workloads.",
+            "properties": {
+                "webhook": {
+                    "type": "integer",
+                    "minimum": 1,
+                    "maximum": 65535,
+                    "description": "Port the controller webhook server listens on."
+                },
+                "healthProbe": {
+                    "type": "integer",
+                    "minimum": 1,
+                    "maximum": 65535,
+                    "description": "Port for liveness and readiness probes."
+                },
+                "metrics": {
+                    "type": "integer",
+                    "minimum": 1,
+                    "maximum": 65535,
+                    "description": "Port for the Prometheus metrics endpoint."
+                }
+            }
+        },
         "global": {
             "type": "object",
             "properties": {

charts/kubewarden-controller/values.yaml

@@ -151,6 +151,23 @@ preDeleteHook:
 # evaluations that could interfere with the Kubewarden stack running in the
 # admission controller namespace.
 alwaysAcceptAdmissionReviewsOnDeploymentsNamespace: true
+# hostNetwork enables host network mode for the controller pod and all
+# PolicyServer pods managed by this controller.
+# WARNING: enabling this increases the attack surface by exposing webhook
+# endpoints on the host network and giving pods visibility of all node network
+# interfaces. Use only when the Kubernetes API server cannot reach pod-network
+# webhook endpoints (e.g. clusters using a non-VPC CNI with NAT).
+hostNetwork: false
+# ports configures the network ports used by the controller pod.
+# These are especially important when hostNetwork is enabled, because each port
+# is bound on the host network interface and must not clash with other workloads.
+ports:
+  # Port the controller webhook server listens on.
+  webhook: 9443
+  # Port for the controller liveness and readiness probes.
+  healthProbe: 8081
+  # Port for the controller Prometheus metrics endpoint.
+  metrics: 8088
 # Verbosity of logging. Can be one of 'debug', 'info', 'error'.
 logLevel: info
 # open-telemetry options

charts/kubewarden-defaults/templates/policyserver-default.yaml

@@ -77,4 +77,13 @@ spec:
   {{- if .Values.policyServer.securityContexts }}
   securityContexts: {{ toYaml .Values.policyServer.securityContexts | nindent 4 }}
   {{- end }}
+  {{- if .Values.policyServer.webhookPort }}
+  webhookPort: {{ .Values.policyServer.webhookPort }}
+  {{- end }}
+  {{- if .Values.policyServer.readinessProbePort }}
+  readinessProbePort: {{ .Values.policyServer.readinessProbePort }}
+  {{- end }}
+  {{- if .Values.policyServer.metricsPort }}
+  metricsPort: {{ .Values.policyServer.metricsPort }}
+  {{- end }}
 {{- end }}