refactor: add adm-controller prefix to built container image refs

jvanz · jvanz · commit 9422c6b24cd3 · 2026-04-30T12:38:54.000-03:00
Update all references to the 3 container images built by this repository
to use the new adm-controller path prefix, matching the images published
by CI with repository-prefix: adm-controller:

  ghcr.io/kubewarden/controller  → ghcr.io/kubewarden/adm-controller/controller
  ghcr.io/kubewarden/audit-scanner → ghcr.io/kubewarden/adm-controller/audit-scanner
  ghcr.io/kubewarden/policy-server → ghcr.io/kubewarden/adm-controller/policy-server

Policy and test images (ghcr.io/kubewarden/policies/*, tests/*) are not
built here and are left unchanged.

Assisted-by: Github Copilot
Signed-off-by: José Guilherme Vanz &lt;jguilhermevanz@suse.com&gt;
diff --git a/Makefile b/Makefile
@@ -13,7 +13,7 @@ GO_BUILD_ENV := CGO_ENABLED=0 GOOS=linux GOARCH=amd64
 ENVTEST_DIR ?= $(shell pwd)/.envtest
 
 REGISTRY ?= ghcr.io
-REPO ?= kubewarden
+REPO ?= kubewarden/adm-controller
 TAG ?= dev
 
 # Detect architecture for Rust builds
diff --git a/README.md b/README.md
@@ -75,7 +75,7 @@ To verify the attestation manifest and its layer signatures:
 ```shell
 cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com  \
     --certificate-identity="https://github.com/kubewarden/adm-controller/.github/workflows/attestation.yml@<TAG TO VERIFY>" \
-    ghcr.io/kubewarden/controller@sha256:1abc0944378d9f3ee2963123fe84d045248d320d76325f4c2d4eb201304d4c4e
+    ghcr.io/kubewarden/adm-controller/controller@sha256:1abc0944378d9f3ee2963123fe84d045248d320d76325f4c2d4eb201304d4c4e
 ```
 
 > [!NOTE]
@@ -89,7 +89,7 @@ like `crane`. For example, the following command will show you all the
 attestation manifests of the `latest` tag:
 
 ```shell
-crane manifest  ghcr.io/kubewarden/controller:latest | jq '.manifests[] | select(.annotations["vnd.docker.reference.type"]=="attestation-manifest")'
+crane manifest  ghcr.io/kubewarden/adm-controller/controller:latest | jq '.manifests[] | select(.annotations["vnd.docker.reference.type"]=="attestation-manifest")'
 {
   "mediaType": "application/vnd.oci.image.manifest.v1+json",
   "digest": "sha256:fc01fa6c82cffeffd23b737c7e6b153357d1e499295818dad0c7d207f64e6ee8",
@@ -124,9 +124,9 @@ layers signatures.
 ```shell
 cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com  \
     --certificate-identity="https://github.com/kubewarden/adm-controller/.github/workflows/attestation.yml@<TAG TO VERIFY>" \
-    ghcr.io/kubewarden/controller@sha256:fc01fa6c82cffeffd23b737c7e6b153357d1e499295818dad0c7d207f64e6ee8
+    ghcr.io/kubewarden/adm-controller/controller@sha256:fc01fa6c82cffeffd23b737c7e6b153357d1e499295818dad0c7d207f64e6ee8
 
-crane manifest  ghcr.io/kubewarden/controller@sha256:fc01fa6c82cffeffd23b737c7e6b153357d1e499295818dad0c7d207f64e6ee8
+crane manifest  ghcr.io/kubewarden/adm-controller/controller@sha256:fc01fa6c82cffeffd23b737c7e6b153357d1e499295818dad0c7d207f64e6ee8
 {
   "schemaVersion": 2,
   "mediaType": "application/vnd.oci.image.manifest.v1+json",
@@ -181,7 +181,7 @@ crane manifest  ghcr.io/kubewarden/controller@sha256:fc01fa6c82cffeffd23b737c7e6
 
 cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com  \
     --certificate-identity="https://github.com/kubewarden/adm-controller/.github/workflows/attestation.yml@<TAG TO VERIFY>" \
-    ghcr.io/kubewarden/controller@sha256:594da3e8bd8c6ee2682b0db35857933f9558fd98ec092344a6c1e31398082f4d
+    ghcr.io/kubewarden/adm-controller/controller@sha256:594da3e8bd8c6ee2682b0db35857933f9558fd98ec092344a6c1e31398082f4d
 ```
 
 Note that each attestation manifest (for each architecture) has its own layers.
@@ -190,7 +190,7 @@ Buildx during the multi stage build process. You can also use `crane` to
 download the attestation file:
 
 ```shell
-crane blob ghcr.io/kubewarden/controller@sha256:7738d8d506c6482aaaef1d22ed920468ffaf4975afd28f49bb50dba2c20bf2ca
+crane blob ghcr.io/kubewarden/adm-controller/controller@sha256:7738d8d506c6482aaaef1d22ed920468ffaf4975afd28f49bb50dba2c20bf2ca
 ```
 
 ## Security disclosure
diff --git a/api/policies/v1/factories.go b/api/policies/v1/factories.go
@@ -15,7 +15,7 @@ import (
 
 const (
 	integrationTestsFinalizer          = "kubewarden.io/integration-tests-safety-net-finalizer"
-	defaultKubewardenRepository        = "ghcr.io/kubewarden/policy-server"
+	defaultKubewardenRepository        = "ghcr.io/kubewarden/adm-controller/policy-server"
 	maxNameSuffixLength                = 8
 	defaultPolicyGroupRejectionMessage = "policy group default rejection message"
 )
diff --git a/charts/hauler_manifest.yaml b/charts/hauler_manifest.yaml
@@ -12,11 +12,11 @@ metadata:
     hauler.dev/certificate-oidc-issuer: https://token.actions.githubusercontent.com
 spec:
   images:
-    - name: ghcr.io/kubewarden/audit-scanner:v1.35.0
+    - name: ghcr.io/kubewarden/adm-controller/audit-scanner:v1.35.0
       certificate-identity-regexp: https://github.com/kubewarden/adm-controller/.github/workflows/release.yml@refs/tags/v1.35.0
-    - name: ghcr.io/kubewarden/controller:v1.35.0
+    - name: ghcr.io/kubewarden/adm-controller/controller:v1.35.0
       certificate-identity-regexp: https://github.com/kubewarden/adm-controller/.github/workflows/release.yml@refs/tags/v1.35.0
-    - name: ghcr.io/kubewarden/policy-server:v1.35.0
+    - name: ghcr.io/kubewarden/adm-controller/policy-server:v1.35.0
       certificate-identity-regexp: https://github.com/kubewarden/adm-controller/.github/workflows/release.yml@refs/tags/v1.35.0
 ---
 # The policies are in a separated definition just to allow a better keyless validation
diff --git a/charts/kubewarden-controller/README.md b/charts/kubewarden-controller/README.md
@@ -75,7 +75,7 @@ To verify the attestation manifest and its layer signatures:
 ```shell
 cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com  \
     --certificate-identity="https://github.com/kubewarden/adm-controller/.github/workflows/attestation.yml@<TAG TO VERIFY>" \
-    ghcr.io/kubewarden/controller@sha256:1abc0944378d9f3ee2963123fe84d045248d320d76325f4c2d4eb201304d4c4e
+    ghcr.io/kubewarden/adm-controller/controller@sha256:1abc0944378d9f3ee2963123fe84d045248d320d76325f4c2d4eb201304d4c4e
 ```
 
 > [!NOTE]
@@ -89,7 +89,7 @@ like `crane`. For example, the following command will show you all the
 attestation manifests of the `latest` tag:
 
 ```shell
-crane manifest  ghcr.io/kubewarden/controller:latest | jq '.manifests[] | select(.annotations["vnd.docker.reference.type"]=="attestation-manifest")'
+crane manifest  ghcr.io/kubewarden/adm-controller/controller:latest | jq '.manifests[] | select(.annotations["vnd.docker.reference.type"]=="attestation-manifest")'
 {
   "mediaType": "application/vnd.oci.image.manifest.v1+json",
   "digest": "sha256:fc01fa6c82cffeffd23b737c7e6b153357d1e499295818dad0c7d207f64e6ee8",
@@ -124,9 +124,9 @@ layers signatures.
 ```shell
 cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com  \
     --certificate-identity="https://github.com/kubewarden/adm-controller/.github/workflows/attestation.yml@<TAG TO VERIFY>" \
-    ghcr.io/kubewarden/controller@sha256:fc01fa6c82cffeffd23b737c7e6b153357d1e499295818dad0c7d207f64e6ee8
+    ghcr.io/kubewarden/adm-controller/controller@sha256:fc01fa6c82cffeffd23b737c7e6b153357d1e499295818dad0c7d207f64e6ee8
 
-crane manifest  ghcr.io/kubewarden/controller@sha256:fc01fa6c82cffeffd23b737c7e6b153357d1e499295818dad0c7d207f64e6ee8
+crane manifest  ghcr.io/kubewarden/adm-controller/controller@sha256:fc01fa6c82cffeffd23b737c7e6b153357d1e499295818dad0c7d207f64e6ee8
 {
   "schemaVersion": 2,
   "mediaType": "application/vnd.oci.image.manifest.v1+json",
@@ -181,7 +181,7 @@ crane manifest  ghcr.io/kubewarden/controller@sha256:fc01fa6c82cffeffd23b737c7e6
 
 cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com  \
     --certificate-identity="https://github.com/kubewarden/adm-controller/.github/workflows/attestation.yml@<TAG TO VERIFY>" \
-    ghcr.io/kubewarden/controller@sha256:594da3e8bd8c6ee2682b0db35857933f9558fd98ec092344a6c1e31398082f4d
+    ghcr.io/kubewarden/adm-controller/controller@sha256:594da3e8bd8c6ee2682b0db35857933f9558fd98ec092344a6c1e31398082f4d
 ```
 
 Note that each attestation manifest (for each architecture) has its own layers.
@@ -190,7 +190,7 @@ Buildx during the multi stage build process. You can also use `crane` to
 download the attestation file:
 
 ```shell
-crane blob ghcr.io/kubewarden/controller@sha256:7738d8d506c6482aaaef1d22ed920468ffaf4975afd28f49bb50dba2c20bf2ca
+crane blob ghcr.io/kubewarden/adm-controller/controller@sha256:7738d8d506c6482aaaef1d22ed920468ffaf4975afd28f49bb50dba2c20bf2ca
 ```
 
 ## Security disclosure
diff --git a/charts/kubewarden-controller/values.yaml b/charts/kubewarden-controller/values.yaml
@@ -217,7 +217,7 @@ telemetry:
 image:
   # The registry is defined in the global.cattle.systemDefaultRegistry value
   # controller image to be used
-  repository: "kubewarden/controller"
+  repository: "kubewarden/adm-controller/controller"
   # image tag
   tag: v1.35.0
   pullPolicy: IfNotPresent
@@ -295,7 +295,7 @@ auditScanner:
   image:
     # The registry is defined in the common.cattle.systemDefaultRegistry value
     # kubectl image to be used in the pre-delete helm hook
-    repository: "kubewarden/audit-scanner"
+    repository: "kubewarden/adm-controller/audit-scanner"
     tag: v1.35.0
     pullPolicy: IfNotPresent
   cronJob:
diff --git a/e2e/main_test.go b/e2e/main_test.go
@@ -24,9 +24,9 @@ var (
 	testenv           env.Environment
 	kindClusterName   string
 	namespace         = "kubewarden"
-	controllerImage   = "ghcr.io/kubewarden/controller:dev"
-	auditScannerImage = "ghcr.io/kubewarden/audit-scanner:dev"
-	policyServerImage = "ghcr.io/kubewarden/policy-server:dev"
+	controllerImage   = "ghcr.io/kubewarden/adm-controller/controller:dev"
+	auditScannerImage = "ghcr.io/kubewarden/adm-controller/audit-scanner:dev"
+	policyServerImage = "ghcr.io/kubewarden/adm-controller/policy-server:dev"
 )
 
 func TestMain(m *testing.M) {
diff --git a/scripts/test-sigstore-e2e.sh b/scripts/test-sigstore-e2e.sh
@@ -29,7 +29,7 @@
 #                         configuration. Skips policy deployment and webhook evaluation.
 #   --policy-server-image Full image reference (repository:tag) for the policy-server.
 #                         Overrides the default image in charts/kubewarden-defaults.
-#                         Example: --policy-server-image ghcr.io/kubewarden/policy-server:dev
+#                         Example: --policy-server-image ghcr.io/kubewarden/adm-controller/policy-server:dev
 #
 # Tools required (per stage):
 #   All stages:  kubectl, jq
diff --git a/updatecli/values/artifacts.yaml b/updatecli/values/artifacts.yaml
@@ -13,17 +13,17 @@ ociArtifacts:
   # image defined in the release process
   - file: "charts/kubewarden-controller/values.yaml"
     key: "$.image.tag"
-    image: "ghcr.io/kubewarden/controller"
+    image: "ghcr.io/kubewarden/adm-controller/controller"
     workflowUrl: "https://github.com/kubewarden/adm-controller/.github/workflows/release.yml@refs/tags"
     skipVersionFromRegistry: true
   - file: "charts/kubewarden-controller/values.yaml"
     key: "$.auditScanner.image.tag"
-    image: "ghcr.io/kubewarden/audit-scanner"
+    image: "ghcr.io/kubewarden/adm-controller/audit-scanner"
     workflowUrl: "https://github.com/kubewarden/adm-controller/.github/workflows/release.yml@refs/tags"
     skipVersionFromRegistry: true
   - file: "charts/kubewarden-defaults/values.yaml"
     key: "$.policyServer.image.tag"
-    image: "ghcr.io/kubewarden/policy-server"
+    image: "ghcr.io/kubewarden/adm-controller/policy-server"
     workflowUrl: "https://github.com/kubewarden/adm-controller/.github/workflows/release.yml@refs/tags"
     skipVersionFromRegistry: true
   # Policies
@@ -75,15 +75,15 @@ kubewardenContainerImage:
   - name: "controller"
     file: "charts/kubewarden-controller/values.yaml"
     key: "$.image.tag"
-    image: "ghcr.io/kubewarden/controller"
+    image: "ghcr.io/kubewarden/adm-controller/controller"
     workflowUrl: "https://github.com/kubewarden/adm-controller/.github/workflows/release.yml@refs/tags"
   - name: "auditScanner"
     file: "charts/kubewarden-controller/values.yaml"
     key: "$.auditScanner.image.tag"
-    image: "ghcr.io/kubewarden/audit-scanner"
+    image: "ghcr.io/kubewarden/adm-controller/audit-scanner"
     workflowUrl: "https://github.com/kubewarden/audit-scanner/.github/workflows/release.yml@refs/tags"
   - name: "policyServer"
     file: "charts/kubewarden-defaults/values.yaml"
     key: "$.policyServer.image.tag"
-    image: "ghcr.io/kubewarden/policy-server"
+    image: "ghcr.io/kubewarden/adm-controller/policy-server"
     workflowUrl: "https://github.com/kubewarden/policy-server/.github/workflows/release.yml@refs/tags"

Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ import (`
`15`	`15`
`16`	`16`	`const (`
`17`	`17`	`integrationTestsFinalizer = "kubewarden.io/integration-tests-safety-net-finalizer"`
`18`		`- defaultKubewardenRepository = "ghcr.io/kubewarden/policy-server"`
	`18`	`+ defaultKubewardenRepository = "ghcr.io/kubewarden/adm-controller/policy-server"`
`19`	`19`	`maxNameSuffixLength = 8`
`20`	`20`	`defaultPolicyGroupRejectionMessage = "policy group default rejection message"`
`21`	`21`	`)`
Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@`
`29`	`29`	`# configuration. Skips policy deployment and webhook evaluation.`
`30`	`30`	`# --policy-server-image Full image reference (repository:tag) for the policy-server.`
`31`	`31`	`# Overrides the default image in charts/kubewarden-defaults.`
`32`		`-# Example: --policy-server-image ghcr.io/kubewarden/policy-server:dev`
	`32`	`+# Example: --policy-server-image ghcr.io/kubewarden/adm-controller/policy-server:dev`
`33`	`33`	`#`
`34`	`34`	`# Tools required (per stage):`
`35`	`35`	`# All stages: kubectl, jq`