chore(charts): automate CRD and RBAC manifest post-processing

Add scripts/post-generate-manifests.sh to post-process controller-gen
output. It renames CRD files from the default
policies.kubewarden.io_RESOURCE.yaml format to RESOURCE.yaml directly
into charts/kubewarden-crds/templates/. Also it injects Helm template
labels and annotations into each resource in controller-rbac-roles.yaml
to match the conventions used by the rest of the chart.

Update the Makefile manifests target to output CRDs directly into
charts/kubewarden-crds/templates/ and invoke the post-processing script
automatically.

Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

Author: jvanz

Makefile

@@ -145,11 +145,12 @@ generate-controller: manifests  ## Generate code containing DeepCopy, DeepCopyIn
 	$(GO_BUILD_ENV) $(CONTROLLER_GEN) object paths="./api/policies/v1"
 
 .PHONY: manifests
-manifests: ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. We use yq to modify the generated files to match our naming and labels conventions.
-	$(GO_BUILD_ENV) $(CONTROLLER_GEN) rbac:roleName=controller-role,fileName=controller-rbac-roles.yaml,roleName=kubewarden-controller-manager crd webhook \
+manifests: ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
+	$(GO_BUILD_ENV) $(CONTROLLER_GEN) rbac:roleName=kubewarden-controller-manager,fileName=controller-rbac-roles.yaml crd webhook \
 			paths="./api/policies/v1"  paths="./internal/controller" paths="./cmd/controller" \
-			output:crd:artifacts:config=config/crd/bases \
-			output:rbac:artifacts:config=charts/kubewarden-controller/templates \
+			output:crd:artifacts:config=charts/kubewarden-crds/templates \
+			output:rbac:artifacts:config=charts/kubewarden-controller/templates
+	./scripts/post-generate-manifests.sh
 
 .PHONY: generate-chart
 generate-chart: ## Generate Helm chart values schema.

charts/kubewarden-controller/templates/NOTES.txt

@@ -4,6 +4,24 @@ You can now start defining admission policies by using the cluster-wide
 
 For more information check out https://docs.kubewarden.io.
 
+{{- if (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "kubewarden-controller-manager-cluster-role") }}
+⚠️  **Upgrade notice: RBAC resource consolidation**
+
+Starting with this release, all controller RBAC permissions have been
+consolidated into a single ClusterRole and a single Role, simplifying the
+permission model. The following resources from previous versions are no longer
+used and should be manually deleted after a successful upgrade:
+
+  kubectl delete clusterrole kubewarden-controller-manager-cluster-role
+  kubectl delete clusterrole kubewarden-controller-proxy-role
+  kubectl delete clusterrolebinding kubewarden-controller-manager-cluster-role
+  kubectl delete clusterrolebinding kubewarden-controller-proxy-rolebinding
+  kubectl delete rolebinding kubewarden-controller-leader-election-rolebinding -n {{ .Release.Namespace }}
+  kubectl delete rolebinding kubewarden-controller-manager-namespaced-rolebinding -n {{ .Release.Namespace }}
+  kubectl delete role kubewarden-controller-leader-election-role -n {{ .Release.Namespace }}
+  kubectl delete role kubewarden-controller-manager-namespaced-role -n {{ .Release.Namespace }}
+{{- end }}
+
 
 🚀 **Kubewarden is applying to become a CNCF incubation project!** 🚀  
 

charts/kubewarden-controller/templates/controller-rbac-extras.yaml

@@ -1,3 +1,39 @@
+# This ClusterRole grants read access to the /metrics endpoint.
+# It is not generated by controller-gen because nonResourceURLs cannot be
+# expressed via kubebuilder RBAC markers in a way that keeps it in a separate
+# ClusterRole. It is maintained manually to preserve a dedicated role for
+# metrics scraping (e.g., by Prometheus).
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kubewarden-controller-manager-metrics-reader
+  labels:
+    {{- include "kubewarden-controller.labels" . | nindent 4 }}
+  annotations:
+    {{- include "kubewarden-controller.annotations" . | nindent 4 }}
+rules:
+- nonResourceURLs:
+  - /metrics
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubewarden-controller-metrics-reader
+  labels:
+    {{- include "kubewarden-controller.labels" . | nindent 4 }}
+  annotations:
+    {{- include "kubewarden-controller.annotations" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubewarden-controller-manager-metrics-reader
+subjects:
+- kind: ServiceAccount
+  name: {{ include "kubewarden-controller.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -19,7 +55,7 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: kubewarden-controller-manager-cluster-role
+  name: kubewarden-controller-manager
   labels:
     {{- include "kubewarden-controller.labels" . | nindent 4 }}
   annotations:

charts/kubewarden-controller/templates/controller-rbac-roles.yaml

@@ -3,6 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: kubewarden-controller-manager
+  labels:
+    {{- include "kubewarden-controller.labels" . | nindent 4 }}
+  annotations:
+    {{- include "kubewarden-controller.annotations" . | nindent 4 }}
 rules:
 - apiGroups:
   - admissionregistration.k8s.io
@@ -70,12 +74,15 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: kubewarden-controller-manager
-  namespace: kubewarden
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "kubewarden-controller.labels" . | nindent 4 }}
+  annotations:
+    {{- include "kubewarden-controller.annotations" . | nindent 4 }}
 rules:
 - apiGroups:
   - ""
   resources:
-  - configmap
   - configmaps
   - secrets
   - services
@@ -90,7 +97,7 @@ rules:
 - apiGroups:
   - ""
   resources:
-  - event
+  - events
   verbs:
   - create
   - patch

charts/kubewarden-crds/templates/admissionpolicies.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:

charts/kubewarden-crds/templates/admissionpolicygroups.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:

charts/kubewarden-crds/templates/policyservers.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -1641,7 +1642,7 @@ spec:
                   Name of SigstoreTrustConfig configmap in the kubewarden namespace (same
                   namespace as the controller deployment), containing Sigstore trust
                   configuration (ClientTrustConfig JSON). The configuration must be under a
-                  key named sigstore-trust-config in the Configmap. This is used to configure
+                  key named sigstore-trust-config in the ConfigMap. This is used to configure
                   a custom Sigstore instance instead of the default public Sigstore infrastructure.
                   WARNING: This feature requires strict access control. Users with write access
                   to this ConfigMap can influence policy signature verification.

scripts/post-generate-manifests.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+# Post-processing script for controller-gen output.
+#
+# This script:
+# 1. Renames CRD files generated by controller-gen from the default
+#    "policies.kubewarden.io_RESOURCE.yaml" format to "RESOURCE.yaml",
+#    as expected by the charts/kubewarden-crds Helm chart.
+# 2. Injects Helm template labels and annotations into each resource in
+#    controller-rbac-roles.yaml to match the rest of the chart templates.
+#
+# Usage: called automatically from "make manifests"
+
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+CRD_CHART_DIR="${REPO_ROOT}/charts/kubewarden-crds/templates"
+RBAC_FILE="${REPO_ROOT}/charts/kubewarden-controller/templates/controller-rbac-roles.yaml"
+
+# ── 1. Rename CRD files ──────────────────────────────────────────────────────
+echo "Renaming CRD files in ${CRD_CHART_DIR}..."
+for src in "${CRD_CHART_DIR}"/policies.kubewarden.io_*.yaml; do
+    [[ -e "${src}" ]] || continue
+    filename="$(basename "${src}")"
+    dest="${CRD_CHART_DIR}/${filename#policies.kubewarden.io_}"
+    mv "${src}" "${dest}"
+    echo "  ${filename} -> $(basename "${dest}")"
+done
+
+# ── 2. Inject Helm labels/annotations into controller-rbac-roles.yaml ────────
+# Guard: skip injection if labels are already present (idempotency)
+if grep -q 'kubewarden-controller.labels' "${RBAC_FILE}"; then
+    echo "Labels already present in ${RBAC_FILE}, skipping injection."
+else
+echo "Injecting Helm labels and annotations into ${RBAC_FILE}..."
+
+# Use awk to insert labels/annotations after each "  name: ..." line that
+# appears inside a metadata block. We detect a metadata block by looking for
+# the line "^metadata:" and then find the "  name:" line within it.
+# If a "  namespace:" line follows name, it is emitted before labels.
+awk '
+/^metadata:$/ { in_metadata = 1 }
+!in_metadata  { print; next }
+/^  name:/    {
+    name_line = $0
+    in_name = 1
+    next
+}
+in_name && /^  namespace:/ {
+    print name_line
+    print
+    print "  labels:"
+    print "    {{- include \"kubewarden-controller.labels\" . | nindent 4 }}"
+    print "  annotations:"
+    print "    {{- include \"kubewarden-controller.annotations\" . | nindent 4 }}"
+    in_metadata = 0
+    in_name = 0
+    next
+}
+in_name {
+    print name_line
+    print "  labels:"
+    print "    {{- include \"kubewarden-controller.labels\" . | nindent 4 }}"
+    print "  annotations:"
+    print "    {{- include \"kubewarden-controller.annotations\" . | nindent 4 }}"
+    in_metadata = 0
+    in_name = 0
+    print
+    next
+}
+{ print }
+' "${RBAC_FILE}" > "${RBAC_FILE}.tmp"
+
+mv "${RBAC_FILE}.tmp" "${RBAC_FILE}"
+
+# ── 3. Replace hardcoded namespace with Helm template expression ─────────────
+echo "Replacing hardcoded namespace in ${RBAC_FILE}..."
+sed -i 's/  namespace: kubewarden/  namespace: {{ .Release.Namespace }}/' "${RBAC_FILE}"
+echo "  Done."
+fi