chore(charts): controller-gen output file into charts.

Updates the controller-gen command used to generated the RBAC manifests
into the charts/kubewarden-controller directory. This commit also adds
the kubebuilder markers to add the missing permissions in the controller
roles that was added using manully created roles definitions.

Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

Author: jvanz

Makefile

@@ -146,7 +146,10 @@ generate-controller: manifests  ## Generate code containing DeepCopy, DeepCopyIn
 
 .PHONY: manifests
 manifests: ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. We use yq to modify the generated files to match our naming and labels conventions.
-	$(GO_BUILD_ENV) $(CONTROLLER_GEN) rbac:roleName=controller-role crd webhook paths="./api/policies/v1"  paths="./internal/controller" output:crd:artifacts:config=config/crd/bases output:rbac:artifacts:config=config/rbac
+	$(GO_BUILD_ENV) $(CONTROLLER_GEN) rbac:roleName=controller-role,fileName=controller-rbac-roles.yaml,roleName=kubewarden-controller-manager crd webhook \
+			paths="./api/policies/v1"  paths="./internal/controller" paths="./cmd/controller" \
+			output:crd:artifacts:config=config/crd/bases \
+			output:rbac:artifacts:config=charts/kubewarden-controller/templates \
 
 .PHONY: generate-chart
 generate-chart: ## Generate Helm chart values schema.

charts/kubewarden-controller/templates/controller-rbac-roles.yaml

@@ -3,10 +3,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: kubewarden-controller-manager
-  labels:
-    {{- include "kubewarden-controller.labels" . | nindent 4 }}
-  annotations:
-    {{- include "kubewarden-controller.annotations" . | nindent 4 }}
 rules:
 - apiGroups:
   - admissionregistration.k8s.io
@@ -74,11 +70,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: kubewarden-controller-manager
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "kubewarden-controller.labels" . | nindent 4 }}
-  annotations:
-    {{- include "kubewarden-controller.annotations" . | nindent 4 }}
+  namespace: kubewarden
 rules:
 - apiGroups:
   - ""

cmd/controller/main.go

@@ -53,6 +53,15 @@ import (
 	//+kubebuilder:scaffold:imports
 )
 
+// Kubewarden controller required permissiions
+//
+//+kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;watch;create;update;patch;delete,namespace="kubewarden"
+//+kubebuilder:rbac:groups="",resources=configmap,verbs=get;list;watch;create;update;patch;delete,namespace="kubewarden"
+//+kubebuilder:rbac:groups="",resources=event,verbs=create;patch,namespace="kubewarden"
+//+kubebuilder:rbac:groups="",resources=event,verbs=create;patch,namespace="kubewarden"
+//+kubebuilder:rbac:groups=authentication.k8s.io,resources=tokenreviews,verbs=create
+//+kubebuilder:rbac:groups=authorization.k8s.io,resources=subjectaccessreviews,verbs=create
+
 //nolint:gochecknoglobals // Following the kubebuilder pattern
 var (
 	scheme   = runtime.NewScheme()