refactor(charts): Change generation of RBAC templates

[jvanz]

Description

Updates the controller-gen command used to generated the RBAC manifests into the charts/kubewarden-controller directory. This commit also adds the kubebuilder markers to add the missing permissions in the controller roles that was added using manully created roles definitions.

Fix #1483

[codecov]

Codecov Report

❌ Patch coverage is 14.28571% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 75.52%. Comparing base (300ffd9) to head (de6d5f6).
⚠️ Report is 10 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/controller/policyserver_controller.go	0.00%	4 Missing and 4 partials ⚠️
internal/controller/policy_subreconciler.go	33.33%	3 Missing and 1 partial ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1520   +/-   ##
=======================================
  Coverage   75.52%   75.52%           
=======================================
  Files         170      170           
  Lines       20902    20898    -4     
=======================================
- Hits        15786    15783    -3     
+ Misses       4904     4902    -2     
- Partials      212      213    +1     

Flag	Coverage Δ
go-tests	57.49% <14.28%> (-0.04%)	⬇️
rust-tests	80.45% <ø> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[flavio]

Also, I got a bit confused by the names:

• charts/kubewarden-controller/templates/controller-rbac-roles.yaml: this holds all the roles (cluster and not)
• charts/kubewarden-controller/templates/controller-rbac-extras.yaml: this holds all the roles bindings and one ClusterRole
• charts/kubewarden-controller/templates/audit-scanner-rbac.yaml: contains roles and bindings

I would like, if possible, to end up with something like sbomscanner:

• a file with roles
• a file with rolebindings

In our case we would have 4 files:

• audit-scanner-role.yaml
• audit-scanner-rolebinding.yaml
• controller-role.yaml
• controller-rolebinding.yaml

[jvanz]

Also, I got a bit confused by the names:

* `charts/kubewarden-controller/templates/controller-rbac-roles.yaml`: this holds all the roles (cluster and not)

* `charts/kubewarden-controller/templates/controller-rbac-extras.yaml`: this holds all the roles bindings and one `ClusterRole`

* `charts/kubewarden-controller/templates/audit-scanner-rbac.yaml`: contains roles and bindings

I would like, if possible, to end up with something like sbomscanner:

* a file with [roles](https://github.com/kubewarden/sbomscanner/blob/main/charts/sbomscanner/templates/controller/role.yaml)

* a file with [rolebindings](https://github.com/kubewarden/sbomscanner/blob/main/charts/sbomscanner/templates/controller/rolebinding.yaml)

In our case we would have 4 files:

* `audit-scanner-role.yaml`

* `audit-scanner-rolebinding.yaml`

* `controller-role.yaml`

* `controller-rolebinding.yaml`

I'm fine splitting role and rolebindings. I actually did that while I was working on this PR. But I've changed that because I would like to avoid two role files. The controller-rbac-roles.yaml has the roles generated by the controller-gen. It's overwritten every time we run make manifests. Then, instead of having two role files, one for the controller-gen output and another to the "metrics-reader" role, I've decided to rename the file to controller-rbac-extras.yaml. Where it has all the rolebindings and one additional role. Therefore, I avoid more custom code to merge all the roles into a single file.

[Copilot]

Pull request overview

Copilot reviewed 26 out of 28 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 28 out of 30 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 29 out of 31 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

make manifests now writes CRDs/RBAC into the Helm charts, but it no longer updates the existing kubebuilder/kustomize manifests under config/crd/bases and config/rbac (which are still referenced by config/**/kustomization.yaml). This can leave the kustomize install path stale/out-of-sync (e.g., config/rbac/role.yaml still lacks the webhook get verb). Either keep generating to config/ as well, or remove/deprecate the config/ kustomize overlays to avoid drift.

Suggested change

	paths="./api/policies/v1" paths="./internal/controller" paths="./cmd/controller" \
	output:crd:artifacts:config=charts/kubewarden-crds/templates \
	paths="./api/policies/v1" paths="./internal/controller" paths="./cmd/controller" \
	output:crd:artifacts:config=config/crd/bases \
	output:crd:artifacts:config=charts/kubewarden-crds/templates \
	output:rbac:artifacts:config=config/rbac \

[jvanz]

We plan to remove the config directory in the future. So, we can ignore this comment for now.

[viccuad]

LGTM!