refactor(charts): Change generation of RBAC templates

.github/workflows/autolabeler.yml

@@ -2,6 +2,7 @@ name: Auto label
 
 on:
   pull_request:
+    # Only following types are handled by the action, but one can default to all as well
     types: [opened, reopened, synchronize, edited]
 
 permissions: {}
@@ -11,8 +12,8 @@ jobs:
     # Skip fork PRs — the GITHUB_TOKEN is read-only and cannot add labels
     if: github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
     permissions:
-      pull-requests: write
       contents: read
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - uses: release-drafter/release-drafter/autolabeler@139054aeaa9adc52ab36ddf67437541f039b88e2 # v7.1.1

.github/workflows/ci.yml

@@ -462,14 +462,31 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-
       - name: enable git long paths on Windows
         if: matrix.os == 'windows-latest'
         run: git config --global core.longpaths true
 
       - name: Run cargo check
         run: make -C crates/kwctl check
 
+  check-manifests:
+    name: Check if the controller-gen generated manifests are up to date
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        with:
+          go-version: "1.26"
+          check-latest: true
+      - run: |
+          make manifests
+          if ! git diff --quiet -- charts/; then
+            echo "Changes detected in charts/. Please run 'make manifests' and commit the changes."
+            exit 1
+          fi
+
   # Rollup job for branch protection - single stable job name that depends on all checks
   ci-success:
     name: CI Success
@@ -496,6 +513,7 @@ jobs:
       - validate-hauler-manifest
       - kwctl-docs
       - check-kwctl-cross-platform
+      - check-manifests
     runs-on: ubuntu-latest
     steps:
       - name: Check all jobs status

.github/workflows/e2e-tests.yml

@@ -102,7 +102,7 @@ jobs:
           persist-credentials: false
 
       - name: "Install kwctl"
-        uses: kubewarden/github-actions/kwctl-installer@f301a7874dd642510fff54a89e4329881bf871ef # v4.6.0
+        uses: kubewarden/github-actions/kwctl-installer@a03315e95ccf85c92e5d472824edeab0704f857b # v4.6.1
         with:
           KWCTL_VERSION: latest
 

Makefile

@@ -47,6 +47,7 @@ test-rust:
 .PHONY: helm-unittest
 helm-unittest:
 	helm unittest charts/kubewarden-controller --file "tests/**/*_test.yaml"
+	helm unittest charts/kubewarden-crds --file "tests/**/*_test.yaml"
 
 .PHONY: test-e2e
 test-e2e: controller-image audit-scanner-image policy-server-image
@@ -146,8 +147,13 @@ generate-controller: manifests  ## Generate code containing DeepCopy, DeepCopyIn
 	$(GO_BUILD_ENV) $(CONTROLLER_GEN) object paths="./api/policies/v1"
 
 .PHONY: manifests
-manifests: ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. We use yq to modify the generated files to match our naming and labels conventions.
-	$(GO_BUILD_ENV) $(CONTROLLER_GEN) rbac:roleName=controller-role crd webhook paths="./api/policies/v1"  paths="./internal/controller" output:crd:artifacts:config=config/crd/bases output:rbac:artifacts:config=config/rbac
+manifests: ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
+	$(GO_BUILD_ENV) $(CONTROLLER_GEN) rbac:roleName=kubewarden-controller-manager,fileName=controller-rbac-roles.yaml crd webhook \
+			paths="./api/policies/v1"  paths="./internal/controller" paths="./cmd/controller" \
+			output:crd:artifacts:config=charts/kubewarden-crds/templates \
+			output:rbac:artifacts:config=charts/kubewarden-controller/templates
+	sed -i '/^metadata:/a\  labels:\n    {{- include "kubewarden-controller.labels" . | nindent 4 }}\n  annotations:\n    {{- include "kubewarden-controller.annotations" . | nindent 4 }}' charts/kubewarden-controller/templates/controller-rbac-roles.yaml
+	sed -i 's/  namespace: kubewarden/  namespace: {{ .Release.Namespace }}/' charts/kubewarden-controller/templates/controller-rbac-roles.yaml
 
 .PHONY: generate-chart
 generate-chart: ## Generate Helm chart values schema.

api/policies/v1/policyserver_types.go

@@ -91,7 +91,7 @@ type PolicyServerSpec struct {
 	// Name of VerificationConfig configmap in the kubewarden namespace (same
 	// namespace as the controller deployment), containing Sigstore verification
 	// configuration. The configuration must be under a key named
-	// verification-config in the Configmap.
+	// verification-config in the ConfigMap.
 	// +optional
 	VerificationConfig string `json:"verificationConfig,omitempty"`
 

charts/kubewarden-controller/templates/NOTES.txt

@@ -4,7 +4,6 @@ You can now start defining admission policies by using the cluster-wide
 
 For more information check out https://docs.kubewarden.io.
 
-
 🚀 **Kubewarden is applying to become a CNCF incubation project!** 🚀  
 
 If you'd like to support us, we'd love to hear from you as one of our adopters. 

charts/kubewarden-controller/templates/audit-scanner-role.yaml

@@ -0,0 +1,55 @@
+{{- if eq .Values.auditScanner.serviceAccountName  "audit-scanner" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: audit-scanner-cluster-role
+  labels:
+    {{- include "kubewarden-controller.labels" . | nindent 4 }}
+  annotations:
+    {{- include "kubewarden-controller.annotations" . | nindent 4 }}
+rules:
+- apiGroups:
+  - policies.kubewarden.io
+  resources:
+  - clusteradmissionpolicies
+  - clusteradmissionpolicygroups
+  - admissionpolicies
+  - admissionpolicygroups
+  - clusteradmissionpolicies/status
+  - clusteradmissionpolicygroups/status
+  - admissionpolicies/status
+  - admissionpolicygroups/status
+  - policyservers
+  - policyservers/status
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+    - wgpolicyk8s.io
+  resources:
+    - policyreports
+    - clusterpolicyreports
+  verbs:
+    - create
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
+- apiGroups:
+    - openreports.io
+  resources:
+    - reports
+    - clusterreports
+  verbs:
+    - create
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
+{{ end }}

charts/kubewarden-controller/templates/audit-scanner-rolebinding.yaml

@@ -0,0 +1,36 @@
+{{- if eq .Values.auditScanner.serviceAccountName  "audit-scanner" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: audit-scanner-cluster-role-viewer
+  labels:
+    {{- include "kubewarden-controller.labels" . | nindent 4 }}
+  annotations:
+    {{- include "kubewarden-controller.annotations" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: view
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.auditScanner.serviceAccountName }}
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: audit-scanner-cluster-role
+  labels:
+    {{- include "kubewarden-controller.labels" . | nindent 4 }}
+  annotations:
+    {{- include "kubewarden-controller.annotations" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: audit-scanner-cluster-role
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.auditScanner.serviceAccountName }}
+  namespace: {{ .Release.Namespace }}
+{{ end }}

charts/kubewarden-controller/templates/controller-rbac-metrics-role.yaml

@@ -0,0 +1,18 @@
+# This ClusterRole grants read access to the /metrics endpoint.
+# It is not generated by controller-gen because nonResourceURLs cannot be
+# expressed via kubebuilder RBAC markers in a way that keeps it in a separate
+# ClusterRole. It is maintained manually to preserve a dedicated role for
+# metrics scraping (e.g., by Prometheus).
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kubewarden-controller-metrics-reader
+  labels:
+    {{- include "kubewarden-controller.labels" . | nindent 4 }}
+  annotations:
+    {{- include "kubewarden-controller.annotations" . | nindent 4 }}
+rules:
+- nonResourceURLs:
+  - /metrics
+  verbs:
+  - get

charts/kubewarden-controller/templates/controller-rbac-rolebinding.yaml

@@ -0,0 +1,35 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: kubewarden-controller-manager
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "kubewarden-controller.labels" . | nindent 4 }}
+  annotations:
+    {{- include "kubewarden-controller.annotations" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: kubewarden-controller-manager
+subjects:
+- kind: ServiceAccount
+  name: {{ include "kubewarden-controller.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubewarden-controller-manager
+  labels:
+    {{- include "kubewarden-controller.labels" . | nindent 4 }}
+  annotations:
+    {{- include "kubewarden-controller.annotations" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubewarden-controller-manager
+subjects:
+- kind: ServiceAccount
+  name: {{ include "kubewarden-controller.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}