refactor: supress usage of kustomize in build (#5691)

* refactor: supress usage of kustomize in build (part 1)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* e2e

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* e2e

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* e2e

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* clean

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* labels

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* simplify templating flags

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

.github/workflows/e2e.yaml

@@ -32,23 +32,18 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
-
       - name: Unshallow
         run: git fetch --prune --unshallow
-
       - name: Set up Go 
         uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
         with:
           go-version: ~1.18.6
-
       - name: Set up Helm
         uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
         with:
           version: v3.5.0
-
       - name: Set up chart-testing
         uses: helm/chart-testing-action@afea100a513515fbd68b0e72a7bb0ae34cb62aec # v2.3.1
-
       - name: Cache Go modules
         uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # pin@v3
         with:
@@ -58,22 +53,23 @@ jobs:
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
           restore-keys: |
             ${{ runner.os }}-go-
-
+      - name: Create kind cluster
-      - name: Create dev images, kind cluster and setup kustomize
         run: |
           export KIND_IMAGE=kindest/node:${{ matrix.k8s-version }}
-          make create-e2e-infrastructure
+          make kind-create-cluster
-
+      - name: Build and load dev images in kind cluster
-      - name: e2e testing
+        run: make kind-load-all
+      - name: Run e2e tests
         run: |
           echo ">>> Install Kyverno"
-          cat ${GITHUB_WORKSPACE}/config/install.yaml | \
+          make codegen-manifest-e2e
-          sed -e 's/imagePullPolicy:.*$/imagePullPolicy: IfNotPresent/g' | \
+          cat ${GITHUB_WORKSPACE}/.manifest/e2e.yaml \
-          kubectl create -f -
+            | sed -e 's/imagePullPolicy:.*$/imagePullPolicy: IfNotPresent/g' \
-          kubectl apply -f ${GITHUB_WORKSPACE}/config/github/rbac.yaml
+            | kubectl apply --server-side -f -
+          kubectl apply -f ${GITHUB_WORKSPACE}/config/e2e/rbac.yaml
+          echo ">>> Check kyverno"
           chmod a+x ${GITHUB_WORKSPACE}/scripts/verify-deployment.sh
           sleep 50
-          echo ">>> Check kyverno"
           kubectl get pods -n kyverno
           ${GITHUB_WORKSPACE}/scripts/verify-deployment.sh -n kyverno  kyverno
           sleep 20
@@ -81,8 +77,8 @@ jobs:
           kubectl port-forward svc/kyverno-svc-metrics -n kyverno 8000:8000 &
           echo ">>> Run Kyverno e2e test"
           make test-e2e
-          kubectl delete -f ${GITHUB_WORKSPACE}/config/install.yaml
+          echo ">>> Cleanup"
-
+          kubectl delete -f ${GITHUB_WORKSPACE}/.manifest/e2e.yaml
       - name: Debug failure
         if: failure()
         run: |

.github/workflows/release.yaml

@@ -135,13 +135,13 @@ jobs:
           cosign-release: 'v1.13.0'
 
       - name: Build yaml manifest
-        run: make codegen-release
+        run: make codegen-manifest-release
 
       - name: Upload yaml manifest
         uses: svenstaro/upload-release-action@133984371c30d34e38222a64855679a414cb7575 # pin@v2
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
-          file: config/.release/install.yaml
+          file: .manifest/release.yaml
           asset_name: install.yaml
           tag: ${{ github.ref }}
 
@@ -158,7 +158,7 @@ jobs:
         run: |
           set -e
           mkdir -p config/.release-manifests
-          cp config/.release/install.yaml config/.release-manifests/install.yaml
+          cp .manifest/release.yaml config/.release-manifests/install.yaml
           cd config/.release-manifests/ && \
           flux push artifact oci://ghcr.io/${{ github.repository_owner }}/manifests/kyverno:${{ steps.version.outputs.version }} \
             --path="." \

.gitignore

@@ -15,3 +15,4 @@ cmd/cleanup-controller/cleanup-controller
 /config/.helm
 /config/.release
 .dist
+.manifest

Makefile

@@ -50,8 +50,6 @@ GEN_CRD_API_REFERENCE_DOCS         := $(TOOLS_DIR)/gen-crd-api-reference-docs
 GEN_CRD_API_REFERENCE_DOCS_VERSION := latest
 GO_ACC                             := $(TOOLS_DIR)/go-acc
 GO_ACC_VERSION                     := latest
-KUSTOMIZE                          := $(TOOLS_DIR)/kustomize
-KUSTOMIZE_VERSION                  := latest
 GOIMPORTS                          := $(TOOLS_DIR)/goimports
 GOIMPORTS_VERSION                  := latest
 HELM                               := $(TOOLS_DIR)/helm
@@ -62,7 +60,7 @@ KO                                 := $(TOOLS_DIR)/ko
 KO_VERSION                         := main #e93dbee8540f28c45ec9a2b8aec5ef8e43123966
 KUTTL                              := $(TOOLS_DIR)/kubectl-kuttl
 KUTTL_VERSION                      := v0.14.0
-TOOLS                              := $(KIND) $(CONTROLLER_GEN) $(CLIENT_GEN) $(LISTER_GEN) $(INFORMER_GEN) $(OPENAPI_GEN) $(GEN_CRD_API_REFERENCE_DOCS) $(GO_ACC) $(KUSTOMIZE) $(GOIMPORTS) $(HELM) $(HELM_DOCS) $(KO) $(KUTTL)
+TOOLS                              := $(KIND) $(CONTROLLER_GEN) $(CLIENT_GEN) $(LISTER_GEN) $(INFORMER_GEN) $(OPENAPI_GEN) $(GEN_CRD_API_REFERENCE_DOCS) $(GO_ACC) $(GOIMPORTS) $(HELM) $(HELM_DOCS) $(KO) $(KUTTL)
 ifeq ($(GOOS), darwin)
 SED                                := gsed
 else
@@ -101,10 +99,6 @@ $(GO_ACC):
 	@echo Install go-acc... >&2
 	@GOBIN=$(TOOLS_DIR) go install github.com/ory/go-acc@$(GO_ACC_VERSION)
 
-$(KUSTOMIZE):
-	@echo Install kustomize... >&2
-	@GOBIN=$(TOOLS_DIR) go install sigs.k8s.io/kustomize/kustomize/v4@$(KUSTOMIZE_VERSION)
-
 $(GOIMPORTS):
 	@echo Install goimports... >&2
 	@GOBIN=$(TOOLS_DIR) go install golang.org/x/tools/cmd/goimports@$(GOIMPORTS_VERSION)
@@ -315,6 +309,7 @@ INPUT_DIRS         := $(PACKAGE)/api/kyverno/v1,$(PACKAGE)/api/kyverno/v1alpha2,
 CLIENTSET_PACKAGE  := $(OUT_PACKAGE)/clientset
 LISTERS_PACKAGE    := $(OUT_PACKAGE)/listers
 INFORMERS_PACKAGE  := $(OUT_PACKAGE)/informers
+CRDS_PATH          := ${PWD}/config/crds
 
 $(GOPATH_SHIM):
 	@echo Create gopath shim... >&2
@@ -353,12 +348,12 @@ codegen-client-all: codegen-client-clientset codegen-client-listers codegen-clie
 .PHONY: codegen-crds-kyverno
 codegen-crds-kyverno: $(CONTROLLER_GEN) ## Generate kyverno CRDs
 	@echo Generate kyverno crds... >&2
-	@$(CONTROLLER_GEN) crd paths=./api/kyverno/... crd:crdVersions=v1 output:dir=./config/crds
+	@$(CONTROLLER_GEN) crd paths=./api/kyverno/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)
 
 .PHONY: codegen-crds-report
 codegen-crds-report: $(CONTROLLER_GEN) ## Generate policy reports CRDs
 	@echo Generate policy reports crds... >&2
-	@$(CONTROLLER_GEN) crd paths=./api/policyreport/... crd:crdVersions=v1 output:dir=./config/crds
+	@$(CONTROLLER_GEN) crd paths=./api/policyreport/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)
 
 .PHONY: codegen-crds-all
 codegen-crds-all: codegen-crds-kyverno codegen-crds-report ## Generate all CRDs
@@ -381,10 +376,10 @@ codegen-api-docs: $(PACKAGE_SHIM) $(GEN_CRD_API_REFERENCE_DOCS) ## Generate API
 	@echo Generate api docs... >&2
 	@rm -rf docs/user/crd && mkdir -p docs/user/crd
 	@GOPATH=$(GOPATH_SHIM) $(GEN_CRD_API_REFERENCE_DOCS) -v 4 \
-			-api-dir github.com/kyverno/kyverno/api \
+		-api-dir github.com/kyverno/kyverno/api \
-			-config docs/user/config.json \
+		-config docs/user/config.json \
-			-template-dir docs/user/template \
+		-template-dir docs/user/template \
-			-out-file docs/user/crd/index.html
+		-out-file docs/user/crd/index.html
 
 .PHONY: codegen-helm-docs
 codegen-helm-docs: ## Generate helm docs
@@ -392,41 +387,84 @@ codegen-helm-docs: ## Generate helm docs
 	@docker run -v ${PWD}/charts:/work -w /work jnorwood/helm-docs:v1.11.0 -s file
 
 .PHONY: codegen-helm-crds
-codegen-helm-crds: $(KUSTOMIZE) codegen-crds-all ## Generate helm CRDs
+codegen-helm-crds: codegen-crds-all ## Generate helm CRDs
-	@echo Create temp folder for kustomization... >&2
-	@mkdir -p config/.helm
-	@echo Create kustomization... >&2
-	@VERSION='"{{.Chart.AppVersion}}"' TOP_PATH=".." envsubst < config/templates/helm-labels.yaml.envsubst > config/.helm/labels.yaml
-	@VERSION=dummy TOP_PATH=".." envsubst < config/templates/kustomization.yaml.envsubst > config/.helm/kustomization.yaml
 	@echo Generate helm crds... >&2
-	@$(KUSTOMIZE) build ./config/.helm | $(KUSTOMIZE) cfg grep kind=CustomResourceDefinition | $(SED) -e "1i{{- if .Values.installCRDs }}" -e '$$a{{- end }}' -e '/^  creationTimestamp: null/i \ \ \ \ {{- with .Values.crds.annotations }}{{ toYaml . | nindent 4 }}{{ end }}' > ./charts/kyverno/templates/crds.yaml
+	@cat $(CRDS_PATH)/* \
+		| $(SED) -e '1i{{- if .Values.installCRDs }}' \
+		| $(SED) -e '$$a{{- end }}' \
+ 		| $(SED) -e '/^  creationTimestamp: null/i \ \ \ \ {{- with .Values.crds.annotations }}' \
+ 		| $(SED) -e '/^  creationTimestamp: null/i \ \ \ \ {{- toYaml . | nindent 4 }}' \
+ 		| $(SED) -e '/^  creationTimestamp: null/i \ \ \ \ {{- end }}' \
+ 		| $(SED) -e '/^  creationTimestamp: null/a \ \ \ \ {{- include "kyverno.crdLabels" . | nindent 4 }}' \
+ 		| $(SED) -e '/^  creationTimestamp: null/a \ \ labels:' \
+ 		| $(SED) -e '/^  creationTimestamp: null/d' \
+ 		> ./charts/kyverno/templates/crds.yaml
 
 .PHONY: codegen-helm-all
 codegen-helm-all: codegen-helm-crds codegen-helm-docs ## Generate helm docs and CRDs
 
-.PHONY: codegen-install
+.PHONY: codegen-manifest-install
-codegen-install: $(KUSTOMIZE) ## Create install maifests
+codegen-manifest-install: $(HELM) ## Create install manifest
-	@echo Create kustomization... >&2
+	@echo Generate install manifest... >&2
-	@VERSION=latest TOP_PATH="." envsubst < config/templates/labels.yaml.envsubst > config/labels.yaml
+	@mkdir -p ./.manifest
-	@VERSION=latest TOP_PATH="." envsubst < config/templates/kustomization.yaml.envsubst > config/kustomization.yaml
+	@$(HELM) template kyverno --namespace kyverno --skip-tests ./charts/kyverno \
-	@echo Generate install.yaml... >&2
+		--set templating.enabled=true \
-	@$(KUSTOMIZE) build ./config > ./config/install.yaml
+		--set templating.version=latest \
-	@echo Generate install_debug.yaml... >&2
+		--set cleanupController.image.tag=latest \
-	@$(KUSTOMIZE) build ./config/debug > ./config/install_debug.yaml
+		--set image.tag=latest \
+		--set initImage.tag=latest \
+ 		| $(SED) -e '/^#.*/d' \
+		> ./.manifest/install.yaml
+
+.PHONY: codegen-manifest-debug
+codegen-manifest-debug: $(HELM) ## Create debug manifest
+	@echo Generate debug manifest... >&2
+	@mkdir -p ./.manifest
+	@$(HELM) template kyverno --namespace kyverno --skip-tests ./charts/kyverno \
+		--set templating.enabled=true \
+		--set templating.version=latest \
+		--set templating.debug=true \
+		--set cleanupController.image.tag=latest \
+		--set image.tag=latest \
+		--set initImage.tag=latest \
+ 		| $(SED) -e '/^#.*/d' \
+		> ./.manifest/debug.yaml
 
 # guidance https://github.com/kyverno/kyverno/wiki/Generate-a-Release
-.PHONY: codegen-release
+.PHONY: codegen-manifest-release
-codegen-release: codegen-install $(KUSTOMIZE) ## Create release maifests
+codegen-manifest-release: $(HELM) ## Create release manifest
-	@echo Create release folder... >&2
+	@echo Generate release manifest... >&2
-	@mkdir -p config/.release
+	@mkdir -p ./.manifest
-	@echo Create kustomization... >&2
+	@$(HELM) template kyverno --namespace kyverno --skip-tests ./charts/kyverno \
-	@VERSION=$(GIT_VERSION) TOP_PATH=".." envsubst < config/templates/labels.yaml.envsubst > config/.release/labels.yaml
+		--set templating.enabled=true \
-	@VERSION=$(GIT_VERSION) TOP_PATH=".." envsubst < config/templates/kustomization.yaml.envsubst > config/.release/kustomization.yaml
+		--set templating.version=$(GIT_VERSION) \
-	@echo Generate release manifests... >&2
+		--set cleanupController.image.tag=$(GIT_VERSION) \
-	@$(KUSTOMIZE) build ./config/.release > ./config/.release/install.yaml
+		--set image.tag=$(GIT_VERSION) \
+		--set initImage.tag=$(GIT_VERSION) \
+ 		| $(SED) -e '/^#.*/d' \
+		> ./.manifest/release.yaml
+
+.PHONY: codegen-manifest-e2e
+codegen-manifest-e2e: $(HELM) ## Create e2e manifest
+	@echo Create e2e manifest... >&2
+	@mkdir -p ./.manifest
+	@$(HELM) template kyverno --namespace kyverno --skip-tests ./charts/kyverno \
+		--set templating.enabled=true \
+		--set templating.version=$(IMAGE_TAG_DEV) \
+		--set cleanupController.image.repository=$(LOCAL_CLEANUP_IMAGE) \
+		--set cleanupController.image.tag=$(IMAGE_TAG_DEV) \
+		--set image.repository=$(LOCAL_KYVERNO_IMAGE) \
+		--set image.tag=$(IMAGE_TAG_DEV) \
+		--set initImage.repository=$(LOCAL_KYVERNOPRE_IMAGE) \
+		--set initImage.tag=$(IMAGE_TAG_DEV) \
+ 		| $(SED) -e '/^#.*/d' \
+		> ./.manifest/e2e.yaml
+
+.PHONY: codegen-manifest-all
+codegen-manifest-all: codegen-manifest-install codegen-manifest-debug codegen-manifest-release codegen-manifest-e2e ## Create all manifests
 
 .PHONY: codegen-quick
-codegen-quick: codegen-deepcopy-all codegen-crds-all codegen-api-docs codegen-helm-all codegen-install codegen-release ## Generate all generated code except client
+codegen-quick: codegen-deepcopy-all codegen-crds-all codegen-api-docs codegen-helm-all codegen-manifest-all ## Generate all generated code except client
 
 .PHONY: codegen-slow
 codegen-slow: codegen-client-all ## Generate client code
@@ -450,10 +488,10 @@ codegen-all: codegen-quick codegen-slow ## Generate all generated code
 .PHONY: verify-crds
 verify-crds: codegen-crds-all ## Check CRDs are up to date
 	@echo Checking crds are up to date... >&2
-	@git --no-pager diff config
+	@git --no-pager diff $(CRDS_PATH)
 	@echo 'If this test fails, it is because the git diff is non-empty after running "make codegen-crds-all".' >&2
 	@echo 'To correct this, locally run "make codegen-crds-all", commit the changes, and re-run tests.' >&2
-	@git diff --quiet --exit-code config
+	@git diff --quiet --exit-code $(CRDS_PATH)
 
 .PHONY: verify-client
 verify-client: codegen-client-all ## Check client is up to date
@@ -578,33 +616,6 @@ test-cli-test-case-selector-flag: $(CLI_BIN)
 test-cli-registry: $(CLI_BIN)
 	@$(CLI_BIN) test ./test/cli/registry --registry
 
-##################################
-# Create e2e Infrastructure
-##################################
-
-.PHONY: kind-e2e-cluster
-kind-e2e-cluster: $(KIND) ## Create kind cluster for e2e tests
-	$(KIND) create cluster --image=$(KIND_IMAGE)
-
-# TODO(eddycharly): $(REPO) is wrong, it is always ghcr.io/kyverno in the source
-.PHONY: e2e-kustomize
-e2e-kustomize: $(KUSTOMIZE) ## Build kustomize manifests for e2e tests
-	cd config && \
-	$(KUSTOMIZE) edit set image $(REPO_KYVERNOPRE)=$(LOCAL_KYVERNOPRE_IMAGE):$(IMAGE_TAG_DEV) && \
-	$(KUSTOMIZE) edit set image $(REPO_KYVERNO)=$(LOCAL_KYVERNO_IMAGE):$(IMAGE_TAG_DEV)
-	$(KUSTOMIZE) build config/ -o config/install.yaml
-
-.PHONY: e2e-init-container
-e2e-init-container: kind-e2e-cluster | image-build-kyvernopre
-	$(KIND) load docker-image $(LOCAL_KYVERNOPRE_IMAGE):$(IMAGE_TAG_DEV)
-
-.PHONY: e2e-kyverno-container
-e2e-kyverno-container: kind-e2e-cluster | image-build-kyverno
-	$(KIND) load docker-image $(LOCAL_KYVERNO_IMAGE):$(IMAGE_TAG_DEV)
-
-.PHONY: create-e2e-infrastructure
-create-e2e-infrastructure: e2e-init-container e2e-kyverno-container e2e-kustomize | ## Setup infrastructure for e2e tests
-
 ##################################
 # Testing & Code-Coverage
 ##################################

charts/kyverno/templates/_helpers.tpl

@@ -28,14 +28,51 @@ If release name contains chart name it will be used as a full name.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/* Helm labels */}}
+{{- define "kyverno.helmLabels" -}}
+{{- if not .Values.templating.enabled -}}
+helm.sh/chart: {{ template "kyverno.chart" . }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+{{- end -}}
+
+{{/* Version labels */}}
+{{- define "kyverno.versionLabels" -}}
+{{- if .Values.templating.enabled -}}
+app.kubernetes.io/version: {{ required "templating.version is required when templating.enabled is true" .Values.templating.version | replace "+" "_" }}
+{{- else -}}
+app.kubernetes.io/version: {{ .Chart.Version | replace "+" "_" }}
+{{- end -}}
+{{- end -}}
+
+{{/* CRD labels */}}
+{{- define "kyverno.crdLabels" -}}
+app.kubernetes.io/component: kyverno
+{{- with (include "kyverno.helmLabels" .) }}
+{{ . }}
+{{- end }}
+{{- with (include "kyverno.matchLabels" .) }}
+{{ . }}
+{{- end }}
+app.kubernetes.io/part-of: {{ template "kyverno.name" . }}
+{{- with (include "kyverno.versionLabels" .) }}
+{{ . }}
+{{- end }}
+{{- end -}}
+
 {{/* Helm required labels */}}
 {{- define "kyverno.labels" -}}
-helm.sh/chart: {{ template "kyverno.chart" . }}
-{{ include "kyverno.matchLabels" . }}
 app.kubernetes.io/component: kyverno
-app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- with (include "kyverno.helmLabels" .) }}
+{{ . }}
+{{- end }}
+{{- with (include "kyverno.matchLabels" .) }}
+{{ . }}
+{{- end }}
 app.kubernetes.io/part-of: {{ template "kyverno.name" . }}
-app.kubernetes.io/version: "{{ .Chart.Version | replace "+" "_" }}"
+{{- with (include "kyverno.versionLabels" .) }}
+{{ . }}
+{{- end }}
 {{- if .Values.customLabels }}
 {{ toYaml .Values.customLabels }}
 {{- end }}
@@ -43,19 +80,24 @@ app.kubernetes.io/version: "{{ .Chart.Version | replace "+" "_" }}"
 
 {{/* Helm required labels */}}
 {{- define "kyverno.test-labels" -}}
+{{- with (include "kyverno.helmLabels" .) }}
+{{ . }}
+{{- end }}
+app: kyverno
 app.kubernetes.io/component: kyverno
 app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
 app.kubernetes.io/name: {{ template "kyverno.name" . }}-test
 app.kubernetes.io/part-of: {{ template "kyverno.name" . }}
 app.kubernetes.io/version: "{{ .Chart.Version | replace "+" "_" }}"
-helm.sh/chart: {{ template "kyverno.chart" . }}
 {{- end -}}
 
 {{/* matchLabels */}}
 {{- define "kyverno.matchLabels" -}}
+app: kyverno
 app.kubernetes.io/name: {{ template "kyverno.name" . }}
+{{- if not .Values.templating.enabled }}
 app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
 {{- end -}}
 
 {{/* Get the config map name. */}}

charts/kyverno/templates/aggregateroles.yaml

@@ -3,9 +3,9 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ template "kyverno.fullname" . }}:admin-policies
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
+  labels:
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
-    app: kyverno
+    {{- include "kyverno.labels" . | nindent 4 }}
 rules:
 - apiGroups:
   - kyverno.io
@@ -24,10 +24,10 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-    app: kyverno
   name: {{ template "kyverno.fullname" . }}:admin-policyreport
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    {{- include "kyverno.labels" . | nindent 4 }}
 rules:
   - apiGroups:
       - wgpolicyk8s.io
@@ -46,10 +46,10 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-    app: kyverno
   name: {{ template "kyverno.fullname" . }}:admin-reports
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    {{- include "kyverno.labels" . | nindent 4 }}
 rules:
 - apiGroups:
     - kyverno.io
@@ -70,10 +70,10 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-    app: kyverno
   name: {{ template "kyverno.fullname" . }}:admin-generaterequest
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    {{- include "kyverno.labels" . | nindent 4 }}
 rules:
 - apiGroups:
   - kyverno.io
@@ -91,10 +91,10 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-    app: kyverno
   name: {{ template "kyverno.fullname" . }}:admin-updaterequest
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    {{- include "kyverno.labels" . | nindent 4 }}
 rules:
 - apiGroups:
   - kyverno.io

charts/kyverno/templates/cleanup-controller/_helpers.tpl

@@ -5,11 +5,16 @@
 {{- end -}}
 
 {{- define "kyverno.cleanup-controller.labels" -}}
-{{- include "kyverno.cleanup-controller.matchLabels" . }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
 app.kubernetes.io/part-of: {{ template "kyverno.name" . }}
-app.kubernetes.io/version: "{{ .Chart.Version | replace "+" "_" }}"
+{{- with (include "kyverno.helmLabels" .) }}
-helm.sh/chart: {{ template "kyverno.chart" . }}
+{{ . }}
+{{- end }}
+{{- with (include "kyverno.versionLabels" .) }}
+{{ . }}
+{{- end }}
+{{- with (include "kyverno.cleanup-controller.matchLabels" .) }}
+{{ . }}
+{{- end }}
 {{- end -}}
 
 {{- define "kyverno.cleanup-controller.matchLabels" -}}

charts/kyverno/templates/cleanup-controller/deployment.yaml

@@ -1,4 +1,5 @@
 {{- if .Values.cleanupController.enabled -}}
+{{- if not .Values.templating.debug -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -7,7 +8,9 @@ metadata:
     {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
   namespace: {{ template "kyverno.namespace" . }}
 spec:
-  replicas: {{ .Values.cleanupController.replicas }}
+  {{- with .Values.cleanupController.replicas }}
+  replicas: {{ . }}
+  {{- end }}
   {{- with .Values.cleanupController.updateStrategy }}
   strategy:
     {{- toYaml . | nindent 4 }}
@@ -133,3 +136,4 @@ spec:
             {{- tpl (toYaml .) $ | nindent 12 }}
           {{- end }}
 {{- end -}}
+{{- end -}}

charts/kyverno/templates/clusterrole.yaml

@@ -3,8 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ template "kyverno.fullname" . }}
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
+  labels:
-    app: kyverno
+    {{- include "kyverno.labels" . | nindent 4 }}
 aggregationRule:
   clusterRoleSelectors:
   - matchLabels:
@@ -14,26 +14,26 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ template "kyverno.fullname" . }}:userinfo
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
+  labels:
-    app: kyverno
+    {{- include "kyverno.labels" . | nindent 4 }}
 rules:
 - apiGroups:
-  - "rbac.authorization.k8s.io"
+    - rbac.authorization.k8s.io
   resources:
-  - roles
+    - roles
-  - clusterroles
+    - clusterroles
-  - rolebindings
+    - rolebindings
-  - clusterrolebindings
+    - clusterrolebindings
   verbs:
-  - watch
+    - watch
-  - list
+    - list
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ template "kyverno.fullname" . }}:policies
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
+  labels:
-    app: kyverno
+    {{- include "kyverno.labels" . | nindent 4 }}
 rules:
 - apiGroups:
     - kyverno.io
@@ -60,29 +60,28 @@ rules:
     - watch
     - deletecollection
 - apiGroups:
-  - wgpolicyk8s.io
+    - wgpolicyk8s.io
   resources:
-  - policyreports
+    - policyreports
-  - policyreports/status
+    - policyreports/status
-  - clusterpolicyreports
+    - clusterpolicyreports
-  - clusterpolicyreports/status
+    - clusterpolicyreports/status
   verbs:
-  - create
+    - create
-  - delete
+    - delete
-  - get
+    - get
-  - list
+    - list
-  - patch
+    - patch
-  - update
+    - update
-  - watch
+    - watch
-  - deletecollection
+    - deletecollection
-
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ template "kyverno.fullname" . }}:view
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
+  labels:
-    app: kyverno
+    {{- include "kyverno.labels" . | nindent 4 }}
 rules:
 - apiGroups:
   - '*'
@@ -97,8 +96,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ template "kyverno.fullname" . }}:generate
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
+  labels:
-    app: kyverno
+    {{- include "kyverno.labels" . | nindent 4 }}
 rules:
   - apiGroups:
       - networking.k8s.io
@@ -112,7 +111,7 @@ rules:
       - patch
       - delete
   - apiGroups:
-      - ""
+      - ''
     resources:
       - namespaces
       - configmaps
@@ -136,7 +135,7 @@ rules:
       - delete
   {{- if .Values.generatecontrollerExtraResources }}
   - apiGroups:
-      - "*"
+      - '*'
     resources:
     {{- range .Values.generatecontrollerExtraResources }}
       - {{ . }}
@@ -151,11 +150,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ template "kyverno.fullname" . }}:events
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
+  labels:
-    app: kyverno
+    {{- include "kyverno.labels" . | nindent 4 }}
 rules:
 - apiGroups:
-  - "*"
+  - ''
+  - events.k8s.io
   resources:
   - events
   verbs:
@@ -168,11 +168,11 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ template "kyverno.fullname" . }}:webhook
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
+  labels:
-    app: kyverno
+    {{- include "kyverno.labels" . | nindent 4 }}
 rules:
 - apiGroups:
-  - 'admissionregistration.k8s.io'
+  - admissionregistration.k8s.io
   resources:
   - mutatingwebhookconfigurations
   - validatingwebhookconfigurations
@@ -184,5 +184,4 @@ rules:
   - patch
   - update
   - watch
-
 {{- end }}

charts/kyverno/templates/clusterrolebinding.yaml

@@ -3,8 +3,8 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: {{ template "kyverno.fullname" . }}
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
+  labels:
-    app: kyverno
+    {{- include "kyverno.labels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

charts/kyverno/templates/configmap.yaml

@@ -2,8 +2,8 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
+  labels:
-    app: kyverno
+    {{- include "kyverno.labels" . | nindent 4 }}
   {{- with .Values.config.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}

charts/kyverno/templates/deployment.yaml

@@ -1,22 +1,26 @@
+{{- if not .Values.templating.debug -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ template "kyverno.fullname" . }}
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
+  labels:
-    app: kyverno
+    {{- include "kyverno.labels" . | nindent 4 }}
   namespace: {{ template "kyverno.namespace" . }}
 spec:
-  replicas: {{ .Values.replicaCount }}
+  {{- with .Values.replicaCount }}
+  replicas: {{ . }}
+  {{- end }}
   selector:
-    matchLabels: {{ include "kyverno.matchLabels" . | nindent 6 }}
+    matchLabels:
+      {{- include "kyverno.matchLabels" . | nindent 6 }}
   {{- if .Values.updateStrategy }}
   strategy:
     {{ toYaml .Values.updateStrategy | nindent 4 | trim }}
   {{- end }}
   template:
     metadata:
-      labels: {{ include "kyverno.labels" . | nindent 8 }}
+      labels:
-        app: kyverno
+        {{- include "kyverno.labels" . | nindent 8 }}
         {{- range $key, $value := .Values.podLabels }}
         {{ $key }}: {{ $value }}
         {{- end }}
@@ -166,4 +170,5 @@ spec:
               name: sigstore
       volumes:
       - name: sigstore
-        emptyDir: {}
+        emptyDir: {}
+{{- end -}}

charts/kyverno/templates/helm-pre-delete-hook.yaml

@@ -3,8 +3,8 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: {{ template "kyverno.fullname" . }}-hook-pre-delete
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
+  labels:
-    app: kyverno
+    {{- include "kyverno.labels" . | nindent 4 }}
   annotations:
     "helm.sh/hook": pre-delete
     "helm.sh/hook-delete-policy": hook-succeeded,hook-failed

charts/kyverno/templates/imagepullsecret.yaml

@@ -3,10 +3,10 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  labels: {{ include "kyverno.labels" $ | nindent 4 }}
-    app: kyverno
   name: {{ $name }}
   namespace: {{ template "kyverno.namespace" $ }}
+  labels:
+    {{- include "kyverno.labels" $ | nindent 4 }}
 type: kubernetes.io/dockerconfigjson
 data:
   .dockerconfigjson: {{ template "kyverno.imagePullSecret" $secret }}

charts/kyverno/templates/metricsconfigmap.yaml

@@ -2,8 +2,8 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
+  labels:
-    app: kyverno
+    {{- include "kyverno.labels" . | nindent 4 }}
   {{- with .Values.config.metricsConfig.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}

charts/kyverno/templates/namespace.yaml

@@ -0,0 +1,8 @@
+{{- if .Values.templating.enabled -}}
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    {{- include "kyverno.labels" . | nindent 4 }}
+  name: {{ template "kyverno.fullname" . }}
+{{- end -}}

charts/kyverno/templates/networkpolicy.yaml

@@ -2,14 +2,14 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
+  labels:
-    app: kyverno
+    {{- include "kyverno.labels" . | nindent 4 }}
   name: {{ template "kyverno.fullname" . }}
   namespace: {{ template "kyverno.namespace" . }}
 spec:
   podSelector:
     matchLabels:
-      app: kyverno
+      {{- include "kyverno.matchLabels" . | nindent 6 }}
   policyTypes:
   - Ingress
   {{- if .Values.networkPolicy.ingressFrom }}

charts/kyverno/templates/poddisruptionbudget.yaml

@@ -9,11 +9,10 @@ metadata:
   name: {{ template "kyverno.fullname" . }}
   labels:
     {{- include "kyverno.labels" . | nindent 4 }}
-    app: kyverno
   namespace: {{ template "kyverno.namespace" . }}
 spec:
   {{- include "kyverno.podDisruptionBudget.spec" . | indent 2 }}
   selector:
-    matchLabels:  {{ include "kyverno.matchLabels" . | nindent 6 }}
+    matchLabels:
-      app: kyverno
+      {{- include "kyverno.matchLabels" . | nindent 6 }}
 {{- end }}

charts/kyverno/templates/role.yaml

@@ -4,19 +4,19 @@ kind: Role
 metadata:
   name: {{ template "kyverno.fullname" . }}:leaderelection
   namespace: {{ template "kyverno.namespace" . }}
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
+  labels:
-    app: kyverno
+    {{- include "kyverno.labels" . | nindent 4 }}
 rules:
 - apiGroups:
-  - coordination.k8s.io
+    - coordination.k8s.io
   resources:
-  - leases
+    - leases
   verbs:
-  - create
+    - create
-  - delete
+    - delete
-  - get
+    - get
-  - patch
+    - patch
-  - update
+    - update
 # Allow update of Kyverno deployment annotations
 - apiGroups:
     - apps

charts/kyverno/templates/rolebinding.yaml

@@ -4,8 +4,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: {{ template "kyverno.fullname" . }}:leaderelection
   namespace: {{ template "kyverno.namespace" . }}
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
+  labels:
-    app: kyverno
+    {{- include "kyverno.labels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role

charts/kyverno/templates/secret.yaml

@@ -7,8 +7,8 @@ kind: Secret
 metadata:
   name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca
   namespace: {{ template "kyverno.namespace" . }}
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
+  labels:
-    app: kyverno
+    {{- include "kyverno.labels" . | nindent 4 }}
 type: kubernetes.io/tls
 data:
   tls.key: {{ $ca.Key | b64enc }}
@@ -19,8 +19,8 @@ kind: Secret
 metadata:
   name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair
   namespace: {{ template "kyverno.namespace" . }}
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
+  labels:
-    app: kyverno
+    {{- include "kyverno.labels" . | nindent 4 }}
   annotations:
     self-signed-cert: "true"
 type: kubernetes.io/tls

charts/kyverno/templates/service.yaml

@@ -2,8 +2,8 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ template "kyverno.serviceName" . }}
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
+  labels:
-    app: kyverno
+    {{- include "kyverno.labels" . | nindent 4 }}
   namespace: {{ template "kyverno.namespace" . }}
   {{- with .Values.service.annotations }}
   annotations: {{ tpl (toYaml .) $ | nindent 4 }}
@@ -17,8 +17,8 @@ spec:
     {{- if and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort)) }}
     nodePort: {{ .Values.service.nodePort }}
     {{- end }}
-  selector: {{ include "kyverno.matchLabels" . | nindent 4 }}
+  selector:
-    app: kyverno
+    {{- include "kyverno.matchLabels" . | nindent 4 }}
   type: {{ .Values.service.type }}
 ---
 {{- if .Values.metricsService.create }}
@@ -26,8 +26,8 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ template "kyverno.serviceName" . }}-metrics
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
+  labels:
-    app: kyverno
+    {{- include "kyverno.labels" . | nindent 4 }}
   namespace: {{ template "kyverno.namespace" . }}
   {{- with .Values.metricsService.annotations }}
   annotations: {{ tpl (toYaml .) $ | nindent 4 }}
@@ -41,7 +41,7 @@ spec:
     {{- if and (eq .Values.metricsService.type "NodePort") (not (empty .Values.metricsService.nodePort)) }}
     nodePort: {{ .Values.metricsService.nodePort }}
     {{- end }}
-  selector: {{ include "kyverno.matchLabels" . | nindent 4 }}
+  selector:
-    app: kyverno
+    {{- include "kyverno.matchLabels" . | nindent 4 }}
   type: {{ .Values.metricsService.type }}
-  {{- end -}}
+{{- end -}}

charts/kyverno/templates/serviceaccount.yaml

@@ -3,8 +3,8 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "kyverno.serviceAccountName" . }}
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
+  labels:
-    app: kyverno
+    {{- include "kyverno.labels" . | nindent 4 }}
   {{- if .Values.rbac.serviceAccount.annotations }}
   annotations: {{ toYaml .Values.rbac.serviceAccount.annotations | nindent 4 }}
   {{- end }}

charts/kyverno/templates/servicemonitor.yaml

@@ -2,8 +2,8 @@
 apiVersion: "monitoring.coreos.com/v1"
 kind: ServiceMonitor
 metadata:
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
+  labels:
-    app: kyverno
+    {{- include "kyverno.labels" . | nindent 4 }}
 {{- if .Values.serviceMonitor.additionalLabels }}
 {{ toYaml .Values.serviceMonitor.additionalLabels | indent 4 }}
 {{- end }}
@@ -15,8 +15,8 @@ metadata:
 {{- end }}
 spec:
   selector:
-    matchLabels: {{ include "kyverno.matchLabels" . | nindent 6 }}
+    matchLabels:
-      app: kyverno
+      {{- include "kyverno.matchLabels" . | nindent 6 }}
   namespaceSelector:
     matchNames:
     - {{ template "kyverno.namespace" . }}

charts/kyverno/values.yaml

@@ -1,3 +1,10 @@
+# -- Internal settings used with `helm template` to generate install manifest
+# @ignored
+templating:
+  enabled: false
+  debug: false
+  version:
+
 # -- Override the name of the chart
 nameOverride:
 

config/bundle/kustomization.yaml

@@ -1,13 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: kyverno
-
-transformers:
-  - labels.yaml
-
-resources:
-- ../crds/
-- ../manifest/
-- ../k8s-resource/
-- namespace.yaml

config/bundle/labels.yaml

@@ -1,16 +0,0 @@
----
-apiVersion: builtin
-kind: LabelTransformer
-metadata:
-  name: labelTransformer
-labels:
-  app.kubernetes.io/component: kyverno
-  app.kubernetes.io/instance: kyverno
-  app.kubernetes.io/name: kyverno
-  app.kubernetes.io/part-of: kyverno
-fieldSpecs:
-- path: metadata/labels
-  create: true
-- kind: Deployment
-  path: spec/template/metadata/labels
-  create: true

config/bundle/namespace.yaml

@@ -1,7 +0,0 @@
----
-kind: Namespace
-apiVersion: v1
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno

config/crds/kustomization.yaml

@@ -1,17 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-- ./kyverno.io_admissionreports.yaml
-- ./kyverno.io_backgroundscanreports.yaml
-- ./kyverno.io_cleanuppolicies.yaml
-- ./kyverno.io_clusteradmissionreports.yaml
-- ./kyverno.io_clusterbackgroundscanreports.yaml
-- ./kyverno.io_clustercleanuppolicies.yaml
-- ./kyverno.io_clusterpolicies.yaml
-- ./kyverno.io_generaterequests.yaml
-- ./kyverno.io_policies.yaml
-- ./kyverno.io_policyexceptions.yaml
-- ./kyverno.io_updaterequests.yaml
-- ./wgpolicyk8s.io_clusterpolicyreports.yaml
-- ./wgpolicyk8s.io_policyreports.yaml

config/debug/kustomization.yaml

@@ -1,12 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: kyverno
-
-transformers:
-  - labels.yaml
-  
-resources:
-- ../crds/
-- ../k8s-resource/
-- namespace.yaml

config/debug/labels.yaml

@@ -1,16 +0,0 @@
----
-apiVersion: builtin
-kind: LabelTransformer
-metadata:
-  name: labelTransformer
-labels:
-  app.kubernetes.io/component: kyverno
-  app.kubernetes.io/instance: kyverno
-  app.kubernetes.io/name: kyverno
-  app.kubernetes.io/part-of: kyverno
-fieldSpecs:
-- path: metadata/labels
-  create: true
-- kind: Deployment
-  path: spec/template/metadata/labels
-  create: true

config/debug/namespace.yaml

@@ -1,7 +0,0 @@
----
-kind: Namespace
-apiVersion: v1
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno

config/dryrun/dryrun_config.yaml

@@ -1,87 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    app: kyverno
-    app.kubernetes.io/component: kyverno
-    app.kubernetes.io/instance: kyverno
-    app.kubernetes.io/name: kyverno
-    app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: latest
-  name: kyverno-dryrun
----
-# Additional permission is required to enable DryRun.
-# If using DryRun to validate yaml, please deploy this Role/RoleBinding.
-# If validating custom resources with DryRun, please add the resources to the role.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: manifest-verify-dry-run
-  namespace: kyverno-dryrun
-rules:
-- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
-  - roles
-  - rolebindings
-  verbs:
-  - create
-- apiGroups:
-  - ""
-  resources:
-  - bindings
-  - configmaps
-  - limitranges
-  - persistentvolumeclaims
-  - pods
-  - podtemplates
-  - replicationcontrollers
-  - resourcequotas
-  - secrets
-  - serviceaccounts
-  - services
-  verbs:
-  - create
-- apiGroups:
-  - apps
-  resources:
-  - controllerrevisions
-  - daemonsets
-  - deployments
-  - replicasets
-  - statefulsets
-  verbs:
-  - create 
-- apiGroups:
-  - networking.k8s.io
-  resources:
-  - networkpolicies
-  - ingresses
-  verbs:
-  - create
-- apiGroups:
-  - policy
-  resources:
-  - poddisruptionbudgets
-  verbs:
-  - create
-- apiGroups:
-  - storage.k8s.io
-  resources:
-  - csistoragecapacities
-  verbs:
-  - create
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: manifest-verify-dry-run
-  namespace: kyverno-dryrun
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: manifest-verify-dry-run
-subjects:
-- kind: ServiceAccount
-  name: kyverno-service-account
-  namespace: kyverno

config/e2e/rbac.yaml

@@ -4,9 +4,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: kyverno:test-e2e
+  labels:
+    app: kyverno
+    app.kubernetes.io/name: kyverno
 rules:
   - apiGroups:
-      - "*"
+      - '*'
     resources:
       - clusterroles
       - rolebindings
@@ -22,19 +25,3 @@ rules:
       - patch
       - update
       - watch
----
-# This role binding is required for e2e tests that generate and update a ClusterRole.
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno:test-e2e
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: kyverno:test-e2e
-subjects:
-  - kind: ServiceAccount
-    name: kyverno-service-account
-    namespace: kyverno

config/k8s-resource/aggregateroles.yaml

@@ -1,110 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app: kyverno
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-  name: kyverno:admin-policies
-rules:
-- apiGroups:
-  - kyverno.io
-  resources:
-  - policies
-  - clusterpolicies
-  verbs:
-    - create
-    - delete
-    - get
-    - list
-    - patch
-    - update
-    - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app: kyverno
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-  name: kyverno:admin-policyreport
-rules:
-  - apiGroups:
-      - wgpolicyk8s.io
-    resources:
-      - policyreports
-      - clusterpolicyreports
-    verbs:
-      - create
-      - delete
-      - get
-      - list
-      - patch
-      - update
-      - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app: kyverno
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-  name: kyverno:admin-reports
-rules:
-- apiGroups:
-    - kyverno.io
-  resources:
-    - admissionreports
-    - clusteradmissionreports
-    - backgroundscanreports
-    - clusterbackgroundscanreports
-  verbs:
-    - create
-    - delete
-    - get
-    - list
-    - patch
-    - update
-    - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app: kyverno
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-  name: kyverno:admin-generaterequest
-rules:
-- apiGroups:
-  - kyverno.io
-  resources:
-  - generaterequests
-  verbs:
-    - create
-    - delete
-    - get
-    - list
-    - patch
-    - update
-    - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app: kyverno
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-  name: kyverno:admin-updaterequest
-rules:
-- apiGroups:
-  - kyverno.io
-  resources:
-  - updaterequests
-  verbs:
-    - create
-    - delete
-    - get
-    - list
-    - patch
-    - update
-    - watch

config/k8s-resource/clusterrolebindings.yaml

@@ -1,14 +0,0 @@
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: kyverno
-subjects:
-- kind: ServiceAccount
-  name: kyverno-service-account

config/k8s-resource/clusterroles.yaml

@@ -1,174 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: kyverno
-  labels:
-    app: kyverno
-aggregationRule:
-  clusterRoleSelectors:
-  - matchLabels:
-      app: kyverno
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno:policies
-rules:
-- apiGroups:
-  - kyverno.io
-  resources:
-  - policies
-  - policies/status
-  - clusterpolicies
-  - clusterpolicies/status
-  - generaterequests
-  - generaterequests/status
-  - updaterequests
-  - updaterequests/status
-  - admissionreports
-  - clusteradmissionreports
-  - backgroundscanreports
-  - clusterbackgroundscanreports
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-  - deletecollection
-- apiGroups:
-  - wgpolicyk8s.io
-  resources:
-  - policyreports
-  - policyreports/status
-  - clusterpolicyreports
-  - clusterpolicyreports/status
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-  - deletecollection
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno:view
-rules:
-- apiGroups:
-  - '*'
-  resources:
-  - '*'
-  verbs:
-  - get
-  - list
-  - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno:generate
-rules:
-- apiGroups:
-  - networking.k8s.io
-  resources:
-  - ingresses
-  - ingressclasses
-  - networkpolicies
-  verbs:
-  - create
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  - configmaps
-  - secrets
-  - resourcequotas
-  - limitranges
-  verbs:
-  - create
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
-  - rolebindings
-  - roles
-  verbs:
-  - create
-  - update
-  - patch
-  - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno:events
-rules:
-- apiGroups:
-  - ""
-  - events.k8s.io
-  resources:
-  - events
-  verbs:
-  - create
-  - update
-  - patch 
-  - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno:userinfo
-rules:
-- apiGroups:
-  - "rbac.authorization.k8s.io"
-  resources:
-  - roles
-  - clusterroles
-  - rolebindings
-  - clusterrolebindings
-  verbs:
-  - watch
-  - list
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno:webhook
-rules:
-- apiGroups:
-  - 'admissionregistration.k8s.io'
-  resources:
-  - mutatingwebhookconfigurations
-  - validatingwebhookconfigurations
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch

config/k8s-resource/configmap.yaml

@@ -1,30 +0,0 @@
-apiVersion: v1
-data:
-  resourceFilters: >
-    [Event,*,*]
-    [*,kube-system,*]
-    [*,kube-public,*]
-    [*,kube-node-lease,*]
-    [*,kyverno,*]
-    [Node,*,*]
-    [APIService,*,*]
-    [TokenReview,*,*]
-    [SubjectAccessReview,*,*]
-    [SelfSubjectAccessReview,*,*]
-    [*,kyverno,kyverno*]
-    [Binding,*,*]
-    [ReplicaSet,*,*]
-    [AdmissionReport,*,*]
-    [ClusterAdmissionReport,*,*]
-    [BackgroundScanReport,*,*]
-    [ClusterBackgroundScanReport,*,*]
-    [PolicyReport,*,*]
-    [ClusterPolicyReport,*,*]
-  webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kyverno"]}]}}]'
-  excludeGroupRole: 'system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler'
-  generateSuccessEvents: 'false'
-kind: ConfigMap
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno

config/k8s-resource/kustomization.yaml

@@ -1,13 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-- ./clusterroles.yaml
-- ./clusterrolebindings.yaml
-- ./roles.yaml
-- ./rolebindings.yaml
-- ./aggregateroles.yaml
-- ./configmap.yaml
-- ./metricsconfigmap.yaml
-- ./service.yaml
-- ./serviceaccount.yaml

config/k8s-resource/metricsconfigmap.yaml

@@ -1,10 +0,0 @@
-apiVersion: v1
-data:
-  metricsRefreshInterval: 24h
-  namespaces: '{"exclude":[],"include":[]}'
-kind: ConfigMap
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno-metrics
-  namespace: kyverno

config/k8s-resource/poddisruptionbudget.yaml

@@ -1,13 +0,0 @@
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
-  name: kyverno
-  labels:
-    app: kyverno
-spec:  
-  minAvailable: 0
-  selector:
-    matchLabels:  
-      app: kyverno
-      # do not remove
-      app.kubernetes.io/name: kyverno

config/k8s-resource/rolebindings.yaml

@@ -1,14 +0,0 @@
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kyverno:leaderelection
-  labels:
-    app: kyverno
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: kyverno:leaderelection
-subjects:
-- kind: ServiceAccount
-  name: kyverno-service-account

config/k8s-resource/roles.yaml

@@ -1,30 +0,0 @@
----
-# Dynamic management of leader election leases
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: kyverno:leaderelection
-  labels:
-    app: kyverno
-rules:
-- apiGroups:
-  - coordination.k8s.io
-  resources:
-  - leases
-  verbs:
-  - create
-  - delete
-  - get
-  - patch
-  - update
-# Allow update of Kyverno deployment annotations
-- apiGroups:
-    - apps
-  resources:
-    - deployments
-  verbs:
-    - get
-    - list
-    - patch
-    - update
-    - watch

config/k8s-resource/service.yaml

@@ -1,32 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno-svc
-spec:
-  ports:
-  - port: 443
-    name: https
-    targetPort: https
-  selector:
-    app: kyverno
-    # do not remove
-    app.kubernetes.io/name: kyverno
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno-svc-metrics
-spec:
-  ports:
-  - port: 8000
-    name: metrics-port
-    targetPort: metrics-port
-  selector:
-    app: kyverno
-    # do not remove
-    app.kubernetes.io/name: kyverno

config/k8s-resource/serviceaccount.yaml

@@ -1,7 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno-service-account

config/kustomization.yaml

@@ -1,14 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-- ./bundle/
-
-transformers:
-- labels.yaml
-
-images:
-- name: ghcr.io/kyverno/kyverno
-  newTag: latest
-- name: ghcr.io/kyverno/kyvernopre
-  newTag: latest

config/labels.yaml

@@ -1,13 +0,0 @@
----
-apiVersion: builtin
-kind: LabelTransformer
-metadata:
-  name: labelTransformer
-labels:
-  app.kubernetes.io/version: latest
-fieldSpecs:
-- path: metadata/labels
-  create: true
-- kind: Deployment
-  path: spec/template/metadata/labels
-  create: true

config/manifest/deployment.yaml

@@ -1,162 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app: kyverno
-    # do not remove
-    app.kubernetes.io/name: kyverno
-  name: kyverno
-spec:
-  selector:
-    matchLabels:
-      app: kyverno
-      # do not remove
-      app.kubernetes.io/name: kyverno
-  replicas: 1
-  template:
-    metadata:
-      labels:
-        app: kyverno
-        # do not remove
-        app.kubernetes.io/name: kyverno
-    spec:
-      volumes:
-        - name: sigstore
-          emptyDir: {}
-      affinity:
-        podAntiAffinity:
-          preferredDuringSchedulingIgnoredDuringExecution:
-          - weight: 1
-            podAffinityTerm:
-              labelSelector:
-                matchExpressions:
-                - key: app.kubernetes.io/name
-                  operator: In
-                  values:
-                  - kyverno
-              topologyKey: "kubernetes.io/hostname"
-      serviceAccountName: kyverno-service-account
-      securityContext:
-        runAsNonRoot: true
-      initContainers:
-        - name: kyverno-pre
-          image: ghcr.io/kyverno/kyvernopre:latest
-          imagePullPolicy: Always
-          resources:
-            limits:
-              cpu: 100m
-              memory: 256Mi
-            requests:
-              cpu: 10m
-              memory: 64Mi
-          securityContext:
-            runAsNonRoot: true
-            privileged: false
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
-            capabilities:
-              drop:
-                - ALL
-            seccompProfile:
-              type: RuntimeDefault
-          env:
-            - name: METRICS_CONFIG
-              value: kyverno-metrics
-            - name: KYVERNO_POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: KYVERNO_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-      containers:
-        - name: kyverno
-          image: ghcr.io/kyverno/kyverno:latest
-          imagePullPolicy: Always
-          args:
-          # customize webhook timeout
-          #- "--webhookTimeout=4"
-          # enable profiling
-          # - "--profile"
-          # configure the workers for generate controller
-          # - --genWorkers=20
-          - "-v=2"
-          ports:
-            - containerPort: 9443
-              name: https
-              protocol: TCP
-            - containerPort: 8000
-              name: metrics-port
-              protocol: TCP
-          env:
-            - name: INIT_CONFIG
-              value: kyverno
-            - name: METRICS_CONFIG
-              value: kyverno-metrics
-            - name: KYVERNO_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: KYVERNO_POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: KYVERNO_SVC
-              value: kyverno-svc
-            - name: TUF_ROOT
-              value: /.sigstore
-          securityContext:
-            runAsNonRoot: true
-            privileged: false
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
-            capabilities:
-              drop:
-                - ALL
-            seccompProfile:
-              type: RuntimeDefault
-          resources:
-            requests:
-              memory: 128Mi
-              cpu: 100m
-            limits:
-              memory: 384Mi
-          startupProbe:
-            httpGet:
-              path: /health/liveness
-              port: 9443
-              scheme: HTTPS
-            failureThreshold: 20
-            initialDelaySeconds: 2
-            periodSeconds: 6
-          livenessProbe:
-            httpGet:
-              path: /health/liveness
-              port: 9443
-              scheme: HTTPS
-            initialDelaySeconds: 15
-            periodSeconds: 30
-            timeoutSeconds: 5
-            failureThreshold: 2
-            successThreshold: 1
-          readinessProbe:
-            httpGet:
-              path: /health/readiness
-              port: 9443
-              scheme: HTTPS
-            initialDelaySeconds: 5
-            periodSeconds: 10
-            timeoutSeconds: 5
-            failureThreshold: 4
-            successThreshold: 1
-          # Failing to provide a writable $TUF_ROOT can cause TUF client initialization to panic
-          volumeMounts:
-          - mountPath: /.sigstore
-            name: sigstore
-  strategy:
-    type: RollingUpdate
-    rollingUpdate:
-      maxUnavailable: 40%
-      maxSurge: 1

config/manifest/kustomization.yaml

@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-- ./deployment.yaml

config/templates/helm-labels.yaml.envsubst

@@ -1,14 +0,0 @@
----
-apiVersion: builtin
-kind: LabelTransformer
-metadata:
-  name: labelTransformer
-labels:
-  app.kubernetes.io/instance: '{{ .Release.Name }}'
-  app.kubernetes.io/name: '{{ template "kyverno.name" . }}'
-  app.kubernetes.io/part-of: '{{ template "kyverno.name" . }}'
-  app.kubernetes.io/version: $VERSION
-fieldSpecs:
-- kind: CustomResourceDefinition
-  path: metadata/labels
-  create: true

config/templates/kustomization.yaml.envsubst

@@ -1,14 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-- $TOP_PATH/bundle/
-
-transformers:
-- labels.yaml
-
-images:
-- name: ghcr.io/kyverno/kyverno
-  newTag: $VERSION
-- name: ghcr.io/kyverno/kyvernopre
-  newTag: $VERSION

config/templates/labels.yaml.envsubst

@@ -1,13 +0,0 @@
----
-apiVersion: builtin
-kind: LabelTransformer
-metadata:
-  name: labelTransformer
-labels:
-  app.kubernetes.io/version: $VERSION
-fieldSpecs:
-- path: metadata/labels
-  create: true
-- kind: Deployment
-  path: spec/template/metadata/labels
-  create: true

pkg/policy/generate/validate.go

@@ -85,7 +85,7 @@ func (g *Generate) Validate() (string, error) {
 	}
 
 	// Kyverno generate-controller create/update/deletes the resources specified in generate rule of policy
-	// kyverno uses SA 'kyverno-service-account' and has default ClusterRoles and ClusterRoleBindings
+	// kyverno uses SA 'kyverno' and has default ClusterRoles and ClusterRoleBindings
 	// instructions to modify the RBAC for kyverno are mentioned at https://github.com/kyverno/kyverno/blob/master/documentation/installation.md
 	// - operations required: create/update/delete/get
 	// If kind and namespace contain variables, then we cannot resolve then so we skip the processing

test/conformance/kuttl/mutate/clusterpolicy/standard/existing/mutate-existing-node-status/01-manifests.yaml

@@ -25,6 +25,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
+    app: kyverno
     app.kubernetes.io/instance: kyverno
     app.kubernetes.io/name: kyverno
   name: kyverno:modify-nodes

test/e2e/generate/resources.go

@@ -170,7 +170,7 @@ spec:
             name: ns-cluster-role
           subjects:
           - kind: ServiceAccount
-            name: "kyverno-service-account"
+            name: "kyverno"
             namespace: "{{request.object.metadata.name}}"
 `)
 
@@ -211,7 +211,7 @@ roleRef:
   name: base-cluster-role
 subjects:
 - kind: ServiceAccount
-  name: kyverno-service-account
+  name: kyverno
   namespace: kyverno
 `)