chore(helm): Adding kyverno

Signed-off-by: rjshrjndrn <rjshrjndrn@gmail.com>

scripts/helmcharts/utilties/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

scripts/helmcharts/utilties/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: utilties
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"

scripts/helmcharts/utilties/charts/kyverno/Chart.yaml

@@ -0,0 +1,29 @@
+annotations:
+  artifacthub.io/changes: |
+    - kind: changed
+      description: Exclude Kyverno namespace by default
+  artifacthub.io/links: |
+    - name: Documentation
+      url: https://kyverno.io/docs
+  artifacthub.io/operator: "false"
+  artifacthub.io/prerelease: "false"
+apiVersion: v2
+appVersion: v1.7.5
+description: Kubernetes Native Policy Management
+home: https://kyverno.io/
+icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
+keywords:
+- kubernetes
+- nirmata
+- policy agent
+- validating webhook
+- admissions controller
+kubeVersion: '>=1.16.0-0'
+maintainers:
+- name: Nirmata
+  url: https://kyverno.io/
+name: kyverno
+sources:
+- https://github.com/kyverno/kyverno
+type: application
+version: v2.5.5

scripts/helmcharts/utilties/charts/kyverno/README.md

@@ -0,0 +1,200 @@
+# kyverno
+
+Kubernetes Native Policy Management
+
+![Version: v2.5.5](https://img.shields.io/badge/Version-v2.5.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.7.5](https://img.shields.io/badge/AppVersion-v1.7.5-informational?style=flat-square)
+
+## About
+
+[Kyverno](https://kyverno.io) is a Kubernetes Native Policy Management engine.
+
+It allows you to:
+- Manage policies as Kubernetes resources (no new language required.)
+- Validate, mutate, and generate resource configurations.
+- Select resources based on labels and wildcards.
+- View policy enforcement as events.
+- Scan existing resources for violations.
+
+This chart bootstraps a Kyverno deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+Access the complete user documentation and guides at: https://kyverno.io.
+
+## Installing the Chart
+
+**Add the Kyverno Helm repository:**
+
+```console
+$ helm repo add kyverno https://kyverno.github.io/kyverno/
+```
+
+**Create a namespace:**
+
+You can install Kyverno in any namespace. The examples use `kyverno` as the namespace.
+
+```console
+$ kubectl create namespace kyverno
+```
+
+**Install the Kyverno chart:**
+
+```console
+$ helm install kyverno --namespace kyverno kyverno/kyverno
+```
+
+The command deploys Kyverno on the Kubernetes cluster with default configuration. The [installation](https://kyverno.io/docs/installation/) guide lists the parameters that can be configured during installation.
+
+The Kyverno ClusterRole/ClusterRoleBinding that manages webhook configurations must have the suffix `:webhook`. Ex., `*:webhook` or `kyverno:webhook`.
+Other ClusterRole/ClusterRoleBinding names are configurable.
+
+## Uninstalling the Chart
+
+To uninstall/delete the `kyverno` deployment:
+
+```console
+$ helm delete -n kyverno kyverno
+```
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| nameOverride | string | `nil` | Override the name of the chart |
+| fullnameOverride | string | `nil` | Override the expanded name of the chart |
+| namespace | string | `nil` | Namespace the chart deploys to |
+| customLabels | object | `{}` | Additional labels |
+| rbac.create | bool | `true` | Create ClusterRoles, ClusterRoleBindings, and ServiceAccount |
+| rbac.serviceAccount.create | bool | `true` | Create a ServiceAccount |
+| rbac.serviceAccount.name | string | `nil` | The ServiceAccount name |
+| rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
+| image.repository | string | `"ghcr.io/kyverno/kyverno"` | Image repository |
+| image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted |
+| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
+| image.pullSecrets | list | `[]` | Image pull secrets |
+| initImage.repository | string | `"ghcr.io/kyverno/kyvernopre"` | Image repository |
+| initImage.tag | string | `nil` | Image tag If initImage.tag is missing, defaults to image.tag |
+| initImage.pullPolicy | string | `nil` | Image pull policy If initImage.pullPolicy is missing, defaults to image.pullPolicy |
+| testImage.repository | string | `nil` | Image repository Defaults to `busybox` if omitted |
+| testImage.tag | string | `nil` | Image tag Defaults to `latest` if omitted |
+| testImage.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted |
+| replicaCount | int | `nil` | Desired number of pods |
+| podLabels | object | `{}` | Additional labels to add to each pod |
+| podAnnotations | object | `{}` | Additional annotations to add to each pod |
+| podSecurityContext | object | `{}` | Security context for the pod |
+| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
+| priorityClassName | string | `""` | Optional priority class to be used for kyverno pods |
+| antiAffinity.enable | bool | `true` | Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node. |
+| podAntiAffinity | object | See [values.yaml](values.yaml) | Pod anti affinity constraints. |
+| podAffinity | object | `{}` | Pod affinity constraints. |
+| nodeAffinity | object | `{}` | Node affinity constraints. |
+| podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for kyverno disruptions. Cannot be used if `maxUnavailable` is set. |
+| podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for kyverno disruptions. Cannot be used if `minAvailable` is set. |
+| nodeSelector | object | `{}` | Node labels for pod assignment |
+| tolerations | list | `[]` | List of node taints to tolerate |
+| hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the kyverno's pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. |
+| dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. |
+| envVarsInit | object | `{}` | Env variables for initContainers. |
+| envVars | object | `{}` | Env variables for containers. |
+| extraArgs | list | `["--autogenInternals=false"]` | Extra arguments to give to the binary. |
+| imagePullSecrets | object | `{}` | Image pull secrets for image verify and imageData policies. This will define the `--imagePullSecrets` Kyverno argument. |
+| resources.limits | object | `{"memory":"384Mi"}` | Pod resource limits |
+| resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | Pod resource requests |
+| initResources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits |
+| initResources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests |
+| livenessProbe | object | See [values.yaml](values.yaml) | Liveness probe. The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
+| readinessProbe | object | See [values.yaml](values.yaml) | Readiness Probe. The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
+| generatecontrollerExtraResources | string | `nil` |  |
+| excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters |
+| config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. |
+| config.existingConfig | string | `""` | Name of an existing config map (ignores default/provided resourceFilters) |
+| config.excludeGroupRole | string | `nil` | Exclude group role |
+| config.excludeUsername | string | `nil` | Exclude username |
+| config.webhooks | string | `nil` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) |
+| config.generateSuccessEvents | bool | `false` | Generate success events. |
+| config.metricsConfig | object | `{"namespaces":{"exclude":[],"include":[]}}` | Metrics config. |
+| updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
+| service.port | int | `443` | Service port. |
+| service.type | string | `"ClusterIP"` | Service type. |
+| service.nodePort | string | `nil` | Service node port. Only used if `service.type` is `NodePort`. |
+| service.annotations | object | `{}` | Service annotations. |
+| topologySpreadConstraints | list | `[]` | Topology spread constraints. |
+| metricsService.create | bool | `true` | Create service. |
+| metricsService.port | int | `8000` | Service port. Kyverno's metrics server will be exposed at this port. |
+| metricsService.type | string | `"ClusterIP"` | Service type. |
+| metricsService.nodePort | string | `nil` | Service node port. Only used if `metricsService.type` is `NodePort`. |
+| metricsService.annotations | object | `{}` | Service annotations. |
+| serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. |
+| serviceMonitor.additionalLabels | string | `nil` | Additional labels |
+| serviceMonitor.namespace | string | `nil` | Override namespace (default is the same as kyverno) |
+| serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
+| serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
+| serviceMonitor.secure | bool | `false` | Is TLS required for endpoint |
+| serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint |
+| createSelfSignedCert | bool | `false` | Kyverno requires a certificate key pair and corresponding certificate authority to properly register its webhooks. This can be done in one of 3 ways: 1) Use kube-controller-manager to generate a CA-signed certificate (preferred) 2) Provide your own CA and cert.    In this case, you will need to create a certificate with a specific name and data structure.    As long as you follow the naming scheme, it will be automatically picked up.    kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entry named rootCA.crt)    kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt) 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false |
+| installCRDs | bool | `true` | Whether to have Helm install the Kyverno CRDs. If the CRDs are not installed by Helm, they must be added before policies can be created. |
+| networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
+| networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
+| webhooksCleanup.enable | bool | `false` | Create a helm pre-delete hook to cleanup webhooks. |
+| webhooksCleanup.image | string | `"bitnami/kubectl:latest"` | `kubectl` image to run commands for deleting webhooks. |
+| tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization |
+
+## TLS Configuration
+
+If `createSelfSignedCert` is `true`, Helm will take care of the steps of creating an external self-signed certificate described in option 2 of the [installation documentation](https://kyverno.io/docs/installation/#option-2-use-your-own-ca-signed-certificate)
+
+If `createSelfSignedCert` is `false`, Kyverno will generate a self-signed CA and a certificate, or you can provide your own TLS CA and signed-key pair and create the secret yourself as described in the [documentation](https://kyverno.io/docs/installation/#customize-the-installation-of-kyverno).
+
+## Default resource filters
+
+[Kyverno resource filters](https://kyverno.io/docs/installation/#resource-filters) are a used to exclude resources from the Kyverno engine rules processing.
+
+This chart comes with default resource filters that apply exclusions on a couple of namespaces and resource kinds:
+- all resources in `kube-system`, `kube-public` and `kube-node-lease` namespaces
+- all resources in all namespaces for the following resource kinds:
+  - `Event`
+  - `Node`
+  - `APIService`
+  - `TokenReview`
+  - `SubjectAccessReview`
+  - `SelfSubjectAccessReview`
+  - `Binding`
+  - `ReplicaSet`
+  - `ReportChangeRequest`
+  - `ClusterReportChangeRequest`
+- all resources created by this chart itself
+
+Those default exclusions are there to prevent disruptions as much as possible.
+Under the hood, Kyverno installs an admission controller for critical cluster resources.
+A cluster can become unresponsive if Kyverno is not up and running, ultimately preventing pods to be scheduled in the cluster.
+
+You can however override the default resource filters by setting the `config.resourceFilters` stanza.
+It contains an array of string templates that are passed through the `tpl` Helm function and joined together to produce the final `resourceFilters` written in the Kyverno config map.
+
+Please consult the [values.yaml](./values.yaml) file before overriding `config.resourceFilters` and use the apropriate templates to build your desired exclusions list.
+
+## High availability
+
+Running a highly-available Kyverno installation is crucial in a production environment.
+
+In order to run Kyverno in high availability mode, you should set `replicaCount` to `3` or more.
+You should also pay attention to anti affinity rules, spreading pods across nodes and availability zones.
+
+Please see https://kyverno.io/docs/installation/#security-vs-operability for more informations.
+
+## Source Code
+
+* <https://github.com/kyverno/kyverno>
+
+## Requirements
+
+Kubernetes: `>=1.16.0-0`
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| Nirmata |  | https://kyverno.io/ |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.6.0](https://github.com/norwoodj/helm-docs/releases/v1.6.0)

scripts/helmcharts/utilties/charts/kyverno/README.md.gotmpl

@@ -0,0 +1,110 @@
+{{ template "chart.header" . }}
+{{ template "chart.deprecationWarning" . }}
+{{ template "chart.description" . }}
+
+{{ template "chart.badgesSection" . }}
+
+## About
+
+[Kyverno](https://kyverno.io) is a Kubernetes Native Policy Management engine.
+
+It allows you to:
+- Manage policies as Kubernetes resources (no new language required.)
+- Validate, mutate, and generate resource configurations.
+- Select resources based on labels and wildcards.
+- View policy enforcement as events.
+- Scan existing resources for violations.
+
+This chart bootstraps a Kyverno deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+Access the complete user documentation and guides at: https://kyverno.io.
+
+## Installing the Chart
+
+**Add the Kyverno Helm repository:**
+
+```console
+$ helm repo add kyverno https://kyverno.github.io/kyverno/
+```
+
+**Create a namespace:**
+
+You can install Kyverno in any namespace. The examples use `kyverno` as the namespace.
+
+```console
+$ kubectl create namespace kyverno
+```
+
+**Install the Kyverno chart:**
+
+```console
+$ helm install kyverno --namespace kyverno kyverno/kyverno
+```
+
+The command deploys Kyverno on the Kubernetes cluster with default configuration. The [installation](https://kyverno.io/docs/installation/) guide lists the parameters that can be configured during installation.
+
+The Kyverno ClusterRole/ClusterRoleBinding that manages webhook configurations must have the suffix `:webhook`. Ex., `*:webhook` or `kyverno:webhook`.
+Other ClusterRole/ClusterRoleBinding names are configurable.
+
+## Uninstalling the Chart
+
+To uninstall/delete the `kyverno` deployment:
+
+```console
+$ helm delete -n kyverno kyverno
+```
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+{{ template "chart.valuesSection" . }}
+
+## TLS Configuration
+
+If `createSelfSignedCert` is `true`, Helm will take care of the steps of creating an external self-signed certificate described in option 2 of the [installation documentation](https://kyverno.io/docs/installation/#option-2-use-your-own-ca-signed-certificate)
+
+If `createSelfSignedCert` is `false`, Kyverno will generate a self-signed CA and a certificate, or you can provide your own TLS CA and signed-key pair and create the secret yourself as described in the [documentation](https://kyverno.io/docs/installation/#customize-the-installation-of-kyverno).
+
+## Default resource filters
+
+[Kyverno resource filters](https://kyverno.io/docs/installation/#resource-filters) are a used to exclude resources from the Kyverno engine rules processing.
+
+This chart comes with default resource filters that apply exclusions on a couple of namespaces and resource kinds:
+- all resources in `kube-system`, `kube-public` and `kube-node-lease` namespaces
+- all resources in all namespaces for the following resource kinds:
+  - `Event`
+  - `Node`
+  - `APIService`
+  - `TokenReview`
+  - `SubjectAccessReview`
+  - `SelfSubjectAccessReview`
+  - `Binding`
+  - `ReplicaSet`
+  - `ReportChangeRequest`
+  - `ClusterReportChangeRequest`
+- all resources created by this chart itself
+
+Those default exclusions are there to prevent disruptions as much as possible.
+Under the hood, Kyverno installs an admission controller for critical cluster resources.
+A cluster can become unresponsive if Kyverno is not up and running, ultimately preventing pods to be scheduled in the cluster.
+
+You can however override the default resource filters by setting the `config.resourceFilters` stanza.
+It contains an array of string templates that are passed through the `tpl` Helm function and joined together to produce the final `resourceFilters` written in the Kyverno config map.
+
+Please consult the [values.yaml](./values.yaml) file before overriding `config.resourceFilters` and use the apropriate templates to build your desired exclusions list.
+
+## High availability
+
+Running a highly-available Kyverno installation is crucial in a production environment.
+
+In order to run Kyverno in high availability mode, you should set `replicaCount` to `3` or more.
+You should also pay attention to anti affinity rules, spreading pods across nodes and availability zones.
+
+Please see https://kyverno.io/docs/installation/#security-vs-operability for more informations.
+
+{{ template "chart.sourcesSection" . }}
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.maintainersSection" . }}
+
+{{ template "helm-docs.versionFooter" . }}

scripts/helmcharts/utilties/charts/kyverno/ci/hooks-values.yaml

@@ -0,0 +1,3 @@
+---
+webhooksCleanup:
+  enable: true

scripts/helmcharts/utilties/charts/kyverno/ci/imagePullSecrets-values.yaml

@@ -0,0 +1,9 @@
+imagePullSecrets:
+  regcred:
+    registry: foo.example.com
+    username: foobar
+    password: secret
+  regcred2:
+    registry: bar.example.com
+    username: barbaz
+    password: secret2

scripts/helmcharts/utilties/charts/kyverno/ci/networkpolicy-values.yaml

@@ -0,0 +1,3 @@
+---
+networkPolicy:
+  enabled: true

scripts/helmcharts/utilties/charts/kyverno/templates/NOTES.txt

@@ -0,0 +1,16 @@
+Chart version: {{ .Chart.Version }}
+Kyverno version: {{ default .Chart.AppVersion (default .Values.image.tag .Values.initImage.tag) }}
+
+Thank you for installing {{ .Chart.Name }}! Your release is named {{ .Release.Name }}.
+
+{{- if not .Values.replicaCount }}
+⚠️  WARNING: Setting replicas count below 3 means Kyverno is not running in high availability mode.
+{{- else if lt (int .Values.replicaCount) 3 }}
+⚠️  WARNING: Setting replicas count below 3 means Kyverno is not running in high availability mode.
+{{- end }}
+
+💡 Note: There is a trade-off when deciding which approach to take regarding Namespace exclusions. Please see the documentation at https://kyverno.io/docs/installation/#security-vs-operability to understand the risks.
+
+{{- if semverCompare "<1.21.0" .Capabilities.KubeVersion.Version }}
+⚠️  WARNING: The minimal Kubernetes version officially supported by Kyverno is 1.21. Earlier versions are untested and Kyverno is not guaranteed to work with Kubernetes {{ .Capabilities.KubeVersion.Version }}.
+{{- end }}

scripts/helmcharts/utilties/charts/kyverno/templates/_helpers.tpl

@@ -0,0 +1,139 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* Expand the name of the chart. */}}
+{{- define "kyverno.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "kyverno.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/* Create chart name and version as used by the chart label. */}}
+{{- define "kyverno.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/* Helm required labels */}}
+{{- define "kyverno.labels" -}}
+app.kubernetes.io/component: kyverno
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/name: {{ template "kyverno.name" . }}
+app.kubernetes.io/part-of: {{ template "kyverno.name" . }}
+app.kubernetes.io/version: "{{ .Chart.Version }}"
+helm.sh/chart: {{ template "kyverno.chart" . }}
+{{- if .Values.customLabels }}
+{{ toYaml .Values.customLabels }}
+{{- end }}
+{{- end -}}
+
+{{/* Helm required labels */}}
+{{- define "kyverno.test-labels" -}}
+app.kubernetes.io/component: kyverno
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/name: {{ template "kyverno.name" . }}-test
+app.kubernetes.io/part-of: {{ template "kyverno.name" . }}
+app.kubernetes.io/version: "{{ .Chart.Version }}"
+helm.sh/chart: {{ template "kyverno.chart" . }}
+{{- end -}}
+
+{{/* matchLabels */}}
+{{- define "kyverno.matchLabels" -}}
+app.kubernetes.io/name: {{ template "kyverno.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/* Get the config map name. */}}
+{{- define "kyverno.configMapName" -}}
+{{- printf "%s" (default (include "kyverno.fullname" .) .Values.config.existingConfig) -}}
+{{- end -}}
+
+{{/* Get the metrics config map name. */}}
+{{- define "kyverno.metricsConfigMapName" -}}
+{{- printf "%s" (default (printf "%s-metrics" (include "kyverno.fullname" .)) .Values.config.existingMetricsConfig) -}}
+{{- end -}}
+
+{{/* Get the namespace name. */}}
+{{- define "kyverno.namespace" -}}
+{{- if .Values.namespace -}}
+    {{- .Values.namespace -}}
+{{- else -}}
+    {{- .Release.Namespace -}}
+{{- end -}}
+{{- end -}}
+
+{{/* Create the name of the service to use */}}
+{{- define "kyverno.serviceName" -}}
+{{- printf "%s-svc" (include "kyverno.fullname" .) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/* Create the name of the service account to use */}}
+{{- define "kyverno.serviceAccountName" -}}
+{{- if .Values.rbac.serviceAccount.create -}}
+    {{ default (include "kyverno.fullname" .) .Values.rbac.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.rbac.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/* Create the default PodDisruptionBudget to use */}}
+{{- define "podDisruptionBudget.spec" -}}
+{{- if and .Values.podDisruptionBudget.minAvailable .Values.podDisruptionBudget.maxUnavailable }}
+{{- fail "Cannot set both .Values.podDisruptionBudget.minAvailable and .Values.podDisruptionBudget.maxUnavailable" -}}
+{{- end }}
+{{- if not .Values.podDisruptionBudget.maxUnavailable }}
+minAvailable: {{ default 1 .Values.podDisruptionBudget.minAvailable }}
+{{- end }}
+{{- if .Values.podDisruptionBudget.maxUnavailable }}
+maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
+{{- end }}
+{{- end }}
+
+{{- define "kyverno.securityContext" -}}
+{{- if semverCompare "<1.19" .Capabilities.KubeVersion.Version }}
+{{ toYaml (omit .Values.securityContext "seccompProfile") }}
+{{- else }}
+{{ toYaml .Values.securityContext }}
+{{- end }}
+{{- end }}
+
+{{- define "kyverno.imagePullSecret" }}
+{{- printf "{\"auths\":{\"%s\":{\"auth\":\"%s\"}}}" .registry (printf "%s:%s" .username .password | b64enc) | b64enc }}
+{{- end }}
+
+
+{{- define "kyverno.resourceFilters" -}}
+{{- $resourceFilters := .Values.config.resourceFilters }}
+{{- if .Values.excludeKyvernoNamespace }}
+  {{- $resourceFilters = prepend .Values.config.resourceFilters (printf "[*,%s,*]" (include "kyverno.namespace" .)) }}
+{{- end }}
+{{- tpl (join "" $resourceFilters) . }}
+{{- end }}
+
+{{- define "kyverno.webhooks" -}}
+{{- $excludeDefault := dict "key" "kubernetes.io/metadata.name" "operator" "NotIn" "values" (list (include "kyverno.namespace" .)) }}
+{{- $newWebhook := list }}
+{{- range $webhook := .Values.config.webhooks }}
+  {{- $namespaceSelector := default dict $webhook.namespaceSelector }}
+  {{- $matchExpressions := default list $namespaceSelector.matchExpressions }}
+  {{- $newNamespaceSelector := dict "matchLabels" $namespaceSelector.matchLabels "matchExpressions" (append $matchExpressions $excludeDefault) }}
+  {{- $newWebhook = append $newWebhook (merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector)) }}
+{{- end }}
+{{- $newWebhook | toJson }}
+{{- end }}

scripts/helmcharts/utilties/charts/kyverno/templates/aggregateroles.yaml

@@ -0,0 +1,89 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "kyverno.fullname" . }}:admin-policies
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    app: kyverno
+rules:
+- apiGroups:
+  - kyverno.io
+  resources:
+  - policies
+  - clusterpolicies
+  verbs:
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+    - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    app: kyverno
+  name: {{ template "kyverno.fullname" . }}:admin-policyreport
+rules:
+  - apiGroups:
+      - wgpolicyk8s.io
+    resources:
+      - policyreport
+      - clusterpolicyreport
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    app: kyverno
+  name: {{ template "kyverno.fullname" . }}:admin-reportchangerequest
+rules:
+- apiGroups:
+  - kyverno.io
+  resources:
+  - reportchangerequests
+  - clusterreportchangerequests
+  verbs:
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+    - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    app: kyverno
+  name: {{ template "kyverno.fullname" . }}:admin-generaterequest
+rules:
+- apiGroups:
+  - kyverno.io
+  resources:
+  - generaterequests
+  verbs:
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+    - watch
+
+{{- end }}

scripts/helmcharts/utilties/charts/kyverno/templates/clusterrole.yaml

@@ -0,0 +1,177 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "kyverno.fullname" . }}:userinfo
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    app: kyverno
+rules:
+- apiGroups:
+  - "rbac.authorization.k8s.io"
+  resources:
+  - roles
+  - clusterroles
+  - rolebindings
+  - clusterrolebindings
+  verbs:
+  - watch
+  - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "kyverno.fullname" . }}:policies
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    app: kyverno
+rules:
+- apiGroups:
+    - kyverno.io
+  resources:
+    - policies
+    - policies/status
+    - clusterpolicies
+    - clusterpolicies/status
+    - generaterequests
+    - generaterequests/status
+    - updaterequests
+    - updaterequests/status
+    - reportchangerequests
+    - reportchangerequests/status
+    - clusterreportchangerequests
+    - clusterreportchangerequests/status
+  verbs:
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+    - watch
+    - deletecollection
+- apiGroups:
+  - wgpolicyk8s.io
+  resources:
+  - policyreports
+  - policyreports/status
+  - clusterpolicyreports
+  - clusterpolicyreports/status
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+  - deletecollection
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "kyverno.fullname" . }}:view
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    app: kyverno
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "kyverno.fullname" . }}:generate
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    app: kyverno
+rules:
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+      - ingressclasses
+      - networkpolicies
+    verbs:
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+      - configmaps
+      - secrets
+      - resourcequotas
+      - limitranges
+    verbs:
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - rolebindings
+      - roles
+    verbs:
+      - create
+      - update
+      - patch
+      - delete
+  {{- if .Values.generatecontrollerExtraResources }}
+  - apiGroups:
+      - "*"
+    resources:
+    {{- range .Values.generatecontrollerExtraResources }}
+      - {{ . }}
+    {{- end }}
+    verbs:
+      - create
+      - update
+      - delete
+  {{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "kyverno.fullname" . }}:events
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    app: kyverno
+rules:
+- apiGroups:
+  - "*"
+  resources:
+  - events
+  verbs:
+  - create
+  - update
+  - patch
+  - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "kyverno.fullname" . }}:webhook
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    app: kyverno
+rules:
+- apiGroups:
+  - 'admissionregistration.k8s.io'
+  resources:
+  - mutatingwebhookconfigurations
+  - validatingwebhookconfigurations
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+
+{{- end }}

scripts/helmcharts/utilties/charts/kyverno/templates/clusterrolebinding.yaml

@@ -0,0 +1,92 @@
+{{- if .Values.rbac.create }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "kyverno.fullname" . }}:userinfo
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    app: kyverno
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "kyverno.fullname" . }}:userinfo
+subjects:
+- kind: ServiceAccount
+  name: {{ template "kyverno.serviceAccountName" . }}
+  namespace: {{ template "kyverno.namespace" . }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "kyverno.fullname" . }}:policies
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    app: kyverno
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "kyverno.fullname" . }}:policies
+subjects:
+- kind: ServiceAccount
+  name: {{ template "kyverno.serviceAccountName" . }}
+  namespace: {{ template "kyverno.namespace" . }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "kyverno.fullname" . }}:view
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    app: kyverno
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "kyverno.fullname" . }}:view
+subjects:
+- kind: ServiceAccount
+  name: {{ template "kyverno.serviceAccountName" . }}
+  namespace: {{ template "kyverno.namespace" . }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "kyverno.fullname" . }}:generate
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    app: kyverno
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "kyverno.fullname" . }}:generate
+subjects:
+- kind: ServiceAccount
+  name: {{ template "kyverno.serviceAccountName" . }}
+  namespace: {{ template "kyverno.namespace" . }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "kyverno.fullname" . }}:events
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    app: kyverno
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "kyverno.fullname" . }}:events
+subjects:
+- kind: ServiceAccount
+  name: {{ template "kyverno.serviceAccountName" . }}
+  namespace: {{ template "kyverno.namespace" . }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "kyverno.fullname" . }}:webhook
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    app: kyverno
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "kyverno.fullname" . }}:webhook
+subjects:
+- kind: ServiceAccount
+  name: {{ template "kyverno.serviceAccountName" . }}
+  namespace: {{ template "kyverno.namespace" . }}
+
+{{- end }}

scripts/helmcharts/utilties/charts/kyverno/templates/configmap.yaml

@@ -0,0 +1,30 @@
+{{- if (not .Values.config.existingConfig) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    app: kyverno
+  name: {{ template "kyverno.configMapName" . }}
+  namespace: {{ template "kyverno.namespace" . }}
+data:
+  # resource types to be skipped by kyverno policy engine
+  {{- if .Values.config.resourceFilters }}
+  resourceFilters: {{ include "kyverno.resourceFilters" . | quote }}
+  {{- end -}}
+  {{- if .Values.config.excludeGroupRole }}
+  excludeGroupRole: {{ join "," .Values.config.excludeGroupRole | quote }}
+  {{- end -}}
+  {{- if .Values.config.excludeUsername }}
+  excludeUsername: {{ join "," .Values.config.excludeUsername | quote }}
+  {{- end -}}
+  {{- if and .Values.config.webhooks .Values.excludeKyvernoNamespace }}
+  webhooks: {{ include "kyverno.webhooks" . | quote }}
+  {{- else if .Values.config.webhooks }}
+  webhooks: {{ .Values.config.webhooks | toJson | quote }}
+  {{- else if .Values.excludeKyvernoNamespace }}
+  webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["{{ include "kyverno.namespace" . }}"]}]}}]'
+  {{- end -}}
+  {{- if .Values.config.generateSuccessEvents }}
+  generateSuccessEvents: {{ .Values.config.generateSuccessEvents | quote }}
+  {{- end -}}
+{{- end -}}

scripts/helmcharts/utilties/charts/kyverno/templates/deployment.yaml

@@ -0,0 +1,148 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "kyverno.fullname" . }}
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    app: kyverno
+  namespace: {{ template "kyverno.namespace" . }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels: {{ include "kyverno.matchLabels" . | nindent 6 }}
+  {{- if .Values.updateStrategy }}
+  strategy:
+    {{ toYaml .Values.updateStrategy | nindent 4 | trim }}
+  {{- end }}
+  template:
+    metadata:
+      labels: {{ include "kyverno.labels" . | nindent 8 }}
+        app: kyverno
+        {{- range $key, $value := .Values.podLabels }}
+        {{ $key }}: {{ $value }}
+        {{- end }}
+      {{- with .Values.podAnnotations }}
+      annotations: {{ tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- with .Values.image.pullSecrets }}
+      imagePullSecrets: {{ tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.podSecurityContext }}
+      securityContext: {{ tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- if or .Values.antiAffinity.enable .Values.podAffinity .Values.nodeAffinity }}
+      affinity:
+        {{- if and .Values.antiAffinity.enable .Values.podAntiAffinity }}
+        podAntiAffinity:
+          {{- toYaml .Values.podAntiAffinity | nindent 10 }}
+        {{- end }}
+        {{- if .Values.podAffinity }}
+        podAffinity:
+          {{- toYaml .Values.podAffinity | nindent 10 }}
+        {{- end }}
+        {{- if .Values.nodeAffinity }}
+        nodeAffinity:
+          {{- toYaml .Values.nodeAffinity | nindent 10 }}
+        {{- end }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector: {{ tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations: {{ tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints: {{ tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ template "kyverno.serviceAccountName" . }}
+      {{- if .Values.priorityClassName }}
+      priorityClassName: {{ .Values.priorityClassName | quote }}
+      {{- end }}
+      {{- if .Values.hostNetwork }}
+      hostNetwork: {{ .Values.hostNetwork }}
+      {{- end }}
+      {{- if .Values.dnsPolicy }}
+      dnsPolicy: {{ .Values.dnsPolicy }}
+      {{- end }}
+      initContainers:
+        - name: kyverno-pre
+          image: {{ .Values.initImage.repository }}:{{ default .Chart.AppVersion (default .Values.image.tag .Values.initImage.tag) }}
+          imagePullPolicy: {{ default .Values.image.pullPolicy .Values.initImage.pullPolicy }}
+          {{- with .Values.initResources }}
+          resources: {{ tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+          {{- if .Values.securityContext }}
+          securityContext: {{ include "kyverno.securityContext" . | nindent 12 }}
+          {{- end }}
+          env:
+          - name: METRICS_CONFIG
+            value: {{ template "kyverno.metricsConfigMapName" . }}
+          - name: KYVERNO_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: KYVERNO_DEPLOYMENT
+            value: {{ template "kyverno.fullname" . }}
+          {{- with .Values.envVarsInit }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+      containers:
+        - name: kyverno
+          image: {{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if or .Values.extraArgs .Values.imagePullSecrets }}
+          args:
+            {{- if .Values.extraArgs -}}
+              {{ tpl (toYaml .Values.extraArgs) . | nindent 12 }}
+            {{- end }}
+            {{- if .Values.imagePullSecrets }}
+            - --imagePullSecrets={{ keys .Values.imagePullSecrets | join "," }}
+            {{- end }}
+          {{- end }}
+          {{- with .Values.resources }}
+          resources: {{ tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+          {{- if .Values.securityContext }}
+          securityContext: {{ include "kyverno.securityContext" . | nindent 12 }}
+          {{- end }}
+          ports:
+          - containerPort: 9443
+            name: https
+            protocol: TCP
+          - containerPort: 8000
+            name: metrics-port
+            protocol: TCP
+          env:
+          - name: INIT_CONFIG
+            value: {{ template "kyverno.configMapName" . }}
+          - name: METRICS_CONFIG
+            value: {{ template "kyverno.metricsConfigMapName" . }}
+          - name: KYVERNO_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: KYVERNO_POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: KYVERNO_SVC
+            value: {{ template "kyverno.serviceName" . }}
+          - name: TUF_ROOT
+            value: {{ .Values.tufRootMountPath }}
+          {{- with .Values.envVars }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+          - name: KYVERNO_DEPLOYMENT
+            value: {{ template "kyverno.fullname" . }}
+        {{- with .Values.livenessProbe }}
+          livenessProbe: {{ tpl (toYaml .) $ | nindent 12 }}
+        {{- end }}
+        {{- with .Values.readinessProbe }}
+          readinessProbe: {{ tpl (toYaml .) $ | nindent 12 }}
+        {{- end }}
+          volumeMounts:
+            - mountPath: {{ .Values.tufRootMountPath }}
+              name: sigstore
+      volumes:
+      - name: sigstore
+        emptyDir: {}

scripts/helmcharts/utilties/charts/kyverno/templates/helm-pre-delete-hook.yaml

@@ -0,0 +1,29 @@
+{{- if .Values.webhooksCleanup.enable }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ template "kyverno.fullname" . }}-hook-pre-delete
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    app: kyverno
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+spec:
+  template:
+    spec:
+      serviceAccount: {{ template "kyverno.serviceAccountName" . }}
+      containers:
+        - name: kubectl
+          image: {{ .Values.webhooksCleanup.image }}
+          command:
+            - sh
+            - '-c'
+            - >-
+              kubectl delete validatingwebhookconfiguration kyverno-policy-validating-webhook-cfg;
+              kubectl delete validatingwebhookconfiguration kyverno-resource-validating-webhook-cfg;
+              kubectl delete mutatingwebhookconfiguration kyverno-policy-mutating-webhook-cfg;
+              kubectl delete mutatingwebhookconfiguration kyverno-resource-mutating-webhook-cfg;
+              kubectl delete mutatingwebhookconfiguration kyverno-verify-mutating-webhook-cfg;
+      restartPolicy: Never
+  backoffLimit: 2
+{{- end }}

scripts/helmcharts/utilties/charts/kyverno/templates/imagepullsecret.yaml

@@ -0,0 +1,13 @@
+{{ range $name, $secret := .Values.imagePullSecrets }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  labels: {{ include "kyverno.labels" $ | nindent 4 }}
+    app: kyverno
+  name: {{ $name }}
+  namespace: {{ template "kyverno.namespace" $ }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ template "kyverno.imagePullSecret" $secret }}
+{{ end }}

scripts/helmcharts/utilties/charts/kyverno/templates/metricsconfigmap.yaml

@@ -0,0 +1,22 @@
+{{- if (not .Values.config.existingMetricsConfig) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    app: kyverno
+  name: {{ template "kyverno.metricsConfigMapName" . }}
+  namespace: {{ template "kyverno.namespace" . }}
+{{- if .Values.config.metricsConfig }}
+data:
+  {{- if .Values.config.metricsConfig.namespaces }}
+  namespaces: {{ .Values.config.metricsConfig.namespaces | toJson | quote }}
+  {{- end -}}
+  {{- if .Values.config.metricsConfig.metricsRefreshInterval }}
+  metricsRefreshInterval: {{ .Values.config.metricsConfig.metricsRefreshInterval }}
+  {{- end -}}
+{{- else }}
+data:
+  namespaces: '{"include": [], "exclude": []}'
+  metricsRefreshInterval: 0s
+{{- end }}
+{{- end -}}

scripts/helmcharts/utilties/charts/kyverno/templates/networkpolicy.yaml

@@ -0,0 +1,33 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    app: kyverno
+  name: {{ template "kyverno.fullname" . }}
+  namespace: {{ template "kyverno.namespace" . }}
+spec:
+  podSelector:
+    matchLabels:
+      app: kyverno
+  policyTypes:
+  - Ingress
+  {{- if .Values.networkPolicy.ingressFrom }}
+  ingress:
+  - from:
+    {{- with .Values.networkPolicy.ingressFrom }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+    ports:
+    - protocol: TCP
+      port: 9443 # webhook access
+  # Allow prometheus scrapes for metrics
+  {{- if .Values.metricsService.create }}
+    - protocol: TCP
+      port: {{ .Values.metricsService.port }}
+  {{- end }}
+  {{- else }}
+  ingress:
+    - {}
+  {{- end }}
+{{- end }}

scripts/helmcharts/utilties/charts/kyverno/templates/poddisruptionbudget.yaml

@@ -0,0 +1,18 @@
+{{- if (gt (int .Values.replicaCount) 1) }}
+{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }}
+apiVersion: policy/v1
+{{- else }}
+apiVersion: policy/v1beta1
+{{- end }}
+kind: PodDisruptionBudget
+metadata:
+  name: {{ template "kyverno.fullname" . }}
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    app: kyverno
+  namespace: {{ template "kyverno.namespace" . }}
+spec:
+{{- include "podDisruptionBudget.spec" . | indent 2 }}
+  selector:
+    matchLabels:  {{ include "kyverno.matchLabels" . | nindent 6 }}
+      app: kyverno
+{{- end }}

scripts/helmcharts/utilties/charts/kyverno/templates/role.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "kyverno.fullname" . }}:leaderelection
+  namespace: {{ template "kyverno.namespace" . }}
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    app: kyverno
+rules:
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - delete
+  - get
+  - patch
+  - update
+# Allow update of Kyverno deployment annotations
+- apiGroups:
+    - apps
+  resources:
+    - deployments
+  verbs:
+    - get
+    - list
+    - patch
+    - update
+    - watch
+
+{{- end }}

scripts/helmcharts/utilties/charts/kyverno/templates/rolebinding.yaml

@@ -0,0 +1,18 @@
+{{- if .Values.rbac.create }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "kyverno.fullname" . }}:leaderelection
+  namespace: {{ template "kyverno.namespace" . }}
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    app: kyverno
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "kyverno.fullname" . }}:leaderelection
+subjects:
+- kind: ServiceAccount
+  name: {{ template "kyverno.serviceAccountName" . }}
+  namespace: {{ template "kyverno.namespace" . }}
+
+{{- end }}

scripts/helmcharts/utilties/charts/kyverno/templates/secret.yaml

@@ -0,0 +1,25 @@
+{{- if .Values.createSelfSignedCert }}
+{{- $ca := genCA (printf "*.%s.svc" (include "kyverno.namespace" .)) 1024 -}}
+{{- $cert := genSignedCert (printf "%s.%s.svc" (include "kyverno.serviceName" .) (include "kyverno.namespace" .)) nil nil 1024 $ca -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    app: kyverno
+data:
+  rootCA.crt: {{ $ca.Cert | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    app: kyverno
+  annotations:
+    self-signed-cert: "true"
+type: kubernetes.io/tls
+data:
+  tls.key: {{ $cert.Key | b64enc }}
+  tls.crt: {{ $cert.Cert | b64enc }}
+{{- end -}}

scripts/helmcharts/utilties/charts/kyverno/templates/service.yaml

@@ -0,0 +1,47 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "kyverno.serviceName" . }}
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    app: kyverno
+  namespace: {{ template "kyverno.namespace" . }}
+  {{- with .Values.service.annotations }}
+  annotations: {{ tpl (toYaml .) $ | nindent 4 }}
+  {{- end }}
+spec:
+  ports:
+  - port: {{ .Values.service.port }}
+    targetPort: https
+    protocol: TCP
+    name: https
+    {{- if and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort)) }}
+    nodePort: {{ .Values.service.nodePort }}
+    {{- end }}
+  selector: {{ include "kyverno.matchLabels" . | nindent 4 }}
+    app: kyverno
+  type: {{ .Values.service.type }}
+---
+{{- if .Values.metricsService.create }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "kyverno.serviceName" . }}-metrics
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    app: kyverno
+  namespace: {{ template "kyverno.namespace" . }}
+  {{- with .Values.metricsService.annotations }}
+  annotations: {{ tpl (toYaml .) $ | nindent 4 }}
+  {{- end }}
+spec:
+  ports:
+  - port: {{ .Values.metricsService.port }}
+    targetPort: 8000
+    protocol: TCP
+    name: metrics-port
+    {{- if and (eq .Values.metricsService.type "NodePort") (not (empty .Values.metricsService.nodePort)) }}
+    nodePort: {{ .Values.metricsService.nodePort }}
+    {{- end }}
+  selector: {{ include "kyverno.matchLabels" . | nindent 4 }}
+    app: kyverno
+  type: {{ .Values.metricsService.type }}
+  {{- end -}}

scripts/helmcharts/utilties/charts/kyverno/templates/serviceaccount.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.rbac.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "kyverno.serviceAccountName" . }}
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    app: kyverno
+  {{- if .Values.rbac.serviceAccount.annotations }}
+  annotations: {{ toYaml .Values.rbac.serviceAccount.annotations | nindent 4 }}
+  {{- end }}
+  namespace: {{ template "kyverno.namespace" . }}
+{{- end }}

scripts/helmcharts/utilties/charts/kyverno/templates/servicemonitor.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.serviceMonitor.enabled }}
+apiVersion: "monitoring.coreos.com/v1"
+kind: ServiceMonitor
+metadata:
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+    app: kyverno
+{{- if .Values.serviceMonitor.additionalLabels }}
+{{ toYaml .Values.serviceMonitor.additionalLabels | indent 4 }}
+{{- end }}
+  name: {{ template "kyverno.serviceName" . }}-service-monitor
+{{- if .Values.serviceMonitor.namespace }}
+  namespace: {{ .Values.serviceMonitor.namespace }}
+{{- else }}
+  namespace: {{ template "kyverno.namespace" . }}
+{{- end }}
+spec:
+  selector:
+    matchLabels: {{ include "kyverno.matchLabels" . | nindent 6 }}
+      app: kyverno
+  namespaceSelector:
+    matchNames:
+    - {{ template "kyverno.namespace" . }}
+  endpoints:
+  - port: metrics-port
+    interval: {{ .Values.serviceMonitor.interval }}
+    scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
+  {{- if .Values.serviceMonitor.secure }}
+    scheme: https
+    tlsConfig:
+      {{- toYaml .Values.serviceMonitor.tlsConfig | nindent 8 }}
+    {{- end }}
+{{- end }}

scripts/helmcharts/utilties/charts/kyverno/templates/tests/test.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ template "kyverno.fullname" . }}-test"
+  labels:
+    {{- include "kyverno.test-labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  restartPolicy: Never
+  containers:
+    - name: wget
+      image: {{ .Values.testImage.repository | default "busybox" }}{{- if .Values.testImage.tag }}:{{ .Values.testImage.tag }}{{- end }}
+      imagePullPolicy: {{ default .Values.image.pullPolicy .Values.testImage.pullPolicy }}
+      command:
+        - /bin/sh
+        - -c
+        - |
+          sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.serviceName" . }}:{{ .Values.service.port }}/health/liveness
+    - name: wget-metrics
+      image: {{ .Values.testImage.repository | default "busybox" }}{{- if .Values.testImage.tag }}:{{ .Values.testImage.tag }}{{- end }}
+      imagePullPolicy: {{ default .Values.image.pullPolicy .Values.testImage.pullPolicy }}
+      command:
+        - /bin/sh
+        - -c
+        - |
+          sleep 20 ; wget -O- -S --no-check-certificate http://{{ template "kyverno.serviceName" . }}-metrics:{{ .Values.metricsService.port }}/metrics

scripts/helmcharts/utilties/charts/kyverno/templates/validate.yaml

@@ -0,0 +1,9 @@
+{{- if hasKey .Values "mode" }}
+  {{ fail "mode is not supported anymore, please remove it from your release and use replicaCount instead." }}
+{{- end }}
+
+{{- if .Values.replicaCount }}
+  {{- if eq (int .Values.replicaCount) 2 }}
+    {{ fail "Kyverno does not support running with 2 replicas. For a highly-available deployment, select 3 replicas or for standalone select 1 replica." }}
+  {{- end }}
+{{- end }}

scripts/helmcharts/utilties/charts/kyverno/values.yaml

@@ -0,0 +1,383 @@
+# -- Override the name of the chart
+nameOverride:
+
+# -- Override the expanded name of the chart
+fullnameOverride:
+
+# -- Namespace the chart deploys to
+namespace:
+
+# -- Additional labels
+customLabels: {}
+
+rbac:
+  # -- Create ClusterRoles, ClusterRoleBindings, and ServiceAccount
+  create: true
+  serviceAccount:
+    # -- Create a ServiceAccount
+    create: true
+    # -- The ServiceAccount name
+    name:
+    # -- Annotations for the ServiceAccount
+    annotations: {}
+      # example.com/annotation: value
+
+image:
+  # -- Image repository
+  repository: ghcr.io/kyverno/kyverno
+  # -- Image tag
+  # Defaults to appVersion in Chart.yaml if omitted
+  tag:  # replaced in e2e tests
+  # -- Image pull policy
+  pullPolicy: IfNotPresent
+  # -- Image pull secrets
+  pullSecrets: []
+  # - secretName
+
+initImage:
+  # -- Image repository
+  repository: ghcr.io/kyverno/kyvernopre
+  # -- Image tag
+  # If initImage.tag is missing, defaults to image.tag
+  tag:  # replaced in e2e tests
+  # -- Image pull policy
+  # If initImage.pullPolicy is missing, defaults to image.pullPolicy
+  pullPolicy:
+
+testImage:
+  # -- Image repository
+  # Defaults to `busybox` if omitted
+  repository:
+  # -- Image tag
+  # Defaults to `latest` if omitted
+  tag:
+  # -- Image pull policy
+  # Defaults to image.pullPolicy if omitted
+  pullPolicy:
+
+# -- (int) Desired number of pods
+replicaCount: ~
+
+# -- Additional labels to add to each pod
+podLabels: {}
+  # example.com/label: foo
+
+# -- Additional annotations to add to each pod
+podAnnotations: {}
+  # example.com/annotation: foo
+
+# -- Security context for the pod
+podSecurityContext: {}
+
+# -- Security context for the containers
+securityContext:
+  runAsNonRoot: true
+  privileged: false
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  capabilities:
+    drop:
+      - ALL
+  seccompProfile:
+    type: RuntimeDefault
+
+# -- Optional priority class to be used for kyverno pods
+priorityClassName: ''
+
+antiAffinity:
+  # -- Pod antiAffinities toggle.
+  # Enabled by default but can be disabled if you want to schedule pods to the same node.
+  enable: true
+
+# -- Pod anti affinity constraints.
+# @default -- See [values.yaml](values.yaml)
+podAntiAffinity:
+  preferredDuringSchedulingIgnoredDuringExecution:
+    - weight: 1
+      podAffinityTerm:
+        labelSelector:
+          matchExpressions:
+          - key: app.kubernetes.io/name
+            operator: In
+            values:
+            - kyverno
+        topologyKey: kubernetes.io/hostname
+
+# -- Pod affinity constraints.
+podAffinity: {}
+
+# -- Node affinity constraints.
+nodeAffinity: {}
+
+podDisruptionBudget:
+  # -- Configures the minimum available pods for kyverno disruptions.
+  # Cannot be used if `maxUnavailable` is set.
+  minAvailable: 1
+  # -- Configures the maximum unavailable pods for kyverno disruptions.
+  # Cannot be used if `minAvailable` is set.
+  maxUnavailable:
+
+# -- Node labels for pod assignment
+nodeSelector: {}
+
+# -- List of node taints to tolerate
+tolerations: []
+
+# -- Change `hostNetwork` to `true` when you want the kyverno's pod to share its host's network namespace.
+# Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
+# Update the `dnsPolicy` accordingly as well to suit the host network mode.
+hostNetwork: false
+
+# -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
+# In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
+# For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
+dnsPolicy: ClusterFirst
+
+# -- Env variables for initContainers.
+envVarsInit: {}
+
+# -- Env variables for containers.
+envVars: {}
+
+# -- Extra arguments to give to the binary.
+extraArgs:
+  - --autogenInternals=false
+
+# -- Image pull secrets for image verify and imageData policies.
+# This will define the `--imagePullSecrets` Kyverno argument.
+imagePullSecrets: {}
+  # Define two image pull secrets
+  # imagePullSecrets:
+  #   regcred:
+  #     registry: foo.example.com
+  #     username: foobar
+  #     password: secret
+  #   regcred2:
+  #     registry: bar.example.com
+  #     username: barbaz
+  #     password: secret2
+
+resources:
+  # -- Pod resource limits
+  limits:
+    memory: 384Mi
+  # -- Pod resource requests
+  requests:
+    cpu: 100m
+    memory: 128Mi
+
+initResources:
+  # -- Pod resource limits
+  limits:
+    cpu: 100m
+    memory: 256Mi
+  # -- Pod resource requests
+  requests:
+    cpu: 10m
+    memory: 64Mi
+
+# -- Liveness probe.
+# The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want.
+# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
+# @default -- See [values.yaml](values.yaml)
+livenessProbe:
+  httpGet:
+    path: /health/liveness
+    port: 9443
+    scheme: HTTPS
+  initialDelaySeconds: 15
+  periodSeconds: 30
+  timeoutSeconds: 5
+  failureThreshold: 2
+  successThreshold: 1
+
+# -- Readiness Probe.
+# The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want.
+# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
+# @default -- See [values.yaml](values.yaml)
+readinessProbe:
+  httpGet:
+    path: /health/readiness
+    port: 9443
+    scheme: HTTPS
+  initialDelaySeconds: 5
+  periodSeconds: 10
+  timeoutSeconds: 5
+  failureThreshold: 6
+  successThreshold: 1
+
+# TODO(mbarrien): Should we just list all resources for the
+# generatecontroller in here rather than having defaults hard-coded?
+generatecontrollerExtraResources:
+# - ResourceA
+# - ResourceB
+
+# -- Exclude Kyverno namespace
+# Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters
+excludeKyvernoNamespace: true
+
+config:
+  # -- Resource types to be skipped by the Kyverno policy engine.
+  # Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list.
+  # These are joined together without spaces, run through `tpl`, and the result is set in the config map.
+  # @default -- See [values.yaml](values.yaml)
+  resourceFilters:
+  - '[Event,*,*]'
+  - '[*,kube-system,*]'
+  - '[*,kube-public,*]'
+  - '[*,kube-node-lease,*]'
+  - '[Node,*,*]'
+  - '[APIService,*,*]'
+  - '[TokenReview,*,*]'
+  - '[SubjectAccessReview,*,*]'
+  - '[SelfSubjectAccessReview,*,*]'
+  - '[Binding,*,*]'
+  - '[ReplicaSet,*,*]'
+  - '[ReportChangeRequest,*,*]'
+  - '[ClusterReportChangeRequest,*,*]'
+  # exclude resources from the chart
+  - '[ClusterRole,*,{{ template "kyverno.fullname" . }}:*]'
+  - '[ClusterRoleBinding,*,{{ template "kyverno.fullname" . }}:*]'
+  - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceAccountName" . }}]'
+  - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.configMapName" . }}]'
+  - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.metricsConfigMapName" . }}]'
+  - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]'
+  - '[Job,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
+  - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]'
+  - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]'
+  - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}:*]'
+  - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}:*]'
+  - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
+  - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}]'
+  - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}-metrics]'
+  - '[ServiceMonitor,{{ if .Values.serviceMonitor.namespace }}{{ .Values.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.serviceName" . }}-service-monitor]'
+  - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-test]'
+
+  # -- Name of an existing config map (ignores default/provided resourceFilters)
+  existingConfig: ''
+  # -- Exclude group role
+  excludeGroupRole:
+  # - ''
+  # -- Exclude username
+  excludeUsername:
+  # - ''
+  # -- Defines the `namespaceSelector` in the webhook configurations.
+  # Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element
+  # will be forwarded to the webhook configurations.
+  # The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default)
+  webhooks:
+    # Exclude namespaces
+    # - namespaceSelector:
+    #     matchExpressions:
+    #     - key: kubernetes.io/metadata.name
+    #       operator: NotIn
+    #       values:
+    #         - kube-system
+    #         - kyverno
+    # Exclude objects
+    # - objectSelector:
+    #     matchExpressions:
+    #     - key: webhooks.kyverno.io/exclude
+    #       operator: DoesNotExist
+
+  # -- Generate success events.
+  generateSuccessEvents: false
+  # -- Metrics config.
+  metricsConfig:
+    namespaces: {
+      "include": [],
+      "exclude": []
+    }
+    # 'namespaces.include': list of namespaces to capture metrics for. Default: metrics being captured for all namespaces except excludeNamespaces.
+    # 'namespaces.exclude': list of namespaces to NOT capture metrics for. Default: []
+
+    # metricsRefreshInterval: 24h
+    # rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno's metrics. Default: 0, no refresh of metrics
+
+  # Or provide an existing metrics config-map by uncommenting the below line
+  # existingMetricsConfig: sample-metrics-configmap. Refer to the ./templates/metricsconfigmap.yaml for the structure of metrics configmap.
+# -- Deployment update strategy.
+# Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
+# @default -- See [values.yaml](values.yaml)
+updateStrategy:
+  rollingUpdate:
+    maxSurge: 1
+    maxUnavailable: 40%
+  type: RollingUpdate
+
+service:
+  # -- Service port.
+  port: 443
+  # -- Service type.
+  type: ClusterIP
+  # -- Service node port.
+  # Only used if `service.type` is `NodePort`.
+  nodePort:
+  # -- Service annotations.
+  annotations: {}
+
+# -- Topology spread constraints.
+topologySpreadConstraints: []
+
+metricsService:
+  # -- Create service.
+  create: true
+  # -- Service port.
+  # Kyverno's metrics server will be exposed at this port.
+  port: 8000
+  # -- Service type.
+  type: ClusterIP
+  # -- Service node port.
+  # Only used if `metricsService.type` is `NodePort`.
+  nodePort:
+  # -- Service annotations.
+  annotations: {}
+
+serviceMonitor:
+  # -- Create a `ServiceMonitor` to collect Prometheus metrics.
+  enabled: false
+  # -- Additional labels
+  additionalLabels:
+    # key: value
+  # -- Override namespace (default is the same as kyverno)
+  namespace:
+  # --  Interval to scrape metrics
+  interval: 30s
+  # -- Timeout if metrics can't be retrieved in given time interval
+  scrapeTimeout: 25s
+  # -- Is TLS required for endpoint
+  secure: false
+  # -- TLS Configuration for endpoint
+  tlsConfig: {}
+
+# -- Kyverno requires a certificate key pair and corresponding certificate authority
+# to properly register its webhooks. This can be done in one of 3 ways:
+# 1) Use kube-controller-manager to generate a CA-signed certificate (preferred)
+# 2) Provide your own CA and cert.
+#    In this case, you will need to create a certificate with a specific name and data structure.
+#    As long as you follow the naming scheme, it will be automatically picked up.
+#    kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entry named rootCA.crt)
+#    kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt)
+# 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true
+# If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false
+createSelfSignedCert: false
+
+# -- Whether to have Helm install the Kyverno CRDs.
+# If the CRDs are not installed by Helm, they must be added before policies can be created.
+installCRDs: true
+
+networkPolicy:
+  # -- When true, use a NetworkPolicy to allow ingress to the webhook
+  # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
+  enabled: false
+  # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
+  ingressFrom: []
+
+webhooksCleanup:
+  # -- Create a helm pre-delete hook to cleanup webhooks.
+  enable: false
+  # -- `kubectl` image to run commands for deleting webhooks.
+  image: bitnami/kubectl:latest
+
+# -- A writable volume to use for the TUF root initialization
+tufRootMountPath: /.sigstore

scripts/helmcharts/utilties/files/cosign.pub

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuSUrc90YHUpXwB2E7Hu080K6z+Yc
+esqGVAEESg9lEjQUaxOUqRkW3nI/vXRQayLEfBs6ugPNqCH+DbuarI9Jkg==
+-----END PUBLIC KEY-----

scripts/helmcharts/utilties/templates/kyverno.yaml

@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: cosign
+spec:
+  validationFailureAction: enforce
+  background: false
+  webhookTimeoutSeconds: 30
+  failurePolicy: Fail
+  rules:
+    - name: openreplay-image-signature
+      match:
+        any:
+        - resources:
+            kinds:
+            - Pod
+            - Deployment
+      verifyImages:
+      - imageReferences:
+        - "public.ecr.aws/p1t3u8a3/*"
+        attestors:
+        - count: 1
+          entries:
+          - keys:
+              publicKeys: |-
+                -----BEGIN PUBLIC KEY-----
+                MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuSUrc90YHUpXwB2E7Hu080K6z+Yc
+                esqGVAEESg9lEjQUaxOUqRkW3nI/vXRQayLEfBs6ugPNqCH+DbuarI9Jkg==
+                -----END PUBLIC KEY-----