From c2713c1bb4c37101ddbf2b93aeda269ad63911b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez=20L=C3=B3pez?=
Date: Tue, 20 Apr 2021 13:27:34 +0200
Subject: [PATCH 1/2] Add descriptive files for Rancher UI to show for this chart

---
 charts/kubewarden-controller/Chart.yaml | 10 ++-
 charts/kubewarden-controller/README.md | 82 ++++++++++++++++++++++
 charts/kubewarden-controller/app-readme.md | 12 ++++
 3 files changed, 102 insertions(+), 2 deletions(-)
 create mode 100644 charts/kubewarden-controller/README.md
 create mode 100644 charts/kubewarden-controller/app-readme.md

diff --git a/charts/kubewarden-controller/Chart.yaml b/charts/kubewarden-controller/Chart.yaml
index 5988fd32..c47af956 100644
--- a/charts/kubewarden-controller/Chart.yaml
+++ b/charts/kubewarden-controller/Chart.yaml
@@ -1,13 +1,19 @@
 apiVersion: v2
 name: kubewarden-controller
 description: A Helm chart for deploying the Kubewarden stack
-
+icon: https://www.kubewarden.io/images/icon-kubewarden.svg
 type: application
+home: https://www.kubewarden.io/
+maintainers:
+- name: Flavio Castelli
+ email: fcastelli@suse.com
+- name: Rafael Fernández López
+ email: rfernandezlopez@suse.com
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.9
+version: 0.1.10
 
 # This is the version of kubewarden-controller container image to be used
 appVersion: "v0.1.4"
diff --git a/charts/kubewarden-controller/README.md b/charts/kubewarden-controller/README.md
new file mode 100644
index 00000000..3bdc36fc
--- /dev/null
+++ b/charts/kubewarden-controller/README.md
@@ -0,0 +1,82 @@
+Kubewarden is a Kubernetes Dynamic Admission Controller that uses policies written
+in WebAssembly.
+
+For more information refer to the [official Kubewarden website](https://kubewarden.io/).
+
+# kubewarden-controller
+
+`kubewarden-controller` is a Kubernetes controller that allows you to
+dynamically register Kubewarden admission policies.
+
+The `kubewarden-controller` will reconcile the admission policies you
+have registered against the Kubernetes webhooks of the cluster where
+it is deployed.
+
+## Installation
+
+The kubewarden-controller can be deployed using a helm chart:
+
+```shell
+$ helm repo add kubewarden https://charts.kubewarden.io
+$ helm install --create-namespace -n kubewarden kubewarden-controller kubewarden/kubewarden-controller
+```
+
+This will install kubewarden-controller on the Kubernetes cluster in the default
+configuration.
+
+The default configuration values should be good enough for the
+majority of deployments, all the options are documented
+[here](https://charts.kubewarden.io/#configuration).
+
+## Usage
+
+Once the kubewarden-controller is up and running, Kubewarden policies can be defined
+via the `ClusterAdmissionPolicy` resource.
+
+The documentation of this Custom Resource can be found
+[here](https://github.com/kubewarden/kubewarden-controller/blob/main/docs/crds/README.asciidoc)
+or on [docs.crds.dev](https://doc.crds.dev/github.com/kubewarden/kubewarden-controller).
+
+**Note well:** `ClusterAdmissionPolicy` resources are cluster-wide.
+
+### Deploy your first admission policy
+
+The following snippet defines a Kubewarden Policy based on the
+[pod-privileged](https://github.com/kubewarden/pod-privileged-policy)
+policy:
+
+```yaml
+apiVersion: policies.kubewarden.io/v1alpha1
+kind: ClusterAdmissionPolicy
+metadata:
+ name: privileged-pods
+spec:
+ module: registry://ghcr.io/kubewarden/policies/pod-privileged:v0.1.0
+ resources:
+ - pods
+ operations:
+ - CREATE
+ - UPDATE
+ settings:
+ trusted_users:
+ - alice
+ mutating: false
+```
+
+This `ClusterAdmissionPolicy` will evaluate all the `CREATE` and
+`UPDATE` operations performed against Pods. Only the user `alice` will
+be allowed to create privileged Pods.
+
+Creating the resource inside of Kubernetes is sufficient to enforce the policy:
+
+```shell
+$ kubectl apply -f https://raw.githubusercontent.com/kubewarden/kubewarden-controller/main/config/samples/kubewarden_v1alpha1_clusteradmissionpolicy.yaml
+```
+
+### Remove your first admission policy
+
+You can delete the admission policy you just created:
+
+```
+$ kubectl delete clusteradmissionpolicy privileged-pod
+```
diff --git a/charts/kubewarden-controller/app-readme.md b/charts/kubewarden-controller/app-readme.md
new file mode 100644
index 00000000..f131c7e2
--- /dev/null
+++ b/charts/kubewarden-controller/app-readme.md
@@ -0,0 +1,12 @@
+# Kubewarden
+
+[Kubewarden](https://kubewarden.io) makes it very easy to write and
+distribute Kubernetes admission and mutation policies using your
+preferred languages and frameworks, as well-known distribution methods
+for policies.
+
+It is powered by [WebAssembly](https://webassembly.org/), so
+Kubewarden policies are processor, architecture and OS agnostic.
+
+Download policies or build your own once, and run it everywhere, no
+matter what the system is.

From 172715bfbd7ff8353d3dd81d7672bd17f622736c Mon Sep 17 00:00:00 2001
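Review bot: The cleanup command at the end of the "Remove your first admission policy" section names `privileged-pod`, but the `ClusterAdmissionPolicy` defined in the snippet above has `metadata.name: privileged-pods`, so the documented `kubectl delete` will fail with a not-found error; the line should read `$ kubectl delete clusteradmissionpolicy privileged-pods`. The apply step also fetches `config/samples/kubewarden_v1alpha1_clusteradmissionpolicy.yaml` from the `main` branch rather than applying the snippet the reader just studied, so what gets enforced on the cluster is whatever that sample contains at fetch time and may diverge from the `alice`/`trusted_users` behaviour described in the text; applying the snippet itself (for example saved to a local file) keeps the example self-contained. The `module:` reference pins the policy by tag (`v0.1.0`), which is mutable at the registry; a one-line note that production policies should be pinned to an immutable reference where the registry supports it would help readers who copy this as a template. The app-readme.md hunk in the same commit is documentation only and raises no further point.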
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez=20L=C3=B3pez?=
Date: Tue, 20 Apr 2021 16:26:09 +0200
Subject: [PATCH 2/2] Update README.md with up to date examples

---
 charts/kubewarden-controller/README.md | 50 ++++++++++++++++++++------
 1 file changed, 40 insertions(+), 10 deletions(-)

diff --git a/charts/kubewarden-controller/README.md b/charts/kubewarden-controller/README.md
index 3bdc36fc..7f89259d 100644
--- a/charts/kubewarden-controller/README.md
+++ b/charts/kubewarden-controller/README.md
@@ -51,26 +51,56 @@ kind: ClusterAdmissionPolicy
 metadata:
 name: privileged-pods
 spec:
- module: registry://ghcr.io/kubewarden/policies/pod-privileged:v0.1.0
+ module: registry://ghcr.io/kubewarden/policies/pod-privileged:v0.1.5
 resources:
 - pods
 operations:
 - CREATE
 - UPDATE
- settings:
- trusted_users:
- - alice
 mutating: false
 ```
-This `ClusterAdmissionPolicy` will evaluate all the `CREATE` and
-`UPDATE` operations performed against Pods. Only the user `alice` will
-be allowed to create privileged Pods.
+Let's try to create a Pod with no privileged containers:
-Creating the resource inside of Kubernetes is sufficient to enforce the policy:
+```shell
+kubectl apply -f - <