Kubewarden

Kubewarden 1.32 Release

Author: Víctor Cuadrado Juan

Another year rolls around, and Kubewarden is still growing like a well-watered houseplant! Kubewarden got a New Year’s resolution to tidy up and repot, and has gone full on with digital gardening. This release is a maintenance one, with big moves to monorepos and a refresh in release artifacts.

New Admission Controller monorepo

With the addition of SBOMscanner to the Kubewarden harvest, we saw a great opportunity for cleanup on the Admission Controller side.

Previously, we had several repositories for all the bits and pieces: main repos such as kubewarden-controller, policy-server, audit-scanner, and kwctl, as well as library repos such as policy-evaluator, policy-fetcher, context-aware-test-policy, and so on.

Now, all of those are included in our admission controller monorepo:

github.com/kubewarden/kubewarden-controller

This monorepo contains all the bits and libraries to build the Admission Controller and our kwctl CLI library.

To make this monorepo a reality, we tackled quite the list of tasks for each of those repositories: we moved to a Cargo workspace, added Go code for the Controller and Audit Scanner, refactored those codebases a bit, adapted CI/CD pipelines (including Updatecli pipelines), streamlined GitHub release and package automation, cleaned up legacy directories, and updated development documentation and contribution guidelines, among others.

This turned out to be an epic effort, and we are happy with how it’s turning out. It ensures that every part of the Admission Controller, from code to releases, now lives and grows together, making development smoother and future improvements easier for everyone.

Developing with Tilt

Tilt is a developer tool that installs your local Helm charts, rebuilds your images and live-updates your development environment whenever you make changes to the code.

We have taken this opportunity to migrate our Tilt configs and institutionalize them inside the Admission Controller monorepo. With this, you are just one tilt up command away from having a nice development session of the Kubewarden admission controller and all its bits. You can then open the Tilt web interface to monitor how everything behaves, make your code changes, and see everything rebuilding and refreshing in real time.

Tilt initialization screenshot

Read our refreshed CONTRIBUTING.md to get up to speed.

New Policies monorepo

What better moment to keep folding repositories than this release. We have also herded our Rust, Go (WASI & WaPC), and Rego policy repositories into a general policy monorepo:

github.com/kubewarden/policies

This monorepo contains (at the time of writing) 55 policies that each used to live in their own repository.

The new policies monorepo has per-policy Makefiles and a CI/CD setup that heavily reuses those local Make targets, with end-to-end tests, unit tests, formatting and linting. We also continue to have nice dependency and release automation with Updatecli and Renovate bot, and we get far fewer GitHub notifications, which makes it a joy to maintain. We are happy to see that contributors find it easier to work with them too!

All these policies are released on artifacthub.io, and nothing has changed there. Thanks to the Artifact Hub maintainers' collaboration, we were able to migrate all of them without a hiccup. Cheers to them!

This monorepo mirrors our already existing monorepo for Rego policies in kubewarden/rego-policies-library.

Changes to release artifacts

The kwctl CLI binary release artifacts are now found in the GitHub releases of our controller monorepo.

The GitHub releases under kubewarden/helm-charts no longer ship a <charts>_images.txt file. Each Helm chart still includes its own imagelist.txt and policylist.txt inside the chart to aid in air-gap installation. See our updated air-gap docs (we recommend using Hauler).

Changes to Cosign signature metadata

Cosign signatures of our artifacts have changed their CertificateIdentity with the change of repositories.

Container images, kwctl, and policies are now signed with a different identity, because their GitHub release workflow URI has changed:

  • The policy-server and audit-scanner images are now signed by the github.com/kubewarden/kubewarden-controller release.yml job.
  • kwctl artifacts are now signed by the github.com/kubewarden/kubewarden-controller release.yml job.
  • Policies are now signed by the github.com/kubewarden/policies release.yml job.

For example, the policy-server image was previously produced by a GH release workflow under kubewarden/policy-server and is now generated from kubewarden/kubewarden-controller. This means that:

  • The old policy-server:v1.31.0 CertificateIdentity had a SAN value of: "https://github.com/kubewarden/policy-server/.github/workflows/release.yml@refs/tags/v1.31.0"
  • The new policy-server:v1.32.0 CertificateIdentity has a SAN value of: "https://github.com/kubewarden/kubewarden-controller/.github/workflows/release.yml@refs/tags/v1.32.0"

The slsactl utility has been updated for this change.
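
Verification scripts that pin the old identity need a cutover at 1.32. The following is an added example, not code from the Kubewarden project: it derives the exact SAN to pin for a given policy-server tag and prints the matching cosign command. The function names, the ghcr.io/kubewarden/policy-server registry path, the GitHub Actions OIDC issuer URL, and the rule that every tag before 1.32 uses the old repository's release.yml are assumptions.

```sh
#!/bin/sh
# Added example, not Kubewarden project code. Picks the exact certificate
# identity (SAN) to pin when verifying a policy-server image tag with cosign.
# Assumptions: every tag before 1.32 was signed from kubewarden/policy-server
# and every later tag from the monorepo; both use release.yml as in the post.

OIDC_ISSUER="https://token.actions.githubusercontent.com" # GitHub Actions issuer
CUTOVER_MINOR=32 # first 1.x minor signed from kubewarden/kubewarden-controller

# is_number STR: succeed only if STR is a non-empty run of decimal digits.
is_number() {
  case "$1" in '' | *[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# policy_server_identity TAG: print the expected SAN, or fail with status 2.
# Only strict vMAJOR.MINOR.PATCH tags are accepted, so nothing unexpected
# ends up inside the identity string handed to cosign.
policy_server_identity() {
  tag=$1
  ver=${tag#v}
  case "$tag" in v*.*.*) ;; *) echo "not vMAJOR.MINOR.PATCH: $tag" >&2; return 2 ;; esac
  major=${ver%%.*}; rest=${ver#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  if ! { is_number "$major" && is_number "$minor" && is_number "$patch"; }; then
    echo "not vMAJOR.MINOR.PATCH: $tag" >&2
    return 2
  fi
  if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge "$CUTOVER_MINOR" ]; }; then
    repo="kubewarden/kubewarden-controller"
  else
    repo="kubewarden/policy-server"
  fi
  printf 'https://github.com/%s/.github/workflows/release.yml@refs/tags/%s\n' "$repo" "$tag"
}

# cosign_verify_cmd IMAGE_REPO TAG: print the cosign invocation with an exact
# identity match (no --certificate-identity-regexp, which could also accept
# other workflows if written loosely).
cosign_verify_cmd() {
  san=$(policy_server_identity "$2") || return $?
  printf 'cosign verify --certificate-oidc-issuer %s --certificate-identity %s %s:%s\n' \
    "$OIDC_ISSUER" "$san" "$1" "$2"
}

# The registry path below is an assumption; the post does not name it.
cosign_verify_cmd ghcr.io/kubewarden/policy-server v1.32.0
```

Pinning the exact identity per tag means a v1.32.0 image carrying a signature from the old repository's workflow, or the reverse, fails verification instead of passing on a broad pattern.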

Simplifying versioning: patching together

Previously, our images and our kwctl CLI utility could get patch releases independently. For example, we could have a policy-server:1.32.0 image and kwctl in version 1.32.1.

From now on, we will release the Kubewarden Admission Controller stack in sync: if the policy-server container image gets a patch release, so will the kubewarden-controller image and our kwctl utility. As usual, we have documented this in our RFC repo and updated the docs.

Ongoing cleanup touches

There are still some minor cleanups, reorganization, and further automation to perform for the benefit of developers. These cleanups will land in future versions.

Our docs at doc.kubewarden.io will also get expanded in the near future. Stay tuned!

Getting in touch

Join the conversation on Slack or GitHub discussions and let us know how you’re finding Kubewarden 1.32!