From c552d351cf27b01142f9c5a0e2e2918ff86ab42c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?= Date: Thu, 13 Jul 2023 11:21:27 +0200 Subject: [PATCH 1/6] build: Don't ship chart-values.yaml in charts, only values.yaml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit chart-values.yaml is only used for concatenating together with common-values.yaml, to form the end values.yaml. Signed-off-by: Víctor Cuadrado Juan --- Makefile | 2 ++ charts/kubewarden-controller/.helmignore | 3 +++ charts/kubewarden-crds/.helmignore | 3 +++ charts/kubewarden-defaults/.helmignore | 3 +++ 4 files changed, 11 insertions(+) diff --git a/Makefile b/Makefile index 2f618798..a6728eda 100644 --- a/Makefile +++ b/Makefile @@ -2,6 +2,8 @@ SHELL:=bash .PHONY: generate-values generate-values: +# build values.yaml for each chart, from the common-values.yaml and their specific +# chart-values.yaml @echo "# This file was autogenerated." > charts/kubewarden-crds/values.yaml @echo >> charts/kubewarden-crds/values.yaml @cat charts/kubewarden-crds/chart-values.yaml >> charts/kubewarden-crds/values.yaml diff --git a/charts/kubewarden-controller/.helmignore b/charts/kubewarden-controller/.helmignore index 0e8a0eb3..b875eace 100644 --- a/charts/kubewarden-controller/.helmignore +++ b/charts/kubewarden-controller/.helmignore @@ -21,3 +21,6 @@ .idea/ *.tmproj .vscode/ + +# dev files +chart-values.yaml diff --git a/charts/kubewarden-crds/.helmignore b/charts/kubewarden-crds/.helmignore index 0e8a0eb3..b875eace 100644 --- a/charts/kubewarden-crds/.helmignore +++ b/charts/kubewarden-crds/.helmignore @@ -21,3 +21,6 @@ .idea/ *.tmproj .vscode/ + +# dev files +chart-values.yaml diff --git a/charts/kubewarden-defaults/.helmignore b/charts/kubewarden-defaults/.helmignore index 0e8a0eb3..b875eace 100644 --- a/charts/kubewarden-defaults/.helmignore +++ b/charts/kubewarden-defaults/.helmignore 
@@ -21,3 +21,6 @@ .idea/ *.tmproj .vscode/ + +# dev files +chart-values.yaml From e9f2bad884358bb241fd8f9d77655d07e9447aeb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?= Date: Thu, 13 Jul 2023 11:38:58 +0200 Subject: [PATCH 2/6] ci: Update workflow for audit-scanner CRDs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add download CRDs audit-scanner for all possible updates. Expand the detection of changed CRDs for all possible updates. Update the install_crds.sh script so it includes the new CRDs. Signed-off-by: Víctor Cuadrado Juan --- .github/workflows/update-charts.yml | 94 +++++++++++++++++++++++++---- updatecli/scripts/install_crds.sh | 8 ++- 2 files changed, 89 insertions(+), 13 deletions(-) diff --git a/.github/workflows/update-charts.yml b/.github/workflows/update-charts.yml index 1a7be522..196598c4 100644 --- a/.github/workflows/update-charts.yml +++ b/.github/workflows/update-charts.yml @@ -18,7 +18,10 @@ jobs: with: script: | let repository = context.payload.client_payload.repository - if (!repository.endsWith("kubewarden-controller") && !repository.endsWith("policy-server") && !repository.endsWith("kwctl")) { + if (!repository.endsWith("kubewarden-controller") && \ + !repository.endsWith("policy-server") && \ + !repository.endsWith("kwctl")) && \ + !repository.endsWith("audit-scanner")) { core.setFailed("Invalid repository") } @@ -77,7 +80,7 @@ jobs: - name: Checkout uses: actions/checkout@v3 - - name: Download CRDS + - name: Download CRDS controller if: endsWith(github.event.client_payload.repository, 'kubewarden-controller') uses: actions/github-script@v6 with: 
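Review bot: The rewritten `if` in the repository-validation `script:` block is a JavaScript syntax error and the step will fail before the check runs: the trailing `\` continuations are not valid outside a string literal, and `!repository.endsWith("kwctl"))` closes the `if (` one term early, leaving `&& \ !repository.endsWith("audit-scanner")) {` dangling. The check is also a suffix match on `client_payload.repository`, so any repository whose name ends in one of these strings passes; if the dispatch source is meant to be restricted, comparing the full `owner/name` against an allowlist would be stricter. Drop the backslashes and balance the parentheses as below.
```yaml
            if (!repository.endsWith("kubewarden-controller") &&
                !repository.endsWith("policy-server") &&
                !repository.endsWith("kwctl") &&
                !repository.endsWith("audit-scanner")) {
              core.setFailed("Invalid repository")
            }
```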
@@ -94,21 +97,45 @@ jobs: accept: "application/octet-stream"}, }) let fs = require('fs'); - fs.writeFileSync("/tmp/crds.tar.gz", Buffer.from(asset.data)) + fs.writeFileSync("/tmp/crds-controller.tar.gz", Buffer.from(asset.data)) } - - name: Update CRDS - if: endsWith(github.event.client_payload.repository, 'kubewarden-controller') + - name: Download CRDS audit-scanner + if: endsWith(github.event.client_payload.repository, 'audit-scanner') + uses: actions/github-script@v6 + with: + script: | + let repository = context.payload.client_payload.repository + if (repository.endsWith("audit-scanner")) { + let crds_asset_id = context.payload.client_payload.crds_asset_id + console.log(`Fetching asset ID: ${crds_asset_id}`) + let repository_split = context.payload.client_payload.repository.split("/") + let owner = repository_split[0] + let repository = repository_split[1] + let asset = await github.rest.repos.getReleaseAsset({ + owner: owner, repo: repository, asset_id: crds_asset_id, headers:{ + accept: "application/octet-stream"}, + }) + let fs = require('fs'); + fs.writeFileSync("/tmp/crds-audit-scanner.tar.gz", Buffer.from(asset.data)) + } + + - name: Update CRDs + if: endsWith(github.event.client_payload.repository, 'kubewarden-controller') || endsWith(github.event.client_payload.repository, 'audit-scanner') id: update_crds run: | # The next commands are use in the updatecli/scripts/install_crds.sh as well. # Here the commands are used to detect CRDs changes. In the script they are used # to install the CRDs - tar -xvf /tmp/crds.tar.gz + tar -xvf /tmp/crds-controller.tar.gz find . -maxdepth 1 -name "*_policyserver*" -exec mv \{\} charts/kubewarden-crds/templates/policyservers.yaml \; find . -maxdepth 1 -name "*_admissionpolicies*" -exec mv \{\} charts/kubewarden-crds/templates/admissionpolicies.yaml \; find . 
-maxdepth 1 -name "*_clusteradmissionpolicies*" -exec mv \{\} charts/kubewarden-crds/templates/clusteradmissionpolicies.yaml \; + tar -xvf /tmp/crds-audit-scanner.tar.gz + find . -maxdepth 1 -name "*_clusterpolicyreports*" -exec mv \{\} charts/kubewarden-crds/templates/clusterpolicyreports.yaml \; + find . -maxdepth 1 -name "*_policyreports*" -exec mv \{\} charts/kubewarden-crds/templates/policyreports.yaml \; + set +e git diff --exit-code --no-patch charts/kubewarden-crds echo "must_update_crds_chart=$?" >> $GITHUB_OUTPUT @@ -151,7 +178,7 @@ jobs: let repository_split = context.payload.client_payload.repository.split("/") let owner = repository_split[0] const version = context.payload.client_payload.version - let repos = ['kubewarden-controller', 'policy-server', 'kwctl'] + let repos = ['kubewarden-controller', 'policy-server', 'kwctl', 'audit-scanner'] for (const repo of repos) { try { @@ -162,7 +189,7 @@ jobs: } - name: Check if CRD are available in the Kubewarden controller - id: download_crds + id: download_crds_controller uses: actions/github-script@v6 with: script: | 
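Review bot: The `Update CRDs` step at the end of the hunk now extracts both `/tmp/crds-controller.tar.gz` and `/tmp/crds-audit-scanner.tar.gz`, but the two download steps above it are each gated on a different repository suffix, so on any single dispatch only one tarball exists and the other `tar -xvf` fails the step (`set +e` only comes after the extractions). Guard each extraction on the tarball being present, as below, or gate the whole step on the tarball rather than on the repository name. In the new `Download CRDS audit-scanner` step the inner `if (repository.endsWith("audit-scanner"))` repeats the step-level `if:` and can be dropped.
```yaml
          # … unchanged: comment about updatecli/scripts/install_crds.sh …
          if [ -f /tmp/crds-controller.tar.gz ]; then
            tar -xvf /tmp/crds-controller.tar.gz
            find . -maxdepth 1 -name "*_policyserver*" -exec mv \{\} charts/kubewarden-crds/templates/policyservers.yaml \;
            # … unchanged: admissionpolicies and clusteradmissionpolicies moves …
          fi
          if [ -f /tmp/crds-audit-scanner.tar.gz ]; then
            tar -xvf /tmp/crds-audit-scanner.tar.gz
            find . -maxdepth 1 -name "*_clusterpolicyreports*" -exec mv \{\} charts/kubewarden-crds/templates/clusterpolicyreports.yaml \;
            find . -maxdepth 1 -name "*_policyreports*" -exec mv \{\} charts/kubewarden-crds/templates/policyreports.yaml \;
          fi
          # … unchanged: set +e, git diff, GITHUB_OUTPUT …
```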
@@ -196,24 +223,69 @@ jobs: accept: "application/octet-stream"}, }) let fs = require('fs'); - fs.writeFileSync("/tmp/crds.tar.gz", Buffer.from(asset.data)) + fs.writeFileSync("/tmp/crds-controller.tar.gz", Buffer.from(asset.data)) console.log(`${crds_tarball} downloaded successfully`) } else { core.warning(`Aborting chart update: no ${crds_tarball} found. This is expected if the release process in the controller repository is still running. Otherwise, check why the release in the controller does not contains the CRDs tarball`) core.setFailed("No CRDs tarball found") } + - name: Check if CRD are available in the audit scanner + id: download_crds_audit_scanner + uses: actions/github-script@v6 + with: + script: | + let repository_split = context.payload.client_payload.repository.split("/") + let owner = repository_split[0] + let repository = repository_split[1] + let crds_asset_id = null + const audit_scanner_repo = "audit-scanner" + const version = context.payload.client_payload.version + const crds_tarball = "CRDS.tar.gz" + + if (repository === audit_scanner_repo) { + crds_asset_id = context.payload.client_payload.crds_asset_id + } else { + crds_asset_id = await github.rest.repos.getReleaseByTag({owner: owner, repo: audit_scanner_repo, tag: version,}).then((response) => { + for (const file of response.data.assets) { + if (file.name == crds_tarball) { + return file.id; + } + } + return null; + }, (failedResponse) => { + consolog.log("FAILED") + return null; + }); + } + console.log(`Fetching asset ID: ${crds_asset_id}`) + if (typeof(crds_asset_id) === "number") { + let asset = await github.rest.repos.getReleaseAsset({ + owner: owner, repo: controller_repo, asset_id: crds_asset_id, headers:{ + accept: "application/octet-stream"}, + }) + let fs = require('fs'); + fs.writeFileSync("/tmp/crds-audit-scanner.tar.gz", Buffer.from(asset.data)) + console.log(`${crds_tarball} downloaded successfully`) + } else { + core.warning(`Aborting chart update: no ${crds_tarball} found. 
This is expected if the release process in the audit-scanner repository is still running. Otherwise, check why the release does not contains the CRDs tarball`) + core.setFailed("No CRDs tarball found") + } + - name: Update CRDS id: update_crds run: | - # The next commands are use in the updatecli/scripts/install_crds.sh as well. + # The next commands are used in the updatecli/scripts/install_crds.sh as well. # Here the commands are used to detect CRDs changes. In the script they are used # to install the CRDs - tar -xvf /tmp/crds.tar.gz + tar -xvf /tmp/crds-controller.tar.gz find . -maxdepth 1 -name "*_policyserver*" -exec mv \{\} charts/kubewarden-crds/templates/policyservers.yaml \; find . -maxdepth 1 -name "*_admissionpolicies*" -exec mv \{\} charts/kubewarden-crds/templates/admissionpolicies.yaml \; find . -maxdepth 1 -name "*_clusteradmissionpolicies*" -exec mv \{\} charts/kubewarden-crds/templates/clusteradmissionpolicies.yaml \; + tar -xvf /tmp/crds-audit-scanner.tar.gz + find . -maxdepth 1 -name "*_clusterpolicyreports*" -exec mv \{\} charts/kubewarden-crds/templates/clusterpolicyreports.yaml \; + find . -maxdepth 1 -name "*_policyreports*" -exec mv \{\} charts/kubewarden-crds/templates/policyreports.yaml \; set +e git diff --exit-code --no-patch charts/kubewarden-crds diff --git a/updatecli/scripts/install_crds.sh b/updatecli/scripts/install_crds.sh index 0eebd2ac..7d11da4e 100755 --- a/updatecli/scripts/install_crds.sh +++ b/updatecli/scripts/install_crds.sh 
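Review bot: The new `Check if CRD are available in the audit scanner` step cannot run as written: the rejection handler calls `consolog.log("FAILED")`, which throws a ReferenceError instead of returning `null`, and the `getReleaseAsset` call passes `repo: controller_repo`, a name this script never declares (it defines `audit_scanner_repo`). Change them to `console.log("FAILED")` and `owner: owner, repo: audit_scanner_repo, asset_id: crds_asset_id, headers:{`. The `file.name == crds_tarball` comparison should be `===`, matching the `repository === audit_scanner_repo` check just above it. Unlike the first job, this step has no `if:` guard, so a controller dispatch whose audit-scanner release does not yet carry a CRDs tarball fails the whole job via `core.setFailed`; if that is intended, a one-line comment saying so would help the next reader.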
@@ -1,9 +1,13 @@ #!/bin/bash -tar -xf /tmp/crds.tar.gz +tar -xf /tmp/crds-controller.tar.gz find . -maxdepth 1 -name "*_policyserver*" -exec mv \{\} /tmp/helm-charts/charts/kubewarden-crds/templates/policyservers.yaml \; find . -maxdepth 1 -name "*_admissionpolicies*" -exec mv \{\} /tmp/helm-charts/charts/kubewarden-crds/templates/admissionpolicies.yaml \; find . -maxdepth 1 -name "*_clusteradmissionpolicies*" -exec mv \{\} /tmp/helm-charts/charts/kubewarden-crds/templates/clusteradmissionpolicies.yaml \; -# updatecli expects something in the stdout when a change happen. +tar -xvf /tmp/crds-audit-scanner.tar.gz +find . -maxdepth 1 -name "*_clusterpolicyreports*" -exec mv \{\} charts/kubewarden-crds/templates/clusterpolicyreports.yaml \; +find . -maxdepth 1 -name "*_policyreports*" -exec mv \{\} charts/kubewarden-crds/templates/policyreports.yaml \; + +# updatecli expects something in stdout when a change happened. echo "Changed!" From 7a14e3466ae9d9a1acd1b4da02647a148f3219ed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?= Date: Thu, 13 Jul 2023 15:22:34 +0200 Subject: [PATCH 3/6] fix: Incorrect condition to update controller tag MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It was looking at the tag of policy-server, not the tag of kubewarden-controller. Signed-off-by: Víctor Cuadrado Juan --- .../updatecli.d/major-kubewarden-update-with-crd-update.yaml | 2 +- updatecli/updatecli.d/major-kubewarden-update.yaml | 2 +- .../prerelease-kubewarden-update-with-crd-update.yaml | 2 +- updatecli/updatecli.d/prerelease-kubewarden-update.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/updatecli/updatecli.d/major-kubewarden-update-with-crd-update.yaml b/updatecli/updatecli.d/major-kubewarden-update-with-crd-update.yaml index e94476a1..0e72474b 100644 --- a/updatecli/updatecli.d/major-kubewarden-update-with-crd-update.yaml 
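Review bot: The two new `find … -exec mv` lines for `clusterpolicyreports` and `policyreports` move into the relative path `charts/kubewarden-crds/templates/`, while the three existing lines in this script target `/tmp/helm-charts/charts/kubewarden-crds/templates/`; run from the same working directory the new files presumably end up outside the chart checkout or the `mv` fails. Prefix them: `find . -maxdepth 1 -name "*_clusterpolicyreports*" -exec mv \{\} /tmp/helm-charts/charts/kubewarden-crds/templates/clusterpolicyreports.yaml \;` and the same for `policyreports.yaml`. Nothing visible in the hunk sets `set -e`, so a missing `/tmp/crds-audit-scanner.tar.gz` prints a tar error and the script still echoes `Changed!`, which updatecli reads as a successful change; `set -euo pipefail` after the shebang would surface that. `tar -xvf` also differs from the existing `tar -xf` only in verbosity.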
+++ b/updatecli/updatecli.d/major-kubewarden-update-with-crd-update.yaml @@ -220,7 +220,7 @@ targets: controllerUpdateChartValuesFile: name: "Update container image in the chart-values.yaml file" kind: yaml - sourceid: defaultChartValuesFile + sourceid: controllerImageChartValuesFile scmid: "default" spec: file: "charts/kubewarden-controller/chart-values.yaml" diff --git a/updatecli/updatecli.d/major-kubewarden-update.yaml b/updatecli/updatecli.d/major-kubewarden-update.yaml index 0b8529f7..290bb4d1 100644 --- a/updatecli/updatecli.d/major-kubewarden-update.yaml +++ b/updatecli/updatecli.d/major-kubewarden-update.yaml @@ -145,7 +145,7 @@ targets: controllerUpdateChartValuesFile: name: "Update container image in the chart-values.yaml file" kind: yaml - sourceid: defaultChartValuesFile + sourceid: controllerImageChartValuesFile scmid: "default" spec: file: "charts/kubewarden-controller/chart-values.yaml" diff --git a/updatecli/updatecli.d/prerelease-kubewarden-update-with-crd-update.yaml b/updatecli/updatecli.d/prerelease-kubewarden-update-with-crd-update.yaml index a5019ad8..aa5dc1e0 100644 --- a/updatecli/updatecli.d/prerelease-kubewarden-update-with-crd-update.yaml +++ b/updatecli/updatecli.d/prerelease-kubewarden-update-with-crd-update.yaml @@ -223,7 +223,7 @@ targets: controllerUpdateChartValuesFile: name: "Update container image in the chart-values.yaml file" kind: yaml - sourceid: defaultChartValuesFile + sourceid: controllerImageChartValuesFile scmid: "default" spec: file: "charts/kubewarden-controller/chart-values.yaml" diff --git a/updatecli/updatecli.d/prerelease-kubewarden-update.yaml b/updatecli/updatecli.d/prerelease-kubewarden-update.yaml index 62fa593a..cc0bc3a1 100644 --- a/updatecli/updatecli.d/prerelease-kubewarden-update.yaml +++ b/updatecli/updatecli.d/prerelease-kubewarden-update.yaml 
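Review bot: `sourceid: controllerImageChartValuesFile` points at a source that does not exist at this commit: the `sources:` entry is only renamed from `controllerChartValuesFile` to `controllerImageChartValuesFile` in [PATCH 4/6], so between these two commits every pipeline touched here (`major-kubewarden-update-with-crd-update.yaml`, `major-kubewarden-update.yaml`, `prerelease-kubewarden-update-with-crd-update.yaml`, `prerelease-kubewarden-update.yaml`) references an undefined source id. Either swap the order of patches 3 and 4, or use the pre-rename id `sourceid: controllerChartValuesFile` here and let the rename patch update it, so each commit stays runnable on its own.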
@@ -147,7 +147,7 @@ targets: controllerUpdateChartValuesFile: name: "Update container image in the chart-values.yaml file" kind: yaml - sourceid: defaultChartValuesFile + sourceid: controllerImageChartValuesFile scmid: "default" spec: file: "charts/kubewarden-controller/chart-values.yaml" From 86aa82b4f8788c5614d3d8032c86c2f23f96aa1b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?= Date: Thu, 13 Jul 2023 15:22:14 +0200 Subject: [PATCH 4/6] refactor: Rename conds to make room for audit scanner MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Víctor Cuadrado Juan --- ...jor-kubewarden-update-with-crd-update.yaml | 12 +++++----- .../updatecli.d/major-kubewarden-update.yaml | 24 +++++++++---------- ...ubewarden-controller-with-crds-update.yaml | 12 +++++----- .../patch-kubewarden-controller.yaml | 12 +++++----- ...ase-kubewarden-update-with-crd-update.yaml | 12 +++++----- .../prerelease-kubewarden-update.yaml | 12 +++++----- 6 files changed, 42 insertions(+), 42 deletions(-) diff --git a/updatecli/updatecli.d/major-kubewarden-update-with-crd-update.yaml b/updatecli/updatecli.d/major-kubewarden-update-with-crd-update.yaml index 0e72474b..d3d24662 100644 --- a/updatecli/updatecli.d/major-kubewarden-update-with-crd-update.yaml +++ b/updatecli/updatecli.d/major-kubewarden-update-with-crd-update.yaml @@ -49,13 +49,13 @@ sources: file: "file://charts/kubewarden-controller/Chart.yaml" key: "version" - controllerChartValuesFile: + controllerImageChartValuesFile: kind: yaml spec: file: "charts/kubewarden-controller/chart-values.yaml" key: "image.tag" - controllerValuesFile: + controllerImageValuesFile: kind: yaml spec: file: "charts/kubewarden-controller/values.yaml" @@ -80,7 +80,7 @@ sources: conditions: - # All the major 3 components must have the same tag + # All the major components must have the same tag kwctlTag: name: Test if kwctl has the required tag disablesourceinput: true 
@@ -217,7 +217,7 @@ targets: value: 'kubewarden-crds={{ source "crdChartVersion" }}' - controllerUpdateChartValuesFile: + controllerImageUpdateChartValuesFile: name: "Update container image in the chart-values.yaml file" kind: yaml sourceid: controllerImageChartValuesFile @@ -227,10 +227,10 @@ targets: key: 'image.tag' value: '{{ requiredEnv .releaseVersion }}' - controllerUpdateValuesFile: + controllerImageUpdateValuesFile: kind: yaml name: "Update container image in the values.yaml file" - sourceid: controllerValuesFile + sourceid: controllerImageValuesFile scmid: "default" spec: file: "charts/kubewarden-controller/values.yaml" diff --git a/updatecli/updatecli.d/major-kubewarden-update.yaml b/updatecli/updatecli.d/major-kubewarden-update.yaml index 290bb4d1..9fa83f2f 100644 --- a/updatecli/updatecli.d/major-kubewarden-update.yaml +++ b/updatecli/updatecli.d/major-kubewarden-update.yaml @@ -49,13 +49,13 @@ sources: file: "file://charts/kubewarden-controller/Chart.yaml" key: "version" - controllerChartValuesFile: + controllerImageChartValuesFile: kind: yaml spec: file: "charts/kubewarden-controller/chart-values.yaml" key: "image.tag" - controllerValuesFile: + controllerImageValuesFile: kind: yaml spec: file: "charts/kubewarden-controller/values.yaml" @@ -63,7 +63,7 @@ sources: conditions: - # All the major 3 components must have the same tag + # All the major components must have the same tag kwctlTag: name: Test if kwctl has the required tag disablesourceinput: true @@ -142,7 +142,7 @@ targets: value: '{{ requiredEnv .releaseVersion }}' - controllerUpdateChartValuesFile: + controllerImageUpdateChartValuesFile: name: "Update container image in the chart-values.yaml file" kind: yaml sourceid: controllerImageChartValuesFile 
@@ -152,10 +152,10 @@ targets: key: 'image.tag' value: '{{ requiredEnv .releaseVersion }}' - controllerUpdateValuesFile: + controllerImageUpdateValuesFile: kind: yaml name: "Update container image in the values.yaml file" - sourceid: controllerValuesFile + sourceid: controllerImageValuesFile scmid: "default" spec: file: "charts/kubewarden-controller/values.yaml" @@ -227,15 +227,15 @@ scms: kwctlGit: kind: "git" spec: - url: "https://github.com/{{ requiredEnv .github.user }}/kwctl.git" - branch: "main" + url: "https://github.com/{{ requiredEnv .github.user }}/kwctl.git" + branch: "main" kubewardenControllerGit: kind: "git" spec: - url: "https://github.com/{{ requiredEnv .github.user }}/kubewarden-controller.git" - branch: "main" + url: "https://github.com/{{ requiredEnv .github.user }}/kubewarden-controller.git" + branch: "main" policyServerGit: kind: "git" spec: - url: "https://github.com/{{ requiredEnv .github.user }}/policy-server.git" - branch: "main" + url: "https://github.com/{{ requiredEnv .github.user }}/policy-server.git" + branch: "main" diff --git a/updatecli/updatecli.d/patch-kubewarden-controller-with-crds-update.yaml b/updatecli/updatecli.d/patch-kubewarden-controller-with-crds-update.yaml index fe5ec7e3..8a71b93b 100644 --- a/updatecli/updatecli.d/patch-kubewarden-controller-with-crds-update.yaml +++ b/updatecli/updatecli.d/patch-kubewarden-controller-with-crds-update.yaml @@ -13,12 +13,12 @@ sources: spec: file: "file://charts/kubewarden-defaults/Chart.yaml" key: "version" - controllerChartValuesFile: + controllerImageChartValuesFile: kind: yaml spec: file: "charts/kubewarden-controller/chart-values.yaml" key: "image.tag" - controllerValuesFile: + controllerImageValuesFile: kind: yaml spec: file: "charts/kubewarden-controller/values.yaml" 
@@ -40,20 +40,20 @@ targets: spec: command: bash updatecli/scripts/install_crds.sh - updateChartValuesFile: + updateControllerImageChartValuesFile: name: "Update container image in the chart-values.yaml file" kind: yaml - sourceid: controllerChartValuesFile + sourceid: controllerImageChartValuesFile scmid: "default" spec: file: "charts/kubewarden-controller/chart-values.yaml" key: "image.tag" value: '{{ requiredEnv .releaseVersion }}' - updateValuesFile: + updateControllerImageValuesFile: kind: yaml name: "Update container image in the values.yaml file" - sourceid: controllerValuesFile + sourceid: controllerImageValuesFile scmid: "default" spec: file: "charts/kubewarden-controller/values.yaml" diff --git a/updatecli/updatecli.d/patch-kubewarden-controller.yaml b/updatecli/updatecli.d/patch-kubewarden-controller.yaml index 3d6a7a92..234f015d 100644 --- a/updatecli/updatecli.d/patch-kubewarden-controller.yaml +++ b/updatecli/updatecli.d/patch-kubewarden-controller.yaml 
@@ -7,31 +7,31 @@ sources: spec: file: "file://charts/kubewarden-controller/Chart.yaml" key: "version" - controllerChartValuesFile: + controllerImageChartValuesFile: kind: yaml spec: file: "charts/kubewarden-controller/chart-values.yaml" key: "image.tag" - controllerValuesFile: + controllerImageValuesFile: kind: yaml spec: file: "charts/kubewarden-controller/values.yaml" key: "image.tag" targets: - updateChartValuesFile: + updateControllerImageChartValuesFile: name: "Update container image in the chart-values.yaml file" kind: yaml - sourceid: controllerChartValuesFile + sourceid: controllerImageChartValuesFile scmid: "default" spec: file: "charts/kubewarden-controller/chart-values.yaml" key: "image.tag" value: '{{ requiredEnv .releaseVersion }}' - updateValuesFile: + updateControllerImageValuesFile: kind: yaml name: "Update container image in the values.yaml file" - sourceid: controllerValuesFile + sourceid: controllerImageValuesFile scmid: "default" spec: file: "charts/kubewarden-controller/values.yaml" diff --git a/updatecli/updatecli.d/prerelease-kubewarden-update-with-crd-update.yaml b/updatecli/updatecli.d/prerelease-kubewarden-update-with-crd-update.yaml index aa5dc1e0..e2e3bd14 100644 --- a/updatecli/updatecli.d/prerelease-kubewarden-update-with-crd-update.yaml +++ b/updatecli/updatecli.d/prerelease-kubewarden-update-with-crd-update.yaml @@ -51,13 +51,13 @@ sources: file: "file://charts/kubewarden-controller/Chart.yaml" key: "version" - controllerChartValuesFile: + controllerImageChartValuesFile: kind: yaml spec: file: "charts/kubewarden-controller/chart-values.yaml" key: "image.tag" - controllerValuesFile: + controllerImageValuesFile: kind: yaml spec: file: "charts/kubewarden-controller/values.yaml" @@ -83,7 +83,7 @@ sources: conditions: - # All the major 3 components must have the same tag + # All the major components must have the same tag kwctlTag: name: Test if kwctl has the required tag disablesourceinput: true 
@@ -220,7 +220,7 @@ targets: value: 'kubewarden-crds={{ source "crdChartVersion" }}' - controllerUpdateChartValuesFile: + controllerImageUpdateChartValuesFile: name: "Update container image in the chart-values.yaml file" kind: yaml sourceid: controllerImageChartValuesFile @@ -230,10 +230,10 @@ targets: key: 'image.tag' value: '{{ requiredEnv .releaseVersion }}' - controllerUpdateValuesFile: + controllerImageUpdateValuesFile: kind: yaml name: "Update container image in the values.yaml file" - sourceid: controllerValuesFile + sourceid: controllerImageValuesFile scmid: "default" spec: file: "charts/kubewarden-controller/values.yaml" diff --git a/updatecli/updatecli.d/prerelease-kubewarden-update.yaml b/updatecli/updatecli.d/prerelease-kubewarden-update.yaml index cc0bc3a1..37aa3228 100644 --- a/updatecli/updatecli.d/prerelease-kubewarden-update.yaml +++ b/updatecli/updatecli.d/prerelease-kubewarden-update.yaml @@ -51,13 +51,13 @@ sources: file: "file://charts/kubewarden-controller/Chart.yaml" key: "version" - controllerChartValuesFile: + controllerImageChartValuesFile: kind: yaml spec: file: "charts/kubewarden-controller/chart-values.yaml" key: "image.tag" - controllerValuesFile: + controllerImageValuesFile: kind: yaml spec: file: "charts/kubewarden-controller/values.yaml" @@ -65,7 +65,7 @@ sources: conditions: - # All the major 3 components must have the same tag + # All the major components must have the same tag kwctlTag: name: Test if kwctl has the required tag disablesourceinput: true @@ -144,7 +144,7 @@ targets: value: '{{ requiredEnv .releaseVersion }}' - controllerUpdateChartValuesFile: + controllerImageUpdateChartValuesFile: name: "Update container image in the chart-values.yaml file" kind: yaml sourceid: controllerImageChartValuesFile 
@@ -154,10 +154,10 @@ targets: key: 'image.tag' value: '{{ requiredEnv .releaseVersion }}' - controllerUpdateValuesFile: + controllerImageUpdateValuesFile: kind: yaml name: "Update container image in the values.yaml file" - sourceid: controllerValuesFile + sourceid: controllerImageValuesFile scmid: "default" spec: file: "charts/kubewarden-controller/values.yaml" From 71212c74dadfd6c254286398cc977ec5b9bd4991 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?= Date: Thu, 13 Jul 2023 15:24:09 +0200 Subject: [PATCH 5/6] feat: Check audit-scanner tag for major upd with crd MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Víctor Cuadrado Juan --- ...jor-kubewarden-update-with-crd-update.yaml | 46 +++++++++++++++++++ .../updatecli.d/major-kubewarden-update.yaml | 45 ++++++++++++++++++ ...ubewarden-controller-with-crds-update.yaml | 30 ++++++++++++ .../patch-kubewarden-controller.yaml | 28 +++++++++++ ...ase-kubewarden-update-with-crd-update.yaml | 46 +++++++++++++++++++ .../prerelease-kubewarden-update.yaml | 46 +++++++++++++++++++ 6 files changed, 241 insertions(+) diff --git a/updatecli/updatecli.d/major-kubewarden-update-with-crd-update.yaml b/updatecli/updatecli.d/major-kubewarden-update-with-crd-update.yaml index d3d24662..46167ee3 100644 --- a/updatecli/updatecli.d/major-kubewarden-update-with-crd-update.yaml +++ b/updatecli/updatecli.d/major-kubewarden-update-with-crd-update.yaml @@ -61,6 +61,18 @@ sources: file: "charts/kubewarden-controller/values.yaml" key: "image.tag" + auditScannerImageChartValuesFile: + kind: yaml + spec: + file: "charts/kubewarden-controller/chart-values.yaml" + key: "auditScanner.image.tag" + + auditScannerImageValuesFile: + kind: yaml + spec: + file: "charts/kubewarden-controller/values.yaml" + key: "auditScanner.image.tag" + crdChartVersion: kind: yaml transformers: 
@@ -108,6 +120,15 @@ conditions: versionfilter: kind: "semver" pattern: '{{ requiredEnv .releaseVersion }}' + auditScannerTag: + name: Test if audit-scanner has the required tag + disablesourceinput: true + kind: gittag + scmid: auditScannerGit + spec: + versionfilter: + kind: "semver" + pattern: '{{ requiredEnv .releaseVersion }}' targets: installCRD: @@ -237,6 +258,26 @@ targets: key: 'image.tag' value: '{{ requiredEnv .releaseVersion }}' + auditScannerImageUpdateChartValuesFile: + name: "Update container image in the chart-values.yaml file" + kind: yaml + sourceid: auditScannerImageChartValuesFile + scmid: "default" + spec: + file: "charts/kubewarden-controller/chart-values.yaml" + key: 'auditScanner.image.tag' + value: '{{ requiredEnv .releaseVersion }}' + + auditScannerImageUpdateValuesFile: + kind: yaml + name: "Update container image in the values.yaml file" + sourceid: auditScannerImageValuesFile + scmid: "default" + spec: + file: "charts/kubewarden-controller/values.yaml" + key: 'auditScanner.image.tag' + value: '{{ requiredEnv .releaseVersion }}' + controllerChartAppVersionUpdate: name: Bump controller chart app version kind: yaml @@ -314,3 +355,8 @@ scms: spec: url: "https://github.com/{{ requiredEnv .github.user }}/policy-server.git" branch: "main" + auditScannerGit: + kind: "git" + spec: + url: "https://github.com/{{ requiredEnv .github.user }}/audit-scanner.git" + branch: "main" diff --git a/updatecli/updatecli.d/major-kubewarden-update.yaml b/updatecli/updatecli.d/major-kubewarden-update.yaml index 9fa83f2f..23b8d3ca 100644 --- a/updatecli/updatecli.d/major-kubewarden-update.yaml +++ b/updatecli/updatecli.d/major-kubewarden-update.yaml 
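Review bot: The two new targets `auditScannerImageUpdateChartValuesFile` and `auditScannerImageUpdateValuesFile` reuse the controller targets' display names `"Update container image in the chart-values.yaml file"` and `"Update container image in the values.yaml file"`, so updatecli's report shows two identically named targets per file that cannot be told apart. Name them after the image, e.g. `name: "Update audit-scanner image in the chart-values.yaml file"` and `name: "Update audit-scanner image in the values.yaml file"`. The same copy-pasted names appear in the `major-kubewarden-update.yaml`, `patch-kubewarden-controller-with-crds-update.yaml` (values.yaml target) and `patch-kubewarden-controller.yaml` hunks of this patch.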
@@ -61,6 +61,17 @@ sources: file: "charts/kubewarden-controller/values.yaml" key: "image.tag" + auditScannerImageChartValuesFile: + kind: yaml + spec: + file: "charts/kubewarden-controller/chart-values.yaml" + key: "auditScanner.image.tag" + + auditScannerImageValuesFile: + kind: yaml + spec: + file: "charts/kubewarden-controller/values.yaml" + key: "auditScanner.image.tag" conditions: # All the major components must have the same tag @@ -91,6 +102,15 @@ conditions: versionfilter: kind: "semver" pattern: '{{ requiredEnv .releaseVersion }}' + auditScannerTag: + name: Test if audit-scanner has the required tag + disablesourceinput: true + kind: gittag + scmid: auditScannerGit + spec: + versionfilter: + kind: "semver" + pattern: "{{ requiredEnv .releaseVersion }}" targets: defaultUpdateChartValuesFile: @@ -172,6 +192,26 @@ targets: key: "appVersion" value: '{{ requiredEnv .releaseVersion }}' + auditScannerImageUpdateChartValuesFile: + name: "Update container image in the chart-values.yaml file" + kind: yaml + sourceid: auditScannerImageChartValuesFile + scmid: "default" + spec: + file: "charts/kubewarden-controller/chart-values.yaml" + key: "auditScanner.image.tag" + value: "{{ requiredEnv .releaseVersion }}" + + auditScannerImageUpdateValuesFile: + kind: yaml + name: "Update container image in the values.yaml file" + sourceid: auditScannerImageValuesFile + scmid: "default" + spec: + file: "charts/kubewarden-controller/values.yaml" + key: "auditScanner.image.tag" + value: "{{ requiredEnv .releaseVersion }}" + controllerChartVersionUpdate: name: Bump controller chart version kind: yaml @@ -239,3 +279,8 @@ scms: spec: url: "https://github.com/{{ requiredEnv .github.user }}/policy-server.git" branch: "main" + auditScannerGit: + kind: "git" + spec: + url: "https://github.com/{{ requiredEnv .github.user }}/audit-scanner.git" + branch: "main" 
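Review bot: The added `auditScannerTag` condition and the two audit-scanner targets in this file quote the template as `"{{ requiredEnv .releaseVersion }}"`, while every other `pattern:`/`value:` in the hunk context and in the sibling files of this patch uses `'{{ requiredEnv .releaseVersion }}'`; both parse, but mixed quoting makes grepping and bulk edits of the release template error-prone, so keep the single-quoted form. The new `auditScannerImageValuesFile` source also lacks the blank line before `conditions:` that separates sections elsewhere in this file.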
diff --git a/updatecli/updatecli.d/patch-kubewarden-controller-with-crds-update.yaml b/updatecli/updatecli.d/patch-kubewarden-controller-with-crds-update.yaml index 8a71b93b..6e9bed16 100644 --- a/updatecli/updatecli.d/patch-kubewarden-controller-with-crds-update.yaml +++ b/updatecli/updatecli.d/patch-kubewarden-controller-with-crds-update.yaml @@ -23,6 +23,16 @@ sources: spec: file: "charts/kubewarden-controller/values.yaml" key: "image.tag" + auditScannerImageChartValuesFile: + kind: yaml + spec: + file: "charts/kubewarden-controller/chart-values.yaml" + key: "auditScanner.image.tag" + auditScannerImageValuesFile: + kind: yaml + spec: + file: "charts/kubewarden-controller/values.yaml" + key: "auditScanner.image.tag" crdChartVersion: kind: yaml transformers: @@ -60,6 +70,26 @@ targets: key: "image.tag" value: '{{ requiredEnv .releaseVersion }}' + updateAuditScannerImageChartValuesFile: + name: "Update audit scanner image in the chart-values.yaml file" + kind: yaml + sourceid: auditScannerImageChartValuesFile + scmid: "default" + spec: + file: "charts/kubewarden-controller/chart-values.yaml" + key: "auditScanner.image.tag" + value: '{{ requiredEnv .releaseVersion }}' + + updateAuditScannerImageValuesFile: + kind: yaml + name: "Update container image in the values.yaml file" + sourceid: auditScannerImageValuesFile + scmid: "default" + spec: + file: "charts/kubewarden-controller/values.yaml" + key: "auditScanner.image.tag" + value: '{{ requiredEnv .releaseVersion }}' + chartPatchVersionUpdate: name: Bump chart patch version kind: yaml diff --git a/updatecli/updatecli.d/patch-kubewarden-controller.yaml b/updatecli/updatecli.d/patch-kubewarden-controller.yaml index 234f015d..d7206b87 100644 --- a/updatecli/updatecli.d/patch-kubewarden-controller.yaml +++ b/updatecli/updatecli.d/patch-kubewarden-controller.yaml 
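Review bot: The new `updateAuditScannerImageChartValuesFile`/`updateAuditScannerImageValuesFile` targets write `{{ requiredEnv .releaseVersion }}` into `auditScanner.image.tag`, but unlike the major and prerelease pipelines in this same patch no `auditScannerTag` condition verifies that the audit-scanner repository actually carries that tag. If a controller patch release can ship without a matching audit-scanner release, the chart would point at a non-existent image tag and the breakage would only surface at deploy time. Add the same gittag condition as below (plus an `auditScannerGit` scm if this file has none), or document in a comment why the two repositories are assumed to share patch versions; the same applies to the `patch-kubewarden-controller.yaml` hunk.
```yaml
conditions:
  # … unchanged: existing conditions, if any …
  auditScannerTag:
    name: Test if audit-scanner has the required tag
    disablesourceinput: true
    kind: gittag
    scmid: auditScannerGit
    spec:
      versionfilter:
        kind: "semver"
        pattern: '{{ requiredEnv .releaseVersion }}'
```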
@@ -17,6 +17,16 @@ sources: spec: file: "charts/kubewarden-controller/values.yaml" key: "image.tag" + auditScannerImageChartValuesFile: + kind: yaml + spec: + file: "charts/kubewarden-controller/chart-values.yaml" + key: "auditScanner.image.tag" + auditScannerImageValuesFile: + kind: yaml + spec: + file: "charts/kubewarden-controller/values.yaml" + key: "auditScanner.image.tag" targets: updateControllerImageChartValuesFile: @@ -37,6 +47,24 @@ targets: file: "charts/kubewarden-controller/values.yaml" key: "image.tag" value: '{{ requiredEnv .releaseVersion }}' + updateAuditScannerImageChartValuesFile: + name: "Update container image in the chart-values.yaml file" + kind: yaml + sourceid: auditScannerImageChartValuesFile + scmid: "default" + spec: + file: "charts/kubewarden-controller/chart-values.yaml" + key: "auditScanner.image.tag" + value: '{{ requiredEnv .releaseVersion }}' + updateAuditScannerImageValuesFile: + kind: yaml + name: "Update container image in the values.yaml file" + sourceid: auditScannerImageValuesFile + scmid: "default" + spec: + file: "charts/kubewarden-controller/values.yaml" + key: "auditScanner.image.tag" + value: '{{ requiredEnv .releaseVersion }}' chartPatchVersionUpdate: name: Bump chart patch version kind: yaml diff --git a/updatecli/updatecli.d/prerelease-kubewarden-update-with-crd-update.yaml b/updatecli/updatecli.d/prerelease-kubewarden-update-with-crd-update.yaml index e2e3bd14..5ee3cd01 100644 --- a/updatecli/updatecli.d/prerelease-kubewarden-update-with-crd-update.yaml +++ b/updatecli/updatecli.d/prerelease-kubewarden-update-with-crd-update.yaml 
@@ -63,6 +63,18 @@ sources:
 file: "charts/kubewarden-controller/values.yaml"
 key: "image.tag"
+ auditScannerImageChartValuesFile:
+ kind: yaml
+ spec:
+ file: "charts/kubewarden-controller/chart-values.yaml"
+ key: "auditScanner.image.tag"
+
+ auditScannerImageValuesFile:
+ kind: yaml
+ spec:
+ file: "charts/kubewarden-controller/values.yaml"
+ key: "auditScanner.image.tag"
+
 crdChartVersion:
 kind: yaml
 transformers:
@@ -111,6 +123,15 @@ conditions:
 versionfilter:
 kind: "semver"
 pattern: '{{ requiredEnv .releaseVersion }}'
+ AuditScannerTag:
+ name: Test if Audit Scanner has the required tag
+ disablesourceinput: true
+ kind: gittag
+ scmid: auditScannerGit
+ spec:
+ versionfilter:
+ kind: "semver"
+ pattern: '{{ requiredEnv .releaseVersion }}'
 targets:
 installCRD:
@@ -240,6 +261,26 @@ targets:
 key: 'image.tag'
 value: '{{ requiredEnv .releaseVersion }}'
+ auditScannerImageUpdateChartValuesFile:
+ name: "Update audit scanner image in the chart-values.yaml file"
+ kind: yaml
+ sourceid: auditScannerImageChartValuesFile
+ scmid: "default"
+ spec:
+ file: "charts/kubewarden-controller/chart-values.yaml"
+ key: 'auditScanner.image.tag'
+ value: '{{ requiredEnv .releaseVersion }}'
+
+ auditScannerUpdateValuesFile:
+ kind: yaml
+ name: "Update audit scanner image in the values.yaml file"
+ sourceid: auditScannerImageValuesFile
+ scmid: "default"
+ spec:
+ file: "charts/kubewarden-controller/values.yaml"
+ key: 'auditScanner.image.tag'
+ value: '{{ requiredEnv .releaseVersion }}'
+
 controllerChartAppVersionUpdate:
 name: Bump controller chart app version
 kind: yaml
@@ -317,3 +358,8 @@ scms:
 spec:
 url: "https://github.com/{{ requiredEnv .github.user }}/policy-server.git"
 branch: "main"
+ auditScannerGit:
+ kind: "git"
+ spec:
+ url: "https://github.com/{{ requiredEnv .github.user }}/audit-scanner.git"
+ branch: "main"
diff --git a/updatecli/updatecli.d/prerelease-kubewarden-update.yaml b/updatecli/updatecli.d/prerelease-kubewarden-update.yaml
index 37aa3228..a27b0d09 100644
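Review bot: The new condition key `AuditScannerTag:` in the second hunk is PascalCase, while the identical condition this commit adds to prerelease-kubewarden-update.yaml is `auditScannerTag:` and every other key visible in this file (`installCRD`, `controllerChartAppVersionUpdate`, `auditScannerGit`) is camelCase. The two prerelease files also diverge on the id of the values.yaml target (`auditScannerUpdateValuesFile` here versus `auditScannerImageUpdateValuesFile` there), which makes it harder to grep for the pair and to keep the two pipelines in sync when the next component is added. Suggest `auditScannerTag:` and `auditScannerImageUpdateValuesFile:` here so both files use the same identifiers for the same steps.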
--- a/updatecli/updatecli.d/prerelease-kubewarden-update.yaml
+++ b/updatecli/updatecli.d/prerelease-kubewarden-update.yaml
@@ -63,6 +63,18 @@ sources:
 file: "charts/kubewarden-controller/values.yaml"
 key: "image.tag"
+ auditScannerImageChartValuesFile:
+ kind: yaml
+ spec:
+ file: "charts/kubewarden-controller/chart-values.yaml"
+ key: "auditScanner.image.tag"
+
+ auditScannerImageValuesFile:
+ kind: yaml
+ spec:
+ file: "charts/kubewarden-controller/values.yaml"
+ key: "auditScanner.image.tag"
+
 conditions:
 # All the major components must have the same tag
@@ -93,6 +105,15 @@ conditions:
 versionfilter:
 kind: "semver"
 pattern: '{{ requiredEnv .releaseVersion }}'
+ auditScannerTag:
+ name: Test if Audit Scanner has the required tag
+ disablesourceinput: true
+ kind: gittag
+ scmid: auditScannerGit
+ spec:
+ versionfilter:
+ kind: "semver"
+ pattern: '{{ requiredEnv .releaseVersion }}'
 targets:
 defaultUpdateChartValuesFile:
@@ -164,6 +185,26 @@ targets:
 key: 'image.tag'
 value: '{{ requiredEnv .releaseVersion }}'
+ auditScannerImageUpdateChartValuesFile:
+ name: "Update container image in the chart-values.yaml file"
+ kind: yaml
+ sourceid: auditScannerImageChartValuesFile
+ scmid: "default"
+ spec:
+ file: "charts/kubewarden-controller/chart-values.yaml"
+ key: 'auditScanner.image.tag'
+ value: '{{ requiredEnv .releaseVersion }}'
+
+ auditScannerImageUpdateValuesFile:
+ kind: yaml
+ name: "Update container image in the values.yaml file"
+ sourceid: auditScannerImageValuesFile
+ scmid: "default"
+ spec:
+ file: "charts/kubewarden-controller/values.yaml"
+ key: 'auditScanner.image.tag'
+ value: '{{ requiredEnv .releaseVersion }}'
+
 controllerChartAppVersionUpdate:
 name: Bump controller chart app version
 kind: yaml
@@ -241,3 +282,8 @@ scms:
 spec:
 url: "https://github.com/{{ requiredEnv .github.user }}/policy-server.git"
 branch: "main"
+ auditScannerGit:
+ kind: "git"
+ spec:
+ url: "https://github.com/{{ requiredEnv .github.user }}/audit-scanner.git"
+ branch: "main"
From 669116c8a1826bd98d9fc16d070eac3aa0d26815 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?= Date: Thu, 13 Jul 2023 17:42:30 +0200 Subject: [PATCH 6/6] feat: Add severity, category annots to default policies MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Víctor Cuadrado Juan
--- .../templates/allow-privileged-escalation-policy.yaml | 2 ++ charts/kubewarden-defaults/templates/capabilities-policy.yaml | 2 ++ charts/kubewarden-defaults/templates/host-namespace-policy.yaml | 2 ++ charts/kubewarden-defaults/templates/host-path-policy.yaml | 2 ++ charts/kubewarden-defaults/templates/pod-privileged-policy.yaml | 2 ++ charts/kubewarden-defaults/templates/user-group-policy.yaml | 2 ++ 6 files changed, 12 insertions(+)
diff --git a/charts/kubewarden-defaults/templates/allow-privileged-escalation-policy.yaml b/charts/kubewarden-defaults/templates/allow-privileged-escalation-policy.yaml
index 89056c08..cce87d6c 100644
--- a/charts/kubewarden-defaults/templates/allow-privileged-escalation-policy.yaml
+++ b/charts/kubewarden-defaults/templates/allow-privileged-escalation-policy.yaml
@@ -6,6 +6,8 @@ metadata:
 {{- include "kubewarden-defaults.labels" . | nindent 4 }}
 app.kubernetes.io/component: policy
 annotations:
+ io.kubewarden.policy.severity: medium
+ io.kubewarden.policy.category: PSP
 {{- include "kubewarden-defaults.annotations" . | nindent 4 }}
 name: {{ $.Values.recommendedPolicies.allowPrivilegeEscalationPolicy.name }}
 spec:
diff --git a/charts/kubewarden-defaults/templates/capabilities-policy.yaml b/charts/kubewarden-defaults/templates/capabilities-policy.yaml
index 38456781..1ba8afd1 100644
--- a/charts/kubewarden-defaults/templates/capabilities-policy.yaml
+++ b/charts/kubewarden-defaults/templates/capabilities-policy.yaml
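Review bot: The hard-coded `io.kubewarden.policy.severity` and `io.kubewarden.policy.category` annotations are emitted immediately before `{{- include "kubewarden-defaults.annotations" . | nindent 4 }}`, so if that include renders user-supplied annotations (its definition is outside the hunk) and a chart user sets either of the same keys, the rendered manifest contains a duplicate mapping key, which YAML parsers handle inconsistently (some reject it, others silently keep the last value). If user overrides are meant to be possible, the values-driven annotations should win or the two keys should be filtered out of the include; if they are not, a short comment above the two added lines stating that severity and category are fixed by the chart would document the contract. All six policies also receive the same `severity: medium`, including pod-privileged, host-namespace and host-path; if the upstream policy metadata declares different severities for those, mirroring them keeps audit-scanner reports from flattening the prioritisation. The same two-line addition, with the keys in the opposite order, is repeated in the capabilities, host-namespace, host-path, pod-privileged and user-group templates, and using one order everywhere would make the six templates diff cleanly against each other.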
@@ -6,6 +6,8 @@ metadata:
 {{- include "kubewarden-defaults.labels" . | nindent 4 }}
 app.kubernetes.io/component: policy
 annotations:
+ io.kubewarden.policy.category: PSP
+ io.kubewarden.policy.severity: medium
 {{- include "kubewarden-defaults.annotations" . | nindent 4 }}
 name: {{ $.Values.recommendedPolicies.capabilitiesPolicy.name }}
 spec:
diff --git a/charts/kubewarden-defaults/templates/host-namespace-policy.yaml b/charts/kubewarden-defaults/templates/host-namespace-policy.yaml
index 1da70943..bb8edf1a 100644
--- a/charts/kubewarden-defaults/templates/host-namespace-policy.yaml
+++ b/charts/kubewarden-defaults/templates/host-namespace-policy.yaml
@@ -6,6 +6,8 @@ metadata:
 {{- include "kubewarden-defaults.labels" . | nindent 4 }}
 app.kubernetes.io/component: policy
 annotations:
+ io.kubewarden.policy.category: PSP
+ io.kubewarden.policy.severity: medium
 {{- include "kubewarden-defaults.annotations" . | nindent 4 }}
 name: {{ $.Values.recommendedPolicies.hostNamespacePolicy.name }}
 spec:
diff --git a/charts/kubewarden-defaults/templates/host-path-policy.yaml b/charts/kubewarden-defaults/templates/host-path-policy.yaml
index 8ace25e3..2c132069 100644
--- a/charts/kubewarden-defaults/templates/host-path-policy.yaml
+++ b/charts/kubewarden-defaults/templates/host-path-policy.yaml
@@ -6,6 +6,8 @@ metadata:
 {{- include "kubewarden-defaults.labels" . | nindent 4 }}
 app.kubernetes.io/component: policy
 annotations:
+ io.kubewarden.policy.category: PSP
+ io.kubewarden.policy.severity: medium
 {{- include "kubewarden-defaults.annotations" . | nindent 4 }}
 name: {{ $.Values.recommendedPolicies.hostPathsPolicy.name }}
 spec:
diff --git a/charts/kubewarden-defaults/templates/pod-privileged-policy.yaml b/charts/kubewarden-defaults/templates/pod-privileged-policy.yaml
index 4999c9d2..0bb47af1 100644
--- a/charts/kubewarden-defaults/templates/pod-privileged-policy.yaml
+++ b/charts/kubewarden-defaults/templates/pod-privileged-policy.yaml
@@ -6,6 +6,8 @@ metadata:
 {{- include "kubewarden-defaults.labels" . | nindent 4 }}
 app.kubernetes.io/component: policy
 annotations:
+ io.kubewarden.policy.category: PSP
+ io.kubewarden.policy.severity: medium
 {{- include "kubewarden-defaults.annotations" . | nindent 4 }}
 name: {{ $.Values.recommendedPolicies.podPrivilegedPolicy.name }}
 spec:
diff --git a/charts/kubewarden-defaults/templates/user-group-policy.yaml b/charts/kubewarden-defaults/templates/user-group-policy.yaml
index 524be058..f707d669 100644
--- a/charts/kubewarden-defaults/templates/user-group-policy.yaml
+++ b/charts/kubewarden-defaults/templates/user-group-policy.yaml
@@ -6,6 +6,8 @@ metadata:
 {{- include "kubewarden-defaults.labels" . | nindent 4 }}
 app.kubernetes.io/component: policy
 annotations:
+ io.kubewarden.policy.category: PSP
+ io.kubewarden.policy.severity: medium
 {{- include "kubewarden-defaults.annotations" . | nindent 4 }}
 name: {{ $.Values.recommendedPolicies.userGroupPolicy.name }}
 spec: