Switching Helm CRDs back to kyverno chart and moving Policies to dedicated chart

[treydock]

Discussed in #2312

^{Originally posted by treydock August 25, 2021}
I'd like to propose a change to how Kyverno is deployed with Helm after the issues faced with recent 1.4.2 changes where the Kyverno CRDs were moved into a dedicated chart.

The change with 1.4.2 was to put the Kyverno CRDs into a dedicated Helm chart. The main benefit with this change is now it's possible to update and uninstall the Kyverno CRDs using Helm. This is done by moving the YAML for CRDs out of crds directory and into the templates directory so the CRDs are deployed like any other resource. The main reason this required a new chart is because you can't have CRDs as a template deployed in same chart as resources using those CRDs. So can't have CRDs and Kyverno policies deployed from same templates directory.

I'd like to propose that the CRDs are moved back into main kyverno Helm chart under the templates directory and move the Kyverno policies to a dedicated kyverno-policies Helm chart in this repo. This way a helm install kyverno .... will give someone a fully functional Kyverno deployment and then if they wish they can install additional policies via Helm as a second step.

What I've validated so far is doing this on main branch:

mv charts/kyverno/templates/policies ./
mv charts/kyverno-crds/templates/crds.yaml charts/kyverno/templates/
helm install kyverno charts/kyverno -n kyverno --create-namespace

I think some challenges that would need testing (assuming this change is made with 1.5.0)

• What's the upgrade path for people on 1.4.1 or earlier to 1.5.0
• What's the upgrade path for people on 1.4.2 to 1.5.0 where they have the CRDs chart deployed