Add container exclusions to non root policy

In the process of implementing https://repo1.dso.mil/platform-one/big-bang/bigbang/-/issues/1276 we realized this policy did not support container exclusions. Some more background here. This policy required a new helper to support exclusions and not diverge from the original policy.

chart/templates/_helpers.tpl

@@ -69,6 +69,26 @@ webhookTimeoutSeconds: {{ $webhookTimeoutSeconds }}
     {{- end }}
 {{- end -}}
 
+{{/* excludeContainers values.  Expects name of policy in .name */}}
+{{- define "kyverno-policies.excludeNamedContainers" -}}
+  {{- $globalexcludeContainers := .Values.excludeContainers -}}
+  {{- $policyExcludeContainers := (dig .name "parameters" "excludeContainers" list .Values.policies) -}}
+  {{- $excludedContainers := concat $policyExcludeContainers $globalexcludeContainers -}}
+    {{- if $excludedContainers }}
+      (name): "!{{ join " & !" $excludedContainers -}}"
+    {{- end }}
+{{- end -}}
+
+{{/* excludeContainers values.  Expects name of policy in .name */}}
+{{- define "kyverno-policies.excludeNamedContainersAllow" -}}
+  {{- $globalexcludeContainers := .Values.excludeContainers -}}
+  {{- $policyExcludeContainers := (dig .name "parameters" "excludeContainers" list .Values.policies) -}}
+  {{- $excludedContainers := concat $policyExcludeContainers $globalexcludeContainers -}}
+    {{- if $excludedContainers }}
+      name: "{{ join " | " $excludedContainers -}}"
+    {{- end }}
+{{- end -}}
+
 {{/* Match key/value.  Expects name of policy in .name and default kind in .kind as a list */}}
 {{- define "kyverno-policies.match" -}}
   {{- $policyMatch := (dig .name "match" nil .Values.policies) -}}