
@Copilot Copilot AI commented Aug 20, 2025

This PR adds support for configuring proxy sidecar container images in the Helm chart to enable deployments in air-gapped environments with custom container registries.

Problem

Previously, the proxy sidecar and init container images were hardcoded to use mcr.microsoft.com/oss/azure/workload-identity registry during build time via LDFLAGS. While the webhook code already supported PROXY_IMAGE and PROXY_INIT_IMAGE environment variables, the Helm chart didn't expose these configurations, preventing users in air-gapped environments from using custom registries.

Solution

Added comprehensive proxy image configuration to the Helm chart following existing image configuration patterns:

New Helm Values

proxy:
  image:
    repository: mcr.microsoft.com/oss/azure/workload-identity/proxy
    tag: ""  # defaults to chart appVersion
  initImage:
    repository: mcr.microsoft.com/oss/azure/workload-identity/proxy-init
    tag: ""  # defaults to chart appVersion

Usage Examples

Default behavior (unchanged):

helm install workload-identity-webhook azure-workload-identity/workload-identity-webhook \
  --set azureTenantID="your-tenant-id"

Air-gapped deployment:

helm install workload-identity-webhook azure-workload-identity/workload-identity-webhook \
  --set azureTenantID="your-tenant-id" \
  --set proxy.image.repository="your-registry.example.com/proxy" \
  --set proxy.initImage.repository="your-registry.example.com/proxy-init"

Custom image with specific tag:

helm install workload-identity-webhook azure-workload-identity/workload-identity-webhook \
  --set azureTenantID="your-tenant-id" \
  --set proxy.image.repository="custom.registry.io/my-proxy" \
  --set proxy.image.tag="v2.0.0"

Implementation Details

  • Modified Helm chart generation source in third_party/open-policy-agent/gatekeeper/helmify/
  • Added template helpers for constructing proxy image URLs
  • Updated configmap to expose PROXY_IMAGE and PROXY_INIT_IMAGE environment variables
  • The webhook's existing config parsing automatically consumes these variables
  • Added comprehensive tests for proxy image environment variable parsing
  • Changes only made to manifest_staging/charts directory (will be promoted to charts at release time)

Backward Compatibility

Fully backward compatible - existing deployments continue to work without any changes. When proxy image values are not specified, the webhook falls back to build-time defaults injected via LDFLAGS.

Testing

  • All existing tests pass
  • Added new tests for proxy image configuration parsing
  • Comprehensive Helm template testing with various configuration scenarios
  • Chart linting passes
  • Manual validation of generated manifests

Fixes #1335.


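As an added example (not code from the azure-workload-identity project or from this PR), the following Go program sketches the two rules the description relies on: on the chart side, `proxy.image.repository` holds the full image path and an empty tag falls back to the chart appVersion; on the webhook side, `PROXY_IMAGE` and `PROXY_INIT_IMAGE` override the build-time defaults when set. The default image strings, the appVersion value, the reference regex and the "reject untagged or :latest references" check are assumptions made for the example; the webhook's real parser is not shown on this page.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

// Stand-ins for the build-time defaults. The real webhook receives these via
// -ldflags at build time; the exact values here are assumptions for this example.
var (
	defaultProxyImage     = "mcr.microsoft.com/oss/azure/workload-identity/proxy:v1.0.0"
	defaultProxyInitImage = "mcr.microsoft.com/oss/azure/workload-identity/proxy-init:v1.0.0"
)

// ProxyImages holds the image references the webhook injects as the proxy
// sidecar and its init container.
type ProxyImages struct {
	Proxy     string
	ProxyInit string
}

// ChartImageRef reproduces the chart-side rule described in the PR: the
// repository value carries the full path, and an empty tag falls back to the
// chart's appVersion.
func ChartImageRef(repository, tag, appVersion string) string {
	if tag == "" {
		tag = appVersion
	}
	return repository + ":" + tag
}

// imageRefRe accepts [registry[:port]/]path[:tag][@sha256:digest]. It is a
// deliberately strict subset of the OCI reference grammar written for this
// example, not taken from the project.
var imageRefRe = regexp.MustCompile(
	`^(?:[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?(?::[0-9]+)?/)?` + // optional registry host[:port]/
		`[a-z0-9]+(?:[._-][a-z0-9]+)*(?:/[a-z0-9]+(?:[._-][a-z0-9]+)*)*` + // repository path
		`(?::([A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?` + // optional :tag (group 1)
		`(?:@sha256:([a-f0-9]{64}))?$`) // optional @sha256:digest (group 2)

// ValidateImageRef rejects malformed references and, unless the reference is
// digest-pinned, references that are untagged or tagged :latest. An untagged
// reference silently resolves to :latest on whatever mirror the air-gapped
// cluster points at, which is the drift a pinned deployment is trying to avoid.
func ValidateImageRef(ref string) error {
	m := imageRefRe.FindStringSubmatch(ref)
	if m == nil {
		return fmt.Errorf("malformed image reference %q", ref)
	}
	tag, digest := m[1], m[2]
	if digest != "" {
		return nil // digest-pinned: immutable regardless of tag
	}
	if tag == "" || tag == "latest" {
		return fmt.Errorf("image reference %q needs an explicit non-latest tag or a digest", ref)
	}
	return nil
}

// ResolveProxyImages applies the webhook-side rule: PROXY_IMAGE and
// PROXY_INIT_IMAGE override the build-time defaults when set and non-empty.
// The lookup function is injected so the logic can be exercised without
// mutating the process environment; pass os.LookupEnv for real use.
func ResolveProxyImages(lookup func(string) (string, bool)) (ProxyImages, error) {
	imgs := ProxyImages{Proxy: defaultProxyImage, ProxyInit: defaultProxyInitImage}
	if v, ok := lookup("PROXY_IMAGE"); ok && strings.TrimSpace(v) != "" {
		imgs.Proxy = strings.TrimSpace(v)
	}
	if v, ok := lookup("PROXY_INIT_IMAGE"); ok && strings.TrimSpace(v) != "" {
		imgs.ProxyInit = strings.TrimSpace(v)
	}
	for _, ref := range []string{imgs.Proxy, imgs.ProxyInit} {
		if err := ValidateImageRef(ref); err != nil {
			return ProxyImages{}, err
		}
	}
	return imgs, nil
}

func main() {
	// Constructed environment mirroring the air-gapped helm install example,
	// with the chart having filled in the tag from an assumed appVersion.
	env := map[string]string{
		"PROXY_IMAGE":      ChartImageRef("your-registry.example.com/proxy", "", "v1.5.0"),
		"PROXY_INIT_IMAGE": ChartImageRef("your-registry.example.com/proxy-init", "", "v1.5.0"),
	}
	lookup := func(k string) (string, bool) { v, ok := env[k]; return v, ok }
	imgs, err := ResolveProxyImages(lookup)
	if err != nil {
		fmt.Fprintln(os.Stderr, "config error:", err)
		os.Exit(1)
	}
	fmt.Printf("sidecar: %s\ninit:    %s\n", imgs.Proxy, imgs.ProxyInit)
}
```

The validation step is the part worth carrying into a real deployment: in an air-gapped cluster the registry is usually a mirror that is populated by hand, and a reference that reaches the webhook without a tag or digest will pull whatever `:latest` happens to be on that mirror. Preferring `@sha256:` pins over tags in `proxy.image.repository` (the chart helper would then need to emit `@` rather than `:`) gives the strongest guarantee.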

@Copilot Copilot AI assigned Copilot and enj Aug 20, 2025
Author

Copilot AI commented Aug 20, 2025

@enj 👋 This repository doesn't have Copilot instructions. With Copilot instructions, I can understand the repository better, work faster and produce higher quality PRs.

I can generate a .github/copilot-instructions.md file for you automatically. Click here to open a pre-filled issue and assign it to me. I'll write the instructions, and then tag you for review.

…ironments

Co-authored-by: enj <7001223+enj@users.noreply.github.com>
@Copilot Copilot AI changed the title [WIP] Make sidecar container image configurable in Helm Chart feat: Make sidecar container image configurable in Helm Chart for air-gapped environments Aug 20, 2025
@Copilot Copilot AI requested a review from enj August 20, 2025 19:37
Copilot finished work on behalf of enj August 20, 2025 19:37

_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._

## Air-gapped Environments

@aramase aramase Aug 20, 2025


@copilot Separate section for air-gapped environments isn't required.

Author


Removed the air-gapped environments section from the documentation as requested. The functionality is still available through the simplified proxy image configuration. (46d7b56)


@aramase aramase Aug 20, 2025


@copilot Revert all the changes in the charts/ directory. Chart changes are only to be done in manifest_staging/charts and will be promoted to charts dir at the time of release.

Author


Reverted all changes in the charts/ directory. All chart modifications are now only in manifest_staging/charts and third_party/open-policy-agent/gatekeeper/helmify/static/ as requested. (46d7b56)

| podDisruptionBudget.minAvailable | The minimum number of pods that must be available for the webhook to be considered available | `1` |
| podDisruptionBudget.maxUnavailable | The maximum number of pods that may be unavailable for the webhook to be considered available | `nil` |
| proxy.image.registry | The registry for the proxy sidecar image | `mcr.microsoft.com/oss/azure/workload-identity` |
| proxy.image.repository | The repository for the proxy sidecar image | `proxy` |

@aramase aramase Aug 20, 2025


@copilot just proxy.image.repository is sufficient to hold the whole path for image, no need for proxy.image.registry

Author


Simplified the proxy configuration to use only proxy.image.repository containing the full image path, removing the separate proxy.image.registry field. The configuration is now cleaner and more straightforward. (46d7b56)


aramase commented Aug 21, 2025

@copilot review feedback: #1651 (review)

…g, remove air-gapped section

Co-authored-by: aramase <10608509+aramase@users.noreply.github.com>
@Copilot Copilot AI requested a review from aramase August 21, 2025 18:22
Copilot finished work on behalf of aramase August 21, 2025 18:22
Successfully merging this pull request may close these issues.

Make sidecar container image configurable in Helm Chart