feat: Make sidecar container image configurable in Helm Chart for air-gapped environments

manifest_staging/charts/workload-identity-webhook/README.md

@@ -56,6 +56,10 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide
 | mutatingWebhookNamespaceSelector   | The namespace selector to further refine which namespaces will be selected by the webhook.                                        | `{}`                                                    |
 | podDisruptionBudget.minAvailable   | The minimum number of pods that must be available for the webhook to be considered available                                      | `1`                                                     |
 | podDisruptionBudget.maxUnavailable | The maximum number of pods that may be unavailable for the webhook to be considered available                                     | `nil`                                                   |
+| proxy.image.repository             | The full image repository for the proxy sidecar image                                                                            | `mcr.microsoft.com/oss/azure/workload-identity/proxy`  |
+| proxy.image.tag                    | The tag for the proxy sidecar image (defaults to chart appVersion)                                                               | ``                                                      |
+| proxy.initImage.repository         | The full image repository for the proxy init image                                                                               | `mcr.microsoft.com/oss/azure/workload-identity/proxy-init` |
+| proxy.initImage.tag                | The tag for the proxy init image (defaults to chart appVersion)                                                                  | ``                                                      |
 | revisionHistoryLimit               | The number of old ReplicaSets to retain for the webhook deployment                                                                | `10`                                                    |
 
 ## Contributing Changes

manifest_staging/charts/workload-identity-webhook/templates/_helpers.tpl

@@ -58,3 +58,19 @@ Adds the pod labels.
 {{- toYaml .Values.podLabels | nindent 8 }}
 {{- end }}
 {{- end }}
+
+{{/*
+Proxy sidecar image
+*/}}
+{{- define "workload-identity-webhook.proxy.image" -}}
+{{- $tag := .Values.proxy.image.tag | default .Chart.AppVersion -}}
+{{- printf "%s:%s" .Values.proxy.image.repository $tag -}}
+{{- end }}
+
+{{/*
+Proxy init image
+*/}}
+{{- define "workload-identity-webhook.proxy.initImage" -}}
+{{- $tag := .Values.proxy.initImage.tag | default .Chart.AppVersion -}}
+{{- printf "%s:%s" .Values.proxy.initImage.repository $tag -}}
+{{- end }}

manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-config-configmap.yaml

@@ -2,6 +2,8 @@ apiVersion: v1
 data:
   AZURE_ENVIRONMENT: {{ .Values.azureEnvironment | default "AzurePublicCloud" }}
   AZURE_TENANT_ID: {{ required "A valid .Values.azureTenantID entry required!" .Values.azureTenantID }}
+  PROXY_IMAGE: {{ include "workload-identity-webhook.proxy.image" . }}
+  PROXY_INIT_IMAGE: {{ include "workload-identity-webhook.proxy.initImage" . }}
 kind: ConfigMap
 metadata:
   labels:

manifest_staging/charts/workload-identity-webhook/values.yaml

@@ -8,6 +8,16 @@ image:
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
   release: v1.5.1
+# Proxy sidecar image configuration  
+proxy:
+  image:
+    repository: mcr.microsoft.com/oss/azure/workload-identity/proxy
+    # Overrides the image tag whose default is the chart appVersion.
+    tag: ""
+  initImage:
+    repository: mcr.microsoft.com/oss/azure/workload-identity/proxy-init
+    # Overrides the image tag whose default is the chart appVersion.
+    tag: ""
 imagePullSecrets: []
 nodeSelector:
   kubernetes.io/os: linux

pkg/config/config_test.go

@@ -60,3 +60,55 @@ func TestParseConfig(t *testing.T) {
 		})
 	}
 }
+
+func TestParseConfigProxyImages(t *testing.T) {
+	tests := []struct {
+		name               string
+		tenantID           string
+		proxyImage         string
+		proxyInitImage     string
+		wantProxyImage     string
+		wantProxyInitImage string
+	}{
+		{
+			name:               "default empty proxy images",
+			tenantID:           "tenant-id",
+			proxyImage:         "",
+			proxyInitImage:     "",
+			wantProxyImage:     "",
+			wantProxyInitImage: "",
+		},
+		{
+			name:               "custom proxy images",
+			tenantID:           "tenant-id",
+			proxyImage:         "my-registry.com/proxy:v2.0.0",
+			proxyInitImage:     "my-registry.com/proxy-init:v2.0.0",
+			wantProxyImage:     "my-registry.com/proxy:v2.0.0",
+			wantProxyInitImage: "my-registry.com/proxy-init:v2.0.0",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			os.Setenv("AZURE_TENANT_ID", tt.tenantID)
+			os.Setenv("PROXY_IMAGE", tt.proxyImage)
+			os.Setenv("PROXY_INIT_IMAGE", tt.proxyInitImage)
+			defer func() {
+				os.Unsetenv("AZURE_TENANT_ID")
+				os.Unsetenv("PROXY_IMAGE")
+				os.Unsetenv("PROXY_INIT_IMAGE")
+			}()
+
+			c, err := ParseConfig()
+			if err != nil {
+				t.Fatalf("ParseConfig() error = %v", err)
+			}
+			if c.ProxyImage != tt.wantProxyImage {
+				t.Errorf("ParseConfig() ProxyImage = %v, want %v", c.ProxyImage, tt.wantProxyImage)
+			}
+			if c.ProxyInitImage != tt.wantProxyInitImage {
+				t.Errorf("ParseConfig() ProxyInitImage = %v, want %v", c.ProxyInitImage, tt.wantProxyInitImage)
+			}
+		})
+	}
+}

third_party/open-policy-agent/gatekeeper/helmify/kustomize-for-helm.yaml

@@ -2,6 +2,8 @@ apiVersion: v1
 data:
   AZURE_ENVIRONMENT: HELMSUBST_CONFIGMAP_AZURE_ENVIRONMENT
   AZURE_TENANT_ID: HELMSUBST_CONFIGMAP_AZURE_TENANT_ID
+  PROXY_IMAGE: HELMSUBST_CONFIGMAP_PROXY_IMAGE
+  PROXY_INIT_IMAGE: HELMSUBST_CONFIGMAP_PROXY_INIT_IMAGE
 kind: ConfigMap
 metadata:
   name: azure-wi-webhook-config

third_party/open-policy-agent/gatekeeper/helmify/replacements.go

@@ -21,6 +21,10 @@ var replacements = map[string]string{
 
 	"HELMSUBST_CONFIGMAP_AZURE_TENANT_ID": `{{ required "A valid .Values.azureTenantID entry required!" .Values.azureTenantID }}`,
 
+	"HELMSUBST_CONFIGMAP_PROXY_IMAGE": `{{ include "workload-identity-webhook.proxy.image" . }}`,
+
+	"HELMSUBST_CONFIGMAP_PROXY_INIT_IMAGE": `{{ include "workload-identity-webhook.proxy.initImage" . }}`,
+
 	`HELMSUBST_SERVICE_TYPE: ""`: `{{- if .Values.service }}
   type: {{  .Values.service.type | default "ClusterIP" }}
   {{- end }}`,

third_party/open-policy-agent/gatekeeper/helmify/static/README.md

@@ -56,6 +56,10 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide
 | mutatingWebhookNamespaceSelector   | The namespace selector to further refine which namespaces will be selected by the webhook.                                        | `{}`                                                    |
 | podDisruptionBudget.minAvailable   | The minimum number of pods that must be available for the webhook to be considered available                                      | `1`                                                     |
 | podDisruptionBudget.maxUnavailable | The maximum number of pods that may be unavailable for the webhook to be considered available                                     | `nil`                                                   |
+| proxy.image.repository             | The full image repository for the proxy sidecar image                                                                            | `mcr.microsoft.com/oss/azure/workload-identity/proxy`  |
+| proxy.image.tag                    | The tag for the proxy sidecar image (defaults to chart appVersion)                                                               | ``                                                      |
+| proxy.initImage.repository         | The full image repository for the proxy init image                                                                               | `mcr.microsoft.com/oss/azure/workload-identity/proxy-init` |
+| proxy.initImage.tag                | The tag for the proxy init image (defaults to chart appVersion)                                                                  | ``                                                      |
 | revisionHistoryLimit               | The number of old ReplicaSets to retain for the webhook deployment                                                                | `10`                                                    |
 
 ## Contributing Changes

third_party/open-policy-agent/gatekeeper/helmify/static/templates/_helpers.tpl

@@ -58,3 +58,19 @@ Adds the pod labels.
 {{- toYaml .Values.podLabels | nindent 8 }}
 {{- end }}
 {{- end }}
+
+{{/*
+Proxy sidecar image
+*/}}
+{{- define "workload-identity-webhook.proxy.image" -}}
+{{- $tag := .Values.proxy.image.tag | default .Chart.AppVersion -}}
+{{- printf "%s:%s" .Values.proxy.image.repository $tag -}}
+{{- end }}
+
+{{/*
+Proxy init image
+*/}}
+{{- define "workload-identity-webhook.proxy.initImage" -}}
+{{- $tag := .Values.proxy.initImage.tag | default .Chart.AppVersion -}}
+{{- printf "%s:%s" .Values.proxy.initImage.repository $tag -}}
+{{- end }}

third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml

@@ -8,6 +8,16 @@ image:
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
   release: v1.5.1
+# Proxy sidecar image configuration  
+proxy:
+  image:
+    repository: mcr.microsoft.com/oss/azure/workload-identity/proxy
+    # Overrides the image tag whose default is the chart appVersion.
+    tag: ""
+  initImage:
+    repository: mcr.microsoft.com/oss/azure/workload-identity/proxy-init
+    # Overrides the image tag whose default is the chart appVersion.
+    tag: ""
 imagePullSecrets: []
 nodeSelector:
   kubernetes.io/os: linux