diff --git a/manifest_staging/charts/workload-identity-webhook/README.md b/manifest_staging/charts/workload-identity-webhook/README.md
index b65cd8b4c..596be7ca3 100644
--- a/manifest_staging/charts/workload-identity-webhook/README.md
+++ b/manifest_staging/charts/workload-identity-webhook/README.md
@@ -56,6 +56,10 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide
 | mutatingWebhookNamespaceSelector | The namespace selector to further refine which namespaces will be selected by the webhook. | `{}` |
 | podDisruptionBudget.minAvailable | The minimum number of pods that must be available for the webhook to be considered available | `1` |
 | podDisruptionBudget.maxUnavailable | The maximum number of pods that may be unavailable for the webhook to be considered available | `nil` |
+| proxy.image.repository | The full image repository for the proxy sidecar image | `mcr.microsoft.com/oss/azure/workload-identity/proxy` |
+| proxy.image.tag | The tag for the proxy sidecar image (defaults to chart appVersion) | `` |
+| proxy.initImage.repository | The full image repository for the proxy init image | `mcr.microsoft.com/oss/azure/workload-identity/proxy-init` |
+| proxy.initImage.tag | The tag for the proxy init image (defaults to chart appVersion) | `` |
 | revisionHistoryLimit | The number of old ReplicaSets to retain for the webhook deployment | `10` |
 
 ## Contributing Changes
diff --git a/manifest_staging/charts/workload-identity-webhook/templates/_helpers.tpl b/manifest_staging/charts/workload-identity-webhook/templates/_helpers.tpl
index 90017db71..e2f6bb1a3 100644
--- a/manifest_staging/charts/workload-identity-webhook/templates/_helpers.tpl
+++ b/manifest_staging/charts/workload-identity-webhook/templates/_helpers.tpl
@@ -58,3 +58,19 @@ Adds the pod labels.
 {{- toYaml .Values.podLabels | nindent 8 }}
 {{- end }}
 {{- end }}
+
+{{/*
+Proxy sidecar image
+*/}}
+{{- define "workload-identity-webhook.proxy.image" -}}
+{{- $tag := .Values.proxy.image.tag | default .Chart.AppVersion -}}
+{{- printf "%s:%s" .Values.proxy.image.repository $tag -}}
+{{- end }}
+
+{{/*
+Proxy init image
+*/}}
+{{- define "workload-identity-webhook.proxy.initImage" -}}
+{{- $tag := .Values.proxy.initImage.tag | default .Chart.AppVersion -}}
+{{- printf "%s:%s" .Values.proxy.initImage.repository $tag -}}
+{{- end }}
diff --git a/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-config-configmap.yaml b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-config-configmap.yaml
index f4d7754c6..9258245e1 100644
--- a/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-config-configmap.yaml
+++ b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-config-configmap.yaml
@@ -2,6 +2,8 @@ apiVersion: v1
 data:
 AZURE_ENVIRONMENT: {{ .Values.azureEnvironment | default "AzurePublicCloud" }}
 AZURE_TENANT_ID: {{ required "A valid .Values.azureTenantID entry required!" .Values.azureTenantID }}
+ PROXY_IMAGE: {{ include "workload-identity-webhook.proxy.image" . }}
+ PROXY_INIT_IMAGE: {{ include "workload-identity-webhook.proxy.initImage" . }}
 kind: ConfigMap
 metadata:
 labels:
diff --git a/manifest_staging/charts/workload-identity-webhook/values.yaml b/manifest_staging/charts/workload-identity-webhook/values.yaml
index d3b70e465..36997282f 100644
--- a/manifest_staging/charts/workload-identity-webhook/values.yaml
+++ b/manifest_staging/charts/workload-identity-webhook/values.yaml
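Review bot: The new `workload-identity-webhook.proxy.image` helper can only produce a `repository:tag` reference, so a chart user has no way to pin the proxy image by digest, which is the usual supply-chain control for an image the webhook presumably injects into other workloads' pods; an optional `.Values.proxy.image.digest` that switches the helper to `repository@digest` would close that gap. The helper also assumes `.Values.proxy.image.repository` is non-empty, and a blank override currently renders an image reference with an empty repository part rather than failing at `helm template` time, so wrapping it in `required` is worth considering. Both remarks apply equally to `workload-identity-webhook.proxy.initImage` below it and to the byte-identical copy of this file under third_party/open-policy-agent/gatekeeper/helmify/static (same blob ids 90017db71..e2f6bb1a3), which must be kept in step.
```gotmpl
{{- define "workload-identity-webhook.proxy.image" -}}
{{- $repo := required "A valid .Values.proxy.image.repository entry required!" .Values.proxy.image.repository -}}
{{- if .Values.proxy.image.digest -}}
{{- printf "%s@%s" $repo .Values.proxy.image.digest -}}
{{- else -}}
{{- $tag := .Values.proxy.image.tag | default .Chart.AppVersion -}}
{{- printf "%s:%s" $repo $tag -}}
{{- end -}}
{{- end }}
{{/* … unchanged: the initImage helper takes the same shape with .Values.proxy.initImage … */}}
```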
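Review bot: `PROXY_IMAGE` and `PROXY_INIT_IMAGE` are emitted as unquoted plain scalars, so a user-supplied repository or tag that is not a valid YAML plain scalar (one containing `: `, ` #`, or starting with an indicator character) breaks the rendered ConfigMap or silently changes the stored value. `AZURE_TENANT_ID` above has the same shape but a far more constrained value, so the risk is new with these keys. Pipe both through `quote`: `PROXY_IMAGE: {{ include "workload-identity-webhook.proxy.image" . | quote }}` and likewise for `PROXY_INIT_IMAGE`. The `HELMSUBST_CONFIGMAP_PROXY_IMAGE` and `HELMSUBST_CONFIGMAP_PROXY_INIT_IMAGE` replacement strings added in third_party/open-policy-agent/gatekeeper/helmify/replacements.go produce the same unquoted output and need the same `| quote`.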
@@ -8,6 +8,16 @@ image:
 pullPolicy: IfNotPresent
 # Overrides the image tag whose default is the chart appVersion.
 release: v1.5.1
+# Proxy sidecar image configuration
+proxy:
+ image:
+ repository: mcr.microsoft.com/oss/azure/workload-identity/proxy
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
+ initImage:
+ repository: mcr.microsoft.com/oss/azure/workload-identity/proxy-init
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
 imagePullSecrets: []
 nodeSelector:
 kubernetes.io/os: linux
diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
index 2dc43c980..4f5f66d31 100644
--- a/pkg/config/config_test.go
+++ b/pkg/config/config_test.go
@@ -60,3 +60,55 @@ func TestParseConfig(t *testing.T) {
 })
 }
 }
+
+func TestParseConfigProxyImages(t *testing.T) {
+ tests := []struct {
+ name string
+ tenantID string
+ proxyImage string
+ proxyInitImage string
+ wantProxyImage string
+ wantProxyInitImage string
+ }{
+ {
+ name: "default empty proxy images",
+ tenantID: "tenant-id",
+ proxyImage: "",
+ proxyInitImage: "",
+ wantProxyImage: "",
+ wantProxyInitImage: "",
+ },
+ {
+ name: "custom proxy images",
+ tenantID: "tenant-id",
+ proxyImage: "my-registry.com/proxy:v2.0.0",
+ proxyInitImage: "my-registry.com/proxy-init:v2.0.0",
+ wantProxyImage: "my-registry.com/proxy:v2.0.0",
+ wantProxyInitImage: "my-registry.com/proxy-init:v2.0.0",
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ os.Setenv("AZURE_TENANT_ID", tt.tenantID)
+ os.Setenv("PROXY_IMAGE", tt.proxyImage)
+ os.Setenv("PROXY_INIT_IMAGE", tt.proxyInitImage)
+ defer func() {
+ os.Unsetenv("AZURE_TENANT_ID")
+ os.Unsetenv("PROXY_IMAGE")
+ os.Unsetenv("PROXY_INIT_IMAGE")
+ }()
+
+ c, err := ParseConfig()
+ if err != nil {
+ t.Fatalf("ParseConfig() error = %v", err)
+ }
+ if c.ProxyImage != tt.wantProxyImage {
+ t.Errorf("ParseConfig() ProxyImage = %v, want %v", c.ProxyImage, tt.wantProxyImage)
+ }
+ if c.ProxyInitImage != tt.wantProxyInitImage {
+ t.Errorf("ParseConfig() ProxyInitImage = %v, want %v", c.ProxyInitImage, tt.wantProxyInitImage)
+ }
+ })
+ }
+}
diff --git a/third_party/open-policy-agent/gatekeeper/helmify/kustomize-for-helm.yaml b/third_party/open-policy-agent/gatekeeper/helmify/kustomize-for-helm.yaml
index 41bc460a9..9f43987cf 100644
--- a/third_party/open-policy-agent/gatekeeper/helmify/kustomize-for-helm.yaml
+++ b/third_party/open-policy-agent/gatekeeper/helmify/kustomize-for-helm.yaml
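Review bot: `TestParseConfigProxyImages` sets the three variables with `os.Setenv` and tears them down with `os.Unsetenv` in a `defer`, which discards any `AZURE_TENANT_ID`, `PROXY_IMAGE` or `PROXY_INIT_IMAGE` that was already in the process environment instead of restoring it, and would race silently with any subtest in the package that later adopts `t.Parallel()`. `t.Setenv("PROXY_IMAGE", tt.proxyImage)` (and the same for the other two) restores the prior value on cleanup and fails loudly under `t.Parallel`, so the whole `defer func() { … }()` block can be dropped. Separately, the "default empty proxy images" case pins `ParseConfig()` to return an empty `ProxyImage`/`ProxyInitImage` when the variables are unset, i.e. no compiled-in fallback; if that is deliberate it deserves a one-line comment on the case, since a webhook started against an older ConfigMap that lacks the new keys would then presumably carry an empty image name into whatever consumes it. `ParseConfig` itself is outside this hunk, so the intended fallback behaviour cannot be confirmed here.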
@@ -2,6 +2,8 @@ apiVersion: v1
 data:
 AZURE_ENVIRONMENT: HELMSUBST_CONFIGMAP_AZURE_ENVIRONMENT
 AZURE_TENANT_ID: HELMSUBST_CONFIGMAP_AZURE_TENANT_ID
+ PROXY_IMAGE: HELMSUBST_CONFIGMAP_PROXY_IMAGE
+ PROXY_INIT_IMAGE: HELMSUBST_CONFIGMAP_PROXY_INIT_IMAGE
 kind: ConfigMap
 metadata:
 name: azure-wi-webhook-config
diff --git a/third_party/open-policy-agent/gatekeeper/helmify/replacements.go b/third_party/open-policy-agent/gatekeeper/helmify/replacements.go
index 907019693..35556eaed 100644
--- a/third_party/open-policy-agent/gatekeeper/helmify/replacements.go
+++ b/third_party/open-policy-agent/gatekeeper/helmify/replacements.go
@@ -21,6 +21,10 @@ var replacements = map[string]string{ "HELMSUBST_CONFIGMAP_AZURE_TENANT_ID": `{{ required "A valid .Values.azureTenantID entry required!" .Values.azureTenantID }}`, + "HELMSUBST_CONFIGMAP_PROXY_IMAGE": `{{ include "workload-identity-webhook.proxy.image" . }}`, + + "HELMSUBST_CONFIGMAP_PROXY_INIT_IMAGE": `{{ include "workload-identity-webhook.proxy.initImage" . }}`, + `HELMSUBST_SERVICE_TYPE: ""`: `{{- if .Values.service }} type: {{ .Values.service.type | default "ClusterIP" }} {{- end }}`,
diff --git a/third_party/open-policy-agent/gatekeeper/helmify/static/README.md b/third_party/open-policy-agent/gatekeeper/helmify/static/README.md
index b65cd8b4c..596be7ca3 100644
--- a/third_party/open-policy-agent/gatekeeper/helmify/static/README.md
+++ b/third_party/open-policy-agent/gatekeeper/helmify/static/README.md
@@ -56,6 +56,10 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide
 | mutatingWebhookNamespaceSelector | The namespace selector to further refine which namespaces will be selected by the webhook. | `{}` |
 | podDisruptionBudget.minAvailable | The minimum number of pods that must be available for the webhook to be considered available | `1` |
 | podDisruptionBudget.maxUnavailable | The maximum number of pods that may be unavailable for the webhook to be considered available | `nil` |
+| proxy.image.repository | The full image repository for the proxy sidecar image | `mcr.microsoft.com/oss/azure/workload-identity/proxy` |
+| proxy.image.tag | The tag for the proxy sidecar image (defaults to chart appVersion) | `` |
+| proxy.initImage.repository | The full image repository for the proxy init image | `mcr.microsoft.com/oss/azure/workload-identity/proxy-init` |
+| proxy.initImage.tag | The tag for the proxy init image (defaults to chart appVersion) | `` |
 | revisionHistoryLimit | The number of old ReplicaSets to retain for the webhook deployment | `10` |
 
 ## Contributing Changes
diff --git a/third_party/open-policy-agent/gatekeeper/helmify/static/templates/_helpers.tpl b/third_party/open-policy-agent/gatekeeper/helmify/static/templates/_helpers.tpl
index 90017db71..e2f6bb1a3 100644
--- a/third_party/open-policy-agent/gatekeeper/helmify/static/templates/_helpers.tpl
+++ b/third_party/open-policy-agent/gatekeeper/helmify/static/templates/_helpers.tpl
@@ -58,3 +58,19 @@ Adds the pod labels.
 {{- toYaml .Values.podLabels | nindent 8 }}
 {{- end }}
 {{- end }}
+
+{{/*
+Proxy sidecar image
+*/}}
+{{- define "workload-identity-webhook.proxy.image" -}}
+{{- $tag := .Values.proxy.image.tag | default .Chart.AppVersion -}}
+{{- printf "%s:%s" .Values.proxy.image.repository $tag -}}
+{{- end }}
+
+{{/*
+Proxy init image
+*/}}
+{{- define "workload-identity-webhook.proxy.initImage" -}}
+{{- $tag := .Values.proxy.initImage.tag | default .Chart.AppVersion -}}
+{{- printf "%s:%s" .Values.proxy.initImage.repository $tag -}}
+{{- end }}
diff --git a/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml b/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml
index d3b70e465..36997282f 100644
--- a/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml
+++ b/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml
@@ -8,6 +8,16 @@ image:
 pullPolicy: IfNotPresent
 # Overrides the image tag whose default is the chart appVersion.
 release: v1.5.1
+# Proxy sidecar image configuration
+proxy:
+ image:
+ repository: mcr.microsoft.com/oss/azure/workload-identity/proxy
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
+ initImage:
+ repository: mcr.microsoft.com/oss/azure/workload-identity/proxy-init
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
 imagePullSecrets: []
 nodeSelector:
 kubernetes.io/os: linux