From 45ef271e6697eadc628e70cc1f4f6b770ed3507f Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 20 Aug 2025 19:18:19 +0000 Subject: [PATCH 1/3] Initial plan From 93e75503b33d5b00d84cd453d4377a7a6f0092b2 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 20 Aug 2025 19:35:57 +0000 Subject: [PATCH 2/3] Add configurable proxy image support to Helm chart for air-gapped environments Co-authored-by: enj <7001223+enj@users.noreply.github.com> --- charts/workload-identity-webhook/README.md | 32 ++++++++++++ .../templates/_helpers.tpl | 16 ++++++ .../azure-wi-webhook-config-configmap.yaml | 2 + ...webhook-controller-manager-deployment.yaml | 5 ++ charts/workload-identity-webhook/values.yaml | 13 +++++ .../workload-identity-webhook/README.md | 30 +++++++++++ .../templates/_helpers.tpl | 16 ++++++ .../azure-wi-webhook-config-configmap.yaml | 2 + .../workload-identity-webhook/values.yaml | 12 +++++ pkg/config/config_test.go | 52 +++++++++++++++++++ .../helmify/kustomize-for-helm.yaml | 2 + .../gatekeeper/helmify/replacements.go | 4 ++ .../gatekeeper/helmify/static/README.md | 30 +++++++++++ .../helmify/static/templates/_helpers.tpl | 16 ++++++ .../gatekeeper/helmify/static/values.yaml | 12 +++++ 15 files changed, 244 insertions(+) diff --git a/charts/workload-identity-webhook/README.md b/charts/workload-identity-webhook/README.md index f9b537a83..a3a42de07 100644 --- a/charts/workload-identity-webhook/README.md +++ b/charts/workload-identity-webhook/README.md 
@@ -21,6 +21,30 @@ _See [parameters](#parameters) below._ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ +## Air-gapped Environments + +For air-gapped environments where you need to use a custom registry for proxy sidecar containers, you can configure the proxy image settings: + +```console +# Install with custom registry for proxy images +helm install -n azure-workload-identity-system workload-identity-webhook azure-workload-identity/workload-identity-webhook \ + --set azureTenantID="your-tenant-id" \ + --set proxy.image.registry="your-registry.example.com" \ + --set proxy.initImage.registry="your-registry.example.com" \ + --create-namespace + +# Or with completely custom image references +helm install -n azure-workload-identity-system workload-identity-webhook azure-workload-identity/workload-identity-webhook \ + --set azureTenantID="your-tenant-id" \ + --set proxy.image.registry="your-registry.example.com" \ + --set proxy.image.repository="custom-proxy" \ + --set proxy.image.tag="v1.0.0" \ + --set proxy.initImage.registry="your-registry.example.com" \ + --set proxy.initImage.repository="custom-proxy-init" \ + --set proxy.initImage.tag="v1.0.0" \ + --create-namespace +``` + ## Upgrade Chart ```console @@ -39,6 +63,7 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | | resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi | | affinity | The node affinity to use for pod scheduling | `{}` | +| topologySpreadConstraints | The topology spread constraints to use for pod scheduling | `[]` | | tolerations | The tolerations to use for pod scheduling | `[]` | | service.type | Service type | `ClusterIP` | | service.port | Service port | `443` | 
@@ -55,6 +80,13 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide | mutatingWebhookNamespaceSelector | The namespace selector to further refine which namespaces will be selected by the webhook. | `{}` | | podDisruptionBudget.minAvailable | The minimum number of pods that must be available for the webhook to be considered available | `1` | | podDisruptionBudget.maxUnavailable | The maximum number of pods that may be unavailable for the webhook to be considered available | `nil` | +| proxy.image.registry | The registry for the proxy sidecar image | `mcr.microsoft.com/oss/azure/workload-identity` | +| proxy.image.repository | The repository for the proxy sidecar image | `proxy` | +| proxy.image.tag | The tag for the proxy sidecar image (defaults to chart appVersion) | `` | +| proxy.initImage.registry | The registry for the proxy init image | `mcr.microsoft.com/oss/azure/workload-identity` | +| proxy.initImage.repository | The repository for the proxy init image | `proxy-init` | +| proxy.initImage.tag | The tag for the proxy init image (defaults to chart appVersion) | `` | +| revisionHistoryLimit | The number of old ReplicaSets to retain for the webhook deployment | `10` | ## Contributing Changes diff --git a/charts/workload-identity-webhook/templates/_helpers.tpl b/charts/workload-identity-webhook/templates/_helpers.tpl index 90017db71..75f8397da 100644 --- a/charts/workload-identity-webhook/templates/_helpers.tpl +++ b/charts/workload-identity-webhook/templates/_helpers.tpl 
@@ -58,3 +58,19 @@ Adds the pod labels.
 {{- toYaml .Values.podLabels | nindent 8 }}
 {{- end }}
 {{- end }}
+
+{{/*
+Proxy sidecar image
+*/}}
+{{- define "workload-identity-webhook.proxy.image" -}}
+{{- $tag := .Values.proxy.image.tag | default .Chart.AppVersion -}}
+{{- printf "%s/%s:%s" .Values.proxy.image.registry .Values.proxy.image.repository $tag -}}
+{{- end }}
+
+{{/*
+Proxy init image
+*/}}
+{{- define "workload-identity-webhook.proxy.initImage" -}}
+{{- $tag := .Values.proxy.initImage.tag | default .Chart.AppVersion -}}
+{{- printf "%s/%s:%s" .Values.proxy.initImage.registry .Values.proxy.initImage.repository $tag -}}
+{{- end }}
diff --git a/charts/workload-identity-webhook/templates/azure-wi-webhook-config-configmap.yaml b/charts/workload-identity-webhook/templates/azure-wi-webhook-config-configmap.yaml
index f4d7754c6..9258245e1 100644
--- a/charts/workload-identity-webhook/templates/azure-wi-webhook-config-configmap.yaml
+++ b/charts/workload-identity-webhook/templates/azure-wi-webhook-config-configmap.yaml
@@ -2,6 +2,8 @@ apiVersion: v1
 data:
 AZURE_ENVIRONMENT: {{ .Values.azureEnvironment | default "AzurePublicCloud" }}
 AZURE_TENANT_ID: {{ required "A valid .Values.azureTenantID entry required!" .Values.azureTenantID }}
+ PROXY_IMAGE: {{ include "workload-identity-webhook.proxy.image" . }}
+ PROXY_INIT_IMAGE: {{ include "workload-identity-webhook.proxy.initImage" . }}
 kind: ConfigMap
 metadata:
 labels:
diff --git a/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml b/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml
index 09fab66b4..10a6222c6 100644
--- a/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml
+++ b/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml
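Review bot: Neither `registry` nor `repository` is checked before the `printf`, so `--set proxy.image.registry=""` renders `/proxy:<appVersion>` and the webhook later injects an unpullable reference into every mutated pod instead of the chart failing at `helm install`; wrap the value, e.g. `{{- printf "%s/%s:%s" (required "proxy.image.registry is required" .Values.proxy.image.registry) .Values.proxy.image.repository $tag -}}`, and do the same for the init image. The identical helper is added verbatim in the manifest_staging and third_party helmify copies, and the repository-only form that PATCH 3/3 switches to has the same gap for an empty `repository`.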
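Review bot: `PROXY_IMAGE` and `PROXY_INIT_IMAGE` are emitted as unquoted plain scalars, so an operator-supplied repository or tag containing a character YAML treats specially (a leading `@`, or ` #`) changes the document parse rather than the image string; `PROXY_IMAGE: {{ include "workload-identity-webhook.proxy.image" . | quote }}` keeps the rendered value a string whatever the override contains. A short comment above the two keys would also help, since this ConfigMap now decides which image the webhook injects into every pod it mutates: write access to it in the webhook namespace is presumably equivalent to choosing that sidecar, which is worth stating for whoever reviews RBAC. The same two lines are added in the manifest_staging copy and, through HELMSUBST placeholders, in the helmify kustomize file.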
@@ -9,6 +9,9 @@ metadata:
 name: azure-wi-webhook-controller-manager
 namespace: '{{ .Release.Namespace }}'
 spec:
+ {{- if .Values.revisionHistoryLimit }}
+ revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
+ {{- end }}
 replicas: {{ .Values.replicaCount }}
 selector:
 matchLabels:
@@ -94,6 +97,8 @@ spec:
 serviceAccountName: azure-wi-webhook-admin
 tolerations:
 {{- toYaml .Values.tolerations | nindent 8 }}
+ topologySpreadConstraints:
+ {{- toYaml .Values.topologySpreadConstraints | nindent 8 }}
 volumes:
 - name: cert
 secret:
diff --git a/charts/workload-identity-webhook/values.yaml b/charts/workload-identity-webhook/values.yaml
index 0da16171d..4f6cb99bb 100644
--- a/charts/workload-identity-webhook/values.yaml
+++ b/charts/workload-identity-webhook/values.yaml
@@ -8,6 +8,18 @@ image:
 pullPolicy: IfNotPresent
 # Overrides the image tag whose default is the chart appVersion.
 release: v1.5.1
+# Proxy sidecar image configuration
+proxy:
+ image:
+ registry: mcr.microsoft.com/oss/azure/workload-identity
+ repository: proxy
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
+ initImage:
+ registry: mcr.microsoft.com/oss/azure/workload-identity
+ repository: proxy-init
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
 imagePullSecrets: []
 nodeSelector:
 kubernetes.io/os: linux
@@ -20,6 +32,7 @@ resources:
 memory: 20Mi
 tolerations: []
 affinity: {}
+topologySpreadConstraints: []
 service:
 type: ClusterIP
 port: 443
diff --git a/manifest_staging/charts/workload-identity-webhook/README.md b/manifest_staging/charts/workload-identity-webhook/README.md
index b65cd8b4c..a3a42de07 100644
--- a/manifest_staging/charts/workload-identity-webhook/README.md
+++ b/manifest_staging/charts/workload-identity-webhook/README.md
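Review bot: `{{- if .Values.revisionHistoryLimit }}` is false for the integer 0, so a user who sets `revisionHistoryLimit: 0` to keep no old ReplicaSets silently gets the Kubernetes default instead; test for presence rather than truthiness, `{{- if hasKey .Values "revisionHistoryLimit" }}`. This charts/ hunk is reverted again in PATCH 3/3, so if the same guard exists in the manifest_staging source template (not part of this diff) that is where the fix belongs.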
@@ -21,6 +21,30 @@ _See [parameters](#parameters) below._ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ +## Air-gapped Environments + +For air-gapped environments where you need to use a custom registry for proxy sidecar containers, you can configure the proxy image settings: + +```console +# Install with custom registry for proxy images +helm install -n azure-workload-identity-system workload-identity-webhook azure-workload-identity/workload-identity-webhook \ + --set azureTenantID="your-tenant-id" \ + --set proxy.image.registry="your-registry.example.com" \ + --set proxy.initImage.registry="your-registry.example.com" \ + --create-namespace + +# Or with completely custom image references +helm install -n azure-workload-identity-system workload-identity-webhook azure-workload-identity/workload-identity-webhook \ + --set azureTenantID="your-tenant-id" \ + --set proxy.image.registry="your-registry.example.com" \ + --set proxy.image.repository="custom-proxy" \ + --set proxy.image.tag="v1.0.0" \ + --set proxy.initImage.registry="your-registry.example.com" \ + --set proxy.initImage.repository="custom-proxy-init" \ + --set proxy.initImage.tag="v1.0.0" \ + --create-namespace +``` + ## Upgrade Chart ```console 
@@ -56,6 +80,12 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide | mutatingWebhookNamespaceSelector | The namespace selector to further refine which namespaces will be selected by the webhook. | `{}` | | podDisruptionBudget.minAvailable | The minimum number of pods that must be available for the webhook to be considered available | `1` | | podDisruptionBudget.maxUnavailable | The maximum number of pods that may be unavailable for the webhook to be considered available | `nil` | +| proxy.image.registry | The registry for the proxy sidecar image | `mcr.microsoft.com/oss/azure/workload-identity` | +| proxy.image.repository | The repository for the proxy sidecar image | `proxy` | +| proxy.image.tag | The tag for the proxy sidecar image (defaults to chart appVersion) | `` | +| proxy.initImage.registry | The registry for the proxy init image | `mcr.microsoft.com/oss/azure/workload-identity` | +| proxy.initImage.repository | The repository for the proxy init image | `proxy-init` | +| proxy.initImage.tag | The tag for the proxy init image (defaults to chart appVersion) | `` | | revisionHistoryLimit | The number of old ReplicaSets to retain for the webhook deployment | `10` | ## Contributing Changes diff --git a/manifest_staging/charts/workload-identity-webhook/templates/_helpers.tpl b/manifest_staging/charts/workload-identity-webhook/templates/_helpers.tpl index 90017db71..75f8397da 100644 --- a/manifest_staging/charts/workload-identity-webhook/templates/_helpers.tpl +++ b/manifest_staging/charts/workload-identity-webhook/templates/_helpers.tpl 
@@ -58,3 +58,19 @@ Adds the pod labels.
 {{- toYaml .Values.podLabels | nindent 8 }}
 {{- end }}
 {{- end }}
+
+{{/*
+Proxy sidecar image
+*/}}
+{{- define "workload-identity-webhook.proxy.image" -}}
+{{- $tag := .Values.proxy.image.tag | default .Chart.AppVersion -}}
+{{- printf "%s/%s:%s" .Values.proxy.image.registry .Values.proxy.image.repository $tag -}}
+{{- end }}
+
+{{/*
+Proxy init image
+*/}}
+{{- define "workload-identity-webhook.proxy.initImage" -}}
+{{- $tag := .Values.proxy.initImage.tag | default .Chart.AppVersion -}}
+{{- printf "%s/%s:%s" .Values.proxy.initImage.registry .Values.proxy.initImage.repository $tag -}}
+{{- end }}
diff --git a/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-config-configmap.yaml b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-config-configmap.yaml
index f4d7754c6..9258245e1 100644
--- a/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-config-configmap.yaml
+++ b/manifest_staging/charts/workload-identity-webhook/templates/azure-wi-webhook-config-configmap.yaml
@@ -2,6 +2,8 @@ apiVersion: v1
 data:
 AZURE_ENVIRONMENT: {{ .Values.azureEnvironment | default "AzurePublicCloud" }}
 AZURE_TENANT_ID: {{ required "A valid .Values.azureTenantID entry required!" .Values.azureTenantID }}
+ PROXY_IMAGE: {{ include "workload-identity-webhook.proxy.image" . }}
+ PROXY_INIT_IMAGE: {{ include "workload-identity-webhook.proxy.initImage" . }}
 kind: ConfigMap
 metadata:
 labels:
diff --git a/manifest_staging/charts/workload-identity-webhook/values.yaml b/manifest_staging/charts/workload-identity-webhook/values.yaml
index d3b70e465..4f6cb99bb 100644
--- a/manifest_staging/charts/workload-identity-webhook/values.yaml
+++ b/manifest_staging/charts/workload-identity-webhook/values.yaml
@@ -8,6 +8,18 @@ image:
 pullPolicy: IfNotPresent
 # Overrides the image tag whose default is the chart appVersion.
 release: v1.5.1
+# Proxy sidecar image configuration
+proxy:
+ image:
+ registry: mcr.microsoft.com/oss/azure/workload-identity
+ repository: proxy
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
+ initImage:
+ registry: mcr.microsoft.com/oss/azure/workload-identity
+ repository: proxy-init
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
 imagePullSecrets: []
 nodeSelector:
 kubernetes.io/os: linux
diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
index 2dc43c980..4f5f66d31 100644
--- a/pkg/config/config_test.go
+++ b/pkg/config/config_test.go
@@ -60,3 +60,55 @@ func TestParseConfig(t *testing.T) {
 })
 }
 }
+
+func TestParseConfigProxyImages(t *testing.T) {
+ tests := []struct {
+ name string
+ tenantID string
+ proxyImage string
+ proxyInitImage string
+ wantProxyImage string
+ wantProxyInitImage string
+ }{
+ {
+ name: "default empty proxy images",
+ tenantID: "tenant-id",
+ proxyImage: "",
+ proxyInitImage: "",
+ wantProxyImage: "",
+ wantProxyInitImage: "",
+ },
+ {
+ name: "custom proxy images",
+ tenantID: "tenant-id",
+ proxyImage: "my-registry.com/proxy:v2.0.0",
+ proxyInitImage: "my-registry.com/proxy-init:v2.0.0",
+ wantProxyImage: "my-registry.com/proxy:v2.0.0",
+ wantProxyInitImage: "my-registry.com/proxy-init:v2.0.0",
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ os.Setenv("AZURE_TENANT_ID", tt.tenantID)
+ os.Setenv("PROXY_IMAGE", tt.proxyImage)
+ os.Setenv("PROXY_INIT_IMAGE", tt.proxyInitImage)
+ defer func() {
+ os.Unsetenv("AZURE_TENANT_ID")
+ os.Unsetenv("PROXY_IMAGE")
+ os.Unsetenv("PROXY_INIT_IMAGE")
+ }()
+
+ c, err := ParseConfig()
+ if err != nil {
+ t.Fatalf("ParseConfig() error = %v", err)
+ }
+ if c.ProxyImage != tt.wantProxyImage {
+ t.Errorf("ParseConfig() ProxyImage = %v, want %v", c.ProxyImage, tt.wantProxyImage)
+ }
+ if c.ProxyInitImage != tt.wantProxyInitImage {
+ t.Errorf("ParseConfig() ProxyInitImage = %v, want %v", c.ProxyInitImage, tt.wantProxyInitImage)
+ }
+ })
+ }
+}
diff --git a/third_party/open-policy-agent/gatekeeper/helmify/kustomize-for-helm.yaml b/third_party/open-policy-agent/gatekeeper/helmify/kustomize-for-helm.yaml
index 41bc460a9..9f43987cf 100644
--- a/third_party/open-policy-agent/gatekeeper/helmify/kustomize-for-helm.yaml
+++ b/third_party/open-policy-agent/gatekeeper/helmify/kustomize-for-helm.yaml
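Review bot: The subtests set `AZURE_TENANT_ID`, `PROXY_IMAGE` and `PROXY_INIT_IMAGE` with `os.Setenv` and then `os.Unsetenv` them in a defer, which discards any value those variables held before the test instead of restoring it and leaves nothing stopping a later `t.Parallel` on subtests that share process env; if the module targets Go 1.17 or later, `t.Setenv("PROXY_IMAGE", tt.proxyImage)` does the restore and the parallel guard for you and the defer goes away. The table only shows `ParseConfig` passing the strings through unchanged; a case with a malformed reference (constructed, e.g. `proxyImage: "not a reference"`) asserting either an error or the same string back would record which behaviour is the contract, since whatever is accepted here is what the webhook later injects into pods. The first case expecting `""` for an unset `PROXY_IMAGE` suggests the fallback to the built-in image lives elsewhere; if so, a one-line comment on that case such as `// empty means the webhook falls back to its built-in image` would save the next reader a search — confirm against the consumer.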
@@ -2,6 +2,8 @@ apiVersion: v1 data: AZURE_ENVIRONMENT: HELMSUBST_CONFIGMAP_AZURE_ENVIRONMENT AZURE_TENANT_ID: HELMSUBST_CONFIGMAP_AZURE_TENANT_ID + PROXY_IMAGE: HELMSUBST_CONFIGMAP_PROXY_IMAGE + PROXY_INIT_IMAGE: HELMSUBST_CONFIGMAP_PROXY_INIT_IMAGE kind: ConfigMap metadata: name: azure-wi-webhook-config diff --git a/third_party/open-policy-agent/gatekeeper/helmify/replacements.go b/third_party/open-policy-agent/gatekeeper/helmify/replacements.go index 907019693..35556eaed 100644 --- a/third_party/open-policy-agent/gatekeeper/helmify/replacements.go +++ b/third_party/open-policy-agent/gatekeeper/helmify/replacements.go @@ -21,6 +21,10 @@ var replacements = map[string]string{ "HELMSUBST_CONFIGMAP_AZURE_TENANT_ID": `{{ required "A valid .Values.azureTenantID entry required!" .Values.azureTenantID }}`, + "HELMSUBST_CONFIGMAP_PROXY_IMAGE": `{{ include "workload-identity-webhook.proxy.image" . }}`, + + "HELMSUBST_CONFIGMAP_PROXY_INIT_IMAGE": `{{ include "workload-identity-webhook.proxy.initImage" . }}`, + `HELMSUBST_SERVICE_TYPE: ""`: `{{- if .Values.service }} type: {{ .Values.service.type | default "ClusterIP" }} {{- end }}`, diff --git a/third_party/open-policy-agent/gatekeeper/helmify/static/README.md b/third_party/open-policy-agent/gatekeeper/helmify/static/README.md index b65cd8b4c..a3a42de07 100644 --- a/third_party/open-policy-agent/gatekeeper/helmify/static/README.md +++ b/third_party/open-policy-agent/gatekeeper/helmify/static/README.md 
@@ -21,6 +21,30 @@ _See [parameters](#parameters) below._ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ +## Air-gapped Environments + +For air-gapped environments where you need to use a custom registry for proxy sidecar containers, you can configure the proxy image settings: + +```console +# Install with custom registry for proxy images +helm install -n azure-workload-identity-system workload-identity-webhook azure-workload-identity/workload-identity-webhook \ + --set azureTenantID="your-tenant-id" \ + --set proxy.image.registry="your-registry.example.com" \ + --set proxy.initImage.registry="your-registry.example.com" \ + --create-namespace + +# Or with completely custom image references +helm install -n azure-workload-identity-system workload-identity-webhook azure-workload-identity/workload-identity-webhook \ + --set azureTenantID="your-tenant-id" \ + --set proxy.image.registry="your-registry.example.com" \ + --set proxy.image.repository="custom-proxy" \ + --set proxy.image.tag="v1.0.0" \ + --set proxy.initImage.registry="your-registry.example.com" \ + --set proxy.initImage.repository="custom-proxy-init" \ + --set proxy.initImage.tag="v1.0.0" \ + --create-namespace +``` + ## Upgrade Chart ```console 
@@ -56,6 +80,12 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide | mutatingWebhookNamespaceSelector | The namespace selector to further refine which namespaces will be selected by the webhook. | `{}` | | podDisruptionBudget.minAvailable | The minimum number of pods that must be available for the webhook to be considered available | `1` | | podDisruptionBudget.maxUnavailable | The maximum number of pods that may be unavailable for the webhook to be considered available | `nil` | +| proxy.image.registry | The registry for the proxy sidecar image | `mcr.microsoft.com/oss/azure/workload-identity` | +| proxy.image.repository | The repository for the proxy sidecar image | `proxy` | +| proxy.image.tag | The tag for the proxy sidecar image (defaults to chart appVersion) | `` | +| proxy.initImage.registry | The registry for the proxy init image | `mcr.microsoft.com/oss/azure/workload-identity` | +| proxy.initImage.repository | The repository for the proxy init image | `proxy-init` | +| proxy.initImage.tag | The tag for the proxy init image (defaults to chart appVersion) | `` | | revisionHistoryLimit | The number of old ReplicaSets to retain for the webhook deployment | `10` | ## Contributing Changes diff --git a/third_party/open-policy-agent/gatekeeper/helmify/static/templates/_helpers.tpl b/third_party/open-policy-agent/gatekeeper/helmify/static/templates/_helpers.tpl index 90017db71..75f8397da 100644 --- a/third_party/open-policy-agent/gatekeeper/helmify/static/templates/_helpers.tpl +++ b/third_party/open-policy-agent/gatekeeper/helmify/static/templates/_helpers.tpl 
@@ -58,3 +58,19 @@ Adds the pod labels.
 {{- toYaml .Values.podLabels | nindent 8 }}
 {{- end }}
 {{- end }}
+
+{{/*
+Proxy sidecar image
+*/}}
+{{- define "workload-identity-webhook.proxy.image" -}}
+{{- $tag := .Values.proxy.image.tag | default .Chart.AppVersion -}}
+{{- printf "%s/%s:%s" .Values.proxy.image.registry .Values.proxy.image.repository $tag -}}
+{{- end }}
+
+{{/*
+Proxy init image
+*/}}
+{{- define "workload-identity-webhook.proxy.initImage" -}}
+{{- $tag := .Values.proxy.initImage.tag | default .Chart.AppVersion -}}
+{{- printf "%s/%s:%s" .Values.proxy.initImage.registry .Values.proxy.initImage.repository $tag -}}
+{{- end }}
diff --git a/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml b/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml
index d3b70e465..4f6cb99bb 100644
--- a/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml
+++ b/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml
@@ -8,6 +8,18 @@ image:
 pullPolicy: IfNotPresent
 # Overrides the image tag whose default is the chart appVersion.
 release: v1.5.1
+# Proxy sidecar image configuration
+proxy:
+ image:
+ registry: mcr.microsoft.com/oss/azure/workload-identity
+ repository: proxy
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
+ initImage:
+ registry: mcr.microsoft.com/oss/azure/workload-identity
+ repository: proxy-init
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
 imagePullSecrets: []
 nodeSelector:
 kubernetes.io/os: linux
From 46d7b569e27bd0838392d63cf6b792a359a3bc39 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 21 Aug 2025 18:20:12 +0000 Subject: [PATCH 3/3] Address review feedback: revert charts/ changes, simplify proxy config, remove air-gapped section Co-authored-by: aramase <10608509+aramase@users.noreply.github.com> --- charts/workload-identity-webhook/README.md | 32 ------------------- .../templates/_helpers.tpl | 16 ---------- .../azure-wi-webhook-config-configmap.yaml | 2 -- ...webhook-controller-manager-deployment.yaml | 5 --- charts/workload-identity-webhook/values.yaml | 13 -------- .../workload-identity-webhook/README.md | 30 ++--------------- .../templates/_helpers.tpl | 4 +-- .../workload-identity-webhook/values.yaml | 6 ++-- .../gatekeeper/helmify/static/README.md | 30 ++--------------- .../helmify/static/templates/_helpers.tpl | 4 +-- .../gatekeeper/helmify/static/values.yaml | 6 ++-- 11 files changed, 12 insertions(+), 136 deletions(-) diff --git a/charts/workload-identity-webhook/README.md b/charts/workload-identity-webhook/README.md index a3a42de07..f9b537a83 100644 --- a/charts/workload-identity-webhook/README.md +++ b/charts/workload-identity-webhook/README.md 
@@ -21,30 +21,6 @@ _See [parameters](#parameters) below._ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ -## Air-gapped Environments - -For air-gapped environments where you need to use a custom registry for proxy sidecar containers, you can configure the proxy image settings: - -```console -# Install with custom registry for proxy images -helm install -n azure-workload-identity-system workload-identity-webhook azure-workload-identity/workload-identity-webhook \ - --set azureTenantID="your-tenant-id" \ - --set proxy.image.registry="your-registry.example.com" \ - --set proxy.initImage.registry="your-registry.example.com" \ - --create-namespace - -# Or with completely custom image references -helm install -n azure-workload-identity-system workload-identity-webhook azure-workload-identity/workload-identity-webhook \ - --set azureTenantID="your-tenant-id" \ - --set proxy.image.registry="your-registry.example.com" \ - --set proxy.image.repository="custom-proxy" \ - --set proxy.image.tag="v1.0.0" \ - --set proxy.initImage.registry="your-registry.example.com" \ - --set proxy.initImage.repository="custom-proxy-init" \ - --set proxy.initImage.tag="v1.0.0" \ - --create-namespace -``` - ## Upgrade Chart ```console @@ -63,7 +39,6 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | | resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi | | affinity | The node affinity to use for pod scheduling | `{}` | -| topologySpreadConstraints | The topology spread constraints to use for pod scheduling | `[]` | | tolerations | The tolerations to use for pod scheduling | `[]` | | service.type | Service type | `ClusterIP` | | service.port | Service port | `443` | 
@@ -80,13 +55,6 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide | mutatingWebhookNamespaceSelector | The namespace selector to further refine which namespaces will be selected by the webhook. | `{}` | | podDisruptionBudget.minAvailable | The minimum number of pods that must be available for the webhook to be considered available | `1` | | podDisruptionBudget.maxUnavailable | The maximum number of pods that may be unavailable for the webhook to be considered available | `nil` | -| proxy.image.registry | The registry for the proxy sidecar image | `mcr.microsoft.com/oss/azure/workload-identity` | -| proxy.image.repository | The repository for the proxy sidecar image | `proxy` | -| proxy.image.tag | The tag for the proxy sidecar image (defaults to chart appVersion) | `` | -| proxy.initImage.registry | The registry for the proxy init image | `mcr.microsoft.com/oss/azure/workload-identity` | -| proxy.initImage.repository | The repository for the proxy init image | `proxy-init` | -| proxy.initImage.tag | The tag for the proxy init image (defaults to chart appVersion) | `` | -| revisionHistoryLimit | The number of old ReplicaSets to retain for the webhook deployment | `10` | ## Contributing Changes diff --git a/charts/workload-identity-webhook/templates/_helpers.tpl b/charts/workload-identity-webhook/templates/_helpers.tpl index 75f8397da..90017db71 100644 --- a/charts/workload-identity-webhook/templates/_helpers.tpl +++ b/charts/workload-identity-webhook/templates/_helpers.tpl 
@@ -58,19 +58,3 @@ Adds the pod labels.
 {{- toYaml .Values.podLabels | nindent 8 }}
 {{- end }}
 {{- end }}
-
-{{/*
-Proxy sidecar image
-*/}}
-{{- define "workload-identity-webhook.proxy.image" -}}
-{{- $tag := .Values.proxy.image.tag | default .Chart.AppVersion -}}
-{{- printf "%s/%s:%s" .Values.proxy.image.registry .Values.proxy.image.repository $tag -}}
-{{- end }}
-
-{{/*
-Proxy init image
-*/}}
-{{- define "workload-identity-webhook.proxy.initImage" -}}
-{{- $tag := .Values.proxy.initImage.tag | default .Chart.AppVersion -}}
-{{- printf "%s/%s:%s" .Values.proxy.initImage.registry .Values.proxy.initImage.repository $tag -}}
-{{- end }}
diff --git a/charts/workload-identity-webhook/templates/azure-wi-webhook-config-configmap.yaml b/charts/workload-identity-webhook/templates/azure-wi-webhook-config-configmap.yaml
index 9258245e1..f4d7754c6 100644
--- a/charts/workload-identity-webhook/templates/azure-wi-webhook-config-configmap.yaml
+++ b/charts/workload-identity-webhook/templates/azure-wi-webhook-config-configmap.yaml
@@ -2,8 +2,6 @@ apiVersion: v1
 data:
 AZURE_ENVIRONMENT: {{ .Values.azureEnvironment | default "AzurePublicCloud" }}
 AZURE_TENANT_ID: {{ required "A valid .Values.azureTenantID entry required!" .Values.azureTenantID }}
- PROXY_IMAGE: {{ include "workload-identity-webhook.proxy.image" . }}
- PROXY_INIT_IMAGE: {{ include "workload-identity-webhook.proxy.initImage" . }}
 kind: ConfigMap
 metadata:
 labels:
diff --git a/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml b/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml
index 10a6222c6..09fab66b4 100644
--- a/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml
+++ b/charts/workload-identity-webhook/templates/azure-wi-webhook-controller-manager-deployment.yaml
@@ -9,9 +9,6 @@ metadata:
 name: azure-wi-webhook-controller-manager
 namespace: '{{ .Release.Namespace }}'
 spec:
- {{- if .Values.revisionHistoryLimit }}
- revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
- {{- end }}
 replicas: {{ .Values.replicaCount }}
 selector:
 matchLabels:
@@ -97,8 +94,6 @@ spec:
 serviceAccountName: azure-wi-webhook-admin
 tolerations:
 {{- toYaml .Values.tolerations | nindent 8 }}
- topologySpreadConstraints:
- {{- toYaml .Values.topologySpreadConstraints | nindent 8 }}
 volumes:
 - name: cert
 secret:
diff --git a/charts/workload-identity-webhook/values.yaml b/charts/workload-identity-webhook/values.yaml
index 4f6cb99bb..0da16171d 100644
--- a/charts/workload-identity-webhook/values.yaml
+++ b/charts/workload-identity-webhook/values.yaml
@@ -8,18 +8,6 @@ image:
 pullPolicy: IfNotPresent
 # Overrides the image tag whose default is the chart appVersion.
 release: v1.5.1
-# Proxy sidecar image configuration
-proxy:
- image:
- registry: mcr.microsoft.com/oss/azure/workload-identity
- repository: proxy
- # Overrides the image tag whose default is the chart appVersion.
- tag: ""
- initImage:
- registry: mcr.microsoft.com/oss/azure/workload-identity
- repository: proxy-init
- # Overrides the image tag whose default is the chart appVersion.
- tag: ""
 imagePullSecrets: []
 nodeSelector:
 kubernetes.io/os: linux
@@ -32,7 +20,6 @@ resources:
 memory: 20Mi
 tolerations: []
 affinity: {}
-topologySpreadConstraints: []
 service:
 type: ClusterIP
 port: 443
diff --git a/manifest_staging/charts/workload-identity-webhook/README.md b/manifest_staging/charts/workload-identity-webhook/README.md
index a3a42de07..596be7ca3 100644
--- a/manifest_staging/charts/workload-identity-webhook/README.md
+++ b/manifest_staging/charts/workload-identity-webhook/README.md
@@ -21,30 +21,6 @@ _See [parameters](#parameters) below._ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ -## Air-gapped Environments - -For air-gapped environments where you need to use a custom registry for proxy sidecar containers, you can configure the proxy image settings: - -```console -# Install with custom registry for proxy images -helm install -n azure-workload-identity-system workload-identity-webhook azure-workload-identity/workload-identity-webhook \ - --set azureTenantID="your-tenant-id" \ - --set proxy.image.registry="your-registry.example.com" \ - --set proxy.initImage.registry="your-registry.example.com" \ - --create-namespace - -# Or with completely custom image references -helm install -n azure-workload-identity-system workload-identity-webhook azure-workload-identity/workload-identity-webhook \ - --set azureTenantID="your-tenant-id" \ - --set proxy.image.registry="your-registry.example.com" \ - --set proxy.image.repository="custom-proxy" \ - --set proxy.image.tag="v1.0.0" \ - --set proxy.initImage.registry="your-registry.example.com" \ - --set proxy.initImage.repository="custom-proxy-init" \ - --set proxy.initImage.tag="v1.0.0" \ - --create-namespace -``` - ## Upgrade Chart ```console 
@@ -80,11 +56,9 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide | mutatingWebhookNamespaceSelector | The namespace selector to further refine which namespaces will be selected by the webhook. | `{}` | | podDisruptionBudget.minAvailable | The minimum number of pods that must be available for the webhook to be considered available | `1` | | podDisruptionBudget.maxUnavailable | The maximum number of pods that may be unavailable for the webhook to be considered available | `nil` | -| proxy.image.registry | The registry for the proxy sidecar image | `mcr.microsoft.com/oss/azure/workload-identity` | -| proxy.image.repository | The repository for the proxy sidecar image | `proxy` | +| proxy.image.repository | The full image repository for the proxy sidecar image | `mcr.microsoft.com/oss/azure/workload-identity/proxy` | | proxy.image.tag | The tag for the proxy sidecar image (defaults to chart appVersion) | `` | -| proxy.initImage.registry | The registry for the proxy init image | `mcr.microsoft.com/oss/azure/workload-identity` | -| proxy.initImage.repository | The repository for the proxy init image | `proxy-init` | +| proxy.initImage.repository | The full image repository for the proxy init image | `mcr.microsoft.com/oss/azure/workload-identity/proxy-init` | | proxy.initImage.tag | The tag for the proxy init image (defaults to chart appVersion) | `` | | revisionHistoryLimit | The number of old ReplicaSets to retain for the webhook deployment | `10` | diff --git a/manifest_staging/charts/workload-identity-webhook/templates/_helpers.tpl b/manifest_staging/charts/workload-identity-webhook/templates/_helpers.tpl index 75f8397da..e2f6bb1a3 100644 --- a/manifest_staging/charts/workload-identity-webhook/templates/_helpers.tpl +++ b/manifest_staging/charts/workload-identity-webhook/templates/_helpers.tpl 
@@ -64,7 +64,7 @@ Proxy sidecar image
 */}}
 {{- define "workload-identity-webhook.proxy.image" -}}
 {{- $tag := .Values.proxy.image.tag | default .Chart.AppVersion -}}
-{{- printf "%s/%s:%s" .Values.proxy.image.registry .Values.proxy.image.repository $tag -}}
+{{- printf "%s:%s" .Values.proxy.image.repository $tag -}}
 {{- end }}
 
 {{/*
@@ -72,5 +72,5 @@ Proxy init image
 */}}
 {{- define "workload-identity-webhook.proxy.initImage" -}}
 {{- $tag := .Values.proxy.initImage.tag | default .Chart.AppVersion -}}
-{{- printf "%s/%s:%s" .Values.proxy.initImage.registry .Values.proxy.initImage.repository $tag -}}
+{{- printf "%s:%s" .Values.proxy.initImage.repository $tag -}}
 {{- end }}
diff --git a/manifest_staging/charts/workload-identity-webhook/values.yaml b/manifest_staging/charts/workload-identity-webhook/values.yaml
index 4f6cb99bb..36997282f 100644
--- a/manifest_staging/charts/workload-identity-webhook/values.yaml
+++ b/manifest_staging/charts/workload-identity-webhook/values.yaml
@@ -11,13 +11,11 @@ image:
 # Proxy sidecar image configuration
 proxy:
   image:
-    registry: mcr.microsoft.com/oss/azure/workload-identity
-    repository: proxy
+    repository: mcr.microsoft.com/oss/azure/workload-identity/proxy
     # Overrides the image tag whose default is the chart appVersion.
     tag: ""
   initImage:
-    registry: mcr.microsoft.com/oss/azure/workload-identity
-    repository: proxy-init
+    repository: mcr.microsoft.com/oss/azure/workload-identity/proxy-init
     # Overrides the image tag whose default is the chart appVersion.
     tag: ""
 imagePullSecrets: []
diff --git a/third_party/open-policy-agent/gatekeeper/helmify/static/README.md b/third_party/open-policy-agent/gatekeeper/helmify/static/README.md
index a3a42de07..596be7ca3 100644
--- a/third_party/open-policy-agent/gatekeeper/helmify/static/README.md
+++ b/third_party/open-policy-agent/gatekeeper/helmify/static/README.md
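Review bot: The new `printf "%s:%s" .Values.proxy.image.repository $tag` in `workload-identity-webhook.proxy.image` (and the same line in `proxy.initImage`) always appends a tag, so the only pin available for the proxy images is a mutable tag; a user who sets `repository` to `…/proxy@sha256:…` to pin by digest gets `…@sha256:…:<tag>`, which is not a valid reference. For an air-gapped mirror, and for an image that the rest of this series appears to hand to the webhook for injection into workload pods, digest pinning is the control a practitioner will ask for. I would add an optional `digest` value next to `tag` and branch on it in both helpers, falling back to the existing tag form so current values keep rendering the same string; `values.yaml` would gain `digest: ""` under `image` and `initImage` with a comment that it takes precedence over `tag`. The second helper is rewritten the same way and is omitted below.

```gotemplate
{{- define "workload-identity-webhook.proxy.image" -}}
{{- $tag := .Values.proxy.image.tag | default .Chart.AppVersion -}}
{{- if .Values.proxy.image.digest -}}
{{- /* digest pin wins over tag: immutable reference for mirrored/air-gapped registries */ -}}
{{- printf "%s@%s" .Values.proxy.image.repository .Values.proxy.image.digest -}}
{{- else -}}
{{- printf "%s:%s" .Values.proxy.image.repository $tag -}}
{{- end -}}
{{- end }}
{{/* … unchanged: "workload-identity-webhook.proxy.initImage" gets the same digest branch … */}}
```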
@@ -21,30 +21,6 @@ _See [parameters](#parameters) below._
 
 _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._
 
-## Air-gapped Environments
-
-For air-gapped environments where you need to use a custom registry for proxy sidecar containers, you can configure the proxy image settings:
-
-```console
-# Install with custom registry for proxy images
-helm install -n azure-workload-identity-system workload-identity-webhook azure-workload-identity/workload-identity-webhook \
- --set azureTenantID="your-tenant-id" \
- --set proxy.image.registry="your-registry.example.com" \
- --set proxy.initImage.registry="your-registry.example.com" \
- --create-namespace
-
-# Or with completely custom image references
-helm install -n azure-workload-identity-system workload-identity-webhook azure-workload-identity/workload-identity-webhook \
- --set azureTenantID="your-tenant-id" \
- --set proxy.image.registry="your-registry.example.com" \
- --set proxy.image.repository="custom-proxy" \
- --set proxy.image.tag="v1.0.0" \
- --set proxy.initImage.registry="your-registry.example.com" \
- --set proxy.initImage.repository="custom-proxy-init" \
- --set proxy.initImage.tag="v1.0.0" \
- --create-namespace
-```
-
 ## Upgrade Chart
 
 ```console
@@ -80,11 +56,9 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide
 | mutatingWebhookNamespaceSelector | The namespace selector to further refine which namespaces will be selected by the webhook. | `{}` |
 | podDisruptionBudget.minAvailable | The minimum number of pods that must be available for the webhook to be considered available | `1` |
 | podDisruptionBudget.maxUnavailable | The maximum number of pods that may be unavailable for the webhook to be considered available | `nil` |
-| proxy.image.registry | The registry for the proxy sidecar image | `mcr.microsoft.com/oss/azure/workload-identity` |
-| proxy.image.repository | The repository for the proxy sidecar image | `proxy` |
+| proxy.image.repository | The full image repository for the proxy sidecar image | `mcr.microsoft.com/oss/azure/workload-identity/proxy` |
 | proxy.image.tag | The tag for the proxy sidecar image (defaults to chart appVersion) | `` |
-| proxy.initImage.registry | The registry for the proxy init image | `mcr.microsoft.com/oss/azure/workload-identity` |
-| proxy.initImage.repository | The repository for the proxy init image | `proxy-init` |
+| proxy.initImage.repository | The full image repository for the proxy init image | `mcr.microsoft.com/oss/azure/workload-identity/proxy-init` |
 | proxy.initImage.tag | The tag for the proxy init image (defaults to chart appVersion) | `` |
 | revisionHistoryLimit | The number of old ReplicaSets to retain for the webhook deployment | `10` |
 
diff --git a/third_party/open-policy-agent/gatekeeper/helmify/static/templates/_helpers.tpl b/third_party/open-policy-agent/gatekeeper/helmify/static/templates/_helpers.tpl
index 75f8397da..e2f6bb1a3 100644
--- a/third_party/open-policy-agent/gatekeeper/helmify/static/templates/_helpers.tpl
+++ b/third_party/open-policy-agent/gatekeeper/helmify/static/templates/_helpers.tpl
@@ -64,7 +64,7 @@ Proxy sidecar image
 */}}
 {{- define "workload-identity-webhook.proxy.image" -}}
 {{- $tag := .Values.proxy.image.tag | default .Chart.AppVersion -}}
-{{- printf "%s/%s:%s" .Values.proxy.image.registry .Values.proxy.image.repository $tag -}}
+{{- printf "%s:%s" .Values.proxy.image.repository $tag -}}
 {{- end }}
 
 {{/*
@@ -72,5 +72,5 @@ Proxy init image
 */}}
 {{- define "workload-identity-webhook.proxy.initImage" -}}
 {{- $tag := .Values.proxy.initImage.tag | default .Chart.AppVersion -}}
-{{- printf "%s/%s:%s" .Values.proxy.initImage.registry .Values.proxy.initImage.repository $tag -}}
+{{- printf "%s:%s" .Values.proxy.initImage.repository $tag -}}
 {{- end }}
diff --git a/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml b/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml
index 4f6cb99bb..36997282f 100644
--- a/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml
+++ b/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml
@@ -11,13 +11,11 @@ image:
 # Proxy sidecar image configuration
 proxy:
   image:
-    registry: mcr.microsoft.com/oss/azure/workload-identity
-    repository: proxy
+    repository: mcr.microsoft.com/oss/azure/workload-identity/proxy
     # Overrides the image tag whose default is the chart appVersion.
     tag: ""
   initImage:
-    registry: mcr.microsoft.com/oss/azure/workload-identity
-    repository: proxy-init
+    repository: mcr.microsoft.com/oss/azure/workload-identity/proxy-init
     # Overrides the image tag whose default is the chart appVersion.
     tag: ""
 imagePullSecrets: []
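Review bot: The `values.yaml` hunk (`@@ -11,13 +11,11 @@`) changes the meaning of `repository` from a name under a registry to the full image path, but the only comment in the block still describes `tag`; an operator mirroring into a private registry has nothing telling them that the value must not carry its own `:tag` or `@sha256:` suffix, which the helper would otherwise append a second `:<tag>` to. I would add, above each `repository:` line, `# Full image path (registry/namespace/name) without a tag or digest; the chart appends the tag below.`, and extend the existing `tag` comment with the consequence of leaving it empty when mirroring: `# Leave empty to use the chart appVersion; a mirrored registry must then carry that exact tag.` Both statements follow from the `default .Chart.AppVersion` and `printf "%s:%s"` lines in `_helpers.tpl` and from nothing else, so they are safe to state as fact.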