32 changes: 32 additions & 0 deletions charts/workload-identity-webhook/README.md
@aramase aramase Aug 20, 2025

@copilot Revert all the changes in the charts/ directory. Chart changes are only to be done in manifest_staging/charts and will be promoted to charts dir at the time of release.

Author

Reverted all changes in the charts/ directory. All chart modifications are now only in manifest_staging/charts and third_party/open-policy-agent/gatekeeper/helmify/static/ as requested. (46d7b56)

Expand Up @@ -21,6 +21,30 @@ _See [parameters](#parameters) below._

_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._

## Air-gapped Environments
@aramase aramase Aug 20, 2025

@copilot Separate section for air-gapped environments isn't required.

Author

Removed the air-gapped environments section from the documentation as requested. The functionality is still available through the simplified proxy image configuration. (46d7b56)


For air-gapped environments where you need to use a custom registry for proxy sidecar containers, you can configure the proxy image settings:

```console
# Install with custom registry for proxy images
helm install -n azure-workload-identity-system workload-identity-webhook azure-workload-identity/workload-identity-webhook \
--set azureTenantID="your-tenant-id" \
--set proxy.image.registry="your-registry.example.com" \
--set proxy.initImage.registry="your-registry.example.com" \
--create-namespace

# Or with completely custom image references
helm install -n azure-workload-identity-system workload-identity-webhook azure-workload-identity/workload-identity-webhook \
--set azureTenantID="your-tenant-id" \
--set proxy.image.registry="your-registry.example.com" \
--set proxy.image.repository="custom-proxy" \
--set proxy.image.tag="v1.0.0" \
--set proxy.initImage.registry="your-registry.example.com" \
--set proxy.initImage.repository="custom-proxy-init" \
--set proxy.initImage.tag="v1.0.0" \
--create-namespace
```

## Upgrade Chart

```console
Expand All @@ -39,6 +63,7 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide
| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
| resources | The resource request/limits for the container image | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi |
| affinity | The node affinity to use for pod scheduling | `{}` |
| topologySpreadConstraints | The topology spread constraints to use for pod scheduling | `[]` |
| tolerations | The tolerations to use for pod scheduling | `[]` |
| service.type | Service type | `ClusterIP` |
| service.port | Service port | `443` |
Expand All @@ -55,6 +80,13 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide
| mutatingWebhookNamespaceSelector | The namespace selector to further refine which namespaces will be selected by the webhook. | `{}` |
| podDisruptionBudget.minAvailable | The minimum number of pods that must be available for the webhook to be considered available | `1` |
| podDisruptionBudget.maxUnavailable | The maximum number of pods that may be unavailable for the webhook to be considered available | `nil` |
| proxy.image.registry | The registry for the proxy sidecar image | `mcr.microsoft.com/oss/azure/workload-identity` |
| proxy.image.repository | The repository for the proxy sidecar image | `proxy` |
@aramase aramase Aug 20, 2025

@copilot just proxy.image.repository is sufficient to hold the whole path for image, no need for proxy.image.registry

Author

Simplified the proxy configuration to use only proxy.image.repository containing the full image path, removing the separate proxy.image.registry field. The configuration is now cleaner and more straightforward. (46d7b56)

| proxy.image.tag | The tag for the proxy sidecar image (defaults to chart appVersion) | `` |
| proxy.initImage.registry | The registry for the proxy init image | `mcr.microsoft.com/oss/azure/workload-identity` |
| proxy.initImage.repository | The repository for the proxy init image | `proxy-init` |
| proxy.initImage.tag | The tag for the proxy init image (defaults to chart appVersion) | `` |
| revisionHistoryLimit | The number of old ReplicaSets to retain for the webhook deployment | `10` |

## Contributing Changes

16 changes: 16 additions & 0 deletions charts/workload-identity-webhook/templates/_helpers.tpl
Expand Up @@ -58,3 +58,19 @@ Adds the pod labels.
{{- toYaml .Values.podLabels | nindent 8 }}
{{- end }}
{{- end }}

{{/*
Proxy sidecar image
*/}}
{{- define "workload-identity-webhook.proxy.image" -}}
{{- $tag := .Values.proxy.image.tag | default .Chart.AppVersion -}}
{{- printf "%s/%s:%s" .Values.proxy.image.registry .Values.proxy.image.repository $tag -}}
{{- end }}

{{/*
Proxy init image
*/}}
{{- define "workload-identity-webhook.proxy.initImage" -}}
{{- $tag := .Values.proxy.initImage.tag | default .Chart.AppVersion -}}
{{- printf "%s/%s:%s" .Values.proxy.initImage.registry .Values.proxy.initImage.repository $tag -}}
{{- end }}
Expand Up @@ -2,6 +2,8 @@ apiVersion: v1
data:
AZURE_ENVIRONMENT: {{ .Values.azureEnvironment | default "AzurePublicCloud" }}
AZURE_TENANT_ID: {{ required "A valid .Values.azureTenantID entry required!" .Values.azureTenantID }}
PROXY_IMAGE: {{ include "workload-identity-webhook.proxy.image" . }}
PROXY_INIT_IMAGE: {{ include "workload-identity-webhook.proxy.initImage" . }}
kind: ConfigMap
metadata:
labels:
Expand Up @@ -9,6 +9,9 @@ metadata:
name: azure-wi-webhook-controller-manager
namespace: '{{ .Release.Namespace }}'
spec:
{{- if .Values.revisionHistoryLimit }}
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
{{- end }}
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
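Review bot: `{{- if .Values.revisionHistoryLimit }}` treats `0` as false, so an operator who sets `revisionHistoryLimit: 0` to keep no old ReplicaSets silently gets the Kubernetes default of 10 instead. Test for presence rather than truthiness, for example `{{- if hasKey .Values "revisionHistoryLimit" }}` or a comparison against `nil`, so that zero is honoured.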
Expand Down Expand Up @@ -94,6 +97,8 @@ spec:
serviceAccountName: azure-wi-webhook-admin
tolerations:
{{- toYaml .Values.tolerations | nindent 8 }}
topologySpreadConstraints:
{{- toYaml .Values.topologySpreadConstraints | nindent 8 }}
volumes:
- name: cert
secret:
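Review bot: with the default `topologySpreadConstraints: []`, `toYaml` renders an explicit empty list under the key, which is valid but changes the rendered manifest for every existing user of the chart. Wrapping the two lines in `{{- with .Values.topologySpreadConstraints }}` ... `{{- end }}` omits the key when nothing is configured and keeps the default output identical to the pre-change Deployment.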
13 changes: 13 additions & 0 deletions charts/workload-identity-webhook/values.yaml
Expand Up @@ -8,6 +8,18 @@ image:
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
release: v1.5.1
# Proxy sidecar image configuration
proxy:
image:
registry: mcr.microsoft.com/oss/azure/workload-identity
repository: proxy
# Overrides the image tag whose default is the chart appVersion.
tag: ""
initImage:
registry: mcr.microsoft.com/oss/azure/workload-identity
repository: proxy-init
# Overrides the image tag whose default is the chart appVersion.
tag: ""
imagePullSecrets: []
nodeSelector:
kubernetes.io/os: linux
Expand All @@ -20,6 +32,7 @@ resources:
memory: 20Mi
tolerations: []
affinity: {}
topologySpreadConstraints: []
service:
type: ClusterIP
port: 443
30 changes: 30 additions & 0 deletions manifest_staging/charts/workload-identity-webhook/README.md
Expand Up @@ -21,6 +21,30 @@ _See [parameters](#parameters) below._

_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._

## Air-gapped Environments

For air-gapped environments where you need to use a custom registry for proxy sidecar containers, you can configure the proxy image settings:

```console
# Install with custom registry for proxy images
helm install -n azure-workload-identity-system workload-identity-webhook azure-workload-identity/workload-identity-webhook \
--set azureTenantID="your-tenant-id" \
--set proxy.image.registry="your-registry.example.com" \
--set proxy.initImage.registry="your-registry.example.com" \
--create-namespace

# Or with completely custom image references
helm install -n azure-workload-identity-system workload-identity-webhook azure-workload-identity/workload-identity-webhook \
--set azureTenantID="your-tenant-id" \
--set proxy.image.registry="your-registry.example.com" \
--set proxy.image.repository="custom-proxy" \
--set proxy.image.tag="v1.0.0" \
--set proxy.initImage.registry="your-registry.example.com" \
--set proxy.initImage.repository="custom-proxy-init" \
--set proxy.initImage.tag="v1.0.0" \
--create-namespace
```

## Upgrade Chart

```console
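Review bot: the second example pins `proxy.image.tag` and `proxy.initImage.tag` to `v1.0.0`, but the text does not explain that the empty default exists so the sidecar images track the chart's `appVersion`, i.e. the same version as the webhook that injects them; an operator who mirrors into a private registry should be told to mirror the same version the chart ships and to leave the tag empty unless they deliberately want to decouple the two. The text should also say that both `proxy` and `proxy-init` must be mirrored, since the first example overrides both registries but never names the images it expects to find there.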
Expand Down Expand Up @@ -56,6 +80,12 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide
| mutatingWebhookNamespaceSelector | The namespace selector to further refine which namespaces will be selected by the webhook. | `{}` |
| podDisruptionBudget.minAvailable | The minimum number of pods that must be available for the webhook to be considered available | `1` |
| podDisruptionBudget.maxUnavailable | The maximum number of pods that may be unavailable for the webhook to be considered available | `nil` |
| proxy.image.registry | The registry for the proxy sidecar image | `mcr.microsoft.com/oss/azure/workload-identity` |
| proxy.image.repository | The repository for the proxy sidecar image | `proxy` |
| proxy.image.tag | The tag for the proxy sidecar image (defaults to chart appVersion) | `` |
| proxy.initImage.registry | The registry for the proxy init image | `mcr.microsoft.com/oss/azure/workload-identity` |
| proxy.initImage.repository | The repository for the proxy init image | `proxy-init` |
| proxy.initImage.tag | The tag for the proxy init image (defaults to chart appVersion) | `` |
| revisionHistoryLimit | The number of old ReplicaSets to retain for the webhook deployment | `10` |

## Contributing Changes
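Review bot: the default column for `proxy.image.tag` and `proxy.initImage.tag` is two backticks with nothing between them, which renders as an empty cell in Markdown; write `""` so the row matches `values.yaml` and the reader sees that an empty tag falls back to `appVersion`. The table also keeps separate `proxy.image.registry` and `proxy.initImage.registry` rows although review asked for `proxy.image.repository` to carry the full path; drop the registry rows when the values change so the docs and chart do not diverge.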
Expand Up @@ -58,3 +58,19 @@ Adds the pod labels.
{{- toYaml .Values.podLabels | nindent 8 }}
{{- end }}
{{- end }}

{{/*
Proxy sidecar image
*/}}
{{- define "workload-identity-webhook.proxy.image" -}}
{{- $tag := .Values.proxy.image.tag | default .Chart.AppVersion -}}
{{- printf "%s/%s:%s" .Values.proxy.image.registry .Values.proxy.image.repository $tag -}}
{{- end }}

{{/*
Proxy init image
*/}}
{{- define "workload-identity-webhook.proxy.initImage" -}}
{{- $tag := .Values.proxy.initImage.tag | default .Chart.AppVersion -}}
{{- printf "%s/%s:%s" .Values.proxy.initImage.registry .Values.proxy.initImage.repository $tag -}}
{{- end }}
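Review bot: `printf "%s/%s:%s"` emits a leading `/` when `.Values.proxy.image.registry` is set to an empty string, and a trailing `:` if the tag resolves empty, producing an invalid image reference that only surfaces when the mutated pod fails to pull. If `proxy.image.repository` is to hold the full path as requested, the helper reduces to `printf "%s:%s" .Values.proxy.image.repository $tag`; otherwise guard the empty cases with `required`. The same applies to `workload-identity-webhook.proxy.initImage`.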
Expand Up @@ -2,6 +2,8 @@ apiVersion: v1
data:
AZURE_ENVIRONMENT: {{ .Values.azureEnvironment | default "AzurePublicCloud" }}
AZURE_TENANT_ID: {{ required "A valid .Values.azureTenantID entry required!" .Values.azureTenantID }}
PROXY_IMAGE: {{ include "workload-identity-webhook.proxy.image" . }}
PROXY_INIT_IMAGE: {{ include "workload-identity-webhook.proxy.initImage" . }}
kind: ConfigMap
metadata:
labels:
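Review bot: `PROXY_IMAGE` and `PROXY_INIT_IMAGE` are emitted as unquoted plain scalars; an image reference contains `:` and `/`, and if the helper ever renders a value ending in `:` (empty tag) a YAML parser rejects it as a stray mapping indicator. Pipe both through `| quote`, for example `PROXY_IMAGE: {{ include "workload-identity-webhook.proxy.image" . | quote }}`, so the ConfigMap stays well-formed for any value an operator supplies.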
12 changes: 12 additions & 0 deletions manifest_staging/charts/workload-identity-webhook/values.yaml
Expand Up @@ -8,6 +8,18 @@ image:
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
release: v1.5.1
# Proxy sidecar image configuration
proxy:
image:
registry: mcr.microsoft.com/oss/azure/workload-identity
repository: proxy
# Overrides the image tag whose default is the chart appVersion.
tag: ""
initImage:
registry: mcr.microsoft.com/oss/azure/workload-identity
repository: proxy-init
# Overrides the image tag whose default is the chart appVersion.
tag: ""
imagePullSecrets: []
nodeSelector:
kubernetes.io/os: linux
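Review bot: the comment above `proxy:` should state that, unlike the `image:` block, these images are not run by this chart's Deployment but are injected as sidecars into the workload pods the webhook mutates and are pulled by those pods; a private `registry` therefore has to be reachable from the workload nodes, and `imagePullSecrets: []` below covers only the webhook itself, not the injected containers. The two `# Overrides the image tag whose default is the chart appVersion.` comments are fine, but the duplicated `registry` default disappears if `repository` carries the full path as requested.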
52 changes: 52 additions & 0 deletions pkg/config/config_test.go
Expand Up @@ -60,3 +60,55 @@ func TestParseConfig(t *testing.T) {
})
}
}

func TestParseConfigProxyImages(t *testing.T) {
tests := []struct {
name string
tenantID string
proxyImage string
proxyInitImage string
wantProxyImage string
wantProxyInitImage string
}{
{
name: "default empty proxy images",
tenantID: "tenant-id",
proxyImage: "",
proxyInitImage: "",
wantProxyImage: "",
wantProxyInitImage: "",
},
{
name: "custom proxy images",
tenantID: "tenant-id",
proxyImage: "my-registry.com/proxy:v2.0.0",
proxyInitImage: "my-registry.com/proxy-init:v2.0.0",
wantProxyImage: "my-registry.com/proxy:v2.0.0",
wantProxyInitImage: "my-registry.com/proxy-init:v2.0.0",
},
}

for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
os.Setenv("AZURE_TENANT_ID", tt.tenantID)
os.Setenv("PROXY_IMAGE", tt.proxyImage)
os.Setenv("PROXY_INIT_IMAGE", tt.proxyInitImage)
defer func() {
os.Unsetenv("AZURE_TENANT_ID")
os.Unsetenv("PROXY_IMAGE")
os.Unsetenv("PROXY_INIT_IMAGE")
}()

c, err := ParseConfig()
if err != nil {
t.Fatalf("ParseConfig() error = %v", err)
}
if c.ProxyImage != tt.wantProxyImage {
t.Errorf("ParseConfig() ProxyImage = %v, want %v", c.ProxyImage, tt.wantProxyImage)
}
if c.ProxyInitImage != tt.wantProxyInitImage {
t.Errorf("ParseConfig() ProxyInitImage = %v, want %v", c.ProxyInitImage, tt.wantProxyInitImage)
}
})
}
}
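Review bot: the test mutates the process-wide environment with `os.Setenv` and the deferred `os.Unsetenv` block unsets rather than restores, so any `AZURE_TENANT_ID` present before the test is lost for later tests in the package; `t.Setenv` (Go 1.17+) restores the previous value at cleanup and marks the test as non-parallel, and replaces both the `os.Setenv` calls and the deferred block. Also, the "default empty proxy images" case asserts that `ProxyImage` stays `""`, so `ParseConfig` performs no fallback; the diff does not show where an empty value resolves to the built-in default image, and that path (or a validation error) deserves a case here as well.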
Expand Up @@ -2,6 +2,8 @@ apiVersion: v1
data:
AZURE_ENVIRONMENT: HELMSUBST_CONFIGMAP_AZURE_ENVIRONMENT
AZURE_TENANT_ID: HELMSUBST_CONFIGMAP_AZURE_TENANT_ID
PROXY_IMAGE: HELMSUBST_CONFIGMAP_PROXY_IMAGE
PROXY_INIT_IMAGE: HELMSUBST_CONFIGMAP_PROXY_INIT_IMAGE
kind: ConfigMap
metadata:
name: azure-wi-webhook-config
Expand Up @@ -21,6 +21,10 @@ var replacements = map[string]string{

"HELMSUBST_CONFIGMAP_AZURE_TENANT_ID": `{{ required "A valid .Values.azureTenantID entry required!" .Values.azureTenantID }}`,

"HELMSUBST_CONFIGMAP_PROXY_IMAGE": `{{ include "workload-identity-webhook.proxy.image" . }}`,

"HELMSUBST_CONFIGMAP_PROXY_INIT_IMAGE": `{{ include "workload-identity-webhook.proxy.initImage" . }}`,

`HELMSUBST_SERVICE_TYPE: ""`: `{{- if .Values.service }}
type: {{ .Values.service.type | default "ClusterIP" }}
{{- end }}`,
Expand Up @@ -21,6 +21,30 @@ _See [parameters](#parameters) below._

_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._

## Air-gapped Environments

For air-gapped environments where you need to use a custom registry for proxy sidecar containers, you can configure the proxy image settings:

```console
# Install with custom registry for proxy images
helm install -n azure-workload-identity-system workload-identity-webhook azure-workload-identity/workload-identity-webhook \
--set azureTenantID="your-tenant-id" \
--set proxy.image.registry="your-registry.example.com" \
--set proxy.initImage.registry="your-registry.example.com" \
--create-namespace

# Or with completely custom image references
helm install -n azure-workload-identity-system workload-identity-webhook azure-workload-identity/workload-identity-webhook \
--set azureTenantID="your-tenant-id" \
--set proxy.image.registry="your-registry.example.com" \
--set proxy.image.repository="custom-proxy" \
--set proxy.image.tag="v1.0.0" \
--set proxy.initImage.registry="your-registry.example.com" \
--set proxy.initImage.repository="custom-proxy-init" \
--set proxy.initImage.tag="v1.0.0" \
--create-namespace
```

## Upgrade Chart

```console
Expand Down Expand Up @@ -56,6 +80,12 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide
| mutatingWebhookNamespaceSelector | The namespace selector to further refine which namespaces will be selected by the webhook. | `{}` |
| podDisruptionBudget.minAvailable | The minimum number of pods that must be available for the webhook to be considered available | `1` |
| podDisruptionBudget.maxUnavailable | The maximum number of pods that may be unavailable for the webhook to be considered available | `nil` |
| proxy.image.registry | The registry for the proxy sidecar image | `mcr.microsoft.com/oss/azure/workload-identity` |
| proxy.image.repository | The repository for the proxy sidecar image | `proxy` |
| proxy.image.tag | The tag for the proxy sidecar image (defaults to chart appVersion) | `` |
| proxy.initImage.registry | The registry for the proxy init image | `mcr.microsoft.com/oss/azure/workload-identity` |
| proxy.initImage.repository | The repository for the proxy init image | `proxy-init` |
| proxy.initImage.tag | The tag for the proxy init image (defaults to chart appVersion) | `` |
| revisionHistoryLimit | The number of old ReplicaSets to retain for the webhook deployment | `10` |

## Contributing Changes
Expand Up @@ -58,3 +58,19 @@ Adds the pod labels.
{{- toYaml .Values.podLabels | nindent 8 }}
{{- end }}
{{- end }}

{{/*
Proxy sidecar image
*/}}
{{- define "workload-identity-webhook.proxy.image" -}}
{{- $tag := .Values.proxy.image.tag | default .Chart.AppVersion -}}
{{- printf "%s/%s:%s" .Values.proxy.image.registry .Values.proxy.image.repository $tag -}}
{{- end }}

{{/*
Proxy init image
*/}}
{{- define "workload-identity-webhook.proxy.initImage" -}}
{{- $tag := .Values.proxy.initImage.tag | default .Chart.AppVersion -}}
{{- printf "%s/%s:%s" .Values.proxy.initImage.registry .Values.proxy.initImage.repository $tag -}}
{{- end }}
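Review bot: because the format string is fixed to `%s/%s:%s`, an operator cannot pin the injected sidecar by digest (`...@sha256:...`), which is the form supply-chain-controlled and air-gapped deployments usually mirror; tags are mutable in the target registry, digests are not. Consider a `proxy.image.digest` (and `proxy.initImage.digest`) value rendered as `%s@%s` when set, with the tag path used only when it is empty, and keep this copy and the `manifest_staging` copy identical.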