Merge pull request #782 from jetstack/update-helm-secure

Add imageRegistry/imageNamespace to Helm chart image settings

Author: SgtCoDFish

deploy/charts/disco-agent/README.md

@@ -98,11 +98,54 @@ This will set the replicaset count more information can be found here: https://k
 > ```
 
 Must be set to indicate that you have read and accepted the CyberArk Terms of Service. If false, the helm chart will fail to install and will print a message with instructions on how to accept the TOS.
+#### **imageRegistry** ~ `string`
+> Default value:
+> ```yaml
+> quay.io
+> ```
+
+The container registry used for disco-agent images by default. This can include path prefixes (e.g. "artifactory.example.com/docker").
+
+#### **imageNamespace** ~ `string`
+> Default value:
+> ```yaml
+> jetstack
+> ```
+
+The repository namespace used for disco-agent images by default.  
+Examples:  
+- jetstack  
+- custom-namespace
+
+#### **image.registry** ~ `string`
+
+Deprecated: per-component registry prefix.  
+  
+If set, this value is *prepended* to the image repository that the chart would otherwise render. This applies both when `image.repository` is set and when the repository is computed from  
+`imageRegistry` + `imageNamespace` + `image.name`.  
+  
+This can produce "double registry" style references such as  
+`legacy.example.io/quay.io/jetstack/...`. Prefer using the global  
+`imageRegistry`/`imageNamespace` values.
+
 #### **image.repository** ~ `string`
 > Default value:
 > ```yaml
 > ""
 > ```
+
+Full repository override (takes precedence over `imageRegistry`, `imageNamespace`, and `image.name`).  
+Example: quay.io/jetstack/disco-agent
+
+#### **image.name** ~ `string`
+> Default value:
+> ```yaml
+> disco-agent
+> ```
+
+The image name for the Discovery Agent.  
+This is used (together with `imageRegistry` and `imageNamespace`) to construct the full image reference.
+
 #### **image.pullPolicy** ~ `string`
 > Default value:
 > ```yaml
@@ -116,14 +159,14 @@ This sets the pull policy for images.
 > ""
 > ```
 
-Overrides the image tag whose default is the chart appVersion.
+Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.
 #### **image.digest** ~ `string`
 > Default value:
 > ```yaml
 > ""
 > ```
 
-The image digest
+Override the image digest to deploy by setting this variable. If set together with `image.tag`, the rendered image will include both tag and digest.
 #### **imagePullSecrets** ~ `array`
 > Default value:
 > ```yaml
@@ -414,3 +457,5 @@ endpointAdditionalProperties:
    targetLabel: instance
 ```
 
+<!-- /AUTO-GENERATED -->
+

deploy/charts/disco-agent/templates/_helpers.tpl

@@ -60,3 +60,61 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Util function for generating the image URL based on the provided options.
+IMPORTANT: This function is standardized across all charts in the cert-manager GH organization.
+Any changes to this function should also be made in cert-manager, trust-manager, approver-policy, ...
+See https://github.com/cert-manager/cert-manager/issues/6329 for a list of linked PRs.
+*/}}
+{{- define "image" -}}
+{{- /*
+Calling convention:
+- (tuple <imageValues> <imageRegistry> <imageNamespace> <defaultReference>)
+We intentionally pass imageRegistry/imageNamespace as explicit arguments rather than reading
+from `.Values` inside this helper, because `helm-tool lint` does not reliably track `.Values.*`
+usage through tuple/variable indirection.
+*/ -}}
+{{- if ne (len .) 4 -}}
+	{{- fail (printf "ERROR: template \"image\" expects (tuple <imageValues> <imageRegistry> <imageNamespace> <defaultReference>), got %d arguments" (len .)) -}}
+{{- end -}}
+{{- $image := index . 0 -}}
+{{- $imageRegistry := index . 1 | default "" -}}
+{{- $imageNamespace := index . 2 | default "" -}}
+{{- $defaultReference := index . 3 -}}
+{{- $repository := "" -}}
+{{- if $image.repository -}}
+	{{- $repository = $image.repository -}}
+	{{- /*
+		Backwards compatibility: if image.registry is set, additionally prefix the repository with this registry.
+	*/ -}}
+	{{- if $image.registry -}}
+		{{- $repository = printf "%s/%s" $image.registry $repository -}}
+	{{- end -}}
+{{- else -}}
+	{{- $name := required "ERROR: image.name must be set when image.repository is empty" $image.name -}}
+	{{- $repository = $name -}}
+	{{- if $imageNamespace -}}
+		{{- $repository = printf "%s/%s" $imageNamespace $repository -}}
+	{{- end -}}
+	{{- if $imageRegistry -}}
+		{{- $repository = printf "%s/%s" $imageRegistry $repository -}}
+	{{- end -}}
+	{{- /*
+		Backwards compatibility: if image.registry is set, additionally prefix the repository with this registry.
+	*/ -}}
+	{{- if $image.registry -}}
+		{{- $repository = printf "%s/%s" $image.registry $repository -}}
+	{{- end -}}
+{{- end -}}
+{{- $repository -}}
+{{- if and $image.tag $image.digest -}}
+	{{- printf ":%s@%s" $image.tag $image.digest -}}
+{{- else if $image.tag -}}
+	{{- printf ":%s" $image.tag -}}
+{{- else if $image.digest -}}
+	{{- printf "@%s" $image.digest -}}
+{{- else -}}
+	{{- printf "%s" $defaultReference -}}
+{{- end -}}
+{{- end }}

deploy/charts/disco-agent/templates/deployment.yaml

@@ -39,7 +39,7 @@ spec:
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}{{- with .Values.image.digest }}@{{ . }}{{- end }}"
+          image: "{{ template "image" (tuple .Values.image .Values.imageRegistry .Values.imageNamespace (printf ":%s" .Chart.AppVersion)) }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           env:
           - name: POD_NAMESPACE

deploy/charts/disco-agent/values.schema.json

@@ -33,9 +33,15 @@
         "image": {
           "$ref": "#/$defs/helm-values.image"
         },
+        "imageNamespace": {
+          "$ref": "#/$defs/helm-values.imageNamespace"
+        },
         "imagePullSecrets": {
           "$ref": "#/$defs/helm-values.imagePullSecrets"
         },
+        "imageRegistry": {
+          "$ref": "#/$defs/helm-values.imageRegistry"
+        },
         "metrics": {
           "$ref": "#/$defs/helm-values.metrics"
         },
@@ -191,9 +197,15 @@
         "digest": {
           "$ref": "#/$defs/helm-values.image.digest"
         },
+        "name": {
+          "$ref": "#/$defs/helm-values.image.name"
+        },
         "pullPolicy": {
           "$ref": "#/$defs/helm-values.image.pullPolicy"
         },
+        "registry": {
+          "$ref": "#/$defs/helm-values.image.registry"
+        },
         "repository": {
           "$ref": "#/$defs/helm-values.image.repository"
         },
@@ -205,21 +217,36 @@
     },
     "helm-values.image.digest": {
       "default": "",
-      "description": "The image digest",
+      "description": "Override the image digest to deploy by setting this variable. If set together with `image.tag`, the rendered image will include both tag and digest.",
+      "type": "string"
+    },
+    "helm-values.image.name": {
+      "default": "disco-agent",
+      "description": "The image name for the Discovery Agent.\nThis is used (together with `imageRegistry` and `imageNamespace`) to construct the full image reference.",
       "type": "string"
     },
     "helm-values.image.pullPolicy": {
       "default": "IfNotPresent",
       "description": "This sets the pull policy for images.",
       "type": "string"
     },
+    "helm-values.image.registry": {
+      "description": "Deprecated: per-component registry prefix.\n\nIf set, this value is *prepended* to the image repository that the chart would otherwise render. This applies both when `image.repository` is set and when the repository is computed from\n`imageRegistry` + `imageNamespace` + `image.name`.\n\nThis can produce \"double registry\" style references such as\n`legacy.example.io/quay.io/jetstack/...`. Prefer using the global\n`imageRegistry`/`imageNamespace` values.",
+      "type": "string"
+    },
     "helm-values.image.repository": {
       "default": "",
+      "description": "Full repository override (takes precedence over `imageRegistry`, `imageNamespace`, and `image.name`).\nExample: quay.io/jetstack/disco-agent",
       "type": "string"
     },
     "helm-values.image.tag": {
       "default": "",
-      "description": "Overrides the image tag whose default is the chart appVersion.",
+      "description": "Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.",
+      "type": "string"
+    },
+    "helm-values.imageNamespace": {
+      "default": "jetstack",
+      "description": "The repository namespace used for disco-agent images by default.\nExamples:\n- jetstack\n- custom-namespace",
       "type": "string"
     },
     "helm-values.imagePullSecrets": {
@@ -228,6 +255,11 @@
       "items": {},
       "type": "array"
     },
+    "helm-values.imageRegistry": {
+      "default": "quay.io",
+      "description": "The container registry used for disco-agent images by default. This can include path prefixes (e.g. \"artifactory.example.com/docker\").",
+      "type": "string"
+    },
     "helm-values.metrics": {
       "additionalProperties": false,
       "properties": {

deploy/charts/disco-agent/values.yaml

@@ -8,14 +8,53 @@ replicaCount: 1
 # Must be set to indicate that you have read and accepted the CyberArk Terms of Service. If false, the helm chart will fail to install and will print a message with instructions on how to accept the TOS.
 acceptTerms: false
 
+# The container registry used for disco-agent images by default.
+# This can include path prefixes (e.g. "artifactory.example.com/docker").
+# +docs:property
+imageRegistry: "quay.io"
+
+# The repository namespace used for disco-agent images by default.
+# Examples:
+# - jetstack
+# - custom-namespace
+# +docs:property
+imageNamespace: "jetstack"
+
 # This sets the container image more information can be found here: https://kubernetes.io/docs/concepts/containers/images/
 image:
+  # Deprecated: per-component registry prefix.
+  #
+  # If set, this value is *prepended* to the image repository that the chart would otherwise render.
+  # This applies both when `image.repository` is set and when the repository is computed from
+  # `imageRegistry` + `imageNamespace` + `image.name`.
+  #
+  # This can produce "double registry" style references such as
+  # `legacy.example.io/quay.io/jetstack/...`. Prefer using the global
+  # `imageRegistry`/`imageNamespace` values.
+  # +docs:property
+  # registry: quay.io
+
+  # Full repository override (takes precedence over `imageRegistry`, `imageNamespace`,
+  # and `image.name`).
+  # Example: quay.io/jetstack/disco-agent
+  # +docs:property
   repository: ""
+
+  # The image name for the Discovery Agent.
+  # This is used (together with `imageRegistry` and `imageNamespace`) to construct the full
+  # image reference.
+  # +docs:property
+  name: disco-agent
+
   # This sets the pull policy for images.
   pullPolicy: IfNotPresent
-  # Overrides the image tag whose default is the chart appVersion.
+
+  # Override the image tag to deploy by setting this variable.
+  # If no value is set, the chart's appVersion is used.
   tag: ""
-  # The image digest
+
+  # Override the image digest to deploy by setting this variable.
+  # If set together with `image.tag`, the rendered image will include both tag and digest.
   digest: ""
 
 # This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

deploy/charts/venafi-kubernetes-agent/README.md

@@ -99,13 +99,53 @@ endpointAdditionalProperties:
 > ```
 
 default replicas, do not scale up
+#### **imageRegistry** ~ `string`
+> Default value:
+> ```yaml
+> registry.venafi.cloud
+> ```
+
+The container registry used for venafi-kubernetes-agent images by default. This can include path prefixes (e.g. "artifactory.example.com/docker").
+
+#### **imageNamespace** ~ `string`
+> Default value:
+> ```yaml
+> venafi-agent
+> ```
+
+The repository namespace used for venafi-kubernetes-agent images by default.  
+Examples:  
+- venafi-agent  
+- custom-namespace
+
+#### **image.registry** ~ `string`
+
+Deprecated: per-component registry prefix.  
+  
+If set, this value is *prepended* to the image repository that the chart would otherwise render. This applies both when `image.repository` is set and when the repository is computed from  
+`imageRegistry` + `imageNamespace` + `image.name`.  
+  
+This can produce "double registry" style references such as  
+`legacy.example.io/registry.venafi.cloud/venafi-agent/...`. Prefer using the global  
+`imageRegistry`/`imageNamespace` values.
+
 #### **image.repository** ~ `string`
 > Default value:
 > ```yaml
-> registry.venafi.cloud/venafi-agent/venafi-agent
+> ""
 > ```
 
-The container image for the Discovery Agent.
+Full repository override (takes precedence over `imageRegistry`, `imageNamespace`, and `image.name`). Example: registry.venafi.cloud/venafi-agent/venafi-agent
+
+#### **image.name** ~ `string`
+> Default value:
+> ```yaml
+> venafi-agent
+> ```
+
+The image name for the Discovery Agent.  
+This is used (together with `imageRegistry` and `imageNamespace`) to construct the full image reference.
+
 #### **image.pullPolicy** ~ `string`
 > Default value:
 > ```yaml
@@ -116,10 +156,17 @@ Kubernetes imagePullPolicy on Deployment.
 #### **image.tag** ~ `string`
 > Default value:
 > ```yaml
-> v0.0.0
+> ""
+> ```
+
+Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.
+#### **image.digest** ~ `string`
+> Default value:
+> ```yaml
+> ""
 > ```
 
-Overrides the image tag whose default is the chart appVersion.
+Override the image digest to deploy by setting this variable. If set together with `image.tag`, the rendered image will include both tag and digest.
 #### **imagePullSecrets** ~ `array`
 > Default value:
 > ```yaml