Merge branch 'main' into extend-helm-chart-options

Makefile

@@ -2,7 +2,7 @@ REGISTRY ?= mcr.microsoft.com/oss/azure/workload-identity
 PROXY_IMAGE_NAME := proxy
 INIT_IMAGE_NAME := proxy-init
 WEBHOOK_IMAGE_NAME := webhook
-IMAGE_VERSION ?= v1.4.0
+IMAGE_VERSION ?= v1.4.1
 
 ORG_PATH := github.com/Azure
 PROJECT_NAME := azure-workload-identity

charts/workload-identity-webhook/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: workload-identity-webhook
 description: A Helm chart to install the azure-workload-identity webhook
 type: application
-version: 1.4.0
-appVersion: v1.4.0
+version: 1.4.1
+appVersion: v1.4.1
 home: https://github.com/Azure/azure-workload-identity
 sources:
   - https://github.com/Azure/azure-workload-identity

charts/workload-identity-webhook/README.md

@@ -34,7 +34,7 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide
 | replicaCount                       | The number of azure-workload-identity replicas to deploy for the webhook                                                          | `2`                                                     |
 | image.repository                   | Image repository                                                                                                                  | `mcr.microsoft.com/oss/azure/workload-identity/webhook` |
 | image.pullPolicy                   | Image pullPolicy                                                                                                                  | `IfNotPresent`                                          |
-| image.release                      | The image release tag to use                                                                                                      | Current release version: `v1.4.0`                       |
+| image.release                      | The image release tag to use                                                                                                      | Current release version: `v1.4.1`                       |
 | imagePullSecrets                   | Image pull secrets to use for retrieving images from private registries                                                           | `[]`                                                    |
 | nodeSelector                       | The node selector to use for pod scheduling                                                                                       | `kubernetes.io/os: linux`                               |
 | resources                          | The resource request/limits for the container image                                                                               | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi        |

charts/workload-identity-webhook/values.yaml

@@ -7,7 +7,7 @@ image:
   repository: mcr.microsoft.com/oss/azure/workload-identity/webhook
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
-  release: v1.4.0
+  release: v1.4.1
 imagePullSecrets: []
 nodeSelector:
   kubernetes.io/os: linux

config/manager/kustomization.yaml

@@ -5,7 +5,7 @@ kind: Kustomization
 images:
 - name: manager
   newName: mcr.microsoft.com/oss/azure/workload-identity/webhook
-  newTag: v1.4.0
+  newTag: v1.4.1
 configMapGenerator:
 - literals:
   - AZURE_TENANT_ID="${AZURE_TENANT_ID}"

deploy/azure-wi-webhook.yaml

@@ -160,7 +160,7 @@ spec:
         envFrom:
         - configMapRef:
             name: azure-wi-webhook-config
-        image: mcr.microsoft.com/oss/azure/workload-identity/webhook:v1.4.0
+        image: mcr.microsoft.com/oss/azure/workload-identity/webhook:v1.4.1
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 6

docker/proxy-init.Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=${TARGETPLATFORM:-linux/amd64} registry.k8s.io/build-image/distroless-iptables:v0.6.6
+FROM --platform=${TARGETPLATFORM:-linux/amd64} registry.k8s.io/build-image/distroless-iptables:v0.7.0
 
 COPY ./init/init-iptables.sh /bin/
 RUN chmod +x /bin/init-iptables.sh

docs/book/src/installation/mutating-admission-webhook.md

@@ -73,7 +73,7 @@ The deployment YAML contains the environment variables we defined above and we r
 Install the webhook using the deployment YAML via `kubectl apply -f` and `envsubst`:
 
 ```bash
-curl -sL https://github.com/Azure/azure-workload-identity/releases/download/v1.4.0/azure-wi-webhook.yaml | envsubst | kubectl apply -f -
+curl -sL https://github.com/Azure/azure-workload-identity/releases/download/v1.4.1/azure-wi-webhook.yaml | envsubst | kubectl apply -f -
 ```
 
 <details>

examples/migration/pod-with-proxy-init-and-proxy-sidecar.yaml

@@ -8,7 +8,7 @@ spec:
   serviceAccountName: workload-identity-sa
   initContainers:
   - name: init-networking
-    image: mcr.microsoft.com/oss/azure/workload-identity/proxy-init:v1.4.0
+    image: mcr.microsoft.com/oss/azure/workload-identity/proxy-init:v1.4.1
     securityContext:
       capabilities:
         add:
@@ -26,6 +26,6 @@ spec:
     ports:
     - containerPort: 80
   - name: proxy
-    image: mcr.microsoft.com/oss/azure/workload-identity/proxy:v1.4.0
+    image: mcr.microsoft.com/oss/azure/workload-identity/proxy:v1.4.1
     ports:
     - containerPort: 8000

go.mod

@@ -32,11 +32,12 @@ require (
 	k8s.io/client-go v0.31.4
 	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8
 	monis.app/mlog v0.0.4
-	sigs.k8s.io/controller-runtime v0.19.3
+	sigs.k8s.io/controller-runtime v0.19.4
 )
 
 require (
 	github.com/Azure/go-autorest/autorest/adal v0.9.23 // indirect
+	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect

go.sum

@@ -52,6 +52,8 @@ github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH
 github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg=
 github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
+github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
+github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
 github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
@@ -333,8 +335,8 @@ k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 monis.app/mlog v0.0.4 h1:YEzh5sguG4ApywaRWnBU+mGP6SA4WxOqiJ36u+KtoeE=
 monis.app/mlog v0.0.4/go.mod h1:LtOpnndFuRGqnLBwzBvpA1DaoKuud2/moLzYXIiNl1s=
-sigs.k8s.io/controller-runtime v0.19.3 h1:XO2GvC9OPftRst6xWCpTgBZO04S2cbp0Qqkj8bX1sPw=
-sigs.k8s.io/controller-runtime v0.19.3/go.mod h1:j4j87DqtsThvwTv5/Tc5NFRyyF/RF0ip4+62tbTSIUM=
+sigs.k8s.io/controller-runtime v0.19.4 h1:SUmheabttt0nx8uJtoII4oIP27BVVvAKFvdvGFwV/Qo=
+sigs.k8s.io/controller-runtime v0.19.4/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=

manifest_staging/charts/workload-identity-webhook/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: workload-identity-webhook
 description: A Helm chart to install the azure-workload-identity webhook
 type: application
-version: 1.4.0
-appVersion: v1.4.0
+version: 1.4.1
+appVersion: v1.4.1
 home: https://github.com/Azure/azure-workload-identity
 sources:
   - https://github.com/Azure/azure-workload-identity

manifest_staging/charts/workload-identity-webhook/README.md

@@ -34,7 +34,7 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide
 | replicaCount                       | The number of azure-workload-identity replicas to deploy for the webhook                                                          | `2`                                                     |
 | image.repository                   | Image repository                                                                                                                  | `mcr.microsoft.com/oss/azure/workload-identity/webhook` |
 | image.pullPolicy                   | Image pullPolicy                                                                                                                  | `IfNotPresent`                                          |
-| image.release                      | The image release tag to use                                                                                                      | Current release version: `v1.4.0`                       |
+| image.release                      | The image release tag to use                                                                                                      | Current release version: `v1.4.1`                       |
 | imagePullSecrets                   | Image pull secrets to use for retrieving images from private registries                                                           | `[]`                                                    |
 | nodeSelector                       | The node selector to use for pod scheduling                                                                                       | `kubernetes.io/os: linux`                               |
 | resources                          | The resource request/limits for the container image                                                                               | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi        |

manifest_staging/charts/workload-identity-webhook/values.yaml

@@ -7,7 +7,7 @@ image:
   repository: mcr.microsoft.com/oss/azure/workload-identity/webhook
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
-  release: v1.4.0
+  release: v1.4.1
 imagePullSecrets: []
 # Define if the service account can be used by default (automount property)
 serviceAccount:

manifest_staging/deploy/azure-wi-webhook.yaml

@@ -160,7 +160,7 @@ spec:
         envFrom:
         - configMapRef:
             name: azure-wi-webhook-config
-        image: mcr.microsoft.com/oss/azure/workload-identity/webhook:v1.4.0
+        image: mcr.microsoft.com/oss/azure/workload-identity/webhook:v1.4.1
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 6

pkg/cmd/podidentity/detect.go

@@ -35,7 +35,7 @@ var (
 
 const (
 	imageRepository = "mcr.microsoft.com/oss/azure/workload-identity"
-	imageTag        = "v1.4.0"
+	imageTag        = "v1.4.1"
 
 	proxyInitImageName     = "proxy-init"
 	proxyImageName         = "proxy"

third_party/open-policy-agent/gatekeeper/helmify/static/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: workload-identity-webhook
 description: A Helm chart to install the azure-workload-identity webhook
 type: application
-version: 1.4.0
-appVersion: v1.4.0
+version: 1.4.1
+appVersion: v1.4.1
 home: https://github.com/Azure/azure-workload-identity
 sources:
   - https://github.com/Azure/azure-workload-identity

third_party/open-policy-agent/gatekeeper/helmify/static/README.md

@@ -34,7 +34,7 @@ helm upgrade -n azure-workload-identity-system [RELEASE_NAME] azure-workload-ide
 | replicaCount                       | The number of azure-workload-identity replicas to deploy for the webhook                                                          | `2`                                                     |
 | image.repository                   | Image repository                                                                                                                  | `mcr.microsoft.com/oss/azure/workload-identity/webhook` |
 | image.pullPolicy                   | Image pullPolicy                                                                                                                  | `IfNotPresent`                                          |
-| image.release                      | The image release tag to use                                                                                                      | Current release version: `v1.4.0`                       |
+| image.release                      | The image release tag to use                                                                                                      | Current release version: `v1.4.1`                       |
 | imagePullSecrets                   | Image pull secrets to use for retrieving images from private registries                                                           | `[]`                                                    |
 | nodeSelector                       | The node selector to use for pod scheduling                                                                                       | `kubernetes.io/os: linux`                               |
 | resources                          | The resource request/limits for the container image                                                                               | limits: 100m CPU, 30Mi, requests: 100m CPU, 20Mi        |

third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml

@@ -7,7 +7,7 @@ image:
   repository: mcr.microsoft.com/oss/azure/workload-identity/webhook
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
-  release: v1.4.0
+  release: v1.4.1
 imagePullSecrets: []
 nodeSelector:
   kubernetes.io/os: linux