chart: optimize spire image for offline environment

[weizhoublue]

optimize the chart values for spire

• align the image definition map with other images, such as cilium operator and hubble, which decouple the repository and tag, and could better deploy in an offline environment

• prevent hardcode the busybox image in the yaml, which could help deploy cilium in an offline K8S cluster

Change the Helm values configuration for SPIRE to match other images in the Helm charts

[joestringer]

Heads up @mhofstetter this will have user-facing impact due to the change in the format for Helm values. Hence I've updated release-note/minor. This change should also be documented in the upgrade guide.

[weizhoublue]

Heads up @mhofstetter this will have user-facing impact due to the change in the format for Helm values. Hence I've updated release-note/minor. This change should also be documented in the upgrade guide.

Thanks for reminding

I will add 'Upgrade Notes' in the documentation/operations/upgrade.rst, right ?

[mhofstetter]

@weizhoublue thanks for the contribution! The change request itself looks reasonable.

But as@joestringer already pointed out - i have some questions about the breaking change (vs deprecation period) and the respective communication in the upgrade notes for the respective SIGs.

[zacharysarah]

LGTM

[mhofstetter]

/test

[mhofstetter]

LGTM - thanks again!

[joestringer]

Thanks for the submission! I had one question on the templates for something I don't understand, plus a request to make the image variables definitions to be lined up the same way as other external dependencies in the tree, using install/kubernetes/Makefile.values.

[tommyp1ckles]

The PR descriptions making this an "image" and "tag" value, similar to other components?

[weizhoublue]

yes
the common way of cilium images use "tag" and "repository" things to define the image
I think it conforms to best practices, especially for offline environment, the administrator could just set helm option --xx. repository=offline.io/cilium , and is not necessary to care about the "tag" for cilium v1.4 or v1.5, and just keep the best matched and recommended tag in the chart

Therefore, the original definition of spire image does not conform what other cilium image does, and that is what this PR want to optimize

[weizhoublue]

and why it is compatible with the string type here , is owing to comment

[joestringer]

Sorry, some of the confusion may be because I added the release note. I will say though that these settings should conform to the same configuration format that is exposed for components like hubble-ui.

[joestringer]

Docs look good and my earlier comments were resolved. I didn't take a fresh look at the Helm format, delegating review to @cilium/helm for that.

[joestringer]

/test

[weizhoublue]

the CI failed owing to some connectivity and ipam tests, which seems to have no bussiness with PR.
Should I retry to rebase main branch

[maintainer-s-little-helper]

Commit 84e93d63b865a59f366420a06e37c7293e8be146 does not contain "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

[joestringer]

/test

[joestringer]

the CI failed owing to some connectivity and ipam tests, which seems to have no bussiness with PR.

Known failures #27672 and #27318.

[aditighag]

@weizhoublue Hi, Could you rebase the PR as there is a conflict? Thanks!

[weizhoublue]

@weizhoublue Hi, Could you rebase the PR as there is a conflict? Thanks!

sure, thanks for reminding

[mhofstetter]

/test

[PhilipSchmid]

Can we please get this one backported to 1.14?

Edit: After some internal discussions, I now see why it's challenging to backport this without introducing a breaking change via 1.14 patch version. Also, affected enterprises that must override this image often already have a pipeline to implement a search-replace as a workaround until Cilium 1.15.