Add Helm chart as source for retrieving images in workflow

[superseb]

#437

Usage should be self explanatory from README.

It's not the cleanest solution as the initial design was to have an input for images and an input for tags and we would only add those tags to the images (so the same tags for the list of images). So for now I settled for wrapping the existing logic into a wrapper that takes a list of image + tag. This will help a lot of teams to not spend any more time on this (after initially adding the images for a first time).

This moves cilium images from the images and tags configuration to the new Helm configuration.

I tested this with quite a few Helm charts to make sure it won't break quickly:

{
  "cilium": {
    "versionSource": "helm-latest:https://helm.cilium.io",
    "imageDenylist": [
      "quay.io/cilium/operator",
      "quay.io/cilium/startup-script"
    ],
    "helmCharts": {
      "cilium": {
        "chartConfig": {
          "aws": {
            "values": [
              "eni.enabled=true"
            ],
            "kubeVersion": "1.24"
          },
          "azure":  {
            "values": [
              "azure.enabled=true"
            ]
          },
          "generic": {
            "values": [
              "clustermesh.useAPIServer=true",
              "envoy.enabled=true",
              "hubble.ui.enabled=true",
              "hubble.relay.enabled=true",
              "hubble.enabled=true"
            ]
          },
          "kubeversiononly": {
            "kubeVersion": "1.28"
          }
        }
      }
    }
  },
  "epinio": {
    "versionSource": "helm-latest:https://epinio.github.io/helm-charts",
    "helmCharts": {
      "epinio": {
        "chartConfig": {
          "generic": {
            "values": [
              "global.domain=myepiniodomain.org"
            ]
          }
        }
      }
    }
  },
  "kubewarden": {
    "versionSource": "helm-latest:https://charts.kubewarden.io",
    "helmCharts": {
      "kubewarden-controller": {},
      "kubewarden-defaults": {}
    }
  },
  "neuvector": {                                                                                                                                                                                                                                                                                                             
    "versionSource": "helm-latest:https://neuvector.github.io/neuvector-helm",
    "helmCharts": {
      "core": {}
    }
  },
  "elemental": {
    "versionSource": "helm-oci",
    "imageDenylist": [
      "registry.suse.com/rancher/elemental-teal-channel"
    ],
    "helmCharts": {
      "oci://registry.suse.com/rancher/elemental-operator-chart": {}
    }
  }
}

[superseb]

@rbrtbnfgl Is it okay to block the quay.io/cilium/operator image? I assumed as we are not using it currently, we don't want to add it now but it is being retrieved from the Helm chart.

The result of adding it as a Helm chart can be seen here and would currently add the image quay.io/cilium/startup-script:62093c5c233ea914bfa26a10ba41f8780d9b737f

[rbrtbnfgl]

we are using the cilium-operator image when we deploy cilium.
There is no operator image. The right image is operator-generic

[superseb]

@rbrtbnfgl Okay good, so having it blocked is the right way. Apparently the image exists but isn't used (https://quay.io/cilium/operator)

Can you review the config if that is enough to get all the required images from the cilium Helm chart?

[rbrtbnfgl]

We also can put the startup-script on the deny list. We removed it because it was only used on older K8s versions.

[brandond]

nits/suggestions. this is a great feature though, I think it'll see a lot of use!

[superseb]

@rbrtbnfgl Added to denylist

[superseb]

@garyduan @selvamt94 @fgiudici @andreas-kupries We now have the option to add the Helm chart as source so when new Helm charts are published, new images can be retrieved from the chart and a PR will be created with the new images. See README for examples since this PR has been merged.