fix(deploy): bump Envoy sidecar past stale-image gate, expose pod annotations (#357)

Signed-off-by: Tomas Pilar <thomas7pilar@gmail.com>

Author: pilartomas

deploy/helm/humr/templates/controller/deployment.yaml

@@ -67,6 +67,10 @@ spec:
             - name: AGENT_STORAGE_CLASS
               value: {{ . | quote }}
             {{- end }}
+            {{- with .Values.controller.agentPodAnnotations }}
+            - name: AGENT_POD_ANNOTATIONS
+              value: {{ toJson . | quote }}
+            {{- end }}
             - name: HUMR_API_SERVER_HOST
               value: "{{ include "humr.fullname" . }}-apiserver.{{ .Release.Namespace }}.svc.cluster.local"
             - name: HUMR_HARNESS_SERVER_URL
@@ -78,7 +82,7 @@ spec:
             - name: HUMR_TERMINATION_GRACE_PERIOD
               value: {{ .Values.controller.terminationGracePeriod | default 5 | quote }}
             - name: ENVOY_IMAGE
-              value: {{ .Values.controller.envoyImage | default "envoyproxy/envoy-distroless:v1.32.0" | quote }}
+              value: {{ .Values.controller.envoyImage | default "envoyproxy/envoy:distroless-v1.37.2" | quote }}
             - name: ENVOY_PORT
               value: {{ .Values.controller.envoyPort | default 10000 | quote }}
             - name: POD_NAME

deploy/helm/humr/values.yaml

@@ -262,14 +262,18 @@ controller:
   # impersonation). Empty = cluster default (which must itself support RWX).
   # Set to "humr-rwx" to use the bundled in-cluster NFS provisioner below.
   agentStorageClass: ""
+  # -- Extra annotations stamped on every agent pod. Useful for admission-webhook
+  # break-glass annotations (e.g. `admission.stackrox.io/break-glass: ticket-1234`)
+  # or for cluster-specific scheduling/observability hints.
+  agentPodAnnotations: {}
   replicas: 1
   # -- Idle timeout before auto-hibernating running instances (Go duration, 0 = disabled)
   idleTimeout: "1h"
   # -- Termination grace period in seconds for agent pods
   terminationGracePeriod: 5
   # -- Image for the experimental Envoy credential-injector sidecar (ADR-033). Renders
   # only on instances with `experimentalCredentialInjector: true`.
-  envoyImage: envoyproxy/envoy-distroless:v1.32.0
+  envoyImage: envoyproxy/envoy:distroless-v1.37.2
   # -- Port the Envoy sidecar listens on inside the agent pod (proxy on 127.0.0.1).
   envoyPort: 10000
   # -- TLS interception support for the experimental credential injector. When enabled,

packages/controller/pkg/config/config.go

@@ -1,6 +1,7 @@
 package config
 
 import (
+	"encoding/json"
 	"fmt"
 	"os"
 	"strconv"
@@ -22,8 +23,9 @@ type Config struct {
 	KeycloakClientSecret string // Confidential client secret
 	LeaseName        string // Leader election lease name
 	PodName          string // This pod's name (from downward API)
-	AgentImagePullPolicy      string        // ImagePullPolicy for agent pods (default: IfNotPresent)
-	AgentImagePullSecrets     []string      // Pull secret names for agent pods (comma-separated via env)
+	AgentImagePullPolicy      string            // ImagePullPolicy for agent pods (default: IfNotPresent)
+	AgentImagePullSecrets     []string          // Pull secret names for agent pods (comma-separated via env)
+	AgentPodAnnotations       map[string]string // Extra annotations stamped on every agent pod (e.g. admission webhook break-glass)
 	AgentStorageClass         string
 	IdleTimeout               time.Duration // Idle timeout before auto-hibernation (0 = disabled, default: 1h)
 	TerminationGracePeriod    int64         // Termination grace period in seconds for agent pods (default: 5)
@@ -79,10 +81,17 @@ func LoadFromEnv() (*Config, error) {
 			}
 		}
 	}
+	if v := os.Getenv("AGENT_POD_ANNOTATIONS"); v != "" {
+		ann := map[string]string{}
+		if err := json.Unmarshal([]byte(v), &ann); err != nil {
+			return nil, fmt.Errorf("AGENT_POD_ANNOTATIONS: invalid JSON: %w", err)
+		}
+		cfg.AgentPodAnnotations = ann
+	}
 	cfg.AgentStorageClass = os.Getenv("AGENT_STORAGE_CLASS")
 	cfg.IdleTimeout = envOrDefaultDuration("HUMR_IDLE_TIMEOUT", 1*time.Hour)
 	cfg.TerminationGracePeriod = int64(envOrDefaultInt("HUMR_TERMINATION_GRACE_PERIOD", 5))
-	cfg.EnvoyImage = envOrDefault("ENVOY_IMAGE", "envoyproxy/envoy-distroless:v1.32.0")
+	cfg.EnvoyImage = envOrDefault("ENVOY_IMAGE", "envoyproxy/envoy:distroless-v1.37.2")
 	cfg.EnvoyPort = envOrDefaultInt("ENVOY_PORT", 10000)
 	cfg.EnvoyMitmCAIssuer = envOrDefault("ENVOY_MITM_CA_ISSUER", "humr-mitm-ca-issuer")
 	cfg.EnvoyMitmLeafDuration = envOrDefaultDuration("ENVOY_MITM_LEAF_DURATION", 0)

packages/controller/pkg/reconciler/resources.go

@@ -249,9 +249,11 @@ func BuildStatefulSet(name string, instance *types.InstanceSpec, agentSpec *type
 	}}
 	var automountSAToken *bool
 	var shareProcessNS *bool
-	var podAnnotations map[string]string
+	podAnnotations := map[string]string{}
+	for k, v := range cfg.AgentPodAnnotations {
+		podAnnotations[k] = v
+	}
 	if instance.ExperimentalCredentialInjector {
-		podAnnotations = map[string]string{}
 		// Sidecar only — the agent container never sees credential mounts.
 		volumes = append(volumes, envoySidecarVolumes(name, credentialSecrets)...)
 		containers = append(containers, envoySidecarContainer(cfg, credentialSecrets))

packages/controller/pkg/reconciler/resources_test.go

@@ -285,7 +285,7 @@ func envToMap(envs []corev1.EnvVar) map[string]string {
 
 var testEnvoyConfig = func() *config.Config {
 	cfg := *testConfig
-	cfg.EnvoyImage = "envoyproxy/envoy-distroless:v1.32.0"
+	cfg.EnvoyImage = "envoyproxy/envoy:distroless-v1.37.2"
 	cfg.EnvoyPort = 10000
 	return &cfg
 }()
@@ -314,7 +314,7 @@ func TestBuildStatefulSet_FlagOn_AddsEnvoySidecar(t *testing.T) {
 	envoy := ss.Spec.Template.Spec.Containers[1]
 	assert.Equal(t, "agent", agent.Name)
 	assert.Equal(t, "envoy", envoy.Name)
-	assert.Equal(t, "envoyproxy/envoy-distroless:v1.32.0", envoy.Image)
+	assert.Equal(t, "envoyproxy/envoy:distroless-v1.37.2", envoy.Image)
 
 	envMap := envToMap(agent.Env)
 	assert.Equal(t, "http://127.0.0.1:10000", envMap["HTTP_PROXY"])