feat: add global.images registry, pullSecrets, and pullPolicy support to newrelic-infra-operator

[dpacheconr]

Summary

Add support for cascading registry, pullSecrets, and pullPolicy from global settings to newrelic-infra-operator.

Phase 1: Global.Images.Registry Support ✅

• Updated _helpers.tpl with newrelic-infra-operator.sidecar.image helper to check global.images.registry fallback
• Makes the infrastructure-k8s sidecar image respect global registry settings
• Updated configmap to use the new image helper for sidecar injection

Phase 2: Global.Images.PullSecrets Support ✅

• Added global.images.pullSecrets support to deployment and other manifests
• Helpers for both operator and admission webhooks patch job images
• Global and chart-level pullSecrets are concatenated together

Phase 3: Global.Images.PullPolicy Support ✅ (NEW)

• Added pullPolicy helpers to _helpers.tpl:
  • newrelic-infra-operator.imagePullPolicy for operator image
  • newrelic-infra-operator.admissionWebhooksPatchJob.imagePullPolicy for webhook patch job image
• Updated relevant manifests to use pullPolicy helpers
• Configuration respects hierarchy: global setting → chart-level setting → default (IfNotPresent)

Configuration Hierarchy

For Image Registry:

1. global.images.registry (if set AND repository matches default)
2. Explicit repository configuration (takes precedence)

For ImagePullSecrets:

1. global.images.pullSecrets (highest priority)
2. Chart-level image.pullSecrets
   Both sources are concatenated to support flexible secret management.

For ImagePullPolicy:

1. global.images.pullPolicy (highest priority)
2. Chart-level image.pullPolicy
3. Default: IfNotPresent

Implementation Details

• If global.images.registry is set AND repository matches the default, uses global registry
• If repository is explicitly set to custom value, that takes precedence
• Sidecar image now respects global registry settings
• PullPolicy hierarchy ensures global settings cascade down when no explicit chart configuration is provided

Backward Compatibility

✅ Fully backward compatible:

• Existing values.yaml configurations continue to work unchanged
• Explicit repository configurations override global settings
• Charts using nri-bundle with global image settings now work correctly

Test Plan

Phase 1 (Registry):

• ✓ Global registry is used when set: my.private.registry.com/newrelic/infrastructure-k8s:latest
• ✓ Defaults to standard image when global registry not configured
• ✓ Explicit repository configuration overrides global registry

Phase 2 (PullSecrets):

• ✓ No pullSecrets set → No imagePullSecrets section rendered
• ✓ Global pullSecrets only → Uses global
• ✓ Both global + chart pullSecrets → Uses both (global items first)

Phase 3 (PullPolicy):

• ✓ Global pullPolicy is used when set and no chart-level policy exists
• ✓ Defaults to IfNotPresent when neither global nor chart policy is set
• ✓ Explicit chart-level pullPolicy overrides global setting

Impact

Once merged, users can now configure image pull behavior globally:

```yaml
global:
images:
registry: "my.private.registry.com"
pullSecrets:
- name: my-registry-credentials
pullPolicy: Always
```

This is part of a broader effort to ensure all New Relic Helm charts in the nri-bundle support consistent private registry configuration.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.80%. Comparing base (2dee293) to head (fbce187).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #603   +/-   ##
=======================================
  Coverage   89.80%   89.80%           
=======================================
  Files           7        7           
  Lines         451      451           
=======================================
  Hits          405      405           
  Misses         29       29           
  Partials       17       17           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.