refactor(gateway-helm-chart): only rewrite chart-default image repos

renuka-fernando · renuka-fernando · commit 290dc91a85e9 · 2026-05-26T10:00:27.000+05:30
Previously the subscription rewrite triggered for any repository value starting with `ghcr.io/wso2/api-platform/`, which silently re-mapped explicit overrides such as SHA-pinned or canary references that happen to keep the WSO2 namespace prefix (e.g. `gateway-controller-canary`). Tighten the gate from a prefix check to an exact-default match by passing each component's canonical default repository through a new `defaultRepository` parameter on the `componentImage` helper. Rewriting now happens only when the user has not overridden `image.repository`; any explicit value — including ones still under the WSO2 GHCR namespace — passes through verbatim. Addresses CodeRabbit review feedback on #2017.
diff --git a/kubernetes/helm/gateway-helm-chart/templates/_helpers.tpl b/kubernetes/helm/gateway-helm-chart/templates/_helpers.tpl
@@ -63,19 +63,22 @@ app.kubernetes.io/component: {{ $component }}
 
 {{/*
 Render a component image reference, applying the WSO2 subscription registry rewrite
-when wso2.subscription.imagePullSecret is set AND the repository still matches the
-default upstream prefix `ghcr.io/wso2/api-platform/`. Explicit overrides pass through.
+only when wso2.subscription.imagePullSecret is set AND the repository value is
+exactly the chart-canonical default for this component. Any explicit override —
+including overrides that happen to stay under `ghcr.io/wso2/api-platform/` (e.g.
+SHA-pinned references, canary tags) — passes through unchanged.
 
-Args (dict): root, repository, tag
+Args (dict): root, repository, defaultRepository, tag
 */}}
 {{- define "gateway-operator.componentImage" -}}
 {{- $root := .root -}}
 {{- $repo := .repository -}}
+{{- $defaultRepo := .defaultRepository -}}
 {{- $tag := .tag -}}
 {{- $sub := $root.Values.wso2.subscription.imagePullSecret -}}
 {{- $defaultPrefix := "ghcr.io/wso2/api-platform/" -}}
 {{- $wso2Prefix := "registry.wso2.com/wso2-api-platform/" -}}
-{{- if and (ne $sub "") (hasPrefix $defaultPrefix $repo) -}}
+{{- if and (ne $sub "") (eq $repo $defaultRepo) (hasPrefix $defaultPrefix $repo) -}}
 {{- printf "%s%s:%s" $wso2Prefix (trimPrefix $defaultPrefix $repo) $tag -}}
 {{- else -}}
 {{- printf "%s:%s" $repo $tag -}}
diff --git a/kubernetes/helm/gateway-helm-chart/templates/gateway/controller/deployment.yaml b/kubernetes/helm/gateway-helm-chart/templates/gateway/controller/deployment.yaml
@@ -66,7 +66,7 @@ spec:
       {{- end }}
       containers:
         - name: gateway-controller
-          image: {{ include "gateway-operator.componentImage" (dict "root" . "repository" $controller.image.repository "tag" $controller.image.tag) | quote }}
+          image: {{ include "gateway-operator.componentImage" (dict "root" . "repository" $controller.image.repository "defaultRepository" "ghcr.io/wso2/api-platform/gateway-controller" "tag" $controller.image.tag) | quote }}
           imagePullPolicy: {{ $controller.image.pullPolicy }}
           {{- with $deployment.securityContext }}
           securityContext:
diff --git a/kubernetes/helm/gateway-helm-chart/templates/gateway/gateway-runtime/deployment.yaml b/kubernetes/helm/gateway-helm-chart/templates/gateway/gateway-runtime/deployment.yaml
@@ -63,7 +63,7 @@ spec:
       {{- end }}
       containers:
         - name: gateway-runtime
-          image: {{ include "gateway-operator.componentImage" (dict "root" . "repository" $unified.image.repository "tag" $unified.image.tag) | quote }}
+          image: {{ include "gateway-operator.componentImage" (dict "root" . "repository" $unified.image.repository "defaultRepository" "ghcr.io/wso2/api-platform/gateway-runtime" "tag" $unified.image.tag) | quote }}
           imagePullPolicy: {{ $unified.image.pullPolicy }}
           args: ["--pol.config", "/etc/policy-engine/config.toml"]
           {{- with $deployment.securityContext }}
