Add stackit-pod-identity-webhook image and configuration#53

Draft
jastBytes wants to merge 5 commits into main from feat/STACKITSKE-6021-pod-identity-webhook

Conversation


@jastBytes jastBytes commented Mar 13, 2026

How to categorize this PR?

/kind enhancement

What this PR does / why we need it:
The changes introduce a new Pod Identity Webhook component for the STACKIT cloud provider, adding a new chart for the webhook and its associated resources (Deployment, Service, RBAC, MutatingWebhookConfiguration). The webhook is configured to validate pod identities and enforce workload identity. The changes are integrated into the control plane and shoot system components, with proper configuration and error handling.

Special notes for your reviewer:

Breaking changes:

No breaking changes.

ske-prow bot commented Mar 13, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@ske-prow ske-prow bot added kind/enhancement Enhancement, improvement, extension do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. labels Mar 13, 2026
ske-prow bot commented Mar 13, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign xoxys for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ske-prow ske-prow bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Mar 13, 2026
@jastBytes jastBytes force-pushed the feat/STACKITSKE-6021-pod-identity-webhook branch 2 times, most recently from fb04800 to 6d649ce on March 23, 2026 13:13
@jastBytes jastBytes requested a review from timebertt March 24, 2026 09:24
@timebertt timebertt marked this pull request as ready for review March 25, 2026 07:24
Copilot AI review requested due to automatic review settings March 25, 2026 07:24
@ske-prow ske-prow bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 25, 2026
@timebertt timebertt marked this pull request as draft March 25, 2026 07:24
@ske-prow ske-prow bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 25, 2026
@timebertt
Member

Oops, accidentally marked this PR as ready for review, sorry about that.

@timebertt timebertt left a comment

Thanks for the PR, looking forward to this feature :)

```yaml
    tag: "1245"
  - name: stackit-pod-identity-webhook
    repository: reg3.infra.ske.eu01.stackit.cloud/stackitcloud/stackit-pod-identity-webhook
    tag: "726f2f0@sha256:fca1f67cd7e6a515e795a34ae45d0c239379d051e494dc202033f6987b41b154"
```
Member

For the record (as discussed in chat): the stackit-pod-identity-webhook repository should be public and released before merging this integration PR in the extension.

Copilot AI left a comment

Pull request overview

This PR introduces a new STACKIT Pod Identity Webhook component and wires it into the extension’s seed control-plane and shoot system components charts/values so that workload identity can be enforced via a mutating admission webhook.

Changes:

  • Add a new stackit-pod-identity-webhook image entry and image name constant.
  • Add new Helm charts for the webhook (seed-controlplane: Deployment/Service/RBAC/PDB; shoot-system-components: MutatingWebhookConfiguration).
  • Extend the controlplane values provider and tests to generate TLS/CA-related chart values and required secrets.

Reviewed changes

Copilot reviewed 16 out of 16 changed files in this pull request and generated 8 comments.

| File | Description |
|---|---|
| pkg/stackit/types.go | Adds a constant for the webhook name. |
| pkg/controller/controlplane/valuesprovider.go | Generates webhook TLS secret config and passes chart values for seed + shoot charts. |
| pkg/controller/controlplane/valuesprovider_test.go | Extends expected chart values and fake secrets for the new component. |
| imagevector/images.yaml | Adds the webhook image (repo/tag+digest). |
| imagevector/images.go | Adds ImageNameStackitPodIdentityWebhook. |
| charts/internal/shoot-system-components/charts/stackit-pod-identity-webhook/* | New shoot chart for MutatingWebhookConfiguration. |
| charts/internal/seed-controlplane/charts/stackit-pod-identity-webhook/* | New seed chart for webhook runtime resources (Deployment/Service/RBAC/PDB). |

@jastBytes jastBytes force-pushed the feat/STACKITSKE-6021-pod-identity-webhook branch 2 times, most recently from 8e62bb2 to 6ad65f7 on March 30, 2026 13:12
@jastBytes
Contributor Author

Post-review changes implemented and tested via ondemand. All working now. One question is open from my point of view; see the comment in the code.

@jastBytes jastBytes force-pushed the feat/STACKITSKE-6021-pod-identity-webhook branch from 3b068dc to c9b9220 on March 31, 2026 08:50
@jastBytes jastBytes requested a review from timebertt March 31, 2026 08:51
```yaml
matchExpressions:
  - key: kubernetes.io/metadata.name
    operator: NotIn
    values: ["kube-system", "garden"]
```
Contributor Author


@MichaelEischer and I were not sure if this is necessary, or what the expected default excludes should be here so as not to mess things up?
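To make the effect of the quoted namespaceSelector concrete, here is an added Go illustration (not code from the PR or the extension) that evaluates it against constructed namespace labels with Kubernetes' NotIn semantics, including the case of an object that lacks the kubernetes.io/metadata.name label, which NotIn still selects:

```go
package main

import "fmt"

// NotIn mirrors a LabelSelector.matchExpressions entry with operator NotIn,
// the only operator the webhook's namespaceSelector uses.
type NotIn struct {
	Key    string
	Values []string
}

// matches follows Kubernetes semantics for NotIn: it also matches when the
// key is absent, so an unlabelled namespace is NOT excluded by the selector.
func matches(r NotIn, labels map[string]string) bool {
	val, has := labels[r.Key]
	if !has {
		return true
	}
	for _, v := range r.Values {
		if v == val {
			return false
		}
	}
	return true
}

// Selected reports whether the namespaceSelector selects a namespace: every
// requirement must match, as for a real LabelSelector.
func Selected(sel []NotIn, labels map[string]string) bool {
	for _, r := range sel {
		if !matches(r, labels) {
			return false
		}
	}
	return true
}

// WebhookSelector is the namespaceSelector quoted in the review comment above.
var WebhookSelector = []NotIn{{
	Key: "kubernetes.io/metadata.name", Values: []string{"kube-system", "garden"},
}}

func main() {
	// Constructed samples; the empty map is a namespace lacking the label.
	for _, name := range []string{"kube-system", "garden", "default"} {
		ns := map[string]string{"kubernetes.io/metadata.name": name}
		fmt.Println(name, Selected(WebhookSelector, ns)) // false, false, true
	}
	fmt.Println("unlabelled", Selected(WebhookSelector, map[string]string{})) // true
}
```

The API server sets kubernetes.io/metadata.name on every namespace, so the unlabelled case only arises for objects the selector is applied to without that label; the point is that NotIn excludes exactly the listed names and nothing else.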
