Switch kube-webhook-certgen from mutable tag to SHA digest

[hbhushan3]

https://issues.redhat.com/browse/AROSLSRE-492
Replaces #4178

Updates the kube-webhook-certgen (ingress-nginx admission webhook) image to be managed by the image-updater, pinning it by SHA digest instead of a mutable tag.

Changes

• tooling/image-updater/config.yaml — Added kube-webhook-certgen entry with correct jsonPaths targeting defaults.svc.prometheus and defaults.mgmt.prometheus
• config/config.yaml — Replaced tag field with sha for the admissionWebhook patch image in both svc and mgmt prometheus sections
• config/config.schema.json — Updated admissionWebhook patch image schema to use $ref: containerImageSha instead of an inline schema with tag
• observability/prometheus/values-svc.yaml — Changed template reference from .tag to .sha
• observability/prometheus/values-mgmt.yaml — Changed template reference from .tag to .sha
• Ran make -C config materialize as a sperate commit

[avollmer-redhat]

/lgtm

[avollmer-redhat]

/remove-lgtm

[avollmer-redhat]

If you use the acr path to look for new images, new versions will never be found to pull through to acr. Doesn't your image updater need to look at the latest upstream first, so the new image can be pulled through the pull through cache and into acr?

[avollmer-redhat]

/lgtm

[janboll]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: avollmer-redhat, hbhushan3, janboll

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• config/OWNERS [janboll]
• dev-infrastructure/OWNERS [janboll]
• observability/OWNERS [janboll]
• tooling/image-updater/OWNERS [janboll]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sajeelirkal]

/test integration

[hbhushan3]

/test e2e-parallel