What did you do exactly?

Install the RHDH operator (1.1) and apply the following: https://gist.github.com/rm3l/01d80e728d6ae38bc75a0869247320dd 

Context: https://redhat-internal.slack.com/archives/C05HGAR2DT5/p1710858032769609

User wanted to add an oauth2-proxy sidecar container to the RHDH Deployment (https://janus-idp.io/blog/2023/01/17/enabling-keycloak-authentication-in-backstage), since this is currently possible with the Helm Chart.

Suggested way is to add this sidecar container by redefining the deployment.yaml key  in a dedicated ConfigMap and then reference that CM in the CR `spec.rawRuntimeConfig.backstageConfig` field.

Actual behavior

The extra container is added to the Deployment created by the operator but the image has been changed by the operator:

$ kubectl get deployment backstage-backstage-with-sidecar -o yaml | yq -r '.spec.template.spec.containers[] | (.name + ": " + .image)'

backstage-backend: registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:3494d447cd81e798a65468615b8e2b4b75f491fa093e52f08381f2d45ad02dd6
oauth2-proxy: registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:3494d447cd81e798a65468615b8e2b4b75f491fa093e52f08381f2d45ad02dd6 

As a consequence, the sidecar container is not able to start properly.

Expected behavior

Currently, when the `RELATED_IMAGE_*` env vars are set in the operator environment, all images are replaced for all containers part of the Backstage Deployment: https://github.com/janus-idp/operator/blob/1.1.x/controllers/backstage_deployment.go#L196-L203 

We should instead use a placeholder and perform replacements only where the placeholder is used. I guess the same bug applies to the PostgreSQL StatefulSet as well.

We are doing something similar with the <POSTGRESQL_SECRET> secret name.

Any logs, error output, etc?

None