Is your feature request related to a problem? Please describe.
When the AZURE_CLIENT_ID env is imported into a pod using the envFrom secretRef method (meaning no annotation is set on a ServiceAccount), the workload identity webhook adds an empty AZURE_CLIENT_ID to the env section of a container spec.
Due to env section having higher precedence in Kubernetes, when a container starts it gets an empty AZURE_CLIENT_ID.
Describe the solution you'd like
Since having empty AZURE_CLIENT_ID is of no use, it would be better if webhook stops adding empty AZURE_CLIENT_ID.
Describe alternatives you've considered
The issue with this approach is that not every helm chart offers a way to pass secretKeyRef, sometimes only envFrom secretRef is available.
Additional context
In our environment, terraform is used to generate a managed identity and to save a client ID into an Azure Key Vault.
Then, external-secrets operator fetches the client ID (along with other secrets) from the Key Vault and saves it into a k8s secret with a key AZURE_CLIENT_ID.
Pods have the following in their spec to populate environment variables:
envFrom:
  - secretRef:
      name: <name>
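The precedence problem reported above, modelled in Go as an added example (not the webhook's own code and not part of the original issue). The `Container` and `EnvVar` types, the `skipEmpty` switch and the placeholder client ID are assumptions made for illustration; `shadowedKeys` is one way to check a spec for the condition.

```go
package main

import "fmt"

// EnvVar and Container are simplified, hypothetical stand-ins for the pod spec types.
type EnvVar struct{ Name, Value string }
type Container struct {
	Env     []EnvVar          // explicit env entries
	EnvFrom map[string]string // data of the Secret referenced by envFrom secretRef
}

// injectClientID models the mutation from the issue; skipEmpty=true is the requested behaviour.
func injectClientID(c Container, clientID string, skipEmpty bool) Container {
	if clientID == "" && skipEmpty {
		return c // nothing useful to inject, leave the spec untouched
	}
	env := append(append([]EnvVar{}, c.Env...), EnvVar{Name: "AZURE_CLIENT_ID", Value: clientID})
	return Container{Env: env, EnvFrom: c.EnvFrom}
}

// effectiveEnv applies Kubernetes precedence: envFrom first, then env overrides duplicate keys.
func effectiveEnv(c Container) map[string]string {
	res := map[string]string{}
	for k, v := range c.EnvFrom {
		res[k] = v
	}
	for _, e := range c.Env {
		res[e.Name] = e.Value
	}
	return res
}

// shadowedKeys lists envFrom keys whose non-empty value is hidden by an empty env entry.
func shadowedKeys(c Container) []string {
	var keys []string
	for _, e := range c.Env {
		if v, ok := c.EnvFrom[e.Name]; ok && v != "" && e.Value == "" {
			keys = append(keys, e.Name)
		}
	}
	return keys
}

func main() {
	// Constructed sample: a placeholder client ID supplied only through the Secret.
	c := Container{EnvFrom: map[string]string{"AZURE_CLIENT_ID": "00000000-0000-0000-0000-000000000000"}}
	m := injectClientID(c, "", false)
	fmt.Println(effectiveEnv(m), shadowedKeys(m))
}
```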