zarf-dev · a1994sc · Oct 31, 2024 · Nov 7, 2024 · Nov 8, 2024 · Nov 9, 2024
diff --git a/src/internal/agent/hooks/argocd-application_test.go b/src/internal/agent/hooks/argocd-application_test.go
@@ -14,6 +14,7 @@ import (
 	"github.com/zarf-dev/zarf/src/internal/agent/operations"
 	"github.com/zarf-dev/zarf/src/types"
 	v1 "k8s.io/api/admission/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 )
 
@@ -78,6 +79,48 @@ func TestArgoAppWebhook(t *testing.T) {
 			},
 			code: http.StatusOK,
 		},
+		{
+			name: "should mutate even if agent patched",
+			admissionReq: createArgoAppAdmissionRequest(t, v1.Create, &Application{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels: map[string]string{
+						"zarf-agent": "patched",
+					},
+				},
+				Spec: ApplicationSpec{
+					Source: &ApplicationSource{RepoURL: "https://diff-git-server.com/peanuts"},
+					Sources: []ApplicationSource{
+						{
+							RepoURL: "https://diff-git-server.com/cashews",
+						},
+						{
+							RepoURL: "https://diff-git-server.com/almonds",
+						},
+					},
+				},
+			}),
+			patch: []operations.PatchOperation{
+				operations.ReplacePatchOperation(
+					"/spec/source/repoURL",
+					"https://git-server.com/a-push-user/peanuts-3883081014",
+				),
+				operations.ReplacePatchOperation(
+					"/spec/sources/0/repoURL",
+					"https://git-server.com/a-push-user/cashews-580170494",
+				),
+				operations.ReplacePatchOperation(
+					"/spec/sources/1/repoURL",
+					"https://git-server.com/a-push-user/almonds-640159520",
+				),
+				operations.ReplacePatchOperation(
+					"/metadata/labels",
+					map[string]string{
+						"zarf-agent": "patched",
+					},
+				),
+			},
+			code: http.StatusOK,
+		},
 		{
 			name: "should return internal server error on bad git URL",
 			admissionReq: createArgoAppAdmissionRequest(t, v1.Create, &Application{

diff --git a/src/internal/agent/hooks/argocd-repository_test.go b/src/internal/agent/hooks/argocd-repository_test.go
@@ -83,6 +83,44 @@ func TestArgoRepoWebhook(t *testing.T) {
 			},
 			code: http.StatusOK,
 		},
+		{
+			name: "should mutate even if agent patched",
+			admissionReq: createArgoRepoAdmissionRequest(t, v1.Create, &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels: map[string]string{
+						"argocd.argoproj.io/secret-type": "repository",
+						"zarf-agent": "patched",
+					},
+					Name:      "argo-repo-secret",
+					Namespace: "argo",
+				},
+				Data: map[string][]byte{
+					"url": []byte("https://diff-git-server.com/podinfo"),
+				},
+			}),
+			patch: []operations.PatchOperation{
+				operations.ReplacePatchOperation(
+					"/data/url",
+					b64.StdEncoding.EncodeToString([]byte("https://git-server.com/a-push-user/podinfo-1868163476")),
+				),
+				operations.ReplacePatchOperation(
+					"/data/username",
+					b64.StdEncoding.EncodeToString([]byte(state.GitServer.PullUsername)),
+				),
+				operations.ReplacePatchOperation(
+					"/data/password",
+					b64.StdEncoding.EncodeToString([]byte(state.GitServer.PullPassword)),
+				),
+				operations.ReplacePatchOperation(
+					"/metadata/labels",
+					map[string]string{
+						"argocd.argoproj.io/secret-type": "repository",
+						"zarf-agent":                     "patched",
+					},
+				),
+			},
+			code: http.StatusOK,
+		},
 		{
 			name: "matching hostname on update should stay the same, but secret should be added",
 			admissionReq: createArgoRepoAdmissionRequest(t, v1.Update, &corev1.Secret{

diff --git a/src/internal/agent/hooks/flux-gitrepo_test.go b/src/internal/agent/hooks/flux-gitrepo_test.go
@@ -73,6 +73,37 @@ func TestFluxMutationWebhook(t *testing.T) {
 			},
 			code: http.StatusOK,
 		},
+		{
+			name: "should mutate even if agent patched",
+			admissionReq: createFluxGitRepoAdmissionRequest(t, v1.Create, &flux.GitRepository{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "mutate-this",
+					Labels: map[string]string{
+						"zarf-agent": "patched",
+					},
+				},
+				Spec: flux.GitRepositorySpec{
+					URL: "https://github.com/stefanprodan/podinfo.git",
+				},
+			}),
+			patch: []operations.PatchOperation{
+				operations.ReplacePatchOperation(
+					"/spec/url",
+					"https://git-server.com/a-push-user/podinfo-1646971829.git",
+				),
+				operations.AddPatchOperation(
+					"/spec/secretRef",
+					fluxmeta.LocalObjectReference{Name: config.ZarfGitServerSecretName},
+				),
+				operations.ReplacePatchOperation(
+					"/metadata/labels",
+					map[string]string{
+						"zarf-agent": "patched",
+					},
+				),
+			},
+			code: http.StatusOK,
+		},
 		{
 			name: "should not mutate invalid git url",
 			admissionReq: createFluxGitRepoAdmissionRequest(t, v1.Update, &flux.GitRepository{

@@ -47,13 +47,6 @@ func mutateHelmRepo(ctx context.Context, r *v1.AdmissionRequest, cluster *cluste
 		return &operations.Result{Allowed: true}, nil
 	}
 
-	if src.Labels != nil && src.Labels["zarf-agent"] == "patched" {
-		return &operations.Result{
-			Allowed:  true,
-			PatchOps: nil,
-		}, nil
-	}
-
 	zarfState, err := cluster.LoadZarfState(ctx)
 	if err != nil {
 		return nil, err

@@ -68,7 +68,7 @@ func TestFluxHelmMutationWebhook(t *testing.T) {
 			code:        http.StatusInternalServerError,
 		},
 		{
-			name: "should not mutate when agent patched",
+			name: "should mutate even if agent patched",
 			admissionReq: createFluxHelmRepoAdmissionRequest(t, v1.Update, &flux.HelmRepository{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "already-patched",
@@ -77,9 +77,26 @@ func TestFluxHelmMutationWebhook(t *testing.T) {
 					},
 				},
 				Spec: flux.HelmRepositorySpec{
+					URL:  "oci://ghcr.io/stefanprodan/charts",
 					Type: "oci",
 				},
 			}),
+			patch: []operations.PatchOperation{
+				operations.ReplacePatchOperation(
+					"/spec/url",
+					"oci://127.0.0.1:31999/stefanprodan/charts",
+				),
+				operations.AddPatchOperation(
+					"/spec/secretRef",
+					fluxmeta.LocalObjectReference{Name: config.ZarfImagePullSecretName},
+				),
+				operations.ReplacePatchOperation(
+					"/metadata/labels",
+					map[string]string{
+						"zarf-agent": "patched",
+					},
+				),
+			},
 			code: http.StatusOK,
 		},
 		{

@@ -50,13 +50,6 @@ func mutateOCIRepo(ctx context.Context, r *v1.AdmissionRequest, cluster *cluster
 		message.Warnf(lang.AgentWarnSemVerRef, src.Spec.Reference.SemVer)
 	}
 
-	if src.Labels != nil && src.Labels["zarf-agent"] == "patched" {
-		return &operations.Result{
-			Allowed:  true,
-			PatchOps: []operations.PatchOperation{},
-		}, nil
-	}
-
 	zarfState, err := cluster.LoadZarfState(ctx)
 	if err != nil {
 		return nil, err

@@ -39,7 +39,7 @@ func TestFluxOCIMutationWebhook(t *testing.T) {
 
 	tests := []admissionTest{
 		{
-			name: "should not mutate when agent patched",
+			name: "should mutate even if agent patched",
 			admissionReq: createFluxOCIRepoAdmissionRequest(t, v1.Update, &flux.OCIRepository{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "already-patched",
@@ -54,7 +54,26 @@ func TestFluxOCIMutationWebhook(t *testing.T) {
 					},
 				},
 			}),
-			patch: nil,
+			patch:  []operations.PatchOperation{
+				operations.ReplacePatchOperation(
+					"/spec/url",
+					"oci://127.0.0.1:31999/stefanprodan/manifests/podinfo",
+				),
+				operations.AddPatchOperation(
+					"/spec/secretRef",
+					fluxmeta.LocalObjectReference{Name: config.ZarfImagePullSecretName},
+				),
+				operations.ReplacePatchOperation(
+					"/spec/ref/tag",
+					"6.4.0-zarf-2823281104",
+				),
+				operations.ReplacePatchOperation(
+					"/metadata/labels",
+					map[string]string{
+						"zarf-agent": "patched",
+					},
+				),
+			},
 			code:  http.StatusOK,
 		},
 		{