test: argo agent unit tests

packages/zarf-agent/manifests/deployment.yaml

@@ -43,9 +43,6 @@ spec:
             - name: tls-certs
               mountPath: /etc/certs
               readOnly: true
-            - name: zarf-state
-              mountPath: /etc/zarf-state
-              readOnly: true
             # Required for OpenShift to mount k9s vendored directories
             - name: config
               mountPath: /.config
@@ -55,9 +52,6 @@ spec:
         - name: tls-certs
           secret:
             secretName: agent-hook-tls
-        - name: zarf-state
-          secret:
-            secretName: zarf-state
         # Required for OpenShift to mount k9s vendored directories
         - name: config
           emptyDir: {}

src/internal/agent/hooks/argo_application_test.go

@@ -0,0 +1,95 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2021-Present The Zarf Authors
+
+package hooks
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"testing"
+
+	"github.com/defenseunicorns/zarf/src/internal/agent/http/admission"
+	"github.com/defenseunicorns/zarf/src/internal/agent/operations"
+	"github.com/defenseunicorns/zarf/src/types"
+	"github.com/stretchr/testify/require"
+	v1 "k8s.io/api/admission/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func createArgoAppAdmissionRequest(t *testing.T, op v1.Operation, argoApp *Application) *v1.AdmissionRequest {
+	t.Helper()
+	raw, err := json.Marshal(argoApp)
+	require.NoError(t, err)
+	return &v1.AdmissionRequest{
+		Operation: op,
+		Object: runtime.RawExtension{
+			Raw: raw,
+		},
+	}
+}
+
+func TestArgoAppWebhook(t *testing.T) {
+	t.Parallel()
+
+	ctx := context.Background()
+	state := &types.ZarfState{GitServer: types.GitServerInfo{
+		Address:      "https://git-server.com",
+		PushUsername: "a-push-user",
+	}}
+	c := createTestClientWithZarfState(ctx, t, state)
+	handler := admission.NewHandler().Serve(NewApplicationMutationHook(ctx, c))
+
+	tests := []admissionTest{
+		{
+			name: "should be mutated",
+			admissionReq: createArgoAppAdmissionRequest(t, v1.Create, &Application{
+				Spec: ApplicationSpec{
+					Source: &ApplicationSource{RepoURL: "https://diff-git-server.com/peanuts"},
+					Sources: []ApplicationSource{
+						{
+							RepoURL: "https://diff-git-server.com/cashews",
+						},
+						{
+							RepoURL: "https://diff-git-server.com/almonds",
+						},
+					},
+				},
+			}),
+			patch: []operations.PatchOperation{
+				operations.ReplacePatchOperation(
+					"/spec/source/repoURL",
+					"https://git-server.com/a-push-user/peanuts-3883081014",
+				),
+				operations.ReplacePatchOperation(
+					"/spec/sources/0/repoURL",
+					"https://git-server.com/a-push-user/cashews-580170494",
+				),
+				operations.ReplacePatchOperation(
+					"/spec/sources/1/repoURL",
+					"https://git-server.com/a-push-user/almonds-640159520",
+				),
+			},
+			code: http.StatusOK,
+		},
+		{
+			name: "should be mutated",
+			admissionReq: createArgoAppAdmissionRequest(t, v1.Create, &Application{
+				Spec: ApplicationSpec{
+					Source: &ApplicationSource{RepoURL: "https://bad-url"},
+				},
+			}),
+			code:        http.StatusInternalServerError,
+			errContains: AgentErrTransformGitURL,
+		},
+	}
+
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			rr := sendAdmissionRequest(t, tt.admissionReq, handler)
+			verifyAdmission(t, rr, tt)
+		})
+	}
+}

src/internal/agent/hooks/argo_repo_test.go

@@ -0,0 +1,119 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2021-Present The Zarf Authors
+
+package hooks
+
+import (
+	"context"
+	b64 "encoding/base64"
+	"encoding/json"
+	"net/http"
+	"testing"
+
+	"github.com/defenseunicorns/zarf/src/internal/agent/http/admission"
+	"github.com/defenseunicorns/zarf/src/internal/agent/operations"
+	"github.com/defenseunicorns/zarf/src/types"
+	"github.com/stretchr/testify/require"
+	v1 "k8s.io/api/admission/v1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func createArgoRepoAdmissionRequest(t *testing.T, op v1.Operation, argoRepo *corev1.Secret) *v1.AdmissionRequest {
+	t.Helper()
+	raw, err := json.Marshal(argoRepo)
+	require.NoError(t, err)
+	return &v1.AdmissionRequest{
+		Operation: op,
+		Object: runtime.RawExtension{
+			Raw: raw,
+		},
+	}
+}
+
+func TestArgoRepoWebhook(t *testing.T) {
+	t.Parallel()
+
+	ctx := context.Background()
+	state := &types.ZarfState{GitServer: types.GitServerInfo{
+		Address:      "https://git-server.com",
+		PushUsername: "a-push-user",
+		PullPassword: "a-pull-password",
+		PullUsername: "a-pull-user",
+	}}
+	c := createTestClientWithZarfState(ctx, t, state)
+	handler := admission.NewHandler().Serve(NewRepositorySecretMutationHook(ctx, c))
+
+	tests := []admissionTest{
+		{
+			name: "should be mutated",
+			admissionReq: createArgoRepoAdmissionRequest(t, v1.Create, &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels: map[string]string{
+						"argocd.argoproj.io/secret-type": "repository",
+					},
+					Name:      "argo-repo-secret",
+					Namespace: "argo",
+				},
+				Data: map[string][]byte{
+					"url": []byte("https://diff-git-server.com/podinfo"),
+				},
+			}),
+			patch: []operations.PatchOperation{
+				operations.ReplacePatchOperation(
+					"/data/url",
+					b64.StdEncoding.EncodeToString([]byte("https://git-server.com/a-push-user/podinfo-1868163476")),
+				),
+				operations.ReplacePatchOperation(
+					"/data/username",
+					b64.StdEncoding.EncodeToString([]byte(state.GitServer.PullUsername)),
+				),
+				operations.ReplacePatchOperation(
+					"/data/password",
+					b64.StdEncoding.EncodeToString([]byte(state.GitServer.PullPassword)),
+				),
+			},
+			code: http.StatusOK,
+		},
+		{
+			name: "matching hostname on update should stay the same, but secret should be added",
+			admissionReq: createArgoRepoAdmissionRequest(t, v1.Update, &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels: map[string]string{
+						"argocd.argoproj.io/secret-type": "repository",
+					},
+					Name:      "argo-repo-secret",
+					Namespace: "argo",
+				},
+				Data: map[string][]byte{
+					"url": []byte("https://git-server.com/podinfo"),
+				},
+			}),
+			patch: []operations.PatchOperation{
+				operations.ReplacePatchOperation(
+					"/data/url",
+					b64.StdEncoding.EncodeToString([]byte("https://git-server.com/podinfo")),
+				),
+				operations.ReplacePatchOperation(
+					"/data/username",
+					b64.StdEncoding.EncodeToString([]byte(state.GitServer.PullUsername)),
+				),
+				operations.ReplacePatchOperation(
+					"/data/password",
+					b64.StdEncoding.EncodeToString([]byte(state.GitServer.PullPassword)),
+				),
+			},
+			code: http.StatusOK,
+		},
+	}
+
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			rr := sendAdmissionRequest(t, tt.admissionReq, handler)
+			verifyAdmission(t, rr, tt)
+		})
+	}
+}