feat(oci-repo): add check on mutation to determine if chart

Signed-off-by: Allen Conlon <[email protected]>

Author: a1994sc

src/internal/agent/hooks/common.go

@@ -4,7 +4,21 @@
 // Package hooks contains the mutation hooks for the Zarf agent.
 package hooks
 
-import "github.com/zarf-dev/zarf/src/internal/agent/operations"
+import (
+	"context"
+	"encoding/json"
+
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/zarf-dev/zarf/src/internal/agent/operations"
+	"github.com/zarf-dev/zarf/src/pkg/logger"
+	"github.com/zarf-dev/zarf/src/pkg/state"
+	"github.com/zarf-dev/zarf/src/pkg/transform"
+	"oras.land/oras-go/v2"
+	"oras.land/oras-go/v2/registry"
+	orasRemote "oras.land/oras-go/v2/registry/remote"
+	"oras.land/oras-go/v2/registry/remote/auth"
+	orasRetry "oras.land/oras-go/v2/registry/remote/retry"
+)
 
 func getLabelPatch(currLabels map[string]string) operations.PatchOperation {
 	if currLabels == nil {
@@ -13,3 +27,44 @@ func getLabelPatch(currLabels map[string]string) operations.PatchOperation {
 	currLabels["zarf-agent"] = "patched"
 	return operations.ReplacePatchOperation("/metadata/labels", currLabels)
 }
+
+func getManifestMediaType(ctx context.Context, zarfState *state.State, imageAddress string) (string, error) {
+	l := logger.From(ctx)
+
+	image, err := transform.ParseImageRef(imageAddress)
+	if err != nil {
+		return "", err
+	}
+
+	registry := &orasRemote.Repository{
+		PlainHTTP: true,
+		Reference: registry.Reference{
+			Registry:   image.Host,
+			Repository: image.Path,
+			Reference:  image.Reference,
+		},
+		Client: &auth.Client{
+			Client: orasRetry.DefaultClient,
+			Cache:  auth.NewCache(),
+			Credential: auth.StaticCredential(imageAddress, auth.Credential{
+				Username: zarfState.RegistryInfo.PullUsername,
+				Password: zarfState.RegistryInfo.PullPassword,
+			}),
+		},
+	}
+
+	_, b, err := oras.FetchBytes(ctx, registry, imageAddress, oras.DefaultFetchBytesOptions)
+
+	if err != nil {
+		l.Debug("Got the following error when trying to fetch manifest", "imageAddress", imageAddress, "error", err)
+		return "", err
+	}
+
+	var manifest ocispec.Manifest
+	if err := json.Unmarshal(b, &manifest); err != nil {
+		l.Debug("Unable to unmarshal the manifest json", "manifest", imageAddress, "error", err)
+		return "", err
+	}
+
+	return manifest.Config.MediaType, nil
+}

src/internal/agent/hooks/flux-ocirepo.go

@@ -21,6 +21,10 @@ import (
 	v1 "k8s.io/api/admission/v1"
 )
 
+const (
+	HelmMediaTypeManifest = "application/vnd.cncf.helm.config.v1+json"
+)
+
 // NewOCIRepositoryMutationHook creates a new instance of the oci repo mutation hook.
 func NewOCIRepositoryMutationHook(ctx context.Context, cluster *cluster.Cluster) operations.Hook {
 	return operations.Hook{
@@ -97,11 +101,29 @@ func mutateOCIRepo(ctx context.Context, r *v1.AdmissionRequest, cluster *cluster
 			patchedURL = fmt.Sprintf("%s:%s", patchedURL, src.Spec.Reference.Tag)
 		}
 
+		// Always patch with crc32 hashing
 		patchedSrc, err := transform.ImageTransformHost(registryAddress, patchedURL)
 		if err != nil {
 			return nil, fmt.Errorf("unable to transform the OCIRepo URL: %w", err)
 		}
 
+		// Get the media type of the oci image
+		mediaType, err := getManifestMediaType(ctx, zarfState, patchedSrc)
+
+		// If we get an error, we fall back to existing mutation logic
+		if err != nil {
+			mediaType = ""
+		}
+
+		l.Debug("Got the following media type", "mediaType", mediaType, "registryAddress", registryAddress)
+
+		if isChart(mediaType) {
+			patchedSrc, err = transform.ImageTransformHostWithoutChecksum(registryAddress, patchedURL)
+			if err != nil {
+				return nil, fmt.Errorf("unable to transform the OCIRepo URL: %w", err)
+			}
+		}
+
 		patchedRefInfo, err := transform.ParseImageRef(patchedSrc)
 		if err != nil {
 			return nil, fmt.Errorf("unable to parse the transformed OCIRepo URL: %w", err)
@@ -147,3 +169,11 @@ func populateOCIRepoPatchOperations(repoURL string, isInternal bool, ref *flux.O
 
 	return patches
 }
+
+func isChart(mediaType string) bool {
+	switch mediaType {
+	case HelmMediaTypeManifest:
+		return true
+	}
+	return false
+}

src/internal/agent/hooks/flux-ocirepo_test.go

@@ -6,6 +6,7 @@ package hooks
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"net/http"
 	"testing"
 
@@ -16,11 +17,15 @@ import (
 	"github.com/zarf-dev/zarf/src/internal/agent/http/admission"
 	"github.com/zarf-dev/zarf/src/internal/agent/operations"
 	"github.com/zarf-dev/zarf/src/pkg/state"
+	"github.com/zarf-dev/zarf/src/pkg/transform"
+	"github.com/zarf-dev/zarf/src/test/testutil"
 	"github.com/zarf-dev/zarf/src/types"
 	v1 "k8s.io/api/admission/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"oras.land/oras-go/v2"
+	"oras.land/oras-go/v2/registry/remote"
 )
 
 func createFluxOCIRepoAdmissionRequest(t *testing.T, op v1.Operation, fluxOCIRepo *flux.OCIRepository) *v1.AdmissionRequest {
@@ -35,6 +40,188 @@ func createFluxOCIRepoAdmissionRequest(t *testing.T, op v1.Operation, fluxOCIRep
 	}
 }
 
+type OCIArtifact struct {
+	Domain    string
+	Namespace string
+	Tag       string
+}
+
+func populateLocalRegistry(t *testing.T, ctx context.Context, localUrl string, artifact OCIArtifact) error {
+	localReg, err := remote.NewRegistry(localUrl)
+	if err != nil {
+		return err
+	}
+	localReg.PlainHTTP = true
+
+	remoteReg, err := remote.NewRegistry(artifact.Domain)
+	if err != nil {
+		return err
+	}
+
+	src, err := remoteReg.Repository(ctx, artifact.Namespace)
+	if err != nil {
+		return err
+	}
+	dst, err := localReg.Repository(ctx, artifact.Namespace)
+	if err != nil {
+		return err
+	}
+	desc, err := oras.Copy(ctx, src, artifact.Tag, dst, artifact.Tag, oras.DefaultCopyOptions)
+	if err != nil {
+		return err
+	}
+	t.Log(desc)
+
+	hashedTag, err := transform.ImageTransformHost(localUrl, fmt.Sprintf("%s/%s:%s", artifact.Domain, artifact.Namespace, artifact.Tag))
+	if err != nil {
+		return err
+	}
+
+	desc, err = oras.Copy(ctx, src, artifact.Tag, dst, hashedTag, oras.DefaultCopyOptions)
+	if err != nil {
+		return err
+	}
+	t.Log(desc)
+
+	return nil
+}
+
+func setupRegistry(t *testing.T, ctx context.Context) (string, error) {
+	localUrl := testutil.SetupInMemoryRegistry(ctx, t, 5000)
+
+	localReg, err := remote.NewRegistry(localUrl)
+	localReg.PlainHTTP = true
+	if err != nil {
+		return "", err
+	}
+	var artifacts = []OCIArtifact{
+		{
+			Domain:    "ghcr.io",
+			Namespace: "stefanprodan/charts/podinfo",
+			Tag:       "6.9.0",
+		},
+		{
+			Domain:    "ghcr.io",
+			Namespace: "stefanprodan/podinfo",
+			Tag:       "6.9.0",
+		},
+	}
+
+	for _, art := range artifacts {
+		err := populateLocalRegistry(t, ctx, localUrl, art)
+		if err != nil {
+			return "", err
+		}
+	}
+
+	return localUrl, nil
+}
+
+func TestFluxOCIHelmMutationWebhook(t *testing.T) {
+	t.Parallel()
+
+	ctx := context.Background()
+	url, err := setupRegistry(t, ctx)
+	if err != nil {
+		panic(err)
+	}
+
+	tests := []admissionTest{
+		{
+			name: "should be mutated but not the tag",
+			admissionReq: createFluxOCIRepoAdmissionRequest(t, v1.Create, &flux.OCIRepository{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "mutate-this",
+				},
+				Spec: flux.OCIRepositorySpec{
+					URL: "oci://ghcr.io/stefanprodan/charts/podinfo",
+					Reference: &flux.OCIRepositoryRef{
+						Tag: "6.9.0",
+					},
+				},
+			}),
+			patch: []operations.PatchOperation{
+				operations.ReplacePatchOperation(
+					"/spec/url",
+					"oci://localhost:5000/stefanprodan/charts/podinfo",
+				),
+				operations.AddPatchOperation(
+					"/spec/secretRef",
+					fluxmeta.LocalObjectReference{Name: config.ZarfImagePullSecretName},
+				),
+				operations.ReplacePatchOperation(
+					"/spec/ref/tag",
+					"6.9.0",
+				),
+				operations.ReplacePatchOperation(
+					"/metadata/labels",
+					map[string]string{
+						"zarf-agent": "patched",
+					},
+				),
+			},
+			code: http.StatusOK,
+		},
+		{
+			name: "should be mutated",
+			admissionReq: createFluxOCIRepoAdmissionRequest(t, v1.Create, &flux.OCIRepository{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "mutate-this",
+				},
+				Spec: flux.OCIRepositorySpec{
+					URL: "oci://ghcr.io/stefanprodan/podinfo",
+					Reference: &flux.OCIRepositoryRef{
+						Tag: "6.9.0",
+					},
+				},
+			}),
+			patch: []operations.PatchOperation{
+				operations.ReplacePatchOperation(
+					"/spec/url",
+					"oci://localhost:5000/stefanprodan/podinfo",
+				),
+				operations.AddPatchOperation(
+					"/spec/secretRef",
+					fluxmeta.LocalObjectReference{Name: config.ZarfImagePullSecretName},
+				),
+				operations.ReplacePatchOperation(
+					"/spec/ref/tag",
+					"6.9.0-zarf-2985051089",
+				),
+				operations.ReplacePatchOperation(
+					"/metadata/labels",
+					map[string]string{
+						"zarf-agent": "patched",
+					},
+				),
+			},
+			code: http.StatusOK,
+		},
+	}
+
+	s := &state.State{RegistryInfo: types.RegistryInfo{
+		Address:      url,
+		PushUsername: "",
+		PushPassword: "",
+		PullUsername: "",
+		PullPassword: "",
+	}}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			c := createTestClientWithZarfState(ctx, t, s)
+			handler := admission.NewHandler().Serve(ctx, NewOCIRepositoryMutationHook(ctx, c))
+			if tt.svc != nil {
+				_, err := c.Clientset.CoreV1().Services("zarf").Create(ctx, tt.svc, metav1.CreateOptions{})
+				require.NoError(t, err)
+			}
+			rr := sendAdmissionRequest(t, tt.admissionReq, handler)
+			verifyAdmission(t, rr, tt)
+		})
+	}
+}
+
 func TestFluxOCIMutationWebhook(t *testing.T) {
 	t.Parallel()