Preserve ObjectMeta.ResourceVersion

Signed-off-by: Nont <[email protected]>

Author: Nont

pkg/webhook/managedresource/validatingadmissionpolicy.go

@@ -25,13 +25,13 @@ func getValidatingAdmissionPolicy(isHub bool) *admv1.ValidatingAdmissionPolicy {
 }
 
 func mutateValidatingAdmissionPolicy(vap *admv1.ValidatingAdmissionPolicy, isHub bool) {
-	vap.TypeMeta = metav1.TypeMeta{
-		APIVersion: "admissionregistration.k8s.io/v1",
-		Kind:       "ValidatingAdmissionPolicy",
-	}
-	vap.ObjectMeta.Labels = map[string]string{
-		"fleet.azure.com/managed-by": "arm",
+	ometa := metav1.ObjectMeta{
+		Labels: map[string]string{
+			"fleet.azure.com/managed-by": "arm",
+		},
+		ResourceVersion: vap.ResourceVersion,
 	}
+	vap.ObjectMeta = ometa
 	vap.Spec = admv1.ValidatingAdmissionPolicySpec{
 		MatchConstraints: &admv1.MatchResources{
 			ObjectSelector: &metav1.LabelSelector{
@@ -108,13 +108,13 @@ func getValidatingAdmissionPolicyBinding() *admv1.ValidatingAdmissionPolicyBindi
 }
 
 func mutateValidatingAdmissionPolicyBinding(vapb *admv1.ValidatingAdmissionPolicyBinding) {
-	vapb.TypeMeta = metav1.TypeMeta{
-		APIVersion: "admissionregistration.k8s.io/v1",
-		Kind:       "ValidatingAdmissionPolicyBinding",
-	}
-	vapb.ObjectMeta.Labels = map[string]string{
-		"fleet.azure.com/managed-by": "arm",
+	ometa := metav1.ObjectMeta{
+		Labels: map[string]string{
+			"fleet.azure.com/managed-by": "arm",
+		},
+		ResourceVersion: vapb.ResourceVersion,
 	}
+	vapb.ObjectMeta = ometa
 	vapb.Spec = admv1.ValidatingAdmissionPolicyBindingSpec{
 		PolicyName: resourceName,
 		ValidationActions: []admv1.ValidationAction{

pkg/webhook/managedresource/validatingadmissionpolicy_test.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	admv1 "k8s.io/api/admissionregistration/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 func TestGetValidatingAdmissionPolicy(t *testing.T) {
@@ -50,9 +51,121 @@ func TestGetValidatingAdmissionPolicy(t *testing.T) {
 	})
 }
 
+func TestMutateValidatingAdmissionPolicy(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name             string
+		isHub            bool
+		resourceVersion  string
+		initialLabels    map[string]string
+	}{
+		{
+			name:            "preserves ResourceVersion and updates labels for member cluster",
+			isHub:           false,
+			resourceVersion: "12345",
+			initialLabels:   map[string]string{"existing": "label"},
+		},
+		{
+			name:            "preserves ResourceVersion and updates labels for hub cluster",
+			isHub:           true,
+			resourceVersion: "67890",
+			initialLabels:   map[string]string{"old": "value"},
+		},
+		{
+			name:            "preserves empty ResourceVersion and sets labels",
+			isHub:           false,
+			resourceVersion: "",
+			initialLabels:   nil,
+		},
+		{
+			name:            "overwrites existing managed label while preserving ResourceVersion",
+			isHub:           false,
+			resourceVersion: "54321",
+			initialLabels:   map[string]string{"fleet.azure.com/managed-by": "old-value", "other": "label"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			vap := &admv1.ValidatingAdmissionPolicy{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:            "test-policy",
+					ResourceVersion: tt.resourceVersion,
+					Labels:          tt.initialLabels,
+				},
+			}
+
+			mutateValidatingAdmissionPolicy(vap, tt.isHub)
+
+			assert.Equal(t, tt.resourceVersion, vap.ResourceVersion, "ResourceVersion should be preserved")
+			assert.Equal(t, "arm", vap.Labels["fleet.azure.com/managed-by"], "managed-by label should be set to 'arm'")
+			
+			// Verify that only the managed-by label exists (other labels are not preserved)
+			expectedLabels := map[string]string{
+				"fleet.azure.com/managed-by": "arm",
+			}
+			assert.Equal(t, expectedLabels, vap.Labels, "Only the managed-by label should exist")
+		})
+	}
+}
+
 func TestGetValidatingAdmissionPolicyBinding(t *testing.T) {
 	t.Parallel()
 
 	vap := getValidatingAdmissionPolicyBinding()
 	assert.NotNil(t, vap)
 }
+
+func TestMutateValidatingAdmissionPolicyBinding(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name             string
+		resourceVersion  string
+		initialLabels    map[string]string
+	}{
+		{
+			name:            "preserves ResourceVersion and updates labels",
+			resourceVersion: "12345",
+			initialLabels:   map[string]string{"existing": "label"},
+		},
+		{
+			name:            "preserves empty ResourceVersion and sets labels",
+			resourceVersion: "",
+			initialLabels:   nil,
+		},
+		{
+			name:            "overwrites existing managed label while preserving ResourceVersion",
+			resourceVersion: "67890",
+			initialLabels:   map[string]string{"fleet.azure.com/managed-by": "old-value", "other": "label"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			vapb := &admv1.ValidatingAdmissionPolicyBinding{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:            "test-binding",
+					ResourceVersion: tt.resourceVersion,
+					Labels:          tt.initialLabels,
+				},
+			}
+
+			mutateValidatingAdmissionPolicyBinding(vapb)
+
+			assert.Equal(t, tt.resourceVersion, vapb.ResourceVersion, "ResourceVersion should be preserved")
+			assert.Equal(t, "arm", vapb.Labels["fleet.azure.com/managed-by"], "managed-by label should be set to 'arm'")
+			
+			// Verify that only the managed-by label exists (other labels are not preserved)
+			expectedLabels := map[string]string{
+				"fleet.azure.com/managed-by": "arm",
+			}
+			assert.Equal(t, expectedLabels, vapb.Labels, "Only the managed-by label should exist")
+		})
+	}
+}