From c4462b2958d75938c7bd9065d2277a9caaf2c544 Mon Sep 17 00:00:00 2001
From: Cavaughn Browne
Date: Wed, 19 Jul 2023 11:29:51 -0500
Subject: [PATCH 1/2] allow registry mirror configurations to be mutable for BR
---
 .../kubeadm/api/v1beta1/kubeadm_control_plane_webhook.go | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook.go b/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook.go
index d206fbc19394..87b401070cb8 100644
--- a/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook.go
+++ b/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook.go
@@ -160,6 +160,7 @@ func (in *KubeadmControlPlane) ValidateUpdate(old runtime.Object) error {
 {spec, kubeadmConfigSpec, clusterConfiguration, controllerManager, "*"},
 {spec, kubeadmConfigSpec, clusterConfiguration, scheduler},
 {spec, kubeadmConfigSpec, clusterConfiguration, scheduler, "*"},
+ {spec, kubeadmConfigSpec, clusterConfiguration, "registryMirror", "*"},
 {spec, kubeadmConfigSpec, initConfiguration, nodeRegistration},
 {spec, kubeadmConfigSpec, initConfiguration, nodeRegistration, "*"},
 {spec, kubeadmConfigSpec, initConfiguration, patches, directory},
@@ -174,6 +175,7 @@ func (in *KubeadmControlPlane) ValidateUpdate(old runtime.Object) error {
 {spec, kubeadmConfigSpec, joinConfiguration, "bottlerocketControl", "*"},
 {spec, kubeadmConfigSpec, joinConfiguration, "bottlerocketCustomBootstrapContainers"},
 {spec, kubeadmConfigSpec, joinConfiguration, "bottlerocketSettings", "*"},
+ {spec, kubeadmConfigSpec, joinConfiguration, "registryMirror", "*"},
 {spec, kubeadmConfigSpec, preKubeadmCommands},
 {spec, kubeadmConfigSpec, postKubeadmCommands},
 {spec, kubeadmConfigSpec, files},
From ad0bfad5b6a42047f761afc693770d6088c70506 Mon Sep 17 00:00:00 2001
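Review bot: The two allow-list entries added to ValidateUpdate (`clusterConfiguration, "registryMirror", "*"` in the first hunk and the matching `joinConfiguration` entry in the second) make the mirror endpoint and its CA certificate editable on an existing control plane, and nothing in either hunk validates the new values. These fields decide which registry the nodes pull images from and which CA they trust for it, so the update path should at least check their shape, for example that the endpoint parses as a URL and the CA cert is PEM. If that check already exists outside the hunks, a comment above the entries would record it, e.g. `// registryMirror is mutable; endpoint and caCert are validated in <validation function>`. The subject says the change is for Bottlerocket, but the entries as written appear to apply to every bootstrap format. ValidateUpdate starts and ends outside both hunks, so how `"*"` is matched is not visible here.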
From: Cavaughn Browne
Date: Wed, 19 Jul 2023 23:31:32 -0500
Subject: [PATCH 2/2] add unit test for registry mirror in allow list
---
 .../kubeadm_control_plane_webhook_test.go | 45 +++++++++++++++++++
 1 file changed, 45 insertions(+)
diff --git a/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook_test.go b/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook_test.go
index 38caa9e1ef6e..45eb1976eb65 100644
--- a/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook_test.go
+++ b/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook_test.go
@@ -302,6 +302,10 @@ func TestKubeadmControlPlaneValidateUpdate(t *testing.T) {
 ImageTag: "1.6.5",
 },
 },
+ RegistryMirror: bootstrapv1.RegistryMirrorConfiguration{
+ Endpoint: "https://1.1.1.1:1111",
+ CACert: "test-cert",
+ },
 },
 JoinConfiguration: &bootstrapv1.JoinConfiguration{
 Discovery: bootstrapv1.Discovery{
@@ -312,6 +316,10 @@ func TestKubeadmControlPlaneValidateUpdate(t *testing.T) {
 NodeRegistration: bootstrapv1.NodeRegistrationOptions{
 Name: "test",
 },
+ RegistryMirror: bootstrapv1.RegistryMirrorConfiguration{
+ Endpoint: "https://1.1.1.1:1111",
+ CACert: "test-cert",
+ },
 },
 PreKubeadmCommands: []string{
 "test", "foo",
@@ -699,6 +707,18 @@ func TestKubeadmControlPlaneValidateUpdate(t *testing.T) {
 {"/var/lib/testdir", "/var/lib/etcd/data"},
 }
+ validUpdateClusterConfigRegistryMirrorCACert := before.DeepCopy()
+ validUpdateClusterConfigRegistryMirrorCACert.Spec.KubeadmConfigSpec.ClusterConfiguration.RegistryMirror.CACert = "foo:bar"
+
+ validUpdateJoinConfigRegistryMirrorCACert := before.DeepCopy()
+ validUpdateJoinConfigRegistryMirrorCACert.Spec.KubeadmConfigSpec.JoinConfiguration.RegistryMirror.CACert = "foo:bar"
+
+ validUpdateClusterConfigRegistryMirrorEndpoint := before.DeepCopy()
+ validUpdateClusterConfigRegistryMirrorEndpoint.Spec.KubeadmConfigSpec.ClusterConfiguration.RegistryMirror.Endpoint = "https://0.0.0.0:6443"
+
+ validUpdateJoinConfigRegistryMirrorEndpoint := before.DeepCopy()
+ validUpdateJoinConfigRegistryMirrorEndpoint.Spec.KubeadmConfigSpec.JoinConfiguration.RegistryMirror.Endpoint = "https://0.0.0.0:6443"
+
 tests := []struct {
 name string
 enableIgnitionFeature bool
@@ -1104,6 +1124,31 @@ func TestKubeadmControlPlaneValidateUpdate(t *testing.T) {
 before: before,
 kcp: validUpdateJoinConfBRCustomBootstrapContainers,
 },
+ {
+ name: "should allow changes to join configuration registry mirror caCert",
+ expectErr: false,
+ before: before,
+ kcp: validUpdateJoinConfigRegistryMirrorCACert,
+ },
+ {
+ name: "should allow changes to join configuration registry mirror endpoint",
+ expectErr: false,
+ before: before,
+ kcp: validUpdateJoinConfigRegistryMirrorEndpoint,
+ },
+ {
+ name: "should allow changes to cluster configuration registry mirror caCert",
+ expectErr: false,
+ before: before,
+ kcp: validUpdateClusterConfigRegistryMirrorCACert,
+ },
+
+ {
+ name: "should allow changes to cluster configuration registry mirror endpoint",
+ expectErr: false,
+ before: before,
+ kcp: validUpdateClusterConfigRegistryMirrorEndpoint,
+ },
 }
 for _, tt := range tests {
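Review bot: All four cases added in the last hunk set `expectErr: false`, and the values they switch to in the previous hunk (`CACert = "foo:bar"`, `Endpoint = "https://0.0.0.0:6443"`) are arbitrary strings, so the test pins that the webhook accepts any value for the mirror's CA and endpoint. If value validation is intended on update, add a rejecting case next to these, e.g. `name: "should reject a malformed registry mirror endpoint", expectErr: true,`. If it is not, a one-line comment such as `// registry mirror values are not validated by the webhook, only their mutability` would record that this is deliberate. There is also a stray blank line before the last added case that the neighbouring cases do not have. The test table starts and ends outside the hunk.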