add chart validation and webhook tests

Signed-off-by: Wei Weng <Wei.Weng@microsoft.com>

Author: Wei Weng

charts/hub-agent/templates/deployment.yaml

@@ -1,3 +1,6 @@
+{{- if and (not .Values.useCertManager) (gt (.Values.replicaCount | int) 1) }}
+{{- fail "ERROR: replicaCount > 1 requires useCertManager=true (self-signed certificates cannot be shared across replicas)" }}
+{{- end }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -86,7 +89,7 @@ spec:
       - name: webhook-cert
         secret:
           secretName: fleet-webhook-server-cert
-          defaultMode: 0644
+          defaultMode: 0400
       {{- end }}
       {{- with .Values.affinity }}
       affinity:

pkg/webhook/webhook.go

@@ -200,7 +200,7 @@ func NewWebhookConfig(mgr manager.Manager, webhookServiceName string, port int32
 		// Use self-signed certificate generation (original flow)
 		caPEM, err = w.genCertificate(certDir)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("failed to generate self-signed certificate: %w", err)
 		}
 	}
 
@@ -694,7 +694,7 @@ func (w *Config) genCertificate(certDir string) ([]byte, error) {
 
 // loadCertManagerCA loads the CA certificate from the mounted cert-manager Secret.
 // When using cert-manager, Kubernetes mounts the Secret as files in the certDir.
-// cert-manager creates: ca.crt, tls.crt, and tls.key
+// cert-manager creates: ca.crt, tls.crt, and tls.key.
 // The tls.crt and tls.key are automatically used by the webhook server.
 // We only need to read ca.crt for the webhook configuration's CABundle.
 func (w *Config) loadCertManagerCA(certDir string) ([]byte, error) {

pkg/webhook/webhook_test.go

@@ -3,6 +3,7 @@ package webhook
 import (
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
@@ -215,3 +216,93 @@ func TestNewWebhookConfig(t *testing.T) {
 		})
 	}
 }
+func TestLoadCertManagerCA_NotFound(t *testing.T) {
+	config := &Config{}
+	_, err := config.loadCertManagerCA("/nonexistent/path")
+	if err == nil {
+		t.Error("Expected error when certificate files don't exist")
+	}
+}
+
+func TestLoadCertManagerCA_EmptyFile(t *testing.T) {
+	dir := t.TempDir()
+	// Create empty files
+	if err := os.WriteFile(filepath.Join(dir, "tls.crt"), []byte{}, 0600); err != nil {
+		t.Fatalf("failed to create empty tls.crt: %v", err)
+	}
+	if err := os.WriteFile(filepath.Join(dir, "ca.crt"), []byte{}, 0600); err != nil {
+		t.Fatalf("failed to create empty ca.crt: %v", err)
+	}
+
+	config := &Config{}
+	_, err := config.loadCertManagerCA(dir)
+	if err == nil {
+		t.Error("Expected error for empty certificate files")
+	}
+	if !strings.Contains(err.Error(), "empty") {
+		t.Errorf("Expected error message to contain 'empty', got: %v", err)
+	}
+}
+
+func TestLoadCertManagerCA_Success(t *testing.T) {
+	t.Run("loads ca.crt successfully", func(t *testing.T) {
+		dir := t.TempDir()
+		caContent := []byte("test-ca-content")
+		if err := os.WriteFile(filepath.Join(dir, "ca.crt"), caContent, 0600); err != nil {
+			t.Fatalf("failed to create ca.crt: %v", err)
+		}
+
+		config := &Config{}
+		result, err := config.loadCertManagerCA(dir)
+		if err != nil {
+			t.Errorf("Unexpected error: %v", err)
+		}
+		if string(result) != string(caContent) {
+			t.Errorf("Expected %s, got %s", caContent, result)
+		}
+	})
+}
+
+func TestNewWebhookConfig_CertManagerNotMounted(t *testing.T) {
+	t.Setenv("POD_NAMESPACE", "test-namespace")
+
+	dir := t.TempDir()
+	// Don't create any certificate files to simulate cert-manager not ready
+
+	_, err := NewWebhookConfig(nil, "test-webhook", 8080, nil, dir, true, true, false, true)
+	if err == nil {
+		t.Error("Expected error when cert-manager certificates not mounted")
+	}
+	if !strings.Contains(err.Error(), "failed to load cert-manager CA certificate") {
+		t.Errorf("Expected error about loading cert-manager CA, got: %v", err)
+	}
+}
+
+func TestNewWebhookConfig_SelfSignedCertError(t *testing.T) {
+	t.Setenv("POD_NAMESPACE", "test-namespace")
+
+	// Use an invalid certDir (read-only location) to force genCertificate to fail
+	invalidCertDir := "/proc/invalid-cert-dir"
+
+	clientConnectionType := options.Service
+	_, err := NewWebhookConfig(
+		nil,
+		"test-service",
+		443,
+		&clientConnectionType,
+		invalidCertDir,
+		false, // enableGuardRail
+		false, // denyModifyMemberClusterLabels
+		false, // enableWorkload
+		false, // useCertManager = false to trigger self-signed path
+	)
+
+	if err == nil {
+		t.Fatal("Expected error when genCertificate fails, got nil")
+	}
+
+	expectedErrMsg := "failed to generate self-signed certificate"
+	if !strings.Contains(err.Error(), expectedErrMsg) {
+		t.Errorf("Expected error to contain '%s', got: %v", expectedErrMsg, err)
+	}
+}