Don't validate software/profile labels in dry run mode

[sgress454]

For #28154

This PR fixes a bug where GitOps dry runs would fail when software installers or profiles referenced labels that were created in the same run. The issue is that GitOps utilizes the real APIs for batch software/profile creation for validation, sending a dryRun flag to prevent those APIs from actually writing data. In dry run mode, no labels are actually created, so validation checks for "don't use labels that don't exist" will always fail when new labels are referenced. Recent updates to GitOps have given it the ability to validate the labels itself, removing the need to use the API for this check.

I added a new test for this in the mdm profiles tests. The test suite for software installers is a little more challenging to update for this case, and since it's not a happy path test I'm not prioritizing it, but will try to add one time permitting.

[sgress454]

payload.ValidatedLabels is a pointer, and there's nil checks for it, so it's ok if this isn't populated in dry run mode.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 63.99%. Comparing base (229b51f) to head (32b26ed).
Report is 69 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #28201      +/-   ##
==========================================
+ Coverage   63.97%   63.99%   +0.02%     
==========================================
  Files        1779     1780       +1     
  Lines      170499   170731     +232     
  Branches     4952     4952              
==========================================
+ Hits       109078   109261     +183     
- Misses      52830    52855      +25     
- Partials     8591     8615      +24     

Flag	Coverage Δ
backend	65.04% <100.00%> (+0.02%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sgress454]

this mock just spit out IDs for any label you asked for; adding a carveout for the "baddy" label so we can test what happens when an unknown label is supplied when adding a profile

[sgress454]

this and the above are just formatting changes from prettier

[lucasmrod]

Could fleetctl gitops verify with other API calls if new labels referenced in installers/profiles are actually being created on the same run?

Missing changes/ file :)

[sgress454]

Could fleetctl gitops verify with other API calls if new labels referenced in installers/profiles are actually being created on the same run?

The issue affects dry-run only, because the labels aren't actually created in the run (nothing is created, because it's a dry run). But fleetctl gitops always validates that any referenced labels will exist, either by pulling the existing labels from the API or by seeing which labels are set in the YAML file. The failed runs are passing the validation inside fleetctl gitops, which knows that the labels will exist, but failing the validation in the API which doesn't have that information. We already have a bunch of dryRun carveouts in these files (e.g.

fleet/server/service/client.go

Lines 2145 to 2155 in 11e8ed2

	if config.Policies[i].InstallSoftware.AppStoreID != "" {
	softwareTitleID, ok := softwareTitleIDsByAppStoreAppID[config.Policies[i].InstallSoftware.AppStoreID]
	if !ok {
	// Should not happen because app store apps are uploaded first.
	if !dryRun {
	logFn("[!] software app store app ID without software title ID: %s\n", config.Policies[i].InstallSoftware.AppStoreID)
	}
	continue
	}
	config.Policies[i].SoftwareTitleID = &softwareTitleID
	}

), I just didn't realize it was a thing when implementing the labels-via-gitops feature.

[sgress454]

Missing changes/ file :)

Thanks, updated!