changes for V0.38.5 (#902)

* configurable tls cipher suites (#882)

* probably hoists the satoken manager high in the stack so that it never leaks again

cmd/controller/main.go

@@ -26,6 +26,8 @@ func main() {
 	flag.BoolVar(&ctrlOpts.EnablePprof, "dangerous-enable-pprof", false, "If set to true, enable pprof on "+PprofListenAddr)
 	flag.DurationVar(&ctrlOpts.APIRequestTimeout, "api-request-timeout", time.Duration(0), "HTTP timeout for Kubernetes API requests")
 	flag.BoolVar(&ctrlOpts.APIPriorityAndFairness, "enable-api-priority-and-fairness", true, "Enable/disable APIPriorityAndFairness feature gate for apiserver. Recommended to disable for <= k8s 1.19.")
+	flag.BoolVar(&ctrlOpts.StartAPIServer, "start-api-server", true, "Start apiserver")
+	flag.StringVar(&ctrlOpts.TLSCipherSuites, "tls-cipher-suites", "", "comma separated list of acceptable cipher suites. Empty list will use defaults from underlying libraries.")
 	flag.Parse()
 
 	log := zap.New(zap.UseDevMode(false)).WithName("kc")

cmd/controller/run.go

@@ -10,6 +10,7 @@ import (
 	_ "net/http/pprof" // Pprof related
 	"os"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/go-logr/logr"
@@ -23,9 +24,11 @@ import (
 	pkginstall "github.com/vmware-tanzu/carvel-kapp-controller/pkg/packageinstall"
 	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/pkgrepository"
 	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/reftracker"
+	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/satoken"
 	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/sidecarexec"
 	"k8s.io/client-go/kubernetes"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp" // Initialize gcp client auth plugin
+	"k8s.io/component-base/cli/flag"
 	"sigs.k8s.io/controller-runtime/pkg/client/config"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
@@ -46,6 +49,8 @@ type Options struct {
 	PackagingGloablNS      string
 	MetricsBindAddress     string
 	APIPriorityAndFairness bool
+	StartAPIServer         bool
+	TLSCipherSuites        string
 }
 
 // Based on https://github.com/kubernetes-sigs/controller-runtime/blob/8f633b179e1c704a6e40440b528252f147a3362a/examples/builtins/main.go
@@ -110,16 +115,22 @@ func Run(opts Options, runLog logr.Logger) error {
 	if err != nil {
 		return fmt.Errorf("Building pkg kappctrl client: %s", err)
 	}
+
+	cSuites, err := parseTLSCipherSuites(opts.TLSCipherSuites)
+	if err != nil {
+		return err
+	}
+
 	server, err := apiserver.NewAPIServer(pkgRestConfig, coreClient, pkgKcClient, apiserver.NewAPIServerOpts{
 		GlobalNamespace:              opts.PackagingGloablNS,
 		BindPort:                     bindPort,
 		EnableAPIPriorityAndFairness: opts.APIPriorityAndFairness,
 		Logger:                       runLog.WithName("apiserver"),
+		TLSCipherSuites:              cSuites,
 	})
 	if err != nil {
 		return fmt.Errorf("Building API server: %s", err)
 	}
-
 	err = server.Run()
 	if err != nil {
 		return fmt.Errorf("Starting API server: %s", err)
@@ -164,14 +175,16 @@ func Run(opts Options, runLog logr.Logger) error {
 
 	refTracker := reftracker.NewAppRefTracker()
 	updateStatusTracker := reftracker.NewAppUpdateStatus()
+	tokenMan := satoken.NewManager(coreClient, runLog.WithName("saTokenManager"))
 
 	{ // add controller for apps
 		appFactory := app.CRDAppFactory{
-			CoreClient: coreClient,
-			AppClient:  kcClient,
-			KcConfig:   kcConfig,
-			AppMetrics: appMetrics,
-			CmdRunner:  sidecarCmdExec,
+			CoreClient:   coreClient,
+			AppClient:    kcClient,
+			KcConfig:     kcConfig,
+			AppMetrics:   appMetrics,
+			CmdRunner:    sidecarCmdExec,
+			TokenManager: tokenMan,
 		}
 		reconciler := app.NewReconciler(kcClient, runLog.WithName("app"),
 			appFactory, refTracker, updateStatusTracker)
@@ -215,7 +228,7 @@ func Run(opts Options, runLog logr.Logger) error {
 	}
 
 	{ // add controller for pkgrepositories
-		appFactory := pkgrepository.AppFactory{coreClient, kcClient, kcConfig, sidecarCmdExec}
+		appFactory := pkgrepository.AppFactory{coreClient, kcClient, kcConfig, sidecarCmdExec, tokenMan}
 
 		reconciler := pkgrepository.NewReconciler(kcClient, coreClient,
 			runLog.WithName("pkgr"), appFactory, refTracker, updateStatusTracker)
@@ -253,3 +266,20 @@ func Run(opts Options, runLog logr.Logger) error {
 
 	return nil
 }
+
+// parseTLSCipherSuites tries to validate and return the user-input ciphers or returns a default list
+// implementation largely stolen from: https://github.com/antrea-io/antrea/blob/25ff93d8987c6b9e3a2062254da6d7d70c623410/pkg/util/cipher/cipher.go#L32
+func parseTLSCipherSuites(opts string) ([]string, error) {
+	csStrList := strings.Split(strings.ReplaceAll(opts, " ", ""), ",")
+	if len(csStrList) == 1 && csStrList[0] == "" {
+		return nil, nil
+	}
+
+	// check to make sure they all parse - this just a fail-fast
+	_, err := flag.TLSCipherSuites(csStrList)
+	if err != nil {
+		return nil, fmt.Errorf("unable to parse TLSCipherSuites: %s", err)
+	}
+
+	return csStrList, nil
+}

config/deployment.yml

@@ -27,6 +27,7 @@ spec:
         #@ if/end data.values.dangerous_enable_pprof:
         - -dangerous-enable-pprof=true
         - #@ "-enable-api-priority-and-fairness={}".format(data.values.enable_api_priority_and_fairness)
+        - #@ "-tls-cipher-suites={}".format(data.values.tls_cipher_suites)
         env:
         - name: KAPPCTRL_MEM_TMP_DIR
           value: /etc/kappctrl-mem-tmp

config/values.yml

@@ -9,6 +9,9 @@ enable_api_priority_and_fairness: true
 
 dangerous_enable_pprof: false
 
+#! comma separated list of cipher suites - empty for language defaults
+tls_cipher_suites: ""
+
 push_images: false
 image_cache: true
 image_repo: docker.io/k14stest/kapp-controller-test

go.mod

@@ -34,6 +34,7 @@ require (
 	github.com/go-logr/logr v0.4.0
 	github.com/spf13/cobra v1.2.1
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
+	k8s.io/component-base v0.22.10
 	k8s.io/klog/v2 v2.9.0
 	k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9
 )
@@ -117,7 +118,6 @@ require (
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	k8s.io/apiextensions-apiserver v0.22.2 // indirect
-	k8s.io/component-base v0.22.10 // indirect
 	k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.30 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect

pkg/apiserver/apiserver.go

@@ -85,6 +85,15 @@ type NewAPIServerOpts struct {
 	// v1.19 and earlier clusters - our libraries use the beta version of those APIs but they used to be alpha.
 	EnableAPIPriorityAndFairness bool
 
+	// TLSCipherSuites is the list of cipher suites the api server will be willing to use. Empty list defaults to the underlying
+	// libraries' defaults, which is usually fine especially if you don't expose the APIServer outside the cluster.
+	// see also: https://golang.org/pkg/crypto/tls/#pkg-constants
+	// According to Antrea, who we mostly copied:
+	// Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
+	// prefer TLS1.3 Cipher Suites whenever possible.
+	TLSCipherSuites []string
+
+	// Logger is a logger
 	Logger logr.Logger
 }
 
@@ -162,6 +171,7 @@ func newServerConfig(aggClient aggregatorclient.Interface, opts NewAPIServerOpts
 	// Set the PairName and CertDirectory to generate the certificate files.
 	recommendedOptions.SecureServing.ServerCert.CertDirectory = selfSignedCertDir
 	recommendedOptions.SecureServing.ServerCert.PairName = "kapp-controller"
+	recommendedOptions.SecureServing.CipherSuites = opts.TLSCipherSuites
 
 	// ports below 1024 are probably the wrong port, see https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#Well-known_ports
 	if opts.BindPort < 1024 {

pkg/app/app_factory.go

@@ -12,6 +12,7 @@ import (
 	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/exec"
 	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/fetch"
 	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/metrics"
+	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/satoken"
 	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/template"
 	vendirconf "github.com/vmware-tanzu/carvel-vendir/pkg/vendir/config"
 	"k8s.io/client-go/kubernetes"
@@ -26,6 +27,7 @@ type CRDAppFactory struct {
 	VendirConfigHook func(vendirconf.Config) vendirconf.Config
 	KbldAllowBuild   bool
 	CmdRunner        exec.CmdRunner
+	TokenManager     *satoken.Manager
 }
 
 // NewCRDApp creates a CRDApp injecting necessary dependencies.
@@ -36,6 +38,6 @@ func (f *CRDAppFactory) NewCRDApp(app *kcv1alpha1.App, log logr.Logger) *CRDApp
 	}
 	fetchFactory := fetch.NewFactory(f.CoreClient, vendirOpts, f.CmdRunner)
 	templateFactory := template.NewFactory(f.CoreClient, fetchFactory, f.KbldAllowBuild, f.CmdRunner)
-	deployFactory := deploy.NewFactory(f.CoreClient, f.KcConfig, f.CmdRunner, log)
+	deployFactory := deploy.NewFactory(f.CoreClient, f.KcConfig, f.CmdRunner, log, f.TokenManager)
 	return NewCRDApp(app, log, f.AppMetrics, f.AppClient, fetchFactory, templateFactory, deployFactory)
 }

pkg/app/app_reconcile_test.go

@@ -15,6 +15,7 @@ import (
 	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/exec"
 	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/fetch"
 	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/metrics"
+	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/satoken"
 	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/template"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -44,7 +45,7 @@ func Test_NoInspectReconcile_IfNoDeployAttempted(t *testing.T) {
 	kappcs := fake.NewSimpleClientset()
 	fetchFac := fetch.NewFactory(k8scs, fetch.VendirOpts{}, exec.NewPlainCmdRunner())
 	tmpFac := template.NewFactory(k8scs, fetchFac, false, exec.NewPlainCmdRunner())
-	deployFac := deploy.NewFactory(k8scs, nil, exec.NewPlainCmdRunner(), log)
+	deployFac := deploy.NewFactory(k8scs, nil, exec.NewPlainCmdRunner(), log, satoken.NewManager(k8scs, log))
 
 	crdApp := NewCRDApp(&app, log, appMetrics, kappcs, fetchFac, tmpFac, deployFac)
 	_, err := crdApp.Reconcile(false)
@@ -110,7 +111,7 @@ func Test_NoInspectReconcile_IfInspectNotEnabled(t *testing.T) {
 	kappcs := fake.NewSimpleClientset()
 	fetchFac := fetch.NewFactory(k8scs, fetch.VendirOpts{}, exec.NewPlainCmdRunner())
 	tmpFac := template.NewFactory(k8scs, fetchFac, false, exec.NewPlainCmdRunner())
-	deployFac := deploy.NewFactory(k8scs, nil, exec.NewPlainCmdRunner(), log)
+	deployFac := deploy.NewFactory(k8scs, nil, exec.NewPlainCmdRunner(), log, satoken.NewManager(k8scs, log))
 
 	crdApp := NewCRDApp(&app, log, appMetrics, kappcs, fetchFac, tmpFac, deployFac)
 	_, err := crdApp.Reconcile(false)
@@ -181,7 +182,7 @@ func Test_TemplateError_DisplayedInStatus_UsefulErrorMessageProperty(t *testing.
 	kappcs := fake.NewSimpleClientset()
 	fetchFac := fetch.NewFactory(k8scs, fetch.VendirOpts{}, exec.NewPlainCmdRunner())
 	tmpFac := template.NewFactory(k8scs, fetchFac, false, exec.NewPlainCmdRunner())
-	deployFac := deploy.NewFactory(k8scs, nil, exec.NewPlainCmdRunner(), log)
+	deployFac := deploy.NewFactory(k8scs, nil, exec.NewPlainCmdRunner(), log, satoken.NewManager(k8scs, log))
 
 	crdApp := NewCRDApp(&app, log, appMetrics, kappcs, fetchFac, tmpFac, deployFac)
 	_, err := crdApp.Reconcile(false)

pkg/app/app_test.go

@@ -14,6 +14,7 @@ import (
 	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/exec"
 	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/fetch"
 	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/reftracker"
+	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/satoken"
 	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/template"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	k8sfake "k8s.io/client-go/kubernetes/fake"
@@ -59,7 +60,7 @@ func Test_SecretRefs_RetrievesAllSecretRefs(t *testing.T) {
 	k8scs := k8sfake.NewSimpleClientset()
 	fetchFac := fetch.NewFactory(k8scs, fetch.VendirOpts{}, exec.NewPlainCmdRunner())
 	tmpFac := template.NewFactory(k8scs, fetchFac, false, exec.NewPlainCmdRunner())
-	deployFac := deploy.NewFactory(k8scs, nil, exec.NewPlainCmdRunner(), log)
+	deployFac := deploy.NewFactory(k8scs, nil, exec.NewPlainCmdRunner(), log, satoken.NewManager(k8scs, log))
 
 	app := apppkg.NewApp(appWithRefs, apppkg.Hooks{}, fetchFac, tmpFac, deployFac, log, nil)
 
@@ -83,7 +84,7 @@ func Test_SecretRefs_RetrievesNoSecretRefs_WhenNonePresent(t *testing.T) {
 	k8scs := k8sfake.NewSimpleClientset()
 	fetchFac := fetch.NewFactory(k8scs, fetch.VendirOpts{}, exec.NewPlainCmdRunner())
 	tmpFac := template.NewFactory(k8scs, fetchFac, false, exec.NewPlainCmdRunner())
-	deployFac := deploy.NewFactory(k8scs, nil, exec.NewPlainCmdRunner(), log)
+	deployFac := deploy.NewFactory(k8scs, nil, exec.NewPlainCmdRunner(), log, satoken.NewManager(k8scs, log))
 
 	app := apppkg.NewApp(appEmpty, apppkg.Hooks{}, fetchFac, tmpFac, deployFac, log, nil)
 
@@ -121,7 +122,7 @@ func Test_ConfigMapRefs_RetrievesAllConfigMapRefs(t *testing.T) {
 	k8scs := k8sfake.NewSimpleClientset()
 	fetchFac := fetch.NewFactory(k8scs, fetch.VendirOpts{}, exec.NewPlainCmdRunner())
 	tmpFac := template.NewFactory(k8scs, fetchFac, false, exec.NewPlainCmdRunner())
-	deployFac := deploy.NewFactory(k8scs, nil, exec.NewPlainCmdRunner(), log)
+	deployFac := deploy.NewFactory(k8scs, nil, exec.NewPlainCmdRunner(), log, satoken.NewManager(k8scs, log))
 
 	app := apppkg.NewApp(appWithRefs, apppkg.Hooks{}, fetchFac, tmpFac, deployFac, log, nil)
 
@@ -145,7 +146,7 @@ func Test_ConfigMapRefs_RetrievesNoConfigMapRefs_WhenNonePresent(t *testing.T) {
 	k8scs := k8sfake.NewSimpleClientset()
 	fetchFac := fetch.NewFactory(k8scs, fetch.VendirOpts{}, exec.NewPlainCmdRunner())
 	tmpFac := template.NewFactory(k8scs, fetchFac, false, exec.NewPlainCmdRunner())
-	deployFac := deploy.NewFactory(k8scs, nil, exec.NewPlainCmdRunner(), log)
+	deployFac := deploy.NewFactory(k8scs, nil, exec.NewPlainCmdRunner(), log, satoken.NewManager(k8scs, log))
 
 	app := apppkg.NewApp(appEmpty, apppkg.Hooks{}, fetchFac, tmpFac, deployFac, log, nil)
 

pkg/deploy/factory.go

@@ -9,6 +9,7 @@ import (
 	"github.com/go-logr/logr"
 	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/apis/kappctrl/v1alpha1"
 	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/exec"
+	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/satoken"
 	"k8s.io/client-go/kubernetes"
 )
 
@@ -32,10 +33,10 @@ type KappConfiguration interface {
 
 // NewFactory returns deploy factory.
 func NewFactory(coreClient kubernetes.Interface,
-	kappConfig KappConfiguration, cmdRunner exec.CmdRunner, log logr.Logger) Factory {
+	kappConfig KappConfiguration, cmdRunner exec.CmdRunner, log logr.Logger, tokenMan *satoken.Manager) Factory {
 
 	return Factory{coreClient, kappConfig,
-		NewKubeconfigSecrets(coreClient), NewServiceAccounts(coreClient, log), cmdRunner}
+		NewKubeconfigSecrets(coreClient), NewServiceAccounts(coreClient, log, tokenMan), cmdRunner}
 }
 
 func (f Factory) NewKapp(opts v1alpha1.AppDeployKapp, saName string,

pkg/deploy/service_accounts.go

@@ -27,9 +27,8 @@ type ServiceAccounts struct {
 }
 
 // NewServiceAccounts provides access to the ServiceAccount Resource in kubernetes
-func NewServiceAccounts(coreClient kubernetes.Interface, log logr.Logger) *ServiceAccounts {
-	tokenMgr := satoken.NewManager(coreClient, log)
-	return &ServiceAccounts{coreClient: coreClient, log: log, tokenManager: tokenMgr}
+func NewServiceAccounts(coreClient kubernetes.Interface, log logr.Logger, tokenMan *satoken.Manager) *ServiceAccounts {
+	return &ServiceAccounts{coreClient: coreClient, log: log, tokenManager: tokenMan}
 }
 
 func (s *ServiceAccounts) Find(genericOpts GenericOpts, saName string) (ProcessedGenericOpts, error) {

pkg/pkgrepository/app_factory.go

@@ -12,22 +12,24 @@ import (
 	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/deploy"
 	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/exec"
 	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/fetch"
+	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/satoken"
 	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/template"
 	"k8s.io/client-go/kubernetes"
 )
 
 // AppFactory allows to create "hidden" Apps for reconciling PackageRepositories.
 type AppFactory struct {
-	CoreClient kubernetes.Interface
-	AppClient  kcclient.Interface
-	KcConfig   *config.Config
-	CmdRunner  exec.CmdRunner
+	CoreClient   kubernetes.Interface
+	AppClient    kcclient.Interface
+	KcConfig     *config.Config
+	CmdRunner    exec.CmdRunner
+	TokenManager *satoken.Manager
 }
 
 // NewCRDPackageRepo constructs "hidden" App to reconcile PackageRepository.
 func (f *AppFactory) NewCRDPackageRepo(app *kcv1alpha1.App, pkgr *pkgv1alpha1.PackageRepository, log logr.Logger) *CRDApp {
 	fetchFactory := fetch.NewFactory(f.CoreClient, fetch.VendirOpts{SkipTLSConfig: f.KcConfig}, f.CmdRunner)
 	templateFactory := template.NewFactory(f.CoreClient, fetchFactory, false, f.CmdRunner)
-	deployFactory := deploy.NewFactory(f.CoreClient, nil, f.CmdRunner, log)
+	deployFactory := deploy.NewFactory(f.CoreClient, nil, f.CmdRunner, log, f.TokenManager)
 	return NewCRDApp(app, pkgr, log, f.AppClient, fetchFactory, templateFactory, deployFactory)
 }

pkg/pkgrepository/app_reconcile_test.go

@@ -14,6 +14,7 @@ import (
 	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/deploy"
 	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/exec"
 	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/fetch"
+	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/satoken"
 	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/template"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -41,7 +42,7 @@ func Test_NoInspectReconcile_IfNoDeployAttempted(t *testing.T) {
 	kappcs := fake.NewSimpleClientset()
 	fetchFac := fetch.NewFactory(k8scs, fetch.VendirOpts{}, exec.NewPlainCmdRunner())
 	tmpFac := template.NewFactory(k8scs, fetchFac, false, exec.NewPlainCmdRunner())
-	deployFac := deploy.NewFactory(k8scs, nil, exec.NewPlainCmdRunner(), log)
+	deployFac := deploy.NewFactory(k8scs, nil, exec.NewPlainCmdRunner(), log, satoken.NewManager(k8scs, log))
 	pkgr := v1alpha12.PackageRepository{}
 
 	crdApp := NewCRDApp(&app, &pkgr, log, kappcs, fetchFac, tmpFac, deployFac)
@@ -100,7 +101,7 @@ func Test_TemplateError_DisplayedInStatus_UsefulErrorMessageProperty(t *testing.
 	kappcs := fake.NewSimpleClientset()
 	fetchFac := fetch.NewFactory(k8scs, fetch.VendirOpts{}, exec.NewPlainCmdRunner())
 	tmpFac := template.NewFactory(k8scs, fetchFac, false, exec.NewPlainCmdRunner())
-	deployFac := deploy.NewFactory(k8scs, nil, exec.NewPlainCmdRunner(), log)
+	deployFac := deploy.NewFactory(k8scs, nil, exec.NewPlainCmdRunner(), log, satoken.NewManager(k8scs, log))
 	pkgr := v1alpha12.PackageRepository{}
 
 	crdApp := NewCRDApp(&app, &pkgr, log, kappcs, fetchFac, tmpFac, deployFac)

pkg/pkgrepository/app_test.go

@@ -13,6 +13,7 @@ import (
 	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/exec"
 	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/fetch"
 	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/reftracker"
+	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/satoken"
 	"github.com/vmware-tanzu/carvel-kapp-controller/pkg/template"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	k8sfake "k8s.io/client-go/kubernetes/fake"
@@ -48,7 +49,7 @@ func Test_SecretRefs_RetrievesAllSecretRefs(t *testing.T) {
 	k8scs := k8sfake.NewSimpleClientset()
 	fetchFac := fetch.NewFactory(k8scs, fetch.VendirOpts{}, exec.NewPlainCmdRunner())
 	tmpFac := template.NewFactory(k8scs, fetchFac, false, exec.NewPlainCmdRunner())
-	deployFac := deploy.NewFactory(k8scs, nil, exec.NewPlainCmdRunner(), log)
+	deployFac := deploy.NewFactory(k8scs, nil, exec.NewPlainCmdRunner(), log, satoken.NewManager(k8scs, log))
 
 	app := apppkg.NewApp(appWithRefs, apppkg.Hooks{}, fetchFac, tmpFac, deployFac, log, nil)
 
@@ -74,7 +75,7 @@ func Test_SecretRefs_RetrievesNoSecretRefs_WhenNonePresent(t *testing.T) {
 	k8scs := k8sfake.NewSimpleClientset()
 	fetchFac := fetch.NewFactory(k8scs, fetch.VendirOpts{}, exec.NewPlainCmdRunner())
 	tmpFac := template.NewFactory(k8scs, fetchFac, false, exec.NewPlainCmdRunner())
-	deployFac := deploy.NewFactory(k8scs, nil, exec.NewPlainCmdRunner(), log)
+	deployFac := deploy.NewFactory(k8scs, nil, exec.NewPlainCmdRunner(), log, satoken.NewManager(k8scs, log))
 
 	app := apppkg.NewApp(appEmpty, apppkg.Hooks{}, fetchFac, tmpFac, deployFac, log, nil)