diff --git a/config/config-defaults-triggers.yaml b/config/config-defaults-triggers.yaml index ff20e2a05..a438cf81f 100644 --- a/config/config-defaults-triggers.yaml +++ b/config/config-defaults-triggers.yaml @@ -40,3 +40,5 @@ data: # default-service-account contains the default service account name # to use for TaskRun and PipelineRun, if none is specified. default-service-account: "default" + default-run-as-user: "65532" + default-run-as-group: "65532" diff --git a/pkg/apis/config/default.go b/pkg/apis/config/default.go index a94632368..7d9e52997 100644 --- a/pkg/apis/config/default.go +++ b/pkg/apis/config/default.go @@ -17,20 +17,28 @@ limitations under the License. package config import ( + "fmt" "os" + "strconv" corev1 "k8s.io/api/core/v1" ) const ( defaultServiceAccountKey = "default-service-account" + defaultRunAsUserKey = "default-run-as-user" + defaultRunAsGroupKey = "default-run-as-group" DefaultServiceAccountValue = "default" + defaultRunAsUserValue = 65532 + defaultRunAsGroupValue = 65532 ) // Defaults holds the default configurations // +k8s:deepcopy-gen=true type Defaults struct { DefaultServiceAccount string + DefaultRunAsUser int64 + DefaultRunAsGroup int64 } // GetDefaultsConfigName returns the name of the configmap containing all 
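Review bot: The new keys `default-run-as-user` and `default-run-as-group` are added without the kind of explanatory comment that `default-service-account` has just above them, so an operator editing this ConfigMap cannot tell what they control or what an empty value does. I would add `# default-run-as-user and default-run-as-group are the UID and GID set in the EventListener container's securityContext.` above them. The comment should also say how an empty string is treated, because the parser in pkg/apis/config/default.go maps it to 0.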
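Review bot: `defaultRunAsUserValue` and `defaultRunAsGroupValue` in the const block carry the bare number 65532 with no explanation, and this commit removes the only comment that explained it from resources/container.go. Move that comment here, `// 65532 is the distroless nonroot user ID`, above the two constants. The new exported fields `DefaultRunAsUser` and `DefaultRunAsGroup` on `Defaults` would also benefit from a one-line comment each, saying they hold the UID/GID applied to the EventListener container.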
@@ -52,19 +60,47 @@ func (cfg *Defaults) Equals(other *Defaults) bool { return false } - return other.DefaultServiceAccount == cfg.DefaultServiceAccount + return other.DefaultServiceAccount == cfg.DefaultServiceAccount && + other.DefaultRunAsUser == cfg.DefaultRunAsUser && + other.DefaultRunAsGroup == cfg.DefaultRunAsGroup } // NewDefaultsFromMap returns a Config given a map corresponding to a ConfigMap func NewDefaultsFromMap(cfgMap map[string]string) (*Defaults, error) { tc := Defaults{ DefaultServiceAccount: DefaultServiceAccountValue, + DefaultRunAsUser: defaultRunAsUserValue, + DefaultRunAsGroup: defaultRunAsGroupValue, } if defaultServiceAccount, ok := cfgMap[defaultServiceAccountKey]; ok { tc.DefaultServiceAccount = defaultServiceAccount } + if defaultRunAsUser, ok := cfgMap[defaultRunAsUserKey]; ok { + if defaultRunAsUser == "" { + tc.DefaultRunAsUser = 0 + } else { + runAsUser, err := strconv.ParseInt(defaultRunAsUser, 10, 0) + if err != nil { + return nil, fmt.Errorf("failed parsing runAsUser config %q", defaultRunAsUser) + } + tc.DefaultRunAsUser = runAsUser + } + } + + if defaultRunAsGroup, ok := cfgMap[defaultRunAsGroupKey]; ok { + if defaultRunAsGroup == "" { + tc.DefaultRunAsGroup = 0 + } else { + runAsGroup, err := strconv.ParseInt(defaultRunAsGroup, 10, 0) + if err != nil { + return nil, fmt.Errorf("failed parsing runAsUser config %q", defaultRunAsGroup) + } + tc.DefaultRunAsGroup = runAsGroup + } + } + return &tc, nil } diff --git a/pkg/apis/config/default_test.go b/pkg/apis/config/default_test.go index a2ef60239..8cd9e4c8d 100644 --- a/pkg/apis/config/default_test.go +++ b/pkg/apis/config/default_test.go @@ -36,6 +36,8 @@ func TestNewDefaultsFromConfigMap(t *testing.T) { { expectedConfig: &config.Defaults{ DefaultServiceAccount: "default", + DefaultRunAsUser: 65532, + DefaultRunAsGroup: 65532, }, fileName: config.GetDefaultsConfigName(), }, 
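Review bot: In `NewDefaultsFromMap` an empty `default-run-as-user` or `default-run-as-group` is stored as 0, which is the root UID/GID, so the value cannot express "leave unset" and resources/container.go will write `RunAsUser: 0` into the container. With the hardened context that sits next to `RunAsNonRoot: true`, a contradictory spec a kubelet would be expected to refuse, and with the security context switched off it appears to request root outright. If empty is meant to mean "do not set", the field needs a representation other than 0 (a pointer or a separate flag); please confirm the intent. The group branch also names the wrong key and both branches drop the parse error: `return nil, fmt.Errorf("failed parsing runAsGroup config %q: %w", defaultRunAsGroup, err)`. Negative values pass `ParseInt` as well, so a `< 0` check here would reject them at config load rather than at pod creation.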
@@ -54,10 +56,22 @@ func TestNewDefaultsFromEmptyConfigMap(t *testing.T) { DefaultsConfigEmptyName := "config-defaults-empty" expectedConfig := &config.Defaults{ DefaultServiceAccount: "default", + DefaultRunAsUser: 65532, + DefaultRunAsGroup: 65532, } verifyConfigFileWithExpectedConfig(t, DefaultsConfigEmptyName, expectedConfig) } +func TestNewDefaultsFromConfigMapWithEmptyVal(t *testing.T) { + DefaultsConfigEmptyVal := "config-defaults-triggers-empty-val" + expectedConfig := &config.Defaults{ + DefaultServiceAccount: "default", + DefaultRunAsUser: 0, + DefaultRunAsGroup: 0, + } + verifyConfigFileWithExpectedConfig(t, DefaultsConfigEmptyVal, expectedConfig) +} + func TestEquals(t *testing.T) { testCases := []struct { name string diff --git a/pkg/apis/config/testdata/config-defaults-empty.yaml b/pkg/apis/config/testdata/config-defaults-empty.yaml index 99f34e691..bf7faf39f 100644 --- a/pkg/apis/config/testdata/config-defaults-empty.yaml +++ b/pkg/apis/config/testdata/config-defaults-empty.yaml @@ -37,3 +37,5 @@ data: # default-timeout-minutes contains the default number of # minutes to use for TaskRun, if none is specified. default-service-accounts: "default" + default-run-as-user: "65532" + default-run-as-group: "65532" diff --git a/pkg/apis/config/testdata/config-defaults-triggers-empty-val.yaml b/pkg/apis/config/testdata/config-defaults-triggers-empty-val.yaml new file mode 100644 index 000000000..185e5e0c0 --- /dev/null +++ b/pkg/apis/config/testdata/config-defaults-triggers-empty-val.yaml 
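Review bot: `TestNewDefaultsFromConfigMapWithEmptyVal` only pins the empty-string case, and nothing exercises the `strconv.ParseInt` failure branch that `NewDefaultsFromMap` gained, so the new error return is untested. A case that loads a fixture with a non-numeric value (constructed example: `default-run-as-user: "abc"`) and asserts a non-nil error would cover it. The test also fixes `0` as the expected result for an empty value, so a short comment stating that this mapping is intended would help the next reader.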
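Review bot: Adding explicit `default-run-as-user` and `default-run-as-group` values to this fixture means `TestNewDefaultsFromEmptyConfigMap` no longer checks the compiled-in fallback for the two new fields; it reads 65532 from the file instead. The fixture appears to exercise the defaults by using a key the parser does not recognise (`default-service-accounts`). I would leave the two new lines out so the absent-key path for `DefaultRunAsUser` and `DefaultRunAsGroup` stays covered.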
@@ -0,0 +1,23 @@ +# Copyright 2021 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-defaults-triggers + namespace: tekton-pipelines +data: + default-service-account: "default" + default-run-as-user: "" + default-run-as-group: "" diff --git a/pkg/apis/config/testdata/config-defaults-triggers.yaml b/pkg/apis/config/testdata/config-defaults-triggers.yaml index 5a046d36c..fbe85cd59 100644 --- a/pkg/apis/config/testdata/config-defaults-triggers.yaml +++ b/pkg/apis/config/testdata/config-defaults-triggers.yaml @@ -19,3 +19,5 @@ metadata: namespace: tekton-pipelines data: default-service-account: "default" + default-run-as-user: "65532" + default-run-as-group: "65532" diff --git a/pkg/reconciler/eventlistener/eventlistener.go b/pkg/reconciler/eventlistener/eventlistener.go index 2a71ee445..34d1dbecf 100644 --- a/pkg/reconciler/eventlistener/eventlistener.go +++ b/pkg/reconciler/eventlistener/eventlistener.go @@ -23,6 +23,7 @@ import ( "strings" "sync" + "github.com/tektoncd/triggers/pkg/apis/config" "github.com/tektoncd/triggers/pkg/apis/triggers/contexts" "github.com/tektoncd/triggers/pkg/apis/triggers/v1beta1" triggersclientset "github.com/tektoncd/triggers/pkg/client/clientset/versioned" 
@@ -108,10 +109,12 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, el *v1beta1.EventListene // and may not have had all of the assumed default specified. el.SetDefaults(contexts.WithUpgradeViaDefaulting(ctx)) + cfg := config.FromContextOrDefaults(ctx) + if el.Spec.Resources.CustomResource != nil { - return r.reconcileCustomObject(ctx, el) + return r.reconcileCustomObject(ctx, el, cfg) } - deploymentReconcileError := r.reconcileDeployment(ctx, el) + deploymentReconcileError := r.reconcileDeployment(ctx, el, cfg) serviceReconcileError := r.reconcileService(ctx, el) if el.Spec.Resources.CustomResource == nil { el.Status.SetReadyCondition() @@ -184,8 +187,8 @@ func (r *Reconciler) reconcileService(ctx context.Context, el *v1beta1.EventList return nil } -func (r *Reconciler) reconcileDeployment(ctx context.Context, el *v1beta1.EventListener) error { - deployment, err := resources.MakeDeployment(ctx, el, r.configAcc, r.config) +func (r *Reconciler) reconcileDeployment(ctx context.Context, el *v1beta1.EventListener, cfg *config.Config) error { + deployment, err := resources.MakeDeployment(ctx, el, r.configAcc, r.config, cfg) if err != nil { logging.FromContext(ctx).Error(err) return err @@ -247,8 +250,8 @@ func (r *Reconciler) reconcileDeployment(ctx context.Context, el *v1beta1.EventL return nil } -func (r *Reconciler) reconcileCustomObject(ctx context.Context, el *v1beta1.EventListener) error { - data, err := resources.MakeCustomObject(ctx, el, r.configAcc, r.config) +func (r *Reconciler) reconcileCustomObject(ctx context.Context, el *v1beta1.EventListener, cfg *config.Config) error { + data, err := resources.MakeCustomObject(ctx, el, r.configAcc, r.config, cfg) if err != nil { logging.FromContext(ctx).Errorf("unable to construct custom object", err) return err diff --git a/pkg/reconciler/eventlistener/eventlistener_test.go b/pkg/reconciler/eventlistener/eventlistener_test.go index 51bc9ba89..3c50f26ba 100644 
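Review bot: In `reconcileCustomObject`, the context line right after the changed `MakeCustomObject` call passes `err` to `Errorf` with a format string that has no verb, so, assuming this is a printf-style logger, the error is not rendered cleanly in the log. Since the adjacent line is being changed anyway, fix it to `logging.FromContext(ctx).Errorf("unable to construct custom object: %v", err)`. The function body continues outside the hunk.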
--- a/pkg/reconciler/eventlistener/eventlistener_test.go +++ b/pkg/reconciler/eventlistener/eventlistener_test.go @@ -593,6 +593,10 @@ func TestReconcile(t *testing.T) { c.SetSecurityContext = ptr.Bool(false) }) + configWithSetSecurityContext := resources.MakeConfig(func(c *resources.Config) { + c.SetSecurityContext = ptr.Bool(true) + }) + configWithSetEventListenerEventEnable := resources.MakeConfig(func(c *resources.Config) { c.SetEventListenerEvent = ptr.String("enable") }) @@ -889,7 +893,28 @@ func TestReconcile(t *testing.T) { deploymentMissingSecurityContext := makeDeployment(func(d *appsv1.Deployment) { d.Spec.Template.Spec.SecurityContext = &corev1.PodSecurityContext{} - d.Spec.Template.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{} + d.Spec.Template.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{ + RunAsUser: ptr.Int64(65532), + RunAsGroup: ptr.Int64(65532), + } + }) + + deploymentWithSecurityContext := makeDeployment(func(d *appsv1.Deployment) { + d.Spec.Template.Spec.SecurityContext = &corev1.PodSecurityContext{ + RunAsNonRoot: ptr.Bool(true), + } + d.Spec.Template.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{ + AllowPrivilegeEscalation: ptr.Bool(false), + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + RunAsUser: ptr.Int64(65532), + RunAsGroup: ptr.Int64(65532), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + } }) deploymentEventListenerEvent := makeDeployment(func(d *appsv1.Deployment) { 
@@ -1332,12 +1357,13 @@ func TestReconcile(t *testing.T) { Services: []*corev1.Service{elServiceWithTLSConnection}, }, }, { - name: "eventlistener with security context", - key: reconcileKey, + name: "eventlistener with security context", + key: reconcileKey, + config: configWithSetSecurityContext, startResources: test.Resources{ Namespaces: []*corev1.Namespace{namespaceResource}, EventListeners: []*v1beta1.EventListener{elWithStatus}, - Deployments: []*appsv1.Deployment{deploymentMissingSecurityContext}, + Deployments: []*appsv1.Deployment{deploymentWithSecurityContext}, }, endResources: test.Resources{ Namespaces: []*corev1.Namespace{namespaceResource}, diff --git a/pkg/reconciler/eventlistener/resources/container.go b/pkg/reconciler/eventlistener/resources/container.go index 7c50ac1ed..72ce5bdef 100644 --- a/pkg/reconciler/eventlistener/resources/container.go +++ b/pkg/reconciler/eventlistener/resources/container.go @@ -19,6 +19,7 @@ package resources import ( "strconv" + "github.com/tektoncd/triggers/pkg/apis/config" "github.com/tektoncd/triggers/pkg/apis/triggers" "github.com/tektoncd/triggers/pkg/apis/triggers/v1beta1" corev1 "k8s.io/api/core/v1" @@ -28,7 +29,7 @@ import ( type ContainerOption func(*corev1.Container) -func MakeContainer(el *v1beta1.EventListener, configAcc reconcilersource.ConfigAccessor, c Config, opts ...ContainerOption) corev1.Container { +func MakeContainer(el *v1beta1.EventListener, configAcc reconcilersource.ConfigAccessor, c Config, cfg *config.Config, opts ...ContainerOption) corev1.Container { isMultiNS := false if len(el.Spec.NamespaceSelector.MatchNames) != 0 { isMultiNS = true 
@@ -56,9 +57,6 @@ func MakeContainer(el *v1beta1.EventListener, configAcc reconcilersource.ConfigA Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{"ALL"}, }, - // 65532 is the distroless nonroot user ID - RunAsUser: ptr.Int64(65532), - RunAsGroup: ptr.Int64(65532), RunAsNonRoot: ptr.Bool(true), SeccompProfile: &corev1.SeccompProfile{ Type: corev1.SeccompProfileTypeRuntimeDefault, @@ -66,6 +64,9 @@ func MakeContainer(el *v1beta1.EventListener, configAcc reconcilersource.ConfigA } } + containerSecurityContext.RunAsUser = ptr.Int64(cfg.Defaults.DefaultRunAsUser) + containerSecurityContext.RunAsGroup = ptr.Int64(cfg.Defaults.DefaultRunAsGroup) + container := corev1.Container{ Name: "event-listener", Image: *c.Image, diff --git a/pkg/reconciler/eventlistener/resources/container_test.go b/pkg/reconciler/eventlistener/resources/container_test.go index cec763610..3eb0ea1a8 100644 --- a/pkg/reconciler/eventlistener/resources/container_test.go +++ b/pkg/reconciler/eventlistener/resources/container_test.go @@ -17,10 +17,12 @@ limitations under the License. package resources import ( + "context" "strconv" "testing" "github.com/google/go-cmp/cmp" + cfg "github.com/tektoncd/triggers/pkg/apis/config" "github.com/tektoncd/triggers/pkg/apis/triggers" "github.com/tektoncd/triggers/pkg/apis/triggers/v1beta1" corev1 "k8s.io/api/core/v1" @@ -35,6 +37,7 @@ func TestContainer(t *testing.T) { tests := []struct { name string el *v1beta1.EventListener + cm cfg.Config want corev1.Container opts []ContainerOption }{{ 
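Review bot: `RunAsUser` and `RunAsGroup` are now assigned after the closing braces of the block that builds the hardened security context, so they appear to be applied unconditionally; before this change they were set only inside that literal. The updated `deploymentMissingSecurityContext` fixture in eventlistener_test.go is consistent with that reading: it has an otherwise empty container security context that still expects `RunAsUser: 65532`. If the opt-out is meant to leave UID/GID selection to the platform, keep `containerSecurityContext.RunAsUser = ptr.Int64(cfg.Defaults.DefaultRunAsUser)` and its `RunAsGroup` sibling inside the conditional. The opening of that conditional is outside the hunk, so confirm against the full function.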
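Review bot: The `cm cfg.Config` field added to the `TestContainer` table is not read in the visible hunks: the loop in the later hunk (at -480) always calls `MakeContainer` with `cfg.FromContextOrDefaults(context.Background())`. As a result no table case can supply a non-default UID/GID, and the container tests only ever see 65532. Either pass the table's value into the call and add a case with a different UID/GID, or remove the unused field.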
@@ -480,7 +483,7 @@ func TestContainer(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - got := MakeContainer(tt.el, &reconcilersource.EmptyVarsGenerator{}, config, tt.opts...) + got := MakeContainer(tt.el, &reconcilersource.EmptyVarsGenerator{}, config, cfg.FromContextOrDefaults(context.Background()), tt.opts...) if diff := cmp.Diff(tt.want, got); diff != "" { t.Errorf("MakeContainer() did not return expected. -want, +got: %s", diff) } diff --git a/pkg/reconciler/eventlistener/resources/custom.go b/pkg/reconciler/eventlistener/resources/custom.go index 41fceb886..d7053f034 100644 --- a/pkg/reconciler/eventlistener/resources/custom.go +++ b/pkg/reconciler/eventlistener/resources/custom.go @@ -23,6 +23,7 @@ import ( "os" "reflect" + "github.com/tektoncd/triggers/pkg/apis/config" "github.com/tektoncd/triggers/pkg/apis/triggers/v1beta1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -32,7 +33,7 @@ import ( "knative.dev/pkg/kmeta" ) -func MakeCustomObject(ctx context.Context, el *v1beta1.EventListener, configAcc reconcilersource.ConfigAccessor, c Config) (*unstructured.Unstructured, error) { +func MakeCustomObject(ctx context.Context, el *v1beta1.EventListener, configAcc reconcilersource.ConfigAccessor, c Config, cfg *config.Config) (*unstructured.Unstructured, error) { original := &duckv1.WithPod{} decoder := json.NewDecoder(bytes.NewBuffer(el.Spec.Resources.CustomResource.Raw)) if err := decoder.Decode(&original); err != nil { @@ -47,7 +48,7 @@ func MakeCustomObject(ctx context.Context, el *v1beta1.EventListener, configAcc namespace = el.GetNamespace() } - container := MakeContainer(el, configAcc, c, func(c *corev1.Container) { + container := MakeContainer(el, configAcc, c, cfg, func(c *corev1.Container) { // handle env and resources for custom object if len(original.Spec.Template.Spec.Containers) == 1 { c.Env = append(c.Env, original.Spec.Template.Spec.Containers[0].Env...) 
diff --git a/pkg/reconciler/eventlistener/resources/custom_test.go b/pkg/reconciler/eventlistener/resources/custom_test.go index af24b250b..1f5477da2 100644 --- a/pkg/reconciler/eventlistener/resources/custom_test.go +++ b/pkg/reconciler/eventlistener/resources/custom_test.go @@ -22,6 +22,7 @@ import ( "testing" "github.com/google/go-cmp/cmp" + cfg "github.com/tektoncd/triggers/pkg/apis/config" "github.com/tektoncd/triggers/pkg/apis/triggers/v1beta1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" @@ -448,7 +449,8 @@ func TestCustomObject(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - got, err := MakeCustomObject(context.Background(), tt.el, &reconcilersource.EmptyVarsGenerator{}, config) + got, err := MakeCustomObject(context.Background(), tt.el, &reconcilersource.EmptyVarsGenerator{}, config, + cfg.FromContextOrDefaults(context.Background())) if err != nil { t.Fatalf("MakeCustomObject() = %v", err) } @@ -471,7 +473,7 @@ func TestCustomObjectError(t *testing.T) { Raw: []byte(`garbage`), }, } - }), &reconcilersource.EmptyVarsGenerator{}, config) + }), &reconcilersource.EmptyVarsGenerator{}, config, cfg.FromContextOrDefaults(context.Background())) if err == nil { t.Fatalf("MakeCustomObject() = %v, wanted error", got) } diff --git a/pkg/reconciler/eventlistener/resources/deployment.go b/pkg/reconciler/eventlistener/resources/deployment.go index aac8aeafa..dbe89b8db 100644 --- a/pkg/reconciler/eventlistener/resources/deployment.go +++ b/pkg/reconciler/eventlistener/resources/deployment.go @@ -21,6 +21,7 @@ import ( "os" "strconv" + "github.com/tektoncd/triggers/pkg/apis/config" "github.com/tektoncd/triggers/pkg/apis/triggers/v1beta1" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" 
@@ -41,14 +42,12 @@ var ( } ) -func MakeDeployment(ctx context.Context, el *v1beta1.EventListener, configAcc reconcilersource.ConfigAccessor, c Config) (*appsv1.Deployment, error) { - +func MakeDeployment(ctx context.Context, el *v1beta1.EventListener, configAcc reconcilersource.ConfigAccessor, c Config, cfg *config.Config) (*appsv1.Deployment, error) { opt, err := addDeploymentBits(el, c) if err != nil { return nil, err } - - container := MakeContainer(el, configAcc, c, opt, addCertsForSecureConnection(c)) + container := MakeContainer(el, configAcc, c, cfg, opt, addCertsForSecureConnection(c)) filteredLabels := FilterLabels(ctx, el.Labels) diff --git a/pkg/reconciler/eventlistener/resources/deployment_test.go b/pkg/reconciler/eventlistener/resources/deployment_test.go index 5708ccba3..88760a38c 100644 --- a/pkg/reconciler/eventlistener/resources/deployment_test.go +++ b/pkg/reconciler/eventlistener/resources/deployment_test.go @@ -21,6 +21,7 @@ import ( "testing" "github.com/google/go-cmp/cmp" + cfg "github.com/tektoncd/triggers/pkg/apis/config" "github.com/tektoncd/triggers/pkg/apis/triggers/v1beta1" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" @@ -68,7 +69,7 @@ func TestDeployment(t *testing.T) { ServiceAccountName: "sa", Containers: []corev1.Container{ MakeContainer(makeEL(), &reconcilersource.EmptyVarsGenerator{}, config, - mustAddDeployBits(t, makeEL(), config), + cfg.FromContextOrDefaults(context.Background()), mustAddDeployBits(t, makeEL(), config), addCertsForSecureConnection(config)), }, SecurityContext: &strongerSecurityPolicy, @@ -103,7 +104,7 @@ func TestDeployment(t *testing.T) { ServiceAccountName: "sa", Containers: []corev1.Container{ MakeContainer(makeEL(), &reconcilersource.EmptyVarsGenerator{}, config, - mustAddDeployBits(t, makeEL(), config), + cfg.FromContextOrDefaults(context.Background()), mustAddDeployBits(t, makeEL(), config), addCertsForSecureConnection(config)), }, SecurityContext: &strongerSecurityPolicy, 
@@ -146,7 +147,7 @@ func TestDeployment(t *testing.T) { ServiceAccountName: "sa", Containers: []corev1.Container{ MakeContainer(makeEL(), &reconcilersource.EmptyVarsGenerator{}, config, - mustAddDeployBits(t, makeEL(), config), + cfg.FromContextOrDefaults(context.Background()), mustAddDeployBits(t, makeEL(), config), addCertsForSecureConnection(config)), }, SecurityContext: &strongerSecurityPolicy, @@ -192,7 +193,7 @@ func TestDeployment(t *testing.T) { ServiceAccountName: "sa", Containers: []corev1.Container{ MakeContainer(makeEL(), &reconcilersource.EmptyVarsGenerator{}, config, - mustAddDeployBits(t, makeEL(), config), + cfg.FromContextOrDefaults(context.Background()), mustAddDeployBits(t, makeEL(), config), addCertsForSecureConnection(config)), }, SecurityContext: &strongerSecurityPolicy, @@ -235,7 +236,7 @@ func TestDeployment(t *testing.T) { ServiceAccountName: "bob", Containers: []corev1.Container{ MakeContainer(makeEL(), &reconcilersource.EmptyVarsGenerator{}, config, - mustAddDeployBits(t, makeEL(), config), + cfg.FromContextOrDefaults(context.Background()), mustAddDeployBits(t, makeEL(), config), addCertsForSecureConnection(config)), }, SecurityContext: &strongerSecurityPolicy, @@ -265,7 +266,7 @@ func TestDeployment(t *testing.T) { ServiceAccountName: "sa", Containers: []corev1.Container{ MakeContainer(makeEL(withTLSEnvFrom("Bill")), &reconcilersource.EmptyVarsGenerator{}, config, - mustAddDeployBits(t, makeEL(withTLSEnvFrom("Bill")), config), + cfg.FromContextOrDefaults(context.Background()), mustAddDeployBits(t, makeEL(withTLSEnvFrom("Bill")), config), addCertsForSecureConnection(config)), }, Volumes: []corev1.Volume{{ 
@@ -319,7 +320,7 @@ func TestDeployment(t *testing.T) { }}, Containers: []corev1.Container{ MakeContainer(makeEL(), &reconcilersource.EmptyVarsGenerator{}, config, - mustAddDeployBits(t, makeEL(), config), + cfg.FromContextOrDefaults(context.Background()), mustAddDeployBits(t, makeEL(), config), addCertsForSecureConnection(config)), }, SecurityContext: &strongerSecurityPolicy, @@ -349,7 +350,7 @@ func TestDeployment(t *testing.T) { ServiceAccountName: "sa", Containers: []corev1.Container{ MakeContainer(makeEL(setProbes()), &reconcilersource.EmptyVarsGenerator{}, config, - mustAddDeployBits(t, makeEL(setProbes()), config), + cfg.FromContextOrDefaults(context.Background()), mustAddDeployBits(t, makeEL(setProbes()), config), addCertsForSecureConnection(config)), }, SecurityContext: &strongerSecurityPolicy, @@ -361,7 +362,8 @@ func TestDeployment(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - got, err := MakeDeployment(context.Background(), tt.el, &reconcilersource.EmptyVarsGenerator{}, config) + got, err := MakeDeployment(context.Background(), tt.el, &reconcilersource.EmptyVarsGenerator{}, config, + cfg.FromContextOrDefaults(context.Background())) if err != nil { t.Fatalf("MakeDeployment() = %v", err) } @@ -374,7 +376,8 @@ func TestDeployment(t *testing.T) { func TestDeploymentError(t *testing.T) { t.Setenv("METRICS_PROMETHEUS_PORT", "bad") - got, err := MakeDeployment(context.Background(), makeEL(), &reconcilersource.EmptyVarsGenerator{}, *MakeConfig()) + got, err := MakeDeployment(context.Background(), makeEL(), &reconcilersource.EmptyVarsGenerator{}, *MakeConfig(), + cfg.FromContextOrDefaults(context.Background())) if err == nil { t.Fatalf("MakeDeployment() = %v, wanted error", got) }