authorDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2018-12-05 12:13:12 +0300
committerDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2018-12-05 12:13:12 +0300
commita4ff91f794b62b731a4428b41f0f9346a5b9dfa0 (patch)
treeda85956f2f58fce82545a7d0e1a64289e81c620a
parent2cd710732e6b2b6d31b4fd01a6d065c33db066b3 (diff)
parentac5c20bd272ff9001eae5949ca2137abc1011b87 (diff)
Merge branch 'set-kubeconfig-nil-when-token-nil' into 'master'
Make KUBECONFIG nil if KUBE_TOKEN is nil See merge request gitlab-org/gitlab-ce!23414
-rw-r--r--app/models/clusters/kubernetes_namespace.rb4
-rw-r--r--app/models/clusters/platforms/kubernetes.rb4
-rw-r--r--app/models/project_services/kubernetes_service.rb4
-rw-r--r--changelogs/unreleased/set-kubeconfig-nil-when-token-nil.yml5
-rw-r--r--doc/user/project/clusters/index.md24
-rw-r--r--lib/gitlab/kubernetes.rb4
-rw-r--r--spec/lib/gitlab/kubernetes_spec.rb24
7 files changed, 48 insertions, 21 deletions
diff --git a/app/models/clusters/kubernetes_namespace.rb b/app/models/clusters/kubernetes_namespace.rb
index 34f5e38ff79..73da6cb37d7 100644
--- a/app/models/clusters/kubernetes_namespace.rb
+++ b/app/models/clusters/kubernetes_namespace.rb
@@ -33,14 +33,12 @@ module Clusters
end
def predefined_variables
- config = YAML.dump(kubeconfig)
-
Gitlab::Ci::Variables::Collection.new.tap do |variables|
variables
.append(key: 'KUBE_SERVICE_ACCOUNT', value: service_account_name.to_s)
.append(key: 'KUBE_NAMESPACE', value: namespace.to_s)
.append(key: 'KUBE_TOKEN', value: service_account_token.to_s, public: false)
- .append(key: 'KUBECONFIG', value: config, public: false, file: true)
+ .append(key: 'KUBECONFIG', value: kubeconfig, public: false, file: true)
end
end
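Review bot: When no token exists, `KUBECONFIG` now receives nil, but `KUBE_TOKEN` two lines above is still built with `service_account_token.to_s`, so it is passed as an empty string rather than nil. The two credential variables then disagree about whether a token is missing; consider `value: service_account_token` there if the collection accepts nil. How `append` treats a nil `value` combined with `file: true` is not visible in this diff, and the same question applies to the `KUBECONFIG` lines in app/models/clusters/platforms/kubernetes.rb and app/models/project_services/kubernetes_service.rb. Once that is confirmed, a comment such as `# kubeconfig is nil when no token is available` above the append would record the intent. The enclosing class continues outside the hunk.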
diff --git a/app/models/clusters/platforms/kubernetes.rb b/app/models/clusters/platforms/kubernetes.rb
index dc8b52105cc..867f0edcb07 100644
--- a/app/models/clusters/platforms/kubernetes.rb
+++ b/app/models/clusters/platforms/kubernetes.rb
@@ -90,13 +90,11 @@ module Clusters
# Clusters::KubernetesNamespace, so once migration has been completed,
# this 'else' branch will be removed. For more information, please see
# https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22433
- config = YAML.dump(kubeconfig)
-
variables
.append(key: 'KUBE_URL', value: api_url)
.append(key: 'KUBE_TOKEN', value: token, public: false)
.append(key: 'KUBE_NAMESPACE', value: actual_namespace)
- .append(key: 'KUBECONFIG', value: config, public: false, file: true)
+ .append(key: 'KUBECONFIG', value: kubeconfig, public: false, file: true)
end
end
end
diff --git a/app/models/project_services/kubernetes_service.rb b/app/models/project_services/kubernetes_service.rb
index c52a531e5fe..b801fd84a07 100644
--- a/app/models/project_services/kubernetes_service.rb
+++ b/app/models/project_services/kubernetes_service.rb
@@ -110,14 +110,12 @@ class KubernetesService < DeploymentService
# Clusters::Platforms::Kubernetes, it won't be used on this method
# as it's only needed for Clusters::Cluster.
def predefined_variables(project:)
- config = YAML.dump(kubeconfig)
-
Gitlab::Ci::Variables::Collection.new.tap do |variables|
variables
.append(key: 'KUBE_URL', value: api_url)
.append(key: 'KUBE_TOKEN', value: token, public: false)
.append(key: 'KUBE_NAMESPACE', value: actual_namespace)
- .append(key: 'KUBECONFIG', value: config, public: false, file: true)
+ .append(key: 'KUBECONFIG', value: kubeconfig, public: false, file: true)
if ca_pem.present?
variables
diff --git a/changelogs/unreleased/set-kubeconfig-nil-when-token-nil.yml b/changelogs/unreleased/set-kubeconfig-nil-when-token-nil.yml
new file mode 100644
index 00000000000..6eac2a0146c
--- /dev/null
+++ b/changelogs/unreleased/set-kubeconfig-nil-when-token-nil.yml
@@ -0,0 +1,5 @@
+---
+title: Make KUBECONFIG nil if KUBE_TOKEN is nil
+merge_request: 23414
+author:
+type: fixed
diff --git a/doc/user/project/clusters/index.md b/doc/user/project/clusters/index.md
index 79b36e5263e..66ad1843e93 100644
--- a/doc/user/project/clusters/index.md
+++ b/doc/user/project/clusters/index.md
@@ -432,12 +432,34 @@ GitLab CI/CD build environment.
| `KUBE_NAMESPACE` | The Kubernetes namespace is auto-generated if not specified. The default value is `<project_name>-<project_id>`. You can overwrite it to use different one if needed, otherwise the `KUBE_NAMESPACE` variable will receive the default value. |
| `KUBE_CA_PEM_FILE` | Path to a file containing PEM data. Only present if a custom CA bundle was specified. |
| `KUBE_CA_PEM` | (**deprecated**) Raw PEM data. Only if a custom CA bundle was specified. |
-| `KUBECONFIG` | Path to a file containing `kubeconfig` for this deployment. CA bundle would be embedded if specified. |
+| `KUBECONFIG` | Path to a file containing `kubeconfig` for this deployment. CA bundle would be embedded if specified. This config also embeds the same token defined in `KUBE_TOKEN` so you likely will only need this variable. This variable name is also automatically picked up by `kubectl` so you won't actually need to reference it explicitly if using `kubectl`. |
NOTE: **NOTE:**
Prior to GitLab 11.5, `KUBE_TOKEN` was the Kubernetes token of the main
service account of the cluster integration.
+### Troubleshooting missing `KUBECONFIG` or `KUBE_TOKEN`
+
+GitLab will create a new service account specifically for your CI builds. The
+new service account is created when the cluster is added to the project.
+Sometimes there may be errors that cause the service account creation to fail.
+
+In such instances, your build will not be passed the `KUBECONFIG` or
+`KUBE_TOKEN` variables and, if you are using Auto DevOps, your Auto DevOps
+pipelines will no longer trigger a `production` deploy build. You will need to
+check the [logs](../../../administration/logs.md) to debug why the service
+account creation failed.
+
+A common reason for failure is that the token you gave GitLab did not have
+[`cluster-admin`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
+privileges as GitLab expects.
+
+Another common problem for why these variables are not being passed to your
+builds is that they must have a matching
+[`environment:name`](../../../ci/environments.md#defining-environments). If
+your build has no `environment:name` set, it will not be passed the Kubernetes
+credentials.
+
## Enabling or disabling the Kubernetes cluster integration
After you have successfully added your cluster information, you can enable the
diff --git a/lib/gitlab/kubernetes.rb b/lib/gitlab/kubernetes.rb
index 3748fd6b5ef..a9957a85d48 100644
--- a/lib/gitlab/kubernetes.rb
+++ b/lib/gitlab/kubernetes.rb
@@ -85,6 +85,8 @@ module Gitlab
end
def to_kubeconfig(url:, namespace:, token:, ca_pem: nil)
+ return unless token.present?
+
config = {
apiVersion: 'v1',
clusters: [
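Review bot: The new guard `return unless token.present?` returns nil silently, with no log line, although the troubleshooting text added in this commit sends users to the logs when the variables are missing. Because this is the point where credentials are withheld from a build, a comment above the guard would help, e.g. `# Without a token there is nothing to authenticate with; return nil so no kubeconfig file is handed to the job.` The guard checks only `token`, so a blank `url` or `namespace` still produces a config, which may be intended. The method body continues outside the hunk.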
@@ -113,7 +115,7 @@ module Gitlab
kubeconfig_embed_ca_pem(config, ca_pem) if ca_pem
- config.deep_stringify_keys
+ YAML.dump(config.deep_stringify_keys)
end
private
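Review bot: `to_kubeconfig` now returns a YAML String (or nil) where it previously returned a Hash, and nothing on the method documents the new contract. The three callers touched by this commit were updated, but any caller outside this diff that still wraps the result in `YAML.dump` would double-encode it, so the remaining uses are worth checking. A doc comment on the method such as `# Returns the kubeconfig serialized as YAML, or nil when token is blank.` would make this explicit. The method starts in the previous hunk.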
diff --git a/spec/lib/gitlab/kubernetes_spec.rb b/spec/lib/gitlab/kubernetes_spec.rb
index 5c03a2ce7d3..f326d57e9c6 100644
--- a/spec/lib/gitlab/kubernetes_spec.rb
+++ b/spec/lib/gitlab/kubernetes_spec.rb
@@ -48,26 +48,30 @@ describe Gitlab::Kubernetes do
end
describe '#to_kubeconfig' do
+ let(:token) { 'TOKEN' }
+ let(:ca_pem) { 'PEM' }
+
subject do
to_kubeconfig(
url: 'https://kube.domain.com',
namespace: 'NAMESPACE',
- token: 'TOKEN',
- ca_pem: ca_pem)
+ token: token,
+ ca_pem: ca_pem
+ )
end
- context 'when CA PEM is provided' do
- let(:ca_pem) { 'PEM' }
- let(:path) { expand_fixture_path('config/kubeconfig.yml') }
-
- it { is_expected.to eq(YAML.load_file(path)) }
- end
+ it { expect(YAML.safe_load(subject)).to eq(YAML.load_file(expand_fixture_path('config/kubeconfig.yml'))) }
context 'when CA PEM is not provided' do
let(:ca_pem) { nil }
- let(:path) { expand_fixture_path('config/kubeconfig-without-ca.yml') }
- it { is_expected.to eq(YAML.load_file(path)) }
+ it { expect(YAML.safe_load(subject)).to eq(YAML.load_file(expand_fixture_path('config/kubeconfig-without-ca.yml'))) }
+ end
+
+ context 'when token is not provided' do
+ let(:token) { nil }
+
+ it { is_expected.to be_nil }
end
end
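Review bot: The new 'when token is not provided' context exercises only `nil`, while the guard under test is `token.present?`, which also rejects an empty or whitespace-only string. A second context with `let(:token) { '' }` and `it { is_expected.to be_nil }` would pin that behaviour. The diffstat lists no spec changes for the three models that now pass `kubeconfig` straight into the `KUBECONFIG` variable, so the nil path at the variable-collection level appears untested in this commit.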