diff options
| author | Thong Kuah <tkuah@gitlab.com> | 2019-06-18 01:54:21 +0300 |
|---|---|---|
| committer | Thong Kuah <tkuah@gitlab.com> | 2019-06-18 01:54:21 +0300 |
| commit | 11810cb2b7185202c5178557ebb6205b27ed4148 (patch) | |
| tree | 6adb0a5756e031fbcc78f0cdc47cd0a8c3832f08 /app | |
| parent | bd228617d84b92d1e58ce9d5f583fb1ae8079f5a (diff) | |
| parent | ddd271b6027b13bca02416ec3dda17d3ec7fd5be (diff) | |
Merge branch '63079-exclude-k8s-namespaces-with-no-service-account-token' into 'master'
Don't use Kubernetes namespaces with no token
See merge request gitlab-org/gitlab-ce!29643
Diffstat (limited to 'app')
| -rw-r--r-- | app/models/clusters/cluster.rb | 25 |
1 files changed, 22 insertions, 3 deletions
diff --git a/app/models/clusters/cluster.rb b/app/models/clusters/cluster.rb index ccc877fb924..0206ce81c5f 100644 --- a/app/models/clusters/cluster.rb +++ b/app/models/clusters/cluster.rb @@ -193,15 +193,34 @@ module Clusters platform_kubernetes.kubeclient if kubernetes? end + ## + # This is subtly different to #find_or_initialize_kubernetes_namespace_for_project + # below because it will ignore any namespaces that have not got a service account + # token. This provides a guarantee that any namespace selected here can be used + # for cluster operations - a namespace needs to have a service account configured + # before it it can be used. + # + # This is used for selecting a namespace to use when querying a cluster, or + # generating variables to pass to CI. def kubernetes_namespace_for(project) - find_or_initialize_kubernetes_namespace_for_project(project).namespace + find_or_initialize_kubernetes_namespace_for_project( + project, scope: kubernetes_namespaces.has_service_account_token + ).namespace end - def find_or_initialize_kubernetes_namespace_for_project(project) + ## + # This is subtly different to #kubernetes_namespace_for because it will include + # namespaces that have yet to receive a service account token. This allows + # the namespace configuration process to be repeatable - if a namespace has + # already been created without a token we don't need to create another + # record entirely, just set the token on the pre-existing namespace. + # + # This is used for configuring cluster namespaces. + def find_or_initialize_kubernetes_namespace_for_project(project, scope: kubernetes_namespaces) attributes = { project: project } attributes[:cluster_project] = cluster_project if project_type? - kubernetes_namespaces.find_or_initialize_by(attributes).tap do |namespace| + scope.find_or_initialize_by(attributes).tap do |namespace| namespace.set_defaults end end |