Use separate Kubernetes namespaces per environment

Kubernetes deployments on new clusters will now have
a separate namespace per project environment, instead
of sharing a single namespace for the project.

Behaviour of existing clusters is unchanged.

All new functionality is controlled by the
:kubernetes_namespace_per_environment feature flag,
which is safe to enable/disable at any time.

3 files changed, 84 insertions, 9 deletions

diff --git a/lib/gitlab/ci/build/prerequisite/kubernetes_namespace.rb b/lib/gitlab/ci/build/prerequisite/kubernetes_namespace.rb
index e6e0aaab60b..6ab4fca3854 100644
--- a/lib/gitlab/ci/build/prerequisite/kubernetes_namespace.rb
+++ b/lib/gitlab/ci/build/prerequisite/kubernetes_namespace.rb
@@ -8,31 +8,51 @@ module Gitlab
           def unmet?
             deployment_cluster.present? &&
               deployment_cluster.managed? &&
-              (kubernetes_namespace.new_record? || kubernetes_namespace.service_account_token.blank?)
+              missing_namespace?
           end
 
           def complete!
             return unless unmet?
 
-            create_or_update_namespace
+            create_namespace
           end
 
           private
 
+          def missing_namespace?
+            kubernetes_namespace.nil? || kubernetes_namespace.service_account_token.blank?
+          end
+
           def deployment_cluster
             build.deployment&.cluster
           end
 
+          def environment
+            build.deployment.environment
+          end
+
           def kubernetes_namespace
             strong_memoize(:kubernetes_namespace) do
-              deployment_cluster.find_or_initialize_kubernetes_namespace_for_project(build.project)
+              Clusters::KubernetesNamespaceFinder.new(
+                deployment_cluster,
+                project: environment.project,
+                environment_slug: environment.slug,
+                allow_blank_token: true
+              ).execute
             end
           end
 
-          def create_or_update_namespace
+          def create_namespace
             Clusters::Gcp::Kubernetes::CreateOrUpdateNamespaceService.new(
               cluster: deployment_cluster,
-              kubernetes_namespace: kubernetes_namespace
+              kubernetes_namespace: kubernetes_namespace || build_namespace_record
+            ).execute
+          end
+
+          def build_namespace_record
+            Clusters::BuildKubernetesNamespaceService.new(
+              deployment_cluster,
+              environment: environment
             ).execute
           end
         end
diff --git a/lib/gitlab/kubernetes/default_namespace.rb b/lib/gitlab/kubernetes/default_namespace.rb
new file mode 100644
index 00000000000..c95362b024b
--- /dev/null
+++ b/lib/gitlab/kubernetes/default_namespace.rb
@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module Kubernetes
+    class DefaultNamespace
+      attr_reader :cluster, :project
+
+      delegate :platform_kubernetes, to: :cluster
+
+      ##
+      # Ideally we would just use an environment record here instead of
+      # passing a project and name/slug separately, but we need to be able
+      # to look up namespaces before the environment has been persisted.
+      def initialize(cluster, project:)
+        @cluster = cluster
+        @project = project
+      end
+
+      def from_environment_name(name)
+        from_environment_slug(generate_slug(name))
+      end
+
+      def from_environment_slug(slug)
+        default_platform_namespace(slug) || default_project_namespace(slug)
+      end
+
+      private
+
+      def default_platform_namespace(slug)
+        return unless platform_kubernetes&.namespace.present?
+
+        if cluster.managed? && cluster.namespace_per_environment?
+          "#{platform_kubernetes.namespace}-#{slug}"
+        else
+          platform_kubernetes.namespace
+        end
+      end
+
+      def default_project_namespace(slug)
+        namespace_slug = "#{project.path}-#{project.id}".downcase
+
+        if cluster.namespace_per_environment?
+          namespace_slug += "-#{slug}"
+        end
+
+        Gitlab::NamespaceSanitizer.sanitize(namespace_slug)
+      end
+
+      ##
+      # Environment slug can be predicted given an environment
+      # name, so even if the environment isn't persisted yet we
+      # still know what to look for.
+      def generate_slug(name)
+        Gitlab::Slug::Environment.new(name).generate
+      end
+    end
+  end
+end
diff --git a/lib/gitlab/prometheus/query_variables.rb b/lib/gitlab/prometheus/query_variables.rb
index 9cc21129547..ba2d33ee1c1 100644
--- a/lib/gitlab/prometheus/query_variables.rb
+++ b/lib/gitlab/prometheus/query_variables.rb
@@ -4,12 +4,9 @@ module Gitlab
   module Prometheus
     module QueryVariables
       def self.call(environment)
-        deployment_platform = environment.deployment_platform
-        namespace = deployment_platform&.kubernetes_namespace_for(environment.project) || ''
-
         {
           ci_environment_slug: environment.slug,
-          kube_namespace: namespace,
+          kube_namespace: environment.deployment_namespace || '',
           environment_filter: %{container_name!="POD",environment="#{environment.slug}"}
         }
       end