author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-12-10 00:09:43 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-12-10 00:09:43 +0300 |
commit | 03d56c8af04d2982aff573b78f08192b07107c5b (patch) | |
tree | 6c9d2a9ffe63565d074a41397f06be0d22f9a8f4 /spec/services/clusters | |
parent | 9b09561f47159655d05171b4bee980c669859864 (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'spec/services/clusters')
-rw-r--r-- | spec/services/clusters/aws/fetch_credentials_service_spec.rb | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/spec/services/clusters/aws/fetch_credentials_service_spec.rb b/spec/services/clusters/aws/fetch_credentials_service_spec.rb
index 4b9458d277b..0358ca1f535 100644
--- a/spec/services/clusters/aws/fetch_credentials_service_spec.rb
+++ b/spec/services/clusters/aws/fetch_credentials_service_spec.rb
@@ -81,5 +81,59 @@ RSpec.describe Clusters::Aws::FetchCredentialsService do
 expect { subject }.to raise_error(described_class::MissingRoleError, 'AWS provisioning role not configured')
 end
 end
+
+ context 'with an instance profile attached to an IAM role' do
+ let(:sts_client) { Aws::STS::Client.new(region: region, stub_responses: true) }
+ let(:provision_role) { create(:aws_role, user: user, region: 'custom-region') }
+
+ before do
+ stub_application_setting(eks_access_key_id: nil)
+ stub_application_setting(eks_secret_access_key: nil)
+
+ expect(Aws::STS::Client).to receive(:new)
+ .with(region: region)
+ .and_return(sts_client)
+
+ expect(Aws::AssumeRoleCredentials).to receive(:new)
+ .with(
+ client: sts_client,
+ role_arn: provision_role.role_arn,
+ role_session_name: session_name,
+ external_id: provision_role.role_external_id,
+ policy: session_policy
+ ).and_call_original
+ end
+
+ context 'provider is specified' do
+ let(:region) { provider.region }
+ let(:session_name) { "gitlab-eks-cluster-#{provider.cluster_id}-user-#{user.id}" }
+ let(:session_policy) { nil }
+
+ it 'returns credentials', :aggregate_failures do
+ expect(subject.access_key_id).to be_present
+ expect(subject.secret_access_key).to be_present
+ expect(subject.session_token).to be_present
+ end
+ end
+
+ context 'provider is not specifed' do
+ let(:provider) { nil }
+ let(:region) { provision_role.region }
+ let(:session_name) { "gitlab-eks-autofill-user-#{user.id}" }
+ let(:session_policy) { 'policy-document' }
+
+ before do
+ stub_file_read(Rails.root.join('vendor', 'aws', 'iam', 'eks_cluster_read_only_policy.json'), content: session_policy)
+ end
+
+ subject { described_class.new(provision_role, provider: provider).execute }
+
+ it 'returns credentials', :aggregate_failures do
+ expect(subject.access_key_id).to be_present
+ expect(subject.secret_access_key).to be_present
+ expect(subject.session_token).to be_present
+ end
+ end
+ end
 end
 end |
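Review bot: The `expect(...).to receive(:new).with(...)` calls sit in the `before` hook of the new instance-profile context, so the checks that matter most here (that `external_id` and the session `policy` reach `Aws::AssumeRoleCredentials`) are never named by an example, and the three `be_present` assertions would presumably pass on the stubbed STS response alone. Consider `allow(Aws::AssumeRoleCredentials).to receive(:new).and_call_original` in the hook, plus an example that calls `subject` and then asserts `expect(Aws::AssumeRoleCredentials).to have_received(:new).with(hash_including(external_id: provision_role.role_external_id, policy: session_policy))`. The second context title has a typo: `'provider is not specifed'` should read `'provider is not specified'`. The enclosing `RSpec.describe` block and the outer `subject`, `provider` and `user` definitions lie outside the hunk.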