4 files changed, 53 insertions, 11 deletions
diff --git a/app/services/clusters/gcp/finalize_creation_service.rb b/app/services/clusters/gcp/finalize_creation_service.rb
index 91e49b8394a..40103d8e213 100644
--- a/app/services/clusters/gcp/finalize_creation_service.rb
+++ b/app/services/clusters/gcp/finalize_creation_service.rb
@@ -47,7 +47,9 @@ module Clusters
 end
 def request_kubernetes_token
- Clusters::Gcp::Kubernetes::FetchKubernetesTokenService.new(kube_client).execute
+ service_account_name = rbac_clusters_feature_enabled? ? Clusters::Gcp::Kubernetes::SERVICE_ACCOUNT_NAME : 'default'
+
+ Clusters::Gcp::Kubernetes::FetchKubernetesTokenService.new(kube_client, service_account_name).execute
 end
 def authorization_type
diff --git a/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb b/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb
index 5b47c0883cb..c16ce451aaf 100644
--- a/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb
+++ b/app/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service.rb
@@ -4,10 +4,11 @@ module Clusters
 module Gcp
 module Kubernetes
 class FetchKubernetesTokenService
- attr_reader :kubeclient
+ attr_reader :kubeclient, :service_account_name
- def initialize(kubeclient)
+ def initialize(kubeclient, service_account_name)
 @kubeclient = kubeclient
+ @service_account_name = service_account_name
 end
 def execute
@@ -25,7 +26,7 @@ module Clusters
 private
 def token_regex
- /#{SERVICE_ACCOUNT_NAME}-token/
+ /#{service_account_name}-token/
 end
 def read_secrets
diff --git a/spec/services/clusters/gcp/finalize_creation_service_spec.rb b/spec/services/clusters/gcp/finalize_creation_service_spec.rb
index eede10b55c6..278ba795042 100644
--- a/spec/services/clusters/gcp/finalize_creation_service_spec.rb
+++ b/spec/services/clusters/gcp/finalize_creation_service_spec.rb
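Review bot: In `request_kubernetes_token` the fallback account is a bare `'default'` string while the RBAC account comes from the `SERVICE_ACCOUNT_NAME` constant, and nothing on the line records why the `default` account's token is the one stored when `rbac_clusters` is off. A comment above the ternary would state the intent, for example `# rbac_clusters off: no dedicated service account is used, so read the 'default' account's token`; that wording is inferred from the specs and should be confirmed against the account-creation code, which is outside this hunk. Moving the literal into a named constant beside `SERVICE_ACCOUNT_NAME` would also give the service and the spec fixtures one definition to share.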
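Review bot: `initialize` in fetch_kubernetes_token_service.rb stores `service_account_name` unchecked, and `token_regex` interpolates it directly, so a `nil` or empty name produces `/-token/`, which matches the token secret of every service account. A guard in the constructor closes that off: `raise ArgumentError, 'service_account_name is required' if service_account_name.to_s.empty?`. The class body continues outside the hunk, so whether `execute` validates the name itself is not visible here.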
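Review bot: `token_regex` now builds its pattern from a caller-supplied name, but the pattern is neither escaped nor anchored, so `/default-token/` also matches a secret named `team-default-token-abc` (constructed example), and a `.` in the name would act as a wildcard. If the pattern is matched against secret names in `execute`, which lies outside this hunk, the service can hand back the token of a different service account than the one requested. Suggested line: `/\A#{Regexp.escape(service_account_name)}-token-/`.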
@@ -52,13 +52,14 @@ describe Clusters::Gcp::FinalizeCreationService do end context 'when suceeded to fetch kuberenetes token' do + let(:secret_name) { 'default-token-Y1a' } let(:token) { 'sample-token' } before do stub_kubeclient_get_secrets( api_url, { - metadata_name: 'gitlab-token-Y1a', + metadata_name: secret_name, token: Base64.encode64(token) } ) end @@ -81,6 +82,8 @@ describe Clusters::Gcp::FinalizeCreationService do end context 'rbac_clusters feature enabled' do + let(:secret_name) { 'gitlab-token-Y1a' } + before do stub_feature_flags(rbac_clusters: true) stub_kubeclient_create_service_account(api_url) @@ -106,20 +109,44 @@ describe Clusters::Gcp::FinalizeCreationService do end end - context 'when default-token is not found' do + context 'when no matching token is found' do before do - stub_kubeclient_get_secrets(api_url, metadata_name: 'aaaa') + stub_kubeclient_get_secrets(api_url, metadata_name: 'not-default-not-gitlab') end it_behaves_like 'error' + + context 'rbac_clusters feature enabled' do + before do + stub_feature_flags(rbac_clusters: true) + stub_kubeclient_create_service_account(api_url) + stub_kubeclient_create_cluster_role_binding(api_url) + end + + it_behaves_like 'error' + end end context 'when token is empty' do + let(:secret_name) { 'default-token-123' } + before do - stub_kubeclient_get_secrets(api_url, token: '') + stub_kubeclient_get_secrets(api_url, token: '', metadata_name: secret_name) end it_behaves_like 'error' + + context 'rbac_clusters feature enabled' do + let(:secret_name) { 'gitlab-token-321' } + + before do + stub_feature_flags(rbac_clusters: true) + stub_kubeclient_create_service_account(api_url) + stub_kubeclient_create_cluster_role_binding(api_url) + end + + it_behaves_like 'error' + end end context 'when failed to fetch kuberenetes token' do 
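Review bot: The negative cases added in the `@@ -106,20 +109,44 @@` hunk never offer a secret that belongs to the other account, so the suite still passes if the flag stops selecting the account name. `'not-default-not-gitlab'` contains neither `default-token` nor `gitlab-token`, and the nested RBAC context inherits that same stub. A case with `rbac_clusters` enabled and only `metadata_name: 'default-token-Y1a'` stubbed, expecting `it_behaves_like 'error'`, plus the mirror case with the flag off and only `'gitlab-token-Y1a'`, would pin the selection. The enclosing `describe` block starts and ends outside the hunk.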
@@ -128,6 +155,16 @@ describe Clusters::Gcp::FinalizeCreationService do
 end
 it_behaves_like 'error'
+
+ context 'rbac_clusters feature enabled' do
+ before do
+ stub_feature_flags(rbac_clusters: true)
+ stub_kubeclient_create_service_account(api_url)
+ stub_kubeclient_create_cluster_role_binding(api_url)
+ end
+
+ it_behaves_like 'error'
+ end
 end
 end
diff --git a/spec/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service_spec.rb b/spec/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service_spec.rb
index bd6662d7566..74d58a6d206 100644
--- a/spec/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service_spec.rb
+++ b/spec/services/clusters/gcp/kubernetes/fetch_kubernetes_token_service_spec.rb
@@ -2,11 +2,13 @@ require 'spec_helper'
 describe Clusters::Gcp::Kubernetes::FetchKubernetesTokenService do
 describe '#execute' do
- subject { described_class.new(kubeclient).execute }
+ subject { described_class.new(kubeclient, service_account_name).execute }
+ let(:service_account_name) { 'gitlab-sa' }
 let(:api_url) { 'http://111.111.111.111' }
 let(:username) { 'admin' }
 let(:password) { 'xxx' }
+
 let(:kubeclient) do
 Gitlab::Kubernetes::KubeClient.new(
 api_url,
@@ -44,8 +46,8 @@ describe Clusters::Gcp::Kubernetes::FetchKubernetesTokenService do
 .to receive(:get_secrets).and_return(secrets_json)
 end
- context 'when gitlab-token exists' do
- let(:metadata_name) { 'gitlab-token-123' }
+ context 'when token for service account exists' do
+ let(:metadata_name) { 'gitlab-sa-token-123' }
 it { is_expected.to eq(token) }
 end |
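Review bot: The `before` block added in the `@@ -128,6 +155,16 @@` hunk of finalize_creation_service_spec.rb repeats the same three stubs (`stub_feature_flags(rbac_clusters: true)`, `stub_kubeclient_create_service_account(api_url)`, `stub_kubeclient_create_cluster_role_binding(api_url)`) that the `@@ -106,20 +109,44 @@` hunk already adds twice. Moving them into one `shared_context 'rbac_clusters enabled'` and replacing each copy with `include_context 'rbac_clusters enabled'` would keep the RBAC setup in a single place, so a later change to the stubs cannot leave one error path testing a stale configuration. The surrounding `describe` block is only partly visible in these hunks.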