-rw-r--r-- | app/models/clusters/kubernetes_namespace.rb | 4 | ||||
-rw-r--r-- | app/models/clusters/platforms/kubernetes.rb | 4 | ||||
-rw-r--r-- | app/models/project_services/kubernetes_service.rb | 4 | ||||
-rw-r--r-- | changelogs/unreleased/set-kubeconfig-nil-when-token-nil.yml | 5 | ||||
-rw-r--r-- | doc/user/project/clusters/index.md | 24 | ||||
-rw-r--r-- | lib/gitlab/kubernetes.rb | 4 | ||||
-rw-r--r-- | spec/lib/gitlab/kubernetes_spec.rb | 24 |
7 files changed, 48 insertions, 21 deletions
diff --git a/app/models/clusters/kubernetes_namespace.rb b/app/models/clusters/kubernetes_namespace.rb index 34f5e38ff79..73da6cb37d7 100644 --- a/app/models/clusters/kubernetes_namespace.rb +++ b/app/models/clusters/kubernetes_namespace.rb @@ -33,14 +33,12 @@ module Clusters end def predefined_variables - config = YAML.dump(kubeconfig) - Gitlab::Ci::Variables::Collection.new.tap do |variables| variables .append(key: 'KUBE_SERVICE_ACCOUNT', value: service_account_name.to_s) .append(key: 'KUBE_NAMESPACE', value: namespace.to_s) .append(key: 'KUBE_TOKEN', value: service_account_token.to_s, public: false) - .append(key: 'KUBECONFIG', value: config, public: false, file: true) + .append(key: 'KUBECONFIG', value: kubeconfig, public: false, file: true) end end diff --git a/app/models/clusters/platforms/kubernetes.rb b/app/models/clusters/platforms/kubernetes.rb index dc8b52105cc..867f0edcb07 100644 --- a/app/models/clusters/platforms/kubernetes.rb +++ b/app/models/clusters/platforms/kubernetes.rb @@ -90,13 +90,11 @@ module Clusters # Clusters::KubernetesNamespace, so once migration has been completed, # this 'else' branch will be removed. For more information, please see # https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22433 - config = YAML.dump(kubeconfig) - variables .append(key: 'KUBE_URL', value: api_url) .append(key: 'KUBE_TOKEN', value: token, public: false) .append(key: 'KUBE_NAMESPACE', value: actual_namespace) - .append(key: 'KUBECONFIG', value: config, public: false, file: true) + .append(key: 'KUBECONFIG', value: kubeconfig, public: false, file: true) end end end diff --git a/app/models/project_services/kubernetes_service.rb b/app/models/project_services/kubernetes_service.rb index c52a531e5fe..b801fd84a07 100644 --- a/app/models/project_services/kubernetes_service.rb +++ b/app/models/project_services/kubernetes_service.rb 
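Review bot: The `KUBECONFIG` entry in `predefined_variables` is still appended unconditionally, so when `kubeconfig` is nil (presumably via the new guard in `to_kubeconfig`) the collection receives `value: nil` with `file: true`, while `KUBE_TOKEN` beside it is appended as `service_account_token.to_s`, i.e. an empty string. Whether the variables collection drops such entries is not visible in this hunk, so the documented outcome (the build is passed neither variable) depends on code elsewhere. If it does not filter them, guard the append, e.g. `variables.append(key: 'KUBECONFIG', value: kubeconfig, public: false, file: true) if kubeconfig`, so a job never receives a credentials file variable with nothing behind it. The same applies to the hunks in app/models/clusters/platforms/kubernetes.rb and app/models/project_services/kubernetes_service.rb; the method bodies extend beyond the hunks.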
@@ -110,14 +110,12 @@ class KubernetesService < DeploymentService # Clusters::Platforms::Kubernetes, it won't be used on this method # as it's only needed for Clusters::Cluster. def predefined_variables(project:) - config = YAML.dump(kubeconfig) - Gitlab::Ci::Variables::Collection.new.tap do |variables| variables .append(key: 'KUBE_URL', value: api_url) .append(key: 'KUBE_TOKEN', value: token, public: false) .append(key: 'KUBE_NAMESPACE', value: actual_namespace) - .append(key: 'KUBECONFIG', value: config, public: false, file: true) + .append(key: 'KUBECONFIG', value: kubeconfig, public: false, file: true) if ca_pem.present? variables diff --git a/changelogs/unreleased/set-kubeconfig-nil-when-token-nil.yml b/changelogs/unreleased/set-kubeconfig-nil-when-token-nil.yml new file mode 100644 index 00000000000..6eac2a0146c --- /dev/null +++ b/changelogs/unreleased/set-kubeconfig-nil-when-token-nil.yml @@ -0,0 +1,5 @@ +--- +title: Make KUBECONFIG nil if KUBE_TOKEN is nil +merge_request: 23414 +author: +type: fixed diff --git a/doc/user/project/clusters/index.md b/doc/user/project/clusters/index.md index 79b36e5263e..66ad1843e93 100644 --- a/doc/user/project/clusters/index.md +++ b/doc/user/project/clusters/index.md 
@@ -432,12 +432,34 @@ GitLab CI/CD build environment. | `KUBE_NAMESPACE` | The Kubernetes namespace is auto-generated if not specified. The default value is `<project_name>-<project_id>`. You can overwrite it to use different one if needed, otherwise the `KUBE_NAMESPACE` variable will receive the default value. | | `KUBE_CA_PEM_FILE` | Path to a file containing PEM data. Only present if a custom CA bundle was specified. | | `KUBE_CA_PEM` | (**deprecated**) Raw PEM data. Only if a custom CA bundle was specified. | -| `KUBECONFIG` | Path to a file containing `kubeconfig` for this deployment. CA bundle would be embedded if specified. | +| `KUBECONFIG` | Path to a file containing `kubeconfig` for this deployment. CA bundle would be embedded if specified. This config also embeds the same token defined in `KUBE_TOKEN` so you likely will only need this variable. This variable name is also automatically picked up by `kubectl` so you won't actually need to reference it explicitly if using `kubectl`. | NOTE: **NOTE:** Prior to GitLab 11.5, `KUBE_TOKEN` was the Kubernetes token of the main service account of the cluster integration. +### Troubleshooting missing `KUBECONFIG` or `KUBE_TOKEN` + +GitLab will create a new service account specifically for your CI builds. The +new service account is created when the cluster is added to the project. +Sometimes there may be errors that cause the service account creation to fail. + +In such instances, your build will not be passed the `KUBECONFIG` or +`KUBE_TOKEN` variables and, if you are using Auto DevOps, your Auto DevOps +pipelines will no longer trigger a `production` deploy build. You will need to +check the [logs](../../../administration/logs.md) to debug why the service +account creation failed. + +A common reason for failure is that the token you gave GitLab did not have +[`cluster-admin`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) +privileges as GitLab expects. 
+ +Another common problem for why these variables are not being passed to your +builds is that they must have a matching +[`environment:name`](../../../ci/environments.md#defining-environments). If +your build has no `environment:name` set, it will not be passed the Kubernetes +credentials. + ## Enabling or disabling the Kubernetes cluster integration After you have successfully added your cluster information, you can enable the diff --git a/lib/gitlab/kubernetes.rb b/lib/gitlab/kubernetes.rb index 3748fd6b5ef..a9957a85d48 100644 --- a/lib/gitlab/kubernetes.rb +++ b/lib/gitlab/kubernetes.rb @@ -85,6 +85,8 @@ module Gitlab end def to_kubeconfig(url:, namespace:, token:, ca_pem: nil) + return unless token.present? + config = { apiVersion: 'v1', clusters: [ @@ -113,7 +115,7 @@ module Gitlab kubeconfig_embed_ca_pem(config, ca_pem) if ca_pem - config.deep_stringify_keys + YAML.dump(config.deep_stringify_keys) end private diff --git a/spec/lib/gitlab/kubernetes_spec.rb b/spec/lib/gitlab/kubernetes_spec.rb index 5c03a2ce7d3..f326d57e9c6 100644 --- a/spec/lib/gitlab/kubernetes_spec.rb +++ b/spec/lib/gitlab/kubernetes_spec.rb 
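Review bot: `to_kubeconfig` changes its return contract across these two hunks: it used to return a Hash and now returns a YAML String, or nil when `token` is blank, and nothing on the method says so. A caller outside this diff that still wraps the result in `YAML.dump(...)` would serialise a string or nil into a file that looks valid but is unusable, so the remaining callers are worth checking. I would add a comment above the method such as `# Returns the kubeconfig as a YAML String, or nil when token is blank (no credentials to embed).` Since the documentation hunk states that this config embeds the same token as `KUBE_TOKEN`, the comment could also note that callers must keep the value non-public, as the three `public: false` call sites do. The part of the method body between the two hunks is not visible here.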
@@ -48,26 +48,30 @@ describe Gitlab::Kubernetes do end describe '#to_kubeconfig' do + let(:token) { 'TOKEN' } + let(:ca_pem) { 'PEM' } + subject do to_kubeconfig( url: 'https://kube.domain.com', namespace: 'NAMESPACE', - token: 'TOKEN', - ca_pem: ca_pem) + token: token, + ca_pem: ca_pem + ) end - context 'when CA PEM is provided' do - let(:ca_pem) { 'PEM' } - let(:path) { expand_fixture_path('config/kubeconfig.yml') } - - it { is_expected.to eq(YAML.load_file(path)) } - end + it { expect(YAML.safe_load(subject)).to eq(YAML.load_file(expand_fixture_path('config/kubeconfig.yml'))) } context 'when CA PEM is not provided' do let(:ca_pem) { nil } - let(:path) { expand_fixture_path('config/kubeconfig-without-ca.yml') } - it { is_expected.to eq(YAML.load_file(path)) } + it { expect(YAML.safe_load(subject)).to eq(YAML.load_file(expand_fixture_path('config/kubeconfig-without-ca.yml'))) } + end + + context 'when token is not provided' do + let(:token) { nil } + + it { is_expected.to be_nil } end end |
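Review bot: The new `when token is not provided` context covers only `nil`, but the guard under test is `token.present?`, which also rejects an empty or whitespace-only string. The kubernetes_namespace.rb hunk shows the token being passed around as `service_account_token.to_s`, so a blank string is a plausible input, and it is the case where a kubeconfig without usable credentials would be written if the guard were later changed to a nil check. Pin it with a sibling context: `context 'when token is blank' do`, `let(:token) { '' }`, `it { is_expected.to be_nil }`.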