Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/spec/services
diff options
context:
space:
mode:
Diffstat (limited to 'spec/services')
-rw-r--r--spec/services/clusters/aws/authorize_role_service_spec.rb91
-rw-r--r--spec/services/clusters/aws/fetch_credentials_service_spec.rb18
-rw-r--r--spec/services/clusters/aws/proxy_service_spec.rb210
-rw-r--r--spec/services/clusters/kubernetes_spec.rb19
4 files changed, 124 insertions, 214 deletions
diff --git a/spec/services/clusters/aws/authorize_role_service_spec.rb b/spec/services/clusters/aws/authorize_role_service_spec.rb
new file mode 100644
index 00000000000..3ef332558a2
--- /dev/null
+++ b/spec/services/clusters/aws/authorize_role_service_spec.rb
@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Clusters::Aws::AuthorizeRoleService do
+ let(:user) { create(:user) }
+ let(:credentials) { instance_double(Aws::Credentials) }
+ let(:credentials_service) { instance_double(Clusters::Aws::FetchCredentialsService, execute: credentials) }
+
+ let(:params) do
+ params = ActionController::Parameters.new({
+ cluster: {
+ role_arn: 'arn:my-role',
+ role_external_id: 'external-id'
+ }
+ })
+
+ params.require(:cluster).permit(:role_arn, :role_external_id)
+ end
+
+ subject { described_class.new(user, params: params).execute }
+
+ before do
+ allow(Clusters::Aws::FetchCredentialsService).to receive(:new)
+ .with(instance_of(Aws::Role)).and_return(credentials_service)
+ end
+
+ context 'role does not exist' do
+ it 'creates an Aws::Role record and returns a set of credentials' do
+ expect(user).to receive(:create_aws_role!)
+ .with(params).and_call_original
+
+ expect(subject.status).to eq(:ok)
+ expect(subject.body).to eq(credentials)
+ end
+ end
+
+ context 'role already exists' do
+ let(:role) { create(:aws_role, user: user) }
+
+ it 'updates the existing Aws::Role record and returns a set of credentials' do
+ expect(role).to receive(:update!)
+ .with(params).and_call_original
+
+ expect(subject.status).to eq(:ok)
+ expect(subject.body).to eq(credentials)
+ end
+ end
+
+ context 'errors' do
+ shared_examples 'bad request' do
+ it 'returns an empty hash' do
+ expect(subject.status).to eq(:unprocessable_entity)
+ expect(subject.body).to eq({})
+ end
+ end
+
+ context 'cannot create role' do
+ before do
+ allow(user).to receive(:create_aws_role!)
+ .and_raise(ActiveRecord::RecordInvalid.new(user))
+ end
+
+ include_examples 'bad request'
+ end
+
+ context 'client errors' do
+ before do
+ allow(credentials_service).to receive(:execute).and_raise(error)
+ end
+
+ context 'error fetching credentials' do
+ let(:error) { Aws::STS::Errors::ServiceError.new(nil, 'error message') }
+
+ include_examples 'bad request'
+ end
+
+ context 'credentials not configured' do
+ let(:error) { Aws::Errors::MissingCredentialsError.new('error message') }
+
+ include_examples 'bad request'
+ end
+
+ context 'role not configured' do
+ let(:error) { Clusters::Aws::FetchCredentialsService::MissingRoleError.new('error message') }
+
+ include_examples 'bad request'
+ end
+ end
+ end
+end
diff --git a/spec/services/clusters/aws/fetch_credentials_service_spec.rb b/spec/services/clusters/aws/fetch_credentials_service_spec.rb
index 726d1c30603..9194947c67f 100644
--- a/spec/services/clusters/aws/fetch_credentials_service_spec.rb
+++ b/spec/services/clusters/aws/fetch_credentials_service_spec.rb
@@ -5,19 +5,18 @@ require 'spec_helper'
describe Clusters::Aws::FetchCredentialsService do
describe '#execute' do
let(:user) { create(:user) }
- let(:provider) { create(:cluster_provider_aws) }
+ let(:provider) { create(:cluster_provider_aws, region: 'ap-southeast-2') }
let(:gitlab_access_key_id) { 'gitlab-access-key-id' }
let(:gitlab_secret_access_key) { 'gitlab-secret-access-key' }
- let(:region) { 'us-east-1' }
let(:gitlab_credentials) { Aws::Credentials.new(gitlab_access_key_id, gitlab_secret_access_key) }
let(:sts_client) { Aws::STS::Client.new(credentials: gitlab_credentials, region: region) }
let(:assumed_role) { instance_double(Aws::AssumeRoleCredentials, credentials: assumed_role_credentials) }
let(:assumed_role_credentials) { double }
- subject { described_class.new(provision_role, region: region, provider: provider).execute }
+ subject { described_class.new(provision_role, provider: provider).execute }
context 'provision role is configured' do
let(:provision_role) { create(:aws_role, user: user) }
@@ -39,19 +38,30 @@ describe Clusters::Aws::FetchCredentialsService do
client: sts_client,
role_arn: provision_role.role_arn,
role_session_name: session_name,
- external_id: provision_role.role_external_id
+ external_id: provision_role.role_external_id,
+ policy: session_policy
).and_return(assumed_role)
end
context 'provider is specified' do
+ let(:region) { provider.region }
let(:session_name) { "gitlab-eks-cluster-#{provider.cluster_id}-user-#{user.id}" }
+ let(:session_policy) { nil }
it { is_expected.to eq assumed_role_credentials }
end
context 'provider is not specifed' do
let(:provider) { nil }
+ let(:region) { Clusters::Providers::Aws::DEFAULT_REGION }
let(:session_name) { "gitlab-eks-autofill-user-#{user.id}" }
+ let(:session_policy) { 'policy-document' }
+
+ before do
+ allow(File).to receive(:read)
+ .with(Rails.root.join('vendor', 'aws', 'iam', 'eks_cluster_read_only_policy.json'))
+ .and_return(session_policy)
+ end
it { is_expected.to eq assumed_role_credentials }
end
diff --git a/spec/services/clusters/aws/proxy_service_spec.rb b/spec/services/clusters/aws/proxy_service_spec.rb
deleted file mode 100644
index 7b0e0512b95..00000000000
--- a/spec/services/clusters/aws/proxy_service_spec.rb
+++ /dev/null
@@ -1,210 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-describe Clusters::Aws::ProxyService do
- let(:role) { create(:aws_role) }
- let(:credentials) { instance_double(Aws::Credentials) }
- let(:client_instance) { instance_double(client) }
-
- let(:region) { 'region' }
- let(:vpc_id) { }
- let(:params) do
- ActionController::Parameters.new({
- resource: resource,
- region: region,
- vpc_id: vpc_id
- })
- end
-
- subject { described_class.new(role, params: params).execute }
-
- context 'external resources' do
- before do
- allow(Clusters::Aws::FetchCredentialsService).to receive(:new) do
- double(execute: credentials)
- end
-
- allow(client).to receive(:new)
- .with(
- credentials: credentials, region: region,
- http_open_timeout: 5, http_read_timeout: 10)
- .and_return(client_instance)
- end
-
- shared_examples 'bad request' do
- it 'returns an empty hash' do
- expect(subject.status).to eq :bad_request
- expect(subject.body).to eq({})
- end
- end
-
- describe 'key_pairs' do
- let(:client) { Aws::EC2::Client }
- let(:resource) { 'key_pairs' }
- let(:response) { double(to_hash: :key_pairs) }
-
- it 'requests a list of key pairs' do
- expect(client_instance).to receive(:describe_key_pairs).once.and_return(response)
- expect(subject.status).to eq :ok
- expect(subject.body).to eq :key_pairs
- end
- end
-
- describe 'roles' do
- let(:client) { Aws::IAM::Client }
- let(:resource) { 'roles' }
- let(:response) { double(to_hash: :roles) }
-
- it 'requests a list of roles' do
- expect(client_instance).to receive(:list_roles).once.and_return(response)
- expect(subject.status).to eq :ok
- expect(subject.body).to eq :roles
- end
- end
-
- describe 'regions' do
- let(:client) { Aws::EC2::Client }
- let(:resource) { 'regions' }
- let(:response) { double(to_hash: :regions) }
-
- it 'requests a list of regions' do
- expect(client_instance).to receive(:describe_regions).once.and_return(response)
- expect(subject.status).to eq :ok
- expect(subject.body).to eq :regions
- end
- end
-
- describe 'security_groups' do
- let(:client) { Aws::EC2::Client }
- let(:resource) { 'security_groups' }
- let(:response) { double(to_hash: :security_groups) }
-
- include_examples 'bad request'
-
- context 'VPC is specified' do
- let(:vpc_id) { 'vpc-1' }
-
- it 'requests a list of security groups for a VPC' do
- expect(client_instance).to receive(:describe_security_groups).once
- .with(filters: [{ name: 'vpc-id', values: [vpc_id] }])
- .and_return(response)
- expect(subject.status).to eq :ok
- expect(subject.body).to eq :security_groups
- end
- end
- end
-
- describe 'subnets' do
- let(:client) { Aws::EC2::Client }
- let(:resource) { 'subnets' }
- let(:response) { double(to_hash: :subnets) }
-
- include_examples 'bad request'
-
- context 'VPC is specified' do
- let(:vpc_id) { 'vpc-1' }
-
- it 'requests a list of subnets for a VPC' do
- expect(client_instance).to receive(:describe_subnets).once
- .with(filters: [{ name: 'vpc-id', values: [vpc_id] }])
- .and_return(response)
- expect(subject.status).to eq :ok
- expect(subject.body).to eq :subnets
- end
- end
- end
-
- describe 'vpcs' do
- let(:client) { Aws::EC2::Client }
- let(:resource) { 'vpcs' }
- let(:response) { double(to_hash: :vpcs) }
-
- it 'requests a list of VPCs' do
- expect(client_instance).to receive(:describe_vpcs).once.and_return(response)
- expect(subject.status).to eq :ok
- expect(subject.body).to eq :vpcs
- end
- end
-
- context 'errors' do
- let(:client) { Aws::EC2::Client }
-
- context 'unknown resource' do
- let(:resource) { 'instances' }
-
- include_examples 'bad request'
- end
-
- context 'client and configuration errors' do
- let(:resource) { 'vpcs' }
-
- before do
- allow(client_instance).to receive(:describe_vpcs).and_raise(error)
- end
-
- context 'error fetching credentials' do
- let(:error) { Aws::STS::Errors::ServiceError.new(nil, 'error message') }
-
- include_examples 'bad request'
- end
-
- context 'credentials not configured' do
- let(:error) { Aws::Errors::MissingCredentialsError.new('error message') }
-
- include_examples 'bad request'
- end
-
- context 'role not configured' do
- let(:error) { Clusters::Aws::FetchCredentialsService::MissingRoleError.new('error message') }
-
- include_examples 'bad request'
- end
-
- context 'EC2 error' do
- let(:error) { Aws::EC2::Errors::ServiceError.new(nil, 'error message') }
-
- include_examples 'bad request'
- end
-
- context 'IAM error' do
- let(:error) { Aws::IAM::Errors::ServiceError.new(nil, 'error message') }
-
- include_examples 'bad request'
- end
-
- context 'STS error' do
- let(:error) { Aws::STS::Errors::ServiceError.new(nil, 'error message') }
-
- include_examples 'bad request'
- end
- end
- end
- end
-
- context 'local resources' do
- describe 'instance_types' do
- let(:resource) { 'instance_types' }
- let(:cloudformation_template) { double }
- let(:instance_types) { double(dig: %w(t3.small)) }
-
- before do
- allow(File).to receive(:read)
- .with(Rails.root.join('vendor', 'aws', 'cloudformation', 'eks_cluster.yaml'))
- .and_return(cloudformation_template)
-
- allow(YAML).to receive(:safe_load)
- .with(cloudformation_template)
- .and_return(instance_types)
- end
-
- it 'returns a list of instance types' do
- expect(subject.status).to eq :ok
- expect(subject.body).to have_key(:instance_types)
- expect(subject.body[:instance_types]).to match_array([
- instance_type_name: 't3.small'
- ])
- end
- end
- end
-end
diff --git a/spec/services/clusters/kubernetes_spec.rb b/spec/services/clusters/kubernetes_spec.rb
new file mode 100644
index 00000000000..7f2c5e0461d
--- /dev/null
+++ b/spec/services/clusters/kubernetes_spec.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Clusters::Kubernetes do
+ it { is_expected.to be_const_defined(:GITLAB_SERVICE_ACCOUNT_NAME) }
+ it { is_expected.to be_const_defined(:GITLAB_SERVICE_ACCOUNT_NAMESPACE) }
+ it { is_expected.to be_const_defined(:GITLAB_ADMIN_TOKEN_NAME) }
+ it { is_expected.to be_const_defined(:GITLAB_CLUSTER_ROLE_BINDING_NAME) }
+ it { is_expected.to be_const_defined(:GITLAB_CLUSTER_ROLE_NAME) }
+ it { is_expected.to be_const_defined(:PROJECT_CLUSTER_ROLE_NAME) }
+ it { is_expected.to be_const_defined(:GITLAB_KNATIVE_SERVING_ROLE_NAME) }
+ it { is_expected.to be_const_defined(:GITLAB_KNATIVE_SERVING_ROLE_BINDING_NAME) }
+ it { is_expected.to be_const_defined(:GITLAB_CROSSPLANE_DATABASE_ROLE_NAME) }
+ it { is_expected.to be_const_defined(:GITLAB_CROSSPLANE_DATABASE_ROLE_BINDING_NAME) }
+ it { is_expected.to be_const_defined(:GITLAB_KNATIVE_VERSION_ROLE_NAME) }
+ it { is_expected.to be_const_defined(:GITLAB_KNATIVE_VERSION_ROLE_BINDING_NAME) }
+ it { is_expected.to be_const_defined(:KNATIVE_SERVING_NAMESPACE) }
+end
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-14 19:09:59 +0300