From ddd271b6027b13bca02416ec3dda17d3ec7fd5be Mon Sep 17 00:00:00 2001
From: Tiger
Date: Fri, 14 Jun 2019 10:18:50 +1000
Subject: Don't use Kubernetes namespaces with no token
Whenever we are selecting a namespace to use for a deployment or to query a cluster we want to exclude Kubernetes namespace records that don't have a token set as they will not have the required permissions. However when configuring clusters, we want to use the original namespace record even if it has no token, as a namespace has to be unique on a cluster.
---
 app/models/clusters/cluster.rb | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)
(limited to 'app')
diff --git a/app/models/clusters/cluster.rb b/app/models/clusters/cluster.rb
index ccc877fb924..0206ce81c5f 100644
--- a/app/models/clusters/cluster.rb
+++ b/app/models/clusters/cluster.rb
@@ -193,15 +193,34 @@ module Clusters
 platform_kubernetes.kubeclient if kubernetes?
 end
+ ##
+ # This is subtly different to #find_or_initialize_kubernetes_namespace_for_project
+ # below because it will ignore any namespaces that have not got a service account
+ # token. This provides a guarantee that any namespace selected here can be used
+ # for cluster operations - a namespace needs to have a service account configured
+ # before it it can be used.
+ #
+ # This is used for selecting a namespace to use when querying a cluster, or
+ # generating variables to pass to CI.
 def kubernetes_namespace_for(project)
- find_or_initialize_kubernetes_namespace_for_project(project).namespace
+ find_or_initialize_kubernetes_namespace_for_project(
+ project, scope: kubernetes_namespaces.has_service_account_token
+ ).namespace
 end
- def find_or_initialize_kubernetes_namespace_for_project(project)
+ ##
+ # This is subtly different to #kubernetes_namespace_for because it will include
+ # namespaces that have yet to receive a service account token. This allows
+ # the namespace configuration process to be repeatable - if a namespace has
+ # already been created without a token we don't need to create another
+ # record entirely, just set the token on the pre-existing namespace.
+ #
+ # This is used for configuring cluster namespaces.
+ def find_or_initialize_kubernetes_namespace_for_project(project, scope: kubernetes_namespaces)
 attributes = { project: project }
 attributes[:cluster_project] = cluster_project if project_type?
- kubernetes_namespaces.find_or_initialize_by(attributes).tap do |namespace|
+ scope.find_or_initialize_by(attributes).tap do |namespace|
 namespace.set_defaults
 end
 end
-- cgit v1.2.3
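Review bot: The new comment on `kubernetes_namespace_for` promises that any namespace it selects can be used for cluster operations, but the code does not enforce that: when no row matches the `has_service_account_token` scope, `find_or_initialize_by` still builds an unsaved record and the method returns its `.namespace`. That name presumably comes from `set_defaults` (defined outside this hunk), so callers that query the cluster or build CI variables get a namespace with no service account token behind it and cannot tell the two cases apart. I would either state this in the comment, e.g. `# Falls back to the name of a new, unsaved record when no namespace with a token exists.`, or have callers check `persisted?` before relying on the result. The same comment also has a doubled word in "before it it can be used".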