From ba2d8a3f3483af053eea47f84c158509a91f7012 Mon Sep 17 00:00:00 2001 From: Thong Kuah Date: Wed, 5 Dec 2018 09:09:45 +1300 Subject: Rename to CreateOrUpdateServiceAccountService This reflects how we now create or update --- .../create_or_update_namespace_service_spec.rb | 4 +- ...reate_or_update_service_account_service_spec.rb | 174 +++++++++++++++++++++ .../create_service_account_service_spec.rb | 174 --------------------- spec/services/clusters/refresh_service_spec.rb | 6 +- spec/services/projects/create_service_spec.rb | 4 +- spec/services/projects/transfer_service_spec.rb | 4 +- 6 files changed, 183 insertions(+), 183 deletions(-) create mode 100644 spec/services/clusters/gcp/kubernetes/create_or_update_service_account_service_spec.rb delete mode 100644 spec/services/clusters/gcp/kubernetes/create_service_account_service_spec.rb (limited to 'spec/services') diff --git a/spec/services/clusters/gcp/kubernetes/create_or_update_namespace_service_spec.rb b/spec/services/clusters/gcp/kubernetes/create_or_update_namespace_service_spec.rb index 62a5c26d908..fe785735fef 100644 --- a/spec/services/clusters/gcp/kubernetes/create_or_update_namespace_service_spec.rb +++ b/spec/services/clusters/gcp/kubernetes/create_or_update_namespace_service_spec.rb @@ -51,7 +51,7 @@ describe Clusters::Gcp::Kubernetes::CreateOrUpdateNamespaceService, '#execute' d end it 'creates project service account' do - expect_any_instance_of(Clusters::Gcp::Kubernetes::CreateServiceAccountService).to receive(:execute).once + expect_any_instance_of(Clusters::Gcp::Kubernetes::CreateOrUpdateServiceAccountService).to receive(:execute).once subject end 
@@ -115,7 +115,7 @@ describe Clusters::Gcp::Kubernetes::CreateOrUpdateNamespaceService, '#execute' d end it 'creates project service account' do - expect_any_instance_of(Clusters::Gcp::Kubernetes::CreateServiceAccountService).to receive(:execute).once + expect_any_instance_of(Clusters::Gcp::Kubernetes::CreateOrUpdateServiceAccountService).to receive(:execute).once subject end diff --git a/spec/services/clusters/gcp/kubernetes/create_or_update_service_account_service_spec.rb b/spec/services/clusters/gcp/kubernetes/create_or_update_service_account_service_spec.rb new file mode 100644 index 00000000000..11a65d0c300 --- /dev/null +++ b/spec/services/clusters/gcp/kubernetes/create_or_update_service_account_service_spec.rb 
@@ -0,0 +1,174 @@
+# frozen_string_literal: true
+require 'spec_helper'
+
+describe Clusters::Gcp::Kubernetes::CreateOrUpdateServiceAccountService do
+ include KubernetesHelpers
+
+ let(:api_url) { 'http://111.111.111.111' }
+ let(:platform_kubernetes) { cluster.platform_kubernetes }
+ let(:cluster_project) { cluster.cluster_project }
+ let(:project) { cluster_project.project }
+ let(:cluster) do
+ create(:cluster,
+ :project, :provided_by_gcp,
+ platform_kubernetes: create(:cluster_platform_kubernetes, :configured))
+ end
+
+ let(:kubeclient) do
+ Gitlab::Kubernetes::KubeClient.new(
+ api_url,
+ auth_options: { username: 'admin', password: 'xxx' }
+ )
+ end
+
+ shared_examples 'creates service account and token' do
+ it 'creates a kubernetes service account' do
+ subject
+
+ expect(WebMock).to have_requested(:post, api_url + "/api/v1/namespaces/#{namespace}/serviceaccounts").with(
+ body: hash_including(
+ kind: 'ServiceAccount',
+ metadata: { name: service_account_name, namespace: namespace }
+ )
+ )
+ end
+
+ it 'creates a kubernetes secret' do
+ subject
+
+ expect(WebMock).to have_requested(:post, api_url + "/api/v1/namespaces/#{namespace}/secrets").with(
+ body: hash_including(
+ kind: 'Secret',
+ metadata: {
+ name: token_name,
+ namespace: namespace,
+ annotations: {
+ 'kubernetes.io/service-account.name': service_account_name
+ }
+ },
+ type: 'kubernetes.io/service-account-token'
+ )
+ )
+ end
+ end
+
+ before do
+ stub_kubeclient_discover(api_url)
+ stub_kubeclient_get_namespace(api_url, namespace: namespace)
+
+ stub_kubeclient_get_service_account_error(api_url, service_account_name, namespace: namespace)
+ stub_kubeclient_create_service_account(api_url, namespace: namespace)
+
+ stub_kubeclient_get_secret_error(api_url, token_name, namespace: namespace)
+ stub_kubeclient_create_secret(api_url, namespace: namespace)
+ end
+
+ describe '.gitlab_creator' do
+ let(:namespace) { 'default' }
+ let(:service_account_name) { 'gitlab' }
+ let(:token_name) { 'gitlab-token' }
+
+ subject { described_class.gitlab_creator(kubeclient, rbac: rbac).execute }
+
+ context 'with ABAC cluster' do
+ let(:rbac) { false }
+
+ it_behaves_like 'creates service account and token'
+ end
+
+ context 'with RBAC cluster' do
+ let(:rbac) { true }
+ let(:cluster_role_binding_name) { 'gitlab-admin' }
+
+ before do
+ cluster.platform_kubernetes.rbac!
+
+ stub_kubeclient_get_cluster_role_binding_error(api_url, cluster_role_binding_name)
+ stub_kubeclient_create_cluster_role_binding(api_url)
+ end
+
+ it_behaves_like 'creates service account and token'
+
+ it 'should create a cluster role binding with cluster-admin access' do
+ subject
+
+ expect(WebMock).to have_requested(:post, api_url + "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings").with(
+ body: hash_including(
+ kind: 'ClusterRoleBinding',
+ metadata: { name: 'gitlab-admin' },
+ roleRef: {
+ apiGroup: 'rbac.authorization.k8s.io',
+ kind: 'ClusterRole',
+ name: 'cluster-admin'
+ },
+ subjects: [
+ {
+ kind: 'ServiceAccount',
+ name: service_account_name,
+ namespace: namespace
+ }
+ ]
+ )
+ )
+ end
+ end
+ end
+
+ describe '.namespace_creator' do
+ let(:namespace) { "#{project.path}-#{project.id}" }
+ let(:service_account_name) { "#{namespace}-service-account" }
+ let(:token_name) { "#{namespace}-token" }
+
+ subject do
+ described_class.namespace_creator(
+ kubeclient,
+ service_account_name: service_account_name,
+ service_account_namespace: namespace,
+ rbac: rbac
+ ).execute
+ end
+
+ context 'with ABAC cluster' do
+ let(:rbac) { false }
+
+ it_behaves_like 'creates service account and token'
+ end
+
+ context 'With RBAC enabled cluster' do
+ let(:rbac) { true }
+ let(:role_binding_name) { "gitlab-#{namespace}"}
+
+ before do
+ cluster.platform_kubernetes.rbac!
+
+ stub_kubeclient_get_role_binding_error(api_url, role_binding_name, namespace: namespace)
+ stub_kubeclient_create_role_binding(api_url, namespace: namespace)
+ end
+
+ it_behaves_like 'creates service account and token'
+
+ it 'creates a namespaced role binding with edit access' do
+ subject
+
+ expect(WebMock).to have_requested(:post, api_url + "/apis/rbac.authorization.k8s.io/v1/namespaces/#{namespace}/rolebindings").with(
+ body: hash_including(
+ kind: 'RoleBinding',
+ metadata: { name: "gitlab-#{namespace}", namespace: "#{namespace}" },
+ roleRef: {
+ apiGroup: 'rbac.authorization.k8s.io',
+ kind: 'ClusterRole',
+ name: 'edit'
+ },
+ subjects: [
+ {
+ kind: 'ServiceAccount',
+ name: service_account_name,
+ namespace: namespace
+ }
+ ]
+ )
+ )
+ end
+ end
+ end
+end
diff --git a/spec/services/clusters/gcp/kubernetes/create_service_account_service_spec.rb b/spec/services/clusters/gcp/kubernetes/create_service_account_service_spec.rb
deleted file mode 100644
index 647050f6ad1..00000000000
--- a/spec/services/clusters/gcp/kubernetes/create_service_account_service_spec.rb
+++ /dev/null
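Review bot: The new create_or_update_service_account_service_spec.rb only exercises the create branch, even though the class is now named CreateOrUpdate. The top-level `before` and both RBAC `before` blocks stub every lookup to fail (`stub_kubeclient_get_service_account_error`, `stub_kubeclient_get_secret_error`, `stub_kubeclient_get_cluster_role_binding_error`, `stub_kubeclient_get_role_binding_error`), and every expectation is a `have_requested(:post, ...)`. I would add contexts where the service account, token secret and role binding already exist, and assert the update request the service presumably sends, with the same `roleRef` and `subjects` body. This matters most for the `cluster-admin` ClusterRoleBinding and the namespaced `edit` RoleBinding, because an update that left a stale or broader binding in place would pass this suite unnoticed. A short comment above the cluster-admin example, such as `# the 'gitlab' service account in 'default' is intentionally bound to cluster-admin`, would also record that the privilege level is deliberate.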
@@ -1,174 +0,0 @@
-# frozen_string_literal: true
-require 'spec_helper'
-
-describe Clusters::Gcp::Kubernetes::CreateServiceAccountService do
- include KubernetesHelpers
-
- let(:api_url) { 'http://111.111.111.111' }
- let(:platform_kubernetes) { cluster.platform_kubernetes }
- let(:cluster_project) { cluster.cluster_project }
- let(:project) { cluster_project.project }
- let(:cluster) do
- create(:cluster,
- :project, :provided_by_gcp,
- platform_kubernetes: create(:cluster_platform_kubernetes, :configured))
- end
-
- let(:kubeclient) do
- Gitlab::Kubernetes::KubeClient.new(
- api_url,
- auth_options: { username: 'admin', password: 'xxx' }
- )
- end
-
- shared_examples 'creates service account and token' do
- it 'creates a kubernetes service account' do
- subject
-
- expect(WebMock).to have_requested(:post, api_url + "/api/v1/namespaces/#{namespace}/serviceaccounts").with(
- body: hash_including(
- kind: 'ServiceAccount',
- metadata: { name: service_account_name, namespace: namespace }
- )
- )
- end
-
- it 'creates a kubernetes secret' do
- subject
-
- expect(WebMock).to have_requested(:post, api_url + "/api/v1/namespaces/#{namespace}/secrets").with(
- body: hash_including(
- kind: 'Secret',
- metadata: {
- name: token_name,
- namespace: namespace,
- annotations: {
- 'kubernetes.io/service-account.name': service_account_name
- }
- },
- type: 'kubernetes.io/service-account-token'
- )
- )
- end
- end
-
- before do
- stub_kubeclient_discover(api_url)
- stub_kubeclient_get_namespace(api_url, namespace: namespace)
-
- stub_kubeclient_get_service_account_error(api_url, service_account_name, namespace: namespace)
- stub_kubeclient_create_service_account(api_url, namespace: namespace)
-
- stub_kubeclient_get_secret_error(api_url, token_name, namespace: namespace)
- stub_kubeclient_create_secret(api_url, namespace: namespace)
- end
-
- describe '.gitlab_creator' do
- let(:namespace) { 'default' }
- let(:service_account_name) { 'gitlab' }
- let(:token_name) { 'gitlab-token' }
-
- subject { described_class.gitlab_creator(kubeclient, rbac: rbac).execute }
-
- context 'with ABAC cluster' do
- let(:rbac) { false }
-
- it_behaves_like 'creates service account and token'
- end
-
- context 'with RBAC cluster' do
- let(:rbac) { true }
- let(:cluster_role_binding_name) { 'gitlab-admin' }
-
- before do
- cluster.platform_kubernetes.rbac!
-
- stub_kubeclient_get_cluster_role_binding_error(api_url, cluster_role_binding_name)
- stub_kubeclient_create_cluster_role_binding(api_url)
- end
-
- it_behaves_like 'creates service account and token'
-
- it 'should create a cluster role binding with cluster-admin access' do
- subject
-
- expect(WebMock).to have_requested(:post, api_url + "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings").with(
- body: hash_including(
- kind: 'ClusterRoleBinding',
- metadata: { name: 'gitlab-admin' },
- roleRef: {
- apiGroup: 'rbac.authorization.k8s.io',
- kind: 'ClusterRole',
- name: 'cluster-admin'
- },
- subjects: [
- {
- kind: 'ServiceAccount',
- name: service_account_name,
- namespace: namespace
- }
- ]
- )
- )
- end
- end
- end
-
- describe '.namespace_creator' do
- let(:namespace) { "#{project.path}-#{project.id}" }
- let(:service_account_name) { "#{namespace}-service-account" }
- let(:token_name) { "#{namespace}-token" }
-
- subject do
- described_class.namespace_creator(
- kubeclient,
- service_account_name: service_account_name,
- service_account_namespace: namespace,
- rbac: rbac
- ).execute
- end
-
- context 'with ABAC cluster' do
- let(:rbac) { false }
-
- it_behaves_like 'creates service account and token'
- end
-
- context 'With RBAC enabled cluster' do
- let(:rbac) { true }
- let(:role_binding_name) { "gitlab-#{namespace}"}
-
- before do
- cluster.platform_kubernetes.rbac!
-
- stub_kubeclient_get_role_binding_error(api_url, role_binding_name, namespace: namespace)
- stub_kubeclient_create_role_binding(api_url, namespace: namespace)
- end
-
- it_behaves_like 'creates service account and token'
-
- it 'creates a namespaced role binding with edit access' do
- subject
-
- expect(WebMock).to have_requested(:post, api_url + "/apis/rbac.authorization.k8s.io/v1/namespaces/#{namespace}/rolebindings").with(
- body: hash_including(
- kind: 'RoleBinding',
- metadata: { name: "gitlab-#{namespace}", namespace: "#{namespace}" },
- roleRef: {
- apiGroup: 'rbac.authorization.k8s.io',
- kind: 'ClusterRole',
- name: 'edit'
- },
- subjects: [
- {
- kind: 'ServiceAccount',
- name: service_account_name,
- namespace: namespace
- }
- ]
- )
- )
- end
- end
- end
-end
diff --git a/spec/services/clusters/refresh_service_spec.rb b/spec/services/clusters/refresh_service_spec.rb
index 0bf2bd55c7f..470639524b8 100644
--- a/spec/services/clusters/refresh_service_spec.rb
+++ b/spec/services/clusters/refresh_service_spec.rb
@@ -5,11 +5,11 @@ require 'spec_helper' describe Clusters::RefreshService do shared_examples 'creates a kubernetes namespace' do let(:token) { 'aaaaaa' } - let(:service_account_creator) { double(Clusters::Gcp::Kubernetes::CreateServiceAccountService, execute: true) } + let(:service_account_creator) { double(Clusters::Gcp::Kubernetes::CreateOrUpdateServiceAccountService, execute: true) } let(:secrets_fetcher) { double(Clusters::Gcp::Kubernetes::FetchKubernetesTokenService, execute: token) } it 'creates a kubernetes namespace' do - expect(Clusters::Gcp::Kubernetes::CreateServiceAccountService).to receive(:namespace_creator).and_return(service_account_creator) + expect(Clusters::Gcp::Kubernetes::CreateOrUpdateServiceAccountService).to receive(:namespace_creator).and_return(service_account_creator) expect(Clusters::Gcp::Kubernetes::FetchKubernetesTokenService).to receive(:new).and_return(secrets_fetcher) expect { subject }.to change(project.kubernetes_namespaces, :count) @@ -22,7 +22,7 @@ describe Clusters::RefreshService do shared_examples 'does not create a kubernetes namespace' do it 'does not create a new kubernetes namespace' do - expect(Clusters::Gcp::Kubernetes::CreateServiceAccountService).not_to receive(:namespace_creator) + expect(Clusters::Gcp::Kubernetes::CreateOrUpdateServiceAccountService).not_to receive(:namespace_creator) expect(Clusters::Gcp::Kubernetes::FetchKubernetesTokenService).not_to receive(:new) expect { subject }.not_to change(Clusters::KubernetesNamespace, :count) diff --git a/spec/services/projects/create_service_spec.rb b/spec/services/projects/create_service_spec.rb index 07388eb133f..f71e2b4bc24 100644 --- a/spec/services/projects/create_service_spec.rb +++ b/spec/services/projects/create_service_spec.rb 
@@ -266,13 +266,13 @@ describe Projects::CreateService, '#execute' do let(:group) { group_cluster.group } let(:token) { 'aaaa' } - let(:service_account_creator) { double(Clusters::Gcp::Kubernetes::CreateServiceAccountService, execute: true) } + let(:service_account_creator) { double(Clusters::Gcp::Kubernetes::CreateOrUpdateServiceAccountService, execute: true) } let(:secrets_fetcher) { double(Clusters::Gcp::Kubernetes::FetchKubernetesTokenService, execute: token) } before do group.add_owner(user) - expect(Clusters::Gcp::Kubernetes::CreateServiceAccountService).to receive(:namespace_creator).and_return(service_account_creator) + expect(Clusters::Gcp::Kubernetes::CreateOrUpdateServiceAccountService).to receive(:namespace_creator).and_return(service_account_creator) expect(Clusters::Gcp::Kubernetes::FetchKubernetesTokenService).to receive(:new).and_return(secrets_fetcher) end diff --git a/spec/services/projects/transfer_service_spec.rb b/spec/services/projects/transfer_service_spec.rb index 5e0f2991a63..132ad9a2646 100644 --- a/spec/services/projects/transfer_service_spec.rb +++ b/spec/services/projects/transfer_service_spec.rb 
@@ -68,13 +68,13 @@ describe Projects::TransferService do let(:group) { group_cluster.group } let(:token) { 'aaaa' } - let(:service_account_creator) { double(Clusters::Gcp::Kubernetes::CreateServiceAccountService, execute: true) } + let(:service_account_creator) { double(Clusters::Gcp::Kubernetes::CreateOrUpdateServiceAccountService, execute: true) } let(:secrets_fetcher) { double(Clusters::Gcp::Kubernetes::FetchKubernetesTokenService, execute: token) } subject { transfer_project(project, user, group) } before do - expect(Clusters::Gcp::Kubernetes::CreateServiceAccountService).to receive(:namespace_creator).and_return(service_account_creator) + expect(Clusters::Gcp::Kubernetes::CreateOrUpdateServiceAccountService).to receive(:namespace_creator).and_return(service_account_creator) expect(Clusters::Gcp::Kubernetes::FetchKubernetesTokenService).to receive(:new).and_return(secrets_fetcher) end -- cgit v1.2.3